A while back I'd posted the location of WiFi WAP MAC addresses within the Vista and Windows 7 Registry to ForensicArtifacts.com. This information can be used for intelligence purposes, particularly WiFi geolocation, that is, if the WAP MAC address has been mapped and the lat/longs added to an online database, they can then be looked up and plotted on a map (such as Google Maps). I've blogged about this, and covered it in my upcoming Windows Forensic Analysis 3/e. I also wrote maclookup.pl, which used a URL to query the Skyhook Wireless database to attempt to retrieve lat/longs for a particular WAP MAC address. As it turns out, that script no longer works, and I've been looking into alternatives.
One alternative appears to be WiGLE.net; there seems to be a free search functionality that requires registration to use. Registration is free, and you must agree to non-commercial use during the registration process. Fortunately, there's a Net::Wigle Perl module available, which means that you can write your own code to query WiGLE, get lat/longs, and produce a Google Map...but you have to have Wigle.net credentials to use it. I use ActiveState Perl, so installation of the module was simply a matter of extracting the Wigle.pm file to the C:\Perl\site\lib\Net directory.
So, I updated the maclookup.pl script, using the Net::Wigle module (thanks to the author of the module, as well as Adrian Crenshaw, for some assistance in using the module). I wrote a CLI Perl script, macl.pl, which performs the database lookups, and requires you to enter your Wigle.net username/password in clear text at the command line...this shouldn't be a problem, as you'll be running the script from your analysis workstation. The script takes a WAP MAC address, or a file containing MAC addresses (or both), at the prompt, and allows you to format your output (lat/longs) in a number of ways:
- tabular format
- CSV format
- Each set of lat/longs in a URL to paste into Google Maps
- A KML file that you can load into Google Earth
All output is sent to STDOUT, so all you need to do is add a redirection operator and the appropriate file name, and you're in business.
The code can be downloaded here (macl.zip). The archive contains a thoroughly-documented script, a readme file, and a sample file containing WAP MAC addresses. I updated my copy of Perl2Exe in order to try and create/"compile" a Windows EXE from the script, but there's some more work that needs to be done with respect to modules that "can't be found".
Getting WAP MAC Addresses
So, the big question is, where do you get the WAP MAC addresses? Well, if you're using RegRipper, the networklist.pl plugin will retrieve the information for you. For Windows XP systems, you'll want to use the ssid.pl plugin.
Once again, there are a couple of important things to remember when running the macl.pl script. First, you must have Perl and the Net::Wigle Perl module installed. Neither is difficult to obtain or install. Second, you MUST have a Wigle.net account. Again, this is not difficult to obtain. The readme file in the provided archive provides simple instructions, as well.
Adrian wrote a tool called IGiGLE.exe (using AutoIT) that allows you to search the Wigle.net database (you have to have a username and password) based on ZIP code, lat/longs, etc.
Here is the GeoMena.org lookup page.
Here is a review of some location service APIs. I had no idea there were that many.