KR102387169B1 - Digital forensic data decoding device - Google Patents

Abstract

According to an embodiment of the present invention, provided is a device for decrypting digital forensic data. The device comprises: a preprocessing unit extracting a password from an application encrypting a media file and a password to the same encryption key and an initialization vector (IV); and a decrypting unit decrypting the encrypted media file by using the password.

Description

Digital forensic data decoding device {DIGITAL FORENSIC DATA DECODING DEVICE}

One embodiment of the present invention relates to a media data decryption apparatus, and more particularly, to a digital forensic data decryption apparatus that can be applied to an application for securely storing files such as photos, moving pictures, and documents.

With the spread of smartphones, various cyber crimes through mobile devices are rapidly increasing. Cybercrime is a crime that occurs using information and communication technologies such as Internet, tablet, PC, and smartphone, and refers to acts that violate the Act on Information Protection and Promotion of Information and Communications Network Utilization, etc. and the Criminal Act. Such crimes include hacking, phishing, virus infection, spam distribution, malicious comments, personal information theft, and online defamation of pornography. However, cyber crimes have difficulties in punishing them even though there are violations of laws and criminal laws.

There is a limit to punishment due to the lack of cyber legislation, even if there is mental and physical damage to the victim in case there is no practical punishment for receiving a report of a cyber crime in cyberspace or if the existing criminal law is violated. Cybercrime, like real-world crimes, requires evidence to prove a crime, but the evidence is in digital form, so even if the suspect's PC, tablet PC, smartphone, etc. Or, it is difficult to prove cybercrime due to the problem of reliability of evidence.

Recently, as interest in personal information protection increases, a number of 'Vault Apps' that encrypt and store files such as photos, videos, and documents in a separate storage and allow access through user authentication are emerging. These applications encrypt and store some data, making it difficult to perform data analysis in the process of forensic investigations. In addition, there is a problem in that it is being used to hide or cover up evidence related to a specific criminal act.

An object of the present invention is to provide a digital forensic data decoding apparatus capable of decoding digital data to be recognized as digital evidence.

According to an embodiment, a preprocessor for extracting a password from an application that encrypts a media file and a password with the same encryption key and an initialization vector (Initialization Vector, IV); and a decryption unit for decrypting the encrypted media file using the password.

The preprocessor may extract the password by applying an XOR operation to the original media file, the encrypted media file, and the encryption key.

The preprocessor may extract the password according to Equation 1 below.

In Equation 1, C ₁ and C ₂ are encrypted passwords and media files, respectively, P ₁ and P ₂ are unencrypted original passwords and original media files, respectively, and K is to encrypt the original password and original media files. It may be an encryption key applied when

The decryption unit may decrypt the media file according to a hash function and an Advanced Encryption Standard (AES) algorithm.

The hash function may be a SHA-1 function, and the AES algorithm may be an AES-128-CTR algorithm.

The digital forensic data decryption apparatus of the present invention can decrypt encrypted media files such as photos and videos through collection and analysis of mobile data.

1 is a block diagram of a digital forensic data decoding apparatus according to an embodiment.
2 to 4 are diagrams for explaining the operation of the preprocessor according to the embodiment.
5 is a diagram for explaining an operation of a decoder according to an embodiment.
6 is a flowchart of a digital forensic data decoding method according to an embodiment.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

However, the technical spirit of the present invention is not limited to some embodiments described, but may be implemented in various different forms, and within the scope of the technical spirit of the present invention, one or more of the components may be selected between the embodiments. It can be used by combining or substituted with .

In addition, terms (including technical and scientific terms) used in the embodiments of the present invention may be generally understood by those of ordinary skill in the art to which the present invention belongs, unless specifically defined and described explicitly. It may be interpreted as a meaning, and generally used terms such as terms defined in advance may be interpreted in consideration of the contextual meaning of the related art.

In addition, the terminology used in the embodiments of the present invention is for describing the embodiments and is not intended to limit the present invention.

In the present specification, the singular form may also include the plural form unless otherwise specified in the phrase, and when it is described as "at least one (or more than one) of A and (and) B, C", it is combined as A, B, C It may include one or more of all possible combinations.

In addition, in describing the components of the embodiment of the present invention, terms such as first, second, A, B, (a), (b), etc. may be used.

These terms are only for distinguishing the component from other components, and are not limited to the essence, order, or order of the component by the term.

And, when it is described that a component is 'connected', 'coupled' or 'connected' to another component, the component is not only directly connected, coupled or connected to the other component, but also with the component It may also include a case of 'connected', 'coupled' or 'connected' due to another element between the other elements.

In addition, when it is described as being formed or disposed on "above (above) or under (below)" of each component, top (above) or under (below) is one as well as when two components are in direct contact with each other. Also includes a case in which another component as described above is formed or disposed between two components. In addition, when expressed as “upper (upper) or lower (lower)”, a meaning of not only an upper direction but also a lower direction based on one component may be included.

Hereinafter, the embodiment will be described in detail with reference to the accompanying drawings, but the same or corresponding components are given the same reference numerals regardless of reference numerals, and overlapping descriptions thereof will be omitted.

1 is a block diagram of a digital forensic data decoding apparatus 10 according to an embodiment. Referring to FIG. 1 , an apparatus 10 for decoding digital forensic data according to an embodiment may include a preprocessor 11 and a decoder 12 .

The digital forensic data decryption apparatus 10 according to the embodiment may be applied to a counter (Counter, CTR) type block encryption operation mode. The counter method has a structure that converts a block cipher into a stream cipher. In the counter method, the current block number is obtained for each block, and the number and nonce are combined to be used as an input of the block cipher. Through this, successive random numbers are obtained from each block cipher, and then an XOR operation is performed with the string to be encrypted. In counter mode, encryption and decryption of each block does not depend on the previous block, so it is possible to operate in parallel. Alternatively, it is also possible to decrypt only the desired part of the encrypted string.

The digital forensic data decryption apparatus 10 according to the embodiment may decrypt files such as photos, videos, and documents of a 'Vault App' such as LockMyPix. The application applied to the embodiment is a type of 'Vault app' and may refer to any application that stores media files and passwords after encrypting them using the same encryption key and initialization vector.

In an embodiment, the preprocessor 11 may extract a password from an application that encrypts the media file and the password with the same encryption key and initialization vector (IV).

The application to which the digital forensic data decryption apparatus 10 according to the embodiment is applied generates the upper 128-bit value of the hash value hashed by the SHA-1 function as an encryption key and an initialization vector as shown in FIG. 2, and the extracted encryption By applying the key and initialization vector to AES (Advanced Encryption Standard)-128-CTR algorithm, the media file can be encrypted and then stored.

In addition, the application to which the digital forensic data decryption apparatus 10 according to the embodiment is applied extracts the upper 128-bit value of the hash value hashed by the SHA-1 function as an encryption key and an initialization vector as shown in FIG. 3, By applying the extracted encryption key and initialization vector to the AES-128-CTR algorithm, the password can be encrypted and then stored. The encrypted password is named '.ini.keyfile.ctr' and can be stored in a designated storage space.

That is, the application to which the digital forensic data decryption apparatus 10 according to the embodiment is applied extracts the upper 128-bit value of the hash value hashed by the SHA-1 function as an encryption key and an initialization vector, and then uses the same encryption key and initialization vector. You can use it to encrypt passwords and media files. Accordingly, the preprocessor 11 may extract the encryption key by tracing the process in which the password and the media file are encrypted according to the same encryption key and initialization vector in reverse.

For example, the preprocessor 11 may generate a password using the original media file, the media file encrypted with the encryption key, and the encryption key. The preprocessor 11 may extract the password by applying an XOR operation to the original media file, the encrypted media file, and the encryption key.

For example, the preprocessor 11 may extract the password according to Equation 2 below.

In Equation 2, C ₁ and C ₂ may be encrypted passwords and media files, respectively, and P ₁ and P ₂ may be unencrypted original passwords and original media files, respectively. Also, in Equation 2, K may be a password and an encryption key applied when encrypting a media file.

Referring to Equation 2, it can be seen that the password and the media file are each encrypted by applying the XOR operator to the same encryption key K. Therefore, the preprocessor 11 can extract the password by using the same result value of applying the XOR operator to the encrypted password and the encrypted media file as the original password and the result of applying the XOR operator to the original media file.

4 is a view for explaining a process in which the preprocessor 11 extracts a password based on Equation 2;

Referring to FIG. 4 , the pre-processing unit 11 includes an original media file and a pair of encrypted media files, and an encrypted password 'ini. keyfile. You can extract the password (PIN/PASSWORD) by applying the XOR operator to Ctr'. The pre-processing unit 11 '%external storage%/. LockMyPix/ db/ sort. db', extract the original media file from the path specified in '%external storage%/. LoCkMyPix/. Extract the encrypted media file from the path specified in 'encrypt/' and '%external storage%/. LockMyPix/' in the path specified in 'ini. keyfile.ctr' file can be extracted. The preprocessor 11 extracts the original media file, the encrypted media file, and the 'ini. You can extract the password by sequentially applying the XOR operator to the 'keyfile.ctr' file.

The decryption unit 12 may decrypt the encrypted media file using a password.

The decryption unit may decrypt the media file according to a hash function and an AES (Advanced Encryption Standard) algorithm.

In an embodiment, the hash function may be a SHA-1 function, and the AES algorithm may be an AES-128-CTR algorithm.

5 is a diagram for explaining an operation of a decoder according to an embodiment. Referring to FIG. 5 , the decryption unit 12 may input the password extracted from the preprocessor 11 into the SHA-1 function and extract the upper 128-bit value of the hash value as an encryption key and an initialization vector. The decryption unit 12 may decrypt the original media file by inputting the encryption key, the initialization vector, and the encrypted media file to the AES-128-CTR algorithm. At this time, the encrypted media file is stored in '%external storage%/ . It can be located in the path specified in 'LockMyPix/.encrypt/'.

6 is a flowchart of a digital forensic data decoding method according to an embodiment.

Referring to FIG. 6 , the preprocessor may extract a password from an application that encrypts a media file and a password with the same encryption key and an initialization vector (IV). For example, the preprocessor may extract the password using the original media file, the media file encrypted with the encryption key, and the encryption key extracted from the preprocessor. The preprocessor may extract the password by applying an XOR operation to the original media file, the encrypted media file, and the encryption key (S610).

Next, the decryption unit may input the password extracted from the preprocessor into the SHA-1 function to extract the upper 128-bit value of the hash value as an encryption key and an initialization vector (S620).

Next, the decryption unit may decrypt the original media file by inputting the encryption key, the initialization vector, and the encrypted media file to the AES-128-CTR algorithm (S630).

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable recording medium. In this case, the medium may be to continuously store a program executable by a computer, or to temporarily store it for execution or download. In addition, the medium may be various recording means or storage means in the form of a single or several hardware combined, it is not limited to a medium directly connected to any computer system, and may exist distributed over a network. Examples of the medium include hard disks, magnetic 'media such as floppy disks and magnetic tapes, optical recording media such as CD-ROM and DVD, magneto-optical medium such as floppy disks. , and those configured to store program instructions, including ROM, RAM, flash memory, and the like. In addition, examples of other media include an app store that distributes applications, and a recording medium or storage medium managed by a site or server that supplies or distributes other various software.

The term '~ unit' used in this embodiment means software or hardware components such as field-programmable gate array (FPGA) or ASIC, and '~ unit' performs certain roles. However, '-part' is not limited to software or hardware. '~' may be configured to reside on an addressable storage medium or may be configured to refresh one or more processors. Accordingly, as an example, '~' indicates components such as software components, object-oriented software components, class components, and task components, and processes, functions, properties, and procedures. , subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables. The functions provided in the components and '~ units' may be combined into a smaller number of components and '~ units' or further separated into additional components and '~ units'. In addition, components and '~ units' may be implemented to play one or more CPUs in a device or secure multimedia card.

Although the above has been described with reference to the preferred embodiment of the present invention, those skilled in the art can variously modify and change the present invention within the scope without departing from the spirit and scope of the present invention as described in the claims below. You will understand that it can be done.

10: Digital forensic data decoding device
11: preprocessor
12: decryption unit

Claims (5)

In the digital forensic data decryption device applied to the counter (Counter, CTR) type block encryption operation mode,
a preprocessor for extracting a password from an application that encrypts a media file and a password with the same encryption key and an initialization vector (IV); and
A decryption unit for decrypting the encrypted media file using the password,
The preprocessor extracts the password according to Equation 3 below.
[Equation 3]

(In Equation 3, C ₁ , C ₂ are encrypted passwords and media files, respectively, P ₁ , P ₂ are unencrypted original passwords and original media files, respectively, and K is to encrypt the original password and original media files. It is the encryption key applied when
According to claim 1,
The pre-processing unit applies an XOR operation to the original media file, the encrypted media file, and the encryption key to extract the password.
delete According to claim 1,
The decryption unit decrypts the media file according to a hash function and an Advanced Encryption Standard (AES) algorithm.
5. The method of claim 4,
The hash function is a SHA-1 function, and the AES algorithm is an AES-128-CTR algorithm.

Images