User Profile
u Population 250 million, 100 million internet users, 165 million mobile data subscribers
u Male 51%, Female 49%; digital natives (ages 12-34) 60%
u High school 48%; diploma, graduate and post-graduate 34%
u Workers 54%, students 17%, housewives 15%, campus (university) 9%
u White collar 64%, blue collar 16%, entrepreneurs 20%
u Income <2 million 33%, 2-3 million 40%, >3 million 27%; spending 50K
u Sources: APJII, ATSI, EMARKETER, COMSCORE
Online Behavior
u Devices: cellular 66%, PC 52%, laptop 45%, tablet 2%
u Activities: social media 87%, web 69%, news 68%, video 58%
u Social media users 80 million; Facebook 96% (ranked #4), mostly for entertainment
u Time spent 20 minutes per session, 70% of it while alone
u Transactions 10 million (Facebook 50%, KASKUS 50%), value 30 billion
u Payment: bank transfer 70%, e-banking 40%, credit card 30%
u Sources: Veritrans, DailySocial, eCommerce ID
Recent Incidents
u National sensor events: decreased from 3 million to 2 million monthly
u Malware: increased from 600K+ to 800K+ monthly
u Website incidents: increased from 700+ to 1400+ monthly
u Vulnerabilities: increased from 1400+ to 2400+ monthly
u Leakage: increased from 500+ to 700+ monthly
u Incident reports: decreased from 103 to 102 monthly
TOP Attack
u SQL exploitation 900K+ and malware C&C 800K+ monthly
u Server attacks: MSSQL 600K+ and MySQL 31K+ monthly
u Blacklist 15K+, DDoS 11K+, botnet C&C 8K+
u Most targeted domains: sch.id 30%, ac.id 21%, go.id 20%
u Incident report cases: phishing 80+, data leakage 20+, malware 60+, vulnerability 20+, fraud 10+, DDoS 5+
Key Threat
u Retail businesses' sensitive data (customers and transactions) is targeted
u Applications are used as attack vectors, not only as victims
u Mobile malware is exploding
u More organisations are embracing outsourced IT models, widening exposure to zero-days, insider threats and remote attacks
u Commuting and remote working will spread breaches of data in transit
u Basic security measures, e.g. password management, are (still) not in place
u Vulnerabilities: 73% SQL and remote, 70% Blackhole exploit kit, 61% malware, 50% memory-scraping malware, 25% obfuscated (encrypted) stolen data
Mobile Malware
u More than 165 million data subscribers; 30+ million per year, or 60+ million smartphone/gadget shipments
u Android malware is on the rise, by more than 400%, especially on "rooted" or "jailbroken" devices
u Emerging types: hidden premium SMS subscriptions or quota stealing (so-called bloatware), information or credential theft (spyware), turning the device into a zombie (C&C, botnets, DDoS vector), often delivered through malicious games
Sophistication
u Personal data / corporate database exfiltration (to the cloud)
u Data exchanged between cyber criminals is encrypted
u APT, insider threat and BYOD are still the favoured vectors, combined with social-engineering style malicious code, e.g. clickjacking through social media and embedded malware (multiple types, nesting dolls, indirect executables)
u Exploiting credentials is still the most effective method of gaining access, whether to outdated operating systems or through legacy protocols
Victims Profile
u Government and education sector, i.e. unmaintained websites used as vector hosts (malware hosting) to launch attacks: DDoS, DNS amplification, phishing, spam, botnets, automated banner-click ad fraud, etc.
u Transactions: e-banking, POS/retailers (merchants), etc.
u End users, i.e. online trading fraud and compromised hosts used as insider-threat vectors and for C&C and botnet propagation
u Well-known providers, i.e. media, entertainment, politics
FORENSIC ROLE
Definition
u Computer forensics deals with the preservation, identification, extraction and documentation of computer evidence
u Computer forensics has also been described as the autopsy of a computer hard disk drive, because specialised software tools and techniques are required to analyse, after the fact, the various levels at which computer data is stored
u Recovering and obtaining information that is no longer visible
Digital Evidence
u Any information in digital format
u Email messages, email addresses
u Word processor/spreadsheet files
u Source code from software/apps
u Images (.jpeg, .gif, .tiff etc.)
u Web browser bookmarks, cookies
u Calendar, to-do list (tasks)
u Video (.mov, .3gp, .mp4 etc.)
Case Examples
u Recovery of over 1000 e-mails from a hard drive a year and a half after the individual left the company
u This was after the hard drive had been formatted and the machine had been in use by another user for that year and a half
u "Best way to remove e-mail from a hard drive is to hit with a sledge hammer and throw it into a furnace" (John Patzakis, President and Chief Legal Officer, Guidance Software). Magnetic remanence persists until the sectors are actually overwritten; note that SSDs behave differently, since TRIM and wear levelling can erase remnants much sooner
Forensic Triage
u Identification: where, which, how
u Prioritising and seizing digital evidence
u Preservation: integrity, chain of custody
u Analysis: processing, interpretation
u Presentation: testing, authenticating, correlating with other non-digital evidence, information and witnesses
u Documentation and backup materials
Chain of Custody
u Obtain secure access to the evidence
u Protect the integrity of the digital evidence
u Record who, how, where and when (acquired, preserved)
u Write down the documentation (photographs, video recording), preserve it in a secure compartment together with the activity log
u Prepare the presentation for the court
Form Examples
u Evidence form
u Label everything before starting to examine (carve) the evidence
u Log make, model and serial numbers
u A copy of the form stays with the evidence at all times
u Chain of custody form
u Who, what, where, when, why, how
u A copy of the form stays with the evidence at all times
u Always make copies; never work on the original media/digital evidence
Rules of Evidence
u Admissible: acceptable to the court
u Authentic: the integrity of the data is protected
u Complete: tells the whole story, accepted by prosecutors
u Trusted (believable): no doubt, precise
u Reliable: consistently reproducible, easily accessible
Imaging Evidence
u Take an exact copy, including deleted files and areas of the hard drive that a normal backup would not copy
u Never boot from the evidence hard drive
u Use a write blocker (hardware, or write-protection software) to protect the original evidence (source); make a copy of the original evidence and do all work on the copy
u Document all aspects of the hard drive
u Tag and store the original evidence
u The best evidence is the original evidence
Area of Analysis
u Email, temporary files, Recycle Bin, INFO file fragments, recent link (.lnk) files, spool (printed) files, Internet history (INDEX.DAT), Registry
u Unallocated space: free space on the hard drive not currently assigned to any file
u File slack: the free space between the end of the logical file (rounded up to the end of its last sector) and the end of the physical file (the last allocated cluster)
u RAM slack: the free space between the end of the logical file and the end of the containing sector (so called because old DOS/Windows versions padded it with whatever was in RAM; modern systems zero-fill it)
u Sector: the smallest unit that can be addressed on the disk; a group of sectors allocated together by the operating system is a cluster
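The following is an added example, not code from the original slides, that ties the Case Examples above to these definitions. It builds a small constructed disk image (512-byte sectors, 4096-byte clusters), "deletes" two emails, lets a new file reuse one of the clusters, and then shows what survives in RAM slack, file slack and unallocated space. The sector and cluster sizes, the file-system write behaviour and the email contents are all assumptions made for the demo.

```python
"""Added example, not from the original slides: a constructed 4-cluster disk
image showing why a deleted (even partly overwritten) email survives in file
slack and unallocated space. Sector/cluster sizes and the emails are assumed."""
import math

SECTOR = 512      # smallest addressable unit on the disk
CLUSTER = 4096    # 8 sectors; the allocation unit handed out by the OS


def slack_layout(logical_size, sector=SECTOR, cluster=CLUSTER):
    """(ram_slack, file_slack, clusters_used) for a file of logical_size bytes.
    RAM slack: end of logical file to end of its last sector.
    File slack: end of that sector to end of the last allocated cluster."""
    clusters_used = max(1, math.ceil(logical_size / cluster))
    last_sector_end = math.ceil(logical_size / sector) * sector
    ram_slack = last_sector_end - logical_size
    file_slack = clusters_used * cluster - last_sector_end
    return ram_slack, file_slack, clusters_used


def os_write(image, cluster_idx, data):
    """Emulate a file-system write of a file that fits in one cluster: the data
    is stored, the rest of its last sector is zero-filled (modern OS behaviour;
    old DOS/Windows leaked RAM contents there, hence 'RAM slack') and the file
    slack beyond that sector is left exactly as it was."""
    assert len(data) <= CLUSTER, "constructed demo: single-cluster files only"
    base = cluster_idx * CLUSTER
    sector_end = math.ceil(len(data) / SECTOR) * SECTOR
    image[base:base + len(data)] = data
    image[base + len(data):base + sector_end] = bytes(sector_end - len(data))
    return {"cluster": cluster_idx, "size": len(data)}


def file_slack(image, alloc):
    """Raw bytes between the end of the file's last sector and its cluster end."""
    base = alloc["cluster"] * CLUSTER
    start = base + math.ceil(alloc["size"] / SECTOR) * SECTOR
    return bytes(image[start:base + CLUSTER])


def carve_text(region, min_len=16):
    """Pull printable-ASCII runs (>= min_len bytes) out of a raw region: the
    simplest form of carving, independent of any file-system metadata."""
    runs, cur = [], bytearray()
    for b in region:
        if 32 <= b < 127 or b in (9, 10, 13):
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def demo():
    image = bytearray(4 * CLUSTER)          # constructed blank disk
    old_mail = (b"From: cfo@example.com\r\nSubject: Q3 wire\r\n\r\n"
                + b"(quarterly figures omitted) " * 40
                + b"\r\nWire to account 0123456789 before Friday.\r\n")
    os_write(image, 1, old_mail)            # later 'deleted': only the directory entry goes
    os_write(image, 2, b"From: hr@example.com\r\nSubject: termination list\r\n")
    # Months later a new 1000-byte document is allocated the same cluster 1.
    new_doc = os_write(image, 1, b"Meeting notes line\r\n" * 50)
    base = new_doc["cluster"] * CLUSTER
    ram = bytes(image[base + new_doc["size"]:base + 1024])   # zero-filled RAM slack
    unallocated = image[2 * CLUSTER:3 * CLUSTER]             # cluster 2, never reused
    return {
        "layout": slack_layout(new_doc["size"]),
        "ram_slack_zeroed": ram == bytes(len(ram)),
        "from_file_slack": carve_text(file_slack(image, new_doc)),
        "from_unallocated": carve_text(unallocated),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The new 1000-byte document occupies two sectors of cluster 1 and zero-fills the 24 bytes of RAM slack, so the old email's headers are gone; the remaining 3072 bytes of file slack still hold the tail of the message, including the account number, and the never-reused cluster 2 gives back the second email intact. A format operation that only rewrites file-system metadata leaves both regions untouched, which is exactly the situation in the 1000-email recovery above.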
Detailed Observation
u Hardware: motherboards, power supplies, RAM, printers, scanners, fax, mobile devices. OS/Apps: Microsoft, Red Hat, UNIX, forensic tools, MS Office, HTML etc.
u Be patient: "one needs the ability to be able to sit in front of the computer and analyze the data for what could be an extensive amount of time. No such thing as point and click forensics."
INP Procedures #1
u Crime Statement (police report etc.)
u Initial and Lead Evidence Gathering
u Court Order : Foreclosure, Detention
u Search and Seizure Warrant Order
u Crime Scene Sanitation Procedures
u Evidence Preservation and Imaging
u Transporting and Securing Evidence
INP Procedures #2
u Make at least 2 identical bit-stream copies
u Allow analysis only on the duplicate images
u Preserve the MD5 hash to assure image integrity (record a SHA-256 hash alongside it: MD5 collisions are practical, so MD5 alone should not be relied on to prove that an image was not substituted)
u Follow chain of custody and evidence-possession procedures; keep the original evidence secured in safe storage
u Create a detailed forensic analysis report
u Prepare an expert witness (second opinion)
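The following is an added example, not code from the original slides or from any named police procedure, showing steps 1 to 4 of the list above in working form: the source is opened read-only and streamed once, two bit-stream copies are written from that single read, MD5 and SHA-256 are computed on the same stream, every copy is then re-read from disk and compared against the recorded hashes, and each step is appended to a JSON-lines chain-of-custody log. The constructed "drive" is a temporary file standing in for a block device; the case id, examiner name and file names are assumptions.

```python
"""Added example, not from the original slides: forensic imaging with dual
hashing, independent verification of each copy and a chain-of-custody log.
The source 'drive', paths, case id and examiner name are constructed here."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size


def hash_file(path):
    """MD5 and SHA-256 of a file from one sequential read."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def log_event(log_path, case_id, examiner, action, **details):
    """Append one who/what/when record to the chain-of-custody log."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "case": case_id,
             "examiner": examiner, "action": action, **details}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_image(path, expected, log_path, case_id, examiner):
    """Re-read a copy from disk and compare both digests with those recorded."""
    actual = hash_file(path)
    ok = actual == expected
    log_event(log_path, case_id, examiner, "verify", image=path, ok=ok, **actual)
    return ok


def image_evidence(source, copies, log_path, case_id, examiner):
    """Stream `source` once into every path in `copies`, hashing as we go, then
    verify each copy independently. On real media put a write blocker in front
    of the source device; opening read-only here is the software-side minimum."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    outs = [open(p, "wb") for p in copies]
    try:
        with open(source, "rb") as src:
            for chunk in iter(lambda: src.read(CHUNK), b""):
                md5.update(chunk)
                sha.update(chunk)
                for out in outs:
                    out.write(chunk)
    finally:
        for out in outs:
            out.close()
    expected = {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}
    log_event(log_path, case_id, examiner, "acquire",
              source=source, copies=copies, **expected)
    verified = {p: verify_image(p, expected, log_path, case_id, examiner)
                for p in copies}
    return expected, verified


def demo():
    work = tempfile.mkdtemp(prefix="acq_")
    source = os.path.join(work, "suspect_disk.raw")   # stands in for /dev/sdX
    with open(source, "wb") as f:
        f.write(os.urandom(2 * CHUNK + 4097))          # constructed drive contents
    copies = [os.path.join(work, "image_a.dd"), os.path.join(work, "image_b.dd")]
    log = os.path.join(work, "custody.jsonl")
    expected, verified = image_evidence(source, copies, log, "CASE-0001", "examiner")
    source_ok = hash_file(source) == expected          # source untouched by imaging
    # Flip one byte in copy B to show that verification catches a changed image.
    with open(copies[1], "r+b") as f:
        f.seek(4096)
        b = f.read(1)
        f.seek(4096)
        f.write(bytes([b[0] ^ 0xFF]))
    tampered_ok = verify_image(copies[1], expected, log, "CASE-0001", "examiner")
    with open(log) as f:
        actions = [json.loads(line)["action"] for line in f]
    shutil.rmtree(work)
    return {"source_hashes_match": source_ok,
            "copies_verified": all(verified.values()),
            "tampered_detected": not tampered_ok,
            "log_actions": actions}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Both digests are computed from the same bytes that were written, so a hash that matches on re-read proves the copy on disk equals what was streamed from the source; the SHA-256 is what you would cite if the MD5 is ever challenged. Production acquisitions would use a purpose-built imager (for example dc3dd or ewfacquire) that also records bad sectors and the device serial number, but the verification and logging discipline is the same.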