- Page 1 and 2:
Digital Forensics in Small Devices:
- Page 3 and 4:
iii Acknowledgements This thesis wa
- Page 5 and 6:
v Abstract Read/Write Radio Frequen
- Page 7 and 8:
vii Table of Contents (Volume 1) De
- Page 9 and 10:
ix 3.2.2.2 The POS Entity Security
- Page 11 and 12:
xi 4.3.4 Analysis of the Physical D
- Page 13 and 14:
xiii List of Tables Table 2.1 Chara
- Page 15 and 16:
Figure 4.3: Error encountered durin
- Page 17 and 18:
xvii Figure 4.53: Acquisitions of a
- Page 19 and 20:
LF Low Frequency xix LLRP Low Level
- Page 21 and 22:
process (see Chalasani, Boppana, &
- Page 23 and 24:
of potential evidence after an even
- Page 25 and 26:
investigation. Likewise, all the re
- Page 27 and 28:
practices concerned with the forens
- Page 29 and 30:
defines different types of malware
- Page 31 and 32:
2.1.1 RFID Transponders or Tags The
- Page 33 and 34:
Table 2.1: Characteristics and Clas
- Page 35 and 36:
Moreover, depending on the complexi
- Page 37 and 38:
However, according to EPCglobal (El
- Page 39 and 40: According to Harmon (2006, pp. 45-4
- Page 41 and 42: 2.2.1 Memory Technologies for RFID
- Page 43 and 44: y the reader as the tag's address
- Page 45 and 46: wavelength long and depends on the
- Page 47 and 48: Karygiannis et al., (2007, pp. 2-15
- Page 49 and 50: attacker can perform eavesdropping
- Page 51 and 52: 2.5 RFID STOCK MANAGEMENT SECURITY
- Page 53 and 54: Figure 2.15: RFID Business System S
- Page 55 and 56: 3.0 INTRODUCTION Chapter 3 - Resear
- Page 57 and 58: etrieve data to an external data so
- Page 59 and 60: firstly affect the back-end RFID mi
- Page 61 and 62: Figure 3.2: Scenario 1 illustration
- Page 63 and 64: Unlike SQL Server forensics, the tr
- Page 65 and 66: forensic workstation must be prepar
- Page 67 and 68: Then, the researcher verified the S
- Page 69 and 70: within the affected records”. In
- Page 71 and 72: can also be found not only in the d
- Page 73 and 74: Likewise, Relevancy is related to t
- Page 75 and 76: 3.2 THE RESEARCH DESIGN In the prev
- Page 77 and 78: e investigated for evidence of the
- Page 79 and 80: 3.2.2 Review of Problem Areas in RF
- Page 81 and 82: participants, the Information Syste
- Page 83 and 84: 3.2.3 Case Study The researcher int
- Page 85 and 86: 3.2.6 Research Question As stated i
- Page 87 and 88: 3.2.8 Data Map Figure 3.9: Data Map
- Page 89: software (see Appendix 4) that can
- Page 93 and 94: system of the target machine (Jones
- Page 95 and 96: other collected evidence data by us
- Page 97 and 98: SQL Server artefacts (for the purpo
- Page 99 and 100: presence of digital evidence after
- Page 101 and 102: 4.0 INTRODUCTION Chapter 4 - Resear
- Page 103 and 104: Figure 4.1: Error encountered durin
- Page 105 and 106: server (Figure 4.6) due to the user
- Page 107 and 108: Section 4.2 include the snippets of
- Page 109 and 110: 4.2.2 Live Extraction of Binaries R
- Page 111 and 112: 4.2.3.1 Automated Artefact Collecti
- Page 113 and 114: 4.2.3.2 Ad Hoc Artefact Collection
- Page 115 and 116: 4.2.3.3.1 Active VLF Data After gat
- Page 117 and 118: The acquisition result of ring buff
- Page 119 and 120: Depending on the version of the vic
- Page 121 and 122: syntax was used to acquire a server
- Page 123 and 124: :out E:\SystemDatabaseRoleMembers.t
- Page 125 and 126: However, according to Fowler (2009,
- Page 127 and 128: After collecting the table statisti
- Page 129 and 130: Thus, the result of the current tab
- Page 131 and 132: 4.2.3.4.6 Data Page Allocation Arte
- Page 133 and 134: components of database were enabled
- Page 135 and 136: The record of shutting down the ser
- Page 137 and 138: “application logic and extend the
- Page 139 and 140: 4.2.3.6.5 SQL Server Error Logs Usu
- Page 141 and 142:
4.2.4 Physical Disk Drive Finally,
- Page 143 and 144:
Figure 4.56: Analyzing the image co
- Page 145 and 146:
could not. Hence, the artefacts cou
- Page 147 and 148:
5.0 INTRODUCTION Chapter 5 - Resear
- Page 149 and 150:
the laboratory to simulate a RFID t
- Page 151 and 152:
and confirmed the database was obvi
- Page 153 and 154:
SUMMARY: After analysing all the ac
- Page 155 and 156:
all the collected digital evidence
- Page 157 and 158:
Table 5.5: Secondary Research Quest
- Page 159 and 160:
write blocker (Tableau Forensic USB
- Page 161 and 162:
collected digital evidence files (b
- Page 163 and 164:
5.2.3 Discussion of Conducted Attac
- Page 165 and 166:
forensic work-station (Appendix 10)
- Page 167 and 168:
forensic test-station for the inves
- Page 169 and 170:
the trusted forensic toolkits. In a
- Page 171 and 172:
6.0 INTRODUCTION Chapter 6 - Conclu
- Page 173 and 174:
Table 6.1: Specific forensic tools
- Page 175 and 176:
the evidential data are the importa
- Page 177 and 178:
(Chapter 5; Section 5.3) for both d
- Page 179 and 180:
Bolan, C. (2007). A single channel
- Page 181 and 182:
El-Said, M. M., & Woodring, I. (200
- Page 183 and 184:
Hunt, V. D., Puglia, A., & Puglia,
- Page 185 and 186:
Kou, D., Zhao, K., Tao, Y., & Kou,
- Page 187 and 188:
Notes in Computer Science 5379(2009
- Page 189 and 190:
Tripwire, Inc. (2010a). Tripwire Ma
- Page 191 and 192:
Digital Forensics in Small Devices:
- Page 193 and 194:
Appendix 1: Volatile and Non-volati
- Page 195 and 196:
3 Activity Endpoints* ● md5deep N
- Page 197 and 198:
Appendix 2: Steps for Creating Radi
- Page 199 and 200:
14. Gather the latest versions of W
- Page 201 and 202:
The following is the detail record
- Page 203 and 204:
COMPLETE 'Logins.txt' (md5=A2993744
- Page 205 and 206:
(md5=A2993744A56BA83ADE52948062C968
- Page 207 and 208:
'Schemas.htm' (md5=30BB65A20F1381D7
- Page 209 and 210:
22:02:26: Hashing 'wft_cfg.txt' (md
- Page 211 and 212:
Record any checksum(s) below to lat
- Page 213 and 214:
22. Although the extended version o
- Page 215 and 216:
Appendix 3: Source Code of the Deve
- Page 217 and 218:
{ } else { MessageBox.Show("No read
- Page 219 and 220:
} } btnConnect.Enabled = true; btnD
- Page 221 and 222:
MessageBox.Show(this, "Connection t
- Page 223 and 224:
} } } dwNumEntries = usbRFID.GetNum
- Page 225 and 226:
add it to the list box LogItem.szID
- Page 227 and 228:
if(fdialog.FileName != "") { FileSt
- Page 229 and 230:
private string constr = @"Data Sour
- Page 231 and 232:
} } else { } catch (Exception ex) {
- Page 233 and 234:
} } } } insertTagtoDB(TagID, TagVal
- Page 235 and 236:
} break; case ("Protection"): { uiB
- Page 237 and 238:
} } } //this.Cursor = Cursors.Defau
- Page 239 and 240:
} } btnReadTag.Enabled = false; tmr
- Page 241 and 242:
private void insertTagtoDB(string T
- Page 243 and 244:
} } } private void btnLOGload_Click
- Page 245 and 246:
Step 4: Then, the Tripwire will per
- Page 247 and 248:
Similarly, Tripwire user account sh
- Page 249 and 250:
Figure A5.5: Installation of the Tr
- Page 251 and 252:
Appendix 6: An Example of the Condu
- Page 253 and 254:
Sync” allowing the users to confi
- Page 255 and 256:
Figure A6.8: RFID Sync Application
- Page 257 and 258:
Figure A6.10: Screenshot of writing
- Page 259 and 260:
Step 3: Configure the reader’s Ta
- Page 261 and 262:
Step 8: Edit the Tripwire configura
- Page 263 and 264:
Step 12: Record of the fictitious l
- Page 265 and 266:
Step 16: Similarly, check whether t
- Page 267 and 268:
Step 20: Check the primary database
- Page 269 and 270:
Appendix 7: Steps taken before the
- Page 271 and 272:
insert into rfid_log ( Tag, User_da
- Page 273 and 274:
Figure A7.3: Pre-keyed data in the
- Page 275 and 276:
Figure A7.7: Pre-keyed data in the
- Page 277 and 278:
Figure A7.11: Screenshot of Tripwir
- Page 279 and 280:
Step 10: Once Tripwire database was
- Page 281 and 282:
Appendix 8: Steps taken after the S
- Page 283 and 284:
Step 3: The integrity check was ini
- Page 285 and 286:
Figure A8.8: Screenshot of the Trip
- Page 287 and 288:
Figure A8.12: Screenshot of the bac
- Page 289 and 290:
Figure A9.3: Network Interface Card
- Page 291 and 292:
Figure A9.7: Enterprise Version of
- Page 293 and 294:
Appendix 10: Screenshots of Forensi
- Page 295 and 296:
Appendix 11: Forensically Sterilizi
- Page 297 and 298:
Figure A11.4: Wiping all the secto
- Page 299 and 300:
Appendix 12: Steps for Copying and
- Page 301 and 302:
Figure A12.6: Acquiring the forensi
- Page 303 and 304:
12. However, the acquisition was ca
- Page 305 and 306:
15. Then, the original evidence dri
- Page 307 and 308:
18. Then, a bad signature file was
- Page 309 and 310:
Appendix 13: Artefacts Collected by
- Page 311 and 312:
Figure A13.5: Acquired backend SQL
- Page 313 and 314:
SQL SERVER - DATABASE SERVER INFORM
- Page 315 and 316:
Figure A13.15: Fragment of the acqu
- Page 317 and 318:
Figure A13.18: Result of the Acquir
- Page 319 and 320:
Figure A13.23: Result of the Acquir
- Page 321 and 322:
72CBADAE0A1F9FF34D4A35A9AB26BDB8 Au
- Page 323 and 324:
2428169B31C96FE4A767215000AA0008 in
- Page 325 and 326:
Appendix 15: WFT Tool Log during th
- Page 327 and 328:
06:31:36: Verifying 'sql\runsql.bat
- Page 329 and 330:
(md5=A7A43C52521F85BDD6683D9E0E4A00
- Page 331 and 332:
(md5=AB700D66945BBC9FBFA34002A808A2
- Page 333 and 334:
[DB Configuration] (md5=F416BF7233E
- Page 335 and 336:
(md5=FEDD1E9DF1B76C877B8027B62E401B
- Page 337 and 338:
06:32:21: Verifying 'xp\mem.exe' OK
- Page 339 and 340:
06:32:22: Verifying 'sysinternals\p
- Page 341 and 342:
'uptime.htm' (md5=B7456D103CBF5E49F
- Page 343 and 344:
'netlgrp.txt' (md5=E6D74D46AECD9692
- Page 345 and 346:
06:32:26: Verifying 'cygwin\cygwin1
- Page 347 and 348:
'cmdline.txt' (md5=B44C85C704337F00
- Page 349 and 350:
06:32:32: Verifying 'netlatency\ser
- Page 351 and 352:
06:32:35: Verifying 'diamondcs\ipli
- Page 353 and 354:
(md5=BB5127D25439D1B50A305B1CF865FE
- Page 355 and 356:
(md5=647578D95B7F3B11B6CCF833E29670
- Page 357 and 358:
06:32:41: Verifying 'perl\re.dll' O
- Page 359 and 360:
(md5=C4DA0F6D85F641B3E5A0F065AEDB27
- Page 361 and 362:
06:33:15: Verifying '2k\res_kit\dum
- Page 363 and 364:
[FILE SYSTEM] (md5=E9D558E387FC2208
- Page 365 and 366:
06:33:19: Running 'tools\xp\cmd.exe
- Page 367 and 368:
06:33:20: Verifying 'tools\xp\cmd.e
- Page 369 and 370:
'sys_ini.txt' (md5=B143A6852C9EF93E
- Page 371 and 372:
06:33:22: Running 'xp\at.exe' [#132
- Page 373 and 374:
06:33:24: Verifying 'microsoft\reg.
- Page 375 and 376:
(md5=4380D8F2014A5C35BF59DF30D079F0
- Page 377 and 378:
06:34:09: Running 'xp\gpresult.exe'
- Page 379 and 380:
06:34:15: Verifying 'microsoft\regd
- Page 381 and 382:
06:34:16: Running 'microsoft\reg.ex
- Page 383 and 384:
[DONE] SKIPPED (via '-nowrite' para
- Page 385 and 386:
'mail.gif' (md5=38477E98FB3ED60B829
- Page 387 and 388:
Step 3: The SQL poisoning attack wa
- Page 389 and 390:
Appendix 17: Live Acquisition of Ph
- Page 391 and 392:
The problem issue was clearly state
- Page 393 and 394:
Figure A17.9: Evidence item informa
- Page 395 and 396:
Figure A17.13: Successful creation
- Page 397 and 398:
Physical Drive Acquisition Report b
- Page 399 and 400:
Figure A18.2: Screenshot of the Acq
- Page 401 and 402:
Figure A18.4: Screenshots of the Ac
- Page 403 and 404:
Figure A19.2b: Screenshot of the In
- Page 405 and 406:
Figure A19.5: Screenshot of the lau
- Page 407 and 408:
Figure A19.10: Choosing the OS path
- Page 409 and 410:
Figure A19.16: Avoiding the tools t
- Page 411 and 412:
Figure A19.21a: WFT tool in action
- Page 413 and 414:
Figure A19.22b: The acquisition of
- Page 415 and 416:
Appendix 20: Extended wftSQL Batchf
- Page 417 and 418:
SET /P USERQUESTION=Use currently l
- Page 419 and 420:
Appendix 21_Screenshots of Hashing
- Page 421 and 422:
Appendix 22: Hash Values Comparison
- Page 423 and 424:
DBO_RFIDlog_tblStat_Date.txt Text 4
- Page 425 and 426:
IDE_Image.E06 EnCase Image eaa9522a
- Page 427 and 428:
Endpoints.htm Web Page d23eef6404ca
- Page 429 and 430:
PSLIST.HTM Web Page 79dbea76b982972
- Page 431 and 432:
IPXROUTE.HTM Web Page 97d4e1dd9621b
- Page 433 and 434:
PSFILE.HTM Web Page d6d58ad5914ef24
- Page 435 and 436:
HKLM_RS.HTM Web Page f756a379df8579
- Page 437 and 438:
MDM.HTM Web Page a5e04ce095305295ae
- Page 439 and 440:
WFT_CFG.TXT Text 1d378b80f8e0e7ea4f
- Page 441 and 442:
PCLIP.TXT Text 037130bf88e524d8f61a
- Page 443 and 444:
TLIST_V.TXT Text cdf2d49e302522e370
- Page 445 and 446:
HUNT.TXT Text 99553ccd8e14cae6db789
- Page 447 and 448:
C_hidden.txt Text 5f45b5367c7ed8852
- Page 449 and 450:
HKCU_R.TXT Text 9e7b99199b2931e811a
- Page 451 and 452:
ARKAR_US.B BASIC Source Code .E01 e
- Page 453 and 454:
CollationAndDataType.txt Text 37a07
- Page 455 and 456:
RFID_test.md5 45c0868ea943c2171ff35
- Page 457 and 458:
errorlog_4.md5 3f7f86d69760b535bd82
- Page 459 and 460:
Appendix 23: Analysis of Acquired S
- Page 461 and 462:
2010-10-25 12:37:05.56 Server Serve
- Page 463 and 464:
2010-10-05 01:22:55.53 Server Detec
- Page 465 and 466:
2010-10-07 15:20:54.21 Server Serve
- Page 467 and 468:
2010-10-25 12:17:39.26 Server Serve
- Page 469 and 470:
2010-10-03 00:59:55.96 Server Dedic
- Page 471 and 472:
2010-10-02 00:11:57.85 Server -d C:
- Page 473 and 474:
2010-10-02 02:40:05.35 Server SQL S
- Page 475 and 476:
2010-10-01 23:20:15.28 Server Dedic
- Page 477 and 478:
2010-10-01 23:14:19.50 Server Using
- Page 479 and 480:
2010-10-01 23:20:12.40 Server The S
- Page 481 and 482:
2010-10-01 23:12:03.65 spid4s Recov
- Page 483 and 484:
processed. Likewise, the acquired r
- Page 485:
Figure 24A.3: There is no record in