Network Traffic Analysis

Once you have access to the appropriate tools, you can examine either the live traffic or logs to determine if a crime has been (or is being) committed and to gather evidence about that crime.

Using Log Files as Evidence

An end-to-end investigation looks at an entire attack. It looks at how an attack starts, at the intermediate devices, and at the result of the attack. Evidence may reside on each device in the path from the attacking system to the victim. Routers, virtual private networks (VPNs), and other devices produce logs. Network security devices, such as firewalls and intrusion detection systems (IDSs), also generate logs. An IDS is software that automates the process of monitoring events occurring in a computer system or network, analyzing them for signs of possible incidents, and attempting to stop detected possible incidents.

A device’s log files contain the primary records of a person’s activities on a system or network. For example, authentication logs show accounts related to a particular event and the authenticated user’s IP address. They contain date and time stamps as well as the username and IP address of the requestor. Application logs record the time, date, and application identifier. When someone uses an application, it produces a text file on the desktop system containing the application identifier, the date and time the user started the application, and how long that person used the application.

Operating systems log certain events, such as the use of devices, errors, and reboots. Operating system logs can be analyzed to identify patterns of activity and unusual events. Network device logs, such as firewall and router logs, provide information about the activities that take place on the network. You can also coordinate and synchronize them with logs provided by other systems to create a more complete picture of an attack.

For example, a firewall log may show access attempts that the firewall blocked. These attempts may indicate an attack. Log files can show how an attacker entered a network. They can also help find the source of illicit activities. Log files from servers and Windows security event logs on domain controllers, for instance, can attribute activities to a specific user account. This may lead you to the person responsible.
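The correlation described above, as an added example that is not part of the textbook: a firewall log kept in local time (UTC-5) is normalized to UTC and merged with a domain controller's logon log, so that a burst of blocked attempts from one source can be attributed to the account that later logged on from that same address. Both log formats and all addresses, users, and timestamps are constructed samples.

```python
from datetime import datetime, timedelta, timezone
from collections import defaultdict

# Constructed firewall log: local time with UTC offset, action, src -> dst:port
FIREWALL_LOG = """\
2024-03-02 09:14:05 -0500 DENY 203.0.113.7 -> 192.0.2.10:22
2024-03-02 09:14:06 -0500 DENY 203.0.113.7 -> 192.0.2.10:23
2024-03-02 09:14:09 -0500 DENY 203.0.113.7 -> 192.0.2.10:3389
2024-03-02 09:16:40 -0500 ALLOW 203.0.113.7 -> 192.0.2.10:443
2024-03-02 10:02:11 -0500 ALLOW 198.51.100.4 -> 192.0.2.10:443
"""

# Constructed domain controller log: timestamps already in UTC ("Z")
DC_LOG = """\
2024-03-02T14:16:42Z LOGON_SUCCESS user=jdoe src=203.0.113.7
2024-03-02T15:02:13Z LOGON_SUCCESS user=asmith src=198.51.100.4
"""

def parse_firewall(text):
    """Parse firewall lines and convert every time stamp to UTC."""
    events = []
    for line in text.splitlines():
        date, time, offset, action, src, _, dst = line.split()
        ts = datetime.strptime(f"{date} {time} {offset}", "%Y-%m-%d %H:%M:%S %z")
        events.append({"ts": ts.astimezone(timezone.utc), "action": action,
                       "src": src, "dst": dst, "source": "firewall"})
    return events

def parse_dc(text):
    """Parse domain controller logon lines (already UTC)."""
    events = []
    for line in text.splitlines():
        stamp, kind, user, src = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z")
        events.append({"ts": ts, "action": kind, "user": user.split("=", 1)[1],
                       "src": src.split("=", 1)[1], "source": "dc"})
    return events

def build_timeline(fw_text, dc_text):
    """Merge both logs into a single timeline ordered by UTC time."""
    return sorted(parse_firewall(fw_text) + parse_dc(dc_text), key=lambda e: e["ts"])

def attribute_scans(timeline, min_denies=3, window=timedelta(minutes=5)):
    """For each source with >= min_denies blocked attempts, list the accounts
    that logged on from that source within `window` after the last deny."""
    denies = defaultdict(list)
    for e in timeline:
        if e["source"] == "firewall" and e["action"] == "DENY":
            denies[e["src"]].append(e["ts"])
    findings = {}
    for src, stamps in denies.items():
        if len(stamps) < min_denies:
            continue
        last = max(stamps)
        users = [e["user"] for e in timeline if e["source"] == "dc"
                 and e["src"] == src and last <= e["ts"] <= last + window]
        findings[src] = {"denied_attempts": len(stamps), "accounts": users}
    return findings
```

Without the offset normalization, the 9:14 local firewall entries would sort after the 14:16 UTC logon and the attribution would silently fail, which is why synchronizing clocks and time zones across sources comes before any correlation.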

Intrusion detection systems record events that match known attack signatures, such as buffer overflows or malicious code execution. Configure an IDS to capture all the network traffic associated with a specific event. In this way, you can discover which commands an attacker ran and which files he or she accessed. You can also determine which files the criminal downloaded, such as malicious code, or uploaded, such as files copied from the system.

You bump into a few problems when using log files, however. One is that logs change rapidly, and getting permission to collect evidence from some sources, such as Internet service providers (ISPs), takes time. In addition, volatile evidence is easily lost. Another is that hackers can easily alter logs to include false information.

Wireless

Wireless networks are almost everywhere today. Some cities even provide wireless network access to citizens in their areas. In fact, you can often access wireless networks while on an airplane in flight. Wireless connections allow devices to connect to a network without having to physically connect via a cord. This makes it easy to connect computers and devices when running an actual physical cord is either difficult or not practical.

There are some basics of wireless networks you should know:

  • 802.11a—This was the first widely used Wi-Fi standard; it operated at 5 GHz and was relatively slow.

  • 802.11b—This standard operated at 2.4 GHz and had an indoor range of 125 feet with a bandwidth of 11 megabits per second (Mbps).

  • 802.11g—There are still many of these wireless networks in operation, but you can no longer purchase new Wi-Fi access points that use 802.11g. This standard includes backward compatibility with 802.11b. 802.11g has an indoor range of 125 feet and a bandwidth of 54 Mbps.

  • 802.11n—This standard was a tremendous improvement over preceding wireless networks. It achieves a bandwidth of 100 to 140 Mbps. It operates at frequencies of 2.4 or 5.0 GHz and has an indoor range of up to 230 feet.

  • IEEE 802.11n-2009—This technology achieves bandwidth of up to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz. It uses multiple-input multiple-output (MIMO), which uses multiple antennas to coherently resolve more information than is possible using a single antenna.

  • IEEE 802.11ac—This standard was approved in January 2014. It offers throughput of up to 1 Gbps, with a minimum of 500 Mbps. It uses up to eight MIMO spatial streams.

  • IEEE 802.11ad Wireless Gigabit Alliance—This supports data transmission rates up to 7 Gbps—more than 10 times faster than the highest 802.11n rate.

Many wireless local area networks (LANs) are either not secured or not well secured. Attackers may compromise a server to allow public access to stolen software, music, movies, or pornography.

The following are the most important forensic concerns with wireless networks:

  • Did a perpetrator use a wireless network entry point for a direct network attack or theft of data?

  • Did an attacker use a third-party wireless network, such as a hotel hotspot, to conceal his or her identity?

In addition to evidence that moves across wireless networking devices, you may find evidence in wireless storage devices. These devices include wireless digital and video cameras, wireless printers with storage capacity, wireless network-attached storage (NAS) devices, tablets and smartphones, wireless digital video recorders (DVRs), and wireless game consoles.

Several tools are available just for discovering wireless networks. Some of the more popular tools include the following:

There are even apps available for both iPhone and Android that can scan for wireless networks. So Wi-Fi scanning can be accomplished with relative ease. If a hacker discovers a poorly secured wireless network, one thing he or she may try is to access the wireless access point’s administrative screen. Unfortunately, too many people turn on these devices and don’t think to change the default settings. There are websites that store default passwords that anyone can look up. One very popular website is http://www.routerpasswords.com.
