Sunday, 29 December 2013

Butterfly botnet 'mastermind' jailed

BBC News
December 24, 2013 6:25 PM

A hacker accused of masterminding one of the biggest ever botnets has been sentenced to just under 5 years in jail.

Matjaz Skorjanc was arrested in 2010 after a two-year investigation into malware that had hijacked about 12.7 million computers around the world.

The 27-year-old was found guilty of creating the Mariposa botnet software, assisting others in "wrongdoings" and money laundering.

His lawyer said he would appeal.

In addition to the 58-month jail term, Skorjanc was also ordered to pay a 4,000 euro ($4,100; £2,510) fine and give up a flat and car he was alleged to have bought with money he had received from a Spanish criminal syndicate.

The prosecutors in the case have said they also intended to challenge the Slovenian court's ruling because they had wanted a tougher jail sentence of seven-and-a-half-years.

The former medical student's ex-girlfriend Nusa Coh was also sentenced to eight months probation for money laundering.

For more information, please go to the link below:
Butterfly botnet 'mastermind' jailed http://www.bbc.co.uk/news/technology-25506016

Friday, 10 May 2013

Autopsy as a Reliable Forensic Tool

In 2008/09, I joined the MSc in Forensic Informatics at the University of Strathclyde, UK, through the Chevening scholarship funded by the UK government and administered by the British Council. At that time, most experiments and assignments conducted in the lab used command line tools running on the Linux platform, such as dcfldd for forensic imaging, foremost for carving, exiftool for viewing EXIF data, and so on. One of the tools frequently used for forensic analysis was Autopsy, created by Brian Carrier. Autopsy, a forensic browser running on the Linux operating system, is derived from The Sleuth Kit, which is a group of command line forensic tools. I can say that Autopsy is a GUI for The Sleuth Kit. Autopsy for Linux is version 2.

On 26 March 2013, Brian Carrier released a new version of Autopsy which runs on the Windows platform. It is version 3.0.5, with a nice GUI. This version does not use a browser as the medium for viewing the results of forensic analysis, as Autopsy v2 on Linux does. The good news about Autopsy is that it is free of charge and is distributed under the Apache 2 license. For myself and others, I recommend this tool as one of the forensic tools to use for detailed digital forensic analysis.

Below is the description of Autopsy, quoted from its website:

Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects.

This page describes the concepts of version 3, which is a complete re-write from version 2. Version 3 currently only runs on Windows. If you perform digital forensics on a non-Windows system, refer to the version 2 page.

You can download Autopsy from the Downloads page and see the full set of features on the Features page.

The following concepts were essential to the design of Autopsy 3:
  • Extensibility: No single vendor can provide a solution to every analysis problem and no one knows what analysis techniques will work best on tomorrow's problems. Autopsy was designed with this in mind. In several places, it uses frameworks that allow plug-in modules to be easily inserted. This allows you to customize Autopsy to suit your analysis needs and extend it with custom or third-party modules.
  • Ease Of Use: Digital forensics tools should be intuitive and approachable so that they can be effectively used by non-technical investigators. Autopsy 3 uses wizards to help the investigator know what the next step is, uses common navigation techniques to help them find their results, and tries to automate as much as possible to reduce errors.
  • Fast Results: As media grows in size, it takes longer to analyze all of it. Autopsy tries to give the investigator relevant information as soon as possible. It analyzes user folders over system folders. It alerts you to hash set hits as soon as they are found and you can change the settings to only focus on important things if you have limited time (i.e. triage).
In order to allow for modules and future extensibility, Autopsy uses a central SQLite database to store its results. This database stays small because file content is not stored in it. This means that you get the benefits of having the data stored in a database without having to install a database or be a database administrator. The schema is documented on the wiki.
Ingest Modules analyze the disk image contents. When the investigator adds a disk image to the case, he is prompted to enable and configure the ingest modules. The basic version of Autopsy comes with ingest modules for:
  • Hash calculation and lookup
  • Indexed keyword search using open source SOLR/Lucene
  • Recent user activity (web artifacts, recent documents, etc) using Pasco2, RegRipper, and SQLite libraries.
  • MBOX / Thunderbird files
  • EXIF Extraction
These modules are run in parallel. Refer to the wiki page for the latest list of third-party modules. Developers are encouraged to write ingest modules because they can then let Autopsy deal with file access, reporting, and the UI, and they can focus on fancy analysis techniques.

Content viewers allow the examiner to view a single file. Different viewers display the file in different formats. Examples include hex, strings, and media (images, video, etc. using gstreamer). Additional viewers can be created to view different file types (such as advanced text analytics or image analysis).

Report modules create the final report. They access the central database to collect the results from all of the ingest modules. The basic version of Autopsy comes with an HTML and Excel report format. You can make other modules to report in custom formats.

Add-on Viewers show data in a more complex way than the three panel design. As an example, the timeline viewer displays the timeline data in graph form.

Several features were added to make sure Autopsy was easy to use for non-technical users.
  • Wizards are used in several places to guide the user through common steps.
  • History is maintained so that the user can use back and forward buttons to back track after they have gone down an investigation path.
  • Previous settings are often saved with the modules so that you can more easily analyze the next image with the same settings as the last image.
Autopsy's default view is a simple interface where all of the analysis results can always be found in a single tree on the left. When the examiner is looking for something, he should immediately review the tree. He doesn't have to dig through menus or layers of tabs to find the information.

Autopsy tries to be non-invasive with popups and messages from the background tasks that are running. The motivation for this is that you could be focusing on an investigation path based on some web activity or keyword search results. By having to deal with messages from background ingest modules, you could get distracted. The ingest inbox is where modules send messages. You can then open the inbox when you are ready to see the results, review what has been found since you last opened it, and choose which results to start focusing on.
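The ingest-module and central-database design described above, as an added example that is not Autopsy's own code: a toy hash-calculation-and-lookup ingest in Python that hashes the files of a constructed sample evidence tree, records hashes and hash-set hits in an in-memory SQLite results database without storing any file content, and posts each hit to a list standing in for the ingest inbox. The table names, the sample files and the "known bad" hash set are assumptions made for this illustration.

```python
import hashlib
import os
import sqlite3
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a large file never sits whole in memory

# Constructed "known bad" hash set (MD5 -> set name). It stands in for a real
# hash set; the payload is an assumption for this example, not a real indicator.
SAMPLE_PAYLOAD = b"constructed sample payload for the demo\n"
KNOWN_BAD_MD5 = {hashlib.md5(SAMPLE_PAYLOAD).hexdigest(): "demo-known-bad"}


def init_results_db(conn):
    """Create the assumed results schema: file metadata, hashes and hits.
    No file content column exists, which is what keeps the database small."""
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS files (
            obj_id INTEGER PRIMARY KEY,
            path   TEXT    NOT NULL,
            size   INTEGER NOT NULL,
            md5    TEXT,
            sha1   TEXT
        );
        CREATE TABLE IF NOT EXISTS hash_hits (
            obj_id   INTEGER NOT NULL REFERENCES files(obj_id),
            set_name TEXT    NOT NULL
        );
    """)


def hash_file(path):
    """Return (md5, sha1) hex digests computed in one streaming pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def ingest_directory(root, conn, hash_set, inbox):
    """Hash-lookup ingest: hash every file under root, store the results and
    report each hash-set hit to the inbox as soon as it is found."""
    files = hits = 0
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            md5, sha1 = hash_file(full)
            cur = conn.execute(
                "INSERT INTO files (path, size, md5, sha1) VALUES (?, ?, ?, ?)",
                (rel, os.path.getsize(full), md5, sha1),
            )
            files += 1
            set_name = hash_set.get(md5)
            if set_name:
                conn.execute("INSERT INTO hash_hits (obj_id, set_name) VALUES (?, ?)",
                             (cur.lastrowid, set_name))
                inbox.append("hash hit: %s is in set %s" % (rel, set_name))
                hits += 1
    conn.commit()
    return files, hits


def hit_report(conn):
    """Report-module style query over the results database."""
    return conn.execute(
        "SELECT f.path, h.set_name FROM hash_hits h "
        "JOIN files f ON f.obj_id = h.obj_id ORDER BY f.path"
    ).fetchall()


def build_sample_evidence(root):
    """Write a constructed three-file tree standing in for extracted image content."""
    samples = {
        "Users/alice/notes.txt": b"meeting with the supplier at 10\n",
        "Users/alice/Downloads/update.exe": SAMPLE_PAYLOAD,
        "Windows/system.ini": b"[boot]\nshell=explorer.exe\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the sample tree, run the ingest and return what a report would show."""
    inbox = []
    with tempfile.TemporaryDirectory() as root, sqlite3.connect(":memory:") as conn:
        build_sample_evidence(root)
        init_results_db(conn)
        files, hits = ingest_directory(root, conn, KNOWN_BAD_MD5, inbox)
        report = hit_report(conn)
        columns = [row[1] for row in conn.execute("PRAGMA table_info(files)")]
    return {"files": files, "hits": hits, "report": report,
            "inbox": inbox, "columns": columns}
```

Running `run_demo()` hashes the three constructed files, flags only `Users/alice/Downloads/update.exe`, and leaves a results database whose `files` table holds paths, sizes and digests but no content.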

Thursday, 9 May 2013

SOP 3 about Reporting of Digital Forensic Analysis Results

This SOP comprises 7 parts, namely:
1. Introduction
2. Purpose
3. Scope
4. Reference
5. Materials and Device
6. Implementation
7. Related Documents


1. Introduction

Once electronic evidence such as a personal computer (PC), laptop/notebook, netbook, tablet PC, mobile phone, flash disk, memory card and so on has been examined and analyzed through the procedures described in SOP 8 to 15, the next stage is to write down the examination and analysis procedures used and the results for each item of evidence in a technical report. The form of the report is the Official Report of the Forensic Laboratory, which is pro justitia so that it can be used as legal evidence in a court of law. Because of its official nature, the report can be issued if there is a written official request and investigative administration files from the police office unit that submitted the electronic evidence for examination, with the letter addressed to the Chief of the Forensic Laboratory Centre.

Because the report will finally be brought to court, the language used in the report must be as simple as possible without losing its essential meaning. The aim is that the jury/judges, prosecutors and/or lawyers can properly understand the process and results of the digital forensic examination and analysis, since they are not digital forensic analysts who understand digital forensics thoroughly.

2. Purpose

To ensure orderly administration and technical practice in producing the official report of the forensic laboratory, so that the report is comprehensive and includes the procedures used and the results of the digital forensic examination and analysis for each item of electronic evidence.

3. Scope

The scope of this SOP is as follows:
3.1. Introduction
3.2. Chapter I: Evidence Received
3.3. Chapter II: Purpose of Examination and Analysis
3.4. Chapter III: Procedures of Examination and Analysis
3.5. Chapter IV: Results of Examination and Analysis
3.6. Chapter V: Conclusion
3.7. Chapter VI: Packaging and Labeling Evidence
3.8. Chapter VII: Closing

4. Reference

4.1. ACPO, 7Safe (2008). Good Practice Guide for Computer-Based Electronic Evidence. UK ACPO and 7Safe.
4.2. National Institute of Justice (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. US National Institute of Justice.
4.3. Al-Azhar, M.N. (2012). "Digital Forensic: Practical Guidelines for Computer Investigation". Salemba Infotek, Jakarta.

5. Materials and Device

5.1. Analysis workstation
5.2. Form 1: Receiving Electronic Evidence
5.3. Form 2: Submitting Electronic Evidence
5.4. Technical data yielded from forensic examination and analysis
5.5. Investigative administration files

6. Implementation

6.1. Introduction

It contains the date on which the examination and analysis were completed, the names of the examiners together with their rank and position, the warrant for the examination and analysis, and other details.

6.2. Chapter I: Evidence Received

It contains all electronic evidence received, together with the technical specifications of each item of evidence as described in SOP 4.

6.3. Chapter II: Purpose of Examination/Analysis

It contains a description of the purpose of the examination and analysis, based on the official request letter or memo that provides information on the type of investigation, together with the police report.

6.4. Chapter III: Procedures of Examination and Analysis

It contains the SOPs used, such as SOP 8 and 9 for the acquisition and analysis of hard drives, flash disks and memory cards. In addition, it lists the MD5 hash value of the image/backup files generated by the forensic imaging or acquisition process as described in SOP 8 and 10.

6.5. Chapter IV: Results of Examination and Analysis

It contains all data from the electronic evidence found, as described in SOP 6 to 15, including investigative data related to the case that has been clarified with investigators, and the results of further analysis of that data. If there is an item of evidence on which no investigative data is found, the report states that no investigative data related to the case was found on that evidence.

6.6. Chapter V: Conclusion

It contains the conclusion drawn from the digital forensic examination and analysis, based on the investigative data found.

6.7. Chapter VI: Packaging and Labeling Evidence

It contains a description of the process of packaging and sealing the evidence, as well as labeling it with the evidence numbers, the evidence types, and the police office unit from which the electronic evidence originated, as described in SOP 5.

6.8. Chapter VII: Closing

It contains a closing sentence followed by the signatures of the examiners, acknowledged by the Chief of the Forensic Laboratory or his representative.

7. Related Documents

It is the same as the References in point 4, with the addition of:
7.1. Carrier, B. (2007). File System Forensic Analysis. Addison-Wesley.
7.2. Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Elsevier Academic Press.
7.3. Johnson, T. A. (2005). Forensic Computer Crime Investigation. Taylor & Francis.
7.4. Marcella, A.J. and Greenfield, R. S. (2002). Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. CRC Press.
7.5. Middleton, B. (2002). Cyber Crime Field Handbook. CRC Press.
7.6. Sammes, T. and Jenkinson, B. (2007). Forensic Computing: A Practitioner's Guide. Springer.
7.7. Indonesian Act No. 11 of 2008 on Electronic Information and Transactions.


Written by:
Chief of Computer Forensic Sub-Department
Indonesian Police Forensic Laboratory Center

Muhammad Nuh Al-Azhar, MSc., CHFI, CEI
Superintendent Police


Agreed by:
Chief of Physics and Computer Forensic Department
Indonesian Police Forensic Laboratory Center

Drs. Andi Firdaus
Senior Superintendent Police

Note:

To download the SOP 3 in Indonesian version, please click the link below:

https://dl.dropboxusercontent.com/u/4868186/DFAT_SOP_2013/SOP3_PelaporanHasilPemeriksaanDigitalForensik.pdf

Wednesday, 1 May 2013

Travnet, a new Trojan designed to steal files in compressed data

Reading the SC Magazine news dated 26 April 2013, I was surprised that there is a new trojan, Travnet, found by McAfee Labs with a unique style. The trojan steals many files in various formats and then sends them to a remote server as compressed data in chunks of 1,024 bytes. These are very small transfers over the HTTP protocol.
In my point of view, in the last several years there has been a change in cyber attacks, which frequently use trojans as a useful tool to attack targets. With a trojan, the attackers can do many things, from DDoS to stealing confidential data on the target; it can even be designed to destroy systems on the target, like Stuxnet and Flame. Such trojans are also used by criminals to attack banks and financial institutions. There have been many cases caused by trojan attacks. Officers of banks, governments, law enforcement and so on must be aware of this type of cyber attack. They should have steps to minimize the risks caused by such an attack, and steps to prevent and avoid such attacks.

SC Magazine:
A new trojan capable of compressing stolen data and uploading document files to remote servers is being used in a targeted operation, researchers have found.
Upon infecting a machine, the malware, dubbed “Travnet,” gathers victims' information – such as their computer name, IP address, IP configuration details and a list of running processes – to communicate the information to a command-and-control server.
From there, botnet operators can determine the value of information on the compromised machines at their disposal, while sending further instructions, McAfee Labs researchers discovered.

For further info, please go to the link below:
http://www.scmagazine.com/travnet-trojan-compresses-files-to-send-more-info-to-data-thieves/article/290486/

Saturday, 27 April 2013

BBC: Arrest made after huge web attack


The BBC news of 26 April 2013 makes me happy that the biggest DDoS attack in the history of the internet is finally solved. I give high appreciation to the Dutch police for their hard investigative effort in solving the case. It is a great investigation, as it was solved in around 2 weeks. Very good job...!

BBC:
Spanish police have arrested a Dutchman suspected of being behind one of the biggest ever web attacks.
The 35-year-old man was detained in Barcelona following a request from the Dutch public prosecutor.
The attack bombarded the websites of anti-junk mail outfit Spamhaus with huge amounts of data in an attempt to knock them offline.
It also slowed data flows over closely linked networks and led to a massive police investigation.
The man arrested is believed to be Sven Kamphuis, the owner and manager of Dutch hosting firm Cyberbunker that has been implicated in the attack.

"Spamhaus is delighted at the news that an individual has been arrested and is grateful to the Dutch police for the resources they have made available and the way they have worked with us," said a Spamhaus spokesman.
He added: "Spamhaus remains concerned about the way network resources are being exploited as they were in this incident due to the failure of network providers to implement best practice in security."
Spamhaus servers were hit with a huge amount of data via an attack technique known as a Distributed Denial of Service (DDoS) attack. This attempts to overwhelm a web server by sending it many more requests for data than it can handle.
A typical DDoS attack employs about 50 gigabits of data every second (gbps). At its peak the attack on Spamhaus hit 300 gbps.

For complete news, please go to the source below:
http://www.bbc.co.uk/news/technology-22314938

Friday, 26 April 2013

ADFA (Association of Digital Forensic Analyst)

Several days ago, the ADFA (Association of Digital Forensic Analyst) was established as an interactive group on LinkedIn. The Association is intended as an international portal encouraging digital forensic analysts from law enforcement agencies, private companies, universities, freelancers and so on all over the world to share with one another on digital forensics and related issues. It is expected that members will keep such information up to date. Members are welcome to share any problems related to these issues, and other members are invited to offer solutions. Those who are interested, please go to the link below and become a member of the Association.

http://www.linkedin.com/groups?gid=4973640&trk=hb_side_g

Link to download my Mobile Forensic Materials

I just want to share the "Mobile Forensic Materials" which I presented at the 2013 HADFEx (Hacking And Digital Forensic Expose) conference held at the Islamic University of Indonesia in Yogyakarta, Indonesia, on 13 April 2013. The file is a PDF compiled from the presentation slides and comprises 24 pages. Please use the link below:
http://db.tt/LHe46c50

Monday, 22 April 2013

SOP 2 about Working Hours Commitment


This SOP comprises 7 parts, namely:
1. Introduction
2. Purpose
3. Scope
4. Reference
5. Materials and Device
6. Implementation
7. Related Documents

1. Introduction

One type of evidence that can be found at the scene, in both civil and criminal cases, is electronic/digital evidence such as personal computers (PCs), laptops/notebooks, netbooks, tablet PCs, mobile phones, flash disks, memory cards, voice recordings, video recordings, digital images and others. Electronic evidence has a significant position in the disclosure of a case because it stores digital data that can be used to explain the history and reconstruction of the case. Therefore, the examination of electronic evidence should be based on SOP 8 to 15, which refer to the international guidelines issued by the Association of Chief Police Officers (ACPO) and 7Safe in the UK and by the National Institute of Justice under the Department of Justice in the US, so that the results are as expected and can be justified scientifically and legally.

SOP 8 to 15 require a working reference that describes the time range needed for their technical implementation. This is necessary so that the digital forensic examination of electronic/digital evidence can run efficiently and effectively, and so that the results are more useful to investigators who need the results quickly in order to decide on further investigation. With the required time range described technically, the examiner can determine how long solving one type of digital forensic examination will take procedurally.

For that reason, SOP 2 describes the time range required for each type of examination, which is called the 'Working Hours Commitment'. This working hours commitment describes in more detail the time range for each type of examination, which generally consists of 5 (five) stages, namely the acceptance phase, acquisition, analysis, reporting and submitting evidence. With these detailed steps, it can serve as a technical guide for digital forensic examiners from the start to the end of an examination in accordance with the expected procedures. Nevertheless, the time range is predictive and is flexibly adapted to the complexity of the case.

2. Purpose

To ensure orderly administration and technical practice in conducting digital forensic examinations as described in SOP 8 to 15, with a description of the time range (working hours commitment) required for each examination, in which the working hours commitment is based on the assumption of 7 working hours within 1 working day.

3. Scope

The scope of this SOP is as follows:
3.1. Working Hours for examination and analysis on Harddisk
3.2. Working Hours for examination and analysis on Handphone
3.3. Working Hours for examination and analysis on Simcard
3.4. Working Hours for examination and analysis on Flashdisk/Memory Card
3.5. Working Hours for examination and analysis on Triage Forensic
3.6. Working Hours for examination and analysis on Audio Forensic
3.7. Working Hours for examination and analysis on Video Forensic
3.8. Working Hours for examination and analysis on Digital Image Forensic
3.9. Working Hours for examination and analysis on Network Forensic

4. Reference

4.1. ACPO, 7Safe (2008). Good Practice Guide for Computer-Based Electronic Evidence. UK ACPO and 7Safe.
4.2. National Institute of Justice (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. US National Institute of Justice.
4.3. Al-Azhar, M.N. (2012). "Digital Forensic: Practical Guidelines for Computer Investigation". Salemba Infotek, Jakarta.

5. Materials and Device

5.1. Analysis workstation
5.2. Notes set
5.3. Harddisk dock or USB to IDE/SATA cable
5.4. Card reader
5.5. External harddisk
5.6. Handphone data cable
5.7. Simcard reader
5.8. Jammer
5.9. Faraday bag
5.10. Portable mobile forensic device
5.11. Flashdisk
5.12. Software for forensic imaging
5.13. Software for write protect
5.14. Software for triage forensic
5.15. Hardware/software for audio enhancement
5.16. Software for voice recognition analysis
5.17. Software for video forensic analysis
5.18. Software for digital image forensic analysis
5.19. Software for network forensic analysis

6. Implementation

The following working hours commitments do not include the number of hours used for clarification of data/digital findings with investigators, because this often takes a long time and cannot be predicted exactly, as it depends on the workload of the investigation team. This SOP only covers working hours for the technical examination and analysis of digital forensics within the Computer Forensic Sub-Department.

6.1. Working Hours for examination and analysis on Harddisk

The working hours commitment for the examination and analysis of 1 unit of hard disk is about 38 working hours (about 6 working days), with the following details:

6.1.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.1.2. Acquisition phase
- Preparing data cable/docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 320GB harddisk, including bad sectors in average): 10 hours
Total: 11 hours

6.1.3. Analysis phase
- Extracting investigative data (including physical recovery in average): 8 hours
- Analysing investigative data: 8 hours
Total: 16 hours

6.1.4. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.1.5. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

6.2. Working Hours for examination and analysis on Handphone

The working hours commitment for the examination and analysis of 1 unit of handphone is about 25 working hours (about 4 working days), with the following details:

6.2.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.2.2. Acquisition phase
- Preparing data cable for connection: 0.75 hour
- Labeling evidence: 0.25 hour
- Physical/logical backup: 6 hours
Total: 7 hours

6.2.3. Analysis phase
- Extracting investigative data: 3 hours
- Analysing investigative data: 3 hours
Total: 6 hours

6.2.4. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.2.5. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

6.3. Working Hours for examination and analysis on Flashdisk/Memory Card

The working hours commitment for the examination and analysis of 1 unit of flashdisk/memory card is about 21 working hours (about 3 working days), with the following details:

6.3.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.3.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 32GB flashdisk): 1 hour
Total: 2 hours

6.3.3. Analysis phase
- Extracting investigative data (including physical recovery): 3 hours
- Analysing investigative data: 4 hours
Total: 7 hours

6.3.4. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.3.5. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

6.4. Working Hours for examination and analysis on Simcard

The working hours commitment for the examination and analysis of 1 unit of simcard is about 16 working hours (about 3 working days), with the following details:

6.4.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.4.2. Acquisition phase
- Preparing for connection: 0.25 hour
- Labeling evidence: 0.25 hour
- Physical/logical backup: 0.5 hour
Total: 7 hours

6.4.3. Analysis phase
- Extracting investigative data: 1 hour
- Analysing investigative data: 2 hours
Total: 3 hours

6.4.4. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.4.5. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

6.5. Working Hours for examination and analysis on Triage Forensic

The working hours commitment for the examination and analysis of 1 unit of PC computer/laptop (ON and OFF) at the scene is about 9 working hours (about 2 working days), with the following details:

6.5.1. Discussing about facts of the case: 2 hours
6.5.2. Searching evidence: 0.5 hour
6.5.3. Checking technical specification: 0.5 hour
6.5.4. Computer is OFF (checking status and power): 1 hour
6.5.5. Computer is ON (inquiry and extracting investigative data): 4 hours
6.5.6. Documentation and labeling: 0.5 hour
6.5.7. Packaging evidence to submit to the lab: 0.5 hour
Total: 9 hours

6.6. Working Hours for examination and analysis on Audio Forensic

The working hours commitment for the examination and analysis of 1 case of audio forensic is about 49 working hours (about 7 working days), with the following details:

6.6.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.6.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 32GB recorder): 1 hour
- Extracting audio file, then hash and spectrum analysis: 1 hour
Total: 3 hours

6.6.3. Metadata Analysis phase
For file authentication analysis: 1 hour

6.6.4. Audio Enhancement phase
For increasing audio quality: 3 hours

6.6.5. Decoding phase
For transcripting audio (for 30 minute duration): 6 hours

6.6.6. Analysis phase
- Selecting at least 20 different words (between known and unknown samples): 4 hours
- Analysis of statistical (for formant and bandwidth), graphical distribution (for formant) and Spectral pattern (for spectrogram): 20 hours
Total: 24 hours

6.6.7. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.6.8. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

6.7. Working Hours for examination and analysis on Video Forensic

The working hours commitment for the examination and analysis of 1 case of video forensic is about 22 working hours (about 4 working days), with the following details:

6.7.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.7.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 32GB recorder): 1 hour
- Extracting video file, then hash analysis: 1 hour
Total: 3 hours

6.7.3. Metadata Analysis phase
For file authentication analysis: 1 hour

6.7.4. Frame Analysis phase
For analysing edited parts and describing activities: 4 hours

6.7.5. Bitrate Histogram Analysis phase
For analysing edited parts: 2 hours

6.7.6. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.7.7. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

6.8. Working Hours for examination and analysis on Digital Image Forensic

The working hours commitment for the examination and analysis of 1 case of digital image forensic is about 23 working hours (about 4 working days), with the following details:

6.8.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.8.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 32GB recorder): 1 hour
- Extracting video file, then hash analysis: 1 hour
Total: 3 hours

6.8.3. Metadata Analysis phase
For file authentication analysis: 1 hour

6.8.4. Enrichment phase
For increasing digital image quality: 3 hours

6.8.5. Pixel and Zooming Analysis phase: 2 hours

6.8.6. Super Resolution
For increasing resolution quality before extracting frames: 2 hours

6.8.7. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.8.8. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

6.9. Working Hours for examination and analysis on Network Forensic

The number of working hours committed to the examination and analysis of one case of network forensics is about 39 working hours (about 6 working days), with the following details:

6.9.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.9.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 320GB harddisk of a server): 10 hours
Total: 11 hours

6.9.3. Email Analysis phase: 2 hours

6.9.4. IP Address Analysis phase: 2 hours

6.9.5. Online Social Media Analysis phase: 2 hours

6.9.6. Online Gambling Analysis phase: 6 hours

6.9.7. Data Mining and Profiling phase: 4 hours

6.9.8. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.9.9. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

7. Related Documents

They are the same as the References in point 4, with the addition of:
7.1. Carrier, B. (2007). File System Forensic Analysis. Addison-Wesley.
7.2. Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Elsevier Academic Press.
7.3. Johnson, T. A. (2005). Forensic Computer Crime Investigation. Taylor & Francis.
7.4. Marcella, A. J. and Greenfield, R. S. (2002). Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. CRC Press.
7.5. Middleton, B. (2002). Cyber Crime Field Handbook. CRC Press.
7.6. Sammes, T. and Jenkinson, B. (2007). Forensic Computing: A Practitioner's Guide. Springer.
7.7. Indonesian Act No. 11 of 2008 on Electronic Information and Transactions.


Written by:
Chief of Computer Forensic Sub-Department
Indonesian Police Forensic Laboratory Center

Muhammad Nuh Al-Azhar, MSc., CHFI, CEI
Superintendent Police


Agreed by:
Chief of Physics and Computer Forensic Department
Indonesian Police Forensic Laboratory Center

Drs. Andi Firdaus
Senior Superintendent Police



Note:
To download the SOP 2 in Indonesian version, please click the link below:
http://db.tt/o7KXuW4m

Saturday, 20 April 2013

Study Says Home Routers Vulnerable to Attacks

Again, the philosophy of "no system is perfect" is proven, including for the routers used in homes and small offices. The router is a basic device and a basic topic in networking. When it is compromised, it is dangerous for the users of that network. They would become victims of a hacker's attack even though their machines are already protected with the latest patches. I can only imagine if this happened on a small government network: it could cause a leak of data which could be confidential.

From The SANS Institute:
Study Says Home Routers Vulnerable to Attacks (April 17 & 18, 2013) Many widely used home routers are easy to hack into, according to a study by a company called Independent Security Evaluators. A test found 13 of the most popular home routers had easily remotely exploitable vulnerabilities that could be used to snoop on or modify network traffic. All of the routers tested were using the most recent firmware and were tested with their out-of-the box default configurations.

http://news.cnet.com/8301-1009_3-57579981-83/top-wi-fi-routers-easy-to-hack-says-study/
http://www.computerworld.com/s/article/9238474/Popular_home_routers_contain_critical_security_vulnerabilities?taxonomyId=17

Those products were the Linksys WRT310v2, Netgear's WNDR4700, TP-Link's WR1043N, Verizon's FiOS Actiontec MI424WR-GEN3I, D-Link's DIR865L and Belkin's N300, N900 and F5D8236-4 v2 models.
Compromised routers are valuable to hackers, since they can intercept the traffic of anyone on that network. If the traffic is unencrypted, it can be viewed.
Man-in-the-middle attacks can let a hacker launch more sophisticated attacks on all users in the router's domain, ISE said. Hackers can perform attacks such as sniffing and rerouting non-SSL (Secure Sockets Layer) traffic, tampering with DNS (Domain Name System) settings and conducting distributed denial-of-service attacks.
The consultancy divided the attacks into those which required an attacker to be on the same network and those on networks that could be attacked remotely. Two routers from Belkin, the N300 and N900, were vulnerable to a remote attack that did not require the hacker to have authentication credentials.
All of the named products were vulnerable to an authenticated attack if the hacker was on the same network and had login credentials or access to a victim who had an active session on the particular network.

Saturday, 13 April 2013

Hadfex at UII Yogyakarta

Today, from morning till afternoon, along with other computer professionals, we are attending HADFEX, a workshop and conference on hacking and digital forensics. It is held by the University of Islamic Indonesia (UII) in Yogyakarta. It is a very good activity involving many computer professionals from different areas of Indonesia, a place where we can share with one another anything on forensics and hacking. As requested by the HADFEX committee, at this conference I deliver a talk on Mobile Forensic Investigation. I share the basic principles of mobile forensics, from physical and logical acquisition to the forensic data mechanism. I hope such conferences/workshops continue regularly. Well done to the committee for their hard work in making it a success.

Thursday, 11 April 2013

SOP 1 about Digital Forensic Examination Procedure

This SOP comprises 7 parts, namely:
1. Introduction
2. Purpose
3. Scope
4. Reference
5. Materials and Device
6. Implementation
7. Related Documents

1. Introduction

One type of evidence that can be found at the scene, in both civil and criminal cases, is electronic evidence such as personal computers (PCs), laptops/notebooks, netbooks, tablet PCs, mobile phones, flashdisks, memory cards, etc. Electronic evidence has a significant role in the disclosure of a case because it stores digital data that can be used to explain the history and reconstruction of the case. Therefore, the examination of electronic evidence should be based on SOP 6 to 15, which refer to the international guidelines issued by the Association of Chief Police Officers (ACPO) and 7Safe in the UK and by the National Institute of Justice under the Department of Justice in the US, so that the results are as expected and can be justified scientifically and legally.
In addition to those SOPs, digital forensic examination of electronic evidence should also be carried out under SOP 2, which governs the working hours committed to each examination, including its phases in detail. This is aimed at running the examination efficiently and effectively so that it can help speed up inquiry/further investigation.
In order to obtain an integrated set of SOPs for digital forensic examination as a whole, SOP 1 is required; it describes the procedure for a comprehensive digital forensic examination starting from activities at the scene up to laboratory analysis. Through SOP 1, it is expected that digital forensic examiners and investigators understand that the digital forensic function starts with the initial examination at the scene and continues to the more complex further examination in the laboratory. Because the initial handling of the evidence involves the digital forensic function, the procedural validity of the evidence and the integrity of the chain of custody (the journey of the evidence from the crime scene to the trial) can be justified scientifically. In addition, the need to obtain initial data quickly for inquiry/investigation can be met, because with SOP 1 the initial examination of electronic evidence at the crime scene can be done correctly.

2. Purpose

To ensure orderly administrative and technical handling of electronic evidence in a comprehensive manner, from the crime scene to the laboratory, in order to support inquiry/investigation quickly and correctly.

3. Scope

3.1. Examination Principles
3.2. Triage Forensic
3.3. Further Examination in the laboratory

4. Reference

4.1. ACPO, 7Safe (2008). Good Practice Guide for Computer-Based Electronic Evidence. UK ACPO and 7Safe.
4.2. National Institute of Justice (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. US National Institute of Justice.
4.3. Al-Azhar, M.N. (2012). "Digital Forensic: Practical Guidelines for Computer Investigation". Salemba Infotek, Jakarta.

5. Materials and Device

5.1. Analysis workstation
5.2. Notes set
5.3. Harddisk dock or USB to IDE/SATA cable
5.4. Card reader
5.5. External harddisk
5.6. Handphone data cable
5.7. Simcard reader
5.8. Hardware/Software for write protect
5.9. Jammer
5.10. Faraday bag
5.11. Portable mobile forensic device
5.12. Flashdisk
5.13. Software for forensic imaging
5.14. Software for triage forensic
5.15. Hardware/software for audio enhancement
5.16. Software for voice recognition analysis
5.17. Software for video forensic analysis
5.18. Software for digital image forensic analysis
5.19. Software for network forensic analysis

6. Implementation

6.1. Examination Principles

These refer to the 'Good Practice Guide for Computer-Based Electronic Evidence' published by the Association of Chief Police Officers (ACPO). The principles are:
6.1.1. Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
6.1.2. Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
6.1.3. Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
6.1.4. Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

6.2. Triage Forensic

6.2.1. Examination procedure when the evidence is in OFF state
The phases below are explained in detail in SOP 6 about Triage Forensic:
- Checking
- Power off
- Labeling
- Documentation
- Submitting to the lab

6.2.2. Examination procedure when the evidence is in ON state
The phases below are explained in detail in SOP 6 about Triage Forensic, except for live acquisition:
- Checking
- Initial Data Extraction
- Live Acquisition, referring to SOP 7
- Power off
- Labeling
- Documentation
- Submitting to the lab

6.3. Further examination in the lab

6.3.1. Examination and Analysis on Harddisk, Flashdisk and Memory Card
The phases below are explained in detail in their respective SOPs; the estimated time required for each stage is given in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Analysis: SOP 9
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.2. Examination and Analysis on Handphone and Simcard
The phases below are explained in detail in their respective SOPs; the estimated time required for each stage is given in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 10
- Analysis: SOP 11
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.3. Examination and Analysis on Audio Forensic
The phases below are explained in detail in their respective SOPs; the estimated time required for each stage is given in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Audio Enhancement: SOP 12
- Decoding: SOP 12
- Analysis: SOP 12
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.4. Examination and Analysis on Video Forensic
The phases below are explained in detail in their respective SOPs; the estimated time required for each stage is given in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Metadata Analysis: SOP 13
- Frame Analysis: SOP 13
- Bitrate Histogram Analysis: SOP 13
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.5. Examination and Analysis on Digital Image Forensic
The phases below are explained in detail in their respective SOPs; the estimated time required for each stage is given in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Metadata Analysis: SOP 14
- Enrichment: SOP 14
- Pixel Analysis: SOP 14
- Super Resolution: SOP 14
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.6. Examination and Analysis on Network Forensic
The phases below are explained in detail in their respective SOPs; the estimated time required for each stage is given in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Email Analysis: SOP 15
- IP Address Analysis: SOP 15
- Online Social Media Analysis: SOP 15
- Online Gambling Analysis: SOP 15
- Data Mining and Profiling: SOP 15
- Reporting: SOP 3
- Submitting evidence: SOP 5

7. Related Documents

They are the same as the References in point 4, with the addition of:
7.1. Carrier, B. (2007). File System Forensic Analysis. Addison-Wesley.
7.2. Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Elsevier Academic Press.
7.3. Johnson, T. A. (2005). Forensic Computer Crime Investigation. Taylor & Francis.
7.4. Marcella, A. J. and Greenfield, R. S. (2002). Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. CRC Press.
7.5. Middleton, B. (2002). Cyber Crime Field Handbook. CRC Press.
7.6. Sammes, T. and Jenkinson, B. (2007). Forensic Computing: A Practitioner's Guide. Springer.
7.7. Indonesian Act No. 11 of 2008 on Electronic Information and Transactions.


Written by:
Chief of Computer Forensic Sub-Department
Indonesian Police Forensic Laboratory Center

Muhammad Nuh Al-Azhar, MSc., CHFI, CEI
Superintendent Police

Agreed by:
Chief of Physics and Computer Forensic Department
Indonesian Police Forensic Laboratory Center

Drs. Andi Firdaus
Senior Superintendent Police


Note:
To download the SOP 1 in Indonesian version, please click the link below:
https://dl.dropboxusercontent.com/u/4868186/DFAT_SOP_2013/SOP1_ProsedurPemeriksaanDigitalForensik.pdf

Friday, 5 April 2013

Standard Operating Procedures (SOPs) on Digital Forensic

On this occasion, I'd like to discuss SOPs on Digital Forensic. As we know, digital forensics is a branch of computer specialization which is growing significantly at this time, with high demand in the computer market. All over the world, finding a professional digital forensic analyst/investigator is not as easy as in other computer fields, as their number in each country is small compared to other computer fields.

To be a good and professional digital forensic analyst/investigator, one needs a good technical and academic background, supported by good software and hardware. Besides that, it also requires good SOPs to guide the steps of digital forensic examination/analysis so that they are done properly. Without good SOPs, the analyst/investigator could go wrong in their examination/analysis. They would just rely on hardware/software like an ordinary operator. When they hit the wall, they give up. They do not become creative in finding the best solution for their problem.

The SOPs are also designed for accountable examination/analysis. When the results are questioned, they can be re-examined/analyzed by a third-party digital forensic analyst/investigator. With the same SOPs, the results should be the same. The SOPs are also established to show that proper scientific steps are still better and more valuable than hardware/software. Hardware/software are just tools for the analyst/investigator. They do need them, but they should not put them at the very top of the sky like God. There is a good philosophy followed by me and my team: "No system is perfect" and "No hardware/software is perfect". Each has its own strengths and weaknesses. That's why a digital forensic analyst/investigator should have many good hardware/software tools, so that they can use them in a proper way to find out which one gives the best results for the examination/analysis. The proper ways are the steps guided by the SOPs.

A good SOP should not contain or mention the name of any hardware/software. It should just contain the steps of examination/analysis. How to apply it using hardware/software depends on the analyst/investigator, who chooses the hardware/software that gives the best results. The analyst/investigator plays the role of a good chef who can choose which ingredients (without brand names) are best to cook a meal with a delicious taste. The ingredients here are the hardware/software, and the SOPs are the recipe.

At my digital forensic lab of Indonesian Police Forensic Lab Centre, I've already developed 15 SOPs for digital forensic examination/analysis. They are:

SOP 1 about Digital Forensic Analysis Procedures

SOP 2 about Working Hours Commitment

SOP 3 about Digital Forensic Reporting

SOP 4 about Receiving Electronic/Digital Evidence

SOP 5 about Submitting Electronic/Digital Evidence

SOP 6 about Triage Forensic

SOP 7 about Live Acquisition

SOP 8 about Acquisition on Harddisk, Flashdisk and Memory Card

SOP 9 about Analysis on Harddisk, Flashdisk and Memory Card

SOP 10 about Acquisition on Handphone and Simcard

SOP 11 about Analysis on Handphone and Simcard

SOP 12 about Audio Forensic Analysis

SOP 13 about Video Forensic Analysis

SOP 14 about Digital Image Analysis

SOP 15 about Network Forensic Analysis

The SOPs above have been implemented at my lab for two years. We are not rigid about adopting new techniques/methodologies to make our SOPs better. Since implementation, the SOPs have been reviewed three times, following the latest technology/methodology. The number of SOPs will most probably increase. For instance, at this moment we are in the process of making a new SOP about expert witnesses. Our SOPs are not confidential. They are based on scientific and legal methods, which is why our SOPs are also used by several digital forensic labs of government agencies and companies in Indonesia. They adopt our SOPs for implementation at their own labs.

Wednesday, 3 April 2013

Attacks on US Financial Institutions Continue

From what I know, at this moment the forms of attack targeting banks or financial institutions are dominated by trojan horses and DDoS. Several incidents show that trojans are frequently used when the criminals want to obtain as much bank-related information as possible. The news below shows that the attackers want to stop the victim from running their financial business properly; the DDoS attack could even be a cover for hiding or disguising online bank fraud. I hope the banks' security teams have already taken hardening actions to anticipate these attacks.

From The SANS Institute:
Attacks on US Financial Institutions Continue (March 29 & 30, 2013) A group claiming responsibility for a recent distributed denial-of-service (DDoS) attack against the American Express website is the same one that has been targeting US financial institutions since September 2012. While the primary focus of the group's efforts appears to be crippling the banks' websites, there is concern that the attacks could provide a cover for fraudulent transactions.
http://arstechnica.com/security/2013/03/funded-hacktivism-or-cyber-terrorists-amex-attackers-have-big-bankroll/
http://www.usatoday.com/story/tech/2013/03/29/american-express-denial-of-service-hack/2030197/

Friday, 29 March 2013

Massive DDoS against Spamhaus reaches 300Gbps

If the DDoS below is committed again in the future against several or even many big targets in a certain country, it could shut the internet down across a wide area of that country. If this happens, many people cannot carry out their internet-based activities such as accessing email, bank accounts, online news and much more. I could say this is one form of cyber terrorism or even cyber war, if it attacks a certain country and the perpetrators are supported by another country. Have we already thought about this? What should we do to strengthen/harden the internet backbone in our country? That requires well-coordinated teamwork involving several parties.

From The SANS Institute:
Following a dispute between Dutch hosting provider Cyberbunker and anti-spam group Spamhaus, the latter suffered what initially began as a relatively small - 10 Gbps - DDoS, which escalated over the course of last week to a 300Gbps flood. Anti-DDoS provider CloudFlare noted that the attackers - who have not been conclusively linked to Cyberbunker - were able to generate such huge volumes of traffic by using open DNS resolvers, which can respond to small, spoofed requests with massive floods of data. As a result of this attack - one of the largest ever on the Internet to date - a new project has been announced to locate and fix all of the approximately 27 million such systems on the Internet today. Reference: http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet http://openresolverproject.org/

Thursday, 28 March 2013

vSkimmer Steals Payment Card Data From Windows Point-of-Sale Terminals

Several news items sent by The SANS Institute, the latest dated March 22, 2013, lead me to a rough conclusion: nowadays the criminals hacking bank systems prefer to use trojan horses as their tool. This means that the bank's security people must be aware of this and warn other bank staff about it. The SANS Institute news below shows it.

The vSkimmer Trojan horse program steals payment card data from point-of-sale (POS) terminals. The malware has the capacity to steal the data from cards' magnetic strip, which contains account numbers, expiration dates, and security codes; it is being used in targeted attacks. vSkimmer targets Windows machines and sends the data it steals to a remote server. vSkimmer does not work on cards that use the EMV, also known as chip-and-pin authentication standard.
http://www.scmagazine.com/vskimmer-trojan-steals-card-data-on-point-of-sale-systems/article/285725/
http://www.computerworld.com/s/article/9237828/Researchers_uncover_vSkimmer_malware_targeting_point_of_sale_systems?taxonomyId=17

Saturday, 23 March 2013

Mobile Forensic: How to detect Reconditioned BlackBerry

I just want to share knowledge and experience on how to detect reconditioned BlackBerry. There are 2 methods for this purpose.
The first is through Options - Device - Device and Status Information. This way we find information about the current condition of the BlackBerry such as signal, battery, IP address, free memory and so on. On this screen, we type B U Y R and it displays Buyer's Remorse. Buyer's Remorse shows data usage, voice usage and IT policy. If the BlackBerry is a brand-new device, it must show null values for data and voice usage. If they are not null, that is, they already have values, the BlackBerry has been used before.
The second method is to use an integrated mobile forensic device such as Cellebrite's UFED, Micro Systemation's XRY and so on. With such a device, perform a physical extraction by dumping the flash memory. In this way we do forensically sound imaging of the BlackBerry's flash memory. It takes about 2 to 6 hours. After it finishes, we perform hex analysis. If the device is brand new, the flash memory should contain only the OS file system and the factory applications. This means that about half or more at the end of the flash memory will be 00, because data usage will be minimal and is allocated at the beginning of the flash memory. If the region around the end of the flash memory has been allocated with data, the BlackBerry has already been used. The other way is to look for the naming pattern of the root directory. The purpose is to find deleted or wiped files. If a file is deleted, the file still exists in its sectors; only its root directory entry is marked unallocated. Likewise, if a file is wiped, only the sectors allocated to the file are wiped, while the root directory information shows those sectors as unallocated. If we can find the root directory's naming pattern and it shows deleted or wiped files, the BlackBerry is not a brand-new device. In other words, it has already been used.
If a BlackBerry that has already been used and reconditioned is sold as if it were brand new, it is a crime, as the seller is cheating the customer. The seller can be arrested and sent to court for this crime.
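The hex-analysis step of the second method can be made repeatable. The script below is an added example (not the post's own code and not a vendor tool): it splits a flash dump into fixed-size blocks, finds where the written region ends, records the dump's hash for the audit trail, and applies the post's rule of thumb that a brand-new device has roughly the last half of its flash still 00. The block size, the 50% threshold and the two sample dumps are assumptions constructed for the example.

```python
"""Allocation profile of a flash-memory dump (added example, not the post's code).

Splits a dump into fixed-size blocks, finds the last block that holds data and
applies the post's rule of thumb: on a brand-new device roughly the last half of
the flash is still 0x00 because factory data sits at the beginning. Block size,
the 50% threshold and the sample dumps below are assumptions for this example.
"""
import hashlib
from dataclasses import dataclass

BLOCK_SIZE = 4096  # assumption: analysis granularity only, not a device property


@dataclass
class FlashProfile:
    total_blocks: int
    empty_blocks: int           # blocks that are entirely 0x00 or entirely 0xFF
    last_used_block: int        # index of the last non-empty block, -1 if none
    tail_empty_fraction: float  # share of the image lying after the last used block


def is_empty_block(block: bytes) -> bool:
    # The post reports 0x00 for unused flash; erased NAND pages can also read
    # as 0xFF, so both patterns count as "never written".
    return block.count(0x00) == len(block) or block.count(0xFF) == len(block)


def profile_dump(data: bytes, block_size: int = BLOCK_SIZE) -> FlashProfile:
    """Walk the dump block by block and record where the written region ends."""
    total = (len(data) + block_size - 1) // block_size
    empty = 0
    last_used = -1
    for i in range(total):
        block = data[i * block_size:(i + 1) * block_size]
        if is_empty_block(block):
            empty += 1
        else:
            last_used = i
    tail = (total - (last_used + 1)) / total if total else 0.0
    return FlashProfile(total, empty, last_used, tail)


def looks_used(profile: FlashProfile, threshold: float = 0.5) -> bool:
    """Post's rule of thumb: a new device keeps about half or more of the tail
    empty; less than that suggests prior use. The threshold is an assumption."""
    return profile.tail_empty_fraction < threshold


def sha256_hex(data: bytes) -> str:
    """Hash recorded in the audit trail before analysis, so a third party can
    verify they examined the same image (ACPO principle 3 in the SOP 1 post)."""
    return hashlib.sha256(data).hexdigest()


def make_sample_dump(total_blocks: int, used_blocks: int,
                     block_size: int = BLOCK_SIZE) -> bytes:
    """Constructed sample: varied bytes in the first `used_blocks`, zeros after.
    (239*i + 13) mod 256 cycles through every byte value, so no written block
    is accidentally all-zero or all-0xFF."""
    payload = bytes((239 * i + 13) % 256 for i in range(used_blocks * block_size))
    return payload + b"\x00" * ((total_blocks - used_blocks) * block_size)


if __name__ == "__main__":
    # 64 blocks each: the "new" sample has 75% of its tail empty, the "used" one 12.5%.
    samples = {"new": make_sample_dump(64, 16), "used": make_sample_dump(64, 56)}
    for name, dump in samples.items():
        p = profile_dump(dump)
        print(f"{name}: sha256={sha256_hex(dump)[:16]}... "
              f"last_used_block={p.last_used_block}/{p.total_blocks} "
              f"tail_empty={p.tail_empty_fraction:.1%} used_before={looks_used(p)}")
```

On a real dump, read the image file into `data` and keep the full hash alongside the profile in the case notes; a device that fails the threshold still needs the root directory check described above before drawing a conclusion.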

Cyber Command Will Deploy More than 100 Cyberdefense Teams by End of 2015

The news from The SANS Institute makes me wonder and a bit jealous. I have a dream that my country also has a cyber defense team to protect the internet and other computer networks from computer attacks. I would like to develop it along with other computer professionals in Indonesia. Please read the news.

Cyber Command Will Deploy More than 100 Cyberdefense Teams by End of 2015 (March 19 & 21, 2013) The US Defense Department's Cyber Command plans to deploy more than 100 military cyberdefense teams by the end of 2015. Most of these teams will focus on protecting military networks, not on attacking systems of adversaries. General Keith Alexander, head of Cyber Command, said last week that by September 2013, 13 cyberwarrior teams will be deployed. These teams will focus on taking action against adversaries' networks to prevent attacks on US critical infrastructure systems. http://www.nextgov.com/defense/2013/03/pentagon-plans-deploy-more-100-cyber-teams-late-2015/61948/?oref=ng-channelriver http://www.nextgov.com/cybersecurity/cybersecurity-report/2013/03/military-cyber-strike-teams-will-soon-guard-private-networks/62010/?oref=ng-HPtopstory

Major Cyberattack Hits South Korean Banks and Broadcasters

The news from The SANS Institute this early morning woke me up from a sleepy state. Trojan... and trojan again. Always the same way to attack banks. Why are the bankers not aware of this attack? There are many ways to install trojans on the bank computers that are targeted. They should be aware of this. Please read it below.

Major Cyberattack Hits South Korean Banks and Broadcasters (March 20 & 21, 2013) A major cyberattack hit South Korean banks and broadcasters earlier this week. Two of the country's large banks and three broadcasters were affected, but government systems were not targeted. The malware wiped files from infected computers. Shortly after the attacks, there was speculation that North Korea was responsible, but there has not been positive attribution. James Barnett, former chief of public safety and homeland security for the US Federal Communications Commission (FCC) notes that, "This needs to be a wake-up call. This can happen anywhere." Investigators think that malware may have been spread through servers that send out automatic updates and patches. Symantec researchers say the attack used a Trojan horse program known as Jokra, which can overwrite computers' master boot records and all the data stored there.
http://www.washingtonpost.com/business/technology/police-investigating-reports-that-computers-of-south-korean-banks-media-paralyzed/2013/03/20/a7366760-9126-11e2-9173-7f87cda73b49_story.html
http://www.latimes.com/news/world/worldnow/la-fg-wn-south-korea-cyber-attack-20130320,0,1356665.story
http://www.scmagazine.com/south-korean-corporations-hit-by-widespread-attack-that-wiped-data-and-shut-down-systems/article/285315/
http://www.foreignpolicy.com/articles/2013/03/21/who_is_whois
More details at http://edition.cnn.com/2013/03/22/world/asia/south-korea-computer-outage/index.html.

Video Profiling on The Best 10 of Chevening Alumni in Indonesia

Several days ago, a team from the British Embassy came to my office and labs. They wanted to make a video profile of me as one of the Best 10 among thousands of Chevening alumni in Indonesia. Chevening is a scholarship provided and officially supported by the Foreign and Commonwealth Office (FCO) of the UK government. In its implementation, it is administered by the British Council. It is open to candidates from any country who would like to take a postgraduate degree in the UK. They have to pass several tests before getting this prestigious scholarship award. With the Chevening scholarship, I took an MSc in Forensic Informatics at the University of Strathclyde in Glasgow, UK. I joined it in 2008/09. I got a mark of distinction for my dissertation on Steganography Forensic. After finishing my study at Strathclyde, I returned to my office in Jakarta, Indonesia. I have a personal mission to develop digital forensics at my labs and in Indonesia in general, which is why I like sharing a lot about digital forensics, such as being a speaker or instructor for seminars and courses; I even wrote a technical book titled "Digital Forensic: Practical Guidelines for Computer Investigation", which was published last year. Currently I hold the job of Chief of the Computer Forensic Sub-Dept. at the Indonesian Police Forensic Lab Centre (Puslabfor Bareskrim Polri). In this job, I and my team are responsible for digital forensic analysis of any type of electronic and digital evidence coming from cases of computer crime and computer-related crime in Indonesia.
With this job, I've already made 15 Standard Operating Procedures (SOPs) for each technical step of digital forensics. I could say my computer forensic lab is one of the institutes in the world with many SOPs as guidelines for digital forensic work.

Tuesday, 19 March 2013

Telkom and Biznet Deny "Spying" on Internet Users

From Kompas.com:

Telkom and Biznet Deny "Spying" on Internet Users
ADITYA PANJI

JAKARTA, KOMPAS.com — Two large internet service providers in Indonesia, Telkom and Biznet Network, have denied allegations that they use intelligence software to spy on internet users.

Research by Citizen Lab at the University of Toronto, Canada, shows that three internet service providers (ISPs) in Indonesia use the FinFisher software, also known as FinSpy. Besides Telkom and Biznet, Matrixnet Global is also suspected of spying on customers.

"Biznet has no such policy. We are checking whose IP address that is," said Biznet Network President Director Adi Kusma when contacted by KompasTekno on Monday (18/3/2013).

Telkom said the same. "Telkom does not have a server for monitoring or spying on customers," said Slamet Riyadi, Head of Corporate Communication and Affairs at Telkom.

FinFisher is remote monitoring software developed by Gamma International in Munich, Germany. According to Citizen Lab, FinFisher products are marketed and sold exclusively to law enforcement and intelligence agencies by the UK-based Gamma Group.

"FinSpy captures information from an infected computer, such as passwords and Skype calls, and sends the information to a FinSpy command and control server," Citizen Lab's research states.

In its findings, Citizen Lab disclosed internet protocol (IP) addresses in Indonesia suspected of hosting FinSpy or FinFisher. The IP addresses of Telkom and Matrixnet Global were not fully disclosed.

- 118.97.xxx.xxx PT Telkom, Indonesia
- 118.97.xxx.xxx PT Telkom, Indonesia
- 103.28.xxx.xxx PT Matrixnet Global, Indonesia
- 112.78.143.34 Biznet ISP, Indonesia
- 112.78.143.26 Biznet ISP, Indonesia

According to Slamet, based on the partial IP addresses reported by Citizen Lab, it was concluded that they belong to Telkom Astinet/Transit customers. "To identify them, the complete IP address is needed," Slamet said.

To block those IP addresses, Slamet continued, there must be a request from the national computer emergency response team (CERT), in this case the Indonesia Security Incident Response Team on Internet Infrastructure (ID-SIRTII), which is under the Ministry of Communication and Informatics.

Citizen Lab noted that the FinSpy software was detected in 25 countries. Besides Indonesia, it was also found in Australia, Bahrain, Bangladesh, Brunei, Canada, the Czech Republic, Estonia, Ethiopia, Germany, India, Japan, Latvia, Malaysia, Mexico, Mongolia, the Netherlands, Qatar, Serbia, Singapore, Turkmenistan, the United Arab Emirates, the United Kingdom, the United States, and Vietnam.

Sunday, 17 March 2013

Bank Fraud Investigation Sharing

Yesterday I came to Bandung, Indonesia, to attend a sharing session on bank fraud investigation. We talked and discussed a lot about the modus operandi of how fraud is committed, from practical phishing, e-banking tapping and carding to case studies. There were three case studies to share: an ATM case, a Remote Desktop Protocol case and a clearing case. The case studies showed the steps of how a successful fraud is carried out, which is why the contents were so sensitive. In this case we need to harden bank security by knowing the modus operandi. If we know it well, we expect that we can properly close or patch the holes in the breached security. No more fraud from such a modus operandi.

Wednesday, 13 March 2013

Reserve Bank of Australia Targeted in Cyberattacks (March 11, 2013)

From The SANS Institute:

Reserve Bank of Australia Targeted in Cyberattacks (March 11, 2013) The Reserve Bank of Australia (RBA) has acknowledged that in November 2011, hackers managed to gain access to RBA systems through targeted phishing attacks. The information has come to light through a Freedom of Information request and was disclosed in December 2012. The phishing email messages appeared to come from "a possibly legitimate external email address ... from a senior bank employee" and were accompanied by an attachment that installed a Trojan horse program on the computers of those who opened the attachment. An RBA spokesperson said that while the infection posed the threat of data theft, no information was stolen.
http://www.theage.com.au/it-pro/security-it/hackers-breach-reserve-bank-20130311-2fv8i.html
http://www.bbc.co.uk/news/business-21738540
http://www.v3.co.uk/v3-uk/news/2253724/australian-central-bank-hit-by-cyber-attacks
RBA Media Release: http://www.rba.gov.au/media-releases/2013/mr-13-05.html

U.S. Department of Defense Not Ready for Cyberwar (March 12, 2013)

From The SANS Institute:

U.S. Department of Defense Not Ready for Cyberwar (March 12, 2013) This editorial in today's Washington Post describes and discusses the findings of the Defense Science Board (DSB), probably the most prestigious collection of technical, policy, and industrial leadership the U.S. has ever asked to focus on cybersecurity and cyber warfare. The DSB report "hints that U.S. nuclear weapons, hardened to survive an atomic blast in the Cold War, may not be ready to survive a cyber-onslaught...[and] called for "immediate action" to make sure the nuclear weapons would survive." The report also projected that when open conflict breaks out, potentially, "hundreds" of simultaneous, synchronized offensive and defensive cyber operations would be needed, and yet the task force found the U.S. military is not ready.
http://www.washingtonpost.com/opinions/the-us-is-not-ready-for-a-cyberwar/2013/03/11/782e299a-8838-11e2-98a3-b3db6b9ac586_story.html?hpid=z3

Monday, 11 March 2013

I'm back...!

For a long time I did not post on this blog because I was busy with digital forensic analysis tasks. In 2012, my team and I completed the analysis of 488 items of electronic and digital evidence, which was more than the number of days in a year.
This is my first post this year. I hope to keep posting.
This week I will be attending the launch of the Cyber Defence Academy in Jakarta, Indonesia. This will be the first institute in Indonesia to focus on in-depth information security. It is an honour for me to be invited. Good luck to my colleagues involved in this project.