Cyber Crime and IT Forensics – The Edison Chen Story


Cyber Crime and IT Forensics – The Edison Chen Story
Ir Dr. K.P. Chow
Computer Forensics Research Group
Center for Information Security and Cryptography
University of Hong Kong
August 2010
CISC
1
Agenda
• A practitioner approach to introduce cyber crime and IT forensics
– Internet investigation
– Digital forensics
• Our research roadmap
A practitioner approach to introduce cyber crime and IT forensics
Key topics in cyber crime and forensics
• Internet investigation
• Digital forensics
Any interesting case?
Edison Chen photo scandal
Let’s travel back to 27 Jan 2008
Who is Edison Chen?
• Who else?
• Who is he?
The story begins in Jan 2008
• Jan 27 evening: 1 photo of Edison and Gillian is posted in discussion forums in Hong Kong
• Jan 28 afternoon: 1 photo of Edison and Bobo is posted in many forums; Edison and Gillian announced that the photos were hoaxes
• Jan 29: 5 photos of Gillian and 2 photos of Cecilia are posted
• Jan 30: 4 photos of Cecilia are posted
What are the forensics questions?
• Are the photos real or hoaxes?
• Who posted the photos on the forums?
Are the photos real?
• Factors to be considered:
– Lighting
– Eyes and positions
– Specular highlights
– Send in the clones
– Camera fingerprints
• Forensic photography
Not our current research focus
Who posted the photos on the forums?
(Diagram: user YT Chung, from IP address A, uploads photos of G to Forum B outside HK; the photos are downloaded; Forum A in HK carries photos of G and C.)
On Jan 31, the first person, YT Chung, is arrested for the case
Investigation techniques
• Tracing using the IP address
– Most forums keep the IP addresses of users who create the posts
– Most ISPs keep records of the assignment of IP addresses to their subscribers
Forensics techniques
• Digital evidence in the suspect’s PC
The Law
• What was the criminal act?
– Violates the “Control of Obscene and Indecent Articles Ordinance” in Hong Kong: publishing obscene articles
Limitations
• Cross jurisdiction: requires support from other countries (Interpol)
Difficulties
• Who was using the computer?
– Fingerprint vs. IP address
(Diagram: user YT Chung asking “Who am I?”; photos downloaded; “?=” between the user and the IP address.)
The story continues
• Feb 2: 4 men and 2 women are arrested, all from the computer repair shop Elite
– 1 hoax photo of Cecilia was posted
• Feb 4: HC Sze is arrested
• Feb 5: 4 more obscene photos are posted, involving Gillian, Cecilia, BoBo and Rachel
• Feb 6: 209 photos are posted by Kira
• Feb 9: another 237 photos are posted by Kira again, involving Gillian, Cecilia, BoBo and Vincy
What are the forensics questions?
• How was the computer repair shop Elite located?
– Traditional investigation technique
• What was the charge against HC Sze?
– HC Sze was charged with “access to computer with criminal or dishonest intent”
– Why him?
• Who is Kira?
– HC Sze? Not sure
Some events
Date (2008)      Event
Jan 29           Photos of Edison and celebrities available on the Internet
Feb 1            Mak’s CD was seized
Feb 2 6:55am     Janet’s CD (with “X” mark) and PCs at home were seized
Feb 2 7:45pm     Sze was arrested
Feb 2 10:10pm    Sze’s home PCs were seized
Feb 3            Tse’s home PC was seized (nothing relevant was found)
Feb 16           Yip’s home PC was seized (Edison’s photos from the Internet were found)
Feb 18           Chan’s home PC was seized (nothing relevant was found)
Feb 21           Edison’s home PCs were seized
Feb 27           Store’s PC was seized
Feb 28           Elite’s server was seized
Elite Computer Shop
Who were Mak and Janet?
(Diagram of the people and items: Edison and his MacBook Pro, brought in by his driver Mr Wong (PW6); the Computer Service Store and its Power Mac G5 Duo; employees Mak, Janet and Chung (PW5); supervisors Fanny (PW1) and Janet (PW2); Mak’s CD and the CD marked “X”; edges labelled belongs, purchase, give to, and loan/return.)
The Beginning: Edison’s MacBook Pro brought to Elite for service
(Diagram: the MacBook Pro, hard disk inside, belongs to Edison and is brought to Elite for service; nodes Employer, driver Tse, and Wong (PW6).)
When, where and how were the photos found?
Service Day to +4 days: photos inside the MacBook Pro were found
(Diagram: at Elite, boss Chan and employees Yip and Sze; Tse; the MacBook Pro’s hard disk with the folder “Lifestyle”, viewed together and deleted 3-4 days afterwards; the profile backed up to an external hard disk.)
How did the photos get to the store?
8 June 2008: Sze performed computer service at “Store”
(Diagram: Sze of Elite services the Store’s Power Mac G5 Duo; logon/password to some unknown server; Fanny, Mak and Janet view the photos, download them to a folder on the Power Mac G5 and burn them to CD; Mak’s CD, CD “X”, give to, loan/return.)
For the court
• The story: crime scene reconstruction
• Witness statements
• Evidence
Digital Evidence
(Diagram: MacBook Pro (P5), hard disk inside, partition … edison/Desktop/the others 4.0/Pictures from Feb 6.zip – where is the source? Elite’s server (shared password); Yip’s PC, which downloaded ≃ 600 photos (20080207 to 20080210) from the Internet – not the same; 239 photos identical; CD from Mok (P4); CD “X” created 20060607 13:54 or 20060607 21:54; witness statement.)
Crime Scene Reconstruction
(Diagram: Power Mac G5; Sze’s home server; external hard disk; folder “Lifestyles”; other server; Elite server; edges make copy, copy, knowledge, download, upload to server, create CD; charge 1 beside Yip (upload to server), charge 2 beside Tse (download), charge 3 beside Chan and Sze (create CD); CD “X”.)
3 charges of access to computer with criminal or dishonest intent:
1. witness statements: Mak and Janet
2. digital evidence: CD “X”
3. digital crime scene reconstruction
Questions about the digital evidence
• By whom and when was the CD marked “X” created?
– 2 interpretations of the folder creation date/time in the CD
– How long would it take to download the photos? What was the bandwidth of the broadband link?
• Which server was used for download?
– Elite server: with shared password
– Home PC: no trace
• Where is the “copy” from the original disk?
The story never ends
• Who is Kira?
– YT Chung – very unlikely
– HC Sze – unlikely
• Can we trace Kira using IP address traceback?
– Some more details
OUR ATTEMPT TO FIND KIRA
Photos by Kira
• The photos by Kira were shared using the Foxy peer-to-peer software:
– Whenever new photos surface on the internet, users pass on the message using the code “hurry on bit the fox” and the keyword “新閃卡” (flash card)
– Users share the files with names 新閃卡 by putting those files in their share folder
– The photos spread rapidly on the Foxy network
• Can we find the first uploader in the Foxy network?
What is Foxy?
• A Traditional Chinese peer-to-peer file transfer program
• Initially published by Foxy Media, Inc.
• Widely used in Hong Kong, Mainland China and Taiwan
• Very popular in upper primary schools and secondary schools
• Closed-source program
Foxy Architecture
1. Connecting to the Foxy network
2. Search for files on the Foxy network
– Based on Gnutella 2 protocol
3. Download file from a peer
– Based on http download
Connecting to the Foxy network
(1) USER connects to the Foxy server to obtain a peer list
(2) Server returns a peer list to USER, e.g. 59.39.71.220, 59.39.71.217, 59.39.71.219
(3) USER sends a PING request to each peer
(4) The peer returns a PONG to the USER
(5) USER is now part of the Foxy network
Keyword searching in FOXY
(Illustration: USER asks “Hey, I need a file with name ‘新閃卡’”; the query “新閃卡” reaches an Ultrapeer, which says “I don’t have the file, and I don’t know any of my peers have the file, I’ll forward to my peers”; the query is forwarded through further Ultrapeers to peers that answer “I have that file …” and “I also have that file …”.)
• The Gnutella “Query 2” (Q2) request will return a list of peers (IP addresses) that have a full copy matching the request
• The Foxy “Download” request guarantees such a copy is still available for download
Downloading a file from the peer
(Illustration: after the query for “新閃卡” has been forwarded through the Ultrapeers and a peer answers “I have that file …”, USER fetches the file directly from that peer with HTTP GET /urires/N2R?urn:sha1:…)
Some findings
• All peers in the Foxy network are identical
• All peers that have a copy matching a “Query” request will return their IP address to the requester
• Unable to confirm a peer is the source in the Foxy network when a file is widely distributed
(Illustration repeats the “新閃卡” query through the Ultrapeers, with several peers answering “I have that file …” and “I also have that file …”.)
How can we find Kira?
• In the Foxy network, we have concluded that all peers in the Foxy network are identical
– How can we find Kira (the first uploader of a file)?
• In Jan 2005:
– The first man (古惑天王 Big Crooke) in the world was arrested by Hong Kong Customs and Excise officers for distributing movies using BT
– How could they find the Big Crooke if all peers are identical?
Observation: file distribution in Foxy
(Figure: how a file spreads over the Foxy network over time.)
Who may be the source?
• May be able to find under the following conditions:
– At the slow rising period
– The file is large
• Impossible after the slow rising period: unable to confirm who was the first source
No definite answer today: more research ongoing
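The query behaviour under “Some findings” and the two conditions above, as an added Python example (not FoxyMon or any code from the talk): a toy model in which a Query answers with every peer holding a full matching copy, so a candidate first uploader can only be named while it is the sole full copy and other peers are still downloading. The peer addresses, file size and download rate are constructed; the keyword is the one the slides mention.

```python
"""Toy model of the Foxy findings on the slides: a keyword Query answers with every
peer that holds a full matching copy, so the first uploader stands out only while
it is the sole full copy (the slow rising period). Constructed example, not FoxyMon."""
from dataclasses import dataclass, field

@dataclass
class Peer:
    ip: str
    files: dict = field(default_factory=dict)   # file name -> fraction held (0.0..1.0)

def fraction(peer, keyword):
    """Largest fraction held of any file whose name matches the keyword (0.0 if none)."""
    return max((f for n, f in peer.files.items() if keyword in n), default=0.0)

def query(peers, keyword):
    """Gnutella2-style Query: IPs of all peers holding a full copy that matches."""
    return sorted(p.ip for p in peers if fraction(p, keyword) >= 1.0)

def attribute_source(snapshots, keyword):
    """snapshots: (time, peers) observations in time order. Returns the single
    full-copy peer seen while others were still downloading, or None once several
    full copies exist, because every full-copy peer then answers identically."""
    for _t, peers in snapshots:
        full = query(peers, keyword)
        downloading = [p.ip for p in peers if 0.0 < fraction(p, keyword) < 1.0]
        if len(full) == 1 and downloading:
            return full[0]
        if len(full) > 1:
            return None
    return None

def spread(first_ip, joiners, file_size, rate, ticks, keyword):
    """Constructed spread: first_ip seeds the file and each joiner downloads `rate`
    units per tick; a larger file keeps the slow rising period open for longer."""
    progress = {ip: 0.0 for ip in joiners}
    snapshots = []
    for t in range(ticks):
        peers = [Peer(first_ip, {keyword: 1.0})]
        for ip in joiners:
            progress[ip] = min(1.0, progress[ip] + rate / file_size)
            peers.append(Peer(ip, {keyword: progress[ip]}))
        snapshots.append((t, peers))
    return snapshots

def slow_rising_ticks(snapshots, keyword):
    """Observations in which exactly one peer holds a full copy."""
    return sum(1 for _t, peers in snapshots if len(query(peers, keyword)) == 1)

KEYWORD = "新閃卡"                                  # keyword used on the Foxy network
JOINERS = ["10.0.0.2", "10.0.0.3"]                # constructed peer addresses
SMALL = spread("10.0.0.1", JOINERS, file_size=100, rate=25, ticks=8, keyword=KEYWORD)
LARGE = spread("10.0.0.1", JOINERS, file_size=200, rate=25, ticks=8, keyword=KEYWORD)
```

Observing only after the small file has fully spread (SMALL[3:]) yields no attribution, while the larger file keeps the single-full-copy window open for more than twice as many observations.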
Today’s Technology
• Cyber crime investigation
– IP address traceback with international cooperation
– Traditional investigation technique: interviewing suspects and witnesses
• Digital forensics
– Preservation of digital evidence from hard disk
– Collection of logs from ISPs and forum owners
– Special equipment/software for different types of devices, e.g. CDs
Today’s Ordinances in Hong Kong
• Publishing obscene articles
• Access to computers with criminal or dishonest intent
• Others
– Distributing copyright protected materials
– …
The Limitations
• Across jurisdictions
• Linking the digital evidence to a specific person
• Finding the first uploader in a Peer-to-Peer network
• …
What have we done?
• Crime scene reconstruction → crime model
• Investigating peer-to-peer networks
What’s next?
Our Research Roadmap in Digital Investigation and Forensics
(Roadmap diagram. Areas: Intelligence Gathering, Investigation, Forensics, Legal Reasoning. Labels: Bayesian network model, Wigmore chart; FAT allocation analysis tool, Bayesian network; social media mining, P2P monitoring; BTM, FoxyMon, DESK, Internet surveillance; cost effective investigation model, live system; DESK/QQ, BTM 2.0, consistency analysis; cost-effective investigation tool.)
Intelligence Gathering/Investigation
• Internet surveillance platform
• Social media mining
• Monitoring systems
– BT monitoring (BTM)
– Foxy network monitoring (FoxyMon)
– Auction site monitoring (ASM)
• Applications: cyber patrol, early warning detection
The BIG Picture: Internet Surveillance Platform
(Architecture diagram. The Internet feeds a Web Analyzer (forum, blog and newsgroup analysis) and a Protocol Analyzer (BT, eMule and Foxy analysis, others); a rule-based Data Analyzer and Data Mining cover text, image, video and malware analysis; the Internet Surveillance Engine applies Crime Models such as auction fraud and illegal file sharing using BT.)
Internet Surveillance Platform
• Top 30 hot topics (screenshot)
Internet Surveillance Platform
• Timeline for topic (e.g. T7) (screenshot)
Internet Surveillance Platform: Research problems
• Timeline analysis
• Internet criminal profiling
– Internet pirates user profiling
– Internet auction fraud user profiling
Principal investigator: Pierre Lai (PhD student), Tom Lai (MPhil student)
Investigation/Forensics
• BT monitoring (version 2):
– Able to collect evidence from the Internet in a forensically sound process
• DESK version 2
• Digital crime and investigation models based on Bayesian Network
• Live systems forensic analysis techniques: evidence integrity and consistency issue
A Cost-Effective Digital Forensics Investigation Model
• Practical issue:
– Resource constraints and challenges
• Cost-effective investigation model
– Based on Bayesian Network
Resources Constraints and Challenges
(Diagram: resource constraints – limited forensic tools, limited manpower, limited time frame; challenges – anti-forensic skills, security measures, complexity of system, large volume of data. How to balance?)
Purpose of the Model
• Identify minimum cost path for the forensics investigation
• Formulate a “cut-off” point that can avoid resources wastage
• Offer systematic approach in forensics investigation
• Maintain evidential consistency
The Model Schema
● Phase 1
● Enumerate the traces
● Assign investigation cost
● Rank the traces in order of investigation cost
● Assign importance weights W_i to each ranked trace
● Set up a Bayesian Network model with the traces
● Run the BN model with all expected traces to get α, the evidential threshold value
● Set W, the evidential weight, equal to zero
● Set W_rem, the remaining total of evidential weight, to α
● Phase 2
● Search for traces according to the ranked order
● Subtract the importance weight W_i from W_rem (i.e. W_rem − W_i)
● If the trace is present, add importance weight W_i to W
● If W is close to α, proceed to Phase 3
● If (W + W_rem) does not sufficiently meet α, abandon the examination; otherwise conduct the full digital forensics process
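The two phases above as an added Python example, not the authors’ implementation: the evidential threshold α, which the slides obtain by running a Bayesian network over all expected traces, is replaced here by a stand-in that takes a fraction of the total importance weight, and the traces, their costs, weights and presence are constructed for a BitTorrent sharing case.

```python
"""Cost-effective investigation model (Phase 1 and Phase 2 of the slides) as a
runnable simulation. Assumption: alpha, which the slides obtain by running a
Bayesian network over all expected traces, comes here from a stand-in."""
from dataclasses import dataclass, replace
from typing import List, Tuple

@dataclass(frozen=True)
class Trace:
    name: str
    cost: float      # investigation cost, e.g. examiner hours (constructed)
    weight: float    # importance weight W_i
    present: bool    # whether the examiner actually finds the trace (constructed)

def phase1(traces: List[Trace], confidence: float = 0.75) -> Tuple[List[Trace], float]:
    """Rank traces by investigation cost and derive alpha, the evidential threshold."""
    ranked = sorted(traces, key=lambda t: t.cost)
    # Stand-in for the BN run: the hypothesis needs this share of the total weight.
    alpha = confidence * sum(t.weight for t in traces)
    return ranked, alpha

def phase2(ranked: List[Trace], alpha: float, tolerance: float) -> dict:
    """Examine traces in ranked order; W collects confirmed weight, W_rem is what
    is left of alpha after the traces examined so far have been subtracted."""
    w, w_rem, spent, examined = 0.0, alpha, 0.0, 0
    for examined, t in enumerate(ranked, 1):
        spent += t.cost
        w_rem -= t.weight
        if t.present:
            w += t.weight
        if w >= alpha - tolerance:                 # W close to alpha: go to Phase 3
            return {"decision": "proceed to phase 3", "examined": examined, "W": w, "cost": spent}
        if w + w_rem < alpha - tolerance:          # alpha can no longer be met: stop
            return {"decision": "abandon", "examined": examined, "W": w, "cost": spent}
    return {"decision": "full forensics process", "examined": examined, "W": w, "cost": spent}

def run(traces: List[Trace], confidence: float = 0.75, tol_fraction: float = 0.1) -> dict:
    ranked, alpha = phase1(traces, confidence)
    return phase2(ranked, alpha, tol_fraction * alpha)

# Constructed traces for a BitTorrent sharing case (names only illustrate the idea).
CASE = [
    Trace("torrent file on disk", cost=1, weight=3, present=True),
    Trace("tracker connection log", cost=2, weight=4, present=True),
    Trace("torrent published on forum", cost=3, weight=2, present=True),
    Trace("ISP log ties IP to subscriber", cost=5, weight=5, present=True),
    Trace("seeder status recorded by tracker", cost=8, weight=6, present=True),
]

def without(traces: List[Trace], name: str) -> List[Trace]:
    """Same case, but the named trace is not found during examination."""
    return [replace(t, present=False) if t.name == name else t for t in traces]

if __name__ == "__main__":
    print(run(CASE))                                        # stops after 4 traces
    print(run(without(CASE, "torrent published on forum")))  # abandoned early
```

With every trace present the examiner reaches α after the four cheapest traces and never pays for the most expensive one; with one cheap trace missing, the model abandons the examination as soon as the remaining weight can no longer reach α.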
Live Systems Forensics Analysis
• Collect digital evidence from a live running system, e.g. transient network connections
• Research questions:
– How to make use of the digital evidence collected from a live running system, filter out irrelevant information, and reconstruct the crime scene
– Integrity and consistency issues
• Ref: F. Law, K.P. Chow, M. Kwan and P. Lai, Consistency Issue on Live Systems Forensics, to appear in 2007 International Workshop on Forensics for Future Generation Communication Environments (F2GC-07), Korea
Forensics/Legal reasoning
• Heuristic rules to analyze MAC time on NTFS
• Bayesian network approach for digital forensics analysis
• Legal reasoning model for digital crime
• Analyzing digital photos’ temporal relationship in a FAT file system based on sector allocation
• Software forensics model and process
Bayesian Network for Digital Forensics
• Use Bayesian Network model to analyze and interpret digital evidence for digital forensics cases
• Bayesian network and belief propagation will be used to determine the “likelihood” of a crime when validity of some of the digital evidence cannot be established.
• http://i.cs.hku.hk/~cisc/forensics/papers/BayesianNetwork.pdf
Bayesian Network Crime Models
• 5 Bayesian Network models are defined
– Sharing of copyright protected materials using BitTorrent
– Online auction fraud
– Online games weapon theft
– DDoS attack
– Cyber-locker
BitTorrent – Sharing copyright protected material
(Diagram of the sharing process, steps 1 to 5:)
1. Data to share is copied to Computer A; the BT program “chops” the file into fragments of 256 KB for transmission
2. Create Torrent file: the torrent contains metadata about the file – time of creation, file name, size, stored location, address of Tracker server, hash values of fragments, etc.
3. Publish Torrent file on a newsgroup / discussion forum
4. Activate Torrent file & connect to Tracker server. When connecting to the Tracker server:
1. Activate the BT program
2. Notify a peer’s joining
3. Tracker asks how many (%) of the file a peer has
4. Broadcast the latest peer list to connected peers
5. Through communication, the Tracker server knows Computer A has 100% of the data. Computer A is labeled as a seeder
Graphical Representation of Digital Evidence in the BT case
• Based on the reported digital evidence from the case, the calculated chance that H is valid is 92.27%
• It is then the Judge who decides whether it is beyond reasonable doubt that the forensic hypothesis H is valid
• Indeed, there is other physical evidence around the case
The Bayesian Network Model of the BitTorrent Case
Digital Evidence of Online Auction Fraud
Prosecution Hypotheses
Hp : The computer has been used as transaction tool for the auctioning of the fake item
Hp1 : Uploading of auction item material related to the fake item has been performed
Hp2 : Manipulation of the corresponding auction item has taken place
Hp3 : Communication between the seller and the buyer on the fake item has occurred
Software Forensics Model and Process
A Case Study in Hong Kong
2000 – Oct 2005
– D was working in Company A, owned by Y, as a key programmer who was responsible for 1/3 of the coding of the accounting software P
Nov 2005
– D left Company A
– D set up a new company, Company B, selling accounting software Q, similar to P (since then, Company A’s revenue dropped significantly)
Software Forensics Case Study
May 2006
– Someone in Company A bought a set of Q and found its functions and applications are very similar to P
– Company A lodged a complaint with the C&E Dept
Software Forensics Model
Key questions:
1. Do source codes exist in the seized hard disk?
2. Can the source codes be used to generate different versions of T’s software system from shops?
3. Any relationship between G’s source code and T’s source code?
(Diagram: PC with hard disks; different versions of T’s software system from shops; source code of copyright owner G.)
Questions 1 & 2
1. Do source codes exist in the seized hard disks?
– Yes, …
2. Can the source codes be used to generate different versions of T’s software system from shops?
– Yes, …
Question 3
3. Any relationship between G’s source code and T’s source code?
(Diagram: Delphi source codes – G’s source code compared with T’s source code.)
a) Name analysis
b) Source code comparison (line by line)
c) Search for evidence that infers copying
Software Forensics Process
a) Name analysis
– Filename comparison
– Function and procedure name comparison
– Database comparison
b) Source code comparison
– Line by line comparison
c) Search for “core functions” as identified by the copyright owner, e.g.
– IncOrDecStockLocQty
– CheckJnlNo
Software Forensic Analysis
Evidence that infers copying
• Locard’s exchange principle:
– “with contact between two items, there will be an exchange”
• Search for unusual “things” in the hard disks:
– Copyright notice of G
– Dead program statements and commented program statements
– Dead files
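The process on the previous slides (name analysis, line-by-line comparison, core-function search) together with the Locard-style indicators listed here, as an added Python example run over two constructed Delphi fragments (not the examiners’ tool): G_SRC stands for the copyright owner’s code and T_SRC for the suspect’s, and the two core function names are the ones the slides cite.

```python
"""Software forensics checks from the slides over two constructed Delphi fragments:
name analysis, line-by-line comparison, core-function search and Locard-style
leftovers (the owner's copyright notice, commented-out program statements)."""
import re
from difflib import SequenceMatcher

CORE_FUNCTIONS = ["IncOrDecStockLocQty", "CheckJnlNo"]   # named by the copyright owner
DECL = re.compile(r"^\s*(?:procedure|function)\s+([A-Za-z_]\w*)", re.I | re.M)
COMMENTED_STMT = re.compile(r"^\s*//.*:=.*$", re.M)       # commented-out assignment
G_SRC = """unit StockUtil;
// Copyright (c) Company A. All rights reserved.
function CheckJnlNo(const JnlNo: string): Boolean;
begin
  Result := Length(JnlNo) = 10;
end;
procedure IncOrDecStockLocQty(Loc: Integer; Qty: Double);
begin
  StockQty[Loc] := StockQty[Loc] + Qty;
end;
end."""                                                    # constructed: owner G
T_SRC = """unit StockLib;
// Copyright (c) Company A. All rights reserved.
function CheckJnlNo(const JnlNo: string): Boolean;
begin
  Result := Length(JnlNo) = 10;
end;
procedure IncOrDecStockLocQty(Loc: Integer; Qty: Double);
begin
  // OldQty[Loc] := OldQty[Loc] + Qty;
  StockQty[Loc] := StockQty[Loc] + Qty;
end;
procedure PrintReport;
begin
end;
end."""                                                    # constructed: suspect T

def name_analysis(owner, suspect):
    """Function and procedure names declared in both code bases."""
    return sorted(set(DECL.findall(owner)) & set(DECL.findall(suspect)))

def line_by_line(owner, suspect):
    """(suspect lines matched verbatim against the owner's code, suspect line total)."""
    norm = lambda s: [ln.strip() for ln in s.splitlines() if ln.strip()]
    a, b = norm(owner), norm(suspect)
    blocks = SequenceMatcher(None, a, b, autojunk=False).get_matching_blocks()
    return sum(blk.size for blk in blocks), len(b)

def core_functions_found(suspect):
    """Which of the owner-identified core functions appear in the suspect's code."""
    return [n for n in CORE_FUNCTIONS if re.search(r"\b%s\b" % n, suspect)]

def copying_indicators(suspect, owner_name):
    """Locard-style leftovers that point to copying rather than reimplementation."""
    return {
        "copyright_notice": bool(re.search(r"Copyright.*" + re.escape(owner_name), suspect)),
        "commented_statements": [ln.strip() for ln in COMMENTED_STMT.findall(suspect)],
    }
```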
Identical dead files (screenshot)
Found copyright notices embedded in the source code (screenshot)
Sample commented program statement (screenshot)
Sample dead program statement (screenshot)
OUR RESEARCH TEAM AND
RESEARCH PRODUCTS
Computer Forensics Research Group
• Our team:
– 5+ PhD students + 3+ MPhil students
– 3+ faculty members + 2 researchers (with PhD)
– 3 full time engineers + several part-time engineers
– MSc project students + final year project students
• Our work:
– Applied research: forensic and investigation tools, video analysis tools
– Basic digital forensics research
– http://i.cs.hku.hk/~cisc/forensics/papers/ComputerForensicsInHK.pdf
• Our website: http://i.cs.hku.hk/~cisc/forensics/
Project – DESK (2005)
DESK/QQ
• Screenshot of QQ analysis
Partner: Shandong Computer Science Center of Shandong Academy of Sciences
Project – BTM (2006)
BTM v2
• Screenshot of automatic download
International Collaborations
• DESK enhancement and China customization with Shandong Computer Science Center of Shandong Academy of Sciences
• Bayesian network for digital crimes with King’s College, University of London, UK
• Harbin Institute of Technology, ShenZhen
• Sixth Annual IFIP WG 11.9 International Conference on Digital Forensics was hosted at HKU on Jan 3-6, 2010
– http://www.ifip119.org
Resources
• http://en.wikipedia.org/wiki/Edison_Chen_photo_scandal
• Eastweek magazine, vol. 233, 13 Feb 2008
• P. Crowley, CD and DVD Forensics, Syngress, 2007
• R. Jones, Internet Forensics, O’Reilly, 2006
• R. Ieong, P. Lai, K.P. Chow, M. Kwan, F. Law, H. Tse & K. Tse, Forensic Investigation of Peer-to-Peer Networks, Handbook of Research on Computational Forensics, Digital Crime and Investigation: Methods and Solutions, IGI Global, 2009.
• R. Ieong, P. Lai, K.P. Chow, M. Kwan & F. Law, Is it an Initial Seeder? Derived Rules that Indicate a Seeder is within the Slow-Rising Period, Sixth IFIP WG 11.9 International Conference on Digital Forensics, 2010.
• Frank Y.W. Law, K.P. Chow, Pierre K.Y. Lai & Hayson K.S. Tse, A Host-based Approach to BotNet Investigation, 1st International Conference on Digital Forensics and Cyber Crime, 2009.
Thank You