Ethical Hacker Community Forums
Topic: MAC address as evidence (Read 3520 times)
jimbob
Sr. Member
« on: June 29, 2007, 03:15:32 AM »

Hi all,
Given that you can easily change the MAC address of a NIC, how likely is evidence relating to the MAC address of a computer used to perform a malicious act to stand up in court? Does the fact that it can be changed introduce reasonable doubt?

Jim
slimjim100
EH-Net Columnist
Sr. Member
« Reply #1 on: June 29, 2007, 07:00:02 AM »

This is true, you can spoof a MAC, and in some cases this could be a defense in court. It really depends on the situation and who is defending or prosecuting. But I agree with you that a MAC is not a guarantee you have the right person or a good case. There have been a few legal cases dropped in the courts where the person says "a virus made me do it" and claims that the content on their computer was not downloaded by them or the attack was a zombie. So I guess if you're collecting evidence you need to get all you can, and if you're on the other side and defending yourself, make sure to bring up the fact that there is a lot of 0-day code that can do some bad stuff where the virus software will not alarm on it.

Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
warquel
Newbie
« Reply #2 on: July 05, 2007, 12:15:17 AM »

If the MAC address is your only evidence tying the activity to the host, then it's likely to be attacked. If you can provide other evidence that can corroborate the system's MAC address, that would be helpful. For example, if you have a history of MAC->IP from your switches, network flow logs, and timestamps from something like web cache history on the suspect computer that match the flow log timestamps, it further reinforces that the MAC address at the time was valid.

To be honest though, I don't know how that would work out in court as I've never had to testify yet; however, it seems to make logical sense.
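A worked version of the corroboration described in the reply above, added here as an example that is not part of the thread: for each flow sourced from the IP the DHCP log leased to a MAC, it checks whether the switch saw that MAC shortly before the flow and whether the suspect host's browser cache holds a fetch of the same destination at the same time. All four logs are constructed samples in made-up formats, and the function names, field layouts and time windows are assumptions.

```python
from datetime import datetime, timedelta

# All four logs are constructed samples in made-up formats: a timestamp,
# then the fields named in the trailing comment.
SWITCH_LOG = """2007-06-28T21:55:10 00:1a:2b:3c:4d:5e Gi0/7
2007-06-28T22:03:41 00:1a:2b:3c:4d:5e Gi0/7
2007-06-28T22:30:00 00:1a:2b:3c:4d:5e Gi0/7"""           # MAC, switch port
DHCP_LOG = """2007-06-28T21:50:02 00:1a:2b:3c:4d:5e 10.0.5.23
2007-06-28T21:52:30 00:1a:2b:3c:4d:99 10.0.5.41"""       # MAC, leased IP
FLOW_LOG = """2007-06-28T22:04:12 10.0.5.23 192.0.2.10:80
2007-06-28T22:04:15 10.0.5.41 192.0.2.10:80
2007-06-28T22:05:02 10.0.5.23 198.51.100.7:443"""        # src IP, dst IP:port
CACHE_LOG = """2007-06-28T22:04:13 http://192.0.2.10/index.html
2007-06-28T23:40:00 http://example.org/"""               # URL fetched on host

def parse(log):
    """Split each line into (datetime, field1, field2); cache lines carry
    only a URL, so their second field is an empty string."""
    rows = []
    for line in log.splitlines():
        ts, *rest = line.split()
        rest += [""]
        rows.append((datetime.fromisoformat(ts), rest[0], rest[1]))
    return rows

def corroborate(mac, switch_window=timedelta(minutes=10),
                cache_window=timedelta(seconds=5)):
    """For each flow from the IP leased to `mac`, report whether the switch
    saw that MAC within `switch_window` before the flow and whether the
    host's browser cache holds a matching fetch within `cache_window`.
    Returns (time, dst, seen_on_switch, in_cache) tuples."""
    leases = {m: (t, ip) for t, m, ip in parse(DHCP_LOG)}
    if mac not in leases:
        return []
    lease_time, ip = leases[mac]
    sightings = [t for t, m, _ in parse(SWITCH_LOG) if m == mac]
    cache = parse(CACHE_LOG)
    report = []
    for t, src, dst in parse(FLOW_LOG):
        if src != ip or t < lease_time:
            continue            # lease not yet held by this MAC
        host = dst.split(":")[0]
        seen_on_switch = any(timedelta(0) <= t - s <= switch_window
                             for s in sightings)
        in_cache = any(abs(t - ct) <= cache_window and host in url
                       for ct, url, _ in cache)
        report.append((t.isoformat(), dst, seen_on_switch, in_cache))
    return report
```

In the sample data the first flow is backed by both the switch table and the cache, while the second has no cache entry near its timestamp, which is exactly the kind of gap a defense would point at.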
Kev
Guest
« Reply #3 on: July 06, 2007, 09:37:03 AM »

The MAC address would not be the key evidence used in a prosecution. IP addresses are usually the target. Something has to lead law enforcement to the attacker and that's usually the IP address. If an attacker's main form of hiding is to spoof his MAC address, he is wasting his time. Once law enforcement confiscates the computer, they will begin forensics. If the MAC address is the one hard-coded in the card, that's helpful, especially if there might be a household with several internet connections. If it's not, they will look for things like software that changes MAC addresses. If that's found, even though you might have spoofed your MAC ID, you are not off the hook. One thing I have noticed with sloppy attackers is they forget they have a lot of "hacking" programs on their box, and that's even more incriminating when they get caught than having an identified MAC address. Maybe the card had a different MAC ID than what was logged, but if they find 3 programs for changing MAC addresses, that's going to look bad. The best attackers remove their hard drive and hide it after their attack. If their box is taken away to be inspected, more than likely all they would see is a hard drive full of Disney movies. Movies legally downloaded of course, lol.
oleDB
Full Member
« Reply #4 on: July 06, 2007, 10:43:12 AM »

I'm wondering how this would play out for a wireless incident. MAC and hostname, both of which are easily faked, may be the only thing to go on. So far I think a lot of the high-profile wifi cases were caught in the act. If they used really common hardware and OS config, it might be really impossible to prove anything without a doubt based on logs only, assuming the attacker wipes his HD afterwards.
Negrita
Sr. Member
« Reply #5 on: July 07, 2007, 03:19:48 AM »

Nmap has the ability to spoof both IP addresses, with the -S flag, and MAC addresses, with --spoof-mac, and I have it on my workstation at work, on my laptop and on my home PC. I use it (Nmap) for legitimate troubleshooting of network issues related to our customers' networks and network devices, and it is an invaluable tool. Just because I have it on my systems doesn't mean that I should be incriminated.

If I really wanted to change the MAC address, I could just change it in the NIC's driver settings and clear the events in the system logs afterwards - much easier.

CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.
Kev
Guest
« Reply #6 on: July 07, 2007, 09:47:36 AM »

In my experience, attackers most often have more than one or 2 legitimate apps on a Windows laptop. Such a setup is not going to get you very far into even a medium-level secure network anyway. They almost always have every hacker program known to mankind, and often with some silly and malicious names. Names like "Evil Penetrator", etc... A simple MAC address change is not going to save them. Also, very few hackers use live CDs, which would solve a lot of stealth issues. This again is based on what I have seen, so others might have different experiences. High-level hackers usually use a hard drive install of a flexible distro of Linux. They will have numerous scripts and custom programs that they have either written or have been given by a fellow hacker. When you have this flexibility, you get very creative in your attack. Live CDs don't offer that.

« Last Edit: July 07, 2007, 06:09:53 PM by Kev »
© 2008 The Ethical Hacker Network