Jurnal Informatika Universitas Pamulang
Penerbit: Program Studi Teknik Informatika Universitas Pamulang
Vol. No. September 2020
ISSN: 2541-1004, e-ISSN: 2622-4615
32493/informatika.

Signature File Analysis Using the National Institute Standard Technology Method Based on Digital Forensic Concepts

Randi Rizal1, Ruuhwan2, Septian Chandra3
Teknik Informatika, Fakultas Teknik, Universitas Perjuangan Tasikmalaya
Jl. Pembela Tanah Air (PETA) No. 177 Kahuripan, Kec. Tawang, Kota Tasikmalaya, Jawa Barat, Indonesia, 46115
e-mail: 1randirizal@unper.id, 2ruuhwan@unper.id, 3septian@gmail.

Submitted Date: July 08th, 2020
Revised Date: September 27th, 2020
Reviewed Date: September 22nd, 2020
Accepted Date: September 30th, 2020

Abstract

The number of crimes committed by exploiting advances in information technology, such as information leakage, embezzlement of money in banks, credit card fraud, pornography, terrorism, drug trafficking and many more, is inevitably tied to digital data. File signatures, or magic numbers, are one of the forensic science techniques that assist in processing this digital data. The method used in this research is the National Institute Standards Technology (NIST) method, applied to analyze the authenticity of digital data, together with a method of proof for obtaining valid evidence during the identification of data or file content. The research is presented as an analysis of the use of file signatures in an investigation to determine file types in a case of leaked information at company xyz; the research stages follow laboratory evidence-handling procedures. After a series of case investigations, the file signature technique was successfully applied using the Access Data FTK Imager application version 4.0 and WinHex version 18.6.
File signatures can be used in case investigations to identify and verify file types, so that files that have been modified can be restored and read by the operating system: the file type is checked through the hexadecimal values in the file header (file prefix), which characterize each file type, so that the file type can be determined and the file can be read by the operating system.

Keywords: digital evidence, digital forensics, signature file, investigation process

Introduction

Advances in technology not only provide conveniences but can also have negative impacts, such as advances in crime, since crime is closely tied to the development of human life and civilization, especially in terms of technology (Maslin, Consultant, & Ltd.). Many crimes are also carried out by exploiting advances in information technology, such as information leakage, embezzlement of money in banks, credit card fraud, pornography, terrorism, drug trafficking and many more (Europol, 2.), (Ramadani et al., 2.), (Khan, Nasir, Ali, & Farooq, 2.). The issue of data validity is also very important for protection, in addition to the issue of confidentiality, because if the receiver accepts false data there will be divergent interpretations, resulting in confusion and failure on both sides. One technique used is the digital signature, so that the recipient is sure that the obtained data is not fake. This technique prevents the receiver from using fake data. Any data received has a signature that always differs from that of other data, so even a small change causes the signature to change (Noroozi, Daud, & Sabouhi, 2.). An expert in the field of forensics will inevitably deal with digital data; the file signature or magic number is one of the digital forensic techniques that help in processing such data (Sitompul, Handoko, & Rahmat, 2.).

http://openjournal.id/index.php/informatika
In Tony Sammes's book "Forensic Computing", a magic number is defined as a code in the form of hexadecimal numbers, usually located at the beginning of a file, that determines the format of a data file. When we open a file using certain software, for example Sony Vegas, the software first reads the magic number of the file being opened; if it matches, the file is processed. This aims to avoid errors when opening files that are very large in size. A magic number is only a few bytes in size (Sammes & Jenkinson, 2.). A study by (Nugis, 2.) stated that the file signature or magic number is closely related to forensic experts, who use digital data as one method of investigation, while the file signature itself is one of the forensic science techniques that can help in the field; the file signature is used when identifying data or file contents. The file signature is one technique that can be used to maintain the authenticity of data, so that the recipient has a guarantee for knowing whether the received data is authentic or fake (Harran, Farrelly, & Curran). The way to prove this and obtain valid evidence is to conduct an investigation using the Digital Forensic Examination Procedure approach (Ruuhwan, Riadi, & Prayudi, 2.), (Du, Le-Khac, & Scanlon, 2.). Digital evidence in the form of a USB flash disk undergoes a forensic imaging process to produce an image file, so that the digital evidence can be analyzed and examined from the image while the original digital evidence is stored and secured in its place. Based on the background presented above, this study discusses the analysis of file signatures using the National Institute of Standards Technology method.
It analyzes the authenticity of digital data and the method of proof for obtaining valid evidence during the identification of data or file content.

System Design

The methods used vary, including the National Institute of Standards Technology (NIST) method as in (Riadi, Yudhana, & Putra, 2.) and the National Institute of Justice (NIJ) method in (Yudhana, Riadi, & Anshori, 2.), whose research explains the digital evidence analysis of Facebook Messenger. The NIST method process is the approach used to evaluate digital evidence, or the stages for obtaining information from digital evidence. Once data is collected and examined, the first transformation happens: data is extracted from the media and transformed into a format that can be interpreted by forensic tools. Second, through analysis, the data is transformed into information. Finally, information is transformed into evidence by translating knowledge into practice, using the information produced by the analysis during the reporting process in one or more ways. The research method used in solving the case is the National Institute of Standards Technology (NIST) method. The NIST method is used to perform analysis of digital evidence and as the stages for obtaining information from digital evidence, consisting of 4 stages as in Fig. 1 (Umar, Riadi, & Muthohirin, 2.).

Fig. 1 Stages of the NIST Method

Based on Fig. 1, the forensic analysis stages can be explained as follows:
Collection is in charge of collecting evidence in the form of digital evidence.
Examination is the processing of the collected data using a combination of forensic tools in various scenarios, both automatic and manual, as well as assessing and extracting data according to need while maintaining data integrity.
Analysis is the analysis of the examination results using justified and legal techniques.
Reporting is the reporting of the analysis results, including a description of the actions taken.

The way to prove and obtain valid evidence is to carry out an investigation using the Digital Forensic Examination Procedure approach. The software specifications used for the file signature analysis process are presented in Table 1.

Table 1 Software Specification
Software                 Version
Access Data FTK Imager   4.0
WinHex                   18.6

Besides software, the hardware requirements for research into the file signature analysis process use the specifications presented in Table 2. These hardware requirements are essential in carrying out the digital investigation process.

Table 2 Hardware Specification
Item          Description
PC (Client)   CPU: AMD Ryzen 3 1200; Memory: 6 GB; OS: Windows 10; Display: 1080 x 1920 pixels
Flashdisk     V-GEN; Memory: 16 Gigabyte; Number: AA00000000000489

Result and Analysis

The research we have done has produced the following results. The evidence on the USB flash disk was acquired using the Access Data FTK Imager forensic software application. There are four main stages performed in the experiments in this study, namely Collection, Examination, Analysis and Reporting.

Collection

In the Collection process, digital evidence in the form of a USB flash disk undergoes a forensic imaging process to produce an image file, so that the digital evidence can be analyzed from the image while the original digital evidence is stored and secured in its place. The forensic imaging process uses the Access Data FTK Imager application version 4.0.

Fig. 3 Forensic Imaging Process

Fig. 3 shows the forensic imaging process using the Access Data FTK Imager application version 4.0 to obtain the image file that is used in the Examination stage. Once the forensic imaging process has completed and produced an image file, the next step is the examination of the MD5 and SHA1 hash values of the evidence (the storage medium) against the forensic imaging result (the image file). If the two values are the same, the forensic imaging process was successful. The hashing process using the FTK Imager application version 4.0 can be seen in Fig. 3, which shows the hashing process running successfully and verified.

Fig. 2 Evidence of a USB Flashdisk

Fig. 2 is the electronic evidence in the form of a USB flash disk left behind by a criminal before running away. The USB flash disk is a V-GEN with a capacity of 16 gigabytes and number AA00000000000489.

Fig. 4 Forensic Imaging Results

Examination

The Examination process is carried out comprehensively on the files with the intent of obtaining digital data for the investigation process. The data sought is data relating to the data leakage of company xyz. This search uses the Access Data FTK Imager application version 4.0 and the WinHex application version 18.6. The Examination carried out with these two applications uses manual browsing techniques, checking the file type of the contents of the digital evidence through the hexadecimal values that indicate the file type. This hexadecimal value is often referred to as the "file signature" or "magic number". The file signature is used to verify the authenticity of the file. The file signature is a set of hexadecimal characters at the beginning and the end of the file that forms a characteristic of each file type. If one of the hexadecimal letters or numbers has changed, the contents of the file have changed or have been modified.

The following are the results of the examination of the contents of the digital evidence.

Fig. 5 Examination Image File Results

In the examination of the image file using the Access Data FTK Imager application version 4.0, seen in Fig. 3, there are four files: three with the docx extension, with file names Backpacker Tasikmalaya.docx, product.docx and report.docx, and one file with the .jpg extension, Prewed.jpg. From the Examination results it can be seen that one file was deleted by the perpetrator, namely the file named Backpacker Tasikmalaya.docx. The processing of the data file in the Access Data FTK Imager application version 4.0 automatically recovers the deleted file, so the file named Backpacker Tasikmalaya.docx can be accessed easily by the operating system. The image file created in the Access Data FTK Imager application version 4.0 is then exported using the export file menu of the same application, so that each file can be checked with the WinHex application version 18.6 to see the file signature of each file from the duplicated (forensically imaged) digital evidence. The export file display can be seen in Fig. 6.

Fig. 6 Process of Export File

The examination process tests the Backpacker Tasikmalaya file using the WinHex application version 18.6.

Fig. 7 Examination file results Backpacker Tasikmalaya

Fig. 7 shows the result of examining the Backpacker Tasikmalaya.docx file with the WinHex application version 18.6 after it was exported with the Access Data FTK Imager application version 4.0: the Backpacker Tasikmalaya.docx file begins with 50 4B 03 04 14 00 06 00.
Analysis

The analysis process is carried out in depth, in detail and comprehensively on the files obtained from the Examination process. Once the data has become digital evidence that supports the investigation, it is analyzed by looking at the metadata (information within information) of each supporting file, in order to obtain 4W1H data (Who, When, Where, Why and How) regarding the case of leaked information at company xyz.

Fig. 8 Metadata file Backpacker Tasikmalaya

Fig. 8 is the metadata view of the Backpacker Tasikmalaya.docx file. It can be seen from the created and modified information that the data has changed. Based on the metadata of each file, the digital evidence found has undergone a change, indicated by the created and modified information. For digital evidence that has undergone a change or modification, the modified field indicates the time when the data was last modified by the perpetrator. The modification data is then given to the investigator for further investigation of the perpetrators. The results of the analysis show that the perpetrators changed the file extension and injected the file to hide digital evidence. The following results of the analysis provide information in support of the case investigation in the form of the contents of files from the digital evidence:

Fig. 9 Content of file Backpacker

Fig. 9 shows the contents of the Backpacker.docx file that was automatically recovered during the file export in the Access Data FTK Imager application version 4.0; the Backpacker.docx file is a document explaining the delivery of company xyz information to workers of a competing company.

Reporting

Digital evidence obtained in the Collection process, the Examination process and the Analysis yielded data in accordance with the needs of the investigation. The evidence analyzed is a V-GEN USB flash disk with a size of sixteen gigabytes and number AA00000000000489, which contains 4 files, namely Backpacker, Product, Report.xlsx and Prewed. The following are the results of the Examination of the contents of the digital evidence after the forensic imaging process and file export, using the WinHex application version 18.6, shown in Table 3.

Table 3 File Name and File Signature of the Digital Evidence
File Name    Extension   File Signature
Backpacker   docx        50 4B 03 04 14 00
Product      docx        FF D8 FF E0 00 10 4A 46
Report       docx        50 4B 03 04 14 00
Prewed       jpg         FF D8 FF E0 00 10 4A 46 49 46 00

From the Examination process, two files were found that cannot be opened by the existing operating system. The file signatures of the two files have been changed: there is a difference between the hexadecimal value, which indicates the actual file type, and the extension listed. The perpetrator changed the essence of the two files so that the files appear corrupt. After Examination of the file signatures it turns out that the file called report.docx is actually an xlsx file and the file named product.docx is actually a .jpg file. The file extensions with the correct file signature data are shown in Table 4.

Table 4 File Name and Correct File Signature of the Digital Evidence
File Name    Extension   File Signature
Backpacker   docx        50 4B 03 04 14 00
Product      jpg         FF D8 FF E0 00 10 4A 46
Report       xlsx        50 4B 03 04 14 00
Prewed       jpg         FF D8 FF E0 00 10 4A 46 49 46 00
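The extension-versus-signature check of Tables 3 and 4, as an added Python example that is not the paper's own tooling: it reads the header bytes and, because .docx and .xlsx share the 50 4B 03 04 ZIP signature, refines a ZIP match by the OOXML part names inside the archive. The sample files and their names are constructed to mirror Table 3.

```python
import io
import zipfile

# Header signatures from the paper's Tables 3 and 4: JPEG/JFIF and the ZIP
# container used by OOXML. docx and xlsx share 50 4B 03 04, so a ZIP hit
# must be refined by looking at the archive's part names.
SIGNATURES = {
    "jpg": bytes.fromhex("FFD8FFE0"),   # FF D8 FF E0 .. 4A 46 49 46 (JFIF)
    "zip": bytes.fromhex("504B0304"),   # 50 4B 03 04, also docx / xlsx
}

def detect_type(data: bytes) -> str:
    """Return the real type of a file from its header bytes, refining a ZIP
    signature into docx/xlsx by the OOXML part names inside the archive."""
    if data.startswith(SIGNATURES["jpg"]):
        return "jpg"
    if data.startswith(SIGNATURES["zip"]):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip (truncated or corrupt)"
        if "word/document.xml" in names:
            return "docx"
        if "xl/workbook.xml" in names:
            return "xlsx"
        return "zip"
    return "unknown"

def check_extension(filename: str, data: bytes) -> dict:
    """Compare the extension claimed by the name with the signature-derived type."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = detect_type(data)
    return {"file": filename, "claimed": claimed, "actual": actual,
            "mismatch": claimed != actual}

def make_ooxml(main_part: str) -> bytes:
    """Constructed minimal OOXML-style ZIP for the example (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(main_part, "<root/>")
    return buf.getvalue()

# Constructed sample evidence mirroring Table 3: the names the perpetrator
# left versus the bytes actually inside each file.
SAMPLE_FILES = {
    "Backpacker Tasikmalaya.docx": make_ooxml("word/document.xml"),
    "product.docx": bytes.fromhex("FFD8FFE000104A46494600") + b"\x01" * 16,
    "report.docx": make_ooxml("xl/workbook.xml"),
    "Prewed.jpg": bytes.fromhex("FFD8FFE000104A46494600") + b"\x02" * 16,
}

def examine(files: dict) -> list:
    """Run the extension check over every file, as in the Examination stage."""
    return [check_extension(name, data) for name, data in files.items()]

if __name__ == "__main__":
    for r in examine(SAMPLE_FILES):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f'{r["file"]:30} claimed={r["claimed"]:5} actual={r["actual"]:5} {flag}')
```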
After the Examination of the file signatures, an Examination hash is performed on each file to create a hash and identify the authenticity of the file using the Access Data FTK Imager application version 4.0. Hash processing is very important in the process of identifying the authenticity of digital evidence.

Table 5 Hash Analysis
File Execution        MD5 Hash Result Compared with Original File
Rename                Fixed
Change Extension      Fixed
Save As               Different
Change Content File   Different

Judging from the hash analysis in Table 5, the MD5 hash of a file that has been renamed, or whose extension has been changed, is the same as that of the original file. The hash value of a file executed by Save As differs from the original file because the application automatically changes contents such as author, date modified, revision number and others. The hash value of a file whose contents have been changed differs from the original file because the contents are changed, so the hash value changes. The conclusion from the hash analysis is that the MD5 hash of a file executed in a way that does not change its contents does not change, and the MD5 hash of a file executed by changing the contents of the original file does change.

Table 6 Hash Process Results
File Name    Ext.   MD5 Hash
Backpacker
Product
Report
Prewed

The result of the hash process shows that the Product.jpg and Prewed.jpg files are the same files as the company's sensitive files. From the Examination of the digital evidence there are five files, namely Backpacker Tasikmalaya, xlsx and prewed.jpg, and a hypothesis about the case can be formulated, namely that company sensitive information data is contained in one of the files with the names product.jpg and report.xlsx.
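The imaging verification (matching MD5 and SHA1 of medium and image) and the Table 5 operations, as an added Python example that is not from the paper: file names and contents are constructed, the "image" is a byte-for-byte copy, and Save As is not simulated because its effect depends on the editing application.

```python
import hashlib
import os
import tempfile

def file_hashes(path: str) -> dict:
    """MD5 and SHA1 of a file, read in chunks as imaging tools do for large media."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_image(source: str, image: str) -> bool:
    """Imaging succeeded only if both digests of source and image agree."""
    return file_hashes(source) == file_hashes(image)

def hash_after_operations(workdir: str) -> dict:
    """Reproduce Table 5: MD5 after rename, extension change and content
    change, each compared with the original file's MD5."""
    original = os.path.join(workdir, "report.xlsx")
    with open(original, "wb") as f:
        f.write(b"PK\x03\x04" + b"constructed workbook bytes")  # constructed sample
    base = file_hashes(original)["md5"]
    results = {}

    renamed = os.path.join(workdir, "product.xlsx")          # rename only
    os.rename(original, renamed)
    results["rename"] = "Fixed" if file_hashes(renamed)["md5"] == base else "Different"

    relabelled = os.path.join(workdir, "product.docx")       # extension changed
    os.rename(renamed, relabelled)
    results["change_extension"] = "Fixed" if file_hashes(relabelled)["md5"] == base else "Different"

    with open(relabelled, "ab") as f:                        # content changed
        f.write(b" leaked line")
    results["change_content"] = "Fixed" if file_hashes(relabelled)["md5"] == base else "Different"
    return results

def run_demo() -> dict:
    """Constructed medium and image in a temp dir, then the Table 5 operations."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")     # stands in for the USB medium
        img = os.path.join(d, "evidence.dd")      # raw image of that medium
        with open(src, "wb") as f:
            f.write(os.urandom(4096))
        with open(src, "rb") as s, open(img, "wb") as f:
            f.write(s.read())                     # byte-for-byte copy, as imaging should be
        ops = hash_after_operations(d)
        ops["image_verified"] = verify_image(src, img)
        return ops

if __name__ == "__main__":
    print(run_demo())
```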
Conclusion

Based on the research conducted, using the Access Data FTK Imager application version 4.0 and the WinHex application version 18.6, file signature analysis has been successfully carried out in the digital forensic process by looking at the hexadecimal character set in the file header, so that a file whose extension has been changed can be restored. The file signature plays a very important role in the digital forensic process to identify and verify file types, so that files that have been changed can be returned to their original extension and can be read by the operating system used by the forensic investigator. The results of the hash analysis conducted in this study show that the hash value is different if the file has been executed by Save As or by changing the contents of the file, and the hash value is the same as the original file after the file has been executed by Rename or by changing the file extension.

References