Here at the LCDI we just finished up a project researching a program called Router Marshal. Router Marshal is a digital forensic tool, developed by ATC-NY, which is used to “automatically acquire digital forensic evidence from network devices such as routers and wireless access points. An investigator can use the Router Marshal software in the field to identify a network device, automatically acquire volatile forensic evidence from the device, and view and interpret this evidence” (Router Marshal, 2010). The software also maintains detailed logs of all activities and communications it performs with a target device.
On their website, routermarshal.com, ATC-NY lists the software's features as:
- Analyzes routers, wireless access points, and other network devices
- Connects over the network or through a serial connection
- Acquires evidence via HTTP, HTTPS, Telnet, and SSH
- Extracts and displays case-relevant data from acquired evidence
- Scripting capabilities enable users to add support for new devices
- Maintains an audit trail and generates detailed reports
- Included sample scripts support for the following routers:
  - Linksys WRT54G/GC/GL/GS/G2, AG241, and WRT160N
  - Netgear RP114, WGR614, WNR1000, and WNR2000
  - D-Link TM-G5240 and WBR-2310
  - DD-WRT and Tomato firmware
  - Cisco IOS
(Router Marshal, 2010)
So, why is this important? Routers are an important part of every investigation as they connect all of the local devices together in a local network. Many homes and businesses have some type of router or wireless access point. In 2012, twenty-five percent of households worldwide had Wi-Fi (Callaham, 2012). This research project explores the forensic data that can be retrieved from home routers using Router Marshal.
The pieces of data that we were mainly interested in for this project were the Attached Devices, Router Log, and Basic Internet Settings. Attached Devices (Figure 1.1.1)* shows us the IP address, device name, and MAC address of all devices attached to the router at the time Router Marshal acquired the data. The Router Log (Figure 1.1.2)* shows us what is happening with the router, such as admin logons or times when a device was connected. The Basic Internet Settings (Figure 1.1.3)* shows us the WAN (Wide Area Network) IP address, or public IP address; the LAN IP address, or private IP address; the gateway; the subnet mask; and the MAC address of the router.
Figure 1.1.1: Attached Devices
Figure 1.1.2: Router Log
Figure 1.1.3: Basic Internet Settings
The results we found show that Router Marshal is able to extract the data that can be found when accessing the router settings via a web browser. This program is not a monitoring tool, so the user has to actively run Router Marshal to view changes in the router’s data. Additionally, we found that Router Marshal keeps a log of everything that it does on the router, such as logging in as admin or any commands that it runs, so that the software can be used by investigators in a forensic case. This log is different from the router log and is produced by the Router Marshal software itself.
We also found that Router Marshal does not intercept data, such as network traffic, between a computer and a router; rather, it pulls information from the router. During our research we found that the host computer running Router Marshal needed to be connected to the router being analyzed, either wirelessly or by wire. This means that the user would need to know the wireless key in order to access a wireless network, which could pose an access problem. The software also requires the username and password to access the router, so if the defaults have been changed it may be difficult for the user to gain access.
In conclusion, Router Marshal is a good tool for viewing router settings and basic router data and exporting this data into a report. It is a fairly easy-to-use tool for investigators when dealing with a supported device, and it even has an easy-to-understand manual included with the product download. However, if there is an unsupported device, the user must create a script to work with Router Marshal, which may be above the skill set of an investigator.
References:
Router Marshal™ Digital Forensic Software. (2010, December 22). Router Marshal™ Digital Forensic Software. Retrieved from http://routermarshal.com/
Callaham, J. (2012, April 05). Study: 25 Percent of All Households Use WiFi. Neowin. Retrieved July 15, 2013, from http://www.neowin.net/news/study-25-percent-of-all-households-use-wifi
– Maegan Katz
*IP and MAC addresses blocked for privacy reasons