Analyzing Past User History through Recovering Deleted $UsnJrnl file

  • Kim, Dong-Geon (Department of Electrical and Semiconductor Engineering, Chungbuk National University)
  • Park, Seok-Hyeon (Department of Computer Science, Chungbuk National University)
  • Jo, Ohyun (Department of Computer Science, Chungbuk National University)
  • Received : 2020.04.22
  • Accepted : 2020.05.20
  • Published : 2020.05.28

Abstract

These days, digital forensic technologies are used frequently at crime scenes. Various electronic devices are present at the scene of a crime, and the digital forensic results obtained from these devices are used as important evidence. In particular, the user's actions and the times at which those actions took place are critical. However, there are many limitations on their use in real forensic analyses because of the short cycle in which user actions are recorded. This paper proposes an efficient method for recovering deleted user behavior records and applying them to forensic investigations, and compares the proposed method with previous methods. Although recovery results differ depending on the storage, the results show that the amount of user history data increases from a minimum of 6% to a maximum of 539% when the recovered user behavior is utilized in a forensic investigation.

Recently, digital crime investigation has been used at many crime scenes. Various electronic devices exist at a crime scene, and the digital forensics results from these devices are used as important evidence. In particular, in digital forensics, the user's actions and the time at which those actions occurred are very important information. However, the period over which user actions are recorded is short, and this characteristic acts as a limiting factor in actual digital forensics. In this paper, deleted user action records were recovered and applied to digital forensics, and the differences from the previous investigation method were compared. Although recovery results differ depending on the storage, when the recovered user actions are utilized in digital forensics, the results show that user activity records increase by a minimum of 6% up to a maximum of 539%.
