1. Running head: WIRELESS ATTACKS & IPHONE FORENSICS 1
Wireless Attacks & iPhone Forensics
John Intindolo
December 19, 2014
ISSC456- Digital Forensics: Investigating Wireless Networks & Devices
Professor Andrew Ingraham
American Military University
Wireless technology has made for better functionality and convenience for both homeowners
and business owners alike. In the home, things like remote controls for the television, wireless surround
sound speakers, or a wireless controller for the Xbox One have all made everyday life more
convenient. These all use infrared technology. Bluetooth is another wireless technology that is used to
make hands-free calls and even stream music wirelessly while running or working out. One wireless
technology that has changed the game altogether for personal and business use is Wi-Fi. The use of
Wi-Fi has made things more convenient, but also creates a vulnerability to attacks that traditionally wired
connections were not subjected to.
Wireless attacks come in many variations and fall under one of two categories, passive or active
attacks. There are ways to protect against these vulnerabilities to help keep the Wireless network as
secure as possible that will be discussed at length hereinafter. Wireless Forensics and more specifically
forensic analysis of the iPhone is the second topic that will be discussed. Forensics has come a long
way, and in today’s world digital forensics plays a more pivotal role in an investigation than one could
ever imagine ten or fifteen years ago. A suspect’s iPhone for instance may be the key to unlocking
evidence that otherwise may have not been possible in the past. Understanding wireless attacks and
how to protect against them, following the proper steps for acquiring evidence, learning how to acquire
evidence on an iPhone, and recovering deleted data on an iPhone, will be the basis of this paper and
should provide a better outlook for forensic investigators and novices alike.
What is a wireless network? Prior to explaining wireless attacks or even wireless technologies
the first thing to do is to define a wireless network. A wired network is a group of devices connected to
the Internet (or another network) using a cable to connect the Ethernet port on a network router and a
device. The difference with a wireless network, as the name suggests is that this is done without the
need of a wired connection. A wireless local-area network or LAN uses radio waves to connect
devices and in doing so eliminates the need for cables (“What is a wireless,” n.d.). The very first form of
wireless technology goes all the way back to 1896 when the first wireless telegraph system was created.
There are some key dates of wireless technology history that have created the landscape that
makes up today’s wireless capabilities and include but are not limited to the following: 1968- DARPA
selects BBN to develop the ARPANET (which set the beginning stages of the Internet), 1968- FCC
opens Docket 18262 to set aside enough spectrum to meet the demand for land mobile communications
(set the early path for mobile phone usage), 1977- FCC authorizes developmental cellular systems
launch in Chicago and the Washington D.C./Baltimore region, 1983- TCP/IP is selected as the official
protocol for the ARPANET, 1983- First commercial cellular system begins functioning in Chicago with
second in the Washington D.C./Baltimore region, 1985- FCC releases the ISM band for unlicensed use
(the beginning of wireless LAN), 1993- IPv4 is established for reliable transmission over the Internet in
conjunction with TCP, 1997- original version of standard IEEE 802.11 wireless LAN is released,
1998- Bluetooth technology was developed with formation of the Bluetooth Special Interest Group
(SIG), 1999- Wi-Fi is founded, 2002- Camera phones are brought in the U.S., 2007- the first iPhone
launches, and 2010- President Obama signs a memorandum that will free up 500 MHz of spectrum for
the wireless industry (“Wireless history timeline,” 2014).
There are several different forms of wireless technologies that exist and include Bluetooth,
Infrared, Wi-Fi, and Wireless USB. Bluetooth is a short range wireless technology used by many
devices including mobile phones, computers, wireless headphones, cars, etc. that can be connected very
easily (Ganguli, 2002). By “pairing” two devices a phone conversation can occur hands-free while
driving (by hearing the other person through a headset or through the speakers of a car’s stereo
system), a person can use a wireless stereo headset to listen to music while running or working out
without the hassle of wires, or even transfer files wirelessly between two computers. The key to
Bluetooth technology is that both devices must be “paired” together and must be within close proximity
of each other (in most mobile devices the range is 33 feet).
Infrared is a wireless technology that uses low-frequency infrared light to transmit signals from
one device to another. It is found in all kinds of things that the average person may not even realize.
Some devices that use infrared are T.V./DVD Player/Stereo remote controllers, a wireless keyboard or
mouse, night vision devices (active-infrared night vision can give identifying details even in a dark area),
or even for short-range communication between computer devices and PDAs. A line of sight
transmission is required for this type of signal, meaning if there is something blocking the path between
the two devices it will not work. For instance, if the remote control is not pointed at the infrared beam
on a television, then it will not function when attempting to use it. The next form of wireless technology is
based on IEEE 802.11 standards and is generally an accepted acronym for wireless LAN known as
Wi-Fi.
Wi-Fi otherwise known as 802.11b wireless fidelity transmission allows a person to connect to
the Internet by passing radio frequency transmissions that contain data between a wireless card
(installed in a user’s laptop for instance) and a wireless access point hidden within a designated area (i.e.
an airport, hotel, or coffee shop) known as “Hotspots” (Singh, 2003). Wi-Fi is even used by nearly
everyone connected to the Internet. Many businesses have Wi-Fi connection incorporated into their
networks because it is much cheaper to connect wirelessly than having to connect each and every
computer through a wired LAN. Homeowners probably use Wi-Fi more so than a wired connection
because it gives the ability to be connected to the Internet no matter where a person is in their house.
Furthermore, most families have multiple laptops, tablets, phones, T.V.s, and gaming systems that are all
connected simultaneously to the Internet making it much easier for all parties. When it comes to cell
phone service most providers have a monthly cap for Internet usage depending upon how much a
person’s data plan is, therefore when possible using Wi-Fi will save a user from going over their monthly
limit (and increasing their costs).
Wireless USB is a wireless extension to USB that takes the speed and security of wired
technology and combines it with the convenience of wireless technology. It uses Ultra-wideband
wireless technology by spreading data transmission over an extensive frequency spectrum through brief
low-power pulses (“Wireless usb,” 2014). This is an advantage over other wireless technologies
because it avoids transmission at frequencies that are considered troublesome. Devices that use
Wireless USB technology include video game controllers, printers, scanners, hard disk drives, USB
flash drives, and digital cameras. With a general understanding of wireless technologies, the next logical
step is to discuss how to attack them.
As mentioned above, wireless networking provides many advantages for businesses (including
the improved productivity associated with the increase of accessibility) and homeowners alike but they
also come with security risks. A wireless attack is any attack on a wireless network that will attempt to
negatively affect the confidentiality, integrity, and/or availability (CIA) of a network. Wireless networks
that are not properly secured are at risk of an attack that could affect a network’s CIA. The
confidentiality of a network could be at risk if an attacker is able to acquire sensitive company
documents such as payroll and social security information. An integrity attack can be described as an
attack where the attacker modifies or changes data, for example a man-in-the-middle attack. Attacks
that affect the availability of a network are attacks that keep the network from being accessed
by users. An example of this type of attack would be a Denial of Service or DoS attack. Specific
attacks will be described in further detail, but first a couple of different methods used to perform
wireless attacks will be outlined.
Wireless networks are everywhere and there are many insecurities associated with them. There
are tools that can be used by attackers to find these insecurities, but they can also be used to determine whether or
not a company’s network is secure enough. One such method is known as Wardriving. Wardriving is
the “act of moving around a specific area and mapping the population of wireless access points for
statistical purpose” and “is accomplished by anyone moving around a certain area looking for data”
usually in a moving vehicle (Hurley, Puchol, Rogers & Thornton, 2004). Airmon-ng and NetStumbler
are two tools that are used for this. The data captured from Wardriving is then used to increase the
awareness to security problems that occur with wireless networks. Attackers use Wardriving to drive
through a neighborhood with a wireless-enabled laptop, smartphone, or PDA to map houses and
businesses that have open wireless access points to see where they can exploit vulnerabilities.
Warwalking is the same as Wardriving, except it is done when exploring the area on foot, Warflying is
done flying around in an aircraft or by using a drone, and Warchalking is where chalk is used by hackers to
place a special symbol on a sidewalk or other surface to point out a nearby open wireless network
(“Wireless safety,” 2010, p. 10-1).
Now it is time to get into specific types of wireless attacks. Wireless attacks generally fall into
one of two categories, passive and active attacks. Passive attacks are those that are used to help
provide information for active attacks and are performed without a sound making them very hard to
detect or stop. Passive attacks typically will capture and store data and then use a packet-deciphering
tool to decrypt it and steal data. This type of insecurity is why the WEP protocol is no longer secure
enough for wireless networks, and home and small business networks should instead use
WPA-PSK/WPA2-PSK as a means for encryption. Some examples of passive attacks include
eavesdropping, traffic analysis, and traffic monitoring. Eavesdropping intercepts the traffic on the
network so that it can be used to find out more information to help perform an active attack. Traffic
analysis allows the eavesdropper to analyze the traffic, find out its location, determine the hosts
communicating on it, and observe the communication patterns of the network. Traffic monitoring looks
at the data that is transmitted on a network such as e-mails or files (which may or may not contain
confidential information) without altering it.
Active attacks are done to exploit the weaknesses found from passive attacks. In this type of
attack the attacker will try to make changes to data or otherwise disrupt the CIA of the network. Some of
the more popular or infamous active attacks include the following: denial-of-service, flooding,
man-in-the-middle, and hijacking. A denial-of-service attack is one that is used to deny access to a network by
overwhelming the target with more traffic than it is able to handle. Flooding attacks are a form of DoS
attack that floods the network with packets starting incomplete connection requests to the point that it is
unable to process authentic connection requests, thus affecting the availability of the network.
A man-in-the-middle attack is where the attacker is able to both monitor as well as inject
messages. In doing so the attacker makes it seem that the reply is coming from the other user, which can
cause confidential data to be stolen like encrypted passwords. Hijacking is a form of a
man-in-the-middle attack where the attacker captures traffic between two users then takes the place of the
legitimate user by disconnecting them (and causing the other legitimate user to believe the attacker is the
legitimate user they were communicating with), and obtains the privileges of that user to gain access to
the network (Onder, 2004, p. 18). So what methods can be made to prevent wireless attacks?
It is impossible to protect against every attack, but the key is to ensure that one’s network is
more secure than most others. It is a lot like running from a bear. It is impossible for a human being to
outrun a bear, but the key is that one does not have to run faster than the bear they only need run faster
than another human being there. So if one’s network is more secure than others around it, then hackers
may look to go for the “low hanging fruit” as it were. Securing the wireless network will make an
attacker search out for an easier target and help to keep the CIA of the network intact. The list of best
practices for enhanced wireless security includes the following: creating a wireless security policy,
securing the enterprise wireless LAN, securing the enterprise Ethernet network, securing corporate
laptops from wireless threats when outside the enterprise, and educating employees on wireless policy.
Creating a wireless security policy will give all network users a set of rules that must be followed
while connecting to the network wirelessly. This includes password policies such as the use of strong
authenticated passwords (a mixture of hard to guess numbers, characters, and upper and lower case
letters) and remote access policies (to determine the rules for accessing the network remotely through
a VPN for instance). The wireless security policy will explain to all users the assets, risks, and security
objectives, an outline of measures to mitigate risk, and the acceptable usage for compliance, but
perhaps the most important component is that it must be followed company-wide. No matter their
position within the company, from the CEO all the way down to the receptionist, the wireless security
policy must be followed for successful implementation.
Some ways to secure the wireless network include the following best practices: close all ports
that are not used, allow only authenticated persons to access the network, change SSID’s on a regular
basis, use strong encryption (SHA-1), deny access for ad hoc and peer-to-peer WLANs, use IEEE
802.11i security standards (access control, strong authentication, strong encryption), ensure all routers
and APs have an administrator password for logging in, change default passwords, enable WPA rather
than WEP, use MAC filtering for access control, and use static IP addresses rather than dynamic IP
addresses (“Wireless safety,” 2010, p. 10-16). Furthermore, it is important to educate employees on
the wireless security policy through meetings so that there is no confusion or excuse for failing to
comply. All of these methods will ensure that the wireless network in place will be secured against
attacks.
The first step in any forensics investigation is to establish whether an incident has occurred or
not. Once it is determined that an incident has in fact occurred it is now the investigator's responsibility to
evaluate the impact of the incident. Each member of the Computer Forensics Team will follow the
policies and procedures of the investigation process. The policies and procedures will include the
following: the mission statement, each team member's specific responsibilities, the resources and
software being used, continuous training for team members, a set of guidelines describing how to submit
a request and the acceptance of said requests of digital evidence, case-management implementation
procedures, how to properly handle evidence, preservation and processing of digital evidence, and
developing technical measures (“Computer forensics: Investigation,” 2010, p. 3-3).
The first thing is to obtain a search warrant. Without a search warrant any evidence gathered
will be unusable in a court room. Next is to identify each and every wireless device connected to the
network including routers, access points, modems, etc. Another key step is detecting a rogue access
point. This will provide evidence that an unauthorized access point was used on the wireless network,
and is a tactic used by attackers to perform passive attacks such as packet sniffing or even active
attacks such as hijacking. A tool used to discover rogue access points is Network Stumbler. It is
extremely vital to the investigation that all evidence be documented and maintains the chain of custody.
In other words, all evidence must be accounted for throughout the entire investigation process. If
someone signs out a piece of evidence it must be documented by the time, date, person who signed it
out, and must be signed back in as well once returned.
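The sign-out and sign-in rule above can be checked mechanically. The following is an added example, not part of the original paper: it audits a custody log for double sign-outs, returns by the wrong person, missing collection records and hash changes. The record layout, item IDs, names and timestamps are constructed assumptions.

```python
"""Audit an evidence custody log (added example; the record layout is assumed)."""
import hashlib
from datetime import datetime

# Constructed stand-in for an acquired image and its SHA-256 at collection time.
IMAGE = b"constructed stand-in for an acquired device image"
GOOD = hashlib.sha256(IMAGE).hexdigest()
ALTERED = hashlib.sha256(IMAGE + b"\x00").hexdigest()

# Constructed log: (timestamp, item id, action, person, SHA-256 of the item).
SAMPLE_LOG = [
    ("2014-12-01T09:00", "ITEM-001", "collected", "Examiner A", GOOD),
    ("2014-12-01T10:15", "ITEM-001", "signed_out", "Examiner B", GOOD),
    ("2014-12-01T16:40", "ITEM-001", "signed_in", "Examiner B", GOOD),
    ("2014-12-02T08:30", "ITEM-001", "signed_out", "Examiner C", GOOD),
    ("2014-12-02T08:45", "ITEM-001", "signed_out", "Examiner A", GOOD),
    ("2014-12-02T17:00", "ITEM-001", "signed_in", "Examiner C", ALTERED),
    ("2014-12-03T09:00", "ITEM-002", "signed_out", "Examiner B", GOOD),
]


def audit_custody(log):
    """Return a list of custody problems found in the log, in time order."""
    findings = []
    state = {}  # item id -> {"holder": person or None, "hash": baseline digest}
    for ts, item, action, person, digest in sorted(
            log, key=lambda e: datetime.fromisoformat(e[0])):
        where = f"{item} {ts}"
        if action == "collected":
            if item in state:
                findings.append(f"{where}: collected more than once")
            else:
                state[item] = {"holder": None, "hash": digest}
            continue
        if item not in state:
            findings.append(f"{where}: {action} with no collection record")
            continue
        entry = state[item]
        if digest != entry["hash"]:
            findings.append(f"{where}: hash differs from collection baseline")
        if action == "signed_out":
            if entry["holder"] is not None:
                findings.append(
                    f"{where}: signed out by {person} while held by {entry['holder']}")
            else:
                entry["holder"] = person
        elif action == "signed_in":
            if entry["holder"] is None:
                findings.append(f"{where}: signed in but was never signed out")
            elif entry["holder"] != person:
                findings.append(
                    f"{where}: returned by {person}, signed out by {entry['holder']}")
            entry["holder"] = None
        else:
            findings.append(f"{where}: unknown action {action!r}")
    # Anything still held when the log ends is an open custody gap.
    for item, entry in state.items():
        if entry["holder"] is not None:
            findings.append(f"{item}: still signed out to {entry['holder']}")
    return findings


if __name__ == "__main__":
    for finding in audit_custody(SAMPLE_LOG):
        print(finding)
```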
Wireless connections can be detected by using the tool Airfart, while the forensic tool Field
Strength Meter or FSM can determine the wireless field’s strength by measuring and calculating the field
strength of radio signals or interference (“Computer forensics: Investigating,” 2010, p. 1-10 – 1-11).
Wireless zones and Hotspots can be mapped through a tool like Microsoft Visio based on the
information gathered. From there direct access to the network can be performed with a network cable
to find relevant case data.
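Rogue access point detection, as described earlier, comes down to comparing what a survey hears against the inventory of authorized access points. The following added example (not from the original paper, and not the output format of any tool named here) does that over a constructed survey; the CSV columns, BSSIDs, SSIDs and the -60 dBm proximity threshold are assumptions.

```python
"""Compare a wireless survey with the authorized AP inventory (added example)."""
import csv
import io

# Constructed inventory: BSSID -> (SSID, channel, encryption).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", 1, "WPA2"),
    "00:11:22:33:44:02": ("CorpNet", 6, "WPA2"),
    "00:11:22:33:44:03": ("CorpNet", 11, "WPA2"),
}

# Constructed survey export; the column layout is an assumption, not a tool's format.
SURVEY_CSV = """\
bssid,ssid,channel,encryption,signal_dbm
00:11:22:33:44:01,CorpNet,1,WPA2,-48
00:11:22:33:44:02,CorpNet,6,WEP,-55
66:77:88:99:AA:BB,CorpNet,6,OPEN,-40
66:77:88:99:AA:CC,CoffeeShop,11,WPA2,-80
66:77:88:99:AA:DD,linksys,3,OPEN,-45
"""


def classify_survey(survey_csv, authorized, near_dbm=-60):
    """Return (bssid, category, detail) findings for the surveyed APs.

    near_dbm is an assumed threshold: an unlisted AP heard at or above it is
    treated as close enough to be on the premises.
    """
    authorized = {b.lower(): v for b, v in authorized.items()}
    corp_ssids = {ssid for ssid, _, _ in authorized.values()}
    seen, findings = set(), []
    for row in csv.DictReader(io.StringIO(survey_csv)):
        bssid = row["bssid"].strip().lower()
        ssid = row["ssid"].strip()
        enc = row["encryption"].strip().upper()
        channel, signal = int(row["channel"]), int(row["signal_dbm"])
        if bssid in authorized:
            # Known radio: any difference from the inventory is drift or spoofing.
            seen.add(bssid)
            expected = dict(zip(("ssid", "channel", "encryption"), authorized[bssid]))
            observed = {"ssid": ssid, "channel": channel, "encryption": enc}
            drift = [f"{k}: expected {expected[k]}, saw {observed[k]}"
                     for k in expected if expected[k] != observed[k]]
            if drift:
                findings.append((bssid, "config-drift", "; ".join(drift)))
        elif ssid in corp_ssids:
            # Unknown radio advertising a corporate SSID: rogue AP candidate.
            findings.append((bssid, "rogue-ssid-clone",
                             f"unlisted BSSID advertising {ssid} ({enc}, ch {channel})"))
        elif signal >= near_dbm:
            # Unknown network, but strong enough to be inside the building.
            findings.append((bssid, "unlisted-nearby",
                             f"{ssid} at {signal} dBm ({enc})"))
    # Authorized APs that were never heard may be down or displaced.
    for bssid in sorted(set(authorized) - seen):
        findings.append((bssid, "missing", "authorized AP not observed in survey"))
    return findings


if __name__ == "__main__":
    for finding in classify_survey(SURVEY_CSV, AUTHORIZED):
        print(*finding, sep=" | ")
```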
Another method is sniffing traffic between the access point and any devices connected. Using
Airodump to scan all wireless channels will give the coordinates of the found access points, and
Aireplay is then used to confuse the wireless devices into disconnecting by injecting disassociate packets
to recover hidden ESSID, capture WPA/WPA2 handshakes, and generate ARP requests
(“Deauthentication,” 2010). Next the data can be captured and analyzed using tools like Wireshark,
Tcpdump, and Firewall analyzer, followed by writing a report that includes all case information including all evidence
found, documentation of evidence, tools and devices used, outline of steps used in the examination
process, details of the findings, and the conclusion that the investigator has come to.
The most popular smartphone worldwide is the iPhone. It has taken over as the number one
source for all the music, social media, games, Internet surfing, texting, and calling needs a person could
have. A criminal could use a lot of this data that is on an iPhone to store and distribute illegal pictures
and videos, keep records of their crimes (like creating a calendar event of an illegal activity that they are
going to perform), steal user data, jailbreak the phone by unlocking it so that third-party applications
can be used, and connecting the iPhone to another system in an attempt to steal its data. The evidence
that is stored on an iPhone contains a lot of pertinent information to an investigation including: text
messages, recent call logs, photos and videos, browsing history, contact lists (which could lead to other
criminals that would have not been found otherwise), and even locations that the suspect has visited.
One problem that can occur is when an iPhone has a security passcode enabled. How can this
be bypassed or is that even possible? One program that can allow investigators to obtain the passcode
is called Elcomsoft Phone Password Breaker and gives investigators access to protected backups of
Apple devices, as well as iCloud data without the original Apple ID and password via over-the-air
acquisition by using a binary authentication token extracted from the suspect’s computer (“Elcomsoft
phone,” 2014). Acquiring evidence from the iPhone involves choosing the right tools for the job. During
this process the following tools will be used: Katana’s Lantern Lite, RedSnow, and the Oxygen
Forensics Analyst Suite. Katana’s Lantern Lite uses the ipsw file (or the iOS firmware) along with the
jailbreaking tool RedSnow to get a bit by bit image of the iPhone. Once Lantern Lite has the physical
image of the iPhone the file will be outputted with the encrypted image or Lantern can decrypt the image
itself. The Oxygen Forensics Analyst Suite enables many things to be performed including: using plug in
tools to parse out data such as location, Wi-Fi, passwords, etc., using PList viewer to gain real
date/time of the region that the phone was used in, Hex viewers showing data in binary raw data format
to help locate passwords or read data that may have been deleted or partially overwritten, SQLite to
parse deleted data, and even to generate the forensic report to make viewing relevant evidence easier
(Shelton, 2013, pp. 52-54).
Wireless technology has evolved in a manner that it is used throughout the world. Whether it be
for home or business use, wireless networks are a convenient way to connect to the Internet without the
hassle (and costs) of cables. Unfortunately, that convenience comes at the price of security, but it does
not have to. There are many different types of wireless attacks that can be used to gather information,
deny access, steal data, or perform other malicious activities; however, these things can be mitigated by
having a wireless security policy in place that is thoroughly written, followed, and taught to all levels
of employees. There is no end-all, be-all method that will guard against every attack, but having a security
policy successfully integrated along with following the best practices described previously will make
an attacker go out and search for an easier target.
Wireless forensics has become an integral part of the investigation process with so many people
using smartphones like the iPhone for example. Following the chain of custody throughout the entire
forensic process is a must, because failure to do so will result in all the hard work by the investigator
being deemed unusable in a court of law. There is a lot of evidence that can be found on an iPhone and
even a phone that has a security passcode can be broken with the proper forensic tool. Recovering
even deleted text messages can now be performed using tools like Tansee iPhone Transfer. With the
information obtained here a person can have a better understanding of wireless networks and the
forensic process for the most popular smartphone in the world… the iPhone.
References
Computer Forensics: Investigation Procedures and Response. (2010). Published by: Cengage
Learning. ISBN: 1-4354-8349-7
Computer Forensics: Investigating Wireless Networks and Devices. (2010). Published by: Cengage
Learning. ISBN: 1435483537
Deauthentication. (2010). Retrieved from http://www.aircrack-ng.org/doku.php?id=deauthentication
Elcomsoft phone password breaker. (2014). Retrieved from http://www.elcomsoft.com/eppb.html
Ganguli, M. (2002). Getting started with bluetooth. Cincinnati, Ohio: Premier Press. Retrieved from
http://library.books24x7.com.ezproxy1.apus.edu/assetviewer.aspx?bookid=4222&chunkid=1&rowid=2
Hurley, C., Puchol, M., Rogers, R., & Thornton, F. (2004). Wardriving: Drive, detect, defend.
Rockland, MA: Syngress Publishing. Retrieved from
http://common.books24x7.com.ezproxy2.apus.edu/toc.aspx?bookid=7961
Onder, H. (2004, March). Session hijacking attacks in wireless local area networks. Retrieved
from http://www.dtic.mil/dtic/tr/fulltext/u2/a422361.pdf
Shelton, D. (2013). Iphone forensics what you need to know. Retrieved from
http://www.htcia.org/wp-content/uploads/shelton_Mobile_Forensics.pdf
Singh, R. (2003). Wi-fi. Computer Bulletin, 45(6), 28.
What is a wireless network?: The basics. (n.d.). Retrieved from
http://www.cisco.com/cisco/web/solutions/small_business/resource_center/articles/work_from_anywhere/what_is_a_wireless_network/index.html
Wireless history timeline. (2014). Retrieved from
http://www.wirelesshistoryfoundation.org/wireless-history-project/wireless-history-timeline
Wireless Safety: Wireless5 Safety Certification. (2010). Published by: Cengage Learning. ISBN:
1435483766
Wireless usb faq. (2014). Retrieved from http://www.everythingusb.com/wireless-usb.html