
Disabling a Wireless Network via Denial of Service

Technical Report MSU-070424


Allison H. Scogin
Abstract
As wireless networking becomes more prevalent in our society, the crimes that are
committed within their boundaries will increase. Investigators in the field of digital forensics
must have the means to safely and legally acquire electronic evidence in these wireless networks.
Acquiring this evidence without altering or damaging it becomes problematic when the evidence
is located within a wireless network. Devices can communicate with other wireless devices until
they are shut down or disconnected from the network. Any communication between wireless
devices after they are seized can jeopardize the validity of the evidence they contain. This after-seizure communication must not be allowed.
Therefore, digital forensic investigators must have the ability to disrupt the wireless
network immediately upon discovery. This paper suggests that wireless networks may be
disabled via a denial of service attack. However, the effects of initiating a denial of service on
the evidence in a wireless network are unknown. This paper investigates the potential effects of
utilizing an active form of a denial of service attack on a wireless network.

1. Introduction
Digital forensics is the use of specialized technology for recovery, authentication, and
analysis of electronic data when a case involves issues relating to reconstruction of computer
usages, examination of residual data, authentication of data by technical analysis or explanation
of technical features of data and computer usage [2]. The field of digital forensics is a
constantly evolving field as new technologies are developed every day. One such new
technology is wireless networking. The use of wireless networking has exploded since the late
1990s.
According to a recent study by Pew Internet & American Life, 34% of all internet users
have logged on with a wireless internet connection either at home, at work, or someplace else
[7]. When Internet users were asked, "Do you ever log onto the internet using a wireless
device?" in February 2004, 22% gave a positive response. These percentages clearly show a
growth in the use of wireless networking [7]. In 2005, more than 10 million homes in the United
States had a wireless Internet connection [17]. As with any technology in widespread use,
wireless networking has been misused in illegal ways and many crimes have been committed
within the boundaries of a wireless network [22]. Much research is needed in the field of digital
forensics, especially in the area of electronic evidence collection in wireless networks.
Electronic evidence must be treated like any other type of evidence. The collection of
electronic evidence must follow the standards of admissible evidence. These standards are based
on the Federal Rules of Evidence (FRE), which are the rules that govern the admissibility of
evidence in the United States federal court system [3]. There are several steps to follow in digital
forensics to ensure that evidence is not destroyed or compromised. These steps are taken from
[12]. First, acquire the evidence without altering or damaging the original. Second, authenticate
that your recovered evidence is the same as the originally seized data. And third, analyze the data
without modifying it. If these steps are not taken, the original electronic evidence can be
destroyed or altered and as a result may not hold up in a court of law.
This paper concentrates on the first step, which is to acquire the evidence without altering
or damaging the original. This first step can be difficult when the evidence is located within a
wireless environment. This difficulty arises because there are no clear boundaries that define the
wireless network. Unlike a wired network, there are no physical connections between the
wireless router and the wireless devices. The devices communicate via radio waves. The area of
possible communication can often be larger than intended. This becomes a problem when the
area of interest in an investigation does not encapsulate the entire area covered by the wireless
network or when the presence of a wireless device is not apparent to the investigator.
Devices in the wireless network can communicate with other devices until they are
disconnected from the network or shut down. Such communication after the area is secured can
violate the first step of evidence collection: acquire the evidence without altering or damaging
the original. For example, an individual with a laptop enabled with a wireless interface could be
in the next room but still within range of the wireless network. They could then access the
devices located within the area of interest and alter evidence or even remove the evidence
entirely. This can occur after the area is seized but before the devices are made unavailable. This
after-seizure communication jeopardizes the evidence and must not be allowed.
Therefore, digital forensic investigators must have the ability to disrupt the wireless
network immediately upon discovery. One possible way to accomplish this would be to enact a
denial of service. A denial of service is any action, or series of actions, that prevents any part of
a system, or its resources, from functioning in accordance with its intended purpose [6]. Denial
of service is the absence of availability. Denial of service is traditionally an attack method used
by inexperienced hackers called script kiddies. A script kiddie uses attack tools developed by
others to launch large-scale attacks on victims [14]. These attacks have been very damaging and
expensive to victims. In February 2000, Yahoo, Amazon, eBay, and many other online
businesses were attacked via a denial of service causing tens of millions of dollars in damage
[16]. Although denial of service has traditionally been viewed as an attack mechanism, it has
been suggested by Slay and Turnbull that it could be used by law enforcement to disable wireless
networks during forensic investigations [23].
Slay and Turnbull raise the question in their paper, "Wireless Forensic Analysis Tools for
Use in the Electronic Evidence Collection Process," of the forensic soundness of enacting a denial
of service during an investigation. They state that their argument relates back to the fundamental
forensic principles of McKemmish's second rule of Forensic Computing: "Account for any
change" [23]. It is possible that the form of denial of service that manipulates network protocols
by inserting active data into the network could affect the electronic evidence. To the author's
knowledge, it has not been proven otherwise. Slay and Turnbull state that "the intent (of
initiating a denial of service) should be analyzed, and the potential effects of utilizing and not
utilizing the mechanism should be evaluated" [23]. The potential effects of utilizing an active
form of denial of service on a wireless network are investigated in this paper.
The remainder of this paper is organized as follows. Section 2 provides background
information on wireless networks and denial of service attacks. Section 3 describes the
experiment setup and documents the steps taken to set up the wireless network and the denial of
service attacks. Section 4 documents the results of the experiment. Section 5 provides a
conclusion followed by the references.

2. Background
The following section provides a brief background of relevant information concerning
wireless networks and denial of service attacks.
2.1 What is a WLAN?
A wireless LAN, or WLAN, is a local area network that does not require wired Ethernet
connections. Devices in a WLAN communicate via technology based on radio waves [20].

802.11 is the standard by which wireless networking operates. The IEEE working group 11 of
the IEEE LAN/MAN Standards Committee developed the IEEE 802.11 standard. The 802.11
standard is an evolving family of specifications for wireless LAN technology [5].
2.1.1 WLAN Configurations
The 802.11 standard describes two network configurations. In an infrastructure network,
stations are based around an access point. The access point provides communication with the
wired network by serving as a wireless-to-wired bridge [5]. The access point also mediates all
wireless traffic in the network. In an infrastructure network, stations must associate with an
access point to join the network. The access point broadcasts its SSID (Service Set Identifier) to
the stations. This is how the stations become aware of the wireless network. The stations always
initiate the association process and can only be associated with one access point at a time. The
access point uses the contents of an association packet from the requesting station to make the
decision to grant or deny access to the network. In an ad hoc network, stations communicate
directly with each other without the use of an access point [5]. Figure 2.1 provides an illustration
of an ad hoc network and an infrastructure-based network. The dotted lines connecting the
stations in the left-hand side of the diagram and the dotted lines connecting the stations with the
access point in the right-hand side of the diagram represent the wireless medium. The stations
can be any type of device that has a wireless network interface, not necessarily just a laptop or
desktop computer as Figure 2.1 illustrates. An infrastructure-based network was used for this
experiment.

Figure 2.1: Network Configurations (left: Ad Hoc Network; right: Infrastructure Network)

2.1.2 The 802.11 Protocol Stack
The Open Systems Interconnection (OSI) reference model defines a framework for
implementing networking protocols in seven layers [20]. Each layer in the OSI model provides
services for the layer above it and only interacts with the layer beneath it. The OSI reference
model is illustrated in Table 2.1.
Table 2.1: The OSI Reference Model [20]
Application
Presentation
Session
Transport
Network
Data Link
Physical

The 802.11 specifications concentrate on the two lowest layers of the OSI model: the data
link layer and the physical layer. The data link layer in 802.11 protocols is split into two
sublayers: the MAC sublayer and the LLC sublayer. The MAC (Medium Access Control)
sublayer is a set of rules that determine how to send data and how to access the wireless medium.

Located directly above the MAC sublayer is the LLC (Logical Link Control) sublayer. The LLC
sublayer handles making the various 802 standards indistinguishable to the network layer. The
LLC sublayer takes care of error control, framing, and MAC-sublayer addressing [4].
The physical layer of the OSI model is concerned with transmitting raw bits over a
communication channel. In the case of 802.11, the communication channel is based on radio
waves. The 802.11 standard includes five transmission techniques:
1. Infrared
2. FHSS or Frequency Hopping Spread Spectrum
3. DSSS or Direct Sequence Spread Spectrum
4. OFDM or Orthogonal Frequency Division Multiplexing
5. HR-DSS or High Rate Direct Sequence Spread Spectrum
Each of the five transmission techniques has the same goal: to transmit a MAC frame from one
station in the network to another.
The use of radio waves as a communication channel results in a complicated physical
layer. The 802.11 standard divides the physical layer into two parts: the Physical Layer
Convergence Procedure (PLCP) and the Physical Medium Dependent (PMD). The job of the
PLCP is to map the MAC frames onto the wireless medium. The job of the PMD is to transmit
those frames on the wireless medium. Figure 2.2 illustrates the division of the data link layer into
two sublayers and the various transmission techniques of the physical layer.

Figure 2.2: Part of the 802.11 Protocol Stack [19]

2.1.3 The 802.11 Services
The 802.11 standard provides nine services. These services are divided into two
categories: station services and distribution services. The five distribution services are
association, disassociation, reassociation, distribution, and integration. The association service is
used by stations to connect to an access point. The stations register or associate with the access
points. The disassociation service is used to terminate an association between a station and an
access point. The reassociation service is used when a station moves to a new service area and
must switch to a new access point. Stations use the distribution service to deliver frames to their
destinations.
The four station services are authentication, deauthentication, privacy, and data delivery.
Because wireless networks cannot provide the same level of physical security that wired
networks can, they must use authentication measures to ensure that the systems accessing the
network are authorized to do so. Deauthentication occurs when an authenticated station
terminates its connection. Privacy is the third station service. This service provides encryption
for the data sent over the wireless network. Finally, data delivery is the last station service.

2.1.4 WLAN Advantages
A wireless LAN has many advantages over a wired network. These advantages include:
1. Flexibility
2. Mobility
3. Cost
4. Ease and speed of deployment [5].
Wireless networks are very flexible compared to wired networks. Because there are no
physical cables connecting devices, wireless networks can be set up quickly. Users can set up a
temporary wireless network without having to unplug and plug wires. The many businesses that
offer hotspots do so because of this flexibility. A hotspot is simply a venue that offers wireless
Internet access. Many businesses, such as coffee shops, airports, hotels, and bookstores now
offer hotspots [9].
The mobility offered by wireless networks allows users to access the Internet from any
location. Users can now work from the neighborhood coffee shop instead of the office. This
mobility leads to increased productivity for its users. For example, a businessperson can use a
PDA to remain constantly connected to the network.
A wireless network can be much less expensive than a traditional wired network.
Wireless networking hardware has recently become comparable in price to wired networking
hardware. In addition, the savings in infrastructure, such as running cables, can also make
wireless networks less expensive. The cable installation required for a wired network can also be
expensive. Also, the infrastructure does not require pricey changes when a new device is added
as long as the device is within range [5].

The final advantage mentioned is the ease and speed of deployment of a wireless
network. The initial setup of an infrastructure-based wireless network usually only requires a
single access point. An ad-hoc-based wireless network requires no additional equipment. A
WLAN can be deployed in areas that may be off-limits to wired networks. One such example
would be a historical building protected from the modifications sometimes required of a wired
network [9]. It is because of these advantages that wireless networking has become so prevalent.
2.2 What is Denial of Service?
A denial of service is any action, or series of actions, that prevents any part of a system,
or its resources, from functioning in accordance with its intended purpose [6]. Denial of service
is the absence of availability. Availability is the reliability and timely access to data and
resources by authorized individuals [6]. Availability is one of the three tenets of computer
security, the other two being confidentiality and integrity [15].
2.2.1 Categories of Denial of Service
Denial of service attacks can be categorized as either resource allocation attacks or
resource destruction attacks. A resource allocation attack consumes the resources of the victim
making legitimate use unavailable. When the resource allocation attack is halted, the resources
are made available again. A resource destruction attack exploits vulnerabilities in the protocols to
make resources unavailable. When this type of attack is halted, the resources are not immediately
available. The resource allocation attack was implemented for this experiment [18].
The advantage of a resource allocation attack is that the attack can be directed at specific
wireless networks or specific devices in the wireless network. If forensic investigators were to
use a denial of service attack, they would not want to disable neighboring networks, only the
network under investigation. The denial of service attack tool used for this experiment is the
802.11 frame-generating tool Void11.

3. Experimental Environment
This section begins with a description of the equipment used in the experimental
environment as well as descriptions of the Open Source software tools used throughout the
experiment. The setup of the WLAN is explained and the electronic evidence files are provided.
An explanation of the initial setup of the file integrity checker software is provided. This is
followed by a description of the denial of service attack. The section ends with checking the file
integrity checker software for any changes in the electronic evidence files.
3.1 Description of the Equipment
The equipment used in this experiment included three Gateway M4600 laptops. Each
laptop performed a specified function. Two laptops were used as victims and the other laptop
was used as the attacker. The attacker laptop and one victim laptop were installed with the
Redhat Fedora Core 5 operating system. The other victim laptop used the Microsoft Windows
XP operating system. The attacker laptop utilized the Void11 attack tool, which required the use
of the Prism chipset in the wireless card. Therefore, an SMC2532W-B EliteConnect 2.4GHZ
802.11B PCMCIA wireless card was used in the attacker laptop. The two victim laptops used the
Intel Corporation PRO/Wireless 2200BG PCI card. The access point used in the experiment was
the Buffalo Technology AirStation Turbo G High-Power Wireless Cable/DSL Smart Router.
Figure 3.1, Figure 3.2, Figure 3.3, and Figure 3.4 present the previously described equipment.


Figure 3.1: Computer One: Attacker Computer
System: Gateway M4600
Operating System: Redhat Fedora Core 5
Type: SMC2532W-B EliteConnect 2.4GHz 802.11b High-Power Wireless PC Card
Chipset: Prism

Figure 3.2: Computer Two: Victim Computer
System: Gateway M4600
Operating System: Redhat Fedora Core 5
Type: Intel Corporation PRO/Wireless 2200BG PCI card

Figure 3.3: Computer Three: Victim Computer
System: Gateway M4600
Operating System: Microsoft Windows XP Professional Version 2002 Service Pack 2
Type: Intel Corporation PRO/Wireless 2200BG PCI card

Figure 3.4: Access Point
Buffalo Technology AirStation Turbo G High-Power Wireless Cable/DSL Smart Router
3.2 The Open Source Software Tools
Several Open Source software tools were used throughout the duration of this
experiment. The purpose of this experiment was to determine if initiating a denial of service
attack on a wireless network during a forensic investigation could damage the electronic
evidence. If it could be proven that it is a safe process, then denial of service could be
incorporated into future investigative procedures. Open Source Tripwire and AFICK, or Another
File Integrity Checker, were used before and after the denial of service attacks to determine any
changes in the victim laptops. Tripwire was used for the victim computer running Linux and
AFICK was used for the victim computer running Microsoft Windows XP. A denial of service
attack tool was also required for this experiment. The Open Source attack tool Void11 was
employed. The following section describes the Open Source tools in more detail.
3.2.1 Tripwire
Dr. Eugene Spafford and Gene Kim developed the original Tripwire software in 1992 at
Purdue University [10]. Gene Kim later took the research and co-founded the company Tripwire
in Portland, Oregon [21]. The Tripwire software has since evolved into a Linux Open Source
intrusion-detection system. Open Source Tripwire does not deal with detecting intrusion attempts
in real-time, but instead reports on any discrepancies observed since running Tripwire in
database initialization mode. Running Tripwire in database initialization mode is the first step in
setting up Tripwire for operation. This mode creates a database that is an exact record of the files
on the system. Tripwire later uses this record to discover any discrepancies in the system. The
database is one of the key components of Tripwire [4].
The second key component of Tripwire is the policy file. The policy file lists every file
and directory that Tripwire should monitor. The policy also contains the rules that identify
violations. The policy file determines the level at which Tripwire checks the integrity of the
system [4].
Tripwire protects its files by using two cryptographic keys: the site key and the local key.
The site key protects the policy file and the configuration file. The local key protects the
database and the discrepancy reports generated by Tripwire. Most importantly, Tripwire encrypts
and signs its own files so that it will know if it has been compromised [4]. Tripwire was used to
determine any changes in the laptop running Linux.

3.2.2 AFICK
AFICK (Another File Integrity Checker) is very similar to Tripwire. It was developed
after Tripwire and adopts many of Tripwire's concepts. Like Tripwire, AFICK also uses a policy
file. The policy file includes any files, directories, or essential elements of the system that
AFICK should monitor. An initial database is created using the policy file as a guide. This
database is a snapshot of the system. To determine if the system has been compromised, a
compare utility is executed which compares the current state to the snapshot taken initially [1].
AFICK was used to determine any changes in the laptop running Microsoft Windows XP.
3.2.3 Void11
Void11 is an 802.11 frame-generating tool. It was initially developed for data link layer
denial-of-service resilience testing [24]. Void11 provides three possible attack modes that
generate the following 802.11 frames:
1. Deauthentication frames
2. Authentication frames
3. Association frames [25].
In its default mode, Void11 transmits deauthentication frames to the victim, causing it to
deauthenticate from the network. The result is that all targeted victims in the wireless network
are unable to use the wireless medium. This attack is possible because management packets in
802.11 networks are not authenticated. When the deauthentication packet is received, the victim
deauthenticates without confirming the identity of the sender. This attack is often referred to as a
de-authentication or deauth attack [25]. This experiment used the deauth attack mode.
The second and third attack modes flood the access point with either authentication
packets or association packets. These packets contain media access control (MAC) addresses for
clients in the network. The MAC addresses are hardware addresses that uniquely identify the
clients in the network. The floods of authentication and association packets crash the access
point by filling up the buffer space that is assigned to handle and process these types of requests.
These two modes can be unreliable and were not used for this experiment [14].
Void11 includes two tools named void11_hopper and void11_penetration. The
void11_penetration tool generates the attack frames. The void11_hopper sets the wireless card
used. The channel was set manually using the iwconfig command. Void11 requires the use of the
Linux HostAP drivers. The HostAP drivers allow the wireless card to perform all the functions
of an access point as well as manage the IEEE 802.11 management functions [24, 25].
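Because deauthentication frames carry no sender authentication, the practical defensive handle is the rate at which they arrive. The following added example, which is not part of this paper or of the Void11 project, decodes the 802.11 management frame header and flags a BSSID whose deauthentication/disassociation rate crosses a threshold within a sliding window; the MAC addresses, timestamps and frame bytes in the sample are constructed fixtures, not a real capture.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
# IEEE 802.11 management frame subtypes (frame-control type 0)
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 8: "beacon",
                 10: "disassoc", 11: "auth", 12: "deauth"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def parse_mgmt(frame):
    """Decode the 24-byte 802.11 MAC header of a management frame.

    Layout: frame control (2) | duration (2) | addr1 DA (6) | addr2 SA (6)
            | addr3 BSSID (6) | sequence control (2) | body ...
    Returns None for data/control frames and for truncated frames.
    """
    if len(frame) < 24:
        return None
    fc = frame[0]                      # first frame-control byte (little-endian field)
    if fc & 0x03 != 0:                 # bits 0-1: protocol version, must be 0
        return None
    if (fc >> 2) & 0x03 != 0:          # bits 2-3: type, 0 = management
        return None
    subtype = fc >> 4                  # bits 4-7: subtype
    info = {
        "subtype": MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}"),
        "da": mac_str(frame[4:10]),
        "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,   # upper 12 bits
    }
    if subtype in (10, 12):            # disassoc/deauth carry a 2-byte reason code
        if len(frame) < 26:
            return None
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


class DeauthMonitor:
    """Alert when one BSSID emits >= threshold deauth/disassoc frames within window seconds.

    A real access point sends these frames rarely; a sustained burst aimed at one
    station (or at the broadcast address) is the signature of the deauth attack.
    """

    def __init__(self, threshold=5, window=2.0):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # bssid -> timestamps of recent frames
        self.alerts = []

    def observe(self, ts, frame):
        info = parse_mgmt(frame)
        if info is None or info["subtype"] not in ("deauth", "disassoc"):
            return None
        seen = self.recent[info["bssid"]]
        seen.append(ts)
        while seen and ts - seen[0] > self.window:   # drop frames outside the window
            seen.popleft()
        if len(seen) < self.threshold:
            return None
        alert = {"ts": ts, "bssid": info["bssid"], "target": info["da"],
                 "reason": info["reason"], "count": len(seen),
                 "broadcast": info["da"] == BROADCAST}
        self.alerts.append(alert)
        return alert


def _fixture(subtype, da, sa, bssid, seq, reason=None):
    """Constructed management frame bytes for the offline sample below (test data only)."""
    hdr = (bytes([subtype << 4, 0x00]) + b"\x00\x00" + mac_bytes(da) + mac_bytes(sa)
           + mac_bytes(bssid) + struct.pack("<H", seq << 4))
    return hdr if reason is None else hdr + struct.pack("<H", reason)


def run_sample():
    """Replay a constructed capture: one beacon, one legitimate deauth (reason 3,
    station leaving), then ten spoofed deauths to a single station in one second."""
    ap, victim, other = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:de:ad:be:ef:01"
    capture = [(0.0, _fixture(8, BROADCAST, ap, ap, 100)),
               (0.5, _fixture(12, ap, other, ap, 7, reason=3))]
    capture += [(1.0 + i / 10, _fixture(12, victim, ap, ap, 200 + i, reason=7))
                for i in range(10)]
    mon = DeauthMonitor(threshold=5, window=2.0)
    for ts, frame in capture:
        mon.observe(ts, frame)
    return {"frames": len(capture), "alerts": len(mon.alerts),
            "first_alert": mon.alerts[0] if mon.alerts else None}


if __name__ == "__main__":
    print(run_sample())
```

On networks that negotiate 802.11w protected management frames (standardised after this report), stations discard unprotected deauthentication frames, so a flagged burst indicates an attempt rather than a successful disconnect.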
3.3 Setting up the WLAN
An isolated wireless network was set up for this experiment. The wireless network was
modeled on the infrastructure-based configuration. See Figure 2.1 for an illustration. The
network consisted of three laptops and an access point. The two victim laptops were connected
to the wireless network. The attacker laptop used to initiate the denial of service was not
connected to the wireless network. The attacker laptop was set up to use Void11. Void11 only
affects the 802.11b protocol, so the access point was put in 802.11b mode. All security features
for the access point were also turned off.
3.4 The Electronic Evidence
Two identical evidence files were created and placed on the two victim laptops. The
evidence files contained fake social security numbers and fake credit card information. The
contents of the evidence files are located in Table 3.1 and Table 3.2.

Table 3.1: Evidence File: Social Security Numbers

Name                    Social Security Number
Jean-Luc Picard         293-29-4951
William Riker           784-24-8902
Geordi La Forge         772-89-2751
Deanna Troi             898-35-3279
Mr. Data                135-38-4122
Mr. Worf                331-38-4832
Beverly Crusher         792-32-8694
Wesley Crusher          987-54-2211
Miles O'Brien           908-32-3512
Keiko O'Brien           554-32-8352
Ro Laren                323-53-8952
Mr. Spock               221-15-0042
James T. Kirk           135-32-8321

Table 3.2: Evidence File: Credit Card Numbers

Name                    Credit Card Number    Expiration
Luke Skywalker          1132544884631142      09/2007
Han Solo                8839258836788493      03/2009
Princess Leia Organa    8694020018226484      06/2007
Grand Moff Tarkin       6839623319095952      03/2007
Ben Obi-Wan Kenobi      8937583323526922      01/2009
C-3PO                   8694738214510099      07/2008
R2-D2                   2538529183743942      08/2008
Chewbacca               1958372992244830      09/2007
Darth Vader             4924185927431125      05/2007
Uncle Owen              9038534024129305      04/2007
Aunt Beru               5935233211339962      12/2009
3.5 Setting up the File Integrity Checkers
Before the denial of service attacks could be carried out, the file integrity checkers,
Tripwire and AFICK, had to be installed and set up for use. Tripwire was installed on the victim
laptop running Linux and AFICK was installed on the victim laptop running Windows XP. The
policy files for each file integrity checker were modified to ensure that all crucial files on the
laptops would be included, especially the two evidence files. The databases were initialized and
immediately afterwards a check was done. It was determined that both Tripwire and AFICK
were working correctly.

3.6 Initiating the Denial of Service Attacks
The HostAP drivers and the Void11 attack tool were installed on the attacker laptop. The
Prism-based wireless PC card was set in master mode and the wireless channel was manually set
to 2. The denial of service attacks proceeded with the following command:
./void11_penetration wlan0 -t 1 -S peznet -s MAC-of-Victim
The denial of service was first initiated on the laptop running Linux. A continuous ping
was sent to the other victim laptop to detect when the laptop running Linux was deauthenticated
from the wireless network. Once the denial of service attack was successful and the victim was
dropped from the network, the attack was halted.
Next, the attack was initiated on the laptop running Windows XP. A continuous ping was
sent to the laptop running Linux to detect when the victim was deauthenticated from the wireless
network. Once again, when the denial of service attack was successful and the victim was
dropped from the network, the attack was stopped.
3.7 Checking for Changes
The next step in the experiment was to establish if the denial of service attacks had any
negative effect on the electronic evidence. The two file integrity checkers AFICK and Tripwire
were once again used to determine the state of the two victim laptops. The results of the denial of
service on the laptops are detailed in section 4.
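The before/after comparison that Tripwire and AFICK performed in Sections 3.5 to 3.7 reduces to a hash database and a diff of two snapshots. The following added example (not the paper's, Tripwire's or AFICK's code) implements that cycle on a constructed evidence directory: it takes a baseline, reruns the comparison, and reports files added, deleted and changed, with the checker's own archive directory excluded so that, as observed in Section 4.1, the checker's housekeeping files do not masquerade as evidence changes. File names, contents and the summary-digest format are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def hash_file(path, algo="md5"):
    """Stream a file through the digest so large evidence files never load whole into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, exclude=()):
    """Build the integrity database: relative path -> size, mtime and MD5.

    `exclude` lists relative directory prefixes to skip, e.g. the checker's own
    archive/history directories, which change on every run.
    """
    root = Path(root)
    db = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == e or rel.startswith(e + "/") for e in exclude):
            continue
        st = path.stat()
        db[rel] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "md5": hash_file(path)}
    return db


def compare(baseline, current):
    """Diff two databases the way a Tripwire/AFICK compare run does."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = sorted(rel for rel in baseline.keys() & current.keys()
                     if (baseline[rel]["md5"], baseline[rel]["size"])
                     != (current[rel]["md5"], current[rel]["size"]))
    return {"added": added, "deleted": deleted, "changed": changed, "scanned": len(current)}


def db_digest(db):
    """One MD5 over the sorted database, a summary value in the spirit of the hash AFICK
    reports (assumed record format: 'path NUL md5 newline' per entry)."""
    h = hashlib.md5()
    for rel in sorted(db):
        h.update(f"{rel}\0{db[rel]['md5']}\n".encode())
    return h.hexdigest()


def demo():
    """Run the before/after cycle on a constructed evidence directory (not the paper's files)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssn.txt").write_text("Jean-Luc Picard 293-29-4951\n")              # constructed
        (root / "cc.txt").write_text("Luke Skywalker 1132544884631142 09/2007\n")  # constructed
        archive = root / "afick" / "archive"
        archive.mkdir(parents=True)
        (archive / "run1.log").write_text("baseline\n")

        baseline_all = snapshot(root)                    # no exclusions
        baseline = snapshot(root, exclude=("afick",))    # checker's own files excluded
        (archive / "run2.log").write_text("compare\n")   # the checker logs its own run

        noisy = compare(baseline_all, snapshot(root))
        clean = compare(baseline, snapshot(root, exclude=("afick",)))
        clean_digest = db_digest(snapshot(root, exclude=("afick",)))

        (root / "cc.txt").write_text("Luke Skywalker 0000000000000000 09/2007\n")  # tamper
        tampered = compare(baseline, snapshot(root, exclude=("afick",)))

        return {"noisy": noisy, "clean": clean, "tampered": tampered,
                "baseline_digest": db_digest(baseline), "clean_digest": clean_digest}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```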

4. Experimental Results
The following section details the results of initiating the denial of service attacks on the
two victim laptops. Section 4.1 describes the results collected from the laptop running Microsoft
Windows XP. Section 4.2 describes the results collected from the laptop running Linux.

4.1 Results of DoS on the Windows Laptop
Before the denial of service attack was initiated, the current state of the laptop had to be
determined. The file integrity checker, AFICK, was used for this purpose. AFICK had already
been installed and initialized, so a simple compare was done. The results of this are presented in
Figure 4.1. The only four files altered were files associated with AFICK. One new file was
created in the archive directory. One file was deleted. Two files were changed, one in the archive
directory and the other in the history directory. In all, 18,050 files were scanned. This covered
every file specified in the policy file, windows.conf. The MD5 hash was calculated to be
g9VjUWbD3I+KW6J6MHiGqQ.
Figure 4.1: AFICK: Before the Denial of Service


As the Void11 tool was initiated, a continuous ping was sent to the other victim
computer. A screenshot of the command prompt is presented in Figure 4.2. The figure shows that
the victim computer is connected to the wireless network as it pings the IP address 192.168.11.9.
As Void11 begins the attack, the ping command times out, and after the denial of service attack
is halted, the pings resume.
Figure 4.2: Command Prompt: During the Denial of Service

After the denial of service was initiated, the compare function for AFICK was executed.
The results of the compare are shown in Figure 4.3. The five files altered were again only files
associated with AFICK. Two new files were created in the archive directory. One file was
deleted. Two files were changed, one in the archive directory and the other in the history
directory. In all, 18,051 files were scanned. This covered every file specified in the policy file,
windows.conf. The MD5 hash was calculated to be g9VjUWbD3I+KW6J6MHiGqQ. This hash
value matched the hash value calculated before the denial of service attack.


Figure 4.3: AFICK: After the Denial of Service

4.2 Results of DoS on the Linux Laptop
Before the denial of service attack was initiated, the current state of the laptop had to be
determined. The file integrity checker Tripwire was used for this purpose. The details of the
steps taken can be found in Appendix A. Each command is bolded. First, the initialization
database was created. Then, the current state of the laptop was checked. Tripwire generated an
Integrity Check Report. No errors were detected. The Void11 tool was used to create the denial
of service attack. The state of the laptop was evaluated again by Tripwire. The Integrity Check
Report generated by Tripwire indicated no changes in the files specified by the policy file. The
Integrity Check Report is located in Appendix A.


5. Conclusions
The results of the file integrity checkers, Tripwire and AFICK, showed that the denial of
service attacks did not damage or alter the electronic evidence located on the laptops. The MD5
hash sums calculated by AFICK before and after the denial of service attack on the victim laptop
running Windows were identical. The Integrity Check Reports generated by Tripwire before and
after the denial of service attack on the Linux victim laptop also indicated no changes. Slay and
Turnbull stated in their paper "Wireless Forensic Analysis Tools for Use in the Electronic
Evidence Collection Process" that "the intent (of initiating a denial of service) should be
analyzed, and the potential effects of utilizing and not utilizing the mechanism should be
evaluated" [23]. This experiment attempted to analyze the potential effects of utilizing a denial
of service to disable a wireless network. It was shown that disabling a wireless network by
invoking a denial of service does not damage or alter the electronic evidence. Therefore, the use
of denial of service could be considered a legitimate procedure in disabling wireless networks
during forensic investigations.


REFERENCES
[1] AFICK (Another File Integrity Checker), http://afick.sourceforge.net/ (current May 1, 2007).
[2] Basic Digital Forensic Investigation Concepts, http://www.digitalevidence.org/di_basics.html (current Mar. 1, 2007).
[3] Federal Rules of Evidence, Cornell Law School, http://www.law.cornell.edu/rules/fre/index.html (current Mar. 1, 2007).
[4] S. Garfinkel, Ain't No Flyswatter Big Enough, CSO Magazine, Nov. 2004, http://www.simson.net/clips/machine/2004-11.htm (current Feb. 28, 2007).
[5] M. S. Gast, 802.11 Wireless Networks: The Definitive Guide, 2nd Edition, O'Reilly Media, Inc., Sebastopol, California, 2005.
[6] S. Harris, CISSP Certification, 2nd Edition, McGraw-Hill/Osborne, Emeryville, CA, 2003, p. 873.
[7] J. Horrigan, Wireless Internet Access, Pew Internet & American Life Project, http://www.pewinternet.org/, Feb. 2007 (current Mar. 1, 2007).
[8] E. Kamau, Disabling Wireless Networks for Law Enforcement, published thesis, 2005, http://esm.cis.unisa.edu.au (current Mar. 1, 2007).
[9] T. Karygiannis and L. Owens, Wireless Network Security: 802.11, Bluetooth and Handheld Devices, Special Publication 800-48, National Institute of Standards and Technology, Gaithersburg, MD, 2002.
[10] G. H. Kim and E. H. Spafford, The Design and Implementation of Tripwire: A File Integrity Checker, Proceedings: 2nd ACM Conference on Computer and Communications Security, Fairfax, Virginia, 1994, pp. 18-29.
[11] S. Knapp, 802.11: Leaving the Wire Behind, IEEE Internet Computing, vol. 6, Jan./Feb. 2002, pp. 82-85.
[12] W. G. Kruse II and J. G. Heiser, Computer Forensics: Incident Response Essentials, Addison Wesley, Indianapolis, IN, 2002.
[13] A. Lockhart, Network Security Hacks: Tips & Tools for Protecting Your Privacy, 2nd Edition, O'Reilly Media, Inc., Sebastopol, CA, 2007, pp. 415-416.
[14] J. Mirkovic, S. Dietrich, D. Dittrich, and P. Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Pearson Education, Inc., Upper Saddle River, New Jersey, 2005.
[15] C. P. Pfleeger and S. L. Pfleeger, Security in Computing, 4th Edition, Pearson Education, Inc., Upper Saddle River, New Jersey, 2007.
[16] R. Power, 2000 CSI/FBI Computer Crime and Security Survey, Computer Security Journal, vol. 16, no. 2, 2000, pp. 33-49.
[17] S. Schiesel, Growth of Wireless Internet Opens New Path for Thieves, The New York Times, Mar. 19, 2005, http://www.nytimes.com//2005/03/19/technology/19wifi.html?ex=1268888400&en=51d90e7518bba5d6&ei=5090&partner=rssuserland (current Mar. 1, 2007).
[18] A. R. Sharafat and S. Kosari, An Analysis of Denial of Service Attacks (DoS) in the Wireless Application Protocol (WAP) Environment, Canadian Conference on Electrical and Computer Engineering, vol. 3, Toronto, Ontario, May 12-15, 2002, pp. 1317-1320.
[19] J. Slay and B. Turnbull, The Need for a Technical Approach to Digital Forensic Evidence Collection for Wireless Technologies, 2006 IEEE Information Assurance Workshop, West Point, New York, June 21-23, pp. 124-132.
[20] A. S. Tanenbaum, Computer Networks, 4th Edition, Prentice Hall, Upper Saddle River, New Jersey, 2003.
[21] Tripwire, http://www.tripwire.com/company/index.cfm (current Feb. 28, 2007).
[22] B. Turnbull and J. Slay, The 802.11 Technology Gap: Case Studies in Crime, TENCON IEEE Region 10 Conference, Melbourne, Australia, Nov. 2005.
[23] B. Turnbull and J. Slay, Wireless Forensic Analysis Tools for Use in the Electronic Evidence Collection Process, 40th Annual Hawaii International Conference on System Sciences, Hawaii, 2007, pp. 267a-267a.
[24] A. A. Vladimirov, K. V. Gavrilenko, and A. A. Mikhailovsky, Wi-Foo: The Secrets of Wireless Hacking, Pearson Education, Inc., Boston, MA, 2004, pp. 131-132.
[25] Void 11, http://www.wirelessdefence.org/Contents/Void11Main.htm (current Feb. 28, 2007).


APPENDIX A
[root@localhost tripwire-2.3.1-2]# tripwire --init
Please enter your local passphrase:
Parsing policy file: /usr/local/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /usr/local/lib/tripwire/localhost.localdomain.twd
The database was successfully generated.
[root@localhost tripwire-2.3.1-2]# tripwire --check
Parsing policy file: /usr/local/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file:
/usr/local/lib/tripwire/report/localhost.localdomain-20070303-215327.twr
Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Sat 03 Mar 2007 09:53:27 PM CST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    localhost.localdomain
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /usr/local/etc/tw.pol
Configuration file used:      /usr/local/etc/tw.cfg
Database file used:           /usr/local/lib/tripwire/localhost.localdomain.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Tripwire Data Files             0                 0        0        0
  Monitor Filesystems             0                 0        0        0
  User Binaries and Libraries     0                 0        0        0
  Tripwire Binaries               0                 0        0        0
  OS Binaries and Libraries       0                 0        0        0
  Temporary Directories           0                 0        0        0
* Global Configuration Files      0                 0        0        2
  System Boot Changes             0                 0        0        0
  RPM Checksum Files              0                 0        0        0
  OS Boot Files and Mount Points  0                 0        0        0
  OS Devices and Misc Directories 0                 0        0        0
  Root Directory and Files        0                 0        0        0

Total objects scanned:  191509
Total violations found:  2

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Global Configuration Files (/etc)
Severity Level: 0
-------------------------------------------------------------------------------

Modified:
"/etc/cups/certs"
"/etc/cups/certs/0"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
[root@localhost tripwire-2.3.1-2]# ping 192.168.11.6
PING 192.168.11.6 (192.168.11.6) 56(84) bytes of data.
64 bytes from 192.168.11.6: icmp_seq=1 ttl=128 time=24.8 ms
From 192.168.11.9 icmp_seq=56 Destination Host Unreachable
From 192.168.11.9 icmp_seq=57 Destination Host Unreachable
From 192.168.11.9 icmp_seq=58 Destination Host Unreachable
From 192.168.11.9 icmp_seq=60 Destination Host Unreachable
From 192.168.11.9 icmp_seq=61 Destination Host Unreachable
From 192.168.11.9 icmp_seq=62 Destination Host Unreachable
--- 192.168.11.6 ping statistics ---
62 packets transmitted, 1 received, +6 errors, 98% packet loss, time 60990ms
rtt min/avg/max/mdev = 24.860/24.860/24.860/0.000 ms, pipe 3
[root@localhost tripwire-2.3.1-2]# tripwire --check
Parsing policy file: /usr/local/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file:
/usr/local/lib/tripwire/report/localhost.localdomain-20070303-221041.twr
Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Sat 03 Mar 2007 10:10:41 PM CST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    localhost.localdomain
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /usr/local/etc/tw.pol
Configuration file used:      /usr/local/etc/tw.cfg
Database file used:           /usr/local/lib/tripwire/localhost.localdomain.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Tripwire Data Files             0                 0        0        0
  Monitor Filesystems             0                 0        0        0
  User Binaries and Libraries     0                 0        0        0
  Tripwire Binaries               0                 0        0        0
  OS Binaries and Libraries       0                 0        0        0
  Temporary Directories           0                 0        0        0
* Global Configuration Files      0                 0        0        2
  System Boot Changes             0                 0        0        0
  RPM Checksum Files              0                 0        0        0
  OS Boot Files and Mount Points  0                 0        0        0
  OS Devices and Misc Directories 0                 0        0        0
  Root Directory and Files        0                 0        0        0

Total objects scanned:  191509
Total violations found:  2

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Global Configuration Files (/etc)
Severity Level: 0
-------------------------------------------------------------------------------

Modified:
"/etc/cups/certs"
"/etc/cups/certs/0"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
[root@localhost tripwire-2.3.1-2]#
