• Title/Summary/Keyword: Anti-Forensics

Search Result 38, Processing Time 0.03 seconds

A Study on the Feature Point Extraction Methodology based on XML for Searching Hidden Vault Anti-Forensics Apps (은닉형 Vault 안티포렌식 앱 탐색을 위한 XML 기반 특징점 추출 방법론 연구)

  • Kim, Dae-gyu;Kim, Chang-soo
    • Journal of Internet Computing and Services
    • /
    • v.23 no.2
    • /
    • pp.61-70
    • /
    • 2022
  • General users who use smartphone apps often use the Vault app to protect personal information such as photos and videos owned by individuals. However, there are increasing cases of criminals using the Vault app function for anti-forensic purposes to hide illegal videos. These apps are one of the apps registered on Google Play. This paper proposes a methodology for extracting feature points through XML-based keyword frequency analysis to explore Vault apps used by criminals, and text mining techniques are applied to extract feature points. In this paper, XML syntax was compared and analyzed using strings.xml files included in the app for 15 hidden Vault anti-forensics apps and non-hidden Vault apps, respectively. In hidden Vault anti-forensics apps, more hidden-related words are found at a higher frequency in the first and second rounds of terminology processing. Unlike most conventional methods of static analysis of APK files from an engineering point of view, this paper is meaningful in that it approached from a humanities and sociological point of view to find a feature of classifying anti-forensics apps. In conclusion, applying text mining techniques through XML parsing can be used as basic data for exploring hidden Vault anti-forensics apps.

The Development of Anti-Forensic Tools for Android Smartphones (안드로이드 스마트폰을 위한 앤티-포렌식 도구 개발)

  • Moon, Phil-Joo
    • The Journal of the Korea institute of electronic communication sciences
    • /
    • v.10 no.1
    • /
    • pp.95-102
    • /
    • 2015
  • Smartphone is very useful for use in the real world, but it has been exposed to a lot of crime by smartphone. Also, it occurs attempting to delete a data of smartphone memory by anti-forensic tools. In this paper, we implement an anti-forensic tool used in the Android. In addition, tests to validate the availability of the anti-forensic tool by the Oxygen Forensic Suite that is a commercial forensic tool.

A Study on Analysis of Hidden Areas of Removable Storage Device from a Digital Forensics Point of View (디지털 포렌식 관점에서 이동식 저장매체의 은닉영역 분석 연구)

  • Hong, Pyo-gil;Lee, Dae-sung;Kim, Dohyun
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2021.05a
    • /
    • pp.111-113
    • /
    • 2021
  • USB storage devices, which are represented by removable storage media, are widely used even nowadays when cloud services are common. However, since they are cases where hidden areas are created and exploited in USB storage devices. This research is needed to detect and analyze them from an Anti-forensic point of view. In this paper, we analyze a program that can be exploited as Anti-forensic because it can create a hidden partition and store files there, and the file system created by it from a digital forensic point of view.

  • PDF

The analysis of Windows 7·8 IconCache.db and its application (Windows 7·8 IconCahe.db 파일 포맷 분석 및 활용방안)

  • Lee, Chan-Youn;Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.24 no.1
    • /
    • pp.135-144
    • /
    • 2014
  • Since anti-forensics have been developed in order to avoid digital forensic investigation, the forensic methods for analyzing anti-forensic behaviors have been studied in various aspects. Among the factors for user activity analysis, "Iconcache.db" files, which have the icon information of applications, provides meaningful information for digital forensic investigation. This paper illustrates the features of IconCache.db files and suggests the countermeasures against anti-forensics utilizing them.

Data Hiding in NTFS Timestamps for Anti-Forensics

  • Cho, Gyu-Sang
    • International Journal of Internet, Broadcasting and Communication
    • /
    • v.8 no.3
    • /
    • pp.31-40
    • /
    • 2016
  • In this paper, we propose a new anti-forensic method for hiding data in the timestamp of a file in the Windows NTFS filesystem. The main idea of the proposed method is to utilize the 16 least significant bits of the 64 bits in the timestamps. The 64-bit timestamp format represents a number of 100-nanosecond intervals, which are small enough to appear in less than a second, and are not commonly displayed with full precision in the Windows Explorer window or the file browsers of forensic tools. This allows them to be manipulated for other purposes. Every file has $STANDARD_INFORMATION and $FILE_NAME attributes, and each attribute has four timestamps respectively, so we can use 16 bytes to hide data. Without any changes in an original timestamp of "year-month-day hour:min:sec" format, we intentionally put manipulated data into the 16 least significant bits, making the existence of the hidden data in the timestamps difficult to uncover or detect. We demonstrated the applicability and feasibility of the proposed method with a test case.

A Study on Data Collection and Analysis of NaverWorks Collaboration Tool from a Digital Forensics Perspective (디지털포렌식 관점에서의 협업 도구 네이버웍스의 데이터 수집 및 분석 연구)

  • Hangyeol Kim;Dabin We;Myungseo Park
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.34 no.5
    • /
    • pp.895-905
    • /
    • 2024
  • Even now that the coronavirus pandemic has ended, collaboration tools that connect office work and remote work are showing high usage rates. These collaboration tools are related to sensitive data within an organization, and a lot of data is generated through the interactions of not only individuals but also members of various organizations. However, the generated data is structurally mixed, encrypted, or deleted or hidden through anti-forensic functions supported by collaboration tools. Digital investigations targeting collaboration tools require analysis methods to collect this data and obtain key data. In this paper, we explained how to collect and analyze data using Naver Works, a collaboration tool in the Windows environment.

A SimCache Structural Analysis and A Detection tool for Anti-Forensics Tool Execution Evidence on Windows 10 (Windows 10에서의 심캐시(ShimCache) 구조 분석과 안티 포렌식 도구 실행 흔적 탐지 도구 제안)

  • Kang, Jeong Yoon;Lee, Seung A;Lee, Byong Gul
    • Proceedings of the Korean Society of Computer Information Conference
    • /
    • 2021.07a
    • /
    • pp.215-218
    • /
    • 2021
  • 심캐시(Shimcache, AppCompatCache) 파일은 Windows 운영체제에서 응용 어플리케이션 간의 운영체제 버전 호환성 이슈를 관리하는 파일이다. 호환성 문제가 발생한 응용 어플리케이션에 대한 정보가 심캐시에 기록되며 프리패치 (Prefetch) 파일이나 레지스트리의 UserAssist 키 등과 같이 응용 어플리케이션의 실행 흔적을 기록한다는 점에서 포렌식적 관점에서 중요한 아티팩트이다. 본 논문에서는 심캐시의 구조를 분석하여 심캐시 파일을 통해 얻을 수 있는 응용 어플리케이션의 정보를 소개하고, 기존 툴 상용도구의 개선을 통해 완전 삭제 등 안티 포렌식 도구의 실행 흔적을 탐지하는 방법을 제시한다.

  • PDF

Estimation of Eyewitness Identification Accuracy by Event-Related Potentials (차량 번호판 목격자의 기억 평가를 위한 사건 관련 전위 연구)

  • Ham, Keunsoo;Pyo, Chuyeon;Jang, Taeik;Yoo, Seong Ho
    • The Korean Journal of Legal Medicine
    • /
    • v.39 no.4
    • /
    • pp.115-119
    • /
    • 2015
  • We investigated event-related potentials (ERPs) to estimate the accuracy of eyewitness memories. Participants watched videos of vehicles being driven dangerously, from an anti-impaired driving initiative. The four-letter license plates of the vehicles were the target stimuli. Random numbers were presented while participants attempted to identify the license plate letters, and electroencephalograms were recorded. There was a significant difference in activity 300-500 milliseconds after stimulus onset, between target stimuli and random numbers. This finding contributes to establishing an eyewitness recognition model where different ERP components may reflect more explicit memory that is dissociable from recollection.

Digital forensic framework for illegal footage -Focused On Android Smartphone- (불법 촬영물에 대한 디지털 포렌식 프레임워크 -안드로이드 스마트폰 중심으로-)

  • Kim, Jongman;Lee, Sangjin
    • Journal of Digital Forensics
    • /
    • v.12 no.3
    • /
    • pp.39-54
    • /
    • 2018
  • Recently, discussions for the eradication of illegal shooting have been carried out in a socially-oriented way. The government has established comprehensive measures to eradicate cyber sexual violence crimes such as illegal shooting. Although the social interest in illegal shooting has increased, the illegal film shooting case is evolving more and more due to the development of information and communication technology. Applications that can hide confused videos are constantly circulating around the market and community sites. As a result, field investigators and professional analysts are experiencing difficulties in collecting and analyzing evidence. In this paper, we propose an evidence collection and analysis framework for illegal shooting cases in order to give practical help to illegal shooting investigation. We also proposed a system that can detect hidden applications, which is one of the main obstacles in evidence collection and analysis. We developed a detection tool to evaluate the effectiveness of the proposed system and confirmed the feasibility and scalability of the system through experiments using commercially available concealed apps.

Vulnerability analysis for privacy security Android apps (개인정보보호 안드로이드 앱에 대한 취약점 분석)

  • Lee, Jung-Woo;Hong, Pyo-Gil;Kim, Dohyun
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2022.05a
    • /
    • pp.184-186
    • /
    • 2022
  • Recently, as interest in personal information protection has increased, various apps for personal information protection have emerged. These apps protect data in various formats, such as photos, videos, and documents containing personal information, using encryption and hide functions. These apps can have a positive effect on personal information protection, but in digital forensics, they act as anti-forensic because they can be difficult to analyze data during the investigation process. In this paper, finds out PIN, an access control function, through reverse engineering on Calculator - photo vault, one of the personal information protection apps, and files such as photos and documents to which encryption and hide were applied. In addition, the vulnerability to this app was analyzed by research decryption for database files where logs for encrypted and hide files are stored.

  • PDF