Digital Forensics in Small Devices: RFID Tag Investigation

More documents

Recommendations

Info

1.3 FINDINGS OF THE RESEARCH The research summarizes findings relevant to the digital forensic investigation of a compromised RFID based stock management system. The findings from the investigation prove that the theft of SI has occurred in a RFID based retail system. Hence, the perpetrator could be identified and later be prosecuted according to the court of law if more evidence (which are the limitations of this research; see Section 3.4 in Chapter 3) such as images from the Closed Circuit Television (CCTV) monitoring system and the interview evidence from human participants are taken into consideration during the investigation. In order to investigate the presence of digital evidence after theft of SI, a prototype of stabilized commercial retail environment using RFID stock management system is constructed in the laboratory according to the proposed system design (Section 3.3.1). As part of the proposed system design, a customized RFID middleware software (source code can be seen in Appendix 4) is developed based on the Software Development Kit (SDK) of RFID reader’s manufacturing company. The developed programme allows users to configure the RFID reader, to collect the tag data, and write the tag data to the backend database. Basically, it enables reading and writing the tag data from the RFID scanner to the BIS SQL 2005 Server (and vice versa). By design, one real and one poisoned RFID Read/Write tags are also applied in a stabilized system. The Tripwire for Servers (Version 4.8) and Tripwire Managers (Version 4.8) are utilised to establish the baseline of a stabilized/trusted system in operation. Hence, the previous studies such as compromising the backend database by using a RFID tag as an attack vector (Section 3.1.2), and the acquisition of backend SQL server artefacts methods (Sections 3.1.3 and 3.1.4) are replicated in this simulated research. Subsequently, SQL poisoning attack (Section 3.3.2) is initiated via a fake tag to compromise the backend database of the stock management system and then each entity in the RFID BS (see Table 2.5 in Chapter 2) such as the tag, POS, scanner, and the backend SQL Server are investigated for evidence of the SI theft. Thus, the evidence is collected from the tag, the scanner, the POS and the backend SQL server. However, the ReaderLogExtraction tool (see Appendix 3) is developed based on SDK of RFID reader’s manufacturing company in order to acquire bit-to-bit evidence data from the RFID reader’s memory during the 5
investigation. Likewise, all the required software forensic tools for data collection (such as ReaderLogExtraction tool, WinEn, extended WFT, and the like) are integrated into the customized Helix_RFID_IncidentResonse (Helix_RFID_IR DVD) toolkit (see Appendix 2 for steps in creating Helix_RFID_IR toolkit) and the live data acquisition is performed by placing RIFD_IR into the compromised machine’s DVD drive in order to avoid any modifications or affect minimum impact to the original evidence during the acquisition phase (Jones, Bejtlich, & Rose, 2006b; Jones, 2007; Fowler, 2007, 2009). Hence, the details of the tools and techniques used to collect the digital evidence, findings and analysis of collected data are presented in (Chapter 4). During the simulation experiment, the traces of evidence after the attack are able to be identified, acquired, preserved and analysed according to the digital forensic principles and guidelines for handling the digital evidence. Hence, the evidence of values of the original stock items are changed in the backend database during the investigation (see Figure 4.37 in Section 4.2.3.4.4). Likewise, the evidence of malicious transaction traces including the tag ID, date and timestamp are found in logs of the RFID reader’s memory (Section 4.3.1) and in the memory of the POS station (POS RAM) (Section 4.3.2). Similarly, significant evidence is found in the acquired current table data of the stock management database (Figure 4.37) from the backend SQL Server. Moreover, the acquisition result of current table data of transaction log file - RFID_test_log.ldf (see Figure 4.41) shows the significant evidence of the attack in which the malicious SQL poisoning code is found and the SI (Tag IDs starting with E004) are updated to the values $600 at 06:39:48pm on the 12 October 2010. Hence, a fake tag is also found and preserved as proof of the theft of SI, in the simulation experiment. 1.4 CONCLUSION (STRUCTURE OF THE THESIS) In conclusion, Chapter 1 introduces the motivational factors in connection with the study of the digital forensic investigation in a compromised RFID tag based stock management system in the retail environment. It also reviews the motivation of the research and emphasizes the gap in the digital forensic research area. Chapter 2 includes a literature review of relevant research. For instance, the three-tier model of a RFID system such as the material layer (Section 2.1), the 6
Page 1 and 2: Digital Forensics in Small Devices:
Page 3 and 4: iii Acknowledgements This thesis wa
Page 5 and 6: v Abstract Read/Write Radio Frequen
Page 7 and 8: vii Table of Contents (Volume 1) De
Page 9 and 10: ix 3.2.2.2 The POS Entity Security
Page 11 and 12: xi 4.3.4 Analysis of the Physical D
Page 13 and 14: xiii List of Tables Table 2.1 Chara
Page 15 and 16: Figure 4.3: Error encountered durin
Page 17 and 18: xvii Figure 4.53: Acquisitions of a
Page 19 and 20: LF Low Frequency xix LLRP Low Level
Page 21 and 22: process (see Chalasani, Boppana, &
Page 23: of potential evidence after an even
Page 27 and 28: practices concerned with the forens
Page 29 and 30: defines different types of malware
Page 31 and 32: 2.1.1 RFID Transponders or Tags The
Page 33 and 34: Table 2.1: Characteristics and Clas
Page 35 and 36: Moreover, depending on the complexi
Page 37 and 38: However, according to EPCglobal (El
Page 39 and 40: According to Harmon (2006, pp. 45-4
Page 41 and 42: 2.2.1 Memory Technologies for RFID
Page 43 and 44: y the reader as the tag‟s address
Page 45 and 46: wavelength long and depends on the
Page 47 and 48: Karygiannis et al., (2007, pp. 2-15
Page 49 and 50: attacker can perform eavesdropping
Page 51 and 52: 2.5 RFID STOCK MANAGEMENT SECURITY
Page 53 and 54: Figure 2.15: RFID Business System S
Page 55 and 56: 3.0 INTRODUCTION Chapter 3 - Resear
Page 57 and 58: etrieve data to an external data so
Page 59 and 60: firstly affect the back-end RFID mi
Page 61 and 62: Figure 3.2: Scenario 1 illustration
Page 63 and 64: Unlike SQL Server forensics, the tr
Page 65 and 66: forensic workstation must be prepar
Page 67 and 68: Then, the researcher verified the S
Page 69 and 70: within the affected records”. In
Page 71 and 72: can also be found not only in the d
Page 73 and 74: Likewise, Relevancy is related to t
Page 75 and 76:
3.2 THE RESEARCH DESIGN In the prev
Page 77 and 78:
e investigated for evidence of the
Page 79 and 80:
3.2.2 Review of Problem Areas in RF
Page 81 and 82:
participants, the Information Syste
Page 83 and 84:
3.2.3 Case Study The researcher int
Page 85 and 86:
3.2.6 Research Question As stated i
Page 87 and 88:
3.2.8 Data Map Figure 3.9: Data Map
Page 89 and 90:
software (see Appendix 4) that can
Page 91 and 92:
and Deng (2007) illustrated two eff
Page 93 and 94:
system of the target machine (Jones
Page 95 and 96:
other collected evidence data by us
Page 97 and 98:
SQL Server artefacts (for the purpo
Page 99 and 100:
presence of digital evidence after
Page 101 and 102:
4.0 INTRODUCTION Chapter 4 - Resear
Page 103 and 104:
Figure 4.1: Error encountered durin
Page 105 and 106:
server (Figure 4.6) due to the user
Page 107 and 108:
Section 4.2 include the snippets of
Page 109 and 110:
4.2.2 Live Extraction of Binaries R
Page 111 and 112:
4.2.3.1 Automated Artefact Collecti
Page 113 and 114:
4.2.3.2 Ad Hoc Artefact Collection
Page 115 and 116:
4.2.3.3.1 Active VLF Data After gat
Page 117 and 118:
The acquisition result of ring buff
Page 119 and 120:
Depending on the version of the vic
Page 121 and 122:
syntax was used to acquire a server
Page 123 and 124:
:out E:\SystemDatabaseRoleMembers.t
Page 125 and 126:
However, according to Fowler (2009,
Page 127 and 128:
After collecting the table statisti
Page 129 and 130:
Thus, the result of the current tab
Page 131 and 132:
4.2.3.4.6 Data Page Allocation Arte
Page 133 and 134:
components of database were enabled
Page 135 and 136:
The record of shutting down the ser
Page 137 and 138:
“application logic and extend the
Page 139 and 140:
4.2.3.6.5 SQL Server Error Logs Usu
Page 141 and 142:
4.2.4 Physical Disk Drive Finally,
Page 143 and 144:
Figure 4.56: Analyzing the image co
Page 145 and 146:
could not. Hence, the artefacts cou
Page 147 and 148:
5.0 INTRODUCTION Chapter 5 - Resear
Page 149 and 150:
the laboratory to simulate a RFID t
Page 151 and 152:
and confirmed the database was obvi
Page 153 and 154:
SUMMARY: After analysing all the ac
Page 155 and 156:
all the collected digital evidence
Page 157 and 158:
Table 5.5: Secondary Research Quest
Page 159 and 160:
write blocker (Tableau Forensic USB
Page 161 and 162:
collected digital evidence files (b
Page 163 and 164:
5.2.3 Discussion of Conducted Attac
Page 165 and 166:
forensic work-station (Appendix 10)
Page 167 and 168:
forensic test-station for the inves
Page 169 and 170:
the trusted forensic toolkits. In a
Page 171 and 172:
6.0 INTRODUCTION Chapter 6 - Conclu
Page 173 and 174:
Table 6.1: Specific forensic tools
Page 175 and 176:
the evidential data are the importa
Page 177 and 178:
(Chapter 5; Section 5.3) for both d
Page 179 and 180:
Bolan, C. (2007). A single channel
Page 181 and 182:
El-Said, M. M., & Woodring, I. (200
Page 183 and 184:
Hunt, V. D., Puglia, A., & Puglia,
Page 185 and 186:
Kou, D., Zhao, K., Tao, Y., & Kou,
Page 187 and 188:
Notes in Computer Science 5379(2009
Page 189 and 190:
Tripwire, Inc. (2010a). Tripwire Ma
Page 191 and 192:
Digital Forensics in Small Devices:
Page 193 and 194:
Appendix 1: Volatile and Non-volati
Page 195 and 196:
3 Activity Endpoints* ● md5deep N
Page 197 and 198:
Appendix 2: Steps for Creating Radi
Page 199 and 200:
14. Gather the latest versions of W
Page 201 and 202:
The following is the detail record
Page 203 and 204:
COMPLETE 'Logins.txt' (md5=A2993744
Page 205 and 206:
(md5=A2993744A56BA83ADE52948062C968
Page 207 and 208:
'Schemas.htm' (md5=30BB65A20F1381D7
Page 209 and 210:
22:02:26: Hashing 'wft_cfg.txt' (md
Page 211 and 212:
Record any checksum(s) below to lat
Page 213 and 214:
22. Although the extended version o
Page 215 and 216:
Appendix 3: Source Code of the Deve
Page 217 and 218:
{ } else { MessageBox.Show("No read
Page 219 and 220:
} } btnConnect.Enabled = true; btnD
Page 221 and 222:
MessageBox.Show(this, "Connection t
Page 223 and 224:
} } } dwNumEntries = usbRFID.GetNum
Page 225 and 226:
add it to the list box LogItem.szID
Page 227 and 228:
if(fdialog.FileName != "") { FileSt
Page 229 and 230:
private string constr = @"Data Sour
Page 231 and 232:
} } else { } catch (Exception ex) {
Page 233 and 234:
} } } } insertTagtoDB(TagID, TagVal
Page 235 and 236:
} break; case ("Protection"): { uiB
Page 237 and 238:
} } } //this.Cursor = Cursors.Defau
Page 239 and 240:
} } btnReadTag.Enabled = false; tmr
Page 241 and 242:
private void insertTagtoDB(string T
Page 243 and 244:
} } } private void btnLOGload_Click
Page 245 and 246:
Step 4: Then, the Tripwire will per
Page 247 and 248:
Similarly, Tripwire user account sh
Page 249 and 250:
Figure A5.5: Installation of the Tr
Page 251 and 252:
Appendix 6: An Example of the Condu
Page 253 and 254:
Sync” allowing the users to confi
Page 255 and 256:
Figure A6.8: RFID Sync Application
Page 257 and 258:
Figure A6.10: Screenshot of writing
Page 259 and 260:
Step 3: Configure the reader’s Ta
Page 261 and 262:
Step 8: Edit the Tripwire configura
Page 263 and 264:
Step 12: Record of the fictitious l
Page 265 and 266:
Step 16: Similarly, check whether t
Page 267 and 268:
Step 20: Check the primary database
Page 269 and 270:
Appendix 7: Steps taken before the
Page 271 and 272:
insert into rfid_log ( Tag, User_da
Page 273 and 274:
Figure A7.3: Pre-keyed data in the
Page 275 and 276:
Figure A7.7: Pre-keyed data in the
Page 277 and 278:
Figure A7.11: Screenshot of Tripwir
Page 279 and 280:
Step 10: Once Tripwire database was
Page 281 and 282:
Appendix 8: Steps taken after the S
Page 283 and 284:
Step 3: The integrity check was ini
Page 285 and 286:
Figure A8.8: Screenshot of the Trip
Page 287 and 288:
Figure A8.12: Screenshot of the bac
Page 289 and 290:
Figure A9.3: Network Interface Card
Page 291 and 292:
Figure A9.7: Enterprise Version of
Page 293 and 294:
Appendix 10: Screenshots of Forensi
Page 295 and 296:
Appendix 11: Forensically Sterilizi
Page 297 and 298:
Figure A11. 4: Wiping all the secto
Page 299 and 300:
Appendix 12: Steps for Copying and
Page 301 and 302:
Figure A12.6: Acquiring the forensi
Page 303 and 304:
12. However, the acquisition was ca
Page 305 and 306:
15. Then, the original evidence dri
Page 307 and 308:
18. Then, a bad signature file was
Page 309 and 310:
Appendix 13: Artefacts Collected by
Page 311 and 312:
Figure A13.5: Acquired backend SQL
Page 313 and 314:
SQL SERVER - DATABASE SERVER INFORM
Page 315 and 316:
Figure A13.15: Fragment of the acqu
Page 317 and 318:
Figure A13.18: Result of the Acquir
Page 319 and 320:
Figure A13.23: Result of the Acquir
Page 321 and 322:
72CBADAE0A1F9FF34D4A35A9AB26BDB8 Au
Page 323 and 324:
2428169B31C96FE4A767215000AA0008 in
Page 325 and 326:
Appendix 15: WFT Tool Log during th
Page 327 and 328:
06:31:36: Verifying 'sql\runsql.bat
Page 329 and 330:
(md5=A7A43C52521F85BDD6683D9E0E4A00
Page 331 and 332:
(md5=AB700D66945BBC9FBFA34002A808A2
Page 333 and 334:
[DB Configuration] (md5=F416BF7233E
Page 335 and 336:
(md5=FEDD1E9DF1B76C877B8027B62E401B
Page 337 and 338:
06:32:21: Verifying 'xp\mem.exe' OK
Page 339 and 340:
06:32:22: Verifying 'sysinternals\p
Page 341 and 342:
'uptime.htm' (md5=B7456D103CBF5E49F
Page 343 and 344:
'netlgrp.txt' (md5=E6D74D46AECD9692
Page 345 and 346:
06:32:26: Verifying 'cygwin\cygwin1
Page 347 and 348:
'cmdline.txt' (md5=B44C85C704337F00
Page 349 and 350:
06:32:32: Verifying 'netlatency\ser
Page 351 and 352:
06:32:35: Verifying 'diamondcs\ipli
Page 353 and 354:
(md5=BB5127D25439D1B50A305B1CF865FE
Page 355 and 356:
(md5=647578D95B7F3B11B6CCF833E29670
Page 357 and 358:
06:32:41: Verifying 'perl\re.dll' O
Page 359 and 360:
(md5=C4DA0F6D85F641B3E5A0F065AEDB27
Page 361 and 362:
06:33:15: Verifying '2k\res_kit\dum
Page 363 and 364:
[FILE SYSTEM] (md5=E9D558E387FC2208
Page 365 and 366:
06:33:19: Running 'tools\xp\cmd.exe
Page 367 and 368:
06:33:20: Verifying 'tools\xp\cmd.e
Page 369 and 370:
'sys_ini.txt' (md5=B143A6852C9EF93E
Page 371 and 372:
06:33:22: Running 'xp\at.exe' [#132
Page 373 and 374:
06:33:24: Verifying 'microsoft\reg.
Page 375 and 376:
(md5=4380D8F2014A5C35BF59DF30D079F0
Page 377 and 378:
06:34:09: Running 'xp\gpresult.exe'
Page 379 and 380:
06:34:15: Verifying 'microsoft\regd
Page 381 and 382:
06:34:16: Running 'microsoft\reg.ex
Page 383 and 384:
[DONE] SKIPPED (via '-nowrite' para
Page 385 and 386:
'mail.gif' (md5=38477E98FB3ED60B829
Page 387 and 388:
Step 3: The SQL poisoning attack wa
Page 389 and 390:
Appendix 17: Live Acquisition of Ph
Page 391 and 392:
The problem issue was clearly state
Page 393 and 394:
Figure A17.9: Evidence item informa
Page 395 and 396:
Figure A17.13: Successful creation
Page 397 and 398:
Physical Drive Acquisition Report b
Page 399 and 400:
Figure A18.2: Screenshot of the Acq
Page 401 and 402:
Figure A18.4: Screenshots of the Ac
Page 403 and 404:
Figure A19.2b: Screenshot of the In
Page 405 and 406:
Figure A19.5: Screenshot of the lau
Page 407 and 408:
Figure A19.10: Choosing the OS path
Page 409 and 410:
Figure A19.16: Avoiding the tools t
Page 411 and 412:
Figure A19.21a: WFT tool in action
Page 413 and 414:
Figure A19.22b: The acquisition of
Page 415 and 416:
Appendix 20: Extended wftSQL Batchf
Page 417 and 418:
SET /P USERQUESTION=Use currently l
Page 419 and 420:
Appendix 21_Screenshots of Hashing
Page 421 and 422:
Appendix 22: Hash Values Comparison
Page 423 and 424:
DBO_RFIDlog_tblStat_Date.txt Text 4
Page 425 and 426:
IDE_Image.E06 EnCase Image eaa9522a
Page 427 and 428:
Endpoints.htm Web Page d23eef6404ca
Page 429 and 430:
PSLIST.HTM Web Page 79dbea76b982972
Page 431 and 432:
IPXROUTE.HTM Web Page 97d4e1dd9621b
Page 433 and 434:
PSFILE.HTM Web Page d6d58ad5914ef24
Page 435 and 436:
HKLM_RS.HTM Web Page f756a379df8579
Page 437 and 438:
MDM.HTM Web Page a5e04ce095305295ae
Page 439 and 440:
WFT_CFG.TXT Text 1d378b80f8e0e7ea4f
Page 441 and 442:
PCLIP.TXT Text 037130bf88e524d8f61a
Page 443 and 444:
TLIST_V.TXT Text cdf2d49e302522e370
Page 445 and 446:
HUNT.TXT Text 99553ccd8e14cae6db789
Page 447 and 448:
C_hidden.txt Text 5f45b5367c7ed8852
Page 449 and 450:
HKCU_R.TXT Text 9e7b99199b2931e811a
Page 451 and 452:
ARKAR_US.B BASIC Source Code .E01 e
Page 453 and 454:
CollationAndDataType.txt Text 37a07
Page 455 and 456:
RFID_test.md5 45c0868ea943c2171ff35
Page 457 and 458:
errorlog_4.md5 3f7f86d69760b535bd82
Page 459 and 460:
Appendix 23: Analysis of Acquired S
Page 461 and 462:
2010-10-25 12:37:05.56 Server Serve
Page 463 and 464:
2010-10-05 01:22:55.53 Server Detec
Page 465 and 466:
2010-10-07 15:20:54.21 Server Serve
Page 467 and 468:
2010-10-25 12:17:39.26 Server Serve
Page 469 and 470:
2010-10-03 00:59:55.96 Server Dedic
Page 471 and 472:
2010-10-02 00:11:57.85 Server -d C:
Page 473 and 474:
2010-10-02 02:40:05.35 Server SQL S
Page 475 and 476:
2010-10-01 23:20:15.28 Server Dedic
Page 477 and 478:
2010-10-01 23:14:19.50 Server Using
Page 479 and 480:
2010-10-01 23:20:12.40 Server The S
Page 481 and 482:
2010-10-01 23:12:03.65 spid4s Recov
Page 483 and 484:
processed. Likewise, the acquired r
Page 485:
Figure 24A.3: There is no record in
show all

Digital Forensics in Small Devices: RFID Tag Investigation

Create successful ePaper yourself

Delete template?

Save as template?