Wi-Fi should be used to catch criminals, police advisor says

MAC addresses and login attempts are forensic 'gold' left behind at crime scenes. That router-held data should be used to place perpetrators at the location, an expert says.


Criminals leave forensic evidence behind at crime scenes that's not being collected by police investigators, says a law enforcement expert.

MAC addresses and router log-in attempts are recorded by routers. That information can tie a smartphone owner to a time and location, which can be valuable when trying to charge or prosecute suspects in criminal cases, reckons a police technical advisor.


"These devices could hold a lot of information, but we're not capturing it," Dan Blackman, a Western Australia police advisor and Edith Cowan University PhD student, said in a Science Network Western Australia article.

Police are missing out, he thinks.

"We might be able to place a specific person at a specific location at a specific time, which is gold in terms of evidence for a court setting," he continues in the article.

Unique identifiers

What Blackman is talking about is the host of successful and unsuccessful login attempts, de-authentication times, and mobile device MAC addresses that are stored on a Wi-Fi access point's router table.

Those MAC addresses are unique and identify the particular device. If the smartphone used at the scene can be collected — perhaps at a later date — its MAC address can be tied to the location and time of a login attempt by analyzing the router, if investigators are fast enough.

If the investigator knows the owner, or user, it could be corroborating evidence, Blackman said in the article.

Nolo Contendere

There is a problem with the idea, though. Investigators grabbing the router during a forensics sweep and hacking it back at the lab aren't necessarily going to end up with an automatic "no contest, your honor."

Ignoring the admissibility unknowns (I'm no lawyer), and the "someone took my phone" school of criminal defense, there's an issue — powering down the router erases data. If you switch it off or unplug it, much of the log data is gone.

Corrupted data

"If we power off the Wi-Fi device we lose a heck of a lot of data," Blackman says in the article.

Beyond that, even if the investigators arrive on scene within a few minutes of the crime and recover the modem, the internal memory on the router can be overwritten — by the actual responders.

Many routers have limited memory, Blackman has found. Older devices only had 204 kilobytes of storage, Science Network's article says.

Newer ones filled up within eight minutes in tests. Memory was overwritten.

Modified Faraday bag

So even if the power can be retained, perhaps by performing the analysis on scene, devices belonging to arriving police and others can overwrite the existing MAC addresses and logins.

Just by being there, the first responders can corrupt the evidence with network traffic.

"The solution may involve modifying a Faraday bag," Science Network's article says. They are "enclosed carrier units that block connectivity to cellular networks, Wi-Fi and Bluetooth."

But if these logistical issues are solved, from an evidentiary perspective, "Wi-Fi devices could be equally or more valuable than GPS," the article says.
