• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.3
• /
• pp.515-530
• /
• 2013

The results of investigations into marine incidents have become an important basis in determining not only possible causes, but also the extent of negligence between the perpetrator and victim. However, marine incidents occur under special circumstances i.e. the marine environment, and this leads to difficulties in identifying causes due to problems in scene preservation, reenactment and acquisition of witnesses. Given the aforementioned characteristic of marine incidents, the International Convention for the Safety of Life at Sea (SOLAS) has adopted mandatory regulations on the carriage of Voyage Data Recorders (VDRs) and Automatic Identification Systems (AIS) for ships of a certain gross tonnage and upwards, so as to reflect recent developments in radio communication and marine technology. Adopted to provide an international standard for investigations and to promote cooperation, the Code of the International Standards and Recommended Practices for a Safety Investigation into a Marine Casualty or Marine Incident (Casualty Investigation Code) recommends member states to build capacity for analysis of VDR data. Against this backdrop, this paper presents methods for efficient investigations into the causes behind marine incidents based on data analysis of VDR, which serves as the black box of ships, as well as digital forensic techniques.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.3
• /
• pp.487-498
• /
• 2023

Security incidents using vulnerabilities in cloud services occur, but it is difficult to collect and analyze traces of incidents in cloud environments with complex and diverse service models. As a result, the importance of cloud forensics research has emerged, and infringement response scenarios must be designed from the perspective of cloud service users (CSUs) and cloud service providers (CSPs) based on representative security threat cases in the public cloud service model. This simulated hacking-based proactive cloud infringement response framework can be used to respond to the cloud service critical resource attack process from the viewpoint of vulnerability detection before cyberattacks occur on the cloud, and can also be expected for data acquisition. Therefore, in this paper, we propose a framework for preventive cloud infringement based on simulated hacking by analyzing and utilizing Cloudfox, a cloud penetration test tool.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.16 no.3
• /
• pp.21-28
• /
• 2016

File Time information has a significant meaning in digital forensic investigation. File time information in Linux Ext4 (Extended File System 4) environment is the Access Time, Modification Time, Inode Change Time, Deletion Time and Creation Time. File time is variously changed by user manipulations such as creation, copy and edit. And, the study of file time change is necessary for evidence analysis. This study analyzes the change in time information of files or folders resulting from user manipulations in Linux operating system and analyzes ways to determine real time of malware infection and whether the file was modulation.

• Journal of Korea Multimedia Society
• /
• v.12 no.10
• /
• pp.1450-1456
• /
• 2009

By the explosive growth of IT technologies, mobile phones have embedded a lot of functions and everyone can use them with facility. But there are various cybercrimes as invasions of one's privacy or thefts of company's sensitive information using a built-in digital camera function in a mobile phone. In this paper, we propose a scheme for analyzing evidences by digital pictures on mobile phones. Therefore we analyze the features of digital pictures on mobile phones and make databases of characteristic patterns based on the vendor and the model of mobile phone. The proposed scheme will help to acquire digital evidences by providing a better decision of the vendor and/or the model of mobile phone by cybercrime suspects.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.3
• /
• pp.79-91
• /
• 2010

In digital forensics, the creation time, last modified time, and last accessed time of a file or folder are important factors that can indicate events that have affected a computer system. The form of the time information varies with the file system, depending on the user's actions such as copy, transfer, or network transport of files. Specific changes of the time information may be of considerable help in analyzing the user's actions in the computer system. This paper analyzes changes in the time information of files and folders for different operations of the NTFS and attempts to reconstruct the user's actions.

• Proceedings of the Korean Society of Broadcast Engineers Conference
• /
• 2008.02a
• /
• pp.187-190
• /
• 2008

디지털 영상기기의 발달과 함께 디지털 영상은 우리의 생활의 일부가 되었다. 이러한 디지털 영상이 생활의 일부가 되면서 범죄자들은 범죄현장의 흔적을 디지털 영상으로 저장하기도 하며, 디지털 영상으로 저장된 CCTV를 통하여 범죄의 현장을 재현하기도 한다[5][6]. 이러한 디지털 영상은 사건을 해결하는데 중요한 역할을 하기에 사건을 수사하는데 있어 수집하여야 할 중요한 대상중의 하나이다. 이러한 디지털 영상은 하나의 분석대상에 다수의 파일로 존재할 수 있으며, 이러한 다수의 디지털 영상 속에서 사건 해결에 도움을 줄 수 있는 중요한 영상을 구분하기 위해서는 많은 시간과 인력이 필요하다. 따라서 다수의 영상 증거물을 디지털 영상 포렌식의 한 분야인 디지털 영상 분류기법을 통하여 수사의 편리함과 정확성을 향상시켜야 할 필요가 있다. 하지만 디지털 영상의 수사를 돕기 위한 디지털 영상의 분류기법은 디지털 영상 포렌식의 영역 중에서 연구가 이루어져 있지 않은 영역중의 하나이며, 연구가 진행되고 있는 방식도 국내가 아닌 국외의 법과 수사 환경을 중심으로 연구되어지고 있다. 따라서 국내의 법과 수사 환경에 적용할 수 있는 디지털 영상 분류기법에 대하여 연구할 필요성이 있다. 이에 대해 본 논문에서는 디지털 영상 포렌식 중 하나의 분야인 디지털 영상 분류기법의 연구현황을 확인하며, 디지털 영상 분류기법의 필요성에 대하여 설명하도록 하겠다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2014.11a
• /
• pp.460-463
• /
• 2014

클라우드 컴퓨팅의 많은 장점에도 불구하고 클라우드 컴퓨팅은 보안이슈는 줄어들지 않으며, 특히 디지털 포렌식은 실질적인 기능을 수행하기에 미비한 실정이다. 최근, 다양한 사이버 범죄가 증가하면서 클라우드 컴퓨팅 환경은 사이버 범죄에 노출되어 있으며 악의적인 공격의 위험을 가지고 있다. 클라우드 포렌식은 자원이 가상공간에 존재할 수 있고, 증거 데이터가 물리적으로 분산되어 있기 때문에 기존의 포렌식 수사와는 다르게 접근해야 한다. 또한, 클라우드 기반 포렌식에서 획득 가능한 증거 데이터에 대한 정의가 되어 있지 않아서 증거 데이터를 수집하는데 어려움을 겪는다. 이에 본 논문에서는 오픈스택 플랫폼을 이용한 클라우드 환경을 구축하고, 클라우드 플랫폼 기반 포렌식을 위해 획득 가능한 로그 데이터에 대해 정리하고, 실제 획득 가능한 로그를 수집 및 분석하고, 클라우드 컴퓨팅 플랫폼기반 포렌식의 한계점과 해결방안을 알아본다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.1
• /
• pp.61-71
• /
• 2021

Instant messengers are a means of communication for modern people and can be used with smartphones and PCs respectively or connected with each other. Messengers, which provide various functions such as message, call, and file sharing, contain user behavior information regarded as important evidence in forensic investigation. However, it is difficult to analyze as well as acquire smartphone data because of the security of smartphones or apps. However, messenger data can be extracted through PC when the messenger is used on PC. In this paper, we obtained the credential data of Wire messenger in Windows 10, and showed that it is possible to log-in from another PC without authentication. In addition, we identified and classified major artifacts generated based on user behavior.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.5
• /
• pp.737-751
• /
• 2023

The importance of digital forensics in the cloud environment is increasing as businesses and individuals move their data from On-premise to the cloud. Cloud data can be stored on various devices, including mobile devices and desktops, and encompasses a variety of user behavior artifacts, such as information generated from linked accounts and cloud services. However, there are limitations in securing and analyzing digital evidence due to environmental constraints of the cloud, such as distributed storage of data and lack of artifact linkage. One solution to address this is archiving services, and Google's Takeout is prime example. In this paper, user behavior data is analyzed for cloud forensics based on archiving data and necessary items are selected from an investigation perspective. Additionally, we propose the process of analyzing selectively collected data based on time information and utilizing web-based visualization to meaningfully assess artifact associations and multi-behaviors. Through this, we aim to demonstrate the value of utilizing archiving data in response to the increasing significance of evidence collection for cloud data.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.4
• /
• pp.89-100
• /
• 2011

Physical memory analysis has been an issue on a field of live forensic analysis in digital forensics until now. It is very useful to make the result of analysis more reliable, because record of user behavior and data can be founded on physical memory although process is hided. But most memory analysis focuses on windows based system. Because the diversity of target system to be analyzed rises up, it is very important to analyze physical memory based on other OS, not Windows. Mac OS X, has second market share in Operating System, is operated by loading kernel image to physical memory area. In this paper, We propose a methodology for physical memory analysis on Mac OS X using symbol information in kernel image, and acquire a process information, mounted device information, kernel information, kernel extensions(eg. KEXT) and system call entry for detecting system call hooking. In additional to the methodology, we prove that physical memory analysis is very useful though experimental study.