• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.1
• /
• pp.111-122
• /
• 2018

Using OAuth protocol, third-party applications on the Android operating system use user's credentials or access tokens that have access authority on user's resources to gain user's account and personal information from account information providers. These credentials and token information are stored in the device by the OAuth data management method provided by the Android operating system. If this information is leaked, the attacker can use the leaked credential and token data to get user's personal data without login. This feature enables the digital forensic investigator to collect data directly from the remote server of the services used by the target of investigation in terms of collecting evidence data. Evidence data collected at a remote location can be a basis for secondary warranties and provide evidence which can be very important evidence when an attacker attempts to destroy evidence, such as the removal of an application from an Android device. In this paper, we analyze the management status of OAuth tokens in various Android operating system and device environment, and show how to collect data of various third party applications using it. This paper introduces a method of expanding the scope of data acquisition by collecting remote data of the services used by the subject of investigation from the viewpoint of digital forensics.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.6A
• /
• pp.163-177
• /
• 2008

As many companies are considering to use server virtualization technology to reduce cost, the crime rates in virtual server environment are expected to be increasing rapidly. The server virtualization solution has a basic function to produce virtual machine images without using any other disk imaging tools, so that investigating virtual servers are more efficient because the investigator only has to collect the virtual machine image and submit it to the court. However, the virtual machine image has no admissibility to be the legal evidence because of security, authenticity, procedural problems in collecting virtual machine images on virtual servers. In this research, we are going to provide requirements to satisfy security, authenticity and chain of custody conditions for the admissibility of the virtual machine image in server virtualization environment. Additionally, we suggest definite roles and driving plans for related organizations to produce virtual machine image as a admissible evidence.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.4
• /
• pp.827-839
• /
• 2012

A cell phone is very close to the user and therefore should be considered in digital forensic investigation. Recently, the proportion of smartphone owners is increasing dramatically. Unlike the feature phone, users can utilize various mobile application in smartphone because it has high-performance operating system (e.g., Android, iOS). As acquisition and analysis of user data in smartphone are more important in digital forensic purposes, smartphone forensics has been studied actively. There are two way to do smartphone forensics. The first way is to extract user's data using the backup and debugging function of smartphones. The second way is to get root permission, and acquire the image of flash memory. And then, it is possible to reconstruct the filesystem, such as YAFFS, EXT, RFS, HFS+ and analyze it. However, this methods are not suitable to recovery and analyze deleted data from smartphones. This paper introduces analysis techniques for fragmented flash memory pages in smartphones. Especially, this paper demonstrates analysis techniques on the image that reconstruction of filesystem is impossible because the spare area of flash memory pages does not exist and the pages in unallocated area of filesystem.

• Journal of Korean Society of Archives and Records Management
• /
• v.16 no.1
• /
• pp.89-120
• /
• 2016

This study aims to understand the concept and changes of the records management of InterPARES based on the analysis of background, main research interests, and major achievements of IP3 and ITrust. To this end, this study conducted a content analysis of IP3 and ITrust to drive main keywords. This study also utilized word clouds from IP project titles. In addition, a comparative analysis of IP3 and ITrust was conducted based on the environment, scope, core research areas, keywords, objectives, and record management life cycle perspectives. The research identified that InterPARES research was widely expanding the content and subject areas of the study: 1) to apply across the life cycle, as well as long-term preservation; 2) to focus on the concept of trust as well as the concept of authenticity; and 3) to include the concept of the Internet, digital forensics, and the open government along with electronic records.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.5
• /
• pp.1059-1065
• /
• 2015

Hard disk passwords are commonly not well known. If the passwords are set, forensic investigators are not allowed to access data on hard disks, so they can be used to obstruct investigations. Expensive tools such as PC-3000 are necessary for unlocking such hard disk passwords. But it would be a burden on both organizations that should pay for these tools and forensic investigators that are unfamiliar with these tools. This paper discusses knowledge required for unlocking hard disk passwords and proposes methods for unlocking the passwords without high-priced tools. And with a vendor-specific method, this paper provides procedures for acquiring passwords and unlocking hard disk drives.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.1
• /
• pp.39-48
• /
• 2015

As a growing number of people are concerned about the protection of personal information, the use of encryption solution has been increased. In addition, with the end of support for Windows XP and the improvement of operating system, the use of the Full Disk Encryption solution like Bitlocker will be increased. Therefore, it is necessary to consider countermeasures against Full Disk Encryption for the future digital forensic investigation. This paper provides the digital evidence acquisition procedure that responds to the Full Disk Encryption environment and introduces the countermeasures and detection tool against Full Disk Encryption solutions that are widely used.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.2
• /
• pp.193-201
• /
• 2013

Sharing copyrighted files without copyright holder's permission is illegal. But, a number of illegal file sharers using BitTorrent increase. However, it is difficult to find appropriate digital evidences and legal basis to punish them. And, there are no framework for digital investigation of illegal sharing using BitTorrent. Additionally, role of server in BitTorrent had been reduced than server in conventional P2P. So, It is difficult to apply investigation framework for illegal sharing using conventional P2P to investigation process of illegal sharing using BitTorrent. This paper proposes the methodology about punishing illegal sharer using BitTorrent by suggesting the digital investigation framework.

• Journal of Korea Society of Industrial Information Systems
• /
• v.17 no.7
• /
• pp.95-100
• /
• 2012

Currently, crimes are becoming increasingly dense, the technique is also very tricky. Pickpocket, the theft of crime, is occurred at the most crowded or congested places. However, nowadays occurs more commonly at the rare and secluded place in the human. In this paper, we investigate the techniques and types of pickpockets. And realistically to submit classified video, to standing, sitting, and lying to the classification. Target for pickpockets, we classify it to submit a video forensic evidence. This paper will be needed in order to prevent and cope with pickpockets crimes.

• The Journal of the Korea Contents Association
• /
• v.7 no.2
• /
• pp.180-190
• /
• 2007

Recently investigation institutions have found the clue leading to solution of the problem by digital evidence. Digital medium is used extensively in real life. Accordingly, offender is leaving from traces of crime to digital form. But, Korea's digital evidence investigation is low level yet. Definite legislation about digital evidence is not readied in present our country. And professional investigation manpower about digital evidence is insufficient. These problem may have to be supplemented urgently. Systematic, technological supporting is required. Specialize and discussed digital evidence investigation's controversial point and capacity reinforcement way for efficient confrontation in cyber crime who is diversified gradually in text.

• The KIPS Transactions:PartC
• /
• v.16C no.5
• /
• pp.555-562
• /
• 2009

In malware accident investigation, the most important thing is detection of malicious code. Signature based anti-virus softwares have been used in most of the accident. Malware can easily avoid signature based detection by using packing or encryption method. Because of this, packed file detection is also important. Detection methods can be divided into signature based detection and entropy based detection. Signature based detection can not detect new packing. And entropy based detection has a problem with false positive. We provides detection method using entropy statistics of entry point section and 'write' properties of essential characteristic of packed file. And then, we show packing detection tool and evaluate its performance.