Router Marshal - Computer and Digital Forensics

Patrick Leahy Center for Digital Investigation (LCDI)

Router Marshal

Written & Researched by Maegan Katz

175 Lakeside Ave, Room 300A
Phone: 802/865-5744
Fax: 802/865-6446
http://www.lcdi.champlin.edu

July 2013


Disclaimer:

This document contains information based on research that has been gathered by employee(s) of The Senator Patrick Leahy Center for Digital Investigation (LCDI). The data contained in this project is submitted voluntarily and is unaudited. Every effort has been made by LCDI to assure the accuracy and reliability of the data contained in this report. However, neither LCDI nor any of our employees make any representation, warranty or guarantee in connection with this report, and LCDI hereby expressly disclaims any liability or responsibility for loss or damage resulting from use of this data. Information in this report can be downloaded and redistributed by any person or persons. Any redistribution must maintain the LCDI logo and any references from this report must be properly annotated.

Contents

1 Introduction
1.1 Background
1.2 Terminology
1.3 Research Questions
1.4 Prior Work
2 Methodology and Methods
2.1.1 Equipment Used
2.1.2 Device Selection
2.2 Router 1 - TP-Link
2.3 Router 2 - NETGEAR
2.3.1 Testing
2.4 Analysis
2.4.1 Attached Devices
2.4.2 Router Log
2.4.3 Basic Internet Settings
2.4.4 Acquired Information for Router 2
3 Results
4 Conclusion
5 Further Work
6 References


1 Introduction

Routers connect all of the local devices together in a local network, making them crucial to investigations. A growing number of homes and businesses have some type of router or wireless access point, and in 2012, twenty-five percent of households worldwide had Wi-Fi.[1] This research project will explore the forensic data that can be retrieved from home routers using Router Marshal, a program used to acquire data from routers and wireless access points. The software currently supports Linksys WRT54G/GC/GL/GS/G2, AG241, and WRT160N; NETGEAR RP114, WGR614, WNR1000, and WNR2000; D-Link TM-G5240 and WBR-2310; DD-WRT; Tomato firmware; and Cisco IOS routers.

1.1 Background

Router Marshal is a digital forensic tool developed by ATC-NY that is used to "automatically acquire digital forensic evidence from network devices such as routers and wireless access points. An investigator can use the Router Marshal software in the field to identify a network device, automatically acquire volatile forensic evidence from the device, and view and interpret this evidence."[2] The software also maintains detailed logs of all activities and communications it performs with a target device.

1.2 Terminology

Dynamic Domain Name System (DDNS): A protocol or method that updates a name server in the DNS.
Dynamic Host Configuration Protocol (DHCP): A protocol that assigns IP addresses to new users.
Internet Protocol (IP) Address: A unique string of numbers assigned to a device attached to a computer network and the Internet. It is an identifier of networked devices.
Local Area Network (LAN): The networking of computers in close proximity to each other. An example is a school or office building.
Nmap: A security scanning tool that is necessary for Router Marshal to run properly.
Power Over Ethernet (POE) Connection: The method of passing electrical power and data through Ethernet cabling.
Port Triggering: A way to automate port forwarding by allowing certain routers to automatically allow a host machine to forward a port back to itself.
Router: A small physical device that joins multiple networks together and forwards data from one network to another. It allows communication between a local network and the Internet.
Universal Plug and Play (UPnP): Internet protocols that allow for computers and handheld devices to communicate.

[1] Callaham, J. (2012, April 05). Study: 25 Percent of All Households Use WiFi. Neowin. Retrieved July 15, 2013, from http://www.neowin.net/news/study-25-percent-of-all-households-use-wifi
[2] Router Marshal Digital Forensic Software. (2010, December 22). Router Marshal Digital Forensic Software. Retrieved from http://routermarshal.com/


Wide Area Network (WAN): The networking of computers in a large geographical area. This could include a number of LANs connected together.
WinPcap: A packet capture and filtering engine application used in many networking tools. It is a necessary tool for Router Marshal to run properly.

1.3 Research Questions

1) What types of information are stored on a router?
2) What information can Router Marshal retrieve from a router?
3) Can network traffic data and connected device data be acquired from a router using Router Marshal?

1.4 Prior Work

To our knowledge, there has been no prior work done with Router Marshal. There has been research done with similar programs such as Wireshark and Cain and Abel, which are able to gather network traffic rather than acquiring the data from the router.

2 Methodology and Methods

2.1.1 Equipment Used

Item | Identifier | Size/Specifications
LCDI PC 1 | Research-5 | Running Router Marshal Version 1.0.1. Specs: Desktop, Intel Core i7-3770K CPU @ 3.50GHz, 16GB Memory, Windows 7 Enterprise SP1
LCDI Laptop 1 | HDLOADNER-04-2 | Running Router Marshal Version 1.0.1. Specs: Laptop, Genuine Intel CPU T2400 @ 1.83GHz, 1GB Memory, Windows 7 Enterprise SP1
Test Computer 1 | LCDI Testing Computer 3 | Specs: Desktop, Pentium Dual-Core CPU E6500 @ 2.93GHz, 4GB Memory, Windows 7 Enterprise SP1. IE, Firefox, and Chrome installed and used for generating data
Test Tablet 1 | Forensics 0028 | iPad, Version 6.1.2, Model # MC705LL/A. Default web browser used for generating data
Router 1 | LCDI-EA-001 | TP-Link 300Mbps Wireless N Router, Model # TL-WR841N
Router 2 | LCDI-EA-002 | NETGEAR G54 Wireless Router, Model # WGR614v10


Our first action was to download and install Router Marshal on Research-5, which is Host Computer 1 (2.1.1). In order for Router Marshal to function properly, according to the manual, we also had to download and install Nmap (http://nmap.org/) and WinPcap, which comes with the Nmap download. We connected LCDI PC 1, with Router Marshal installed, and Test Computer 1 to Router 1. Router 1 is connected to the Student network. Our first attempt at accessing Router 1 was also our first time running Router Marshal, so for the second attempt we made sure that all the programs, such as Nmap and WinPcap, were installed properly. After ensuring that all the programs were installed, we attempted to acquire data by selecting each of the supported devices in the device selection one at a time (Figure 2.1.2). After attempting to obtain data from Router 1 eighteen different times, we switched it out for Router 2. At this point we connected Test Tablet 1. After running a variety of tests (Table 2.3.1) with LCDI PC 1 hardwired into the router, we installed Router Marshal on LCDI Laptop 1 and attempted to obtain data wirelessly. We wanted to see if there were any differences when acquiring data wirelessly, but we found it is still necessary to go through all of the same steps as the hardwired acquisition.

The Router Marshal software guides the user step by step through starting an acquisition. In order for Router Marshal to acquire data, the host computer must be connected to the network, either hardwired in or via Wi-Fi. This means that if the Wi-Fi is password protected, the Router Marshal user will need to know the password in order to gain access. Router Marshal will then attempt to identify the IP address of the router, and once identified, it can be selected. The user must then choose what type of router is connected to the host computer. Router Marshal requires the username and password for the router in order to access the router settings. The default username and password may auto-fill, which was the case for Router 2; otherwise, the user must be able to supply the username and password for the router.

2.1.2 Device Selection

[Figure 2.1.2: Router Marshal device selection screen; image not reproduced in this copy.]


2.2 Router 1 - TP-Link

We originally picked this router because it is supplied by one of the local internet service providers. After Router Marshal was installed, we began running initial tests with Router 1 to see how the software worked. The router, LCDI-EA-001, was not compatible with the software, and we were unable to complete any of the tests or extract any data from it.

2.3 Router 2 - NETGEAR

We chose a NETGEAR G54 Wireless Router for our second router because it is supported by Router Marshal and is a fairly inexpensive router, making it common in small businesses and households. We ran a number of different tests (Table 2.3.1) with Router 2. We were aiming to acquire different information from the router by changing router settings. The changes made are represented in the table below (Table 2.3.1). Changes to the router were made through the NETGEAR genie, which is accessed by going to routerlogin.net on a device connected to the router and entering the default username and password.

2.3.1 Testing

Test ID | Comment
Test 001 | We confirmed that Router 2 is compatible with Router Marshal by running an analysis successfully.
Test 002 | We ran Router Marshal to find out what kind of data could be acquired before any changes were made to the router settings. Basically, we were aiming to get default data.
Test 003 | We ran Router Marshal to see if it could identify that we had Host Computer 1 and Test Computer 1 connected to it. In order to confirm that it was connected to both devices we had to look at the "Attached Devices" section in the analysis. No changes were made to the router settings for this.
Test 004 | We ran Router Marshal to see what data it can acquire from a wireless router (Table 2.3.4).
Test 005 | We ran Router Marshal to see if it could identify network traffic from Test Computer 1. In order to do this, we visited various websites using Chrome, Firefox, and Internet Explorer.
Test 006 | We ran Router Marshal to see how logging in to the router's settings would affect the router log.
Test 007 | We added the keyword "wikipedia" to the blocked list in the router's settings and then visited various sites including Wikipedia. We turned off the UPnP option, because it is not needed for the remainder of the tests. We then ran Router Marshal to see what changes were made to the results when a keyword is added.
Test 008 | We removed the keyword "wikipedia" from the blocked list, but left the keyword blocking option on. After visiting various websites, we ran Router Marshal to see what changes were made to the results when the keyword blocking option is on, but no keywords are being blocked.
Test 009 | We power reset the router and performed the same test as Test 008.
Test 010 | We visited various websites using the default browser on Test Tablet 1. We ran Router Marshal to see if there were any differences in the router's results when a tablet is being used with it.

2.4 Analysis

Router Marshal is able to acquire a variety of information from a router. Table 2.4.4 (Acquired Information) shows the types of data stored on a router that we were able to obtain from Router 2. The data acquired may be different depending on the individual router.

The data that we are mainly interested in for this project are the Attached Devices, Router Log, and Basic Internet Settings. Attached Devices (Figure 2.4.1) will show us the IP address, device name, and MAC address of all devices attached to the router at the time Router Marshal acquires the data. The Router Log (Figure 2.4.2) will show us what is happening with the router, such as admin logons or times when a device is connected. The Basic Internet Settings (Figure 2.4.3) will show us the WAN IP address or public IP address, the LAN IP address or private IP address, the gateway, the subnet mask, and the MAC address of the router.

2.4.1 Attached Devices

[Figure 2.4.1: Attached Devices view; image not reproduced in this copy.]

2.4.2 Router Log

[Figure 2.4.2: Router Log view; image not reproduced in this copy.]

2.4.3 Basic Internet Settings

[Figure 2.4.3: Basic Internet Settings view; image not reproduced in this copy.]
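The Router Log is the piece of acquired data an examiner spends the most time reading, and the Results section of this report records two caveats about it: the most recent admin login in the log is Router Marshal's own, and a "site allowed" entry only shows that a request passed the keyword filter, not that a person chose to visit the site. The script below is an added example, not part of the LCDI report and not Router Marshal's code or output format. It parses constructed log lines (modelled loosely on the bracketed one-event-per-line style of consumer router logs; the exact NETGEAR format is not reproduced here) into a timeline, pulls out the allowed-site list, and flags the acquisition host's own admin login so it is not attributed to a suspect. The acquisition host address 192.168.1.2 and every log line are assumed values constructed for the example.

```python
"""Timeline builder for a home-router activity log (added example; constructed data)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample log, loosely modelled on consumer-router "[event] detail, day, date time"
# lines. It is NOT real output from Router 2 or from Router Marshal.
SAMPLE_LOG = """\
[Time synchronized with NTP server] Monday, Jul 15,2013 09:58:01
[Internet connected] IP address: 203.0.113.25, Monday, Jul 15,2013 09:58:03
[DHCP IP: 192.168.1.3] to MAC address 00:11:22:33:44:55, Monday, Jul 15,2013 10:00:10
[Admin login] from source 192.168.1.2, Monday, Jul 15,2013 10:02:30
[Site allowed: www.wikipedia.org] from source 192.168.1.3, Monday, Jul 15,2013 10:05:11
[Site allowed: ads.example-analytics.net] from source 192.168.1.3, Monday, Jul 15,2013 10:05:12
[Admin login] from source 192.168.1.2, Monday, Jul 15,2013 10:30:00
"""

DAYS = "Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday"
LINE_RE = re.compile(
    r"^\[(?P<kind>[^\]:]+)(?::\s*(?P<target>[^\]]+))?\]"  # "[Event]" or "[Event: target]"
    r"(?P<detail>.*?),?\s*(?:" + DAYS + r"),\s*"          # free text, then the weekday
    r"(?P<stamp>[A-Z][a-z]{2} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)
SOURCE_RE = re.compile(r"from source (\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class LogEvent:
    timestamp: datetime
    kind: str                 # e.g. "Admin login", "Site allowed"
    target: Optional[str]     # hostname or IP named inside the brackets, if any
    source_ip: Optional[str]  # LAN address that triggered the event, if recorded
    raw: str
    acquisition_artifact: bool = False  # set when the event was caused by the acquisition itself


def parse_log(text: str) -> List[LogEvent]:
    """Parse log text into events sorted by time; raise on a line the pattern does not cover."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised log line: {line!r}")
        src = SOURCE_RE.search(m.group("detail"))
        events.append(LogEvent(
            timestamp=datetime.strptime(m.group("stamp"), "%b %d,%Y %H:%M:%S"),
            kind=m.group("kind").strip(),
            target=(m.group("target") or "").strip() or None,
            source_ip=src.group(1) if src else None,
            raw=line,
        ))
    events.sort(key=lambda e: e.timestamp)
    return events


def flag_acquisition_login(events: List[LogEvent], acquisition_host_ip: str) -> Optional[LogEvent]:
    """Mark the most recent admin login from the acquisition host as an artifact of the acquisition.

    The LCDI report observes that the last admin login in the router log is Router Marshal's
    own login; an examiner should not attribute that entry to a suspect.
    """
    for ev in reversed(events):
        if ev.kind == "Admin login" and ev.source_ip == acquisition_host_ip:
            ev.acquisition_artifact = True
            return ev
    return None


def genuine_admin_logins(events: List[LogEvent]) -> List[LogEvent]:
    """Admin logins that remain after the acquisition tool's own login has been flagged."""
    return [ev for ev in events if ev.kind == "Admin login" and not ev.acquisition_artifact]


def allowed_sites(events: List[LogEvent]) -> List[str]:
    """Hostnames the keyword filter let through, in log order.

    These show only that a request passed the filter, not that a person deliberately visited
    the site: ad and analytics hosts appear here alongside user-chosen pages.
    """
    return [ev.target for ev in events if ev.kind == "Site allowed" and ev.target]


def timeline(events: List[LogEvent]) -> List[str]:
    """One human-readable line per event, with the acquisition artifact labelled."""
    lines = []
    for ev in events:
        text = f"{ev.timestamp:%Y-%m-%d %H:%M:%S}  {ev.kind}"
        if ev.target:
            text += f": {ev.target}"
        if ev.source_ip:
            text += f"  src={ev.source_ip}"
        if ev.acquisition_artifact:
            text += "  [acquisition artifact]"
        lines.append(text)
    return lines


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flag_acquisition_login(evs, "192.168.1.2")  # assumed address of the host running the tool
    print("\n".join(timeline(evs)))
    print("allowed sites:", allowed_sites(evs))
```

The parser deliberately raises on any line it does not recognise rather than skipping it, so an examiner working from a real export notices immediately when the format differs from the assumed one instead of silently losing events. The flagged login is kept in the timeline with a label rather than deleted, because the acquisition itself is part of the record of what was done to the device.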


2.4.4 Acquired Information for Router 2

Command (automatically run by Router Marshal) | Action | Comments
/WLG_adv.htm | Advanced Wireless Variables | No Data for Router 2
/DEV_device.htm | Attached Devices | IP Address, Device Name, MAC Address
/BAS_ether.htm | Basic Internet Settings | Ethernet
/BAS_pppoe.htm | Basic Internet Settings | Point-to-Point Protocol Over Ethernet
/BAS_pptp.htm | Basic Internet Settings | Point-to-Point Tunneling Protocol
/BKS_keyword.htm | Blocked Keywords | List of Blocked Keywords
/BKS_service.htm | Blocked Services | No Data for Router 2
/UPG_upgrade.htm | Check for Firmware Updates on Startup | Checked/Unchecked
/DNS_ddns.htm | DDNS Settings | No Data for Router 2
/RST_st_dhcp.htm | DHCP Settings | No Data for Router 2
/FW_email.htm | Email Variables | No Data for Router 2
/LAN_lan.htm | LAN Variables | IP, Subnet Mask, DHCP Start/End, Etc.
/RST_st_poe.htm | POE Connection Status | Connected/Disconnected
/RST_status.htm | Port Information | No Data for Router 2
/FW_pt.htm | Port Triggering | No Data for Router 2
/FW_remote.htm | Remote Management Settings | Port, Start/End IP, Enabled/Disabled
/LAN_lan.htm | Reserved IP Addresses | No Data for Router 2
/FW_log.htm | Router Log | Activity log for the router
/STR_stattbl.htm | Router Status Statistics | Uptime, Packets, Etc.
/FW_schedule.htm | Schedule Variables | Time Data
/STR_routes.htm | Static Routes | No Data for Router 2
/BKS_keyword.htm | Trusted IP for Blocked Sites | No Data for Router 2
/UPNP_upnp.htm | UPnP Portmap Table | Active/Inactive, Protocol, IP Address, Etc.
/RST_status.htm | Version Information | No Data for Router 2
/WAN_wan.htm | WAN Variables | DMZ IP
/WLG_acl.htm | Wireless Card Access List | No Data for Router 2
/RST_status.htm | Wireless Port Information | No Data for Router 2
/WLG_wireless2.htm | Wireless2 Settings Variables | No Data for Router 2
/WLG_wireless3.htm | Wireless3 Settings Variables | No Data for Router 2

3 Results

Router Marshal is able to extract data that can be found when accessing the router settings via a web browser. This program is not a monitoring tool, so the user has to actively run Router Marshal to view changes in the router's data. We were able to successfully acquire what devices were connected to the NETGEAR G54 Wireless Router, including IP address, device name, and MAC address. Additionally, we were able to acquire all of the data listed in Table 2.4.4. Furthermore, we found that Router Marshal keeps a log of everything that it does on the router, such as logging in as an admin or any commands that it runs, so that the software can be used by investigators in a forensic case.

During our research, we were unable to acquire network data, such as usernames and passwords or visited websites, but the router log will record a list of allowed sites as long as the "Keyword Blocking" option on the router is switched to "always on." This means that the router is allowing or denying sites regardless of whether there are any blocked keywords or sites. This option will not capture any additional information, such as keywords searched, beyond the list of allowed sites. As this is just a list of sites that have been allowed by the router, it doesn't necessarily mean that the sites were visited by the user of the computer. These sites could be ads or some form of webpage analytics as well. If the setting is not turned on, visited sites will not show up in the log, but the log will show data such as: the time the internet is connected/disconnected to the router, the time when a device is connected, when the time is synchronized with the server, and the router's IP address and time when the router was accessed. It should be noted that the most recent admin login shown in the router log is from when Router Marshal logged in to obtain data.

4 Conclusion

Router Marshal is a valuable tool for viewing router settings and basic router data, as well as exporting this data into a report. It is a fairly easy to use tool for investigators when dealing with a supported device, and it even has an easy to understand manual included with the product download.
When dealing with an unsupported device, the user must create a script to work with Router Marshal, which may be above the skill set of an investigator.

Router Marshal does not intercept data, such as network traffic, between a computer and a router; rather it pulls information from the router. During our research, we found that the host computer running Router Marshal needed to be connected to the router being analyzed, either wirelessly or wired. This means that the user would need to know the wireless key in order to access a wireless network, which could pose an access problem. The software also requires the necessary username and password to access the router, so if the default settings have been changed, it may be difficult for the user to gain access.

5 Further Work

Further work can be done on this topic by using different routers and researching what Router Marshal can acquire from different devices. Another possibility would be to create a script for the TP-Link and attempt to acquire data from the router.

6 References

Callaham, J. (2012, April 05). Study: 25 Percent of All Households Use WiFi. Neowin. Retrieved July 15, 2013, from http://www.neowin.net/news/study-25-percent-of-all-households-use-wifi

Router Marshal Digital Forensic Software. (2010, December 22). Router Marshal Digital Forensic Software. Retrieved from http://routermarshal.com/
