A Wi-Fi Router as a Witness Device
Note: attached is the full document in .pdf format and is awesome reading for forensic investigators!
Download A WiFi Router as a Witness Device Full Document!
Witnesses often are crucial elements in solving and prosecuting criminal or civil violations. We now regularly use data that various technologies record. Digital witness devices provide a source of largely unbiased and dependable information to the investigator and prosecutor. However, many often ignore or do not even recognize commonly available electronics as potential witness devices. One such device is the wireless router found in most homes and businesses.
As with any witness, some sort of vetting and consideration is wise. Reliability, bias, memory, physical abilities, etc., all can be factors that play roles in the use of digital witness devices and the use of their data. Whether you consider data from digital cameras, microphones, cell phones, computers, or Wi-Fi (wireless) routers, you should approach each with an open eye and determine clearly what each actually offers to your investigation. Data typically is reliable; how you interpret and present that data is key to its ultimate usefulness.
Do not miss how a WIFI Router can be a witness!
An often overlooked digital witness device is a router, particularly, a Wi-Fi router. These devices must internally note the Media Access Control (MAC address, or internal, electronic serial number of a network card) for every device that connects to it. If the router is logging connections, capturing the BSSID is a serial number that a cellular provider can use to provide subscriber information. For instance, if a suspect involved in the incident has her phone set automatically to connect to Wi-Fi, it will connect to any open Wi-Fi router in the area. If your suspect previously connected using a password, his phone likely will automatically connect to the same Wi-Fi router again. The big IF: if the router is set to log connections, that log entry will record the MAC address of the suspect phone in the area at the time of your incident.
Accessing the router involves rather simple steps, but these are largely unknown (and potentially intimidating) to the average investigator with no computer or digital forensic training. Using basic command line queries to determine the default (wireless) gateway IP address, a normal Internet browser can access the administrative interface of a locally connected wireless router.
Once connected, the investigator will need to use a default login and password (or a particularized login and password) to access fully the router’s settings and logs. Note that while accessing the router, an investigator will need to remain cognizant of liabilities present while working in the router room of a business or other limited-access area.
If the investigator is successful in capturing a relevant MAC address for a device that connected during an incident, cellular providers can use that MAC identifier to provide subscriber account information related to that particular period. In addition, the investigator should be knowledgeable of this process to further leverage any data acquired from a mobile device, such as a cellular phone. If the data from a phone shows a wireless connection to a particular “SSID” (Service Set Identifier, also known as the wireless network name), the data also will show a “BSSID” (Basis Service Set Identifier). The BSSID is an electronic serial number assigned to every router. Many phones may show a connection to MacDonald’s or Starbuck’s, but every router at either corporate location will show one particular “BSSID”. In effect, every Wi-Fi router will have an individually assigned BSSID that reflects the manufacturer code and its own serialized code. The first half (the first three sets of double characters) of the MAC address comprises an Organizationally Unique Identifier (OUD). You can check these OUI’s online to determine the type of device for which you are searching.
If the investigator can establish a connection between a suspect device and a particular Wi-Fi router, it is a definitive indication that the device was in the router’s vicinity. Does that invariably state that the suspect was present at the place and time? No. Does it, however, establish that the device was present at the place and time? Definitively yes. While circumstantial, this evidence may provide a lead nowhere else available.
While there are a number of caveats both necessary for this process to work and to keep the investigator safe from liability, accessing the router and exploiting the data in as forensically safe a manner as possible provide a largely untapped resource freely available to any investigator. Any “who-done-it” crime scene is ripe for this exploitation and available for any agency to exploit at no cost. Please refer to the full text of my paper for an in depth discussion and explanation of the suggested processes.
Caveat: The content of this communication is entirely my own and does not reflect the opinions of or endorsement by any federal agency or the government as a whole.
Author: Daniel is a Special Agent with ATF's Digital Forensics Branch. He has thirty-one one years in law enforcement, twenty four of those in the Federal system. He holds a BS in Computer Information Systems and a MS in Cyber Security. He believes that bringing multiple skill sets to problems results in better solutions. He welcomes questions and comments. You may view his LinkedIn profile at https://www.linkedin.com/in/danielarrugueta/.
Editors Note - Dan is a super friend and one of the most innovative Cyber Forensic Investigators. He is truly dedicated to finding the truth and is way ahead of his time. He is a Cyber Instructor and works with many organizations. He is one of a kind!