• Journal of Internet Computing and Services
• /
• v.23 no.6
• /
• pp.1-13
• /
• 2022

As the information and communication environment develops, the environment of military facilities is also development remarkably. In proportion to this, cyber threats are also increasing, and in particular, APT attacks, which are difficult to prevent with existing signature-based cyber defense systems, are frequently targeting military and national infrastructure. It is important to identify attack groups for appropriate response, but it is very difficult to identify them due to the nature of cyber attacks conducted in secret using methods such as anti-forensics. In the past, after an attack was detected, a security expert had to perform high-level analysis for a long time based on the large amount of evidence collected to get a clue about the attack group. To solve this problem, in this paper, we proposed an automation technique that can classify an attack group within a short time after detection. In case of APT attacks, compared to general cyber attacks, the number of attacks is small, there is not much known data, and it is designed to bypass signature-based cyber defense techniques. As an attack model, we used MITRE ATT&CK® which modeled many parts of cyber attacks. We design an impact score considering the versatility of the attack techniques and proposed a group similarity score based on this. Experimental results show that the proposed method classified the attack group with a 72.62% probability based on Top-5 accuracy.

• Journal of the Society of Disaster Information
• /
• v.13 no.2
• /
• pp.267-275
• /
• 2017

This research is about the development of e-forensic tool that extract & analyze different forms of digital evidence that individuals come across in a disaster scene. The tool utilizes digital forensic techniques which makes the tool efficient in any disaster analysis situation. In order for the forensic evidence to be selected as legal evidence, the evidence needs to be proven that it is in its original state with no forgery involved. This is where the e-forensic tool comes in, as its ability to collect digital evidence during investigation has proven; that the tool can keep the evidence in its original state and increase the integrity by generating hash TAG and adding the forensic evidence to a password encoded file.

• Convergence Security Journal
• /
• v.8 no.4
• /
• pp.65-71
• /
• 2008

According to the capacity of hard disk drive is increasing day by day, the amount of data that forensic investigators should analyze is also increasing. This trend need tremendous time and effort in determining which files are important as evidence on computers. Using the file system APIs provided by Windows system is the easy way to identify those files. This method, however, requires a large amount of time as the number of files increase and changes the access time of files. Moreover, some files cannot be accessed due to the use of operating system. To resolve these problems, forensic analysis should be conducted by using the Master File Table (MFT). In this paper, We implement the file access program which interprets the MFT information in NTFS file system. We also extensibly compare the program with the previous method. Experimental results show that the presented program reduces the file access time then others. As a result, The file access method using MFT information is forensically sound and also alleviates the investigation time.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.3
• /
• pp.523-533
• /
• 2014

It has been spent too much time to figure out the incident route when we are facing computer security incident. The incident often recurs moreover the damage is expanded because critical clues are lost while we are wasting time with hesitation. This paper suggests to build a Digital Evidence Map (DEM) in order to find out the incident cause speedy and accurately. The DEM is consist of the log chain which is a mesh relationship between machine data. And the DEM should be managed constantly because the log chain is vulnerable to various external facts. It could help handle the incident quickly and cost-effectively by acquainting it before incident. Thus we can prevent recurrence of incident by removing the root cause of it. Since the DEM has adopted artifacts in data as well as log, we could make effective response to APT attack and Anti-Forensic.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.3
• /
• pp.369-378
• /
• 2020

Due to the widespread use of mobile devices, smartphone penetration and usage rate continue to increase and there is also an increasing amount of data that need to be stored and managed in applications. Therefore, recent applications use mobile databases to store and manage user data. Realm database, developed in 2014, is attracting more attention from developers because of advantages of continuous updating, high speed, low memory usage, simplicity and readability of the code. It also supports an encryption to provide confidentiality and integrity of personal information stored in the database. However, since the encryption can be used as an anti-forensic technique, it is necessary to analyze the encryption and decryption processes provided by Realm Database. In this paper, we analyze the structure of Realm Database and its encryption and decryption process in detail, and analyze an application that supports an encryption to propose the use cases of the Realm Database.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.3
• /
• pp.143-154
• /
• 2011

SQLite is a small sized database engine largely used in embedded devices and local application software. The availability of portable devices, such as smartphones, has been extended over the recent years and has contributed to growing adaptation of SQLite. This implies a high likelihood of digital evidences acquired during forensic investigations to include SQLite database files. Where intentional deletion of sensitive data can be made by a suspect, forensic investigators need to recover deleted records in SQLite at the best possible. This study analyzes data management rules used by SQLite and the structure of deleted data in the system, and in turn suggests a recovery Tool of deleted data. Further, the study examines major SQLite suited software as it validates feasible possibility of deleted data recovery.

• The Journal of the Convergence on Culture Technology
• /
• v.8 no.6
• /
• pp.807-812
• /
• 2022

Recently, as the number of voice recording files submitted as court evidence increases, the number of cases claiming forgery is also increasing. If the audio recording file structure and metadata, which are objective grounds, are completely forged, it is actually impossible to detect forgery of the sophisticated audio recording file. It is extremely rare for the court to reject the file structure and metadata analysis performed with the forged audio recording file. The purpose of this study is to prove that forgery of voice recording file structure and metadata is easily possible. To this end, in this study, it was introduced that forgery detection is impossible when the 'mixed paste' function, which enables sophisticated editing based on the typification of the editing method of voice recording files, is applied. Moreover, it has been proven through experiments that forgery of file structure and metadata is possible. Therefore, a stricter standard for judging the admissibility of evidence is required when the audio recording file is adopted as digital evidence. This study will not only contribute to the standard of integrity in the adoption of digital evidence by judges, but will also contribute to the method of constructing a dataset for artificial intelligence in detecting forgery of recorded files that is expected to be developed in the future.

• Journal of Digital Contents Society
• /
• v.16 no.3
• /
• pp.389-395
• /
• 2015

Digital image provides many conveniences at the internet environment recently. A great number of applications, like Digital Library, Stock Image, Personal Image and Important Information, require the use of digital image. However it has fatal defect which is easy to be modified because digital image is only electronic file. Numerous digital image forgeries have become a serious problem due to the sophistication and accessibility of image editing software. Copy-Move forgery is the simplest type of forgery that involves copying portion of an image and paste it on different location within the image. There are many approaches to detect Copy-Move forgery, but all of them have their own limitations. In this paper, visual and invisible feature based forgery detection techniques are tested and analyzed. The analysis shows that pros and cons of these two techniques compensate each other. Therefore, a hybrid of visual based and invisible feature based forgery detection that combine the merits of both techniques is proposed. The experimental results show that the proposed algorithm has enhanced performance compared to individual techniques. Moreover, it provides more information about the forgery, like identifying copy and duplicate regions.

• The Journal of Society for e-Business Studies
• /
• v.23 no.3
• /
• pp.129-143
• /
• 2018

Recently, the use of digital media such as computers and smart devices has been rapidly increasing, The vast and diverse information contained in the warrant of the investigating agency also includes the one irrelevant to the crime. Therefore, when confiscating the information, the basic rights, defense rights and privacy invasion of the person to be seized have been the center of criticism. Although the investigation agency guarantees the right to participate, it does not have specific guidelines, so they are various by the contexts and environments. In this process, the abuse of the participation right is detrimental to the speed and integrity of the investigation, and there is a side effect that the digital evidence might be destroyed by remote initialization. In this study, we conducted surveys of digital evidence analysts across the country based on four domains and thirty measurement items for enabling environment for participation in information storage media export and digital evidence search process. The difference between the level of importance and the performance was analyzed by the IPA matrix based on process, location, people, and technology dimensions. Seven items belonging to "concentrate here" area are one process-related, three location-related, and three people-related items. This study is meaningful to be a basis for establishing the proper policies and strategies for ensuring participation right, as well as for minimizing the side effects.