research.tees.ac.uk… · Web view · First, access to the Internet is now held in high regard and...

Post on 23-Jun-2020

Developing a ‘router examination at scene’ standard operating procedure for crime scene investigators in the United Kingdom

Abstract

As the majority of dwellings now maintain some form of Internet connectivity, the examination of routers at crime scenes is an increasing requirement. Due to cost and resourcing constraints, police forces are looking to transfer responsibility for carrying out this task to front line crime scene investigators, despite such staff typically lacking specialist training for this type of examination. Such strategies are potentially high-risk, as the mishandling of home routers can result in the oversight or destruction of potentially evidential information denoting home network usage, configuration and connected devices. This information can support scene examiners with their searching practices, ensuring all connected devices within the vicinity of a scene are accounted for or seized, whilst also supporting further technical investigations. This work documents the forensic examination of Sky, BT, Virgin, EE and TalkTalk routers and analysis of relevant evidence content including records of attached and currently connected devices, and network configuration settings. A standard operating procedure has been developed and offered to support crime scene investigation staff in carrying out router investigations.

Keywords: Digital Forensics; Crime Scene Investigation; Routers; Policing; Investigation; Standard Operating Procedures.

1 Introduction

Significant reliance is now placed upon forensic science providers to support policing [1; 2]. Whilst traditional crimes, for example burglary, still require a regulatory presence, there is now a prominent shift in the commission of digital offences, where the digital forensics analysis of requisite devices is witnessing an increased demand [3]. Most digital crimes are arguably facilitated via access to networked communications, a regulatory concern given that 90% of households are now reported to maintain an Internet connection in Great Britain alone [4]. In addition, the number and size of connected devices owned by users poses an investigatory challenge in terms of identification and subsequent analysis at any given crime scene [5]. Media reports suggest that the average United Kingdom (UK) household has 8.3 ‘connected devices’ [6], and by the year 2025 there are expected to be in excess of 75 billion IoT devices in operation globally [7]. Such increased connectivity arguably places the potential to commit crimes involving digital evidence types within the remit of a greater number of individuals.

As digital devices and their subsequent resident data often provide a prominent source of information for criminal investigation, emphasis is placed on the need for effective identification and collection methods to preserve potentially evidential digital content. As part of this, routing equipment is now recognised as a possible source of digital evidence in need of collection and examination [8]. However, resourcing issues mean that expectations are now being placed upon non-technically trained crime scene investigators (CSIs) to carry out this task [9]. Rossy et al. [10] acknowledge that forms of digital evidence have been traditionally considered as beyond the remit of a CSI, therefore little guidance and training may previously have been supplied, creating potential issues surrounding competence and evidential integrity in relation to evidence collecting and handling processes where a CSI has been involved. Concerns around the mishandling of digital evidence have been highlighted by the UK Forensic Science Regulator and Professor Peter Sommer to the UK Justice Committee [11; 12].

This article provides the documented forensic analysis of example Sky, BT, Virgin, EE and TalkTalk routers in the UK, covering over 85% of main ISP market share in the UK [13], and an appended standard operating procedure (SOP) for on-scene home router examination by CSIs. Work has been undertaken in consultation with <POLICE FORCE REMOVED FOR REVIEW ANONYMISATION> for the purposes of supporting the continuous professional development of their staff and to ensure that effective procedures for router analysis are defined and implemented through training. The authors have utilised this underpinning research to develop an SOP for the examination of home routers at scene, in order to seek validation from peer-review processes to support its application in real-world field work, whilst seeking support for potential adherence to incoming governing accreditation such as ISO 17020. This SOP is supplied as an appendix to this article. As noted by Marcella Jr and Menendez [14], SOPs should be generally validated and accepted by the community at which they are aimed, and this is the motivation for this work and submission.

The article is structured as follows. Section 2 provides an overview of the need for SOPs and the context of SOPs for home router examination and the role of the crime scene investigator. Section 3 provides the examination of Sky, BT, Virgin, TalkTalk and EE routing devices, demonstrating procedures for extracting and interpreting their resident digital data. Section 4 offers a discussion of on-scene examination considerations before conclusions are drawn in Section 5. The formalised SOP is provided in the appendix.

2 SOPs

The importance of SOPs for ensuring standards of quality in the digital forensic field has long-since been acknowledged (see [15]). In order to provide a simplified SOP description, reference is drawn to Manghani [16].

‘Simply put, SOPs specify in writing, who does what and when, or the way to carry out an activity or a process. SOPs establish a systematic way of doing work and ensure that work is done consistently by all persons who are required to do the same task. SOPs must be well written in order to provide an effective control...and prevent errors from occurring, thereby minimizing waste and rework’ [16 p.36].

SOPs are essential for ensuring ‘the validity, legitimacy and reliability of digital evidence’ acquired from a digital investigation and are necessary for supporting the proper processing of case work [17 p.43]. They are also a device for quality management and can support the reduction of procedural errors [18; 37], an area in need of development to ensure the maintenance of standards, particularly in relation to digital evidence types [19].

When defining SOPs there exists a trade-off between flexibility and requisite detail to be of some use to a practitioner operating under the SOP [20; 17]. Given the diversity of evidence types and therefore subsequent analysis procedures in digital forensics, standardising certain protocols remains a challenge. Whilst this may be achievable by removing specific process detail in favour of naming generic procedures, giving an SOP flexibility and longevity where continuous re-writes are not needed, taking such an approach begins to erode the knowledge transfer and guidance an SOP offers a practitioner.

The depth of coverage will always provide a barrier to the defining of SOPs where a balance between depth of analysis and coverage must be struck. In such cases, an SOP is unlikely to cover every eventuality, where underpinning core methodologies may be adaptable for purposes outside of its direct confines [21]. However, it should be noted that SOPs are not designed to be in-depth tutorials with regards to specific analysis types, but a form of operational or procedural guidance to ensure consistency. SOPs should be considered as documenting the minimum acceptable quality for carrying out a specific task. As a result, an SOP provides supporting guidance from which, when combined with sensible investigative and critical thinking, sound procedural advancements can be made [21]. The analysis and SOP provided as part of this work offer a minimum acceptable standard for information gathering whereby CSIs must utilise informed decision making and investigative knowledge to expand the remit of their evidence collection based on the surrounding facts of the investigation.

In terms of quality governance, the regulation of crime scene examination activities currently sits outside the bounds of enforced ISO accreditation. However, the Forensic Science Regulator [22] has determined that ISO 17020 is the appropriate benchmark required for determining effective crime scene examination with a target date of 2020 for implementation. Currently aspects of digital evidence (such as imaging hard drives, screening or recovery of data using an ‘off the shelf tool’ for factual reporting and extraction and analysis of data from digital media) are under mandatory governance of ISO 17025 as of October 2017, however this standard applies typically to laboratory practice only. With the anticipated implementation of ISO 17020 (which covers network analysis) and with the expected expansion in coverage of ISO 17025 to other related analysis areas and disciplines, any additional work should be developed with adherence to such standards in mind. This work anticipates such changes and aims to provide a documented standard for router analysis. Here we provide a method which can be used to achieve the acquisition of data from routers, and which has the potential to be developed and/or validated by individual organisations, under their relevant accreditation frameworks.

The development of an SOP for router examination at scene ensures that the task of extracting router data is carried out methodically, consistently and within the bounds of a defined accepted procedure. In this context, an SOP allows effective preparation to occur prior to arrival and adaptability on-scene in utilising appropriate equipment and techniques. As the scene of a crime can be a high-pressure environment with potentially volatile forms of evidence in existence, it is imperative that suitable procedures are adhered to, in order to ensure the later admissibility of any potential evidence. Furthermore, a practitioner who follows an accepted procedure can defend the robustness of their evidence whilst demonstrating their investigation is forensically sound. In addition, as the gathering of digital evidence can be a complex procedure, where in some cases the original state may be altered by examination processes, the identification and documenting of such procedures ensures that the impact of any contamination of data can be accurately evaluated. Finally, an SOP identifies what acts are explicitly excluded from a process, and at which point a practitioner may seek additional advice or cease their current work. It also supports the identification of an examination’s scope, ensuring that the collateral impact of any examination process is minimized. In essence, an SOP demonstrates what shall, and what shall not (outside of the scope of the SOP) be done during a specific procedure.

This work is also attempting to develop a protocol by which any gathered information from a router can be used as evidence as opposed to such procedures being utilised for intelligence purposes only. As the rules of evidence and intelligence differ, the former being subject to greater scrutiny, the SOP offered in this work is designed with the intention of evidence gathering from home routers, ensuring CSIs capture router data using processes which are of sufficient quality and validity to adhere to these standards.

2.1 Context

It is important to note that the proposed discussions and SOP are intended for use by CSIs who are not trained as technical specialists in this area of examination and therefore this must be reflected in any analysis and developed SOP. The role of the CSI is starting to evolve due to an increasing need to examine digital devices which they are now encountering at crime scenes more frequently [9] without requiring assistance from their Digital Forensic Unit. Whilst in some instances, specialist digital forensic staff may be required to attend crime scenes, resourcing and cost issues now mean that CSIs are often required to incorporate the forensically sound collections of digital devices and/or their resident digital data into their existing scene examination strategies. Whilst different devices present different evidence collection challenges, there is an increasing need to access and recover information from home routers to aid CSIs in processing a scene. Whilst routers are now a common entity in households in the UK, there is limited guidance available as to the accepted procedures for accessing and interpreting any potential evidential resident data in a forensically acceptable manner [23]. This is reflected in the discussion offered by the National Institute of Standards and Technology (NIST) [24 p.118], who state: ‘consider that a wireless network (WiFi) may be present. Work closely with an electronic evidence collection expert in this situation’. The Association of Chief Police Officers (ACPO) Good Practice Guide for Computer-Based Electronic Evidence [25 p.16] offers specific technical guidance on networked examinations, yet indicates that ‘network detecting and monitoring is a specialist area and should not be considered without expert advice’.

In the context of a scene investigation, the proposed SOP in this work is designed to ensure the robust collection of resident data from a home router. Despite its design being influenced by the underpinning research, the SOP itself is not designed to support the interpretation of this information, although this work may also support this process. In terms of the interpretation of router data, of particular interest to CSIs are the following areas of router exploration.

1. Which devices are connected to the router: As an active router located inside of a dwelling maintains information regarding connected devices (hence those engaging with it can have continuous Internet access as part of its core functionality), CSIs querying this information can establish a tentative list containing the number of devices for potential seizure. Furthermore, where this information is obtained during initial arrival at a scene, any individuals who subsequently leave can be queried for possession of any potentially relevant digital devices. This is particularly pertinent as over 30% of individuals in the UK are reported to utilise five or more connected devices [26]. Such information may also support decisions related to triage and the prioritization of exhibits for examination [10].

2. Which devices have been connected to a service: Logs of historic connections (those devices which have at one point been connected but are no longer) may support the development of wider investigations. This may be particularly pertinent where metadata which may support the future identification of a device (MAC address etc.) is logged and stored. Blackman and Szewczyk [23 p.37] state that ‘to the modern law enforcement investigator, the potential for an offender to have a mobile device on his or her person, which connects to a Wi-Fi network, may afford evidence to place them at a scene, at a particular time’. A primary investigative use of the MAC address is to establish the number of devices which are currently connected to the router under investigation. This can therefore be used to inform the scene search team regarding the number of devices currently connected to the router.

3. System configurations: System configuration information is a generic definition covering the identification of potentially evidential router settings. What falls within the category is likely dependent on crime type and surrounding circumstances. To provide an example, current network encryption implementations may indicate whether a network was protected or prone to compromise by external entities.

4. When someone has been there: Router information can potentially reveal whether a device has been attached to the home network at what is currently a scene of crime. At a basic level, router information can indicate that an individual's device has been within the coverage of the home network. In some instances, if time and date information can be attributed to such events, in cases where specific timelines for offences are important, it may place an individual within the vicinity of a suspect event.

2.2 The changing role of the CSI

Formalised CSI education and training is only just starting to incorporate collection and recovery of digital data as opposed to digital device collection. As a result, despite being in existence for over 40 years, the incorporation of digital forensic procedures into traditional CSI practices is in its infancy. CSIs can rely on their experience in order to collect potentially relevant evidence at a scene; however, in the case of digital evidence, with its volatility and diversity of form, this is insufficient. The development and formalisation of acceptable procedures is therefore required [10]. The CSI is classed as a ‘level 1’ role within the Policing Professional Framework (PPF) which places them alongside roles such as ‘Fingerprint Officer’, ‘Forensic Laboratory Officer’, ‘Hi Tech Investigation Officer’ and ‘Cyber Intelligence Analyst’ [27]. Their role is defined under the PPF and Skills for Justice where the National Occupational Standards (NOS) identify seven standards which the CSI must be able to meet, yet none refer to the recovery of digital forms of evidence. Whilst the standard for ‘package, store and transport items of potential evidence’ refers to both physical and non-physical (which includes electronic information) forms of evidence, there is no direct addressing of digital media and their content. Similarly, the Scenes of Crime Examination Best Practice Manual [28 pg. 14] omits to define the collection of digital evidence as part of the CSI role, instead considering scene attendance in such cases by what they refer to as ‘forensic IT staff’ and not CSIs.

As digital forms of evidence are increasing in frequency, CSIs may now find such work (although not formally documented) within their remit as, in some instances, the attendance of a digital forensic specialist at scene is either no longer required or preferred. <POLICE FORCE REMOVED FOR REVIEW ANONYMISATION> have received a number of enquiries to provide such training to CSIs and police officers. Providing that capability and competency are present, then such measures remain sensible in terms of cost and resourcing implications.

3 Device Types

Blackman and Szewczyk [23] noted the need for the creation of a database documenting appropriate procedures for accessing routers and associated evidence types in need of querying, yet such work has yet to be undertaken. The diversity of devices in typical operation means that coverage of every eventuality within an SOP is not feasible. However, in an attempt to address Blackman and Szewczyk [23], this work has provided an analysis of those service providers operating with a majority share of the market in the UK. DeMarco et al. [29] identify Sky, BT, Virgin, TalkTalk and EE as some of the main Internet Service Providers (ISP) in the UK, where market share statistics indicate that as of 2017, the aforementioned ISPs collectively operate in over 85% of households in the UK [13].

3.1 Defining Investigation Scope

Home routers can maintain large portions of configuration information which may or may not be useful to an investigation, placing emphasis on the need to define both the purpose and boundaries of an investigation. If the purpose of an investigation is simply for a CSI to gather all available information for further analysis, then the impact (or footprint) of their actions following subsequent information querying should be considered [23]. In such cases, even maintaining a connection to the router is likely to lead to device changes (discussed later in Section 3). Routers are typically interrogated live, with limited forms of integrity protection, for example the write protection of resident data. Therefore emphasis is placed on the utilisation of robust principles of interpolation, well-documented and repeatable procedures, and contemporaneous documentation by the CSI of any actions and results. If the aim is to acquire knowledge of devices at a scene for purposes of comprehensive device seizure practices, then querying a router for currently connected devices can be a relatively straightforward task once a connection to the router and its administrative features has been established in the correct way. If more detailed collection is required, then the methodological processing of router configurations is required, documenting each screen via screen capture methods. Finally, if complete data extraction is required, advanced data recovery techniques may be available (such as Universal Asynchronous Receiver/Transmitter (UART), Joint Test Action Group’s Test Access Port Interface (JTAG), and Chip-Off); however, these are beyond the remit of this work and beyond the scope of the SOP. Indeed, specialist support should be sought in instances where such work is required.

Returning to the scope of this work, it is necessary to first discuss a number of technical concepts which have potential to influence investigative considerations and decision-making processes in an investigation.

3.1.1 Core technical concepts

Given that the aim of this work is to support non-technically trained CSIs to capture home router resident data, it is necessary to offer accepted technical definitions and explanations of key technologies involved. Such definitions may also be informative to a CSI during the creation of their contemporaneous notes and any subsequent statement and reports.

Router: Reference is drawn to the following CISCO [30] definition - ‘wireless routers are commonly found in homes - they are the hardware devices that Internet service providers use to connect you to their cable or xDSL Internet network ... a router connects local networks to other local networks or to the Internet’. In most cases, the physical identification of a router should be straightforward. Most mainstream routers are branded by the Internet Service Provider, making them visually distinct from many other pieces of network hardware such as switches or hubs. Furthermore, routers can be identified by locating the telecommunication point of ingress (phone line or cable socket) within a premises and tracing this to the first network device which is connected.

Media Access Control (MAC) address: A MAC address is a 48-bit hexadecimal number which can be used to uniquely identify a device (subject to the use of spoofing). Every device is assigned a MAC address which maintains manufacturer identifiable information. Where available, MAC address information should be recorded for both devices attached to the network and the router itself (which can be later used to correlate a device to a routing device). Where it is not possible to identify the specific device (for example because a device with a matching MAC address is not found), it may still be possible to identify the make (and possibly model) of the unknown device from this data via a MAC vendor lookup tool (https://.macvendors.com). A MAC address is typically structured as follows: 01:AB:45:CD:89:EF.
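The following Python sketch is an added example, not part of the original article or its SOP. It shows how MAC addresses transcribed from a router's attached-device page can be normalised, split into the manufacturer prefix used by vendor lookup tools, and reconciled against the exhibits seized at scene and the examiner's own forensic device. All hostnames and addresses are constructed, and the function names are hypothetical.

```python
import re

_SEPARATORS = re.compile(r"[:\-.\s]")
_HEX12 = re.compile(r"[0-9A-F]{12}")


def normalise_mac(raw):
    """Return a 48-bit MAC as upper-case, colon-separated octets.

    Router pages and device labels print the same address in different
    styles (00:1a:.., 00-1A-.., 001a.2b3c.4d5e), so addresses are only
    compared after normalising. Raises ValueError if the input is not
    exactly 12 hexadecimal digits once separators are removed.
    """
    digits = _SEPARATORS.sub("", raw).upper()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac):
    """First three octets: the manufacturer prefix a vendor lookup uses."""
    return normalise_mac(mac)[:8]


def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set.

    Such an address was assigned in software (randomised or manually
    set) rather than by the manufacturer, so a vendor lookup on its
    prefix says nothing reliable about the make of the device.
    """
    return bool(int(normalise_mac(mac)[:2], 16) & 0x02)


def reconcile(router_rows, seized_macs, examiner_mac):
    """Sort router-listed devices into examiner / seized / unaccounted.

    router_rows  : (hostname, MAC as displayed) pairs from the router
    seized_macs  : MACs read from the exhibits already seized
    examiner_mac : MAC of the forensic device used for the examination
    Rows whose MAC cannot be parsed are kept as 'unreadable' so that a
    transcription error is re-checked rather than silently dropped.
    """
    seized = {normalise_mac(m) for m in seized_macs}
    examiner = normalise_mac(examiner_mac)
    result = {"examiner": [], "seized": [], "unaccounted": [], "unreadable": []}
    for name, raw in router_rows:
        try:
            mac = normalise_mac(raw)
        except ValueError:
            result["unreadable"].append((name, raw))
            continue
        if mac == examiner:
            result["examiner"].append((name, mac))
        elif mac in seized:
            result["seized"].append((name, mac))
        else:
            result["unaccounted"].append({
                "name": name,
                "mac": mac,
                "oui": oui(mac),
                "vendor_lookup_meaningful": not is_locally_administered(mac),
            })
    return result


# Constructed sample data (not taken from any real router).
ROUTER_ROWS = [
    ("FORENSIC-LAPTOP-01", "00:11:22:aa:bb:cc"),
    ("Johns-Phone", "00-1a-2b-3c-4d-5e"),
    ("unknown", "da:a1:19:0b:7c:2e"),
    ("Printer", "001e.c2ab.cdef"),
    ("(blank)", "00:1A:2B:3C:4D"),          # one octet missing
]
SEIZED = ["00:1A:2B:3C:4D:5E"]
EXAMINER_MAC = "00:11:22:AA:BB:CC"

if __name__ == "__main__":
    for category, rows in reconcile(ROUTER_ROWS, SEIZED, EXAMINER_MAC).items():
        print(category, rows)
```

Devices left in the unaccounted list are the ones still to be located at scene; where the vendor lookup is flagged as not meaningful, the prefix should not be used to infer a make or model.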

Connection Type: Connection types fall into one of two categories: wired (Ethernet) or wireless. Wireless connections initiated with a router require a forensic device to be attached to the wireless network (essentially as any other user), via identifying the network service set identifier (SSID) (the network name) and then applying the password. Wired connections involve establishing an Ethernet cabled connection to a device (forensic device-to-router) directly; however, these do not typically require network credentials in order to establish a connection, therefore making this method a preferable one. Access to router configuration settings via standard interfaces (cabled and non-cabled) requires the use of credentials both to access the network and then to access a router's administrative configurations. This may or may not pose an issue of access. Those who operate their routing device ‘straight from the box’ are less likely to pose accessing issues as network password information is normally locatable on the back of the routing device itself. In addition, administrative password information is either located in a similar location or via help documentation provided by the ISP/manufacturer.

Time and Date Settings (local vs. router time): An important consideration when working with any digital device which stores time/date related data is the accuracy of that time/date information. A computer has its own internal clock, as does a router. In the case of routers, log files of notable activity may be maintained and connection records of devices belonging to potentially notable persons (such as the suspect’s phone) may also be recorded. Dates and times can be set incorrectly, either accidentally or intentionally. Regardless of intent, the result of any incorrectly configured system clock is that the date and times stored on the device itself must immediately be questioned, and possibly adjusted or corrected so that they can be accurately accounted for. Therefore router time and date settings must be recorded and their accuracy determined during any examination of the device. It is also especially important to note that, in the event a decision is made to power-off the router at any point, date and time verification should be done prior to the power-off occurring, in case the act of powering-off the router causes the date and time to reset.
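The clock check described above can be worked through as follows. This is an added example, not part of the original article or its SOP: it computes the difference between the time displayed by the router and a verified reference clock, classifies it, and applies it to router log timestamps while keeping the recorded values. The display format, the tolerance and reset thresholds, the function names and all timestamps are assumptions constructed for illustration, and the correction assumes the router clock error was constant over the period the log covers.

```python
from datetime import datetime, timedelta, timezone

ROUTER_FMT = "%Y-%m-%d %H:%M:%S"   # assumed display format of the router


def parse_router_time(text, utc_offset_hours=0):
    """Parse a time string shown by the router into an aware UTC datetime.

    utc_offset_hours is the time zone configured on the router, as
    recorded from its settings page (assumption: whole hours).
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(text, ROUTER_FMT).replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def clock_offset(router_now, reference_now):
    """Router time minus reference time; negative means the router is slow."""
    return router_now - reference_now


def assess(offset, tolerance=timedelta(seconds=60),
           reset_after=timedelta(days=365)):
    """Classify the offset for the examiner's notes.

    'accurate'      : within tolerance, timestamps usable as recorded
    'offset'        : consistent error, timestamps can be corrected
    'suspect-reset' : error so large the clock has probably reverted to
                      a default date (for example after a power-off), so
                      corrected times must not be relied upon
    """
    if abs(offset) <= tolerance:
        return "accurate"
    if abs(offset) >= reset_after:
        return "suspect-reset"
    return "offset"


def correct_entries(entries, offset, utc_offset_hours=0):
    """Return log entries with both the recorded and the corrected time.

    The recorded value is always kept so the adjustment can be audited.
    Assumes the clock error was the same when each entry was written.
    """
    out = []
    for text, event in entries:
        recorded = parse_router_time(text, utc_offset_hours)
        out.append({"recorded": recorded,
                    "corrected": recorded - offset,
                    "event": event})
    return out


# Constructed sample values (not taken from any real router).
REFERENCE_NOW = datetime(2019, 3, 14, 21, 10, 0, tzinfo=timezone.utc)
ROUTER_NOW_TEXT = "2019-03-14 21:03:30"      # as displayed at the same moment
ROUTER_LOG = [
    ("2019-03-14 18:45:10", "device 00:1A:2B:3C:4D:5E associated"),
    ("2019-03-14 19:02:55", "device 00:1A:2B:3C:4D:5E disassociated"),
]
RESET_ROUTER_TEXT = "1970-01-01 00:12:05"    # clock that reverted to a default

if __name__ == "__main__":
    offset = clock_offset(parse_router_time(ROUTER_NOW_TEXT), REFERENCE_NOW)
    print("offset:", offset, "->", assess(offset))
    for row in correct_entries(ROUTER_LOG, offset):
        print(row["recorded"], "=>", row["corrected"], row["event"])
```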

DeMilitarised Zone (DMZ): The DMZ is a special feature of a router which allows for a machine to be on the network, but effectively placed outside of the firewall. The main reason for the existence of this feature on a domestic router is convenience; it is not uncommon to find a computer running a server for an online multiplayer game being placed in the DMZ, rather than the user having to manually edit the firewall rules to allow traffic to that specific device. As a result of being in the DMZ, such a computer is naturally more ‘accessible’ from the wider Internet. This has the potential to be of significance in intrusion or ‘hacking’ related cases, therefore these settings should be checked as standard.

Universal Plug and Play (UPnP): UPnP is a convenience technology, designed to facilitate devices and software communicating on a network, without the user having to manage or carry out complicated network administration tasks. According to Gibson [31] UPnP is “Insecure, Exploit-Prone and Probably Unnecessary”. Like the DMZ, the status of this functionality should be observed and documented during an initial examination as it may become relevant at a later stage, especially in intrusion related cases.

3.1.2 Capturing Information

A typical in-situ router interrogation will take place whilst the device is live and operational utilising another device to establish a connection. This will likely be some form of mobile computing platform (laptop or tablet) where a connection via the browser will be established. As a result, facilities to capture resident browser information displayed from the router need to be in-place. This can involve effectively screen capturing information using a verified ‘webpage-to-pdf’ facility or more appropriately, via the use of video recording software where a CSI’s actions can be captured in real time. Screen captures/recordings should be time stamped for continuity purposes. In addition, practitioners should opt for techniques which capture the integrity of information to prevent unintentional cropping or questions regarding information being missed.

The impact of a CSI interacting with a router must also be quantified and recorded. A CSI must utilise a forensic device to establish a connection with a router and to query the data, as opposed to using one of the devices already at the scene, regardless of whether it belongs to a suspect, witness or victim. In doing so, any logs recording currently connected and previously connected devices on the router will update to reflect this additional device. As a result, it is important to ensure that the CSI’s device is appropriately named and recorded in order to distinguish its presence from existing logged devices. It must also be considered that routers may maintain a maximum capacity for logging device information and, in some cases, for accepting an additional device onto the network. Where a logging capacity is reached, a CSI’s device attaching to the network for purposes of extracting information may result in the overwriting of existing logged data. The risk posed in this case is difficult to quantify and arguably one which would not be avoidable by a CSI as there is no way (in reference to non-invasive or standard connection methods) to predetermine whether a device is operating at max logging capacity. Where a router is operating at a maximum attached device capacity, it may be necessary to first identify and seize an existing suspect device (shielding the device from network connections for data integrity purposes), thus ‘freeing up’ a space for a CSI to attach to the network.

Point of note: the likely negative impact of using a device already at the scene to access the router (in terms of the impact and likelihood of overwriting key data) is much greater than the impact of using a specially-prepared forensic device to access it. Further, utilising a suspect device to interrogate the home router may also compromise its resident data and potentially the integrity of the whole investigation.

3.1.3 Seizure Vs. In-Situ

It is important to note that not all CSIs have the automatic right to seize a device as part of their scene search requirements (particularly the case if a CSI is a civilian as opposed to a constable). In addition, the following is noted by the College of Policing [32].

‘Actions taken during an investigation must be proportionate to the crime under investigation and take account of local cultural and social sensitivities...every investigation provides the individual investigator and the police service with a unique opportunity to recognise and understand the impact of criminality on a community...Conducting ethical investigations helps to ensure that individuals and communities have confidence in the effectiveness of the police service and in the fairness of the processes and techniques they use’ (College of Policing, 2017).

Whether a crime is classed as a ‘volume crime’ as opposed to a ‘serious crime’ (see [32] for a definition of both) may impact the need to seize a device. Further, the Criminal Procedure and Investigations Act 1996 (section 23(1)) Code of Practice at point 3.5 enforces the need for ‘reasonableness’ when determining investigatory decisions.

‘In conducting an investigation, the investigator should pursue all reasonable lines of inquiry, whether these point towards or away from the suspect. What is reasonable in each case will depend on the particular circumstances. For example, where material is held on computer, it is a matter for the investigator to decide which material on the computer it is reasonable to inquire into, and in what manner’ [33].

There are two options available to a CSI who encounters a router: seize for later examination or carry out an on-scene interrogation. Whilst the former may seem easier in terms of minimal technical requirements, the impact is twofold. First, access to the Internet is now held in high regard and unnecessary deprivation of it may be frowned upon where much debate exists as to whether access to the Internet should now be considered a human right [34]. In addition, families may incur additional costs to reinstate Internet access into their dwelling via the purchase of a replacement router. Second, data destruction may occur, where volatile log information may be purged following the removal of power. Given these issues, in-situ analysis offers greater benefits, provided that those undertaking the interrogation are capable and the work is effectively captured in an admissible way. In addition, on-scene examinations prevent the unnecessary submission of exhibits for investigation in associated high-tech crime units which are already suffering with extensive reported backlogs.

3.1.4 Considerations

Of the five ISP supplied routers considered in this work, all were examined in an ‘out of the box’ state, where no bespoke configurations were made. It is argued that in the cases likely to be encountered by a CSI, a typical router found in a domestic premises will likely be in this state. Given that most ISPs provide their customers with one of their own routers to use as part of a contract of service, we argue that an ISP supplied device is likely to be in common use in domestic scenes. Such supplied routers may also vary in make and model depending on which contracts an ISP may hold with router manufacturers, therefore all routers investigated as part of this work were typically supplied by their associated ISPs in 2018.

In relation to each of the five devices covered, device metadata regarding the device itself including hardware and software version information and model is listed. All hard links showing access to router menus including the IP addresses listed to access the router data itself have been tested only against the router model stated.

3.2 Sky

Sky Broadband customers are supplied with a Sky HUB router (see [35] for visual and specification details regarding Sky HUB routing devices). The Sky HUB devices can be accessed via both a wired and non-wired connection, both requiring an effective connection to the router in order to begin any analysis. This is typically achieved by first identifying the network SSID (network name) and second, utilising the network password to establish a connection (either credentials disclosed by a suspect or the default network login credentials, which are often defined on the back of most router models). Once a connection is made, typing 192.168.0.1 into a browser window will load the router’s home ‘Summary Status’ page. At this point, the practitioner does not have access to the router’s administrator account; however, a record of devices which are currently connected to the network is still displayed (minus each device’s MAC address) and the network’s SSID and encryption status can be recorded (see Figure 1).

Figure 1: Targeted capture of Sky router’s home ‘Summary Status’ page showing connected devices and network information (device names have been anonymised).

Access to further settings on the router requires administrator credentials and a CSI will be prompted to input such information. Access to the router’s administrator account may be possible by identifying the default administrator account password details. These details are published by Sky [36], and at the time of writing, the credentials required for gaining admin access are username ‘admin’ and password ‘sky’. If a user has changed either the network or administrator passwords, gaining access to the router via cabled or wireless means is not possible without a suspect’s disclosure. Once access to the administrator account is granted, a CSI should traverse the router configuration menus via their browser interface.

To expand upon the information regarding devices attached to the network which can be gleaned without admin access, the ‘Attached Devices’ page (located at http://192.168.0.1/sky_attached_devices.html) provides additional MAC information (see Figure 2).

Figure 2: A demonstration of a Sky router’s recording of ‘Attached Devices’ and each device’s assigned IP, name and MAC address (device names & MAC addresses have been anonymised).

It is important to note that the Sky router configurations do not document devices which have historically been connected to a device, only those with a current connection.

Whilst documented records of devices attached to a network support a CSI’s searching processes, additional network information can be captured from within the Sky router’s administrator interface. At the router’s support page (located at http://192.168.0.1/sky_support.html), basic logging information is maintained where ‘router logins’ are recorded. This information may help to determine who may have access to the network to manipulate its settings, as the event’s IP address can be correlated to the IP addresses assigned to ‘Attached Devices’ (see Figure 3). In addition, it may be necessary to identify whether the router has remote administration settings enabled (located at http://192.168.0.1/sky_remote_management.html) as this may allow a suspect to configure a device beyond the initial crime scene.

Figure 3: Activity logs

Users who configure their network to prevent access to certain content (websites or associated topical content) can do so by listing keywords or domain names (website addresses), shown in Figure 4. When a network device has attempted to access a blocked site, the router activity log (shown in Figure 3) will record this act as follows:

Apr 29 12:02:16 syslog: Access blocked to url/keyword "teamtalk.com", request from 192.168.0.26

Figure 4: Sky’s ‘blocking’ feature, where users can define both keyword and domain criteria (in this case, www.bbc.co.uk), preventing a user from accessing such content via the network.

Log content can be captured either via screen-capture techniques or using the ‘save log’ function (located on page http://192.168.0.1/sky_logs.html) which allows the log to be exported and saved to a CSI’s local machine in a basic text format. The types of events which are logged are also subject to user configuration, therefore certain events such as ‘blocked site attempted access’ may not be present if a user has opted not to log this information.
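The correlation described above, between the IP address recorded in a log entry and the ‘Attached Devices’ records, can be carried out on an exported log as follows. This is an added example, not code from the original work: the attached-device rows, all log lines other than the one quoted in the text, and the examiner-supplied year (the log records none) are constructed assumptions.

```python
import re
from datetime import datetime

# Format of the blocked-access entry quoted in the text.
BLOCKED_RE = re.compile(
    r'^(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) syslog: '
    r'Access blocked to url/keyword "(?P<keyword>[^"]*)", '
    r'request from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$'
)

# Constructed sample export: the first line is the entry quoted in the text,
# the other two are made up in the same format for illustration.
SAMPLE_LOG = """\
Apr 29 12:02:16 syslog: Access blocked to url/keyword "teamtalk.com", request from 192.168.0.26
Apr 29 12:05:41 syslog: Access blocked to url/keyword "www.bbc.co.uk", request from 192.168.0.14
Apr 29 12:09:03 syslog: Access blocked to url/keyword "teamtalk.com", request from 192.168.0.99
"""

# Constructed 'Attached Devices' rows as an examiner might transcribe them.
# MAC addresses are taken from the RFC 7042 documentation range.
ATTACHED_DEVICES = [
    {"name": "EXAMPLE-LAPTOP", "ip": "192.168.0.26", "mac": "00:00:5E:00:53:01"},
    {"name": "EXAMPLE-TABLET", "ip": "192.168.0.14", "mac": "00:00:5E:00:53:02"},
]


def parse_blocked_events(log_text, year):
    """Return blocked-access events from an exported log.

    The router does not record a year, so the examiner supplies it (assumption).
    Lines of any other event type are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = BLOCKED_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append({"when": when, "keyword": m["keyword"], "ip": m["ip"]})
    return events


def correlate(events, attached):
    """Attach the matching device record (or None) to each event by IP address.

    IP addresses are assigned dynamically, so the match is only meaningful
    against an attached-device record captured in the same examination.
    """
    by_ip = {d["ip"]: d for d in attached}
    return [dict(e, device=by_ip.get(e["ip"])) for e in events]


def unattributed_ips(correlated):
    """IP addresses seen in the log with no matching attached-device record."""
    return sorted({e["ip"] for e in correlated if e["device"] is None})


if __name__ == "__main__":
    for e in correlate(parse_blocked_events(SAMPLE_LOG, 2018), ATTACHED_DEVICES):
        dev = e["device"]
        who = f"{dev['name']} ({dev['mac']})" if dev else "no attached-device record"
        print(f"{e['when'].isoformat()}  {e['keyword']:<15} {e['ip']:<14} {who}")
```

An address left unattributed points to a device that was no longer attached when the ‘Attached Devices’ page was captured, which is relevant to the search of the scene.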

3.2.1 Sky Network Configuration and Setup

Router configuration information may also be valuable to any future investigation processes and can be captured during a traverse of the administrator account. The ‘Router Statistics’ section (located on page http://192.168.0.1/sky_router_status.html) provides records of transferred and received data packets as well as a network’s current ‘up time’ period (how long it has been currently active for, a value which can be affected by a router power cycling or having been turned off). A router’s current time and date configuration can be acquired from location http://192.168.0.1/sky_schedule.html. DMZ, Dynamic DNS and UPnP information can be found at page http://192.168.0.1/sky_wan_setup.html.

3.2.2 Sky Power Removal

Following the removal of power (simulating a device seizure) and subsequent reboot, the ‘router statistics’ section and log information (shown in Figure 3) will be lost. If devices are configured to automatically connect to the network when it is operational, then any devices in the vicinity will establish a connection. However, if any suspect devices are configured to insert login credentials every time they wish to connect to the network, then removing power before capturing attached device information may result in missing this information or device during a search.

3.3 BT

The target BT router is a ‘BT Home Hub 5’ (see [38; 39] for details of device specification).

As with Sky, a BT router is accessed via a web browser using a connected device. By typing http://192.168.1.254/ into the browser window, a CSI will be taken to the router’s homepage, where currently connected devices (including their MAC addresses) can be identified, without needing to gain admin access (see Figure 5). Beyond this display, admin credentials are required subject to forced access procedures discussed in section 3.3.2.

Figure 5: A demonstration of the ‘connected devices’ display on BT router homepage (device names & MAC addresses have been anonymised).

For more detailed information regarding both devices connected to a device and those previously connected to a device, a CSI must navigate to ‘Advanced Settings > Home Network - Devices’ (located at http://192.168.1.254/index.htm?pg=ad_HN_Devices.htm). Here, the device tree displays all devices connected to the network where those flagged as ‘not connected’ are records of previously attached devices. In each case a device name, MAC address and IP address assigned by the router is documented (shown in Figure 6).

Figure 6: A demonstration of the device tree (device names & MAC addresses have been anonymised).

3.3.1 Event log

The BT router also maintains an ‘Event log’ (located at http://192.168.1.254/index.htm?pg=troubleshooting_event.htm) which contains a number of potentially evidential records. Testing showed that the log file maintains over one year of past router events, where events include device connects and disconnects and router logins (see Figure 7). Using the ‘Event Log’, it is possible to establish when a device connected and disconnected from the network, where time and date information is present. The ‘Event Log’ can be downloaded to an external device (in .csv format) for later examination.

Figure 7: A demonstration of the ‘Event Log’ (left) and types of events recorded (right) (device names & MAC addresses have been anonymised).

3.3.2 Password Override

Typically, administrator access requires the account credentials. Whilst this is true for BT, an additional ‘password override’ feature is available to force access into the device where admin account details are unknown. The procedures for access are noted in Figure 8.

Figure 8: A demonstration of the ‘password override’ function.

3.3.3 BT generic router setup information

As with Sky, generic router configuration settings can be found at http://192.168.1.254/index.htm?pg=wirelessBasic.htm including SSID and encryption status. In the ‘advanced settings’ page, under the ‘Broadband’ setting (located at http://192.168.1.254/index.htm?pg=wireless_2G.htm), Dynamic DNS settings are available.

3.3.4 Reboot and Forced Password Access

Following power removal and reboot, all information noted previously in this section remained available (connected device information and event log content etc.). This remained the case when testing using the admin password override was carried out.

3.4 TalkTalk

The target TalkTalk router has the following metadata:

- Software version: V1.22T
- Hardware Version: H.1.01
- Product Type: HG663
- Manufacturer: HUAWEI

The TalkTalk router is accessible by typing 192.168.1.1 into the browser window (subject to successful connection to the network). The default administrator account username is admin and password is admin. If a CSI cannot get access to the administrator account (for example, credentials have been changed), it is still possible to identify the number of devices attached to the network, displayed under the ‘Status Information’ field which is available on the initial home splash screen (see Figure 9).

Figure 9: TalkTalk ‘Status Information’ field

TalkTalk’s navigation interface is split into five main banner areas (Home, Internet, Home Network, Share and Maintain) (see Figure 10).

Figure 10: TalkTalk’s navigation interface

The ‘Home’ tab contains four sub-areas of which ‘Check My Network Status’ allows network connected devices to be identified (located at 192.168.1.1/html/wizard/network.html) where currently connected devices are prefixed with green signal strength bars (see Figure 11) and historically connected devices are greyed out. MAC address information for devices is available by mouse-clicking on each device. The ‘Check My Internet Connection Status’ box shown in Figure 9 also shows the current period of time which the network has been up and active.

Figure 11: TalkTalk router network attached devices (device names & MAC addresses have been anonymised).

In reference to Figure 10, the ‘Internet’ tab provides details of generic network configuration content including firewall, router time and date setup and DMZ information. The ‘Home Network’ tab includes details of devices connected to the network (duplication of those recorded under ‘Check My Network Status’). The network’s encryption configuration can be located at 192.168.1.1/html/advance.html#wlan.

3.4.1 Event Logs

Located in the ‘Maintain’ tab (Maintain > System Logs located at 192.168.1.1/html/advance.html#log) is the router system log. This can be downloaded and saved to a CSI’s local device in .txt format. The log is configurable by changing the ‘Display Level’ drop down box, where different event types will be displayed. It is key to note that this log includes records of the time a device connected and disconnected to the network. However, testing showed that the log only maintained records for approximately one day.

The accuracy of router time and date information should be validated (stored in Internet > Internet Services - located at 192.168.1.1/html/advance.html#Netowkr_services) in order to determine the accuracy of log content.

3.4.2 TalkTalk Reboot

Following power removal and reboot, the data stored in the event log remained persistent as well as information regarding connected devices. The router’s uptime as shown in the ‘Home’ tab was reset.

3.5 EE

The target EE router has the following metadata:

- Runtime Code Version: v0.04.05.0001-OT
- Boot Code Version: 0.0.9-OT
- Hardware Version: 01

Access to the EE router can be gained via a web browser by typing 192.168.1.1, with the default admin account credentials being located on the back of the router. Without logging in to the router with these credentials, no network information is available (unlike BT (see Figure 5) and TalkTalk (see Figure 9)).

Currently connected device information can be located under the STATUS tab, where device name, assigned IP address and MAC address information is available (see Figure 12).

Figure 12: EE router connected devices (device names & MAC addresses have been anonymised).

Generic configuration information regarding the network is located under the ADVANCED tab, which includes content such as that described in sections 3.2 - 3.4.

3.5.1 EE Event Log

Similar to BT routers, a detailed events log can be downloaded from the router to a CSI’s local device from Advanced > Settings > System Log in a .txt format. Entries include device connection and disconnection records, where a typical connect entry is formatted as follows:

05:47:19, 22 Apr. Device connected: 192.168.1.153, 48:a9:##:##:##:##, TEST Device, lease time is 172800 seconds.

The ‘Event Log’ has the only router-resident record of historically connected devices.
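Because the event log is the only record of historically connected devices on this router, the connect entries can be reduced to a per-device inventory that also marks the examiner’s own device, as section 3.1.2 requires. This is an added example, not code from the original work: only the first sample line comes from the text, and the other lines, the examiner device name ‘CSI-FORENSIC-01’, the year and the clock offset are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Format of the connect entry quoted in the text. '#' is accepted in the MAC
# field so that anonymised entries still parse.
CONNECT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}), (?P<day>\d{1,2}) (?P<mon>[A-Za-z]{3})\. "
    r"Device connected: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"(?P<mac>[0-9A-Fa-f#]{2}(?::[0-9A-Fa-f#]{2}){5}), "
    r"(?P<name>.+?), lease time is (?P<lease>\d+) seconds\.?$"
)

# Constructed sample export: the first line is the entry quoted in the text,
# the rest are made up for illustration (MACs from the RFC 7042
# documentation range).
SAMPLE_LOG = """\
05:47:19, 22 Apr. Device connected: 192.168.1.153, 48:a9:##:##:##:##, TEST Device, lease time is 172800 seconds.
09:12:44, 22 Apr. Device connected: 192.168.1.160, 00:00:5E:00:53:0A, EXAMPLE-PHONE, lease time is 172800 seconds.
09:30:00, 22 Apr. (constructed line standing in for any other event type)
18:03:10, 23 Apr. Device connected: 192.168.1.160, 00:00:5e:00:53:0a, EXAMPLE-PHONE, lease time is 172800 seconds.
11:20:05, 24 Apr. Device connected: 192.168.1.171, 00:00:5E:00:53:FE, CSI-FORENSIC-01, lease time is 172800 seconds.
"""


def parse_connects(log_text, year, clock_offset_s=0):
    """Return (connect events, count of lines that were not connect entries).

    The log records no year, so the examiner supplies one (assumption; a log
    spanning a year boundary needs splitting first). clock_offset_s is the
    measured difference, in seconds, between a verified reference clock and
    the router clock, and is added to every timestamp.
    """
    events, skipped = [], 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CONNECT_RE.match(line)
        if not m:
            skipped += 1
            continue
        when = datetime.strptime(
            f"{year} {m['day']} {m['mon']} {m['time']}", "%Y %d %b %H:%M:%S"
        ) + timedelta(seconds=clock_offset_s)
        events.append({
            "when": when,
            "ip": m["ip"],
            "mac": m["mac"].lower(),  # normalise case so one device is one key
            "name": m["name"],
            "lease_expires": when + timedelta(seconds=int(m["lease"])),
        })
    return events, skipped


def build_inventory(events, examiner_name):
    """Group connect events by MAC address and flag the examiner's device."""
    inventory = {}
    for e in sorted(events, key=lambda ev: ev["when"]):
        rec = inventory.setdefault(e["mac"], {
            "names": set(), "ips": set(), "first_seen": e["when"],
            "last_seen": e["when"], "connects": 0, "examiner": False,
        })
        rec["names"].add(e["name"])
        rec["ips"].add(e["ip"])
        rec["last_seen"] = e["when"]
        rec["connects"] += 1
        if e["name"] == examiner_name:
            rec["examiner"] = True
    return inventory


if __name__ == "__main__":
    parsed, other = parse_connects(SAMPLE_LOG, 2018)
    for mac, rec in build_inventory(parsed, "CSI-FORENSIC-01").items():
        tag = "EXAMINER" if rec["examiner"] else "scene"
        print(mac, sorted(rec["names"]), rec["connects"],
              rec["first_seen"].isoformat(), rec["last_seen"].isoformat(), tag)
    print("lines that were not connect entries:", other)
```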

3.5.2 EE Reboot

Similar to BT, no event log data purge occurs when the power is removed from the device and a subsequent reboot occurs. However, users can opt to manually clear the log if required.

3.6 Virgin

The target Virgin router has the following metadata:

- Software version: 1.01.33
- Hardware Version: 3.11
- Product Type: Super Hub 2

As with Sky, access to the router administrator settings is subject to establishing a network connection followed by a login to the administrator account (no override function is available). Where neither has been changed by a user, the back of the router will provide details (subject to tampering) of the network SSID, password and administrator login account settings. Both wired and non-wired connection types are available, with the router reached by typing 192.168.0.1 into a browser window. The default admin password is ‘changeme’. No information regarding network connected devices is available without accessing the administrator account.

Devices currently connected to the network can be identified by selecting the Device Connection Status box (located at 192.168.0.1_device_connection_status.html) on the home screen, where both wireless and wired connections can be identified (see Figure 13). The Virgin router does not maintain records of historically connected devices, only those with a current, active connection.

Figure 13: Devices currently connected to the network (device names & MAC addresses have been anonymised).

3.6.1 Virgin Network Information

The Virgin router’s encryption status can be found by selecting the Wireless Network Settings box on the homepage (located at 192.168.0.1_device_connection_status.html), as shown in Figure 14.

Figure 14: Network encryption settings (SSID has been anonymised).

Advanced router settings are available at 192.168.0.1/advanced_list.html#logs which includes the maintenance of content such as firewall logs. There are no event logs maintained by the device comparable to those stored by BT and EE.

4 Discussion

Following the analysis of the five router types noted in section three, the following investigatory comments are made. First, it is important to note that none of the above routing devices passively collect device information. Therefore, given the scenario of the burglary of a dwelling, if a suspect enters a property with their personal device but does not connect to the WiFi network, the router will not maintain a record of this device being within its vicinity. Second, power removal typically results in minimal impact on resident log data, but will impact records of currently connected devices. The recording of currently connected devices is dynamic, therefore if a router is seized and examined in a laboratory environment, this information will be lost. Third, event log information is an important source of data regarding network usage and should be captured where present. However, not all routers will maintain this functionality (see for example Sky). Finally, router access poses an issue and whilst all the aforementioned routers maintain default administrator access credentials, where these are changed, access may be prevented (subject to BT’s override function). Some devices may present basic connection stats even if a login cannot be made (see for example TalkTalk and BT). Where absolutely necessary (for example for high-risk or high-profile cases), consideration can be given to more ‘aggressive’ techniques or alternatively some of the advanced techniques discussed previously (see section 3.1). These techniques are considered outside the scope of this work and the SOP; however, awareness of their existence is most certainly beneficial.

It is also important to consider that routers present information to the user through a management console or interface, and that the standard investigative methodology requires the investigator to access the router using the same interface and methods as a normal user. It is also important to note that this style of interface typically only presents a ‘logical’ view of the data present and not the full ‘physical’ data. Therefore there may in fact be information present on a router which is not exposed or visible to the normal user and ultimately the investigator. Techniques do exist which can be used to access this information. Some of these techniques do carry some risk; for example they can be destructive in nature. Therefore careful consideration must be given as to when and how to use these techniques. In cases which involve significant risk or cases which are sensitive enough to warrant all available avenues of investigation to be explored, use of these techniques, by suitably trained specialists, should be considered. The techniques are therefore beyond the scope of a standard SOP, however they are included here for the sake of thoroughness.

4.1 Scene contamination

Whilst this work refers to the goal of extracting digital information from routing devices, scene contamination concerns should be raised. To capture information, CSIs must introduce a form of forensic device to the vicinity in order to attach to the network and extract content. Whilst digital evidence contamination is of limited concern, the transportation of biological contaminants on such devices is a potential issue, particularly where these devices are re-used at multiple scenes. CSIs need to be aware of this concern and take appropriate measures to prevent this occurring. This may involve routine testing of the device for any apparent biological material followed by cleaning, or alternatively the use of disposable packing to protect the device, which can then be removed after a search is complete, protecting the device from acquiring any material. However, this may not be practically feasible and therefore it may be advisable that all trace evidence is collected prior to the implementation of any digital data recovery.

4.2 SOP

Appendix 1 (<SOP has been submitted as a separate document as part of the article submission for review process>) provides the ‘router examination at scene’ SOP designed to ensure the forensic collection of resident router data. The SOP is designed for the collection of all resident data. Within the SOP, procedural guidance is supplied, equipment requirements are noted and procedure limitations are defined. The SOP is in a format which permits documented revisions to occur and continuous policy amendment and revision in line with ISO accreditation practices.

5 Conclusion

This work has provided an examination of Sky, BT, Virgin, TalkTalk and EE routing devices, demonstrating processes for accessing and recording digital information held upon these devices. Interpretative guidance has been provided, analysing forms of potentially relevant information which may be retained upon a routing device. Finally, a ‘router examination at scene’ SOP has been developed in accordance with this research to support CSIs on-scene to forensically acquire router data.

References

1. Bradbury, S.A. and Feist, A., 2005. The use of forensic science in volume crime investigations: a review of the research literature. Research Development and Statistics Directorate, Home Office.

2. Ludwig, A., Fraser, J. and Williams, R., 2012. Crime scene examiners and volume crime investigations: an empirical study of perception and practice. Forensic science policy & management: an international journal, 3(2), pp.53-61.

3. Home Office (2016) ‘Forensic Science Strategy: A national approach to forensic science delivery in the criminal justice system’ Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/506683/54493_Cm_9217_Forensic_Science_Strategy_Print_ready.pdf (Accessed: 16 April 2018)

4. Office of National Statistics (2017) ‘Internet access – households and individuals: 2017’ Available at: https://www.ons.gov.uk/peoplepopulationandcommunity/householdcharacteristics/homeinternetandsocialmediausage/bulletins/internetaccesshouseholdsandindividuals/2017 (Accessed 13 April 2018)

5. Horsman, G., 2017. Can we continue to effectively police digital crime?. Science & Justice.

6. Terrelonge, Zen (2016) ‘Average UK home has 8.3 connected devices, rocketing nation’s digital ad spend’ Available at: https://realbusiness.co.uk/sales-and-marketing/2016/04/14/average-uk-home-has-8-3-connected-devices-rocketing-nations-digital-ad-spend/ (Accessed 16 April 2018)

7. Statista (2018c) ‘Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025 (in billions)’ Available at: https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/ (Accessed 13 April 2018)

8. Parliamentary Office of Science and Technology (2016) ‘Digital Forensics and Crime’ Available at: http://researchbriefings.files.parliament.uk/documents/POST-PN-0520/POST-PN-0520.pdf (Accessed 16 April 2018)

9. Hitchcock, B., Le-Khac, N.A. and Scanlon, M., 2016. Tiered forensic methodology model for Digital Field Triage by non-digital evidence specialists. Digital Investigation, 16, pp.S75-S85.

10. Rossy, Q., Décary-Hétu, D., Delémont, O. and Mulone, M. eds., 2017. The Routledge International Handbook of Forensic Intelligence and Criminology. Routledge.

11. Parliament.tv (2018) ‘Justice Committee’ Available at: https://www.parliamentlive.tv/Event/Index/13d15d6a-8aa9-40ce-bdf2-3d19777b3af8 (Accessed 16 May 2018)

12. Bowcott, Owen (2018) ‘Police mishandling digital evidence, forensic experts warn’ Available at: https://www.theguardian.com/law/2018/may/15/police-mishandling-digital-evidence-forensic-experts-warn (Accessed 16 May 2018)

13. Statista (2018a) ‘Which Internet Service Provider (ISP) does your household currently use as its MAIN supplier at home? (2017)’ Available at: https://www.statista.com/statistics/387678/uk-market-share-of-internet-service-providers/ (Accessed 13 April 2018)

14. Marcella Jr, A. and Menendez, D., 2007. Cyber forensics: a field manual for collecting, examining, and preserving evidence of computer crimes. Auerbach Publications.

15. Casey, E. ed., 2001. Handbook of computer crime investigation: forensic tools and technology. Elsevier.

16. Manghani, K., 2011. Quality assurance: Importance of systems and standard operating procedures. Perspectives in clinical research, 2(1), p.34.

17. Slay, J., Lin, Y.C., Turnbull, B., Beckett, J. and Lin, P., 2009, January. Towards a formalization of digital forensics. In IFIP International Conference on Digital Forensics (pp. 37-47). Springer, Berlin, Heidelberg.

18. Bulbul, H.I., Yavuzcan, H.G. and Ozel, M., 2013. Digital forensics: an analytical crime scene procedure model (ACSPM). Forensic science international, 233(1-3), pp.244-256.

19. Government Office for Science (2015) ‘Forensic science and beyond: authenticity, provenance and assurance’ Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/506462/gs-15-37b-forensic-science-beyond-evidence.pdf (Accessed 16 April 2018)

20. Wilsdon, T. and Slay, J., 2005, November. Digital forensics: exploring validation, verification & certification. In Systematic Approaches to Digital Forensic Engineering, 2005. First International Workshop on (pp. 48-55). IEEE.

21. Horswell, J. ed., 2004. The practice of crime scene investigation. CRC Press.

22. Forensic Science Regulator (2017) ‘Codes of Practice and Conduct for forensic science providers and practitioners in the Criminal Justice System’ Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/651966/100_-_2017_10_09_-_The_Codes_of_Practice_and_Conduct_-_Issue_4_final_web_web_pdf__2_.pdf (Accessed 27 April 2018)

23. Blackman, D., Szewczyk, P., (2015), The challenges of seizing and searching the contents of wi-fi devices for the modern investigator. Proceedings of the 13th Australian Digital Forensics Conference, 37-48, Security Research Institute, Edith Cowan University.

24. NIST (2013) ‘Crime Scene Investigation: A Guide For Law Enforcement’ Available at: https://www.nist.gov/sites/default/files/documents/forensics/Crime-Scene-Investigation.pdf (Accessed 13 April 2018)

25. The Association of Chief Police Officers (ACPO) (n.d.) ‘Good Practice Guide for Computer-Based Electronic Evidence’ Available at: https://www.7safe.com/docs/default-source/default-document-library/acpo_guidelines_computer_evidence_v4_web.pdf (Accessed 16 April 2018)

26. Statista (2018b) ‘How many connected devices do you currently use?’ Available at: https://www.statista.com/statistics/365104/number-connected-devices-per-person-uk/ (Accessed 13 April 2018)

27. Skills For Justice (n.d.) ‘National Roles Level 1’ Available at: https://www.skillsforjustice-ppf.com/national-roles/?rt_id=2&rg_id=9 (Accessed 23 April 2018)

28. ENFSI (2012) ‘Scenes of Crime Examination Best Practice Manual’ Available at: http://library.college.police.uk/docs/appref/ENFSI-BPM-v1_0.pdf (Accessed 27 April 2018)

29. DeMarco, J., Sharrock, S., Crowther, T. and Barnard, M., 2017. Behaviours and characteristics of perpetrators of online-facilitated child sexual abuse and exploitation. A Rapid Evidence Assessment, NatCen. Prepared for Independent Inquiry into Child Sexual Abuse (IICSA).

30. CISCO (n.d.) ‘What Is a Wireless Router?’ Available at: https://www.cisco.com/c/en/us/products/wireless/wireless-router.html (Accessed 13 April 2018)

31. Gibson, S., 2001. UnPlug n’ Pray. Available at: https://www.grc.com/unpnp/unpnp.htm (Accessed 13 April 2018)

32. College of Policing (2017) ‘Investigation’ Available at: https://www.app.college.police.uk/app-content/investigations/introduction/#volume-crime (Accessed 27 April 2018)

33. Ministry of Justice (2015) ‘Criminal Procedure and Investigations Act 1996 (section 23(1)) Code of Practice’ Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/447967/code-of-practice-approved.pdf (Accessed 23 April 2018)

34. Wicker, S.B. and Santoso, S.M., 2013. Access to the internet is a human right. Communications of the ACM, 56(6), pp.43-46.

35. Sky (n.d.) ‘Set up your Sky Hub: Which Sky Hub do you have?’ Available at: https://www.sky.com/help/diagnostics/set-up-your-sky-hub/which-sky-hub-do-you-have (Accessed 20 April 2018)

36. Sky (2017) ‘Accessing your router settings page 192.168.0.1’ Available at: http://helpforum.sky.com/t5/How-to/Accessing-your-router-settings-page-192-168-0-1/ba-p/2649511 (Accessed 23 April 2018)

37. SWGDE (2012) ‘SWGDE Model Standard Operation Procedures for Computer Forensics’ Available at: https://www.swgde.org/documents/Current%20Documents/SWGDE%20QAM%20and%20SOP%20Manuals/SWGDE%20Model%20SOP%20for%20Computer%20Forensics (Accessed 13 April 2018)

38. BT (n.d.) ‘BT Home Hub 5’ Available at: https://www.shop.bt.com/content/uni2/documentation/90ry/home-hub-5-info-and-troubleshooting.pdf (Accessed 17 January 2019)

39. BT (n.d.) ‘BT Home Hub 5’ Available at: http://bt.custhelp.com/app/answers/detail/a_id/56400/c/346 (Accessed 17 January 2019)

Appendix 1: Extraction of Router Data at Scene SOP. (<SOP has been submitted as a separate document as part of the article submission for review process>).