Cyber Crime and IT Forensics – The Edison Chen Story
Ir Dr. K.P. Chow
Computer Forensics Research Group, Center for Information Security and Cryptography, University of Hong Kong
August 2010

Agenda
A practitioner approach to introduce cyber crime and IT forensics
–Internet investigation
–Digital forensics
Our research roadmap

A practitioner approach to introduce cyber crime and IT forensics

Key topics in cyber crime and forensics
–Internet investigation
–Digital forensics
Any interesting case? The Edison Chen photo scandal. Let's travel back to 27 Jan 2008.
Who is Edison Chen? Who else? Who is he?

The story begins in Jan 2008
Jan 27 evening: 1 photo of Edison and Gillian is posted in discussion forums in Hong Kong
Jan 28 afternoon: 1 photo of Edison and Bobo is posted in many forums; Edison and Gillian announce that the photos are hoaxes
Jan 29: 5 photos of Gillian and 2 photos of Cecilia are posted
Jan 30: 4 photos of Cecilia are posted

What are the forensics questions?
–Are the photos real or hoaxes?
–Who posted the photos on the forums?

Are the photos real?
Factors to be considered:
–Lighting
–Eyes and positions
–Specular highlights
–Send in the clones
–Camera fingerprints
Forensic photography: not our current research focus
Who posted the photos on the forums?
[Diagram: user YT Chung, IP address A; Forum A in HK; Forum B outside HK; photos downloaded; photos uploaded to a forum outside HK; photos of G and C; photos of G]
On Jan 31, the first person, YT Chung, is arrested for the case

Investigation techniques
Tracing using the IP address
–Most forums keep the IP addresses of users who create the posts
–Most ISPs keep records of the assignment of IP addresses to their subscribers
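The two record sets named above only become an attribution when they are joined on IP address and time, and the join is where investigations go wrong: the forum and the ISP rarely log in the same time zone, and a post near a lease boundary can land on the wrong subscriber if either clock drifts. The following is an added example written for this page, not code from the presentation or the research group; the forum posts, the lease records, the account identifiers and the five-minute skew window are all constructed, and the assumption that the forum stores naive Hong Kong local time is stated in the code.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from the case): the forum stores local
# Hong Kong time (UTC+8) without a zone marker; the ISP lease log is in UTC.
HKT = timezone(timedelta(hours=8))

FORUM_POSTS = [
    # (post id, timestamp as stored by the forum, posting IP address)
    ("p1001", "2008-01-27 21:14:03", "203.0.113.45"),
    ("p1002", "2008-01-28 15:02:17", "203.0.113.45"),
    ("p1003", "2008-01-28 15:40:00", "198.51.100.9"),
    ("p1004", "2008-01-28 07:57:30", "203.0.113.45"),  # 90 s before a lease change
]

ISP_LEASES = [
    # (IP address, lease start UTC, lease end UTC, subscriber account)
    ("203.0.113.45", "2008-01-27T10:00:00Z", "2008-01-27T23:59:00Z", "acct-A"),
    ("203.0.113.45", "2008-01-27T23:59:00Z", "2008-01-29T00:00:00Z", "acct-B"),
    ("198.51.100.9", "2008-01-28T00:00:00Z", "2008-01-29T00:00:00Z", "acct-C"),
]


def forum_time_to_utc(stamp, forum_tz=HKT):
    """Interpret a naive forum timestamp in the forum's zone and convert it to UTC."""
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=forum_tz).astimezone(timezone.utc)


def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def attribute_posts(posts, leases, forum_tz=HKT, skew=timedelta(minutes=5)):
    """Map each post to the subscriber account that held its IP at posting time.

    A post is flagged ambiguous when no single lease covers it, or when the
    posting time lies within `skew` of a lease boundary for that IP: clock
    drift between forum and ISP could then move it onto another account.
    """
    parsed = [(ip, parse_utc(start), parse_utc(end), acct) for ip, start, end, acct in leases]
    result = {}
    for post_id, stamp, ip in posts:
        t = forum_time_to_utc(stamp, forum_tz)
        accounts = [acct for lip, start, end, acct in parsed if lip == ip and start <= t < end]
        near_boundary = any(
            lip == ip and (abs(t - start) <= skew or abs(t - end) <= skew)
            for lip, start, end, _ in parsed
        )
        result[post_id] = {
            "posted_utc": t.isoformat(),
            "accounts": accounts,
            "ambiguous": near_boundary or len(accounts) != 1,
        }
    return result


if __name__ == "__main__":
    for post_id, info in attribute_posts(FORUM_POSTS, ISP_LEASES).items():
        print(post_id, info)
```

Post p1004 is the case to watch: it resolves to acct-A, but only 90 seconds before the address was reassigned, so the record alone should not carry the attribution without corroborating evidence from the suspect's machine.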
Forensics techniques
Digital evidence in the suspect's PC

The Law
What was the criminal act?
–Violates the Control of Obscene and Indecent Articles Ordinance in Hong Kong: publishing obscene articles

Limitations
Cross jurisdiction: requires support from other countries

Difficulties
Who was using the computer?
–Fingerprint vs. IP address
[Diagram: user YT Chung; photos downloaded; "Who am I?"]

The story continues
Feb 2: 4 men and 2 women are arrested, all from the computer repair shop Elite
–1 hoax photo of Cecilia was posted
Feb 4: HC Sze is arrested
Feb 5: 4 more obscene photos are posted, involving Gillian, Cecilia, BoBo and Rachel
Feb 6: 209 photos are posted by Kira
Feb 9: another 237 photos are posted by Kira again, involving Gillian, Cecilia, BoBo and Vincy

What are the forensics questions?
How was the computer repair shop Elite located?
–Traditional investigation technique
What was the charge against HC Sze?
–HC Sze was charged with access to a computer with criminal or dishonest intent
–Why him?
Who is Kira?
–HC Sze? Not sure
Some events
Date (2008)      Event
Jan 29           Photos of Edison and celebrities available on the Internet
Feb 1            Mak's CD was seized
Feb 2 6:55am     Janet's CD (with X mark) and PCs at home were seized
Feb 2 7:45pm     Sze was arrested
Feb 2 10:10pm    Sze's home PCs were seized
Feb 3            Tse's home PC was seized (nothing relevant was found)
Feb 16           Yip's home PC was seized (Edison's photos from the Internet were found)
Feb 18           Chan's home PC was seized (nothing relevant was found)
Feb 21           Edison's home PCs were seized
Feb 27           Store's PC was seized
Feb 28           Elite's server was seized
Elite Computer Shop / Store
[Relationship diagram: Janet (PW2), Fanny (PW1), Chung (PW5), Mr Wong (PW6, Edison's driver), Edison, Mak; Power Mac G5 Duo, MacBook Pro, CD X, Mak's CD; links labelled purchase, computer service, employee, supervisor, belongs, give to, loan / return]
Who were Mak and Janet?

Elite: The Beginning
Edison's MacBook Pro was brought to Elite for service
[Diagram: MacBook Pro (hard disk inside) belongs to Edison; brought in for service by Wong (PW6), Edison's driver; Tse]

Elite: Service day to +4 days
Photos inside the MacBook Pro were found
[Diagram: hard disk inside the MacBook Pro; folder "Lifestyle"; backed up to an external hard disk; profile; viewed together by Yip and Chan; deleted 3-4 days afterwards; Sze informed; boss and employees]
When, where and how were the photos found?

Elite: 8 June 2008
Sze performed computer service at the Store
[Diagram: Power Mac G5 Duo at the Store; some server (unknown), service logon / password; Janet downloads a folder to the Power Mac G5; burned to CD X; photos viewed; Fanny; Mak's CD, give to, loan / return]
How did the photos get to the store?
For the court
The story: crime scene reconstruction
–Witness statements
–Evidence

Digital Evidence
[Diagram: CD X (P4); Internet; MacBook Pro hard disk; 600 photos, identical; CD from Mok; server (shared password); 239 photos, created …:54 or …:54; PC (P5) contained "Pictures from Feb 6.zip"; partition … edison/Desktop/the others 4.0/Pictures from Feb 6.zip; "Not the same"; Yip]
Where is the source?

Witness statement

Crime Scene Reconstruction
[Diagram: external hard disk, folder "Lifestyles"; Yip, Tse, Chan, Sze (knowledge); make copy; upload to server (Sze's home server, Elite server, other server); download folder; create CD X on the Power Mac G5]
3 charges of access to a computer with criminal or dishonest intent:
1. Witness statements: Mak and Janet (charge 1)
2. Digital evidence: CD X (charge 2)
3. Digital crime scene reconstruction (charge 3)
Questions about the digital evidence
Who created the CD marked X, and when?
–2 interpretations of the folder creation date/time on the CD
–How long would it take to download the photos? What was the bandwidth of the broadband link?
Which server was used for the download?
–Elite server: with shared password
–Home PC: no trace
Where is the copy from the original disk?

The story never ends
Who is Kira?
–YT Chung – very unlikely
–HC Sze – unlikely
Can we trace Kira using IP address traceback?
–Some more details

Our attempt to find Kira
Photos by Kira
The photos by Kira were shared using the Foxy peer-to-peer software:
–Whenever new photos surfaced on the Internet, users passed on the message using the code "hurry on bit the fox" and the keyword (flash card)
–Users shared the files by putting them, under those names, in their share folder
–The photos spread rapidly on the Foxy network
Can we find the first uploader in the Foxy network?

What is Foxy?
A Traditional Chinese peer-to-peer file transfer program
Initially published by Foxy Media, Inc.
Widely used in Hong Kong, Mainland China and Taiwan
Very popular in upper primary schools and secondary schools
Closed-source program

Foxy Architecture
1.Connecting to the Foxy network
2.Searching for files on the Foxy network
–Based on the Gnutella 2 protocol
3.Downloading a file from a peer
–Based on HTTP download

Connecting to the Foxy network
(1) USER connects to the Foxy server to obtain a peer list
(2) The server returns a peer list to USER
(3) USER sends a PING request to each peer
(4) The peer returns a PONG to USER
(5) USER is now part of the Foxy network

Keyword searching in Foxy
[Diagram: USER and ultra-peers exchanging messages: "Hey, I need a file with name …"; "I don't have the file, and I don't know whether any of my peers have the file; I'll forward it to my peers"; "I have that file …"; "I also have that file …"]
The Gnutella Query 2 (Q2) request will return a list of peers (IP addresses) that have a full copy matching the request
The Foxy Download request guarantees that such a copy is still available for download

Downloading a file from the peer
[Diagram: USER, ultra-peers: "Hey, I need a file with name …"; "I have that file …"; the download is an HTTP request: GET /uri-res/N2R?urn:sha1: …]

Some findings
All peers in the Foxy network are identical
Every peer that has a copy matching a Query request will return its IP address to the requester
Unable to confirm that a peer is the source in the Foxy network when a file is widely distributed
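The request line shown on the download slide matters for the investigator because the URN names the content, not the peer: any copy fetched from any hit in the Query response can be checked against it, and a file seized from a suspect can be matched to what was circulating without the whole file ever being transferred. The block below is an added example written for this page, not Foxy's code or the research group's tooling. It assumes the Gnutella convention for `urn:sha1` (20-byte SHA-1 digest encoded as 32 Base32 characters) and constructs its own sample content; the host name is a placeholder.

```python
import base64
import hashlib

N2R_PREFIX = "/uri-res/N2R?"


def sha1_urn(data):
    """Gnutella-style content identifier: SHA-1 digest, Base32 (20 bytes -> 32 characters, no padding)."""
    return "urn:sha1:" + base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")


def n2r_request(urn, host):
    """The HTTP request a downloading peer sends to a peer that reported a hit for this URN."""
    return f"GET {N2R_PREFIX}{urn} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"


def parse_n2r_request(raw):
    """Return the requested URN from an N2R request (as seen in a capture), or None for anything else."""
    request_line = raw.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[1].startswith(N2R_PREFIX):
        return None
    urn = parts[1][len(N2R_PREFIX):]
    if not urn.startswith("urn:sha1:") or len(urn) != len("urn:sha1:") + 32:
        return None
    return urn


def verify_download(urn, body):
    """True only if the received bytes hash to the URN that was requested."""
    return sha1_urn(body) == urn


if __name__ == "__main__":
    # Constructed stand-in for a shared file; placeholder host name.
    sample = b"constructed sample content, stands in for a shared photo"
    urn = sha1_urn(sample)
    print(n2r_request(urn, "peer.example"))
    print(verify_download(urn, sample), verify_download(urn, sample + b"\x00"))
```

Because every peer answers the same URN with byte-identical content, a matching hash tells you what a peer holds, not where it came from; that is the limitation the findings slide states.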
How can we find Kira?
In the Foxy network, we have concluded that all peers are identical
–How can we find Kira (the first uploader of a file)?
In Jan 2005:
–The first man in the world ("Big Crooke") was arrested by Hong Kong Customs and Excise officers for distributing movies using BT
–How could they find Big Crooke if all peers are identical?

Observation: file distribution in Foxy

Who may be the source?
May be able to find the source under the following conditions:
–During the slow rising period
–The file is large
Impossible after the slow rising period: unable to confirm who was the first source
No definite answer today: more research ongoing

Today's Technology
Cyber crime investigation
–IP address traceback with international cooperation
–Traditional investigation technique: interviewing suspects and witnesses
Digital forensics
–Preservation of digital evidence from hard disks
–Collection of logs from ISPs and forum owners
–Special equipment/software for different types of devices, e.g. CDs

Today's Ordinances in Hong Kong
Publishing obscene articles
Access to computers with criminal or dishonest intent
Others
–Distributing copyright protected materials
–…

The Limitations
Across jurisdictions
Linking the digital evidence to a specific person
Finding the first uploader in a peer-to-peer network
…

What have we done?
–Crime scene reconstruction: crime model
–Investigating peer-to-peer networks
What's next?
Our Research Roadmap in Digital Investigation and Forensics
[Roadmap chart with four areas: Intelligence Gathering, Investigation, Forensics, Legal Reasoning. Items shown: social media mining, P2P monitoring; Bayesian network model, Wigmore chart; cost-effective investigation model, live system consistency analysis; BTM, FoxyMon, DESK, Internet surveillance; DESK/QQ, BTM 2.0, cost-effective investigation tool; FAT allocation analysis tool, Bayesian network]

Intelligence Gathering / Investigation
Internet surveillance platform
Social media mining
Monitoring systems
–BT monitoring (BTM)
–Foxy network monitoring (FoxyMon)
–Auction site monitoring (ASM)
Applications: cyber patrol, early warning detection

The BIG Picture: Internet Surveillance Platform
Internet Surveillance Engine
–Rule-based Data Analyzer: text analysis, image analysis, video analysis
–Web Analyzer: forum analysis, newsgroup analysis, blog analysis
–Protocol Analyzer: BT analysis, eMule analysis, Foxy analysis
–Crime Model: illegal file sharing using BT, auction fraud, others
–Internet Data Mining
–Malware analysis

Internet Surveillance Platform

Internet Surveillance Platform: Top 30 hot topics

Internet Surveillance Platform: Timeline for a topic (e.g. T7)

Internet Surveillance Platform: Research problems
Timeline analysis
Internet criminal profiling
–Internet pirates user profiling
–Internet auction fraud user profiling
Principal investigators: Pierre Lai (PhD student), Tom Lai (MPhil student)
Investigation / Forensics
BT monitoring (version 2):
–Able to collect evidence from the Internet in a forensically sound process
DESK version 2
Digital crime and investigation models based on Bayesian Networks
Live systems forensic analysis techniques: evidence integrity and consistency issues

A Cost-Effective Digital Forensics Investigation Model
Practical issue:
–Resource constraints and challenges
Cost-effective investigation model
–Based on a Bayesian Network

Resource Constraints and Challenges
Resource constraints:
–Limited time frame
–Limited manpower
–Limited forensic tools
Challenges:
–Large volume of data
–Complexity of systems
–Security measures
–Anti-forensic skills
How to balance?

Purpose of the Model
Identify the minimum-cost path for the forensic investigation
Formulate a cut-off point that avoids wasting resources
Offer a systematic approach to forensic investigation
Maintain evidential consistency

The Model Schema
Phase 1
–Enumerate the traces
–Assign an investigation cost to each trace
–Rank the traces in order of investigation cost
–Assign an importance weight to each ranked trace
–Set up a Bayesian Network model with the traces
–Run the BN model with all expected traces to get α, the evidential threshold value
–Set W, the evidential weight, equal to zero
–Set the remaining total of evidential weight to α
Phase 2
–Search for traces according to the ranked order
–Subtract the trace's importance weight from the remaining total
–If the trace is present, add its importance weight to W
–If W is close to α, proceed to phase 3
–If (W + the remaining total) does not sufficiently meet α, abandon the examination; otherwise conduct the full digital forensics process
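Phase 2 of the schema is a loop with two exits, and it is easiest to see the cut-off working on numbers. The following is an added example written for this page, not the research group's implementation. The traces, costs, weights and the observed presence of each trace are constructed; α is passed in as a number rather than obtained from a Bayesian Network, and the importance weights are scaled so that they sum to α, which is my reading of "set the remaining total of evidential weight to α"; the tolerance that decides when W is "close to" α is likewise an assumption.

```python
# Constructed traces for a hypothetical case: (name, investigation cost, importance weight).
# Costs are in arbitrary examiner-hours; weights are the analyst's importance assignment.
TRACES = [
    ("browser history", 1.0, 0.30),
    ("download folder listing", 1.5, 0.25),
    ("P2P client log", 3.0, 0.20),
    ("carving of deleted files", 8.0, 0.15),
    ("memory image analysis", 12.0, 0.10),
]


def plan_examination(traces, alpha, found, tolerance=0.05):
    """Phase 2 of the model: search traces in cost order; stop early when the
    evidential weight W comes within `tolerance` of the threshold alpha, or
    abandon once even a perfect remaining search could not reach it.

    `found` maps trace name -> True/False (what the examiner actually observes).
    `alpha` is the evidential threshold from the phase 1 BN run, supplied here
    as a number (assumption: the BN itself is not modelled). Importance weights
    are scaled to sum to alpha so that the remaining total starts at alpha.
    """
    scale = alpha / sum(weight for _, _, weight in traces)
    ranked = sorted(traces, key=lambda t: t[1])      # phase 1: rank by investigation cost
    w = 0.0                                           # W, the evidential weight
    remaining = alpha                                 # remaining total of evidential weight
    spent = 0.0
    log = []                                          # (trace, present?, W, remaining) per step
    for name, cost, weight in ranked:
        weight *= scale
        spent += cost
        remaining -= weight
        if found[name]:
            w += weight
        log.append((name, found[name], round(w, 4), round(remaining, 4)))
        if w >= alpha - tolerance:
            return {"decision": "proceed to full forensic process", "W": w, "cost": spent, "log": log}
        if w + remaining < alpha - tolerance:
            return {"decision": "abandon examination", "W": w, "cost": spent, "log": log}
    return {"decision": "abandon examination", "W": w, "cost": spent, "log": log}


if __name__ == "__main__":
    all_present = {name: True for name, _, _ in TRACES}
    p2p_log_missing = dict(all_present, **{"P2P client log": False})
    for scenario in (all_present, p2p_log_missing):
        result = plan_examination(TRACES, alpha=0.9, found=scenario)
        print(result["decision"], "after cost", result["cost"])
        for step in result["log"]:
            print("   ", step)
```

With the P2P client log absent the examination is abandoned after the three cheapest traces (5.5 cost units) instead of running all five (25.5); the remaining weight can no longer lift W to α, which is exactly the cut-off the slide describes.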
Live Systems Forensics Analysis
Collect digital evidence from a live running system, e.g. transient network connections
Research questions:
–How to make use of the digital evidence collected from a live running system, filter out irrelevant information, and reconstruct the crime scene
–Integrity and consistency issues
Ref: F. Law, K.P. Chow, M. Kwan and P. Lai, Consistency Issue on Live Systems Forensics, to appear in 2007 International Workshop on Forensics for Future Generation Communication Environments (F2GC-07), Korea

Forensics / Legal reasoning
Heuristic rules to analyze MAC times on NTFS
Bayesian network approach for digital forensics analysis
Legal reasoning model for digital crime
Analyzing the temporal relationship of digital photos in a FAT file system based on sector allocation
Software forensics model and process

Bayesian Network for Digital Forensics
Use a Bayesian Network model to analyze and interpret digital evidence for digital forensics cases
Bayesian networks and belief propagation will be used to determine the likelihood of a crime when the validity of some of the digital evidence cannot be established.

Bayesian Network Crime Models
5 Bayesian Network models are defined
–Sharing of copyright protected materials using BitTorrent
–Online auction fraud
–Online game weapon theft
–DDoS attack
–Cyber-locker
BitTorrent – Sharing copyright protected material
[Diagram: Computer A (data to share), Tracker Server, Newsgroup / Discussion Forum, downloading Computer]
A torrent file contains metadata about the file: time of creation, file name, size, stored location, address of the Tracker server, hash values of fragments, etc.
The BT program chops the file into fragments of 256 KB for transmission
–Create the torrent file
–Publish the torrent file (newsgroup / discussion forum)
–Copy to computer
–Activate the torrent file & connect to the Tracker server
–Through communication, the Tracker server knows Computer A has 100% of the data; Computer A is labeled as a seeder
When connecting to the Tracker server:
1. Activate the BT program
2. Notify a peer's joining
3. Tracker asks how many (%) of the file a peer has
4. Broadcast the latest peer list to connected peers
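The torrent file is the evidence object in this model, so it is worth seeing its contents concretely: a bencoded dictionary whose `info` part carries the name, length, piece length and the concatenated SHA-1 of every piece, and whose own SHA-1 is the identifier the tracker and peers use. The block below is an added example written for this page, not a BitTorrent client's code; it implements a minimal bencode encoder/decoder, builds a single-file torrent with the 256 KB piece size the slide mentions, and checks a seized file against the piece hashes. The tracker URL, file name, creation date and content are constructed.

```python
import hashlib

PIECE_LENGTH = 256 * 1024  # the 256 KB fragment size mentioned on the slide


def bencode(obj):
    """Encode int/bytes/str/list/dict into bencode (dict keys sorted, as the format requires)."""
    if isinstance(obj, bool):
        raise TypeError("bool is not bencodable")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode("utf-8") if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def bdecode(data):
    """Decode one bencoded value; dict keys and strings come back as bytes."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def _decode(data, i):
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = _decode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = _decode(data, i)
            v, i = _decode(data, i)
            d[k] = v
        return d, i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        n, start = int(data[i:colon]), colon + 1
        return data[start:start + n], start + n
    raise ValueError(f"bad bencode at offset {i}")


def make_torrent(name, content, announce):
    """Build a single-file torrent: per-piece SHA-1 digests concatenated into 'pieces'."""
    pieces = b"".join(hashlib.sha1(content[i:i + PIECE_LENGTH]).digest()
                      for i in range(0, len(content), PIECE_LENGTH))
    info = {"name": name, "length": len(content), "piece length": PIECE_LENGTH, "pieces": pieces}
    # creation date is a constructed Unix timestamp
    return bencode({"announce": announce, "creation date": 1201996800, "info": info})


def info_hash(torrent):
    """SHA-1 of the bencoded info dict: the identifier peers and tracker use for this content."""
    return hashlib.sha1(bencode(bdecode(torrent)[b"info"])).hexdigest()


def failed_pieces(torrent, content):
    """Indexes of pieces whose SHA-1 does not match the torrent (empty list = content is genuine)."""
    info = bdecode(torrent)[b"info"]
    plen, hashes = info[b"piece length"], info[b"pieces"]
    expected = [hashes[j:j + 20] for j in range(0, len(hashes), 20)]
    bad = [idx for idx, h in enumerate(expected)
           if hashlib.sha1(content[idx * plen:(idx + 1) * plen]).digest() != h]
    if len(content) != info[b"length"]:
        bad.append("length mismatch")
    return bad


if __name__ == "__main__":
    data = bytes(range(256)) * 1500                   # constructed 384000-byte file, 2 pieces
    torrent = make_torrent("sample.bin", data, "http://tracker.example/announce")
    print(info_hash(torrent), failed_pieces(torrent, data))
```

A file recovered from a suspect's disk that passes `failed_pieces` with an empty list is byte-identical to what the torrent describes, which ties the disk content to the published torrent without relying on file names.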
Graphical Representation of Digital Evidence in the BT case
Based on the reported digital evidence from the case, the calculated chance that H is valid is 92.27%
It is then the Judge who decides whether it is beyond reasonable doubt that the forensic hypothesis H is valid
Indeed, there is other physical evidence around the case

The Bayesian Network Model of the BitTorrent Case

Digital Evidence of Online Auction Fraud
Prosecution hypotheses
Hp: The computer has been used as a transaction tool for the auctioning of the fake item
Hp1: Uploading of auction item material related to the fake item has been performed
Hp2: Manipulation of the corresponding auction item has taken place
Hp3: Communication between the seller and the buyer on the fake item has occurred

Digital Evidence of Online Auction Fraud
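The point made two slides earlier, that belief propagation still yields a likelihood for H when some evidence cannot be established, is simplest to see on a small network in which each evidence node depends only on H. The following is an added example written for this page, not the group's BitTorrent model, and the 92.27% figure is not reproduced: the prior and the conditional probability tables are constructed, and the evidence names are illustrative. Evidence marked `None` is treated as unobserved and marginalised out, which for this star-shaped structure means it simply drops out of the product.

```python
# Constructed prior and conditional probability tables (not the paper's values).
H_PRIOR = 0.5  # P(H): the suspect shared the file

# name -> (P(evidence present | H), P(evidence present | not H))
CPT = {
    "torrent file on disk": (0.95, 0.20),
    "BT client installed": (0.98, 0.40),
    "tracker connection in log": (0.90, 0.05),
    "forum post with torrent link": (0.70, 0.02),
}


def posterior(observations, prior=H_PRIOR, cpt=CPT):
    """P(H | observations) for a network where every evidence node is a child of H only.

    observations maps evidence name -> True (present), False (absent) or
    None (validity could not be established: the node is left unobserved).
    """
    likelihood_h, likelihood_not_h = prior, 1.0 - prior
    for name, (p_given_h, p_given_not_h) in cpt.items():
        observed = observations.get(name)
        if observed is None:
            continue  # unobserved node: summing over its states contributes a factor of 1
        likelihood_h *= p_given_h if observed else 1.0 - p_given_h
        likelihood_not_h *= p_given_not_h if observed else 1.0 - p_given_not_h
    return likelihood_h / (likelihood_h + likelihood_not_h)


def evidence_strength(name, cpt=CPT):
    """Likelihood ratio of one piece of evidence when present: how much it favours H over not-H."""
    p_given_h, p_given_not_h = cpt[name]
    return p_given_h / p_given_not_h


if __name__ == "__main__":
    everything = {name: True for name in CPT}
    log_unverified = dict(everything, **{"tracker connection in log": None})
    log_absent = dict(everything, **{"tracker connection in log": False})
    for label, obs in (("all present", everything), ("log unverified", log_unverified), ("log absent", log_absent)):
        print(f"{label:15s} P(H|E) = {posterior(obs):.4f}")
    for name in CPT:
        print(f"{name:30s} LR = {evidence_strength(name):.1f}")
```

The ordering the numbers show (absent < unverified < present) is the practical lesson: an item of evidence whose validity cannot be established weakens the case relative to confirmed evidence but, unlike evidence shown to be absent, does not count against the hypothesis.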
Software Forensics Model and Process: A Case Study in Hong Kong
2000 – Oct 2005
–D was working in Company A, owned by Y, as a key programmer responsible for 1/3 of the coding of the accounting software P
Nov 2005
–D left Company A
–D set up a new company, Company B, selling accounting software Q, similar to P (since then, Company A's revenue dropped significantly)

Software Forensics Case Study
May 2006
–Someone in Company A bought a set of Q and found its functions and applications very similar to P
–Company A lodged a complaint with the C&E Dept

Software Forensics Model
[Diagram: different versions of T's software system from shops; PC with hard disks; source code of copyright owner G; comparison]
Key questions
1.Do source codes exist in the seized hard disks?
2.Can the source codes be used to generate the different versions of T's software system from the shops?
3.Is there any relationship between G's source code and T's source code?

Questions 1 & 2
1.Do source codes exist in the seized hard disks?
–Yes, …
2.Can the source codes be used to generate the different versions of T's software system from the shops?
–Yes, …

Question 3
3.Is there any relationship between G's source code and T's source code?
a)Name analysis
b)Source code comparison (line by line)
c)Search for evidence that infers copying
[Diagram: G's source code (Delphi) compared with T's source code]

Software Forensics Process
a)Name analysis
–Filename comparison
–Function and procedure name comparison
–Database comparison
b)Source code comparison
–Line by line comparison
c)Search for core functions as identified by the copyright owner, e.g.
–IncOrDecStockLocQty
–CheckJnlNo
Software Forensic Analysis

Evidence that infers copying
Locard's exchange principle:
–with contact between two items, there will be an exchange
Search for unusual things in the hard disks:
–Copyright notice of G
–Dead program statements and commented program statements
–Dead files

Identical dead files

Found copyright notices embedded in the source code

Sample commented program statement

Sample dead program statement
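The three-part process (name analysis, line-by-line comparison, search for traces of copying such as the owner's copyright notice and commented-out statements) can be run as one script over two source trees. The block below is an added example written for this page, not the tool used in the case. The two Delphi-style fragments, the file lists and the owner name are constructed; the only names taken from the slides are the two core routines, `IncOrDecStockLocQty` and `CheckJnlNo`, and the comparison is extended to report a line-similarity ratio alongside the exact-match count.

```python
import re
from difflib import SequenceMatcher

# Constructed Delphi-style fragments standing in for the copyright owner's code (G)
# and the suspect's code (T); they are not the real P or Q sources.
SOURCE_G = """\
{ Copyright (c) Company A. All rights reserved. }
unit Stock;
procedure IncOrDecStockLocQty(Loc: string; Qty: Integer);
begin
  UpdateLoc(Loc, Qty);
end;
function CheckJnlNo(No: string): Boolean;
begin
  Result := Length(No) = 8;
end;
"""

SOURCE_T = """\
unit Inventory;
{ Copyright (c) Company A. All rights reserved. }
procedure IncOrDecStockLocQty(Loc: string; Qty: Integer);
begin
  UpdateLoc(Loc, Qty);
  // UpdateLoc(Loc, Qty * 2);
end;
function CheckJnlNo(No: string): Boolean;
begin
  Result := Length(No) = 8;
end;
function NewReport: Boolean;
begin
  Result := True;
end;
"""

FILES_G = {"Stock.pas", "Journal.pas", "OldImport.pas"}       # constructed file lists
FILES_T = {"Inventory.pas", "Journal.pas", "OldImport.pas"}
CORE_FUNCTIONS = ["IncOrDecStockLocQty", "CheckJnlNo"]       # core routines named by the owner
TRIVIAL = {"begin", "end;", "end."}                           # lines that prove nothing on their own

ROUTINE_RE = re.compile(r"^\s*(?:procedure|function)\s+([A-Za-z_]\w*)", re.MULTILINE)
COMMENT_RE = re.compile(r"^\s*(//.*|\{.*\}|\(\*.*\*\))\s*$")  # Delphi comment-only lines


def routine_names(src):
    return set(ROUTINE_RE.findall(src))


def code_lines(src):
    return [ln.strip() for ln in src.splitlines() if ln.strip()]


def commented_out_code(src):
    """Comment-only lines that still look like statements (contain ';' or ':=')."""
    return [ln.strip() for ln in src.splitlines()
            if COMMENT_RE.match(ln) and re.search(r";|:=", ln)]


def copyright_notices(src, owner):
    return [ln.strip() for ln in src.splitlines() if "copyright" in ln.lower() and owner in ln]


def compare_sources(src_g, src_t, files_g, files_t, owner, core):
    """Run the three analysis steps and return one report dictionary."""
    g, t = code_lines(src_g), code_lines(src_t)
    return {
        "shared_filenames": sorted(files_g & files_t),                        # a) name analysis
        "shared_routines": sorted(routine_names(src_g) & routine_names(src_t)),
        "core_functions_in_t": [n for n in core if n in routine_names(src_t)],  # c) core functions
        "identical_lines": sorted((set(g) & set(t)) - TRIVIAL),                 # b) line comparison
        "line_similarity": round(SequenceMatcher(None, g, t).ratio(), 3),
        "owner_notice_in_t": copyright_notices(src_t, owner),                   # c) Locard traces
        "commented_out_in_t": commented_out_code(src_t),
    }


if __name__ == "__main__":
    report = compare_sources(SOURCE_G, SOURCE_T, FILES_G, FILES_T, "Company A", CORE_FUNCTIONS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The owner's copyright notice surviving in T's tree, and a commented-out statement that only makes sense against G's version of the routine, are the "exchange" evidence the Locard slide describes; the shared routine names and identical lines show the extent of the overlap but not its direction.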
Our research team and research products

CISC Computer Forensics Research Group
Our team:
–5+ PhD students + 3+ MPhil students
–3+ faculty members + 2 researchers (with PhD)
–3 full-time engineers + several part-time engineers
–MSc project students + final year project students
Our work:
–Applied research: forensic and investigation tools, video analysis tools
–Basic digital forensics research
–http://i.cs.hku.hk/~cisc/forensics/papers/ComputerForensicsInHK.pdf
Our website:

Project – DESK (2005)

DESK/QQ
QQ:

Project – BTM (2006)

BTM v2

BTM v2

International Collaborations
DESK enhancement and China customization with Shandong Computer Science Center of Shandong Academy of Sciences
Bayesian network for digital crimes with King's College, University of London, UK
Harbin Institute of Technology, ShenZhen
Sixth Annual IFIP WG 11.9 International Conference on Digital Forensics was hosted at HKU on Jan 3-6, 2010
–http://www.ifip119.org

Resources
Eastweek magazine, vol. 233, 13 Feb 2008
P. Crowley, CD and DVD Forensics, Syngress, 2007
R. Jones, Internet Forensics, O'Reilly, 2006
R. Ieong, P. Lai, K.P. Chow, M. Kwan, F. Law, H. Tse & K. Tse, Forensic Investigation of Peer-to-Peer Networks, Handbook of Research on Computational Forensics, Digital Crime and Investigation: Methods and Solution, IGI Global
R. Ieong, P. Lai, K.P. Chow, M. Kwan & F. Law, Is it an Initial Seeder? Derived Rules that Indicate a Seeder is within the Slow-Rising Period, Sixth IFIP WG 11.9 International Conference on Digital Forensics
Frank Y.W. Law, K.P. Chow, Pierre K.Y. Lai & Hayson K.S. Tse, A Host-based Approach to BotNet Investigation, 1st International Conference on Digital Forensics and Cyber Crime, 2009