• Journal of information and communication convergence engineering
• /
• v.20 no.4
• /
• pp.280-287
• /
• 2022

Recently, the number of mobile ransomware types has increased. Moreover, the number of cases of damage caused by mobile ransomware is increasing. Representative damage cases include encrypting files on the victim's smart device or making them unusable, causing financial losses to the victim. This study classifies ransomware apps by analyzing several representative ransomware apps to identify trends in the malicious behavior of ransomware. We present a technique for recovering from the damage, from a digital forensic perspective, using reverse engineering ransomware apps to analyze vulnerabilities in malicious functions applied with various cryptographic technologies. Our study found that ransomware applications are largely divided into three types: locker, crypto, and hybrid. In addition, we presented a method for recovering the damage caused by each type of ransomware app using an actual case. This study is expected to help minimize the damage caused by ransomware apps and respond to new ransomware apps.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.17 no.3
• /
• pp.938-957
• /
• 2023

The limited computing power of sensor nodes in wireless sensor networks (WSNs) and data tampering during wireless transmission are two important issues. In this paper, we propose a scheme for independent individual authentication of WSNs data based on digital watermarking technology. Digital watermarking suits well for WSNs, owing to its lower computational cost. The proposed scheme uses independent individual to generate a digital watermark and embeds the watermark in current data item. Moreover, a sink node extracts the watermark in single data and compares it with the generated watermark, thereby achieving integrity verification of data. Inherently, individual validation differs from the grouping-level validation, and avoids the lack of grouping robustness. The improved performance of individual integrity verification based on proposed scheme is validated through experimental analysis. Lastly, compared to other state-of-the-art schemes, our proposed scheme significantly reduces the false negative rate by an average of 5%, the false positive rate by an average of 80% of data verification, and increases the correct verification rate by 50% on average.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2021.07a
• /
• pp.215-218
• /
• 2021

심캐시(Shimcache, AppCompatCache) 파일은 Windows 운영체제에서 응용 어플리케이션 간의 운영체제 버전 호환성 이슈를 관리하는 파일이다. 호환성 문제가 발생한 응용 어플리케이션에 대한 정보가 심캐시에 기록되며 프리패치 (Prefetch) 파일이나 레지스트리의 UserAssist 키 등과 같이 응용 어플리케이션의 실행 흔적을 기록한다는 점에서 포렌식적 관점에서 중요한 아티팩트이다. 본 논문에서는 심캐시의 구조를 분석하여 심캐시 파일을 통해 얻을 수 있는 응용 어플리케이션의 정보를 소개하고, 기존 툴 상용도구의 개선을 통해 완전 삭제 등 안티 포렌식 도구의 실행 흔적을 탐지하는 방법을 제시한다.

• KIPS Transactions on Computer and Communication Systems
• /
• v.4 no.9
• /
• pp.307-314
• /
• 2015

Recently, market trends of auxiliary storage device HDD and SSD are interchangeable. In the future, the SSD is expected to be used more popular than HDD as an auxiliary storage device. The TRIM command technique has been proposed and used effectively due to the development of the SSD. The TRIM command techniques can be used to solve the problem of Freezing SSD that operating system cooperates with the SSD. The TRIM command techniques are performed in the idle time of the internal SSD that are actually deleted when a user deletes the data. However, in the point of view of computer forensics, the digital crime is increasing year by year due to lack of data recovery. Thus, this rate of arrest is insufficient. In this paper, I propose a solution that selectively manages data to delete based on advantage of the stability and the write speed of the TRIM command. Through experiments, It is verified by measuring the performance of the traditional method and selected method.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.1
• /
• pp.25-38
• /
• 2017

Many security threats are occurring around the world due to the characteristics of industrial control systems that can cause serious damage in the event of a security incident including major national infrastructure. Therefore, the industrial control system network traffic should be analyzed so that it can identify the attack in advance or perform incident response after the accident. In this paper, we research the visualization technique as network forensics to enable reasonable suspicion of all possible attacks on DNP3 control system protocol, and define normal action based rules and derive visualization requirements. As a result, we developed a visualization tool that can detect sudden network traffic changes such as DDoS and attacks that contain anormal behavior from captured packet files on industrial control system network. The suspicious behavior in the industrial control system network can be found using visualization tool with Digital Bond packet.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.6
• /
• pp.1421-1433
• /
• 2015

For an accurate analysis through the forensic of digital devices and computer, it is a very important validation of the reliability of digital forensic tools. To verify the reliability of the tool, it is necessary to research and development of the data set to be input to the tool. In many-used Windows operating system of the computer, there is a Window forensic artifacts associated with time and system behavior. In this paper, we developed a set of data in the Windows operating system to be able to analyze all of the two Windows artifacts and we conducted a test with published digital forensic tools. Therefore, the developed data set presents the use of the following method. First, artefacts education for growing ability can be analyzed acts standards. Secondly, the purpose of tool tests for verifying the reliability of digital forensics. Lastly, recyclability for new artifact analysis.

• Journal of KIISE:Software and Applications
• /
• v.37 no.8
• /
• pp.599-610
• /
• 2010

Color laser printers are nowadays abused to print or forge official documents and bills. Identifying color laser printers will be a step for media forensics. This paper presents a new method to identify color laser printers with printed color images. Since different printer companies use their own printing process, each of printed papers from different printers has a little different invisible noise. After the wiener-filter is used to analyze the invisible noises from each printer, we extract some features from these noises by calculating a gray level co-occurrence matrix. Then, these features are applied to train and classify the support vector machine for identifying the color laser printer. In the experiment, we use total 2,597 images from 7 color laser printers. The results prove that the presented identification method performs well using the noise features of color printed images.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.2
• /
• pp.407-416
• /
• 2018

Instagram is a Social Network Service(SNS) that has recently become popular among people of all ages and it makes people to construct social relations and share hobbies, daily routines, and useful information. However, since the uploaded information can be accessed by arbitrary users and it is easily shared with others, frauds, stalking, misrepresentation, impersonation, an infringement of copyright and malware distribution are reported. For this reason, it is necessary to analyze Instagram from a view of digital forensics but the research involved is very insufficient. So in this paper, We performed reverse engineering and dynamic analysis of Instagram from a view of digital forensics in the Android environment. As a result, we checked three database files that contain user behavior analysis data such as chat content, chat targets, posted photos, and cookie information. And we found the path to save 4 files and the xml file to save various data. Also we propose ways to use the above results in digital forensics.

• Journal of Advanced Navigation Technology
• /
• v.13 no.5
• /
• pp.639-645
• /
• 2009

It has increased rapidly use of GPS car navigation system in the last few years worldwide. The type of navigation operation is composed of hardware or software. Navigation based on software is stored in exterior storage(e.g. SD card) and executed. One of many navigation software, Mappy, is used most plentifully in Korea. It stores user information such frequently visited place, route and etc. in exterior storage. If it analyzes the dat of navigation, we gain the information such a suspect's movement, route of car. There are important means in a digital forensic perspective because it's available for investigating the crime such kidnapping, murder and etc. This paper provides the necessary information in digital investigation through the analysis of stored data of navigation in a digital forensic perspective.

• Journal of KIISE:Databases
• /
• v.37 no.6
• /
• pp.292-299
• /
• 2010

Recently, as flash memory is used as digital storage devices, necessity for digital forensics is growing in a flash memory area for digital evidence analysis. For this purpose, it is important to recover crashed files stored on flash memory efficiently. However, it is inefficient to apply the hard disk based file recovery techniques to flash memory, since hard disk and flash memory have different characteristics, especially flash memory being unable to in-place update. In this paper, we propose a flash-aware file recovery technique for digital forensics. First, we propose an efficient search technique to find all crashed files. This uses meta-data maintained by FTL(Flash Translation Layer) which is responsible for write operation in flash memory. Second, we advise an efficient recovery technique to recover a crashed file which uses data location information of the mapping table in FTL. Through diverse experiments, we show that our file recovery technique outperforms the hard disk based technique.