Aircapture Wlan14
Frequently Asked Questions:

1. Why is it necessary to look at data on the air interface? It is available at the server or at the ISP.
This is true. However, an investigation normally starts with an individual, and it can take time and be problematic to identify which ISP, and then which server, to look at. It is easy to identify from outside a suspect's residence whether a wireless LAN is being used, and if it is, the Aircapture product is capable of immediately capturing ALL traffic from ALL the possible WiFi channels, whether it is voice, video or data.

2. The traffic on the air interface is always encrypted so what's the point of capturing it?
About 50% of the time it is true that encryption is being used. However, the traffic can be captured and then post-processed and decrypted. WEP and WPA can be decrypted through an automated and simple process in our Encryption Buster software, which is included in our Wlan 14 package. The software version handles 75 pass phrases per second (WPA). We also have a hardware FPGA solution that integrates with Wlan 14, now called Wlan 14+. One FPGA handles about 75000 pass phrases per second. You can add more than one FPGA to our unit, and for each one the performance is doubled. If more statistics are needed please contact Aircapture for a White Paper.

3. Why is it necessary to see the air interface at all?
Where a suspect is using a neighbouring WiFi access point the resulting traffic looks as though it has come from the IP address of the owner of the WiFi router. If the traffic is intercepted in the air it is clear where it emanated from. In the event that it is of criminal content it is then possible to apprehend the actual suspect rather than the owner of the WiFi access point that is effectively being 'hacked'.

4. Who thought up the idea of monitoring all the WiFi channels and recording all the data?
The product was conceived by specialists in Sweden working in association with clients who were looking for a tool with such capability. For example, it is impossible to trace a VoWlan call once it roams between channels if you use one radio, as you will never know to which channel or AP the call is going to roam.

5. Is it possible to install a directional antenna such that the exact position of a suspect who might be in a public place such as an airport or railway station can be pinpointed?
Yes. Whilst the normal antenna is an omni-directional variety with 6-20 dB gain, it is also possible as an option to fit a directional antenna to pinpoint locations. There is also a GPS interface to provide accurate locations of where traffic is being captured from. As we capture data from all channels in real time there is a really good chance we will have the relevant data in the PC. This is also a reason why you need to capture all the data, as sometimes it can be difficult. You can find the relevant data later by filtering, for example on IP address or content.

6. Is it possible to combine data captured on multiple Aircapture products to piece together a roaming conversation which might have been recorded on a variety of different WiFi channels?
Yes, the files of data can be merged chronologically using simple software packages that are freely available. Often it is not possible to hear the changeover between hot spots as the suspect moves between different access points.

7. Why not use commonly available products such as Airopeek, Netstumbler or Ethereal to do the same job?
These other products were not designed with forensic investigations in mind. They typically have a single radio/air interface and then capture data to RAM, which immediately limits their usefulness in this application. The Aircapture Wlan14 has 14 radios that capture data from all 14 WiFi channels simultaneously and reliably, so no data is missed, even if the suspect roams between two or more WiFi access points and even if different channels are used to continue the same conversation. The reliable Linux operating system allows the Aircapture Wlan14 to capture data for weeks at a time. The data is stored on removable hard disk drives that are hot-swappable to ensure the very minimum 'changeover' time.

8. "I have a wireless network, it wasn't me" is a known phrase in courts when suspects are being prosecuted, and they will typically go free when a teenager is called in as an expert witness to demonstrate how easy it is to hack a wireless network, even if it has 128-bit WEP encryption. Can Aircapture Wlan 14 help to gather evidence in these cases?
Yes. It has been shown in courts that suspects have been released because they have a wireless network, and monitoring their communication on the wired network at the ISP is not enough, as an intruder's IP address will not be visible on the wired network. Therefore it is important to provide evidence that the communication was solely coming from the suspect's house and not from any neighbourhood user or hacker. This proof can be provided with Aircapture Wlan 14: it will see any hacker using a neighbour's AP or client, though probably the major use will be to show that no-one else was using the network.

9. The goal of wireless forensics is to capture and analyze wireless communication. Sometimes it is a problem to see both ends of the communication, for example if there is an AP in the middle of a house and you have clients in different locations moving to and from the AP. How do you solve these problems with Aircapture Wlan 14?
True. Sometimes it can happen that we lose packets because of this kind of issue, as our Aircapture Wlan 14 unit, outside the house, is closer to one end of the communication. This all depends on how the walls are constructed, etc. In these cases it can be necessary to use the Aircapture Wlan 14 multipoint monitoring feature, which basically involves using 2 or more Aircapture Wlan 14 units on different parts of the link when you really don't want to risk ANY loss of data. The feature includes some reconstruction features.
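The chronological merge from question 6 and the two-unit reconstruction from question 9, as an added example that is not Aircapture's own code: it reads classic pcap files (link type 105, raw 802.11) from several units, orders the frames by timestamp, and drops the second copy of a frame that both units heard. The sample captures are constructed in memory; the 2 ms dedup window is an assumption.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap header magic, microsecond timestamps
LINKTYPE_IEEE802_11 = 105     # raw 802.11 frames, as written by a monitor-mode capture

def write_pcap(packets):
    """Serialise (ts_sec, ts_usec, frame) tuples into a little-endian pcap byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse a little-endian pcap byte string back into (ts_sec, ts_usec, frame) tuples."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic or byte order")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        packets.append((sec, usec, data[off:off + caplen]))
        off += caplen
    return packets

def merge_captures(captures, dedup_window_us=2000):
    """Merge several units' captures in time order and drop a frame that a second unit
    heard within dedup_window_us of the first copy (identical bytes, same transmission).
    A genuine 802.11 retransmission has the Retry flag set, so it differs and is kept."""
    merged = sorted((p for c in captures for p in read_pcap(c)), key=lambda p: p[:2])
    kept, last_seen = [], {}
    for sec, usec, frame in merged:
        now = sec * 1_000_000 + usec
        prev = last_seen.get(frame)
        if prev is None or now - prev > dedup_window_us:
            kept.append((sec, usec, frame))
        last_seen[frame] = now
    return kept

# Constructed sample: a data-frame header (frame control, duration, three addresses,
# sequence control) plus a short payload. Unit A, near the AP, heard frames 1 and 2;
# unit B, near the client, heard frame 2 half a millisecond later and frame 3, which A missed.
HDR = bytes.fromhex("08020000" + "aa" * 6 + "bb" * 6 + "cc" * 6 + "1000")
FRAME1, FRAME2, FRAME3 = (HDR + b"data-" + str(i).encode() for i in (1, 2, 3))
UNIT_A = write_pcap([(100, 0, FRAME1), (100, 3000, FRAME2)])
UNIT_B = write_pcap([(100, 3500, FRAME2), (100, 9000, FRAME3)])

def demo():
    return merge_captures([UNIT_A, UNIT_B])
```

The dedup only works if the units' clocks agree to within the window, so check the time offset between units before merging real captures.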

10. In the USA it is illegal to capture data in the air if I don't have a search warrant, and if I do have one I am not allowed to capture any data other than for that certain client or AP. In Europe this is not the case, but how can Aircapture Wlan 14 solve this problem for me in the USA? I still want to capture data if the client is moving or roaming.
True. Aircapture Wlan 14 has a prefiltering mechanism we developed especially for the US market. Basically we only capture data on a certain SSID, MAC address or IP named in the Search Warrant. We apply this filter on ALL radios. This means you will not lose any data even if the client roams! All actions from the officer using Aircapture Wlan 14 will be logged in our unit for proof of concept.

11. We are interested in looking at HTTP, SMTP and chat conversations, not only PCAP files. How can AirCapture help us all the way?
Wlan 14 and Wlan 14+ were designed to solve the problems of capturing data in wireless LAN environments. Problems like mobility, roaming and reach are solved with our superior RF and simultaneous capture of all possible channels. Our integrated Encryption Buster software and FPGA solution solve the issues with encrypted networks. To analyze the actual applications and reconstruct traffic like web, chat and email there are many open source software solutions available, such as the Wireshark tool, but unfortunately they are not easy to use and were not designed as forensics tools. These tools can be used to import pcap files produced by AirCapture Wlan 14 and Wlan 14+; however, because of the lack of easy-to-use tools, both open source and commercial, our own AirCapture Wireless Forensics Analyzer (WFA) was developed in spring 2008. WFA can import traffic, 802.13 standard pcap or 802.11 pcaps, and gives you a professional forensics tool which includes offline HTTP reconstruction, chat reconstruction, email reconstruction, an image viewer and more. On the 802.11 layer it adds unique expert functionality to find things like evil twins and MAC spoofing across several radio channel pcaps imported together. The WFA trial version can be downloaded from our download page.

12. Following targets and collecting data can be difficult if the target's MAC address is not known. How can AirCapture help us to collect the interesting traffic?
When you know the target MAC it is easy to activate a filter on this MAC, client or AP, on all channels simultaneously in the Wlan 14 GUI. If it is not known and there is a lot of WiFi in the air, for example outside a popular hotspot in a city, it can be difficult to work out the target MAC. In this case you can verify by looking at the application data captured in all the traffic: there might be text you can search for, like a name or other identity, after which you can classify the target MAC in the GUI with a name and then continue to follow the suspect with the filter applied as he moves and exchanges data with hotspots. Another possibility is to use our SmartFind (TM) feature, which has automated functionality to recognise when the same MAC address is found at different locations.
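The warrant-scoped MAC prefilter of question 10 and the per-channel MAC filter of question 12, as an added example that is not Aircapture's implementation: it parses the address fields an 802.11 frame actually carries (control frames have one or two, data frames three or four), keeps on every radio only frames where the warrant MAC appears, and appends an audit record. The frames, the audit-record format and the officer identifier are constructed assumptions.

```python
def wlan_addresses(frame):
    """Return the MAC address fields an 802.11 frame actually carries. Frame control
    byte 0 holds type (bits 2-3) and subtype (bits 4-7), byte 1 the ToDS/FromDS flags.
    ACK and CTS carry only a receiver address, other control frames RA and TA; management
    and data frames carry three addresses, and a data frame with both ToDS and FromDS
    set (WDS bridging) carries addr4 after the sequence control field."""
    if len(frame) < 10:
        return []
    ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
    if ftype == 1:                                      # control frame
        if subtype in (0xC, 0xD) or len(frame) < 16:    # CTS, ACK
            return [frame[4:10]]
        return [frame[4:10], frame[10:16]]
    if len(frame) < 22:
        return []
    addrs = [frame[4:10], frame[10:16], frame[16:22]]
    if ftype == 2 and (frame[1] & 3) == 3 and len(frame) >= 30:
        addrs.append(frame[24:30])
    return addrs

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def warrant_filter(frames_by_radio, target_mac, audit_log, officer="officer-id"):
    """Keep, on every radio, only frames in which the warrant MAC occupies an address
    field, and append an audit record of what was applied and what it yielded."""
    target = mac_bytes(target_mac)
    kept = {ch: [f for f in frames if target in wlan_addresses(f)]
            for ch, frames in frames_by_radio.items()}
    audit_log.append({"officer": officer, "filter": "mac", "value": target_mac,
                      "frames_in": sum(map(len, frames_by_radio.values())),
                      "frames_out": sum(map(len, kept.values()))})
    return kept

def build(fc_hex, *addrs, payload=b""):
    """Constructed frame: 2-byte frame control, duration, addresses, seq ctrl, payload."""
    return bytes.fromhex(fc_hex) + b"\x00\x00" + b"".join(addrs) + b"\x00\x00" + payload

TARGET, AP, OTHER = (mac_bytes(m) for m in ("00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"))
SAMPLE = {  # constructed: the target moves from channel 1 to channel 6 while others chatter
    1: [build("0801", AP, TARGET, AP, payload=b"up"), build("0802", OTHER, AP, OTHER)],
    6: [build("0802", TARGET, AP, AP, payload=b"down"), bytes.fromhex("d400") + b"\x00\x00" + OTHER],
}

def demo():
    log = []
    kept = warrant_filter(SAMPLE, "00:11:22:33:44:55", log)
    return kept, log
```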