• The KIPS Transactions:PartC
• /
• v.17C no.2
• /
• pp.159-164
• /
• 2010

The data wiping is a technique which perfectly deletes data in a storage to prevent data recovery. Currently, management of stored data is important because of increasing an accident of personal information leakage. Especially, if you need to discard data contained personal information, using a wiping tool which permanently deletes data to prevent unnecessary personal information leakage. The data wiping is also used for data security and privacy protection. However the data wiping can be used intentionally destruction of evidence. This intentionally destruction of evidence is important clues of forensic investigation. This paper demonstrates the methods for detecting the usage of wiping tools in digital forensic investigation.

• Anxiety and mood
• /
• v.12 no.2
• /
• pp.86-96
• /
• 2016

Paraphilia and paraphilic disorder is one of mental disorders making it difficult to assess and treat. Recently, a number of methods for assessing the paraphilia are being developed gradually outside south Korea. And the reliability and validity of various assessment tools are being reported. The standardization of the assessments and questionnaires was not made yet. For assessment of paraphilia that has been reported from abroad, the author comprehensively organized clinical interview, physical examination, psycho-physiological methods, self-reporting scale of sexual thoughts, fantasies and attitudes and multiple self-reporting scale of sexual interests and described the clinical significance of the assessment tools. The national standardization of both self-reported questionnaire and physical evaluations is expected to be completed later.

• The KIPS Transactions:PartC
• /
• v.17C no.4
• /
• pp.335-346
• /
• 2010

Mac OS X is the Computer Operating System that develop in Apple Inc. Mac OS X is the successor to Mac OS 9 Version which had been Apple's primary operating system since 1984. Recently, Mac OS X 10.6 (Snow Leopard) has been manufactured and is distributed to user. Apple's Mac OS X Operating System is occupying about 10% in the world Operating System market share. But, Forensic tools that is utilized on digital forensic investigation can not forensic analysis about Mac OS X properly. To do forensic investigation about Mac OS X, information connected with user's action and trace can become important digital evidence in Operating System. This paper presents way about user trace data acquisition methodology in Mac OS X.

• The Journal of Industrial Distribution & Business
• /
• v.12 no.6
• /
• pp.47-55
• /
• 2021

Purpose: Organizational crime is an offense committed by an individual or an official in a corporate entity for organizational gain. This study aims to explore the literature on challenges facing digital forensics and further discuss possible solutions to such challenges as far as the protection of corporate crime is concerned. Research design, data and methodology: Qualitative textual methodology matches the interpretative approach since it is a quality method meant to consider the inductivity of strategies. Also, a qualitative approach is vital because it is distinct from the techniques used in optimistic paradigms linked to science laws. Results: For achieving justice through the investigation of digital forensic, there is a need to eradicate corporate crimes. This study suggests several solutions to reduce corporate crime such as 'Solving a problem to Anti-forensic Techniques', 'Cloud computing technique', and 'Legal Framework' etc. Conclusion: As corporate crime increases in rate, the data collected by digital forensics increases. The challenge of analyzing chunks of data requires digital forensic experts, who need tools to analyze them. Research findings shows that a change of the operating system and digital evidence interpretation is becoming a challenge as the new computer application software is not compatible with older software's structure.

• International Journal of Internet, Broadcasting and Communication
• /
• v.8 no.3
• /
• pp.31-40
• /
• 2016

In this paper, we propose a new anti-forensic method for hiding data in the timestamp of a file in the Windows NTFS filesystem. The main idea of the proposed method is to utilize the 16 least significant bits of the 64 bits in the timestamps. The 64-bit timestamp format represents a number of 100-nanosecond intervals, which are small enough to appear in less than a second, and are not commonly displayed with full precision in the Windows Explorer window or the file browsers of forensic tools. This allows them to be manipulated for other purposes. Every file has $STANDARD_INFORMATION and $FILE_NAME attributes, and each attribute has four timestamps respectively, so we can use 16 bytes to hide data. Without any changes in an original timestamp of "year-month-day hour:min:sec" format, we intentionally put manipulated data into the 16 least significant bits, making the existence of the hidden data in the timestamps difficult to uncover or detect. We demonstrated the applicability and feasibility of the proposed method with a test case.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.20 no.4
• /
• pp.777-785
• /
• 2016

IM(Instant Messenger) chatting service can carry user's various information including life style, geographical position, and psychology & crime history and thus forensic analysis on the IM service is desirable. But, forensic analysis for KakaoTalk's chatting service is not well studied yet. For this reason, we study KakaoTalk's forensic analysis focusing on chatting service. This paper first details a general method of IM forensics investigating the previous articles about IM forensics although there are not many articles. Second, we discuss methodologies for IM forensics wherein we present analysis of table structure and method for reconstruction of chatting message. These result in the basic element of forensic tools of KakaoTalk chatting message. Last, we compare artifacts of KakaoTalk with that of WhatsApp. We conclude that these applications are, at least, different in that table structures and the ways to reconstruct chatting messages are not same and therefore digital evidences or artifacts are not same and somewhat distinct.

• Journal of the Korea Society of Computer and Information
• /
• v.24 no.9
• /
• pp.51-58
• /
• 2019

Temporal analysis is very useful and important for digital forensics for reconstructing the timeline of digital events. Forgery of a file's timestamp can lead to inconsistencies in the overall temporal relationship, making it difficult to analyze the timeline in reconstructing actions or events and the results of the analysis might not be reliable. The purpose of the timestamp change is to hide the data in a steganographic way, and the other purpose is for anti-forensics. In both cases, the time stamp change tools are requested to use. In this paper, we propose a classification method based on the behavior of the timestamp change tools. The timestamp change tools are categorized three types according to patterns of the changed timestamps after using the tools. By analyzing the changed timestamps, it can be decided what kind of tool is used. And we show that the three types of the patterns are closely related to API functions which are used to develop the tools.

• KIPS Transactions on Computer and Communication Systems
• /
• v.2 no.2
• /
• pp.93-102
• /
• 2013

These days digital data have become essential for digital investigation because most of the crime was occurred by using the digital devices. However, digital data is very easier to falsify or delete. If digital data was deleted, it is necessary to recover the deleted data for obtain digital evidence. Even though file carving is the most important thing to gather. digital evidence in digital forensic investigation, most of popular carving tools don't contemplate methods of selection or restoration for digital forensic investigation. The goal of this research is suggested files which can obtain useful information for digital forensic investigation and proposed new record file carving technique to be able to recover data effectively than before it.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.2
• /
• pp.71-82
• /
• 2011

Live data in physical memory can be acquired by live forensics but not by harddisk file-system analysis. Therefore, in case of forensic investigation, live forensics is widely used these days. But, existing live forensic methods, that use command line tools in live system, have many weaknesses; for instance, it is not easy to re-analyze and results can be modified by malicious code. For these reasons, in this paper we explain the Windows kernel architecture and how to analyze physical memory dump files to complement weaknesses of traditional live forensics. And then, we design and implement the Physical Memory Dump Explorer, and prove the effectiveness of our tool through test results.

• YAKHAK HOEJI
• /
• v.55 no.2
• /
• pp.106-115
• /
• 2011

Systematic toxicological analysis (STA) means the process for general unknown screening of drugs and toxic compounds in biological fluids. In order to establish STA, in previous study we investigated pattern of drugs & poisons in autopsy cases during 2007~2009 in Korea, and finally selected 62 drugs as target drugs for STA. In this study, rapid and simple drug identification and quantitative analytical program by gas chromatography-mass spectrometry(GC-MS) was developed. The in-house program, "DrugMan", consisted of modified chemstation data analysis menu and newly developed macro modules. Total 55 drugs among 62 target drugs were applied to this program, they were 14 antidepressants, 8 anti-histamines, 5 sedatives/hypnotics, 5 narcotic analgesics, 3 antipsychotic drugs, and etc. For calibration curves, fifty five drugs were divided into four groups of range considering their therapeutic or toxic concentrations in blood specimen, i.e. 0.05~1 mg/l, 0.1~1 mg/l, 0.1~5 mg/l or 0.5~10 mg/l. Standards spiked bloods were extracted by solid-phase extraction (SPE) with trimipramine-D3 as internal standard. Parameters such as retention times, 3 mass fragment ions, and calibration curves for each drug were registered to DrugMan. A series of identification, semi quantitation of target drugs and reporting the results were performed automatically. Calibration curves for most drugs were linear with correlation coefficients exceeding 0.98. Sensitivity rate of DrugMan was 0.90 (90%) for 55 drugs at the level of 0.5 mg/l. For standard spiked bloods at the level of 0.5 mg/l for 29 drugs, semi quantitative concentrations were ranged 0.36~0.64 mg/l by DrugMan. If more drugs are registered to database in DrugMan in further study, it will be useful tools for STA in forensic toxicology.