Network Investigation & Digital Triage

As an on-scene investigator, it’s likely that you are often faced with processing live crime scenes that contain an abundance of digital evidence. Unfortunately, traditional digital evidence collection methods have the potential to result in evidence being left at the crime scene or being inadvertently deleted from computers entirely. Don’t let that happen to your case.

Let us teach you how to conduct pre-raid electronic surveillance of a suspect location to identify wireless networks and access points. You’ll learn how to locate suspect networks and then how to recover volatile evidence commonly found on network devices (routers, switches, and hubs) as well as the volatile data from running computers.

Audience: Law enforcement investigators
Prerequisites: Complete The Investigation of Computer Crime course. (Recommended)
Length: 3 days
Difficulty: Basic-to-intermediate


Firefox as an Investigative Tool and Other Online Resources

We show you why Firefox—supplemented by our list of recommended Add-ons—will soon become your favorite Internet browser to use for investigations. You’ll see a demonstration of some Firefox add-ons that will speed up your investigations by increasing functionality. Many of these add-ons fall under the category of “You better hurry up and grab it now, because it might be gone later.”

We introduce you to the SEARCH Investigative Toolbar, which is a collection of shortcuts that point to frequently used web resources. We also introduce you to the SEARCH ISP List, which is a collection of legal contact information and instructions you need in order to serve subpoenas, court orders, and search warrants to Internet Service Providers.

Network Storage

Network storage comes in all shapes and sizes and includes everything from rack storage to wireless hard drives. We introduce you to Network Attached Storage (NAS) and show you how it can be a danger for law enforcement because it’s so easy to hide. We practice setting up and configuring a wireless NAS, and we provide tips on how to locate a NAS device.

Understanding Wireless Routers

Routers—the traffic cops of the Internet—play a major role in network investigations. We show you how routers work to forward information between networks. You’ll learn about wireless access points (WAP), Dynamic Host Configuration Protocol (DHCP), and Network Interface Cards (NIC). We show you that IP lease information—in the form of a client table—can be found within a router. You will learn how to set up a router and enable log functions. This is evidence that can help your case and we show you how to get to it.

Wireless Cameras

Suspects often use wireless cameras as an early warning system or to record and then relive a criminal act. Like routers and storage devices, wireless cameras come in many shapes and sizes. We give you some tips on what to look for and then show you how they work. We show you how to locate hidden cameras and demonstrate some of the tools that will assist in the search. You will work through an exercise and gain valuable experience in setting up a wireless camera.

On-Scene Investigative Tools

Now that we know the kinds of things we’re looking for in our investigation—and how to find them—we can start to capture potential evidence. We show you some tools you can use on-scene that can provide you with valuable information. Specifically, these are tools to 1) rule out encryption, 2) look at devices on a network, 3) look for a network’s WEP or WPA passphrase, and 4) rule out a defense claim of intrusion by a third party. We present this material with an abundance of caution to investigators and urge agencies to work with prosecutors to develop digital evidence collection policies that will guide them through this area of investigation.

Network Client Geolocation

Finding information about a suspect’s network and router is intelligence gathering that you need to do before you can prepare a search warrant. We show you some network scanning tools and explain how they work. You’ll see how to focus on a target network and how to isolate a network. We talk about geolocation, and show you how you can use this feature to target a router. You’ll also see tools that can be used to scan for wifi networks.

Understanding Volatile Data

Volatile data is data that requires power to maintain its existence. If power is removed from a device, the volatile data is erased and gone forever. Examples of volatile data include a computer’s Random Access Memory (RAM) and router client lease tables. We give you a laundry list of things that can be found in the RAM, and show you why it’s important to preserve it. We walk you through the installation and operation of some of the tools that can collect volatile data.
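The router client lease table mentioned in the Understanding Wireless Routers and Understanding Volatile Data sections is small, but it is lost the moment the router is powered off, and a hand-copied version is easy to get wrong. The following Python script is an added example and is not part of the course material or any SEARCH tool. It assumes the router exposes its leases in the dnsmasq lease-file layout that OpenWrt and many consumer firmwares use (one lease per line: expiry as a Unix timestamp, MAC address, IP address, hostname or `*`, client identifier or `*`, with an expiry of 0 meaning the lease never expires); other firmwares format the table differently. The `SAMPLE_LEASES` text is constructed for illustration. The script hashes the raw capture before parsing it, so the value recorded in your notes is tied to the table exactly as it was taken, then reports which leases were still active at the time the scene was secured.

```python
"""Preserve and parse a router DHCP client (lease) table captured on scene.

Added example, not course material. Assumes the dnsmasq lease-file layout
used by OpenWrt and many consumer firmwares, one lease per line:
    <expiry-epoch> <mac> <ip> <hostname-or-*> <client-id-or-*>
An expiry of 0 marks a lease with no expiry. SAMPLE_LEASES is constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample of a lease table as it might be copied off a router.
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:dd:ee:01 192.168.1.101 laptop-01 01:aa:bb:cc:dd:ee:01
1700003600 AA:BB:CC:DD:EE:02 192.168.1.102 * 01:aa:bb:cc:dd:ee:02
1699990000 aa:bb:cc:dd:ee:03 192.168.1.103 phone-03 *
0 aa:bb:cc:dd:ee:04 192.168.1.10 nas-static *
"""


@dataclass(frozen=True)
class Lease:
    expires_epoch: int          # 0 means the lease never expires
    mac: str                    # normalised to lower case for matching
    ip: str
    hostname: Optional[str]     # None when the router recorded "*"
    client_id: Optional[str]    # None when the router recorded "*"

    @property
    def expires_utc(self) -> Optional[datetime]:
        """Expiry as a timezone-aware UTC datetime, or None for no expiry."""
        if self.expires_epoch == 0:
            return None
        return datetime.fromtimestamp(self.expires_epoch, tz=timezone.utc)


def evidence_hash(raw: str) -> str:
    """SHA-256 of the capture exactly as taken, recorded before any parsing."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def parse_leases(raw: str) -> List[Lease]:
    """Parse the table into Lease records, earliest expiry first.

    Malformed lines raise instead of being silently dropped, so a
    partially captured table is noticed while you are still on scene.
    """
    leases = []
    for lineno, line in enumerate(raw.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # blank line
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: short lease record {line!r}")
        hostname = None if fields[3] == "*" else fields[3]
        client_id = None if len(fields) < 5 or fields[4] == "*" else fields[4]
        leases.append(Lease(int(fields[0]), fields[1].lower(), fields[2],
                            hostname, client_id))
    # Leases with no expiry sort last.
    return sorted(leases, key=lambda l: l.expires_epoch or float("inf"))


def active_leases(leases: List[Lease], at_epoch: int) -> List[Lease]:
    """Leases still valid at a given time, e.g. when the scene was secured."""
    return [l for l in leases
            if l.expires_epoch == 0 or l.expires_epoch > at_epoch]


def lease_report(raw: str, at_epoch: int) -> List[str]:
    """Lines for the investigator's notes: capture hash, then one line per lease."""
    leases = parse_leases(raw)
    active = {l.mac for l in active_leases(leases, at_epoch)}
    lines = [f"capture sha256 {evidence_hash(raw)}"]
    for l in leases:
        state = "active" if l.mac in active else "expired"
        expiry = "never" if l.expires_utc is None else l.expires_utc.isoformat()
        name = l.hostname or "?"
        lines.append(f"{l.ip:<15} {l.mac} {name:<12} {state:<7} expires {expiry}")
    return lines


if __name__ == "__main__":
    # Constructed "scene secured" time: 1700000500 (2023-11-14 22:21:40 UTC).
    for line in lease_report(SAMPLE_LEASES, 1700000500):
        print(line)
```

The time passed to `lease_report` should be the router's own clock at capture, not the investigator's watch: consumer routers frequently have no battery-backed clock, so note both the router time and the real time in your log before relying on the expiry column.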

Previewing Tools – Live Previewing

Previewing tools can help investigators determine whether or not a suspect computer contains potential evidence. Most previewing tools can quickly find potential evidence in Internet histories, image and media files. More advanced tools can find passwords, network settings and registry information. We walk you through the precautions you need to take to obtain this information, and we introduce you to some free tools.

Previewing Tools – Bootable Previewing with WinFE Imaging

Windows Forensic Environment (WinFE) is a tool that gives investigators a forensically safe way to conduct previews within a Windows environment. We walk you through the steps necessary to build a Windows-based, forensically sound bootable operating system using WinFE. You’ll learn what you can expect to find and hear about the limitations and restrictions of the tool. Our WinFE exploration will then walk you through the steps necessary to control the boot sequence to prevent anything from being written to the hard drive. As an added bonus, we give you the software you need to create your own version of WinFE.

Final Exercise

To pull it all together and make sure that you have grasped what’s been covered in this course, we assign a final exercise. You will be asked to take down a simulated crime scene. You will be required to locate a suspect network, collect data from the suspect network, and seize suspect network hardware.