Formal Education - ISACA · Formal Education: (some) ... IMSI (International ... Prepare analysis...


Formal Education: (some)

2006: Indonesian Advanced Police College Award: The Best Graduate in Academic

2009: MSc in Forensic Informatics, University of Strathclyde, UK. Final Result: Distinction for Dissertation on Steganography Forensic

Professional Qualifications: (some)

2004: Professional Commendation on Crime Scene Management from Senior Investigator (Retired) of New York Police, US

2005: Expert Degree on Computer Forensic from Puslabfor Polri

2007: Computer Hacking Forensic Investigator (CHFI) from EC-Council, US

2008: Certified EC-Council Instructor (CEI) from EC-Council, US

2009: Professional Member (MBCS) from British Computer Society, UK

Professional Awards: (some)

2005: 8 year loyalty medal from Indonesian National Police

2008: British Chevening Scholarships Award from UK FCO

2010: Indonesian Super Six UK Alumni from British Council

2013: 16 year loyalty medal from the Republic of Indonesia

Membership/Networking: (some)

2007: EC-Council

2009: British Computer Society

2010: Interpol Asian and South Pacific Working Party on IT Crime

2012: Manager of Digital Forensic Analyst Team – Indonesia at LinkedIn

2013: Manager of ADFA (Association of Digital Forensic Analyst) at LinkedIn

Association of Certified Fraud Examiners

Experience as Instructor/Speaker: (some)

Indonesian Police Criminal Investigation Board (Bareskrim)

Indonesian Police Education Institute (Lemdikpol)

Indonesian Police Forensic Lab. Centre (Puslabfor)

President Secretary Office of the Republic of Indonesia (Sespri Presiden RI)

Indonesian General Attorney Training and Education Board (Badiklat Kejagung)

Indonesian Ministry of Communication and Information (Kemenkominfo)

Indonesian Ministry of Finance (Kemenkeu)

Indonesian Corruption Eradication Commission (KPK)

Indonesian State Intelligent Board (BIN)

Indonesian Military Attaché in London, UK

Banks such as Mandiri Bank, CIMB Niaga Bank, OCBC NISP Bank

Universities:

- University of Strathclyde, Glasgow, UK
- University of Indonesia, Depok
- University of Islamic Indonesia, Yogyakarta
- Paramadina University, Jakarta
- Krida Wacana University, Jakarta
- Airlangga University, Surabaya
- State Islamic University, Tangerang
- Muhammadiyah University, Jember
- State Cryptography Institute, Tangerang
- State Polytechnic, Batam

United Nations Office for Drugs and Crime (UNODC)

Asian Pacific – Computer Emergency Response Team (AP-CERT)

EC-Council Indonesia

Association of Certified Fraud Examiners (ACFE), etc.

Organisational chart of the Forensic Lab Centre (from the slide):

Chief of Forensic Lab Centre
- Secretary
- Physics and Computer Forensic Dept.: Fire and Accidents; Special Detection; Computer Forensic
- Ballistic and Metallurgy Forensic Dept.: Ballistic; Metallurgy; Explosive
- Document and Counterfeit Forensic Dept.: Document; Counterfeit; Printed Product
- Chemistry and Biology Forensic Dept.: Chemistry; Biology; Toxicology
- Narcotics Forensic Dept.: Narcotics; Psychotropic; Drugs
- Forensic Lab Branches: 6

2000: Started discussing the significance of digital forensics in supporting the examination of electronic evidence

2007-2008: Awarded EC-Council's Computer Hacking Forensic Investigator (CHFI)

2009: Awarded MSc in Forensic Informatics from the University of Strathclyde, UK

2010: DFAT (Digital Forensic Analyst Team) was founded

2011: Computer Forensic Sub-Department was founded

2014: Computer Forensic Lab. accreditation to ISO 17025 in progress

Computer Forensic Sub-Department, Indonesian Police Forensic Laboratory Centre

Number of Cases and Evidence, 2006-2013 (values read from the bar chart):

Year   Number of Cases   Number of Evidence
2006   3                 4
2007   3                 6
2008   7                 12
2009   15                21
2010   52                214
2011   60                422
2012   81                488
2013   86                582

Computer Forensic Sub-Department, Indonesian Police Forensic Laboratory Centre

Types of Electronic Evidence, 2013 (pie chart; the shares shown are 35%, 40%, 14%, 6%, 3%, 1% and 1%):

- Handphone/Modem/Tablet
- Simcard
- Memory Card
- PC/Laptop/External HD
- CD/DVD
- Flashdisk
- DVR

Computer Forensic

Mobile Forensic

Audio Forensic

Video Forensic

Digital Image Forensic

Network Forensic

Mobile Networks

2G: GSM (Global System for Mobile Communication) for voice and text

2.5G: GPRS (General Packet Radio Service) for data at low transfer speeds, 160 Kbit per second

2.75G: EDGE (Enhanced Data rates for GSM Evolution) for data transfer at 400 Kbps

3G: 3rd Generation, data transfer at 800 Kbps, good for video calls

3.5G: HSDPA (High Speed Downlink Packet Access) for 14 Mbps

4G: 4th Generation, for 1 Gbps (full implementation still in progress)

Diagram: Coverage Area of BTS (Base Transceiver Station) and the call path between two operators. Caller A as MO (Mobile Originating) → ME (Mobile Equipment) → BTS Tower (Base Transceiver Station) → BSC (Base Station Controller) → MSC (Mobile Switching Centre) of Cellular Operator A → MSC (Mobile Switching Centre) of Cellular Operator B → BSC (Base Station Controller) → BTS Tower (Base Transceiver Station) → ME (Mobile Equipment) → Receiver B as MT (Mobile Terminating). The MSC also connects to the SS7 network for Internet access.

MSC (Mobile Switching Centre): its main function is to switch telecommunication traffic within one provider or between two providers, and data traffic between the provider and the SS7 network for internet access

It routes calls and SMSs from MO to MT

It routes internet access from/to the MO

It holds the permanent HLR (Home Location Register) database and the VLR (Visitor Location Register) of roaming subscribers

It holds a database of BTS-based subscriber locations

It holds the CDR (Call Data Record) database containing calls, SMSs, etc.

It is the point at which lawful interception is performed

Flash Memory

External Memory

EEPROM (Electrically Erasable Programmable Read-Only Memory)

SIM (Subscriber Identity Module) card

RAM (Random Access Memory)

RAM (Random Access Memory)

Date/Time (mostly on older phones)

Current running applications

EEPROM (Electrically Erasable Programmable ROM)

Date/Time (on newer phones)

Manufacturer's data: make, model, version, etc.

IMEI (International Mobile Equipment Identity)

Operating System and Software

Flash Memory

SMS messages

Contacts

MMS messages

Incoming Calls

Dialed Calls

Missed Calls

Calendar

Tasks

Files, etc.

SIM Card

IMSI (International Mobile Subscriber Identity)

ICCID (Integrated Circuit Card ID)

Contacts

SMS messages

Dialed calls

IMSI = 3 digits of MCC (Mobile Country Code) + 2 digits of MNC (Mobile Network Code) + 9-10 digits of MSIN (Mobile Subscription Identification Number)

ICCID = 2 digits of MII (Major Industry Identifier: 89 for telephony) + 1-3 digits of Country Code (62 for Indonesia) + 1-4 digits of Issuer Identifier + remaining digits for the provider's administrative use

External Memory

Digital image files

Video files

Audio files

Office files

Notes, etc.

MSC of Operator

MSISDN (Mobile Station International Subscriber Directory Number)

Voice mails

CDR (Call Data Records): calls, SMSs, etc.

BTS-based location

HLR (Home Location Register)

VLR (Visitor Location Register)

Logs of SS7 network

SMS Centre, etc.

Various OS: Symbian, Windows Mobile, Blackberry, Android, iOS, etc.

Applications: limited depending on the OS and make/model

Like the other digital forensic branches, it requires an SOP (Standard Operating Procedure) so that every process is performed properly

Connection: Data Cable, Bluetooth, Infra Red

Forensic Tools: hardware-based and software-based

Hardware-based Tools (some): UFED of Cellebrite, XRY of Microsystemation, Mobile Field Kit of Paraben's Device Seizure

Software-based Tools (some): Mobiledit Forensic, Oxygen Forensic

Physical acquisition works on the sectors of the memory, while logical acquisition works on the file system

Logical acquisition is faster than physical acquisition

Physical acquisition can retrieve any information stored in the memory, including deleted data such as deleted SMSs, calls, chats, emails, contacts, etc.

Logical acquisition can only retrieve the data available in the file system, excluding deleted data. Logical is less sensitive than physical

Logical is wider than physical in the range of phone databases it can access

Physical acquisition is performed first. If it fails, then perform logical acquisition

Do not switch the handphone evidence off, leave it ON

If no forensic analyst is available, switch it off to avoid contamination. The OFF-condition procedure then applies

Document it with forensic photographs and the date/time, together with its specification such as make, model and IMEI (displayed by pressing *#06#)

IMEI = mobile equipment ID number

To avoid contamination, set up an area without radio signal using a jammer or Faraday bag, or switch the handphone into flight mode

Prepare an analysis workstation with the drivers installed and write-protection, or prepare a portable forensic analysis device

Attach the handphone evidence to the workstation/device

If possible, do physical acquisition at first, otherwise do logical

Physical acquisition/analysis can retrieve deleted data

When it finishes, switch the handphone off, then pull out the battery

Verify the IMEI on the back against the one noted previously

Take out the simcard, note its make and ICCID, then put it into a simcard reader

ICCID = administrative numbers of the cellular operator

Attach the reader to the workstation/device

Perform physical analysis for the best results

Note the IMSI = authentication numbers

When it finishes, put the simcard and battery back to the handphone, do not switch it on

If the handphone has external memory card, pull out the card, then put it in the memory card reader

Attach the reader to the workstation

Do forensic imaging, then verify the md5 hash

Search the contents of the card by mounting it physically/logically, or perform physical/logical recovery directly on the image

When it finishes, put the card back into the handphone

The comprehensive findings and analysis are confirmed with the investigators so that they can figure out how to solve the case
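The memory-card imaging and verification step of the procedure above, as an added Python example (not from the slides): the card is copied block by block while being hashed, the written image is re-hashed and compared, and the recorded digests are used to re-check the image before later analysis. MD5 is kept because the slide calls for it; SHA-256 is recorded alongside because MD5 is no longer collision resistant. A constructed random file stands in for the card device.

```python
"""Memory-card imaging with hash verification (added example, constructed data)."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB blocks, so a large card never has to fit in RAM
ALGORITHMS = ("md5", "sha256")  # md5 as on the slide, with sha256 alongside

def hash_stream(src, dst=None) -> dict:
    """Hash everything read from src in CHUNK blocks; if dst is given, write it too."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while chunk := src.read(CHUNK):
        for h in hashers.values():
            h.update(chunk)
        if dst is not None:
            dst.write(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def image_and_verify(source_path: str, image_path: str) -> dict:
    """Copy the card (device or file) byte-for-byte into image_path, re-hash the
    written image and compare it with the digests taken while reading the source."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        source = hash_stream(src, dst)
    with open(image_path, "rb") as img:
        image = hash_stream(img)
    return {"source": source, "image": image, "verified": source == image}

def verify_image(image_path: str, expected: dict) -> bool:
    """Re-check an image later (e.g. before analysis) against recorded digests."""
    with open(image_path, "rb") as img:
        return hash_stream(img) == expected

def run_demo() -> dict:
    """Image a constructed 3 MiB 'card', verify it, then flip one byte in the
    image to show that the recorded digests catch the change."""
    with tempfile.TemporaryDirectory() as work:
        card, image = os.path.join(work, "card.bin"), os.path.join(work, "card.dd")
        with open(card, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 17))  # deliberately not CHUNK-aligned
        result = image_and_verify(card, image)
        with open(image, "r+b") as fh:  # tamper with the image after verification
            fh.seek(1234)
            original = fh.read(1)
            fh.seek(1234)
            fh.write(bytes([original[0] ^ 0xFF]))
        result["tamper_detected"] = not verify_image(image, result["source"])
    return result

if __name__ == "__main__":
    print(run_demo())
```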

Do not switch it ON

Take photograph and a note about its make, model and IMEI

Pull the simcard out, then perform physical acquisition/analysis in the same way as for the ON condition

If an external memory card is present, proceed in the same way as for the ON condition

Technical procedures are almost the same as for the ON condition. The differences:

Simcard and memory card acquisition/analysis are performed first

Finally, put the simcard and memory card back into the handphone, then switch it ON. From there the procedure is the same as for the ON condition

Mobile-related electronic evidence: MOBILE PHONE, SIMCARD and MEMORY CARD

One of the digital forensic branches: MOBILE FORENSIC

Locations of forensic data: FLASH MEMORY, EXTERNAL MEMORY, SIM CARD, EEPROM and RAM

Analysis methodologies: PHYSICAL and LOGICAL