• Journal of Internet Computing and Services
• /
• v.23 no.2
• /
• pp.61-70
• /
• 2022

General users who use smartphone apps often use the Vault app to protect personal information such as photos and videos owned by individuals. However, there are increasing cases of criminals using the Vault app function for anti-forensic purposes to hide illegal videos. These apps are one of the apps registered on Google Play. This paper proposes a methodology for extracting feature points through XML-based keyword frequency analysis to explore Vault apps used by criminals, and text mining techniques are applied to extract feature points. In this paper, XML syntax was compared and analyzed using strings.xml files included in the app for 15 hidden Vault anti-forensics apps and non-hidden Vault apps, respectively. In hidden Vault anti-forensics apps, more hidden-related words are found at a higher frequency in the first and second rounds of terminology processing. Unlike most conventional methods of static analysis of APK files from an engineering point of view, this paper is meaningful in that it approached from a humanities and sociological point of view to find a feature of classifying anti-forensics apps. In conclusion, applying text mining techniques through XML parsing can be used as basic data for exploring hidden Vault anti-forensics apps.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.10 no.1
• /
• pp.95-102
• /
• 2015

Smartphone is very useful for use in the real world, but it has been exposed to a lot of crime by smartphone. Also, it occurs attempting to delete a data of smartphone memory by anti-forensic tools. In this paper, we implement an anti-forensic tool used in the Android. In addition, tests to validate the availability of the anti-forensic tool by the Oxygen Forensic Suite that is a commercial forensic tool.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2021.05a
• /
• pp.111-113
• /
• 2021

USB storage devices, which are represented by removable storage media, are widely used even nowadays when cloud services are common. However, since they are cases where hidden areas are created and exploited in USB storage devices. This research is needed to detect and analyze them from an Anti-forensic point of view. In this paper, we analyze a program that can be exploited as Anti-forensic because it can create a hidden partition and store files there, and the file system created by it from a digital forensic point of view.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.1
• /
• pp.135-144
• /
• 2014

Since anti-forensics have been developed in order to avoid digital forensic investigation, the forensic methods for analyzing anti-forensic behaviors have been studied in various aspects. Among the factors for user activity analysis, "Iconcache.db" files, which have the icon information of applications, provides meaningful information for digital forensic investigation. This paper illustrates the features of IconCache.db files and suggests the countermeasures against anti-forensics utilizing them.

• International Journal of Internet, Broadcasting and Communication
• /
• v.8 no.3
• /
• pp.31-40
• /
• 2016

In this paper, we propose a new anti-forensic method for hiding data in the timestamp of a file in the Windows NTFS filesystem. The main idea of the proposed method is to utilize the 16 least significant bits of the 64 bits in the timestamps. The 64-bit timestamp format represents a number of 100-nanosecond intervals, which are small enough to appear in less than a second, and are not commonly displayed with full precision in the Windows Explorer window or the file browsers of forensic tools. This allows them to be manipulated for other purposes. Every file has $STANDARD_INFORMATION and $FILE_NAME attributes, and each attribute has four timestamps respectively, so we can use 16 bytes to hide data. Without any changes in an original timestamp of "year-month-day hour:min:sec" format, we intentionally put manipulated data into the 16 least significant bits, making the existence of the hidden data in the timestamps difficult to uncover or detect. We demonstrated the applicability and feasibility of the proposed method with a test case.

• International Journal of Internet, Broadcasting and Communication
• /
• v.9 no.3
• /
• pp.17-26
• /
• 2017

An anti-forensic data hiding method in an NTFS index record is a method designed for anti-forensics, which records data as a file name in index entries and thereafter the index entries are made to remain in the intentionally generated slack area in a 4KB-sized index record[7]. In this paper, we propose a maximum data allocation rule for an anti-forensic data hiding method in an NTFS index record; i.e., a computational method for storing optimal data to hide data in an index record of NTFS is developed and the optimal solution is obtained by applying the method. We confirm that the result of analyzing the case where the number of index entries n = 7 is the maximum case, and show the screen captures of index entries as experimental results.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2021.07a
• /
• pp.215-218
• /
• 2021

심캐시(Shimcache, AppCompatCache) 파일은 Windows 운영체제에서 응용 어플리케이션 간의 운영체제 버전 호환성 이슈를 관리하는 파일이다. 호환성 문제가 발생한 응용 어플리케이션에 대한 정보가 심캐시에 기록되며 프리패치 (Prefetch) 파일이나 레지스트리의 UserAssist 키 등과 같이 응용 어플리케이션의 실행 흔적을 기록한다는 점에서 포렌식적 관점에서 중요한 아티팩트이다. 본 논문에서는 심캐시의 구조를 분석하여 심캐시 파일을 통해 얻을 수 있는 응용 어플리케이션의 정보를 소개하고, 기존 툴 상용도구의 개선을 통해 완전 삭제 등 안티 포렌식 도구의 실행 흔적을 탐지하는 방법을 제시한다.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.8 no.6
• /
• pp.855-861
• /
• 2013

Smartphone is very useful for use in the real life through the improvement of computing power, faster data rate and the variety of applications. On the other hand, using the smartphone has been exposed to a lot of crime. Also, it occurs attempting to delete a data of smartphone memory by anti-forensic tools. In this paper, we investigate and analyze the anti-forensic tools used in the Android smartphone to study the characteristics and techniques of anti-forensic tools. In addition, experiments are performed to validate the availability of anti-forensic tools by the Oxygen Forensic Suite that is a commercial forensic tool.

• The Korean Journal of Legal Medicine
• /
• v.39 no.4
• /
• pp.115-119
• /
• 2015

We investigated event-related potentials (ERPs) to estimate the accuracy of eyewitness memories. Participants watched videos of vehicles being driven dangerously, from an anti-impaired driving initiative. The four-letter license plates of the vehicles were the target stimuli. Random numbers were presented while participants attempted to identify the license plate letters, and electroencephalograms were recorded. There was a significant difference in activity 300-500 milliseconds after stimulus onset, between target stimuli and random numbers. This finding contributes to establishing an eyewitness recognition model where different ERP components may reflect more explicit memory that is dissociable from recollection.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.11 no.4
• /
• pp.69-79
• /
• 2015

This research proposes a modified data hiding method to hide data in a slack space of an NTFS index record. The existing data hiding method is for anti-forensics, which uses traces of file names of an index entry in an index record when files are deleted in a direcotry. The proposed method in this paper modifies the existing method to make non-admittable ASCII characters for a file name applicable. By improving the existing method, problems of a file creation error due to non-admittable characters are remedied; including the non-admittable 9 characters (i. e. slash /, colon :, greater than >, less than <, question mark ?, back slash ${\backslash}$, vertical bar |, semi-colon ;, esterisk * ), reserved file names(i. e. CON, PRN, AUX, NUL, COM1~COM9, LPT1~LPT9) and two non-admittable characters for an ending character of the file name(i. e. space and dot). Two results of the two message with non-admittable ASCII characters by keyboard inputs show the applicability of the proposed method.