Kibom Kim
Electronics and Telecommunications Research Institute
Publication
Featured research published by Kibom Kim.
information security and cryptology | 2013
Youngbok Kang; Hyunuk Hwang; Kibom Kim; Kyoungho Lee; Minsu Kim; Bong-Nam Noh
It is hard to extract the original data from data encrypted with disk encryption software before obtaining the password. The encryption key of disk encryption software can be extracted by using physical memory analysis. The time needed to search for the encryption key in physical memory increases with the size of memory because the search covers the whole memory. But physical memory data includes a lot of data that is unrelated to encryption keys, such as system kernel objects and file data. Therefore, a method is needed that extracts, through analysis, only the data that is valid for key searching. We provide a method that collects only the memory regions in which disk encryption keys are stored in physical memory by analyzing the Windows kernel virtual address space. We demonstrate its superiority because the suggested method experimentally reduces the encryption key search space more than the existing method.
information reuse and integration | 2016
Dae-il Jang; Gail-Joon Ahn; Hyunuk Hwang; Kibom Kim
Numerous security incidents caused by malware and hackers have recently utilized anti-forensic techniques to bypass analysis and detection. It is critical to build a knowledge base that would help understand such anti-forensic techniques. In this paper, we present a forensic analysis method to detect an anti-forensic technique which leverages timestamp manipulation in the NTFS file system. Our approach analyzes how timestamp manipulation occurs in the NTFS file system and also extracts some features to detect timestamp manipulation behaviors. We also evaluate our approach with several use cases and describe how our approach helps detect timestamp manipulation behaviors.
information security and cryptology | 2014
Youngbok Kang; Hyunuk Hwang; Kibom Kim; Bong-Nam Noh
As malicious code grows more intelligent, extracting executable files from physical memory is emerging as an important research issue. In previous physical memory studies on executable file extraction, which target running files, the files are not extracted identically to the original file saved on disk. Therefore, we need a method that can extract files identically to the original saved on disk and can also analyze the file information loaded in physical memory. In this paper, we provide a method for executable file extraction by analyzing information in the Windows kernel file object. We also analyze the characteristics of file data loaded in physical memory through experiment, and we demonstrate superiority because the suggested method can effectively extract more of the original file data than the existing method. Keywords: Physical Memory Forensic, File Mapped Data, File Object. Received August 6, 2014; revised September 11, 2014; accepted September 12, 2014.
Archive | 2013
Hyunuk Hwang; Kibom Kim; Seung-Yong Lee; Young-Chan Shin; Taejoo Chang
Digital Investigation | 2009
Kibom Kim; Sangseo Park; Taejoo Chang; Cheolwon Lee; Sungjai Baek
information security and cryptology | 2012
Minho Kim; Hyunuk Hwang; Kibom Kim; Taejoo Chang; Minsu Kim; Bong-Nam Noh
Archive | 2016
Seungjei Yang; Jungho Choi; Kibom Kim
Digital Investigation | 2016
Kyoungho Lee; Hyunuk Hwang; Kibom Kim; Bong-Nam Noh
Archive | 2015
Taewoo Oh; Kibom Kim
Archive | 2015
Seungjei Yang; Jungho Choi; Kibom Kim; Taejoo Chang