• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.3
• /
• pp.417-428
• /
• 2020

With the rapid development of information and communication technology, mobile devices have become an essential tool in our lives. Mobile devices are used as important evidence in criminal proof, as they accumulate data simultaneously with PIM functions while working with users most of the time. The mobile forensics is a procedure for obtaining digital evidence from mobile devices and should be collected and analyzed in accordance with due process, just like other evidence, and the integrity of the evidence is essential because it has aspects that are easy to manipulate and delete. Also, the adoption of evidence relies on the judges' liberalism, which necessitates the presentation of generalized procedures. In this paper, a mobile forensics model is presented to ensure integrity through the generalization of procedures. It is expected that the proposed mobile forensics model will contribute to the formation of judges by ensuring the reliability and authenticity of evidence.

• Proceedings of the Korean Society of Broadcast Engineers Conference
• /
• 2008.02a
• /
• pp.103-106
• /
• 2008

물리 메모리 영역에는 증거로 활용될 수 있는 프로세스 정보와 이름, ID, 비밀 번호, 전자 메일 주소 등의 정보를 담고 있다. 또 용의자가 행위를 감추기 위해 안티 포렌식 기법을 사용하여 저장매체 상에서 완전 삭제한 파일의 잔여 데이터를 취득할 수 있는 가능성이 있다. 하드 디스크와 같은 저장 매체의 경우 증거 수집 절차시 Hash와 같은 무결성 보장 과정을 거쳐 복사본의 유효성 확인이 가능하지만 물리 메모리 영역의 경우 운용 중인 시스템에서 발생하는 운영체제와 응용 프로그램의 동작에 의한 지속적인 데이터의 변화로 무결성 및 동일한 대상에서 수집되었다는 것을 확인하기 어렵고 소프트웨어 기반의 수집은 시스템의 상태를 변화 시킨다. 본 논문에서는 물리 메모리 영역 수집 기법을 알아보고 IEEE1394의 특성을 이용한 하드웨어 기반 물리 메모리 영역 수집 도구를 구현하였다. 또 수집된 물리 메모리 덤프를 이용하여 물리 메모리에서 얻을 수 있는 정보를 확인하고 동일 대상의 메모리와 다른 대상의 메모리를 비교하여 그 차이를 확인한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.5
• /
• pp.1059-1065
• /
• 2015

Hard disk passwords are commonly not well known. If the passwords are set, forensic investigators are not allowed to access data on hard disks, so they can be used to obstruct investigations. Expensive tools such as PC-3000 are necessary for unlocking such hard disk passwords. But it would be a burden on both organizations that should pay for these tools and forensic investigators that are unfamiliar with these tools. This paper discusses knowledge required for unlocking hard disk passwords and proposes methods for unlocking the passwords without high-priced tools. And with a vendor-specific method, this paper provides procedures for acquiring passwords and unlocking hard disk drives.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.6
• /
• pp.893-906
• /
• 2023

Awareness that smartphones can be used as tools for criminal activity is prevalent in many organizations, but the functionally smartphone-like smartwatch's potential as a criminal tool is being overlooked. Considering this situation, this research verifies the possibility of information leakage through an insider's smartwatch in a situation where smartphones are controlled by security regulations and technologies, but smart watch are not. By analyzing information related application usage and Wi-Fi connection generated in the smartwatch during the verification process, forensic information and limitations are identified. Finally, this research proposes preventive methods to prepare for potential smartwatch-related crimes, and reconsiders awareness of the possibility of using smartwatches as criminal tools.

• KIPS Transactions on Software and Data Engineering
• /
• v.10 no.10
• /
• pp.421-428
• /
• 2021

The High Efficiency Image File Format (HEIF) is an MPEG-developed image format that utilizes the video codec H.265 to store still screens in a single image format. The iPhone has been using HEIF since 2017, and Android devices such as the Galaxy S10 have also supported the format since 2019. The format can provide images with good compression rates, but it has a complex internal structure and lacks significant compatibility between devices and software, making it not popular to replace commonly used JPEG (or JPG) files. However, despite the fact that many devices are already using HEIF, digital forensics research regarding it is lacking. This means that we can be exposed to the risk of missing potential evidence due to insufficient understanding of the information contained inside the file during digital forensics investigations. Therefore, in this paper, we analyze the HEIF formatted photo file taken on the iPhone and the motion photo file taken on the Galaxy to find out the information and features contained inside the file. We also investigate whether or not the software we tested support HEIF and present the requirement of forensic tools to analyze HEIF.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.4
• /
• pp.671-685
• /
• 2023

By applying artificial intelligence to image editing technology, it has become possible to generate high-quality images with minimal traces of manipulation. However, since these technologies can be misused for criminal activities such as dissemination of false information, destruction of evidence, and denial of facts, it is crucial to implement strong countermeasures. In this study, image file and mobile forensic artifacts analysis were conducted for detecting image manipulation. Image file analysis involves parsing the metadata of manipulated images and comparing them with a Reference DB to detect manipulation. The Reference DB is a database that collects manipulation-related traces left in image metadata, which serves as a criterion for detecting image manipulation. In the mobile forensic artifacts analysis, packages related to image editing tools were extracted and analyzed to aid the detection of image manipulation. The proposed methodology overcomes the limitations of existing graphic feature-based analysis and combines with image processing techniques, providing the advantage of reducing false positives. The research results demonstrate the significant role of such methodology in digital forensic investigation and analysis. Additionally, We provide the code for parsing image metadata and the Reference DB along with the dataset of manipulated images, aiming to contribute to related research.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.4
• /
• pp.835-845
• /
• 2019

File Carving is a technique for attempting to recover a file without metadata, such as a formated storage media or a damaged file system, and generally looks for a specific header / footer signature and data structure of the file. However, file carving is faced with the problem of recovering fragmented files for a long time, and it is very important to propose a solution for digital forensics because important files are relatively fragmented. To overcome these limitations, various carving techniques and tools are continuously being developed, and data sets from various researches and institutions are provided for functional verification. However, existing data sets are ineffective in verifying tools because of their limited environmental conditions. Therefore, this paper refers to the importance of fragmented file carving and develops 16 images for carving tool verification based on scenarios. The developed images' carving rate and accuracy of each media is shown through Foremost which is well known as a commercial carving tool.

• The KIPS Transactions:PartC
• /
• v.16C no.5
• /
• pp.555-562
• /
• 2009

In malware accident investigation, the most important thing is detection of malicious code. Signature based anti-virus softwares have been used in most of the accident. Malware can easily avoid signature based detection by using packing or encryption method. Because of this, packed file detection is also important. Detection methods can be divided into signature based detection and entropy based detection. Signature based detection can not detect new packing. And entropy based detection has a problem with false positive. We provides detection method using entropy statistics of entry point section and 'write' properties of essential characteristic of packed file. And then, we show packing detection tool and evaluate its performance.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.5
• /
• pp.125-132
• /
• 2010

Web browser is essential application for using internet. If suspect use a web browser for crime, evidence related crime is stored in log file. Therefore, we obtain the useful information related crime as investigating web browser log file. In this paper, we look at the related work and tools for web browser log file. And we introduce analysis methodology of web browser log file focus on the digital forensics. In addition, we apply to our tool at real case.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2008.06a
• /
• pp.175-182
• /
• 2008

2008년에 있었던 우리나라 금융기관과 정부기관에 대한 DoS 공격에 대한 연구이다. 실험실 환경에서 실제 DoS 공격 툴을 이용하여 공격을 실시한다. DoS 공격을 탐지하기 위하여 네트워크 상에서 Snort를 이용한 N-IDS를 설치하고, 패킷을 탐지하기 위한 Winpcap과 패킷의 저장 및 분석하기 위한 MySQL, HSC, .NET Framework 등을 설치한다. e-Watch 등의 패킷 분석 도구를 통해 해커의 DoS 공격에 대한 패킷량과 TCP, UDP 등의 정보, Port, MAC과 IP 정보 등을 분석한다. 본 논문 연구를 통하여 유비쿼터스 정보화 사회의 역기능인 사이버 DoS, DDoS 공격에 대한 자료를 분석하여 공격자에 대한 포렌식자료 및 역추적 분석 자료를 생성하여 안전한 인터넷 정보 시스템을 확보하는데 의의가 있다.