• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.6
• /
• pp.1347-1359
• /
• 2017

SQLite database is a file-based DBMS(Database Management System) that provides transactions, and it is loaded on smartphone because it is appropriate for lightweight platform. AS the usage of smartphone increased, SQLite-related crimes can occur. In this paper, we proposed a new concealing method for SQLite db file and a detection method against it. As a result of concealing experiments, it is possible to intentionally conceal 70bytes in the DB file header and conceal original data by inserting artificial pages. But it can be detected by parsing 70bytes based on SQLite structure or using the number of record and index. After that, we proposed detection algorithm for concealed data.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.5
• /
• pp.1107-1115
• /
• 2017

The most commonly used PKZIP format is a ZIP file, as well as a file format used in MS Office files and application files for Android smartphones. PKZIP format files, which are widely used in various areas, require structural analysis from the viewpoint of digital forensics and should be able to recover when files are damaged. However, previous studies have focused only on recovering data or extracting meaningful data using the Deflate compression algorithm used in ZIP files. Although most of the data resides in compressed data in the ZIP file, there is also forensically meaningful data in the rest of the ZIP file, so you need to restore it to a normal ZIP file format. Therefore, this paper presents a technique to recover a damaged ZIP file to a normal ZIP file when given.

• KIPS Transactions on Computer and Communication Systems
• /
• v.5 no.12
• /
• pp.491-498
• /
• 2016

Recently leakages of confidential information and internal date have been steadily increasing by using booting technique on portable OS such as Windows PE stored in portable storage devices (USB or CD/DVD etc). This method allows to bypass security software such as USB security or media control solution installed in the target PC, to extract data or insert malicious code by mounting the PC's storage devices after booting up the portable OS. Also this booting method doesn't record a log file such as traces of removable storage devices. Thus it is difficult to identify whether the data are leaked and use trace-back technique. In this paper is to propose method to help facilitate the process of digital forensic investigation or audit of a company by collecting and analyzing BIOS firmware images that record data relating to BIOS settings in flash memory and finding traces of portable storage devices that can be regarded as abnormal events.

• KIPS Transactions on Computer and Communication Systems
• /
• v.3 no.2
• /
• pp.31-42
• /
• 2014

Debugger systems are necessary to apply dynamic program analysis when evaluating security properties of embedded system software. It may be possible to make the use of software-based debugger and/or DBI framework if target devices support general purpose operating systems, however, constraints on applicability as well as environmental transparency might be incurred thereby hindering overall analyzability. Analysis with JTAG (IEEE 1149.1) debugging devices can overcome these difficulties in that no change would be involved in terms of internal software environment. In that sense, JTAG API can facilitate to practically perform dynamic program analysis for evaluating security properties of target device software. In this paper, we introduce an implementation of JTAG API to enable analysis of ARM core based embedded systems. The API function set includes the categories of debugger and target device controls: debugging environment and operation. To verify API applicability, we also provide example analysis tool implementations: our JTAG API could be used to build kernel function fuzzing and live memory forensics modules.

• KIPS Transactions on Software and Data Engineering
• /
• v.8 no.10
• /
• pp.411-420
• /
• 2019

Camera model identification has been a subject of steady study in the field of digital forensics. Among the increasingly sophisticated crimes, crimes such as illegal filming are taking up a high number of crimes because they are hard to detect as cameras become smaller. Therefore, technology that can specify which camera a particular image was taken on could be used as evidence to prove a criminal's suspicion when a criminal denies his or her criminal behavior. This paper proposes a deep learning model to identify the camera model used to acquire the image. The proposed model consists of four convolution layers and two fully connection layers, and a high pass filter is used as a filter for data pre-processing. To verify the performance of the proposed model, Dresden Image Database was used and the dataset was generated by applying the sequential partition method. To show the performance of the proposed model, it is compared with existing studies using 3 layers model or model with GLCM. The proposed model achieves 98% accuracy which is similar to that of the latest technology.

• Journal of Internet of Things and Convergence
• /
• v.7 no.3
• /
• pp.1-8
• /
• 2021

With the rapid increase in the use of IoT and mobile devices, cyber criminals targeting IoT devices are also on the rise. Among IoT devices, when using a wireless access point (AP), problems such as packets being exposed to the outside due to their own security vulnerabilities or easily infected with malicious codes such as bots, causing DDoS attack traffic, are being discovered. Therefore, in this study, in order to actively respond to cyber attacks targeting IoT devices that are rapidly increasing in recent years, we proposed a method to collect traces of intrusion incidents artifacts from IoT devices, and to improve the validity of intrusion analysis data. Specifically, we presented a method to acquire and analyze digital forensics artifacts in the compromised system after identifying the causes of vulnerabilities by reproducing the behavior of the sample IoT malware. Accordingly, it is expected that it will be possible to establish a system that can efficiently detect intrusion incidents on targeting large-scale IoT devices.

• Journal of the Korea Society of Computer and Information
• /
• v.26 no.12
• /
• pp.111-121
• /
• 2021

As the main carrier of information, digital image is becoming more and more important. However, with the popularity of image acquisition equipment and the rapid development of image editing software, in recent years, digital image counterfeiting incidents have emerged one after another, which not only reduces the credibility of images, but also brings great negative impacts to society and individuals. Image copy-paste tampering is one of the most common types of image tampering, which is easy to operate and effective, and is often used to change the semantic information of digital images. In this paper, a method to protect the authenticity and integrity of image content by studying the tamper detection method of image copy and paste was proposed. In view of the excellent learning and analysis ability of deep learning, two tamper detection methods based on deep learning were proposed, which use the traces left by image processing operations to distinguish the tampered area from the original area in the image. A series of experimental results verified the rationality of the theoretical basis, the accuracy of tampering detection, location and classification.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.6
• /
• pp.1439-1448
• /
• 2018

Many electronic document files, including Microsoft Office Word (MS Word), have become a major issue in various legal disputes such as privacy, contract forgery, and trade secret leakage. The internal metadata of OOXML (Office Open XML) format, which is used since MS Word 2007, stores the unique Revision Identifier (RSID). The RSID is a distinct value assigned to a corresponding word, sentence, or paragraph that has been created/modified/deleted after a document is saved. Also, document history, such as addition/correction/deletion of contents or the order of creation, can be tracked using the RSID. In this paper, we propose a methodology to investigate discrimination between the original document and copy as well as possible document file leakage by utilizing the changes of the RSID according to the user's behavior.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.3
• /
• pp.519-529
• /
• 2019

Nowadays, intelligent Android malware applies anti-analysis techniques to hide malicious behaviors and make it difficult for anti-virus vendors to detect its presence. Malware can use background components to hide harmful operations, use activity-alias to get around with automation script, or wipe the logcat to avoid forensics. During our study, several static analysis tools can not extract these hidden components like main activity, and dynamic analysis tools also have problem with code coverage due to partial execution of android malware. In this paper, we design and implement a system to analyze intelligent malware that uses anti-analysis techniques to improve detection rate of evasive malware. It extracts the hidden components of malware, runs background components like service, and generates all the intent events defined in the app. We also implemented a real-time logging system that uses modified logcat to block deleting logs from malware. As a result, we improve detection rate from 70.9% to 89.6% comparing other container based dynamic analysis platform with proposed system.

• Journal of Broadcast Engineering
• /
• v.23 no.6
• /
• pp.886-895
• /
• 2018

In this paper, we introduce a technique to detect the video forgery by using the regularity that occurs in the video compression process. The proposed method uses the hierarchical regularity lost by the video double compression and the frame deletion. In order to extract such irregularities, the depth information of CU and TU, which are basic units of HEVC, is used. For improving performance, we make a depth map of CU and TU using local information, and then create input data by grouping them in GoP units. We made a decision whether or not the video is double-compressed and forged by using a general three-dimensional convolutional neural network. Experimental results show that it is more effective to detect whether or not the video is forged compared with the results using the existing machine learning algorithm.