[RAT] Muhammad Nuh Al-Azhar
Muhammad Nuh Al-Azhar
I am a forensic cop who often deal with forensic investigation on computer crime and/or computer-related crime. I have been working at Forensic Laboratory Centre (Puslabfor) of Indonesian National Police Headquarters (Mabes Polri) for more than 14 years. With this blog, I would like to share my forensic knowledge I obtained from the CHFI (Computer Hacking Forensic Investigator) at EC-Council, USA and the MSc in Forensic Informatics at the University of Strathclyde, UK, and my experience on dealing with the computer-based electronic evidence. Besides CHFI, I was also awarded professional certification of CEI (Certified EC-Council Instructor) from EC-Council, professional commendation as Senior Instructor on crime scene management from a retired forensic investigator of New York State Police, and MBCS (Professional Member of British Computer Society). I also got the award of 2010 Super Six UK Alumni from British Council - Indonesia. In order to update the IT information and maintain professionalism, I join to be member of EC-Council, Forensic Focus, SANS and BCS (British Computer Society). I hope this blog could be useful for anybody who would like to develop forensic skills.
In the last two weeks, I was requested by some parties to share the knowledge on digital forensic at two different activities. The first is to be keynote speaker on the digital forensic preview seminar conducted by EC-Council Representative for Indonesia (i.e. PT. Datamation) along with PT. Andalan Nusantara Teknologi. This seminar carried out in Jakarta was attended by about sixty people which are Chief Information Officer (CIO) or IT people from different organisations in Indonesia such as Bank Central Asia (BCA), Pertamina, Bina Nusantara University, Indonesian Foreign Affairs Department and so on. The second is to be guest lecturer at University of Indonesia. This is a program of the British Council (i.e. UK Alumni Road Show) performed jointly with Criminology Department of University of Indonesia. This class moderatored by Prof. Adrianus Meliala was attended by about thirty students which actively followed the session of lecturing.Source: http://forensiccop.blogspot.com
In both moments, I talked about the current development of digital forensic. Following are some core materials delivered:
Investigation flow chart
On this chart, it is explained that computer crime or computer-related crime is investigated in order to solve the case. This investigation is done by applying digital forensic properly. In this case, digital forensic plays some key roles, namely:
- To support and perform scientific crime investigation.
- To carry out forensic analysis on electronic evidence in order to find out digital evidence.
- To be able to describe the link between the perpetrators and their crime.
- To deliver expert testimony at court.
Digital forensic principles
These principles are adopted from ACPO (i.e. Association of Chief Police Officers in the UK) guidelines. It is widely used by digital forensic practitioners in the world. In my point of view, a digital forensic analyst should understand these principles and has to apply it when performing a forensic investigation. Below are the principles quoted from the guidelines.
1. No action taken by law enforcement agencies should change data held on a computer or storage media.
2. The person accessing the data must be competent to do so and able to explain the relevance and implications of the actions taken.
3. An audit trail or record of all processes applied should be created and preserved.
4. The person in charge has overall responsibility to ensure that these principles are adhered to.
First actions at the scene
When a computer is off, following are some actions which should be taken:
1. Make sure it is switched off and never turn it on.
2. Remove the battery (for notebooks / mobile device) or unplug the end of the power cable attached at CPU first, and then from wall socket (for PCs).
3. For mobile device: if any, never remove SIM cards from the device.
4. Label, document and record it; and then seize it for further analysis.
When a computer is on, the actions would be:
1. Record what is running on the screen.
2. Collect data (e.g. running processes, opened ports, decrypted volumes, etc.). Ensure that changes made to the system are understood.
3. When possible, perform live forensic imaging.
4. Never use the shut down procedure of the OS.
5. Unplug the cable power from CPU first; and then from the wall socket (for PCs) or remove the battery (for notebooks / mobile).
6. Label, document and record it; and then seize it for further analysis.
Digital forensic components
These are components which should be well understood in order to perform digital forensic analysis properly.
1. Qualified Human Resource: Professional digital forensic analyst.
2. Forensic Procedure: Implementation of digital forensic principles.
3. Reliable Hardware: High speed processor, reasonable RAM, USB to IDE cable, write protect, etc.
4. Reliable Software: Forensic applications running under Microsoft Windows and Linux Ubuntu.
5. Management: Solution on budget and non-technical problems.
Digital forensic coverage
Based on the type of the evidence analysed, digital forensic is devided into several categories, namely:
1. Computer Forensic.
2. Cyber & Network Forensic.
3. Mobile Forensic.
4. Audio Forensic.
5. Video & Digital Image Forensic.
6. CD/DVD Forensic.
It is defined as techniques implemented by perpetrator in order to against digital forensic.The objectives of anti-forensic are:
1. To conceal the case-related information.
2. To obscure the criminal’s involvement.
3. To obstruct the action of digital forensic analyst.
The techniques of anti forensic which are frequently implemented are:
1. Cryptography. It is a method to conceal essential information by deploying cryptography algorithm.
2. Steganography. It is a method to conceal essential information by embedding it into a carrier, so that it is difficult to detect.
3. Wiping. It is a method for securely deletion by overwriting sectors of deleted target.
That's several materials I delivered on both moments. It is a pride for me to be speaker or lecturer in sharing my knowledge and experience on digital forensic to other people. I always look forward to receiving the invitation like these programmes. Hopefully this could be useful for anybody or any organisations that would like to apply digital forensic on the investigation of computer crime or computer-related crime.