In the last two weeks, I was requested by some parties to share the knowledge on digital forensic at two different activities. The first is to be keynote speaker on the digital forensic preview seminar conducted by EC-Council Representative for Indonesia (i.e. PT. Datamation) along with PT. Andalan Nusantara Teknologi. This seminar carried out in Jakarta was attended by about sixty people which are Chief Information Officer (CIO) or IT people from different organisations in Indonesia such as Bank Central Asia (BCA), Pertamina, Bina Nusantara University, Indonesian Foreign Affairs Department and so on. The second is to be guest lecturer at University of Indonesia. This is a program of the British Council (i.e. UK Alumni Road Show) performed jointly with Criminology Department of University of Indonesia. This class moderatored by Prof. Adrianus Meliala was attended by about thirty students which actively followed the session of lecturing.
In both moments, I talked about the current development of digital forensic. Following are some core materials delivered:
Investigation flow chart
On this chart, it is explained that computer crime or computer-related crime is investigated in order to solve the case. This investigation is done by applying digital forensic properly. In this case, digital forensic plays some key roles, namely:
- To support and perform scientific crime investigation.
- To carry out forensic analysis on electronic evidence in order to find out digital evidence.
- To be able to describe the link between the perpetrators and their crime.
- To deliver expert testimony at court.
Digital forensic principles
These principles are adopted from ACPO (i.e. Association of Chief Police Officers in the UK) guidelines. It is widely used by digital forensic practitioners in the world. In my point of view, a digital forensic analyst should understand these principles and has to apply it when performing a forensic investigation. Below are the principles quoted from the guidelines.
1. No action taken by law enforcement agencies should change data held on a computer or storage media.
2. The person accessing the data must be competent to do so and able to explain the relevance and implications of the actions taken.
3. An audit trail or record of all processes applied should be created and preserved.
4. The person in charge has overall responsibility to ensure that these principles are adhered to.
First actions at the scene
When a computer is off, following are some actions which should be taken:
1. Make sure it is switched off and never turn it on.
2. Remove the battery (for notebooks / mobile device) or unplug the end of the power cable attached at CPU first, and then from wall socket (for PCs).
3. For mobile device: if any, never remove SIM cards from the device.
4. Label, document and record it; and then seize it for further analysis.
When a computer is on, the actions would be:
1. Record what is running on the screen.
2. Collect data (e.g. running processes, opened ports, decrypted volumes, etc.). Ensure that changes made to the system are understood.
3. When possible, perform live forensic imaging.
4. Never use the shut down procedure of the OS.
5. Unplug the cable power from CPU first; and then from the wall socket (for PCs) or remove the battery (for notebooks / mobile).
6. Label, document and record it; and then seize it for further analysis.
Digital forensic components
These are components which should be well understood in order to perform digital forensic analysis properly.
1. Qualified Human Resource: Professional digital forensic analyst.
2. Forensic Procedure: Implementation of digital forensic principles.
3. Reliable Hardware: High speed processor, reasonable RAM, USB to IDE cable, write protect, etc.
4. Reliable Software: Forensic applications running under Microsoft Windows and Linux Ubuntu.
5. Management: Solution on budget and non-technical problems.
Digital forensic coverage
Based on the type of the evidence analysed, digital forensic is devided into several categories, namely:
1. Computer Forensic.
2. Cyber & Network Forensic.
3. Mobile Forensic.
4. Audio Forensic.
5. Video & Digital Image Forensic.
6. CD/DVD Forensic.
It is defined as techniques implemented by perpetrator in order to against digital forensic.The objectives of anti-forensic are:
1. To conceal the case-related information.
2. To obscure the criminal’s involvement.
3. To obstruct the action of digital forensic analyst.
The techniques of anti forensic which are frequently implemented are:
1. Cryptography. It is a method to conceal essential information by deploying cryptography algorithm.
2. Steganography. It is a method to conceal essential information by embedding it into a carrier, so that it is difficult to detect.
3. Wiping. It is a method for securely deletion by overwriting sectors of deleted target.
That's several materials I delivered on both moments. It is a pride for me to be speaker or lecturer in sharing my knowledge and experience on digital forensic to other people. I always look forward to receiving the invitation like these programmes. Hopefully this could be useful for anybody or any organisations that would like to apply digital forensic on the investigation of computer crime or computer-related crime.