KR20080096031A - A collection method of volatile evidence data with computer - Google Patents

Info

Publication number
KR20080096031A
Authority
KR
South Korea
Prior art keywords
data
evidence
hash value
computer
volatile
Prior art date
Application number
KR1020070040878A
Other languages
Korean (ko)
Inventor
김귀남
이동휘
Original Assignee
김귀남
이동휘
Priority date
2007-04-26
Filing date
2007-04-26
Publication date
2008-10-30
Application filed by 김귀남, 이동휘
Priority to KR1020070040878A
Publication of KR20080096031A

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals › G06F21/31 User authentication
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/60 Protecting data › G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer › G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a method of safely obtaining volatile data or other important data when a computer system has been compromised and the network is unavailable. The first responder goes directly to the incident site and collects the volatile data with a script supplied on a CD or USB medium; the script generates a hash value of the collected data and stores it alongside the data. The stored data and hash value are then transferred to a server that is a secure system. When the volatile data is later authenticated, the hash value stored with the data is compared with the hash value held on the server to prove that the stored volatile data is unchanged, that is, that its integrity is intact.

Description

A collection method of volatile evidence data with computer

Figure 1 is a flow chart of a forensic procedure.

Figure 2 is a flow chart of the volatile data acquisition and verification procedure according to the present invention.

Figure 3 shows the contents of a CD produced in accordance with the present invention.

Digital evidence can be classified into original digital evidence and copied digital evidence. Another way of classifying 'documented' evidence is into descriptive evidence and documentary evidence.

As a rule, submitted documents must be originals unless the original has been destroyed and no special exception applies. That is, the presenter must show that the content of the evidence is intact and that it has not been altered since it was seized. Otherwise it cannot, and must not, be admitted as evidence in a court of law.

Evidence that is to be admitted in court must satisfy several requirements: it must be credible, relevant (substantiate the facts of the event), and material (substantiate the subject matter associated with the event).

Unlike conventional crimes, computer-based crimes raise many difficulties in the handling of evidence.

In particular, data held temporarily in a computer's system memory is called volatile data. Memory holds data only while it is powered, and the data stored in it disappears when the system is powered off.

The IEEE Internet draft "Guidelines for Evidence Collection and Archiving" suggests collecting a computer's volatile evidence first.

This is because the most volatile evidence in a computer is the most likely to be lost. The 'order of volatility' is: registers and cache; routing table; ARP cache; process table; kernel statistics; system memory contents; temporary file system; and disk data.

The process of collecting volatile data raises one problem: the state of the system changes while the volatile data is being collected. Some computer experts recommend that investigators or crime scene technicians document the running processes, the network status and connection information, and a 'dump' of RAM, and that the commands used to perform these tasks be prepared in advance, stored, and then executed.

Digital material on computers is not only easy to copy but also hard to distinguish from the original, and it is very easy to manipulate, create, transmit and delete. Therefore, for digital data to serve as legal evidence, special procedures and methods must be followed throughout the entire process of collecting, storing, analyzing and reporting on the data. These processes and methods for giving digital data legal standing are collectively called 'computer forensics'.

Computer forensics is primarily a method of identifying and proving the facts of an action on the basis of digital data held in a computer.

The method can be used not only in civil and criminal investigations but also to detect corruption or obtain evidence concerning employees in the course of corporate activities. In particular, it is important for securing key evidence when settling disputes with customers.

As high-tech crime through digital media increases, a process for proving and handling the integrity of hard disk data or other digital evidence obtained from computer systems is urgently needed. There is therefore a need for a procedure to prove that data preserved through computer forensics is unchanged, integrity-preserving data.

According to the present invention, a script for extracting volatile data is held on a removable storage medium (CD, USB memory, etc.); it writes the collected data to a file on that medium and generates a hash value that serves, as in disk forensics, as the means of proving the integrity of the original data and of detecting any change to it. An authentication server is installed on the Internet, and the hash value produced at the time the volatile data was collected is transmitted to it in file form. When the evidence is submitted, the hash value held by the authentication server is compared with the hash value stored on the removable medium to verify that the evidence has not changed. The purpose of the invention is to provide such a method.

Hereinafter, preferred examples of the present invention will be described with reference to the accompanying drawings.

Figure 1 shows a simplified forensic procedure.

The forensic handling of evidence proceeds through acquisition and analysis of the evidence. Evidence reports should be presented together with the evidence, and each item of evidence must be tagged to demonstrate that the process was sound. The following sections describe each step in detail.

Obtaining evidence;

Acquisition of evidence involves various activities such as seizing the target computer used in the crime and producing copy data from the original data, capturing the contents of volatile memory, and locating backup data. During acquisition the evidence must not be inadvertently damaged. As a simple example, if a file's last access time changes because of a click, it becomes difficult to prove when the document was created in relation to the event. Therefore, to maintain the integrity of the original data, acquisition requires steps such as imaging the data, checking the time of the computer used in the crime, photographing the monitor screen, and recording the running processes.

Evidence analysis step;

In the analysis step, various techniques are applied to the acquired evidence. Programs used in forensics generally provide both acquisition and analysis. For analysis, files are first identified using the image copied during acquisition. If evidence of crime is found during this examination, the examination of the file is documented, and the documentation shows that the original data was never touched directly, thereby preserving the integrity of the original. That is, the files of the copy have altered access times while the files of the original do not, and it can be shown that the file exists on the criminal's computer. Such analysis includes recovering files deleted by the criminal and finding concealed or encrypted data.

Evidence storage step;

Once material is selected as evidence, its integrity must be established and maintained. Even with crimes in general society, evidence loses its effect if it is contaminated during storage and handling, and suspicion may arise. Therefore, for the storage and transport of evidence, a case or storage place that is safe from shock and physical attack must be provided.

Report writing step;

Evidence that has gone through the series of steps of acquisition, analysis and storage should be tagged and documented. The documentation should describe the acquisition process and provide justification for the material when it is adopted as evidence. In particular, it should be possible to prove that the evidence has not been manipulated, in such a way that an expert can verify the process of obtaining and analyzing it. Because digital evidence is easy to fabricate, it may be suspected of error even when it is legitimate. Therefore the whole series of processes must be clearly understood, and documentation is necessary so that no problems arise even when a third-party expert verifies it.

Based on the forensic procedure described above, the volatile data acquisition and verification procedures according to the present invention will be described.

Figure 2 illustrates the volatile data acquisition and verification process according to the present invention.

The procedure for acquiring flawless volatile data according to the present invention consists of the following steps:

Arriving at the crime scene and checking the current state of the evidence (S_10);

Collecting the volatile data by means of a script on a CD that automatically executes commands when run on the computer at the incident site, and simultaneously generating and storing a hash value (S_20);

Recording the collection time of the data stored on the CD, the name of the on-site evidence collector, and related evidence (S_30);

Moving the data stored on the removable storage device to a safe place where a network is available (S_40);

Transmitting the stored data, the collector's name, and the hash value to an authentication server (S_50);

Comparing the hash value, together with authentication of the person who acquired the data, to confirm whether the data is identical (S_60);

Checking whether the hash value stored on the authentication server and the hash value stored on the portable storage device match, to verify the integrity of the stored data (S_70);

If the hash values match in the preceding step, submitting the data to the relevant institutions (S_80).

In the step of checking whether the hash values match together with authentication of the person who obtained the data, it is preferable that the person concerned be proven to be the same person by a certificate issued by a certification authority, and that the data not be accessible to other people.
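The following is an added worked example of steps S_20 to S_70, written for this page and not taken from the patent. It assumes SHA-256 as the hash function (the patent does not name one), models the authentication server as an in-memory dictionary, and uses constructed, portable stand-in commands in place of the real triage commands a CD would carry. The function names (`collect_volatile`, `register_with_server`, `verify_evidence`) are the example's own. It shows the part the text leaves implicit: a per-file manifest on the medium, a single manifest hash sent to the server, and a verification that detects a one-byte change to any stored capture.

```python
import hashlib
import json
import os
import subprocess
import sys
import tempfile
from datetime import datetime, timezone

# Added illustration of steps S_20 to S_70; not code from the patent. SHA-256 stands in
# for the unspecified hash function, and the authentication server is modelled as a dict.


def sha256_file(path):
    """Hash a file in chunks so that large captures need not be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_volatile(commands, collector_name, medium_dir):
    """S_20/S_30: run each (name, argv) command, write its output to the medium, and
    write a manifest holding the collection time, the collector's name and every file
    hash. Returns the hash of the manifest, the one value later sent to the server."""
    os.makedirs(medium_dir, exist_ok=True)
    file_hashes = {}
    for name, argv in commands:
        out_path = os.path.join(medium_dir, name + ".txt")
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=60)
            data = proc.stdout + proc.stderr
        except (OSError, subprocess.TimeoutExpired) as exc:
            data = f"collection failed: {exc}".encode()  # record, never silently skip
        with open(out_path, "wb") as f:
            f.write(data)
        file_hashes[name + ".txt"] = sha256_file(out_path)
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector_name,
        "files": file_hashes,
    }
    manifest_path = os.path.join(medium_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(manifest_path)


def register_with_server(server_store, case_id, collector_name, manifest_hash):
    """S_50: the authentication server keeps the manifest hash with the submitter's name."""
    server_store[case_id] = {"collector": collector_name, "manifest_hash": manifest_hash}


def verify_evidence(medium_dir, server_store, case_id, collector_name):
    """S_60/S_70: recompute every hash from the medium and compare it with the manifest
    on the medium and with the server's copy. Returns (ok, list_of_problems)."""
    record = server_store.get(case_id)
    if record is None:
        return False, ["no server record for this case"]
    problems = []
    if record["collector"] != collector_name:
        problems.append("collector identity does not match the server record")
    manifest_path = os.path.join(medium_dir, "manifest.json")
    if sha256_file(manifest_path) != record["manifest_hash"]:
        problems.append("manifest hash on the medium differs from the server copy")
    with open(manifest_path) as f:
        manifest = json.load(f)
    for fname, expected in manifest["files"].items():
        actual = sha256_file(os.path.join(medium_dir, fname))
        if actual != expected:
            problems.append(f"{fname}: recorded {expected[:12]}... != recomputed {actual[:12]}...")
    return not problems, problems


def demo(commands=None):
    """Run the whole flow in a temporary directory, then alter one stored capture by a
    single byte and verify again. Returns both verification results."""
    if commands is None:
        # Constructed, portable stand-ins for the real triage commands a CD would carry.
        commands = [
            ("python_version", [sys.executable, "-c", "import sys; print(sys.version)"]),
            ("env_keys", [sys.executable, "-c", "import os; print(sorted(os.environ))"]),
        ]
    server = {}
    with tempfile.TemporaryDirectory() as medium:
        manifest_hash = collect_volatile(commands, "investigator-A", medium)
        register_with_server(server, "case-0001", "investigator-A", manifest_hash)
        clean_ok, _ = verify_evidence(medium, server, "case-0001", "investigator-A")
        with open(os.path.join(medium, commands[0][0] + ".txt"), "ab") as f:
            f.write(b"x")  # simulate post-collection tampering
        tampered_ok, problems = verify_evidence(medium, server, "case-0001", "investigator-A")
    return {"clean_ok": clean_ok, "tampered_ok": tampered_ok, "problems": problems}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing the manifest rather than each file separately means the server stores one value per case, while the manifest on the medium still lets the verifier name exactly which capture changed. A failed command is written as a capture in its own right, so the failure itself becomes part of the hashed record rather than a silent gap.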

The important point in the above process is the use of a command automation CD. The command automation CD executes the commands automatically simply by being run, preventing errors caused by inconsistent handling of the evidence and by the inexperience of the collector. It is preferably produced in the form of a script.

If the storage space of the CD is insufficient, it is advisable to handle the situation by re-creating the CD or producing a USB memory version with the help of a professional. This is because computer storage capacities are growing rapidly, and all the data may not fit on a single CD.

The files created by the commands on the CD can be saved to a floppy disk or USB memory. USB memory is in widespread use today, but if a new type of portable storage device is developed in the future, it is obvious that the new device also falls within the scope of the present invention.

The floppy drive should be avoided because of its small capacity and because it is no longer commonly fitted to computers.

The hash function used above will now be described.

Hashing algorithms are called hash functions. Besides fast data retrieval, hashing is used when encrypting and decrypting digital signatures. The message is transformed with a hash function, and the hash value (called the message digest) and the digital signature are sent separately. The receiver extracts the digest from the signature using the same hash function the sender used and compares it with the digest already received; the digital signature is valid only if the two are the same.

A hash function is used to index the original value or key, and is used again whenever the data associated with that value is retrieved. Hashing, however, always works in one direction: the input cannot be recovered by analyzing the hashed values, and an ideal hash function cannot be reversed by such analysis at all. A good hash function should also not produce the same hash value for two different inputs; when it does, a collision occurs. A hash function with a very low collision risk is considered a good hash function.

There are many encryption and decryption algorithms. The present invention describes, as an embodiment, a method of verifying data using a hash algorithm, which is a representative such algorithm, but a method that carries out the procedure of the present invention with another algorithm naturally falls within its scope.

Figure 3 shows the contents of a CD produced by the above procedure.

Looking at the contents of the CD, there are the automatically generated hash values and the data.

If there are many files, they can also be placed in a compressed archive produced by a compression program. The archive is unpacked, and a document is created containing the date and time at which the volatile data was created together with the hash value.

The observer's signature is important data that later proves that the volatile data was obtained securely by the CD at that location and time. The document contains a separate section with the time at which the file was acquired and the generated hash value. It can also be signed to verify the identity of the data both physically and logically, and at the same time to doubly verify its integrity at the time of creation.

RFC 3227 defines the main uses of volatile data, but many different scripts can be written to extract volatile data on a case-by-case basis.

The above script cannot be produced and applied as a single script file in all cases: the CPU, memory, hard disk, graphics card, network adapter, operating system (OS), software versions and so on differ from computer to computer, so the same script cannot be applied every time.

Therefore, it is advisable to create and use a few standard scripts, and to create a script suited to the situation whenever a case falls outside the standard.

The script to be produced as a standard is divided into Windows and Linux. First, the script contents of Windows are written as follows.

Standard script content for Windows

1) Abnormal network

   ① Check for abnormal network connection

   ② Check the process mapped with the abnormal network

   ③ Check for abnormal NetBIOS connection

2) Check for abnormal processes

3) Check for abnormal service

4) Check the autorun program registered in the registry

Standard script content for Linux

1) Collect important configuration file information

2) Collect file vulnerability information

3) Collect system log information

4) Collect System Memory Information

It is preferable to adopt the above as the standard and to use separate scripts for other operating systems, unusual issues or other cases. The reason for using a command script on CD is to reduce omissions and errors caused by investigator mistakes.
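The following is an added example, not part of the patent, of the first two Windows checks (an abnormal network connection and the process mapped to it) written as detection logic over constructed sample output. It assumes the output layouts of `netstat -ano` and `tasklist /FO CSV /NH`, and the baseline sets (`EXPECTED_LISTENERS`, `EXPECTED_PROCESSES`, `COMMON_REMOTE_PORTS`) are hypothetical values chosen for the sample; a real collection kit would carry a baseline matching the host's role. The point it adds to the text is the join between the two outputs on PID, so that every flagged connection is recorded with its owning process and the reason it departed from the baseline.

```python
import csv
import io
import re

# Added example, not from the patent: the first two Windows checks (abnormal network
# connection, process mapped to it) as detection logic over constructed sample output.
# Baselines are hypothetical; a real kit would carry a baseline for the host's role.

# Constructed text in the layout of `netstat -ano` (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.0.10:49812     203.0.113.45:443       ESTABLISHED     5320
  TCP    192.168.0.10:49901     198.51.100.7:8443      ESTABLISHED     7744
  TCP    0.0.0.0:8088           0.0.0.0:0              LISTENING       7744
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed text in the layout of `tasklist /FO CSV /NH` (image name, PID, ...).
TASKLIST_SAMPLE = """\
"System","4","Services","0","148 K"
"svchost.exe","912","Services","0","9,512 K"
"chrome.exe","5320","Console","1","212,004 K"
"updater.exe","7744","Console","1","3,120 K"
"""

EXPECTED_LISTENERS = {135, 137, 445}            # ports this host is known to expose
EXPECTED_PROCESSES = {"system", "svchost.exe", "chrome.exe"}
COMMON_REMOTE_PORTS = {80, 443}

_NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Turn netstat rows into dicts; header and blank lines are skipped. UDP rows have no state."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from CSV tasklist output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text))
            if len(row) >= 2 and row[1].isdigit()}


def port_of(addr):
    """Port from 'host:port'; rsplit keeps bracketed IPv6 addresses intact. '*' gives None."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def find_abnormal(netstat_text, tasklist_text, listeners, processes, remote_ports):
    """Join connections to their owning process and report every row that departs
    from the baseline, with the reasons, so the investigator can record them (S_20)."""
    names = parse_tasklist_csv(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        proc = names.get(c["pid"], "<unknown>")
        reasons = []
        if c["state"] == "LISTENING" and port_of(c["local"]) not in listeners:
            reasons.append(f"unexpected listener on port {port_of(c['local'])}")
        if c["state"] == "ESTABLISHED" and port_of(c["remote"]) not in remote_ports:
            reasons.append(f"established connection to uncommon remote port {port_of(c['remote'])}")
        if proc.lower() not in processes:
            reasons.append(f"process {proc} (PID {c['pid']}) not in baseline")
        if reasons:
            findings.append({"pid": c["pid"], "process": proc, "local": c["local"],
                             "remote": c["remote"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_abnormal(NETSTAT_SAMPLE, TASKLIST_SAMPLE,
                           EXPECTED_LISTENERS, EXPECTED_PROCESSES, COMMON_REMOTE_PORTS):
        print(f["process"], f["local"], "->", f["remote"], "; ".join(f["reasons"]))
```

On the sample, the two rows owned by PID 7744 are reported and the rest pass. In a collection kit the two inputs would come from the commands the CD runs, and the findings list would be written to the medium and hashed with everything else, so that the investigator's triage judgement is itself part of the integrity-protected record.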

Apart from the script used as an example in the present invention, it is also good practice to produce a script that each institution can use to respond to its own security incidents. Volatile data can change once it has been acquired, so care must be taken; since acknowledgments from related parties cannot be obtained at that moment, accurate data must be obtained in a single pass.

When data is collected by the above method, the collected contents are compressed into an archive, and at the same time the generation time and hash values are recorded.

Finally, a single printout is generated: a document recording the generation time, the hash value, and the consent of the person concerned. The document is read and signed by the owner or the related person.

The person acquiring the data must also have the document signed by the relevant official. The document can later be an important resource when the court asks for proof that the data is flawless.

As described above, the present invention has been described through an embodiment, but the implementation of the present invention may be variously changed within the scope of the claims.

As described above, in the present invention the volatile data is written in file form to a removable storage medium (CD, USB memory, etc.) by a script that extracts the volatile data; a hash value, used as the integrity means for the original data as in disk forensics, is stored on the removable medium and proves whether the data has changed; an authentication server on the Internet receives the same hash value at the time of collection; and by providing this hash the invention offers a way to prove that the evidence has not changed.

Claims (3)

1. A method of acquiring and verifying volatile data in computer crime, comprising: arriving at the crime scene and checking the current state of the evidence (S_10); storing the volatile data in the form of a script that automatically executes commands when the CD is run on the computer at the incident site, and simultaneously generating and storing a hash value (S_20); recording the collection time of the data stored on the CD, the name of the on-site evidence collector, and related evidence (S_30); moving the data stored on the removable storage device to a safe place where a network is available (S_40); transmitting the stored data, the collector's name, and the hash value to an authentication server (S_50); comparing the hash value, together with authentication of the person who acquired the data, to confirm whether the data is identical (S_60); checking whether the hash value stored on the authentication server and the hash value stored on the portable storage device match, to verify the integrity of the stored data (S_70); and, if the hash values match in the preceding step, submitting the data to the relevant institutions (S_80).

2. The method according to claim 1, wherein, if the computer runs Windows, the script for automatically executing the commands checks for abnormal network connections, processes mapped to abnormal network connections, abnormal NetBIOS connections, abnormal processes, abnormal services, or auto-launch programs registered in the registry.

3. The method according to claim 1, wherein, if the computer runs Linux, the script for automatically executing the commands collects important configuration file information, file vulnerability information, system log information, and system memory information.
Priority Applications (1)

Application Number: KR1020070040878A | Priority Date: 2007-04-26 | Filing Date: 2007-04-26 | Title: A collection method of volatile evidence data with computer

Applications Claiming Priority (1)

Application Number: KR1020070040878A | Priority Date: 2007-04-26 | Filing Date: 2007-04-26 | Title: A collection method of volatile evidence data with computer

Publications (1)

Publication Number: KR20080096031A | Publication Date: 2008-10-30

Family

ID=40155462

Family Applications (1)

Application Number: KR1020070040878A | Title: A collection method of volatile evidence data with computer | Priority Date: 2007-04-26 | Filing Date: 2007-04-26

Country Status (1)

Country: KR (1) | Link: KR20080096031A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20160083614A (en) 2014-12-31 2016-07-12 서울과학기술대학교 산학협력단 Booth structures using a pipe
CN114692144A (en) * 2022-04-08 2022-07-01 哈尔滨理工大学 Dll injection detection method based on memory forensics

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application