How to do a Wi-Fi Forensics Analysis

Abstract.

This paper investigates the various methods to perform a forensic investigation and analysis in a Wi-Fi environment. In this paper, we take a closer look at the different methods of performing a forensic investigation and analysis within a Wi-Fi environment.) The procedures are analyzed using commonly available programs for capturing and analyzing data and will show the consequences as well as identification of an active DOS attack on a computer in a secure Wi-Fi environment

I. Introduction

Wi-Fi forensics is a discipline of the general digital computer forensic science. Its scope is to provide the tools and methodology to collect data in a wireless traffic environment, analyze them, and create valid evidence that is admissible in a court of law.

With today’s expansion of Wi-Fi hotspots, it is a common practice when someone wants to access the internet to use these facilities to cut down costs. It is inevitable, though those laptops using this facility are subject to can be subjected to a hacker’s criminal activity of gaining access to PDAs and laptop computers, stealing valuable data, bank accounts, and other personal information stored.

Attackers are trying to find vulnerabilities of the protocol in the Wi-Fi network, so it is the responsibility of the forensic team to monitor the Wi-Fi traffic and determine whether any abnormality is an attack.

With Wi-Fi forensics, we can perform benchmarking of the network, troubleshoot it, do a transactional and a security attack analysis, and following general principles applied to all computer forensics.

II. Technical Content Part 1

To perform proper Wireless forensics, we must first collect and analyze Wi-Fi traffic. Next, we evaluate the network performance to detect anomalies and misuse of resources, network protocols used, aggregating data from multiple sources, and incident responses.

The process, according to the CIA forensics triangle, consists of three parts.

1. Capture. We must capture packets in a random mode in switched port analyzer (SPAN), sending a copy of all network packets from one port to another port for the packets to be analyzed. We can also use a network terminal access point (TAP) with a dedicated hardware device to a different system that monitors the system to help the forensic team analyze the network.
2. Identify. The packets must be identified and adequately filtered according to time and date.
3. Analyze. The packets are reconstructed and classified according to their type and header.

The first forensic examination step is to perform the identification of the incident based on network indicators. This is crucial for the following steps

The data must be preserved and not altered from interference or electromagnetic damage. The second step is to collect the evidence, record the physical scene, and duplicate the data.

The examination comes next with a systematic in-depth search of the evidence of the hacker’s attack, and then we build detailed documentation for further analysis. The analysis determines the significance by reconstructing the packets of the Wi-Fi traffic and coming to a conclusion, according to the evidence found.

Wireless Forensics consists of two methods: The live forensic analysis and after the event analysis. The method chosen depends on the circumstances.

In the live forensic analysis, we must first determine the existing access points in the area since some of them may not be near, and signal distribution is not Gaussian. Every single device may hold information that will help in the forensic analysis. The gathered data includes wireless channels, SSID and MAC address, and signal strength of the access points since criminals with an active approach can de-authenticate a user in a weak signal environment with the user trying to connect multiple times using his secret key which the attacker can intercept.

To perform the live analysis, we must first perform a packet capture. This can be done using packet capturing software such as PCAP. Digital Packet capturing (PCAP) provides data stream input in the proper forensics’ methods.

The methods used are Catch-it-as-you-can and Stop, look, and listen. [Figure 1]

In Catch-it-as-you-can, all the packets are stored in a database after passing from a traffic point. An analysis is then performed, and the analysis data is then stored in the available database for future analysis. This method, though requires a large storage capacity.

Stop, look, and listen; only the data needed for analysis is stored in the database. The traffic is analyzed and filtered in real-time in memory of the memory section. This means that although the storage space is smaller, a fast processor is needed [1].

We first perform network discovery and enumeration with one of the programs available for the task called “Kismet” in Linux, which is inside the Backtrack 4 distributions. In Windows, the equivalent program is the “Wireless Mon” software for Wi-Fi sniffer analysis. The packet is often accompanied by the appropriate sniffer analysis software. In Linux, the appropriate software is called “LibPcap,” and in Windows, it is “WinPcap.”

This Wi-Fi signal can be captured with a hardware interface card (WNIC), and then it is transferred to PCAP.

The packet sniffing software will retrieve/ display the data and then perform an analysis and make a report. Typical programs that do this are “Tcpdump” for Linux, which is the oldest and most widely used program to do a network sniff. For Windows, equivalent programs are “Windump” for window versions up to Windows XP and “NetFlow” and “Wireshark” for windows versions Win XP and up. “Wireshark” can also be used in Linux.

With Wireshark, we first associate it with existing Wi-Fi networks, and then we select the sniffer Interface and then from options, we select Packet sniffing [2] [Figures 3 and 4].

Packets can be filtered while viewing and concentrating on the packets that are of interest hiding the other ones. Packets can be displayed according to protocol, presence, and values of fields. For example, filtering according to TCP protocol. Values can be compared using different available comparison operators.

It must be noted that sometimes fields change names. DHCP has been recently replaced with BOOTP and SSL, has been replaced with TLS, so choosing the correct fields is necessary. Packets can be either marked, ignored, or time referenced, making the forensic analysis process more straightforward.

Then after the event analysis is more accessible than the real-time live forensics analysis because the available time is higher or increased to analyze suspicious abnormal events that might escape the attention of the investigator in real-time. This analysis can be done using both software and hardware (raspberry -pi) depending on the operating systems, model, and manufacturer of the wireless devices. Special care should be taken with the received data, to not interfere with data from neighboring wireless devices, creating irrelevant forensic clues. If this happens, special filtered techniques should be used.

III. Technical Content Part 2

The live forensics port scanning can be done using many available programs. As an example, we can use the windows program, “Advanced Port Scanning,” and a computer in a secure Wi-Fi environment as a target.

We start the test by launching Wireshark, finding the available networks, and then identifying the wanted Wi-Fi network [Figure 2]. We then do an “ipconfig/ all” from the command line to check and confirm the computer’s IP and MAC address. In the examples test, we see our computer’s IP is 192.168.19.198, and the MAC address is F8-XX-54-AB-AC-66, among other information [Figure 4].

We launch the port scanning program Advanced port scanning, and we confirm that, in the tested Wi-Fi environment, the computer has the same IP and MAC address 192.168.19.198 and F8-XX-54-AB-AC-66. We also see the computer’s open ports like 135, 139, 145 [Figure 5].

If we want to see the traffic of all the ports for the computer, we filter the results with the command “host 192.168.19.198,” and we can see the results [Figure 6].

If we want to see the traffic in a specific port and the example again, for TCP using Wireshark filtering it for TCP investigation port 135 and host 192.168.19.56 (the examples computer), we can see the packets from the specific address [Figure 7].

We can also use Wireshark to make a forensic Denial of Service attack in the target computer by filtering the results using sources and destination/IP statistics, thus tracking down the attacker's IP.

To make the DOS attack, we must first set a secure private environment with only two computers in the network to avoid legal consequences.

We will use this time as the attacker’s IP address 192.168.1.12, attacking the open port 135 of the attacked computer IP address 192.168.1.11. As we can see in the example, the targeted computer is being attacked with a Denial of Service Attack originating from IP 192.168.1.12 flooding the computer [Figure 8].

We can see, using Wireshark filtering with the command TCP port ==135, the amount of the packages received by the attacked computer 192.168.1.11 [Figure 9] originating from the attacker computer 192.168.1.12 (107036 packets), using the statistics command “IPv4 statistics - Source and Destination addresses” [Figure 9].

Other frequent Wi-Fi attacks are C-evil Twin when a hacker uses a WAP using the same SSID as the one being used in the local Wi-Fi. WEP cracking, using Aircrack-ng inserting APR traffic resulting in cracking of the passwords and attacks in rogue access points used by the employees in their company’s Wi-Fi environment for their convenience, not realizing that this opens a gate to the company’s secure environment. These attacks can also be identified using the same procedure as before.

IV. Technical Content Part 3

The captured network traffic needs to be analyzed. To achieve this, the captured data must be prepared according to their relevant machine address that will present which IP addresses are connected with the host. The port count with the number of the open ports that requested connection, the date, the initial time and the finish time must be recorded.

We must then set the appropriate environment for the network intrusion detection system (NIDS) mode. If the analysis is to be done using NMAP, we can use the utility “snort” (it must first be installed: sudo apt install snort -y). Then with the appropriate command snort -v > xxx.txt. we will catch the packets that have attacked the computer. Depending on the port count value set by the analysis module, we can conclude whether a machine is healthy or suspicious. Further, with NMAP, user-defined codes are implemented in the” ipdetail” structure [8].

For the forensic team to decrypt the wireless data packets, they must first import them to Wireshark and find with first Edit then preferences then IEEE 802.11 and edit the Wi-Fi’s SSID. The forensic investigation will present the required evidence required for building the future case in a court of law prosecuting the aggressor.

V. Conclusions

In conclusion, there are many ways to perform a Wi-Fi analysis to investigate as well as monitor activity on networks. The evidence collected must be comprehensive, detailed correctly, and represented in a proper manner, allowing the forensic investigator to perform a thorough and detailed investigation using hardware and software tools available. The software tools can be either Linux or Windows-based.

Once evaluating behaviors or activity, you can select a plan or put a method in place to secure or prevent potential threats and keep your network safe. While technology is ever-changing, with the correct understanding of what software is available, you can implement a plan with the proper tools to keep your network secure and protect your operating systems, lowering the risk of your network being compromised.

References

1. Network Forensics Analysis and Examination Steps, 2019 https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/digital-forensics/network-forensics-analysis-and-examination-steps/#gref

2. Raul Siles, “Wireless Forensics: Tapping the Air - Part One,” January 2, 2017, https://www.symantec.com/connect/articles/wireless-forensics-tapping-air-part-one

3. Wi-Fi Network Scan, Forensics and Analysis

4. Network forensics - https://en.wikipedia.org/wiki/Network_forensics

5. Gokhan Kul, “Wireless network forensics: sources of digital evidence,” https://www.academia.edu/35457721/Wireless_network_forensics_sources_of_digital_evidence

6. Joe Grey, March 5, 2109 “Wireless Network and Wi-Fi Security Issues to Look Out For in 2019”, https://www.alienvault.com/blogs/security-essentials/security-issues-of-wifi-how-it-works

7. Sven Taylor, July 15, 2019 “The Scariest Cybersecurity Statistics of 2019” https://restoreprivacy.com/cyber-security-statistics-2019

8. Deepali Avasthi, May 2012, Network Forensic Analysis with Efficient Preservation for SYN Attack https://pdfs.semanticscholar.org/2133/19101bdd6cef017d36432fb4deb13989a529.pdf

9. Lee Wingfield, July 2 2019. “Wi-Fi Networks and Their Use in Computer Crime,” https://www.intaforensics.com/2009/07/03/wifi-networks-and-their-use-in-computer-crime/

Figures

Abbildung in dieser Leseprobe nicht enthalten

Figure 1: Digital Packet capturing (PCAP) methods

Abbildung in dieser Leseprobe nicht enthalten

Figure 2: Wireshark association with existing Wi-Fi networks

Abbildung in dieser Leseprobe nicht enthalten

Figure 3 Wireshark packet sniffing

Abbildung in dieser Leseprobe nicht enthalten

Figure 4: IP and Mac confirmation

Abbildung in dieser Leseprobe nicht enthalten

Figure 5: Wireshark MAC identification and open ports

Abbildung in dieser Leseprobe nicht enthalten

Figure 6: Wireshark All ports flow

Abbildung in dieser Leseprobe nicht enthalten

Figure 7: Wireshark packets flow from a specific address

Abbildung in dieser Leseprobe nicht enthalten

Figure 8: Wireshark Denial of Service Attack

Abbildung in dieser Leseprobe nicht enthalten

Figure 9: Wireshark count of packets in the DOS attack

[...]