• Title/Summary/Keyword: file recover

Ransomware Detection and Recovery System Based on Cloud Storage through File System Monitoring (파일 시스템 모니터링을 통한 클라우드 스토리지 기반 랜섬웨어 탐지 및 복구 시스템)

  • Kim, Juhwan;Choi, Min-Jun;Yun, Joobeom
    • Journal of the Korea Institute of Information Security & Cryptology, v.28 no.2, pp.357-367, 2018
  • As information technology of modern society develops, various malicious codes with the purpose of seizing or destroying important system information are developing together. Among them, ransomware is a typical malicious code that prevents access to a user's resources. Although a lot of research on detecting ransomware performing encryption has been conducted in recent years, no additional methods have been proposed to recover damaged files after an attack. Also, because the similarity comparison technique was used without considering the repeated encryption, it is highly likely to be recognized as a normal behavior. Therefore, this paper implements a filter driver to control the file system and performs a similarity comparison method that is verified based on the analysis of the encryption pattern of the ransomware. We propose a system to detect the malicious process of the accessed process and recover the damaged file based on the cloud storage.

Classification of Non-Signature Multimedia Data Fragment File Types With Byte Averaging Gray-Scale (바이트 평균의 Gray-Scale화를 통한 Signature가 존재하지 않는 멀티미디어 데이터 조각 파일 타입 분류 연구)

  • Yoon, Hyun-ho;Kim, Jae-heon;Cho, Hyun-soo;Won, Jong-eun;Kim, Gyeon-woo;Cho, Jae-hyeon
    • Journal of the Korea Institute of Information Security & Cryptology, v.30 no.2, pp.189-196, 2020
  • In general, fragmented files without signatures and file meta-information are difficult to recover. Multimedia files, in particular, are highly fragmented and have high entropy, making it almost impossible to recover them with signature-based carving at present. To solve this problem, research on fragmented files is underway, but research on multimedia files is lacking. This paper is a study that classifies the types of fragmented multimedia files without signature and file meta-information. It extracts the characteristic values of each file type through the frequency differences of specific byte values according to the file type, and presents a method of designing the corresponding Gray-Scale table and classifying the file types of a total of four multimedia types, JPG, PNG, H.264 and WAV, using the CNN (Convolutional Neural Networks) model. It is expected that this paper will promote the study of classification of fragmented file types without signature and file meta-information, thereby increasing the possibility of recovery of various files.

Audio Data Hiding Based on Sample Value Modification Using Modulus Function

  • Al-Hooti, Mohammed Hatem Ali;Djanali, Supeno;Ahmad, Tohari
    • Journal of Information Processing Systems, v.12 no.3, pp.525-537, 2016
  • Data hiding is a wide field that is helpful to secure network communications. It is common that many data hiding researchers consider improving and increasing many aspects such as capacity, stego file quality, or robustness. In this paper, we use an audio file as a cover and propose a reversible steganographic method that modifies the sample values using a modulus function in order to make the remainder of that particular value the same as the secret bit that needs to be embedded. In addition, we use a location map that locates these modified sample values. This is because reversible data hiding needs to exactly recover both the secret message and the original audio file from the stego file. The experimental results show that this method (measured by correlation algorithm) is able to retrieve exactly the same secret message and audio file. Moreover, it has made a significant improvement in capacity, since each sample value carries a secret bit, and in quality, measured by peak signal-to-noise ratio (PSNR), signal-to-noise ratio (SNR), Pearson correlation coefficient (PCC), and Similarity Index Modulation (SIM). All of them have proven that the quality of the stego audio is relatively high.

A Study of Verification Methods for File Carving Tools by Scenario-Based Image Creation (시나리오 기반 이미지 개발을 통한 파일 카빙 도구 검증 방안 연구)

  • Kim, Haeni;Kim, Jaeuk;Kwon, Taekyoung
    • Journal of the Korea Institute of Information Security & Cryptology, v.29 no.4, pp.835-845, 2019
  • File carving is a technique for attempting to recover a file without metadata, such as from formatted storage media or a damaged file system, and generally looks for a specific header/footer signature and data structure of the file. However, file carving has long faced the problem of recovering fragmented files, and it is very important to propose a solution for digital forensics because important files are relatively fragmented. To overcome these limitations, various carving techniques and tools are continuously being developed, and data sets from various research projects and institutions are provided for functional verification. However, existing data sets are ineffective in verifying tools because of their limited environmental conditions. Therefore, this paper refers to the importance of fragmented file carving and develops 16 images for carving tool verification based on scenarios. The carving rate and accuracy for each medium in the developed images are shown through Foremost, which is well known as a commercial carving tool.

Detecting Methods of the Database Block Size for Digital Forensics (디지털 포렌식을 위한 데이터베이스 블록 크기의 탐지 기법)

  • Kim, Sunkyung;Park, Ji Su;Shon, Jin Gon
    • KIPS Transactions on Software and Data Engineering, v.9 no.4, pp.123-128, 2020
  • As the use of digital devices is becoming more commonplace, digital forensics techniques recover data to collect physical evidence during the investigation. Among them, the file forensics technique recovers deleted files, therefore, it can recover the database by recovering all files which compose the database itself. However, if the record is deleted from the database, the modified record contents will not be restored even if the file is recovered. For this reason, the database forensics technique is required to recover deleted records. Database forensics obtains metadata from database configuration files and recovers deleted records from data files. However, record recovery is difficult if database metadata such as block size cannot be obtained from the database. In this paper, we propose three methods for obtaining block size, which is database metadata. The first method uses the maximum size of free space in the block, and the second method uses the location where the block appears. The third method improves the second method to find the block size faster. The experimental results show that three methods can correctly find the block size of three DBMSes.

BU-Chord Mechanism for Reliable P2P File Sharing over MANET (모바일 에드 혹 네트워크 상의 신뢰성 있는 P2P 파일 공유를 위한 BU-Chord 메커니즘)

  • Jeong Hong-Jong;Song Jeom-Ki;Kim Dong-Kyun
    • The Journal of Korean Institute of Communications and Information Sciences, v.31 no.4B, pp.333-343, 2006
  • MANET and P2P applications have a common nature in that they don't have any fixed infrastructure that might maintain network topologies. With such common characteristics, a P2P application can be a killer application over MANET. Due to the absence of a reliable node that serves indexing services in MANET, fully distributed P2P applications are more suitable for MANET. By using a DHT like Chord, we can save network bandwidth and avoid a point of failure of a directory server. However, since MANET allows nodes to depart from the network freely, P2P file sharing applications using the Chord lookup protocol should address how to recover the keys stored at the departed node. In this paper, we propose BU-Chord in order to detect and recover from the departure of nodes by creating and storing backup file information in a distributed manner. Our BU-Chord shows better performance than existing Chord, especially in the case of a high departure rate of nodes.

Online Snapshot Method based on Directory and File Change Tracking for Virtual File System (가상파일시스템에서 디렉토리 및 파일 변경 추적에 기반한 온라인 스냅샷 방법)

  • Kim, Jinsu;Song, Seokil;Shin, Jae Ryong
    • The Journal of the Korea Contents Association, v.19 no.5, pp.417-425, 2019
  • Storage snapshot technology makes it possible to preserve data at a specific point in time, and to recover and access data at a desired point in time. It is an essential technology for storage protection applications. Existing snapshot methods have some problems in that they depend on the storage hardware vendor, file system or virtual block device. In this paper, we propose a new snapshot method for solving these problems and creating snapshots on-line. The proposed snapshot method extracts the log records of update operations at the virtual file system layer so that it can operate independently of file systems, virtual block devices, and storage hardware. In addition, the proposed snapshot method creates and manages snapshots for directories and files without interruption to the storage service. Finally, through experiments we measure the snapshot creation time and the performance degradation caused by the snapshot.

Forensics Analysis through Spool(SPL, SHD) File Recover (프린터 스풀(SPL, SHD) File 복구를 통한 포렌식 분석)

  • Choi Joon-Ho;Lee Sang-Jin;Lim Jong-In
    • Proceedings of the Korea Institutes of Information Security and Cryptology Conference, 2006.06a, pp.408-411, 2006
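  • This paper describes spooling, which is used to eliminate the waiting time between the computer and the printer so that print jobs run smoothly, and presents the structure and analysis methods of the SHD and SPL files, which hold spool job information that is important in forensic investigations, together with the procedure and method for recovering spool files. It also presents a way to obtain, from the SHD and SPL files, the title and content of documents printed by a suspect and the time at which they were printed, and to use this information in computer crime investigations.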


GPU-Accelerated Password Cracking of PDF Files

  • Kim, Keon-Woo;Lee, Sang-Su;Hong, Do-Won;Ryou, Jae-Cheol
    • KSII Transactions on Internet and Information Systems (TIIS), v.5 no.11, pp.2235-2253, 2011
  • A digital document file such as Adobe Acrobat or MS-Office is encrypted by its own ciphering algorithm with a user password. When this password is not known to a user or a forensic inspector, it is necessary to recover the password to open the encrypted file. Password cracking by brute-force search is a perfect approach to discover the password but a time-consuming process. This paper presents a new method of speeding up password recovery on a Graphic Processing Unit (GPU) using the Compute Unified Device Architecture (CUDA). PDF files are chosen as a password cracking target, and the Adobe Acrobat password recovery algorithm is examined. Experimental results show that the proposed method gives high performance at low cost, with a cluster of GPU nodes significantly speeding up the password recovery by exploiting a number of computing nodes. Password cracking performance is increased linearly in proportion to the number of computing nodes and GPUs.

Recovery Corrupted Video Files using Time Information (시간 정보를 활용한 동영상 파일 복원 기법)

  • Na, Gihyun;Shim, Kyu-Sun;Byun, Jun-Seok;Kim, Eun-Soo;Lee, Joong
    • Journal of Korea Multimedia Society, v.18 no.12, pp.1492-1500, 2015
  • In recent crime scenes, there is at least one captured crime scene video, so video files recorded on storage media often provide important evidence. Criminals often attempt to destroy the storage on which crime scene video is saved. For this reason, recovery of a damaged or deleted video file is important for resolving criminal cases from a digital forensics perspective. Recently, there has been a study on recovering video files based on video frames, but its time efficiency is very poor when connecting video frames. This paper proposes an advanced frame-based recovery technique for damaged video files using time information. We suggest a new connecting algorithm that connects video frames using the recorded time information in front of each video frame. We also evaluate performance in terms of time, and the experimental results show that the proposed method improves performance.