Well, the actual investigation techniques need to be researched and honed. But what I plan to do is set up two virtual machines running XP, one an authenticated user and one an attacker connected via wireless. Then set up a wireless router. This will generate all the evidence I will need.
How do you intend to directly connect the guest OSes to wireless?
Then, as for the investigative side, I need to set out the procedures that I want and what tools to use. But that's where I was asking for advice in the original post. My ideas are investigating the router first, then using sniffing techniques to gather evidence, then imaging the two VMs in EnCase to see what I can find (perhaps look in the registry). Again, all these areas need research, and what I mean by forensically safe is not corrupting potential evidence. As I said, I have no knowledge as to how to do a network forensic investigation.
I'm still unclear as to what you expect to find on the hosts, given a bandwidth theft scenario.
Also, what do you mean by "network forensic investigation"? I ask, only because I recently discussed this sort of thing over email with someone else, and they said that what they were interested in was examining hosts for network-based intrusions. That definition doesn't seem to apply here.
The reason I mentioned Helix was to show I was looking into live investigative sources. I never said I was going to use it. I was hoping someone would mention some valuable feedback, like "you might want to look into this subject area" or "you might find this tool useful". I don't expect anyone to spoon-feed me. All I was after was a nudge in the right direction. I think it is best if I take this to my lecturer.
I agree. I suggested that you might want to look to sniffing traffic, and I've asked you about the hosts, not to say that it's wrong, but to get you to consider and explore your reasoning.
This is one of the primary things I try to get folks to consider: what are your reasons and justification for what you do? This isn't to say that it's wrong, but instead to get folks to consider what they're doing rather than proceed on autopilot. As a responder and analyst, these sorts of things need to be kept in mind.
OK folks, where's the crime? Is someone guilty of "theft" of bandwidth or of information?
There was never any mention of a crime being investigated. The OP said that he wants to do this as a university project.
The OP made two references to "stealing" bandwidth. My point is that there is no such thing as "stealing" bandwidth when it comes to wireless access.
When it is a broadcast technology, it's out there for anyone and everyone.
[slurp]
I was thinking of going along the lines of…
1. Investigate router (disconnect all cables apart from power, physically connect, copy logs, copy settings, take pictures of DHCP/ARP table)
2. Investigate any evidence on the authorised computer (look in registry, mainly to eliminate from DHCP table)
3. Live investigation (netstat? Wireshark? This is where my knowledge of what and how to investigate a live network falls down)
4. If there is access to the attacker's machine, investigate (registry entries relating to lease time etc.)
What about upstream logs with same source IP as the gateway?
Ethereal or Wireshark is excellent. Ever tried "Hamster" with "Ferret"?
Does radio power change, either in strength or shape, when someone else is connected?
Just some other areas you could look…
… There is no such thing as personal, business or other "situational ethics". Just ethics.