• Title/Summary/Keyword: file recover

Development of a Forensic Analyzing Tool based on Cluster Information of HFS+ filesystem

  • Cho, Gyu-Sang
    • International Journal of Internet, Broadcasting and Communication / v.13 no.3 / pp.178-192 / 2021
  • File system forensics typically focuses on the contents or timestamps of a file, and it is common to work in a file- or directory-centered way. But to recover a deleted file on the disk, or to use a carving technique to find and connect partially missing content, the evidence must be analyzed using cluster-centered analysis. Forensics tools such as EnCase, TSK, and X-ways provide a basic ability to get information about disk clusters, but these are not the core functions of the tools. Alternatively, Sysinternals' DiskView tool provides a more intuitive visualization function, which makes it easier to obtain information about disk clusters. In addition, most current tools are for Windows. There are very few forensic analysis tools for MacOS, and furthermore, cluster analysis tools are very rare. In this paper, we developed a tool named FACT (Forensic Analyzer based Cluster Information Tool) for analyzing the state of clusters in an HFS+ file system for digital forensics. FACT consists of three features: cluster-based analysis, B-tree-based analysis, and directory-based analysis. Cluster-based analysis is the main feature, and the tool was developed primarily for cluster analysis. The FACT tool's cluster visualization feature plays a central role. The FACT tool was programmed in two programming languages, C/C++ and Python. The core part for analyzing the HFS+ filesystem was programmed in C/C++, and the visualization part is implemented using the Python Tkinter library. The features in this study will evolve into key forensics tools for use in MacOS, and by providing additional GUI capabilities can be very important for cluster-centric forensics analysis.

A Checkpoint and Recovery Facility for the Fault-Tolerant Process on Linux Environment (리눅스 환경에서 결함 허용 프로세스를 위한 검사점 및 복구 도구)

  • Rim Seong-Rak; Kim Sin-Ho
    • The KIPS Transactions:PartA / v.11A no.5 / pp.313-318 / 2004
  • In this paper, we suggest a checkpoint and recovery facility for a fault-tolerant process that is expected to execute for a long time. The basic concept of the suggested facility is to allow a process that was stopped by a system fault to continue executing, by storing the execution status of the process periodically and recovering the execution status from before the fault occurred. The suggested facility does not require modifying the source code of the fault-tolerant process. It was designed so that the user directly specifies the file name and the checkpoint frequency, and two system calls (save, recover) were added. Finally, it was implemented on the Linux environment (kernel 2.4.18) to check its feasibility.

Design and Implementation of Transactional Write Buffer Cache with Storage Class Memory (트랜잭션 단위 쓰기를 보장하는 스토리지 클래스 메모리 쓰기 버퍼캐시의 설계 및 구현)

  • Kim, Young-Jin; Doh, In-Hwan; Kim, Eun-Sam; Choi, Jong-Moo; Lee, Dong-Hee; Noh, Sam-H.
    • Journal of KIISE:Computing Practices and Letters / v.16 no.2 / pp.247-251 / 2010
  • Using SCM in storage systems introduces new potential for improving I/O performance and reliability. In this paper, we study the use of SCM as a buffer cache that guarantees transactional unit writes. Our proposed method can improve storage system reliability and performance at the same time and can recover the storage system immediately upon a system crash. The proposed method is based on the Linux JBD (Journaling Block Device), so its reliability is equivalent to that of JBD. In our experiments, the file system that adopts our method shows better I/O performance even while guaranteeing high reliability, and shows a fast file system recovery time (about 0.2 seconds).

A Study on the Improvement Method of Deleted Record Recovery in MySQL InnoDB (MySQL InnoDB의 삭제된 레코드 복구 기법 개선방안에 관한 연구)

  • Jung, Sung Kyun; Jang, Jee Won; Jeoung, Doo Won; Lee, Sang Jin
    • KIPS Transactions on Computer and Communication Systems / v.6 no.12 / pp.487-496 / 2017
  • In MySQL InnoDB, there are two ways of storing data. One is to create a separate tablespace for each table and store it separately. The other is to store all table and index information in a single system tablespace. You can use this information to recover deleted data from the record. However, in most current database forensic studies, the former is actively researched and its structure is analyzed, whereas the latter has not been analyzed enough to be used for forensics. Both approaches must be analyzed in terms of database forensics because their storage structures differ from each other. In this paper, we propose a method for recovering deleted records when records are stored in the IBDATA file, which is the single system tablespace. First, we analyze the IBDATA file to reveal its structure. We then introduce a deleted-record recovery algorithm that is extended to the unallocated page area, which was not considered in the past. In addition, by implementing the algorithm as a tool and verifying it with real data, we show that the recovery rate is improved up to 68% compared with the existing method.

Design and Implementation of Crash Recovery Technique with Bounded Execution Time for NAND Flash File System (낸드 플래시 파일 시스템을 위한 결함 복구 시간 제한 기법의 설계 및 구현)

  • Kang, Seung-Yup; Park, Hyun-Chan; Kim, Ki-Man; Yoo, Chuck
    • Journal of KIISE:Computer Systems and Theory / v.37 no.6 / pp.330-338 / 2010
  • Flash storage devices are very popular in portable devices such as cell phones, PDAs and MP3 players. As technology improves, users want much bigger and faster storage systems. Paradoxically, users have to wait longer, in proportion to the capacity of their storage devices, when those devices are being recovered after a file system crash. This is a serious problem because the boot time of devices is dominated by crash recovery of the flash file system. In this paper, we design a crash recovery mechanism, named the 'Working Area (WA hereafter)' technique, which has a bounded crash recovery execution time. With the WA technique, write operations to flash memory are performed only in the WA. Therefore, we can recover from a file system crash by simply scanning the latest WA, because every change to flash memory occurs only in the latest WA. We implement the WA technique based on YAFFS2 and evaluate it by comparing it with traditional techniques. As a result, the WA technique's crash recovery execution time is 25 times faster than the Log-based Method in the worst case when we use 1 gigabyte of NAND flash memory. This gap will widen further as storage capacity grows.

Error Detection and Correction of Prefix Codes using Bidirectionally Decodable bit Streams (양방향 디코딩이 가능한 비트열을 이용한 앞자리 부호의 오차 검출과 정정)

  • Park, Sang-Ho
    • Convergence Security Journal / v.7 no.2 / pp.129-134 / 2007
  • This paper proposes a multiple burst error detection and correction scheme for the transmission of Huffman coded strings. We use bidirectionally decodable codes and introduce the insertion of a forbidden symbol to find errors. Additional bits are added to the original bit streams to correct errors. The total file size is increased, but the scheme can detect errors and recover from errors in real time.

A Stability Verification of Backup System for Disaster Recovery (재해 복구를 위한 백업 시스템의 안정성 검증)

  • Lee, Moon-Goo
    • Journal of the Institute of Electronics and Information Engineers / v.49 no.9 / pp.205-214 / 2012
  • The main concern of IT operation managers is protecting corporate assets from system failure and disaster. Therefore, this research proposes a backup system for disaster recovery. In the previous backup method, when a database update occurs, the record is saved in the redo log, and if the size of the record file exceeds the expected size, the file is saved in the archive log in order. Thus, data loss errors can occur during the backup of data that changes in real time while database changes occur. The suggested backup system backs up the redo log to the transaction log database in real time, and backs up records that could be omitted by the previous backup method to the archive log. When recovering data, it is possible to recover the redo log online in real time, which minimizes data loss. Also, data recovery is performed through multi-threaded processing, which is designed to improve system performance. To verify the stability of the backup system, CPN (Coloured Petri Net) is introduced, each step of the backup system is displayed in diagram form, and the stability is verified based on the definitions and theorems of CPN.

The Method of Recovery for Deleted Record of Realm Database (Realm 데이터베이스의 삭제된 레코드 복구 기법)

  • Kim, Junki; Han, Jaehyeok; Choi, Jong-Hyun; Lee, Sangjin
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.3 / pp.625-633 / 2018
  • Realm is an open source database developed to replace SQLite, which is commonly used in mobile devices. The data stored in the database must be checked during the digital forensic analysis process for mobile devices because it can help to understand the behavior of the user and whether the mobile device is operating or not. In addition, since the user can intentionally use anti-forensic techniques such as deleting data stored in the database, research on how to recover deleted records is needed. In this paper, we propose a method to recover records that have not been overwritten after deletion based on the analysis of the structure and record and deletion process of the Realm database file.

The Research on the Recovery Techniques of Deleted Files in the XFS Filesystem (XFS 파일 시스템 내의 삭제된 파일 복구 기법 연구)

  • Ahn, Jae-Hyoung; Park, Jung-Heum; Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.24 no.5 / pp.885-896 / 2014
  • Files in computer storage can be deleted due to unexpected failures or accidents. Some malicious users often delete data themselves for anti-forensics. If deleted files are associated with crimes or important business documents, they should be recovered, and a recovery tool is necessary. Recovery methods and tools for some filesystems such as NTFS, FAT, and EXT have been developed actively. However, there has not been any research on recovering deleted files in the XFS filesystem, which is applied to NAS or CCTV. In addition, since the current related tools are based on traditional signature detection methods, they have low recovery rates. Therefore, this paper suggests recovery methods for deleted files based on metadata and signature detection in the XFS filesystem, and verifies the results by conducting experiments in a real environment.

A Fast and Secure Scheme for Data Outsourcing in the Cloud

  • Liu, Yanjun; Wu, Hsiao-Ling; Chang, Chin-Chen
    • KSII Transactions on Internet and Information Systems (TIIS) / v.8 no.8 / pp.2708-2721 / 2014
  • Data outsourcing in the cloud (DOC) is a promising solution for data management at the present time, but it could result in the disclosure of outsourced data to unauthorized users. Therefore, protecting the confidentiality of such data has become a very challenging issue. The conventional way to achieve data confidentiality is to encrypt the data via asymmetric or symmetric encryptions before outsourcing. However, this is computationally inefficient because encryption/decryption operations are time-consuming. In recent years, a few DOC schemes based on secret sharing have emerged due to their low computational complexity. However, Dautrich and Ravishankar pointed out that most of them are insecure against certain kinds of collusion attacks. In this paper, we proposed a novel DOC scheme based on Shamir's secret sharing to overcome the security issues of these schemes. Our scheme can allow an authorized data user to recover all data files in a specified subset at once rather than one file at a time as required by other schemes that are based on secret sharing. Our thorough analyses showed that our proposed scheme is secure and that its performance is satisfactory.