• Journal of the Korea Society of Computer and Information
• /
• v.24 no.9
• /
• pp.51-58
• /
• 2019

Temporal analysis is very useful and important for digital forensics for reconstructing the timeline of digital events. Forgery of a file's timestamp can lead to inconsistencies in the overall temporal relationship, making it difficult to analyze the timeline in reconstructing actions or events and the results of the analysis might not be reliable. The purpose of the timestamp change is to hide the data in a steganographic way, and the other purpose is for anti-forensics. In both cases, the time stamp change tools are requested to use. In this paper, we propose a classification method based on the behavior of the timestamp change tools. The timestamp change tools are categorized three types according to patterns of the changed timestamps after using the tools. By analyzing the changed timestamps, it can be decided what kind of tool is used. And we show that the three types of the patterns are closely related to API functions which are used to develop the tools.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2019.07a
• /
• pp.391-392
• /
• 2019

본 논문에서는 타임스탬프의 위변조를 위한 안티포렌식의 도구로 사용되는 타임스탬프 변경도구들에 기능에 대하여 디지털 포렌식 관점에서 분석을 수행한다. 타임스탬프 변경도구들로써 수행할 수 있는 타임스탬프 변경작업의 범위와 특징을 찾아본다. NTFS파일시스템에서 사용하는 타임스탬프 변경도구들의 기능상의 분류는 그것들이 변경할 수 있는 타임스탬프 종류와 정밀도를 기준으로 정하고 그 도구들을 사용한 후에 기록된 타임스탬프의 특징들을 디지털 포렌식 관점에서 분석을 수행하기로 한다. 이 연구에서의 분류 형태 중 타입 I은 FileTouch.exe, SKTimeStamp, BulkFileChanger류의 도구들과 타입 II는 timestomp, 타입 III은 SetMACE로 분류하고 각 도구들을 사용한 후에 변경된 타임스탬프들의 특징을 살펴보기로 한다.

• Journal of information and communication convergence engineering
• /
• v.20 no.4
• /
• pp.280-287
• /
• 2022

Recently, the number of mobile ransomware types has increased. Moreover, the number of cases of damage caused by mobile ransomware is increasing. Representative damage cases include encrypting files on the victim's smart device or making them unusable, causing financial losses to the victim. This study classifies ransomware apps by analyzing several representative ransomware apps to identify trends in the malicious behavior of ransomware. We present a technique for recovering from the damage, from a digital forensic perspective, using reverse engineering ransomware apps to analyze vulnerabilities in malicious functions applied with various cryptographic technologies. Our study found that ransomware applications are largely divided into three types: locker, crypto, and hybrid. In addition, we presented a method for recovering the damage caused by each type of ransomware app using an actual case. This study is expected to help minimize the damage caused by ransomware apps and respond to new ransomware apps.

• International Journal of Internet, Broadcasting and Communication
• /
• v.14 no.3
• /
• pp.8-16
• /
• 2022

In this paper, we propose a method of reconstructing the file system to obtain digital forensics information from the APFS file system when meta information that can know the structure of the file system is deleted due to partial damage to the disk. This method is to reconstruct the tree structure of the file system by only retrieving the B-tree node where file/directory information is stored. This method is not a method of constructing nodes based on structural information such as Container Superblock (NXSB) and Volume Checkpoint Superblock (APSB), and B-tree root and leaf node information. The entire disk cluster is traversed to find scattered B-tree leaf nodes and to gather all the information in the file system to build information. It is a method of reconstructing a tree structure of a file/directory based on refined essential data by removing duplicate data. We demonstrate that the proposed method is valid through the results of applying the proposed method by generating numbers of user files and directories.

• International Journal of Internet, Broadcasting and Communication
• /
• v.14 no.1
• /
• pp.10-18
• /
• 2022

Since High Sierra, APFS has been used as the main file system. It is a well-established file system that has been used stably thus far. From the perspective of digital forensics, there are still many areas to be investigated. Apple File System Reference is provided to the apple developer site, but it is not satisfactory to fully analyze APFS. Researchers know more about the structure of APFS than before, but they have not yet fully analyzed its structure to a perfect level about it. In this paper, we develop APFS object identification tool for digital forensics. The most basic and essential object identification and analysis of the APFS filesystem will be conducted with the tool. The analysis in this study serves as the background for an analysis of the checkpoint operation principle and structure, including the more complex B-tree structure of APFS. There are several options for the developed tool, but the results of two use cases will be shown here. Based on the implemented tool, it is hoped that more functions will be added to make APFS a useful tool for faster and more accurate analyses.

• Journal of Platform Technology
• /
• v.11 no.4
• /
• pp.35-49
• /
• 2023

Recently, real-time cyber threats are constantly occurring for various reasons. Most companies have the characteristic of digitizing important internal information and storing it centrally, so it can be said that the impact is very high when an Computer Security Incident occurs. All electronic device information collected and analyzed in the process of responding to an Computer Security Incident has the characteristic of being subject to change at any time. Submission of related evidence is required in future investigations and courts. At this time, the basic principles of digital forensics, such as the principle of integrity and the principle of chain of custody, must be followed to ensure legitimacy and accuracy of the evidence. In this paper, we propose a digital forensic-based Computer Security Incident Inspection and Response procedure in the Windows 10 environment to secure the legitimacy and accuracy of digital evidence collected and analyzed when an intrusion occurs, prevent intrusion in advance, and quickly recognize it.

• Journal of Convergence for Information Technology
• /
• v.10 no.5
• /
• pp.23-29
• /
• 2020

These days, digital forensic technologies are being used frequently at crime scenes. There are various electronic devices at the scene of the crime, and digital forensic results of these devices are used as important evidence. In particular, the user's action and the time when the action took place are critical. But there are many limitations for use in real forensics analyses because of the short cycle in which user actions are recorded. This paper proposed an efficient method for recovering deleted user behavior records and applying them to forensics investigations, then the proposed method is compared with previous methods. Although there are difference in recovery result depending on the storage, the results have been identified that the amount of user history data is increased from a minimum of 6% to a maximum of 539% when recovered user behavior was utilized to forensics investigation.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.3
• /
• pp.165-176
• /
• 2011

In this paper, we examine the reliability verification procedure of evidence analysis tools for computer forensics and test the famous tools for their functional requirements using the verification items proposed by standard document, TIAK.KO-12.0112. Also, we carry out performance evaluation based on test results and suggest the way of performance improvement for evidence analysis tools. To achieve this, we first investigate functions that test subjects can perform, and then we set up a specific test plan and create evidence image files which contain the contents of a verification items. We finally verify and analyze the test results. In this process, we can discover some weaknesses of most of analysis tools, such as the restoration for deleted & fragmented files, the identification of the file format which is widely used in the country and the processing of the strings composed of Korean alphabet.

• Journal of the Korea Society of Computer and Information
• /
• v.27 no.10
• /
• pp.115-121
• /
• 2022

In this paper, we analyze trends in the use of mobile forensic technology, focusing on cases where mobile forensics are used, and we predict the development of future mobile forensics technology using linear regression used in future prediction models. For the current status and outlook analysis, we extracted a total of 8 variables by analyzing 1,397 domestic and foreign mobile forensics-related cases and newspaper articles. We analyzed the prospects for each variable using the year of occurrence as an independent variable, seven variables such as text (text message usage information), communication information (cell phone communication information), Internet usage information, messenger usage information, stored files, GPS, and others as dependent variables. As a result of the analysis, among various aspects of the use of mobile devices, the use of Internet usage information, messenger usage information, and data stored in mobile devices is expected to increase. Therefore, it is expected that continuous research on technologies that can effectively extract and analyze characteristic information of mobile devices such as file systems, the Internet, and messengers will be needed As mobile devices increase performance and utilization in the future and security technology.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.12 no.1
• /
• pp.467-473
• /
• 2011

The Network-packet in this Paper to ensure the integrity of the legal evidence is effect that can have is to offer an Network-forensics system. The Paper proposed Network-forensics system in the company through legal disputes accident Networking and state agency (with investigative authority) for criminal investigations in networking for the effective and correct way to present a report of user-centric services through effective awareness can be improved.