• Journal of Digital Forensics
• /
• v.13 no.4
• /
• pp.231-244
• /
• 2019

Digital evidence is crucial to issues that require not only cybercrime but also to prove the facts of the cyber environment. While digital evidence has traditionally been collected from physically specific media, it is often impossible to specify the physical location of the data as cloud and distributed processing technologies evolve, requiring a ways of collecting data remotely. However, existing procedures or rules for collecting data from remote locations only emphasize fundamental conditions such as integrity and audit tracking, but there are many ambiguity when applied to actual collection. In addition, the threat of falsification that occurs when collecting data from remote locations was not considered. In this paper, we propose a framework that can ensure the reliability of the collection environment and the reliability of the network to show that it has not been falsified and that data that exists remotely has been collected as it was originally. It also implements this framework as a virtual environment and collects digital evidence from remote locations through case studies to discuss its effectiveness.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2006.06a
• /
• pp.403-407
• /
• 2006

완벽한 디지털 범죄 수사를 위해서는 우수한 디지털 포렌식 기술이 우선적으로 요구되겠지만, 범죄수사의 특성상 기술이외에도 법적, 제도적 측면들이 적절하게 조합되어야만 한다. 본 논문에서는 디지털 포렌식의 제도 및 정책적인 면에서 디지털 범죄 수사의 절차가 현실적으로 적용 가능하고, 범죄 해결에 효율적이며 합법성을 유지하면서 진행될 수 있도록 새로운 형태의 디지털 포렌식 절차를 제안하고자 한다.

• Annual Conference of KIPS
• /
• 2011.11a
• /
• pp.960-963
• /
• 2011

국내에 디지털 포렌식 연구가 시작된 2000년 초반에는 디지털 증거의 취약성에 주의하여 디지털 증거의 보존을 중심으로 조사 분석을 어떻게 할 것인가에 초점을 맞추었다. 이를 통해 수집한 데이터와 분석한 결과를 법적인 증거 자료로 어떻게 인정받을 것인지가 주요 이슈였다. 하지만 최근에는 디지털 포렌식 조사가 일반 민사 형사 사건에 모두 활용되면서 디지털 증거 처리만이 아닌 사건 발생부터 법정 증언까지 고려한 전체 조사 과정을 아우르는 모델로 발전하고 있다. 따라서 이러한 변화에 따르고 국내 환경에 적합한 디지털 포렌식 조사 모델이 필요하다. 본 논문은 국내외 디지털 포렌식 조사 모델에 대한 연구를 살펴보고, 이를 국내 환경에 적합하도록 정립하기 위한 방안을 기술한다.

• Journal of Arbitration Studies
• /
• v.32 no.4
• /
• pp.53-85
• /
• 2022

Small and medium-sized enterprises ("SMEs") are vulnerable to trade secret misappropriation. Korea's legislation for the protection of SMEs' trade secrets and provision of civil, criminal, and administrative remedies includes the SME Technology Protection Act, the Unfair Competition Prevention Act, the Industrial Technology Protection Act, the Mutually Beneficial Cooperation Act, and the Subcontracting Act. Among these acts, the revised SME Technology Protection Act of 2018 introduced the "administrative technology misappropriation investigation system" to facilitate a rapid resolution of SMEs' technology misappropriation disputes. On September 27, 2021, Korea's Ministry of SMEs announced that it had reached an agreement to resolve the dispute between Hyundai Heavy Industries and Samyeong Machinery through the administrative technology misappropriation investigation system. However, not until 3 years and a few months passed since the introduction of the system could it be used to resolve an SME's technology misappropriation dispute with a large corporation. So there arose a question on the usefulness of the system. Therefore, we conducted a comparative legal analysis of Korea's laws enacted to protect trade secrets of SMEs and to address technology misappropriation, focusing on their legislative purpose, protected subject matter, types of misappropriation, and legal remedies. Then we analyzed the administrative technology misappropriation investigation system and the cases where this system was applied. We developed a proposal to enhance the usefulness of the system. The expert interviews of 4 attorneys who are experienced in the management of the system to check the practical value of the proposal. Our analysis shows that the lack of compulsory investigation and criminal sanctions is the fundamental limitation of the system. We propose revising the SME Technology Protection Act to provide correction orders, criminal sanctions, and compulsory investigation. We also propose training professional workforces to conduct digital forensics, enabling terminated SMEs to utilize the system, and assuring independence and fairness of the mediation and arbitration of the technology misappropriation disputes.

• The Journal of Society for e-Business Studies
• /
• v.23 no.3
• /
• pp.129-143
• /
• 2018

Recently, the use of digital media such as computers and smart devices has been rapidly increasing, The vast and diverse information contained in the warrant of the investigating agency also includes the one irrelevant to the crime. Therefore, when confiscating the information, the basic rights, defense rights and privacy invasion of the person to be seized have been the center of criticism. Although the investigation agency guarantees the right to participate, it does not have specific guidelines, so they are various by the contexts and environments. In this process, the abuse of the participation right is detrimental to the speed and integrity of the investigation, and there is a side effect that the digital evidence might be destroyed by remote initialization. In this study, we conducted surveys of digital evidence analysts across the country based on four domains and thirty measurement items for enabling environment for participation in information storage media export and digital evidence search process. The difference between the level of importance and the performance was analyzed by the IPA matrix based on process, location, people, and technology dimensions. Seven items belonging to "concentrate here" area are one process-related, three location-related, and three people-related items. This study is meaningful to be a basis for establishing the proper policies and strategies for ensuring participation right, as well as for minimizing the side effects.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.3
• /
• pp.541-547
• /
• 2019

As leakage cases of personal information increase, the concern of personal information protection is also increasing. As a result, most applications encrypt and store sensitive information such as personal information. Especially, in case of instant messengers, it is more difficult to find database where is not encrypted and stored. However, this kind of database encryption acts as anti-forensic from the point of view of digital forensic investigation. In this paper, we analyze database encryption process of MalangMalang Talkcafe application which is one of instant messenger. Based on our analysis, we propose a decryption method and explain the meaningful information collected in the database.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.4
• /
• pp.827-839
• /
• 2012

A cell phone is very close to the user and therefore should be considered in digital forensic investigation. Recently, the proportion of smartphone owners is increasing dramatically. Unlike the feature phone, users can utilize various mobile application in smartphone because it has high-performance operating system (e.g., Android, iOS). As acquisition and analysis of user data in smartphone are more important in digital forensic purposes, smartphone forensics has been studied actively. There are two way to do smartphone forensics. The first way is to extract user's data using the backup and debugging function of smartphones. The second way is to get root permission, and acquire the image of flash memory. And then, it is possible to reconstruct the filesystem, such as YAFFS, EXT, RFS, HFS+ and analyze it. However, this methods are not suitable to recovery and analyze deleted data from smartphones. This paper introduces analysis techniques for fragmented flash memory pages in smartphones. Especially, this paper demonstrates analysis techniques on the image that reconstruction of filesystem is impossible because the spare area of flash memory pages does not exist and the pages in unallocated area of filesystem.

• Journal of Digital Forensics
• /
• v.12 no.3
• /
• pp.9-17
• /
• 2018

Smartphone have become commonplace because they have the advantage of facilitating communication with others and making life easier. The smartphone's system log stores various data related to the user actions. Since 2015, Huawei has been growing rapidly, with its sales volume increasing and it was ranked second in the world in three years. The use of Huawei smartphones by many users means that Huawei smartphones are likely to be used to detect traces of criminal investigations, so we need to study system logs of Huawei smartphones. Therefore, in this paper, we analyze system log which is forensically meaningful for Huawei smartphone. We also propose how to use logs in forensic investigation.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.5
• /
• pp.737-751
• /
• 2023

The importance of digital forensics in the cloud environment is increasing as businesses and individuals move their data from On-premise to the cloud. Cloud data can be stored on various devices, including mobile devices and desktops, and encompasses a variety of user behavior artifacts, such as information generated from linked accounts and cloud services. However, there are limitations in securing and analyzing digital evidence due to environmental constraints of the cloud, such as distributed storage of data and lack of artifact linkage. One solution to address this is archiving services, and Google's Takeout is prime example. In this paper, user behavior data is analyzed for cloud forensics based on archiving data and necessary items are selected from an investigation perspective. Additionally, we propose the process of analyzing selectively collected data based on time information and utilizing web-based visualization to meaningfully assess artifact associations and multi-behaviors. Through this, we aim to demonstrate the value of utilizing archiving data in response to the increasing significance of evidence collection for cloud data.

• Annual Conference of KIPS
• /
• 2021.05a
• /
• pp.521-524
• /
• 2021

HEIF (High Efficiency File Format)는 MPEG에서 개발된 이미지 포맷으로써, 비디오 코덱인 H.265를 활용하여 정지된 화면을 하나의 이미지 형태로 저장할 수 있도록 개발된 컨테이너이다. 아이폰은 2017년부터 HEIF를 사용하고 있으며, 2019년부터는 갤럭시 S10과 같은 안드로이드 기기도 해당 포맷을 지원하고 있다. 이 포맷은 우수한 압축률을 가지도록 이미지를 제공할 수 있으나, 복잡한 내부 구조를 가지고 있으며 기기나 소프트웨어 간 호환성이 현저하게 부족하여 일반적으로 사용되는 JPEG(또는 JPG) 파일을 대체하기에는 아직 대중적이지 못한 상황이다. 하지만 이미 많은 기기에서 HEIF를 사용하고 있음에도 불구하고 디지털 포렌식 연구는 부족한 상황이다. 이는 디지털 포렌식 조사 과정에서 파일 내부에 포함된 정보의 파악이 미흡하여 잠재적인 증거를 놓칠 수 있는 위험에 노출될 수 있다. 따라서 본 논문에서는 아이폰에서 촬영된 HEIF 형식의 사진 파일과 갤럭시에서 촬영된 모션 포토 파일을 분석하여 파일 내부에 포함된 정보와 특징들을 알아본다. 또한 이미지 뷰어기능을 지원하는 소프트웨어를 대상으로 HEIF에 대한 지원 여부를 조사하고 HEIF 뷰어를 분석하는 포렌식 도구의 요구사항을 제시한다.