Forensics Bulletin V3
Bulletin
June 2014 | Volume - 3
Index
02 Executive summary
03 eProtect: Online complaint portal
05 WhatsApp forensics: Recovering & decrypting deleted conversations
07 Biometric fraud: Employee attendance system fraud & RFID trick
13 Intelligence gathering: Tracking Pakistan Haxor Crew
15 About us
Executive summary
In this issue we would like to take our readers a step ahead from cyber security to cyber & digital forensics. In this high-tech world a variety of computer crimes take place on a small scale as well as a large scale. The loss caused depends on the sensitivity of the computer data or the information for which the crime has been committed. So computer forensics has become a vital part of our corporate world.
Those golden days are gone when criminals were using only guns and other offensive equipment to commit a crime. Nowadays a mobile is used to connect lives and run businesses, and the same mobile is used to commit crimes, and hence it is next to impossible to predict who the actual criminal is when everyone is carrying weapons, i.e. phones, in their pockets. Someone who is carrying unauthorized guns can be declared a criminal, but what if billions of people are carrying the same digital weapons in their pockets?
“Believe it or not, but we all have committed some cyber-crimes intentionally or by mistake”
We at CCFIS faced and solved several forensics cases that cannot be solved by traditional pre-defined forensics technologies and protocols. Sometimes forensics is more a matter of research and behavioral analysis.
eProtect
Online complaint portal
Most of the time, we don’t want to share a cybercrime that happened to us with anyone, and that’s why such cases remain unsolved and culprits get encouragement to repeat them. To maintain anonymity and to resolve these cases we started eProtect, initially for students and staff of Amity Education Group. eProtect is an online complaint portal developed by the CCFIS team for students of Amity University to report any case ranging from a cyber-harassment incident on social media to online fraud. Once a complaint is registered, the CCFIS incident response team gets notified and acts to resolve it in the minimum possible time.
Biometric fraud
Employee attendance system fraud & RFID trick
Biometric attendance devices are used in almost all offices. Every morning we punch our card & fingerprint before starting our work and repeat the same every day. But what if the data of these security appliances can be manipulated? Most biometric devices work on a database authentication and comparison model. Whenever an RFID-enabled card is punched along with a fingerprint, the device compares the data to the original database and authenticates the user. Once the user is verified, a database entry is made in the ERP system recording that the particular user punched at a particular timestamp.
Recently we resolved one biometric fraud case in which none of the traditional forensics methodologies worked. Every day over 800 employees were using that biometric attendance system before starting their work. The data from all 10 biometric devices were saved in one central database, and from there taken to the organization’s ERP and other departments like HR and accounts. System administrators created rules to take automated regular backups of every day’s database.
The fraud came to the knowledge of management when an employee was called for a meeting and didn’t show up; it was mentioned that the employee was not in the office, yet the employee was marked present in the biometric attendance system and everything was normal in the ERP as well as in all databases. The biometric device vendor was called and checked all biometric devices by taking hundreds of samples, but everything was normal.
Management later decided to have a forensics investigation into this issue, and the case was handed over to the CCFIS team for further analysis. Initially we tested all biometric devices and realized that everything was normal. Then we started comparing the original and backup databases manually, and the data were the same everywhere. We also found that a few database entries had been deleted from both the original and the backup database. After recovering those deleted entries, we realized that an administrator who was in a close relationship with the employee had created several SQL scripts to manipulate both the original as well as the backup database. The issue was resolved, management was informed and the employee was fired.
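The investigation above hinged on the fact that the live database and its backup agreed with each other, so the manipulation only surfaced once the deleted rows were recovered. As an added example (this is not the bulletin's code and not the organization's actual schema; the table name, columns, sample rows and the demo key are all constructed), the Python below shows two checks an auditor can run on an attendance database without carving the database file: holes in an AUTOINCREMENT id sequence, which deleted rows leave behind, and a keyed hash chain over the rows whose key is held outside the database team, so that a coordinated edit of live and backup cannot be made to look consistent.

```python
"""Detecting deleted or forged attendance rows when live DB and backup agree.

Added example, not part of the original bulletin. Table name, columns,
sample rows and the key are constructed for illustration.
"""
import hashlib
import hmac
import sqlite3

# Assumption: the MAC key is held by the audit/HR side, not by the DBA,
# so a script run against the database cannot recompute valid MACs.
SECRET = b"constructed-demo-key"

SCHEMA = """
CREATE TABLE attendance (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    employee_id TEXT NOT NULL,
    device_id   INTEGER NOT NULL,
    punched_at  TEXT NOT NULL,
    chain_mac   TEXT NOT NULL
);
"""


def _row_mac(prev_mac, employee_id, device_id, punched_at):
    msg = f"{prev_mac}|{employee_id}|{device_id}|{punched_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_punch(conn, employee_id, device_id, punched_at):
    """Append one punch; each row's MAC chains to the previous row's MAC."""
    prev = conn.execute(
        "SELECT chain_mac FROM attendance ORDER BY id DESC LIMIT 1").fetchone()
    prev_mac = prev[0] if prev else "genesis"
    conn.execute(
        "INSERT INTO attendance (employee_id, device_id, punched_at, chain_mac) "
        "VALUES (?, ?, ?, ?)",
        (employee_id, device_id, punched_at,
         _row_mac(prev_mac, employee_id, device_id, punched_at)))
    conn.commit()


def id_gaps(conn):
    """Rows deleted from an AUTOINCREMENT table leave holes in the id sequence:
    sqlite_sequence keeps counting even after the rows are gone."""
    ids = {r[0] for r in conn.execute("SELECT id FROM attendance")}
    seq = conn.execute(
        "SELECT seq FROM sqlite_sequence WHERE name = 'attendance'").fetchone()
    expected = set(range(1, (seq[0] if seq else 0) + 1))
    return sorted(expected - ids)


def verify_chain(conn):
    """Recompute the chain in id order. Returns (ok, first_bad_id); the first
    mismatch marks where a row was removed, altered or forged."""
    prev_mac = "genesis"
    for rid, emp, dev, ts, mac in conn.execute(
            "SELECT id, employee_id, device_id, punched_at, chain_mac "
            "FROM attendance ORDER BY id"):
        if mac != _row_mac(prev_mac, emp, dev, ts):
            return False, rid
        prev_mac = mac
    return True, None


def diff_tables(live, backup):
    """Rows present in only one copy. Empty on both sides means the two copies
    agree, which is exactly what a coordinated manipulation produces."""
    q = "SELECT id, employee_id, device_id, punched_at FROM attendance"
    a, b = set(live.execute(q)), set(backup.execute(q))
    return sorted(a - b), sorted(b - a)


def build_demo():
    """Constructed scenario: four real punches, a backup, then the same
    delete-and-forge applied to both live and backup copies."""
    live = fresh_db()
    for i, emp in enumerate(["E101", "E102", "E103", "E104"]):
        record_punch(live, emp, 1 + i % 3, f"2014-06-02T09:0{i}:00")
    backup = sqlite3.connect(":memory:")
    live.backup(backup)
    for db in (live, backup):
        db.execute("DELETE FROM attendance WHERE employee_id = 'E102'")
        db.execute(
            "INSERT INTO attendance (employee_id, device_id, punched_at, chain_mac) "
            "VALUES ('E999', 2, '2014-06-02T09:05:00', 'forged')")
        db.commit()
    return live, backup


if __name__ == "__main__":
    live, backup = build_demo()
    print("diff live/backup:", diff_tables(live, backup))
    print("id gaps:", id_gaps(live))
    print("chain:", verify_chain(live))
```

The plain diff reports nothing, while the id gap points at the missing row and the chain breaks at the first row after it. Recovering the deleted rows themselves, as the investigation did, still needs the database file (free pages, journal or WAL), which this example does not attempt.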
We thought that this was the end of the investigation. But the problem started again when, one busy day, a biometric device stopped working and all employees were standing in line to punch their cards, creating chaos. Again the vendor was called; they checked everything and blamed the CCFIS forensics team, claiming that the forensics vendor CCFIS had done something to these devices. The CCFIS team again visited the premises to investigate the issue.
After investigation, we found that one small sticker-based RFID chip had been pasted on the side of the biometric device. So whenever anyone tried to punch their card, the device wasn’t working, as it was busy reading the hidden sticker-based RFID chip on the side of the device, which was so small that nobody suspected it.
After removing this RFID sticker, everything was normal like before and the system started reading and processing all the cards. Unfortunately these stickers are available at a very low price and accessible to anyone to purchase. Even a few mobiles come with a free RFID sticker to customize according to their needs.
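A reader that is continuously occupied by a stray tag produces a distinctive event pattern: one unenrolled UID dominates its reads and legitimate cards hardly ever succeed. As an added example (not the bulletin's code; it assumes the reader controller logs every read attempt, and the log format, reader ids, UIDs and thresholds are constructed), the Python below runs that check over a sample of reader events so that a jammed reader is flagged from the log before a queue forms at the door.

```python
"""Flagging a reader swamped by a foreign RFID tag from its event log.

Added example, not from the bulletin. Log format, UIDs and thresholds are
constructed; real controllers log differently, so parse() is the part to adapt.
"""
import re
from collections import Counter, defaultdict

# Assumed line shape: "<date> <time> reader=<n> uid=<hex> result=<OK|UNKNOWN|ERROR>"
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) reader=(?P<reader>\d+) uid=(?P<uid>[0-9A-F]+) "
    r"result=(?P<result>\w+)$")

# Enrolled card UIDs (constructed)
ENROLLED = {"04A1B2C3", "04D4E5F6", "04778899", "04AABBCC"}

# Constructed events: reader 1 behaves normally (one person punched twice);
# reader 2 keeps re-reading an unenrolled UID and never sees a real card.
SAMPLE_LOG = """\
2014-06-10 09:00:01 reader=1 uid=04A1B2C3 result=OK
2014-06-10 09:00:04 reader=1 uid=04D4E5F6 result=OK
2014-06-10 09:00:06 reader=1 uid=04D4E5F6 result=OK
2014-06-10 09:00:09 reader=1 uid=04778899 result=OK
2014-06-10 09:00:15 reader=1 uid=04AABBCC result=OK
2014-06-10 09:00:01 reader=2 uid=08FFFFFF result=UNKNOWN
2014-06-10 09:00:02 reader=2 uid=08FFFFFF result=UNKNOWN
2014-06-10 09:00:03 reader=2 uid=08FFFFFF result=UNKNOWN
2014-06-10 09:00:04 reader=2 uid=08FFFFFF result=UNKNOWN
2014-06-10 09:00:05 reader=2 uid=08FFFFFF result=UNKNOWN
2014-06-10 09:00:06 reader=2 uid=08FFFFFF result=UNKNOWN
this line is malformed and must be skipped
"""


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def reader_stats(events):
    """Per reader: event count, distinct UIDs, dominant UID and its share,
    and the fraction of successful reads."""
    by_reader = defaultdict(list)
    for e in events:
        by_reader[e["reader"]].append(e)
    stats = {}
    for reader, evs in by_reader.items():
        uids = Counter(e["uid"] for e in evs)
        top_uid, top_n = uids.most_common(1)[0]
        ok = sum(1 for e in evs if e["result"] == "OK")
        stats[reader] = {
            "events": len(evs),
            "distinct_uids": len(uids),
            "top_uid": top_uid,
            "top_share": top_n / len(evs),
            "ok_rate": ok / len(evs),
        }
    return stats


def flag_readers(stats, min_events=5, share=0.8, max_ok_rate=0.2):
    """A reader whose events are dominated by one UID that is not an enrolled
    card, with almost no successful reads, looks jammed by a stray tag.
    Returns {reader: dominant_uid}. Thresholds are constructed defaults."""
    flagged = {}
    for reader, s in stats.items():
        if (s["events"] >= min_events
                and s["top_share"] >= share
                and s["top_uid"] not in ENROLLED
                and s["ok_rate"] <= max_ok_rate):
            flagged[reader] = s["top_uid"]
    return flagged


if __name__ == "__main__":
    stats = reader_stats(parse(SAMPLE_LOG))
    for reader, s in sorted(stats.items()):
        print(reader, s)
    print("jammed readers:", flag_readers(stats))
```

Run over a sliding window (the last few minutes of events per reader), the same rule also distinguishes a genuinely dead reader, which logs nothing, from one that is busy with a tag nobody presented.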
Encrypted document malware
Malware that encrypts your documents
Noida Office: Amity Innovation Incubator, Block E-3, 1st Floor, Amity University, Sector-125 Noida, UP-201301, India, Email Id: info@ccfis.net, Phone no: +91-120-4659156
Lucknow Office: 3rd Floor, AB - 6 Block, Amity University, Malhaur, Lucknow, UP - 226028, India
Disclaimer—This report was prepared as an account of work done by CCFIS research and analysis wing. Neither the CCFIS, nor any of their employees, nor any of their contractors, subcontractors or their employees, partners or their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or any third party's use of this report or the results of such use of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights.