• The Journal of Korea Institute of Information, Electronics, and Communication Technology
• /
• v.8 no.4
• /
• pp.327-337
• /
• 2015

This work provides new forensic techinque to a hide message on a directory index in Windows NTFS file system. Behavior characteristics of B-tree, which is apoted to manage an index entry, is utilized for hiding message in slack space of an index record. For hidden message not to be exposured, we use a disguised file in order not to be left in a file name attribute of a MFT entry. To understand of key idea of the proposed technique, we describe B-tree indexing method and the proposed of this work. We show the proposed technique is practical for anti-forensic usage with a real message hiding case using a developed software tool.

• The Journal of Industrial Distribution & Business
• /
• v.12 no.6
• /
• pp.47-55
• /
• 2021

Purpose: Organizational crime is an offense committed by an individual or an official in a corporate entity for organizational gain. This study aims to explore the literature on challenges facing digital forensics and further discuss possible solutions to such challenges as far as the protection of corporate crime is concerned. Research design, data and methodology: Qualitative textual methodology matches the interpretative approach since it is a quality method meant to consider the inductivity of strategies. Also, a qualitative approach is vital because it is distinct from the techniques used in optimistic paradigms linked to science laws. Results: For achieving justice through the investigation of digital forensic, there is a need to eradicate corporate crimes. This study suggests several solutions to reduce corporate crime such as 'Solving a problem to Anti-forensic Techniques', 'Cloud computing technique', and 'Legal Framework' etc. Conclusion: As corporate crime increases in rate, the data collected by digital forensics increases. The challenge of analyzing chunks of data requires digital forensic experts, who need tools to analyze them. Research findings shows that a change of the operating system and digital evidence interpretation is becoming a challenge as the new computer application software is not compatible with older software's structure.

• KIPS Transactions on Computer and Communication Systems
• /
• v.6 no.1
• /
• pp.25-30
• /
• 2017

The influence of the data deletion method which is one of anti-forensic techniques is substantial in terms of forensic analysis compared to its simplicity of the act. In academic world, recovery techniques on deleted files have been continuously studied in response to the data deletion method and representatively, the file system-based file recovery technique and file format based recovery technique exist. If there's metadata of deleted file in file system, the file can be easily recovered by using it, but if there's no metadata, the file is recovered by using the signature-based carving technique or the file format based recovery technique has to be applied. At this time, in the file format based recovery technique, the file structure analysis and possible recovery technique should be provided. This paper proposes the page recovery technique on deleted PDF file based on the structural characteristics of PDF file. This technique uses the tag value of page object which constitutes one page of PDF file. Object is extracted by utilizing each tag value as a kind of signature and by analyzing extracted object, the metadata of PDF file is recombined and then it's reconfigured page by page. Recovering by page means that even if deleted PDF file is damaged, even some pages consisting of PDF file can be recovered. Generally, if the file system based file is not recoverable, deleted file is recovered by applying the signature based carving technique. The technique which we proposed in this paper can recover PDF files that are damaged. In the digital forensic perspective, it can be utilized to recover more data than previously.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.11 no.4
• /
• pp.69-79
• /
• 2015

This research proposes a modified data hiding method to hide data in a slack space of an NTFS index record. The existing data hiding method is for anti-forensics, which uses traces of file names of an index entry in an index record when files are deleted in a direcotry. The proposed method in this paper modifies the existing method to make non-admittable ASCII characters for a file name applicable. By improving the existing method, problems of a file creation error due to non-admittable characters are remedied; including the non-admittable 9 characters (i. e. slash /, colon :, greater than >, less than <, question mark ?, back slash ${\backslash}$, vertical bar |, semi-colon ;, esterisk * ), reserved file names(i. e. CON, PRN, AUX, NUL, COM1~COM9, LPT1~LPT9) and two non-admittable characters for an ending character of the file name(i. e. space and dot). Two results of the two message with non-admittable ASCII characters by keyboard inputs show the applicability of the proposed method.

• Convergence Security Journal
• /
• v.15 no.7
• /
• pp.75-84
• /
• 2015

In an "NTFS Index Record Data Hiding" method messages are hidden by using file names. Windows NTFS file naming convention has some forbidden ASCII characters for a file name. When inputting Hangul with the Roman alphabet, if the forbidden characters for the file name and binary data are used, the codes are convert to a designated unicode point to avoid a file creation error due to unsuitable characters. In this paper, the problem of a file creation error due to non-admittable characters for the file name is fixed, which is used in the index record data hiding method. Using Hangul with Roman alphabet the characters cause a file creation error are converted to an arbitrary unicode point except Hangul and Roman alphabet area. When it comes to binary data, all 256 codes are converted to designated unicode area except an extended unicode(surrogate pairs) and ASCII code area. The results of the two cases, i.e. the Hangul with Roman alphabet case and the binary case, show the applicability of the proposed method.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.3
• /
• pp.369-378
• /
• 2020

Due to the widespread use of mobile devices, smartphone penetration and usage rate continue to increase and there is also an increasing amount of data that need to be stored and managed in applications. Therefore, recent applications use mobile databases to store and manage user data. Realm database, developed in 2014, is attracting more attention from developers because of advantages of continuous updating, high speed, low memory usage, simplicity and readability of the code. It also supports an encryption to provide confidentiality and integrity of personal information stored in the database. However, since the encryption can be used as an anti-forensic technique, it is necessary to analyze the encryption and decryption processes provided by Realm Database. In this paper, we analyze the structure of Realm Database and its encryption and decryption process in detail, and analyze an application that supports an encryption to propose the use cases of the Realm Database.