Evidentiary and Forensic Analysis of Wireless Signals

Abstract

This paper provides an overview of the current methods and practices available to a forensic investigator to ascertain whether a radio frequency device has been participating in a wireless network. Though many of the techniques are applicable in a larger domain, this paper limits its scope to specific scenarios by example, and then discusses how those scenarios could be solved, starting with the most basic elements and then detailing newer and more robust solutions.

Introduction

“Police have arrested a man for using someone else’s wireless Internet network in one of the first criminal cases involving this fairly common practice.” (The Associated Press, 2005) If an unknown person is sitting in a vehicle with a laptop in front of somebody else’s house, how does the homeowner know the unknown individual is not stealing their bandwidth? With the ubiquity of wireless networks and broadband wireless nationwide, the simple assumption of theft is balanced by the equally plausible assumption that the person has pulled their vehicle over simply to be a safe computer user while accessing one of a variety of commercial service providers. A presupposition of theft and of unauthorized access to a network must be grounded in substantial and credible evidence that theft has occurred. Proving that a crime has been committed follows a series of well-known evidentiary processes and is based on the ability of the evidence presented to withstand challenge as lawfully obtained and representative of the actual crime. For example, at a homicide crime scene, finding the blood spatters of victim and assailant is reasonably reliable proof that both individuals were at the crime scene. Further, finding a series of clues such as gunshot residue on both the victim and assailant that can be chemically linked between them is another step in the ladder of evidence. Even the confession of an individual to a heinous crime must be backed by substantial evidence or it may be the undoing of the prosecution. The desire, then, of investigators and law enforcement officials is to have a substantive method of linking an alleged criminal to a criminal act that is based on scientific method. The method must be accepted by the court systems and able to withstand court challenges (“Daubert v. Merrell Dow Pharmaceuticals,” 1993).
Methods to link alleged criminals to the unauthorized access of networks, as in criminal trespass, exist, and linking those individuals in highly dynamic environments is robust enough to show a pattern of access at several levels, thereby providing an investigator with a variety of solutions to prove that the access occurred and was performed in such a way as to be criminal and not unintentional. With the current technology of wireless networks it becomes imperative to prove that the access was intentional. Further, we see the forensic examiner’s role expanding to that of investigator, scientist and technologist, and requiring computing skills (Shpantzer & Ipsen, 2002). In some cases forensic examiners may find themselves no longer dealing with static systems that remain presentable long after acquisition, but with highly dynamic systems as part of the investigatory process. The goal of the investigator is to maintain a scientific crime scene investigation that can be documented and that shows, beyond the tools of the investigation, that there is an underlying science and sensibility to the investigation (Lee, Palmbach, & Miller, 2001).

Statement of the problem

The analysis of forensic evidence involving wireless communications is both difficult and not entirely understood from a holistic evidentiary standpoint. Whereas the interception and recording of telephonic communications is a long-understood process, applying similar techniques to identify agents provocateurs in an environment, both logically and geographically, is a difficult if not insurmountable problem. Identifying the transmitter in such a way as to provide evidentiary-level proof adds a further level of complexity: the transmitter (especially in saturated wireless environments) must be identified as the suspect device. Further adding to the issues are legal restraints on the agents or actors in the environment who are charged with proving that the suspect radio located in a data or communications device is the actual entity of interest. Within the United States of America these restraints exist as Constitutional protections, and those protections shield people substantially from “fishing” expeditions by law enforcement. Does a suitable method exist, within the restraints of legal and ethical conduct for law enforcement, to identify with evidentiary-level proof a specific data device participating in a wireless environment? In what ways would an investigation proceed to provide evidentiary analysis and proof that a particular device was participating in a network?

Significance of the problem

The problem with identifying wireless devices participating in networks is that such identification is often attempted but hardly provable by law enforcement in the way that would be required in a court of law. A fairly large body of work has been done on intrusion detection and anomaly detection within wireless environments; that is not within the purview of this paper. The concept of proving that a device was participating in a wireless network in such a way that the proof would be accepted by a court of law is significant. A substantial number of cases have occurred where a person is accused of participating in or hacking into networks. Though those cases are rarely challenged, sooner or later a savvy defense attorney will point out that observed behavior does not equate to actual network behavior, and that a substantial amount of doubt can easily be created in a jury by showing that appearances can and will be deceiving. This investigation provides the opportunity to mitigate the investigatory risks and apply a high level of sophistication to the problem. A solution to this problem is important to those trying cases in a courtroom and to those charged with investigating or providing evidence of transgressions. Stakeholders within the system administration and management information systems groups will also find it significant: these groups are required to provide security and reliability for networks, and having a set of guidelines and, if possible, tools to find individuals internal and external to the organization would be valuable. As wireless use increases substantially year to year it becomes evident that the wireless environment will only expand. As new technologies are brought into the open market for consumers, the scope and requirements for investigatory tools will only increase as well.
It will not be long until law enforcement and investigatory units within the government (like the Department of Homeland Security) begin to demand that forensically sound wireless monitoring tools and procedures be implemented. This would be reasonable when considering current law and doctrine criminalizing unauthorized access to networks.

Background of the problem

Wireless technology is a persistent, ubiquitous technology that is not detectable without special instruments. By their nature, wireless and specifically wireless local area networks (WLAN) are consumer-driven technologies. As the workplace and the work environment have become more mobile, the variety of connectivity options has increased in scope and utilization. Legal interpretations have been expanded to cover the associated malicious or undesirable behaviors of criminal enterprises preying on this. On theft of services: “The charge, unauthorized access to a computer network, applies to all varieties of computer network breaches, and gives prosecutors considerable leeway depending on the severity. It carries a potential sentence ranging from probation to 5 years in prison.” (Kelley, 2005). Unfortunately wireless can be used for more than just theft of services. The supposition is that wireless access points can be used for “child pornography”, relay points for terrorism, or communications nodes for criminal activities of any type. If criminals have an open and nearly untraceable method of communication it becomes exceedingly difficult for law enforcement to trace or track activities. A possible law enforcement issue is impending (or enacted) legislation in response to privacy advocates who have built a series of forensic-resistant tools. The scope of this paper does not include the forensic-resistance tools that have the ability to obfuscate or directly hide computer communications. Within the scope of this paper is the principle that in highly active and dynamic wireless environments it is hard to track or trace individual entities with substantial evidentiary-level proof. The principles of forensic analysis and evidence are proven and can be applied to the computer realm and specifically to the problem of wireless networks.
As an example, a simple network can consist of a user with an access point, a firewall between them and the Internet, and the victim’s computer provisioned from the network.

Figure 1 Simple wireless computer network depicting the suspect, victim and the relationship between them for an overall view of accessing a network without permission or theft of services. Figure by the author.

The suspect space has certain characteristics, such as a computing or mobile device. The device may or may not be a laptop; there are a variety of other technologies, including voice over IP phones, that could use an unsecured network without permission. The victim space is the access devices, any security or protection devices, the victim’s computers that may have been accessed, and the victim user. These elements make up the entirety of the crime space and may not be connected during the investigation, which makes proving the connection more difficult. There is another aspect to the crime space that includes the network provider for the victim, but that is outside the scope of this paper, as the variety of laws and competing laws make discussion difficult without being very specific to a particular situation. The intention of the investigator is to seize a device for evidentiary analysis, acquire information about and from the machine, and then analyze that data. There is a variety of evidence to be gathered from a suspect’s system. The simple existence of a device capable of communicating on the network may not be enough probable cause to seize the machine or device, but in many jurisdictions it would be enough to question the suspect. For the sake of brevity, the basic assumption is that the victim and suspect are using Windows XP as an operating system with the NTFS file system, and that the machine is a laptop with a wireless local area network card installed. Depending on the forensic first responder procedures used by a jurisdiction, a computing device may be required to be shut off, thereby closing off several opportunities for investigation. The following are commands that can be run on a live suspect system. This raises the question of whether the suspect has any programs running that may alter or change the investigation.
There is substantial criticism and debate dealing with the running of commands on a suspect machine and the level of evidentiary proof that should be expected from the running of commands on a live machine (Adelstein, 2006; Carrier, 2006).

Evidence from a suspect computer

The first command that might be run on a machine to see whether it is provisioned by a wireless network is “ipconfig /all”. This command reveals the provisioned network adapters, what they are associated with, and what last provisioned them. Its output can be saved to a text file simply by redirecting it with standard redirection operators such as “>”. When run, ipconfig reveals several interesting pieces of information.

Figure 2 Screenshot of output from a Windows XP Service Pack 2 client’s ipconfig /all command. This figure details the different adapters and settings for the adapters (anonymized for this purpose). Figure by the author.

Ipconfig shows the number of adapters inside the machine and the state (connected or not) of each network adapter. The connection details show when the adapter was last provisioned, which may help in proving the length of time the suspect has been connected. The command also discloses the DNS server, DHCP server and default gateway, which in many consumer and enterprise systems will have been provisioned by the victim. This gives some corroboration that the suspect system was or was not connected. Careful attention should be paid to the “IP Address” field: a variety of networks share the same IP schemas and IP values. The associated MAC addresses, however, are “supposed” to be distinct. This may or may not be the case, as MAC addresses are held in software or firmware and can be maliciously changed. The Address Resolution Protocol (ARP) table in Microsoft Windows maps TCP/IP addresses to the media access control (MAC) addresses of the Ethernet or wireless NICs the system has communicated with. The ARP table is a good place to see whether the suspect computer has been interacting with the victim systems. Systems located on the same local area network will show up in the ARP table along with their MAC address. Once again the IP address can be the same among multiple networks, but the MAC address is that of the provisioning host in this example, and would likely be that of the victim’s wireless access point or wireless gateway.

Figure 3 The Windows XP command “arp -a” produces this type of output. Screen shot by the author.

Unfortunately, depending on the system and configuration, turning off a computer may destroy this information. In highly dynamic environments this information may be a substantial part of proving participation in the network. Since the wireless configuration of the network is normally accomplished at an application level, the management of the wireless NIC should show a few other things on the suspect computer. There are several ways that computers manage and participate in a wireless network; specifically, there are a variety of applications to manage the wireless configuration. Windows XP Service Pack 2 has a built-in management program, but many vendors of wireless network cards require the use of a specific tool or application. These programs allow the suspect user to configure a computer to participate in the network. Some of the applications also include a variety of utilities to make finding networks easier. In some cases the utilities will configure and open a network connection for the user without telling the suspect user. This might provide a thin veil of deniability to the suspect user, depending on a variety of factors. One factor that could be used to prove intent, and that a crime had occurred, would be the presence of tools to break the thin encryption called Wired Equivalent Privacy (WEP) on the suspect machine. This would be especially true if the WEP key was also on the suspect machine, showing a true one-in-a-million chance of having the key. WEP has the interesting place of being a poor method of securing a network, but it would serve to show intention to use the network. The simple existence of tools on a computer system should not be used to prove culpability, as there are a variety of network administration tasks that would explain the existence of the tools on a suspect computer.
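The two commands above produce text that is usually saved by redirection and then read by hand. As an added example (not part of the paper, and not a tool the paper describes), the following Python code parses the Windows XP layout of “ipconfig /all” and “arp -a” output into structured records, computes the DHCP lease length from the Lease Obtained/Expires fields, and resolves each adapter’s default gateway to the MAC address recorded in the ARP cache, which is the “provisioning host” the text refers to. The sample output embedded in the code is constructed; every host name, adapter description and address in it is invented, and the lease-timestamp format assumes an English-locale system.

```python
import re
from datetime import datetime

# Constructed sample output in the layout Windows XP prints for "ipconfig /all".
# All host names, addresses and adapter descriptions are invented for this example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : suspect-laptop
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Generic 802.11b/g Wireless Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.103
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        Lease Obtained. . . . . . . . . . : Monday, October 30, 2006 7:41:12 PM
        Lease Expires . . . . . . . . . . : Tuesday, October 31, 2006 7:41:12 PM

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Generic 10/100 Ethernet Controller
        Physical Address. . . . . . . . . : 00-AA-BB-CC-DD-EE
"""

# Constructed sample output in the layout of "arp -a" on the same machine.
SAMPLE_ARP = """\
Interface: 192.168.1.103 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-41-aa-bb-cc     dynamic
  192.168.1.100         00-0d-93-11-22-33     dynamic
"""

SECTION_RE = re.compile(r"^(\S[^:]*):\s*$")          # "Ethernet adapter Wireless Network Connection:"
FIELD_RE = re.compile(r"^\s+(.*?)[ .]*: ?(.*)$")      # "Key . . . . : value" (dots pad the key)
ARP_IFACE_RE = re.compile(r"^Interface:\s+(\d+\.\d+\.\d+\.\d+)")
ARP_ENTRY_RE = re.compile(
    r"^\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)")
LEASE_FMT = "%A, %B %d, %Y %I:%M:%S %p"              # lease timestamps on an English-locale system


def normalize_mac(mac):
    """Upper-case, dash-separated form so MACs from different sources compare equal."""
    return mac.strip().upper().replace(":", "-")


def parse_ipconfig(text):
    """Return {section: {field: value}}; settings above the first adapter land in "_global"."""
    sections, current = {"_global": {}}, "_global"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m:   # continuation lines (e.g. a second DNS server) have no colon and are skipped
            sections[current][m.group(1).strip()] = m.group(2).strip()
    return sections


def parse_arp(text):
    """Return [{interface, ip, mac, type}] for each ARP cache entry."""
    entries, iface = [], None
    for line in text.splitlines():
        m = ARP_IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ARP_ENTRY_RE.match(line)
        if m:
            entries.append({"interface": iface, "ip": m.group(1),
                            "mac": normalize_mac(m.group(2)), "type": m.group(3)})
    return entries


def connected_adapters(sections):
    """Adapters that hold an IP address and are not reported as media disconnected."""
    return [name for name, f in sections.items()
            if name != "_global" and "IP Address" in f
            and f.get("Media State", "") != "Media disconnected"]


def lease_duration(adapter_fields):
    """Length of the DHCP lease, or None when the adapter was not provisioned by DHCP."""
    try:
        obtained = datetime.strptime(adapter_fields["Lease Obtained"], LEASE_FMT)
        expires = datetime.strptime(adapter_fields["Lease Expires"], LEASE_FMT)
    except (KeyError, ValueError):
        return None
    return expires - obtained


def gateway_macs(sections, arp_entries):
    """For each adapter with a default gateway, the gateway's MAC as seen in the ARP cache."""
    by_ip = {e["ip"]: e["mac"] for e in arp_entries}
    return {name: (f["Default Gateway"], by_ip.get(f["Default Gateway"]))
            for name, f in sections.items() if f.get("Default Gateway")}
```

The point of normalizing MAC addresses is that the same address is printed with dashes by Windows and with colons by most access points; comparing the raw strings would miss a genuine match. The lease window and the gateway MAC are the two values most worth carrying forward when the suspect-side output is later compared with what the victim’s equipment recorded.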

Evidence from a victim’s system

A victim may or may not understand immediately that their system holds several of the key pieces of evidence of an intrusion. Specifically, the victim’s access points or wireless routers may contain log files of the suspect system, though most consumer devices do not. The victim’s computer may show a variety of connections, such as the configuration of the suspect machine as shown in its ARP tables. If the suspect machine shows up in the ARP tables of the victim’s computers then it is highly likely that the suspect’s machine has been actively participating on the victim’s network. Wireless access devices are often set up as local area network Dynamic Host Configuration Protocol (DHCP) servers. This is relatively prevalent in the consumer and small business markets. The DHCP service provides configuration information dynamically to requesting computers wishing to participate in the network. On some Windows systems DHCP will configure a computer without ever asking the user whether they actually wish to participate in a network. On a variety of consumer and enterprise grade devices it is possible to pull a report on the systems that have been provisioned via DHCP. These tables usually depict the IP address of the systems participating in the network along with the MAC address. This is one very simple method to see whether a computer is participating in the network.

Figure 4 Screenshot taken from a Linksys Wireless 802.11b wireless access point. The figure depicts the client machine name, IP address, MAC address, and the interface showing wireless. Screenshot by the author.

Much like an investigator would access the suspect device, the investigator can query the victim’s computer and ascertain a variety of information. However, there is the possibility that little can be found on the victim’s machines and the investigator may have to try a variety of tactics to locate evidence that the suspect has gained access without permission.
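The previous two sections describe three independent records of the same event: the suspect’s ipconfig output, the access point’s DHCP client table (Figure 4) and the ARP cache of the victim’s computer. As an added example (not part of the paper), the code below cross-checks those records and separates findings that tie the specific device to the network (a MAC address appearing in the victim’s records) from findings that are merely consistent with access (an IP address or DHCP server address, which many consumer networks share). All records are constructed; the field names, the observation time and the scoring weights are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime


def normalize_mac(mac):
    """Upper-case, dash-separated form so MACs from different sources compare equal."""
    return mac.strip().upper().replace(":", "-")


# Constructed records standing in for the three evidence sources discussed in the text.
SUSPECT = {                       # from ipconfig /all on the seized laptop (constructed)
    "host_name": "suspect-laptop",
    "mac": "00-11-22-33-44-55",
    "ip": "192.168.1.103",
    "dhcp_server": "192.168.1.1",
    "lease_obtained": datetime(2006, 10, 30, 19, 41, 12),
    "lease_expires": datetime(2006, 10, 31, 19, 41, 12),
}
VICTIM_AP = {                     # the access point's LAN address and DHCP client table (constructed)
    "lan_ip": "192.168.1.1",
    "dhcp_clients": [
        {"hostname": "family-pc", "ip": "192.168.1.100", "mac": "00-0d-93-11-22-33", "interface": "LAN"},
        {"hostname": "suspect-laptop", "ip": "192.168.1.103", "mac": "00:11:22:33:44:55", "interface": "Wireless"},
    ],
}
VICTIM_PC_ARP = [                 # arp -a on the victim's desktop (constructed)
    {"ip": "192.168.1.1", "mac": "00-0C-41-AA-BB-CC"},
    {"ip": "192.168.1.103", "mac": "00-11-22-33-44-55"},
]
OBSERVED_AT = datetime(2006, 10, 30, 21, 0, 0)     # when the victim reported the intrusion (constructed)
OBSERVED_LATE = datetime(2006, 11, 2, 9, 0, 0)     # an observation time outside the recorded lease


@dataclass
class Corroboration:
    strong: list = field(default_factory=list)   # findings that tie the specific device to the network
    weak: list = field(default_factory=list)     # findings consistent with access but not unique
    conflicts: list = field(default_factory=list)

    def score(self):
        return len(self.strong) * 2 + len(self.weak) - len(self.conflicts) * 2


def corroborate(suspect, ap, victim_arp, observed_at):
    """Compare the suspect-side configuration with the victim-side records."""
    result = Corroboration()
    smac = normalize_mac(suspect["mac"])

    # 1. The AP's DHCP client table is the victim-side record of who was provisioned.
    leases = [c for c in ap["dhcp_clients"] if normalize_mac(c["mac"]) == smac]
    if leases:
        lease = leases[0]
        result.strong.append(f"suspect MAC {smac} present in AP DHCP client table")
        if lease["interface"].lower().startswith("wireless"):
            result.strong.append("AP recorded the lease on the wireless interface")
        if lease["ip"] == suspect["ip"]:
            result.weak.append(f"lease IP {lease['ip']} matches suspect's configured IP")
        else:
            result.conflicts.append(f"AP lease IP {lease['ip']} differs from suspect IP {suspect['ip']}")
        if lease["hostname"] == suspect["host_name"]:
            result.weak.append("DHCP hostname matches suspect's Host Name")

    # 2. Weak on its own: many consumer networks use the same private address for the gateway.
    if suspect["dhcp_server"] == ap["lan_ip"]:
        result.weak.append(f"suspect was provisioned by DHCP server {ap['lan_ip']} (victim AP address)")

    # 3. The victim PC's ARP cache lists hosts it actually exchanged frames with.
    if any(normalize_mac(e["mac"]) == smac for e in victim_arp):
        result.strong.append("suspect MAC present in victim computer's ARP table")

    # 4. The observation should fall inside the lease window recorded on the suspect machine.
    if suspect["lease_obtained"] <= observed_at <= suspect["lease_expires"]:
        result.weak.append("observation time falls inside suspect's DHCP lease window")
    else:
        result.conflicts.append("observation time outside suspect's DHCP lease window")
    return result
```

The separation into strong and weak findings mirrors the text’s warning about the “IP Address” field: an address match alone proves little, while a MAC address recorded by the victim’s equipment, on its wireless interface, is what actually connects this device to this network. A conflict such as an observation outside the lease window does not refute access, but it is exactly the kind of gap a defense attorney would raise, so it is reported rather than silently ignored.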

The network

Evidence found outside the victim computer and suspect computer may still reside in the crime space. The space between the criminal and the victim in this situation is the network, and unlike wired networks, the wireless world does not require a direct physical connection. To describe and define this space it must be assumed that participation in the network can only be controlled by signal strength and by the protection strategies imposed on the network traffic. The radio frequency signal will be detectable even if unintelligible. A computing device can run a variety of tools to “sniff” the airwaves and listen to network traffic as it occurs. This traffic can occur in the open without any protections, or it can be encrypted in a variety of ways by the victim’s system. In either case the investigator, given the opportunity, can watch the traffic of a suspect in real time as it occurs across the network. Though often considered part of the intrusion detection discipline, the investigator can use the same tools to find network packets of particular interest sent across the network. As an example: the investigator, with permission of the network owner, sits in the parking lot with a wireless laptop configured to work on the owner/victim’s network. Running a tool known as a network sniffer, the investigator records and watches network traffic as a suspect opens a web browser session and accesses a variety of nefarious websites. Upon seizure of the suspect laptop, time and date stamps can corroborate the suspect’s activities against the recorded network traffic. Simple tools like high-gain antennas can also allow an investigator to target a suspect with a high degree of precision to view traffic and radio frequency emanations from the suspect. High-gain antennas shape the signal and reception characteristics of an antenna, much as a parabolic microphone can be directed at an individual to pick up only their conversation.
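The scenario above ends with time and date stamps from the seized laptop being compared against recorded network traffic. As an added example (not part of the paper, and not a description of any particular sniffer), the code below reads the libpcap file format that sniffers commonly write, extracts the timestamp and source address of each frame, builds a per-device activity timeline, matches it against timestamps recovered from the seized machine, and records a SHA-256 digest of the capture so its integrity can be re-verified later. The capture is constructed in memory; it assumes a little-endian pcap with Ethernet link type (as produced by a wireless adapter in ordinary managed mode), not the 802.11 or radiotap link types a monitor-mode capture would carry, and the “browser history” timestamps are invented.

```python
import hashlib
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

BASE = datetime(2006, 10, 30, 20, 15, 0, tzinfo=timezone.utc)   # start of the constructed session
# Timestamps recovered from the seized laptop's browser history (constructed).
SAMPLE_HOST_EVENTS = [BASE + timedelta(seconds=1), BASE + timedelta(minutes=10)]


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split("-"))


def fmt_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)


def build_sample_capture():
    """Constructed capture: three frames involving the suspect MAC and one from another client."""
    suspect, other, gateway = "00-11-22-33-44-55", "00-0D-93-11-22-33", "00-0C-41-AA-BB-CC"
    base = int(BASE.timestamp())
    frames = [
        (base + 0, 120000, suspect, gateway),
        (base + 1, 250000, gateway, suspect),
        (base + 90, 10000, other, gateway),
        (base + 185, 500000, suspect, gateway),
    ]
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for sec, usec, src, dst in frames:
        # dst MAC, src MAC, EtherType 0x0800 (IPv4), then a zero-filled body (constructed)
        payload = mac_bytes(dst) + mac_bytes(src) + b"\x08\x00" + b"\x00" * 46
        out += RECORD_HDR.pack(sec, usec, len(payload), len(payload)) + payload
    return bytes(out)


def parse_pcap(data):
    """Return [(timestamp, src_mac, dst_mac)] for each Ethernet frame in a little-endian pcap."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian pcap with Ethernet link type is handled here")
    offset, frames = GLOBAL_HDR.size, []
    while offset + RECORD_HDR.size <= len(data):
        sec, usec, incl_len, _ = RECORD_HDR.unpack_from(data, offset)
        offset += RECORD_HDR.size
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 14:          # truncated record: too short for an Ethernet header
            continue
        ts = datetime.fromtimestamp(sec, tz=timezone.utc) + timedelta(microseconds=usec)
        frames.append((ts, fmt_mac(frame[6:12]), fmt_mac(frame[0:6])))
    return frames


def timeline_by_source(frames):
    """Group frame timestamps by transmitting MAC: the per-device activity timeline."""
    tl = defaultdict(list)
    for ts, src, _ in frames:
        tl[src].append(ts)
    return dict(tl)


def corroborate_events(frame_times, host_events, tolerance=timedelta(seconds=5)):
    """Host-side timestamps that coincide (within tolerance) with a captured frame from the device."""
    return [ev for ev in host_events if any(abs(ev - t) <= tolerance for t in frame_times)]


def capture_digest(data):
    """Digest recorded at acquisition so the capture's integrity can be re-verified in court."""
    return hashlib.sha256(data).hexdigest()
```

Two practical details matter here. First, the capture’s clock and the seized machine’s clock are independent, so the tolerance window has to be chosen from a measured clock offset rather than assumed to be zero; the five-second default is only a placeholder. Second, the digest is computed over the entire file at the moment of acquisition and written into the case notes; any later re-computation that differs means the capture can no longer be presented as the recording that was made.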

What does the literature say about the problem

Though there are a variety of tools to assess and attempt to provide evidence that a computer has participated in a network, there are also consistent threads of tools that are meant to make the investigator’s job more difficult. Virtual Machine (VM) technologies, spoofing of MAC addresses, Virtual Private Networks (VPN), and several other widespread technologies can obscure or destroy digital evidence. So, while the computer forensics investigator may have a multitude of tools to assist in an investigation, there are also a similar number of tools attempting to create forensic resistance. As detailed earlier, the suspect and victim space can be analyzed and provide evidentiary proof of the associated crimes of trespass or theft of services if done in a timely manner. Within the network space, tools such as sniffers and intrusion detection technologies are based on prior knowledge that a rogue device is currently on the network. It is simple to look at a network and see that when there should be ten devices active there are now eleven or more. What is more difficult is proving after the fact that a device that is forensically resistant, using tools to obscure or destroy digital evidence, has been participating. There is rudimentary research into forensically fingerprinting a transmitter. Proposed methods include accessing the MAC sub-layer in 802.11 transmitters and taking timing measurements of transmitters. By observing the radios, the monitor can estimate the characteristics of the transmitters and likely tie a transmission back to a particular transmitter (Sieka, 2006). If assessing the identity of a transmitter could be done in the path from the access point to the clients, the ability to identify a particular transmitter would be greatly improved. Listening to the network, it has been possible with 802.11b to fingerprint a network participant by looking at the frequency artifacts of the transmitters involved in the network.
Since these artifacts recur as often as the transmitter is engaged, they are easily captured, creating a definitive example of how the transmitter is working. These artifacts or anomalies allow for a higher grade of radio frequency fingerprinting (Hall, Barbeau, & Kranakis, 2005). This would mean that the investigator would have the ability to tie participation in a network to the physical level. This makes the case much stronger by showing not only the logical level of participation, as provisioned on a network, but also the physical layer of participation, thereby tying a machine to a particular set of behaviors.
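The fingerprinting research cited above turns radio artifacts into per-transmitter signatures. As an added example (not the method of Sieka or of Hall, Barbeau and Kranakis, and not part of this paper), the code below shows the classification step in its simplest form: reference recordings of known transmitters are reduced to a mean and spread per feature, and an unknown frame is attributed only when it lies close to exactly one profile. The feature values (a carrier frequency offset in kHz and a transient rise time in microseconds) are constructed numbers; the code assumes such features have already been extracted from the radio signal by a measurement front end, which is where the real difficulty of the cited work lies.

```python
from math import sqrt
from statistics import mean, pstdev

# Constructed feature samples: (carrier frequency offset in kHz, transient rise time in us)
# for three known transmitters recorded under controlled conditions. Invented values.
REFERENCE = {
    "tx-A": [(12.1, 3.1), (12.3, 3.0), (11.9, 3.2), (12.0, 3.1), (12.2, 2.9)],
    "tx-B": [(-4.2, 2.0), (-4.0, 2.1), (-4.1, 1.9), (-4.3, 2.0), (-3.9, 2.2)],
    "tx-C": [(12.4, 1.5), (12.6, 1.6), (12.2, 1.4), (12.5, 1.5), (12.3, 1.6)],
}


def build_profiles(reference):
    """Per-transmitter (mean, spread) for each feature; spread floored so a constant feature cannot divide by zero."""
    profiles = {}
    for name, samples in reference.items():
        columns = list(zip(*samples))
        profiles[name] = [(mean(c), max(pstdev(c), 1e-6)) for c in columns]
    return profiles


def distance(sample, profile):
    """Spread-normalised Euclidean distance: how many standard deviations away on each feature."""
    return sqrt(sum(((x - m) / s) ** 2 for x, (m, s) in zip(sample, profile)))


def attribute(sample, profiles, threshold=3.0, margin=2.0):
    """Name of the unique transmitter within threshold, or None when nothing or more than one qualifies."""
    ranked = sorted((distance(sample, p), name) for name, p in profiles.items())
    best_d, best = ranked[0]
    if best_d > threshold:
        return None                    # nothing close enough: inconclusive
    if len(ranked) > 1 and ranked[1][0] - best_d < margin:
        return None                    # runner-up too close: ambiguous
    return best
```

Note that tx-A and tx-C overlap almost completely on frequency offset and are separated only by the transient feature; a single feature would not distinguish them, which is why the cited work looks at several artifacts at once. The deliberate refusal to attribute when the result is ambiguous is what makes this kind of evidence defensible: a fingerprint that names a transmitter in every case, including close calls, is exactly what the “appearances can be deceiving” objection in the Significance section is aimed at.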

Suggested method for proving suspects are accessing a network

Unfortunately, as forensic investigators or law enforcement officers we cannot rely on a suspect simply to plead guilty every time. Further, as judges see more cases (especially high-profile cases), allowing a suspect to plead guilty may not be a solution. A thorough investigation into an issue should show data from the suspect’s computer, data from the victim’s computer and, to prove the physical aspects, data from the physical world such as radio frequency fingerprinting of the transmitter.

Figure 5 The three areas of the crime are depicted to show the related parts and the only area where all of the parts seem to meet. Figure by the author.

In figure 5 the suspect computer, victim computer, and network are interconnected. The data passing between the suspect and the victim is what is stolen. The network interface cards are the links through the network. Since the network layer connects the suspect and the victim and, in the wireless world, is itself a participant in the network (circular, but good for the following analogy), the network becomes a witness to the crime. When looking at the agents that affect the network, namely the Network Interface Cards (NICs), the network becomes the agent of transferal. The investigator, within the rule of law, can manage and watch the network itself to see the participating computers on the network and ascertain the level or type of use. This paper suggests the creation of a tool suite that would allow the investigator to watch the network in a dynamic state while storing the data observed in a static state that would allow for perusal (much as a telephone call can be taped and used as evidence in a criminal trial) and analysis at a later date. If the tools were built in such a way that they complied with the rules of evidence and were vetted by knowledgeable experts, they could provide valuable evidence that currently is not being analyzed. The science to provide evidence with this method and the tools to accomplish this type of solution exist currently.
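The tool suite proposed above has to turn dynamic observations into a static record that can be shown, later, to be the record that was made at the time. As an added example (not part of the paper, and not a description of any existing tool), the code below keeps network observations in an append-only log in which each entry’s hash covers both its own content and the previous entry’s hash, so that altering, inserting or deleting any entry after the fact is detectable. The observer name, the observations and the timestamps are constructed; the record layout is an assumption made for this illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # hash the first entry is chained to


def record_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash and the canonical JSON form of this record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode("utf-8")).hexdigest()


class EvidenceLog:
    """Append-only log of network observations; every entry commits to all earlier ones."""

    def __init__(self, observer):
        self.observer = observer
        self.entries = []           # list of {"record": {...}, "hash": "..."}

    def append(self, observed_at, observation):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "observer": self.observer,
                  "observed_at": observed_at.isoformat(), "observation": observation}
        self.entries.append({"record": record, "hash": record_hash(prev, record)})
        return self.entries[-1]["hash"]


def verify(entries):
    """Return (True, None) if the chain is intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["record"].get("seq") != i or record_hash(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None


def sample_log():
    """Three constructed observations of the kind a passive network monitor would record."""
    log = EvidenceLog("investigator-1 (constructed)")
    t0 = datetime(2006, 10, 30, 20, 15, 0, tzinfo=timezone.utc)
    log.append(t0, {"event": "association", "client": "00-11-22-33-44-55",
                    "bssid": "00-0C-41-AA-BB-CC"})
    log.append(t0.replace(minute=16), {"event": "dhcp_ack", "client": "00-11-22-33-44-55",
                                       "ip": "192.168.1.103"})
    log.append(t0.replace(minute=18), {"event": "http_request", "client": "00-11-22-33-44-55",
                                       "host": "example.net"})
    return log


def tamper_demo():
    """Alter one stored observation after the fact and report where verification breaks."""
    log = sample_log()
    log.entries[1]["record"]["observation"]["ip"] = "192.168.1.104"
    return verify(log.entries)
```

The sequence number inside each record is what catches a deleted entry: without it, removing the last entry would leave a chain that still verifies. In practice the final hash would also be written into the investigator’s notes or timestamped by a third party at the end of the session, since a chain that is entirely under one person’s control can be rebuilt from scratch; the chain proves internal consistency, and the externally recorded final hash proves that this is the chain that existed at the time.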

Discussion (conclusion)

In conclusion, the thesis that there are methods to provide evidentiary-level proof of a wireless device participating in a wireless local area network holds. There are few if any tools available to the general public that can provide evidentiary proof of participation in a network. Most investigations into this type of illegal behavior would result in corroboration of the suspect having accessed a network, but would not rise to the level of proving that network access was wanton or with intent. Since many current computers will participate in wireless networks without user intervention, detecting malevolent users is difficult. That leaves a subset of individuals who have actively compromised the wireless network in an attempt to gain access with intent to steal services or commit other computer-related crimes. Evidence such as WEP keys found on the suspect’s machine can provide an evidentiary path showing intent. However, even at this level there exist tools to keep that kind of information out of the investigator’s hands. A multi-pronged investigation would include and provide evidence that the radio of a particular device participated in the network. Tying that element in with the network traffic of that device would allow for a deeper level of investigation. Having multiple methods of proving that the suspect computer was accessing a network would support the thesis and show that this type of forensic investigation is possible. In the future it would be valuable to see investigators include some basic tools for checking or evaluating a suspect’s system in real time. Since smart devices, dumb terminals, and a variety of VM technologies have started to become prevalent, having a way of tying the pieces together is becoming more important.

Future research and scholarship….

References

Adelstein, F. (2006). Live forensics: Diagnosing your system without killing it first. Communications of the ACM, 49(2), 63-66.

Carrier, B. (2006). Risks of live digital forensic analysis. Communications of the ACM, 49(2), 56-61.

Daubert v. Merrell Dow Pharmaceuticals, 509 U.S., 113 S. Ct. 2786, 125 L. Ed. 2d 469 (1993).

Hall, J., Barbeau, M., & Kranakis, E. (2005). Radio frequency fingerprinting for intrusion detection in wireless networks. IEEE Transactions on Dependable and Secure Computing.

Kelley, R. (2005, July 7). Man charged with wireless trespassing. Retrieved October 30, 2006, from http://money.cnn.com/2005/07/07/technology/personaltech/wireless_arrest/

Lee, H. C., Palmbach, T., & Miller, M. T. (2001). Henry Lee’s crime scene handbook. Academic Press.

Shpantzer, G., & Ipsen, T. (2002). Law enforcement challenges in digital forensics. Paper presented at the 6th National Colloquium for Information Systems Security Education, Redmond, WA.

Sieka, B. (2006). Active fingerprinting of 802.11 devices by timing analysis. Paper presented at the 3rd IEEE Consumer Communications and Networking Conference.

The Associated Press. (2005). Florida man charged with stealing Wi-Fi signal. Online. Retrieved October 30, 2006, from http://www.usatoday.com/tech/news/techpolicy/2005-07-07-wifitheft_x.htm?csp=34
