• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.1
• /
• pp.51-61
• /
• 2023

Messengers such as KakaoTalk, LINE, and Facebook Messenger are universal means of communication used by anyone. As the convenience functions provided to users and their usage time increase, so does the user behavior information remaining in the artifacts, which is being used as important evidence from the perspective of digital forensic investigation. However, for security reasons, most of the data is currently stored encrypted. In addition, cover-up behaviors such as intentional manipulation, concealment, and deletion are increasing, causing the problem of delaying digital forensic analysis time. In this paper, we conducted a study on the data decryption and artifacts analysis in a Windows environment for KakaoTalk, the messenger with the largest number of users in Korea. An efficient way of obtaining a decryption key and a method of identifying and decrypting messages attempted to be deleted are presented, and thumbnail artifacts are analyzed.

• The KIPS Transactions:PartC
• /
• v.19C no.1
• /
• pp.1-8
• /
• 2012

Recently, due to the development of broadband, there is a significant increase in utilizing on-demand Saas (Software as a Service) which takes advantage of the technology. Nevertheless, the academic and practical levels of digital forensics have not yet been established in cloud computing environment. In addition, the data of user behavior is not likely to be stored on the local system. The relevant data may be stored across the various remote servers. Therefore, the investigators may encounter some problems in performing digital forensics in cloud computing environment. it is important to analysis History files, Cookie files, Temporary Internet Files, physical memory, etc. in a viewpoint of client, since the SaaS basically uses the web to connects the internet service. In this paper, we propose the method that analysis the usuage trace of the Saas which is the one of the most popular cloud computing services.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.6
• /
• pp.55-65
• /
• 2011

Recently, use of cloud computing service is dramatically increasing due to wired and wireless communications network diffusion in a field of high performance Internet technique. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. In a view of digital forensic investigation, it is difficult to obtain data from cloud computing service environments. therefore, this paper suggests analysis method of AWS(Amazon Web Service) and Rackspace which take most part in cloud computing service where IaaS formats presented for data acquisition in order to get an evidence.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2017.10a
• /
• pp.343-345
• /
• 2017

With the development of IoT technology, terminals connected with IoT are being used. However, security incidents are occurring as IoT is applied to society as a whole. IoT security incidents can be linked to personal risk and social disruption. In this study, we extract the evidence of security breach in IoT device. Analyze IoT security breach environment and extract Hashing function to secure original integrity and integrity. Then, the Forensic evidence is extracted from the IoT security device to verify the integrity of the original and Forensic reports should be written and studied to be used as legal evidence.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2014.04a
• /
• pp.457-460
• /
• 2014

클라우드 컴퓨팅은 IT 자원의 효율적인 관리와 비용 대비 양질의 서비스 제공을 위한 새로운 패러다임으로써, 국내외의 기업뿐만 아니라 많은 사용자들에게 주목 받고 있다. 하지만 관련 시장의 빠른 성장과 함께 다양한 사이버 범죄에 노출될 수 있는 위험이 높아졌음에도 불구하고, 클라우드 컴퓨팅에 대한 디지털 포렌식은 실질적인 역할을 수행하기에 아직 미비한 실정이다. 클라우드 컴퓨팅은 증거 데이터가 물리적으로 분산되어 있고, 자원이 가상공간에 존재할 수 있기 때문에 기존의 디지털 포렌식 수사와는 다르게 접근해야 한다. 이에, 본 논문에서는 추상화된 클라우드 계층에 따른 기존 포렌식 절차 상의 데이터 수집 방법에 관한 한계를 분석하고, 확보한 증거 데이터의 신뢰성 보장 및 다양한 클라우드 환경에 보다 유연하게 적용할 수 있는 디지털 증거 수집 절차를 제안한다. 해당 절차는 클라우드 구성 요소들 중 물리적인 자원들을 가상화하여 논리적으로 구성할 수 있도록 하며, 가상화된 자원들을 서비스 목적에 따라 폭넓게 활용할 수 있도록 관리 체계를 제공해주는 클라우드 플랫폼을 기반으로 한다.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2008.06a
• /
• pp.175-182
• /
• 2008

2008년에 있었던 우리나라 금융기관과 정부기관에 대한 DoS 공격에 대한 연구이다. 실험실 환경에서 실제 DoS 공격 툴을 이용하여 공격을 실시한다. DoS 공격을 탐지하기 위하여 네트워크 상에서 Snort를 이용한 N-IDS를 설치하고, 패킷을 탐지하기 위한 Winpcap과 패킷의 저장 및 분석하기 위한 MySQL, HSC, .NET Framework 등을 설치한다. e-Watch 등의 패킷 분석 도구를 통해 해커의 DoS 공격에 대한 패킷량과 TCP, UDP 등의 정보, Port, MAC과 IP 정보 등을 분석한다. 본 논문 연구를 통하여 유비쿼터스 정보화 사회의 역기능인 사이버 DoS, DDoS 공격에 대한 자료를 분석하여 공격자에 대한 포렌식자료 및 역추적 분석 자료를 생성하여 안전한 인터넷 정보 시스템을 확보하는데 의의가 있다.

• Proceedings of the Korean Institute of Navigation and Port Research Conference
• /
• 2021.11a
• /
• pp.139-141
• /
• 2021

In the maritime digital forensic part, it is very important and difficult process that analysis of data and information with vessel navigation system's binary log data for situation awareness of maritime accident. In recent years, anaysis of vessel's navigation system's trajectory information is an essential element of maritime accident investigation for vessel digital forensic process. So, we analysis of maritime navigation systems of vessel and feature of device and environments. In the future, we will research on information of ship's trajectory and movement for useful forensic service.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2006.06a
• /
• pp.545-550
• /
• 2006

최근 정보통신 및 컴퓨터 산업이 발달함에 따라 해킹 및 바이러스, 산업정보 유출과 같은 컴퓨터를 이용한 범죄가 증가하고 있으며, 범죄에 사용되는 프로그램들이 점차 다양화 되고, 사용되는 데이터의 양 또한 급격히 증가하고 있다. 이에 따라 컴퓨터 범죄를 수사하는 디지털 포렌식 과정에서 시간과 인력 및 범용적인 면에서 방대한 정보들을 모두 분석하기란 현실적으로 어려운 일이다. 그러므로 디지털 증거 분석과정에 앞서 획득한 정보들 중 컴퓨터 범죄와 상관이 없는 정보들을 제거하여 분석할 데이터의 양을 줄이므로 디지털 증거 분석 과정에서 소요되는 인력 및 각종 비용 등을 줄일 수 있다. 이를 위해 국외에서는 이러한 정보들을 웹사이트를 통해 공개 및 제공하고 있다. 그러나 이러한 정보들은 국내에서 발생하는 컴퓨터 범죄를 수사 및 분석하는데 적합하지 않은 경우가 많다. 그러므로 국내의 환경에 맞는 정보를 제공하기 위한 방법 및 제도적인 개선이 필요하다. 본 논문에서는 이러한 정보를 제공하기 위한 방법 및 제도개선 방안을 제안하였다.

• Convergence Security Journal
• /
• v.22 no.5
• /
• pp.21-35
• /
• 2022

The use of digital information according to the development of information and communication technology and the 4th industrial revolution is continuously increasing and diversifying, and in proportion to this, crimes using digital information are also increasing. However, there are few cases of establishing an environment for processing and analysis of digital evidence in Korea. The budget allocated for each organization is different and the digital forensics laboratory built without solving the chronic problem of securing space has a problem in that there is no standard that can be referenced from the initial configuration stage. Based on this awareness of the problem, this thesis conducted an exploratory study focusing on tools and equipment necessary for building a digital forensics laboratory. As a research method, focus group interviews were conducted with 15 experts with extensive practical experience in the digital forensic laboratory or digital forensics field and experts' opinions were collected on the following 9 areas: network configuration, analyst computer, personal tools·equipment, imaging devices, dedicated software, open source software, common tools/equipment, accessories, and other considerations. As a result, a list of tools and equipment for digital forensic laboratories was derived.

• KIPS Transactions on Computer and Communication Systems
• /
• v.3 no.2
• /
• pp.31-42
• /
• 2014

Debugger systems are necessary to apply dynamic program analysis when evaluating security properties of embedded system software. It may be possible to make the use of software-based debugger and/or DBI framework if target devices support general purpose operating systems, however, constraints on applicability as well as environmental transparency might be incurred thereby hindering overall analyzability. Analysis with JTAG (IEEE 1149.1) debugging devices can overcome these difficulties in that no change would be involved in terms of internal software environment. In that sense, JTAG API can facilitate to practically perform dynamic program analysis for evaluating security properties of target device software. In this paper, we introduce an implementation of JTAG API to enable analysis of ARM core based embedded systems. The API function set includes the categories of debugger and target device controls: debugging environment and operation. To verify API applicability, we also provide example analysis tool implementations: our JTAG API could be used to build kernel function fuzzing and live memory forensics modules.