• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.9
• /
• pp.4567-4587
• /
• 2017

With the growth of the Internet and the extensive applications of image editing software, it has become easier to manipulate digital images without leaving obvious traces. Copy-move is one of the most common techniques for image forgery. Image blind forensics is an effective technique for detecting tampered images. This paper proposes an improved copy-move forgery detection method based on the discrete cosine transform (DCT). The quantized DCT coefficients, which are feature representations of image blocks, are truncated using a truncation factor to reduce the feature dimensions. A method for judging whether two image blocks are similar is proposed to improve the accuracy of similarity judgments. The main transfer vectors whose frequencies exceed a threshold are found to locate the copied and pasted regions in forged images. Several experiments are conducted to test the practicability of the proposed algorithm using images from copy-move databases and to evaluate its robustness against post-processing methods such as additive white Gaussian noise (AWGN), Gaussian blurring, and JPEG compression. The results of experiments show that the proposed scheme effectively detects both copied region and pasted region of forged images and that it is robust to the post-processing methods mentioned above.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.2
• /
• pp.662-675
• /
• 2018

Compression history detection plays an important role in digital multimedia forensics. Most existing works, however, mainly focus on digital image and video. Additionally, the existed audio compression detection algorithms aim to detect the trace of double compression. In real forgery scenario, multiple compression is more likely to happen. In this paper, we proposed a detection algorithm to reveal the compression history for MP3 audio. The statistics of the scale factor and Huffman table index which are the parameters of MP3 codec have been extracted as the detecting features. The experimental results have shown that the proposed method can effectively identify whether the testing audio has been previously treated with single/double/triple compression.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2008.05a
• /
• pp.679-682
• /
• 2008

기존의 웹서버는 텍스트형식의 로그파일을 기록한다. 웹 서버에서 로그파일은 클라이언트의 웹서버에 대한 접속정보와 웹서버의 처리상황 등 모든 상황을 기록하고 저장한다. 이 정보를 분석하면 웹 서비스를 하는데 있어서 웹 서비스의 질을 높이는데 좋은 참고자료가 될 뿐 아니라 웹 서버에 이상이 생겼을 경우 발생한 오류를 조기에 발견하는 데에도 사용되는 중요한 자료이다. 현재 이러한 로그파일은 텍스트 파일로 저장되어있기 때문에 조작의 가능성도 있고 오랜 시간이 지나 해당 웹 페이지가 삭제되었을 경우 로그파일에 기록된 그 시각의 웹 페이지를 볼 수 없다. 본 연구에서는 로그파일에 기록된 그 시간의 웹 URL 페이지 이미지를 저장하여 이미지 로그파일을 만드는 시스템을 구현해 봄으로써 텍스트형식 로그파일의 단점을 보안하고 오랜 시간이 지난 후에도 그 웹 페이지를 볼 수 있는 기법을 연구하였다. 이 기법은 로그파일로써의 역할 뿐만 아니라 Digital Forensics 로 범죄 수사에도 많은 도움이 될 수 있고 휴대전화에서 풀 인터넷 브라우징 연구에도 적용될 수 있다.

• Journal of Software Assessment and Valuation
• /
• v.16 no.2
• /
• pp.153-162
• /
• 2020

Digital image forgery detection is one of very important fields in the field of digital forensics. As the forged images change naturally through the advancement of technology, it has made it difficult to detect forged images. In this paper, we use passive forgery detection for copy paste forgery in digital images. In addition, it detects copy-paste forgery using the L₀ Norm-based LE operator, and compares the detection accuracy with the forgery detection using the existing L₂, L₁ Norm-based LE operator. In comparison of detection rates, the proposed lower triangular(Ayalneh and Choi) window was more robust to BAG mismatch detection than the conventional window filter. In addition, in the case of using the lower triangular window, the performance of image forgery detection was measured increasingly higher as the L₂, L₁ and L₀ Norm LE operator was performed.

• Journal of the Institute of Electronics and Information Engineers
• /
• v.54 no.5
• /
• pp.42-47
• /
• 2017

In the distribution of digital image, the median filtering is used for a forgery. This paper proposed the algorithm of a image forensics detection for the classification of median filtering. For the solution of this grave problem, the feature vector is composed of 42-Dim. The detected quantity 32, 64 and 128 of forgery image edges, respectively, which are processed by the Hough transform, then it extracted from the start-end point coordinates of the Hough Lines. Also, the Hough Peaks of the Angle-Distance plane are extracted. Subsequently, both of the feature vectors are composed of the proposed scheme. The defined 42-Dim. feature vector is trained in SVM (Support Vector Machine) classifier for the MF classification of the forged images. The experimental results of the proposed MF detection algorithm is compared between the 10-Dim. MFR and the 686-Dim. SPAM. It confirmed that the MF forensic classification ratio of the evaluated performance is 99% above with the whole test image types: the unaltered, the average filtering ($3{\times}3$), the JPEG (QF=90 and 70)) compression, the Gaussian filtered ($3{\times}3$ and $5{\times}5$) images, respectively.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.4
• /
• pp.839-845
• /
• 2018

Sensitive data is encrypted and stored as privacy policy is strengthened through frequent leakage of personal information. For this reason, the cryptographically owned encrypted data is a very important analysis from the viewpoint of digital forensics. Until now, the digital evidence collection procedure only considers imaging, so hardware specific information is not collected. If the encryption key is generated by information that is not left in the disk image, the encrypted data can not be decrypted. Recently, an application for performing encryption using hardware specific information has appeared. Therefore, in this paper, hardware specific information which does not remain in file form in auxiliary storage device is studied, and hardware specific information collection method is introduced.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.4
• /
• pp.89-100
• /
• 2011

Physical memory analysis has been an issue on a field of live forensic analysis in digital forensics until now. It is very useful to make the result of analysis more reliable, because record of user behavior and data can be founded on physical memory although process is hided. But most memory analysis focuses on windows based system. Because the diversity of target system to be analyzed rises up, it is very important to analyze physical memory based on other OS, not Windows. Mac OS X, has second market share in Operating System, is operated by loading kernel image to physical memory area. In this paper, We propose a methodology for physical memory analysis on Mac OS X using symbol information in kernel image, and acquire a process information, mounted device information, kernel information, kernel extensions(eg. KEXT) and system call entry for detecting system call hooking. In additional to the methodology, we prove that physical memory analysis is very useful though experimental study.

• KIPS Transactions on Computer and Communication Systems
• /
• v.5 no.12
• /
• pp.491-498
• /
• 2016

Recently leakages of confidential information and internal date have been steadily increasing by using booting technique on portable OS such as Windows PE stored in portable storage devices (USB or CD/DVD etc). This method allows to bypass security software such as USB security or media control solution installed in the target PC, to extract data or insert malicious code by mounting the PC's storage devices after booting up the portable OS. Also this booting method doesn't record a log file such as traces of removable storage devices. Thus it is difficult to identify whether the data are leaked and use trace-back technique. In this paper is to propose method to help facilitate the process of digital forensic investigation or audit of a company by collecting and analyzing BIOS firmware images that record data relating to BIOS settings in flash memory and finding traces of portable storage devices that can be regarded as abnormal events.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.4
• /
• pp.911-919
• /
• 2016

Compared to the past, the current disk storages have dramatically increased and extremely many data are transferred on the network everyday. In spite of the anticipation that such development will be continued, there have been lack of studies for improving the data-imaging time in terms of the digital forensics. In this paper, we firstly investigate the time due to hash functions during the data Imaging and secondly propose a method for improving the efficiency of the EWF-File imaging time from a cryptographic perspective.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.4
• /
• pp.835-845
• /
• 2019

File Carving is a technique for attempting to recover a file without metadata, such as a formated storage media or a damaged file system, and generally looks for a specific header / footer signature and data structure of the file. However, file carving is faced with the problem of recovering fragmented files for a long time, and it is very important to propose a solution for digital forensics because important files are relatively fragmented. To overcome these limitations, various carving techniques and tools are continuously being developed, and data sets from various researches and institutions are provided for functional verification. However, existing data sets are ineffective in verifying tools because of their limited environmental conditions. Therefore, this paper refers to the importance of fragmented file carving and develops 16 images for carving tool verification based on scenarios. The developed images' carving rate and accuracy of each media is shown through Foremost which is well known as a commercial carving tool.