1. Cyber Crime and IT Forensics – The Edison Chen Story
22-March-2004
Cyber Crime and IT Forensics – The Edison Chen Story
Ir Dr. K.P. Chow
Computer Forensics Research Group
Center for Information Security and Cryptography
University of Hong Kong
August 2010
CISC 1

2. 22-March-2004
Agenda
A practitioner approach to introduce cyber crime and IT forensics
Internet investigation
Digital forensics
Our research roadmap
CISC 2 2

3. A practitioner approach to introduce cyber crime and IT forensics
CISC

4. Key topics in cyber crime and forensics
Internet investigation
Digital forensics
Any interesting case?
Edison Chen photo scandal
Let’s travel back to 27 Jan 2008
CISC

5. Who is Edison Chen?
Who else?
Who is him?
CISC

6. The story begins in Jan 2008
Jan 27 evening: 1 photo of Edison and Gillian is posted in discussion forums in Hong Kong
Jan 28 afternoon: 1 photo of Edison and Bobo is posted in many forums, Edison and Gillian announced that the photos were hoaxes
Jan 29: 5 photos of Gillian and 2 photos of Cecilia are posted
Jan 30: 4 photos of Cecilia are posted
CISC

7. What are the forensics questions?
Are the photos real or hoaxes?
Who posted the photos on the forums?
CISC

8. Are the photos real? Not our current research focus
Factors to be considered:
Lighting
Eyes and positions
Specular highlights
Send in the clones
Camera fingerprints
Forensic photography
Not our current research focus
CISC

9. Who posted the photos on the forums?
Forum B outside HK
User YT Chung
IP address A
On Jan 31, first person, YT Chung, is arrested for the case
Photos downloaded
Photos uploaded to a forum outside HK
Forum A in HK
Photos of G and C
Photos of G
CISC

10. Investigation techniques
Tracing using the IP address
Most forums keep the IP addresses of users who create the posts
Most ISPs keep records of the assignment of IP addresses to his subscribed users
Different between IP address and fingerprint
CISC

11. Forensics techniques Digital evidence in the suspect’s PC
Different between IP address and fingerprint
CISC

12. The Law What was the crime act?
Violates the “Control of Obscene and Indecent Articles Ordinance” in Hong Kong: publishing obscene articles
Different between IP address and fingerprint
CISC

13. Limitations
Cross jurisdiction: requires supports from other countries
國際刑警
CISC

14. Difficulties ?= Who was using the computer? Fingerprint vs. IP address
User YT Chung
Photos downloaded
Who am I?
CISC

15. The story continues
Feb 2: 4 men and 2 women are arrested, all from the computer repair shop Elite
1 hoax photo of Cecilia was posted
Feb 4: HC Sze is arrested
Feb 5: 4 more obscene photos are posted, involve Gillian, Cecilia, BoBo and Rachel
Feb 6: 209 photos are posted by Kira
Feb 9: another 237 photos are posted by Kira again, involve Gillian, Cecilia, BoBo and Vincy
CISC

16. What are the forensics questions?
How the computer repair shop Elite was located?
Traditional investigation technique
What was the charge of HC Sze?
HC Sze was charged with “access to computer with criminal or dishonest intent”
Why him?
Who is Kira?
HC Sze? Not sure
CISC

17. Some events Date (2008) Event Jan 29
Photos of Edison and celebrities available on the Internet
Feb 1
Mak’s CD was seized
Feb 2 6:55am
Janet’s CD (with “X” mark) and PCs at home were seized
Feb 2 7:45pm
Sze was arrested
Feb 2 10:10pm
Sze’s home PCs were seized
Feb 3
Tse’s home PC was seized (nothing relevant was found)
Feb 16
Yip’s home PC was seized (Edison’s photos from the Internet were found)
Feb 18
Chan’s home PC was seized (nothing relevant was found)
Feb 21
Edison’s home PCs were seized
Feb 27
Store’s PC was seized
Feb 28
Elite’s server was seized
CISC

18. Who were Mak and Janet? Mr Wong (PW6) Edison Mac Book Pro CD “X” Mak
Driver
belongs
Mr Wong
(PW6)
Edison
Mac Book Pro CD
“X”
Mak
give to
Loan /
Return
Janet
Mak’s CD
belongs
Purchase
Power Mac
G5 Duo
Computer Service
Purchase
belongs
Elite Computer
Shop
Store
Computer Service
Emp
Emp
Emp
Chung
(PW5)
Supervisor
Supervisor
Fanny
(PW1)
Janet
(PW2)
CISC 18

19. The Beginning: Edison’s MacBook Pro brought to Elite for service
belongs to
Mac Book Pro
Employer
driver
Bring to
service
Tse
Wong
(PW6)
inside
Harddisk
CISC

20. When, where and how were the photos found?
Service Day to +4 days: photos inside
the MacBook Pro were found
Chan
Emp
Elite
Yip
Boss
Emp
Emp
inform
Mac Book Pro
Sze
Tse
inside
Harddisk
View
together
Delete
3-4 days
afterwards
Back up
Profile
Do not leave evidence
External
Harddisk
Folder
Lifestyle
inside
CISC

21. How the photos get to the store?
8 June 2008: Sze performed computer service at “Store”
Elite
Store
belongs
Sze
Service
Power Mac
G5 Duo
Mak’s CD
Logon /
Password
Some Server
(unknown)
belongs
Fanny
Mak
View
photos
Janet
Download To
Power Mac G5
Loan /
Return
give to
Folder
Burn to CD CD
“X”
CISC

22. For the court The story: crime scene reconstruction Witness statements
Evidence
CISC

23. Digital Evidence Where is the source?
Partition edison/Desktop/the others
4.0/Pictures from Feb 6.zip
Mac Book Pro
(P5)
Pictures from Feb 6.zip
Harddisk
inside
Where is the source?
inside
Elite
Yip
belongs to
Server
(shared
Password)
Internet PC
inside
contained
download
239 photos
Not the same
≃ 600 photos (
to )
(P4)
CD “X”
identical
CD from
Mok
Created
:54 or
:54
CISC

24. Witness statement
CISC

25. Crime Scene Reconstruction
Other
Server
Power Mac G5
Sze’s
Home Server
External
Harddisk
Folder
Lifestyles
Copy
Folder
Make
Copy
Upload to
Server
Download
knowledge
Elite
Server
Create CD
charge 1
Yip
charge 2
Tse
charge 3
Chan CD
“X”
Sze
3 charges of access to computer with criminal or dishonest intent:
witness statements: Mak and Janet
digital evidence: CD “X”
digital crime scene reconstruction
CISC

26. Questions about the digital evidence
Who and when the CD marked “X” was created?
2 interpretations of the folder creation date/time in the CD
How long would it take to download the photos? What was the bandwidth of the broadband link?
Which server was used for download?
Elite server: with shared password
Home PC: no trace
Where is the “copy” from the original disk?
CISC

27. The story never ends Who is Kira?
YT Chung – very unlikely
HC Sze – unlikely
Can we trace Kira using IP address traceback?
Some more details
CISC

28. OUR ATTEMPT TO FIND KIRA
CISC

29. Photos by Kira
The photos by Kira uses Foxy peer to peer software to share:
Whenever new photos surface on the internet, they pass on the messages using the code: “hurry on bit the fox” and using the keyword “新閃卡” (flash card)
Users share the files with names 新閃卡 by putting those files in their share folder
The photos spread rapidly on the Foxy network
Can we find the first uploader in the Foxy network?
CISC

30. What is Foxy? A Traditional Chinese peer to peer file transfer program
Initially published by Foxy Media, Inc.
Widely used in Hong Kong, Mainland China and Taiwan
Very popular in upper primary schools and secondary schools
Close source program
CISC 30

31. Foxy Architecture Connecting to the Foxy network
Search for files on the Foxy network
Based on Gnutella 2 protocol
Download file from a peer
Based on http download
CISC 31

32. Connecting to the Foxy network
(5)
USER now part of the Foxy network
(1)
USER connects to Foxy server to obtain a peer list
(2)
Server returns a peer list to USER
(4)
The peer returns a PONG request to the USER
(3)
USER sends a PING request to each peer
Foxy
Server
CISC 32

33. Keyword searching in FOXY
Hey, I need a file with name “新閃卡”
“新閃卡”
Ultra-
peer
I don’t have the file, and I don’t know any of my peers have the file, I’ll forward to my peers
The Gnutella “Query 2” (Q2) request will return a list of peers (IP addresses) that has a full copy that matches the request
The Foxy “Download” request guarantees such copy still available for download
“新閃卡”
“新閃卡”
Ultra-
peer
“新閃卡”
I have that file …
I also have that file …
CISC 33

34. Downloading a file from the peer
Hey, I need a file with name “新閃卡”
“新閃卡”
Ultra-
peer
HTTP GET /uri-res/N2R?urn:sha1:…
Ultra-
peer
“新閃卡”
CISC
I have that file … 34

35. Some findings All peers in the Foxy network are identical
All peers has a copy that matches a “Query” request will return its IP address to the requester
Unable to confirm a peer is the source in the Foxy network when a file is widely distributed
Hey, I need a file with name “新閃卡”
“新閃卡”
Ultra-
peer
Ultra-
peer
“新閃卡”
I have that file …
I also have that file …
CISC 35

36. How can we find Kira?
In the Foxy network, we have concluded that all peers in the Foxy network are identical
How can we find Kira (the first uploader of a file)?
On Jan 2005:
The first man (古惑天王 Big Crooke) in the world was arrested by Hong Kong Customs and Excise officers for distributing movies using BT
How can they find the Big Crooke if all peers are identical?
CISC

37. Observation: file distribution in Foxy
CISC 37

38. Who may be the source? No definite answer today: more research ongoing
May be able to find under the following conditions:
At the slow rising period
The file is large
Impossible after the slow rising period: unable to confirm who was the first source
No definite answer today:
more research ongoing
CISC

39. Today’s Technology Cyber crime investigation Digital forensics
IP address traceback with International cooperation
Traditional investigation technique: interviewing suspect and witnesses
Digital forensics
Preservation of digital evidence from hard disk
Collection of logs from ISP and forums’ owners
Special equipment/software for different types of devices, e.g. CDs
CISC

40. Today’s Ordinances in Hong Kong
Publishing obscene articles
Access to computers with criminal or dishonest intent
Others
Distributing copyright protected materials …
CISC

41. The Limitations Across jurisdictions
Linking the digital evidence to a specific person
Finding the first uploader in a Peer-to-Peer network …
CISC

42. What have we done? What’s next?
Crime scene reconstruction → crime model
Investigating peer-to-peer network
What’s next?
CISC

43. Our Research Roadmap in Digital Investigation and Forensics
Bayesian network model, Wigmore chart
Intelligence Gathering
FAT allocation analysis tool, Bayesian network
Investigation
Forensics
Social media mining,
P2P monitoring
Legal Reasoning
BTM, FoxyMon, DESK, Internet surveillance
Cost effective investigation model, live system consistency analysis
DESK/QQ, BTM 2.0, Cost-effective investigation tool
CISC

44. Intelligence Gathering/ Investigation
Internet surveillance platform
Social media mining
Monitoring systems
BT monitoring (BTM)
Foxy network monitoring (FoxyMon)
Auction site monitoring (ASM)
Applications: cyber patrol, early warning detection
CISC

45. The BIG Picture: Internet Surveillance Platform
Forum analysis
Internet
Text analysis
Web Analyzer
Newsgroup analysis
Rule-based Data Analyzer
Image analysis
Blog analysis
Internet Surveillance Engine
Video analysis
BT analysis
Crime Model
Auction fraud
Protocol Analyzer
eMule analysis
Data Mining
Illegal file sharing using BT
Others
Foxy analysis
Malware analysis

46. Internet Surveillance Platform
CISC

47. Internet Surveillance Platform
Top 30 hot topics
CISC

48. Internet Surveillance Platform
TimeLine for Topic (e.g.T7)
CISC

49. Internet Surveillance Platform: Research problems
Timeline analysis
Internet criminal profiling
Internet pirates user profiling
Internet auction fraud user profiling
Principal investigator:
Pierre Lai (PhD student)
Tom Lai (MPhil student)
CISC

50. Investigation/Forensics
BT monitoring (version 2):
Able to collect evidence from the Internet in a forensically sound process
DESK version 2
Digital crime and investigation models based on Bayesian Network
Live systems forensic analysis techniques: evidence integrity and consistency issue
CISC

51. A Cost-Effective Digital Forensics Investigation Model
Practical issue:
Resource constraints and challenges
Cost-effective investigation model
Based on Bayesian Network
CISC

52. How to balance? Resources Constraints and Challenges
Anti-forensic skills
Limited forensic tools
Security measures
Limited manpower
Complexity of system
Limited time frame
Large volume of data
Resources Constraints
Challenges
How to balance? 52

53. Purpose the Model
Identify minimum cost path for the forensics investigation
Formulate a “cut-off” point that can avoid resources wastage
Offer systematic approach in forensics investigation
Maintain evidential consistency 53

54. The Model Schema Phase 1 Phase 2 Enumerate the traces
Assign investigation cost
Rank the traces in order of investigation costs
Assign importance weights to each ranked traces
Set up a Bayesian Network model with the traces
Run the BN model with all expected traces to get α, the evidential threshold value
Set , the evidential weight, equal to zero
Set , the remaining total of evidential weight, to α
Phase 2
Search for traces according to the ranked order
Subtract the importance weight from (i.e － )
If trace presents, add importance to
If W closes to α, then proceed phase 3
If ( ) does not sufficiently meet α, abandon the examination; otherwise conduct the full digital forensics processes 54

55. Live Systems Forensics Analysis
Collect digital evidence from a live running system, e.g. transient network connection
Research questions:
How to make use of the digital evidence collected from a live running system, filter out irrelevant information, and reconstruct the crime scene
Integrity and consistent issues
Ref: F. Law, K.P. Chow, M. Kwan and P. Lai, Consistency Issue on Live Systems Forensics, to appear in 2007 International Workshop on Forensics for Future Generation Communication Environments (F2GC-07), Korea

56. Forensics/Legal reasoning
Heuristic rules to analyze MAC time on NTFS
Bayesian network approach for digital forensics analysis
Legal reasoning model for digital crime
Analyzing digital photos temporal relationship in a FAT file system based on sector allocation
Software forensics model and process
CISC

57. Bayesian Network for Digital Forensics
Use Bayesian Network model to analyze and interpret digital evidence for digital forensics cases
Bayesian network and belief propagation will be used to determine the “likelihood” of a crime when validity of some of the digital evidence cannot be established.

58. Bayesian Network Crime Models
5 Bayesian Network models are defined
Sharing of copyright protected materials using BitTorrent
Online auction fraud
Online games weapon theft
DDoS attack
Cyber-locker
CISC

59. Activate Torrent file & connect to Tracker server
BitTorrent – Sharing copyright protected material
Newsgroup /
Discussion Forum
Publish Torrent file 3
Data to share
Tracker Server
Activate Torrent file & connect to Tracker server 4
Torrent
File
Copy to Computer 1 2
Create Torrent file 5
Through communication, Tracker server knows Computer A has 100% of data. Computer A is labeled as a seeder
When connects to Tracker server :
1. Activate the BT program
2. Notify a peer’s joining
3. Tracker asks how many (%) of the file a peer has
4. Broadcast the latest peer list to connected peers
Torrent contains metadata about the file – time of creation, file name, size, stored location, address of Tracker server, hash values of fragments, etc.
Computer A
BT program “chops” file into fragments of 256 KB for transmission 59

60. Graphical Representation of Digital Evidence in the BT case
Based on the reported digital evidence from the case, the calculated chance that H is valid is 92.27%
It is then the Judge who decides whether it is beyond reasonable doubt that the forensic hypothesis H is valid
Indeed, there are other physical evidence around the case 60

61. The Bayesian Network Model of the BitTorrent Case61

62. Digital Evidence of Online Auction Fraud
Prosecution Hypotheses
Hp : The computer has been used as transaction tool for the auctioning of the fake item
Hp1 : Uploading of auction item material related to the fake item has been performed
Hp2 : Manipulation of the corresponding auction item has taken place
Hp3 : Communication between the seller and the buyer on the fake item has occurred 62

63. Digital Evidence of Online Auction Fraud63

64. Software Forensics Model and Process A Case Study in Hong Kong
2000 – Oct 2005
D was working in Company A, owned by Y, as a key programmer who was responsible for 1/3 of the coding of the accounting software P
Nov 2005
D left Company A
D set up a new company, Company B, selling accounting software Q, similar to P
(Since then, Company A’s revenue dropped significantly)

65. Software Forensics Case Study
May 2006
Someone in Company A bought a set of Q and found its functions and applications are very similar to P
Company A laid a complaint to C&E Dept

66. Software Forensics Model
Different versions of T’s software system from shops
Do source codes exist in the seized hard disk?
Can the source codes be used to generate different versions of T’s software system from shops?
Key Questions
PC with Hard disks
Any relationship between G’s source code and T’s source code?
Source code of copyright owner G

67. Questions 1 & 2 Do source codes exist in the seized hard disks?
Yes, …
Can the source codes be used to generate different versions of T’s software system from shops?

68. Questions 3
Any relationship between G’s source code and T’s source code?
Delphi source codes
G’s source code
Comparison
T’s
source code
Name analysis
Source code comparison (line by line)
Search for evidence that infers copying

69. Software Forensics Process
Name analysis
Filename comparison
Function and procedure name comparison
Database comparison
Source code comparison
Line by line comparison
Search for “core functions” as identified by the copyright owner, e.g.
IncOrDecStockLocQty
CheckJnlNo

70. Software Forensic Analysis

71. Evidence that infers copying
Locard’s exchange principle:
“with contact between two items, there will be an exchange”
Search for unusual “things” in the hard disks:
Copyright notice of G
Dead program statements and commented program statements
Dead files

72. Identical dead files

73. Found copyright notices embedded in the source code

74. Sample commented program statement

75. Sample dead program statement

76. OUR RESEARCH TEAM AND RESEARCH PRODUCTS
CISC

77. Computer Forensics Research Group
22-March-2004
Computer Forensics Research Group
Our team:
5+ PhD students + 3+ MPhil students
3+ faculty members + 2 researchers (with PhD)
3 full time engineers + several part-time engineers
MSc project students + final year project students
Our work:
Applied research: forensic and investigation tools, video analysis tools
Basic digital forensics research
Our website:
CISC
CISC 77

78. Project – DESK (2005)
22-March-2004
CISC

79. DESK/QQ
QQ分析的屏幕截屏
合作伙伴: 山东科学院的山东省计算中心
CISC

80. 22-March-2004
Project – BTM (2006)
CISC

81. BTM v2
自动下载屏幕截屏
CISC

82. BTM v2
CISC

83. International Collaborations
DESK enhancement and China customization with Shandong Computer Science Center of Shandong Academy of Sciences
Bayesian network for digital crimes with King’s College, University of London, UK
Harbin Institute of Technology, ShenZhen
Sixth Annual IFIP WG 11.9 International Conference on Digital Forensics was hosted in HKU in Jan 3-6, 2010

84. Resources http://en.wikipedia.org/wiki/Edison_Chen_photo_scandal
Eastweek magazine, vol. 233, 13 Feb 2008
P. Crowley, CD and DVD Forensics, Syngress, 2007
R. Jones, Internet Forensics, O’Reilly, 2006
R. Ieong, P. Lai, K.P. Chow, M. Kwan, F. Law, H. Tse & K. Tse, Forensic Investigation of Peer-to-Peer Networks, Handbook of Research on Computational Forensics, Digital Crime and Investigation: Methods and Solution, IGI Global, 2009.
R. Ieong, P. Lai, K.P. Chow, M. Kwan & F. Law, Is it an Initial Seeder? Derived Rules that Indicate a Seeder is within the Slow-Rising Period, Sixth IFIP WG 11.9 International Conference on Digital Forensics, 2010.
Frank Y.W. Law, K.P. Chow, Pierre K.Y. Lai & Hayson K.S. Tse, A Host-based Approach to BotNet Investigation, 1st International Conference on Digital Forensics and Cyber Crime, 2009.
CISC

85. 22-March-2004
Thank You
CISC 85