Specification of E-Detective 802.11 a/b/g Wireless LAN Forensics Appliance

A. Introduction to E-Detective 802.11 a/b/g Wireless LAN Forensics Appliance

The E-Detective 802.11 a/b/g Wireless LAN Forensics Appliance consists of a front-end packet collection sub-module and a back-end protocol reconstruction sub-module. The first (front-end) sub-module detects and captures wireless LAN packets. It acts as both a wireless LAN detector and a sniffer: at layer 2 of the network communication it detects 802.11b/g Access Points (APs) and the stations (STAs) communicating with each AP, and it captures the wireless LAN packets exchanged between them. The second (back-end) module restores the captured data and performs forensics on it: it categorizes the captured packets by their electromagnetic (radio) characteristics, restores their arrangement by sequence number, and saves them. At the same time it decodes the categorized packets according to their known protocols into plain text and stores the results in a database for reference.
B. Description of these two modules:

I. 802.11 a/b/g Wireless LAN Detector & Sniffer Module

The primary feature of this module is to detect all 802.11 wireless LAN communications within the area the detector can cover, including every Access Point (AP) and station (STA) in that area. Furthermore, the detector can be combined with a Global Positioning System (GPS) receiver to plot the approximate geographic location of detected APs or STAs on an electronic map. For a more accurate position of a STA or AP, the user may connect three networked E-Detective wireless detectors, each with a high-sensitivity antenna and signal amplifier, and calculate the location of the sniffed object by triangulation; the accuracy can then be improved to less than 10 meters. The effective range of remote sniffing depends on the weather, terrain and interference. The farthest sniffing distance can reach 2 to 4 kilometers, even 5 kilometers, but the maximum distance cannot exceed 10 kilometers because of the curvature of the earth.

For the completion of sniffing, the sniffer can be configured with the following configurations and functions:
The information detectable for a Wireless LAN AP includes:
- BSSID of AP (MAC address)
- Channel
- The number of STAs
- The number of encrypted packets
- The number of data packets
- Additional information of the AP (the manufacturer of the AP; the manufacturer of the AP's IC component has to be authenticated through international registration)
- Noise level and signal level
- SSID or ESSID
- Type of Wireless LAN: Probe, Ad-hoc or Infra
- WEP (Wired Equivalent Privacy protocol) status
- The amount of wireless LAN packets transferred
- Other
The information detectable for a Station (STA) includes:
- The number of encrypted packets through this STA
- The number of packets through this STA
- IP address of STA
- MAC address of STA
- The manufacturer of STA (the one that has been authenticated)
- The highest transfer rate of STA
- Noise level and signal level of STA
- Type of STA (Established, To-DS or From-DS)
- Other
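Every attribute in the two lists above is derived from fields of the 802.11 frames a passive monitor receives. The following Python script is an added example written for this page, not E-Detective's own code: it decodes the frame-control flags (To-DS, From-DS, Protected), the three address fields, and for beacon frames the capability bits (Infra vs. Ad-hoc, the Privacy bit that indicates WEP status) plus the SSID and channel information elements, then aggregates a per-BSSID table of SSID, channel, STAs seen, data-packet count and encrypted-packet count. The frames, the MAC addresses and the SSID are constructed inline; a beacon whose last information element is cut short is handled by stopping at the truncated element instead of reading past the end of the frame.

```python
"""Decode 802.11 frames into the AP/STA attributes a wireless LAN detector reports.
Added example for this specification page, not E-Detective's own code; every frame is
constructed inline (hypothetical MAC addresses) so it runs offline. Offsets follow the
IEEE 802.11 MAC header, beacon body and information-element (IE) layouts."""
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

@dataclass
class FrameInfo:
    kind: str                            # "beacon", "data" or "other"
    to_ds: bool                          # STA -> AP direction
    from_ds: bool                        # AP -> STA direction
    protected: bool                      # Protected Frame bit: WEP/WPA-encrypted payload
    addr1: str
    addr2: str
    addr3: str
    ssid: Optional[str] = None           # beacons only: SSID IE
    channel: Optional[int] = None        # beacons only: DS Parameter Set IE
    network_type: Optional[str] = None   # beacons only: "Infra" (ESS) or "Ad-hoc" (IBSS)
    privacy: Optional[bool] = None       # beacons only: capability Privacy bit (WEP status)

def iter_ies(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk id/length/data information elements; stop at a truncated one."""
    off = 0
    while off + 2 <= len(buf):
        eid, length = buf[off], buf[off + 1]
        data = buf[off + 2: off + 2 + length]
        if len(data) < length:           # length field claims bytes the frame lacks
            break
        yield eid, data
        off += 2 + length

def parse_frame(raw: bytes) -> FrameInfo:
    if len(raw) < 24:
        raise ValueError("shorter than the 24-byte 802.11 MAC header")
    ftype, subtype = (raw[0] >> 2) & 0x3, (raw[0] >> 4) & 0xF   # type 0 = management, 2 = data
    kind = "beacon" if (ftype, subtype) == (0, 8) else "data" if ftype == 2 else "other"
    info = FrameInfo(kind, bool(raw[1] & 0x01), bool(raw[1] & 0x02), bool(raw[1] & 0x40),
                     mac_str(raw[4:10]), mac_str(raw[10:16]), mac_str(raw[16:22]))
    body = raw[24:]
    if kind == "beacon" and len(body) >= 12:
        cap = struct.unpack_from("<H", body, 10)[0]             # after timestamp(8) + interval(2)
        info.privacy = bool(cap & 0x0010)
        info.network_type = "Infra" if cap & 0x0001 else "Ad-hoc" if cap & 0x0002 else None
        for eid, data in iter_ies(body[12:]):
            if eid == 0:
                info.ssid = data.decode("utf-8", "replace")
            elif eid == 3 and len(data) == 1:
                info.channel = data[0]
    return info

def _new_ap() -> dict:
    return {"ssid": None, "channel": None, "type": None, "wep": None, "stas": set(), "data": 0, "encrypted": 0}

def ap_table(frames: List[bytes]) -> Dict[str, dict]:
    """Per-AP view: SSID, channel, type, WEP status, STAs seen and packet counters."""
    table: Dict[str, dict] = {}
    for raw in frames:
        f = parse_frame(raw)
        if f.kind == "beacon":
            ap = table.setdefault(f.addr3, _new_ap())           # addr3 = BSSID in a beacon
            ap.update(ssid=f.ssid, channel=f.channel, type=f.network_type, wep=f.privacy)
        elif f.kind == "data":
            if f.to_ds and not f.from_ds:
                bssid, sta = f.addr1, f.addr2       # To-DS: addr1 = BSSID, addr2 = source STA
            elif f.from_ds and not f.to_ds:
                bssid, sta = f.addr2, f.addr1       # From-DS: addr2 = BSSID, addr1 = destination STA
            else:
                continue                            # IBSS or WDS frames: no single AP to attribute
            ap = table.setdefault(bssid, _new_ap())
            ap["stas"].add(sta)
            ap["data"] += 1
            ap["encrypted"] += int(f.protected)
    return table

def frame(fc: bytes, a1: bytes, a2: bytes, a3: bytes, seq: int, body: bytes) -> bytes:
    return fc + b"\0\0" + a1 + a2 + a3 + struct.pack("<H", seq << 4) + body   # 24-byte header + body

def beacon_body(ssid: bytes, channel: int, privacy: bool) -> bytes:
    cap = 0x0001 | (0x0010 if privacy else 0)                   # ESS, optionally Privacy
    return b"\0" * 8 + struct.pack("<HH", 100, cap) + bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])

AP, STA1, STA2, WIRED = (bytes.fromhex(h) for h in ("001122334455", "aabbccddeeff", "a1b2c3d4e5f6", "0a0b0c0d0e0f"))
SAMPLE_FRAMES = [   # constructed capture: one beacon, then data frames in both directions
    frame(b"\x80\x00", b"\xff" * 6, AP, AP, 1, beacon_body(b"lab-ap", 6, privacy=True)),
    frame(b"\x08\x41", AP, STA1, WIRED, 2, b"\0" * 16),   # data, To-DS + Protected (STA1 -> AP)
    frame(b"\x08\x42", STA1, AP, WIRED, 3, b"\0" * 16),   # data, From-DS + Protected (AP -> STA1)
    frame(b"\x08\x01", AP, STA2, WIRED, 4, b"\0" * 16),   # data, To-DS, cleartext (STA2 -> AP)
]

if __name__ == "__main__":
    print(ap_table(SAMPLE_FRAMES))
```

Running the script prints one entry for BSSID 00:11:22:33:44:55 with SSID lab-ap, channel 6, type Infra, WEP status on, two STAs, three data packets and two encrypted packets. Signal and noise level, the manufacturer (OUI) lookup and STA IP addresses are not in the MAC header; in a real detector they come from the capture driver's radio metadata, an OUI registration database and the decoded payload respectively.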
The sniffing functions of the Sniffer are as follows:
- Set up multiple sniffers to sniff distributively, and process the sniffed data centrally over network connections.
- Each sniffer can be fitted with at least two wireless LAN cards, and each LAN card can lock onto two channels to perform sniffing.
- Each wireless LAN card can sniff either by hopping among different channels or by locking onto a specific channel.
- When the WEP key is known, it can sniff and decrypt encrypted packets in real time.
- After sniffing a sufficient number of WEP-encrypted packets, it will try to recover the WEP key and decrypt the sniffed data.
- The sniffed 802.11 data packets can be processed up to the Application Layer by E-Detective and stored as information for later use.
- Other
II. Forensics of restored data parsing & Data Server Module

The back-end restoring and parsing module interprets the captured packets into plain text according to their known protocols and stores them in the database on the data server for the user's reference. Its functions are as follows:
1. Email log:
   1.1 POP3: the POP3 list records each received mail's detailed information, which includes receiving date and time, sender, receiver, carbon copy, subject, size and attachment. It can also delete data, set the number of records shown on each page, search by preset criteria, preview the mail content and open attachments, and set up exception criteria. The exception criteria suppress the display of records whose sender, receiver, carbon copy or subject matches a preset value, or whose file size is smaller than a preset value.
   1.2 SMTP: records the basic information of sent email, which includes sender, receiver, carbon copy, blind carbon copy, subject, date, time, size and attachment. Its functions also include deleting data, setting the number of records shown on each page, advanced search, searching by preset criteria and keyword, previewing the mail content and opening attachments.
   1.3 Mail forwarding: provides email filtering. The system records email that matches the preset criteria and keyword and forwards one copy to designated personnel.
   1.4 Email statistics, including the following information:
       1.4.1 The total number of emails every day
       1.4.2 The total amount of email every day
       1.4.3 The number of email attachments every day
       1.4.4 The total number of emails to a specific user
       1.4.5 The total amount of email to a specific user
       1.4.6 The number of email attachments to a specific user
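The POP3 records in 1.1 and the daily statistics in 1.4 are reconstructed from the server's RETR responses in the captured TCP stream. The Python script below is an added example for this page, not E-Detective's own code: it walks a constructed client/server transcript, collects each delivered message up to the terminating "." line, removes POP3 byte-stuffing (a body line that arrives as ".." really begins with a single "."), parses the MIME structure with the standard email package to obtain date, sender, receiver, carbon copy, subject, size and attachment file names, and then totals messages, bytes and attachments per day. The transcript, addresses, subjects and file names are all constructed.

```python
"""Reconstruct received-mail records from a captured POP3 session.
Added example for this specification page, not E-Detective's own code. The transcript is
constructed: 'C: ' / 'S: ' prefixes mark the client and server directions of the reassembled
TCP stream and lines are CRLF-separated, as on the wire."""
import email
from collections import defaultdict
from dataclasses import dataclass
from email import policy
from email.utils import parsedate_to_datetime
from typing import Dict, List

SESSION = "\r\n".join([
    "C: RETR 1",
    "S: +OK message follows",
    "S: Date: Mon, 03 Jun 2024 09:15:00 +0000",
    "S: From: bob@example.test",
    "S: To: alice@example.test",
    "S: Cc: carol@example.test",
    "S: Subject: Q2 report",
    'S: Content-Type: multipart/mixed; boundary="b1"',
    "S: ",
    "S: --b1",
    "S: Content-Type: text/plain",
    "S: ",
    "S: Report attached.",
    "S: ..stuffed line",            # byte-stuffed: the message line really starts with one '.'
    "S: --b1",
    'S: Content-Disposition: attachment; filename="q2.csv"',
    "S: ",
    "S: region,total",
    "S: --b1--",
    "S: .",                         # termination line
    "C: RETR 2",
    "S: +OK message follows",
    "S: Date: Tue, 04 Jun 2024 18:00:00 +0000",
    "S: From: dave@example.test",
    "S: To: alice@example.test",
    "S: Subject: lunch",
    "S: ",
    "S: noon?",
    "S: .",
])

@dataclass
class MailRecord:
    received: str        # Date header in ISO 8601 form
    sender: str
    receiver: str
    cc: str
    subject: str
    size: int            # bytes of the delivered message
    preview: str         # first text/plain part, byte-stuffing removed
    attachments: List[str]

def _to_record(raw: str) -> MailRecord:
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    dt = parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None
    return MailRecord(
        received=dt.isoformat() if dt else "",
        sender=str(msg.get("From", "")), receiver=str(msg.get("To", "")),
        cc=str(msg.get("Cc", "")), subject=str(msg.get("Subject", "")),
        size=len(raw.encode("utf-8")), preview=body.get_content() if body else "",
        attachments=[p.get_filename() for p in msg.walk() if p.get_filename()],
    )

def parse_pop3_session(transcript: str) -> List[MailRecord]:
    """Return one record per message the server delivered in response to RETR."""
    lines, records, i = transcript.split("\r\n"), [], 0
    while i < len(lines):
        side, text = lines[i][:1], lines[i][3:]
        i += 1
        if side != "C" or not text.upper().startswith("RETR"):
            continue
        if i >= len(lines) or not lines[i].startswith("S: +OK"):
            continue                                  # -ERR or cut capture: nothing delivered
        i += 1
        body: List[str] = []
        while i < len(lines) and lines[i].startswith("S: "):
            text = lines[i][3:]
            i += 1
            if text == ".":                           # CRLF.CRLF ends the multi-line response
                break
            body.append(text[1:] if text.startswith(".") else text)   # undo byte-stuffing
        records.append(_to_record("\r\n".join(body) + "\r\n"))
    return records

def daily_statistics(records: List[MailRecord]) -> Dict[str, Dict[str, int]]:
    """Per-day message count, total bytes and attachment count (the 1.4 statistics)."""
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"count": 0, "bytes": 0, "attachments": 0})
    for r in records:
        day = r.received[:10] or "unknown"
        stats[day]["count"] += 1
        stats[day]["bytes"] += r.size
        stats[day]["attachments"] += len(r.attachments)
    return dict(stats)

if __name__ == "__main__":
    print(daily_statistics(parse_pop3_session(SESSION)))
```

The script keys the statistics on the message's Date header, which is set by the sender; a forensic appliance would instead take the receiving date and time from the capture timestamp of the RETR response, since the header can be absent or wrong.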
2. FTP log: records the date, time, user's IP address, username, password and the uploaded or downloaded file. It also includes the following functions: FTP log, deleting data, and setting the number of records shown on each page.

3. TELNET log: records the login and logout behaviour over different Telnet connections and displays these records in text format.

4. Instant Message log:
   4.1 Records date, time, nickname, IP, the other party of the dialogue, dialogue contents and attachment.
   4.2 Displays the statistics diagram of usage by [Date] or [IP].
   4.3 Records the instant messages of MSN, ICQ, AOL, Yahoo Messenger and QQ (except attachments; the client must have the same setup).

5. Website log: records the website addresses and the contents of web mail that the user has browsed.
   5.1 Records of website addresses: including date, time, user's IP address (or username) and website address.
   5.2 Records of web mail: the records of web mail sent include date, time, sender, receiver, carbon copy, blind carbon copy, subject, attachment and the web mail server that sent the mail.
   5.3 Records the web pages that support web mail.
   5.4 Recordable web mail servers include Hinet, Hotmail, PCHome, Yahoo, URL, Giga, Yam, Sina, Seednet, mail.tom.com, mail.163.com, Sohu.com and Maildozy (Thailand).

6. System control:
   6.1 Browser-based modification of the networking setup, DNS setup, correspondent IP, communication port and shutdown control.
   6.2 Displays hard disk drive usage information, which includes HDD size, used space, available space and percentage of usage, with a warning when the used space reaches 80%.

7. User list: edit users' IP and domain name; display the status of current users.

8. User account management: set up username, password, group and authorization.

9. Web-based interface: supports HTTPS and SSH, providing data confidentiality and best security.

10. Security management: built-in firewall and group limitations, providing system data confidentiality and best security.

11. Data backup and exporting: provides importing and exporting to CD-ROM and data backup for evidential data storage and processing.

12. Statistics diagram: generates different and flexible statistics diagrams on demand.

13. Flexible customizing ability: customizes flexible functions to meet customers' needs through our capable R&D team.

14. Mass data storage: supports a networking file server, so it can store mass data in real time.