KR102493080B1 - Digital forensic service providing system based on client customization - Google Patents

Abstract

A system for providing digital forensic service based on client customization according to the present invention includes an acceptance module for accepting a digital device to be targeted for digital forensic service for a client; a service item determination module for determining a digital forensic service item for the digital device; an analysis module generating analysis information by performing forensic processing on the digital device via forensic equipment according to the determined digital forensic service item; Characterized in that it includes; a report providing module for generating a report of appraisal based on the analysis information and providing it to the client.
According to the digital forensic service providing system based on client customization according to the present invention, it has an effect of maximizing the convenience of clients by providing various forensic services that can be widely applied to private as well as public use.

Description

Digital forensic service providing system based on client customization {DIGITAL FORENSIC SERVICE PROVIDING SYSTEM BASED ON CLIENT CUSTOMIZATION}

The present invention relates to a system for providing a digital forensic service based on client customization, and more particularly, to a digital forensic service that provides selected digital forensic services to clients in various ways, breaking away from the existing method of providing uniform and fixed digital forensic services to clients. It relates to a sex service providing system.

Forensic is a concept that encompasses scientific investigation methods and techniques to uncover crimes. In the past, it was limitedly used as an evidence analysis technique that analyzes fingerprints or DNA left at a crime scene, but with the development of digital technology, digital devices are analyzed. It is being used and extended to a range of

That is, digital forensic is an investigation method that analyzes or restores data of a digital device that stores various data and information in a hard disk, such as a smartphone, PC, or tablet PC, in a state of having a hard disk.

Such digital forensics can be divided into disk forensics, live forensics (for volatile data), network forensics, web forensics, mobile/embedded forensics, source code forensics, database forensics, etc. Original data collection technologies, such as image recognition technology, network information collection, and memory-based device cloning technology, and evidence analysis technologies, such as log and registry analysis, warrant information analysis, data mining, and network visualization, exist.

With the popularization of digital devices such as smart phones, digital forensics goes beyond the purpose of criminal investigation or data recovery, personal needs such as security of personal/corporate information, data recovery due to mistakes or carelessness, and disks exposed to spyware. It is a trend that the application range is expanding for various uses and purposes, such as treatment.

However, many people mistakenly believe that digital forensic is used only for criminal investigation by criminal investigation agencies such as the police. is a situation where it should be used in public.

Korean Patent Publication No. 10-2016-0096363, an online forensic system and method for acquiring digital evidence, includes the steps of requesting creation of a digital evidence file through a forensic agent of a client terminal; When a client makes a direct request to the forensic server, the forensic agent connects to the forensic server and requests digital evidence file generation, and the customer authentication module of the client management unit of the forensic server performs authentication of the client terminal, permits access, and manages reception. receiving, by a module, a request for generating a digital evidence file by receiving the request and making a payment through billing; transmitting evidence data among data stored in a client terminal to a forensic server; It is disclosed that it includes the step of encrypting the obtained evidence data to generate a digital evidence file, map it to a client, and store it.

However, according to this technology, only the step of authenticating and accepting the client terminal, charging, and then sending and storing the data of the client terminal to the forensic server is presented. In other words, only general steps for performing digital forensic are mentioned. However, there is a disadvantage in that the client cannot break away from the limitations of a uniform forensic service because it cannot provide a separate solution for selecting and customizing various digital forensic services in a way suitable for the client.

Therefore, new and advanced digital forensics aiming at popularization and customization of digital forensic services applicable to various purposes by securing the diversity of digital forensic services and providing the services in various ways by allowing clients to select appropriate forensic services for themselves. There is a need to develop a system that provides services.

The present invention was made to overcome the problems of the above technology, and pursues the universality of forensic service by allowing the client to select a forensic service suitable for his or her situation in the state of having various forensic services such as evidence investigation as well as private security purposes The main purpose is to present a forensic service providing system that can secure the base while doing so.

Another object of the present invention is to provide a means by which a forensic service can be selected according to a client's situation by setting the type of forensic service to a visiting service and a remote service.

Another object of the present invention is to secure a means for setting a forensic service target that can regularly receive service for a digital device.

A further object of the present invention is to provide means for evaluating the security of a digital device in a regular service subject and differentially setting service intervals according to high and low levels of security.

In order to achieve the above object, a system for providing a digital forensic service based on client customization according to the present invention includes an acceptance module for accepting a digital device to be subjected to digital forensic service for a client; a service item determination module for determining a digital forensic service item for the digital device; an analysis module generating analysis information by performing forensic processing on the digital device via forensic equipment according to the determined digital forensic service item; Characterized in that it includes; a report providing module for generating a report of appraisal based on the analysis information and providing it to the client.

In addition, the service item determining module includes a visit service determining unit for determining a visiting service for forensic processing the digital device through face-to-face contact by a forensic expert, and a remote service determining a remote service for forensic processing the digital device remotely. It is characterized in that it includes at least one of the service decision units.

In addition, the service item determination module includes a periodic service determination unit composed of a period setting part for setting a service period and a periodic service determination part for determining a periodic service for forensic processing of the digital device on a regular basis according to the set service period. to be characterized

According to the client customization-based digital forensic service providing system according to the present invention,

1) Maximize client convenience by providing various forensic services that can be widely applied for public as well as private purposes.

2) Provides an environment in which forensic experts can conveniently receive forensic services anytime, anywhere by visiting the client's place with a digital device or seeking forensic services remotely;

3) It is not only possible to increase the satisfaction of clients who are interested in security by having them receive forensic services on a regular basis,

4) Differentially set the regular forensic service cycle according to the high and low level of security, which has the effect of setting a reasonable forensic service execution timing while considering the client's economic burden.

1 is a configuration diagram showing the overall configuration of a system of the present invention;
Figure 2 is a block diagram showing the configuration of the system of the present invention.
3 is a flow chart illustrating a procedure by the system of the present invention;
4 is a conceptual diagram illustrating service items provided by a service item determination module;

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. The accompanying drawings are not drawn to scale, and like reference numbers in each drawing indicate like elements.

1 is a configuration diagram showing the overall configuration of the system of the present invention

First of all, the system of the present invention provides various digital forensic services to the client 1 in conjunction with the forensic equipment 10 capable of forensic processing of digital devices. Referring to FIG. 1, the central control server 100 is the standard. It can be seen that the forensic equipment 10 is interlocked with the client (client server) 1.

The central control server 100 can be referred to as the system itself of the present invention, that is, a consultation system, and is provided with a communication unit and transmission means for transmitting communication and information with the client 1 and the forensic equipment 10. means hardware having a CPU and a storage means, and a series of modules and their specific functions, which will be described later, can be derived by software to be executed in the CPU.

That is, the central control server 100 has a central processing unit (CPU) and a hardware-based memory and storage means such as a hard disk, and a program that can be executed in the central processing unit, that is, software is installed and can execute this software. A series of specific configurations of such software will be described later as 'modules', 'parts', and 'interfaces'.

At this time, the central control server 100 temporarily and / or permanently stores the signals (or data) processed therein (RAM: Random Access Memory, not shown) and ROM (ROM: Read-Only Memory, not shown), may include a processor.

The processor may include one or more cores (not shown) and a graphic processing unit (not shown) and/or a connection path (eg, a bus) for transmitting and receiving signals to and from other components, and the memory includes Programs (one or more instructions) for executing and controlling modules or parts described later may be stored. Programs stored in the memory may be divided into a plurality of modules according to functions.

Steps of a method or algorithm described in connection with an embodiment of the present invention may be implemented directly in hardware, implemented in a software module executed by hardware, or implemented by a combination thereof. A software module may include random access memory (RAM), read only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, hard disk, removable disk, CD-ROM, or It may reside in any type of computer-readable recording medium well known in the art to which the present invention pertains.

The configuration of these 'modules' or 'units' or 'interfaces' is a configuration of hardware such as software or FPGA or ASIC executed via CPU and memory in a state installed and stored in the storage means of the central control server 100. it means. That is, the configuration of 'module', 'unit', or 'interface' is not limited to hardware, and may be configured to be in an addressable storage medium or configured to reproduce one or more processors.

Functions provided by these 'modules' or 'units' or 'interfaces' may be combined into a smaller number of components and 'units' or 'modules', or may be combined into additional components and 'units' or 'modules'. can be further separated.

In addition, such a central control server 100 is equipped with a website and a mobile application (hereinafter referred to as 'app') to exchange information with the user, and can receive or provide various information from the user through this.

Hereinafter, specific detailed configurations and functions will be described based on the basic configuration of the system of the present invention centered on the central control server 100.

Figure 2 is a block diagram showing the configuration of the system of the present invention, Figure 3 is a flow chart showing the procedure by the system of the present invention.

As can be seen from FIG. 2 , the system of the present invention includes a reception module 110, a service item determination module 120, an analysis module 130, and a report providing module 140.

The acceptance module 110 performs a function of accepting a digital device that is a digital forensic service target for the client 1 .

In the present invention, a digital device refers to an electronic device having a hard disk for storing data, and can be broadly classified into types such as smart phones, tablet PCs, personal computers, and servers.

That is, the reception module 110 of the present invention performs a function of specifying a digital device to perform digital forensics provided by the present invention, more specifically, a digital device possessed by the client 1 .

To this end, for example, by providing a reception window on a web page or a page of a mobile application (hereinafter referred to as 'app') provided by the system of the present invention, the client 1, that is, a client server such as a smartphone or PC At this time, the reception window is provided with an input field for inputting the type of digital device as well as the basic information (name, affiliation, ID, etc.) of the client 1, through which the reception module 110 It is possible to receive and store basic information of the client and digital device.

Furthermore, the acceptance module 110 may include a remote search unit 111 that remotely accesses the digital device of the client 1 to be accepted and searches data stored in the digital device remotely.

That is, the remote search unit 111 requests and receives permission to remotely access the digital device from the client 1 via the aforementioned access window, and then accesses the digital device via a known remote access program to retrieve data. Provides a search function.

At this time, the remote search unit 111 may also request data viewing rights from the client 1 for data to be searched in the digital device and be permitted. For example, data stored in a specific storage space (eg, folder) It is also possible to search all data in a digital device by setting only the search target or receiving the search authority for the entire hard disk.

According to the remote search unit 111, the data of the digital device is grasped in advance to determine the basic state of the digital device, and through this, a specific forensic service is recommended, or a preliminary work to determine the target range of the forensic service is performed in advance. It provides a basis for doing so.

The service item determination module 120 performs a function of receiving, from the client 1, a specific digital forensic service item for a digital device to be received.

For example, the service item determination module 120 displays information on various forensic service items to the client 1 via the above-described connection window, and allows the client 1 to select a specific forensic service item. .

The forensic service provided by the present invention includes not only existing forensic services such as evidence investigation service and data recovery service, but also one-time service according to service cycle, regular service, face-to-face service according to face-to-face/non-face-to-face method, non-face-to-face service, digital device Depending on the number, it may be provided in various types such as one service and multi service.

In other words, the service item determination module 120 diversifies the types of digital forensic services to eliminate the misunderstanding that digital forensic services are applied only to criminal investigations, provide a more popular and universal service environment, and provide a universal service environment as if receiving a universal health examination. As such, digital devices also have the characteristics of providing convenience for easy and convenient diagnosis.

Specific forensic service items for the service item determination module 120 will be described later.

The analysis module 130 of the present invention has a function of receiving a forensic result from the forensic equipment 10 that actually performs forensic on a digital device according to the determined forensic service item, and generating analysis information on the corresponding digital device through the received forensic result. carry out

Here, the forensic equipment 10 may have various known types and structures.

For example, if the digital device is physically damaged, the forensic equipment 10 extracts a disk or USIM from the digital device, mounts it on a separate PCB, reads the data of the disk, and provides a forensic agent to the digital device. A remote forensic system consisting of a transmission device that is installed and transmits data through communication means, and a forensic server that reads, analyzes, or restores the transmitted data. Possessed by a forensic expert, directly accessing a digital device and grasping the overall status of the digital device Of course, it is possible to have various structures and functions such as a portable forensic device that reads, analyzes, and recovers data.

In addition, the forensic equipment 10 has a function of reading data of a digital device or identifying structural problems, a function of data recovery, a function of determining whether or not it is infected with a virus and treating the infection, and a function of diagnosing the installed security program. It may include a security function that identifies a security state or reinforces a security function, and these specific functions will be referred to as well-known forensic equipment.

In the present invention, the analysis information refers to various information such as analysis results analyzed by the forensic equipment described above according to the determined forensic service, for example, data recovered as described above, virus infection, and security status. It may vary according to the previously determined forensic service object and the function of the forensic equipment 10 , in other words, it may be understood that the analysis information is not limited to any specific information.

In addition, the analysis module 130 may encrypt the data obtained from the digital device to ensure the integrity of the data in order to preserve the evidence and secure the value of the digital device. As a method of encrypting data, it is possible to encrypt data by inserting a hash code into the data, and through this, attempts to illegally view or modify encrypted data can be prevented.

The appraisal providing module 140 performs a function of creating an appraisal based on the above analysis information and providing the client 1 with the appraisal.

The appraisal may be prepared as an online document in a file format and provided to the client 1, which is, for example, a smartphone, and may include text as well as images or videos.

This appraisal not only consists of official sentences with evidence that can be used in court, but also can be used for private purposes to help the client's understanding, including explanatory phrases that explain and interpret the analysis information in detail. It can also include appraisal sentences written in That is, the appraisal as meant by the present invention is not limited to a specific form and content.

In addition, the certificate providing module 140 may provide the above-described encrypted data together with the certificate to the client 1 .

In summary, the system of the present invention expands the forensic service, which was uniformly performed in the past, to various types and ranges, and provides a basis for conveniently receiving forensic service by being selected by the client 1 while having the convenience of the client 1 As a result, it provides the characteristics of presenting an environment that secures stability and universality for digital devices.

As mentioned above, the service item determination module 120 provides an environment in which various forensic services can be selected by providing the client 1, and these forensic services will be described with an additional configuration.

4 is a conceptual diagram illustrating service items provided by the service item determination module.

Specifically, the service item determining module 120 may include at least one of the visiting service determining unit 121 and the remote service determining unit 122 .

The visiting service determining unit 121 has a function that allows the client 1 to determine a visiting service for forensic processing of the digital device through a face-to-face contact by a forensic expert through a service selection window provided by a web page or an app page, such as a connection window. Do it.

That is, the visit service determination unit 121 provides a face-to-face forensic service to the client 1, and the forensic expert directly visits the client 1 and uses the above-mentioned portable base for the digital device possessed by the client 1. It can be said that the client 1 determines the digital forensic service that is carried out through the forensic equipment 10 of .

In addition, the remote service determining unit 122 provides a service 1 for remotely forensic processing the digital device of the client 1 in a non-face-to-face manner through the remote-based forensic equipment 10 equipped with a communication means, that is, a remote service. It provides a function that allows the client to decide.

That is, the service item determination module 120 can provide an environment in which the client 1 can conveniently select face-to-face/non-face-to-face forensic services while securing them.

In addition, the service item determining module 120 may include a regular service determining unit 123 for regularly receiving a forensic service according to a predetermined period.

At this time, in the present invention, the regular service means a service that can receive forensics according to a certain period. Here, the 'period' is not necessarily a uniformly fixed period, but a period that can be changed as will be described later. It can be understood as including the concept of.

Specifically, the regular service determining unit 123 includes a period setting part 123a and a determining part 123b.

The period setting part 123a provides a function of setting a service period for performing digital forensic service.

As mentioned above, this service cycle can be set as a cycle based on a certain period of time, such as 1 month or 3 months. To this end, the cycle setting part 123a provides the client 1 with a It is possible to provide a setting window and set the service period from the client 1 through this, or to determine the service period as a predetermined period in the system of the present invention.

The determining part 123b performs a function of determining a regular service for forensic processing of the digital device of the client 1 on a regular basis according to a set service period.

That is, the regular service determination unit 123 provides the client 1 with a service capable of periodically performing forensic processing on a digital device, which is intended to secure security or safety rather than to analyze evidence for investigation. It can be noted for its use for corporate servers.

In other words, if forensic processing of a digital device such as a corporate server is repeatedly performed according to the service cycle, it can be reasonably predicted that the purpose of the client 1 performing digital forensic is to secure security or stable operability. The regular service decision unit 123 can provide a basis for enhancing security and stability of digital devices.

In this way, when forensic processing of a digital device is performed focusing on security or safety, it is desirable to variably and differentially set service cycles according to the security state of the digital device. This will be described in detail.

As described above, although the forensic equipment 10 may mobilize various forensic techniques mentioned above according to specific purposes, in particular, when a regular forensic service is selected, it performs a function of evaluating the security state of the digital device.

For example, the forensic equipment 10 has a function to determine the existence and type of a virus program installed in a digital device, a function to determine whether a password is set stored in a disk, a function to determine the existence of a virus through virus inspection, and a function to determine data attributes vulnerable to viruses. In other words, once the data properties are identified, it is possible to perform various security-related functions for the data, such as a function to determine the security level set for the data.

As a result, the forensic equipment 10 can grasp the security state of the digital device, and it is possible to determine the degree of this security state as a relative level value, which is referred to as a 'security index' in the present invention.

That is, the security index is not an absolute number, but, for example, "level value 1 - security is very weak, level value 2 - security is weak, level value 3 - security is medium, level value 4 - security is good, level value It can be set as a relative value such as "5 - Very good security", and as in the example above, the higher the security, the higher the value from 1 to 5, as well as more detailed values such as 1 to 10 and 1 to 20. It is also possible to set the level step by step.

These security values can be set in the security value setting unit 131 additionally provided in the analysis module 130 .

That is, the security value setting unit 131 provides a function of setting a security index set to a relative level value as described above according to the security state of the digital device evaluated by the forensic equipment 10 .

Correspondingly, the period setting part 123a can differentially set the above-described service period according to the high and low levels of the security index.

For example, when the service cycle is initially set to 1 month based on the security value of 3, if the security value is 5, that is, if security is enhanced, the cycle setting part 123a increases the service cycle to 2 It means that it can be set as months, or if the security value is 2 and security is weakened, the period setting part 123a can reduce the service period and set it to 20 days.

Accordingly, regardless of the security state of the digital device, the service cycle can be varied according to the actual security state of the digital device rather than simply checking the security state according to the uniformly set service cycle, providing more flexible and reasonable regular forensic service. It has a characteristic that can provide to the client (1).

Furthermore, in the present invention, in addition to the security index evaluated by the forensic equipment 10, a security evaluation index evaluated by a forensic expert is additionally presented, and a means for determining a service cycle more reasonably by integrating the security index and security evaluation index to provide.

Specifically, the appraisal providing module 140 provides a function of including an appraisal sentence input as a sentence by a forensic expert for security evaluation of a digital device in the appraisal.

That is, the appraisal providing module 140 allows the forensic expert to evaluate the security status of the digital device from a different angle than the forensic equipment, but a sentence that is not a simple index evaluation such as 1,2,3,4... like a security index. A function of receiving an evaluation through and including it in the appraisal is provided, and through this, it is possible to provide more specific and easy-to-understand security-related information to the client 1.

In addition, the system of the present invention may include a sentence evaluation module 150 that calculates a security evaluation index by analyzing the evaluation sentence written by the forensic expert.

At this time, the forensic expert's security evaluation may also be performed with a relative level value such as the above-mentioned security index, but in this case, as mentioned above, providing the client 1 with only a simple number may seem insincere, Since experts may arbitrarily set service cycles and be misunderstood as having commercial intentions, forensics experts prepare detailed sentences related to security, that is, appraisal sentences, and through them, as mentioned above, provide the client with an easy-to-understand, detailed, and sincere security-related statement. Information is provided, and separately from this, the sentence evaluation module 150 analyzes the appraisal sentence separately to calculate a security evaluation index, which is a concept capable of reinforcing the security index.

The appraisal sentence must include the content of evaluating the security of the digital device. For example, "Your smartphone has two anti-virus programs installed. The ability to handle blocking when receiving is weaker than the well-known XXX program, and the second antivirus program has almost the same function as the first antivirus program, so two antivirus programs are installed, but it is actually different from installing one antivirus program No. In this case, security may be relatively vulnerable during data transmission, so if you click on it carelessly after receiving a spam message, for example, there is a high possibility that a malicious virus will penetrate the system, so it is necessary to further strengthen security. ." etc. This appraisal sentence is an example to help understanding, and in reality, it is preferable to include more detailed sentences for each item.

Specifically, the sentence evaluation module 150 includes a sentence classification unit 1151, a first term extraction unit 152, a second term extraction unit 153, a third term extraction unit 154, a security evaluation index calculation unit ( 155).

The sentence classification unit 151 serves to classify appraisal sentences into verbs, verbs, and adjectives.

Here, cheun means nouns, pronouns, and numbers, verbs mean verbs and adjectives, and modifiers mean adjectives and adverbs.

The first term extraction unit 152 provides a function of extracting a noun with a high frequency of appearance among nouns constituting the pronoun as a first term, and the first term can be said to be a word that is a subject or a key keyword of an appraisal sentence. there is.

That is, in the above-mentioned appraisal sentence, there are 'virus (prevention), program, security, data', etc., and 'virus (prevention)' with the highest frequency can be extracted as the first term.

The second term extraction unit 153 performs a function of extracting, as a second term, verbs with a high frequency of occurrence among verbs constituting verbs, and verbs are the best terms for understanding the behavioral characteristics of digital devices compared to adjectives. Therefore, the second term may be the most representative expression because it represents the behavioral characteristics of the digital device, in particular, the behavioral characteristics of the security function.

At this time, in the above example appraisal sentence, verbs include 'to be installed, to be blocked, to infiltrate, to strengthen' and the like, and among them, the verb with the highest frequency can be extracted as the second term.

The third term extractor 154 serves to extract adverbs having a high frequency of occurrence among adverbs constituting modifiers as third terms, and the adverbs are expressions capable of emphasizing the first and second terms described above.

That is, modifiers in the above-described appraisal sentence may be 'relatively, almost, more', etc., and among them, an adverb having the highest frequency may be extracted as a third term.

In this case, the above-described first, second, and third terms may be extracted in plurality when one of the words having the highest frequency is extracted or when the frequency is the same.

The security evaluation index calculation unit 154 performs a function of calculating a security evaluation index for the digital device based on the frequency of occurrence of the first, second and third terms.

This security evaluation index can also be set to a relative level value like the security index described above. Furthermore, as will be described later, the security evaluation index may be set based on a specialized criterion using a mathematical algorithm proposed in the present invention.

Correspondingly, the period setting part 123a can set the service period according to the security index as well as the security evaluation index.

At this time, the period setting part 123a may set the service period by an arithmetic average of the security index and the security evaluation index, or may set the service period more reasonably by a mathematical algorithm specialized in the present invention, as will be described later.

According to this, the service cycle can be set by integrating the security evaluation index set by adding the expert opinion based on the appraisal sentence analytically written by the forensic expert to the security index mechanically set based on the forensic equipment 10, It is possible to secure a basis for forensic processing by repeating a digital device according to a service cycle that is more reasonable and can be easily accepted by the client 1 .

Additionally, the first term extraction unit 152 extracts 2 to 4 nouns having a high frequency of occurrence among nouns constituting the pronouns as first terms, and correspondingly, the sentence evaluation module 150 uses the target term designation unit 156 may additionally include.

For example, in the above-mentioned appraisal sentence, there are 'virus (prevention), program, security, data', etc., and it is possible to extract all of them as the first term.

The target term designation unit 156 performs a function of designating a term related to 'security' among 2 to 4 first terms as a target term, and this target term can be an important criterion for setting a security evaluation index. there is.

In the above example, 'virus (prevention), security, and data' are terms related to security. Here, security is a description of security as it is, and data is a concept that is subject to security, so 'virus (prevention)' is the target term. It is possible to specify

Correspondingly, the security evaluation index calculation unit 155 calculates the security evaluation index according to the frequency of appearance of the target term and the second and third terms among the first terms. That is, among the first terms, only target terms that are key keywords, excluding nouns that are not related to security or have no meaning by expressing security as it is, are used as criteria for setting the security evaluation index, so that the reliability of the security evaluation index is increased. can be said to have been

Furthermore, the security evaluation index calculator 155 can calculate the security evaluation index through Equation 1 below.

Equation 1.

이 0이거나 0보다 작을 경우에는, 1)(only,

is 0 or less than 0, 1)

Here, N is the security evaluation index, D is the frequency of occurrence of the target term, E is the frequency of occurrence of the second term, and F is the frequency of occurrence of the third term.

Equation 1 is an equation for calculating a security evaluation index based on the frequency of occurrence of the target term and the second and third terms.

Specifically, Equation 1 has a feature that the security evaluation index increases proportionally as the frequency of the target term and the second and third terms increases. Here, when the security evaluation index is high, the security of the digital device is evaluated as good, and when the security evaluation index is low, the security is evaluated as low.

In addition, since there is a difference in importance between the target term and the second and third terms in the appraisal sentence, the security evaluation index can be more reasonably calculated through the algorithm based on Equation 1.

At this time, the hyperbolic tangent has a value between 0 and 1 under the condition that the variable is a positive number greater than or equal to 0, and has a value closer to 1 as the variable becomes larger. It has a characteristic that it grows non-linearly while drawing a parabola.

For example, when the frequency of occurrence of the target term is 3, the frequency of the second term is 4, and the frequency of the third term is 2, the security evaluation index is calculated by substituting these into Equation 1 as follows.

That is, it can be seen that the set security evaluation index is 24 by substituting the above example into Equation 1.

The security evaluation index calculated in this way has the maximum value of the second term to be 2 by the hypertangent processing value of the second term among the preceding term and the second term based on multiplication, so that the numerical value does not increase too greatly and at the same time is limited by a non-linear proportional relationship. As a result, the basis for calculating the security evaluation index more reasonably is presented by complexly reflecting the target term and the second and third terms.

Furthermore, the period setting part 123a can set the service period by uniquely setting the security index and the security evaluation index in Equation 2 below.

Equation 2.

는 기준 서비스 주기(일), L은 보안 지수로서

인 자연수, N은 보안 평가 지수이다.where T is the service period (days),

is the standard service cycle (days), and L is the security index

is a natural number, N is a security evaluation index.

In Equation 2, the arc hyperbolic sine function is introduced with the security index as the main factor and the security evaluation index based on Equation 1 as the auxiliary factor, so that the service cycle is increased or decreased by approximately 2 weeks in a non-linear proportional relationship. Convergence It has characteristics that have been processed so that it can be.

If the standard service cycle is 30 days, the security index is 3, which can be said to be normal, and the security evaluation index is 24 as in the previous example,

로서,

as,

The service period may be set so that the forensic service is performed after 32 days, which is about 3 days more than the initially set service period. That is, if the security is average, a slightly extended service period may be presented without a difference from the preset service period, thereby giving a perception of reducing the economic burden of the client 1 caused by frequent service performance.

On the other hand, if the standard service cycle is 30 days, the security index is 5 as excellent, and the security evaluation index is 30,

로서,

as,

It is possible to receive forensic service at a late point of almost 10 days. In other words, since the security of the digital device is good, it is set to receive the service at a later point in time.

Conversely, if the standard service cycle is 30 days, the security index is bad 1, and the security evaluation index is 18,

As a result, since the service cycle is reduced by almost two weeks and security is weak, it is possible to set the forensic service to be received a little faster.

Through the correlation between the security index and the security evaluation index according to Equation 2, a reasonable service cycle can be set according to the degree of good and bad security, so that a standard for a reasonable service cycle acceptable to the client can be presented. have a characteristic

As described so far, the configuration and operation of the digital forensic service providing system based on client customization according to the present invention are expressed in the above description and drawings, but these are only examples and the spirit of the present invention is limited to the above description and drawings. It is not, and of course, various changes and modifications are possible within a range that does not deviate from the technical spirit of the present invention.

1: client (client server) 10: forensic equipment
100: central control server 110: reception module
111: remote search unit 120: service item determination module
121: visit service decision unit 122: remote service decision unit
123: regular service determination unit 123a: cycle setting part
123b: decision part 130: analysis module
131: security value setting unit 140: report providing module
150: sentence evaluation module 151: sentence classification unit
152: first term extraction unit 153: second term extraction unit
154: third term extraction unit 155: security evaluation index calculation unit
156: target term designation unit

Claims (9)

As a digital forensic service providing system,
An acceptance module for accepting a digital device subject to digital forensic service for a client;
A periodic service comprising a period setting part for determining a digital forensic service item for the digital device and a determination part for determining a periodic service for regularly forensic processing the digital device according to the set service period. a service item determining module, comprising a determining unit;
Forensic processing of the digital device via forensic equipment according to the determined digital forensic service item to generate analysis information, and a security index determined as a relative level value according to the security state evaluated for the digital device by the forensic equipment An analysis module including a security value setting unit to set;
an appraisal providing module that generates an appraisal based on the analysis information and provides it to the client, including an appraisal sentence received as a sentence by a forensic expert for security evaluation of the digital device in the appraisal;
A sentence classification unit that classifies the appraisal sentence into verbs, verbs, and modifiers; a first term extraction unit that extracts, as a first term, a noun with a high frequency of appearance among nouns forming the verb; and a verb appearing among the verbs forming the verb. A second term extractor extracting a verb with a high frequency as a second term; a third term extractor extracting an adverb with a high frequency of appearance among adverbs constituting the modifier as a third term; and A sentence evaluation module comprising a security evaluation index calculation unit for the digital device based on the frequency of occurrence of terms; includes,
The period setting part differentially sets the service period according to the security index and the security evaluation index,
The first term extraction unit extracts 2 to 4 nouns having a high frequency of appearance among the nouns constituting the pronoun as a first term,
The sentence evaluation module includes a target term designation unit for designating a term related to security among the two to four first terms as a target term,
The security evaluation index calculator calculates the security evaluation index through the following Equation 1, digital forensic service providing system.
Equation 1.

(only,

is 0 or less than 0, 1)
(Where N is the security evaluation index, D is the frequency of occurrence of the target term, E is the frequency of occurrence of the second term, and F is the frequency of occurrence of the third term) According to claim 1,
The reception module,
A digital forensic service providing system comprising a remote search unit remotely accessing the digital device and remotely searching for data stored in the digital device. According to claim 1,
The service item determination module,
a visit service determining unit which determines a visit service for forensic processing of the digital device through face-to-face contact by a forensic expert;
A digital forensic service providing system comprising at least one of a remote service determining unit for remotely determining a remote service for forensic processing the digital device. According to claim 1,
The cycle setting part,
Characterized in that the service period is set by the following Equation 2, digital forensic service providing system.
Equation 2.

(Where T is the service cycle (days),

is the standard service cycle (days), and L is the security index

is a natural number, N is the security evaluation index) delete delete delete delete delete

Images