Presentation is loading. Please wait.

Presentation is loading. Please wait.

Richard E Overill & Jantje A M Silomon Department of Informatics, King’s College London K P Chow & Y W Law Department of Computer Science, University of.

Published byBertina Williamson Modified over 8 years ago

Similar presentations

Presentation on theme: "Richard E Overill & Jantje A M Silomon Department of Informatics, King’s College London K P Chow & Y W Law Department of Computer Science, University of."— Presentation transcript:

1 Richard E Overill & Jantje A M Silomon Department of Informatics, King’s College London K P Chow & Y W Law Department of Computer Science, University of Hong Kong Quantitative Plausibility of the Trojan Horse Defence against Possession of Child Pornography

2 Synopsis Trojan Horse Defence Possession of Child Pornography Digital Forensic Sub-hypotheses Evidential Traces Recovered Enhanced Complexity Model Trojan Horse Model Complexities & Posterior Odds Conclusions & Further Work

3 Trojan Horse Defence First reported use in the UK October 2003 (Aaron Caffrey, 19, Port of Houston hack) It concedes that the offence was committed, but contends that it was not by the defendant (Some Other Dude Did It - SODDI) In the absence of other evidence (e.g. DNA, fingerprint) tying defendant to crime scene, it requires the prosecution to prove a negative – that there was no Trojan Horse in operation at the material time

4 Possession of Child Pornography Trojan Horse Defence is highly successful globally in countering prosecutions of various e-crimes, including possession of child pornography (CP) (HK) law enforcement generally requires at least five items of digital CP before bringing charges

5 Digital Forensic Sub-hypotheses (Prosecution) Downloading of CP has been performed –three alternative possibilities: browser, email, peer-to-peer (P2P) –this study models browser download Copying of CP has been performed –two alternative possibilities: USB and CD/DVD –this study models USB device Viewing of CP has been performed

6 Evidential Traces Recovered (I) CP (image/video) on computer Internet history / cache from downloading Credit card payment to CP website Metadata on computer matched CP website USB device was plugged into the computer CP on computer matched that on USB device

7 Evidential Traces Recovered (II) Modified timestamp predates created timestamp of CP Image / video viewing tools on computer CP displayed by image / video viewing tools Access timestamp postdates created timestamp of CP

8 Enhanced Complexity Model (Hypotheses & Model) Hypotheses: the more complex a process is, the less likely it is to happen without user awareness effort to implement and integrate TH software components must be taken into account Model process complexity using: computational complexity (CC) GOMS Keyboard Level Model (KLM) Halstead’s Effort (E) metric

9 n 1 – number of distinct operators n 2 – number of distinct operands N 1 – total number of operators N 2 – total number of operands Program vocabulary n = n 1 + n 2 Program length N = N 1 + N 2 Program volume V = N × log 2 n Programming difficulty D = (n 1 × N 2 )/(2 × n 2 ) Programming effort E = D × V

10 Enhanced Complexity Model (Processes) For process i: p i  [ CC i + KLM(CC) i + E i + KLM(E) i ] -1 For two mutually exclusive processes i and j, the ‘posterior odds’ of process i over process j: O(i:j) = Pr(H i |E) / Pr(H j |E) = p i /p j

11 Trojan Horse Model Simplest possible system that produces all of the requisite evidential traces and no others: an electronic, random framing attack Lower bound on complexity implies upper bound on plausibility of Trojan Horse defence Consists of: – Dropper – Installer / Uninstaller – Payload (inc. keylogger, string search algorithm)

12 Complexities & Posterior Odds OCMECM Non-TrojanTrojanNon-TrojanTrojan CC11,569,21619,232,35511,569,21619,232,355 KLM(CC)1,730― ― E―――13,850,047 KLM(E)―――1,381,959 Total11,570,94619,232,35511,570,94634,464,361 OCMECM Unprotected computer1.367 2.979 98% protected computer117.4197.9

13 Conclusions Potential significance for both prosecution and defence sides when assessing their own worst case scenario and their opponents’ best case scenario For an unprotected computer, posterior odds do not favour a successful criminal prosecution For a protected computer, posterior odds strongly favour a successful criminal prosecution Off-the-shelf Trojan models (OCM) are not much harder to prosecute than bespoke ones (ECM)

14 Further Work DOCM – ‘de-parameterised’ OCM, independent of file size N BOCM – ‘buffered’ OCM, with file buffer of length N B, filled/flushed with N F operations, so a block-copy requires N F ⌈ N/N B ⌉ operations Modelling degree of motivation, capability/skill level, opportunity/lack of deterrence Expand model beyond current computer platform (PC with Win-XP & IE browser)

15 Acknowledgement Testwell for the grant of an evaluation licence for their CMT++ Complexity Measures Tool for C/C++ to calculate the Halstead E metric US ONR MINERVA programme “Strategy and the Network Society” research grant UK EPSRC Overseas Travel Grant

16 Thank you! Questions? Comments? Richard E Overill {richard.overill@kcl.ac.uk}

Download ppt "Richard E Overill & Jantje A M Silomon Department of Informatics, King’s College London K P Chow & Y W Law Department of Computer Science, University of."

Similar presentations

Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)

Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)
Data Security and legal issues Starter :- 5 Minutes Make a list of all the companies and organisations that you believe holds data on you. Write down what.

Data Security and legal issues Starter :- 5 Minutes Make a list of all the companies and organisations that you believe holds data on you. Write down what.
GCSE ICT Computers and the Law. Computer crime The growth of use of computerised payment systems – particularly the use of credit cards and debit cards.

GCSE ICT Computers and the Law. Computer crime The growth of use of computerised payment systems – particularly the use of credit cards and debit cards.
ICDFI 2013 Keynote Speech 1: Quantifying Likelihood in Digital Forensic Investigations Dr Richard Overill Department of Informatics, King’s College London.

ICDFI 2013 Keynote Speech 1: Quantifying Likelihood in Digital Forensic Investigations Dr Richard Overill Department of Informatics, King’s College London.
McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. Extended Learning Module H Computer Crime and Digital Forensics.

McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. Extended Learning Module H Computer Crime and Digital Forensics.
Computer Forensics and Digital Investigation – a brief introduction Ulf Larson/Erland Jonsson.

Computer Forensics and Digital Investigation – a brief introduction Ulf Larson/Erland Jonsson.
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
Security, Privacy, and Ethics Online Computer Crimes.

Security, Privacy, and Ethics Online Computer Crimes.
Software Metrics II Speaker: Jerry Gao Ph.D. San Jose State University URL: Sept., 2001.

Software Metrics II Speaker: Jerry Gao Ph.D. San Jose State University URL: Sept., 2001.
Technology for Computer Forensics by Alicia Castro.

Technology for Computer Forensics by Alicia Castro.
Multimedia Security Digital Video Watermarking Supervised by Prof. LYU, Rung Tsong Michael Presented by Chan Pik Wah, Pat Nov 20, 2002 Department of Computer.

Multimedia Security Digital Video Watermarking Supervised by Prof. LYU, Rung Tsong Michael Presented by Chan Pik Wah, Pat Nov 20, 2002 Department of Computer.
Advance evidence collection and analysis of web browser activity by Junhoon Oh David Rivera 11/7/2013 Digital Forensics.

Advance evidence collection and analysis of web browser activity by Junhoon Oh David Rivera 11/7/2013 Digital Forensics.
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
Role of Technology in Combating Crime Against Woman and Children Presented by Detective Constable Janelle Blackadar Child Exploitation Section Toronto.

Role of Technology in Combating Crime Against Woman and Children Presented by Detective Constable Janelle Blackadar Child Exploitation Section Toronto.
Department of Mathematics Computer and Information Science1 Basics of Cyber Security and Computer Forensics Christopher I. G. Lanclos.

Department of Mathematics Computer and Information Science1 Basics of Cyber Security and Computer Forensics Christopher I. G. Lanclos.
Threats to I.T Internet security By Cameron Mundy.

Threats to I.T Internet security By Cameron Mundy.
1 CRIMINAL LAW (FORENSIC PROCEDURES) AMENDMENT BILL [B 2-2009]: ISSUES FOR CONSIDERATION AND COMPARATIVE ANALYSIS 6 October 2009 Sueanne S. Isaac.

1 CRIMINAL LAW (FORENSIC PROCEDURES) AMENDMENT BILL [B ]: ISSUES FOR CONSIDERATION AND COMPARATIVE ANALYSIS 6 October 2009 Sueanne S. Isaac.
Issues Raised by ICT.

Issues Raised by ICT.
Submitted by: Abhashree Pradhan 0501227096 8CA (1)

Submitted by: Abhashree Pradhan CA (1)
Cyber Crimes.

Cyber Crimes.

Similar presentations

Ads by Google