Forensic Data Storage for Wireless Networks: a compliant architecture
Wireless technologies have grown rapidly over the past ten years. Wireless networking has gained popularity since its introduction because it allows computer networks to be formed without a wired infrastructure. The nature of the wireless medium, however, brings inherent security threats and vulnerabilities, and the rapid growth of technology-based digital services is accompanied by deliberate misuse and corruption of those services; together these create opportunities for criminal activity. Digital forensic procedures for wireless networks, aimed specifically at obtaining viable digital evidence, are therefore needed. The current academic literature mainly addresses traditional digital forensic principles and evidence extraction from devices rather than assurance and network-layer architectures, so further research into digital forensics in wireless networks is crucial. The main focus of this research project is the design of a system capable of acquiring and preserving wireless network traffic such that the resulting data contains viable evidentiary trails from 802.11g Wireless Local Area Networks (WLANs). The proposed architecture, the Wireless Forensic Model (WFM), consists of two components: a wireless drone and a Forensic Server. The model is engineered for infrastructure-mode WLANs with multiple Access Points (APs). A distribution of wireless drones monitors and acquires the wireless traffic at the APs and forwards it to the centralised Forensic Server, which stores and preserves the acquired data. Four phases of testing were conducted: two of initial testing and two of stabilised testing.
Phases One and Two (initial testing) involved implementing a test-bed WLAN infrastructure and the prescribed WFM design; both were subjected to benchmark testing, and the initial WFM was evaluated to determine the requirements and capabilities for acquiring and preserving data from the WLAN. Phase Three drew on the experience of the initial testing to reconfigure a stable system design, and benchmark testing was repeated to examine system performance and whether a full data set of viable digital evidence could be obtained. In Phase Four the stabilised WFM was evaluated on its ability to obtain evidentiary trails from a series of recreated attacks against the WLAN. The findings show that the WFM is capable of acquiring and preserving a large proportion of the data generated at the maximum speed of the 802.11g WLAN configuration, and that the integrity of the evidence was maintained. Recreated Denial of Service (DoS) and Fake Access Point (FakeAP) attacks against the WLAN infrastructure left evidentiary trails that the implemented WFM collected; the acquired traffic provided details of the attack conducted and the possibility of linking the evidence to a specific device. The project has provided additional knowledge on forensic investigations in WLANs. The WFM design is considered feasible because it uses readily available hardware and open source software, allowing easy implementation of the architecture. Wireless network traffic as a source of evidence has also been evaluated, identifying the information that can be extracted and the potential uses of the collected data. The aim and positive outcomes of the implemented Wireless Forensic Model point to a promising new development area for digital forensic procedures in wireless networks.
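As an added illustration of the Forensic Server's preservation and evidence-triage role (example code written for this page, not the thesis's own WFM software): the Python block below chain-hashes fixed-size chunks of drone-forwarded frame records so that later tampering with the stored evidence is detectable, then runs two simple detectors over a constructed sample, a deauthentication flood (the DoS case) and a second BSSID advertising the trusted SSID (the FakeAP case). The frame record schema, MAC addresses, thresholds and chunk size are assumptions; the sample frames are constructed, not captured traffic.

```python
"""Added example: Forensic Server-side preservation and triage of 802.11
frame records forwarded by wireless drones. Not the thesis's own code; the
record schema, addresses, window and thresholds below are assumptions."""
import hashlib
import json
from collections import defaultdict

# Assumed addresses for the constructed sample (not real devices).
LEGIT_AP = "00:11:22:33:44:55"
ROGUE_AP = "66:77:88:99:aa:bb"
CLIENT = "aa:bb:cc:dd:ee:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _frame(t, subtype, src, bssid, dst=BROADCAST, ssid=None):
    """Assumed drone record schema: timestamp, management subtype, addresses, SSID."""
    return {"t": round(t, 3), "subtype": subtype, "src": src,
            "dst": dst, "bssid": bssid, "ssid": ssid}


# Constructed sample: 5 legitimate beacons, 5 client data frames, 3 beacons from a
# rogue AP cloning the SSID, then a 12-frame deauth burst spoofing the real AP's MAC.
SAMPLE_FRAMES = (
    [_frame(0.1 * i, "beacon", LEGIT_AP, LEGIT_AP, ssid="CorpWLAN") for i in range(5)]
    + [_frame(0.05 + 0.1 * i, "data", CLIENT, LEGIT_AP, dst=LEGIT_AP) for i in range(5)]
    + [_frame(0.2 + 0.1 * i, "beacon", ROGUE_AP, ROGUE_AP, ssid="CorpWLAN") for i in range(3)]
    + [_frame(1.0 + 0.02 * i, "deauth", LEGIT_AP, LEGIT_AP) for i in range(12)]
)


def preserve(frames, chunk_size=10):
    """Chain-hash fixed-size chunks of records: each digest covers the previous
    digest plus the canonical JSON of the chunk, so reordering, deletion or
    modification of any earlier chunk changes every later digest."""
    log, prev = [], "0" * 64
    for seq, start in enumerate(range(0, len(frames), chunk_size)):
        chunk = frames[start:start + chunk_size]
        payload = json.dumps(chunk, sort_keys=True, separators=(",", ":")).encode()
        digest = hashlib.sha256(prev.encode() + payload).hexdigest()
        log.append({"seq": seq, "n": len(chunk), "prev": prev, "sha256": digest})
        prev = digest
    return log


def verify(frames, log, chunk_size=10):
    """Recompute the chain over the stored records and compare with the custody log."""
    return preserve(frames, chunk_size) == log


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Sliding-window count of deauth/disassoc frames per (src, bssid).
    Returns the peak in-window count for each pair that reached the threshold.
    Note the source MAC is usually spoofed to the AP's address, so the key
    records what was claimed, not who transmitted it."""
    times = defaultdict(list)
    for f in frames:
        if f["subtype"] in ("deauth", "disassoc"):
            times[(f["src"], f["bssid"])].append(f["t"])
    alerts = {}
    for key, ts in times.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


def detect_fake_ap(frames, trusted):
    """Map each SSID to BSSIDs advertising it that are not in the trusted set;
    the rogue BSSID is the attribute that can be tied back to a specific device."""
    seen = defaultdict(set)
    for f in frames:
        if f["subtype"] in ("beacon", "probe_resp") and f["ssid"]:
            seen[f["ssid"]].add(f["bssid"])
    result = {}
    for ssid, bssids in seen.items():
        rogue = bssids - set(trusted.get(ssid, ()))
        if rogue:
            result[ssid] = sorted(rogue)
    return result


if __name__ == "__main__":
    custody = preserve(SAMPLE_FRAMES)
    print("custody log:", json.dumps(custody, indent=1))
    print("chain verifies:", verify(SAMPLE_FRAMES, custody))
    print("deauth floods:", detect_deauth_flood(SAMPLE_FRAMES))
    print("fake APs:", detect_fake_ap(SAMPLE_FRAMES, {"CorpWLAN": {LEGIT_AP}}))
```

The custody log is what the Forensic Server would retain alongside the raw capture; recomputing the chain over the stored records is the integrity check, and because each digest includes its predecessor a single altered record invalidates every later entry. The two detectors operate on the same records, which is the point of storing whole frames rather than summaries: the deauth burst is visible as a rate anomaly, while the FakeAP shows up as a BSSID never seen before advertising a trusted SSID.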