Digital Forensics in Small Devices: RFID Tag Investigation

More documents

Recommendations

Info

Appendix 16: Documentation of the SQL Poisoning Attack (An Example of a Pilot Experiment) Step 1: After stabilizing the RFID Business System (as stated in Appendix 7), the fake RFID tag was injected with malicious code. Figure A16.1: Writing the malicious code into the fake tag, successful! Step 2: The genuine tag data was scanned a few times before the attack was initiated. Hence the values of all the products were $1000, as shown in the figure below. Figure A16.2: Scanning the genuine RFID tag 194
Step 3: The SQL poisoning attack was initiated by scanning a fake tag injected with RFID reader. Figure A16.3: Scanning the fake RFID tag (an attack initiation) Step 4: After scanning a fake tag injected with malicious code, the values were changed from 1000 to 10 dollars. Hence, the attack was successful and the injected malicious code was: ');update rfid_db set Value='10' where Tag > 'E004%' -- 195
Page 1 and 2:
Digital Forensics in Small Devices:
Page 3 and 4:
iii Acknowledgements This thesis wa
Page 5 and 6:
v Abstract Read/Write Radio Frequen
Page 7 and 8:
vii Table of Contents (Volume 1) De
Page 9 and 10:
ix 3.2.2.2 The POS Entity Security
Page 11 and 12:
xi 4.3.4 Analysis of the Physical D
Page 13 and 14:
xiii List of Tables Table 2.1 Chara
Page 15 and 16:
Figure 4.3: Error encountered durin
Page 17 and 18:
xvii Figure 4.53: Acquisitions of a
Page 19 and 20:
LF Low Frequency xix LLRP Low Level
Page 21 and 22:
process (see Chalasani, Boppana, &
Page 23 and 24:
of potential evidence after an even
Page 25 and 26:
investigation. Likewise, all the re
Page 27 and 28:
practices concerned with the forens
Page 29 and 30:
defines different types of malware
Page 31 and 32:
2.1.1 RFID Transponders or Tags The
Page 33 and 34:
Table 2.1: Characteristics and Clas
Page 35 and 36:
Moreover, depending on the complexi
Page 37 and 38:
However, according to EPCglobal (El
Page 39 and 40:
According to Harmon (2006, pp. 45-4
Page 41 and 42:
2.2.1 Memory Technologies for RFID
Page 43 and 44:
y the reader as the tag‟s address
Page 45 and 46:
wavelength long and depends on the
Page 47 and 48:
Karygiannis et al., (2007, pp. 2-15
Page 49 and 50:
attacker can perform eavesdropping
Page 51 and 52:
2.5 RFID STOCK MANAGEMENT SECURITY
Page 53 and 54:
Figure 2.15: RFID Business System S
Page 55 and 56:
3.0 INTRODUCTION Chapter 3 - Resear
Page 57 and 58:
etrieve data to an external data so
Page 59 and 60:
firstly affect the back-end RFID mi
Page 61 and 62:
Figure 3.2: Scenario 1 illustration
Page 63 and 64:
Unlike SQL Server forensics, the tr
Page 65 and 66:
forensic workstation must be prepar
Page 67 and 68:
Then, the researcher verified the S
Page 69 and 70:
within the affected records”. In
Page 71 and 72:
can also be found not only in the d
Page 73 and 74:
Likewise, Relevancy is related to t
Page 75 and 76:
3.2 THE RESEARCH DESIGN In the prev
Page 77 and 78:
e investigated for evidence of the
Page 79 and 80:
3.2.2 Review of Problem Areas in RF
Page 81 and 82:
participants, the Information Syste
Page 83 and 84:
3.2.3 Case Study The researcher int
Page 85 and 86:
3.2.6 Research Question As stated i
Page 87 and 88:
3.2.8 Data Map Figure 3.9: Data Map
Page 89 and 90:
software (see Appendix 4) that can
Page 91 and 92:
and Deng (2007) illustrated two eff
Page 93 and 94:
system of the target machine (Jones
Page 95 and 96:
other collected evidence data by us
Page 97 and 98:
SQL Server artefacts (for the purpo
Page 99 and 100:
presence of digital evidence after
Page 101 and 102:
Page 103 and 104:
Figure 4.1: Error encountered durin
Page 105 and 106:
server (Figure 4.6) due to the user
Page 107 and 108:
Section 4.2 include the snippets of
Page 109 and 110:
4.2.2 Live Extraction of Binaries R
Page 111 and 112:
4.2.3.1 Automated Artefact Collecti
Page 113 and 114:
4.2.3.2 Ad Hoc Artefact Collection
Page 115 and 116:
4.2.3.3.1 Active VLF Data After gat
Page 117 and 118:
The acquisition result of ring buff
Page 119 and 120:
Depending on the version of the vic
Page 121 and 122:
syntax was used to acquire a server
Page 123 and 124:
:out E:\SystemDatabaseRoleMembers.t
Page 125 and 126:
However, according to Fowler (2009,
Page 127 and 128:
After collecting the table statisti
Page 129 and 130:
Thus, the result of the current tab
Page 131 and 132:
4.2.3.4.6 Data Page Allocation Arte
Page 133 and 134:
components of database were enabled
Page 135 and 136:
The record of shutting down the ser
Page 137 and 138:
“application logic and extend the
Page 139 and 140:
4.2.3.6.5 SQL Server Error Logs Usu
Page 141 and 142:
4.2.4 Physical Disk Drive Finally,
Page 143 and 144:
Figure 4.56: Analyzing the image co
Page 145 and 146:
could not. Hence, the artefacts cou
Page 147 and 148:
Page 149 and 150:
the laboratory to simulate a RFID t
Page 151 and 152:
and confirmed the database was obvi
Page 153 and 154:
SUMMARY: After analysing all the ac
Page 155 and 156:
all the collected digital evidence
Page 157 and 158:
Table 5.5: Secondary Research Quest
Page 159 and 160:
write blocker (Tableau Forensic USB
Page 161 and 162:
collected digital evidence files (b
Page 163 and 164:
5.2.3 Discussion of Conducted Attac
Page 165 and 166:
forensic work-station (Appendix 10)
Page 167 and 168:
forensic test-station for the inves
Page 169 and 170:
the trusted forensic toolkits. In a
Page 171 and 172:
6.0 INTRODUCTION Chapter 6 - Conclu
Page 173 and 174:
Table 6.1: Specific forensic tools
Page 175 and 176:
the evidential data are the importa
Page 177 and 178:
(Chapter 5; Section 5.3) for both d
Page 179 and 180:
Bolan, C. (2007). A single channel
Page 181 and 182:
El-Said, M. M., & Woodring, I. (200
Page 183 and 184:
Hunt, V. D., Puglia, A., & Puglia,
Page 185 and 186:
Kou, D., Zhao, K., Tao, Y., & Kou,
Page 187 and 188:
Notes in Computer Science 5379(2009
Page 189 and 190:
Tripwire, Inc. (2010a). Tripwire Ma
Page 191 and 192:
Digital Forensics in Small Devices:
Page 193 and 194:
Appendix 1: Volatile and Non-volati
Page 195 and 196:
3 Activity Endpoints* ● md5deep N
Page 197 and 198:
Appendix 2: Steps for Creating Radi
Page 199 and 200:
14. Gather the latest versions of W
Page 201 and 202:
The following is the detail record
Page 203 and 204:
COMPLETE 'Logins.txt' (md5=A2993744
Page 205 and 206:
(md5=A2993744A56BA83ADE52948062C968
Page 207 and 208:
'Schemas.htm' (md5=30BB65A20F1381D7
Page 209 and 210:
22:02:26: Hashing 'wft_cfg.txt' (md
Page 211 and 212:
Record any checksum(s) below to lat
Page 213 and 214:
22. Although the extended version o
Page 215 and 216:
Appendix 3: Source Code of the Deve
Page 217 and 218:
{ } else { MessageBox.Show("No read
Page 219 and 220:
} } btnConnect.Enabled = true; btnD
Page 221 and 222:
MessageBox.Show(this, "Connection t
Page 223 and 224:
} } } dwNumEntries = usbRFID.GetNum
Page 225 and 226:
add it to the list box LogItem.szID
Page 227 and 228:
if(fdialog.FileName != "") { FileSt
Page 229 and 230:
private string constr = @"Data Sour
Page 231 and 232:
} } else { } catch (Exception ex) {
Page 233 and 234:
} } } } insertTagtoDB(TagID, TagVal
Page 235 and 236:
} break; case ("Protection"): { uiB
Page 237 and 238:
} } } //this.Cursor = Cursors.Defau
Page 239 and 240:
} } btnReadTag.Enabled = false; tmr
Page 241 and 242:
private void insertTagtoDB(string T
Page 243 and 244:
} } } private void btnLOGload_Click
Page 245 and 246:
Step 4: Then, the Tripwire will per
Page 247 and 248:
Similarly, Tripwire user account sh
Page 249 and 250:
Figure A5.5: Installation of the Tr
Page 251 and 252:
Appendix 6: An Example of the Condu
Page 253 and 254:
Sync” allowing the users to confi
Page 255 and 256:
Figure A6.8: RFID Sync Application
Page 257 and 258:
Figure A6.10: Screenshot of writing
Page 259 and 260:
Step 3: Configure the reader’s Ta
Page 261 and 262:
Step 8: Edit the Tripwire configura
Page 263 and 264:
Step 12: Record of the fictitious l
Page 265 and 266:
Step 16: Similarly, check whether t
Page 267 and 268:
Step 20: Check the primary database
Page 269 and 270:
Appendix 7: Steps taken before the
Page 271 and 272:
insert into rfid_log ( Tag, User_da
Page 273 and 274:
Figure A7.3: Pre-keyed data in the
Page 275 and 276:
Figure A7.7: Pre-keyed data in the
Page 277 and 278:
Figure A7.11: Screenshot of Tripwir
Page 279 and 280:
Step 10: Once Tripwire database was
Page 281 and 282:
Appendix 8: Steps taken after the S
Page 283 and 284:
Step 3: The integrity check was ini
Page 285 and 286:
Figure A8.8: Screenshot of the Trip
Page 287 and 288:
Figure A8.12: Screenshot of the bac
Page 289 and 290:
Figure A9.3: Network Interface Card
Page 291 and 292:
Figure A9.7: Enterprise Version of
Page 293 and 294:
Appendix 10: Screenshots of Forensi
Page 295 and 296:
Appendix 11: Forensically Sterilizi
Page 297 and 298:
Figure A11. 4: Wiping all the secto
Page 299 and 300:
Appendix 12: Steps for Copying and
Page 301 and 302:
Figure A12.6: Acquiring the forensi
Page 303 and 304:
12. However, the acquisition was ca
Page 305 and 306:
15. Then, the original evidence dri
Page 307 and 308:
18. Then, a bad signature file was
Page 309 and 310:
Appendix 13: Artefacts Collected by
Page 311 and 312:
Figure A13.5: Acquired backend SQL
Page 313 and 314:
SQL SERVER - DATABASE SERVER INFORM
Page 315 and 316:
Figure A13.15: Fragment of the acqu
Page 317 and 318:
Figure A13.18: Result of the Acquir
Page 319 and 320:
Figure A13.23: Result of the Acquir
Page 321 and 322:
72CBADAE0A1F9FF34D4A35A9AB26BDB8 Au
Page 323 and 324:
2428169B31C96FE4A767215000AA0008 in
Page 325 and 326:
Appendix 15: WFT Tool Log during th
Page 327 and 328:
06:31:36: Verifying 'sql\runsql.bat
Page 329 and 330:
(md5=A7A43C52521F85BDD6683D9E0E4A00
Page 331 and 332:
(md5=AB700D66945BBC9FBFA34002A808A2
Page 333 and 334:
[DB Configuration] (md5=F416BF7233E
Page 335 and 336: (md5=FEDD1E9DF1B76C877B8027B62E401B
Page 337 and 338: 06:32:21: Verifying 'xp\mem.exe' OK
Page 339 and 340: 06:32:22: Verifying 'sysinternals\p
Page 341 and 342: 'uptime.htm' (md5=B7456D103CBF5E49F
Page 343 and 344: 'netlgrp.txt' (md5=E6D74D46AECD9692
Page 345 and 346: 06:32:26: Verifying 'cygwin\cygwin1
Page 347 and 348: 'cmdline.txt' (md5=B44C85C704337F00
Page 349 and 350: 06:32:32: Verifying 'netlatency\ser
Page 351 and 352: 06:32:35: Verifying 'diamondcs\ipli
Page 353 and 354: (md5=BB5127D25439D1B50A305B1CF865FE
Page 355 and 356: (md5=647578D95B7F3B11B6CCF833E29670
Page 357 and 358: 06:32:41: Verifying 'perl\re.dll' O
Page 359 and 360: (md5=C4DA0F6D85F641B3E5A0F065AEDB27
Page 361 and 362: 06:33:15: Verifying '2k\res_kit\dum
Page 363 and 364: [FILE SYSTEM] (md5=E9D558E387FC2208
Page 365 and 366: 06:33:19: Running 'tools\xp\cmd.exe
Page 367 and 368: 06:33:20: Verifying 'tools\xp\cmd.e
Page 369 and 370: 'sys_ini.txt' (md5=B143A6852C9EF93E
Page 371 and 372: 06:33:22: Running 'xp\at.exe' [#132
Page 373 and 374: 06:33:24: Verifying 'microsoft\reg.
Page 375 and 376: (md5=4380D8F2014A5C35BF59DF30D079F0
Page 377 and 378: 06:34:09: Running 'xp\gpresult.exe'
Page 379 and 380: 06:34:15: Verifying 'microsoft\regd
Page 381 and 382: 06:34:16: Running 'microsoft\reg.ex
Page 383 and 384: [DONE] SKIPPED (via '-nowrite' para
Page 385: 'mail.gif' (md5=38477E98FB3ED60B829
Page 389 and 390: Appendix 17: Live Acquisition of Ph
Page 391 and 392: The problem issue was clearly state
Page 393 and 394: Figure A17.9: Evidence item informa
Page 395 and 396: Figure A17.13: Successful creation
Page 397 and 398: Physical Drive Acquisition Report b
Page 399 and 400: Figure A18.2: Screenshot of the Acq
Page 401 and 402: Figure A18.4: Screenshots of the Ac
Page 403 and 404: Figure A19.2b: Screenshot of the In
Page 405 and 406: Figure A19.5: Screenshot of the lau
Page 407 and 408: Figure A19.10: Choosing the OS path
Page 409 and 410: Figure A19.16: Avoiding the tools t
Page 411 and 412: Figure A19.21a: WFT tool in action
Page 413 and 414: Figure A19.22b: The acquisition of
Page 415 and 416: Appendix 20: Extended wftSQL Batchf
Page 417 and 418: SET /P USERQUESTION=Use currently l
Page 419 and 420: Appendix 21_Screenshots of Hashing
Page 421 and 422: Appendix 22: Hash Values Comparison
Page 423 and 424: DBO_RFIDlog_tblStat_Date.txt Text 4
Page 425 and 426: IDE_Image.E06 EnCase Image eaa9522a
Page 427 and 428: Endpoints.htm Web Page d23eef6404ca
Page 429 and 430: PSLIST.HTM Web Page 79dbea76b982972
Page 431 and 432: IPXROUTE.HTM Web Page 97d4e1dd9621b
Page 433 and 434: PSFILE.HTM Web Page d6d58ad5914ef24
Page 435 and 436: HKLM_RS.HTM Web Page f756a379df8579
Page 437 and 438:
MDM.HTM Web Page a5e04ce095305295ae
Page 439 and 440:
WFT_CFG.TXT Text 1d378b80f8e0e7ea4f
Page 441 and 442:
PCLIP.TXT Text 037130bf88e524d8f61a
Page 443 and 444:
TLIST_V.TXT Text cdf2d49e302522e370
Page 445 and 446:
HUNT.TXT Text 99553ccd8e14cae6db789
Page 447 and 448:
C_hidden.txt Text 5f45b5367c7ed8852
Page 449 and 450:
HKCU_R.TXT Text 9e7b99199b2931e811a
Page 451 and 452:
ARKAR_US.B BASIC Source Code .E01 e
Page 453 and 454:
CollationAndDataType.txt Text 37a07
Page 455 and 456:
RFID_test.md5 45c0868ea943c2171ff35
Page 457 and 458:
errorlog_4.md5 3f7f86d69760b535bd82
Page 459 and 460:
Appendix 23: Analysis of Acquired S
Page 461 and 462:
2010-10-25 12:37:05.56 Server Serve
Page 463 and 464:
2010-10-05 01:22:55.53 Server Detec
Page 465 and 466:
2010-10-07 15:20:54.21 Server Serve
Page 467 and 468:
2010-10-25 12:17:39.26 Server Serve
Page 469 and 470:
2010-10-03 00:59:55.96 Server Dedic
Page 471 and 472:
2010-10-02 00:11:57.85 Server -d C:
Page 473 and 474:
2010-10-02 02:40:05.35 Server SQL S
Page 475 and 476:
2010-10-01 23:20:15.28 Server Dedic
Page 477 and 478:
2010-10-01 23:14:19.50 Server Using
Page 479 and 480:
2010-10-01 23:20:12.40 Server The S
Page 481 and 482:
2010-10-01 23:12:03.65 spid4s Recov
Page 483 and 484:
processed. Likewise, the acquired r
Page 485:
Figure 24A.3: There is no record in
show all

Digital Forensics in Small Devices: RFID Tag Investigation

Create successful ePaper yourself

Delete template?

Save as template?