• Title/Summary/Keyword: Digital Forensics (디지털 포렌식)


A study on an investigation procedure of digital forensics for VMware Workstation's virtual machine and a method for a corrupted image recovery (VMware Workstation 가상 머신 이미지에 대한 디지털 포렌식 조사 절차 및 손상된 이미지 복구 방안)

  • Lim, Sung-Su;Yoo, Byeong-Yeong;Park, Jung-Heum;Byun, Keun-Duck;Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.21 no.2 / pp.61-70 / 2011
  • Virtualization is a technology that uses a logical environment to overcome physical limitations in hardware. As part of cost-saving and green IT policies, businesses have recently tended to increase their adoption of such virtualization. In particular, desktop virtualization is one of the most widely used technologies at present, because it makes it possible to use various types of operating systems efficiently on a single physical computer. A virtual machine image, which is a key component of virtualization, is difficult to investigate because the structure of a virtual machine image differs from that of a hard disk image. Therefore, research is needed on an appropriate investigation procedure and method based on a technical understanding of virtual machines. In this research, we suggest a procedure for investigating a virtual machine image and a method for recovering a corrupted image of VMware Workstation, which has the largest number of users.

A Study on the Policy Measures for the Prevention of Industrial Secret Leakage in the Metaverse (메타버스 내 산업기밀 유출 대응을 위한 정책 및 제도에 관한 연구)

  • Jeon, So-Eun;Oh, Ye-Sol;Lee, Il-Gu
    • Journal of Digital Convergence / v.20 no.4 / pp.377-388 / 2022
  • Metaverse, a realistic virtual space technology, has become a hot topic. However, due to the lack of an institutional system for the metaverse environment, concerns are rising over the leakage of industrial confidential information, including digital assets produced, stored, processed, and transferred within the metaverse. Digital forensics, a technology to defend against hacking attacks in cyberspace, cannot be used in metaverse space, and there is no basis for calculating the extent of damage and tracking responsibility, making it difficult to respond effectively to human resources leakage and cyberhacking. In this paper, we define the scope of industrial confidential information and leakage scenarios, and propose policy and institutional measures based on the problems in each metaverse scenario. As a result of the study, it was found necessary to prepare a standardized law on extra-territorial search and seizure issues and a system for collecting cryptocurrency evidence in order to respond to industrial confidentiality leaks in the metaverse. The study is expected to contribute to industrial technology development by preparing in advance for problems that may arise in metaverse technology.

Forensic Decision of Median Filtering Image Using a Coefficient of Variation of Fourier Transform (Fourier 변환 변이계수를 이용한 미디언 필터링 영상의 포렌식 판정)

  • RHEE, Kang Hyeon
    • Journal of the Institute of Electronics and Information Engineers / v.52 no.8 / pp.67-73 / 2015
  • In the distribution of digital images, there is a serious problem: image alteration by a forger. To solve this problem, this paper proposes a forensic decision algorithm for a median filtering (MF) image using a feature vector based on the coefficient of variation (c.v.) of the Fourier transform. In the proposed algorithm, we first compute the Fourier transform (FT) coefficients of each row and column line of an image, then compute the c.v. between neighboring lines. Subsequently, a 10-dimensional feature vector is defined for MF detection. In the MF detection experiment, the proposed scheme is compared with the MFR (Median Filter Residual) and Rhee's MF detection schemes, both of which have the same 10-dimensional feature vector. As a result, the performance is excellent on unaltered, JPEG (QF=90), down-scaled (0.9) and up-scaled (1.1) images, and it showed good performance on the Gaussian filtered ($3{\times}3$) image. However, in the performance evaluation of all measured items of the proposed scheme, the AUC (Area Under the ROC (Receiver Operating Characteristic) Curve) obtained from the sensitivity and 1-specificity approached 1; thus, it is confirmed that the grade of the performance evaluation is rated as 'Excellent (A)'.

A Design of Timestamp Manipulation Detection Method using Storage Performance in NTFS (NTFS에서 저장장치 성능을 활용한 타임스탬프 변조 탐지 기법 설계)

  • Jong-Hwa Song;Hyun-Seob Lee
    • Journal of Internet of Things and Convergence / v.9 no.6 / pp.23-28 / 2023
  • The Windows operating system generates various logs with timestamps. Timestamp tampering is an act of anti-forensics in which a suspect manipulates the timestamps of data related to a crime to conceal traces, making it difficult for analysts to reconstruct the situation of the incident. This can delay investigations or lead to the failure to obtain crucial digital evidence. Therefore, various techniques have been developed to detect timestamp tampering. However, detection is limited if a suspect is aware of timestamp patterns and manipulates timestamps skillfully, or alters the system artifacts used in timestamp tampering detection. In this paper, a method is designed to detect changes in timestamps based on the fact that, even if a suspect alters the timestamp of a file on a storage device, it is challenging to do so with precision beyond the millisecond order. In the proposed detection method, the first step is to verify the timestamp of a file suspected of tampering to determine its write time. Subsequently, the confirmed time is compared with the file size recorded within that time, taking into consideration the performance of the storage device. Finally, the total capacity of files written at a specific time is calculated and compared with the maximum input and output performance of the storage device to detect any potential file tampering.

A Study on Forgery Techniques of Smartphone Voice Recording File Structure and Metadata (스마트폰 음성녹음 파일 구조 및 메타데이터의 위변조 기법에 관한 연구)

  • Park, Jae Wan;Kwak, Won Jun;Lee, John Sanghyun
    • The Journal of the Convergence on Culture Technology / v.8 no.6 / pp.807-812 / 2022
  • Recently, as the number of voice recording files submitted as court evidence increases, the number of cases claiming forgery is also increasing. If the audio recording file structure and metadata, which are the objective grounds, are completely forged, it is actually impossible to detect forgery of a sophisticated audio recording file. It is extremely rare for a court to reject the file structure and metadata analysis performed on a forged audio recording file. The purpose of this study is to prove that forgery of voice recording file structure and metadata is easily possible. To this end, this study shows that forgery detection is impossible when the 'mixed paste' function, which enables sophisticated editing based on the typification of editing methods for voice recording files, is applied. Moreover, it has been proven through experiments that forgery of file structure and metadata is possible. Therefore, a stricter standard for judging the admissibility of evidence is required when an audio recording file is adopted as digital evidence. This study will not only contribute to the standard of integrity applied by judges when adopting digital evidence, but will also contribute to methods of constructing datasets for the artificial intelligence detection of forged recording files that is expected to be developed in the future.

Process of Collection for a Removable Storage Device Image Using a Software (소프트웨어를 이용한 이동식 저장매체 이미지 수집 절차)

  • Baek, Hyun Woo;Jeon, Sang Jun;Lee, Sang Jin
    • KIPS Transactions on Computer and Communication Systems / v.6 no.1 / pp.17-24 / 2017
  • As removable storage devices have become prevalent, critical intelligence is often stored on them. For that reason, in search and seizure, a removable device has become important evidence, since it may hold a salient key to proving a crime. When we acquire a removable device as proof, we image it with an imaging device or with software under write protection. However, these are high-priced dedicated pieces of equipment, and sometimes they are out of order. In addition, we found that some secure USB devices and USB devices with built-in vaccine (antivirus) software fail to connect to the imaging device. Therefore, in this paper, we provide a digital evidence collection procedure suitable for real cases.

Comparison of Remaining Data According to Deletion Events on Microsoft SQL Server (Microsoft SQL Server 삭제 이벤트의 데이터 잔존 비교)

  • Shin, Jiho
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.2 / pp.223-232 / 2017
  • Previous research on data recovery in Microsoft SQL Server has focused on restoring data based on the transaction log, in which deleted records might still exist. However, there was a limitation: this was not applicable if the related transaction log did not exist or the physical database file was not attached to the server. Since a suspect at a crime scene may delete data records using deletion statements other than "delete", we need to check the remaining data and the possibility of recovering the deleted records. In this paper, we examined the changes in the "Page Allocation information" of the table, the "Unallocated deleted data", and the "Row Offset Array" in the page according to "delete", "truncate" and "drop" events. Finally, we confirmed the possibility of data recovery and the availability of management tools in Microsoft SQL Server digital forensic investigation.

A Study on Hacking E-Mail Detection using Indicators of Compromise (침해지표를 활용한 해킹 이메일 탐지에 관한 연구)

  • Lee, Hoo-Ki
    • Convergence Security Journal / v.20 no.3 / pp.21-28 / 2020
  • In recent years, hacking and malware techniques have evolved to become sophisticated and complex, and numerous cyber-attacks are constantly occurring in various fields. Among them, the most widely used route for compromise incidents such as information leakage and system destruction was found to be e-mail. In particular, it is still difficult to detect and identify e-mail APT attacks that employ zero-day vulnerabilities and social engineering hacking techniques by signature detection and dynamic analysis alone. Thus, there has been increased demand for indicators of compromise (IOC) to identify the causes of malicious activities and to respond quickly to similar compromise incidents by sharing the information. In this study, we propose a method of extracting the various forensic artifacts required for detecting and investigating hacking e-mails, which account for a large portion of the damage in security incidents. To achieve this, we employed a digital forensic indicator method that was previously utilized to collect information on client-side incidents.

MFT-based Forensic Evidence File Search Method Using Direct Access to Physical Sector of Hard Disk Drive (하드디스크의 물리적 섹터 접근 방법을 이용한 MFT기반 증거 파일 탐색 기법)

  • Kim, Yo-Sik;Choi, Myeong-Ryeol;Chang, Tae-Joo;Ryou, Jae-Cheol
    • Convergence Security Journal / v.8 no.4 / pp.65-71 / 2008
  • As the capacity of hard disk drives increases day by day, the amount of data that forensic investigators must analyze is also increasing. This trend requires tremendous time and effort in determining which files are important as evidence on computers. Using the file system APIs provided by the Windows system is the easy way to identify those files. This method, however, requires a large amount of time as the number of files increases, and it changes the access time of the files. Moreover, some files cannot be accessed because they are in use by the operating system. To resolve these problems, forensic analysis should be conducted using the Master File Table (MFT). In this paper, we implement a file access program that interprets the MFT information in the NTFS file system. We also extensively compare the program with the previous method. Experimental results show that the presented program reduces the file access time compared with the others. As a result, the file access method using MFT information is forensically sound and also reduces investigation time.


A Study on the International Research Trends in Electronic Records Management: InterPARES 3 and ITrust Achievements (전자기록관리에 대한 국제 연구 동향 분석 - InterPARES 3와 ITrust 성과물을 중심으로 -)

  • Park, Ok nam;Park, Heejin
    • Journal of Korean Society of Archives and Records Management / v.16 no.1 / pp.89-120 / 2016
  • This study aims to understand the concept and changes of the records management of InterPARES based on an analysis of the background, main research interests, and major achievements of IP3 and ITrust. To this end, this study conducted a content analysis of IP3 and ITrust to derive the main keywords. This study also utilized word clouds from IP project titles. In addition, a comparative analysis of IP3 and ITrust was conducted based on environment, scope, core research areas, keywords, objectives, and records management life cycle perspectives. The research identified that InterPARES research was widely expanding the content and subject areas of the study: 1) to apply across the life cycle, as well as to long-term preservation; 2) to focus on the concept of trust as well as the concept of authenticity; and 3) to include the concepts of the Internet, digital forensics, and open government along with electronic records.