• Title/Summary/Keyword: forensic procedure (포렌식 절차)

Forensic Investigation Procedure for Real-time Synchronization Service (실시간 동기화 서비스에 대한 포렌식 조사 절차에 관한 연구)

  • Lee, Jeehee;Jung, Hyunji;Lee, Sangjin
    • Journal of the Korea Institute of Information Security & Cryptology / v.22 no.6 / pp.1363-1374 / 2012
  • The number and use of Internet-connected devices has increased dramatically in the last several years. Consequently, services that synchronize data in real time, such as mail, calendar and storage services, are also increasing. These services provide convenience to users. However, after devices are seized, the data on them could still change because of the real-time synchronization, which can make a digital investigation difficult. This work investigates the traces left on each local device and proposes a method for preserving real-time synchronized data. Based on these, we propose investigation procedures for real-time synchronization data.

Recovering Files Deleted by Data Wipe on NAND Flash Memory (NAND 플래시 메모리 상에서 데이터 와이프에 의한 삭제 파일 복구 기법)

  • Lim, Yoon-Bin;Shin, Myung-Sub;Park, Dong-Joo
    • Proceedings of the Korean Information Science Society Conference / 2011.06c / pp.77-79 / 2011
  • Recently, as flash memory has come into wide use as the storage medium of digital devices, important evidence or clues related to crimes are increasingly stored inside such devices. Because data stored in flash memory may be useful to a digital forensic investigation, wiping tools are used to permanently delete the stored data. Since flash memory cannot be overwritten in place, previous data remains even after wiping. Recovering that previous data is difficult with existing hard-disk-based recovery techniques, and recently studied flash memory recovery techniques have the problem of depending heavily on metadata. Therefore, a different approach that supplements existing flash memory recovery techniques by exploiting the characteristics of flash memory is needed. This paper proposes a technique that searches flash memory for files deleted by a data wipe and recovers the files after a verification step.

A Study Of /proc/kcore For Detection Against Remote Execute Attack (Remote Execute 공격 탐지를 위한 /proc/kcore에 대한 연구)

  • 박재홍;황성철;강흥식
    • Proceedings of the Korean Information Science Society Conference / 2004.10a / pp.337-339 / 2004
  • Today, the field of computer security not only studies theoretical methods of protecting systems; it also analyzes the intrusion process on already compromised systems and, based on that analysis, remedies weaknesses and looks for new protection methods. This process is carried out through what is called computer forensics on the compromised system. Computer forensics uses a variety of methods, from log analysis to packet analysis. Recently, a Remote Execute attack method that bypasses computer forensics has been discovered; this attack carries the risk of rendering many existing forensic procedures ineffective. This paper demonstrates that risk through Remote Execute attack experiments and proposes countermeasures. The /proc/kcore analysis and backup mechanism proposed in this paper makes computer forensics possible against Remote Execute attacks.

A study on an investigation procedure of digital forensics for VMware Workstation's virtual machine and a method for a corrupted image recovery (VMware Workstation 가상 머신 이미지에 대한 디지털 포렌식 조사 절차 및 손상된 이미지 복구 방안)

  • Lim, Sung-Su;Yoo, Byeong-Yeong;Park, Jung-Heum;Byun, Keun-Duck;Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.21 no.2 / pp.61-70 / 2011
  • Virtualization is a technology that uses a logical environment to overcome the physical limitations of hardware. As part of cost savings and green IT policies, businesses have recently tended to increase their adoption of virtualization. Desktop virtualization in particular is one of the most widely used technologies at present, because it makes it possible to efficiently run various types of operating systems on a single physical computer. A virtual machine image, which is a key component of virtualization, is difficult to investigate because its structure differs from that of a hard disk image. Therefore, research on an appropriate investigation procedure and method based on a technical understanding of virtual machines is needed. In this research, we suggest a procedure for investigating a virtual machine image and a method for recovering a corrupted image of VMware Workstation, which has the largest number of users.

Ensuring the Admissibility of Mobile Forensic Evidence in Digital Investigation (모바일 포렌식 증거능력 확보 방안 연구)

  • Eo, Soowoong;Jo, Wooyeon;Lee, Seokjun;Shon, Taeshik
    • Journal of the Korea Institute of Information Security & Cryptology / v.26 no.1 / pp.135-152 / 2016
  • Because of the evolution of mobile devices such as smartphones, the necessity of mobile forensics is increasing. In spite of this necessity, mobile forensics does not fully reflect the characteristics of the mobile device. For this reason, this paper analyzes the legal, institutional, and technical considerations needed to identify the problems facing mobile forensics. Through this analysis, this study discusses the limits of screening seizure on the mobile device. It also analyzes and verifies mobile forensic data acquisition methods and tools for ensuring the admissibility of mobile forensic evidence in digital investigation.

A New Investigation Methodology of Marine Casualties and Incidents using Digital Forensic Techniques (디지털 포렌식 기법을 이용한 해양사고 조사 방법론)

  • Baek, Myeong-Hun;Lee, Sangjin
    • Journal of the Korea Institute of Information Security & Cryptology / v.23 no.3 / pp.515-530 / 2013
  • The results of investigations into marine incidents have become an important basis for determining not only the possible causes, but also the extent of negligence between the perpetrator and the victim. However, marine incidents occur under special circumstances, i.e., the marine environment, which leads to difficulties in identifying causes due to problems in scene preservation, reenactment and the acquisition of witnesses. Given this characteristic of marine incidents, the International Convention for the Safety of Life at Sea (SOLAS) has adopted mandatory regulations on the carriage of Voyage Data Recorders (VDRs) and Automatic Identification Systems (AIS) for ships of a certain gross tonnage and upwards, so as to reflect recent developments in radio communication and marine technology. Adopted to provide an international standard for investigations and to promote cooperation, the Code of the International Standards and Recommended Practices for a Safety Investigation into a Marine Casualty or Marine Incident (Casualty Investigation Code) recommends that member states build capacity for the analysis of VDR data. Against this backdrop, this paper presents methods for efficient investigation of the causes behind marine incidents based on analysis of VDR data, the VDR serving as the black box of the ship, together with digital forensic techniques.

A Study of Method to Restore Deduplicated Files in Windows Server 2012 (윈도우 서버 2012에서 데이터 중복 제거 기능이 적용된 파일의 복원 방법에 관한 연구)

  • Son, Gwancheol;Han, Jaehyeok;Lee, Sangjin
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.6 / pp.1373-1383 / 2017
  • Deduplication is a function for managing data effectively and improving the efficiency of storage space. When deduplication is applied to a system, storage space is used efficiently by dividing each stored file into chunks and storing only the unique chunks. However, commercial digital forensic tools do not support analysis of this file system, and the original files extracted by such tools cannot be executed or opened. Therefore, in this paper, we analyze the process by which a Windows Server 2012 system with deduplication enabled generates chunks of data, and the structure of the resulting file (Chunk Storage). We also analyze the case where chunks are compressed, which was not covered in the previous study. Based on these results, we propose a method to collect deduplicated data and reconstruct the original file for digital forensic investigation.

Development and Application of Tumblr's API Permalink Automatic Extractor - Focusing on the Prevention of Secondary Damage in the Unauthorized Video - (텀블러의 API 퍼머링크(Permalink) 자동추출기 개발 및 활용방안 - 비동의 영상물 2차 피해방지 방안을 중심으로 -)

  • Oh, Wan Gyun;Jeong, Dae Yong
    • Journal of Digital Forensics / v.12 no.3 / pp.71-82 / 2018
  • Using small cameras such as smartphones, criminals secretly film in public restrooms and women's changing rooms, and revenge porn is also increasing. As a result, social damage is increasing. Tumblr is an overseas service, and it is very difficult to work with Tumblr on international legal cooperation and deletions. Thus, in order to block the distribution of such videos, victims must find and report the video URLs themselves, but it is hard for victims who lack IT expertise to carry out that procedure. In this study, we automatically collect the URLs of the stored content and the hash values of the images from the API permalink of a Tumblr blog. The result is then saved as a document file and presented to the victim. Through these technical methods, we can help victims report violations easily and quickly.

Process of Collection for a Removable Storage Device Image Using a Software (소프트웨어를 이용한 이동식 저장매체 이미지 수집 절차)

  • Baek, Hyun Woo;Jeon, Sang Jun;Lee, Sang Jin
    • KIPS Transactions on Computer and Communication Systems / v.6 no.1 / pp.17-24 / 2017
  • As removable storage devices have become prevalent, critical intelligence is often stored on them. For that reason, in a seizure and search the removable device has become an important piece of evidence, since it may hold a salient key for proving a crime. When we acquire a removable device as proof, we image it with an imaging device or with software behind a write blocker. However, these are high-priced dedicated pieces of equipment, and sometimes they can be out of order. In addition, we found that some secure USB devices and USB devices with built-in antivirus ("vaccine") software fail to connect to the imaging device. Therefore, in this paper, we provide a digital evidence collection procedure suited to real-world cases.

A Study on Hard Disk Drive ATA Passwords (하드디스크 드라이브 ATA 패스워드에 관한 연구)

  • Lee, Ju-young;Lee, Sang-jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.25 no.5 / pp.1059-1065 / 2015
  • Hard disk passwords are generally not well known. If such a password is set, forensic investigators cannot access the data on the hard disk, so these passwords can be used to obstruct investigations. Expensive tools such as PC-3000 are necessary for unlocking such hard disk passwords, but they are a burden both on the organizations that must pay for them and on forensic investigators who are unfamiliar with them. This paper discusses the knowledge required for unlocking hard disk passwords and proposes methods for unlocking the passwords without high-priced tools. Using a vendor-specific method, this paper also provides procedures for acquiring the passwords and unlocking hard disk drives.