Da-Yu Kao is an Associate Professor at the Department of Information Management, Central Police University, Taiwan. I am responsible for various recruitment efforts and training programs for Taiwan civil servants, police officers, and ICT technicians. I have an extensive background in law enforcement and a keen interest in information security, ICT governance, technology-based investigation, cyber forensics, human resource development, and public sector globalization. I was a detective and forensic police officer at Taiwan's Criminal Investigation Bureau (under the National Police Administration). With a Master's degree in Information Management and a Ph.D. degree in Crime Prevention and Correction, I have led several investigations in cooperation with police agencies from other countries over the past 20 years. I am now the director of the Computer Crime Investigation Lab at Central Police University and the webmaster of the Cybercrime Investigation and Digital Forensics Facebook group. I can be reached at [email protected]
As computer systems become increasingly important for our daily activities, cybercrime has created challenges for the criminal justice system. Data can be hidden in an ADS (Alternate Data Stream) without hindering performance. This feature has been exploited by malware authors, criminals, terrorists, and intelligence agents to erase, tamper with, or conceal secrets. However, ADS problems are largely ignored in digital forensics, and few studies have illustrated the contact artifacts of ADS timestamps. This paper performs a sequence of experiments from an inherited variety and provides an in-depth overview of timestamp transfer in data hiding operations. It utilizes files or folders as original media and uses timestamp rules as an investigative approach for the forensic exchange analysis of file sets. This paper also explores timestamp rules using case examples, which allow practical applications of crime scene reconstruction in real-world contexts. The experimental results demonstrate the effectiveness of temporal attributes, help digital forensic practitioners uncover hidden relations, and trace the contact artifacts among crime scenes, victims, and suspects/criminals.
Da-Yu Kao. Forensic Exchange Analysis of Contact Artifacts on Data Hiding Timestamps. Applied Sciences 2020, 10, 4686.
AMA Style: Da-Yu Kao. Forensic Exchange Analysis of Contact Artifacts on Data Hiding Timestamps. Applied Sciences. 2020;10(13):4686.
Chicago/Turabian Style: Da-Yu Kao. 2020. "Forensic Exchange Analysis of Contact Artifacts on Data Hiding Timestamps." Applied Sciences 10, no. 13: 4686.
Ransomware activities have been rising steadily. The network traffic characteristics in a network packet analysis are available immediately to explore anomalies and find offensive behaviors. This paper applies a lightweight ICEAP (Identify-Collect-Examine-Analyze-Present) approach to effectively identify LooCipher ransomware activities instead of establishing complex systems or creating various programs. The proposed approach tracks online behaviors and identifies the source/destination entities. With this detection method, analysts can merge the eigenvalues into security mechanisms, uncover network threats by analyzing the full payload, and detect ransomware infections with minimal effort.
Te-Min Liu; Da-Yu Kao; Yun-Ya Chen. LooCipher Ransomware Detection Using Lightweight Packet Characteristics. Procedia Computer Science 2020, 176, 1677-1683.
AMA Style: Te-Min Liu, Da-Yu Kao, Yun-Ya Chen. LooCipher Ransomware Detection Using Lightweight Packet Characteristics. Procedia Computer Science. 2020;176:1677-1683.
Chicago/Turabian Style: Te-Min Liu; Da-Yu Kao; Yun-Ya Chen. 2020. "LooCipher Ransomware Detection Using Lightweight Packet Characteristics." Procedia Computer Science 176: 1677-1683.
In recent years, drug abuse and drug addiction have become a major burden on society. To meet public expectations for drug crime prevention, law enforcement agencies devote considerable resources to strengthening the intensity of interventions. However, with rapid changes in social patterns, drug criminals also look for ways to evade law enforcement investigations by producing, transporting, and selling drugs across different regions, making drug prevention more difficult. Developing dominant strategies to deal with this issue is therefore a main task for police agencies. To analyze the structural influences of drug crime more effectively, we utilize social network analysis (SNA) techniques to discover the implications of drug-related crime networks. The macro-level perspective of the co-offender network indicates that criminals intend to set blocks between network members to prevent law enforcement interventions. The micro-level perspective of individuals provides significant social features for predicting drug recidivism. The experimental results indicate superior performance when adopting both personal and social features in the classification task. Applying SNA to recidivism prediction is a leading endeavor, and the approach presented in this paper offers a remarkable improvement over traditional methods. The results of this paper reveal the advantages of structural implications in analyzing drug-related crime, as well as their ability to facilitate the understanding of crime prevention and intervention strategies.
Fu-Ching Tsai; Ming-Chun Hsu; Chien-Ta Chen; Da-Yu Kao. Exploring drug-related crimes with social network analysis. Procedia Computer Science 2019, 159, 1907-1917.
AMA Style: Fu-Ching Tsai, Ming-Chun Hsu, Chien-Ta Chen, Da-Yu Kao. Exploring drug-related crimes with social network analysis. Procedia Computer Science. 2019;159:1907-1917.
Chicago/Turabian Style: Fu-Ching Tsai; Ming-Chun Hsu; Chien-Ta Chen; Da-Yu Kao. 2019. "Exploring drug-related crimes with social network analysis." Procedia Computer Science 159: 1907-1917.
Cyber services record the locations of almost everyone worldwide. Law Enforcement Agencies (LEAs) can use them to find suspects or witnesses near crime scenes. However, this runs the risk of arresting the innocent in a criminal investigation. This paper takes an intimidation case in Taiwan as an example. Crime scene investigation from the viewpoint of Google Maps is explored for supporting or refuting a crime. The proposed PETLO (People-Events-Time-Locations-Objects) model is an investigative approach that can be applied to clarify critical issues and explain how a crime happened.
Chih-Hung Shih; Fang-Cheng Chen; Shun-Wei Cheng; Da-Yu Kao. Using Google Maps to Track Down Suspects in a Criminal Investigation. Procedia Computer Science 2019, 159, 1900-1906.
AMA Style: Chih-Hung Shih, Fang-Cheng Chen, Shun-Wei Cheng, Da-Yu Kao. Using Google Maps to Track Down Suspects in a Criminal Investigation. Procedia Computer Science. 2019;159:1900-1906.
Chicago/Turabian Style: Chih-Hung Shih; Fang-Cheng Chen; Shun-Wei Cheng; Da-Yu Kao. 2019. "Using Google Maps to Track Down Suspects in a Criminal Investigation." Procedia Computer Science 159: 1900-1906.
Da-Yu Kao; Yuan-Pei Chen; Neng-Hsin Shih. Reconstructing ADS data hiding in Windows NTFS: A temporal analysis. Digital Investigation 2018, 26, S137.
AMA Style: Da-Yu Kao, Yuan-Pei Chen, Neng-Hsin Shih. Reconstructing ADS data hiding in Windows NTFS: A temporal analysis. Digital Investigation. 2018;26:S137.
Chicago/Turabian Style: Da-Yu Kao; Yuan-Pei Chen; Neng-Hsin Shih. 2018. "Reconstructing ADS data hiding in Windows NTFS: A temporal analysis." Digital Investigation 26: S137.
Cyber offenders spread their influence as fast as the Internet and cloud computing develop. Cloud computing increases the challenges of collecting and analyzing digital evidence in a cybercrime investigation, and research on cloud storage forensics, whether to obtain evidence or to analyze metadata, is scarce. This study proposes a time-based investigation in a complex cloud environment. Establishing timeline information using date-time stamps could help law enforcement agents investigate cloud-related crime. Experiments are observed from three users (creator, coauthor, and browser), four computers, and five file operation processes (file created, file accessed, file modified, file shared, and file downloaded). This study presents a novel cybercrime investigation countermeasure using a created-accessed-modified (CAM) model to improve the effectiveness of forensic analysis. This may have implications when examiners analyze hard disks or when a user has synchronized files from a cloud account prior to computer seizure. The countermeasure methodology is potentially useful for evidentiary datasets and investigations.
Da-Yu Kao. Cybercrime investigation countermeasure using created-accessed-modified model in cloud computing environments. The Journal of Supercomputing 2015, 72, 141-160.
AMA Style: Da-Yu Kao. Cybercrime investigation countermeasure using created-accessed-modified model in cloud computing environments. The Journal of Supercomputing. 2015;72(1):141-160.
Chicago/Turabian Style: Da-Yu Kao. 2015. "Cybercrime investigation countermeasure using created-accessed-modified model in cloud computing environments." The Journal of Supercomputing 72, no. 1: 141-160.
The law enforcement community has faced difficulties in how best to tackle the complex and dynamic developments in the internet, cloud services, and communications technology. This creates difficulties in handling a digital crime scene consistently. Offenders could use a cloud storage service as a medium to save others' data over the internet. This study explores the challenges of digital investigation on the Windows file system and proposes an iterative management model for exploring date-time stamps in the file metadata of Windows systems. We further observe the file metadata and compare their differences in date-time stamp behavior. The analysis techniques of this study may help establish an event timeline and clarify the offender's actions on the file. They will be useful in investigations and mitigate the impact of time bias across multiple systems.
Da-Yu Kao; Ying-Hsuan Chiu. An Iterative Management Model of Exploring Windows Date-Time Stamps in Cloud Storage Forensics. Transactions on Petri Nets and Other Models of Concurrency XV 2015, 498-512.
AMA Style: Da-Yu Kao, Ying-Hsuan Chiu. An Iterative Management Model of Exploring Windows Date-Time Stamps in Cloud Storage Forensics. Transactions on Petri Nets and Other Models of Concurrency XV. 2015:498-512.
Chicago/Turabian Style: Da-Yu Kao; Ying-Hsuan Chiu. 2015. "An Iterative Management Model of Exploring Windows Date-Time Stamps in Cloud Storage Forensics." Transactions on Petri Nets and Other Models of Concurrency XV: 498-512.