• Title/Summary/Keyword: windows memory analysis

The Windows Physical Memory Dump Explorer for Live Forensics (라이브 포렌식을 위한 윈도우즈 물리 메모리 분석 도구)

  • Han, Ji-Sung; Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology, v.21 no.2, pp.71-82, 2011
  • Live data in physical memory can be acquired by live forensics but not by hard-disk file-system analysis. Therefore, live forensics is widely used in forensic investigations these days. However, existing live forensic methods that use command-line tools on the live system have many weaknesses; for instance, re-analysis is not easy, and results can be modified by malicious code. For these reasons, in this paper we explain the Windows kernel architecture and how to analyze physical memory dump files to complement the weaknesses of traditional live forensics. We then design and implement the Physical Memory Dump Explorer and prove the effectiveness of our tool through test results.

Research on Mac OS X Physical Memory Analysis (Mac OS X 물리 메모리 분석에 관한 연구)

  • Lee, Kyeong-Sik; Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology, v.21 no.4, pp.89-100, 2011
  • Physical memory analysis has been an issue in the field of live forensic analysis in digital forensics. It is very useful for making analysis results more reliable, because records of user behavior and data can be found in physical memory even when a process is hidden. However, most memory analysis focuses on Windows-based systems. Because the diversity of target systems to be analyzed is rising, it is very important to analyze physical memory on operating systems other than Windows. Mac OS X, which has the second-largest operating system market share, operates by loading a kernel image into the physical memory area. In this paper, we propose a methodology for physical memory analysis on Mac OS X using symbol information in the kernel image, and acquire process information, mounted device information, kernel information, kernel extensions (KEXTs) and system call entries for detecting system call hooking. In addition to the methodology, we show through an experimental study that physical memory analysis is very useful.

Memory Injection Technique and Injected DLL Analysis Technique in Windows Environment (윈도우 환경에서의 메모리 인젝션 기술과 인젝션 된 DLL 분석 기술)

  • Hwang, Hyun-Uk; Chae, Jong-Ho; Yun, Young-Tae
    • Convergence Security Journal, v.6 no.3, pp.59-67, 2006
  • Recently, personal computer hacking and game hacking for the purpose of economic gain have increased on Windows systems. Malicious code often uses methods that inject a DLL or code into the memory of a target process in order to use covert channels for communication, bypass security products such as personal firewalls, and obtain sensitive information from the system. This paper analyzes the technique for injecting and executing code in the memory area of a target process. In addition, it analyzes the PE format and IMPORT table to extract injected DLLs from running processes on an affected system, and describes a method for extracting and analyzing explicitly loaded DLL files related to a running process. This technique is useful for finding and analyzing infected processes on an affected system.
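
The IMPORT-table approach described in the abstract above can be seen in a small parser. The following Python is an added example written for this page, not the authors' tool: it walks a PE file's headers to the import directory, lists the statically imported DLLs, and reports loaded modules that appear neither there nor in a loader baseline. The PE image, the loaded-module list (as a walk of the process's loader data would return it), the `ntdll.dll` baseline and the name `evil.dll` are all constructed for the example; the header offsets themselves follow the documented PE/COFF layout.

```python
import struct

# Field offsets follow the documented PE/COFF layout (IMAGE_DOS_HEADER, IMAGE_FILE_HEADER,
# IMAGE_OPTIONAL_HEADER32/64, IMAGE_SECTION_HEADER, IMAGE_IMPORT_DESCRIPTOR).
IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def parse_headers(pe):
    """Return (file offset of the data directory, list of sections as
    (VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData))."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = _u32(pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = _u16(pe, file_hdr + 2)
    opt_size = _u16(pe, file_hdr + 16)
    opt_hdr = file_hdr + 20
    magic = _u16(pe, opt_hdr)
    # DataDirectory starts at +96 in a PE32 (0x10B) and at +112 in a PE32+ (0x20B) optional header.
    data_dir = opt_hdr + (96 if magic == 0x10B else 112)
    sections = []
    for i in range(num_sections):
        s = opt_hdr + opt_size + 40 * i
        sections.append((_u32(pe, s + 12), _u32(pe, s + 8), _u32(pe, s + 16), _u32(pe, s + 20)))
    return data_dir, sections


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset through the section table."""
    for va, vsize, rawsize, raw in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def import_dlls(pe):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and return the statically imported DLL names."""
    data_dir, sections = parse_headers(pe)
    imp_rva = _u32(pe, data_dir + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if imp_rva == 0:
        return []
    names, off = [], rva_to_offset(sections, imp_rva)
    while True:
        if off + 20 > len(pe):
            raise ValueError("import table runs past end of file")
        name_rva = _u32(pe, off + 12)          # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                      # the array ends with an all-zero descriptor
            return names
        noff = rva_to_offset(sections, name_rva)
        names.append(pe[noff:pe.index(b"\0", noff)].decode("ascii"))
        off += 20                              # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def unexpected_modules(pe, loaded_modules, baseline=()):
    """Loaded modules explained neither by the static import table nor by a known baseline.
    Whatever is left is a candidate run-time load or injection and deserves a closer look."""
    expected = {n.lower() for n in import_dlls(pe)} | {b.lower() for b in baseline}
    return [m for m in loaded_modules if m.lower() not in expected]


def build_sample_pe():
    """Constructed minimal PE32 image for the example (not a real binary): one section that
    holds an import directory naming KERNEL32.dll and ADVAPI32.dll."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)      # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x1000, 60)
    sec = bytearray(40)
    sec[:6] = b".idata"
    struct.pack_into("<IIII", sec, 8, 0x200, 0x1000, 0x200, 0x200)           # VSize, VA, RawSize, RawPtr
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + bytes(sec)).ljust(0x200, b"\0")
    idata = bytearray(0x200)                                                  # file 0x200.. is RVA 0x1000..
    for i, name_rva in enumerate((0x1040, 0x1050)):
        struct.pack_into("<IIIII", idata, 20 * i, 0x1100, 0, 0, name_rva, 0x1180)
    idata[0x40:0x4D] = b"KERNEL32.dll\0"
    idata[0x50:0x5D] = b"ADVAPI32.dll\0"
    return headers + bytes(idata)


if __name__ == "__main__":
    image = build_sample_pe()
    print("static imports:", import_dlls(image))
    # Constructed module list as the loader would report it; evil.dll stands in for an injected DLL.
    loaded = ["ntdll.dll", "KERNEL32.dll", "ADVAPI32.dll", "evil.dll"]
    print("not explained by imports:", unexpected_modules(image, loaded, baseline=["ntdll.dll"]))
```

A module the import table does not explain is only a candidate: legitimate programs also pull in plugins and delay-loaded DLLs through LoadLibrary at run time, so the baseline should come from a known-good run of the same program, and each candidate is then extracted from process memory and examined as the abstract describes.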

Time Perception and Memory in Mild Cognitive Impairment and Alzheimer's Disease: A Preliminary Study

  • Sung-Ho Woo; Jarang Hahm; Jeong-Sug Kyong; Hang-Rai Kim; Kwang Ki Kim
    • Dementia and Neurocognitive Disorders, v.22 no.4, pp.148-157, 2023
  • Background and Purpose: Episodic memory is a system that receives and stores information about temporally dated episodes and their interrelations. Our study aimed to investigate the relevance of episodic memory to time perception, with a specific focus on simultaneity/order judgment. Methods: Experiment 1 employed the simultaneity judgment task to discern differences in time perception between patients with mild cognitive impairment or dementia and age-matched normal subjects. A mathematical analysis capable of estimating subjects' time processing was used to identify the sensory and decisional components of temporal order and simultaneity judgment. Experiment 2 examined how differences in temporal perception relate to performance in temporal order memory, in which time delays play a critical role. Results: The temporal decision windows for both temporal order and simultaneity judgments exhibited marginal differences between patients with episodic memory impairment and their healthy counterparts (p = 0.15, t(22) = 1.34). These temporal decision windows may be linked to the temporal separation of events in episodic memory (Pearson's ρ = -0.53, p = 0.05). Conclusions: Based on our findings, the frequency of visual events accumulated and encoded in the working memory system in the patient and normal groups appears to be approximately 5.7 and 11.2 Hz, respectively. According to the internal clock model, a lower frequency of event pulses tends to result in underestimation of event duration, a phenomenon that might be linked to the observed time distortions in patients with dementia.

Development of Simulator using RAM Disk for FTL Performance Analysis (RAM 디스크를 이용한 FTL 성능 분석 시뮬레이터 개발)

  • Ihm, Dong-Hyuk; Park, Seong-Mo
    • Journal of the Institute of Electronics Engineers of Korea CI, v.47 no.5, pp.35-40, 2010
  • NAND flash memory has been more widely used than traditional HDDs in PDAs and other mobile devices, embedded systems and PCs because of its faster access speed, low power consumption, vibration resistance and other benefits. DiskSim and other HDD simulators have been developed to find improvements for software or hardware, but there are few Linux-based simulators for NAND flash memory and SSDs. A Windows-based NAND flash simulator is necessary because storage devices and PCs use Windows. This paper describes the development of a simulator, NFSim, for FTL performance analysis in NAND flash. NFSim is used to measure the performance of various FTL algorithms and FTL wear-leveling. The NAND flash memory model and FTL algorithm were developed using the Windows Driver Model and classes for scalability. No other tools are needed because NFSim uses a graph tool to present the measured FTL performance data.

A Study On Artifacts Analysis In Portable Software (무 설치 프로그램에서의 사용자 행위 아티팩트 분석)

  • Taeyeong Heo; Taeshik Shon
    • Journal of Platform Technology, v.11 no.2, pp.39-53, 2023
  • A non-installation program (hereinafter referred to as a "portable program") is a program that can be used without an installation process, unlike general software. Since there is no separate installation process, portable programs have high mobility and are used in various ways. For example, when the initial setup of multiple PCs is required, a portable program can be stored on one USB drive to perform the initial setup. Alternatively, when a problem occurs with a PC and it is difficult to boot normally, Windows PE can be configured on a USB drive and portable programs stored on it for PC recovery. In addition, a portable program does not directly affect PC settings, such as changing registry values, and does not leave a trace. This means that the portable program has high security. If a portable program is deleted after use, it is difficult to analyze its behavior in the general way. If a user used a portable program for malicious behavior, analysis in the general way has limitations in collecting evidence. Therefore, portable programs require a new way of behavioral analysis that is different from that for ordinary installed software. In this paper, after installing the Windows 10 operating system on a virtual machine, we proceed with a scenario using the portable programs Opera and Notepad++. We then analyze this in various ways, such as file analysis of the operating system and memory forensics, collect information such as program execution time and frequency, and conduct a specific behavioral analysis of the user.

A study on Memory Analysis Bypass Technique and Kernel Tampering Detection (메모리 분석 우회 기법과 커널 변조 탐지 연구)

  • Lee, Haneol; Kim, Huy Kang
    • Journal of the Korea Institute of Information Security & Cryptology, v.31 no.4, pp.661-674, 2021
  • Malware such as a rootkit that modifies the kernel can adversely affect the analyst's judgment, and analysis becomes difficult or impossible if a mechanism to evade memory analysis is added. Therefore, we plan to preemptively respond to future malware such as rootkits that bypass detection through advanced kernel modification. To this end, the main structures used in the Windows kernel were analyzed from the attacker's point of view, and a method capable of modifying kernel objects was applied to tamper with the memory dump file. It is confirmed through experimentation that the result of the tampering cannot be detected by a memory analysis tool widely used worldwide. Then, from the analyst's point of view, using the concept of tamper resistance, software was built that can detect the tampering, and it is shown that areas not detected by existing memory analysis tools can be detected. Through this study, we judge it meaningful that kernel-area tampering was attempted preemptively and that insights enabling precise analysis were derived. However, there is a limitation in that the detection rules needed for precise analysis must be created manually in the software implementation.
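
The process-hiding and tampering theme running through these entries (the dump explorer that lists processes from kernel structures, the hidden-process remark in the Mac OS X entry, and the tamper-resistance idea in the abstract above) comes down to not trusting a single view of the same kernel objects. The Python below is an added example for this page, not the code of any of these papers. It uses a constructed, deliberately simplified record layout (a tag, a pid, flink/blink pointers and a name, in a flat image where virtual address equals image offset; these are not real Windows EPROCESS offsets or page-table handling) and compares a list walk against a signature scan, while also checking the doubly-linked-list back-pointer invariant. The process names, including `implant.exe`, are made up.

```python
import struct

# Constructed, deliberately simplified layout (NOT real Windows EPROCESS offsets).
# Every record is 32 bytes in a flat image where virtual address == image offset:
#   +0  tag (4 bytes: b"Proc" for a process, b"Head" for the list head)
#   +4  pid (u32)   +8  flink (u32)   +12 blink (u32)   +16 name (16 bytes, NUL padded)
REC_SIZE = 32
TAG = b"Proc"
HEAD_OFF = 0x100


def read_rec(img, off):
    tag, pid, flink, blink, raw_name = struct.unpack_from("<4sIII16s", img, off)
    return {"off": off, "tag": tag, "pid": pid, "flink": flink, "blink": blink,
            "name": raw_name.split(b"\0", 1)[0].decode()}


def write_rec(img, off, tag, pid, flink, blink, name):
    struct.pack_into("<4sIII16s", img, off, tag, pid, flink, blink, name.encode())


def walk_list(img, head=HEAD_OFF):
    """pslist-style view: follow flink from the head until the list wraps back to it.
    Also checks the doubly-linked-list invariant (X.flink).blink == X for every node."""
    procs, problems, seen = [], [], set()
    cur = struct.unpack_from("<I", img, head + 8)[0]
    while cur != head:
        if cur in seen or cur + REC_SIZE > len(img):
            problems.append(f"list loop or pointer out of range at {cur:#x}")
            break
        seen.add(cur)
        rec = read_rec(img, cur)
        if rec["flink"] + REC_SIZE > len(img):
            problems.append(f"{rec['name']} ({cur:#x}): flink {rec['flink']:#x} out of range")
            break
        back = struct.unpack_from("<I", img, rec["flink"] + 12)[0]
        if back != cur:
            problems.append(f"{rec['name']} ({cur:#x}): flink->blink is {back:#x}, expected {cur:#x}")
        procs.append(rec)
        cur = rec["flink"]
    return procs, problems


def scan_tags(img):
    """psscan-style view: carve every aligned record carrying the tag, whether linked or not."""
    found, pos = [], img.find(TAG)
    while pos != -1:
        if pos % 4 == 0 and pos + REC_SIZE <= len(img):
            found.append(read_rec(img, pos))
        pos = img.find(TAG, pos + 1)
    return found


def cross_view(img):
    """Objects found by carving but missing from the list walk are hidden; pointer
    violations found during the walk are reported alongside."""
    listed, problems = walk_list(img)
    listed_offs = {p["off"] for p in listed}
    hidden = [p for p in scan_tags(img) if p["off"] not in listed_offs]
    return {"listed": [p["name"] for p in listed],
            "hidden": [p["name"] for p in hidden],
            "problems": problems}


def build_image():
    """Constructed image: a head record and four process records in a circular list."""
    img = bytearray(0x400)
    offs = [0x200, 0x240, 0x280, 0x2C0]
    names = ["System", "lsass.exe", "implant.exe", "explorer.exe"]   # made-up sample processes
    ring = [HEAD_OFF] + offs
    write_rec(img, HEAD_OFF, b"Head", 0, ring[1], ring[-1], "")
    for i, off in enumerate(offs, start=1):
        write_rec(img, off, TAG, 4 * i, ring[(i + 1) % len(ring)], ring[i - 1], names[i - 1])
    return img


def unlink_process(img, off):
    """DKOM-style hiding: splice the record out of the list but leave the object in memory."""
    rec = read_rec(img, off)
    struct.pack_into("<I", img, rec["blink"] + 8, rec["flink"])    # prev.flink = next
    struct.pack_into("<I", img, rec["flink"] + 12, rec["blink"])   # next.blink = prev


def sloppy_unlink(img, off):
    """Same, but only the predecessor is patched; the back-pointer invariant now fails."""
    rec = read_rec(img, off)
    struct.pack_into("<I", img, rec["blink"] + 8, rec["flink"])


if __name__ == "__main__":
    img = build_image()
    print("clean image:", cross_view(img))
    unlink_process(img, 0x280)            # hide implant.exe carefully
    print("after unlink:", cross_view(img))
    img = build_image()
    sloppy_unlink(img, 0x280)             # hide it carelessly
    print("after sloppy unlink:", cross_view(img))
```

A cleanly unlinked object still appears in the carving view, and a sloppy unlink additionally violates the flink/blink invariant. An attacker who can edit the dump itself can also overwrite the carved signature, which is the situation the abstract describes; that is why detection should rest on several independent invariants (list pointers, carved signatures, and other kernel structures that reference the same object) rather than on any one of them, and why the rules for those invariants end up being written by hand.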

A kernel memory collecting method for efficient disk encryption key search (디스크 암호화 키의 효율적인 탐색을 위한 커널 메모리 수집 방법)

  • Kang, Youngbok; Hwang, Hyunuk; Kim, Kibom; Lee, Kyoungho; Kim, Minsu; Noh, Bongnam
    • Journal of the Korea Institute of Information Security & Cryptology, v.23 no.5, pp.931-938, 2013
  • It is hard to extract the original data from data encrypted with disk encryption software before obtaining the password. The encryption key of disk encryption software can be extracted using physical memory analysis. The time needed to search for encryption keys in physical memory increases with the size of memory, because the whole memory is targeted. But physical memory contains a lot of data unrelated to encryption keys, such as system kernel objects and file data. Therefore, a method is needed that extracts only the data relevant to key searching. We provide a method that collects only the parts of physical memory where disk encryption keys are stored, by analyzing the Windows kernel virtual address space. We demonstrate its superiority by showing experimentally that the suggested method reduces the encryption key search space more than the existing method.

POPeye : A System Analysis Simulator for DRAM Performance Evaluation

  • Lee, Kangmin; Yoon, Chi-Weon; Ramchan Woo; Kook, Jeong-Hun; Im, Yon-Kyun; Yoo, Hoi-Jun
    • JSTS: Journal of Semiconductor Technology and Science, v.1 no.2, pp.116-124, 2001
  • We implemented POPeye (Probe of Performance + eye), a system analysis simulator to evaluate DRAM performance in a personal computer environment. When running real-life application programs such as Microsoft Office and Paint Shop Pro on Windows, POPeye simulates the detailed transactions between a CPU and a memory system. Using this tool, we comparatively analyzed the performance of a DDR-SDRAM, a D-RDRAM and a DDR-FCRAM.

Design of the SD Protocol Analyzer (SD 프로토콜 분석기 설계)

  • Moon, Ji-Hoon; Oh, Jae-Chul
    • The Journal of the Korea Institute of Electronic Communication Sciences, v.8 no.11, pp.1697-1706, 2013
  • A protocol analyzer is used to check the proper processing of commands and data when developing SD slave IP. In this thesis, a protocol analyzer was developed for analyzing the SD protocol in a Windows environment using Visual C++. The SD protocol analyzer consists of embedded Linux software for storing SD memory data and an MFC program for analyzing it. For protocol analysis, it is designed so that the Linux software collects the data transmitted from the SD memory card to the host, and the MFC program analyzes it. It was found through experiments that the CMD types occurring when reading and writing data to an SD memory card could be confirmed using the developed board, and that the problems that occurred could be debugged.