
Development of B-tree Analyzing Tool for macOS Filesystem (macOS 파일시스템의 B-tree분석 디지털 포렌식 도구의 개발)

  • Cho, Gyu-Sang
    • Proceedings of the Korean Society of Computer Information Conference / 2021.01a / pp.287-288 / 2021
  • This paper deals with the implementation of a tool capable of analyzing the B-tree structure of HFS+, the macOS file system, from a digital forensics perspective. Meta-information about the files and directories of the HFS+ file system is obtained from the catalog B-tree and used as digital forensic information. The HFS+ file system forensic analysis tool is implemented in C/C++. It is implemented as a text-based command-line program, built so that it can be run in the terminal on macOS and at the command prompt on Windows. The implemented functions include parsing of metadata such as timestamps, file sizes and locations; reconstruction of the file/directory tree structure from the data stored in leaf nodes; keyword search by means of the B-tree structure; and file/directory parsing and search based on the composition of the B-tree leaf nodes without index nodes.

Development of a Forensic Analyzing Tool based on Cluster Information of HFS+ filesystem

  • Cho, Gyu-Sang
    • International Journal of Internet, Broadcasting and Communication / v.13 no.3 / pp.178-192 / 2021
  • File system forensics typically focuses on the contents or timestamps of a file, and it is common to work around file/directory centers. But to recover a deleted file on the disk or to use a carving technique to find and connect partial missing content, the evidence must be analyzed using cluster-centered analysis. Forensics tools such as EnCase, TSK, and X-Ways provide a basic ability to get information about disk clusters, but these are not the core functions of the tools. Alternatively, Sysinternals' DiskView tool provides a more intuitive visualization function, which makes it easier to obtain information around disk clusters. In addition, most current tools are for Windows. There are very few forensic analysis tools for macOS, and furthermore, cluster analysis tools are very rare. In this paper, we developed a tool named FACT (Forensic Analyzer based Cluster Information Tool) for analyzing the state of clusters in an HFS+ file system, for digital forensics. FACT consists of three features: a cluster-based analysis, a B-tree-based analysis, and a directory-based analysis. The cluster-based analysis is the main feature and was basically developed for cluster analysis. The FACT tool's cluster visualization feature plays a central role. The FACT tool was programmed in two programming languages, C/C++ and Python. The core part for analyzing the HFS+ filesystem was programmed in C/C++, and the visualization part is implemented using the Python Tkinter library. The features in this study will evolve into key forensics tools for use on macOS, and by providing additional GUI capabilities they can be very important for cluster-centric forensics analysis.

Implementation of Memory Efficient Flash Translation Layer for Open-channel SSDs

  • Oh, Gijun; Ahn, Sungyong
    • International Journal of Advanced Smart Convergence / v.10 no.1 / pp.142-150 / 2021
  • Open-channel SSD is a new type of Solid-State Disk (SSD) that improves the garbage collection overhead and write amplification due to the physical constraints of NAND flash memory by exposing the internal structure of the SSD to the host. However, the host-level Flash Translation Layer (FTL) provided for open-channel SSDs in the current Linux kernel consumes host memory excessively because it uses a page-level mapping table to translate logical addresses to physical addresses. Therefore, in this paper, we implement a selective mapping table loading scheme that loads only the currently required part of the mapping table from the SSD into the mapping table cache instead of the entire mapping table. In addition, to increase the hit ratio of the mapping table cache, filesystem information and mapping table access history are utilized for the cache replacement policy. The proposed scheme is implemented in the host-level FTL of the Linux kernel and evaluated using an open-channel SSD emulator. According to the evaluation results, we can achieve 80% of the I/O performance using only 32% of the memory usage compared to the previous host-level FTL.

Study on File Recovery Based on Metadata According to Linux Kernel (리눅스 커널에 따른 메타데이터 기반 파일 복원 연구)

  • Shin, Yeonghun; Jo, Woo-yeon; Shon, Taeshik
    • Journal of the Korea Institute of Information Security & Cryptology / v.29 no.1 / pp.77-91 / 2019
  • Recently, Linux operating systems have been increasingly used, ranging from automotive consoles, CCTV, IoT devices, and mobile devices to various versions of the kernel. Because these devices can be used as strong evidence in criminal investigations, there is a risk of destroying evidence through file deletion. Ext filesystem forensics has been studied in depth because it can recover deleted files without depending on the kind of device. However, studies have been carried out without consideration of the characteristics of the file system, which may vary depending on the kernel. This problem can lead to serious situations, such as those that can impair investigative ability and cast doubt on evidentiary ability, when an actual investigation attempts to analyze a different version of the kernel. Because investigations can be performed on various distribution and kernel versions of Linux file systems at the actual investigation site, analysis of the metadata changes that occur when files are deleted, by Linux distribution and kernel version, is required. Therefore, in this paper, we analyze the differences in metadata according to the Linux kernel as a solution to this and recover deleted files. Accordingly, the investigating agency needs to consider the metadata changes caused by differences in Linux kernel version when performing Ext filesystem forensics.

Design and Implementation of Analysis Techniques for Fragmented Pages in the Flash Memory Image of Smartphones (스마트폰 플래시 메모리 이미지 내의 단편화된 페이지 분석 기법 및 구현)

  • Park, Jung-Heum; Chung, Hyun-Ji; Lee, Sang-Jin; Son, Young-Dong
    • Journal of the Korea Institute of Information Security & Cryptology / v.22 no.4 / pp.827-839 / 2012
  • A cell phone is very close to the user and therefore should be considered in digital forensic investigation. Recently, the proportion of smartphone owners has been increasing dramatically. Unlike the feature phone, users can utilize various mobile applications on a smartphone because it has a high-performance operating system (e.g., Android, iOS). As the acquisition and analysis of user data in smartphones are more important for digital forensic purposes, smartphone forensics has been studied actively. There are two ways to do smartphone forensics. The first way is to extract the user's data using the backup and debugging functions of smartphones. The second way is to get root permission and acquire the image of the flash memory. Then it is possible to reconstruct the filesystem, such as YAFFS, EXT, RFS, or HFS+, and analyze it. However, these methods are not suitable for recovering and analyzing deleted data from smartphones. This paper introduces analysis techniques for fragmented flash memory pages in smartphones. In particular, this paper demonstrates analysis techniques on images for which reconstruction of the filesystem is impossible because the spare area of the flash memory pages does not exist, and on pages in the unallocated area of the filesystem.

Characterization of EXT4 Filesystem Accesses for Android Web Browser (안드로이드 웹 브라우저의 EXT4에 대한 파일시스템의 접근 특성 분석)

  • Lee, Joon-Woo; Kim, Kang-Hee
    • Proceedings of the Korean Information Science Society Conference / 2012.06a / pp.89-91 / 2012
  • Flash storage devices are known to show high performance on sequential write patterns and low performance on random write patterns. However, real application programs may show mixed patterns depending on how they operate. This paper aims to quantitatively analyze the file system access characteristics of the web browser application, as a representative mobile application. Based on the Ext4 file system recently adopted in Android smartphones, we aim to point out performance improvement points for the file system requests of the web browser application.

Study of Optimization through Performance Analysis of Parallel Distributed Filesystem (병렬 분산파일시스템의 성능 분석을 통한 최적화 연구)

  • Yoon, JunWeon; Song, Ui-Sung
    • Journal of Digital Contents Society / v.17 no.5 / pp.409-416 / 2016
  • Recently, Big Data has become a buzzword, and universities, industries and research institutes have made efforts to collect and analyze various data. This includes data accumulated from the past which, even if it cannot be analyzed immediately at present, has potential value. Valuable results are obtained from the collected large amounts of data via semantic analysis. The demand for high-performance storage systems that can handle large amounts of data is increasing around the world. In addition, a distributed parallel file system must provide stability for multiple users to perform a variety of analyses at the same time by connecting a large amount of the accumulated data. In this study, we identify the I/O bandwidth of the storage system to be considered and the performance of the metadata in order to provide a file system with stability, and propose a method for configuring the optimal environment.

Deployment and Performance Analysis of Data Transfer Node Cluster for HPC Environment (HPC 환경을 위한 데이터 전송 노드 클러스터 구축 및 성능분석)

  • Hong, Wontaek; An, Dosik; Lee, Jaekook; Moon, Jeonghoon; Seok, Woojin
    • KIPS Transactions on Computer and Communication Systems / v.9 no.9 / pp.197-206 / 2020
  • Collaborative research in science applications based on HPC services needs rapid transfers of massive data between research colleagues over wide area networks. With regard to this requirement, research on enhancing data transfer performance between major superfacilities in the U.S. has been conducted recently. In this paper, we deploy multiple data transfer nodes (DTNs) over high-speed science networks in order to rapidly move large amounts of data in the parallel filesystem of KISTI's Nurion supercomputer, and perform transfer experiments between endpoints with approximately 130 ms round trip time. We have shown the results of transfer throughput for file sets of different sizes and compared them. In addition, it has been confirmed that the DTN cluster with three nodes can provide about 1.8 and 2.7 times higher transfer throughput than a single node in two types of concurrency and parallelism settings.