• Title/Summary/Keyword: Windows Artifacts

Search Result 21, Processing Time 0.02 seconds

Study on The Data Decryption and Artifacts Analysis of KakaoTalk in Windows Environment (윈도우 환경에서 카카오톡 데이터 복호화 및 아티팩트 분석 연구)

  • Minuook Jo;Nam Su Chang
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.33 no.1
    • /
    • pp.51-61
    • /
    • 2023
  • Messengers such as KakaoTalk, LINE, and Facebook Messenger are universal means of communication used by anyone. As the convenience functions provided to users and their usage time increase, so does the user behavior information remaining in the artifacts, which is being used as important evidence from the perspective of digital forensic investigation. However, for security reasons, most of the data is currently stored encrypted. In addition, cover-up behaviors such as intentional manipulation, concealment, and deletion are increasing, causing the problem of delaying digital forensic analysis time. In this paper, we conducted a study on the data decryption and artifacts analysis in a Windows environment for KakaoTalk, the messenger with the largest number of users in Korea. An efficient way of obtaining a decryption key and a method of identifying and decrypting messages attempted to be deleted are presented, and thumbnail artifacts are analyzed.

Acquiring Credential and Analyzing Artifacts of Wire Messenger on Windows (Windows에서의 Wire 크리덴셜 획득 및 아티팩트 분석)

  • Shin, Sumin;Kim, Soram;Youn, Byungchul;Kim, Jongsung
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.31 no.1
    • /
    • pp.61-71
    • /
    • 2021
  • Instant messengers are a means of communication for modern people and can be used with smartphones and PCs respectively or connected with each other. Messengers, which provide various functions such as message, call, and file sharing, contain user behavior information regarded as important evidence in forensic investigation. However, it is difficult to analyze as well as acquire smartphone data because of the security of smartphones or apps. However, messenger data can be extracted through PC when the messenger is used on PC. In this paper, we obtained the credential data of Wire messenger in Windows 10, and showed that it is possible to log-in from another PC without authentication. In addition, we identified and classified major artifacts generated based on user behavior.

Windows Artifacts Analysis for Collecting Cryptocurrency Mining Evidence (암호화폐 채굴 증거 수집을 위한 윈도우 아티팩트 분석 기술 연구)

  • Si-Hyeon Park;Seong-Hun Han;Won-hyung Park
    • Convergence Security Journal
    • /
    • v.22 no.1
    • /
    • pp.121-127
    • /
    • 2022
  • Recently, social issues related to cryptocurrency mining are continuously occurring at the same time as cryptocurrency prices are rapidly increasing. In particular, since cryptocurrency can be acquired through cryptographic operation, anyone with a computer can easily try mining, and as the asset value of major cryptocurrencies such as Bitcoin and Ethereum in creases, public interest is increasing. In addition, the number of cases where individuals who own high-spec computers mine cryptocurrencies in various places such as homes and businesses are increasing. Some miners are mining at companies or public places, not at home, due to the heat problem of computers that consume a lot of electrical energy, causing various problems in companies as well as personal moral problems. Therefore, this study studies the technology to obtain evidence for the traces of mining attempts using the Windows artifacts of the computers that mined cryptocurrency. Through this, it is expected that it can be used for internal audit to strengthen corporate security.

A Study on the Setting Method of the File System Audit Function of Windows for Enhancing Forensic Readiness (포렌식 준비도 제고를 위한 윈도우의 파일 시스템 감사 기능 설정 방안에 관한 연구)

  • Lee, Myeong-Su;Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.27 no.1
    • /
    • pp.79-90
    • /
    • 2017
  • If digital forensic investigators can utilize file access logs when they audit insider information leakage cases or incident cases, it would be helpful to understand user's behaviors more clearly. There are many known artifacts related to file access in MS Windows. But each of the artifacts often lacks critical information, and they are usually not preserved for enough time. So it is hard to track down what has happened in a real case. In this thesis, I suggest a method to utilize SACL(System Access Control List) which is one of the audit functions provided by MS Windows. By applying this method of strengthening the Windows's audit settings, even small organizations that cannot adopt security solutions can build better environment for conducting digital forensic when an incident occurs.

Development of Windows forensic tool for verifying a set of data (윈도우 포렌식 도구의 검증용 데이터 세트의 개발)

  • Kim, Min-Seo;Lee, Sang-jin
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.25 no.6
    • /
    • pp.1421-1433
    • /
    • 2015
  • For an accurate analysis through the forensic of digital devices and computer, it is a very important validation of the reliability of digital forensic tools. To verify the reliability of the tool, it is necessary to research and development of the data set to be input to the tool. In many-used Windows operating system of the computer, there is a Window forensic artifacts associated with time and system behavior. In this paper, we developed a set of data in the Windows operating system to be able to analyze all of the two Windows artifacts and we conducted a test with published digital forensic tools. Therefore, the developed data set presents the use of the following method. First, artefacts education for growing ability can be analyzed acts standards. Secondly, the purpose of tool tests for verifying the reliability of digital forensics. Lastly, recyclability for new artifact analysis.

The elimination of the linear artifacts by the metal restorations in the three dimensional computed tomographic images using the personal computer and software (개인용 컴퓨터와 소프트웨어를 이용한 3차원 전산화단층영상에서의 금속 수복물에 의한 선상 오류의 제거)

  • Park Hyok;Lee Hee-Cheol;Kim Kee-Deog;Park Chang-Seo
    • Imaging Science in Dentistry
    • /
    • v.33 no.3
    • /
    • pp.151-159
    • /
    • 2003
  • Purpose: The purpose of this study is to evaluate the effectiveness and usefulness of newly developed personal computer-based software to eliminate the linear artifacts by the metal restorations. Materials and Methods: A 3D CT image was conventionally reconstructed using ADVANTAGE WINDOWS 2.0 3D Analysis software (GE Medical System, Milwaukee, USA) and eliminated the linear artifacts manually. Next, a 3D CT image was reconstructed using V-works 4.0/sup TM/(Cybermed Inc., Seoul, Korea) and the linear artifacts eliminated manually in the axial images by a skillful operator using a personal computer. A 3D CT image was reconstructed using V-works 4.0/sup TM/(Cybermed Inc., Seoul, Korea) and the linear artifacts were removed using a simplified algorithm program to eliminate the linear artifacts automatically in the axial images using a personal computer, abbreviating the manual editing procedure. Finally, the automatically edited reconstructed 3D images were compared to the manually edited images. Results and Conclusion: We effectively eliminated the linear artifacts automatically by this algorithm, not by the manual editing procedures, in some degree. But programs based on more complicated and accurate algorithms may lead to a nearly flawless elimination of these linear artifacts automatically.

  • PDF

A Study on the Improvement of Tearing Artifact for Windows-Based Visual Monitoring Systems (윈도우즈 기반 영상 감시 시스템에서의 Tearing 현상 개선)

  • 정연권;이동학;정선태
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.27 no.11C
    • /
    • pp.1097-1105
    • /
    • 2002
  • In display systems employing analog monitors, the tearing artifact such that an window screen is divided into two parts showing different scenes can occur when the change of scenes in the moving pictures is very fast, but the frame buffer's refresh rate does not match the monitor's scanning frequency. It is especially noticeable at high frame rate. DVR system is a recently popularized visual monitoring system. The tearing artifacts becomes more serious since the frame buffer's refresh rate is very high due to the requirement of multi channel display in the DVR. In this paper, we propose an improved display system for windows-based DVR systems which prevents the tearing artifacts without deterioration of display speed performance. The efficiency of the proposed display system is verified through experiments.

Forensic Analysis of Element Instant Messenger Artifacts (포렌식 관점에서의 Element 인스턴트 메신저 아티팩트 분석)

  • Cho, Jae-min;Byun, Hyeon-su;Yun, Hui-seo;Seo, Seung-hee;Lee, Chang-hoon
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.32 no.6
    • /
    • pp.1113-1120
    • /
    • 2022
  • Recently, the investigation has been difficult due to the emergence of messengers that encrypt and store data for the purpose of protecting personal information and provide services such as end-to-end encryption with a focus on security. Accordingly, the number of crime cases using security messengers is increasing, but research on data decoding for security messengers is needed. Element security messengers provide end-to-end encryption functions so that only conversation participants can check conversation history, but research on decoding them is insufficient. Therefore, in this paper, we analyze the instant messenger Element, which provides end-to-end encryption, and propose a plaintext verification of the history of encrypted secure chat rooms using decryption keys stored in the Windows Credential Manager service without user passwords. In addition, we summarize the results of analyzing significant general and secure chat-related artifacts from a digital forensics investigation perspective.

A Study on Artifact Grouping by Analyzing Artifact Case by Vulnerability : Using Adobe Flash Player Vulnerabilities (취약점 별 아티팩트 사례 분석을 통한 아티팩트 그룹핑 연구 : 어도비 플래시 플레이어 취약점을 이용하여)

  • Song, ByungKwan;Kim, SeonKwang;Kwon, EunJin;Jin, SeungTaek;Kim, JongHyuk;Kim, HyeongCheol;Kim, Minsu
    • Convergence Security Journal
    • /
    • v.19 no.1
    • /
    • pp.87-95
    • /
    • 2019
  • The damage is increasing due to many encroachment accidents caused by increasingly sophisticated cyber attacks. Many institutions and businesses lack early response to invest a lot of resources in the infrastructure for incident detection. The initial response of an intrusion is to identify the route of attack, and many cyber attacks are targeted at software vulnerabilities. Therefore, analyzing the artifacts of a Windows system against software vulnerabilities and classifying the analyzed data can be utilized for rapid initial response. Therefore, the remaining artifacts upon entry of attacks by software are classified, and artifact grouping is presented for use in analysis of encroachment accidents.

A Study On Artifacts Analysis In Portable Software (무 설치 프로그램에서의 사용자 행위 아티팩트 분석)

  • Taeyeong Heo;Taeshik Shon
    • Journal of Platform Technology
    • /
    • v.11 no.2
    • /
    • pp.39-53
    • /
    • 2023
  • Non-installation program (hereinafter referred to as "portable program") is a program that can be used without an installation process, unlike general software. Since there is no separate installation process, portable programs have high mobility and are used in various ways. For example, when initial setup of multiple PCs is required, a portable program can be stored on one USB drive to perform initial setup. Alternatively, when a problem occurs with the PC and it is difficult to boot normally, Windows PE can be configured on the USB drive and portable programs can be stored for PC recovery. And the portable program does not directly affect PC settings, such as changing registry values, and does not leave a trace. This means that the portable program has high security. If a portable program is deleted after using it, it is difficult to analyze behavior in a general way. If a user used a portable program for malicious behavior, analysis in a general way has limitations in collecting evidence. Therefore, portable programs must have a new way of behavioral analysis that is different from ordinary installation software. In this paper, after installing the Windows 10 operating system on a virtual machine, we proceed with the scenario with a portable program of Opera and Notepad++. And we analyze this in various ways such as file analysis of the operating system and memory forensics, collect information such as program execution time and frequency, and conduct specific behavioral analysis of user.

  • PDF