Thus, even if criminals don't try to hide their activities on their neighbors' networks, they can still take advantage of the technology to store evidence in places that unaware investigators may not think to look — including separate locations entirely. So, investigators need to know what to look for, how to look for it, and what to do with it once they've found it.
Why was it so easy for the juvenile identity thief to access his neighbor's wireless network? A variety of reasons, all having to do with the way 802.11 security works.
It starts with Wired Equivalent Privacy (WEP), a set of security features including authentication, encryption and data integrity. The first protocol used for 802.11 networks, WEP was never designed to provide strong security. The features themselves are weak, and there is no auditing or security key management.
In other words, it's up to users to configure their own username and password, referred to as a key. However, according to Chris Baker, technical consultant at Hopkinton, Mass.-based EMC2 Corp., most remain ignorant of the risks of an unsecured wireless network — and unwilling to take extra steps with their out-of-the-box setup. They use the router manufacturer's default key. Those who do take the time to configure security, meanwhile, "plug in a [security] key and forget about it, never revisit it."
In fact, even though security has improved (via Wi-Fi Protected Access, WPA, with an automatically rotating key — meaning users do not have to configure their own — and WPA2, which layers encryption on top of the automatically rotating key), Baker says most users don't to take advantage of it. "People don't understand the security aspect," he explains. "They think in terms of speed, not security."
It is possible to break encryption and figure out a WPA key, but this is a time-consuming process. Chris Armstrong, a high-tech crimes training specialist with the National Consortium for Justice Information and Statistics (SEARCH), explains that "war-drivers" can capture data packets — which contain information about the encryption key — until they get enough to break the encryption.
However, says Williams, "In my experience, it's much easier for [criminals] to use an open unsecured wireless. 'Why break a window when the next house down has an open door'-type thinking."
For law enforcement, this means those investigating, say, a sex offender's wireless network or unauthorized access (as in the above example) will have little trouble accessing data on devices — once the devices are found.
The wireless crime scene
"In years past, law enforcement first responders bagged and tagged evidence, then brought it to a computer forensic lab for examination," says Armstrong. "But examiners started to find that their forensic software was mapping evidence they hadn't received. In other words, the first responders were missing evidence, like wireless hard drives. In one case, detectives got a second warrant, but when they returned to the site, they found only the spot where the hard drive had been."
Armstrong explains that technology changes so rapidly, investigators must receive regular training on what to look for, what to take into evidence, and what not to take. These kinds of evidence, Williams says, include networked drives, removable hard drives and external drives.
Other examples include wireless-capable mobile phones, especially those with cameras, and gaming devices. "The Sony Playstation Portable has [the Memory Stick Duo], which can hold thousands of pictures," says Armstrong. Likewise, the XBox has a 10GB hard drive, enough to hold plenty of evidence. Although Williams' unit hasn't yet seen many cases of gaming devices used for storage, he says they do consider this during every search and have on occasion taken game systems.
That's why it's important to specify all equipment in a court order. "Spell out everything you suspect you might collect," says Armstrong. "You can do this in detail, or use more general language, such as 'any device that may contain digital data.' "
Williams adds that his task force will typically include information regarding wireless networks in their warrants. "Even if a suspect accessed someone's wireless, there would be evidence at that location, such as the router information and/or MAC address. So we'd still need to serve a warrant [at that second location]."