• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.6
• /
• pp.1421-1433
• /
• 2015

For an accurate analysis through the forensic of digital devices and computer, it is a very important validation of the reliability of digital forensic tools. To verify the reliability of the tool, it is necessary to research and development of the data set to be input to the tool. In many-used Windows operating system of the computer, there is a Window forensic artifacts associated with time and system behavior. In this paper, we developed a set of data in the Windows operating system to be able to analyze all of the two Windows artifacts and we conducted a test with published digital forensic tools. Therefore, the developed data set presents the use of the following method. First, artefacts education for growing ability can be analyzed acts standards. Secondly, the purpose of tool tests for verifying the reliability of digital forensics. Lastly, recyclability for new artifact analysis.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.6
• /
• pp.3258-3279
• /
• 2019

Recently, ransomware has earned itself an infamous reputation as a force to reckon with in the cybercrime landscape. However, cybercriminals are adopting other unconventional means to seamlessly attain proceeds of cybercrime with little effort. Cybercriminals are now acquiring cryptocurrencies directly from benign Internet users without the need to extort a ransom from them, as is the case with ransomware. This paper investigates advances in the cryptovirology landscape by examining the state-of-the-art cryptoviral attacks. In our approach, we perform digital autopsy on the malware's source code and execute the different malware variants in a contained sandbox to deduce static and dynamic properties respectively. We examine three cryptoviral attack structures: browser-based crypto mining, memory resident crypto mining and cryptoviral extortion. These attack structures leave a trail of digital forensics evidence when the malware interacts with the file system and generates noise in form of network traffic when communicating with the C2 servers and crypto mining pools. The digital forensics evidence, which essentially are IOCs include network artifacts such as C2 server domains, IPs and cryptographic hash values of the downloaded files apart from the malware hash values. Such evidence can be used as seed into intrusion detection systems for mitigation purposes.

• Journal of the Korea Society of Computer and Information
• /
• v.22 no.8
• /
• pp.73-83
• /
• 2017

In this paper, we discuss the differences between an ordinary B-tree and B-tree implemented by NTFS. There are lots of distinctions between the two B-tree, if not understand the distinctions fully, it is difficult to utilize and analyze artifacts of NTFS. Not much, actually, is known about the implementation of NTFS, especially B-tree index for directory management. Several items of B-tree features are performed that includes a node size, minimum number of children, root node without children, type of key, key sorting, type of pointer to child node, expansion and reduction of node, return of node. Furthermore, it is emphasized the fact that NTFS use B-tree structure not B+structure clearly.

• The Journal of Information Technology
• /
• v.10 no.4
• /
• pp.41-56
• /
• 2007

In Digital Computing Environment, volatile information such as register, cache memory, and network information are hard to make certain of a real-time collection because such volatile information are easily modified or disappeared. Thus, a collection of volatile information is one of important step for computer forensics system on ubiquitous computing. In this paper, we propose a volatile information collection module, which collects variable volatile information of server system based on memory mapping in real-time.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2012.11a
• /
• pp.1333-1335
• /
• 2012

이 연구에서는 전자기록물의 일반적인 특징과 법적 증거능력에 대해서 조사하고 이를 통해 국가기록원을 비롯한 기록보존소에서 관리하는 전자기록들의 증거능력에 대해 고찰하였다. 또한 디지털 증거를 수집 분석하여 법정에 제출하기 위한 분야인 디지털 포렌식(Digital Forensics)에서의 절차 및 기술을 통해 전자기록관리 프로세스에서 전자기록의 증거능력을 확보하기 위한 기초적인 방안을 제시한다.

• International Journal of Internet, Broadcasting and Communication
• /
• v.13 no.3
• /
• pp.178-192
• /
• 2021

File system forensics typically focus on the contents or timestamps of a file, and it is common to work around file/directory centers. But to recover a deleted file on the disk or use a carving technique to find and connect partial missing content, the evidence must be analyzed using cluster-centered analysis. Forensics tools such as EnCase, TSK, and X-ways, provide a basic ability to get information about disk clusters, but these are not the core functions of the tools. Alternatively, Sysinternals' DiskView tool provides a more intuitive visualization function, which makes it easier to obtain information around disk clusters. In addition, most current tools are for Windows. There are very few forensic analysis tools for MacOS, and furthermore, cluster analysis tools are very rare. In this paper, we developed a tool named FACT (Forensic Analyzer based Cluster Information Tool) for analyzing the state of clusters in a HFS+ file system, for digital forensics. The FACT consists of three features, a Cluster based analysis, B-tree based analysis, and Directory based analysis. The Cluster based analysis is the main feature, and was basically developed for cluster analysis. The FACT tool's cluster visualization feature plays a central role. The FACT tool was programmed in two programming languages, C/C++ and Python. The core part for analyzing the HFS+ filesystem was programmed in C/C++ and the visualization part is implemented using the Python Tkinter library. The features in this study will evolve into key forensics tools for use in MacOS, and by providing additional GUI capabilities can be very important for cluster-centric forensics analysis.

• Journal of Digital Forensics
• /
• v.12 no.3
• /
• pp.97-108
• /
• 2018

Computer technology and Internet advances enable easy massive file transfer by messenger, email, and web hard service users this means that a child pornography file owner who is illegally possessing itself can quickly transfer that to other users However there are currently no specific ways to prevent or block the distribution of child pornography between messenger, email, and web hard service users. in this paper, we propose a method to prevent the distribution of child pornography using the MD5, SHA-1 hash value stored in the 'police Child pornography Profiling system' and to identify the child pornography suspects using the subscriber information. the user extracts the hash value of the file before distributing the file, compared it with police system, and if it has the same value, blocks the transmission of the file and sends warning to the owner. the service provider sends the subscriber information to investigation agency child pornography owners can conduct a quick and accurate investigation.

• International Journal of Computer Science & Network Security
• /
• v.24 no.6
• /
• pp.207-215
• /
• 2024

Cloud computing is now used by most companies, business centres and academic institutions to embrace new computer technology. Cloud Service Providers (CSPs) are limited to certain services, missing some of the assets requested by their customers, it means that different clouds need to interconnect to share resources and interoperate between them. The clouds may be interconnected in different characteristics and systems, and the network may be vulnerable to volatility or interference. While information technology and cloud computing are also advancing to accommodate the growing worldwide application, criminals use cyberspace to perform cybercrimes. Cloud services deployment is becoming highly prone to threats and intrusions. The unauthorised access or destruction of records yields significant catastrophic losses to organisations or agencies. Human intervention and Physical devices are not enough for protection and monitoring of cloud services; therefore, there is a need for more efficient design for cyber defence that is adaptable, flexible, robust and able to detect dangerous cybercrime such as a Denial of Service (DOS) and Distributed Denial of Service (DDOS) in heterogeneous cloud computing platforms and make essential real-time decisions for forensic investigation. This paper aims to develop a framework for digital forensic for the detection of cybercrime in a joined heterogeneous cloud setup. We developed a Digital Forensics model in this paper that can function in heterogeneous joint clouds. We used Unified Modeling Language (UML) specifically activity diagram in designing the proposed framework, then for deployment, we used an architectural modelling system in developing a framework. We developed an activity diagram that can accommodate the variability and complexities of the clouds when handling inter-cloud resources.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.3
• /
• pp.165-176
• /
• 2011

In this paper, we examine the reliability verification procedure of evidence analysis tools for computer forensics and test the famous tools for their functional requirements using the verification items proposed by standard document, TIAK.KO-12.0112. Also, we carry out performance evaluation based on test results and suggest the way of performance improvement for evidence analysis tools. To achieve this, we first investigate functions that test subjects can perform, and then we set up a specific test plan and create evidence image files which contain the contents of a verification items. We finally verify and analyze the test results. In this process, we can discover some weaknesses of most of analysis tools, such as the restoration for deleted & fragmented files, the identification of the file format which is widely used in the country and the processing of the strings composed of Korean alphabet.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.1
• /
• pp.57-67
• /
• 2013

Lately, intrusive incidents (including system hacking, viruses, worms, homepage alterations, and data leaks) have not involved the distribution of an virus or worm, but have been designed to acquire private information or trade secrets. Because an attacker uses advanced intelligence and attack techniques that conceal and alter data in a computer, the collector cannot trace the digital evidence of the attack. In an initial incident response first responser deals with the suspect or crime scene data that needs investigative leads quickly, in accordance with forensic process methodology that provides the identification of digital evidence in a systematic approach. In order to an effective initial response to first responders, this paper analyzes the collection data such as user usage profiles, chronology timeline, and internet data according to CFFPM(computer forensics field triage process model), proceeds to design, and implements a collection application to deploy the client/server architecture on the Windows based computer.