• Title/Summary/Keyword: Forensic Analysis Tool


A Digital Forensic Analysis of Timestamp Change Tools for Windows NTFS

  • Cho, Gyu-Sang
    • Journal of the Korea Society of Computer and Information / v.24 no.9 / pp.51-58 / 2019
  • Temporal analysis is very useful and important in digital forensics for reconstructing the timeline of digital events. Forgery of a file's timestamp can introduce inconsistencies into the overall temporal relationships, making it difficult to reconstruct actions or events from the timeline, and the results of the analysis may no longer be reliable. One purpose of changing timestamps is to hide data in a steganographic way; the other is anti-forensics. In both cases, timestamp change tools are required. In this paper, we propose a classification method based on the behavior of timestamp change tools. The tools are categorized into three types according to the patterns of the timestamps left after the tools are used. By analyzing the changed timestamps, it can be decided what kind of tool was used. We also show that the three pattern types are closely related to the API functions used to develop the tools.

Analysis on Smishing Attack Trends and Mobile Forensic (스미싱 공격 동향 분석 및 Mobile Forensic)

  • Noh, Jung-Ho;Park, Dea-Woo
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2014.10a / pp.394-397 / 2014
  • Most Koreans have a smartphone. Using smartphones, they do internet banking, e-commerce and personal scheduling. However, the convenience of the smartphone has produced side effects, such as its use as a tool for fraud and crime. In particular, smishing on smartphones has increased rapidly since 2013. Smishing has used social-engineering techniques tied to social issues such as the sinking of the Korean coastal cruise ship 'Sewol-Ho' and the traditional thanksgiving holiday 'Chu-Seok'. This paper proposes the oncoming trend of smishing on smartphones after 2014. This paper also analyzes the process and techniques of smishing in domestic financial fraud. It also covers smartphone forensics for obtaining legal evidence. By uncovering the connection between smishing and financial fraud, this paper can serve as a reference for social security on smartphones.


Analysis of ethyl glucuronide (EtG) in Hair for the diagnosis of chronic alcohol abuse of Korean (한국인의 만성 알코올 중독 진단을 위한 모발에서 Ethyl Glucuronide (EtG) 분석법 연구)

  • Gong, Bokyoung;Jo, Young-Hoon;Ju, Soyeong;Min, Ji-Sook;Kwon, Mia
    • Analytical Science and Technology / v.33 no.3 / pp.151-158 / 2020
  • Alcohol, which can be obtained as easily as ordinary beverages, is harmful enough to cause death through excessive drinking and chronic intake, so it is important to maintain a proper amount of drinking and healthy drinking habits. In addition, the incidence of behavioral disturbances and impaired judgment caused by chronic drinking beyond adequate amounts is also significant. Accordingly, it is very useful in forensic science to check whether a person involved in an accident is drunk or in a state of alcoholism. Currently, in Korea, alcohol consumption is determined by detecting the level of alcohol or the alcohol metabolite ethyl glucuronide (EtG) in blood or urine samples. However, analysis of alcohol or EtG in blood or urine can only provide information about the current state of alcohol consumption because of the narrow detection window. Therefore, it is important to analyze EtG as a long-term direct alcohol metabolite biomarker in human hair and to investigate the relationship between alcohol consumption and EtG concentration for the evaluation of chronic ethanol consumption. In this study, we established an efficient analytical method for the detection of EtG in Korean hair and validated selectivity, linearity, limit of detection (LOD), limit of quantification (LOQ), matrix effect, recovery, process efficiency, accuracy and precision using liquid chromatography tandem mass spectrometry (LC-MS/MS). In addition, the assay performance was evaluated on the hair of Korean social drinkers and the postmortem hair of a chronic alcoholic. The results of this study can be useful for monitoring the alcohol abuse of Koreans in clinical cases and in legal procedures related to custody, and provide a useful tool for the postmortem diagnosis of alcoholic ketoacidosis in forensics.

Study on Windows Event Log-Based Corporate Security Audit and Malware Detection (윈도우 이벤트 로그 기반 기업 보안 감사 및 악성코드 행위 탐지 연구)

  • Kang, Serim;Kim, Soram;Park, Myungseo;Kim, Jongsung
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.3 / pp.591-603 / 2018
  • The Windows Event Log is a format that records system logs in the Windows operating system and methodically manages information about system operation. An event can be caused by the system itself or by a user's specific actions, and some event logs can be used for corporate security audits, malware detection and so on. In this paper, we choose actions related to corporate security audit and malware detection (external storage connection, application install, shared folder usage, printer usage, remote connection/disconnection, file/registry manipulation, process creation, DNS query, Windows service, PC startup/shutdown, log on/off, power saving mode, network connection/disconnection, event log deletion and system time change) which can be detected through event log analysis, and classify the event IDs that occur in each situation. Existing event log tools only include functions related to parsing EVTX files, which makes it difficult to track a user's behavior when they are used in a forensic investigation. We therefore implemented a new analysis tool in this study which parses EVTX files and tracks user behavior.

Composition of volatile organic components on ballpoint pen inks by HS-SPME GC/MS (HS-SPME GC/MS를 이용한 볼펜잉크의 휘발성 성분 분석)

  • Choi, Mi-Jung;Kim, Chang-Seong;Sun, Yale-Shik;Park, Sung-Woo
    • Analytical Science and Technology / v.23 no.4 / pp.414-422 / 2010
  • In forensic examination of questioned documents, analysis of ink components and the dating of ink entries is often of considerable importance, and forensic examination of inks is principally concerned with the classification and comparison of chemically complex mixtures. The authenticity of a questioned document may be examined through analysis of the inks used by TLC, HPLC/MS, GC/MS and LDI/MS. We collected 56 different types of black ballpoint pen inks manufactured in 5 country groups. Using HS-SPME GC/MS we identified six major volatile organic components (VOCs): ethylbenzene (0.089-0.244 μg/mL), o-xylene (0.072-0.331 μg/mL), m,p-xylene (0.062-0.318 μg/mL), benzene (0.003-0.173 μg/mL), 1,1-dichloroethylene (0.003-0.295 μg/mL) and toluene (0.007-0.484 μg/mL). The results of this study indicate that the VOCs determined in black ballpoint pen inks can serve as a discriminating tool in ink analysis for forensic questioned document examination, and can supply a methodology for the classification and identification of ballpoint pen inks.

Android Log Cat Systems Research for Privacy (개인정보보호를 위한 안드로이드 로그캣 시스템 연구)

  • Jang, Hae-Sook
    • Journal of the Korea Society of Computer and Information / v.17 no.11 / pp.101-105 / 2012
  • Various social problems arising from violations of personal information and privacy are growing with the rapid spread of smartphones. For this reason, a variety of research and technology developments to protect personal information are being made. The smartphone, which contains almost all of a person's information, can leak data at any time. Collecting or analyzing evidence is not an easy job even with a forensic analysis tool. Android forensics research has focused on techniques to collect and analyze data from non-volatile memory, but research on volatile data is very slight. The Android log is non-volatile data that can be collected from volatile storage. It is sufficient as material for tracking the usage of an Android phone because all recent activity records, from the system to applications, are stored there. In this paper, we propose a method for determining the existence of a personal information leak by filtering logs without forensic analysis tools.

A study on the Effective Selection of the Personal Information Audit Subject Using Digital Forensic (디지털 포렌식 기법을 활용한 효율적인 개인정보 감사 대상 선정 방안 연구)

  • Cheon, Jun-Young;Lee, Sang-Jin
    • Journal of Advanced Navigation Technology / v.18 no.5 / pp.494-500 / 2014
  • Recently, leaks of personal information from in-house and contract-managed companies have been continually increasing, which calls for regular observation of outsourcing companies that operate personal information management systems, to prevent the dangers of leakage, theft and loss of personal information. However, analyzing a large number of computers in limited time runs into difficulties in some circumstances, such as outsourcing companies whose computers hold personal information systems, or task continuity requirements tied to the company's profits. For this reason, it is necessary to select the objects of examination by identifying those at high risk of personal data leakage. In this paper, we formulate a proposal for the selection of high-risk subjects based on the user interface, using digital forensics. The study designs an integrated analysis tool and demonstrates the effects of the tool through test results.

A Study of Method to Restore Deduplicated Files in Windows Server 2012 (윈도우 서버 2012에서 데이터 중복 제거 기능이 적용된 파일의 복원 방법에 관한 연구)

  • Son, Gwancheol;Han, Jaehyeok;Lee, Sangjin
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.6 / pp.1373-1383 / 2017
  • Deduplication is a function for managing data effectively and improving the efficiency of storage space. When deduplication is applied to a system, storage space is used efficiently by dividing each stored file into chunks and storing only the unique chunks. However, commercial digital forensic tools do not support analysis of this file system, and the original files extracted by those tools cannot be executed or opened. Therefore, in this paper, we analyze the process of generating data chunks on a Windows Server 2012 system with deduplication applied, and the structure of the resulting file (Chunk Storage). We also analyze the case where chunks are compressed, which was not covered in the previous study. Based on these results, we propose a method to collect deduplicated data and reconstruct the original file for digital forensic investigation.

DNAchip as a Tool for Clinical Diagnostics (진단의학 도구로서의 DNA칩)

  • 김철민;박희경
    • Proceedings of the Korean Institute of Intelligent Systems Conference / 2004.04a / pp.97-100 / 2004
  • The identification of the DNA structure as a double-stranded helix consisting of two nucleotide chain molecules was a milestone in modern molecular biology. DNA chip technology is based on reverse hybridization, which follows the principle of complementary binding of double-stranded DNA. A DNA chip can be described as the deposition of defined nucleic acid sequences (probes) on a solid substrate to form a regular array of elements that are available for hybridization to complementary nucleic acids (targets). DNA chips based on cDNA clones, oligonucleotides and genomic clones have been developed for gene expression studies, genetic variation analysis and the study of genomic changes associated with disease, including cancers and genetic diseases. DNA chips for gene expression profiling can be used for functional analysis in human cells and animal models, disease-related gene studies, assessment of gene therapy, assessment of genetically modified food, and research for drug discovery. DNA chips for genetic variation detection can be used for the detection of mutations or chromosomal abnormalities in cancers, drug resistance in cancer cells or pathogenic microbes, histocompatibility analysis for transplantation, individual identification for forensic medicine, and the detection and discrimination of pathogenic microbes. The DNA chip will become a general tool in clinical diagnostics in the near future. Lab-on-a-chip and informatics will facilitate the development of a variety of DNA chips for diagnostic purposes.


A Study for Detection of the Kernel Backdoor Attack and Design of the restoration system (커널 백도어 공격 탐지 및 복구시스템 설계에 관한 연구)

  • Jeon, Wan-Keun;Oh, Im-Geol
    • Journal of Korea Society of Industrial Information Systems / v.12 no.3 / pp.104-115 / 2007
  • As soon as an intrusion by a kernel backdoor is detected, the proposed method can preserve secure and trustworthy evidence even on a damaged system. As an experimental tool, we implement a backup and analysis system that can respond quickly in order to minimize the damage. In this paper, we propose a method that can restore deleted log files and analyze the image of a hard disk, in order to expose the location of an intruder.
