
MAC address as evidence

<<

jimbob

Post Fri Jun 29, 2007 3:15 am

MAC address as evidence

Hi all,
Given that you can easily change the MAC address of a NIC, how likely is evidence relating to the MAC address of a computer used to perform a malicious act to stand up in court? Does the fact that it can be changed introduce reasonable doubt?

Jim
<<

slimjim100

EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Fri Jun 29, 2007 7:00 am

Re: MAC address as evidence

This is true, you can spoof a MAC, and in some cases this could be a defense in court. It really depends on the situation and who is defending or prosecuting. But I agree with you that a MAC is not a guarantee you have the right person or a good case. There have been a few legal cases dropped in the courts where the person says a virus made them do it and claims that the content on their computer was not downloaded by them or that the attack was done by a zombie. So I guess if you're collecting evidence you need to get all you can, and if you're on the other side and defending yourself make sure to bring up the fact that there is a lot of 0-day code that can do some bad stuff where the antivirus software will not alarm on it.

Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
<<

warquel

Newbie

Posts: 5

Joined: Tue Jul 03, 2007 10:36 pm

Post Thu Jul 05, 2007 12:15 am

Re: MAC address as evidence

If the MAC address is your only evidence tying the activity to the host then it's likely to be attacked. If you can provide other evidence that can corroborate the system's MAC address that would be helpful. For example, if you have MAC-to-IP history from your switches, network flow logs, and timestamps from something like web cache history on the suspect computer that matches the flow log timestamps, it further reinforces that the MAC address at the time was valid.

To be honest though, I don't know how that would work out in court as I've never had to testify yet, however it seems to make logical sense.
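The corroboration described in the post above, as an added example that is not part of the original thread: the switch binding history, flow records and browser history below are constructed sample data in a layout chosen for illustration (real switch logs, NetFlow exports and browser history databases each need their own parser). A flow is only "corroborated" when the switch bound the source IP to the suspect's MAC at that moment and the host's own browser history agrees with it; a MAC that matches the switch log but has no host-side trace, or an IP that a different MAC held at the time, is reported separately.

```python
"""Corroborate a MAC address with switch bindings, flow logs and browser history.

Added example, not from the original thread. All three data sets below are
constructed sample data in a format chosen for illustration.
"""
from datetime import datetime, timedelta

# Constructed switch MAC-to-IP binding history: (mac, ip, first_seen, last_seen)
SWITCH_BINDINGS = [
    ("00:1a:2b:3c:4d:5e", "10.0.0.23", "2007-06-28 08:00:00", "2007-06-28 18:00:00"),
    ("00:1a:2b:3c:4d:5e", "10.0.0.23", "2007-06-29 07:55:00", "2007-06-29 17:30:00"),
    ("00:aa:bb:cc:dd:ee", "10.0.0.23", "2007-06-29 17:31:00", "2007-06-29 23:59:00"),
]

# Constructed flow records from the network: (src_ip, dst_ip, dst_port, timestamp)
FLOWS = [
    ("10.0.0.23", "192.0.2.10", 80, "2007-06-29 09:12:03"),  # during the suspect's binding
    ("10.0.0.23", "192.0.2.10", 80, "2007-06-29 20:05:44"),  # after another MAC took the IP
    ("10.0.0.23", "192.0.2.20", 22, "2007-06-29 10:40:10"),  # nothing in browser history
]

# Constructed browser cache/history entries from the suspect machine: (timestamp, url)
BROWSER_HISTORY = [
    ("2007-06-29 09:12:05", "http://192.0.2.10/index.html"),
    ("2007-06-29 20:05:40", "http://192.0.2.10/other.html"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def mac_for_ip_at(ip, when, bindings=SWITCH_BINDINGS):
    """Return the MAC the switch saw bound to `ip` at time `when`, or None."""
    for mac, bound_ip, first, last in bindings:
        if bound_ip == ip and _ts(first) <= when <= _ts(last):
            return mac
    return None


def history_matches(flow, history=BROWSER_HISTORY, window=timedelta(seconds=10)):
    """True if the host's browser history has a hit on the flow's destination
    within `window` of the flow timestamp. Only meaningful for web ports."""
    _, dst_ip, dst_port, ts = flow
    if dst_port not in (80, 443):
        return False
    t = _ts(ts)
    return any(dst_ip in url and abs(_ts(hts) - t) <= window for hts, url in history)


def corroborate(suspect_mac, flows=FLOWS, bindings=SWITCH_BINDINGS, history=BROWSER_HISTORY):
    """Classify each flow by how well it ties back to `suspect_mac`.

    'corroborated' : switch bound the source IP to suspect_mac at that time
                     AND the host's own browser history agrees with the flow.
    'mac_only'     : switch binding matches but nothing on the host backs it up.
    'mac_mismatch' : a different MAC (or none) held the IP at that time.
    Returns a list of (timestamp, verdict, mac_bound_at_that_time).
    """
    results = []
    for flow in flows:
        src_ip, _, _, ts = flow
        mac = mac_for_ip_at(src_ip, _ts(ts), bindings)
        if mac != suspect_mac:
            verdict = "mac_mismatch"
        elif history_matches(flow, history):
            verdict = "corroborated"
        else:
            verdict = "mac_only"
        results.append((ts, verdict, mac))
    return results


if __name__ == "__main__":
    for ts, verdict, mac in corroborate("00:1a:2b:3c:4d:5e"):
        print(f"{ts}  {verdict:14s}  MAC bound to source IP: {mac}")
```

The second flow is the interesting case: the suspect's browser history does contain a matching visit, but the switch had already handed the IP to another MAC, so the flow cannot be pinned on the suspect's card from network logs alone. Clock skew between the switch, the flow collector and the host is the usual reason real data fails this check, so the tolerance window should be set from measured offsets rather than guessed.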
<<

Kev

Post Fri Jul 06, 2007 9:37 am

Re: MAC address as evidence

The MAC address would not be the key evidence used in a prosecution. IP addresses are usually the target. Something has to lead law enforcement to the attacker and that's usually the IP address. If an attacker's main form of hiding is to spoof his MAC address, he is wasting his time. Once law enforcement confiscates the computer, they will begin forensics. If the MAC address is the one hard coded in the card, that's helpful, especially if there might be a household with several internet connections. If it's not, they will look for things like software that changes MAC addresses. If that's found, even though you might have spoofed your MAC ID, you are not off the hook. One thing I have noticed with sloppy attackers is they forget they have a lot of "hacking" programs on their box and that's even more incriminating when they get caught than having an identified MAC address. Maybe the card had a different MAC ID than what was logged, but if they find 3 programs for changing MAC addresses, that's going to look bad. The best attackers remove their hard drive and hide it after their attack. If their box is taken away to be inspected, more than likely all they would see is a hard drive full of Disney movies. Movies legally downloaded of course, lol.
<<

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Fri Jul 06, 2007 10:43 am

Re: MAC address as evidence

I'm wondering how this would play out for a wireless incident. MAC and hostname, both of which are easily faked, may be the only thing to go on. So far I think a lot of the high profile wifi cases were caught in the act. If they used really common hardware and OS config it might be really impossible to prove anything without a doubt based on logs only, assuming the attacker wipes his HD afterwards.
<<

Negrita

Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Sat Jul 07, 2007 3:19 am

Re: MAC address as evidence

Nmap has the ability to spoof both IP addresses with the -S flag and MAC addresses with --spoof-mac, and I have it on my workstation at work, on my laptop and on my home PC. I use it (Nmap) for legitimate troubleshooting of network issues related to our customers' networks and network devices, and it is an invaluable tool. Just because I have it on my systems doesn't mean that I should be incriminated.

If I really wanted to change the MAC address, I could just change it in the NIC's driver settings and clear the events in the system logs afterwards - much easier.
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.
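Kev's point about checking whether the MAC "is the one hard coded in the card" and Negrita's point that the address can simply be overridden in the NIC's driver settings both come down to the same host-side check. The following is an added example, not code from the original thread: it compares the active address with the burned-in one as reported by `ethtool -P` on Linux, tests the locally-administered bit, and looks for a NetworkAddress override under the Windows network adapter class key (the registry value behind the driver's "Network Address" setting). The command outputs and the registry export it parses are constructed samples so it runs offline; on a real machine you would feed it the output of `ip link show <if>`, `ethtool -P <if>` or a .reg export of the adapter key.

```python
"""Host-side indicators that an interface's active MAC is not its burned-in one.

Added example, not from the original thread. The command outputs and the
registry export below are constructed samples.
"""
import re

# Constructed `ip link show eth0` output (active address).
IP_LINK_OUT = """2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:de:ad:be:ef:01 brd ff:ff:ff:ff:ff:ff
"""

# Constructed `ethtool -P eth0` output (permanent / burned-in address).
# Note: some virtual or unsupported drivers report 00:00:00:00:00:00 here.
ETHTOOL_P_OUT = "Permanent address: 00:1a:2b:3c:4d:5e\n"

# Constructed fragment of a .reg export of the Windows network adapter class key.
# A NetworkAddress value here is the "driver settings" way of overriding the MAC.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007]
"DriverDesc"="Intel(R) PRO/1000 MT Network Connection"
"NetworkAddress"="02DEADBEEF01"
"""

MAC_PATTERN = r"([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"


def norm(mac):
    """Normalise 'AABBCCDDEEFF', 'aa-bb-..' or 'aa:bb:..' to lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def active_mac(ip_link_output):
    m = re.search(r"link/ether\s+" + MAC_PATTERN, ip_link_output)
    return norm(m.group(1)) if m else None


def permanent_mac(ethtool_output):
    m = re.search(r"Permanent address:\s*" + MAC_PATTERN, ethtool_output)
    return norm(m.group(1)) if m else None


def registry_network_address(reg_text):
    """Return the NetworkAddress override from a .reg export, or None if unset."""
    m = re.search(r'"NetworkAddress"="([0-9A-Fa-f]{12})"', reg_text)
    return norm(m.group(1)) if m else None


def is_locally_administered(mac):
    """Bit 1 of the first octet set means locally administered, i.e. not an
    IEEE-assigned OUI. Vendor-burned addresses normally have it clear."""
    return bool(int(norm(mac).split(":")[0], 16) & 0x02)


def mac_change_indicators(ip_link_output, ethtool_output, reg_text=""):
    """Collect evidence that the active MAC was changed. Returns a dict of findings."""
    act = active_mac(ip_link_output)
    perm = permanent_mac(ethtool_output)
    reg = registry_network_address(reg_text)
    return {
        "active": act,
        "permanent": perm,
        "differs_from_permanent": act is not None and perm is not None and act != perm,
        "locally_administered": act is not None and is_locally_administered(act),
        "registry_override": reg,
        "registry_matches_active": reg is not None and reg == act,
    }


if __name__ == "__main__":
    for key, value in mac_change_indicators(IP_LINK_OUT, ETHTOOL_P_OUT, REG_EXPORT).items():
        print(f"{key:26s} {value}")
```

Each indicator is weak on its own: a locally-administered address is legitimately used by some virtualisation and bonding setups, and `ethtool -P` only works where the driver exposes the permanent address. What an examiner wants is the combination, an active address that differs from the burned-in one plus the setting or tool that made it so, which is the "software that changes MAC addresses" Kev describes finding on a seized box.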
<<

Kev

Post Sat Jul 07, 2007 9:47 am

Re: MAC address as evidence

In my experience, attackers most often have more than one or two legitimate apps on a Windows laptop. Such a setup is not going to get you very far into even a medium level secure network anyway. They almost always have every hacker program known to mankind and often with some silly and malicious names. Names like "Evil Penetrator", etc... A simple MAC address change is not going to save them. Also, very few hackers use live CDs, which would solve a lot of stealth issues. This again is based on what I have seen so others might have different experiences. High-level hackers usually use a hard drive install of a flexible distro of Linux. They will have numerous scripts and custom programs that they have either written or have been given by a fellow hacker. When you have this flexibility, you get very creative in your attack. Live CDs don't offer that.
 
Last edited by Kev on Sat Jul 07, 2007 6:09 pm, edited 1 time in total.
