公开(公告)号：US20230024682A1

公开(公告)日：2023-01-26

申请号：US17868930

申请日：2022-07-20

Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE

Inventor： Hyun-Uk HWANG ,  Seung-Yong LEE ,  Joong-Soo HAN ,  Jung-Hoon OH ,  Jun-Su KIM ,  Ki-Bom KIM ,  Won-Ho KIM

IPC: G06F16/14 ,  G06F16/54

Abstract: Disclosed herein are a logical imaging apparatus and method for digital forensic triage. The logical imaging method for digital forensic triage includes receiving files selected as a digital evidence target, creating a logical imaging file, inside of which is formatted in a predetermined file system structure, recording the selected files in accordance with the file system structure of the created logical imaging file, and storing selected file list information about a list of the recorded selected files, and creating a separate selected list information file and a separate logical imaging summary file outside the logical imaging file.

公开(公告)号：US20140059313A1

公开(公告)日：2014-02-27

申请号：US13958541

申请日：2013-08-03

Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE

Inventor： Hyun-Uk HWANG ,  Ki-Bom KIM ,  Seung-Yong LEE ,  Young-Chan SHIN ,  Tae-Joo CHANG

IPC: G06F11/14

CPC classification number: G06F11/1435 ,  G06F11/1417 ,  G06F17/30117

Abstract: In a method for recovering a partition using backup boot record information, an unallocated area is separated from a disk or an evidence image. The unallocated area is searched for a location of a backup boot record. Whether is backup boot record of a file system to be detected is present in found sectors is analyzed. If the backup boot record is found to be the backup boot record of the file system desired to be detected as a result of the analysis, it is verified whether the backup boot record is a boot record of a valid partition. If it is verified that the backup boot record is the boot record of the valid partition, a file system of a deleted partition is parsed using the backup boot record and a deleted directory or file is recovered.

Abstract translation: 在使用备份引导记录信息恢复分区的方法中，将未分配区域与磁盘或证据图像分离。 搜索未分配区域的备份启动记录的位置。 分析是否存在待检测文件系统的备份启动记录。 如果发现备份启动记录是文件系统的备份引导记录，作为分析结果需要检测的文件系统，则验证备份引导记录是否是有效分区的引导记录。 如果验证备份引导记录是有效分区的引导记录，则使用备份引导记录解析已删除分区的文件系统，并恢复已删除的目录或文件。

公开(公告)号：US20240020039A1

公开(公告)日：2024-01-18

申请号：US17863634

申请日：2022-07-13

Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE

Inventor： Jung-Hoon OH ,  Hyun-Uk HWANG ,  Seung-Yong LEE ,  Jun-Su KIM ,  Joong-Soo HAN ,  Hye-Jin JEONG

IPC: G06F3/06

CPC classification number: G06F3/0643 ,  G06F3/0653 ,  G06F3/0604 ,  G06F3/0673

Abstract: Disclosed herein are an evidence collection guidance method and apparatus for file selection. The evidence collection guidance method includes generating pieces of preliminary analysis information that are pieces of collection target information, setting levels of the pieces of preliminary analysis information based on predefined rules, and generating and outputting notification information including summary description information and follow-up measure items related to the pieces of preliminary analysis information corresponding to the levels.