• Title/Summary/Keyword: Memory Forensic

A Study of External Storage Device File Outflow (외장형 저장장치의 파일유출에 관한 연구)

  • Song, Yu-Jin; Lee, Jae-Yong
    • Journal of Korea Society of Industrial Information Systems, v.16 no.2, pp.59-64, 2011
  • Many computer users use external storage devices, but file leakage incidents are increasing at the same time. Files are leaked in one of two ways: either the file is opened on the computer and then copied to the external device, or it is copied after checking only the file name. In the first case, traces can be identified from the execution information of the application program that opened the file; in the second case, where the file is moved to the external device without being opened, no evidence of any application program being run remains, which makes forensic investigation very difficult. In this paper we propose a method to assist forensic investigation: the volume and time information of the external storage device is obtained from its device-recognition and connection information, and files moved to the external device without being opened are identified by comparing that volume information with the results of link file analysis and by extracting the creation and access times of the link file.

Extract of evidence on the IoT Device (IoT 단말기에서 증거추출 포렌식 연구)

  • Song, Jin-young; Park, Dea-woo
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference, 2017.10a, pp.343-345, 2017
  • With the development of IoT technology, terminals connected through IoT are widely used. However, security incidents are occurring as IoT is applied across society as a whole, and IoT security incidents can lead to personal risk and social disruption. In this study, we extract evidence of security breaches from IoT devices. We analyze the IoT security breach environment and apply a hash function to secure the integrity of the original data. Forensic evidence is then extracted from the IoT device, the integrity of the original is verified, and a forensic report is written so that the evidence can be used in legal proceedings.

Frame Rearrangement Method by Time Information Remarked on Recovered Image (복원된 영상에 표기된 시간 정보에 의한 프레임 재정렬 기법)

  • Kim, Yong Jin; Lee, Jung Hwan; Byun, Jun Seok; Park, Nam In
    • Journal of Korea Multimedia Society, v.24 no.12, pp.1641-1652, 2021
  • In crime scene analysis, digital evidence such as CCTV and dashcam (black box) video plays a very important role. Such digital evidence is often damaged by device defects or intentional deletion. In that case, the deleted video can be restored by well-known techniques such as the frame-based recovery method. In particular, data such as video is generally fragmented when stored on nearly full storage media. If fragmented video is recovered in units of images, the sequence of the recovered images may not be continuous. In this paper, we propose a new video restoration method that reorders the recovered images. First, the images are recovered through a frame-based recovery technique. Then, the time information marked on the images is analyzed, extracted, and recognized via optical character recognition (OCR). Finally, the recovered images are rearranged based on the time information obtained by OCR. For performance evaluation, we measure the recovery rate of the proposed video restoration method. The results show that the recovery rate for fragmented video ranged from a minimum of about 47% to a maximum of 98%.

High Speed Kernel Data Collection method for Analysis of Memory Workload (메모리 워크로드 분석을 위한 고속 커널 데이터 수집 기법)

  • Yoon, Jun Young; Jung, Seung Wan; Park, Jong Woo; Kim, Jung-Joon; Seo, Dae-Wha
    • KIPS Transactions on Computer and Communication Systems, v.2 no.11, pp.461-470, 2013
  • This paper proposes a high-speed kernel data collection method for analyzing memory workloads, based on direct access to a process's memory management structures. Conventional analysis tools collect data slowly and lack scalability because they collect only standardized memory information. The proposed method collects kernel data much faster than conventional methods by directly reading the process's memory information, page tables, and page structures from the memory management structures, and it can collect whatever data the user wants. We collect the memory management data of a running process and analyze its memory workload.

A Study on Data Acquisition and Analysis Methods for Mac Memory Forensics (macOS 메모리 포렌식을 위한 데이터 수집 및 분석 방법에 대한 연구)

  • Jung Woo Lee; Dohyun Kim
    • Journal of the Korea Institute of Information Security & Cryptology, v.34 no.2, pp.179-192, 2024
  • macOS presents challenges for memory data acquisition because of its proprietary system architecture, closed-source kernel, and security features such as System Integrity Protection (SIP), which are exclusive to Apple's product line. Consequently, conventional memory acquisition tools are often ineffective or require a system reboot. This paper analyzes the status and limitations of existing memory forensics research and tools for macOS. We investigate methods for memory acquisition and analysis across various macOS versions. Our findings include a practical memory acquisition and analysis process for digital forensic investigations that uses OSXPmem and dd for memory acquisition without rebooting the system, and Volatility 2 and 3 for memory data analysis.

Study on MalangMalang Talkafe Database Encryption Process and Recovering Its Deleted Messages on Windows (윈도우에서의 말랑말랑 톡카페 데이터베이스 암호화 프로세스 분석 및 삭제된 메시지 복구 연구)

  • Youn, Byungchul; Kim, Soram; Kim, Jongsung
    • Journal of the Korea Institute of Information Security & Cryptology, v.30 no.3, pp.397-403, 2020
  • Because of the convenience of real-time conversation, multimedia file sharing, and contact sharing, most people use instant messengers, and their usage time is increasing. Since messengers contain a large amount of user behavior data, they can be very useful evidence for identifying user behavior in a digital forensic investigation. However, some useful data can be difficult to acquire or recognize because it is encrypted or deleted. Thus, in order to use messenger data as evidence, studying the message decryption process and message recovery is essential. In this paper, we analyze the database encryption process of the instant messenger MalangMalang Talkafe and propose a method to decrypt it. In addition, we propose methods to identify deleted messages and recover them from volatile memory.

Research on Efficient Live Evidence Analysis System Based on User Activity Using Android Logging System (안드로이드 로그 시스템을 이용한 효율적인 사용자 행위기반 라이브 증거수집 및 분석 시스템 연구)

  • Hong, Il-Young; Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology, v.22 no.1, pp.67-80, 2012
  • As the number of smartphone users grows rapidly, Android is also receiving more attention in digital forensics. However, there has so far been little research on digital data acquisition and analysis based on the unique characteristics of the Android platform. The Android system stores all recent system-wide logs, from system components to applications, in volatile memory, and these logs can therefore serve as important evidence. In this paper, we propose a digital data acquisition and analysis system for Android that extracts meaningful information from a running device based on the correlation between Android logs and user activities. We also present an efficient search scheme to facilitate real-time analysis on site. Finally, we demonstrate how the proposed system can be used to reconstruct the sequence of user activities in a more intuitive manner, and show that the proposed search scheme reduces overall search and analysis time by approximately 10 times compared with the normal regular search method.

Effects of Self-Administered Interview on Correct Recall and Memory Protection in the Situation of Delay and Misinformation (시간 지연과 오정보 제시 상황에서 초기 자기기입식 면담(SAI)이 정확 회상과 기억 보호에 미치는 영향)

  • Ham, Keunsoo; Kim, Yeaseul; Kim, Kipyung; Jeong, Hojin
    • Korean Journal of Forensic Psychology, v.11 no.1, pp.1-20, 2020
  • Witnesses are exposed to a variety of misinformation after witnessing an event and give their statements to investigators only after a delay. This study was conducted to promote correct recall reporting that is not affected by factors that work against correct recall. The Self-Administered Interview (SAI) is known to obtain eyewitness accounts quickly and accurately. We therefore had participants complete an SAI to see whether they reported more information than a control group that did not complete the SAI, and also examined whether correct information was maintained without being affected by misinformation and delay. Eighty-eight participants were asked to complete the SAI or play a game after watching a video of a mock crime. Misinformation was presented in the first or second session to see whether it affected recall. An analysis of responses to the final test, conducted in the second session, showed that the groups that completed the SAI reported more correct information after a four-week delay than the control groups, while there was no difference in incorrect and confabulated information. In particular, the timing of the misinformation did not affect the amount recalled. This suggests that conducting the SAI immediately after witnessing the event protects correct information even after four weeks. Finally, the significance and limitations of this study and directions for subsequent studies are discussed.

A Study on Vulnerability Analysis and Memory Forensics of ESP32

  • Jiyeon Baek; Jiwon Jang; Seongmin Kim
    • Journal of Internet Computing and Services, v.25 no.3, pp.1-8, 2024
  • As the Internet of Things (IoT) has gained significant prominence in daily life, most IoT devices rely on over-the-air (OTA) technology to update firmware or software automatically over the network, relieving users of the burden of manual updates. Preserving the security of the OTA interface is therefore one of the main requirements for defending against potential threats. This paper presents a simulation of an attack scenario against the commoditized ESP32 system-on-a-chip, as used in drones, during its OTA update process. We demonstrate three types of attacks, WiFi cracking, ARP spoofing, and TCP SYN flooding, that delay the OTA update procedure on an ESP32 drone. As this scenario shows, unpatched IoT devices can be vulnerable to a variety of potential threats. Additionally, we examine the chip from a forensics perspective to obtain traces of the attacks, and acquire memory forensic artifacts that indicate the SYN flooding attack.

Shooting sound analysis using convolutional neural networks and long short-term memory (합성곱 신경망과 장단기 메모리를 이용한 사격음 분석 기법)

  • Kang, Se Hyeok; Cho, Ji Woong
    • The Journal of the Acoustical Society of Korea, v.41 no.3, pp.312-318, 2022
  • This paper proposes a model that classifies the type of gun and the sound source location using a deep neural network. The proposed classification model is composed of convolutional neural networks (CNN) and long short-term memory (LSTM). To train and test the model, we use the Gunshot Audio Forensic Dataset, generated by a project supported by the National Institute of Justice (NIJ). The acoustic signals are transformed into Mel-spectrograms and provided as training and test data for the proposed model. The model is compared with a control model consisting of convolutional neural networks only. The proposed model achieves an accuracy of more than 90 %.