Abstract
In recent years, as interest in personal information protection has grown, a number of applications have appeared that encrypt photos, videos and documents, store them in separate storage, and allow access only after user authentication. Such applications are called 'Vault Apps' or 'Ghost Apps': beyond encrypting stored data, they also make the data hard to recognize or remove particular data from view. Encryption by a Vault App can make data analysis difficult during a forensic investigation, and some users in fact use these apps to conceal or encrypt evidence of criminal activity. Data encrypted through a Vault App is therefore likely to contain meaningful data from a forensic point of view, and a decryption method for it is needed. In this paper we analyze LockMyPix, a Vault App that provides a secure-folder function, and propose a method to recover the photo and video data it encrypts. Through debugging analysis we identified the separate hidden directory path and key file that LockMyPix uses to store the designated photos and videos, and through reverse engineering we analyzed the PIN-based encryption key generation and the data file encryption process. Based on the analyzed encryption process, we propose a method for extracting the PIN from the key file together with one original/encrypted file pair, and a method for decrypting all encrypted files. Finally, we discuss the limitations of the proposed decryption method and future work to improve it.
| Translated title of the contribution | A Study of the Decryption Method of LockMyPix’s Media Files for Forensic Analysis |
|---|---|
| Original language | Korean |
| Pages (from-to) | 269-278 |
| Number of pages | 10 |
| Journal | 디지털포렌식연구 (Digital Forensics Research) |
| Volume | 14 |
| Issue number | 3 |
| State | Published - 2020 |