• Title/Summary/Keyword: Filesystem

Design of Fast Operation Method In NAND Flash Memory File System (NAND 플래시 메모리 파일 시스템에 빠른 연산을 위한 설계)

  • Jin, Jong-Won;Lee, Tae-Hoon;Chung, Ki-Dong
    • Journal of KIISE:Computing Practices and Letters / v.14 no.1 / pp.91-95 / 2008
  • Flash memory is widely used in embedded systems because of its benefits, such as non-volatility, shock resistance, and low power consumption. But NAND flash memory suffers from out-of-place updates, limited erase cycles, and page-based read/write operations. To solve these problems, log-structured filesystems such as YAFFS were proposed. However, YAFFS sequentially retrieves an array of all block information to allocate a free block for a write operation. Also, before the write operation, YAFFS reads the array of block information to find an invalid block to erase. These could reduce the performance of the filesystem. This paper suggests a fast operation method for NAND flash filesystems that solves the above-mentioned problems. We implemented the proposed methods in YAFFS and measured the performance compared with the original technique.

The Research on the Recovery Techniques of Deleted Files in the XFS Filesystem (XFS 파일 시스템 내의 삭제된 파일 복구 기법 연구)

  • Ahn, Jae-Hyoung;Park, Jung-Heum;Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.24 no.5 / pp.885-896 / 2014
  • The files in computer storage can be deleted due to unexpected failures or accidents. Some malicious users often delete data themselves for anti-forensics. If deleted files are associated with crimes or important business documents, they should be recovered, and a recovery tool is necessary. Recovery methods and tools for some filesystems such as NTFS, FAT, and EXT have been actively developed. However, there has not been any research on recovering deleted files in the XFS filesystem applied to NAS or CCTV. In addition, since the current related tools are based on traditional signature detection methods, they have low recovery rates. Therefore, this paper suggests recovery methods for deleted files based on metadata and signature detection in the XFS filesystem, and verifies the results by conducting experiments in a real environment.

Optimizing Garbage Collection Overhead of Host-level Flash Translation Layer for Journaling Filesystems

  • Son, Sehee;Ahn, Sungyong
    • International Journal of Internet, Broadcasting and Communication / v.13 no.2 / pp.27-35 / 2021
  • A NAND flash memory-based SSD needs internal software, the Flash Translation Layer (FTL), to provide a traditional block device interface to the host because of its physical constraints, such as erase-before-write and large erase blocks. However, because useful host-side information cannot be delivered to the FTL through the narrow block device interface, SSDs suffer from a variety of problems such as increasing garbage collection overhead, large tail latency, and unpredictable I/O latency. In contrast, a new type of SSD, the open-channel SSD, exposes the internal structure of the SSD to the host so that the underlying NAND flash memory can be managed directly by the host-level FTL. In particular, I/O data classification using host-side information can reduce garbage collection overhead. In this paper, we propose a new scheme to reduce the garbage collection overhead of open-channel SSDs by separating the journal from other file data for journaling filesystems. Because the journal has a different lifespan from other file data, the Write Amplification Factor (WAF) caused by garbage collection can be reduced. The proposed scheme is implemented by modifying the host-level FTL of Linux and evaluated with both Fio and Filebench. According to the experimental results, the proposed scheme improves I/O performance by 46%~50% while reducing the WAF of open-channel SSDs by more than 33% compared to the previous one.

An Arbitrary Disk Cluster Manipulating Method for Allocating Disk Fragmentation of Filesystem (파일시스템의 클러스터를 임의로 할당하여 디스크를 단편화하기 위한 방법)

  • Cho, Gyu-Sang
    • Journal of Korea Society of Digital Industry and Information Management / v.16 no.2 / pp.11-25 / 2020
  • This study proposes a method to manipulate disk fragmentation by arbitrarily allocating and releasing disk clusters in the NTFS file system. This method allows experiments to be performed in several studies related to fragmentation problems on disk clusters. Typical applicable research examples include testing the performance of disk defragmentation tools according to the state of fragmentation, establishing an experimental environment for fragmented file carving methods for digital forensics, setting up cluster fragmentation for testing the robustness of data hiding methods within directory indexes, and testing the file system's disk allocation methods according to the various versions of Windows. The method shows how a single file occupies a cluster and presents an algorithm with a flowchart. It raises three tricky problems that the method must solve, and we propose solutions to them. Experiments allocate disk clusters so that they are fragmented to the maximum extent possible, and a disk defragmentation experiment is then performed to show that the proposed method is effective.

Data Hiding in NTFS Timestamps for Anti-Forensics

  • Cho, Gyu-Sang
    • International Journal of Internet, Broadcasting and Communication / v.8 no.3 / pp.31-40 / 2016
  • In this paper, we propose a new anti-forensic method for hiding data in the timestamp of a file in the Windows NTFS filesystem. The main idea of the proposed method is to utilize the 16 least significant bits of the 64 bits in the timestamps. The 64-bit timestamp format represents a number of 100-nanosecond intervals, which are small enough to appear in less than a second, and are not commonly displayed with full precision in the Windows Explorer window or the file browsers of forensic tools. This allows them to be manipulated for other purposes. Every file has $STANDARD_INFORMATION and $FILE_NAME attributes, and each attribute has four timestamps respectively, so we can use 16 bytes to hide data. Without any changes in an original timestamp of "year-month-day hour:min:sec" format, we intentionally put manipulated data into the 16 least significant bits, making the existence of the hidden data in the timestamps difficult to uncover or detect. We demonstrated the applicability and feasibility of the proposed method with a test case.

Design and Implementation of Fault-tolerant server for Shared File System in SAN environment (SAN 환경에서 공유파일시스템을 위한 Fault-tolerant server 구현)

  • Choi, Young-Han;Lee, Ju-Pyung;Lee, Chul;Park, Kyu-Ho
    • Proceedings of the IEEK Conference / 2003.11b / pp.231-234 / 2003
  • This paper designs and implements a fault-tolerant server for the meta server of a shared filesystem (SANfs) in a SAN environment. SANfs is a filesystem in which many clients can share data on network-attached storage in a SAN environment, and the meta server is the server that processes file operations in SANfs. The focus of this paper is the implementation of the fault-tolerant server for the meta server in SANfs. In the event of a meta server failure, the meta server fails over to a fault-tolerant server, where its processing continues seamlessly. If the meta server is not restored, the fault-tolerant server searches for a reliable client, creates another fault-tolerant server, and works as the meta server. Heartbeat monitors the meta server and the shadow server and controls them.

Design and Implementation of Force Unmount for Linux Filesystem (Linux Filesystem을 위한 Force Unmount 설계 및 구현)

  • Kim, Dong-Wook;Lim, Eun-Ji;Cha, Gyu-Ii;Jung, Sung-In
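    • Korea Society of IT Services: Conference Proceedings (한국IT서비스학회:학술대회논문집) / 2005.05a / pp.519-525 / 2005
  • This paper describes the implementation of the FU (Force Unmount) feature on the Linux filesystem. Linux currently needs many features in order to evolve into an enterprise server. The OSDL CGL document defines providing the FU feature as Property 1, because FU is recognized as a foundation technology for providing other technologies. This paper describes the problems and considerations in implementing FU, and includes test results that verify stability and functionality after implementation.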

A File/Directory Reconstruction Method of APFS Filesystem for Digital Forensics

  • Cho, Gyu-Sang;Lim, Sooyeon
    • International Journal of Internet, Broadcasting and Communication / v.14 no.3 / pp.8-16 / 2022
  • In this paper, we propose a method of reconstructing the file system to obtain digital forensics information from the APFS file system when the meta information describing the structure of the file system is deleted due to partial damage to the disk. The method reconstructs the tree structure of the file system by retrieving only the B-tree nodes where file/directory information is stored. It does not construct nodes based on structural information such as the Container Superblock (NXSB) and Volume Checkpoint Superblock (APSB), and B-tree root and leaf node information. The entire disk cluster is traversed to find scattered B-tree leaf nodes and to gather all the information in the file system. The file/directory tree structure is then reconstructed from essential data refined by removing duplicate data. We demonstrate that the proposed method is valid by applying it to a number of generated user files and directories.

Design and Implementation of APFS Object Identification Tool for Digital Forensics

  • Cho, Gyu-Sang
    • International Journal of Internet, Broadcasting and Communication / v.14 no.1 / pp.10-18 / 2022
  • Since High Sierra, APFS has been used as the main file system. It is a well-established file system that has been used stably thus far. From the perspective of digital forensics, there are still many areas to be investigated. The Apple File System Reference is provided on the Apple developer site, but it is not sufficient to fully analyze APFS. Researchers know more about the structure of APFS than before, but they have not yet fully analyzed its structure. In this paper, we develop an APFS object identification tool for digital forensics. The most basic and essential object identification and analysis of the APFS filesystem will be conducted with the tool. The analysis in this study serves as the background for an analysis of the checkpoint operation principle and structure, including the more complex B-tree structure of APFS. There are several options for the developed tool, but the results of two use cases will be shown here. Based on the implemented tool, it is hoped that more functions will be added to make APFS a useful tool for faster and more accurate analyses.

Forensic Technique for Clusters Analysis of HFS+ Filesystem (HFS+파일시스템의 클러스터 분석을 위한 포렌식 기법)

  • Cho, Gyu-Sang;Shin, Seung-Cheol
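    • Proceedings of the Korean Society of Computer Information Conference / 2021.07a / pp.221-222 / 2021
  • In this paper, we propose a technique for analyzing the state of clusters in the HFS+ filesystem for use in digital forensics. The method is developed with the goal of providing information for performing forensics by displaying the information contained in the filesystem's clusters in text and GUI form. The technique applies to the HFS+ filesystem used on macOS, and it displays the number of clusters for a file/directory, cluster contiguity information, and the unique information and time information of the file/directory associated with a cluster. The tool for this technique is developed in C/C++ and Python to run in the macOS environment. Because relatively little forensic analysis software is generally available for macOS compared with Windows, the contribution of this study is that the tool can be used effectively to obtain the allocation state of disk clusters and the forensic information associated with it.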
