• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.3
• /
• pp.405-415
• /
• 2020

With the increase in smartphone user, mobile forensics has become an essential element in modern digital forensic investigation. Mobile messenger data is very important data in mobile forensics because it can acquire information such as user's life pattern and mental state. In order to analyze messenger data, a decryption technique of an encrypted messenger data is required. Since most messengers provide a message deleting function, a technique for recovering deleted messages is required. WeChat Messenger, a messenger used by about 1 billion people around the world, uses IMEI (International Mobile Equipment Identity) information to encrypt data and provides message deletion function. In this paper, we propose a data decryption method in the absence of IMEI information and propose a method for recovering deleted messages using FTS (Full Text Search) database created for full-text search function of SQLite database.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.3
• /
• pp.397-403
• /
• 2020

With the convenience of real-time conversation, multimedia file and contact sharing services, most people use instant messenger, and its usage time is increasing. Because the messengers contain a lot of user behavior information data, in the digital forensic investigation, they can be very useful evidence to identify user behavior. However, some of useful data can be difficult to acquire or recognize because they are encrypted or deleted. Thus, in order to use the messenger data as evidence, the study of message decryption process and message recovery is essential. In this paper, we analyze the database encryption process of the instant messenger, MalangMalang Talkafe, and propose the method to decrypt it. In addition, we propose the methods to identify the deleted messages and recover from the volatile memory area.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.2
• /
• pp.285-294
• /
• 2014

As the utilization rate of smart device increases, various applications for smart device have been developed. Since these applications can contain important data related to user behaviors in digital forensic perspective, the analysis of them should be conducted in advance. However, lots of applications get to have new data format or type when they are updated. Therefore, whether the applications are updated or not should be checked one by one, and if they are, whether their data are changed should be also analyzed. But observing application data repeatedly is a time-consuming task, and that is why the effective method for dealing with this problem is needed. This paper suggests the automatic system which gets updated information and checks changed data by collecting application information.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.2
• /
• pp.345-352
• /
• 2014

As the utilization rate of smart device increases, various applications for smart device have been developed. Since these applications can contain important data related to user behaviors in digital forensic perspective, the analysis of them should be conducted in advance. However, lots of applications get to have new data format or type when they are updated. Therefore, whether the applications are updated or not should be checked one by one, and if they are, whether their data are changed should be also analyzed. But observing application data repeatedly is a time-consuming task, and that is why the effective method for dealing with this problem is needed. This paper suggests the automatic system which gets updated information and checks changed data by collecting application information.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2009.10a
• /
• pp.387-390
• /
• 2009

Digital devices that apply Ubiquitous-IT Convergence in ship manufacture are used as ship automation device. Need sailing data recording of ship black box that equip integrity and consecutiveness as legal confesser fare that inquire responsibility whereabouts of disaster such as fire of ship. It is research that create Forensic data from ship black box using Multidimensional networking that use ZigBee radio short distance communications division Wireless LAN with short distance RFID sensor that is used in ship in this treatise, UWB communication, GPS and artificial satellite. Sailing recording of shipping that is recorded to black box is transmited, and stores doubly by real time on ship insurance company and ship administration recording membrane using SHA-1 hash function and secure consecutiveness and integrity as Forensic data through artificial satellite encoding by 3DES 1024bit.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.4
• /
• pp.835-845
• /
• 2019

File Carving is a technique for attempting to recover a file without metadata, such as a formated storage media or a damaged file system, and generally looks for a specific header / footer signature and data structure of the file. However, file carving is faced with the problem of recovering fragmented files for a long time, and it is very important to propose a solution for digital forensics because important files are relatively fragmented. To overcome these limitations, various carving techniques and tools are continuously being developed, and data sets from various researches and institutions are provided for functional verification. However, existing data sets are ineffective in verifying tools because of their limited environmental conditions. Therefore, this paper refers to the importance of fragmented file carving and develops 16 images for carving tool verification based on scenarios. The developed images' carving rate and accuracy of each media is shown through Foremost which is well known as a commercial carving tool.

• The Journal of Korean Institute of Information Technology
• /
• v.17 no.8
• /
• pp.11-19
• /
• 2019

Against advanced image-related crimes, a high level of digital forensic methods is required. However, feature-based methods are difficult to respond to new device features by utilizing human-designed features, and deep learning-based methods should improve accuracy. This paper proposes a deep learning model to identify camera models based on DenseNet, the recent technology in the deep learning model field. To extract camera sensor features, a HPF feature extraction filter was applied. For camera model identification, we modified the number of hierarchical iterations and eliminated the Bottleneck layer and compression processing used to reduce computation. The proposed model was analyzed using the Dresden database and achieved an accuracy of 99.65% for 14 camera models. We achieved higher accuracy than previous studies and overcome their disadvantages with low accuracy for the same manufacturer.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2022.05a
• /
• pp.184-186
• /
• 2022

Recently, as interest in personal information protection has increased, various apps for personal information protection have emerged. These apps protect data in various formats, such as photos, videos, and documents containing personal information, using encryption and hide functions. These apps can have a positive effect on personal information protection, but in digital forensics, they act as anti-forensic because they can be difficult to analyze data during the investigation process. In this paper, finds out PIN, an access control function, through reverse engineering on Calculator - photo vault, one of the personal information protection apps, and files such as photos and documents to which encryption and hide were applied. In addition, the vulnerability to this app was analyzed by research decryption for database files where logs for encrypted and hide files are stored.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.5
• /
• pp.753-760
• /
• 2023

KakaoTalk has the highest market share among domestic messengers. As such, KakaoTalk's conversation content is an important evidence in digital forensics, and the conversation is stored in the form of an encrypted database on a user's device. In addition, macOS has the characteristic that it is difficult to access because the disk encryption function is basically activated. The decryption method of the KakaoTalk database for Windows has been studied, but the decryption method has not been studied for KakaoTalk for macOS. In this paper, research the decryption method of the KakaoTalk database for macOS and a way to Brute-Force plan using the characteristics of KakaoTalk's UserID and compare it with KakaoTalk for Windows to examine the commonalities and differences. The results of this paper are expected to be used to analyze users' actions and events when investigating crimes using macOS.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.5
• /
• pp.737-751
• /
• 2023

The importance of digital forensics in the cloud environment is increasing as businesses and individuals move their data from On-premise to the cloud. Cloud data can be stored on various devices, including mobile devices and desktops, and encompasses a variety of user behavior artifacts, such as information generated from linked accounts and cloud services. However, there are limitations in securing and analyzing digital evidence due to environmental constraints of the cloud, such as distributed storage of data and lack of artifact linkage. One solution to address this is archiving services, and Google's Takeout is prime example. In this paper, user behavior data is analyzed for cloud forensics based on archiving data and necessary items are selected from an investigation perspective. Additionally, we propose the process of analyzing selectively collected data based on time information and utilizing web-based visualization to meaningfully assess artifact associations and multi-behaviors. Through this, we aim to demonstrate the value of utilizing archiving data in response to the increasing significance of evidence collection for cloud data.