• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.5
• /
• pp.1107-1115
• /
• 2017

The most commonly used PKZIP format is a ZIP file, as well as a file format used in MS Office files and application files for Android smartphones. PKZIP format files, which are widely used in various areas, require structural analysis from the viewpoint of digital forensics and should be able to recover when files are damaged. However, previous studies have focused only on recovering data or extracting meaningful data using the Deflate compression algorithm used in ZIP files. Although most of the data resides in compressed data in the ZIP file, there is also forensically meaningful data in the rest of the ZIP file, so you need to restore it to a normal ZIP file format. Therefore, this paper presents a technique to recover a damaged ZIP file to a normal ZIP file when given.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.1
• /
• pp.77-91
• /
• 2019

Recent Linux operating systems having been increasingly used, ranging from automotive consoles, CCTV, IoT devices, and mobile devices to various versions of the kernel. Because these devices can be used as strong evidence in criminal investigations, there is a risk of destroying evidence through file deletion. Ext filesystem forensics has been studied in depth because it can recovery deleted files without depending on the kind of device. However, studies have been carried out without consideration of characteristics of file system which may vary depending on the kernel. This problem can lead to serious situations, such as those that can impair investigative ability and cause doubt of evidence ability, when an actual investigation attempts to analyze a different version of the kernel. Because investigations can be performed on various distribution and kernel versions of Linux file systems at the actual investigation site, analysis of the metadata changes that occur when files are deleted by Linux distribution and kernel versions is required. Therefore, in this paper, we analyze the difference of metadata according to the Linux kernel as a solution to this and recovery deleted file. After that, the investigating agency needs to consider the metadata change caused by the difference of Linux kernel version when performing Ext filesystem forensics.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2011.05a
• /
• pp.633-636
• /
• 2011

In this paper, ordered mode of EXT3 file system offers to use an optional compression algorithm technique. If the system terminates abnormally or an error occurs, data which is being modified will be possibly damaged or a recovery of the existing data can be impossible. To overcome these problems, a journaling file system is used. Journaling file system manages by using an additional space called Journal. EXT3 file system is the most widely used journaling file system. In this paper, When performing a file writing of an existing EXT3 file system, it offers to use an optional compact algorithm technique for an efficient use of a space of storage device.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.6
• /
• pp.43-51
• /
• 2010

It is meaningful to investigate data in unallocated space because we can investigate the deleted data. Consecutively complete file recovery using the File Carving is possible in unallocated area, but noncontiguous or incomplete data recovery is impossible. Typically, the analysis of the data fragments are needed because they should contain large amounts of information. Microsoft Word, Excel, PowerPoint and PDF document file's text are stored using compression or specific document format. If the part of aforementioned document file was stored in unallocated data fragment, text extraction is possible using specific document format. In this paper, we suggest the method of extracting a particular document file text in unallocated data fragment.

• Journal of information and communication convergence engineering
• /
• v.10 no.4
• /
• pp.405-410
• /
• 2012

Several attempts have been made to add journaling capability to a traditional file allocation table (FAT) file system. However, they encountered issues such as excessive system load or instability of the journaling data itself. If journaling data is saved as a file format, it can be corrupted by a user application. However, if journaling data is saved in a fixed area such as a reserved area, the storage can be physically corrupted because of excessive system load. To solve this problem, a new method that dynamically allocates journaling data is introduced. In this method, the journaling data is not saved as a file format. Using a reserved area and reserved FAT status entry of the FAT file system specification, the journaling data can be dynamically allocated and cannot be accessed by user applications. The experimental results show that this method is more stable and scalable than other log-based FAT file systems. HFAT was tested with more than 12,000 power failures and was stable.

• KIPS Transactions on Computer and Communication Systems
• /
• v.6 no.12
• /
• pp.487-496
• /
• 2017

In MySQL InnoDB, there are two ways of storing data. One is to create a separate tablespace for each table and store it separately. Another is to store all table and index information in a single system tablespace. You can use this information to recover deleted data from the record. However, in most of the current database forensic studies, the former is actively researched and its structure is analyzed, whereas the latter is not enough to be used for forensics. Both approaches must be analyzed in terms of database forensics because their storage structures are different from each other. In this paper, we propose a method for recovering deleted records in a method of storing records in IBDATA file, which is a single system tablespace. First, we analyze the IBDATA file to reveal its structure. And introduce delete record recovery algorithm which extended to an unallocated page area which was not considered in the past. In addition, we show that the recovery rate is improved up to 68% compared with the existing method through verification using real data by implementing the algorithm as a tool.

• Journal of Korea Multimedia Society
• /
• v.13 no.2
• /
• pp.161-170
• /
• 2010

ELF, an abbreviation for Executable and Linkable Format, is the basic file format for shared libraries and executable files used in the Linux system, whereas 'Linker' copies the symbol information of static shared libraries into the symbol table in the target file generated by way of static linking. At this time, the symbol table keeps various pieces of debugging-related information including function names provided by the shared libraries, and it can be deleted to avoid debugging for security reasons by utilizing the fact that it does not directly affect the program execution. This paper proposes a method for restoring the symbol information of static shared libraries from the ELF object file in which the symbol table is deleted, and confirms that the symbol information is restored by conducting practical experiments.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.4 no.2
• /
• pp.101-108
• /
• 2008

In this paper, we develop system to backup automatically personal data by real time based on ECA model. This system backups data that is changed in user PC using CDP technology based on ECA model. Proposed ECA model defines file's change such as file creation, update, remove etc. in user PC to event for synchronization between server and user PC. If event is detected about file, proposed system examines condition that is defined and backup the file to server. Backup data that is stored to server can recovery on point of time that user wants. The proposed system can be applied to data management system for business, personal data management system, high-capacity contents management system etc.

• Journal of Information Technology Applications and Management
• /
• v.13 no.2
• /
• pp.115-126
• /
• 2006

Recently, flash memories are one of best media to support portable computer's storages in mobile computing environment. We propose a new transaction recovery scheme for a flash memory database environment which is based on a flash media file system. We improved traditional shadow paging schemes by reusing old data pages which are supposed to be invalidated in the course of writing a new data page in the flash file system environment. In order to reuse these data pages, we exploit deferred cleaning list structure in our flash memory shadow paging (FMSP) scheme. FMSP scheme removes the additional storage overhead for keeping shadow pages and minimizes the I/O performance degradation caused by data page distribution phenomena of traditional shadow paging schemes. We also propose a simulation model to show the performance of FMSP. Based on the results of the performance evaluation, we conclude that FMSP outperforms the traditional scheme.

• Journal of KIISE:Computer Systems and Theory
• /
• v.34 no.12
• /
• pp.683-695
• /
• 2007

NAND flash memory-based file systems cannot store their system-related information in the file system due to wear-leveling of NAND flash memory. This forces NAND flash memory-based file systems to scan the whole flash memory during their mounts. The mount time usually increases linearly according to the size of and the usage pattern of the flash memory. NAND flash memory has been widely used as the storage medium of mobile devices. Due to the fact that mobile devices have unstable power supply, the file system for NAND flash memory requires stable recovery mechanism from power failure. In this paper, we present design and implementation of a new NAND flash memory-based file system that provides fast mount and enhanced stability. Our file system mounts 19 times faster than JFFS2's and 2 times faster than YAFFS's. The stability of our file system is also shown to be equivalent to that of JFFS2.