Patrick Leahy Center for Digital Investigation (LCDI)
Router Marshal
Written & Research by Maegan Katz
175 Lakeside Ave, Room 300A Phone: 802/865-5744 Fax: 802/865-6446 http://www.lcdi.champlin.edu
July 2013
Page 1 of 10
Patrick Leahy Center for Digital Investigation (LCDI)
Disclaimer:
This document contains information based on research that has been gathered by employee(s) of The Senator Patrick Leahy Center for Digital Investigation (LCDI). The data contained in this project is submitted voluntarily and is unaudited. Every effort has been made by LCDI to assure the accuracy and reliability of the data contained in this report. However, LCDI nor any of our employees make no representation, warranty or guarantee in connection with this report and hereby expressly disclaims any liability or responsibility for loss or damage resulting from use of this data. Information in this report can be downloaded and redistributed by any person or persons. Any redistribution must maintain the LCDI logo and any references from this report must be properly annotated. Contents
1 Introduction ...... 3 1.1 Background ...... 3 1.2 Terminology ...... 3 1.3 Research Questions ...... 4 1.4 Prior Work ...... 4 2 Methodology and Methods ...... 4 2.1.1 Equipment Used ...... 4 2.1.2 Device Selection ...... 5 2.2 Router 1 - TP-Link ...... 6 2.3 Router 2 - NETGEAR ...... 6 2.3.1 Testing ...... 6 2.4 Analysis ...... 6 2.4.1 Attached Devices ...... 7 2.4.2 Router Log ...... 7 2.4.3 Basic Internet Settings ...... 7 2.4.4 Acquired Information for Router 2 ...... 8 3 Results ...... 8 4 Conclusion ...... 9 5 Further Work ...... 9 6 References ...... 9
Page 2 of 10
Patrick Leahy Center for Digital Investigation (LCDI)
1 Introduction Routers connect all of the local devices together in a local network, making them crucial to investigations. A growing number of homes and business have some type of router or wireless access point, and in 2012, twenty- five percent of households worldwide had Wi-Fi.1 This research project will explore the forensic data that can be retrieved from home routers using Router Marshal, a program used to acquire data from routers and wireless access points. The software currently supports Linksys WRT54G/GC/GL/GS/G2, AG241, and WRT160N; NETGEAR RP114, WGR614, WNR1000, and WNR2000; D-Link TM-G5240 and WBR-2310; DD-WRT; Tomato firmware; and Cisco IOS routers.
1.1 Background Router Marshal is a digital forensic tool developed by ATC-NY that is used to “automatically acquire digital forensic evidence from network devices such as routers and wireless access points. An investigator can use the Router Marshal software in the field to identify a network device, automatically acquire volatile forensic evidence from the device, and view and interpret this evidence.”2 The software also maintains detailed logs of all activities and communications it performs with a target device.
1.2 Terminology Dynamic Domain Name System (DDNS): A protocol or method that updates a name server in the DNS.
Dynamic Host Configuration Protocol (DHCP): A protocol that assigns IP addresses to new users.
Internet Protocol (IP) Address: A unique string of numbers assigned to a device attached to a computer network and the Internet. It is an identifier of networked devices.
Local Area Network (LAN): The networking of computers in close proximity to each other. An example is a school or office building.
Nmap: A security scanning tool that is necessary for Router Marshal to run properly.
Power Over Ethernet (POE) Connection: The method of passing electrical power and data through Ethernet cabling.
Port Triggering: A way to automate port forwarding by allowing certain routers to automatically allow a host machine to forward a port back to itself.
Router: A small physical device that joins multiple networks together; forwards data from one network to another. It allows communication between a local network and the Internet.
Universal Plug and Play (UPnP): Internet protocols that allow for computers and handheld devices to communicate.
1 Callaham, J. (2012, April 05). Study: 25 Percent of All Households Use WiFi. Neowin. Retrieved July 15, 2013, from http://www.neowin.net/news/study-25-percent- of-all-households-use-wifi 2 Router Marshal™ Digital Forensic Software. (2010, December 22). Router Marshal™ Digital Forensic Software. Retrieved from http://routermarshal.com/ Page 3 of 10
Patrick Leahy Center for Digital Investigation (LCDI)
Wide Area Network (WAN): The networking of computers in a large geographical area. This could include a number of LANs connected together.
WinPcap: A packet capture and filtering engine application used in many networking tools. It is a necessary tool for Router Marshal to run properly. 1.3 Research Questions 1) What types of information are stored on a router? 2) What information can Router Marshal retrieve from a router? 3) Can network traffic data and connected device data be acquired from a router using Router Marshal?
1.4 Prior Work To our knowledge, there has been no prior work done with Router Marshal. There has been research done with similar programs such as Wireshark and Cain and Able, which are able to gather network traffic rather than acquiring the data from the router.
2 Methodology and Methods
2.1.1 Equipment Used Item Identifier Size/Specifications LCDI PC 1 Research-5 Running Router Marshal Version 1.0.1 Specs – Desktop, Intel Core i7-3770K CPU @ 3.50GHz, 16GB Memory, Windows 7 Enterprise SP1 MAC Address: BC:5F:F4:A3:4F:23 LCDI Laptop 1 HDLOADNER-04-2 Running Router Marshal Version 1.0.1
Specs – Laptop, Genuine Intel CPU T2400 @ 1.83GHz, 1GB Memory, Windows 7 Enterprise SP1 Test Computer 1 LCDI Testing Computer 3 Specs – Desktop, Pentium Dual-Core CPU E6500 @ 2.93GHz, 4GB Memory, Windows 7 Enterprise SP1 MAC Address: 6C:62:6D:B1:5D:1A
IE, Firefox, and Chrome installed and used for generating data Test Tablet 1 Forensics 0028 iPad Version 6.1.2 Model # MC705LL/A MAC Address: 64:20:0C:6F:00:A4
Default web browser used for generating data Router 1 LCDI-EA-001 TP-Link 300Mbps Wireless N Router Model # TL-WR841N Router 2 LCDI-EA-002 NETGEAR G54 Wireless Router Model # WGR614v10
Page 4 of 10
Patrick Leahy Center for Digital Investigation (LCDI)
Our first action was to download and install Router Marshal on Research-5, which is Host Computer 1 (2.1.1). In order for Router Marshal to function properly, according to the manual, we also had to download and install Nmap (http://nmap.org/) and WinPcap, which comes with the Nmap download. We connected LCDI PC 1, with Router Marshal installed, and Test Computer 1 to Router 1. Router 1 is connected to the Student network. Our first attempt at accessing Router 1 was also our first time running Router Marshal, so for the second attempt we made sure that all the programs, such as Nmap and WinPcap, were installed properly. After ensuring that all the programs were installed, we attempted to acquire data by selecting each of the supported devices in the device selection one at a time (Figure 2.1.2). After attempting to obtain data from Router 1 eighteen different times, we switched it out for Router 2. At this point we connected Test Tablet 1. After running a variety of tests (Table 2.3.1) with LCDI PC 1 hardwired into the router, we installed Router Marshal on LCDI Laptop 1 and attempted to obtain data wirelessly. We wanted to see if there were any differences when acquiring data wirelessly, but we found it is still necessary to go through all of the same steps as the hardwire acquisition.
The Router Marshal software helps guide the user step-by-step on how to start an acquisition. In order for Router Marshal to acquire data, the host computer must be connected to the network, either hardwired in or via Wi-Fi. Additionally, this means that if the Wi-Fi is password protected, the Router Marshal user will need to know the password in order to gain access. Router Marshal will then attempt to identify the IP Address of the router, and once identified, it can be selected. The user must then choose what type of router is connected to the host computer. Router Marshal requires the username and password for the router in order to access the router settings. The default username and password may auto fill in, which was the case for Router 2; otherwise, the user must be able to supply the username and password for the router.
2.1.2 Device Selection
Page 5 of 10
Patrick Leahy Center for Digital Investigation (LCDI)
2.2 Router 1 - TP-Link We originally picked this router because it is supplied by one of the local internet service providers. After Router Marshal was installed, we began running initial tests with Router 1 to see how the software worked. The router, LCDI-EA-001, was not compatible with the software, and we were unable to complete any of the tests or extract any data from it.
2.3 Router 2 - NETGEAR We chose a NETGEAR G54 Wireless Router for our second router because it is supported by Router Marshal and is a fairly inexpensive router, making it common in small businesses and households. We ran a number of different tests (Table 2.3.1) with Router 2. We were aiming to acquire different information from the router by changing router settings. The changes made are represented in the table below (Table 2.3.1). Changes to the router were made by going to the NETGEAR genie, which is accessed by going to routerlogin.net on a device connected to the router and entering the default username and password.
2.3.1 Testing Test ID Comment Test 001 We confirmed that Router 2 is compatible with Router Marshal by running an analysis successfully. Test 002 We ran Router Marshal to find out what kind of data could be acquired before any changes were made to the router settings. Basically, we were aiming to get default data. Test 003 We ran Router Marshal to see if it could identify that we had Host Computer 1 and Test Computer 1 connected to it. In order to confirm that it was connected to both devices we had to look at the “Attached Devices” section in the analysis. No changes were made to the router settings for this. Test 004 We ran Router Marshal to see what data it can acquire from a wireless router (Table 2.3.4). Test 005 We ran Router Marshal to see if it could identify network traffic from Test Computer 1. In order to do this, we visited various websites using Chrome, Firefox, and Internet Explorer. Test 006 We ran Router Marshal to see how logging in to the router’s settings would affect the router log. Test 007 We added the keyword “wikipedia” to the blocked list in the router’s settings and then visit various sites including Wikipedia. We turned off the UPnP option, because it is not needed for the remainder of the tests. We then ran Router Marshal to see what changes were made to the results when a keyword is added. Test 008 We removed the keyword “wikipedia” from the blocked list, but left the keyword blocking option on. After visiting various websites, we ran Router Marshal to see what changes were made to the results when the keyword blocking option is on, but no keywords were being blocked. Test 009 We power reset the router and performed the same test as Test 008. Test 010 We visited various websites using the default browser on Test Tablet 1. We ran Router Marshal to see if there were any differences in the router’s results when a tablet is being used with it.
2.4 Analysis Router Marshal is able to acquire a variety of information from a router. Table Acquired Information shows the types of data stored on a router that we were able to obtain from Router 2. The data acquired may be different depending on the individual router.
The data that we are mainly interested in for this project are the Attached Devices, Router Log, and Basic Internet Settings. Attached Devices (Figure 2.4.1) will show us the IP address, device name, and MAC address of all devices attached to the router at the time Router Marshal acquires the data. The Router Log (Figure 2.4.2) will show us what is happening with the router, such as admin logons or times when a device is connected. The
Page 6 of 10
Patrick Leahy Center for Digital Investigation (LCDI)
Basic Internet Settings (Figure 2.4.3) will show us the WAN IP address or public IP address, the LAN IP address or private IP address, the gateway, the subnet mask, and the MAC address of the router.
2.4.1 Attached Devices
2.4.2 Router Log
2.4.3 Basic Internet Settings
Page 7 of 10
Patrick Leahy Center for Digital Investigation (LCDI)
2.4.4 Acquired Information for Router 2 Command Action Comments (Automatically run by Router Marshal) /WLG_adv.htm Advanced Wireless Variables No Data for Router 2 /DEV_device.htm Attached Devices IP Address, Device Name, MAC Address /BAS_ether.htm Basic Internet Settings Ethernet /BAS_pppoe.htm Basic Internet Settings Point-to-Point Protocol Over Ethernet /BAS_pptp.htm Basic Internet Settings Point-to-Point Tunneling Protocol /BKS_keyword.htm Blocked Keywords List of Blocked Keywords /BKS_service.htm Blocked Services No Data for Router 2 /UPG_upgrade.htm Check for Firmware Updates on Startup Checked/ Unchecked /DNS_ddns.htm DDNS Settings No Data for Router 2 /RST_st_dhcp.htm DHCP Settings No Data for Router 2 /FW_email.htm Email Variables No Data for Router 2 /LAN_lan.htm LAN Variables IP, Subnet Mask, DHCP Start/End, Etc. /RST_st_poe.htm POE Connection Status Connected/Disconnected /RST_status.htm Port Information No Data for Router 2 /FW_pt.htm Port Triggering No Data for Router 2 /FW_remote.htm Remote Management Settings Port, Start/End IP, Enables/Disabled /LAN_lan.htm Reserved IP Addresses No Data for Router 2 /FW_log.htm Router Log Activity log for the router /STR_stattbl.htm Router Status Statistics Uptime, Packets, Etc. /FW_schedule.htm Schedule Variables Time Data /STR_routes.htm Static Routes No Data for Router 2 /BKS_keyword.htm Trusted IP for Blocked Sites No Data for Router 2 /UPNP_upnp.htm UPnP Portmap Table Active/Unactive, Protocol, IP Address, Etc. /RST_status.htm Version Information No Data for Router 2 /WAN_wan.htm WAN Variables DMZ IP /WLG_acl.htm Wireless Card Access List No Data for Router 2 /RST_status.htm Wireless Port Information No Data for Router 2 /WLG_wireless2.htm Wireless2 Settings Variables No Data for Router 2 /WLG_wireless3.htm Wireless3 Settings Variables No Data for Router 2
3 Results Router Marshal is able to extract data that can be found when accessing the router settings via a web browser. This program is not a monitoring tool, so the user has to actively run Router Marshal to view changes in the router’s data. We were able to successfully acquire what devices were connected to the NETGEAR G54 Wireless Router, including IP address, device name, and MAC address. Additionally, we were able to acquire all of the data listed in Table 2.4.4. Furthermore, we found that Router Marshal keeps a log of everything that it
Page 8 of 10
Patrick Leahy Center for Digital Investigation (LCDI) does on the router, such as logging in as an admin or any commands that it runs, so that the software can be used by investigators in a forensic case.
During our research, we were unable to acquire network data, such as usernames and passwords or visited websites, but the router log will get a list of allowed sites as long as the “Keyword Blocking” option on the router is switched to “always on.” This means that the router is allowing or denying sites regardless of if there are any blocked keywords or sites. This option will not get any additional information, such as keywords searched, beyond the list of allowed sites. As this is just a list of sites that have been allowed by the router, it doesn’t necessarily mean that the sites were visited by the user of the computer. These sites could be ads or some form of webpage analytics as well. If the setting is not turned on, visited sites will not show up in the log, but the log will show data such as: the time the internet is connected/disconnected to the router, the time when a device is connected, when the time is synchronized with the server, and the router’s IP address and time when the router was accessed. It should be noted that the most recent admin login shown in the router log is from when Router Marshal logged in to obtain data.
4 Conclusion Router Marshal is a valuable tool for viewing router settings and basic router data, as well as exporting this data into a report. It is a fairly easy to use tool for investigators when dealing with a supported device, and it even has an easy to understand manual included with the product download. When dealing with an unsupported device, the user must create a script to work with Router Marshal which may be above the skill set of an investigator.
Router Marshal does not intercept data, such as network traffic, between a computer and a router; rather it pulls information from the router. During our research, we found that the host computer running Router Marshal needed to be connected to the router being analyzed, either wirelessly or wired. This means that the user would need to know the wireless key in order to access a wireless network, which could pose an access problem. The software also requires the necessary username and password to access the router, so if the default settings have been changed, it may be difficult for the user to gain access.
5 Further Work Further work can be done on this topic by using different routers and researching what Router Marshal can acquire from different devices. Another possibility would be to create a script for the TP-Link and attempt to acquire data from the router.
6 References
Callaham, J. (2012, April 05). Study: 25 Percent of All Households Use WiFi. Neowin. Retrieved July 15, 2013, from http://www.neowin.net/news/study-25-percent-of-all-households-use-wifi
Page 9 of 10
Patrick Leahy Center for Digital Investigation (LCDI)
Router Marshal™ Digital Forensic Software. (2010, December 22). Router Marshal™ Digital
Page 10 of 10