• Title/Summary/Keyword: digital file usage traces

Search results: 8

A Digital Forensic Analysis for Mac OS X Main Artifacts (Analysis of Mac OS X Usage Traces from a Digital Forensics Perspective)

  • Choi, Ji-Sung; Jeon, Sang-Jun; Park, Jung-Heum; Lee, Sang-jin
  • Proceedings of the Korea Information Processing Society Conference / 2011.11a / pp.846-849 / 2011
  • Recently, along with the high adoption rate of the iPhone and iPad, interest in Apple's Mac product line has also increased. This means that, together with the growing usage rate of Apple's operating system Mac OS X, the importance of Mac OS X in digital forensic investigation environments is increasing. From a digital forensic perspective, Mac OS X contains major artifacts that record the user's usage information. External storage device connection information, application installation information, user authentication information, and application configuration information are representative artifacts, and this information is left in log files at specific locations. This paper analyzes the files in which usage trace information remains for the representative artifacts of Mac OS X so that they can be used in digital forensic investigations.

Study on Recovery Techniques for the Deleted or Damaged Event Log(EVTX) Files (A Study on Recovery Techniques for Deleted or Damaged Event Log (EVTX) Files)

  • Shin, Yonghak; Cheon, Junyoung; Kim, Jongsung
  • Journal of the Korea Institute of Information Security & Cryptology / v.26 no.2 / pp.387-396 / 2016
  • As the number of people using digital devices has increased, digital forensics, which aims at finding clues for crimes in digital data, has been developed and become more important, especially in court. Together with the development of digital forensics, anti-forensics, which aims at thwarting digital forensics, has also been developed. As an example, with anti-forensic technology the criminal would delete digital evidence without which the investigator would find it hard to find any clue for crimes. In such a case, recovery techniques for deleted or damaged information will be very important in the field of digital forensics. Until now, even though EVTX (event log)-based recovery techniques for deleted files have been presented, there has been no study to retrieve event log data itself. In this paper, we propose some recovery algorithms for deleted or damaged event log files and show through experiments that our recovery algorithms have a high success rate.

Simplified Forensic Analysis Using List of Deleted Files in IoT Environment (Simplifying Forensic Analysis Using a List of Deleted Files in an IoT Environment)

  • Lim, Jeong-Hyeon; Lee, Keun-Ho
  • Journal of Internet of Things and Convergence / v.5 no.1 / pp.35-39 / 2019
  • With the rapid development of the information society, the use of digital devices has increased dramatically and the importance of technology for analyzing them has increased. Digital evidence is stored in many places such as Prefetch, Recent, Registry, and Event Log even if the user has deleted it. Therefore, there is a disadvantage that the forensic analyst cannot grasp the files used by the user at the beginning. Therefore, in this paper, we propose a method in which a RemoveList folder exists so that the user can grasp the information of the deleted file first, and the information about the deleted file is automatically saved using AES in RemoveList. Through this, it can be expected that the analyst can alleviate the difficulty of initially grasping the user's PC.

The Trace Analysis of SaaS from a Client's Perspective (Analysis of SaaS Usage Traces from the Client's Perspective)

  • Kang, Sung-Lim; Park, Jung-Heum; Lee, Sang-Jin
  • The KIPS Transactions: Part C / v.19C no.1 / pp.1-8 / 2012
  • Recently, due to the development of broadband, there is a significant increase in utilizing on-demand SaaS (Software as a Service), which takes advantage of the technology. Nevertheless, the academic and practical levels of digital forensics have not yet been established in the cloud computing environment. In addition, the data of user behavior is not likely to be stored on the local system. The relevant data may be stored across various remote servers. Therefore, investigators may encounter some problems in performing digital forensics in the cloud computing environment. It is important to analyze History files, Cookie files, Temporary Internet Files, physical memory, etc. from the viewpoint of the client, since SaaS basically uses the web to connect to the internet service. In this paper, we propose a method that analyzes the usage traces of SaaS, which is one of the most popular cloud computing services.

Design and Implementation of Analysis Techniques for Fragmented Pages in the Flash Memory Image of Smartphones (Analysis Techniques and Implementation for Fragmented Pages in Smartphone Flash Memory Images)

  • Park, Jung-Heum; Chung, Hyun-Ji; Lee, Sang-Jin; Son, Young-Dong
  • Journal of the Korea Institute of Information Security & Cryptology / v.22 no.4 / pp.827-839 / 2012
  • A cell phone is very close to the user and therefore should be considered in digital forensic investigation. Recently, the proportion of smartphone owners is increasing dramatically. Unlike the feature phone, users can utilize various mobile applications on a smartphone because it has a high-performance operating system (e.g., Android, iOS). As acquisition and analysis of user data on smartphones are more important for digital forensic purposes, smartphone forensics has been studied actively. There are two ways to do smartphone forensics. The first way is to extract the user's data using the backup and debugging functions of smartphones. The second way is to get root permission and acquire an image of the flash memory. It is then possible to reconstruct the filesystem, such as YAFFS, EXT, RFS, or HFS+, and analyze it. However, these methods are not suitable for recovering and analyzing deleted data from smartphones. This paper introduces analysis techniques for fragmented flash memory pages in smartphones. In particular, this paper demonstrates analysis techniques on images for which reconstruction of the filesystem is impossible because the spare area of the flash memory pages does not exist, and on pages in the unallocated area of the filesystem.

A Study of Acquisition and Analysis on the Bios Firmware Image File in the Digital Forensics (A Study on Collecting and Analyzing BIOS Firmware Image Files from a Digital Forensics Perspective)

  • Jeong, Seung Hoon; Lee, Yun Ho; Lee, Sang Jin
  • KIPS Transactions on Computer and Communication Systems / v.5 no.12 / pp.491-498 / 2016
  • Recently, leakages of confidential information and internal data have been steadily increasing through the use of booting techniques on portable OSes such as Windows PE stored on portable storage devices (USB or CD/DVD, etc.). This method allows bypassing security software such as USB security or media control solutions installed on the target PC, to extract data or insert malicious code by mounting the PC's storage devices after booting up the portable OS. Also, this booting method does not record a log file such as traces of removable storage devices. Thus it is difficult to identify whether the data are leaked and to use trace-back techniques. This paper proposes a method to help facilitate the process of digital forensic investigation or audit of a company by collecting and analyzing BIOS firmware images, which record data relating to BIOS settings in flash memory, and finding traces of portable storage devices that can be regarded as abnormal events.

Digital Camera Identification Based on Interpolation Pattern Used Lens Distortion Correction (A Camera Identification Method by Extracting the Interpolation Pattern Used in Digital Camera Lens Distortion Correction)

  • Hwang, Min-Gu; Kim, Dong-Min; Har, Dong-Hwan
  • Journal of Internet Computing and Services / v.13 no.3 / pp.49-59 / 2012
  • Throughout the development of digital technology, reproduction of images is growing better day by day. At the same time, diverse image editing software has been developed to manage images easily. In the process of editing images, those programs could delete or modify EXIF data, which holds the original image information; therefore images without the origin source are widely spread on websites after editing. This matter could affect the analysis of images due to the distortion of originality. Especially in a court of law, the source of evidence should be expressed clearly; therefore a digital image without an EXIF file free of deletion or distortion could not be objective evidence. In this research, we try to trace the identification of a digital camera in order to solve the originality of digital images, and we also focus on the lens distortion correction algorithm which is used in digital image processing. Lens distortion correction uses a mapping algorithm, and at this moment it also uses an interpolation algorithm to prevent aliasing artifacts and reconstruction artifacts. At this point interpolation shows a similar mapping pattern; therefore we want to find the interpolation evidence. We propose a minimum filter algorithm in order to detect the interpolation pattern and apply the same minimum filter coefficient in two areas: one has interpolation and the second has no interpolation. Through the DFT, we confirm the frequency character of each area. Based on this result, we make the final detection map by using the differences between the two areas. In other words, the area which has the interpolation caused by mapping is adjusted using the minimum filter for the detection algorithm, while the second area, which has no interpolation, tends to have a different frequency character.

Integrity verification of VM data collected in private cloud environment and reliability verification of related forensic tools (Proving the Integrity of VM Data Collected in a Private Cloud Environment and Verifying the Reliability of Related Forensic Tools)

  • Kim, Deunghwa; Jang, Sanghee; Park, Jungheum; Kang, Cheulhoon; Lee, Sangjin
  • Journal of the Korea Institute of Information Security & Cryptology / v.23 no.2 / pp.223-230 / 2013
  • Recently, a large number of corporations are adopting cloud solutions in order to reduce IT-related costs. However, digital traces should have admissibility to be accepted as digital evidence in court, and integrity is one of the factors for admissibility. In this context, this research implemented an integrity verification test on VM data which was collected by well-known private cloud solutions such as Citrix, VMware, and MS Hyper-V. This paper suggests an effective way to verify the integrity of VM data collected in a private cloud computing environment based on the experiment, and introduces the error that EnCase fails to mount VHD (Virtual Hard Disk) files properly.