, , , , , , , ,

After reading a few posts by Susan Brenner, I was thinking about the value of routers as forensic evidence, and whether it’s possible to acquire, analyse and present that evidence while preserving its integrity. This post isn’t about huge corporate networks, but the average home and small office network without some expensive perimeter-based logging system. There are a couple of real-world examples of how this would be invaluable, either where a criminal used someone else’s network to commit an offence under the owner’s IP address, or where copyright infringement accusations were disputed.

Brenner describes such a case in which a man was convicted for the possession of child pornography, but the defence apparently didn’t have the resources to ‘investigate a theory’ that ‘an unknown third party may have hacked into [Cook’s] wireless router, either using [his] password or a code breaking piece of software.’ Why this matter wasn’t resolved by examinations of his computer is anyone’s guess.

The other example was the ACS:Law scandal that happened around early 2010, where countless extortion letters were sent out demanding settlement payments for alleged copyright infringements. The only apparent evidence were lists of IP addresses provided by another firm. Again, because of the lack of forensic resources, many who protested their innocence were unable to defend themselves against incompetence, blackmail, professional misconduct, extortion and defamation.

As we can see, an IP address gained from a service provider could (perhaps unreliably) identify a network, but never the person behind that network’s router. Therefore, it cannot prove beyond doubt that a given person committed a given offence using the Internet, which is basically the reason we have digital forensics. But the router itself could store valuable information about its security configurations, and perhaps a DHCP log of MAC addresses on the network at given times. If we’re lucky, there just might be a way of extracting that data.

The Router
One of the main things to remember is the modern router is essentially an embedded system that provides a number of services. It has an operating system, it routes traffic, runs a firewall program, and it usually runs a web server for hosting an administration interface. It follows that the router must have some form of persistent storage with a file system, and as such, the data (and perhaps deleted log files) should be recoverable for analysis, as with any solid state device.
In practice it’s not so easy, since it appears there’s no standard procedure yet for acquiring evidence from routers in a way that preserves its integrity, or of imaging whatever storage volumes exist in the device.

A freely available academic paper from researchers at the University of Massachusetts suggests a forensic logging system as a solution to the problems I outlined, but it only works when a certain type of firmware’s installed on the router and properly configured. The evidence would also be much stronger if collected from the router’s internal storage, rather than from an external recording system that might be open to tampering.

Where to Begin…
We might be able to solve the problem with a little analysis of the device and research. Using nmap (version 6 recently released), we can footprint the router and gain specific information about the device type, its operating system and whatever services are running. To give an example:

michael@beatrix:> nmap -sS -A

Starting Nmap 5.21 ( http://nmap.org ) at 2012-06-03 14:48 BST
Nmap scan report for
Host is up (0.0029s latency).
Not shown: **** filtered ports
21/tcp open ftp?
80/tcp open http Embedded ******* ******** webserver **** UPnP/1.0 (***************)
|_html-title: Site doesn't have a title (text/html).
| http-auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = *************
MAC Address: *************** (******)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop

1 2.94 ms

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.37 seconds

The nmap output might just indicate options for transferring data and imaging the storage volume over an Ethernet connection, but the chances are it won’t. Following this, it’s possible to search for the Internet for technical information, using nmap’s output, on that specific router and firmware: documentation, manuals, information on what’s inside the casing, and default passwords. After all, there must be a method for getting the firmware installed in the first place.
There’s also another possibility I’ve discovered that’s worth exploring. The image below, from TechRepublic, shows the internals of a reasonably advanced Linksys router (£40 on Amazon).

As we can see, there are no removable storage media here, or much in the way of serial ports. However, the manufacturer left spaces on the circuit board (top left), possibly for USB or RS232 connectors, and these might provide a serial interface for the chipset.