Wireless and Mobile Network Investigation
Part II.B. Techniques and Tools: Network Forensics
CSF: Forensics Cyber-Security
Fall 2015
Nuno Santos

Summary
- WiFi network investigations
- Cellular network investigations

CSF - Nuno Santos
2015/16

Remember where we are
- Our journey in this course:
  - Part I: Foundations of digital forensics
  - Part II: Techniques and tools
    - A. Computer forensics
    - B. Network forensics (current focus)
    - C. Forensic data analysis

Previously: Obtaining evidence from networks
- Traffic analysis techniques
  - Packet and flow analysis
  - Intrusion detection systems
  - NetFlow devices
  - ISPs' DPI devices

Today: Focus on wireless and mobile networks
- # wireless (mobile) phone subscribers now exceeds # wired phone subscribers (5-to-1)!
- # wireless Internet-connected devices equals # wired Internet-connected devices
- Laptops, Internet-enabled phones promise anytime untethered Internet access
- Two important (but different) challenges:
  - Wireless: communication over wireless link
  - Mobility: handle mobile user who changes point of attachment to network

Many wireless network technologies out there
- AM/FM radios
- Wireless doorbells
- Cordless phones
- Cell phones
- Zigbee devices, such as HVAC, thermostat, lighting, and electrical controls
- Bluetooth headsets
- Wi-Fi (802.11): LAN networking over RF
- Infrared devices, such as TV remotes
- WiMAX (802.16): "last-mile" broadband

Trend is for wireless-connected devices to grow
[Figure: landscape of wireless devices connected to the Internet]

Wireless devices (will) play crucial role in crime
- Mobile devices create new opportunities for criminals
- While providing valuable sources of evidence

Why investigate wireless networks?
- Recover stolen laptop by tracking it on a wireless network
- Identify rogue wireless APs that have been installed by insiders for convenience or to bypass enterprise security
- Investigate malicious or inappropriate activity that occurred via a wireless network
- Investigate attacks on the wireless network itself, including DoS, encryption cracking, authentication bypass attacks

Our focus today is on investigating…
1. WiFi networks
2. Cellular networks

WiFi network investigations

WiFi networks defined and justified
- The term "Wi-Fi" refers to wireless networks as defined by the IEEE 802.11 standards
- We focus on 802.11 "Wi-Fi" networks because:
  - They are ubiquitous
  - Can use many of our previously discussed forensic techniques

802.11 LAN architecture in infrastructure mode
- Wireless host communicates with base station
  - Base Station = Access Point (AP)
  - Acts as wireless hub
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  - wireless hosts
  - access point (AP): base station
- Often, networks have multiple APs with same SSID
[Figure: two APs (AP 1, AP 2), each with its BSS, connected through a hub, switch or router to the Internet]

Wireless traffic capture: What info can be obtained?
- Investigators can obtain a great deal of info:
  - Broadcast SSIDs
  - Wireless AP MAC addresses
  - Supported encryption/authentication algorithms
  - Associated client MAC addresses
  - In many cases, the full Layer 3+ packet contents
- Encrypted Wi-Fi traffic can be decrypted offline
  - As long as we obtain the encryption keys

It may be challenging to spot wireless traffic
[Figure only]

Spectrum analysis
- For Wi-Fi traffic, the IEEE utilizes 3 frequency ranges:
  - 2.4 GHz (802.11b/g/n)
  - 3.6 GHz (802.11y)
  - 5 GHz (802.11a/h/j/n)
- Frequency ranges are divided into distinct channels
  - E.g., the IEEE has specified 14 channels in the 2.4 GHz range
- Spectrum analyzers can monitor RF frequencies
  - E.g., Wi-Spy ($100-$1000)

Wireless passive evidence acquisition
- Need an 802.11 wireless card in monitor mode
  - Enables capture of all packets, not just those destined for the host
  - NB: Some restrictions are imposed by the wireless cards; they are not fundamental!
- RF waves travel through the air, which is a shared medium
  - As a result, WLAN traffic cannot be physically segmented
  - Therefore, all WLAN transmissions may be observed and intercepted by all stations within range

Tools to collect and analyze traffic
- Essentially, we can use the same techniques and tools as we use for wired networks

Handling common attacks to wireless networks
- Often, investigators suspect that a wireless network has been or is currently under attack
- Common attacks on wireless networks include:
  1. Sniffing
     - An attacker eavesdrops on the network
  2. Rogue wireless APs
     - Unauthorized wireless devices that extend the local network
  3. WEP cracking
     - Attempts to recover the WEP encryption key and access the network
  4. The evil twin attack
     - An attacker sets up a WAP with the same SSID as a legitimate WLAN

Representation of an evil twin attack
[Figure: evil twin AP advertising the SSID of the legitimate WLAN]
- Possibly detected by a wireless intrusion detection system
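The checks a wireless IDS applies to flag an evil twin or a rogue AP can be shown on raw beacon frames. The Python below is an added example written for these notes, not code from the course or from any IDS product: it parses the fields listed on the capture slide (BSSID, SSID, the Privacy capability bit and the RSN information element) out of constructed beacon frames and compares them with an authorized-AP inventory. It assumes frames already stripped of their radiotap header and FCS, as a monitor-mode capture tool would hand them over; the inventory, BSSIDs and SSIDs are all constructed.

```python
import struct

# 802.11 management frame, subtype 8 = beacon; tag ids for the SSID and RSN IEs
BEACON_SUBTYPE = 8
TAG_SSID, TAG_RSN = 0, 48
IEEE_OUI = b"\x00\x0f\xac"            # suite selectors defined by IEEE 802.11i
AKM_NAMES = {1: "802.1X", 2: "PSK"}

def build_beacon(bssid: bytes, ssid: str, privacy: bool, rsn: bool) -> bytes:
    """Constructed beacon (no radiotap header, no FCS) used only for the demo data."""
    frame_control = (BEACON_SUBTYPE << 4).to_bytes(2, "little")   # type 0, subtype 8
    header = frame_control + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    capability = 0x0001 | (0x0010 if privacy else 0)               # ESS bit, Privacy bit
    fixed = struct.pack("<QHH", 0, 100, capability)                # timestamp, interval, cap
    body = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    if rsn:
        # minimal RSN IE: version 1, group CCMP, one pairwise CCMP, one AKM (PSK), caps
        rsn_ie = (b"\x01\x00" + IEEE_OUI + b"\x04" + b"\x01\x00" + IEEE_OUI + b"\x04"
                  + b"\x01\x00" + IEEE_OUI + b"\x02" + b"\x00\x00")
        body += bytes([TAG_RSN, len(rsn_ie)]) + rsn_ie
    return header + fixed + body

def parse_rsn_akms(ie: bytes) -> list:
    """Return the AKM suite names advertised in an RSN IE (empty if malformed)."""
    if len(ie) < 8:
        return []
    pairwise_count = int.from_bytes(ie[6:8], "little")
    off = 8 + 4 * pairwise_count
    if len(ie) < off + 2:
        return []
    akm_count = int.from_bytes(ie[off:off + 2], "little")
    akms = []
    for i in range(akm_count):
        suite = ie[off + 2 + 4 * i: off + 6 + 4 * i]
        if len(suite) < 4:
            break
        akms.append(AKM_NAMES.get(suite[3], f"ieee-{suite[3]}") if suite[:3] == IEEE_OUI else "vendor")
    return akms

def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, SSID and advertised security from a raw beacon frame."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc = int.from_bytes(frame[0:2], "little")
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != BEACON_SUBTYPE:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])        # addr3 carries the BSSID
    _timestamp, _interval, capability = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": bssid, "ssid": None, "privacy": bool(capability & 0x0010),
            "rsn": False, "akms": []}
    pos = 36                                                   # first tagged parameter
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2: pos + 2 + length]
        if len(value) < length:                                # truncated IE: stop, don't crash
            break
        if tag == TAG_SSID:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == TAG_RSN:
            info["rsn"] = True
            info["akms"] = parse_rsn_akms(value)
        pos += 2 + length
    return info

def audit_beacons(frames, inventory: dict) -> list:
    """Compare observed beacons with an inventory {ssid: {"bssids": set, "rsn": bool}}."""
    findings = []
    for frame in frames:
        b = parse_beacon(frame)
        expected = inventory.get(b["ssid"])
        if expected is None:
            findings.append((b["bssid"], b["ssid"], "ROGUE: SSID not in inventory"))
        elif b["bssid"] not in expected["bssids"]:
            findings.append((b["bssid"], b["ssid"], "EVIL_TWIN: known SSID from unknown BSSID"))
        elif b["rsn"] != expected["rsn"]:
            findings.append((b["bssid"], b["ssid"], "SECURITY_MISMATCH: RSN differs from inventory"))
    return findings

# constructed sample capture: one legitimate AP, one evil twin, one rogue AP
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("001122334401"), "CorpNet", privacy=True, rsn=True),
    build_beacon(bytes.fromhex("66778899aabb"), "CorpNet", privacy=False, rsn=False),
    build_beacon(bytes.fromhex("02aabbccddee"), "Free-WiFi", privacy=False, rsn=False),
]
INVENTORY = {"CorpNet": {"bssids": {"00:11:22:33:44:01"}, "rsn": True}}

if __name__ == "__main__":
    for finding in audit_beacons(SAMPLE_FRAMES, INVENTORY):
        print(*finding)
```

A known SSID arriving from a BSSID that is not in the inventory is the signature of the evil twin; the SECURITY_MISMATCH rule covers the variant in which the BSSID is cloned too but the legitimate RSN configuration is not reproduced. A deployed sensor would record the channel and its own position with each finding so the AP can be located with the methods on the following slides.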
Investigation of wireless access points
- A wireless access point (WAP) is a Layer 2 device that aggregates endpoint stations into a LAN
- APs may be involved in forensic investigation because…
  - may contain locally stored logs of connection attempts, auth successes and failures, and other local WAP activity
  - can help track the physical movements of a wireless client throughout a building or campus
  - their configuration may provide insight regarding how an attacker gained access to the network
  - their configuration may have been modified by an unauthorized party as part of an attack
  - they can be compromised

Locating wireless devices
- Can be difficult to physically locate a device of interest
  - E.g., compromised laptop, a rogue wireless AP
- Some strategies for locating wireless devices:
  1. Gather station descriptions, such as MAC addresses
     - Every network card is assigned a unique OUI by the manufacturer
  2. For clients, identify the AP that the station is associated with
     - Using AP logs or traffic monitoring
  3. Poll the device's signal strength and triangulate
     - Use specialized tools such as NetStumbler or Kismet
  4. Leverage commercial enterprise wireless mapping software
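Strategies 1 and 3 can be worked through in code. The Python below is an added example, not course material and not the output of NetStumbler, Kismet or any mapping product: it extracts the OUI prefix from a MAC address, converts RSSI readings taken by several sensing APs into distances with a log-distance path-loss model, and estimates the station's position by linear least-squares trilateration. The sensor positions, the station position and the model parameters (RSSI_AT_1M, PATH_LOSS_EXP) are constructed assumptions; a real survey calibrates them on site, and the quantized case shows how integer-dBm readings limit the accuracy.

```python
import math

def oui_of(mac: str) -> str:
    """Manufacturer prefix (OUI): the first three octets of the MAC address."""
    octets = mac.strip().upper().replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(octets[:3])

# log-distance path-loss model parameters (assumed values; calibrate per site and card)
RSSI_AT_1M = -40.0      # dBm measured one metre from the transmitter
PATH_LOSS_EXP = 3.0     # about 2 in free space, 3 to 4 indoors with walls

def rssi_to_distance(rssi_dbm, rssi_at_1m=RSSI_AT_1M, n=PATH_LOSS_EXP):
    """Invert the model RSSI(d) = RSSI(1 m) - 10*n*log10(d)."""
    return 10 ** ((rssi_at_1m - rssi_dbm) / (10 * n))

def distance_to_rssi(distance_m, rssi_at_1m=RSSI_AT_1M, n=PATH_LOSS_EXP):
    """Forward model, used here only to construct sample measurements."""
    return rssi_at_1m - 10 * n * math.log10(distance_m)

def trilaterate(ranges):
    """ranges: list of ((x, y), distance) for three or more anchors.
    Subtracting the first circle equation from the others makes the system linear
    in (x, y); it is then solved by least squares through the 2x2 normal equations."""
    if len(ranges) < 3:
        raise ValueError("need at least three anchors")
    (x0, y0), d0 = ranges[0]
    rows = []
    for (xi, yi), di in ranges[1:]:
        a, b = 2 * (xi - x0), 2 * (yi - y0)
        c = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        rows.append((a, b, c))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear; position is not determined")
    return (sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det

def locate(observations, **model):
    """observations: list of ((x, y) of the sensing AP, RSSI in dBm) -> estimated (x, y)."""
    return trilaterate([(pos, rssi_to_distance(rssi, **model)) for pos, rssi in observations])

# constructed floor plan: four sensing APs at the corners of a 10 m square, station at (3, 4)
SENSORS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
TRUE_POSITION = (3.0, 4.0)

def sample_observations(quantize=False):
    """Constructed RSSI readings; quantize=True rounds them to whole dBm like a real card."""
    obs = []
    for sx, sy in SENSORS:
        rssi = distance_to_rssi(math.hypot(sx - TRUE_POSITION[0], sy - TRUE_POSITION[1]))
        obs.append(((sx, sy), round(rssi) if quantize else rssi))
    return obs

if __name__ == "__main__":
    print("OUI:", oui_of("aa-bb-cc-11-22-33"))
    print("exact RSSI:", locate(sample_observations()))
    print("integer RSSI:", locate(sample_observations(quantize=True)))
```

With exact readings the estimate is exact; with readings rounded to whole dBm the same geometry gives roughly a tenth of a metre of error, and indoor multipath adds far more, which is why the slides speak of triangulating to a room rather than to a point.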
Screenshot of Cisco's Wireless Location Appliance
- Displays devices located on an enterprise floor map
- Allows system administrators to search and sort
- Lists stations detected, SSID, signal strength, and more
- Known devices are marked with a box, while "rogue" devices are labeled with a skull

Cellular network investigations

Components of cellular network architecture
- Cell
  - covers geographical region
  - base station (BST) analogous to 802.11 AP
  - mobile users attach to network through BST
  - air-interface: physical and link layer protocol between mobile and BST
- MSC (Mobile Switching Center)
  - connects cells to wired tel. net.
  - manages call setup
  - handles mobility
[Figure: cells link over a wired network to Mobile Switching Centers, which connect to the public telephone network]

Cellular networks: The first hop
- Two techniques for sharing mobile-to-BS radio spectrum:
  - combined FDMA/TDMA: divide spectrum in frequency channels, divide each channel into time slots
  - CDMA: code division multiple access
[Figure: spectrum divided into frequency bands and time slots]

2G (voice) network architecture
[Figure: mobile subscribers connect to a base transceiver station (BTS); the base station system (BSS) of BTS and base station controller (BSC) connects to the Mobile Switching Center (MSC), which reaches the public telephone network through a Gateway MSC]
Legend:
- Base transceiver station (BTS)
- Base station controller (BSC)
- Mobile Switching Center (MSC)
- Mobile subscribers

Main components
- Mobile devices connect to a base station (BTS)
- Each BTS has at least one radio transceiver that provides radio coverage for a specific geographic region (cell)
- GSM uses a BSC to control communication between base stations, e.g., it coordinates the transfer from one BTS to another
- The MSC delivers calls and SMSes to mobile devices in its jurisdiction, and coordinates handovers of ongoing communications as devices move between areas

2.5G (voice+data) network architecture
- Key insight: new cellular data network operates in parallel (except at edge) with existing cellular voice network
  - voice network unchanged in core
  - data network operates in parallel
[Figure: the BSC feeds both the MSC / Gateway MSC path to the public telephone network and the SGSN / GGSN path to the public Internet]
Legend:
- Serving GPRS Support Node (SGSN)
- Gateway GPRS Support Node (GGSN)

All components can be important for investigation
- MSCs generate a wealth of useful information
  - Usage logs and charging detail records
  - List of mobile devices currently being handled by an MSC
- Operation centers maintain and monitor NSPs' systems
  - Info about subscribers, billing details, & services they can use
  - SMSes to be processed (are retained for limited time)
  - Voicemail
  - Blacklist of devices reported stolen or flagged as bad
  - Signaling information for call establishment
  - Devices' IMEI numbers

IMEIs are quite valuable for investigators
- The International Mobile Equipment Identifier (IMEI) is a unique number associated with a particular device
- IMEI can be used to obtain stored data from NSPs
- To monitor traffic associated with a particular device
- To keep track of a mobile device across NSPs

Device leaves traces the moment it's turned on
- When powered on, the device announces itself to the network, starting the authentication process
- The authentication process is based on the IMSI
  - International Mobile Subscriber Identity (IMSI) is a unique # stored on the SIM card and associated with a particular subscriber
  - IMSI is not directly sent over the network, but replaced with a Temporary Mobile Subscriber Identity (TMSI), which is logged
  - Investigators can ask NSPs to query their systems for all activities relating to a particular subscriber account
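Both identifiers on these two slides have a fixed structure that an investigator can validate before sending a request to an NSP, which avoids querying on a mistyped number. The Python below is an added example, not part of the course: it verifies the Luhn check digit of a 15-digit IMEI (a 16-digit IMEISV carries a software version instead of a check digit), splits the IMEI into its 8-digit TAC and serial number, and splits an IMSI into MCC, MNC and MSIN. The IMEI used is a constructed but Luhn-valid value and the IMSIs are constructed; the MNC is 2 digits by default, which is an assumption, since some countries use 3-digit MNCs and the caller must pass mnc_length=3 for those.

```python
import re

def _digits(value: str) -> str:
    """Strip the separators that printed IMEIs and IMSIs often carry."""
    return re.sub(r"[\s-]", "", value)

def luhn_check_digit(body: str) -> int:
    """Luhn check digit (ISO/IEC 7812) for a digit string; used by 15-digit IMEIs."""
    if not body.isdigit():
        raise ValueError("body must contain digits only")
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # the rightmost body digit is doubled, then every other one
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10

def validate_imei(imei: str) -> bool:
    """True for a 15-digit IMEI with a correct check digit or a 16-digit IMEISV."""
    s = _digits(imei)
    if not s.isdigit():
        return False
    if len(s) == 15:
        return luhn_check_digit(s[:14]) == int(s[14])
    return len(s) == 16      # IMEISV: 14 digits plus 2-digit software version, no check digit

def parse_imei(imei: str) -> dict:
    """Split a validated IMEI/IMEISV into TAC (8 digits), serial (6) and trailer."""
    s = _digits(imei)
    if not validate_imei(s):
        raise ValueError(f"invalid IMEI: {imei!r}")
    return {
        "tac": s[:8],                                            # identifies the model
        "serial": s[8:14],                                       # unit within that TAC
        "check_digit": s[14] if len(s) == 15 else None,
        "software_version": s[14:16] if len(s) == 16 else None,
    }

def parse_imsi(imsi: str, mnc_length: int = 2) -> dict:
    """Split an IMSI into MCC (3 digits), MNC (2 or 3 digits) and MSIN (the rest)."""
    s = _digits(imsi)
    if not s.isdigit() or not 6 <= len(s) <= 15:
        raise ValueError(f"invalid IMSI: {imsi!r}")
    if mnc_length not in (2, 3):
        raise ValueError("MNC length is 2 or 3 digits, depending on the MCC")
    return {"mcc": s[:3], "mnc": s[3:3 + mnc_length], "msin": s[3 + mnc_length:]}

if __name__ == "__main__":
    # constructed identifiers: the IMEI is Luhn-valid, the IMSI is an arbitrary digit string
    print(parse_imei("49-015420-323751-8"))
    print(parse_imsi("268060123456789"))
```

The TAC is what an NSP or a blacklist database keys on for the device model, while the serial distinguishes the unit; a request to an NSP that is built from a number failing the Luhn check would be wasted effort or, worse, return another subscriber's records.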
Investigations of mobile systems
- Investigations are supported by dedicated software
  - Investigator enters all the data available on a subject
  - The server performs a thorough analysis and outputs info about mobile devices involved, calls made and received…
  - NSP may provide additional historical info or other
    - E.g., other mobile devices at BTS on a given date and time

Types of evidence
- Localization parameters
- Usage logs / billing records
- Text / multimedia messages
- Voice and data

Determining the location of mobile devices
- Can be important for investigating events in the past
  - Assessing alibis of suspects
  - Determining the whereabouts of victims
- Can also provide clues for ongoing location tracking in certain cases
  - E.g., abduction, missing persons, etc.

Location parameters
- Location parameters: info that can be combined to localize an active mobile device and its related user
- Determine device's position: There's a timeframe where mobile devices "announce" themselves to the network
  - Turning on a device and leaving it in an idle state generates data on the network that can help determine its location
  - As a device is moved, it updates the network

Position tracking methods: Cell identification
- The mobile device can be reached by looking at the cell to which it is currently connected
- There is a range of accuracy
  - Starts from a few hundred meters in urban areas, up to 32 km in suburban
  - Accuracy depends on the known range of the particular base station

Position tracking methods: TDOA
- Time difference of arrival (TDOA) aka multilateration
  - Measures the time it takes for a signal to travel from a device to multiple base stations to estimate the device location
  - Commonly used in civil and military surveillance applications
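The TDOA estimate can be carried through numerically. The Python below is an added example, not from the course: it simulates the arrival times of one transmission at three base stations placed at constructed coordinates, forms the two range differences relative to the first station (so the unknown emission time cancels), and solves the resulting pair of hyperbolic equations for the device position with Newton's method. The geometry, the device position and the restriction to a 2-D model with exactly three stations are assumptions for the illustration; real systems use more stations and a least-squares fit.

```python
import math

SPEED_OF_LIGHT = 299_792_458.0   # m/s; radio signals propagate at c in air

def _dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])

def simulate_arrivals(stations, device, t_emit=0.0):
    """Constructed measurement: time at which each station hears a signal emitted at t_emit."""
    return [t_emit + _dist(device, s) / SPEED_OF_LIGHT for s in stations]

def tdoa_locate(stations, arrivals, guess=None, max_iter=50, tol=1e-6):
    """2-D multilateration from three stations' arrival times via Newton's method.
    Only differences of arrival times are used, so the emission time need not be known."""
    if len(stations) != 3 or len(arrivals) != 3:
        raise ValueError("this solver expects exactly three stations")
    # range differences relative to station 0, in metres
    rdiff = [SPEED_OF_LIGHT * (arrivals[i] - arrivals[0]) for i in (1, 2)]
    if guess is None:                      # start from the centroid of the stations
        guess = (sum(s[0] for s in stations) / 3, sum(s[1] for s in stations) / 3)
    x, y = guess
    for _ in range(max_iter):
        d = [_dist((x, y), s) for s in stations]
        if min(d) < 1e-9:
            raise ValueError("estimate coincides with a station")
        # residuals f_i = (d_i - d_0) - rdiff_i and their Jacobian with respect to (x, y)
        f = [d[i] - d[0] - rdiff[i - 1] for i in (1, 2)]
        J = [[(x - stations[i][0]) / d[i] - (x - stations[0][0]) / d[0],
              (y - stations[i][1]) / d[i] - (y - stations[0][1]) / d[0]] for i in (1, 2)]
        det = J[0][0] * J[1][1] - J[0][1] * J[1][0]
        if abs(det) < 1e-12:
            raise ValueError("singular geometry; try another initial guess")
        dx = (-f[0] * J[1][1] + f[1] * J[0][1]) / det   # Cramer's rule on J * step = -f
        dy = (-f[1] * J[0][0] + f[0] * J[1][0]) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < tol:
            break
    return x, y

def range_error_from_clock_error(seconds):
    """Station clock offset converted to range-difference error (1 us is about 300 m)."""
    return SPEED_OF_LIGHT * seconds

STATIONS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]   # constructed BTS positions, metres
DEVICE = (300.0, 400.0)                                   # constructed true position

if __name__ == "__main__":
    arrivals = simulate_arrivals(STATIONS, DEVICE, t_emit=1.0)
    print("estimate:", tdoa_locate(STATIONS, arrivals))
    print("1 us clock error ->", range_error_from_clock_error(1e-6), "m")
```

The accuracy of the method is set by station clock synchronization: because the solver multiplies time differences by the speed of light, a microsecond of offset between two stations shifts a range difference by about 300 m, which is why the slide's "few hundred meters" figure for cell identification is not easily beaten without tightly synchronized receivers.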
Location tracking supported by adequate tools
- Investigators are assisted by specialized tools that collect and analyze location data from the NSP

Signal jamming
- Organized criminal groups often protect their privacy by jamming signals in the area around their meeting place
- A mobile device jamming system emits a signal to prevent the use of mobile phones within a certain radius
- Prevents mobile devices from linking to the BTS and thus connecting to the network
  - This prevents investigators from getting an idea of the geographical location of the meeting
  - Side effect: temporarily interrupts the operation of mobile phones in the area

Cell phone jammers easily available online
[Figure only]

But jammers may be crucial for the police too
- Mobile devices can be remotely activated in any part of the world (e.g., to detonate a bomb)
  - E.g., by sending a ring or an SMS containing a code
- Upon suspicion by the police, mobile devices can be preventively isolated from the network by deploying jamming systems in the vicinity of the devices

Usage logs & billing records
- Logs maintained by an NSP can help investigators determine past usage of the phone, as well as communications between individuals
- Logs are generated from Call Detail Records (CDRs) maintained for billing purposes:
  - Telephone number of user
  - Numbers called
  - IMEI number of mobile device
  - Information about the cell
  - SMS sent (excluding the text)
  - Date, time, and duration of the calls
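The CDR fields listed above are what the dedicated analysis software from the "Investigations of mobile systems" slide works on: who a number communicated with, how a device moved between cells, and which other devices were at a BTS at a given date and time. The Python below is an added example, not the course's or any vendor's code: it parses a constructed CDR export with those fields and answers those three questions. The column layout, the phone numbers (reserved 555 range), the IMEIs and the cell identifiers are all constructed, and each record is attributed to the start time of the call, so a long call is seen only at the cell where it began.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# constructed sample CDR export; columns follow the fields on the slide
SAMPLE_CDRS = """timestamp,caller,callee,imei,cell_id,duration_s,type
2015-10-03T21:02:10,+15550100001,+15550100002,490154203237518,CELL-17,95,CALL
2015-10-03T21:15:42,+15550100001,+15550100003,490154203237518,CELL-17,0,SMS
2015-10-03T21:40:05,+15550100002,+15550100001,355000000000001,CELL-17,310,CALL
2015-10-03T22:05:30,+15550100001,+15550100004,490154203237518,CELL-23,12,CALL
2015-10-04T09:00:00,+15550100005,+15550100001,355000000000002,CELL-17,60,CALL
"""

def _as_dt(value):
    return datetime.fromisoformat(value) if isinstance(value, str) else value

def parse_cdrs(text: str) -> list:
    """Parse the CSV export into records with typed timestamp and duration."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["duration_s"] = int(row["duration_s"])
        records.append(row)
    return records

def contacts(records, number: str) -> Counter:
    """Numbers a subscriber communicated with, counted regardless of direction."""
    peers = Counter()
    for r in records:
        if r["caller"] == number:
            peers[r["callee"]] += 1
        elif r["callee"] == number:
            peers[r["caller"]] += 1
    return peers

def cell_timeline(records, imei: str) -> list:
    """Cells a device was seen in, in time order, collapsing consecutive records in one cell."""
    timeline = []
    own = sorted((r for r in records if r["imei"] == imei), key=lambda r: r["timestamp"])
    for r in own:
        if not timeline or timeline[-1][1] != r["cell_id"]:
            timeline.append((r["timestamp"], r["cell_id"]))
    return timeline

def devices_at_cell(records, cell_id: str, start, end) -> set:
    """IMEIs with a record at a cell within [start, end]; the co-location query from the slides."""
    start, end = _as_dt(start), _as_dt(end)
    return {r["imei"] for r in records
            if r["cell_id"] == cell_id and start <= r["timestamp"] <= end}

if __name__ == "__main__":
    recs = parse_cdrs(SAMPLE_CDRS)
    print("contacts:", contacts(recs, "+15550100001"))
    print("movement:", cell_timeline(recs, "490154203237518"))
    print("at CELL-17 21:00-22:00:",
          devices_at_cell(recs, "CELL-17", "2015-10-03T21:00:00", "2015-10-03T22:00:00"))
```

Note that the co-location query returns devices (IMEIs) rather than subscribers: tying an IMEI back to a person goes through the subscriber data the NSP holds, which is the separate request described on the IMEI and IMSI slides.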
Text & multimedia messages
- Advantages of SMS include the ability of transmitting messages even in areas of very low signal coverage
- SMS and MMS can be important to an investigation, but they are maintained on the core network for limited time
  - Therefore they tend to be captured in transit during an investigation
  - SMS intercepted using the same systems used for intercepting voice calls
- The structure of intercepted SMS / MMS is straightforward
  - Sender, receiver, time, date, and content

Interception of evidence on mobile networks
- In general, the freedom and privacy of personal communications are inviolable rights that can be compromised only if authorized by judicial authorities
- For privacy protection, legal systems dictate limitations to admissibility of interceptions:
  - Interceptions are allowable only in certain specific crimes
  - Interceptions must be authorized
  - Typically, interceptions are done in collaboration with NSPs

How telephone (or data) interception works
- The NSP duplicates a suspect's communication line and deviates it to a Monitoring Center (MC), as specified in a warrant by the Judicial Authorities
- In principle, the NSP never gains knowledge of the contents of the tapped telephone calls
[Figure: an ongoing call passing through the Mobile Switching Center is duplicated to the Monitoring Center]

Monitoring systems
- Powerful systems with database backends that allow investigators to:
  - Eavesdrop conversations directly
  - Watch video calls
  - Review and print faxes
  - Display location details
  - Monitor telematic info like email and Internet
  - Be notified of call intercept of certain target
  - Search through previously recorded traffic
[Figure: ADACS intelligence collection systems]

Monitoring systems offer powerful interfaces
- Sample screenshot of the ADACS system
- "ADACS provides law enforcement and intelligence agencies with the ability to collect, monitor, record and analyze switch-based voice, video, and data transmissions"

Advanced features in interception systems
- Voice recognition
  - Central database for storage of recognized voices complete with sample recordings and personal notes
- Analysis of target behavior
  - Predictive target behavior analysis and graphic analysis for interaction among targets

Alternative approach to interception: IMSI-catcher
- An IMSI-catcher subjects the phones in its vicinity to a MITM attack, acting towards them as a fake base station
  - Exploits a GSM security hole: the network doesn't need to authenticate itself to the phone
- The FBI adopts this technique using the Stingray IMSI-catcher
[Figure: normal communication path vs. intercepted communication path through the IMSI-catcher]

Crypto phones
- To prevent eavesdropping and electronic surveillance, use crypto phones
- Crypto phones use algorithms to encrypt the voice signals end-to-end
  - Implement automatic variation of session key
  - Cryptographic chip handles crypto operations
  - This represents a limit for investigations, unless encryption can be broken
[Figure: GSMK Cryptophone 500]

Conclusions
- Wireless and mobile communications represent an increasingly growing amount of network traffic
- In particular, WiFi and cellular networks are amongst the most popular technologies used today
- Therefore, it is important for digital investigators to be able to collect and analyze evidence from such networks

References
- Primary bibliography
  - Casey, Handbook of Digital Forensics and Investigations, 2010 [Ch. 10]

Next class
- File carving, or
- Invited talk