Mada R Perdhana
About Me
- Information Security Researcher at STMIK AKAKOM Jogjakarta
- Senior Trainer at IS2C
- Chief Security Strategist at Spentera Technology
- Computer/Digital Forensic Practitioner, Trainer and Consultant
- Blogger at http://infosecnewbie.blogspot.com
- Book writer, Harmless Hacking: Malware Analysis dan Vulnerability Development
Linkedin : http://id.linkedin.com/in/mrpbpp
Objectives
- To provide a general awareness of cybercrime
- To understand cybercrime methods
- To identify Internet crime
- To understand the forensic method
- To identify evidence
What is Cybercrime ?
Any crime that involves a computer system and a network. The computer may have been used in the commission of a crime, or it may be the target.
(Wikipedia, "Cybercrime")
Examples of Cybercrime
- Web defacement
- Unauthorized network access
- Cyber-stalking
- Internet fraud
- Harassment
- Illegal data black market
- Terrorist activities
- Political activities
- Identity theft
- Child pornography
- Interception and fabrication of e-mails
- Theft of passwords
- Drug trafficking
Not just hackers:
- Companies seeking competitors' trade secrets
- Terrorists
- Pedophiles / consumers of illegal pornography
- Disgruntled employees
- Accidental criminals
The Internet should be viewed as another medium in which criminals can conduct illegal acts.
The Victims
Cybercrime Method
Technical
Non-technical
Web defacement
Dozens of Indonesian websites are defaced by Indonesian hackers every day.
Fraud
Online forex schemes, business transactions, card skimmers
Terrorist
How to Handle ?
- Educate society with cybercrime awareness
- Educate law enforcement with digital forensic awareness
- PCs / laptops
- PDAs
- Mobile phones
- GPS
- Digital TV systems
- CCTV
- Other embedded devices
The Process
Identification -> Preservation -> Collection -> Examination -> Analysis -> Presentation (Report) -> Decision
Investigative Process
The phases and their sub-activities (this is the DFRWS 2001 investigative process model):
- Identification: Event/Crime Detection; Resolve Signature; Profile Detection
- Preservation: Case Management; Imaging Technology; Chain of Custody
- Collection: Preservation; Approved Method; Approved Software; Approved Hardware; Recovery Technique
- Examination: Preservation; Traceability; Validation Technique; Filtering Technique; Pattern Filtering
- Analysis: Preservation; Data Mining; Time-lining
- Presentation: Documentation; Expert Witness; Statistical Interpretation
- Decision
The Tools
Hardware
- Hardware write-block device
- PC / laptop
- Portable disk imager
- Cellebrite Mobile Forensics
- Radio Tactics Aceso
- Paraben Device Seizure
- MicroSystemation XRY/XACT
The Tools
Software
- Open source
- Proprietary
Example
- SANS Investigative Forensics Toolkit (SIFT)
- EnCase
- FTK
- PTK Forensics
- The Coroner's Toolkit
- CAINE
- HELIX
- COFEE
- The Sleuth Kit
- Categoriser 4 Pictures
- Paraben P2 Commander
- Open Computer Forensics Architecture
- SafeBack
- Forensic Assistant
- PeerLab
- Stagos FSE
Case
Phase 1 Identification
- Identify that the suspect has a flash disk in his hand
- Seize the evidence
- Take a picture of the evidence with a camera
- Identify the device
Example
    root@bt:~# dmesg | tail
    [  498.557433] sd 6:0:0:0: [sdb] Write Protect is off
    [  498.557442] sd 6:0:0:0: [sdb] Mode Sense: 03 00 00 00
    [  498.558175] sd 6:0:0:0: [sdb] No Caching mode page present
    [  498.558183] sd 6:0:0:0: [sdb] Assuming drive cache: write through
    [  498.561177] sd 6:0:0:0: [sdb] No Caching mode page present
    [  498.561187] sd 6:0:0:0: [sdb] Assuming drive cache: write through
    [  498.844887]  sdb: sdb1
    [  498.849174] sd 6:0:0:0: [sdb] No Caching mode page present
    [  498.849184] sd 6:0:0:0: [sdb] Assuming drive cache: write through
    [  498.849191] sd 6:0:0:0: [sdb] Attached SCSI removable disk

    root@bt:~# lsusb
    Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
    Bus 001 Device 002: ID 058f:6387 Alcor Micro Corp. Transcend JetFlash Flash Drive
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

    root@bt:~# lshw
    (USB storage branch only)
       *-scsi
            physical id: a
            bus info: usb@1:2
            logical name: scsi6
            capabilities: emulated scsi-host
            configuration: driver=usb-storage
          *-disk
               description: SCSI Disk
               physical id: 0.0.0
               bus info: scsi@6:0.0.0
               logical name: /dev/sdb
               size: 2004MiB (2101MB)
               capabilities: partitioned partitioned:dos
             *-volume
                  description: Windows FAT volume
                  vendor: )o-H]IHC
                  physical id: 1
                  bus info: scsi@6:0.0.0,1
                  logical name: /dev/sdb1
                  logical name: /media/KINGSTON
                  version: FAT16
                  serial: 4ef6-bc26
                  size: 2002MiB
                  capacity: 2003MiB
                  capabilities: primary fat initialized
                  configuration: FATs=2 filesystem=fat label=KINGSTON mount.fstype=vfat mount.options=rw,nosuid,nodev,relatime,fmask=0022,dmask=0022,codepage=cp437,iocharset=iso88591,shortname=mixed,utf8,flush,errors=remount-ro state=mounted

Two details in this output matter for preservation. "Write Protect is off" means the kernel sees a writable device, and "state=mounted" together with "mount.options=rw,...,relatime" means the desktop auto-mounted the volume read-write before any image was taken, so access times or other metadata on the stick may already have changed. On a real examination the device goes behind a hardware write blocker (or the auto-mounter is disabled and the device is never mounted) before it is identified, and the fact that it was mounted read-write here belongs in the chain-of-custody notes.
    root@bt:~# hwinfo
    51: SCSI 600.0: 10600 Disk
      [Created at block.243]
      UDI: /org/freedesktop/Hal/devices/storage_serial_Kingston_DataTraverG2_036A2FBB_0_0
      Unique ID: cLrx.nKYfTnE4Hz6
      Parent ID: ruGf.BCw9p0wcXuC
      SysFS ID: /class/block/sdb
      SysFS BusID: 6:0:0:0
      SysFS Device Link: /devices/pci0000:00/0000:00:02.1/usb1/1-2/1-2:1.0/host6/target6:0:0/6:0:0:0
      Hardware Class: disk
      Model: "Kingston DataTraverG2"
      Vendor: usb 0x058f "Kingston"
      Device: usb 0x6387 "DataTraverG2"
      Revision: "8.07"
      Serial ID: "036A2FBB"
      Driver: "usb-storage", "sd"
      Driver Modules: "usb_storage"
      Device File: /dev/sdb (/dev/sg2)
      Device Files: /dev/sdb, /dev/block/8:16, /dev/disk/by-id/usb-Kingston_DataTraverG2_036A2FBB-0:0, /dev/disk/by-path/pci-0000:00:02.1-usb-0:2:1.0-scsi-0:0:0:0
      Device Number: block 8:16-8:31 (char 21:2)
      Features: Hotpluggable
      Geometry (Logical): CHS 1018/65/62
      Size: 4104192 sectors a 512 bytes
      Speed: 480 Mbps
      Module Alias: "usb:v058Fp6387d0104dc00dsc00dp00ic08isc06ip50"
      Driver Info #0:
        Driver Status: uas is active
        Driver Activation Cmd: "modprobe uas"
      Driver Info #1:
        Driver Status: usb_storage is active
        Driver Activation Cmd: "modprobe usb_storage"
      Config Status: cfg=new, avail=yes, need=no, active=unknown
      Attached to: #17 (USB Controller)

Record every identifier this output gives you, because together they tie the physical stick to the image that will be made from it: the USB vendor:product 058f:6387 (which lsusb resolves to the controller maker, Alcor Micro, while the device's own descriptor strings say Kingston DataTraverG2), the USB serial 036A2FBB, the size of 4104192 sectors of 512 bytes (2101346304 bytes, the figure fdisk and the imaging tool must agree with), and the filesystem serial 4ef6-bc26 and label KINGSTON reported by lshw.
    root@bt:~# fdisk -l /dev/sdb

    Disk /dev/sdb: 2101 MB, 2101346304 bytes
    58 heads, 57 sectors/track, 1241 cylinders
    Units = cylinders of 3306 * 512 = 1692672 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x00000000

       Device Boot      Start         End      Blocks   Id  System
    /dev/sdb1               1        1242     2051340    6  FAT16
    root@bt:~# sfdisk -l /dev/sdb

    Disk /dev/sdb: 1018 cylinders, 65 heads, 62 sectors/track
    Warning: The partition table looks like it was made
      for C/H/S=*/58/57 (instead of 1018/65/62).
    For this listing I'll assume that geometry.
    Units = cylinders of 1692672 bytes, blocks of 1024 bytes, counting from 0

       Device Boot Start     End   #cyls    #blocks   Id  System
    /dev/sdb1          0+   1241-   1241-   2051340    6  FAT16
            start: (c,h,s) expected (0,26,31) found (0,24,1)
            end: (c,h,s) expected (1023,57,57) found (1017,57,57)
Phase 2 Preservation
- Time synchronization (if the disk carries an operating system)
- Chain of custody for the evidence
- Clone (hardware or software): disk cloner, dd / sdd / dcfldd / ddrescue
- Generate a fingerprint of the device using md5sum, sha512sum, etc.
- Generate a fingerprint of all readable data inside the device using md5sum, sha512sum
- Compare the fingerprint of the device with that of the image file
- Write down all the information that has been generated
Example

    root@bt:~# dcfldd if=/dev/sdb of=usb_bb.dd bs=512
    4104192 blocks (2004Mb) written.
    4104192+0 records in
    4104192+0 records out

PoC Chain of Custody

    root@bt:~# md5sum /dev/sdb
    87a4841adb9475c775e634d82102eef1  /dev/sdb
    root@bt:~# md5sum usb_bb.dd
    87a4841adb9475c775e634d82102eef1  usb_bb.dd
    root@bt:~# split -b 1000m usb_bb.dd split_
    root@bt:~# ls
    Desktop  split_aa  split_ab  split_ac  usb_bb.dd
    root@bt:~# ls -al split_a*
    -rw-r--r-- 1 root root 1048576000 2011-05-18 15:57 split_aa
    -rw-r--r-- 1 root root 1048576000 2011-05-18 15:57 split_ab
    -rw-r--r-- 1 root root    4194304 2011-05-18 15:57 split_ac
    root@bt:~# fdisk -l usb_bb.dd
    You must set cylinders.
    You can do this from the extra functions menu.

    Disk usb_bb.dd: 0 MB, 0 bytes
    58 heads, 57 sectors/track, 0 cylinders
    Units = cylinders of 3306 * 512 = 1692672 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x00000000

         Device Boot      Start         End      Blocks   Id  System
    usb_bb.dd1               1        1242     2051340    6  FAT16
    Partition 1 has different physical/logical beginnings (non-Linux?):
         phys=(0, 24, 1) logical=(0, 26, 31)
    Partition 1 has different physical/logical endings:
         phys=(1017, 57, 57) logical=(1241, 25, 21)

fdisk reports "0 MB, 0 bytes" and "0 cylinders" because it cannot query a geometry from a regular file, but the partition table it reads from the image (one FAT16 partition, 2051340 blocks) is the same as the one read from /dev/sdb, which is one more check that the image is complete.
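The preservation steps above (image the device, hash both the device and the image, compare, split the image for transport, write everything down), as an added shell example that is not part of the original slides. It assumes GNU coreutils (dd, md5sum, sha256sum, split) as on the BackTrack system shown; the source, image and log paths are placeholders, and the demo uses a constructed random file in place of /dev/sdb so that it runs without root or hardware. It records two hashes per file because MD5 alone is collision-prone, and it writes a per-piece manifest so that a damaged split file can be pinpointed rather than only detected.

```shell
#!/bin/sh
# Added example (not from the original slides): acquisition with integrity
# checks and a chain-of-custody log. Assumes GNU coreutils. On a real case
# SRC is the write-blocked device (/dev/sdb); the demo uses a constructed file.

md5_of() { md5sum    "$1" | cut -d' ' -f1; }
sha_of() { sha256sum "$1" | cut -d' ' -f1; }

# acquire SRC IMG LOG
# Copy SRC bit-for-bit to IMG with plain dd (no conv=noerror, so a read
# error stops the copy instead of silently zero-filling; for failing media
# use dcfldd or ddrescue). Hash source and image with two algorithms, append
# everything to LOG, and return non-zero if either pair of hashes differs.
acquire() {
  src=$1; img=$2; log=$3
  dd if="$src" of="$img" bs=512 2>/dev/null || return 1
  src_md5=$(md5_of "$src"); img_md5=$(md5_of "$img")
  src_sha=$(sha_of "$src"); img_sha=$(sha_of "$img")
  {
    echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ) examiner=${USER:-unknown}"
    echo "source=$src md5=$src_md5 sha256=$src_sha"
    echo "image=$img md5=$img_md5 sha256=$img_sha"
  } >>"$log"
  [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]
}

# split_image IMG PREFIX SIZE
# Split IMG into SIZE-byte pieces (the slides use split -b 1000m), write a
# manifest IMG.parts.sha256 with one hash per piece, and return non-zero if
# the pieces do not re-concatenate to the hash of IMG.
split_image() {
  img=$1; prefix=$2; size=$3
  split -b "$size" "$img" "$prefix" || return 1
  for part in "$prefix"*; do sha256sum "$part"; done >"$img.parts.sha256"
  [ "$(cat "$prefix"* | sha256sum | cut -d' ' -f1)" = "$(sha_of "$img")" ]
}

# verify_parts MANIFEST: re-check every piece against the manifest
verify_parts() { sha256sum -c "$1" >/dev/null 2>&1; }

# Stand-alone demo on a constructed 1 MiB "device" (random bytes).
demo() {
  work=$(mktemp -d)
  dd if=/dev/urandom of="$work/sdb.bin" bs=1024 count=1024 2>/dev/null
  acquire "$work/sdb.bin" "$work/usb_bb.dd" "$work/custody.log" || { echo "hash mismatch"; return 1; }
  split_image "$work/usb_bb.dd" "$work/split_" 400k || { echo "split mismatch"; return 1; }
  verify_parts "$work/usb_bb.dd.parts.sha256" && cat "$work/custody.log"
  rm -rf "$work"
}
```

Run `demo` to see the log lines; on a real device, call `acquire /dev/sdb usb_bb.dd custody.log` after the write blocker is in place and keep the log with the evidence.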
Phase 3 Collection
- Make sure the preservation phase has been done first!
- Prepare the write blocker (hardware or software)
- Analyze the image file and DO NOT touch the real device (the evidence)
- Mount the image behind the write blocker (hardware or software) and prevent atime updates
- Generate a fingerprint for every readable file using md5sum, sha512sum
- Try to recover deleted files: TestDisk, TSK, Autopsy, SMART, FTK
- Build a timeline
- Write down all activity in a temporary report
Example

    root@bt:~# fdisk -ul usb_bb.dd
    You must set cylinders.
    You can do this from the extra functions menu.

    Disk usb_bb.dd: 0 MB, 0 bytes
    58 heads, 57 sectors/track, 0 cylinders, total 0 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x00000000

         Device Boot      Start         End      Blocks   Id  System
    usb_bb.dd1            1512     4104191     2051340    6  FAT16
    Partition 1 has different physical/logical beginnings (non-Linux?):
         phys=(0, 24, 1) logical=(0, 26, 31)
    Partition 1 has different physical/logical endings:
         phys=(1017, 57, 57) logical=(1241, 25, 21)

    root@bt:~# mount -o loop,ro,noatime,noexec,offset=774144 -t vfat usb_bb.dd /mnt/

With -u fdisk lists the partition in sectors: it starts at sector 1512, so the byte offset mount needs is 1512 * 512 = 774144. loop attaches the image file as a block device, ro refuses writes, noatime stops access-time updates on the mounted files (the software write-block the list above asks for), and noexec keeps anything on the stick from being executed by accident.
root@bt:~# ls /mnt/ DAFTAR PERUSAHAAN.xlsx kuis_uas_kal1_2010.doc PENYEMPURNAAN_SOP RECYCLER SOALuts-gnp_06.doc FORM.doc MATERI PELATIHAN PENULISAN PROPOSAL DAN MANAJEMEN RISET - LPPM UGM - 3-5 NOVEMBER 2010 PHKI sem ganjil
List all data (allocated and unallocated)

    root@bt:~# fls -f fat16 -i raw -o 1512 -m / -r usb_bb.dd > data_usb
    root@bt:~# cat data_usb | grep '(deleted)' | more
    0|/trz7D55.tmp (deleted)|101|r/rrwxrwxrwx|0|0|161|1300554000|1300569492|0|1300597503
    0|/trz81C0.tmp (deleted)|103|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300597504
    0|/trz7E41.tmp (deleted)|105|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300597503
    0|/trz7EBF.tmp (deleted)|107|r/rrwxrwxrwx|0|0|161|1300554000|1300569492|0|1300597504
    0|/trz821E.tmp (deleted)|109|r/rrwxrwxrwx|0|0|161|1300554000|1300569492|0|1300597504
    0|/zlK.lnk (deleted)|111|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300569510
    0|/_br.lnk (deleted)|112|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300569510
    0|/zmV.lnk (deleted)|114|r/rrwxrwxrwx|0|0|161|1300554000|1300569512|0|1300569510
    0|/_P (deleted)|115|d/drwxrwxrwx|0|0|32768|1300554000|1300569706|0|1300569705

(The pattern must be quoted: an unquoted grep (deleted) is a shell syntax error.) -o 1512 is the partition start in sectors, the same value used for the mount offset above; -r recurses into directories; -m / writes the TSK body format, one line per entry: md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime, with the four times as Unix epoch seconds. ctime is 0 because FAT has no change time, and FAT access times have day granularity, which is why every entry shares atime 1300554000 (2011-03-19 17:00:00 UTC, i.e. midnight on 2011-03-20 in UTC+7, consistent with fls interpreting the local-time FAT stamps in an Indonesian timezone). This is the input mactime, or the timeline step listed above, is built from.
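The collection steps listed above (compute the partition offset, filter the deleted entries, build a timeline from the fls body file), as an added shell example that is not part of the original slides. The timestamp conversion is done in portable awk arithmetic (Howard Hinnant's civil-from-days algorithm) so it does not depend on GNU date or gawk's strftime; the sample body lines in the test are the first and last entries from the fls output above plus one constructed non-deleted entry. Caveat: FAT stores local time, so the UTC values printed are only exact once the suspect machine's timezone is known.

```shell
#!/bin/sh
# Added example (not from the original slides): collection-phase helpers.
# part_offset: start sector from "fdisk -ul" -> byte offset for mount -o offset=
# deleted_entries: the deleted-file filter, with the pattern properly quoted
# body_timeline: TSK body file (fls -m) -> sorted timeline with m/a/c/b flags

# part_offset START_SECTOR [SECTOR_SIZE]
part_offset() { echo $(( $1 * ${2:-512} )); }

# deleted_entries BODYFILE
deleted_entries() { grep '(deleted)' "$1"; }

# body_timeline BODYFILE
# Body fields (TSK 3.x): md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
# Output, sorted by time: ISO-8601 UTC|macb|size|inode|name
body_timeline() {
  awk -F'|' '
    # epoch seconds -> "YYYY-MM-DDTHH:MM:SSZ" without date(1) or strftime
    function iso(e,   d, s, z, era, doe, yoe, y, doy, mp, dd, m) {
      d = int(e / 86400); s = e - d * 86400; z = d + 719468
      era = int(z / 146097); doe = z - era * 146097
      yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
      y = yoe + era * 400
      doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
      mp = int((5 * doy + 2) / 153)
      dd = doy - int((153 * mp + 2) / 5) + 1
      m = (mp < 10) ? mp + 3 : mp - 9
      if (m <= 2) y++
      return sprintf("%04d-%02d-%02dT%02d:%02d:%02dZ", y, m, dd,
                     int(s / 3600), int((s % 3600) / 60), s % 60)
    }
    NF >= 11 {
      split("a m c b", kind, " ")
      for (i = 1; i <= 4; i++) {
        t = $(7 + i) + 0
        if (t > 0) {                 # 0 means "not recorded" (FAT has no ctime)
          key = t "|" $2
          flags[key] = flags[key] kind[i]
          size[key] = $7; inode[key] = $3
        }
      }
    }
    END {
      for (key in flags) {
        split(key, p, "|")
        f = flags[key]
        col = (index(f, "m") ? "m" : ".") (index(f, "a") ? "a" : ".")
        col = col (index(f, "c") ? "c" : ".") (index(f, "b") ? "b" : ".")
        printf "%s|%s|%s|%s|%s\n", iso(p[1]), col, size[key], inode[key], p[2]
      }
    }' "$1" | LC_ALL=C sort
}
```

Usage on the case above: `body_timeline data_usb` prints the whole timeline, and `deleted_entries data_usb | body_timeline /dev/stdin` restricts it to the deleted entries. The "b" (birth, crtime) column is what FAT records as the creation time; a birth time later than the modification time, as on the .tmp entries above, is itself a finding worth noting.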
Recovery File
Demo: TestDisk
Phase 4 Examination
- Don't forget the preservation phase!
- Identify data related to the case: strings, files
- Use forensic tools to help the examination: TSK, EnCase, PTK, FTK, etc.
- Search for hidden data: steganography, encrypted data
- Write down all data that has been found in the temporary report
Example

Test chain of custody

    root@bt:~# md5sum usb_bb.dd > md5usb
    root@bt:~# md5sum -c md5usb
    usb_bb.dd: OK

Search for related keywords

    root@bt:~# pico keywords_list
    root@bt:~# grep -abif keywords_list usb_bb.dd > hits.txt

Re-checking the image hash before every phase is what proves the image is still what was acquired. The grep flags: -a treats the image as text instead of stopping at "Binary file matches", -b prefixes each hit with its byte offset in the image, -i ignores case, -f reads one keyword per line from keywords_list. Without -o, the "hit" grep prints is the whole newline-delimited run of bytes around the match, which on a raw image is arbitrarily long binary data (as hits.txt below shows); adding -o prints only the matched text, and with -b the offset is then that of the match itself.
    root@bt:~# cat hits.txt | more
    21267045: Kota SLT: dikan ______________________________________________________________________________ Tahun Lulusinggi:IPLOMA ___________________3 (lingkari jawaban yg dipilih)_________ Ingin Meb.mar paNama Perusahaanr: (urut ____________________________n : pada posisi : _______________________ acc.akakom.ac.ida :_____ )bagi Penyelenggara :an/saudara________( Radio/TV_____( Perguruan Tinggi______________ nya jika telah mengisi Formulir Data Pengunjung J
    21369790:
Go to the byte offset

    root@bt:~# xxd -s 21267045 usb_bb.dd | more
    1449005: 6e67 093a 0944 4950 4c4f 4d41 2020 2f20  ng.:.DIPLOMA  /
    1449015: 2053 3120 202f 2020 5332 2020 2f20 2053   S1  /  S2  /  S
    1449025: 3320 2020 286c 696e 676b 6172 6920 6a61  3   (lingkari ja
    1449035: 7761 6261 6e20 7967 2064 6970 696c 6968  waban yg dipilih
    1449045: 290d 5461 6875 6e20 4c75 6c75 7309 3a09  ).Tahun Lulus.:.
    1449055: 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f  ________________
    1449065: 5f5f 5f0d 0808 2873 6562 616c 696b 6e79  ___...(sebalikny
    1449075: 6120 2020 2820 2029 0d08 0d0d 0854 494b  a   (  ).....TIK
    1449085: 4554 2054 414e 4441 204d 4153 554b 0d50  ET TANDA MASUK.P
    1449095: 454e 4755 4e4a 554e 4720 414b 414b 4f4d  ENGUNJUNG AKAKOM
    14490a5: 2043 4152 4545 5220 4441 5953 2032 3031   CAREER DAYS 201
    14490b5: 310d 0d4e 616d 6120 093a 095f 5f5f 5f5f  1..Nama .:._____
    14490c5: 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f  ________________
    14490d5: 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f 5f5f  ________________
    14490e5: 5f5f 5f5f 5f5f 5f5f 5f5f 5f0d 0853 7461  ___________..Sta
    14490f5: 7475 7309 3a09 5065 6e67 756e 6a75 6e67  tus.:.Pengunjung
    1449105: 2050 656e 6361 7269 204b 6572 6a61 0d0d   Pencari Kerja..
    1449115: 0d0d 0d0d 0d4b 4152 4952 2044 414e 2050  .....KARIR DAN P
    1449125: 454b 4552 4a41 414e 0d53 7461 7475 7320  EKERJAAN.Status
    1449135: 4b65 726a 6109 3a0d 0928 2020 4265 6c75  Kerja.:..(  Belu
    1449145: 6d20 5065 726e 6168 2042 656b 6572 6a61  m Pernah Bekerja
    1449155: 0920 2863 6f6e 7472 656e 6720 206a 6177  . (contreng jaw

One caveat when jumping from a grep hit to a dump: xxd prints offsets in hex while grep -b prints them in decimal, so the two cannot be compared by eye. 21267045 is 0x1448265, and the screen shown above starts at 0x1449005 (21270533), about 3.4 KiB further into the file, as you would expect after paging forward in more. Converting with printf '%x' 21267045 before reading the dump, or dumping with od -A d -j 21267045 usb_bb.dd so that the addresses are decimal, avoids the mismatch. The CR-separated form text (0x0d between lines, no 0x0a) also says the hit lies inside a document rather than in a plain text file.
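The keyword-search step above, as an added shell example that is not part of the original slides: one line per hit giving the decimal byte offset (what grep -b prints), the hex offset (what xxd prints), the absolute sector, and the sector relative to the partition start, which is the unit TSK's ifind -d takes for a FAT image. It assumes GNU grep (with -o, -b reports the offset of each match rather than of the surrounding "line") and 512-byte sectors; the image contents and keyword list in the demo are constructed, and the ifind command line is printed rather than run because it needs the real image.

```shell
#!/bin/sh
# Added example (not from the original slides): keyword hits with offsets in
# every unit you will need next. Assumes GNU grep and 512-byte sectors.

# keyword_hits IMAGE KEYWORD_FILE [PART_START_SECTOR] [SECTOR_SIZE]
# Output: decimal_offset|hex_offset|sector|partition_sector|matched_text
# A hit below the partition start is reported as "outside" (MBR gap, not
# part of the filesystem, so ifind cannot map it to a file).
keyword_hits() {
  img=$1; kw=$2; start=${3:-0}; bs=${4:-512}
  LC_ALL=C grep -o -b -a -i -f "$kw" "$img" | while IFS=: read -r off match; do
    sec=$((off / bs))
    if [ "$sec" -ge "$start" ]; then psec=$((sec - start)); else psec=outside; fi
    printf '%s|0x%x|%s|%s|%s\n' "$off" "$off" "$sec" "$psec" "$match"
  done
}

# show_hit IMAGE OFFSET [LEN]: dump the bytes at a hit with DECIMAL addresses
# (od -A d), so they line up with grep -b; xxd -s would print them in hex.
show_hit() { od -A d -t x1 -j "$2" -N "${3:-64}" "$1"; }

# next_step PARTITION_SECTOR [PART_START_SECTOR]: the TSK command that maps a
# data unit (a sector, for FAT) back to the directory entry that owns it,
# or reports it as unallocated.
next_step() { echo "ifind -f fat16 -o ${2:-1512} -d $1 usb_bb.dd"; }

# Stand-alone demo on a constructed 1 MiB image: zeros with two planted strings,
# one inside the partition (which starts at sector 1512 as in the case above)
# and one in the gap before it.
demo() {
  work=$(mktemp -d)
  dd if=/dev/zero of="$work/img.dd" bs=512 count=2048 2>/dev/null
  printf 'Career Days' | dd of="$work/img.dd" bs=1 seek=779144 conv=notrunc 2>/dev/null
  printf 'AKAKOM'      | dd of="$work/img.dd" bs=1 seek=100000 conv=notrunc 2>/dev/null
  printf 'career days\nakakom\n' >"$work/keywords_list"
  keyword_hits "$work/img.dd" "$work/keywords_list" 1512
  show_hit "$work/img.dd" 779144 16
  next_step 9
  rm -rf "$work"
}
```

On the real image the call is `keyword_hits usb_bb.dd keywords_list 1512`; take the partition_sector column of an interesting hit to `ifind -d`, then `istat`/`icat` on the inode it returns to recover the owning file, or `blkcat` on the sector if ifind reports it unallocated.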
Phase 5 Analysis
- Preservation phase first (re-check the image fingerprint)
- Timelining (timeline analysis)
- Compare all the data gathered so far with computer knowledge and the crime (the case)
- Analysis: search for the relations between the findings
- Go with the investigator's instinct
- Write down every piece of information found
Phase 6 Presentation
- Compile all the documentation that has been made
- Be an expert witness: explain in detail, with all the knowledge that was used when analyzing the evidence
Any Questions?
mrp.bpp@gmail.com
Opening Batch II
What you will learn in this course: from information security audit to computer forensics, with more than 90 topics to learn in 2 months.
For more information and registration please send email to : pendaftaran@is2c-dojo.com
Phone/SMS : 085255424164