• Title/Summary/Keyword: forensic environment analysis

On Artifact Analysis for User Behaviors in Collaboration Tools - Using differential forensics for distinct operating environments

  • Kim, Young-hoon; Kwon, Tae-kyoung
    • Journal of the Korea Institute of Information Security & Cryptology / v.31 no.3 / pp.353-363 / 2021
  • As the Untact era is rapidly changing, collaboration tools are increasing their utilization and value as digital technologies for non-face-to-face work. While instant messenger-based collaboration tools support a variety of functions, crime and accident concerns are also increasing in proportion to their convenience, such as information leakage and security incidents. Meanwhile, the digital forensics perspective on collaborative tools is not enough, so forensics research is needed. This study analyzes significant artifacts in the two operating environments through Windows and Android forensics research on Microsoft Teams, the collaboration tool with the highest share in the world. Also, based on differences in artifacts and data attributes according to the operating environment, by applying 'differential forensic', we proved that the usefulness of evidence can be improved by presenting a complementary analysis method and timeline configuration through information linkage.

Metaverse Artifact Analysis through the Roblox Platform Forensics

  • Yiseul Choi; Jeongeun Cho; Eunbeen Lee; Hakkyong Kim; Seongmin Kim
    • Convergence Security Journal / v.23 no.3 / pp.37-47 / 2023
  • The growth of the metaverse has been accelerated by the increased demand for non-face-to-face interactions due to COVID-19 and advancements in technologies such as blockchain and NFTs. However, with the emergence of various metaverse platforms and the corresponding rise in users, criminal cases such as ransomware attacks, copyright infringements, and sexual offenses have occurred within the metaverse. Consequently, the need for artifacts that can be utilized as digital evidence within metaverse systems has increased. However, there is a lack of information about artifacts that can be used as digital evidence. Furthermore, metaverse security evaluation and forensic analysis are also insufficient, and the absence of attack scenarios and related guidelines makes forensics challenging. To address these issues, this paper presents artifacts that can be used for user behavior analysis and timeline analysis through dynamic analysis of Roblox, a representative metaverse gaming solution. Based on analyzing the interrelationship between identified artifacts through memory forensics and log file analysis, this paper suggests the potential usability of artifacts in metaverse crime scenarios. Moreover, it proposes improvements by analyzing the current legal and regulatory aspects to address institutional deficiencies.

Research of organized data extraction method for digital investigation in relational database system

  • Lee, Dong-Chan; Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.22 no.3 / pp.565-573 / 2012
  • To investigate business corruption, the obtainment of business data such as personnel, manufacture, accounting and distribution, etc., is absolutely necessary. Furthermore, the investigator should have a systematic extraction solution for the business data of the enterprise database, because most companies manage each business data through a distributed database system. In the general business environment, the database exists in the system with an upper layer application and a big size file server. Besides, original resource data which are input by the user are distributed and stored in one or more tables following the normalized rule. The earlier researches of the database structure analysis mainly handled the table relation for database optimization and visualization. But, from the point of view of digital forensics, analysis of the data itself is more important than the table relation. This paper suggests an extraction technique from the table relation which is already defined in the database. Moreover, by a systematic analysis process based on domain knowledge, it analyzes the original business data structure stored in the database and proposes a solution to extract tables which are related to the incident.

Digital Forensics Framework for Cloud Computing

  • Lee, Chang-Hoon
    • Journal of Advanced Navigation Technology / v.17 no.1 / pp.63-68 / 2013
  • Recently, companies seek a way to overcome their financial crisis by reducing costs in the field of IT. In such a circumstance, cloud computing is rapidly emerging as an optimal solution to the crisis. Even in a digital forensic investigation, whether users of an investigated system have used a cloud service is a very important factor in selecting additional investigated subjects. When a user has used cloud services, such as Daum Cloud and Google Docs, it is possible to connect to the cloud service from a remote place by acquiring the user's log-in information. In such a case, evidence data should be collected from the remote place for an efficient digital forensic investigation, and it is needed to conduct research on the collection and analysis of data from various kinds of cloud services. Thus, this study suggested a digital forensic framework considering cloud environments by investigating collection and analysis techniques for each cloud service.

Computer Security Incident Inspection and Response based on Digital Forensics in Windows10 environment

  • HyunWoo Kim; Taeshik Shon
    • Journal of Platform Technology / v.11 no.4 / pp.35-49 / 2023
  • Recently, real-time cyber threats are constantly occurring for various reasons. Most companies have the characteristic of digitizing important internal information and storing it centrally, so it can be said that the impact is very high when a Computer Security Incident occurs. All electronic device information collected and analyzed in the process of responding to a Computer Security Incident has the characteristic of being subject to change at any time. Submission of related evidence is required in future investigations and courts. At this time, the basic principles of digital forensics, such as the principle of integrity and the principle of chain of custody, must be followed to ensure legitimacy and accuracy of the evidence. In this paper, we propose a digital forensic-based Computer Security Incident Inspection and Response procedure in the Windows 10 environment to secure the legitimacy and accuracy of digital evidence collected and analyzed when an intrusion occurs, prevent intrusion in advance, and quickly recognize it.

A Study on the remote acquisition of HejHome Air Cloud artifacts

  • Kim, Ju-eun; Seo, Seung-hee; Cha, Hae-seong; Kim, Yeok; Lee, Chang-hoon
    • Journal of Internet Computing and Services / v.23 no.5 / pp.69-78 / 2022
  • As the use of Internet of Things (IoT) devices has expanded, digital forensics coverage of the National Police Agency has expanded to smart home areas. Accordingly, most of the existing studies conducted to acquire smart home platform data were mainly conducted to analyze local data of mobile devices and analyze network perspectives. However, meaningful data for evidence analysis is mainly stored on cloud storage on smart home platforms. Therefore, in this paper, we study how to acquire data stored in the cloud in a Hey Home Air environment by extracting the accessToken of user accounts through a cookie database of browsers such as Microsoft Edge, Google Chrome, Mozilla Firefox, and Opera, which are recorded on a PC when users use the Hey Home app-based "Hey Home Square" service. In this paper, it was configured with smart temperature and humidity sensors, smart door sensors, and smart motion sensors, and artifacts such as temperature and humidity data by date and place, device list used, and motion detection records were collected. Information such as temperature and humidity at the time of the incident can be seen from the results of the artifact analysis and can be used in the forensic investigation process. In addition, the cloud data acquisition method using OpenAPI proposed in this paper excludes the possibility of modulation during the data collection process and uses the API method, so it follows the principle of integrity and reproducibility, which are the principles of digital forensics.

Simplified Forensic Analysis Using List of Deleted Files in IoT Environment

  • Lim, Jeong-Hyeon; Lee, Keun-Ho
    • Journal of Internet of Things and Convergence / v.5 no.1 / pp.35-39 / 2019
  • With the rapid development of the information society, the use of digital devices has increased dramatically and the importance of technology for analyzing them has increased. Digital evidence is stored in many places such as Prefetch, Recent, Registry, and Event Log even if the user has deleted it. Therefore, there is a disadvantage that the forensic analyst cannot grasp the files used by the user at the beginning. Therefore, in this paper, we propose a method that the RemoveList folder exists so that the user can grasp the information of the deleted file first, and the information about the deleted file is automatically saved by using AES in RemoveList. Through this, it can be expected that the analyst can alleviate the difficulty of initially grasping the user's PC.

Artifacts Analysis of GoToWebinar and GoToMeeting

  • Soojin Kang; Giyoon Kim; Yangsun Lee
    • Journal of Platform Technology / v.11 no.1 / pp.11-22 / 2023
  • Various video conferencing and collaboration applications have emerged due to the global epidemic of new viral infections. In addition to real-time video conferencing, video conferencing applications provide features such as chat and file sharing on various platforms. Because various personal information is stored through functions such as chatting, file and screen sharing, these video conferencing applications are the major target of analysis from a digital forensic investigation. In the case of applications that provide cross-platform, the form of stored data is different depending on the platform. Therefore, to utilize data of video conferencing application for forensic investigation, preliminary research on artifacts stored by platform is required. In this paper, we used the video conferencing applications GoToWebinar and GoToMeeting and analyzed the artifacts generated. As a result, we list the main data from a digital forensic investigation. We identify data stored for each platform provided by GoToWebinar and GoToMeeting and organize artifacts that can estimate user behavior. Also, we classify the data that can be acquired according to the role and environment within the video conference.

A Study on the Design and Implementation of a Digital Evidence Collection Application on Windows based computer

  • Lee, SeungWon; Roh, YoungSup; Han, Changwoo
    • Journal of the Korea Institute of Information Security & Cryptology / v.23 no.1 / pp.57-67 / 2013
  • Lately, intrusive incidents (including system hacking, viruses, worms, homepage alterations, and data leaks) have not involved the distribution of a virus or worm, but have been designed to acquire private information or trade secrets. Because an attacker uses advanced intelligence and attack techniques that conceal and alter data in a computer, the collector cannot trace the digital evidence of the attack. In an initial incident response, the first responder deals with the suspect or crime scene data that needs investigative leads quickly, in accordance with forensic process methodology that provides the identification of digital evidence in a systematic approach. In order to provide an effective initial response to first responders, this paper analyzes the collection data such as user usage profiles, chronology timeline, and internet data according to CFFPM (computer forensics field triage process model), proceeds to design, and implements a collection application to deploy the client/server architecture on the Windows based computer.

Signal and Telegram Security Messenger Digital Forensic Analysis study in Android Environment

  • Jae-Min Kwon; Won-Hyung Park; Youn-sung Choi
    • Convergence Security Journal / v.23 no.3 / pp.13-20 / 2023
  • This study conducted a digital forensic analysis of Signal and Telegram, two secure messengers widely used in the Android environment. As mobile messengers currently play an important role in daily life, data management and security within these apps have become very important issues. Signal and Telegram, among others, are secure messengers that are highly reliable among users, and they safely protect users' personal information based on encryption technology. However, much research is still needed on how to analyze these encrypted data. In order to solve these problems, in this study, an in-depth analysis was conducted on the message encryption of Signal and Telegram and the database structure and encryption method in Android devices. In the case of Signal, we were able to successfully decrypt encrypted messages that are difficult to access from the outside due to complex algorithms and confirm the contents. In addition, the database structure of the two messenger apps was analyzed in detail and the information was organized into a folder structure and file format that could be used at any time. It is expected that more accurate and detailed digital forensic analysis will be possible in the future by applying more advanced technology and methodology based on the analyzed information. It is expected that this research will help increase understanding of secure messengers such as Signal and Telegram, which will open up possibilities for use in various aspects such as personal information protection and crime prevention.