1. Field of the Invention
The present invention relates to an apparatus and method for searching for digital forensic data, and more particularly, to an apparatus and method for searching for digital forensic data capable of automatically determining a character encoding type used in searching for data.
2. Discussion of Related Art
Digital forensics is a structured investigation process for proving factual relationships in cases based on digital data stored in a computer, a PDA, a mobile phone, etc. Digital forensics is widely used for criminal investigations conducted by national investigation agencies such as a public prosecutor's office and the police, and is also considered important in the private sector, for example by enterprises and financial companies.
Digital forensics roughly involves the processes of collecting, analyzing and submitting evidence. Generally, evidence is collected by gathering the data remaining in storage media such as a computer memory, a hard disk drive, a USB memory, etc. An investigator then analyzes the collected data and obtains useful information necessary for an investigation.
Text included in data can be stored as different byte values depending on the character encoding type. For example, when the character encoding type is KSC-5601, UTF-8, UTF-16 Little Endian (LE) or UTF-16 Big Endian (BE), the Korean character “가” is stored, in hexadecimal, as B0A1, EAB080, 00AC or AC00, respectively. Therefore, in order for the investigator to search for character information included in data in the process of analyzing evidence, it is necessary to select the correct character encoding type.
In a conventional method for searching for data, which is used in digital forensics, an investigator manually sets the character encoding type of the data included in evidence to conduct a search. For example, in widely known commercially available digital forensic products, including Guidance Software's ENCASE, AccessData's FTK and X-Ways Software Technology's X-Ways Forensics, a user either sets a character encoding type manually or uses the active character encoding type currently used in the user's system to search for data.
However, in such a method, it is not possible to accurately know the actual character encoding type of the data subject to the search, and thus an investigator should attempt to search for data using all selectable character encoding types. Therefore, in the conventional method for searching for data, accuracy and efficiency of a search for data may deteriorate.
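The following sketch illustrates the conventional approach described above: one keyword is turned into a separate byte pattern for each candidate encoding, and every pattern is searched for in raw evidence bytes. It is an added example, not code from the patent or from any of the products named; the function names and the sample buffer are constructed for illustration, and Python's `euc_kr` codec is assumed to stand in for KSC-5601.

```python
# Added illustration: names and sample data are constructed, not from the patent.
ENCODINGS = {
    "KSC-5601": "euc_kr",      # assumption: Python's EUC-KR codec for KS C 5601
    "UTF-8": "utf-8",
    "UTF-16 LE": "utf-16-le",
    "UTF-16 BE": "utf-16-be",
}

KEYWORD = "\uac00"  # the Korean character whose byte values the text lists


def keyword_patterns(keyword):
    """Return {encoding name: byte pattern} for one search keyword."""
    return {name: keyword.encode(codec) for name, codec in ENCODINGS.items()}


def find_all(haystack, needle):
    """Yield every offset at which needle occurs, including overlapping hits."""
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)


def search_all_encodings(data, keyword):
    """Search raw bytes once per candidate encoding; return sorted (offset, name)."""
    hits = []
    for name, pattern in keyword_patterns(keyword).items():
        hits.extend((off, name) for off in find_all(data, pattern))
    return sorted(hits)


def build_sample_evidence():
    """Constructed buffer: the same character stored under four encodings."""
    filler = b"\x11" * 4
    return filler.join(KEYWORD.encode(codec) for codec in ENCODINGS.values())


if __name__ == "__main__":
    data = build_sample_evidence()
    # A search with a single user-selected encoding sees only one of four copies.
    only_utf8 = list(find_all(data, KEYWORD.encode("utf-8")))
    print(f"UTF-8 only: {len(only_utf8)} hit(s) at {only_utf8}")
    for off, name in search_all_encodings(data, KEYWORD):
        print(f"offset {off:2d}: matched as {name}")
```

Each additional candidate encoding adds another full pass over the data, which is the efficiency cost the passage attributes to the conventional method.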