A social graph based text mining framework for chat log investigation

This paper presents a unified social graph based text mining framework to identify digital evidences from chat logs data. It considers both users' conversation and interaction data in group-chats to discover overlapping users' interests and their social ties. The proposed framework applies n-gram technique in association with a self-customized hyperlink-induced topic search (HITS) algorithm to identify key-terms representing users' interests, key-users, and key-sessions. We propose a social graph generation technique to model users' interactions, where ties (edges) between a pair of users (nodes) are established only if they participate in at least one common group-chat session, and weights are assigned to the ties based on the degree of overlap in users' interests and interactions. Finally, we present three possible cyber-crime investigation scenarios and a user-group identification method for each of them. We present our experimental results on a data set comprising 1100 chat logs of 11,143 chat sessions continued over a period of 29 months from January 2010 to May 2012. Experimental results suggest that the proposed framework is able to identify key-terms, key-users, key-sessions, and user-groups from chat logs data, all of which are crucial for cyber-crime investigation. Though the chat logs are recovered from a single computer, it is very likely that the logs are collected from multiple computers in real scenario. In this case, logs collected from multiple computers can be combined together to generate more enriched social graph. However, our experiments show that the objectives can be achieved even with logs recovered from a single computer by using group-chats data to draw relationships between every pair of users.     

A study on the forensic mechanisms of VoIP attacks: Analysis and digital evidence

This paper discusses the use of communication technology to commit crimes, including crime facts and crime techniques. The analysis focuses on the security of voice over Internet protocol (VoIP), a prevention method against VoIP call attack and the attention points for setting up an Internet phone. The importance of digital evidence and digital forensics are emphasised. This paper provides the VoIP digital evidence forensics standard operating procedures (DEFSOP) to help police organisations and establishes an experimental platform to simulate phone calls, hacker attacks and forensic data. Finally, this paper provides a general discussion of a digital evidence strategy that includes VoIP for crime investigators who are interested in digital evidence forensics.     

The legal aspects of corporate e-mail investigations

The undertaking of e-mail investigations was previously limited mainly to law enforcement agencies. However, UK organisations are increasingly undertaking e-mail investigation activities for incidents such as fraud, accessing or distributing indecent images and harassment amongst others. Organisations are also increasingly using computer forensic analysts to search through e-mail archives in order to gather evidence relating to e-mail misuse. In this paper we examine the legal aspects of UK corporate e-mail investigations.     

网络取证系统的技术分析与模型实现

首先分析了网络取证的基本概念，然后介绍了网络取证系统的分析过程，最后提出和设计了一个分布式网络实时取证系统的实现模型。     

The impact of China's 2016 Cyber Security Law on foreign technology firms,and on China's big data and Smart City dreams

Chinese officials are increasingly turning to a policy known as Informatisation, connecting industry online, to utilise technology to improve efficiency and tackle economic developmental problems in China. However, various recent laws have made foreign technology firms uneasy about perceptions of Rule of Law in China. Will these new laws, under China's stated policy of “Network Sovereignty” (“网络主权” “wangluo zhuquan”) affect China's ability to attract foreign technology firms, talent and importantly technology transfers? Will they slow China's technology and Smart City drive? This paper focuses on the question of whether international fears of China's new Cyber Security Law are justified. In Parts I and II, the paper analyses why China needs a cyber security regime. In Parts III and IV it examines the law itself.     

Cyber Weapons Convention

World leaders are beginning to look beyond temporary fixes to the challenge of securing the Internet. One possible solution may be an international arms control treaty for cyberspace. The 1997 Chemical Weapons Convention (CWC) provides national security planners with a useful model. CWC has been ratified by 98% of the world’s governments, and encompasses 95% of the world’s population. It compels signatories not to produce or to use chemical weapons (CW), and they must destroy existing CW stockpiles. As a means and method of war, CW have now almost completely lost their legitimacy. This article examines the aspects of CWC that could help to contain conflict in cyberspace. It also explores the characteristics of cyber warfare that seem to defy traditional threat mitigation.     

Cybercrime investigation in Finland

Nordic police cooperation concerning cybercrimes has been developed during the last few years, e.g. through the Nordic Computer Forensics Investigators (NCFI) and Nordplus training programmes. More empirical research is needed in order to enhance cybercrime investigation and address the training needs of police officers. There is a knowledge gap concerning organizational models for the police’s cybercrime investigation: How the function is organized, what the professional characteristics of the staff are and how to combine computer forensics with crime investigation? The purpose of this paper was to study the organization of cybercrime investigation in Finland. Data were collected by a questionnaire from all 11 local police districts and the National Bureau of Investigation in July–August 2014. In addition, six thematic interviews of cybercrime investigators were conducted in 2014. Three investigation models of computer integrity crimes were found: (1) Computer forensic investigators conduct the entire pre-trial examination, (2) Computer forensic investigators conduct only the computer forensics, and tactical investigation is done by an occasional investigator, (3) Computer forensic investigators conduct only the computer forensics and tactical investigation is centralized to designated investigators. The recognition of various organizational models and educational backgrounds of investigators will help to develop cybercrime investigation training.     

I shop online – recreationally! Internet anonymity and Silk Road enabling drug use in Australia

Internet technologies are beginning to influence the sale and supply of illicit drugs in Australia. One such technology, an online marketplace known as Silk Road, had dramatically increased in popularity since its worldwide launch in February 2011. This research and paper were completed prior to the Silk Road's founder, Ross Ulbricht being arrested on 2 October 2013 and Silk Road being taken off line. This research paper will consider such factors; as the increasing use of internet by Australians, the popularity of shopping online and the variance in the quality and price of products available on Silk Road to those available in other drug markets. The case study will provide an in-depth look at Silk Road from an Australian perspective and in light of the continuing popularity of illicit drug use in Australia. Though Silk Road is currently off line, ‘Bitcoin’ has survived and it will only be a matter of time before a substitute for Silk Road emerges.     

Out of sight,but not out of mind: Traces of nearby devices' wireless transmissions in volatile memory

An IEEE 802.11 wireless device can leave traces of its presence in the volatile memories of nearby wireless devices. While the devices need to be in radio range of each other for this to happen, they do not need to be connected to the same network—or to any network at all. Traces appear in the form of full wire-type frames; a residue of the signals in the ether. We examine types of information that can be extracted from such residual frames and explore the conditions under which traces develop and persist. Their availability is determined by factors in both in the external environment (the types of signals in the ether) and the internal environment (the configuration and particulars of a device's wifi stack). To isolate some of these factors, we have created memory dumps of devices in various environments and configurations. Analysis of the dumps has offered insights into the conditions determining creation and decay of the traces. The results indicate that they will be available in a limited number of real-world scenarios. We conclude with practical advice on triaging and preservation.     

Cyber terrorism challenges: The need for a global response to a multi-jurisdictional crime

With the widespread concerns about cyber terrorism and the frequent use of the term “cyber terrorism” at the present time, many international organisations have made efforts to combat this threat. Since cyber terrorism is an international crime, local regulations alone are not able to defend against such attacks; they require a transnational response. Therefore, an attacked country will invoke international law to seek justice for any damage caused, through the exercise of universal jurisdiction. Without the aid of international organisations, it is difficult to prevent cyber terrorism. At the same time, international organisations determine which state court, or international court, has the authority to settle a dispute. The objective of this paper is to analyse and review the effectiveness and sufficiency of the current global responses to cyber terrorism through the exercise of international jurisdiction. This article also touches upon the notion of cyber terrorism as a transnational crime and an international threat; thus, national regulations alone cannot prevent it. The need for an international organisation to prevent and defend nations from cyber terrorism attacks is pressing. This paper finds that, as cyber terrorism is a transnational crime, it should be subjected to universal jurisdiction through multinational cooperation, and this would be the most suitable method to counter future transnational crimes such as cyber terrorism.     

A case study on anonymised sharing platforms and digital traces left by their usage

Non-local forms of file storage and transfer provide investigatory concerns. Whilst mainstream cloud providers offer a well-established challenge to those involved in criminal enquiries, there are also a host of services offering non-account based ‘anonymous’ online temporary file storage and transfer. From the context of a digital forensic investigation, the practitioner examining a suspect device must detect when such services have been utilised by a user, as offending files may not be resident on local storage media. In addition, identifying the use of a service may also expose networks of illegal file distribution, supporting wider investigations into criminal activity. This work examines 16 anonymous file transfer services and identifies and interprets the digital traces left behind on a device following their use to support law enforcement investigations.