OPEN

VOl. 1 NO. 1

CLOUD-BASED MOBILE:
WHAT ABOUT DIGITAL FORENSICS?

REAL-TIME INTRUSION DETECTION FOR CRITICAL

INFRASTRUCTURE PROTECTION: COCKPITCI APPROACH

MALWARE ANALYSIS: Detecting and Defeating Unknown Malware

SIM CARD FORENSICS

HOW TO PREPARE ORACLE FOR EXAMINATION IN THE FORENSIC LAB

SELF COLLECTION IS RISKY BUSINESS

JUSTICE SPEAKS... AN INTERVIEW WITH JOHNNY JUSTICE,

SENIOR INSTRUCTOR FROM MIlE2

HOW KPMG USES ENCASE® TOOLS TO SOLVE CLIENTS’

E-DISCOVERY CHALLENGES IN CANADA
Issue 1/2013 (1) February
 www.InfoSecSkills.com LEAD
2013 PUBLIC SCHEDULE PRACTITIONER

Allow
us to
guide
your
CAREER

SENIOR
PRACTITIONER

2013 PUBLIC COURSE SCHEDULE

CISMP
Mar 18-22, Apr 22-26, May 13-17, Jun 10-14,
Jul 8-12, Sep 30 - Oct 4, Oct 14-18, Nov 18-22 PRACTITIONER

PCiBCM
Mar 18-22, Apr 8-12, Apr 22-26, Jun 10-14, Jul 8-12,
N 11-15, Dec 9-13
Aug 5-9, Sep 16 -20, Oct 14-18, Nov

PCiIRM
Apr 22-26, May 6-10, May 20-24, Jun 3-7, Jun 17-21,
Jul 8-12, Jul 22-26, Aug 5-9, Oct 7-11, Oct 21-25, Nov 4-8,
Nov 18-22, Dec 2-6, Dec 16-20

If you are interested in learning more, get in touch:

contact@infosecskills.com.

TEAM
Editors: Joanna Kretowicz
jaonna.kretowicz@eforensicsmag.com
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca
andrzej.kuca@software.com.pl
Marketing Director: Joanna Kretowicz
jaonna.kretowicz@eforensicsmag.com
Publisher: Software Media Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.eforensicsmag.com
DISCLAIMER!
The techniques described in our articles may only be
used in private, local networks. The editors hold no
responsibility for misuse of the presented techniques or
consequent data loss.
4
Dear Readers!
We would like to present the latest issue of eForensics Magazine
Open, featuring articles written by digital forensics specialists and
enthusiasts, experts in Mobile, Computer, Network and Database
Forensics covering all aspects of electronic forensics, from theory
to practice. For those who already know us it’s the best practical
pill consisted of great articles from our last four issues, for new
readers – we hope, a valuable invitation to join our experts com-
munity.
Taking advantage of this publication, we would like to inform you
that we are on the right track and, starting this month, you can
expect 4 issues monthly from eForensics Magazine. We’re giving
you the best, checked, professional, exciting content endorsed by
market-leading companies! No mediocre, half-baked articles! At
least not here!
We would also like to thank you for all your feedback and support
and invite you to follow us on Twitter and Facebook, where you
can find the latest news about our magazine and great contests.
Do you like our magazine? Like it, share it! We appreciate your ev-
ery comment as for us eForensics means you and your needs, and
we are here for our readers. We would be more than pleased if
you could let us know what your expectations towards the maga-
zine are? Which topics are you most interested in? I repeat it ev-
erytime but it is You who shape eForensics!
Thank you,
Joanna Kretowicz
& eForensics Team
 contents

How to Prepare Oracle for Examination in the Forensic Lab

by Todd Markley
The Oracle database can present many opportunities for gathering important evidence, but it can
also include serious obstacles for the forensic examiner. 06
14
Real-time Intrusion Detection for Critical Infrastructure
Protection: Cockpitci Approach
by Lasith Yasakethu and Jianmin Jiang
Cyber-attacks against control systems are considered extremely dangerous for critical infrastruc-
ture operation. Today, the protection of critical infrastructures from cyber-attacks is one of the
crucial issues for national and international security. Over the past ten years, intrusion detection
and other security technologies for critical infrastructure protection have increasingly gained in
importance.

22
How Uses ENCASE® Tools to Solve Client’s E-Discovery
Challenges in Canada
by Dominic Jaar
Clients of KPMG in Canada turn to us when e-discovery challenges loom and they’re not sure
they have the internal capability to meet their legal obligations in a cost-effective fashion. What
we bring to those clients is our experience providing tested and reliable processes and solutions
customized to their particular situations.

28
Self Collection is Ricky Business
by Elias Psyllos
Whenever a matter arises that requires the collection or preservation of Electronically Stored Infor-
mation, most companies first thought is to have their internal IT department, create the “images”
of the digital media involved in the matter. This is what is known as a “self collection”. The topic of
“self collection” has been one area of Computer Forensics and E-Discovery that is continuously
discussed and debated.

32
Cloud-Based Mobile: What About Digital Forensics?
by Lamine Aouad and Tahar Kechadi
The significant growth in mobile systems combined with the emergence of the other influencial
field – cloud computing, has created another challenge for digital forensics. How to retrieve data from
cloud-based mobile, has become an intriguing question for every passionate forensic specialist.

38
Sim Card Forensics
by Apurva Rustagi
This article introduces the file-system implemented in Subscriber Identity Module (SIM) cards and
the collection of data contents that might be helpful in a forensic investigation. The author, also,
provides programming code that is designed to extract some of the important data such as Short
Message Service (SMS) traffic and contact information from the SIM Card. A data extraction ap-
plication would be written in ANSI C.

42
Malware Analysis: Detecting and Defeating Unknown Malware
by Kevin McAleavey
It is common for malware to slip right past security solutions undetected and unmitigated, leaving
more system’s infected with each passing day despite these efforts. The malware can not only threaten
the process of conducting investigations, it can also threaten the evidence obtained from those inves-
tigations itself. How to detect and defeat unknown and undetected malware.

54 Justice Speaks... An Intervier with Johny Jusice,

Senior Instructor from JMIlE2
by eforensics Team: Gabriele Biondo, Roshan Harneker, Stanislaw Butowski
As if his name wasn’t sufficient recommendation, this man has been a counterintelligence agent
in the U.S. Army for several years. Recently, he has switched to training and developed a course at
Mile2. Although permanently busy, he did find some time to answer a couple of questions. Here
you are – Justice speaking about the certifications, cyber crime, cyber terrorism, the most common
mistakes made by Digital Forensics Examiners, and testifying at court.

www.eForensicsMag.com 5
 HOW TO PREPARE
ORACLE
for Examination in the Forensic Lab

by Todd Markley

The Oracle database can present many opportunities for

gathering important evidence, but it can also include serious
obstacles for the forensic examiner.

T
raditional forensic examinations of images
using tools like EnCase or FTK often allow
little more than access to fragments of text
in the Oracle files. Examination in the context of
the original schema, using a live Oracle instance,
can provide the best possible perspective of evi-
dence. This article will explore restoring an Oracle
instance from a forensic image.
The Oracle database is a complex application
that will store its data in many locations, often
spread over a number of directories and/or disks.
The configuration files that include the locations
of the data are binary, and are normally only ac-
cessed through the database. The Oracle installer
can use a compiler to link object modules with the
operating system that creates custom executable
files. This linking with the operating system dur-
ing installation can hinder directly running a copy
on another system. These are a few of the obsta-
cles that make the task of recreating an Oracle in-
stance in the lab difficult. In the ideal setting, the
original or identical hardware would be available.
That would allow booting a direct copy of the sub-
ject disk in the lab. The second best option would
require exporting the data from the original Oracle
database, either before or after the collection im-
aging. If the original subject system was running
Linux, which is more forgiving than Windows, it
may allow booting on only similar hardware. The
example in this article will present the more difficult
situation where booting a copy of the original disk
does not work and the examiner has only a source
image without any export backup.
The subject computer in this example is an IBM
ThinkPad laptop with 64bit Windows 7, and has
the Oracle 11gR2 database installed. This data-
base was also loaded with 4,009,021 records with
Figure 1. Oracle Registry entries on Windows

6
 HOW TO PREPARE ORACLE
unique hash values from the NSRL hash set from
http://www.nsrl.nist.gov/.
When Oracle is installed, the location of the soft-
ware and data are provided by the user. Finding
the location of ORACLE_HOME and the supporting da-
ta is the first step. Searching the disk for known Or-
acle files is one way to find ORACLE_HOME. If the sub-
ject was a Unix or Linux system, then the text file
/etc/oratab can provide the information. On Win-
dows, the location is stored in the registry under
HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE. The name
of the target database, also known as the SID, can
also be found in the Unix/Linux oratab file, or in the
Windows registry (see Figure 1).
The next step is to locate the SPFILE and/or
PFILE that is used for startup. On the Unix/Linux
system, this is located in $ORACLE_HOME/dbs, and
on Windows it may be found in $ORACLE_HOME\
database directory. The file names under Unix
are init*.ora or spfile*.ora. The Windows file
names are the same, only in uppercase: INIT*.
ORA or SPFILE*.ORA. These two forms of the start-
up file both contain the same information, but the
default SPFILE format is binary while the PFILE/
INIT format is plain text. The database SID is in
place of the * in each file name. The default in-
stallation only creates the binary SPFILE. Either
one can be used for startup, and sometimes both
will be found. These directories can contain more
than one set of startup files, one set for each SID
instance. The following steps can be repeated for
each SID, but in this example the source database
only has one instance.
The text can be extracted from the binary SP-
FILE using the strings command, which will pro-
vide the needed details. This is the same informa-
tion found in the text PFILE. A line from this text will
include the list of control_files=, which has the
path to one or more copies of the Oracle control
file for this SID (see Figure 2).
Figure 2. Extracting configuration text from SPFILEWIN.ORA
using the strings command
www.eForensicsMag.com
These control files are also binary. Each con-
trol file should contain identical information, un-
less they are out of sync. If the control files are out
of sync then that may indicate that the data files
are also out of sync and need recovery. Using the
strings command again, a list of all the data files
used by this instance can be extracted. This list of
data files will need to be copied to the lab system
(see Figure 3).
The exact version of Oracle that was used on the
subject system is important. By default, part of the
version number is often used in the ORACLE_HOME
path. This allows more than one version to be in-
stalled on the system. One place to find more detail
about the database version is in the $ORACLE_HOME/
inventory/Components21/oracle.server directory
and adjacent directories in Components21 (see Fig-
ure 4).
In this example, the target lab system will be run-
ning Linux. If the source subject computer is using
a 32 bit operating system, then it is better if the tar-
get is also 32 bits. Likewise if the subject is 64 bit,
then the target should be 64 bit. In this example,
the subject system was running a 64 bit version of
Windows 7, so the lab system was installed with
64 bit Linux. The exact Linux distribution used is
Figure 3. Extracting data file names from CONTROL01.CTL
using strings command
Figure 4. Identify Oracle version number from the “oracle.
server” directory listing
7
 not as important as long as you are able to install
the Oracle software. The Oracle web site http://
www.oracle.com/ includes a list of supported sys-
tems, and also makes the Oracle Enterprise Linux
distribution available for download. Instructions for
installing Oracle on supported systems can also
be found on the Oracle web site. Instructions for in-
stalling Oracle on other distributions can be found
Listing 1. Save Control Trace and PFILE
[oracle@cray2 ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.1.0 Production on Sat
Sep 22 17:08:44 2012
Copyright (c) 1982, 2011, Oracle. All rights
reserved.
Oracle Database 11g Enterprise Edition Release
11.2.0.1.0 - 64bit Production
many places on the internet. Oracle also makes
current versions of the database installation soft-
ware available on its web site. The version of Ora-
cle installed on the lab system needs be as close
as possible to the subject Oracle version. If the ex-
act version is not available, then a newer version
may work, but the closer the version the better.
The examiner should create a database during the
installation which can be used for baseline startup
and control templates. On the lab system, with the
installed database instance running, login as the
“oracle” user. Verify and/or set the Oracle environ-
ment to match the installed database.
[oracle@cray2 ~]$ printenv|grep ORA
ORACLE_SID=tstdb
ORACLE_BASE=/u01/ora
ORACLE_HOME=/u01/ora/o11g

SQL> ALTER DATABASE BACKUP CONTROLFILE TO Use the following SQL commands to create the
TRACE AS '/tmp/control.trace'; baseline example templates, and shut it down: see
Database altered. Listing 1.
The PFILE will be found in $ORACLE_HOME/dbs/
SQL> CREATE PFILE FROM SPFILE; init*.ora, where the * matches the SID. These
File created. two template files were the only things needed
from the install database, so it is shut down to free
SQL> SHUTDOWN IMMEDIATE; resources which may be needed later.
In this example, all the required files were copied
Listing 2. /etc/oratab from the subject Windows disk to the /s/oracle/
win directory. In this directory, these sub direc-
tstdb:/u01/ora/o11g:N tories were also created: /s/oracle/win/admin/
WIN:/u01/ora/o11g:N adump and /s/oracle/win/fast_recovery_area
(see Figure 5).
Listing 3. Set Oracle Environment It is possible for Oracle to use raw partitions for ta-
blespace data files. If raw partitions are used, then
[oracle@cray2 ~]$ . oraenv these partitions would need to be copied and acces-
ORACLE_SID = [tstdb] ? WIN sible on the lab system. Although this is outside the
The Oracle base for ORACLE_HOME=/u01/ora/o11g scope of this article, the same steps should work
is /u01/ora using the /dev entries for the matching raw parti-
[oracle@cray2 ~]$ printenv|grep ORA tions instead of the paths to the data files.
ORACLE_SID=WIN In previous steps, it was found that the SID of
ORACLE_BASE=/u01/ora the subject was WIN. Copy the $ORACLE_HOME/dbs/
ORACLE_HOME=/u01/ora/o11g init*.ora template that was created to $ORACLE_
HOME/dbs/initWIN.ora and edit this file changing
Listing 4. tnsnames.ora

WIN =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST =
192.168.1.211)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = WIN)
)
)

Figure 5. Listing of /s/oracle/win directory after coping data

files and creating sub directories

8
 HOW TO PREPARE ORACLE
the name of the database, file paths, and directo-
ry paths to match the new WIN instance (see Fig-
ure 6).
The initWIN.ora PFILE is the one that will be
used to start the new WIN instance because, unlike
the SPFILE a text file is easy to edit without using
the database. The lab computer may require differ-
ent configuration parameters than the original sub-
ject system. One example of a difference would
be the parameters for memory usage, because
the lab system may not have the same amount of
memory as the original database. Assume the in-
stalled database had valid configuration parame-
ters for the lab system hardware since it worked.
Adjustments can be made later if needed, but ideal
tuning should not be necessary since this will not
be a production database and performance is not
a priority for most examinations.
Figure 6. After edit of initWIN.ora file for startup of new
instance
Figure 7. After edit of SQL used to create a new control file
for the WIN instance
www.eForensicsMag.com
Copy the /tmp/control.trace file to control_win.
sql and edit it changing the name of the database,
file paths, and sizes to match our new instance.
The file has two sections. In this example, the
NORESETLOGS case will be used, because all the RE-
DO log files from the subject system are available
and they are expected to be in sync. This section
begins with STARTUP NOMOUNT and ends with the
ALTER TABLESPACE TEMP command. The size of the
REDO files is set to 50M, which matches the actu-
al file size of 52429312 that equals 50*1024*1024.
The ALTER TABLESPACE TEMP command is also set to
the new TEMP01.DBF path and the size adjusted to
match the file. Comment out the RECOVER DATABASE
command because it should not be needed (see
Figure 7).
As the root user, the examiner should add a line
to the /etc/oratab file for this new instance. In this
example the /etc/oratab looks like this: see List-
ing 2.
Now as the oracle user, change the Oracle envi-
ronment to match the new WIN instance: see List-
ing 3.
The control_win.sql file can now be used to cre-
ate new control files (see Figure 8).
With this example the control SQL finished with-
out error and the database is now available. If the
control SQL had failed with any errors, then each
would need to examined and resolved.
The ${ORACLE_HOME}/network/admin/tnsnames.
ora file can now be modified to include our new
WIN instance. For example: see Listing 4.
This example is simpler than some because only
one change is necessary to allow network access
to the WIN instance, which may be required by
some utilities. More complex configurations may
require other changes to enable networking.
If the subject database was using a port number
other than 1521, or the lab configuration is not de-
Figure 8. Creating the new control file and starting the WIN
database
9
 Listing 5. Display LOCAL_LISTENER Parameter

[oracle@cray2 nsrl]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.1.0 Production on Tue Oct 2 13:48:15 2012
Copyright (c) 1982, 2009, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show parameter local_listener;

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------
local_listener string

Listing 6. Change LOCAL_LISTENER Parameter

[oracle@cray2 nsrl]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.1.0 Production on Tue Oct 2 13:54:52 2012
Copyright (c) 1982, 2009, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> alter system set LOCAL_LISTENER='(ADDRESS = (PROTOCOL=TCP)(HOST=192.168.1.210)(PORT=1522))' scope=both;

System altered.

Listing 7. Changing Passwords

[oracle@cray2 oracle]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.1.0 Production on Sun Sep 23 16:34:26 2012
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production

SQL> ALTER USER SYS IDENTIFIED BY NEWPASSWORD;

User altered.

SQL> ALTER USER SYSTEM IDENTIFIED BY NEWPASSWORD;

User altered.

Listing 8. extract.sh create or replace directory ${DIRNAM} as '${DIRPTH}';

ENDSQL
#!/bin/sh
# This script will extract data using expdp
date
BIN="${ORACLE_HOME}/bin"
AUTH="system/NEWPASSWORD@WIN" # Extract the table data
DIRNAM="EXPDP_DIR" ${BIN}/expdp userid="'${AUTH}'" full=y
DIRPTH="/s/oracle/win/expdp" dumpfile=data%U.dmp directory=${DIRNAM}
logfile=data.log parallel=2 filesize=2g
echo "Start time: "
date echo "Data export finished: "
date
# Create the directory name needed for the data pump
${BIN}/sqlplus "${AUTH}" 2>&1 <<ENDSQL exit 0

10
 HOW TO PREPARE ORACLE

fault then the LOCAL_LISTENER parameter may need
to be changed. The following can be used to dis-
play the current value: see Listing 5.
If the network details are not the default, then val-
ue of the LOCAL_LISTENER must contain the match-
ing network information used by the listener. Here
is an example of changing this parameter for ad-
dress 192.168.1.210 and port 1522: see Listing 6.
Although many activities will write to the data-
base, some actions are well understood not to
affect the content of the user data. The forensic
examiner must weigh the advantages and disad-
vantages of any actions that will write to the data-
base. Although the database is accessible using
the Linux oracle account with “/ as sysdba”, some
tasks may require knowing database passwords.
If the SYS and/or SYSTEM passwords are not
known, then they can be changed at this point with
these commands: see Listing 7.
Creating a backup of the database with the data
pump utility “expdp” will provide a more portable
snapshot of the data and it will also verify access
to every part of the database. But data pump re-
quires write access. The system and temporary
tables that may be altered by data pump are also
well known and considered safe for preserving us-
er data. The following short script provides a data
pump example for extracting a portable snapshot.
The destination path and system password should
be changed to match the target system. see List-
ing 8.
During an examination, it is often desirable that
the subject data is accessed read-only to protect
it from alteration. The content of the database can

Listing 9. Restarting Read-Only

[oracle@cray2 oracle]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.1.0 Production on Sun Sep 23 16:34:26 2012
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production

SQL> shutdown immediate;

Database closed.
Database dismounted.
ORACLE instance shut down.

SQL> startup mount;

ORACLE instance started.
Database mounted.

SQL> alter database open read only;

Database altered.

Listing 10. nsrl.unique

"000000206738748EDD92C4E3D2E823896700F849","392126E756571EBF112CB1C1CDEDF926","EBD105A0","I05002T2.
PFB",98865,3095,"WIN",""
"0000004DA6391F7F5D2F7FCCF36CEBDA60C6EA02","0E53C14A3E48D94FF596A2824307B492","AA6A7B16","00br2026.
gif",2226,228,"WIN",""
"000000A9E47BD385A0A3685AA12C2DB6FD727A20","176308F27DD52890F013A3FD80F92E51","D749B562","femvo523.
wav",42748,4887,"MacOSX",""
"000001EF1880189B7DE7C15E971105EB6707DE83","B47139415F735A98069ACE824A114399","33FFFCF2","LINUX_
DR.066",1723,8925,"Linux",""
"0000051C1E5A5DECF28FE8B57ABFE2B82A3EDD1C","11A6E2A7EF1273F93ECCB22ACCC15267","9314EB02","EPLQL2PC.
PBD",6076,2866,"Solaris",""
"0000053DD188DB497821D216D9AA50DD0F1529BD","5AEC257B5EEB4AA386C28C52AE7EEC2B","E8C1285A","CMBIZ097.
ccx",19818,228,"WIN",""
"000006F5B59A85CC6133E6F8801A715E466778A5","F9A6430EAAB2A665DFED8EB2350D81E1","AA288908","IMKI003P.
PNG",31306,9011,"WIN95",""
"000007A1255E11E87B40E4877E5865B0A30C3849","B7A367DEFB8802FF4FF357FED346AE6F","D3203AD4","test_
frozen.pyc",840,7935,"Linux",""

www.eForensicsMag.com 11
 Listing 11. verify.pl

#!/usr/bin/perl
# Take records to test on stdin, then verify them as a match in Oracle
#
use DBI qw(:sql_types);
my(@rec);
my($rcnt)=0;
my($total)=0;
my($found)=0;
my($notfound)=0;
my($toomany)=0;

my($dbh) = DBI->connect('DBI:Oracle:WIN', 'SYSTEM', 'NEWPASSWORD')

or die "Couldn't connect to Oracle: " . DBI->errstr;

my($sth) = $dbh->prepare("SELECT * FROM TODD.NSRL WHERE SHA1=?")

or die "Couldn't run SQL: " . DBI->errstr;

while( ($l=<>) ) {
my(@irec);
if( $l =~ /"([^"]*)","([^"]*)","([^"]*)","([^"]*)",([^,]*),([^,]*),"([^"]*)","([^"]*)"/ ) {
$irec[0]=$1; $irec[1]=$2; $irec[2]=$3; $irec[3]=$4; $irec[4]=$5;
$irec[5]=$6; $irec[6]=$7; $irec[7]=$8;
} else {
unset(@irec);
}
$total++;
$sth->execute($irec[0]) or die "Couldn't execute SQL: " . DBI->errstr;

$rcnt=0;
while( @rec = $sth->fetchrow_array() ) {
my($sha) = $rec[0];
my($md5) = $rec[1];
if( $rec[0] eq $irec[0] && $rec[1] eq $irec[1] && $rec[2] eq $irec[2] &&
$rec[3] eq $irec[3] && $rec[4] == $irec[4] && $rec[5] == $irec[5] &&
$rec[6] eq $irec[6]) {
$rcnt++;
} else {
print "Rec: " . $rec[0] . " " . $irec[0] . "\n";
foreach $i ( 0..6 ) {
if( $rec[$i] ne $irec[$i] ) { print $i . ") " . $rec[$i] . " != " . $irec[$i] . "\n";
}
}
}
}
if($rcnt<1) { $notfound++; }
if($rcnt==1) { $found++; }
if($rcnt>1) { $toomany++; }
print DBI->errstr;
}

$sth->finish;

$dbh->disconnect;

print "Total: " . $total . "\n";

print "Match: " . $found . "\n";
if($notfound>0){print "NotFound: " . $notfound . "\n";}
if($toomany>0){print "TooManyERROR: " . $toomany . "\n";}
exit(0);

12
 HOW TO PREPARE ORACLE
be protected by the shutdown and restart of the
database with these commands: see Listing 9.
The image subject included a table containing
records from the NSRL hash database. Here is
a sample of the NSRL source records that were
used: see Listing 10.
To verify the forensic integrity of the user data
in the lab instance, a perl script was used to com-
pare each record to the original NSRL source file.
The NSRL source data is provided as flat text, and
in this case perl was selected because it was well
suited to the task of parsing this format. The fol-
lowing script was used for this test: see Listing 11.
This perl script requires installation of the DBI
and DBD::Oracle software. These installation de-
tails can be found many places on the internet, but
are outside the scope of this article. The test using
this script was successful with 100% of the records
matching with the following output:
[oracle@cray2 nsrl]$ ./verify.pl < nsrl.unique
Total: 4009021
Match: 4009021
CONCLUSION
This article has detailed taking a forensic image
of a Windows 7 laptop and restoring the Oracle
database on a lab computer running Linux. The
processes of identifying the location of all the data
files using the SPFILE/CONTROL files were cov-
ered. Also, details about the Oracle version that
was in use were determined. These data files were
copied to the lab system and the necessary con-
figuration was set up to create a new group of con-
trol files and start an instance. Enabling network
access, changing unknown passwords, exporting
with data pump, and restarting the database in
read-only mode were also discussed. Although the
forensic examination of an Oracle database can
be a difficult challenge, this article has explored
the option of inspecting the data in the lab using
Oracle to retain the original schema context. Un-
der the right circumstances, this process could be
a valuable aid to the forensic examiner.
Author bio
Todd Markley has been an Oracle con-
sultant and computer forensics expert
for 12 years providing litigation sup-
port services involving digital evidence.
You can find more details about his
work at http://www.compusleuth.com
Todd can be contacted personally at:
tmark@CompuSleuth.com or via phone:
1-614-898-7500.
Advertisement
 Real-Time Intrusion
Detection
for Critical Infrastructure Protection:
CockpitCI Approach

by Lasith Yasakethu and Jianmin Jiang

Cyber-attacks against control systems are considered extremely

dangerous for critical infrastructure operation. Today, the
protection of critical infrastructures from cyber-attacks is one
of the crucial issues for national and international security.
Over the past ten years, intrusion detection and other security
technologies for critical infrastructure protection have
increasingly gained in importance.

What you will learn:
Critical Information Infrastruc-
ture Protection, Machine learn-
ing techniques applied to Intru-
sion detection and new European
Framework-7 funded project re-
lated to Critical Infrastructure Pro-
tection.
What you should know:
Very basic understanding of in-
formation technology & machine
learning (references are given to
support this).
H
owever, strictly speaking, they
are not effective intrusion de-
tection methods, as they re-
quire knowing what kind of attack is
expecting, which deviates from the
fundamental object of intrusion de-
tection. In this article we describe
an intelligent intrusion detection ap-
proach, which does not require any
attack signatures, proposed for a
new European Framework-7 (FP7)
funded research project, CockpitCI.
INTRODUCTION
In today’s growing cyber world,
where a nation’s vital communica-
tions and utilities infrastructure can
be impacted depending upon the
level and sophistication of hostile at-
tacks, the need for Critical Infrastruc-
ture Protection (CIP) and advanced
cyber security is at all-time high. In
this article we describe an intelligent
intrusion detection approach pro-
posed for a new European Frame-
work-7 (FP7) funded research proj-
ect, CockpitCI. The article provides
the CockpitCI concept and roles of
intelligent machine learning meth-
ods to prevent cyber-attacks. A dis-
cussion on this concept emphasizes
the need of intelligent risk detection,
analysis and protection techniques
for Critical Infrastructures (CI). With
the intelligence of machine learning
solutions, CockpitCI will contribute
to a safer living environment for peo-
ple especially by providing smart de-
tection tools, early alerting systems
and strategic security system, which
allows isolating default systems and
ensuring the safeguarding of living
environment. The distributed frame-
work of the system will ensure an
operational deployment of the secu-
rity all over Europe and will improve

14
 Real-Time Intrusion Detection for Critical Infrastructure Protection
the European Critical Information Infrastructure
Protection (CIIP) strategy.
CockpitCI will focus on cyber-attacks to control
systems of energy grids that are typically intercon-
nected with public Telco networks. Power grids and
Telco networks have a large impact on daily life and
are typically referred as CI since their correct oper-
ation is essential for the everyday life of our mod-
ern society. There are bi-directional dependent re-
lationships and reciprocal influences among CIs,
named interdependencies. That is especially true
because CIs are more and more reliant on infor-
mation and communication technology and mainly
through this reliance they have become more and
more interdependent. The successful delivery of
any essential CI service depends upon the oper-
ating status not only of the CI which is intended
to deliver such a service but also on the operat-
ing status of any interdependent CIs. Initial distur-
bances in (or even destruction of) parts of one CI,
may result in cascading effects in the infrastructure
itself or/and in the other interdependent CIs.
The paradox is that Power and Telco CIs mas-
sively rely on newest interconnected (and vulnera-
ble) Information and Communication Technologies
(ICT), while the control equipment is typically old,
legacy software/hardware. Such a combination of
factors may lead to very dangerous situations, ex-
posing the systems to a wide variety of attacks.
This article first discusses machine learning based
intrusion detection strategies for CIP and then in-
troduces an advance intrusion detection technique
which will be developed as a part of the CockpitCI
project to protect CI from such cyber-attacks.
MACHINE LEARNING BASED INTRUSION
DETECTION
Intrusion detection is the process of observing and
analysing the events taking place in an informa-
tion system in order to discover signs of security
problems. Traditionally, Intrusion Detection Sys-
tems (IDS) are analysed by human analysts (se-
curity analysts). They evaluate the alerts and take
decisions accordingly. Nevertheless, this is an ex-
tremely difficult and time consuming task as the
number of alerts generated could be quite large
and the environment may also change rapidly.
Machine learning has the capability to: 1) gather
knowledge about the new data, 2) make predic-
tions about the new data based on the knowledge
gained from the previous data. This makes ma-
chine learning techniques more efficient for intru-
sion detection than human analysts.
IDS monitors the activities that occur in a com-
puting resource to detect violations of a security
policy of an organization. These violations may be
caused by people external to the organization (i.e.
attackers) or by employees/contractors of the or-
ganization (i.e. insiders). During the recent past,
www.eForensicsMag.com
intrusion detection has received considerable mo-
tivation owing to the following reasons [1] [2]:
• If an intrusion is detected quickly enough, an
intruder can be identified quickly and ejected
from the system before any damage is done or
any data are compromised. Even if the detec-
tion is not sufficiently timely to pre-empt the in-
truder, the sooner that the intrusion is detected,
the less is the amount of potential damage do-
ne and the more quickly that recovery can be
achieved.
• An effective intrusion detection system can
serve as a deterrent, acting to prevent intru-
sion.
• Intrusion detection enables the collection of in-
formation about intrusion techniques that can
be used to analyses the new threats and to
strengthen the intrusion prevention facility.
Along with the above motivations, the intention of
intrusion detection can be summarized as follows:
• Detect as many types of attacks as possible
(i.e. including internal malicious/non-malicious
and external opportunistic/ deliberate attacks),
thereby increase the detection rate.
• Detect as accurately as possible, thereby re-
ducing the number of false alarms.
• Detect attacks in the shortest possible time,
thereby reducing the damage of the attacks.
The above requirements have prompted research-
ers to develop various types of IDS that fulfil the
above goals to prevent Supervisory Control And Da-
ta Acquisition (SCADA) systems from cyber-attacks.
SCADA systems are vulnerable to cyber-attacks
due to design and implementation flaws in the cyber-
security system. Malicious users attack the cyber-
Events are analysed and patterns are detected
If patterns are known, the relationships between the
data elements are identified
If the relationships are known, context of data
elements are identified
If the context is known, then the meaning of the data
is understood (i.e. whether the data corresponds to
normal or abnormal behaviour of the system)
Figure 1. Core process of threat identification by machine
learning
15
 security system vulnerabilities by using a sequence
of events to break in to the SCADA system [3, 4].
These events result in characteristics that are de-
fined by patterns of attack. The goal of any machine
learning techniques, in intrusion detection, is to anal-
yse the input event data and to detect patterns that
would reflect possible threats to the cyber-infrastruc-
ture. The core process of threat identification by ma-
chine learning is illustrated in Figure 1.
According to the detection principle used for the
process shown in Figure 1, intrusion detection
techniques can be classified into following main
modules (but not limited to): Signature detection
(misuse detection), Anomaly detection. Detection
principles behind each module are discussed in
the following subsections.
Signature Detection (Misuse
Detection)
Signature detection also known as misuse detec-
tion generates alarms when a known cyber-attack
occurs. In this technique the behaviour of the sys-
tem is compared with unique patterns and char-
acteristics of known attacks, called signatures.
This is typically done by measuring the similar-
ity between the input events and signatures of
known attacks. If a match is found, an alarm is
triggered. As a result, known cyber-attacks can
be detected immediately with a low false-positive
rate. However, if there is no similarity match, the
event is classified as normal behaviour and the
detection approach will search for further pat-
terns. Thus, signature detection can only detect
known attacks. Figure 2 illustrates the approach
of signature detection.
Signature detection heavily relies on the prior
knowledge of attack signatures. Thus the effective-
ness of the detection mechanism relies on a fre-
quent updating of the signature database.
Due to the availability of prior knowledge on attack
signatures, hence the availability of labelled data,
supervised machine learning techniques are gen-
erally used for signature based intrusion detection.
Patterns derived from
system behaviour
Database of
No Similarity
match? attack
signatures
Yes
Suspicious behaviour
Figure 2. Signature detection approach
16
Anomaly Detection
Anomaly detection is an IDS triggering method that
generates alarms when an event behaves different
from the normal behaviour patterns. Thus this can
be defined as a problem of finding patterns in da-
ta that are different to the expected behaviour of
a system. Figure 3 illustrates the anomalous da-
ta patterns in a simple 2-dimentional data set. In
this example the data has two normal regions, N1
and N2. Data that sufficiently deviate from these
regions, i.e. point A1, point A2 and region A3 are
considered as anomalies.
The anomaly detection approach has two main
steps: training and detection. In the training step,
machine learning techniques are used to gener-
ate a profile of normal behaviours that define the
healthy cyber-infrastructure. In the detection step,
an event is classified as an attack if the event re-
cords deviates sufficiently from the normal pro-
files. Unlike signature detection, anomaly de-
tection has the potential to detect novel attacks.
However, anomaly detection typically has a high
false-positive rate. This is because in anomaly
detection any sufficient deviation from the base
line is flagged as an intrusion. Thus it is likely
that non-intrusive behaviour that falls outside the
normal region generates an alarm, resulting in a
false-positive.
The key challenge for anomaly detection in in-
trusion detection is the analysis of huge amounts
of data with high dimensional feature space. It re-
quires computationally efficient data mining tech-
niques to handle large amounts of input data. Fur-
thermore, the data typically comes in a streaming
fashion, thus requiring online analysis. As the data
amounts to millions, even a few false alarms can be
overwhelming when it comes to decision making.
In anomaly detection, labelled data correspond-
ing to normal system behaviour are usually avail-
able, while the labelled data for intrusions are not.
As a result, unsupervised machine learning tech-
niques are preferred for anomaly detection.
Y
N1
A1
A2
N2
A3
X
Figure 3. Anomalies in a simple 2-dimentional data set
 Real-Time Intrusion Detection for Critical Infrastructure Protection
The following paragraphs explain the super-
vised and unsupervised machine learning tech-
niques mentioned in the above signature and
anomaly detection.
Supervised and Unsupervised Machine
Learning
Machine learning algorithms are designated as ei-
ther ‘supervised’ or ‘unsupervised’. The distinction is
drawn from how the learning model classifies data.
In supervised machine learning, the algorithm is
fed with sampled data that are labelled. The da-
ta in supervised learning can be represented as
pairs of (X, Y), where Y s are actual labels of dif-
ferent data elements in X. This labelled information
is used for training and obtains a model to clas-
sify new data. Supervised machine learning tech-
niques for intrusion detection are fed with ‘normal’
(which corresponds to the normal behaviour of the
system) and ‘attack’ data along with their labelled
information to train the detection model. In general
the training data needs to be balanced (i.e. amount
of normal and attack data are approximately equal)
for an accurate classification. Most popular super-
vised machine learning methods include k-near-
est neighbour (KNN) [5], artificial neural network
(ANN) [6], support vector machine (SVM) [7] and
hidden Markov model (HMM) [8].
Unsupervised machine learning algorithms are
not provided with labelled data. The basic task of
unsupervised learning is to develop classification
labels automatically. Unsupervised algorithms seek
out similarity between pieces of data in order to de-
termine whether they can be characterized as form-
ing a group. In the context of intrusion detection, un-
supervised learning methods rely on the following
assumptions: 1) normal data covers majority while
intrusion data are minor; 2) normal and intrusion da-
ta are similar in their identity groups while statistically
different in between groups. Unsupervised detection
is an unbalanced learning problem and considers
Kernel
transformation
Figure 4. Example of SVM classification approach
www.eForensicsMag.com
that normal and intrusion data can be clustered.
Thus, most of the solutions to unsupervised intru-
sion detection are clustering based intrusion detec-
tion techniques such as k-means clustering.
COCKPITCI INTRUSION DETECTION
APPROACH
As discussed earlier, the protection of the nation-
al infrastructures from cyber-attacks is one of the
main issues for national and international security.
To overcome such threats, the CockpitCI project
develops machine learning based advance intru-
sion detection tools to provide intelligence to the
field equipment. This will allow the field equipment
to perform local decisions in order to self-identify
and self-react to abnormal situations introduced by
cyber-attacks.
Several techniques and algorithms have been re-
ported by researchers for intrusion detection. One
of them is to define the abnormal conditions, how-
ever due to the difficulty of defining unknown be-
haviours these rules based algorithms are always
not applicable in the real applications. Generally,
anomaly detection can be regarded as a binary
classification problem and thus many classification
algorithms are utilized for detecting the anomalies,
such as artificial neural network, support vector
machines, k-nearest neighbour and Hidden Mar-
kov model. However, strictly speaking, they are not
effective intrusion detection methods, as they re-
quire knowing what kind of intrusion is expecting,
which deviates from the fundamental object of in-
trusion detection. Moreover most of these meth-
ods are sensitive to noise in the training samples.
Segmentation and clustering algorithms seem to
be better choices because they do not need to
know the signatures of the series. The shortages
of such algorithms are that they always need pa-
rameters to specify a proper number of segmenta-
tion or clusters and the detection procedure has
to shift from one state to another state. Negative
Hyperplane
17
 selection algorithms [9] are designed for one-class
classification; however, these algorithms can po-
tentially fail with the increasing diversity of normal
set and they are not meant to the problem with a
small number of self-samples, or general classifi-
cation problem where probability distribution plays
a crucial role. Furthermore, negative selection only
works for a standard sequence, which is not suit-
able for online detection. Other algorithms, such
as time series analysis are also introduced to intru-
sion detections, and again, they may not be suit-
able for most of the real application cases. Table 1
presents and analysis of some of the intrusion de-
tection strategies discussed above.
To minimize the above mention drawbacks, an in-
telligent approach based on OCSVM [One-Class
Support Vector Machine] principles is proposed for
intrusion detection in CockpitCI. OCSVM is a natural
extension of the support vector machine (SVM) al-
gorithm to the case of unlabelled data, especially for
detection of outliers. Hence OCSVM is an unsuper-
vised machine learning technique. Whereas SVM
algorithm is a supervised machine learning method
and it is essentially construed as a two-class classi-
fication algorithm (i.e. it requires class labels of both
positive and negative samples). SVM uses a kernel
function to map data into a space where it is linear-
ly separable. The space where the data is mapped
may be of higher dimension than the initial space.
The SVM allows finding a hyper-plane which opti-
mally separates the classes of data: the hyper-plane
is such that its distance to the nearest training da-

Table 1. Analysis of intrusion detection strategies

Methodology Working mechanism Advantages Disadvantages
Separate data in to 2-classes Produce very accurate classi- Prior knowledge the anomaly
Support vector (normal and potential attacks) fiers type is required
machine (SVM) [7] using a hyper plane in the hi- Low computational time Sensitive to noise samples
gher dimension
Events violating the establi- Strong association rules can All the knowledge of the sys-
shed rules are identified as po- effectively identify causality tem need to be written in the
Rule-based [10] tential attacks between event attributes and form of rules
class labels Difficult to define unknown
behaviours

Transform inputs into outputs
that match targets through
Artificial neural nonlinear processing in a con-
nected group of neurons
network (ANN) [6]
Low computational time
Nonlinear data analysis
Prior knowledge of the ano-
maly type is required
Training data needs to be ade-
quate and balanced. Thus a
large number of attack tra-
ining data is required

Computes the approximate di- Simple to understand and
k-Nearest stances between different input easy to implement
neighbour (KNN) vectors, and then assigns the
[5] unlabelled point to the class of
its k-nearest neighbours
Clusters of temporal data are
specified by a mixture of dy-
namic models
Hidden Markov
model (HMM) [8]
Assigns objects into groups
(clusters) by demining the di-
stance between the objects
over multiple dimensions of
k-Means
the data set
clustering [11]
Suitable for coping with da-
ta dependency among tempo-
ral data
Solid statistical foundation
No signatures (class labels) re-
quired
Simple to understand and
easy to implement
Prior knowledge of the ano-
maly type is required
Sensitive to noise samples
Difficult to classify complex
data
Prior knowledge of the ano-
maly type is required
High computational comple-
xity
Large number of unstructured
parameters
Need large amounts of data
Need parameters to specify
number of segmentations and
the detection procedure has
to shift from one state to ano-
ther state
Different initial partitions can
result in different final clusters
Produce less accurate classi-
fiers for complex data

18
 Real-Time Intrusion Detection for Critical Infrastructure Protection
ta points is maximal (maximum margin). An exam-
ple is shown on the Figure 4. The SVM has shown
superior performance in the classification problem
and has been used successfully in many real-world
problems. However, the weakness of SVM is that it
needs the prior labelled data and is very sensitive
to noise. A relatively small number of mislabelled
samples (noise samples) can dramatically decrease
its performance. In the case of CI monitoring, which
patterns in the data are normal or abnormal may not
be obvious to operators. Thus, although SVM proved
to be a powerful classification tool its implementation
in CI intrusion detection is difficult without the avail-
ability of adequate labelled data. To overcome this
issue and other drawbacks mentioned in Table 1, an
intelligent unsupervised machine learning approach
based on OCSVM principles is proposed for intru-
sion detection in CockpitCI.
Unlike SVM or similar classification methods,
OCSVM does not need any labelled data for train-
ing or any information about the kind of intrusion
is expecting for the detection process. In summa-
ry, the OCSVM possesses several advantages for
processing network performance data and auto-
mate the network performance monitoring, which
can be highlighted as:
• no signatures of training data are required
• robustness to noise samples in the training
process
• algorithm configuration can be controlled by
the user to regulate the percentage of anoma-
lies expected
• each anomaly detector can be trained to pro-
duce a small number of data samples to make
decisions, which makes its implementation effi-
cient and effective
• the detectors can operate fast enough for its
online operations
Most of the current intrusion detection commercial
software’s are based on approaches with statistics
embedded feature processing, time series analysis
and pattern recognition techniques. Some software
Intrusions Normal data
Origin
Figure 5. OCSVM classification
www.eForensicsMag.com
considered elements of machine learning such as
clustering and neural networks. However, none of
them has yet considered using OCSVM principles
in commercial software’s although research have
shown great potential in the area of intrusion detec-
tion [12,13,14].
One Class SVM working mechanism
The OCSVM separates outliers from the major-
ity and the approach can be considered as a regu-
lar two-class SVM where all the data lies in the first
class and the origin is the only member of the sec-
ond class [4, 5] as shown in Figure 5. The basic idea
of the OCSVM is to map the input data into a high
dimensional feature space and construct an optimal
separating hyper-plane, which is defined as the one
with the maximum margin (or separation) between
the two classes. This optimal hyper-plane can be
solved easily using a dual formulation. The solution is
sparse and only support vectors are used to specify
the separating hyper-plane. The number of support
vectors can be very small compared to the size of
the training set and only support vectors are impor-
tant for prediction of future points. By the use of ker-
nel function, it is possible to compute the separating
hyper-plane without explicitly carrying out the map-
ping operations into the feature space and all neces-
sary computations are performed directly in the input
space. A brief description of the intrusion detection
algorithm is given is the in the following paragraphs.
Considering a data set with N = {x1, x2,…, xl}, x∈
RN, the task is to find a function f that takes the value
“+1” for most of the vtectors in the data set (i.e. for
normal or attack free data), and “-1” for the other very
small part (i.e. data corresponding to intrusions). As
explained above, the strategies for the OCSVM are:
first, map the input data into a feature space H (com-
monly known as Hilbert space) according to a map-
ping function X =ɸ(x), and separate the data from
the origin to its maximum margin. A hyper-plane f(x)
is built up to mark the boundary of this separation.
The key idea for the separation is that it doesn’t real-
ly need all the data to be separated to the same side
of the hyper-plane f(x), on controversy, a small num-
ber of points can be lying on the other side of the hy-
per-plane. In order to allow this, slack variables are
introduced to the objective function of support vector
machine, and the OCSVM solves the following qua-
dratic optimization problem:
In equations (1) and (2), w is the norm that per-
pendicular to the hyper-plane and ρ is the bias of
19
 the hyper-plane. ξi are slack variables acting as pe-
nalization in the objective function. v∈(0,1) is the
trade-off parameter to balance between the nor-
mal and data corresponding to intrusions in the
data set and a maximum of vx100% data points
are expected to return negative values according
to f(x)=w.ɸ(x)-ρ. Deriving its dual representations,
the OCSVM is to solve the following problems:
Select the kernel function K(x,x’) in the Hilbert
space H and the trade-off parameter v, construct
and solve the following optimization problem to
find the solution for the Largrangian multiplier α:
The parameter v directly determines the sensitivity
of outlier detection (i.e. intrusions) in the algorithm.
Is called as kernel function and can be with various
format. In literature it is reported that the Radial
Basic Function (RBF), as shown in equation (6) is
the most widely used kernel in SVM [15], and RBF
Figure 6. Procedure of the proposed algorithm
20
kernel is adopted in the proposed approach. is the
standard deviation in equation (6).
For any x, if the f(x) is negative, x is detected as
a possible intrusion, otherwise x is normal. Figure
6 shows the structure of the proposed intrusion
detection algorithm. In the algorithm, the OCSVM
principles are used to train the offline data and
generate the detection model, and then the model
function is employed for intrusion detection. A neg-
ative value returned from the decision function will
imply an abnormal event. Events with negative val-
ues are moved to the threat assessment module
to quantify the risk(s) associated with the attack.
This will allow the field equipment to perform local
decisions in order to self-identify and self-react to
abnormal situations introduced by cyber-attacks.
CONCLUSION
The researches performed during the CockpitCI proj-
ect will allow improving the cyber-security industry. In
the real world application, it is difficult to find sufficient
attack data for training and testing intrusion detection
techniques. Most attacks will remain unknown. Thus,
the design and application of real-time intrusion de-
 Real-Time Intrusion Detection for Critical Infrastructure Protection

References
[1] S.V. Sabnani, Computer Security: A Machine Learning, Approach, Technical report, 2008
[2] William Stallings, Network Security Essentials: Applications and Standards (3rd Edition), Prentice Hall, 2006.
[3] L. O’Murchu N. Falliere. W32.Stuxnet dossier, Symantec White Paper, February 2011.
[4] S. Bologna, and R. Setola, “The Need to Improve Local Self-Awareness in CIP/CIIP”, Proc. of First IEEE International
Workshop on Critical Infrastructure Protection (IWCIP 2005), pp. 84-89, Darmstadt, Germany, 3-4 November 2005.
[5] P. Cunningham and S.J. Delany, k-Nearest Neighbour Classifiers, Technical Report UCD-CSI-2007-4, March 27, 2007.
[6] Gershenson C. Artificial neural networks for beginners. In: Cognitive and computing sciences. University of Sussex.
[7] Christopher. J. C. Burges, A tutorial on support vector machines for pattern recognition, DataMining and Know-
ledge Discovery, 2(2):955-974, Kluwer Academic Publishers, Boston, 1998.
[8] Rabiner, L. R. (1989). “A tutorial on hidden Markov models and selected applications in speech recognition.” Pro-
ceedings of the IEEE 77(2): 257-286.
[9] Zhou Ji, Dipankar Dasgupta, Revisiting Negative Selection Algorithms, Evolutionary Computation, Summer 2007,
Vol. 15, No. 2.
[12] J. Ma and S. Perkins, Time-series novelty detection using one-class support vector machines, Proceedings of the
International Joint Conference on Neural Networks, July, 2003, pp. 1741-1745
[13] K. Li, H. Huang, S. Tian and W. Xu, Improving one-class SVM for anomaly detection, Proceedings of the Second In-
ternational Conference on Machine Learning and Cybernetics, Xi’an, 2003, pp. 3077-3081.
[14] B. Schölkopf, J. Platt, J. Shawe-Taylor, A.J. Smola, and R. Williamson, “Estimating the support of a high-dimensio-
nal distribution,” Neural computation, Vol. 13, No. 7, pp. 1443-1472, 2001.
[15] S.S. Keerthi and C.J. Lin, Asymptotic behaviors of support vector machines with Gaussian Kernel, Neural Compu-
tation, vol. 15, no. 7, 2003, pp. 1667-1689.

tection methods, which does not require any attack
signatures, will be important in developing future CIP
and advanced cyber security solutions. CockpitCI
will develop such smart detection tools for CI protec-
tion and likely to give a real advantage in the security
market. With the developments of intelligent machine
learning based solutions CockpitCI will be able to:
• Deploy smart detection agents to monitor the
potential cyber threats and transmit alerts to the
central control centre belonged to the CI owner.
• Analyse the threat, and perform simulation to
predict cyber risk level and predicted quality of
service (QoS) level for the whole CI.
• Design reaction strategy and assess the im-
pact on QoS.
Author bio
Lasith Yasakethu received his BSc. Engi-
neering degree (First Class Hons.) in Electri-
cal and Electronic Engineering from the Uni-
versity of Peradeniya, Sri Lanka, in 2007. He
was awarded the prize for best performance
in Electronic Communication Engineering by
the University of Peradeniya for his achieve-
ments in undergraduate studies. In Oct. 2007 he was awarded
the Overseas Research Scholarships Award by the Higher Ed-
ucation Funding Council of England to pursue PhD at the Uni-
versity of Surrey UK. After completing his PhD he worked as
a Research Engineer for Technicolor Research & Innovations
(formerly known as THOMSON R&D), in Rennes France, from
Oct. 2010 to March 2012. Currently he is working as Research
Fellow in Computing Department, University of Surrey UK. His
research interests include Cyber-security, Machine Learning,
Quality of Experience (QoE) in multimedia communications,
2D/3D video processing and transmission, Content creation for
3D cinema and 3DTV. He has worked for several EU FP6 and
FP7 projects in the above fields. He is a member of IEEE.
• Broadcast alerting message to other CIs to as-
sess impact and enhance the cyber security of
interconnected CIs.
ACKNOWLEDGMENT
The authors would like to thank the partners of the
CockpitCI consortium and acknowledge the fund-
ing support from European Framework-7 Program
for the project (Grant no. 285647).
Author bio
Jianmin Jiang received B.Sc degree from
Shandong Mining Institute, China, in 1982,
M.Sc degree from China University of Mining
and Technology in 1984, and PhD from the
University of Nottingham, UK, in 1994. From
1985 to 1989, he was a lecturer at Jiangxi
University of Technology, China. In 1989, he
joined Loughborough University, UK, as a visiting scholar and
later moved to the University of Nottingham as a research as-
sistant. In 1992, he was appointed a lecturer of electronics at
Bolton University, UK, and moved back to Loughborough Uni-
versity in 1995 as a lecturer of computer science. From 1997
to 2001, he worked as a full professor of Computing at the Uni-
versity of Glamorgan, Wales, UK. In 2002, he joined the Uni-
versity of Bradford, as a Chair Professor of Digital Media, and
Director of Digital Media & Systems Research Institute. He is
now a Professor of Media Computing at University of Surrey,
United Kingdom. He is also an adjunct professor at Tianjin Uni-
versity, China. He is a chartered engineer, fellow of IEE, fellow
of RSA, member of EPSRC College, and EU FP-6/7 evalua-
tor. His research interests include, image/video processing in
compressed domain, digital video coding, stereo image coding,
medical imaging, computer graphics, machine learning and AI
applications in digital media processing, retrieval and analysis.
He has published around 400 refereed research papers.

www.eForensicsMag.com 21
 How Uses ENCASE®
Tools
to Solve Client’s E-Discovery Challenges in
Canada

by Dominic Jaar

Clients of KPMG in Canada turn to us when e-discovery

challenges loom and they’re not sure they have the internal
capability to meet their legal obligations in a cost-effective
fashion. What we bring to those clients is our experience
providing tested and reliable processes and solutions
customized to their particular situations.

What you will learn:
How EnCase eDiscovery helps
KPMG in Canada perform re-
mote collection for its clients over
their networks.
How KPMG addresses data pri-
vacy issues in the European
Union (EU) for international com-
panies.
A method of simplifying data
transfer, culling, and production.
How EnCase Portable can be
used for clients with offices in re-
mote geographic areas.
What you should know:
The basic principles of digital in-
vestigation.
How e-discovery relates to foren-
sic investigations.
O
ne of the tools that my in-
formation management, e-
discovery and forensic tech-
nology teams use to meet client
expectations is EnCase® eDiscov-
ery from Guidance Software. This
article describes some of the ways
EnCase eDiscovery and EnCase®
Portable can be used and have been
used on behalf of our clients in ways
both conventional and creative.
ENCASE® FORENSIC
CAPABILITIES
First, let me summarize the techno-
logical challenges that EnCase eDis-
covery make manageable. As read-
ers of eForensics Magazine, you’re
likely to be familiar with the basic
EnCase° Forensic product, which
allows for digital investigation and
forensic collection. EnCase Foren-
sic is a standard part of most e-dis-
covery professionals’ toolkits, to col-
lect electronically stored information
(ESI) from laptops, workstations,
servers, and portable devices like
smartphones and USB thumb-drives.
KPMG relies on it because it always
provided us with a complete job but
also because it has the backing of
a decade of published court deci-
sions attesting to its acceptability to
courts. It is used by law enforcement
as well as regulatory, military and in-
telligence investigators. These days
you’ll even hear people in the pro-
fession say to EnCase it, meaning
to prepare a digital collection from a
computer.
The end result of an EnCase Fo-
rensic collection is an EnCase evi-
dence file format consisting of a fo-
rensic image file (E01) or a logical
evidence file (LEF), the second of
which is the company’s proprietary

22
virtual container for holding collected ESI in a way
that makes it possible to verify that the data con-
tained therein is exactly what was collected.
Created using a highly auditable process, these
evidence file formats provide proven chain-of-cus-
tody information that is automatically generated
at the time of acquisition and continually verified
thereafter, as well. Such information cannot be
modified or altered within EnCase software, and
includes:

• The time and date of acquisition

• The system clock readings of the examiner’s
computer
• The acquisition MD5 hash value
• The examiner’s name.

EnCase software will automatically report a verifi-

cation error if the Case Info File is tampered with
or altered in any way. The EnCase evidence file
formats are widely accepted and familiar ESI con-
tainer formats ingestible into other ediscovery pro-
cessing and review tools.

EnCase® eDiscovery Technology

If you think of EnCase Forensic as being like a
state-of-the-art bicycle, EnCase eDiscovery is
more like a high-performance motorcycle. First of
all, whereas EnCase Forensic requires that each
computer to be searched be opened up and its
hard drive connected to a computer running the
EnCase Forensic software application, EnCase
eDiscovery operates from a single location and
reaches out to laptops, workstations and servers
over the network and performs its search and col-
lection capabilities remotely and without disrupt-
ing the employee using his or her computer, even
without the employee being made aware.
Like the EnCase® Enterprise product, EnCase
eDiscovery has the capability to reach any end-
point on the client’s network, as long as the tar-
get machine is turned on and plugged into the
network. Its powerful digital search can perform ro-
bust pre-collection analytics, i.e. rapidly identifying
which files would be collected using a particular
set of search criteria, before actually collecting the
targeted ESI. And when it comes time to collect,
EnCase eDiscovery is equipped to apply identical
search criteria against a wide range of endpoints in
an automated fashion. Collections can be sched-
uled or throttled as desired, with the end result be-
ing a defensible search and collection and output
into the industry-standard EnCase LEF.
When I speak of endpoints on a client’s network,
of course I’m referring not just to workstations, lap-
tops and file servers, but also e-mail servers and
collaborative sites such as SharePoint, which is
growing rapidly as a location of choice for key cor-
porate documents and files of every type. EnCase

www.eForensicsMag.com
 eDiscovery offers the option of having the resulting
LEF with the collected ESI land wherever we wish
on a network. We just identify an output path, and
that’s where the LEF is stored.
Covering the Entire E-Discovery
Cycle
EnCase eDiscovery software provides oversight of
the entire e-discovery process, in that it carries the
process through every phase of e-discovery. We use
it on behalf of our clients to perform early case as-
sessment (ECA) (it offers a web-based viewer that
permits searching and filtering, case-specific tagging
and commenting on individual e-mails or files, as well
as batch coding) and processing. In fact, we at KP-
MG in Canada have worked and continue to work
extensively with EnCase eDiscovery developers at
Guidance Software on components of load files that
meet our needs and those of our clients.
How We Perform Collections
Faster and Better – and Save
Clients Money – Using EnCase
eDiscovery
The first advantage of using EnCase eDiscovery is
simple math: We can conduct collections across a
client’s network with a single consultant from a sin-
gle location. Only one operator is required to per-
form the collection (or pre-collection analytics). Of
course, we spend a good deal of time beforehand
in identifying sources of potentially responsive
ESI, crafting the search criteria and parameters all
in close coordination with the client’s legal and IT
teams, who may be coordinating legal holds, send-
ing legal hold notices, and possibly contending
with privacy considerations (I’ll discuss below how
EnCase eDiscovery can help with collections that
encompass the US, Canada, and Europe).
Unlike collections performed by a team of con-
sultants using one-to-one collection technology,
going from machine to machine, a few per day, a
single consultant using EnCase eDiscovery can
collect from hundreds of custodians across a glob-
al network, including from:
• Laptops and workstations, including PSTs re-
siding there
• Peripheral devices such as thumb-drives and
external hard drives
• Share drives
• Email stores
• SharePoint
• etc.
Many clients prefer that we conduct these collec-
tions from within their corporate firewalls, although,
in the appropriate case, we can do so virtually from
our KPMG offices. We are able to maintain securi-
ty, confidentiality, and integrity of the data over the
24
network using EnCase eDiscovery, in large part
due to the EnCase evidence file formats, which
have been accepted in thousands of courts world-
wide. All communications with the servlets have to
be authenticated by the EnCase Secure Authenti-
cation for EnCase (SAFE) server, which provides
granular, role-based access that defines which
users can connect to which servlets. Integrity is
maintained through the EnCase evidence verifica-
tion process.
The second huge time- and money-saver for our
clients comes from the global reach of EnCase
eDiscovery. Even if we were to use just a single
consultant operating an EnCase eDiscovery col-
lection on a client’s network, that single consul-
tant could be conducting numerous simultaneous
searches around the world.
Because EnCase eDiscovery can also operate
virtually, a single operator can be controlling col-
lections actually launched simultaneously from
various locations and jurisdictions around the
globe. Each can be scheduled individually to al-
low for time zones when machines are likely to be
turned on. We find that an important advantage of
EnCase eDiscovery is that it can search regard-
less of open applications, which means that if an
employee has Outlook® open, for instance, we
can still collect email from that custodian.
To give a sense of the scale and reach, a single
KPMG in Canada consultant can simultaneous-
ly be collecting from 50 or even 100 employees
in five separate continents, something that would
take at least five consultants using manual collec-
tion technology requiring in-person collection. This
manual process requires human collection and re-
view of each and every document, email, or other
piece of ESI at each physical location.
Our new method represents at least an 80% sav-
ings in consultant costs for our clients and the ben-
efit of a standardized approach for all collections.
Data Protection Restrictions:
Collecting employees’ data from
the EU and US from Canada
EnCase eDiscovery can play a significant role
in easing constraints on collection and process-
ing of the personal data of European employ-
ees. When United States (US) litigation calls for
the preservation and production of data collect-
ed from European employees, parties struggle
to comply with their court obligations versus EU
privacy restrictions. The European Union (EU)
data protection laws call for collection approach-
es that are the least intrusive feasible method
for balancing the legitimate business or legal
need to collect the data against the employees’
right to privacy, which is considered a fundamen-
tal human right. The EU also restricts transfer
of personal employee data outside of Europe to
 HOW KPMG USES
ENCASE® TOOLS
countries who do not have what the EU deem to
be adequate protection for privacy.
Canada represents a middle ground between the
US and Europe when it comes to privacy regula-
tion over collection and processing of employee
data. Although located just north of the US, its da-
ta privacy laws are much closer to the tough pro-
tections by the European Union (EU), and the EU
data protection officials have declared Canada to
have adequate protections for those rights, mean-
ing that data collected from European employees
legally can more easily be transferred from Europe
to Canada.
On the other hand, the US’s lax data protection
laws have not earned the adequate protection des-
ignation from the EU, and therefore data collected
from European employees is normally prohibited
from transfer to the US, unless certain stringent re-
quirements are met, including obtaining the signed
written consent of the European employee.
The first of these challenges – collection and
preservation of European employees’ ESI – can be
mitigated through the use of EnCase eDiscovery
and EnCase® Enterprise, which offers remote and
non-disruptive investigation of any endpoint on a
company’s network. EnCase technology has been
approved for use by data officers and works coun-
cils at various companies as a collection tool that is
less intrusive of privacy than alternative collection
methods. Here are the points emphasized by or-
ganizations when seeking approval of data privacy
officers and works councils:
• Emphasize that EnCase® Enterprise can en-
able you to avoid collecting employee personal
E-mail or documents. With EnCase Enterprise,
your collections will cull the data and preserve
only those emails and electronic documents
that meet precise search criteria, including key-
words and file types. Other documents that
do not meet the search criteria – including pri-
vate personal data (“Personal data are defined
as “any information relating to an identified or
identifiable  natural person  (“data subject”); an
identifiable person is one who can be identi-
fied, directly or indirectly, in particular by refer-
ence to an identification number or to one or
more factors specific to his physical, physiolog-
ical, mental, economic, cultural or social identi-
ty;” (art. 2 a),” http://en.wikipedia.org/wiki/Data_
Protection_Directive.
See http://export.gov/safeharbor/index.asp for
an introduction to Safe Harbor principles and
self-certification.) – will be left behind.
• Assure that collections will be done from a ju-
risdiction with “adequate protection” (See
http://export.gov/safeharbor/index.asp for an in-
troduction to Safe Harbor principles and self-
certification) pursuant to EU data protection
www.eForensicsMag.com
authorities. Some works councils are reas-
sured when told that all collections will be do-
ne from a jurisdiction that recognizes strict em-
ployee privacy, rather than from the US.
• Emphasize that existing investigative policies
already approved by the works council will re-
main in place. For example, HR policies relat-
ing to the investigation of potential employee
wrongdoing had long ago been approved by
the works council and will not be affected by
the use of EnCase Enterprise technology. That
data would go directly to the company’s HR
team and would be handled the same as be-
fore.
• Permit employees to create a “personal folder.”
If employees create a folder in their computer
file structure with an agreed-upon folder name
in which they can place all of their personal da-
ta, EnCase Enterprise’s search criteria can be
configured to leave that folder untouched, so
that none of that data will be collected.
• Ability to restrict searches by file type. Employ-
ees can be sensitive about certain types of files
that may not be of interest to the company – per-
sonal photographs, for instance. With EnCase
Enterprise, these file types can be excluded.
With its federal privacy mandate, Germany has
the most stringent privacy rules in the European
Union. For tips on how to obtain German works
council approval for use of EnCase, a white paper
on the topic is available here.
Simplifying Data Transfer, Culling,
and Production
Once targeted portions of European employees’
data has been collected, US litigants still face the
daunting challenge of transferring that data to the
US for review, further culling down, and produc-
tion to adversaries. This is where KPMG in Can-
ada holds a key geographical advantage because
25
 Canada is deemed by the EU to have “adequate
protection.” This means that employees’ person-
al data lawfully collected in Europe can be trans-
ferred more easily to Canada with less EU transfer
restrictions.
Using Canada as a privacy “safe zone,” US liti-
gants can leverage KPMG in Canada’s geographic
and EnCase eDiscovery to collect European em-
ployees’ data remotely from Canada, and then re-
view and process the collected ESI in Canada. En-
Case eDiscovery enables us to collect European
data from Canada by deploying a collection com-
puter to the client’s European network and con-
necting to this computer using the client’s VPN in-
frastructure.
All communications between EnCase eDiscovery
and the collection computer are encrypted to the
Advanced Encryption Standard (AES) with a key
size of 128 bits. Furthermore, the encryption algo-
rithms used are certified FIPS 140-2-compliant.
Once the data is transferred to Canada, legal
teams can review that ESI in Canada and cull it
down to the much smaller subset that needs to
be produced to adversaries or regulators. Once
culled down and ready for production, the organi-
zation must now obtain consent from the employ-
ees whose data are implicated, which is commonly
a smaller number of employees. And at this point,
the employee can be reassured that only a frac-
tion of his or her data need be transferred to the
US. In some cases none of an employee’s ESI will
make it through the review process. In most mat-
ters, using Canada as the discovery hub between
Europe and the US will ease the privacy challenge
significantly.
EnCase Portable
Canada is a country of considerable size, with most
major cities and business centers in the southern-
most part of the country. KPMG in Canada has a
number of clients that operate their businesses in
the northern part of the country. Many of these are
mining or energy companies and collecting from
these remote locations can be complex and ex-
pensive.
Historically, we had to fly people to perform col-
lection, which was very time-consuming for the cli-
ent, particularly when all that was needed, in many
cases, was a snapshot of a hard drive or server.
EnCase Portable is another tool that provides
not only a key capability to our skill and tool set,
but enables a dramatic reduction in the time re-
quired to perform certain steps in data collection
and processing.
EnCase Portable is a powerful search and col-
lection software for field or remote personnel de-
livered on a USB device. Even non-specialists can
plug the EnCase Portable device with pre-config-
ured datacollection jobs into a USB drive and:
26
• Scan for evidence without calling in a specialist
or seizing computers;
• Perform forensically sound triage and collection;
• Pre-screen evidence to reduce data volumes,
allowing forensic professionals to work more
efficiently;
• Return the device and the data to profession-
als for analysis in an encrypted format.
What this means for my team is that we no longer
need to fly to remote locations for a simple task,
but can use express delivery services to our cli-
ent locations or use their own internal mail and
have the appropriate person at each client site run
the data-collection process with our assistance by
phone. Then it’s a simple matter of returning the
EnCase Portable device via delivery service for
analysis and processing in one of our KPMG in
Canada offices.
We’ve found that clients prefer this methodology,
because they feel actively involved in the process,
rather than having a third party come in and disrupt
their business processes.
Using EnCase eDiscovery to
Process Clients’ ESI
A final value-add for KPMG in Canada’s clients is
that we are able to process collected ESI using En-
Case eDiscovery either at their sites or at our offic-
es. While EnCase eDiscovery is better known for its
collection capabilities, it also includes a processing
engine for culling, de-duplication, other processing
and creation of load files in Concordance, Summa-
tion, EDRM-XML or native file formats.
In Summary
The globalization of business for many corpo-
rations and industries has ushered in an era of
complexity with regard to international law and
data collections. Our decades of dedicated experi-
ence at KPMG in Canada and the use of well-es-
tablished technologies and products like EnCase
eDiscovery and EnCase Portable have allowed us
to work creatively within the data protection laws
of different countries. We now can offer our clients
new options in data collection and processing in a
way that enables best practices, complete compli-
ance with the laws of every country and region in-
volved, and the most costeffective and non-disrup-
tive means possible.
Any trademarks represented in this communica-
tion are the property of their respective owner(s).
Author bio
Partner and National Leader, Information Management, eDis-
covery and Forensic Technology Services KPMG
The Premier International Forensics Event for Police, Military, Intelligence Agencies, Lawyers,
Corporate Forensic Analysts, Laboratories, Government Bodies and Agencies together with
leading suppliers, services, equipment and practitioners from across the world.
Conferences – Workshops – Training – Networking – Exhibition

REGISTER FOR FREE ENTRY TODAY

www.ForensicsEuropeExpo.com/digital

Co-located with Sponsored by In Collaboration with Organised in

Partnership with
 SELF COLLECTION IS
RISKY BUSINESS

by Elias Psyllos

This article is not to discredit IT Departments and the individuals

that work inside them, rather, this article is meant to shed light
on why a Certified Forensic Examiner (Investigator, Analyst, etc.)
should be used every time in any electronic discovery matter. For
those companies that have appointed or contracted a forensic
matter expert to handle the electronic discovery process, you are
on the right path.

What you will learn:
• The risks involved with perform-
ing a self-collection
• The importance of having a Fo-
rensic Analyst perform the collec-
tion
• Why using an outside party for
collection purposes is important
• An example of a self-collection
gone wrong for in a court case
What you should know:
• The purpose of performing fo-
rensic collections
• How forensic collections fit into
an E-Discovery matter (EDRM
cycle)
• How forensic collections pertain
to the business world
H
owever, many companies do
not have an internal forensic
matter expert to manage the
electronic discovery process, and
this article is geared toward you.
Whenever a matter arises that re-
quires the collection or preservation
of Electronically Stored Information
(referred throughout the rest of the
article as ESI), most companies first
thought is to have their internal IT de-
partment, create the “images” of the
digital media involved in the matter.
This is what is known as a “self col-
lection”.
IT DEPARTMENT
The topic of “self collection” has been
one area of Computer Forensics and
E-Discovery that is continuously dis-
cussed and debated. Self Collection,
can be defined as “one of the parties
involved in a matter, creating “foren-
sic images” (or copies that they think
are forensically sound) of digital evi-
dence that can possibly be involved
in a matter for preserving, collect-
ing, and/or analyzing Electronically
Stored Information regarding a Digi-
tal Investigation or E-Discovery mat-
ter.”
IT Departments and the individu-
als within may be capable of creating
“images” or copies, however, it may
not be a forensically sound image
and it may not follow the policies and
procedures designated by the courts
for collecting ESI. The outcome of
this is a copy that is not forensically
sound, and in turn may be rejected
as evidence. Alternatively, because
the “image” was not preserved cor-
rectly, relevant data could be miss-
ing, or altered.
Another prevailing aspect of the
“self collection” mentality is compa-

28
nies assume that having their own IT people in-
volved in the forensic process is a good idea. The
assumption that the internal IT personnel know the
systems and data the best may be correct, but it
may cause a negative effect in the overall process.
IT staff, although an expert in the IT field, may not
know or understand the correct procedures for col-
lecting or preserving ESI. As well, internal IT de-
partments may not have the correct paperwork,
such as Chain of Custody forms to include in the
preservation or collection needed in these matters.
Having a neutral third party conduct the forensic
process removes any chance of challenging the
original data that was collected and the methods/
procedures taken to collect the data. The neutral
third party should involve forensic matter expert(s)
that abide(s) by the procedures designated by the
courts and has experience in collecting and pre-
serving ESI.
At the same time, having an IT individual conduct
analysis of the digital media can lead to vital infor-
mation being lost or overlooked, that is related to
the matter. An IT individual may not know exactly
what to look for as they are not trained Forensic
Examiners. They may see relevant data as not so
relevant or may not consider various means of dig-
ital media to be relevant for collection purposes.
Using a third party Forensic Examiner or E-Dis-
covery company, is beneficial because of the ex-
perience they bring to the table in conducting anal-
ysis and in assisting with managing relevant digital
media to be collected/analyzed. The concept here
is the same as if you were going to court for a mat-
ter. Although a paralegal may know the laws and
can essentially guide you through the process, you
wouldn’t hire them to represent you. You would
hire a licensed attorney who has had the experi-
ence and specific skill set to represent you in court
and be able to follow all the correct policies/proce-
dures mandated by the court.
A perfect example of why self collections are not
a good choice can be seen in the case Green v.
Blitz U.S.A., (E.D. Tex. Mar. 1, 2011). In this case
involving ESI, the company had placed one of
their own employees in charge of managing the
ESI. This individual was not a forensic expert and
did not have experience in managing ESI, which
in turn caused relevant data to be lost because no
legal holds were issued. Instead, employees were
urged to delete email and ESI every so often from
there systems.
Relevant data was also left out by the employee
who conducted the search, as they had no experi-
ence in conducting searches on ESI. This resulted in
the court rejecting the data and findings. It cost the
company more money to remedy the situation, then it
would of cost to hire a third party Forensic Examiner
or E-Discovery Company with a Forensics Team to
conduct the matter correctly from the start.

www.eForensicsMag.com
 Aside from the more noticeable reasons why
you want to have a Forensic Examiner or E-Dis-
covery company with a Forensics Team from the
start, here are a few important items to consider.
Forensic Examiners have the knowledge and ex-
perience working with attorneys or companies to
ensure all the relevant digital media is accounted
for and collected in a matter. You don’t want to un-
der collect the digital media or over collect as well;
creating a data set that is either too small or too
large. Over collecting data can end up costing a
large amount of money when related to E-Discov-
ery terms. Under collecting data, can result in ex-
cluding relevant information that is necessary in a
matter or exclude digital media that should have
been collected regarding a matter.
Forensic Examiners are trained to work hand in
hand with attorneys and companies alike, in order
to provide the technical support needed for these
types of matters. The examiner can assist in identi-
fying the digital media associated with the relevant
custodians, (users) involved in a matter by inter-
viewing the custodians and working together with
local IT to understand the IT policies and network
system.
“THE COMPANIES” IT POLICIES &
PROCEDURES
Forensic Examiners or E-Discovery companies
with a Forensics Team also have the experience of
collecting data in any type of environment. Wheth-
er it is for a high profile matter or an “under cov-
er” matter, forensic examiners have the knowledge
and ability to adapt to any scenario.
You may be wondering what the relevance is
to self collection? IT departments and individu-
als alike are not trained to deal with these types
of scenarios, making it even more difficult to per-
form a collection correctly. Asking an IT individual
to make an “image” of a fellow employee’s hard
drive creates a problem for the individual. Having
the matter stay under the radar may be difficult or
may cause the IT individual to make a choice be-
tween a “friend” at work and creating the image
correctly. That is why using a third party Forensic
Examiner or E-Discovery Company with a Foren-
sics Team ensures the matter is handled correctly.
Forensic Examiners have been trained to assess
a situation and adjust their collection approach as
necessary while still staying within the court ap-
proved procedures.
CHAIN OF CUSTODY
Attempting to perform a “self collection” could re-
sult in the original evidence being altered or de-
stroyed if it is not handled properly. If the origi-
nal evidence is altered in any way, the evidence
will not be accepted into court. At the same time
if the original evidence is destroyed prior to cre-
30
ating a forensically sound image, vital information
could be lost forever. That is why having a Foren-
sic Examiner to handle all the evidence, ensures
the chain of custody is being maintained and any
interaction with the evidence will not alter or affect
the evidence.
Overall the risks associated with “self collection”
are heavy in weight. As we discussed throughout
this article, the various situations of one perform-
ing a “self collection” could run into, as well as the
legal ramifications that may follow, as we saw in
Green v. Blitz U.S.A., (E.D. Tex. Mar. 1, 2011) can
cause much larger problems, then by using a Fo-
rensic Examiner or E-Discovery company with a
Forensics Team from the beginning.
Having professionals handle these matters en-
sures that all steps involved follow the governed
policies and procedures accepted by the courts.
For those that continue to perform self collections
or support it, I urge you to do further research of
the legal ramifications as well as the risks involved
in performing these collections.
For further information or to discuss a possible
Forensic Collection, E-Discovery, or Network Se-
curity (Penetration Testing) matter, please feel free
to reach out to us at Forensic Security Solutions
Company. Feel free to contact us through our web-
site at: www.ForensicSSC.com or via email at:
contact@forensicssc.com. Thank you.
Author bio
Elias Psyllos is the Founder/ Managing Direc-
tor of Forensic Security Solutions Company,
a Computer Forensics, E-Discovery, and Net-
work Security consulting firm. Prior to estab-
lishing F.S.S.C, he has served as a Forensic
Examiner, Sr. Forensic Examiner, and Team
Lead in the Corporate and Federal Law En-
forcement Agency sides of Computer Foren-
sics. He has conducted digital forensic projects for Fortune
500 corporations, AmLaw 100 law firms, large and medium
financial institutions and corporations, non-profits, and law en-
forcement agencies. He has vast experience with conducting
forensic acquisitions on digital media, mobile devices, target-
ed, multi-user, and small to large scale collections and analy-
sis. Forensic Security Solutions Company is geared toward
providing their customers with extraordinary project manage-
ment and client interfacing that can be utilized for any size
matter. Feel to visit us at our website, www.ForensicSSC.com.
 BOSTON • May 28-31, 2013
The Westin Boston Waterfront

Get the best real-world Android

developer training anywhere!
• Choose from more than 75 classes
and tutorials
• Network with speakers and other
Android developers
• Check out more than
40 exhibiting companies

“AnDevCon is one of the best

networking and information hubs
available to Android developers.”
—Nate Vogt, Android Developer, Willow Tree Apps

Register NOW at www.AnDevCon.com

A BZ Media Event Follow us: twitter.com/AnDevCon AnDevCon™ is a trademark of BZ Media LLC. Android™ is a trademark of Google Inc. Google’s Android Robot
is used under terms of the Creative Commons 3.0 Attribution License.
 CLOUD-BASED
MOBILE: WHAT ABOUT
DIGITAL FORENSICS?
by Lamine Aouad& Tahar Kechadi Centre for Cybersecurity and
Cybercrime Investigation,
School of Computer Science and Informatics, University College Dublin, Belfield, Dublin, Ireland.

There has been an exponential growth of mobile systems in the

last few years, and it is set for a double-digit growth for many
years to come. Another area that has been fuelling the global
economic growth is cloud computing. The clouds have been
increasingly making their way in many areas, including the
mobile space. It provides advanced contexts, computational, and
backup services to these systems.

I
n addition of becoming a distributed computing
challenge, this combination raises many chal-
lenges in terms of data security andforensic ev-
idence acquisition. One of the very important is-
sues is howto retrieve the data while insuring the
integrity of the methods for dealing with informa-
tion containedand sourced from different places.
This article describes this aspect andother poten-
tial issues with forensic evidence in the spaceof
cloud-based mobile.
Introduction
Broadly speaking, cloud-based mobile platforms
can be thought of asdata storage and processing
happening outside of the mobile deviceusing cloud
services. This has already enabled new types
ofapplications on mobile devices, such as picture
and video processing, data backup, context-aware
mobile social networks, etc. As a result, running
an application on smartphones is not restricted to
how powerful the device is. This opens up possi-
bilitiesfor a new class of applications by leveraging
features from bothsystems. Mobile devices have
indeed remarkable context awarenessbecause of
all the sensors and various connectivity options
they have. Thesecan be used for advance con-
texts such as fine-grained locations: for instance,
a combination of Bluetooth and Wi-Fi signals can
be sent to the cloudand have that come back with
a more precise location in the closedspace where
GPS signals can be received.
According to Juniper Research, the market for
cloud-basedmobile applications is predicted to grow
from $400 million back in 2009 to nearly $39 billion
by 2016! Inaddition, to all the environments specifi-
cally designed tostore content on the clouds, such
as Dropbox, SugarSync, iCloud, among manyo-
thers, most of the mobile apps are using cloudser-
vices. When we consider top apps for both iOS and
Android, most of them use remote resources, includ-
ing messaging, games, social media, entertainment,
travel, education, multimedia, and many others.
In this context, few questions arose: how to inter-
act with cloud resourcesand services to conduct fo-
rensic investigations? How toinvestigate incidents
or infringements that have occurredusing mobile

32
 CLOUD-BASED MOBILE
devices that are interacting with the cloud? This is
nota straightforward task and there is a need for de-
signing forensic procedurethat takes into account
the characteristics of both systems and their inter-
actions, while preserving the data integrity, its evi-
dence value, and complying with jurisdictional and
regulatory requirements. We believe that these are
very important questions as these devicesare be-
coming knowledge collectors: the data is processed
and potentially backed-up somewhereelse. Cur-
rently, the data and services are consumed over the
networkand, therefore, forensic investigations are
obviously more complex and tedious to conduct.
Moreover, the lack of control over the cloud re-
sources and services for mobile applications
makesit more difficult for the investigators. Anoth-
er important aspect is the limitations on the provid-
ers’ side onwhat can or cannot be done from a fo-
rensic point of view, either if anindividual using the
service as part of an investigation, or if thedata has
been compromised on the cloud. In this article, we
first discuss general issues of conducting forensic-
investigations on cloud data and services. Different
providers have significantly different services, which
makesany digital forensics process quite unique
and complicated. Then we will discuss challenges
for conducting a forensic analysis under specific de-
ployment types and delivery models. We will then
briefly describe legal aspects, followed by asimple
case study. It aims to highlight the importance of un-
derstanding the design considerations andthe data-
flow of mobile applications using the clouds. Con-
cluding remarks and future directions will conclude
this paper.
What is involved?
Digital forensics investigations follow specific step-
simplementing common and best practices for en-
suring a chain of custody that willstand up in court.
While these are well established intraditional com-
puter forensics [1], [2], etc. the cloud ecosystem
presentssome very noticeable differences be-
cause of its distributed nature, volatility of its re-
sources, and the technologies used to implement
it:virtualisation, machine images, databases and
other offerings, etc. An investigation is thus limited
by the implementation ofthe underlying services
and backend systems as well as the waythe devel-
opers are using them. For instance, dealing with
an application using its own database deploymen-
ton EC2 is different from the one using SimpleDB.
The sameapplies when using different providers.
Data isstored and accessible in different ways, as
is the logging of theapplication itself.
Given the large variety of cloud architectures and
systems, there is a huge range of possible use cas-
es. The tools andskills are still relatively immature
as the area is continuallyevolving. A different and-
new mind-set is required, as a range of technology
www.eForensicsMag.com
stacks and implementations need to be wellunder-
stood. Consider virtualisation and shared resourc-
es for instance; the virtualisation allowsthe sharing
of the same physical resourcesamong many ser-
vice/OS instances to be deployed. The hypervisor
is the piece ofsoftware allowing this, and there is a
range of them that can be found in [3], [4], [5]. Note
that the components that make up cloud environ-
ments (CPU, caches, GPUs, etc.) were not nec-
essarily designed to offer strong isolationproper-
ties for multi-tenant usage. The investigator needs
to be aware of the dynamic nature of hypervisors
andunderstand how they work. Another important
consideration to take into account is the level of
security (are they secure enough? is it possible to
access the host or other guests (virtualised) from
a guest instance?). Experience has shown that hy-
pervisors have exhibited flaws that have enabled
guest OSs to gain inappropriate levels of control
orinfluence on physical platform.
With these virtual environments, where nearly
everything is shared, traditional ownership bound-
aries are blurred. This is different in the case of a
SaaS offering because the userdoes not have ac-
cess to the instances in which the data is stored
orthe backend systems that make up the service.
Developers use this type of services, such as da-
tabase or storage services. Theinvestigator needs
to understand the way a service works. A storage
service like Dropbox for instance contains a local
hidden cache folder, which is meant to store de-
leted files, whether users are using theirdesktop
or the mobile app to access and update the data.
This can help an investigationto find out what was
happening on that account (until the permanent
deletion or the clean up cycle has been initiated).
It is also possible to see deleted data through the
Web interface, aswell as events logs, if the inves-
tigator has legal access to the systemto determine
who has been recently looking at the files, editing,
ordeleting them.
The network also plays a crucial role in this, and
is anintegral part in identifying eventual servers,
machine images, etc., that might need to betaken
down or isolated to conduct a more traditional foren-
sicsinvestigation. These would have been nodes or
edges of propagated data orevents. Consequently,
it is of prime importance tounderstandapplications’
dataflow. Another important point is versioning and
restoring earlier states, which are not always sup-
ported, although it can be essential in many cases.
The next few sections identify a number of challeng-
es of cloud-based mobile forensics.
Forensics challenges
Cloud resources provide huge opportunities to
companiesand developers for hosting, computing,
and storing their data and services. As already-
mentioned, this new paradigm presents huge chal-
33
 lenges for forensics investigations. The current
lack of standards, the need for efficient and ge-
nericmonitoring, and data trackingtools are appar-
ent. Obviously, the overall process does not need
to bechanged, but rather the way the investigators
respond to each of cloud types, services, service
models in these environments. In other words, the
forensic process faces huge challenges of com-
bining various logical and physicalentities, rather
than an isolated physical entity such as desktop or
amobile device.
In the context of mobile systems, the client is a
smartphone or atablet accessing a remote service
on the cloud provider. The mobile deviceitself is ob-
viously the primary source of evidence in the case
of aninvestigation. Many studies have been done
in acquiring the data fromthese devices, recovering
deleted datafrom database files, dealing with flash
memories, [6], [7], among others. However, we be-
lieve that remote access and serviceswill play an in-
creasingly important role in future investigations, as
most appswill be outsourcing their data and compu-
tational needs from cloud type infrastructure. There
is alsothe case of attacks and breaches either using
or involving these devices. A recent study, from Arx-
an, a software security company, hasshowed that
more than 90% of top paid mobile apps have been
hacked [8]. The hackers would reverse-engineer
the code of an App, then alter it and return it to the
market, usually via third party markets.
The important question is “how to go beyond the
device itself into the cloud to provideadditional fo-
rensic data to prove or disapprove that an action
has occurred, which can be communication, breach,
etc.? Depending on the remote service, it should be
possible to obtain data (actual data or logs) to recre-
ateaccesses and the sequence of events. The first
technical challenge then is how to findthe informa-
tion source: a particular virtual instance that was
running or supporting a particular service ata par-
ticular time! The time is a very important issue here,
if thelogging is not properly synchronised between
the different componentsof the system, it would be
difficult to present it as valid evidencein court. The
main challenge boils down then to the acquisition,
wherenext generation forensic tools must be able
to identify all thephysical and logical components in
a range of cases among differentarchitectures and
implementations of cloud delivery models. In the fol-
lowing, we briefly present some of the challenges
with basic delivery models.
IaaS
Infrastructure as a Service is the delivery of infra-
structurein the form of virtualised instances. This
is the most openof the delivery models, in terms
of access to the provider side, and is the only one-
where the traditional forensic acquisition may ap-
ply, via snapshotsand machine images. There are
34
however many challenges in relation to the way
differentIaaS offerings are presented:
• The data is not always persistent: in Amazon’s
EC2, for instance, ESB (Elastic Block Store)
has to be used to allow data persistence inde-
pendently from the lifetime of an instance.
• Logs and data might be fragmented and dis-
tributed, which may affect the acquisition.
• Multi-tenancy and shared resources, and the
way the storage space is allocated may also
contaminate the imaging and acquisition.
Also, even with the relative accessibility, low-level
analysis isstill not possible, as well as access to
the hardware.
PaaS
Platform as a Service is the delivery model where
computing anddevelopment platforms and solution
stacks are offered as services. It is supposed to
facilitate the development and deployment of ap-
plicationsby avoiding for the users the complexity
of administrating theinfrastructure, development,
and deployment layers. It provides necessary tools
tosupport the complete life cycle of building and
deliveringapplications and services. In this case,
there is only control on thesource code and devel-
opment cycle on the client side, which makes it a
lotmore challenging. All the challenges described
for IaaS may also applyhere, in addition to the fact
that these are proprietary close systems.
In addition to access and authentication logs,
which are provider-specifics some features of these
systems may be of use in an investigation. Also,
with the emerging of the multi-cloud trend, there
is a possibility of deployments on various clouds.
Manylibraries and PaaS offerings are supporting
a range of provideroperations, languages, frame-
works, and services, including LibCloud [9], Cloud
Foundry [10], and JClouds [11]. Multi-cloud deploy-
ments makean investigation even more challenging
to traceand analyse applications and data. A plat-
form called Feedhenry [12], staging itsservers’ exe-
cution to Cloud Foundry, is an exampleof a support
of multi-cloud deployments, although the current-
multi-cloud support in Cloud Foundry itself is still
limited.
SaaS
Software as a Service is the model in which a pro-
vider licenses applications to customers. It is the
mostclosed model in terms offorensics and acquisi-
tion. An investigation would be very dependent on
thecloud side access and logging features, in ad-
dition to the serviceimplementation and its deploy-
ment. How to isolate a particular processwould also
be a problem in this model. Many companies prefer
to outsource their appsto SaaS providers. The mod-
 CLOUD-BASED MOBILE
elis indeed attractive, offering ready-to-use custom-
isable apps thatcan be used on various devices.
Discussion
There are obviously different possible configura-
tions in terms of whatpart of the application (code
and data) is being hosted on the cloud or the de-
vice itself, in addition to what technology, model,
orsupport are being used.
An emerging trend in creating, deploying, and
managingcloud-based mobile applications is pow-
ered by what is called mobileplatforms, or more
formally Mobile Enterprise Application Platforms
(MEAP). There are many MEAP tools, includ-
ingTiggzi [13], WebMobi [14], SUP from Sybase/
SAP, and Feedhenry [15]. These are not widely-
adopted yet, however, investigators need to build
knowledge about thesetechnologies, as the mar-
ket seems to be moving towards MEAP. There
are alsoapps accessed only through a browser,
called Web apps. Mobilespecific features might not
be available in this case, but a nativeapp can be
wrapped up around it to provide a wider access to
suchfeatures (location-based for instance). These
trends are specificallytargeting the ease of reuse
across different devices andsystems.
In addition to these technologies, any of the de-
livery models can be used to developmobile ap-
ps. Furthermore, mobile middlewarealso can help
companies expose their internal assets to devel-
opers and remote apps as mobile APIs, which
maybe cloud-based as well. All these case stud-
ies and technologies introduce high complexity to
developers, administrators, managers, andobvi-
ously to investigators. In all cases, the data flow
betweenbackend and devices. Therefore, its cach-
ing, encryption, security involved, services, etc., all
need to be well understood.
Legal implications
The challenges in cloud-based forensics are not on-
ly technical. Thereare many legal challenges asso-
ciated with data recording and privacyissues. Da-
ta privacy laws and policies are diverse, what data
can beacquired and how to deal with it for current
or future investigations changeacross borders.The
logged data and type, and its storage duration can
also change. Inaddition, many other questions need
to be addressed including the manner in which the
data is provided to theinvestigator and what is the
process of acquiring it, how long should it take for
the provider to producethe required data, is there
any legal implication for the provider if the data was
not made available on time, etc. These questions
are all hugely important, especially with the clouds
being ubiquitous, multinational, andwidely distribut-
ed.
Compliance to regulations is the main hurdle so far,
as most lawmakers and regulators all over the world
www.eForensicsMag.com
establish control mechanismsto safeguard individual
businesses. The process of acquiring thedata is in-
deed often more scrutinised than the actual eviden-
cerecovered for a criminal investigation. This has a
direct impact on the forensic analysis and the neces-
sary mind-set around the area. It needs to be adapt-
ed to different laws in different jurisdictions, different
organisations recording different levels ofdetails.
Case study
With the increasing success of cloud platforms and
services, most companies anddevelopers are le-
veraging cloud capabilities for theirapplications.
However, as it would have come across from pre-
vioussections, there are large number of possible
scenariosand use cases. We have already men-
tioned the case of cloud storage(sharing, backups,
etc.) supported by many apps, usingservices like
Dropbox and SugarSync. Depending on the back-
endsystem, there are different manners in tracing
data in the caseof breaches or search for informa-
tion. Indeed, in this simple use case, we consider
a global view of a data lifecycle.
Consider the case of sharing data on social me-
dia for instance. Most of the apps cache the data
locally (for performance reasons andnetwork con-
siderations). However, if this data is cleared from
the device itself, it would still be accessiblesome-
where else. For instance, in one of the most popu-
lar photo sharing apps, namely Instagram, the da-
ta is stillavailable and accessible on the cloud after
being cleared out from thedevice. Instagram uses
Amazon servicesincluding EC2, S3, CloudFront as
CDN (Content Delivery Network), and the photos
go straightto Amazon S3. In the case of a user per-
forming a deletion operation, the photos are in fact
removedfrom the CDN. The photos URLs (which
we saved beforehand) return Access Denied er-
rors, which in this case do not say anything about
the existence of the requested data. The data is
not linkable, but it still available on S3 for a certain
period of time. The data flow in this case is quites-
traightforward with data only moving between the
device and Amazon’sservices and resources. This
could be more complicated in othercases, which
combine self-hosting with the cloud or multi-cloud
deployments.
This distribution across multiple physicalloca-
tions of the data, while potentiallyhelping investi-
gators, creates many issues about users data pri-
vacy. Indeed, a quick look at apps data access we
realise that they overreachpermissions. Why does
Instagram for instance, or Yelp, Waze, etc. have
access to call logs? Dozens of apps were actual-
ly found to be taking users address books without
their knowledge, according to VentureBeat, a tech-
nology blog. There is very little indication about
how the information will be usedor how the com-
pany stores it or plans to store it. These issues will
35
 play an important role in the near future in terms of
forensic investigations. Consequently, there is an
increasing tendency to encrypt and even destruct
messages, logs, etc. as an “anti-forensic” function-
ality. Enhanced privacy means more complicated
forensicexaminations. As an example, there is a
service (due to launch in October 2012), called Si-
lent Circle, which offers a whole private network
with an encryptedsuite for all calls and text com-
munications. How to deal with this’ privacy vs. fo-
rensics’ dilemma in the cloud context is an interest-
ing aspect to look at in the near future.
Conclusion
With the emergence of the clouds, computing re-
sources and data are more distributed than ever.
Many systems, including mobile computing sys-
tems, aredrifting to a more efficient IT consump-
tion and delivery within thisparadigm. Therefore,
traditional digital forensics ishardly applicable, and
it becomes urgent to rethink the whole process as-
well as understand the complexity of the backend
systems and theirinteractions with various clients.
The existing technical and jurisdictional challenges
are in factexacerbated in the cloud.
Finally, we described the challenges ahead, as
well as therequirements in the development and
deployment of apps, the delivery models, and the
References
[1] Tony S., Brian J. Forensic Computing. A Practitione-
r’s Guide. Springer-Verlag, 2007.
[2] Forensic Lifecycle. White Paper, Forentech Best
Practices Series, 2005.
[3] Xen.org.Xen: Enterprise Grade Open Source Virtu-
alization. Technical White Paper, 2006.
[4] Vmware.Cloud Infrastructure Architecture Case
Study. VMware vSphere 5.0 and VMware vShield
App 5.0. Technical White Paper, January 2012.
[5] Microsoft, TechNet. Hyper-V Portal. http://technet.
microsoft.com/
[6] Aouad L. and Kechadi. T. ANTS ROAD: A New Tool
for SQLite data Recovery On AndroidDevices. 4th
International Conference on Digital Forensics and
Cyber Crime, October 2012.
[7] Aouad L. and Kechadi T. Android Forensics: a Physi-
cal Approach. The International Conference on Se-
curity and Management. July 2012.
[8] Arxan Technologies. State of security in the App
economy: Mobile Apps Under Attack”. Research re-
port, August 2012.
[9] Apache Libcloud. A unified interface to the cloud.
http://libcloud.apache.org/
[10] Cloud Foundry. http://www.cloudfoundry.com/
[11] jclouds. http://www.jclouds.org/
[12] March C.The Cloud pushes Enterprise Mobile Apps
up a Gear.White paper. Yankee Research, June 2012.
[13] Tiggzi, Cloud-based Mobile App Platform. http://
tiggzi.com/
[14] WebMobi. Simplifying Cloud Mobility. Technical
White Paper, 2011, http://www.webmobi.com/
[15] Sybase Unwired Platform. Mobile Enterprise Ap-
plication Platform. http://www.sybase.com/sup
36
implicationsin terms of forensics analysis. We al-
so discussed legal implicationsand presented a
simple case study to show the importance of un-
derstanding the flow of data and events. In future
work, we will document fundamentals of digital fo-
rensics investigationsfor cloud-based apps and
platforms, with the purpose ofproposing efficient
methods and procedures in acquiring the data,
preserving its integrity and its evidence value.
Author bio
Centre of Cybersecurity and Cybercrime
Investigation, School of Computer Science
and Informatics, University College Dublin,
Belfi eld, Dublin, Ireland. M-Tahar Kechadi
is professor in School of Computer Science
and Informatics, University College Dublin (UCD), Ireland. He
was awarded PhD and a Masters degree in Computer Sci-
ence from University of Lille 1, France. He is currently head
of teaching and Learning and director of the Parallel Compu-
tational Research group in the School, UCD. His research in-
terests span the areas of forensic computing and cybercrime
investigations, data Mining, and distributed data mining tech-
niques and algorithms, and Cloud and Grid computing. He is
in the editorial board of the Journal of Future Generation of
Computer Systems and of IST Transactions of Applied Math-
ematics-Modelling and Simulation. He is a member of the In-
ternational Knowledge Cloud Consortium (IKCC). He is full
member at CERN and He is a visiting professor at the Univer-
sity of Liverpool, UK. Centre of Cybersecurity and Cybercrime
Investigation, School of Computer Science and Informatics,
University College Dublin, Belfi eld, Dublin, Ireland.
Author bio
Centre of Cybersecurity and Cybercrime
Investigation, School of Computer Science
and Informatics, University College Dublin,
Belfi eld, Dublin, Ireland. M-Tahar Kechadi
is professor in School of Computer Science
and Informatics, University College Dublin
(UCD), Ireland. He was awarded PhD and a
Masters degree in Computer Science from
University of Lille 1, France. He is currently head of teach-
ing and Learning and director of the Parallel Computational
Research group in the School, UCD. His research interests
span the areas of forensic computing and cybercrime investi-
gations, data Mining, and distributed data mining techniques
and algorithms, and Cloud and Grid computing. He is in the
editorial board of the Journal of Future Generation of Comput-
er Systems and of IST Transactions of Applied Mathematics-
Modelling and Simulation. He is a member of the International
Knowledge Cloud Consortium (IKCC). He is full member at
CERN and He is a visiting professor at the University of Liver-
pool, UK. Centre of Cybersecurity and Cybercrime Investiga-
tion, School of Computer Science and Informatics, University
College Dublin, Belfi eld, Dublin, Ireland.
 F.S.S.C.
Forensic Security Solutions Co.
A Computer Forensics and Network Security Consulting Co.

 Forensic Imaging &  Risk & Threat

Preservation of Digital Analysis
Data  Vulnerability
 Forensic Analysis & Assessment
Investigations  Penetration Testing
 E-Discovery Collections  Forensic Wiping of
 Targeted & Multi-User Digital Data
Collections Sources (Hard
Drives, Thumb
Drives, etc.)
Forensic Security Solutions Company is geared toward providing
their customers with extraordinary project management and client
interfacing that can be utilized for any size matter. Feel free to check
us out at www.ForensicSSC.com

Tel: (908) 917-1482 Email: Contact@ForensicSSC.com

www.ForensicSSC.com
 SIM CARD
FORENSICS

by Apurva Rustagi

This article introduces the file-system implemented in Subscriber

Identity Module (SIM) cards and the collection of data contents
that might be helpful in a forensic investigation. The author, also,
provides programming code that is designed to extract some of
the important data such as Short Message Service (SMS) traffic
and contact information from the SIM Card. A data extraction
application would be written in ANSI C.

T
he Global System for Mobile communica-
tions, popularly known as GSM, is one of
the primary mobile telephony systems found
around the world, competing with Code Division
Multiple Access (CDMA). Europe, including the
United Kingdom, uses GSM standards for mo-
bile communications. In GSM taxonomy, a cellular
phone is called a Mobile Station, comprised of two
distinct components. The components are namely
the Subscriber Identity Module (SIM) and the Mo-
bile Equipment (ME) – i.e the phone handset. GSM
mainly uses SIM (Subscriber Identity Module) card
technology for implementing user authentication
and accessing subscribed services.
Before going into the technical details, it would be
better to first understand why forensic investigation
of SIM cards is so valuable and what pieces of data
might be available for extraction from a SIM card.
Mobile telephony, which is essentially a means
of communication, implies exchange of voice and
data between two subscribers through a common
network. Such voice and data can be useful in ma-
ny investigations. Secondly, every mobile telepho-
ny system traces the position of handset terminals
for transfer of data between the terminal and the
fixed network. Since a subscriber would need a
mobile device to receive or send data, he would
always carry it on his person. This establishes a
one-to-one relationship between the user and the
mobile device, which may prove to be very inter-
esting to an investigation.
Various kinds of information that can be stored in
the SIM are as follows:
SUBSCRIBER INFORMATION
Every SIM card is identified by a unique Integrated
Circuit Card Identification (ICCID) which can be up
to 20 digits long. It consists of an industry identifier
prefix (“89” for telecommunications), followed by a
country code, an issuer identifier number, and an
individual account identification number. The IC-
CID can be read from the SIM without providing a
PIN and can never be updated. The country code
and issuer identifier can be used to determine the
network operator providing service and to obtain
call data records for the subscriber.

38
 Sim Card Forensics
The SIM stores the International Mobile Sub-
scriber Identity (IMSI), which is a unique identi-
fier for each subscriber in the system. It is simi-
lar to ICCID, comprised of a Mobile Country Code
(MCC), a Mobile Network Code (MNC) and Mobile
Subscriber Identity Number (MSIN). Networks use
IMSIs to identify to which network a device owner
subscribes and, if not the network, whether to al-
low access to the service.
The SIM Card also stores the Mobile Station In-
ternational Subscriber Directory Number (MSIS-
DN), which should contain the telephone number
assigned to the subscriber for receiving calls on
the phone. This value, however, can be updated
by the subscriber, making it a less reliable data
source, since it would, then, be inconsistent with
the actual assigned number.
Phonebook and Call Information
Abbreviated Dialing Numbers (AND): Subscribers
can maintain a list of the numbers they call or from
which they are called more frequently or that are of
more importance to them.
Last Numbers Dialed (LND): This storage is used
to retain most recent phone numbers called by the
device. The presence of a log does not guarantee
a call to this number because it might happen that
there was an attempt to call, but the connection
was unsuccessful on the network.
Messaging Information
Text messaging is a means of communication in
which messages entered on one cell phone are
sent to another via the mobile phone network.
Each SMS contains other information besides the
text itself. This includes the time an incoming mes-
sage was sent, the sender’s phone number, the
SMS Center address, and the status of the entry.
The status of a message entry can be marked as
free space or as occupied by one of the following:
a received message to be read; a received mes-
sage that has been read; an outgoing message to
be sent; or an outgoing message that has been
sent. Deletion of SMS works fundamentally similar
to deletion of files in traditional file systems. When
a user deletes messages using his phone, the
messages are marked as free space and retained
on the SIM until they are overwritten. When a new
message is written to an available slot, the unused
portion is filled with padding, overwriting any rem-
nants of a previous message that might be there.
Location Information
A GSM is a cellular network where it consists of dis-
tinct radio cells used to establish communications
with mobile phones. The SIM keeps track of the ar-
ea under which it falls for both voice and data com-
munications. The Location Information (LOCI) con-
tains the Location Area Information (LAI) for voice
www.eForensicsMag.com
communications. The LAI is composed of the MCC
and MNC of the location area and the Location Ar-
ea Code (LAC), an identifier for a collection of cells.
When the phone is turned off, the LAI is retained,
making it possible to determine the general locale
where the phone was last operating.
Similarly, the GPRS Location Information (LO-
CIGPRS) Elementary File (EF) contains the Rout-
ing Area Information (RAI) for data communi-
cations over the General Packet Radio Service
(GPRS). The RAI is composed of the MCC and
MNC of the routing area and the LAC, as well as
a Routing Area Code (RAC), an identifier of the
routing area within the LAC. Routing areas may be
defined the same as location areas or they may in-
volve fewer cells, providing greater resolution.
File System
(Swenson, Manes, & Shenoi)
Here are some details about the SIM card file sys-
tem and commands for processing it, followed by
an explanation of the prototype application and data
that can be retrieved. A SIM card is a type of smart
card. A smart card’s file system is stored in an inter-
nal Electrically Erasable Programmable Read Only
Memory (EEPROM) chip, protected by security fea-
tures of the card. It has an hierarchical tree structure
with a root called Master File (MF), Figure 1.
As in many other file systems, there are two
classes of files: Directories, called Dedicated Files
(DF); and files, called Elementary Files (EF). They
can be viewed as the nodes and leaves of a tree,
respectively. The MF is a DF. The main difference
between a DF and an EF is that a DF contains only
a header, whereas an EF contains a header and a
body. The header contains all the meta-information
that quantitatively relates the file to the structure of
the file system (available space under a DF, num-
ber of direct children, length of a record, etc.) and
security information, whereas, the body contains
information related to the application for which the
smart card has been issued.
Depending on the structure of the body, four types
of EF are possible in a smart card’s file system:
• Transparent EF: These files are organized as a
sequence of bytes. It is possible to read all or
Figure 1. Hierarchical structure of Erasable Programmable
Read Only Memory (EEPROM) chip
39
 only a subset of their contents by specifying a
numeric interval.
• Linear-fixed EF: The atomic unit for these files
is the record, instead of the byte. A record is a
group of bytes that have a known coding: every
record of the same file represents the same
kind of information. In a linear-fixed EF, all the
records have the same length.
• Linear-variable EF: This is the same as a lin-
ear-fixed EF, but, here, the length may vary
from one record to the other.
• Cyclic EF: These files implement a circular buf-
fer where the atomic unit of manipulation is the
record. Therefore, the concepts of “first and
last” are substituted by those of “previous and
next.”
SIM cards, which are a proper subset of smart
cards, do not allow linear-variable EFs, implement-
ing only transparent, linear-fixed and cyclic EFs.
Every file is unambiguously identified by its ID,
which acts as the name of the file. No two files in
the whole files system can have the same ID.
The allowed file system operations are coded in-
to a set of commands. The interface device (IFD),
which is the device capable of interfacing with a
smart card and setting up a communication ses-
sion, issues the commands to the smart card, and,
then, waits for responses. The IFD acts as the
“master” and the smart card as the “slave.”
The aforementioned commands, by means of
which it is possible to interact with a SIM card’s file
system, are:
• SELECT: This command selects a file for use
and makes the header of that file available to
the IFD;
• STATUS: This command has the meaning of a
SELECT with MF as argument;
• READ BINARY: This command reads a string
of bytes from the current EF;
• UPDATE BINARY: This command updates a
string of bytes in the current EF;
• READ RECORD: This command reads one
complete record in a record-formatted file;
• UPDATE RECORD: This command updates
one complete record in a record-formatted file;
• SEEK: This command searches the records of
a record-formatted file for the first record that
starts with the given pattern;
• INCREASE: This command adds the value
passed as a parameter by the IFD to the last
increased/updated record of the current cy-
clic EF and stores the result in the oldest in-
creased/updated record. It is used for incre-
menting time or charge information.
• GET RESPONSE: The IFD uses this com-
mand to transfer data from the smartcard to
the IFD. It is the IFD itself that has to request it.
40
What is important to note is that there is no com-
mand to eliminate or create files; nor is there a
command to quickly browse the file system.
Smart cards can be compared to safes. Like
safes, they implement many security systems to
protect their content: data. One of such security
systems uses “access conditions.” If any of the
commands were executable by anyone at any
time, all sensitive data stored in the file system
would be readily available to the external world.
Access conditions are constraints to the execution
of commands. They allow command execution
by only authorized entities and only during corre-
sponding authorization times. There are 16 access
conditions, shown in Table 1, and every file in the
file system has its own specific access conditions
for each command. Access conditions are orga-
nized in levels, but this organization is not hierar-
chical: that is, authorization for higher levels does
not imply authorization for lower levels.
Table 1. 16 access conditions
LEVEL Acces Conditions
0 ALWays
1 CHV1
2 CHV2
3 Reserved for Future Us
4-14 ADM
15 NEVer
Briefly, the meaning of these access conditions is:
• ALW: The command is always executable on
the file;
• CHV1: The command is executable on the file
only if one among Card Holder Verification 1
(CHV1) code or Unblock Card Holder Verifica-
tion 1 (UNBLOCK CHV1) code has been suc-
cessfully provided;
• CHV2: This is the same as CHV1, but using Card
Holder Verification 2 (CHV2) code or Unblock
Card Holder Verification 2 (UNBLOCK CHV2);
• ADM: Allocation of these levels is the respon-
sibility of the administrative authority – the card
provider or the telephony provider that issues
cards to its subscribers.
• NEV: The command is never executable on the file.
The SIM operating system typically allows three
attempts to enter the correct CHV, before blocking
further attempts.
If the user fails to the enter the correct CHV
value more than three times, access to the SIM
is blocked, and the correct Unblock CHV value
needs to be submitted. This is also known as a
PIN Unblocking Key or “PUK” and resets the CHV
and the attempt counter.
 Bibliography
• Casadei, F. S. (2006, Fall). Forensics and SIM Cards: an
Overview. International Journal of Digital Evidence.
• Digital cellular telecommunications system (Phase
2+); Specification of the Subscriber Identity Modu-
le – Mobile Equipment (SIM – ME) Interface (3GPP
TS 11.11 version 8.12.0 Release 1999). (n.d.). ETSI.
• GSM 11.11 Specification of the Subscriber Identi-
ty Module – Mobile Equipment (SIM-ME) Interface.
(n.d.). ETSI.
• Savoldi, A. &. (n.d.). SIM and USIM Filesystem: a Fo-
rensics Perspective.
• Subscriber Identity Module-Wikipedia, the free en-
cyclopedia. (n.d.). Retrieved March 23, 2010, from
Wikipedia: http://en.wikipedia.org/wiki/Subscriber_
Identity_Module
• Swenson, C., Manes, G., & Shenoi, S. (n.d.). IMAGING
AND ANALYSIS OF GSM SIM CARDS. Advances in
Digital Forensics .
• Wayne Jansen, R. A. (n.d.). Forensic Software Tools
for Cell Phone Subscriber Identity Modules.

The PUK code is linked with the ICCID. This

number is imprinted on the SIM card and can be
read with a SIM tool from an EF, EFICCID, since
the ALWays access condition applies by definition.
Once the ICCID is obtained, the PUK code can be
retrieved from the network provider.

Forensic Tools
There are various tools for data management on
SIM Card. Such tools give users the ability to read
as well as write data onto the SIM card. Such da-
ta management tools that allow the writing of data
should be avoided for forensic analysis.
Among available forensic tools for SIM card data
acquisition are Cellebrite UFED and Paraben SIM
Card Seizure. More tools are available and use the
same fundamental concepts for acquisition. Tradi-
tional imaging, like those of Hard Disk Drives, is
not possible for SIM cards due to various levels of
access restriction levied on the files. Instead, com-
mand directives called Application Protocol Data
Units (APDUs) are sent to the SIM to extract data,
without modification, from each EF of the file sys-
tem. The APDU protocol is a simple command-re-
sponse exchange. Each element of the file system
defined in the standard has a unique numeric iden-
tifier assignment; these identifiers can be used to
reference the element and perform some opera-
tion, such as reading the contents when using an
acquisition tool.

Author bio
Apurva Rustagi is working for one for
Big 4 consultancy firms and holds spe-
cial interest in mobile forensics.He can be
contacted at apurva.rustagi@ymail.com.

www.eForensicsMag.com
 MALWARE ANALYSIS:
Detecting and Defeating
Unknown Malware
by Kevin McAleavey, The KNOS Project

Cyber-attacks against control systems are considered extremely

dangerous for critical infrastructure operation. Today, the
protection of critical infrastructures from cyber-attacks is one
of the crucial issues for national and international security.
Over the past ten years, intrusion detection and other security
technologies for critical infrastructure protection have
increasingly gained in importance.

What you will learn:
• How to locate suspicious pro-
grams and how to determine if
they’re malware or benign
• Using file hashes in order to
verify the origin and authenticity
of suspicious programs
• How to locate the startups for
malware, all of the associated
components and locations where
malware can hide
• How to locate rogue services
and unkillable malware process-
es and regain access to the sys-
tem
• Useful tools to aid in the diag-
nosis and mitigation of malware
What you should know:
• Familiarity with use of the RE-
GEDIT Windows Registry editor
• Familiarity with use of the Win-
dows CMD Command line
• Familiarity with the normal lay-
out of a Windows file system
A
ccording to antivirus vendor
Symantec, over 1 million new
pieces of malware are cre-
ated every day. In 2011, Symantec
saw over 403 million new malware
samples according to Kevin Haley,
Director of Security Technology and
Response at his “Symantec Security
Awareness” presentation in October
2012. The samples received by Sy-
mantec and other antivirus and an-
timalware vendors are analyzed pri-
marily by automated systems, and
occasionally by human analyst’s to
become “signatures” placed in their
detection databases on a daily basis.
Despite all these known samples,
it is common for malware to slip right
past security solutions undetected
and unmitigated, leaving more sys-
tem’s infected with each passing day
despite these efforts. Those of us
who have been fighting the “war on
malware” know full well that we’ve
been losing the battle badly, and so
do Information Technology Adminis-
trators and Managers.
When malware strike’s a comput-
er, the obligatory response by IT
Department’s is to remove the ma-
chine, wipe and reformat the hard
drive, reload a fresh copy of the op-
erating system and then reimage the
drive, with the normal compliment of
authorized applications and configu-
rations, whereupon it is returned to
the victim in a known and “trusted”
state. While this causes great incon-
venience to the victim, who has now
lost whatever work that may have
been on the machine, it is the on-
ly practical mean’s to remove mal-
ware, given that the antivirus and
antimalware industry has been los-
ing the battle against malware for
years now.

42
 Detecting and Defeating Unknown Malware
In some situations however, the importance of
being able to collect evidence or critical data from
a machine which has been infected with unknown
and undetected malware, requires technician’s with
forensics experience to collect the valuable data
and preserve it without spreading the malware on
the infected machine further. It becomes quite chal-
lenging when malware has caused the machine of
interest to become inoperable or inaccessible.
In this article, I will explain numerous ways by
which malware can be located and circumvented
sufficiently in order to be able to access and re-
cover critical data where required. I caution in ad-
vance that being able to successfully restore the
machine to operable condition does not mean that
there isn’t additional malware which remains hid-
den and continues to pose a risk. I will also refer to
“security software” packages from various vendors
generically as “antivirus” for the sake of simplicity.
Once a machine has been compromised it can
no longer be “trusted”, since it is impossible to be
certain that any cleanup is ever complete. Attempt-
ing to access data from an infected machine must
be carefully considered, as to its values and risk’s,
before proceeding.
Each type of malware is different, and will have
different effects on different machine’s. Some are
easily located and mitigated, some are highly com-
plex and difficult to disable, and some are downright
destructive. Worse, there are so many locations in
which they can hide within’ the Windows operating
system, protecting them from easy discovery.
The one thing that all malware have in common is
finding a means to plant a payload onto the victim’s
machine, and then trying to remain hidden from de-
tection. It is the payload that must be found, and in
most cases, the file or means by which the payload
was “dropped” onto the system in the first place, in
order to prevent the payload from reappearing. Ad-
ditionally, that payload may also consist of “helpers”
in order to keep the malware hidden.
We will assume of course that all security and anti-
virus software is in place, and fully up to date on any
machine in question. And in the case of a forensic’s
investigation that a proper image of the original con-
tent’s of the machine has already been completed.
It is commonplace for even the best security soft-
ware to fail to perform its duties and detect all intrud-
ers. Security software depends on specific “signa-
tures” in order to identify malware, and changing just
one digital bit in a malware file will cause it to slip right
past ordinary antivirus/antimalware “signatures”.
Malware author’s carefully test their code in order
to ensure that it does not match, and therefore “ trig-
ger” AV “signature’s” before they release each ver-
sion, in order to take advantage of this inherent de-
sign weakness. Thus, in order to find “unknowns” it
is necessary to use the same skill set that malware
analyst’s use to hopefully locate and defeat them.
www.eForensicsMag.com
MALWARE TYPES
The computer security industry has a history of
confusing definitions for the various classes of
malware, often based on the limitation’s of a par-
ticular vendors choice’s or design limits in their
coverage of malware. As a result, there is much
confusion as to the specific meaning’s of various
definition’s, and proper classification of specific
threat’s. Therefore, I’d like to explain what those
of us in malware analysis labs define specific mal-
ware types as, and their expected capabilities, re-
gardless of individual vendor naming policies. For
those who are already certain of the definitions
I’m about to present, please feel free to skip to
the next section.
Viruses
Viruses are a self replicating program that infects
individual files on a computer. They modify the
contents of one or more file’s, and usually hide
inside legitimate files. In the old days, they would
append themselves to the end of a file, making it
larger than the original file. In more modern ver-
sions of Windows, compilers leave a lot of dead
space inside legitimate files, making it easy for
viruses to copy their payload into those empty
spaces, thus leaving the size of the file itself un-
changed and harder to detect. Many viruses will
also avoid modifying the date and time stamp,
further complicating forensic detection. They will
change the entry point address in the file header
to point to the viral code, so in order that this new
code will run first before calling the original con-
tent’s.
A practical way of checking on whether a file
contains a virus is to use an MD5 or SHA1 “hash”
against a known good copy of the original file. File
hashing is the “secret sauce” of the antivirus in-
dustry, its how most AV signatures are created and
how samples are managed and shared within the
industry. This hashing method is extremely useful
for efficiently investigating malware and will be de-
tailed later in this article.
Worms
Though closely related, worms and viruses are two
entirely different types of malware. Both have the
ability to self-replicate and propagate by attach-
ing themselves to files although not all worms are
“file infectors.” However, while viruses copy them-
selves from machine to machine through media
such as a USB device, worms replicate through
networks directly. Worms can travel through the in-
ternet or local networks and inflict mayhem ranging
from deleting files to creating backdoors or botnets
that provide remote control of a system. Worms
are designed to perform this function autonomous-
ly without human assistance, through network’s or
through physical media.
43
 Bots
“Bot” is derived from the word “robot” and are au-
tomated malware that controls network communi-
cations or services. Bots often automate tasks and
provide information or services that would other-
wise be conducted by a human being. A typical use
of bots is to gather information, and then interact
automatically with instant messaging (IM), Internet
Relay Chat (IRC), or other web interfaces. They
may also be used to interact dynamically with web-
sites, and recent ones have featured highly cus-
tomized protocols of their own.
Bots are self-propagating malware designed to
infect a host and connect back to a central serv-
er or servers that act as a command and control
(C&C) center for an entire network of compro-
mised devices, or “botnet.” With a botnet, attack-
ers can also launch broad-based, coordinated
“remote-control,” and flood-type DDOS attacks
against their target(s).
Trojan Horses
Trojan horse malware are programs which appear
harmless, and may also appear to be useful and
completely functional. However, they will contain
other components which will install malware onto
the machine while keeping the victim busy with a di-
version, or appearing to fail, causing the end user to
think the trojan was merely defective in some way.
They might arrive as an email attachment, or pres-
ent themselves as a useful application on a website
enticing the user to download and install them. Be-
cause it does not have the ability to self replicate,
trojans are a completely different animal from virus-
es or worms. Trojans require human assistance in
order to spread, usually through “social engineer-
ing” means. They often deliver destructive payloads
and can also install other types of malware.
RATs and “Backdoors”
RATs are “Remote Access Trojans” also called
“Backdoors”, and is the choice for espionage and
exfiltration of data. They provide a “Backdoor” into
the system through which external actor’s can re-
motely control a computer, running other malicious
code if he/she chooses. They can even use these
hijacked systems called “zombies”, to launch at-
tack’s on other’s. RATs provide all the capabilities
of legitimate remote access tools, and then add nu-
merous other capabilities depending on the design.
These are the preferred tools of cyber criminals,
and APT operation’s, and are designed to remain
stealthy when in operation and often install other
malware components as part of the overall infec-
tion. Their primary purpose is remote control of
the individually infected machines through these
“servers” which can be remotely accessed man-
ually. RATs differ from bots in that RATs must be
connected to individually whereas bots normally
44
communicate collectively with other bots or con-
trollers autonomously as a distributed network.
Some RATs also offer bot capabilities, thus blur-
ring definition’s among some vendors.
Spyware
Spyware, also called “adware” by some vendors, is
the most commonly found malware on machines.
Spyware is any program that tracks and reports
your computing activity without consent. While it is
not designed to inflict damage, spyware can seri-
ously affect the performance of machines. Spyware
is often bundled with free software, and automat-
ically installs itself with the program you intended
to use. Sign’s of spyware include sudden modifi-
cations to your web browser, unwanted additional
searchbar’s or “toolkits”, or redirects of your search
attempts and the frequent displaying of pop-ups.
Spyware and “adware” are often defined inter-
changeably, but “adware” simply displays adver-
tisement’s, whereas spyware returns more detailed
information than just a cookie to the site, which dis-
plays the ad’s such as browsing history detail’s, or
other personally identifiable information about surfing
habits. Spyware should not be confused with more
serious malware like keyloggers, RATs or other exfil-
tration tools, these are largely a privacy issue.
Many antiviruse’s do not detect all spyware, giv-
en that numerous purveyors of spyware will sue in
order to have the “false positives” removed from
detection databases in security products. When in-
vestigating strange, undetected program’s on ma-
chines, spyware is often found and can prevent
analysis from continuing further when actual mal-
ware exists. Therefore, when spyware is found, di-
agnosis should not end just because some spy-
ware was found on a victim’s machine, it is often a
sign that the hunt has only begun.
Keyloggers
Keyloggers are a particularly nefarious type of mal-
ware, in that their purpose is to surreptitiously col-
lect critical information such as; logins, passwords
or other sensitive data which is manually entered
from a client machine. Keyloggers will then record
all keystrokes entered on the victim’s machine into a
file, which can be transmitted back to the source of
the infection or to a botnet controlled by that source.
Some more advanced keylogger-type malware will
also index and collect for transmission, critical files
on the victim machine or the network’s to which it
connects as part of a larger espionage campaign.
Droppers
Droppers are a compressed package of malware.
Their design dictates that they be as small as pos-
sible, in order to not raise suspicion of a surrepti-
tious download in progress. They are often hidden
inside email, document’s, or by other means and
 Detecting and Defeating Unknown Malware
are quite compact. Their only purpose is to gain
entry into a system, and once installed they will
download other component’s quietly in the back-
ground, or they will contain various file’s needed
for a successful infection. Whereupon, they will in-
stall all of the other pieces that malware requires
to carry out its function. Droppers are usually com-
pressed with a specially obfuscated “wrapper” that
is designed to elude detection by antiviruse’s by
means of encryption and other techniques.
Rootkits
Rootkits are the most difficult of all malware to de-
tect, as their purpose is to completely hide malware
from the user as well as security software intended to
detect malware. Rootkits operate at the system lev-
el and are designed like other system and hardware
drivers, using special code in order to hide the mal-
ware installed at the user level. Some rootkits are al-
most impossible to detect, even with forensics, and
run as system services, device drivers, or can even
be written to firmware in the system’s hardware such
as; video cards, network cards, BIOS, or any other
device which allows updating of the hardware’s “firm-
ware.” Their entire function is to hide malware, and
the only visible symptom of their presence is unex-
plained reboots, or blue screen crashe’s, if they have
any bugs in their code. Absent programming bugs
however, are extremely difficult to detect. Rootkits
run at the lowest levels of a particular operating sys-
tem for which they are designed.
Bootkits
Bootkits are the latest concern, although despite the
hype, their practical application is still largely theo-
retical and impractical. However, when the specific
hardware configuration in the potential victim’s com-
puter is fully known, it is practical to construct one.
Bootkits consist of custom code designed to func-
tion within a system’s “firmware” such as; BIOS,
printers, video cards, ethernet and WiFi device’s,
and any other hardware that is capable of having
its firmware “flashed” or upgraded. Bootkits are dif-
ferentiated from rootkits because a bootkit does not
require the services of an operating system they are
completely self-contained independently of the op-
erating system, whereas rootkits are designed to
work after the OS has been booted.
As a computer boots, BIOS (or in newer ma-
chines, EFI or UEFI data on the local hard disk)
contains pointers to the various boot firmware in
modern components. By placing malware in the
hardware itself, a “bootkit” can be started before the
operating system and maintain control throughout
a session. However, any such “bootkit” has to be
written specifically for that hardware, and will not
work on another version of that hardware, owing to
the variety of hardware designs. The term “bootkit”
is also often referred to as, “boot sector infectors”
www.eForensicsMag.com
though they’re still technically considered a “virus”,
and because they run independently of the oper-
ating system, antivirus software is highly likely to
never detect them at all.
Bootkits can function regardless of the operating
system that is booted, and therefore a very valuable
tool for APT and other situations where the expense
of such custom malware justifies the effort. It was
one of many considerations in our own KNOS de-
sign despite the current rarity of this threat.
Bootkits can only be defeated by clearing and re-
flashing firmware with tools provided by the manu-
facturer of the hardware itself. Even then, the hard-
ware should no longer be considered “trustworthy”
since most “bootkits” are placed following the last
byte of firmware code in the device, and many “re-
flash” tools fail to overwrite the infection.
Pseudo-rootkits
I coined this term back around 2000 with our BO-
Clean product to describe perfectly legitimate soft-
ware which has been installed onto a machine in or-
der to act as malware. Pseudo-rootkits are legitimate
program’s which were installed without authorization
and when audited, will turn out to be completely le-
gitimate. They include things such as FTP software,
Remote desktop software, keyloggers used by par-
ent’s and corporation’s to monitor use of machine’s,
chat software, torrent software and numerous other
“name brand” products that security software will not
detect because it’s a “legitimate tool.”
However, they are not installed in the normal lo-
cation where they would be installed legitimate-
ly and have been modified with other “legitimate
tools” to remain hidden while they’re in use by
remote actors. Pseudo-rootkits will not be listed
in “Add/Remove software” since they weren’t in-
stalled by legitimate means. Our former BOClean
product was the only security product which set off
warnings when this was the case, warning the user
that such was operating without their knowledge
and gave them the option to remove them. Most
security vendors will not even attempt to detect
these at all even if they are “out of place.”
Exploits
Exploits are malware which are designed to exploit
weaknesses and design errors in existing software
or operating systems and are often embedded in
web sites, documents and file servers which con-
sist of scripts such as; Active X, Java applets, Ja-
vascript, PDF files and multimedia file’s which will,
thanks to poorly written code, perform unauthor-
ized actions on the victims machine. Persistent ex-
ploits require that a copy be stored locally, usual-
ly in the internet browser’s cache file’s, or in the
TEMP space. There are numerous other examples
of exploits as well, which are triggered each time a
malware page is visited.
45
 WARNING SIGNS THAT UNDETECTED
MALWARE MIGHT BE PRESENT
The majority of malware is poorly written and will
often noticeably affect the computer. When mal-
ware fails to be detected by your antivirus or oth-
er security software, the following symptoms merit
further investigation:
• Degraded computer functionality.
• Antivirus, firewall or other security software
has been disabled.
• Odd behavior, such as unexpected reboots or
icons no longer responding.
• Popup windows appearing when not browsing
the internet.
• System errors, blue screens, or reliable pro-
grams suddenly crashing.
• Strange traffic on the network, as well as slow
browsing.
• Disabled functions such as Task Manager, Re-
gedit, User switching, login, logout or shutdown.
• Files or programs on your PC that you do not
recognize.
• While surfing the internet, certain sites such as
www.microsoft.com or sites with antivirus, or
other security software vendors do not work.
• There are folders in your Windows Explorer,
but clicking on them doesn’t open them.
• After a reboot, Windows reports a Data Protec-
tion Violation in “Windows Explorer”, and shuts
down Explorer to restart it right away.
HUNTING FOR MALWARE
Unplug your network cable and manually turn your
computer off. Reboot your computer into “Safe Mode
with Command Prompt”. As the computer is booting
tap the “F8 key” continuously, which should bring up
the “Windows Advanced Options Menu”, as shown
below. Use your arrow keys to move to “Safe Mode
with Command Prompt” and press Enter key.
Make sure you log in to an account with adminis-
trative privileges (login as admin).
Once the Command Prompt appears you have
only a few seconds to type in explorer and hit En-
ter. If you fail to do it quickly within 2-3 seconds,
Malware on the system is likely to take over and
not let you type anymore. Keep trying if necessary
until you succeed.
If you managed to bring up Windows Explorer
you can try to run System Restore with the follow-
ing commands:
• Win XP: C:\windows\system32\restore\rstrui.
exe and press Enter
• Win Vista/Seven: C:\windows\system32\rstrui.
exe and press Enter
Follow the steps to restore your computer into an
earlier day prior to the infection if you have any
46
idea as to when it first started showing symptoms.
System restore often disables recently added mal-
ware and lets you get back into the machine. How-
ever, a large amount of malware disables your
ability to get at many parts of your system. If this is
the case, read below where I describe how to re-
enable deliberately disabled functions.
If you were successful, then you can proceed with
hunting for the malware. A system restore will only
hopefully prevent malware from starting. It will still be
present on the machine, hopefully inactive at least
temporarily in order to allow you to find and remove it.
Now the hunt can begin. This can become quite
involved, but generally you’ll want to proceed in
this order:
• Clean all temp folders and internet caches
from all browsers.
• Perform an Antivirus scan while running in
Safe Mode.
• Audit running processes.
• Audit the ‘startup’ files and registry entries.
• Audit network connections.
• Check the file system for files that have been
hidden and REALLY hidden files.
• Check for unusual services.
• Audit the HOSTS file and Windows TCP/IP
Settings (redirects to incorrect sites are often
done by modifying these).
If the above doesn’t solve the problem, then it’s
time to dive into the system manually. This is the
hard stuff, and requires an absolute need to ac-
cess the data on the infected machine since it can
become quite labor and time intensive now.
MALWARE HUNTING THE HARD WAY
Look for odd processes such as normal service
names which are misspelled. svchost.exe is ex-
pected, scvhost.exe is NOT. Random character file
names are almost always guaranteed to be mal-
ware, and they change each time the system is re-
booted in most cases.
Another frequent indicator of malware are file-
names with double extensions such as program.
pdf.exe where the double extension serves to
trick victims into believing that the file in question
is something other than an executable like in this
case where it might appear to be a PDF file if “show
file extensions” is disabled in the file explorer view.
Incorrect icons for files are also a reason for fur-
ther investigation. With “show file extensions” en-
abled in the file explorer, executables which display
a file folder icon, or an archive file icon or perhaps
a document icon are highly suspicious. Legitimate
programs will provide an icon that shows a prod-
uct logo or an icon logically associated with that
program and won’t mislead the user visually as to
what the icon represents.
 Detecting and Defeating Unknown Malware
Another clue which should be followed is to check
for valid signatures for any executable which claims
to have originated from a large vendor. Most major
enterprises now sign their code and the absence
of a signature, or misspelled “properties” informa-
tion is also an important clue. Here, examining the
“properties” for unknown programs is quite useful.
Unusual processes with high CPU utilization with
seemingly legitimate process names which are un-
expected are also a sign of possible infection by
malware. The Windows Task Manager is usually
circumvented by malware to prevent malware from
appearing in the task list, however you might get
lucky and spot some this way.
Searching the web using process names you
are unsure about will give clues to the legitimacy
of individual processes. There are a few sites that
provide databases which will give a detail listing
of processes, including file sizes and verdict as to
whether they’re legitimate or suspicious.
Installing a tool which will allow you to take an
MD5 or SHA1 “hash” of any suspect files will make
searches for those processes a whole lot saner and
will make it easier to confirm whether the files are le-
gitimate or suspect. Most malware search sites will
use MD5 and/or SHA1 hashes in order to confirm
their verdicts and thus being ready to determine the
MD5 or SHA1 hash of suspect files is strongly rec-
ommended to save time. These tools include:
• Microsoft File Checksum Integrity Verifier (gen-
erates MD5 and SHA1 hashes) which can be
downloaded here: http://www.microsoft.com/
en-us/download/details.aspx?id=11533
• I prefer this tool myself: HASHCHECK, which
installs as a shell extension right into Windows’
file explorer: http://code.kliu.org/hashcheck/
WHY DO WE NEED FILE HASHING?
As I indicated earlier, “file hashes” are, the “secret
sauce” of the antimalware business. By perform-
ing an MD5 or SHA1 hash on a file, a unique long
number is generated that is unique to that specific
file. It’s a means of generating a quick and dirty
“signature” for a known file whether it’s legitimate
or it is malware. It permits security software ven-
dors to feed a file to their signature database with-
out so much as looking at a sample that’s been
flagged as malware. No effort, no time, put it in the
blender, out pops a new “definition.” It’s cheap, it’s
fast and it’s lazy for the security vendors.
The downside with using hashes for antivirus
signatures is that if one single BIT of code chang-
es, due to encryption, a different packer, even add-
ing blank characters to the end of a file making
it one byte larger, that hash will no longer match
the “known malware” signature and thus it will go
undetected until the new variant gets hashed and
added to that signature database. THIS is why
www.eForensicsMag.com
your antivirus failed you! They probably saw a dif-
ferent copy than the one that just got installed on
your machine and the signature will only spot that
other identical copy, not necessarily yours. This is
also the reason why the “body counts” are so high
for malware and so many variant versions of the
same exact malware in their definitions.
Years ago, our operation made a product called
“BOClean.” We actually examined each and every
piece of malware in memory and then created a
memory-based definition for malware that would
always detect the malware no matter how it was
repacked, encrypted, polymorphed or modified
since all programs must shed all that once they
are ready to run in memory on a computer.
As a result of this design, we could detect any
variant knowing that there is a very limited number
of coders who produce malware and we made it a
point to study the authors themselves rather than
their code and zeroed in on specific means of de-
tecting the author. As a result, we detected every-
thing new that they wrote without the need to add
individual definitions. Even in the most sophisticat-
ed of “APT” malware, the authors always manage
to leave some unique “signature” in their work that
can be used to detect their next move.
When I was last directly in charge of antimalware
labs two years ago, the number of “unique au-
thors” was in the vicinity of only about 1,500 cod-
ers. I’d bet that the number today is less than twice
that. But my premise was that each individual au-
thor had their quirks, and you could count on those
showing up in the code they released. It was the
secret of our reputation with BOClean. But it took
a lot of work in the face of an ever expanding num-
ber of samples. Today you only see the security
companies expending that level of money and ef-
fort on the likes of Stuxnet.
Since file hashes are the industry standard
though, that’s what they use for sample and defini-
tion sharing within the industry, as well as databas-
es of malware publicly available to the public which
you can use to research whether or not unknown
files are already known to malware analysts or other
vendors in the industry. MD5 hashes are the older
standard, SHA1 hashes are the currently popular
exchange information. So you will want to obtain
both MD5 and SHA1 hashes of any files which you
suspect and then use those values to perform inter-
net searches at places like virustotal, jotti, or similar
to determine if a file is legitimate or suspicious de-
pending on the results of your search. Doing those
hashes will save you a _lot_ of time in your hunt!
RELEASE THE HOUNDS, ON WITH THE
HUNT!
In addition to the task manager that comes with
Windows, these tools give far more detailed infor-
mation for you to examine them and are less likely
47
 to be fooled into hiding malware unlike the Win-
dows task manager:
• GUI Process Explorer from Sysinternals: http://
technet.microsoft.com/en-us/sysinternals/
bb896653
• GUI Autoruns from sysinternals: http://technet.
microsoft.com/en-us/sysinternals/bb963902
Lacking those tools, the next step is to look for odd
entries in the “startup” sections of the registry using
Windows’ built-in tools. Keep in mind that legitimate
programs are seldom found in multiple start locations,
such as run, runOnce, runOnceEx and runservices, but
it’s quite common for malware to copy its startups
to multiple locations in order to ensure that if one is
found, others will successfully start the malware each
time the machine is rebooted. If you are unable to ac-
cess the registry or built-in tools, or are unable to run
any programs at all, I will explain down below how to
get around disabled functions and services.
To look for the normal startup
locations where malware might be
started
winkey + R | msconfig | Startup Tab
or
winkey + R | regedit | check the following
Audit the ‘startup’ locations. The most commonly
used startup locations in the registry are:
• H K L M \ S o f t w a r e\ M i c r o s o f t\ W i n d o w s\
CurrentVersion\Run
• H K L M \ S o f t w a r e\ M i c r o s o f t\ W i n d o w s\
CurrentVersion\RunOnce
• H K L M \ S o f t w a r e\ M i c r o s o f t\ W i n d o w s\
CurrentVersion\RunOnceEx
• H K L M \ S o f t w a r e\ M i c r o s o f t\ W i n d o w s\
CurrentVersion\RunServices
• H K C U \ S o f t w a r e\ m i c r o s o f t\ w i n d o w s\
CurrentVersion\Run
• HKU\.DEFAULT\Software\Microsoft\Windows\
CurrentVersion\Run
Audit network connections
winkey + R | cmd | netstat –nao
Connections continually in ‘SYN sent’ state on 445,
139, or other established connections on odd ports,
such as 6667(IRC) established connections on typi-
cal but unexpected ports such as FTP, TELNET,
even 80(http) where inbound connections aren’t
normally expected are a sign of malware running
surreptitiously. Inbound connections to websites
and other services normally occur on ports higher
than 1024, but outbounds on ports below 1024 are
48
highly suspicious when a server is not being delib-
erately run on the machine in question.
A list of TCP and UDP ports and their expected
purposes are listed here: http://en.wikipedia.org/
wiki/List_of_TCP_and_UDP_port_numbers.
Once again, sysinternals to the rescue: http://tech-
net.microsoft.com/en-us/sysinternals/bb897437.
Check for hidden files
There are files that are required for your system to
run, many of these are hidden from accidental dele-
tion. Malware takes advantage of such file attributes
to hide from standard file searches, but the Windows
folder view menu will allow you display any HIDDEN,
SYSTEM and READONLY file settings on your sys-
tem so that you can browse almost all of the files
on the system being examined. There are also files
known as “super-hidden files” which require the ex-
tra step of going into the View tab of the file explorer
and specifically unchecking “Hide protected operat-
ing system files (recommended)” as well as ensuring
that all other file types are made visible. Please be
aware that malware can still hide their files from the
File Explorer through the use of rootkits.
When performing this search pay particular at-
tention to directories in the %PATH% variable such as
C:\windows\system32, most malware tends to be
placed in the system “path” environment setting and
loaded via the registry without an absolute path. DO
NOT delete any of the files listed by this command
unless you are positive they are malware, you can
easily hose a completely functional system by doing
so. To delete files, you will need to UNSET hidden,
system and read-only attributes first.
Be mindful also, that there are “super-hidden”
files that Microsoft will just not let you access which
begin with a $ sign as the first character of the file-
name. These are reserved for the system only and
have been used to hide malware rootkits. One of
the most infamous rootkits which I tracked down
many years ago was the SONY rootkit, installed by
DRM contained on their commercial music CD’s. I
wrote up a set of manual instructions for those who
didn’t use our BOClean product here: http://www.
dslreports.com/forum/remark,14817570.
Malware can also hide in Alternate Data Streams
(ADS), which hides files inside other files. One clev-
er way of hiding malware, as well as purloined files
in the act of espionage is to write the content’s to an
ADS, whereupon they’re almost impossible to find
without knowing the name of the ADS itself. These
files are usually written to important system files and
sometimes buried inside folder entries themselves
rather than as files so as to elude detection. They
will contain a colon (:) between two filenames such
as for example winstart.exe:malware.exe or simi-
lar. The colon is the clue that you’re dealing with
an ADS file that will not appear in a directory listing.
Most antiviruses do not look for these by default.
 Detecting and Defeating Unknown Malware

An excellent tutorial on how ADS works can be
found here: http://windowssecrets.com/top-story/
hide-sensitive-files-with-alternate-data-streams/.
And an even more useful description of what
would be involved in deleting them can be read
here: http://www.bleepingcomputer.com/tutorials/
windows-alternate-data-streams/.
The following tool can locate them: Sysinternals
Streams: http://technet.microsoft.com/en-us/sys-
internals/bb897440.
Some malware will install as a system service.
While removal of services is more difficult, you
can usually at least disable them for temporary
clean up:
winkey + R | msconfig | Services Tab
winkey + R | services.msc |
From the Command shell -> tasklist, taskkill,
tasklist /svc
Once malware has been identified, it’s best to re-
move it while in safe mode. Some malware will have
additional processes and DLL’s (and possibly root-
kits) that can prevent you from removing them by
means of “injecting” their code into legitimate sys-
tem processes. Deleting startup locations and files
while in safe mode can usually restore a system to
working condition but remember, there’s no such
thing as a “trusted machine” once it’s been owned.

Listing 1. Windows registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option subkey
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*service* >ImagePath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\htafile\Shell\Open\Command
HKEY_CLASSES_ROOT\piffile\shell\open\command

www.eForensicsMag.com 49
 Finally, Rootkits: Rootkits are almost impossible
to find although many aren’t all that sophisticated.
There are numerous tools which will attempt to de-
tect a rootkit’s files, but they’re more prone to false
positives than actually finding genuine rootkits.
They include:
• Sysinternals Rootkit Revealer http://technet.mi-
crosoft.com/en-us/sysinternals/bb897445
• Hitman Pro (I recommend this comprehen-
sive scanner which uses multiple AV engines
to scan, but doesn’t remove them) http://www.
surfright.nl/en
Bear in mind that just because a “rootkit detector”
fails to find any rootkits doesn’t mean that there
aren’t any. Rootkits operate at the operating sys-
tem level and can easily hide themselves complete-
ly since most security software operates at the user
level, which is segregated from the operating system
level. In Win7 and later, that isolation is even more
profound than in earlier versions of Windows almost
guaranteeing that rootkits will never be detected un-
less they’re caught in the act of being installed.
Locating malware which might be
located in Startup Folders
The most ordinary autostart locations in Windows
are in folders actually named “Startup.” On all
Windows computers, there is an individual Start-
up folder for every user (account) who has ever
logged on in addition to a Startup folder shared
by all users of a particular system. These folders
can often be managed through the paths above or
Windows Start button → All Programs → Startup
→ Right click. In XP they are:
• C:\Documents and Settings\<USERNAME>\
Start Menu\Programs\Startup
• C:\Documents and Settings\Default User\Start
Menu\Programs\Startup
• C:\Documents and Settings\All Users\Start
Menu\Programs\Startup
• C:\windows\tasks
Whereas in Vista and later they’ve been changed to
• c:\ users\<USERNAME>\appdata\roaming\mi-
crosoft\windows\start menu\programs\startup
• c:\ProgramData\Microsof t\Windows\Star t
Menu\Programs\Startup
Startups can also be tucked away in these locations:
• C:\autoexec.bat
• C:\Windows\Win.ini
• C:\Windows\System.ini
• C:\Documents and Settings\Administrator\Lo-
cal Settings\Temp\
50
• C:\windows\system32\
• C:\WINDOWS\Prefetch
In these file folders, if you opt to sort by date,
you can sometimes see what has recently been
touched, added or changed so long as the mal-
ware didn’t change the particular file’s time and
date stamps. Malware will usually be listed with
DLL, OCX, SCR, VBX, BAT, CMD or EXE file ex-
tensions, sometimes with random file names and
in most cases, you should be able to search the
internet for details by filename to determine if it’s a
known threat or not. This is when it’s helpful to also
know the exact file size in bytes as well as hav-
ing an MD5 or SHA1 hash of the file in question to
make matching your mystery easier.
If the filename doesn’t turn up in an internet
search, it’s likely to be rogue, but again, you can’t
count on that either. Sometimes malware will use
filenames similar to genuine system files such as
rundll32, but will be located in the wrong directory. If
you see something called rundll33 then it’s a pretty
safe bet that it’s malware and should be deleted.
System files are usually in SYSTEM32 and below,
its presence in WINDOWS or TEMP is also suspect.
However, the vast majority of malware is start-
ed by entries in the Windows Registry, and here it
gets dicey because there are just so many places
that malware can be started from such as these
particular Windows registry keys (see Listing 1).
The most difficult part of the registry hunt is that
there are so many entries in each of them which
culminates in an executable, DLL file or other li-
brary file being loaded and started. Unfortunately,
each and every one has to be examined to deter-
mine whether it is legitimate or not. As I indicated
at the outset, there are just too many places for
malware to hide in the Windows operating system.
And these only account for EXE files. DLL’s and
other potential malware have other locations from
which they can be started. Be particularly cautious
when you spot a startup entry which begins with
“RunDll” or “RunDll32” in front of a DLL, OCX or
other file. RunDLL is Microsoft’s “run a DLL as an
executable” function which will allow malware to run
as a library instead of an executable and thus loads
it into the operating system itself instead of running
it as a separate program. Any of those files must
also be examined and verified as legitimate as well.
DLL’s can also be started using entries called
“ImagePath” or “ServiceDll” in the registry, and
these are even harder to find because they’re as-
sociated with “UUID” and “CLSID” entries buried
in the registry. These can be searched for in the
regedit utility and there are a LOT of them. These
keys will directly call DLL’s, OCX’s and other li-
brary type files which can also contain malware.
To further complicate matters, Windows will not
allow you to simply delete malware while it is run-
 Detecting and Defeating Unknown Malware
ning. Running processes and threads are protected
by the operating system, and any attempt to delete
it will be met with one form or another of an “access
denied” message and any attempts to remove the
rogue file will fail. The only way to delete a running
file is to either kill the process (and even here, ma-
ny protect themselves from this possibility) or to re-
move the corresponding startup entry in the startup
folder and/or the registry and then reboot in hopes
that there aren’t other elements of the malware that
will simply put the entry right back into the startup
location and then restart after a reboot.
And it gets even worse with rogue DLL’s and librar-
ies which are used to “inject” code into other legiti-
mate, running processes. Code injection has been
the preferred method of infecting computers since
DLL’s cannot be killed, they must be “unhooked”
by means of “object dereferencing” instead. The
only other alternative to unhooking DLL’s is to kill
the process to which they’ve attached. Malware
authors solved that problem as well by attaching
them to numerous processes including core op-
erating system processes themselves. Kill these
processes and the machine remains infected, but
spontaneously reboots or freezes in order to spank
you.
Hopefully, the entire malware “system” is start-
ed by an executable which then loads its other
components. If you find the main startup, you can
hopefully defeat the rest of the chain upon a reboot
by preventing the starter application from running.
Pay particular attention to any startups however
which include that “RunDLL” command in front of
a library file - that may be the startup as well. If you
can keep the rogue from starting after a reboot,
that’s the major part of the battle won!
SHUTTING DOWN ROGUE SERVICES
Since a Windows service can be turned off, Micro-
soft hasn’t felt the need to let users delete servic-
es outright from the Services window. But services
can cause all sorts of problems, whether they’re
unwanted add-ons to otherwise useful software,
left behind by buggy uninstallers, or inserted sur-
reptitiously by malware. So here’s how to remove
a service completely:
Open the Services window (services.msc) and
double-click the service you want to remove. High-
light the text next to Service name (the first entry
under the General tab) and press Ctrl-C to copy
the name to the clipboard.
Next, open a Command Prompt window in Admin-
istrator mode and type the following at the prompt:
sc delete (“Rogue Service”)
where (Rogue Service) (in quotes) is the name of the
service you just copied. Press Enter, and if the re-
moval was successful, you should see this message:
www.eForensicsMag.com
[SC] DeleteService SUCCESS
Return to the Services window and press F5 to re-
fresh the list, and confirm the service is now gone.
SC (or “Service Control”) is an often neglected, but
useful way to control running services, and can of-
ten stop rogue services.
UNKILLABLE PROCESSES
Antivirus and other security software require ex-
traordinary means in order to kill rogue programs.
Some methods involve the abrupt “TerminatePro-
cess” function in code, while others require an even
more extreme step in providing a kernel device driv-
er that will literally unhook the file from the system
and then delete it. Absent special utilities designed
to terminate unkillable processes, or unhook inject-
ed threads, if the task manager doesn’t allow you to
kill a rogue program, or it keeps coming back after
an apparently successful “kill” there are a few meth-
ods which I’ve found can do the job without these
specially written utilities. They include:
Use the “ntsd” command to kill any process that
thinks it’s special and can’t be killed using the task
manager:
ntsd -p [pid] -c
If that fails, then try this trick using the following ex-
act command line in a command prompt window:
reg add “hklm\software\microsoft\windows nt\
currentversion\image file execution options\
malware.exe” /v Debugger /t REG_SZ /d “C:\Windows\
System32\bogusfile.exe /F /IM malware.exe”
(the quotes are necessary)
Where the name “bogusfile.exe” is a nonexistent
filename, what this does is force Windows to at-
tach a debugger that doesn’t exist and that will
cause the program (named “malware.exe”) to be-
gin to start but not run because it’s waiting for a de-
bugger program that doesn’t exist. A reboot should
keep the program from running.
Another potential malware killer is “RKILL” which
can be found here: http://www.bleepingcomputer.
com/download/rkill/.
FINDING MALWARE
Many malware programs try to keep users and ad-
ministrators from interfering with their operation
and possibly shutting them down by disabling nu-
merous programs such as regedit, task manager,
and in extreme cases, not allowing you to run any-
thing nor even shut down the computer. This slight
of hand is accomplished by changing file associa-
tions in order to ensure that any time you try to
start a program, the malware will be started first,
and then call the program you wanted.
51
 They will also use permissions to disable access
to the system whereupon you will see a message
indicating that the “Administrator” has denied ac-
cess to you. One of the methods of complete deni-
al to any resources is “Association hijacking” which
can prevent programs from running as well as being
yet another automatic startup source for malware.
To check for association hijacking, you’ll want to
check these registry keys:
HKEY_CLASSES_ROOT\.exe\PersistentHandler
• (Default) value should equal: {098f2470-bae0-
11cd-b579-08002b30bfeb}
HKEY_CLASSES_ROOT\exefile\shell\open\com-
mand
• (Default) value should equal: “%1” %*
• IsolatedCommand value should equal: “%1” %*
Hijacking can occur for OTHER file associations
such as HTML, PDF and many others. You will see
those association keys in the same HKEY_CLASS-
ES_ROOT areas as “.exe” and “exefile” but their
entries can often be more complex. It helps when
checking to have the same registry entry open for
cross-checking with a machine that is uninfected
to confirm whether or not to edit the entry.
A cute little brute-force method that also works
when programs cannot be started is to copy the
original utility file and then rename its file exten-
sion. For example, if you can’t start any EXE files,
try renaming the copied “.exe” to “.com” or “.scr”
which are likely to work. If that gets regedit or your
antivirus program running again, you’re home free.
Some additional tips to work around disabled
functions can be read here:
• http://dottech.org/11980/re-enable-critical-win-
dows-components-disabled-by-malware/
• http://malwaretips.com/Thread-Remove-mal-
ware-when-traditional-tools-fail
PREPARING FOR THE INEVITABLE
Install these tools on your machines BEFORE you
need them!
Sysinternals complete suite of system forensics utili-
ties: http://technet.microsoft.com/en-us/sysinternals/.
Being prepared in advance to be able to gen-
erate MD5 or SHA1 “hashes” on suspicious files
against “known good ones” or to identify specific
malware in your searches with the Microsoft File
Checksum Integrity Verifier is highly recommend-
ed: http://www.microsoft.com/en-us/download/de-
tails.aspx?id=11533.
Once again, I prefer this tool myself: HASH-
CHECK, which installs as a shell extension right
into Windows’ file explorer: http://code.kliu.org/
hashcheck/.
Making a recovery USB stick - look for USB
memory sticks that feature a physical write inhibit
52
switch so they don’t get infected too. Having all of
your tools handy on a CD, DVD, or USB stick al-
lows you to bring your arsenal to the machine in
question without risking installing from the internet
on an infected machine. The “write inhibit” switch
on USB devices equipped with one will prevent
any malware from the machines you’re working
on from spreading via that USB device. Of course,
having a bootable CD or DVD is even better be-
cause there’s no possible way to write to it at all.
Most antivirus companies offer a downloadable
“rescue disk” which you can download and burn to
a CD, DVD or USB stick as well. Check with your
security vendor to see if they have one available.
The only downside is that each vendor has their
own and therefore you depend on that vendor to
detect and deal with any malware on the machine
based on their detection database. And given that
you’ll be doing this only if they’ve failed, that might
not help. If you’re unable to boot the suspect ma-
chine, this will at least let you gain access to it.
In my situation, I use a custom build of our own
product on a bootable USB stick, the KNOS Se-
cure Desktop. On it I have all of the necessary
tools, including antivirus, network and malware
scanners as well as other tools that will allow me
to investigate an infected Windows machine using
KNOS itself in GUI mode. It even permits me to lo-
cate and examine super-hidden items such as the
SONY Rootkit I mentioned earlier without difficulty.
Some Linux live cd distributions will also suffice for
accessing Windows machines although they have
limits if there’s no other means available to gain
access to the infected machine.
Having the tools you need beforehand though
cannot be emphasized strongly enough. Locating
and defeating undetected malware is a formidable
challenge, and I hope this lengthy dissertation has
been helpful in proceeding with the task success-
fully. Good hunting!
Author bio
Kevin McAleavey is currently the co-
founder of The KNOS Project, located
in Voorheesville, New York (US) and
serves as its chief architect. The KNOS
Project manufactures a malware-resis-
tant, secure desktop operating system
based on BSD known as the “KNOS Secure Desktop” for
use by client end users which delivers a familiar, user-friendly
and functionally complete desktop environment that can be
run from a DVD, USB memory sticks or installed onto a hard
drive and ensures privacy and security in its operation. Since
it doesn’t use the host computer’s hard drive, it can be run
separately from the existing operating system with no risk or
damage to the original desktop’s contents, nor will it perform
any writes to its host system.
 STAFFCOP
PC monitoring, Corporate Security
and Data Loss Prevention Software
StaffCop Standard allows you to monitor all activities
on company computers and prevent the unauthorized
distribution of sensitive corporate information.

StaffCop will help you:

To locate possible data loss channels and prevent loss
To gain insight into how your employees spend their work time
To increase company and departmentals efficiency

You need StaffCop to:

Main Features of StaffCop:
Gather work time efficiency statistics
Screenshot recording Easily control your employees in real-time mode
Application monitoring Improve discipline and motivation of your employees
E-mail monitoring
Web site monitoring
Chats/IM activity recording Who needs StaffCop:
USB device monitoring
Clipboard monitoring CEO/CTO
Social Networks Monitoring Corporate Security Manager
Search Term Tracking HR Manager
File and Folder tracking System Administrator
Keystroke recording
System Event Monitoring
Whitelists and Blacklists
PC activities reporting More Information, Demo Versions,
Stealth installation/monitoring Videos and Technical Guides -
Strong security
Alert notiications
Remote Install / Uninstall www.STAFFCOP.com

Phone: +1-707 -7098405

Skype: staffcop.com
Email: sales@staffcop.com, paul@atompark.com
 JUSTICE SPEAKS...
An interview with Johnny Justice, Senior
Instructor from Mile2
by Gabriele Biondo, Roshan Harneker, Stanislaw Butowski
As if his name wasn’t sufficient recommendation,
this man has been a counterintelligence agent in
the U.S. Army for several years. Recently, he has
switched to training and developed a course at
Mile2. Although permanently busy, he did find some
time to answer a couple of questions. Here you are
– Justice speaking about the certifications, cyber
crime, cyber terrorism, the most common mistakes
made by Digital Forensics Examiners, and testifying at court.
eForensics: What steps would you suggest
to someone willing to become a Digital
Forensics Examiner?
Johnny Justice: I would suggest taking courses
that are related to digital forensics to get a good sol-
id base of knowledge. One good way to start would
be through community colleges and universities that
tend to offer courses in both Information Security
and Digital Forensics. Another option is to enroll in
technical classes where certification is the objective.
Taking internationally recognized courses that pro-
vide intense hands-on labs is a great start and paves
the way for establishing the foundation of becoming
a Digital Forensics Examiner. Once you have com-
pleted this foundation, you’ll be ready for the job.
eForensics: What is the future of the
digital forensics, in your opinion?
Johnny Justice: With hardware devices and stor-
ages becoming larger, computer forensics tools
are progressively becoming more granular and de-
tractors are continuing to be more sophisticated
in their new schemes – I can only see the market
space expanding and having a greater demand for
experts in the digital forensics discipline.
eForensics: Digital forensics has a
correlation/examination aspect transcending
technology. What would you suggest to our
readers to build up such skills?
54
Johnny Justice: Technology is fluid and the chang-
es keep us behind the power curve. I would suggest
continuing educational forensic courses or webi-
nars. Any reading can always be found on the inter-
net. As technology is released, a vendor or expert
will always be quick to create content to educate the
forensics market space. If you really want to learn
firsthand, I would recommend that you build your
own lab environment. In doing so, you would experi-
ence new technologies and understand the value of
both reports and investigation methodologies.
eForensics: Cyber terrorism is something
becoming bigger and bigger on a
constant basis. What would you suggest
as a sound approach to such problems?
Johnny Justice: I believe that the best way to pro-
tect your company from cyber terrorism is to simply
apply security best practices. By doing this, you’re
able to maintain a standard that meets company ob-
jectives with security features that will help fend off
cyber terrorists. In doing so, your company becomes
a hard target by detering those attackers on the wire.
eForensics: Where do you see the
boundaries between cybercrime and
cyber terrorism?
Johnny Justice: Cybercrime is the overall infor-
mation related to specific illegal acts using cy-
berspace to conduct it. Cybercrime has opened
 interview with Johnny Justice
the door to incidents that are being conducted by
known terrorist organizations whose goal is to at-
tempt to exploit or destroy specific infrastructures
of their adversaries. I think the boundaries are how
the specific attack is conducted over the Internet.
eForensics: What suggestions would you
give to our readers?
Johnny Justice: For your readers who want to
learn these forensic investigative methodologies,
there are two things that I would encourage them
to do. First, I would tell them to seek out local fo-
rensics chapters. These chapters are in most ma-
jor cities world-wide. There you will find many re-
sources for your learning. You will also be able to
find other engineers who have the same interests
and will be able to collaborate with you to be sure
you stay on the right track. Another option is to try
to find the computer forensics team within your or-
ganization. Do your best to tag along, especially
when they are in the process of an investigation.
Request to intern within the company and gain on
the job training. This could give you great insight as
to what a career of a forensics examiner is like and
what you could expect in this ever growing field.
eForensics: What kind of open source/
commercial tools do you use and how do
they weigh up against each other?
Johnny Justice: When conducting computer fo-
rensics, I use either AccessData’s FTK or Guid-
ance Software’s EnCase. They are both great
tools and although, in my estimation, they stack up
to about the same, each has their own functional-
ity that really enables a full investigation process.
eForensics: In your experience, what are
the biggest mistakes digital forensics
investigators make which cause cases to
fall apart?
About mile2 and founder of the C)DFE
certification
Mile2 is a Cyber Security training and consulting com-
pany that develops and delivers information security
training in line with government, military and private
sector specifications. Mile2 was founded in the after-
math of 9/11 as a response to the threat of information
security attacks.
Mile2 governs the Certified Digital Forensics Exa-
miner Certification and is taken through their online
examination system called MACS.
Raymond Friedman, CEO of Mile2, is largely respon-
sible for creating the C)DFE certification and was origi-
nally designed for police personal. Raymond Friedman
is an author and international speaker as an expert in
both cyber warfare and cybercrime. Today, mile2 works
and supports global police agencies such as ICAC (In-
ternet Crimes Against Children) and INTERPOL (Interna-
tional Criminal Police Organization-Interpol).
www.eForensicsMag.com
Johnny Justice: In my experience, I have found
that digital forensic investigators tend to error in
specific forensic examination requests, reporting
information, and in the area of creating case logs.
Many times, I observed investigators invest too
much time in a partial area of the requested exam-
ination. The investigator, at times, gets lost in all
the data, following never ending rabbit holes and
paths that were not even part of the original exami-
nation request. And at times, the information, when
it is found, isn’t even admissible in court because
it was not covered in the discovery process. The
examination requires time consuming extensions
that could have easily been avoided had a focused
and sound forensics methodology been followed.
Report writing is also a problem, especially when
it comes to articulating specific information that is
related to the findings. As it relates to case logs, I
am very careful to create a minute-by-minute log of
each process that I conduct and follow during the
case examination. These logs are so important as
they are not only discoverable but will most like-
ly be repeated by the defense’s expert witness for
the sole purpose of discrediting the case findings.
eForensics: What are the top three tips
you can offer an investigator when they
are expected to present evidence in a
court of law?
Johnny Justice: Intimately know the information
that you are going to expound upon and try to envi-
sion every angle the defense attorney can potential-
ly bring up in respects to the information you pres-
ent. Do not get flustered in court and always keep
a cool head. Don’t forget, your job is to present the
facts. Practice, practice, practice and be prepared.
This is a court of law; the information that you pres-
ent can potentially make or break the case.
eForensics: Thank you very much for the inter-
view and good luck with your work!
Johnny Justice
Johnny Justice has been working with
computers since 2005. He has been
serving in the U.S. Army as a counter-
intelligence agent for over 12 years, 7
years being devoted particularily to Com-
puter Forensics. He has vast experience
in training – he has been teaching UNIX/
LINUX, Network Essentials, and Theo-
ries and Application / Digital Technology
at the college level and has developed
several high level Linux and Digital Forensics courses cur-
ricula. He co-authored the 2012 update to the Certified Digi-
tal Forensics Examiner course at Mile2. He holds a variety of
certifications: C)DFE, CEI, CSSA, ECSA, CHFI, Linux+, and
CEH. In 2012 Johnny Justice graduated Magna Cum-Laude
from Nova Southeastern University with a Master’s of Science
Degree in Computer Science Education.
55
Nevada PI Lic#1948 Expert Data Forensics is a d/b/a ICS of Nevada LLC.
2675 S. Jones St. Suite 207A, Las Vegas NV 89146
PO Box 35006 Las Vegas, NV 89133
T: 702-435-8885 O: 888-355-3888 F: 702-453-8887
[Lic#1498] [Tax ID: 20-4239533]

ExpertDataForensics.com

Digital Forensic & Investigative Services

• First response
• Extraction & preservation of digital contents
• Electronic investigations (Lic#1498)
• Chain of custody
• Expert witness for court/depositions
• Digital data & electronic analysis
• Seizure of digital evidence for forensic purposes
• Investigation of digital evidence
• Recovery of deleted digital content
• Consultation & preventative strategy
• Corporate systems & security analysis
• Data analysis & recovery
• Cell phones & mobile devices data extraction, preservation & analysis
• Retrieve & analyse text messages, emails, images etc.
• Corporate digital crime reconstruction
• Web surfing pattern analysis
• Online hacking, Email investigation
• Authentication of digital data (certificate)
• Password recovery
• Cyber hacking, stalking and activity patterns
• Electronic fraud detection
• Digital corporate sabotage
• Corporate/private infringement
• Employee misuse

Forensic Data Recovery Services

• We specialize in forensic data recovery from computers, cell phones, PDA’s

• Data recovery of hard disk
• Data recovery of deleted files
• Digital imaging from electronic device
• Password recovery
• Digital recovery of deleted data contents (emails, txt messages, web chats)