Wi-Fi Forensics

The IEEE 802.11 standard defines three categories of frames: management frames, control frames, and data frames. Forensic investigators work primarily with management frames because they contain the metadata of network participation: who joined, when, from which device, and with what signal strength. Management frames are transmitted unencrypted on modern networks, including those using WPA2 and WPA3, with the exception of the 802.11w Protected Management Frames standard which encrypts deauthentication and disassociation frames on participating networks.

Data frames carry the actual network payload. On an encrypted network the payload is ciphertext, but the frame headers remain visible and contain the source and destination MAC addresses, the BSSID, and sequence numbers. Sequence number analysis can identify retransmissions, estimate data volumes, and detect frame injection attacks where an adversary inserts forged frames to disrupt a session or plant misleading evidence.

When a Wi-Fi client associates with an access point, the access point records the event. In enterprise deployments the log entry is forwarded by syslog or SNMP trap to a central SIEM or log management platform where it is retained according to organisational policy. A typical association log entry contains: the client MAC address, the SSID and BSSID, the event type (association, reassociation, or disassociation), a timestamp, the 802.11 authentication method, and the received signal strength (RSSI).

In enterprise wireless environments managed by controllers such as Cisco WLC, Aruba Mobility Controller, or Juniper Mist, every access point in the building streams events to the controller, which maintains a searchable event database. Law enforcement can obtain these records by legal process directed at the organisation, the ISP, or the building owner. The retention period is set by organisational policy and local law: the EU's GDPR does not specify a minimum retention for Wi-Fi logs but requires proportionality; India's Information Technology Act 2000 and the Information Technology (Intermediary Guidelines) Rules 2021 require certain service providers to retain logs for 180 days; US federal law under 18 U.S.C. requires providers to preserve records for 90 days on request.

Consumer-grade home routers, which account for a large share of the access points investigators encounter, typically do not log association events to persistent storage. They may maintain a small rolling buffer of DHCP leases or connection events in NVRAM that is lost on reboot. Where AP logs are absent, investigators rely on the ISP's RADIUS authentication records (the ISP authenticates the router to the network, not individual Wi-Fi clients), on DHCP lease logs held by the ISP or home router, or on the device-side artefacts described in the next section.

Every major mobile and desktop operating system records Wi-Fi connection history in persistent storage. The depth and accessibility of that history varies by platform. Recovery requires physical or file-system acquisition in most cases, as these artefacts are not exposed through standard backups.

On Android devices, Wi-Fi configuration and history are stored in several locations depending on the Android version. From Android 9 onward, the primary configuration file is /data/misc/apexdata/com.android.wifi/WifiConfigStore.xml. Earlier versions used /data/misc/wifi/WifiConfigStore.xml or /data/wifi/bcm-wifi/wpa_supplicant.conf. These files contain the SSID, BSSID, frequency band, security type, and timestamps of each remembered network. The wpa_supplicant.conf format also records the order in which networks were prioritised. Recovery requires a physical acquisition or root access to the device file system. For acquisition methods, see Physical Acquisition Techniques.

On iOS, Wi-Fi configuration is stored in the keychain and in preference plists under /private/var/preferences/SystemConfiguration/com.apple.network.identification.plist and the related wifi.plist. iTunes and iCloud encrypted backups include these files. The knownNetworks.plist in particular records the SSID, BSSID, last join date, and channel for each remembered network. On Windows 10 and 11, WLAN profiles are stored in C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\ and the SYSTEM registry hive contains additional connection timestamps under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles. The ShimCache and SRUM database provide corroborating timestamps for Wi-Fi adapter activity.

Probe requests are the most tactically useful category of Wi-Fi evidence for real-time or near-real-time surveillance, because they are broadcast in plaintext before a device has connected to any network. A device scanning for Wi-Fi will emit probe requests for each SSID on its preferred network list and may also send broadcast probe requests with a null SSID asking any access point to respond. Both are capturable by any 802.11 monitor-mode receiver within radio range.

A forensic packet capture for probe request evidence requires a Wi-Fi adapter capable of monitor mode, placed on the channel where the target device is expected to operate. Tools commonly used include airodump-ng from the Aircrack-ng suite, which writes a PCAP file with timestamps, and Wireshark with a monitor-mode adapter, which allows live frame inspection. The capture file is the primary exhibit and must be preserved with a cryptographic hash immediately after collection. Metadata required for chain of custody includes the capture device serial number, the adapter make, model and driver version, GPS coordinates of the capture position and time, and the channel configuration used.

Analysing a PCAP file for probe requests uses Wireshark display filters. The filter wlan.fc.type_subtype == 0x04 isolates probe request frames. Within those frames, the SSID parameter field (Tag 0) contains the requested network name, and the source address field contains the transmitting device's MAC address. If the device is using MAC randomisation, the locally administered bit (bit 1 of the first octet of the MAC) will be set to 1, indicating a random rather than burned-in address. This distinction is visible in the packet headers.

Correlating multiple probe captures from different locations allows triangulation. If a target device's MAC address appears in captures from three different sensors at overlapping times, the intersection of their radio ranges narrows the device's probable position. This technique is analogous to cell-tower triangulation and has been used in law enforcement operations in the UK, US, and EU. The legal basis for conducting such captures varies: in the UK it requires authorisation under the Investigatory Powers Act 2016; in the US it requires a warrant under the Fourth Amendment following the Carpenter v. United States (2018) decision on digital location evidence; in India it falls under provisions of the Bharatiya Nagarik Suraksha Sanhita 2023 governing interception.

MAC address randomisation is now the default behaviour on most consumer devices. Android 8 introduced per-network randomisation; iOS 14 extended it to include randomisation of probe request frames; Windows 10 v1903 added optional randomisation. From a forensics perspective, randomisation means that consecutive captures of the same device at different locations may show different source MAC addresses, preventing simple tracking across captures.

Several techniques remain available to investigators. First, the stable burned-in MAC is preserved in device-side artefacts even when randomisation is active, because the OS records the hardware address alongside the randomised one in configuration files. Physical acquisition of the device will recover the real MAC, which can then be cross-referenced against AP logs from before randomisation was introduced. Second, some randomisation implementations are deterministic per-network: the same device generates the same random MAC for the same SSID, so if the network SSID is known, the randomised MAC is consistent across sessions. Third, information elements beyond the MAC in probe request frames, such as the list of supported data rates, the 802.11 capability flags, and the vendor-specific elements included by the chipset driver, form a fingerprint that can persist even as the MAC changes. This technique is called probe request fingerprinting and has been demonstrated in academic research to re-identify devices with high accuracy despite randomisation.

Wi-Fi evidence rarely stands alone in a criminal investigation. Its strength comes from corroboration with other location and device evidence. The AP log places a MAC address at a network at a time. The device's own preferred network list and connection timestamps confirm that the same device was the source. DHCP logs assign an IP address to that MAC, which links to any network-layer activity on the network such as web browsing, cloud service authentication, or file transfers logged by the network.

Cell tower data and GPS logs from the device provide independent location evidence that can confirm or contradict the Wi-Fi evidence. Location history from Google or Apple services, if obtained under legal process, maps BSSID observations to geographic coordinates with timestamp precision. CCTV from the premises where the access point is located can visually confirm that a person was present at the time the device was associated. Together, these sources construct a location narrative that is much harder to challenge than any single source. See Location History and Geolocation Artefacts for the full treatment of multi-source location reconstruction.

The investigator must also account for limitations that defence will raise. Wi-Fi range is not fixed: a high-gain directional antenna can receive probe requests from several hundred metres away, meaning the device could have been in a vehicle on a road outside a building rather than inside it. Access-point clocks may be unsynchronised, creating timestamp errors of minutes or more. MAC spoofing allows a deliberate actor to transmit a target device's MAC from a different device, potentially fabricating the association log entry. Each limitation must be addressed in the investigator's report, with a reasoned conclusion about whether the limitation materially affects the specific evidence being offered.