Formal Education
Formal Education: (some)
 2006: Indonesian Advanced Police College
Award: The Best Graduate in Academic
 2009: MSc in Forensic Informatics, University of Strathclyde, UK
Final Result: Distinction for Dissertation on Steganography Forensic
Professional Qualifications: (some)
 2004: Professional Commendation on Crime Scene Management from
Senior Investigator (Retired) of New York Police, US
 2005: Expert Degree on Computer Forensic from Puslabfor Polri
 2007: Computer Hacking Forensic Investigator (CHFI) from EC-Council, US
 2008: Certified EC-Council Instructor (CEI) from EC-Council, US
 2009: Professional Member (MBCS) from British Computer Society, UK
Professional Awards: (some)
 2005: 8-year loyalty medal from Indonesian National Police
 2008: British Chevening Scholarships Award from UK FCO
 2010: Indonesian Super Six UK Alumni from British Council
 2013: 16-year loyalty medal from the Republic of Indonesia
Membership/Networking: (some)
Years listed: 2007, 2009, 2010, 2012, 2013
 EC-Council
 British Computer Society
 Interpol Asian and South Pacific Working Party on IT Crime
 Manager of Digital Forensic Analyst Team – Indonesia at LinkedIn
 Manager of ADFA (Association of Digital Forensic Analyst) at LinkedIn
 Association of Certified Fraud Examiners
Experience as Instructor/Speaker: (some)
 Indonesian Police Criminal Investigation Board (Bareskrim)
 Indonesian Police Education Institute (Lemdikpol)
 Indonesian Police Forensic Lab. Centre (Puslabfor)
 President Secretary Office of the Republic of Indonesia (Sespri Presiden RI)
 Indonesian General Attorney Training and Education Board (Badiklat Kejagung)
 Indonesian Ministry of Communication and Information (Kemenkominfo)
 Indonesian Ministry of Finance (Kemenkeu)
 Indonesian Corruption Eradication Commission (KPK)
 Indonesian State Intelligence Board (BIN)
 Indonesian Military Attaché in London, UK
 Banks such as Mandiri Bank, CIMB Niaga Bank, OCBC NISP Bank
 Universities:
- University of Strathclyde, Glasgow, UK
- University of Indonesia, Depok
- University of Islamic Indonesia, Yogyakarta
- Paramadina University, Jakarta
- Krida Wacana University, Jakarta
- Airlangga University, Surabaya
- State Islamic University, Tangerang
- Muhammadiyah University, Jember
- State Cryptography Institute, Tangerang
- State Polytechnic, Batam
 United Nations Office for Drugs and Crime (UNODC)
 Asian Pacific – Computer Emergency Response Team (AP-CERT)
 EC-Council Indonesia
 Association of Certified Fraud Examiners (ACFE), etc.
[Organisation chart of the Indonesian Police Forensic Laboratory Centre]
Chief of Forensic Lab Centre
 Secretary
 Forensic Lab Branches: 6
 Physics and Computer Forensic Dept.: Fire and Accidents; Special Detection; Computer Forensic
 Ballistic and Metallurgy Forensic Dept.: Ballistic; Metallurgy; Explosive
 Document and Counterfeit Forensic Dept.: Document; Counterfeit; Printed Product
 Chemistry and Biology Forensic Dept.: Chemistry; Biology; Toxicology
 Narcotics Forensic Dept.: Narcotics; Psychotropic; Drugs
 2000: Started to discuss about the significance of digital forensic to
support examination on electronic evidence
 2007-2008: Awards of EC-Council’s Computer Hacking Forensic
Investigator (CHFI)
 2009: Award of MSc in Forensic Informatics from the University of
Strathclyde, UK
 2010: DFAT (Digital Forensic Analyst Team) was founded
 2011: Computer Forensic Sub-Department was founded
 2014: Computer Forensic Lab. in progress for ISO 17025
Computer Forensic Sub-Department
Indonesian Police Forensic Laboratory Centre
[Bar chart: Number of Cases and Evidence, 2006-2013. Series: Number of Cases, Number of Evidence. X-axis: years 2006 to 2013; y-axis: count, 0 to 600. Data labels in the source range from 3 to 582; the year-by-year values were not preserved in the transcription.]
Computer Forensic Sub-Department
Indonesian Police Forensic Laboratory Centre
[Pie chart: Types of Electronic Evidence, 2013. Categories: Handphone/Modem/Tablet, Simcard, Memory Card, PC/Laptop/External HD, CD/DVD, Flashdisk, DVR. Slice values shown: 40%, 35%, 14%, 6%, 3%, 1%, 1%; the pairing of values with categories was not preserved in the transcription.]
Computer Forensic
Mobile Forensic
Audio Forensic
Video Forensic
Digital Image Forensic
Network Forensic
 Mobile Networks
 2G: GSM (Global System for Mobile Communications) for
voice and text
 2.5G: GPRS (General Packet Radio Service) for low-speed data
transfer, 160 Kbit per second
 2.75G: EDGE (Enhanced Data rates for GSM Evolution) for
data transfer at 400 Kbps
 3G: 3rd Generation, data transfer 800 Kbps, good for video
calls
 3.5G: HSDPA (High-Speed Downlink Packet Access) for 14 Mbps
 4G: 4th Generation, for 1 Gbps (full implementation still in
progress)
 Coverage Area of BTS (Base Transceiver Station)
[Diagram: call path between two cellular operators. Caller A, whose ME (Mobile Equipment) acts as MO (Mobile Originating), connects to a BTS Tower (Base Transceiver Station), then to a BSC (Base Station Controller), then to the MSC (Mobile Switching Centre) of Cellular Operator A. The MSC of Operator A connects to the MSC of Cellular Operator B, which routes through its own BSC and BTS Tower to Receiver B, whose ME acts as MT (Mobile Terminating). The MSCs also connect to the SS7 network for internet access.]
 The MSC's main function is to switch telecommunication traffic
between one or two providers, or data traffic between a
provider and the SS7 network for internet access
 To route calls or SMSs from MO to MT
 To route internet access from/to MO
 It holds the HLR (Home Location Register) database of permanent
subscribers and the VLR (Visitor Location Register) of roaming subscribers
 It holds a database of BTS-based subscriber location
 It holds the CDR (Call Data Record) database containing calls,
SMSs, etc.
 It is the point at which lawful interception is performed
Mobile phone memory locations: Flash Memory; External Memory; EEPROM (Electrically Erasable Programmable Read-Only Memory); SIM (Subscriber Identity Module) card; RAM (Random Access Memory)
 RAM (Random Access Memory)
 Date/Time (mostly on older phones)
 Current running applications
 EEPROM (Electrically Erasable Programmable ROM)
 Date/Time (on newer phones)
 Manufacturer’s data: make, model, version, etc.
 IMEI (International Mobile Equipment Identity)
 Operating System and Software
 Flash Memory
 SMS messages
 Contacts
 MMS messages
 Incoming Calls
 Dialed Calls
 Missed Calls
 Calendar
 Tasks
 Files, etc.
 SIM Card
 IMSI (International Mobile Subscriber Identity)
 ICCID (Integrated Circuit Card ID)
 Contacts
 SMS messages
 Dialed calls
IMSI = 3 digits of MCC (Mobile Country Code) +
2 digits of MNC (Mobile Network Code) +
9-10 digits of MSIN (Mobile Subscriber Identification Number)
ICCID = 2 digits of MII (Major Industry Identifier: 89 for telecom) +
1-3 digits of Country Code (62 for Indonesia) +
1-4 digits of Issuer Identifier +
remaining digits for the provider's administrative use
 External Memory
 Digital image files
 Video files
 Audio files
 Office files
 Notes, etc.
 MSC of Operator
 MSISDN (Mobile Station International Subscriber Directory Number)
 Voice mails
 CDR (Call Data Records): calls, SMSs, etc.
 BTS-based location
 HLR (Home Location Register)
 VLR (Visitor Location Register)
 Logs of SS7 network
 SMS Centre, etc.
 Various OS:
Symbian, Windows Mobile, Blackberry, Android, iOS, etc.
 Applications: limited depending on the OS and make/model
 It requires an SOP (Standard Operating Procedure), as do the other digital
forensic branches, to guide all processes so that they are done properly
 Connection:
 Data Cable
 Bluetooth
 Infra Red
 Forensic Tools:
 Hardware-based
 Software-based
Hardware-based Tools: (some)
- UFED of Cellebrite
- XRY of Micro Systemation
Software-based Tools: (some)
- Mobile Field Kit of Paraben’s Device Seizure
- Oxygen Forensic
- Mobiledit Forensic
 Physical acquisition is based on the sectors of memory, while logical
acquisition is based on the file system
 Logical acquisition is faster than physical acquisition
 Physical acquisition can retrieve any information stored in the memory, including
deleted data such as deleted SMSs, calls, chats, emails, contacts, etc.
 Logical acquisition can only retrieve the data available through the file system, excluding
deleted data; it is less sensitive than physical acquisition
 Logical acquisition covers a wider range of handsets in the tools' phone databases than
physical acquisition does
 Physical acquisition is performed first; if it fails, then do logical
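The difference between the two acquisition types is easiest to see on a toy image. The following is an added example, not code from the slides or from any of the tools named above: it builds a constructed flash image with a minimal allocation table, then performs a "logical" acquisition that walks the table (what the file system still references) and a "physical" acquisition that scans every byte (what the memory still contains). The record format, table layout and messages are all invented for the example; a deleted record is simply one whose table entry was dropped while its bytes remain in place.

```python
"""Why physical acquisition recovers deleted records and logical acquisition does not.

Added example (not from the original slides). The image format below is a
constructed toy: a 'TBL1' allocation table of (offset, length) entries at the
start of the image, followed by 'SMS:'-prefixed, NUL-terminated records.
"""
import struct

RECORD_MAGIC = b"SMS:"   # constructed record signature; record ends at NUL
TABLE_MAGIC = b"TBL1"
ENTRY_FMT = ">HH"        # offset, length (big-endian 16-bit each)
DATA_START = 64          # data area begins after the table


def build_image(live: list, deleted: list, size: int = 512) -> bytes:
    """Lay records into a fixed-size image; 'deleted' records get no table entry."""
    img = bytearray(size)
    entries = []
    pos = DATA_START
    for msg, keep in [(m, True) for m in live] + [(m, False) for m in deleted]:
        rec = RECORD_MAGIC + msg + b"\x00"
        img[pos:pos + len(rec)] = rec
        if keep:
            entries.append((pos, len(rec)))
        pos += len(rec) + 8               # a little slack between records
    table = TABLE_MAGIC + struct.pack(">H", len(entries))
    for off, ln in entries:
        table += struct.pack(ENTRY_FMT, off, ln)
    img[:len(table)] = table
    return bytes(img)


def logical_acquisition(img: bytes) -> list:
    """Return only the records the allocation table still references."""
    if img[:4] != TABLE_MAGIC:
        raise ValueError("not a toy image")
    (count,) = struct.unpack(">H", img[4:6])
    out = []
    for i in range(count):
        off, ln = struct.unpack(ENTRY_FMT, img[6 + 4 * i:10 + 4 * i])
        rec = img[off:off + ln]
        out.append(rec[len(RECORD_MAGIC):-1])   # strip signature and NUL
    return out


def physical_acquisition(img: bytes) -> list:
    """Carve every record by signature from the raw bytes, allocated or not."""
    out, pos = [], 0
    while (pos := img.find(RECORD_MAGIC, pos)) != -1:
        end = img.find(b"\x00", pos)
        out.append(img[pos + len(RECORD_MAGIC):end])
        pos = end + 1
    return out


# Constructed sample: two live SMS records and one whose entry was removed.
SAMPLE_IMAGE = build_image(
    live=[b"meet at 7", b"call me back"],
    deleted=[b"transfer done, delete this"],
)


def deleted_only(img: bytes) -> list:
    """Records present in memory but no longer reachable through the file system."""
    seen = set(logical_acquisition(img))
    return [r for r in physical_acquisition(img) if r not in seen]


if __name__ == "__main__":
    print("logical :", logical_acquisition(SAMPLE_IMAGE))
    print("physical:", physical_acquisition(SAMPLE_IMAGE))
    print("deleted :", deleted_only(SAMPLE_IMAGE))
```

The same contrast explains the slide's ordering rule: the physical image is a superset of what the logical pass returns, so it is attempted first, and the logical pass serves as the fallback when the tool cannot read raw sectors from that handset.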
Handphone in the ON condition:
 Do not switch the handphone evidence off; leave it ON
 If no forensic analyst is available, switch it off to avoid contamination.
The OFF-condition procedure is then used
 Document it with forensic photography and the date/time, as well as the
specification such as make, model and IMEI, obtained by pressing *#06#
 IMEI = mobile equipment ID number
 To avoid contamination, set up an area without radio signal using a
jammer or Faraday bag, or switch the handphone into flight mode
 Prepare an analysis workstation with drivers installed and write-protection, or
prepare a portable forensic analysis device
 Attach the handphone evidence to the workstation/device
 If possible, do physical acquisition first; otherwise do logical
 Physical acquisition/analysis can retrieve deleted data
 When it finishes, switch the handphone off, then pull out the battery
 Verify the IMEI printed on the back against the one recorded earlier
 Take out the simcard, note its make and ICCID, then put it
into a simcard reader
 ICCID = administrative number of the cellular operator
 Attach the reader to the workstation/device
 Do physical analysis for the best results
 Note the IMSI = authentication number
 When it finishes, put the simcard and battery back into the
handphone; do not switch it on
 If the handphone has an external memory card, pull out the card, then
put it in a memory card reader
 Attach the reader to the workstation
 Do forensic imaging, then verify the md5 hash
 Search the contents of the card by mounting it physically/logically, or
do physical/logical recovery directly on the image
 When it finishes, put it back into the handphone
 The comprehensive findings and analysis are confirmed with the
investigators so that they can work them out for solving the case
Handphone in the OFF condition:
 Do not switch it ON
 Take a photograph and note its make, model and IMEI
 Pull the simcard out, then do physical acquisition/analysis in the
same way as in the ON condition
 If external memory is available, do the same as in the ON condition
 The technical procedures are almost the same as in the ON condition.
The differences:
 Simcard and memory card acquisition/analysis is performed
first
 At the end, put the simcard and memory card back into the
handphone, then switch it ON. The procedure is then the
same as in the ON condition
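Two steps of the procedure above are mechanical enough to script: imaging the memory card and verifying its hash, and recording the IMEI cross-check (the value from *#06# against the label on the back). The following is an added example, not code from the slides or from any named tool: it streams a source device into an image file, hashes source and image (md5 as the slides specify, with sha256 alongside as a stronger companion), compares them, and appends each step to a JSON-lines case log. The "device" is a constructed temporary file standing in for a card reader's block device; the case number is a placeholder.

```python
"""Forensic imaging of a memory card with hash verification and a written record.

Added example (not from the original slides). The source device is a
constructed temporary file; replace it with the reader's block device in
practice. Case number and paths are placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # 1 MiB read size


def image_and_hash(src_path: str, img_path: str) -> dict:
    """Copy src to img chunk by chunk, hashing the source as it streams and
    the written image on an independent re-read."""
    src_md5, src_sha = hashlib.md5(), hashlib.sha256()
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        while chunk := src.read(CHUNK):
            src_md5.update(chunk)
            src_sha.update(chunk)
            img.write(chunk)
    img_md5, img_sha = hashlib.md5(), hashlib.sha256()
    with open(img_path, "rb") as img:
        while chunk := img.read(CHUNK):
            img_md5.update(chunk)
            img_sha.update(chunk)
    return {
        "md5": src_md5.hexdigest(),
        "sha256": src_sha.hexdigest(),
        "verified": src_md5.digest() == img_md5.digest() and src_sha.digest() == img_sha.digest(),
        "bytes": os.path.getsize(img_path),
    }


def record_step(log_path: str, case: str, step: str, **fields) -> dict:
    """Append one timestamped line to the case log and return it."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "case": case, "step": step, **fields}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def acquire_card(src_path: str, workdir: str, case: str,
                 imei_dialed: str, imei_label: str) -> dict:
    """Image the card, verify hashes, and log the IMEI cross-check from the procedure."""
    img_path = os.path.join(workdir, "memory_card.dd")
    log_path = os.path.join(workdir, "case_log.jsonl")
    imei_match = imei_dialed == imei_label
    record_step(log_path, case, "imei_check", imei_dialed=imei_dialed,
                imei_label=imei_label, match=imei_match)
    result = image_and_hash(src_path, img_path)
    record_step(log_path, case, "card_image", image=img_path, **result)
    return {"image": img_path, "log": log_path, "imei_match": imei_match, **result}


def demo(payload: bytes = None, imei_label: str = "490154203237518") -> dict:
    """Run against a constructed 'card' in a temporary directory."""
    work = tempfile.mkdtemp(prefix="mobile_forensic_")
    src = os.path.join(work, "card_device")            # stands in for a block device
    with open(src, "wb") as f:
        f.write(payload if payload is not None else os.urandom(3 * CHUNK + 12345))
    return acquire_card(src, work, case="CASE-PLACEHOLDER",
                        imei_dialed="490154203237518", imei_label=imei_label)


if __name__ == "__main__":
    print(demo())
```

Hashing the written image on a separate read, rather than trusting the digest computed while writing, is what actually verifies the copy on disk; a mismatch there or a failed IMEI match should stop the examination and be recorded before anything else is touched.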
 Mobile-related electronic evidence: MOBILE PHONE,
SIMCARD and MEMORY CARD
 One of digital forensic measures: MOBILE FORENSIC
 Mechanism of forensic data: FLASH MEMORY, EXTERNAL
MEMORY, SIM CARD, EEPROM and RAM
 Analysis methodologies: PHYSICAL and LOGICAL