Question

How to identify the exact device?

Oct 22, 2018 8:26PM PDT

(Context is government scale, cyber security forensics)

I am a student learning networking (including cyber security). I have this question. Here is a scenario to make the question easier to understand.
- A house network is shared with 3 tenants: T1, T2, T3.
- Tenant T2 engages in malicious activities such as hacking websites, bank accounts and a lot more.

Now, I know that the router will send the requests and, when a response is received, the router will know which device to deliver the response to. As far as I know, the router will send requests, but they will have only the MAC address of the router and the IPv4 address of the router. Cyber security analysts can identify which location the activity was initiated from but won't be able to find which tenant to accuse. (Well, I know the owner of the network is liable, but let's keep that fact aside.) How can we identify the device in question?

Post was last edited on October 23, 2018 3:39 PM PDT

Clarification Request
That's old information.
Oct 22, 2018 9:18PM PDT

IPv6 is what I'm using now. Also, the MAC address can be randomized so it's only good for the one session.

Why not invalidate the offending connection and see who comes to complain about the failure?

Thanks, I better update the scenario a bit.
Oct 22, 2018 9:36PM PDT
"Why not invalidate the offending connection and see who comes to complain about the failure?"

Thanks for the reply. I think I better edit the scenario.

Let me share how I found our Waldo.
Oct 23, 2018 1:03PM PDT

We had a user that was torrenting and clogging up the network. Rather than hunt them down, we just removed their MAC address from the allowed users. It didn't take long for "Waldo" to show up at the IT support area.

context is government scale, cyber security forensics
Oct 23, 2018 3:39PM PDT

Thanks R Proffitt, actually, my context is government scale, cyber security forensics. The government can identify the address, but how would they arrest the responsible tenant? This is the scenario. Thanks

That's where
Oct 23, 2018 4:06PM PDT

You get a lawyer. They will guide you on legal matters. If you don't get this advice from a lawyer my bet is your case will crumble plus open up another counter suit for damages.

I hope that in such cases, you never take advice from the field. All I can offer is how we found our Waldo.

Educational only
Oct 23, 2018 5:00PM PDT

Hi, my scenario mentioned is for educational purposes only. I am a student of the University of London and currently working on "Data Communication and Networking". Theoretically, I see that when a device from a collection of devices communicates with the outside world, the data goes through the router, and with NAT, the router knows which device is waiting for the response. The router only shares the IP address and MAC address of the router. Is there a way for an outside party (e.g. ISP) to locate and identify which device it was communicating with? As far as I know, the ISP (or any other external party) can only identify the location, which is your address.

Assumption: The browser doesn't share the OS details, PC name or IP address of the device, and no VPN is being used.

While you are moving the goal posts.
Oct 23, 2018 5:13PM PDT

Sorry but next time you post such, spill the beans.

My view is from a legal one as I have worked with lawyers in the past as well as IT. You would NEVER do such in the USA without getting your lawyer involved. Maybe you as an academic wouldn't think of that but in short TLA, "IRL"! This is how it's done.

send them some cookies
Oct 23, 2018 7:14PM PDT

That way if law enforcement is looking for whose computer has the cookies, then they will find the culprit.

Why does this make me think of this?
Oct 24, 2018 11:28AM PDT

Clarification Request
do you have access to the router?
Oct 23, 2018 6:04AM PDT

If so, and logging is turned on in it, you can see which tenant has been connecting to what sites, and identify the targeted sites to the tenant responsible for the unapproved activity.
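
Added example, not part of the original post: how router-side logs can tie a flow that an outside party saw only as "public IP and port" back to one inside device, by joining a NAT translation log with DHCP leases on time. The log line layouts, addresses and MACs are constructed for illustration and are not any real router's format.

```python
from datetime import datetime, timedelta

# Constructed sample logs. The line layouts are assumptions made for this
# example, not the log format of any particular router.
# NAT: time, proto, inside ip:port, translated public ip:port, destination
NAT_LOG = """\
2018-10-22T20:01:05 tcp 192.168.1.11:49822 203.0.113.7:40001 198.51.100.20:443
2018-10-22T20:01:09 tcp 192.168.1.12:51514 203.0.113.7:40002 198.51.100.99:443
2018-10-22T23:30:00 tcp 192.168.1.12:50100 203.0.113.7:40002 198.51.100.99:443
"""
# DHCP: lease start, inside IP, client MAC, lease length in seconds
DHCP_LOG = """\
2018-10-22T19:00:00 192.168.1.11 02:00:00:00:00:01 7200
2018-10-22T19:30:00 192.168.1.12 02:00:00:00:00:02 7200
2018-10-22T23:00:00 192.168.1.12 02:00:00:00:00:03 7200
"""

def parse_nat(text):
    keys = ("ts", "proto", "inside", "public", "dest")
    rows = [dict(zip(keys, line.split())) for line in text.splitlines()]
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return rows

def parse_leases(text):
    out = []
    for line in text.splitlines():
        ts, ip, mac, secs = line.split()
        start = datetime.fromisoformat(ts)
        out.append({"ip": ip, "mac": mac, "start": start,
                    "end": start + timedelta(seconds=int(secs))})
    return out

def attribute(public, dest, seen_at, nat, leases, window=timedelta(minutes=2)):
    """Map a flow seen from outside to (inside_ip, mac); None if no NAT entry."""
    # Public ports are reused, so the match must also be close in time.
    hits = [r for r in nat if r["public"] == public and r["dest"] == dest
            and timedelta(0) <= seen_at - r["ts"] <= window]
    if not hits:
        return None
    flow = max(hits, key=lambda r: r["ts"])
    ip = flow["inside"].rsplit(":", 1)[0]
    # Inside IPs are re-leased, so pick the lease active when the flow began.
    for l in leases:
        if l["ip"] == ip and l["start"] <= flow["ts"] < l["end"]:
            return ip, l["mac"]
    return ip, None  # flow known, but no lease record covers it
```

In the sample data the same public port and the same inside IP both map to a different MAC a few hours later, which is why the timestamp supplied by the outside party matters; the result names a network interface, not a person.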

context is government scale, cyber security forensics
Oct 23, 2018 3:45PM PDT

Thanks. The context is government scale, cyber security forensics. How would the government officials arrest the correct tenant?

Investigation
Oct 23, 2018 6:59PM PDT

As it was stated earlier, the government has to go through its known and unknown evidence to parties involved and have their lawyers see if it is strong enough to get the federal authorities involved to launch an investigation into the matter. If the evidence is strong enough to justify onsite monitoring of the tenants to pinpoint who is hacking the given entities, a warrant would have to be obtained from a judge to monitor the premises to find out who is doing the hacking. Then, after an investigation, an arrest warrant can be requested from the court to arrest the hacker.

Investigation about massaging
Nov 30, 2018 1:23AM PST

Thank you RootJunky!! I've been on XDA for months waiting on a clear and easy way to root my G930T. Then I saw this. Oh how I missed having a rooted device. Now, if only I could get a perm root for my crappy Alcatel One Touch Pop7 from Tmo.

Answer
Change the network password is
Oct 25, 2018 6:13AM PDT

the easiest solution and only tell the one using the network legally. If an ISP identifies illegal activities, they will only show the name of the account owner.