Cyber Crime and IT Forensics – The Edison Chen Story


1 Cyber Crime and IT Forensics – The Edison Chen Story
22-March-2004 | Ir Dr. K.P. Chow, Computer Forensics Research Group, Center for Information Security and Cryptography (CISC), University of Hong Kong | August 2010

2 Agenda
- A practitioner approach to introduce cyber crime and IT forensics
- Internet investigation
- Digital forensics
- Our research roadmap

3 A practitioner approach to introduce cyber crime and IT forensics

4 Key topics in cyber crime and forensics
- Internet investigation
- Digital forensics
Any interesting case? The Edison Chen photo scandal. Let's travel back to 27 Jan 2008.

5 Who is Edison Chen?
Who else? Who is he?

6 The story begins in Jan 2008
- Jan 27, evening: 1 photo of Edison and Gillian is posted in discussion forums in Hong Kong
- Jan 28, afternoon: 1 photo of Edison and Bobo is posted in many forums; Edison and Gillian announce that the photos are hoaxes
- Jan 29: 5 photos of Gillian and 2 photos of Cecilia are posted
- Jan 30: 4 photos of Cecilia are posted

7 What are the forensics questions?
- Are the photos real or hoaxes?
- Who posted the photos on the forums?

8 Are the photos real?
Factors to be considered: lighting; eyes and positions; specular highlights; "send in the clones" (detecting cloned regions); camera fingerprints; forensic photography.
Not our current research focus.

9 Who posted the photos on the forums?
Diagram (flattened): user YT Chung, IP address A; photos downloaded; photos uploaded to Forum B outside HK; Forum A in HK; photos of G and C; photos of G.
On Jan 31 the first person, YT Chung, is arrested for the case.

10 Investigation techniques
Tracing using the IP address:
- Most forums keep the IP addresses of users who create the posts
- Most ISPs keep records of the assignment of IP addresses to their subscribers
Difference between an IP address and a fingerprint
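A worked version of the tracing step, as an added example that is not part of the presentation: a forum post's source IP and posting time are matched against the ISP's address-assignment records, with the forum logging Hong Kong time and the ISP export assumed to be in UTC. The log formats, addresses and subscriber identifiers are constructed. The zero-hit and multiple-hit outcomes are exactly the situations in which the IP address stops behaving like a fingerprint.

```python
"""Correlate a forum post's source IP with ISP address-assignment records.

Added example, not code from the presentation. All records below are
constructed for illustration; the forum log format, the ISP lease format and
the subscriber identifiers are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HKT = timezone(timedelta(hours=8))   # the forum in Hong Kong logs local time
UTC = timezone.utc                    # assumption: the ISP exports leases in UTC


@dataclass(frozen=True)
class ForumPost:
    post_id: str
    ip: str
    posted_at: datetime          # timezone-aware


@dataclass(frozen=True)
class Lease:
    ip: str
    subscriber: str
    start: datetime              # timezone-aware, inclusive
    end: datetime                # exclusive


def _ts(s: str, tz) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)


def parse_forum_line(line: str) -> ForumPost:
    """Forum export (assumed format): '<post_id>,<ip>,<YYYY-MM-DD HH:MM:SS>' in HKT."""
    post_id, ip, ts = line.strip().split(",")
    return ForumPost(post_id, ip, _ts(ts, HKT))


def parse_lease_line(line: str) -> Lease:
    """ISP export (assumed format): '<ip>,<subscriber>,<start>,<end>' in UTC."""
    ip, sub, start, end = line.strip().split(",")
    return Lease(ip, sub, _ts(start, UTC), _ts(end, UTC))


def subscribers_for(post: ForumPost, leases: list[Lease]) -> list[str]:
    """Subscribers whose lease of post.ip covered the posting instant.

    The comparison uses timezone-aware datetimes, so the HKT/UTC offset is
    handled instead of silently assumed away. Zero hits means no record (a
    retention gap or clock skew); more than one hit means the logs are
    ambiguous (overlapping leases, or a shared/NAT address). Either way, an IP
    address identifies a subscriber's connection at a point in time, not a
    person at the keyboard.
    """
    return [l.subscriber for l in leases
            if l.ip == post.ip and l.start <= post.posted_at < l.end]


# Constructed sample data.
FORUM_LOG = [
    "p1001,203.0.113.45,2008-01-27 21:15:02",   # 13:15:02 UTC
    "p1002,203.0.113.45,2008-01-28 03:40:10",   # 19:40:10 UTC on the previous day
    "p1003,198.51.100.7,2008-01-28 15:00:00",   # 07:00:00 UTC
]
ISP_LOG = [
    "203.0.113.45,SUB-A,2008-01-27 10:00:00,2008-01-27 16:00:00",
    "203.0.113.45,SUB-B,2008-01-27 16:00:00,2008-01-28 08:00:00",
    "198.51.100.7,SUB-C,2008-01-28 00:00:00,2008-01-28 23:59:59",
    "198.51.100.7,SUB-D,2008-01-28 06:00:00,2008-01-28 12:00:00",  # overlapping record
]


def attribute_all(forum_lines=FORUM_LOG, isp_lines=ISP_LOG) -> dict[str, list[str]]:
    """Map every post id to the subscriber(s) the ISP records point at."""
    leases = [parse_lease_line(l) for l in isp_lines]
    posts = (parse_forum_line(l) for l in forum_lines)
    return {p.post_id: subscribers_for(p, leases) for p in posts}


if __name__ == "__main__":
    for pid, subs in attribute_all().items():
        flag = "AMBIGUOUS" if len(subs) > 1 else ("NO RECORD" if not subs else "")
        print(pid, subs, flag)
```

Had the 21:15 HKT timestamp of p1001 been compared against the UTC leases without conversion, it would have landed on SUB-B instead of SUB-A; p1003 shows the overlapping-lease case that a request to the ISP must resolve before anyone is named.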

11 Forensics techniques Digital evidence in the suspect’s PC
Difference between an IP address and a fingerprint

12 The Law What was the crime act?
Violates the "Control of Obscene and Indecent Articles Ordinance" in Hong Kong: publishing obscene articles
Difference between an IP address and a fingerprint

13 Limitations
Cross-jurisdiction: requires support from other countries (Interpol)

14 Difficulties
Who was using the computer? Fingerprint vs. IP address
Diagram: user YT Chung; photos downloaded; "Who am I?"

15 The story continues
- Feb 2: 4 men and 2 women are arrested, all from the computer repair shop Elite; 1 hoax photo of Cecilia is posted
- Feb 4: HC Sze is arrested
- Feb 5: 4 more obscene photos are posted, involving Gillian, Cecilia, BoBo and Rachel
- Feb 6: 209 photos are posted by Kira
- Feb 9: another 237 photos are posted by Kira again, involving Gillian, Cecilia, BoBo and Vincy

16 What are the forensics questions?
- How was the computer repair shop Elite located? By traditional investigation techniques
- What was the charge against HC Sze? HC Sze was charged with "access to computer with criminal or dishonest intent"
- Why him?
- Who is Kira? HC Sze? Not sure

17 Some events
Date (2008) | Event
Jan 29 | Photos of Edison and celebrities available on the Internet
Feb 1 | Mak's CD was seized
Feb 2, 6:55am | Janet's CD (with "X" mark) and PCs at home were seized
Feb 2, 7:45pm | Sze was arrested
Feb 2, 10:10pm | Sze's home PCs were seized
Feb 3 | Tse's home PC was seized (nothing relevant was found)
Feb 16 | Yip's home PC was seized (Edison's photos from the Internet were found)
Feb 18 | Chan's home PC was seized (nothing relevant was found)
Feb 21 | Edison's home PCs were seized
Feb 27 | Store's PC was seized
Feb 28 | Elite's server was seized

18 Who were Mak and Janet?
Relationship diagram (flattened; PW = prosecution witness): Mr Wong (PW6) is Edison's driver; the MacBook Pro belongs to Edison; CD "X"; Mak gives his CD to Janet (loan / return); Mak's CD; a Power Mac G5 Duo purchased from Elite Computer Shop (computer service); the Store (computer service), whose employees include Chung (PW5, supervisor), Fanny (PW1) and Janet (PW2).

19 The Beginning: Edison's MacBook Pro brought to Elite for service
Diagram (flattened): the MacBook Pro (hard disk inside) belongs to Edison; his driver Wong (PW6) brings it to Elite for service; Tse at Elite.

20 When, where and how were the photos found?
Service day to +4 days: photos inside the MacBook Pro hard disk were found.
Diagram (flattened): Elite staff Chan, Yip (boss), Sze, Tse; inform; view together; delete 3-4 days afterwards; back up; profile; "do not leave evidence"; external hard disk with folder "Lifestyle".

21 How did the photos get to the Store?
8 June 2008: Sze performed computer service at the "Store".
Diagram (flattened): Elite; Store; Sze services the Power Mac G5 Duo; logon / password; some server (unknown); Fanny; Mak views photos; download to the Power Mac G5; folder; burn to CD; CD "X" (Mak's CD); loan / return; given to Janet.

22 For the court
The story: crime scene reconstruction; witness statements; evidence.

23 Digital Evidence
Where is the source? (diagram, flattened)
- MacBook Pro (P5), hard disk inside: partition edison/Desktop/the others 4.0/Pictures from Feb; Pictures from Feb
- Elite server (shared password), belongs to Yip; Internet; a PC inside Elite contained 239 downloaded photos; not the same
- ≃ 600 photos
- CD "X" (P4): identical to the CD from Mak; created …:54 or …:54

24 Witness statement

25 Crime Scene Reconstruction
Diagram (flattened): other server; Power Mac G5; Sze's home server; external hard disk; folder "Lifestyles"; copy folder; make copy; upload to server; download; knowledge; Elite server; create CD; CD "X"; Yip, Tse, Chan (charge 1, charge 2, charge 3); Sze.
Sze: 3 charges of access to computer with criminal or dishonest intent, supported by witness statements (Mak and Janet), digital evidence (CD "X") and digital crime scene reconstruction.

26 Questions about the digital evidence
- Who created the CD marked "X", and when? There are 2 interpretations of the folder creation date/time on the CD
- How long would it take to download the photos? What was the bandwidth of the broadband link?
- Which server was used for the download? Elite server: shared password. Home PC: no trace
- Where is the "copy" from the original disk?

27 The story never ends
Who is Kira? YT Chung: very unlikely. HC Sze: unlikely. Can we trace Kira using IP address traceback? Some more details follow.

29 Photos by Kira
The photos by Kira were shared using the Foxy peer-to-peer software: whenever new photos surfaced on the Internet, users passed on the message using the code phrase "hurry on bit the fox" and the keyword "新閃卡" ("new flash card"). Users shared the files under names containing 新閃卡 by putting those files in their share folder. The photos spread rapidly on the Foxy network. Can we find the first uploader in the Foxy network?

30 What is Foxy?
A Traditional Chinese peer-to-peer file transfer program, initially published by Foxy Media, Inc. Widely used in Hong Kong, Mainland China and Taiwan; very popular in upper primary and secondary schools. Closed-source program.

31 Foxy Architecture
- Connecting to the Foxy network
- Searching for files on the Foxy network: based on the Gnutella 2 protocol
- Downloading a file from a peer: based on HTTP download

32 Connecting to the Foxy network
(1) USER connects to the Foxy server to obtain a peer list
(2) The server returns a peer list to USER
(3) USER sends a PING request to each peer
(4) The peer returns a PONG response to USER
(5) USER is now part of the Foxy network

33 Keyword searching in Foxy
Diagram (flattened): a user asks an ultrapeer, "Hey, I need a file with name '新閃卡'". An ultrapeer that does not have the file, and does not know of any peer that has it, forwards the query to its peers. Peers reply "I have that file", "I also have that file".
The Gnutella 2 "Query" (Q2) request returns a list of peers (IP addresses) that have a full copy matching the request; the Foxy "Download" request guarantees that such a copy is still available for download.

34 Downloading a file from the peer
Diagram (flattened): the query for "新閃卡" passes through the ultrapeers; the peer that answers "I have that file" is contacted directly with HTTP GET /uri-res/N2R?urn:sha1:…

35 Some findings
All peers in the Foxy network are identical: every peer that has a copy matching a "Query" request returns its IP address to the requester. It is therefore not possible to confirm that a given peer is the source once a file is widely distributed.
Diagram (flattened): "Hey, I need a file with name '新閃卡'"; ultrapeers; "I have that file", "I also have that file".

36 How can we find Kira?
In the Foxy network we have concluded that all peers are identical. How can we find Kira (the first uploader of a file)?
In Jan 2005 the first man in the world (古惑天王, "Big Crook") was arrested by Hong Kong Customs and Excise officers for distributing movies using BT. How could they find Big Crook if all peers are identical?

37 Observation: file distribution in Foxy

38 Who may be the source?
May be able to find the source under the following conditions: during the slow-rising period; the file is large.
Impossible after the slow-rising period: unable to confirm who was the first source.
No definite answer today: more research ongoing.
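An added simulation covering slides 33 to 38, not the Foxy client, the FoxyMon tool or the rules of the cited IFIP paper: one file spreads from a first uploader through a Gnutella-2-style network in which only full copies answer a query, and an investigator's snapshot of the answering peers is checked for how long it still identifies the origin. The round-based propagation model, its parameters and the seed are assumptions; the request line follows the HTTP convention shown on slide 34.

```python
"""File spread in a Gnutella-2-style network (Foxy) and the limit on tracing
the first uploader.

Added example, not Foxy, FoxyMon or the authors' derived rules. The
propagation model (round-based, one download attempt per peer per round, a
fixed download duration in rounds) and all parameters are assumptions.
"""
import base64
import hashlib
import random
from typing import Optional


def n2r_request(content: bytes) -> str:
    """Request line a peer sends to fetch a file located via a query.
    Gnutella URNs carry the base32 SHA-1 of the file content (32 characters)."""
    sha1_b32 = base64.b32encode(hashlib.sha1(content).digest()).decode()
    return f"GET /uri-res/N2R?urn:sha1:{sha1_b32} HTTP/1.1"


def simulate_spread(n_peers=200, rounds=40, contact_prob=0.3, download_rounds=3, seed=7):
    """Round-based spread of one file from peer 0 (the first uploader).

    Returns, per round, the set of peers that would answer a keyword query:
    every peer holding a FULL copy, since Foxy only returns full copies.
    A larger file means more rounds per download (download_rounds).
    """
    rng = random.Random(seed)
    completes_at = {0: 0}                  # peer -> round its copy becomes complete
    answerers_per_round = []
    for t in range(rounds):
        full = {p for p, done in completes_at.items() if done <= t}
        answerers_per_round.append(full)
        # Peers without the file query the network; a query can only succeed
        # while some full copy exists, and the download takes download_rounds.
        for p in range(n_peers):
            if p not in completes_at and full and rng.random() < contact_prob:
                completes_at[p] = t + download_rounds
    return answerers_per_round


def candidate_source(answerers: set) -> Optional[int]:
    """What one snapshot of query answers lets an investigator conclude.

    With exactly one full copy in the network, that peer is the only
    candidate for the first uploader. Once several peers answer, they all
    look identical to the querier and no single snapshot separates the origin
    from a later downloader.
    """
    return next(iter(answerers)) if len(answerers) == 1 else None


def slow_rising_window(answerers_per_round) -> int:
    """Number of leading rounds in which a snapshot still identifies the source."""
    n = 0
    for a in answerers_per_round:
        if len(a) != 1:
            break
        n += 1
    return n


if __name__ == "__main__":
    sim = simulate_spread()
    print("identifiable for", slow_rising_window(sim), "rounds;",
          "full copies at the end:", len(sim[-1]))
    print(n2r_request(b"constructed file content"))
```

Under these assumptions the window in which the source is identifiable is exactly the download duration: the origin stays the only full copy until the first downloaders complete, and a larger file stretches that window. This is the mechanism behind the two conditions on the slide (slow-rising period, large file), and after it every answering peer is indistinguishable.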

39 Today's Technology
Cyber crime investigation: IP address traceback with international cooperation; traditional investigation techniques (interviewing suspects and witnesses).
Digital forensics: preservation of digital evidence from hard disks; collection of logs from ISPs and forum owners; special equipment/software for different types of devices, e.g. CDs.

40 Today's Ordinances in Hong Kong
- Publishing obscene articles
- Access to computers with criminal or dishonest intent
- Others: distributing copyright-protected materials

41 The Limitations
- Across jurisdictions
- Linking the digital evidence to a specific person
- Finding the first uploader in a peer-to-peer network

42 What have we done? What's next?
- Crime scene reconstruction → crime model
- Investigating peer-to-peer networks
What's next?

43 Our Research Roadmap in Digital Investigation and Forensics
Areas (diagram, flattened): Intelligence Gathering; Investigation; Forensics; Legal Reasoning.
Items on the roadmap: Bayesian network model, Wigmore chart; FAT allocation analysis tool, Bayesian network; social media mining, P2P monitoring; BTM, FoxyMon, DESK, Internet surveillance; cost-effective investigation model, live system consistency analysis; DESK/QQ, BTM 2.0, cost-effective investigation tool.

44 Intelligence Gathering / Investigation
- Internet surveillance platform
- Social media mining
- Monitoring systems: BT monitoring (BTM), Foxy network monitoring (FoxyMon), auction site monitoring (ASM)
Applications: cyber patrol, early warning detection.

45 The BIG Picture: Internet Surveillance Platform
Components (diagram, flattened): Internet Surveillance Engine; Web Analyzer (forum analysis, newsgroup analysis, blog analysis, text analysis, image analysis, video analysis); Protocol Analyzer (BT analysis, eMule analysis, Foxy analysis, malware analysis); Rule-based Data Analyzer; Data Mining; Crime Models (auction fraud, illegal file sharing using BT, others).

46 Internet Surveillance Platform

47 Internet Surveillance Platform
Top 30 hot topics

48 Internet Surveillance Platform
Timeline for a topic (e.g. T7)

49 Internet Surveillance Platform: Research problems
- Timeline analysis
- Internet criminal profiling: Internet pirate user profiling; Internet auction fraud user profiling
Principal investigators: Pierre Lai (PhD student), Tom Lai (MPhil student)

50 Investigation / Forensics
- BT monitoring (version 2): able to collect evidence from the Internet in a forensically sound process
- DESK version 2
- Digital crime and investigation models based on Bayesian networks
- Live systems forensic analysis techniques: evidence integrity and consistency

51 A Cost-Effective Digital Forensics Investigation Model
Practical issue: resource constraints and challenges. A cost-effective investigation model based on a Bayesian network.

52 How to balance?
Resource constraints: limited forensic tools; limited manpower; limited time frame.
Challenges: anti-forensic skills; security measures; complexity of the system; large volume of data.
How to balance?

53 Purpose of the Model
- Identify the minimum-cost path for the forensic investigation
- Formulate a "cut-off" point that avoids wasting resources
- Offer a systematic approach to forensic investigation
- Maintain evidential consistency

54 The Model Schema
Phase 1:
- Enumerate the traces
- Assign an investigation cost to each trace
- Rank the traces in order of investigation cost
- Assign an importance weight to each ranked trace
- Set up a Bayesian network model with the traces
- Run the BN model with all expected traces to get α, the evidential threshold value
- Set W, the evidential weight, equal to zero
- Set the remaining total of evidential weight to α
Phase 2:
- Search for traces according to the ranked order
- Subtract the trace's importance weight from the remaining total
- If the trace is present, add its importance weight to W
- If W closes in on α, proceed to phase 3
Phase 3:
- If the accumulated evidential weight does not sufficiently meet α, abandon the examination; otherwise conduct the full digital forensics process
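The three phases as runnable code, added here as an illustration rather than the authors' tool: traces are ranked by cost, searched in that order, and the examination stops early either because the accumulated weight reaches the threshold or because even every remaining trace could no longer reach it (the cut-off point). The traces, their costs in examiner hours and their importance weights are constructed, and the threshold α is taken as a fraction of the total expected weight instead of from a Bayesian network run, which simplifies Phase 1.

```python
"""Cost-effective staged examination (Phases 1 to 3 of the model above).

Added example, not the authors' tool. The traces, costs (examiner hours) and
importance weights are constructed; alpha is derived from the total expected
weight rather than from a Bayesian network run (a simplification of Phase 1).
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Trace:
    name: str
    cost: float    # hours needed to search for and examine this trace (assumed)
    weight: float  # importance weight towards the hypothesis (assumed)


def ranked(traces: List[Trace]) -> List[Trace]:
    """Phase 1: rank traces by investigation cost, cheapest first."""
    return sorted(traces, key=lambda t: t.cost)


def evidential_threshold(traces: List[Trace], fraction: float = 0.8) -> float:
    """Phase 1 stand-in for the BN run: alpha is a fraction of the weight that
    all expected traces would contribute together."""
    return fraction * sum(t.weight for t in traces)


def staged_examination(traces: List[Trace], found: Callable[[Trace], bool],
                       alpha: float) -> Tuple[str, List[str], float]:
    """Phases 2 and 3: search in ranked order. W accumulates the weight of the
    traces that are present; R is the weight still obtainable from traces not
    yet searched.

    Returns (decision, names examined, hours spent). 'proceed' means W reached
    alpha and the full forensic process is justified; 'abandon' means that even
    every remaining trace could not lift W to alpha, so the examination is cut
    off before the expensive traces are touched.
    """
    W = 0.0
    R = sum(t.weight for t in traces)
    spent = 0.0
    examined: List[str] = []
    for t in ranked(traces):
        R -= t.weight
        spent += t.cost
        examined.append(t.name)
        if found(t):
            W += t.weight
        if W >= alpha:
            return "proceed", examined, spent
        if W + R < alpha:
            return "abandon", examined, spent
    return "abandon", examined, spent


# Constructed traces for a BitTorrent seeding hypothesis.
TRACES = [
    Trace("bt_client_run_key", 0.5, 2),
    Trace("browser_history_torrent_site", 1.0, 3),
    Trace("torrent_file_on_disk", 1.5, 4),
    Trace("tracker_connection_log", 2.0, 3),
    Trace("shared_file_copy", 4.0, 5),
    Trace("carve_unallocated_space", 20.0, 3),
]
ALPHA = evidential_threshold(TRACES)      # 0.8 * 20 = 16


def run(present: set) -> Tuple[str, List[str], float]:
    """Examine TRACES when exactly the named traces are present on the disk."""
    return staged_examination(TRACES, lambda t: t.name in present, ALPHA)


if __name__ == "__main__":
    print(run({t.name for t in TRACES}))  # everything present: proceed after 5 traces
    print(run(set()))                     # nothing present: cut off after 2 traces
```

With every trace present, the 20-hour carving of unallocated space is never started because W reaches α after the five cheap traces; with nothing present, the cut-off fires after one and a half hours, since the remaining 15 units of weight can no longer reach 16.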

55 Live Systems Forensics Analysis
Collect digital evidence from a live running system, e.g. transient network connections.
Research questions: how to make use of the digital evidence collected from a live running system, filter out irrelevant information, and reconstruct the crime scene; integrity and consistency issues.
Ref: F. Law, K.P. Chow, M. Kwan and P. Lai, "Consistency Issue on Live Systems Forensics", 2007 International Workshop on Forensics for Future Generation Communication Environments (F2GC-07), Korea.

56 Forensics / Legal reasoning
- Heuristic rules to analyze MAC times on NTFS
- Bayesian network approach for digital forensics analysis
- Legal reasoning model for digital crime
- Analyzing the temporal relationship of digital photos in a FAT file system based on sector allocation
- Software forensics model and process

57 Bayesian Network for Digital Forensics
Use a Bayesian network model to analyze and interpret digital evidence in digital forensics cases. The Bayesian network and belief propagation are used to determine the "likelihood" of a crime when the validity of some of the digital evidence cannot be established.

58 Bayesian Network Crime Models
5 Bayesian network models are defined:
- Sharing of copyright-protected materials using BitTorrent
- Online auction fraud
- Online game weapon theft
- DDoS attack
- Cyber-locker

59 BitTorrent – Sharing copyright protected material
Steps (diagram, flattened):
1. Data to share on Computer A (the BT program "chops" the file into fragments of 256 KB for transmission)
2. Create the torrent file
3. Publish the torrent file on a newsgroup / discussion forum
4. Copy the torrent file to a computer, activate it and connect to the tracker server
5. Through this communication the tracker server knows Computer A has 100% of the data; Computer A is labelled a seeder
When a peer connects to the tracker server: 1. activate the BT program; 2. notify the peer's joining; 3. the tracker asks how much (%) of the file the peer has; 4. the latest peer list is broadcast to connected peers.
The torrent file contains metadata about the file: time of creation, file name, size, stored location, address of the tracker server, hash values of the fragments, etc.
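The torrent metadata on this slide, as an added example that is not the authors' BTM tool: a minimal bencode encoder and decoder, construction of a torrent for an in-memory file with the 256 KB piece size mentioned above, the info-hash that identifies the swarm to the tracker, and verification of a received piece against the hash list. The file content, the tracker URL and the creation timestamp are constructed.

```python
"""Torrent metadata: bencode, piece hashes, info-hash and piece verification.

Added example, not code from BTM or from the presentation. The file content,
tracker URL and creation timestamp are constructed.
"""
import hashlib

PIECE_LENGTH = 256 * 1024   # the 256 KB fragment size named on the slide


def bencode(v) -> bytes:
    """Encode int, bytes, str, list or dict in bencode (dict keys sorted)."""
    if isinstance(v, bool):
        raise TypeError("bool is not a bencode type")
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, str):
        v = v.encode()
    if isinstance(v, bytes):
        return b"%d:" % len(v) + v
    if isinstance(v, list):
        return b"l" + b"".join(bencode(x) for x in v) + b"e"
    if isinstance(v, dict):
        return b"d" + b"".join(bencode(k) + bencode(v[k]) for k in sorted(v)) + b"e"
    raise TypeError(type(v))


def bdecode(data: bytes):
    """Minimal bencode decoder; dict keys and strings come back as bytes."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":
            j = data.index(b"e", i)
            return int(data[i + 1:j]), j + 1
        if c in (b"l", b"d"):
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                v, i = parse(i)
                items.append(v)
            if c == b"d":
                return dict(zip(items[0::2], items[1::2])), i + 1
            return items, i + 1
        j = data.index(b":", i)
        n = int(data[i:j])
        return data[j + 1:j + 1 + n], j + 1 + n
    value, _ = parse(0)
    return value


def piece_hashes(content: bytes, piece_length: int = PIECE_LENGTH) -> bytes:
    """Concatenated SHA-1 of every fragment; this is the 'pieces' field."""
    return b"".join(hashlib.sha1(content[o:o + piece_length]).digest()
                    for o in range(0, len(content), piece_length))


def make_torrent(name: str, content: bytes, tracker: str, created: int) -> dict:
    info = {"name": name, "length": len(content),
            "piece length": PIECE_LENGTH, "pieces": piece_hashes(content)}
    return {"announce": tracker, "creation date": created, "info": info}


def infohash(torrent: dict) -> str:
    """SHA-1 over the bencoded 'info' dict: the identifier the tracker and
    peers use for this swarm. Accepts encoded (bytes keys) or built dicts."""
    info = torrent["info"] if "info" in torrent else torrent[b"info"]
    return hashlib.sha1(bencode(info)).hexdigest()


def verify_piece(torrent: dict, index: int, piece: bytes) -> bool:
    """A downloader accepts fragment `index` only if its SHA-1 matches."""
    pieces = torrent["info"]["pieces"]
    return hashlib.sha1(piece).digest() == pieces[20 * index:20 * index + 20]


# Constructed sample: 614400 bytes -> 3 pieces (2 full, 1 partial).
CONTENT = bytes(range(256)) * 2400
TORRENT = make_torrent("sample.bin", CONTENT, "http://tracker.example/announce", 1201600000)


if __name__ == "__main__":
    print("infohash:", infohash(TORRENT))
    print("pieces:", len(TORRENT["info"]["pieces"]) // 20)
    print("round trip ok:", infohash(bdecode(bencode(TORRENT))) == infohash(TORRENT))
```

For an examiner, the info-hash is the join key between a torrent file found on a disk, the swarm a monitor observed, and the data a tracker or peer list refers to; the per-piece hashes are why a partial download on a seized machine can be matched to the published file fragment by fragment.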

60 Graphical Representation of Digital Evidence in the BT case
Based on the reported digital evidence from the case, the calculated chance that H is valid is 92.27%. It is then the judge who decides whether it is beyond reasonable doubt that the forensic hypothesis H is valid. Indeed, there is other physical evidence around the case.
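A runnable version of the idea on slides 57 to 60, added here and not the authors' model: a small Bayesian network relating the hypothesis H to two intermediate sub-hypotheses and to the traces an examiner looks for, evaluated by exact enumeration rather than belief propagation. The network shape is a simplified reading of slide 59, every conditional probability is an assumed value, and the 92.27% figure above is not reproduced. The point it shows is the one on slide 57: a trace whose validity cannot be established is left out of the evidence and marginalised, which still yields a posterior, rather than being treated as absent.

```python
"""Small Bayesian network for the BitTorrent seeding hypothesis, evaluated by
exact enumeration.

Added example, not the authors' model or its 92.27% result. The network shape
is a simplified reading of slide 59 and every probability is an assumed value.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    parents: tuple   # parent variable names, in the order used by CPT keys
    cpt: dict        # tuple of parent values -> P(node = True | parents)


# H  : the seized computer was used to seed the file on BitTorrent
# H1 : a torrent file for the shared data was created on it
# H2 : it connected to the tracker server
# E1 : torrent file found on disk        (depends on H1; may have been deleted)
# E2 : tracker URL / connection record   (depends on H2)
# E3 : a copy of the shared file on disk (depends on H)
NET = {
    "H":  Node((),      {(): 0.5}),
    "H1": Node(("H",),  {(True,): 0.90, (False,): 0.10}),
    "H2": Node(("H",),  {(True,): 0.90, (False,): 0.05}),
    "E1": Node(("H1",), {(True,): 0.80, (False,): 0.05}),
    "E2": Node(("H2",), {(True,): 0.70, (False,): 0.02}),
    "E3": Node(("H",),  {(True,): 0.95, (False,): 0.20}),
}
ORDER = ["H", "H1", "H2", "E1", "E2", "E3"]   # parents before children


def prob(var: str, value: bool, assignment: dict) -> float:
    """P(var = value | its parents' values in `assignment`)."""
    node = NET[var]
    p_true = node.cpt[tuple(assignment[p] for p in node.parents)]
    return p_true if value else 1.0 - p_true


def enumerate_all(variables: list, assignment: dict) -> float:
    """Joint probability of `assignment`, summed over every unassigned variable."""
    if not variables:
        return 1.0
    y, rest = variables[0], variables[1:]
    if y in assignment:
        return prob(y, assignment[y], assignment) * enumerate_all(rest, assignment)
    return sum(prob(y, v, assignment) * enumerate_all(rest, {**assignment, y: v})
               for v in (True, False))


def posterior(target: str, evidence: dict) -> float:
    """P(target = True | evidence). Variables missing from `evidence` are
    marginalised, which is how an unverifiable trace is handled: it neither
    counts for nor against the hypothesis."""
    p_t = enumerate_all(ORDER, {**evidence, target: True})
    p_f = enumerate_all(ORDER, {**evidence, target: False})
    return p_t / (p_t + p_f)


if __name__ == "__main__":
    print("all traces found   :", posterior("H", {"E1": True, "E2": True, "E3": True}))
    print("torrent file unknown:", posterior("H", {"E2": True, "E3": True}))
    print("torrent file absent :", posterior("H", {"E1": False, "E2": True, "E3": True}))
```

Whether a posterior of this size meets the criminal standard is, as the slide says, the judge's decision; the network only makes explicit which traces carried the weight and how much an unverifiable one was allowed to contribute.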

61 The Bayesian Network Model of the BitTorrent Case

62 Digital Evidence of Online Auction Fraud
Prosecution hypotheses:
- Hp: The computer has been used as the transaction tool for auctioning the fake item
- Hp1: Uploading of auction item material related to the fake item has been performed
- Hp2: Manipulation of the corresponding auction item has taken place
- Hp3: Communication between the seller and the buyer on the fake item has occurred

63 Digital Evidence of Online Auction Fraud

64 Software Forensics Model and Process: A Case Study in Hong Kong
2000 – Oct 2005: D was working in Company A, owned by Y, as a key programmer responsible for 1/3 of the coding of the accounting software P.
Nov 2005: D left Company A and set up a new company, Company B, selling accounting software Q, similar to P. (Since then, Company A's revenue has dropped significantly.)

65 Software Forensics Case Study
May 2006: someone in Company A bought a set of Q and found its functions and applications very similar to P. Company A lodged a complaint with the Customs and Excise Department.

66 Software Forensics Model
Inputs (diagram, flattened): PC with hard disks; different versions of T's software system from shops; source code of the copyright owner G.
Key questions:
- Do source codes exist in the seized hard disk?
- Can the source codes be used to generate the different versions of T's software system from shops?
- Is there any relationship between G's source code and T's source code?

67 Questions 1 & 2
Do source codes exist in the seized hard disks? Yes, …
Can the source codes be used to generate different versions of T's software system from shops?

68 Question 3
Is there any relationship between G's source code and T's source code? Both are Delphi source code. Comparison of G's source code with T's source code: name analysis; source code comparison (line by line); search for evidence that infers copying.

69 Software Forensics Process
Name analysis: filename comparison; function and procedure name comparison; database comparison.
Source code comparison: line-by-line comparison; search for "core functions" as identified by the copyright owner, e.g. IncOrDecStockLocQty, CheckJnlNo.

70 Software Forensic Analysis

71 Evidence that infers copying
Locard's exchange principle: "with contact between two items, there will be an exchange".
Search for unusual "things" in the hard disks: the copyright notice of G; dead program statements and commented program statements; dead files.
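The comparison steps of slides 69 and 71 applied to two small Delphi fragments, as an added example that is not the tool used in the case: procedure and function name analysis, a normalised line-by-line comparison, a search for the owner's copyright notice and for commented-out statements, and matching of identical (dead) files across two seized sets by content hash. The two source fragments and the owner name are constructed; only the names IncOrDecStockLocQty and CheckJnlNo are taken from the presentation.

```python
"""Source-code comparison steps from the software forensics process above.

Added example, not the tool used in the case. G_SOURCE, T_SOURCE and the
owner name are constructed; IncOrDecStockLocQty and CheckJnlNo are the core
function names given in the presentation.
"""
import hashlib
import re

NAME_RE = re.compile(r"^\s*(?:procedure|function)\s+([A-Za-z_]\w*)", re.I | re.M)
COMMENT_RE = re.compile(r"^\s*(?://|\{|\(\*)")   # Delphi comment openers

G_SOURCE = """\
unit StockUtil;
{ Copyright (c) 2003 G Software Ltd. All rights reserved. }
interface
function CheckJnlNo(const JnlNo: string): Boolean;
procedure IncOrDecStockLocQty(LocID: Integer; Qty: Double);
implementation
function CheckJnlNo(const JnlNo: string): Boolean;
begin
  Result := (Length(JnlNo) = 10) and (JnlNo[1] = 'J');
end;
procedure IncOrDecStockLocQty(LocID: Integer; Qty: Double);
begin
  // UpdateLocQty(LocID, Qty);
  AdjustLocQty(LocID, Qty);
end;
end.
"""

T_SOURCE = """\
unit StkTools;
{ Copyright (c) 2003 G Software Ltd. All rights reserved. }
interface
function CheckJnlNo(const JnlNo: string): Boolean;
procedure IncOrDecStockLocQty(LocID: Integer; Qty: Double);
procedure PrintReport;
implementation
function CheckJnlNo(const JnlNo: string): Boolean;
begin
  Result := (Length(JnlNo) = 10) and (JnlNo[1] = 'J');
end;
procedure IncOrDecStockLocQty(LocID: Integer; Qty: Double);
begin
  // UpdateLocQty(LocID, Qty);
  AdjustLocQty(LocID, Qty);
end;
procedure PrintReport;
begin
end;
end.
"""

TRIVIAL = {"", "begin", "end;", "end.", "interface", "implementation"}


def routine_names(src: str) -> set:
    """Name analysis: every procedure/function name declared in the unit."""
    return set(NAME_RE.findall(src))


def normalise(line: str) -> str:
    """Case-fold, collapse whitespace, and drop lines too generic to count."""
    s = " ".join(line.split()).lower()
    return "" if s in TRIVIAL else s


def common_lines(a: str, b: str) -> set:
    """Line-by-line comparison: normalised lines present in both files."""
    la = set(filter(None, map(normalise, a.splitlines())))
    lb = set(filter(None, map(normalise, b.splitlines())))
    return la & lb


def copyright_hits(src: str, owner: str) -> list:
    """The owner's copyright notice surviving inside the suspect's code."""
    return [l.strip() for l in src.splitlines()
            if "copyright" in l.lower() and owner.lower() in l.lower()]


def commented_statements(src: str) -> list:
    """Commented-out program statements: comment lines still ending in ';'."""
    return [l.strip() for l in src.splitlines()
            if COMMENT_RE.match(l) and l.rstrip().endswith(";")]


def identical_files(files_a: dict, files_b: dict) -> list:
    """Dead/identical files across two seized sets, matched by content hash."""
    digest = lambda d: hashlib.sha256(d).hexdigest()
    by_hash = {digest(d): n for n, d in files_a.items()}
    return [(by_hash[digest(d)], n) for n, d in files_b.items() if digest(d) in by_hash]


def report(g: str = G_SOURCE, t: str = T_SOURCE, owner: str = "G Software") -> dict:
    return {
        "shared_names": sorted(routine_names(g) & routine_names(t)),
        "common_lines": len(common_lines(g, t)),
        "copyright_in_t": copyright_hits(t, owner),
        "dead_statements_in_t": commented_statements(t),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(k, ":", v)
```

The normalisation deliberately ignores case and whitespace, since those are the first things changed when code is re-labelled; the remaining matches, the surviving copyright line and the identical commented-out call are the "exchange" Locard's principle predicts.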

72 Identical dead files

73 Found copyright notices embedded in the source code

74 Sample commented program statement

75 Sample dead program statement

77 Computer Forensics Research Group
Our team: 5+ PhD students and 3+ MPhil students; 3+ faculty members and 2 researchers (with PhD); 3 full-time engineers and several part-time engineers; MSc project students and final year project students.
Our work: applied research (forensic and investigation tools, video analysis tools); basic digital forensics research.
Our website:

78 Project – DESK (2005)

79 DESK/QQ
Screenshot of QQ analysis. Partner: Shandong Computer Science Center, Shandong Academy of Sciences.

80 Project – BTM (2006)

81 BTM v2
Screenshot of automatic download.

82 BTM v2

83 International Collaborations
- DESK enhancement and China customization with the Shandong Computer Science Center of the Shandong Academy of Sciences
- Bayesian networks for digital crimes with King's College London, University of London, UK
- Harbin Institute of Technology, Shenzhen
- The Sixth Annual IFIP WG 11.9 International Conference on Digital Forensics was hosted at HKU, Jan 3-6, 2010

84 Resources
- Eastweek magazine, vol. 233, 13 Feb 2008
- P. Crowley, CD and DVD Forensics, Syngress, 2007
- R. Jones, Internet Forensics, O'Reilly, 2006
- R. Ieong, P. Lai, K.P. Chow, M. Kwan, F. Law, H. Tse and K. Tse, "Forensic Investigation of Peer-to-Peer Networks", in Handbook of Research on Computational Forensics, Digital Crime and Investigation: Methods and Solutions, IGI Global, 2009
- R. Ieong, P. Lai, K.P. Chow, M. Kwan and F. Law, "Is it an Initial Seeder? Derived Rules that Indicate a Seeder is within the Slow-Rising Period", Sixth IFIP WG 11.9 International Conference on Digital Forensics, 2010
- F.Y.W. Law, K.P. Chow, P.K.Y. Lai and H.K.S. Tse, "A Host-based Approach to BotNet Investigation", 1st International Conference on Digital Forensics and Cyber Crime, 2009

85 Thank You
