Wireless Security Flashcards

1
Q

Dynamic Host Configuration Protocol (DHCP)

A

Client-server protocol that allows the dynamic assignment and configuration of IP addresses to hosts on a network. Configuration includes the subnet mask and default gateway.

Routers, firewalls and servers get static IP addresses, whilst desktop/personal devices are assigned dynamic IP addresses via DHCP.

View DHCP Activity in Windows Event Viewer – viewing DHCP logs will display MAC addresses of devices that connected to a specific router.

DHCP can be handled by a router or a server, and you may be able to identify a DHCP server by monitoring traffic on ports 67 and 68.

2
Q

Event Logs

A

The Windows event log is an in-depth record of system, security and application events stored on a Windows operating system. Event logs can be used to track system and some application issues and to forecast future problems.

3
Q

Forensic Evidence of Wi-Fi connection (Windows)

A

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

4
Q

Forensic Evidence of Wi-Fi connection (Apple)

A

/Library/Preferences/SystemConfiguration/com.apple.airport.preferences

5
Q

Forensic Evidence of Wi-Fi connection (iOS)

A

com.apple.wifi.plist, found in the folder /private/var/preferences/SystemConfiguration

6
Q

Forensic Evidence of Wi-Fi connections (Android)

A

wpa_supplicant.conf (lists all accepted networks and security policies, including pre-shared keys)

com.google.android.gms/databases/herrevad

7
Q

Search & Seizure Wireless devices

A

A whole range of wired and wireless devices may be encountered:

  • Network devices which connect individual systems or provide network functionality: Switches, hubs, routers, firewalls (or devices which combine all three).
  • Devices to connect individual computers to the network, such as network cards (which can also be embedded within the computer)
  • Devices to set up a wireless network: Wireless Access Points.
  • Printers and digital cameras.
  • Bluetooth (small range wireless) devices – PDAs, mobile phones, dongles.
  • Hard drives which can be connected to the network.
8
Q

Search & Seizure Wireless network detection

A
  • Identify and check network devices to see how much network or Internet activity is taking place. Consider using a wireless network detector to determine whether wireless is in operation and to locate wireless devices. Consideration should also be given to mobile Internet devices such as 3G or GPRS dongles or phones, which operate using the mobile phone network;
  • As you do so, consider photographing the layout of the network and the location of the machines connected to it, so as to allow a possible future reconstruction;
  • Once satisfied that no data will be lost as a result, you may isolate the network from the Internet. This is best done by identifying the connection to the telephone system or wireless communications point and unplugging it from the telephone point. Keep modems and routers running, as they may need to be interrogated to find out what is connected to them. Owing to their nature, it is particularly difficult to ascertain what is connected to a wireless network;
  • Trace each wire from the network devices to discover the computer to which it is connected. This may not be possible in premises where cables may be buried in conduits or walls (advice in this case should be sought from the local IT administrator, if available, as to the set up of the system). Make a note of each connection. Note which computer is connected to which number ‘port’ on the network device (hub / switch / router or multi function device). Label each connection in such a way that the system can be rebuilt exactly as it stands, should there be any future questions as to the layout. It is highly recommended that pictures be taken of the setup;
  • Consider making a connection to the access point/router in order to establish the external IP address. Most modern networks use Network Address Translation (NAT), which means that the internal devices communicate with an internal IP address and are never assigned an external one. In a wireless environment, remember that no cables are used between a PC and other devices. However, there will still be some physical cabling to each device (which could include a network cable to the wired network, power cables etc.), the configuration of which should be recorded. Please also note that Cable / ADSL modems can have wireless capabilities built in;
  • Once satisfied that the evidential impact is acceptable, you may remove each connection in turn from the network device once it has been identified. This will isolate each computer in turn from the network. The same can be done with cabling into wireless devices;
  • Seize and bag all network hardware, modems, original boxes and CDs / floppy disks etc. (provided they are easily removable);
  • Subsequently treat each device as you would a stand-alone device;
  • Remember that the data which is sought may be on any one of the computers on the network. Officers should make a decision based on the reasonable assumption that relevant data may be stored on a device before seizing that device;
  • Bear in mind the possibility that the network may be a wireless network as well as a wired one, i.e. certain computers may be connected to the network via conventional network cabling. Others may be connected to that same network via the mains system, and others may be connected via a wireless link;
  • Also, bear in mind that any mobile phones and PDAs may be wireless or Bluetooth enabled and connected to a domestic network.
9
Q

Search & Seizure Mobile Devices

A
  1. Secure and take control of the area containing the equipment. Do not allow others to interact with the equipment;
  2. Photograph the device in situ, or note where it was found, and record the status of the device and any on-screen information;
  3. If the device is switched on, power it off. It is important to isolate the device from receiving signals from a network to avoid changes being made to the data it contains. For example, it is possible to wipe certain devices remotely, and powering the device off will prevent this. However, in exceptional circumstances the decision may be made to keep the device on: where timely access to the handset data is critical, the decision may be made to leave the device switched on. Consideration may be given to placing the handset in a Faraday environment to further prevent signal reception. In such circumstances advice should be sought from the DFU;
  4. Seize cables, chargers, packaging, manuals, phone bills etc., as these may assist the enquiry and minimise the delays in any examination;
  5. Packaging materials and associated paperwork may be a good source of PIN/PUK details;
  6. Be aware that some mobile phone handsets may have automatic housekeeping functions which clear data after a number of days. For example, some Symbian phones start clearing call/event logs after 30 days, or any other user-defined period. Submit items for examination as soon as possible.