I was talking to some really, really smart folks last week about some things you could do with data that resulted from computer forensic analysis, and the topic of geolocation came up. I had some ideas, and when I returned from my trip, I started taking a look into how I could use historical information derived from an acquired image to perform geolocation. I sat down yesterday...it was rainy, so it's a nice day to code...and worked up a proof-of-concept that came out quite nicely.
So basically, here's how it works....during the course of an exam, you may determine that the system was used to connect to multiple wireless access points (WAPs). As discussed earlier, there may be more than just the SSID of the WAP recorded in the Registry...for example, the MAC address of the WAP is also recorded. Pretty neat.
So what? So you have a MAC address...what would you do with this information? Look up the vendor? Well...that's a start, as it can help you confirm that you do, in fact, have the right type of device. But in a few easy steps, you may be able to find out where that WAP is physically located. I put heavy emphasis on may because this isn't a 100% done deal...but it is way kewl nonetheless.
So the steps go a little something like this...
1. Run RegRipper (or rip or even ripXP) against the Software hive to get the SSID and MAC address of the WAP, as well as the last time the WAP was connected to. For XP systems, the updated ssid plugin is what you want to use, and for Vista and above systems, I wrote a plugin called networklist.
Note: There's a date associated with the SSID within the binary data of the Registry value on XP systems...however, I have no idea what this date means. On Vista systems and above, the MAC address has a distinct value (ie, does not need to be stripped out of a binary data stream), and a date/time stamp that indicates when the WAP was last connected to.
As an example, here's the data I retrieved from an XP system:
Launching ssid v.20090807
SSID
Microsoft\WZCSVC\Parameters\Interfaces
NIC: 11a/b/g Wireless LAN Mini PCI Express Adapter
Key LastWrite: Thu Feb 7 10:38:43 2008 UTC
Wed Oct 3 16:44:25 2007 tmobile MAC: 00-19-07-5B-36-92
For completeness sake, the output of the networklist plugin looks like this:
Launching networklist v.20090811
Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
linksys
Key LastWrite : Mon Feb 18 16:02:48 2008 UTC
DateLastConnected: Mon Feb 18 11:02:48 2008
DateCreated : Sat Feb 16 12:02:15 2008
DefaultGatewayMac: 00-0F-66-58-41-ED
2. Submit your MAC address to the SkyHook WiFi Geolocation database...for metropolitan areas, you may get a lat/long pair back...it's not guaranteed, of course.
C:\Perl>skyhook.pl 00-19-07-5B-36-92
Latitude = 38.9454029
Longitude = -77.4444937
Note: The code for skyhook.pl was based on this code...many thanks to Joshua! I'm doing this on Windows, and I couldn't find a version of XML::LibXML that installed on Windows, so I used XML::Simple. Also, I made a number of other modifications with respect to programming style, but Joshua did most of the heavy lifting.
3. Using the lat/long pair, create a URL for Google Maps (you can include some additional information, such as the SSID and date last connected), which will give you a map with a pushpin and any additional information you add. For multiple WAPs and to plot multiple pushpins on the same map, you may need to create a KML or KMZ file and host it someplace that can be reached by Google Maps, and then submit the appropriate URL (on the KML Update page, hover over the link that ends in cropcircles.kmz...).
For the WAP in our example, the URL might look like this. Here's an article that describes how WiFi geolocation can be used to recover stolen laptops.
Again, this isn't 100%. Not every area is mapped, and its highly unlikely that SOHO WAPs have been mapped. Still, if you can get something out of this, it might be useful.
Resources
Google Gears Geolocation API gets Wifi
SkyHook Wireless How It Works page
Firefox GeoLocation add-on
Addendum: Updated my Perl script tonight, thanks to input from Colin Shepard on Net::MAC::Vendor (for Windows, download the .tar.gz file, can extract the .pm file into site\lib\Net\MAC in your Perl install...). Now, the script takes either a WAP MAC address (if no SSID is provided, uses "Unknown") or the path to a file containing MAC addresses and SSIDs on single lines, separated by semi-colons. The output is any vendor and address information returned by the OUI lookup, and a URL that can be pasted into your browser window to get a Google Map (if lat/longs are available). For example:
C:\Perl>maclookup.pl -w 00:19:07:5B:36:92 -s tmobile
OUI lookup for 00:19:07:5B:36:92...
Cisco Systems
80 West Tasman Dr.
SJ-M/1
San Jose CA 95134
UNITED STATES
Google Map URL (paste into browser):
http://maps.google.com/maps?q=38.9454029,+-77.4444937+%28tmobile%29&iwloc=A&hl=en
Pretty sweet...
Good article. You keep mentioning new plugins (such as networklist) but you do not include a links. Where can you get these new downloads for regripper?
ReplyDeleteThe last time regripper was updated was more than a year ago on 9/10/2008.
--Rob
Hey, Rob...
ReplyDeleteMostly, I'm still exploring a suitable distribution mechanism, but I'm also still looking for contributions to assist with the development of the plugins themselves; like I've said before, concise requests and sample hives for testing. For the most part, the requests I've received for plugins have been (a) already filled by existing plugins, or (b) without samples to test against.
As there has been very little in the way of requests, and nothing in the way of samples, I've had to explore other avenues.
OK cool. regripper.net or sourceforge do not work well for distribution?
ReplyDeleteSo you are saying you want more help before you release these plugins you mention in your blog articles?
You want your readers to make more requests, give you samples, and to help you code before you will consider releasing updates?
Folks? What do you think? Harlan needs help and support it looks like. Who is in with me to see what we can do?
--Rob
Rob,
ReplyDeleteIt's like this...I'm one guy, with limited resources. The work I do on RegRipper and associated tools is not part of my "day job", and something I can only do with what time and other resources I have available. So when someone comes to me and says, "I need a plugin for LimeWire examinations"...well, I don't have any systems with LimeWire installed.
Sure, you could say, "...just set up a VM and install LimeWire, use it like the bad guy did for a while, and then send out the plugin based on your findings...". Where does the virtual machine come from? Where does the virtual machine infrastructure come from? Where does the time to install and work with the application come from?
I've always invested my own time and money into this, and recently purchased a separate system in order to conduct some research, but I have to say, I cannot continue to invest these resources into something that so many are willing to use but so few are willing to support. I continue to work on RegRipper, but the actual development of the tool and associated plugins has to take the appropriate priority among other projects that will have a more tangible and immediate effect.
Thanks.
Harlan, excellent work as usual. However, if you ever want RegRipper to gain any momentum or maintain the usefulness that I personally see in it then you have to release the plugin with the post for general public use. Simply posting a "Hey look what I can do" with no plugin for immediate use is not helping matters here. I get it, the resource factor issue and 1 man show, I’m just pointing out the obvious. Not a bash, just an observation.
ReplyDeleteHarlan,
ReplyDeleteYou can also look up geographic locations of wireless access points by MAC address in the WIGLE database at https://wigle.net/gps/gps/main. If I'm not mistaken, their database of AP locations is substantially larger than Skyhook's, and it's free as well.
Harlan,
ReplyDeleteI'm with Rob in willing to help with what I can, but what are you looking for the community to help with? Giving you full blown registry hives that have been through x or y? Helping to bug test plugins? Writing plugs? Donating money?
I'm not clear on what help you are looking for.
Tom
John,
ReplyDeleteI've taken a look at the WiGLE pages and don't see any means for simply submitting a query given a WAP MAC address.
cdtdelta,
...what are you looking for the community to help with?
I've made a couple of requests over the past several years, and in particular over the past year+...I mentioned several of them in my previous comment, but I'll reiterate them here...
I've posted on my blog, in forums, and even answered Rob's question at the last SANS Forensic Summit with what I thought was a simple, clear request...if someone has a plugin that they'd like to see, send me a concise description of what you'd like and a sample hive file with the data in it.
In the past, I've been asked to write plugins for things such as Firewire devices; however, I do not have any systems with Firewire connections, nor do I have any Firewire devices. Therefore, I would require (a) hive files or (b) systems and devices, on loan. Neither have been provided.
I had thought that this was a rather simple request, but seeing that its not been something that folks want to provide, I've opted to move on, and purchased my own system and installed Windows 7. I can't magically make up plugins...I need data for testing.
I'm a bit hesitant to just send out plugins to people for them to test, particularly if the recipient has little to no Perl programming background. Also, when I have sent out plugins like this, more often than not, the recipient apparently doesn't have the time to test the plugin, let alone acknowledge receiving it. This just makes it too hard to manage this kind of process.
Anonymous,
ReplyDeleteHowever, if you ever want RegRipper to gain any momentum or maintain the usefulness that I personally see in it then you have to release the plugin with the post for general public use. Simply posting a "Hey look what I can do" with no plugin for immediate use is not helping matters here. I get it, the resource factor issue and 1 man show, I’m just pointing out the obvious.
In most cases, I've written the plugin based on my own needs, not at the request of anyone else. While I would like RegRipper to "gain momentum", the problem I see with your proposal is that posting the plugin for download doesn't really get me anywhere that I'm not already at with respect to momentum or usability. For right now, I've seen very little momentum other than "thanks" emails sent directly to me, and I can count on the fingers of one hand the number of folks who've contributed plugins of their own. I do have some updates to RR itself as well as additional plugins I'd like to work on, but all but one or two of my "to-do" items are things I've come up with myself.
I guess the short version is that if you want it to be about "community", make it about community, not one or two people providing everything for free.
Not a bash, just an observation.
Not taken as such. Thanks...I hope you've received my comments in the same manner.
Harlan,
ReplyDeleteOk, the way you were wording it was as if you were looking for something else.
Basically what you are asking for is if someone wants you to write a plugin to do X, that they supply you with the necessary materials to write said plugin (be it hardware, registry hives, software, etc).
It sounded to me like you were asking for people to just send you registry hives to add to a collection; for testing or something else.
Tom
Tom,
ReplyDeleteThat's right.
If you think about it, though, it's really pretty simple. I mean, what would I do with a collection of hive files? I mean, let's say 5 people go out and download one of the freely available XP images on the 'net, extract the hives and send them to me? Instead of 5, how about 50? Really, what sense does that make? Also, it's not like I have all the time in the world to go looking for interesting stuff, right?
On the flip side, look at the request for a Firewire devices plugin...I don't have any systems with Firewire connections, nor do I have any Firewire devices...so how would I get a hive populated with the necessary entries? Or how about if someone modifies a plugin for XP so that it works on Vista...say, the name of or path to a key changed between versions. Sending me the plugin doesn't do much good without data to test it on.
I hope this makes sense.
You could always go commercial and retire on the proceeds ;)
ReplyDeleteGreat post! I have noticed, however, that when I connect to my home network Google thinks I'm about 100 miles away. That might give me an alibi if I were (more) evil.
Lee,
ReplyDeleteWhen you say, ...hen I connect to my home network..., what do you mean? If you're doing IP geolocation, that may be the reason. Unless you live in a major metropolitan area and have lived there for some time, your WAP MAC may not have been mapped. It appears that none of mine have been mapped...
I mean the WiFi. Sorry, should have been more specific.
ReplyDeleteWhen I use Google Maps on my phone it places me miles away when using WiFi location.
Lee,
ReplyDeleteOkay, gotcha now, but still, that's very different from what I'm doing here. You're using your phone, whereas I'm submitting lookups to the SkyHook database to get a lat/long. Are you using this?
Hi Harlan,
ReplyDeleteI understand and feel your pain. If people who are using the free products provided by others could take a little time to help create some usable data that can be used (they have to test the product on something hopefully) by the developers to test things it would be awesome. I mean quite a few people are using the free products to make a profit so giving up a few minutes of their time to give back should not be a big deal I would think. For example the person you mention requesting the fire devices must have know about them and have access somehow to them and should be able to recreate the data that they have in the hive file they want to examine otherwise how would they know about it. I understand sometimes that data from cases cannot be used but that should not stop someone from being able to mock up an example of the data then pass on. There are some folks out there that do go above and beyond to help out and I appreciate what they do but sadly those people are few and far between.
Kind Regards.
Mark
Mark,
ReplyDeleteThanks for your comments. You're not the first to feel that I implied that I'm "feeling pain" or "frustrated" about this...I'm not. It is what it is. I'm moving ahead with a plan that I've shared with some others, but the main point is that I'm not upset about how things have gone.
Again, thanks for your comments.
H
Understandably, not everyone has time to contribute full-time to everything (many of us already volunteer much of our 'free' time as it is). However, I do believe that most could do a little something in return for having access to RegRipper as it is. When software is purchased, the consumer can demand service from the developer as well as ignore the developer (its your right I suppose since you paid your money). But when you have access to a free-to-use tool AND ability to directly contact the developer, I think a little giving back is in order, in some form or another.
ReplyDeleteI appreciate the use of RegRipper and use it on nearly every case (some cases just don't hit the registry). It does everything I think it needs to do for me, but I'm sure that there is something else it could do, I just can't imagine what else I need it to do.
Even if the idea to lend some support is just to give ideas on how to lend a hand, that seems fair enough to me. At least its a start.
Brett,
ReplyDeleteThanks for your thoughts...coming from you, and considering the contributions you have made, that means a great deal, and I appreciate it.
It's funny that you mention giving ideas...the last time I posted asking about a "RegRipper wishlist", all but one of the suggestions had already been addressed in a plugin. ;-)
Thanks again.
Harlan,
ReplyDeleteThere are two different places you can put in a MAC address in the "Query the FB" form. Both are marked "BSSID or MAC". Not sure why you don't see them unless you didn't log in. You have to be logged in on a (free) account to get to the form. The form is accessed from the "searching" link on the wigle homepage.
John
John,
ReplyDeleteI don't have a login to the site...logging in and having to enter the information manually doesn't directly allow me to replicate the web query as I did for SkyHook...
Yes. You'd have to do the lookup manually. As far as I'm aware, there's not an API to alolow automated lookups in the wigle database.
ReplyDeleteJohn
you can only use WiFi when there is a wireless LAN. But outside of it there's no connection.
ReplyDelete