
Analysis of File Time Change by File Manipulation of Linux System


  • Received : 2016.05.02
  • Accepted : 2016.06.10
  • Published : 2016.06.30

Abstract

File time information has significant meaning in digital forensic investigation. The file time information that can be obtained in the Linux Ext4 (Extended File System 4) environment consists of the Access Time, Modification Time, Inode Change Time, Deletion Time and Creation Time. These times change in different ways under user manipulations such as creation, copying and editing, so a study of how file times change with each action is necessary for evidence analysis. This paper analyzes the time information of files and folders resulting from various user manipulations in the Linux Ext4 environment and, using these results, studies ways to determine the actual time of a malware infection and whether a file has been tampered with.
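The following script is an added example, not code from the paper: it performs the manipulations the abstract mentions (create, edit, read, copy, and an explicit back-dating of the modification time) on a throwaway file and records which of the three stat(2) timestamps (access, modification and inode change time) moved at each step. It assumes a Linux filesystem such as ext4 or tmpfs; creation time is not exposed through `os.stat()` on Linux and deletion time lives only in the freed inode, so both are left out. The read step is reported but its outcome depends on the mount's atime policy (relatime vs. noatime), so a practitioner should not rely on it.

```python
# Added example (not from the paper): observe how atime/mtime/ctime react to
# the file manipulations the abstract lists, and flag an mtime that is
# implausibly older than ctime. Assumes a Linux filesystem such as ext4 or
# tmpfs; creation time (crtime) is not exposed through os.stat() on Linux,
# so it is omitted here.
import os
import shutil
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class FileTimes:
    atime_ns: int
    mtime_ns: int
    ctime_ns: int


def read_times(path):
    """Read the three timestamps that stat(2) exposes, in nanoseconds."""
    st = os.stat(path)
    return FileTimes(st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns)


def changed_fields(before, after):
    """Names of the timestamps that differ between two readings, sorted."""
    return sorted(
        name[:-3] for name in ("atime_ns", "mtime_ns", "ctime_ns")
        if getattr(before, name) != getattr(after, name)
    )


def mtime_older_than_ctime(times, slack_s=1.0):
    """ctime is stamped by the kernel and cannot be chosen via utime(2); mtime can.
    An mtime far earlier than ctime means the mtime was either preserved
    (e.g. cp -p / shutil.copy2) or set explicitly, so the file merits review."""
    return times.mtime_ns + int(slack_s * 1e9) < times.ctime_ns


def run_scenario(workdir=None, pause_s=0.05):
    """Create, edit, read, copy and back-date a file; return which timestamps
    changed at each step, plus the tamper flag on the back-dated file."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return run_scenario(tmp, pause_s)

    path = os.path.join(workdir, "evidence.txt")   # constructed sample file
    results = {}

    # create: all three timestamps are set to "now"
    with open(path, "w") as fh:
        fh.write("original content\n")
    created = read_times(path)
    time.sleep(pause_s)   # keep successive steps in different clock ticks

    # edit (append): mtime and ctime move together, atime does not
    with open(path, "a") as fh:
        fh.write("appended line\n")
    edited = read_times(path)
    results["edit"] = changed_fields(created, edited)
    results["edit_flag"] = mtime_older_than_ctime(edited)
    time.sleep(pause_s)

    # read: whether atime moves depends on the mount option (relatime updates
    # it here because atime is older than mtime; noatime never does)
    with open(path) as fh:
        fh.read()
    after_read = read_times(path)
    results["read"] = changed_fields(edited, after_read)
    time.sleep(pause_s)

    # copy with metadata preserved (cp -p style): atime/mtime are carried over
    # from the source, but the new inode's ctime is "now"
    copy_path = os.path.join(workdir, "evidence_copy.txt")
    shutil.copy2(path, copy_path)
    results["copy2"] = changed_fields(read_times(path), read_times(copy_path))
    time.sleep(pause_s)

    # back-date: utime() lets the owner choose atime and mtime, but the kernel
    # stamps ctime with the real time of that change
    before_backdate = read_times(path)
    thirty_days_ago = time.time() - 30 * 86400
    os.utime(path, (thirty_days_ago, thirty_days_ago))
    backdated = read_times(path)
    results["backdate"] = changed_fields(before_backdate, backdated)
    results["backdate_flag"] = mtime_older_than_ctime(backdated)
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step:14s} {outcome}")
```

The back-dated file is the case the abstract's tamper check targets: its modification time claims to be a month old while the inode change time records the moment the timestamps were rewritten. A preserved-metadata copy produces the same mtime-before-ctime pattern, so the flag marks files for closer inspection rather than proving manipulation on its own.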
