Development of Digital Evidence Collection Methods in Case of Digital Forensic Using Two Step Inject Methods

Nana Rachmana Syambas and Naufal El Farisi
School of Electrical Engineering and Informatics, Bandung Institute of Technology
Jalan Ganesha no.10 Bandung 40132 Indonesia
e-mail: [email protected], [email protected]

Abstract— Digital forensics is a branch of forensic science concerned with legal evidence found in computers and digital storage media. During an investigation, investigators take digital evidence from computers, laptops, mobile phones (HP), and other electronic goods. But there are times when a suspect, a witness, or a related person does not want to cooperate with investigators and removes the digital evidence. Therefore much research aims at regenerating data from flash memory, hard disks, or other digital storage media whose contents have been deleted. Unfortunately, such methods cannot guarantee that all deleted data can be resurrected; most can recover only part of it, and sometimes even that part is imperfect, so the file cannot be opened. This paper discusses the development of a new method for retrieving digital evidence, the two step inject (TSI) method, which focuses on preventing the loss of digital evidence at the hands of suspects or other parties. The advantages of this method are that the system works in secret and can be combined with other, already existing digital evidence excavation applications, so that the accuracy and completeness of the resulting digital evidence can be better. Collaboration with an admin-LAN client application also enables future data collection to be performed remotely.

Keywords—digital forensic, digital evidence, keyloggers, hidden application

I. INTRODUCTION

Digital forensics is a branch of forensic science concerned with legal evidence found in computers and digital storage media. The goal of computer forensics is to describe the current state of a digital artifact. The term digital artifact can include a computer system, storage media (such as a flash drive, hard disk, or CD-ROM), an electronic document (e.g. an email message, video, or JPEG), or even a series of data packets in a network switch. The explanation sought may be as simple as "what information do we have here?" or as detailed as "what sequence of events led to the current situation?". Until now, most data collection for digital forensic purposes has been done by openly examining the electronic devices commonly used by suspects, such as desktop PCs, laptops, and mobile phones. This is in accordance with legal procedures, but there is a great possibility that the suspect has removed the digital evidence from the device first. There are actually many ways to resurrect deleted data, but there is no guarantee that the recovered data will be perfect in terms of the number of files and their content compared with before it was removed. Consequently, when gathering evidence, in many cases the police could not gather enough evidence to change the status of a suspect to defendant.

Therefore this paper presents a new method of extracting the data secretly, in order to prevent the collection of imperfect evidence should a suspect eliminate it. This method is specifically for laptops or computers with Windows operating systems. The applications were created from Windows script files and the C language. The hope is that this method can generate perfect digital evidence after a person is named as a suspect.

II. DIGITAL FORENSIC

Specifically, digital forensics is a science and skill to identify, collect, analyze and examine digital evidence when dealing with a case that requires the handling and identification of digital evidence [7].

A. Branches of Digital Forensic

In general, digital forensics is divided into four branches [7].
(1) Computer forensics, whose activities relate to analysis of the contents of a computer, such as internet history, log files, and the contents of various files.
(2) Mobile device forensics, which relates to the recovery of digital evidence from mobile devices. It differs from computer forensics because of the linkage with built-in communication systems (e.g. GSM) and the proprietary storage mechanisms of the operator. Investigations usually focus on simple data such as call logs and text communication (SMS/Email) rather than on regenerating data that has been deleted. Mobile device forensics is also useful for providing location information, either from GPS or from tracking the location through triangulation of base transceiver stations (BTS).
(3) Network forensics, which relates to the monitoring and analysis of computer network traffic on a local network, a WAN, or the Internet for the purpose of gathering information, gathering evidence, or detecting intrusion by outside hackers.
(4) Database forensics, which relates to the forensic study of databases and their metadata. Investigations are usually based on the content of the database, log files, and data in RAM to build a time-line or recover relevant information.

B. Phases of Digital Forensics

Based on Figure 1, there are four phases of work in digital forensics [12]. The first is the phase of collecting digital evidence, which identifies where evidence is located, where the evidence is stored, and how it is taken for the purposes of the investigation.

978-1-4799-7447-4/14/$31.00 ©2014 IEEE

Figure 1. Phases of Digital Forensic (media → Collecting → data → Testing → information → Analyze → evidence → Report)

The second is the testing phase of digital evidence, which is the process of assessing and extracting relevant information from all the data collected. This phase also includes bypassing or minimizing any feature of the various operating systems and applications that may eliminate the data, such as compression, encryption, and access control mechanisms. This is vital to note, because even a slight change in the digital evidence will change the results of the investigation. The third is the analysis phase, which includes a variety of activities, such as identification of the user or of outside users who are not directly involved, the location, the device, and the incident, and consideration of how all the components are linked together to reach a final conclusion. The fourth is the reporting phase, which is the process of documentation and reporting, including alternative explanations, audience considerations, and identification of actionable information derived from the data collected earlier. This study specifically discusses a method for the first phase, the collection of digital evidence.

C. Legal Aspects

In Indonesia there are laws regulating electronic information and transactions. Everything is summed up in the ITE Law number 11 of 2008. It contains 54 articles that regulate all electronic transactions, including electronic information, electronic transactions, information technology, electronic documents, electronic systems, electronic system operation, networking of electronic systems, electronic agents, electronic certificates, electronic certification organizers, reliability certification institutions, electronic signatures and signatories, and access to computers and the Internet [10]. Illegal collection of data is described in Articles 30 to 32, with criminal provisions in Articles 46 to 48, while the issue relating to this research, taking digital evidence legally, is covered in Articles 42 to 44.

III. DIGITAL EVIDENCE

The existence of digital evidence is critical in the investigation of computer crime cases, because with this evidence investigators and forensic analysts can uncover a case with a complete chronology, then name someone as a suspect and further on as a defendant.

A. Types of Digital Evidence

This digital evidence is extracted or recovered from electronic devices. Under Law No. 11 of 2008 on Information and Electronic Transactions, such evidence is known as electronic information and electronic documents [10]. The types of digital evidence under that law are: logical files, audio files, deleted files, video files, lost files, image files, slack files, e-mail, log files, usernames & passwords, encrypted files, SMS, MMS, BBM, steganography files, call logs, and office files.

B. Management of Evidence

A good digital evidence collecting system must fulfill the existing parameters. Investigators should be able to filter the information from the available evidence without changing its authenticity. Under federal law in the United States, there are two parameters that need to be fulfilled: the chain of custody and the rules of evidence [8].
(1) The chain of custody is the maintenance of evidence to minimize damage caused by the investigator. The aim is that the evidence is still completely original when presented at trial, the same as when it was found [8].
(2) The rules of evidence mean that the evidence must be relevant to the existing case. There are four requirements that must be fulfilled: acceptable, authentic, complete, and reliable [8].
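As an added illustration (not code from the paper), the chain of custody requirement can be checked mechanically: the acquired copy must hash-match its source and keep the source's metadata. The script constructs an evidence file with a back-dated modification time and compares a plain copy against a metadata-preserving clone, the difference that Table 1 calls "cloning, not copy"; file names and timestamps are made up.

```python
"""Chain-of-custody check for an acquired copy: it must hash-match the source
and keep the source's metadata (size, modification time). Added illustration,
not the paper's code; the evidence file is constructed in a temp directory."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Streamed SHA-256 so large evidence files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def custody_record(original: str, acquired: str) -> dict:
    """Compare an acquired copy with its source; the dict is what an
    investigator would attach to the evidence log for this item."""
    src, dst = os.stat(original), os.stat(acquired)
    src_hash, dst_hash = sha256_file(original), sha256_file(acquired)
    return {
        "source": original,
        "acquired": acquired,
        "sha256": src_hash,
        "content_match": src_hash == dst_hash,
        "size_match": src.st_size == dst.st_size,
        # a copy that rewrites mtime destroys the 'last modified' timeline
        "mtime_preserved": int(src.st_mtime) == int(dst.st_mtime),
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


def demo(tmpdir: str = None) -> dict:
    """Constructed scenario: a document back-dated to 2014 is acquired once
    with a plain copy and once with a metadata-preserving clone."""
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="custody-")
    original = os.path.join(tmpdir, "report.docx")
    with open(original, "wb") as f:
        f.write(b"constructed evidence content\n" * 100)
    old = datetime(2014, 5, 21, 9, 15, 42, tzinfo=timezone.utc).timestamp()
    os.utime(original, (old, old))                  # back-date atime and mtime
    plain = os.path.join(tmpdir, "plain_copy.docx")
    clone = os.path.join(tmpdir, "clone.docx")
    shutil.copy(original, plain)    # content only: mtime becomes 'now'
    shutil.copy2(original, clone)   # content plus timestamps
    return {"plain": custody_record(original, plain),
            "clone": custody_record(original, clone)}


if __name__ == "__main__":
    for kind, rec in demo().items():
        print(kind, {k: rec[k] for k in ("content_match", "size_match", "mtime_preserved")})
```

Both copies pass the content check; only the clone passes the metadata check, which is the part a court will ask about when the timestamp is the alibi.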

IV. COLLECTING METHODS

So far there have been many studies of digital evidence collection methods for laptops or computers. These studies have resulted in applications and tools to collect, regenerate, and analyze data, such as tcpdump, Ethereal, Argus, NFR, TCPWrapper, sniffers, nstat, Tripwire, ProDiscover, various keyloggers, diskcopy (with /v on DOS), and dd on Unix. All existing research related to the technology of acquiring and collecting digital evidence can be classified by the essence of how the application works [4].

A. Capturing Network Data Packets

This is often done to observe users that are connected to a local network. By using existing tools such as netstat, Cain & Abel, and Wireshark, we can obtain valuable data. In Cain & Abel we can see detailed information about the connected users, such as IP addresses, MAC addresses, which sites are being opened, the username and password entered at login, etc. With Wireshark we can take more of the raw data, such as the cache and cookies a user sends when accessing a site, and see the detail of the source, destination, protocol, length, and info columns on the capture interface.

B. Awakening Deleted Data

Criminals often take steps to conceal their crime, and deleted data can often contain the most incriminating digital evidence. Therefore, one of the most useful processes is to regenerate files and folders that have been deleted. When dealing with FAT or NTFS file systems, almost all tools can recover files that have been deleted, but not all can recover deleted folders that are no longer referenced by the file system. Although regenerating deleted data from storage is very useful when it succeeds, this approach still has many weaknesses. Folder and file recovery tools usually make assumptions that are not always appropriate. For example, when recovering a deleted file, many applications take the initial cluster and file size from the folder entry and assume that the following free clusters are the rest of the file in sequence. This assumption fails when the initial cluster of the removed file is followed by free clusters that actually belong to a different file that was also deleted. Some automated file recovery tools fail to distinguish the directory entry of a file that has merely been deleted from one that has been deleted and overwritten. That weakness can be covered by an application that performs file carving, like Foremost, Scalpel, DataLifter, and PhotoRec. But even then there is no guarantee that the file can be resurrected perfectly and completely.
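The header/footer carving that Foremost and Scalpel perform can be shown on a constructed raw image; this is an added example, not code from the paper or from those tools. It also exhibits the failure mode described above: a deleted photo whose tail clusters were overwritten is emitted as a truncated fragment that will not open cleanly.

```python
"""Header/footer file carving of JPEGs from a raw image, the technique used
by Foremost and Scalpel. Added example, not the paper's code; the 'disk
image' is constructed inline."""

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus next marker prefix
JPEG_EOI = b"\xff\xd9"       # end-of-image marker
MAX_JPEG = 4 * 1024 * 1024   # carve at most this much per hit (Foremost's "max size")


def carve_jpegs(image: bytes, max_size: int = MAX_JPEG):
    """Return [(offset, data, complete)] for every JPEG signature in image.

    complete is False when no EOI marker appears within max_size bytes of
    the header: typically the tail of the file was overwritten after
    deletion, so the fragment is emitted but will not open cleanly."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        window_end = min(len(image), start + max_size)
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), window_end)
        if end == -1:
            found.append((start, image[start:window_end], False))
            pos = start + len(JPEG_SOI)      # keep scanning for later headers
        else:
            found.append((start, image[start:end + len(JPEG_EOI)], True))
            pos = end + len(JPEG_EOI)
    return found


def fake_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in for a JPEG: SOI, APP0 marker byte, payload, EOI."""
    return JPEG_SOI + b"\xe0" + payload + JPEG_EOI


def build_sample_image() -> bytes:
    """Constructed raw image: zero filler around two deleted photos, the
    second one cut off (the cluster holding its EOI was overwritten)."""
    filler = b"\x00" * 512
    intact = fake_jpeg(b"photo-one-" * 20)
    truncated = JPEG_SOI + b"\xe0" + b"photo-two-" * 20   # no EOI
    return filler + intact + filler + truncated + filler


def carve_report(image: bytes):
    """Summarize carving results as (offset, size, complete) tuples."""
    return [(off, len(data), ok) for off, data, ok in carve_jpegs(image)]


if __name__ == "__main__":
    for off, size, ok in carve_report(build_sample_image()):
        print(f"offset={off} size={size} {'complete' if ok else 'TRUNCATED'}")
```

Note that the truncated hit swallows the filler after it up to the size limit; that is exactly why carved output needs a validation pass before it is treated as evidence.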

C. Solving Encryption and Steganography Files

When dealing with protected individual files, one can use a hex editor such as WinHex that works by removing passwords from a file. There are also other specialized tools that can bypass passwords or recover them from many types of files. Today's most powerful and most dependable tools for recovering protected and encrypted files are PRTK and DNA from AccessData [4]. Tools like this are usually limited by the investigator's hardware. There are alternatives that allow working faster by combining multiple computers. Distributed Network Attack (DNA) can perform brute force on 40-bit encryption of file types including Adobe Acrobat and Microsoft Office. Using a cluster of approximately 100 desktop supercomputers and a proper application makes it possible to try every possible 40-bit key in just five days. As for steganography, investigators must be careful with large files that look unnatural. To break it, the investigator must manually search for the steganography software the suspect used to hide data. If it exists, the file can be opened using that steganography software with a password obtained from the encryption solution.

D. Extracting Embedded Metadata

As explained previously, embedded metadata can answer a variety of questions regarding a document, including the genuineness and authenticity of the source. Figure 2 shows Exchangeable Image File (EXIF) information obtained from a photo, such as the date and time the photo was taken, the final copy, the camera used, and others. This information can itself be an alibi or evidence of a crime.

E. Social Engineering

Sometimes collecting data with legal procedures is hard to do. Investigators are usually inhibited when determining the status of a suspect or the accused due to lack of evidence. The reasons may vary, but the most common case in many countries is that the suspect has political power and can hire many lawyers who find loopholes in the law to impede further investigation. When investigators encounter such blind conditions, they must have good improvisational skills to perform a trick in an attempt to obtain evidence [8]. Espionage as we often see in the movies is an example of social engineering, but actually it is just a basic example. At an engineer's level, we should be able to think in more complex terms than a spy relying on an attractive appearance.
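An added example (not the paper's code, and not JPEGsnoop) of reading the EXIF tags named above straight from a JPEG's APP1 segment: it walks the TIFF directories in either byte order and returns the camera make and the original timestamp. The sample JPEG, the make "Canon" and the timestamp are constructed inline.

```python
"""Minimal Exif reader: finds the APP1 segment of a JPEG and pulls the TIFF tags
an investigator looks at first (camera make, original timestamp). Added example,
not the paper's code or JPEGsnoop; the sample JPEG is constructed inline."""
import struct

TAG_MAKE, TAG_MODEL, TAG_EXIF_IFD, TAG_DATETIME_ORIG = 0x010F, 0x0110, 0x8769, 0x9003
ASCII, LONG = 2, 4   # TIFF field types
NAMES = {TAG_MAKE: "Make", TAG_MODEL: "Model", TAG_DATETIME_ORIG: "DateTimeOriginal"}


def _parse_tiff(tiff: bytes) -> dict:
    """Walk IFD0 and the Exif sub-IFD; honours both byte orders (II/MM)."""
    endian = "<" if tiff[:2] == b"II" else ">"
    todo, out = [struct.unpack(endian + "I", tiff[4:8])[0]], {}
    while todo:
        off = todo.pop()
        count = struct.unpack(endian + "H", tiff[off:off + 2])[0]
        for i in range(count):
            e = off + 2 + 12 * i
            tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
            raw = tiff[e + 8:e + 12]               # value itself, or offset to it
            if tag == TAG_EXIF_IFD:
                todo.append(struct.unpack(endian + "I", raw)[0])
            elif typ == ASCII and tag in NAMES:
                if n <= 4:                          # short values live inline
                    data = raw[:n]
                else:
                    voff = struct.unpack(endian + "I", raw)[0]
                    data = tiff[voff:voff + n]
                out[NAMES[tag]] = data.rstrip(b"\0").decode("ascii", "replace")
    return out


def read_exif(jpeg: bytes) -> dict:
    """Return the recognised Exif tags of a JPEG, or {} if it carries none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:   # no length field
            pos += 2
            continue
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b"Exif\0\0"):
            return _parse_tiff(seg[6:])
        if marker == 0xDA:                  # start of scan: no Exif after this
            break
        pos += 2 + seg_len
    return {}


def _ifd(entries, base: int) -> bytes:
    """Serialize a little-endian IFD placed at absolute TIFF offset base;
    ASCII values longer than 4 bytes go after the IFD and are referenced."""
    head, tail = b"", b""
    data_off = base + 2 + 12 * len(entries) + 4
    for tag, typ, val in entries:
        if typ == LONG:
            head += struct.pack("<HHII", tag, typ, 1, val)
        elif len(val) < 4:                        # value plus NUL fits inline
            head += struct.pack("<HHI", tag, typ, len(val) + 1) + (val + b"\0").ljust(4, b"\0")
        else:
            head += struct.pack("<HHII", tag, typ, len(val) + 1, data_off + len(tail))
            tail += val + b"\0"
    return struct.pack("<H", len(entries)) + head + b"\0\0\0\0" + tail


def build_sample_jpeg() -> bytes:
    """Constructed JPEG: SOI, an APP1/Exif segment with made-up Make and
    DateTimeOriginal values, then EOI (no image data is needed here)."""
    exif_off = 8 + (2 + 12 * 2 + 4 + len(b"Canon\0"))   # IFD0 size incl. its tail
    ifd0 = _ifd([(TAG_MAKE, ASCII, b"Canon"), (TAG_EXIF_IFD, LONG, exif_off)], 8)
    exif = _ifd([(TAG_DATETIME_ORIG, ASCII, b"2014:05:21 09:15:42")], exif_off)
    app1 = b"Exif\0\0" + b"II*\0" + struct.pack("<I", 8) + ifd0 + exif
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

read_exif(build_sample_jpeg()) returns {'Make': 'Canon', 'DateTimeOriginal': '2014:05:21 09:15:42'}; a JPEG with no APP1 segment returns an empty dict rather than guessing.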

Figure 2. EXIF Extracted from Digital Photo Using JPEGsnoop

V. TSI SYSTEM DESIGN

Two step inject (TSI) is a system for retrieving digital evidence in secret through two phases of flash drive injection into the target's computer or laptop. This method emphasizes the principle of preventing the loss of material due to the removal of digital evidence by the defendant or due to other accidents. The first injection is the phase of planting the content module applications and collecting initial data, which is analyzed in order to decide which data to take next. The second injection is an improvement on the first and is the phase of harvesting data from the content module and collecting more data.

Table 1. Advantages of the TSI System Compared with Other Methods
1. Does not violate ITE Indonesia law no 11 of 2008
2. Fulfills the rules of evidence
3. Has a high level of dynamism in terms of data collection options
4. Cloning folders without contents
5. Cloning, not copy
6. Looks for a password for file encryption effectively, with passwords predicted from online accounts
7. Alternative method to brute force for solving encryption
8. Beginning for remote investigation
9. Alternative to existing key-loggers that need an installation process
10. Automated and runs in secret
11. Small size and light when run
12. Can collaborate directly

The modeling in Figure 3 is represented in the form of a use case model. The purpose of use case modeling is to clarify the description of the application requirements, notably regarding the features and behavior of the application.

The TSI system is built from three main modules, namely the social engineering module, the in-out module, and the content module. The social engineering module is a user manual to be used by the informant when collecting data, so that they do not arouse suspicion when injecting the flash disk. Because this module is not overly concerned with the TSI application itself, only the core points that need to be done by the informant are discussed here. The Standard Operating Procedure (SOP) of the informant is shown in Figure 4.

Figure 3. Use Case Diagram of the TSI System

Table 2. The Actors of the TSI System
Investigator (Ac-TSI-01): This actor has the authority to give directives and orders directly to the informant.
Informant (Ac-TSI-02): This actor has the task of social engineering to successfully run the two step inject method on the target.
Target (Ac-TSI-03): This actor is the source of the data to be retrieved by the system, such as internet history, conversation history, documents, photos, history logs, passwords, etc.

Table 3. The Use Cases of the TSI System
UC-TSI-01 Install Content Module: The system injects the LAN client application with a key-logger and sets these applications to run from Windows start-up using the in-out module.
UC-TSI-02 Retrieve Information for the Second Injection: The system duplicates the existing folder structure on the suspect's computer/laptop to the flash disk to locate the layout of documents and important information, in order to obtain material for the analysis that configures the second injection. UC-TSI-02 is run in conjunction with UC-TSI-01 using the in-out module.
UC-TSI-03 Get Results of Content Module: The system retrieves the key-logger result file (log.log) using the in-out module. Remote investigation for monitoring and file transfer can use the LAN client application running on the target's computer or laptop.
UC-TSI-04 Retrieve Other Important Information: The system takes other important data needed as digital evidence, like documents, images, internet history, conversation history, etc., using the in-out module.

Figure 4. Flowchart SOP for Informant (nodes: start; do MoU to participate in the investigation; prepare the approach plan according to the direction of the investigators; get the TSI applications configured for the first injection; approach the target in the pre-inject stage; approach Ok? (N: repeat approach); do first injection stage; do post first injection stage; submit results of the first injection; prepare pre second injection and wait for the investigator's analysis result to configure the second; result analysis Ok?; do the second injection stage; do post second injection stage; submit results of the second injection; repetition? (Y: repeat); get an incentive from the investigator; stop)

The in-out module, as the name implies, is the module that serves to "open the door" in secret so that the "filling" can pass through. The module is used to start the TSI system automatically via autorun when the informant's pen drive, flash drive, or external hard disk is inserted. The in-out module consists of four files: autorun.inf, mulai.bat, in.vbs, and file.bat. The content module is the set of files transferred from the flash disk to the suspect's hard disk as a trap. Two applications are prioritized for the content module: the admin-LAN client application and the key-logger application. The admin-LAN client application provides remote access and file transfer between the admin computer and client computers on a local area network. The key-logger application, like applications that perform logging on a client computer such as Actual-Spy and Spy-Agent, monitors and reports (logs) the activities carried out on the target's computer in the form of notes, which are then taken through a file transfer using the LAN client application. The executable file of this keylogger is copied to the root of drive C. Because the target's laptop is from Asus, to disguise the content module the keylogger is named AsusAssist.exe, and the keylogging process is documented in the log.log file.

V. TEST RESULTS AND ANALYSIS

The TSI system was tested on two people portrayed as targets. The storage medium used was a Seagate GoFlex 500GB USB 3.0 external hard disk.

Table 4. Hardware Specifications of the Targets
Mr. X, Apt. (PT. Kalbe Farma, Supervision): Acer Aspire One, 1.0 GHz AMD C-50 dual core, AMD Radeon HD 6250, 2 GB RAM, 500 GB 5400 rpm HD, Windows 7 Home Premium 64-bit
Ms. Y (Student of STEI ITB): Asus U36, Intel Core i5 2.3 GHz with turbo boost up to 2.9 GHz, nVidia GeForce GT520, 4 GB RAM, 720 GB 7200 rpm HD, Windows 7 Ultimate 64-bit

A. First Injection Testing Results

In the first injection test there were two failures. The first was the failure of autorun.inf to start the TSI system automatically, because the antivirus blocked autorun. The solution was to execute the file mulai.bat manually.

Table 5. First Injection Test Results
Social engineering module: Succeed. Used the cover of copying movies from an old friend.
Autorun.inf: Fail. The AntiVir antivirus on the first target blocked autorun, so mulai.bat was executed manually.
Mulai.bat: Succeed. File.bat successfully opened with the configuration of in.vbs.
In.vbs: Succeed. Managed to make file.bat, executed by mulai.bat, run as a process so that it becomes invisible.
File.bat, installation of the keylogger content module and shortcuts: Succeed. Keylogger renamed to AcerAssist.exe to eliminate suspicion from the target and copied to the root of drive C.
File.bat, copying the Windows registry: Fail. Important files like UsrClass.dat, UsrClass.dat.LOG1, and UsrClass.dat.LOG2 failed to be copied.
File.bat, copying internet access history from Chrome and Firefox and copying from Yahoo Messenger: Succeed. Internet access history from Google Chrome and Mozilla Firefox, together with its cache and cookies, was successfully copied. The conversation archive of Yahoo Messenger was successfully copied, so it can be very important digital evidence.
File.bat, cloning the archives of the My Downloads, My Documents, and My Pictures folders: Succeed. All files like photos, video, audio, office documents, and other archives with all kinds of attributes were successfully cloned without changing the attributes and metadata. The hidden files in the My Documents folder could be cloned perfectly.

The second failure was the failure to copy some Windows registry files, namely UsrClass.dat, UsrClass.dat.LOG1, and UsrClass.dat.LOG2, because they are in use while Windows is running. The solution is to use the batch file application hobocopy.exe (http://github.com/candera). Hobocopy.exe is executed from file.bat with the syntax: hobocopy %UserProfile%\AppData\Local\Microsoft\Windows %drive%\all\regcurrentuser UsrClass*.dat. Aside from these two failures, all copy and cloning processes were successful.

B. Second Injection Testing Results

The second injection completes what was lacking in the first injection test: copying UsrClass.dat and cloning the additional results, namely the log.log keylogger file and the office documents from drives D and E:

%kloning% "C:*" "%drive%\all" "log.log"
%kloning% "D:*" "%drive%\all\Ddoc" "*.docx"
%kloning% "E:*" "%drive%\all\Edoc" "*.docx"

Table 6. Second Injection Test Results
Social engineering module: Succeed. Used the cover of copying movies from an old friend.
Autorun.inf: Succeed. The AntiVir antivirus had been turned off.
Mulai.bat: Succeed. File.bat successfully opened with the configuration of in.vbs.
In.vbs: Succeed. Managed to make file.bat, executed by mulai.bat, run as a process so that it becomes invisible.
File.bat, copying the running file UsrClass.dat: Succeed. hobocopy.exe was successfully executed through the command in file.bat to copy the running file.
File.bat, cloning log.log from drive C: Succeed. The log.log file was successfully taken from the root of drive C of the target's laptop.
File.bat, cloning files with .docx extension from drives D and E: Succeed. All files with .docx extension were successfully cloned. Cloning also yielded important information about the folder composition on the target's computer.

The second injection test reached a 100% success rate. The aspects of accuracy and functionality were proven to run well, and what was lacking in the first injection was successfully covered.

VI. CONCLUSIONS

(1) The two step inject method is suitable as a starting gate for further investigation, including for surveillance purposes.
(2) Digital evidence taken by the TSI system using the cloning method still retains the original metadata and is still the same as when it was found. Digital evidence taken by the TSI system therefore fulfills the chain of custody.
(3) The TSI system, if utilized properly by the investigator, can present evidence that is acceptable, original, complete, and trustworthy. This is in accordance with the rules of evidence.
(4) The advantages of the TSI system are that it is simple but effective, has a small size, works invisibly, has high dynamism in collecting data, and can be collaborated with other applications so that future data collection can be operated remotely.

REFERENCES

[1] Carrier, B. (2002). Open Source Digital Forensics Tools.
[2] Carrier, B. (2003). Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers.
[3] Casey, E. (2002). Error, uncertainty and loss in digital evidence. International Journal of Digital Evidence.
[4] Casey, E. (2010). Handbook of Digital Forensics and Investigation. Elsevier.
[5] Casey, E., & Stellatos. (2008). The impact of full disk encryption on digital forensics. ACM SIGOPS Operating Systems Review.
[6] Cosic, J., & Baca, M. (2010). Digital Evidence Management Framework.
[7] Digital Forensik dan Investigasi. (2012). Digital Forensik dan Digital Investigasi. Retrieved from http://digitalforensikdaninvestigasi.blogspot.com/
[8] Federal Bureau of Investigation. (2013). Federal Rules of Evidence, Rule 901 (Authentication and Identification; rule used for chain of custody). Retrieved from http://federalevidence.com/rules-of-evidence#Rule901
[9] Microsoft. (2012, August 15). Command-Line Reference. Retrieved from http://technet.microsoft.com/en-us/library/cc754340.aspx
[10] Perpustakaan Nasional Republik Indonesia. (2008). Undang-Undang Republik Indonesia nomor 11 tahun 2008. Retrieved from Produk Hukum: http://datahukum.pnri.go.id/undang-undang/2008/uu-no-11-tahun-2008ite.pdf
[11] Pladna, B. (2009). Computer Forensics Procedures, Tools, and Digital Evidence Bags.
[12] Prayudi, Y. Y., & Afrianto, D. S. (2007). Komputasi Forensik Sebagai Metode Investigasi Cybercrime.