Digital Forensics in Small Devices: RFID Tag Investigation

More documents

Recommendations

Info

accessed. The challenge was to follow correct process in extraction and then to conduct an analysis that would locate the attack event amongst the potential of many transaction occurrences. In the laboratory simulation the POS had a hard drive and also a RAM chip, and dumped complete records into the SQL Server on demand. Two data bases (RFID_test.mdf & RFID_test_log.ldf) had been created prior to the simulation to hold the authentic SI records and also to record each transaction (Section 3.3.1). The scanner stored 1Mb of log evidence that recorded transactions line by line (ID & Time Stamp). When the buffer was full then the algorithm started again at line one rewriting each record in the Scanner memory. The evidence acquisitions (Section 3.3.4) were achieved by taking each element of the SI, POS and BIS and then write blocking each extraction (this included using ddcfldd for hashing and acquiring SQL Server data). Helix_RFID_IR tool was taken from the Incident Response Took Kit and customised so that other tools could also be used securely within the extraction framework. This included WinEn for RAM extraction and RFID code extraction. The physical hard drive of the POS was imaged using FTK Imager (Disk Jockey Pro was available as a backup if any problems occurred), and the SQL Server data were acquired by using Windows Forensic Tool Chest (WFT) and ad hoc acquisition methods. Hence, the laboratory context simplified the extraction of evidence phase. In addition, the further investigation of the business system by interviewing the human participants and reviewing CCTV footage was not relevant (Chapter 3; Section 3.4). In the Business context, the evidence extracted from the server logs and the POS and scanner logs (if available) could be utilised to speed the search of CCTV frames. The dates and time that are located in the logs can be matched against frames of visual surveillance and witness statements. 5.2.5 Discussions of Analysis and Presentation The analysis (Section 4.3) of forensic image copy focused on each artefact extracted from the three entities of the simulated BIS and the sub-systems identified in Table 2.5 (Chapter 2; Section 2.3). Prior to performing the forensic analysis, the acquired evidence data were forensically copied on the forensic work-station (see Appendix 12). EnCase forensic software installed on the 145
forensic work-station (Appendix 10) was used as a main forensic analysis tool during the investigation. Initially a visual scan of the Master Server Log was made to quickly identify where SI values had been changed. For instance, it was quick to find out the malicious traces in entries all SIs values of $600 in the acquired current table of RFID_test.mdf database (see Figure 4.37 in Section 4.2.3.4.4). Likewise the fake tag ID, malicious SQL poisoning code and the time stamp were also easily identified (see Figure 4.41 in Section 4.2.3.4.4). Moreover, the acquisition results of current table data of log file - RFID_test_log.ldf (see Figure 4.41) showed the significant evidence of the attack in which the malicious SQL poisoning code was found and the SI (Tag IDs starting with E004) were updated to the values $600 at 06:39:48pm on the 12 October 2010. At this point in the analysis enough evidence had been discovered so that the analysis of the RAM, Tag and Scanner would be for verification and exception evidence. Then, the fake tag ID was used as a keyword to look for the malicious transaction in the image copy of scanner memory and POS RAM (Section 4.3.1 and Section 4.3.2 respectively) when analysing with EnCase. The significant evidence such as malicious tag ID, time stamp, and SQL poisoning code were also discovered. However, in a real business search; the technique to query the transaction logs in the Master Server Log would have been more complex and time consuming. Such a search can be bench marked from stock controls and the legitimate time stamps of value alterations. The time stamp identified was then used as a keyword search in the other images. In a real search the existence of evidence in these subsystems would be a bonus given the volatile state. Nevertheless, in the simulation experiment; the evidence was present in each of the subsystems and it was searched for time stamp and ID strings. The Tag also contained the malicious code that can be signature matched for identification of potential sources. As stated in Section 3.3.5, the comparison of the MD5 hash values before and after the analysis (in order to find out whether the evidence has been modified during analysis and acquisition) was performed as part of preservation. The MD5 hash values were the same as before and after analysis. Thus, the evidence files are not tempered during the analysis phase and the integrity is still intact. However, in the real world investigation; the limitations (Section 3.4) such as interviewing human participants, securing and transporting the acquired evidence 146
Page 1 and 2:
Digital Forensics in Small Devices:
Page 3 and 4:
iii Acknowledgements This thesis wa
Page 5 and 6:
v Abstract Read/Write Radio Frequen
Page 7 and 8:
vii Table of Contents (Volume 1) De
Page 9 and 10:
ix 3.2.2.2 The POS Entity Security
Page 11 and 12:
xi 4.3.4 Analysis of the Physical D
Page 13 and 14:
xiii List of Tables Table 2.1 Chara
Page 15 and 16:
Figure 4.3: Error encountered durin
Page 17 and 18:
xvii Figure 4.53: Acquisitions of a
Page 19 and 20:
LF Low Frequency xix LLRP Low Level
Page 21 and 22:
process (see Chalasani, Boppana, &
Page 23 and 24:
of potential evidence after an even
Page 25 and 26:
investigation. Likewise, all the re
Page 27 and 28:
practices concerned with the forens
Page 29 and 30:
defines different types of malware
Page 31 and 32:
2.1.1 RFID Transponders or Tags The
Page 33 and 34:
Table 2.1: Characteristics and Clas
Page 35 and 36:
Moreover, depending on the complexi
Page 37 and 38:
However, according to EPCglobal (El
Page 39 and 40:
According to Harmon (2006, pp. 45-4
Page 41 and 42:
2.2.1 Memory Technologies for RFID
Page 43 and 44:
y the reader as the tag‟s address
Page 45 and 46:
wavelength long and depends on the
Page 47 and 48:
Karygiannis et al., (2007, pp. 2-15
Page 49 and 50:
attacker can perform eavesdropping
Page 51 and 52:
2.5 RFID STOCK MANAGEMENT SECURITY
Page 53 and 54:
Figure 2.15: RFID Business System S
Page 55 and 56:
3.0 INTRODUCTION Chapter 3 - Resear
Page 57 and 58:
etrieve data to an external data so
Page 59 and 60:
firstly affect the back-end RFID mi
Page 61 and 62:
Figure 3.2: Scenario 1 illustration
Page 63 and 64:
Unlike SQL Server forensics, the tr
Page 65 and 66:
forensic workstation must be prepar
Page 67 and 68:
Then, the researcher verified the S
Page 69 and 70:
within the affected records”. In
Page 71 and 72:
can also be found not only in the d
Page 73 and 74:
Likewise, Relevancy is related to t
Page 75 and 76:
3.2 THE RESEARCH DESIGN In the prev
Page 77 and 78:
e investigated for evidence of the
Page 79 and 80:
3.2.2 Review of Problem Areas in RF
Page 81 and 82:
participants, the Information Syste
Page 83 and 84:
3.2.3 Case Study The researcher int
Page 85 and 86:
3.2.6 Research Question As stated i
Page 87 and 88:
3.2.8 Data Map Figure 3.9: Data Map
Page 89 and 90:
software (see Appendix 4) that can
Page 91 and 92:
and Deng (2007) illustrated two eff
Page 93 and 94:
system of the target machine (Jones
Page 95 and 96:
other collected evidence data by us
Page 97 and 98:
SQL Server artefacts (for the purpo
Page 99 and 100:
presence of digital evidence after
Page 101 and 102:
4.0 INTRODUCTION Chapter 4 - Resear
Page 103 and 104:
Figure 4.1: Error encountered durin
Page 105 and 106:
server (Figure 4.6) due to the user
Page 107 and 108:
Section 4.2 include the snippets of
Page 109 and 110:
4.2.2 Live Extraction of Binaries R
Page 111 and 112:
4.2.3.1 Automated Artefact Collecti
Page 113 and 114: 4.2.3.2 Ad Hoc Artefact Collection
Page 115 and 116: 4.2.3.3.1 Active VLF Data After gat
Page 117 and 118: The acquisition result of ring buff
Page 119 and 120: Depending on the version of the vic
Page 121 and 122: syntax was used to acquire a server
Page 123 and 124: :out E:\SystemDatabaseRoleMembers.t
Page 125 and 126: However, according to Fowler (2009,
Page 127 and 128: After collecting the table statisti
Page 129 and 130: Thus, the result of the current tab
Page 131 and 132: 4.2.3.4.6 Data Page Allocation Arte
Page 133 and 134: components of database were enabled
Page 135 and 136: The record of shutting down the ser
Page 137 and 138: “application logic and extend the
Page 139 and 140: 4.2.3.6.5 SQL Server Error Logs Usu
Page 141 and 142: 4.2.4 Physical Disk Drive Finally,
Page 143 and 144: Figure 4.56: Analyzing the image co
Page 145 and 146: could not. Hence, the artefacts cou
Page 147 and 148: 5.0 INTRODUCTION Chapter 5 - Resear
Page 149 and 150: the laboratory to simulate a RFID t
Page 151 and 152: and confirmed the database was obvi
Page 153 and 154: SUMMARY: After analysing all the ac
Page 155 and 156: all the collected digital evidence
Page 157 and 158: Table 5.5: Secondary Research Quest
Page 159 and 160: write blocker (Tableau Forensic USB
Page 161 and 162: collected digital evidence files (b
Page 163: 5.2.3 Discussion of Conducted Attac
Page 167 and 168: forensic test-station for the inves
Page 169 and 170: the trusted forensic toolkits. In a
Page 171 and 172: 6.0 INTRODUCTION Chapter 6 - Conclu
Page 173 and 174: Table 6.1: Specific forensic tools
Page 175 and 176: the evidential data are the importa
Page 177 and 178: (Chapter 5; Section 5.3) for both d
Page 179 and 180: Bolan, C. (2007). A single channel
Page 181 and 182: El-Said, M. M., & Woodring, I. (200
Page 183 and 184: Hunt, V. D., Puglia, A., & Puglia,
Page 185 and 186: Kou, D., Zhao, K., Tao, Y., & Kou,
Page 187 and 188: Notes in Computer Science 5379(2009
Page 189 and 190: Tripwire, Inc. (2010a). Tripwire Ma
Page 191 and 192: Digital Forensics in Small Devices:
Page 193 and 194: Appendix 1: Volatile and Non-volati
Page 195 and 196: 3 Activity Endpoints* ● md5deep N
Page 197 and 198: Appendix 2: Steps for Creating Radi
Page 199 and 200: 14. Gather the latest versions of W
Page 201 and 202: The following is the detail record
Page 203 and 204: COMPLETE 'Logins.txt' (md5=A2993744
Page 205 and 206: (md5=A2993744A56BA83ADE52948062C968
Page 207 and 208: 'Schemas.htm' (md5=30BB65A20F1381D7
Page 209 and 210: 22:02:26: Hashing 'wft_cfg.txt' (md
Page 211 and 212: Record any checksum(s) below to lat
Page 213 and 214: 22. Although the extended version o
Page 215 and 216:
Appendix 3: Source Code of the Deve
Page 217 and 218:
{ } else { MessageBox.Show("No read
Page 219 and 220:
} } btnConnect.Enabled = true; btnD
Page 221 and 222:
MessageBox.Show(this, "Connection t
Page 223 and 224:
} } } dwNumEntries = usbRFID.GetNum
Page 225 and 226:
add it to the list box LogItem.szID
Page 227 and 228:
if(fdialog.FileName != "") { FileSt
Page 229 and 230:
private string constr = @"Data Sour
Page 231 and 232:
} } else { } catch (Exception ex) {
Page 233 and 234:
} } } } insertTagtoDB(TagID, TagVal
Page 235 and 236:
} break; case ("Protection"): { uiB
Page 237 and 238:
} } } //this.Cursor = Cursors.Defau
Page 239 and 240:
} } btnReadTag.Enabled = false; tmr
Page 241 and 242:
private void insertTagtoDB(string T
Page 243 and 244:
} } } private void btnLOGload_Click
Page 245 and 246:
Step 4: Then, the Tripwire will per
Page 247 and 248:
Similarly, Tripwire user account sh
Page 249 and 250:
Figure A5.5: Installation of the Tr
Page 251 and 252:
Appendix 6: An Example of the Condu
Page 253 and 254:
Sync” allowing the users to confi
Page 255 and 256:
Figure A6.8: RFID Sync Application
Page 257 and 258:
Figure A6.10: Screenshot of writing
Page 259 and 260:
Step 3: Configure the reader’s Ta
Page 261 and 262:
Step 8: Edit the Tripwire configura
Page 263 and 264:
Step 12: Record of the fictitious l
Page 265 and 266:
Step 16: Similarly, check whether t
Page 267 and 268:
Step 20: Check the primary database
Page 269 and 270:
Appendix 7: Steps taken before the
Page 271 and 272:
insert into rfid_log ( Tag, User_da
Page 273 and 274:
Figure A7.3: Pre-keyed data in the
Page 275 and 276:
Figure A7.7: Pre-keyed data in the
Page 277 and 278:
Figure A7.11: Screenshot of Tripwir
Page 279 and 280:
Step 10: Once Tripwire database was
Page 281 and 282:
Appendix 8: Steps taken after the S
Page 283 and 284:
Step 3: The integrity check was ini
Page 285 and 286:
Figure A8.8: Screenshot of the Trip
Page 287 and 288:
Figure A8.12: Screenshot of the bac
Page 289 and 290:
Figure A9.3: Network Interface Card
Page 291 and 292:
Figure A9.7: Enterprise Version of
Page 293 and 294:
Appendix 10: Screenshots of Forensi
Page 295 and 296:
Appendix 11: Forensically Sterilizi
Page 297 and 298:
Figure A11. 4: Wiping all the secto
Page 299 and 300:
Appendix 12: Steps for Copying and
Page 301 and 302:
Figure A12.6: Acquiring the forensi
Page 303 and 304:
12. However, the acquisition was ca
Page 305 and 306:
15. Then, the original evidence dri
Page 307 and 308:
18. Then, a bad signature file was
Page 309 and 310:
Appendix 13: Artefacts Collected by
Page 311 and 312:
Figure A13.5: Acquired backend SQL
Page 313 and 314:
SQL SERVER - DATABASE SERVER INFORM
Page 315 and 316:
Figure A13.15: Fragment of the acqu
Page 317 and 318:
Figure A13.18: Result of the Acquir
Page 319 and 320:
Figure A13.23: Result of the Acquir
Page 321 and 322:
72CBADAE0A1F9FF34D4A35A9AB26BDB8 Au
Page 323 and 324:
2428169B31C96FE4A767215000AA0008 in
Page 325 and 326:
Appendix 15: WFT Tool Log during th
Page 327 and 328:
06:31:36: Verifying 'sql\runsql.bat
Page 329 and 330:
(md5=A7A43C52521F85BDD6683D9E0E4A00
Page 331 and 332:
(md5=AB700D66945BBC9FBFA34002A808A2
Page 333 and 334:
[DB Configuration] (md5=F416BF7233E
Page 335 and 336:
(md5=FEDD1E9DF1B76C877B8027B62E401B
Page 337 and 338:
06:32:21: Verifying 'xp\mem.exe' OK
Page 339 and 340:
06:32:22: Verifying 'sysinternals\p
Page 341 and 342:
'uptime.htm' (md5=B7456D103CBF5E49F
Page 343 and 344:
'netlgrp.txt' (md5=E6D74D46AECD9692
Page 345 and 346:
06:32:26: Verifying 'cygwin\cygwin1
Page 347 and 348:
'cmdline.txt' (md5=B44C85C704337F00
Page 349 and 350:
06:32:32: Verifying 'netlatency\ser
Page 351 and 352:
06:32:35: Verifying 'diamondcs\ipli
Page 353 and 354:
(md5=BB5127D25439D1B50A305B1CF865FE
Page 355 and 356:
(md5=647578D95B7F3B11B6CCF833E29670
Page 357 and 358:
06:32:41: Verifying 'perl\re.dll' O
Page 359 and 360:
(md5=C4DA0F6D85F641B3E5A0F065AEDB27
Page 361 and 362:
06:33:15: Verifying '2k\res_kit\dum
Page 363 and 364:
[FILE SYSTEM] (md5=E9D558E387FC2208
Page 365 and 366:
06:33:19: Running 'tools\xp\cmd.exe
Page 367 and 368:
06:33:20: Verifying 'tools\xp\cmd.e
Page 369 and 370:
'sys_ini.txt' (md5=B143A6852C9EF93E
Page 371 and 372:
06:33:22: Running 'xp\at.exe' [#132
Page 373 and 374:
06:33:24: Verifying 'microsoft\reg.
Page 375 and 376:
(md5=4380D8F2014A5C35BF59DF30D079F0
Page 377 and 378:
06:34:09: Running 'xp\gpresult.exe'
Page 379 and 380:
06:34:15: Verifying 'microsoft\regd
Page 381 and 382:
06:34:16: Running 'microsoft\reg.ex
Page 383 and 384:
[DONE] SKIPPED (via '-nowrite' para
Page 385 and 386:
'mail.gif' (md5=38477E98FB3ED60B829
Page 387 and 388:
Step 3: The SQL poisoning attack wa
Page 389 and 390:
Appendix 17: Live Acquisition of Ph
Page 391 and 392:
The problem issue was clearly state
Page 393 and 394:
Figure A17.9: Evidence item informa
Page 395 and 396:
Figure A17.13: Successful creation
Page 397 and 398:
Physical Drive Acquisition Report b
Page 399 and 400:
Figure A18.2: Screenshot of the Acq
Page 401 and 402:
Figure A18.4: Screenshots of the Ac
Page 403 and 404:
Figure A19.2b: Screenshot of the In
Page 405 and 406:
Figure A19.5: Screenshot of the lau
Page 407 and 408:
Figure A19.10: Choosing the OS path
Page 409 and 410:
Figure A19.16: Avoiding the tools t
Page 411 and 412:
Figure A19.21a: WFT tool in action
Page 413 and 414:
Figure A19.22b: The acquisition of
Page 415 and 416:
Appendix 20: Extended wftSQL Batchf
Page 417 and 418:
SET /P USERQUESTION=Use currently l
Page 419 and 420:
Appendix 21_Screenshots of Hashing
Page 421 and 422:
Appendix 22: Hash Values Comparison
Page 423 and 424:
DBO_RFIDlog_tblStat_Date.txt Text 4
Page 425 and 426:
IDE_Image.E06 EnCase Image eaa9522a
Page 427 and 428:
Endpoints.htm Web Page d23eef6404ca
Page 429 and 430:
PSLIST.HTM Web Page 79dbea76b982972
Page 431 and 432:
IPXROUTE.HTM Web Page 97d4e1dd9621b
Page 433 and 434:
PSFILE.HTM Web Page d6d58ad5914ef24
Page 435 and 436:
HKLM_RS.HTM Web Page f756a379df8579
Page 437 and 438:
MDM.HTM Web Page a5e04ce095305295ae
Page 439 and 440:
WFT_CFG.TXT Text 1d378b80f8e0e7ea4f
Page 441 and 442:
PCLIP.TXT Text 037130bf88e524d8f61a
Page 443 and 444:
TLIST_V.TXT Text cdf2d49e302522e370
Page 445 and 446:
HUNT.TXT Text 99553ccd8e14cae6db789
Page 447 and 448:
C_hidden.txt Text 5f45b5367c7ed8852
Page 449 and 450:
HKCU_R.TXT Text 9e7b99199b2931e811a
Page 451 and 452:
ARKAR_US.B BASIC Source Code .E01 e
Page 453 and 454:
CollationAndDataType.txt Text 37a07
Page 455 and 456:
RFID_test.md5 45c0868ea943c2171ff35
Page 457 and 458:
errorlog_4.md5 3f7f86d69760b535bd82
Page 459 and 460:
Appendix 23: Analysis of Acquired S
Page 461 and 462:
2010-10-25 12:37:05.56 Server Serve
Page 463 and 464:
2010-10-05 01:22:55.53 Server Detec
Page 465 and 466:
2010-10-07 15:20:54.21 Server Serve
Page 467 and 468:
2010-10-25 12:17:39.26 Server Serve
Page 469 and 470:
2010-10-03 00:59:55.96 Server Dedic
Page 471 and 472:
2010-10-02 00:11:57.85 Server -d C:
Page 473 and 474:
2010-10-02 02:40:05.35 Server SQL S
Page 475 and 476:
2010-10-01 23:20:15.28 Server Dedic
Page 477 and 478:
2010-10-01 23:14:19.50 Server Using
Page 479 and 480:
2010-10-01 23:20:12.40 Server The S
Page 481 and 482:
2010-10-01 23:12:03.65 spid4s Recov
Page 483 and 484:
processed. Likewise, the acquired r
Page 485:
Figure 24A.3: There is no record in
show all

Digital Forensics in Small Devices: RFID Tag Investigation

Create successful ePaper yourself

Delete template?

Save as template?