• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.4
• /
• pp.175-185
• /
• 2008

It is meaningful to investigate data in unallocated space because we can investigate the deleted data. However the data in unallocated space is formed to fragmented and it cannot be read by application in most cases. Especially in case of being compressed or encrypted, the data is more difficult to be read. If the fragmented data is encrypted and damaged, it is almost impossible to be read. If the fragmented data is compressed and damaged, it is very difficult to be read but we can read and interpret it sometimes. Therefore if the computer forensic investigator wants to investigate data in unallocated space, formal work of determining the data is encrypted of compressed and decompressing the damaged compressed data. In this paper, I suggest the method of analyzing data in unallocated space from a viewpoint of computer forensics.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.1
• /
• pp.67-80
• /
• 2012

Recently as the number of smartphone user is growing rapidly, android is also getting more interest in digital forensic. However, there is not enough research on digital data acquisition and analysis based on android platform's unique characteristics so far. Android system stores all the related recent systemwide logs from the system components to applications in volatile memory, and therefore, the logs can potentially serve as important evidences. In this paper, we propose a digital data acquisition and analysis system for android which extracts meaningful information based on the correlation of android logs and user activities from a device at runtime. We also present an efficient search scheme to facilitate realtime analysis on site. Finally, we demonstrate how the proposed system can be used to reconstruct the sequence of user activities in a more intuitive manner, and show that the proposed search scheme can reduce overall search and analysis time approximately 10 times shorter than the normal regular search method.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.6
• /
• pp.1113-1120
• /
• 2022

Recently, the investigation has been difficult due to the emergence of messengers that encrypt and store data for the purpose of protecting personal information and provide services such as end-to-end encryption with a focus on security. Accordingly, the number of crime cases using security messengers is increasing, but research on data decoding for security messengers is needed. Element security messengers provide end-to-end encryption functions so that only conversation participants can check conversation history, but research on decoding them is insufficient. Therefore, in this paper, we analyze the instant messenger Element, which provides end-to-end encryption, and propose a plaintext verification of the history of encrypted secure chat rooms using decryption keys stored in the Windows Credential Manager service without user passwords. In addition, we summarize the results of analyzing significant general and secure chat-related artifacts from a digital forensics investigation perspective.

• Journal of Internet of Things and Convergence
• /
• v.9 no.3
• /
• pp.7-12
• /
• 2023

One of the most important characteristics of digital forensics is integrity. Integrity means that the data has not been tampered with. If evidence is collected during digital forensic and later tampered with, it cannot be used as evidence. With analog evidence, it's easy to see if it's been tampered with, for example, by taking a picture of it. However, the data on the storage media, or digital evidence, is invisible, so it is difficult to tell if it has been tampered with. Therefore, hash values are used to prove that the evidence data has not been tampered with during the process of collecting evidence and submitting it to the court. The hash value is collected from the stored data during the evidence collection phase. However, due to the internal behavior of NAND flash memory, the physical data shape may change over time from the acquisition phase. In this paper, we study the characteristics and techniques of flash memory that can cause the physical shape of flash memory to change even if no intentional data corruption is attempted.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.1
• /
• pp.51-61
• /
• 2023

Messengers such as KakaoTalk, LINE, and Facebook Messenger are universal means of communication used by anyone. As the convenience functions provided to users and their usage time increase, so does the user behavior information remaining in the artifacts, which is being used as important evidence from the perspective of digital forensic investigation. However, for security reasons, most of the data is currently stored encrypted. In addition, cover-up behaviors such as intentional manipulation, concealment, and deletion are increasing, causing the problem of delaying digital forensic analysis time. In this paper, we conducted a study on the data decryption and artifacts analysis in a Windows environment for KakaoTalk, the messenger with the largest number of users in Korea. An efficient way of obtaining a decryption key and a method of identifying and decrypting messages attempted to be deleted are presented, and thumbnail artifacts are analyzed.

• KIPS Transactions on Computer and Communication Systems
• /
• v.6 no.7
• /
• pp.307-314
• /
• 2017

Stick-PC is small and portable, So it can be used like a desktop if you connect it to a display device such as a monitor or TV anytime and anywhere. Accordingly, Stick-PC can related to various crimes, and various evidence may remain. Stick-PC uses the same Windows version of the operating system as the regular Desktop, the artifacts to be analyzed are the same. However, unlike the Desktop, it can be used as a meaningful information for forensic investigation if it is possible to identify the actual user and trace the usage by finding the traces of peripheral devices before analyzing the system due to the mobility. In this paper, We presents a method of collecting images using Bootable OS, which is one of the image collection methods of Stick-PC. In addition, we show how to analyze the trace of peripheral connection and network connection trace such as Display, Bluetooth through the registry and event log, and suggest the application method from the forensic point of view through experimental scenario.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2010.04a
• /
• pp.758-761
• /
• 2010

악성코드는 P2P, 전자메일, 메신저나 저장매체, 인터넷 사이트 등 여러 가지 경로를 통해 전파된다. 특히 USB 기반 악성코드는 USB가 시스템에 연결될 때 악성코드를 자동 실행시키고, 로컬 드라이브 영역에 자기복제를 하는 등 특정 행위를 보인다. 포렌식 수사에서는 이러한 악의적 행위를 빠르게 분석하고 여러 가지 증거를 수집하여 감염의 원인을 신속하게 파악하는 것이 요구된다. 본 논문에서는 USB 기반 악성코드에 감염된 시스템의 피해 흔적을 분석하고 패턴을 정형화하여 USB 기반 악성코드의 감염 여부를 판별하는 방법론을 제시한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.1
• /
• pp.25-38
• /
• 2017

Many security threats are occurring around the world due to the characteristics of industrial control systems that can cause serious damage in the event of a security incident including major national infrastructure. Therefore, the industrial control system network traffic should be analyzed so that it can identify the attack in advance or perform incident response after the accident. In this paper, we research the visualization technique as network forensics to enable reasonable suspicion of all possible attacks on DNP3 control system protocol, and define normal action based rules and derive visualization requirements. As a result, we developed a visualization tool that can detect sudden network traffic changes such as DDoS and attacks that contain anormal behavior from captured packet files on industrial control system network. The suspicious behavior in the industrial control system network can be found using visualization tool with Digital Bond packet.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.3
• /
• pp.625-633
• /
• 2018

Realm is an open source database developed to replace SQLite, which is commonly used in mobile devices. The data stored in the database must be checked during the digital forensic analysis process for mobile devices because it can help to understand the behavior of the user and whether the mobile device is operating or not. In addition, since the user can intentionally use anti-forensic techniques such as deleting data stored in the database, research on how to recover deleted records is needed. In this paper, we propose a method to recover records that have not been overwritten after deletion based on the analysis of the structure and record and deletion process of the Realm database file.

• Journal of Advanced Navigation Technology
• /
• v.18 no.5
• /
• pp.494-500
• /
• 2014

Recently the leak of personal information from in-house and contract-managed companies has been continually increasing, which leads a regular observation on outsourcing companies that perform the personal information management system to prevent dangers from the leakage, stolen and loss of personal information. However, analyzing many numbers of computers in limited time has found few difficulties in some circumstances-such as outsourcing companies that own computers that have personal information system or task continuities that being related to company's profits. For the reason, it is necessary to select an object of examination through identifying a high-risk of personal data leak. In this paper, this study will formulate a proposal for the selection of high-risk subjects, which is based on the user interface, by digital forensic. The study designs the integrated analysis tool and demonstrates the effects of the tool through the test results.