• Convergence Security Journal
• /
• v.23 no.1
• /
• pp.97-107
• /
• 2023

With the popularization of digital devices in the era of the 4th industrial revolution and the increase in cyber crimes targeting them, the importance of securing digital data evidence is emerging. However, the difficulty in securing digital data evidence is due to the use of anti-forensic techniques that increase analysis time or make it impossible, such as manipulation, deletion, and obfuscation of digital data. Such anti-forensic is defined as a series of actions to damage and block evidence in terms of digital forensics, and is classified into data destruction, data encryption, data concealment, and data tampering as anti-forensic techniques. Therefore, in this study, anti-forensic techniques are categorized into data concealment and deletion (obfuscation and encryption), investigate and analyze recent research trends, and suggest future anti-forensic research directions.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2022.05a
• /
• pp.184-186
• /
• 2022

Recently, as interest in personal information protection has increased, various apps for personal information protection have emerged. These apps protect data in various formats, such as photos, videos, and documents containing personal information, using encryption and hide functions. These apps can have a positive effect on personal information protection, but in digital forensics, they act as anti-forensic because they can be difficult to analyze data during the investigation process. In this paper, finds out PIN, an access control function, through reverse engineering on Calculator - photo vault, one of the personal information protection apps, and files such as photos and documents to which encryption and hide were applied. In addition, the vulnerability to this app was analyzed by research decryption for database files where logs for encrypted and hide files are stored.

• Proceedings of the Korean Society of Broadcast Engineers Conference
• /
• 2008.02a
• /
• pp.55-58
• /
• 2008

디지털 증거분석 단계에서 조사관은 용의자 시스템을 통해 사건 날짜와 시간에 실행된 응용 프로그램이나 악성 프로그램의 설치 여부 등을 유추하여 관련 증거를 발견할 수 있다. 그러나 대부분의 범죄자는 혐의 부인을 위해 대상 시스템에서 특정 프로그램의 설치 및 사용 정보를 삭제하여 증거를 인멸한다. 이와 같이 디지털 포렌식 조사를 방해하는 기술이나 도구와 관련된 분야를 안티포렌식(Anti-Forensics)이라 한다. 사이버 범죄의 증가로 인해 디지털 포렌식 기술이 발전할수록 범죄의 흔적을 남기지 않기 위한 안티포렌식 기술 또한 발전하고 있다. 이러한 안티포렌식에 대응하기 위해, 본 논문에서는 프로그램 사용 또는 설치와 같은 흔적을 시스템에서 삭제한 경우 시스템 복원지점을 이용한 증거탐지 방법을 제시한다. 또한 실제 발생 가능한 상황을 예로 들어 설명하고 수사 시 유용하게 쓰일 수 있는 도구 개발에 대한 계획을 제시한다.

• Journal of the Korea Society of Computer and Information
• /
• v.24 no.9
• /
• pp.51-58
• /
• 2019

Temporal analysis is very useful and important for digital forensics for reconstructing the timeline of digital events. Forgery of a file's timestamp can lead to inconsistencies in the overall temporal relationship, making it difficult to analyze the timeline in reconstructing actions or events and the results of the analysis might not be reliable. The purpose of the timestamp change is to hide the data in a steganographic way, and the other purpose is for anti-forensics. In both cases, the time stamp change tools are requested to use. In this paper, we propose a classification method based on the behavior of the timestamp change tools. The timestamp change tools are categorized three types according to patterns of the changed timestamps after using the tools. By analyzing the changed timestamps, it can be decided what kind of tool is used. And we show that the three types of the patterns are closely related to API functions which are used to develop the tools.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2019.07a
• /
• pp.391-392
• /
• 2019

본 논문에서는 타임스탬프의 위변조를 위한 안티포렌식의 도구로 사용되는 타임스탬프 변경도구들에 기능에 대하여 디지털 포렌식 관점에서 분석을 수행한다. 타임스탬프 변경도구들로써 수행할 수 있는 타임스탬프 변경작업의 범위와 특징을 찾아본다. NTFS파일시스템에서 사용하는 타임스탬프 변경도구들의 기능상의 분류는 그것들이 변경할 수 있는 타임스탬프 종류와 정밀도를 기준으로 정하고 그 도구들을 사용한 후에 기록된 타임스탬프의 특징들을 디지털 포렌식 관점에서 분석을 수행하기로 한다. 이 연구에서의 분류 형태 중 타입 I은 FileTouch.exe, SKTimeStamp, BulkFileChanger류의 도구들과 타입 II는 timestomp, 타입 III은 SetMACE로 분류하고 각 도구들을 사용한 후에 변경된 타임스탬프들의 특징을 살펴보기로 한다.

• The Journal of Industrial Distribution & Business
• /
• v.12 no.6
• /
• pp.47-55
• /
• 2021

Purpose: Organizational crime is an offense committed by an individual or an official in a corporate entity for organizational gain. This study aims to explore the literature on challenges facing digital forensics and further discuss possible solutions to such challenges as far as the protection of corporate crime is concerned. Research design, data and methodology: Qualitative textual methodology matches the interpretative approach since it is a quality method meant to consider the inductivity of strategies. Also, a qualitative approach is vital because it is distinct from the techniques used in optimistic paradigms linked to science laws. Results: For achieving justice through the investigation of digital forensic, there is a need to eradicate corporate crimes. This study suggests several solutions to reduce corporate crime such as 'Solving a problem to Anti-forensic Techniques', 'Cloud computing technique', and 'Legal Framework' etc. Conclusion: As corporate crime increases in rate, the data collected by digital forensics increases. The challenge of analyzing chunks of data requires digital forensic experts, who need tools to analyze them. Research findings shows that a change of the operating system and digital evidence interpretation is becoming a challenge as the new computer application software is not compatible with older software's structure.

• Journal of Digital Forensics
• /
• v.12 no.3
• /
• pp.39-54
• /
• 2018

Recently, discussions for the eradication of illegal shooting have been carried out in a socially-oriented way. The government has established comprehensive measures to eradicate cyber sexual violence crimes such as illegal shooting. Although the social interest in illegal shooting has increased, the illegal film shooting case is evolving more and more due to the development of information and communication technology. Applications that can hide confused videos are constantly circulating around the market and community sites. As a result, field investigators and professional analysts are experiencing difficulties in collecting and analyzing evidence. In this paper, we propose an evidence collection and analysis framework for illegal shooting cases in order to give practical help to illegal shooting investigation. We also proposed a system that can detect hidden applications, which is one of the main obstacles in evidence collection and analysis. We developed a detection tool to evaluate the effectiveness of the proposed system and confirmed the feasibility and scalability of the system through experiments using commercially available concealed apps.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.1
• /
• pp.107-122
• /
• 2014

The DDoS attacks and the APT attacks occurred by the zombie computers simultaneously attack target systems at a fixed time, caused social confusion. These attacks require many zombie computers running attacker's commands, and unknown malware that can bypass detecion of the anti-virus products is being executed in those computers. A that time, many methods have been proposed for the detection of unknown malware against the anti-virus products that are detected using the signature. This paper proposes a method of unknown malware detection using digital forensic techniques and describes the results of experiments carried out on various samples of malware and normal files.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.5
• /
• pp.1059-1065
• /
• 2015

Hard disk passwords are commonly not well known. If the passwords are set, forensic investigators are not allowed to access data on hard disks, so they can be used to obstruct investigations. Expensive tools such as PC-3000 are necessary for unlocking such hard disk passwords. But it would be a burden on both organizations that should pay for these tools and forensic investigators that are unfamiliar with these tools. This paper discusses knowledge required for unlocking hard disk passwords and proposes methods for unlocking the passwords without high-priced tools. And with a vendor-specific method, this paper provides procedures for acquiring passwords and unlocking hard disk drives.

• The KIPS Transactions:PartC
• /
• v.16C no.5
• /
• pp.555-562
• /
• 2009

In malware accident investigation, the most important thing is detection of malicious code. Signature based anti-virus softwares have been used in most of the accident. Malware can easily avoid signature based detection by using packing or encryption method. Because of this, packed file detection is also important. Detection methods can be divided into signature based detection and entropy based detection. Signature based detection can not detect new packing. And entropy based detection has a problem with false positive. We provides detection method using entropy statistics of entry point section and 'write' properties of essential characteristic of packed file. And then, we show packing detection tool and evaluate its performance.