With more enterprises deploying wireless LANs and employee-owned WiFi devices flooding enterprises, wireless LAN forensics is becoming a key component of any network forensic audit -- whether to prove compliance with a regulation such as PCI DSS or in response to a security incident. But wireless presents unique challenges to forensic audits.
Last month, at the RSA 2010 conference in San Francisco, I had the opportunity to discuss this issue with experienced auditor and certified PCI QSA Jim Cowing. Here you can view the video recording of an abridged version of our RSA 2010 talk "Anatomy of a Forensic Audit: How Wireless Changes the Game."
Let me summarize the highlights from the talk:
- Because of the shared and unbounded nature of the wireless medium, you have to deal with and filter out a lot of irrelevant data from neighboring wireless devices.
- Unlike wired networks, wireless scanning tools cannot always sit inline with the data traffic. Further, wireless LANs operate on multiple channels within the 2.4 GHz and 5 GHz bands, and the inherently dynamic nature (mobility, signal loss) of the RF environment can cause significant loss in the data you are able to capture.
- A wireless intrusion prevention system (WIPS) lends itself well to wireless forensics, as multiple wireless sensors, deployed to cover the airspace in and around the enterprise, continuously scan across multiple channels and capture wireless data.
- But the conventional approach of "Rewind, Replay, Analyze" may not work well in wireless forensics. Due to gaps in the relevant data and a lot of noise in the form of irrelevant data, manual inspection and interpretation can be time-consuming, tedious, and error-prone, and require a high level of RF expertise. Statistics derived from the incomplete data can be misleading.
- A WIPS should offer what I call a more "qualitative" approach to make the process easier for the auditor. Instead of storing large amounts of raw captured data, a WIPS should analyze the data in real time and store the history of that analysis in a ready-to-use form (e.g., when was a Rogue AP first detected, how many times has the Rogue AP been active and for how long, what was the physical location of the Rogue AP, which wireless clients connected to the Rogue AP and for how long, etc.).
- A WIPS should also be able to counter common wireless anti-forensic techniques (most of which are available off the shelf!) such as the use of stealth-mode Rogue APs, MAC spoofing, illegal or "in-between" channels, and Soft APs (e.g., Windows 7 Virtual WiFi) that hackers can use to evade detection.
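To make the "qualitative" history concrete, here is an added example (not code from the talk, the post, or any WIPS product) that turns a stream of sensor events into exactly the ready-to-use record described above: first detection time, number and total duration of active periods, physical location, and which clients connected and for how long. It also flags an AP beaconing on a channel outside the configured regulatory channel plan, one of the anti-forensic tricks mentioned in the last point. The event format, the sample events, and the `ALLOWED_CHANNELS` set are all constructed assumptions for this illustration; a real sensor feed and regulatory domain will differ.

```python
"""Build a rogue-AP analysis history from WIPS-style sensor events.

Added illustration, not part of the original post. Event format and sample
data are constructed; ALLOWED_CHANNELS is an assumed US-style channel plan.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption: a US-style channel plan. Adjust to the regulatory domain in use.
ALLOWED_CHANNELS = set(range(1, 12)) | {
    36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128,
    132, 136, 140, 149, 153, 157, 161, 165,
}

# Constructed sample events (not from a real network). Columns:
# timestamp, event, BSSID, channel, client MAC ('-' if none), sensor location.
SAMPLE_EVENTS = """\
2010-03-01T09:00:00 ap_active      02:11:22:33:44:55 6  -                 floor2-east
2010-03-01T09:02:10 client_assoc   02:11:22:33:44:55 6  00:aa:bb:cc:dd:01 floor2-east
2010-03-01T09:15:30 client_deassoc 02:11:22:33:44:55 6  00:aa:bb:cc:dd:01 floor2-east
2010-03-01T09:20:00 ap_inactive    02:11:22:33:44:55 6  -                 floor2-east
2010-03-01T13:00:00 ap_active      02:11:22:33:44:55 6  -                 floor2-east
2010-03-01T13:05:00 client_assoc   02:11:22:33:44:55 6  00:aa:bb:cc:dd:02 floor2-east
2010-03-01T13:30:00 ap_inactive    02:11:22:33:44:55 6  -                 floor2-east
2010-03-01T10:00:00 ap_active      02:66:77:88:99:aa 14 -                 lobby
2010-03-01T10:45:00 ap_inactive    02:66:77:88:99:aa 14 -                 lobby
"""


@dataclass
class ApHistory:
    """The stored, ready-to-use record for one AP instead of raw frames."""
    bssid: str
    first_detected: datetime
    location: str
    channel: int
    sessions: List[Tuple[datetime, datetime]] = field(default_factory=list)
    clients: Dict[str, timedelta] = field(default_factory=dict)
    open_since: Optional[datetime] = None            # current active period
    open_clients: Dict[str, datetime] = field(default_factory=dict)

    @property
    def times_active(self) -> int:
        return len(self.sessions)

    @property
    def total_active(self) -> timedelta:
        return sum((end - start for start, end in self.sessions), timedelta())

    @property
    def off_channel(self) -> bool:
        # Beaconing outside the regulatory plan is a red flag worth recording.
        return self.channel not in ALLOWED_CHANNELS


def parse_events(text: str):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, bssid, chan, client, loc = line.split()
        events.append((datetime.fromisoformat(ts), kind, bssid, int(chan), client, loc))
    events.sort(key=lambda e: e[0])  # sensors on different channels report out of order
    return events


def _close_client(ap: ApHistory, mac: str, ts: datetime) -> None:
    start = ap.open_clients.pop(mac, None)
    if start is not None:
        ap.clients[mac] = ap.clients.get(mac, timedelta()) + (ts - start)


def build_history(text: str) -> Dict[str, ApHistory]:
    """Fold the event stream into per-AP summaries, in real time if streamed."""
    aps: Dict[str, ApHistory] = {}
    for ts, kind, bssid, chan, client, loc in parse_events(text):
        ap = aps.get(bssid)
        if ap is None:
            ap = aps[bssid] = ApHistory(bssid, ts, loc, chan)
        if kind == "ap_active":
            if ap.open_since is None:
                ap.open_since = ts
        elif kind == "ap_inactive":
            # An AP going quiet also ends every client still associated to it,
            # even if no deassociation frame was ever captured.
            for mac in list(ap.open_clients):
                _close_client(ap, mac, ts)
            if ap.open_since is not None:
                ap.sessions.append((ap.open_since, ts))
                ap.open_since = None
        elif kind == "client_assoc":
            ap.open_clients.setdefault(client, ts)
        elif kind == "client_deassoc":
            _close_client(ap, client, ts)
    return aps


def report(aps: Dict[str, ApHistory]) -> List[str]:
    lines = []
    for ap in aps.values():
        lines.append(f"{ap.bssid} first seen {ap.first_detected:%Y-%m-%d %H:%M} at {ap.location}, "
                     f"channel {ap.channel}{' (OFF-PLAN)' if ap.off_channel else ''}, "
                     f"active {ap.times_active}x for {ap.total_active}")
        for mac, dur in ap.clients.items():
            lines.append(f"    client {mac} connected for {dur}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_history(SAMPLE_EVENTS))))
```

Note how the second client's session is closed by the AP's own `ap_inactive` event: a deassociation frame is exactly the kind of data that goes missing in the air, so the summary has to be robust to that gap rather than leaving a client "connected forever".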