Ricci S. C. Ieong

A Model for Foxy Peer-to-Peer Network Investigations

In recent years, peer-to-peer (P2P) applications have become the dominant form of Internet traffic. Foxy, a Chinese community focused filesharing tool, is increasingly being used to disseminate private data and sensitive documents in Hong Kong. Unfortunately, its scattered design and a highly distributed network make it difficult to locate a file originator. This paper proposes an investigative model for analyzing Foxy communications and identifying the first uploaders of files. The model is built on the results of several experiments, which reveal behavior patterns of the Foxy protocol that can be used to expose traces of file originators.

Forensic Investigation of Peer-to-Peer Networks

The community of peer-to-peer (P2P) file-sharing networks has been expanding swiftly since the appearance of the very first P2P application (Napster) in 2001. These networks are famous for their excellent file transfer rates and adversely, the flooding of copyright-infringed digital materials. Recently, a number of documents containing personal data or sensitive information have been shared in an unbridled manner over the Foxy network (a popular P2P network in Chinese regions). These incidents have urged the authors to develop an investigation model for tracing suspicious P2P activities. Unfortunately, hindered DOI: 10.4018/978-1-60566-836-9.ch015

IDENTIFYING VOLATILE DATA FROM MULTIPLE MEMORY DUMPS IN LIVE FORENSICS

One of the core components of live forensics is to collect and analyze volatile memory data. Since the dynamic analysis of memory is not possible, most live forensic approaches focus on analyzing a single snapshot of a memory dump. Analyzing a single memory dump raises questions about evidence reliability; consequently, a natural extension is to study data from multiple memory dumps. Also important is the need to differentiate static data from dynamic data in the memory dumps; this enables investigators to link evidence based on memory structures and to determine if the evidence is found in a consistent area or a dynamic memory buffer, providing greater confidence in the reliability of the evidence. This paper proposes an indexing data structure for analyzing pages from multiple memory dumps in order to identify static and dynamic pages.

Validation of Rules Used in Foxy Peer-to-Peer Network Investigations

Rules have been specified for identifying first seeders in the Foxy peer-to-peer (P2P) network. However, these rules have not been validated due to difficulties in repeating download scenarios. This paper describes a rule validation scheme that uses a network simulation environment. The Type I and Type II error rates of Foxy network monitoring rules over 100 simulation experiments covering ten scenarios are measured and analyzed. The error rates reflect the limitations of the monitoring rules and demonstrate the importance of using network simulations for rule validation.

Memory Acquisition: A 2-Take Approach

When more and more people recognize the value of volatile data, live forensics gains more weight in digital forensics. It is often used in parallel with traditional pull-the-plug forensics to provide a more reliable result in forensic examination. One of the core components in live forensics is the collection and analysis of memory volatile data, during which the memory content is acquired for searching of relevant evidential data or investigating various computer processes to unveil the activities being performed by a user. However, this conventional method may have weaknesses because of the volatile nature of memory data and the absence of original data for validation. This may cause implication to the admissibility of memory data at the court of law which requires strict authenticity and reliability of evidence. In this paper, we discuss the impact of various memory acquisition methods and suggest a 2-Take approach which aims to enhance the confidence level of the acquired memory data for legal proceedings.

VALIDATION RULES FOR ENHANCED FOXY P2P NETWORK INVESTIGATIONS

Experiments with the Foxy P2P network have demonstrated that the first uploader of a file can be identified when search queries are submitted to all the network nodes during initial file sharing. However, in real Foxy networks, file search queries are not transmitted to the entire Foxy network and this process may not identify the first uploader. This paper presents a set of validation rules that validate the observed first uploader. The validation rules define the seeder curve that consistently describes the number of uploaders over time. Analysis of four scenarios shows improved accuracy at detecting the first uploader and that, in situations with insufficient competition for file content, the first uploader may not be identified precisely.

Maintaining Hard Disk Integrity With Digital Legal Professional Privilege (LPP) Data

The concept of legal professional privilege (LPP) in the Common Law is to enable a client to make full disclosure to his legal advisor for seeking advice without worrying that anything so disclosed will be used against him. Thus, some of the communications and documents between a legal advisor and his client can be excluded as evidence for prosecution. Protection of LPP information in the physical world is well addressed and proper procedures for handling LPP documents have been established. However, there does not exist a forensically sound procedure for protecting digital LPP information. In this correspondence, motivated by a real case of a commercial crime investigation, we introduce the LPP data integrity problem. While finding an ideal solution to solve the problem is difficult, we propose a practical solution that was adopted to solve the real case investigation. We also analyze the performance of our solution based on simulated data.

Analyzing Storage Media of Digital Camera

Digital photography has become popular in recent years. Photographs have become common tools for people to record every tiny parts of their daily life. By analyzing the storage media of a digital camera, crime investigators may extract a lot of useful information to reconstruct the events. In this work, we will discuss a few approaches in analyzing these kinds of storage media of digital cameras. A hypothetical crime case will be used as case study for demonstration of concepts. Keywords—storage media, FAT, file system analysis, time analysis