Ext4 기반 오픈 플랫폼 시스템의 디지털 포렌식 연구

Digital Forensic Techniques for Ext4 based Open Platform Systems

Abstract / Summary

Digital forensics is defined as the process and method of investigating and proving, in a court of law, specific actions and the factual grounds of events through digital devices. The importance of digital forensics has grown as personal and corporate digital devices, such as smartphones and tablet PCs, have become more essential and critical, and as our daily use of these devices has diversified in recent years. Crimes that abuse or target digital devices are increasing, and the use of digital devices as sources of evidence has increased significantly. Within digital forensics, recovering deleted data plays an important role because it can uncover key evidence stored on the device. Moreover, for recovered data to be established as evidence, every step must observe due process, and the data acquisition step in particular must be handled with care. If due process is not observed during acquisition, otherwise solid evidence obtained in that step may not be admissible as key evidence. Accordingly, the legal and institutional aspects of this topic have been studied actively, and further research on the technical side is needed. Digital devices rely on a file system structure to store data on their storage media. Among these file systems, Ext4 is a well-known file system typically used in Linux distributions, and it is used in many kinds of digital devices, from Android to the Raspberry Pi. The need for research on the analysis and recovery of deleted files on the Ext4 file system is therefore becoming more prominent in the modern digital society. In this study, we propose a new digital forensic technique for the Ext4 file system and analyze several considerations required from the legal and institutional perspective.

Table of contents

1. Introduction
2. Background and related works
   A. Ext4 filesystem
   B. Related works
3. The issue of admissibility of digital evidence
   A. Analysis of laws and precedents
      1. Analysis of the relevant law and its limitations
      2. Analysis of cases related to establishing admissibility
   B. Acquisition methods for legally admissible digital evidence
4. Deleted data recovery for Ext4-based open platform systems
   A. Acquisition and analysis of digital evidence
      1. Acquiring digital evidence using the dd command (imaging)
      2. Analyzing acquired data
   B. Deleted file recovery using the journal area
      1. Checking unallocated inode numbers
      2. Confirming the deleted inode among unallocated inodes
      3. Finding the deleted inode in the journal area
   C. File name recovery through directory entries
      1. Directory entry analysis
      2. Identifying the directory entry of the deleted file
      3. Understanding the directory entry creation mechanism
      4. The H-tree structure in directory entries
   D. Design and implementation of the recovery tool
5. Experiment and results
   A. Confirming the reliability of the data acquisition methods
   B. Deleted file recovery
6. Conclusion
7. References