Privacy preserving confidential forensic investigation for shared or remote servers

The Best Paper AwardIt is getting popular that customers make use of third party data service providers to store their data and emails. It is common to have a large server shared by many different users. This creates a big problem for forensic investigation. It may not be easy to clone a copy of data from the storage device(s) due to the huge volume of data. Even if it is possible to make a clone, there are many irrelevant information/data stored in the same device for which the investigators have no right to access. The other alternative is to let the service provider search the relevant information and retrieve the data for the investigator provided a warrant can be provided. However, sometimes, due to the confidentiality of the crime, the investigator may not want the service provider to know what information they are looking for or the service provider herself may be one of the suspects. The problem becomes even more obvious in terms of cloud computing technology. In this paper, we address this problem and using homomorphic encryption and commutative encryption, we provide two forensically sound schemes to solve the problem so that the investigators can obtain the necessary evidence while the privacy of other users can be protected and at the same time, the service provider cannot know what information the investigators are interested in. © 2011 IEEE.published_or_final_versionThe 7th International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIHMSP 2011), Dalian, China, 14-16 October 2011. In Proceedings of the 7th IIHMSP, 2011, p. 378-38

Implicit person theories and change in teacher evaluation: A longitudinal field study

Adopting a longitudinal field study, this paper investigates whether entity theorists (students who believe human attributes are fixed) are less likely than incremental theorists (students who believe human attributes are malleable) to change their evaluations of a teacher in accordance with his behavioral changes. An instructor exhibited some forgetful behaviors in the first half of a course, and ceased doing so in the second half. Consistent with our hypothesis, incremental theorists adjusted their perceptions of the instructor. They rated him as less forgetful accordingly at the end of the course than at the middle. Entity theorists, however, did not show this change. With improved ecological validity, this study extends previous laboratory studies to teacher evaluation. © 2010 Copyright the Authors. Journal compilation © 2010 Wiley Periodicals, Inc.postprin

Towards a better similarity measure for keyword profiling via clustering

Automatic profiling for users and postings can help law enforcement units cluster and classify users and postings effectively so that potential problematic users and postings can be identified easily. A core problem in this application is to come up with effective profiles and a good measure to compare the similarity of two profiles. In this paper, we investigate an existing keyword-based user profiling scheme and identify its limitations. Then, we propose an improved version of it and demonstrate that our proposed version is more consistent than the existing approach with respect to the observed replied rates of a user to a posting based on the similarity of the profiles. © 2013 IEEE.published_or_final_versio

Investigating and analyzing the web-based contents on Chinese Shanzhai mobile phones

Chinese Shanzhai mobile phone has had a huge commercial market in China and overseas and was found to be involved in criminal cases. In this paper, a MTK-based Shanzhai phone with private web browser was investigated to extract user's web browsing data in the form of sites visited, received emails, attempted Internet searches and etc. Based on the findings, extracting Internet search conducted and web email received from the binary image was demonstrated. Besides, deleted browsing history can be recovered from snapshots in memory help reconstruct user's browsing activity and timeline analysis.postprintThe 7th International Workshop on Systematic Approaches to Digital Forensic Engineering (IEEE/SADFE 2012), Vancouver, BC., 26-28 September 2012, p. 1297-130

Review of The Electronic Transaction Ordinance: Can The Personal Identification Number Replace The Digital Signature?

In a recent consultation document, the Information Technology and Broadcasting Bureau proposed that personal identification numbers (PINs) be accepted as a form of signature for the purposes of the Electronic Transactions Ordinance (ETO) (Cap 553). This article explains why this proposal is fundamentally flawed. The article identifies three basic requirements for a signature and examines whether they are satisfied by digital signatures and PINs. It concludes that while a digital signature has built into it all the elements necessary for compliance with the requirements, a PIN can only be used for the purpose of authorisation and cannot be elevated to the status of a signature as required by the ETO.published_or_final_versio

Tropism and innate host responses of a novel avian influenza A H7N9 virus: an analysis of ex-vivo and in-vitro cultures of the human respiratory tract

BACKGROUND: Since March, 2013, an avian-origin influenza A H7N9 virus has caused severe pneumonia in China. The aim of this study was to investigate the pathogenesis of this new virus in human beings. METHODS: We obtained ex-vivo cultures of the human bronchus, lung, nasopharynx, and tonsil and in-vitro cultures of primary human alveolar epithelial cells and peripheral blood monocyte-derived macrophages. We compared virus tropism and induction of proinflammatory cytokine responses of two human influenza A H7N9 virus isolates, A/Shanghai/1/2013 and A/Shanghai/2/2013; a highly pathogenic avian influenza H5N1 virus; the highly pathogenic avian influenza H7N7 virus that infected human beings in the Netherlands in 2003; the 2009 pandemic influenza H1N1 virus, and a low pathogenic duck H7N9 virus that was genetically different to the human disease causing A H7N9 viruses. FINDINGS: Both human H7N9 viruses replicated efficiently in human bronchus and lung ex-vivo cultures, whereas duck/H7N9 virus failed to replicate in either. Both human A H7N9 viruses infected both ciliated and non-ciliated human bronchial epithelial cells and replicated to higher titres than did H5N1 (p<0·0001 to 0·0046) and A/Shanghai/1/2013 replicated to higher titres than did H7N7 (p=0·0002-0·01). Both human A H7N9 viruses predominantly infected type II alveolar epithelial cells and alveolar macrophages in the human lung and replicated to higher titres than did H5N1 (p<0·0001 to 0·0078); A/Shanghai/1/2013 replicated to higher titres than did H1N1 (p=0·0052-0·05) and H7N7 (p=0·0031-0·0151). Human H7N9 viruses were less potent inducers of proinflammatory cytokines compared with H5N1 virus. INTERPRETATION: Collectively, the results suggest that the novel H7N9 viruses are better adapted to infect and replicate in the human conducting and lower airways than are other avian influenza viruses, including H5N1, and pose an important pandemic threat.postprin

Digital evidence search kit

With the rapid development of electronic commerce and Internet technology, cyber crimes have become more and more common. There is a great need for automated software systems that can assist law enforcement agencies in cyber crime evidence collection. This paper describes a cyber crime evidence collection tool called DESK (Digital Evidence Search Kit), which is the product of several years of cumulative efforts of our Center together with the Hong Kong Police Force and several other law enforcement agencies of the Hong Kong Special Administrative Region. We will use DESK to illustrate some of the desirable features of an effective cyber crime evidence collection tool. © 2005 IEEE.published_or_final_versio

A dual cube hashing scheme for solving LPP integrity problem

In digital forensics, data stored in a hard disk usually contains valuable evidence. Preserving the integrity of the data in the hard disk is a critical issue. A single hash value for the whole hard disk is not appropriate as the investigation may take a long time and latent sector errors (LSEs) (bad sectors due to media imperfection, for example) which cause a sector suddenly unreadable will make the hash value inconsistent. On the other hand, using a hash per sector may need to store a lot of hash values. Previous research has been conducted to use fewer hash values, but can resist some of LSEs to decrease the number of unverifiable sectors even if there are LSEs. This integrity problem is more complicated in the presence of Legal Professional Privileged (LPP) data inside a seized hard disk in digital forensic as the hard disk has to be cloned once seized and the original hard disk will be sealed after cloning. Hash values need to be computed during this cloning process. However, the cloned copy will be returned to the suspect for the deletion of LPP data before the investigator can work on the sanitized copy. Thus, the integrity of unmodified sectors has to be verified using the hash values computed based on the original hard disk. This paper found that existing schemes are not good enough to solve the integrity problem in the presence of both LSEs and deletion of LPP data. We then propose the idea of a "Dual Cube" hashing scheme to solve the problem. The experiments show the proposed scheme performs better than the previous schemes and fits easily into the digital forensic procedure. © 2011 IEEE.published_or_final_versionThe 6th International Workshop on Systematic Approaches to Digital Forensic Engineering In conjunction with the IEEE Security and Privacy Symposium (IEEE/SADFE 2011), Oakland, CA., 26 May 2011. In IEEE/SADFE Proceedings, 2011, p. 1-

Maintaining hard disk integrity with digital legal professional privilege (LPP) data

published_or_final_versio

Protecting digital legal professional privilege LPP data

The Best Paper AwardTo enable free communication between legal advisor and his client for proper functioning of the legal system, certain documents, known as Legal professional privilege (LPP) documents, can be excluded as evidence for prosecution. In physical world, protection of LPP information is well addressed and proper procedure for handling LPP articles has been established. However, there does not exist a forensically sound procedure for protecting 'digital' LPP information. In this paper, we try to address this important, but rarely addressed, issue. We point out the difficulties of handling digital LPP data and discuss the shortcomings of the current practices, then we propose a feasible procedure for solving this problem. © 2008 IEEE.published_or_final_versionThe 3rd International Workshop on Systematic Approaches to Digital Forensic Engineering (IEEE/SADFE 2008), Oakland, CA., 22 May 2008. In Proceedings of the 3rd SADFE, 2008, p. 91-10