Wireless and Mobile Network Investigation

Part II.B. Techniques and Tools: Network Forensics
CSF: Forensics Cyber-Security, Fall 2015
Nuno Santos

Summary
- WiFi network investigations
- Cellular network investigations

Remember where we are
- Our journey in this course:
  - Part I: Foundations of digital forensics
  - Part II: Techniques and tools
    - A. Computer forensics
    - B. Network forensics (current focus)
    - C. Forensic data analysis

Previously: Obtaining evidence from networks
- Traffic analysis techniques
- Packet and flow analysis
- Intrusion detection systems
- NetFlow devices
- ISPs' DPI devices

Today: Focus on wireless and mobile networks
- The number of wireless (mobile) phone subscribers now exceeds the number of wired phone subscribers (5-to-1)
- The number of wireless Internet-connected devices equals the number of wired Internet-connected devices
- Laptops and Internet-enabled phones promise anytime, untethered Internet access
- Two important (but different) challenges:
  - Wireless: communication over a wireless link
  - Mobility: handling a mobile user who changes point of attachment to the network

Many wireless network technologies out there
- AM/FM radios
- Wireless doorbells
- Cordless phones
- Cell phones
- Bluetooth headsets
- Infrared devices, such as TV remotes
- Zigbee devices, such as HVAC, thermostat, lighting, and electrical controls
- Wi-Fi (802.11): LAN networking over RF
- WiMAX (802.16): last-mile broadband

Trend is for wireless-connected devices to grow
- (figure omitted: landscape of wireless devices connected to the Internet)

Wireless devices (will) play a crucial role in crime
- Mobile devices create new opportunities for criminals
- While also providing valuable sources of evidence

Why investigate wireless networks?
- Recover a stolen laptop by tracking it on a wireless network
- Identify rogue wireless APs installed by insiders for convenience or to bypass enterprise security
- Investigate malicious or inappropriate activity that occurred via a wireless network
- Investigate attacks on the wireless network itself, including DoS, encryption cracking, and authentication bypass attacks

Our focus today is on investigating:
1. WiFi networks
2. Cellular networks

WiFi network investigations

WiFi networks defined and justified
- The term Wi-Fi refers to wireless networks as defined by the IEEE 802.11 standards
- We focus on 802.11 Wi-Fi networks because:
  - They are ubiquitous
  - We can use many of our previously discussed forensic techniques

802.11 LAN architecture in infrastructure mode
(figure omitted: two APs, AP 1 and AP 2, connected through a hub, switch or router to the Internet)
- A wireless host communicates with a base station
  - Base station = access point (AP), which acts as a wireless hub
- A Basic Service Set (BSS), a.k.a. cell, in infrastructure mode contains:
  - wireless hosts
  - one access point (AP): the base station
- Often, networks have multiple APs with the same SSID (each AP still has its own BSSID, the MAC address of its radio)

Wireless traffic capture: what info can be obtained?
- Investigators can obtain a great deal of info:
  - Broadcast SSIDs
  - Wireless AP MAC addresses (BSSIDs)
  - Supported encryption/authentication algorithms (advertised in the beacons)
  - Associated client MAC addresses
  - In many cases, the full Layer 3+ packet contents
- Encrypted Wi-Fi traffic can be decrypted offline
  - As long as we obtain the encryption keys; for WPA/WPA2-PSK this means the passphrase plus the captured 4-way handshake of the client session to be decrypted, since each session derives its own keys
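Most of the items above (SSID, BSSID, channel, supported ciphers and authentication methods) are advertised in the clear in every beacon frame, so they can be read straight out of a monitor-mode capture without any key. The following parser is an added example written for this page, not code from the lecture or from any tool it mentions; it assumes frames as a monitor-mode capture delivers them (a radiotap header followed by the raw 802.11 frame, e.g. pcap link type 127), and it constructs its own sample beacons with a small builder so it runs offline. The BSSIDs and SSIDs are made up.

```python
import struct

# Cipher-suite and AKM selectors from the 802.11 RSN information element (OUI 00-0F-AC).
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
AKM = {1: "802.1X", 2: "PSK", 8: "SAE"}

RADIOTAP_MIN = struct.pack("<BBHI", 0, 0, 8, 0)  # version 0, pad, header length 8, no fields present


def build_beacon(bssid, ssid, channel, pairwise=(4,), akm=(2,)):
    """Construct a radiotap + 802.11 beacon frame as sample input (constructed, not captured).
    Empty pairwise/akm tuples produce an open network: no RSN IE and Privacy bit clear."""
    mac_hdr = struct.pack("<H", 0x0080)             # frame control: type mgmt, subtype beacon
    mac_hdr += b"\x00\x00" + b"\xff" * 6             # duration, DA = broadcast
    mac_hdr += bssid + bssid + b"\x00\x00"           # SA, BSSID, sequence control
    cap = 0x0001 | (0x0010 if pairwise else 0)       # ESS, plus Privacy when encryption is used
    fixed = struct.pack("<QHH", 0, 100, cap)         # timestamp, beacon interval, capabilities
    ies = bytes([0, len(ssid)]) + ssid.encode()      # IE 0: SSID
    ies += bytes([3, 1, channel])                    # IE 3: DS parameter set (the AP's channel)
    if pairwise:
        body = struct.pack("<H", 1) + b"\x00\x0f\xac\x04"          # RSN version 1, group cipher CCMP
        body += struct.pack("<H", len(pairwise)) + b"".join(b"\x00\x0f\xac" + bytes([c]) for c in pairwise)
        body += struct.pack("<H", len(akm)) + b"".join(b"\x00\x0f\xac" + bytes([a]) for a in akm)
        body += b"\x00\x00"                                        # RSN capabilities
        ies += bytes([48, len(body)]) + body         # IE 48: RSN
    return RADIOTAP_MIN + mac_hdr + fixed + ies


def parse_rsn(data):
    """Decode group cipher, pairwise cipher list and AKM list from an RSN IE body."""
    version = struct.unpack_from("<H", data, 0)[0]
    group = CIPHER.get(data[5], f"unknown({data[5]})")       # suite = 3-byte OUI + 1-byte type
    n_pair = struct.unpack_from("<H", data, 6)[0]
    pos = 8
    pairwise = [CIPHER.get(data[pos + 4 * i + 3], "?") for i in range(n_pair)]
    pos += 4 * n_pair
    n_akm = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    akm = [AKM.get(data[pos + 4 * i + 3], "?") for i in range(n_akm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def parse_beacon(frame):
    """Return SSID, BSSID, channel, Privacy bit and RSN details of a beacon, or None if not a beacon."""
    rt_len = struct.unpack_from("<H", frame, 2)[0]  # radiotap length field is little-endian at offset 2
    dot11 = frame[rt_len:]
    fc = struct.unpack_from("<H", dot11, 0)[0]
    if (fc & 0x0C) != 0 or (fc & 0xF0) != 0x80:       # type must be management (0), subtype beacon (8)
        return None
    bssid = ":".join(f"{b:02x}" for b in dot11[16:22])  # addr3 of a beacon is the BSSID
    cap = struct.unpack_from("<H", dot11, 34)[0]        # 24-byte MAC header + 8 timestamp + 2 interval
    info = {"bssid": bssid, "privacy": bool(cap & 0x10), "ssid": None, "channel": None, "rsn": None}
    pos = 36                                            # first tagged parameter
    while pos + 2 <= len(dot11):
        tag, length = dot11[pos], dot11[pos + 1]
        data = dot11[pos + 2:pos + 2 + length]
        if tag == 0:
            info["ssid"] = data.decode(errors="replace")   # empty for a hidden SSID
        elif tag == 3 and length == 1:
            info["channel"] = data[0]
        elif tag == 48:
            info["rsn"] = parse_rsn(data)
        pos += 2 + length
    return info


def security_label(info):
    """Summarise the advertised security: RSN IE wins, else Privacy bit means WEP (or a WPA1 vendor IE)."""
    if info["rsn"]:
        return "WPA2/" + "+".join(info["rsn"]["akm"]) + "/" + "+".join(info["rsn"]["pairwise"])
    return "WEP-or-WPA1" if info["privacy"] else "OPEN"


SAMPLE_FRAMES = [  # constructed beacons from two hypothetical APs
    build_beacon(bytes.fromhex("001122aabb01"), "CorpNet", 6),
    build_beacon(bytes.fromhex("deadbeef0001"), "CorpNet", 6, pairwise=(), akm=()),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        i = parse_beacon(frame)
        print(i["bssid"], repr(i["ssid"]), "ch", i["channel"], security_label(i))
```

The second sample frame advertises the same SSID as the first but with no encryption at all, which is exactly the signature a later slide describes for an evil twin; WPA1 networks carry their parameters in a vendor-specific IE (tag 221) rather than in tag 48, so a production parser would decode that IE too.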

It may be challenging to spot wireless traffic
(figures omitted)

Spectrum analysis
- For Wi-Fi traffic, the IEEE 802.11 standards use 3 frequency ranges:
  - 2.4 GHz (802.11b/g/n)
  - 3.6 GHz (802.11y)
  - 5 GHz (802.11a/h/j/n)
- Each frequency range is divided into distinct channels
  - E.g., the IEEE has specified 14 channels in the 2.4 GHz range (which of them may be used depends on the regulatory domain)
- Spectrum analyzers can monitor RF frequencies
  - E.g., Wi-Spy ($100-$1000)

Wireless passive evidence acquisition
- Needs an 802.11 wireless card in monitor mode
  - Enables capturing all frames on the channel, not just those destined for the host
  - NB: some restrictions are imposed by wireless cards and their drivers (not every card supports monitor mode); they are not fundamental
- RF waves travel through the air, which is a shared medium
  - As a result, WLAN traffic cannot be physically segmented
  - Therefore, all WLAN transmissions may be observed and intercepted by any station within range

Tools to collect and analyze traffic
- Essentially, we can use the same techniques and tools as for wired networks (once the card is in monitor mode)

Handling common attacks on wireless networks
- Often, investigators suspect that a wireless network has been or is currently under attack
- Common attacks on wireless networks include:
  1. Sniffing: an attacker eavesdrops on the network
  2. Rogue wireless APs: unauthorized wireless devices that extend the local network
  3. WEP cracking: attempts to recover the WEP encryption key and access the network
  4. The evil twin attack: an attacker sets up a WAP with the same SSID as a legitimate WLAN, so that clients associate with it instead

Representation of an evil twin attack
(figure omitted)
- Possibly detected by a wireless intrusion detection system (WIDS)
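A WIDS detects an evil twin or a rogue AP by comparing what the sniffers hear against an inventory of the APs that are supposed to exist. The following is an added example of that comparison, written for this page rather than taken from the lecture or from any WIDS product; the inventory, the OUI list and the survey records are constructed, and the record fields (SSID, BSSID, channel from the DS Parameter Set IE, advertised security, RSSI) are the ones a beacon parser yields.

```python
from collections import defaultdict

# Constructed inventory (hypothetical): SSID -> authorized BSSIDs and the security they must advertise.
AUTHORIZED = {
    "CorpNet":   {"bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}, "security": "WPA2-PSK/CCMP"},
    "CorpGuest": {"bssids": {"00:11:22:aa:bb:03"}, "security": "OPEN"},
}
CORP_OUIS = {"00:11:22"}   # constructed: the vendor prefix of the enterprise's own APs

# Constructed survey records: (ssid, bssid, channel, advertised security, rssi_dbm)
OBSERVED = [
    ("CorpNet",   "00:11:22:aa:bb:01",  6, "WPA2-PSK/CCMP", -55),
    ("CorpNet",   "00:11:22:aa:bb:02", 11, "WPA2-PSK/CCMP", -62),
    ("CorpNet",   "00:11:22:aa:bb:01",  1, "WPA2-PSK/CCMP", -40),  # authorized BSSID, but also on a second channel
    ("CorpNet",   "de:ad:be:ef:00:01",  6, "OPEN",          -38),  # same SSID, unknown BSSID, no encryption, strongest
    ("CorpGuest", "00:11:22:aa:bb:03",  1, "OPEN",          -70),
    ("Linksys",   "c0:ff:ee:12:34:56",  1, "WPA2-PSK/CCMP", -45),  # SSID not in inventory, consumer-vendor OUI
]


def analyze(observed, authorized, corp_ouis):
    """Return alerts (kind, ssid, bssid, channel(s), rssi, reason), strongest signal first."""
    alerts = []
    channels = defaultdict(set)
    strongest = {}
    for ssid, bssid, ch, sec, rssi in observed:
        channels[bssid].add(ch)
        strongest[bssid] = max(strongest.get(bssid, -1000), rssi)
        if ssid in authorized:
            expected = authorized[ssid]
            if bssid not in expected["bssids"]:
                reason = "unauthorized BSSID advertising an inventoried SSID"
                if sec != expected["security"]:
                    reason += f"; advertises {sec}, expected {expected['security']}"
                alerts.append(("EVIL_TWIN", ssid, bssid, ch, rssi, reason))
            elif sec != expected["security"]:
                alerts.append(("MISCONFIG", ssid, bssid, ch, rssi,
                               f"authorized AP advertises {sec}, expected {expected['security']}"))
        elif bssid[:8].lower() not in corp_ouis:
            alerts.append(("ROGUE_AP", ssid, bssid, ch, rssi, "SSID not in inventory, non-corporate OUI"))
    # A real AP beacons on one channel; the same BSSID on several channels means someone cloned it.
    for bssid, chs in channels.items():
        if len(chs) > 1:
            ssid = next(s for s, b, *_ in observed if b == bssid)
            alerts.append(("BSSID_CLONE", ssid, bssid, tuple(sorted(chs)), strongest[bssid],
                           "one BSSID beaconing on several channels: likely a spoofed copy"))
    alerts.sort(key=lambda a: a[4], reverse=True)   # strongest first: most likely on the premises
    return alerts


if __name__ == "__main__":
    for kind, ssid, bssid, ch, rssi, reason in analyze(OBSERVED, AUTHORIZED, CORP_OUIS):
        print(f"{kind:12} {ssid:10} {bssid} ch={ch} rssi={rssi} dBm: {reason}")
```

The channel compared here must be the one the AP announces in its DS Parameter Set IE, not the channel the sniffer happened to be tuned to: on 2.4 GHz, adjacent channels overlap and a channel-hopping sniffer hears the same beacon on several of them, which would otherwise turn every healthy AP into a BSSID_CLONE alert. Signal strength is the tie-breaker an evil twin has to win, which is why the report is sorted by RSSI.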

Investigation of wireless access points
- A wireless access point (WAP) is a Layer 2 device that aggregates endpoint stations into a LAN
- APs may be involved in a forensic investigation because they:
  - may contain locally stored logs of connection attempts, authentication successes and failures, and other local WAP activity
  - can help track the physical movements of a wireless client throughout a building or campus
  - have a configuration that may provide insight into how an attacker gained access to the network
  - may have had their configuration modified by an unauthorized party as part of an attack
  - can themselves be compromised

Locating wireless devices
- It can be difficult to physically locate a device of interest
  - E.g., a compromised laptop, a rogue wireless AP
- Some strategies for locating wireless devices:
  1. Gather station descriptions, such as MAC addresses
     - The first three bytes of a MAC address are the manufacturer's OUI (Organizationally Unique Identifier), so the address reveals the vendor of the card; the vendor assigns the remaining three bytes so that each card's address is unique
     - MAC addresses can be changed in software, so treat them as a lead rather than as proof of identity
  2. For clients, identify the AP that the station is associated with
     - Using AP logs or traffic monitoring
  3. Poll the device's signal strength from several points and triangulate
     - Use specialized tools such as NetStumbler or Kismet
  4. Leverage commercial enterprise wireless mapping software
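Strategy 3 above, turning signal strength into a position, is what the enterprise mapping tools do internally. The code below is an added example for this page (not code from the lecture, Kismet, NetStumbler or Cisco): it converts RSSI readings at three or more APs of known position into distances with the log-distance path-loss model and then solves the resulting circle intersection by least squares. The AP coordinates, the reference RSSI at 1 m (-40 dBm) and the path-loss exponent (2.5) are assumptions; in practice the last two are calibrated per building.

```python
import math


def rssi_to_distance(rssi_dbm, rssi_at_1m=-40.0, path_loss_exp=2.5):
    """Log-distance path-loss model: RSSI(d) = RSSI(1 m) - 10 * n * log10(d). Parameters are assumed."""
    return 10 ** ((rssi_at_1m - rssi_dbm) / (10 * path_loss_exp))


def distance_to_rssi(d_m, rssi_at_1m=-40.0, path_loss_exp=2.5):
    """Inverse of rssi_to_distance, used here only to construct sample readings."""
    return rssi_at_1m - 10 * path_loss_exp * math.log10(d_m)


def trilaterate(anchors):
    """anchors: list of (x, y, distance). Returns the least-squares (x, y).

    Subtracting the first circle equation from each other one linearises the problem:
      2(xi - x1) x + 2(yi - y1) y = d1^2 - di^2 - x1^2 + xi^2 - y1^2 + yi^2
    which is solved through the 2x2 normal equations (no numpy needed)."""
    x1, y1, d1 = anchors[0]
    rows = []
    for xi, yi, di in anchors[1:]:
        rows.append((2 * (xi - x1), 2 * (yi - y1),
                     d1 ** 2 - di ** 2 - x1 ** 2 + xi ** 2 - y1 ** 2 + yi ** 2))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-12:
        raise ValueError("anchors are collinear; position is ambiguous")
    return (sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det


def locate(ap_positions, readings, **model):
    """ap_positions: {bssid: (x, y)} in metres; readings: {bssid: rssi_dbm} seen from the device."""
    anchors = [(*ap_positions[b], rssi_to_distance(r, **model))
               for b, r in readings.items() if b in ap_positions]
    if len(anchors) < 3:
        raise ValueError("need RSSI from at least three APs with known positions")
    return trilaterate(anchors)


# Constructed scenario (hypothetical floor plan): three APs and a device actually at (5, 7) metres.
AP_POSITIONS = {"00:11:22:aa:bb:01": (0.0, 0.0),
                "00:11:22:aa:bb:02": (20.0, 0.0),
                "00:11:22:aa:bb:03": (0.0, 20.0)}
TRUE_POS = (5.0, 7.0)
EXACT_READINGS = {b: distance_to_rssi(math.dist(TRUE_POS, p)) for b, p in AP_POSITIONS.items()}
ROUNDED_READINGS = {b: round(r) for b, r in EXACT_READINGS.items()}   # drivers report whole dBm

if __name__ == "__main__":
    print("exact RSSI  ->", locate(AP_POSITIONS, EXACT_READINGS))
    print("1 dB rounded ->", locate(AP_POSITIONS, ROUNDED_READINGS))
```

The rounded run shows why RSSI-based positioning is only room-level: one decibel of quantisation alone moves the estimate by well over half a metre, and walls, bodies and multipath add far more than that. The direction-finding step (walk towards rising signal with a directional antenna) is what closes the last few metres.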

Screenshot of Cisco's Wireless Location Appliance
(figure omitted)
- Displays devices located on an enterprise floor map
- Allows system administrators to search and sort
- Lists stations detected, SSID, signal strength, and more
- Known devices are marked with a box, while rogue devices are labeled with a skull

Cellular network investigations

Components of cellular network architecture
(figure omitted: cells with base stations, connected through Mobile Switching Centers to the public telephone network)
- cell
  - covers a geographical region
  - base station (BTS), analogous to an 802.11 AP
  - mobile users attach to the network through the BTS
  - air interface: physical and link layer protocol between mobile and BTS
- MSC (Mobile Switching Center)
  - connects cells to the wired telephone network
  - manages call setup
  - handles mobility

Cellular networks: the first hop
- Two techniques for sharing the mobile-to-BTS radio spectrum:
  - combined FDMA/TDMA: divide the spectrum into frequency bands, and divide each band into time slots
  - CDMA: code division multiple access

2G (voice) network architecture
(figure omitted)
- Legend: Base transceiver station (BTS), Base station controller (BSC), Mobile Switching Center (MSC), Gateway MSC, Public telephone network, Mobile subscribers
- Base station system (BSS) = BTS + BSC

Main components
- Mobile devices connect to a base transceiver station (BTS)
- Each BTS has at least one radio transceiver that provides radio coverage for a specific geographic region (cell)
- GSM uses a BSC to control a group of BTSs, e.g., it coordinates the handover of a call from one BTS to another
- The MSC delivers calls and SMSes to mobile devices in its jurisdiction, and coordinates handovers of ongoing communications as devices move between areas

2.5G (voice+data) network architecture
(figure omitted)
- Key insight: the new cellular data network operates in parallel (except at the edge) with the existing cellular voice network
  - voice network unchanged in the core
  - data network operates in parallel: Serving GPRS Support Node (SGSN) and Gateway GPRS Support Node (GGSN), connected to the public Internet

All components can be important for an investigation
- MSCs generate a wealth of useful information
  - Usage logs and charging detail records
  - The list of mobile devices currently being handled by an MSC
- Operation centers maintain and monitor the NSPs' (network service providers') systems, which hold:
  - Info about subscribers, billing details, and the services they can use
  - SMSes waiting to be processed (retained for a limited time)
  - Voicemail
  - A blacklist of devices reported stolen or flagged as bad
  - Signaling information for call establishment
  - Devices' IMEI numbers

IMEIs are quite valuable for investigators
- The International Mobile Equipment Identity (IMEI) is a unique number associated with a particular handset (not with the subscriber, who is identified by the SIM)
- The IMEI can be used to obtain stored data from NSPs
  - To monitor traffic associated with a particular device
  - To keep track of a mobile device across NSPs (e.g., when the SIM is swapped)

A device leaves traces the moment it is turned on
- When powered on, the device announces itself to the network, starting the authentication process
- The authentication process is based on the IMSI
  - The International Mobile Subscriber Identity (IMSI) is a unique number stored on the SIM card and associated with a particular subscriber
- To limit exposure of the IMSI, the network assigns a Temporary Mobile Subscriber Identity (TMSI) once the device has attached and uses the TMSI over the air from then on; the IMSI itself is still transmitted in the clear on the first attach and whenever the network issues an identity request (which is what IMSI catchers rely on), and both identifiers are logged
- Investigators can ask NSPs to query their systems for all activities relating to a particular subscriber account

Investigations of mobile systems
- Investigations are supported by dedicated software
  - The investigator enters all the data available on a subject
  - The server performs a thorough analysis and outputs info about the mobile devices involved, and the calls made and received
- The NSP may provide additional historical info
  - E.g., the other mobile devices seen at a given BTS on a given date and time

Types of evidence
- Localization parameters
- Usage logs / billing records
- Text / multimedia messages
- Voice and data

Determining the location of mobile devices
- Can be important for investigating events in the past
  - Assessing suspects' alibis
  - Determining the whereabouts of victims
- Can also provide clues for ongoing location tracking in certain cases
  - E.g., abduction, missing persons, etc.

Location parameters
- Location parameters: info that can be combined to localize an active mobile device and its user
- Determining the device's position: mobile devices periodically announce themselves to the network
  - Turning on a device and leaving it in an idle state already generates data on the network (e.g., location updates) that can help determine its location
  - As a device is moved, it updates the network with its new location area

Position tracking methods: cell identification
- The mobile device can be placed by looking at the cell to which it is currently connected
- There is a range of accuracy
  - From a few hundred meters in urban areas up to about 32 km (close to the maximum GSM cell radius) in suburban and rural areas
- Accuracy depends on the known range of the particular base station (and, when available, on the sector/antenna direction)

Position tracking methods: TDOA
- Time difference of arrival (TDOA), a.k.a. multilateration
- Measures the difference between the times at which a device's signal arrives at multiple base stations to estimate the device's location (the device's own transmission time need not be known, because it cancels out of the differences)
- Commonly used in civil and military surveillance applications
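Each time difference between two base stations places the device on a hyperbola; three or more stations give enough hyperbolas to intersect. The code below is an added example of that computation, written for this page and not taken from the lecture or from any operator's positioning system: it does a coarse grid search over the area covered by the stations and then refines the best grid point with Gauss-Newton on the TDOA residuals. The base-station coordinates, the device position and the arrival timestamps are constructed (the timestamps are simulated from the true position, so the reader can see the solver recover it).

```python
import math

C = 299_792_458.0   # propagation speed, m/s


def dist(p, s):
    return math.hypot(p[0] - s[0], p[1] - s[1])


def simulate_arrivals(target, stations, t_emit):
    """Construct arrival timestamps for a transmission at time t_emit from `target` (sample input only)."""
    return [t_emit + dist(target, s) / C for s in stations]


def tdoa_residuals(p, stations, arrivals):
    """Residual per station i>0: (|p - s_i| - |p - s_0|) - c * (t_i - t_0).  Emission time cancels."""
    s0, t0 = stations[0], arrivals[0]
    return [(dist(p, s) - dist(p, s0)) - C * (t - t0) for s, t in zip(stations[1:], arrivals[1:])]


def multilaterate(stations, arrivals, search_box, step=100.0, iters=50):
    """Return ((x, y), rms_residual_m). search_box = (xmin, xmax, ymin, ymax) in metres."""
    if len(stations) < 3:
        raise ValueError("need at least three stations (two independent time differences)")
    xmin, xmax, ymin, ymax = search_box
    best, best_cost = None, float("inf")
    x = xmin
    while x <= xmax:                                   # coarse grid search: a safe starting point
        y = ymin
        while y <= ymax:
            cost = sum(r * r for r in tdoa_residuals((x, y), stations, arrivals))
            if cost < best_cost:
                best, best_cost = (x, y), cost
            y += step
        x += step
    p = list(best)
    s0 = stations[0]
    for _ in range(iters):                             # Gauss-Newton refinement
        r = tdoa_residuals(p, stations, arrivals)
        d0 = max(dist(p, s0), 1e-9)
        u0 = ((p[0] - s0[0]) / d0, (p[1] - s0[1]) / d0)   # unit vector from reference station
        jac = []
        for s in stations[1:]:
            d = max(dist(p, s), 1e-9)
            jac.append(((p[0] - s[0]) / d - u0[0], (p[1] - s[1]) / d - u0[1]))
        a = sum(j[0] * j[0] for j in jac)
        b = sum(j[0] * j[1] for j in jac)
        c2 = sum(j[1] * j[1] for j in jac)
        g0 = -sum(j[0] * ri for j, ri in zip(jac, r))   # -J^T r
        g1 = -sum(j[1] * ri for j, ri in zip(jac, r))
        det = a * c2 - b * b
        if abs(det) < 1e-12:
            break
        dx = (g0 * c2 - b * g1) / det                  # solve (J^T J) dp = -J^T r
        dy = (a * g1 - b * g0) / det
        p[0] += dx
        p[1] += dy
        if math.hypot(dx, dy) < 1e-6:
            break
    rms = math.sqrt(sum(r * r for r in tdoa_residuals(p, stations, arrivals)) / (len(stations) - 1))
    return (p[0], p[1]), rms


# Constructed scenario: four hypothetical BTS sites on a 3 km square and a device at (1234.5, 876.5) m.
STATIONS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0), (3000.0, 3000.0)]
TRUE_TARGET = (1234.5, 876.5)
ARRIVALS = simulate_arrivals(TRUE_TARGET, STATIONS, t_emit=0.0123)

if __name__ == "__main__":
    pos, rms = multilaterate(STATIONS, ARRIVALS, (0.0, 3000.0, 0.0, 3000.0))
    print(f"estimate = ({pos[0]:.2f}, {pos[1]:.2f}) m, residual rms = {rms:.3f} m")
```

In a real deployment the limiting factor is timestamp quality: the stations need a common clock, and every 100 ns of timing error is 30 m of range error, so the returned residual RMS is the number to inspect before trusting a fix. With only three stations the two hyperbolas can intersect twice, so a fourth station (or the serving-cell identity from the previous slide) is used to reject the wrong branch.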

Location tracking supported by adequate tools
- Investigators are assisted by specialized tools that collect and analyze location data from the NSP

Signal jamming
- Organized criminal groups often protect their privacy by jamming signals in the area around their meeting place
- A mobile device jamming system emits a signal that prevents the use of mobile phones within a certain radius
  - Prevents mobile devices from linking to the BTS and thus from connecting to the network
  - This prevents investigators from getting an idea of the geographical location of the meeting
  - Side effect: temporarily interrupts the operation of all mobile phones in the area

Cell phone jammers are easily available online
(figure omitted)

But jammers may be crucial for the police too
- Mobile devices can be remotely activated from any part of the world (e.g., to detonate a bomb)
  - E.g., by sending a ring or an SMS containing a code
- Upon suspicion, the police can preventively isolate mobile devices from the network by deploying jamming systems in the vicinity of the devices


Usage logs & billing records
- Logs maintained by an NSP can help investigators determine the past usage of a phone, as well as communications between individuals
- Logs are generated from Call Detail Records (CDRs), maintained for billing purposes, which contain:
  - Telephone number of the user
  - Numbers called
  - IMEI number of the mobile device
  - Information about the cell
  - SMS sent (excluding the text)
  - Date, time, and duration of the calls
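The questions an investigator puts to a CDR export are usually the same three: who did the subject communicate with, who else was served by the same cell at the same time (the "other devices at a BTS on a given date and time" query from an earlier slide), and whether the SIM and the handset stayed together. The following is an added example that answers them over a constructed CSV export; it is not code from the lecture or from any operator, the column layout is a hypothetical one (operators' formats differ), and every number, IMEI and cell identifier in it is made up.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export (hypothetical operator format). type: MOC = mobile-originated call,
# MTC = mobile-terminated call, SMS = mobile-originated SMS (text not retained).
# cell_id is MCC-MNC-LAC-CI of the cell serving the subscriber in the msisdn column.
CDR_CSV = """\
start_time,msisdn,other_party,type,duration_s,imei,cell_id
2015-10-03 21:02:11,+351910000001,+351910000002,MOC,95,35912300001111,268-01-0420-10321
2015-10-03 21:02:11,+351910000002,+351910000001,MTC,95,35912300002222,268-01-0420-10325
2015-10-03 21:10:05,+351910000001,+351910000003,SMS,0,35912300001111,268-01-0420-10321
2015-10-03 21:31:50,+351910000003,+351910000001,MOC,40,35912300003333,268-01-0420-10321
2015-10-03 22:15:00,+351910000001,+351910000002,MOC,12,35912300009999,268-01-0421-10590
2015-10-04 09:12:33,+351910000004,+351910000002,MOC,300,35912300003333,268-01-0430-11001
"""


def parse_cdrs(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start_time"] = datetime.strptime(r["start_time"], "%Y-%m-%d %H:%M:%S")
        r["duration_s"] = int(r["duration_s"])
        rows.append(r)
    return rows


def contacts(records, msisdn):
    """Distinct communications per counterpart. When both parties are customers of the same NSP
    a call appears twice (MOC for the caller, MTC for the callee), so dedupe on (time, pair, kind)."""
    seen = set()
    out = Counter()
    for r in records:
        a, b = r["msisdn"], r["other_party"]
        if msisdn not in (a, b):
            continue
        kind = "SMS" if r["type"] == "SMS" else "CALL"
        key = (r["start_time"], frozenset((a, b)), kind)
        if key in seen:
            continue
        seen.add(key)
        out[b if a == msisdn else a] += 1
    return out


def colocated(records, msisdn, window=timedelta(minutes=30)):
    """Other subscribers served by the same cell within `window` of one of the target's records.
    Cell-level co-location is coarse (see the cell identification slide): treat it as a lead."""
    target = [(r["start_time"], r["cell_id"]) for r in records if r["msisdn"] == msisdn]
    hits = set()
    for r in records:
        if r["msisdn"] == msisdn:
            continue
        for t, cell in target:
            if r["cell_id"] == cell and abs(r["start_time"] - t) <= window:
                hits.add((r["msisdn"], cell))
    return hits


def imei_anomalies(records):
    """SIMs that moved between handsets, and handsets shared by several SIMs."""
    by_msisdn, by_imei = defaultdict(set), defaultdict(set)
    for r in records:
        by_msisdn[r["msisdn"]].add(r["imei"])
        by_imei[r["imei"]].add(r["msisdn"])
    return {
        "msisdn_multi_imei": {m: s for m, s in by_msisdn.items() if len(s) > 1},
        "imei_multi_msisdn": {i: s for i, s in by_imei.items() if len(s) > 1},
    }


if __name__ == "__main__":
    recs = parse_cdrs(CDR_CSV)
    subject = "+351910000001"
    print("contacts of", subject, dict(contacts(recs, subject)))
    print("co-located within 30 min:", colocated(recs, subject))
    print("IMEI anomalies:", imei_anomalies(recs))
```

The IMEI check is the one that pays off most often: the subject's last call comes from a handset never seen before (a SIM swap), while the handset used by a third party earlier turns up under a fourth number the next day, which ties two subscriber accounts to one physical device exactly as the IMEI slides describe.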

Text & multimedia messages
- Advantages of SMS include the ability to transmit messages even in areas of very low signal coverage
- SMS is intercepted using the same systems used for intercepting voice calls
- SMS and MMS can be important to an investigation, but they are kept in the core network only for a limited time
  - Therefore they tend to be captured in transit during an investigation
- The structure of an intercepted SMS / MMS is straightforward
  - Sender, receiver, time, date, and content


Interception of evidence on mobile networks
- In general, the freedom and privacy of personal communications are inviolable rights that can be compromised only if authorized by judicial authorities
- For privacy protection, legal systems dictate limitations to the admissibility of interceptions:
  - Interceptions are allowable only for certain specific crimes
  - Interceptions must be authorized
- Typically, interceptions are done in collaboration with NSPs

How telephone (or data) interception works
- The NSP duplicates a suspect's communication line and diverts the copy to a Monitoring Center (MC), as specified in a warrant issued by the judicial authorities
- In principle, the NSP never gains knowledge of the contents of the tapped telephone calls
(figure omitted: an ongoing call passing through the Mobile Switching Center, with a copy delivered to the Monitoring Center)

Monitoring systems
- Powerful systems with database backends that allow investigators to:
  - Eavesdrop on conversations directly
  - Watch video calls
  - Review and print faxes
  - Display location details
  - Monitor telematic info like email and Internet use
  - Be notified of intercepted calls of a certain target
  - Search through previously recorded traffic
- Example: ADACS intelligence collection systems

Monitoring systems offer powerful interfaces
- Sample screenshot of the ADACS system (figure omitted)
- ADACS provides law enforcement and intelligence agencies with the ability to collect, monitor, record and analyze switch-based voice, video, and data transmissions

Advanced features in interception systems
- Voice recognition
  - Central database for storage of recognized voices, complete with sample recordings and personal notes
- Analysis of target behavior
  - Predictive target behavior analysis and graphic analysis of the interaction among targets

Alternative approach to interception: IMSI catcher
- An IMSI catcher subjects the phones in its vicinity to a MITM attack, acting as a fake base station towards them
- Exploits a GSM security weakness: authentication is one-way. The phone proves its identity to the network, but the network never proves its identity to the phone, so a phone attaches to whichever base station advertises its operator's codes with the strongest signal. The fake station can then request the IMSI in the clear and instruct the phone to use no (A5/0) or weak encryption
(figure omitted: normal communication path vs. intercepted communication path)
- The FBI adopts this technique using the Stingray IMSI catcher

Crypto phones
- To prevent eavesdropping and electronic surveillance, use crypto phones
- Crypto phones encrypt the voice signal end-to-end, independently of whatever encryption the network applies
- They negotiate a fresh session key for every call
- A cryptographic chip handles the crypto operations
- This represents a limit for investigations, unless the encryption can be broken (or one of the endpoints is compromised)
- Example: GSMK CryptoPhone 500 (figure omitted)

Conclusions
- Wireless and mobile communications represent an ever-growing share of network traffic
- In particular, WiFi and cellular networks are amongst the most popular technologies used today
- Therefore, it is important for digital investigators to be able to collect and analyze evidence from such networks

References
- Primary bibliography
  - Casey, Handbook of Digital Forensics and Investigation, 2010 [Ch. 10]

Next class
- File carving, or
- Invited talk