Hi guys, for my university project I have decided to do an investigation into whether any information can be found from someone stealing bandwidth from an open access point. I was wondering what artifacts would be found and what the process would be to gather such artifacts.
My scenario is an unencrypted wireless router, two clients on the network, one an authorised client, the other is stealing the bandwidth. The idea is to first be able to detect that unauthorised client and gather evidence that the unauthorised user is stealing.
The main questions are: could I get information back from the DHCP table on the router, if so how, would it be a case of taking photographs? Would there be any evidence from the authorised computer side? Perhaps any shared files accessed? I'm a real network forensics noob. So what are the steps in a forensic investigation to detect bandwidth theft? Any tools I should be using?
Any help would be greatly appreciated.
Thanks, Gav
The main questions are: could I get information back from the DHCP table on the router, if so how, would it be a case of taking photographs?
Kind of depends on the router.
Would there be any evidence from the authorised computer side?
Like what? If someone is simply using the WAP to gain access to the Internet, what sort of things would you expect to see on the authorized computer?
Perhaps any shared files accessed?
Shared files? You said stealing bandwidth was the basis for your scenario…where do "shared files" come from? Perhaps if you could elaborate on the reasoning behind the question, more information could be provided.
I'm a real network forensics noob. So what are the steps in a forensic investigation to detect bandwidth theft? Any tools I should be using?
Being new is okay, nothing wrong with it…we all are/were at one point.
However, as this is a university project, one would think that the first step would be for you to develop your knowledge first, before jumping into the project. Otherwise, all of your work is going to consist of asking questions here, and you likely won't be able to explain your work when you're done.
Sorry about the poor posting keydet. I have done my research just to let you know :D, and I have just finished a literature review covering this topic. It's just that there are various ways I have seen for investigating routers that I'm not sure what is the best method. And there isn't (as far as I can see) a definitive method as to what to do in this kind of investigation. The reason I mention shared files is that my research indicated that, if the client and attacker both have shared folders or network discovery enabled, then there may be evidence of that shared location inside the registry. Would this not indicate that the attacker has been using the bandwidth of the unsecured WLAN, if there is evidence he has connected?
The artifacts that I have found consist of the DHCP table, ARP tables (router, client, attacker's computer), registry entries on the client machine and attacker's machine, looking for evidence relating to wireless cracking tools, scanners etc., MAC addresses etc. What are the most important artifacts? Are there any others I have missed?
Basically all I am asking is, is there a set of procedures that are forensically sound, in finding out if someone is stealing bandwidth wirelessly.
I was thinking of going along the lines of…
1. Investigate router (disconnect all cables apart from power, physically connect, copy logs, copy settings, take pictures of DHCP/ARP table)
2. Investigate any evidence on authorised computer (look in registry, mainly to eliminate from DHCP table)
3. Live investigation (netstat? Wireshark? This is where my knowledge of what and how to investigate a live network falls down)
4. If access to attacker's machine, investigate (registry entries relating to lease time etc.)
Hope that clears things up a bit better
Gavin
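An added example (not code from anyone in this thread) of what step 1 and the "eliminate from DHCP table" part of step 2 look like once the DHCP lease and ARP tables have been copied off the router: it parses both tables, hashes the raw copies so you can show later that they were not altered, and flags leases whose MAC is not on the authorised list, ARP entries with no matching lease (a host that set a static IP), and any IP that shows up with two different MACs. The table layouts, hostnames, MAC and IP addresses are all constructed to resemble a consumer-router export and are not from any particular device.

```python
"""Cross-check a router's DHCP lease table and ARP table against a list of
authorised MAC addresses, and record a digest of the raw evidence.

Added example for this thread. The sample tables below are constructed and
do not come from any real router; a real export may need the regexes tuned.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample: lines as copied from the router's DHCP lease page.
DHCP_LEASES = """\
hostname         mac                ip             expires
GAV-LAPTOP       00:1a:2b:3c:4d:5e  192.168.1.100  23:14:05
UNKNOWN-PC       00:aa:bb:cc:dd:ee  192.168.1.101  11:02:44
"""

# Constructed sample: the router's ARP table. The third host has no lease.
ARP_TABLE = """\
ip             mac                interface
192.168.1.100  00:1a:2b:3c:4d:5e  br0
192.168.1.101  00:aa:bb:cc:dd:ee  br0
192.168.1.200  00:11:22:33:44:55  br0
"""

# Constructed: the MACs of the machines you know are allowed on the WLAN.
AUTHORISED_MACS = {"00:1a:2b:3c:4d:5e"}

MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Client:
    mac: str
    ip: str
    source: str  # "dhcp" or "arp"


def evidence_digest(raw_text):
    """SHA-256 of the copied table, to note alongside the photograph/log so a
    later reader can confirm the text you analysed is the text you captured."""
    return hashlib.sha256(raw_text.encode("utf-8")).hexdigest()


def normalise_mac(mac):
    """Routers print MACs in mixed case and with ':' or '-'; compare one form."""
    return mac.lower().replace("-", ":")


def parse_table(text, source):
    """Pull (MAC, IP) pairs out of any whitespace-separated table whose rows
    each carry a MAC and an IPv4 address; the header has neither and is skipped."""
    clients = []
    for line in text.splitlines():
        mac = MAC_RE.search(line)
        ip = IP_RE.search(line)
        if mac and ip:
            clients.append(Client(normalise_mac(mac.group()), ip.group(), source))
    return clients


def find_unauthorised(dhcp_text, arp_text, authorised):
    """Return three findings lists keyed by name:
    unauthorised_dhcp - leases held by a MAC not on the authorised list
    arp_only          - hosts in ARP with no lease (static IP, bypassing DHCP)
    ip_conflicts      - IPs seen with more than one MAC across both tables
    """
    authorised = {normalise_mac(m) for m in authorised}
    dhcp = parse_table(dhcp_text, "dhcp")
    arp = parse_table(arp_text, "arp")
    dhcp_macs = {c.mac for c in dhcp}

    findings = {
        "unauthorised_dhcp": [c for c in dhcp if c.mac not in authorised],
        "arp_only": [c for c in arp if c.mac not in dhcp_macs],
    }
    ip_to_macs = {}
    for c in dhcp + arp:
        ip_to_macs.setdefault(c.ip, set()).add(c.mac)
    findings["ip_conflicts"] = sorted(ip for ip, macs in ip_to_macs.items() if len(macs) > 1)
    return findings


if __name__ == "__main__":
    print("DHCP table digest:", evidence_digest(DHCP_LEASES))
    print("ARP table digest: ", evidence_digest(ARP_TABLE))
    for name, items in find_unauthorised(DHCP_LEASES, ARP_TABLE, AUTHORISED_MACS).items():
        print(name, items)
```

On the constructed data this reports the UNKNOWN-PC lease as unauthorised and 192.168.1.200 as an ARP-only host, which is the sort of thing the router alone can tell you before you go anywhere near either client machine. Note that a MAC can be set to anything, so an entry on the authorised list is a reason to look further, not proof of who the machine was.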
Sorry about the poor posting keydet. I have done my research just to let you know :D, and I have just finished a literature review covering this topic.
No one said anything about a "poor posting"…there were simply questions that I had.
It's just that there are various ways I have seen for investigating routers that I'm not sure what is the best method.
Well, as in all cases, that will largely depend on what's available.
And there isn't (as far as I can see) a definitive method as to what to do in this kind of investigation.
Well, again…if someone lists a "this is exactly how you do it", then what happens the first time one of those steps doesn't apply? Does the entire examination fall apart?
The reason I mention shared files is that my research indicated that, if the client and attacker both have shared folders or network discovery enabled, then there may be evidence of that shared location inside the registry. Would this not indicate that the attacker has been using the bandwidth of the unsecured WLAN, if there is evidence he has connected?
Windows systems will have information about shares available within the Registry. However, if an unauthorized user is simply stealing bandwidth, as you've described, how does that apply to available shares on other systems? You haven't said, "stealing bandwidth AND attempting to access shares on other systems." See…you can have one without the other. For just the scenario you presented, I wouldn't expect to see any information on the authorized system, unless there was a sniffer installed.
The artifacts that I have found consist of the DHCP table, ARP tables (router, client, attacker's computer), registry entries on the client machine and attacker's machine, looking for evidence relating to wireless cracking tools, scanners etc., MAC addresses etc. What are the most important artifacts? Are there any others I have missed?
For the scenario you presented, I think you'd find a great deal of information through sniffing. I don't know that you'd find much in the way of artifacts on the authorized system, unless the person "stealing bandwidth" specifically attempted to access that system.
Thanks very much for your thoughts. I think I'll have a look into forensically staying safe while sniffing etc. And perhaps look into whether my VY Voyager supports port monitoring, doubt it though. Will have to have a look into what the Helix disks can offer.
OK folks, where's the crime? Is someone guilty of "theft" of bandwidth or of information?
Is "theft" of bandwidth a crime? Is it "theft" if the paying customer is not affected?
Let's say my inconsiderate neighbor/neighbour erects a rather high-wattage security light outside her home. Am I "stealing" her "bandwidth" by sitting on my back-porch at night and reading
Real world experience: About a year ago one of our rare blizzards cut electricity to my home for several days. On Day 3, tired of not being able to read this forum (and not to mention the desire for personal cleanliness), I checked into a nearby hotel that not only had power, but "high-speed Internet access" as well.
Turns out the hotel was leeching WiFi bandwidth from the college across the street!
Was it a crime? No, but maybe a wee bit tacky, eh?
I agree that there are shades of grey about the subject area. Is it illegal? Morally wrong? Can it be classed as theft? etc. However the whole point of the project is to prove or disprove if someone is stealing/borrowing wireless bandwidth, regardless of the ethical or legal issues involved.
What happens if the "leecher" decides to do something a bit more illegal? Let's say cause a DoS attack, distribute viruses, use computers on the LAN as a spam botnet, perhaps look at indecent images.
The project question is looking into how any one of these crimes could have been committed via the means of using a neighbour's wireless internet. So that's where the real crime is. But if I am to complete the project of investigating wireless theft, I can't be looking into every crime that can be committed via wireless leeching.
Hope that makes sense…
Thanks very much for your thoughts. I think I'll have a look into forensically staying safe while sniffing etc.
What does that mean, though…"forensically safe"?
And perhaps look into whether my VY Voyager supports port monitoring, doubt it though. Will have to have a look into what the Helix disks can offer.
Helix? Why Helix?
I have to be honest, Gavster, from the sounds of things, there seems to be a bit more to do before you embark on this project. It doesn't appear that you're at the point of selecting tools yet, as you don't seem to have a clear idea of what you intend to do.
Given the scenario, how do you intend to use Helix?
Also, what about the whole file sharing thing? Where did that go?
OK folks, where's the crime? Is someone guilty of "theft" of bandwidth or of information?
There was never any mention of a crime being investigated. The OP said that he wants to do this as a university project.
Well the actual investigation techniques need to be researched and honed. But what I plan to do is set up two virtual machines running XP, one an authenticated user and one an attacker connected via wireless. Then set up a wireless router. This will generate all the evidence I will need.
Then as for the investigative side, I need to set out the procedures that I want, and what tools to use. But that's where I was asking advice in the original post. My ideas are investigating the router first, then using sniffing techniques to gather evidence, then imaging the two VMs in EnCase to see what I can find (perhaps look in the registry). Again all these areas need research, and what I mean by forensically safe is not corrupting potential evidence. As I said, I have no knowledge as to how to do a network forensic investigation.
The reason I mentioned Helix was to show I was looking into live investigative sources. I never said I was going to use it. I was hoping someone would mention some valuable feedback, like "you might want to look into this subject area"… or "you might find this tool useful". I don't expect anyone to spoon feed me. All I was after was a nudge in the right direction. I think it is best if I take this to my lecturer.
Thanks anyway for all your help,
Kind regards,
Gavin