• Title/Summary/Keyword: forensics research

A Study on the Usage of Investigation of Google Cloud Data (Smartphone user-oriented) (구글 클라우드 데이터의 수사활용 방안에 관한 연구 (스마트폰 사용자 중심))

  • Kim, Dongho;Lee, Sangjin
    • Journal of Digital Forensics / v.12 no.3 / pp.109-120 / 2018
  • The smartphone is the communication device most personal to its user; it holds a great deal of information about the user and communicates with other devices. Because of these characteristics, smartphone forensics is one of the most basic investigative methods in criminal investigations, and it has contributed to the settlement of many cases by providing clues. Recently, however, as protection of users' personal information has become a social issue, smartphones are designed to encrypt stored data and to wipe deleted data together with log data. So, what are the solutions? In this paper, I try to find the answer in the cloud data stored under the smartphone user's account. Cloud forensics should be approached as complementary to smartphone forensics rather than as a replacement for it. A great deal of data that can be meaningfully used in an investigation is stored in the cloud. The most representative data are users' online activity information, such as Internet usage, YouTube views and content purchase information, cloud services such as e-mail and cloud drives, and location information. These data may not look valuable on their own, but they hold important clues in various types of criminal investigations. In this paper, I propose a method to extract data from the Google cloud so that it can be used for investigation, and a way to utilize the extracted data in an investigation. I also explain the role of the extracted artifacts in actual investigative work through virtual cases and demonstrate their value.

Secure File Transfer Method and Forensic Readiness by converting file format in Network Segmentation Environment (망분리 환경에서 파일형식 변환을 통한 안전한 파일 전송 및 포렌식 준비도 구축 연구)

  • Han, Jaehyeok;Yoon, Youngin;Hur, Gimin;Lee, Jaeyeon;Choi, Jeongin;Hong, SeokJun;Lee, Sangjin
    • Journal of the Korea Institute of Information Security & Cryptology / v.29 no.4 / pp.859-866 / 2019
  • Cybersecurity attacks targeting specific users are rising in number, and even enterprises are trying to strengthen their cybersecurity. A network segmentation environment, in which the public network and the private network are separated, can block information coming from the outside; however, it cannot control outside information for the sake of business efficiency and productivity. Even if enterprises enhance their security policies and introduce a network segmentation system together with a solution incorporating CDR technology to remove unnecessary data contained in files, they are still exposed to security threats. Therefore, we suggest a system that uses file format conversion to transmit a secure file in the network separation environment. The secure file is converted from a document into an image file, reflecting the attack pattern of inserting malicious code into document files. Additionally, this paper proposes a system for this environment in which a document file can retain information for incident response, taking forensic readiness into consideration.

A Study on the Digital Forensics Artifacts Collection and Analysis of Browser Extension-Based Crypto Wallet (브라우저 익스텐션 기반 암호화폐 지갑의 디지털 포렌식 아티팩트 수집 및 분석 연구)

  • Ju-eun Kim;Seung-hee Seo;Beong-jin Seok;Heoyn-su Byun;Chang-hoon Lee
    • Journal of the Korea Institute of Information Security & Cryptology / v.33 no.3 / pp.471-485 / 2023
  • Recently, because blockchain by its nature guarantees users' anonymity, it is increasingly being exploited for crimes such as illegal transactions. However, cryptocurrency is protected in cryptocurrency wallets, making it difficult to recover criminal funds. Therefore, to track and retrieve cryptocurrency used in crime, this study acquires artifacts from the data and memory areas of a local PC, based on user behavior, for four browser extension wallets (Metamask, Binance, Phantom and Kaikas), and analyzes how to use them from a digital forensics perspective. As a result of the analysis, the type of wallet and cryptocurrency used by the suspect was confirmed through the API name obtained from the browser's cache data, and the URL and wallet address used for the remittance transaction were obtained. We also identified Client IDs in cookie data that could identify the devices used, and confirmed that the mnemonic code could be obtained from memory. Additionally, we propose an algorithm to measure the persistence of the obtainable mnemonic code and to automate its acquisition.

Agent-based Forensic Computing Management for Protection of Digital Contents (디지털 켄텐츠 보호를 위한 에이전트기반 포렌식 컴퓨팅 관리)

  • Hwang, Chul;Hwang, Dae-Joon
    • Proceedings of the Korean Information Science Society Conference / 2001.04a / pp.856-858 / 2001
  • Among the areas of intellectual property protection, the protection of digital works has recently been studied actively, and forensic science covers many fields such as fingerprint identification, dental identification and DNA. Within forensic science, the application of forensic computing is a new research topic. Much research is under way to preserve evidence concerning digital works, but active protection of digital works over the network is weak. What this paper aims to solve are the cases that cannot be resolved with current methods such as data extraction, exploitation, recovery, decryption, password defeat and mirror imaging, and the search for the decisive evidence (the smoking gun) in illegal copying carried out online on the Internet. Offline cases are also possible, and the analyzed results are provided online to lawyers/agents, corporations, insurance companies, law enforcement officers and others. The process is an active digital work protection management system: an agent dispatched from the server and assigned a mission tracks the illegal copying of the work, transmits the results to the server over the network at set intervals, and after analysis by mapping against legal provisions, the results are stored in the server's knowledge base to respond to user requests.

Analysis on Mobile Forensic of Smishing Hacking Incident (Smishing 사고에 대한 Mobile Forensic 분석)

  • Park, Dea-Woo
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2014.05a / pp.207-210 / 2014
  • Damage from smishing hacking attacks, which target smartphone users, has been increasing since 2013. Takeover of personal information and direct financial damage have occurred in connection with smishing hacking attacks. Monetary damage leading to Internet payment services (ISP) and secure payment systems has occurred in conjunction with smishing hacking attacks on smartphones. In this paper, I study and analyze in the laboratory examples of actual infringements by smishing hacking attacks. Case analysis and the practical principles and techniques of smishing hacking attacks are major security measures for preventing damage to secure payment systems. In this paper, I research how to make online payment through a smartphone safer and more convenient.

Improving the Efficiency of the EWF-file Imaging Time from a Cryptographic Perspective (암호학적 관점에서의 EWF 파일 이미징 효율성 개선 방안 연구)

  • Shin, Yonghak;Kim, Dowon;Lee, Changhoon;Kim, Jongsung
    • Journal of the Korea Institute of Information Security & Cryptology / v.26 no.4 / pp.911-919 / 2016
  • Compared to the past, current disk storage capacity has increased dramatically and extremely large amounts of data are transferred over the network every day. Although such development is expected to continue, there has been a lack of studies on improving the data-imaging time from the digital forensics point of view. In this paper, we first investigate the time spent on hash functions during data imaging and then propose a method for improving the efficiency of the EWF-file imaging time from a cryptographic perspective.

A Study on Reference Model and Security Requirements for Cloud Forensics (클라우드 포렌식을 위한 참조 모델과 보안 고려사항 연구)

  • Park, Jun Hak;Park, Jun Young;Huh, Eui Nam;Lee, Chul Woo;Kim, Byung Joon;Kim, Hyoung Chun
    • Proceedings of the Korea Information Processing Society Conference / 2017.11a / pp.271-274 / 2017
  • Along with the steadily increasing use of cloud services, security threats are also increasing and attack methods are diversifying. However, the measures and policies for responding to security incidents in cloud environments are still insufficient. Many solutions have been proposed through research on digital forensics for security incident response, but because virtualization technology is applied in cloud environments, proving the integrity of evidence collection and preservation with existing methods is difficult. In this paper, we address the roles required and the security considerations for post-incident response in a cloud environment where a cloud service user receives services from a provider, based on a reference model we propose for carrying out forensic procedures in the cloud environment.

Analysis of File Time Change by File Manipulation of Linux System (리눅스 시스템에서의 파일 조작에 따른 시간변화 분석)

  • Yoo, Byeongyeong
    • The Journal of the Institute of Internet, Broadcasting and Communication / v.16 no.3 / pp.21-28 / 2016
  • File time information has a significant meaning in digital forensic investigation. The file time information in the Linux Ext4 (Extended File System 4) environment consists of the Access Time, Modification Time, Inode Change Time, Deletion Time and Creation Time. File times are changed in various ways by user manipulations such as creation, copying and editing, so the study of file time changes is necessary for evidence analysis. This study analyzes the changes in the time information of files or folders resulting from user manipulations in the Linux operating system, and analyzes ways to determine the real time of a malware infection and whether a file was manipulated.

Developed Optimizing File Delete Detection Model (최적화된 디지털 증거 파일삭제 탐지 모델)

  • Kim, Yong-Ho;Yoo, Jae-Hyung;Kim, Kui-Nam J.
    • Convergence Security Journal / v.8 no.2 / pp.111-118 / 2008
  • Computer forensics has been used to verify a crime when an industrial secret information incident or a cyber crime occurred. However, these methods are simple analyses that cannot find the problem of deleted files. Therefore they cannot serve as trusted evidence in a court of law. We studied with a focus on the connectivity principle because it had never been tried before. In this paper, we developed an optimized detection model through systematized analysis of user-delete methods and operating-system-delete methods. The detection model has 3 cases: firstly, the case of deletion by a user; secondly, the case of deletion by an application; thirdly, the case of deletion by the operating system. The detection model guarantees optimized performance because it is used in the actual field.

A Study of Application Layer Traceback Through Intelligent SQL Query Analysis (지능형 SQL Query 분석을 통한 Application Layer 역추적 연구)

  • Baek, Jong-Il;Park, Dea-Woo
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2010.05a / pp.265-268 / 2010
  • Current traceback is difficult because of the development of bypass techniques such as proxies and IP bypass: tracing the real source IP is hard, and verifying it after IP traceback is also difficult. In this paper, an intelligent analysis of the elements of a SQL query, such as fields, columns and tables, together with their values, matching key values and the data used, is applied to analyze the source user's hit point values and trace the user's IP at the application layer, guided by the analysis of forensic evidence. This study, including forensic DB security, will contribute to the development of electronic trading.