MAC changers change the MAC address of the NIC in the system…what does that have to do with WAPs?
You identify WiFi clients by their MAC address.
How are you going to associate a laptop with illegal activity if he uses a MAC changer?
I think you may have the context a bit backwards…either that, or I do, and so does everyone else.
When someone connects a laptop to a WAP, the MAC address of the WAP is retained in the Registry. If you're analyzing the system, you can extract that information.
If you're trying to identify clients that have connected to a WAP by examining the WAP, then you'd have to gain access to the device, and hope that it (a) has logging capability, and (b) has logging enabled.
Changing MAC addresses on the client's wifi adapter will mean that the log files on the WAP will contain the faked MAC address. It will also alter what you see with Kismet if you are monitoring the connected users remotely. You'll notice however that the DHCP log file on the WAP also contains the machine's name, something that a lot of hackers fail to change even if they spoof their MACs, and this can help mitigate the problem of MAC spoofing at least to some extent. (Everything of course depends on the logging capabilities of the WAP, and unfortunately logging is typically not very good.)
On the client side, I'm not sure that spoofing your MAC will change anything with regard to activity logging. If I recall, last time I spoofed MAC addresses on a Windows PC, no persistent registry keys were created, and the DHCP and other info was still placed under the correct keys.
So changing your MAC can make things a little harder on the WAP log or kismet log analysis side, but probably not on the client side. I'll have to do a little more testing on this and see precisely how Windows behaves.
On another note, geolocating the APs found in the Registry using Skyhook or a similar service (thanks for reminding me of that SEANMCL) can also help fill in some of the blanks. We can use this info to help investigate the suspect's physical location at the relevant dates and times. We could, for example, look for video cameras near the location that might have recorded the suspect or their vehicle at those dates/times.
Another note about changing the client's MAC address…to do so on Windows, you have to enter a value in the Registry. If you have the WAP logs, you can map entries to what's available in the client's Registry.
There are also other things you can look for in your examination of the laptop. Some of the MAC changing utilities are GUIs, meaning that you may find indications of the use of the application throughout the system; UserAssist and MUICache keys, Prefetch files, etc.
If the user changes the MAC address, then deletes the Registry entries, you may find indications of this in either Restore Points/Volume Shadow Copies, or within unallocated space within the hive files.
Thanks! Excellent presentation. Going over it now. Question: what can be deduced from there being keys with GUIDs under WZCSVC\Parameters\Interfaces but with no static#0000, static#0002, etc. values? Slide #36 says there should be no keys if the computer has never connected. My question is, what does it mean if there are keys but the keys don't have the "static" values (has the computer connected … yay or nay)?
Thanks
The key is there by default. The static# values are added each time the computer connects to a WAP.
The most likely case is that the computer never connected to a WAP.
No connections means no values, however no values does not mean no connections.
If you are pretty sure that the machine did actually connect to a WAP at some point, I would say there are perhaps other possibilities that could be investigated.
(1) Check the EAPOL\Parameters\Interfaces key to see if there are any registry entries for wireless networks
(2) If the user "cleaned" the registry you might want to check the restore points for earlier evidence of connections to wireless networks (as well as look for registry entries and prefetch files for evidence of a cleaning tool or its use)
(3) Could the user have used a wireless utility that does not use WZCSVC when connecting? I'm not sure this is possible, and this would apply more to USB wifi adapters and the like. You'll notice that many come with their own wifi configuration and connection utilities. I haven't looked into this yet, however.
(4) Did the user use a boot CD (e.g. BackTrack)? In which case you may find no evidence on the computer at all.
There's virtually no Microsoft documentation on any of this, so much of it comes from testing and experimentation. You might want to try out different scenarios using process monitor to see what happens in terms of registry modifications or writes to files.
You also have to keep in mind Locard's exchange principle when you do forensic analysis and be aware that it isn't a law of nature - particularly when it comes to digital evidence. Conclusions can't be drawn from lack of evidence, and evidence can be ephemeral, altered, or simply not detectable by the investigator.
I just re-read your question and I may have missed its point.
My guess is that if the key is there for the wireless adapter but there are no values, it may mean that the adapter was active at some point, but that it just hadn't connected to a network. Again, no source material on this so it would have to be tested with a tool like process monitor. I guess we'd have to try to figure out what specific event causes the creation of the key (as opposed to the creation of the values).
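One way to turn the "values present vs. bare key" distinction discussed above into a repeatable check, as an added example that is not code from this thread or from the presentation: it decodes Static#000N values exported from WZCSVC\Parameters\Interfaces\{GUID} and reports each adapter as having recorded connections or as inconclusive. The record offsets used (BSSID at 0x08, SSID length at 0x10, SSID at 0x14, FILETIME at 0x2B8) are an assumption to confirm against a test hive of your own, and the GUIDs, SSID and timestamp are constructed sample data.

```python
import struct
from datetime import datetime, timedelta, timezone
# Assumed Static#000N record layout (a hypothesis to verify against a test hive
# of your own, not vendor documentation):
#   0x08   6 bytes  BSSID (MAC of the access point)
#   0x10   4 bytes  little-endian SSID length
#   0x14   n bytes  SSID
#   0x2B8  8 bytes  FILETIME (100 ns ticks since 1601) of the last connection
RECORD_LEN = 0x2C0
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_static_record(blob):
    if len(blob) < RECORD_LEN:
        raise ValueError("record too short: %d bytes" % len(blob))
    bssid = ":".join("%02x" % b for b in blob[0x08:0x0E])
    (ssid_len,) = struct.unpack_from("<I", blob, 0x10)
    ssid = blob[0x14:0x14 + ssid_len].decode("ascii", "replace")
    (ft,) = struct.unpack_from("<Q", blob, 0x2B8)
    return {"ssid": ssid, "bssid": bssid, "last_connected": filetime_to_datetime(ft)}

def summarize_interfaces(interfaces):
    """interfaces: {interface GUID: {value name: raw bytes}} exported from the hive.
    A GUID subkey with no Static# values is inconclusive, not proof of no connections."""
    report = {}
    for guid, values in interfaces.items():
        records = [parse_static_record(data) for name, data in sorted(values.items())
                   if name.lower().startswith("static#")]
        verdict = ("%d recorded connection(s)" % len(records) if records
                   else "key present, no Static# values: inconclusive")
        report[guid] = {"records": records, "verdict": verdict}
    return report

def build_static_record(ssid, bssid, when):
    """Construct a sample record in the assumed layout (test data, not from a real hive)."""
    buf = bytearray(RECORD_LEN)
    buf[0x08:0x0E] = bytes.fromhex(bssid.replace(":", ""))
    struct.pack_into("<I", buf, 0x10, len(ssid))
    buf[0x14:0x14 + len(ssid)] = ssid.encode("ascii")
    delta = when - EPOCH_1601
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    struct.pack_into("<Q", buf, 0x2B8, ticks)
    return bytes(buf)

# Constructed sample: adapter A has a recorded connection, adapter B has only the bare key
SAMPLE = {"{GUID-A}": {"Static#0000": build_static_record("coffeeshop", "00:11:22:33:44:55",
          datetime(2009, 3, 1, 12, 0, tzinfo=timezone.utc))}, "{GUID-B}": {}}
```

Feed it the real values from an exported hive and cross-check the decoded BSSIDs against whatever WAP or DHCP logs you hold, remembering that an inconclusive adapter still calls for the restore point and EAPOL checks listed above.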
(4) Did the user use a boot CD (e.g. BackTrack)? In which case you may find no evidence on the computer at all.
Is there a tool (win/linux) that can find any activity of BackTrack whatsoever?
As Mr Rowe suggested, if they do use a wireless utility other than the default WZCSVC, then nothing shows up under either the EAPOL or WZCSVC keys (I checked this on my own laptop - according to the registry I appear not to use any wireless SSIDs, but am always on it… but I use the default Asus wireless s/ware that came with the laptop). If you are looking for MAC addresses, I found that Windows Advantage sets up a registry key with the MAC address as its value. Of course it could still be scribbled over if someone really wanted to hide all corroborating information.
Regards
Caroline
PS, nice presentation Mr Rowe, I will point it out to my students if that's ok?