The Ethical Hacker Network - MAC address as evidence

jimbob

Guest

« on: June 29, 2007, 03:15:32 AM »

Hi all,
Given that you can easily change the MAC address of a NIC, how likely is evidence relating to the MAC address of a computer used to perform a malicious act to stand up in court? Does the fact that it can be changed introduce reasonable doubt?

Jim


	Logged

slimjim100

EH-Net Columnist
Sr. Member

Offline

Posts: 385

Re: MAC address as evidence

« Reply #1 on: June 29, 2007, 07:00:02 AM »

This is true you can spoof a MAC and that in some cases this could be a defense in court. It really depends on the situation and who is defending or prosecuting. But I agree with you that a MAC is not a guarantee you have the right person or a good case. There have been a few legal cases dropped in the courts where the person says a Virus made me do it and claims that the content on there computer was not downloaded by them or the attach was a zombie. So I guess if your collecting evidence you need to get all you can and if your on the other side and defending yourself make sure to bring up the fact there are is a lot of 0-day code that can do some bad stuff where the virus software will not alarm on it.

Brian


	Logged

CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP

warquel

Newbie

Offline

Posts: 5

Re: MAC address as evidence

« Reply #2 on: July 05, 2007, 12:15:17 AM »

If the mac address is your only evidence tying the activity to the host then it's likely to be attacked. If you can provide other evidence that can corroborate the system's mac address that would be helpful. For example, if you have history of mac->ip from your switches, network flow logs and time stamps from something like web cache history on the suspect computer that matches the flow log time stamps, it further reinforces that the mac address at the time was valid.

To be honest though, I don't know how that would work out in court as I've never had to testify yet, however it seems to make logical sense.


	Logged

Kev

Guest

Re: MAC address as evidence

« Reply #3 on: July 06, 2007, 09:37:03 AM »

The Mac address would not be the key evidence used in a prosecution. IP addresses are usually the target. Something has to lead law enforcement to the attacker and that’s usually the IP address. If an attacker’s main form of hiding is to spoof his Mac address, he is wasting his time. Once law enforcement confiscates the computer, they will begin forensics. If the Mac address is the one hard coded in the card, that’s helpful, especially if there might be a house hold with several internet connections. If its not, they will look for things like software that changes Mac addresses. If that’s found, even though you might have spoofed your Mac ID, you are not off the hook. One thing I have noticed with sloppy attackers is they forget they have a lot of “hacking” programs on their box and that’s even more incriminating when they get caught than having an identified Mac address. Maybe the card had a different Mac ID than what was logged, but they find 3 programs for changing Mac addresses, that’s going to look bad. The best attackers remove their hard drive and hide it after their attack. If there box is taken away to be inspected, more than likely all they would see is a hard drive full of Disney movies. Movies legally downloaded of course, lol.


	Logged

oleDB

Recruiters
Full Member

Offline

Posts: 236

Re: MAC address as evidence

« Reply #4 on: July 06, 2007, 10:43:12 AM »

I'm wondering how this would play out for a Wireless incident. Mac and Hostname, both of which are easily faked, maybe the only thing to go on. So far I think alot of the high profile wifi cases were caught in the act. If they used really common hardware and OS config it might be really impossible to prove anything without a doubt based on logs only, assuming the attacker wipes his HD afterwards.


	Logged

Negrita

Sr. Member

Offline

Posts: 299

Re: MAC address as evidence

« Reply #5 on: July 07, 2007, 03:19:48 AM »

Nmap has the ability to spoof both IP addresses with the -S flag and MAC addresses with --spoof-mac, and I have it on my workstation at work, on my laptop and on my home pc. I use it (Nmap) for legitimate troubleshooting of network issues related to our customers networks and network devices, and it is an invaluable tool. Just because I have it on my systems doesn't mean that I should be incriminated.

If I realy wanted to change the MAC address, I could just change it in the NICs driver setting and clear the events in the system logs afterwards - much easier.


	Logged

CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.

Kev

Guest

Re: MAC address as evidence

« Reply #6 on: July 07, 2007, 09:47:36 AM »

In my experience, attackers most often have more than one or 2 legitimate apps on a windows laptop. Such a setup is not going to get you very far into even a medium level secure network any way. They almost always have every hacker program known to mankind and often with some silly and malicious names. Names like "Evil Penetrator", etc... A simple mac address change is not going to save them. Also, very few hackers use live CDs which would solve a lot of stealth issues. This again is based on what I have seen so others might have different experiences. High level hackers usually use a hard drive install of a flexible distro of linux. They will have numerous scripts and custom programs that they have either written or have been given by a fellow hacker. When you have this flexibility, you get very creative in your attack. Live CDs dont offer that.


« Last Edit: July 07, 2007, 06:09:53 PM by Kev »	Logged

Pages: [1] Go Up

« previous next »