Digital Meta-Forensics: Quantifying the Investigation. Richard E Overill and Jantje A M Silomon
Department of Computer Science, King's College London, Strand, London WC2R 2LS, UK
{richard.overill | jantje.a.silomon}(at)kcl.ac.uk

Abstract

We review, analyse and evaluate recent developments in two related areas of digital forensics. The first involves quantifying the extent to which the recovered digital evidential traces support the prosecution's contention that a particular digital crime has been committed. The second addresses the issue of quantifying the cost-effectiveness of the digital forensic investigative process, in order to optimise the deployment of valuable and scarce resources for maximum efficacy.

Keywords: conditional probability; Bayesian network; likelihood ratio; odds ratio; complexity; cost-effectiveness; return on investment; cost-benefit ratio; forensic triage.

1. Introduction and Background

Digital forensic analysis has up to now not kept pace with conventional forensic analysis in the matter of quantifying the degree of certainty with which a hypothesis and a corresponding set of evidential traces can be causally linked. For example, in the case of fingerprint or DNA analyses the probability of two distinct individuals exhibiting a match is known and hence the plausibility of the hypothesis can be determined quantitatively in the form of a likelihood ratio. In the context of digital forensic evidence, however, qualitative statements such as "very likely" are routinely used by forensic examiners and expert witnesses. Not surprisingly, defence lawyers assigned to digital crime cases have become aware of this discrepancy and have attempted to exploit it to persuade the court that the prosecution does not possess evidence of sufficient probative value.

However, the development of potentially suitable methodologies and techniques for the quantitative interpretation of digital forensic investigations is underway [1-4] and offers the prospect of bringing a degree of numerical certitude to the recovered evidence in such cases. At the same time, metrics for analysing the cost-effectiveness of digital forensic investigations are also being developed [5, 6], as is their implementation in the form of practical software solutions that can be used by digital forensic technicians to perform a type of forensic triage [7]. These developments are particularly significant in view of the current severe shortage of experienced digital forensic examiners and the accelerating increase in digital crimes, all in the context of a global economic recession. In this paper we review the latest developments in both of the areas referred to above and additionally highlight those issues that remain problematic or have yet to be fully addressed.

2. Concepts and Methodologies

2.1 Metrics for Plausibility

The remainder of this subsection describes a top-down and a bottom-up approach to quantifying the degree of plausibility of a (prosecution or defence) hypothesis regarding the putative sequence of events in relation to the recovered digital evidential traces. A top-down approach makes use of Bayesian conditional probabilities, i.e. the probability of recovering the evidential traces $E$ given that the hypothesis $H$ is correct: $\Pr(E \mid H)$. A bottom-up approach, on the other hand, makes use of Bayesian posterior probabilities, i.e. the probability that the hypothesis $H$ is correct given that the evidential traces $E$ have been recovered: $\Pr(H \mid E)$.

The Likelihood Ratio (LR) is a top-down plausibility metric, which is used routinely by conventional forensic scientists (see, for example, [8, 9]). The generalised LR [10] is given by:

$$\Lambda = \frac{\Pr(E \mid H)}{\Pr(E \mid H^c)}$$

where $H^c$ is the logical complement of $H$. In the context of a Bayesian network representation of an actual digital crime investigation (see, for example, [1, 2] and Figure 1), the numerator of $\Lambda$ is obtained by setting the value of the main hypothesis to true and then multiplying together the resulting probabilities for each of the evidential traces, under the assumption that the evidential traces are mutually independent; similarly, setting the value of the main hypothesis to false yields the denominator.

The Odds Ratio (OR), on the other hand, is a bottom-up plausibility metric, which is also widely used by forensic scientists [9]. The OR is given by:

$$O = \frac{\Pr(H \mid E)}{\Pr(H^c \mid E)}$$

and cannot be obtained directly from a Bayesian network representation. Instead, a complexity based model such as the Operational Complexity Model (OCM) [3] can be used to estimate the work (both computational and human) involved in producing the observed evidential traces $E$ via the route specified by $H$, and also via all the remaining enumerated feasible routes satisfying $H^c$.

In the OCM, computational complexity [11] and GOMS-KLM [12] represent the computational and human contributions respectively. A major conceptual step of the OCM is the postulate that the probability of a given feasible route $k$ (as specified by hypothesis $H_k$) is inversely proportional to its complexity, $C_k$:

$$\Pr(H_k \mid E) \propto C_k^{-1}$$

where the proportionality constant $\alpha$ is uniquely determined by the normalisation condition on the sum of the probabilities over all feasible routes:

$$\alpha = \left( \sum_k C_k^{-1} \right)^{-1}$$

Thus, by enumerating all feasible routes $k$ leading to the formation of the observed evidential traces $E$ and evaluating their respective complexities $C_k$, a numerical estimation of the OR for any one particular route over all other feasible routes can be obtained.
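
The two metrics of this subsection can be computed as follows. This is an added example, not code from the paper or from the cited tools: the conditional probabilities, route names and complexities are constructed, and the network is simplified to a single layer of traces directly below the main hypothesis.

```python
"""LR from a single-layer Bayesian network and OR from the OCM (added example)."""
from math import exp, fsum, log


def likelihood_ratio(p_e_given_h, p_e_given_hc):
    """Lambda = prod_i Pr(E_i|H) / prod_i Pr(E_i|H^c), traces assumed independent.

    Logs are summed so that many small probabilities do not underflow.
    """
    if len(p_e_given_h) != len(p_e_given_hc):
        raise ValueError("one probability per trace is needed under both H and H^c")
    for p in list(p_e_given_h) + list(p_e_given_hc):
        if not 0.0 < p <= 1.0:
            # A zero makes the LR zero or undefined; review the elicited value instead.
            raise ValueError(f"probability {p} is outside (0, 1]")
    log_lr = fsum(log(a) - log(b) for a, b in zip(p_e_given_h, p_e_given_hc))
    return exp(log_lr)


def ocm_posteriors(complexities):
    """Pr(H_k|E) = alpha / C_k with alpha = 1 / sum_k (1 / C_k)."""
    if not complexities or any(c <= 0 for c in complexities.values()):
        raise ValueError("every enumerated route needs a positive complexity")
    inverse = {route: 1.0 / c for route, c in complexities.items()}
    alpha = 1.0 / fsum(inverse.values())
    return {route: alpha * inv for route, inv in inverse.items()}


def ocm_odds_ratio(complexities, route):
    """O = Pr(H|E) / Pr(H^c|E), where H^c covers every other enumerated route."""
    post = ocm_posteriors(complexities)
    rest = fsum(p for name, p in post.items() if name != route)
    if rest == 0.0:
        raise ValueError("at least one alternative route must be enumerated")
    return post[route] / rest


# Constructed values for five traces (not taken from the paper).
PR_E_GIVEN_H = [0.90, 0.80, 0.95, 0.70, 0.85]
PR_E_GIVEN_HC = [0.30, 0.40, 0.50, 0.35, 0.50]

# Constructed complexities (arbitrary work units) for three feasible routes.
ROUTE_COMPLEXITY = {"prosecution": 2000.0, "trojan": 9000.0, "third_party": 18000.0}

if __name__ == "__main__":
    print("LR :", round(likelihood_ratio(PR_E_GIVEN_H, PR_E_GIVEN_HC), 2))
    for name, p in ocm_posteriors(ROUTE_COMPLEXITY).items():
        print(f"Pr({name}|E) = {p:.4f}")
    print("OR :", round(ocm_odds_ratio(ROUTE_COMPLEXITY, "prosecution"), 2))
```

With only two enumerated routes the OR reduces to the ratio of the two complexities, so the result depends directly on how completely the alternative routes have been enumerated.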

It should be noted that although a simple proportionality relationship exists between LR and OR: $O \propto \Lambda$, the constant of proportionality in this case is:

$$\beta = \frac{\Pr(H)}{\Pr(H^c)}$$

that is, the (prior) odds of $H$, which is not usually known. For this reason LR and OR are not normally inter-convertible.

2.2 Metrics for Cost-effectiveness

With law enforcement resources (principally manpower, money and time) already overstretched in relation to the number of digital forensic investigations requested, it becomes important to develop methods of determining whether or not any particular investigation is worthwhile undertaking. This leads naturally to the concepts of forensic triage and prioritisation. A preliminary filtering or prescreening phase will enable evidentially hopeless investigations to be abandoned quickly, and the remainder to be ranked in probable order of evidential strength. A number of criteria have been proposed for making the initial assessment, including cost-efficiency [5] and return-on-investment (ROI) [6].

Cost-efficiency ranks the recovered evidence against the expected evidence for a known type of crime. A forensic technician is guided through the assessment by a software application (for example, Digital Forensic Advisor [7]) in a pre-determined sequence which seeks out the most evidentially significant traces first, and, among traces of equal evidential weight, the lowest cost traces first [5]. In this way, an evidentially hopeless assessment can be detected early on and abandoned, while only those assessments which exceed a pre-determined evidential threshold (for example, 80% of the expected evidence) are passed on to an experienced forensic examiner for full processing.

Return-on-Investment is a familiar business decision making concept which is inversely related to the equally familiar cost-benefit ratio (CBR).
If the evidential weight of a given trace $i$ is $w_i$ and its corresponding cost is $c_i$ then its ROI is given by $w_i / c_i$ and its CBR by $c_i / w_i$. The evidential traces for a known type of crime can be ranked in order of descending ROI (or of ascending CBR) and then assessed in that order. Refinement of this scheme is possible: for example, where a particular trace $i$ contributes to $n_i > 1$ evidentiary chains then its effective weight is given by $n_i w_i$ and the effective ROI is then $(n_i w_i) / c_i$ [6]. Alternative ranking metrics, such as $n_i + (c_i / 10)$ and $(n_i / c_i)$, have also been proposed [6]. Each metric yields a subtly different assessment ranking for the evidentiary traces (see [6], Table 2). A digital forensic laboratory's choice of which ranking to adopt will depend on its individual priorities (for example, throughput versus resources) as well as on the nature of the suspected digital crime (for example, civil versus criminal, or large scale versus small scale).
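
The ranking metrics and the threshold-based triage described in this subsection can be sketched as below. This is an added example, not the Digital Forensic Advisor's code: the trace names echo Figure 1, but every weight, cost and chain count is constructed, and the early-abandon rule (stop once the threshold can no longer be reached) is an assumption about how "evidentially hopeless" is detected.

```python
"""ROI / CBR ranking and threshold triage of evidential traces (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trace:
    name: str
    weight: float     # evidential weight w_i
    cost: float       # cost c_i of examining the trace
    chains: int = 1   # n_i, number of evidentiary chains the trace contributes to

    def __post_init__(self):
        if self.weight <= 0 or self.cost <= 0 or self.chains < 1:
            raise ValueError(f"{self.name}: weight and cost must be > 0, chains >= 1")

    @property
    def roi(self):             # w_i / c_i
        return self.weight / self.cost

    @property
    def cbr(self):             # c_i / w_i
        return self.cost / self.weight

    @property
    def effective_roi(self):   # (n_i * w_i) / c_i
        return self.chains * self.weight / self.cost


def rank(traces, metric):
    """Names in assessment order: ascending for CBR, descending otherwise."""
    ordered = sorted(traces, key=lambda t: getattr(t, metric), reverse=(metric != "cbr"))
    return [t.name for t in ordered]


def triage(traces, recovered, threshold=0.8):
    """Assess heaviest traces first, cheapest first among equal weights.

    Returns (decision, cost_spent, traces_examined). "refer" means the recovered
    weight reached threshold * expected weight; "abandon" means it no longer can.
    """
    expected = sum(t.weight for t in traces)
    needed = threshold * expected
    found = spent = 0
    unseen = expected
    examined = []
    for t in sorted(traces, key=lambda t: (-t.weight, t.cost)):
        spent += t.cost
        unseen -= t.weight
        examined.append(t.name)
        if t.name in recovered:
            found += t.weight
        if found >= needed:
            return "refer", spent, examined
        if found + unseen < needed:   # even a perfect remainder falls short
            return "abandon", spent, examined
    return "abandon", spent, examined


# Constructed expected-evidence profile for one crime type.
TRACES = [
    Trace("hash_match", weight=5, cost=4, chains=2),
    Trace("torrent_file", weight=5, cost=1, chains=2),
    Trace("tracker_login", weight=3, cost=2),
    Trace("bt_client", weight=2, cost=1, chains=3),
    Trace("cookie", weight=1, cost=2),
]

if __name__ == "__main__":
    for metric in ("roi", "cbr", "effective_roi"):
        print(f"{metric:14s}", rank(TRACES, metric))
    print(triage(TRACES, {"torrent_file", "hash_match", "tracker_login"}))
    print(triage(TRACES, {"bt_client", "cookie"}))
```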

3. Results and Discussion

The conceptual frameworks outlined in Section 2.1 above have been applied to the evidential traces from two actual prosecuted digital crimes.

3.1 Top-down analysis

In [2], the LR for an online auction fraud case was calculated under the assumption that there are just two feasible routes by which the recovered digital evidential traces could have been produced, corresponding to the prosecution's (criminal) hypothesis $H_p$ and the defence's (non-criminal) hypothesis $H_d$. Note that, since the recovered digital evidential traces are not in dispute per se, the Bayesian networks for the two hypotheses differ only in the interpretation of the significance of the traces as reflected in their respective sub-hypotheses. In this case, the calculation yields an LR for $H_p$ over $H_d$ of 164,000, which can be qualitatively interpreted as indicating very strong evidentiary support for $H_p$ over $H_d$ [8]. This finding may be taken by the prosecuting authority as one indication inter alia that it is worthwhile proceeding to trial. It should however be pointed out here that this type of calculation may also be employed by the defence side in an adversarial judicial system in an attempt to improve or tune their own hypothesis so that it compares more favourably with the prosecution's.

Another approach that the defence might wish to adopt is to challenge the validity of the individual conditional probability values $\Pr(E_i \mid H_j)$ embedded in the prosecution's Bayesian network. Each value represents the probability that the evidential trace $E_i$ is found given that the sub-hypothesis $H_j$ is true. These values may be obtained by aggregating the responses of a group of experienced digital forensic examiners to a carefully constructed questionnaire [1].
In order to study the dependence of a Bayesian network on its embedded evidential conditional probabilities, a rigorous sensitivity analysis [4] has been performed on the Bayesian network used for investigating illegal peer-to-peer (P2P) file-sharing over a BitTorrent (BT) network [1]. While simultaneously replacing every aggregated conditional probability with its minimum response value was found to produce the largest change in the Bayesian network ( 25.5%), the chance of randomly selecting minimum values for all 18 evidential conditional probabilities is negligible (of order ). However, systematically replacing any one conditional probability consistently produced changes of less than 2.6% in magnitude [4]. The implication of this finding is that the BT network, and, by extension, other similar Bayesian networks for investigating digital crimes, is not particularly sensitive to the precise values employed for each of the evidential conditional probabilities.

A similar observation holds with regard to missing (that is, unrecovered) evidential traces. More often than not the complete set of expected digital traces from a suspected crime is not recovered, and the defence might wish to challenge the strength of the prosecution case on these grounds. The BT sensitivity analysis [4] also studied the effect on the Bayesian network of systematically removing each individual trace, all possible pairs of traces, and a selection of groups of three or more traces. The maximum change due to one or two missing traces (out of a possible total of 18 traces for BT) was 10.3%, and the sampled cases involving three and four missing traces also fell within this bound. Taken together, these findings effectively block potential challenges on the grounds of conditional probability values or missing evidential traces.
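
The shape of such a sensitivity analysis is shown below on a small network. This is an added example and not the analysis of [4]: it uses four traces with constructed probabilities in a single layer under the main hypothesis, assumes a prior of 0.5, and treats a missing trace as unobserved (dropped from the product), so its percentages are not comparable with the figures quoted above.

```python
"""One-at-a-time and missing-trace sensitivity of a posterior (added example)."""
from itertools import combinations
from math import prod


def posterior(p_h, p_hc, prior=0.5, skip=()):
    """Pr(H|E) for independent traces; indices in `skip` are treated as unobserved."""
    keep = [i for i in range(len(p_h)) if i not in skip]
    like_h = prior * prod(p_h[i] for i in keep)
    like_hc = (1.0 - prior) * prod(p_hc[i] for i in keep)
    return like_h / (like_h + like_hc)


def value_sensitivity(p_h, p_hc, p_h_min, prior=0.5):
    """Relative change in Pr(H|E) when Pr(E_i|H) is replaced by its minimum response.

    Returns (changes for each single replacement, change when all are replaced).
    """
    base = posterior(p_h, p_hc, prior)
    single = []
    for i in range(len(p_h)):
        trial = list(p_h)
        trial[i] = p_h_min[i]
        single.append(posterior(trial, p_hc, prior) / base - 1.0)
    all_at_once = posterior(p_h_min, p_hc, prior) / base - 1.0
    return single, all_at_once


def missing_trace_sensitivity(p_h, p_hc, prior=0.5, max_missing=2):
    """Worst relative change in Pr(H|E) for every group of 1..max_missing lost traces."""
    base = posterior(p_h, p_hc, prior)
    worst = {}
    for k in range(1, max_missing + 1):
        changes = {
            combo: posterior(p_h, p_hc, prior, skip=combo) / base - 1.0
            for combo in combinations(range(len(p_h)), k)
        }
        combo = max(changes, key=lambda c: abs(changes[c]))
        worst[k] = (combo, changes[combo])
    return worst


# Constructed values: aggregated and minimum questionnaire responses for Pr(E_i|H),
# and Pr(E_i|H^c), for four traces.
P_H = [0.90, 0.80, 0.60, 0.75]
P_H_MIN = [0.60, 0.60, 0.45, 0.50]
P_HC = [0.30, 0.40, 0.30, 0.25]

if __name__ == "__main__":
    single, all_at_once = value_sensitivity(P_H, P_HC, P_H_MIN)
    print("baseline Pr(H|E):", round(posterior(P_H, P_HC), 4))
    print("one value at its minimum:", [f"{c:+.2%}" for c in single])
    print("all values at their minimum:", f"{all_at_once:+.2%}")
    for k, (combo, change) in missing_trace_sensitivity(P_H, P_HC).items():
        print(f"worst case with {k} missing trace(s): {combo} {change:+.2%}")
```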

3.2 Bottom-up analysis

In [3], the OR for the illegal P2P file-sharing (BT) investigation was calculated under the assumption that the Trojan defence [13] was the only other feasible route to the recovered evidential traces. This approach employed the non-Bayesian OCM [3], requiring the enumeration of the human and computational complexities of each step of both feasible routes. A further assumption was made that the user of the seized computer frequently participated in online filesharing. The size of the illegally shared multimedia file was taken as 4GB. In this case the initial calculation yielded an OR of 4.60 in favour of the prosecution hypothesis. However, the initial model assumed that no up-to-date anti-malware defence was operational on the seized PC. Inclusion of an anti-malware defence with a typical Trojan detection probability of 0.98 raised the OR to 277, or, put another way, the probability of the prosecution hypothesis is if the Trojan defence is the sole alternative hypothesis.

This is by no means the final word on the topic of calculating the OR ab initio. It is possible to weight the human and computational complexity terms to reflect the difference in cycle times between a human brain and a PC (of order $10^7$). Disk access, which is of order $10^5$ slower than RAM access, may also be included in the model in a straightforward manner [3].

4. Summary and Conclusions

In the first instance, the quantitative analysis methods described in this paper would most naturally be employed in-house by forensic investigators to assess the likely probative value of the recovered evidence, and to decide whether or not a full digital forensic investigation is warranted. At a later stage, they could be adopted by the relevant prosecution authority (e.g. the Crown Prosecution Service of England and Wales) in reaching a decision as to whether or not to mount a prosecution given the evidence recovered from the full digital forensic investigation.
Finally, they might be used within trial proceedings (possibly by both prosecution and defence counsels in an adversarial judicial system) as an additional means of persuading the court of the respective strengths and weaknesses of their own and their opponent's cases. For perfectly good reasons judicial systems tend to be inherently conservative and it is to be expected that there would be a natural time lag (of perhaps at least a decade) between each of these three phases of development.

References

[1] Kwan M, Chow K-P, Law F & Lai P, Reasoning About Digital Evidence Using Bayesian Networks, Advances in Digital Forensics IV, Ch.12, pp , Springer (2008).

[2] Kwan Y K, Overill R E, Chow K P, Silomon J A M, Tse H, Law Y W & Lai K Y, Evaluation of Evidence in Internet Auction Fraud Investigations, Proc. 6th Annual IFIP WG 11.9 International Conference on Digital Forensics, Hong Kong, 3-6 January 2010, Advances in Digital Forensics VI, Ch.7, pp , Springer (2010).

[3] Overill R E, Silomon J A M & Chow K-P, A Complexity Based Model for Quantifying Forensic Evidential Probabilities, Proc. 3rd International Workshop on Digital Forensics (WSDF 2010), Krakow, Poland, February 2010, pp

[4] Overill R E, Silomon J A M, Kwan Y K, Chow K-P, Law Y W & Lai K Y, Sensitivity Analysis of a Bayesian Network for Reasoning about Digital Forensic Evidence, Proc. 4th International Workshop on Forensics for Future Generation Communication environments (F2GC-10), Cebu, Philippines, August 2010 (to appear).

[5] Overill R E, Kwan Y K, Chow K-P, Lai K Y & Law Y W, A Cost-Effective Digital Forensics Investigation Model, Proc. 5th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA, January 2009, Advances in Digital Forensics V, Ch.15, pp , Springer (2009).

[6] Cohen F, Two Models of Digital Forensic Analysis, Proc. 4th International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE-2009), Oakland, CA, 21 May 2009, pp

[7] Digital Forensic Advisor, a software application developed jointly by King's College London and Hong Kong University, funded by Innovation China UK (June 2010).

[8] Keppens J, Towards Qualitative Approaches to Bayesian Evidential Reasoning, Proc. 11th ACM International Conference on Artificial Intelligence and Law (ICAIL '07), Stanford, CA, 4-8 June 2007, pp. 17-25, Table 2.

[9] Lucy D, Introduction to Statistics for Forensic Scientists, Wiley, Chichester, UK (2005).

[10] Evett I, Establishing the evidential value of a small quantity of material found at a crime scene, J For Sci Soc, 33(2) (1993)

[11] Papadimitriou C H, Computational Complexity, Addison-Wesley, Reading, MA (1994).

[12] Kieras D, Using the Keystroke-Level Model to Estimate Execution Times, University of Michigan (2001), available online at:

[13] Haagman D and Ghavalas B, Trojan Defence: A Forensic View, Digital Investigation, 2 (2005)

HYPOTHESES:

- $H$: The seized computer was used as the initial seeder to share the pirated file on a BitTorrent network
- $H_1$: The pirated file was copied from the seized optical disk to the seized computer
- $H_2$: A torrent file was created from the copied file
- $H_3$: The torrent file was sent to newsgroups for publishing
- $H_4$: The torrent file was activated, which caused the seized computer to connect to the tracker server
- $H_5$: The connection between the seized computer and the tracker server was maintained

EVIDENCE:

- $E_1$: Modification time of the destination file equals that of the source file
- $E_2$: Creation time of the destination file is after its own modification time
- $E_3$: Hash value of the destination file matches that of the source file
- $E_4$: BitTorrent client software is installed on the seized computer
- $E_5$: File link for the shared file is created
- $E_6$: Shared file exists on the hard disk
- $E_7$: Torrent file creation record is found
- $E_8$: Torrent file exists on the hard disk
- $E_9$: Peer connection information is found
- $E_{10}$: Tracker server login record is found
- $E_{11}$: Torrent file activation time is corroborated by its MAC time and link file
- $E_{12}$: Internet history record about the publishing website is found
- $E_{13}$: Internet connection is available
- $E_{14}$: Cookie of the publishing website is found
- $E_{15}$: URL of the publishing website is stored in the web browser
- $E_{16}$: Web browser software is available
- $E_{17}$: Internet cache record about the publishing of the torrent file is found
- $E_{18}$: Internet history record about the tracker server connection is found

Figure 1: BitTorrent Network Diagram [1]
More informationWhitepapers on Imaging Infrastructure for Research Paper 1. General Workflow Considerations
Whitepapers on Imaging Infrastructure for Research Paper 1. General Workflow Considerations Bradley J Erickson, Tony Pan, Daniel J Marcus, CTSA Imaging Informatics Working Group Introduction The use of
More informationComputer Forensics as an Integral Component of the Information Security Enterprise
Computer Forensics as an Integral Component of the Information Security Enterprise By John Patzakis 10/28/03 I. EXECUTIVE SUMMARY In addition to fending off network intrusions and denial of service attacks,
More informationTechnical Questions on Data Retention
Technical Questions on Data Retention 1) The list of data in the annex of the proposed Directive on Data retention is practically identical to the information required in the Council draft Framework Decision.
More informationDebt Recovery Guidance Page 1 of 5
Page 1 of 5 The guidance provided does not cover Insolvency Law but further details can be provided on request. Legal proceedings cannot be commenced until this deadline has passed. ROLE OF THE COURTS
More informationE.33 SOI (2009-2014) Statement of Intent. Crown Law For the Year Ended 30 June 2010
E.33 SOI (2009-2014) Statement of Intent Crown Law For the Year Ended 30 June 2010 Contents Foreword: Attorney-General 3 Introduction from the Solicitor-General 4 Nature and Scope of Functions 6 Strategic
More informationCSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of computer
More informationVHCC - Legal Aid Agency Clinical Negligence Funding Checklist April 2013 v1 Version: Issue date: Last review date: Owned by:
VHCC - Legal Aid Agency Clinical Negligence Funding Checklist April 2013 v1 Version: Issue date: Last review date: Owned by: 1 01.04.2013 01.04.2013 Special Cases Unit Version History Version: Date Reason
More informationSocial Influence Benchmark Report. December 2009
Social Influence Benchmark Report December 2009 PUBLISHED BY: StrongMail Systems, Inc. StrongMail Systems UK, Ltd 1300 Island Drive, Suite 200 Prospect House, Crendon Street Redwood City, CA 94065 High
More informationSECURITY METRICS: MEASUREMENTS TO SUPPORT THE CONTINUED DEVELOPMENT OF INFORMATION SECURITY TECHNOLOGY
SECURITY METRICS: MEASUREMENTS TO SUPPORT THE CONTINUED DEVELOPMENT OF INFORMATION SECURITY TECHNOLOGY Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute
More informationFuzzy Hashing for Digital Forensic Investigators Dustin Hurlbut - AccessData January 9, 2009
Fuzzy Hashing for Digital Forensic Investigators Dustin Hurlbut - AccessData January 9, 2009 Abstract Fuzzy hashing allows the investigator to focus on potentially incriminating documents that may not
More informationA brief guide to professional negligence claims
A brief guide to professional negligence claims Contents Introduction Do I have a claim? Important considerations Pre-action protocol procedure Court proceedings Contact information Introduction Claims
More informationTemporal Analysis in Digital Evidence. Frank LAW Department of Computer Science University of Hong Kong
Temporal Analysis in Digital Evidence Frank LAW Department of Computer Science University of Hong Kong Consider the situation An investigator raid a premises and locate a male who is suspected to have
More informationEffectiveness and Cost Efficiency of DNA Evidence in Volume Crime Denver Colorado Site Summary
Effectiveness and Cost Efficiency of DNA Evidence in Volume Crime Denver Colorado Site Summary Simon Ashikhmin 1, Susan G. Berdine 2, Mitchell R. Morrissey 1, and Greggory S. LaBerge 2 1 Denver District
More informationTaxation and the Criminal Law
CHAD J. BROWN Presentation Overview 1. Recent History of CRA s Criminal Investigation Program ( CIP ). 2. Offences and Penalties Overview. 3. Typical Offenders. 4. File Chronology. 5. Search Warrants.
More informationEXECUTIVE SUMMARY. Measuring money laundering at continental level: The first steps towards a European ambition. January 2011 EUROPEAN COMMISSION
MONEY LAUNDERING IN EUROPE Measuring money laundering at continental level: The first steps towards a European ambition EXECUTIVE SUMMARY January 2011 EUROPEAN COMMISSION DG HOME AFFAIRS FIGHT AGAINST
More informationHow To Find Influence Between Two Concepts In A Network
2014 UKSim-AMSS 16th International Conference on Computer Modelling and Simulation Influence Discovery in Semantic Networks: An Initial Approach Marcello Trovati and Ovidiu Bagdasar School of Computing
More informationThe Code. for Crown Prosecutors
The Code for Crown Prosecutors January 2013 Table of Contents Introduction... 2 General Principles... 3 The Decision Whether to Prosecute... 4 The Full Code Test... 6 The Evidential Stage... 6 The Public
More informationPlanning to Fail - Reliability Needs to Be Considered a Priori in Multirobot Task Allocation
Planning to Fail - Reliability Needs to Be Considered a Priori in Multirobot Task Allocation Stephen B. Stancliff, John Dolan The Robotics Institute Carnegie Mellon University Pittsburgh, PA, USA {sbs,jmd}@cmu.edu
More informationThe Government propose to take a zero tolerance approach to the following 8 controlled drugs which are known to impair driving:
Drug-Driving: Proposed New Law New law on drug driving to be introduced in the near future The new law on drug driving is designed, in part, to reduce the number of failed prosecutions under the existing
More informationComputer Forensics US-CERT
Computer Forensics US-CERT Overview This paper will discuss the need for computer forensics to be practiced in an effective and legal way, outline basic technical issues, and point to references for further
More informationAPPENDIX E THE ASSESSMENT PHASE OF THE DATA LIFE CYCLE
APPENDIX E THE ASSESSMENT PHASE OF THE DATA LIFE CYCLE The assessment phase of the Data Life Cycle includes verification and validation of the survey data and assessment of quality of the data. Data verification
More informationTo Catch a Thief: Computer Forensics in the Classroom
To Catch a Thief: Computer Forensics in the Classroom Anna Carlin acarlin@csupomona.edu Steven S. Curl scurl@csupomona.edu Daniel Manson dmanson@csupomona.edu Computer Information Systems Department California
More informationImproved Event Logging for Security and Forensics: developing audit management infrastructure requirements
Improved Event Logging for Security and Forensics: developing audit management infrastructure requirements Atif Ahmad & Anthonie Ruighaver University of Melbourne, Australia Abstract The design and implementation
More informationSECURITY. Risk & Compliance Services
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
More informationApplication of Backward Chaining Method to Computer Forensic
119 Application of Backward Chaining Method to Computer Forensic Hofstra University, Hempstead New York najib.saylani@hofstra.edu Abstract: This paper proposes the exploration of the use of Backward Chaining
More informationMeasuring Unilateral Market Power in Wholesale Electricity Markets: The California Market, 1998 2000
Measuring Unilateral Market Power in Wholesale Electricity Markets: The California Market, 1998 2000 By FRANK A. WOLAK* * Department of Economics, Stanford University, Stanford, CA 94305-6072, and NBER
More information2011 UK Census Coverage Assessment and Adjustment Methodology. Owen Abbott, Office for National Statistics, UK 1
Proceedings of Q2008 European Conference on Quality in Official Statistics 2011 UK Census Coverage Assessment and Adjustment Methodology Owen Abbott, Office for National Statistics, UK 1 1. Introduction
More informationIdentifying a Computer Forensics Expert: A Study to Measure the Characteristics of Forensic Computer Examiners
Identifying a Computer Forensics Expert: A Study to Measure the Characteristics of Forensic Computer Examiners Gregory H. Carlton California State Polytechnic University Computer Information Systems Department
More informationCOMPUTER- LINKED TRANSACTIONAL RECORDS FOR CRIMINAL JUSTICE STATISTICS. Steve E. Kolodney and Paul K. Wormeli Public Systems incorporated
COMPUTER- LINKED TRANSACTIONAL RECORDS FOR CRIMINAL JUSTICE STATISTICS Steve E. Kolodney and Paul K. Wormeli Public Systems incorporated For years, national and state authorities, commissions and hearings
More informationPiecing Digital Evidence Together. Service Information
Piecing Digital Evidence Together Service Information Services Overview Mobile and Tablet Forensics Mobile Phone Forensics is the legally tested and approved systematic examination of mobile phones, SIM
More informationFreshfields Bruckhaus Deringer Changes to unfair trade practices law in Hong Kong. Summary
Briefing Changes to unfair trade practices law in Hong Kong Summary Amendments to the Hong Kong Trade Descriptions Ordinance will come into force on 19. The changes broaden the application of the law to
More informationOperation Turning Point: an experiment in offender desistance policing. West Midlands Police and Cambridge University
Operation Turning Point: an experiment in offender desistance policing West Midlands Police and Cambridge University Crim-PORT 1.0: Criminological Protocol for Operating Randomized Trials @ 2009 by Lawrence
More informationTerms of Use (basic) 1
Terms of Use (basic) 1 (1) Introduction These terms of use govern your use of our website; by using our website, you accept these terms of use in full. 2 If you disagree with these terms of use or any
More informationPRE-TRIAL CONFERENCES.. Panel presentation by. The Honourable Chief Justice Mary Batten, G. Patrick Sommervill and Wilfred Tucker
PRE-TRIAL CONFERENCES. Panel presentation by The Honourable Chief Justice Mary Batten, G. Patrick Sommervill and Wilfred Tucker Chairman: Dean Dan Ish PRE-TRIAL CONFERENCES TABLE OF CONTENTS Page No. I.
More informationIntroduction to. Hypothesis Testing CHAPTER LEARNING OBJECTIVES. 1 Identify the four steps of hypothesis testing.
Introduction to Hypothesis Testing CHAPTER 8 LEARNING OBJECTIVES After reading this chapter, you should be able to: 1 Identify the four steps of hypothesis testing. 2 Define null hypothesis, alternative
More informationFRD506. Financial investigation and Forensic Accounting - 30 hours. Objectives
FRD506 Financial investigation and Forensic Accounting - 30 hours Objectives This course Financial Investigation and Forensic Accounting, Third Edition examines different types of offenses with a financial
More informationTerrorist Protection Planning Using a Relative Risk Reduction Approach*
BNL-71383-2003-CP Terrorist Protection Planning Using a Relative Risk Reduction Approach* Session VIII: Technology Forum Focus Groups Dr. Joseph P. Indusi Nonproliferation and National Security Department
More informationTHE USE OF SIMULATION IN DIGITAL FORENSICS TEACHING
THE USE OF SIMULATION IN DIGITAL FORENSICS TEACHING Jonathan Crellin School of Computing, University of Portsmouth Buckingham Building Portsmouth, PO1 3HE jonathan.crellin@port.ac.uk http://userweb.port.ac.uk/~crellinj/in
More informationMemorandum of Understanding between the Competition and Markets Authority and the Crown Office and Procurator Fiscal Service.
Memorandum of Understanding between the Competition and Markets Authority and the Crown Office and Procurator Fiscal Service Introduction July 2014 1. This Memorandum of Understanding (MOU) records the
More informationHARDCAT SABRE IS A COMPLETE END TO END LAW ENFORCEMENT INFORMATION MANAGEMENT SYSTEM
HARDCAT SABRE IS A COMPLETE END TO END LAW ENFORCEMENT INFORMATION MANAGEMENT SYSTEM CASE/EVENT/INCIDENT MANAGEMENT EXHIBIT/PROPERTY MANAGEMENT JOB MANAGEMENT CHAIN OF CUSTODY LABORATORY INFORMATION MANAGEMENT
More informationQUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT
QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT Rok Bojanc ZZI d.o.o. rok.bojanc@zzi.si Abstract: The paper presents a mathematical model to improve our knowledge of information security and
More informationHow do we build and refine models that describe and explain the natural and designed world?
Strand: A. Understand Scientific Explanations : Students understand core concepts and principles of science and use measurement and observation tools to assist in categorizing, representing, and interpreting
More informationGUIDANCE Implementing Section 176 of the Anti-social Behaviour, Crime and Policing Act 2014: Lowvalue
GUIDANCE Implementing Section 176 of the Anti-social Behaviour, Crime and Policing Act 2014: Lowvalue shoplifting Guidance for police in England and Wales First publication: June 2014 1 Introduction 1.
More informationPhillip Kruss Chief, Information Technology Service
The gocase application is UNODC s Case Management System for Member States Law Enforcement and Regulatory Agencies & Criminal Intelligence and Prosecutorial Services gocase.unodc.org UNODC s Information
More informationResearch Note RN 00/91 1 November 2000 DRUG COURTS
Research Note RN 00/91 1 November 2000 DRUG COURTS There will be a Scottish National Party debate on Drug Courts on Thursday 2 November 2000. This brief research note gives information on the background
More information2. Neither the name of SWGIT, nor the names of its contributors, may be used to endorse or promote products derived from its documents.
Disclaimer: As a condition to the use of this document and the information contained herein, the SWGIT requests notification by e-mail before or contemporaneously to the introduction of this document,
More information