KR20150069182A - Mobile Forensics Integrity Proof and Evidence Management Method using Network Server - Google Patents

Mobile Forensics Integrity Proof and Evidence Management Method using Network Server

Info

Publication number
KR20150069182A
Authority
KR
South Korea
Prior art keywords
server
file
information
dump file
mobile
Prior art date
Application number
KR1020130155293A
Other languages
Korean (ko)
Inventor
남기훈
Original Assignee
남기훈
Application filed by 남기훈
Priority to KR1020130155293A
Publication of KR20150069182A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00 Digital computers in general; Data processing equipment in general
    • G06F15/16 Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/18 Information format or content conversion, e.g. adaptation by the network of the transmitted or received information for the purpose of wireless delivery to users or terminals

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention relates to a method for proving mobile forensic integrity and for managing evidence. The present invention provides a method for proving mobile forensic integrity and managing evidence by using a server, comprising the steps of: generating a dump file from an analysis object file of a smart device; transmitting the dump file over a network to a server; and storing the transmitted dump file in the server.

Description

[0001] Mobile Forensic Integrity Proof and Evidence Management Method using Network Server

The present invention relates to a method for improving the integrity of mobile forensics using a server and efficiently managing and integrating evidence.

Smart phones, tablet PCs, and other personal communication devices, that is, mobile devices, have become popular and are now a necessity for the majority of modern people. Recently, mobile devices have been developed to carry out many tasks that used to be done on personal computers, such as games, cameras, diaries, checking and sending mail, and surfing the web, in addition to the call and text sending and receiving functions. They also have GPS functions and provide various location-based services.

As the services provided have grown, the highly portable mobile device collects and stores extensive information about the user's behavior, such as communication history and movement routes. Thus, there is a high probability that useful evidence related to a criminal investigation can be collected from mobile devices.

Mobile forensics has been developed as a means of investigating the information that mobile devices have. Mobile forensics is a field of digital forensics that involves recovering deleted data from mobile devices or gathering scattered information to get meaningful forensic evidence.

One of the important things to consider in mobile forensics is the authentication of evidence. Proving that the original of the evidence is unimpaired is a very important process, both from a legal point of view and for making the case convincing.

Electronic proofs are used to show the integrity of the file under forensic examination. As a representative method, an integrity check can be performed to confirm whether the file is the original by using the algorithm called MD5 (Message-Digest algorithm 5).

However, MD5 is no longer a viable means of ensuring the integrity of the file, owing to problems such as the recently announced design flaw and the announcement that SSL certificates can be tampered with by exploiting MD5's defects.

On the other hand, another important point to consider in mobile forensics is efficient evidence management. Currently, mobile forensics is carried out by connecting the mobile devices of suspects to forensic devices.

However, in this case, in order to refer to the original investigation file acquired from the mobile device, the original file has to be moved on a removable disk or the like, or sent by file transfer. This not only delays the investigation but also causes problems in managing the original file, such as the existence of a large number of copies.

Therefore, there is a need for a method that can efficiently manage the evidence while ensuring the integrity of the file that is the subject of the forensics.

Korean Patent Publication No. 10-2008-002786 (Mar. 12, 2008)

The present invention proposes a mobile forensic integrity verification and evidence management method that integrates and efficiently manages evidence while giving integrity to the results of mobile forensics by using a server.

Other objects and advantages of the present invention will become apparent to those skilled in the art from the following detailed description.

According to an aspect of the present invention, there is provided a mobile forensic integrity verification and evidence management method using a server, comprising: generating a dump file from a file to be analyzed of a smart device; transmitting the dump file to a server via a network; and storing the transmitted dump file in the server.

The method may further include the steps of the user terminal requesting the server to analyze the dump file, the server analyzing the dump file to extract analysis information, and transmitting the extracted analysis information to the user terminal.

The method may further include deleting the dump file generated after transmitting the dump file to the server through the network.

The generating of the dump file may be performed in either a PC or a mobile device on which an application program for generating a dump file of the information stored in the smart device and transmitting the generated dump file to the server is installed and executed.

The analysis object file may include at least one of time information, coordinate information, file system information, file log information, call log information, data log information, and mobile web history information.

According to the embodiment of the present invention, since the integrity of the mobile forensic result can be ensured without applying a complicated algorithm, the value of the forensic result as evidence is increased, while the original file is stored and managed in the server, which makes evidence management effective.

The effects of the present invention will be clearly understood by those skilled in the art, either from the specific details described below or in the course of practicing the present invention.

FIG. 1 is a block diagram illustrating a system configuration for implementing a mobile forensic integrity verification and evidence management method using a server according to an embodiment of the present invention.
FIG. 2 is a flowchart schematically illustrating a method of managing mobile forensic integrity verification and evidence using a server according to an embodiment of the present invention.
FIG. 3 is a view showing an implementation state of a mobile forensic integrity verification and evidence management method using a server according to an embodiment of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other features and advantages of the present invention will become more apparent from the following detailed description of the present invention when taken in conjunction with the accompanying drawings. The present invention is capable of various modifications and various forms, and specific embodiments are illustrated in the drawings and described in detail in the text. It is to be understood, however, that the invention is not intended to be limited to the particular forms disclosed, but on the contrary is intended to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.

Hereinafter, a mobile forensic integrity verification and evidence management method according to an embodiment of the present invention will be described in detail with reference to the drawings. In the present specification, the same reference numerals are assigned to the same components in different embodiments, and the description thereof is replaced with the first explanation.

A mobile forensic integrity verification and evidence management method according to an embodiment of the present invention includes generating a dump file from an analysis object file of a smart device, transmitting the dump file to a server via a network, and storing the transmitted dump file in the server.

Here, the step of generating a dump file is performed in a user terminal capable of file dumping. A file dump means copying all or part of the contents of a storage device or file to a line printer or another destination, for debugging a program or for checking data. By dumping the analysis target file and generating the dump file, the file can be easily transferred to the server. The dump file may be created first and then sent to the server, or it may be sent to the server at the same time it is created.

The transmitted dump file is stored on the server. A secure operating environment is easy to establish on the server, so the dump file stored there can be preserved without damage, and the integrity of the stored file can be guaranteed by preventing its forgery or alteration.

In addition, dump files related to various incidents are collectively stored in the server, and the investigator can access the dump file stored in the server through the network using the user terminal, thereby effectively managing the evidence.

Hereinafter, each component of the system for implementing the mobile forensic method according to an embodiment of the present invention will be described in detail.

FIG. 1 is a block diagram illustrating a configuration of a system for implementing a mobile forensic integrity verification and evidence management method using a server according to an embodiment of the present invention.

A system for implementing a mobile forensic method according to an embodiment includes a smart device 100, a user terminal 200, and a server 300. The smart device 100, the user terminal 200 and the server 300 are interconnected via a communication cable or network.

The smart device 100 is the analysis target device analyzed by the mobile forensic method according to an embodiment of the present invention. In recent years, the use of the smart device 100 has become widespread; users carry the smart device 100 with them and use its diversified functions, such as web surfing, chatting, and playing games, in addition to sending and receiving messages or making calls.

In general, digital forensics has targeted storage media such as general personal computers, hard disks, and memory. However, since the smart device 100 holds comprehensive information on the user's behavior, mobile forensics has become important.

In addition, since most smart devices 100 can be located through the GPS function or the mobile communication network, mobile forensics of the smart device 100 can reveal changes in the user's position, which can greatly assist investigations.

The smart device 100 is a kind of mobile device such as a smart phone, a smart note, a tablet PC, or a smart camera. However, the smart device 100 on which the mobile forensic process according to the present invention can be performed is not limited to the above-described types of terminals; it may be a smart device with various functions, provided it is a device that requires analysis through mobile forensics. The smart device 100 of the present invention can play its role regardless of the form of the terminal.

In addition, the smart device 100 of the present invention may include any type of smart device that is currently being used or will become available in the future.

The user terminal 200 may be a client terminal that extracts an analysis object file from the smart device 100, generates a dump file, and transmits the dump file to the server 300 via the network.

An investigator or an investigation agency installs and executes an application program for extracting a dump file on the user terminal 200 and extracts the analysis object file by connecting the smart device 100 to the user terminal 200 over a serial link such as USB.

That is, the user terminal 200 does not necessarily have to be a device dedicated to mobile forensics; it may be a PC or a mobile device on which an application program for generating a dump file of the information stored in the smart device 100 and transmitting the generated dump file to the server 300 is installed and executed. Thus, using an application program, mobile forensics can be performed without a dedicated device.

Meanwhile, the user terminal 200 may receive the analysis information from the server 300 through the network and output it so that it can be easily confirmed by the investigator or the investigation agency.

At this time, the user terminal 200 can provide the transmitted analysis information as a text type document. That is, the user terminal 200 may output analysis information in the form of a text so that the investigator can check the information. The document of the analysis information may include data that can be analyzed in the form of text such as behavior information according to time, location information according to time, call history, text message, and messenger conversation contents.

Although the user terminal 200 has been described as receiving and outputting the analysis information from the server 300, the user terminal 200 may perform the analysis (forensic) after receiving the dump file from the server 300.

In addition, the user terminal 200 can simulate the behavior of the user using the extracted analysis information. In other words, the user terminal 200 can be configured to simulate the user's behavior, or where the user moved from and to, based on the extracted analysis information. Such a simulation may instead be performed by the server 300, with the user terminal 200 simply outputting the simulation information.

The server 300 is in charge of communication with the user terminal 200 as its client and of the management of files. The server 300 receives the dump file from the user terminal 200 and stores it. In addition, analysis information can be generated and transmitted at the request of the user terminal 200. For this purpose the server includes a communication module and a storage module.

Because a secure operating environment is easy to establish on the server 300, it can serve as the solution for securing the integrity of the dump file, which includes personal information, and of the analysis information derived from that personal information. In particular, a protective barrier can be established against hacking by an outside party intending to forge or alter the dump file: tamper evidence, an operating system with added security functions, system access restrictions, and countermeasures against external attacks that exploit bugs in application programs. The integrity of the stored evidence file is therefore naturally proven.

In addition, the server 300 can store a plurality of original dump files and manage them in an integrated and efficient way. It is also easy for multiple related investigators to refer to the original file from the mobile device, and it is not necessary to move the original file on a removable disk or by file transfer, so the investigation can be carried out quickly, uncontrolled copies of the file are prevented, and effective evidence management becomes possible.

Next, a mobile forensic integrity verification and evidence management method using a server according to an embodiment of the present invention will be described in detail with reference to the drawings.

FIG. 2 is a flowchart schematically illustrating a method of a mobile forensic integrity verification and evidence management using a server according to an embodiment of the present invention.

According to an embodiment, the method includes a step (s1) of generating a dump file from an analysis object file of the smart device 100, a step (s2) of transmitting the dump file to the server 300 via the network, and a step (s3) of storing the dump file transmitted to the server 300.

In addition, the method further includes a step (s4) in which the user terminal 200 requests the server 300 to analyze the dump file, a step (s5) in which the server 300 analyzes the dump file and extracts analysis information, and a step (s6) of transmitting the analysis information to the user terminal 200.

The method may further include deleting the dump file generated after transmitting the dump file to the server 300 through the network and remaining in the user terminal 200.

First, a dump file is generated from the analysis object file of the smart device 100 (s1). This is performed in the user terminal 200 connected to the smart device 100, which generates a dump file from the analysis target file stored in the smart device 100. At this time, the analysis target file includes at least one of time information, coordinate information, file system information, file log information, call log information, data log information, mobile web history information, or the like.

In particular, the analysis target file may be a file having a db extension, and a dump file can be generated by dumping the analysis target file and all related files associated therewith.

The user terminal 200 then transmits the generated dump file to the server 300 via the network (s2). That is, in this step the user terminal 200 transmits the dump file obtained from the smart device 100 in the previous step to the server 300 through the network.

At this time, the dump file transmitted to the server 300 can be encrypted. Since the dump file includes a wide range of information from the smart device 100 as evidence data, the risk of hacking while the dump file is transmitted through the network is high. Therefore, the dump file can be encrypted before transmission to the server 300, thereby enhancing security.

In the next step, the server 300 stores the dump file transmitted to it (s3). In this case, it is preferable that no dump file is left in the user terminal 200. This can be achieved either by deleting the dump file remaining in the user terminal 200 after the transmission is completed, or by transmitting the dump file to the server 300 as it is generated and storing it there.

Accordingly, even if the user terminal 200 that held the dump file is hacked at a later time, confidential information such as the analysis technique of the mobile forensic device is prevented from leaking.

Through the above steps, the file stored in the server 300 is secured for the integrity of the file and the file can be managed integrally and efficiently.

In the next step, the user terminal 200 requests the server 300 to analyze the dump file (s4).

In this way, when a user such as an investigator wants to access the dump file through the user terminal 200, the server 300 can request information from the user of the user terminal 200. For example, the requested information may include the serial number of the accessing user terminal 200, a telephone number, or the telephone number in combination with the serial number of the user terminal 200.

In the next step, the server 300 analyzes the dump file to extract analysis information (s5). The server 300 analyzes the dump file and extracts analysis information, which is a result of mobile forensic performance.

Here, the analysis information may be behavior information capable of grasping an action using the smart device 100, location information of the smart device 100, and the like.

The behavior information may include at least one of transmission and reception of a message at a specific time, placing and receiving a telephone call, taking a photograph, installation and execution of an application program, and visiting a website or performing a search. For example, even though the user has deleted the message itself, the log information on transmission and reception of the message may remain in the smart device 100, so that the server 300 can extract information on the behavior of the user who transmitted or received the message.

In addition, communication using the chat application program is also recently activated, so that even if the chat conversation itself is unknown, the user's behavior can be grasped through the execution of the chat application program and the time information. In addition, the location information can be extracted from the time information and the coordinate information included in the log information by analyzing the dump file, and the user location can be inferred using the coordinate information of the smart device 100 at a specific time.

In the next step, the analysis information is transmitted to the user terminal 200 (s6). That is, the analysis information, which is the result of the forensic process obtained in the previous step, is transmitted to the user terminal 200 through the network. This analysis information has sufficient value as proof because it is verified in the sense of having been transmitted from the server 300.

At this time, the dump file transmitted to the user terminal 200 can be encrypted. The analysis information contains various information about the evidence, so precautions must be taken against the risk of hacking over the network. Therefore, security can be enhanced by encrypting the analysis information before transmitting it to the user terminal 200.

In the next step, the behavior of the user may be simulated using the analysis information extracted by the user terminal 200.

That is, it is difficult to quickly and accurately grasp the flow of the user's actions merely by listing the analysis information, and even if the behavior information is listed in time order, there may be limits to how quickly the large volume of data from the smart device 100 can be reviewed. Therefore, by simulating the behavior of the user, an investigator or the like can review the large volume of data from the smart device 100 quickly, easily, and intuitively.

The subject performing the above-described simulation may be the server 300. In this case, the server 300 may visualize and output the analysis information or a simulation result based on it, or may transmit the analysis information to the user terminal 200. That is, through the user terminal 200, an investigator or the like can visually confirm the simulation result. At this time, since the simulation result is output according to time, the visualized information can change over time, and the simulation result can be played back at a predetermined speed.

Meanwhile, the server 300 may transmit a confirmation message to the user terminal 200 confirming that the server 300 will perform the mobile forensic process. That is, when the forensic request is transmitted from the mobile forensic device to the server 300, the server 300 transmits an acknowledgment message to the user terminal 200 indicating that it will perform the mobile forensic operation. If the confirmation message includes the estimated time required for the mobile forensic service, the convenience of the investigator or the investigation agency is improved.

The confirmation message may display a forensic progress window on the user terminal 200 used by the investigator or the like and output a confirmation message.

FIG. 3 is a view showing an operation state of a mobile forensic integrity verification and evidence management method using a server according to an embodiment of the present invention.

Referring to the drawings, a plurality of user terminals 200 are connected to a server 300 through a network. The user terminal 200 requests analysis of the analysis target dump file stored in the server 300 and receives the analysis information.

Here, when the user wants to access the dump file through the user terminal 200, the server 300 may request the user of the user terminal 200 for information.

The analysis information obtained by the server 300 is transmitted to the user terminal 200 requesting analysis. The user terminals 200 permitted to receive the analysis information can be limited to user terminals 200, such as those of an investigation agency, previously registered in the server 300.

Meanwhile, the user terminal 200 may be a user terminal 200 that generates and transmits a dump file.

In this way, a plurality of user terminals 200 are connected to the server 300, and various investigators related to the server 300 can perform forensic operations using the server 300. The investigation results of the dump file can be secured by multiple investigators at the same time. In addition, the server 300 manages the dump file, which is evidence of various incidents, so that efficient evidence management is possible.
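An added worked example (not code from the patent) that simulates the s1 to s6 workflow described above as a client/server exchange: the user terminal dumps a constructed sample analysis object file, the server stores it and issues a receipt, the terminal deletes its local copy only once the receipt confirms the same digest, and analysis is served only to terminals whose serial numbers are registered, as FIG. 3 describes. The SHA-256 digest, the registered-serial list and the JSON dump format are assumptions; transport encryption (e.g. TLS) is assumed to be handled outside this simulation.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "analysis object file" (not data from the patent). The
# message body is gone, but its log entry still records the send action.
SAMPLE_DB = {
    "call_log": [
        {"time": "2013-12-13T09:05:00", "number": "010-1234-0001", "dir": "out"},
        {"time": "2013-12-13T08:40:00", "number": "010-1234-0002", "dir": "in"},
    ],
    "message_log": [
        {"time": "2013-12-13T08:55:00", "number": "010-1234-0002", "dir": "out", "body": None},
    ],
    "web_history": [{"time": "2013-12-13T09:10:00", "url": "http://example.com/map"}],
}


def sha256_hex(data: bytes) -> str:
    """Integrity digest for transit and at-rest checks (SHA-256 is our choice,
    not the patent's; the patent names MD5 only as the method it moves away from)."""
    return hashlib.sha256(data).hexdigest()


def generate_dump(analysis_object: dict) -> bytes:
    """s1: serialise the analysis object file into a dump file (canonical JSON)."""
    return json.dumps(analysis_object, sort_keys=True).encode("utf-8")


class EvidenceServer:
    """Server 300: stores dump files; serves only registered terminals (assumed serials)."""

    def __init__(self, registered_serials):
        self.registered = set(registered_serials)
        self.store = {}  # evidence_id -> {"dump": bytes, "receipt": dict}

    def _authorise(self, serial: str) -> None:
        if serial not in self.registered:
            raise PermissionError(f"terminal {serial} is not registered")

    def receive(self, serial: str, evidence_id: str, dump: bytes, claimed: str) -> dict:
        """s3: store the transmitted dump after checking it arrived intact."""
        self._authorise(serial)
        if sha256_hex(dump) != claimed:
            raise ValueError("dump file altered or corrupted in transit")
        receipt = {"evidence_id": evidence_id, "sha256": claimed, "from_terminal": serial,
                   "received_at": datetime.now(timezone.utc).isoformat()}
        self.store[evidence_id] = {"dump": bytes(dump), "receipt": receipt}
        return receipt

    def analyse(self, serial: str, evidence_id: str) -> dict:
        """s5: re-verify the stored dump, then build a time-ordered behaviour timeline."""
        self._authorise(serial)
        entry = self.store[evidence_id]
        if sha256_hex(entry["dump"]) != entry["receipt"]["sha256"]:
            raise RuntimeError("stored evidence no longer matches its receipt")
        data = json.loads(entry["dump"])
        events = [(c["time"], f"call {c['dir']} {c['number']}") for c in data.get("call_log", [])]
        events += [(m["time"], f"message {m['dir']} {m['number']}") for m in data.get("message_log", [])]
        events += [(w["time"], f"web {w['url']}") for w in data.get("web_history", [])]
        return {"receipt": entry["receipt"], "timeline": sorted(events)}


class UserTerminal:
    """User terminal 200: dumps, transmits, deletes the local copy, requests analysis."""

    def __init__(self, serial: str):
        self.serial = serial
        self.local_dump = None

    def acquire(self, analysis_object: dict) -> None:
        self.local_dump = generate_dump(analysis_object)  # s1

    def transmit(self, server: EvidenceServer, evidence_id: str) -> dict:
        """s2, then local deletion: discard the local copy only after the server's
        receipt echoes the digest computed here, so nothing is lost to a bad transfer."""
        digest = sha256_hex(self.local_dump)
        receipt = server.receive(self.serial, evidence_id, self.local_dump, digest)
        if receipt["sha256"] == digest:
            self.local_dump = None
        return receipt

    def request_analysis(self, server: EvidenceServer, evidence_id: str) -> dict:
        return server.analyse(self.serial, evidence_id)  # s4 and s6


def run_workflow():
    """End-to-end run of s1-s6 with the constructed sample data."""
    server = EvidenceServer(registered_serials=["TERM-0001", "TERM-0002"])
    terminal = UserTerminal("TERM-0001")
    terminal.acquire(SAMPLE_DB)
    receipt = terminal.transmit(server, "case-2013-001")
    result = terminal.request_analysis(server, "case-2013-001")
    return server, terminal, receipt, result
```

The at-rest re-check in `analyse` is the point a practitioner would add on top of the patent's reliance on the server's operating environment: a later modification of the stored dump is caught before any analysis information is produced from it.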

While the present invention has been described in connection with what is presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

100: Smart devices
200: user terminal
300: server

Claims (5)

1. A mobile forensic integrity verification and evidence management method using a server, comprising:
generating a dump file from the analysis target file of a smart device;
transmitting the dump file to a server via a network; and
storing, in the server, the dump file transmitted to the server.
2. The method of claim 1, further comprising:
causing a user terminal to make an analysis request for the dump file to the server;
analyzing the dump file in the server and extracting analysis information; and
transmitting the extracted analysis information to the user terminal.
3. The method according to claim 1 or 2, further comprising deleting the generated dump file after transmitting the dump file to the server through the network.
4. The method of claim 1, wherein the step of generating the dump file is performed in any one of a PC or a mobile device in which an application program for generating a dump file of information stored in the smart device and transmitting the generated dump file to the server is installed and executed.
5. The method of claim 1, wherein the analysis object file includes at least one of time information, coordinate information, file system information, file log information, call log information, data log information, and mobile web history information.
KR1020130155293A 2013-12-13 2013-12-13 Mobile Forensics Integrity Proof and Evidence Management Method using Network Server KR20150069182A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020130155293A KR20150069182A (en) 2013-12-13 2013-12-13 Mobile Forensics Integrity Proof and Evidence Management Method using Network Server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020130155293A KR20150069182A (en) 2013-12-13 2013-12-13 Mobile Forensics Integrity Proof and Evidence Management Method using Network Server

Publications (1)

Publication Number Publication Date
KR20150069182A true KR20150069182A (en) 2015-06-23

Family

ID=53516361

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020130155293A KR20150069182A (en) 2013-12-13 2013-12-13 Mobile Forensics Integrity Proof and Evidence Management Method using Network Server

Country Status (1)

Country Link
KR (1) KR20150069182A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180066637A (en) * 2016-12-09 2018-06-19 기산전자 주식회사 Banknote handling apparatus and method
CN111475465A (en) * 2020-03-19 2020-07-31 重庆邮电大学 Intelligent home evidence obtaining method based on body

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application