Digital Forensics in Small Devices: RFID Tag Investigation

More documents

Recommendations

Info

After analyzing the report on the 12 th of October 2010, the administrator finds out the product database has been changed, according to the changes in MD5 hashes of the databases and all the values of SI are changed to $600.00. Thus, the changes on the values of SI are unusual as different products in the shop are tagged with different prices (see Section 3.3.1 and Appendix 8). So, the administrator escalates the event‟s priority and reports it to the incident response team. Then, the report is reviewed and the forensic investigation is initiated by the first responder or forensic investigator. 3.3.4 Data Collection Generally, the main digital evidence can be collected from the target system of interest as the digital evidence can be found in several different areas of target system (Zhang & Lin, 2010). The very first step needs to be performed by the first responder or forensic investigator is to identify and acquire the evidence. There are various procedures that need to be followed. The procedures are followed in such a way that the evidence is acceptable to court of law. For instance, the potential evidence must be identified and located. Similarly, the crime scene must be secured. So, the potential evidence of the compromised RFID BS will not be altered. Likewise, Britz (2009) stated that the preservation is also a part of seizing the evidence such as obtaining the warrant, planning the seizure, securing the crime scene, identifying, locating, documentation and transportation of the evidence, in the real world. As stated in Section 3.2.1, the live forensic acquisition method will be used to collect all the potential evidence from the compromised RFID BS of the retail shop. Hence, the potential evidence data will be identified and acquired from several different locations such as the services, entities and sub-systems of the Business System architecture (see Table 2.5 in Section 2.3) of a compromised RFID stock management system. Therefore, after the identification of the evidence at the crime scene during the investigation; the investigator will acquire the log files including reader‟s memory logs, server transaction logs, volatile and non-volatile artifacts of the SQL Server data, random access memory (RAM) of POS and the like on the live target operation 73
system of the target machine (Jones, Bejlich, & Rose, 2006b; Jones, 2007; Fowler, 2007, 2009; Brobler & Von Solms, 2009). The different data collection methods during live forensic investigation include using the variety of hardware and software tools. For instances; Guidance Software‟s WinEn, RAM imaging tool will be used to acquire RAM of POS while the proposed ReaderLogExtractionTool (Section 3.2.1) will be used to acquire bit- to-bit data acquisition of transaction logs from the RFID reader‟s memory. Similarly, WFT tool (Section 3.1.4) will be applied in order to perform the automated evidence collection of the volatile and non-volatile SQL Server artefacts (Fowler, 2007) whereas the imaging tool like dcfldd (which is an extended version of the imaging tool “dd” and developed by the United States Department of Defense Computer Forensics Lab – DCFL) will be employed for the ac hoc acquisition of the physical SQL Server database files from the compromised RFID BS (Fowler, 2009). Moreover, the hardware write blocker like Tableau Forensic USB Bridge will also be deployed in order to avoid the alternation of any original evidence data and preserve them during the forensic investigation. Likewise, the hardware forensic disk imaging tool, Disk Jokey Pro, will be used if necessary in order to collect and preserve the bit- to-bit image of the physical hard disk of the target server/POS workstation. However, all the required software forensic tools for data collection will be integrated into the customized Helix_RFID_IncidentResonse (Helix_RFID_IR CD/DVD) toolkit (Section 3.2.1) and the live data acquisition will be performed by placing it into the compromised machine‟s CD/DVD drive in order to avoid any modifications or affect minimum impact to the original evidence during the acquisition phase (Jones et al., 2006b; Jones, 2007; Fowler, 2007, 2009; etc.,). For the purpose of preservation; all the collected artefacts will be digitally hashed with trusted Message Digest Algorithm 5 (MD5), which is a 128 bit- cryptographic hashing algorithm, in order to maintain the integrity of the artefacts. MD5 hashing will be performed by using dcfldd and md5deep tools during the data collection. An example of hashing the collected data using the trusted md5deep can be found in the following (Figure 3.12). The outputs of the collected data will also be saved into a sterilized USB flash drive, which is forensically wiped with Guidance 74
Page 1 and 2:
Digital Forensics in Small Devices:
Page 3 and 4:
iii Acknowledgements This thesis wa
Page 5 and 6:
v Abstract Read/Write Radio Frequen
Page 7 and 8:
vii Table of Contents (Volume 1) De
Page 9 and 10:
ix 3.2.2.2 The POS Entity Security
Page 11 and 12:
xi 4.3.4 Analysis of the Physical D
Page 13 and 14:
xiii List of Tables Table 2.1 Chara
Page 15 and 16:
Figure 4.3: Error encountered durin
Page 17 and 18:
xvii Figure 4.53: Acquisitions of a
Page 19 and 20:
LF Low Frequency xix LLRP Low Level
Page 21 and 22:
process (see Chalasani, Boppana, &
Page 23 and 24:
of potential evidence after an even
Page 25 and 26:
investigation. Likewise, all the re
Page 27 and 28:
practices concerned with the forens
Page 29 and 30:
defines different types of malware
Page 31 and 32:
2.1.1 RFID Transponders or Tags The
Page 33 and 34:
Table 2.1: Characteristics and Clas
Page 35 and 36:
Moreover, depending on the complexi
Page 37 and 38:
However, according to EPCglobal (El
Page 39 and 40:
According to Harmon (2006, pp. 45-4
Page 41 and 42: 2.2.1 Memory Technologies for RFID
Page 43 and 44: y the reader as the tag‟s address
Page 45 and 46: wavelength long and depends on the
Page 47 and 48: Karygiannis et al., (2007, pp. 2-15
Page 49 and 50: attacker can perform eavesdropping
Page 51 and 52: 2.5 RFID STOCK MANAGEMENT SECURITY
Page 53 and 54: Figure 2.15: RFID Business System S
Page 55 and 56: 3.0 INTRODUCTION Chapter 3 - Resear
Page 57 and 58: etrieve data to an external data so
Page 59 and 60: firstly affect the back-end RFID mi
Page 61 and 62: Figure 3.2: Scenario 1 illustration
Page 63 and 64: Unlike SQL Server forensics, the tr
Page 65 and 66: forensic workstation must be prepar
Page 67 and 68: Then, the researcher verified the S
Page 69 and 70: within the affected records”. In
Page 71 and 72: can also be found not only in the d
Page 73 and 74: Likewise, Relevancy is related to t
Page 75 and 76: 3.2 THE RESEARCH DESIGN In the prev
Page 77 and 78: e investigated for evidence of the
Page 79 and 80: 3.2.2 Review of Problem Areas in RF
Page 81 and 82: participants, the Information Syste
Page 83 and 84: 3.2.3 Case Study The researcher int
Page 85 and 86: 3.2.6 Research Question As stated i
Page 87 and 88: 3.2.8 Data Map Figure 3.9: Data Map
Page 89 and 90: software (see Appendix 4) that can
Page 91: and Deng (2007) illustrated two eff
Page 95 and 96: other collected evidence data by us
Page 97 and 98: SQL Server artefacts (for the purpo
Page 99 and 100: presence of digital evidence after
Page 101 and 102: 4.0 INTRODUCTION Chapter 4 - Resear
Page 103 and 104: Figure 4.1: Error encountered durin
Page 105 and 106: server (Figure 4.6) due to the user
Page 107 and 108: Section 4.2 include the snippets of
Page 109 and 110: 4.2.2 Live Extraction of Binaries R
Page 111 and 112: 4.2.3.1 Automated Artefact Collecti
Page 113 and 114: 4.2.3.2 Ad Hoc Artefact Collection
Page 115 and 116: 4.2.3.3.1 Active VLF Data After gat
Page 117 and 118: The acquisition result of ring buff
Page 119 and 120: Depending on the version of the vic
Page 121 and 122: syntax was used to acquire a server
Page 123 and 124: :out E:\SystemDatabaseRoleMembers.t
Page 125 and 126: However, according to Fowler (2009,
Page 127 and 128: After collecting the table statisti
Page 129 and 130: Thus, the result of the current tab
Page 131 and 132: 4.2.3.4.6 Data Page Allocation Arte
Page 133 and 134: components of database were enabled
Page 135 and 136: The record of shutting down the ser
Page 137 and 138: “application logic and extend the
Page 139 and 140: 4.2.3.6.5 SQL Server Error Logs Usu
Page 141 and 142: 4.2.4 Physical Disk Drive Finally,
Page 143 and 144:
Figure 4.56: Analyzing the image co
Page 145 and 146:
could not. Hence, the artefacts cou
Page 147 and 148:
5.0 INTRODUCTION Chapter 5 - Resear
Page 149 and 150:
the laboratory to simulate a RFID t
Page 151 and 152:
and confirmed the database was obvi
Page 153 and 154:
SUMMARY: After analysing all the ac
Page 155 and 156:
all the collected digital evidence
Page 157 and 158:
Table 5.5: Secondary Research Quest
Page 159 and 160:
write blocker (Tableau Forensic USB
Page 161 and 162:
collected digital evidence files (b
Page 163 and 164:
5.2.3 Discussion of Conducted Attac
Page 165 and 166:
forensic work-station (Appendix 10)
Page 167 and 168:
forensic test-station for the inves
Page 169 and 170:
the trusted forensic toolkits. In a
Page 171 and 172:
6.0 INTRODUCTION Chapter 6 - Conclu
Page 173 and 174:
Table 6.1: Specific forensic tools
Page 175 and 176:
the evidential data are the importa
Page 177 and 178:
(Chapter 5; Section 5.3) for both d
Page 179 and 180:
Bolan, C. (2007). A single channel
Page 181 and 182:
El-Said, M. M., & Woodring, I. (200
Page 183 and 184:
Hunt, V. D., Puglia, A., & Puglia,
Page 185 and 186:
Kou, D., Zhao, K., Tao, Y., & Kou,
Page 187 and 188:
Notes in Computer Science 5379(2009
Page 189 and 190:
Tripwire, Inc. (2010a). Tripwire Ma
Page 191 and 192:
Digital Forensics in Small Devices:
Page 193 and 194:
Appendix 1: Volatile and Non-volati
Page 195 and 196:
3 Activity Endpoints* ● md5deep N
Page 197 and 198:
Appendix 2: Steps for Creating Radi
Page 199 and 200:
14. Gather the latest versions of W
Page 201 and 202:
The following is the detail record
Page 203 and 204:
COMPLETE 'Logins.txt' (md5=A2993744
Page 205 and 206:
(md5=A2993744A56BA83ADE52948062C968
Page 207 and 208:
'Schemas.htm' (md5=30BB65A20F1381D7
Page 209 and 210:
22:02:26: Hashing 'wft_cfg.txt' (md
Page 211 and 212:
Record any checksum(s) below to lat
Page 213 and 214:
22. Although the extended version o
Page 215 and 216:
Appendix 3: Source Code of the Deve
Page 217 and 218:
{ } else { MessageBox.Show("No read
Page 219 and 220:
} } btnConnect.Enabled = true; btnD
Page 221 and 222:
MessageBox.Show(this, "Connection t
Page 223 and 224:
} } } dwNumEntries = usbRFID.GetNum
Page 225 and 226:
add it to the list box LogItem.szID
Page 227 and 228:
if(fdialog.FileName != "") { FileSt
Page 229 and 230:
private string constr = @"Data Sour
Page 231 and 232:
} } else { } catch (Exception ex) {
Page 233 and 234:
} } } } insertTagtoDB(TagID, TagVal
Page 235 and 236:
} break; case ("Protection"): { uiB
Page 237 and 238:
} } } //this.Cursor = Cursors.Defau
Page 239 and 240:
} } btnReadTag.Enabled = false; tmr
Page 241 and 242:
private void insertTagtoDB(string T
Page 243 and 244:
} } } private void btnLOGload_Click
Page 245 and 246:
Step 4: Then, the Tripwire will per
Page 247 and 248:
Similarly, Tripwire user account sh
Page 249 and 250:
Figure A5.5: Installation of the Tr
Page 251 and 252:
Appendix 6: An Example of the Condu
Page 253 and 254:
Sync” allowing the users to confi
Page 255 and 256:
Figure A6.8: RFID Sync Application
Page 257 and 258:
Figure A6.10: Screenshot of writing
Page 259 and 260:
Step 3: Configure the reader’s Ta
Page 261 and 262:
Step 8: Edit the Tripwire configura
Page 263 and 264:
Step 12: Record of the fictitious l
Page 265 and 266:
Step 16: Similarly, check whether t
Page 267 and 268:
Step 20: Check the primary database
Page 269 and 270:
Appendix 7: Steps taken before the
Page 271 and 272:
insert into rfid_log ( Tag, User_da
Page 273 and 274:
Figure A7.3: Pre-keyed data in the
Page 275 and 276:
Figure A7.7: Pre-keyed data in the
Page 277 and 278:
Figure A7.11: Screenshot of Tripwir
Page 279 and 280:
Step 10: Once Tripwire database was
Page 281 and 282:
Appendix 8: Steps taken after the S
Page 283 and 284:
Step 3: The integrity check was ini
Page 285 and 286:
Figure A8.8: Screenshot of the Trip
Page 287 and 288:
Figure A8.12: Screenshot of the bac
Page 289 and 290:
Figure A9.3: Network Interface Card
Page 291 and 292:
Figure A9.7: Enterprise Version of
Page 293 and 294:
Appendix 10: Screenshots of Forensi
Page 295 and 296:
Appendix 11: Forensically Sterilizi
Page 297 and 298:
Figure A11. 4: Wiping all the secto
Page 299 and 300:
Appendix 12: Steps for Copying and
Page 301 and 302:
Figure A12.6: Acquiring the forensi
Page 303 and 304:
12. However, the acquisition was ca
Page 305 and 306:
15. Then, the original evidence dri
Page 307 and 308:
18. Then, a bad signature file was
Page 309 and 310:
Appendix 13: Artefacts Collected by
Page 311 and 312:
Figure A13.5: Acquired backend SQL
Page 313 and 314:
SQL SERVER - DATABASE SERVER INFORM
Page 315 and 316:
Figure A13.15: Fragment of the acqu
Page 317 and 318:
Figure A13.18: Result of the Acquir
Page 319 and 320:
Figure A13.23: Result of the Acquir
Page 321 and 322:
72CBADAE0A1F9FF34D4A35A9AB26BDB8 Au
Page 323 and 324:
2428169B31C96FE4A767215000AA0008 in
Page 325 and 326:
Appendix 15: WFT Tool Log during th
Page 327 and 328:
06:31:36: Verifying 'sql\runsql.bat
Page 329 and 330:
(md5=A7A43C52521F85BDD6683D9E0E4A00
Page 331 and 332:
(md5=AB700D66945BBC9FBFA34002A808A2
Page 333 and 334:
[DB Configuration] (md5=F416BF7233E
Page 335 and 336:
(md5=FEDD1E9DF1B76C877B8027B62E401B
Page 337 and 338:
06:32:21: Verifying 'xp\mem.exe' OK
Page 339 and 340:
06:32:22: Verifying 'sysinternals\p
Page 341 and 342:
'uptime.htm' (md5=B7456D103CBF5E49F
Page 343 and 344:
'netlgrp.txt' (md5=E6D74D46AECD9692
Page 345 and 346:
06:32:26: Verifying 'cygwin\cygwin1
Page 347 and 348:
'cmdline.txt' (md5=B44C85C704337F00
Page 349 and 350:
06:32:32: Verifying 'netlatency\ser
Page 351 and 352:
06:32:35: Verifying 'diamondcs\ipli
Page 353 and 354:
(md5=BB5127D25439D1B50A305B1CF865FE
Page 355 and 356:
(md5=647578D95B7F3B11B6CCF833E29670
Page 357 and 358:
06:32:41: Verifying 'perl\re.dll' O
Page 359 and 360:
(md5=C4DA0F6D85F641B3E5A0F065AEDB27
Page 361 and 362:
06:33:15: Verifying '2k\res_kit\dum
Page 363 and 364:
[FILE SYSTEM] (md5=E9D558E387FC2208
Page 365 and 366:
06:33:19: Running 'tools\xp\cmd.exe
Page 367 and 368:
06:33:20: Verifying 'tools\xp\cmd.e
Page 369 and 370:
'sys_ini.txt' (md5=B143A6852C9EF93E
Page 371 and 372:
06:33:22: Running 'xp\at.exe' [#132
Page 373 and 374:
06:33:24: Verifying 'microsoft\reg.
Page 375 and 376:
(md5=4380D8F2014A5C35BF59DF30D079F0
Page 377 and 378:
06:34:09: Running 'xp\gpresult.exe'
Page 379 and 380:
06:34:15: Verifying 'microsoft\regd
Page 381 and 382:
06:34:16: Running 'microsoft\reg.ex
Page 383 and 384:
[DONE] SKIPPED (via '-nowrite' para
Page 385 and 386:
'mail.gif' (md5=38477E98FB3ED60B829
Page 387 and 388:
Step 3: The SQL poisoning attack wa
Page 389 and 390:
Appendix 17: Live Acquisition of Ph
Page 391 and 392:
The problem issue was clearly state
Page 393 and 394:
Figure A17.9: Evidence item informa
Page 395 and 396:
Figure A17.13: Successful creation
Page 397 and 398:
Physical Drive Acquisition Report b
Page 399 and 400:
Figure A18.2: Screenshot of the Acq
Page 401 and 402:
Figure A18.4: Screenshots of the Ac
Page 403 and 404:
Figure A19.2b: Screenshot of the In
Page 405 and 406:
Figure A19.5: Screenshot of the lau
Page 407 and 408:
Figure A19.10: Choosing the OS path
Page 409 and 410:
Figure A19.16: Avoiding the tools t
Page 411 and 412:
Figure A19.21a: WFT tool in action
Page 413 and 414:
Figure A19.22b: The acquisition of
Page 415 and 416:
Appendix 20: Extended wftSQL Batchf
Page 417 and 418:
SET /P USERQUESTION=Use currently l
Page 419 and 420:
Appendix 21_Screenshots of Hashing
Page 421 and 422:
Appendix 22: Hash Values Comparison
Page 423 and 424:
DBO_RFIDlog_tblStat_Date.txt Text 4
Page 425 and 426:
IDE_Image.E06 EnCase Image eaa9522a
Page 427 and 428:
Endpoints.htm Web Page d23eef6404ca
Page 429 and 430:
PSLIST.HTM Web Page 79dbea76b982972
Page 431 and 432:
IPXROUTE.HTM Web Page 97d4e1dd9621b
Page 433 and 434:
PSFILE.HTM Web Page d6d58ad5914ef24
Page 435 and 436:
HKLM_RS.HTM Web Page f756a379df8579
Page 437 and 438:
MDM.HTM Web Page a5e04ce095305295ae
Page 439 and 440:
WFT_CFG.TXT Text 1d378b80f8e0e7ea4f
Page 441 and 442:
PCLIP.TXT Text 037130bf88e524d8f61a
Page 443 and 444:
TLIST_V.TXT Text cdf2d49e302522e370
Page 445 and 446:
HUNT.TXT Text 99553ccd8e14cae6db789
Page 447 and 448:
C_hidden.txt Text 5f45b5367c7ed8852
Page 449 and 450:
HKCU_R.TXT Text 9e7b99199b2931e811a
Page 451 and 452:
ARKAR_US.B BASIC Source Code .E01 e
Page 453 and 454:
CollationAndDataType.txt Text 37a07
Page 455 and 456:
RFID_test.md5 45c0868ea943c2171ff35
Page 457 and 458:
errorlog_4.md5 3f7f86d69760b535bd82
Page 459 and 460:
Appendix 23: Analysis of Acquired S
Page 461 and 462:
2010-10-25 12:37:05.56 Server Serve
Page 463 and 464:
2010-10-05 01:22:55.53 Server Detec
Page 465 and 466:
2010-10-07 15:20:54.21 Server Serve
Page 467 and 468:
2010-10-25 12:17:39.26 Server Serve
Page 469 and 470:
2010-10-03 00:59:55.96 Server Dedic
Page 471 and 472:
2010-10-02 00:11:57.85 Server -d C:
Page 473 and 474:
2010-10-02 02:40:05.35 Server SQL S
Page 475 and 476:
2010-10-01 23:20:15.28 Server Dedic
Page 477 and 478:
2010-10-01 23:14:19.50 Server Using
Page 479 and 480:
2010-10-01 23:20:12.40 Server The S
Page 481 and 482:
2010-10-01 23:12:03.65 spid4s Recov
Page 483 and 484:
processed. Likewise, the acquired r
Page 485:
Figure 24A.3: There is no record in
show all

Digital Forensics in Small Devices: RFID Tag Investigation

Create successful ePaper yourself

Delete template?

Save as template?