Saturday 27 April 2013

BBC: Arrest made after huge web attack


The news of BBC on 26 April 2013 makes me happy that the biggest DDoS attack in the world history of the internet  is finally solved. I give high appreciation to the Dutch police for their hard effort of investigation to solve the case. It's great investigation as it is solved in around 2 weeks. Very Good Job...!

BBC:
Spanish police have arrested a Dutchman suspected of being behind one of the biggest ever web attacks.
The 35 year-old-man was detained in Barcelona following a request from the Dutch public prosecutor.
The attack bombarded the websites of anti-junk mail outfit Spamhaus with huge amounts of data in an attempt to knock them offline.
It also slowed data flows over closely linked networks and led to a massive police investigation.
The man arrested is believed to be Sven Kamphuis, the owner and manager of Dutch hosting firm Cyberbunker that has been implicated in the attack.

"Spamhaus is delighted at the news that an individual has been arrested and is grateful to the Dutch police for the resources they have made available and the way they have worked with us," said a Spamhaus spokesman.
He added: "Spamhaus remains concerned about the way network resources are being exploited as they were in this incident due to the failure of network providers to implement best practice in security."
Spamhaus servers were hit with a huge amount of data via an attack technique known as a Distributed Denial of Service (DDoS) attack. This attempts to overwhelm a web server by sending it many more requests for data than it can handle.
A typical DDoS attack employs about 50 gigabits of data every second (gbps). At its peak the attack on Spamhaus hit 300 gbps.

For complete news, please go to the source below:
http://www.bbc.co.uk/news/technology-22314938

Friday 26 April 2013

ADFA (Association of Digital Forensic Analyst)

Several days ago, the ADFA (Association of Digital Forensic Analyst) was established as an interactive group at LinkedIn. This Association is intended as an international portal for encouraging digital forensic analyst from law enforcement agencies, private companies, universities, freelancers, and so on all over the world to share one another on digital forensic and its related other issues. It is expected that the members could update such information. Any problems related to the issues are welcomed to share, and then other members are pleased to give solution for the problem. To those who is interested in it, please go to the link below and become a member of the Association.

http://www.linkedin.com/groups?gid=4973640&trk=hb_side_g

Link to download my Mobile Forensic Materials

I just want to share "Mobile Forensic Materials" which I presented at 2013 HADFEx (Hacking And Digital Forensic Expose) conference conducted at the University of Islamic Indonesia, in Yogyakarta - Indonesia on 13 April 2013. The file is pdf which is compiled from presentation slides, and comprises 24 pages. Please get the link below:
http://db.tt/LHe46c50

Monday 22 April 2013

SOP 2 about Working Hours Commitment

SOP 2 about Working Hours Commitment


This SOP comprises 7 parts, namely:
1. Introduction
2. Purpose
3. Scope
4. Reference
5. Materials and Device
6. Implementation
7. Related Documents

1. Introduction

One type of evidence that can be found at the scene, both in civil and criminal cases is evidence of electronic / digital such as the personal computer (PC), laptops / notebooks, netbooks, tablet PCs, mobile phones, flash disks, memory cards, voice recordings, video recordings, digital image and others. Electronic evidence has a significant position in the disclosure of a case due to storing digital data that can be used to explain the history and reconstruction of the case. Therefore, the examination of electronic evidence should be based on SOP 8 to 15 that refers to the international guidelines issued by the Association of Chief Police Officers (ACPO) and 7Safe in the UK and by the National Institute of Justice under the Department of Justice , the US, so the results are as expected and can be justified scientifically and legal.

SOP 8 to 15 requires a working reference that describes the time range needed for technical implementation. This is necessary so that the digital forensic examination of the evidence in electronic / digital can be run efficiently and effectively, so that the results can be more powerful for investigators who need speed of test results to determine further investigations. With the time range that is required to be described technically, the examiner can determine how long it will be used in solving one type of digital forensic examination procedurally.

For that reason, the SOP 2 is described about the time range required for each type of examination is called the 'Working Hours Commitment'. This working hours commitment describes in more detail about the time range on each type of examination generally which consists of 5 (five) stages, namely the acceptance phase, acquisition, analysis, reporting and submitting evidence. With the detailed steps, it can be a technical guide for digital forensic examiners in the start up to the end of examination in accordance with the procedures expected. Nevertheless the time range is predictive and flexibly adapted to the complexity of the case.

2. Purpose

For the orderly administration and technical in conducting digital forensic examinations such as the described in SOP 8 to 15 with a description of the time range (hours of work commitments) 
required for each examination, in which the working hours commitment is based on the assumption
that 7 working hours within 1 working day.

3. Scope

The scope of this SOP are as follows:
3.1. Working Hours for examination and analysis on Harddisk
3.2. Working Hours for examination and analysis on Handphone
3.3. Working Hours for examination and analysis on Simcard
3.4. Working Hours for examination and analysis on Flashdisk/Memory Card
3.5. Working Hours for examination and analysis on Triage Forensic
3.6. Working Hours for examination and analysis on Audio Forensic
3.7. Working Hours for examination and analysis on Video Forensic
3.8. Working Hours for examination and analysis on Digital Image Forensic
3.9. Working Hours for examination and analysis on Network Forensic

4. Reference

4.1. ACPO, 7Safe (2008). Good Practice Guide for Computer-Based Electronic Evidence. UK ACPO and 7Safe.
4.2. National Institute of Justice (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. US National Institute of Justice.
4.3. Al-Azhar, M.N. (2012). "Digital Forensic: Practical Guidleines for Computer Investigation". Salemba Infotek, Jakarta.

5. Materials and Device

5.1. Analysis workstation
5.2. Notes set
5.3. Harddisk dock or USB to IDE/SATA cable
5.4. Card reader
5.5. External harddisk
5.6. Handphone data cable
5.7. Simcard reader
5.8. Jammer
5.9. Faraday bag
5.10. Portable mobile forensic device
5.11. Flashdisk
5.12. Software for forensic imaging
5.13. Software for write protect
5.14. SOftware for triage forensic
5.15. Hardware/software for audio enhancement
5.16. Software for voice recognition analysis
5.17. Software for video forensic analysis
5.18. Software for digital image forensic analysis
5.19. Software for network forensic analysis

6. Implementation

The following working hours commitment do not include the number of hours used for clarification of data / digital findings with investigators because it often takes a long time and can not be predicted exactly, adjusting to the bustle of the investigation team. This SOP only discusses about working hours for technical examination and analysis of digital forensics Computer at Computer Forensic Sub-Department environment.

6.1. Working Hours for examination and analysis on Harddisk

Number of working hours commitment for the examination and analysis on 1 unit of hard disk is about 38 working hours (about 6 working days) with the details are as follows:

6.1.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.1.2. Acquisition phase
- Preparing data cable/docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 320GB harddisk, including bad sectors in average): 10 hours
Total: 11 hours

6.1.3. Analysis phase
- Extracting investigative data (including physical recovery in average): 8 hours
- Analysing investigative data: 8 hours
Total: 16 hours

6.1.4. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.1.5. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

6.2. Working Hours for examination and analysis on Handphone

Number of working hours commitment for the examination and analysis on 1 unit of handphone is about 25 working hours (about 4 working days) with the details are as follows:

6.2.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.2.2. Acquisition phase
- Preparing data cable for connection: 0.75 hour
- Labeling evidence: 0.25 hour
- Physical/logical backup: 6 hours
Total: 7 hours

6.2.3. Analysis phase
- Extracting investigative data: 3 hours
- Analysing investigative data: 3 hours
Total: 6 hours

6.2.4. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.2.5. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

6.3. Working Hours for examination and analysis on Flashdisk/Memory Card

Number of working hours commitment for the examination and analysis on 1 unit of flashdisk/memory card is about 21 working hours (about 3 working days) with the details are as follows:

6.3.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.3.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 32GB flashdisk): 1 hour
Total: 2 hours

6.3.3. Analysis phase
- Extracting investigative data (including physical recovery): 3 hours
- Analysing investigative data: 4 hours
Total: 7 hours

6.3.4. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.3.5. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

6.4. Working Hours for examination and analysis on Simcard

Number of working hours commitment for the examination and analysis on 1 unit of simcard is about 16 working hours (about 3 working days) with the details are as follows:

6.4.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.4.2. Acquisition phase
- Preparing for connection: 0.25 hour
- Labeling evidence: 0.25 hour
- Physical/logical backup: 0.5 hour
Total: 7 hours

6.4.3. Analysis phase
- Extracting investigative data: 1 hour
- Analysing investigative data: 2 hours
Total: 3 hours

6.4.4. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.4.5. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

6.5. Working Hours for examination and analysis on Triage Forensic

Number of working hours commitment for the examination and analysis on 1 unit of PC computer/laptop (ON and OFF) at the scene is about 9 working hours (about 2 working days) with the details are as follows:

6.5.1. Discussing about facts of the case: 2 hours
6.5.2. Searching evidence: 0.5 hour
6.5.3. Checking technical specification: 0.5 hour
6.5.4. Computer is OFF (checking status and power): 1 hour
6.5.5. Computer is ON (inquiry and extracting investigative data): 4 hours
6.5.6. Documentation and labeling: 0.5 hour
6.5.7. Packaging evidence to submit to the lab: 0.5. hour
Total: 9 hours

6.6. Working Hours for examination and analysis on Audio Forensic

Number of working hours commitment for the examination and analysis on 1 case of audio forensic is about 49 working hours (about 7 working days) with the details are as follows:

6.6.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.6.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 32GB recorder): 1 hour
- Extracting audio file, then hash and spectrum analysis: 1 hour
Total: 3 hours

6.6.3. Metadata Analysis phase
For file authentication analysis: 1 hour

6.6.4. Audio Enhancement phase
For increasing audio quality: 3 hours

6.6.5. Decoding phase
For transcripting audio (for 30 minute duration): 6 hours

6.6.6.Analysis phase
- Selecting at least 20 different words (between known and unknown samples): 4 hours
- Analysis of statistical (for formant and bandwidth), graphical distribution (for formant) and Spectral pattern (for spectrogram): 20 hours
Total: 24 hours

6.6.7. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.6.8. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

6.7. Working Hours for examination and analysis on Video Forensic

Number of working hours commitment for the examination and analysis on 1 case of video forensic is about 22 working hours (about 4 working days) with the details are as follows:

6.7.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.7.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 32GB recorder): 1 hour
- Extracting video file, then hash analysis: 1 hour
Total: 3 hours

6.7.3. Metadata Analysis phase
For file authentication analysis: 1 hour

6.7.4. Frame Analysis phase
For analysing edited parts and descripting activities: 4 hours

6.7.5. Bitrate Histogram Analysis phase
For analysing edited parts: 2 hours

6.7.6. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.7.7. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

6.8. Working Hours for examination and analysis on Digital Image Forensic

Number of working hours commitment for the examination and analysis on 1 case of digital image forensic is about 23 working hours (about 4 working days) with the details are as follows:

6.8.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.8.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 32GB recorder): 1 hour
- Extracting video file, then hash analysis: 1 hour
Total: 3 hours

6.8.3. Metadata Analysis phase
For file authentication analysis: 1 hour

6.8.4. Enrichment phase
For increasing digital image quality: 3 hours

6.8.5. Pixel and Zooming Analysis phase: 2 hours

6.8.6. Super Resolution
For increasing resolution quality before extracting frames: 2 hours

6.8.7. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.8.8. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

6.9. Working Hours for examination and analysis on Network Forensic

Number of working hours commitment for the examination and analysis on 1 case of network forensic is about 39 working hours (about 6 working days) with the details are as follows:

6.9.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours

6.9.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 320GB harddisk of server): 10 hour
Total: 11 hours

6.9.3. Email Analysis phase: 2 hours

6.9.4. IP Address Analysis phase: 2 hours

6.9.5. Online Social Media Analysis phase: 2 hours

6.9.6. Online Gambling Analysis phase: 6 hours

6.9.7. Data Mining and Profiling phase: 4 hours

6.9.8. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours

6.9.9. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours

7. Related Documents

It is the same as Reference at point 4, and added with:
7. 1. Carrier, B. (2007). File System Forensic Analysis. Addison-Wesley.
7. 2. Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Elsevier Academic Press.
7. 3. Johnson, T. A. (2005). Forensic Computer Crime Investigation. Taylor & Francis.
7. 4. Marcella, A.J. and Greenfield, R. S. (2002). Cyber Forensics : A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. CRC Press.
7. 5. Middleton, B. (2002). Cyber Crime Field Handbook. CRC Press.
7. 6. Sammes, T. and Jenkinson, B. (2007). Forensic Computing: A Practitioners Guide. Springer.
7. 7. Indonesian Act No. 11 year 2008 about Electronic Information and Transaction.


Written by:
Chief of Computer Forensic Sub-Department
Indonesian Police Forensic Laboratory Center

Muhammad Nuh Al-Azhar, MSc., CHFI, CEI
Superintendent Police


Agreed by:
Chief of Physics and Computer Forensic Department
Indonesian Police Forensic Laboratory Center

Drs. Andi Firdaus
Senior Superintendent Police



Note:
To download the SOP 2 in Indonesian version, please click the link below:
http://db.tt/o7KXuW4m

Saturday 20 April 2013

Study Says Home Routers Vulnerable to Attacks

Again, the phylosophy of "no system is perfect" is proved, including routers used for home and small office. Router is a basic knowledge and device on networking. When it is compromised, it is dangerous for users using the netwoks. They would become victims of hacker's attack although their machine is already protected by the latest patch. I just imagine if it happens at a small network of government, it could cause a leakage of data which could be confidential.

From The SANS Institute:
--Study Says Home Routers Vulnerable to Attacks (April 17 & 18, 2013) Many widely used home routers are easy to hack into, according to a study by a company called Independent Security Evaluators. A test found 13 of the most popular home routers had easily remotely exploitable vulnerabilities that could be used to snoop on or modify network traffic. All of the routers tested were using the most recent firmware and were tested with their out-of-the box default configurations.

http://news.cnet.com/8301-1009_3-57579981-83/top-wi-fi-routers-easy-to-hack-says-study/
http://www.computerworld.com/s/article/9238474/Popular_home_routers_contain_critical_ security_vulnerabilities?taxonomyId=17

Those products were the Linksys WRT310v2, Netgear's WNDR4700, TP-Link's WR1043N, Verizon's FiOS Actiontec MI424WR-GEN3I, D-Link's DIR865L and Belkin's N300, N900 and F5D8236-4 v2 models.
Compromised routers are valuable to hackers, since they can intercept the traffic of anyone on that network. If the traffic is unencrypted, it can be viewed.
Man-in-the-middle attacks can let a hacker launch more sophisticated attacks on all users in the router's domain, ISE said. Hackers can perform attacks such as sniffing and rerouting non-SSL (Secure Sockets Layer) traffic, tampering with DNS (Domain Name System) settings and conducting distributed denial-of-service attacks.
The consultancy divided the attacks into those which required an attacker to be on the same network and those on networks that could be attacked remotely. Two routers from Belkin, the N300 and N900, were vulnerable to a remote attack that did not require the hacker to have authentication credentials.
All of the named products were vulnerable to an authenticated attack if the hacker was on the same network and had login credentials or access to a victim who had an active session on the particular network.

Saturday 13 April 2013

Hadfex at UII Yogyakarta

Today, from morning till afternoon along with other computer professionals, we are attending HADFEX which is workshops and conference on hacking and digital forensic. It is conducted by University of Islamic Indonesia in Yogyakarta. Very good activities involve many computer professionals coming from different areas in Indonesia. This is to be a place where we can share one another about anything on forensic and hacking. As requested by the HADFEX committee, in this conference, I deliver topic about Mobile Forensic Investigation. I share about basic principles on mobile forensic, starting from physical and logical acquisition to forensic data mechanism. I hope such conference/workshops could continue regularly. Good job for the committee for their hard effort to succeed it.

Thursday 11 April 2013

SOP 1 about Digital Forensic Examination Procedure

SOP 1 about Digital Forensic Examination Procedure


This SOP comprises 7 parts, namely:
1. Introduction
2. Purpose
3. Scope
4. Reference
5. Materials and Device
6. Implementation
7. Related Documents

1. Introduction

One type of evidence that can be found at the scene, both in civil and criminal cases is electronic evidence such as personal computers (PCs), laptops / notebooks, netbooks, tablet PCs, mobile phones, flashdisk, memory cards etc.. Electronic evidence has a significant role in the disclosure of a case due to store digital data that can be used to explain the history and reconstruction of the case. Therefore, the examination of electronic evidence should be based on SOP 6 s / d 15, which refers to the international guidelines issued by the Association of Chief Police Officers (ACPO) and 7Safe in the UK and by the National Institute of Justice under the Department of Justice , the US, so the results are as expected and can be scientifically justified and legal.
In addition to the SOPs, digital forensic examination of the electronic evidence should also be implemented via SOP 2 governing work hours commitments for each  examination including its phases in details. This is aimed to run the examination efficiently and effectively so that it can support to speed up efforts of inquiry/further investigation.
In order to obtain an integrated SOPs in the digital forensic examinations globally, it requires SOP 1 which describes procedures for a comprehensive examination of digital forensic starting from activities at the scene until laboratory analysis activities. Through this SOP 1, it is expected that digital forensic examiners and investigators are able to understand that the function of digital forensics can be started from the initial examination at the scene until further investigation which is more complex in the laboratory. Due to the initial handling of the evidence involves digital forensics function, then the procedural validity of the evidence and the integrity of the chain of custody (trip chain of evidence from the crime scene to the trial) can be justified scientifically. In addition, the speed to get the initial data for inquiry / investigation can be met because the implementation of SOP 1 in the initial examination of electronic evidence at crime scene can be done correctly.

2. Purpose

For the orderly administration and technical in handling electronic evidence in a comprehensive manner starting from the crime scene to the laboratory in order to support inquiry / investigation quickly and correctly.

3. Scope

3.1. Examination Principles
3.2. Triage Forensic
3.3. Further Examination in the laboratory

4. Reference

4.1. ACPO, 7Safe (2008). Good Practice Guide for Computer-Based Electronic Evidence. UK ACPO and 7Safe.
4.2. National Institute of Justice (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. US National Institute of Justice.
4.3. Al-Azhar, M.N. (2012). "Digital Forensic: Practical Guidleines for Computer Investigation". Salemba Infotek, Jakarta.

5. Materials and Device

5.1. Analysis workstation
5.2. Notes set
5.3. Harddisk doc ot USB to IDE/SATA cable
5.4. Card reader
5.5. External harddisk
5.6. Handphone data cable
5.7. Simcard reader
5.8. Hardware/Software for write protect
5.9. Jammer
5.10. Faraday bag
5.11. Portable mobile forensic device
5.12. Flashdisk
5.13. Software for forensic imaging
5.14. SOftware for triage forensic
5.15. Hardware/software for audio enhancement
5.16. Software for voice recognition analysis
5.17. Software for video forensic analysis
5.18. SOftware for digital image forensic analysis
5.19. SOftware for network forensic analysis

6. Implementation

6.1. Examination Principles

It refers to ‘Good Practice Guide for Computer-Based Electronic Evidenc’ which is published by Association of Chief Police Officers (ACPO). They are:
6.1.1. Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
6.1.2. Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
6.1.3. Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
6.1.4. Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

6.2. Triage Forensic

6.2.1. Examination procedure when the evidence is in OFF state
The phases below are comprehensively explained in details on SOP 6 about Triage Forensic:
- Checking
- Power off
- Labeling
- Documentation
- Submitting to the lab

6.2.2. Examination procedure when the evidence is in ON state
The phases below are comprehensively explained in details on SOP 6 about Triage Forensic, except for live acquisition:
- Checking
- Initial Data Extraction
- Live Acquisition, referring to SOP 7
- Power off
- Labeling
- Documentation
- Submitting to the lab

6.3. Further examination in the lab

6.3.1. Examination and Analysis on Harddisk, Flashdisk and Memory Card
The phases below are comprehensively explained in details on each of its SOP, while for the prediction of the length of time required for each stage described in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Analysis: SOP 9
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.2. Examination and Analysis on Handphone and Simcard
The phases below are comprehensively explained in details on each of its SOP, while for the prediction of the length of time required for each stage described in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 10
- Analysis: SOP 11
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.3. Examination and Analysis on Audio Forensic
The phases below are comprehensively explained in details on each of its SOP, while for the prediction of the length of time required for each stage described in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Audio Enhancement: SOP 12
- Decoding: SOP 12
- Analysis: SOP 12
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.4. Examination and Analysis on Video Forensic
The phases below are comprehensively explained in details on each of its SOP, while for the prediction of the length of time required for each stage described in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Metadata Analysis: SOP 13
- Frame Analysis: SOP 13
- Bitrate Histogram Analysis: SOP 13
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.5. Examination and Analysis on Digital Image Forensic
The phases below are comprehensively explained in details on each of its SOP, while for the prediction of the length of time required for each stage described in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Metadata Analysis: SOP 14
- Enrichment: SOP 14
- Pixel Analysis: SOP 14
- Super Resolution: SOP 14
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.6. Examination and Analysis on Network Forensic
The phases below are comprehensively explained in details on each of its SOP, while for the prediction of the length of time required for each stage described in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Email Analysis: SOP 15
- IP Address Analysis: SOP 15
- Online Social Media Analysis: SOP 15
- Online Gambling Analysis: SOP 15
- Data Mining and Profiling: SOP 15
- Reporting: SOP 3
- Submitting evidence: SOP 5

7. Related Documents

It is the same as Reference at point 4, and added with:
7. 1. Carrier, B. (2007). File System Forensic Analysis. Addison-Wesley.
7. 2. Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Elsevier Academic Press.
7. 3. Johnson, T. A. (2005). Forensic Computer Crime Investigation. Taylor & Francis.
7. 4. Marcella, A.J. and Greenfield, R. S. (2002). Cyber Forensics : A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. CRC Press.
7. 5. Middleton, B. (2002). Cyber Crime Field Handbook. CRC Press.
7. 6. Sammes, T. and Jenkinson, B. (2007). Forensic Computing: A Practitioner’s Guide. Springer.
7. 7. Indonesian Act No. 11 year 2008 about Electronic Information and Transaction.


Written by:
Chief of Computer Forensic Sub-Department
Indonesian Police Forensic Laboratory Center

Muhammad Nuh Al-Azhar, MSc., CHFI, CEI
Superintendent Police

Agreed by:
Chief of Physics and Computer Forensic Department
Indonesian Police Forensic Laboratory Center

Drs. Andi Firdaus
Senior Superintendent Police


Note:
To download the SOP 1 in Indonesian version, please click the link below:
https://dl.dropboxusercontent.com/u/4868186/DFAT_SOP_2013/SOP1_ProsedurPemeriksaanDigitalForensik.pdf

Friday 5 April 2013

Standard Operating Procedures (SOPs) on Digital Forensic

On this occasion, I'd like to discuss about SOPs on Digital Forensic. As we know, digital forensic is a branch of computer specialization which grows up significantly at this time with high demands in computer market. All over the world, to find out a professional digital forensic analyst/investigator is not as easy as another computer fields, as their number in each country is not much, compared to another computer fields.

To be a good and professional digital forensic analyst/investigators, it needs good technical and academic background, as well as it is supported by good software and hardware. Besides that, it also requires good SOPs in order to guide steps of digital forensic examination/analysis to be done properly. Without good SOPs, the analyst/investigator could be wrong in their examination/analysis. They just rely on hardware/software like ordinary operator. When it hits the wall, they will give up. They becomes not creative to find out the best solution for their problem.

The SOPs are also designed  for accountable examination/analysis. When the results are questionable, it can be re-examined/analyzed by third party of digital forensic analyst/investigator. With the same SOPs, the results should be the same. The SOPs  are also established to show that the proper scientific steps are still better and more valuable than hardware/software. Hardware/software is just tools for the analyst/investigator. They must need it, but they should not put it on the most top sky like God. There is a good phylosophy followed by me and my team: "No system is perfect" and "No hardware/software is perfect". Each of them has their own strengths and weaknesses. That's why a digital forensic analyst/investigator should have many good hardware/software, then they can use it with a proper way to find out which one has the best results for the examination/analysis. The proper ways are the steps guided in SOPs.

A good SOPS should not contain or mention name of hardware/software. It just contain steps of examination/analysis. How to apply it by using hardware/software, it depends on the analyst/investigator to choose which hardware/software which can give the best results. The analyst/investigator plays role as a good chef who can choose which ingredients (without brand name) is the best in order to cook a meal with delicious taste. The ingredients here are hardware/software, and the SOPs are as recipe.

At my digital forensic lab of Indonesian Police Forensic Lab Centre, I've already developed 15 SOPs for digital forensic examination/analysis. They are:

SOP 1 about Digital Forensic Analysis Procedures

SOP 2 about Working Hours Commitment

SOP 3 about Digital Forensic Reporting

SOP 4 about Receiving Electronic/Digital Evidence

SOP 5 about Submitting Electronic/Digital Evidence

SOP 6 about Triage Forensic

SOP 7 about Live Acquisition

SOP 8 about Acquisition on Harddisk, Flashdisk and Memory Card

SOP 9 about Analysis on Harddisk, Flashdisk and Memory Card

SOP 10 about Acquisition on Handphone and Simcard

SOP 11 about Analysis on Handphone and Simcard

SOP 12 about Audio Forensic Analysis

SOP 13 about Video Forensic Analysis

SOP 14 about Digital Image Analysis

SOP 15 about Network Forensic Analysis

The SOPs above have already been implemented at my lab since 2 years ago. We are not rigid on adopting new techniques/methodologies for making our SOPs become better. Since implemented, the SOPs had already been reviewed three times, following the latest technology/methodology. The number of SOPs is most probably to increase. For instance, at this moment, we are in progress to make a new SOP about expert witness. Our SOPs are not confidential. They are based on scientific way and legal, that's why our SOPs are also used by several digital forensic labs of governments and companies in Indonesia. They adopt our SOPs to be implemented at their own labs.

Wednesday 3 April 2013

Attacks on US Financial Institutions Continue

Fron what I know, at this moment the forms of attack targetting banks or financial institutes are dominantly via trojan horses and DDoS. Several incidents show that the trojans are frequently used when the criminals want to obtain bank-related information as much as possible. The news below shows that the attackers want the victim cannot run their financial business properly, even the DDoS attack could be a cover for hiding or disguising any online bank frauds. I hope the bank's security team has already taken some hardening actions to anticipate these attacks.

From The SANS Institute:
Attacks on US Financial Institutions Continue (March 29 & 30, 2013) A group claiming responsibility for a recent distributed denial-of-service (DDoS) attack against the American Express website is the same one that has been targeting US financial institutions since September 2012. While the primary focus of the group's efforts appears to be crippling the banks' websites, there is concern that the attacks could provide a cover for fraudulent transactions. http://arstechnica.com/security/2013/03/funded-hacktivism-or-cyber-terrorists-amex-attackers-have-big-bankroll/http://www.usatoday.com/story/tech/2013/03/29/american-express-denial-of-service-hack/2030197/