KR20140075393A - Apparatus and method for forensic document filter of smart device - Google Patents


Info

Publication number
KR20140075393A
Authority
KR
South Korea
Prior art keywords
document
forensic
digital
smart device
filter
Prior art date
Application number
KR1020120143686A
Other languages
Korean (ko)
Inventor
조수형
은성경
길연희
김건우
김영수
이상수
이주영
최우용
Original Assignee
한국전자통신연구원
Application filed by 한국전자통신연구원
Priority to KR1020120143686A
Publication of KR20140075393A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/14 Details of searching files based on file metadata
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/93 Document management systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Library & Information Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

When a digital forensic system uses a smart device to extract and analyze forensic evidence documents, the smart device classifies documents by file size and performs forensic analysis directly on evidence documents below the reference capacity to extract document information. This makes it possible to collect and analyze digital evidence in real time at the scene of the incident, which makes the investigation more convenient.

Description

FIELD OF THE INVENTION The present invention relates to a smart device,

The present invention relates to a forensic system, and in particular to a smart device forensic document filter apparatus and method for extracting and analyzing forensic evidence documents in a digital forensic system that uses a smart device. Because the memory capacity of a smart device is limited, documents are classified by file size: for evidence documents below the reference capacity, the smart device performs forensic analysis directly to extract document information, while evidence documents exceeding the reference capacity are sent to a remote server, which extracts the document, and the results of the forensic analysis are presented. This enables digital evidence to be collected and analyzed in real time at an incident site, making the investigation more convenient.

Recently, as computer hard disks have grown to terabyte capacities and the amount of stored digital data has increased, digital forensic processes such as evidence collection and analysis have come to take a long time. In addition, as the IT environment changes, the types of crime become more varied and the number of objects to be investigated increases, so there is a demand for technology that allows an investigation to be completed within a short period of time.

However, to perform forensic analysis in the conventional investigation process, the storage device, such as a hard disk, containing the evidence secured at the scene of the incident is transferred to a remote investigation agency capable of forensic analysis, and the evidence documents are extracted and analyzed using the forensic analysis system installed at that agency. As a result, rapid on-the-spot analysis of digital evidence has been difficult.

Therefore, there is a need for a real-time digital forensic analysis function that allows an investigator to collect and analyze digital evidence at the scene of an incident.

To this end, forensic analysis using portable smart devices such as smartphones and smart pads is expected to make it possible to analyze digital evidence collected in the field in real time.

When the contents of a forensic evidence document are to be previewed on a smart device, a document viewer application is often not installed on the device. Software for smart devices is therefore needed that extracts document information so that the document can be opened and its contents viewed. In addition, because a general document filter uses a large amount of memory to process a large file, it may not operate on a smart device with limited resources.

Korean Registered Patent No. 10-0961179 (registration date May 26, 2010) discloses a digital forensic method and apparatus.

Accordingly, the present invention provides a smart device forensic document filter apparatus and method for providing convenience of investigation using a smart device in digital forensic investigation and analyzing evidence in real time at an incident site.

To address the problem that the digital data to be investigated grows as the capacity of storage media increases, and the investigation time grows with it, the present invention provides a forensic document filter apparatus and method for forensic analysis on a smart device.

The present invention also provides a smart device forensic document filter apparatus and method in which, when forensic evidence documents are extracted and analyzed in a digital forensic system using a smart device, the smart device classifies documents by file size, performs forensic analysis directly on evidence documents below the reference capacity to extract document information, and transmits evidence documents at or above the reference capacity to a remote server. This enables digital evidence to be collected and analyzed in real time at the scene of the incident, making the investigation more convenient.

The present invention provides a forensic document filter apparatus comprising: a filter client that checks the data size of a digital forensic document collected as evidence and extracts information of a document at or below a preset reference capacity; a filter server that transmits the document to a server at a remote site when the reference capacity is exceeded; a document type discrimination unit that determines the type of the document by examining the file extension information of the document extracted by the filter client; and a document extracting unit that extracts the contents and metadata of the document.

According to the present invention, when forensic evidence documents are extracted and analyzed in a digital forensic system using a smart device, the smart device classifies documents by file size and performs forensic analysis directly on evidence documents below the reference capacity to extract document information, while evidence documents exceeding the reference capacity are transmitted to a remote server for forensic analysis. This has the advantage that digital evidence can be collected and analyzed in real time at the scene of the incident.

In addition, evidence can be analyzed in real time at the crime scene, which shortens the investigation time for digital evidence, and the use of a portable smart device makes the investigation more convenient.

In addition, using the extension information of the file to identify the document type during information extraction from the evidence document reduces the time required for document extraction, which shortens the investigation time.

FIG. 1 is a detailed block diagram of a forensic document filter device of a smart device according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating forensic document filtering operation control in a forensic document filter apparatus according to an embodiment of the present invention;
FIG. 3 is a flowchart of forensic document analysis operation control in a forensic document filter apparatus according to an embodiment of the present invention.

Hereinafter, the operation principle of the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The following terms are defined in consideration of the functions of the present invention, and may be changed according to the intentions or customs of the user, the operator, and the like. Therefore, the definition should be based on the contents throughout this specification.

FIG. 1 is a detailed block diagram of a forensic document filter device of a smart device according to an embodiment of the present invention.

Referring to FIG. 1, the smart device forensic document filter apparatus 100 according to the present invention includes a filter client 102, a filter server 104, a document type determination unit 106, a document extracting unit 108, a mass storage unit 110, a display unit 112, a control unit 114, and the like.

Hereinafter, the operation of each component of the forensic document filter device 100 of the smart device of the present invention will be described in detail.

First, from the digital data collected from a digital storage device, such as a hard disk, secured as evidence, the filter client 102 selects a document whose data size is equal to or less than a predetermined reference capacity and analyzes that document directly on the smart device. The reference capacity may be set to, for example, 10-50 MB, and the value that can be set differs according to the memory capacity of the smart device.

The filter server 104 selects a document whose data size exceeds a predetermined reference capacity for digital data collected from a digital storage device such as a hard disk or the like, and transmits the selected document to a remote server. At this time, the server at the remote site may be a server of an investigation agency equipped with a device capable of forensic analysis of a large-sized document.

The document type determination unit 106 determines the type of the forensic analysis target document extracted by the filter client 102 by using the file extension information of the document. The document type determination unit 106 compares the header information of the document to determine the document format, and the document extracting unit 108 extracts the contents. Comparing against every format used on a computer would take a long time. Because the extension matches the document type in many cases, the document format is first compared based on the extension. If the document format differs from the extension, the type of the document is determined by comparing the header information against document formats in the order in which users most frequently use them, such as Word, HWP, Excel, and PowerPoint.

The document extracting unit 108 extracts the document content and metadata from the forensic analysis target document selected by the filter client 102, according to the format type determined by the document type determination unit 106.

The mass storage unit 110 stores a forensic image obtained by imaging a digital storage device, such as a hard disk, secured as evidence.

The display unit 112 displays the document contents and metadata extracted by the document extracting unit 108.

The control unit 114 controls the overall operation of the forensic document filter apparatus 100 of the smart device according to the operation program stored in the memory, and controls the operation of the filter client 102, the document type determination unit 106, the document extracting unit 108, the mass storage unit 110, the display unit 112, and the like.

That is, the control unit 114 controls the filter client 102 and the filter server 104 for digital data collected from a digital storage device such as a hard disk, so that forensic analysis is performed and the analysis result is displayed directly. If the document exceeds the predetermined reference capacity, the document is transmitted to a remote server so that the forensic analysis is performed at the investigation agency or the like.

FIG. 2 illustrates the flow of forensic document filtering operation control in the forensic document filter apparatus 100 according to an embodiment of the present invention. Hereinafter, the embodiment will be described in detail with reference to FIGS. 1 and 2.

First, when a digital forensic document collected from a digital storage device such as a hard disk secured as evidence is input (S200), the forensic document filter device 100 measures the size of the inputted digital forensic document (S202). At this time, the digital forensic document may be input from a forensic image obtained by performing imaging on a digital storage device such as a hard disk collected as evidence at an incident site.

Next, the forensic document filter apparatus 100 checks whether the size of the data of the digital forensic document exceeds a predetermined reference capacity (S204). The reference capacity may be set to, for example, 10 to 50 MB.

If the data size of the digital forensic document is found to exceed the predetermined reference capacity, the forensic document filter apparatus 100 transmits the document to a remote server having a device capable of forensic analysis of a large-sized document, so that the server extracts the document (S206). The server at the remote site may be a server of an investigation agency equipped with a device capable of forensic analysis of a large amount of documents.

However, if the data size of the digital forensic document is found to be less than the predetermined reference capacity, the forensic document filter apparatus 100 determines the document format and extracts the document directly on the smart device (S208).

FIG. 3 shows the flow of forensic document analysis operation control in the forensic document filter apparatus 100 according to the embodiment of the present invention. Hereinafter, the embodiment will be described in detail with reference to FIGS. 1 and 3.

First, data is collected from a digital storage device such as a hard disk secured as evidence (S300), and the corresponding digital forensic data is stored as a forensic image in the mass storage 110 (S302).

Next, the forensic document filter apparatus 100 checks the size of the digital forensic document obtained from the image in the mass storage unit 110 and checks whether the document is of a size that can be extracted on the smart device (S304). For example, when the data size of the document is found to be equal to or less than the preset reference capacity, the forensic document filter apparatus may determine that forensic analysis can be performed directly on the smart device by connecting the document to the smart device.

If the size of the digital forensic document is determined and the document is determined to be a document that can be extracted from the smart device, the forensic document filter apparatus 100 uses the file extension information of the document to determine the type of the document (S306).

When the type of the document has been determined as described above, the forensic document filter apparatus 100 extracts the document content and metadata from the document (S308) and displays the extracted result through the display unit 112 (S310).
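The flow of FIGS. 2 and 3 (size check first, then extension-first type determination with a header fallback in the order Word, HWP, Excel, PowerPoint) can be sketched as below. This is an added example, not code from the patent: the 10 MB threshold, the function names and the marker table are assumptions. Because legacy Office and HWP 5.x files share the OLE2 signature and OOXML files share the ZIP signature, the sketch checks the container signature and then looks for a format-specific stream or part name.

```python
import os

# Assumption: the page gives 10-50 MB only as an example range; 10 MB is used here.
REFERENCE_CAPACITY = 10 * 1024 * 1024

MAGIC = {
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy Office and HWP 5.x container
    "zip": b"PK\x03\x04",                          # OOXML container
}

def u16(name):  # OLE2 directory entries store stream names as UTF-16LE
    return name.encode("utf-16-le")

# Checked in the order the page lists: word, hwp, excel, powerpoint.
# Entry: (type, extension -> container, container -> marker found inside it).
FORMATS = [
    ("word", {".doc": "ole2", ".docx": "zip"},
     {"ole2": u16("WordDocument"), "zip": b"word/"}),
    ("hwp", {".hwp": "ole2"}, {"ole2": u16("FileHeader")}),
    ("excel", {".xls": "ole2", ".xlsx": "zip"},
     {"ole2": u16("Workbook"), "zip": b"xl/"}),
    ("powerpoint", {".ppt": "ole2", ".pptx": "zip"},
     {"ole2": u16("PowerPoint Document"), "zip": b"ppt/"}),
]

def route(size, reference=REFERENCE_CAPACITY):
    """S204: documents over the reference capacity go to the remote server."""
    return "remote" if size > reference else "local"

def _is_format(data, container, markers):
    return data.startswith(MAGIC[container]) and markers[container] in data

def detect_type(filename, data):
    """Return (type, how): the extension's format is tried first, then the fallback."""
    ext = os.path.splitext(filename)[1].lower()
    for doc_type, extensions, markers in FORMATS:
        if ext in extensions and _is_format(data, extensions[ext], markers):
            return doc_type, "extension"
    # Extension missing, unknown, or contradicted by the content.
    for doc_type, _, markers in FORMATS:
        if any(_is_format(data, c, markers) for c in markers):
            return doc_type, "header"
    return None, "unknown"

def filter_document(path):
    """Size check comes first, so an oversized file is never read into memory."""
    size = os.path.getsize(path)
    if route(size) == "remote":
        return {"path": path, "route": "remote", "type": None}
    with open(path, "rb") as fh:
        doc_type, how = detect_type(path, fh.read())
    return {"path": path, "route": "local", "type": doc_type, "matched_by": how}

# Constructed stubs (container signature plus marker only, not real documents).
SAMPLES = {
    "report.doc": MAGIC["ole2"] + b"\x00" * 8 + u16("WordDocument"),
    "budget.jpg": MAGIC["zip"] + b"\x00" * 8 + b"xl/workbook.xml",
    "memo.doc": MAGIC["ole2"] + b"\x00" * 8 + u16("FileHeader"),
    "readme.txt": b"plain text",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, route(len(blob)), detect_type(name, blob))
```

A `"header"` result for a file that carried a known document extension, such as `memo.doc` above, means the extension and the content disagree, which an examiner would normally want surfaced alongside the extracted text.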

As described above, according to the present invention, when forensic evidence documents are extracted and analyzed in a digital forensic system using a smart device, the smart device classifies documents by file size and performs forensic analysis directly on evidence documents below the reference capacity, while evidence documents exceeding the reference capacity are transmitted to a remote server for forensic analysis. This makes it possible to collect and analyze digital evidence in real time at the incident site, making the investigation more convenient.

While the invention has been shown and described with reference to certain preferred embodiments thereof, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention. Accordingly, the scope of the invention should not be limited by the described embodiments but should be defined by the appended claims.

102: Filter Client 104: Filter Server
106: document type discrimination unit 108: document extracting unit
110: Mass storage unit 112: Display unit
114:

Claims (1)

A forensic document filter device comprising:
a filter client for examining a data size of a digital forensic document collected as evidence and extracting information of a document having a preset reference capacity or less;
a filter server for transmitting the document to a remote server when the size of the digital forensic document exceeds the reference capacity;
a document type determining unit for examining file extension information of the document extracted from the filter client to determine a type of the document; and
a document extracting unit for extracting contents and metadata of the document from the document in which the type of the document is determined.
KR1020120143686A 2012-12-11 2012-12-11 Apparatus and method for forensic document filter of smart device KR20140075393A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020120143686A KR20140075393A (en) 2012-12-11 2012-12-11 Apparatus and method for forensic document filter of smart device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020120143686A KR20140075393A (en) 2012-12-11 2012-12-11 Apparatus and method for forensic document filter of smart device

Publications (1)

Publication Number Publication Date
KR20140075393A (en) 2014-06-19

Family

ID=51128125

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020120143686A KR20140075393A (en) 2012-12-11 2012-12-11 Apparatus and method for forensic document filter of smart device

Country Status (1)

Country Link
KR (1) KR20140075393A (en)

Similar Documents

Publication Publication Date Title
US20110153748A1 (en) Remote forensics system based on network
US8422730B2 (en) System for analyzing forensic evidence using image filter and method thereof
Quick et al. Big forensic data management in heterogeneous distributed systems: quick analysis of multimedia forensic data
US10740858B2 (en) System and method for collecting forensic data via a mobile device
Song et al. Integrity verification of the ordered data structures in manipulated video content
US9081801B2 (en) Metadata supersets for matching images
Mezaris et al. Video verification in the fake news era
Husnjak et al. Uav forensics: Dji mavic air noninvasive data extraction and analysis
KR101647371B1 (en) STL file including text information and, STL file searching and management system therefor
US8161023B2 (en) Inserting a PDF shared resource back into a PDF statement
CN111386711A (en) Method, device and system for managing electronic fingerprints of electronic files
KR102192039B1 (en) Method and system for managing traffic violation using video/image device
EP3944111B1 (en) System and method for generating a minimal forensic image of a dataset of interest
KR20140075393A (en) Apparatus and method for forensic document filter of smart device
KR20150080058A (en) Video sharing system and method of black box for vehicle
KR20110070767A (en) Remote forensics system based on network
WO2021058936A2 (en) Imagery acquisition method and apparatus
Lim et al. A framework for unified digital evidence management in security convergence
KR20120072119A (en) Apparatus for information extract of large scale forensic image
Shayau et al. Digital forensics investigation reduction model (DIFReM) framework for Windows 10 OS
WO2016101006A1 (en) Data reduction method for digital forensic data
CA2899139C (en) Method and system for creating optimized images for data identification and extraction
KR101871407B1 (en) Apparatus for identifying work history of removable storage media and method using the same
CN116881915B (en) File detection method, electronic device and storage medium
Murphy The fraternal clone method for CDMA cell phones

Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination