Analyzing Storage Media of Digital Camera
K. Tse, K.P. Chow, F. Law, R. Ieong, M. Kwan, H. Tse & P. Lai
The 2009 International Workshop on Forensics for Future Generation Communication environments (F2GC-09)

Memory Acquisition: A 2-Take Approach
F. Law, P. Lai, K.P. Chow, R. Ieong & M. Kwan
The 2009 International Workshop on Forensics for Future Generation Communication environments (F2GC-09)

Forensic Investigation of Peer-to-Peer Networks
R. Ieong, P. Lai, K.P. Chow, M. Kwan, F. Law, H. Tse & K. Tse
Handbook of Research on Computational Forensics, Digital Crime and Investigation: Methods and Solutions, IGI Global, United Kingdom

Protecting Digital Legal Professional Privilege (LPP) Data
Frank Y.W. Law, Pierre K.Y. Lai, Zoe L. Jiang, Ricci S.C. Ieong, Michael Y.K. Kwan, K.P. Chow, Lucas C.K. Hui, S.M. Yiu, C.F. Chong
Fourth Annual IFIP WG 11.9 International Conference on Digital Forensics, Kyoto, Japan, January 27 - 30, 2008 (Best Paper Award)
Abstract: To enable free communication between a legal advisor and his client, which is essential to the proper functioning of the legal system, certain documents, known as legal professional privilege (LPP) documents, can be excluded as evidence for prosecution. In the physical world, protection of LPP information is well addressed and proper procedures for handling LPP articles have been established. However, no forensically sound procedure exists for protecting “digital” LPP information. In this paper, we address this important but rarely addressed issue. We point out the difficulties of handling digital LPP data, discuss the shortcomings of current practice, and then propose a feasible procedure for solving the problem.

Reasoning About Evidence using Bayesian Networks
Michael Y.K. Kwan, Frank Y.W. Law, Pierre K.Y. Lai, K.P. Chow
Fourth Annual IFIP WG 11.9 International Conference on Digital Forensics, Kyoto, Japan, January 27 - 30, 2008 (to appear)
Abstract: There is an escalating perception in some quarters that the conclusions drawn from digital evidence are the subjective views of individuals and have limited scientific justification. This paper attempts to address this problem by presenting a formal model for reasoning about digital evidence. A Bayesian network is used to quantify the evidential strengths of hypotheses and, thus, enhance the reliability and traceability of the results produced by digital forensic investigations. The validity of the model is tested using a real court case. The test uses objective probability assignments obtained by aggregating the responses of experienced law enforcement agents and analysts. The results confirmed the guilty verdict in the court case with a probability value of 92.7%.
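As an added illustration of the kind of computation the abstract describes (this is not the paper's model; the structure and probabilities of that model are not reproduced on this page), the Python below builds a small Bayesian network over Boolean variables, a root hypothesis H with two sub-hypotheses S1 and S2 and three evidence items E1 to E3, and computes the posterior of H given the observed evidence by exact enumeration over the joint distribution. The node names, the conditional probability tables and the set of evidence observed are all constructed for this example, and exact fractions are used so that the numbers are reproducible.

```python
"""
Added example (not from the paper): exact inference in a tiny Boolean Bayesian
network, used to quantify how strongly observed digital evidence supports a
hypothesis. Every node name and probability below is a constructed assumption.
"""
from fractions import Fraction as F
from itertools import product


class BooleanBN:
    """Bayesian network over Boolean variables with inference by enumeration."""

    def __init__(self):
        # name -> (parents, cpt); cpt maps a tuple of parent values to P(node = True)
        self.nodes = {}

    def add(self, name, parents, cpt):
        self.nodes[name] = (tuple(parents), cpt)

    def joint(self, assignment):
        """P(assignment) = product over nodes of P(node | its parents)."""
        p = F(1)
        for name, (parents, cpt) in self.nodes.items():
            p_true = cpt[tuple(assignment[q] for q in parents)]
            p *= p_true if assignment[name] else 1 - p_true
        return p

    def query(self, target, evidence):
        """P(target = True | evidence): sum the joint over every full assignment
        that agrees with the evidence (2^n terms, fine for a handful of nodes)."""
        names = list(self.nodes)
        numerator = denominator = F(0)
        for values in product((False, True), repeat=len(names)):
            a = dict(zip(names, values))
            if any(a[k] != v for k, v in evidence.items()):
                continue
            p = self.joint(a)
            denominator += p
            if a[target]:
                numerator += p
        return numerator / denominator

    def likelihood_ratio(self, evidence_name, target):
        """Evidential strength of one item: P(e | H) / P(e | not H)."""
        return (self.query(evidence_name, {target: True})
                / self.query(evidence_name, {target: False}))


def build_example():
    """Constructed network: H -> S1 -> {E1, E2} and H -> S2 -> E3."""
    bn = BooleanBN()
    bn.add("H", [], {(): F(1, 2)})                                   # hypothesis: suspect seeded the file
    bn.add("S1", ["H"], {(True,): F(9, 10), (False,): F(1, 10)})      # sub-hypothesis: a BT client was used
    bn.add("S2", ["H"], {(True,): F(8, 10), (False,): F(2, 10)})      # sub-hypothesis: the file was on the machine
    bn.add("E1", ["S1"], {(True,): F(95, 100), (False,): F(5, 100)})  # evidence: client binary present
    bn.add("E2", ["S1"], {(True,): F(7, 10), (False,): F(1, 10)})     # evidence: tracker traffic in logs
    bn.add("E3", ["S2"], {(True,): F(9, 10), (False,): F(1, 100)})    # evidence: file hash matches
    return bn


def posterior_for(observed):
    """Posterior P(H | observed) in the constructed network."""
    return build_example().query("H", observed)


if __name__ == "__main__":
    bn = build_example()
    all_found = {"E1": True, "E2": True, "E3": True}
    print("P(H | all evidence found) =", float(bn.query("H", all_found)))
    print("P(H | hash match absent)  =", float(bn.query("H", {**all_found, "E3": False})))
    for e in ("E1", "E2", "E3"):
        print(f"LR({e}) =", float(bn.likelihood_ratio(e, "H")))
```

With the constructed tables, finding all three items raises P(H) from the prior of 0.5 to about 0.970, and dropping the hash match alone pulls it well below that; the per-item likelihood ratio is the quantity that lets an analyst say which piece of evidence carried the conclusion. Enumeration is exponential in the number of nodes, so a network of the size used in a real case would use a proper inference library rather than this loop, but the probabilities it produces are the same.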
|
|
2007
Consistency Issue on Live Systems Forensics
Frank Y.W. Law, K.P. Chow, Michael Y.K. Kwan, Pierre K.Y. Lai
The 2007 International Workshop on Forensics for Future Generation Communication environments (F2GC-07), Jeju Island, Korea, December 6 - 8, 2007 (to appear)
Abstract: Volatile data, being vital to digital investigation, have become part of the standard items targeted in the course of live response to a computer system. In traditional computer forensics, where the investigation is carried out on a dead system (e.g. a hard disk), data integrity is the first and foremost issue for the validity of digital evidence in court. In live system forensics, volatile data are acquired from a running system, and because of their ever-changing nature it is impossible to verify their integrity in the same way. Beyond the integrity issue, a more critical problem, data consistency, is present in the data collected on a live system. In this paper, we address and study the consistency issue in live systems forensics. By examining the memory data on a Unix system, we outline a model to distinguish integral data from inconsistent data in a memory dump.

Improving Disk Sector Integrity Using 3-dimension Hashing Scheme
Zoe L. Jiang, Lucas C.K. Hui, K.P. Chow, S.M. Yiu and Pierre K.Y. Lai
The 2007 International Workshop on Forensics for Future Generation Communication environments (F2GC-07), Jeju Island, Korea, December 6 - 8, 2007 (to appear)
Abstract: To keep evidence that a stored hard disk has not had its content modified, the intuitive scheme is to calculate one hash value over the data in all sectors in a specific order. However, since one or more sectors may, with some probability, become bad sectors after some time, this scheme then fails to prove the integrity of all the other sectors that are still good. In this paper, we suggest a scheme which calculates three hash values for each sector, in a three-dimensional manner, such that the integrity proof of a sector depends only on the sectors in any one of the three dimensions instead of all sectors on the hard disk. Our analysis shows that this new scheme greatly reduces the effect of bad sector formation on proving the integrity of the disk sectors.
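As an added illustration (not the paper's own code or its exact construction), the Python below contrasts the single whole-disk hash with one possible three-dimensional arrangement: the sectors are laid out in an X×Y×Z grid and one digest is kept for every axis-parallel line, so a sector is proven intact whenever at least one of the three lines through it is still fully readable and re-hashes to the stored value. The grid layout, the use of SHA-256 and the 24 constructed sample sectors are assumptions of this example.

```python
"""
Added example (not the paper's code): a single whole-disk hash versus one
digest per axis-parallel line of a 3-D arrangement of the sectors. The grid
layout, SHA-256 and the sample sectors are assumptions of this illustration.
"""
import hashlib
from itertools import product


def _sha256(chunks):
    h = hashlib.sha256()
    for c in chunks:
        h.update(c)
    return h.hexdigest()


def whole_disk_hash(sectors):
    """Intuitive scheme: one digest over every sector, in order."""
    return _sha256(sectors)


def whole_disk_verifiable(sectors_now, stored_hash):
    """With one digest, a single unreadable sector leaves nothing provable."""
    if any(s is None for s in sectors_now):
        return False
    return whole_disk_hash(sectors_now) == stored_hash


def sector_index(dims, x, y, z):
    """Flat sector number of grid position (x, y, z) in an X*Y*Z layout."""
    _, Y, Z = dims
    return (x * Y + y) * Z + z


def _lines_through(dims, x, y, z):
    """The three axis-parallel lines through (x, y, z): (line key, sector numbers)."""
    X, Y, Z = dims
    return [
        (("x", y, z), [sector_index(dims, i, y, z) for i in range(X)]),
        (("y", x, z), [sector_index(dims, x, j, z) for j in range(Y)]),
        (("z", x, y), [sector_index(dims, x, y, k) for k in range(Z)]),
    ]


def line_hashes(sectors, dims):
    """3-D scheme: one digest per line, i.e. Y*Z + X*Z + X*Y digests in total."""
    X, Y, Z = dims
    assert len(sectors) == X * Y * Z, "sector count must fill the grid"
    stored = {}
    for x, y, z in product(range(X), range(Y), range(Z)):
        for key, idxs in _lines_through(dims, x, y, z):
            if key not in stored:
                stored[key] = _sha256(sectors[i] for i in idxs)
    return stored


def verify_sector(sectors_now, dims, stored, x, y, z):
    """Prove sector (x, y, z) intact using any one of its three lines.

    A line is usable only if every sector on it is still readable (not None)
    and the line re-hashes to the stored digest. Returns the axis name of the
    line that vouched for the sector, or None if no line could.
    """
    for key, idxs in _lines_through(dims, x, y, z):
        chunk = [sectors_now[i] for i in idxs]
        if any(c is None for c in chunk):
            continue          # this line crosses a bad sector: try another dimension
        if _sha256(chunk) == stored[key]:
            return key[0]
    return None


def demo():
    """Constructed 2*3*4 'disk' of 24 sectors; one sector goes bad later."""
    dims = (2, 3, 4)
    sectors = [bytes([n]) * 512 for n in range(24)]       # constructed sample data
    flat = whole_disk_hash(sectors)
    stored = line_hashes(sectors, dims)
    damaged = list(sectors)
    damaged[sector_index(dims, 1, 2, 3)] = None           # sector (1,2,3) is now unreadable
    return (
        whole_disk_verifiable(damaged, flat),            # False: the single digest is useless now
        verify_sector(damaged, dims, stored, 0, 2, 3),    # "y": its x-line hits the bad sector, its y-line does not
        len(stored),                                      # 26 digests for this grid
    )


if __name__ == "__main__":
    print(demo())
```

Two properties are worth noting. The intuitive scheme stores one digest while this layout stores XY + XZ + YZ of them (26 for the 2×3×4 grid), and a line digest vouches for every sector on that line together, so a tampered sector makes all three of its lines fail while an unreadable one merely removes its three lines from consideration; sectors that share only one line with the bad sector are still provable through the other two. A disk whose sector count is not a product of three integers would need padding with fixed sectors, which the example does not do.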
|
|
|
BTM – An Automated Rule-based BT Monitoring System for Piracy Detection
K.P. Chow, K.Y. Cheng, L.Y. Man, Pierre K.Y. Lai, Lucas C.K. Hui, C.F. Chong, K.H. Pun, W.W. Tsang, H.W. Chan, S.M. Yiu
Proceedings of the Second International Conference on Internet Monitoring and Protection (ICIMP 2007), Silicon Valley, USA, July 1-5, 2007. IEEE Computer Society Press
Abstract: With the advent of peer-to-peer communication technologies, individuals can easily connect to one another over the Internet for file sharing and online chatting. Although these technologies provide wonderful platforms for users to share their digital materials, their illegitimate use for unauthorized sharing of copyrighted files is increasingly rampant. With the BitTorrent (BT) technology, tracking down these illegal activities is even more difficult, as the downloaders can also act as distributors and cooperate to provide different parts of the same file for sharing. It is close to impossible for law enforcement agencies with limited resources to trace these distributed and short-duration Internet piracy activities. In this paper, we present the first automated rule-based software system, the BitTorrent Monitoring (BTM) System, for monitoring, recording, and analyzing suspicious BT traffic on the Internet. In a preliminary experiment on a real case, the system successfully located 126 distributors (a.k.a. seeders) of some Cantonese pop songs within 90 minutes.

Tools and Technology for Computer Forensics: Research and Development in Hong Kong (invited paper)
Lucas C.K. Hui, K.P. Chow, and S.M. Yiu
Proceedings of The 3rd Information Security Practice and Experience Conference (ISPEC 2007), Hong Kong, China, 7 - 9 May 2007. LNCS 4464, pp. 11–19
Abstract: With the increased use of the Internet and information technology all over the world, there is an increased amount of criminal activity that involves computing and digital data. These digital crimes (e-crimes) impose new challenges on the prevention, detection, investigation, and prosecution of the corresponding offences. Computer forensics (also known as cyberforensics) is an emerging research area that applies computer investigation and analysis techniques to help detect these crimes and gather digital evidence suitable for presentation in court. This new area combines knowledge of information technology, forensic science, and law, and gives rise to a number of interesting and challenging problems related to computer security and cryptography that are yet to be solved. In this paper, we present and discuss some of these problems together with two successful cases of computer forensics technology developed in Hong Kong that enable law enforcement departments to detect and investigate digital crimes more efficiently and effectively. We believe that computer forensics research is an important area in applying security and computer knowledge to build a better society.

The Rules of Time on NTFS File System
K.P. Chow, Frank Y.W. Law, Michael Y.K. Kwan, Pierre K.Y. Lai
Proceedings of the Second International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE 2007), Seattle, Washington, USA, April 10-12, 2007. IEEE Computer Society Press
Abstract: With the rapid development and popularity of IT technology, criminals and mischievous computer users are given avenues to commit crimes and malicious activities. As forensic science has long been used to resolve legal disputes in different branches of science, computer forensics has developed naturally to address computer crimes and misbehaviour. In computer forensics, temporal analysis plays a significant role in the reconstruction of events or crimes. Indeed, temporal analysis is one of the attractive areas in computer forensics and has given rise to a large number of research studies. The purpose of this paper is to focus on temporal analysis of the NTFS file system and to propose intuitive rules on the behavioral characteristics of the related digital files.

2006
Intrusion Detection Routers: Design, Implementation and Evaluation Using an Experimental Testbed
E.Y.K. Chan, H.W. Chan, K.M. Chan, P.S. Chan, S.T. Chanson, M.H. Cheung, C.F. Chong, K.P. Chow, A.K.T. Hui, L.C.K. Hui, S.K. Ip, C.K. Lam, W.C. Lau, K.H. Pun, Y.F. Tsang, W.W. Tsang, C.W. Tso, D.Y. Yeung, K.Y. Yu, S.M. Yiu and W. Ju
The IEEE Journal on Selected Areas in Communications, High-speed Network Security, 2006
Abstract: In this paper, we present the design, the implementation details, and the evaluation results of an intrusion detection and defense system for distributed denial-of-service (DDoS) attacks. The evaluation is conducted using an experimental testbed. The system, known as the intrusion detection router (IDR), is deployed on network routers to perform online detection of any DDoS attack event and then react with defense mechanisms to mitigate the attack. The testbed is built from a cluster of a sufficient number of Linux machines to mimic a portion of the Internet. Using the testbed, we conduct real experiments to evaluate the IDR system and demonstrate that IDR is effective in protecting the network from various DDoS attacks.

2005
Digital Evidence Search Kit
K.P. Chow, C.F. Chong, K.Y. Lai, L.C.K. Hui, K.H. Pun, W.W. Tsang, H.W. Chan
Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE 2005), Taipei, Taiwan, November 7-10, 2005. IEEE Computer Society Press.
Abstract: With the rapid development of electronic commerce and Internet technology, cyber crimes have become more and more common. There is a great need for automated software systems that can assist law enforcement agencies in cyber crime evidence collection. This paper describes a cyber crime evidence collection tool called DESK (Digital Evidence Search Kit), which is the product of several years of cumulative effort by our Center together with the Hong Kong Police Force and several other law enforcement agencies of the Hong Kong Special Administrative Region. We use DESK to illustrate some of the desirable features of an effective cyber crime evidence collection tool.

A Generic Anti-Spyware Solution by Access Control List at Kernel Level
S. Chow, L.C.K. Hui, S.M. Yiu, K.P. Chow, R. Lui
Journal of Systems and Software, Special issue: Software Engineering Education and Training, 227-234, 2005.
Abstract: Spyware refers to programs that steal the user information stored in the user's computer and transmit this information via the Internet to a designated home server without the user being aware of the transmission. Existing anti-spyware solutions are not generic and flexible: they either check for the existence of known spyware or try to block the transmission of the private information at the packet level. In this paper, we propose a more generic and flexible anti-spyware solution that uses an access control list in the kernel mode of the operating system. The major difference between our approach and existing approaches is that instead of asking a guard to look for the thief (the spyware) or to control the exit of the computer (thereby giving the spyware enough time to hide the information to be transmitted), we put a guard beside the treasure (the private information) and carefully control access to it in kernel mode. We also show the details of an implementation that realizes our proposed solution.

Review of the Electronic Transaction Ordinance
K.H. Pun, L.C.K. Hui, K.P. Chow, W.W. Tsang, H.W. Chan, C.F. Chong
Can the Personal Identification Number Replace the Digital Signature? Hong Kong Law Journal, 32:2, 241-257 (2002).

2007
Object-based Surveillance Video Retrieval System With Real-Time Indexing Methodology
Jacky S-C. Yuk, Kwan-Yee K. Wong, Ronald H-Y. Chung, K. P. Chow, Francis Y-L. Chin, and Kenneth S-H. Tsang
The International Conference on Image Analysis and Recognition (ICIAR), Montreal, Canada, August 22-24, 2007. (To appear)
Abstract: This paper presents a novel surveillance video indexing and retrieval system based on object feature similarity measurement. The system first extracts moving objects from the videos by an efficient motion segmentation method. The fundamental features of each moving object are then extracted and indexed into the database. During retrieval, the system matches the query with the features indexed in the database without re-processing the videos. Video clips which contain objects with sufficiently high relevance scores are then returned. The novelty of the system includes: 1. a real-time automatic indexing methodology achieved by fast motion segmentation, such that the system is able to perform on-the-fly indexing on video sources; and 2. an object-based retrieval system with a fundamental-feature matching approach, which allows the user to specify the query by providing an example image or even a sketch of the desired objects. Such an approach can search for the desired video clips in a more convenient and unambiguous way compared with traditional text-based matching.

Watershed Segmentation with Boundary Curvature Ratio Based Merging Criterion
Xiaochen He, Nelson H. C. Yung, K.P. Chow, Francis Y.L. Chin, Ronald H. Y. Chung, K. Y. K. Wong, Kenneth S.H. Tsang
The Ninth IASTED International Conference on Signal and Image Processing (SIP 2007), Honolulu, Hawaii, USA, August 20 – 22, 2007. (To appear)
Abstract: This paper proposes to incorporate boundary curvature ratio, region homogeneity and boundary smoothness into a single new merging criterion to improve the over-segmentation of the marker-controlled watershed segmentation algorithm. The result is a more refined segmentation with smooth boundaries and regular shapes. To pursue a final segmentation result with higher inter-variance and lower intra-variance, an optimal number of segments can be self-determined by a proposed formula. Experimental results are presented to demonstrate the merits of this method.