KR101026790B1 - Method of forensic evidence analysis based on mobile rfid environment and device thereof - Google Patents

Abstract

The present invention relates to a method and apparatus for collecting and analyzing forensic evidence in a mobile RFID environment, comprising: mobile RFID tag reader means for receiving RFID tag data; Buffer control means for buffering data flowing from the RFID tag reader means; Forensic analysis execution means for extracting data in accordance with the extraction option from the data buffered in the buffer control means; Storage means for storing the extracted data; And forensic analysis control means for receiving the analysis request from the user and forwarding the request to the forensic analysis execution means.

Mobile RFID, Forensic Analysis

Description

METHOD OF FORENSIC EVIDENCE ANALYSIS BASED ON MOBILE RFID ENVIRONMENT AND DEVICE THEREOF

The present invention relates to a method and apparatus for forensic evidence analysis. More specifically, the present invention relates to forensic evidence analysis using a mobile terminal serving as a tag reader in a mobile RFID environment.

The present invention is derived from research conducted as part of the IT growth engine technology development project of the Ministry of Knowledge Economy and the Ministry of Information and Communication Research and Development. Development of Digital Forensic System for Information Transparency.

Recently, important evidences or clues have been kept in various electronic media such as computers, as well as computer crimes. Due to its characteristics, digital materials are not only easy to copy, but also difficult to distinguish between originals and copies, and it is very easy to manipulate, change, or delete original data, which makes it difficult to investigate crimes using simple evidence data. High technology for evidence tracking and analysis has been required, and digital forensic technology has been continuously developed to meet these needs.

On the other hand, the domestic mobile environment is world class, and it is possible to watch digital broadcasting on mobile terminals and to provide various digital contents such as stocks and games as well as listening to music through MP3. It is expected to be. Mobile RFID technology, which enables RFID tags in the UHF band to recognize RFID tags, enables the direct communication of people and objects by integrating online information into offline objects. It is attracting attention as a technology that can realize the ubiquitous era in an environment where consumption is rapidly increasing such as logistics management and inventory management by supplementing the shortcomings of the recognition device and improving the convenience of use.

From a forensic point of view, if a user (suspect or criminal) receives a service using a mobile terminal in a mobile RFID environment, the mobile terminal may be used as evidence to confirm the alleged crime. The usage record as a reader remains in the buffer control portion of the mobile RFID security middleware. The contents of the remaining buffers are very small and there is no way to confirm the contents.

The present invention is to solve the above problems, and relates to a mobile RFID-based forensic evidence analysis method and apparatus equipped with a forensic analysis engine (Forensic Analysis Engine) in the mobile RFID security middleware.

According to an aspect of the present invention, a mobile RFID based forensic evidence analysis device, Mobile RFID tag reader means for receiving RFID tag data; Buffer control means for buffering data flowing from the RFID tag reader means; Forensic analysis execution means for extracting data in accordance with an extraction option from the data buffered in said buffer control means; Storage means for storing the extracted data; And forensic analysis control means for receiving an analysis request from a user and transferring the request to the forensic analysis execution means.

The forensic analysis execution means may receive data stored in the storage means to the forensic analysis control means when receiving the analysis request from the forensic analysis control means.

The storage means may be configured to be encrypted to limit the user's access.

In addition, the storage means may be configured to store the data according to a condition preset for the type or capacity of the storage means.

The excerpt option may include one or more of the type, date and time of the data.

According to an aspect of the present invention, a forensic evidence analysis method for a mobile terminal, comprising: collecting RFID tag data; Extracting data according to an extraction option from the data collected in the collecting step; Storing the extracted information in a storage means; And when the analysis is requested from the user, information is extracted from the storage means by the forensic analysis execution means and transferred to the forensic analysis control means.

The excerpt option may include one or more of the type, date and time of the data.

The forensic evidence analysis method may further include, when the analysis is requested from the user, authentication of whether the authority for the analysis request is justified.

The forensic evidence analysis method may further include converting the information extracted and received by the forensic analysis executing means to be viewed by an analyst by the forensic analysis control means.

In the storing step, the data may be stored according to a condition preset for the type or capacity of the storage means.

The present invention adds a digital forensic function to a mobile terminal serving as a tag reader in a mobile RFID environment, so that the mobile terminal can also be used for obtaining information related to criminal charges from a forensic perspective. As the types of services and applications vary in the mobile RFID environment, the importance of forensic analysis also increases, and thus the present invention may be used for crime investigation based on various services and applications.

Hereinafter, preferred embodiments of the present invention will be described with reference to the drawings.

1 illustrates an example of service information flow when receiving an RFID service using a mobile RFID terminal according to the present invention. The mobile RFID network can be largely divided into a tag 10 and a mobile RFID reader terminal 100, a terminal 100 and a base station 500, and a base station 500 and an application server 600. Looking at the characteristics of each element is a communication between the tag 10 and the mobile RFID reader terminal 100 by a wireless access method of passive RFID, the existing mobile communication between the terminal 100 and the base station 500 Wireless access method or wireless Internet wireless access method. In addition, the base station 500 and the mobile RFID application server 600 is connected by the existing Internet network. In order to provide a mobile RFID service, in addition to the tag 10 and the mobile RFID terminal 100 to which the RFID reader is attached, a server (ADS) performing a code analysis process for the terminal, a server (ODS) performing a code analysis, and mobile An RFID service / content server, a server (RPS) that provides user privacy protection, and the like may be included, and only some of these elements may be selectively configured.

For example, a user presses a button for a mobile RFID service of the terminal 100 to purchase an item in a store or receives a traffic information service, or presses a menu button and displays an image, letters, or numbers indicating 'mobile RFID service'. You will select the UI. One or more information or menu items are displayed on the mobile phone screen, and when a desired information is selected, a process such as "request URL information for a code" is performed. That is, the DNS query message can be sent from the mobile phone 100 to the ODS server 600 to obtain the URL information registered for the code number contained in the RFID tag, and this process is called 'code interpretation'. Subsequently, a "URL response" process is performed, and the ODS server 600 sends a DNS Response message containing a result value to the mobile terminal 100. The corresponding URL information is transmitted to the mobile phone 100 through this.

The above process is the simplest form of service scenario, and the actual service is more complicated than this. From a forensic point of view, there are various services that a suspect or criminal can receive using a mobile terminal, and if the trace of service remains on the mobile terminal, all of them may be used as evidence to confirm the alleged crime.

2 shows a brief configuration of a mobile RFID reader terminal used for forensic evidence analysis. The RFID-based forensic evidence analysis device 100 includes an RFID reader module 140 capable of reading data from an RFID tag 10 that stores information and exchanges data with a protocol, a buffer control module 122 into which tag data is introduced, And a storage module 130 in which data of the buffer control module 122 is extracted and stored.

 The buffer control module 122 is configured on the RFID security middleware, and when the usage record as the reader of the mobile terminal possessed by the suspect remains inflow, the forensic evidence storage module 130 is sent to the forensic evidence storage module 130 by the forensic analysis execution module 120. To be extracted and stored.

The RFID reader module 140 is composed of hardware in the form of an RFID reader module or a chip mounted or embedded in a portable terminal, collects tag data from the RFID tag 10, and transmits it. The mobile RFID reader chip 140 communicates with each other according to a wireless access communication protocol such as ISO / IEC 18000-6 A / B / C. The device driver provided by the reader chip manufacturer may operate in the portable terminal and be driven through serial communication such as SPI and UART. An RFID reader module driver may be provided as a system software for providing a function for controlling the RFID reader module 140. The RFID driver module driver may guarantee performance of a device driver for an RFID function defined in the HAL layer, and establish a standard when developing a device driver. The time required for the safety work can be shortened by providing a common interface to applications controlling the RFID terminal (reader) 100.

The storage module 130 may be a specific module such as a memory or a USIM mounted or embedded in the portable terminal. The storage space 130 may be applied to various storage methods such as to prevent the user from accessing through encryption.

In addition, the RFID forensic evidence analysis device 100 includes a forensic analysis execution module 120 and a forensic analysis control module 110 for processing data read by the RFID reader. The forensic analysis execution module 120 of the RFID-based forensic evidence analysis device includes a middleware for forensic evidence collection and analysis that is driven separately from the mobile RFID tag reader function.

 3 is a diagram illustrating a detailed structure of a mobile RFID security middleware system equipped with a forensic analysis engine according to the present invention. The forensic analysis engine 221 extracts the contents of the buffer from the buffer control block 222 and stores the contents of the buffer in a specific space 130, and takes them out when the analysis request is made and delivers them to the forensic analysis application 210. The forensic analysis application 210 may store information collected through the forensic analysis engine 221 in the storage space 130, and convert the information received from the forensic analysis engine to be viewed by the analyst during forensic analysis. Do it. The type or capacity of information collected or extracted, storage type or capacity can be set through options in the forensic analysis application. The information that can be used as evidence of crime varies greatly, including the product, content or service information read through the mobile RFID reader function, and the location information read. In FIG. 3, the forensic analysis application 210 is distinguished from the mobile RFID application 260 because the forensic analysis application 210 is not an application for a user but an forensic analyzer. That is, the forensic analysis application 210 is installed in the pre-launch stage of the mobile terminal so that general users may not use it even if they do not know or know its existence, and only forensic analysts can access and use it for crime investigation. Do. Access control, which can only be used by forensic analysts, not general users, can be implemented in a variety of ways.

Figure 4 illustrates the structure of a mobile RFID security middleware system equipped with a forensic analysis engine according to an embodiment of the present invention. The mobile RFID security middleware system consists of an RFID WIPI API subsystem and an RFID HAL API subsystem. Representative functions are as follows.

-RFID terminal HAL: Abstraction layer to maintain hardware independence of RFID reader. It is provided based on WIPI and handles communication with mobile RFID reader chip device driver. That is, when the WIPI-HAL layer requests a device driver to perform a function operation related to reading and writing a tag, the WIPI-HAL layer receives a response after the function is executed.

RFID terminal control API: An API that provides an application with a function for controlling an RFID reader, and provides basic function processing and control processing functions in a control interface with an RFID reader for a common interface between an application on a portable terminal and an RFID reader.

RFID Code Recognition API: An API for translating information read from RFID tags or converting information to be stored in the application.If a mobile RFID application receives a code converted according to the RFID code system from a simple bit stream stored in the tag, It provides the ability to tell if it's code or to request URI information.

-RFID terminal security API: Application data security that supports the security of data of RFID tag data and application information with various security functions necessary for communication with RFID tag, ODS, OIS, content application server, and service network in mobile RFID terminal. Communication security that supports secure secure communication when communicating with server, terminal security key management for setting security key in RFID tag and setting and management of security key supported by security server, adult authentication for adult service in mobile RFID service, It supports a terminal privacy agent function for personal privacy protection in a mobile RFID service network environment.

-RFID network API: A function that accesses ODS and OIS according to the information read from RFID tag to the application to get related information, ODS communication for 'code interpretation', message transmission for contents transmission and reception between mobile terminal and application server, Communication protocols such as content negotiation that supports mobile RFID service environment and enables optimal content transmission between mobile phone terminal and application server, and session management that enables application to create and manage desired state information during message transmission. Support the service.

Now, the forensic analysis engine mounted in the mobile RFID security middleware system will be described in more detail with reference to FIG. 4.

The RFID WIPI API subsystem 450, 460 includes an extended WIPI API 450 and an extended WIPI runtime engine 460 for RFID, and the RFID HAL API subsystem 470 is an extended HAL API for RFID. It includes.

The forensic analysis engine 420 extracts the contents of the buffer from the buffer control block 453 and stores the contents of the buffer in a separate storage space 130, and extracts the contents of the buffer to the forensic analysis application 400 when the analysis is requested. The forensic analysis application 400 may store the information collected through the forensic analysis engine 420 in the storage space 130, and convert the information received from the forensic analysis engine to be viewed by the analyst during forensic analysis.

The mobile RFID WIPI API subsystems 450 and 460 control RFID readers, perform tag related operations, and provide filtering functions for mobile RFID applications. In addition, it provides basic security-related features as well as high-level security features such as adult authentication and privacy protection. Mobile RFID WIPI API subsystems 450 and 460 have interfaces to mobile RFID applications and interfaces to RFID HAL APIs. The RFID WIPI API subsystems 450 and 460 utilize the functionality of the RFID WIPI HAL subsystem 470 to perform control over readers, control over tags, control over buffers, filtering and security functions. At this time, the runtime engine 460 is not involved in the reader control and is connected to the WIPI C / JAVA API for tag control, buffer control, and filter management to perform a corresponding task.

The mobile RFID WIPI API subsystem 450, 460 includes a reader control block 451, a tag control block 452, a buffer control block 453, a filter control block 454, a security function block 455, an adult authentication function. Block 456, privacy function block 457. The function of each block is as follows.

The reader control block 451 controls the RFID reader, such as powering on, off, resetting, reading or setting various settings. The runtime engine does nothing.

The tag control block 452 is responsible for event processing and callback function calls in the runtime engine 460. Reads an object identifier (OID), user area data recorded in a tag, TID recorded in a tag, and kills a specific tag.

The buffer control block 453 is responsible for the runtime engine 460. Whenever an event is sent from the HAL when a tag is sent, it receives this, reads the value of the buffer, filters the value read from the buffer according to the set rules, and passes it to the application through the callback function.

Filter control block 454 registers or removes filtering rules and stops or starts filtering. The runtime engine 460 is responsible for applying and processing the actual filtering.

The security function block 455 supports an access authorization function through a password when performing a sensitive command requiring security such as write / lock / kill during tag control and reader control. In the case of a mobile RFID application service that requires the use of a password to suspend the function of the tag or control access to the tag, it must be possible to securely manage the password and delegate the password securely to the reader terminal. It is provided by the infrastructure.

The adult authentication function block 456 stores the adult grade in the user data area when the mobile RFID service provides adult content or adult service, and provides the adult grade to the application after reading the tag.

The privacy function block 457 supports applying a personal privacy policy for each user in a terminal through an RFID user privacy management service (RPS) server when privacy protection is required for information provided through a mobile RFID service.

The security library block 458 supports a security function by using a corresponding cryptographic algorithm API whenever a security function is required in an application. In addition, the information of the data processed in the application is securely transmitted to the application server using the mobile RFID service network according to the set rules. The secure communication protocol implements SSL version 3.0 and TLS version 1.0 (3.1) in compliance with international standards, builds a test bed for each mobile company, loads a library on a WIPI-supporting terminal, and supports SSL in a real environment. Provides a secure communication protocol test environment. In addition, it provides a function to securely transmit communication messages to a network server system such as an application server by executing a standard secure communication protocol.

Meanwhile, the RFID reader HAL is an abstraction layer for maintaining hardware independence of the RFID reader. The RFID reader HAL delivers instructions of the WIPI C / JAVA API to the reader module using a device driver and delivers the result. The commands are delivered to the reader module through the actual UART, and the basic operations are processed synchronously, but asynchronously when receiving a lot of data such as a tag read command.

The mobile RFID HAL API subsystem 470 is comprised of a reader control block 471, a reader setting control block 472, a tag control block 473, a buffer control block 474, a filter control block 475, and the like. The function of each block will be described below.

The reader control block 471 is a block for controlling the RFID reader, and provides a process for communicating by driving the mobile RFID reader. In the case of powering on / off and resetting the reader, the GPIO is controlled by the GPIO. In the case of connection open / close, the UART of the terminal is opened / closed.

The reader setting control block 472 reads or stores the setting values of the reader while it is connected to the reader. When the reader setting control block 472 is called from the WIPI (C / Java) API, the HAL transmits to the reader module through the device driver. Pass the command and get the result back to the WIPI (C / Java) API.

The tag control block 473 is a block for processing a tag read command. When the tag module receives a tag information through the device driver by performing a read command in the HAL, the tag control block 473 stores the data in a buffer using the buffer control block and then uses the WIPI C API. It plays a role of delivering event to.

The buffer control block 474 is a block for controlling a buffer that stores tag information. The buffer control block 474 processes buffer creation / deletion, buffer data read / add / remove / initialization, buffer data alignment, and buffer data validation.

The filter control block 475 is a block for registering or removing a filtering rule and processing an enable / disable function of the filtering rule.

5 illustrates a forensic evidence collection process according to the present invention. First, the forensic analysis officer executes the forensic analysis application of the mobile terminal before releasing the mobile terminal (S501). In this case, the type or capacity of information to be collected and the type or capacity of storage space may be selectively set when the analysis application is executed. Collection of forensic information starts to collect forensic information (S502) when the application of the terminal is executed. In this case, it is checked whether the collected information satisfies the extraction condition preset by the analyzer (S503), and when the condition is satisfied, the forensic analysis engine extracts the contents of the buffer from the buffer control block (S504). The extracted information is stored in a separate storage space other than the buffer, and this storage space is encrypted so that a user cannot access it (S505).

6 shows a forensic evidence analysis process according to the present invention. When the suspect's mobile terminal as a crime information collection target is secured, the forensic analysis application of the mobile terminal is executed (S601). Thereafter, authentication is performed as to whether the executor of the application has the right authority (S602). After performing the authentication, if it is confirmed that the executor of the application has the right authority, the forensic analysis engine delivers the data extracted from the buffer and stored in the storage space to the forensic analysis application (S603). The forensic analysis application converts the received data into a form that can be viewed by the analyst (S604). The analyst can then analyze the converted data to find information related to the alleged crime.

As described above, optimal embodiments have been disclosed in the drawings and the specification. Herein, specific terms have been used, but they are used only for the purpose of illustrating the present invention and are not intended to limit the scope of the present invention as defined in the claims or the claims. Therefore, those skilled in the art will understand that various modifications and equivalent other embodiments are possible therefrom. Therefore, the true technical protection scope of the present invention will be defined by the technical spirit of the appended claims.

1 is a mobile RFID service network that can be used forensic evidence analysis method and apparatus.

Figure 2 shows a forensic evidence analysis device is implemented forensic evidence analysis function.

3 shows a schematic structure of a forensic evidence analysis middleware system that performs a forensic evidence analysis function.

Figure 4 shows the detailed structure of the forensic evidence analysis middleware system.

5 shows a process of collecting and storing forensic related information.

6 illustrates a process of analyzing forensic related information collected and stored during forensic investigation.

Claims (10)

Mobile RFID based forensic evidence analysis device, Mobile RFID tag reader means for receiving RFID tag data; Buffer control means for buffering data flowing from the RFID tag reader means; Forensic analysis execution means for extracting data from the data buffered in the buffer control means according to an extraction option including at least one of a kind, date and time of the data; Storage means for storing the extracted data; And And forensic analysis control means for receiving an analysis request from a user and transferring the request to the forensic analysis execution means. The method of claim 1, wherein the forensic analysis execution means, And receiving the analysis request from the forensic analysis control means, and transferring the data stored in the storage means to the forensic analysis control means. The method according to claim 1 or 2, wherein the storage means, RFID-based forensic evidence analysis device, characterized in that encrypted to limit the user's access. The method of claim 3, wherein the storage means, RFID based forensic evidence analysis device, characterized in that for storing the data in accordance with a predetermined condition for the type or capacity of the storage means. delete As forensic evidence analysis method for a mobile terminal, Collecting RFID tag data; Extracting data from the data collected in the collecting step according to an extracting option including at least one of a kind, a date and a dose of the data; Storing the extracted information in a storage means; And Forensic evidence analysis method comprising the step of extracting information from said storage means by forensic analysis execution means and forwarding to forensic analysis control means when an analysis is requested from a user. delete The method according to claim 6, When the analysis is requested from the user, forensic evidence analysis method further comprises the step of authenticating whether the authority for the analysis request is justified. The method according to claim 6, Forensic evidence analysis method further comprises the step of converting the information extracted and received by the forensic analysis execution means for analysis by the forensic analysis control means. delete

Images