• Title/Summary/Keyword: 디지털포렌식 조사

Search Result 84, Processing Time 0.026 seconds

A study on the Effective Selection of the Personal Information Audit Subject Using Digital Forensic (디지털 포렌식 기법을 활용한 효율적인 개인정보 감사 대상 선정 방안 연구)

  • Cheon, Jun-Young;Lee, Sang-Jin
    • Journal of Advanced Navigation Technology
    • /
    • v.18 no.5
    • /
    • pp.494-500
    • /
    • 2014
  • Recently the leak of personal information from in-house and contract-managed companies has been continually increasing, which leads a regular observation on outsourcing companies that perform the personal information management system to prevent dangers from the leakage, stolen and loss of personal information. However, analyzing many numbers of computers in limited time has found few difficulties in some circumstances-such as outsourcing companies that own computers that have personal information system or task continuities that being related to company's profits. For the reason, it is necessary to select an object of examination through identifying a high-risk of personal data leak. In this paper, this study will formulate a proposal for the selection of high-risk subjects, which is based on the user interface, by digital forensic. The study designs the integrated analysis tool and demonstrates the effects of the tool through the test results.

The Trace Analysis of SaaS from a Client's Perspective (클라이언트관점의 SaaS 사용 흔적 분석)

  • Kang, Sung-Lim;Park, Jung-Heum;Lee, Sang-Jin
    • The KIPS Transactions:PartC
    • /
    • v.19C no.1
    • /
    • pp.1-8
    • /
    • 2012
  • Recently, due to the development of broadband, there is a significant increase in utilizing on-demand Saas (Software as a Service) which takes advantage of the technology. Nevertheless, the academic and practical levels of digital forensics have not yet been established in cloud computing environment. In addition, the data of user behavior is not likely to be stored on the local system. The relevant data may be stored across the various remote servers. Therefore, the investigators may encounter some problems in performing digital forensics in cloud computing environment. it is important to analysis History files, Cookie files, Temporary Internet Files, physical memory, etc. in a viewpoint of client, since the SaaS basically uses the web to connects the internet service. In this paper, we propose the method that analysis the usuage trace of the Saas which is the one of the most popular cloud computing services.

A Study on Data Acquisition and Analysis Methods for Mac Memory Forensics (macOS 메모리 포렌식을 위한 데이터 수집 및 분석 방법에 대한 연구)

  • Jung Woo Lee;Dohyun Kim
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.34 no.2
    • /
    • pp.179-192
    • /
    • 2024
  • macOS presents challenges for memory data acquisition due to its proprietary system architecture, closed-source kernel, and security features such as System Integrity Protection (SIP), which are exclusive to Apple's product line. Consequently, conventional memory acquisition tools are often ineffective or require system rebooting. This paper analyzes the status and limitations of existing memory forensics research and tools related to macOS. We investigate methods for memory acquisition and analysis across various macOS versions. Our findings include the development of a practical memory acquisition and analysis process for digital forensic investigations utilizing OSXPmem and dd tools for memory acquisition without system rebooting, and Volatility 2, 3 for memory data analysis.

A Study of Method to Restore Deduplicated Files in Windows Server 2012 (윈도우 서버 2012에서 데이터 중복 제거 기능이 적용된 파일의 복원 방법에 관한 연구)

  • Son, Gwancheol;Han, Jaehyeok;Lee, Sangjin
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.27 no.6
    • /
    • pp.1373-1383
    • /
    • 2017
  • Deduplication is a function to effectively manage data and improve the efficiency of storage space. When the deduplication is applied to the system, it makes it possible to efficiently use the storage space by dividing the stored file into chunks and storing only unique chunk. However, the commercial digital forensic tool do not support the file system analysis, and the original file extracted by the tool can not be executed or opened. Therefore, in this paper, we analyze the process of generating chunks of data for a Windows Server 2012 system that can apply deduplication, and the structure of the resulting file(Chunk Storage). We also analyzed the case where chunks that are not covered in the previous study are compressed. Based on these results, we propose the method to collect deduplicated data and reconstruct the original file for digital forensic investigation.

A Text Mining-based Intrusion Log Recommendation in Digital Forensics (디지털 포렌식에서 텍스트 마이닝 기반 침입 흔적 로그 추천)

  • Ko, Sujeong
    • KIPS Transactions on Computer and Communication Systems
    • /
    • v.2 no.6
    • /
    • pp.279-290
    • /
    • 2013
  • In digital forensics log files have been stored as a form of large data for the purpose of tracing users' past behaviors. It is difficult for investigators to manually analysis the large log data without clues. In this paper, we propose a text mining technique for extracting intrusion logs from a large log set to recommend reliable evidences to investigators. In the training stage, the proposed method extracts intrusion association words from a training log set by using Apriori algorithm after preprocessing and the probability of intrusion for association words are computed by combining support and confidence. Robinson's method of computing confidences for filtering spam mails is applied to extracting intrusion logs in the proposed method. As the results, the association word knowledge base is constructed by including the weights of the probability of intrusion for association words to improve the accuracy. In the test stage, the probability of intrusion logs and the probability of normal logs in a test log set are computed by Fisher's inverse chi-square classification algorithm based on the association word knowledge base respectively and intrusion logs are extracted from combining the results. Then, the intrusion logs are recommended to investigators. The proposed method uses a training method of clearly analyzing the meaning of data from an unstructured large log data. As the results, it complements the problem of reduction in accuracy caused by data ambiguity. In addition, the proposed method recommends intrusion logs by using Fisher's inverse chi-square classification algorithm. So, it reduces the rate of false positive(FP) and decreases in laborious effort to extract evidences manually.

Development of a Set of Data for Verifying Partition Recovery Tool and Evaluation of Recovery Tool (파티션 복구 도구 검증용 데이터 세트 개발 및 도구 평가)

  • Park, Songyee;Hur, Gimin;Lee, Sang-jin
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.27 no.6
    • /
    • pp.1397-1404
    • /
    • 2017
  • When a digital forensic investigation is conducted on a damaged storage medium, recovery is performed using a recovery tool. But the result of each recovery tool is different depending on the tools. Therefore, it is necessary to identify and use the performance and limitations of the tool for accurate investigation. In this paper, we propose a scenario considering the disk recognition type such as MBR, GPT and the structural characteristics of FAT32 and NTFS filesystem to verify the performance of the partition recovery tool. And then We validate the existing tools with the data set built on the scenarios.

The Research for Digital Evidence Acquisition Procedure within a Full Disk Encryption Environment (Full Disk Encryption 환경에서 디지털 증거 수집 절차에 관한 연구)

  • Jang, Sung-Min;Park, Jung-Heum;Pak, Chan-Ung;Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.25 no.1
    • /
    • pp.39-48
    • /
    • 2015
  • As a growing number of people are concerned about the protection of personal information, the use of encryption solution has been increased. In addition, with the end of support for Windows XP and the improvement of operating system, the use of the Full Disk Encryption solution like Bitlocker will be increased. Therefore, it is necessary to consider countermeasures against Full Disk Encryption for the future digital forensic investigation. This paper provides the digital evidence acquisition procedure that responds to the Full Disk Encryption environment and introduces the countermeasures and detection tool against Full Disk Encryption solutions that are widely used.

A study on an investigation procedure of digital forensics for VMware Workstation's virtual machine and a method for a corrupted image recovery (VMware Workstation 가상 머신 이미지에 대한 디지털 포렌식 조사 절차 및 손상된 이미지 복구 방안)

  • Lim, Sung-Su;Yoo, Byeong-Yeong;Park, Jung-Heum;Byun, Keun-Duck;Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.21 no.2
    • /
    • pp.61-70
    • /
    • 2011
  • Virtualization is a technology that uses a logical environment to overcome physical limitations in hardware. As a part of cost savings and green IT policies, there is a tendency in which recent businesses increase the adoption of such virtualization. In particular, regarding the virtualization in desktop, it is one of the most widely used technology at the present time. Because it is able to efficiently use various types of operating systems in a physical computer. A virtual machine image that is a key component of virtualization is difficult to investigate. because the structure of virtual machine image is different from hard disk image. Therefore, we need researches about appropriate investigation procedure and method based on technical understanding of a virtual machine. In this research, we suggest a procedure of investigation on a virtual machine image and a method for a corrupted image of the VMware Workstation that has the largest number of users.

A Forensic Methodology for Detecting Image Manipulations (이미지 조작 탐지를 위한 포렌식 방법론)

  • Jiwon Lee;Seungjae Jeon;Yunji Park;Jaehyun Chung;Doowon Jeong
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.33 no.4
    • /
    • pp.671-685
    • /
    • 2023
  • By applying artificial intelligence to image editing technology, it has become possible to generate high-quality images with minimal traces of manipulation. However, since these technologies can be misused for criminal activities such as dissemination of false information, destruction of evidence, and denial of facts, it is crucial to implement strong countermeasures. In this study, image file and mobile forensic artifacts analysis were conducted for detecting image manipulation. Image file analysis involves parsing the metadata of manipulated images and comparing them with a Reference DB to detect manipulation. The Reference DB is a database that collects manipulation-related traces left in image metadata, which serves as a criterion for detecting image manipulation. In the mobile forensic artifacts analysis, packages related to image editing tools were extracted and analyzed to aid the detection of image manipulation. The proposed methodology overcomes the limitations of existing graphic feature-based analysis and combines with image processing techniques, providing the advantage of reducing false positives. The research results demonstrate the significant role of such methodology in digital forensic investigation and analysis. Additionally, We provide the code for parsing image metadata and the Reference DB along with the dataset of manipulated images, aiming to contribute to related research.

A Digital Forensic Procedure and Service of Ship with VTS and Navigation Device (VTS 및 소형선박 항해장비의 항적추출을 통한 디지털 포렌식 절차 및 모델서비스)

  • Lee, Byung-Gil;Choi, Byeong-Chel
    • Proceedings of the Korean Institute of Navigation and Port Research Conference
    • /
    • 2019.11a
    • /
    • pp.243-245
    • /
    • 2019
  • In the VTS, the predictions of vessel mobility and situation awareness of maritime environment are basic function. In recent years, pilotage information is an essential aware element of VTS personnel for vessel traffic management. So, we designed the structure of pilotage information service with VTS and tested in real environment. In the future, similar pilotage information can be used as a useful VTS service.

  • PDF