Digital Forensic on Secure Digital High Capacity using DFRWS Method

According to trial records, between 2015 and the second quarter of 2022 there were 54 cases in which secure digital high capacity (SDHC) storage hardware was presented as evidence at trial. In 2021 there was an increase in cases involving SDHC. The three case categories with the highest numbers are corruption cases, special crimes


Introduction
From 2015 to the second quarter of 2022, there were 54 cases in which secure digital high capacity (SDHC) storage hardware was presented as evidence at trial, according to the records of Supreme Court decisions presented in Figure 1. The spike occurred in 2021; classified by type, the three most frequent categories are corruption cases, special criminal cases and ITE cases [1]. One of these cases involved a defendant with the initials AUS, under decision number 43/PID.TPK/2021/PT BDG 2022. The defendant AUS committed a special crime of corruption and, as a result, faced seven years in prison and a fine of Rp. 300,000,000 (three hundred million rupiahs) [2]. The digital evidence in this case consists of the 5 files presented in Table 1, stored on the SDHC under several file extensions: three compressed files in .zip format and two database files in .ad1 format. All of these files were located on one of the confiscated items of evidence, the defendant's SDHC storage card. SDHC storage cards are hardware whose architecture, which is monolithic, is shared with other types of memory card [3]. SDHC is a further development of Secure Digital (SD) card storage hardware, which can only accommodate a capacity of up to 2 gigabytes, whereas the largest SDHC memory card capacity is 32 gigabytes [4]; because of this capability, not all devices can use SDHC. As a small, thin, high-capacity storage device [5], SDHC is a minimalist and multifunctional storage medium, as shown in Figure 2. In the AUS case, the data on the SDHC may have been deleted, moved or changed, so the data must be verified for authenticity through a digital forensic process.
Digital forensics is a scientific effort to recover and investigate material found in digital evidence [6]; it aims to provide options and recommendations to judges in order to uncover a criminal case (pro-justice) [7]. The digital forensic process needs to be carried out in measurable and structured steps, and several framework methods are commonly used, including the Digital Forensics Research Workshop (DFRWS) [8], the Association of Chief Police Officers (ACPO) [9], the National Institute of Justice (NIJ) [10], the Institute of Standards and Technology (NIST) [11] and the Digital Forensic Investigation Framework (IDFIF) V2 [12]. In general, these methods begin with steps of maintenance, validation, collection, analysis, identification, documentation, interpretation and presentation of digital evidence, so that valid evidence is obtained from the facts assembled during the investigation of the digital evidence [13].
Digital evidence is not only intended for cyber crimes but can be used for all types of crimes [14]. Digital evidence can result from the extraction or recovery of digital items, for example files, email accounts, contacts, documents, photos, videos, images, chat text and log files [15]. The results obtained from evidence analysis will vary according to the case being worked on. Digital evidence must be handled properly because it is fragile and easily altered if not treated appropriately [16]; any change to digital evidence will render it invalid in court [17]. Various platforms can be used to process evidence, one of which is Linux.
Linux is an operating system whose hierarchy and way of working differ from those of proprietary operating systems [18], but only a small amount of software is capable of running on it, because the operating system is open source and free of charge under its license [19]. Two forensic tools that can run on a Linux operating system are DC3DD, which performs acquisitions, and foremost, which performs data carving [20].
A hash, or hashing, is an algorithm for checking the originality of a file [21]. The hashing technique transforms data into another value from which the original data cannot be recovered [22]. In other words, a hash is the fingerprint of a file [23]. Every distinct file should have a different fingerprint. Hash checks for file validation are carried out after data carving on the evidence. Several types of hash are often used, including the SHA-1 and MD5 algorithms [24].
Previous literature studies on similar objects concluded that, with image carving using FTK Imager and Autopsy, files removed by Shift+Delete could still be recovered, whereas for wiped data the image carving process recovered only residual files [25].
Previous research only carried out the acquisition and analysis of evidence using paid forensic tools for proprietary operating systems without a standardized framework. In this study, digital forensics was carried out on SDHC storage media and used Linux-based or open-source forensic tools, namely foremost and dc3dd; this research uses the DFRWS framework method and the static forensic process to retrieve valid digital evidence so that it can be used as legal evidence and can be understood by investigators when solving similar crimes.
This study aims to perform digital forensic analysis on SDHC evidence using forensic applications running on Linux, namely foremost and DC3DD. This study uses the DFRWS method to retrieve evidence for legal evidence in the trial.

Research Methods
In this study, the Digital Forensics Research Workshop (DFRWS) method was chosen as the framework. The DFRWS method consists of several steps making up the digital forensic investigation process, as shown in Figure 3 (Steps of the DFRWS Method). Figure 3 describes the sequence of steps of the investigation process under the DFRWS framework that will be used to carry out the investigation. The first step is identification; in this step an in-depth examination is carried out to determine the needs of the investigation and the evidence to be handled by the investigator [26]. The second step is preservation; in this step the evidence is protected from unauthorized parties and its authenticity is ensured [27]. The next step is collection; at this step the evidence is preserved so that it can be ascertained to be genuine, because if the evidence changes it becomes invalid for submission at trial [28].
The fourth step is examination; at this step the evidence taken during collection is examined, a search is made for digital evidence that can potentially become strong evidence, and digital evidence is recovered [29]. The next step is analysis, in which the digital evidence is validated so that it can be declared valid when submitted [30]. The last step is presentation, in which the resulting information is presented in detail and informatively [31].

Case Simulation
In this study, evidence was obtained through a case simulation, not from actual events. Figure 4 shows the case simulation, which is an artificial scenario. It starts from the existence of a mafia organization in a city in Indonesia, one of whose members, Alpha, is in charge of collecting information and data on assets owned by the organization. These data on the organization's activities are stored on an SDHC storage medium. After performing his duties, Alpha hands the SDHC over to Bravo, who is in charge of maintaining the information and data. After receiving the SDHC, Bravo sorts the files using the cut process (CTRL+X) and the delete process (Delete), selecting files and moving digital evidence from the SDHC to the main computer. Investigators later found the SDHC, which was indicated as electronic evidence in the case.

Results and Discussions
Based on the case simulation described above, two methods of removing evidence will be carried out in this study, namely the cut process (CTRL+X) and the delete process (Delete).

Identification
In this step, the evidence is identified to be used as a reference in the search for digital evidence based on the case that occurred. The evidence used is a Sandisk brand SDHC with specifications presented in Table 5.

Preservation
At the preservation stage the evidence must be isolated to maintain its integrity. A process is needed to ensure the evidence is still in its original state and has not changed logically. The action taken is to move the side switch on the SDHC from the normal (writeable) position to the lock position. This puts the memory card into read-only mode, as shown in Figure 5. In read-only mode, none of the data on the SDHC can be added, deleted or changed. This action is taken so that the forensic imaging performed in the collection step does not make changes to the SDHC while mirroring it.

Collection
The third step is the examination and collection of digital evidence. Investigators are required to perform physical imaging, or a backup, of the evidence; this process is also known as acquisition. The acquisition tool used in this study is DC3DD, which runs on Linux operating systems and produces an output file in .dd format. Figure 5 shows DC3DD performing the acquisition; in this case DC3DD imaged at a speed of 15 Megabits per second, with the hash-on-the-fly feature enabled using the md5 algorithm, and generated a log file named "dc3dd laporan". After the acquisition completes, DC3DD produces a report on the results of acquiring the evidence. To prove that the evidence is original/valid, the hash of the media must match the hash of the image acquired with DC3DD. As shown in Figure 7, the hash generated by the DC3DD acquisition process is the same as the hash generated by the md5sum command run on the digital evidence in the Linux terminal, which proves that the imaging of the evidence is valid. Based on Figure 7, DC3DD started imaging at 13:57 and finished at 14:32, so DC3DD completed the image acquisition in 35 minutes and 16 seconds for a size of 31,910,789,120 bytes.

Examination
In the data carving process, a search is made for the files deleted from and moved off the SDHC as planned in the case simulation. In this step the validated copy of the image is searched using the foremost software tool; this process is called data carving. For every data carving run, foremost writes a report summary file named "audit.txt". The report on the results of the foremost data carving process is presented in Figure 8; it shows the version used for carving, namely foremost 1.5.7. In Figure 8, foremost starts data carving at 15:22:14, and in Figure 9 the finishing time for foremost is 15:36:19; based on this, foremost takes 14 minutes and 5 seconds for an image file of 29 Gigabytes.
Jurnal RESTI (Rekayasa Sistem dan Teknologi Informasi) Vol.

Analysis
In the analysis step, the hash value of each file successfully recovered by foremost after data carving is validated. Table 6 presents the results of hash-string validation for the group of files that went through the delete process: 8 files could be recovered by foremost, but 3 of them do not have the same hash value as the original file and are therefore declared invalid or manipulated; the remaining 7 files could not be found. Table 7 presents the results of hash-string validation for the group of files that went through the move process (Ctrl+X): 9 files could be recovered by foremost, but 5 of them do not have the same hash value as the original file and are therefore declared invalid or manipulated; the remaining 6 files could not be found.

Table 6. Hash validation of files that went through the delete process
File          Result
exe (1)       Not Found (Null)
exe (2)       Invalid
exe (3)       Invalid
image (1)     Valid
image (2)     Valid
image (3)     Valid
pdf (1)       Not Found (Null)
pdf (2)       Invalid
pdf (3)       Valid
video (1)     Not Found (Null)
video (2)     Not Found (Null)
video (3)     Not Found (Null)
winrar (1)    Not Found (Null)
winrar (2)    Valid
winrar (3)    Not Found (Null)
word (1)      Valid
word (2)      Valid
word (3)      Valid

Table 7. Hash validation of files that went through the move process (Ctrl+X)
File          Result
exe (4)       Not Found (Null)
exe (5)       Invalid
exe (6)       Invalid
image (4)     Invalid
image (5)     Invalid
image (6)     Invalid
pdf (4)       Valid
pdf (5)       Not Found (Null)
pdf (6)       Not Found (Null)
video (4)     Not Found (Null)
video (5)     Not Found (Null)
video (6)     Not Found (Null)
winrar (4)    Valid
winrar (5)    Valid
winrar (6)    Valid
word (4)      Valid
word (5)      Valid
word (6)      Valid
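As an added example (not the paper's own code), the following Python script performs the two hash checks described in the Collection and Analysis steps: it verifies that the MD5 of an acquired image equals that of the source media, then classifies each original file against a foremost-style output tree as Valid, Invalid or Not Found (Null) and computes the recovery and validity percentages of the kind reported in the Conclusion. The media, image and files are constructed sample data written to a temporary directory, and the rule that a carved file with the same extension and size but a different hash counts as Invalid is our assumption, not the paper's.

```python
import hashlib, tempfile
from pathlib import Path

def file_hash(path, algo="md5", chunk=1 << 20):
    h = hashlib.new(algo)  # streamed, so a 29 GB .dd image never has to fit in memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(media, image, algo="md5"):
    # Collection step: the image is valid only if its hash equals the hash of the media.
    return file_hash(media, algo) == file_hash(image, algo)

def validate_carved(originals, carved_dir):
    # Analysis step: classify each original (name -> Path) as Valid, Invalid or Not Found.
    # Assumption: a carved file with the same extension and size but a different hash is Invalid.
    carved = [(p.suffix.lower(), p.stat().st_size, file_hash(p))
              for p in Path(carved_dir).rglob("*") if p.is_file()]
    statuses = {}
    for name, path in originals.items():
        ext, size, digest = path.suffix.lower(), path.stat().st_size, file_hash(path)
        if any(d == digest for _, _, d in carved):
            statuses[name] = "Valid"
        elif any(e == ext and s == size for e, s, _ in carved):
            statuses[name] = "Invalid"
        else:
            statuses[name] = "Not Found (Null)"
    return statuses

def summarize(statuses):
    # Recovery and validity rates as whole-number percentages, as Table 8 reports them.
    total, vals = len(statuses), list(statuses.values())
    recovered, valid = total - vals.count("Not Found (Null)"), vals.count("Valid")
    return {"recovered_pct": round(100 * recovered / total), "valid_pct": round(100 * valid / total)}

def demo(root=None):
    # Constructed sample data: SDHC stand-in, its image, three originals, foremost-style output tree.
    root = Path(root or tempfile.mkdtemp())
    jpg, pdf = b"\xff\xd8" + b"A" * 100, b"%PDF-1.4 " + b"B" * 50
    samples = {"foto.jpg": jpg, "laporan.pdf": pdf, "video.mp4": b"C" * 80,
               "sdhc.bin": b"\x00" * 4096, "sdhc.dd": b"\x00" * 4096,
               "carved/jpg/00000001.jpg": jpg,              # exact copy -> Valid
               "carved/pdf/00000002.pdf": pdf[:-1] + b"X"}  # same size, altered -> Invalid
    for rel, data in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    originals = {n: root / n for n in ("foto.jpg", "laporan.pdf", "video.mp4")}
    statuses = validate_carved(originals, root / "carved")
    return verify_image(root / "sdhc.bin", root / "sdhc.dd"), statuses, summarize(statuses)
```

Calling demo() returns the image verification result, the per-file status table and the percentages; with real evidence, pass the device image and the foremost output directory instead of the constructed sample.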

Presentation
Based on the summary of the validation results presented in Table 8, of the 30 files with different extensions extracted from the evidence image file, 23 were detected by foremost. Among the detected files, files with the .exe extension were recovered by foremost in the smallest number, and files with the .JPG extension in the largest number.

Conclusion
Based on the research conducted, 77% of the files could be recovered at the examination stage using foremost, but only 50% of the files have a valid hash string. There is a difference in the number of successful recoveries between the delete and move (Ctrl+X) processes: deleted files could be restored by foremost with a 73% success rate, while for moved files (Ctrl+X) the recovery success rate was 80%; the proportion of valid files after the deletion process (Delete) is 53%, and after the move process (Ctrl+X) it is 47%. Therefore, it can be concluded that the results of DC3DD and foremost processing in this study can be used as valid evidence.