Frank Y. W. Law

The Rules of Time on NTFS File System

With the rapid development and popularity of IT technology, criminals and mischievous computer users are given avenues to commit crimes and malicious activities. As forensic science has long been used to resolve legal disputes regarding different branches of science, computer forensics is developed naturally in the aspects of computer crimes or misbehaviors. In computer forensics, temporal analysis plays a significant role in the reconstruction of events or crimes. Indeed, temporal analysis is one of the attractive areas in computer forensics that caused a large number of researches and studies. It is the purpose of this paper to focus on temporal analysis on NTFS file system and to project intuitional rules on the behavioral characteristics of related digital files

Evaluation of Evidence in Internet Auction Fraud Investigations

Internet auction fraud has become prevalent. Methodologies for detecting fraudulent transactions use historical information about Internet auction participants to decide whether or not a user is a potential fraudster. The information includes reputation scores, values of items, time frames of various activities and transaction records. This paper presents a distinctive set of fraudster characteristics based on an analysis of 278 allegations about the sale of counterfeit goods at Internet auction sites. Also, it applies a Bayesian approach to analyze the relevance of evidence in Internet auction fraud cases.

Sensitivity Analysis of Bayesian Networks Used in Forensic Investigations

Research on using Bayesian networks to enhance digital forensic investigations has yet to evaluate the quality of the output of a Bayesian network. The evaluation can be performed by assessing the sensitivity of the posterior output of a forensic hypothesis to the input likelihood values of the digital evidence. This paper applies Bayesian sensitivity analysis techniques to a Bayesian network model for the well-known Yahoo! case. The analysis demonstrates that the conclusions drawn from Bayesian network models are statistically reliable and stable for small changes in evidence likelihood values.

Protecting Digital Data Privacy in Computer Forensic Examination

Privacy is a fundamental human right defined in the Universal Declaration of Human Rights. To enable the protection of data privacy, personal data that are not related to the investigation subject should be excluded during computer forensic examination. In the physical world, protection of privacy is controlled and regulated in most countries by laws. Legislation for handling private data has been established in various jurisdictions. In the modern world, the massive use of computers generates a huge amount of private data and there is correspondingly an increased expectation to recognize and respect human rights in digital investigation. However, there does not exist a forensically sound model for protecting private data in the context of digital investigation, and it poses a threat to privacy if the investigation involves the processing of such kind of data. In this paper, we try to address this important issue and present a cryptographic model designed to be incorporated into the current digital investigation framework, thereby adding a possible way to protect data privacy in digital investigation.

A Host-Based Approach to BotNet Investigation?

Robot Networks (BotNets) are one of the most serious threats faced by the online community today. Since their appearance in the late 1990’s, much effort has been expended in trying to thwart their unprecedented growth. However, with robust and advanced capabilities, it is very difficult for average users to avoid or prevent infection by BotNet malware. Moreover, whilst BotNets have increased in scale, scope and sophistication, the dearth of standardized and effective investigative procedures poses huge challenges to digital investigators in trying to probe such cases. In this paper we present a practical (and repeatable) host-based investigative methodology to the collection of evidentiary information from a Bot-infected machine. Our approach collects digital traces from both the network and physical memory of the infected local host, and correlates this information to identify the resident BotNet malware involved.

Sensitivity Analysis of a Bayesian Network for Reasoning about Digital Forensic Evidence

A Bayesian network representing an actual prosecuted case of illegal file sharing over a peer-to-peer network has been subjected to a systematic and rigorous sensitivity analysis. Our results demonstrate that such networks are usefully insensitive both to the occurrence of missing evidential traces and to the choice of conditional evidential probabilities. The importance of this finding for the investigation of digital forensic hypotheses is highlighted.

Protecting Digital Legal Professional Privilege (LPP) Data

To enable free communication between legal advisor and his client for proper functioning of the legal system, certain documents, known as legal professional privilege (TPP) documents, can be excluded as evidence for prosecution. In physical world, protection of TPP information is well addressed and proper procedure for handling TPP articles has been established. However, there does not exist a forensically sound procedure for protecting digital TPP information. In this paper, we try to address this important, but rarely addressed, issue. We point out the difficulties of handling digital TPP data and discuss the shortcomings of the current practices, then we propose a feasible procedure for solving this problem.

A Model for Foxy Peer-to-Peer Network Investigations

In recent years, peer-to-peer (P2P) applications have become the dominant form of Internet traffic. Foxy, a Chinese community focused filesharing tool, is increasingly being used to disseminate private data and sensitive documents in Hong Kong. Unfortunately, its scattered design and a highly distributed network make it difficult to locate a file originator. This paper proposes an investigative model for analyzing Foxy communications and identifying the first uploaders of files. The model is built on the results of several experiments, which reveal behavior patterns of the Foxy protocol that can be used to expose traces of file originators.

A Cost-Effective Model for Digital Forensic Investigations

Because of the way computers operate, every discrete event potentially leaves a digital trace. These digital traces must be retrieved during a digital forensic investigation to prove or refute an alleged crime. Given resource constraints, it is not always feasible (or necessary) for law enforcement to retrieve all the related digital traces and to conduct comprehensive investigations. This paper attempts to address the issue by proposing a model for conducting swift, practical and cost-effective digital forensic investigations.

Forensic Investigation of Peer-to-Peer Networks

The community of peer-to-peer (P2P) file-sharing networks has been expanding swiftly since the appearance of the very first P2P application (Napster) in 2001. These networks are famous for their excellent file transfer rates and adversely, the flooding of copyright-infringed digital materials. Recently, a number of documents containing personal data or sensitive information have been shared in an unbridled manner over the Foxy network (a popular P2P network in Chinese regions). These incidents have urged the authors to develop an investigation model for tracing suspicious P2P activities. Unfortunately, hindered DOI: 10.4018/978-1-60566-836-9.ch015