Criminals leave forensic evidence behind at crime scenes that's not being collected by police investigators, says a law enforcement expert.
MAC addresses and router log-in attempts are recorded by routers. That information can tie a smartphone owner to a time and location, which can be valuable when trying to charge or prosecute suspects in criminal cases, reckons a police technical advisor.
"These devices could hold a lot of information, but we're not capturing it," Dan Blackman, a Western Australia police advisor and Edith Cowan University PhD student, said in a Science Network Western Australia article.
Police are missing out, he thinks.
"We might be able to place a specific person at a specific location at a specific time, which is gold in terms of evidence for a court setting," he continues in the article.
What Blackman is talking about is the host of successful and unsuccessful login attempts, de-authentication times, and mobile device MAC addresses that are stored on a Wi-Fi access point's router table.
Those MAC addresses are unique and identify the particular device. If the smartphone used at the scene can be collected — perhaps at a later date — its MAC address can be tied to the location and time of a login attempt by analyzing the router, if investigators are fast enough.
If the investigator knows the owner, or user, it could be corroborating evidence, Blackman said in the article.
There is a problem with the idea, though. Investigators grabbing the router during a forensics sweep and hacking it back at the lab aren't necessarily going to end up with an automatic "no contest, your honor."
Ignoring the admissibility unknowns (I'm no lawyer), and the "someone took my phone" school of criminal defense, there's an issue: powering down the router erases data. If you switch it off or unplug it, much of the log data is gone.
"If we power off the Wi-Fi device we lose a heck of a lot of data," Blackman says in the article.
Beyond that, even if the investigators arrive on scene within a few minutes of the crime and recover the modem, the internal memory on the router can be overwritten—by the actual responders.
Many routers have limited memory, Blackman has found. Older devices only had 204 kilobytes of storage, Science Network's article says.
Newer ones filled up within eight minutes in tests. Memory was overwritten.
Modified Faraday bag
So even if the power can be retained, perhaps by performing the analysis on scene, arriving police and others' devices can overwrite the existing MAC addresses and logins.
Just by being there, the first responders can corrupt the evidence with network traffic.
"The solution may involve modifying a Faraday bag," Science Network's article says. They are "enclosed carrier units that block connectivity to cellular networks, Wi-Fi and Bluetooth."
But if these logistical issues are solved, from an evidentiary perspective, "Wi-Fi devices could be equally or more valuable than GPS," the article says.
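The correlation Blackman describes, and the contamination by responders' devices, can be sketched as follows. This is an added example, not code from the article or from Blackman's research; the log format, MAC addresses and timestamps are constructed, and it assumes the phone presents the same MAC address each time it contacts the access point.

```python
import re
from datetime import datetime

# Constructed sample in a hypothetical "<ISO time> <MAC> <EVENT>" format;
# real routers differ in log format and in how long they retain entries.
SAMPLE_LOG = """\
2015-03-02T21:04:11 02:00:00:00:00:01 ASSOC
2015-03-02T21:09:40 02:00:00:00:00:02 AUTH_FAIL
2015-03-02T21:17:52 02:00:00:00:00:01 DEAUTH
2015-03-02T21:31:05 02:00:00:00:00:03 ASSOC
2015-03-02T21:32:10 02:00:00:00:00:04 AUTH_FAIL
"""
LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
                  r"(ASSOC|AUTH_FAIL|DEAUTH)$", re.I)

def parse(log):
    """Return (time, mac, event) tuples in time order; non-matching lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2].lower(), m[3].upper()))
    return sorted(events)

def sessions(events):
    """Pair each ASSOC with the same MAC's next DEAUTH; end is None if never logged."""
    open_at, out = {}, []
    for ts, mac, ev in events:
        if ev == "ASSOC":
            open_at.setdefault(mac, ts)
        elif ev == "DEAUTH" and mac in open_at:
            out.append((mac, open_at.pop(mac), ts))
    return out + [(mac, start, None) for mac, start in open_at.items()]

def present_at(sess, mac, when):
    """Return the session placing `mac` on the network at `when`, else None."""
    for m, start, end in sess:
        if m == mac.lower() and start <= when and (end is None or when <= end):
            return (m, start, end)
    return None

def first_seen_after(events, cutoff):
    """MACs with no entry before `cutoff`, e.g. devices that arrived with responders."""
    before = {mac for ts, mac, _ in events if ts < cutoff}
    return sorted({mac for ts, mac, _ in events if ts >= cutoff} - before)

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(present_at(sessions(ev), "02:00:00:00:00:01", datetime(2015, 3, 2, 21, 10)))
    print(first_seen_after(ev, datetime(2015, 3, 2, 21, 30)))
```

A failed login (`AUTH_FAIL`) opens no session here, but the raw event still records that the device was in radio range at that time.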
This article is published as part of the IDG Contributor Network.