Interrogating the router
A key part of investigating the wireless crime scene is router interrogation. "This is how you find out how many IP addresses were leased," says Armstrong. Leases tell how many devices might be found on a network. No device can have two IP leases, so for example, if there are two devices but three or four IP leases in a router's routing table, investigators need to start looking for more devices — whether they belong to the suspect, or someone who may have accessed the network.
The router must be interrogated on scene because lease data, contained in random access memory (RAM), is volatile. In other words, says Armstrong, "if the router is unplugged, the data will be gone."
To interrogate a router, an investigator needs an investigative laptop which, when connected to the router, allows the investigator to view routing tables. Williams says this is simple if the user hasn't changed the default security key. "[But] if the suspect won't talk or reveal their locations, and no one else in the residence knows, we have to use old-fashioned investigative techniques."
This may include searching for evidence such as equipment receipts or printouts. If those are found, it's possible to preserve the device. If not, however, only a complete forensic exam — typically done several months later, Williams says — will show storage. "At that point, the suspect would have had ample time to connect to his off-site storage and destroy any evidence there," Williams adds.
In the case of a criminal using someone else's network, the router IP lease can remain for 24 hours or longer, depending on router settings. However, says Armstrong, because the lease expires once the specified time is up, warrant execution is time sensitive. Also, Williams says it's impossible to tell the difference between in-network devices and those connecting from a different location.
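The lease-versus-device comparison and the lease-expiry clock described above, as an added example that is not from the article or the investigators it quotes. It assumes the router's lease table has been exported in the dnsmasq lease-file layout (many routers present leases differently) and that the on-scene inventory records a MAC address for each device; all names and sample values are constructed.

```python
# Added example: compare a router's DHCP leases with the on-scene device inventory.
# Assumed input layout (dnsmasq lease file), one lease per line:
#   <expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>
# An expiry of 0 means the lease never expires.

# Constructed sample data, not taken from any real router.
SAMPLE_LEASES = """\
1700086400 AA:BB:CC:00:00:01 192.168.1.10 desktop 01:aa:bb:cc:00:00:01
1700050000 aa:bb:cc:00:00:02 192.168.1.11 laptop *
1700003600 aa:bb:cc:00:00:03 192.168.1.12 * *
0 aa:bb:cc:00:00:04 192.168.1.13 nas *
truncated line
"""
COLLECTED_AT = 1700000000  # epoch time the table was captured (constructed)
INVENTORIED_MACS = ["aa:bb:cc:00:00:01", "AA:BB:CC:00:00:02"]  # devices found on scene


def parse_leases(text):
    """Return one dict per well-formed lease line; skip anything malformed."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        expiry, mac, ip, host = parts[:4]
        leases.append({"expiry": int(expiry), "mac": mac.lower(), "ip": ip,
                       "hostname": None if host == "*" else host})
    return leases


def unaccounted_leases(leases, inventoried_macs, collected_at):
    """Leases whose MAC matches no inventoried device, soonest-expiring first."""
    known = {m.lower() for m in inventoried_macs}
    findings = []
    for lease in leases:
        if lease["mac"] in known:
            continue
        # seconds_left is None for a non-expiring lease, 0 if already lapsed
        left = None if lease["expiry"] == 0 else max(lease["expiry"] - collected_at, 0)
        findings.append({**lease, "seconds_left": left})
    return sorted(findings, key=lambda f: (f["seconds_left"] is None, f["seconds_left"] or 0))


if __name__ == "__main__":
    for f in unaccounted_leases(parse_leases(SAMPLE_LEASES), INVENTORIED_MACS, COLLECTED_AT):
        print(f["ip"], f["mac"], f["hostname"], f["seconds_left"])
```

Each row returned is a lease with no matching device in the inventory, ordered so the entry closest to expiring is documented first.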
Traditional investigation once again comes into play. "If a child exploitation suspect is hopping on and off a wireless network, and you need to identify the offender, use traditional investigative techniques." Armstrong suggests investigators check the sex offender registry to find out if a neighbor might be on it. "Talk to the neighbors and the local patrol officers to see if they've noticed anything suspicious," he says.
Other possible ways to identify a suspect: Police may use a victim's router, or take over a victim network's identity. Law enforcement might also try to set up its own wireless access point (WAP) in a mobile environment and hope the suspect jumps on board.
But Armstrong cautions that high-tech investigation is complex subject matter, requiring hands-on training, equipment and specific software knowledge.
Christa Miller is a writer based in Greenville, S.C.