Digital Forensics in Small Devices: RFID Tag Investigation

More documents

Recommendations

Info

xiv List of Figures Figure 2.1 Block diagram of typical RFID system .......................................................... 11 Figure 2.2 How does RFID work? ................................................................................... 11 Figure 2.3 RFID Tags ...................................................................................................... 12 Figure 2.4 Basic Components of RFID Tag .................................................................... 12 Figure 2.5 Handheld RFID reader ................................................................................... 15 Figure 2.6 RFID reader structure ..................................................................................... 16 Figure 2.7 EPCglobal Standards Overview ..................................................................... 18 Figure 2.8 The Data Protocol standards of ISO/IEC 15961,ISO/IEC 15962 and the Air Interface standards of ISO/IEC 18000 ........................................................... 20 Figure 2.9 RFID technology standards and frequency bands .......................................... 21 Figure 2.10 Memory layout of EPC Gen 2 Tag ............................................................... 23 Figure 2.11 Data transfer techniques between RFID Tad and Reader ............................. 24 Figure 2.12 Enterprise sub-system in RFID system architecture ..................................... 26 Figure 2.13 Information Functions of RFID Middleware Software ................................ 27 Figure 2.14 Classification of RFID Threats ..................................................................... 33 Figure 2.15 Business System RFID Security Risks ......................................................... 34 Figure 3.1: RFID Malware Test Platform ........................................................................ 39 Figure 3.2: Scenario 1 illustration .................................................................................... 42 Figure 3.3: Scenario 2 illustration .................................................................................... 43 Figure 3.4: SQL Server forensic methodology ................................................................ 45 Figure 3.5: Model of Computer Live Forensics Based on Physical Memory Analysis .... 51 Figure 3.6: Digital Forensics Investigation Fundamentals .............................................. 53 Figure 3.7: Process flow between the roles in digital forensics investigation ................. 55 Figure 3.8: Research Phases ............................................................................................ 65 Figure 3.9: Data Map ....................................................................................................... 68 Figure 3.10: The Business System Entity Composition .................................................. 69 Figure 3.11: Test-Station Setup ....................................................................................... 70 Figure 3.12: An Example of Using the Trusted md5deep Hashing Algorithm for Preservation ............................................................................................ 75 Figure 4.1: Error encountered during the tag was read by RIFD scanner ........................ 84 Figure 4.2: Error encountered during Tripwire for Servers set up ................................... 84
Figure 4.3: Error encountered during Tripwire baseline integrity checking software ..... 84 Figure 4.4: Only 62 Bytes of on-tag data can be read by the scanner ............................. 85 Figure 4.5: Error during wiping the USB flash drive ...................................................... 86 Figure 4.6: Error during wiping the USB flash drive ...................................................... 86 Figure 4.7: Connection to the backend server for data collection ................................... 86 Figure 4.8: Problem running WFT from xv Helix_RFID_IR toolkit during pilot test ........................................................ 87 Figure 4.9: Pilot data acquisition was unsuccessful due to unmatched hash value in Wftsql.cfg file ................................................................................................ 87 Figure 4.10: Error when running WFT batch file ............................................................ 87 Figure 4.11: The version of the FTK Imager ................................................................... 88 Figure 4.12: Helix_RFID_IR tool in action on the compromised machine ..................... 89 Figure 4.13: Live memory acquisition of RAM in action ................................................ 89 Figure 4.14: Hashing reader’s memory log by using md5deep ....................................... 90 Figure 4.15: Memory log from RFID reader was saved on the collection drive ............. 90 Figure 4.16: Connection to the SQL Server instance ....................................................... 91 Figure 4.17: Running the SQL Server IR scripts from the Extended WFT ..................... 92 Figure 4.18: SQL Server Version of the Victim’s System from the Result of SSFA_DbSrvInfo.sql .................................................................................. 93 Figure 4.19: Acquired Evidence of Victim’s Server Configurations ............................... 93 Figure 4.20: Connection to the Victim’s Server for ad hoc data acquisition ................... 94 Figure 4.21: Database Console Commands (DBCC) loginfo command results .............. 95 Figure 4.22: Fragment of active VLF data from transaction log ..................................... 96 Figure 4.23: Fragment of Ring Buffer data results from sys.dm_os_ring_buffers .......... 97 Figure 4.24: Ring Buffer security error results from sys.dm_os_ring_buffers ................ 98 Figure 4.25: Authentication mode used by the backend database server ........................ 99 Figure 4.26: Locations of the authorization data ............................................................. 99 Figure 4.27: Acquired evidence of server level authorization data by using sys.server_permissions ............................................................................... 100 Figure 4.28: Acquired evidence of server principals information by using sys.server_principals ................................................................................. 101 Figure 4.29: Acquired evidence of server role membership information ...................... 102 Figure 4.30: Fragment of acquired backend server database user permissions ............. 103
Page 1 and 2: Digital Forensics in Small Devices:
Page 3 and 4: iii Acknowledgements This thesis wa
Page 5 and 6: v Abstract Read/Write Radio Frequen
Page 7 and 8: vii Table of Contents (Volume 1) De
Page 9 and 10: ix 3.2.2.2 The POS Entity Security
Page 11 and 12: xi 4.3.4 Analysis of the Physical D
Page 13: xiii List of Tables Table 2.1 Chara
Page 17 and 18: xvii Figure 4.53: Acquisitions of a
Page 19 and 20: LF Low Frequency xix LLRP Low Level
Page 21 and 22: process (see Chalasani, Boppana, &
Page 23 and 24: of potential evidence after an even
Page 25 and 26: investigation. Likewise, all the re
Page 27 and 28: practices concerned with the forens
Page 29 and 30: defines different types of malware
Page 31 and 32: 2.1.1 RFID Transponders or Tags The
Page 33 and 34: Table 2.1: Characteristics and Clas
Page 35 and 36: Moreover, depending on the complexi
Page 37 and 38: However, according to EPCglobal (El
Page 39 and 40: According to Harmon (2006, pp. 45-4
Page 41 and 42: 2.2.1 Memory Technologies for RFID
Page 43 and 44: y the reader as the tag‟s address
Page 45 and 46: wavelength long and depends on the
Page 47 and 48: Karygiannis et al., (2007, pp. 2-15
Page 49 and 50: attacker can perform eavesdropping
Page 51 and 52: 2.5 RFID STOCK MANAGEMENT SECURITY
Page 53 and 54: Figure 2.15: RFID Business System S
Page 55 and 56: 3.0 INTRODUCTION Chapter 3 - Resear
Page 57 and 58: etrieve data to an external data so
Page 59 and 60: firstly affect the back-end RFID mi
Page 61 and 62: Figure 3.2: Scenario 1 illustration
Page 63 and 64: Unlike SQL Server forensics, the tr
Page 65 and 66:
forensic workstation must be prepar
Page 67 and 68:
Then, the researcher verified the S
Page 69 and 70:
within the affected records”. In
Page 71 and 72:
can also be found not only in the d
Page 73 and 74:
Likewise, Relevancy is related to t
Page 75 and 76:
3.2 THE RESEARCH DESIGN In the prev
Page 77 and 78:
e investigated for evidence of the
Page 79 and 80:
3.2.2 Review of Problem Areas in RF
Page 81 and 82:
participants, the Information Syste
Page 83 and 84:
3.2.3 Case Study The researcher int
Page 85 and 86:
3.2.6 Research Question As stated i
Page 87 and 88:
3.2.8 Data Map Figure 3.9: Data Map
Page 89 and 90:
software (see Appendix 4) that can
Page 91 and 92:
and Deng (2007) illustrated two eff
Page 93 and 94:
system of the target machine (Jones
Page 95 and 96:
other collected evidence data by us
Page 97 and 98:
SQL Server artefacts (for the purpo
Page 99 and 100:
presence of digital evidence after
Page 101 and 102:
4.0 INTRODUCTION Chapter 4 - Resear
Page 103 and 104:
Figure 4.1: Error encountered durin
Page 105 and 106:
server (Figure 4.6) due to the user
Page 107 and 108:
Section 4.2 include the snippets of
Page 109 and 110:
4.2.2 Live Extraction of Binaries R
Page 111 and 112:
4.2.3.1 Automated Artefact Collecti
Page 113 and 114:
4.2.3.2 Ad Hoc Artefact Collection
Page 115 and 116:
4.2.3.3.1 Active VLF Data After gat
Page 117 and 118:
The acquisition result of ring buff
Page 119 and 120:
Depending on the version of the vic
Page 121 and 122:
syntax was used to acquire a server
Page 123 and 124:
:out E:\SystemDatabaseRoleMembers.t
Page 125 and 126:
However, according to Fowler (2009,
Page 127 and 128:
After collecting the table statisti
Page 129 and 130:
Thus, the result of the current tab
Page 131 and 132:
4.2.3.4.6 Data Page Allocation Arte
Page 133 and 134:
components of database were enabled
Page 135 and 136:
The record of shutting down the ser
Page 137 and 138:
“application logic and extend the
Page 139 and 140:
4.2.3.6.5 SQL Server Error Logs Usu
Page 141 and 142:
4.2.4 Physical Disk Drive Finally,
Page 143 and 144:
Figure 4.56: Analyzing the image co
Page 145 and 146:
could not. Hence, the artefacts cou
Page 147 and 148:
5.0 INTRODUCTION Chapter 5 - Resear
Page 149 and 150:
the laboratory to simulate a RFID t
Page 151 and 152:
and confirmed the database was obvi
Page 153 and 154:
SUMMARY: After analysing all the ac
Page 155 and 156:
all the collected digital evidence
Page 157 and 158:
Table 5.5: Secondary Research Quest
Page 159 and 160:
write blocker (Tableau Forensic USB
Page 161 and 162:
collected digital evidence files (b
Page 163 and 164:
5.2.3 Discussion of Conducted Attac
Page 165 and 166:
forensic work-station (Appendix 10)
Page 167 and 168:
forensic test-station for the inves
Page 169 and 170:
the trusted forensic toolkits. In a
Page 171 and 172:
6.0 INTRODUCTION Chapter 6 - Conclu
Page 173 and 174:
Table 6.1: Specific forensic tools
Page 175 and 176:
the evidential data are the importa
Page 177 and 178:
(Chapter 5; Section 5.3) for both d
Page 179 and 180:
Bolan, C. (2007). A single channel
Page 181 and 182:
El-Said, M. M., & Woodring, I. (200
Page 183 and 184:
Hunt, V. D., Puglia, A., & Puglia,
Page 185 and 186:
Kou, D., Zhao, K., Tao, Y., & Kou,
Page 187 and 188:
Notes in Computer Science 5379(2009
Page 189 and 190:
Tripwire, Inc. (2010a). Tripwire Ma
Page 191 and 192:
Digital Forensics in Small Devices:
Page 193 and 194:
Appendix 1: Volatile and Non-volati
Page 195 and 196:
3 Activity Endpoints* ● md5deep N
Page 197 and 198:
Appendix 2: Steps for Creating Radi
Page 199 and 200:
14. Gather the latest versions of W
Page 201 and 202:
The following is the detail record
Page 203 and 204:
COMPLETE 'Logins.txt' (md5=A2993744
Page 205 and 206:
(md5=A2993744A56BA83ADE52948062C968
Page 207 and 208:
'Schemas.htm' (md5=30BB65A20F1381D7
Page 209 and 210:
22:02:26: Hashing 'wft_cfg.txt' (md
Page 211 and 212:
Record any checksum(s) below to lat
Page 213 and 214:
22. Although the extended version o
Page 215 and 216:
Appendix 3: Source Code of the Deve
Page 217 and 218:
{ } else { MessageBox.Show("No read
Page 219 and 220:
} } btnConnect.Enabled = true; btnD
Page 221 and 222:
MessageBox.Show(this, "Connection t
Page 223 and 224:
} } } dwNumEntries = usbRFID.GetNum
Page 225 and 226:
add it to the list box LogItem.szID
Page 227 and 228:
if(fdialog.FileName != "") { FileSt
Page 229 and 230:
private string constr = @"Data Sour
Page 231 and 232:
} } else { } catch (Exception ex) {
Page 233 and 234:
} } } } insertTagtoDB(TagID, TagVal
Page 235 and 236:
} break; case ("Protection"): { uiB
Page 237 and 238:
} } } //this.Cursor = Cursors.Defau
Page 239 and 240:
} } btnReadTag.Enabled = false; tmr
Page 241 and 242:
private void insertTagtoDB(string T
Page 243 and 244:
} } } private void btnLOGload_Click
Page 245 and 246:
Step 4: Then, the Tripwire will per
Page 247 and 248:
Similarly, Tripwire user account sh
Page 249 and 250:
Figure A5.5: Installation of the Tr
Page 251 and 252:
Appendix 6: An Example of the Condu
Page 253 and 254:
Sync” allowing the users to confi
Page 255 and 256:
Figure A6.8: RFID Sync Application
Page 257 and 258:
Figure A6.10: Screenshot of writing
Page 259 and 260:
Step 3: Configure the reader’s Ta
Page 261 and 262:
Step 8: Edit the Tripwire configura
Page 263 and 264:
Step 12: Record of the fictitious l
Page 265 and 266:
Step 16: Similarly, check whether t
Page 267 and 268:
Step 20: Check the primary database
Page 269 and 270:
Appendix 7: Steps taken before the
Page 271 and 272:
insert into rfid_log ( Tag, User_da
Page 273 and 274:
Figure A7.3: Pre-keyed data in the
Page 275 and 276:
Figure A7.7: Pre-keyed data in the
Page 277 and 278:
Figure A7.11: Screenshot of Tripwir
Page 279 and 280:
Step 10: Once Tripwire database was
Page 281 and 282:
Appendix 8: Steps taken after the S
Page 283 and 284:
Step 3: The integrity check was ini
Page 285 and 286:
Figure A8.8: Screenshot of the Trip
Page 287 and 288:
Figure A8.12: Screenshot of the bac
Page 289 and 290:
Figure A9.3: Network Interface Card
Page 291 and 292:
Figure A9.7: Enterprise Version of
Page 293 and 294:
Appendix 10: Screenshots of Forensi
Page 295 and 296:
Appendix 11: Forensically Sterilizi
Page 297 and 298:
Figure A11. 4: Wiping all the secto
Page 299 and 300:
Appendix 12: Steps for Copying and
Page 301 and 302:
Figure A12.6: Acquiring the forensi
Page 303 and 304:
12. However, the acquisition was ca
Page 305 and 306:
15. Then, the original evidence dri
Page 307 and 308:
18. Then, a bad signature file was
Page 309 and 310:
Appendix 13: Artefacts Collected by
Page 311 and 312:
Figure A13.5: Acquired backend SQL
Page 313 and 314:
SQL SERVER - DATABASE SERVER INFORM
Page 315 and 316:
Figure A13.15: Fragment of the acqu
Page 317 and 318:
Figure A13.18: Result of the Acquir
Page 319 and 320:
Figure A13.23: Result of the Acquir
Page 321 and 322:
72CBADAE0A1F9FF34D4A35A9AB26BDB8 Au
Page 323 and 324:
2428169B31C96FE4A767215000AA0008 in
Page 325 and 326:
Appendix 15: WFT Tool Log during th
Page 327 and 328:
06:31:36: Verifying 'sql\runsql.bat
Page 329 and 330:
(md5=A7A43C52521F85BDD6683D9E0E4A00
Page 331 and 332:
(md5=AB700D66945BBC9FBFA34002A808A2
Page 333 and 334:
[DB Configuration] (md5=F416BF7233E
Page 335 and 336:
(md5=FEDD1E9DF1B76C877B8027B62E401B
Page 337 and 338:
06:32:21: Verifying 'xp\mem.exe' OK
Page 339 and 340:
06:32:22: Verifying 'sysinternals\p
Page 341 and 342:
'uptime.htm' (md5=B7456D103CBF5E49F
Page 343 and 344:
'netlgrp.txt' (md5=E6D74D46AECD9692
Page 345 and 346:
06:32:26: Verifying 'cygwin\cygwin1
Page 347 and 348:
'cmdline.txt' (md5=B44C85C704337F00
Page 349 and 350:
06:32:32: Verifying 'netlatency\ser
Page 351 and 352:
06:32:35: Verifying 'diamondcs\ipli
Page 353 and 354:
(md5=BB5127D25439D1B50A305B1CF865FE
Page 355 and 356:
(md5=647578D95B7F3B11B6CCF833E29670
Page 357 and 358:
06:32:41: Verifying 'perl\re.dll' O
Page 359 and 360:
(md5=C4DA0F6D85F641B3E5A0F065AEDB27
Page 361 and 362:
06:33:15: Verifying '2k\res_kit\dum
Page 363 and 364:
[FILE SYSTEM] (md5=E9D558E387FC2208
Page 365 and 366:
06:33:19: Running 'tools\xp\cmd.exe
Page 367 and 368:
06:33:20: Verifying 'tools\xp\cmd.e
Page 369 and 370:
'sys_ini.txt' (md5=B143A6852C9EF93E
Page 371 and 372:
06:33:22: Running 'xp\at.exe' [#132
Page 373 and 374:
06:33:24: Verifying 'microsoft\reg.
Page 375 and 376:
(md5=4380D8F2014A5C35BF59DF30D079F0
Page 377 and 378:
06:34:09: Running 'xp\gpresult.exe'
Page 379 and 380:
06:34:15: Verifying 'microsoft\regd
Page 381 and 382:
06:34:16: Running 'microsoft\reg.ex
Page 383 and 384:
[DONE] SKIPPED (via '-nowrite' para
Page 385 and 386:
'mail.gif' (md5=38477E98FB3ED60B829
Page 387 and 388:
Step 3: The SQL poisoning attack wa
Page 389 and 390:
Appendix 17: Live Acquisition of Ph
Page 391 and 392:
The problem issue was clearly state
Page 393 and 394:
Figure A17.9: Evidence item informa
Page 395 and 396:
Figure A17.13: Successful creation
Page 397 and 398:
Physical Drive Acquisition Report b
Page 399 and 400:
Figure A18.2: Screenshot of the Acq
Page 401 and 402:
Figure A18.4: Screenshots of the Ac
Page 403 and 404:
Figure A19.2b: Screenshot of the In
Page 405 and 406:
Figure A19.5: Screenshot of the lau
Page 407 and 408:
Figure A19.10: Choosing the OS path
Page 409 and 410:
Figure A19.16: Avoiding the tools t
Page 411 and 412:
Figure A19.21a: WFT tool in action
Page 413 and 414:
Figure A19.22b: The acquisition of
Page 415 and 416:
Appendix 20: Extended wftSQL Batchf
Page 417 and 418:
SET /P USERQUESTION=Use currently l
Page 419 and 420:
Appendix 21_Screenshots of Hashing
Page 421 and 422:
Appendix 22: Hash Values Comparison
Page 423 and 424:
DBO_RFIDlog_tblStat_Date.txt Text 4
Page 425 and 426:
IDE_Image.E06 EnCase Image eaa9522a
Page 427 and 428:
Endpoints.htm Web Page d23eef6404ca
Page 429 and 430:
PSLIST.HTM Web Page 79dbea76b982972
Page 431 and 432:
IPXROUTE.HTM Web Page 97d4e1dd9621b
Page 433 and 434:
PSFILE.HTM Web Page d6d58ad5914ef24
Page 435 and 436:
HKLM_RS.HTM Web Page f756a379df8579
Page 437 and 438:
MDM.HTM Web Page a5e04ce095305295ae
Page 439 and 440:
WFT_CFG.TXT Text 1d378b80f8e0e7ea4f
Page 441 and 442:
PCLIP.TXT Text 037130bf88e524d8f61a
Page 443 and 444:
TLIST_V.TXT Text cdf2d49e302522e370
Page 445 and 446:
HUNT.TXT Text 99553ccd8e14cae6db789
Page 447 and 448:
C_hidden.txt Text 5f45b5367c7ed8852
Page 449 and 450:
HKCU_R.TXT Text 9e7b99199b2931e811a
Page 451 and 452:
ARKAR_US.B BASIC Source Code .E01 e
Page 453 and 454:
CollationAndDataType.txt Text 37a07
Page 455 and 456:
RFID_test.md5 45c0868ea943c2171ff35
Page 457 and 458:
errorlog_4.md5 3f7f86d69760b535bd82
Page 459 and 460:
Appendix 23: Analysis of Acquired S
Page 461 and 462:
2010-10-25 12:37:05.56 Server Serve
Page 463 and 464:
2010-10-05 01:22:55.53 Server Detec
Page 465 and 466:
2010-10-07 15:20:54.21 Server Serve
Page 467 and 468:
2010-10-25 12:17:39.26 Server Serve
Page 469 and 470:
2010-10-03 00:59:55.96 Server Dedic
Page 471 and 472:
2010-10-02 00:11:57.85 Server -d C:
Page 473 and 474:
2010-10-02 02:40:05.35 Server SQL S
Page 475 and 476:
2010-10-01 23:20:15.28 Server Dedic
Page 477 and 478:
2010-10-01 23:14:19.50 Server Using
Page 479 and 480:
2010-10-01 23:20:12.40 Server The S
Page 481 and 482:
2010-10-01 23:12:03.65 spid4s Recov
Page 483 and 484:
processed. Likewise, the acquired r
Page 485:
Figure 24A.3: There is no record in
show all

Digital Forensics in Small Devices: RFID Tag Investigation

Create successful ePaper yourself

Delete template?

Save as template?