Publication


Featured research published by Kyung Soo Lim.


Mathematical and Computer Modelling | 2012

On-the-spot digital investigation by means of LDFS: Live Data Forensic System

Kyung Soo Lim; Antonio Savoldi; Changhoon Lee; Sangjin Lee

The ever growing capacity of hard drives poses a severe problem to forensic practitioners who strive to deal with digital investigations in a timely manner. Therefore, the on-the-spot digital investigation paradigm is emerging as a new standard to select only that evidence which is important for the case being investigated. In the light of this issue, we propose an incident response tool which is able to speed up the investigation by finding crime-related evidence in a faster way compared with the traditional state-of-the-art post-mortem analysis tools. The tool we have implemented is called Live Data Forensic System (LDFS). LDFS is an on-the-spot live forensic toolkit, which can be used to collect and analyze relevant data in a timely manner and to perform a triage of a Microsoft Windows-based system. Particularly, LDFS demonstrates the ability of the tool to automatically gather evidence according to general categories, such as live data, Windows Registry, file system metadata, instant messaging services clients, web browser artifacts, memory dump and page file. In addition, unified analysis tools of ELF provide a fast and effective way to obtain a picture of the system at the time the analysis is done. The result of the analysis from different categories can be easily correlated to provide useful clues for the sake of the investigation.


computer science and its applications | 2009

Applying a Stepwise Forensic Approach to Incident Response and Computer Usage Analysis

Kyung Soo Lim; Seung Bong Lee; Sangjin Lee

While digital investigation has traditionally been limited to cyber crimes, it is now an essential procedure in most civil and criminal cases. With the proliferation of digital investigation in this situation, the need for the timely identification, analysis and interpretation of digital evidence is becoming more crucial. The general method of investigating the suspect's computer is a laborious, time-consuming, complicated task and requires specialized expertise on the part of forensic experts. In particular cases, such as child abduction, missing or exploited persons, time is of the essence and rapid incident response is necessary. But the increase in the capacity of storage media has made this method take much longer. Therefore, we need a new process model to collect crucial evidence quickly and investigate these cases rapidly. The Stepwise Forensic Process Model (SFPM) provides a stepwise, in-situ approach to incident identification, acquisition, and analysis. The SFPM suggests a new investigational model for selecting the target and analyzing only the relevant evidence.


intelligent information hiding and multimedia signal processing | 2008

Methodologies for Detecting Covert Database

Keungi Lee; Antonio Savoldi; Paolo Gubian; Kyung Soo Lim; Seokhee Lee; Sangjin Lee

Forensic accounting has recently gained great attention in the accounting and computer forensic fields since government regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act (SOX) were introduced in the United States. Although these regulations force corporations to provide financial transparency, they still commit accounting frauds such as slush funds or tax evasion. Moreover, companies have substituted paperwork with IT systems such as DBMS (database management system), EDMS (electronic document management system), and ERP (Enterprise Resource Planning) systems. Since the majority of corporations use a DBMS, we should focus our attention on discovering financial information in a database server. However, frauds are difficult to observe and detect because the perpetrators do their best to conceal their fraudulent activities. In particular, we need to consider the case of a covert database server. This paper proposes a methodology for detecting a covert database server, which would be helpful for forensic investigators. Therefore, we describe an example of a covert database server and suggest several detection techniques. Finally, we provide our methodology according to classification of investigation cooperation.


Journal of Intelligent Manufacturing | 2014

Test-driven forensic analysis of satellite automotive navigation systems

Kyung Soo Lim; Changhoon Lee; Jong Hyuk Park; Sangjin Lee

The use of satellite automotive navigation systems has increased rapidly worldwide in recent years. Forensic analysis of these devices can identify information of evidential value in criminal cases. Mappy GPS navigation software is one of the most popular satellite navigation software products in Korea. Mappy records the usage history, such as the most frequently visited locations and routes, in an external storage medium for convenience and accessibility. These artifacts can be extracted, examined, and analyzed to trace location entries or recent vehicle routes. They can be used to investigate diverse crimes such as kidnap and murder cases; thus, they are of great value in digital forensics. This paper outlines test-driven forensic analysis for Mappy location records and shows how these can be recovered, including deleted location entries.


Journal of Internet Technology | 2009

CFES: Comprehensive Framework for Forensic Analysis of Embedded Systems

Kyung Soo Lim; Yongseok Choi; Jongsung Kim; Changhoon Lee; Sangjin Lee

Nowadays, embedded systems such as mobile phones, MP3 players, PMPs, and GPS navigation systems have become an integral part of our life. However, the increasing popularity of the use of digital devices has led to an increase in the diversity of cyber crime. Therefore, the forensic community has concentrated on countermeasures against emerging cyber crime techniques and embedded system investigations. While novel forensic analysis methodologies have been proposed for each embedded system known to the forensic community, there is no comprehensive framework for general embedded system forensics. Therefore, in this paper, we introduce a general-purpose framework for forensic analysis of embedded systems for future communications and computing. The CFES framework (Comprehensive Framework for Forensic analysis of Embedded Systems) is designed for a comprehensive analysis environment and is a general methodology of extracting useful information about various embedded systems. CFES provides an effective analysis environment and various analysis toolkits, which can be applied to most embedded systems. Further, it can perform a correlation analysis on the results of embedded system investigations.


2010 3rd International Conference on Human-Centric Computing | 2010

Forensic Artifacts Left by Virtual Disk Encryption Tools

Sungsu Lim; Jungheum Park; Kyung Soo Lim; Changhoon Lee; Sangjin Lee

A virtual disk encryption tool is a privacy protection tool that uses an encryption method by generating virtual disk images. An encrypted virtual disk cannot be mounted without authentication, such as a key, passphrase, etc. Thus, it can be used as an anti-forensic tool that makes it difficult to conduct a digital forensic investigation, because the content of the virtual disk cannot be identified without mounting the disk. This study investigates the installation, runtime, and deletion behaviors of virtual disk encryption tools in a Windows XP SP3 environment through experiments. This study also organizes the traces related to the tools and the elements that can verify that the virtual disk was mounted.


computer science and its applications | 2009

Analysis of Window Transactional NTFS(TxF) and Transactional Registry(TxR) in the Digital Forensic Perspective

Byeongyeong Yoo; Jewan Bang; Kyung Soo Lim; Sangjin Lee

A transaction executes a piece of work as a single atomic unit, preserving the original data until the work is committed. Transactional NTFS (TxF) applies transactions to NTFS and was first introduced in Windows Vista. Like Transactional NTFS, Transactional Registry (TxR) applies transaction functions to the Registry.


international conference on networking | 2005

A novel extension for on-demand routing protocol in event-driven sensor networks

Dong Hyun Chae; Kyu H. Han; Kyung Soo Lim; Sun Shin An

We describe a problem of redundant flooding induced by multiple sensor nodes during route discovery in event-driven wireless sensor networks, and propose a novel extension to the on-demand ad hoc routing protocol, in order to reduce the number of signaling messages during the route discovery phase. That is, our extension reduces energy consumption during route discovery. The heuristically and temporarily selected Path Set-up Coordinator (PSC) plays the role of a route request broker that alleviates redundant route request flooding. The simulation results show that our extension not only helps to conserve energy, but also reduces the disruption caused by the broadcast storm.


Archive | 2007

Apparatus for data aggregation using zone scheduling in wireless sensor network and method thereof

Jin Wook Lee; Su-myeon Kim; Sun Shin An; Won Keun Kong; Hun Lim; Kyung Soo Lim; Sangbin Lee


computer science and its applications | 2009

Analysis of Connection Information for Database Server Detection

Jisung Han; Keun Gi Lee; Joonho Choi; Kyung Soo Lim; Sangjin Lee

Collaboration


Dive into Kyung Soo Lim's collaboration.

Top Co-Authors

Changhoon Lee

Seoul National University of Science and Technology
