Slide 1: Cyber Crime and IT Forensics – The Edison Chen Story
22-March-2004
Ir Dr. K.P. Chow
Computer Forensics Research Group
Center for Information Security and Cryptography (CISC), University of Hong Kong
August 2010

Slide 2: Agenda
- A practitioner approach to introduce cyber crime and IT forensics
- Internet investigation
- Digital forensics
- Our research roadmap
Slide 3: A practitioner approach to introduce cyber crime and IT forensics

Slide 4: Key topics in cyber crime and forensics
- Internet investigation
- Digital forensics
- Any interesting case? The Edison Chen photo scandal. Let's travel back to 27 Jan 2008.

Slide 5: Who is Edison Chen? Who else? Who is he?
Slide 6: The story begins in Jan 2008
- Jan 27, evening: 1 photo of Edison and Gillian is posted on discussion forums in Hong Kong
- Jan 28, afternoon: 1 photo of Edison and Bobo is posted on many forums; Edison and Gillian announce that the photos are hoaxes
- Jan 29: 5 photos of Gillian and 2 photos of Cecilia are posted
- Jan 30: 4 photos of Cecilia are posted

Slide 7: What are the forensic questions?
- Are the photos real or hoaxes?
- Who posted the photos on the forums?

Slide 8: Are the photos real? (Not our current research focus)
Factors to be considered:
- Lighting
- Eyes and positions
- Specular highlights
- "Send in the clones" (detection of cloned image regions)
- Camera fingerprints
- Forensic photography

Slide 9: Who posted the photos on the forums?
Diagram (reconstructed from the slide labels): user YT Chung, at IP address A, downloaded photos of G and C from Forum A in Hong Kong and uploaded photos of G to Forum B outside Hong Kong. On Jan 31 the first person, YT Chung, is arrested for the case.
Slide 10: Investigation techniques
- Tracing using the IP address
- Most forums keep the IP addresses of the users who create posts
- Most ISPs keep records of which IP address was assigned to which subscriber, and when
- An IP address is not a fingerprint: it identifies a subscriber's connection at a point in time, not the person at the keyboard
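The tracing step on this slide, as an added example that is not part of the original presentation: a forum's post log is correlated with an ISP's address-assignment log. The log layouts, field names, subscriber ids and every record are constructed. The forum records post times in Hong Kong time (+08:00) and the ISP records lease windows in UTC, which is the first thing such a correlation has to reconcile; a hit names the subscriber account that held the address at that moment, not the person who typed the post.

```python
"""Correlating a forum post's IP address with an ISP's assignment log.

Added example, not from the original slides: the log layouts, field
names, subscriber ids and every record below are constructed. The forum
records post times in Hong Kong time (+08:00) and the ISP records lease
times in UTC. A hit names the subscriber account that held the address
at that moment, not the person who typed the post (NAT, shared
households, open Wi-Fi and compromised machines all break that link).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import Dict, List

# Constructed forum log: post id, post time (local, +08:00), source IP
FORUM_LOG = """\
post=1001 time=2008-01-27T19:05:42+08:00 ip=203.0.113.45
post=1002 time=2008-01-28T15:40:10+08:00 ip=203.0.113.45
post=1003 time=2008-01-29T11:12:55+08:00 ip=198.51.100.9
post=1004 time=2008-01-28T06:01:00+08:00 ip=203.0.113.45
"""

# Constructed ISP assignment log (RADIUS/DHCP style): subscriber, IP, lease window in UTC
ISP_LOG = """\
sub=S-4471 ip=203.0.113.45 start=2008-01-26T22:00:00+00:00 end=2008-01-27T22:00:00+00:00
sub=S-9930 ip=203.0.113.45 start=2008-01-27T22:00:00+00:00 end=2008-01-28T22:00:00+00:00
sub=S-4471 ip=198.51.100.9 start=2008-01-29T00:00:00+00:00 end=2008-01-30T00:00:00+00:00
"""


@dataclass(frozen=True)
class Post:
    post_id: str
    when: datetime        # timezone-aware
    ip: str


@dataclass(frozen=True)
class Lease:
    subscriber: str
    ip: str
    start: datetime       # timezone-aware
    end: datetime


def _fields(line: str) -> Dict[str, str]:
    return dict(item.split("=", 1) for item in line.split())


def parse_forum_log(text: str) -> List[Post]:
    posts = []
    for line in text.splitlines():
        if line.strip():
            f = _fields(line)
            # ip_address() rejects malformed addresses instead of silently mis-matching them
            posts.append(Post(f["post"], datetime.fromisoformat(f["time"]), str(ip_address(f["ip"]))))
    return posts


def parse_isp_log(text: str) -> List[Lease]:
    leases = []
    for line in text.splitlines():
        if line.strip():
            f = _fields(line)
            leases.append(Lease(f["sub"], str(ip_address(f["ip"])),
                                datetime.fromisoformat(f["start"]), datetime.fromisoformat(f["end"])))
    return leases


def subscribers_for(post: Post, leases: List[Lease], clock_skew: timedelta = timedelta(minutes=5)) -> List[str]:
    """Subscriber accounts whose lease of post.ip covers the post time.

    Both sides are normalised to UTC before comparison. The skew window
    allows for unsynchronised forum and ISP clocks; a post close to a
    lease boundary can therefore match two subscribers, and that
    ambiguity must be reported rather than resolved by guesswork.
    """
    t = post.when.astimezone(timezone.utc)
    hits = {lease.subscriber for lease in leases
            if lease.ip == post.ip and lease.start - clock_skew <= t <= lease.end + clock_skew}
    return sorted(hits)


def correlate(forum_text: str = FORUM_LOG, isp_text: str = ISP_LOG) -> Dict[str, List[str]]:
    """Map every post id to the subscriber account(s) that held its IP at post time."""
    leases = parse_isp_log(isp_text)
    return {p.post_id: subscribers_for(p, leases) for p in parse_forum_log(forum_text)}


if __name__ == "__main__":
    for post_id, subs in correlate().items():
        print(post_id, subs or "no lease covers this time", "(ambiguous)" if len(subs) > 1 else "")
```

Post 1004 is the caveat in action: it sits one minute after a lease changed hands, so within the clock-skew window two accounts are candidates and the log alone cannot say which. Even an unambiguous hit only reaches the subscriber; the slides' "IP address vs. fingerprint" point is that the step from subscriber to user needs the seized computer and witness evidence.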
Slide 11: Forensic techniques
- Digital evidence in the suspect's PC
- An IP address is not a fingerprint

Slide 12: The law: what was the criminal act?
- Violates the Control of Obscene and Indecent Articles Ordinance in Hong Kong: publishing obscene articles
- An IP address is not a fingerprint

Slide 13: Limitations
- Cross-jurisdiction: requires support from other countries (Interpol)

Slide 14: Difficulties
- Who was using the computer? Fingerprint vs. IP address
- Diagram: user YT Chung, photos downloaded, "Who am I?"

Slide 15: The story continues
- Feb 2: 4 men and 2 women are arrested, all from the computer repair shop Elite; 1 hoax photo of Cecilia is posted
- Feb 4: HC Sze is arrested
- Feb 5: 4 more obscene photos are posted, involving Gillian, Cecilia, BoBo and Rachel
- Feb 6: 209 photos are posted by Kira
- Feb 9: another 237 photos are posted by Kira, involving Gillian, Cecilia, BoBo and Vincy

Slide 16: What are the forensic questions?
- How was the computer repair shop Elite located? By traditional investigation technique
- What was the charge against HC Sze? "Access to computer with criminal or dishonest intent". Why him?
- Who is Kira? HC Sze? Not sure
Slide 17: Some events
Date (2008) | Event
Jan 29 | Photos of Edison and celebrities available on the Internet
Feb 1 | Mak's CD was seized
Feb 2, 6:55am | Janet's CD (with "X" mark) and PCs at home were seized
Feb 2, 7:45pm | Sze was arrested
Feb 2, 10:10pm | Sze's home PCs were seized
Feb 3 | Tse's home PC was seized (nothing relevant was found)
Feb 16 | Yip's home PC was seized (Edison's photos from the Internet were found)
Feb 18 | Chan's home PC was seized (nothing relevant was found)
Feb 21 | Edison's home PCs were seized
Feb 27 | Store's PC was seized
Feb 28 | Elite's server was seized

Slide 18: Who were Mak and Janet?
Relationship diagram (reconstructed from the slide labels):
- Mr Wong (PW6) is Edison's driver; the MacBook Pro belongs to Edison
- CD "X" belongs to Mak; it was given to / loaned to and returned by Janet
- The Power Mac G5 Duo belongs to "Store"; Store purchased computer service from Elite Computer Shop
- Store employees: Chung (PW5), Fanny (PW1) and Janet (PW2), with supervisor relationships among them
Slide 19: The beginning: Edison's MacBook Pro brought to Elite for service
- The MacBook Pro belongs to Edison; his driver, Wong (PW6), brought it to Elite for service, where Tse handled it; the photos were on the internal hard disk

Slide 20: When, where and how were the photos found?
- Between the service day and 4 days later, the photos inside the MacBook Pro's hard disk were found
- At Elite: Yip (boss) and employees Chan, Sze and Tse informed each other and viewed the photos together
- The photos were deleted 3-4 days afterwards ("do not leave evidence")
- A backup of the profile was made to an external hard disk, in a folder named "Lifestyle"

Slide 21: How did the photos get to the store?
- 8 June 2008: Sze performed computer service at "Store" on the Power Mac G5 Duo
- With a logon and password to some server (unknown), Mak viewed the photos and Janet downloaded them to a folder on the Power Mac G5 (Fanny also appears on the diagram)
- The photos were burned to CD "X" (Mak's CD), which was then given to / loaned to and returned

Slide 22: For the court
- The story: crime scene reconstruction
- Witness statements
- Evidence
Slide 23: Digital evidence: where is the source?
Diagram (reconstructed from the slide labels):
- MacBook Pro (exhibit P5), hard disk partition: edison/Desktop/the others 4.0/Pictures from Feb 6.zip
- Elite's server (shared password), belonging to Yip, and an Internet PC inside Elite; download
- CD "X" (exhibit P4) contained 239 photos, identical to the CD from Mok, and not the same as the ≃600 photos; created at ...:54 or ...:54

Slide 24: Witness statement

Slide 25: Crime scene reconstruction
- Chain (reconstructed from the slide labels): from the MacBook Pro, a copy of the folder "Lifestyles" was made on an external hard disk; the folder was copied and uploaded to a server (Elite server, Sze's home server or another server); it was downloaded at Store to the Power Mac G5; a CD was created: CD "X"
- Sze: 3 charges of access to computer with criminal or dishonest intent (labelled on the slide as charge 1: Yip, charge 2: Tse, charge 3: Chan)
- Supported by: the witness statements of Mak and Janet; the digital evidence, CD "X"; the digital crime scene reconstruction

Slide 26: Questions about the digital evidence
- Who created the CD marked "X", and when? There are 2 interpretations of the folder creation date/time on the CD
- How long would it take to download the photos? What was the bandwidth of the broadband link?
- Which server was used for the download? Elite server: with a shared password. Home PC: no trace
- Where is the "copy" from the original disk?
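The "2 interpretations of the folder creation date/time" on this slide come down to how the timestamp on the disc is read. As an added example that is not part of the presentation: an ISO 9660 directory record stores its recording date in 7 bytes (year-1900, month, day, hour, minute, second, GMT offset in 15-minute units), and volume descriptor dates are 17 ASCII bytes plus the same offset byte. Many burning programs write the local wall-clock time and leave the offset at 0, so the same bytes admit a reading as recorded (offset trusted, effectively UTC) and a reading as local time. In Hong Kong the two are eight hours apart and can fall on different days. The folder timestamp bytes are constructed; the seizure time used for the cross-check is the one on the slide 17 timeline.

```python
"""Two readings of a CD folder's creation time (ISO 9660 dates).

Added example, not the presenters' CD examination. Directory record
dates: 7 bytes, year-1900, month, day, hour, minute, second, GMT offset
in 15-minute units (signed byte, valid -48..+52). Volume descriptor
dates: "YYYYMMDDHHMMSScc" in ASCII plus the same offset byte. The sample
bytes are constructed; SEIZED_AT is the time on the slide 17 timeline.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

HKT = timezone(timedelta(hours=8))

# Constructed directory-record date: 2008-02-01 23:54:00 with offset field 0 (108 = 2008-1900)
SAMPLE_DIR_DATE = bytes([108, 2, 1, 23, 54, 0, 0])
# Constructed 17-byte volume date: the same wall-clock time with an explicit +08:00 (32 x 15 min)
SAMPLE_VOL_DATE = b"2008020123540000" + bytes([32])
# Janet's CD was seized at 6:55am on Feb 2 (slide 17)
SEIZED_AT = datetime(2008, 2, 2, 6, 55, tzinfo=HKT)


def gmt_offset_minutes(raw: int) -> Optional[int]:
    """Signed offset byte in 15-minute units; None when outside the valid range."""
    signed = raw - 256 if raw > 127 else raw
    return 15 * signed if -48 <= signed <= 52 else None


def decode_dir_record_date(b: bytes) -> Optional[datetime]:
    """7-byte directory record date; all-zero date fields mean 'not specified'."""
    if len(b) != 7:
        raise ValueError("directory record date must be 7 bytes")
    if not any(b[:6]):
        return None
    year, month, day, hour, minute, second, off = b
    minutes = gmt_offset_minutes(off)
    if minutes is None:
        raise ValueError(f"invalid GMT offset byte {off}")
    return datetime(1900 + year, month, day, hour, minute, second,
                    tzinfo=timezone(timedelta(minutes=minutes)))


def decode_volume_date(b: bytes) -> Optional[datetime]:
    """17-byte volume descriptor date; sixteen '0' digits mean 'not specified'."""
    if len(b) != 17:
        raise ValueError("volume descriptor date must be 17 bytes")
    digits = b[:16].decode("ascii")
    if digits == "0" * 16:
        return None
    minutes = gmt_offset_minutes(b[16])
    if minutes is None:
        raise ValueError(f"invalid GMT offset byte {b[16]}")
    dt = datetime.strptime(digits[:14], "%Y%m%d%H%M%S").replace(microsecond=int(digits[14:]) * 10000)
    return dt.replace(tzinfo=timezone(timedelta(minutes=minutes)))


def interpretations(dt: datetime, local_tz: timezone = HKT) -> Dict[str, datetime]:
    """Both readings, expressed in UTC so they can be compared with other evidence.

    as_recorded: trust the offset field as written.
    as_local_wallclock: assume the burner wrote local time and a meaningless offset 0.
    """
    return {
        "as_recorded": dt.astimezone(timezone.utc),
        "as_local_wallclock": dt.replace(tzinfo=local_tz).astimezone(timezone.utc),
    }


def readings_before_seizure(b: bytes, seized_at: datetime = SEIZED_AT, local_tz: timezone = HKT) -> Dict[str, bool]:
    """Which readings place the folder's creation before the disc was seized.

    A reading that puts creation after the seizure is impossible, so this
    cross-check against the physical timeline is one way to choose
    between the two interpretations.
    """
    dt = decode_dir_record_date(b)
    if dt is None:
        return {}
    cutoff = seized_at.astimezone(timezone.utc)
    return {name: t <= cutoff for name, t in interpretations(dt, local_tz).items()}
```

With the constructed bytes, the as-recorded reading (23:54 UTC on Feb 1, i.e. 07:54 on Feb 2 in Hong Kong) would put the folder's creation after the 6:55am seizure, so only the local wall-clock reading survives. A real examination needs the same test with the actual bytes and, ideally, a check of which burning software was used and how it fills the offset field.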
Slide 27: The story never ends: who is Kira?
- YT Chung: very unlikely
- HC Sze: unlikely
- Can we trace Kira using IP address traceback? Some more details follow

Slide 28: Our attempt to find Kira

Slide 29: Photos by Kira
- The photos by Kira were shared using the Foxy peer-to-peer software
- Whenever new photos surface on the Internet, users pass on the message using the code phrase "hurry on bit the fox" and the keyword "新閃卡" ("new flash card")
- Users share the files under the name 新閃卡 by putting them in their shared folder
- The photos spread rapidly on the Foxy network
- Can we find the first uploader in the Foxy network?

Slide 30: What is Foxy?
- A Traditional Chinese peer-to-peer file transfer program
- Initially published by Foxy Media, Inc.
- Widely used in Hong Kong, Mainland China and Taiwan; very popular in upper primary and secondary schools
- Closed-source program

Slide 31: Foxy architecture
- Connecting to the Foxy network
- Searching for files on the Foxy network: based on the Gnutella 2 protocol
- Downloading a file from a peer: based on HTTP download

Slide 32: Connecting to the Foxy network
1. USER connects to a Foxy server to obtain a peer list
2. The server returns a peer list to USER
3. USER sends a PING request to each peer
4. The peer returns a PONG response to USER
5. USER is now part of the Foxy network
Slide 33: Keyword searching in Foxy
- USER to ultrapeer: "I need a file with the name 新閃卡"
- Ultrapeer: "I don't have the file, and I don't know whether any of my peers have it; I'll forward the query to my peers"
- Peers: "I have that file" ... "I also have that file"
- The Gnutella "Query 2" (Q2) request returns a list of peers (IP addresses) that hold a full copy matching the request
- The Foxy "Download" request guarantees that such a copy is still available for download

Slide 34: Downloading a file from a peer
- USER asks the ultrapeer for 新閃卡; a peer answers "I have that file"
- USER then fetches the file directly from that peer over HTTP: GET /uri-res/N2R?urn:sha1:…
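The download step on this slide, as an added example that is not Foxy's code (Foxy is closed source) and not part of the presentation: a Gnutella query hit names content by urn:sha1:<base32 of the file's SHA-1>, and the download is an ordinary HTTP request for /uri-res/N2R?urn:sha1:... ("name to resource"). The peer address, port, User-Agent string and the peer's reply bytes are assumed for illustration, and the shared file is a constructed sample. The part worth keeping for evidence is the hash check: the URN, not the file name 新閃卡, is what identifies the content a peer actually served.

```python
"""Gnutella-style content-addressed download and the hash check behind it.

Added example; Foxy is closed source and this is not its code. The peer
address, port, User-Agent string and reply bytes are assumed; the shared
file is a constructed sample.
"""
import base64
import hashlib
from typing import Dict, Optional, Tuple


def sha1_urn(data: bytes) -> str:
    """urn:sha1: identifier of a file: base32 of the raw 20-byte SHA-1 digest."""
    return "urn:sha1:" + base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")


def build_get_request(urn: str, host: str, port: int) -> bytes:
    """Request a leaf sends to a peer that answered a query hit with this URN."""
    lines = [
        f"GET /uri-res/N2R?{urn} HTTP/1.1",
        f"Host: {host}:{port}",
        "User-Agent: example-leaf/0.1",   # assumed; Foxy's real agent string is not on the slides
        "Connection: close",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Minimal HTTP/1.x response split into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def verify_download(urn: str, raw_response: bytes) -> bool:
    """Accept the body only if it is complete and hashes to the URN we asked for.

    The URN from the query hit, not the advertised file name, identifies
    the content; a peer returning different or truncated bytes is caught
    here rather than trusted.
    """
    status, headers, body = parse_http_response(raw_response)
    if status != 200:
        return False
    if "content-length" in headers and len(body) != int(headers["content-length"]):
        return False
    return sha1_urn(body) == urn


# Constructed stand-in for the shared file.
SAMPLE_FILE = b"constructed sample payload standing in for the shared archive\n"


def fake_peer_reply(data: bytes, status: int = 200, declared_length: Optional[int] = None) -> bytes:
    """A constructed peer reply (not a real Foxy peer)."""
    length = len(data) if declared_length is None else declared_length
    reason = "OK" if status == 200 else "Not Found"
    head = (f"HTTP/1.1 {status} {reason}\r\n"
            f"Content-Type: application/binary\r\n"
            f"Content-Length: {length}\r\n\r\n")
    return head.encode("ascii") + data


def demo() -> Dict[str, object]:
    """Run the request/verify exchange against good, tampered, truncated and missing replies."""
    urn = sha1_urn(SAMPLE_FILE)
    return {
        "urn": urn,
        "request": build_get_request(urn, "198.51.100.7", 6346),
        "good": verify_download(urn, fake_peer_reply(SAMPLE_FILE)),
        "tampered": verify_download(urn, fake_peer_reply(SAMPLE_FILE[:-1] + b"!")),
        "truncated": verify_download(urn, fake_peer_reply(SAMPLE_FILE[:-10], declared_length=len(SAMPLE_FILE))),
        "missing": verify_download(urn, fake_peer_reply(b"", status=404)),
    }
```

A monitoring tool that records which peer served which URN, plus the verified hash of what was received, has the two facts a court later asks for: that the peer held the content and that the content is the one in question.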
Slide 35: Some findings
- All peers in the Foxy network are identical
- Every peer that has a copy matching a "Query" request returns its IP address to the requester
- When a file is widely distributed it is not possible to confirm that any given peer is the source
- (The same exchange as in slide 33: "I need a file with the name 新閃卡" ... "I have that file" ... "I also have that file")

Slide 36: How can we find Kira?
- In the Foxy network we have concluded that all peers are identical
- How can we find Kira (the first uploader of a file)?
- In Jan 2005 the first man in the world (古惑天王, "Big Crooke") was arrested by Hong Kong Customs and Excise officers for distributing movies using BT
- How could they find Big Crooke if all peers are identical?

Slide 37: Observation: file distribution in Foxy (figure)

Slide 38: Who may be the source?
- No definite answer today: more research ongoing
- May be possible to find under the following conditions: during the slow-rising period, and when the file is large
- Impossible after the slow-rising period: unable to confirm who was the first source
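One way to turn the two conditions on this slide into a decision rule, as an added example that is not the group's FoxyMon tool or its published rules: the input is what a monitor sees, namely at each poll the set of peers answering the keyword query with a full copy. The reading of the conditions is my own and is stated as an assumption: during the slow-rising period the holder set is tiny, so a single holder seen right after a poll with no holders is the candidate; and if the file is large, a full download cannot complete between two polls on any plausible link, so that holder could not have fetched it from an unseen peer in the meantime. Once the first sighting already shows many holders the source cannot be determined. All observations are constructed.

```python
"""Deciding whether monitoring caught a file's first uploader.

Added example (not the group's FoxyMon tool). Assumed reading of the
slide's conditions: a sole holder seen right after a zero-holder poll
during the slow-rising period is the candidate, and a large file makes
it impossible for that holder to have downloaded it between the two
polls. Observations are constructed.
"""
from typing import Dict, List, Set, Tuple

Observation = Tuple[float, Set[str]]   # (seconds since monitoring start, peers with a full copy)


def min_transfer_seconds(file_size_bytes: int, max_link_bps: float) -> float:
    """Lower bound on the time a full download takes on the fastest plausible link."""
    return file_size_bytes / (max_link_bps / 8.0)


def infer_first_uploader(observations: List[Observation], file_size_bytes: int, max_link_bps: float) -> Dict[str, object]:
    """Classify the earliest sighting of the file as candidate source, weak candidate, or undetermined."""
    obs = sorted(observations, key=lambda o: o[0])
    first = next((i for i, (_, holders) in enumerate(obs) if holders), None)
    if first is None:
        return {"status": "no_data", "peer": None, "reason": "file never seen"}
    t0, holders = obs[first]
    if len(holders) != 1:
        return {"status": "undetermined", "peer": None,
                "reason": f"{len(holders)} holders at first sighting: monitoring started after the slow-rising period"}
    peer = next(iter(holders))
    if first == 0:
        return {"status": "weak_candidate", "peer": peer,
                "reason": "no earlier poll with zero holders; the peer may itself have downloaded the file"}
    gap = t0 - obs[first - 1][0]
    need = min_transfer_seconds(file_size_bytes, max_link_bps)
    if gap < need:
        return {"status": "candidate", "peer": peer,
                "reason": f"sole holder {gap:.0f}s after a zero-holder poll; a full download needs at least {need:.0f}s"}
    return {"status": "weak_candidate", "peer": peer,
            "reason": f"a {gap:.0f}s gap is long enough ({need:.0f}s) for a download from an unobserved peer"}


# Constructed polls, one per minute: nobody, then one holder, then spread.
SLOW_RISING = [
    (0.0, set()),
    (60.0, {"10.0.0.5"}),
    (120.0, {"10.0.0.5", "10.0.0.9"}),
    (180.0, {"10.0.0.5", "10.0.0.9", "10.0.0.21"}),
]
# Constructed polls where monitoring began too late.
ALREADY_SPREAD = [
    (0.0, {"10.0.0.5", "10.0.0.9", "10.0.0.21", "10.0.0.33"}),
    (60.0, {"10.0.0.5", "10.0.0.9", "10.0.0.21", "10.0.0.33", "10.0.0.40"}),
]


if __name__ == "__main__":
    print(infer_first_uploader(SLOW_RISING, 700 * 1024 * 1024, 8e6))   # large file: candidate
    print(infer_first_uploader(SLOW_RISING, 1024 * 1024, 8e6))         # small file: weak candidate
    print(infer_first_uploader(ALREADY_SPREAD, 700 * 1024 * 1024, 8e6))  # undetermined
```

The "large file" condition is what gives the rule teeth: with a 700 MB file and an 8 Mbit/s link no peer can complete a download inside a one-minute polling interval, whereas a 1 MB file leaves room for an unobserved peer to have been the real source.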
Slide 39: Today's technology
Cyber crime investigation:
- IP address traceback, with international cooperation
- Traditional investigation technique: interviewing suspects and witnesses
Digital forensics:
- Preservation of digital evidence from hard disks
- Collection of logs from ISPs and forum owners
- Special equipment/software for different types of devices, e.g. CDs

Slide 40: Today's ordinances in Hong Kong
- Publishing obscene articles
- Access to computers with criminal or dishonest intent
- Others: distributing copyright-protected materials, ...

Slide 41: The limitations
- Across jurisdictions
- Linking the digital evidence to a specific person
- Finding the first uploader in a peer-to-peer network
- ...

Slide 42: What have we done? What's next?
- Crime scene reconstruction → crime model
- Investigating peer-to-peer networks
- What's next?

Slide 43: Our research roadmap in digital investigation and forensics
Matrix (grouping of the listed items reconstructed from the slides that follow):
- Intelligence gathering: social media mining, P2P monitoring; Internet surveillance
- Investigation: BTM, FoxyMon, DESK; DESK/QQ, BTM 2.0, cost-effective investigation tool
- Forensics: FAT allocation analysis tool, Bayesian network; cost-effective investigation model, live system consistency analysis
- Legal reasoning: Bayesian network model, Wigmore chart

Slide 44: Intelligence gathering / investigation
- Internet surveillance platform: social media mining
- Monitoring systems: BT monitoring (BTM), Foxy network monitoring (FoxyMon), auction site monitoring (ASM)
- Applications: cyber patrol, early-warning detection

Slide 45: The big picture: Internet surveillance platform
- Internet surveillance engine fed from the Internet, with a Web analyzer (forum, newsgroup and blog analysis), a protocol analyzer (BT, eMule and Foxy analysis) and a rule-based data analyzer (text, image, video and malware analysis; data mining)
- Crime models: auction fraud, illegal file sharing using BT, others
Slide 46: Internet surveillance platform (screenshot)

Slide 47: Internet surveillance platform: top 30 hot topics (screenshot)

Slide 48: Internet surveillance platform: timeline for a topic (e.g. T7) (screenshot)

Slide 49: Internet surveillance platform: research problems
- Timeline analysis
- Internet criminal profiling: Internet pirate user profiling; Internet auction fraud user profiling
- Principal investigators: Pierre Lai (PhD student), Tom Lai (MPhil student)

Slide 50: Investigation / forensics
- BT monitoring (version 2): able to collect evidence from the Internet in a forensically sound process
- DESK version 2
- Digital crime and investigation models based on Bayesian networks
- Live systems forensic analysis techniques: evidence integrity and consistency issues

Slide 51: A cost-effective digital forensics investigation model
- Practical issue: resource constraints and challenges
- Cost-effective investigation model, based on a Bayesian network

Slide 52: How to balance?
Resource constraints: limited forensic tools, limited manpower, limited time frame
Challenges: anti-forensic skills, security measures, complexity of the system, large volume of data
Slide 53: Purpose of the model
- Identify the minimum-cost path for the forensic investigation
- Formulate a "cut-off" point that avoids wasting resources
- Offer a systematic approach to forensic investigation
- Maintain evidential consistency

Slide 54: The model schema
Phase 1:
- Enumerate the traces
- Assign an investigation cost to each trace
- Rank the traces in order of investigation cost
- Assign an importance weight to each ranked trace
- Set up a Bayesian network model with the traces
- Run the BN model with all expected traces present to obtain α, the evidential threshold value
- Set the evidential weight W to zero
- Set the remaining total of evidential weight to α
Phase 2:
- Search for the traces in the ranked order
- For each trace examined, subtract its importance weight from the remaining total
- If the trace is present, add its importance weight to W
- If W is close to α, proceed to phase 3
- If W together with the remaining total can no longer sufficiently meet α, abandon the examination; otherwise conduct the full digital forensics process
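The two phases above as an added, runnable example; it is not the research group's tool. Two simplifications are assumptions: the Bayesian network that yields α is stood in for by the sum of the importance weights of all expected traces (the equivalent of running the model with every trace present), and "W close to α" is taken as W ≥ close_ratio × α. The trace list, costs and weights are constructed around the BitTorrent case on the later slides.

```python
"""The two-phase examination order with an early cut-off.

Added example implementing the schema above; it is not the research
group's tool. Assumptions: alpha is the sum of all importance weights
(standing in for the BN run with every trace present), "W close to
alpha" means W >= close_ratio * alpha, and the traces, costs and
weights are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Trace:
    name: str
    cost: float      # examiner effort to look for it (hours, assumed)
    weight: float    # importance weight (assumed)


def phase1(traces: List[Trace]) -> Dict[str, object]:
    """Rank traces by cost and set alpha, W and the remaining total."""
    ranked = sorted(traces, key=lambda t: t.cost)
    alpha = sum(t.weight for t in ranked)     # stands in for the BN run with all traces present
    return {"ranked": ranked, "alpha": alpha, "W": 0.0, "remaining": alpha}


def phase2(state: Dict[str, object], found: Callable[[Trace], bool], close_ratio: float = 0.7) -> Dict[str, object]:
    """Examine traces in ranked order and stop as soon as the outcome is decided.

    'proceed': W reached close_ratio * alpha, go to phase 3 (full examination)
    'abandon': even if every remaining trace were present, W could not reach the bar
    """
    alpha, W, remaining = state["alpha"], state["W"], state["remaining"]
    bar = close_ratio * alpha
    examined: List[Tuple[str, bool]] = []
    spent = 0.0
    decision = None
    for t in state["ranked"]:
        remaining -= t.weight          # this trace no longer counts as "still to come"
        spent += t.cost
        present = found(t)
        examined.append((t.name, present))
        if present:
            W += t.weight
        if W >= bar:
            decision = "proceed"
            break
        if W + remaining < bar:        # cut-off: the rest cannot make up the shortfall
            decision = "abandon"
            break
    if decision is None:               # only reachable with an empty trace list
        decision = "proceed" if W >= bar else "abandon"
    return {"decision": decision, "W": W, "remaining": remaining, "cost_spent": spent, "examined": examined}


# Constructed traces for a BitTorrent seeding allegation
BT_TRACES = [
    Trace("bt_client_installed", 0.5, 1),
    Trace("torrent_file_on_disk", 1.0, 3),
    Trace("forum_post_of_torrent", 2.0, 2),
    Trace("tracker_connection_log", 3.0, 5),
    Trace("shared_file_on_disk", 4.0, 4),
]


def run(present: set, traces: List[Trace] = BT_TRACES, close_ratio: float = 0.7) -> Dict[str, object]:
    """Simulate an examination in which exactly the named traces turn out to be present."""
    return phase2(phase1(traces), lambda t: t.name in present, close_ratio)


if __name__ == "__main__":
    print(run(set()))                                              # abandoned after 3 cheap traces
    print(run({"bt_client_installed", "torrent_file_on_disk"}))    # abandoned after 4
    print(run({t.name for t in BT_TRACES}))                        # proceeds after 4, before the costliest search
```

The saving is in the abandoned cases: with nothing found among the three cheapest traces the remaining weight cannot reach the bar, so the tracker log pull and the full disk search for the shared file are never started. The cut-off is only as sound as the weights, which in the group's model come from the Bayesian network rather than from the flat sum assumed here.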
Slide 55: Live systems forensic analysis
- Collect digital evidence from a live running system, e.g. transient network connections
- Research questions: how to make use of the digital evidence collected from a live running system, filter out irrelevant information and reconstruct the crime scene; integrity and consistency issues
- Ref: F. Law, K.P. Chow, M. Kwan and P. Lai, "Consistency Issue on Live Systems Forensics", to appear in the 2007 International Workshop on Forensics for Future Generation Communication Environments (F2GC-07), Korea

Slide 56: Forensics / legal reasoning
- Heuristic rules to analyze MAC times on NTFS
- Bayesian network approach to digital forensic analysis
- Legal reasoning model for digital crime
- Analyzing the temporal relationship of digital photos in a FAT file system based on sector allocation
- Software forensics model and process
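The FAT allocation idea on this slide, as an added example that is not the group's FAT allocation analysis tool: a FAT directory entry holds a first-cluster number and DOS-encoded timestamps (local time with no zone; 2-second resolution, plus a 10 ms field on the creation time). On a volume that has not been fragmented by deletions the driver hands out clusters in ascending order, so for photos written straight from a camera the first-cluster order is the true write order, and a timestamp that contradicts it points to a changed camera clock, a copy made with preserved timestamps, or deliberate backdating. The directory entries are constructed.

```python
"""Ordering photos on a FAT volume by cluster allocation, then checking the timestamps.

Added example (not the group's FAT allocation analysis tool). The
ascending-cluster-equals-write-order rule assumes a volume with no
deletions between the writes; the entries below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


def decode_fat_datetime(date_word: int, time_word: int, tenths: int = 0) -> datetime:
    """DOS date/time words as stored in a FAT directory entry (local time, no zone)."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2                 # stored in 2-second units
    fine = timedelta(milliseconds=10 * tenths)      # creation-time 10 ms field, 0..199
    return datetime(year, month, day, hour, minute, second) + fine


@dataclass(frozen=True)
class DirEntry:
    name: str
    first_cluster: int
    created: datetime


def parse_entries(raw: List[Tuple[str, int, int, int, int]]) -> List[DirEntry]:
    """raw tuples: (8.3 name, first cluster, create date word, create time word, tenths)."""
    return [DirEntry(n, c, decode_fat_datetime(d, t, x)) for n, c, d, t, x in raw]


def inferred_write_order(entries: List[DirEntry]) -> List[str]:
    """Write order implied by allocation: ascending first cluster."""
    return [e.name for e in sorted(entries, key=lambda e: e.first_cluster)]


def timestamp_anomalies(entries: List[DirEntry], tolerance: timedelta = timedelta(seconds=2)) -> List[str]:
    """Files whose creation time is earlier than that of a file allocated before them.

    The 2 s tolerance absorbs the DOS time resolution; anything beyond it
    cannot be explained by the encoding and needs an explanation from the
    examiner (clock change, copy with preserved times, backdating).
    """
    flagged: List[str] = []
    latest_seen = None
    for e in sorted(entries, key=lambda e: e.first_cluster):
        if latest_seen is not None and e.created < latest_seen - tolerance:
            flagged.append(e.name)
        if latest_seen is None or e.created > latest_seen:
            latest_seen = e.created
    return flagged


# Constructed directory entries standing in for a camera card image.
SAMPLE_RAW = [
    ("IMG_0001.JPG", 10, 0x3834, 20480, 0),     # 2008-01-20 10:00:00
    ("IMG_0002.JPG", 250, 0x3834, 20495, 50),   # 2008-01-20 10:00:30.50
    ("IMG_0003.JPG", 500, 0x3834, 20513, 0),    # 2008-01-20 10:01:02
    ("IMG_0004.JPG", 1200, 0x382F, 18432, 0),   # 2008-01-15 09:00:00 but allocated last
]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_RAW)
    print(inferred_write_order(entries))
    print(timestamp_anomalies(entries))
```

IMG_0004.JPG is flagged: it occupies the highest clusters, so it was written last, yet its creation time is five days earlier than the file written before it. The allocation order is the stronger witness because the driver sets it and the user cannot easily edit it, while the timestamp is whatever the camera or copying program chose to write.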
Slide 57: Bayesian network for digital forensics
- Use a Bayesian network model to analyze and interpret digital evidence in digital forensic cases
- The Bayesian network and belief propagation are used to determine the "likelihood" of a crime when the validity of some of the digital evidence cannot be established

Slide 58: Bayesian network crime models
5 Bayesian network models are defined:
- Sharing of copyright-protected material using BitTorrent
- Online auction fraud
- Online game weapon theft
- DDoS attack
- Cyber-locker

Slide 59: BitTorrent: sharing copyright-protected material
1. Copy the data to share to Computer A
2. Create the torrent file
3. Publish the torrent file on a newsgroup / discussion forum
4. Activate the torrent file and connect to the tracker server
5. Through this communication the tracker server learns that Computer A has 100% of the data; Computer A is labelled a seeder
When a BT program connects to the tracker server: 1. the BT program is activated; 2. it notifies the tracker that a peer has joined; 3. the tracker asks how much (%) of the file the peer has; 4. the tracker broadcasts the latest peer list to the connected peers
The torrent file contains metadata about the file: time of creation, file name, size, stored location, address of the tracker server, hash values of the fragments, etc. The BT program "chops" the file into fragments of 256 KB for transmission
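The torrent metadata listed on this slide, read by an added example that is not the group's BTM tool: a torrent file is a bencoded dictionary with 'announce' (tracker URL), 'creation date' and an 'info' dictionary holding 'name', 'length', 'piece length' and 'pieces' (the 20-byte SHA-1 of every fragment, concatenated). The SHA-1 of the bencoded 'info' dictionary is the info hash by which tracker and peers identify the content, so a seized torrent can be tied to the swarm seen in tracker or monitoring logs by that value rather than by its file name. The sample torrent is built from constructed content; the 256 KB piece size follows the slide.

```python
"""Reading a .torrent's metadata and computing its info hash.

Added example (not the group's BTM tool). The sample torrent is built
from constructed content; tracker URL and file name are assumed.
"""
import hashlib
from typing import Any, Dict, Tuple


def _decode(data: bytes, i: int) -> Tuple[Any, int]:
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = _decode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":                                   # dict with byte-string keys
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = _decode(data, i)
            v, i = _decode(data, i)
            d[k] = v
        return d, i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n, start = int(data[i:colon]), colon + 1
        if start + n > len(data):
            raise ValueError("string runs past end of data")
        return data[start:start + n], start + n
    raise ValueError(f"bad bencode at offset {i}")


def bdecode(data: bytes) -> Any:
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def bencode(value: Any) -> bytes:
    if isinstance(value, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):                     # keys must be sorted as raw byte strings
        items = sorted((k.encode("utf-8") if isinstance(k, str) else k, v) for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def raw_info_bytes(data: bytes) -> bytes:
    """Exact bytes of the top-level 'info' value: the info hash is SHA-1 over these, not over a re-encoding."""
    i = 1                                           # skip the leading 'd'
    while data[i:i + 1] != b"e":
        key, i = _decode(data, i)
        start = i
        _, i = _decode(data, i)
        if key == b"info":
            return data[start:i]
    raise KeyError("no info dictionary")


def torrent_summary(data: bytes) -> Dict[str, Any]:
    """The fields an examiner records from a seized single-file torrent."""
    meta = bdecode(data)
    info = meta[b"info"]
    pieces, piece_len, length = info[b"pieces"], info[b"piece length"], info[b"length"]
    if len(pieces) % 20:
        raise ValueError("'pieces' is not a multiple of 20 bytes")
    if len(pieces) // 20 != -(-length // piece_len):   # ceil(length / piece_len)
        raise ValueError("piece count does not match length / piece length")
    return {
        "tracker": meta[b"announce"].decode("utf-8"),
        "creation_date": meta.get(b"creation date"),
        "name": info[b"name"].decode("utf-8"),
        "length": length,
        "piece_length": piece_len,
        "pieces": len(pieces) // 20,
        "piece_hashes": [pieces[k:k + 20].hex() for k in range(0, len(pieces), 20)],
        "info_hash": hashlib.sha1(raw_info_bytes(data)).hexdigest(),
    }


def make_torrent(name: str, content: bytes, tracker: str, piece_length: int = 256 * 1024, creation_date: int = 0) -> bytes:
    """Build a single-file torrent the way a client does (used here only to make the constructed sample)."""
    pieces = b"".join(hashlib.sha1(content[i:i + piece_length]).digest() for i in range(0, len(content), piece_length))
    return bencode({"announce": tracker, "creation date": creation_date,
                    "info": {"name": name, "length": len(content), "piece length": piece_length, "pieces": pieces}})


# Constructed sample: two full 256 KB pieces plus a 100-byte tail
SAMPLE_TORRENT = make_torrent("sample.avi", b"x" * (2 * 256 * 1024 + 100), "http://tracker.example/announce", creation_date=1201500000)
```

Two details matter in practice: the info hash must be taken over the bytes as they sit in the file (raw_info_bytes), because a re-encoded dictionary from a non-canonical torrent would hash differently from what the tracker saw, and the piece hashes let the examiner prove that a file found on the seized disk is byte-for-byte the content the torrent described, fragment by fragment.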
Slide 60: Graphical representation of the digital evidence in the BT case
- Based on the digital evidence reported in the case, the calculated probability that the hypothesis H is valid is 92.27%
- It is then the judge who decides whether it is beyond reasonable doubt that the forensic hypothesis H is valid
- There is also other, physical, evidence in the case

Slide 61: The Bayesian network model of the BitTorrent case (figure)
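How a figure like the 92.27% above is produced, as an added example; the group's own BitTorrent model, its conditional probability tables and that figure are not reproduced here. The structure assumed is the simplest one such models take: a hypothesis node H with one child per digital trace, the traces conditionally independent given H, for which belief propagation reduces to multiplying likelihoods. Evidence whose validity cannot be established (the case slide 57 mentions) is either left unobserved, contributing nothing, or entered as virtual evidence with a reliability r. All probabilities are assumed for illustration.

```python
"""Posterior for a forensic hypothesis from partly established evidence.

Added example; not the group's model or its probability tables. The
network is assumed to be H with one child per trace (conditionally
independent given H); all numbers below are assumed.
"""
from typing import Dict, Optional, Tuple

# cpts[trace] = (P(trace present | H true), P(trace present | H false)); assumed values
BT_CPTS: Dict[str, Tuple[float, float]] = {
    "bt_client_installed":     (0.95, 0.30),
    "torrent_file_on_disk":    (0.90, 0.05),
    "torrent_posted_on_forum": (0.70, 0.02),
    "tracker_connection":      (0.85, 0.05),
    "complete_file_on_disk":   (0.90, 0.10),
}


def _likelihood(p_present: float, reported_present: bool, reliability: float) -> float:
    """P(report | H-state) when the report is correct with probability `reliability`."""
    p_obs = p_present if reported_present else 1.0 - p_present
    return reliability * p_obs + (1.0 - reliability) * (1.0 - p_obs)


def posterior_h(prior_h: float, cpts: Dict[str, Tuple[float, float]],
                observations: Dict[str, Optional[bool]],
                reliability: Optional[Dict[str, float]] = None) -> float:
    """P(H true | observations).

    observations[trace] is True/False for an established finding and None
    when validity cannot be established (the node stays unobserved).
    reliability[trace] = r enters the finding as virtual evidence that is
    correct with probability r; absent means r = 1.
    """
    reliability = reliability or {}
    weight_true, weight_false = prior_h, 1.0 - prior_h
    for trace, state in observations.items():
        if state is None:
            continue
        p_true, p_false = cpts[trace]
        r = reliability.get(trace, 1.0)
        weight_true *= _likelihood(p_true, state, r)
        weight_false *= _likelihood(p_false, state, r)
    total = weight_true + weight_false
    return weight_true / total if total else prior_h


def bt_case(observations: Dict[str, Optional[bool]],
            reliability: Optional[Dict[str, float]] = None, prior_h: float = 0.5) -> float:
    """Posterior (rounded to 4 places) for the constructed BitTorrent model."""
    return round(posterior_h(prior_h, BT_CPTS, observations, reliability), 4)


if __name__ == "__main__":
    print(bt_case({"bt_client_installed": True, "torrent_file_on_disk": True,
                   "torrent_posted_on_forum": None,      # forum post could not be verified
                   "tracker_connection": False, "complete_file_on_disk": True}))
    print(bt_case({"bt_client_installed": True, "torrent_file_on_disk": True},
                  {"torrent_file_on_disk": 0.6}))        # torrent finding only 60% reliable
```

The posterior is the number handed to the court; as the slide says, whether it amounts to proof beyond reasonable doubt is the judge's decision, and the physical evidence is weighed separately.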
Slide 62: Digital evidence of online auction fraud
Prosecution hypotheses:
- Hp: the computer has been used as the transaction tool for auctioning the fake item
- Hp1: uploading of auction item material related to the fake item has been performed
- Hp2: manipulation of the corresponding auction item has taken place
- Hp3: communication between the seller and the buyer about the fake item has occurred

Slide 63: Digital evidence of online auction fraud (figure)

Slide 64: Software forensics model and process: a case study in Hong Kong
- 2000 – Oct 2005: D was working in Company A, owned by Y, as a key programmer responsible for 1/3 of the coding of the accounting software P
- Nov 2005: D left Company A and set up a new company, Company B, selling accounting software Q, similar to P (since then, Company A's revenue dropped significantly)

Slide 65: Software forensics case study
- May 2006: someone in Company A bought a set of Q and found that its functions and applications are very similar to P
- Company A lodged a complaint with the C&E Dept (Customs and Excise Department)

Slide 66: Software forensics model
Key questions:
- Do source codes exist in the seized hard disks (PC with hard disks)?
- Can the source codes be used to generate the different versions of T's software system bought from shops?
- Is there any relationship between G's source code (G being the copyright owner) and T's source code?

Slide 67: Questions 1 & 2
- Do source codes exist in the seized hard disks? Yes, …
- Can the source codes be used to generate the different versions of T's software system from shops?

Slide 68: Question 3: any relationship between G's source code and T's source code?
- Both are Delphi source codes
- Comparison of G's source code with T's source code: name analysis; source code comparison (line by line); search for evidence that infers copying

Slide 69: Software forensics process
- Name analysis: filename comparison; function and procedure name comparison; database comparison
- Source code comparison: line-by-line comparison; search for "core functions" as identified by the copyright owner, e.g. IncOrDecStockLocQty, CheckJnlNo

Slide 70: Software forensic analysis

Slide 71: Evidence that infers copying
- Locard's exchange principle: "with contact between two items, there will be an exchange"
- Search for unusual "things" in the hard disks: the copyright notice of G; dead program statements and commented-out program statements; dead files
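The process on slides 69 and 71 carried out on two small Delphi units, as an added example that is not the group's software forensics tool: name analysis over procedure and function identifiers, a normalised line-by-line comparison, and a search for the artefacts an independent rewrite would not contain, namely the owner's copyright notice and commented-out statements that match lines of the owner's code. Both units and the company names are constructed; the two core function names are the ones the slide quotes.

```python
"""Comparing two Delphi code bases for signs of copying.

Added example (not the group's software forensics tool). Both units
and the company names are constructed; the core function names follow
the slide.
"""
import re
from difflib import SequenceMatcher
from typing import Dict, List, Set

# Constructed: the copyright owner G's unit
G_SOURCE = """\
unit StockUtils;
{ Copyright (c) 2003 Company A Limited. All rights reserved. }
implementation
procedure IncOrDecStockLocQty(LocID: Integer; Qty: Double);
begin
  Qry.SQL.Text := 'UPDATE StockLoc SET Qty = Qty + :Q WHERE LocID = :L';
  Qry.ParamByName('Q').AsFloat := Qty;
  Qry.ParamByName('L').AsInteger := LocID;
  Qry.ExecSQL;
end;
function CheckJnlNo(const JnlNo: string): Boolean;
begin
  Result := (Length(JnlNo) = 10) and (JnlNo[1] = 'J');
end;
end.
"""

# Constructed: the suspect T's unit, renamed variables, one added function, one tell-tale comment
T_SOURCE = """\
unit StockFuncs;
{ Copyright (c) 2003 Company A Limited. All rights reserved. }
implementation
procedure IncOrDecStockLocQty(LocID: Integer; Qty: Double);
begin
  // Qry.ParamByName('L').AsInteger := LocID;
  Query1.SQL.Text := 'UPDATE StockLoc SET Qty = Qty + :Q WHERE LocID = :L';
  Query1.ParamByName('Q').AsFloat := Qty;
  Query1.ParamByName('L').AsInteger := LocID;
  Query1.ExecSQL;
end;
function CheckJnlNo(const JnlNo: string): Boolean;
begin
  Result := (Length(JnlNo) = 10) and (JnlNo[1] = 'J');
end;
function NewReportTitle: string;
begin
  Result := 'Company B Report';
end;
end.
"""

_NAME_RE = re.compile(r"^\s*(?:procedure|function)\s+(?:\w+\.)?(\w+)", re.IGNORECASE | re.MULTILINE)


def routine_names(src: str) -> Set[str]:
    """Procedure/function identifiers (class prefix stripped)."""
    return set(_NAME_RE.findall(src))


def name_analysis(a: str, b: str) -> Dict[str, object]:
    na, nb = routine_names(a), routine_names(b)
    return {"common": sorted(na & nb), "only_in_a": sorted(na - nb), "only_in_b": sorted(nb - na),
            "jaccard": len(na & nb) / len(na | nb) if na | nb else 0.0}


def normalised_lines(src: str) -> List[str]:
    """Strip comments, collapse whitespace, lowercase, drop blanks: the unit of line comparison."""
    out = []
    for line in src.splitlines():
        line = re.sub(r"//.*$", "", line)
        line = re.sub(r"\{.*?\}", "", line)
        line = re.sub(r"\s+", " ", line).strip().lower()
        if line:
            out.append(line)
    return out


def line_comparison(a: str, b: str) -> Dict[str, object]:
    la, lb = normalised_lines(a), normalised_lines(b)
    sm = SequenceMatcher(None, la, lb, autojunk=False)
    blocks = [m for m in sm.get_matching_blocks() if m.size > 0]
    return {"lines_a": len(la), "lines_b": len(lb), "matched": sum(m.size for m in blocks),
            "longest_run": max((m.size for m in blocks), default=0), "ratio": sm.ratio()}


def copying_artefacts(owner_notice: str, a: str, b: str) -> Dict[str, object]:
    """Locard-style traces of a in b: the owner's notice and commented-out lines that are live lines of a."""
    a_lines = set(normalised_lines(a))
    commented = []
    for line in b.splitlines():
        m = re.match(r"^\s*//\s*(.+)$", line)
        if m and re.sub(r"\s+", " ", m.group(1)).strip().lower() in a_lines:
            commented.append(m.group(1).strip())
    return {"owner_notice_present": owner_notice.lower() in b.lower(), "commented_out_lines_from_a": commented}
```

Renaming Qry to Query1 defeats the naive line comparison for the four statements in the procedure body, which is why the three steps are used together: the shared core function names, the untouched CheckJnlNo body, the owner's notice and a commented-out line that only exists in the owner's version each survive a different kind of cosmetic change.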
Slide 72: Identical dead files (screenshot)

Slide 73: Copyright notices found embedded in the source code (screenshot)

Slide 74: Sample commented-out program statement (screenshot)

Slide 75: Sample dead program statement (screenshot)

Slide 76: Our research team and research products

Slide 77: Computer Forensics Research Group
Our team:
- 5+ PhD students and 3+ MPhil students
- 3+ faculty members and 2 researchers (with PhD)
- 3 full-time engineers and several part-time engineers
- MSc project students and final-year project students
Our work:
- Applied research: forensic and investigation tools, video analysis tools
- Basic digital forensics research
Our website: CISC

Slide 78: Project – DESK (2005)

Slide 79: DESK/QQ
- Screenshot of the QQ analysis
- Partner: Shandong Computer Science Center, Shandong Academy of Sciences

Slide 80: Project – BTM (2006)

Slide 81: BTM v2: screenshot of the automatic download

Slide 82: BTM v2 (screenshot)

Slide 83: International collaborations
- DESK enhancement and China customization with the Shandong Computer Science Center of the Shandong Academy of Sciences
- Bayesian networks for digital crimes with King's College, University of London, UK
- Harbin Institute of Technology, Shenzhen
- The Sixth Annual IFIP WG 11.9 International Conference on Digital Forensics was hosted at HKU on Jan 3-6, 2010

Slide 84: Resources
- http://en.wikipedia.org/wiki/Edison_Chen_photo_scandal
- Eastweek magazine, vol. 233, 13 Feb 2008
- P. Crowley, CD and DVD Forensics, Syngress, 2007
- R. Jones, Internet Forensics, O'Reilly, 2006
- R. Ieong, P. Lai, K.P. Chow, M. Kwan, F. Law, H. Tse and K. Tse, "Forensic Investigation of Peer-to-Peer Networks", in Handbook of Research on Computational Forensics, Digital Crime and Investigation: Methods and Solutions, IGI Global, 2009
- R. Ieong, P. Lai, K.P. Chow, M. Kwan and F. Law, "Is it an Initial Seeder? Derived Rules that Indicate a Seeder is within the Slow-Rising Period", Sixth IFIP WG 11.9 International Conference on Digital Forensics, 2010
- Frank Y.W. Law, K.P. Chow, Pierre K.Y. Lai and Hayson K.S. Tse, "A Host-based Approach to BotNet Investigation", 1st International Conference on Digital Forensics and Cyber Crime, 2009

Slide 85: Thank you