[MM] Mar 9, 2020
Forensic Analysis of Residual Information in Adobe PDF Files
Hyunji Chung, Jungheum Park, Sangjin Lee
In recent years, as electronic files have come to include personal records and business activities, these files can serve as important evidence in a digital forensic investigation. In general, data that can be verified using the file's own application program is what is mostly used when investigating document files. However, in the case of PDF files, which are widely used today, certain data, including data from before modifications were made, remain in the document file unintentionally. Because such residual information may reveal the writing process of a file, it can be useful from a forensic viewpoint. This paper explains why residual information is stored inside a PDF file and describes a way to extract it. In addition, we demonstrate that the attributes of PDF files can be used to hide data.
[CR] Feb 28, 2020
Forensic analysis of the Windows telemetry for diagnostics
Jaehyeok Han, Jungheum Park, Hyunji Chung et al.
Telemetry is the automated sensing and collection of data from a remote device. It is often used to provide better services for users. Microsoft uses telemetry to periodically collect information about Windows systems, to help improve the user experience, and to fix potential issues. The Windows telemetry service works by creating RBS files on the local system to reliably transfer and manage the telemetry data, and these files can provide useful information in a digital forensic investigation. Combined with the information derived from traditional Windows forensics, investigators can have greater confidence in the evidence derived from various artifacts. It is possible to acquire information that can otherwise be confirmed only on live systems, such as the computer hardware serial number, the connection records for external storage devices, and traces of executed processes. This information is included in the RBS files created for use by Windows telemetry. In this paper, we introduce how to acquire the telemetry RBS files and analyze their data structure, which makes it possible to determine the types of information the Windows OS has collected. We also discuss the reliability and novelty of the RBS files by comparing them with conventional artifacts, which could be useful in a digital forensic investigation.
[IR] Oct 16, 2018
A Retrieval Framework and Implementation for Electronic Documents with Similar Layouts
Hyunji Chung
As the number of digital documents requiring investigation increases, it has become more important to identify the documents relevant to a given case. There has been continual demand for ways of finding relevant files in order to overcome this kind of issue. When looking for similar files, there can be a situation where no metadata such as timestamp, file size, title, subject, template, author, etc. is available. In this situation, investigators will focus on searching for document files that contain specific keywords related to the case. Although the traditional keyword search with elaborate regular expressions is useful for digital forensics, there is a possibility that closely related documents are missed because their body contents are totally different. In this paper, we introduce a recent real case involving the handling of large amounts of document files. This case suggests that similar-layout search will be useful for more efficient digital investigations if it can be utilized appropriately to supplement the results of the traditional keyword search. Until now, research involving electronic-document similarity has mainly focused on byte streams, format structures, and body contents. However, there has been little research on the similarity of visual layouts from the viewpoint of digital forensics. In order to narrow this gap, this study presents a novel framework for retrieving electronic document files with similar layouts, and implements a tool for finding similar Microsoft OOXML files using user-controlled layout queries based on the framework.
[CR] Aug 22, 2017
Digital Forensic Investigation of Cloud Storage Services
Hyunji Chung, Jungheum Park, Sangjin Lee et al.
The demand for cloud computing is increasing because of the popularity of digital devices and the wide use of the Internet. Among cloud computing services, most consumers use cloud storage services that provide mass storage. This is because these services give them various additional functions as well as storage, and it is easy to access cloud storage services from smartphones. With increasing utilization, it is possible for malicious users to abuse cloud storage services. Therefore, a study on the digital forensic investigation of cloud storage services is necessary. This paper proposes a new procedure for investigating and analyzing the artifacts on all accessible devices, such as Windows, Mac, iPhone, and Android smartphones.
[CR] Jul 27, 2017
Digital Forensic Approaches for Amazon Alexa Ecosystem
Hyunji Chung, Jungheum Park, Sangjin Lee
Internet of Things devices such as the Amazon Echo are undoubtedly great sources of potential digital evidence due to their ubiquitous use and their always-on mode of operation, constituting a black box of human life. The Amazon Echo in particular plays a central role for the cloud-based intelligent virtual assistant (IVA) Alexa developed by Amazon Lab126. The Alexa-enabled wireless smart speaker is the gateway for all voice commands submitted to Alexa. Moreover, the IVA interacts with a plethora of compatible IoT devices and third-party applications that leverage cloud resources. Understanding the complex cloud ecosystem that allows the ubiquitous use of Alexa is paramount to supporting digital investigations when the need arises. This paper discusses methods for digital forensics pertaining to the IVA Alexa ecosystem. The primary contribution of this paper is a new, efficient approach that combines cloud-native forensics with client-side forensics to support practical digital investigations. Based on a deep understanding of the targeted ecosystem, we propose a proof-of-concept tool, CIFT, that supports the identification, acquisition, and analysis of both native artifacts from the cloud and client-centric artifacts from local devices.