RISS Academic Research Information Service

      • KCI-listed

        A Study on the Size of Windows NTFS Journal Logs for Improving Forensic Readiness

        김동헌,오정훈,이상진 한국디지털포렌식학회 2024 디지털 포렌식 연구 Vol.18 No.1

        Recently, the need for prompt and appropriate response to threats such as intrusion incidents and data breaches within organizations has emerged. Accordingly, organizations continue to make efforts to establish information protection measures based on the concept of forensic readiness, to create an environment in which reliable digital evidence can be collected, and to minimize incident response costs. In the Windows NTFS environment, $LogFile and $UsnJrnl are the main digital forensic artifacts used to analyze file transactions. In practice, however, due to the nature of these artifacts, the logs from the time of an incident's initial access are not preserved for long, so they are often difficult to use as evidence. In this paper, we look at the sizes of $LogFile and $UsnJrnl in the Windows NTFS system environment from the perspective of forensic readiness, suggest appropriate criteria that take the dwell time of an intrusion attempt into account, and seek to demonstrate their effectiveness through experiments. Adjusting the sizes of $LogFile and $UsnJrnl accordingly can improve an organization's forensic readiness.

      • KCI-listed

        Forensic-based investigation-optimized extreme gradient boosting system for predicting compressive strength of ready-mixed concrete

        Chou Jui-Sheng,Chen Li-Ying,Liu Chi-Yun 한국CDE학회 2023 Journal of computational design and engineering Vol.10 No.1

        Regulations mandate testing concrete’s compressive strength after the concrete has cured for 28 days. In the ideal situation, cured strength equals the target strength. Advanced estimation of concrete’s compressive strength can facilitate quality management, improve safety, and present economic advantages in sustainable use. Basic statistical methods cannot effectively predict concrete’s strength or its non-linear relationships with the proportions of its constituent materials. In this study, a baseline model for predicting concrete’s compressive strength was constructed using a state-of-the-art machine-learning method. Most related studies have used sets of concrete mix design results concerning concrete specimens for laboratory-produced concrete specimens as training sets and have obtained simple models through regression; however, these models have been unsuitable for onsite prediction of the compressive strength of concrete with the various mix designs. Control over mix proportions is high in laboratories, resulting in low variation; onsite manual operation and environmental factors cause significant variations in assessment data. In this study, machine-learning techniques and a newly developed metaheuristic optimization algorithm were applied to big long-term data from 75 concrete plants to construct the optimal machine-learning model. Our self-developed forensic-based investigation algorithm was employed to fine-tune the hyperparameters of the extreme gradient boosting model and to improve the model’s generalizability. The lowest mean absolute percentage error (MAPE) obtained using this model was 9.29%, which was smaller than the lowest MAPE achieved using the conventional simple regression with the water-to-binder (W/B) ratio (12.73%). The traditional method tends to overestimate the actual compressive strength. Finally, a convenient expert system was developed that facilitates the use of the proposed model by onsite engineers for quality management. 
        This system expedites the judgment of whether a mixed design is reasonable, reducing production costs while maintaining the safety of concrete structures. It can be widely applied in practice and function as an effective decision-making tool.

      • KCI-listed

        A Study on Secure File Transfer through File Format Conversion and Building Forensic Readiness in a Network-Separated Environment

        한재혁,윤영인,허지민,이재연,최정인,홍석준,이상진 한국정보보호학회 2019 정보보호학회논문지 Vol.29 No.4

        Cybersecurity attacks targeting specific users are rising in number, and damage from APT attacks continues to occur even as enterprises try to strengthen their cybersecurity. A network-separated environment, in which the internet network and the business network are separated, can block information coming from the outside; in practice, however, not all inflow of outside information can be controlled, for reasons of business efficiency and productivity. Even if enterprises strengthen security policies such as network interconnection systems and introduce solutions incorporating CDR technology to remove unnecessary data contained in files, they are still exposed to security threats. We therefore propose a system that converts the file format when transferring files between networks in a network-separated environment, to prevent the security threat of malicious code embedded in documents. The document is converted into an image file, reflecting attack patterns that insert malicious code into document files. In addition, considering forensic readiness, this paper proposes a system for use in the network-separated environment that includes a function allowing a document file to keep the information needed for smooth incident response.

      • KCI-listed

        Implementation Privacy Reference Architecture for Forensic Readiness

        Yong-Nyuo Shin 한국지능시스템학회 2012 INTERNATIONAL JOURNAL of FUZZY LOGIC and INTELLIGE Vol.12 No.1

        As the Privacy Act is in force in Korea, the subject of protection responsibility is increased, and continuous efforts are made to protect privacy in overseas countries, as can be seen by standard drafts related to privacy protection. However, the reality is that a formal privacy manual or guidelines are insufficient to help cope with the rapid changes and privacy leaks caused by TGIF (Twitter-Google-iPhone-Facebook) these days, and practical effects cannot be expected, even though measures are taken. This paper proposes a standard format for satisfying the ISO/IEC 29101 "Privacy Reference Architecture" and shows an implementation example for equipping with forensic readiness, capturing indications of the incident rapidly and coming up with an effective countermeasure when privacy information is disclosed.

      • A Design of Evaluation Framework for the Assets and Insolvency Prediction Depending on the Industry Type Using Data Standardization based on the Forensic Readiness

        Jaechun Kim,Youngjun Son,Mokdong Chung 보안공학연구지원센터 2015 International Journal of Multimedia and Ubiquitous Vol.10 No.4

        In this paper, analysis scenario, detection and risk and the negative risk classification and measurement industry through Analysis of data for types of topics, including through change according to the situation in Predictive Evaluation and Monitoring Forensic by designing ICANN-based frame based, focusing the arrangements. The proposed system is business through links to the existing legacy systems and operates in the insolvency of corporate assets and the Predictive Evaluation of operational, the firm's assets by managing, and Risk Management for efficient and reliable support for such assets, management and recovery for by business interests can be enhanced. Also Forensic data to utilize an analysis, monitoring the standardization of arrangements are based also, Min, Protos, or corporate disputes such as criminal proceedings for gathering evidence through the data. It can prevent accidents and civil affairs and others, we can provide. For corporations as well as the situation of the Enterprise during system operation and can be verified by analysis of data, by providing the framework that can provide cost, and Software reuse can do.

      • KCI-listed

        Aviation Applications: A Study on a Digital Forensic Investigation Model Based on the Privacy Act

        이창훈 ( Chang Hoon Lee ) 한국항행학회 2011 韓國航行學會論文誌 Vol.15 No.6

        With the recent enforcement of the Privacy Act in Korea, the demand on domestic companies to fulfil their obligation to take safety measures in managing personal information is growing, which in turn calls for technical responses to the specific regulatory provisions on personal information processing, such as collection, use, restriction, management, and destruction. Accordingly, when an incident occurs at a company, safety measures must be taken so that it can be verified whether the personal information management system was operated so as to function correctly, and a concrete preparation process for verifying this must be carried out; this corresponds to the investigation preparation phase, the first phase of the digital forensic investigation model. In addition, the investigation team dispatched to the scene must conduct an appropriate investigation to check whether these measures were carried out correctly, which relates to the on-site response phase. This paper examines what needs to be supplemented in the investigation preparation and on-site response phases of the digital forensic investigation model in order to implement and check compliance with the Privacy Act, and on that basis suggests improvements to a digital forensic investigation model corresponding to the Privacy Act.

      • KCI-listed

        A Study on Configuring the Windows File System Audit Function to Improve Forensic Readiness

        이명수(Myeong-Su Lee),이상진(Sang-Jin Lee) 한국정보보호학회 2017 정보보호학회논문지 Vol.27 No.1

        If digital forensic investigators can obtain file access logs when they audit insider information leakage cases or intrusion incident cases, they can trace users' behavior more clearly, which helps greatly in proving a case. There are many known artifacts related to file access in MS Windows, but each of the artifacts often holds only partial information and, by its nature, is usually not preserved for long enough, so it is often hard to track down what has happened in a real case. In this thesis, I suggest a method to utilize the SACL (System Access Control List), which is one of the audit functions provided by MS Windows. By applying this method of strengthening the Windows audit settings, even small organizations that cannot adopt external security solutions can build an environment in which an incident can be proven more clearly when it occurs.
