• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.4
• /
• pp.835-845
• /
• 2019

File Carving is a technique for attempting to recover a file without metadata, such as a formated storage media or a damaged file system, and generally looks for a specific header / footer signature and data structure of the file. However, file carving is faced with the problem of recovering fragmented files for a long time, and it is very important to propose a solution for digital forensics because important files are relatively fragmented. To overcome these limitations, various carving techniques and tools are continuously being developed, and data sets from various researches and institutions are provided for functional verification. However, existing data sets are ineffective in verifying tools because of their limited environmental conditions. Therefore, this paper refers to the importance of fragmented file carving and develops 16 images for carving tool verification based on scenarios. The developed images' carving rate and accuracy of each media is shown through Foremost which is well known as a commercial carving tool.

• The KIPS Transactions:PartA
• /
• v.8A no.4
• /
• pp.375-384
• /
• 2001

The shared disk file systems use a technique known as file system journaling to support recovery of metadata on the SAN(Storage Area Network). In the existing journaling technique, the metadata that is dirtied by one host must be updated to disk space before some hosts access it. The system performance is decreased because the disk access number is increased. In this paper, we describe a new recovery technique using a global buffer to decrease disk I/O. It transmits the dirtied metadata into the other hosts through Fibre Channel network on the SAN instead of disk I/O and supports recovery of a critical data by journaling a data as well as metadata.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.1
• /
• pp.139-147
• /
• 2019

In this paper we propose a method to distinguish damaged electronic records and an electronic record recovery method according to damage type. The proposed classification engine and recovery engine classify damaged electronic records based on the form and structure of electronic records and increase the probability of recovery according to the damaged form. Through this process, we propose a method to minimize the electronic records that are destroyed and verify them through experiments.

• KIPS Transactions on Computer and Communication Systems
• /
• v.2 no.2
• /
• pp.93-102
• /
• 2013

These days digital data have become essential for digital investigation because most of the crime was occurred by using the digital devices. However, digital data is very easier to falsify or delete. If digital data was deleted, it is necessary to recover the deleted data for obtain digital evidence. Even though file carving is the most important thing to gather. digital evidence in digital forensic investigation, most of popular carving tools don't contemplate methods of selection or restoration for digital forensic investigation. The goal of this research is suggested files which can obtain useful information for digital forensic investigation and proposed new record file carving technique to be able to recover data effectively than before it.

• Journal of Convergence for Information Technology
• /
• v.10 no.5
• /
• pp.23-29
• /
• 2020

These days, digital forensic technologies are being used frequently at crime scenes. There are various electronic devices at the scene of the crime, and digital forensic results of these devices are used as important evidence. In particular, the user's action and the time when the action took place are critical. But there are many limitations for use in real forensics analyses because of the short cycle in which user actions are recorded. This paper proposed an efficient method for recovering deleted user behavior records and applying them to forensics investigations, then the proposed method is compared with previous methods. Although there are difference in recovery result depending on the storage, the results have been identified that the amount of user history data is increased from a minimum of 6% to a maximum of 539% when recovered user behavior was utilized to forensics investigation.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2012.10a
• /
• pp.773-775
• /
• 2012

Compare to mobile system, in case of Android SMART TV Settopbox, power cable connect directly to device, user's power shutdown makes file system damage on memory file system. This paper research the way of check file system before booting SMART TV OS framework.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.5
• /
• pp.947-955
• /
• 2013

Most of the enterprise information is stored in the database. Therefore, in order to investigate the company's criminal behavior, forensic analysis is important for the database and delete record is a need to develop recovery techniques. This paper is explained structure of the oracle database tablespace file and analyzed system tables that stored table information. Further, we suggests a method of recovery for deleted record in oracle tablespace.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.6
• /
• pp.81-93
• /
• 2006

A file system is an evidence resource of cyber crime in computer forensics. Therefore the methods of recovering the file system and searching important information have been offered. However, the methods for finding a malicious fie in free blocks or slack spaces have not been suggested. In this paper, we propose an investigation method to find a maliciously executable fragmented file. After estimating if a file is executable with a machine code rate, we conclude it could be malicious by comparing a similarity of instruction sequences. To examine instruction sequences, we also propose a method of profiling malicious files using file and a method of comparing the continued scores. As the results, we could exactly pick out the malicious execution files, such as buffer overflow attack program, at fitting threshold level.

• Journal of KIISE
• /
• v.42 no.1
• /
• pp.7-14
• /
• 2015

Storage Class Memory(SCM) has been considered as a next-generation storage device because it has positive advantages to be used both as a memory and storage. However, there are significant problems of data consistency in recently proposed file systems for SCM such as insufficient data consistency or excessive data consistency-control overhead. This paper proposes a novel data consistency-control scheme, which changes the write mode for log data depending on the modified data ratio in a block, using a rollback-recovery scheme instead of the Write Ahead Logging (WAL) scheme. The proposed scheme reduces the log data size and the synchronization cost for data consistency. In order to evaluate the proposed scheme, we implemented our scheme on a Linux 3.10.2-based system and measured its performance. The experimental results show that our scheme enhances the write throughput by 9 times on average when compared to the legacy data consistency control scheme.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.13 no.10
• /
• pp.4786-4793
• /
• 2012

In a recent mobile computing environment, the research for a transaction model have been actively carried out to deal with real-time transaction. However, the research for recovery model is relatively insufficient. Therefore, it would be very important for mobile recovery methods for database stability, just in case of data loss due to hand-off in mobile computing system. So, further efficient research should be keenly done to reduce I/O hand-off in mobile computing systems. SLL method increases I/O time due to sequential file. This paper have been suggested to efficient mobile recovery method in mobile computing system. Finally, it has been clearly demonstrated for system efficiency, conducting the performance assessment that currently proposed recovery system.