Wednesday, 30 November 2011

CNII Forensics

The promotion of IT security must be at national and international level. This promotion can be built-in the Critical National Information Infrastructure (CNII) program. The program can combine the initiative at the level of organization, national and international cooperation.

The CNII program is tedious but indispensable. A lot of coordination must be executed and collaboration among the stakeholders must be improved. The awareness campaign and cyber drill are an admirable kick off with the intention more people are concerned of the complications and disastrous impact.

Jennex [1] wrote on incident response. The author said the guideline must be devised in any organization because incidence is unpredicted. The organization business has to resume and crisis management has to be effective.

In addition on the above, digital forensics has become more prevalent and must be part of the incident response. In fact, Gavin Reid, leader of the Computer Security Incident Response Team at Cisco Systems has mentioned digital forensics and also malware forensics are two of the critical skills in incident response. This is to investigate the root cause of the incident and with malware forensics capability; reverse engineering can be conducted in order to determine the hazard. E.g. Stuxnet…some of the capabilities are as follows.

• Spreads through network and removable media
• Infects Windows systems by installing rootkit
• Using special process to avoid detection
• Targets Siemens WinCC Scada
• Injects command on PLC and the best part is; self removeable, hidden, reinfect and capable of communicating with peer

As such, during this semester break, I’ll be quite busy doing some research on CNII in Australia perspective and how we can apply digital forensics in the incident response. Most probably there will be 7 parts altogether. I will break it down as follows.

1. The correct CNII description (most people talked about Scada security and this nomenclature might be inaccurate), standards, regulations and perspective according to country i.e. Australia.
2. Study on industrial network incidents, perhaps according to country experience. Malaysia can be included, e.g. recent Empire shopping complex gas leakage explosion.
3. Study on core networks and protocols, e.g. Modbus, ICCP, DNP3 and etc.
4. The control electronics and operational parts, i.e. IED, RTU, PLC and etc.
5. Study on the above 3 & 4 weaknesses, hacking, threat, anomaly and etc.
6. Security strategy, e.g. network design deployment, segregation, monitoring and cyber drill.
7. Last but not least CNII forensics (network forensics) including malware forensics to reveal the outcome of the investigation of an incident.

[1] M.E.Jennex. “A Model for Emergency Response Systems,” in Cyber Warfare and Cyber Terrorism, L.J.Janczewski and M.Colarik, Hershey, PA: Information Science Reference, 2008, pp. 383-389.

Thursday, 24 November 2011

Malaysia CNII Program

Today, CNII or Critical National Information Infrastructure is the buzzword or important subject in information security. Many countries are putting a lot of effort to beef up their capabilities to react to such catastrophe. The probability is high that the general public is unaware the repercussion of cyber attacks.

Malaysia is not left behind and continuously putting an effort to plan and mitigate this kind of incident.

My Court Experience as Expert Witness

Senior cop’s phones probed

SHAH ALAM: Two cellphones belonging to a senior police officer had their contents extracted for investigations in the Altantuya Shaariibuu case.

CyberSecurity Malaysia digital forensics department head Aswami Fadillah Mohd Ariffin told a High Court here that the phones belonged to Deputy Supt Musa Mohd Safri.

Asmawi: Said he had been correlating the extracted data from all the cellphones to the details from phone logs provided by Maxis, Celcom and DiGi for Oct 17 to 21 last year
He said police also handed to him the cellphones of private investigator P. Balasubramaniam, his assistant K. Suras Kumar, Abdul Razak Baginda, Kpl Sirul Azhar Umar, C/Insp Azilah Hadri and his ex-girlfriend L/Kpl Rohaniza Roslan, as well as a SIM card that belonged to the deceased.

He said at least one call was made from C/Insp Azilah’s cellphone to one of DSP Musa’s phones.

This came up when DPP Tun Abd Majid Tun Hamzah asked the witness to confirm the call from a phone log that carried the two phone numbers.

Aswami said he extracted the data from the phones and SIM cards using software like SIMCon Version 1.1, Oxygen Phone Manager and Mobile Edit.

Although no exact date was mentioned in court for the call, he said he had been correlating the extracted data from all the cellphones to the details from phone logs provided by Maxis, Celcom and DiGi for Oct 17 to 21 last year.

This act of correlating, he said, was done by matching the dates and times of the extracted data from the phones to the details from the phone logs.

Aswami, 36, said he also took several shots showing SMS messages on DSP Musa’s Nokia 7610 phone after he discovered that the dates and times on the extracted data turned out to be different from those displayed on the phone itself.

“This is due to a software bug. That’s why I double checked this using two other tools,” he said on Day 58 of the murder trial.

Aswami maintained that the dates displayed on the phone were the correct ones, which matched the details in the phone logs from the service providers.

Asked about two other SIM cards and two laptops that the police had handed over to him for the same purpose, the witness replied that he did not find anything of relevance from them.

The trial continues on Monday.

ARKIB : 14/11/2007

Penyiasat persendirian terima SMS Razak, Altantuya


SHAH ALAM 13 Nov. – Pemadanan data yang dilakukan terhadap telefon bimbit milik penyiasat persendirian, P. Balasubramaniam menunjukkan bahawa dia ada membuat atau menerima panggilan telefon serta khidmat pesanan ringkas (SMS) dengan Abdul Razak Abdullah Baginda dan Altantuya Shaariibuu sekitar Oktober tahun lalu.

Ketua Jabatan Digital Forensik Cybersecurity Malaysia, Aswami Fadillah Mohd. Ariffin, 36, memberitahu Mahkamah Tinggi di sini hari ini, pemadanan data dilakukan olehnya terhadap telefon bimbit jenis Nokia 6600 bernombor 012 2409311 milik Subramaniam yang diserahkan oleh pihak polis kepadanya.

Beliau berkata, pemadanan dilakukan dengan berpandukan kepada data-data yang diperoleh daripada telefon bimbit itu dan log (rekod transaksi panggilan suara dan SMS) nombor telefon itu dengan dua buah telefon bimbit dan tiga nombor telefon bimbit 012 2132303, 012 3916082 (kedua-dua milik Abdul Razak) serta 017 3992411 (milik Altantuya) yang dihubungi melalui panggilan suara atau SMS.

Balasubramaniam yang merupakan penyiasat persendirian yang diupah oleh Abdul Razak adalah saksi pendakwa pertama pada perbicaraan kes bunuh wanita Mongolia itu.

Menjelaskan proses pemadanan data yang dilakukannya, juruanalisis itu menyatakan, maklumat mengenai nombor-nombor telefon itu dan nama pemiliknya diperoleh daripada pihak polis dan syarikat penyedia perkhidmatan telekomunikasi, Maxis Communications Bhd. (Maxis).

Menurut Aswami, pemadanan data yang dibuat melibatkan panggilan suara (yang dihantar dan diterima) dan SMS (yang dihantar dan diterima) pada rekod transaksi di telefon bimbit dan rekod transaksi yang dibekalkan oleh Maxis.

Data-data tersebut dimasukkan ke dalam laporannya bagi nombor telefon bimbit terbabit termasuk jenis telefon dan nama pemilik, yang mengandungi enam kolum A hingga F terdiri daripada panggilan keluar, SMS keluar, turutan daripada SMS keluar, panggilan yang diterima, SMS yang diterima dan turutan SMS yang diterima.

Kata beliau, bagi memadankan panggilan yang dilakukan oleh nombor telefon 9311 (mengambil empat digit akhir nombor telefon bimbit Balasubramaniam), beliau perlu melihat log nombor telefon yang dihubungi pada masa dan tarikh yang sama.

Misalnya, kata Aswami, pada waktu 12:25:54, pemilik nombor telefon 9311 telah membuat panggilan telefon ke nombor telefon 012-2132303 (milik Abdul Razak).

“Untuk tujuan pemadanan, saya memerlukan pula log 2303 (empat digit akhir nombor telefon Abdul Razak itu) pada masa dan tarikh panggilan diterima (yang dibekalkan Maxis), di samping log pada telefon bimbit 2303 itu sendiri (yang diterima daripada pihak polis),” ujarnya.

Bagi nombor telefon 017-3992411, kata saksi pendakwa ke-52 itu, tiada telefon bimbit diserahkan tetapi pemadanan dilakukan berdasarkan log yang diperoleh daripada Maxis.

“Ini bermakna pemadanan masih boleh dilakukan berpandukan rekod transaksi daripada syarikat tersebut walaupun tiada telefon bimbit diperoleh, " katanya.

Aswami memberi keterangan demikian semasa disoal dalam pemeriksaan utama oleh Timbalan Pendakwa Raya, Tun Abdul Majid Tun Hamzah pada perbicaraan kes bunuh Altantuya, 28, di hadapan Hakim Datuk Mohd. Zaki Md. Yasin.

Perbicaraan masuk hari ke-58 hari ini.

Dalam kes itu, Cif Inspektor Azilah Hadri, 31, dan Koperal Sirul Azhar Umar, 35, didakwa membunuh wanita Mongolia itu di antara Lot 12843 dan Lot 16735 Mukim Bukit Raja dekat sini antara pukul 10 malam 19 Oktober dan 1 pagi 20 Oktober tahun lalu.

Kedua-dua tertuduh dibicara bersama penganalisis politik, Abdul Razak yang didakwa bersubahat dengan mereka melakukan pembunuhan tersebut di pejabatnya di Tingkat 10, Bangunan Getah Asli, Jalan Ampang, Kuala Lumpur antara pukul 9.45 pagi dan 10.05 pagi pada 18 Oktober tahun lalu.

Berhubung terdapat kolum panggilan telefon atau SMS yang ditulis ‘Data’ tidak ditemui dalam laporannya, Aswami menjelaskan, ia berlaku kerana mungkin data tersebut telah dipadamkan oleh pengguna pada telefon bimbit, data baru dimasukkan di ruangan data lama akibat ruang telah penuh, atau ‘di telefon bimbit lain yang tidak berkenaan’.

Ditanya oleh Tun Abdul Majid apa maksud beliau ‘di telefon bimbit lain yang tidak berkenaan’, jelas Aswami, kemungkinan satu kad SIM (Modul Pengenalan Pelanggan) digunakan untuk dua telefon bimbit yang berbeza.

Tun Abdul Majid: “Jadi, data yang diperoleh dari mana?"

Aswami: “Untuk model terkini, data disimpan pada memori telefon contohnya flash memory. Bagi model lama, selalunya disimpan pada kad SIM kerana telefon bimbit tiada memori.”

Selain telefon bimbit Balasubramaniam, saksi tersebut menyatakan, beliau juga membuat pemadanan rekod transaksi dua buah telefon bimbit jenis Nokia N80 dan Nokia 2100 milik Lans Koperal Rohaniza Roslan, Nokia 3230 milik Sirul Azhar, Nokia 6680 milik Azilah dan Nokia 6680 kepunyaan seorang lagi penyiasat persendirian, K. Suras Kumar.

Turut dibuat pemadanan ialah dua buah telefon bimbit jenis Nokia 6020 dan Nokia 7610 milik Deputi Supritendan Musa Mohd. Safri dan tiga buah telefon bimbit milik Abdul Razak (Palm Treo 650 & 750 dan dua buah telefon bimbit masing-masing jenis Nokia 6280), katanya.

Ketika mengemukakan keterangannya itu, Aswami turut membacakan setiap nombor telefon bimbit tersebut kepada mahkamah.

“Bagi nombor telefon 017-3992411, tidak ada telefon bimbit diberikan. Saya dimaklumkan nombor ini milik mangsa,” katanya.

Perbicaraan bersambung Isnin ini.

ARKIB : 20/11/2007

Aswami: Razak telefon penyiasat


SHAH ALAM 19 Nov. – Ketua Jabatan Digital Forensik Cybersecurity Malaysia hari ini mengemukakan rekod transaksi telefon bimbit antara Abdul Razak Abdullah Baginda, penyiasat persendirian, P. Balasubramaniam dan pembantunya, K. Suras Kumar, tiga hari sebelum wanita Mongolia, Altantuya Shaariibuu dilaporkan hilang.

Ketua Jabatan Digital Forensik itu, Aswami Fadillah Mohd. Ariffin, 36, memberitahu Mahkamah Tinggi di sini hari ini, mereka berkomunikasi menerusi panggilan suara berdasarkan daftar panggilan yang diterima dan panggilan keluar yang berjaya diekstrak daripada nombor telefon yang diberikan.

“Rekod bagi nombor Abdul Razak iaitu 0129042042 mencatatkan panggilan keluar dan masuk serta rekod khidmat pesanan ringkas (SMS) yang dihantar juga ada tetapi tiada rekod penerimaan SMS.

“Telefon bimbit Nokia 6280 bernombor 0123916082 juga milik Abdul Razak pula berbeza. Ini kerana tiada panggilan masuk bagi nombor tersebut dan yang ada hanyalah panggilan yang dibuat,” kata Aswami sambil beliau meneliti dokumen yang kini menjadi bahan bukti pihak pendakwaan.

Begitu juga dengan telefon bimbit Nokia 6600 bernombor 0122409311 yang direkodkan milik Balasubramaniam, kata Aswami, juga ada merekodkan panggilan masuk dan keluar.

Bagi telefon bimbit bernombor 0169939423 milik Suras Kumar (Suras) telah berkomunikasi melalui panggilan masuk dan keluar serta menghantar SMS tetapi tiada sebarang rekod penerimaan SMS tertera, ujar beliau ketika menjawab soalan Timbalan Pendakwa Raya, Tun Abdul Majid Tun Hamzah.

Pendakwaan turut mengemukakan satu sampul surat berlabel Musa Mohd. Safri (G-9466) yang mengandungi telefon bimbit Nokia 7610 dan Nokia 6020. Musa seorang pegawai kanan polis berpangkat Deputi Supritendan (DSP).

Aswami turut mengesahkan bahawa daftar log yang dikemukakan di mahkamah merekodkan dan mencakupi keseluruhan transaksi bagi tarikh 17 hingga 19 Oktober 2006 seperti yang diarahkan.

“Pegawai penyiasat memberikan nombor telefon bimbit dan mengarahkan supaya saya mengenal pasti transaksi (komunikasi) antara mereka,” katanya.

Saksi menambah, beliau juga pernah berhadapan dengan data yang diberikan oleh syarikat penyedia perkhidmatan telekomunikasi, tidak lengkap.

Diminta supaya menerangkan lebih lanjut apa yang dimaksudkan olehnya, Aswami memberikan contoh, misalnya nombor prabayar yang tidak mempunyai rekod panggilan masuk.

Oleh itu, menurut Aswami, beliau akan membuat pertanyaan kepada syarikat penyedia perkhidmatan berhubung rekod tersebut.

Aswami sekali lagi menegaskan bahawa rekod transaksi bagi tarikh 17 hingga 19 Oktober 2006 adalah lengkap.

Beliau ialah saksi pendakwa ke-52 memberikan keterangan pada perbicaraan kes bunuh Altantuya Shaariibuu, 28, yang masuk hari ke-59 hari ini. Perbicaraan didengar di hadapan Hakim Datuk Mohd. Zaki Md. Yasin.

Dalam kes itu, Cif Inspektor Azilah Hadri, 31, dan Koperal Sirul Azhar Umar, 35, didakwa membunuh wanita Mongolia itu di antara Lot 12843 dan Lot 16735 Mukim Bukit Raja dekat sini antara pukul 10 malam 19 Oktober dan 1 pagi 20 Oktober tahun lalu.

Kedua-dua tertuduh dibicara bersama penganalisis politik, Abdul Razak yang didakwa bersubahat dengan mereka melakukan pembunuhan tersebut di pejabatnya di Tingkat 10, Bangunan Getah Asli, Jalan Ampang, Kuala Lumpur antara pukul 9.45 pagi dan 10.05 pagi pada 18 Oktober tahun lalu.

Ketika saksi memberikan keterangan, ketiga-tiga tertuduh mendengar dengan teliti di samping membuat catatan dalam buku nota masing-masing.

Perbicaraan bersambung esok.

KUALA LUMPUR, Oct 29 (Bernama) -- Information from the Anti-Corruption Agency (ACA) and two digital forensic experts will form the basis of the report to be prepared by a panel set up to determine the authenticity of a video clip allegedly showing a lawyer brokering judicial appointments over the telephone.

This was disclosed by Tan Sri Haidar Mohd Noor, chairman of the three-member panel, at a news conference today. The other panel members are National Service Training Council Chairman Tan Sri Lee Lam Thye and former Court of Appeal Judge Datuk Mahadev Shankar.

"So far, no one has come forward to give information," he said after the panel met to gather information from two digital forensic experts from Cyber Security Sdn Bhd.

One of the experts was Aswami Fadilah Mohd Ariffin, chief of digital forensic of the company.

"The panel is almost ready to hand over the report to the government on Nov 9. The government will determine whether to make the report public," he said at the news conference held at the head office of the Human Rights Commission of Malaysia (Suhakam), here.

The eight-minute video clip was recorded four years ago and was put up on the Internet recently. It shows a lawyer brokering the appointment of judges in the year 2002.

Asked about the presence of Inspector-General of Police Tan Sri Musa Hassan and ACA Deputy Director-General I Datuk Abu Kassim Mohamed at the meeting, Haidar said they were there as observers and also to watch the video clip.


Selasa Oktober 30, 2007
Klip video: Panel bebas serah laporan lengkap 9 November ini

KUALA LUMPUR: Panel Bebas Khas akan menyerahkan laporan lengkap kepada kerajaan 9 November ini, mengenai siasatan kesahihan klip video memaparkan visual perbualan telefon seorang peguam terkenal kononnya dengan seorang hakim kanan mengenai pelantikan hakim pada 2002.

Panel tiga anggota itu, yang bersidang kali kedua hari ini, sudah membuat rumusan selepas mendengar keterangan dua pakar dari Cyber Security Sdn Bhd dan Badan Pencegah Rasuah (BPR).

Pengerusi panel Tan Sri Haidar Mohd Noor berkata sehingga ini tiada saksi lain tampil untuk memberi keterangan atau menerima keterangan dari manamana pihak.

"Kita hanya memberi pandangan sahaja. Laporan lengkap itu nanti berdasarkan maklumat daripada BPR dan dua pakar tersebut," katanya pada sidang akhbar selepas mesyuarat di ibu pejabat Suruhanjaya Hak Asasi Manusia (Suhakam) di sini.

Panel itu, yang turut dianggotai aktivis sosial Tan Sri Lee Lam Thye dan bekas Hakim Mahkamah Rayuan Datuk Mahadev Shankar, hari ini mendengar keterangan daripada Ketua Digital Forensik syarikat itu, Aswami Fadilah Mohd Ariffin.

"Terpulang kepada kerajaan untuk mengumumkan hasil siasatan kami kepada umum," kata Haidar, yang juga bekas Hakim Besar Malaya.

Pada 27 Sept lepas, kerajaan menubuhkan panel bebas khas itu untuk menjalankan siasatan terhadap kesahihan klip video berkenaan.

Panel itu diberi tempoh 30 hari bekerja, mulai tarikh pengeluaran surat pelantikan anggotanya 27 September lepas, untuk menyiapkan siasatan dan mengadakan mesyuarat pertama 3 Oktober lepas.

Ditanya mengenai kehadiran Ketua Polis Negara Tan Sri Musa Hassan dan Timbalan Ketua Pengarah I BPR Datuk Abu Kassim Mohamed dalam mesyuarat hari ini, Haidar berkata mereka hanya datang sebagai pemerhati serta menyaksikan klip video itu.

Menyentuh kehadiran anggota parti Keadilan Nasional (Keadilan) ke pejabat Suhakam pagi tadi, beliau berkata mereka datang hanya untuk menyerahkan memorandum sahaja.
Beliau bagaimanapun enggan mengulas lanjut mengenai kandungan memorandum itu. BERNAMA

ARKIB : 13/11/2007

13 telefon bimbit, kad SIM, komputer diambil data

SHAH ALAM 12 Nov. – Mahkamah Tinggi di sini hari ini diberitahu pihak polis telah menyerahkan 13 unit telefon bimbit, dua kad SIM (Modul Pengenalan Pelanggan) dan dua komputer riba kepada Jabatan Digital Forensik Cyber Security Malaysia untuk diekstrak datanya dan bukan bagi tujuan analisis.

Ketua jabatan itu, Aswami Fadillah Mohd. Ariffin berkata, telefon bimbit pertama jenis Nokia model 6280 bernombor siri 357926008217932 diterimanya pada 9 November tahun lalu daripada Deputi Supritendan Abdul Aziz Ahmad.

Menurut beliau, selepas pengekstrakan data dilakukan oleh juruanalisis, Razana Md. Salleh, telefon itu telah dipulangkan semula kepada Abdul Aziz pada pukul 2.45 petang, hari yang sama.

Aswami, 36, menambah pada 22 November 2006, seorang lagi pegawai polis, Supritendan Shukri Abdullah telah meminta bantuannya bagi mendapatkan data daripada 11 telefon bimbit termasuk yang diserahkan pada 9 November 2006, dua kad SIM dan dua komputer riba.

Menurutnya, bahan-bahan bukti itu diterima oleh beliau tetapi borang permintaan diisi oleh Razana dan mereka kemudiannya telah membuat pemeriksaan ke atas kesemua barang tersebut.

Saksi pendakwa ke-52 itu yang memberi keterangan dalam perbicaraan kes bunuh wanita Mongolia, Altantuya Shaaribuu kemudian diminta oleh Timbalan Pendakwa Raya, Tun Abdul Majid Tun Hamzah semasa disoal dalam pemeriksaan utama supaya melihat item pertama iaitu telefon bimbit jenis Nokia 6680 yang mempunyai nombor siri 358358000995498.

Walaupun telefon bimbit di hadapannya tidak mengandungi kad SIM, Aswami melalui catatan rekodnya membacakan nombor kad SIM telefon bimbit tersebut iaitu 502193200040797.

Bagaimanapun apabila diserahkan kad SIM (P66) yang sepatutnya terkandung dalam telefon bimbit itu, nombor siri kad tersebut yang tertera adalah berbeza iaitu 896019050877072879 256-H1WM.

Nombor siri ini, katanya, adalah nombor IMSI yang dibacanya menggunakan alat (tool) sim-con versi 1.1.

Tun Abdul Majid: “Bagaimana untuk tahu jika kad ini adalah sama dengan nombor yang kamu sebut 502193200040797?”

Aswami: “Apa yang kami selalu buat adalah membaca nombor IMSI yang unik kepada kad itu. Kaedahnya menggunakan tool (alat) yang bernama sim-con yang di ‘install’ (diprogram) pada komputer dan dibaca menggunakan slot kad SIM bersama alat yang dinyatakan tadi.”

Jelas beliau lagi, kad SIM (P66) tidak boleh dibaca pada masa ini kerana ia perlu menggunakan komputer.

Berikutan itu, Tun Abdul Majid telah memohon supaya saksi tersebut membawa komputernya ke mahkamah esok bagi pengesahan nombor siri kad SIM itu dan 12 kad SIM yang lain.

Dalam keterangannya, Aswami turut menyatakan kesemua barang-barang bukti itu telah diserahkan oleh Razana kepada Shukri pada 30 November tahun lalu.

Namun begitu, pada 4 Disember tahun yang sama, kesemua 15 barang itu dan dua lagi telefon bimbit jenis Nokia 6600 dan Nokia 3230 telah diserahkan semula kepadanya.

Kali ini, jelas beliau, 15 item yang terdahulu tidak lagi dibuat pengekstrakan data kerana ia mempunyai nombor rujukan yang sama tetapi pengekstrakan dibuat pada dua telefon bimbit baru tersebut.

“Kesemua barang-barang tersebut kemudiannya diserahkan semula kepada pegawai penyiasat Asisten Supritendan Tonny Lunggan pada 11 Mei lalu,” ujar beliau.

Tun Abdul Majid kemudian bertanya mengenai tanda pemotongan pada catatan telefon bimbit jenis Nokia 7610 bagi tujuan penyiasatan lanjut seperti yang terdapat pada borang penyerahan semula barang-barang kepada Tonny.

Aswami menjelaskan catatan itu ditandakan kerana terdapat perbezaan pada tarikh di dalam telefon bimbit itu dan tarikh apabila data diekstrak.

Ini bermakna, katanya, telefon bimbit itu tidak dipulangkan pada tarikh tersebut kerana apabila terdapat perbezaan, beliau bersama Razana telah menggunakan kaedah screen shot (setiap kandungan data diambil menggunakan kamera digital).

Jelas beliau, kaedah screen shot ini juga bukan satu analisis tetapi hanya perbuatan mekanikal.

Barang-barang bukti tersebut, katanya, bagaimanapun telah diserahkan semula kepadanya pada 18 Mei tahun ini sebelum kaedah ‘screen shot’ dibuat pada 21 Mei lalu bagi tujuan pemetaan (co-relation) data yang telah diekstrak dengan log daripada syarikat penyedia perkhidmatan komunikasi.

Katanya, ia bertujuan mengenal pasti sama ada tarikh dan masa khidmat pesanan ringkas (SMS) yang terkandung dalam telefon bimbit tersebut selaras dengan log syarikat komunikasi terbabit.


Mampu kesan penipu

PAKAR komputer menasihatkan orang ramai supaya tidak mudah memberikan maklumat diri serta lokasi di ruang sembang internet bagi mengelak ditipu. – Gambar hiasan

KUALA LUMPUR – Sesiapa yang menipu di ruang sembang internet bukan sahaja boleh dikesan tetapi juga didakwa di bawah Seksyen 420 Kanun Keseksaan dengan penjara maksimum 10 tahun dengan sebatan serta denda.

Menurut Ketua Forensik Digital, CyberSecurity Malaysia, Aswami Fadillah Mohd. Ariffin, kepakaran forensik siber sememangnya boleh digunakan bagi mengesan individu yang terlibat.

“Mengikut prosedur biasa, mangsa akan membuat laporan kepada polis dan kemudian dirujuk kepada kami bagi tujuan siasatan siber.

“Siasatan yang berbentuk teknikal akan dilakukan dan jika komputer yang digunakan adalah milik peribadi, identiti dapat dikesan dengan mudah tapi jika di kafe siber, siasatan menjadi sedikit sukar,” katanya.

Beliau berkata demikian sebagai merujuk pendedahan Kosmo! Jumaat lalu berhubung tiga individu di Terengganu yang ditipu dalam ruangan sembang internet sehingga mengalami kerugian keseluruhannya berjumlah hampir RM25,000.

Modus operandi sindiket yang menggunakan umpan wanita jelita itu hanya bermula dengan sembang biasa namun berjaya mempengaruhi mangsa dengan meminta memasukkan sejumlah wang kononnya membayar cukai Kastam dan lain-lain.

Bagaimanapun kata beliau, siasatan sukar dilakukan jika individu yang menipu itu menggunakan Internet Protokol (IP) luar negara.

“Ini semua ada kaitan dengan amalan perundangan yang berbeza tapi dalam hal ini pihak kita akan memohon kerjasama polis,” katanya.

Dalam pada itu, Ketua Pegawai Eksekutif CyberSecurity, Leftenan Kolonel (B) Husin Jazri menasihatkan pengguna supaya jangan memberikan maklumat peribadi serta pilih nama samaran tanpa jantina semasa berbual di internet.


Klip video: Panel bebas kemuka pendapat Isnin ini

KUALA LUMPUR 1 Nov. – Panel bebas khas akan bermesyuarat Isnin ini bagi membentangkan pendapat ahli-ahlinya sebelum membuat keputusan muktamad mengenai ketulenan rakaman klip video perbualan seorang peguam kanan dan seorang hakim.

Ketua panel, Tan Sri Haidar Mohd. Noor berkata, beliau dan dua ahli panel iaitu aktivis sosial, Tan Sri Lee Lam Thye dan bekas Hakim Mahkamah Rayuan, Datuk Mahadev Shankar sedang menyediakan pandangan masing-masing berdasarkan laporan dua pakar tempatan yang mengkaji ketulenan rakaman video itu.

Beliau yang juga bekas Hakim Besar Malaya berkata, pada pertemuan tersebut, ketiga-tiga ahli panel akan membanding-bandingkan pendapat mereka untuk mencapai kata sepakat bagi membolehkan laporan disediakan dan diserahkan kepada kerajaan sebelum 9 November ini.

Ketika ditanya mengenai pendapat yang dijangka dikemukakan, Haidar menjelaskan, panel perlu berpuas hati dengan pendapat ahli-ahlinya sebelum membuat keputusan sama ada rakaman klip video yang telah disunting itu tulen atau palsu.

Sewaktu diminta kepastian mengenai lokasi mesyuarat, beliau berkata, ia diadakan di tempat lain bukan seperti kebiasaan di pejabat Suruhanjaya Hak Asasi Manusia (Suhakam) di Menara Tun Razak di sini.

Sehubungan itu, beliau menolak laporan sebuah stesen televisyen tempatan semalam yang membayangkan seolah-olah panel tersebut sudah membuat keputusannya.

‘‘Belum ada apa-apa keputusan. Mesyuarat Isnin ini kami akan mencapai kata sepakat sama ada secara majoriti atau sebulat suara mengenai kesahihan klip video itu.

‘‘Keputusan tersebut tidak akan dicapai pada hari yang sama, mungkin sedikit masa lagi sebelum tarikh mati penyerahan laporan kepada kerajaan pada 9 November ini,’’ ujar beliau ketika dihubungi Utusan Malaysia di sini hari ini.

Haidar ditanya hasil keputusan panel terhadap laporan dua pakar tempatan yang dilantik oleh Badan Pencegah Rasuah (BPR) untuk mengkaji ketulenan rakaman klip video selama lapan minit itu.

Mesyuarat panel pada 29 Oktober lalu menerima laporan dua pakar tempatan daripada syarikat Cyber Security diketuai oleh Ketua Forensik Digital, Aswami Fadillah Mohd. Ariffin bagi membantu panel melengkapkan laporan berhubung ketulenan rakaman itu.

Menurut Haidar, panel turut membuat keputusan untuk tidak akan melayan mana-mana pihak yang tampil memberi maklumat mengenai ketulenan klip video tersebut kerana pihaknya sudah memberi tempoh yang mencukupi untuk mereka berbuat demikian.

Beliau berkata, pihaknya mempunyai masa yang terhad untuk menjalankan tugas dan menyediakan pandangan kepada kerajaan iaitu selama 30 hari bekerja selepas ahli-ahli panel menerima surat pelantikan pada 27 September lalu.

Wednesday, 23 November 2011

X Maya 4

Malaysia CNII cyber exercise = Cyber Storm...
Very important program to assess on your resiliency...readiness...etc...
You'll never know...when you are going to be attacked...

Multimedia Forensics 2

The digital forensics scope of services has expended to include digital multimedia analysis over the past few years. The cases involving multimedia analysis is increasing. Some of the analysis is tedious. There was an exemplary paper done Bijhold et al. [1] in reviewing the research works in forensic audio and visual evidence. The review had determined a total number of six expertise fields for this type of evidence.

They are as follows.
· Audio analysis.
  Example of this field includes audio enhancement where some of the noise can be removed using 
  dedicated filters.
· Speaker identification.
  The analysis involves voice comparison and one of the notable products in the market is BATVOX.
· Video analysis.
  The video is break into frames for image enhancement. Some videos may need an analysis first to
  improve the visual using special filters and techniques.
· Facial identification.
  From the video and image enhancement, facial comparison can be analyzed and compared for 
  identification. Quintiliano et al. [2] introduced new algorithms called eigeneyes, eigenmouth and
· Photogrammetry and 3D modeling.
· Forensics linguistic.

[1] J.Bijhold, A.Ruifrok, M.Jessen, Z.Geradts, S.Ehrhardt, and I.Alberink. “Forensic audio and visual evidence 2004-2007: A Review,” in 15th INTERPOL Forensic Science Symposium, Lyon, France, October 2007.
[2] P.Quintiliano and A.Rosa. “Face Recognition Applied to Computer Forensics.” The International Journal of FORENSIC COMPUTER SCIENCE, vol. 1, pp. 19-27, 2006.

It is quite interesting to know that our multimedia forensics capabilities in providing services are on par with the rest of the world.

Sunday, 20 November 2011

ASCLD/LAB-International Accreditation of CyberSecurity Malaysia Digital Forensics Laboratory

On Friday 18 November 2011, I received an email from Mr. John Nuener, ASCLD/LAB program manager regarding our laboratory accreditation. Together with his email were all the official documentations confirming our status as ASCLD/LAB-International accredited digital forensics laboratory. It was indeed good news to us after all the hard work.

However, it was not an easy task as we need to meet all the requirements from both management and technical perspectives. Altogether there were about 25 requirements and after a few years of dedication we achieve this prestigious recognition.

This would not have been possible without the undivided commitment of those people responsible in this project. They are of course the senior management of CyberSecurity Malaysia and the ever hard working of digital forensics analysts of Digital Forensics Department.

Thank you again to Mr. Ralph Keaton, Mr. John Neuner (both are great gentlemen whom I met in the US), Madam Anja Einseln (my trainer) and all in ASCLD/LAB.

Even though I’m away in Australia, I’m proud of this achievement.

Kudos guys!

Thursday, 17 November 2011

Do we need a digital forensics standard?

Why cyber crime is rising every each year and how do we solve this predicament especially those involving cross border.

What is the fundamental reason?

It could be no standardize digital forensics procedures accepted by the world. It has been a limitation in prosecuting a case involving digital evidence without a standard.

Each country has different legislative making the international standard development of digital forensics process unattainable but necessary. It will help the legal proceeding of a case between two countries if the standard available.

The digital forensics procedures in principle consist of identification, preservation, recovery, analysis and presentation of digital evidence. Slay, et al. [1] attempted to refine the principle and provided a review of the development of principles, procedures, models, guides and standards. It is to assert high quality and trustworthy foundations for the development of advice for the court and as a pointer towards a broader agenda for academic researchers.

This article was a novel piece of work because there is no standard in digital forensics process. The study by Slay including the references cited by her can be supportive documentations in the court of law.

It is timely for digital forensics and ISO communities to take charge of this matter. The technology is moving fast but not the legal/standard realm. Investigation, prosecution and combating cyber crime will be dampened.

[1] J.Slay, YC.Lin, B.Turnbull, J.Becket and P.Lin. “Towards a Formalization of Digital Forensics.” The Advances in Digital Forensics V, IFIP Advances in Information and Communication Technology, vol. 306, pp. 37, 2009.

Wednesday, 16 November 2011

Is there a possibility of Cybernuke?

Forensics has become more important in incident response. This capability is required in order to investigate the root cause of the incident. Whether it is intentionally or not!

As such, malware forensics/reverse engineering, has become so important and SANS is providing a training on it. With Stuxnet and Duqu... better arm yourself.

(Microsoft has confirmed that the Duqu campaign exploits a vulnerability in a Windows kernel-mode driver - specifically "W32k.sys," and its TrueType font parsing engine - to gain rights on the compromised PC sufficient to install the malware.)

This is cyber warfare/ cyber nuclear...

Tuesday, 15 November 2011


For a start, R-Studio is a good tool for data recovery. It can also be used for forensics purpose.

If you have this tool, it will try to read the filesystem and carve the known file specification. It can be anything from an image (jpeg) to a word document file.

After sometime and your familiarization with file specification get better, WinHex can also be used to performed data recovery.

Monday, 14 November 2011


Maybe there are many digital forensics tools out there. The most famous is EnCase. It is not fully automated though. You need to learn how to use EnCase and some of the features, of course, pretty useful. But, when you are working on a case that has big capacity storage media e.g. 1 Terabyte…it can be quite stressful…

I guess it depends to individual whether you like to use EnCase or FTK.

Like myself, I’m more convenient with WinHex…but you really need to know what you are doing. WinHex is manual…and I find it quite flexible to use. If you are called as an Expert Witness, it is easier to explain when you analyze a case using WinHex.

It is just like a knife…and you can do anything with it…

Btw, I have these three tools to verify the output of the overall analysis.

Sunday, 13 November 2011

Cyberspace Driving License

This type of case is not really a typical cyber hacking crime where there is intrusion into the system and stealing loads of financial or important data. 
However, many have been victimized and the money involved is substantial. It is only through social networking. The awareness campaigns by Malaysia and Australia governments have been intensive but these cases are still on the rise.

Why? It is just like educating people not to drive fast, fasten your seat belt, don’t beat the traffic light and etc…but accidents still happen.

It is you that need to be very precaution…isn’t right? Or should we have cyberspace driving license…what say you?

Saturday, 12 November 2011

Data Recovery

I think many will experience problem with their computer hard disk. Not only hard disk but also your thumb drive. It is inevitable…just like a car...where there is no guarantee that it will not break down…and when it happens you must feel really upset. Just imagine, all you important documents or digital pictures are gone.
So how?
I got an answer for you…data recovery…want to know more…it is really2 difficult but doable…

Friday, 11 November 2011

Cybersafety in Malaysia and Australia

A very good effort by both Malaysia and Australia. I found a poster at my daughter's Mawson Lakes school giving information on cybersafety for the young netizens to refer if they encounter any mishaps in the cyberspace. 
In Malaysia we can always refer to There are a lot of advisories for our safety in the cyberspace.

Thursday, 10 November 2011

10 business lessons from Steve Jobs

1. Be innovative
2. Have both foresight and confidence 
3. Focus on product, user experience 
4. Get involved with your organization 
5. Don't fear failure, define success yourself 
6. Provide a persona for your company
7. Be an inspiration 
8. Pay attention to details
9. Passion takes you far
10. Don't get hopes high in premature stages     

Wednesday, 9 November 2011

Institute of Digital Forensics

There is a study on computer forensics in Japan done by Liu,et al. [1]. According to the paper, Japan has been committed on fighting cybercrime and cyber terrorism. The paper analyzes the political structures, legal systems, law enforcement infrastructures and academic development in computer forensics.
It seems the political structure in Malaysia and Japan is similar where both countries consist the components of Executive, Judiciary and Legislative. On the judiciary both countries have supreme and high courts to judge the cybercrime cases. The cybercrime cases in Japan are mainly handled by the National Police Agency for investigation.
According to the paper, the cybercrime in Japan has risen since 2003. Fraud and fraud using the Internet are the highest in 2007 with 1512 and 1229 cases respectively. The lowest is cybercrime of copyright at 165 cases in 2007.
One notable development of digital forensics in Japan is the establishment of The Institute of Digital Forensics a non-profit organization. It looks into the area of development of technology, globalization, legal reform, public awareness, civilian research and development and higher education in computer forensics. It is acting as the intermediary among stakeholders, government, national police agency, industry, education and promoting the development of computer forensics in Japan. 
To have an Institute of Digital Forensics like Japan to move forward the progress of digital forensics further is ideal. It is worthwhile by looking at the contribution of CyberSecurity Malaysia's Digital Forensics Department since year 2000. With this trust and appointment, more programs can be delivered. One of the examples is cooperation among digital forensics organization among other countries. The cooperation can be in terms of research and development initiatives with the aim to reduce the cost to establish a digital forensics outfit.
[1] J. Liu and T. Uehara. “Computer Forensics in Japan: A Preliminary Study.” The 2009 International Conference on Availability, Reliability and Security, pp. 1007-1011, 2009.

Tuesday, 8 November 2011

China’s Cyber Warfare Capabilities

On 4th Nov, I mentioned about Professor Desmond Ball study on Cyber Warfare capabilities. In the paper, it concluded  with this notion...China’s deficiencies and vulnerabilities has led to the adoption of a pre-emptive strategy, as practiced in People’s Liberation Army exercises, in which China’s very destructive but relatively unsophisticated cyber-warfare capabilities are unleashed at the very outset of prospective conflicts.

Read this article for further info and analysis. 

Monday, 7 November 2011

Mark Zuckerberg No.9

The World's Most Powerful People

Bill Gates No.5...

If Steve is still around...

Cyber Espionage

Malaysia is being spared!

Leakage of info and docs can also be done MANUALLY. Social engineering and etc. There is no sophistication...merely sweet talk isn't?;txt

Saturday, 5 November 2011

I know what u did last raya!!!...I know what u did last summer!!!

I have two categories of audience in my blog. Malaysian and international friends. Hopefully, I can share with both since I’m gonna refer to two films and the earlier one might be totally unfamiliar to my international friends.
(google translate it to English to understand the relationship between the two films)

...and it reminds me of a colleague in CyberSecurity Malaysia who presented to a group of people with this title. What is it all about? Raya/Summer? What is it got to do with cyber security!

You don’t understand…well, with the advent of technology many ignorant netizens actually fall prey as cyber victim.

They are so excited about facebook…bla…bla…bla…and put everything over the cyber space…computer hard disk…mobile phone…and later they will regret about it when things turned unruly.

Think twice…! It will remain forever in the digital world!

Btw, I have not seen both films…ha…ha…ha…

Selamat Hari Raya Adil Adha to my muslim friends.

Friday, 4 November 2011

The Fifth Domain - Cyber Warfare

Interesting news on cyber attacks...
We have seen it happening...and I've told you earlier...isn't?
Another interesting study by Professor Desmond Ball.

China’s Cyber Warfare Capabilities  
China has the most extensive and most practised cyber-warfare capabilities in Asia. This article describes the development of these capabilities since the mid-1990s, the intelligence and military organisations involved, and the particular capabilities that have been demonstrated in defence exercises and in attacks on computer systems and networks in other countries. It notes that it is often very difficult to determine whether these attacks have originated with official agencies or private ‘Netizens’. It argues that China’s own computer systems and networks are replete with vulnerabilities, of which Chinese officials are well aware. It concludes that this appreciation of China’s deficiencies and vulnerabilities has led to the adoption of a pre-emptive strategy, as practiced in People’s Liberation Army exercises, in which China’s very destructive but relatively unsophisticated cyber-warfare capabilities are unleashed at the very outset of prospective conflicts.

Thursday, 3 November 2011

Smart Card Hacking

According to Abbott [1], the smart card is not perfect but has improved on security. Hacking it necessitate expensive specialize equipment. This condition has made it less prone to attack. It has lower risk than other conventional IT system. The design of the smart card has made it less susceptible.

Common Criteria (CC) or ISO15408 is a standard used to uplift the smart card security. There is an inclusive Protection Profile (PP) [2] to cover smart card security. This is an ideal security technical guideline to follow by the smart card manufacturer.

All of the security features in the Security Target (ST) are tested in a laboratory. The security modules must strictly follow the PP. With this scheme, the smart card security has some sort of assurance.

[1] J.Abbott. “Smart Cards: How Secure Are They?’ The SANS Institute GSEC Practical Submission, 2002.

[2] “Common Criteria For Information Technology Security Evaluation: Protection Profile Smart Card Integrated Circuit With Embedded.” Registered by the French Certification Body under the reference PP/9911, 1999.

Wednesday, 2 November 2011

The Late Steve Jobs

I’m a fan of Apple products and read some books about Steve Jobs. If you want to be a good presenter, this book could well guide you. This trait is a must to excel.

There is another book written by Walter Isaacson who wrote about Jobs and the most interesting is some of his unknown characters such as mean and abrasive – not the world greatest manager.

His loves for perfectionism came from his adopted father, Paul Jobs.
He did not let money ruin his life and lived in a modest house.

If Jobs is still alive…the next quest could be television…mmm…

Tuesday, 1 November 2011

China vows stricter controls on social media

BEIJING/SHANGHAI (Oct 26, 2011): China will intensify controls of online social media and instant messaging tools, the ruling Communist Party said in an agenda-setting document that marks the government's highest-level reaction so far to the explosive growth of microblogs.

Beijing's vow to strengthen Internet administration and promote content acceptable to the ruling party appeared in the communique of a recent party leadership conclave published in the official People's Daily on Wednesday.

Communiques from the Communist Party's Central Committee, which held its annual meeting this month, set the broad agenda for policy-makers.

This one made clear that party leaders are looking for ways to better control, but not snuff out, the microblog services that have become popular channels for spreading news and opinion that can unsettle the government.

"Strengthen guidance and administration of social Internet services and instant communications tools, and regulate the orderly dissemination of information," said the communique, which made no reference to microblogs as such.

"Apply the law to sternly punish the dissemination of harmful information," added the document. It did not give details of what form firmer regulation may take.

The announcement from the Party meeting builds on a stream of warnings in state media that has exposed how nervous Beijing is about the booming microblogs, called "weibo" in Chinese, and their potential to tear at the seams of censorship and controls.

But analysts said the business impact was likely to be muted, because investors are used to growing official scrutiny of Chinese Internet companies and the government is unlikely to shut down what has become an important valve for monitoring and easing social pressures.

"There will be tighter censorship, but the impact on the platforms won't be much. I don't think the government will implement nation-wide regulations because that will be negative for the government and the companies," said Hong Kong-based CLSA analyst Elinor Leung.

Chinese microblogs, especially Sina Corp's dominant service, carry plenty of gossip and harmless fare.

But they also offer raucous forums for lambasting officials and reporting unrest or official abuses. It is their potential to stoke popular discontent that most worries Beijing.

Microblogs allow users to issue bursts of opinion -- a maximum of 140 Chinese characters -- that can cascade through chains of followers who instantly receive messages, challenging censors who have a hard time monitoring the tens of millions of messages sent every day. Inventive users adopt alternative words to get around censorship filters.

A bullet train crash in Wenzhou this July was a watershed moment for Sina's "Weibo" microblog service as thousands of users expressed anger at the official response and pulled apart official accounts of the crash and rescue response.

More recently, an uproar spread on Sina's Weibo when a two-year old girl who was run over by two trucks and then ignored by passerbys as she lay bleeding. She later died.

The number of Chinese users registered on domestic microblog sites reached 195 million by the end of June, a more than threefold increase on the number at the end of 2010, according to the China Internet Network Information Center.

A top Chinese Internet regulator this month also called for stricter policing of microblogs while encouraging officials to use them to engage with citizens, indicating that Beijing was looking to better control such services, but not shut them down.

Sina and other Chinese microblog operators already deploy technicians and software to monitor content and block and remove comment deemed unacceptable, especially about protests, official scandals and party leaders.

Excessive self-censorship on the microblog platforms risks alienating off users by making them bland, analysts said.

"The more important risk we see for Sina Weibo and other Weibos is that they self-regulate out of business (interests)...and that they self-neuter and that makes the platform so boring no one wants to use it," said Michael Clendenin, the managing director of RedTech Advisors. --Reuters