
Routers & WiFi Dongle Investigative Information

4Rensics
(@4rensics)
Reputable Member
Joined: 16 years ago
Posts: 255
Topic starter  

Hi,

I think this is the right place to ask this question, but feel free to move it if it's in the wrong forum.

I am looking for some general(ish) information on whether it is possible to gather reasonable information from routers and wi-fi dongles regarding time and dates of internet access?

I would suspect routers would hold some information while still connected, not sure about once the power is pulled. As for wi-fi dongles (prob can include 3G dongles in this too) that they hold little to none.

Any info appreciated.

4R


   
4Rensics
(@4rensics)
Reputable Member
Joined: 16 years ago
Posts: 255
Topic starter  

After some research (i.e. Googling) I found a few things, but don't appear to give the exact info I need. If I said "Core Dump" would that mean anything to anybody? Personally only just come across it myself this morning, but seems to lead to the kind of area I'm looking for, since we are talking about unplugged / turned off routers.


   
erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
 

Connection logs on routers are typically kept in RAM so no power = no logs. Also, most wifi router logging in my experience is pretty minimal (i.e. just who is connected at that moment) unless more advanced security logging features are turned on. It depends a lot on the router and the firmware version…

I don't know what you might find on wifi adapters - never looked at their schematics to see if they had any kind of memory. I suspect nothing however.

In my experience all the interesting data is on the client computer.

You may want to check out this post
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=5154


   
4Rensics
(@4rensics)
Reputable Member
Joined: 16 years ago
Posts: 255
Topic starter  

Yeah I kinda gathered that. It appears most routers only have a small bit of flash memory (8MB to 16MB) and that basically holds the firmware and a few other bits and bobs of useless router information.

I think the best you'll get is out of a (large) Cisco router by running a memory dump, as for home routers, nah!

Wi-Fi adapters, again you're prob right, I can't see them having anything. I think the best bet would be to do live forensics if you got to a scene and everything was still plugged in, but again, it's nothing that the registry and various other points of interest won't tell you if you wanted to piece something together.


   
(@indur)
Trusted Member
Joined: 17 years ago
Posts: 67
 

Depends on the router. Enterprise routers, of course, have a lot more information. Most state information on home routers is lost when the power is pulled. However, depending on what in particular you're looking for, the configuration of the router might be useful information.

If you're looking for, "did a person behind this router access IP address X and, if so, at what time", you're unlikely to find that from any home router and much more unlikely to find it if power's been lost.


   
 deez
(@deez)
Active Member
Joined: 15 years ago
Posts: 5
 

I'm searching for the same answer. I got a case where the laptops had been stolen and left the router and the modem behind. So I need to get those MAC addresses so I could trace the laptops back that have been seen going online on MSN Messenger… Hope someone could help.


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

deez, two things -

MAC addresses do not route (i.e. you should not/cannot see past the first router, any MAC addrs.)

It is possible that the WiFi hotspot still has the local IP and associated MAC address in the DHCP table.


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

If you mean wireless access points, most are based upon Linux/busybox and, as noted, there is a small amount of mostly volatile storage which can be accessed via a Web interface or, in some cases, via SSH (although SSH access is usually via a hacked kernel).

If you have the MAC addresses for the laptops, you might alert whoever manages the WiFi access points that the devices are stolen and that you would like to be notified the next time that there is a connection.

I, once, located a stolen laptop by driving around with the access point to which it had, once, been attached looking for a connection attempt. I had good reason to suspect a particular individual and knew where he lived, but this was more of a lucky shot in the dark than a true practical approach to identifying stolen laptops.


   
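Added example, not part of any post in this thread: one way to turn a DHCP table recovered from a still-powered Linux/busybox access point into MAC addresses and approximate connection times. It assumes the device keeps leases in the dnsmasq lease-file layout and that the lease length (24 hours here) is read from the router configuration; the sample lines, addresses and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in dnsmasq lease-file layout (an assumption about the device):
# <expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1262390400 00:11:22:aa:bb:cc 192.168.1.101 laptop-one 01:00:11:22:aa:bb:cc
1262376000 00-11-22-DD-EE-FF 192.168.1.102 * *
0 00:11:22:33:44:55 192.168.1.50 printer *
truncated line
"""

def norm_mac(mac):
    """Lower-case, colon-separated form so differently written MACs compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_leases(text, lease_seconds):
    """Return one dict per valid lease line; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        try:
            mac = norm_mac(fields[1])
        except ValueError:
            continue
        expiry = int(fields[0])
        # Expiry 0 marks an infinite lease: no time information is recoverable.
        expires = datetime.fromtimestamp(expiry, timezone.utc) if expiry else None
        leases.append({
            "mac": mac,
            "ip": fields[2],
            "hostname": None if fields[3] == "*" else fields[3],
            "expires_utc": expires,
            # Expiry minus lease length = last grant or renewal the router recorded.
            "last_renewed_utc": expires - timedelta(seconds=lease_seconds) if expires else None,
        })
    return leases

def find_mac(leases, mac):
    """All lease entries for one MAC, whatever separator style it was written in."""
    target = norm_mac(mac)
    return [lease for lease in leases if lease["mac"] == target]

if __name__ == "__main__":
    for lease in parse_leases(SAMPLE_LEASES, lease_seconds=86400):
        print(lease)
```

The derived renewal time is only as reliable as the router's clock, so record the device's current time against a trusted source when the table is collected.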