• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.4
• /
• pp.827-839
• /
• 2012

A cell phone is very close to the user and therefore should be considered in digital forensic investigation. Recently, the proportion of smartphone owners is increasing dramatically. Unlike the feature phone, users can utilize various mobile application in smartphone because it has high-performance operating system (e.g., Android, iOS). As acquisition and analysis of user data in smartphone are more important in digital forensic purposes, smartphone forensics has been studied actively. There are two way to do smartphone forensics. The first way is to extract user's data using the backup and debugging function of smartphones. The second way is to get root permission, and acquire the image of flash memory. And then, it is possible to reconstruct the filesystem, such as YAFFS, EXT, RFS, HFS+ and analyze it. However, this methods are not suitable to recovery and analyze deleted data from smartphones. This paper introduces analysis techniques for fragmented flash memory pages in smartphones. Especially, this paper demonstrates analysis techniques on the image that reconstruction of filesystem is impossible because the spare area of flash memory pages does not exist and the pages in unallocated area of filesystem.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.2
• /
• pp.61-70
• /
• 2011

Virtualization is a technology that uses a logical environment to overcome physical limitations in hardware. As a part of cost savings and green IT policies, there is a tendency in which recent businesses increase the adoption of such virtualization. In particular, regarding the virtualization in desktop, it is one of the most widely used technology at the present time. Because it is able to efficiently use various types of operating systems in a physical computer. A virtual machine image that is a key component of virtualization is difficult to investigate. because the structure of virtual machine image is different from hard disk image. Therefore, we need researches about appropriate investigation procedure and method based on technical understanding of a virtual machine. In this research, we suggest a procedure of investigation on a virtual machine image and a method for a corrupted image of the VMware Workstation that has the largest number of users.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.7
• /
• pp.3268-3283
• /
• 2018

With the advent of the Information Age, the source identification of digital images, as a part of digital image forensics, has attracted increasing attention. Therefore, an effective technique to identify the source of digital images is urgently needed at this stage. In this paper, first, we study and implement some previous work on image source identification based on sensor pattern noise, such as the Lukas method, principal component analysis method and the random subspace method. Second, to extract a purer sensor pattern noise, we propose a sample selection method to improve the random subspace method. By analyzing the image texture feature, we select a patch with less complexity to extract more reliable sensor pattern noise, which improves the accuracy of identification. Finally, experiment results reveal that the proposed sample selection method can extract a purer sensor pattern noise, which further improves the accuracy of image source identification. At the same time, this approach is less complicated than the deep learning models and is close to the most advanced performance.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.3
• /
• pp.165-176
• /
• 2011

In this paper, we examine the reliability verification procedure of evidence analysis tools for computer forensics and test the famous tools for their functional requirements using the verification items proposed by standard document, TIAK.KO-12.0112. Also, we carry out performance evaluation based on test results and suggest the way of performance improvement for evidence analysis tools. To achieve this, we first investigate functions that test subjects can perform, and then we set up a specific test plan and create evidence image files which contain the contents of a verification items. We finally verify and analyze the test results. In this process, we can discover some weaknesses of most of analysis tools, such as the restoration for deleted & fragmented files, the identification of the file format which is widely used in the country and the processing of the strings composed of Korean alphabet.

• KIPS Transactions on Software and Data Engineering
• /
• v.10 no.10
• /
• pp.421-428
• /
• 2021

The High Efficiency Image File Format (HEIF) is an MPEG-developed image format that utilizes the video codec H.265 to store still screens in a single image format. The iPhone has been using HEIF since 2017, and Android devices such as the Galaxy S10 have also supported the format since 2019. The format can provide images with good compression rates, but it has a complex internal structure and lacks significant compatibility between devices and software, making it not popular to replace commonly used JPEG (or JPG) files. However, despite the fact that many devices are already using HEIF, digital forensics research regarding it is lacking. This means that we can be exposed to the risk of missing potential evidence due to insufficient understanding of the information contained inside the file during digital forensics investigations. Therefore, in this paper, we analyze the HEIF formatted photo file taken on the iPhone and the motion photo file taken on the Galaxy to find out the information and features contained inside the file. We also investigate whether or not the software we tested support HEIF and present the requirement of forensic tools to analyze HEIF.

• Journal of information and communication convergence engineering
• /
• v.9 no.1
• /
• pp.95-99
• /
• 2011

Digital forensics is the emerging research field for determining digital forgeries. Key issues of the tampered images are to solve the problems for detecting the interpolation factor and the tampered regions. This paper describes a method to detect the interpolation factors and the forged maps using the differential method and fast Fourier transform(FFT) along the horizontal, vertical, and diagonal direction, respectively from digital filtered tampered images. The detection map can be used to find out interpolated regions from the tempered image. Experimental results demonstrate the proposed algorithm proves effective on several filtering images by adobe $Photoshop^{TM}$ and show a ratio of detecting the interpolated regions and factors from digital filtered composite images.

• International journal of advanced smart convergence
• /
• v.8 no.4
• /
• pp.47-57
• /
• 2019

We examine the weaknesses of the existing OOXML-based MS-Word file structure, and analyze how data concealment and forgery are performed in MS-Word digital documents. In case of forgery by including hidden information in MS-Word digital document, there is no difference in opening the file with the MS-Word Processor. However, the computer system may be malfunctioned by malware or shell code hidden in the digital document. If a malicious image file or ZIP file is hidden in the document by using the structural vulnerability of the MS-Word document, it may be infected by ransomware that encrypts the entire file on the disk even if the MS-Word file is normally executed. Therefore, it is necessary to analyze forgery and alteration of digital document through internal structure analysis of MS-Word file. In this paper, we designed and implemented a mechanism to detect this efficiently and automatic detection software, and presented a method to proactively respond to attacks such as ransomware exploiting MS-Word security vulnerabilities.

• Journal of the Korea Society of Computer and Information
• /
• v.26 no.12
• /
• pp.111-121
• /
• 2021

As the main carrier of information, digital image is becoming more and more important. However, with the popularity of image acquisition equipment and the rapid development of image editing software, in recent years, digital image counterfeiting incidents have emerged one after another, which not only reduces the credibility of images, but also brings great negative impacts to society and individuals. Image copy-paste tampering is one of the most common types of image tampering, which is easy to operate and effective, and is often used to change the semantic information of digital images. In this paper, a method to protect the authenticity and integrity of image content by studying the tamper detection method of image copy and paste was proposed. In view of the excellent learning and analysis ability of deep learning, two tamper detection methods based on deep learning were proposed, which use the traces left by image processing operations to distinguish the tampered area from the original area in the image. A series of experimental results verified the rationality of the theoretical basis, the accuracy of tampering detection, location and classification.

• Journal of Ubiquitous Convergence Technology
• /
• v.2 no.1
• /
• pp.18-26
• /
• 2008

The invariance relation existing in the non-negative matrix factorization (NMF) is used for constructing robust image hashes in this work. The image is first re-scaled to a fixed size. Low-pass filtering is performed on the luminance component of the re-sized image to produce a normalized matrix. Entries in the normalized matrix are pseudo-randomly re-arranged under the control of a secret key to generate a secondary image. Non-negative matrix factorization is then performed on the secondary image. As the relation between most pairs of adjacent entries in the NMF's coefficient matrix is basically invariant to ordinary image processing, a coarse quantization scheme is devised to compress the extracted features contained in the coefficient matrix. The obtained binary elements are used to form the image hash after being scrambled based on another key. Similarity between hashes is measured by the Hamming distance. Experimental results show that the proposed scheme is robust against perceptually acceptable modifications to the image such as Gaussian filtering, moderate noise contamination, JPEG compression, re-scaling, and watermark embedding. Hashes of different images have very low collision probability. Tampering to local image areas can be detected by comparing the Hamming distance with a predetermined threshold, indicating the usefulness of the technique in digital forensics.

• Journal of Digital Contents Society
• /
• v.16 no.3
• /
• pp.389-395
• /
• 2015

Digital image provides many conveniences at the internet environment recently. A great number of applications, like Digital Library, Stock Image, Personal Image and Important Information, require the use of digital image. However it has fatal defect which is easy to be modified because digital image is only electronic file. Numerous digital image forgeries have become a serious problem due to the sophistication and accessibility of image editing software. Copy-Move forgery is the simplest type of forgery that involves copying portion of an image and paste it on different location within the image. There are many approaches to detect Copy-Move forgery, but all of them have their own limitations. In this paper, visual and invisible feature based forgery detection techniques are tested and analyzed. The analysis shows that pros and cons of these two techniques compensate each other. Therefore, a hybrid of visual based and invisible feature based forgery detection that combine the merits of both techniques is proposed. The experimental results show that the proposed algorithm has enhanced performance compared to individual techniques. Moreover, it provides more information about the forgery, like identifying copy and duplicate regions.