1. Field of the Invention
The present invention relates to a system and method for analyzing forensic evidence using an image filter, and more particularly to a system and method that allow an examiner, when analyzing digital evidence consisting of a variety of images stored on the hard disk of a suspect's PC, to analyze that evidence using an image filter to which a learning model is applied, without having to examine every one of a massive number of images.
This invention was supported by the IT R&D program of MIC/IITA [2007-S-019-01, Development of Digital Forensic System for Information Transparency].
2. Description of the Related Art
Recently, not only in computer crimes but also in ordinary crimes, important evidence or clues are increasingly stored in a variety of electronic media, such as computers. Digital data is easily duplicated, and it is difficult to distinguish an original from a copy. Further, digital data can easily be falsified, altered, or deleted. Therefore, a criminal investigation cannot be conducted with only such basic data as evidence. As sophisticated computer crimes increase, advanced digital forensic technologies are required for tracing and analyzing evidence; as a result, digital forensic technologies are continuously being developed to satisfy these requirements.
Digital forensic technology is divided into digital evidence collection techniques, digital evidence analysis techniques (including digital evidence recovery techniques), and digital evidence documentation techniques. These techniques examine and analyze digital devices, such as computers or mobile phones, to find potential evidence, and cover the transmission of electronic data and the identification, search, documentation, and preservation of stored information.
(1) Standardization of Digital Forensic Process
Standardization of the digital forensic process is increasingly being pursued so that data damaged or deleted by a cyber criminal on a digital device, such as a computer or mobile phone, can be restored, and so that the reliability of the digital evidence is secured and the evidence is accepted as admissible.
(2) Imaging of Storage Media
It is very important to produce bit-stream images that are physically and logically identical to the original media, because the digital evidence stored on them can easily be damaged or deleted. It is equally important that the imaging of storage media produce bit-stream images regardless of the type of storage medium, such as a hard disk, CD, or USB drive, and regardless of the operating system used with the medium.
(3) Verification of Digital Evidence
Verification of digital evidence proves that the collected data has not been falsified or damaged, using a hash value or an error-detection code, so that the data can be accepted as admissible evidence.
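The following is an added example, not part of the original description, of how such verification is carried out on a bit-stream image. It records a SHA-256 hash of the whole image at acquisition time together with one hash per fixed-size chunk, so that a later mismatch can be localized to the damaged chunk rather than only reported as a failed whole-image hash; the per-chunk scheme goes slightly beyond the plain hash check described above. The image bytes and the 4096-byte chunk size are constructed for the example. A collision-resistant hash such as SHA-256 should be used; MD5 alone is no longer adequate for proving that data has not been substituted.

```python
import hashlib
import hmac

CHUNK = 4096  # verification granularity in bytes (eight 512-byte sectors); chosen for this example


def make_sample_image(n_chunks: int = 8, chunk_size: int = CHUNK) -> bytes:
    """Constructed stand-in for an acquired bit-stream image (not real evidence)."""
    return bytes((i * 7 + 3) & 0xFF for i in range(n_chunks * chunk_size))


def hash_image(image: bytes, chunk_size: int = CHUNK):
    """Return (whole-image SHA-256, list of per-chunk SHA-256 hashes).

    The whole-image hash is what goes into the chain-of-custody record; the
    per-chunk hashes let a later mismatch be localized.
    """
    whole = hashlib.sha256(image).hexdigest()
    pieces = [
        hashlib.sha256(image[off:off + chunk_size]).hexdigest()
        for off in range(0, len(image), chunk_size)
    ]
    return whole, pieces


def verify_image(image: bytes, whole: str, pieces: list, chunk_size: int = CHUNK):
    """Return (ok, bad_chunks).

    ok is True only if the whole-image hash and every chunk hash still match.
    bad_chunks lists the indices of chunks whose content changed, plus the
    indices of chunks that are missing or extra if the image was truncated or grew.
    """
    cur_whole, cur_pieces = hash_image(image, chunk_size)
    bad = [
        i for i, (now, then) in enumerate(zip(cur_pieces, pieces))
        if not hmac.compare_digest(now, then)
    ]
    # A truncated or extended image changes the chunk count; report those chunks too.
    bad.extend(range(min(len(cur_pieces), len(pieces)), max(len(cur_pieces), len(pieces))))
    ok = hmac.compare_digest(cur_whole, whole) and not bad
    return ok, bad


if __name__ == "__main__":
    img = make_sample_image()
    whole, pieces = hash_image(img)
    print("acquired:", whole[:16], "...", f"{len(pieces)} chunks")
    print("intact  :", verify_image(img, whole, pieces))
    tampered = bytearray(img)
    tampered[3 * CHUNK + 17] ^= 0x01        # flip one bit inside chunk 3
    print("tampered:", verify_image(bytes(tampered), whole, pieces))
```

Flipping a single bit in chunk 3 is reported as (False, [3]); truncating the image by one chunk is reported as (False, [7]). The acquisition hash must be computed from the original medium (or the image immediately after acquisition) and stored separately from the image for the comparison to mean anything.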
(4) Collection of Live Data
Collection of live data identifies the volatile data on a running system and collects it in order of volatility, starting with the most volatile. Some live data cannot be duplicated by ordinary file-copy methods, so collecting it requires a technique that reads the sectors of the hard disk directly and a technique that does not alter the access, modification, and creation times of files. In particular, because information such as registry and cache contents, routing information, process information, and passwords may reside only in memory, a memory dump should be performed to acquire such data.
(5) Search and Gain of Password
Search and recovery of passwords is used to find and recover the passwords of MS Office documents, compressed archives, or encrypted file systems.
To find the password of an MS Office document, it must first be determined whether the document is encrypted, and the document's password structure must be analyzed. Further, the encryption scheme and process used by compression programs such as AlZip or WinZip must be analyzed to determine whether a compressed file is encrypted and to search for its password. Further, to find the password of the Encrypting File System (EFS) used on NTFS, the encrypted file system itself must be analyzed. Furthermore, techniques for detecting and analyzing the statistical profile of an image are continually being researched in order to uncover steganography, which hides files by altering empty space or a few bits within a carrier file.
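As an added example, not part of the original description, the following shows the bit-level hiding just mentioned and one of the statistical tests used against it: least-significant-bit (LSB) replacement in an 8-bit greyscale image, and the Westfeld-Pfitzmann chi-square test, which exploits the fact that LSB replacement only moves pixels between the values 2k and 2k+1, so a full-capacity embedding drives the two counts of every such pair toward their mean. The cover image is constructed as a list of grey levels with an irregular histogram (an examiner would instead feed the pixel bytes produced by an image decoder), the payload is random bytes, and the detection threshold of twice the degrees of freedom is an assumption chosen for this example. The test assumes sequential, full-capacity embedding; a payload scattered over a pseudo-random subset of pixels weakens it considerably.

```python
import random

WIDTH, HEIGHT = 160, 125          # 20,000 grey-level pixels (constructed, not a real photograph)


def make_cover(seed: int = 1) -> list:
    """Constructed 8-bit greyscale cover with an irregular histogram.

    Each grey level gets a random weight, so neighbouring values 2k and 2k+1
    occur with clearly different frequencies, as they usually do in an
    unmodified image. (A perfectly smooth histogram would defeat the test.)
    """
    rng = random.Random(seed)
    weights = [rng.random() for _ in range(256)]
    return rng.choices(range(256), weights=weights, k=WIDTH * HEIGHT)


def make_secret(seed: int = 7) -> bytes:
    """Constructed payload that exactly fills the carrier: one bit per pixel."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(WIDTH * HEIGHT // 8))


def bytes_to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def lsb_embed(pixels: list, payload: bytes) -> list:
    """Hide payload by overwriting the least significant bit of successive pixels."""
    bits = bytes_to_bits(payload)
    if len(bits) > len(pixels):
        raise ValueError("payload too large for carrier")
    stego = list(pixels)
    for i, b in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | b
    return stego


def lsb_extract(pixels: list, nbytes: int) -> bytes:
    return bits_to_bytes([p & 1 for p in pixels[:nbytes * 8]])


def chi_square_lsb(pixels: list):
    """Chi-square statistic over the 128 value pairs (2k, 2k+1).

    Expected count for both members of a pair is their mean. After full LSB
    embedding the observed counts are near that mean, so the statistic is
    close to the degrees of freedom; an untouched image gives a far larger
    value. Returns (statistic, degrees_of_freedom).
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, categories = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected == 0:
            continue                      # empty pair carries no information
        stat += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        categories += 1
    return stat, max(categories - 1, 1)


def looks_lsb_embedded(pixels: list, threshold: float = 2.0) -> bool:
    """Flag an image whose statistic is within `threshold` times its degrees of freedom (assumed cut-off)."""
    stat, dof = chi_square_lsb(pixels)
    return stat / dof < threshold


if __name__ == "__main__":
    cover = make_cover()
    secret = make_secret()
    stego = lsb_embed(cover, secret)
    assert lsb_extract(stego, len(secret)) == secret
    for name, img in (("cover", cover), ("stego", stego)):
        stat, dof = chi_square_lsb(img)
        print(f"{name}: chi2={stat:8.1f} dof={dof} flagged={looks_lsb_embedded(img)}")
```

Run stand-alone, the cover is not flagged and the stego image is, while the hidden bytes are recovered exactly. The same histogram-pair reasoning can be applied to a sliding window of pixels to estimate how far into the image the embedding extends.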
(6) Visualization of Information
Visualization of information presents the collected information in a way that increases the efficiency of the forensic analysis. It displays the information visually using pictures, tables, and graphs so that a forensic examiner can easily grasp massive amounts of data, analyze it in time sequence, and filter and normalize the large number of records on the storage media.
(7) Forensic Data Mining
Forensic data mining is a useful forensic technique for large computer systems: it investigates and manages data efficiently by finding correlations between data through in-depth analysis.
Data mining is used to inspect data such as the registry information or configuration information of the main applications installed on a target system, such as the web browser, messenger, and e-mail client, and to extract evidence related to the case from the acquired information. Forensic data mining allows the examiner to determine whether applications that may have been used for a crime are installed and have been used.
Further, forensic data mining may include an investigation profiling technique that removes data unrelated to the criminal case and narrows the range of analysis, based on research into individual behavior patterns and on a per-case database built by integrating and classifying the factors that affect cases.
(8) Mobile Forensic Technique
Mobile forensic techniques are needed to collect, verify, analyze, and restore digital data in mobile devices such as mobile phones or PDAs, which are in common use.
The collection technique includes collecting digital evidence from mobile devices, collecting user data and terminal hardware information stored in the main memory of CDMA mobile phones, and collecting important user information, such as the IMSI, ICCID, ADN, LND, SMS messages, and LOCI, from the USIM card.
The analysis technique includes verifying the collected data, that is, proving that it has not been falsified or damaged; analyzing and restoring digital evidence from mobile phones; analyzing evidence from the information collected from CDMA/WCDMA terminals; and restoring damaged or deleted data from the flash memory of mobile phones.
(9) High-Speed Search of Massive Data Used Only for Forensics
As the capacity of hard disks and the amount of evidence to be inspected increase, high-speed search of massive data used only for forensics, which finds the desired information in a large amount of digital information within a short time, has been researched.
High-speed search of massive data used only for forensics includes hashed search, which analyzes data quickly by determining whether the hash values of files match a set of reference data, and a technique that improves search speed by virtually mounting a file system from the acquired image files, creating an index of all the files, and then creating metadata information.
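The following is an added example, not part of the original description, combining the two techniques just described: a metadata and keyword index is built once over a file system, and a hashed search then sorts every file into known-bad (alert), known-good (ignore), or unknown (review) against two reference hash sets. The "mounted" file system is a constructed dictionary of paths and placeholder contents, and both reference sets are derived from those contents here; in practice the known-good set would come from a published hash set such as NIST's NSRL and the known-bad set from a case or contraband hash database.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a file system virtually mounted from an acquired
# image: path -> content. Not real evidence; byte patterns are placeholders.
SAMPLE_FS = {
    "/Windows/System32/kernel32.dll": b"MZ\x90\x00" + b"\x00" * 60,
    "/Users/suspect/Documents/notes.txt": b"Meeting at the warehouse on Friday night",
    "/Users/suspect/Pictures/img_0001.jpg": b"\xff\xd8\xff\xe0" + b"A" * 100,
    "/Users/suspect/Pictures/img_0001 - Copy.jpg": b"\xff\xd8\xff\xe0" + b"A" * 100,
    "/Users/suspect/Pictures/img_0002.jpg": b"\xff\xd8\xff\xe0" + b"B" * 100,
    "/Users/suspect/Downloads/readme.txt": b"nothing to see here",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Reference data, constructed here from the sample contents (assumption for
# the example; real sets come from NSRL-style or case-specific databases).
KNOWN_GOOD = {sha256_hex(SAMPLE_FS["/Windows/System32/kernel32.dll"])}
KNOWN_BAD = {sha256_hex(SAMPLE_FS["/Users/suspect/Pictures/img_0002.jpg"])}


def build_index(fs: dict):
    """One metadata record per file plus an inverted word index over .txt files.

    Building this once makes later queries cheap: hash lookups are set
    membership tests and keyword queries never re-read the image.
    """
    records, words = [], defaultdict(set)
    for path, data in fs.items():
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        records.append({"path": path, "size": len(data), "ext": ext, "sha256": sha256_hex(data)})
        if ext == "txt":
            for word in data.decode("utf-8", "replace").lower().split():
                words[word.strip(".,;:!?")].add(path)
    return records, words


def hashed_search(records, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """Split files into alerts (known bad), review (unknown), ignored (known good)."""
    alerts, review, ignored = [], [], []
    for rec in records:
        if rec["sha256"] in known_bad:
            alerts.append(rec["path"])
        elif rec["sha256"] in known_good:
            ignored.append(rec["path"])
        else:
            review.append(rec["path"])
    return alerts, review, ignored


def find_duplicates(records):
    """Groups of paths with identical content (same hash), e.g. an image and its copy."""
    by_hash = defaultdict(list)
    for rec in records:
        by_hash[rec["sha256"]].append(rec["path"])
    return [paths for paths in by_hash.values() if len(paths) > 1]


def keyword_search(words, term: str):
    return sorted(words.get(term.lower(), ()))


if __name__ == "__main__":
    records, words = build_index(SAMPLE_FS)
    alerts, review, ignored = hashed_search(records)
    print("alerts :", alerts)
    print("review :", review)
    print("ignored:", ignored)
    print("dupes  :", find_duplicates(records))
    print("keyword:", keyword_search(words, "warehouse"))
    # Caveat: hash matching is exact. Re-saving img_0002 with even one byte
    # changed yields a hash that is in neither reference set.
    resaved = SAMPLE_FS["/Users/suspect/Pictures/img_0002.jpg"] + b"\x00"
    print("resaved still flagged:", sha256_hex(resaved) in KNOWN_BAD)
```

The last lines illustrate the limitation that motivates the present invention: a hashed search only finds byte-identical files, so an image that has been re-encoded, resized, or otherwise altered by a single byte drops into the "review" pile and must still be examined by other means.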
However, high-speed search of massive data is limited to searching for specific text, whereas the personal computers used by criminals contain many images (pictures or photographs) in addition to text. For example, if pornographic images of children are stored on a computer, that is a grave crime, so it is very important to search images as well as text. Further, the analysis of images may provide very important evidence for determining a suspect's tendencies or interests. When a large number of image files are stored on a personal computer, it is ineffective for an urgent criminal investigation to inspect every file; therefore, an improved analysis technique is strongly required.