• KIPS Transactions on Computer and Communication Systems
• /
• v.5 no.12
• /
• pp.463-470
• /
• 2016

With the growing demand for MAC-based system, the need for digital forensic techniques of these system has been increasing. In the digital forensic analysis process, sometimes analysts have recovered the deleted files when they prove the allegations if system user try to remove the evidence deliberately. Research and analysis that recover the deleted files from a file system constantly been made and HFS+ that is a file system of MAC-based system also has been researched. Carving techniques primarily has been used to recover the deleted file from HFS+ a file system because metadata of folder or file overwrite metadata of a deleted file when file is deleted from a file system on HFS+ characteristic. But if the file content is saved by separated state in a file system, Carving techniques also can't recover the whole or a part of the deleted file. In this paper we describe technique the deleted file recovery technique using HFS+ file system a journal. This technique that is suggested by existing research and analysis result is the technique that recover the deleted file by metadata that is maintained in a journal on HFS+ file system. but this technique excludes specific files and this problem needs to be reformed. In this paper we suggest algorithm that analysis a journal of HFS+ file system in detail. And we demonstrate that the deleted file cat be recovered from the extracted metadata by this algorithm without the excluded file.

• International Journal of Internet, Broadcasting and Communication
• /
• v.11 no.3
• /
• pp.64-70
• /
• 2019

Video files of video devices such as black box and CCTV may be damaged due to repetitive file read / write and physical environment factors. Even though there are available parts of video information, it may happen that playback can't be performed due to damage of some information. To playback the remaining video information normally, it is necessary to recover damaged areas of the files. For this, it is necessary to accurately check the damage range of the files. In this paper, we propose the design and implementation of a tool which detects damaged areas of a video file and recovers the usable area of the file to playback. The proposed tool can analyze and recover without additional information by analyzing common information of video container format and can check detailed damaged ranges with chunks. It is possible to perform recovery just only with the target file and reference file without any other information such as codec specification.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.3
• /
• pp.417-429
• /
• 2013

A lot of OS(Operating Systems) such as Linux and Android selected Ext4 as the official file system. Therefore, a recovery of deleted file from Ext4 is becoming a pending issue. In this paper, we suggest how to recover the deleted file by analyzing the entire structure of Ext4 file system, the study of metadata area, the distinct feature when file is assigned and deleted. Particularly, we focus on studying the features of file which is assigned in Ext4 file system in Android OS and also suggest the method to recover the deleted file that is fragmented from the un-allocated area.

• KIPS Transactions on Computer and Communication Systems
• /
• v.2 no.2
• /
• pp.93-102
• /
• 2013

These days digital data have become essential for digital investigation because most of the crime was occurred by using the digital devices. However, digital data is very easier to falsify or delete. If digital data was deleted, it is necessary to recover the deleted data for obtain digital evidence. Even though file carving is the most important thing to gather. digital evidence in digital forensic investigation, most of popular carving tools don't contemplate methods of selection or restoration for digital forensic investigation. The goal of this research is suggested files which can obtain useful information for digital forensic investigation and proposed new record file carving technique to be able to recover data effectively than before it.

• International Journal of Internet, Broadcasting and Communication
• /
• v.13 no.3
• /
• pp.118-123
• /
• 2021

Recently, digital crime is becoming more intelligent, and efficient digital forensic techniques are required to collect evidence for this. In the case of important files related to crime, a specific person may intentionally delete the file. In such a situation, data recovery is a very important procedure that can prove criminal charges. Although there are various methods to recover deleted files, we focuses on the recovery technique using HxD editor. When recovering a deleted file using the HxD editor, check the file structure and access the file data area through calculation. However, there is a possibility that errors such as arithmetic errors may occur when a file approach through calculation is used. Therefore, in this paper, we propose an algorithm that automatically calculates the header and footer of a file after checking the file signature in the root directory for efficient file recovery. If the algorithm proposed in this paper is used, it is expected that the error rate of arithmetic errors in the file recovery process can be reduced.

• KIPS Transactions on Computer and Communication Systems
• /
• v.6 no.1
• /
• pp.25-30
• /
• 2017

The influence of the data deletion method which is one of anti-forensic techniques is substantial in terms of forensic analysis compared to its simplicity of the act. In academic world, recovery techniques on deleted files have been continuously studied in response to the data deletion method and representatively, the file system-based file recovery technique and file format based recovery technique exist. If there's metadata of deleted file in file system, the file can be easily recovered by using it, but if there's no metadata, the file is recovered by using the signature-based carving technique or the file format based recovery technique has to be applied. At this time, in the file format based recovery technique, the file structure analysis and possible recovery technique should be provided. This paper proposes the page recovery technique on deleted PDF file based on the structural characteristics of PDF file. This technique uses the tag value of page object which constitutes one page of PDF file. Object is extracted by utilizing each tag value as a kind of signature and by analyzing extracted object, the metadata of PDF file is recombined and then it's reconfigured page by page. Recovering by page means that even if deleted PDF file is damaged, even some pages consisting of PDF file can be recovered. Generally, if the file system based file is not recoverable, deleted file is recovered by applying the signature based carving technique. The technique which we proposed in this paper can recover PDF files that are damaged. In the digital forensic perspective, it can be utilized to recover more data than previously.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.5
• /
• pp.1107-1115
• /
• 2017

The most commonly used PKZIP format is a ZIP file, as well as a file format used in MS Office files and application files for Android smartphones. PKZIP format files, which are widely used in various areas, require structural analysis from the viewpoint of digital forensics and should be able to recover when files are damaged. However, previous studies have focused only on recovering data or extracting meaningful data using the Deflate compression algorithm used in ZIP files. Although most of the data resides in compressed data in the ZIP file, there is also forensically meaningful data in the rest of the ZIP file, so you need to restore it to a normal ZIP file format. Therefore, this paper presents a technique to recover a damaged ZIP file to a normal ZIP file when given.

• Journal of Information Technology Applications and Management
• /
• v.12 no.1
• /
• pp.125-140
• /
• 2005

Nowadays, we have many embedded systems which store and process multimedia data. For multimedia systems using hard disks as storage media such as DVR, existing file systems are not the right choice to store multimedia data in terms of cost. performance and reliability. In this study we designed a reliable file system with very high performance for embedded multimedia applications. The proposed file system runs with quite simple disk layout to reduce time to initialize and to recover after power failures, uses a large data block to speed up the sequential accesses, incorporates a time-based indexing scheme to improve the time-based random accesses and boosts reliability by backing up the important meta data on a small NVRAM. We implemented the file system on a Linux-based DVR and verified the performance by comparing with existing file systems.

• Journal of information and communication convergence engineering
• /
• v.22 no.2
• /
• pp.121-126
• /
• 2024

In enterprise environments, file owners are often required to share critical files with other users, with encryption-based file delivery systems used to maintain confidentiality. However, important information might be leaked if the cryptokey used for encryption is exposed. To recover confidentiality, the file owner must then re-encrypt and redistribute the file along with its new encryption key, which requires considerable resources. To address this, we propose a key management server that minimizes the distribution of encryption keys when critical files are compromised, with unique encryption keys assigned for each registered user to access critical files. While providing the targeted functions, the server employs a level of system resources comparable to that of legacy digital rights management. Thus, when implemented in an enterprise environment, the proposed server minimizes cryptokey redistribution while maintaining accessibility to critical files in the event of an information breach.

• Journal of KIISE:Databases
• /
• v.37 no.6
• /
• pp.292-299
• /
• 2010

Recently, as flash memory is used as digital storage devices, necessity for digital forensics is growing in a flash memory area for digital evidence analysis. For this purpose, it is important to recover crashed files stored on flash memory efficiently. However, it is inefficient to apply the hard disk based file recovery techniques to flash memory, since hard disk and flash memory have different characteristics, especially flash memory being unable to in-place update. In this paper, we propose a flash-aware file recovery technique for digital forensics. First, we propose an efficient search technique to find all crashed files. This uses meta-data maintained by FTL(Flash Translation Layer) which is responsible for write operation in flash memory. Second, we advise an efficient recovery technique to recover a crashed file which uses data location information of the mapping table in FTL. Through diverse experiments, we show that our file recovery technique outperforms the hard disk based technique.