SRI Security Research Institute, Edith Cowan University, Perth, Western Australia
To the modern law enforcement investigator, the possibility that an offender carries a mobile device that connects to a Wi-Fi network may afford evidence to place them at a scene at a particular time. Whilst tools to interrogate mobile devices and Wi-Fi networks have undergone significant development, little research has been conducted with regard to interrogating Wi-Fi routers and the evidence they may contain. This paper demonstrates that multiple inhibiting factors exist for forensic investigators when attempting to extract data from Wi-Fi routers at the scene. Data volatility means the Wi-Fi router cannot be powered down without losing a substantial quantity of data. Third-party Wi-Fi enabled devices may connect to or interact with the access point after an event occurs. Multiple models exist, with varying internal architectures, operating systems, and external interfaces. This paper presents steps and considerations for at-scene seizure of Wi-Fi devices for law enforcement, to ensure maximum digital forensic evidence is collected. It also lists a series of recommendations to the manufacturers of Wi-Fi devices to facilitate a standardised mechanism to collect forensic evidence, thus making future acquisitions easier and more time-efficient.