Chapter 10: Routers and modems
Crime scenes carry digital evidence from many locations. When an attack is external to the entity, the attack travels through the scene’s modem as well as the organization’s routers. In many instances, the two are combined into a modem/router and this is the case with most domestic scenes where digital evidence is sought.
A modem is used to connect a network, such as a home intranet, to the internet. It converts analogue signals to digital and vice versa. In a business network the modem connects to a separate router. In domestic residences you will find the modem and router combined into a single physical device called a modem/router for simplicity.
In a business, the router is the device which communicates over local networks such as an intranet within an organisation. Behind the router, within the organisation, devices such as workers’ desktops, laptops and mobile devices connect to the router, which carries their external-facing traffic to the internet.
A switch is used within larger organisations to assist in routing traffic within the organisation. A switch is a digital device that manages data flow from multiple devices within internal networks, before forwarding messages to the next path towards their destination.
For example, different sections within an organisation may operate within their own sub-network (subnet) which can only be reached and interacted with by specifically authorised individuals. Common examples of a subnet within a business are sections such as personnel, accounting, finance, and research. The individuals working in accounting have no requirement to access the network and resources of finance, so they are set up on different sub-networks separated by a switch.
The router receives data packets from internal and external networks and reads each packet’s header, which determines where the traffic should be delivered. It uses a routing table to locate destinations. The routing table gives the router a ready-made map of where it can send traffic, so it does not have to make an individual inquiry for each packet in each instance of communication.
A router is an often-overlooked location of activity in a domestic or commercial scene yet has the potential to tell the investigator a lot about who was present, even when the crime was not digital in nature. As with many of the forms of digital devices we discuss in this book, the router is constantly accumulating data that is available to the investigator who is aware of its existence.
The router in home and commercial environments
A router receives and directs communications throughout a network. The most common router an investigator will deal with in a home environment is the modem/router, which links the user with the internet as well as directing communications around the home network. Most Internet of Things (IoT) devices are connected to the router, and its internal logs record those connections. Even motor vehicles with a large component of connected technology can connect to a home network via the router to update their operating systems when parked in the garage.
A router examination may extend to capturing data as it flows over the network. This may be useful to understand the flow of data within the organisation, as well as identify the activity of an attacker. This is an area requiring expert skills by the digital forensic examiner, as well as a device connected to the target network.
Within a network, each device has a unique Internet Protocol (IP) address, assigned by the systems administrator individually or by an automated process called Dynamic Host Configuration Protocol (DHCP). This protocol assigns and records IP addresses dynamically and quickly across the network without the systems administrator having to assign each device an IP address by hand, a task that may be extensive in a large organisation. Home modems/routers usually assign internal IP addresses using DHCP.
A routing table is stored in the dynamic memory of the device. The router examines the destination IP address of a message received and decides on the best pathway to send the message to its destination. That address may be within or external to the local network. The routing table preserves a record of the internet addresses to which the router has sent data. This dynamic table loses its data when the device is turned off. To the investigator, it may be of interest to see which IP addresses users of the router have been visiting and whether they have any relationship to the matter under investigation. The information recorded depends on the brand and model of the device; cheaper technology may not record all the information detailed in this chapter, or the information may not be accessible.
The router holds the individual IP address assigned to each device on the network; these internal addresses cannot be seen outside the home or corporate network. The external IP address is called the gateway IP address, as this is the address that travels over the internet. Internal addresses are called subnetwork addresses.
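The lookup the text describes (match the destination address against the routing table and pick the most specific route) is shown here as an added example; it is not code from the chapter or from any router vendor. The table entries, next-hop addresses and interface names are constructed for illustration. For the examiner, the point is that the table records which internal subnets the router knows about and which interface each destination leaves by, which is why it sits near the top of the volatility list.

```python
import ipaddress

# Constructed routing table: (destination network, next hop, outgoing interface).
# A next hop of None means the network is directly connected to that interface.
ROUTING_TABLE = [
    ("0.0.0.0/0",         "203.0.113.1", "wan0"),  # default route to the ISP gateway
    ("192.168.1.0/24",    None,          "lan0"),  # directly connected home/office LAN
    ("192.168.10.0/24",   "192.168.1.2", "lan0"),  # a departmental subnet behind an internal switch
    ("192.168.10.128/25", "192.168.1.3", "lan0"),  # a more specific slice of that subnet
]


def build_table(entries):
    """Turn the textual table into ip_network objects once, as a router does at boot."""
    return [(ipaddress.ip_network(net), next_hop, iface) for net, next_hop, iface in entries]


def lookup(table, destination):
    """Longest-prefix match: of all routes containing the destination, return the most specific."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, next_hop, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def route(table, destination):
    """Return (matched network, next hop or 'direct', interface), or None if no route exists."""
    best = lookup(table, destination)
    if best is None:
        return None
    net, next_hop, iface = best
    return (str(net), next_hop if next_hop is not None else "direct", iface)


TABLE = build_table(ROUTING_TABLE)

if __name__ == "__main__":
    for dst in ("192.168.1.50", "192.168.10.5", "192.168.10.200", "198.51.100.7"):
        print(dst, "->", route(TABLE, dst))
```

The default route `0.0.0.0/0` matches every address, so it only wins when nothing more specific does; that is the mechanism by which internal traffic stays on the LAN while everything else goes out through the modem.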
In the corporate environment, many attacks are external to the network and conducted remotely by the attacker. The modem and routers are the pathways to the data they wish to take or resources they wish to damage. The router and modem become part of the crime scene.
Due to the wide geographical spread of a corporate network, locating the pathway the cybercriminal took into and through the network presents a challenge that needs the cooperation of the systems administrator and digital forensic officers. An examination of a router at a scene should be undertaken by a person experienced and qualified in digital forensics. If such a person is unavailable, record the examination using a camera dedicated to scene examinations, not your personal phone, which would itself become evidence available for examination by the defence lawyers.
Capturing this data may not be a fast process, and the time and care taken is an investment. Be aware, however, that the attacker may still be in the network, able to recognise that they have been discovered and potentially destroy evidence. Also, networks generate log data at a great rate, and the storage capacity of the devices holding the logs may be limited, meaning your evidence may be overwritten whilst you are still planning your evidence capture.
Alternatively, when the device is being viewed, the router data can be copied by using screen capture to a document such as a PDF, or a video recording.
Data located within a router is volatile and changes with each interaction by a user and/or device. The researchers Cusack and Lutui recommend the following order of evidence recovery from a router, based on the volatility of the data.[1]
- Registers and cache.
- Routing tables.
- Address Resolution Protocol cache.
- Process table.
- Kernel statistics and modules.
- Main memory.
- Temporary file systems.
- Secondary memory.
- Router configuration.
- Network topology.[2]
Volatile memory requires a continual supply of electricity; once power is removed, the data held in the router’s memory components is lost.[3]
What can a router examination tell you?
A router is a source of evidence often overlooked in scene examinations. Access will most likely be required using a unique password which needs to be obtained from the systems administrator in a commercial setting or homeowner in a dwelling. Access to the router may be by obtaining the password to join the network or using an ethernet cable to physically attach to the router and using the unique router password to gain access to the device.
In domestic locations, many passwords are not changed from the default settings which can be located on the back of the device. Alternatively, searching online for the make and model of the router will identify the default username and password. Should the device owner change the default password, you will need to obtain this information from them or attempt to locate a written record of the username and password.
Of note, when attending a scene, investigators’ personal mobile phones that have Wi-Fi turned on will attempt to pair to the modem and become part of the log file. This can lead to investigators attempting to locate the owners of phones connected to the modem and discovering it was their own or members of the investigation team.
This can be avoided by all investigators turning off the Wi-Fi on their mobile devices prior to arrival at the scene.
The router logs can show devices that it has successfully connected with.[4]
Examples include:
- Mobile phones.
- Voice over Internet Protocol (VoIP) phones.
- Televisions.
- Desktop and laptop computers.
- Mobile devices.
- Motor vehicles.
- Smart devices such as home assistants.
- Internet of Things (IoT) devices.
The above-listed devices may be found in log files stored within the router. Valuable data may include the connection time, indicating when a person carrying a device such as a mobile phone with its wireless turned on arrived at a location.
Devices that are successfully connected to a router show a relationship between the device owner and the location. Repeated connections identified from the router’s log files show a stronger relationship.
Devices that have attempted to pair with the router but were unsuccessful have their unique identifier, called a Media Access Control (MAC) address, recorded. A device may have a separate MAC address for its ethernet (blue cable) connection and for its wireless and Bluetooth connections.[5] A MAC address on a mobile phone is 12 hexadecimal characters; the first six identify the device manufacturer.
Wireless devices attempt to pair with routers when they detect them. Although the attempt may be unsuccessful, many routers record the MAC address of the unsuccessful device. This shows a lesser relationship between the device owner and the location, but the logs may still show repeated visits. For example, a person attending an address to buy drugs may visit for only two minutes before leaving, yet the router will collect the MAC address of the buyer.
What can the evidence tell you?
Like many devices, routers sit quietly and collect a multitude of data. A major benefit to the investigator is that most criminals are not aware of the technicalities of routers when placing them in a location and certainly not their capability to capture the unique identifier of the visitor’s mobile device (MAC address) and time of arrival at the location.
This evidence may be useful in identifying a mobile phone named, for example, “Jane’s iPhone” recorded in the router logs at the scene of a homicide. Immediately, investigators can start to look to see whether the deceased knew anyone by the name Jane or whether any person known to the deceased knew a person named Jane. Capturing the MAC address presents the potential suspect once Jane is identified. Investigators can then procure a search warrant, go to her address, seize the phone as evidence and open a line of investigation.
Not all modems or routers will capture details such as “Jane’s iPhone”, but most will at least capture the MAC address which may help the investigation once suspects are identified and deny being present at the time the victim was killed. This is not always a guaranteed line of inquiry; however, the experienced detective will know if you do not ask or look, you may miss this valuable evidence.
IP addresses can be useful in a router to see what websites have been recently visited. Whilst this information will usually be available in computer devices generating the inquiry, sometimes these devices cannot be accessed or have been removed by a suspect from the scene. Generally, log files are not large and will need to be captured early in the scene examination. Past cases have identified links to websites, such as a body disposal location, on suspects’ computers where the modem contains the IP addresses of the website.
Router evidence available:[6],[7],[8]
- Bytes of data sent and received.
- Configuration files such as Service Set Identifier, SIM-card information, and device MAC address.
- Destination IP address.
- Firmware type/version.
- Gateway IP address.
- Identification of devices connected to the router.
- Identification that a device has been within the wireless coverage range of the router.
- Internet Protocol addresses of authenticated users on the network.
- Logs identifying previously connected devices, which can lead to new avenues of inquiry.
- Make and model of devices connected to the modem/router, read from the MAC address.
- MAC addresses of devices that successfully connected or attempted to connect.
- MAC addresses showing devices currently connected, which may need to be located.
- Network Time Protocol settings.
- Routing configuration.
- Routing table.
- Web addresses individual users have attempted to reach through the modem.
- Source IP address.
- Time and date settings of the device.
- Times of device connection, whether completed or not.
- Usernames generated from connected devices.
It is worth repeating that not all modems/routers will provide this list of evidence, and some may produce only traces of the evidence you seek because of security features, or because the model is cheap or old. However, ask the question of the digital examiner and see where this question leads you.
Scenario
There are two routers in the original location which are of interest.
- Sledge has used Alex’s router previously and the Wi-Fi on his phone was successfully connected when he visited the address. His MAC address and the name of the phone “Sledge’s iPhone” appear on the router logs along with the timestamp of his successful connection.
- The router from the neighbouring property, in whose front yard Sledge hid, also captured the MAC address of Sledge, even though there was no connection. The details of this attempted connection reside in that router’s log.
The time and date settings of both modems/routers will be time synchronized over the internet and will match the times of phones, computers and smart devices located within the initial scene.
The captured data includes the device names, makes and models, including version numbers.
Details of internet searches on Alex’s device conducted post-death by Sledge may be recorded, depending upon the make and model of the router.
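The cross-router correlation the scenario describes, and the MAC-address points made earlier in the chapter (manufacturer prefix, failed attempts as evidence of presence, the investigation team’s own phones appearing in logs), are shown here as one added example. It is not code from the chapter. The log lines are constructed in a generic key=value form (real routers use vendor-specific formats, so the regexes would need adapting), the MAC addresses and router names are invented, and the OUI table holds a single real prefix (00:00:5E, assigned to IANA) in place of the full IEEE registry. It also flags locally administered (randomised) MAC addresses, which modern phones commonly use per network; for those, the manufacturer prefix carries no meaning and the link between MAC and owner is weaker.

```python
import re
from collections import defaultdict

# Constructed sample log lines from two routers, modelling the scenario:
# a successful connection at Alex's router, two failed attempts next door,
# and one of the attending team's own phones the next morning.
SAMPLE_LOGS = """\
2024-03-02T20:14:07 router=alex-home event=assoc status=ok mac=00:00:5e:11:22:33 host="Sledge's iPhone"
2024-03-02T20:14:09 router=alex-home event=dhcp status=ok mac=00:00:5e:11:22:33 ip=192.168.1.23
2024-03-02T20:41:52 router=neighbour event=assoc status=fail mac=00:00:5E:11:22:33
2024-03-02T20:41:58 router=neighbour event=assoc status=fail mac=00:00:5E:11:22:33
2024-03-03T09:05:12 router=alex-home event=assoc status=ok mac=7A:1B:2C:3D:4E:5F host="Detective-Phone"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Illustrative OUI table: 00:00:5E really is IANA's prefix; in practice resolve
# prefixes against the IEEE OUI registry.
OUI_TABLE = {"00:00:5E": "IANA"}

# Constructed: Wi-Fi MACs of the attending team, so their own phones are
# excluded instead of being chased as unknown visitors.
TEAM_MACS = {"7A:1B:2C:3D:4E:5F"}


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for key, val in KV_RE.findall(m.group("kv")):
        rec[key] = val.strip('"')
    if "mac" in rec:
        rec["mac"] = rec["mac"].upper()  # normalise case so both routers' entries match
    return rec


def vendor(mac):
    """Manufacturer guess from the first three octets (the OUI)."""
    return OUI_TABLE.get(mac[:8], "unknown")


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set: a locally assigned (e.g. randomised)
    address rather than a manufacturer-burned one, so the OUI is not meaningful."""
    return bool(int(mac[:2], 16) & 0x02)


def build_timeline(text, team_macs=TEAM_MACS):
    """Group every sighting by MAC across all routers; return (timeline, excluded team MACs)."""
    seen = defaultdict(lambda: {"vendor": None, "randomised": None,
                                "hostnames": set(), "sightings": []})
    excluded = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or "mac" not in rec:
            continue
        mac = rec["mac"]
        if mac in team_macs:
            excluded.add(mac)
            continue
        entry = seen[mac]
        entry["vendor"] = vendor(mac)
        entry["randomised"] = is_locally_administered(mac)
        if "host" in rec:
            entry["hostnames"].add(rec["host"])
        entry["sightings"].append((rec["ts"], rec.get("router", "?"),
                                   rec.get("event", "?"), rec.get("status", "?")))
    for entry in seen.values():
        entry["sightings"].sort()  # ISO-8601 timestamps sort chronologically as strings
    return dict(seen), excluded


def routers_seen(entry):
    """Every router at which this MAC was logged, connected or not."""
    return {router for _, router, _, _ in entry["sightings"]}


def failed_attempts(entry, router):
    """Unsuccessful association attempts at one router: presence without a connection."""
    return sum(1 for _, r, ev, st in entry["sightings"]
               if r == router and ev == "assoc" and st == "fail")


if __name__ == "__main__":
    timeline, excluded = build_timeline(SAMPLE_LOGS)
    print("excluded team devices:", sorted(excluded))
    for mac, entry in timeline.items():
        print(mac, entry["vendor"], "randomised" if entry["randomised"] else "burned-in",
              sorted(entry["hostnames"]), sorted(routers_seen(entry)))
        for sighting in entry["sightings"]:
            print("   ", *sighting)
```

Run against the constructed lines, the report ties one MAC to both properties with times, keeps the hostname from the successful connection, counts the two failed attempts next door, and sets aside the detective’s phone. Timestamps only line up across routers because, as the scenario notes, both devices are time-synchronised; record each router’s clock setting before relying on them.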
- Cusack, B. & Lutui, R. (2013). Including network routers in forensic investigations. Proceedings of the 11th Australian Digital Forensics Conference, 2-4 December 2013.
- Ibid.
- S. Z. U. H. et al. (2022). Wireless Router Forensics: Finding artifacts of suspect traces with a Raspberry Pi and Kali Linux. OSF. https://doi.org/10.17605/OSF.IO/RK4YF
- Horsman, G., Findlay, B. & Jones, T. (2019). Developing a router examination at the scene: Standard operating procedure for crime scene investigators in the United Kingdom. Digital Investigation, 28, 152-162.
- Ibid.
- S. Z. U. H. et al. (2022). Wireless Router Forensics: Finding artifacts of suspect traces with a Raspberry Pi and Kali Linux. OSF. https://doi.org/10.17605/OSF.IO/RK4YF
- Horsman, G., Findlay, B. & Jones, T. (2019). Developing a router examination at the scene: Standard operating procedure for crime scene investigators in the United Kingdom. Digital Investigation, 28, 152-162.
- Cusack, B. & Lutui, R. (2013). Including network routers in forensic investigations. Proceedings of the 11th Australian Digital Forensics Conference, 2-4 December 2013.