• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.16 no.9
• /
• pp.3068-3086
• /
• 2022

Digital Forensics is gaining popularity in adjudication of criminal cases as use of electronic gadgets in committing crime has risen. Traditional approach to collecting digital evidence falls short when the disk is encrypted. Encryption keys are often stored in RAM when computer is running. An approach to acquire forensic data from RAM when the computer is shut down is proposed. The approach requires that the investigator immediately cools the RAM and transplant it into a host computer provisioned with a tool developed based on cold boot concept to acquire the RAM image. Observation of data obtained from the acquired image compared to the data loaded into memory shows the RAM chips exhibit some level of remanence which allows their content to persist after shutdown which is contrary to accepted knowledge that RAM loses its content immediately there is power cut. Results from experimental setups conducted with three different RAM chips labeled System A, B and C showed at a reduced temperature of -25C, the content suffered decay of 2.125% in 240 seconds, 0.975% in 120 seconds and 1.225% in 300 seconds respectively. Whereas at operating temperature of 25℃, there was decay of 82.33% in 60 seconds, 80.31% in 60 seconds and 95.27% in 120 seconds respectively. The content of RAM suffered significant decay within two minutes without power supply at operating temperature while at a reduced temperature less than 5% decay was observed. The findings show data can be recovered for forensic evidence even if the culprit shuts down the computer.

• Journal of KIISE:Databases
• /
• v.37 no.6
• /
• pp.292-299
• /
• 2010

Recently, as flash memory is used as digital storage devices, necessity for digital forensics is growing in a flash memory area for digital evidence analysis. For this purpose, it is important to recover crashed files stored on flash memory efficiently. However, it is inefficient to apply the hard disk based file recovery techniques to flash memory, since hard disk and flash memory have different characteristics, especially flash memory being unable to in-place update. In this paper, we propose a flash-aware file recovery technique for digital forensics. First, we propose an efficient search technique to find all crashed files. This uses meta-data maintained by FTL(Flash Translation Layer) which is responsible for write operation in flash memory. Second, we advise an efficient recovery technique to recover a crashed file which uses data location information of the mapping table in FTL. Through diverse experiments, we show that our file recovery technique outperforms the hard disk based technique.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.4
• /
• pp.89-100
• /
• 2011

Physical memory analysis has been an issue on a field of live forensic analysis in digital forensics until now. It is very useful to make the result of analysis more reliable, because record of user behavior and data can be founded on physical memory although process is hided. But most memory analysis focuses on windows based system. Because the diversity of target system to be analyzed rises up, it is very important to analyze physical memory based on other OS, not Windows. Mac OS X, has second market share in Operating System, is operated by loading kernel image to physical memory area. In this paper, We propose a methodology for physical memory analysis on Mac OS X using symbol information in kernel image, and acquire a process information, mounted device information, kernel information, kernel extensions(eg. KEXT) and system call entry for detecting system call hooking. In additional to the methodology, we prove that physical memory analysis is very useful though experimental study.

• Proceedings of the IEEK Conference
• /
• 2008.06a
• /
• pp.333-334
• /
• 2008

With the role of cell phones in today's society as a digital personal assistant as well as the primary tool for personal communication, it is possible to imagine the involvement of cell phones in almost any type of crime. The progression of a criminal investigation can hinge on vital clues obtained from a cell phone. This paper will be concentrated on CDMA system phones and focus on the data extraction for cell phone forensics. Especially, the data acquisition method of JTAG interface access to memory chip will be covered.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.4
• /
• pp.827-839
• /
• 2012

A cell phone is very close to the user and therefore should be considered in digital forensic investigation. Recently, the proportion of smartphone owners is increasing dramatically. Unlike the feature phone, users can utilize various mobile application in smartphone because it has high-performance operating system (e.g., Android, iOS). As acquisition and analysis of user data in smartphone are more important in digital forensic purposes, smartphone forensics has been studied actively. There are two way to do smartphone forensics. The first way is to extract user's data using the backup and debugging function of smartphones. The second way is to get root permission, and acquire the image of flash memory. And then, it is possible to reconstruct the filesystem, such as YAFFS, EXT, RFS, HFS+ and analyze it. However, this methods are not suitable to recovery and analyze deleted data from smartphones. This paper introduces analysis techniques for fragmented flash memory pages in smartphones. Especially, this paper demonstrates analysis techniques on the image that reconstruction of filesystem is impossible because the spare area of flash memory pages does not exist and the pages in unallocated area of filesystem.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.5
• /
• pp.861-870
• /
• 2014

According to the intelligence of the malicious code to extract the executable file in physical memory is emerging as an import researh issue. In previous physical memory studies on executable file extraction which is targeting running files, they are not extracted as same as original file saved in disc. Therefore, we need a method that can extract files as same as original one saved in disc and also can analyze file-information loaded in physical memory. In this paper, we provide a method that executable file extraction by analyzing information of Windows kernel file object. Also we analyze the characteristic of physical memory loaded file data from the experiment and we demonstrate superiority because the suggested method can effectively extract more of original file data than the existing method.

• Journal of the Korea Society of Computer and Information
• /
• v.17 no.11
• /
• pp.101-105
• /
• 2012

Various social problems through violating personal information and privacy are growing with the rapid spread of smartphones. For this reason, variety of researches and technology developments to protect personal information being made. The smartphone, contains almost all of the personal information, can cause data spill at any time. Collecting or analyzing evidence is not an easy job with forensic analyzing tool. Android forensics research has been focused on techniques to collect and analyze data from non-volatile memory but research for volatile data is very slight. Android log is the non-volatile data that can be collected by volatile storage. It is enough to use as a material to track the usage of the Android phone because all of the recent driven records from system to application are stored. In this paper, we propose a method to respond to determining the existence of personal information leakage by filtering logs without forensic analysis tools.

• The Journal of Korean Institute of Next Generation Computing
• /
• v.13 no.3
• /
• pp.26-33
• /
• 2017

Recently container technologies have been receiving attention for efficient use of the cloud platform. Container virtualization technology has the advantage of a highly portable, high density when compared with the existing hypervisor. Container virtualization technology, however, uses a virtualization technology at the operating system level, which is shared by a single kernel to run multiple instances. For this reason, the feature of container is that the attacker can obtain the root privilege of the host operating system internal the container. Due to the characteristics of the container, the attacker can attack the root privilege of the host operating system in the container utilizing the vulnerability of the kernel. In this paper, we propose a framework for efficiently detecting and responding to root privilege attacks of a host operating system in a container. This framework uses a memory trap technique to detect changes in a specific memory area of a container and to suspend the operation of the container when it is detected.

• Korean Journal of Culture and Social Issue
• /
• v.18 no.2
• /
• pp.215-234
• /
• 2012

The purpose of this study was to explore linkages between stress and a range of individual difference factors on children's memory for a potentially stressful event. Children (N=63) aged from 4 to 10 years, who undergone a minor dental operative procedure were evaluated. Overall, the results of this study replicated and extended previous findings of the related literature, providing some further evidence for a negative relation between stress and children's recall. More considerable variation in individual difference variables, in particular, children 's stress coping strategies, quality of previous experiences, amount of the advanced parental preparation were existed among the children, influencing the relation between the level of stress and children's remembering of a stressful event. Future inquiries for understanding theoretical, clinical, and forensic issues in children's remembering of a stressful event were discussed.

• Proceedings of the Korean Information Science Society Conference
• /
• 2012.06c
• /
• pp.75-77
• /
• 2012

플래시 메모리가 각종 IT 기기의 저장장치로 많이 사용되면서 범죄 관련 증거나 단서가 기기 내에 저장되는 경우가 증가하고 있다. 이러한 경우에 기기 내에 저장된 데이터를 완전히 삭제하기 위하여 안티 포렌식 기술인 와이핑 기법을 사용하는데 이에 대응하기 위해서는 플래시 메모리에 저장된 디지털 증거를 분석하기 위한 디지털 포렌식 기술이 필요하다. 플래시 메모리에 저장되어 있는 데이터를 복구하는 기법이 연구되었으나 특정한 상황을 가정한 특정 파일의 복원에 초점을 두고 있다. 하지만 디지털 포렌식 수사에서 범죄 증거뿐만 아니라 범죄 행위에 관련한 증거도 확보할 필요성이 있지만 이와 같은 연구가 미흡하다. 본 논문은 플래시 메모리에서 안티 포렌식 기술인 파일 와이핑으로 삭제된 파일에 대한 와이핑 증거 확보 기법을 제안한다. 제안 내용은 장치 내의 원본파일과 와이핑 파일로 추정되는 블록들을 검색한 후 갱신시각, 파일에 대한 정보를 통해 서로 비교하여 검증한다.