• Title/Summary/Keyword: digital forensic investigation

Forensic Data Acquisition on Cell Phone using JTAG Interface (JTAG을 이용한 휴대폰 포렌식 데이터 수집)

  • Kim, Keon-Woo; Ryu, Jae-Cheol
    • Proceedings of the IEEK Conference / 2008.06a / pp.333-334 / 2008
  • With the role of cell phones in today's society as a digital personal assistant as well as the primary tool for personal communication, it is possible to imagine the involvement of cell phones in almost any type of crime. The progression of a criminal investigation can hinge on vital clues obtained from a cell phone. This paper concentrates on CDMA system phones and focuses on data extraction for cell phone forensics. In particular, the data acquisition method using JTAG interface access to the memory chip will be covered.

Software Montage: Filtering of Detecting Target of Similar Software for Digital Forensic Investigation (소프트웨어 몽타주: 디지털 포렌식 수사를 위한 유사 소프트웨어 탐지 대상의 필터링)

  • Park, Hee-Wan; Han, Tai-Sook
    • Journal of KIISE: Computing Practices and Letters / v.16 no.4 / pp.497-501 / 2010
  • A software montage is information that can be extracted quickly from software and that includes its inherent characteristics. If a montage is made from well-known programs, we can filter candidates for similar programs among a group of programs based on the montage. In this paper, we suggest software montages based on two characteristics: API calls and strings. To evaluate the proposed montages, we performed experiments to filter candidates for programs similar to instant messenger programs. From the experiments, we confirmed that the proposed montages can be used as a forensic tool that filters a group of similar programs even when their functions are not known in advance.

Analysis of File Time Change by File Manipulation of Linux System (리눅스 시스템에서의 파일 조작에 따른 시간변화 분석)

  • Yoo, Byeongyeong
    • The Journal of the Institute of Internet, Broadcasting and Communication / v.16 no.3 / pp.21-28 / 2016
  • File time information has significant meaning in digital forensic investigation. The file time information in the Linux Ext4 (Extended File System 4) environment consists of the Access Time, Modification Time, Inode Change Time, Deletion Time and Creation Time. File times are changed in various ways by user manipulations such as creation, copying and editing, so the study of file time change is necessary for evidence analysis. This study analyzes the changes in time information of files or folders resulting from user manipulations in the Linux operating system, and analyzes ways to determine the real time of a malware infection and whether a file was manipulated.

File Carving: JPEG Image Fragmentation Point Detection for Digital Forensics (파일 카빙: 디지털 포렌식을 위한 JPEG 이미지 단편화 지점 감지)

  • Lkham, Nurzed; Park, Dong-Joo
    • Proceedings of the Korean Information Science Society Conference / 2012.06c / pp.245-247 / 2012
  • JPEG is one of the most popular image formats in the digital domain, and the distribution of digital photographs is frequently of interest in certain types of forensic investigation. In most cases, corrupted images show distortion at the boundary of the corrupted parts. In this paper, we propose a technique to carve correct JPEG images using a transformation method, and the approach can be used for the development of JPEG image file carving tools.

ENF based Detection of Forgery and Falsification of Digital Files due to Quadratic Interpolation (이차 보간에 따른 ENF 기반의 위변조 디지털 파일 탐지 기법)

  • Park, Se Jin; Yoon, Ji Won
    • Journal of KIISE / v.45 no.3 / pp.311-320 / 2018
  • Recently, the use of digital audio and video as proof in criminal and all kinds of litigation is increasing, and scientific investigation using digital forensic techniques is developing. With the development of computing and file editing technologies, anyone can simply manipulate video files, and the number of cases of manipulated digital data is increasing. As a result, the integrity and reliability of the evidence are required. In this paper, we propose a technique for extracting the Electrical Network Frequency (ENF) through a grid of power grids according to the geographical environment of the power supply, and then performing signal processing for peak detection using QIFFT. Through the detection algorithm using the standard deviation, it was confirmed that the video file was falsified with 73% accuracy, and the forgery point was found.

Methods for Investigating of Edit History about MS PowerPoint Files That Using the OOXML Formats (OOXML형식을 사용하는 MS 파워포인트 파일에 대한 편집 이력 조사 방법)

  • Youn, Ji-Hye; Park, Jung-Heum; Lee, Sang-Jin
    • The KIPS Transactions: Part C / v.19C no.4 / pp.215-224 / 2012
  • Today, individuals and businesses do a lot of paperwork through computers, so many document files are created in digital form. These digital files are copied and moved by various media such as USB, e-mail and so on. A careful analysis of these digital materials can track the work history that occurred during document editing. Such research exists for the compound document file format, but the new OOXML format has not been studied: how to analyze linkages between different document files, how to track the internal order, and how to find unsaved files in order to identify the process of creating a file. In the future, the use of OOXML format digital documents will further increase, and the traceability of document work history would be a big help in digital forensic investigation. Therefore, this paper shows, from a forensic viewpoint, how to track the internal order of and analyze linkages between files in the new OOXML format.

Control Variables of Remote Joint Analysis Realization on the M2M Case

  • Lim, Sung-Ryel; Choi, Bo-Yun; Lee, Hong-Chul
    • KSII Transactions on Internet and Information Systems (TIIS) / v.6 no.1 / pp.98-115 / 2012
  • A new trend called ubiquitous computing is leading recent business through standardization and integration. The main issue should be how to guarantee integration and accountability in each business, especially in mission critical systems, which are mainly supported by M2M (Machine to Machine) control mechanisms. This study is based on the analysis of a digital forensics case study arising from the M2M sensing control mechanism problem of the "Imjin River" case in 2009, where a group of family members were swept away to their deaths by water due to an M2M control error. The ubiquitous surroundings bring changes in the field of criminal investigation toward real-time controls such as M2M systems. The need for digital forensics on M2M control is increasing at every crime scene, but we suffer from a lack of control metrics to get this done efficiently. The court asks for more accurately analyzed results that account for high quality product development design. Investigators at the crime scene need real-time analysis of crimes caused by the poor quality of mission critical systems. This seems to be a need of every Real-Time Enterprise, the so-called ubiquitous society, in such cases. We try to find efficiency and productivity in discovering non-functional design defects in M2M convergence products, focusing on three metrics in the study model with quick implementation. Digital forensics systems at present depend on the know-how of each investigator, and professional analysis cannot be expected in every field. This study sets up the hypothesis "Co-working of professional investigators in each field will qualify Performance and Integrity", especially in mission critical systems such as M2M, and suggests an "Online co-work analysis model" to efficiently detect and prevent mission critical errors in advance. In conclusion, this study proved the statistical research that was surveyed among digital forensics specialists on M2M crime scene cases with a quick implementation of a dashboard.

Study on MalangMalang Talkafe Database Encryption Process and Recovering Its Deleted Messages on Windows (윈도우에서의 말랑말랑 톡카페 데이터베이스 암호화 프로세스 분석 및 삭제된 메시지 복구 연구)

  • Youn, Byungchul; Kim, Soram; Kim, Jongsung
    • Journal of the Korea Institute of Information Security & Cryptology / v.30 no.3 / pp.397-403 / 2020
  • With the convenience of real-time conversation, multimedia file and contact sharing services, most people use instant messengers, and their usage time is increasing. Because the messengers contain a lot of user behavior information, they can be very useful evidence for identifying user behavior in a digital forensic investigation. However, some useful data can be difficult to acquire or recognize because it is encrypted or deleted. Thus, in order to use messenger data as evidence, the study of the message decryption process and message recovery is essential. In this paper, we analyze the database encryption process of the instant messenger MalangMalang Talkafe and propose a method to decrypt it. In addition, we propose methods to identify deleted messages and recover them from the volatile memory area.

A Study on the Processing of Timestamps in the Creation of Multimedia Files on Mobile Devices

  • Han, Jaehyeok; Lee, Sangjin
    • Journal of Information Processing Systems / v.18 no.3 / pp.402-410 / 2022
  • Digital data can be manipulated easily, so information related to the timestamp is important in establishing the reliability of the data. The time values for a certain file can be extracted following the analysis of the filesystem metadata or file internals, and the information can be utilized to organize a timeline for a digital investigation. Suppose the reversal of a timestamp is found on a mobile device during this process. In this case, a more detailed analysis is required due to the possibility of anti-forensic activity, but little previous research has investigated the handling and possible manipulation of timestamps on mobile devices. Therefore, in this study, we determine how time values for multimedia files are handled according to the operating system or filesystem on mobile devices. We also discuss five types of timestamps of multimedia files: file created (C), last modified (M), last accessed (A), digitalized (Di), and filename (FN), and experiment with their operational features across multiple devices such as smartphones and cameras.

Development of a Set of Data for Verifying Partition Recovery Tool and Evaluation of Recovery Tool (파티션 복구 도구 검증용 데이터 세트 개발 및 도구 평가)

  • Park, Songyee; Hur, Gimin; Lee, Sang-jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.6 / pp.1397-1404 / 2017
  • When a digital forensic investigation is conducted on a damaged storage medium, recovery is performed using a recovery tool. But the result differs from one recovery tool to another. Therefore, it is necessary to identify the performance and limitations of each tool and use it accordingly for an accurate investigation. In this paper, we propose scenarios that consider the disk recognition type, such as MBR and GPT, and the structural characteristics of the FAT32 and NTFS filesystems in order to verify the performance of partition recovery tools. We then validate the existing tools with the data set built on these scenarios.