Title/Summary/Keyword: Forensics


Development of a Forensic Analyzing Tool based on Cluster Information of HFS+ filesystem

  • Cho, Gyu-Sang
    • International Journal of Internet, Broadcasting and Communication / v.13 no.3 / pp.178-192 / 2021
  • File system forensics typically focuses on the contents or timestamps of a file, and analysis is commonly file- or directory-centred. But to recover a deleted file on the disk, or to use a carving technique to find and connect partial missing content, the evidence must be analyzed using cluster-centred analysis. Forensics tools such as EnCase, TSK, and X-Ways provide a basic ability to get information about disk clusters, but these are not the core functions of the tools. Alternatively, Sysinternals' DiskView tool provides a more intuitive visualization function, which makes it easier to obtain information about disk clusters. In addition, most current tools are for Windows. There are very few forensic analysis tools for macOS, and cluster analysis tools are rarer still. In this paper, we developed a tool named FACT (Forensic Analyzer based Cluster Information Tool) for analyzing the state of clusters in an HFS+ file system for digital forensics. FACT consists of three features: cluster-based analysis, B-tree-based analysis, and directory-based analysis. Cluster-based analysis is the main feature and was developed specifically for cluster analysis; the tool's cluster visualization feature plays a central role. The FACT tool was programmed in two languages, C/C++ and Python: the core part that analyzes the HFS+ filesystem was programmed in C/C++, and the visualization part is implemented using the Python Tkinter library. The features in this study will evolve into key forensics tools for use on macOS, and by providing additional GUI capabilities they can be very important for cluster-centric forensic analysis.

Research Trends of SCADA Digital Forensics and Future Research Proposal (SCADA 디지털포렌식 동향과 향후 연구 제안)

  • Shin, Jiho; Seo, Jungtaek
    • Journal of the Korea Institute of Information Security & Cryptology / v.29 no.6 / pp.1351-1364 / 2019
  • When SCADA is exposed to cyber threats and attacks, serious disasters can occur throughout society. This is because various security threats were not considered when SCADA was built. The bigger problem is that it is difficult to patch vulnerabilities quickly because of the availability requirements. Digital forensics procedures and techniques need to be used to analyze and investigate vulnerabilities in SCADA systems in order to respond quickly to cyber threats and to prevent incidents. This paper addresses a SCADA forensics taxonomy and research trends for effective digital forensics investigation of SCADA systems. As a result, we have not been able to find any research on procedures and methodologies that goes far beyond traditional digital forensics. But it is meaningful to develop an approach methodology using the characteristics of the SCADA system, or an exclusive tool for SCADA. Analysis techniques mainly focused on PLCs and SCADA network protocols, because the cyber threats and attacks targeting SCADA are mostly related to PLCs or network protocols. Such research seems likely to continue in the future. Unfortunately, there is a lack of discussion in past research about 'evidence capability', such as the preservation or integrity of evidence extracted from SCADA systems.

Forensics Aided Steganalysis of Heterogeneous Bitmap Images with Different Compression History

  • Hou, Xiaodan; Zhang, Tao; Xiong, Gang; Wan, Baoji
    • KSII Transactions on Internet and Information Systems (TIIS) / v.6 no.8 / pp.1926-1945 / 2012
  • In this paper, two practical forensics aided steganalyzers (FA-steganalyzers) for heterogeneous bitmap images are constructed, which can properly handle steganalysis problems for mixed image sources consisting of raw uncompressed images and JPEG decompressed images with different quality factors. The first FA-steganalyzer consists of a JPEG decompressed image identifier followed by two corresponding steganalyzers, one of which is used to deal with uncompressed images and the other for mixed JPEG decompressed images with different quality factors. In the second FA-steganalyzer scheme, we further estimate the quality factors of JPEG decompressed images, and then steganalyzers trained on the corresponding quality factors are used. Extensive experimental results show that the two proposed FA-steganalyzers outperform the existing steganalyzer trained on a mixed dataset. Additionally, in our proposed FA-steganalyzer scheme, we can select the steganalysis methods specially designed for raw uncompressed images and for JPEG decompressed images respectively, which achieves much more reliable detection accuracy than adopting the same steganalysis method regardless of the type of cover source.

A Framework for Data Recovery and Analysis from Digital Forensics Point of View (디지털 포렌식 관점의 데이터 복구 및 분석 프레임워크)

  • Kim, Jin-Kook; Park, Jung-Heum; Lee, Sang-Jin
    • The KIPS Transactions: Part C / v.17C no.5 / pp.391-398 / 2010
  • Most digital forensics tools focus on file analysis of the allocated area of storage, so there is a lack of recovery methods for files deleted by suspects or previously used files. To analyze deleted files efficiently, digital forensic tools depend on data recovery tools. This process is not appropriate for quick and efficient incident response or for integrity preservation. This paper suggests a framework for data recovery and analysis tools from the digital forensics point of view and presents implementation results.

Research on Advanced Electronic Records Management Technology Using Digital Forensics (디지털 포렌식 기법을 적용한 전자기록물 관리기술 고도화 연구)

  • Yoo, Hyunguk; Shon, Taeshik
    • Journal of the Korea Institute of Information Security & Cryptology / v.23 no.2 / pp.273-277 / 2013
  • Recently, with the sudden increase in records produced and stored digitally, it has become more important to maintain reliability and authenticity and to ensure legal effect when digital records are collected, preserved and managed. On the basis of domestic procedural law and records-management legislation, this paper considers the judicial admissibility of electronic records managed by the National Archives of Korea and identifies potential problems when these are submitted to court as evidence. This paper also suggests a plan for applying digital forensics techniques to electronic records management in order to ensure the admissibility of electronic records stored in the National Archives of Korea.

A Method of Internal Information Acquisition of Smartphones (스마트폰 내부 정보 추출 방법)

  • Lee, Yunho; Lee, Sangjin
    • Journal of the Korea Institute of Information Security & Cryptology / v.23 no.6 / pp.1057-1067 / 2013
  • The market share of smartphones has been increasing in the recent mobile market, and smart devices and applications based on a variety of operating systems have been released. Given this reality, the importance of smart device analysis is coming to the fore, and the most important thing is to minimize data corruption when extracting data from the device in order to analyze user behavior. In this paper, we compare and analyze the area-specific changes to the file system of the collected image after obtaining root privileges on Android OS and iOS based devices, and then propose the most efficient method of obtaining root privileges.

Experimental validation of a nuclear forensics methodology for source reactor-type discrimination of chemically separated plutonium

  • Osborn, Jeremy M.; Glennon, Kevin J.; Kitcher, Evans D.; Burns, Jonathan D.; Folden, Charles M. III; Chirayath, Sunil S.
    • Nuclear Engineering and Technology / v.51 no.2 / pp.384-393 / 2019
  • An experimental validation of a nuclear forensics methodology for the source reactor-type discrimination of separated weapons-useable plutonium is presented. The methodology uses measured values of intra-element isotope ratios of plutonium and fission product contaminants. MCNP radiation transport codes were used for various reactor core modeling and fuel burnup simulations. A reactor-dependent library of intra-element isotope ratio values as a function of burnup and time since irradiation was created from the simulation results. The experimental validation of the methodology was achieved by performing two low-burnup experimental irradiations, resulting in distinct fuel samples containing sub-milligram quantities of weapons-useable plutonium. The irradiated samples were subjected to gamma and mass spectrometry to measure several intra-element isotope ratios. For each reactor in the library, a maximum likelihood calculation was used to compare the measured and simulated intra-element isotope ratio values, producing a likelihood value proportional to the probability of observing the measured ratio values given a particular reactor in the library. The measured intra-element isotope ratio values of both irradiated samples and their comparison with the simulation predictions using maximum likelihood analyses are presented. The analyses validate the nuclear forensics methodology developed.

Ensuring the Admissibility of Mobile Forensic Evidence in Digital Investigation (모바일 포렌식 증거능력 확보 방안 연구)

  • Eo, Soowoong; Jo, Wooyeon; Lee, Seokjun; Shon, Taeshik
    • Journal of the Korea Institute of Information Security & Cryptology / v.26 no.1 / pp.135-152 / 2016
  • Because of the evolution of mobile devices such as smartphones, the necessity of mobile forensics is increasing. In spite of this necessity, mobile forensics does not fully reflect the characteristics of the mobile device. For this reason, this paper analyzes the legal, institutional, and technical considerations for identifying the problems facing mobile forensics. Through this analysis, this study discusses the limits of screening seizure on mobile devices. It also analyzes and verifies mobile forensic data acquisition methods and tools for ensuring the admissibility of mobile forensic evidence in digital investigation.

Forensic Evidence of Search and Seized Android and Windows Mobile Smart Phone (압수 수색된 안드로이드와 윈도우모바일 스마트폰의 포렌식 증거 자료)

  • Yoon, Kyung-Bae; Chun, Woo-Sung; Park, Dea-Woo
    • Journal of the Korea Institute of Information and Communication Engineering / v.17 no.2 / pp.323-331 / 2013
  • There are three ways to extract forensic evidence from a mobile phone: SYN, JTAG, and Revolving. However, a different way of extracting forensic evidence is needed because of the differences in usage and technology between mobile phones and smart phones. Therefore, in this paper, I propose an extraction method for forensic evidence obtained by search and seizure of a smart phone. This study aims to analyze the specifications and O.S., backups, and evidence of the commonly used Google Android and Windows Mobile smart phones for search and seizure. This study also aims to extract forensic evidence such as the phone book, SMS, photos, and video of Google Android and Windows Mobile smart phones to produce legal evidence and a forensics report. It is expected that this study on smart phone forensics technology will contribute to developing mobile forensics technology.

Digital forensic framework for illegal footage -Focused On Android Smartphone- (불법 촬영물에 대한 디지털 포렌식 프레임워크 -안드로이드 스마트폰 중심으로-)

  • Kim, Jongman; Lee, Sangjin
    • Journal of Digital Forensics / v.12 no.3 / pp.39-54 / 2018
  • Recently, discussions on the eradication of illegal filming have been carried out across society. The government has established comprehensive measures to eradicate cyber sexual violence crimes such as illegal filming. Although social interest in illegal filming has increased, illegal filming cases are evolving further with the development of information and communication technology. Applications that can hide such videos are constantly circulating on the market and on community sites. As a result, field investigators and professional analysts are experiencing difficulties in collecting and analyzing evidence. In this paper, we propose an evidence collection and analysis framework for illegal filming cases in order to give practical help to illegal filming investigations. We also propose a system that can detect hidden applications, which are one of the main obstacles in evidence collection and analysis. We developed a detection tool to evaluate the effectiveness of the proposed system and confirmed the feasibility and scalability of the system through experiments using commercially available concealment apps.