
Progress Report: Developing Seizure Framework on a Webserver to Support Acquisition Validity

Name : Irwan Hariyanto

NIM : 2302210002

Concentration : Cybersecurity and Forensic

E-mail : irwanhariyanto@student.telkomuniversity.ac.id

Supervisor 1 : Rimba Whidiana Ciptasari, S.Si., M.T., Ph.D

Supervisor 2 : Dr. Yudi Prayudi, S.Kom, M.Kom

Submitted Date : 29 January 2023

Faculty of Informatics (Fakultas Informatika)

Progress Summary:

This is a summary with a length of 300 words. The summary is written briefly from the entire contents of the thesis/proposal, and so on until it is finished.
1 INTRODUCTION

At the collection stage in the digital forensics framework on the webserver, there is still no proper seizure section. In the current condition, when seizing a webserver, the method used is to deface the main page of the website and perform a takedown on the server. This is done to stop the flow of data that affects the collection so that the acquisition process can run properly. The seizure of the webserver here can be of a physical webserver or one in the cloud that can be accessed by the investigator, provided that it is owned by a company that has criminal law problems in the area to be seized.

In conducting forensic efforts on websites, there are stages in NIST (800-86), namely Collection, Examination, Analysis, and Reporting, as shown in Figure 1. In the NIST collection stage, there is a process of identifying, labeling, recording, and acquiring data from relevant data sources, while following procedures that maintain data integrity. In the collection stage, it is not clearly explained how to seize the web server. The new private cloud computing investigation framework was previously based on SNI 27037:2014, called the Private Cloud Computing Investigation Framework (PCCIF), but there is no explanation of how to seize, as shown in Figure 2. Likewise, the framework in the Standard Operating Procedure of Digital Evidence Collection, Digital Forensics Department, CyberSecurity Malaysia, has a methodology that involves 5 basic phases: Identification, Collection, Analysis, Presentation and Preservation. This paper explains how the collection process proceeds from selecting files/folders and copying them to identification, which calculates the hash of the copied files, as shown in Figure 3. The seizure of web servers has the same position as a physical seizure such as the seizure of PCs, smartphones, hard disks, flash drives, and other storage media, but there is still no framework for seizing web servers in particular, which is very important to support the validity of data acquisition. This affects the validity of website acquisition, whether it can be said to be legitimate or not, both in terms of process and legal aspects.

Figure 1: NIST Framework [2]

From the previous frameworks, it can be seen that there is no method to seize the webserver clearly to support the validity of the acquisition and its legal aspects. In the seizure carried out previously by defacing and takedown of the webserver, it is necessary to review whether it is in accordance with the validity of its aspects and whether its legal standing is correct or not. Therefore, a special framework is needed to seize the webserver so that the acquisition of the webserver is considered valid both in process and legally.

Figure 2: Forensic Investigation Framework [10]

Figure 3: Forensic Investigation Framework [6]
2 Preliminary Literature Review

In the document "Operation Seizing Our Sites: How The Federal Government is Taking Domain Names Without Prior Notice", although this enforcement effort is grounded in noble policy reasons and backed by legitimate industry concerns, the process that the National Intellectual Property Rights Coordination Center ("IPR Center"), ICE, and the Department of Justice ("DOJ") employ to seize these domains has raised red flags among members of Congress and the public in general. The ex parte in rem forfeiture proceedings allow the government to seize a domain name without any prior notice to the website operator, essentially leaving them in the dark. ICE agents and DOJ attorneys only need to show probable cause that the website in question engaged in one of the enumerated intellectual property violations in order to obtain a seizure warrant from a judge. [7]

In Advanced evidence collection and analysis of web browser activity [5] there is a division of ways to perform analysis on web browsers: it presents a new evidence collection and analysis methodology, a new tool based on the proposed methodology, and a comparison with other tools is reported [5]. Whereas in the context of seizing a website, there are at least the parameters of the domain name (registered), IP address, webserver, and content that must be seized.

In the ISO 27037:2012 framework, it is contained in clause 6.7.3, Other briefing information, namely in the "Details of search warrants and other authorities applicable to the investigation, including the limits of the search and seizure" section. Meanwhile, NIST does not explain clearly how to do seizures; the collection section only explains how to retrieve data for acquisition. Specifically for The Private Cloud Investigation Framework, there is a collection section with a seizure sub-section, as can be seen in Figure 1.

In some cases, there is a takedown method that is part of a collection. This is intended to do a seizure of the storage media hosting the webserver. There is currently no standard procedure or oversight for website takedown, apart from the requirements associated with law enforcement entering a location and seizing a server. [8] Additionally, there are 'adversarial scraping' studies for academic research, which involve collecting data from websites that employ defenses against traditional web scraping tools. [12] In the event of a cybercrime it is temporary, with new sites starting and ceasing operations quickly (e.g. due to police takedowns). [8] From the several cybercrime cases above, an additional takedown methodology can be provided in maintaining the integrity of data on a web server. However, it should be considered that while most website takedown is done to interrupt and prevent criminal activities, there are different disruption mechanisms at play, such as stopping visitors from accessing the website, or discouraging offenders by making it harder for them to continue their illicit enterprises. [8]

In doing a collection on the webserver, what must be considered is taking the logs contained on the webserver. The web server log records entries related to the Web pages running on the Web server. The entries contain the history for a page request: client IP address, date and time, HTTP code, and bytes served for the request. [11]
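As an added illustration that is not part of the report, the fields listed above can be pulled out of a collected Apache access log with a small parser. The log lines below are constructed (addresses from documentation ranges, paths mimicking a WordPress install); malformed lines are reported with their line number rather than silently dropped, and the raw text is hashed so the parsed view can be tied back to the collected file.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log in Apache "combined" format (not from the report).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2023:10:15:32 +0700] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jan/2023:10:15:33 +0700] "GET /wordpress/wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Jan/2023:10:16:01 +0700] "POST /wordpress/wp-login.php HTTP/1.1" 302 - "-" "curl/7.68.0"
198.51.100.23 - - [29/Jan/2023:10:16:05 +0700] "GET /wordpress/wp-admin/ HTTP/1.1" 403 199 "-" "curl/7.68.0"
this line is corrupted and must be reported, not silently dropped
"""

# One entry: client IP, timestamp, request line, HTTP status code, bytes served.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return the fields the report lists for one entry, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "client_ip": m.group("ip"),
        "timestamp": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        # Apache writes "-" when no body was sent; treat that as zero bytes.
        "bytes_served": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
    }


def parse_log(text):
    """Parse every line; keep malformed lines (with line numbers) for the report."""
    entries, rejected = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            rejected.append((number, line))
        else:
            entries.append(entry)
    return entries, rejected


def summarize_by_client(entries):
    """Requests, bytes served and status codes per client IP address."""
    summary = defaultdict(lambda: {"requests": 0, "bytes_served": 0, "statuses": set()})
    for e in entries:
        s = summary[e["client_ip"]]
        s["requests"] += 1
        s["bytes_served"] += e["bytes_served"]
        s["statuses"].add(e["status"])
    return dict(summary)


def log_digest(text):
    """SHA-256 of the raw log text, recorded alongside the parsed entries."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()
```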

In terms of the legal aspect, there is Law No. 11 of 2008 on Electronic Information and Transactions for the territory of Indonesia. In some countries there are also rules governing electronic documents or digital evidence. Article 6 states that "Where other provisions are in place other than those regulated in Article 5 paragraph (4) requiring that information must be in writing or original form, Electronic Information and/or Electronic Documents shall be deemed to be lawful to the extent the information contained therein is accessible, displayable, assured as to its integrity, and accountable in order to be explanatory." [3]

Law of the Republic of Indonesia Number 8 of 1981 on the Criminal Procedure Law, Article 38 (1): Seizure may only be carried out by an investigator with the permission of the head of the local district court. Article 39 (1): What can be subject to seizure are: a. objects or bills of the suspect or defendant, in whole or in part, allegedly obtained from a criminal act or as the result of a criminal act; b. objects that have been used directly to perform criminal acts or to prepare them; c. objects used to obstruct the investigation of criminal acts; d. objects specially made or intended to commit a criminal act; e. other objects that have a direct relationship with the criminal act conducted. (2) Objects that are under seizure due to civil cases or due to bankruptcy can also be seized for the purposes of investigation, prosecution and trial of a criminal case, as long as it complies with the provisions of paragraph (1). [1] In the context of pro justitia, there must be an official report of seizure.

From the several papers and references above, there has not been a webserver seizure framework that complies with seizure rules. The seizure process on the website has not been conveyed in a framework to achieve validity in accordance with applicable legal norms. Currently there is only a framework for conducting the collection process, so it was deemed necessary to create a website seizure framework.

3 Problem Statement

Based on the existing frameworks, the framework still has shortcomings, among others:

• Seizure process against webserver

• Legal aspects of webserver seizure

• Handling of webservers when seized (whether it is relevant to deface or takedown)

• Validity aspects of the acquisition

It is therefore necessary to develop a webserver seizure framework to support the validity of the acquisition.

4 Objective and Hypothesis

The purpose of this research is to develop a forensic website seizure framework to maintain its validity in accordance with applicable legal norms, so that the forensic process becomes legal and supports valid investigative methods.

With the establishment of this website seizure framework, the validity of the website seizure procedure can be maintained. Each stage in the framework will go through a process of verification and validation by the parties applicable to the investigation.
5 Proposed Framework

More specifically, the section comprises the following components:

1. Requirement identification

From some of the existing frameworks, there are requirements for conducting seizures that can be taken into account, including:

– This framework can be run under the condition that the webserver is owned by an individual/body whose main webserver backend is accessible. Of course, investigators accompanied by digital forensic practitioners must seize the website administrator's account.

– The dataset used in this research will be obtained from a webserver. In collecting the datasets, the researchers used a webserver that was created independently just for research. The webserver was built using VMware on the server, then MySQL, Apache, and WordPress were installed to simplify installation. The researcher obtained a backend account to create the website content, then acquired the content of the website. Acquisition is done by downloading the content, then copying it onto a flash disk and acquiring it using FTK Imager. The results are in the picture.

– The location of the webserver will be in a cloud/physical machine. The location of the webserver is on the VMware installed on one of the servers.
2. Design process

The method that can be implemented to develop this framework is by conducting interviews, authentication, and validation with subject matter experts. The to-do list carried out in the design of this framework development is contained in the following table:

Table 1: Seizure Requirement

Before developing the framework, previous frameworks were examined, together with the Spiral Model for Digital Forensics Investigation [9] and DFMF: A Digital Forensic Management Framework [4], in order to make the framework practically implementable.

Figure 4: Spiral Model for Digital Forensics Investigation [9]

The spiral model explains how to compare several frameworks which are then used as models to support the investigation. This spiral model is needed to use several existing frameworks so that they can be directly implemented when there is an investigation in the field. This helps experts when presenting in court, when explaining what methodology is used in conducting digital forensic investigations.

While in the dissertation DFMF (Digital Forensic Management Framework): A Digital Forensic Management Framework there is a section on the construction of the DFMF relationship between the Legal and Judicial dimensions; here it describes how to get the requirements to implement the framework so that it can be run in digital forensic investigations. The focus is on the legal and judicial dimension as shown in Figure 5. There is a to-do list which is described as follows [4]:

- Determine the legal and regulatory requirements applicable to the operational and investigation infrastructure. Consider requirements related to evidence, processes, admissibility of investigation tools, and the configuration of the operational and investigation infrastructure.

- Identify the legal and regulatory requirements applicable to digital and physical evidence.

- Determine the technical, legal, judicial and regulatory requirements to accredit education and training programmes and certify staff to be competent.

- Identify the legal and judicial requirements for the specific incident.

Figure 5: Relationship between the dimensions [4]

From the four to-do lists, it can be concluded that legal and judicial aspects are important in conducting digital forensic investigations.

From the to-do list above, there is a view to design the seizure framework to obtain valid evidence in the investigation, shown in Figure 6. There are Legal, Procedure, and People sections which validate the seizure process.

Figure 6: Proposed Framework Design

In the Legal section, we must look at the applicable regulations or policies and laws that apply when conducting seizures. The Criminal Procedure Law [1] outlines who conducts the seizure and how. Whereas in other regulations, such as the Regulation of the Minister of Communication and Information Technology, there is also guidance on how to treat electronic evidence, but it does not show validation of seizure, because that is only found in the Criminal Procedure Code.

In the Procedure section, there should be a description of the procedure, when it takes effect, and to whom it applies. This will have an impact on the competence of the humans who carry out seizures in the People section. In the use of digital forensic tools, it must be clear how these tools are used in making seizures and whether they are included in the applicable standards.

Figure 7: Proposed Seizure Framework Process

In the People section, of course, we must look at the competence of the personnel who do it. This can be seen from certificates of competence, experience based on warrants and other documents, and attitude in carrying out the digital forensic investigation process. Techniques or methods in carrying out investigative procedures are needed to account for the investigation process.

The three stages are simplified into the Proposed Seizure Framework Process as shown in Figure 7. In the Legal, Procedure, and Human Resources sections there are processes that can be unified into the same work section as Legality of seizure, Procedure of seizure, and Technique of seizure. To obtain validation that the seizure is carried out correctly, there must be legal guidance in the form of applicable laws and regulations. This is very important so that the seizure procedure runs according to the rules and legally. The procedure for seizing electronic evidence, in this case the web server, must exist so that the process of taking the web server can be traced according to the steps. Techniques in seizing electronic evidence are required, as in the retrieval of webservers. It must be clear what personnel do, what competencies they have, and the techniques used. This can be done by physically seizing the webserver, the cloud account, or the backend account.

Figure 8: Design on seizure acquisition webserver

If combined with the NIST framework, there will be additional seizure stages in the framework where it must be carried out. From the collection section of NIST 800-86, the stages of legality, procedures, and techniques in seizing websites are added, as shown in the following figure.

3. Implementation process

In conducting experiments to seize the webserver, a website was created as test material. The website is installed on a webserver located in one of the data centers with the following specifications:

- Domain: https://serving03.sibernet.id/wordpress

- Backend: https://server03.sibernet.id/wordpress/wp-login.php?

- IP address 1 : server03.sibernet.id / 172.67.149.86

- IP address 2 : server03.sibernet.id / 104.21.55.167

Next, log into the webserver account and dump the contents of the webserver. Then the results are copied onto a flash disk (because the size is small) and acquired like a forensic computer, as in the following figure.

Figure 9: Flashdisk used to store server dumps
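The dump-then-copy step above, and the copying-then-hashing step of the CyberSecurity Malaysia SOP cited in the introduction, can be recorded in a hash manifest so the copy on the flash disk is verified against the dump and can be re-verified after imaging. This is an added example, not the report's own tooling: the dump contents, case identifiers and paths are constructed placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large dumps never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return dict(sorted(hashes.items()))


def copy_and_verify(src, dst, evidence):
    """Copy the dump, hash both sides, and write a manifest beside the copy."""
    shutil.copytree(src, dst)
    src_hashes, dst_hashes = hash_tree(src), hash_tree(dst)
    problems = sorted(p for p in set(src_hashes) | set(dst_hashes)
                      if src_hashes.get(p) != dst_hashes.get(p))
    manifest = {"evidence": evidence,  # identity parameters of the evidence
                "created_utc": datetime.now(timezone.utc).isoformat(),
                "files": src_hashes, "copy_verified": not problems, "problems": problems}
    with open(dst + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(copy_root, manifest):
    """Re-hash the copy later and return the files that no longer match."""
    current = hash_tree(copy_root)
    return sorted(p for p in set(manifest["files"]) | set(current)
                  if manifest["files"].get(p) != current.get(p))


def demo():
    """Constructed dump (not the report's data): copy, verify, then detect a change."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "dump")
        os.makedirs(os.path.join(src, "wp-content", "uploads"))
        files = {"wp-config.php": "<?php define('DB_NAME', 'wp'); ?>",
                 "wp-content/uploads/logo.png": "PNG-placeholder-bytes",
                 "db.sql": "INSERT INTO wp_posts VALUES (1, 'hello');"}
        for rel, body in files.items():
            with open(os.path.join(src, rel), "w") as f:
                f.write(body)
        evidence = {"case_id": "CASE-ID-PLACEHOLDER",  # hypothetical identifiers
                    "examiner": "EXAMINER-PLACEHOLDER"}
        dst = os.path.join(tmp, "flashdisk_copy")
        manifest = copy_and_verify(src, dst, evidence)
        with open(os.path.join(dst, "db.sql"), "a") as f:  # simulate later tampering
            f.write("-- altered after the copy was verified\n")
        return {"copy_verified": manifest["copy_verified"],
                "file_count": len(manifest["files"]),
                "changed_after_copy": verify_manifest(dst, manifest)}
```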

Figure 10: The flashdisk is plugged into a write blocker to maintain the integrity of the data it contains

Figure 11: Acquisition using Tableau Imager

Figure 12: Fill in the identity parameters of electronic evidence

Figure 13: Acquisition process

Figure 14: Completed acquisition

Figure 15: Acquisition process log

Figure 16: Analysis process using FTK Imager

Figure 17: Input the acquired image file

Figure 18: Input the acquired image file

Figure 19: Input the acquired image file

Figure 20: Finish extraction

Figure 21: The dump can be seen in FTK Imager

4. Experiment design and plan (including data collection process)

5. Analysis/Evaluation method which will be used for analyzing the experiment result

The analysis method uses subject matter experts. The experts can be interviewed at Indonesia Digital Forensic Expert; there are

6 Work Plan and Time Schedule

Write a work plan along with the schedule for completion. The following is an example. You may adjust the activities and time schedule according to the problem.

Table 2: Activity Schedule

No.  Activity                    Semester 1   2   3   4
1    Literature study
2    Problem identification
3    Contribution formulation
4    Hypothesis formulation
5    Proposal
6    Data collection
7    Requirement identification
8    Design process
9    Implementation process
10   Experiment design
11   Evaluation and analysis
12   Thesis draft

Supervisor (I)’s Comments:

Comments about the title

Comments about the research method

Sign Date:

( )

Supervisor (II)’s Comments:

Comments about the title

Comments about the research method

Sign Date:

( )

References

[1] Republik Indonesia, "Undang-Undang Republik Indonesia Nomor 8 Tahun 1981 tentang Hukum Acara Pidana," pp. 1–17, 1981.

[2] K. Kent, S. Chevalier, T. Grance, and H. Dang, "Guide to integrating forensic techniques into incident response (NIST Special Publication 800-86)," NIST Special Publication, vol. 10, no. August, pp. 800–886, 2006. [Online]. Available: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf.

[3] Republik Indonesia, "Undang-Undang tentang Informasi dan Transaksi Elektronik," Bi.Go.Id, no. September, pp. 1–2, 2008. [Online]. Available: https://peraturan.bpk.go.id/Home/Details/37589/uu-no-11-tahun-2008.

[4] C. P. Grobler, S. H. von Solms, and C. P. Louwrens, "DFMF: A Digital Forensic Management Framework," PQDT - Global, no. November, p. 274, 2011. [Online]. Available: https://www.proquest.com/dissertations-theses/dfmf-digital-forensic-management-framework/docview/2566013646/se-2.

[5] J. Oh, S. S. Lee, and S. S. Lee, "Advanced evidence collection and analysis of web browser activity," Digital Investigation, vol. 8, Suppl., pp. S62–S70, 2011, issn: 17422876. doi: 10.1016/j.diin.2011.05.008. [Online]. Available: http://dx.doi.org/10.1016/j.diin.2011.05.008.

[6] S. Khadijah, T. Mohd, Z. Adil, and B. Talib, "Standard Operating Procedure of Digital Evidence Collection, Digital Forensics Department, CyberSecurity Malaysia," Tech. Rep., 2013.

[7] K. Kopel, "Operation Seizing Our Sites: How the Federal Government is Taking Domain Names Without Prior Notice," The Sciences, vol. 35, no. 3, pp. 41–45, 2013. [Online]. Available: https://lawcat.berkeley.edu/record/1125659/files/fulltext.pdf.

[8] A. Hutchings, R. Clayton, and R. Anderson, "Taking down websites to prevent crime," eCrime Researchers Summit, eCrime, vol. 2016-June, pp. 102–111, 2016, issn: 21591245. doi: 10.1109/ECRIME.2016.7487947.

[9] S. Kothari and H. Hasija, "Spiral Model for Digital Forensics Investigation," Communications in Computer and Information Science, vol. 746, pp. 312–324, 2017, issn: 18650929. doi: 10.1007/978-981-10-6898-0_26.

[10] D. Sudyana, N. Lizarti, and E. Erlin, "Forensic Investigation Framework on Server Side of Private Cloud Computing," Lontar Komputer: Jurnal Ilmiah Teknologi Informasi, vol. 10, no. 3, p. 181, 2019, issn: 2088-1541. doi: 10.24843/lkjiti.2019.v10.i03.p06.

[11] T. Raja Sree and S. Mary Saira Bhanu, "Data Collection Techniques for Forensic Investigation in Cloud," Digital Forensic Science, 2020. doi: 10.5772/intechopen.82013.

[12] K. Turk, S. Pastrana, and B. Collier, "A tight scrape: Methodological approaches to cybercrime research data collection in adversarial environments," Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, EuroS&PW 2020, pp. 428–437, 2020. doi: 10.1109/EuroSPW51379.2020.00064.
