Digital forensics is an investigation process in which digital data present in a digital device or system, such as a computer or a mobile phone, is collected and analyzed in order to determine the behavior of a specific user or the cause of an incident.
As the term implies, digital forensics handles digital data. Digital data is easy to copy by its nature, and a copy is difficult to distinguish from the original. Accordingly, for digital data to have legal validity, it must be processed and managed under proper controls throughout its handling so that the authenticity, integrity, reliability and originality of the evidence data are secured and the data can be admitted as evidence.
In conventional digital forensics, evidence data is collected from the target system to be analyzed by removing power from the target system and protecting the original data on a non-volatile storage medium, such as a disk, through a write-protection function. An evidence copy of the original is then generated, the copy is transferred to an evidence analyst, and the analyst examines the copy rather than the original.
However, the cost of evidence collection has increased with the recent growth in the capacity of non-volatile storage media; the availability of service has become important, as in a system that must continue to provide a specific service; and volatile evidence data has become as important as non-volatile evidence data. Accordingly, removing power and then collecting and analyzing evidence, as in conventional digital forensics, is increasingly restricted. Furthermore, the number of systems that may become the object of digital forensics is steadily increasing, and there is a growing need to handle a specific incident by rapidly collecting and analyzing evidence.
For example, Korean Patent Application Publication No. 10-2009-0079568, entitled “Apparatus and Method for Collecting Evidence Data”, discloses an apparatus and method for collecting evidence data that are capable of ensuring the admissibility of evidence for data whose storage medium is difficult to secure.
Accordingly, there is an increasing need for online, remote digital forensics that can guarantee the availability of the target system to be analyzed, can collect both volatile and non-volatile evidence data, and can remotely collect or analyze evidence data without a direct physical connection to the target system, so that incidents can be handled rapidly.
Evidence data collected using digital forensic technology includes all data present in a system, and may therefore include information related to the privacy of a user and information sensitive to the system owner, such as secret information related to the provision of the system's service. Furthermore, in remote digital forensics, the collected evidence data is delivered over an online service. Accordingly, the collected evidence data is exposed to the security threats inherent in an existing IT environment, such as leakage and alteration of data, impersonation of a legitimate evidence collector, repudiation of the transmission or reception of evidence data, and use (or abuse) of the data for purposes other than evidence.
Accordingly, there is a need for an apparatus and method capable of countering these security threats, satisfying the basic digital forensic requirements for collected evidence data so that the processing of sensitive information can be controlled, and providing security for evidence data by controlling access to it.
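The following Python example is added here as an illustration and is not part of the apparatus disclosed by this document. It shows the minimal control that the integrity and originality requirement above implies for an evidence copy, and how two of the threats listed for remote collection (alteration of the evidence data, and impersonation of a legitimate collector) are detected on the analyst's side: the collector records a SHA-256 hash of the acquired image in a manifest together with who collected what and when, authenticates the manifest with an HMAC under a key shared with the analyst, and the analyst checks the manifest before trusting the hash in it. The evidence image bytes, the key, and the collector and target identifiers are all constructed for the example.

```python
"""Hash manifest plus HMAC for an evidence copy (illustrative, stdlib only)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired evidence image; a real one would be a
# disk or memory dump read from the target system.
EVIDENCE_IMAGE = b"\x00" * 512 + b"MBR-like sample data" + b"\xff" * 512

# Assumed key pre-shared between the collector and the evidence analyst.
# In a deployed system it would be provisioned out of band, never hard-coded.
COLLECTOR_KEY = b"collector-key-for-illustration-only"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(image: bytes, collector_id: str, target_id: str,
                   acquired_at: str) -> dict:
    """Collector side: record what was acquired, by whom, from where, and its hash."""
    return {
        "collector": collector_id,
        "target": target_id,
        "acquired_at": acquired_at,
        "size": len(image),
        "sha256": sha256_hex(image),
    }


def canonical(manifest: dict) -> bytes:
    # Deterministic serialization so collector and analyst MAC identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the manifest under the shared key (HMAC-SHA256)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_evidence(image: bytes, manifest: dict, tag: str,
                    key: bytes) -> tuple:
    """Analyst side: authenticate the manifest first, then check the image.

    Returns (ok, reason). The manifest is checked before its hash is used so
    that a forged manifest cannot vouch for an altered image.
    """
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, tag):
        return False, "manifest authentication failed (forged or altered manifest)"
    if len(image) != manifest["size"] or sha256_hex(image) != manifest["sha256"]:
        return False, "image hash mismatch (evidence copy altered)"
    return True, "ok"


def demo() -> bool:
    """Run the acquisition, transfer and verification round trip."""
    acquired_at = datetime.now(timezone.utc).isoformat()
    manifest = build_manifest(EVIDENCE_IMAGE, "collector-01", "host-42", acquired_at)
    tag = sign_manifest(manifest, COLLECTOR_KEY)

    # Genuine copy and genuine manifest verify.
    ok, _ = verify_evidence(EVIDENCE_IMAGE, manifest, tag, COLLECTOR_KEY)

    # A single flipped bit in transit is detected by the recorded hash.
    tampered = bytearray(EVIDENCE_IMAGE)
    tampered[600] ^= 0x01
    altered_ok, _ = verify_evidence(bytes(tampered), manifest, tag, COLLECTOR_KEY)

    # An impersonator without the key cannot produce a manifest that vouches
    # for the altered copy.
    forged = build_manifest(bytes(tampered), "collector-01", "host-42", acquired_at)
    forged_tag = sign_manifest(forged, b"attacker-guess")
    forged_ok, _ = verify_evidence(bytes(tampered), forged, forged_tag, COLLECTOR_KEY)

    return ok and not altered_ok and not forged_ok


if __name__ == "__main__":
    print("round trip behaves as expected:", demo())
```

Because the key is shared, the HMAC gives integrity and origin authentication only between the two key holders; it does not give a third party non-repudiation of transmission or reception, which would require the collector to sign the manifest with an asymmetric key and the analyst to countersign receipt. The example stays with the standard library so that it runs stand-alone.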