Digital Forensics in Small Devices: RFID Tag Investigation

More documents

Recommendations

Info

Juels, A., & Weis, S. (2005). Authenticating pervasive devices with human protocols. In V. Shoup (Ed.), Advances in Cryptology (CRYPTO 2005) – Lecture Notes in Computer Science, 3126(2005), 293-308. doi:10.1007/11535218_18 Juels, A. (2006). RFID security and privacy: a research survey. IEEE Journal on Selected Areas in Communications, 24(2), 381-394. doi:10.1109/JSAC.2005.861395 Kamoun, F. (2009). RFID system management: State-of-the art and open research issues. Journal of IEEE Transactions on Network and Service Management, 6(3), 190-205. doi: 10.1109/TNSM.2009.03.090305 Karygiannis, A., Phillips, T., & Tsibertzopoulos, A. (2006). RFID security: a taxonomy of risk. In Proceedings of the First International Conference on Communications and Networking (ChinaCom ’06), China (pp. 1-8). doi:10.1109/CHINACOM.2006.344722 Karygiannis, T., Eydt, B., Barber, G., Bunn, L., & Phillips, T. (2007). Guidelines for securing radio frequency identification (RFID) systems, Special Publication 800-98, National Institute of Standards and Technology, April. Retrieved from http://csrc.nist.gov/publications/nistpubs/800- 98/SP800-98_RFID-2007.pdf Khannaa, N., Mikkilinenia, A. K., Martonea, A. F., Alia, G. N., Chiub, G. T., Allebacha, J. P., & Delpa, E. J. (2006). A survey of forensic characterization methods for physical devices. Digital Investigation, 3S(2006), S17-S28. Kim, D. S., Shin, T., & Park, J. S. (2007). A security framework in RFID multidomain system. The Second International Conference on Availability, Reliability and Security, ARES 2007, vol., no., pp.1227-1234, 10-13 April 2007. Knospe, H., & Pohl, H. (2004). RFID security. Information Security Technical Report, 9(4), 39-50. doi:10.1016/S1363-4127(05)70039-X Konidala, D. M., Kim, Z., & Kim, K. (2007). A simple and cost-effective RFID tag-reader mutual authentication scheme. In Proceedings of International Conference on RFID Security 2007 (RFIDSec07), Malaga, Spain (141- 152). 165
Kou, D., Zhao, K., Tao, Y., & Kou, W. (2006). RFID technologies and applications. In W. Kou & Y. Yesha (Eds.), Enabling technologies for wireless e-business (pp. 89-108). The Netherlands: Springer. Landt, J. (2005, December 5). The history of RFID. IEEE Potentials Magazine, 24(4), 8-11. doi:10.1109/MP.2005.1549751 Laurie, A. (2007). Practical attacks against RFID. Network Security, 2007(9), 4–7. doi:10.1016/S1353-4858(07)70080-6 Li, X., Xu, G., & Yu, D. (2008). Security architecture for RFID application in home environment. The 2 nd International Conference on Anti- counterfeiting, Security and Identification, ASID 2008, 467-470. Li, H., Yuan, C., Yen, C., Huang, Y., & Lin, W. (2009). Design and implementation of RFID mutual authentication Protocol. In Proceedings of the Third International Conference on Anti-counterfeiting, Security and Identification in Communication, ASID 2009, Hong Kong (pp. 229- 232). United States of America: IEEE Computer Society. 10.1109/ICASID.2009.5276910 Li, T., & Deng, R. H. (2007). Vulnerability analysis of EMAP-An efficient RFID mutual authentication protocol. Proceedings of the Second International Conference on Availability, Reliability and Security, ARES 2007, Vienna, Austria (238-245). doi:ieeecomputersociety.org/10.1109/ARES.2007.159 Martone, A. F., & Delp, E. J. (2007). Characterization of RF devices using twotone probe signals. IEEE/SP 14 th Workshop on Statistical Signal Processing, SSP '07, vol., no., pp.161-165, 26-29. Martone, A. F., Mikkilineni, A. K., & Delp, E. J. (2006). Forensics of things. 2006 IEEE Southwest Symposium on Image Analysis and Interpretation, 149-152. Masters, G., & Turner, P. (2007). Forensic data recovery and examination of magnetic swipe card cloning devices. Journal of Digital Investigation, 4S(2007), S16-S22. Michael, K., & McCathie, L. (2005). The pros and cons of RFID in supply chain management. In Proceedings of the International Conference on Mobile Business (ICMB’05). USA: IEEE Computer Society. Middleton, B. (2004). Cyber crime investigator’s field guide (2nd ed.). United States of America: Auerbach Publications. 166
Page 1 and 2:
Digital Forensics in Small Devices:
Page 3 and 4:
iii Acknowledgements This thesis wa
Page 5 and 6:
v Abstract Read/Write Radio Frequen
Page 7 and 8:
vii Table of Contents (Volume 1) De
Page 9 and 10:
ix 3.2.2.2 The POS Entity Security
Page 11 and 12:
xi 4.3.4 Analysis of the Physical D
Page 13 and 14:
xiii List of Tables Table 2.1 Chara
Page 15 and 16:
Figure 4.3: Error encountered durin
Page 17 and 18:
xvii Figure 4.53: Acquisitions of a
Page 19 and 20:
LF Low Frequency xix LLRP Low Level
Page 21 and 22:
process (see Chalasani, Boppana, &
Page 23 and 24:
of potential evidence after an even
Page 25 and 26:
investigation. Likewise, all the re
Page 27 and 28:
practices concerned with the forens
Page 29 and 30:
defines different types of malware
Page 31 and 32:
2.1.1 RFID Transponders or Tags The
Page 33 and 34:
Table 2.1: Characteristics and Clas
Page 35 and 36:
Moreover, depending on the complexi
Page 37 and 38:
However, according to EPCglobal (El
Page 39 and 40:
According to Harmon (2006, pp. 45-4
Page 41 and 42:
2.2.1 Memory Technologies for RFID
Page 43 and 44:
y the reader as the tag‟s address
Page 45 and 46:
wavelength long and depends on the
Page 47 and 48:
Karygiannis et al., (2007, pp. 2-15
Page 49 and 50:
attacker can perform eavesdropping
Page 51 and 52:
2.5 RFID STOCK MANAGEMENT SECURITY
Page 53 and 54:
Figure 2.15: RFID Business System S
Page 55 and 56:
3.0 INTRODUCTION Chapter 3 - Resear
Page 57 and 58:
etrieve data to an external data so
Page 59 and 60:
firstly affect the back-end RFID mi
Page 61 and 62:
Figure 3.2: Scenario 1 illustration
Page 63 and 64:
Unlike SQL Server forensics, the tr
Page 65 and 66:
forensic workstation must be prepar
Page 67 and 68:
Then, the researcher verified the S
Page 69 and 70:
within the affected records”. In
Page 71 and 72:
can also be found not only in the d
Page 73 and 74:
Likewise, Relevancy is related to t
Page 75 and 76:
3.2 THE RESEARCH DESIGN In the prev
Page 77 and 78:
e investigated for evidence of the
Page 79 and 80:
3.2.2 Review of Problem Areas in RF
Page 81 and 82:
participants, the Information Syste
Page 83 and 84:
3.2.3 Case Study The researcher int
Page 85 and 86:
3.2.6 Research Question As stated i
Page 87 and 88:
3.2.8 Data Map Figure 3.9: Data Map
Page 89 and 90:
software (see Appendix 4) that can
Page 91 and 92:
and Deng (2007) illustrated two eff
Page 93 and 94:
system of the target machine (Jones
Page 95 and 96:
other collected evidence data by us
Page 97 and 98:
SQL Server artefacts (for the purpo
Page 99 and 100:
presence of digital evidence after
Page 101 and 102:
4.0 INTRODUCTION Chapter 4 - Resear
Page 103 and 104:
Figure 4.1: Error encountered durin
Page 105 and 106:
server (Figure 4.6) due to the user
Page 107 and 108:
Section 4.2 include the snippets of
Page 109 and 110:
4.2.2 Live Extraction of Binaries R
Page 111 and 112:
4.2.3.1 Automated Artefact Collecti
Page 113 and 114:
4.2.3.2 Ad Hoc Artefact Collection
Page 115 and 116:
4.2.3.3.1 Active VLF Data After gat
Page 117 and 118:
The acquisition result of ring buff
Page 119 and 120:
Depending on the version of the vic
Page 121 and 122:
syntax was used to acquire a server
Page 123 and 124:
:out E:\SystemDatabaseRoleMembers.t
Page 125 and 126:
However, according to Fowler (2009,
Page 127 and 128:
After collecting the table statisti
Page 129 and 130:
Thus, the result of the current tab
Page 131 and 132:
4.2.3.4.6 Data Page Allocation Arte
Page 133 and 134: components of database were enabled
Page 135 and 136: The record of shutting down the ser
Page 137 and 138: “application logic and extend the
Page 139 and 140: 4.2.3.6.5 SQL Server Error Logs Usu
Page 141 and 142: 4.2.4 Physical Disk Drive Finally,
Page 143 and 144: Figure 4.56: Analyzing the image co
Page 145 and 146: could not. Hence, the artefacts cou
Page 147 and 148: 5.0 INTRODUCTION Chapter 5 - Resear
Page 149 and 150: the laboratory to simulate a RFID t
Page 151 and 152: and confirmed the database was obvi
Page 153 and 154: SUMMARY: After analysing all the ac
Page 155 and 156: all the collected digital evidence
Page 157 and 158: Table 5.5: Secondary Research Quest
Page 159 and 160: write blocker (Tableau Forensic USB
Page 161 and 162: collected digital evidence files (b
Page 163 and 164: 5.2.3 Discussion of Conducted Attac
Page 165 and 166: forensic work-station (Appendix 10)
Page 167 and 168: forensic test-station for the inves
Page 169 and 170: the trusted forensic toolkits. In a
Page 171 and 172: 6.0 INTRODUCTION Chapter 6 - Conclu
Page 173 and 174: Table 6.1: Specific forensic tools
Page 175 and 176: the evidential data are the importa
Page 177 and 178: (Chapter 5; Section 5.3) for both d
Page 179 and 180: Bolan, C. (2007). A single channel
Page 181 and 182: El-Said, M. M., & Woodring, I. (200
Page 183: Hunt, V. D., Puglia, A., & Puglia,
Page 187 and 188: Notes in Computer Science 5379(2009
Page 189 and 190: Tripwire, Inc. (2010a). Tripwire Ma
Page 191 and 192: Digital Forensics in Small Devices:
Page 193 and 194: Appendix 1: Volatile and Non-volati
Page 195 and 196: 3 Activity Endpoints* ● md5deep N
Page 197 and 198: Appendix 2: Steps for Creating Radi
Page 199 and 200: 14. Gather the latest versions of W
Page 201 and 202: The following is the detail record
Page 203 and 204: COMPLETE 'Logins.txt' (md5=A2993744
Page 205 and 206: (md5=A2993744A56BA83ADE52948062C968
Page 207 and 208: 'Schemas.htm' (md5=30BB65A20F1381D7
Page 209 and 210: 22:02:26: Hashing 'wft_cfg.txt' (md
Page 211 and 212: Record any checksum(s) below to lat
Page 213 and 214: 22. Although the extended version o
Page 215 and 216: Appendix 3: Source Code of the Deve
Page 217 and 218: { } else { MessageBox.Show("No read
Page 219 and 220: } } btnConnect.Enabled = true; btnD
Page 221 and 222: MessageBox.Show(this, "Connection t
Page 223 and 224: } } } dwNumEntries = usbRFID.GetNum
Page 225 and 226: add it to the list box LogItem.szID
Page 227 and 228: if(fdialog.FileName != "") { FileSt
Page 229 and 230: private string constr = @"Data Sour
Page 231 and 232: } } else { } catch (Exception ex) {
Page 233 and 234: } } } } insertTagtoDB(TagID, TagVal
Page 235 and 236:
} break; case ("Protection"): { uiB
Page 237 and 238:
} } } //this.Cursor = Cursors.Defau
Page 239 and 240:
} } btnReadTag.Enabled = false; tmr
Page 241 and 242:
private void insertTagtoDB(string T
Page 243 and 244:
} } } private void btnLOGload_Click
Page 245 and 246:
Step 4: Then, the Tripwire will per
Page 247 and 248:
Similarly, Tripwire user account sh
Page 249 and 250:
Figure A5.5: Installation of the Tr
Page 251 and 252:
Appendix 6: An Example of the Condu
Page 253 and 254:
Sync” allowing the users to confi
Page 255 and 256:
Figure A6.8: RFID Sync Application
Page 257 and 258:
Figure A6.10: Screenshot of writing
Page 259 and 260:
Step 3: Configure the reader’s Ta
Page 261 and 262:
Step 8: Edit the Tripwire configura
Page 263 and 264:
Step 12: Record of the fictitious l
Page 265 and 266:
Step 16: Similarly, check whether t
Page 267 and 268:
Step 20: Check the primary database
Page 269 and 270:
Appendix 7: Steps taken before the
Page 271 and 272:
insert into rfid_log ( Tag, User_da
Page 273 and 274:
Figure A7.3: Pre-keyed data in the
Page 275 and 276:
Figure A7.7: Pre-keyed data in the
Page 277 and 278:
Figure A7.11: Screenshot of Tripwir
Page 279 and 280:
Step 10: Once Tripwire database was
Page 281 and 282:
Appendix 8: Steps taken after the S
Page 283 and 284:
Step 3: The integrity check was ini
Page 285 and 286:
Figure A8.8: Screenshot of the Trip
Page 287 and 288:
Figure A8.12: Screenshot of the bac
Page 289 and 290:
Figure A9.3: Network Interface Card
Page 291 and 292:
Figure A9.7: Enterprise Version of
Page 293 and 294:
Appendix 10: Screenshots of Forensi
Page 295 and 296:
Appendix 11: Forensically Sterilizi
Page 297 and 298:
Figure A11. 4: Wiping all the secto
Page 299 and 300:
Appendix 12: Steps for Copying and
Page 301 and 302:
Figure A12.6: Acquiring the forensi
Page 303 and 304:
12. However, the acquisition was ca
Page 305 and 306:
15. Then, the original evidence dri
Page 307 and 308:
18. Then, a bad signature file was
Page 309 and 310:
Appendix 13: Artefacts Collected by
Page 311 and 312:
Figure A13.5: Acquired backend SQL
Page 313 and 314:
SQL SERVER - DATABASE SERVER INFORM
Page 315 and 316:
Figure A13.15: Fragment of the acqu
Page 317 and 318:
Figure A13.18: Result of the Acquir
Page 319 and 320:
Figure A13.23: Result of the Acquir
Page 321 and 322:
72CBADAE0A1F9FF34D4A35A9AB26BDB8 Au
Page 323 and 324:
2428169B31C96FE4A767215000AA0008 in
Page 325 and 326:
Appendix 15: WFT Tool Log during th
Page 327 and 328:
06:31:36: Verifying 'sql\runsql.bat
Page 329 and 330:
(md5=A7A43C52521F85BDD6683D9E0E4A00
Page 331 and 332:
(md5=AB700D66945BBC9FBFA34002A808A2
Page 333 and 334:
[DB Configuration] (md5=F416BF7233E
Page 335 and 336:
(md5=FEDD1E9DF1B76C877B8027B62E401B
Page 337 and 338:
06:32:21: Verifying 'xp\mem.exe' OK
Page 339 and 340:
06:32:22: Verifying 'sysinternals\p
Page 341 and 342:
'uptime.htm' (md5=B7456D103CBF5E49F
Page 343 and 344:
'netlgrp.txt' (md5=E6D74D46AECD9692
Page 345 and 346:
06:32:26: Verifying 'cygwin\cygwin1
Page 347 and 348:
'cmdline.txt' (md5=B44C85C704337F00
Page 349 and 350:
06:32:32: Verifying 'netlatency\ser
Page 351 and 352:
06:32:35: Verifying 'diamondcs\ipli
Page 353 and 354:
(md5=BB5127D25439D1B50A305B1CF865FE
Page 355 and 356:
(md5=647578D95B7F3B11B6CCF833E29670
Page 357 and 358:
06:32:41: Verifying 'perl\re.dll' O
Page 359 and 360:
(md5=C4DA0F6D85F641B3E5A0F065AEDB27
Page 361 and 362:
06:33:15: Verifying '2k\res_kit\dum
Page 363 and 364:
[FILE SYSTEM] (md5=E9D558E387FC2208
Page 365 and 366:
06:33:19: Running 'tools\xp\cmd.exe
Page 367 and 368:
06:33:20: Verifying 'tools\xp\cmd.e
Page 369 and 370:
'sys_ini.txt' (md5=B143A6852C9EF93E
Page 371 and 372:
06:33:22: Running 'xp\at.exe' [#132
Page 373 and 374:
06:33:24: Verifying 'microsoft\reg.
Page 375 and 376:
(md5=4380D8F2014A5C35BF59DF30D079F0
Page 377 and 378:
06:34:09: Running 'xp\gpresult.exe'
Page 379 and 380:
06:34:15: Verifying 'microsoft\regd
Page 381 and 382:
06:34:16: Running 'microsoft\reg.ex
Page 383 and 384:
[DONE] SKIPPED (via '-nowrite' para
Page 385 and 386:
'mail.gif' (md5=38477E98FB3ED60B829
Page 387 and 388:
Step 3: The SQL poisoning attack wa
Page 389 and 390:
Appendix 17: Live Acquisition of Ph
Page 391 and 392:
The problem issue was clearly state
Page 393 and 394:
Figure A17.9: Evidence item informa
Page 395 and 396:
Figure A17.13: Successful creation
Page 397 and 398:
Physical Drive Acquisition Report b
Page 399 and 400:
Figure A18.2: Screenshot of the Acq
Page 401 and 402:
Figure A18.4: Screenshots of the Ac
Page 403 and 404:
Figure A19.2b: Screenshot of the In
Page 405 and 406:
Figure A19.5: Screenshot of the lau
Page 407 and 408:
Figure A19.10: Choosing the OS path
Page 409 and 410:
Figure A19.16: Avoiding the tools t
Page 411 and 412:
Figure A19.21a: WFT tool in action
Page 413 and 414:
Figure A19.22b: The acquisition of
Page 415 and 416:
Appendix 20: Extended wftSQL Batchf
Page 417 and 418:
SET /P USERQUESTION=Use currently l
Page 419 and 420:
Appendix 21_Screenshots of Hashing
Page 421 and 422:
Appendix 22: Hash Values Comparison
Page 423 and 424:
DBO_RFIDlog_tblStat_Date.txt Text 4
Page 425 and 426:
IDE_Image.E06 EnCase Image eaa9522a
Page 427 and 428:
Endpoints.htm Web Page d23eef6404ca
Page 429 and 430:
PSLIST.HTM Web Page 79dbea76b982972
Page 431 and 432:
IPXROUTE.HTM Web Page 97d4e1dd9621b
Page 433 and 434:
PSFILE.HTM Web Page d6d58ad5914ef24
Page 435 and 436:
HKLM_RS.HTM Web Page f756a379df8579
Page 437 and 438:
MDM.HTM Web Page a5e04ce095305295ae
Page 439 and 440:
WFT_CFG.TXT Text 1d378b80f8e0e7ea4f
Page 441 and 442:
PCLIP.TXT Text 037130bf88e524d8f61a
Page 443 and 444:
TLIST_V.TXT Text cdf2d49e302522e370
Page 445 and 446:
HUNT.TXT Text 99553ccd8e14cae6db789
Page 447 and 448:
C_hidden.txt Text 5f45b5367c7ed8852
Page 449 and 450:
HKCU_R.TXT Text 9e7b99199b2931e811a
Page 451 and 452:
ARKAR_US.B BASIC Source Code .E01 e
Page 453 and 454:
CollationAndDataType.txt Text 37a07
Page 455 and 456:
RFID_test.md5 45c0868ea943c2171ff35
Page 457 and 458:
errorlog_4.md5 3f7f86d69760b535bd82
Page 459 and 460:
Appendix 23: Analysis of Acquired S
Page 461 and 462:
2010-10-25 12:37:05.56 Server Serve
Page 463 and 464:
2010-10-05 01:22:55.53 Server Detec
Page 465 and 466:
2010-10-07 15:20:54.21 Server Serve
Page 467 and 468:
2010-10-25 12:17:39.26 Server Serve
Page 469 and 470:
2010-10-03 00:59:55.96 Server Dedic
Page 471 and 472:
2010-10-02 00:11:57.85 Server -d C:
Page 473 and 474:
2010-10-02 02:40:05.35 Server SQL S
Page 475 and 476:
2010-10-01 23:20:15.28 Server Dedic
Page 477 and 478:
2010-10-01 23:14:19.50 Server Using
Page 479 and 480:
2010-10-01 23:20:12.40 Server The S
Page 481 and 482:
2010-10-01 23:12:03.65 spid4s Recov
Page 483 and 484:
processed. Likewise, the acquired r
Page 485:
Figure 24A.3: There is no record in
show all

Digital Forensics in Small Devices: RFID Tag Investigation

Create successful ePaper yourself

Delete template?

Save as template?