Pierre K. Y. Lai

The Rules of Time on NTFS File System

With the rapid development and popularity of IT technology, criminals and mischievous computer users are given avenues to commit crimes and malicious activities. As forensic science has long been used to resolve legal disputes regarding different branches of science, computer forensics is developed naturally in the aspects of computer crimes or misbehaviors. In computer forensics, temporal analysis plays a significant role in the reconstruction of events or crimes. Indeed, temporal analysis is one of the attractive areas in computer forensics that caused a large number of researches and studies. It is the purpose of this paper to focus on temporal analysis on NTFS file system and to project intuitional rules on the behavioral characteristics of related digital files

BTM - An Automated Rule-based BT Monitoring System for Piracy Detection

With the advent of peer-to-peer communication technologies, individuals can easily connect to one another over Internet for file sharing and online chatting. Although these technologies provide wonderful platforms for users to share their digital materials, its illegitimate use on unauthorized sharing of copyrighted files is increasingly rampant. With the BitTorrent (BT) technology, the tracking down of these illegal activities is even more difficult as the downloaders can also act as the distributors and cooperate to provide different parts of the same file for sharing. It is close to impossible for law enforcement agencies to trace these distributed and short-duration Internet piracy activities with limited resources. In this paper, we present the first automated rule-based software system, the BitTorrent monitoring (BTM) system, for monitoring, recording, and analyzing suspicious BT traffic on the Internet. From a preliminary experiment on a real case, the system successfully located 126 distributors (a.k.a. seeders) for some Cantonese pop songs within 90 minutes.

Evaluation of Evidence in Internet Auction Fraud Investigations

Internet auction fraud has become prevalent. Methodologies for detecting fraudulent transactions use historical information about Internet auction participants to decide whether or not a user is a potential fraudster. The information includes reputation scores, values of items, time frames of various activities and transaction records. This paper presents a distinctive set of fraudster characteristics based on an analysis of 278 allegations about the sale of counterfeit goods at Internet auction sites. Also, it applies a Bayesian approach to analyze the relevance of evidence in Internet auction fraud cases.

Sensitivity Analysis of Bayesian Networks Used in Forensic Investigations

Research on using Bayesian networks to enhance digital forensic investigations has yet to evaluate the quality of the output of a Bayesian network. The evaluation can be performed by assessing the sensitivity of the posterior output of a forensic hypothesis to the input likelihood values of the digital evidence. This paper applies Bayesian sensitivity analysis techniques to a Bayesian network model for the well-known Yahoo! case. The analysis demonstrates that the conclusions drawn from Bayesian network models are statistically reliable and stable for small changes in evidence likelihood values.

Protecting Digital Data Privacy in Computer Forensic Examination

Privacy is a fundamental human right defined in the Universal Declaration of Human Rights. To enable the protection of data privacy, personal data that are not related to the investigation subject should be excluded during computer forensic examination. In the physical world, protection of privacy is controlled and regulated in most countries by laws. Legislation for handling private data has been established in various jurisdictions. In the modern world, the massive use of computers generates a huge amount of private data and there is correspondingly an increased expectation to recognize and respect human rights in digital investigation. However, there does not exist a forensically sound model for protecting private data in the context of digital investigation, and it poses a threat to privacy if the investigation involves the processing of such kind of data. In this paper, we try to address this important issue and present a cryptographic model designed to be incorporated into the current digital investigation framework, thereby adding a possible way to protect data privacy in digital investigation.

A Host-Based Approach to BotNet Investigation?

Robot Networks (BotNets) are one of the most serious threats faced by the online community today. Since their appearance in the late 1990’s, much effort has been expended in trying to thwart their unprecedented growth. However, with robust and advanced capabilities, it is very difficult for average users to avoid or prevent infection by BotNet malware. Moreover, whilst BotNets have increased in scale, scope and sophistication, the dearth of standardized and effective investigative procedures poses huge challenges to digital investigators in trying to probe such cases. In this paper we present a practical (and repeatable) host-based investigative methodology to the collection of evidentiary information from a Bot-infected machine. Our approach collects digital traces from both the network and physical memory of the infected local host, and correlates this information to identify the resident BotNet malware involved.

Improving Disk Sector Integrity Using 3-dimension Hashing Scheme

To keep the evidence that a stored hard disk does not modify its content, the intuitive scheme is to calculate a hash value of the data in all the sectors in a specific order. However, since one or more sectors, with some probability, may become a bad sector after some time, this scheme fails to prove the integrity of all other sectors that are still good. In this paper, we suggest a scheme which calculates three hash values for each sector, in a three dimensional manner, such that the integrity proof of a sector depends only on the sectors in any one of the three dimensions, in stead of all sectors in the hard disk. Our analysis shows that this new scheme can greatly reduce the effect of bad sector formation in proving the integrity of the disk sectors.

Sensitivity Analysis of a Bayesian Network for Reasoning about Digital Forensic Evidence

A Bayesian network representing an actual prosecuted case of illegal file sharing over a peer-to-peer network has been subjected to a systematic and rigorous sensitivity analysis. Our results demonstrate that such networks are usefully insensitive both to the occurrence of missing evidential traces and to the choice of conditional evidential probabilities. The importance of this finding for the investigation of digital forensic hypotheses is highlighted.

A Model for Foxy Peer-to-Peer Network Investigations

In recent years, peer-to-peer (P2P) applications have become the dominant form of Internet traffic. Foxy, a Chinese community focused filesharing tool, is increasingly being used to disseminate private data and sensitive documents in Hong Kong. Unfortunately, its scattered design and a highly distributed network make it difficult to locate a file originator. This paper proposes an investigative model for analyzing Foxy communications and identifying the first uploaders of files. The model is built on the results of several experiments, which reveal behavior patterns of the Foxy protocol that can be used to expose traces of file originators.

A Cost-Effective Model for Digital Forensic Investigations

Because of the way computers operate, every discrete event potentially leaves a digital trace. These digital traces must be retrieved during a digital forensic investigation to prove or refute an alleged crime. Given resource constraints, it is not always feasible (or necessary) for law enforcement to retrieve all the related digital traces and to conduct comprehensive investigations. This paper attempts to address the issue by proposing a model for conducting swift, practical and cost-effective digital forensic investigations.