KR20150069182A - Mobile Forensics Integrity Proof and Evidence Management Method using Network Server - Google Patents
- Publication number: KR20150069182A
- Application number: KR1020130155293A
- Authority: KR (South Korea)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F15/00—Digital computers in general; Data processing equipment in general
- G06F15/16—Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/27—Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/18—Information format or content conversion, e.g. adaptation by the network of the transmitted or received information for the purpose of wireless delivery to users or terminals
Description
The present invention relates to a method for improving the integrity of mobile forensics using a server and efficiently managing and integrating evidence.
Smart phones, tablet PCs, and other personal communication devices, that is, mobile devices, have become popular, making them a necessity for the majority of modern people. Recently, mobile devices have been developed to carry out many tasks that have been done on existing personal computers such as games, cameras, diaries, checking and sending of mail, and surfing the web, as well as call and text sending and receiving functions. It also has GPS function and provides various location based services.
As the services provided increase, the mobile device, which is highly portable, collects and stores general information about the user's behavior, such as communication history and movement routes. Thus, there is a high probability that useful evidence related to criminal investigations can be collected from mobile devices.
Mobile forensics has been developed as a means of investigating the information that mobile devices have. Mobile forensics is a field of digital forensics that involves recovering deleted data from mobile devices or gathering scattered information to get meaningful forensic evidence.
One of the important things to consider in mobile forensics is the authentication of evidence. Proving that the original evidence is unimpaired is a very important process, both from a legal point of view and for persuasiveness in a case.
Electronic proofs are used to prove the integrity of the file that is the subject of forensics. As a representative method, an integrity check can be performed to confirm whether the file is the original by using an algorithm called MD5 (Message-Digest algorithm 5).
However, MD5 is no longer a viable means of ensuring file integrity, owing to problems such as the recently announced design flaw and the announcement that SSL certificates can be tampered with by exploiting MD5 defects.
On the other hand, one important point to consider in mobile forensics is efficient evidence management. Currently, mobile forensics is carried out by connecting mobile devices from suspects to forensic devices.
However, in this case, in order to refer to the original investigation file acquired from the mobile device, the original file must be moved via a removable disk or the like or sent by file transfer. This not only causes delays in the investigation but also causes problems in managing the original file, such as the proliferation of copies.
Therefore, there is a need for a method that can efficiently manage the evidence while ensuring the integrity of the file that is the subject of the forensics.
The present invention proposes a mobile forensic integrity verification and evidence management method that integrates and efficiently manages evidence while giving integrity to the results of mobile forensics by using a server.
Other objects and advantages of the present invention will become apparent to those skilled in the art from the following detailed description.
According to an aspect of the present invention, there is provided a mobile forensic integrity verification and evidence management method using a server, comprising: generating a dump file from an analysis object file of a smart device; transmitting the dump file to the server via a network; and storing the transmitted dump file in the server.
The method may further include the user terminal requesting the server to analyze the dump file, the server analyzing the dump file to extract analysis information, and transmitting the extracted analysis information to the user terminal.
The method may further include deleting the dump file generated after transmitting the dump file to the server through the network.
The generating of the dump file may be performed in one of a PC or a mobile device in which an application program for generating a dump file of the information stored in the smart device and transmitting the generated dump file to the server is installed and executed.
The analysis object file may include at least one of time information, coordinate information, file system information, file log information, call log information, data log information, and mobile web history information.
According to the embodiment of the present invention, since the integrity of mobile forensic results can be ensured without applying a complicated algorithm, their value as evidence is increased, and since the original file is stored and managed in the server, evidence can be managed effectively.
The effects of the present invention will be clearly understood and understood by those skilled in the art, either through the specific details described below, or during the course of practicing the present invention.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram illustrating a system configuration for implementing a mobile forensic integrity verification and evidence management method using a server according to an embodiment of the present invention.
FIG. 2 is a flowchart schematically illustrating a mobile forensic integrity verification and evidence management method using a server according to an embodiment of the present invention.
FIG. 3 is a view showing an implementation state of a mobile forensic integrity verification and evidence management method using a server according to an embodiment of the present invention.
The above and other features and advantages of the present invention will become more apparent from the following detailed description of the present invention when taken in conjunction with the accompanying drawings. The present invention is capable of various modifications and various forms, and specific embodiments are illustrated in the drawings and described in detail in the text. It is to be understood, however, that the invention is not intended to be limited to the particular forms disclosed, but on the contrary, is intended to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
Hereinafter, a mobile forensic integrity verification and evidence management method according to an embodiment of the present invention will be described in detail with reference to the drawings. In the present specification, the same reference numerals are assigned to the same components in different embodiments, and the description thereof is replaced with the first explanation.
A mobile forensic integrity verification and evidence management method according to an embodiment of the present invention includes generating a dump file from an analysis object file of a smart device, transmitting the dump file to a server via a network, And storing the transmitted dump file.
Here, the step of generating a dump file is performed in a user terminal capable of file dumping. A file dump means copying all or part of the contents of a storage device or file, for example to a line printer, for debugging a program or checking data. By dumping the analysis target file to generate a dump file, the file can easily be transferred to the server. The dump file may be created and then sent to the server, or it may be sent to the server at the same time as it is created.
The transmitted dump file is stored on the server. A secure operating system can easily be established on the server, so the dump file stored there can be preserved without damage, and the integrity of the stored file can be guaranteed by preventing its forgery or alteration.
In addition, dump files related to various incidents are collectively stored in the server, and the investigator can access the dump file stored in the server through the network using the user terminal, thereby effectively managing the evidence.
Hereinafter, each component of the system for implementing the mobile forensic method according to an embodiment of the present invention will be described in detail.
FIG. 1 is a block diagram illustrating a configuration of a system for implementing a mobile forensic integrity verification and evidence management method using a server according to an embodiment of the present invention.
A system for implementing a mobile forensic method according to an embodiment includes a
The
Conventionally, digital forensics has targeted storage media such as general personal computers, hard disks, and memory. However, since the
In addition, since most
The
In addition, the
The
An investigator or an investigation agency installs and executes an application program for extracting a dump file to the
That is, the
Meanwhile, the
At this time, the
Although the
In addition, the
The server 300 is in charge of communication with the
The server 300 can serve as a solution for securing the integrity of the dump file, which includes personal information, and of the analysis information derived from it, because a secure operating system can easily be established on it. In particular, protective barriers can be established against hacking by outside parties who intend to forge or alter the dump file, including tamper evidence, an operating system with added security functions, and system access restrictions, and since countermeasures can be established against external attacks that exploit bugs in application programs, the integrity of the stored evidence file is naturally proven,
In addition, the server 300 can store a plurality of original dump files and manage them in an integrated and efficient way. It is also easy for multiple related investigators to refer to the original file from the mobile device, and there is no need to move the original file via a removable disk or file transfer, so the investigation can be carried out quickly, the proliferation of copies can be prevented, and effective evidence management is possible.
Next, a mobile forensic integrity verification and evidence management method using a server according to an embodiment of the present invention will be described in detail with reference to the drawings.
FIG. 2 is a flowchart schematically illustrating a mobile forensic integrity verification and evidence management method using a server according to an embodiment of the present invention.
According to an embodiment, a step (s1) of generating a dump file from an analysis object file of the
In addition, the method further includes a step (s4) in which the user terminal 200 requests the server 300 to analyze the dump file, a step (s5) in which the server 300 analyzes the dump file and extracts analysis information, and a step (s6) of transmitting the analysis information to the user terminal 200.
The method may further include deleting the dump file generated after transmitting the dump file to the server 300 through the network and remaining in the
First, a dump file is generated from the analysis object file of the smart device 100 (s1). This is performed in the
In particular, the analysis target file may be a file having a db extension, and a dump file can be generated by dumping the analysis target file and all related files associated therewith.
The
At this time, the dump file transmitted to the server 300 can be encrypted. Since the dump file includes various information of the
In the next step, the server 300 stores the dump file transmitted to the server 300 (s3). In this case, it is preferable that no dump file is left in the
Accordingly, the
Through the above steps, the file stored in the server 300 is secured for the integrity of the file and the file can be managed integrally and efficiently.
In the next step, the
In this way, when a user such as an investigator wants to access the dump file through the
In the next step, the server 300 analyzes the dump file to extract analysis information (s5). The analysis information is the result of performing mobile forensics on the dump file.
Here, the analysis information may be behavior information capable of grasping an action using the
The action information may include at least one of sending and receiving a message at a specific time, making and receiving telephone calls, taking photographs, installing and executing an application program, and visiting a website or performing a search. For example, even though the user has deleted the message itself, the log information on the sending and receiving of the message may remain in the
In addition, communication using chat application programs has recently become common, so even if the content of the chat conversation itself is unknown, the user's behavior can be grasped from the execution of the chat application program and its time information. Furthermore, location information can be extracted from the time information and coordinate information included in the log information by analyzing the dump file, and the user's location can be inferred using the coordinate information of the
In the next step, analysis information is transmitted to the user terminal 200 (s6). That is, the analysis information, which is the result of the forensic process obtained in the previous step, is transmitted to the
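The steps s1 to s6 above, modelled as an added example that is not part of the patent or of any implementation of it: a user terminal dumps a set of analysis object files into a single dump file, the server stores it and records a content digest and a custody log entry at ingest, and every later analysis request first re-verifies the stored bytes against that digest. The dump format, the sample ".db" contents and the use of SHA-256 are assumptions made for this illustration; the patent itself only states that MD5 is no longer adequate and relies on server-side storage for integrity.

```python
"""Added example (not the patent's own code): steps s1-s6 with a digest-checked
evidence store. SHA-256 and the dump layout are assumptions for illustration."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed sample "analysis object files"; the patent mentions .db files
# holding call logs, message logs and coordinates. All contents are invented.
SAMPLE_DB_FILES = {
    "calllog.db": b"2013-12-13T09:10:00Z,call_out,+82-10-0000-0000\n",
    "mmssms.db": b"2013-12-13T09:12:30Z,sms_in,+82-10-1111-1111\n",
    "loc.db": b"2013-12-13T09:15:00Z,fix,37.5665,126.9780\n",
}


def digest_of(data: bytes) -> str:
    """Hex digest used as the evidence identifier (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


def generate_dump(files: dict) -> bytes:
    """Step s1: dump the analysis object files into one byte string.
    Layout (constructed): name line, length line, then the raw bytes, repeated,
    so the dump can be split back apart losslessly."""
    out = bytearray()
    for name in sorted(files):
        data = files[name]
        out += f"{name}\n{len(data)}\n".encode() + data
    return bytes(out)


def parse_dump(dump: bytes) -> dict:
    """Inverse of generate_dump; used by the server when analysing."""
    files, i = {}, 0
    while i < len(dump):
        j = dump.index(b"\n", i)
        name = dump[i:j].decode()
        i = j + 1
        j = dump.index(b"\n", i)
        size = int(dump[i:j])
        i = j + 1
        files[name] = dump[i:i + size]
        i += size
    return files


@dataclass
class EvidenceServer:
    """Server 300: stores original dump files and a chain-of-custody log."""
    store: dict = field(default_factory=dict)       # digest -> dump bytes
    custody_log: list = field(default_factory=list)  # who touched what, when

    def _log(self, event: str, digest: str, case_id: str, who: str) -> None:
        self.custody_log.append({"at": time.time(), "event": event,
                                 "digest": digest, "case": case_id, "who": who})

    def ingest(self, dump: bytes, case_id: str, submitter: str) -> str:
        """Steps s2/s3: receive and store the dump; the digest computed at
        ingest is the reference every later access is checked against."""
        digest = digest_of(dump)
        self.store[digest] = dump
        self._log("ingest", digest, case_id, submitter)
        return digest

    def verify(self, digest: str) -> bool:
        """Re-hash the stored bytes; False means the stored copy was altered
        (or never existed). Constant-time comparison avoids leaking digests."""
        data = self.store.get(digest)
        return data is not None and hmac.compare_digest(digest_of(data), digest)

    def analyze(self, digest: str, case_id: str, investigator: str) -> list:
        """Steps s4-s6: refuse to analyse a dump that fails verification, log the
        access, and return behaviour records (time, action, source) in time order."""
        if not self.verify(digest):
            raise ValueError("integrity check failed for " + digest)
        self._log("analyze", digest, case_id, investigator)
        events = []
        for name, data in parse_dump(self.store[digest]).items():
            for line in data.decode().splitlines():
                ts, kind, *rest = line.split(",")
                events.append({"time": ts, "action": kind, "source": name, "detail": rest})
        return sorted(events, key=lambda e: e["time"])


if __name__ == "__main__":
    srv = EvidenceServer()
    d = srv.ingest(generate_dump(SAMPLE_DB_FILES), "case-1", "officer-A")
    for ev in srv.analyze(d, "case-1", "investigator-B"):
        print(ev["time"], ev["action"], ev["source"])
    print("verified:", srv.verify(d), "custody entries:", len(srv.custody_log))
```

Because the digest is fixed at ingest and recomputed on every access, any later change to the stored bytes (by an administrator, a faulty disk or an intruder) is caught before the altered copy can feed an analysis result, which is the property the patent attributes to keeping the only original on the server.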
At this time, the dump file transmitted to the
In the next step, the behavior of the user may be simulated using the analysis information extracted by the
That is, it is difficult to quickly and accurately grasp the flow of the user's action only by listing the analysis information, and even if the behavior information is listed according to the flow of time, it is difficult to quickly review a large number of data of the
The subject performing the above-described simulation may be the server 300. In this case, the server 300 may visualize and output the analysis information or a simulation result based on it, or may transmit the analysis information to the
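The behaviour simulation described above, as an added example that is neither the patent's nor any product's code: the extracted analysis information (action records with times, plus location fixes with coordinates) is ordered in time and each action is annotated with the nearest location fix, so the flow of the user's actions can be reviewed as a timeline rather than as separate lists. The sample records, the "nearest fix within a time window" rule and the window size are assumptions for illustration.

```python
"""Added example (not from the patent): reconstructing the flow of a user's
actions over time from extracted analysis information."""
from datetime import datetime

# Constructed analysis information as a server might extract it from a dump:
# action records (call, message, app execution, web visit) and location fixes.
EVENTS = [
    {"time": "2013-12-13T09:15:00Z", "action": "fix", "lat": 37.5665, "lon": 126.9780},
    {"time": "2013-12-13T09:10:00Z", "action": "call_out"},
    {"time": "2013-12-13T09:12:30Z", "action": "sms_in"},
    {"time": "2013-12-13T09:45:00Z", "action": "app_exec", "detail": "chat_app"},
    {"time": "2013-12-13T10:05:00Z", "action": "fix", "lat": 37.5796, "lon": 126.9770},
    {"time": "2013-12-13T10:07:00Z", "action": "web_visit", "detail": "example.test"},
    {"time": "2013-12-13T12:30:00Z", "action": "sms_out"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def simulate_behavior(events: list, max_gap_minutes: int = 60) -> list:
    """Return the non-fix actions in time order, each annotated with the
    coordinates of the closest location fix (before or after it) that lies
    within max_gap_minutes; location is None when no fix is close enough."""
    fixes = [e for e in events if e["action"] == "fix"]
    actions = sorted((e for e in events if e["action"] != "fix"),
                     key=lambda e: _ts(e["time"]))
    timeline = []
    for act in actions:
        t = _ts(act["time"])
        location = None
        if fixes:
            nearest = min(fixes, key=lambda f: abs(_ts(f["time"]) - t))
            gap = abs(_ts(nearest["time"]) - t)
            if gap.total_seconds() <= max_gap_minutes * 60:
                location = (nearest["lat"], nearest["lon"])
        timeline.append({"time": act["time"], "action": act["action"],
                         "detail": act.get("detail"), "location": location})
    return timeline


def render(timeline: list) -> list:
    """One human-readable line per action, in time order."""
    lines = []
    for step in timeline:
        where = "location unknown" if step["location"] is None else \
            "near %.4f, %.4f" % step["location"]
        extra = f" ({step['detail']})" if step["detail"] else ""
        lines.append(f"{step['time']} {step['action']}{extra}, {where}")
    return lines


if __name__ == "__main__":
    for line in render(simulate_behavior(EVENTS)):
        print(line)
```

The window parameter makes the inference explicit: a fix two hours away says little about where a later message was sent, so the 12:30 action stays unlocated under the default window and only gains a location when the analyst widens the window deliberately.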
Meanwhile, the server 300 may transmit a confirmation message to the
The confirmation message may display a forensic progress window on the
FIG. 3 is a view showing an operation state of a mobile forensic integrity verification and evidence management method using a server according to an embodiment of the present invention.
Referring to the drawings, a plurality of
Here, when the user wants to access the dump file through the
The analysis information obtained by the server 300 is transmitted to the
Meanwhile, the
In this way, a plurality of
While the present invention has been described in connection with what is presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments but, on the contrary, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
100: Smart devices
200: user terminal
300: server
Claims (5)
Transmitting the dump file to a server via a network; and
Storing the transmitted dump file in the server,
A mobile forensic integrity verification and evidence management method using a server.
Causing the user terminal to make an analysis request of the dump file to the server,
Analyzing the dump file and extracting analysis information from the server;
Transmitting the extracted analysis information to the user terminal
wherein the mobile forensic integrity verification and evidence management method using a server further includes the above steps.
Deleting the dump file created after transmitting the dump file to the server through the network.
The step of generating the dump file includes:
A mobile forensic integrity verification and evidence management method is performed in any one of a PC or a mobile device in which an application program for generating a dump file of information stored in the smart device and transmitting the generated dump file to the server is installed and executed.
Wherein the analysis object file includes at least one of time information, coordinate information, file system information, file log information, call log information, data log information, and mobile web history information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020130155293A KR20150069182A (en) | 2013-12-13 | 2013-12-13 | Mobile Forensics Integrity Proof and Evidence Management Method using Network Server |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20150069182A true KR20150069182A (en) | 2015-06-23 |
Family
ID=53516361
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20150069182A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20180066637A (en) * | 2016-12-09 | 2018-06-19 | 기산전자 주식회사 | Banknote handling apparatus and method |
CN111475465A (en) * | 2020-03-19 | 2020-07-31 | 重庆邮电大学 | Intelligent home evidence obtaining method based on body |
2013
- 2013-12-13 KR KR1020130155293A patent/KR20150069182A/en not_active Application Discontinuation
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E601 | Decision to refuse application |