(page 1 of 2)
Wireless Forensics: Tapping the Air - Part One
Raul Siles, GSE 2007-01-02

Introduction

The wide adoption of wireless technologies over recent years has made wireless data (Wi-Fi) networks, based on the 802.11 specifications, one of the major attack vectors against organizations today. Incident handlers and law enforcement have been forced to deal with the complexity of these technologies when managing and responding to security incidents.

This two-part series looks at the issues associated with collecting and analyzing network traffic from wireless networks in an accurate and comprehensive way, a discipline known as wireless forensics.

Part one of this article focuses on the technical details and challenges for traffic acquisition, and provides design requirements and best practices for wireless forensics tools. The second part will address the main considerations and challenges for wireless traffic analysis, including advanced anti-forensic techniques and some legal aspects associated with this discipline.

The reader should note that for simplicity, all practical examples and specific technical details covered in the article use Linux and open-source tools.

Wireless forensics overview

Wireless forensics is a discipline within computer forensic science and, more specifically, within the field of network forensics, a term coined by Marcus Ranum in 1997. Its main goal is to provide the methodology and tools required to collect and analyze (wireless) network traffic so that it can be presented as valid digital evidence in a court of law. The evidence collected can be plain data or, given the broad usage of Voice-over-IP (VoIP) technologies, especially over wireless, voice conversations.

The wireless forensic process involves capturing all data moving over the network and analyzing network events in order to uncover network anomalies, discover the source of security attacks, and investigate breaches of computers and wireless networks to determine whether they are being, or have been, used for illegal or unauthorized activities.

When performing wireless forensics, the security analyst must follow the same general principles that apply to computer forensics: identify, preserve and analyze the evidence, in order to impartially report the findings and conclusions.

Technical challenges for WiFi traffic acquisition

The main technical challenges associated with wireless forensics stem from the intrinsic nature of radio frequency (RF) communications and the complexity of the physical medium and the 802.11 specifications. The following sections focus on the major obstacles that the forensic examiner, and the capture tools, must overcome.

Dealing with the wireless physical medium

802.11 wireless data networks divide the frequency spectrum (see Table 1) into several channels so that multiple communications can take place without interfering with each other. Note that adjacent channels share spectrum: in the 2.4 GHz band, with 22 MHz wide channels spaced 5 MHz apart, only three channels (1, 6 and 11 in the US) are fully non-overlapping. Wireless networks are commonly deployed on specific channels with the goal of avoiding interference.

802.11 spec      Channel width   Frequency range   Spectrum type   Max. rate
802.11a [1]      20 MHz          5160-5330 MHz     OFDM            54 Mbps
802.11b          22 MHz          2401-2495 MHz     DSSS            11 Mbps
802.11g          22/20 MHz       2401-2495 MHz     DSSS/OFDM       54 Mbps

[1]: 802.11a indoor specification. Other frequencies are available for outdoor usage.

Table 1. 802.11 specifications: frequency and spectrum details.

The first wireless forensic tool consideration is that it must support the 802.11 modulation of the network to be monitored; therefore, it is recommended to use 802.11a/b/g multi-band wireless cards that support the three most common standards. Atheros is the most popular chipset for a/b/g cards today. The main drawback of multi-band cards is that US FCC regulations do not allow removable antennas on 802.11a equipment operating in the U-NII-1 frequency range, which is the one most cards use.

Standard wireless equipment contains a single radio; therefore, it is only capable of listening to one specific channel at any given moment. Wireless tools have used a technique called channel hopping to scan the whole frequency spectrum and sample all the different channels; however, with this method the radio only listens on each channel for a brief interval, and any frame transmitted on the other channels during that time is lost.
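The channel arithmetic behind Table 1 and the overlap caveat above, as an added example that is not part of the original article: it maps 802.11 channel numbers to centre frequencies, computes the spectrum each channel occupies for a given channel width, and derives which channels can be monitored (or used) without overlapping. The channel-plan formulas and widths come from the 802.11 standard; the function names are this example's own.

```python
"""Added example (not the article's code): 802.11 channel and frequency arithmetic."""

DSSS_WIDTH_MHZ = 22   # 802.11b channel width
OFDM_WIDTH_MHZ = 20   # 802.11a/g channel width


def channel_to_freq(channel: int, band: str = "2.4") -> int:
    """Return the centre frequency (MHz) of an 802.11 channel in the 2.4 or 5 GHz band."""
    if band == "2.4":
        if channel == 14:
            return 2484                 # channel 14 is the odd one out (Japan, 802.11b only)
        if 1 <= channel <= 13:
            return 2407 + 5 * channel   # 5 MHz spacing starting at 2412 MHz
    elif band == "5":
        if 7 <= channel <= 196:
            return 5000 + 5 * channel   # e.g. channel 36 -> 5180 MHz
    raise ValueError(f"invalid channel {channel} for the {band} GHz band")


def channel_span(channel: int, band: str = "2.4", width: int = DSSS_WIDTH_MHZ):
    """Return the (low, high) edge frequencies in MHz occupied by a channel."""
    centre = channel_to_freq(channel, band)
    return centre - width // 2, centre + width // 2


def overlaps(ch_a: int, ch_b: int, band: str = "2.4", width: int = DSSS_WIDTH_MHZ) -> bool:
    """True if two channels share any spectrum (half-open intervals, so touching edges do not count)."""
    a_lo, a_hi = channel_span(ch_a, band, width)
    b_lo, b_hi = channel_span(ch_b, band, width)
    return a_lo < b_hi and b_lo < a_hi


def band_range(channels, band: str = "2.4", width: int = DSSS_WIDTH_MHZ):
    """Lowest and highest frequency covered by a set of channels (the Table 1 frequency range)."""
    spans = [channel_span(c, band, width) for c in channels]
    return min(lo for lo, _ in spans), max(hi for _, hi in spans)


def non_overlapping_sets(channels, band: str = "2.4", width: int = DSSS_WIDTH_MHZ):
    """Greedy selection, lowest channel first, of mutually non-overlapping channels."""
    chosen = []
    for c in channels:
        if all(not overlaps(c, d, band, width) for d in chosen):
            chosen.append(c)
    return chosen


if __name__ == "__main__":
    print("802.11b, 14 channels:", band_range(range(1, 15)), "MHz")
    print("non-overlapping 22 MHz channels:", non_overlapping_sets(range(1, 15)))
    print("non-overlapping 20 MHz channels:", non_overlapping_sets(range(1, 14), width=OFDM_WIDTH_MHZ))
```

The width matters: with 22 MHz DSSS channels only 1, 6 and 11 (plus 14 where it is legal) are clear of each other, whereas with 20 MHz OFDM channels a 1, 5, 9, 13 plan is also non-overlapping. Either way, a single radio parked on one channel sees only that slice of the spectrum.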

When dealing with a single wireless access point, capturing traffic is not a challenge, because the access point transmits on a single channel, so the analyst simply needs to configure the card to listen on that channel (as shown below). The following Linux command sets an Atheros (madwifi driver) card into monitor mode on channel 13.

# iwconfig ath0 mode monitor channel 13

However, enterprise and large environments with multiple access points present a challenge for accurate traffic captures. Wireless forensics tools must be capable of capturing all the traffic from all the wireless networks in the area where a suspect is located. Therefore, the tools need to listen to all channels simultaneously. The only way of accomplishing this is to have as many radio devices as there are channels to monitor.

Although laws and regulations specify the 802.11 channels allowed in every country or region, as described in Table 2 [ref 1] [ref 2], attackers (unsurprisingly) do not follow the law. Therefore, for 802.11b/g networks it is imperative that the forensic analyst collect traffic from all 14 channels available worldwide. Moreover, some countries have their own local regulations outside the FCC, U-NII or ITU standards.

802.11 spec        U.S.   Europe   Japan   Maximum # channels
802.11a (indoor)   8      [1]      4       12 [2]
802.11b            11     13       14      14
802.11g            11     13       14      14

[1]: Not approved by regulations yet; country-based.
[2]: The indoor 802.11a channel numbers are 34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 60 and 64.

Table 2. 802.11 channel assignments by main regulations.

Regulations also define the maximum transmission power (in mW or W) for 802.11 equipment, but again, attackers will exceed these limits. The analyst must be prepared for this illegal usage, as well as for upcoming wireless technologies, such as MIMO (802.11n) [ref 3] and WiMAX (802.16) [ref 4].

Mobile clients and roaming

One of the major advantages of wireless networks is client mobility, that is, the ability to move around within the wireless network's range without losing the network connection. For large networks this is mainly accomplished through roaming, a technique for quickly switching from the current access point to the nearest one while data is still being sent and received. This functionality presents complex challenges for wireless forensics.

Wireless clients roam from one access point to another once their network card determines that the current access point's signal is too weak to continue transmitting and receiving data. These roaming events typically involve moving from one channel to another. If the tool used to capture data during roaming activities does not monitor all channels, specifically the initial and final channels, portions of the session will be lost, negatively affecting the evidence collected.

Additionally, the location of mobile wireless clients and the facility's physical layout directly influence where the traffic can be captured from. Occasionally, the location from which the forensic examiner is collecting traffic is no longer valid once the client moves, for example, to the opposite side of a building. Sometimes only one end of the communication can be collected.

The only place where data can be accurately collected for a wireless infrastructure network (seeing both ends of the communication) is near the access point, but this is not a realistic scenario, especially when the network consists of multiple access points (the analyst cannot be at all of them at the same time) or when wireless ad-hoc (client-to-client) networks, which have no access point at all, are used. From a wireless forensic perspective this challenge can only be solved by placing multiple traffic capture sensors around the facilities to be monitored. Having three or more sensors also makes it possible to apply triangulation methods to approximately locate the source of a transmission.

Wireless traffic features and extent

When capturing wireless traffic it is important to consider its main characteristics, such as frame types, sizes, the approximate number of frames and the bandwidth requirements.

The 802.11 MTU (Maximum Transmission Unit) for data frames is 2304 bytes (the frame payload size before encryption). Depending on the encryption method used, the final payload size varies: WEP adds 8 bytes of overhead (IV and ICV) for a total of 2312 bytes, WPA (TKIP) adds 20 bytes (extended IV, MIC and ICV) for a total of 2324 bytes, and WPA2 (AES-CCMP) adds 16 bytes (CCMP header and MIC) for a total of 2320 bytes.

As an example, when using WEP, the maximum total frame size (payload + 802.11 header + trailer) is 2346 bytes (2312 + 30 + 4 bytes). This is the figure given in the 802.11 specification [ref 5], and it is much bigger than the default Ethernet MTU of 1500 bytes. Capture tools must therefore be configured with a snapshot length of at least 2346 bytes, or the largest frames will be truncated in the evidence.
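The two requirements above, one monitor-mode radio per channel (all 14 of them) and a snapshot length that does not truncate the largest 802.11 frame, combined into a small capture launcher. This is an added example, not a tool from the article: it drives the same iwconfig monitor-mode command the article shows, plus one tcpdump process per radio. The interface names (ath0 ... ath13), the output directory and the 4096-byte snapshot length are assumptions; with dry_run=True it only builds the command lines, otherwise it must run as root with real interfaces.

```python
"""Added example (not the article's code): one monitor-mode radio per 802.11b/g channel."""
import subprocess
from typing import Dict, List, Tuple

ALL_BG_CHANNELS = list(range(1, 15))   # attackers do not honour regulatory channel limits
MAX_80211_FRAME = 2346                 # WEP worst case: 2312 payload + 30 header + 4 FCS


def plan_captures(interfaces: List[str], channels: List[int] = ALL_BG_CHANNELS,
                  outdir: str = "/evidence", snaplen: int = 4096) -> Dict[str, Tuple[List[str], List[str]]]:
    """Map each channel to its own radio and return (iwconfig, tcpdump) commands per interface.

    Raises ValueError when there are fewer radios than channels, because a single radio
    listens to one channel at a time and channel hopping loses frames, or when the
    snapshot length would truncate the largest 802.11 frame (0 means no limit).
    """
    if len(interfaces) < len(channels):
        raise ValueError(f"{len(channels)} channels need {len(channels)} radios, "
                         f"only {len(interfaces)} given")
    if 0 < snaplen < MAX_80211_FRAME:
        raise ValueError(f"snaplen {snaplen} < {MAX_80211_FRAME}: frames would be truncated")
    plan = {}
    for iface, channel in zip(interfaces, channels):
        plan[iface] = (
            ["iwconfig", iface, "mode", "monitor", "channel", str(channel)],
            ["tcpdump", "-i", iface, "-s", str(snaplen), "-n", "-U",
             "-w", f"{outdir}/ch{channel:02d}-{iface}.pcap"],   # one file per channel/radio
        )
    return plan


def start_captures(plan: Dict[str, Tuple[List[str], List[str]]], dry_run: bool = True):
    """Apply the plan; with dry_run the command lines are returned instead of executed."""
    started = []
    for iface, (set_mode, capture) in plan.items():
        if dry_run:
            started.append(" ".join(set_mode) + " && " + " ".join(capture))
            continue
        subprocess.run(set_mode, check=True)           # configure the radio first, fail loudly
        started.append(subprocess.Popen(capture))      # long-running tcpdump, one per radio
    return started


if __name__ == "__main__":
    import sys
    radios = sys.argv[1:] or [f"ath{i}" for i in range(14)]   # assumed interface names
    for line in start_captures(plan_captures(radios), dry_run=True):
        print(line)
```

Two practical checks before trusting the plan: confirm with iwconfig that each radio actually accepted its channel (cards locked to a regulatory domain often refuse channel 14 or 12/13), and verify the link type tcpdump reports for each interface so the analysis tools know whether a radiotap header precedes each frame.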

Additionally, the 802.11 specifications define three types of frames required to manage the unreliable RF medium: control, management and data frames. The first two have no equivalent on wired networks and add to the amount of data captured during the forensic activities.

For example, due to synchronization requirements, wireless networks (specifically the access points) generate a special type of management frame called beacons. By default an access point sends a beacon every 100 time units (102.4 ms), that is, roughly 10 beacons per second. This means that, for a single wireless network with only one access point, the forensic examiner is going to collect approximately 36,000 frames per hour from beacons alone. The implications of these peculiarities from the performance and storage perspective must be considered in advance.

To illustrate all these peculiarities with a real-world scenario, Table 3 shows the details and figures obtained while collecting 802.11b/g data from all 14 channels using a 6 dBi omnidirectional antenna. It corresponds to a case in which a suspect was followed by car at low speed (20-40 km/h, 12-25 mph) in a quiet small town consisting mainly of two- or three-storey buildings and detached houses.

Example of wireless traffic acquisition in a moving scenario (car pursuit)
  Wireless technology:                  802.11b/g (all 14 channels)
  Capture time:                         25 minutes
  Amount of data collected:             74 Mbytes (~265,000 frames)
  Wireless networks detected:           60
  Wireless networks taxonomy:           12 Open (20%), 42 WEP (70%), 6 WPA (10%)
  Wireless networks with data traffic:  13
  Wireless traffic taxonomy:            25% Data, 39% Management, 36% Control

Table 3. Traffic capture statistics for a moving suspect scenario.

In the same case, another example, a static collection of traffic around the suspect's facilities from the parking lot, provided the details in Table 4.

Example of wireless traffic acquisition in a static scenario (parking lot)
  Wireless technology:                  802.11b/g (all 14 channels)
  Capture time:                         5 minutes
  Amount of data collected:             24 Mbytes (~107,000 frames)
  Wireless networks detected:           24
  Wireless networks taxonomy:           4 Open (17%), 17 WEP (71%), 3 WPA (12%)
  Wireless networks with data traffic:  6
  Wireless traffic taxonomy:            6% Data, 53% Management, 41% Control

Table 4. Traffic capture statistics for a static scenario.

These two examples give a rough estimate of the minimum amount of traffic to expect in a wireless forensics exercise, around 200-300 Mbytes per hour. Obviously, the requirements increase tremendously in more densely populated locations, such as major cities and downtown areas with dozens of multi-tenant buildings shared by multiple companies and individuals.
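How the figures in Tables 3 and 4 are obtained from a capture, as an added example that is not the article's own tooling: it reads a classic pcap (link type 105, raw 802.11, or 127, radiotap followed by 802.11), splits frames into management, control and data from the Frame Control field, and labels each network seen in beacons as Open, WEP, WPA or WPA2 from the Privacy capability bit and the WPA / RSN information elements. The sample frames at the bottom are constructed in memory for the demonstration and are not real traffic; the BSSIDs, SSIDs and function names are assumptions.

```python
"""Added example (not the article's code): frame taxonomy and network security from an 802.11 pcap."""
import struct
from collections import Counter

LINKTYPE_IEEE802_11 = 105
LINKTYPE_RADIOTAP = 127
FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}
EID_SSID, EID_RSN, EID_VENDOR = 0, 48, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")      # Microsoft OUI + type 1 = WPA (TKIP) vendor IE


def read_pcap(data: bytes):
    """Yield 802.11 frames from a pcap byte string, stripping the radiotap header if present."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", data[:4])[0]]
    linktype, = struct.unpack(endian + "I", data[20:24])
    if linktype not in (LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP):
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        caplen, = struct.unpack(endian + "I", data[offset + 8:offset + 12])
        frame = data[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if linktype == LINKTYPE_RADIOTAP:          # radiotap length field is always little-endian
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        yield frame


def frame_type(frame: bytes) -> str:
    """Frame Control bits 2-3 carry the type: 0 management, 1 control, 2 data."""
    return FRAME_TYPES.get((frame[0] >> 2) & 0x3, "Reserved")


def parse_beacon(frame: bytes):
    """Return (bssid, ssid, security) for a beacon or probe response, None for anything else."""
    if frame_type(frame) != "Management" or (frame[0] >> 4) not in (8, 5):
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # address 3 of the 24-byte header
    capab, = struct.unpack("<H", frame[34:36])           # after 8-byte timestamp + 2-byte interval
    ssid, rsn, wpa, pos = "", False, False, 36           # information elements start at 36
    while pos + 2 <= len(frame):
        eid, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if eid == EID_SSID:
            ssid = body.decode("utf-8", "replace")
        elif eid == EID_RSN:
            rsn = True
        elif eid == EID_VENDOR and body.startswith(WPA_OUI_TYPE):
            wpa = True
        pos += 2 + length
    security = "WPA2" if rsn else "WPA" if wpa else "WEP" if capab & 0x0010 else "Open"
    return bssid, ssid, security


def summarize(frames):
    """Frame taxonomy (percentages) and per-network security, as in Tables 3 and 4."""
    types = Counter(frame_type(f) for f in frames)
    networks = {b: (s, sec) for b, s, sec in filter(None, map(parse_beacon, frames))}
    total = sum(types.values())
    return {"frames": total,
            "taxonomy": {t: round(100.0 * n / total, 1) for t, n in types.items()},
            "networks": networks,
            "security": dict(Counter(sec for _, sec in networks.values()))}


# --- constructed sample capture (assumed values, not real traffic) ---------------------
def _beacon(bssid: bytes, ssid: bytes, privacy: bool, extra_ies: bytes = b"") -> bytes:
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"   # beacon to broadcast
    capab = 0x0401 | (0x0010 if privacy else 0)            # ESS + short slot, plus Privacy bit
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, capab)   # timestamp, 100 TU beacon interval
    return header + fixed + bytes([EID_SSID, len(ssid)]) + ssid + extra_ies

RSN_IE = bytes([EID_RSN, 20]) + bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")
WPA_IE = bytes([EID_VENDOR, 22]) + WPA_OUI_TYPE + bytes.fromhex("0100 0050f202 0100 0050f202 0100 0050f202")
SAMPLE_FRAMES = [
    _beacon(bytes.fromhex("001122334401"), b"open-cafe", privacy=False),
    _beacon(bytes.fromhex("001122334402"), b"legacy-wep", privacy=True),
    _beacon(bytes.fromhex("001122334403"), b"corp-wpa", privacy=True, extra_ies=WPA_IE),
    _beacon(bytes.fromhex("001122334404"), b"corp-wpa2", privacy=True, extra_ies=RSN_IE),
    b"\xd4\x00\x00\x00" + bytes.fromhex("001122334402"),                                   # ACK (control)
    b"\x08\x41\x2c\x00" + bytes.fromhex("001122334402") * 3 + b"\x00\x00" + b"\x00" * 40,  # protected data
]


def build_pcap(frames, linktype: int = LINKTYPE_IEEE802_11) -> bytes:
    """Wrap frames in a little-endian classic pcap so read_pcap can consume the sample."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_pcap(SAMPLE_FRAMES)
    report = summarize(list(read_pcap(data)))
    print(report["frames"], "frames", report["taxonomy"])
    for bssid, (ssid, sec) in sorted(report["networks"].items()):
        print(f"  {bssid}  {ssid:<16} {sec}")
    print("networks by security:", report["security"])
```

Run it against a real per-channel capture file to get the taxonomy for that channel; merging the per-channel results gives the all-channel view of Tables 3 and 4. A beacon advertising both WPA and RSN elements is reported as WPA2 here, and a network whose beacons were never captured (only data frames seen) is not counted, which is exactly the gap that missing channels leave in the evidence.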




[ref 1] "Cisco Channels and Antenna Settings". Cisco. http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080209251.html
[ref 2] “HP ProCurve Wireless Radio Country Approvals Matrix”. HP. November 2005. http://www.hp.com/rnd/pdfs/country_approvals_matrix520wl.pdf
[ref 3] IEEE 802.11 – TGn. IEEE. http://grouper.ieee.org/groups/802/11/index.html
[ref 4] IEEE 802.16 (WiMAX). IEEE. http://grouper.ieee.org/groups/802/16/index.html
[ref 5] “Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications”. IEEE. June 2003. http://standards.ieee.org/getieee802/download/802.11-1999.pdf

Article continued on Page 2 



Copyright 2008, SecurityFocus