• Proceedings of the IEEK Conference
• /
• 2008.06a
• /
• pp.333-334
• /
• 2008

With the role of cell phones in today's society as a digital personal assistant as well as the primary tool for personal communication, it is possible to imagine the involvement of cell phones in almost any type of crime. The progression of a criminal investigation can hinge on vital clues obtained from a cell phone. This paper will be concentrated on CDMA system phones and focus on the data extraction for cell phone forensics. Especially, the data acquisition method of JTAG interface access to memory chip will be covered.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.3
• /
• pp.571-580
• /
• 2014

Digital Records, which are created, stored, and managed in digital form, contains security vulnerability such as data modification, due to the characteristic of digital data. Therefore it is necessary to guarantee the reliability by verification of integrity and authenticity when managing digital records. This paper propose digital forensics based migration process for electronic records by analyzing legacy digital forensics process, and derives the requirements to develop digital forensics based electronic records migration tool through analyzing trends of abroad digital records migration technique and tool. Based on these develop digital forensic based digital records migration tool to guarantee integrity and authenticity of digital records.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.3
• /
• pp.591-603
• /
• 2018

Windows Event Log is a format that records system log in Windows operating system and methodically manages information about system operation. An event can be caused by system itself or by user's specific actions, and some event logs can be used for corporate security audits, malware detection and so on. In this paper, we choose actions related to corporate security audit and malware detection (External storage connection, Application install, Shared folder usage, Printer usage, Remote connection/disconnection, File/Registry manipulation, Process creation, DNS query, Windows service, PC startup/shutdown, Log on/off, Power saving mode, Network connection/disconnection, Event log deletion and System time change), which can be detected through event log analysis and classify event IDs that occur in each situation. Also, the existing event log tools only include functions related to the EVTX file parse and it is difficult to track user's behavior when used in a forensic investigation. So we implemented new analysis tool in this study which parses EVTX files and user behaviors.

• Journal of the Korea Society of Computer and Information
• /
• v.17 no.11
• /
• pp.101-105
• /
• 2012

Various social problems through violating personal information and privacy are growing with the rapid spread of smartphones. For this reason, variety of researches and technology developments to protect personal information being made. The smartphone, contains almost all of the personal information, can cause data spill at any time. Collecting or analyzing evidence is not an easy job with forensic analyzing tool. Android forensics research has been focused on techniques to collect and analyze data from non-volatile memory but research for volatile data is very slight. Android log is the non-volatile data that can be collected by volatile storage. It is enough to use as a material to track the usage of the Android phone because all of the recent driven records from system to application are stored. In this paper, we propose a method to respond to determining the existence of personal information leakage by filtering logs without forensic analysis tools.

• Journal of Advanced Navigation Technology
• /
• v.18 no.5
• /
• pp.494-500
• /
• 2014

Recently the leak of personal information from in-house and contract-managed companies has been continually increasing, which leads a regular observation on outsourcing companies that perform the personal information management system to prevent dangers from the leakage, stolen and loss of personal information. However, analyzing many numbers of computers in limited time has found few difficulties in some circumstances-such as outsourcing companies that own computers that have personal information system or task continuities that being related to company's profits. For the reason, it is necessary to select an object of examination through identifying a high-risk of personal data leak. In this paper, this study will formulate a proposal for the selection of high-risk subjects, which is based on the user interface, by digital forensic. The study designs the integrated analysis tool and demonstrates the effects of the tool through the test results.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.6
• /
• pp.1373-1383
• /
• 2017

Deduplication is a function to effectively manage data and improve the efficiency of storage space. When the deduplication is applied to the system, it makes it possible to efficiently use the storage space by dividing the stored file into chunks and storing only unique chunk. However, the commercial digital forensic tool do not support the file system analysis, and the original file extracted by the tool can not be executed or opened. Therefore, in this paper, we analyze the process of generating chunks of data for a Windows Server 2012 system that can apply deduplication, and the structure of the resulting file(Chunk Storage). We also analyzed the case where chunks that are not covered in the previous study are compressed. Based on these results, we propose the method to collect deduplicated data and reconstruct the original file for digital forensic investigation.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.3
• /
• pp.143-154
• /
• 2011

SQLite is a small sized database engine largely used in embedded devices and local application software. The availability of portable devices, such as smartphones, has been extended over the recent years and has contributed to growing adaptation of SQLite. This implies a high likelihood of digital evidences acquired during forensic investigations to include SQLite database files. Where intentional deletion of sensitive data can be made by a suspect, forensic investigators need to recover deleted records in SQLite at the best possible. This study analyzes data management rules used by SQLite and the structure of deleted data in the system, and in turn suggests a recovery Tool of deleted data. Further, the study examines major SQLite suited software as it validates feasible possibility of deleted data recovery.

• Journal of the Korea Society of Computer and Information
• /
• v.24 no.9
• /
• pp.51-58
• /
• 2019

Temporal analysis is very useful and important for digital forensics for reconstructing the timeline of digital events. Forgery of a file's timestamp can lead to inconsistencies in the overall temporal relationship, making it difficult to analyze the timeline in reconstructing actions or events and the results of the analysis might not be reliable. The purpose of the timestamp change is to hide the data in a steganographic way, and the other purpose is for anti-forensics. In both cases, the time stamp change tools are requested to use. In this paper, we propose a classification method based on the behavior of the timestamp change tools. The timestamp change tools are categorized three types according to patterns of the changed timestamps after using the tools. By analyzing the changed timestamps, it can be decided what kind of tool is used. And we show that the three types of the patterns are closely related to API functions which are used to develop the tools.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.10 no.8
• /
• pp.3943-3957
• /
• 2016

As digital evidence has a highly influential role in proving the innocence of suspects, methods for integrity verification of such digital evidence have become essential in the digital forensic field. Most surveillance camera systems are not equipped with proper built-in integrity protection functions. Because digital forgery techniques are becoming increasingly sophisticated, manually determining whether digital content has been falsified is becoming extremely difficult for investigators. Hence, systematic approaches to forensic integrity verification are essential for ascertaining truth or falsehood. We propose an integrity determination method that utilizes the structure of the video content in a Video Event Data Recorder (VEDR). The proposed method identifies the difference in frame index fields between a forged file and an original file. Experiments conducted using real VEDRs in the market and video files forged by a video editing tool demonstrate that the proposed integrity verification scheme can detect broken integrity in video content.

• Journal of KIISE:Computing Practices and Letters
• /
• v.16 no.4
• /
• pp.497-501
• /
• 2010

A software montage means information that can be extracted quickly from software and includes inherent characteristics. If a montage is made from well-known programs, we can filter candidates of similar programs among the group of programs based on the montage. In this paper, we suggest software montages based on two characteristics: API calls and strings. To evaluate the proposed montages, we performed experiments to filter candidates of some similar programs to instant messenger programs. From the experiments, we confirmed that the proposed montages can be used as a forensic tool that filters a group of similar programs even when their functions are not known in advance.