Professional Documents
Culture Documents
IJDCFFinal
IJDCFFinal
net/publication/273859156
CITATION READS
1 9,821
3 authors:
Shareeful Islam
University of East London
65 PUBLICATIONS 1,569 CITATIONS
SEE PROFILE
All content following this page was uploaded by Benjamin Aziz on 24 March 2015.
Andre Aarnes, Norwegian U. of Science and Technology, Norway Phil Nobles, Cranfield U., UK
Kostas Anagnostakis, Institute for Infocomm Research, Singapore Jong Hyuk Park, Seoul National U. of Technology, Korea
Sergio Barvo-Solorio, U. of Warwick, UK Fei Peng, Hunan U., China
Barry Blundell, South Australia Police, Australia Indrajit Ray, Colorado State U., USA
Ahmed Bouridane, Queen’s U. of Belfast, Northern Ireland Golden G. Richard III, U. of New Orleans, USA
Roberto Caldelli, U.’ degli Studi Firenze, Italy Khaled Salah, King Fahd U. of Petroleum & Minerals, Saudi Arabia
Brian Carrier, Basis Technology, USA Pedro Luis Próspero Sanchez, U. of Sao Paulo, Brazil
François Cayre, GIPSA-Lab / INPG - Domaine U., France Hiroyuki Sato, U. of Tokyo, Japan
Michael Cohen, Australian Federal Police, Australia Qi Shi, Liverpool John Moores U., UK
Heather Dussault, SUNY Institute of Technology, USA Christopher Smith, Southwest Research Institute and U. of Texas
Jordi Forne, Technical U. of Catalonia, Spain at San Antonio, USA
Pavel Gladyshev, U. College Dublin, Ireland Gale Spring, RMIT U., Australia
Julio César Hernández-Castro, Portsmouth U., UK Efstathios Stamatatos, U. of the Aegean, Greece
Raymond Hsieh, California U. of Pennsylvania, USA Martin Steinebach, Fraunhofer-Institute for Secure Information
Arshad Jhumka, U. of Warwick, UK Technology, Germany
Huidong Jin, Nationa ICT, Australia Peter Stephenson, Norwich U., USA
Stefan Katzenbeisser, Technische U. Darmstadt, Germany Natasa Terzija, U. of Manchester, UK
Hae Yong Kim, U. de Sao Paulo, Brazil Helen Trehame, U. of Surrey, UK
Michiharu Kudo, IBM Tokyo Research Lab, Japan Theodore Tryfonas, U. of Bristol, UK
Gian Luca Marcialis, U. of Cagliari, Italy Jianying Zhou, Institute of Infocomm Research, Singapore
IGI Editorial:
Jamie M. Bufton, Managing Editor Jennifer Yoder, Production Manager
Adam Bond, Editorial Assistant Adrienne Freeland, Publishing Systems Analyst
Jeff Snyder, Assistant Copy Editor Ian Leister, Production Assistant
Call for Articles
International Journal of Digital Crime
and Forensics
An official publication of the Information Resources Management Association
MISSION:
The mission of the International Journal of Digital Crime and Foren-
sics (IJDCF) is to provide and foster a forum for advancing research and
development of the theory and practice of digital crime prevention and
forensics. IJDCF addresses a broad range of digital crimes and forensic
disciplines that use electronic devices and software for crime preven-
tion and investigation. This journal informs a broad cross-sectional and
multi-disciplinary readership ranging from the academic and professional
research communities, to industry consultants and practitioners. IJDCF
publishes a balanced mix of high quality theoretical and empirical research
articles, case studies, book reviews, tutorials, and editorials.
COVERAGE/MAJOR TOPICS:
• Computational approaches to digital crime ISSN 1941-6210
• Policy, standards, eISSN 1941-6229
preventions protocols, accredi- Published quarterly
• Computer virology tation, certifica-
•
• IGI GLOBAL PROOF
Crime scene imaging
Criminal investigative criteria and standard
tion, and ethical issues related to digital
crime and forensics
of procedure on computer crime • Practical case studies and reports, legisla-
• Cryptological techniques and tools for tive developments, and limitations, law
crime investigation enforcement
• Data carving and recovery • Small digital device forensics (cell phones,
• Digital document examination smartphone, PDAs, audio/video devices,
• Digital evidence cameras, flash drives, gaming devices,
• Digital signal processing techniques for GPS devices, etc.)
crime investigations • Steganography and steganalysis
• Identity theft and biometrics • Terrorism knowledge portals and databases
• Information warfare • Terrorism related analytical methodologies
• Machine learning, data mining, and in- and software tools
formation retrieval for crime prevention • Terrorist incident chronology databases
and forensics • Watermarking for digital forensics
• Malicious codes
• Network access control and intrusion All submissions should be mailed to:
detection Chang-Tsun Li, Editor-in-Chief
ijdcf@dcs.warwick.ac.uk
Table of Contents
Research Articles
1 A Framework for Digital Forensics and Investigations: The Goal-Driven Approach
Benjamin Aziz, School of Computing, University of Portsmouth, Portsmouth, UK
Clive Blackwell, Department of Computing and Communication Technologies, Oxford Brookes University, Oxford,
UK
Shareeful Islam, School of Architecture, Computing and Engineering, University of East London, London, UK
23Collision Analysis and Improvement of a Parallel Hash Function Based on Chaotic Maps with Changeable
Parameters
Min Long, School of Computer and Communication Engineering, Changsha University of Science and Technology,
Changsha, China
Hao Wang, School of Computer and Communication Engineering, Changsha University of Science and Technology,
Changsha, China
Book Review
63 Computer Forensics: Cybercriminals, Laws, and Evidence
Szde Yu, Department of Criminal Justice, Wichita State University, Wichita, KS, USA
Copyright
The International Journal of Digital Crime and Forensics (IJDCF) (ISSN 1941-6210; eISSN1941-6229), Copyright
© 2013 IGI Global. All rights, including translation into other languages reserved by the publisher. No part of this jour-
nal may be reproduced or used in any form or by any means without witten permission from the publisher, except for
noncommercial, educational use including classroom teaching purposes. Product or company names used in this journal
are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of
ownership by IGI Global of the trademark or registered trademark. The views expressed in this journal are those of the
authors but not neccessarily of IGI Global.
The International Journal of Digital Crime and Forensics is currently listed or indexed in: Applied Social Sciences
Index & Abstracts (ASSIA); Bacon’s Media Directory; Cabell’s Directories; Compendex (Elsevier Engineering In-
dex); DBLP; GetCited; Google Scholar; INSPEC; JournalTOCs; Library & Information Science Abstracts (LISA);
MediaFinder; Norwegian Social Science Data Services (NSD); SCOPUS; The Index of Information Systems Jour-
nals; The Standard Periodical Directory; Ulrich’s Periodicals Directory
IGI GLOBAL PROOF
International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013 1
ABSTRACT
Digital forensics investigations are an important task for collecting evidence based on the artifacts left in
DOI: 10.4018/jdcf.2013040101
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
2 International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013
that has grown out of the need to enforce law According to Leigland and Krings (2004),
and justice in cyberspace bringing together the such formalization might have several benefits,
whole body of knowledge in computer sciences which can be classified as follows:
to the legal system.
Generally cyber criminals leave evidence, • Procedural: By reducing the amount of
which is correlated and analyzed by forensics data and their management;
investigators to understand who, what, why, • Technical: By allowing digital forensic
when, where and how a crime was committed. investigations to be modified to take
Forensic evidence should be admissible, authen- account of the technological changes un-
tic, complete, reliable and believable by the legal derlying them;
system to prosecute the criminals (Brezinski • Social: In that the capabilities of an attack
& Killalea, 2002). However, anti-forensics are captured within the social as well as
methods have recently gained popularity by technical dimension, and finally;
criminals who aim to interfere with the forensic • Legal: In that it allows the expression of
processes by destroying digital evidence using the legal requirements in an investigation.
different methods and tools or increasing the
examiners’ overall investigation time and cost. In this paper, we develop a framework to
According to various international reports, the support digital forensics investigations consid-
usage of anti-forensics has recently risen to over ering possible anti-forensic situations. We use
one third of cybercrime cases in recent years a goal-driven formal requirements engineering
(Verizon Business, 2009). Therefore, a reliable methodology called KAOS (van Lamsweerde,
framework for digital forensics investigations in 2009) in formalizing the goals, obstacles, pro-
terms of tools and methods is needed while at cedures and responsibilities involved in any
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013 3
the current state of the investigation. This forensics. In the sixth section, we illustrate the
concept distinguishes our approach from use of our framework with the infamous Ceglia
other existing approaches; versus Zuckerberg case, before concluding the
• The inclusion of anti-forensic reasoning in paper in the seventh section and giving some
the framework allows better coverage of insight into future research pathways for our
technical measures for dealing with anti- approach.
forensic techniques deployed by criminals.
RELATED WORKS
A main product of this approach would be
to establish a pattern library for various inves- The work in this paper extends similar idea
tigations and anti-forensic models, in a similar proposed recently (Aziz, 2012), which presents
fashion to the work of Fernandez et al. (2007) the first attempt in literature in utilizing KAOS
in establishing attack patterns. This library can as a methodology for capturing the require-
then be used to the benefit of the investigators ments of digital forensics investigations. The
in guiding an instance of a digital investigation current paper extends that work by including
based on the main goal of the investigation, the anti-forensics dimension, which is naturally
providing suggestions for ways to implement the represented in KAOS using the concept of
requirements of the investigation, and assign- obstacle. It also demonstrates how the KAOS-
ing responsibilities to the qualified personnel based framework is used in a real world case
or automated systems. involving document forgery.
We believe that forensic investigations can There are several works, which consider the
and probably should make their goals and re- forensic investigation process, its challenges and
quirements more explicit. We think our approach tool support. This section presents some of the
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
4 International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013
tigations and procedures. Again, it is a staged dimension of the model asks the questions who,
model containing all the main investigative why, what, how, when and where for each of the
steps, but incorporating some aspects missing stakeholders, which aligns itself to our KAOS-
from other models. based questioning approach, even though it
Beebe and Clark (2005) argue the need does not follow a refinement process. Carrier
for an objective-based framework for digital and Spafford (2004) consider physical crime
forensics owing to the uniqueness of every scene procedures for the forensic investigation
forensic investigation. They propose a two- process. The framework focuses on preserving
tiered hierarchical framework decomposing the state of as many digital objects as possible
the investigation process into seven stages whilst incorporating the computer crime scene
further divided into sub-stages with particular within the overall crime scene. Table 1 below
goals. However, the focus of this framework is summarizes the models discussed above.
to maintain evidence integrity at all stages of Our model aids the existing frameworks
an investigation. Reith et al. (2002) define an rather than providing a completely new one,
abstract model of the digital forensics procedure, since the other forensic models focus on captur-
which provides a mechanism to support future ing the forensic process itself, rather than the
digital technologies and aid understanding by state of each stage in the forensic process and
non-technical observers. Palmer (2001) sets out its requirements. More specifically, advantages
six phases to define what a digital investigative of our goal-driven approach over the above
process is. These are defined around the concept models include:
of digital evidence and they include the identi-
fication, preservation, collection, examination, • Aiding the explicit determination of the
analysis and presentation of evidence. Finally, investigative goals and potential methods
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013 5
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
6 International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013
possible anti-forensic scenarios during the includes not only the software to be developed
forensic investigation. However, in current but also its environment. Goals are refined and
literature, there is limited work combining operationalized in a top-down manner as the
both forensics and anti-forensics into a single system is designed, or in a bottom-up approach
systematic reasoning framework. This work while reengineering existing systems. The ap-
contributes to this direction. Table 2 provides proach also supports adverse environments,
a comparison of the above existing works on containing possibly malicious agents trying
anti-forensics. to undermine the system goals rather than to
Our model again does not provide an al- collaborate in goal fulfillment.
ternative to the above anti-forensic works and A KAOS model is composed of a number
models, but is also compatible with them. Our of sub-models. We mention here four such sub-
focus is on the goals of the investigation and models that are most relevant to our approach:
the forensic actions to collect the necessary
evidence and overcome obstacles, independent • The goal model captures and structures the
of their specific technical achievement. assumed and required properties of a system
by formalizing a property as a top-level
goal that is then refined to intermediate
BRIEF OVERVIEW OF KAOS sub-goals and finally to low-level require-
Knowledge Acquisition in autOmated Speci- ments that can be operationalized. Goals are
fication or Keep All Objects Satisfied (KAOS) organized in AND/OR refinement/abstrac-
is a generic methodology based on capturing, tion hierarchies, where higher-level goals
structuring and precise formulation of system are generally strategic, coarse-grained and
goals (van Lamsweerde, 2009). A goal is a involve multiple agents, whereas lower-
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013 7
links relate a goal to a set of sub-goals (LTL) (Vardi, 2001) formulae. In this paper,
possibly conjoined with domain properties we do not delve into LTL encodings of the
or environment assumptions; this means forensic requirements; however, these have
that satisfying all sub-goals in the refine- the potential for establishing formally verified
ment is sufficient for satisfying the goal. pieces of evidence due to the current support
OR-refinement links relate a goal to a set from technologies such as model checking,
of alternative refinements; this means that theorem proving and static analysis.
satisfying one sub-goal in the refinement
is a sufficient condition for satisfying the
goal. KAOS also provides the means for KAOS GOAL-DRIVEN
expressing a set of desirable properties CONCEPTS FOR DIGITAL
of the AND/OR refinements, which in- FORENSICS INVESTIGATIONS
cludes the completeness, consistency and
Our work focuses on the KAOS modeling
minimality of the refined sub-goals. This
language for digital forensics investigations. In
is more systematic than the simpler attack
this section, we demonstrate how elements of a
trees that simply decompose attacks into
digital forensic investigation can be mapped to
their different means of achievement using
KAOS model elements. We assume that a digital
AND/OR refinement without considering
forensic investigation consists of processes and
the context or agents involved (Schneier,
their anti-forensics, actions and the personnel
1999);
including law enforcement agencies and the
• The obstacle model is a linking from ob-
active systems used by the personnel. These
stacles to goals that the obstacles obstruct.
entities map to KAOS concepts such as goals,
The top-level obstacle is the root obstacle,
obstacles, agents and operations.
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
8 International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013
such as a forensic computer system, tool or expectations, and constraints for the forensics
software. Figure 1 shows the conceptual view investigation, which map to the processes in-
of the proposed approach. Goals are derived volved within the forensics investigation. The
from the forensic process, tools and evidence, root goal is refined into sub-goals through AND/
and obstacles are derived from anti-forensic OR refinement links.
situations, tools and obstruction of the digital In the middle level, obstacles obstruct the
evidence. goals of a forensic investigation by destroying,
hiding, manipulating and preventing the creation
Levels of Abstraction of evidence. Obstacles are the different types of
anti-forensics, which confront the availability
The proposed goal-driven digital forensics and usefulness of the evidence for the foren-
investigation model supports different levels sics investigation. Therefore, for a successful
of abstraction from goals to obstacles and forensics investigation, we need to address the
finally to forensics actions. Figure 2 gives an obstacles related to anti-forensics; in particular,
overview of the different levels of abstraction it is necessary to completely prevent, or if not
using exemplary questions that symbolize the feasible then reduce the effectiveness of the
characteristics of the method (Islam, 2011). anti-forensic methods. An identified obstacle
We divide the levels of abstraction into three is refined by AND/OR refinements through the
main areas. These levels build the bridge from obstruction of crime evidence or the forensic
the goals of a forensics investigation to the investigation process.
obstacles, which obstruct the goals to be satis- In the bottom level, forensic actions support
fied, and finally to the actions that oppose the goal fulfillment and obstacle opposition. These
obstacles in order to achieve the goals. On the actions operationalize the requirements for the
top level, there are the goals, i.e. objectives,
IGI GLOBAL PROOF
Figure 1. Conceptual view of digital forensics investigation using the goal-driven approach
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013 9
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
10 International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013
keep in mind that such a root goal is necessarily either the AND or the OR refinement relations.
abstract at this stage, with the next step aiming The refinement of Figure 4 is an example of
at its refinement in terms of more concrete goals. an AND-refinement, which implies that unless
all the sub-goals (identification, preservation,
Forensic Processes as Sub-Goals analysis and presentation) are satisfied, the
main goal of the investigation will not have
The next mapping involves the various steps been achieved. In the analysis of the image
of the investigative process. For simplicity, we of a hard disk acquired from Ceglia (Stroz
adopt McKemmish’s (1999) early and simple Friedberg, 2012), the investigators may need to
model, which defines a digital forensic process achieve both analysis of files’ internal content
as “The process of identifying, preserving, and system log files (AND refinement).
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013 11
any further. A requirement is considered a leaf • Reliable: Correct and accurate, and can be
in the goal tree of the main investigation. Once used to make sound inferences;
all the requirements have been identified, it is • Complete: Important evidence is available
necessary to a) operationalize them by means and entire; and
of appropriate forensic actions and b) assign the • Believable: Easy to understand by and
actions to the responsible agents. If it proves credible to a jury (Brezinski & Killalea,
impossible to operationalize all goals, then 2002).
this indicates that the investigation may not
be successful. Anti-forensic methods focus on obstructing
For example, if critical evidence cannot the objective of obtaining evidence in a digital
be collected and there are no alternatives, then forensic investigation, one that exhibits the
it may be possible to detect this early before above properties. Depending on the context,
resources are wasted on fruitless investigation criminals use various types of obstructive ap-
paths. In the case study, Ceglia did not provide proaches to forensics investigation including
the original electronic contract to Zuckerberg’s hiding, wiping or corrupting the evidentiary
expert witnesses, and so file carving was re- artifacts or overwriting data (Guidance Soft-
quired to recover the deleted versions from a ware, 2007; Rekhis & Boudriga, 2012).
hard disk that showed numerous inconsistencies As Figure 5 shows, we consider an anti-
with his account, including timestamps that forensic type as the main obstacle, O, which
appeared to show that the contract was created directly obstructs specific goals or sub-goals of
several years after Ceglia claims. In this case, the forensic investigation. An obstruction link
exhaustive search discovered several other in- from the anti-forensics type to the goal provides
consistent draft versions on Ceglia’s hard disk. traceability regarding the specific goal being
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
12 International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013
can be decomposed into failing to provide • He failed to identify and supply all relevant
computers, disks, files, documents and email computer systems, storage media and email
at least. He did not supply complete computers accounts that he owned, possessed or used;
only hard disks, several storage devices such as • He failed, amongst other things, to preserve
USB sticks were missing, the original contract the originals of the alleged contract and
had been deleted from a supplied disk, and the the supporting email between himself and
supporting email had been cut-and-pasted into Zuckerberg;
a Word document. Anticipating these obstacles, • He hindered analysis of the contract and
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013 13
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
14 International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013
tively. These then are operationalized in terms tions cannot be carried out adequately, remedial
of the three operations: warrant issuing, PC measures can be taken to overcome the problem
seizure and mobile device seizure. another way, or to the early abandonment of the
In general, the assignment of the require- investigation if the issues cannot be surmounted.
ments to the operations is crucial as it ensures Ideally, potential operational difficulties can be
that every requirement of the forensic investi- planned for and alternative actions placed in the
gation can be satisfied through the application goal tree in advance, discovered from patterns
of some appropriate operation (or method or of previous similar cases.
activity). If it is determined that some opera-
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013 15
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
16 International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013
Figure 9. Modeling the goal of the investigation: Investigating a case of document forgery
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013 17
StreetFax contract that did not mention Face- null and void if the assumption is found to be
book. The first sub-goal directly aims to prove invalid.
the contract a forgery, whereas the second shows These are OR-refinements of the main
there is a lack of evidence for the validity of the investigation goal, since any of these is suf-
contract. Proving the second goal is easier to ficient to achieve the goal. However, although
satisfy and suffices, as Ceglia did not provide it is sufficient to prove forgery in one way only,
any other compelling evidence. However, it is we might consider proving forgery in multiple
a weaker goal that is not definitive as the op- ways to handle unanticipated obstacles. All
position may obstruct it by providing stronger these three sub-goals are then broken down
evidence for the contract’s existence. in terms of other sub-goals and requirements,
There is also the particular sub-goal in and can be related to the specific parts of the
this case of proving the alternative StreetFax Stroz Friedberg report (2012, Sections VI-XI).
contract is valid. It was agreed between the The report also highlighted (Stroz Fried-
parties that only one contract existed between berg, 2012, Sections XIII and XIV) some ex-
them, so that proving the authenticity of the amples of the use of anti-forensic methods to
StreetFax contract amounted to proving the deter or obstruct the investigators from showing
claimed contract a forgery. It is important to the non-authenticity of the claimed documents.
include the domain assumption of the existence The anti-forensic methods (goals and require-
of only one contract, as it is external evidence ments) given in the report are summarized in
outside the remit of the forensic investigation, Figure 10, and are generally divided into evi-
and the argument for the third goal is rendered dence spoliation (interferes with authenticity
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
18 International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013
and reliability) and evidence hiding (interferes no alternative, as the discovery of an appar-
with completeness) anti-goals. Similar to the ently legitimate contract later could provide
standard requirements, the operationalization an insurmountable obstacle.
of anti-requirements leads to the specification Finally, Figure 13 demonstrates the opera-
of the actual tools and operations needed to tionalization of the anti-requirements depicted
achieve them. Recall that an anti-goal is simply in Figure 10 with the operationalization of
an obstacle that someone causes deliberately to evidence spoliation (AG1111) above and of
satisfy their needs. We shall refer to an anti-goal evidence hiding (AG1112) below.
as AG and to its refined anti-requirements as AR.
Figure 11 next shows the operationalization
of the requirements for discovery of document CONCLUSION AND
authenticity tampering (G111 in Figure 9) and FUTURE WORK
fraudulent communications (G112 in Figure 9).
The execution of a digital forensic investigation
The next Figure 12 shows the operation-
can be a complex and disorganized exercise,
alization of the requirements for finding the
often leading to trust in invalid pieces of evi-
original of the alleged contract (G13 in Figure
dence or failure in the process leading to the
9) and the lack of authenticity copy of claimed
reconstruction of such evidence. Therefore,
contract (G12 in Figure 9). It would be expected
we agree with Eoghan Casey that the use of a
that if the alleged contract was legitimate, it
formal methodology in describing the process
would be found on the media provided by Ceglia
of a digital forensics investigation “encourages a
or be provided by third parties. However, goal
complete, rigorous investigation, ensures proper
G12 should not be relied upon unless there is
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013 19
Figure 12. The operationalization of requirements for the discovery of the alleged contract (G13
below) and the lack of authenticity of the claimed contract (G12 above)
Figure 13. The operationalization of anti-requirements for evidence spoliation (AG1111 top)
and evidence hiding (AG1112 bottom)
evidence handling and reduces the chance of rigorous requirements engineering methodol-
mistakes created by preconceived theories, time ogy, namely KAOS. In addition to its systematic
pressures and other potential pitfalls.” (Casey, approach, KAOS also provides a formal model
2011). In this paper, we defined one such system- for describing its various entities (requirements,
atic approach based on a well-established and agents, operations etc.), which is based on LTL
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
20 International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013
logic. Such LTL-based semantics could be used in the crime or further undiscovered offenses,
in the future to provide more robust reasoning which requires continuous questioning of the
about the worthiness of the evidence, specifi- assumptions, evidence, obstacles and so forth.
cally when temporal properties are concerned, This is not a problem with the framework per
such as formalizing timeline analysis. se, but of an unthinking acceptance of its results
Our approach focuses on the concept of without question. In particular, the model helps
the state of each stage in the forensic investi- examine alternative hypotheses within the goal
gative process. This facilitates applications to tree helping to avoid tunnel vision. The model
the inherent evidence collection and analysis can also help isolate and make explicit any
issues in investigations relating to the avail- problems allowing subsequent feedback taking
ability, integrity and authenticity of evidence account of the new information with the addi-
that may never have been collected or cannot tion of branches to the generic goal tree for the
be shown to be reliable. In addition, evidential type of case. Some of these questions will be
issues can be caused by benign agents such the focus of our continuing research.
as system administrators trying to be helpful, In addition, this work can be extended in
victims to avoid distress or embarrassment, many other directions. First, we plan to provide
witnesses who detect and correct suspicious a general goal library of some of the most
changes, and other system users who may common patterns of digital forensics investi-
inadvertently alter or destroy evidence. This gations and their requirements. The Common
is known as evidence dynamics, which refers Attack Pattern Enumeration and Classification
to events that may change, relocate, obscure or (CAPEC) (MITRE Corporation, 2013) schema
obliterate evidence after the incident (Casey & has over 400 attack patterns that can possibly be
Rose, 2010). adapted for use in digital forensics. Second, we
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013 21
Blackwell, C., Islam, S., & Aziz, A. (2013). Imple- Harris, R. (2006). Arriving at an anti-forensics
mentation of digital forensics investigations using consensus: Examining how to define and control
a goal-driven approach for a questioned contract. In the anti-forensics problem. In Proceedings of the
Proceedings of the 9th Annual IFIP WG 11.9 Interna- 6th Annual Digital Forensic Research Workshop
tional Conference on Digital Forensics, Orlando, FL. (DFRWS06), Elsevier.
Brezinski, D., & Killalea, T. (2002). Guidelines for Ieong, R. S. C. (2008). FORZA – Digital forensics
evidence collection and archiving. RFC 3227. investigation framework that incorporates legal
issues. In Proceedings of the 8th Digital Forensic
Broom, N. (2012). Declaration of Neil Broom, Ceglia Research Workshop, Baltimore, MD.
v. Zuckerberg and Facebook, Inc. No. 1:10-cv-569-
RJA-LGF, Technical Resource Center, Inc. Islam, S. (2011). Software development risk manage-
ment model – A goal-driven approach. Unpublished
Carrier, B. (2006). A hypothesis-based approach to PhD thesis, Technische Universität München,
digital forensic investigations. PhD thesis, CERIAS, Germany.
Purdue University, CERIAS Tech Report 2006-06.
Islam, S., & Houmb, S. H. (2010). Integrating risk
Carrier, B. D., & Spafford, E. H. (2004). An event- management activities into requirements engineer-
based digital forensic investigation framework. In ing. In Proceedings of the 4th IEEE Research In-
Proceedings of the 2004 Digital Forensics Research ternational Conference on Research Challenges in
Workshop, Baltimore, MD. Information Science (RCIS2010), France.
Casey, E. (2011). Digital evidence and computer Kessler, G. C. (2007). Anti-forensics and the digital
crime – Forensic science, computers and the internet investigator. In Proceedings of the 5th Australian
(3rd ed.). Elsevier. Digital Forensics Conference, Perth, Australia.
Casey, E., & Rose, C. (2010). Forensic discovery, Leigland, R., & Krings, A. W. (2004). a formalization
handbook of digital forensics and investigation. of digital forensics. International Journal of Digital
Academic Press. Evidence, 3(2).
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
22 International Journal of Digital Crime and Forensics, 5(2), 1-22, April-June 2013
Stroz Friedberg. (2012). Report of digital forensic Vardi, M. Y. (2001). Branching vs. linear time: Final
analysis. In Paul D. Ceglia v. Mark Elliot Zuckerberg showdown. In Proceedings of the 7th International
(Eds.), Individually, and Facebook, Inc. Civil Ac- Conference On Tools and Algorithms for the Con-
tion No: 1:10-cv-00569-RJA. Retrieved March 26, struction and Analysis of Systems (TACAS 2001),
2012, from http://www.wired.com/images_blogs/ Springer Lecture Notes in Computer Science 2031
threatlevel/2012/03/celiginvestigation.pdf (pp 1–22), Springer, Genoa, Italy.
van Lamsweerde, A. (2004). Elaborating security Verizon Business (2009). 2009 data breach inves-
requirements by construction of intentional anti- tigations report. A study conducted by the Verizon
models. In Proceedings of the 26th ACM-IEEE In- RISK Team in cooperation with the United States
ternational Conference on Software Engineering Secret Service.
(ICSE’04) (pp. 148-157). IEEE Press, Edinburgh,
U.K.
van Lamsweerde, A. (2009). Requirements engineer-
ing: From system goals to UML models to software
specifications. Wiley.
Benjamin Aziz is a senior lecturer at the School of Computing, University of Portsmouth. Ben-
jamin has research experience in the field of computer and information security spanning 15
years where he worked in the past at Rutherford Appleton Laboratory and Imperial College, and
has published more than 70 articles and book chapters in areas related to the security of large-
scale systems, formal security, requirements engineering and digital forensics. He is on board
program committees for several conferences and working groups in relevant areas, including
the Cloud Computing Security Alliance, ERCIM Formal Methods for Industrial and Critical
Clive Blackwell is currently a research fellow at Oxford Brookes University, where his main area
of research is in cybersecurity and digital forensics. He studied for a PhD at Royal Holloway,
University of London, with his main field of research in security architecture, where he developed
a three-layer security architecture to model complex systems such as the Internet and critical
infrastructure. Clive holds undergraduate degrees in Mathematics from Warwick University, and
in Computer Science from London University where he finished top in his class, and an MSc in
Information Security also from London University. He has more than 50 conference publications
and presentations to his name. He was the co-chair of the Cyberpatterns workshop and regularly
presents to industry both at home and abroad. His is also interested in the science of digital fo-
rensics, and the use of abduction and argumentation to reason about fraud and digital forensics.
Shareeful Islam is currently working at the School of Architecture, Computing and Engineering
(ACE), University of East London, UK. He was awarded his PhD for a thesis on a Software
Risk Management Model using a goal-driven approach by the Chair of Software & Systems
Engineering (I4), Technische Universität München, Germany. He received M.Sc. in Informa-
tion Communication System Security from the Royal Institute of Technology (KTH), Sweden
and MSc in CS and BSc (Hons) in APE from the University of Dhaka, Bangladesh. He is a Fel-
low of the British Higher Education Academy (HEA) and has published more than 40 referred
papers in high-quality journals and international conferences. He participated in EU, industry,
KTP projects. His research interests and fields of expertise are risk management, requirements
engineering, security, privacy, trust, and cloud computing.
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 23-34, April-June 2013 23
ABSTRACT
IGI GLOBAL PROOF
Recently, a parallel hash function based on chaotic maps with changeable parameters was proposed by Li et
al (2011, pp.1305-1312). In this paper, the security of it is analyzed and the weakness of the architecture is
pointed out. It is found that the main limitations are the error using of floor, round and exclusive OR opera-
tions in the algorithm. In order to counterstrike these, some improvements are done to strength its security.
Theoretical analysis and experimental results illustrate that the improved Hash function is more secure and
practical than the original one.
DOI: 10.4018/jdcf.2013040102
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
24 International Journal of Digital Crime and Forensics, 5(2), 23-34, April-June 2013
Guo & Wang, 2009; Wang & Li, 2012; Wang & other is piecewise linear maps defined in Equa-
Wang, 2008; Wang & Xu, 2010; Wang & Zhao, tion (2) (Box 1), where 0 < P < 0.5 , and
2010). Collisions and flaws exist if two or more 0 ≤ X (t ) ≤ 1 :
distinct messages or keys are found to obtain a
same hash value, which can be implemented by x i
adversary to fabricate fake messages. For this , if (0 ≤ x i ≤ α)
reason, collision resistance is a basic require- x i +1 = α (1)
1 − x i
ment for a secure hash function. , if (α < x i ≤ 1)
Recently, a parallel hash function based 1 − α
on chaotic maps with changeable parameters
is proposed by Li et al. (2011). Detailed analy- The hash function is composed of the fol-
sis is performed to it, and it is found that it lowing three steps:
is vulnerable to collision attacks, thus, some
measurements of how to improve its security Step 1: Message expansion. The message is first
are proposed in this paper. padded with 64 bits, which represents the
The rest of the paper is organized as fol- length of the original message, and then
lows. The original algorithm is described and padded another s bits (1010…10)2 so that
analyzed in the second Section 2, and some the padded message can be partitioned into
improvements are made in Section 3. In Section n blocks. Each block consists of 1016 bits,
4, the experiments and analysis are performed and the padded message can be expressed
to evaluate the performance of the improved by a matrix M:
hash function. Finally, some conclusions are
drawn in the Section 5.
Box 1.
X (t ) / P, 0 ≤ X (t ) < P
(X (t ) − P ) / (0.5 − P ), P ≤ X (t ) < 0.5
X (t + 1) = FP (X (t )) = (2)
(1 − X (t ) − P ) / (0.5 − P ), 0.5 ≤ X (t ) < 1 − P
(1 − X (t )) / P, 1 − P ≤ X (t ) ≤ 1
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 23-34, April-June 2013 25
initial values of α = 0.6 and x 0 = 0.7654 , iteration times of the chaotic maps. However,
respectively. “ ⊕ ” represents bitwise exclusive it is not sensitive to tiny difference in mes-
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
26 International Journal of Digital Crime and Forensics, 5(2), 23-34, April-June 2013
mi′, j = mi, j ( j ≠ 64 ) and mi′, j = mi, j + 1 ( Z1, Z 2 ∈ {1, 2, 3 } ), and m1,k = m1,k + 1 ,
1 2
k × c ′ −k / Hl ,
H (2 ′) = H (2) hold with a same prob- 1 128−k1 / Hl = k1 × c128 1
ability of 50%. and:
1 − k / Hl × c
( 1 ) 128−k1 = (1-k1 / Hl ) ×c128
′ −k
1
According to the above analysis, it can be hold with a same probability of 66.7%,
inferred that the probability of H (M ′) = H (M ) and the computer exhaustive search-
is 33.35%.Given two different messages Mes- ing is performed by setting
sage1 and Message2 as followings: c128−k = 1, 2, 3 254, 255 and
1
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 23-34, April-June 2013 27
Message2: kAiyiejskejegaltexcmniuqcjncqpq@. k × c ′ −k / Hl
2 128−k2 / Hl = k2 × c128 2
After calculation, it can be found that they 1 − k / Hl × c
have a same hash value: 0xF9642C04591833D- ( 2 ) 128−k2 ( 2 ) 128−k2
= 1-k / Hl × c ′
0473D0B0FD2ED E857. k × c ′ −k / Hl
1 128−k1 / Hl = k1 × c128 1
2.2.3. Proposition 3
• Proof: Construct another message matrix When ra′ ≠ ra and rb′ ≠ rb , only the last
Me ' = [mi′, j ] , where mi′, j = mi, j (except bit of intermediate hash value is influenced.
ma′,k = ma ,k , ma′,k = ma ,k , mb′,k = mb,k i.e., H (a ′) = H (a ) and H (b ′) = H (b) hold
with a same probability of 50%.
1 2 2 1 1 2
sages and original of that are denoted as inferred that the probability of H (M ′) = H (M )
M ′ and M , respectively. It can be found: is 50%.Give two different messages Message1
and Message2 as followings:
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
28 International Journal of Digital Crime and Forensics, 5(2), 23-34, April-June 2013
Box 2.
XOR if i mod 2 = 1
⊕ = (10)
XOR after H (i )is circle shifted 64 bits otherwise
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 23-34, April-June 2013 29
j ×c ′ − j / Hl
/ Hl ≠ j × c128 1 N
128− j
B= ∑B
J i =1 i
and:
• Mean changed probability:
(1-j /Hl ) × c ≠ (1-j /Hl ) × c ′
128− j 128− j
P = (B / H l ) × 100%
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
30 International Journal of Digital Crime and Forensics, 5(2), 23-34, April-June 2013
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 23-34, April-June 2013 31
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
32 International Journal of Digital Crime and Forensics, 5(2), 23-34, April-June 2013
Figure 4. Distribution of the number of ASCII characters with the same value at the same loca-
tion in the hash value
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 23-34, April-June 2013 33
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
34 International Journal of Digital Crime and Forensics, 5(2), 23-34, April-June 2013
Ren, H., Wang, Y., & Xie, Q. (2009). A novel method Wang, X., & Zhao, J. (2010). Cryptanalysis on a
for one-way hash function construction based on parallel keyed hash function based on chaotic neural
spatiotemporal chaos. Chaos, Solitons, and Fractals, network. Neurocomputing, 73(16-18), 3224–3228.
42(4), 2014–2022. doi:10.1016/j.chaos.2009.03.168. doi:10.1016/j.neucom.2010.05.011.
Wang, J., Wang, M., & Wang, Y. (2008). The collision Xiao, D., Liao, X. F., & Deng, S. J. (2008). Parallel
of one keyed hash function based on chaotic map keyed hash function construction based on chaotic
and analysis. Acta Physica Sinica, 57(5), 2737–2743. maps. Physics Letters. [Part A], 37(3), 4682–4688.
doi:10.1016/j.physleta.2008.04.060.
Wang, J., Xu, S., & Tian, M. (2010). The analysis for a
chaos-based one-way hash algorithm. In Proceedings Zhang, J., Wang, X., & Zhang, W. (2007). Chaotic
of the 2010 International Conference on Electrical keyed hash function based on feedforward–feed-
and Control Engineering (pp. 25-27). back. Physics Letters. [Part A], 362(5-7), 439–448.
doi:10.1016/j.physleta.2006.10.052.
Wang, S., Li, D., & Zhou, H. (2012). Collision
analysis of a chaos-based hash function with both
modification detection and localization capability.
Communications in Nonlinear Science and Nu-
merical Simulation, 17(2), 780–784. doi:10.1016/j.
cnsns.2011.06.017.
Min Long received the PhD degree in circuits and systems from the South China University of
Science and Technology, Guangzhou, China, in 2006. She was a visiting fellow with the Depart-
ment of Computer Science at U.K. University of Warwick from 2009 to 2010. Currently, she is an
Hao Wang is a master’s candidate of the College of Computer and Communication, Changsha
University of Science and Technology, Changsha, China. His areas of interest include chaos-
based secure communication and information security analysis.
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013 35
An Effective Selective
Encryption Scheme for
H.264 Video Based on
Chaotic Qi System
Fei Peng, School of Information Science and Engineering, Hunan University, Changsha,
China
Xiao-wen Zhu, School of Information Science and Engineering, Hunan University, Changsha,
China
Min Long, College of Computer and Communication Engineering, Changsha University of
Science and Technology, Changsha, China
DOI: 10.4018/jdcf.2013040103
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
36 International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013
may result in serious consequence for the details; experiments and analysis are performed
society. For this reason, many concerns have in the fifth section; finally, some conclusions
been made on the research of the encryption are drawn in the last section.
of H.264 video.
Encryption of video content is proved to
be an effective way to protect videos. Due to RELATED WORKS
the bulk data and real-time requirement, tra-
Encryption is a basic mean for the protection of
ditional encryption algorithms such as DES,
the content of video data. The existed methods
AES or RSA cannot be applied to H.264 video
can be classified into the following two cat-
directly (Stutz T. & Uhl A.,2012). To maintain
egories according to the range of the content
the compression performance and avoid the
to be encrypted:
computational overhead, many researchers
have paid much attention to selective video
encryption, which only some important parts 1. Full encryption of video data
are encrypted (Wu & Kuo, 2001; Ahn, Shim,
Jeon, & Choi, 2004). At the same time, format Full encryption of video data can achieve
(or syntax) compliance also attracts research- the highest security. The video data is simply
ers’ attentions because the encrypted video regarded as a binary sequence and is encrypted as
can be decoded correctly with no destroy in a whole with traditional encryption algorithms,
syntax, which can achieve many advantages, such as DES, AES and RSA. VEA (Video
such as maintaining synchronization and error Encryption Algorithm) is proposed to encrypt
resiliency. However, most of the existing video video data (Qiao & Nahrstedt, 1997). It divides
encryption methods are proposed for MPEG plaintext block into odd-numbered bytes and
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013 37
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
38 International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013
MPEG video encryption scheme is presented excellent mixing characteristic guarantees the
based on two simple chaotic maps (Shang, Sun, diffusion and the confusion of chaotic encryp-
& Cai, 2008). It uses chaotic stream cipher to tion systems.
encrypt fixed length codeword and then shuffles Currently, some encryption algorithms
macro-blocks of each frame. However, the based on chaos have been put forward. The
macro-block is not secure because it has a high existed method can be classified into chaos-
level of visual content. For low-dimensional based block cipher (Chen, Mao, & Chui, 2004)
chaotic systems exist apparent inadequacy, and chaos-based stream cipher (Li, Li, Halang,
an encryption algorithm which combined the & Chen, 2007). Nevertheless, there still exist
process of video compression with encryption some limitations such as finite-precision effect
based on hyper-chaos system is proposed (Chen and degradation of dynamic characteristics of
& Zhang, 2012). However, there is still a gap chaotic system. How to improve the random-
between theory and its practical application. ness of digitalized chaotic signal is becoming
Although some improvements have been a research hot spot. Here, a chaotic stream
made to video encryption, the existed methods cipher based on a 3-dimensional Qi system is
still have limitations such as significant impact proposed and implemented to protect the content
on compression ratio, format-compliance, incre- of H.264 video.
ment of encoding/decoding time and vulnerabil- Qi system is modified from Lorenz sys-
ity in resisting known attacks. To counterstrike tem (Sparrow, 1982), in which each equation
these weaknesses, an effective selective video contains a single quadratic cross-product term.
encryption scheme based on chaotic Qi system According to some non-linear dynamic analysis
is proposed in this paper. (Chen, 2003), a cross-product nonlinear term is
added to the first equation of the Lorenz system
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013 39
Figure 1. Phase portraits of Qi system, a=35, c=25. (a) 3D view on the x-y-z space, b=1.5, (b)
3D view on the x-y-z space, b=7 and (c) 3D view on the x-y-z space, b=13.
periodic orbit, and it is shown in Figure 1(a) For example, given encoded 4×4 luminance
when b=1.5 exists. Through calculation, blocks A and B, they are on the above and on
there exist three real equilibria (S1=[0,0,0], the left of the current block C, respectively. If
S2=[7.8838,4.6445,24.4109], S3=[-7.8838,- the prediction mode of A and B are both mode
4.6445, 24.4109]) and two complex equilibria. 2, the prediction mode of C is most likely mode
When b>11.5 holds, the maximum Lyapunov 2. Therefore, if the best prediction mode of C is
exponent becomes negative, which implies the mode 2, the syntactic element prev_intra4×4_
orbit of Equation (1) converges to an equilib- pred_mode_flag will be set as 1; otherwise, it
rium, as shown in Figure 1(c). will be set as 0. After that, the prediction mode
Actually, when a=35, b=8/3, and c ∈ (17, of the current block will be the output. After
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
40 International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013
Figure 2. Chaotic attractor of Equation (1), a=35, b=8/3, c=80. (a) Projection on x-z plane and
(b) projection on y-z plane.
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013 41
1.
IGI GLOBAL PROOF
Encryption of IPM (EIPM) Pattern) information, which is difficult to be
encrypted. For this reason, only intra_4×4
In a video sequence, intra-prediction mode prediction modes are considered for encryption
can be easily modified. It represents the predic- in this paper.
tion information between the pixels in a frame, There are 9 intra_4×4 prediction modes in
and it is a basis for the reconstruction of image. H.264. When the current IPM is the best mode,
Besides, error can be propagated during the intra a bit “1” is used to represent it, otherwise, 4
prediction coding. Assuming intra-prediction is bits are used to represent it, where the first bit
used for the first frame and the inter-prediction is “0”, the followed 3 bits are used to encode
mode is used for the followed frames, the first the current intra-prediction mode.
frame will be referenced by the followed frames. The encryption process for intra_4×4
Thus, if the first frame is encrypted, the error prediction modes is described in the following:
in the first frame will result in the distortion
in the followed frames with inter-prediction. Step 1: Extract 16 IPMs from a macroblock,
H.264 provides intra_4×4 and intra_16×16 and put them into a 4×4 matrix;
prediction modes. Actually, intra_4×4 predic- Step 2: Arnold transformation is done to the
tion mode is used by most of the video frames, matrix;
while video frames using intra_16×16 predic- Step 3: Assign the transformed IPMs to the
tion mode are coded with CBP (Code Block original positions of the macroblock;
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
42 International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013
where ⊕ represent XOR operation, k1 is bit where k2 is a key stream, which is also acquired
stream with a length of 3 bits, which is acquired from a pseudo-random binary sequence gener-
from a pseudo-random binary sequence gener- ated from a chaotic system, INFO and en_INFO
ated from a chaotic system, and en_IPM rep- represented the information bits before and after
resent the encrypted IPM: encryption, respectively:
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013 43
According to the decoding rules, it is easy error propagation, which can be implemented
to obtain the number of trailing ±1 and non- for the encryption of video stream (Chen &
zero coefficients. If the syntax elements are Zhang, 2012; Qi, Chen, Du, Chen, & Yuan,
encrypted, the decoder cannot perform normal 2005).
decoding operation to all coefficients. In order Since Qi system is in chaos when a=35,
to guarantee that the encrypted data still follow b=7 and c=25 hold (Qi, Chen, Du, Chen,
the H.264 standard and achieve a better encryp- & Yuan, 2005), i.e., the sequence
tion effect with fewer encrypted data, the sign of {(x n , yn , z n ) | n = 0, 1, 2, } generated from Qi
non-zero coefficients is selected for encryption. system using 4-rank Runge-Kutter method is
The process of the encryption of residual non-periodic, non-convergent, and sensitive to
data is described as follows: initial values. For the chaotic sequence is gen-
erally acquired values in real, binarization
Step 1: Arnold transformation is done to pLevel operation needs to be done to it.
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
44 International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013 45
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
46 International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013
key, so the attacked image still can protect the ficients are selected for encryption. As for IPMs,
information in the video, which illustrates the there are about 50% blocks are implemented for
good ability of resisting the ECA. encryption when the quantization parameter is
30 and the coding mode is intra_4×4 prediction
Analysis of Computation mode. The data volume for encryption is about
Complexity 50%×W×H/(4×4), where W and H represent the
width and height of the frame in QCIF. As for
Generally, the computation complexity of residual coefficients, only the signs of non-zero
encryption algorithm is depended on the data coefficients are encrypted, therefore, the data
volume and encryption operations. volume is about W×H×16/(4×4). As for P and
In the proposed scheme, the data for en- B frame, every block with a size of 4×4 has one
cryption includes IPMs, MVDs and residual motion vector, so the data volume of MVD for
coefficients. In I-frame, IPMs and residual coef-
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013 47
encryption is W×H/(4×4). Take the encryption influence to the compression ratio. At the same
of Foreman (W×H=176×144) for example, time, the encryption of IPMs and MVDs both
the encrypted data is at most W×H×16/(4×4)+ have no influence to the length of bit stream,
W×H/(4×4)≈2.8×104. so the whole influence to the compression
Since the encryption of IPMs, MVDs performance is very limited.
and residual coefficients are based on XOR Here, the changed rate of compression
operation, it is efficient. So the computation ratio ∆r is defined in Equation (10) to evalu-
complexity is very low. ate the compression performance as following:
At the same time, experiments are also
done to evaluate the time efficiency. The results (r2 − r1 )
are shown in Table 3 and Table 4, respectively. ∆r = × 100% (10)
As seen in Table 3, comparing with direct r1
compression coding, the time used in the cod-
ing of the video with encryption is only have where r1 , r2 represents the data volume of the
an overhead less than 5%, which indicate the
video before and after encryption, respectively.
low complexity of the proposed scheme. For
The results are listed in Table 5.From
the overhead in the decoder, as seen in Table
Table 5, the bit stream has little increase for
4, it is also less than 5%, which can meet the
the video after encryption, and the increased
needs of real time application.
data is mainly due to scrambling of non-zero
Analysis of Coding coefficients in 4×4 block. Nevertheless, since
Compression Performance the percentage of the increase of bit stream is
very tiny, the proposed scheme still can obtain
According to the encryption process, the length a good coding compression performance.
IGI GLOBAL PROOF
of bit stream before and after encryption is the
Analysis of Operability
same when the signs of residual coefficients
are encrypted. Nevertheless, the scrambling of
In the proposed scheme, there is no change to the
non-zero coefficients in 4×4 block changes the
format and control information of the video, so
positions of the coefficients, and it will destroy
the encryption has no negative influence to the
the statistical characteristics of the non-zero
error robustness. For the key stream is chaotic
coefficients in the block, which will impose
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
48 International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013
Sequence r1 r2 Δr(%)
Foreman 429280 430488 0.28
Salesman 271072 272456 0.51
sequence, the control precision for bit rate can vincial Natural Science Foundation of China
be retained in bit, so the error in the bit stream (Grant No.12JJA006), project supported by
will not bring error propagation, which also Youth Growth Plan of Hunan University
strengthen the error robustness. (53107040055), and project supported by the
For the encrypted bit stream still follow Education Department Foundation of Hunan
the H.264 standard, there is no influence to Province (Grant No.11B002).
the operability of the encrypted bit stream, and
it can be normally decoded with the existed
standard codec. REFERENCES
Ahn, J., Shim, H. J., Jeon, B., & Choi, I. (2004).
CONCLUSION Digital video scrambling method using intra predic-
tion mode. In Proceedings of the 5th Pacific Rim
In this paper, a selective encryption scheme conference on Advances in Multimedia Information
for H.264 video based on chaos is proposed. Processing - Volume Part III, Tokyo, Japan.
It combines chaotic encryption and selective Asghar, M. N., Ghanbari, M., & Reed, M. J. (2012).
This work was supported in part by proj- Dufaux, F., & Ebrahimi, T. (2008). Scrambling for
ect supported by National Natural Science privacy protection in video surveillance systems.
IEEE Transactions on Circuits and Systems for
Foundation of China (Grant No. 61070195, Video Technology, 18(8), 1168–1174. doi:10.1109/
61001004), project supported by Hunan Pro- TCSVT.2008.928225.
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 35-49, April-June 2013 49
Jiang, J., Xing, S., & Qi, M. (2009). An intra pre- Shang, F., Sun, K., & Cai, Y. (2008). An efficient
diction mode-based video encryption algorithm in MPEG video encryption scheme based on chaotic
H.264. In Proceedings of International Conference cipher. In Proceedings of Congress on Image and
on Multimedia Information Networking and Security Signal Processing (CISP ‘08) (pp. 12-16).
(MINES ‘09) (pp. 478-482).
Shannon, C. E. (1949). Communication theory of
Joint Video Team (JVT) of ISO/IEC MPEG and secrecy systems. The Bell System Technical Journal,
ITU-T VCEG, JVT-G050. (2005). Draft ITU-T rec- 28(10), 656–715.
ommendation and final draft international standard
of joint video specification (ITU-T Rec. H.264|ISO/ Sparrow, C. (1982). The Lorenz equations: Bifurca-
IEC 14496-10 AVC). tions, chaos, and strange attractors. New York, NY:
Springer-Verlag. doi:10.1007/978-1-4612-5767-7.
Li, P., Li, Z., Halang, W. A., & Chen, G. (2007).
A stream cipher based on a spatiotemporal cha- Stutz, T., & Uhl, A. (2008). Format-compliant en-
otic system. Chaos, Solitons, and Fractals, 32(5), cryption of H.264/AVC and SVC. In Proceedings of
1867–1876. doi:10.1016/j.chaos.2005.12.021. Tenth IEEE International Symposium on Multimedia
(pp. 446-451).
Mao, N., Zhuo, L., Zhang, J., & Li, X. (2012). Fast
compression domain video encryption scheme for Stutz, T., & Uhl, A. (2012). A survey of H.264 AVC/
H.264/AVC streaming. In Proceedings of 14th Inter- SVC encryption. IEEE Transactions on Circuits
national Conference on Advanced Communication and Systems for Video Technology, 22(3), 325–339.
Technology (ICACT) (pp. 425-429). doi:10.1109/TCSVT.2011.2162290.
Meyer, J., & Gadegast, F. (1995). Security mecha- Tang, L. (1996). Methods for encrypting and decrypt-
nisms for multimedia data with the example MPEG-1 ing MPEG video data efficiently. In Proceedings
video. Project Description of SECMPEG. Germany: of the Fourth ACM International Conference on
Technical University of Berlin. Multimedia, Boston, MA.
Qi, G., Chen, G., Du, S., Chen, Z., & Yuan, Z. Tosun, A. S., & Feng, W. C. (2000). Efficient multi-
Qiao, L. T., & Nahrstedt, K. (1997). A new algorithm Tosun, A. S., & Feng, W. C. (2001). Lightweight
for MPEG video encryption. In Proceeding of The security mechanisms for wireless video transmission.
First International Conference on Imaging Science, In Proceedings of the International Conference on
Systems, and Technology (CISST’ 97) (pp. 21-29). Information Technology: Coding and Computing
(pp. 157-161).
Rukhin, A., & Soto, J. (2001). A statistical test suite
for random and pseudorandom number generators Wang, Y., O’Neill, M., & Kurugollu, F. (2012). The
for cryptographic application. NIST Special Publi- improved sign bit encryption of motion vectors for
cation 800-22. H.264/AVC. In Proceedings of the 20th European
Signal Processing Conference (EUSIPCO) (pp.
Shahid, Z., Chaumont, M., & Puech, W. (2009). 1752-1756).
Selective and scalable encryption of enhancement
layers for dyadic scalable H.264/AVC by scrambling Wen, J. T., Severa, M., & Zeng, W. J. (2002). A for-
of scan patterns. In Proceedings of 16th IEEE In- mat-compliant configurable encryption framework
ternational Conference on Image Processing (ICIP) for access control of video. IEEE Transactions on
(pp. 1273-1276). Circuits and Systems for Video Technology, 12(6),
545–557. doi:10.1109/TCSVT.2002.800321.
Shahid, Z., Chaumont, M., & Puech, W. (2011). Fast
protection of H.264/AVC by selective encryption of Wu, C. P., & Kuo, C. C. J. (2001). Efficient multimedia
CAVLC and CABAC for I and P frames. IEEE Trans- encryption via entropy codec design. In Proceed-
actions on Circuits and Systems for Video Technology, ings of SPIE 4314, Security and Watermarking of
21(5), 565–576. doi:10.1109/TCSVT.2011.2129090. Multimedia Contents III (pp. 128-138).
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
50 International Journal of Digital Crime and Forensics, 5(2), 50-62, April-June 2013
ABSTRACT
The threat of cyber-related crimes due to excessive usage of Internet and current e-behaviour amongst the
younger children is not new in this new millennium but stays as an issue for consideration. This paper provide
Keywords: Cyber Related Crimes, E-Behaviour, Internet Usage, Malaysian Adolescence, Malaysian
Pre-Adolescence, Malaysian Youths, Online Behaviours
DOI: 10.4018/jdcf.2013040104
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 50-62, April-June 2013 51
Interactive Services in (1996), one out of every As for Malaysia, the Internet usage has
thousand Malaysians had access to the Internet increased 41% in 2010 which has increase 15%
(20,000 Internet users out of a population of 20 over the previous year, based on The Nielsen
million). In 1998, this number grew to 2.6% of Company’s Mobile Insights Survey (Nielsen-
the population. The total number of computer wire, 2011) wherelse Internet usage statistics
units sold, which was 467,000 in 1998 and in terms of overall population was reported as
701,000 in 2000 indicate an increasing growth 56.62% as shown in Figure 1. Economist Intel-
(Lee, 2000). Today, Internet usage or access is ligence Unit (EIU) estimated that the Internet
not limited via a personal computer with LAN usage in Malaysia would be up to 62% in 2011
connection but it could be accessed by using a nevertheless the report from the World Bank
3G mobile phone. Group (2012) records at 60% and by 2015, this
rate is expected to reach 77%. These percent-
ages are an indication of progressive increase
INTERNET USAGE TREND in Internet usage among Malaysian.
Worldwide Internet usage report which
Internet usage among individuals such as
demonstrates an increase in the pattern of
children, adults and professionals are not a
Internet use (Internet World Stats, 2012; NAS
new phenomenon in this new millennium.
Recruitment Communications, 2009) is in line
The world statistics on the Internet usage re-
with Malaysia’s Internet usage as detailed by
corded as of 31st March 2011 compared to 31st
Digital Media Across Asia, (2010), however
December 2000 shows a tremendous increase
the age of the Internet users are reducing in
(Miniwatts Marketing Group (20/12/2011),
many countries (Australian Communications
from 360,985,492 to 2,095,006,005 and latest
& Media Authority, 2010; pg. 42) which in due
report as per recorded in June 30, 2012 (refer
Table 1. Internet usage statistics: World internet users and population stats (modified from
Miniwatts Marketing Group (17/02/2013)
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
52 International Journal of Digital Crime and Forensics, 5(2), 50-62, April-June 2013
adolescent on the Internet use in many parts 2005). Both pre-adolescent and adolescent are
of the world. Understanding these concerns age categories which are crucial as formations
can support research to be more focused on of behavior are taking place.
the trends and patterns of activities among Internet users are not targeted to just adults
Malaysian pre-adolescents and adolescents on aged above 21 years but reducing to young
their e-behaviour.
IGI GLOBAL PROOF children as well. Most of the young children
(pre-adolescent and adolescent) in this new
millennium are ‘wired’ and to a greater extent
PRE-ADOLESCENCE AND influence the behavior formation (Ybarra &
ADOLESCENCE AND Mitchell, 2004) and lifestyle.
INTERNET USAGE Philips (2010) a senior analyst for eMar-
keters.com reported that in America, 12 – 24
Individual undergoes various stages of life de-
years old represents a major component of the
velopment during their life time (Cherry, 2012).
Internet users at 51.7 million (23.4% of the
It begins from infancy and may end in very old
total). In addition, Philips (2010) estimated
age. The stages can be differentiated accord-
that in 2011 there will be 20.2 million children
ing to the developmental stage and age group
under 11years old going online. Further it noted
(Cherry, 2012; Newman & Newman, 2009).
that this number may increase to 24.9 million
Pre-adolescence is an age category between
American kids by 2014 (refer to Table 2).
8 – 12 years old, in addition it is an age where a
Likewise in United Kingdom, European
child would develop a life outside home circle
Travel Commission (2013) in its website recited
(Hall, 2006), adolescence by comparison will
the Office for National Statistic in August 2011
be those aged between 12 – 24 years old, as
and pointed that the largest Internet users for
exemplified by Newman and Newman (2009).
United Kingdom were in the 16 – 24 age group,
Adolescent represents, “the period when a
which is at 98.8% and that it represents 7.19
person’s identity is formed, and is a common
million people.
period for experiencing confusion and frus-
tration.” (Chapman, 2006 – 2012; Kim et al.,
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 50-62, April-June 2013 53
Table 2. US internet users by age, 2008 – 2014 (abstracted from Philips, 2010)
Similarly, a survey done in Malaysia Likewise the latest survey made in 2009
confirms the high usage of Internet among the and presented by Koay Hock Eng on behalf of
age group between 15 – 19 years old (refer to Malaysian Communication and Multimedia
Table 3). If fact, Household Use of the Internet Commission in the Asia-Pacific Internet Re-
Survey made between 2005 on a sample size search Alliance, 7th International Conference,
of 4,925 Internet users in private households, New Delhi, India (2010) displayed a table
Table 3. Percentage share of household user base on age group (obtained from Household Use
of the Internet survey, 2005)
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
54 International Journal of Digital Crime and Forensics, 5(2), 50-62, April-June 2013
Table 4. Percentage share of household user base on age group (Malaysian Communication and
Multimedia Commission, 2010)
Despite the fact that 19 years old age and adolescents and adolescents may be posed
below are just 27.3% from the overall age group towards great dangers if no strategies and
in Malaysia, awareness and emphasis on their action plans are put forth at the initial stage of
online behavior should be researched as these their Internet use. This may also indirectly as-
age group would turn to be the adults using the sist in understanding of their possible reasons
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 50-62, April-June 2013 55
Table 5. Life stage, age group, development tasks and summary findings from Newman & New-
man, 2009
Figure 2. Typical engagement in online activities (adapted from Pieters & Krupin, 2010, pg 24)
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
56 International Journal of Digital Crime and Forensics, 5(2), 50-62, April-June 2013
A similar finding was found in UK in 2007, something or even take revenge. According to
whereby a quantitative and qualitative research psychologist playing violent computer games
project was conducted on 1, 1511 children and for just a few minutes is much more harmful
young people’s aged 9 to 19 years old (pre- than watching violence on television or films
adolescents and adolescents) on the use of the (Braid & Craig, 2011). Braid and Craig further
internet (Livingston & Helsper, 2007). The re- added other studies which found that kids who
search output showed that girls do communicate spend more time playing violent video games
more on the Internet than boys, but it concluded are more hostile and more likely to argue than
that it is the age that plays an important factor other teens, kids who play violent games for
more than gender when it comes to involvement less than 10 minutes tend to act aggressively
into risky e-behaviour. shortly after playing.
Malaysian pre-adolescent and adolescent In addition another study was conducted on
shows similar patterns of e-Behaviour such 205 adolescents aged 10 – 14 years revealed that
as reported by Pieters and Krupin (2010). In aggression or the external behaviour problems
Malaysia, based on the survey made in 2009 were identified among early adolescents due
and presented in 2010 Conference in India by to Internet communication, the amount spent
Koay (2010) also show a similar pattern of e- on online gaming and by playing first-person
Behaviour such as in Figure 2, among Malaysian shooters (Holtz & Appel, 2011). Furthermore,
pre-adolescents and adolescents. The details Chen et al (2005) study related to online gam-
presented has been summarised in Table 6. ing-related crimes and other social influences
Some of the e-behaviour listed in Table 6 is in Taiwan discovered that out of 613 cases
associated to risky behaviours identified from reported, young offenders aged between 15
Pieters and Krupin (2010) research. One that and 20 years old makes up the highest statistic
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 50-62, April-June 2013 57
Table 6. Four main uses of internet by Malaysian (summarised from Malaysian Communications
& Multimedia Commission, 2009)
Besides that, Hussain (2011) indicated ing in any form of social cruelty using the In-
some of the other common e-Behaviour that ternet). Pieters and Krupin (2010) did highlight
seems to be prominent lately is cyber bullying in their research on the increase involvement
(sending and posting harmful material or engag- of pre-adolescence and adolescence into cyber
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
58 International Journal of Digital Crime and Forensics, 5(2), 50-62, April-June 2013
Percentage
No. Risky Behaviour as Listed by Pieters & Krupin (2010) Base on 1357
Sample Size
1 Allowing their home computer to become infected with a virus or other software 23%
2 Sharing password with friends 13%
3 Downloading programs without their parents knowledge 25%
4 Chatting with people they do not know in offline world 22%
11%
5 Viewing or downloading X-rated content among boys especially 16 – 17 years old.
35%
Boys are more likely than girls to have ever downloaded programs without parental
6 45%
knowledge or those with X-rated material.
Give out personal information such as first name, age and e-mail address but 1/10
7 gives out photo of themselves, their school name, last name, cell phone number or the -
description of what they look like, parents name, home address and school address.
Girls (25%) especially 16 – 17 year old girls (43%) are more likely than boys to chat
8 -
with people online they do not know in offline world)
bullying. Additionally their findings revealed Hussain (2011) added that Cyber stalkers
that 1/10 youth (10%) admit engaging in some (decent anonymous Internet users who steal
form of cyber bullying, kids are more likely to identity to lure victim for evil intentions),
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 50-62, April-June 2013 59
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
60 International Journal of Digital Crime and Forensics, 5(2), 50-62, April-June 2013
the actual circumstances faced by Malaysian Christodoulaki, M., & Fragopoulou, P. (2010). Safe-
pre-adolescents and adolescents and the fac- Line: Reporting illegal internet content. Information
Management & Computer Security, 18(1), 54–65.
tors leading them can be a great assistance in
doi:10.1108/09685221011035269.
plotting appropriate action plan by parents and
relevant authorities. Digital Media Across Asia. (2010). Malaysia inter-
net penetration. Retrieved from http://comm215.
wetpaint.com/page/Malaysia+Internet+Penetration
ACKNOWLEDGMENT European Travel Commission. (2013). Usage pat-
terns and demographic. Retrieved from http://www.
newmediatrendwatch.com/markets-by-country/18-
We would like to acknowledge the consider- uk/148-usage-patterns-and-demographics
able contribution of Mr. Ahmad Izham Bin
Khairuddin from Cyber Security Malaysia for Grusser, S., Thalemann, R., & Griffiths, M. (2007).
his valuable insight on the current cyber hap- Excessive computer game playing: Evidence for
addiction and aggression? Cyberpsychology & Be-
pening among Malaysian adolescents. Thanks havior, 10(2), 290–292. doi:10.1089/cpb.2006.9956
are also due to Dr. Kirandeep Kaur for proof PMID:17474848.
reading this paper.
Hall, G. S. (2006). Youths: Its education, regimen,
and hygiene. The Echo Library: Middlesex, 7.
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 50-62, April-June 2013 61
Kim, K., Ryn, E., Chon, M. Y., Yuen, E. J., Choi, Munusamy, K., & Ismail, M. (2009). Influence
S. Y., Seo, J. S., & Nam, B. W. (2005). Internet of gender role on internet usage pattern at home
addiction in Korean adolescents and its relation to among academicians. The Journal of International
depression and suicidal ideation: A questionnaire Social Research, 2/9. Fall 2009. Retrieved from
survey. International Journal of Nursing Studies, http://www.sosyalarastirmalar.com/cilt2/sayi9pdf/
43(2006), 185–192. munusamy_ismail.pdf
KO. (2009). C. H., Yen, T. Y., Liu, S. C., Huang, C. NAS Recruitment Communications. (2009). Internet
F., & Yen, C. F. (2009). The Associations between usage in the United States. Retrieved from http://
aggressive behaviors and internet addiction and www.nasrecruitment.com/docs/white_papers/Inter-
online activities in adolescents. The Journal of net_Usage_United_States.pdf
Adolescent Health, 44, 598–605. doi:10.1016/j.
jadohealth.2008.11.011 PMID:19465325. Newman, B. M., & Newman, P. R. (2009). Develop-
ment through life: A psychological approach (10th
Koay, H. C. (2010). Household use of internet survey ed.). Balmont.
2009 Malaysia. In Proceedings of the 7th Interna-
tional Conference Asia-Pacific Internet Research Nielsenwire. (2011). Malaysian internet usage takes
Alliance, New Delhi, India. off in 2010. Retrieved from http://blog.nielsen.com/
nielsenwire/global/malaysian-internet-usage-takes-
Kshetri, N. (2009). Positive externality, in- off-in-2010
creasing returns, and the rise in cybercrimes.
Communications of the ACM, 2009, 141–144. Nykodym, N., Ariss, S., & Kurtz, K. (2008). Com-
doi:10.1145/1610252.1610288. puter addiction and cyber crime. Journal of Leader-
ship. Accountability and Ethics, 2008, 78–85.
Lee, W. (2000). Internet took the crown as top
IT growth in Malaysia. MalaysiaCnet. Re- Patrick, C.-H., Wai, S. K., & Arumugam, C. C., Veeri,
trieved from http//www.malaysia.cnet.com/ & Ang, P. H. (2011). Ethnic-based digital divide and
news/2000/04/21/200000421j.html internet use amongst Malaysian students. Akademika,
81(1), 93–100.
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
62 International Journal of Digital Crime and Forensics, 5(2), 50-62, April-June 2013
The Star. (2010). Cyberstalking a serious threat. Ybarra, M. L., & Mitchell, K. L. (2004). Youth
Retrieved from http://www.cybersecurity.my/en/ engaging in online harassment: Associations with
knowledge_bank/news/2010/main/detail/1853/ caregiver-child relationships, Internet use, and per-
index.html sonal characteristics. Journal of Adolescence, 27(3),
319–336. doi:10.1016/j.adolescence.2004.03.007
World Bank Group. (2012). Internet us- PMID:15159091.
ers as percentage of population. Retrieved
from http://www.google.com.my/publicdata/
explore?ds=d5bncppjof8f9_&met_y=it_net_user_
p2&idim=country:MYS&dl=en&hl=en&q=intern
et%20usage#!ctype=l&strail=false&bcs=d&nselm
=h&met_y=it_net_user_p2&scale_y=lin&ind_y=f
alse&rdim=region&idim=country:MYS&ifdim=re
gion&hl=en_US&dl=en&ind=false
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 63-66, April-June 2013 63
BOOK REVIEW
Computer Forensics:
Cybercriminals, Laws, and Evidence
Reviewed by Szde Yu, Department of Criminal Justice, Wichita State University, Wichita, KS,
USA
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
64 International Journal of Digital Crime and Forensics, 5(2), 63-66, April-June 2013
and electronic evidence. Chapter 5 talks about nowadays mobile phones are, it is important
cybercrime statutes and the crimes they cover. to know how computer forensics is applied to
The author makes a nice distinction among portable devices. However the discussion in this
different types of cybercrime as the law that chapter is a bit limited as it fails to include some
applies may differ. The crimes covered in the of more advanced and popular devices, such
chapter include hacking, website defacement, as iPad. The discussion of smartphones is also
writing and distributing malicious code, com- lacking in how the applications may facilitate
puter intrusions and attacks, cyberterrorism, crime and hinder forensic works. In chapter 13,
different types of fraud, intellectual property what a computer forensics investigator should be
theft, electronic espionage, cyberharassment, prepared to face in a courtroom is also discussed.
and cyberstalking. In chapter 6, the cyber Evidence is never all about techniques. How it
environment which breeds multiple types of is interpreted and presented is as crucial as how
cybercrime (e.g. cyberbullying, identity theft, it was collected. This chapter is particularly
and online scam) is discussed. Cyberspace can valuable for practitioners who may possess
be and should be seen as a social setting that the skill but lack sufficient knowledge on the
creates or facilitates certain crimes. This is an legal proceedings.
important aspect that is usually missing in a All in all, as mentioned, this book should
book that is too technical to address the social be recommended to people who first started
environment of crime. Nonetheless, in this book studying computer forensics. It is very helpful
the content also covers technical knowledge. in establishing a conceptual framework for
In chapter 7, the tools that can be used to col- computer forensics, and it paints a fairly solid
lect evidence are introduced. It also addresses idea of what to expect in both the technical
the problems investigators may run into when and legal aspects. It is finally a book about
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics, 5(2), 63-66, April-June 2013 65
technology has been embedded in our everyday stress this but the author only shallowly ad-
life, digital evidence can be applicable to any dresses this in the book. This aspect is deemed
crime, because electronic devices could be used important because in my opinion a digital system
in any crime that is not normally construed as as to digital investigation is analogous to a physi-
cybercrime. For example, a murderer could cal crime scene in a street crime investigation.
videotape his killing using his cell phone. It is The structural environment affects how forensic
not a cybercrime but the crucial evidence can be works can or should proceed effectively. The
stored in the form of digital evidence. Email can book may need to emphasize and illustrate this
be used for communication between criminals. more because it is the fundamentals of computer
Even though they did not commit crime through forensics. In addition, I would recommend more
email, the email conversation could still serve as consideration on the “criminal” aspect of com-
evidence. GPS devices also could store impor- puter forensics. As mentioned, in this book the
tant evidence related to a criminal’s whereabouts main focus is still on “crime”. This is a norm
in a case that is not necessarily cybercrime. in most books related to computer forensics.
To think of computer forensics as cybercrime However, since Dr. Maras is a criminologist
investigation is incomprehensive. Computer and a former investigator, it is a shame she
forensics ought to be seen as part of forensic does not integrate the human element into the
science that could be applicable in any crime discussion of digital evidence more extensively.
investigations. Moreover, computer forensics For instance, how have modern technologies
not only generates evidence in a legal sense, changed a criminal’s modus operandi? What
but also provides useful leads for investigation. are the criminological theories that are most
This is to say even if the information extracted applicable to cybercriminals? Discussions in
from electronic devices is not forensic evidence these aspects would engender a more compre-
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
66 International Journal of Digital Crime and Forensics, 5(2), 63-66, April-June 2013
deficiency of computer science would better offered for every chapter. Nonetheless, students
distinguish this book, considering the author’s would have sufficient knowledge to learn about
backgrounds. and some insightful questions for research and
In conclusion, I would recommend this brainstorming. For those who are seeking more
book to anyone, including practitioners, advanced knowledge and detailed techniques
academics, and students, who is interested in on computer forensics, however, there might
computer forensics. It addresses not only the be more suitable books available.
technique, but also the law and the criminal
background. Dr. Maras’ writing style renders
great readability and the organization of the book REFERENCES
is superb. It can serve as a good textbook for
it provides practical exercise, critical thinking Maras, M. (2012). Computer forensics: Cybercrimi-
questions, and review questions at the end of nals, laws, and evidence. Sudbury, MA: Jones &
Bartlett Learning.
each chapter, although they are not consistently
Szde Yu is a former military investigator from Taiwan in charge of computer security and criminal
investigation. He is currently an Assistant Professor of Criminal Justice in the School of Com-
munity Affairs at Wichita State University in USA. He used to serve in the College Information
Security Oversight Committee at the state university of New York. With educational background
in both computer science and criminology, Dr. Yu’s research interests involve cybercrime, com-
IGI GLOBAL PROOF
puter forensics, cyber-psychology, and criminal profiling. He has published journal articles on
subjects such as email forensics, digital piracy, and cyber-profiling. In research, he particularly
appreciates interdisciplinary collaboration. In teaching, Dr. Yu has taught terrorism, research
methods, criminological theory, police problems, and criminal investigations.
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Crime and Forensics
An official publication of the Information Resources Management Association
Mission
The mission of the International Journal of Digital Crime and Forensics (IJDCF) is to provide
and foster a forum for advancing research and development of the theory and practice of digital crime
prevention and forensics. IJDCF addresses a broad range of digital crimes and forensic disciplines
that use electronic devices and software for crime prevention and investigation. This journal informs
a broad cross-sectional and multi-disciplinary readership ranging from the academic and professional
research communities, to industry consultants and practitioners. IJDCF publishes a balanced mix
of high quality theoretical and empirical research articles, case studies, book reviews, tutorials, and
editorials.
Subscription Information
IJDCF is published Quarterly: January-March; April-June; July-September; October-December by
IGI Global. Full subscription information may be found at www.igi-global.com/IJDCF The journal
is available in print and electronic formats.
Institutions may also purchase a site license providing access to the full IGI Global journal collection
featuring more than 100 topical journals in information/computer science and technology applied to
business & public administration, engineering, education, medical & healthcare, and social science.
For information visit www.igi-global.com/isj or contact IGI at eresources@igi-global.com.
The International Journal of Digital Crime and Forensics is currently listed or indexed in: Applied
Social Sciences Index & Abstracts (ASSIA); Bacon’s Media Directory; Cabell’s Directories; Com-
pendex (Elsevier Engineering Index); DBLP; GetCited; Google Scholar; INSPEC; JournalTOCs;
Library & Information Science Abstracts (LISA); MediaFinder; Norwegian Social Science Data
Services (NSD); SCOPUS; The Index of Information Systems Journals; The Standard Periodical
Directory; Ulrich’s Periodicals Directory
IGI GLOBAL PROOF