
Cybercrime Awareness And Introduction to Digital Forensic

Mada R Perdhana

About Me

- Information Security Researcher at STMIK AKAKOM Jogjakarta
- Senior Trainer at IS2C
- Chief Security Strategist at Spentera Technology
- Computer/Digital Forensic Practitioner, Trainer and Consultant
- Blogger at http://infosecnewbie.blogspot.com
- Book writer: Harmless Hacking: Malware Analysis dan Vulnerability Development

More about me...

Linkedin : http://id.linkedin.com/in/mrpbpp

Objectives

- To provide a general awareness of cybercrime
- To understand cybercrime methods
- To identify Internet crime
- To understand the forensic method
- To identify evidence

What is Cybercrime?

Any crime that involves a computer system and a network. The computer may have been used in the commission of a crime, or it may be the target.
(Wikipedia, "Cybercrime")

Examples of Cybercrime

- Web defacement
- Unauthorized network access
- Cyber-stalking
- Internet fraud
- Harassment
- Illegal data black market
- Terrorist activities
- Political activities
- Identity theft
- Child pornography
- Interception and fabrication of e-mails
- Theft of passwords
- Drug trafficking

Who are the Perpetrators?

Not just hackers:
- Companies seeking competitors' trade secrets
- Terrorists
- Pedophiles / consumers of pornography
- Disgruntled employees
- Accidental criminals

The Internet should be viewed as another medium in which criminals can conduct illegal acts.

The Victims

- Nations
- Governments
- Companies
- Individuals
- Society

Cybercrime Methods

Technical
- Hacking & cracking
- Coding: malware, bots, fake websites

Non-technical
- Phishing
- Social engineering

Cybercrime Cases in Indonesia

Illegal pornographic content
Hundreds of pornographic items produced in Indonesia, ready to be downloaded.

Web defacement
Dozens of Indonesian websites are defaced by Indonesian hackers every day.

Fraud
Online FOREX, business transactions, card skimmers.

Terrorism
Spreading terror through the Internet.

How to Handle It?

- Educate society with cybercrime awareness
- Educate law enforcement with digital forensic awareness

What is Digital Forensics?

The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.
Source: Digital Forensic Research Workshop (DFRWS), 2001

The Digital Evidence


Any probative information stored or transmitted in digital form that a party to a court case may use at trial.

Sources of Digital Evidence

Every electronic device that might store digital data, including but not limited to:
- PCs / laptops
- PDAs
- Mobile phones
- GPS units
- Digital TV systems
- CCTV
- Other embedded devices

The Process

1. Identification
2. Preservation
3. Collection
4. Examination
5. Analysis
6. Presentation (report)
7. Decision

Investigative Process

Identification: event/crime detection, resolve signature, profile detection
Preservation: case management, imaging technology, chain of custody
Collection: preservation, approved method, approved software, approved hardware, recovery technique
Examination: preservation, traceability, validation technique, filtering technique, pattern filtering
Analysis: preservation, data mining, time-lining
Presentation: documentation, expert witness, statistical interpretation
Decision

The Tools
Hardware

- Hardware write-block device
- PC / laptop
- Portable disk imager
- Cellebrite mobile forensics
- Radio Tactics Aceso
- Paraben Device Seizure
- Micro Systemation XRY/XACT

The Tools
Software

Open source and proprietary. Examples:

- SANS Investigative Forensics Toolkit (SIFT)
- EnCase
- FTK
- PTK Forensics
- The Coroner's Toolkit
- CAINE
- HELIX
- COFEE
- The Sleuth Kit
- Categoriser 4 Pictures
- Paraben P2 Commander
- Open Computer Forensics Architecture
- SafeBack
- Forensic Assistant
- PeerLab
- Stagos FSE

Case
Phase 1: Identification

- Identified that the suspect has a flash disk in his hand.
- Seize the evidence.
- Take a picture of the evidence with a camera.
- Identify the device: lshw, dmesg and lsusb, hwinfo, fdisk, cfdisk
- Write down all the information.

Example

root@bt:~# dmesg | tail
[  498.557433] sd 6:0:0:0: [sdb] Write Protect is off
[  498.557442] sd 6:0:0:0: [sdb] Mode Sense: 03 00 00 00
[  498.558175] sd 6:0:0:0: [sdb] No Caching mode page present
[  498.558183] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[  498.561177] sd 6:0:0:0: [sdb] No Caching mode page present
[  498.561187] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[  498.844887]  sdb: sdb1
[  498.849174] sd 6:0:0:0: [sdb] No Caching mode page present
[  498.849184] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[  498.849191] sd 6:0:0:0: [sdb] Attached SCSI removable disk

root@bt:~# lsusb
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 002: ID 058f:6387 Alcor Micro Corp. Transcend JetFlash Flash Drive
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

root@bt:~# lshw
(only the subtree for the USB disk is shown)
   *-scsi
        physical id: a
        bus info: usb@1:2
        logical name: scsi6
        capabilities: emulated scsi-host
        configuration: driver=usb-storage
      *-disk
           description: SCSI Disk
           physical id: 0.0.0
           bus info: scsi@6:0.0.0
           logical name: /dev/sdb
           size: 2004MiB (2101MB)
           capabilities: partitioned partitioned:dos
         *-volume
              description: Windows FAT volume
              vendor: )o-H]IHC
              physical id: 1
              bus info: scsi@6:0.0.0,1
              logical name: /dev/sdb1
              logical name: /media/KINGSTON
              version: FAT16
              serial: 4ef6-bc26
              size: 2002MiB
              capacity: 2003MiB
              capabilities: primary fat initialized
              configuration: FATs=2 filesystem=fat label=KINGSTON mount.fstype=vfat mount.options=rw,nosuid,nodev,relatime,fmask=0022,dmask=0022,codepage=cp437,iocharset=iso88591,shortname=mixed,utf8,flush,errors=remount-ro state=mounted

Two things in this output belong in the notes. First, lshw shows /dev/sdb1 already mounted read-write at /media/KINGSTON (mount.options=rw ... state=mounted): the desktop automounter attached the volume as soon as it was plugged in, before any write blocker was in place, and a read-write mount can alter the volume. Disable automounting on the examination host, or connect the device through a hardware write blocker, before the evidence is plugged in; the kernel's "Write Protect is off" line confirms the device itself offers no protection. Second, lsusb names the device from the usb.ids database entry for ID 058f:6387 (an Alcor Micro controller, listed as used in Transcend JetFlash drives), while hwinfo below prints the strings the device itself reports (Kingston DataTraverG2, serial 036A2FBB). Record the VID:PID, the reported strings and the serial number together: the database name identifies the controller chip, not necessarily the product.

root@bt:~# hwinfo
51: SCSI 600.0: 10600 Disk
  [Created at block.243]
  UDI: /org/freedesktop/Hal/devices/storage_serial_Kingston_DataTraverG2_036A2FBB_0_0
  Unique ID: cLrx.nKYfTnE4Hz6
  Parent ID: ruGf.BCw9p0wcXuC
  SysFS ID: /class/block/sdb
  SysFS BusID: 6:0:0:0
  SysFS Device Link: /devices/pci0000:00/0000:00:02.1/usb1/1-2/1-2:1.0/host6/target6:0:0/6:0:0:0
  Hardware Class: disk
  Model: "Kingston DataTraverG2"
  Vendor: usb 0x058f "Kingston"
  Device: usb 0x6387 "DataTraverG2"
  Revision: "8.07"
  Serial ID: "036A2FBB"
  Driver: "usb-storage", "sd"
  Driver Modules: "usb_storage"
  Device File: /dev/sdb (/dev/sg2)
  Device Files: /dev/sdb, /dev/block/8:16, /dev/disk/by-id/usb-Kingston_DataTraverG2_036A2FBB-0:0, /dev/disk/by-path/pci-0000:00:02.1-usb-0:2:1.0-scsi-0:0:0:0
  Device Number: block 8:16-8:31 (char 21:2)
  Features: Hotpluggable
  Geometry (Logical): CHS 1018/65/62
  Size: 4104192 sectors a 512 bytes
  Speed: 480 Mbps
  Module Alias: "usb:v058Fp6387d0104dc00dsc00dp00ic08isc06ip50"
  Driver Info #0:
    Driver Status: uas is active
    Driver Activation Cmd: "modprobe uas"
  Driver Info #1:
    Driver Status: usb_storage is active
    Driver Activation Cmd: "modprobe usb_storage"
  Config Status: cfg=new, avail=yes, need=no, active=unknown
  Attached to: #17 (USB Controller)

root@bt:~# fdisk -l /dev/sdb

Disk /dev/sdb: 2101 MB, 2101346304 bytes
58 heads, 57 sectors/track, 1241 cylinders
Units = cylinders of 3306 * 512 = 1692672 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1        1242     2051340    6  FAT16

root@bt:~# sfdisk -l /dev/sdb

Disk /dev/sdb: 1018 cylinders, 65 heads, 62 sectors/track
Warning: The partition table looks like it was made
  for C/H/S=*/58/57 (instead of 1018/65/62).
For this listing I'll assume that geometry.
Units = cylinders of 1692672 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sdb1          0+   1241-   1241-   2051340    6  FAT16
        start: (c,h,s) expected (0,26,31) found (0,24,1)
        end: (c,h,s) expected (1023,57,57) found (1017,57,57)

Phase 2: Preservation

- Time synchronization: record the clock offset (if the disk carries an operating system)
- Start the chain of custody for the evidence
- Clone the device (hardware or software): a disk cloner, or dd / sdd / dcfldd / ddrescue
- Generate a fingerprint of the device with md5sum, sha512sum, etc.
- Generate a fingerprint of all readable data inside the image with md5sum, sha512sum, etc.
- Compare the fingerprint of the device with that of the image file.
- Write down all the information that has been generated.

Example

root@bt:~# dcfldd if=/dev/sdb of=usb_bb.dd bs=512
4104192 blocks (2004Mb) written.
4104192+0 records in
4104192+0 records out
root@bt:~# md5sum /dev/sdb
87a4841adb9475c775e634d82102eef1  /dev/sdb
root@bt:~# md5sum usb_bb.dd
87a4841adb9475c775e634d82102eef1  usb_bb.dd

PoC: Chain of Custody

root@bt:~# split -b 1000m usb_bb.dd split_
root@bt:~# ls
Desktop  split_aa  split_ab  split_ac  usb_bb.dd
root@bt:~# ls -al split_a*
-rw-r--r-- 1 root root 1048576000 2011-05-18 15:57 split_aa
-rw-r--r-- 1 root root 1048576000 2011-05-18 15:57 split_ab
-rw-r--r-- 1 root root    4194304 2011-05-18 15:57 split_ac
root@bt:~# cat split_a* | md5sum
87a4841adb9475c775e634d82102eef1  -

root@bt:~# fdisk -l usb_bb.dd
You must set cylinders.
You can do this from the extra functions menu.

Disk usb_bb.dd: 0 MB, 0 bytes
58 heads, 57 sectors/track, 0 cylinders
Units = cylinders of 3306 * 512 = 1692672 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

     Device Boot      Start         End      Blocks   Id  System
usb_bb.dd1               1        1242     2051340    6  FAT16
Partition 1 has different physical/logical beginnings (non-Linux?):
     phys=(0, 24, 1) logical=(0, 26, 31)
Partition 1 has different physical/logical endings:
     phys=(1017, 57, 57) logical=(1241, 25, 21)

fdisk cannot ask an image file for a drive geometry, hence "You must set cylinders" and the 0 MB size; the partition table itself is read from the image and matches what the device reported.
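Added example (not part of the original slides): the preservation steps above in Python, so that the image digest, the digest of the split parts and a chain-of-custody record are produced and checked by one script. It hashes with MD5 as on the slide and SHA-256 alongside (MD5 collisions are practical, so always record a second digest), emits the custody record as JSON, and then deliberately corrupts one byte of a split part to show the verification failing. The "image" is constructed from pseudo-random bytes, and the device path and examiner name are placeholders. Note that dcfldd can also hash the stream while it copies (its hash= option), which saves one full read of the source.

```python
import hashlib
import json
import os
import random
import tempfile
from datetime import datetime, timezone

ALGOS = ("md5", "sha256")   # md5 as on the slide, plus a stronger digest recorded alongside


def _digest_streams(paths, algos=ALGOS, chunk=1 << 20):
    """Hash the concatenation of the given files, read in order, without joining them on disk."""
    hashes = {a: hashlib.new(a) for a in algos}
    for path in paths:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                for h in hashes.values():
                    h.update(block)
    return {a: h.hexdigest() for a, h in hashes.items()}


def hash_file(path):
    """Equivalent of `md5sum usb_bb.dd` (and sha256sum) in a single pass over the file."""
    return _digest_streams([path])


def split_image(path, part_size, prefix):
    """Like `split -b <part_size> image prefix`; returns the part paths in order."""
    parts = []
    with open(path, "rb") as f:
        for i, block in enumerate(iter(lambda: f.read(part_size), b"")):
            part = "%s%03d" % (prefix, i)
            with open(part, "wb") as out:
                out.write(block)
            parts.append(part)
    return parts


def verify_parts(parts, expected):
    """`cat split_* | md5sum`: the parts, in order, must hash to the recorded image digests."""
    return _digest_streams(parts) == expected


def verify_image(path, expected):
    """`md5sum -c`: recompute and compare every recorded digest."""
    return hash_file(path) == expected


def custody_record(source, image, digests, examiner, tool="dcfldd"):
    """One chain-of-custody entry; append these to a log that travels with the image."""
    return {"source_device": source, "image": image, "tool": tool,
            "examiner": examiner, "digests": digests,
            "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds")}


def demo(workdir, image_size=3 * 1024 * 1024 + 4096, part_size=1024 * 1024):
    """Constructed run: a fake image of pseudo-random bytes (not evidence) is hashed,
    split and verified; then one byte of a part is flipped and verified again.
    Returns (parts_ok_before, parts_ok_after_tamper, custody_record)."""
    image = os.path.join(workdir, "usb_bb.dd")
    rng = random.Random(20110518)
    with open(image, "wb") as f:
        f.write(bytes(rng.getrandbits(8) for _ in range(image_size)))
    digests = hash_file(image)
    record = custody_record("/dev/sdb", image, digests, "examiner-1")   # placeholders
    parts = split_image(image, part_size, os.path.join(workdir, "split_"))
    ok_before = verify_parts(parts, digests) and verify_image(image, digests)
    with open(parts[1], "r+b") as f:          # flip one bit in the second part
        f.seek(10)
        b = f.read(1)
        f.seek(10)
        f.write(bytes([b[0] ^ 0x01]))
    ok_after = verify_parts(parts, digests)
    return ok_before, ok_after, record


def run_demo(**kw):
    """demo() inside a temporary directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d, **kw)


if __name__ == "__main__":
    before, after, rec = run_demo()
    print(json.dumps(rec, indent=2))
    print("parts verify before tamper:", before, "after:", after)
```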

Phase 3: Collection

- Make sure the preservation phase has been done first!
- Prepare the write blocker (hardware or software).
- Analyze the image file; DO NOT touch the real device (the evidence).
- Mount the image read-only behind the write blocker and with noatime, so access times are not updated.
- Generate a fingerprint for every readable file with md5sum, sha512sum, etc.
- Try to recover deleted files: TestDisk, TSK, Autopsy, SMART, FTK
- Build a timeline.
- Write down all activity in a temporary report.

Example

root@bt:~# fdisk -ul usb_bb.dd
You must set cylinders.
You can do this from the extra functions menu.

Disk usb_bb.dd: 0 MB, 0 bytes
58 heads, 57 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

     Device Boot      Start         End      Blocks   Id  System
usb_bb.dd1            1512     4104191     2051340    6  FAT16
Partition 1 has different physical/logical beginnings (non-Linux?):
     phys=(0, 24, 1) logical=(0, 26, 31)
Partition 1 has different physical/logical endings:
     phys=(1017, 57, 57) logical=(1241, 25, 21)

With -u the partition start is printed in sectors (1512); the mount offset is that start times the 512-byte sector size: 1512 * 512 = 774144.

root@bt:~# mount -o loop,ro,noatime,noexec,offset=774144 -t vfat usb_bb.dd /mnt/
root@bt:~# ls /mnt/
DAFTAR PERUSAHAAN.xlsx
FORM.doc
kuis_uas_kal1_2010.doc
MATERI PELATIHAN PENULISAN PROPOSAL DAN MANAJEMEN RISET - LPPM UGM - 3-5 NOVEMBER 2010
PENYEMPURNAAN_SOP
PHKI sem ganjil
RECYCLER
SOALuts-gnp_06.doc

The RECYCLER directory is the Windows recycle bin for this volume; it is worth examining in its own right, since files "deleted" from Explorer are moved there before they are removed.
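The offset passed to mount above is the partition's first sector from fdisk -ul (1512) multiplied by the 512-byte sector size. The following is an added example, not code from the original slides: it reads the DOS partition table directly from sector 0 of an image and derives the byte offset for mount, independent of fdisk's geometry complaints ("You must set cylinders"). The sample sector 0 is constructed inline to carry the same values the slide's disk reported (type 6, start 1512, 2051340 blocks, the CHS values from sfdisk); it is not evidence data.

```python
import struct

SECTOR_SIZE = 512
# A few common MBR partition type IDs (the slide's disk reports Id 6).
PARTITION_TYPES = {0x06: "FAT16", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x07: "NTFS/exFAT", 0x83: "Linux"}


def parse_mbr(sector0: bytes, sector_size: int = SECTOR_SIZE) -> list:
    """Parse the four primary entries of a DOS/MBR partition table.

    Each 16-byte entry at offset 446: boot flag, CHS start (3 bytes, ignored),
    type ID, CHS end (3 bytes, ignored), LBA start, sector count. Returns one
    dict per used slot, including the byte offset that `mount -o loop,offset=` needs.
    """
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not a DOS partition table")
    parts = []
    for slot in range(4):
        boot, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", sector0, 446 + 16 * slot)
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({
            "index": slot + 1,
            "bootable": boot == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02x)" % ptype),
            "start_sector": start,
            "end_sector": start + count - 1,
            "sectors": count,
            "blocks_1k": count * sector_size // 1024,   # fdisk's "Blocks" column
            "offset": start * sector_size,              # value for mount -o offset=
        })
    return parts


def parse_image(path: str) -> list:
    """Read sector 0 of an image file and parse its partition table."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(SECTOR_SIZE))


def mount_command(image: str, part: dict, mountpoint: str = "/mnt/") -> str:
    """Read-only loop mount line for one partition (explicit fstype for FAT IDs only)."""
    fstype = {0x06: "vfat", 0x0B: "vfat", 0x0C: "vfat"}.get(part["type"], "auto")
    return ("mount -o loop,ro,noatime,noexec,offset=%d -t %s %s %s"
            % (part["offset"], fstype, image, mountpoint))


def sample_sector0() -> bytes:
    """Constructed sector 0 (not evidence data) mirroring the slide's values:
    one FAT16 entry, LBA start 1512, 4102680 sectors, CHS start (0,24,1)
    and CHS end (1017,57,57) as sfdisk reported them."""
    entry = struct.pack("<B3sB3sII",
                        0x00, b"\x18\x01\x00",      # not bootable, CHS start
                        0x06, b"\x39\xF9\xF9",      # FAT16, CHS end
                        1512, 4102680)
    return b"\x00" * 446 + entry + b"\x00" * 48 + b"\x55\xAA"


if __name__ == "__main__":
    for p in parse_mbr(sample_sector0()):
        print("part %(index)d: %(type_name)s sectors %(start_sector)d-%(end_sector)d"
              " (%(blocks_1k)d blocks), mount offset %(offset)d" % p)
        print(mount_command("usb_bb.dd", p))
```

For a real image, parse_image("usb_bb.dd") reads sector 0 from the file; the offset it returns is what the slide's mount line uses.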

root@bt:~# find /mnt/ -exec md5sum {} \;
md5sum: /mnt/PENYEMPURNAAN_SOP/SOP/ADAK_OK/tambahan: Is a directory
952f7e5052be781ca04429ed991f1237  /mnt/PENYEMPURNAAN_SOP/SOP/ADAK_OK/tambahan/SP-AKM-AA11.doc
56b450ae59588afe095996ef38ee4b40  /mnt/PENYEMPURNAAN_SOP/SOP/ADAK_OK/tambahan/SP-AKM-AA14.doc
md5sum: /mnt/PENYEMPURNAAN_SOP/SOP/ASET_OK: Is a directory
611376fefc4e2862608cfa46496997d3  /mnt/PENYEMPURNAAN_SOP/SOP/ASET_OK/SP-AKM-AS-01.doc
902099bae63d874a15ebdd0f5271a2d7  /mnt/PENYEMPURNAAN_SOP/SOP/ASET_OK/SP-AKM-AS-02.doc
6d9d33846b49c47134e20b8d6ba58619  /mnt/PENYEMPURNAAN_SOP/SOP/ASET_OK/SP-AKM-AS-03.doc
21b58b03daa3e88abfa17f36d3f7f9fe  /mnt/PENYEMPURNAAN_SOP/SOP/ASET_OK/SP-AKM-AS-04.doc
170851dbb2cad15bf912f698def83d4b  /mnt/PENYEMPURNAAN_SOP/SOP/ASET_OK/SP-AKM-AS-05.doc
0b69a1331573a183c54c097c2b7b418a  /mnt/PENYEMPURNAAN_SOP/SOP/ASET_OK/SP-AKM-AS-06.doc
ff3b1e1d05f518c6d53c61994dd4a956  /mnt/PENYEMPURNAAN_SOP/SOP/ASET_OK/SP-AKM-AS-07.doc
47e70527880793a9c21ac1b6ea8bcd5c  /mnt/PENYEMPURNAAN_SOP/SOP/ASET_OK/SP-AKM-AS-08.doc
e790acac43338b345186c06984e61bb4  /mnt/PENYEMPURNAAN_SOP/SOP/ASET_OK/SP-AKM-AS-09.doc

(The "Is a directory" lines are find handing directories to md5sum; restricting the find to regular files with -type f avoids them. Save the list to a file: it is the fingerprint of all readable data that the preservation phase calls for.)

List all data (allocated and unallocated)

root@bt:~# fls -f fat16 -i raw -o 1512 -m / -r usb_bb.dd > data_usb
root@bt:~# grep '(deleted)' data_usb | more
0|/trz7D55.tmp (deleted)|101|r/rrwxrwxrwx|0|0|161|1300554000|1300569492|0|1300597503
0|/trz81C0.tmp (deleted)|103|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300597504
0|/trz7E41.tmp (deleted)|105|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300597503
0|/trz7EBF.tmp (deleted)|107|r/rrwxrwxrwx|0|0|161|1300554000|1300569492|0|1300597504
0|/trz821E.tmp (deleted)|109|r/rrwxrwxrwx|0|0|161|1300554000|1300569492|0|1300597504
0|/zlK.lnk (deleted)|111|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300569510
0|/_br.lnk (deleted)|112|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300569510
0|/zmV.lnk (deleted)|114|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300569510
0|/_P (deleted)|115|d/drwxrwxrwx|0|0|32768|1300554000|1300569706|0|1300569705

fls is given the partition's sector offset (-o 1512) inside the raw image (-i raw), walks the tree recursively (-r) and writes TSK body format (-m /), one line per entry: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, with timestamps as Unix epoch seconds and 0 where the filesystem has no such stamp. The pattern must be quoted for grep, since bare parentheses are a shell syntax error.
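The body-format lines above are the input to timelining (the "Build timeline" step, and Phase 5 below). As an added example that is not from the slides, the script below parses them into a mactime-style timeline: one row per timestamp and entry, a "macb" column marking which of the modified/accessed/changed/born stamps hit that second, and deleted entries flagged. Its input is the nine fls lines from the slide. One detail worth writing down: every atime is 1300554000, which is 17:00:00 UTC, i.e. midnight in a UTC+7 zone. FAT keeps only a date for last access, and fls converts that date using the time zone of the analysis host, so the host's TZ (and the seized system's, if known) belongs next to the timeline, which is what the time-synchronization item in Phase 2 is about.

```python
from collections import namedtuple
from datetime import datetime, timezone

# The nine deleted entries exactly as fls -m printed them on the slide
# (TSK body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime).
SAMPLE_BODY = """\
0|/trz7D55.tmp (deleted)|101|r/rrwxrwxrwx|0|0|161|1300554000|1300569492|0|1300597503
0|/trz81C0.tmp (deleted)|103|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300597504
0|/trz7E41.tmp (deleted)|105|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300597503
0|/trz7EBF.tmp (deleted)|107|r/rrwxrwxrwx|0|0|161|1300554000|1300569492|0|1300597504
0|/trz821E.tmp (deleted)|109|r/rrwxrwxrwx|0|0|161|1300554000|1300569492|0|1300597504
0|/zlK.lnk (deleted)|111|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300569510
0|/_br.lnk (deleted)|112|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300569510
0|/zmV.lnk (deleted)|114|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300569510
0|/_P (deleted)|115|d/drwxrwxrwx|0|0|32768|1300554000|1300569706|0|1300569705
"""

Entry = namedtuple("Entry", "name deleted inode mode size times")
Row = namedtuple("Row", "ts macb size inode name deleted")


def parse_body(text):
    """Parse TSK body-format lines into Entry records (zero timestamps kept as 0)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError("expected 11 fields, got %d: %r" % (len(fields), line))
        _md5, name, inode, mode, _uid, _gid, size, atime, mtime, ctime, crtime = fields
        deleted = name.endswith(" (deleted)")
        if deleted:
            name = name[:-len(" (deleted)")]
        entries.append(Entry(name, deleted, inode, mode, int(size),
                             {"m": int(mtime), "a": int(atime),
                              "c": int(ctime), "b": int(crtime)}))
    return entries


def build_timeline(entries):
    """mactime-style rows, one per (timestamp, inode), sorted by time. The 'macb'
    column marks which stamps equal that time; zero stamps are dropped."""
    rows = {}
    for e in entries:
        for flag, ts in e.times.items():
            if ts == 0:
                continue
            rows.setdefault((ts, e.inode), [set(), e])[0].add(flag)
    out = []
    for (ts, inode), (flags, e) in sorted(rows.items()):
        macb = "".join(f if f in flags else "." for f in "macb")
        out.append(Row(ts, macb, e.size, inode, e.name, e.deleted))
    return out


def fmt_utc(ts):
    """Epoch seconds to an unambiguous UTC string (avoid the host's local zone)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def render(rows):
    return ["%s UTC  %s  %8d  %4s  %s%s" % (fmt_utc(r.ts), r.macb, r.size, r.inode,
                                           r.name, " (deleted)" if r.deleted else "")
            for r in rows]


if __name__ == "__main__":
    print("\n".join(render(build_timeline(parse_body(SAMPLE_BODY)))))
```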

List by file type

Output of file(1) for the documents on the mounted image (excerpt):

/mnt/PENYEMPURNAAN_SOP/SOP/SDM_OK/SP-AKM-SD-10.doc: CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Kode, Author: Your User Name, Template: SOP AKAKOM -template.dotx, Last Saved By: attuna, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Sat Dec 11 00:47:00 2010, Last Saved Time/Date: Sat Dec 11 00:47:00 2010, Number of Pages: 6, Number of Words: 636, Number of Characters: 3627, Security: 0
/mnt/PENYEMPURNAAN_SOP/SOP/SDM_OK/SP-AKM-SD-11.doc: CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Kode, Author: Your User Name, Template: SOP AKAKOM -template.dotx, Last Saved By: attuna, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Sat Dec 11 01:03:00 2010, Last Saved Time/Date: Sat Dec 11 01:03:00 2010, Number of Pages: 4, Number of Words: 417, Number of Characters: 2380, Security: 0
/mnt/PENYEMPURNAAN_SOP/SOP/SDM_OK/SP-AKM-SD-12.doc: CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Kode, Author: Your User Name, Template: SOP AKAKOM -template.dotx, Last Saved By: attuna, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Sat Dec 11 01:01:00 2010, Last Saved Time/Date: Sat Dec 11 01:01:00 2010, Number of Pages: 4, Number of Words: 464, Number of Characters: 2649, Security: 0
/mnt/PENYEMPURNAAN_SOP/SOP/SDM_OK/SP-AKM-SD-13.doc: CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Kode, Author: Your User Name, Template: SOP AKAKOM -template.dotx, Last Saved By: attuna, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 07:00, Create Time/Date: Sat Dec 11 21:33:00 2010, Last Saved Time/Date: Sat Dec 11 21:33:00 2010, Number of Pages: 5, Number of Words: 728, Number of Characters: 4152, Security: 0
/mnt/PENYEMPURNAAN_SOP/SOP/SDM_OK/SP-AKM-SD-14.doc: CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Kode, Author: Your User Name, Template: SOP AKAKOM -template.dotx, Last Saved By: attuna, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Sat Dec 11 21:41:00 2010, Last Saved Time/Date: Sat Dec 11 21:41:00 2010, Number of Pages: 4, Number of Words: 438, Number of Characters: 2502, Security: 0
/mnt/DAFTAR PERUSAHAAN.xlsx: Zip archive data, at least v2.0 to extract

The author, "Last Saved By" and creation/save times come from the document's own OLE metadata. They are written by the application and easily edited, so treat them as leads to corroborate against the filesystem timestamps rather than as proof. Note also that the .xlsx is identified as a ZIP container: its text is compressed and will not show up in a byte-wise keyword search of the image.

File Recovery

Demo: TestDisk
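The deleted entries listed by fls (trz7D55.tmp and the others, 161 bytes each) are FAT directory entries whose first name byte was overwritten with 0xE5 when the file was deleted; the rest of the 32-byte entry, including size, first cluster and timestamps, survives, which is what TestDisk and TSK rely on to bring the file back as long as its clusters have not been reused. The following is an added example, not from the slides and not the TestDisk algorithm: it parses raw FAT directory entries, decodes the DOS date/time fields (including the date-only last-access stamp, which is why the fls atimes above all fall on midnight), and carves a deleted file's content from the data region under the assumption that the file was stored in contiguous clusters. Long-file-name entries are skipped, so the lost first character is shown as "_". The root directory and data region are constructed inline and are not evidence data.

```python
import struct
from datetime import datetime

ATTR_DIRECTORY, ATTR_LFN = 0x10, 0x0F
CLUSTER = 512                      # cluster size of the constructed sample volume


def dos_datetime(date, time_=0, tenths=0):
    """Decode FAT date (and optional time) words into a naive datetime.
    FAT stores local time with no zone information; date 0 means 'not set'."""
    if date == 0:
        return None
    day, month, year = date & 0x1F, (date >> 5) & 0x0F, 1980 + (date >> 9)
    sec = (time_ & 0x1F) * 2 + tenths // 100
    minute, hour = (time_ >> 5) & 0x3F, time_ >> 11
    return datetime(year, month, day, hour, minute, sec)


def parse_dir_entries(raw):
    """Walk 32-byte FAT directory entries. A deleted entry keeps everything except
    its first name byte (overwritten with 0xE5), rendered here as '_'."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:
            break                           # no entries beyond this point
        attr = e[11]
        if attr == ATTR_LFN:
            continue                        # long-file-name slice, not handled here
        deleted = e[0] == 0xE5
        short = (b"_" if deleted else e[:1]) + e[1:8]
        base = short.decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        (ctenth, ctime, cdate, adate, clus_hi,
         wtime, wdate, clus_lo, size) = struct.unpack_from("<BHHHHHHHI", e, 13)
        entries.append({
            "name": base + ("." + ext if ext else ""),
            "deleted": deleted,
            "is_dir": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (clus_hi << 16) | clus_lo,   # clus_hi is 0 on FAT16
            "size": size,
            "created": dos_datetime(cdate, ctime, ctenth),
            "modified": dos_datetime(wdate, wtime),
            "accessed": dos_datetime(adate),               # date only, hence midnight
        })
    return entries


def carve(image, data_offset, cluster_size, entry):
    """Recover a file's bytes from its first cluster, assuming contiguous clusters
    (cluster numbering starts at 2) that have not been overwritten."""
    start = data_offset + (entry["first_cluster"] - 2) * cluster_size
    return image[start:start + entry["size"]]


def make_entry(name, ext, attr, cluster, size, wdate, wtime, adate, deleted=False):
    """Pack one constructed directory entry (helper for the sample volume only)."""
    first = b"\xE5" if deleted else name[:1]
    return (first + name[1:].ljust(7) + ext.ljust(3) + bytes([attr]) + b"\x00"
            + struct.pack("<BHHHHHHHI", 0, wtime, wdate, adate, cluster >> 16,
                          wtime, wdate, cluster & 0xFFFF, size))


DATE_2011_03_20 = (2011 - 1980) << 9 | 3 << 5 | 20
TIME_04_18_12 = 4 << 11 | 18 << 5 | 12 // 2
DELETED_CONTENT = b"draft contract text, 161 bytes long".ljust(161, b".")


def sample_volume():
    """Constructed root directory and data region (not evidence). Cluster 2 holds a
    live file, cluster 3 the content of a deleted file whose entry still points at it."""
    root = (make_entry(b"REPORT", b"DOC", 0x20, 2, 40,
                       DATE_2011_03_20, TIME_04_18_12, DATE_2011_03_20)
            + make_entry(b"TRZ7D55", b"TMP", 0x20, 3, len(DELETED_CONTENT),
                         DATE_2011_03_20, TIME_04_18_12, DATE_2011_03_20, deleted=True)
            + b"\x00" * 32)
    data = b"live report ".ljust(CLUSTER, b"\x00") + DELETED_CONTENT.ljust(CLUSTER, b"\x00")
    return root, data


if __name__ == "__main__":
    root, data = sample_volume()
    for ent in parse_dir_entries(root):
        print(ent)
        if ent["deleted"] and not ent["is_dir"]:
            print("recovered:", carve(data, 0, CLUSTER, ent))
```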

Phase 4: Examination

- Don't forget the preservation phase!
- Identify data related to the case: strings, files
- Use forensic tools to help the examination: TSK, EnCase, PTK, FTK, etc.
- Search for hidden data: steganography, encrypted data
- Write down all data found in the temporary report

Example

Test the chain of custody (the image must still hash as recorded):
root@bt:~# md5sum usb_bb.dd > md5usb
root@bt:~# md5sum -c md5usb
usb_bb.dd: OK

Search for related keywords (one keyword per line in keywords_list; -f reads the patterns from that file, -i ignores case, -a treats the image as text, -b prints the byte offset):
root@bt:~# pico keywords_list
root@bt:~# grep -abif keywords_list usb_bb.dd > hits.txt
root@bt:~# cat hits.txt | more
21267045: Kota SLT: dikan ______________________________________________________________________________ Tahun Lulusinggi:IPLOMA ___________________3 (lingkari jawaban yg dipilih)_________ Ingin Meb.mar paNama Perusahaanr: (urut ____________________________n : pada posisi : _______________________ acc.akakom.ac.ida :_____ )bagi Penyelenggara :an/saudara________( Radio/TV_____( Perguruan Tinggi______________ nya jika telah mengisi Formulir Data Pengunjung J
21369790:

Go to the byte offset:
root@bt:~# xxd -s 21267045 usb_bb.dd | more
1449005: 6e67 093a 0944 4950 4c4f 4d41 2020 2f20  ng.:.DIPLOMA  /
1449015: 2053 3120 202f 2020 5332 2020 2f20 2053   S1  /  S2  /  S
1449025: 3320 2020 286c 696e 676b 6172 6920 6a61  3   (lingkari ja
1449035: 7761 6261 6e20 7967 2064 6970 696c 6968  waban yg dipilih
1449045: 290d 5461 6875 6e20 4c75 6c75 7309 3a09  ).Tahun Lulus.:.
1449055: 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f  ________________
1449065: 5f5f 5f0d 0808 2873 6562 616c 696b 6e79  ___...(sebalikny
1449075: 6120 2020 2820 2029 0d08 0d0d 0854 494b  a   (  ).....TIK
1449085: 4554 2054 414e 4441 204d 4153 554b 0d50  ET TANDA MASUK.P
1449095: 454e 4755 4e4a 554e 4720 414b 414b 4f4d  ENGUNJUNG AKAKOM
14490a5: 2043 4152 4545 5220 4441 5953 2032 3031   CAREER DAYS 201
14490b5: 310d 0d4e 616d 6120 093a 095f 5f5f 5f5f  1..Nama .:._____
14490c5: 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f  ________________
14490d5: 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f  ________________
14490e5: 5f5f 5f5f 5f5f 5f5f 5f5f 5f0d 0853 7461  ___________..Sta
14490f5: 7475 7309 3a09 5065 6e67 756e 6a75 6e67  tus.:.Pengunjung
1449105: 2050 656e 6361 7269 204b 6572 6a61 0d0d   Pencari Kerja..
1449115: 0d0d 0d0d 0d4b 4152 4952 2044 414e 2050  .....KARIR DAN P
1449125: 454b 4552 4a41 414e 0d53 7461 7475 7320  EKERJAAN.Status
1449135: 4b65 726a 6109 3a0d 0928 2020 4265 6c75  Kerja.:..(  Belu
1449145: 6d20 5065 726e 6168 2042 656b 6572 6a61  m Pernah Bekerja
1449155: 0920 2863 6f6e 7472 656e 6720 206a 6177  . (contreng  jaw
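Two caveats on the keyword step above. grep -b reports the offset of the start of the matching "line", and in a raw image a "line" runs from one newline byte to the next, so the offset can be well before the keyword; grep -abo prints the offset of the match itself. And a byte-wise search only finds text stored as plain 8-bit characters: strings in .lnk files, the registry and many other Windows structures are UTF-16LE, and the contents of the .xlsx seen earlier sit inside a ZIP container, so neither is matched by searching for ASCII keywords. The following added example, not from the original slides, performs the search in Python over the raw image in both encodings, carries the tail of each chunk into the next so a keyword split across two reads is still found, and prints an xxd-style dump at each hit. Its input is a constructed byte string with the keywords placed at known offsets, not evidence data.

```python
import io
import re

ENCODINGS = ("latin-1", "utf-16le")   # 8-bit text, and the UTF-16LE used by Windows structures


def compile_patterns(keywords):
    """One case-insensitive byte regex per (keyword, encoding), built per character
    so that case folding works for UTF-16LE as well as for 8-bit text."""
    pats = []
    for kw in keywords:
        for enc in ENCODINGS:
            pieces = []
            for ch in kw:
                alts = sorted({ch.lower(), ch.upper()})
                pieces.append(b"(?:" + b"|".join(re.escape(a.encode(enc)) for a in alts) + b")")
            pats.append((kw, enc, re.compile(b"".join(pieces), re.DOTALL)))
    return pats


def search_keywords(stream, keywords, chunk_size=1 << 20):
    """Scan a binary stream for the keywords; returns sorted (offset, keyword, encoding).
    The last (longest pattern - 1) bytes of each chunk are carried into the next read,
    so a match straddling a chunk border is still found, and found only once."""
    pats = compile_patterns(keywords)
    carry_len = max(len(kw.encode("utf-16le")) for kw in keywords) - 1
    hits, carry, pos = [], b"", 0
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        buf = carry + data
        base = pos - len(carry)           # absolute offset of buf[0]
        for kw, enc, pat in pats:
            for m in pat.finditer(buf):
                if m.end() > len(carry):  # matches wholly inside the carry were reported already
                    hits.append((base + m.start(), kw, enc))
        pos += len(data)
        carry = buf[-carry_len:] if carry_len > 0 else b""
    return sorted(hits)


def hexdump(stream, offset, length=64, width=16):
    """xxd-style lines starting at `offset` (the equivalent of `xxd -s <offset>`)."""
    stream.seek(offset)
    data = stream.read(length)
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x: %-*s %s" % (offset + i, width * 5 // 2, hexpart, text))
    return lines


def sample_image(boundary=64):
    """Constructed bytes (not evidence): 'Pengunjung' straddling a chunk border at
    `boundary`, and 'AKAKOM' stored as UTF-16LE further on."""
    return (b"\x00" * (boundary - 3) + b"Pengunjung" + b"\x00" * 20
            + "AKAKOM".encode("utf-16le") + b"\x00" * 10)


def open_sample():
    return io.BytesIO(sample_image())


if __name__ == "__main__":
    img = open_sample()
    for off, kw, enc in search_keywords(img, ["pengunjung", "akakom"], chunk_size=64):
        print("%d: %s (%s)" % (off, kw, enc))
        print("\n".join(hexdump(img, off, 32)))
```

For a real image, open the .dd file in binary mode and pass it as the stream; the default 1 MiB chunk keeps memory flat regardless of image size, and the offsets returned are what xxd -s expects.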

Phase 5: Analysis

- Preservation phase again: verify the image hash before and after
- Timelining (timeline analysis)
- Compare all the data gathered with computer knowledge and the crime (the case)
- Analyze: search for the relations!
- Follow the investigator's instinct
- Write down every piece of information found

Phase 6: Presentation

- Compile all the documentation that has been made
- Act as an expert witness: explain in detail, with all the knowledge that was used when analyzing the evidence

Any Question ?

mrp.bpp@gmail.com

Opening Batch II

IS2C Information Security Course

What you will learn in this course: from information security audit to computer forensics, with more than 90 topics in 2 months.
For more information and registration please send an e-mail to: pendaftaran@is2c-dojo.com
Phone/SMS: 085255424164
