• KIPS Transactions on Computer and Communication Systems
• /
• v.5 no.12
• /
• pp.491-498
• /
• 2016

Recently leakages of confidential information and internal date have been steadily increasing by using booting technique on portable OS such as Windows PE stored in portable storage devices (USB or CD/DVD etc). This method allows to bypass security software such as USB security or media control solution installed in the target PC, to extract data or insert malicious code by mounting the PC's storage devices after booting up the portable OS. Also this booting method doesn't record a log file such as traces of removable storage devices. Thus it is difficult to identify whether the data are leaked and use trace-back technique. In this paper is to propose method to help facilitate the process of digital forensic investigation or audit of a company by collecting and analyzing BIOS firmware images that record data relating to BIOS settings in flash memory and finding traces of portable storage devices that can be regarded as abnormal events.

• Convergence Security Journal
• /
• v.7 no.2
• /
• pp.91-100
• /
• 2007

Nowadays, there exist many forensic tools in forensic investigation. For common investigator it may cause some difficulty in handling the existing forensic tools. In case of urgent condition, if it takes long time to get the useful evidence from data, then it makes the investigation process difficult. Thus, the common investigator can collect the evidence easily by simple clicking the mouse. The only thing he needs is a tool for examination before investigating in details. Therefore, in this paper we refer to useful information in the forensic investigation, discuss the design and the implementation of tool.

• Journal of Internet of Things and Convergence
• /
• v.7 no.3
• /
• pp.1-8
• /
• 2021

With the rapid increase in the use of IoT and mobile devices, cyber criminals targeting IoT devices are also on the rise. Among IoT devices, when using a wireless access point (AP), problems such as packets being exposed to the outside due to their own security vulnerabilities or easily infected with malicious codes such as bots, causing DDoS attack traffic, are being discovered. Therefore, in this study, in order to actively respond to cyber attacks targeting IoT devices that are rapidly increasing in recent years, we proposed a method to collect traces of intrusion incidents artifacts from IoT devices, and to improve the validity of intrusion analysis data. Specifically, we presented a method to acquire and analyze digital forensics artifacts in the compromised system after identifying the causes of vulnerabilities by reproducing the behavior of the sample IoT malware. Accordingly, it is expected that it will be possible to establish a system that can efficiently detect intrusion incidents on targeting large-scale IoT devices.

• Journal of Internet of Things and Convergence
• /
• v.9 no.6
• /
• pp.23-28
• /
• 2023

Windows operating system generates various logs with timestamps. Timestamp tampering is an act of anti-forensics in which a suspect manipulates the timestamps of data related to a crime to conceal traces, making it difficult for analysts to reconstruct the situation of the incident. This can delay investigations or lead to the failure of obtaining crucial digital evidence. Therefore, various techniques have been developed to detect timestamp tampering. However, there is a limitation in detection if a suspect is aware of timestamp patterns and manipulates timestamps skillfully or alters system artifacts used in timestamp tampering detection. In this paper, a method is designed to detect changes in timestamps, even if a suspect alters the timestamp of a file on a storage device, it is challenging to do so with precision beyond millisecond order. In the proposed detection method, the first step involves verifying the timestamp of a file suspected of tampering to determine its write time. Subsequently, the confirmed time is compared with the file size recorded within that time, taking into consideration the performance of the storage device. Finally, the total capacity of files written at a specific time is calculated, and this is compared with the maximum input and output performance of the storage device to detect any potential file tampering.

• KIPS Transactions on Computer and Communication Systems
• /
• v.6 no.1
• /
• pp.31-42
• /
• 2017

Thumbnail, the small sized graphic file such as JPEG or GIF, serves to help the users to be recognized as a rapidly helps to make it easier recognize while browsing the large sized graphic file. Gallery application, which is installed in a later version of the 4.4.x(Kitkat) Android smartphone records the generated time of graphic file in thumbnail metadata. Thumbnail can be used to draw up the timeline of user action about user's action such as creation, modification, deletion with original graphic file analysis. Also, take advantage of the features thumbnails are stored sequentially in a single thumbcache file, even if the thumbcache is deleted, we can restore the thumbnails. This paper illustrates the feature of thumbnail created by Android OS basic gallery app and methods for utilization in digital forensics.

• Convergence Security Journal
• /
• v.22 no.1
• /
• pp.121-127
• /
• 2022

Recently, social issues related to cryptocurrency mining are continuously occurring at the same time as cryptocurrency prices are rapidly increasing. In particular, since cryptocurrency can be acquired through cryptographic operation, anyone with a computer can easily try mining, and as the asset value of major cryptocurrencies such as Bitcoin and Ethereum in creases, public interest is increasing. In addition, the number of cases where individuals who own high-spec computers mine cryptocurrencies in various places such as homes and businesses are increasing. Some miners are mining at companies or public places, not at home, due to the heat problem of computers that consume a lot of electrical energy, causing various problems in companies as well as personal moral problems. Therefore, this study studies the technology to obtain evidence for the traces of mining attempts using the Windows artifacts of the computers that mined cryptocurrency. Through this, it is expected that it can be used for internal audit to strengthen corporate security.

• KIPS Transactions on Computer and Communication Systems
• /
• v.6 no.2
• /
• pp.59-66
• /
• 2017

MySQL database is the second place in the market share of the current database. Especially InnoDB storage engine has been used in the default storage engine from the version of MySQL5.5. And many companies are using the MySQL database with InnoDB storage engine. Study on the structural features and the log of the InnoDB storage engine in the field of digital forensics has been steadily underway, but for how to restore on a record-by-record basis for the deleted data, has not been studied. In the process of digital forensic investigation, database administrators damaged evidence for the purpose of destruction of evidence. For this reason, it is important in the process of forensic investigation to recover deleted record in database. In this paper, We proposed the method of recovering deleted data on a record-by-record in database by analyzing the structure of MySQL InnoDB storage engine. And we prove this method by tools. This method can be prevented by database anti forensic, and used to recover deleted data when incident which is related with MySQL InnoDB database is occurred.