Wednesday, 26 May 2010

2010 Indonesian Super Six UK Alumni

On last April, I was awarded by British Council as one of "2010 Indonesian Super Six UK Alumni". It is really a pride and honour for me to be selected for this award. I've never dreamed it before. For this award, I thank my family for all supports given to me when I joined master degree, MSc in Forensic Informatics at the University of Strathclyde, UK. I am also gratefull to my lecturers teaching and guiding me to understand about this issue comprehensively. Lastly, I will not forget Foreign and Commonwealth Office (FCO) and British Council which already gave opportunity to join Strathclyde through Chevening Scholarships scheme.

For further information about 2010 Indonesian Super Six UK Alumni, please access http://www.britishcouncil.org/indonesia-educationuk-supersix-mnuh.htm.

Cyber Crime Research at Strathclyde

At the end of last April, I was invited to attend the first session of Cyber Crime Research which is conducted by Institutes for Advanced Studies (IAS) along with University of Strathclyde. This session was attended by representatives of UK universities, law enforcement agencies and private sectors. On this moment, I delivered presentation about ATM Crime in which I focused on modus operandi and forensic investigation. I explained how to perform forensic investigation on this crime properly; what type of targets (digital evidence) recovered from electronic evidence; and how to make relationship between perpetrators and the evidence.

I also introduced "Scientific Crime Investigation Triangle" comprising criminals, victims and evidence. To connect among them, it requires forensic investigation and modus operandi. Besides that, I discussed about modus operandi of ATM crime such as duplication of ATM cards by using skimmers and hacking ATM machine by exploiting its system. I also showed the data recovered from skimmer's memory such as 16 digits of card numbers, 15 to 20 digits of account identity, 4 to 6 digits of PIN codes, and countries issuing the card as well as video recordings revealed from spy camera attached around ATM machine. To investigate it properly, it requires processes subsequently such as acquisition, examination, analysis and reportings which are based on the Digital Forensic Principles referring to ACPO Guidelines on Electronic Evidence.

For further information about this presentation, please go to this link http://www.scribd.com/doc/31902914/ATM-Crime-by-Muhammad-Nuh-Al-Azhar. Hopefully this could be useful for anybody investigating this crime.

Friday, 26 February 2010

Sharing the knowledge

In the last two weeks, I was requested by some parties to share the knowledge on digital forensic at two different activities. The first is to be keynote speaker on the digital forensic preview seminar conducted by EC-Council Representative for Indonesia (i.e. PT. Datamation) along with PT. Andalan Nusantara Teknologi. This seminar carried out in Jakarta was attended by about sixty people which are Chief Information Officer (CIO) or IT people from different organisations in Indonesia such as Bank Central Asia (BCA), Pertamina, Bina Nusantara University, Indonesian Foreign Affairs Department and so on. The second is to be guest lecturer at University of Indonesia. This is a program of the British Council (i.e. UK Alumni Road Show) performed jointly with Criminology Department of University of Indonesia. This class moderatored by Prof. Adrianus Meliala was attended by about thirty students which actively followed the session of lecturing.

In both moments, I talked about the current development of digital forensic. Following are some core materials delivered:

Investigation flow chart
On this chart, it is explained that computer crime or computer-related crime is investigated in order to solve the case. This investigation is done by applying digital forensic properly. In this case, digital forensic plays some key roles, namely:
- To support and perform scientific crime investigation.
- To carry out forensic analysis on electronic evidence in order to find out digital evidence.
- To be able to describe the link between the perpetrators and their crime.
- To deliver expert testimony at court.


Digital forensic principles
These principles are adopted from ACPO (i.e. Association of Chief Police Officers in the UK) guidelines. It is widely used by digital forensic practitioners in the world. In my point of view, a digital forensic analyst should understand these principles and has to apply it when performing a forensic investigation. Below are the principles quoted from the guidelines.
1. No action taken by law enforcement agencies should change data held on a computer or storage media.
2. The person accessing the data must be competent to do so and able to explain the relevance and implications of the actions taken.
3. An audit trail or record of all processes applied should be created and preserved.
4. The person in charge has overall responsibility to ensure that  these principles are adhered to.

First actions at the scene
When a computer is off, following are some actions which should be taken:
1. Make sure it is switched off and never turn it on.
2. Remove the battery (for notebooks / mobile device) or unplug the end of the power cable attached at CPU first, and then from wall socket (for PCs).
3. For mobile device: if any, never remove SIM cards from the device.
4. Label, document and record it; and then seize it for further analysis.

When a computer is on, the actions would be:
1. Record what is running on the screen.
2. Collect data (e.g. running processes, opened ports, decrypted volumes, etc.). Ensure that changes made to the system are understood.
3. When possible, perform live forensic imaging.
4. Never use the shut down procedure of the OS.
5. Unplug the cable power from CPU first; and then from the wall socket (for PCs) or remove the battery (for notebooks / mobile).
6. Label, document and record it; and then seize it for further analysis.

Digital forensic components
These are components which should be well understood in order to perform digital forensic analysis properly.
1. Qualified Human Resource: Professional digital forensic analyst.
2. Forensic Procedure: Implementation of digital forensic principles.
3. Reliable Hardware: High speed processor, reasonable RAM, USB to IDE cable, write protect, etc.
4. Reliable Software: Forensic applications running under Microsoft Windows and Linux Ubuntu.
5. Management: Solution on budget and non-technical problems.


Digital forensic coverage
Based on the type of the evidence analysed, digital forensic is devided into several categories, namely:
1. Computer Forensic.
2. Cyber & Network Forensic.
3. Mobile Forensic.
4. Audio Forensic.
5. Video & Digital Image Forensic.
6. CD/DVD Forensic.

Anti forensic
It is defined as techniques implemented by perpetrator in order to against digital forensic.The objectives of anti-forensic are:
1. To conceal the case-related information.
2. To obscure the criminal’s involvement.
3. To obstruct the action of digital forensic analyst.


The techniques of anti forensic which are frequently implemented are:
1. Cryptography. It is a method to conceal essential information by deploying cryptography algorithm.
2. Steganography. It is a method to conceal essential information by embedding it into a carrier, so that it is difficult to detect.
3. Wiping. It is a method for securely deletion by overwriting sectors of deleted target.

That's several materials I delivered on both moments. It is a pride for me to be speaker or lecturer in sharing my knowledge and experience on digital forensic to other people. I always look forward to receiving the invitation like these programmes. Hopefully this could be useful for anybody or any organisations that would like to apply digital forensic on the investigation of computer crime or computer-related crime.

Good luck...!

Saturday, 2 January 2010

New Year Message

Dear All,

Like or dislike, we have leaved the year 2009 behind and we encounter the new year 2010. So many things we have done in the last year. It could be good or bad thing. For the good thing, We hope that we could reach it again in the new year 2010 or even we could exceed it to be better than the previous year. For the bad thing, we have to leave it and do not repeat it in this year. With this ideal condition, we wish that this year would bring more success, luck and health for all of us. May GOD bless us forever.

Good Luck...!

Forensic Cop Journal 3(3): Digital Forensic Principles

Introduction

Following the fast development of IT, computer crime becomes a complex crime with the use of high technology, so that it is not easy for forensic investigators to analyse this crime, even to trace back the perpetrators. The criminals can utilise the internet or intranet in order to commit this crime by exploiting vulnerabilities which might exist in the network, or even in the target’s machine. By doing this, they can intrude the network and then hijack the target computers. They make these computers become botnet (i.e. robot network), so that they can get fully control on these machines, moreover they can order it to attack a server in order to make it down by applying DDos (Distributed Denial of Service) attack.  When a target computer can be compromised, the criminals can get fully access on it. They can obtain much information stored on this computer either confidential or normal. If the information is confidential, so they can use it for their illegal benefits such as selling it to the victim’s competitors or making identity fraud. If the information stolen is bank account or credit/debit card, so they can use it to purchase any stuff from the internet (i.e. it is called carding) or make money transfer. If the information obtained by the criminals is email account, so they can hijack it by changing the password and then send many fully wrong emails on behalf of the victim to anybody or any institutes. The receivers assume that the emails come from the victim. As long as the receivers have not known the actual condition yet, the criminals can persuade them to do something which is able to give bad impact to the target. There are many disadvantages occurred when a computer crime is committed.

From the description above, computer crime is a serious crime which requires more attention of law enforcement agencies. If it cannot be handled properly, so the perpetrators cannot be arrested by police, or even they can be released by the court when the evidence is not sufficient to support the case. Based on this reason, the digital forensic analyst is expected to be able to handle this crime properly. It means that the analyst should be able to provide strong evidence which can be used to prove the relationship between the case and the perpetrators. If this can be performed correctly, so it can be guaranteed that the case can be solved successfully. To provide strong evidence, the analyst should have good background on computer science and practical IT; and then they should be well understood on how a computer crime can occur. With this knowledge, they can investigate the case comprehensively, so that they will be able to obtain the fact of the case properly. The evidence supporting the involvement of the perpetrators can be provided perfectly by the analyst/investigators in order to bring them to the jail.

To reach this goal, the analyst should perform comprehensive digital forensic investigation by applying reliable investigative techniques as well as digital forensic procedures and applications. In dealing with this, the analyst should understand well about digital forensic principles. On this journal, it will explain the basic principles of Association of Chief Police Officers (ACPO) which must be applied by digital forensic analyst. These principles are also adopted by Digital Forensic Analyst Team (DFAT) of Forensic Laboratory Centre of Indonesian National Police (INP).

ACPO Basic Principles on Digital Forensic


To understand how to do seizure correctly, firstly the analyst should be able to understand digital forensic principles. According to ACPO in the UK, there are four principles which must be implemented in digital forensic investigation. Below are such principles (ACPO, p8, 2008).



To obtain further explanations about digital forensic princples particularly from ACPO including its impelementations, please access http://www.scribd.com/doc/24696469/Forensic-Cop-Journal-3-3-2010-Digital-Forensic-Principles. On this link, the pdf version of this journal can be downloaded.

Good Luck...!

Forensic Cop Journal 3(2): Standard Operating Procedure of Seizure on Computer-based Electronic Evidence

Introduction

Handling the evidence found in the case of computer crime or computer-related crime is different from handling other evidence such as blood, tool marks, trace, and fibres. The evidence found at such crimes is grouped as computer-based electronic evidence. As the evidence from this type of crime is easy to volatile, digital forensic analyst should be able to understand how to handle it properly. With proper handling, it is expected that the analyst could reveal the contents of the evidence and bring it to further investigation. With proper ways, the findings in the evidence are also reliable and even it can be accepted by the court, otherwise it will be doubt and even rejected by the court.

Based on this fact, as to handle such evidence is so essential, the analyst must pay more attention when finding it at the crime scene. To handle it is started from seizure; therefore the seizure technique plays a key role on handling it properly. From the seizure at the crime scene, chain of custody of the evidence is also started. Chain of custody is a comprehensive description about the travelling of the evidence from the crime scene to the court. Who firstly found it at the crime scene; and then who handles it in further investigation actions till who submits it to the court. It also describes who does what on the evidence. However this journal does not discuss about chain of custody, but it will explain about how to perform proper seizure on computer-based electronic evidence.

Computer-based Electronic Evidence

The evidence which is found in the case of computer crime or computer-related crime and requires digital forensic analysis is grouped as computer-based electronic evidence. This evidence is actually physical evidence as it is visually seen. Digital forensic analyst and criminal investigators should seek the existence of this evidence type at crime scene. After finding it, they perform a proper seizure on it.

The findings in the form of data or information stored in the evidence are called digital evidence. This digital evidence is then required to be found and analysed by digital forensic analyst as it can prove the relationship between the case and the perpetrators.

There are two conditions related to the seizure of computer-based electronic evidence. Both conditions should be understood correctly by the analyst or the investigators, so that they can perform seizure properly. Below are the conditions.
Condition 1: The electronic evidence appears to be switched off
Condition 2: The electronic evidence appears to be switched on
To know how to do seizure properly on each condition including what types of the evidence which should be seized at the crime scene, please access http://www.scribd.com/doc/24696245/Forensic-Cop-Journal-3-2-2010-Standard-Operating-Procedure-of-Seizure-on-Computer-Based-Electronic-Evidence. On this link, the full version of this journal is provided.

Good Luck...!

Forensic Cop Journal 3(1): Standard Operating Procedure of Physical Analysis on Ubuntu

In this journal, the image file is a dd file which is obtained from the acquisition process previously. After checking the hash value of the dd image file which must be identical with the evidence of storage media, the dd is then analysed in the following further actions.

Method: Physical analysis with the use of Autopsy

Autopsy is graphical interface form of The Sleuthkit (TST) created by Brian Carrier. TST is designed to be used in command lines on terminal, while Autopsy is a browser for running TST. As Autopsy is a browser, it provides an ease for digital forensic analyst to investigate the evidence. Both applications are reliable for forensic analysis like other commercial applications such as EnCase and Forensic Toolkit (FTK) running under Ms Windows OS. TST and Autopsy are used to analyse the file system of evidence in a non-intrusive way. As it does not rely on the operating system to examine the file system, it can show the deleted and hidden contents.

According to the author as described in the Synaptic Package Manager, it allows the analyst to examine the layout of disks and other media. It supports DOS partitions, BSD partitions (disk labels), Mac partitions, and Sun slices (Volume Table of Contents). With these tools, the analyst can identify where partitions are located and extract them so that they can be analysed with file system analysis tools. It provides case management, image integrity, keyword searching, and other automated operations for investigative purposes.

As explained in the Synaptic, autopsy starts the Autopsy Forensic Browser server on port 9999 and accepts connections from the localhost.  If the -p port is given, then the server opens the port and if address is given, then connections are only accepted from that host.  When the -i argument is given, then autopsy goes into live analysis mode.

There are four consecutive steps related to physical analysis, namely:
Step 1: Initiating the Autopsy browser
Step 2: Configuring the case
Step 3: Analysing the image
Step 4: Closing the analysis
For full description on the steps above, please access http://www.scribd.com/doc/24695990/Forensic-Cop-Journal-3-1-2009-Standard-Operating-Procedure-of-Physical-Analysis-on-Ubuntu. On this link, the pdf version of this journal can be downloaded.

Good Luck...!