Jungheum Park

A study on multimedia file carving method

File carving is a method that recovers files at unallocated space without any file information and used to recover data and execute a digital forensic investigation. In general, the file carving recovers files using the inherent header and footer in files or the entire file size determined in the file header. The largely used multimedia files, such as AVI, WAV, and MP3, can be exactly recovered using an internal format in files as they are continuously allocated. In the case of the NTFS, which is one of the most widely used file system, it supports an internal data compression function itself, but the NTFS compression function has not been considered in file carving. Thus, a large part of file carving tools cannot recover NTFS compressed files. Also, for carving the multimedia files compressed by the NTFS, a recovery method for such NTFS compressed files is required. In this study, we propose a carving method for multimedia files and represent a recovery plan for deleted NTFS compressed files. In addition, we propose a way to apply such a recovery method to the carving of multimedia files.

Hamiltonian Decomposition of Recursive Circulants

We show that recursive circulant G(cdm, d) is hamiltonian decomposable. Recursive circulant is a graph proposed for an interconnection structure of multicomputer networks in [8]. The result is not only a partial answer to the problem posed by Alspach that every connected Cayley graph over an abelian group is hamiltonian decomposable, but also an extension of Micheneaus that recursive circulant G(2m, 4) is hamiltonian decomposable.

Analysis Framework to Detect Artifacts of Portable Web Browser

Portable web browser is a stand-alone web browser, which is designed to run on web pages and applications on an operating system independently. Portable web browsers store artifacts in the installed in the folder, while normal web browsers store artifacts in the user’s system. Therefore, portable web browsers are difficult to judge whether that users used portable web browsers. This paper describes whether that manufacturer support portable web browser and find out about the artifact path of portable web browsers. Then, we propose analysis framework to detect artifacts of portable web browsers through ‘UserAssist’ key value and prefetch file and explain the each module of framework.

A research on the investigation method of digital forensics for a VMware Workstation's virtual machine

Abstract Virtualization is a technology that uses a logical environment to overcome physical limitations in hardware. Recently, its coverage has become broader. Because a virtual machine can perform the same role as an actual system, a recorded user’s activity trail in the virtual machine is important factor in terms of digital forensics. If the investigator found trails of the VMware Workstation on the host, he should investigate the virtual machine along with host system. However, due to a lack of understanding of the virtual machine, the investigation process is not clear. Moreover, a damaged virtual machine image is difficult to investigate because of the structural characteristics. Therefore, we need a technical understanding and a research about investigation procedures and recovery methods on the virtual machine. In this research, we suggest an investigation procedure of digital forensics and a recovery method on damaged images for the VMware Workstation that has the largest number of users.

Investigation Methodology of a Virtual Desktop Infrastructure for IoT

Cloud computing for IoT (Internet of Things) has exhibited the greatest growth in the IT market in the recent past and this trend is expected to continue. Many companies are adopting a virtual desktop infrastructure (VDI) for private cloud computing to reduce costs and enhance the efficiency of their servers. As a VDI is widely used, threats of cyber terror and invasion are also increasing. To minimize the damage, response procedure for cyber intrusion on a VDI should be systematized. Therefore, we propose an investigation methodology for VDI solutions in this paper. Here we focus on a virtual desktop infrastructure and introduce various desktop virtualization solutions that are widely used, such as VMware, Citrix, and Microsoft. In addition, we verify the integrity of the data acquired in order that the result of our proposed methodology is acceptable as evidence in a court of law. During the experiment, we observed an error: one of the commonly used digital forensic tools failed to mount a dynamically allocated virtual disk properly.

Digital Forensic Investigation of Virtual Desktop Infrastructure

Recently, cloud computing is one of the parts showing the biggest growth in the IT market and is expected to continue to grow into. Especially, many companies are adopting virtual desktop infrastructure as private cloud computing to achieve in saving the cost and enhancing the efficiency of the servers. However, current digital forensic investigation methodology of cloud computing is not systematized scientifically and technically. To do this, depending on the type of each cloud computing services, digital evidence collection system for the legal enforcement should be established. In this paper, we focus on virtual desktop infrastructure as private cloud computing and introduce the most widely used around the world desktop virtualization solutions of VMware, Citrix, and Microsoft. And We propose digital forensic investigation methodology for private cloud computing that is constructed by these solutions.

Forensic Artifacts Left by Virtual Disk Encryption Tools

A virtual disk encryption tool is a privacy protection tool that uses an encryption method by generating virtual disk images. It cannot mount an encrypted virtual disk without any authentication, such as key, passphrase, and etc. Thus, it can be used as an anti- forensic tool that makes difficult to process a digital forensic investigation because the content of the virtual disk cannot be identified without mounting the disk. This study investigates the installation, runtime, and deletion behaviors of virtual disk encryption tools in a Windows XP SP3 environment through experiments. Also, this study organizes the traces related to the tools and the elements that are able to verify the mount of the virtual disk.

The Automatic Extraction System of Application Update Information in Android Smart Device

ABSTRACT As the utilization rate of smart device increases, various applications for smart device have been developed. Since these applications can contain important data related to user behavio rs in digital forensic perspective, the analysis of them should be conducted in advance. However, lots of applications get to have new data format or type when they are updated. Therefore, whether the applications are updated or not should be checked o ne by one, and if they are, whether their data are changed should be also analyzed. But observing application data repeatedly is a time-consuming task, and that is why the effective method for dealing with this problem is needed. This paper suggests the automatic system which gets updated inf ormation and checks changed data by collecting application information. Keywords: Digital Forensics, Smartphone Forensics, Android Forensics, An droid Application, Android Data Acquisition접수일(2013년 12월 19일), 수정일(2014년 1월 15일), 게재확정일(2014년 1월 16일)* 본 연구는 2013년도 정부(미래창조과학부)의 재원으로 한국연구재단-공공복지안전사업의 지원을 받아 수행되었습니다. [2012M3A2A1051106]†주저자, timemachine@korea.ac.kr‡교신저자, sangjin@korea.ac.kr(Corresponding author)

A research for partition recovery method in a forensic perspective

As the capacity of storage devices becomes larger, most users divide them into several logical partitions for convenience of storing and controlling data. Therefore, recovering partitions stably which are artificially hidden or damaged is the most important issue in the perspective of digital forensic. This research suggests partition recovery algorithm that makes stable and effective analysis using characteristics of each file system. This algorithm is available when partition is not distinguishable due to concealment of partition or damage in partition area.

A Study on a Carving Method for Deleted NTFS Compressed Files

File carving is a method that recovers files at unallocated space without any file information and used to recover data and execute a digital forensic investigation. In general, the file carving recovers files using the inherent header and footer in files or the entire file size determined in the file header. NTFS supports a compression function for internal files itself. However, the NTFS compression function has not been considered in the file carving. Thus, most of file carving tools cannot recover NTFS compressed files. This study describes the limitation in the existing file carving tools for the NTFS compressed files and proposes a recovering method for deleted NTFS compressed files.