• Title/Summary/Keyword: Android forensics

File Carving for Ext4 File System on Android OS (안드로이드 운영체제의 Ext4 파일 시스템에서 삭제 파일 카빙 기법)

  • Kim, Dohyun;Park, Jungheum;Lee, Sangjin
    • Journal of the Korea Institute of Information Security & Cryptology / v.23 no.3 / pp.417-429 / 2013
  • Many operating systems (OS) such as Linux and Android have selected Ext4 as their official file system. Therefore, the recovery of deleted files from Ext4 is becoming a pending issue. In this paper, we suggest how to recover deleted files by analyzing the entire structure of the Ext4 file system, the metadata area, and the distinct features observed when a file is assigned and deleted. In particular, we focus on the features of files assigned in the Ext4 file system on Android OS and also suggest a method to recover deleted, fragmented files from the unallocated area.

Instagram Users Behavior Analysis in a Digital Forensic Perspective (디지털 포렌식 관점에서의 인스타그램 사용자 행위 분석)

  • Seo, Seunghee;Kim, Yeog;Lee, Changhoon
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.2 / pp.407-416 / 2018
  • Instagram is a Social Network Service (SNS) that has recently become popular among people of all ages, and it lets people construct social relations and share hobbies, daily routines, and useful information. However, since the uploaded information can be accessed by arbitrary users and is easily shared with others, fraud, stalking, misrepresentation, impersonation, copyright infringement and malware distribution have been reported. For this reason, it is necessary to analyze Instagram from the viewpoint of digital forensics, but the research involved is very insufficient. So in this paper, we performed reverse engineering and dynamic analysis of Instagram from the viewpoint of digital forensics in the Android environment. As a result, we checked three database files that contain user behavior analysis data such as chat content, chat targets, posted photos, and cookie information. We also found the path to save 4 files and the xml file to save various data. We also propose ways to use the above results in digital forensics.

Forensic Analysis of chatting messenger service in KakaoTalk and Comparison Study of KakaoTalk and WhatsApp Artifacts (KakaoTalk의 채팅 메시지 포렌식 분석 연구 및 WhatsApp의 Artifacts 와의 비교 분석)

  • Yoon, JongCheol;Park, Yongsuk
    • Journal of the Korea Institute of Information and Communication Engineering / v.20 no.4 / pp.777-785 / 2016
  • IM (Instant Messenger) chatting services can carry various information about the user, including lifestyle, geographical position, and psychology & crime history, and thus forensic analysis of IM services is desirable. However, forensic analysis of KakaoTalk's chatting service is not well studied yet. For this reason, we study KakaoTalk's forensic analysis, focusing on the chatting service. This paper first details a general method of IM forensics by investigating the previous articles about IM forensics, although there are not many articles. Second, we discuss methodologies for IM forensics, wherein we present an analysis of the table structure and a method for reconstruction of chatting messages. These result in the basic element of forensic tools for KakaoTalk chatting messages. Last, we compare the artifacts of KakaoTalk with those of WhatsApp. We conclude that these applications are, at least, different in that the table structures and the ways to reconstruct chatting messages are not the same, and therefore the digital evidence or artifacts are not the same and somewhat distinct.

Artifacts Analysis of Users Behavior in Korea Random Chat Application (국내 랜덤 챗 어플리케이션에서 사용자의 행위에 따른 아티팩트 분석)

  • Seo, Seunghee;Nam, Gihoon;Kim, Yeog;Lee, Changhoon
    • Journal of Digital Forensics / v.12 no.3 / pp.1-8 / 2018
  • A random chat application is a type of social dating application that helps people find a lover or spouse by randomly connecting them and providing services such as text, voice and video chat. Recently, there has been a rapid global increase in its use because it provides people with quick and convenient encounters at low cost. However, it is used as a means of prostitution or drug trading and has become a cause of violent crimes, due to various crimes occurring after actual meetings between app users. For this reason, a random chat application is likely to provide proof of prostitution or drug trade and clues to arrest rape, kidnapping and murder suspects. Thus, it is necessary to analyse random chat applications from the viewpoint of digital forensics investigation, but there is no related research at all. Therefore, in this paper, we analyzed artifacts of user behaviors in 6 Korean random chat applications: Ranchat, AngTalk, SsumgThing, DaTalk, EveryTalk and Sail. As a result, we found that the time and contents of message transmission/reception, the sender/receiver, friend profiles and the user account creation time remain on the mobile device when the user is using the applications.

A Study on Geodata Trace of Navigation Application in Smart Devices (스마트 기기에 설치된 내비게이션 어플리케이션의 위치 정보 흔적 연구)

  • Yeon, KyuChul;Kim, Moon-Ho;Kim, Dohyun;Lee, Sang-jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.26 no.1 / pp.109-115 / 2016
  • Nowadays, smart devices are the target of digital forensic investigation. Among various smart devices, we can obtain much information from smartphones, which are provided with continuous power and used for data communication. This paper deals with the traces left in Android smartphones after using navigation applications with the GPS function. We selected navigation applications (domestic and overseas) that have a high number of downloads, analyzed them, and discussed the meaning of the analysis results in digital forensic investigation.

A Method of Internal Information Acquisition of Smartphones (스마트폰 내부 정보 추출 방법)

  • Lee, Yunho;Lee, Sangjin
    • Journal of the Korea Institute of Information Security & Cryptology / v.23 no.6 / pp.1057-1067 / 2013
  • The market share of smartphones has been increasing more and more in the recent mobile market, and smart devices and applications that are based on a variety of operating systems have been released. Given this reality, the importance of smart device analysis is coming to the fore, and the most important thing is to minimize data corruption when extracting data from the device in order to analyze user behavior. In this paper, we compare and analyze the area-specific changes in the file system of the collected image after obtaining root privileges on Android OS and iOS based devices, and then propose the most efficient method to obtain root privileges.

On Artifact Analysis for User Behaviors in Collaboration Tools - Using differential forensics for distinct operating environments (협업 툴의 사용자 행위별 아티팩트 분석 연구 - 운영환경에 따른 differential forensic 개념을 이용하여)

  • Kim, Young-hoon;Kwon, Tae-kyoung
    • Journal of the Korea Institute of Information Security & Cryptology / v.31 no.3 / pp.353-363 / 2021
  • As the Untact era is rapidly changing, collaboration tools are increasing their utilization and value as digital technologies for non-face-to-face work. While instant messenger-based collaboration tools support a variety of functions, crime and accident concerns are also increasing in proportion to their convenience, such as information leakage and security incidents. Meanwhile, the digital forensics perspective on collaborative tools is not enough, so forensics research is needed. This study analyzes significant artifacts in the two operating environments through Windows and Android forensics research on Microsoft Teams, the collaboration tool with the highest share in the world. Also, based on differences in artifacts and data attributes according to the operating environment, by applying 'differential forensic', we proved that the usefulness of evidence can be improved by presenting a complementary analysis method and timeline configuration through information linkage.

Forensic Analysis of HEIF Files on Android and Apple Devices (스마트폰에서 촬영된 HEIF 파일 특징 분석에 관한 연구)

  • Kwon, Youngjin;Bang, Sumin;Han, Jaehyeok;Lee, Sangjin
    • KIPS Transactions on Software and Data Engineering / v.10 no.10 / pp.421-428 / 2021
  • The High Efficiency Image File Format (HEIF) is an MPEG-developed image format that utilizes the video codec H.265 to store still screens in a single image format. The iPhone has been using HEIF since 2017, and Android devices such as the Galaxy S10 have also supported the format since 2019. The format can provide images with good compression rates, but it has a complex internal structure and lacks significant compatibility between devices and software, so it has not become popular enough to replace the commonly used JPEG (or JPG) files. However, despite the fact that many devices are already using HEIF, digital forensics research regarding it is lacking. This means that we can be exposed to the risk of missing potential evidence due to insufficient understanding of the information contained inside the file during digital forensics investigations. Therefore, in this paper, we analyze the HEIF formatted photo file taken on the iPhone and the motion photo file taken on the Galaxy to find out the information and features contained inside the file. We also investigate whether or not the software we tested supports HEIF and present the requirements for forensic tools to analyze HEIF.

Analysis of CMC Call used in Voice Phishing & Artifact from the perspective of investigation (수사 관점에서의 보이스피싱에 활용되는 CMC 기능 및 아티팩트 분석)

  • Min-Jung Yoo;Seung-hyun Park;Seong-Min Kim
    • Proceedings of the Korea Information Processing Society Conference / 2024.05a / pp.214-215 / 2024
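  • The Call & Text on Other Devices (CMC) feature, a Samsung smartphone account-based service, is being used as a new technique for voice phishing. Because it can be used for caller number spoofing more easily than existing illegal relay equipment such as SIM boxes, voice phishing crimes that abuse the CMC feature are increasing, yet research on the subject remains insufficient. In this paper, we analyze the differences in Android system logs according to whether CMC is activated and whether the feature is used on Samsung devices, and based on this we propose a forensic artifact analysis method that can be used in voice phishing investigations.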

A Study on Mobile Forensic Data Acquisition Method Based on Manufacturer's Backup Mobile App (모바일 포렌식 증거 수집방안 연구: 제조사 백업 앱 기반 데이터 획득 기법)

  • Choi, Jaewon;Kim, Seung-joo
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.1 / pp.95-110 / 2018
  • With the widespread use of smartphones, various personal information of users is being recorded on smartphones in real time. To prevent the loss of users' important personal information, manufacturers provide smartphone backup applications. Recently, not only backup programs for PCs but also backup mobile apps for smartphones have been provided. From the point of view of acquiring forensic data, it is important not to compromise the acquisition possibilities and the integrity of the original data. Especially in the case of Android smartphones, various studies are being carried out to acquire the data without damaging the integrity of the original data. However, there are limitations in applying the existing research methods. In this paper, we describe the process of acquiring data using the backup mobile app provided by the manufacturer without compromising the integrity of the latest smartphone.