Cloud Data Collection and Analysis

FACT

FACT (Forensic Acquisition and Criminal Investigation Tool), an integrated digital forensic solution developed by the Digital Forensic Research Center at Korea University and Plainbit Co., Ltd., provides capabilities for collecting and analyzing data from services related to secure messaging, cloud storage, anonymous networks, and cryptocurrencies, in order to counter anti-forensic activities encountered in real-world investigative environments.
Secure messenger data collection and analysis: FACT collects cloud resources using user credentials stored on local devices, and reconstructs contacts, chat histories, posts, and other relevant artefacts. It supports various services, including Telegram, Instagram, and Facebook Messenger, for chat data collection and visualization.
Metadata-based cloud forensics: FACT collects various types of metadata such as thumbnails, OCR results, and file history, and selectively retrieves data stored on the server based on metadata search results. It supports seven cloud services: MS OneDrive, Google Drive, MEGA, Box, Dropbox, Naver Mybox, and iCloud Drive.

#Cloud Forensics #Cloud Data Collection #Secure Messenger #Cloud Storage #Forensic Tool

Tracking of API Evolution

FOREST: Inspecting and Tracking RESTful APIs for Cloud Forensic Readiness

As digital evidence increasingly resides in the cloud, forensic investigations must navigate constantly changing service interfaces. Many RESTful APIs—responsible for handling authentication, file access, and communication—are undocumented or evolve silently, breaking reproducibility and obscuring user traces. FOREST (Forensic Readiness via RESTful API Schema Tracking) introduces an automated framework that discovers, analyzes, and tracks undocumented APIs directly from live network traffic. By parsing HTTP sessions captured during natural user interactions, FOREST identifies user-relevant endpoints, extracts forensic artifacts such as identities and messages, and reconstructs their structures into OpenAPI Specifications.
The framework integrates AI-based filtering to detect user-related responses, dependency testing to infer required request parameters, and schema-based comparison to monitor API evolution over time. Applied to Microsoft OneDrive, Teams, and Mattermost, FOREST achieved over 90% precision in identifying forensic endpoints and successfully traced schema-level changes across service versions. FOREST establishes a foundation for API-centric cloud forensics, ensuring that investigators can reproduce and verify evidence acquisition in rapidly evolving environments while contributing standardized knowledge to the SOLVE-IT forensic database.
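As an added illustration (not FOREST's own code), the following Python sketch walks the pipeline described above over two constructed capture snapshots: it keeps only responses that carry user-relevant fields, infers a schema for each endpoint, emits an OpenAPI 3 fragment, and diffs the two versions to flag added, removed and retyped fields. The session records, endpoint paths and field names are invented for this example, and the keyword filter is a plain stand-in for the AI-based filtering; the dependency testing of request parameters is not covered here.

```python
"""Recover response schemas from captured HTTP sessions, emit an OpenAPI
fragment for user-relevant endpoints and diff two spec versions."""
import json

# Constructed session records standing in for parsed HTTP captures; paths,
# field names and values are invented for this example.
SESSIONS_V1 = [
    {"method": "GET", "path": "/api/v1/me", "status": 200,
     "body": {"id": "u-100", "displayName": "alice", "mail": "alice@example.com"}},
    {"method": "GET", "path": "/api/v1/drive/items", "status": 200,
     "body": {"value": [{"id": "f1", "name": "report.docx", "size": 1024,
                         "lastModifiedDateTime": "2024-01-01T00:00:00Z"}]}},
    {"method": "GET", "path": "/api/v1/telemetry/ping", "status": 200,
     "body": {"ok": True, "ts": 1700000000}},
]
SESSIONS_V2 = [  # the same service after a silent API change
    {"method": "GET", "path": "/api/v1/me", "status": 200,
     "body": {"id": "u-100", "displayName": "alice",
              "userPrincipalName": "alice@example.com"}},
    {"method": "GET", "path": "/api/v1/drive/items", "status": 200,
     "body": {"value": [{"id": "f1", "name": "report.docx", "size": "1024",
                         "lastModifiedDateTime": "2024-01-01T00:00:00Z",
                         "createdBy": {"user": {"id": "u-100"}}}]}},
    {"method": "GET", "path": "/api/v1/telemetry/ping", "status": 200,
     "body": {"ok": True, "ts": 1700000001}},
]

# Keyword heuristic standing in for the AI-based relevance filter: a response
# is user-relevant if any key name in it carries an identity/content indicator.
INDICATORS = ("name", "mail", "message", "text", "author", "user")

def _keys(value):
    """Yield every key name appearing anywhere in a JSON value."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield k
            yield from _keys(v)
    elif isinstance(value, list):
        for v in value:
            yield from _keys(v)

def is_user_relevant(body):
    return any(ind in k.lower() for k in _keys(body) for ind in INDICATORS)

def infer_schema(value):
    """Derive a JSON-Schema-style description from one observed value."""
    if isinstance(value, dict):
        return {"type": "object",
                "properties": {k: infer_schema(v) for k, v in value.items()}}
    if isinstance(value, list):
        merged = {}
        for item in value:  # union the properties seen across array elements
            s = infer_schema(item)
            if s["type"] == "object":
                merged["type"] = "object"
                merged.setdefault("properties", {}).update(s["properties"])
            else:
                merged = s
        return {"type": "array", "items": merged}
    if isinstance(value, bool):  # bool is an int subclass: test it first
        return {"type": "boolean"}
    if isinstance(value, int):
        return {"type": "integer"}
    if isinstance(value, float):
        return {"type": "number"}
    return {"type": "null"} if value is None else {"type": "string"}

def build_spec(sessions, version):
    """OpenAPI 3 fragment covering only successful, user-relevant responses."""
    paths = {}
    for s in sessions:
        if s["status"] != 200 or not is_user_relevant(s["body"]):
            continue  # telemetry-style noise never reaches the spec
        op = {"responses": {"200": {"content": {"application/json": {
            "schema": infer_schema(s["body"])}}}}}
        paths.setdefault(s["path"], {})[s["method"].lower()] = op
    return {"openapi": "3.0.3",
            "info": {"title": "recovered endpoints", "version": version},
            "paths": paths}

def diff_schema(old, new, where="$"):
    """List added, removed and retyped fields between two inferred schemas."""
    if old.get("type") != new.get("type"):
        return [f"type changed {where}: {old.get('type')} -> {new.get('type')}"]
    changes = []
    if old.get("type") == "object":
        op, np_ = old.get("properties", {}), new.get("properties", {})
        for k in sorted(set(op) | set(np_)):
            if k not in np_:
                changes.append(f"removed {where}.{k}")
            elif k not in op:
                changes.append(f"added {where}.{k}")
            else:
                changes.extend(diff_schema(op[k], np_[k], f"{where}.{k}"))
    elif old.get("type") == "array":
        changes.extend(diff_schema(old["items"], new["items"], where + "[]"))
    return changes

def diff_specs(spec_a, spec_b):
    """Map each endpoint to the schema changes between two spec versions."""
    report = {}
    for path in sorted(set(spec_a["paths"]) | set(spec_b["paths"])):
        if path not in spec_b["paths"]:
            report[path] = ["endpoint removed"]
        elif path not in spec_a["paths"]:
            report[path] = ["endpoint added"]
        else:
            for method, op in spec_a["paths"][path].items():
                new_op = spec_b["paths"][path].get(method)
                if new_op is None:
                    report.setdefault(path, []).append(f"method {method} removed")
                    continue
                old = op["responses"]["200"]["content"]["application/json"]["schema"]
                new = new_op["responses"]["200"]["content"]["application/json"]["schema"]
                changes = diff_schema(old, new)
                if changes:
                    report.setdefault(path, []).extend(changes)
    return report

if __name__ == "__main__":
    v1, v2 = build_spec(SESSIONS_V1, "v1"), build_spec(SESSIONS_V2, "v2")
    print(json.dumps(v1["paths"]["/api/v1/me"], indent=1))
    for path, changes in diff_specs(v1, v2).items():
        print(path, changes)
```

Feeding the recovered specs from two capture dates into diff_specs gives the schema-level change list that an acquisition script needs to stay reproducible: a renamed identity field (mail to userPrincipalName) or a retyped size field would otherwise break parsers silently.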

#Cloud Forensics #RESTful API #Undocumented API #API Evolution Tracking #Forensic Infrastructure

Virtual Asset Forensics

Wallet Applications

Monero is a privacy-preserving cryptocurrency that leverages advanced cryptographic mechanisms to conceal transaction participants and amounts, ensuring strong untraceability. Nevertheless, forensic techniques can still uncover sensitive information through the analysis of off-chain artifacts such as memory and wallet files.
In our study, we perform a comprehensive forensic investigation of Monero’s wallet application, emphasizing the internal management of public and private keys as well as its data storage structures. We demonstrate how these cryptographic keys are maintained in memory and propose a memory scanning algorithm capable of detecting key-related data structures. Additionally, we examine the wallet’s key and cache files, introducing a method to decrypt and interpret serialized keys and transaction data encrypted with a user-defined passphrase. Our implementation, developed as an open-source Volatility3 plugin accompanied by dedicated decryption scripts, was evaluated across various cryptocurrency wallets that include Monero components.

#Live Forensics #Memory Forensics #Cryptocurrency #Transaction Tracing #Monero #Forensic Tool Development

Exchange Services

Cryptocurrencies are virtual assets that enhance anonymity through their inherent cryptographic properties. However, since transaction records stored on the blockchain are publicly accessible, criminals have been employing obfuscation techniques to make transaction tracking more difficult. Instead of mixing transactions within the same blockchain network, the use of cross-chain bridges to exchange assets across different blockchain networks has been increasing.
In our study, we generated cryptocurrency exchange traces using four web-based cryptocurrency exchange services and identified artifacts remaining on local systems. Additionally, our study proposes a method for effectively collecting users' asset exchange records stored on the servers of cryptocurrency exchange service providers through web API calls. A procedural framework for investigating cryptocurrency exchange services is proposed based on the analyzed artifacts.

#Web-Browser Log Analysis #Cryptocurrency #Transaction Tracking #Cross-chain Bridge and Seizure 

Multi-source Off-chain Data Forensic Framework Against Transaction Obfuscation

Cryptocurrencies operate on their respective blockchains. Chain-hopping is a technique of exchanging one cryptocurrency for another. Criminals employ cross-chain exchanges, a form of transaction obfuscation, to launder illicit money. Although all transactions are recorded on blockchains, enabling investigators to trace cryptocurrency flows, assets moved via cross-chain exchanges are considerably more difficult to trace.
Our study performs digital forensic analysis not only on suspects’ devices but also on data stored in the cloud to trace obfuscated transaction flows. A multi-wallet can hold multiple cryptocurrencies and may offer an in-app exchange function to convert one currency into another. A web-interface exchange enables rapid conversion between cryptocurrencies using only a web browser. Because such exchange services retain records of exchange operations, digital forensics can be used to reconstruct a suspect’s cryptocurrency exchange history.

#Cryptocurrency Forensics #Off-chain Data Forensics #Transaction Tracing #Transaction Deobfuscation #Cross-chain Exchange #Forensics Framework

Monitoring of Online Data for Cybersecurity and Forensics

Internet-Exposed Sensitive Systems

Network printers commonly provide web-based management interfaces, referred to as a printer web server (PWS), to support convenient administration for users. Since these printers often process sensitive information, their exposure to the public Internet could pose serious security threats.
In this study, we conducted an attack surface analysis of PWS from major vendors and discovered critical security risks: inadequate security features, API endpoints served over an insecure protocol, and an API authentication vulnerability that circumvents administrator-configured access controls.
Our findings reveal that such exposure is rarely transient: nearly half of the accessible PWS instances were still reachable at the end of the observation period, while new instances continuously appeared. This persistent exposure can result in unauthorized access to sensitive information such as user accounts, email addresses, and printed file metadata linked to specific organizations.

#IoT Vulnerability #Network Printer #Web Security #Attack Surface

National Security Threat Activities

This study investigates a multimodal AI framework for monitoring and detecting terrorist propaganda, recruitment, and fundraising activities across social media and online communities. Through social media mining, the research collects and analyzes open-source data, integrating OCR, ASR, and NER across text, image, audio, and video modalities to identify key indicators such as Telegram IDs, cryptocurrency wallets, and donation messages. The framework aims to provide early evidence and investigative leads that can assist law enforcement in tracing financial networks and initiating formal investigations.

#Terrorism Detection #National Security #Policy and Technology Integration #Social Media Mining #Multimodal AI #OCR #ASR #NER