Wednesday, 29 February 2012

Network Forensic Tool Developed By Malaysia Researcher

I’m delighted to know that a Malaysian researcher has developed a network forensic tool called the Forensic Analysis and Discovery System (FADS). The research interest in this field has grown from year to year in Malaysia and I hope more products will prevail in the future.

According to The Star Online today, Dr Aman, a senior lecturer at Universiti Sains Malaysia, applied to patent the system last month and it is expected to hit the market by the end of the year.

From my past experience, it is also good for this product to go for computer forensic tool testing e.g. by NIST so that a third party could test the said tool.

This is important when the expert witness/digital forensics analyst is being questioned in the court of law.

The work conducted must be forensically sound.

The tools used must be forensically sound too.

Also, if possible, Dr Aman can share it with digital forensics practitioners so that the tool can be tested in the real world of digital investigations/operations.

It is good to get some feedback in addition to the test conducted at their facility.

But this depends entirely on their plan.

Once again, congratulations!

When is forensically sound really forensically sound?

Thanks to Rodney [1] for trying to articulate the actual meaning of “forensically sound”.

I think this term is important because it is international digital forensics jargon, no matter where you’re from. Malaysia, Australia or the United States of America, every digital forensics analyst must and will understand this term.

If not, there’s something wrong. You’re not truly a digital forensics analyst.

I still remember when I started my career as a digital forensics analyst, this jargon must be understood. It will be a guide whenever you are doing the digital forensics work. Be it acquisition, recovery or analysis.

As we all know, in this digital age, everything is made simple. One good example is multimedia.

With multimedia technology, video editing is made easy. Only with a single click!

Just recall analogue video; it is really troublesome, isn’t it? If the case exhibit is in analogue form, it means more work to be done.

So, with digital technology, we become so complacent. You can always save any file to any format in a split second.

But, the same technology has aggravated the work of a digital forensics analyst. With the same click, a digital forensics analyst can inadvertently damage the case exhibit.

This is not easy. A digital forensics analyst’s work is delicate. They are not merely geeks but artists. That’s why the salary of a digital forensics analyst must be competitive because the profession is demanding.

Hahaha…you got to agree with me.

Back to Rodney’s paper, he tried to gather the meaning of forensics computing, forensically sound and the evaluation criteria that consist of meaning, errors, transparency and experience.

Most probably, I would like to add auditable. A digital forensics effort must be written in a work sheet so that you are able to recap what has been done, will be done and also to show the analysis is completed in a “forensically sound” manner. Thus, this process is auditable.

It is to show nothing has been changed and the case exhibit is as good as its original pristine state. Moreover, the work has been conducted on a bit to bit copy that is as good as the original exhibit.

Nothing is changed and every bit is being analyzed. No stone left unturned.

I think this is the true meaning of forensically sound!

What say you?

[1] R.McKemmish. “When is Digital Evidence Forensically Sound?” The Advances in Digital Forensics IV, IFIP Advances in Information and Communication Technology, pp. 3-15, 2008.
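
The requirements discussed above (work on a bit-for-bit copy, show that nothing has changed, keep an auditable worksheet) can be sketched in code. This is an added example, not code from the post or from McKemmish's paper; the `Worksheet` class, the file names and the examiner ID are hypothetical, and the exhibit bytes are constructed sample data.

```python
import hashlib, json, os, tempfile

GENESIS = "0" * 64  # "previous hash" for the first worksheet entry

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Worksheet:
    """Hypothetical append-only worksheet: each entry commits to the one before."""
    def __init__(self):
        self.entries = []

    def record(self, examiner, action, detail):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "examiner": examiner,
                "action": action, "detail": detail, "prev": prev}
        self.entries.append({**body, "entry_hash": _digest(body)})

    def verify(self):
        """Detects edited, reordered or mid-chain deleted entries (not tail truncation)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def verify_copy(original, copy, sheet, examiner):
    """Compare exhibit and working copy by hash; log the result either way."""
    h_orig, h_copy = sha256_file(original), sha256_file(copy)
    sheet.record(examiner, "verify_copy",
                 {"original_sha256": h_orig, "copy_sha256": h_copy,
                  "match": h_orig == h_copy})
    return h_orig == h_copy

def demo():
    with tempfile.TemporaryDirectory() as d:
        orig, work = os.path.join(d, "exhibit.dd"), os.path.join(d, "working.dd")
        for p in (orig, work):                      # constructed sample "image"
            with open(p, "wb") as f:
                f.write(bytes(range(256)) * 64)
        sheet = Worksheet()
        sheet.record("analyst-1", "acquire", {"source": "exhibit.dd"})
        clean = verify_copy(orig, work, sheet, "analyst-1")
        with open(work, "r+b") as f:                # flip a single bit in the copy
            f.seek(100); b = f.read(1); f.seek(100); f.write(bytes([b[0] ^ 1]))
        altered = verify_copy(orig, work, sheet, "analyst-1")
        intact = sheet.verify()
        sheet.entries[1]["detail"]["match"] = False  # rewrite history after the fact
        return clean, altered, intact, sheet.verify()

if __name__ == "__main__":
    print(demo())
```

A single flipped bit makes the copy fail verification, and editing an earlier worksheet entry breaks the hash chain, which is what makes the record auditable rather than merely written down.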

Tuesday, 21 February 2012

CNII Forensics: KLCC Twin Towers & Maroochy Water Incident in Queensland

Most probably you will be asking yourself what is the significance between KLCC Twin Towers and Maroochy Water Incident in Queensland with regard to CNII Forensics.

In case you want to know about CNII Forensics, I've written briefly on CNII Forensics and the subjects associated with it.

Well, after I graduated from the University of Liverpool in Electrical Engineering and Electronics, my first job was a project engineer to oversee the Standby Power and Scada systems development at KLCC Twin Towers.

For a fresh graduate, it was indeed challenging to manage one of the tallest buildings in the world (at that time) and would be the famous landmark in Kuala Lumpur Malaysia. But, it was worthwhile because I’ve learnt a lot on technical and management complexities.

Then, early this year, I read my supervisor Professor Jill Slay’s paper [1] on “LESSONS LEARNED FROM THE MAROOCHY WATER BREACH”. It is interesting to understand the implications if we don’t protect our critical systems. If breached, the impact would be disastrous, not only in monetary terms but in lives.

It is priceless, isn’t it? (If you can’t imagine it, watch Die Hard 4).

And, as a project engineer, I was ignorant of the consequences and security aspects in the beginning. I think all control engineers were ignorant too until they became aware of this serious issue. But this doesn’t mean my first project is not secure, and I will neither reveal nor discuss it here.

Nevertheless, I’m grateful that I’ve acquired the required experience in IT security through CyberSecurity Malaysia and now going deeper in the discipline of digital forensics at University of South Australia.

Well, the “Industrial Network Security” is not totally different from the typical network security. That’s why Stuxnet was developed to attack/disrupt Iran’s nuclear facilities.

With proper design we should be able to mitigate the issue but it will not be 100%. Constant monitoring is compulsory with best practice according to standards and regulations. NERC CIP is an exemplary one.

I wouldn’t go into detail on the network. However, I must stress that network segregation is very important with detection systems. Again, the network must be monitored 24x7.

If something happens to KLCC Twin Towers, the cost will be in billions of dollars. I still remember when I did the testing on the Scada system, stringent procedures must be followed and it has to be conducted after 12am.

So, the Maroochy Water incident in Queensland is a lesson learned for all of us. Every country must put an effort to safeguard their critical infrastructures.

Malaysia and Australia have high commitment on this matter.

[1] J.Slay and M.Miller. “Lessons Learned From The Maroochy Water Breach”, in IFIP Book Chapter, 2008, pp. 73-82.

Friday, 17 February 2012

CCTV Images: Looks like me, sounds like me but it is not!

Well, as usual, I’m not going to comment on any controversial CCTV videos or images…whether that person is really the person.

Nonetheless, as a researcher, I would like to share on an interesting article by Wilkinson et al. [1]. The title is “Are facial image analysis experts any better than the general public at identifying individuals from CCTV images?”

Interesting topic isn’t it?

In reality, whenever there is a CCTV case, the general public would be the one who will speculate; “I know this person…this guy…this lady.”

To make it worse, with the advent of the Internet and YouTube…CCTV images and videos can go viral…in a split second. And more and more people will speculate.

And, the reporters may make assumptions and decide to print the thoughts of the general public (I’m not trying to offend anybody here…it is purely based on experience and observation).

This can be bad. Is this good for the judge or jury?

Certainly not when you read the outcomes of the Wilkinson paper.

According to the authors, facial image analysis experts are better because they are more consistent. Their identification rates are double and their errors are half those of the general public.

Experts are trained and their assessment is based on science. They will make their analysis according to proven methods and experience whereas the general public relies on the naked eye. If the image is of high quality, the general public may get it right; if not…their opinion may not be considered in the court.

Thus, the expert witness or attorney in the court of law could cite this empirical study (using ANOVA with good sampling).

Better isn’t it? Forensically sound! Scientific assessment!

[1] C.Wilkinson and Raymond Evans. “Are facial image analysis experts any better than the general public at identifying individuals from CCTV images?” Journal of the Forensic Science Society, vol. 49, pp. 191-196, 2008.

Wednesday, 8 February 2012

Are digital forensics guidelines good enough?

I came across an article titled “An analysis of digital forensic examinations: Mobile devices versus hard disk drives utilising ACPO & NIST guidelines” that is quite interesting. The authors [1] have written an informative argument on both mobile device and hard disk drive analysis perspectives with regard to the ACPO & NIST guidelines.

I agree that mobile devices are more challenging than hard disk drives. Why? Because hard disk drive technology is more mature compared to the former. Above all, the system configurations of mobile devices differ from one to another. They are customized, proprietary and…etc…etc…etc.

Well, the straightforward approach is to reverse engineer, and the innovation part will be when you develop a tool based on the “manual experience” (techniques) gained when you conduct analysis on these products.

One good book I would like to promote is iPhone Forensics Analysis by Sean Morrissey and Andrew Hoog (I’m not their agent…not getting any commission here). But, these guys are great if you want to succeed in mobile devices forensics.

So, what do you need to do…experiment…experiment…and experiment, coding…coding…and coding.

Guidelines alone are not enough!

[1] P.Owen and P.Thomas. “An analysis of digital forensic examinations: Mobile devices versus hard disk drives utilising ACPO & NIST guidelines”. The Journal of Digital Investigation, vol. 8, pp.135-140, 2011.

Monday, 6 February 2012

Cyber recruitment...beware!

I’ve written about Tan Sri Vincent’s investment gain on the Facebook IPO. Most probably, a lot of people will gain too from this exercise.

Congrats to Facebook and Mark Zuckerberg. Awesome innovation!

On the other hand, some people aren’t lucky enough…they became drug mules…recruited through Facebook…no monetary gain…but jail.

I know this is not new…but it puzzles me…despite the information, awareness and advice given…this type of case is still happening…and it is the same in Australia and Malaysia.

Whose fault is it? Obviously not Mark…neither Facebook.

Don’t point your finger at someone because there are four pointing back at you.

For more info, read the news below.


OUTLAW motorcycle gangs are using social media to recruit drug mules, Australia's top crime body has revealed.

The Australian Crime Commission, investigating "high-risk" crime groups in South Australia, is monitoring a number of drug recruits groomed through websites such as Facebook and has alerted South Australian Police.

Commission chief executive John Lawler told The Advertiser outlaw motorcycle gangs had used social networks to recruit associates and people to help with criminal activity, especially in illicit drug distribution.

Recruiting people on social media to traffic drugs has been a problem across Asia for three years, particularly in the Philippines and Malaysia.

In SA last year a man with no known history of drug crime was recruited online and later charged by police for possessing illegal chemicals.

Mr Lawler said commission intelligence had identified a number of other people buying drugs on behalf of this outlaw motorcycle gang who had been recruited via social media.

He said a bikie associate had befriended the man on social media and referred him to a website connected to the gang.

He said the man was then asked via email to buy chemicals through a company overseas, collect them on their arrival in Adelaide and deliver them to a gang member.

For operational reasons, the commission would not say which gangs have been involved.

SA Police declined to comment in any depth about the recruiting methods of bikie gangs.

The commission has extended its SA investigation to combat organised crime through to June 2014, having identified nine active bikie chapters in the state with about 300 full members.

Its major operation last year was to help SA Police shut down major drug operations.

Sunday, 5 February 2012

Tan: How I made money from Facebook

Can you imagine this guy…Tan Sri Vincent made millions from Facebook IPO.

The funny thing is…he doesn’t even have a Facebook account.

I once met Ganesh in early 2000, discussing IT security. This guy is young and most importantly talented.

I think both of them are a good combination…geek + pure business sense…$$$.

Awesome isn’t it? RM420mil…from an initial investment of US$38mil!

Tan: How I made money from Facebook


PETALING JAYA: For a man who does not have a Facebook account, Tan Sri Vincent Tan surely knows the value of the Internet giant.

“I may have one later,” quips Tan on opening an account but he will be counting the windfall from the 3.5 million shares his company, MOL Global Bhd, owns in Facebook once the company is listed on either the New York Stock Exchange or Nasdaq.

Based on an assumption that Facebook shares start trading at US$40 post-initial public offering, Tan’s MOL Global stands to pocket RM420mil for its shares.

Speaking to StarBizWeek, Tan recollects how he came about getting his hands on a tiny but valuable stake in Facebook.

Friendster was among the first social networking websites. It preceded MySpace and Facebook. Starting operations in 2003, Friendster found the going tough and lost money for years.

The company continued to raise but spent money aggressively. In running up losses, Friendster had, nonetheless, built up a base of 140 million registered users, of which 40 million were active.

Tan said the losses then stemmed from Friendster not monetising its user base. Finding it hard to make money from its users, it was losing an average of US$10mil a year.

Eventually, the patience of the owners and investors in Friendster wore thin and they wanted to exit the business. Friendster then called for a process to sell the business and now Friendster CEO, Ganesh Kumar Bangah, who was then working with Tan, informed him that Friendster was for sale.

“I asked for the numbers and found that 140 million registered users and 40 million active users was interesting. If we could make them spend some money, maybe Friendster would be a good investment. Of course, the downside was the business will continue to lose US$10mil a year,” he said.

Tan said the owners of Friendster initially wanted US$100mil for the business but with losses mounting, he knew no one would pay that much for the company. “At that time, Facebook wanted to buy Friendster’s patents but Facebook was willing to pay US$10mil cash and later increased it to US$20mil cash.”

Tan was made to understand then that the owners felt that taking US$20mil only to lose US$10mil a year will soon see that cash vanish and then decided to accept US$40mil for Friendster but wanted a quick sale. “They gave the potential buyers about a week to decide. Many people were looking, including large firms from China and Japan, at Friendster.

“They were much larger than MOL but with the owners of Friendster needing a fast sale, I told Ganesh to do a quick due diligence on Friendster.

“We took two days for the due diligence and made a bid. We said since Friendster owed people US$2mil, we offered US$38mil.

“With other potential buyers doing their due diligence, I told them that if they accepted US$38mil, we will do the deal right away. They accepted our proposal,” said Tan.

After buying Friendster in 2008, Tan then turned his attention to Facebook, which remained interested in Friendster’s patents and whose offer of US$20mil cash for the technology rights was still on the table. “We had a conference call with the people at Facebook. I accepted their price but I wanted shares.”

Facebook officials told him that Mark Zuckerberg, the boss of Facebook, did not want to dilute the shares in the company but Tan stood firm and said “if there was no shares, forget it”.

Tan insisted on getting shares in Facebook because he felt the company will be big in the future. Finally, Zuckerberg agreed to a share exchange for the patents and Tan got his 700,000 shares. His shares have grown to 3.5 million following a 5-for-1 split in Facebook’s shares before the IPO process.

Tan did not leave Friendster to languish but devised a plan to get the social networking website to breakeven point. He closed the US, Singapore and Australia offices to cut cost and began rebuilding the company.

This year, Friendster has stopped the bleeding and Tan felt the company has become “quite valuable”.

“The number of active users on Friendster has fallen from 40 million to four million but these four million spend money with us. We put games and all kind of things on the website and they spend money. If they didn’t, we cannot monetise the business,” he said.

Potentially, Tan values his Internet business at around RM1bil. It does business in Malaysia, Singapore, Thailand, the Philippines, Indonesia and India and is trying to get into Vietnam and many other countries.

MOL makes money from points people buy to play online games. It is also a payments gateway and is a payment partner for Facebook and Zynga, which is the creator of the hugely popular Farmville.

Tan said business models employed by companies such as Zynga, instead of relying on advertising revenue, was how large sums of money can be made from the Internet.

“People play and buy cows and tractors for their game. It’s amazing why people pay so much for that and I cannot imagine it.

“I tell my kids ‘you don’t play Farmville. If you want to farm, you can go to Bukit Tinggi. I will give you a real farm’,” he laughs.

Will he hold or sell his Facebook shares?

“We will see where it goes,” said Tan. “We will probably sell them for our business. We don’t want to hold them for too long but will see where the shares go after the IPO.”

At any price, the Facebook shares Tan owns has been hugely rewarding and the profit from the shares means the Friendster acquisition was paid for plus a lot extra profit on the side. “We were lucky,” he said.

So where does this investment rank among the many that Tan has executed in his corporate life?

“It’s one of the good ones but none can beat DiGi,” he said. “DiGi was my best investment and I should have stayed with it. I sold when DiGi had a market capitalisation of RM5bil to RM6bil. Today, the company is worth some RM31bil.

“That’s the big one that got away,” he lamented.