EH-Net
Author Topic: MAC address as evidence  (Read 6638 times)
jimbob
Guest
« on: June 29, 2007, 03:15:32 AM »

Hi all,
Given that you can easily change the MAC address of a NIC, how likely is evidence relating to the MAC address of a computer used to perform a malicious act to stand up in court? Does the fact that it can be changed introduce reasonable doubt?

Jim
slimjim100
EH-Net Columnist
Sr. Member
« Reply #1 on: June 29, 2007, 07:00:02 AM »

This is true: you can spoof a MAC, and in some cases this could be a defense in court. It really depends on the situation and who is defending or prosecuting. But I agree with you that a MAC is not a guarantee you have the right person or a good case. There have been a few legal cases dropped in the courts where the person says "a virus made me do it" and claims that the content on their computer was not downloaded by them or that the attack was carried out by a zombie. So I guess if you're collecting evidence you need to get all you can, and if you're on the other side and defending yourself, make sure to bring up the fact that there is a lot of 0-day code that can do some bad stuff where the antivirus software will not alarm on it.

Brian

CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
warquel
Newbie
« Reply #2 on: July 05, 2007, 12:15:17 AM »

If the MAC address is your only evidence tying the activity to the host, then it's likely to be attacked. If you can provide other evidence that can corroborate the system's MAC address, that would be helpful. For example, if you have a history of MAC->IP from your switches, network flow logs, and timestamps from something like web cache history on the suspect computer that match the flow log timestamps, it further reinforces that the MAC address at the time was valid.

To be honest though, I don't know how that would work out in court as I've never had to testify yet; however, it seems to make logical sense.
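As an added example of the corroboration warquel describes (this is not code from the thread or from any poster), the Python script below ties the three sources together: a DHCP lease log for MAC->IP over time, flow records for what that IP did and when, and the suspect machine's own browser history. A flow is attributed to a MAC only if that MAC held the source IP at the moment of the flow, and counted as corroborated only if the host's history shows a visit to the same destination within a few seconds. All input is constructed sample data using RFC 5737 documentation addresses, and the line formats (dhcpd-style DHCPACK lines, CSV flows, pipe-separated history) are assumptions for the example.

```python
"""
Corroborating a MAC address with independent log sources.

Added example, not code from the thread.  Constructed inputs:
  DHCP_LOG        - dhcpd-style DHCPACK lines giving MAC -> IP over time
  FLOW_LOG        - CSV flow records: time,src_ip,dst_ip,dst_port
  BROWSER_HISTORY - "time|url" dump recovered from the suspect host
All clocks are assumed to be synchronised to UTC.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data: 10.0.5.23 changes hands at 02:10 the next day.
DHCP_LOG = """\
2007-06-28 22:14:03 DHCPACK on 10.0.5.23 to 00:1a:2b:3c:4d:5e (suspect-pc) via eth0
2007-06-28 22:14:40 DHCPACK on 10.0.5.24 to 00:0c:29:aa:bb:cc (other-pc) via eth0
2007-06-29 02:10:00 DHCPACK on 10.0.5.23 to 00:0c:29:aa:bb:cc (other-pc) via eth0
"""
FLOW_LOG = """\
2007-06-28 23:01:12,10.0.5.23,203.0.113.10,80
2007-06-28 23:01:15,10.0.5.23,203.0.113.10,80
2007-06-28 23:30:00,10.0.5.24,198.51.100.7,443
2007-06-29 02:15:00,10.0.5.23,203.0.113.10,80
"""
BROWSER_HISTORY = """\
2007-06-28 23:01:13|http://203.0.113.10/admin/login.php
2007-06-28 23:44:00|http://www.example.com/
"""


def parse_dhcp(text):
    """Return [(time, ip, mac)] from DHCPACK lines, oldest first."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[2] != "DHCPACK":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], TS_FORMAT)
        leases.append((ts, parts[4], parts[6].lower()))
    return sorted(leases)


def parse_flows(text):
    """Return [(time, src_ip, dst_ip, dst_port)] from CSV flow records."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split(",")
        flows.append((datetime.strptime(ts, TS_FORMAT), src, dst, int(port)))
    return flows


def parse_history(text):
    """Return [(time, url)] from a pipe-separated history dump."""
    hist = []
    for line in text.splitlines():
        ts, url = line.split("|", 1)
        hist.append((datetime.strptime(ts, TS_FORMAT), url))
    return hist


def lease_holder(leases, ip, when):
    """MAC that held `ip` at `when`: the latest DHCPACK for ip at or before when."""
    holder = None
    for ts, lease_ip, mac in leases:
        if lease_ip == ip and ts <= when:
            holder = mac
        elif ts > when:
            break
    return holder


def attribute_flows(mac, leases, flows):
    """Flows whose source IP was leased to `mac` at the time of the flow."""
    mac = mac.lower()
    return [f for f in flows if lease_holder(leases, f[1], f[0]) == mac]


def corroborate(attributed, history, tolerance_s):
    """Pair each attributed flow with a host-side history entry for the same
    destination within tolerance_s seconds; returns [(flow, (time, url))]."""
    tol = timedelta(seconds=tolerance_s)
    matches = []
    for flow in attributed:
        ts, _src, dst, _port = flow
        for hts, url in history:
            if urlparse(url).hostname == dst and abs(hts - ts) <= tol:
                matches.append((flow, (hts, url)))
    return matches


if __name__ == "__main__":
    leases = parse_dhcp(DHCP_LOG)
    flows = parse_flows(FLOW_LOG)
    history = parse_history(BROWSER_HISTORY)
    suspect = "00:1a:2b:3c:4d:5e"
    attributed = attribute_flows(suspect, leases, flows)
    print("flows attributed to %s: %d" % (suspect, len(attributed)))
    for flow, (hts, url) in corroborate(attributed, history, 5):
        print("  %s %s -> %s:%d  matches host history %s %s"
              % (flow[0], flow[1], flow[2], flow[3], hts, url))
```

Note what the fourth flow shows: the same IP talks to the same server a few hours later, but the lease has moved to another MAC by then, so it is not attributed to the suspect. Without the lease history that flow would look like more of the same activity, and without the host-side history the two attributed flows would rest on the MAC alone.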
Kev
Guest
« Reply #3 on: July 06, 2007, 09:37:03 AM »

The MAC address would not be the key evidence used in a prosecution. IP addresses are usually the target. Something has to lead law enforcement to the attacker, and that's usually the IP address. If an attacker's main form of hiding is to spoof his MAC address, he is wasting his time. Once law enforcement confiscates the computer, they will begin forensics. If the MAC address is the one hard coded in the card, that's helpful, especially if there might be a household with several internet connections. If it's not, they will look for things like software that changes MAC addresses. If that's found, even though you might have spoofed your MAC ID, you are not off the hook. One thing I have noticed with sloppy attackers is they forget they have a lot of "hacking" programs on their box, and that's even more incriminating when they get caught than having an identified MAC address. Maybe the card had a different MAC ID than what was logged, but they find 3 programs for changing MAC addresses; that's going to look bad. The best attackers remove their hard drive and hide it after their attack. If their box is taken away to be inspected, more than likely all they would see is a hard drive full of Disney movies. Movies legally downloaded, of course, lol.
oleDB
Recruiters
Full Member
« Reply #4 on: July 06, 2007, 10:43:12 AM »

I'm wondering how this would play out for a wireless incident. MAC and hostname, both of which are easily faked, may be the only things to go on. So far I think a lot of the high-profile Wi-Fi cases were caught in the act. If they used really common hardware and OS config, it might be really impossible to prove anything without a doubt based on logs only, assuming the attacker wipes his HD afterwards.
Negrita
Sr. Member
« Reply #5 on: July 07, 2007, 03:19:48 AM »

Nmap has the ability to spoof both IP addresses, with the -S flag, and MAC addresses, with --spoof-mac, and I have it on my workstation at work, on my laptop and on my home PC. I use it (Nmap) for legitimate troubleshooting of network issues related to our customers' networks and network devices, and it is an invaluable tool. Just because I have it on my systems doesn't mean that I should be incriminated.

If I really wanted to change the MAC address, I could just change it in the NIC's driver settings and clear the events in the system logs afterwards - much easier.

CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.
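Kev's reply #3 (examiners look for signs that the MAC was changed) and Negrita's reply #5 (changing it through the NIC driver settings) point at two host-side checks. As an added example, not code from any poster, the Python below implements both: it tests the U/L bit of a MAC address (vendor burned-in addresses have bit 0x02 of the first octet clear; user-chosen or random addresses usually set it), and it scans a registry export of the network adapter class key {4D36E972-E325-11CE-BFC1-08002BE10318} for the NetworkAddress value that the driver's "Network Address" property writes. The .reg text is a constructed sample; the helper names are the example's own.

```python
"""
Host-side checks for a changed MAC address (added example).

1. U/L bit: a set 0x02 bit in the first octet means "locally administered",
   i.e. not a manufacturer-assigned address.  This is a lead, not proof:
   virtual adapters and randomised Wi-Fi addresses are locally administered
   too, so confirm against the adapter's burned-in address.
2. Registry: when a Windows user changes the address in the driver's
   "Network Address" property, the value lands as NetworkAddress under the
   adapter's subkey of the network adapter class GUID.  Clearing the event
   logs does not remove it.
"""
import re

NIC_CLASS_GUID = "{4D36E972-E325-11CE-BFC1-08002BE10318}"

# Constructed .reg-style export: one adapter with an override, one without.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007]
"DriverDesc"="Intel(R) PRO/1000 MT Network Connection"
"NetworkAddress"="021A2B3C4D5E"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008]
"DriverDesc"="Broadcom NetXtreme Gigabit Ethernet"
"""


def normalize_mac(raw):
    """Accept 001A2B3C4D5E, 00-1a-2b-3c-4d-5e or 00:1a:2b:3c:4d:5e; return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % raw)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def is_multicast(mac):
    """True when the I/G bit (0x01 of the first octet) is set; never a valid source."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def find_registry_overrides(reg_text):
    """Return one dict per adapter subkey under the NIC class GUID that carries
    a non-empty NetworkAddress value."""
    adapters = []
    current = None
    for line in reg_text.splitlines():
        key_match = re.match(r"\[(.*)\]$", line)
        if key_match:
            key = key_match.group(1)
            if NIC_CLASS_GUID in key:
                current = {"subkey": key.rsplit("\\", 1)[-1], "driver": None,
                           "network_address": None, "locally_administered": None}
                adapters.append(current)
            else:
                current = None
            continue
        if current is None:
            continue
        value_match = re.match(r'"(\w+)"="(.*)"$', line)
        if not value_match:
            continue
        name, value = value_match.groups()
        if name == "DriverDesc":
            current["driver"] = value
        elif name == "NetworkAddress" and value:
            current["network_address"] = normalize_mac(value)
            current["locally_administered"] = is_locally_administered(value)
    return [a for a in adapters if a["network_address"]]


if __name__ == "__main__":
    for logged in ("00:1a:2b:3c:4d:5e", "02:1a:2b:3c:4d:5e"):
        print("%s  locally administered: %s" % (logged, is_locally_administered(logged)))
    for adapter in find_registry_overrides(REG_EXPORT):
        print("subkey %s (%s) overrides MAC to %s, locally administered: %s"
              % (adapter["subkey"], adapter["driver"],
                 adapter["network_address"], adapter["locally_administered"]))
```

The registry check only covers the driver-property route Negrita describes. A box booted from a live CD, or a tool that sets the address without touching that key, leaves nothing there, so an empty result rules out one method rather than clearing the machine.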
Kev
Guest
« Reply #6 on: July 07, 2007, 09:47:36 AM »

In my experience, attackers most often have more than one or two legitimate apps on a Windows laptop. Such a setup is not going to get you very far into even a medium-level secure network anyway. They almost always have every hacker program known to mankind, often with some silly and malicious names, like "Evil Penetrator", etc. A simple MAC address change is not going to save them. Also, very few hackers use live CDs, which would solve a lot of stealth issues. This again is based on what I have seen, so others might have different experiences. High-level hackers usually use a hard drive install of a flexible distro of Linux. They will have numerous scripts and custom programs that they have either written or have been given by a fellow hacker. When you have this flexibility, you get very creative in your attack. Live CDs don't offer that.
 
« Last Edit: July 07, 2007, 06:09:53 PM by Kev »