Saturday, 8 December 2012

An Analytical Framework for Digital CCTV Forensic Data Recovery

My 6th paper on Digital Forensics research.
As a solution, this paper provides ‘An Analytical Framework for Digital CCTV Forensic Data Recovery’ that is required by the digital forensics practitioners for their best practice guidelines.

Having read this one, you’ll find another brilliant piece which addresses CCTV forensics and data recovery. The article written by Aswami Ariffin will supply you with knowledge about extracting forensically sound evidence from a digital video recorder (DVR) of a closed-circuit television (CCTV) system. It sounds fascinating, doesn’t it?

Sunday, 25 November 2012

Digital CCTV forensics: Data recovery of a DVR hard disk using proprietary file format

My IFIP Working Group 11.9 Digital Forensics paper:

A digital video recorder (DVR) of a closed-circuit television (CCTV) system commonly has an in-built capability to export video files to optical storage media such as a digital versatile disc. In the event that the DVR is damaged, its contents cannot be easily exported. Hence, it is generally accepted that recovering video files with their timestamps from a DVR hard disk using a proprietary file format in a forensically sound manner is an expensive and challenging exercise. In this paper, we propose a technique that allows digital forensics practitioners to carve video files with timestamps (data recovery) without referring to the DVR hard disk’s file system. We then performed a forensic analysis to validate our proposed technique.

- Aswami Ariffin, Jill Slay and Raymond Choo


Thursday, 25 October 2012

Digital Forensics Institute in Malaysia: The way forward

Aswami Ariffin, Jill Slay and Husin Jazri set out the digital forensics landscape in Malaysia, analyze the problems encountered, consider its achievements to date, and propose the formation of a Digital Forensics Institute.

Index words: digital forensics; digital forensics research; CyberSecurity Malaysia; development of digital forensics in Malaysia; comparison with Japan

Wednesday, 10 October 2012

Digital Camcorder Forensics

If you have time and budget, this could be a conference to attend.
Australasian Information Security Conference (AISC)

Interview: Internet Security - 7 News Australia

Just been interviewed by a reporter on Internet Security - Tracker & Privacy for about half an hour; it was recorded :).

Monday, 24 September 2012

eForensics Magazine Interview With Aswami Ariffin

Aswami Ariffin, the founder and the first Head of Digital Forensics Department of CyberSecurity Malaysia, shares his experience gained throughout the years of research and work as a digital forensic practitioner. He reveals how he deals with multiple cases and the storage of ESI, he describes the specificity of the digital forensic sector in Malaysia and declares that he never gave up during an investigation.

PS: This interview is part of my research paper on “Digital Forensics Institute in Malaysia: The way forward” to be published by Digital Evidence and Electronic Signature Law Review. Professor Jill Slay and Dato' Husin Jazri (former CEO of CyberSecurity Malaysia) are co-authors of this paper.

Saturday, 1 September 2012

Solid State Drive (SSD) Forensics: Is it a myth?

I spent two weeks doing solid state drive forensic analysis and found something that I could share with the digital forensics community. Before that I read a couple of papers on this topic, e.g.,

i) Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? By Graeme B. Bell and Richard Boddington.
ii) Empirical Analysis of Solid State Disk Data Retention when used with Contemporary Operating Systems by Christopher King (CERT) and Tim Vidas (CMU ECE).

Both papers gave me quick info so that I could design my own SSD forensic analysis. This is quite important for my research too.

I’ve included EnCase, WinHex, external SSD, videos and pictures for the analysis.
After deleting all video files, I used EnCase to view the SSD contents (see below).

No problem with the pictures, but with the videos there was an issue. To be precise, 7 video files were copied to the SSD and, as you can see in the above snapshot, only 1 video file was discovered by EnCase (it should have been 7 because they shouldn’t have been overwritten; they totally disappeared).

So, what happened here? I’m perplexed! Not for a HD but SSD…? TRIM…garbage collection…wear levelling…? FTL? We got a serious problem here!

All these technologies are making forensic analysis complicated! Why (I’ve written/presented so many times on the difficulties faced by the digital forensics practitioners)?

So, I decided to use my WinHex to ‘peep’ into the SSD image (DD file) and surprisingly I found a few video files.

It wasn’t a nice experience though! Looking at bits and bytes (My vision is getting worse by the day! No more computers after this!).

EnCase?; I’m not trying to condemn EnCase here, in fact I’m using it regularly.
SSD?; the death of digital forensics, then I need to change my profession. Not at this age!

But the best outcome was the retrieval of my favourite videos not seen by EnCase.

Saturday, 11 August 2012

Can you trust your digital forensics tools?

It has been a while since I posted a new topic in my digital forensics blog. I was busy with writing…experimenting…revising and writing again. It was time consuming, but you need to ensure as few mistakes as possible (nobody is perfect though!). Well, I’m not going to bore you with my researcher’s life.

Umh, what is so interesting on this topic?

It is about digital forensics tools!

Do you trust your tool 100%?

Well, we know that some reputable digital forensics tools were evaluated by NIST.

But, did you really put in an effort to evaluate it yourself (or this could be done by your own digital forensics laboratory research team)?

Yes, all of us have gone through lots of training conducted in a conducive environment, with no technical problems (perhaps a few glitches), and the tool seems to be perfect.

This scenario might not be the same when you start using it! Trust me.

It is not my intention to create an issue here (with the people who developed the digital forensics tool; I’m also a developer) but merely to share on the little knowledge that I have on this matter especially with the digital forensics practitioners.

If you are a digital forensics practitioner (only managing cases and having no time for research), you may feel dejected if your tool did not work as per your expectation. It is even more frustrating if the tool cost you a ‘bomb’ (expensive).

This is quite normal. As I said before, nobody is perfect and no tool is perfect either. Yes, it works, but under certain conditions it will not (I’m not going to mention which tool or describe the conditions in detail).

What I want to advise is that you must personally put in an effort to evaluate your tools as much as possible (or at least refer to those who have used them). Not a simple evaluation but the toughest that you could think of. Just like pushing yourself in a 100 meter run (follow Usain Bolt of Jamaica).

You must be like a hacker, not a cracker: know the vulnerability, exploit it and develop a tool/software. Have an in-depth understanding of the tool and it will be useful, especially when you are called as an expert witness in a court of law.

If not, your adversary on the other side of the court will give you the toughest time that you could ever imagine, and it is going to be dreadful.

So think over and over again on this topic.

It is not easy to be a digital forensics analyst. Loads of certifications are not a guarantee.

It is how good you know your field that is DIGITAL FORENSICS.

Monday, 30 July 2012

CCTV Forensics in Malaysia

Last month (12 June 2012), I posted that I’m gonna devise An Analytical Framework for Digital CCTV Forensics and Data Recovery as part of my research. Please refer to the link below if you haven’t read it before.

This idea came as part of my years of experience on the ground as a practitioner in digital forensics. Please refer to the link below if you want to know about me…not my personality or whatsoever…hahaha…but my work and contribution in digital forensics, especially in Malaysia.

And yesterday, I read an online article by Nicholas Cheng on “More homes with CCTVs now”. Fyi, Nicholas works with The Star, the famous newspaper with the biggest circulation in Malaysia. Below is the link if you wish to read further, and I’m adding an excerpt of it.

“PETALING JAYA: Concern over house break-ins has led an increasing number of middle-income urbanites to install closed-circuit television that allows them to observe what is going on in their homes even when they are away.
Security equipment distributors said most of their customers are middle-income people living in terrace houses, condominiums and flats who pay between RM3,000 and RM10,000 to install a default package of eight cameras, a television set and a DVR recorder.
Market prices for CCTV cameras range from RM150 to RM600 a unit. A basic DVR recording device costs around RM1,500.
Checks by The Star showed that homeowners usually had CCTV cameras installed in the porch, side and back areas, living room, kitchen, stairs and bedrooms.”

Well, I’ve seen it earlier: you’ve got some CCTV solutions, but who’s gonna process them so that the digital video with timestamps could be accepted as an exhibit in a court of law?

Of course we need the CCTV as a solution, but it is not enough if the video file extracted is not forensically sound and according to legal requirements/proceedings.

We need a CCTV forensics framework, don’t we?

Think about it.

Ps: The picture of this post was taken from CyberSecurity Malaysia e-security bulletin.

Sunday, 8 July 2012

Tips on Developing an IT Security Policy

As of 22 June 2012, I’ve written 100 posts on my blog; mainly on digital forensics. It is not easy though. You need to do experiments. You need the facts.

And now I’m busy doing forensic analyses on mobile phones. I do not have much time left to update my blog and write up for publication. Hopefully, I will be successful on my “Mobile Phone Forensic Data Recovery” research. This should be the last few experiments that I need to do for this year.

Today, I want to share on an interesting article by Joe Schembri from University Alliance, my guest blogger. Joe has over 10 years of IT experience including 4 years of IT security. Today, he works with University Alliance and CISSP certification prep courses.

There are obviously many factors to consider when developing an effective IT security policy. Just as when considering home security, inherent vulnerabilities and specific unique factors must be weighed carefully. Identifying parameters like the most critical assets to protect, potential threats, and specific intruder profiles can assist in making security stronger and computer systems less penetrable.

1. Mission and Policy Cohesion
The mission of an organization is important to consider, especially if you are brought in as a consultant with limited knowledge of the corporate culture before the initial consultation. The terminology you use to introduce the project, the manner in which you approach team leaders, and the assets considered most valuable will vary from organization to organization. Effective communication and background knowledge will help build a team dynamic between departments collaborating on the policy.

2. Items to Protect
Part of the IT policy provider’s job is to educate the stakeholders in items they may not consider. Whether it is increasing building security, decreasing after-hours access, enhancing employee responsibility, or initiating the discussion for improved server security, the policy needs to be logical and comprehensive.
From a security perspective, your insider knowledge may be “common sense” to you since you are immersed in these situations with clients every day. For an executive with limited knowledge of more stealthy threats, time is needed to share that information so that informed decisions and more effective policies can be developed and proceed smoothly.

3. Use Data to Convince Stakeholders
When building your case for increased security or specific additions of items in the policy document, use industry examples and other pertinent data. Logically building your case gives managers information to take back to their teams, especially when you are introducing change into employee behavior or corporate culture. The same rule applies for working within a family or civic organization to improve security. People are much more likely to change a routine behavior if they have a tangible example to illustrate how the change will benefit the organization, family or company. Larger organizations will have more at stake, but no matter the size of the organization, using examples, case studies, and other pertinent data in an accessible team-oriented way can greatly contribute toward personal engagement.

Today’s threats to cyber security are constantly evolving in both scope and complexity. Mitigating the threats involves staying current on the issues, but also being able to effectively communicate about the threats in ways that are accessible to all members of a team. While policies can frame the best practice solutions to today’s ubiquitous IT security challenges, the policies are only as strong as the stakeholders’ actions regarding policy protocol. When every effort is made to keep the communication inclusive, informative, and collaborative, the resulting policy has shared ownership. In such an environment, the policy becomes dynamic and continually evolving, supported by many as a way to keep shared assets safe for the good of the entire group.

Friday, 22 June 2012

iPhone forensics: Beware expert witness!

iPhone forensics is not as easy as it sounds!

It is not like computer forensics, where you could apply all sorts of techniques to process it. That is a mature field and there are thousands of references you could get from the Internet. No problem at all.

But for iPhone forensics, it is different. The process is not as straightforward as you might have thought. iOS has security features and a complicated mobile phone system, and the technical information is difficult to obtain.

Developing a software/tool will double your effort aka ‘headache’ because it is massive. It could be done but need proper planning.

To start with, you must have knowledge on the hardware components that make up the iPhone. Then you need to understand the software components that work together to get the iPhone operational.

This is a daunting task, but the iPhone Dev Team and Zdziarski have done it, even though some may question whether it is forensically sound or not.

I concur with Carrier that open source tools are better because anyone can review their source code. Just like Foremost by Kornblum et al.

How did they do it and get all the resources mentioned above?

Most likely with sheer determination, connections, working in a team, hacking skills, equipment, etc., you could do it. Also, you may need some LUCK! Don’t dream of doing it alone with only Internet access. God bless you!

However, for basic iPhone forensics, there are two main things that you need to be familiar with:
  1. Imaging – physical or logical acquisition of data.
  2. Extraction – export of relevant data, e.g. videos and pictures.
Imaging an iPhone is easy when you have an expensive tool, but without it, it is really a painstaking job.

But, can you clearly explain how the commercial tool conducted the imaging and extraction of all the files?

Most probably it would only be a brief description and not detailed enough, because you are not the tool developer.

Then, how are you going to do well as an EXPERT WITNESS?

Bear in mind that the lawyers are not the ones that you met ten years ago! Some of them are tech savvy with technical qualifications and certifications. Or they could consult the other experts to go against you in the court of law (a lot of hackers/digital forensics analysts are becoming technopreneurs these days).

The imaging process of an iPhone is complicated. Just visualize it as having a separate special bootable system to access the iPhone user partition and bit-for-bit copying it.

Let’s say that you have done the imaging, then comes the file system analysis part and user data extraction. File system, container, format and timestamp expertise is essential for you (I will cover this in my next blog). It is not easy and it takes time to understand the iPhone file system. The system is huge and complicated. When the file system is corrupted, you need to resort to file CARVING.

As an EXPERT WITNESS, you are expected to explain the entire process. You can’t afford to rely on the commercial tool report alone. You should know how the tool did its work or the least you must do is to convincingly articulate the imaging and extraction concept.

I must say that a tool-dependent EXPERT WITNESS is going to have a tough time, because you cannot 100% trust your tool. Why? Because you won’t get the same results from two different tools [1]. Let me give you some examples.

I’ve used a commercial tool to get the physical image of an iPhone. The same tool retrieved some files, e.g. pictures, and a total of 657 jpegs were extracted.

But, when I used a specialized carving tool on the same image, I got more jpeg files, i.e. 1242 altogether, almost double what the commercial tool did.

What happened here? This is very interesting!

I’m not trying to assert that commercial tools aren’t good enough but merely to find the reason behind this awkward finding (I will cover this in my next blog).
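Why a carver can report files that a file-system-driven tool does not (the 657 vs 1242 jpegs here, and the videos EnCase missed on the SSD in the post above), as an added Python example that is not part of the original post. The toy image layout, directory entry format, file names and the JPEG-shaped blobs are constructed for illustration; the directory walk stands in for what a file-system-driven tool does and the carver is a naive header/footer scan, not any of the tools the post used.

```python
"""Toy raw image: a directory table in the first 8 sectors, then a data area.
Layout, entry format and file names are constructed for illustration only;
this is not a real file system, EnCase, WinHex or any DVR/iPhone format."""
import struct

SOI = b"\xff\xd8\xff"        # JPEG start-of-image plus the first marker byte
EOI = b"\xff\xd9"            # JPEG end-of-image
SECTOR = 512
DIR_START, DATA_START = 0, 8 * SECTOR
DIR_ENTRY = struct.Struct("<8sIIB")   # name, start offset, length, flags
FLAG_DELETED = 0x01


def fake_jpeg(tag: bytes, embedded_thumb: bool = False) -> bytes:
    """A JPEG-shaped blob (markers only, not a decodable picture) for the carver to find.
    With embedded_thumb it carries a nested SOI..EOI, like an EXIF preview image."""
    body = b"\xe0" + tag.ljust(40, b"\x00")
    if embedded_thumb:
        body += SOI + b"\xe1thumb" + EOI
    return SOI + body + EOI


def build_image(spec):
    """spec: list of (name, blob, state) with state one of
    'live'    - normal file
    'deleted' - entry flagged deleted, data left in place (classic HDD case)
    'trimmed' - flagged deleted AND data zeroed, as TRIM/garbage collection does on an SSD
    'orphan'  - data still on disk but its directory entry is gone"""
    table, data = bytearray(), bytearray()
    for name, blob, state in spec:
        offset = DATA_START + len(data)
        padded = blob + b"\x00" * (-len(blob) % SECTOR)       # sector-align like a real FS
        data += b"\x00" * len(padded) if state == "trimmed" else padded
        if state == "orphan":
            continue                                            # no entry survives
        flags = FLAG_DELETED if state in ("deleted", "trimmed") else 0
        table += DIR_ENTRY.pack(name.encode().ljust(8, b"\x00"), offset, len(blob), flags)
    table += b"\x00" * (DATA_START - len(table))
    return bytes(table + data)


def recover_via_directory(image: bytes):
    """File-system route: walk live and deleted entries and keep those whose data still
    looks like a JPEG. Zeroed (trimmed) and orphaned files cannot be found this way."""
    names = []
    for pos in range(DIR_START, DATA_START - DIR_ENTRY.size, DIR_ENTRY.size):
        name, offset, length, _flags = DIR_ENTRY.unpack_from(image, pos)
        if offset == 0:
            break                                               # end of used slots
        blob = image[offset:offset + length]
        if blob.startswith(SOI) and blob.endswith(EOI):
            names.append(name.rstrip(b"\x00").decode())
    return names


def carve_jpegs(image: bytes, count_embedded: bool = True):
    """Carving route: ignore the directory and scan the whole image for SOI..EOI pairs.
    This naive header/footer carver stops at the first EOI, so a file with an embedded
    preview is cut at the preview's EOI; with count_embedded the preview is then carved
    again as its own hit, one reason a carver can report far more JPEGs than a
    file-system-driven tool. Returns (start, end) byte ranges."""
    hits, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            break
        end = image.find(EOI, start + len(SOI))
        if end < 0:
            break
        hits.append((start, end + len(EOI)))
        pos = start + len(SOI) if count_embedded else end + len(EOI)
    return hits


def demo():
    """Five constructed files: two live pictures (one with an embedded preview), one
    deleted on an HDD, one deleted then trimmed on an SSD, and one orphaned entry."""
    image = build_image([
        ("pic1", fake_jpeg(b"one"), "live"),
        ("pic2", fake_jpeg(b"two", embedded_thumb=True), "live"),
        ("del3", fake_jpeg(b"three"), "deleted"),
        ("trim4", fake_jpeg(b"four"), "trimmed"),
        ("orph5", fake_jpeg(b"five"), "orphan"),
    ])
    return {
        "directory": recover_via_directory(image),               # ['pic1', 'pic2', 'del3']
        "carved": len(carve_jpegs(image)),                       # 5 (pic2 counted twice)
        "carved_no_embedded": len(carve_jpegs(image, False)),    # 4
    }
```

The trimmed file is lost to both routes, which is the SSD effect; the orphan is found only by carving, and the embedded preview inflates the carver's count.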

It must be noted that the burden of proof (digital evidence) lies on the EXPERT WITNESS. It will not be an easy ‘journey’.

Usually, in iPhone or mobile phones forensics you need a few tools [1] to process it. There is no one dedicated tool that could do everything.

I would like to remind you again that the ability to understand the whole technology and forensic process (the principle of never changing a single bit) is compulsory. If that is too complex, the least that you must do is to master the file system, container, format (example below), timestamps and carving.

Whatever it is, I pity the honorable judges for them to understand all these intricacies.

[1] G. Grispos, T. Storer and W. B. Glisson. “A comparison of forensic evidence recovery techniques for a windows mobile smart phone.” The Journal of Digital Investigation, pp. 23-36, 2011.

P.S. Additional info on iPhone and iPhone forensics.

iPhone Forensics Book

Mobile Phone Based Cases

Smart Phone Forensics: Strip 'em all!

Tuesday, 12 June 2012

My PhD Research: An Analytical Framework for Digital CCTV Forensic Data Recovery

For your info, my thesis title is “An Analytical Framework for Digital CCTV Forensic Data Recovery”. This research outcome could be used in Malaysia and/or in other countries.

Not only the governments but also the households are deploying CCTVs. Therefore, there is a need for a framework to process the CCTV DVR in a case investigation.

Below is the brief abstract.

"The digital forensics process typically involves identification, preservation, analysis and presentation of evidence. Expertise in data recovery is an essential part of the digital forensics process.

Difficulties arise with the digital video recorder (DVR) of a closed-circuit television (CCTV) system because the manufacturers have generally developed customized and proprietary systems, making data recovery attempts by digital forensics practitioners almost impossible. It is pertinent to delve into the data recovery techniques of digital CCTV systems for the advancement of the digital forensics discipline.

Hypothetically, this undertaking is achievable through forensic analysis of the video stream attributes. The contribution of this research is to develop a specialized technique and a proof-of-concept tool that is “forensically sound” to carve the video file of digital CCTV systems based on selected timestamp. This sort of reference is lacking and essentially required by the digital forensics practitioners and law enforcement agencies for their best practice guidelines."

I’ve mentioned briefly on this research in my paper “Digital Forensics Institute in Malaysia: The way forward” to be published by Digital Evidence and Electronic Signature Law Review (in progress). I’m hoping to write more this year.

Besides the framework, I’ll also develop a tool to ease the analysis, because the amount of data will typically be in the range of 500 GByte – 1 TByte.

Some surveys will be conducted with my colleagues from the Royal Malaysia Police or perhaps my friends from Australia’s police.

Saturday, 2 June 2012

Digital Forensics in Malaysia

If you wonder what’s going on in Malaysia regarding Digital Forensics, there is a publication on it [1]. The paper was written in 2008, when digital forensics was a big ‘phenomenon’ in Malaysia.

Basically, it covered the legal framework and digital forensics operation in Malaysia.

Personally, I think this paper is important as to inform people around the world on Malaysia’s experience in this field.

When I lectured in Australia or in the UK, some of them were unaware that Malaysia has digital forensics capabilities.

In fact, for your information, we had assisted the Maldives police on one of their cases.

Well, this is not to say who is good or who is bad, this notion never came across in my heart.

But most important is for us to work together to fight against cybercrimes. They are well coordinated and working together as one.

As a sequel or continuation, I’ve written another paper this year, 2012, that analyses the cyber crimes and cyber related crimes, the challenges, operation strategies, research initiatives, achievements and lastly the proposal of a Digital Forensics Institute in Malaysia as the way forward.

This paper will be the ‘blueprint’ for my research efforts in years to come.

More technical papers will ensue based on it.

But, time is really against me.

A chat with Y.B. Senator Tan Sri Dr. Koh Tsu Koon (Minister in the Prime Minister Office) on Digital Forensics in Malaysia.

[1] Aswami Fadillah Mohd Ariffin and Izwan Iskandar Ishak, ‘Digital Forensics in Malaysia’, Digital Evidence and Electronic Signature Law Review 5 (2008), 161-165.

Below are some of the photos taken during VVIPs visit to Digital Forensics Department booth. It was on the day of CyberSecurity Malaysia launching by the Prime Minister, YAB Dato' Seri Abdullah Bin Haji Ahmad Badawi, 20 August 2007.

The PM was gesturing something, watched by Y.B. Dato' Sri Dr. Ir. Jamaluddin Mohd. Jarjis and my CEO, Y.Bhg. Dato' Husin Jazri.

Y.B. Dato' Seri Kong Cho Ha (Transport Minister) was briefed on Digital Forensics in Malaysia. My CEO, Y.Bhg. Dato' Husin Jazri was next to him.

Y.Bhg. Tan Sri Abdul Halim Ali, Chairman of Multimedia Development Corporation (MDeC), was briefed on Digital Forensics in Malaysia. My COO, Encik Zahri Yunos, was next to him.

Sunday, 27 May 2012

Digital Forensics: Is it a science, engineering or an art?

This is another weekend reading for you, though not for leisure. It might spoil your weekend, because those who bother might want to think and think about this topic.

As for me, this is important and highly important for those who want to do research in digital forensics.

So, how are we going to conduct a research if the description of digital forensics is still vague?

I don’t know if you have read this paper, “A Comparative Study of Forensic Science and Computer Forensics” [1]. This paper creates the interest to ‘investigate’ more on digital forensics itself, but it is not conclusive (there is future work).

Another one is this,

And according to Wikipedia, scientific method refers to a body of techniques for investigating phenomena, acquiring new knowledge or correcting and integrating previous knowledge. To be termed scientific, a method of inquiry must be based on gathering empirical and measurable evidence subject to specific principles of reasoning.

If you read the second part of the Wikipedia definition, you might be relieved, but some people might create another issue or question it again (just to be polite here, not assertive).

There is another paper that I read, "A comparison of forensic evidence recovery techniques for a windows mobile smart phone" [2]. This is another informative and good reference paper for the practitioner and also researcher.

Well, if you are entangled or overzealous about whether digital forensics is a science or not, then you might question everyone’s papers, e.g. [2]. But to me [2] is very important. There is a lot of ‘knowledge’ in it.

My Mac Book Pro Dictionary says:
Science - the intellectual and practical activity encompassing the systematic study of the structure and behavior of the physical and natural world through observation and experiment.

Hence, isn’t digital forensics a science?

Is digital forensics ever going to be technologically engineered? The tools! Or merely reverse engineering?

The word forensic already means science! What the fuss?

Or is it an art (there are so many ways of doing it)?

It seems that digital forensics is a science, engineering and…an ART.

The keyword is empirical.

What say you?

P.S: Btw, I admire Leonardo da Vinci.
(1452–1519), Italian painter, scientist and engineer. His paintings are notable for their use of the technique of sfumato and include The Virgin of the Rocks (1483–85), The Last Supper (1498) and the Mona Lisa (1504–05). He devoted himself to a wide range of other subjects, from anatomy and biology to mechanics and hydraulics: his 19 notebooks include studies of the human circulatory system and plans for a type of aircraft and a submarine.

[1] R. Hankins, T. Uehara, and J. Liu. “A Comparative Study of Forensic Science and Computer Forensics.” Third IEEE International Conference on Secure Software Integration and Reliability Improvement, 2009.
[2] G. Grispos, T. Storer, and W. B. Glisson. “A comparison of forensic evidence recovery techniques for a windows mobile smart phone.” The Journal of Digital Investigation, pp. 23-36, 2011.

Friday, 11 May 2012

Digital Forensics: Is it a reverse engineering?

A few days ago, I read a paper on Xbox 360 forensics [1]. Personally, I think it was a good paper, not just because it was published in The Journal of Digital Investigation, but most importantly as a practitioner reference.

Well, part of my job is to read. Learn and unlearn something. It is worthy and interesting.

As a researcher, if I don’t like reading, then I have to find another job. For me, I could just go back and do some electronics stuff or SCADA design or programming or hacking (hahaha). The pay as an engineer is not bad either. They design things aka products.

For a scientist, discovery is their work. A systematic study…to solve a particular problem…hypothesis…testing/experiment…result and bang! SOLUTION.

So, how do you refer to a person with two specialized backgrounds (to digress a bit from the main topic)?

Digital Forensics Engineer or Computer Forensics Scientist and the funny thing is, some may want to be referred as Principal Specialist…CTO and bla…bla…bla…

It doesn’t really matter to me because money/pay/business is more important. Isn’t it (just joking)?

Whatever it is, the biggest question is on the above title.

Is digital forensics a reverse engineering?

The majority of the literature, if you refer to it, gives the impression that digital forensics is reverse engineering. If not, the paper will be something theoretical, mathematical and with a limited dataset (just wondering if it will be useful to the practitioner), e.g. mobile phone forensics.

What is the new knowledge? New methods? Framework? Practical? How to?

Some may say “clever skullduggery!” You must be kidding!

Nonetheless, most of the literature is helpful for the practitioner (maybe the authors were practitioners).

Some may even argue whether digital forensics is a science at all.

Engineer vs scientist!

Practitioner vs researcher! or

Student vs supervisor!
This situation is even worse. The supervisor might not be an expert in digital forensics and unsure about its research. I’m not trying to offend anybody here but this is a reality.

The least that a supervisor could do is to assist on how to conduct a proper research. Learn together and not act like a “boss”. My Prof did that. Awesome!

I promise you…the student would eventually provide the supervisor with some knowledge. It will not be a waste. I’ve done it. I treat my students just like my buddies. If not, the students are in a blunder! God bless them.

Another case is… Author vs reviewer!
Newbies being bullied by the so-called “seasoned researcher.” When I review a paper, I put myself in the author’s place; if it is not up to standard, I try to assist the author and give suggestions on how to improve it. Not empty rejections. Don’t insult their work. Be like a dad who advises his son.

I guess all these questions are debatable. Just like the politicians during an election, condemning one another. Who loses? The people!

In this matter, the clear winner is the cyber criminal! Wake up dudes!

P.S: I copied the pic from my student’s Facebook.

[1] K. Xynos, S. Harries, I. Sutherland, G. Davies and A. Blyth. “Xbox 360: A digital forensic investigation of the hard disk drive.” The Journal of Digital Investigation, pp. 104-111, 2010.