Turning Wi-Fi Logs Into Law Enforcement Tool

In some of my recent posts regarding Wi-Fi actionable data, I focused on the importance of using logs to learn what traffic is on the network, discover traffic patterns, determine which devices are in use, and more. The amount of data can be overwhelming, but not to law enforcement.

A good WLAN will have historical, on-demand, and real-time reporting capabilities -- all important for providing insight into what's on your network and what data is being consumed. But there's a by-product of WLAN logs: rogue access points, from the wireless LANs of nearby residential or commercial users, can get caught in the logs. The same goes for wireless device hotspots, including those in vehicles. The logs will show broadcast SSIDs, and these entries include MAC addresses and other identifying information.

I pointed out this problem in my recent post, "Wi-Fi RFID Keeps Campus Traffic Flowing." In this example, logs reflected data picked up from vehicle traffic for a school drop-off and pick-up lane. This leads me to the realization that police investigating a person's whereabouts could easily use logs from Wi-Fi networks in a given area and at a given time.

In "Crime Scene Investigation: A Guide for Law Enforcement," the National Forensic Science Technology Center advises:

    "If no cables or USB modem are apparent and multiple devices are in the area, consider that a wireless network (Wi-Fi) may be present. Work closely with an electronic evidence collection expert in this situation."

Of course, this brings up privacy and legal issues regarding how the information is obtained and used, and leads to operational questions such as how long logs should be archived. In one sense these logs may be like security camera footage, which has a limited shelf life.

The U.S. Department of Justice report, "Investigative Uses of Technology: Devices, Tools, and Techniques," specified that investigators should look for information such as connection destination, connection time and date, disconnect time and date, method of connection to system (e.g., telnet, FTP, HTTP), and data transfer volume.

Along with the log data, network admins working in airports can capture movement of people with Wi-Fi-enabled devices, and this means airport security can track movement of people carrying the devices. This may creep some people out, but mobility use keeps growing.

The one concern I always have about logs is the timestamp, as timestamps can be unreliable for use as forensic evidence (technical or criminal). Log timestamps often reflect the location of the host or default settings rather than the physical premises. Hosted services end up with wrong timestamps, as does onsite gear, simply because admins haven't set Network Time Protocol to sync the gear with the local time settings.
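As an added example (not code from the original post), here is a small Python script that turns constructed WLAN controller log lines into the kind of connection records the DOJ report lists (connection time, disconnect time, method of connection, data transfer volume) while flagging the timestamp problems just described: entries logged without a UTC offset, a host clock that runs backwards, and associations that never closed. The log line format, host names, client MAC addresses and field names are all assumptions made for illustration and do not correspond to any particular vendor.

```python
"""Build connection records from WLAN controller log lines and flag
timestamps that cannot be trusted as forensic evidence."""
import re
from datetime import datetime, timezone

# Constructed sample log in a hypothetical controller format (assumption,
# not a real product's syntax). Line 3 carries no UTC offset and line 5
# is earlier than line 2 on the same host, so both get flagged below.
SAMPLE_LOG = """\
2024-03-01T08:02:11-05:00 wlc01 assoc client=aa:bb:cc:dd:ee:01 ssid=CampusGuest ap=AP-Lot3 method=802.1X
2024-03-01T08:09:45-05:00 wlc01 disassoc client=aa:bb:cc:dd:ee:01 ssid=CampusGuest ap=AP-Lot3 bytes=1843200
2024-03-01 08:12:03 wlc02 assoc client=aa:bb:cc:dd:ee:02 ssid=CampusGuest ap=AP-Lot4 method=PSK
2024-03-01T13:20:00+00:00 wlc02 disassoc client=aa:bb:cc:dd:ee:02 ssid=CampusGuest ap=AP-Lot4 bytes=512000
2024-03-01T07:55:00-05:00 wlc01 assoc client=aa:bb:cc:dd:ee:03 ssid=CampusGuest ap=AP-Lot3 method=PSK
"""

# ISO-8601 date/time with an optional +HH:MM / -HH:MM offset.
TS_RE = r"\d{4}-\d\d-\d\d[T ]\d\d:\d\d:\d\d(?:[+-]\d\d:\d\d)?"
LINE_RE = re.compile(
    rf"^(?P<ts>{TS_RE}) (?P<host>\S+) (?P<event>assoc|disassoc) (?P<kv>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict; 'ts' is timezone-aware only if
    the controller actually logged an offset."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return {"ts": ts, "tz_known": ts.tzinfo is not None,
            "host": m["host"], "event": m["event"], **fields}


def build_sessions(log_text):
    """Pair assoc/disassoc events per client into sessions and collect
    warnings about evidence quality: missing offsets, clock regressions,
    orphaned disassocs and sessions that never closed."""
    sessions, warnings, open_assoc, last_seen = [], [], {}, {}
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                warnings.append(f"line {n}: unparsed")
            continue
        if not rec["tz_known"]:
            warnings.append(f"line {n}: timestamp has no UTC offset; cannot "
                            f"place {rec['host']} event in absolute time")
        else:
            ts_utc = rec["ts"].astimezone(timezone.utc)
            prev = last_seen.get(rec["host"])
            if prev is not None and ts_utc < prev:
                warnings.append(f"line {n}: {rec['host']} clock went backwards "
                                f"({prev.isoformat()} -> {ts_utc.isoformat()})")
            last_seen[rec["host"]] = ts_utc
        client = rec["client"]
        if rec["event"] == "assoc":
            open_assoc[client] = rec
            continue
        start = open_assoc.pop(client, None)
        if start is None:
            warnings.append(f"line {n}: disassoc for {client} without assoc")
            continue
        # Duration is only meaningful when both ends are in absolute time.
        trusted = start["tz_known"] and rec["tz_known"]
        sessions.append({
            "client": client,
            "ssid": rec.get("ssid"),
            "ap": start.get("ap"),
            "method": start.get("method"),
            "start_utc": start["ts"].astimezone(timezone.utc) if trusted else None,
            "end_utc": rec["ts"].astimezone(timezone.utc) if trusted else None,
            "duration_s": int((rec["ts"] - start["ts"]).total_seconds()) if trusted else None,
            "bytes": int(rec.get("bytes", 0)),
            "tz_trusted": trusted,
        })
    for client, rec in open_assoc.items():
        warnings.append(f"client {client}: assoc at {rec['ts'].isoformat()} never closed")
    return sessions, warnings


if __name__ == "__main__":
    found, problems = build_sessions(SAMPLE_LOG)
    for s in found:
        print(s)
    for w in problems:
        print("WARNING:", w)
```

Every record that survives with `tz_trusted` set to `True` can be placed on an absolute timeline and compared with other sources; anything flagged should be treated as approximate until the controller's NTP configuration and configured time zone have been verified.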

Is this being too picky? Not for those who troubleshoot networks daily... or law enforcement personnel using WLAN logs to solve crimes.
