Formal Education: (some)
2006: Indonesian Advanced Police College Award: The Best Graduate in Academic
2009: MSc in Forensic Informatics, University of Strathclyde, UK. Final Result: Distinction for Dissertation on Steganography Forensic
Professional Qualifications: (some)
2004: Professional Commendation on Crime Scene Management from Senior Investigator (Retired) of New York Police, US
2005: Expert Degree on Computer Forensic from Puslabfor Polri
2007: Computer Hacking Forensic Investigator (CHFI) from EC-Council, US
2008: Certified EC-Council Instructor (CEI) from EC-Council, US
2009: Professional Member (MBCS) from British Computer Society, UK
Professional Awards: (some)
2005: 8 year loyalty medal from Indonesian National Police
2008: British Chevening Scholarships Award from UK FCO
2010: Indonesian Super Six UK Alumni from British Council
2013: 16 year loyalty medal from the Republic of Indonesia
Membership/Networking: (some)
2007: EC-Council
2009: British Computer Society
2010: Interpol Asian and South Pacific Working Party on IT Crime
2012: Manager of Digital Forensic Analyst Team – Indonesia at LinkedIn
2013: Manager of ADFA (Association of Digital Forensic Analyst) at LinkedIn
Association of Certified Fraud Examiners
Experience as Instructor/Speaker: (some)
Indonesian Police Criminal Investigation Board (Bareskrim)
Indonesian Police Education Institute (Lemdikpol)
Indonesian Police Forensic Lab. Centre (Puslabfor)
President Secretary Office of the Republic of Indonesia (Sespri Presiden RI)
Indonesian General Attorney Training and Education Board (Badiklat Kejagung)
Indonesian Ministry of Communication and Information (Kemenkominfo)
Indonesian Ministry of Finance (Kemenkeu)
Indonesian Corruption Eradication Commission (KPK)
Indonesian State Intelligence Agency (BIN)
Indonesian Military Attaché in London, UK
Banks such as Mandiri Bank, CIMB Niaga Bank, OCBC NISP Bank
Universities:
- University of Strathclyde, Glasgow, UK
- University of Indonesia, Depok
- University of Islamic Indonesia, Yogyakarta
- Paramadina University, Jakarta
- Krida Wacana University, Jakarta
- Airlangga University, Surabaya
- State Islamic University, Tangerang
- Muhammadiyah University, Jember
- State Cryptography Institute, Tangerang
- State Polytechnic, Batam
United Nations Office for Drugs and Crime (UNODC)
Asian Pacific – Computer Emergency Response Team (AP-CERT)
EC-Council Indonesia
Association of Certified Fraud Examiners (ACFE), etc.
Organisation of the Forensic Lab Centre (Puslabfor):
Chief of Forensic Lab Centre
- Secretary
- Physics and Computer Forensic Dept.: Fire and Accidents; Special Detection; Computer Forensic
- Ballistic and Metallurgy Forensic Dept.: Ballistic; Metallurgy; Explosive
- Document and Counterfeit Forensic Dept.: Document; Counterfeit; Printed Product
- Chemistry and Biology Forensic Dept.: Chemistry; Biology; Toxicology
- Narcotics Forensic Dept.: Narcotics; Psychotropic; Drugs
- Forensic Lab Branches: 6
2000: Began discussing the significance of digital forensics for the examination of electronic evidence
2007-2008: Awarded EC-Council's Computer Hacking Forensic Investigator (CHFI)
2009: Awarded MSc in Forensic Informatics by the University of Strathclyde, UK
2010: DFAT (Digital Forensic Analyst Team) was founded
2011: Computer Forensic Sub-Department was founded
2014: Computer Forensic Lab. in progress for ISO 17025 accreditation
Computer Forensic Sub-Department, Indonesian Police Forensic Laboratory Centre
Number of Cases and Evidence, 2006-2013 (values as read from the bar chart)
Year | Number of Cases | Number of Evidence
2006 | 3  | 4
2007 | 3  | 6
2008 | 7  | 12
2009 | 15 | 21
2010 | 52 | 214
2011 | 60 | 422
2012 | 81 | 488
2013 | 86 | 582
Computer Forensic Sub-Department, Indonesian Police Forensic Laboratory Centre
Types of Electronic Evidence, 2013 (pie chart; share labels on the chart: 35%, 40%, 14%, 6%, 3%, 1%, 1%; categories listed below)
Handphone/Modem/Tablet
Simcard
Memory Card
PC/Laptop/External HD
CD/DVD
Flashdisk
DVR
Computer Forensic
Mobile Forensic
Audio Forensic
Video Forensic
Digital Image Forensic
Network Forensic
Mobile Networks
2G: GSM (Global System for Mobile Communications), for voice and text
2.5G: GPRS (General Packet Radio Service), for packet data at low speed, up to about 160 kbit/s
2.75G: EDGE (Enhanced Data rates for GSM Evolution), data transfer up to about 400 kbit/s
3G: 3rd Generation (UMTS), data transfer of roughly 800 kbit/s, good enough for video calls
3.5G: HSDPA (High Speed Downlink Packet Access), up to 14 Mbit/s
4G: 4th Generation (LTE), targeting 1 Gbit/s (full deployment still in progress)
Call path between two cellular operators (MO = Mobile Originating, MT = Mobile Terminating):
Caller A (MO) → ME (Mobile Equipment) → BTS tower (Base Transceiver Station) → BSC (Base Station Controller) → MSC (Mobile Switching Centre) of Cellular Operator A
→ MSC of Cellular Operator B → BSC → BTS tower → ME → Receiver B (MT)
Internet access is routed from the MSC via the SS7 network
MSC (Mobile Switching Centre):
Its main function is to switch telecommunication traffic between one or two providers, and data traffic between the provider and the SS7 network for internet access
To route calls or SMSs from MO to MT
To route internet access from/to MO
It holds the HLR (Home Location Register) database of the operator's own subscribers and the VLR (Visitor Location Register) of subscribers currently roaming in its area
It holds BTS-based subscriber location data
It holds CDRs (Call Detail Records) covering calls, SMSs, etc.
It is the point at which lawful interception is performed
Where data is held in a handset: Flash Memory, External Memory, EEPROM (Electrically Erasable Programmable Read-Only Memory), SIM (Subscriber Identity Module) card and RAM (Random Access Memory)
RAM (Random Access Memory)
Date/Time (on older handsets)
Currently running applications
EEPROM (Electrically Erasable Programmable ROM)
Date/Time (on newer handsets)
Manufacturer's data: make, model, version, etc.
IMEI (International Mobile Equipment Identity)
Operating System and Software
Flash Memory
SMS messages
Contacts
MMS messages
Incoming Calls
Dialed Calls
Missed Calls
Calendar
Tasks
Files, etc.
SIM Card
IMSI (International Mobile Subscriber Identity)
ICCID (Integrated Circuit Card ID)
Contacts
SMS messages
Dialed calls
IMSI = 3 digits of MCC (Mobile Country Code) +
2 or 3 digits of MNC (Mobile Network Code; 2 digits in Indonesia, MCC 510) + up to 10 digits of MSIN (Mobile Subscription Identification Number), 15 digits in total at most
ICCID (ITU-T E.118) = 2 digits of MII (Major Industry Identifier: 89 for telecommunications) +
1-3 digits of Country Code (62 for Indonesia) + 1-4 digits of Issuer Identifier + remaining digits for the operator's own administrative numbering, ending in a Luhn check digit
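The identifier layouts above, and the IMEI that the examination procedure later records and re-verifies, are easy to get wrong by hand. The following is an added example (not code from the presentation or the lab) that parses an IMEI, an IMSI and an ICCID into their fields, checks the Luhn check digit that both the IMEI and the ICCID carry, and decodes the nibble-swapped BCD form in which the SIM's EF_ICCID file stores the ICCID. The sample values are constructed: MCC 510 and country code 62 are Indonesia's real codes, the MNC `10`, the issuer identifier `10` and the serial digits are made up, and the two-digit country code and issuer lengths in `parse_iccid` are assumptions that fit that sample rather than a rule.

```python
"""Parse and sanity-check the identifiers recorded during a mobile examination:
IMEI (handset), IMSI (subscriber, read from the SIM) and ICCID (the SIM card itself).
Added example, not code from the presentation. Sample values are constructed:
MCC 510 and country code 62 are Indonesia's real codes; the MNC, issuer id and
serial digits are made up. IMSI/ICCID field lengths are parameters because they
vary by country and issuer (assumptions noted per function)."""


def luhn_valid(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check; the last digit is the check digit."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit Luhn-valid (used to build sample data)."""
    return next(d for d in "0123456789" if luhn_valid(payload + d))


def parse_imei(imei: str) -> dict:
    """IMEI = 8-digit TAC (Type Allocation Code) + 6-digit serial + Luhn check digit."""
    s = imei.replace(" ", "").replace("-", "")
    if len(s) != 15 or not s.isdigit():
        raise ValueError(f"IMEI must be 15 digits: {imei!r}")
    return {"tac": s[:8], "serial": s[8:14], "check": s[14], "luhn_ok": luhn_valid(s)}


def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """IMSI = 3-digit MCC + 2- or 3-digit MNC + MSIN, 15 digits at most.
    MNC length is fixed per country; Indonesia uses 2 digits, hence the default."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15 or mnc_len not in (2, 3):
        raise ValueError(f"bad IMSI or MNC length: {imsi!r}")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def parse_iccid(iccid: str, cc_len: int = 2, issuer_len: int = 2) -> dict:
    """ICCID (ITU-T E.118) = MII '89' + country code (1-3 digits) + issuer identifier
    (1-4 digits) + operator account number + Luhn check digit. The two-digit country
    code and issuer id defaults are assumptions fitting the constructed sample."""
    s = iccid.rstrip("Ff")          # odd-length ICCIDs are padded with an F nibble on the SIM
    if not s.isdigit() or not 18 <= len(s) <= 20 or not s.startswith("89"):
        raise ValueError(f"bad ICCID: {iccid!r}")
    body = s[:-1]
    return {
        "mii": body[:2],
        "country": body[2:2 + cc_len],
        "issuer": body[2 + cc_len:2 + cc_len + issuer_len],
        "account": body[2 + cc_len + issuer_len:],
        "check": s[-1],
        "luhn_ok": luhn_valid(s),
    }


def decode_ef_iccid(raw: bytes) -> str:
    """EF_ICCID on the SIM stores the ICCID as nibble-swapped BCD (low nibble first);
    this is what a raw SIM dump looks like before a tool renders it as digits."""
    digits = []
    for b in raw:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:             # F = padding for an odd number of digits
                continue
            digits.append(str(nib))
    return "".join(digits)


# Constructed samples. The IMEI is a commonly cited example value, not a real handset.
SAMPLE_IMEI = "490154203237518"
SAMPLE_IMSI = "510101234567890"                       # MCC 510 + MNC 10 + MSIN 1234567890
SAMPLE_ICCID = "8962101234567890123" + luhn_check_digit("8962101234567890123")
SAMPLE_EF_ICCID = bytes.fromhex("98260121436587092143")   # SAMPLE_ICCID, nibble-swapped

if __name__ == "__main__":
    print(parse_imei(SAMPLE_IMEI))
    print(parse_imsi(SAMPLE_IMSI))
    print(parse_iccid(SAMPLE_ICCID), decode_ef_iccid(SAMPLE_EF_ICCID))
```

A failed Luhn check on a recorded IMEI or ICCID is the quickest sign of a transcription error in the examination notes, which matters when the IMEI dialled with *#06# is later compared with the one on the label.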
MSC of Operator
MSISDN (Mobile Station International Subscriber Directory Number, i.e. the phone number)
Voice mails
CDRs (Call Detail Records): calls, SMSs, etc.
BTS-based location
HLR (Home Location Register)
VLR (Visitor Location Register)
Logs of the SS7 network
SMS Centre, etc.
Various OS: Symbian, Windows Mobile, Blackberry, Android, iOS, etc.
Applications: limited depending on the OS and make/model
Like the other branches of digital forensics, it requires an SOP (Standard Operating Procedure) so that every process is carried out properly
Connection: data cable, Bluetooth, infrared
Forensic Tools: hardware-based and software-based
Software-based Tools: (some)
Mobile Field Kit of Paraben's Device Seizure
Mobiledit Forensic
Oxygen Forensic
Physical acquisition reads the memory sector by sector; logical acquisition reads through the file system
Logical acquisition is faster than physical acquisition
Physical can retrieve anything stored in the memory, including deleted data such as deleted SMSs, calls, chats, emails, contacts, etc.
Logical can only retrieve data the file system still lists, excluding deleted data; logical is less thorough than physical
Logical reaches a wider range of the phone's databases than physical does, because it goes through the operating system's own interfaces
Physical is attempted first. If it fails, then do logical
ON condition: do not switch the handphone evidence off, leave it ON
If no forensic analyst is available, switch it off to avoid contamination; the procedure for the OFF condition then applies
Document it with forensic photography and the date/time, plus its specification such as make, model and IMEI (display the IMEI by dialling *#06#)
IMEI = mobile equipment ID number
To avoid contamination (incoming calls, SMSs, remote wipe), set up an area without radio signal using a jammer or a Faraday bag, or switch the handphone into flight mode
Prepare an analysis workstation with drivers installed and write protection in place, or prepare a portable forensic analysis device
Attach the handphone evidence to the workstation/device
If possible, do physical acquisition first; otherwise do logical
Physical acquisition/analysis can retrieve deleted data
When it finishes, switch the handphone off and pull out the battery
Verify the IMEI on the label at the back (under the battery) against the one displayed earlier
Remove the simcard, note its make and ICCID, then put it into a simcard reader
ICCID = administrative number assigned to the card by the cellular operator
Attach the reader to the workstation/device
Do physical analysis for the best results
Note the IMSI = the subscriber's authentication number
When it finishes, put the simcard and battery back into the handphone; do not switch it on
If the handphone has an external memory card, pull out the card and put it into a memory card reader
Attach the reader to the workstation
Do forensic imaging, then verify the MD5 hash of the image against the source
Search the contents of the card by mounting the image physically/logically, or do physical/logical recovery directly on the image
When it finishes, put the card back into the handphone
Report the comprehensive findings and analysis to the investigators so that they can work them into solving the case
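The memory-card steps above (image, verify the hash, then recover from the image) are shown end to end in the following added example, which is not code from the presentation or the lab. It assumes the card is presented to the workstation as a raw block device behind a write blocker (for instance /dev/sdb on Linux; that device name is an assumption), and for an offline run it stands a constructed file in for the device. It images the card in chunks while hashing, re-reads both source and image independently to verify, records SHA-256 next to the MD5 the procedure asks for, runs a minimal header/footer carve for JPEG pictures over the image (which finds pictures whether or not the file system still lists them), and finally flips one byte of the image to show that verification catches it.

```python
"""Forensic imaging of a memory card with hash verification, plus a minimal
signature search over the resulting image. Added example, not from the presentation.
Assumption: the card is exposed as a raw block device behind a hardware write blocker
(e.g. /dev/sdb on Linux); a constructed file stands in for it so this runs offline."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: good throughput, bounded memory


def image_device(src_path: str, dst_path: str) -> dict:
    """Copy src to dst bit for bit, hashing the bytes as they are read.
    Returns the size and the MD5/SHA-256 of what was read (the acquisition hash)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for buf in iter(lambda: src.read(CHUNK), b""):
            md5.update(buf)
            sha.update(buf)
            dst.write(buf)
            size += len(buf)
        dst.flush()
        os.fsync(dst.fileno())   # image must be on disk before it is hashed again
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def hash_file(path: str) -> dict:
    """Independent re-read of a file, used by the verification step."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            md5.update(buf)
            sha.update(buf)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_image(src_path: str, dst_path: str, acquisition: dict) -> bool:
    """Verified only if source re-read, image re-read and acquisition hash all agree.
    MD5 is what the procedure records; SHA-256 is kept alongside because MD5
    collisions are practical and a defence expert may raise them."""
    src_h, img_h = hash_file(src_path), hash_file(dst_path)
    return all(src_h[k] == img_h[k] == acquisition[k] for k in ("md5", "sha256"))


JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus the first segment marker byte
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(image_path: str) -> list:
    """Header/footer carving: (offset, length) of every JPEG in the raw image, listed
    in the file system or not, which is how deleted pictures come back from a physical
    image. This naive version stops at the first EOI after each SOI; a real carver
    walks the JPEG segments so an embedded thumbnail's EOI does not truncate it."""
    with open(image_path, "rb") as f:
        data = f.read()          # fine for a card-sized demo; mmap for real images
    found, pos = [], 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append((start, end + len(JPEG_EOI) - start))
        pos = end + len(JPEG_EOI)
    return found


# Constructed sample "card": zero-filled blocks with two JPEG-shaped blobs and no
# file system at all, i.e. the situation of pictures only reachable by carving.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF" + b"A" * 100 + b"\xff\xd9"   # 110 bytes


def make_sample_card(path: str) -> None:
    with open(path, "wb") as f:
        f.write(b"\x00" * 4096 + SAMPLE_JPEG + b"\x00" * 1024 + SAMPLE_JPEG + b"\x00" * 512)


def run_demo() -> dict:
    """Image the constructed card, verify, carve, then show verification catching tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        card, img = os.path.join(tmp, "card.bin"), os.path.join(tmp, "card.dd")
        make_sample_card(card)
        acq = image_device(card, img)
        verified = verify_image(card, img, acq)
        jpegs = carve_jpegs(img)
        with open(img, "r+b") as f:   # flip one byte of the image: verification must fail
            f.seek(10)
            f.write(b"\x01")
        tampered_ok = verify_image(card, img, acq)
    return {"size": acq["size"], "md5": acq["md5"], "sha256": acq["sha256"],
            "verified": verified, "jpegs": jpegs, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(run_demo())
```

Record both digests in the case notes together with the device size: a verification that passes on MD5 alone does not prove the image was not substituted, and a size mismatch is the first thing to check when the hashes differ.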
OFF condition: do not switch it ON
Take a photograph and note its make, model and IMEI
Pull the simcard out, then do physical acquisition/analysis in the same way as in the ON condition
If an external memory card is present, do the same as in the ON condition
Technical procedures are almost the same as in the ON condition. The differences:
Simcard and memory card acquisition/analysis are performed first
Finally, put the simcard and memory card back into the handphone, then switch it ON; from there the procedure is the same as in the ON condition
Mobile-related electronic evidence: MOBILE PHONE, SIMCARD and MEMORY CARD
One of the branches of digital forensics: MOBILE FORENSICS
Where forensic data is held: FLASH MEMORY, EXTERNAL MEMORY, SIM CARD, EEPROM and RAM
Analysis methodologies: PHYSICAL and LOGICAL