1 1.,. PC, PC. SNS(Social Network Service).. 2007 17 2012 18 33.5%. PC SNS,..,..,..
.,,. 2 1.... 2.., (Work Station) (Server), MP3., TV,.,, DDoS..
.,...,,,......,.. SNS....,
..
2 1,, (SNS, ),. PC,... 1... [ 2-1] ( 18 ) 2012. 12. 17.,,, 3.,,,.
[ 2-2] ( 18 ) 2012. 12. 13. KBS, 8, 8, 1 (USB ) 51.... (Chain of Custody).. PC CCTV.,,.
[ 2-3] 3 ( 19 ),,.. [ 2-4], 20..., (Android, iOS, Embedded Linux, Windows CE),,..
..,.. [ 2-5] ( 18 ) 2012. 12. 18. 20. PC,,,.,.
[ 2-6] ( 19 ). 010. 8. 26.,,.. 2.,,..... 1
2 3, SNS 4 5 ( ) 2 1.,,.., ㆍ,. [ 2-7]. [ 2-7],,,..
,,.,,. GB TB ㆍ... ㆍ ㆍ,. 2.,,,. (Contents) (Characteristics).,
,,,..,,,,.,.,..,,,,,,.. 3. (admissibility) (weight)..,,.,
,...,..... 308 2(. )... ( 傳聞法則, Hearsay Rule) ( 傳聞, Hearsay). ( ) 17..,
,,.,., 310 2. 311316.,.,..,..,,,.
,,,,,,,. 315.,..,.. (1),.,,,,
. (2), (Business Record)...,. 4.,,,.,, CCTV,..,.,,,,.
,,.., (Chain of Custody).
3 1. 1)... [ 2-8]. [ 2-8],, ( ) 1)..
.. 2). 2.,,,,,,.,... 272 2 2.. 2) 10 2 6.. 10 3 4 10 2 6 8. " " " "..
. 272 2 5... 272 3 3).. 1 2. 3..,,. 3) ( ),, ( ),,,,.
,.... 272 2 2... PC SNS,. PC (SNS, ).. 3. [ 2-1]. PC.. ( ).,
,.,, SNS (mention).,. 4. [ 2-1]. 4).,. 4) (Drag-and-drop) copy( cp),.
.,,....,. [ 2-2]. [ 2-2],,.,
( ).,,,,...,,.,,,.
4 1... 12 3 5)... 272 2 2 6)., 7), 8). 1 5)., 3. 6).,. < 2000.2.16, 2004.3.12> 7) 37 2. 8),.
, 2, 3,,,. 9). 10),. 1., 2. 3.,.,. 9) 2011. 5. 26. 2009 1190. 10),, 27 (2012-12)
2. 17. (Privacy )..,, 3. 2012. [ 2-9] 106 3..,. [ 2-9] 106 ( ) 106 ( ) 1.,. 2,. 3, ( " " ).,. 4 3 2 3.
272 2( ), 272 3( ),.,,.. [ 2-10] 83 3...,,. 272 3.,.
11).,....., [ 2-10],.,,. 11) ( )
3 1 1. (admissibility) (weight)..,,.,,...,.....
308 2(. )... ( 傳聞法則, Hearsay Rule) ( 傳聞, Hearsay). ( ) 17..,,,.,., 310 2. 311316
.,.,..,..,,,.,,,,,,,. 315.,..,..
(1),.,,,,. (2), (Business Record)...,. 2.,,,.
.. (, ), 438.. (1) 2011 2012 106 3., ( ).,.. 307316. [ 3-1].
[ 3-1] 106 ( ) 1.,. ( 2011.7.18.) 2,. 3, ( " " ).,. ( 2011.7.18.) 4 3 2 3. ( 2011.7.18.) 108 ( ),. 113 ( ). 114 ( ) 1,,,,,,,.,. ( 2011.7.18.) 2 75 2. 307 ( ) 1.
2. 308 ( ). 308 2 ( ). 309 ( ),,,. 310 ( ). 310 2 ( ) 311316. 311 ( ). 184 221 2. 312 ( ) 1,. 2 1,
. 3. 4,.,. 5 1 4. 6. 313 ( ) 1 2.,. 2. 314 ( ) 312313
.,. 315 ( ). ( 2007.5.17.) 1., 2., 3. 316 ( ) 1 (. ). ( 2007.6.1.) 2,,,,. ( 2007.6.1.) (2) ( ),...
...,,,,....
( ).,... 24. 48..,,,,..... [ 3-2],. [ 3-2] 133 (, ) 1,,. 2
. 134 ( ). 135 ( ) 3,,. 218 2(, ) 1,,. 2 1. 3 2. 4 1 3.. [ 2011.7.18] 219 ( ) 106, 107, 109112, 114, 115 1, 2, 118 132, 134, 135, 140, 141, 333 2, 486,., 130, 132 134. < 1980.12.18, 2007.6.1., 2011.7.18> 333 ( ) 1. 2
. 3. 4 3. 486 ( ) 1. 2 3. < 1973.1.25> 3. < 2007.6.1>..,,,. [ 3-3] 1 ( ). 2 ( )
. 3 ( ),.. 155 1.,. 12) [ 3-4] 155 1 155 ( ) 1,, 5 700..,. 13, 13 3 (,, ). 12) 2002 3600
[ 3-5] 2 ( ). 1~10. 11. " "........ 12. 9 3 ( ㆍ ㆍ ) 1 ( ) 30. 2 30. ( 2009.5.28) 13 ( ) 1 ( ) ( ).
2 1, (. ).,. ( 2005.5.26) 3~9 13 3( ) 1 13, ( ) 30. 2 1 9 2( 3 ).. 83,,,,,.,,,. [ 3-6] 83 ( ) 1. 2. 3, (,. ),,
( 10 1 3 4, ), ( " " ). 1. 2. 3. 4. 5. ( ) 6. 4 3,, ( " " ).,,. 5 3 4. 6 2, 5. ( 2013.3.23.) 7 3 5.,. 8,. 9.
. (1),,,, 3,,,.,,,.. (2) 3 3.,,,..
,, 3,,, 3. 3 17 2,. (3) 16. (4)., 3. 18 2 3 3. 3 18 3..
, 3,. 3,,,.., 3. [ 3-7] 3 ( ) 1. 2,. 3,. 4. 5,. 6
. 7. 8. 15 ( ) 1. 1. 2. 3. 4. 5. 3,, 6... 2 1 1.. 1. 2. 3. 4. 16 ( ) 1 15 1.
. 2. 17 ( ) 1 3 (. ). 1. 2. 15 1 2 3 5 2 1 1.. 1. 2. 3. 4. 5. 3 3 2,. 18 ( ) 1 15 1 17 1 3 3. 2 1 3 3., 5 9.
1. 2. 3. 3,, 4. 5. 3 6., 7. 8. 9. ( 刑 ), 3 2 1.. 1. 2. ( ) 3. 4. ( ) 5. 4 2 2 6, 8 9 3,. < 2013.3.23> 5 2 3
,,,.. 19 ( ) 1 3. 1. 2... 272 2( ) 2, 3. 272 3( ) (,,,, ).. [ 3-8] 272 2( ) 272 3( ). [ 3-8] 272 2( ) 272 3( ) 272 2( ) 1 (. ), ( )
. 2.,. 3 1. 4.,. 5,. 6 1. 7 1,. 8 ( ). 9 1 8,,.
272 3( ) 1 (. ) ( ) ( ) ( ). 2 ( ),,. 3 1 2 12. 1. 2. 4 1 3. 5 1 3,. 6 1 3.
2 1..,,... (1),. (2),,.,.,.
(3),,.,. (4) ㆍ.. (Chain of Custody)..,,,,,. [ 3-1].. ( ),,,,,.
[ 3-1] (1),,, SW..,,,.,,,,.,,,,,.,.
,,,.,,,..,,.. [ 3-9]. [ 3-9] +/-,,, HDD, HDD, RAID ㆍ USB, CD-R, DVD-R,,,,,,,
,,,,,, (2).,.. [ 3-2].
[ 3-2] (3),..,.,.,,,.,..
...,,,. 3., ㆍ. (4).,..,.. (5).
. 2,... [ 3-3]. [ 3-3]
,,,. [ 3-4]. [ 3-4] (6) ㆍ,.
.. - (Case) -, - ㆍ, - ㆍ - - - -.. 2....,.,
.. 3.5 2.5,,.,,,, USB,, CD DVD.,.,, PDA,,..,. BitLocker,,.,,.,.. [ 3-5].
[ 3-5].. (Imaging).. UNIX dd, (U.S. Department of Defense (DoD)) dcfldd, Guidance Software EnCase. dd raw. EnCase 64,
... [ 3-6] DIBS Rapid Action Imaging Device, Solo-3. [ 3-6].,,. JTAG(Joint Test Action Group). JTAG. [ 3-7, 3-8] JTAG JTAG. JTAG
. [ 3-7] JTAG [ 3-8] JTAG.. [ 3-9].
[ 3-9]. PC USB.,..,,...,.. [ 3-10].
. [ 3-10]
4 1 1.. 1995, 2000 7. 13),. [ 4-1]. [ 4-1] [ 4-1]. 13), http://www.ctrc.go.kr/about/netan_20p.pdf
[ 4-1] 60 14 7 5 1 1 2 3 3 5 2 2 2 3 2 2 2 2 2.. ( ), ( ), ( ),..,,..., EnCase, FTK.,.....
2... (National Digital Forensic Center),... DNA,,,,,,,,,,. 2011. 11 14)... 2013 4,,,,,,..,, 14)
,,. 15). [ 4-2]. 16) [ 4-2] DB,,,, PDA 15), URL: http://www.spo.go.kr/spo/intro/organ/org2.jsp 16), URL: http://www.spo.go.kr/spo/major/forensics/act/forensics10.jsp
. [ 4-3].,.. [ 4-3],,,, (EnCase, FTK ),, DB,,,,,,,,,,,,,.,.
,.,.. ([ 4-2] ) [ 4-2]. 2008 6 1 7884m2, 144. 2009 ~ 2013 596. [ 4-4] [ 4-5]. 17) 17), 2009, 2010. 8. - http://www.google.co.kr/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0cdyqfjaa&url=http%3a%2f%2fmosf.go.kr%2F_upload%2Fbbs%2F76%2Fattach%2Fmoj.hwp&ei=wHF_Uf7fGMu_kgWw6IDIDA&usg=AFQjCNG9iTFCEhy5B3FMPWZ3p5jwhttwaA&sig2=fVBtzaVocFEB25ropIKPsg&bvm=bv.45645796,d.dGI&cad=rjt
[ 4-4], 09 ~ 13 596 [ 4-5] 09~ 13
Unit: 100 million KRW
Total project cost | '09 | '10 | '11 | '12 | '13
596 | 79 | 110 | 150 | 146 | 111
3.. (1) 1953, 2006, 18). 3 (,, ), 1 ( ) 3 (,, ). [ 4-3],. ([ 4-4] ) 18). http://www.law.go.kr/lsinfop.do?lsiseq=123414&efyd=20120222#ajax
[ 4-4] 15. (2) [ 4-6]. [ 4-6] (, ), (3) [ 4-7]. [ 4-7] EnCase, FTK 40 65
(4). (5).,.. (1) 3, [ 4-8]. [ 4-8] 3 ( ) 5 3 3 (2) [ 4-9].
[ 4-9],, 3 ( ) (3) [ 4-10].
[ 4-10] : 44 162 : EnCase, FTK, X-Ways Forensics 34 56 : :, : Password : HBgary( ), : 2013 : 70Tera : 10 12 : EnCase, FTK, X-Ways Forensics 30 48 : : Password (Office Crack) : ( ) : 50Tera( ) 3 ( ) : 10 12 : EnCase, FTK, 30 48 : : Password (Office Crack) : 100Tera
(4). (5).,.. 19) (1) 3, [ 4-11]. [ 4-11] 3 : 3 2 ( ) / 1 ( ) / 19).,.
(2) [ 4-12]. [ 4-12], (, ), (, ), (, ) (3),. [ 4-13].
[ 4-13] : EnCase, FTK : MD Smart( ), MD Tool( ) : 2 : EnCase, FTK, X-Ways Forensics ( ) : MD Smart( ), MD Tool( ) : MD Smart( ), MD Tool( ) PC, HDD.., (4). (5).,.
4... [ 4-5]. 20). 10. [ 4-5] 20), URL: https://www.copyright.or.kr/intro/organize/staff.do?hm_seq=133
..,. ( ) 100%..,,..,,,.
..., ( ).,...,,... [ 4-6]...
[ 4-6] 5.. 2008,,, 4. 2011,, 3, 2012,,.,. [ 4-7].
[ 4-7].,,,,..,,.,,,.
.. ( DEAS ). [ 4-14]. [ 4-14] EnCase FTK Final Forensic UNI-Forensic ( ) : Image Master Ⅲ : Solo Ⅳ : Tableau ( ) FAS(Forensic Analysis System) Mobile. 2012,..,
...,,. [ 4-8]. [ 4-8]..
6.. ( ) 2010 ( 3 ). 2013 7 (TF) 4. TF. TF,. [ 4-9]. [ 4-9]
.,,, TF. TF. 2013.., 2010, 2012 [ 4-15]. [ 4-15] EnCase FTK X-ways SW : SW : SW : ( ) : : ( ) : Mobile :
....
2,,,. (, ).... [ 4-16]. [ 4-16] 272 2( ), 272 3( ) 50 ( ),.
,,,.,.. [ 4-17]..., 50. [ 4-17] ( ) 50 ( ) 1. 1., 2. 3.,, 2 [ 65 ( ) ]
,,,,. 3 2,. 5 15 ( ) 9 ( ) 1 ( " " ) 23 ( ) 1 7 4 37 3( ),. 1. 2. 3. 4. 5. ( 9 9 ) 6. 50 2( ),
. [ 2004.12.31]. (bit),..
5 1 1.. [ 5-1]..,,,.,. [ 5-1] 47 2( ) 57 5( ) 81 ( ) 97 ( ) 118 ( ) 135 ( ) 230 ( )
64 ( ) 82 4( ) 96 ( ) 110 ( ) 250 ( ) 251 ( ) 89 ( ) 255 ( ) 256 ( ) 271 ( ) 57 6( ) 60 ( ) 86 ( ) 90 ( ) 254 ( ) 256 ( ) 261 ( ) 271 ( ) 276 ( ) 62 ( ) 89 ( ) 93 ( ) 254 ( ) 255 ( ) 82 5( ) 230 ( ) 256 ( ) 272 3( )
( ) 82 4( ) 82 6( ) 230 ( ) 272 3( ). (1) OOO. (2) OOO ( )..,.,,.. [ 5-2].
[ 5-2],,,,,,,,,, PC,. (1) A OOO (,, ) B,. (2) OOO PC., PC PC PC, PC,. PC CCTV., ISP,.,, IP.. [ 5-3].
[ 5-3],, ISP, PC,, IP,,, CCTV PC CCTV PC,,. (1),,,, 1 ( 2010.12.17. 2010 229 ). (2), ( ),, SNS,, SNS. PC,
,..,. [ 5-4]. PC ( ) [ 5-4] ( ),, ( ),,. (1) 2008 A, B OO,,, 250~300 1,000 1,200, ( 2009.6.23. 2009 2903 ).
(2) ( ),, SNS.,,. PC,.,. CCTV,,,,,. [ 5-5].,, [ 5-5] ( ),,,,,,
,, PC ( ) (PC ),, ISP,,, CCTV, CCTV,,, 2.. PC,,., (SNS).. PC (1) 4 1. PC [ 5-1]. PC., OS.
,,,. [ 5-1] PC, PC.
,.. (Query).. PC.... IaaS(Infrastructure as a Service). IaaS,.., ( ),,,,. (Write Blocker). (Viewer). (search) (classification)..
(2) [ 5-1].. ( ) [ 5-6]. [ 5-6] (Memory Acquisition)
win(32 64)dd | Windows | Matthieu Suiche
mdd | Windows | ManTech
WinPmem | Windows | Michael Cohen | crashdump file
fmem | Linux | niekt0
Mac Memory Reader | Macintosh | Mac Marshal | Mac
Active Defense | Windows | HBGary | binary RAM
Live RAM Capturer | Windows | Belkasoft | binary RAM
MacQuisition | Macintosh | BlackBag Technologies | Mac binary RAM
COFEE | Windows | Microsoft
MacResponse | Macintosh | AIS, LE
( ) SQLite DB MSSQL, Oracle (RDBMS). [ 5-7]. [ 5-7]
Exchange EDB Viewer | Windows | Lepide Software | EDB
SQLite Expert | Windows | Bogdan Ureche | SQLite
Oxygen SQLite Viewer | Windows | Oxygen Forensic | SQLite
SQLite Databases Browser | Win&Mac | Tabuleiro, csv
( ), ([ 5-8]). [ 5-8]
Internet Evidence Finder (IEF) | Win Mac | Magnet Forensics | Dropbox, GoogleDrive, SkyDrive
IaaS..
( ),,,. [ 5-9]. [ 5-9]
REGA | Windows | 4&6tech
RegRipper | Windows | Harlan Carvey
mft2csv | Windows | Joakim | MFT csv
MFTView | Windows | Sanderson Forensics | MFT Viewer
Event Log Explorer | Windows | FSPro Labs
Log Parser | Windows | Microsoft | (Query),
WEFA | Windows | 4&6tech
Mail Viewer | Windows | MiTec | MS Outlook Express, Windows Live Mail, Mozilla Thunderbird
. (1). JTAG(Joint Test Action Group) 21)... PC USB. 22) 23). (2) PC. OS. [ 5-10]. 21) JTAG(Joint Test Action Group)., JTAG(' ' ) IEEE 1149.1,., URL: http://ko.wikipedia.org/wiki/jtag 22) ( : rooting) ( ). :, URL: http://ko.wikipedia.org/wiki/%EC%95%88%EB%93%9C%EB%A1%9C%EC%9D%B4%EB%93%9C_%EB%A3%A8%ED%8C%85 23) iOS (iOS jailbreaking) iOS. :, URL: http://ko.wikipedia.org/wiki/IOS_%ED%83%88%EC%98%A5
[ 5-10] XRY Series Windows Micro Systemation Cellebrite UFED Embedded Cellebrite Physical, Logical, MD Series Windows GMD SYSTEM, SMART UMR Windows MOBILE COPS USB. PC, USB, SD.. (Write Blocker).,.. SNS (SNS) PC. SNS,,.,.
SNS.. SNS. (1) SNS [ 5-2]., PC. PC SNS.. SNS.. SNS., SNS,,,.. SNS..,,.
[ 5-2] SNS (2), PC [ 5-6 9]. [ 5-10]. [ 5-11] Belkasoft.,,, MSN.
.. SNS API Query Language. Graph API Facebook Query Language(FQL) Twitter API., SNS App.. [ 5-11]. [ 5-11] Belkasoft Win&Mac &Linux Belkasoft PC SNS SocNetV Win&Mac &Linux Dimitris V. Kalamaras SNS LogAnalysis Win&Unix &Linux XpoLog, NodeXL Windows Microsoft Gephi Win&Mac &Linux Gephi NetMiner4 Windows CYRAM
2,.,,,,. [ 5-3].,. 2 2. 5., case. 1..,.,,,..,,., USB,, SD.
[ 5-3]
. PC.. 2...., SNS 2 SNS. SNS. 2 SNS,. PC..,.,.
3. (Chain of Custody) 24).. PC,, PC,.,, 3. 4... 2,.....,,,., 24),,,,.,.
,.. 5.. PC,,..,. 6.,,,.,,.. [ 5-12]. 25) 25),,,
[ 5-12] ( ) 3,850,000 HDD 150,000 2TB, 7200rpm USB 41,000 32GB 1,700,000 DSLR 1,750,000 (120, 96GB) 450,000 800,000 SNS SNS 875,630 ($799.95) Belkasoft Evidence Center PC 4,400,000 13,397,904 ($12,240) + 43,784 ($40) 1,312,080 ($1,200) tableau write protect full package Active Defense MacQuisition 645,106 ($590) SQLite Expert 217,667 ($199) Oxygen Sqlite viewer
3,165,715 ($2,995) Intella 100 ( ) 6,930,000 Encase Forensic Edition 7 6,600,000 FTK 2,000,000 REGA 2,000,000 WEFA 162,917 ($149) RegRipper EventLog Explorer 2,750,000 Encase Portable 26,700,000 MD-Box 4,100,000 MD-Smart Cable SW 99,100,00 MD-Smart 29,150,000 RoadMASSter3 ( ) 6,232,380 ($5,700) Solo 4 15,000 1,000,000,,,
7.. case.. PC,. 1 PC 3 2. [ 5-13] 1 - - - - - 2 - - -
.. PC 2 USB, 4. 2, 2.... [ 5-14] 2 - - - - - 2 - - -
6 PC PC.,..,. 2.,.,.,. 3,. 3 1,. 3 2. 4,,,,, 6
,. 4 2. 5. 4 1,. 4 2,..,,..