· 7 years ago · Dec 30, 2018, 06:48 AM
1Don't we do Moon Jae-in impeach protest?
2
3Moon Jae-in President of South Korea
4moonriver365@president.go.kr
5
6 President Moon Jae-in, please reform the police and the prosecution who interrogate the suspect as a pervert.
7
8 I admit that I have to write this provocative title.
9
10 Please read the imaginative abundant investigation documents attached below.
11
12 Just three years ago, there was an interrogation of the prosecution and the police, who took someone and made him international criminals.
13
14 He asked for the investigation of the investigators, who were investigated in this way, but every time, all of the investigative commands were conducted by the Public Prosecutors' Office's Intelligence Service and none of them were charged with any crimes.
15
16 Unless Mr. President Moon Jae-in reform the old-fashioned way, the next turn will be Mr. President Moon Jae-in.
17
18
19
20
21 ++++++++++++++++++++ police copyrights ++++++++++++++++++++
22
231st round
24
25Kwak Dong-kyu Q: What is the current state of the suspect? (Investigators wrote that they used a monotonous body when they wrote it, but it is different from the actual one.)
26 Answer: There is no place to be particularly sick.
27
28Kwak Dong-kyu Moon: Is there any obstacle to the investigation?
29 Answer: There is no interference with the investigation.
30
31Kwak Dong-kyu Q: Does the suspect have been sentenced to criminal prosecution or prosecution?
32 Answer: I once went to the Dongdaemun Police Station and wrote a letter of appreciation.
33
34Kwak Dong-kyu Moon: What will happen to the Dongdaemun Police Station?
35 A: In the year of 2011, I was going out of Shinnimun Station subway station and passing through India, and somebody was ahead of me, but I have the fact that the police have just checked me. The reason for the inspection is that I have lost one camera at the Lee Mun Sung Cultural Center. I was taken to the Dongdaemun Police Station because I was a suspect, and I received a DNA test there, but I remember that there was no punishment.
36
37Kwak Dong-kyu Moon: Do you know what the suspect is currently under investigation for?
38 Answer: I know. I know that I have been investigated for threatening to kill White House Obama and for threatening to murder US ambassador to Ripper.
39
40Kwak Dong-kyu Moon: The suspects were arrested on July 14, 2015 at the Seoul Metropolitan Police Agency, Cyber ​​Investigation Division, Is it true?
41 Answer: Yes. At that time, there was a fact that I was arrested and notified of the Miranda principle in my room.
42
43Kwak Dong-kyu Moon: Was there any items that were confiscated at the time of arrest?
44 A: I know I had a hard copy of the computer from the detectives who had executed the seizure before the arrest, and I was told that I had done so, but I know that the computer hard disk was not confiscated. I just heard that the investigator (Kim Young Rae) who was conducting the investigation just before confiscated the notebook and USB original.
45
46Kwak Dong-kyu Moon: Say military service.
47 A: In January 2005, I served the sergeant in the 9th Division of the White Horse.
48
49Kwak Dong-kyu Q: How was your military life?
50 A: Military life was very hard. There were eight senior members for four months, and seven of them were Jeolla people, and it was hard for them to harass.
51
52Kwak Dong-kyu Q: What is blood type and religion?
53 A: He is O, and there is no religion.
54
55Kwak Dong-kyu Q: What is your height and weight?
56 Answer: Height is 168 centimeters, weight is 72 kilograms, blood type is O type.
57
58Kim Young-rae Moon: Just before the arrest, the suspect said that he drank a beer in front of the investigator (Kim Young-rae) in his room and had already mixed beer and liquor.
59 A: Yes, I remember the situation at the time.
60
61Kim Young-rae Q: What is the usual amount of money for the suspect?
62 Answer: Weak beer is between 500cc and 1000cc. Drinking that much is like sleeping.
63
64 (A hangover remained at the time of the first and second police investigations.
65
66Kim Young-rae Q: Do you usually drink regularly?
67 A: I have an irregular life, and I usually drink when I can not sleep.
68
69Kwak Dong-kyu Q: Tell me your academic background.
70 A: I graduated from Kyungbok High School in 2000 and graduated from Yongin Campus (now Global Campus) of Hankuk University of Foreign Studies for 4 years.
71
72Kwak Dong-kyu Moon: Did you have a major or minor in college?
73 A: Major is Digital Information Engineering, minor is Biochemistry (now Chemistry). In the school itself, one day, suddenly, without a proper notification to the students, the major of biochemistry was lost and changed into chemistry. So, when I wrote my graduation thesis, the major was in digital information engineering and the minor was listed in biochemistry. But when I write my resume while working, biochemistry seems to have falsified my resume with a missing department. I became disadvantageous to Hankuk University of Foreign Studies where I graduated.
74
75 (At about 14:59, the suspect has been appointed to the counsel, so he confirms the counsel 's appointment and pauses the investigation to give him time to help.
76
77 (At 15:25, he resumed the investigation with the participation of lawyer Park Chul-Hyun, and participated in the investigation by Nam Sang-wook (cyber criminal investigation investigator). .)
78
79Son Woo-sung Moon: Do you mean that you have negative feelings about Hankuk University of Foreign Studies?
80 A: I have a dissatisfaction rather than a bad reputation.
81
82Son Woo-sung Q: What is the major area of ​​Digital Information Engineering?
83 A: It is related to digital computer, Internet communication.
84
85Son Woo-sung Moon: (in a coercive manner) If the main subject of the suspect is digital information technology, will the suspect have a knowledge of computers?
86 A: Yes, I think so myself. (The accused also gave other answers but only recorded this.)
87
88 (The investigators around me kept asking me to be a computer expert, a hacker, or a hacker, so I went for a high-level test. I asked for an objective test to verify my computer skills, but I did not record any related questions.)
89
90Son Woo-sung Moon: Did you ever do other activities such as student councils at university?
91 A: I did not go to the student council, but I spent about a year in my first year at the school. The suspect stated to the investigator, "I went one day and asked to pay for the subscription fee, but I quit."
92
93Kim Young-rae Q. What happens to property, property, and monthly income in the name of the suspect?
94 Answer: I know that my mother bought my brother's studio in my name, and now I have no savings or savings in my name at all. There is no monthly income.
95
96Kim Young-rae Q: Who is the current cell phone number and name of the suspect?
97 Answer: There is one pink LG mobile phone that I joined as my mother's name. I rarely use it, so I can not remember the phone number.
98
99Kim Young-rae: Do you mean that the suspect can not remember the cell phone number he is using?
100 A: Yes, I can not remember.
101
102Kim Young-rae Q: Why are you using a mobile phone that is subscribed to your mother's name instead of your name?
103 A: I do not like to use a cell phone, and I do not want to use an electric wave.
104
105Son Woo-sung Q: What about family relationships?
106 Answer: I have a parent and a younger brother (OO, OO birth), Mo (Kim OO, OO birth), brother (OO, OO birth).
107
108Son Woo-sung Q: Where is the suspect currently residing?
109 A: I am currently living with my parents at my parents' home.
110
111Son Woo-sung Q: When did you live with your parents?
112 A: I live with my parents from birth to the present, except for one thing I did when I was in college (the suspects stated that they stayed for two years but did not record them).
113
114Kim Young-rae Moon: What is the suspect currently doing?
115 Answer: I am unemployed.
116
117Kim Young-rae Q: How do you use your living expenses?
118 Answer: No special expenditure.
119
120Kim Young-rae Moon: There is no special expenditure. If you are a normal person, you will need to pay a certain amount of money, such as transportation expenses, when you go out.
121 Answer: I use it because I ask my parents, and I do not go out, and I continue studying at home at home.
122
123 (Investigator Kim Young-rae asked the suspect "How did you live in the expensive 45-pyong apartment? Where did you go to buy goods at Costco?" The suspect said, "The apartment is the parent. I have not been listed in the dossier, but I am a man who knew that I was buying goods at Costco, my parents and those who worked at the KBS Press Office. At that time I bought two cakes at Costco, CNN translator, Lee Seung - yeon, a 5 to 6 - year - old woman, said, "I have seen this cake selling at Costco, I am a costco jockey. ? "And I said," I bought it at Costco, I bought it at a reunion point. "The police Knowing to see KBS at home and knowing to see the chief at Costco is very relevant to KBS, or at this time the police investigated all of their parents' financial information and found out that they frequently use Costco .
124
125Kim Young-rae Moon: Do you mean that the suspect is only studying in the house without going out?
126 Answer: Yes, yes. After leaving the company around 2013, I have been living in a house because I do not want to be disturbed by other people.
127
128Son Woo-sung Q: Tell me about social activities after military service.
129 A: In 2005, I was discharged from the military and worked at a gas station for about three months. After graduating from college in 2009, I worked for a chemical company that did not remember my name for about two weeks. I went to KBS reception in 2011 and worked until 2013.
130
131Kim Young-rae Q. What is KBS receptionist?
132 A: I was in charge of English translation work, including foreign news. (The investigator emphasized English translation.) The suspect did not record a statement that "recording the foreign news and delivering it to the editorial office was the main task."
133
134Kim Young-rae Q. Does the suspect become an English speaker, translating foreign news, etc.?
135 A: I think that is enough.
136
137Kim Young-rae Q: So the suspect will speak English very well?
138 A: TOEIC is about 780 points, TOEFL is about 82 points.
139
140Kim Young-rae Q: Have you ever worked in other places related to English?
141 Answer: I just told Citibank that I had worked for about two months in Citibank. When I joined the Citibank, I went into English language grades.
142
143 (Nam Sang-wook's investigator came back and Son Soo-sung investigated him and questioned him, but he did not record it.)
144
145Nam Sang-wook Moon: Looking at the criminal history of the suspects, the Seoul Northern District Prosecutors' Office on Sept. 28, 2012 dismissed the theft of nightly buildings.
146 Answer: In the previous survey, I went to the Dongdaemun Police Station and stated that I was investigated as a camera suspect.
147
148Nam Sang-wook Q: How many computers are installed in the suspect's residence?
149 Answer: I have one integrated PC in my room, and I have a desktop and a laptop in my room.
150
151Nam Sang-wook Q: Does the suspect play internet games?
152 A: I do not play internet games.
153
154 (Nam Sang-Uk investigates again, but does not record it in the dossier)
155
156Kwak Dong-kyu Q: What is the main purpose of computers?
157 Answer: A desktop installed in my room (no built-in personal computer with a special name (brand name) purchased on the internet) (Kim Young-rae instructs investigator Kwak Dong-kyu, who plays keyboard, to insert parentheses in the record and record the contents in parentheses .) Is not used because it is broken and the notebook (Lenovo) is mainly used to study French.
158
159Kim Young-rae Q: How do you study French with a laptop?
160 Answer: I use it as a way to watch a language learning program (Rosetta Stone) through a laptop. (The suspect stated that he also used Fluenz, another language study program, but Kwak Dong-kyu, the investigator, omitted it arbitrarily.)
161
162Kwak Dong-kyu Q: What Internet sites do the suspects access?
163 A: I usually search Google, and I am connecting mainly to 4chan site like this.
164
165Kim Young-rae Q: What is 4chan site?
166 A: It's a site like Dish Inside (a kind of free bulletin board) in Korea, which is used by various people all over the world.
167
168Kwak Dong-kyu Q: What do you usually search on Google or 4chan sites?
169 Answer: Google is used to look up French words in images, while 4chan site is used to watch frivolous videos.
170
171Kim Young-rae Q: When was the last time you searched Google or 4chan site?
172 Answer: I do almost every day, so there is no need to specify a date. (The suspect stated in each of the two questions of the investigator that "Google uses every day for every day of study," "4chan uses one or two times a week," but the investigator ties the two questions together and runs Google and 4chan daily Recorded.
173
174Kwak Dong-kyu Q: What happens to the internet company that is using the subscriber's house?
175 Answer: The internet company we use at home is Tibor Road. (Investigators showed the evidence to the suspect in advance of the question and informed the information. Attorney Park Cheol-hyun does not object.
176
177Kwak Dong-kyu Q: Are the suspects using blogs?
178 A: I am using a blog spot from Google.
179
180Kwak Dong-kyu Q: Do you have a blog created by the suspect?
181 Answer: Yes. I have only about 10 blogs that I've opened only in Google, only bosulachi I can remember the address and I can not remember the rest.
182
183Kwak Dong-kyu Moon: Do you have any blogs that have been opened elsewhere, such as Naver?
184 A: I do not have any other blogs that use Google only.
185
186Kim Young-rae Moon: When did you create a blog such as bosulachi?
187 A: It is remembered that it was opened around 2014 to 2015.
188
189Kwak Dong-kyu Q: What was your blog for?
190 A: It was created to organize political opinions.
191
192Kim Young-rae Moon: What do you mean by political views?
193 A: I am standing on the conservative side and criticizing the North Koreans.
194
195Kwak Dong-kyu Q: Have you ever posted a political opinion through a blog?
196 Answer: Yes. I have expressed my political views on all the blogs I've opened in Google.
197
198Kim Young-rae Moon: What are the details?
199 A: The first is "North Korea's intervention in Gwangju," and the second is "opposing reunification." I will say that much. You can see the blog directly. (These comments were not advocated by the suspect, but discussed blogging issues on the Internet at the time of the investigation.)
200
201Kwak Dong-kyu Q: Does the suspect know the ISS program at Hankuk University of Foreign Studies?
202 Answer: I do not know.
203
204Kwak Dong-kyu Moon: Does the suspect know the hufs?
205 Answer: Yes. Hankuk University of Foreign Studies site.
206
207Kwak Dong-kyu Q: Does the suspect know the mail account at summer@hufs.ac.kr?
208 Answer: I do not know.
209
210Kim Young-rae: Have you used or used the above e-mail?
211 Answer: Never used.
212
213Kwak Dong-kyu Moon: Dr. korea Have you ever used a nickname Isis One?
214 Answer: I have not used it.
215
216Kim Young-rae Moon: Do you know the above nickname?
217 Answer: I have no idea. I saw it for the first time.
218
219Kwak Dong-kyu Q: 8221732061 Do you know your phone number?
220 Answer: I do not know.
221
222Kim Young-rae Q: Have you used the above phone number?
223 Answer: No.
224
225Kwak Dong-kyu Moon: The suspect is July 7, 2015. Have you accessed the White House website around 20:20?
226 Answer: Not at all.
227
228Kim Young-rae Moon: Do you have access to the US White House homepage even if it is not the above date?
229 Answer: No, never.
230
231Kwak Dong-kyu Question: Did the suspect ever visit the website of the White House on the above date and time?
232 'From: Mr. Dong, Seoul, Korea, Seoul, Korea, Seoul, Korea), Address: Kangwon National University, Korea, 130-791, Damascus', and the following text Message: Dear Mr. President Obama and Mrs. First lady Michelle.
233 ===========================
234 Hi.
235 I'm HUFS student from Seoul, Korea.
236 How's your president family?
237 I'm sick of my life cause I always mastervating with tranny prons.
238 One day, I realize that I'm not going to die like this.
239 I want to be a famous Korean male in USA history.
240 Therefore, I am going to anal rape your second daughter Natasha.
241 Is that okay?
242 I think that bitch's asshole is much tighter than Malia Ann.
243 So I need parents permission before the nigger anus.
244 Do not worry about me: I eat lots of Kimchi so free from AIDS.
245 I eager to penetrate nigro asshole before I killed by Kim Jung-un.
246 Thanks.
247 A: Not at all.
248
249Kim Young-rae Moon: Did the accused see the English version of the White House homepage that the investigator showed?
250 Answer: Yes.
251
252Kwak Dong-kyu Q: Can I interpret the English content?
253 A: Yes, you can.
254
255Kim Young-rae Moon: So, is it possible to do the opposite?
256 A: It is better than that. And the English content and the writing style I write are wrong.
257
258 At this time, notice the contents of English translated into Hangul against the suspect.
259
260Kim Young-rae Moon: The suspect heard the above-mentioned English content translated into Korean directly from the investigator?
261 Answer: Yes, I heard it.
262
263Kim Young-rae Moon: To summarize the above content, the man who posted the above statement "lacking masturbation, raping the second daughter of President Obama in America, becoming a Korean man famous in American history" It is shown. What do the suspects think about the contents of the above?
264 A: I do not think I posted this on the White House homepage.
265
266Kim Young-rae Moon: Why do you think the suspect was raised by an American student?
267 A: On the streets, Obama is thinking that people are the most likely to approach the United States.
268
269Kwak Dong-kyu Q: If I see Obama, the president of the United States, saying that raping his daughter is rape, I think he feels quite frightened. What do you think of the suspect?
270 Answer: Yes, yes.
271
272Kim Young-rae Moon: What do you mean by "yes, yes"?
273 Answer: Obama is also saying that you can feel the fear. (The investigator asked her whether she was afraid to apply the alleged threat.)
274
275Kwak Dong-kyu Q: Do the suspects know that the US Ambassador to Korea, Ripert, was arrested in Korea in March 2015?
276 A: I've posted articles that I know from the press and strongly criticize people who have tackled my blog.
277
278Kwak Dong-kyu Q: How do you think the suspect will accept if Ambassador Ripper has seen these intimidating posts?
279 A: I feel like I get the same feeling (fear) as Obama before.
280
281Kim Young-rae Moon: In the case of Ambassador Repert, I am living in Korea, and since I have actually received an assassination, is anyone seen to be able to attack if I feel like it?
282 Answer: It is very likely.
283
284Kim Young-rae Moon: Does the suspect think of the relationship between the United States and Korea?
285 Answer: I think it is an alliance.
286
287Kwak Dong-kyu Moon: Is the fact that the suspect stated that he used the notebook (Lenovo) alone in the suspect's residence?
288 Answer: Yes. There is a fact that said. I am using my laptop at home. I have set the password so I can not use my parents or even my brother.
289
290Kwak Dong-kyu Moon: Just before the arrest of the suspect in the residence of the suspect, did the suspect know that he had executed a seizure search warrant at the Cyber ​​Investigation Department of the Seoul Metropolitan Police Department and checked the notebooks used by the suspect?
291 Answer: Yes. I know what I have checked about the laptop I was using at the Cyber ​​Crime Department of the Seoul Metropolitan Police Agency.
292
293Kim Young-rae Moon: The suspect clearly stated that he used the notebook alone (Lenovo)?
294 Answer: Yes, yes.
295
296Kim Young-rae Moon: July 7, 2015. The original text of the intimidating statement about raping the US President Obama's daughter was posted on the White House post. However, according to the cyber criminal investigation center of the Seoul Metropolitan Police Agency, about one minute later, the suspect discovered that the file was saved as 'isis.png' in the M / Bureau / to folder at the bottom of the Document and Setting folder of the suspect, Did not upload the post above?
297 Answer: The OS (Operating System) that was laid on my laptop is in France time zone. If you check it, there will be time difference. I can clearly see that it is not my post based on time difference.
298
299 At this time, I stopped the investigation for dinner. (Investigators gather together to talk in a heated expression.)
300
301Kwak Dong-kyu Q: Is this statement true?
302 Answer: Yes.
303
304Kwak Dong-kyu Moon: Do you have any more to say?
305 Answer: I will leave it at the time of two times. (Although the suspect said, "No," the lawyer Park Chul-hyun, who was sitting there, wrote the suspect as it was written.)
306
307Second round
308
309 At this time, we show one newspaper report to the accused,
310
311Kim Young-rae Q: Are the contents of the one-time statement all right?
312 A: Yes, all right.
313
314 At this time, under the participation of lawyer Park Cheol-hyun,
315
316Kim Young-rae Moon: Detention of the suspect's residence One laptop in the study room, one desktop in the suspect's room (with two computer hard disks, one hard disk next to it), Desktop 1 in the library There was a discovery, and try to make statements about the purpose of each computer use.
317 A: Lenovo, which was kept in the study room, is used by myself only for French study and internet connection. I use the desktop in the room where I sleep, I am not using it because of a computer failure due to a computer breakdown in 2013, and I use the desktop in the library sometimes for the purpose of searching the Internet and it is a computer that my parents use mainly.
318
319Kim Young-rae Moon: Lenovo (s / n: WB09564311), a notebook found in a suspect's residence, is used only by suspects. When did you use the above computer?
320 A: After the desktop computer crashed around 2013, I bought it on the Internet and used it myself.
321
322Kim Young-rae Moon: I have been told that I want to access the Internet.
323 Answer: I am mainly visiting 4Chan.org and the Google blog I run.
324
325 At this time, July 20, 2015, the investigation report (suspects found in the OO computer, the original capture file) isis.png, usa.png file shows the output to the suspect.
326
327Nam Sang-wook Moon, Sang-wook Moon, July 14, 2015 In the Digital Evidence Analysis Center of the Seoul Metropolitan Police Agency, the computer analysis program Encase was used to generate the suspect notebook hard disk as a separate imaging file, As a result of the investigation, it was found in the isis.png and usa.png files found on the suspect's notebook that the US President threatened to rape Obama's daughter and threatened to terrorize US Ambassador Ripper, This is a picture file that you capture.
328 Answer: I mainly visit 4Chan.org and I do not know exactly whether I have read, captured, downloaded, correctly captured or downloaded the posts posted on the above site. (The suspect was suspicious of Google image search in addition to 4Chan, where he investigated the definition and difference of the capture and the download.) The suspect considers the capture and download to be mixed and writes mixed, and the investigator catches the pod This was not recorded in the record.)
329
330Nam Sang-wook Q: What capture program did you usually use?
331 Answer: I use the capture program which is an extension of Google web browser. (The investigator asked for the name of the capture program.) The suspect wrote four or six capture programs from Google search and said they did not know the name of each one.
332
333 (The investigator asked how long it took to write, and stated that the suspect took two to six hours.)
334
335Nam Sang-wook Q: How do I capture it?
336 A: When you look at the Google web browser, you will see a 'camera' icon at the top of your web browser. Click on the icon to capture all the screens you see in your web browser.
337
338Nam Sang-wook: Do you use any extensions to save what path to save when capturing?
339 Answer: I can specify the storage path arbitrarily, and I usually save a lot on the desktop, and use the png file extension. The png file format is mainly used because the picture quality is clear.
340
341Nam Sang-wook Q: Do not you use another capture program?
342 Answer: I use some other programs, but the Google Chrome browser has a convenient capture function.
343
344Nam Sang-wook Q: What kind of website is 4Chan.org?
345 A: There are many different kinds of articles posted. I mainly read political and sexual writings.
346
347Nam Sang-wook Q: What is sexual content?
348 Answer: The most exciting thing I have seen recently is that a woman is pissing.
349
350Nam Sang-wook Q: What information do the suspects post on the site?
351 A: I do not post articles like YAHAN video, but I am posting mostly political content in Korea. (The suspect posted the same thing on the blog as well, with about 2 postings in English, like 4Chan.)
352
353Nam Sang-wook Q: I will check back isis.png, usa.png. (The investigator showed me the file again.) Did you download the above file or capture it?
354 Answer: I read the above picture again and got it.
355
356Nam Sang-wook Moon: July 13, 2015 When we confiscated the seizure, we told our investigator that the above file was captured. And in the previous statement, I stated that I did not know whether I was downloading or capturing. Why am I clarifying again that I have downloaded the statement again?
357 Answer: The photographer showed the photo size of the photo file today. And yesterday, I said capture and download are mixed, so I just say capture. I did not even read the above photo on the 13th.
358
359Nam Sang-wook Moon: 2015. 7.13. At the time of the seizure, the cyber criminal investigator of the Seoul Metropolitan Police Department asked me several times to check the above photo.
360 Answer: Yes. Requested.
361
362Nam Sang-wook Moon: But why did not you read it?
363 Answer: I was lying because I was bored.
364
365Nam Sang-wook Moon: I was searching for confiscation.
366 A: I did not want to get up because I was still sleeping while I was drinking.
367
368Nam Sang-wook Moon: At the end of the seizure search, you saw the picture of the manuscript (White House photo) through your mother and mother.
369 Answer: I confirmed the picture, but it was not the above picture. (The suspect clearly remembered the pictures stored on his mother's cell phone, but it was not 4chan.)
370
371Nam Sang-wook Q: How do I download picture files from the Internet?
372 Answer: When you right-click, there is a download button, which is downloaded by pressing the button above. The save path is mainly saved on the desktop, and sometimes the file name is changed or not.
373
374Nam Sang-wook Q: Why am I changing the file name?
375 Answer: If you do not normally change it, but the file name is too long or the file name contains special characters, change the file name.
376
377Nam Sang-wook Q: What do you usually name the file name?
378 Answer: There is no reason to change the actual filename when downloading. However, if the filename is too long, it is difficult to keep it on my computer and change the filename. (The statement "It is difficult to identify" in the statement is written by the investigator as it is intended.) The suspect stated "I do not change the name to make it easier to identify.
379
380Nam Sang-wook: Do you save the file name with a special name when saving?
381 A: If the file name is long, cut off the last part of the file name, or select the whole file name and save it as short name with no meaning.
382
383Nam Sang-wook Moon: When the suspect downloaded the photo file from the internet, he said that he would save the file as randomly. How was the original text file named "isis" and "usa"
384 Answer: I do not know isis.png and usa.png is my favorite word. (The suspect has demonstrated to the investigators and lawyers the possibility of entering the isis via the keyboard location, but the investigator noted that he was not sure.)
385
386Nam Sang-wook Q: How was the email address used to write the Obama intimidation 'isshufs@gmail.com'? How did the suspect save the file and save the file as 'isis'?
387 A: I think Iss and Isis are different.
388
389Nam Sang-wook: When the above captured file is saved on the suspect computer and the time it was created isis.png (Obama threats) file will be released on July 7, 20:20 pm, usa.png The intimidation article for this article was confirmed on July 8, 2015 at 02:27. Also, the time for the obsession for Obama to be posted on the US White House website is around July 7, 20:20, and the article on the reporter is scheduled for July 8, 2012, It's possible.
390 Serial Number / Content / Time / Time Difference
391 1 / Time Obama Obscene Writes to the White House / June 1, 2015. 7. 20:20 / about 1 minute
392 2 / The Obama intimidating text was created and saved on the suspect computer / July 20, 2015
393 3 / Repert Thousand Times posted on the White House / Jul. 8, 2015 / about 1 minute
394 4 / Time of the protest manuscript created and saved on the suspect computer / June 8, 2015
395 The suspect stated that he had downloaded and stored the contents posted on the Internet to the suspect computer. Did he / she read the threat on the Internet and stored it on the victim's computer as soon as it was posted on the White House?
396 Answer: My computer is set to French time zone and 4Chan.org site is US site, so there will be time error. (The suspect had misunderstood 4Chan.org as a US site, according to Wikipedia, 4Chan.org is a Japanese site.)
397
398Nam Sang-wook Q: The suspect laptops are set up with OS operating system in French language and the time zone is also based on Paris time. So, there is -7 hour time difference with Korea. However, when analyzing with the Encase analysis program used by the investigation agency, it is possible to clearly see the time generated and the modified time by changing the above French time zone to the domestic time zone, and thus the above generation time is the domestic time.
399 At this time, the suspect is shown the access time of the isis.png file, and it is arbitrary.
400 As a result, the cyber criminal investigation center on July 13, 2015 will try to access the above file. Therefore, the above access time will be indicated on July 13, 2015. In conclusion, the time that was created on the suspect computer was the Korean time. So, as in the previous question, is someone reading a post in the White House in just one minute and storing it on the suspect computer, and can this behavior be repeated twice?
401 At this time, the FBI requests the suspect and displays the text and time information sent by the FBI.
402 Answer: I do not know.
403
404Nam Sang-wook Q: Is it possible to do the above work in just one minute?
405 A: It will not be possible in a minute.
406
407Nam Sang-wook Q: If the suspect thinks it is not possible, is the suspect posted?
408 Answer: If it is possible, I think that it is impossible if it can be done by myself and it is impossible. Nam Sang - wook, who had heard the statement, was staring at him for a long time with a very questionable look.
409
410Nam Sang-wook: So the suspect is monitoring the White House intimidation posts posted by others in near real time, then checking them and storing them on the victim's computer?
411 A: You have not monitored it in real time. There is no such ability. (Here, 'real-time monitoring' refers to reading a new article updated in real time by accessing the White House site.)
412
413Nam Sang-wook Q: What type of web browser do suspects use when accessing the Internet?
414 A: I am using a Google Chrome browser.
415
416Nam Sang-wook Moon: Is the fact that the suspect accessed the White House website?
417 Answer: I have never been connected.
418
419 At this time, the picture file 'screencapture-www-whitehouse-gov-thank-you-1436290042624.png' attached to the White House homepage written by the suspect computer is displayed.
420
421Nam Sang-wook: If you look at the above picture file found on the suspect computer, it is the screen capture of the homepage of the US White House and it starts with "Thank you for contacting the White House". It is confirmed that the captured file is captured directly from the suspect computer through Capture, an extension function of the Google Chrome web browser. Is it true that you have written the article by accessing the White House website? ?
422 Answer: I downloaded the picture file with the above file name.
423
424Nam Sang-wook: If you check the date and time of creation of the above capture file, you will be notified of the date and time (June 8, 2015, 2015) The same is true. After the complainant wrote the reputation, did not the output screen of the completion of the caption be captured on the suspect computer using the extension function of the Google Chrome browser and saved?
425 A: I do not know this.
426
427 At this time, July 20, 2015, the investigation report (4Chan and 4Chan about the posted on the backup site) shows the picture file attached to the optional.
428
429Nam Sang-wook Moon: The suspect stated that he had downloaded the above picture file on the 4Chan.org website by referring to Repert's intimidation article. It is about 02:31. And the time of the above threat pictures on the suspect computer is around July 8, 2015. How can the time saved on the suspect computer be faster than the time posted on the 4Chan.org site?
430 Answer: I do not know.
431
432Nam Sang-wook: Did not the suspect write the blackmail and post it on 4Chan.org?
433 A: Not so. I have a problem with my computer and I have some malicious code.
434
435 At this time, the text file s.txt found on the suspect computer is displayed to the suspect and attached to the end of this document.
436
437Nam Sang-wook: If you look at the date of creation of the above text file, the file creation date is around April 10, 2014, 16:59. If you look at the contents, you can see the email 'isshufs@gmail.com' "I will kill Ambassador Ripper by penetrating the US embassy in Korean," "Obama will kidnap a small daughter and rape my anus", and the Twitter address listed in the intimidated article "http://twitter.com/isis_med 'And a text file of the Obama intimidation text was found. When and why did you write the above sentence?
438 Answer: I do not know.
439
440Nam Sang-wook: Did you post the threats in the White House with the above phrase written in English?
441 A: I have not.
442
443 At this time, the photo files found on the suspect computer are shown as 1.jpg, 14.jpg, 10.jpg, 8.jpg, 4.jpg, 2.jpg, 1.jpg, 18.jpg, 5oe254mvhpke.jpg .
444
445Nam Sang-wook Q: The above file access time is around Jul. 7, 21:28. In the above photo, Repert was threatened with terrorism by Kim Ki-jong, Kim Kyeong-jong and Obama, and the time for the reporter and Obama to be intimidated by the intimidation was reached on July 7, 2015. You read a picture of the aptitude episode, right?
446 Answer: It's what I saw because it was stored in my folder. However, I did not write intimidation article.
447
448Nam Sang-wook Moon: The threat pictures stored on the suspect computer were created on the suspect computer on March 6, 2015. For some reason, all the threat pictures were uploaded on July 7, Did you read it?
449 A: It seems that all files are accessed at that time while the folder is being organized, and the access time has changed.
450
451Nam Sang-wook: Unfortunately, Obama and Reporter's threats were posted on the White House on July 7, 2015.
452 A: I do not know that.
453
454 At this time, July 27, 2015, the investigation report (for the search warrant application for), attached to the [Foreign Foreign Ministry, the Foreign Ministry confirmed the article on the page] is shown,
455
456Nam Sang-wook Q: In the above article, I used 'email summer@hufs.ac.kr' using ip 124.197.152.111 on July 7, I do not know if this is the case. For reference, the above IP address 124.197.152 is the IP address of the defendant's residence. Because the suspect is a floating IP, the last number can change each time.
457 A: I did not post it.
458
459Nam Sang-wook Q: Then who posted it?
460 Answer: I do not know.
461
462Nam Sang-wook Q: I'm sure you posted the above article in the suspect's IP band. Do you really not know?
463 A: I do not remember.
464
465Nam Sang-wook: When you click the url link posted on the above article, the internet address http://boards.4chan.org/pol/thread/47625963 is verified. If you connect to the above url, 'isshufs @ gmail. com 'e-mail is being written to' isshufs@gmail.com 'Do not you know?
466 At this time, please attach http://boards.4chan.org/pol/thread/47625963 url link printout at the end of this document.
467 Answer: I do not know. I can not remember.
468
469Nam Sang-wook: 'isshufs@gmail.com' is listed in the s.txt file found on the suspect computer.
470 A: I do not remember.
471
472Nam Sang-wook Moon: The e-mail address 'isshufs@gmail.com' is an email used to write a blackmail message to Obama. It is also stored in the s.txt file that the suspect is kept in. Is it listed on the site?
473 A: When I do a search on Google, it looks like it came with me.
474
475Nam Sang-wook Q: Did you say you do not remember the previous statement?
476 Answer: It is regretful to say that it is the reversal of the statement though it is the human being because it is a human being. (The statements of these suspects were recorded without further ado.) Since then, the suspect has been suffering from the mental pressure of a reversal of the statement until he is released from jail and jailed.
477
478Nam Sang-wook Q: Does the suspect mislead him?
479 Answer: I have never posted a blackmail.
480
481Nam Sang-wook Moon: July 14, 2015. During the arrest, is it true that you threw objects at the Seoul Metropolitan Police Department Cybercrime and Ward staff?
482 Answer: Yes.
483
484Nam Sang-wook Moon: What did you throw at?
485 Answer: It's called a cold pack. (A cold pack is an ice pack.) After drinking, I was lying on my forehead with a cold pack with a headache.
486
487Nam Sang-wook Moon: What did you say?
488 A: I can not remember what kind of profanity I have specifically done.
489
490Kwak Dong-kyu Moon: I think the investigator remembered that he had been saying, "Hey, these bastards." Is that right? (This investigator refers to Kwak Dong - gyu who is accompanied by Nam Sang - wook.) Kwak Dong - kyu intervened and questioned.
491 Answer: I can not remember whether I used the word "bastard" or how many times I used it. (The suspect stated that he did not use the word "bastard" but wrote that he did not remember.)
492
493Nam Sang-wook Moon: I came to the Seoul Metropolitan Police Agency's Metropolitan Police Department and lie on the floor of the office to say, "Bring a wheelchair," "Get an executive chair."
494 Answer: I was drunk and drunken.
495
496Nam Sang-wook Moon: You were wearing only panties at the time of arrest?
497 Answer: Yes, yes.
498
499Nam Sang-wook Moon: At the time of the arrest, the investigator of the Seoul Metropolitan Police Department (wearing a walker at the time of the investigation of Choi Sung-sik in the investigation team and stepping on the suspect's neck in the process of cuffing him) You did not wear it?
500 Answer: Yes, I did not wear it.
501
502Nam Sang-wook Moon: Who wore the clothes?
503 Answer: The investigator put on the clothe.
504
505Nam Sang-wook Moon: Why did you continue to do such an action during your arrest or office?
506 A: I feel like I am excited. (Dozens of people came to the house of the suspect and suddenly arrested and was excited).
507
508Nam Sang-wook Moon: Seizure Search You have not lived in bed for about five hours, did you?
509 A: I do not remember the exact time, but it did not happen.
510
511Nam Sang-wook Moon: In the blog (helpkorea.blogspot.kr) of Nam Sang-wook, there is an article called 'How to Make Money from the Internet (Acquisition of Foreign Currency)'. Why did you write this article?
512 Answer: I wrote for the sake of women.
513
514Nam Sang-wook Moon: In the above helpkorea.blogspot.kr, there is an article entitled "My Ministry of Defense Civilization". When I look at the contents of the article, "Ji Sung-woo calls me as a laundry hanger, I have been shaken 20 times and then I have been ejaculated in the anus. "Is this true?
515 Answer: Yes, yes.
516
517Nam Sang-wook Q: Do you have any bad memories about anus?
518 A: I think it is a gag, not a bad memory.
519
520Nam Sang-wook: Do you think that Obama's anus is also a gag and raped an anus?
521 A: I have not.
522
523Nam Sang-wook Moon: In the suspect blog (fuckingkorean.blogspot.kr), I posted the diploma, transcript, graduation certificate and transcript of the suspect under the heading 'SSUL' I have lost my job because I have changed my minor in chemistry unilaterally without prior notice in the university. I have also been suspected of having my own academic background, personal credit, and suffered mental harm from my job as a freelance worker. "Do you have a strong dissatisfaction with foreign language classes?
524 Answer: Yes. I have a complaint. (Although the suspect did not use the word "strong", the investigator Kwak Dong-kyu of the next place repeatedly replied the suspect's answer and continued to write "strong dissatisfaction." Although the suspect pointed out, A suspect asked for removal and dragged two lines and interrupted him.)
525
526Nam Sang-wook Moon: In the blog (unicefusa.blogspot.kr) of Nam Sang-wook, a photograph of a woman wearing only panties and wearing clothes on her head with a pan on her head and expressing her nickname "뀨뀨" Is the suspect posted? (In addition to this question, the investigator changed from time to time during the investigation, but the record did not record the names of the investigators who questioned.)
527 Answer: Yes. I posted it.
528
529Nam Sang-wook Q: Why did you post this picture?
530 Answer: I posted it for fun.
531
532Nam Sang-wook Q: Did you try to get sponsorship by inserting the account number of the suspect in the photo of only the underwear?
533 Answer: Yes, yes.
534
535Nam Sang-wook Q: How much did you sponsor so far?
536 Answer: I got 20,000 won.
537
538Nam Sang-wook Moon: What did you use when you used the word "shit-chill" on the wall?
539 A: I do not remember.
540
541Nam Sang-wook Moon: This is a reporter and Obama intimidation article. The e-mail address is' isshufs@gmail.com ', which is used by the staff of Hankuk University of Foreign Studies. The phone number is' 82 02 2173 2062 ', and the address is Hankook University of Foreign Studies. For what reasons did the person who wrote the above article write the address, phone number, and e-mail of Hankuk University of Foreign Studies?
542 A: This is a common address.
543
544Nam Sang-wook Moon: As far as I think, I think that a person with a strong dissatisfaction with foreign languages ​​would have written a threatening statement. What is the opinion of the suspect?
545 A: I think it would have been written by a person who is dissatisfied with foreign language.
546
547Nam Sang-wook Moon: And if you look at the content of the intimidation article, it says "I'm HUFS student from Seoul, Korea".
548 Answer: Yes, yes.
549
550Nam Sang-wook Moon: Did you graduate from a foreign language college and post the above content in a blackmail message like this?
551 Answer: I would have used the word undergraduated instead of student.
552
553Nam Sang-wook Moon: And both the intimidation against Obama and the intimidation about reporter had strong complaints about foreign universities by writing emails, phone numbers, and addresses of foreign university staff, Do you think that the person who wrote this threat letter impersonated foreign language group like this?
554 A: The same person has written two intimidating documents and is probably one of the students at Hankuk University of Foreign Studies.
555
556Nam Sang-wook Q: What is the name of the second daughter Obama and the name of the first daughter?
557 Answer: The second daughter's name is Natasha, and I know that the first daughter's name does not know exactly and ends in. (The investigator showed the name on the intimidating document and asked the investigator the additional information that the suspect had learned, and he did not record it in the dossier when he said that the suspect had "the document the investigator showed." A lawyer Park Chul Hyun was silent.
558
559Nam Sang-wook Moon: I did not know the name of the first daughter and knew exactly the name of the second daughter.
560 A: I do not remember that.
561
562Nam Sang-wook Q: Does the suspect want to be famous?
563 A: I want to be a successful person rather than a famous person.
564
565Kim Young-rae Moon, July 13, 2015. 13. Seized at the time of the seizure. We told our investigator (Kim Young Rae), "It seems to be famous."
566 Answer: Yes, yes.
567
568Nam Sang-wook Moon: Obama said, "I decided to become a famous Korean man in the US today." Did he decide to become a famous person?
569 A: What I'm saying is that I am a politician and a famous person, not a serial killer.
570
571Nam Sang-wook Moon: Have you ever thought about serial killers?
572 A: I've never thought about it before.
573
574Nam Sang-wook Q: When is the suspect mainly used on the computer?
575 Answer: The time zone is not set, but we use it at night or early morning.
576
577Nam Sang-wook Moon: The time of Obama's intimidation was 20:20 and the reporter's intent was written at 02:26. Is it a time zone where the suspect mainly uses computers (more than 50%)?
578 Answer: Yes, yes.
579
580Nam Sang-wook: Do you have evidence or statements that are favorable to the suspect?
581 A: I will submit it later.
582
583Nam Sang-wook: Do you have any more to say?
584 A: If you look at the contents of my blog about the referent, you can see that it is contrary to the police claim. Please disclose specific details about the IP band.
585
586 (After consulting the attorney Park Cheol-hyun who joined the investigation and the suspect's first and second journals, they come to the newspaper)
587
588Nam Sang-wook Q: Are all the statements stated in the previous meeting true?
589 Answer: None of the statements made in the previous survey are true.
590
591Nam Sang-wook: Do you have statements that differ from those of the suspect?
592 Answer: Not at all.
593
594Nam Sang-wook Moon: Does the suspect know the current arrest warrant?
595 A: Yes, I know.
596
597Nam Sang-wook Q: What do you think about the arrest warrant for the suspect's crime charges?
598 A: I think it is wrong.
599
600Nam Sang-wook Moon: What is wrong with you?
601 A: I did not intend to harm the US President Young-ae, and I did not intend to risk the riper Foreign Ambassador.
602
603Nam Sang-wook: Do you mean that in the case of the suspect, there was nothing wrong with you and you were unjustly arrested?
604 Answer: Yes, yes.
605
606Nam Sang-wook Moon: Does that mean that the judge and the investigating agency are wrong?
607 Answer: Yes, yes.
608
609Nam Sang-wook: Does the suspect mean that the evidence that the investigative agency can not trust?
610 A: Yes, I can not trust the evidence presented by the police.
611
612Nam Sang-wook Moon: The evidence presented by the police is an objectively obtained data from cyber police officers who are experts in the computer field.
613 A: I do not know exactly what part it is.
614
615Nam Sang-wook Q: What do you mean by not knowing exactly what part you are?
616 A: I am not a computer expert or a forensic examiner.
617
618Nam Sang-wook Q: Is not the suspect a computer engineer?
619 A: Digital and computer engineering are different.
620
621Nam Sang-wook Moon: Which part is different?
622 A: The paper I wrote when I graduated is about sound, about digital signals, and computer engineering is about the computer itself.
623
624Nam Sang-wook: Did not the suspect claim to have a knowledgeable knowledge of the computer in the statement before?
625 A: Yes, it is true.
626
627Nam Sang-wook: In conclusion, you do not trust the police evidence?
628 Answer: There is no partial trust.
629
630Nam Sang-wook Q: Do you mean that there is another part that you can trust that the part is not trusting?
631 Answer: ENCAEC Time-lapse analysis is reliable. (A cybercriminal investigator, a computer expert, continues to spell the ENCASE program incorrectly as ENCAEC, which is one of the reasons for the lack of confidence in the investigation.)
632
633 At this time, the suspect suddenly says that he can not trust the program to analyze ENCAEC parallax. The suspect described "trust", but the investigator wrote that the suspect's statement was heard as gibberish.
634
635Nam Sang-wook Moon: Do you mean to trust the ENCAEC program that the evidence that analyzed the time lapse of the threatening posting presented by the police as evidence is correct?
636 Answer: Yes, yes.
637
638Nam Sang-wook Moon: The suspect clearly said he trusted the ENCAEC program. In the previous statement, I stated that the operating system (OS) laid down in the suspect's laptop was in French time zone and that it would be possible to find out by observing the time difference. Why did you say so?
639 Answer: I heard that the Cyber ​​Police officer explained. (The suspect believed so because he trusted the explanation of the computer expert.)
640
641Nam Sang-wook Moon: Do not you mean that when you interpret the current suspect's statement, the suspect posted a post that intimidates President Obama?
642 Answer: I just want to trust the cyber-forensic investigation technique.
643
644Nam Sang-wook Q: If you have confidence in cyber-forensic investigation, you should trust the evidence presented by cyber-police.
645 Answer: I have a part that I do not understand. The first is the way Porter operates. The way PORCHAN works is, in short, a real-time posting like a daily best. The second is Google search engine exposure time. That means the post is not deleted right away, but exists on the Internet for some time.
646
647Nam Sang-wook Q: What does it mean to have confidence in cyber-investigation techniques and how to operate Pocan?
648 Answer: I trust cyber forensic techniques, but the ENCAEC program is poor. Porter and Google also want to apply cyber-forensic investigation techniques to Porter and Google.
649
650Nam Sang-wook: So, if the objection is not clear and the ENCAEC program is objectively clear about the operation of Pocan or Google, as the suspect claims, how would you accept it?
651 A: I will acknowledge you if you disclose the truth in a public authority.
652
653Nam Sang-wook Q: If the ENCAEC program or cybercriminals in a reputable institution has no problem with the evidence, would you say that you would admit the suspect's allegations?
654 Answer: You are acknowledging the credible result, not the accusation. I have never written or wrote the article.
655
656Nam Sang-wook: If you have been verified by a reputable institution, would not it be the objective evidence to refute the statement even if the accused claims no?
657 Answer: It is objective evidence that we want you to investigate enough evidence.
658
659 (The above questions are typical guidance questions.) The suspect was not able to understand the above questions properly.
660
661Nam Sang-wook Moon: What was the suspect's childhood like?
662 A: My childhood was loved by my parents, and I was surrounded by a lot of single parents who were economically more difficult than their friends, but were relatively happy.
663
664Nam Sang-wook Q: What was your home environment like?
665 Answer: It was generally a harmonious family.
666
667Nam Sang-wook Q: How was your family?
668 Answer: It was a good one.
669
670Nam Sang-wook Q: How was your relationship with your childhood?
671 A: I did not have a lot of friends because I had few words, but there were about 10 really close friends.
672
673Nam Sang-wook Q: What is your relationship now?
674 A: I have no friends at the moment.
675
676Nam Sang-wook: Why do not you have a friend?
677 A: I moved to school often, I came to the army, and I looked for the course of my life, so my relationship became faded. So when I was young I was not in touch with my close friends. Even if my friends want to meet, I do not have anything to do, and I am avoiding it.
678
679Nam Sang-wook Q: What was your grade at school?
680 A: When I was in elementary school, it was mediocre. To make up for what I did not do in high school, I studied really hard not to be matched with college days and motives.
681
682Nam Sang-wook Q: How did you look back on your military life?
683 A: Military life was the worst of the worst.
684
685Nam Sang-wook Moon: Which part was the worst?
686 A: I have made a statement before that. In addition, if you tell me what you are doing when you are discharged, it is likely that OO Sergeant is doing his worst and worst. For example, one of the motivations did not receive cold training, but I received it. That's because it was only for me.
687
688Nam Sang-wook: Why did the suspect quit his job?
689 A: To be honest, it was hard. I wanted to study a little more and go to study abroad and live a better life.
690
691Nam Sang-wook Moon: What part was difficult?
692 A: When I was working at KBS, I was physically struggling to work 5 or 3 shifts.
693
694Nam Sang-wook Q: Why are you not doing a job today?
695 A: I am studying French.
696
697Nam Sang-wook: Can I study while I work?
698 A: Because my style does not do a lot of things and I want to get results in a short time. And French is hard.
699
700Nam Sang-wook Moon: The suspect stated that he was living a secluded life in his home?
701 Answer: Yes. There is a fact that I have stated.
702
703Nam Sang-wook Q: What is your daily routine?
704 A: The morning hours are not fixed. My life is irregular, and I usually live with my rhythm at night time.
705
706Nam Sang-wook Q: What do you usually do at home?
707 A: I sit in a fluffy chair and study French for about 14 to 21 hours.
708
709Nam Sang-wook Moon: Anything else?
710 A: In my free time, I am posting political articles mainly on blogs. (The purpose is to turn my attention and turn my head off).
711
712Nam Sang-wook Q: How much time do you spend on computer during the day?
713 A: I study on a computer, so it is time to study.
714
715Nam Sang-wook: Did the suspect live a night life before he was arrested recently? Or did you live in the morning?
716 A: I was in the transition from an evening human to a morning human.
717
718Nam Sang-wook Moon: This is the date of the alleged suspicion, July 7, and July 8, 2015.
719 A: I think that I was studying 50 or 50, maybe I was sleeping while drinking.
720
721Nam Sang-wook Moon: If you studied, did you use a computer?
722 Answer: Yes. If I had studied, I would have used a computer.
723
724Nam Sang-wook Question: What is the special reason to use poisonous foreign sites in spite of the fact that there are many domestic sites such as Naver?
725 A: As you know, Naver or the next one, Ivara, is a van (blocked) if you make a political comment or post on a site. So it's a relatively free site, such as Pocan and Google Blog Spot.
726
727Nam Sang-wook Moon: The suspect stated that he used the confiscated notebook (Lenovo) alone in the suspect?
728 Answer: I keep using the password myself.
729
730Nam Sang-wook Q: What happens to my password?
731 Answer: Your password is 656565.
732
733Nam Sang-wook: I am going to ask again, the suspects visit the White House website to rape the daughter of President Obama and threaten to murder President Obama and his family and then kill Ambassador Ripper. Did you actually upload it?
734 A: There is no such thing at all.
735
736Nam Sang-wook: Do not the suspects make a false statement because of the fear that they will be seriously punished if the charges are taken?
737 Answer: No.
738
739Nam Sang-wook Q: Is it not the wrong idea of ​​the suspects to deny the charges of reprisals in the previous statement? (The suspects visited the lawyer Park Chul-hyun at the detention center before the investigation of the third investigation, and the lawyer informed the suspect about the sentence, and the investigator Nam Sang-wook knows the contents. can see.)
740 Answer: No.
741
742Nam Sang-wook Moon: The time the Obama intimidation article was posted to the White House on July 7, 2015, 20:20 pm, the time of the original threat file was saved on the suspect computer, After a posting on the White House for about a minute, it was confirmed that it was captured and stored on the suspect computer, and the threat to the reporter was also posted on the White House for about one minute, I did. Is the statement still the same now?
743 Answer: Yes. I still think it is impossible.
744
745Nam Sang-wook Q: Is not the accusation of the accused right?
746 Answer: No. I would like you to disclose this part in digital forensic techniques. (The suspect answered "truth" and not "statement".)
747
748Nam Sang-wook Moon: Obscene texts kept on the suspect computer. The suspects claim to have downloaded the image file from 4Chan.org. However, the original text on the 4Chan.org site is posted on the 4Chan.org site. The deadline for the original sentence (for reporter) on the suspect computer is July 8, 2015, 2015. On August 8, 2015, the suspect's claim is confirmed as a false statement Does the suspect deny the charges?
749 Answer: It is possible but not.
750
751Nam Sang-wook: Why is the suspect denying the contents of his allegations even after checking the Seoul Metropolitan Police Cybercrime investigation to clarify the contents of the allegations?
752 Answer: As I mentioned at first, there are various possibilities.
753
754Nam Sang-wook: What do you think of the usual suspects, President Obama and Ambassador Repert?
755 A: I am a person who wants to get a work visa in the United States. I am a political patriotic conservative. In the ROK - US alliance, President Obama and Ambassador Repert recognize the need to be protected.
756
757Nam Sang-wook: Did the suspect actually see President Obama and Ambassador Repert?
758 A: I've never actually seen it.
759
760Nam Sang-wook Q: What do the suspects think about the United States?
761 A: I am a country that envies the United States.
762
763Nam Sang-wook: Did the suspect have a plan to immigrate to the United States?
764 A: First of all, I was thinking about transferring to a US college after graduating from college before I graduated from college. After graduating from college, I decided to go to immigration because it costs 60 million to 80 million won, I thought that it would be 8 ~ 10 years to collect money and go to immigration or transfer.
765
766Nam Sang-wook Moon: By the way, why did not you go?
767 A: I'm still preparing to go now.
768
769Nam Sang-wook: I suspect the suspect is still preparing to go to the United States, but he is not actually collecting money or making any other efforts.
770 A: In the present situation, I do not collect money because I plan to get money at home.
771
772Nam Sang-wook Moon: Although the suspect says America is a country of envy, is not it because he has dreamed of immigrating to the United States for a long time and has not been able to execute it?
773 Answer: No.
774
775Nam Sang-wook: Did the suspect ever join a social organization?
776 Answer: Not at all.
777
778Nam Sang-wook: I am going to ask you once more. According to the judgment of the investigating agency, the evidence collected by the investigating agency, judging by the evidence, it seems that the suspect posted a threatening statement.
779 A: I think the evidence of the investigation agency was not good and the judgment was wrong.
780
781Nam Sang-wook Moon: Then, what proof would the suspect have to give?
782 Answer: I do not know.
783
784Nam Sang-wook: Did the suspect talk about the lawyer and the polygraph before he started the investigation?
785 Answer: Yes.
786
787Nam Sang-wook: Do you have a willingness to take a lie detector?
788 A: Yes, I will. I will accept anything to clarify my innocence.
789
790Nam Sang-wook Q: What is your current feelings?
791 A: There is no rattling. (The investigator asked the suspect what it meant by "ridiculous" but did not record it.)
792
793Nam Sang-wook Q: Is the statement true?
794 Answer: It is true.
795
796Nam Sang-wook Moon: Do you have any more to say?
797 A: On page 5, it is not the intention of the ENCAEC program to be ill-advised, which means that the investigation is currently inadequate. (The investigator said that he described the suspect as "poor.")
798
799Three times
800
801 At this time, the lawyer Park Chul - hyun participates in the discussion with arbitrary participation. (At the time of the police investigation, the investigators were instructed by a messenger program installed on the computer used for cell phone and dossier to ask questions in real time with the investigators outside the investigation room. )
802
803 At this time, the suspects and lawyers will show the 7th report on July 15, 2015 (the suspect confirms the setting of the OO notebook time zone setting)
804
805Nam Sang-wook: Even if the suspect laptops are set in French time zone, if the computer analysis program Encase is converted into domestic time, the creation date of the file and the access date can all be confirmed by the national standard time. Go?
806 Answer: Yes. I understand what the investigator explained, and I fully understand the time.
807
808 At this time, July 15, 2015 investigation report (about the time posted on 4Chan site) show two pieces, and make an arbitrary answer.
809
810Nam Sang-wook Moon: I analyzed the time posted on the foreign site 4Chan.org at the Seoul Metropolitan Police Agency's cyber criminal investigation office. When I posted the Korean time 17:13, In the end, it appears that the above site is located in the United States. The time posted on this site is printed in domestic time. Do you accept the above?
811 Answer: Yes. I understood and acknowledged the contents that the investigator showed directly. (Not many people watch the posted time zone while writing on the Internet.)
812
813 At this time, I show an investigation report (analysis of the Google Chrome browser capture function and analysis of the writing screen of the website of the US White House).
814
815Nam Sang-wook: The following five files found on the suspect's notebook are generated by capturing directly from the suspect's laptop through the Google Chrome browser, and seencapture-www-whitehouse-gov-contact-submit- comments-1432397652564.png and seencapture-www-whitehouse-gov-contact-submit-questions-and-comments-1432397921271.png files will be posted on the White House website on May 5, 2015 at 01:14 and 01:17 The 13-digit number that is displayed next to the capture file name is the same as the generation time of the generated file, and the above 13-digit number is the time information that is automatically generated when capturing from Google Chrome. The time of the capture file created on the notebook is the same as the date and time of capture, so that if the suspect is downloaded from the Internet, Seen from the above that there's time to capture capture program may be the same, there is confirmation that the suspect has written articles connected directly to the White House website, is not that a suspect directly after article creation, capture? (The investigator attached the Encase analysis screen to the dossier.) This long question is not a question asking the suspect's answer.)
816 A: I do not know who did it. It is not me who wrote. It was not the first time to access the whitehouse.
817
818Nam Sang-wook Moon: The suspect's laptop has a password set?
819 Answer: Yes, yes.
820
821Nam Sang-wook Q: Can not use the laptop above the suspect?
822 Answer: Yes, yes.
823
824Nam Sang-wook Moon: By the way, how can I not only use the suspects, but I have 5 captures of the contents that I write to the white house by connecting to the white house, and the above file creation date and time The date and time when the file was created) is the same, but can I say that the suspect does not know?
825 A: I can not remember it all individually.
826
827Nam Sang-wook Moon: Do not you remember that the suspect did not write? (Investigators tied several questions together or asked a lot of questions to ask questions, but they were forced to answer the suspect only with 'yes' or 'no'.
828
829 The suspect looks at the investigator's eyes for a moment and then answers. (In this case, investigators are attacking through the description of the behavior of the suspect.)
830
831 Answer: I did not. (The suspect responded only to 'yes' or' no ', depending on the investigators' enforcement.)
832
833 The accused continues to write notes on A4 paper notes. (The note used by the suspect at the time of the investigation was written by Park Cheol-hyeon, the lawyer, who told the suspect that he was "unable to carry the paper in the custody") and each time the investigation was completed, he took the suspect's note and handed it to the investigators.
834
835Nam Sang-wook Moon: If the suspect did not do it, who did it?
836 Answer: I do not know.
837
838Nam Sang-wook Q: So what is the origin of the above capture file?
839 A: I have a lot of capture and I do not remember. (It is even more suspicious that the suspect remembers everything he has stored on the laptop.) In this way, the investigators proceeded to coerce the suspects into a lie, remembering all the details.
840
841Nam Sang-wook Moon: Then, where did you download the isis.png, usa.png capturing file?
842 A: You should have downloaded it from 4Chan.org or Google.
843
844 At this time, the suspect showed 35 pictures of Repert Metabolism on OO computer, and gave an arbitrary answer.
845
846Nam Sang-wook Q: What is the above picture source?
847 Answer: It is a picture that is downloaded from the Internet by searching Google with 'KIM KIM Jong', 'Reporter', 'KIMSU'. (At the time of the investigation, the suspect referred to 'Kim Kyeong-jong' as 'Lee Kyeong-jong' because he did not know him well, but the investigators wrote 'Kim Kyeong-jong' without informing the victim.
848
849Nam Sang-wook Q: Why did you download it?
850 Answer: I received a criticism of Kim Ki-jong, who attacked Ripper, to post on the Internet.
851
852Nam Sang-wook Q: Did you write criticism about Kim Ki-jong?
853 Answer: I wrote.
854
855Nam Sang-wook Q: Do you have any material to prove you wrote it?
856 A: Not now. (The suspect was reminded of the motto: "Let's go with" "Let's go with" "Let's go together"). "I said," Let's go together, "the USFK commander in charge of AFKN (USFK) I remembered it shortly after the terrorist attack and cited it in my criticism, "but the investigator did not record it. The next-door investigator said," Let's go with Ambassador Ripper. " "And the accused replied," It is an honor to have inspired Ripper's thoughts. "These statements were not recorded at all.
857
858Nam Sang-wook Moon: If you look at the photos of threats detected on the suspect computer, the file creation date and time will be all around June 3, 2015, and the last access date will be 6.8 to 6.6. Also, it will be 15 times on July 7, 2015. The above date is the date of publication of the intimidation article in the US White House on July 7, 2015. 7. 7. Why did you read the pictures about Kyung Ri Supervisor 15 times?
859 A: I honestly do not know. (The suspect assumed that the access time was changed when moving the photo file.)
860
861Nam Sang-wook Question: 7. 7. Do you remember reading pictures?
862 Answer: I have never seen it.
863
864Nam Sang-wook Q: Do you have any interest in Ripper?
865 A: I have a lot of interest since I was attacked by Kim Ki-jong.
866
867Nam Sang-wook Q: Why did you get interested in Ripper?
868 Answer: I was interested because the traps were shocking.
869
870Nam Sang-wook Q: What is the relationship between the suspect and the reporter?
871 Answer: Not at all.
872
873Nam Sang-wook: It is said that the suspect has been downloaded to post critical criticism of Kim Ki-jong. When the investigator reads the material posted on the suspect blog on his smartphone, , And the time spent on the suspect computer for pictures related to the leak will be on March 6, 2015. I have already posted all the articles about Repertory 3. 6. Why did you download it?
874 A: I have a long memory.
875
876Nam Sang-wook Moon: Looking at the ML.JPG and ML0.JPG files found on the suspect computer, I found that Repert's ambassador blended the blood and jokers in the Batman movie.
877 Answer: Yes, yes.
878
879Nam Sang-wook: Why did you combine the bloody scenes of Repert's blood and the joker's picture from the Batman movie?
880 Answer: I do not know.
881
882Nam Sang-wook Moon: Why did you synthesize?
883 A: I think I downloaded it.
884
885Nam Sang-wook Q: Why do you keep repeating your statements?
886 A: It 's been a long time and I can not remember anything. (May 3, 5, 2015), so it is possible that I may not remember it long before the investigation, and I have also asked forcible investigation questions in the reversal of the statement. )
887
888Nam Sang-wook Q: In the previous question, I am sure that the suspects synthesized.
889 A: It seems to have been downloaded from overseas internet humor site. Honestly, it is an old thing, so I can not remember it.
890
891Nam Sang-wook Q: What do suspects usually think of IS armed groups?
892 A: I think it is an unjustified armed group for IS armed groups.
893
894Nam Sang-wook Do you like IS?
895 Answer: I think it is bad.
896
897Nam Sang-wook Q: Do you know the fact that Koreans have been transferred to an IS militant group?
898 Answer: I heard from the news.
899
900Nam Sang-wook Q: What do you think?
901 A: I think it is the wrong choice.
902
903Nam Sang-wook Moon: Six IS-related images were found on the suspect computer, and the isis.jpg file name shows a combination of a young boy shooting a gun and a young boy with a gunman. Did you combine two photo files into one?
904 Answer: Yes. I combined what I downloaded on the Internet.
905
906Nam Sang-wook Q: Why did you combine the above files?
907 Answer: I joined to write a criticism on IS. The reason we combined the two is to increase persuasiveness.
908
909Nam Sang-wook Q: Is the official name IS?
910 Answer: I do not know exactly whether IS is the official name or ISIS. (In this statement, investigator Nam Sang-wook said, "How do you know whether the official name is IS or ISIS?"
911
912Nam Sang-wook Q: Is the name of the suspect's notebook combined with the name ISIS.JPG?
913 Answer: Yes, yes.
914
915Nam Sang-wook Q: Is ISIS known as ISIS and the file name is ISIS?
916 Answer: I accidentally wrote the keyboard randomly and the file name was ISIS.JPG. I explained this to the lawyer, but I do not know why I made the file name ISIS. (The suspect did not answer "I do not know.") The suspect demonstrated the process of pushing I and S on the keyboard vending machine in front of the investigator as a habit.
917
918Nam Sang-wook Moon: Image of the IS related file stored on the suspect computer When I look at the ISIS gallery.png, I have synthesized a picture of the Korean gallery and the IS terrorist (boy) I made a composite picture that shows that the gallery is the same. Why is it synthesized?
919 Answer: The picture is synthesized as above.
920
921Nam Sang-wook Q: So you're following IS?
922 A: I will not follow.
923
924Nam Sang-wook Q: Then what is the IS's willingness to live up to?
925 A: I saw a sad feeling in the eyes of an IS boy.
926
927 At this time, the accused is in a bad mood. (In this case, the cybercriminals investigator described the behavior in a record.)
928
929Nam Sang-wook Q: Why do you often repeat statements that you have shown a determined will in the previous question but now feel sad once again?
930 A: When I first saw it, I did not remember it.
931
932Nam Sang-wook Moon: In the first question, I stated that there is a certain willingness to be clear. Why do not you tell me now that you did not remember?
933 A: I think that it is possible to interpret several pictures as meaning.
934
935Nam Sang-wook Moon: The author name is 'Dr Korea Isis One' when writing a threat against Reporter Ambassador. The date on which the IS-related images were found on the suspect computer is from June 29, 2015 to 06:53 to 07:36, and the last date that the images were accessed is from July 3, . The time of the crime is 7. 7. and 7. 8. If the suspect sees the IS-related photos and writes the IS-related phrases at the time of the reputation intimidation, is not it?
936 Answer: No.
937
938 At this time, the suspect is shown a screen analyzed by the computer analysis program Encase and the screen posted on 4chan.org, and attached to the end of this document.
939
940Nam Sang-wook: The link file (lnk) is a file that is automatically created on your computer when you view the file. In addition, A0066246.lnk and usa.png link files found on suspect computers are added, and all the time is checked as below. Did you hear from the investigator exactly what was above?
941
942 Serial number / contents / date
943 1 / Rupert Threaten posted on White House / 7. 8. 02:26
944 2 / Screen capture file found on suspect computer (screen shown at the time of writing) screencapture-www-whitehouse-gov-thank-you-1436290042624.png After completing the writing in the White House, File / 7. 8. 02:27
945 3 / The link file of the above 2 file ("usa.lnk" in the parentheses was printed out in the record.) However, every page of the record in which the suspect was printed was taken to prevent forgery prevention, After they chased it, they scratched the line in the "usa.lnk" and made them suspect that the mistake was one of the reasons for the trust in the investigation. The link file is created when the above file 2 is executed (browsed). / 7. 8. 02:27
946 4 / The threats found on the computer of the suspects Original capturing file (screen shown during the blackmail) usa.png
947 5 / 4chan.org Posted by usa.png on 7. August 02:31
948 6/4chan.org posted a usa.png related post on the screen capture of the captured file (screencapture-boards-4chan-org-pol-thread-47640986-1436290789215.png) with the Google browser chrome. * Link file (A0066246.lnk) Creation date / time 7. 8. 02:40
949
950 Answer: Yes. I've heard the exact explanation.
951
952 At this time, I explain it to the lawyer clearly and understand it all. (The Cyber ​​investigator noted that all of them were forcibly comprehended.)
953
954Nam Sang-wook Moon: 02. 26. The police officer completes the Ripper intimidation at the White House, captures the thank-you related webpage completed at 02:27 through the Google Chrome browser, 3 minutes later, the original text of the intimidation was changed to filename usa.png, and after one minute, the captured image was posted on 4chan.org site, and about 9 minutes later, 4chan.org again The file generated by capturing the above site was browsed, and the link file was created on the suspect computer, and the order of the time series was precisely matched. A total of five reporter-related threat files were found and exactly matched in chronological order Is it not the article posted by suspect?
955 Answer: Yes, it is.
956
957 At this time, the suspect smiled and laughed, answered clearly, and wrote notes on the note. (In this case, the investigator added a depiction of aggressive behavior.)
958
959Nam Sang-wook: When I checked the A0066246.lnk file found on the suspect computer, the date of creation was 2015. 7. 8. 02:40, and the above file was generated by 'screencapture-boards-4chan -org-pol-47640986-1436290789215.png 'Because you executed the file, it was confirmed that the above link file' A0066246.lnk 'was created. Did you actually access the 4chan.org site and capture the above site?
960 Answer: Although I have read reporter-related threats on 4chan.org, I can not remember capturing the 4chan.org site with the Google Chrome browser.
961
962Nam Sang-wook Q: So the article about Obama was also read at 4chan.org above?
963 Answer: Yes, yes.
964
965Nam Sang-wook Moon: In the previous statement, I read the original caption (usa.png, isis.png) from 4chan.org or Google.
966 Answer: No. There is no trust in me.
967
968Nam Sang-wook Q: So, is it true that all the statements so far have been wrong without trust?
969 Answer: I can not be confident that I saw it on 4chan.org. (The suspect stated in the sense that "I can not confirm whether I saw Obama's intimidation and Raptor intimidation article at 4chan or Google.")
970
971Nam Sang-wook Moon: The time posted on 4chan.org is 7.8. At 02:31, the time the original text was created on the suspect computer was 7.8. At 02:30, the time saved on the suspect computer is faster. How do you state that you have viewed and downloaded the 4chan.org site?
972 At this time, the accused responded clearly.
973 Answer: I do not know.
974
975Nam Sang-wook Q: Why do you answer the above questions immediately when you think and answer other questions?
976 Answer: Yes. It is not to protect me.
977
978Nam Sang-wook Q: According to the results of the digital evidence analysis, there are a lot of related capture files in the computer of the suspect, the time-series is accurate, and the suspect has not posted any intimidation. Is there evidence?
979 A: There is no current situation.
980
981Nam Sang-wook Q: If the blackmail is posted on 4chan.org, what are the reactions of the others?
982 A: There are people who are not sure about the site. I do not know the reaction.
983
984Nam Sang-wook Q: When people post interesting articles on 4chan.org?
985 Answer: I do not read the comment. (The comment is written in English, so the suspect will not read it because it is difficult to read.)
986
987Nam Sang-wook Q: What points are earned or posted by posting on the site?
988 A: I do not know.
989
990Nam Sang-wook Q: Do people from 4 countries have access to 4chan.org?
991 Answer: It is various. Because it is a US site, there are a lot of people in the United States, and many people from Australia, Belgium and so on. (The suspect described the US, Australia, and Belgian flags in the 4chan capture file presented by Nam Sang-wook.)
992
993Nam Sang-wook: How many times do you usually visit the site?
994 Answer: I study only once or twice a week.
995
996Nam Sang-wook Moon: The suspect was posted on Kyung Cheong University's website on June 29, 2014. If you do not prepare the Civil Defense transportation fee from next year, have you ever posted a post on Mapo Daigyo?
997 Answer: Yes, yes. The police came because of the letter.
998
999Nam Sang-wook Q: Why did you post the above article?
1000 A: In case of Civil Defense education, we think that transportation expenses should be paid.
1001
1002Nam Sang-wook: Did you write that you committed suicide because of transportation expenses?
1003 Answer: I did it because it was a must. (The suspect described it as "because it was a matter of course" or "of course, the transportation fee should be paid.")
1004
1005Nam Sang-wook Moon: What did the police do when they arrived?
1006 A: I checked to see if I was well and went back.
1007
1008Nam Sang-wook Moon: "On July 25, 2014, from 9 am to 6 pm, one of the demonstrators asked," I am on my own, is. The location is the place where the male representative of the Sungjae period served on July 26, 2013. " (The place where the male delegate of the Sungjae period invested was Mapo Bridge.)
1009 Answer: Yes, yes.
1010
1011Nam Sang-wook Q: Why did you write this article?
1012 Answer: As mentioned above, I thought that Civil Defense transportation fee should be paid.
1013
1014Nam Sang-wook Q: Have you written several times in the Blue House or the National Newspaper? (The investigator asked, "How many times did they all go together?")
1015 Answer: Cheong Wa Dae once, the National People 's Journal is more than two times, I do not remember exactly how many times.
1016
1017Nam Sang-wook Q: Do you like to post a civilization like above?
1018 A: I do not like it. I am writing because of the absurdity of the policy that did not reflect reality.
1019
1020Nam Sang-wook Q: How did you know about the Cheong Wa Dae homepage and the National Newspaper?
1021 A: I went to the reserve army training and learned about the National Newspaper from the executives. After graduating from high school, I got to know the Cheongwadae homepage through search. (The suspect explained, "When the reserve army training was carried out, the reserve army officers told the reserve soldiers," If there is a protest, please file a complaint with the Ministry of Defense. "The Cheongwadae homepage was to inquire about the early enlistment of the army after high school graduation. ").
1022
1023Nam Sang-wook Q: So how many times have you accessed the Blue House homepage so far?
1024 Answer: It is not accurate, but I connected about 2 ~ 3 times.
1025
1026Nam Sang-wook Moon: Did you write other related articles?
1027 A: I have posted 2 or 3 times in the National Newspaper.
1028
1029Nam Sang-wook Q: What post did you post to the National Newspaper?
1030 A: There are a few other complaints about the rape of the army, a request to pay for the reservists, but I do not remember exactly.
1031
1032Nam Sang-wook: The suspect claims to have downloaded the usa.png file. If the above file is downloaded from the Internet, the same Zone.identifier file will be created. However, the above file was not found on the suspect computer. From the above, what do you think the suspect looks like in the file he captured himself?
1033 Answer: I do not know.
1034
1035Nam Sang-wook Q: Do you know the secret of Google Chrome browser?
1036 Answer: Yes, yes.
1037
1038Nam Sang-wook Q: Why did you use the above function?
1039 Answer: I used something because it was a novel. (The accused was used 1 or 2 times for something.)
1040
1041Nam Sang-wook Q: What is incognito?
1042 Answer: I do not know.
1043
1044Nam Sang-wook: The secret feature is to hide secrets of Internet access from the Google Chrome browser without having to store cookies, temporary cache files, etc. when accessing the internet. Now you know?
1045 Answer: I do not know. (The suspect stated that "the explanation does not understand".)
1046
1047Nam Sang-wook Q: Do you use the above functions frequently?
1048 Answer: I used it about 1 ~ 2 times.
1049
1050Nam Sang-wook Q: Do you use any web browser other than Google Chrome browser?
1051 A: I also use opera.
1052
1053Nam Sang-wook Q: Do you have any more to say?
1054 A: I would like to ask 4chan and Google image cache "IP usage history" to the Korea Broadcasting Crime Unit, which is requested by the US government for investigation into the alleged diplomatic threat, and a search warrant for the server to the US FBI investigation unit. The States (The Star Spangles) Oh, oh, say can you see. By the dawn's early light. What so proudly we hail, at the twilight's last gleaming. Who's abroad, and bright stars, through the parelless fight. All the landpots we watch were so gatherly stream. And the rockets red glare then bombs burst in air. They prove through the night, that our flag was still there. Oh, does that star spangles, banners are weaving. For the land of the free, and the home of the braves. I am longing for Americans and trying to acquire citizenship and green card. I want to be a sincere society. God Bless America! I do not mind, but I want to go to the hospital and have blood pressure and ECG. I will pay for my headache and chest pain in the night. I will do it in an hour. (The suspect requested 4chan server, Google server, IP search warrant, but the police ignored the request.
1055
1056Nam Sang-wook: Do you have evidence or statements that are favorable to the suspect?
1057 Answer: Not until now.
1058
1059Nam Sang-wook Q: Are all of these statements true?
1060 Answer: Yes.
1061
1062Four times
1063
1064 At this time, under the participation of lawyer Park Cheol-hyun,
1065
1066Nam Sang-wook Q: Do you have any idea about women?
1067 A: I do not want to pursue benefits, but I have a duty to equip men with various duties, such as duty of defense.
1068
1069Nam Sang-wook Q: Does the suspect ever have a relationship with a girlfriend?
1070 Answer: Yes.
1071
1072Nam Sang-wook Q: When did you meet some people?
1073 Answer: During the sixth grade of elementary school, I have had about three times in total during my college days.
1074
1075Nam Sang-wook Q: How long have you been dating?
1076 Answer: It was a short time, but I can not remember the exact time, and it is sure to be less than 6 months.
1077
1078Nam Sang-wook Q: When was your date of fellowship?
1079 Answer: The army has gone to the first grade of college, and fellowship is in the second, third, and fourth grades of college. (The investigator asked the military when he was in college, and described the answer of the suspect as this question.)
1080
1081Nam Sang-wook Q: Have you recently been dating a woman?
1082 Answer: No.
1083
1084Nam Sang-wook Moon: The blog of the suspect has many articles about women that are hostile to women.
1085 A: I do not feel hostile to women. I think it is better to buy and buy sex rather than having a new woman.
1086
1087Nam Sang-wook Q: Do you not make a woman for the same reason?
1088 A: I do not make contact because I think it will hinder my studies.
1089
1090Nam Sang-wook Q: Does not it make it difficult for women to make friends?
1091 A: I do not want to hurt my girlfriend. I think we should have emotional responsibility if people come together.
1092
1093 At this time, the suspect speaks to the investigator who asked him to rub the suspect's shoulder at the time of the break. (During a break, investigator Kim Young-rae told the suspect, "Why would you stay here if you did not? Walk innocently!" And the suspect is trying to stand up from the chair and sits down with dizziness. The suspect has made such a request to the investigator for health reasons, but omits the post-war situation and records an aggressive depiction.)
1094
1095Nam Sang-wook Q: Does the suspect have a bad feeling about Jeolla?
1096 A: I have bad feelings.
1097
1098Nam Sang-wook Moon: What kind of bad feelings?
1099 A: I do not know where to find the public fund for the Jeolla Province politician (President Kim Dae-jung), but I do not know where he is, but most of the Cholla people are behind the scenes.
1100
1101Nam Sang-wook Q: Have you seen a few people in Cholla?
1102 A: During my elementary school days, during military affairs, during my college days, and during my working life, I met a lot of people from Cholla.
1103
1104Nam Sang-wook: Do not you come from another area?
1105 Answer: It is said that there is a lot of chance. (The suspect thought that Chungcheong - do had more backstriking than Cholla.
1106
1107Nam Sang-wook Q: Why do you have feelings about back door?
1108 A: I do not remember. (The investigator suddenly told me to tell the story behind the back door.
1109
1110Nam Sang-wook Moon: The suspect has stated in his earlier adverse statements that he "does not remember" and clearly says that he hated Cholla before. Why does not he remember it all of a sudden?
1111 A: I can not remember the present situation.
1112
1113Nam Sang-wook Moon: So, according to the suspect's statement, do not you think that not only Jeolla-do, but also those from other regions are hiding all over the people of the world and all the people in the world?
1114 A: I think there are good people.
1115
1116Nam Sang-wook Moon: Who is a good person?
1117 A: I am a free meals person.
1118
1119Nam Sang-wook Q: Do you hate everyone if you are from Cholla?
1120 A: I do not hate everything, but I hate people who do not hate it.
1121
1122Nam Sang-wook Q: Where is the suspect's home?
1123 A: It is Seoul. (The suspect's birthplace is Seoul.)
1124
1125Nam Sang-wook Q: Where is the suspect?
1126 Answer: Andong, Gyeongsangbuk-do. When I was in Seoul, my family stayed in Andong often. (The home of the suspect's parents was Gyeongsangbuk-do, and when the suspect was young, he visited the country every summer.
1127
1128Nam Sang-wook Moon: Did you have a senior from the military?
1129 Answer: Yes, yes.
1130
1131Nam Sang-wook Moon: What were the senior members of the Jeolla Province?
1132 A: When I was working, I wanted to bring a piece of equipment, but I did not like it. I think I was troubled by the man panting.
1133
1134Nam Sang-wook Q: What is the usual amount of money for suspect?
1135 Answer: The beer is 1000cc. If you drink shochu is not good. (There is no specific reason for the suspect to respond in numerical form, but he was questioned by the investigator that he had good memory.)
1136
1137Nam Sang-wook Q: Where and where do you drink alcohol?
1138 A: I drink alone at home.
1139
1140Nam Sang-wook Q: What kind of alcohol do you usually like?
1141 Answer: I like beer.
1142
1143Nam Sang-wook Moon: There is a liquor in the suspect's room, do not you drink liquor?
1144 Answer: Sometimes I mix with the liquor.
1145
1146Nam Sang-wook Q: Why is Yangju and other meat sauces in the suspect's room?
1147 Answer: I usually bring the sauce because I usually eat in my room.
1148
1149Nam Sang-wook Q: Why did you bring dozens of bottled water in the suspect's room?
1150 A: There is nowhere left for my mother to leave it in my room.
1151
1152Nam Sang-wook: Do you mean that there is no place to put the water bottle above the pit house?
1153 Answer: I do not know. Ask your mother.
1154
1155Nam Sang-wook Q: How often do you drink alcohol?
1156 Answer: Drink about once a week.
1157
1158Nam Sang-wook Q: Who is buying alcohol?
1159 A: Sometimes parents come and go with their parents. (The suspect stated, "Sometimes I go to the mart with my parents.")
1160
1161Nam Sang-wook: Do you drink with your father?
1162 Answer: My father does not drink together because he likes rice wine.
1163
1164 At this time, the suspect trims. (Describe behavior for human attack.) The suspect came up from the top with stress and tension and trimmed.
1165
1166Nam Sang-wook Q: After drinking alcohol, do you have any other behaviors other than normal, such as not remembering, singing or sleeping?
1167 A: There is no such activity, and I drink mainly to take a good night's sleep. (Normally, the suspect's drinking habit is to drink beer while watching TV on the other side of the room, and drink alcohol when the alcohol is weak.) The suspect is used to study the notebook by blowing it, not to drink alcohol. Because the study room where the notebook is located is so hateful that it gets dirty with drinking alcohol, it never drinks in the study room, and it often witnesses the families of suspects.)
1168
1169Nam Sang-wook Q: Do you remember if you drink alcohol?
1170 A: At the KBS, after drinking alcohol, the film was broken, but not now. (The suspect has not drunk so much that the film has been severed since he left KBS in 2013.)
1171
1172Nam Sang-wook Q: The suspect is a good memory, a bad one?
1173 Answer: Good.
1174
1175Nam Sang-wook Q: What is the foreign language skill of suspect? (The suspect was treated as a spy who spoke three or four languages ​​to the police officers from the time of the emergency arrest.)
1176 Answer: The TOEIC score is 780, the speaking score is 150, and the French is the beginner level. (Speaking is TOEIC Speaking Test.)
1177
1178Nam Sang-wook Q: Do you have any language skills?
1179 A: I think I have language skills, but others say I can not.
1180
1181Nam Sang-wook Q: Do you have a good memory to have language ability?
1182 A: I think it is a hard work. (The suspect thought that language ability was an effort, not a memory.)
1183
1184Nam Sang-wook Q: How much did you drink at the time of the seizure?
1185 A: You drank about 2,000cc of beer. (The suspect drank two bottles of beer.)
1186
1187Nam Sang-wook Moon: The suspect drank beer during the seizure process, and tried to drink to Yangju?
1188 A: I drank 2 rounds of beer, but Yang tried to drink it, but the investigator told me not to eat it.
1189
1190Nam Sang-wook Q: Do you remember exactly when you were seized?
1191 A: I remember faintly.
1192
1193Nam Sang-wook Moon: Why do I remember a dim light drinking a lot?
1194 A: I had a hangover, and I was sleeping.
1195
1196Nam Sang-wook Q: When did you drink?
1197 Answer: You started drinking at 00:00 or 04:00 on the day of seizure and drinking 2,00cc until 12:00 am. (The day of the seizure is Jul. 13.)
1198
1199Nam Sang-wook Q: What do you like to eat?
1200 A: I just drink.
1201
1202Nam Sang-wook Moon: Did not you eat?
1203 A: I did not eat. (The suspect was starving from 13th to the present.)
1204
1205Nam Sang-wook Moon: I was laying on my bed for more than five hours at the time of the seizure, and after the emergency arrest, do you remember saying "bring an executive chair" or "bring a wheelchair"
1206 Answer: Yes.
1207
1208Nam Sang-wook Q: Do you remember clearly at the time of confiscation?
1209 A: I can recall a dim.
1210
1211Nam Sang-wook Moon: So if the suspect drinks a lot of alcohol, can not he remember all of it?
1212 Answer: Yes.
1213
1214Nam Sang-wook Moon: Maybe you can remember a dimly or not?
1215 Answer: Yes, yes.
1216
1217Nam Sang-wook Moon: At the time of the seizure of the suspect, the suspect made an insult such as "I am sick." Do you remember?
1218 A: I can not remember which word I used, but I remember remembering that I was hurried.
1219
1220Nam Sang-wook Moon: In conclusion, the suspect has a good memory, but the suspect does not remember all the contents when he drinks a lot.
1221 A: It is true that alcohol causes memory loss.
1222
1223Nam Sang-wook Moon: In the room where the suspect was sleeping, several masks were found, and for what purpose did he bring them?
1224 Answer: I bought two from the domestic Internet site for use as a toy. (The investigator did not record the statement in the memorandum that the suspects "bought the same toy when buying a product on the Internet and trying to meet the shipping reduction conditions.")
1225
1226Nam Sang-wook Moon: How do you use a mask as a toy?
1227 A: I had fun with two mothers of relatives on the New Year's Day.
1228
1229Nam Sang-wook Q: Is not that what you bought to use?
1230 A: I have an intention to write and play.
1231
1232Nam Sang-wook Moon: Is it fun to play in the sun?
1233 Answer: Not written. (The suspect stated in the sense of "I have never written a mask since purchasing it.")
1234
1235Nam Sang-wook Moon: What type of mask is it?
1236 Answer: Eyes are white circles, nostrils and mouth are small masks.
1237
1238Nam Sang-wook Moon: This mask is the mask of the famous hacker group Ananimus?
1239 Answer: No.
1240
1241Nam Sang-wook Q: How is it not?
1242 Answer: Ananimus mask has a mustache.
1243
1244Nam Sang-wook Moon: How much did you buy when you went upstairs?
1245 A: I can not remember the price range.
1246
1247Nam Sang-wook Moon: Ananimus is a famous hacker group on the Internet, right?
1248 Answer: Yes, yes.
1249
1250Nam Sang-wook Moon: How did you know Ananimus?
1251 A: I learned from the news.
1252
1253Nam Sang-wook Moon: In the blackmail about the Obama family, there is a post that says, "I am always tired of wearing a sex dresser and doing masturbation." What does a sex dresser mean?
1254 Answer: A sultry costume is high heels in stockings.
1255
1256Nam Sang-wook Moon: Is not mask wearing?
1257 A: I know there is a separate mask for senility. (The suspect stated in the sense that "If you go to a sexual disorder, you will have symptoms.")
1258
1259 At this time, the attorney gives attention to the suspect. The suspect is hesitant for a moment. (Park Cheol-hyeon, an attorney, told the suspect, "This is a place for investigation, not a knowledge hall.")
1260
1261Nam Sang-wook Q: Do the athletes wear masks a lot?
1262 Answer: I have not seen it.
1263
1264Nam Sang-wook Q: Do you have your favorite side dish?
1265 Answer: I prefer meat and meat.
1266
1267Nam Sang-wook: Do you usually like Kimchi?
1268 Answer: Sometimes I eat.
1269
1270Nam Sang-wook Moon: Which kimchi do you like?
1271 A: I like cabbage kimchi that my mother gave me.
1272
1273Nam Sang-wook Q: Are you safe from AIDS if you eat a lot of kimchi?
1274 A: I do not think it is groundless.
1275
1276Nam Sang-wook Q: In what way do you think like this?
1277 Answer: I know there is no evidence in Yang medicine.
1278
1279Nam Sang-wook Moon: Do not you trust TCM?
1280 Answer: I do not trust.
1281
1282Nam Sang-wook Moon: Obama's family intimidation article says "I eat Kimchi and I am safe from AIDS." What do you think about the above?
1283 A: I think it is bullshit. (The accused stated "in the sense of" there is no basis. ")
1284
1285 The suspect responds confidently. (Because it is natural).
1286
1287Nam Sang-wook Q: Then why did you post the above?
1288 Answer: There is no answer for me.
1289
1290Nam Sang-wook Q: What were you doing on July 7th and July 8th, 2015?
1291 A: I was at home and I do not know what I was doing.
1292
1293Nam Sang-wook Q: Who were you with at the time?
1294 Answer: There were only three people like father, mother, me.
1295
1296Nam Sang-wook Moon: Who gets access to the room where the suspect's laptop is found?
1297 Answer: I go in alone and use it. I can not let anyone get in.
1298
1299Nam Sang-wook: Do you have any reason to use this room alone?
1300 A: I do not like anyone who touches my stuff.
1301
1302Nam Sang-wook Q: Are you usually alone in the room above?
1303 Answer: Yes. I am alone.
1304
1305Nam Sang-wook Q: Why did you stop the entrance of the room with a bookcase?
1306 A: It is noisy. I moved the bookcase to the door entrance.
1307
1308Nam Sang-wook: Do you know that the suspect mother at the time of the seizure prevented the entrance to the room above the investigators?
1309 Answer: I first heard. (At the time of the confiscation, the accused continued to stay in the room next to the porch in the surveillance of two police officers.)
1310
1311Nam Sang-wook Q: What do you do alone in the room above?
1312 A: I study and access the internet.
1313
1314Nam Sang-wook Q: What is the identity the suspect uses on the Internet?
1315 Answer: There are several IDs such as helpmeusacom@gmail.com. Domestic mail is not used. (The suspect has Naver and the next ID that he does not use.)
1316
1317Nam Sang-wook Q: Why do you use overseas email only?
1318 Answer: To use the Google blog, Naver and the next time I post my article because the blog is blocked.
1319
1320Nam Sang-wook Q: What kind of content does this block?
1321 Answer: Political writings (such as writings about women) block themselves.
1322
1323Nam Sang-wook: Are you interested in politics as usual?
1324 A: I am not an enthusiastic political follower, but my political orientation is patriot pay. I have never joined a special political party.
1325
1326Nam Sang-wook Q: What do you think of Lim Soo-kyung?
1327 Answer: It is a pen name.
1328
1329Nam Sang-wook Moon: I'm from the school of the suspect. What do you think about Lim Soo Kyung?
1330 A: If Mr. Soo-kyung left Yong-in campus, he would have supported the department elsewhere.
1331
1332Nam Sang-wook Moon: What did Ms. Soo Kyung major in?
1333 A: I graduated from French literature.
1334
1335Nam Sang-wook Q: Then do you hate Lim Su Kyung?
1336 ANSWER: Ms. Soo Kyung Lim is hated by the North Koreans.
1337
1338Nam Sang-wook Moon: So what do you think about the best site for the day?
1339 A: I think they are poor people. (The suspect thought, "Because I can not get a job, and I live with my parents at home.")
1340
1341 At this time, the suspect trims. (Because the suspect was unable to eat, the sperm from above rises.)
1342
1343Nam Sang-wook Q: Who uses the notebook?
1344 Answer: I use it.
1345
1346Nam Sang-wook Q: Do parents and siblings use a laptop?
1347 Answer: No. Not once.
1348
1349Nam Sang-wook Q: Who knows your notebook password?
1350 Answer: I know only.
1351
1352Nam Sang-wook Q: Why did I set a password on my laptop?
1353 Answer: I only use it for myself.
1354
1355Nam Sang-wook Q: What does the password mean?
1356 Answer: No meaning. (The suspect has demonstrated to the investigator that it is an easy location to press the index and stop on the keyboard.)
1357
1358 At this time, we show the screen shot of the SuperHideIp program found on the suspect's laptop desktop to the suspect, and attach it at the end of this document.
1359
1360Nam Sang-wook Q: I have found a program that can hide the SuperHideIp IP on the suspect computer desktop. I analyzed the above program directly by Cybercrime, and it was easy to change my computer's IP with a mouse click. Why can I change it to U.S.IP when I connect to the internet in Korea? Why?
1361 Answer: I downloaded and installed it on the Internet. (The suspect was doing something just once after installation.)
1362
1363Nam Sang-wook Q: Is not it the intention to hide your IP?
1364 Answer: No.
1365
1366Nam Sang-wook Moon: I did not intend to hide. Why did you download it?
1367 Answer: I am interested in seeing the arrest news about IP trace, and got it downloaded.
1368
1369Nam Sang-wook Q: How did you find out that you have the above program?
1370 Answer: I learned from internet search.
1371
1372Nam Sang-wook Q: How exactly did you download it?
1373 Answer: I have downloaded the keyword "ip change" from Google and searched the web page, but I do not know which site I got it from.
1374
1375Nam Sang-wook Q: Why are you trying to hide IP?
1376 Answer: I do not know.
1377
1378Nam Sang-wook Q: Do you make statements that only a disadvantageous statement is "I do not know"?
1379 A: In the news, I found that the police were arrested for tracking down the IP. (The suspect stumbled across KBS News, which reported this incident on a large television set in the Jongno police station detention center.)
1380
1381Nam Sang-wook Q: So, what kind of crime did you download?
1382 Answer: No.
1383
1384Nam Sang-wook Q: How many times have you tried this program?
1385 Answer: I installed Super Hide IP and tried it once after installation.
1386
1387Nam Sang-wook Q: How about running this program?
1388 Answer: It was executed with a single mouse click. I did not check whether the IP was changed, but I tried to execute it.
1389
1390Nam Sang-wook Q: Is it easy to change the IP?
1391 A: I think it depends on the person.
1392
1393Nam Sang-wook Moon: After we have run the above program, it is easy to operate with a single click of the mouse. We also say that the suspect is executed with a single mouse click on the statement. What does it mean by different people? Does it mean that clicking the mouse is difficult?
1394 Answer: It's easy to run, but I think there is a difference between people searching and finding them. To find the above IP change program, it means that no one can find and search well.
1395
1396Nam Sang-wook: Do the suspects ultimately have the ability to find programs that can change the IP?
1397 Answer: I accidentally found it.
1398
1399Nam Sang-wook Q: Anyway, you entered your keyword directly into Google search, and you actively found it?
1400 Answer: No.
1401
1402Nam Sang-wook Moon: In the previous statement, why did you say that you searched for a program by entering keywords directly, and now you accidentally found it accidentally?
1403 Answer: It is not a reversal of a statement. Superhideip is a coincidence that I clicked one of the tens of thousands of search results in the search result called IP change.
1404
1405 (At this time, a police officer Kwak Dong-gyu was sitting beside Nam Sang-wook's investigator and asked him, "Who did you coach?" Kwak Dong-gyu, as an investigator in the first and second police investigations, I asked him with a smile, "OO, is there something wrong with your mind?" Why did you do that? "But when the investigator did not go as planned, he started to press it like this.
1406
1407Nam Sang-wook Q: Did you spend a lot of time looking for the above program?
1408 A: I do not know that. (A suspect could not remember because there were a huge number of suspects who searched the Internet from time to time.)
1409
1410Nam Sang-wook Q: Do you think the suspects search ability is good?
1411 A: I do not think so. (The suspect stated "I do not have an internet search ability certificate".
1412
1413 At this time, take a break for a while. (At this time, police officers from the police department gathered to discuss the next question.)
1414
1415 (At the time of the investigation, an older investigator (Kim Jin-kwang) said to Nam Sang-wook, "Do you have to turn on your laptop?" Nam Sang-wook said, "I need to turn on my laptop to run VMware." The investigator said to Nam Sang-wook, "Then think carefully and turn on the notebook!" Nam Sang-wook went upstairs, and again, from the next investigation, Nam Sang-wook questioned me about the female anatomical image. I guess Nam Sang-wook went to the second floor and manipulated the laptop.
1416
1417Nam Sang-wook Q: I checked the information on cybercrime today with the above IP change program.
1418 Answer: It seems easy to double-click to run the program.
1419
1420Nam Sang-wook Q: What site did you access with the above program running and changing the IP?
1421 A: I do not remember.
1422
1423Nam Sang-wook Q: If you look at the date of installation of the above program, the date of the last access is June 6, 2015. When was the last date used?
1424 Answer: I used it once on the day of installation on July 16, 2014.
1425
1426 At this time, show the observer's photo and picture file (filename: IP address washing method .jpg, any weblock readme.jpg) found on the suspect's notebook and attach it to the end of this article.
1427
1428Nam Sang-wook Moon: The picture file (IP address washing method .jpg) found on the suspect's notebook shows how to download and install the site detour access program which is blocked in Korea. Any weblock readme.jpg Explains how to block access to websites from your computer. Is it possible to keep the above files in order to access some blocked sites in Korea?
1429 A: You were not trying to connect to a blocked site.
1430
1431Nam Sang-wook Moon: How to Wash IP Address Above The .jpg file was created by the defendant's own editing program, right?
1432 A: I've captured and saved the results of searching for "change my ip" on Google.
1433
1434Nam Sang-wook Moon: The suspect has a lot of doubts about IP, asking him to check the IP posted on 4chan.org. According to recent cyber-investigation techniques, IP modulation is very easy, so you can not identify suspects with just one IP. Is not it because I suspect that the suspect has altered the IP or used other means of detouring?
1435 Answer: No. I did not know how to investigate, and I saw the arrest news through IP tracking. (The suspect did not ask for "please confirm the IPs posted on 4chan.org" and asked for the IPs in the news article "I traced the IPs." Of course, There is a number.)
1436
1437Nam Sang-wook Q: There are many ways to change the IP.
1438 Answer: I do not know.
1439
1440Nam Sang-wook Q: What do you usually think about the United States?
1441 A: I am longing for the United States and working for US citizenship and green card.
1442
1443Nam Sang-wook Q: Is Obama Democratic or Republican? (The previous day, the suspect received a long-term investigation of the crime profile, which was not recorded in the memorandum separately from the police investigation. At this time, the suspect had stated that Obama was a Republican in a questionnaire with two crime psychology professors, When the investigator who was observing from the outside tried to search the internet, it was different from the fact, and the police investigation asked this question the next day.
1444 A: As far as I know, Republicans. (The suspect responded to the investigator after commenting in advance that the criminal psych profiler was a question yesterday, but the statement did not record this statement.)
1445
1446 At this time, using a smartphone search through Wikipedia, Obama will show the suspect that he is a Democrat.
1447
1448Nam Sang-wook: Why did you think Obama was a Republican?
1449 A: I do not know about American politics. (The suspect stated "not interested in American politics." The suspect, when the investigator came to the conclusion, "presumed Obama as a Republican because the northern United States, where the liberation of black slaves began, is the base of the Republican Party." But did not record.
1450
1451Nam Sang-wook Q: Is Democratic Party more progressive than Republican Party?
1452 A: I do not know that.
1453
1454Nam Sang-wook Q: Do not you know that you are interested in politics?
1455 A: I do not know about American politics. (The accused stated that they are "interested only in domestic politics.")
1456
1457Nam Sang-wook Q: What do you think about Obama?
1458 A: I think he is respected as the first black president in the United States.
1459
1460Nam Sang-wook Q: Is the image of a monkey synthesized by Obama and Michel synthesized by the suspect?
1461 Answer: No. Downloaded. (I suspect the suspect downloaded the 4chan watermark below the photo.)
1462
1463Nam Sang-wook Q: Where did you download the above file?
1464 Answer: I downloaded it from 4chan. (I suspect that the suspect downloaded the 4chan watermark below the photo and downloaded it from 4chan, but in some cases the source was downloaded from a non-4chan location because it was downloaded from Google's search results.)
1465
1466Nam Sang-wook Q: What is the above picture?
1467 A: This is a picture of Obama as a monkey.
1468
1469Nam Sang-wook Q: Why did you download Obama's image and say that he saved it on the suspect's computer?
1470 At this time, the suspect trims. (Because the suspect was unable to eat and sickness came up inside.)
1471 Answer: I have downloaded it in order to utilize the background of the person who made the picture above as a material for writing criticism.
1472
1473Nam Sang-wook Q: Did you write criticism on your blog?
1474 A: I would not have. I do not know for sure. (The suspect later downloaded the photo because he was going to write if he had time.)
1475
1476Nam Sang-wook Moon: I have a bad feeling about Obama. Did not I download the photo above?
1477 Answer: No.
1478
1479Nam Sang-wook Q: Is not it a fun thing to write because I have not written any articles?
1480 Answer: No.
1481
1482Nam Sang-wook Q: Is it fun to look at the pictures of Above Obama?
1483 Answer: Disgusting.
1484
1485Nam Sang-wook Moon: I told you that Obama's photographs are disgusting, but if you do not write related articles, should not you? Why did you keep it?
1486 Answer: I will use it later when I write again. (When the suspect tried to write, he kept it on his laptop because he could not find it on the internet.)
1487
1488Nam Sang-wook Q: What do you think about black people?
1489 A: I think that black people are the same person and call themselves black people themselves. (The suspect thought that the sword should be replaced with the word 'African American' with the word 'black', because it is a racist word.)
1490
1491Nam Sang-wook Moon: The suspect is very clear about the above question. What belief do you have about racism?
1492 A: Racial discrimination is an ideology by some white supremacists. This includes blacks and asians. Therefore, Koreans can also be victims of racial discrimination.
1493
1494Nam Sang-wook Q: Does the suspect think that I am logical and reasonable?
1495 Answer: I only believe in evidence as much as possible.
1496
1497Nam Sang-wook: By the way, why did you say you did not commit the crime while trusting all the results of computer digital evidence analysis?
1498 Answer: The superhidip is a bit less reliable.
1499
1500Nam Sang-wook Q: Even if you have a friendly feel for the US in general, can you think of it as bad for Obama?
1501 A: Because I work for US citizenship, I do not think separately. (The suspect described the police investigator as "honoring Obama, the first black president," but did not record it.)
1502
1503Nam Sang-wook Q: Have you read a lot of articles about Obama?
1504 A: I have not read much. (The suspect had not read much of the article because he was not interested in American politics.)
1505
1506Nam Sang-wook Q: What do you think about Obama's attack on the terrorist group of is?
1507 A: The attack on the terrorist group is an absolute support.
1508
1509 At this time, the suspect was found in the OO notebook. The brain was blurred, the woman was naked in the grass, the body was naked, the child was naked, the anus was opened with his fingers, , A picture of a child with a knife in his stomach, a picture of inserting a male penis into the anus, a picture of autopsy of the body's head and abdomen, a picture of the body's eye, a picture of the body's head, A photo of a woman showing her blood in her pussy, a photo of a woman showing a broken thorax, a picture of a woman's head being cut off, a picture of a woman's penis, a penis, Two men are fingers of a child's penis, a picture of a woman cutting her head in the body, a picture of a Korean flag in her bowel movement, a picture of her lower body cut off, A photograph of a woman's legs being cut off, a picture of a woman dropping blood, a picture of a man shaking a manpower in North Korea, a picture of Kim Jong Il, a picture of a witch in the body, a picture of Kim Jong Il with children , A photo of women wearing surgical gloves and a woman's anal opening, and showing them at the end of this paper. (The investigator tried to express the meaning of each photo in the blank space on page 591 as much as possible.) The suspect said, "With this kind of investigation, If there is anyone passing by, it is a psycho pass. "
1510
1511Nam Sang-wook Moon: A total of 35,438 picture files (extension jpg, png) were stored on the suspect computer. About one quarter of them were stored. As shown to the suspect, many female anus pictures and body pictures Why was the above picture file stored on the suspect computer?
1512 Answer: I was interested in death, so I downloaded the above photo, and the woman's anal photo was downloaded because it was porn. Nam Sang-wook, a cyber investigator who led the interrogation process from the third police investigation, said, "I am guilty only by possession of the above photo file. I can add more charges that I did not prosecute." He threatened the suspect to feel frightened, I went ahead.)
1513
1514Nam Sang-wook Q: Is the suspect file taken by the suspect himself?
1515 Answer: No. I downloaded it from the Internet.
1516
1517Nam Sang-wook Q: Where did you download the Internet?
1518 A: Google has searched the website for porn related words, and body pictures have also found and downloaded websites based on the results linked from the porn sites. (All the suspects could not remember.)
1519
1520Nam Sang-wook: How do you feel when you look at a photo file like this?
1521 Answer: I am not happy, but when I receive the AP Reuters communication at KBS, I get a lot of cruel pictures. So it seems that I became more interested in the above picture.
1522
1523Nam Sang-wook Q: Then, did you become interested in the above pictures while working at KBS?
1524 Answer: No. After leaving KBS, the pace began to change pessimistically.
1525
1526Nam Sang-wook Q: What does it mean to be pessimistic?
1527 A: I know Nietzsche is pitiful.
1528
1529 At this time, (the investigator did not record "Attorney Park Chul-Hyun"), I checked the dictionary of pitfalls with a smartphone and said "I hate the world and see everything as dark and negative" Show it to the suspect. (The lawyer Park Chul-hyeon, who has been silent, searches for his smartphone and handed his smartphone voluntarily even though the investigator did not ask for it. In the prosecution investigation, Park Cheol-hyeon counseled the suspect along with the prosecution attorney I stood in the position of.
1530
1531Nam Sang-wook Q: Is the above dictionary definition meaningful to the suspect?
1532 A: What I'm talking about is the content of a longing for death.
1533
1534Nam Sang-wook Q: So, did you post a statement to the Blue House about suicide?
1535 A: That was to insist my position for political purposes.
1536
1537Nam Sang-wook Moon: Have you ever tried to die?
1538 Answer: No.
1539
1540Nam Sang-wook Q: So what do you do about death?
1541 Answer: Yes, yes.
1542
1543Nam Sang-wook Q: I think it would be insulting to killing a person if I often see the above picture. What is the opinion of the suspect? (The cyber investigator, Nam Sang-wook, asked the cyber criminal investigation team to expand the scope of the investigation, and tried to prove the suspect's allegations until the murder of the US-based cyber criminal investigators. )
1544 A: I do not know that.
1545
1546Nam Sang-wook Moon: For ordinary people, I do not think I will download unnecessary downloads to my computer even if I see pictures like this once or twice in curiosity. The reason why I downloaded and stored hundreds of such body photographs What is it?
1547 A: It's a habit to download.
1548
1549Nam Sang-wook Q: How do I download it?
1550 Answer: Click the right mouse button to save.
1551
1552Nam Sang-wook Q: Where do you store it?
1553 Answer: Save on your desktop.
1554
1555Nam Sang-wook Moon: Do not you be surprised when you see a picture of a body above a desktop?
1556 Answer: The desktop is not surprised because it does not have a preview function. (Windows XP does not have a preview on the desktop.)
1557
1558Nam Sang-wook: Then, in Windows Explorer, can I preview my desktop picture?
1559 A: I do not even see my desktop by using Windows Explorer.
1560
1561Nam Sang-wook Q: Do I have to use Windows Explorer to work on my computer?
1562 Answer: Use it occasionally. (The police cybercrime investigates and inquires about the computer usage habits of the suspect more than the result of the evidence analysis.) It is suspected that the investigation of the civilians through the hacking of the police before the police seizure.
1563
1564Nam Sang-wook Q: Why do you download only a woman's body image, mostly a female body image, and a male body image is rarely identified?
1565 Answer: There is no particular reason. (Because netizers prefer female body images to male body images, there are more female body images on the internet.)
1566
1567Nam Sang-wook Q: Is not it because of hostility to women?
1568 Answer: There is no hostility.
1569
1570Nam Sang-wook Moon: But why do most women only download photos of women? (I repeatedly asked the question the investigator did.)
1571 Answer: There is no special reason. (At this time, the investigators of the investigators including Kwak Dong-gyu, who also had a visit to Nam Sang-wook, gave examples of experiences such as the autopsy of the twin baby corpse and the autopsy of the pregnant woman's body. Acknowledgment of appropriate behavior.
1572
1573Nam Sang-wook Q: Do you know about the suspects viewing such photos and storing them on the suspect's notebook?
1574 A: You do not know.
1575
1576Nam Sang-wook Q: How do you feel about your parents?
1577 A: I think I should get a family register. (At this time, investigators and police officers laughed aloud.)
1578
1579Nam Sang-wook Q: Have you ever posted the above file to another Internet site?
1580 Answer: Not at all.
1581
1582Nam Sang-wook Moon: In the meantime, if you look at the suspect's statement, you have downloaded it to post on blogs such as Obama's photographs. Did not you download the body photos for posting or posting?
1583 A: The body is not the subject of my blog.
1584
1585Nam Sang-wook Q: What is the subject of the suspect blog?
1586 A: My blog topic is thoroughly political.
1587
1588Nam Sang-wook Moon: In the picture of the female body above, the file name is 'cute-dead-girs-random number'. Does the suspect think that the female body image is cute?
1589 Answer: No. That's not what I made the file name, it's the filename, and I think it's crazy if I think it's cute. (The suspect stated, "The file name was downloaded from the Internet.")
1590
1591Nam Sang-wook Q: So what do you think about who posted the picture of the body above?
1592 Answer: I did not see that the above picture was uploaded on the Internet.
1593
1594Nam Sang-wook Q: Is the above body picture a real body picture?
1595 A: I do not know if I am authentic.
1596
1597Nam Sang-wook Q: How did you find out about the sites that have photos like this on the Internet?
1598 Answer: I ran through Google.
1599
1600Nam Sang-wook Q: Do you usually do a lot of searches on Google?
1601 Answer: I do a search on Google, and I use it to study with Google.
1602
1603Nam Sang-wook Q: Does the suspect have any bad memories about the anus?
1604 Answer: Yes, yes.
1605
1606Nam Sang-wook Moon: According to the complaint filed by the Ministry of National Defense, the suspect was raped by a subordinate and the police officer put the penis in his mouth about 20 times and shook it about 20 times. Did the platoon commander put the penis in the anus?
1607 Answer: Yes, yes.
1608
1609Nam Sang-wook Moon: Do you really have 20 shakes?
1610 A: I do not know that.
1611
1612Nam Sang-wook Q: Why did you write 20 times?
1613 A: At that time, I thought so. (The suspect was estimated 20 times at the time.)
1614
1615Nam Sang-wook Q: Is not it possible to write false content in the complaint?
1616 Answer: Yes.
1617
1618Nam Sang-wook Q: Is not it possible to describe 20 times if there is a basis or a memory for any certain number of times? If not, will the Ministry of Defense be able to deal with it later?
1619 Answer: I did not set the number of times clearly.
1620
1621Nam Sang-wook Moon: I have a bad memory for anus. I only store a female anal picture on a separate computer and say to the White House: "I was tired of wearing a suture costume and doing masturbation. I'm going to rape my fourth daughter, Natasha, in the anus. Because it seemed to be a more polite way to ask. I think that the anus of the second daughter is more resilient than the anus of Malia (the first daughter), so I should get permission from the parents before I feel black anal. "
1622 Answer: No.
1623
1624Nam Sang-wook Q: How did you find out that your second daughter's anus was more resilient?
1625 Answer: No.
1626
1627Nam Sang-wook Q: For what reasons did you keep the photo file with stool on Taegeukgi?
1628 Answer: I saved it to write a criticism against contempt of the flag. (The suspect stated "in order to criticize the act of insulting the flag, the photograph was saved.")
1629
1630Nam Sang-wook Q: Do you have any material to prove that you wrote a blog?
1631 A: Currently, this is not possible.
1632
1633Nam Sang-wook Moon: What did you think about the photo above (photo with stool on the flag)?
1634 A: In this way, blaspheming the country itself was considered insipid. (Investigator erroneously recorded 'national flag' as 'country'.)
1635
1636Nam Sang-wook Moon: Do you have any photos posted on 4chan.org with stool on the top?
1637 Answer: I do not know. (The suspect stated to the investigator that "the posts posted on 4chan are not posted on 4chan unless they are on the blog because they post the same on the blog," but did not record it in the dossier.)
1638
1639Nam Sang-wook Moon: The suspect is stating that the adverse statement is "I do not know".
1640 Answer: I do not judge whether it is a favorable or an unfavorable question, and I do not remember what I do not remember. (The accused stated "not to judge" but not "to judge.")
1641
1642Nam Sang-wook Q: For what reasons did Kim Jong Il and Kim Jong Eun photographs and North Korean artifacts be stored on the suspect computer?
1643 Answer: I downloaded it as a material to write a critical article about Kim Jong Il, Kim Jong Eun, and Kim Il Sung.
1644
1645Nam Sang-wook Q: Did you write the above criticism?
1646 Answer: I am not sure, but I would have written it.
1647
1648Nam Sang-wook Q: Do you have any material to prove?
1649 A: There is currently no documented evidence.
1650
1651Nam Sang-wook Q: What do you think about North Korea?
1652 A: North Korea is a Republic of Korea.
1653
1654Nam Sang-wook Moon: In the text of the intimidation article, "I hope to penetrate the anus of black people before I was killed by Kim Jung Eun" is posted. I usually read Kim Jung Eun's photo, Posted?
1655 Answer: No.
1656
1657Nam Sang-wook Q: Do you often get things that you do not remember well?
1658 A: Two years ago, but not now. (The suspect stated, "Two years ago, when I was working before 2013, I was drinking and the film was broken.")
1659
1660Nam Sang-wook Moon: 7. 20. At the time of the investigation, I posted the following message in the Cheong Wa Dae and the National Newspaper: "I will commit suicide" and "I will demonstrate". In the past, I remember correctly, 7.7 at the time of the crime. And 7.8. The contents do not remember exactly what we did. Does the suspect just state that he wants to remember what he wants to remember and does not know what he does not want to remember? (The military rank of the suspect is the sergeant, and in the complaint, only the name of the subcommittee is listed, not the elder sibling.)
1661 Answer: No.
1662
1663Nam Sang-wook Q: So why do not you remember the recent events?
1664 A: I have lost the concept of time because the same life repeats itself.
1665
1666Nam Sang-wook Moon: 7.7. And 7.8. At the time of the crime, I drank a lot of alcohol and posted blackmail in the White House.
1667 Answer: No. (The police 's claim is different from the fact that "I drink a lot and the film is broken.")
1668
1669Nam Sang-wook Q: When exactly did you find out about 4chan.org?
1670 A: I do not know the exact time, but I got to know it in the early 2000s. (I'm not sure, but the suspect did not know 4chan early on.)
1671
1672Nam Sang-wook Moon: According to the Seoul Central Police Agency's cybercrime investigation report, http://helpkorea.blogspot.kr, http://fuckingkorean.blogspot.kr, http://unicefusa.blogspot.kr, http://antihufs.blogspot.com, http://plus.google.com/112036166079289779835/posts, http://ihatekorea.blogspot.com, http://helpmeusa.tumblr.com, http: // jeolladian. It is confirmed that there are 10 blogspot.kr, http://helpmeusa.egloos.com, and http://sangpyenyeo.blogspot.kr. In the above suspect blog, the suspect Citibank account (370-07421-268-01) ID helpme@usa.com was listed. Is it a blog operated by suspects?
1673 Answer: Yes, yes. (The alleged "http://plus.google.com/112036166079289779835/posts" was an unknown number in the address.)
1674
1675Nam Sang-wook Moon: When I translate the blog url address into http://ihatekorea.blogspot.kr, http://antihufs.blogspot.kr, I hate Korea, I am anti-foreign language, how much I hate Korea and foreign language is anti ? (The next questioner turned to the monitor that was writing the dossier, showed the suspect the blog screen, and told me what was posted before the answer.)
1676 A: This site was created to discuss the absurd aspects of Korean society, unreasonable aspects. Korea does not like it or hate it, and has opened antihufs.blogspot.com to post content for criticizing Lim Soo-kyung. (The investigating officer also knew that there were so many articles posted on the suspect's blog that he could not remember it, and he showed the blog to be quoted in the statement, but the record did not record the act of the investigator. The reason was simply to preempt the blog name, but there was also the intention to prevent them from being exploited by others for malicious purposes. "However, the investigators did not acknowledge the sincerity of the suspect)
1677
1678Nam Sang-wook Q: Was the suspect planning to study in France?
1679 A: I was studying in France or studying in the US.
1680
1681Nam Sang-wook Q: Was the suspect considering foreign immigration?
1682 A: It was the next best thing if you were not studying in France or studying in the US. As soon as the suspects were released from the detention center as a bail, the lawyer Kim Yong-min attending the trial after the lawyer Park Chun-hyun filed a number of documents including the admissions documents from the US university and the contract documents received from the immigration company. Submitted.)
1683
1684Nam Sang-wook Q: Why are you considering foreign immigration?
1685 A: I do not want to send troops to my child.
1686
1687Nam Sang-wook Q: Why are you posting on more than 10 blogs?
1688 A: It was a diary purpose for my political opinion. (The suspect described it in the sense of "It was a leisure time to cool my head while studying.")
1689
1690Nam Sang-wook Q: Why are you posting a lot of articles on the above blog?
1691 A: In the early days, I wrote articles of political beliefs that many people would read and write to, and later to post political articles. (Kwak Dong-kyu investigated how much the suspect had received the donation, and the suspect said, "It is all about donation of 20,000 won, try tracking your Citibank account.") After giving up, studying the blog in French, I changed my mind to use it for leisure. "But the investigators did not record it in the dossier.)
1692
1693Nam Sang-wook Q: How do Internet users respond to the blog of the suspect?
1694 Answer: No comments.
1695
1696Nam Sang-wook: Do you increase the number of visitors if you post interesting and exciting posts on your blog?
1697 Answer: No.
1698
1699Nam Sang-wook Q: What do you think if you write hard and the number of visitors does not increase?
1700 A: I do not care. (The suspect is blogging for hobbies and leisure purposes.)
1701
1702Nam Sang-wook Q: What is the position of the suspect in Internet cyber?
1703 Answer: There is almost no presence.
1704
1705Nam Sang-wook: Do the suspects work only at home rather than at home?
1706 Answer: Yes, yes.
1707
1708Nam Sang-wook Q: Do you want to get attention from others on the internet because you are not doing outside activities?
1709 Answer: I am interested in seeds in jargon, but I am not interested in seeds. (The investigator records the word 'jargon' that the suspect has not written in the record.)
1710
1711Nam Sang-wook Moon: I want to get interested in the White House and posted a blackmail message.
1712 Answer: No.
1713
1714Nam Sang-wook Moon: But why did you post to 4chan.org?
1715 A: I did not post it on 4chan.org.
1716
1717Nam Sang-wook Moon: "If you look at Ripper's intimidation article," I declare President Terror to Obama. Is not it a beautiful night? "The suspect is mostly at night? Is it really a beautiful night? What do you think about this phrase?
1718 A: I do not know that.
1719
1720Nam Sang-wook Moon: The threats posted on the white house's homepage on the suspect's laptop, the file capturing the original text, the file captured after the completion of writing in the White House (Thank you), the trace of viewing the captured file, 4chan.org site to post the original text of the intimidation, again capturing the above posted article, the trace of the above capture file was clearly identified by the time order, but the suspect has not posted, did not acknowledge Why?
1721 Answer: I have not posted.
1722
1723Nam Sang-wook Moon: So the suspect's parents or sister posted the article?
1724 A: My parents are not related to my sister because the notebook is what I use.
1725
1726Nam Sang-wook Q: Is it not your parents, your sister or the suspect?
1727 Answer: No. Please consider the possibility of hacking. (The parents of the suspect and lawyer Park Chul-hyeon said, "The traces of the hacking were found on the suspect's notebook and should be stated in the police investigation." However, the police spread the statement to the press and said, "The suspect is a third- (KCNP News, Internet News Article), "and said," It is the people who say that our house cat is the key to the keyboard "I was tortured and blamed for everything I had never experienced before."
1728
1729Nam Sang-wook Q: What hacking program do you mean?
1730 A: I do not know that either.
1731
1732Nam Sang-wook Moon: Have you ever been hacked?
1733 Answer: I have never been hacked.
1734
1735Nam Sang-wook Moon: Although the suspect clearly remembered his activities during his military service and his posting on the Blue House and the National People's Magazine last year, he continued to lie about the fact that he did not remember his post on the White House site What is it?
1736 A: I never lied. (The investigator responded briefly to each case when the suspect responded.) The suspect responded to the complaint posted in the Blue House and the National Census Bureau by postal mail from the person in charge and kept the post and reply to the post I remember because I had saved it on my blog, and the suspect consistently said "I did not post it" about whether or not to post the blackmail in the White House, and did not say "I do not remember."
1737
1738Nam Sang-wook Q: Does the suspect usually lie well?
1739 A: I can not lie.
1740
1741Nam Sang-wook Moon: I do not recall an important important question. What do you think about the fact that the investigator seems to admit that he posted the article?
1742 Answer: I did not remember, so I made the statement as above.
1743
1744Nam Sang-wook Moon: If I do not remember, can I drink and not remember?
1745 Answer: Not. I think there are multiple factors.
1746
1747Nam Sang-wook: You may not remember a lot of alcohol at the time of the crime?
1748 A: I did not have to break the film because I drank a lot of alcohol.
1749
1750Nam Sang-wook Moon: At the time of the seizure search, I drank a lot of alcohol and stated earlier that I remember faintly. Then you can not remember it because you drank a lot of alcohol at the time of the crime?
1751 At this time, the suspect shakes his head and thinks for a moment. ("I can not remember" is not the word "I do not remember.") The guiding question of the investigator was not logical, so the look of the accused was not understood by the guilty pleasures of lying, I did it.)
1752 Answer: I do not know.
1753
1754Nam Sang-wook Q: What do you think about the fact that the suspect is being denied even though the evidence is clearly revealed by the computer analysis program Encase? Is it a reasonable answer to state that you do not remember well?
1755 A: I do not know because people are beyond their abilities. (The accused stated earlier that "the access time analysis results of SuperHideIp are different from the truth and the credibility of the Encase program is poor.")
1756
1757Nam Sang-wook Q: How did you keep all two of them on the suspect computer, not one of them? What do you think of that?
1758 Answer: I guess that the two intimidation posts are not considered to be much difference, it is estimated to have been uploaded continuously.
1759
1760Nam Sang-wook Moon: The Obama intimidation article is about 6 hours difference on July 7, 2015, about 7:20 pm, and Repert's intimidation article is about 7.8 02:26. Is it?
1761 Answer: I was wrong. (The suspect believes that two blackmails may have appeared in the same search result at the same time.)
1762
1763Nam Sang-wook Q: What is your relationship with your parents?
1764 A: I have a good relationship with my parents.
1765
1766Nam Sang-wook Q: Did your father train hard?
1767 Answer: It was not severe. (The suspect responded with a lawyer, Kim Yong-min, "I played with my father and BB gun at a young age.")
1768
1769Nam Sang-wook Q: What is your father's job?
1770 A: I was a teacher, but I retired this year.
1771
1772Nam Sang-wook Q: Have you ever been beaten by a father when you were a child?
1773 Answer: It is number 1 and nothing else. (The suspect responded to the investigator "I was hit one time.")
1774
1775Nam Sang-wook Moon: Are you sure?
1776 Answer: Ask your father.
1777
1778Nam Sang-wook Q: Do you depend on your parents for everything?
1779 A: I do not depend on you.
1780
1781Nam Sang-wook Moon: In the case of seizure search and emergency arrest, the accused lie down in the room with only panties, and an investigator in Seoul Metropolitan Police Agency explains about two or three hours to arrest her father and mother dozens of times, In case of an emergency arrest, the suspect said, "What does your father say? Did your father agree to an emergency arrest? "
1782 Answer: Yes, yes.
1783
1784Nam Sang-wook Moon: If my father was arrested urgently and the police officers told me to go away, was he going to go on his own?
1785 A: If my father told me to go, he would not have responded. (The police claim that the suspect had been drunk and had a crush on him, but the suspect said he tried to arrest the police officers without revealing that they were police officers, and that he resisted knowing that they were bullets. The family of suspects filed a complaint with the Human Rights Commission that the police had violated human rights during the search and arrest of the police, but both the inspection office and the NHRCK I was ignored.)
1786
1787Nam Sang-wook Moon: You have to judge yourself. Why did you ask your father about it?
1788 A: I was scared because I had more than 30 people in the situation. (The suspect lied on the bed and felt frightened when he covered the bed.)
1789
1790Nam Sang-wook Moon: At that time, 9 to 10 people went to the suspect, and the suspect was lying for four hours at the time of the search.
1791 Answer: I also had a hangover, and it was annoying to be honest. Kim Kyung - hwan, a cyber investigator who participated in the emergency arrest, said to the accused who was lying in bed, "Because of you, 10,000 people suffered from a night spent for a week.
1792
1793Nam Sang-wook Moon: But when my father says he does not agree, the suspect kept lying in bed?
1794 Answer: Yes, yes.
1795
1796Nam Sang-wook: Can the suspect be able to do it alone without the will of his parents?
1797 A: I do not know for sure, but I think it is natural to ask for help if you get caught up in a crisis situation. (Here 'help' means 'family help.')
1798
1799Nam Sang-wook Moon: The suspect brother is living alone as a self-employed person, right?
1800 A: I'm working in Ansan.
1801
1802Nam Sang-wook: Why is the suspect unable to live independently like his brother?
1803 A: I spent two years in college, but I have difficulty getting along with my parents.
1804
1805Nam Sang-wook Moon: What part was difficult?
1806 Answer: It was hard to eat food.
1807
1808Nam Sang-wook: Do you have any reason to tell the suspect when your father visits the jongno police station, "Do not succumb to the police's remorse." (Based on the fact that the investigator had eavesdropped on the suspect.
1809 A: I will not answer the above questions. (The suspect stated, "I will not reply to the fact that I have been tapped." The questioner, Nam Sang-wook, of the Cyber ​​Investigation Team who answered these answers was quite puzzled and omitted the "tapped facts".
1810
1811Nam Sang-wook Q: Does the suspect have his father's instructions unconditionally?
1812 Answer: Half. Sometimes it is unconditional and sometimes not.
1813
1814Nam Sang-wook Moon: Suspect What is your current age?
1815 A: OO year old Korea is 34 years old.
1816
1817Nam Sang-wook Moon: Do you have a separate computer for your father?
1818 Answer: Yes. There is a separate computer.
1819
1820Nam Sang-wook Q: Do you work with your dad computer a lot?
1821 A: I do not know that. (The suspect stated "My father hates my father so much that I do not use it often", but I did not record it in the dossier.)
1822
1823Nam Sang-wook Moon: All the evidence is clear, and a warrant for seizure of the suspect's residence was issued by the judge, and the emergency arrest was approved by the prosecutor. The suspect was given the opportunity to conduct an actual arrest warrant, What is the reason why I do not remember the suspect himself?
1824 A: I do not think so. (The investigator provided false information in order to pressure the suspect, the suspect read the documents presented by the police officer of the police investigation about the reasons for the arrest warrant issued by the judge at the detention center after the probation officer or the detention warrant, The suspect already knew that the judge had been convicted and did not issue because of all the evidence that was evident because of the concerns of escape and evidence of extinction.
1825
1826Nam Sang-wook Question: Who gave the answer to the above?
1827 A: I have never been influenced by external influences.
1828
1829Nam Sang-wook: Do not you think your actions are wrong? (The investigator suddenly questioned the judge.
1830 A: I certainly did not post it.
1831
1832Nam Sang-wook: Even now, I would like my parents to tell me the truth about what I have done, to seek good fortune and to live hard. What do you think of the suspect?
1833 A: I do not think I should cover the truth.
1834
1835Nam Sang-wook Moon: Anyone can make mistakes, do not you think you can correct mistakes?
1836 A: I can not make mistakes because I did not make mistakes.
1837
1838Nam Sang-wook Moon: Looking at the s.txt file found on the suspect's notebook, the text file says, "I'm going to kill the Ambassador Repert by penetrating the US Embassy. Obama kidnapped my little daughter and I will rape my anus. "Why did you list the above?
1839 A: I do not know the keyword on the internet Google but I check the phrase on the website that I have searched for and copy it to s.txt. I copied and pasted it to a file. (The suspect did not know exactly where the Web site was located.) The investigator kept a record of the suspect's response long without a comma in the record, making it look like an excuse, and the meaning changed depending on where the reader was resting.
1840
1841Nam Sang-wook: Did not you post Obama and Repert's intimidating articles in the White House by referring to the threats listed in the above s.txt?
1842 Answer: No.
1843
1844Nam Sang-wook Moon: Looking at the above s.txt file, two emails used in blackmail, isshufs@gmail.com, Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea, 130-791 Posted by Lifee Iss Crazzyy, Address Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea, 130-791, Tel + 82-2-2173-2062 , Twitter https://twitter.com/ISIS_Med The address is listed, was not it planned for the crime?
1845 Answer: No. It came with copying and pasting.
1846
1847Nam Sang-wook Q: In addition, the above text file contains an e-mail isshufs@naver.com which is not used for the crime, and the above e-mail address is not also posted on 4chan.org. How is this e-mail address listed?
1848 A: I do not know.
1849
1850Nam Sang-wook Moon: The intimidation is not written in Korean, but is it a Korean word?
1851 Answer: It is taken from the Internet and copied. (The suspect stated "I copied and pasted it."
1852
1853Nam Sang-wook Moon: And look at the s.txt file. Address, email, phone, fax number is "
1854 - Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea, 130-791
1855 - Website: http://summer.hufs.ac.kr
1856 - Phone: + 82-2-2173-2062
1857 - Fax: + 82-2-2173-2877
1858 - E-mail: summer@hufs.ac.kr / isshufs@gmail.com
1859 "Format. The above format is not listed in the blackmail, is it listed in the above text file in the above format?
1860 A: It's all copied from the Internet. (The suspect stated "I copied and pasted it."
1861
1862Nam Sang-wook Q: Why was the fax number listed even though the fax number was not used in the crime?
1863 Answer: I do not know.
1864
1865Nam Sang-wook Moon: Foreign language site You could access the summer school site http://summer.hufs.ac.kr and get the phone number, fax, e-mail and save it in the above s.txt file?
1866 Answer: Not.
1867
1868Nam Sang-wook Moon: The suspect has an antipathy to the outsider who is usually his alma mater.
1869 Answer: No.
1870
1871Nam Sang-wook Q: Is the Twitter address https://twitter.com/ISIS_Med imported?
1872 Answer: It came from Google search on the internet. (The suspect stated that they "came together when copying and pasting." Same as the answer on page 585.)
1873
1874Nam Sang-wook Q: How did you search on Google?
1875 A: I do not remember the search term.
1876
1877Nam Sang-wook: Do you usually follow IS?
1878 A: I will not follow.
1879
1880Nam Sang-wook Q: Did you find IS-related pictures on the suspect computer?
1881 Answer: Yes, yes.
1882
1883Nam Sang-wook Moon: And you synthesized the above IS-related pictures and edited the picture to be the same by marking the Hwarangdo and IS in Korea equally with '=' symbol?
1884 Answer: Yes, yes.
1885
1886Nam Sang-wook Q: Do you have an interest in IS?
1887 A: I just got to know the news, but I have no interest. (The suspect stated "I do not follow IS.")
1888
1889Nam Sang-wook Q: Is there any fact that the suspect visited the foreign site http://summer.hufs.ac.kr?
1890 Answer: No.
1891
1892 At this time, we show computer analysis program Encase analysis screen directly to the suspect. At this time, the attorney also looks at the above analysis program screen. (At this time, the investigator changed to cyber investigator Kim Kyung - hwan, wearing black - eyed spectacles at.
1893
1894Kim Kyung-hwan Moon: Suspect Computer What is 'bureau' in French at the bottom of my document?
1895 Answer: This is a term for desktop.
1896
1897 The suspect was surrounded by police officers who had been excited for a long time and was subjected to a coercion investigation that he had seen during the military torture film during the military regime of the 1980s. The list of filenames listed shows one by one from the top and goes down one by one. "What is this?" When the suspect did not know, Kim Kyung-hwan cried out loudly, "Why do not you know?" 4 to 5 investigators came into the interrogation room and asked for a high intensity.
1898
1899 At this time, I stopped the investigation for dinner. (The police arrested Park Cheol-hyun, the suspect, and only two people for dinner for a long time.) The lawyer Park Cheol-hyeon repeated the word "confess" to the suspect while eating the two lunch boxes, In the conversation police intercepted, the suspect questioned the blood type of Park Cheol-hyun and answered that he was AB-type, and asked whether he married Park Cheol-hyun's wife because he was pregnant at the time, It was all the congratulations.)
1900
1901 At this time, five pieces of the text file s.txt link file (A0065358.lnk, A0065518.lnk, A0065541.lnk, A0065621.lnk) found on the suspect computer are shown to the suspect and attached at the end of this document.
1902
1903Nam Sang-wook: 7. 20. As described in the 4th meeting, the link file (lnk) is automatically generated when a certain file is executed in the Windows operating system, for example, when viewing the above text file. File and analyze the lnk file to see which file you have opened. The link file creation date and time is the date when the first file is executed, and if you repeatedly execute the same file, the accessed time of the link file changes. The above five link files are link files that are automatically generated by running the s.txt file on the suspect computer. Checking the creation date and the modified date and time (Accessed time)
1904 1) A0065358.lnk 2014. 9. 10. 16:59 (date and time of creation), 2015 7. 7. 14:57 (date and time of access)
1905 2) A0065518.lnk 2014. 9. 10. 16:59 (date and time of creation), July 7, 2015 (date and time of access)
1906 3) A0065541.lnk 2014. 9. 10. 16:59 (date and time of creation), July 7, 2015 (date and time of access)
1907 4) A0065621.lnk 2014. 9. 10. 16:59 (date and time of creation), July 7, 2015 (date and time of access)
1908 And the Obama intimidation article is posted on the White House on July 7, 2015, and the Repert's intimidation article is on July 7, 2015, I read the s.txt file which is written in Hangul on the contents of the intimidation article and write the crime article in the White House on July 7, 2015, I read the file three times on July 7, 21:10, 21:19, and 22:31, and posted a blackmail message about Ripper on July 8, 02:26?
1909 A: I do not know.
1910
1911 At this time, the link file (A0065569.lnk, A0065481.lnk) found on the suspect computer is shown and attached at the end of the document.
1912
1913Nam Sang-wook Q: When I look at the above link file, A0065569.lnk is castration.png file created by browsing on June 7, 2015, and when I check the above picture file, A0065481.lnk is a file created by browsing hufs.png on July 7, 2015. If you check the above picture file, it is a picture of the screen where the foreign language group is searched by Google and the picture of Lim Su Kyung. Have you ever read the above two files in the above list?
1914 A: I do not remember the exact time, but I remember reading two photo files above.
1915
1916Nam Sang-wook Moon: I read about the picture file (hufs.png) on ​​July 7, 2015, and the link file A0065481.lnk was created. The suspect stated that the above picture had memories of reading, and about 50 Minute after s.txt. I have browsed the file and found the link file (A0065358.lnk). Do you remember reading the s.txt file on July 7, 14:57?
1917 A: I do not remember reading. (The suspect stated "I do not remember the exact time.")
1918
1919Nam Sang-wook Question: 7. 7. I have read the s.txt file containing the contents of Hangul at four times in total. Have you ever seen a file?
1920 A: I do not know that.
1921
1922Nam Sang-wook Q: When was the last time you read the s.txt file?
1923 A: I do not remember the last time.
1924
1925Nam Sang-wook Q: Why do you keep denying the crime of reading the text document s.txt, which contains the contents of the Korean text on the intimidation article, four times before the crime was committed?
1926 A: I do not remember whether I read it four times. (The suspect stated "I do not remember the exact number of times.")
1927
1928Nam Sang-wook: I read the blackmail in Korean 4 times before the crime, and the blackmail was posted in the White House since then.
1929 Answer: There is no plan. (The suspect stated "I have never posted a blackmail".)
1930
1931Nam Sang-wook Q: How is your heart?
1932 A: There is no rattling like in the fourth survey.
1933
1934Nam Sang-wook Q: Is the suspect harmed?
1935 Answer: It is unfair. I would like the police to investigate the matter.
1936
1937Nam Sang-wook Moon: Lastly I'll ask. Do you really have access to the White House homepage?
1938 Answer: There is no connection.
1939
1940Nam Sang-wook: Do you have evidence or statements that are favorable to the suspect?
1941 Answer: No. (The suspect stated in the sense of "I can not submit favorable evidence or statements in the present state of detention.")
1942
1943Nam Sang-wook Q: Do you have anything more to say?
1944 Answer: On page 3, "Please ask the police officer to rub your shoulder" is your blood pressure. On page 28, the cruel photographs are downloaded habitually and I regret that I am curious. For the sake of misleading explanation, the child's naked photographs were downloaded from Nudists (naturalists), and the pictures of the baby's penis were cut off to make an essay criticizing the forced ceremony in Indonesia. It was. And I remember that the pictures with the knife in the child's boat are satirical images of the terrorist forces in the Islamic language, and the models in the photographs are pictures taken only by 18 years of age or older. Also, the pictures of blood in the female vagina were to criticize the girl 's forced circumcision tradition, and the picture of the bowel movement on the Taegukgi was to blame the blasphemy of the national flag. In addition, it was to expose the facts of illegal organs extraction and Kim Jung Eun regime. I wish you good judgment.
1945
1946Nam Sang-wook Q: Are all of these statements true? (Despite the fact that there was a lot of blank space in the A4 paper sheet to be printed, the investigator intentionally entered this question in this position to limit the space in which the suspects would state their handwriting. The defendant asked me, "Please give me more space to explain the true meaning of the pictures on page 563," but I was denied, and the suspect has enough of the meaning of the photo. In the written statement, more than half of the 592 pages with this question are blank.
1947 Answer: Yes.
1948
1949 (After finishing the investigation, I asked Nam, "Do you remove the hard copy (or imaging) from the police later?" Nam Sang-wook smiled and laughed, saying, "Yes. Nam Sang-wook did not imagine that the contents of the notebook were useless from the beginning, and did not imagine the prosecution investigation, but also roughly ran the investigation and destroyed the evidence by turning on and off to check the contents of the notebook.
1950
1951
1952
1953
1954 ++++++++++++++++++++ Prosecutor's Office ++++++++++++++++++++
1955
19561st round
1957
1958 At this time,
1959
1960Jung Guk Q: Is the suspect punished?
1961 Answer: No.
1962
1963Jung Guk Q: Has the suspect described his / her educational background in the police?
1964 At this time, record 277 ~ 295 shows a police document prepared by the suspect.
1965 Answer: Yes. I have stated the truth.
1966
1967Jung Guk Q: What is the education and experience of the suspect? (The prosecuting attorney handed the police investigation report with the record of the accused and his experience, and made reference to the statement.)
1968 A: I graduated from Cheongyang Elementary School in 1994, graduated from Kyunghee Middle School, graduated from Kyungbok High School in Hyoja-dong, Seoul, Korea in 1999, and graduated from Hankuk University of Foreign Studies in 2009. My career has been part-time from around 2011 to around 2013, recording the foreign news from the gas station part-time and KBS stations and delivering it to the editing room. (The investigator has repeatedly questioned the accused on a number of occasions, focusing on his / her last job, position, and duties.) The same question is then sent to the suspect through detention guards and court judges. I studied. I wanted to major in psychoanalysis in France. After studying, I tried to do a private clinic. (The suspect responded to each statement with a short answer or one or two sentences. Unlike the police investigator, the prosecutor's office always included five to six questions and answers, He then read the dossier printed out and pointed out several times that there was a difference in meaning to the investigator, but every time the investigator dismissed it as not being different.)
1969
1970Jung Guk Q: How is your health?
1971 A: I have a slightly higher blood pressure. I was prescribed medicine only at the private hospital when I was in the jongro police station.
1972
1973Jung Guk Moon: Go to the White House homepage of the US House of Representatives on July 7, 20:20, 2015, enter the representative e-mail address used by foreign exchange students attending Hankuk University of Foreign Studies, Do you have any of the following after posting the address of a foreign university? (The prosecution investigator has not been able to figure out the case yet, stuttering throughout the investigation and reading down the questions on the monitor.)
1974 'From: Mr. Dong, Seoul, Korea, Seoul, Korea, Seoul, Korea), Address: Kangwon National University, Korea, 130-791, Damascus', and the following text Message: Dear Mr. President Obama and Mrs. First lady Michelle.
1975 ===========================
1976 Hi.
1977 I'm HUFS student from Seoul, Korea.
1978 How's your president family?
1979 I'm sick of my life cause I always mastervating with tranny prons.
1980 One day, I realize that I'm not going to die like this.
1981 I want to be a famous Korean male in USA history.
1982 Therefore, I am going to anal rape your second daughter Natasha.
1983 Is that okay?
1984 I think that bitch's asshole is much tighter than Malia Ann.
1985 So I need parents permission before the nigger anus.
1986 Do not worry about me: I eat lots of Kimchi so free from AIDS.
1987 I eager to penetrate nigro asshole before I killed by Kim Jung-un.
1988 Thanks.
1989 Answer: I have not posted such an article.
1990
1991Jung Guk Moon: The suspect said, "I am President Obama and Mrs. Michelle. I always get tired of wearing sex dressers and doing masturbation. So one day, I thought I had to do this. I decided to become a famous Korean man in America today. So I'm going to rape your second daughter, Natasha, with an anal. Because it seemed to be a more polite way to ask. I think the anus of the second daughter is more resilient than the anus of Malia (first daughter). So I have to get my parents' permission before I feel black anal. Do not worry about it. I eat a lot of kimchi and are safe from AIDS. I hope to penetrate the anus of black before it is killed by Kim Jung Eun. Thank you. "
1992 Answer: No.
1993
1994Jung Guk Q: Is there any fact that the suspect wrote the above?
1995 Answer: No.
1996
1997Jung Guk: Did not the suspects intimidate President Obama and US First Lady Michelle by listing them as above?
1998 Answer: No.
1999
2000 [Intimidation to Foreign Envoys]
2001
2002Jung Guk Moon: The suspect is on July 7, 2015, 02:26. Is it true that you have access to the homepage of the US White House and posted the following text?
2003 'From: Dr. Korea's Isis One ',' Email: summer@hufs.ac.kr ',' Phone: 82221732061 ',' Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea , 130-791, Damascus'
2004 Message: Declaration Terror to Mr. President Obama.
2005 A beautiful Evening is it?
2006 Right this is the warning message from the Terrorist Attack.
2007 Korea, we're g0ing to re-attack US ambassador Mark Lippert in Seoul.
2008 So last time, my a5sassinator's mind is too weak to cut the ambassador's artery perfectly.
2009 End this time, we have been prepared by a well-trained traditional Cuisine-Professor and kill Him by nuclear poisoning.
2010 Ok? We'll take care of all your political comrades, but surely one by one, until the US army eliminates Bio-Chemical weaons in Korean Peninsular Mother Land.
2011 UltimatuM; 3xects us, our VVIP Archenemy Obama!
2012 LIMFAO, See mark Soon in your After-Life ... ...
2013 : #: #: #: #: #
2014 : # HUFSRO 4ourth 4inger: #: #
2015 : #: #: #:: #: #: #
2016 : #: #: #: #: #
2017 Answer: I have not posted anything.
2018
2019Jung Guk Moon: Describing the suspect as a South Korean student, he said, "I would like to declare terrorism to President Obama. Is not it a beautiful night? This message is a warning of a terrorist attack. We want to attack the US ambassador, Mark Ripert. Last time my assassin 's mind was so fragile that I could not completely break the artery of the US ambassador. At the end of this time, we have prepared a very well trained pro, so we will kill the ambassador with nuclear poisoning. OK? We will slowly and surely kill one of your political comrades ... Until US troops remove chemical and biological weapons from Korea. We will soon meet our greatest Obama, Mark Ripert, in the world. "
2020 A: I have not posted anything.
2021
2022Jung Guk Q: Is there any fact that the suspect wrote the above?
2023 A: I have not written.
2024
2025Jung Guk: Did not the suspects intimidate the Ambassador, Ambassador Rupert, a diplomatic envoy?
2026 Answer: No.
2027
2028Jung Guk Q: Does the suspect save the above documents on the victim's computer?
2029 Answer: Yes. I copied and pasted it on my computer.
2030
2031Jung Guk Q: What is the date and time of copying and storing the suspect in the suspect's computer?
2032 A: I'm sorry, but I do not remember.
2033
2034Jung Guk Q: How about copying and storing it on the suspect's computer?
2035 Answer: I ran a link (I do not know where) through Google search (I do not know what I searched) and put it on my computer.
2036
2037Jung Guk Q: What computer is the suspect's computer?
2038 Answer: The laptop.
2039
2040Jung Guk Q: When did the suspect purchase the notebook?
2041 Answer: I left KBS station to record foreign news and send it to the editing room, then bought a notebook, so I bought it in the first half of 2013.
2042
2043Jung Guk Moon: In fact, the suspect is stating that he is afraid of receiving heavy punishment, even if he puts the same contents as above.
2044 Answer: No.
2045
2046Jung Guk Q: Do you know that a suspect is punished by law if you intimidate others?
2047 Answer: Yes. I know.
2048
2049Jung Guk Q: Does the suspect have a relationship with US President Obama, US First Lady Michelle, US Ambassador Ripert?
2050 A: I have no relationship.
2051
2052Jung Guk Q: Does the suspect have an agreement with the victims?
2053 Answer: There is no agreement.
2054
2055Jung Guk Q: Did you tell the truth?
2056 Answer: Yes.
2057
2058Jung Guk Q: Do you have any more words or favorable evidence?
2059 Answer: None. (If there is no suspect, the investigator told me to write "no" by hand.)
2060
2061Jung Guk Q: Are there any items that are not listed or different from the facts as stated in the memorandum?
2062 Answer: (handwritten entry) None.
2063
2064Second round
2065
2066 At this time, the suspect responded 'I will be investigated under the participation of counsel.' After attending lawyer Park Cheol-hyun, the lawyer showed the suspect's mother's complaint to the suspect and said, Hand it over. (The suspect did not acknowledge the statement "I will be investigated under the lawyer's participation" or "I will not answer.") The investigator said in his own words, "The lawyer is not here." While reading the record after the investigation was completed, he read this record and asked the prosecutor to revise the record because he did not answer the question "I will or will not be investigated under the attorney's participation" "I refused.
2067
2068 The suspect reads the complaint (14: 05 ~ 14: 10) and then submits the complaint, saying "I will submit it to the prosecutor."
2069
2070 Towards the suspect,
2071Jung Guk Q: Has the suspect ever stated the truth before?
2072 Answer: Yes. I have stated the truth. It's what I said.
2073
2074Jung Guk Q: Why is the suspect arrested on the police in an emergency?
2075 Answer: ... I know that the arrest of me was an emergency and the police arrested him.
2076
2077Jung Guk Q: What does it mean to be urgent about the suspect?
2078 A: I think that because of my suspicion of terrorism and the destruction of evidence.
2079
2080Jung Guk Q: What do the charges of terrorism and evidence say?
2081 A: I was accused of terrorism against Ambassador Obama and Repert, and I understand that the police misinterpreted me as a computer expert, multilingual.
2082
2083Jung Guk Q: How many countries do suspects speak a foreign language?
2084 A: English is above the upper middle level, and French is the lowest level among the 6 levels.
2085
2086Jung Guk, a police officer, seized the suspect's residence in a search warrant. During the execution of the warrant, the suspects used a laptop to capture US President Barack Obama's intent to rape his daughter. Capturing the contents of the original text Was not the picture file found and the suspect arrested in an emergency?
2087 Answer: Yes.
2088
2089Jung Guk Moon: The suspect is not involved in investigations until the police seizure of five hours of confiscation, including lying on the bed in his underwear, throwing things at police investigators, Is there a consistency in the very uncooperative and insincere attitude, such as the smile, the smile, the laughing, and the repeated trimming? (It is the subjective judgment of the act according to the difference of point of view of the suspect, and I did not actively refute it because the police insisted that the investigation room was recorded by CCTV, The video that was submitted by the police at the first trial had the amount of interrogation taken.
2090 Answer: ... There is. It was because the wine was a little worn at that time.
2091
2092Jung Guk Moon: Is the Lenovo that the suspect was confiscated by the police at the time?
2093 At this time, records 397 to 398 show the confiscated seizure and confiscation list.
2094 Answer: Yes. Yes.
2095
2096Jung Guk Q: I found MS Windows XP (language: France), time zone was set to 'Paris' in France, and shutdown time was July 13, 2015: 18 (GMT 0), the Republic of Korea is GMT + 9 time zone, and when it is +9 in the above time, it becomes the wonder of July 13, 20:47:18, and the time is the police seize the place of the suspect's residence It is time to check the crime data stored on the suspect computer.
2097 At this time, it shows the time when the notebook was last closed at the time of the confiscated seizure search on the 404th page of the record.
2098 A: I did not see my computer until I was confined to police when I was sleeping. At that time, the police told me that they had these files, but I did not see them.
2099
2100Jung Guk Moon: In analyzing the computer analysis program, in order to check the exact time (the time of the crime committed in Korea) that the file used in each crime was generated, the time band in the above analysis program was changed to Korean National Standard Time (GMT + 9) The analysis was conducted by changing to domestic time. As a result, the last access date of the usa.png file related to the crime was confirmed on July 13, 20:42, What is the date when the above file is opened?
2101 Answer: I initially trusted the evidence of the police case. However, when I suggested that I used the "Superhyde IP" program, which was proposed by the police, as an in-case, I had not used it since June 6, 2015, Lost.
2102
2103Jung Guk Moon: Therefore, even if you set the time of the victim's laptop to the Paris time zone, if you set the Encase program to domestic time, you can check the time that the suspect was committed in the Republic of Korea. When the date of access is confirmed by the seizure time zone, how is the time information confirmed by the above Encase program confirmed to be correct?
2104 Answer: I downloaded the pictures through the Google search engine, and it is possible because of the Google Cache feature. If you have the Google Cache feature, you might be misinterpreting the time, and I'm personally concerned.
2105
2106Jung Guk Moon: The suspect said in the police, "Is not it true that the evidence to trust the Encase program is the evidence that analyzed the time lag where the threatening bulletin was presented by the police as evidence?" The suspect said, . Yes, "he said.
2107 Answer: I initially trusted the evidence of the police case. However, when I suggested that I used the "Superhyde IP" program, which was proposed by the police, as an in-case, I had not used it since June 6, 2015, Lost.
2108
2109Jung Guk Q: Is the suspect allowed to use the confiscated notebook?
2110 Answer: No. I have a password on my laptop and I have not given it to someone else.
2111
2112Jung Guk Moon: Has the accused ever used a confiscated notebook while traveling around?
2113 A: I left it in my house and I used it alone.
2114
2115Jung Guk Moon: The suspect has set a password for the laptop on the police, uses the suspect alone, and says, "I do not know the evidence that the police presented. I do not remember. "I denied the crime consistently. How about it?
2116 Answer: Police showed the name of the picture file in which the English and the numbers were written. (The suspect replied, "The police did not show the photo, but only list the photo files with English and numbers, and when asked if I remembered, I did not remember," the investigator replied.
2117
2118Jung Guk Q: Is there a blog (http://helpkorea.blogspot.kr) operated by the suspect?
2119 Answer: Yes. It is a diary type blog which I made and operated.
2120
2121Jung Guk Q: What do you usually post on a blog run by a suspect?
2122 A: I have described the media in critical terms. (The suspect defines "media" as "political news of comprehensive channels.")
2123
2124Jung Guk Moon: "A woman's penis is photographed and posted on the Internet under the heading" How to make money from one's eyes on the internet (foreign currency acquisition) "on the blog (http://helpkorea.blogspot.kr) operated by the suspect. You can earn money. "Is it true that you posted the following statement?
2125 At this time, the record is displayed on the blog (http://helpkorea.blogspot.kr) operated by the defendant who is stolen on pages 174 to 195.
2126 Answer: Yes.
2127
2128Jung Guk Moon: After completing "(2)" shooting on the blog (http://helpkorea.blogspot.kr) operated by the suspect, that night, Ji Sung-woo calls me as a laundry hanger and can be beaten at the shooting range. And then shaken about 20 times and then assessed in the anus. But I have not been informed of this until January 22, 2005 ... (Omitted below) "" Is it true that you posted the following statement?
2129 Answer: The Ministry of National Defense responded to the contents of the Ministry of National Defense complaint.
2130
2131Jung Guk Moon: In the blog (http://helpkorea.blogspot.kr) operated by the suspect, "(3)" The foreign university changed the minor in chemistry unilaterally without prior notification in 2012, I have been suspected of forgery every time because of the inconsistency in the name of the graduation paper. So, I have been suffering from economic losses since I have failed to get jobs from companies that have supported more than 1,000 since 2012, and I have also been suspected of my academic background and personal credit in my workplace where I worked freelanc ... (Omitted below) "" Is it true that you posted the following statement?
2132 A: In my remembrance, it is the content of my complaint by the Ministry of Education. (In the statement of the suspect, "KBS Fact Confirmation" received by the suspect at the time of retirement is recorded as "part-time" rather than "freelancer." After the expulsion of the suspect, (02-2639-2341), Moon Tae-sung informed the suspect that he was a self-employed person.
2133
2134Jung Guk Moon: If you look at blogs operated by suspects, you can see all the information such as phone number, e-mail address, and address information as foreign-language affiliates. And if you see 'masturbation', 'anus',' I will be poisoned by the poisoning "and the fact that it has been confirmed to have a strong dissatisfaction with foreign language classes.
2135 A: I remember being told to me during a police investigation, and I have not. (When the suspects repeatedly asked the question they had received during the police investigation, the suspect began to make a statement saying, "As I told you during the police investigation," the lawyer Park Chul-hyeon attended to answer the suspect's question " "Park Cheol-hyun, who was a new lawyer at the time of the prosecution's investigation, tried to build up a network with lawyers through his prosecutors for his success. He identified the prosecutors with the lawyer himself, did.)
2136
2137Jung Guk Moon: The suspect is a police officer, on his laptop, 'isis.png (intimidation against Obama)' original file captures file 'usa.png (threat to reporter)' on July 7, "The original document capture file was created on July 8, 2015 at 02:27, and the time of the obsession with Obama was posted on the US White House website on July 7, 2015, The operating system of the notebook is set to the French time zone on the reason that the intruding article is read on the Internet and stored in the computer of the suspect in about one minute of 2015. 7. 8. 02:26 And 4Chan.org site is a US site, claiming that there was an error in time, and stated that it would be impossible to do this in just one minute.
2138 Answer: That's what I said.
2139
2140Jung Guk Moon: After completing the reporter's intimidation on the White House website, the police officer captured the thank-you related webpage about 1 minute after the capture, through the Google Chrome browser, and ran the captured image again After 3 minutes, the original text of the intimidation was changed to file name usa.png, and after 1 minute, it was posted on 4chan.org site, and after about 9 minutes, I read the file generated by capturing and stated that the link file was created on the suspect computer and that the suspect did not understand it because he was not doing the act.
2141 Answer: That's right, but I do not have it.
2142
2143Jung Guk Moon: The suspects are at the police, and the time of the reporter threats posted on the 4Chan.org website is on July 8, 2015, 8. I am not sure about the reason why the time stored on the suspect computer may be faster than the time posted on 4Chan.org at about 02:27, the suspect is not sure, there is a problem with his computer, How is it?
2144 Answer: That's what I said. I remember Google Cache as well.
2145
2146Jung Guk Moon: The suspect stated that he had a computer problem, some malicious code, a possibility of hacking, Google cache. What do you mean by this statement?
2147 A: I am not a computer expert. (The investigator asked me what the symptoms were.) When I turn on the computer, the strange warning window appears squarely normal size. I'm not a computer expert, so let me investigate that, and Google Cache will ask Google Server to cooperate with the investigation.
2148
2149Jung Guk Q: What is the size and content of the alert window? (Actually, the investigator asked, "How many centimeters?"), And the suspect stated "I have never read it and I do not know."
2150 Answer: The warning window is square in size, but I do not know the exact size and the contents of the warning window are not remembered. (The accused never remembered whether the contents of the warning window were written in English or French, and never interpreted it.)
2151
2152Jung Guk Moon: On the computer of the suspect, 1.JPG, 14.jpg, 10.jpg, 8.jpg, 4.jpg, 2.jpg, 1.jg, 18.jg, 5oe254mvhpke.jpg Is it proper to view the file?
2153 At this time, records 323 ~ 331 and 516 ~ 529 show the contents of the photo related to the reporter found on the computer of the suspect.
2154 A: I have not seen anything on July 7, 2015 because I have nothing to see. (Because the suspect studied or slept on July 7, 2015).
2155
2156Jung Guk Q: Why is the suspect storing the files 1.jpg, 14.jpg, 10.jpg, 8.jpg, 4.jpg, 2.jpg, 1.jg, 18.jg, and 5oe254mvhpke.jpg on the computer? ? (The prosecutor showed him the picture files on the monitor he was writing.)
2157 A: This is a collection of articles written to strongly criticize terrorism against the US Ambassador.
2158
2159Jung Guk Q: Has the suspect written a criticism of the usual acts of terrorism?
2160 A: I do not remember the exact time, but there is something on my blog that says it can threaten the alliance.
2161
2162Jung Guk Moon: The suspect reads the reputation related information as above, and the time of the reporter threat photograph is stored on the suspect's computer on July 8, 2015, and the reporter threats Since the time of the posting was around July 8, 2015, the suspect wrote and saved the above article and posted the reporter threatening article on 4Chan.org website?
2163 At this time, record 260 and 251 ~ 256 of the suspect computer file output is shown.
2164 Answer: No.
2165
2166Jung Guk Q: The suspect was on the police at the laptop. The contents of the text (s.txt) file created on April 10, 2014. The text of the file (s.txt) generated by the suspect was the email 'isshufs@gmail.com' , In Korean, 'I will kill Ambassador Ripper by penetrating the US Embassy', 'Obama will kidnap my little daughter to rape my anus', and the Twitter address 'http://twitter.com/' I do not know why the suspect was found about why it was found.
2167 At this time, the record of the defected notebook file is shown on the pages 332 to 335 of the record.
2168 A: I remember that I stated that I copied and pasted through Google Search.
2169
2170Jung Guk Moon: The file related to the crime that was found on the suspect's notebook is listed in chronological order. "(1) The s.txt file is first created on April 9, 2014, and the last access date is '15. On the 12th of July, the above file contains the phrase "Penetration of the US Embassy to Ambassador Ripper, I will surely kill Obama's little daughter to rape my anus" in Korean. Especially, the email used for the crime 'isshufs @ gmail.com, summer@hufs.ac.kr, and the name of the author 'Lifee Iss Crazzyy', the address of the foreign language, etc. "is listed in the form of the suspect, It appears to be in a free format on the file, how is it?
2171 Answer: Not.
2172
2173Jung Guk Moon: In addition, the suspect discovered that the above text document was scanned four times before the crime, and the link file (the file created automatically when the file was executed on the Windows operating system and the extension is lnk) was generated. ?
2174 Answer: I am not a computer expert, so please do a thorough investigation.
2175
2176Jung Guk Moon: In the suspect's notebook, files related to the crime are listed in chronological order by "(2) capturing files (isis.png, usa.png, etc.) directly related to the threats, I caught the screen while writing a message that intimidates the ambassador, and I found that the file name isis.png, usa.png is being saved as "is being saved.
2177 Answer: I downloaded the photo from the Internet and saved it.
2178
2179Jung Guk Q: Where did you download and store the suspects?
2180 Answer: It was downloaded through Google Image Search.
2181
2182Jung Guk Moon: July 7, 2015 The obscene article about President Obama was published in the White House, and the trail of reading the s.txt file in Korean (Isis.png) about 20:21 after 1 minute of crime time (around 20:20) is confirmed on the computer of suspect computer, and also, at 20:21 and 21:19, What happened to the traces of the file being viewed twice?
2183 Answer: I have just browsed the computer and copied it to a text file, and I do not know whether it was read or not.
2184
2185Jung Guk Moon: After the intimidation of President Obama, the same day, 21:38 on the same day, Ambassador Repert reports about the terrorist incident in 18 times, The file created on the suspect computer appears to be very closely related to the crime because it is re-visited about four months later, on May 7, 2015, at 21:38. (Previous surveys found that 15 traces were found.)
2186 A: I have not seen any of the above photographs on July 7,
2187
2188Jung Guk Moon: After the suspects re-read the s.txt file containing the text of the crime, the threat to Ambassador Ripper was posted on the White House website on July 7, 2015, What about the 'usa.png' file created on the White House website at 02:27 on the suspect computer? It seems that the suspect posted a post on the White House homepage.
2189 A: I have not posted.
2190
2191Jung Guk Moon: After continuing to capture the screens of the suspects' computer at the White House using the Google Chrome browser, the archived details were found, How is it?
2192 At this time, the record of the suspect computer file is shown on page 260 of the record.
2193 Answer: I did not capture it, but I downloaded it from Google.
2194
2195Jung Guk Moon: The suspects (3) The intruding article In addition to this, I visited the US White House website twice on May 24, 2015. I captured the screen while I was writing about black beauties using the Google Chrome browser, I have captured the screens that were shown at the completion of the process, and I caught the screenshot of the White House at the White House on June 25, 2015.
2196 At this time, we show the additional declaration data which is stitched on the record page 198 ~ 204.
2197 A: I did not write it, nor did I post it. It was downloaded through Google Search.
2198
2199Jung Guk Moon: The suspects (4) were found to have been photographed as monkeys by President Obama and Mrs. Michel, on June 25, 2015 before the commission of the crime. What happened after the crime was confirmed around 00:35?
2200 At this time the record shows the printout of the stolen suspect notebook file on page 596.
2201 Answer: This photo was downloaded through Internet Google Search, and I have not seen it more than once.
2202
2203Jung Guk Moon: The suspect is (5) In the photo related to the anus and the girl child nude, the suspect wrote the article to intimidate the second daughter 's anus in the Obama presidential intimidation article. Obama' s second daughter is 14 years old, There was a large number of photos of an anus on the laptop used by the suspect. The last visit was on July 13, 20:46. Especially, the word 'anal' was used 5 times in the blackmail, 6. 6. I have read about it, 7. 8. I have also stored it on my computer,
2204 At this time, the record of the defected notebook file is shown on pages 609 to 664 of the record.
2205 A: This photo is an illegal long-term trafficking, or an additional collection of materials to write about the North Korean regime. (The suspect downloaded the picture files and did not watch it more than 2 times.) In the Windows operating system, when the picture file was moved without moving the picture file, I tried to submit a proof of the screen shot by a smartphone, but Yongmin Kim refused to accept the video without seeing it.
2206
2207Jung Guk Moon: The suspect stated in the police that the photos of Reuters Terror taken on the suspect's computer just before the crime were all read by the suspect.
2208 A: I downloaded and saved the photo, but I do not watch it more than once.
2209
2210Jung Guk Moon: The police suspect that the police are underestimating women and that it is better to have sex rather than socializing with women, and that "I always have sex with a bastard and masturbate "(The suspect was a statement that faithfully replied in a general manner within the bounds of the common sense known to the suspect.) What is it like to make a clear statement of what the costume is? (In this way, the investigator asked a mixed question asking a mixture of questions to make sure the suspects were neither positive nor negative.)
2211 Answer: According to what I know, I have faithfully stated that the statement is correct.
2212
2213Jung Guk Q: The suspect police stated that they knew clearly the name of Obama's second daughter, Natasha, who was used in the blackmail.
2214 A: After I saw the intimidation that the police showed me, I found out.
2215
2216Jung Guk Moon: The suspect described the police officer as saying, "I am likely to be a famous person" at the police investigation, and the statement "I decided to become a famous Korean man in America today." Why is that?
2217 Answer: Famous things are not meant to be misleading. The latter famous Korean man meant to be a famous politician. (The "famous person" that the suspect referred to was "a famous politician," but the future hope of the suspect was not a politician.
2218
2219Jung Guk Moon: (6) Regarding the photographs related to IS terrorists, the accused stated that the name of the author was' Dr. Korea Isis One 'and impersonated IS. The trail of the IS terrorist was discovered four times on July 17, 2015, before the crime was committed. It is stored for the first time, and it is also viewed on the 7th and 3rd, so the file stored in the computer of the suspect is not only saved, but also confirms the sucking after reading.
2220 Answer: I can not be certain how many times I have read the IS estimate picture.
2221
2222Jung Guk Moon: The suspect stated that the police said they had a determined will to the IS terrorist and kept a photo of the IS terrorist on the computer.
2223 Answer: Yes. Yes. (The suspect described what he felt in the photo.)
2224
2225Jung Guk Moon: The suspect is posted on the homepage of the National People's Daily, "I am going to return home with a nylon string on a railing, and I am going to return home." And why are you storing hundreds of pictures of women's bodies and keeping them?
2226 A: The Cheongwadae homepage and Kookmin Shinmunji homepage are for the purpose of one-person demonstration for the payment of Civil Defense transportation expenses. I did not look at the pictures more than once while I habitually stored the photographs in the process of collecting materials for writing.
2227
2228Jung Guk Moon: (7) In relation to the pictures related to North Korean Kim Jong Eun, the suspect wrote in the Obama presidential intimidation article that "I hope to penetrate the anus of black people before I was killed by Kim Jong Eun" The photographs of North Korean artifacts were saved on July 6, 2015, June 25, 2015, and pictures of Kim Jong Eun were stored on the computer. How about 00:09?
2229 A: I have never written such an article. I did not follow the North Korean Kim Jong Il system, but rather habitually stored it in the process of collecting materials for my writing.
2230
2231Jung Guk Moon: (8) In connection with IP change programs, 'SuperHideIP (version 3.3.8.8)' program has been found, which allows users to easily change their IP address on the suspect use notebook. Why did the suspect install the program?
2232 A: In my memory, I saw the news of IP related events at that time, and I changed the IP to Google and installed it. I tried to run it only once and then I did not run it.
2233
2234Jung Guk Q: Is not there a program that can change the IP for use in the offense of the suspect?
2235 Answer: No.
2236
2237Jung Guk Moon: The IPs 124.197.152.48 and 124.197.152.74 used by the suspect in the alleged crime were identified as the IPs assigned to the O-apartment No. 1 apartment at 45, Lee Moon-dong, Dongdaemun-gu, Seoul. As a result of checking the resident card of the subscribers of the broadcasting station, the contents described as 'Hankuk University of Foreign Studies' were confirmed in the school name of the suspect in O residence. (In Korea, the full street address will be enforced from 2014. If you inquire about the IP address of Tibur Road, you will be informed by the street name address starting from the agar route. It is estimated that I have confirmed the personal details of the application form I submitted to KBS before the road name address was put into effect in 2014. The address of the road name of the residence I will appear in the judgment.
2238 At this time, show the tenant card stitched on the side (blank space).
2239 A: I will not be able to confirm the answer, and the tenant card is correct.
2240
2241Jung Guk Moon: The suspects are from Hankook University of Foreign Studies (Hankook University of Foreign Studies) using IPH from the IPA at the US White House in IP on July 7, 20:20, @ gmail.com, etc., and did not intimidate by posting the message that "I am going to rape the second daughter of US President Obama with anal sex."
2242 Answer: No.
2243
2244Jung Guk Moon: The suspect is a member of the Hankook University of Foreign Studies (Hankook University of Foreign Studies) in the summer @ hufs [hufs] I am going to assassinate the US ambassador reporter and post the message of intention to threaten foreign nation.
2245 A: There is no such thing.
2246
2247Jung Guk Moon: A suspect is poisoned by US Ambassador Ripert. A specific phrase mark "4ourth 4inger" (a sign left after a suspect has committed a crime) You may leave a message that only you can tell to know your skills.) How about you?
2248 A: I do not know anything about that phrase.
2249
2250Jung Guk Moon: When I checked the site (http://archive.4plebs.org), which was searched with the keyword '4ourth 4inger' on internet search site 'bing' (Microsoft search site) (US Ambassador Rupert Threat), which was created by accessing the White House website of the United States, and the above text file is a picture file that captures the screen of the suspect who is making a statement on the White House homepage. ?
2251 At this time, it shows the [text capturing image file on the left side, text text on the right side]
2252 A: I have never posted anything.
2253
2254Jung Guk Q: Is the screen you are creating in the homepage input window of the original file captured by the suspect?
2255 At this time, the record [page file 135 captured in the picture file] Show screen being created in homepage input window].
2256 A: (At this time, the suspect thinks for a long time and tilts his head. (The investigator described the behavior with malicious intent.)
2257
2258Jung Guk Moon: The US Ambassador to the suspect and the US President Barack Obama are threatening him.
2259 At this time, you will see the [obama intimidating text capturing picture file and text phrase] stitched on page 136 of the record.
2260 Answer: This is not my post.
2261
2262Jung Guk Q: Is the screen you are creating in the homepage input window of the original file captured by the suspect?
2263 At this time, it shows [the text file captured by the picture file - screen being created in the home page input window] stitched on the 136th page of the record.
2264 Answer: I do not know.
2265
2266Jung Guk Moon: The suspect is July 7, 2015. "Fraud is over. Take care of Lim Su Kyung. Http://boards.4chan.org/pol/thread/47625963 "which was posted on the website of Mr. Soo-Soo University." As a result of IP query with 124.197.152.111, Tibrodeid The IP address assigned to Dongdaemun Broadcasting is the same bandwidth as the IP used by the suspect and the same Internet subscriber.
2267 At this time, I will show you the reason why I checked the page on page 140 of the record.
2268 A: I have not posted anything.
2269
2270Jung Guk Moon: The above email is isshufs@naver.com, the same ID as isshufs@gmail.com, which the suspect used to write White House intimidation, is the same?
2271 Answer: ... This is not something I can tell.
2272
2273Jung Guk Moon: I searched on Google (http://google.com) and Bing (http://bing.com) using the phrase "4ourth 4inger", which was used by the suspect. org site, http://archive.4plebs.org, posted a caption on the US White House site on July 7, 2015, : It was confirmed that it was published in the 31st year.
2274 Answer: I have not posted anything.
2275
2276Jung Guk Moon: In addition, it is confirmed that the article posted on http://archive.4plebs.org using the Korean IP using the article that slanders Hankuk University of Foreign Studies.
2277 Answer: I have not posted anything.
2278
2279Jung Guk Moon: The suspect is dissatisfied with the outsider by failing to work due to the suspicion of academic ability by changing the minor in the foreign language department of his alma mater, the police, without a prior notice, and the above information is also posted on the suspect's blog.
2280 Answer: I first consulted the Ministry of Foreign Affairs about the changes I made at the foreign language school. (The suspect responded to the Ministry of Education complaints and sent the evidence documents to Yongmin Kim after the bail was released.) There is. I am not trying to hate the outside world.
2281
2282Jung Guk Moon: The police officer acknowledged that he had read the picture file (castration.png, hufs.png) that he viewed on his computer before the crime, S.TXT file "denies the fact that the suspect has been denied the fact that the suspect has denied all the crimes related to the crime.
2283 Answer: Not. Rather, I think that picture files and text files should be replaced. The reason for this is that I have read more of the text file because I have stored various contents in the text file. (The suspect has limitations in remembering a lot of computer usage history.)
2284
2285Jung Guk Moon: The suspect stated that the police use the Google Chrome browser when accessing the Internet, and many of the files on the victim's laptop that captured the White House homepage using the Google Chrome browser were found.
2286 A: It's not a capture, it's a download.
2287
2288Jung Guk Q: A capture file (screencapture-www-whitehouse-gov-contact-submit-auestions-and-comments-1432397652564.png) found on the suspect computer is a file captured using a Google Chrome browser, 'Www-whitehouse-gov-contact-submit-auestions-and-comments' consists of the URL address of the captured website and the last 13 digits '1432397652564' Is the time information used by the Unix operating system and can be converted to UTC + 9 using a time conversion program (DCode) to check the captured time.
2289 Answer: I searched on Google and received the download as it is.
2290
2291Jung Guk: The suspect asserts that the capture file (a file that captures the content of the white house and the screen captured at the time of completion) downloaded from the Internet, such as the date and time the capture file was stored on the computer, , The 13-digit Unix time information in the captured file name, such as the date and time of capture of the web site screen, can be converted to the national standard time, so that the date and time of the capture can be confirmed. It is confirmed that it is written, is not it that the suspect wrote it directly and captured it?
2292 Figure 1 shows the date and time the capture file was saved on the computer, and the date and time when the web page was captured, respectively.
2293 Answer: No.
2294
2295Jung Guk Q: If the suspect downloads the above capture file from the Internet, the captured date and time can not be the same as the captured date on the computer, and the storage date and time must be later than the capture time.
2296 Answer: I think there are various possibilities for that. The possibilities are Google Cache, which I think goes beyond what I can explain.
2297
2298Jung Guk Moon: 1) The s.txt file is created on 1) 2014. 9. 10. 16:59 and the above s.txt file will be uploaded to the suspect's notebook (1) "I will kill Ripper Ambassador, Obama will kidnap my little daughter to rape my anus", and (2) I posted it on the intimidating article. Is 'isshufs@gmail.com, summer@hufs.ac.kr' showing the account? (I repeat the same question as the third investigator.)
2299 Answer: It's a copy that I copied through Google Search, not one I wrote.
2300
2301Jung Guk Moon: The suspect is 2) After the attack on "Obama's second daughter will be raped by anal sex, etc." on July 7, 20:20, posted on the White House homepage, 3) 20:21 It seems that the suspect had committed a crime by assuming that the capture file (isis.png) is stored on the victim's notebook and that only the victim has set a password on the laptop.
2302 A: I did not write that, and I can only use a laptop.
2303
2304Jung Guk: Did the suspect monitor the White House threats?
2305 Answer: I do not.
2306
2307Jung Guk Q: How can a suspect know the above information and capture it in less than a minute even though he has not been monitoring the White House threats?
2308 Answer: As mentioned above, it is downloaded from Google's cache or portal site.
2309
2310Jung Guk Moon: The suspects 4) July 7, 2015. The article is posted on the back-up site of 4chan site, 4chan site is the foreign site to post anonymously. Http://archive.4plebs.org Is a site that is automatically saved as a backup file format when you post a post to 4chan.
2311 Answer: Yes. (The suspect thinks for a moment and turns his head back and forth). (The suspect thought briefly to remember what the police cyber investigator had explained, and the investigator described it as a depiction of aggressive behavior.)
2312
2313Jung Guk Moon: The suspects are 5) On May 7, 2015, the files of Reuters Ambassador and Kim Ki-jong, who tried to kill him, were searched intensively. 6) 02:26 Do not you think it was a crime that you posted on the White House homepage saying, 'I will assassinate US Ambassador Ripper again'?
2314 Answer: No.
2315
2316Jung Guk Moon: The suspect is 7) May 7, 2015. (1) The capturing file (usa.png), (2) The picture file indicating the completion of the writing on the US White House homepage It is obvious that the suspect had committed a crime because it was stored in a notebook and the suspect stated that he had set a password on the above notebook and said he only used it.
2317 A: I did not write that, and I can only use a laptop.
2318
2319Jung Guk Q: The suspect is posted on 4chan site and its back-up site, and 4chan site is an anonymous foreign site http: //archive.4plebs. Org is a site that is automatically saved as a backup file format when you post to 4chan.
2320 Answer: Yes. It is correct to be saved as a backup file. (It is true that the accused got to know the police explanation).
2321
2322Jung Guk Moon: The suspect wrote that he did not write the article himself, he saw the article posted on 4chan site, and then retrieved it by searching Google. In order to make the excuse of the suspect correct, However, since digital analysis of the time of generation of related files shows that the time of file creation is 4chan posting after storing the suspect notebook, why do you think the suspect's claim is unfounded?
2323 A: Because I am not doing digital analysis, I can not give a definite answer about it. (The suspect did not do a Google search after seeing 4chan's article.)
2324
2325Jung Guk Moon: Go to the White House homepage of the US White House on July 7, 2015, enter the representative e-mail address used by foreign exchange students attending Hankuk University of Foreign Studies and the university phone number of foreign universities, I have said that someone who posted a post at a university address did a Google search and downloaded it. Is there any evidence or method to prove it?
2326 Answer: Not currently.
2327
2328Jung Guk Moon: I do not admit that the suspect has committed any crime, but I have two crime capture files found on a notebook that can only be used by a suspect, by setting a password, the time the file is stored is immediately after the crime, A text file that is captured in Hangul, a text document in which the threatening text is kept, traces of reading text documents 4 times before the crime, traces of repetitive terrorist attacks before the crime, dozens of pictures of the terrorist attacks, pictures of IS terrorists Observations on Obama's images, Observations on Observers, Observations on Anus and Children's Nudes, Hundreds of bizarre bodies, Pictures of Kim Jung-eun, and precisely matching crimes by time How does the suspect appear to have committed the crime?
2329 At this time, records 761 to 763 show the stolen suspect computer usage chart.
2330 A: It's different from the truth, the capture is downloaded, the photos of North Korea artificial airplanes, the photos of Ambassador Repertor, and photos of IS terrorists are misleading. (In the police investigation, the suspect described the actual meaning of the photograph by hand, from the bottom of page 591 to the page 592. The suspect viewed the photograph one or two times (accessed) And estimates that the movement of the picture file for the picture was counted as a reading.)
2331
2332Jung Guk Q: Has the suspect ever made the statement?
2333 Answer: Yes. I have stated the truth. It's what I said.
2334
2335Jung Guk Q: Are there any proofs or other things that are favorable to the suspect?
2336 A: I'm willing to take a lie detector test. Thank you. I received a request from the police investigation stage. (At the time of the police investigation, the suspect and Park Cheol-hyeon lawyer, only two people remain in the investigation room, Park Chul-hyun told the suspect, "You can get a lie detector test." After the investigation began, The suspect was asked to check the police's lie detector, and when the suspect made the handwritten statement at the prosecution's investigation, he used the expression "requested" "I refused," the suspect said, "I received a request from the police, but I will not fix it because I am not asking.") Finally, I think my blog post is wrong. (At the conclusion of all the blog posts of the suspect, the paragraph begins with "I hope my thoughts are wrong anyway ..." which emphasizes a neutral position on the topic.)
2337
2338Jung Guk Q: Are there any items that are not listed or different from the facts as stated in the memorandum?
2339 Answer: No. (The prosecutor investigated slowly when he started the investigation, but when the suspect became tired at the end, he launched a question.)
2340
2341Three times
2342
2343 In the middle of the summer, the suspect was seated in a chair by a prosecutor, and after seeing his lawyer Park, he asked him to "float the water." Park Chul-hyun refused, "I want you to eat it," and the suspect obtained the permission of the prosecutor's office and drank water. Park Cheol-hyeon came to the police station with a Mercedes Benz car and asked him more importantly about the location of the parking lot at the first meeting with the investigators. Park Cheol-hyun, who asked me to hand him over to the suspect's parents because he would not receive a bargaining fee of 3 million won, came in well, but in front of the suspect under investigation,
2344
2345 The prosecutor's office was changed to a regular inspection.
2346
2347Jung Moon-sik Moon: (A regular checkup shows the analysis result and the isis.png picture file printed on A4 paper and tells the suspect, "I am sorry that the picture is small." And to exert pressure on the suspect, I gave up the two files.) [Present the above isis.png file and analysis result (isis.png_REPORT.txt) from the suspect's notebook.] The above file came out of the suspect notebook. Have you ever seen it?
2348 Answer: I saved this file on my notebook. I searched this file on the internet, downloaded it and saved it on my laptop. I did a Google search. The source of this file from Google search results was not verified. At the time, I do not remember what I put my search terms into while doing a Google search. At that time, I do not remember what kind of search I was doing specifically. The file contains the phrase "I am going to anal rape your second daughter Natasha." However, I think you'll need to know how I searched for the file with that content. (The official testimony showed the intimidation to the suspect, and then recorded in the record, 'I am going to anal rape your second daughter Natasha.'
2349
2350Jung Moon-sik Q: When did you download the above file?
2351 Answer: It seems to have been downloaded from the middle of June 2015 until the day of my confiscation (May 13, 2015).
2352
2353Jung Moon-sik Statement: As a result of the above file analysis, the above file was created on July 7, 20:21. Is the suspect downloaded on the date above?
2354 Answer: (At this time, the suspect nods his head.) Yes, I had downloaded one time and remembered that it was downloaded in July, so I downloaded it on July 7, 20:21, (The suspect stated that he was studying French at 50:50 on the 7-8th day, or taking a sleep, but he recorded what the attorney understood.)
2355
2356Jung Moon-sik Moon: (A regular checkup shows the analysis results and the usa.png picture file printed on A4 paper and tells the suspect, "I am sorry that the picture is small." And to exert pressure on the suspect, (The file was found on the suspect's notebook.) The above file was presented on the suspect's notebook. Have you ever seen it?
2357 Answer: Yes, I have seen this file. I downloaded it through internet search and saved it on my laptop. I searched on Google. I do not remember which search terms I entered into Google, and I can not remember which sites I downloaded from Google search results. I do not remember the exact date and time when I searched for this file. I did not remember why I searched this file, and I searched for no reason. I do not remember entering the White House as my search term. I seem to have downloaded and saved this file at once with a file (isis.png file) containing the phrase 'I am going to anal rape your second daughter Natasha.'
2358
2359Jung Moon-sik Statement: As a result of the above file analysis, the above file was created on July 8, 2015 at 02:27. Is the suspect downloaded on the date above?
2360 A: I remember downloading this file (usa.png file) in July 2015. However, I do not remember exactly whether I downloaded it on July 8, 2015.
2361
2362Jung Moon-sik Moon: (The official test shows the file attribute picture file and the picture file of this file to the suspect who printed it on the A4 paper screencapture-www-whitehouse-gov-thank-you-1436290042624.png " I had to copy this file to the computer on my computer, so the location of the file attribute would say "check", and I put on a stapler with an exaggerated gesture to pressurize the suspect. ) [The above screencapture-www-whitehouse-gov-thank-you-1436290042624.png file from the suspect's notebook and presenting the file property output] The above file came from the suspect's notebook. Have you ever seen it?
2363 Answer: I searched this file on the Internet, downloaded it and saved it on my laptop. I did a Google search. The source of this file, which comes from Google search results, is hard to remember. It's hard to remember what you put your search terms into while doing a Google search. I did not search for a specific purpose.
2364
2365Jung Moon-sik Q: When did you download the above file?
2366 A: I can not remember the exact date. It seems to have been downloaded from the middle of June, 2015 to the beginning of July, 2015.
2367
2368Jung Moon-sik Statement: As a result of the above file analysis, the above file appears to have been generated on July 8, 2015. Is the suspect downloaded on the date above?
2369 A: I do not remember the exact date, but it is between mid-June and mid-July 2015.
2370
2371Jung Moon-sik Moon: (Record 674 pages photo file) Above castration.png What is photo file?
2372 Answer: The above castration.png file is a picture file I downloaded. I remember that I was downloaded from mid-June to 2015. 7. Cops. Castration means 'castration'. The above file is a scene of a movie. I can not remember being a movie with a lot of content. I guess I did not put the word "castration" into my query. Because it's about Google search results, I'm beyond the scope of what I'm describing.
2373
2374Jung Moon-sik Moon: (Record 675, 677, Representative Lim Seong-Kyung) What are the photo files?
2375 Answer: I searched for photos of Mr. Soo - kyung who showed me to use as a resource for criticism. I received a Google search and download. It is to criticize the main North Korean government. I store criticisms in my diary-style personal blog. I can not remember the exact date when I downloaded these files. In the material shown, the date and time of creation of these files is July 7, 2015. I think that the reason why the file creation date and time is analyzed as above dates is beyond the range that I can answer. I posted an article about Lim Soo Kyung in my blog (antihufs.blogspot.kr) on July 7, 2015, and the above pictures are included in the article. That blog is still open. (It was impossible to remember all three or four thousand articles written by suspects.) At first, the suspect did not know what was on this blog. When the suspect said, "It was between the middle of June and the beginning of July," the lawyer Park Chul-hyeon said, "Why do you lie to the suspect? ? "), And showed the date of the suspect's blog on his cell phone. The suspect responded that he saw his cell phone and posted it on July 7, 2015.)
2376
2377Jung Moon-sik: Does the suspect use a router when using a laptop?
2378 Answer: I have never written a program to change Internet IP, but I use a router. I purchased an internet router for 12,000 won ten years ago. Again, I can not remember exactly when I bought it. I have a router in my house, and I have 3 computers (my laptop, my desktop, my dad, and my computer are using that router). I use the router every time I use the internet. I have not changed my Router setting since I have never used it, but I have not changed my Router setting any more. When I use my Router, I enter ID (ADMIN) and Password (494) in the Router. I have not touched the case of the suspect.
2379
2380Jung Moon-sik Moon: Is there anything the suspect wants in the prosecution investigation process?
2381 A: Now that I have sealed my laptop, I did not break it. It is difficult to tell which part I should investigate because I am not an expert. (The prosecution extended the detention period of the suspects by 10 days in the name of investigating notebook hacks.)
2382
2383Jung Moon-sik Moon: Do you have any more to say?
2384 Answer: No.
2385
2386Jung Moon-sik Q: Are there any items that are not listed or different from the facts as stated in the memorandum?
2387 Answer: (handwritten entry) None.
2388
2389Four times
2390
2391 At this time, the defendant is attending lawyer Park Cheol-hyeon attorney, saying that he will be investigated under the participation of counsel. Toward the suspect, (The official examination did not participate in the interrogation of the suspect, but did not record it in the prosecution dossier.)
2392Jung Guk Q: Has the suspect ever stated the truth before?
2393 Answer: Yes. I have stated the truth. It's what I said.
2394
2395Jung Guk Moon: The suspect described last time that he used the mobile phone of the suspect's mojo OO. Does he remember the cell phone number used by the suspect?
2396 Answer: I used a number other than 5787 from my mother's cell phone number.
2397
2398Jung Guk Moon: The suspect is Mo-Kim OO's cell phone number is 010-2359-8775, 010-3687-5787. If the suspect has not used 010-3687-5787, the remaining 010-2359-8775 is used Is that right?
2399 Answer: It's true that I used my mother's cell phone, but I can not remember the cell phone number I used.
2400
2401Jung Guk Moon: How long did the suspect use the cell phone (010-2359-8775) of Mo Kim OO?
2402 Answer: We used until recently.
2403
2404Jung Guk Q: How long has the suspect used the mobile phone (010-2359-8775)?
2405 Answer: I can not remember the exact date.
2406
2407Jung Guk Moon: The suspect has not used the phone since April 4, 2015, as shown below on 010-2359-8775.
2408 Business name / Order number / Usage type / Origination number / Called number / Call start time / Usage time (seconds) / Outgoing base station address
2409 LGU + / 29 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:25 / 0: 1: 17/641 Shinna-
2410 LGU + / 30 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:44 / 0: 0: 32/641 Shinna-
2411 LGU + / 31 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:47 / 0:01:37 / 641 Shinnap-dong,
2412 LGU + / 32 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:57 / 0: 0: 29/641 Shinna-
2413 LGU + / 33 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 16:03 / 0: 0: 34 / 331-1, Seokgung-dong, Seongbuk-gu, Seoul
2414 Answer: Yes. After that, it is not used.
2415
2416 (The prosecuting attorney said, "How is April 4 recently?", And the suspect answered "I can do that."
2417
2418Jung Guk Moon: The suspect called 010-2359-8775 is the mobile phone (010-3687-57787) that uses the suspect's mobile phone. Is this correct?
2419 Answer: Yes. Yes.
2420
2421Jung Guk Moon: The suspect is 010-2359-8775. Did anyone else talk to anyone other than the suspect?
2422 A: I rarely spoke to anyone.
2423
2424Jung Guk Q: Why does not the suspect have a call history from April 4, 2015 to 010-2359-8775?
2425 A: You did not call because you had nothing to call.
2426
2427Jung Guk Moon: As the phone call (010-3687-5787) of the suspect, Mo Kim OO's cell phone (010-3687-5787) will be shown as below. July 7, 2015. Gangwon-do, Gangwon-do, I made a phone call from the suspect, did not I use the cell phone? (The prosecution violated the privacy and privacy of the suspect 's mother without a court warrant or investigation.)
2428 Business name / Order number / Usage type / Origination number / Called number / Call start time / Usage time (seconds) / Outgoing base station address
2429 LGU + / 1232 / SMS / 010-3687-5787 / 010-8230-2824 / 2015-07-07 8:50 / :: /
2430 LGU + / 1233 / Voice / 010-3687-5787 / 054-840-5466 / 2015-07-07 8:51 / 0:01:20 / 331-1, Seokgung-dong, Seongbuk-gu, Seoul
2431 LGU + / 1234 / SMS / 010-3687-5787 / 010-8230-2824 / 2015-07-07 16:29 / :: /
2432 LGU + / 1235 / SMS / 010-3687-5787 / 010-4050-7402 / 2015-07-07 16:32 / :: /
2433 LGU + / 1236 / Voice / 010-3687-5787 / 010-8230-2824 / 2015-07-07 18:01 / 0:00:51 / 346-3, Sansuri, Namsan-myeon, Chuncheon-
2434 LGU + / 1237 / MMS / 010-3687-5787 / 010-792-9484 / 2015-07-08 14:31 / :: /
2435 LGU + / 1238 / Voice / 010-3687-5787 / 010-5660-7804 / 2015-07-09 13:12 / 0:01:11 / 3rd Floor, Canaan Church 207, Jung-hwa-dong,
2436
2437 A: It's not my own, it's my mother's cell phone.
2438
2439 (The prosecution investigator questioned the accused about why her mother went to Chuncheon city in Gangwon province, and the suspect did not know that this was not recorded in the record.)
2440
2441Jung Guk Moon: The suspect is going to the village resort of Gonggok-ri (San-suri) on July 7, 2015. Kangwon-do 346-3, Sansuri, Namsan-myeon, Chuncheon,
2442 A: I was at home.
2443
2444Jung Guk Moon: Was the suspect alone on July 7, 2015?
2445 Answer: Yes. I was at home alone.
2446
2447Jung Guk Moon: Do you remember when the suspect's mother Kim came home?
2448 A: My parents are out with me and I do not remember the exact date of my return home, but I remember coming back home about the weekend.
2449
2450Jung Guk Moon: Looking at the phone call (010-3687-5787) of the defendant Mo Kim OO's name, it is reported to be the third floor base station of Canaan Church 207 Junganghwa-dong, Jungnang-gu, Seoul, It looks like you're back in Seoul.
2451 A: I can not remember the exact date my parents returned home.
2452
2453Jung Guk Q: So, is the suspect alone at home from July 7, 2015 to July 8, 2015?
2454 Answer: Yes, yes.
2455
2456Jung Guk Q: What did the suspect do at home alone?
2457 A: I do not remember exactly what I did.
2458
2459Jung Guk Moon: The suspects last, "2015. 7. 7. At 20:20, the obsession for President Obama was posted on the White House, and on the same day 14:57 on the same day, there were traces of reading the s.txt file in Korean, : 20) 1 minute after 20:21, capturing of threats (isis.png) is confirmed on the computer of the suspect, and the above s.txt file is read twice (ahead of 21:10 and 21:19) The suspect said, "I just scanned the computer and copied it to a text file, and I do not know whether it was scanned or not." How is it?
2460 Answer: Yes. It is correct as I stated before.
2461
2462Jung Guk Moon: The suspect is on July 7, 2015, 20:20, 20:20. Is it the correct time to copy the text from the suspect computer and paste it into a text file?
2463 Answer: I do not know the exact time. It is correct that I copied and pasted the results from Internet search.
2464
2465 At this time, the defendant responded by saying, "Let's rest for about 10 minutes and proceed with the investigation again." After taking a rest for 10 minutes (15:05), the defendant's lawyer sits again next to the suspect : 17). (Attorney Park Cheol-hyeon asked the prosecutor "Let's take a break because I have to deliver the papers to another client.")
2466
2467Jung Moon-sik Moon: The suspect is posted on the White House website on June 7, 2015, about the Ambassador Repertory. One minute later, at about 02:27, The file was created on the suspect computer. Is the time at which the suspect was copied from the suspect computer through Internet search and pasted to the text file?
2468 Answer: The exact time zone is ... (At this time the suspect closed his eyes and thought for a while) ... It's a little hard to remember. It is correct that I copied and pasted the results from Internet search. (The prosecution officer exaggerated that the suspect thought for a while, through the depiction of the act of aggression.
2469
2470Jung Moon-sik Q: How about a detailed explanation of how the suspect copied and pasted the results of Internet search?
2471 A: I went into the internet and searched, but the search terms were hard to remember and I copied the search results and pasted them into a text file.
2472
2473Jung Moon-sik Q: How do I get the search result when I can not remember the search term?
2474 Answer: ... It's a bit difficult to identify the exact query. (The suspect searches a large number of search terms to find search results just like ordinary people, remembering only the search results, and not remembering what search terms you searched for.)
2475
2476Jung Moon-sik Moon: The suspects are www.blogger.com, jeolladian.blogspot.com, jeolladian.blogspot.com, helkorea.blogspot.com, helpkorea.blogspot.com, bosulachi.blogspot.com, antihufs.blogspot.com, antihufs.blogspot.com, avstats.avira.com Do you know these sites?
2477 A: Of the above sites, www.blogger.com, avstats.avira.co is an unknown site, jeolladian.blogspot.com, jeolladian.blogspot.com, helkorea.blogspot.com, helpkorea.blogspot.com, bosulachi.blogspot.com , antihufs.blogspot.com, antihufs.blogspot.com are my blogs. Bosulachi is an Internet language that refers to a woman whose conduct is the subject of social criticism.
2478
2479Jung Moon-sik Moon: The suspects access the above sites on July 7th and 8th, 2015, and the hackers are running the suspects' jeolladian.blogspot.com, jeolladian.blogspot.com, helkorea.blogspot.com, helpkorea. Do you know how many URLs you know, such as blogspot.kr, bosulachi.blogspot.com, antihufs.blogspot.com, antihufs.blogspot.com?
2480 A: I'm not sure, but I do not have access to all of the above. (The suspect opened multiple blogs with one Google mail account.) I insisted on 'Google Cache', and my parents and lawyers claimed that my laptop might have been hacked at this time. (Attorney Park Cheol-hyun who heard this statement stared at the suspect for a while without saying anything.)
2481
2482Jung Moon-sik Question: Why did you tell the log records that you have access to the above sites on July 7th and 8th, 2015, and that you have not accessed all of the above?
2483 A: I do not remember what I did at the time. (The suspect has not been able to access all of the blogs because he did not manage them by creating multiple blogs.
2484
2485Jung Moon-sik Moon: When the prosecution re-imaged the suspect's laptop, Jung Moon-sik said, "I did not have Hangul input function on the laptop used by the suspect, but I entered Hangul using Internet input device. How do I input / output Hangul? (When imaging at the Cyber ​​Office of the Public Prosecutors' Office, Cyber ​​Investigator of the Chief Prosecutor's Office showed the process of analyzing the laptop to the suspect.
2486 A: Find the site that comes up with 'Hangul input device' on Google and click on the search result to input Hangul using the keyboard. There is a Korean keyboard on the notebook I bought and confiscated. The alphabet and Korean are shown on the keyboard. I used a French version of Windows XP on the laptop. I have installed a French version of Windows to enter French special characters. (The official testified, "Why do you write it?") And the suspect stated "I bought the cheap laptop because I was unemployed, I wrote it with inconvenience." But I did not record it in the record. However, the prosecution cyber investigator estimates it to be between two and three million won, "from the beginning," the laptop's hard disk capacity is quite large. "
2487
2488Jung Moon-sik Q: How do you describe the process of entering Korean into Google in detail?
2489 Answer: First, enter Google (www.google.com) into the Internet address bar, and when the Google window appears, enter the Korean input device (gksrmfdlqfurrl) in English into the search box. Then, the Korean input method site appears in order, and from the top of the Korean input method site, click downward to find a site where you can input Korean. If you find a Hangul input site, you can input Hangul by using computer keyboard and then copy the Hangul input and paste it in the place where Hangul input is needed. (The suspect's laptop is in French, so typing www.google.com leads to www.google.fr.) Even if you search for both sites with the same search terms, the order of the search results displayed is different.)
2490
2491Jung Moon-sik Moon: As a result of the prosecution's hacking test on the suspect's laptop, there are no signs of specially remote control (especially July 7, 2015, and July 8, 2015). How about this? And the suspect did not delete the access log from the laptop router?
2492 Answer: (The suspect does not answer the hacking test result.) I just entered the ID and password on the router, and I do not remember when I entered it. I did not delete the Router Access Log on June 25, 2015, June 7, 2015, and July 8, 2015.
2493
2494
2495
2496
2497 ++++++++++++++++++++ Forensic Investigation for Brother 6666 Case 2015 Verification Statement ++++++++++++++++++ ++
2498 Author: In-Sung Kim, Professor, 010-5270-5779, No. 819-5, Bangbae-dong, Seocho-gu, Seoul,
2499 (On January 19, 2016, Kim Yong-Min attorney handed in the opinion of professor Kim In-Sung)
2500
2501 1. Whether hacking outside
2502 No external hacking traces were found.
2503 2. The legitimacy of the forensic process
2504 There was no expert to judge the legitimacy of forensic work in the seizure process.
2505 3. The fact that White House access records do not exist on the computer
2506 If you use the Web browser's secret access feature,
2507 4. Whether to change the router MAC address
2508 The router MAC address can be changed and there is also a trace of change.
2509 5. Whether the 7.21 date file exists,
2510 7.21 Date The created file does not exist. The date of file creation in the report is considered to be the date of creation of the report, which is the author of the report.
2511 6. If the hash value of the hard disk imaging file is different
2512 It is judged that the hash value has changed because reimaging was performed after rebooting the computer to check the time zone after imaging in the seizure search process.
2513 7. White House screen capture file
2514 The White House screen capture file is captured and stored on this computer.
2515 This statement is a review of the evidence only and is not a definitive opinion and may be subject to change if additional evidence is available.
2516 2015.12.29 Kim In Sung. (signature)
2517
2518 If you use the web browser's secret access function, you may not record the connection.
2519 It's hard to rule out the possibility of using the incognito feature because you asked about the incognito access in the newspaper process and answered that you knew about it.
2520
2521 -------------------------------------------------- --------------------------------------------------
2522 1 Record the proof of the record .pdf - Adobe Acrobat Pro - â–¡ XQ Notch, Flickr, Flickr, ? â– City, | | N â– Tools Comment j Share
2523
2524 If downloaded from the Internet, the above file name and the Zornjdm file will be created. By the way, the above file is not found on the computer. If you look at the above, what do you think the suspect looks like in a file
2525 Answer: I'll take good care of you.
2526 Law? : Google has 4 secrets on each of the browsers. That's right.
2527 Q: What is your reason for using the above sounds? Answer: It is useful to use something because it is a novel.
2528 Moon. What is Incognito? Answer: I do not know.
2529 Q: The secret function is to set the internet connection speed in case of internet browsing, and it is a function to access the Internet without saving the file temporarily. Do you know Lee?
2530 Answer: I do not know.
2531 50! 1
2532 -------------------------------------------------- --------------------------------------------------
2533 [Picture that opens this OO evidence record .pdf file with Adobe Acrobat Pro]
2534
2535 4. Whether to change the router MAC address
2536 The router MAC address can be changed and there is a trace of change.
2537 Router Shows the log when changing the MAC address, but it has the function to prevent the log setting from being saved in the router setting.
2538
2539 It is difficult to say that the MAC address associated with the IP address assigned by the vendor is found on the router, and that the MAC address is not used because the change log is not left on the router.
2540
2541 -------------------------------------------------- --------------------------------------------------
2542 hole! This OO Evidence .pdf - Adobe Acrobat Pro X | fi Making things 0 â– ? â– ? p P ç ë—¬ wind year t, 4; 6221S! ^ 10 +, 7% 1 ^ B 'tool 1} Lube
2543
2544 | UM & wks iptlMI Q x 'Itetvork # ipTiMEdDS </ tltia> vl.count Cfd timeprQfl], html? I have bought a school. I was not able to address you at the address
2545 j medicinal medicine 5.7 bottom 7
2546 2551255.255.0 CMW> 8 コ ン ​​公 滿
2547 5MA0 $ - $ .7 SM4 1 1 Company name Address
2548 1 SZJM0 minutes) MAC appeal 0S-60-B € -E4-F9- $ A liia
2549 Peek a: Well,
2550
2551 [Picture] timeproUltxl om Mini language display
2552 - At the time of the crime, the user's Internet Router <Administrator's Page
2553 - Internet access routers from 2015, 7 7, .19: 57, 7, 8: 02: 44, which were found on the commissioned notebook,
2554 To connect to the Internet Router, connect the two terminals of the Noto Book. 4. Save the configuration file.
2555 Why do you check your internet connection information call? 룔 7. 7. 20:03:05 룔 7.8 02:33:24
2556 On the White House Web site, the threats are changed between the time the two messages were published, and the time that the change was made to the router.
2557 -------------------------------------------------- --------------------------------------------------
2558 [Picture 4 of this OO proof record with Adobe Acrobat Pro opens .pdf file]
2559
2560 5. Whether the 7.21 date file exists,
2561 7.21 Date The created file does not exist.
2562 There is no file that matches the creation date of the file specified in the report.
2563 The creation date of the file, such as the name of the file submitted as evidence in the report, is prior to the seizure.
2564
2565 The s.txt file submitted as evidence in the report matches the file creation date recorded in the hard disk imaging data.
2566 The date of file creation on the report except s.txt is determined as the date of the report creation.
2567 Therefore, it is a mistake of the report author to make the file creation date as 7.21.
2568
2569 -------------------------------------------------- --------------------------------------------------
2570 Fruit: F: \ 15, Terrorist, with a lot of light, 653, txt _Z0l5-07-21, 9 ^ 7? 06; 30
2571 AG public. € 53 ts 6,1 nJt and public hOO65356.Ink ti 1? Of f t C5
2572 Sase? Tce & qcujs ^ nts ar? Iiig§ \ H \ Sur? SAu \ s. txt
2573 Machine Na service o
2574 ft public .l public fcive Path? *, 3 public t
2575 Volujj? Lafcei XPwFR
2576 Socking .Wrector class, 0 min. ç 想 å¹» æ–‡ å…¬ å…¬ nd S? T * vi? \ M \ Buceau
2577 Volism C 然) :) stone ct QUID {F3 $ SACOA-mt3-4e ^ 7-S34 8 ~ 公 *? l Public name 6 義 504.1.1
2578 Fil. Good Gbj Public T I I I I I F F F F F F 38 38 n n n n n n n n n n n n n n n n n
2579 Tim stone tarap: U / Q9 / IQ C7: 27J'ja IAACT -0-50-8 ^ -S4-F? -5A)
2580 Target VoiuKto C? UXD (P36SACDA-FB13-4 617-S34ij-D7162E & A5De I?
2581 Target File Suppression 2D (nUTBBA-388® ~ I; S4--0? 5; F9 & A) (Sequence: 1BF1 tisiestasp: U / Q9 / lb Q7: 2 ?: 3E: CK? -5A)
2582 Creased 14 / C9 / IQ 1 Public: SHK * 46 Modified 15/01/07 i4: 57: 58 Accessed 15/07/0? 4: 5'7: S name Co4? Paae 0
2583 Drive Type Minutes RIVE FIXER Tiia Attributes 32 tCriawa Folder Type C Kno- # n Folder value 0 1.1 nk 155-
2584 Liuk t? N ^ th 429
2585 icp-erty Storage Si model 0 Sg>? cl public 1 Folder'type public 0 5jj? cl * a Foid6? Value 0 Vist? And Msove ID hi $ t Voims Serie ai 84e? 20fb IDList siZB 56
2586 ,,, voice
2587 V ':' '
2588
2589 Q Q, 0 S g) S? , | | | | | | | | | 3 3 3 3 3 3 3 3 3?????????????????? i Comment: i? u
2590 ., Hitcher. .fesl: i
2591
2592 F: \ 15 "D / I, _ / minute, school strikes \ AOG65516> txt This is the astigmatism?
2593 A00S5513.ink
2594     A0065SJ8.i? Km? ? ff? #to
2595 B & se Path C; S & ocie nents S tt t. tx%
2596 MAchine: Nai 公 好 o
2597 R? Iativ? P name th ?, \ Bureau \ public, txt
2598 Volume Label X? _FB
2599 Working 01 rectory C:, D eu n osts and Settir, y ?? \ H \ ByC-SSA?
2600 Vt> U? Ws GUID C F3SEACDA-PBX3-4 € 27 ~ BM 8-D? 162K € A5C! 41 i
2601 School tsjdet; I am a member of the lima-esza-ap: H / 09/4: I am a member of SGS, 10 0 * 7: 27: 3 Shiki Kouichi 3 '* 54-F 多 玄 玄 公 1
2602 Target V? U GUID i F36? BA-F8J3-4? N, B343: 71S2E vs. S if target Target GUID \ F116P3 & A-3esa-1 IS4'9Bn-0050B654r95A) ^ S? ; 1BF1 Ti group est, provision: 14 / 0t / lS 01: 21z3B me: 00- * 5Q-S6 ~ 5 <-r9-5A}
2603 Created 14/09/10 1.6 i 5 多: <8 Ho <U? I? Mi 15/07/0? 2i; 10; 5f>
2604 Aiicftaaed 15/07/07 21:10:56 Cod® ge 0
2605 Dt'iv? ?> * p? DRIVE__FIXED Plie Attributes 32 Kn public wi Folder Type 0 Known Folder Value 0 Utik: rug * i5S Link Length 4 * 3
2606 Storage 3i and Good G
2607 Special? Oidd? Type C Special Faider V & ia & 0 Vista And Above ID List S. Left.
2608 Example:
2609 K (~ 6 *
2610
2611 This OO evidence record .pdf - Adobe Acrobat Pro, gse view
2612 Not taking, | Cotton @? El | Incense â‘© [5 yes urine CS>
2613 File: r: U5 terrorist attack v. 11 file UCH36S way, Uct 2D 15-07-21, afternoon; 5i52
2614 A00? 5S4i.Ink
2615 N * 3 ?? AaG65S41.1nk
2616 m? orraat o
2617 Minute as? fdth C:, D Phantom n StstUags \ &. txt HaChlne ç‚Ž æ¾ Tf? Q
2618 H? Slativ? Path. .
2619 VoJuaw 1 ^ 1 5C ^? Hi
2620 寒) orKing 多 ㄠレ イ ト å…¬ r CiXPmrasssrsts aj '技! Receiving ttiR 寒 效 然 '8 ì»; r 公用 u
2621 Voi_ Object QU10 jf36KAC Show * Each 1 ^; 8348-
2622 File Oblct GUID {fl 16IT35A-38BB-U- ^ 8F.l -00500654F9> h) (Sequence aoe;
2623 Ti 3? T? P; 14/09/10 07:21:38 ma00-SO-BS-54-r5-5A}
2624 Target V public lame GUID lr36? ACDA-F8i3-5? S34t ~ nil62E4ASG41}
2625 Target file GUID after rii6rBSA-383S-liE4-9BFl- public t> 5G distribution name (Stance; lBF1 Ti? F9-5A)
2626 Crmi ^ a 14/09/10 15:59:48 Modifisd 15/07/07 21:19:06 Accessed 15/07/07 23: l.9: C!
2627 C min d? Page 0
2628 0Reg9 Type DRIVE ^ FIXED Fils fttTribufCSSS 32 Known Folder? Yi> 0 Known Folder Value 0 Link Flags 13S Link length 428 Property Storage Folder 0 Special Folder Value 0 Special folder Value 0 Vise * AJKJ Above ID List Size 0 V? lvna? Serial 34ecZ0ffo lDIxi *? T $ ji x? 5 people
2629
2630 Rupture; F? \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ "
2631 worship- y? y.
2632 And zhe ir.snu says the price is esc Hye after tiftng for higher s If you puni ^ hmecst skill, You * v & rae eiy hit your body Yu public t 10 times times per day.
2633 And youi: â– name ge conaectln ^ i tim? is about 2 houra p * er day.
2634 3o you ?? rn ç”° inimai. 68 d ^ llacs per day c ^ Iy 5 hours of your par: tz, isse jo minutes,
2635 house name r; if yoti tec ^ xvr? Percent frow myfr Opinion: è°· e 身 ä¿ ....
2636 You also as ç”° d to be a cranny, r.iqitt?
2637 X 3 Nine the scar aroimd your artificial pussy t> ut no .scars airouiKl yoar boobs,
2638 Should I get gander xr? AJs * i <jn? ERt korean pera.ti korean ok my p * r: is onlyl
2639 t want to q & t into that buainesas after ft .t -s \ jt ~ off ray 建 文 ck,
2640 l thin I can qualify that public u ir> e and it ito after ad sonr و wuch plastic surgery 强 分?! 公 y by acit cast ration.
2641 In South K Public Corporation, I Ciir. als-o ijenefiql.ai t effective free af military service l
2642 have no tej? Licln.
2643 Anyway l no? D your consuitatior, - and I want to ch? T ;. with you,
2644 Pieaae, show your gonsro-city 3, nd sve my pcor a public ui.
2645 I votahlp you and ad 然 主 r 接 your g? Nic (skill a idea,
2646 寒 ë± å¥½ t regai: d3f i.jsahu? A ^ g ^ aii.coir}
2647 Lii ^ a Is and Cr and ssyy
2648 I am going to be raped by the abductee of Obama's public office.
2649 - Addreiss:
2650 Office of Infccrrui.doaai Sw. Koxtian & E 效 t; , S S S S!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
2651 - Website: htqfK // jsufiiflwsf. memory
2652 -? hon? : + 82-2-2173-2062
2653 - FAX; i82-2-2n3-28T?
2654 - 玄 一: 的 si 玉:? UJ 田 meirdhufs ■a 公> kr / irsfnsf ^^ gisaSJ ^ ccsc;
2655 TSL. i-92-2-2173-2062 c ~ r * aii, T ^ E8HUFs. ac.kr / i3shuf sig ^ sax; .C; XR
2656 Paige! ?
2657 OUTP
2658
2659 -------------------------------------------------- --------------------------------------------------
2660 [Record this OO evidence in Adobe Acrobat Pro. 5 photos opening a .pdf file and 5 photos analyzing the evidence file with EnCase Forensic]
2661
2662 6. If the hash value of the hard disk imaging file is different
2663 The difference between the initial imaging and secondary imaging hash values ​​is determined by the reimaging after rebooting to check the time zone after the initial imaging.
2664
2665 -------------------------------------------------- --------------------------------------------------
2666 ! О о | , Seok Seok-cheon Information | 4: Surname Name Contact I Investigation of the Cyber ​​Investigation Team, Seoul Metropolitan Government Inspector Nam Sang Wook 02-700-5923 1
2667 Carpenter | ! If the accused has contacted the White House Web site on July 7, 2015, and 7 * 8, 2015, and intends to threaten the US President's family and US Ambassador to Korea,
2668
2669 Cancellation request information (duplicate image)
2670 Model (manufacturer) and duplicate image file name's hash value yugeu a slow ^ ACHI HDD Z5K500-500 500GB attached to the laptop lenovo B490 3 ^ 500GB ^ NOTEBOOKM1 ~? 29 round 29 files 2a2ff60f03143ff34eelel 65830e322a2 (MD5) blood, 'Seagate HDD ST500DM002 Clone image of â–
2671 ab5b3e7f256963d5cfe9 150713J00GBM1? E12 12 files fll.94964dbf5 (MD5)? Agate Replication of HDD ST3250820AS 50713J50GB.E01 ~ E15 15 files 9e! 50077d753fl01e733 <52ece3a246e7 (MD5) 1
2672 -------------------------------------------------- --------------------------------------------------
2673 [Photo taken with a document tied up with a mobile phone camera and wired]
2674 Hash value generated at initial imaging
2675
2676 -------------------------------------------------- --------------------------------------------------
2677 (3) Fruit and hash value
2678 i number of extracted file name hash value _5) | ? Chapter 11 on ienovo B490 laptop image file of a è€ yudoen j 1 HITACHI HDD Z5K500-500 / 1 1 500GB 1 1 i507I ^ 500GELNOTEBOOK.EQl 1 1 ~ 29 * 29 files a result, the water commission llzip 288354CFC1A94D552 |
2679 1 6Aim24? D181F0 \ / 2 I 150713J00GB.E01 ~ E12 / 12 No fruits 'None \ I 3 I 150713J50GB.E01 - E15 1 15 No file I â– 1/4 1 [20150713-segateJOgM' â– 12 No file * 1 None \! 51 150713J0GB.E01 ~ Ell f- 11 fruits m \ ^ \? It can be used as a tool, ? J \ Row 1 1 1 1
2680 -------------------------------------------------- --------------------------------------------------
2681 [Photo taken with a document tied up with a mobile phone camera and wired]
2682 Hash values ​​created when imaging after turning on the computer for time zone verification
2683
2684 Note that copying an imaging file does not change the hash value. The prosecution needs to explain why the hash value reimaged after the time zone check and the hash value imaged by the prosecution are different.
2685
2686 7. White House screen capture file
2687 The White House screen capture file is assumed to have been captured and stored by the suspect on this computer.
2688 There is no possibility of a hacking because the suspect has acknowledged that he or she has copied it directly (through testimony that he has been downloaded from the Internet and downloaded it).
2689 The file creation time differs by one minute from the time of writing to the White House, and the posting of the same contents on another site is after the time saved, and it is unlikely that it was downloaded from another site.
2690 End
2691
2692
2693
2694
2695 ++++++++++++++++++++ Witness Newspaper Proclamation (part of the eighth trial) ++++++++++++++++++ ++
2696 Event 2015 Torture 4685 Threatening
2697 Name Nam Sang Wook
2698 Date of birth August 22, 1978
2699 Housing Seoul Chongno-gu Sajikro 8 Gil 31, Seoul Metropolitan Police Agency Cyber ​​Investigation Department (Investigation Section)
2700 judge
2701 If a witness asks whether he or she falls under Article 148 or Article 149 of the Criminal Procedure Act and acknowledges that he / she does not fall under this clause and explains that he / she can refuse to testify if he / After warning the punishment, he stood as a separate line and made him swear. The next witnesses did not finance it.
2702 The contents of the newspaper about the witness are the same as the recording file of the court recording system (the original number 160321141735).
2703 March 21, 2016.
2704 Hwang,
2705 The judge (doctor)
2706
2707 A statement on the testimony veto notice
2708 1. A witness may, if he / she has any of the following reasons, deny his / her testimony to the presiding judge by calling for reasons for refusal.
2709 end. If a person who has a relative or relative with a witness or a witness, a legal representative, or a supervisor is found to be subject to a criminal prosecution or a complaint or convicted (Criminal Procedure Act, Article 148)
2710 I. If a witness is in such position or in such position as a lawyer, a patent attorney, a notary public, a CPA, a tax accountant, a taxpayer, a doctor, a doctor, a dentist, a dentist, a pharmacist, a midwife, a midwife, a nurse, (The Criminal Procedure Act, Article 149)
2711 2. In addition, a witness may refuse to testify if he or she finds that there is a reason similar to that of paragraph 1 of an individual or specific newspaper after the oath.
2712 3. If a witness does not expressly deny the testimony or give false testimony to a newspaper article that has the right to veto testimony, he / she shall be held liable for perjury please.
2713 Witness Nam Sang Wook (signature) or signature (signature)
2714
2715 Oath
2716 According to the conscience,
2717 In fact,
2718 If there is a lie
2719 To be punished for perjury
2720 I am a wanderer.
2721 Witness Nam Sang Wook (signature) or signature (signature)
2722
2723
2724 Recording book (main point)
2725
2726 Case Number 2015 Highland 4685
2727 Due Date: March 21, 2014
2728 Remarks Inadequate question, the Attorney's objection to the Attorney General's 25th article of the State Newspaper is on page 16, pages 21-22, page 17, pages 12-13, Part.
2729
2730 I submit a transcript prepared in accordance with the provisions of Article 38, Paragraph 1 of the Criminal Procedure Rules.
2731 1. Attachment: A copy of the witness newspaper on the witness Shin Nam Suk (Total: 52 pages)
2732 March 21, 2016.
2733 Stenographer Park Sang Ki (Painting) (Painting)
2734
2735 ※ This transcript was written in a way that summarizes only the main parts of the statement _
2736 ※ Parties and witnesses may object to the matters described in this transcript. When an objection is raised, a court clerk or other person must indicate the intent of the objection in this transcript or in a separate document or correct the relevant part of this transcript.
2737
2738 judge
2739 Witness Shin Nam Wook, a witness for the New Testament, acknowledges the necessity of recording and instructs him to record all of them in accordance with the provisions of the relevant Criminal Procedure Law. The contents of the witness newspaper are all recorded, so please be sure to tell the microphone when speaking.
2740 Notice of testimony veto. Witnesses' testimony may deny the witness or any person who has a close relative relationship with the witness to be subject to criminal penalties or to testify about the confidentiality of the other person whom the witness has known for work. After witnesses have sworn in, they can also refuse to testify for the same reason in individual newspapers. And if a witness lied after an oath or if his memory is unclear, but his memory is clear, he is punished as a perjury. Please swear.
2741
2742 witness
2743 According to the oath and conscience, I speak truthfully without any concealment and assistance, and if there is a lie I swear to be punished for perjury. Witness Nam Sang Wook.
2744
2745 inspection
2746 To witnesses
2747 (Provide an investigation report on page 172 of the Investigation Record No. 10 in the Evidence List)
2748 Q: Is it true that the witness wrote the investigation report that the defendant's blog was confirmed and the relevant article was printed and attached.
2749 A: Yes, that's what I wrote.
2750 If you look at the printouts attached to this page, you can attach a copy of your diploma titled "I am a student at Chonnam National University," a copy of your graduation certificate, a copy of your graduation certificate in English, a transcript of your transcripts, Ministry of Education 's complaints Title' I have been suspected of forgery of education and plagiarism due to the unilateral graduation change of university '. And the content of the complaint is confirmed by the defendant 's blog, and is it attached to the output?
2751 Answer: Yes.
2752 Question: Is it true that this article was also printed on the defendant's blog, on page 185 of the Investigative Record, "What is HUFS?"
2753 Answer: Yes.
2754 Question: Is it true that the content of the complaint posted on the defendant 's blog on the title page of the Investigation Record on the 188th page titled "My Civil Service Complaint (Civil Title - Good Morning)" is correct.
2755 Answer: Yes.
2756 Question: Is it true that the post on the page 192 of the Investigation Record entitled "Aversion to feelings when I am good at English" on a blog called "Korean Anxiety Antisocial" is also printed on the defendant's blog?
2757 Answer: Yes.
2758 Q: On the 193 page of the Investigation Record, is the posting on the defendant's blog the subject of "Why do I go to the brothel and buy a woman?"
2759 Answer: Yes.
2760 (Proof of the investigation report No. 238 of Investigation Record No. 13 in the Evidence List)
2761 Q: Is this the report of the investigation titled 'The original file of the intimidation document that the suspect was found on the OO computer?'
2762 Answer: Yes.
2763 Q: What is the content of this investigation?
2764 Answer: This is an investigation report on the time, file name, and file path created for the original text capture file found on this OO computer.
2765 Q: Isis.png, usa.png Meta information of file, information of file attribute information, and printouts of original text are attached.
2766 Answer: The attachments that follow are attached by Kim Kyung-hwan, an analyst who analyzes digital evidence, and I wrote the investigation report.
2767 Q: Are you handing it from an analyst and attaching it?
2768 Answer: Yes.
2769 (Proof of Investigation Report No. 15, Investigation Record # 258)
2770 Q: Is it true that the witness wrote the investigation report titled 'The White House homepage written by the suspect computer'?
2771 Answer: Yes, this is just the same thing as I mentioned before, with the fact that I received the data from the digital evidence analyst and attached the report.
2772 (Proof of Investigation Report # 401, Investigation Record # 25)
2773 Q: Is it true that the witness wrote the investigation report titled 'The suspect is checking the OO notebook time zone setting'.
2774 Answer: Yes.
2775 Q: Please explain the contents briefly.
2776 A: The description of the operating system in French language, the initial installation time of the operating system, and the time when the notebook was last terminated. 13. 20:47:18 and we started the 7. 13th light-duty search at that time and found the evidence file on the laptop and turned off the computer to see if the integrity was changed immediately, so the final shutdown time came out at 20:47:18 I will. On the next page you will see the time that you booted the notebook for the first time. On that day, on July 13th, it is time when this OO's computer was booted, and when we see the time, it comes out at 20:07, and we can see this time when we handed the laptop to the defendant's mother on the spot and turned it on. And it is usa.png which is image file related to crime which is found in notebook. The file creation time is 2015. 7. 8. 02:27, and when I run the image file, it shows the link file creation time and I took a picture of the notebook screen at the time to confirm that we did not change the image The camera I shot was Samsung SHV230S and the recording time is 20:47. It is the material that can prove that I took a picture right before the time I turned off the computer and turned off the computer exactly, and the last time I left the notebook on the next page was 20:47:18. After taking a picture, we can see that we shut down the computer immediately to ensure integrity. And this is International Standard Time, which explains that there was an error of -7 hours between France and Domestic time because Paris was using summer time, usa.png The date of the last access to the key evidence file and the date of access. It will be July 13, 20:42, UTC and July 13, 2015, UTC. Because the last time we saw and accessed the file in the field, the exact time of the seizure was 20:42. It is the investigation report that explains what is related to such a time.
2777 (Exhibit # 4 of Evidence # 25-2 on the Evidence List)
2778 Q: Is it true that the witness wrote "Google Chrome Capture Function Analysis, Analysis of White House Screening Screen"?
2779 Answer: Yes.
2780 Q: Is the witness actually testing the front page of the White House website? Contact us?
2781 Answer: Yes.
2782 Q: When I created a post using the full screen capture function associated with the Google Chrome browser and then captured it, did you notice that it was saved in the png file format?
2783 Answer: Yes.
2784 Q: Does the file name capture the url address and then capture time information automatically?
2785 Answer: Yes, it contains the captured time information.
2786 Q: And did you check the result screen when you click submit button?
2787 Answer: Yes.
2788 Q: What is the following?
2789 Answer: The defendant has also found five lists of photo files that were captured using Google's screen capture feature on his computer.
2790 Q: These files do not have a direct relationship with the subject, but are they still captured before the crime?
2791 Answer: Yes, you can tell that the defendant used the Google Chrome browser's capture function to capture it.
2792 Q: Have you captured screenshots of the White House homepage?
2793 Answer: Yes, I did it again when I finished capturing the screen that was on the captured screen.
2794 (Present evidence page 285, Investigation Record, page 465)
2795 Q: Is it true that the suspect is an investigation report titled "Cheong Wa Dae and the National Newspaper Articles Found on the OO Computer", which was written by a witness?
2796 Answer: Yes.
2797 Q: Here is a blue house .png file and a questionnaire report for two .pdf files. What is it?
2798 Answer: Blue House.png is the defendant's access to the Cheongwadae homepage. 26. Foreclosure Notice I received a civil defense training in Dongdaemun District this April. I went by taxi to the corner where I went by subway. It is a file that I wrote and wrote with the message "I will do the transfer from Mapo side in Goat."
2799 Q: We will have a one-person demonstration in the direction of Mapo Grand Bridge Yeoido. Please pay Civil Defense transportation expenses. 20,000 won "written on a lm box paper horizontally, hanging on a railing, I am bound by a nylon string on a railing alone, and I am planning to return home. The location is July 26, 2013. 26. Is this the place where the male representative of Sungjae period was sent by the representative?
2800 Answer: Yes, it was written that way.
2801 Q: Is this all found on the defendant's laptop?
2802 Answer: Yes.
2803 (Proof # 486 of Record # 30 of the Evidence List)
2804 Q: Is it true that this investigation is written by a witness? This is an investigation report titled 'Analysis of time information generated by capture using the Google Chrome browser capture function'.
2805 Answer: Yes.
2806 Q: What is the content of this investigation?
2807 A: When you use the capture function of the Google Chrome browser to capture the url information and the time after it comes up, the time is the time information of the capture and the time information is the number 143. If you decode it, It is contents that we can confirm domestic time information.
2808 Q: Is it true that you can decode the capture time information in the file name generated when you capture with the full-screen screen capture program using the Google Chrome browser?
2809 Answer: Yes, and I have tested it myself.
2810 (Proposition 971 of Record No. 62 of the Evidence List)
2811 Question: This is an investigation report titled 'Attorney's Statement of Contents (existence of job file on July 21st, 2015) and attached photo attached to this OO notebook.' Is this investigation written by the witness?
2812 Answer: Yes.
2813 Q: Is the text explaining that the defendant had a problem that the text file was written after the search?
2814 Answer: Yes.
2815 Q: Are the photos attached to the crime after the accused found on the defendant's computer?
2816 Answer: Yes.
2817 Q: Are the printouts attached to the investigation report that I have just verified to capture the original articles or photos posted on the Internet site, such as the defendant's blogs, or the information or material found on the defendant's notebook, ?
2818 Answer: Yes.
2819
2820 inspection
2821 Record 393. We will present the evidence list number 22-1.
2822 Lawyer
2823 I think this part is not written by the witness but sent from America.
2824 inspection
2825 I want to know how I got the evidence and where I got it to judge it.
2826
2827 inspection
2828 To witnesses
2829 (Provide evidence page 391 of the evidence list No. 22-1)
2830 Q: Is this a document titled 'Documents for expressing intention to punish the US government', is this the document received from the US government?
2831 A: I did not receive it, but I do not know that it was attached to it by Gwak Dong-kyu of the Ward investigation department at that time.
2832 Q: Does Gwak Dong-kyu directly received from the US side?
2833 A: I do not know because it is not attached to me.
2834 Q: Have you seen this document yourself?
2835 I have seen. I have seen ...
2836 Q: Is the witness unaware of the availability?
2837 A: Yes, I've seen it because I did an investigation with a broadcaster at the time, but I'm not sure how to get it.
2838 Q: Is the witness a police officer?
2839 Answer: Yes.
2840 Q: What is your position and rank?
2841 A: It is librarian Nam Sang Wook of Cyber ​​Security and Cyber ​​Investigation Department of Seoul Metropolitan Police Agency.
2842 Q: Is the witness involved in the investigation?
2843 Answer: Yes.
2844 Q: When was the investigation started?
2845 A: I do not remember exactly. In June of last year or about July, I was threatened by Ambassador Ripper. The letter was posted on the White House website of the US Embassy. We contacted the cyber security office of the US through the US Embassy. I started to investigate immediately.
2846 Q: Where exactly did you receive the investigation leads?
2847 A: The National Police Agency Cyber ​​Safety Bureau.
2848 Q: Is not it from the US?
2849 A: I know you are an American Embassy. We received a case from the main office and received it from the US embassy in the main office.
2850
2851 judge
2852 To witnesses
2853 Q: Is the US Embassy the US Embassy in Korea?
2854 A: I have been ordered by Cyber ​​Security Bureau of the National Police Agency.
2855
2856 inspection
2857 To witnesses
2858 Q: Is the witness received from the Cyber ​​Security Bureau and does not know exactly when and from whom it was received?
2859 Answer: It 's right that I got it from Safety Bureau.
2860 Q: Do not you know where you got it from the US?
2861 A: Yes, I do not know exactly.
2862 Q: Do you know the name and position of the person who provided the investigation lead directly from the US side?
2863 A: It is Kim Sung-hoon, the captain of the Cyber ​​Security Bureau International Cooperation Team.
2864 In this case, the date of publication of the "Obituary rape against the second daughter of US President Obama" is based on EDT (American Summer Time) applied on July 7, 2015 July 20, 2015) and the connection IP was confirmed as 124.197.152.74?
2865 Answer: Yes.
2866 In this case, "Mark Ripper," the publication date of the murder intimidation article 1 for US Ambassador to Korea, is based on EDT (Eastern Time) 7. 8. 02:26), and the connection IP was confirmed as 124.197.152.48?
2867 Answer: Yes.
2868 Q: How did you check each posting date and connection IP above?
2869 A: I also logged on to the White House homepage, and I received it from the police and handed it to us.
2870 Q: Please describe the reason why the defendant was identified as the suspect of each crime in this case.
2871 Answer: Once there was no clue except for the connection IP, I received a reply that I could not confirm the subscriber because I requested the subscriber information on Dongdaemun Cable TV Road TV with that IP.
2872 So, when we check the area where we can get the IP to check the subscribers, we can not remember exactly in Dongdaemun-gu, Seoul.
2873 We have heard that there is a possibility that it can be allocated from about 2, 500 households, and when we check the MAC address on the computer, we can find the investigation lead to the MAC address. I checked to the closest apartment complex I was assigned.
2874 When I narrowed it down, it was O apartment where I can check it, it was the defendant's apartment.
2875 I do not know how many apartments there are in the apartment, but if there are 20 floors, it is 20th floor because there are 20th floor and 20th floor. I have only recruited subscribers to Dongdaemun cable TV from 20th generation.
2876 I do not remember exactly, but it has been reduced to about 5 ~ 6 generations, and I had to look through 5 ~ 6 generations and I could not do that.
2877 I analyzed the crime trends and impersonated isis. I also impersonated the Korean foreign affairs staff from the phone number and e - mail address of the Korea Foreign Student Summer School.
2878 So a team of our investigation team was sent out to the outside world to check if there really is such a person, and there is no such thing there is a person who has a bad tendency to the outside world is not an optical investigation, I confirmed the propensity of.
2879 And there are two criminal intimidation articles: the first is the daughter 's intimidation to President Obama and the second is the intimidation to Ambassador Ripper that the second daughter of Obama, Natasha, is raped by anus.
2880 This can be seen as a bit of a kinky tendency of the writer, and the second is to threaten Ambassador Repert, whose weapon is called a nuclear weapon.
2881 I found a tendency that I could not imagine in a mental state, which is a little impolite. I checked the apartment tenant management card because I thought it was very likely to be an outside official in O apartment. So I think that the defendant goes to a foreign language university I confirmed that.
2882 So I checked the defendant's regular phone number, searched Google, and found ten defendant blogs.
2883 There was a criticism of the foreign ministry, and the reason why I criticized it was that my majors were changed and I was disadvantageous to my job. The second time I was raped by my ancestor, I saw a picture of him taking off his clothes, wearing panties and wearing a bucket, and checking his account to ask him to donate himself a little.
2884 I was criticizing many other foreigners, and after all that was the right thing, I applied for a seizure search warrant and got a warrant for seizure search at Seoul Central District Court.
2885 So I went to the house with a formal search warrant.
2886 The computer in the defendant's room was unused, there was a computer in the next room study, I looked at both computers and found nothing related to the crime.
2887 Then there was another room next to the kitchen, and the visit was locked, so I asked my mother to open the door and I knew that maybe I could have entered one.
2888 I went in and got a laptop and I saw that the computer language was in French so we did not know French so I had no idea what folder my computer was or what folder it was. When we checked the digital evidence analyzer, President Obama and two of the original captures of Ambassador Ripper were found immediately, so I suspected the defendant had written it, and then shut it down.
2889 It was probably about 20:42. I then disconnected the hard disk from the notebook.
2890 After we disconnected it, we connected it to the computer cloning equipment, then we had the original hard disk, reconnected the copy hard disk and cloned the same.
2891 When you make a copy, the hash value of the hard disk on the defendant's laptop is the same as the replicated hard disk.
2892 For example, a hash value is a tool for proving integrity. If the defendant's computer hash value is A, then the hash value of our copy hard disk will be equal to A.
2893 Then, in the state of A, if we do not touch the copy, we do the analysis in the same A state whether or not it is sealed.
2894 When analyzing a copy of computer A, there is a write-protect device, not just an analysis.
2895 Since the integrity of a computer hard disk is immediately broken when we connect it to the hard disk protector, no matter what I analyze by connecting the copy, the copy hard disk is not changed at all.
2896 And the file called Imaging is created as a file, and the file can not be changed.
2897 If it changes, if you change the hash on the hard disk of the copy, it will be changed to B instead of A.
2898 That's why the hard disk you image is the same as analyzing with the same original A anytime and anywhere.
2899 It was discovered, and we proceeded with the seizure search for four hours at that time, and the defendant was lying in his room with only panties and not at all until we went.
2900 I asked him, "Is this the right thing you wrote on your laptop," and then I drank a little and said, "I do not know at all. We talked that way, and we persuaded him for three hours, even though he was able to arrest an emergency at the time because of the destruction of the evidence and the reasons for it in the future.
2901 Q: Is the date and time of the seizure of the seizure on July 13, 1945?
2902 A: Yes, I would have probably started from then.
2903 Q: Was the confiscated lenovo B490 laptop computer, four hard disks, and a USB stick?
2904 Answer: There was a bit of a mistake, but I checked my laptop for evidence and immediately shut down my computer and immediately started imaging.
2905 I opened the imaging and sealed my laptop right away. Because the integrity was changed, I sealed it. When I sealed it, my mother wrote it, and I put my mother 's letter, we rolled it with tape and sealed it.
2906 There was a virtual machine program called VMware installed.
2907 If you do not have a computer notebook, then you may not be able to analyze it in the future, so we need the original, so the notebook is seized separately.
2908 Q: On the defendant's laptop computer, isis.png, usa.png, a file capturing screen captures of each blackmail?
2909 Answer: Yes.
2910 Q: Did the defendant confirm the source of each file shortly after the discovery?
2911 A: I asked, but I can not remember exactly whether you talked in the way that you downloaded it from the internet or you did not talk at all.
2912 Anyway, he denied that he did not.
2913 Because I received too many surveys, I did not know exactly what I said at the time, but I told him that I did not do it anyway.
2914 Q: I checked the creation date and time of each capture file. Was it confirmed within 1 minute immediately after each crime?
2915 Answer: Yes.
2916 Q: After I image the defendant's laptop, why did I confiscate the original because the original laptop computer needed to be analyzed?
2917 Answer: Yes, yes. This is because the virtual machine VMware was installed. VMware is a virtual machine computer, and now you have a computer in it, and you can create a computer to run multiple computers. If you have a computer in your computer, you can not leave any trace of it on this computer, but if you log in to the virtual machine again and enter it, it will crime the virtual machine and delete the related files for the virtual machine The need to analyze the machine has confiscated the original.
2918
2919 judge
2920 To witnesses
2921 Q: Because the defendant's laptop computer had VMware installed ...
2922 A: Yes, it was and was a forfeit.
2923 Q: Is it because the original reason for the confiscation of the original was that VMware was installed on the defendant's laptop computer?
2924 A: Yes, if you do not have a laptop, you may not be able to analyze it.
2925 Q: Why did you confiscate the original after imaging?
2926 A: I have an image and the file of the virtual machine is once again in the imaging file. The original notebook is required to run the file.
2927
2928 inspection
2929 To witnesses
2930 Q: After you confiscated the defendant's laptop computer, did you get confirmation from the Mo Kim OO of the defendant's Confirmation of Confirmation of the Confirmation of the Confidential Material and Confidential Information?
2931 Answer: It was not received by me, but analyst Kim Kyung-hwan received it.
2932 Q: Did you stay together at the reception desk?
2933 Answer: Yes.
2934 Q: After that, did you arrest the defendant in an emergency and arrange it in the office of the Seoul Metropolitan Police Agency?
2935 Answer: Yes. We did not do it in. We went with the broadcaster and us and once in.
2936 Q: Is there any fact that the defendant raped at the time?
2937 Answer: Yes.
2938 Q: How did you get upset?
2939 A: We had an investigation with us and the cybercrime detective. Inch was in the broadcaster 's office. We were not with the defendant. As you can see from the video attached, I heard that you have kicked your feet from the "Bring your chair from your boss" and you can see exactly how it got into the riot. The record is attached as a CD.
2940 Q: Who was the person who identified the situation at the time?
2941 A: I was an investigator at a broad-based investigation. The person who wrote the CD investigation report attached to the record probably would have taken it.
2942 In the analysis of the defendant's laptop computer, the e-mail address, Twitter address, and phone number of the case were listed, and the Korean ambassador said, "I will surely kill Ambassador Ripper, I will give you an anal rape. "Also, did you find a file called 's.txt' that contains the same content as the case of this case report?
2943 Answer: Yes, the intimidating text was written in English at the White House, but I found a text file containing the blackmail in Korean on the defendant's notebook.
2944 Q: The creation date and time of link files 'A0065359.1nk', _A0065518.1nk, 'A0065541.1nk' and 'A0065621.1nk' linked to 's.txt' file are all 2014. 9. 10. 16:59 , And the date and time of access were confirmed on July 7, 2014, at 14:57, 21:10, 21:19, 22:31.
2945 Answer: Yes.
2946 In addition, the defendant's notebook also includes photos of Ambassador Ripper and Kim Kyeong-jong, who have been terrorized, photos of Mr. and Mrs. Obama as monkeys, and Cheongwadae's homepage. Did you find a capture file that you uploaded?
2947 A: Yes, many photos were found. In particular, an article or photograph was found about the Kim Kyeong-jong case to threaten the Ambassador Ripper. The date and time the file was stored was reported by Kim Kyeong-jong. The defendant captured it and stored it. The date the file was last accessed, so the date it was read was almost immediately before the incident. I remember so.
2948 In addition, a small boy 'isis.jpg' file that combines shooting shot and armed robbery, a picture of a young boy shooting a prisoner with a gun, and a picture of our gallery, Did you find the 'ISIS Gallery.png' file?
2949 ANSWER: Yes, many photos related to ISIS have been found.
2950 Q: Did the defendant tell you that he or she synthesized the pictures and pictures of each file at the time of the police investigation?
2951
2952 Lawyer
2953 Your Honor, this part is not appropriate because we are asking the defendant's denial of the contents of the police investigation at the time of the investigation.
2954 inspection
2955 Because the Criminal Procedure Law has introduced the investigator testimony system, I think it is safe to hear how I made statements at the time.
2956 Lawyer
2957 I would like to say that it is not inappropriate to listen again to the content denied.
2958 judge
2959 Once this part is just ask.
2960 inspection
2961 To witnesses
2962 Q: I'll ask you again. Did the defendant state that at the time of the police investigation, he had synthesized photos and pictures of each file?
2963 A: I can not remember exactly because I did not see the suspect newspaper report now.
2964 Q: Also, did the defendant's laptop have a program called 'SuperHideIP' that allows you to change your IP once a mouse is clicked?
2965 Answer: Yes.
2966 Q: And did you find a capture file called 'IP address washing method .jpg'?
2967 Answer: Yes.
2968 Q: On the other hand, did you find that the defendant is running 10 blogs of blogspot, the Google blog?
2969 Answer: Yes.
2970 Q: In each blog, were the defendant's Citibank account number and the defendant's PayPal ID listed?
2971 Answer: Yes.
2972 Question: Did the defendant's blog reveal or condemn the complaints about Hankuk University of Foreign Studies, and the images depicting women and the bizarre situation?
2973 Answer: Yes.
2974 Q: Did the witness investigate the accused person during the investigation?
2975 Answer: Yes.
2976 Q: Did the defendant claim that he did not commit the crime at the time?
2977 Answer: Yes.
2978 Q: How did the accused describe the 'isis.png' and 'usa.png' files found on the defendant's laptop?
2979 Answer: I stated that I did not know at all.
2980 Q: What did you say about the source?
2981 Answer: I asked a few questions about the source, and I did not remember exactly because I made a different statement every time. I replied that I had captured and downloaded it from 4chan site and saved it or I did not know it at all.
2982 Q: How did the defendant describe the 's.txt' file?
2983 A: I just do not know ... I've been asking that a lot, but at first I thought it was the one I wrote, and then I did not answer at all.
2984 Q: How did the defendant tell us about the photos of the Ambassador Repertor, the photos of the Obama couple and the photos of armed robbers, etc.
2985 A: I think I talked about not knowing much about the questions I asked.
2986
2987 Lawyer
2988 In the bottom of the main newspaper, section 25, the defendant questioned that he had synthesized the photos and pictures of each file at the time of the police investigation, and that the contents of paragraphs 32 to 34 of the main newspaper were irrelevant Please indicate in the record that the complaint is filed.
2989 Lawyer
2990 To witnesses
2991 Q: Is it true that I have imaged the whole of the defendant's laptop and did not seal that part?
2992 Answer: Sealed.
2993 Q: Is it true that you did not seal the imaged file but the laptop?
2994 Answer: Imaging files are not sealed.
2995 Q: I asked if I did or did not.
2996 A: How do you analyze when you seal?
2997 Q: It has precedents and regulations. Where did you store the imaged file?
2998 Answer: We took one hard disk, cloned it, and brought it.
2999 Q: Did you seal that hard disk?
3000 A: Do not ask me that.
3001 Q: It is asking what the witness remembers.
3002 A: I do not remember much. Because I did not image it.
3003 Q: You do not remember if you sealed the hard disk?
3004 A: Yes, I remember I sealed the laptop ...
3005 Q: What was the role of the witness in the investigation?
3006 A: We participated in the seizure search, investigated the suspects, and almost everything was done. I do a little bit of research to help each other.
3007 Q: Have you ever seen a document requesting cooperation in the US?
3008 A: I have never seen it.
3009 Q: When I contacted the US Embassy, ​​I heard someone wrote a blackmail in an e-mail. Have you heard this story?
3010 Answer: No.
3011 Q: How many people were involved in the seizure and search?
3012 A: Five Cybercrime detectives, five forensic investigators. When I got there, my father told me to leave. So there were about 6 ~ 7 people in the place, but I did not know exactly and some went out.
3013 Q: Do you think six or seven people have been around?
3014 Answer: Yes.
3015 The witness explained the details of the process of tracing the defendant in advance, saying, "The clue only had an IP address, but it was difficult to find by IP address alone. I checked the subscriber on Dongdaemun Tibur Road, but I could not confirm it, so I made a request to the Mac address again. "
3016 Answer: You have checked your Mac to investigate with a Mac address.
3017 Q: Who identified the Mac?
3018 Answer: When IP is allocated from the carrier, IP and MAC are connected to the carrier. If you know the MAC of the IP you used for the crime at the time, you can do the investigation again with the MAC address.
3019 But that Mac did not come out correctly either. Anyway, I have a network switch, and I've finally assigned that IP ... So you have confirmed the last switch.
3020 Q: Is it confirmed that you have three sets of equipment?
3021 Answer: Yes, I have to explain the connection ...
3022 Q: When the attorney heard this, the witness first asked for the Mac address and asked the carrier to recall the Mac address.
3023 Answer: To investigate with a Mac address ...
3024 judge
3025 I heard that I wanted to know the MAC address, but I do not know it.
3026 witness
3027 Yes, that's why we proceeded with the investigation.
3028 judge
3029 To witnesses
3030 Q: In the end, you did not check your Mac address?
3031 Answer: I understand that you tampered with the Mac.
3032 Q: At that time, at first ...
3033 A: I can not confirm it right away.
3034 Lawyer
3035 To witnesses
3036 Q: Is it about collecting digital evidence, and what experts have participated?
3037 A: The analyst Kim Kyung-hwan participated and I participated. I had to undergo a little bit of analysis. I have a license to analyze digital evidence.
3038 Q: During the seizure process, was the digital evidence analyst one of Kim Kyung Hwan's analysts?
3039 A: Yes, but I was not an official digital evidence analyst. While doing the investigation ...
3040 Q: Witnesses also have that knowledge?
3041 A: Yes, I did it.
3042 Q: So, at the time of the seizure, did two or more people have expertise in digital evidence?
3043 Answer: Yes.
3044 Q: What did the related equipment bring?
3045 Answer: I did not get a hard disk replicator and ... I think you should ask Kim Kyung-hwan, but I only took the warrant.
3046 Q: What is the process of identifying the date and time of White House intimidation during the investigation?
3047 A: Our International Cooperation Team of the National Police Agency told us that this was the case at this time ...
3048 Q: Do you not know how the team works?
3049 Answer: I do not know exactly.
3050 Q: I found a picture of a blackmail on the defendant's laptop, was it the time of the confiscation, or is it afterwards?
3051 A: I did not discover it first, but I know that Kim Kyeong-hwan or Kim Jin-kwang, one of the investigators, found it.
3052 Q: You were discovered at the time of the seizure?
3053 ANSWER: Yes, I just found a picture, shot it on my phone and shut down my laptop.
3054
3055 -------------------------------------------------- --------------------------------------------------
3056 -------------------------------------------------- --------------------------------------------------
3057 -------------------------------------------------- --------------------------------------------------
3058
3059 A: The 4chan site is USA, so we can not verify the subscribers.
3060 Q: Did not you know who posted it?
3061 Answer: Yes. But ask Kim Jin-kwang again for this question.
3062 Moon: Looking at the flow of investigation, it's like ...
3063 A: I remember that there was such a situation, but I do not know exactly, so I can ask Kim Jin-kwang.
3064 Q: Who wrote the seizure?
3065 A: There must be an author of the seizure.
3066 Moon: Lieutenant Kim Sang-guk, Lieutenant Cho Yong-woo is like this ...
3067 Answer: Yes.
3068 Q: Witnesses were with you at the time?
3069 A: Yes, I was with you. I can not do everything because I work in the office while doing the division of labor.
3070 Q: In the confiscation list, the confiscation of the defendant's laptop itself is listed, but the imaging file for the defendant's laptop imaging is not on the confiscation list, do you know?
3071 A: I did not know it because I did not write it. I know that I need to write a notebook imaging number 1 on the serial number.
3072 Q: Anyway, is it obvious that the laptop imaging was done at the time of the search?
3073 Answer: Yes.
3074 Q: How many hours did it take?
3075 A: You can ask Kim Kyung-hwan, a digital evidence analyst.
3076 Q: Because I have experience analyzing digital evidence, I'll ask. What does hash value mean in digital evidence collection and analysis?
3077 Answer: MD5 and SHA1 are one of the functions for proving integrity. For example, if you put this stuff into this hash function, you get some specific result. But it is not an inverse function. For example, if you put a file called A and B into a hash function, you will get a certain unique value, which means that if the unique value is the same, it is the same information. So if you turn the hash value of the hard disk in the original and get A, and you get the A by rotating the hash of the hard disk that replicated the original, you can prove that the original and replicated hard disk information is the same.
3078 Q: Do you see that digital evidence is in a specific state at the time you generate the hash value, and then do you assume the integrity and authenticity of the original until it is examined by the court?
3079 Answer: The question is ambiguous, not a specific state ...
3080 Q: I'll ask you a little bit. When I image the defendant's laptop and get the hashed value, the defendant's laptop is at that point in time, right?
3081 Answer: If you run a hash function on a file named A instead of a state, you will get a specific result. Whenever it does, the same result is produced, not the state at that point ...
3082 Q: The hash value is telling you when the first was created.
3083 Answer: Yes, that's right.
3084 Q: What is the point of creating the integrity of a file at a particular point in time?
3085 Answer: Yes.
3086 Q: After that, of course, you can come up several times, and I'll tell you when it was first created.
3087 A: I do not understand the question.
3088 Q: When I image the defendant's laptop, is the state of the defendant's laptop at that time imitated as evidence in the court?
3089 Answer: Imaged files can not be changed.
3090 Q: Is it still maintained?
3091 A: I guarantee that my police will not change until I send them to the prosecution. But after that, I do not know.
3092 Q: If you look at the notebook imaging file at the court, the file we're looking at is the same as the file at the time the witness did the imaging at the time of the seizure?
3093 Answer: Yes.
3094 Q: Is it fixed at that point?
3095 Answer: Yes.
3096 Q: So is not the hash value guaranteeing the integrity of the earlier steps we collected in the first time we collected the confidential search?
3097 Answer: Because it is the hash value at the time of imaging ...
3098 Q: From then on, to guarantee integrity, not to guarantee the integrity of the old, right?
3099 A: Yes, it does not make sense.
3100 Q: So, if someone logs out a hash after logically manipulating the computer, does not it provide information about the operation or operation before the hash value is created?
3101 Answer: Of course.
3102 Q: At the time of the seizure, was the defendant's notebook turned off?
3103 A: I do not remember exactly. That's not what I brought ...
3104 Q: I turned on the notebook and said that I saw one or the other.
3105 A: I can not remember exactly because my mother brought me something in the other room. We could not get in that room.
3106 Q: The seizure start time was around July 13, 2015, and the power of the notebook was turned on and off from July 13, 2015 to 20:47. The laptop was on for about 41 minutes. What did you do on the laptop at this time?
3107 A: At that time, I did not work, and I would probably have been working on finding analysts and files.
3108 Q: Did you write protection at that time?
3109 A: I did not do it then.
3110 Q: In the process of looking at the defendant's laptop, did he / she guarantee the right of the defendant or the defendant's parents to participate?
3111 Answer: It was said.
3112 Q: Who did you ask to see?
3113 Answer: I do not know that, I talk to you again ...
3114 Q: Did you talk to the defendant?
3115 A: Yes, I keep coming and going now ...
3116 Q: Have you ever taken a video of a defendant's laptop or imaging process?
3117 A: It might have been done by a broadcaster, but I do not know exactly. Oh, I tried to shoot it, but I can not, so why do I just shoot my house?
3118 Q: Who has not let me?
3119 A: I do not know if they were parents or defendants who were there, but I strongly resisted them and I would have taken our picture there. If you look at the mobile phone, there might be some videos that we took pictures of. And then he just threw something at us and made it a bit harder. In the case of Kim Kyung-Hwan, the analyst would have been hit.
3120 Q: When I said that I needed an original copy of VMware for the reason why I confiscated the defendant's laptop, would not it be necessary to have a laptop if the program that runs VMware is on another PC?
3121 Answer: No. Depending on the version, it may not work.
3122 Q: Can I check the version in the imaging file?
3123 A: It was not a situation where you could do it on the spot, and if you wanted to drive it ...
3124 Q: It is technically possible to ask. Is it possible to have a program that can run VMware on another PC even if it is not a defendant's laptop?
3125 Answer: It is possible but not 100% guaranteed. So there were many cases where we were not able to drive properly.
3126
3127 judge
3128 To witnesses
3129 Q: Is it common to have the notebook itself confiscated after imaging files?
3130 A: If we are confiscated, we will do all the confiscation.
3131 Q: Do you confiscate the imaging files as well as the notebook itself if you are in confiscation?
3132 A: Yes, because it is a laptop used for crime.
3133
3134 Lawyer
3135 To witnesses
3136 Q: Did you say the witness took the seizure search warrant?
3137 Answer: We took it from our team.
3138 Q: Have you read it?
3139 Answer: Yes.
3140 Q: If you look at it, it is stated that "the original that has been taken out will be opened and reproduced with the participation of the intruder, etc. and returned without any delay, but not exceeding 10 days from the original date of export unless there are special circumstances" Why did not you return it?
3141 Answer: Computers have a very important time relationship in the evidence of digital evidence analysis. At that time, we analyzed the digital evidence analysis of the seized material to confirm the creation and access times.
3142 Last but not least, you can change your laptop's CMOS (cmos) time accordingly. There is an error depending on the time of the CMOS.
3143 So what if my laptop is at 1 o'clock, but the current time is 1: 5?
3144 We need to check the error in time. We need a laptop to check the error. We can return it before we send it to the last time. We asked our attorney and computer to turn on and check only the error with the defendant. Probably will be in the investigation report.
3145 So the prosecution has to check it out, it can not be sealed.
3146 So I know that the prosecution has confirmed the exact time information after taking a video of the whole process of releasing and releasing it. So it's been over a week.
3147 Q: What did the witness know to return?
3148 Answer: Yes.
3149 But you did not return, right?
3150 Answer: Yes.
3151 Moon: White House Contact us Write on the web page and select "Thank you!" Was there a picture on the defendant's notebook that captured the screen to write the previous post?
3152 A: I do not understand.
3153 Q: I have a screen that I'm writing before submitting. When I submit it, I get a screen saying 'Thank you!'. Can not these two screens exist at the same time?
3154 Answer: Yes.
3155 Q: Do you have a picture of the screen after the last submission of the statement "Thank you!" On the defendant's notebook?
3156 Answer: Yes.
3157 Q: Then you should have a screenshot of the scene you're writing in. Have you seen it?
3158 Answer, isis.png and usa.png are being written and Thank you! Screen and combine ...
3159 Q: It's a composite, is not it?
3160 Answer: Yes. Perhaps you have not found what you are writing. It did not exist because it was edited and made into a png file. Maybe, if you can explain it.
3161 Q: You said that five files were found on the defendant's laptop using Google Chrome, remember?
3162 Answer: Yes.
3163 Q: In the first post, I do not have a caption of an isis.png file that says I will rape my daughter, do you know why?
3164 A: That's probably what you see in the investigation report, but if you capture and delete it and then change the filename or the file does not exist, or if you capture it using the Google Chrome browser's incognito mode, There are many technical ways that you can and can not keep up with many things.
3165 Q: But what about the file 'Thank you!', What happened?
3166 A: I can not tell you that because I have nothing to do with the evidence, it's because I want to leave it and I want to keep it.
3167 Q: Is that technically possible?
3168 Answer: Yes.
3169 Q: You did not find any traces of access to the White House on the defendant's laptop?
3170 Answer: I did not find it at all.
3171 Q: By the way, 'Thank you!' I have found that I captured the part, how should I explain it?
3172 A: If you use the Google Chrome browser's incognito mode, the Internet connection itself will not be saved as a file at all. It will only be saved as a cache, but it will not be saved as soon as you close the web browser. I will.
3173 Q: As the witness has just testified, it would be nice to have no screenshot of 'Thank you!' ,
3174 A: That means you do not have a record of your Internet connection and you can leave a capture file.
3175 Q: After the capture file, the number is actually a Unix number, so you can log in to Google Chrome to get information on when you captured it, but the witness does not have an article written right now and it probably does not capture it in Google Incognito mode. You just did. That's why I do not ask you to leave the "Thank you!" Section in incognito mode.
3176 A: Internet access records and captions are completely different.
3177 Q: Why do not you leave a screenshot called "Thank you!" In response to an incognito answer saying that you may not have a captured file.
3178 Answer: The defendant remains on the defendant's computer because he has captured and saved it.
3179 Q: So it is possible that you have to do it in the same conditions that you captured before that ...
3180 Answer: If you do not want to leave, you can not leave.
3181 Q: Then you can find the erased trail? Now that I've imaged the defendant's laptop, I'm not just looking at it, have I removed the deleted file?
3182 Answer: When I go into incognito mode, I have worked and can not restore it. Why did Google create incognito mode? I have tested it myself.
3183
3184 judge
3185 To witnesses
3186 Q: Did you know whether the defendant used incognito mode?
3187 Answer: It can not be confirmed. Google has made the feature available to you when you're trying to do it in secret, and of course you can not tell whether or not you used it.
3188
3189 Lawyer
3190 To witnesses
3191 Q: When I go into incognito mode, I do not think the capture screen should be saved.
3192 Answer: No. Saved is that the internet connection is stored in the index.dat and various computer hard disks, and the connection record is not stored. In the case of the captured file, it is possible to store it anywhere in the desired location, The captured files are completely separate.
3193 Q: Did the witness confirm the blog posts that the defendant usually wrote?
3194 Answer: Yes.
3195 Q: Have you seen any criticism of Kim Kyeong-jong about the case of Repert's ambassador in the defendant's blog post?
3196 A: I do not remember everything right now. I only remember what I said before.
3197 Q: I do not remember?
3198 Answer: Yes.
3199 Q: I had an emergency arrest of the defendant at the time, but was there any reason for the emergency arrest?
3200 A: Because I did not do it, I would look at the reasons for the arrest.
3201 Q: I do not have a reason for an emergency arrest, so what do you ask?
3202 A: Why is not the reason written? You have to write down your reasons for getting an emergency arrest proposal.
3203 (Suggesting an investigation record, page 455)
3204 Q: The reason for the arrest has been listed all the time. Please write down the details according to the reason for the emergency arrest. That's it. do not have.
3205 A: I did not write it, but at the metro ... Oh, that's what you said about the notice.
3206 In the notice, we wrote the reason for the emergency arrest for the approval from the prosecutor's office without writing the reason, and is not the suspect notified to the suspect when the emergency arrest occurs?
3207 Because it is putting in notice, it is because it is because it is very simple to summarize the fact of crime.
3208 That is not what I wrote. Do not ask me.
3209 Q: Who wrote it?
3210 Answer: There will be a writer.
3211
3212 judge
3213 Is there an emergency arrest warrant?
3214 witness
3215 Yes.
3216
3217 Lawyer
3218 To witnesses
3219 Q: Is there a reason listed there? Not on record ...
3220 Answer: Yes, detailed.
3221 inspection
3222 An Emergency Arrest Form with detailed description of the reason is available.
3223
3224 Lawyer
3225 To witnesses
3226 Q: The witness did not write the confiscation list?
3227 Yes, I did not write it.
3228 Q: Do you know who wrote it?
3229 A: Then several people are working on it ...
3230 Q: What are the threats and screen capture files that the defendant claims to have downloaded and that the witness or investigating agency believes that the defendant has written and captured it?
3231 Answer: Yes.
3232 Q: If I download a screened file and save it on the defendant's laptop, is it possible that it exists in the same format as the one captured by the defendant's laptop as the witness verified?
3233 A: There are two ways. Probably Kim Jin-kwang will test it and have an investigation report because of 4chan.
3234 If you click on the original file to download it, it will be downloaded. Otherwise, if you click on the original file, the image file will pop up and you can download it with right mouse click.
3235 That is another report from our investigation. I did not test it ...
3236 Q: Is there a file name that might be the same as the one you captured?
3237 A: I do not understand. Again only a description ...
3238 Q: If I downloaded the defendant's laptop, I just analyzed the file name just like the one I captured on the defendant's laptop, can it exist with the same file name?
3239 A: You should be in the record. Ask Kim Jin-kwang because I have not tested it.
3240 Q: Do you not know the witness?
3241 Answer: We have tested and simulated in the investigation report.
3242 Q: The time order is the time the defendant posted on the White House, the time they saved on the laptop after the screen capture, and the time they posted on the site 4chan.org?
3243 A: If it is so in the investigation report, it will. Because I can not remember correctly now, I made a table, and I look at it.
3244
3245 Lawyer
3246 I will present evidence. I present one or two of the fifth certificate.
3247 judge
3248 What is the source?
3249 Lawyer
3250 This is what the defendant's brother searched on Google after he had been arrested after the incident.
3251 If you look at the same thing on Google ... you know, but you searched on Google.
3252 Here you see 'dear. Mr.president Obama, Mrs.first lady Mishelle ', and the time it was found that this article was written is posted on 4chan site on July 7, 2015. 7. 07:24:52.
3253 inspection
3254 How can I confirm that this is the same as this article?
3255
3256 Lawyer
3257 To witnesses
3258 Q: If you see below, 'Hi I'm sufs student from Seoul' because some part of the post is behind it?
3259 It seems that the article is the same, but the time zone is quite different now.
3260 The time is 07:24:52 AM. Now, the time to write the article is July 7, 20:20.
3261 By the way, the time posted on 4chan site is July 7, 2015, 07:24:52.
3262 A: In our investigation report, we have captured the exact time on 4chan site.
3263 That's precise, because it's from a Google search, so you can not tell exactly what time it was on Google or 4chan.
3264 Q: If you saved it from Google, is it any time sooner than we know it?
3265 Answer: There is no guarantee for low-time information.
3266 Q: Witnesses have never seen this?
3267 Answer: Yes. There is not. And whether it is US storage time, domestic storage time ...
3268 Q: For the second article, it looks like it was written on July 7, 2015. Did you know that the 4chan site time that the witness checked was stored in domestic time when posting in Korea?
3269 A: Ask Kim Jin-kwang, the investigator.
3270 Q: Do you not know the witness?
3271 Answer: We have posted the post on 4chan site and we have the current time and the test time. That's exactly what we tested. If you look at it, you can check whether the 4chan site has domestic time or US time.
3272 Q: Have you ever checked your time zone separately?
3273 A: Yes, I have not done it, so I can not tell you exactly.
3274 Q: Did you say that the defendant used a program called SuperHideIP, an IP change program?
3275 A: It's not a confirmation, it's a program that was installed. It was discovered.
3276 Q: Are there any facts that have been analyzed that the last approach was made on June 6, 2015, before the date on which the blackmail was written?
3277 Answer: The file was found, the date the file was first saved, and the date the file was last accessed.
3278 Q: I analyzed it as the last access on June 6, 2015. Is it possible to interpret the IP as having no change since then?
3279 A: It may or may not have been because there are too many technical methods, which I do not know exactly.
3280 Q: Because the witness did not see whether the defendant wrote the program or not, but after all, did you look at the defendant's laptop? Is there a similar program in the program that changes the IP found this one?
3281 A: You can not see the whole thing. When we analyze ...
3282 Q: Do you have to search and search? So, what was the one that was discovered in connection with the IP change program?
3283 Answer: Yes.
3284 Q: Did you investigate the router?
3285 A: I heard there was a router, but I did not investigate.
3286 Question: Do you think that the defendant's notebook imaging file was the first image of the notebook file, or was it replicated again?
3287 A: Because I did not analyze it ...
3288 Q: What did you do to replicate that day?
3289 A: Did we bring the clone?
3290 Q: Who took it?
3291 A: The analyst Kim Kyung Hwan should have brought it.
3292
3293 -------------------------------------------------- --------------------------------------------------
3294
3295 It seems that the time has changed to Korean time in the process of being seated.
3296 Answer: The analysis report is the final one, and we have to investigate a little bit before we start the analysis.
3297 So I took the printout, put it in the investigation report, and made a note when I checked it out. How do you investigate having a fully written report?
3298 Q: The decisive reason for suspicion that the defendant wrote the blackmail was that the capture file that was left on the defendant's notebook was created about a minute after it was posted on the White House?
3299 ANSWER: When I was threatened, however, I wrote two blackmails on the White House website in English, which was in the S.txt file written in Hangul and the summer @ hufs You said you stole your .ac.kr email and phone number? Maybe that phone number and address were in the s.txt file and ...
3300 Q: Witness, I tried to ask this, not many charges. Was it one of the decisive proofs that the creation time of the capture file was one minute after the article was published?
3301 Answer: There were many things.
3302 Q: What is the difference between the time the article was posted in the White House and the time the capture file was stored on the defendant's laptop,
3303 A: It's not an analysis, but an objective fact ...
3304 Q: How did you know when the post was posted on the White House?
3305 A: You asked us that, but we have only received data from the international team.
3306 Q: I think the one minute car will be a very important basis, right?
3307 Answer: Yes.
3308 Q: Then I ask you in terms of whether the investigation should be done enough about time.
3309 I have to be specific from the time it is posted on the White House, but the time posted on the White House is probably the time that the person administering the White House homepage gave me, and that time could be time lag in the end?
3310 A: When we told it, we were GMT + 9? The United States has several times, including Eastern Time.
3311 I'm not exactly sure if we are Eastern Standard Time for letting us know what the error is, but it probably will.
3312 It calculates the time and the error, and when domestic time is converted into Korea Standard Time, it is time to calculate the exact time and the IP connected to the time is Dongdaemun Cable TV ...
3313 Q: I do not ask for the calculation method. For example, if this computer now has 16:00 on the front of the laptop, is there any error in that?
3314 I'm looking at it. There may be an error in the time given by the White House, and there may be an error in the time when the witness etc.
3315 So I'm asking how the time difference can be determined to be one minute.
3316 Answer: Because we are made by objective data, we have confirmed that we know the time we have stored on our computers and the time we have been threatened.
3317 Q: Do you know that there is a program that can change the date of creation of saved files?
3318 Answer: Yes.
3319 Q: I have a couple of things, but can I use a program like SetFileDate to change the creation date of a saved file?
3320 Answer: Yes.
3321 Q: Is it possible that the defendant 's notebook has changed so much?
3322 Answer: Not all computers, as well as the defendant's laptop, are capable of such manipulation. However, when you analyze the MFT, the information about the time is stored in various ways. If you analyze MFT's standard information information and file name information information and analyze that the information is different, you can check whether the time has been manipulated or not, whether the file name has been changed.
3323 Q: Did you check it at the time?
3324 A: I did not check at the time.
3325 Q: When the MAC address of the router is changed, is the dynamic IP connected to it also changed?
3326 A: It may or may not appeal, but it is the policy of the telecommunications company.
3327 Q: Did the witness verify the MAC address corresponding to the IP address associated with this case during the investigation?
3328 Answer: Yes.
3329 Q: Is it a witness?
3330 A: I would have done it together.
3331 Q: What was the result?
3332 A: I put it in the comments, but the contents of the mac are too complicated, so I think I should look at the written statement. I do not remember exactly now.
3333 Q: Have you found any signs of changing the MAC address of the router on the defendant's laptop?
3334 A: The digital evidence analyst found it.
3335 Q: Is the witness unaware of this part?
3336 Answer: I heard that there is a trace of change that I am not familiar with.
3337 Q: Does the analyst in the role of analyst only do the analysis, or did he conduct additional investigations besides analysis?
3338 Answer: I just did analysis.
3339 Q: According to the results of the analysis, was the witness doing any further investigations?
3340 Answer: What is the additional investigation?
3341 Q: For example, if you find a trace of a change in your mac address, I would ask you if you needed to check the defendant's router, did not you?
3342 Answer: The MAC address is the manufacturer of the first six digits, and the manufacturer assigns the last six digits of the MAC address. We have probably seen a counter-report of the defendant's comment on the mac address, but if the manufacturer makes a random change to it I can not do the investigation anymore.
3343 Your lawyer tells you that if the mac has been changed, and if you have not done any further investigations about it, there is no clue that you can investigate anymore if mac has changed that way.
3344 Q: I asked if I needed to check the defendant's router.
3345 A: When we did the transcription, the digital evidence analysis was at the end, and I have to hand over the suspect's recruits to the prosecution office tomorrow. What do you do?
3346 Q: Did you mean you could not do it on time?
3347 Answer: Yes.
3348 Q: There was a trace of changing the MAC address on the defendant's laptop, and there was analysis that released the log record at the time of the crime, remember?
3349 A: I told you I did not do it.
3350 Q: Do you know this by Kim Kyung Hwan?
3351 Answer: Yes.
3352 Question: According to the statement of witness submitted by the witness in relation to the mac address, there are several mac addresses that are not confirmed by the manufacturer. If the maker changes to an unconfirmed mac address, Go?
3353 Answer: I do not know the carrier policy, so I can not answer exactly, I know it is not.
3354 Q: Do you know that if you change to an unconfirmed mac address depending on your carrier policy, Internet access may be restricted?
3355 ANSWER: Yes, there is a case where the switch is allowed to access the internet when only a certain MAC address is connected, which is called NAC. If you do not set this policy, you are allowed to connect from the internet regardless of the MAC address. This is the carrier policy. There are two technologies on the switch that can or may not be blocked.
3356 Q: I know that if you change your router or MAC address arbitrarily, you may be restricted from accessing the Internet. Do you know? For example, have you ever heard of such cases in Windows 7 or Windows 8?
3357 Answer: Not at all. However, if you change the mac address, there is no problem with internet access.
3358 Q: Is there any problem with the computer?
3359 A: Yes, it takes less than a minute and you can do it right away.
3360 judge
3361 To witnesses
3362 Q: I have a question about the defendant's question. "I wrote on the White House Contact us webpage, and I found 'Thank you!' In response to the question "Did the defendant have a picture of the screen capturing the screen before writing the screen?", The witness said, "No one was writing, because it was edited and made into a png file." I have an answer, please tell me about it again.
3363 A: The screen you are composing and the screen where you have completed the 'Thank you! 1' screen was synthesized as a png file, but the screen you were composing was not saved and only the pictures that were composited were correct . But it's technically possible to synthesize it.
3364 Q: Please explain how technically possible.
3365 Answer: Take a picture of A with a capture tool such as Paint or Snap-in, capture a picture of B, put B under A, select the file again and save the file as a different file.
3366 I will explain it again. When you capture the screen you are creating with the Google Chrome browser, you will see the url address and the time next to it.
3367 Then, when you save it to the defendant's computer in that state, click the right mouse button and save it under the same name.
3368 Then, when you capture the screen 'Thank you!', You will see the url address and time information at the top and 'Thank you!'.
3369 And if you save it under a different name, it will be saved on the defendant's computer.
3370 However, technically you can right click on the 'Thank you!' Screen and save it to your computer. You can take the first screen without saving it, and then use the Paint or other capture tool If you save this file as usa.png or isis.png, you will not be able to save the first image you created, and the second image will be saved You can save only the final result at the end.
3371 Q: I was wondering if it was possible technically, but you answered with the idea that it is possible?
3372 Answer: Yes.
3373
3374 inspection
3375 To witnesses
3376 Q: I heard that the screen of the writing on the defendant's notebook is not found, but the relevant screen is not found, and the capture file of the process of posting on the White House site is found.
3377 A: Yes, it does not matter, but I do not know exactly what happened before in June, but before that I had a copy of the White House story that I was capturing and capturing.
3378 If you are writing a webpage, you will see a wave in Internet Explorer, Google Chrome, Safari, and spelling. If you're writing on the White House website, Due to the law of alignment, a tilde appears at the bottom of the English alphabet.
3379 If you look at it, you can see that it is a screen that you are writing. I captured it and kept other articles, but I do not remember it correctly. I think it was related to black slaves at that time.
3380 Q: In regards to the reporter ambassador threatening text, did you also find a separate screen capture of only the result screen "Thank you!"?
3381 Answer: Yes.
3382 Q: I heard that the defendant posted the file on 4chan earlier than the defendant posted at the White House. Did you confirm this in the police investigation?
3383 Answer: Yes.
3384 Q: Did you find that a capture file with the same contents as the intimidation of this case was posted on 4chan site at the time?
3385 Answer: Yes.
3386 Q: The capture files found at 4chan site at that time were posted earlier than the date of creation of the crime-related capture file found on the defendant's computer.
3387 A: I do not remember exactly.
3388 Q: By default, when you use the internet through an ISP like Dongdaemun Tibur Road, is the IP assigned by the carrier?
3389 Answer: Yes.
3390 Q: How many IPs can be changed by turning the computer off and on, or changing the Mac address randomly?
3391 Answer: Yes.
3392 Q: In the case of Dongdaemun Tiburdo IP, which is used in this case, I do not want the IP to be assigned to a specific user for a certain period of time and use only that IP, but then the IP will be changed.
3393 Answer: Yes.
3394 Q: I do not know whether SuperHideIP was used, but how can I change IP even if SuperHideIP is not used?
3395 Answer: Yes.
3396 Q: Did you find a program on the defendant's computer to change the file's creation date?
3397 Answer: None at all.
3398 Q: Is it possible that the defendant changed the creation date of the capture file stored on his computer to the date and time of the crime of this case by confirming the time of the crime?
3399 A: If you are a suspect, do not you need to change? I do not need to change the time on my computer, even if I change the IP to conceal it. I can not be certain who I am. So even if you try to hide your IP, you do not need to change the file on your computer.
3400
3401 Lawyer
3402 To witnesses
3403 Q: The second file 'Thank you!' I found that only the part of the captured file was found, the second threatening 'Thank you!' How do you know if it's a part?
3404 Answer: Maybe in time ...
3405 Q: Is it specific in time?
3406 Answer: Yes.
3407 Q: You do not know what you wrote?
3408 A: Yes, I do not know what it is, but what I am writing ...
3409 Q: Thank you! Even after writing a different article, it can exist at the same time.
3410 Answer: That's possible.
3411 Q: And have you ever seen the "Rules for the Collection and Handling of Digital Evidence", which is a Witness Ordinance?
3412 A: I think I've seen it.
3413 Q: Here are the details of the procedures for seizure search and the request for analysis, and I will ask if I have kept the procedure.
3414 I did not refuse to shoot the seizure process, and I have to take measures such as the identity of the digital evidence, such as the storage seal, and the proper method of not having a reasonable suspicion of integrity.
3415 Answer: We sealed the notebook.
3416 Q: I have to ask Kim Kyung Hwan. You said you did not know if you sealed the hard disk you were imaging before?
3417 I asked the analyst to analyze the digital seizure. According to the analysis result report, the analyst was a witness.
3418 A: Because I'm the same team, I could do it, or someone next to me could do it.
3419 Q: Do you think you made an analysis request on July 13, 2015?
3420 A: I did not go to the scene from the beginning. I do not even ask for it.
3421 Q: Is not there a formal request for a separate request?
3422 A: Yes, I went to the scene together.
3423 Q: When the analysis request is made, the analyst has to send the original or duplicate of the digital seizure in a container that can be safely stored so as not to be damaged by shock, magnetic field, moisture and dust.
3424 Answer: It is because I confiscated analytical data from other crime scenes and submitted it to the Digital Evidence Analysis Office of the Cyber ​​Crime Investigation Department of Seoul Metropolitan City, so I have to do such a thing in the course of the process. At that time, This is not what we do, because the digital analyst in the field is doing it.
3425 Q: Is it the right thing to take in such a container?
3426 Answer: Ask your digital evidence analyst.
3427 Q: Do you not know the witness?
3428 Answer: Yes.
3429
3430 judge
3431 To witnesses
3432 Q: In the end, I think it is the intent that the witness is handed over to the digital witness analyst on the spot, right?
3433 Answer: Yes.
3434
3435 judge
3436 I will finish the witness newspaper about the witness Nam Sang Wook.
3437
3438 Witness newspaper report (part of the eighth trial)
3439 Event 2015 Torture 4685 Threatening
3440 Name Kim Jin-kwang
3441 Date of birth December 5, 1976
3442 Housing 305, Hyundai Apartment 1-dong, Cheongryangri, Dongdaemun-gu, Seoul
3443
3444 judge
3445 If a witness asks whether he or she falls under Article 148 or Article 149 of the Criminal Procedure Act and acknowledges that he / she does not fall under this clause and explains that he / she can refuse to testify if he / After warning the punishment, he stood as a separate line and made him swear. The next witnesses did not finance it.
3446 The contents of the newspaper about the witness are the same as the recording file of the court recording system (original number 160321162216).
3447 March 21, 2016.
3448 Hwang,
3449 The judge (doctor)
3450
3451 A statement on the testimony veto notice
3452 1. A witness may, if he / she has any of the following reasons, deny his / her testimony to the presiding judge by calling for reasons for refusal.
3453 end. If a person who has a relative or relative with a witness or a witness, a legal representative, or a supervisor is found to be subject to a criminal prosecution or a complaint or convicted (Criminal Procedure Act, Article 148)
3454 I. If a witness is in such position or in such position as a lawyer, a patent attorney, a notary public, a CPA, a tax accountant, a taxpayer, a doctor, a doctor, a dentist, a dentist, a pharmacist, a midwife, a midwife, a nurse, (The Criminal Procedure Act, Article 149)
3455 2. In addition, a witness may refuse to testify if he or she finds that there is a reason similar to that of paragraph 1 of an individual or specific newspaper after the oath.
3456 3. If a witness does not expressly deny the testimony or give false testimony to a newspaper article that has the right to veto testimony, he / she shall be held liable for perjury please.
3457 Witness Kim Jin-kwang (sign) or signature (handwritten signature)
3458
3459 Oath
3460 According to the conscience,
3461 In fact,
3462 If there is a lie
3463 To be punished for perjury
3464 I am a wanderer.
3465 Witness Kim Jin-kwang (sign) or signature (handwritten signature)
3466
3467
3468
3469 Recording book (main point)
3470 Case No. 2015 High 4685 Date 2016. 3. 21. 14:00 Remarks (None) Please submit a transcript prepared in accordance with the provisions of Article 38, Paragraph 1 of the Criminal Procedure Rules.
3471 1. Attachment: Witness newspaper recording of Kim Jin-kwang (total face: 19 pages) 1 copy
3472 March 21, 2016.
3473 Stamped stamping machine (seal) (painted)
3474
3475 ※ This transcript was written in a way that summarizes only the main parts of the statement.
3476 ※ Parties and witnesses may object to the matters described in this transcript. When an objection is raised, a court clerk or other person must indicate the intent of the objection in this transcript or in a separate document or correct the relevant part of this transcript.
3477
3478 judge
3479 Witness Kim Jin - kwang 's witness newspaper procedure recognizes the necessity of recording and instructs him to record all of them in accordance with the provisions of the relevant Criminal Procedure Law. The contents of the witness newspaper are all recorded, so please be sure to tell the microphone when speaking.
3480 Notice of testimony veto. The witness's testimony may refuse to testify about the confidentiality of someone else who has a relationship with you or a prospective witness, or about the confidentiality of someone else whom the witness has known about the job. After the oath, for the same reason, you can refuse to testify about individual newspapers. After the oath, you must state the truth and if you lie, you can be punished for perjury. Please swear.
3481
3482 witness
3483 According to the oath and conscience, I speak truthfully without any concealment and assistance, and if there is a lie I swear to be punished for perjury. Witness Kim Jin-kwang.
3484
3485 inspection
3486 To witnesses
3487 (Present evidence page 45 of the evidence list Sequence No. 5)
3488 Q: Is it true that this was an essay by a witness, entitled 'Check for additional posts on 4plebs.org'?
3489 Answer: Yes.
3490 Q: Please explain briefly what it is.
3491 Answer: When I searched Google about the e-mail that the defendant wrote to a foreign language university, 4plebs.org was searched and the site related to 4chan.org was confirmed to be backed up. That's why there are some contacts and e-mails that a defendant wrote to a foreign language university.
3492 Q: Is 4plebs.org the right site?
3493 Answer: Yes.
3494 Q: Is this site the backup site of 4chan.org site?
3495 Answer: Yes.
3496 Q: Is it the intention of attaching the information that comes from searching for the contents of the intimidating article?
3497 Answer: Yes.
3498 Question: On page 48 of the attached documents, did you identify the captures and captions of rape intimidation articles for the first Obama daughter in this intimidating article?
3499 Answer: Yes.
3500 Q: Is it true that you have your own ID number, and the post number is '47628036' on July 7, 20:24:52.
3501 Answer: Yes.
3502 Q: Do you see the Korean flag on the side, and can you think that this post was saved at this time in Korea time?
3503 Answer: Yes.
3504 Q: In the top of the investigation record, on the top of page 49, there is a post called 'Korea isis1', which is similar to this, Is it the right thing to find?
3505 Answer: Yes.
3506 Q: Here is the date posted on July 8, 2015, 02:31:29, post number '47640986', and next to the Korean national flag pattern, this is also the date this post was posted on the site Is it possible to look at it from July 8, 2015 to 02:31:29?
3507 Answer: Yes.
3508 (Provision of Record No. 7, Investigation Record # 71 on the Evidence List)
3509 Q: Is it true that a witness wrote a report titled 'Crime Facts and Hankuk University of Foreign Studies'.
3510 Answer: Yes.
3511 Q: Please explain briefly what it is.
3512 Answer: At the time of the defendant 's writing, there was the phrase' 4ourth, 4inger ', which is the result of searching on that specific phrase on Google search and bing search sites. And when the defendant searched the contacts and e-mails that he wrote to a foreign language university backwards, there were writings that slandered Hankuk University of Foreign Studies,
3513 Q: Is this the intent to attach the result of the search using POS Finger's phrase in the intimidating article?
3514 Answer: Yes.
3515 (Present evidence page 79 on page 8 of the evidence list)
3516 Q: Is it true that the witness wrote the following questionnaire titled 'Confirmation of Hankuk University of Foreign Studies' on WordPress site?
3517 Answer: Yes.
3518 Q: Please explain the contents of this investigation report.
3519 A: There is a site called WordPress, which is managed by Hankuk University of Foreign Studies, and there were articles written against Hankuk University of Foreign Studies. Then have a written article haeteotgo actually enter the admin page to visit the Korea University of Foreign Studies confirm the contents of these posts, the materials attached to chaejeung that this article 'ended the scam business "as it is written in the report that was me.
3520 Q: When there is here described as "the White House post was written, IP and South Korea is shown to be the same as watching the suspects created by the IP range used to price match Hankuk University of Foreign blame," This IP geotingayo confirming what?
3521 A: When I visited Hankuk University of Foreign Studies, I went to the administrator site with my cooperation. So I wrote an investigation report about that part.
3522 (Exhibit # 196 of the Record of Evidence No. 11 in the Evidence List)
3523 Q: Is it true that the witness wrote a report titled 'Confirming additional reporting to the White House'?
3524 Answer: Yes.
3525 Q: Please explain this briefly.
3526 A: The 4plebs.org site is the backup site of 4chan.org, and if it goes past the backup site, everything will be deleted. When the defendant published the article, I decided that I could post more than one post, and I checked every post related to the foreign language university. I did not check it by any search words but checked it by eye. I confirmed it by clicking on the site one by one. I also confirmed the post on May 5, 2015, and confirmed the post on June 25, There is more to the point of denouncing a foreign language university, and it is attached to it.
3527 Q: Are postings attached to the contents of the post at the time?
3528 Answer: Yes.
3529 (Exhibit # 251 of Investigation Record No. 14 in Evidence List)
3530 Q: Is it true that the witness wrote a report titled 'About posts posted on 4chan and 4chan backup sites'?
3531 Answer: Yes. I wrote it.
3532 Q: I found that the file usa.png was on the 4plebs.org site, the backup site of 4chan.org, and the attached screen captures the internet page that I confirmed at that time.
3533 Answer: Yes.
3534 Q: Isis.png Is there any indication that the file was retrieved from 4chan.org but it was not found?
3535 Answer: Yes.
3536 Q: Finally, did you put together the contents found on 4chan.org site and 4chan.org site backup site?
3537 Answer: Yes.
3538 In this case, the time for the rape of Obama's daughter on the White House site was posted on July 7, 2015 at 20:20, the post was deleted on 4chan.org site, and the backup site of 4chan.org site Did you confirm that the same content was posted on July 7, 2015 at 20:24?
3539 Answer: Yes.
3540 Q: Regarding the threat of terrorist attack on US Ambassador to the Republic of Korea, the time it took to go to the White House on July 8, 2015 was confirmed to be posted on 4chan.org on July 8, 2015 Does the backup site on 4chan.org also confirm that the same time was saved on July 8, 2015?
3541 Answer: Yes.
3542 Q: Are you confirming everything yourself?
3543 Answer: Yes, I have.
3544 (Present evidence page 263 of the evidence list Sequence No. 16)
3545 Question: Isis.png, usa.png About file analysis, isis.png title is isis.png?
3546 Answer: Yes.
3547 Q: Is it true that the above investigation report was written by a witness?
3548 A: Yes, this is the part where I downloaded the direct download from 4chan.org site and checked the image and these parts.
3549 Q: Please explain in detail.
3550 Answer: There are picture files named isis.png and usa.png in the 4chan.org site post. You can check the update date or specific values ​​of the file by downloading the files. You can check the unique value of the image you uploaded . In order to compare the values ​​with others, we then use the flash hash value to determine the MD5 for the file, and the flash hash program to check for any unique value.
3551 Q: If you click the isis.png file posted on 4chan.org site and save it as an image, the file name will be automatically saved as a random number, and you can download it by clicking the download button. , It says that the isis.png file has been downloaded, is that correct?
3552 Answer: Yes.
3553 Q: I tried to calculate the hash value of this file and it says the image is the same as the original one.
3554 Answer: The file itself differs in how to download it, but if you check MD5 for a unique hash value for the file, isis.png or 1436268292526.png tells you that the file is received differently, The name is the same, but it means the same.
3555 Q: Did you download the usa.png file from 4chan.org site?
3556 Answer: Yes.
3557 Q: In the same way, we can see that there are two ways of downloading, and in that case, the hash values ​​calculated using MD5 function are found to be the same?
3558 Answer: Yes.
3559 (Present evidence page 176, Investigation Record, page 266)
3560 Q: Is it true that the witness wrote a report titled "About Nouveau dossier folders identified on suspect laptops"?
3561 Answer: Yes.
3562 Q: Please explain what it is.
3563 A: In the New Folder, images related to terrorism related to Kim Kyeong-jong or Ripert were stored.
3564 Q: Here is a description of 'I do not see the Internet history, but the images of the suspects have created folders and saved them.'
3565 Answer: When you create a file, when you automatically surf or surf the Internet, some files are stored on your computer in the form of numeric random numbers or complex cryptosystem ... numbers, So, I did not surf the internet and checked something. Instead, I saved my file and saved it under a certain name.
3566 Q: If I check again, is it correct that the user is checking the file that saved the image, not the cache file which is saved automatically during the internet surfing process?
3567 Answer: Yes.
3568 Q: When I look at the contents of the next page, 'Folder creation date and time, images, etc. are created and collected on June 3, 2015. If you check the last access date and time, What is it?
3569 Answer: Yes.
3570 (Suggesting the record number 35 of the No. 20 book)
3571 Q: Is it true that the witness wrote the following investigation report entitled "About Identification of Additional Evidence Related to Terrorism"?
3572 Answer: Yes.
3573 Q: Please explain what it is.
3574 Answer: There was a file named s.txt on the notebook, and a text file similar to the one raping the Obama daughter was stored under the file.
3575 Q: After the investigation, is it appropriate to print out the characteristics of the file and the original text of the file?
3576 Answer: Yes, this part is the same with the digital analyst Kim Kyung-hwan.
3577 (Proof # 408 of Record No. 25-1 of Evidence List)
3578 Q: Is it true that the witness wrote the investigation report titled 'About 4chan site publication time'?
3579 Answer: Yes.
3580 Q: Please explain this.
3581 A: Because 4chan is not a Korean site, I think that the way the posted post is shown will not be seen in Korea at first. If you think that it is different from the post posted by the suspect, Since I have posted all the articles, 4chan site has service to all the countries in the world, so it is shown as a part that shows the time to turn off according to the country. So if you connect in Korea, you will show your time in Korea, This is a rhetorical report showing that.
3582 Q: Did you test it by yourself?
3583 Answer: Yes.
3584 (Proof No. 463 of Record No. 27 of the Evidence List)
3585 Q: Is it a witness' s report on the title of '4chan' s time on the site?
3586 Answer: Yes.
3587 Q: Is it the same as the investigation report you just saw?
3588 Answer: Yes.
3589 Q: Is it true that the articles or photographs posted on internet sites such as blogs, which are stored in the investigation reports created by the witnesses, and the information or materials found on the defendant's notebooks are captured or output as they were originally attached?
3590 Answer: Yes.
3591 (Proof No. 22-1, Investigation Record, Section 393 of Evidence List)
3592 Q: Is it true that you have seen this document?
3593 A: I have seen this while working together.
3594 Q: Do you know from whom you received this papers from?
3595 A: I know it from the White House, through the Cooperatives.
3596 Q: Do not know the details?
3597 Answer: Yes.
3598 Q: Is the witness a police officer?
3599 Answer: Yes.
3600 Q: What is your position and rank?
3601 A: It is Kim Jin-kwang, a member of Cyber ​​Safety Bureau, Seoul Metropolitan Police Agency.
3602 Q: Is the witness involved in the investigation?
3603 Answer: Yes.
3604 Q: What role did the witness play in the investigation?
3605 A: At that time, we were on duty. I was trying to find out if there was the same post as the one posted by the defendant because I was on duty and I should have started the case immediately after receiving the case.
3606 Q: In a little more detail, did you participate at the time of the seizure?
3607 A: Yes, I also participated in the seizure search and I had to check a lot of posts first to get a warrant, and I had a lot of focus on that part, and when I was in the seizure search site, When I did not have a laptop or something like this. So, there are some parts that we have fielded with other investigators to secure evidence.
3608 Q: What role did you play in the seized search site?
3609 Answer: First, I thought it was important to find a laptop. The defendant posted a blog on the blog. So I made a lot of efforts to secure the laptop, and I asked the analyst to analyze the computer or something.
3610 Q: Was there a picture of your laptop on the defendant's blog?
3611 A: Yes, so I tried hard to find a laptop.
3612 Q: Do you remember how you found your laptop?
3613 Answer: Yes, when I first entered, the defendant was lying in bed, and when I tried to go into the room with a search warrant, I could not go in for about 30 minutes because the defendant 's parents never entered. So, first of all, I went into the room alone and told me that I had to check my laptop, so I told her that I could not go in there, so she asked me for a laptop, so the defendant's mother brought her laptop from the defendant's room. So I received a laptop and sent it to Kim Kyung-Hwan, and asked him to check if there was an image, and Kim Kyung-Hwan analyzed it because he had an image.
3614 Q: Did you shoot the situation at the time of the seizure?
3615 A: Yes, I have done video recording.
3616 In the case of Lieutenant General Nam Sang-wook, he tried to shoot and testified that the defendant's family members were not able to shoot against him.
3617 A: Not all of them were shot, but there were some parts that I had to shoot.
3618 Q: Did the defendant 's family prevent him from filming?
3619 Answer: Yes.
3620 Q: Was the defendant lying in bed throughout the search process?
3621 Answer: Yes.
3622 Q: Did you search the defendant's laptop to find the relevant evidence?
3623 Answer: Yes.
3624 Q: Isis.png, usa.png, s.txt file?
3625 Answer: Yes.
3626 Q: After confirming it at that time, did the defendant find out where these files came from?
3627 A: I told him to look, but I kept seeing him and he lay there.
3628 Q: Did the defendant analyze the room?
3629 Answer: No. I analyzed it in the next room study, and the defendant 's mother attended to confirm the contents.
3630 Q: At that time, I received the Confirmation of Confirmation of the Confirmation of the Confiscated Water, Confirmation of the Confirmation of the Confirmation of the Confiscated Water Information, etc. Who received it?
3631 Answer: Kim Kyung-hwan was given by the analyst.
3632 Q: In addition to what the witness has so far testified, is there any fact that I have verified during the investigation of this case?
3633 A: I do not remember well because the incident is long.
3634
3635 Lawyer
3636 To witnesses
3637 Q: Has the commencement of the investigation been initiated by the US Embassy?
3638 A: We know that the incident has come down to us.
3639 Q: Have you ever seen an 'urgent cooperation request' from the US Embassy?
3640 Answer: Yes.
3641 Do you know that the Koreans in the Buddhist e - mail sent a blackmail message saying that they sent a warning email to President Obama on terrorism against Ambassador Ripper?
3642 Answer: As far as I know, I posted on the White House site.
3643 Q: I know so, and it's been investigated, but it says that I sent it by e-mail to the initial cooperation letter.
3644 A: Is not it supposed to be sent by email?
3645 Q: Does the witness know anything about this?
3646 Answer: Yes.
3647 Q: There are some documents attached to the investigation report written by witnesses, some of which have been downloaded from the Internet. Where did the data from the defendant's notebook come from?
3648 Answer: Most of the Internet postings are written by me, and the parts of the investigation report are written by Kim, Kyung-Hwan, because they can not share the system because the team is different. So I made this same data with me, so I checked it out. I wrote this investigation report together with Kim Kyung Hwan, and I printed it out.
3649 Q: Does the analyst Kim have output?
3650 Answer: Yes.
3651
3652 judge
3653 To witnesses
3654 Q: I said I wrote an Internet post, but I misstated it?
3655 Answer: First of all, 4chan or something like this is what I did after capturing separately, and the parts from the defendant's notebook were written by me because Kim Kyung-hwan's analyst could not write the investigation report.
3656
3657 Lawyer
3658 To witnesses
3659 (Presenting an investigation report, page 263)
3660 Q: I have downloaded the witness from 4chan site and changed it to another file. The first isis.png file is downloaded on July 7, 2015 at 3:23:30 pm What does this time mean?
3661 Answer:
3662 Q: I do not seem to remember well, but w will answer the question. The time at the White House was written on July 7, 2015, 20:20 and the file isis.png on the defendant's laptop is 20:21, remember?
3663 Answer: Yes.
3664 Q: I have two hours to show evidence that there is evidence so far, so I know what it is. I am talking about the 3:23:30, the 24 hour hour, the 15:23? Please explain what this time means. You do not know because you wrote it?
3665 A: I did not focus on the time when writing, but instead of backing up the original files on my desktop computer, I created a folder called "Terrorist" and had an original under it, There is a method and a download button called isis.png below it.
3666 I clicked on that button and downloaded it in two ways, but the important thing is that the investigation report was written to specify that 'MD5 is the same, if MD5 is the same, this file is the same' I saved the file to my computer and compared it with it, and I do not remember the date exactly.
3667 Q: Is not it time you saved your witness computer?
3668 A: Yes, it is not.
3669 Q: Now, three files have the same MD5, but the same thing means that the first file is the same file?
3670 Answer: Yes.
3671 (Presenting an investigation report on page 264 of the investigation record)
3672 Q: How long does it take for usa.png to be downloaded on July 8, 2015 at 2:28:52?
3673 A: I do not remember the details, but it seems to be the investigation report about the part where the original file on the defendant's laptop was referred by the pumice team and compared with the file.
3674 Q: What is the meaning of time now that you do not know exactly?
3675 A: I guess it's probably the time on the defendant's laptop, but where did the source of usa.png come from? So I do not know exactly what the file was from when the usa.png was uploaded.
3676 (Suggesting an investigation record, page 334)
3677 Q: Here is the 'Photovoltaic vs. Work File, Text File' on July 12, 2015 at 4:53:58 PM ...
3678 Answer: This is the data that the analysis of Kim Kyung Hwan analyzed.
3679 Q: Is the witness unaware of this time?
3680 A: Well, I've seen it together, but analyst Kim Kyun-hwan will know better.
3681 Q: Does the witness mean that you do not know about this?
3682 Answer: Yes.
3683 Q: Witnesses also participated at the time of the seizure, did you see the process of imaging the defendant's laptop?
3684 Answer: Yes.
3685 Where was the witness at that time?
3686 A: I was in the same room and went to the room where the defendant was lying.
3687 Q: Before imaging on a laptop, I turned on my laptop and searched for related files first. Who did it?
3688 Answer: Kim Kyung Hwan was the analyst.
3689 Q: In the process of looking at the defendant's laptop, did the defendant or defendant guarantee the right to participate in the parents?
3690 Answer: Yes.
3691 Q: Who did?
3692 A: There were several investigators.
3693 Q: Did you participate?
3694 Answer: The defendant did not participate, and the defendant 's mother said that she participated, so she did the imaging in front of the defendant' s mother.
3695 Q: How many hours did the imaging work take?
3696 A: I do not remember exactly, but it seems to take about two hours.
3697 Q: Did you film the process of examining or imaging the defendant's laptop?
3698 A: I think I just took a picture when I first went in.
3699 Q: Did you take videos or pictures about the process of imaging?
3700 A: I think I did not.
3701 Q: It is related to the witness who wrote the investigation report. If there is a screen-captured file and you download the file from 4chan and save it, the two will clearly distinguish between the captured and downloaded files from the defendant's notebook. Can you do it?
3702 Answer: Although the name of the file can be changed because the computer is clearly distinguished, the root cause of the screen capture is a program called full page screen capture on the defendant's computer. When you capture using this program, the file name is created uniquely. Because there is a name and a date and it is hard for ordinary people to write it, so if there is such a thing, it should be said that it was programmed ...
3703 Q: Even if you download the same thing, you are asking if you are following it.
3704 Answer: If the filename remains the same, if you receive usa.png when you download it, then usa.png follows, and the url where the full-page screen was originally printed does not appear.
3705 Moon: usa.png but not url ...
3706 Answer: If you have url, you can get it as it is.
3707 Q: If you download it in that state, is not it well separated?
3708 Answer: Yes.
3709 Q: And can you download and rename it?
3710 Answer: Yes.
3711 Q: If I remove the value of zone.identifier attached to the downloaded file, will it be impossible to check whether it is a downloaded file or not?
3712 A: I do not know.
3713 (Presenting the first and second Google search screens of the certificate No. 5)
3714 Q: I searched on Google that the first blackmail related article was stored on 4chan site. This is what I came up with in search of the text, which is exactly the same as the number you saw. It is the first blackmail article that I have been suspected to have written by the defendant. There is a time called July 7, 07. 07:24:52, and the time of the first blackmail was written on July 7, 20:20, right? The time to upload to 4chan is much faster, do you have any idea about this?
3715 A: I do not know because it is not confirmed.
3716 Q: This is what the witness made when he wrote the investigation report. If you posted in Korea, you would be posting Korean time on 4chan site? So the time I posted on the 4chan site was later than the time of the file on the laptop because the defendant wrote it. But now the time I searched on Google is much faster than the time I posted on the case. That 's why I ask.
3717 Q: I do not know exactly what I am talking about. But first of all, this is Google. I do not know how to write url in 4chan, and the way it's written in Google would be wrong, because I did not see it.
3718 Q: Does the witness have any experience in analyzing digital evidence?
3719 A: I joined Cyber ​​Special, basically there is no digital analysis and I have listened to education or lecture.
3720 Q: Is not there a career?
3721 A: I have to go to work because I needed to do it, but I did not get a license or anything like that, and I had a lot of training related to database and hacking.
3722 Q: You have been trained in the National Police Agency?
3723 A: I have a police station and I'm in a database.
3724 Q: Was the witness involved in the investigation that changed the defendant's MAC address?
3725 A: I joined the investigation together but I do not remember exactly. The story seems to have done a lot.
3726 Q: Have you been involved in the investigation that led you to receive a Mac address that matched the IP address that you sent the search warrant to Tibur Road?
3727 A: It was not me.
3728 Q: I have an analysis that says that the defendant's laptop analysis results have been released so that the logs stored in the router are not released in the adjacent time zone of the time when they wrote the article. Do you know this part?
3729 A: That part is written by Kim Kyung-Hwan.
3730 Q: Does the witness know this part well?
3731 Answer: Yes.
3732
3733 judge
3734 To witnesses
3735 Q: Is it true that the witness's statement is unclear, and that he was working at a private database company in relation to his career in analyzing digital evidence, and then joined Cybercrime as a specialist?
3736 A: Sometimes the process of coming to the police comes to the general public, and if you have more than a few years of social work, you may be able to get a special bond. The part I majored in is the database, and I've come across a lot of hacks and stuff like that.
3737 Q: I have an editorial story ...
3738 Answer: It is the part of the license.
3739 Q: Did you major in the database, joined the police as a specialist, and then took the training related to hacking, and did you not only learn about the digital analysis related to the work, but also the training?
3740 Answer: Yes.
3741
3742 judge
3743 I will finish the witness newspaper for Kim Jin-kwang.
3744
3745
3746 Witness newspaper report (part of the eighth trial)
3747 Event 2015 Torture 4685 Threatening
3748 Name Kim Kyung Hwan
3749 Date of Birth February 5, 1976
3750 Housing Seoul, Gangseo-gu, Woohyeon-ro 67, 109, 402 (Hwagok-dong, Kangseo Hill State)
3751
3752 judge
3753 If a witness asks whether he or she falls under Article 148 or Article 149 of the Criminal Procedure Act and acknowledges that he / she does not fall under this clause and explains that he / she can refuse to testify if he / After warning the punishment, he stood as a separate line and made him swear. The next witnesses did not finance it.
3754 The contents of the newspaper about the witness are the same as the recording file of the court recording system (the original number 160321171323).
3755 March 21, 2016.
3756 Hwang,
3757 The judge (doctor)
3758
3759 A statement on the testimony veto notice
3760 1. A witness may, if he / she has any of the following reasons, deny his / her testimony to the presiding judge by calling for reasons for refusal.
3761 end. If a person who has a relative or relative with a witness or a witness, a legal representative, or a supervisor is found to be subject to a criminal prosecution or a complaint or convicted (Criminal Procedure Act, Article 148)
3762 I. If a witness is in such position or in such position as a lawyer, a patent attorney, a notary public, a CPA, a tax accountant, a taxpayer, a doctor, a doctor, a dentist, a dentist, a pharmacist, a midwife, a midwife, a nurse, (The Criminal Procedure Act, Article 149)
3763 2. In addition, a witness may refuse to testify if he or she finds that there is a reason similar to that of paragraph 1 of an individual or specific newspaper after the oath.
3764 3. If a witness does not expressly deny the testimony or give false testimony to a newspaper article that has the right to veto testimony, he / she shall be held liable for perjury please.
3765 Witness Kim, Kyung-hwan (signature) or signature (signature)
3766
3767 Oath
3768 According to the conscience,
3769 In fact,
3770 If there is a lie
3771 To be punished for perjury
3772 I am a wanderer.
3773 Witness Kim, Kyung-hwan (signature) or signature (signature)
3774
3775
3776 Recording book (main point)
3777 Case Number 2015 High 4685 Date 2016. 3. 21. 14:00 Remarks (None)
3778 I submit a transcript prepared in accordance with the provisions of Article 38, Paragraph 1 of the Criminal Procedure Rules.
3779 1. Attachment: A copy of the witness newspaper on the witness Kim Kyung-hwan (total face: 24 pages) 1 copy
3780 March 21, 2016.
3781 Stamped stamping machine (seal) (painted)
3782
3783 ※ This transcript was written in a way that summarizes only the main parts of the statement.
3784 ※ Parties and witnesses may object to the matters described in this transcript. When an objection is raised, a court clerk or other person must indicate the intent of the objection in this transcript or in a separate document or correct the relevant part of this transcript.
3785
3786 judge
3787 Witness Kim Kyung - hwan 's witness newspaper procedure recognizes the necessity of recording and instructs him to record all of them in accordance with the provisions of the relevant Criminal Procedure Law. The contents of the witness newspaper are all recorded, so please be sure to tell the microphone when speaking.
3788 Notice of testimony veto. Because of witness testimony, the witness may deny his / her testimony about the confidentiality of someone else who has a business relationship with the witness because he / she is concerned about his / her criminal penalties. After witnesses have sworn in, they can also refuse to testify for the same reason in individual newspapers. After the oath, you must state the truth, and if you lie, you will be punished for perjury. Please swear.
3789
3790 witness
3791 According to the oath and conscience, I speak truthfully without any concealment and assistance, and if there is a lie I swear to be punished for perjury. Witness Kim Kyung Hwan.
3792
3793 inspection
3794 To witnesses
3795 (Proof No. 68, page 69 of the evidence list No. 33, No. 1)
3796 Q: Is it true that the results of this digital evidence analysis were true of the witness's experience?
3797 Answer: Yes.
3798 (Proof No. 73-2 of Investigation Record # 33-2)
3799 The CD is attached with the title of 'Digital Evidence Analysis Result'. The digital evidence analysis result stored on this CD contains the defendant's notebook image file and the main data or information found in the analysis of the incident Is that right?
3800 Answer: Yes.
3801 Q: Witness is the Digital Evidence Analyst at the Seoul Metropolitan Police Department Cyber ​​Crime Investigation Division?
3802 A: Yes, I am currently working at Cyber ​​Crime Lab. We shared with the Evidence Analysis team earlier this year and worked in the Digital Evidence Analysis team until last year, and this year we are in charge of Detectives who are out of cyberspace.
3803 Q: What was the work of the witness during the investigation?
3804 A: As a digital analyst, I was collecting and analyzing evidence on digital evidence from the incident at the police investigation room under the Seoul Metropolitan Police Agency.
3805 Q: Did the witness participate in the seizure of this case?
3806 Answer: Yes.
3807 Q: Have you participated in the whole process of seizure search?
3808 A: Yes, that scene from that date.
3809 Q: Did you participate from the beginning to the end?
3810 Answer: Yes.
3811 Q: Tell the defendant's notebook the discovery and imaging process as the witness has experienced.
3812 A: I do not find it. I remember it was discovered by Kim Jin-kwang. And the defendant was in the room and there was a room in front of him where the defendant's father seemed to write, and while I was searching the room for an all-in-one PC used by the defendant's father, he found a laptop and searched and analyzed the laptop .
3813 Q: When I first got the defendant's laptop, was the laptop on or off?
3814 Answer: I remember it was turned off because it was folded.
3815 Q: After turning the power on and searching, we found evidence related to the incident, shut it down, and imaged it immediately?
3816 Answer: Yes.
3817 Q: Did you take the seizure process or imaging process at the time?
3818 A: I did not take the shoot, and I remember that the staff of the WTC and our cybercrime staff shot it together.
3819 Q: Did you take all the steps?
3820 Answer: Yes. I remember that two or more cameras were spinning.
3821 Ms. Sang-wook said that she had stopped at the time while she was filming the opposite of the defendants' families. Is that right?
3822 Answer: Yes, that's right. I remember that there was an argument.
3823 Q: Do you remember which course of filming was discontinued?
3824 Answer: I can not remember correctly.
3825 Q: After I image the defendant's laptop hard disk, who do I get such as integrity verification or hash verification?
3826 Answer: I got it from the defendant's mother.
3827 Q: Did the witness directly receive it?
3828 Answer: Yes, I got a confirmation from my defendant mother that I wrote the hash value by hand.
3829 Question: Did the witness claim that the defendant confiscated a hard disk on the lenovo B490 laptop computer, seized five hard disks, and analyzed one replica of SanDisk USB memory?
3830 Answer: Yes.
3831 Q: Was the time of the defendant's laptop computer in Paris, France?
3832 Answer: Yes.
3833 Q: So, when the crime of this case is on, July 7, 2015, was the daylight saving time set to be 7 hours earlier than Korea's standard time?
3834 Answer: Yes.
3835 Q: When Witnesses used EnCase, a digital forensic program, to analyze the defendant's laptop computer, did you set it to display in Korean Standard Time?
3836 Answer: Yes.
3837 Question: Isis.png and usa.png files found on the defendant's laptop computer hard disk?
3838 Answer: Yes.
3839 Q: Isis.png file creation date and time is July 7, 20:21:12, the last revised date is July 20, 2015. 7. 7. 20:23:30, and the creation date of usa.png file is 2015. 7 8. Was it confirmed at 02:27:07 and the last revised city date was July 8, 2015 at 02:28:51?
3840 Answer: It is correct in the analysis report.
3841 Q: I found isis.png.lnk and usa.png.lnk linked to the above isis.png and usa.png files.
3842 Answer: Yes.
3843 Q: When and how are these link files created and stored?
3844 Answer: Generally, when you open a file on a Windows system, a link file called a shortcut file is created.
3845 Q: If you analyze the meta information of this link file, ie file attribute information, what kind of information can you check?
3846 Answer: Once you open the Ink file, you will see the name of the file you opened. When you open it, the computer name, volume name, and hardware Mac address will be saved.
3847 Question: Did you check the hard disk volume name, serial number, computer name, MAC address of each link file mentioned above and the information of the defendant's laptop computer?
3848 Answer: Yes, it has been confirmed.
3849 Q: Isis.png and usa.png files are exactly the same date and time, but link files with different file names were found on the defendant's notebook.
3850 Answer: Yes, I remember that part of the file name is different, but the original date and time of creation of the analysis is the result of analyzing the file name when I changed the source file ... So, if the file name is changed, the creation date and time will not change. It has been confirmed that the creation date and time of the original file remain in the link file.
3851 Q: Is it possible to interpret the link file as a file name that is created when the original isis.png or usa.png file is created, but the original file has a different file name?
3852 A: Yes, I interpreted it that way.
3853 Q: In addition to the isis.png and usa.png files, there are many screens on the White House site, as well as a screen capture of the post completion screen, found on the defendant's laptop computer?
3854 Answer: Yes.
3855 In addition, the email address Twitter address, phone number, 'HUFSRO 4ourth 4inger' in this case is listed, and the 'Embassy of the US Embassy will surely kill Ambassador Ripper' I will give you an anal rape. "And there was a s.txt file with the same contents as the case of this incident.
3856 Answer: Yes.
3857 Q: Are the link files A0065359.1nk, A0065518.1nk, A0065541.1nk, and A0065621.1nk found in the s.txt file found?
3858 Answer: Yes.
3859 Q: How are these link files created and where are they stored?
3860 Answer: The link files that are randomly numbered starting with A are the volumes used by the system called system volume information. At first, when I explained the time when the volume was used, I tried using it in Windows 7 As you know, there is a feature called Restore Computer. I have a feature called restoring the computer that will take a snapshot, so Windows 7 will automatically back up. So, at that time, I automatically backed up the list of files or files in a certain period of time, and the backup location is the system volume information folder, and a folder is created under each backed up day. A link file pointing to txt has been found.
3861 Q: The operating system of the defendant's laptop is XP. Does XP have the same function?
3862 Answer: Yes.
3863 Q: What events are required to generate these link files?
3864 Answer: The system automatically backs up the function. If you do not specifically make a backup, I know that the backup is basically based on the operating system settings.
3865 Q: The date of creation of each link file just mentioned is 2014. 9. 10. 16:59, and the final access date and time is July 7, 14:57, 21:10, 21:10 , 22:31?
3866 Answer: Yes, as you can see in the report.
3867 Q: Have you found any more link files that link to s.txt other than the four link files?
3868 Answer: Yes, at that time, the link file pointing to the s.tet file was analyzed to be it.
3869 Q: Can I see the date and time of the last access to the s.txt file on July 7, 2015?
3870 Answer: At the end of the last one, what if the link file was on July 7, 2015, 22:31, then you can interpret the s.txt file as the last time you opened it.
3871 Q: On the other hand, when the defendant analyzed the Internet access rate of laptop computers, did you check the records of accessing through Internet Explorer, Chrome, Mozilla and Opera web browser?
3872 Q: Did you also find a record of 'Michelle obama' on Google search site via Internet Explorer?
3873 Answer: Yes.
3874 Q: Is the record of accessing the Internet Router Management page verified on July 7, 2015, and July 8, 2015 at the time of the crime of this case?
3875 Answer: Yes.
3876 Q: Did you check the details of the settings such as setting the router to not record the log in the time zone adjacent to the crime of this case?
3877 A: I do not know what the intent was, but I've confirmed that I changed the settings.
3878 Q: How do I change my router settings?
3879 A: Router management is to connect the IP address and router IP of the network to the web browser, and the management page will appear. You can go to the management page and change the general setting value of the network or the MAC address or the MAC address. .
3880 Q: So I usually access the administration page through the web browser, so I have a record of my internet connection history?
3881 Answer: Yes.
3882 Q: Is there a way to keep the record of the connection?
3883 A: There are a variety of ways you can stay away. Nowadays, web browsers like Explorer and Chrome have features like incognito, which keeps browsing history from being left, so I know that if you use it, your records will not be checked.
3884 Q: Is there an incite comb in the case of explorer, and an incognito mode in case of Google Chrome, and if there is such a mode, there will be no connection record at all?
3885 A: Yes, I did not have any results.
3886 Q: Has the defendant's laptop been able to change the MAC address of the Internet router 9 times between June 8, 2015 and June 3, 2015?
3887 Answer: Yes, Mac address changes have been verified through Internet history.
3888
3889 Lawyer
3890 To witnesses
3891 Q: In the confiscation search site, did you direct the witness to image the defendant's laptop?
3892 Answer: Yes.
3893 Q: How did you save the imaged file and how did you take it?
3894 Answer: We made a copy on the hard disk we brought with Falcon, and cloned the image through the Falcon by attaching the original hard disk to the original.
3895 Q: How did you make a copy of your hard disk? Did not you seal that part separately?
3896 Deep: Yes, it does not have to be sealed.
3897 Q: Is it true that the regulations of the National Police Agency, such as the "Regulations on the Collection and Processing of Digital Evidence", require the seal to be sealed. Is it not necessary to seal?
3898 Answer: The storage medium is intended to be sealed, but the duplicate image is not explicitly marked as sealed.
3899 Q: How do you keep the duplicate image and keep it?
3900 A: Since the image is the result of integrity, it is necessary to have an integrity hash value for the image file and the image file.
3901 Q: In the case law, I have a sealing process as one of the methods of ensuring the integrity of the image file, and I am shooting the process.
3902 Answer: I shot it.
3903 Q: I do not ask opinions from witnesses. We will later ...
3904 A: I think you denied what I did, but I do not know that.
3905 Question: Is the witness bringing the file itself to the National Police Agency?
3906 A: I was in the car and I was in the car.
3907 Q: Have you received an analysis request separately?
3908 Answer: I understand that I have received an analysis request form.
3909 Q: From whom?
3910 A: Because it is computerized, I do not receive it directly.
3911 Q: Have you taken it in a container that can be safely stored so that it will not be damaged by impact, magnetic fields, moisture or dust when you take it?
3912 Answer: Yes, that's right.
3913 Q: What equipment did you bring at the time of the seizure?
3914 Answer: Replicate Falcons and their accessories, laptops, EnCase for analyzing the scene, hard disk for copying the original, and then the police office which extracts the file list for simple use. There is a program called CIP which I developed.
3915 (Suggesting an investigation record, page 334)
3916 Q: I think you've seen it in the process of writing the statement, but the text file in the Photovoltaic vs. Work file. July 12, 2015 04:53:58 What is the meaning of this time I will ask you about this?
3917 Answer: I work with a program called UltraEdit. When I print it there, I know that it shows the attributes related to creating or modifying the file.
3918 Q: I think it is written in the opinion letter that the file will be automatically released based on the last access date. Does that mean?
3919 Answer: As stated.
3920 (Suggesting an investigation record, page 665)
3921 Q: I have the same photovoltaic versus work file and this is on July 21, 2015 at 07:06 pm?
3922 Answer: Yes.
3923 Q: Under that, the Modified time and the Accesed time are from July 7, 2015 to July 7, 2015. What does the witness say now and what does it mean, different?
3924 A: Of course, the structure is different.
3925 Q: What is the reason?
3926 Answer: This is the information in the file, and the one above it shows the computer time when you did the work.
3927 Q: Does July 12, 2015 tell the time of the computer that the witness worked on?
3928 Answer: Yes.
3929 Q: Witness, is that certain? Were you working on July 12, 2015?
3930 A: I did not work at that time, but I printed what was missing.
3931 Q: What does it mean to be missing then?
3932 A: I guess I did not do it at the time.
3933 Q: Witnesses, do you know how many days a search has been made? It was on July 13, 2015. But what does it mean to say that we have removed all of our records the day before the seizure?
3934 Answer: What?
3935 Q: The file was on July 12th, right?
3936 Answer: Where?
3937 (Suggesting an investigation record, page 334)
3938 Q: Is not it July 12, 2015?
3939 Answer: At the time of the last revision.
3940 Q: What does it mean?
3941 Answer: You just got what you got there and printed it from your analysis computer.
3942 Q: So, is it a time stamped by the police?
3943 Answer: I have to see exactly how s.txt comes out, but I was too busy to see the case record. The output is the output of UltraEdit on my analysis computer. The opinions remain intact.
3944 Q: Does it mean that the output was on July 12, 2015?
3945 Answer: No. This is not what I printed on July 12, but the attribute of that file named s.txt is recorded.
3946 Q: I have shown the properties of the file before July 7, 2015. There is a part of the file, please describe it.
3947 Answer: It was changed because I put the save separately.
3948 (Suggesting an investigation record, page 665)
3949 Q: What does that mean? It looks like here on July 21, 2015. What does this mean?
3950 A: That's '.txt'. There is no file called '.txt' on the notebook. When I change '.lnk' to '.txt', that file is not a file on the defendant's notebook, but a reporting screen that is displayed as EnCase. I pulled it out and I made it into a text file.
3951 Q: So this is not a file on the defendant's laptop, is it a separate file created by the witness?
3952 Answer: It is a file created by EnCase, which is not a file but implies its contents.
3953 Q: So is the date you worked on July 21, 2015?
3954 Answer: Yes. I created a file called Text.
3955
3956 judge
3957 To witnesses
3958 (Suggesting an investigation record, page 334)
3959 Q: The seizure was on July 13, 2015, and the date and time of the seizure on July 12, 2015, before the seizure, is written in the s.txt file. Please summarize and explain once again what this time and date means.
3960 A: There is a date attribute called s.txt which is the creation date of the file, the last modified date, or the last access date. The last modified date is displayed there, followed by the "A number.txt" Since I can not subtract it, the attribute of the original file is not displayed. Therefore, I use EnCase tool to display the properties of the original file managed by EnCase. I copied it completely and made it randomly on my analysis computer as a text file. . To show the screen, to show the letter, on that date.
3961
3962 Lawyer
3963 To witnesses
3964 Q: Do you remember who wrote the seizure?
3965 Answer: If my letter is correct ...
3966 Q: The writer is not a witness, did you see that he made the list of seizures that day?
3967 Answer: Yes.
3968 Q: In the list of seizures, the file on the defendant's laptop is in the list, do you know?
3969 A: I do not remember, but I do not remember seeing exactly what the output is because I can not connect to the system called kicks.
3970 Q: The seizure of the seizure is written by Lieutenant Kim Sang-Kuk and Joo Yoo-Woo, but since the witness has imaged it, he / she will ask for it because the witness confirmed it when he made the seizure list.
3971 A: Is not the confiscation list written in the office?
3972 Q: Before that, did you use the handwriting on your confiscation list?
3973 A: It's not a confiscation list, it's an electronic information confirmation.
3974 (Presenting the confiscation record, page 398)
3975 Q: On the confiscation list, it says that the imaging files were confiscated in 2, 3, 4, 5, but the imaging file is not listed on the 1st notebook. Of course, the witness did not write it, but the writer Kim Sang-Kuk proved his confession to the mother of the defendant and wrote it by hand. There is also no imaging file here, but below is the imaging file. The imaging file is not listed here either. Do you know about this?
3976 Answer: I do not know.
3977 Q: Did the witness check these documents at the time?
3978 Answer: I have no reason to be involved in the proof of confiscation or the record.
3979 Q: At the time of the seizure search, did the lieutenant Kim Sang Kook confirm or get confirmed by the witness when he wrote such a document?
3980 Answer: There was.
3981 Q: Did the witness go through the process of verifying this document?
3982 Answer: Whether or not it should be written by my confirmation ...
3983 Q: Witness, please tell me the facts you remember.
3984 A: Are you asking exactly the month?
3985 Q: At the time of the seizure, did the witness check this document and say, 'This is a confiscation list'?
3986 Answer: I have a memorable memory of the results.
3987 Q: Do you mean that you confirmed this list because you confirmed the output?
3988 Answer: As you remember, I did not think it was the end of the seizure at that time, and I think the process of seizure is ongoing ... Q: Are you telling me when to write this list? A: Yes, so for the final confiscated object, I have to hand over the file to the investigative team through my analysis. Q: How long did it take to image that day? Answer: It takes about an hour and a half to two hours per hard disk, so I know that 3 o'clock that day ended at 4 o'clock. Q: Is it finished on July 14, 2015? Answer: Yes.
3989 -------------------------------------------------- -------------------------------------------------- -------------------------------------------------- --------------------------------------------------
3990
3991 It is not exactly what I remember coming and going back and forth when I found it. So I told you to keep coming, not to go out.
3992 Q: Witness is now working as an analyst on digital evidence. What is your career history?
3993 Answer: I received the police assignment on April 4, 2009, and I have been working in the cybercrime to date. I also analyzed the digital evidence. I worked for two years from 2014 to 2015 as a whole.
3994 Q: Is there a separate education or a degree?
3995 A: Yes, I have a master's degree in Information and Communications.
3996 Q: Is there anything else that was trained in the police department?
3997 A: I have been trained about once a year, once a year for about a month, trained as a hacking professional investigator at the Police Investigation Training Center, then at the Seoul Metropolitan Police Department as a network investigation last year I have lectured about 600 people.
3998 Q: I have two intrusive articles, but I do not have a capture file to write the first one. Isis.png I am writing a text file from the last one, and the screen that says 'Thank you!' I see it as one file, do you remember it?
3999 Answer: I do not know.
4000 Q: If there is only one file, but the defendant actually wrote it, then there are two files that should be present. There are only files that are combined with the part that says. Please explain if it is technically possible.
4001 A: I can not remember the result of this, honestly. I remember that 'Thank you!' Was just a single file.
4002 Q: There is that one, and then the evidence found on the defendant's notebook isis.png, usa.png file that wrote the entire article, remember?
4003 Answer: Yes.
4004 Q: It was a single file that was synthesized up to 'Thank you!'
4005 A: Was there 'Thank you!' Below?
4006 Q: Yes, there is a 'Thank you!' Below, and there is a writing on top of it, so please explain why the file that captures the writing should be separately existed.
4007 A: I do not know why.
4008 Q: Have you confirmed that you have captured using Chrome Full Page Capture?
4009 Answer: Yes.
4010 Q: Do you know that if you capture a full page, it will be saved automatically on your laptop and that the save file will be created, or you will have to save it with a different name or press Save but save it?
4011 A: I do not know why I have not used it. What I put in my analysis report is that I did not know exactly when the capture was done that the filename was created that way, whether it was dropped when the user saved it, or whether the file was temporary before it was saved.
4012 Q: According to the analysis of the witness, the defendant's internet router MAC address has been changed, remember?
4013 Answer: Yes.
4014 Q: And at the end of the crime at the time of the log records are stored in the analysis that you have released, do you remember?
4015 Answer: If you are in the report, you are right.
4016 Q: After that, I do not think that the investigation related to the router is going to be carried out. Do you usually not investigate the router? For example, if you change the MAC address of the router, you should have done an additional investigation. How do you normally investigate?
4017 A: At the time, I was not handled by a mobile investigator, so I do not know if I did an investigation into the router.
4018 Q: There were two IPs in which the blackmail was written, and the IP address was confirmed. If there is a corresponding IP that has committed the crime at the specified time of the crime, then the MAC address that matches the existing 1P can be confirmed through the carrier?
4019 Answer: At that time, I knew that on the Tibur Road it had not been confirmed well.
4020 Q: I once went through the process of confiscating the MAC address for the existence of a MAC address on the Tibudoad. Do you know about that?
4021 Answer: I do not know about that.
4022 Q: I asked Tibor to have a Mac address that matched the IP address as stated, but it was not certain that the defendant did. If so, if you check the router in the defendant's home, is it possible to change the MAC address or not?
4023 A: I do not know if it should be confirmed.
4024 Q: Is it possible, technically possible or not?
4025 Answer: Yes.
4026 Q: Anyway, the witness does not know that he has further investigated the router.
4027 A: I do not know that. I did not receive a router analysis request.
4028 Q: Was the imaging file analyzed by the witness first imaging the laptop at the defendant's home?
4029 Answer: Yes.
4030 Q: Did the witness analyze it and replicate the imaging file again?
4031 Answer: Yes.
4032 Q: What about the storage device of the analyzed imaging file?
4033 A: Then I took two hard disks, one was the investigation team, the other was my team, so I remember what I included in my team ... I do not remember which team the notebook was on, but anyway, I used to send it to the investigative team, so I told them to copy it, final.
4034 Q: Did you replicate what you had on the witness team to the investigation team?
4035 A: I did not replicate it, I gave it a hard disk.
4036 Q: If you look at the reports you have asked for analysis, there are 5 or 6 imaging files. It looks like it was copied to a hard disk and commissioned for analysis. Is this correct?
4037 A: I do not know that. As I said, I came in two ...
4038 Q: When I witnessed it, did I put it on one hard disk?
4039 Answer: No. There are two.
4040 Q: Then you have one on your laptop ...
4041 A: So I do not remember how it was stored on my laptop.
4042 Q: And the original of the image was passed back to the investigation team?
4043 Answer: Yes.
4044 Q: Do not you know who you turned over?
4045 A: Yes, I do not know.
4046 Q: I think the analysis is finished on July 23, 2015.
4047 A: I do not know. Because the report is urgent, you should have given it as a file first.
4048 Q: And did the witness print out the evidence from the imaging file and provide it to the investigators in the middle of the analysis?
4049 Answer: Yes.
4050 Q: Do you usually do that?
4051 Answer: Yes.
4052 Q: Do you mean that even before the analysis report comes out?
4053 Answer: Yes, what I convey is in the analysis report.
4054 (Suggesting Investigation Record # 722)
4055 Q: What is the page in the analysis report that the witness made?
4056 Answer: Yes.
4057 Q: It is related to the router here, it says 'Disable logging setting'. What is the source of this screen?
4058 A: You probably have a file called Time Pro, which you run on the analysis computer.
4059 Q: Is it not a screen printed on the notebook of the witness, or a screen printed on the defendant's notebook?
4060 A: You have a time pro and a text file. But there is an HTML file that opens up there. The text file was stored on the defendant's laptop, and since I only need to convert the extension after the text file to open it in the web browser, it seems that I have been converted to HTML to increase visibility.
4061 Q: Is this screen now on the witness's computer in the process of analyzing the witness?
4062 A: Yes, I will. It's my Chrome browser environment.
4063 (Suggesting Investigation Record # 736)
4064 Q: It is almost the last part of the report that the witness analyzes the file. I extracted the file extraction result and the hash value, and I gave the hash value of the notebook imaging file separately at the first time. Does the witness have a hash value?
4065 Answer: Yes, result request.
4066 Q: The hash value here is different from the hash value of the imaging file that initially imaged the defendant's laptop?
4067 Answer: That 's not it. The hash value for the compressed file for the final output I made.
4068 Q: The hash value has changed, so I'm looking at it.
4069 Answer: It is not a new, hash value of just another file that has nothing to do with imaging files.
4070 Q: Is the result of the request attached to the CD now?
4071 Answer: Yes.
4072 Q: Is it not possible to recognize the originality of the original file attached to this CD and the imaging file that the witness first imaged?
4073 Answer: Of course, the originals are not the same because they are different. Inside the imaging file, I put this file in here, but the hash value for this file came out like this, but the hash value is different and the identity is different? Not that. I can prove it again.
4074 Q: How can you prove that you came out?
4075 Answer: You can export the output here and extract the hash value.
4076
4077 judge
4078 To witnesses
4079 (Presenting section 2 of the Attorney's Statement on December 12, 2015)
4080 Q: The attorney's claim is that the file before the file was merged because the picture file was merged, but it did not exist. Is the file before merging necessarily exist?
4081 Answer: It may not be.
4082 Q: Please explain in what case it might not be.
4083 Answer: I do not know what features the Chrome Extension Tool has, but a common capture tool is that once you capture a screen and then try to put it underneath it, you capture it first, and if you do not save it, , So you do not need to save it, but if you put the second captured screen just below the area that was left in the memory, and then save it, the first thing you saved will not be saved.
4084
4085 Lawyer
4086 To witnesses
4087 Q: Is it possible to remain in the memory area at first?
4088 Answer: Yes.
4089 Q: Does it disappear from the memory area over time?
4090 A: Normally I keep the clipboard, but the program I use remains, and I do not know how the date is set, but if I capture it yesterday and save it, it will be shown on the screen again.
4091 Q: So if you stay in the memory area, is it possible?
4092 Answer: Yes.
4093
4094 inspection
4095 To witnesses
4096 Q: Is it possible that the original text and the result screen are both saved as a file, and then the result screen is pasted in the original text and the synthesized file is saved under a new name. ?
4097 Answer: Yes, there are many possibilities.
4098
4099 Lawyer
4100 To witnesses
4101 Q: The writing screen is so large that you can not see it on one page. Is it possible to capture it as a single file when you capture a full screen, or capture it separately?
4102 Answer: It can also be captured as a single file. But I do not know the full page capture program because I did not use it. The capture function provided by Naver or most of the recent capture programs are scrolled all the time, and when I select the whole screen, the one below is captured as one screen.
4103
4104 judge
4105 I will finish the newspaper about Kim Wonhwan. Thank you.
4106
4107 After the prison sentence in Seoul detention center, I added 15 sheets of staples to the sentence, followed by a document that shows how to file a copy of the sentence, and 16 sheets of staples.
4108 I added a copy of the document stating that I added a copy of the document stating how to apply for viewing and copying restrictions. I suspect that the court has done this by worrying about the disclosure of the ruling.
4109
4110 Seoul Central District Court
4111 verdict
4112
4113 Event 2015 Torture 4685 Intimidation (Recognition of Torture)
4114 The defendants were OO (OOOOOO-OOOOOOO), unemployed
4115 Housing Seoul, Dongdaemun-gu, Hancheon-ro 58, Gil 139, O-dong O (I-moon-dong, O-apartment)
4116 Registration Criteria Gyeongbuk, Andong-gun Il-kyung-myeon Dongfang Dong 408
4117 Inspection Jungmun-sik (Prosecution), Jung Jun-jun (trial)
4118 Counsel
4119 Attorney Kim Yong Min, Kim Jin Hyeong, Park In Sook
4120 Judgment sentenced Nov. 11, 2016
4121
4122 order
4123 The accused shall be sentenced to one year and six months in prison.
4124 Confiscate one seized notebook (model name: lenovo B490, S / N: WB09564311)
4125
4126 Reason
4127 Crime Facts
4128 1. Defendant's first intimidation attempted
4129 The defendant used the defendant's laptop (model: lenovo B490) at the defendant's residence to contact the White House Consumer Affairs Corner (Contact the White House, "in English," to President Obama and First Lady Michelle. ... I am a college student at Hankuk University of Foreign Studies in Seoul, Korea. How are your families doing? I am tired of my life because I always masturbate watching sex transsexual pornography. One day I realized that I did not want to die like this. I decided to stay as a famous Korean man in American history. I will eventually rape your second daughter, Natasha. I think it would be a bit politicky to ask beforehand, but is it okay? I think the second daughter (first daughter) is more than Malia Ann ... (Omitted) ... so I am ... Parental consent is required prior to the application. Do not worry about me. I have a lot of kimchi and I do not have AIDS. I am going to rape black people before they die. ... 1).
4130 -------------------------------------------------- --------------------------------------------------
4131 1) The following is the original text of the post.
4132 From: Mr. Lifee Iss Crazzyyjr. / Submitted: 7/7/2015 7:20 AM EDT (US Eastern Time) Email: isshufs@gmail.com / Phone: 82221732062 / Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro , Dongdaemun-gu, Seoul, Korea, 130-791, Damascus, Message: Dear Mr. President Obama and Mrs. First lady Michelle.
4133 Hi.
4134 I'm HUFS student from Seoul, Korea.
4135 How's your president family?
4136 I'm sick of my life cause I always mastervating with tranny prons. One day, I realize that I'm not going to die like this.
4137 2 decide to be a famous Korean male in USA history.
4138 Therefore, I am going to anal rape your second daughter Natasha. Is that okay?
4139 I think that bitch's asshole is much tighter than Malia Ann. So I need parents permission before the nigger anus.
4140 Do not worry about me: I eat lots of Kimchi so free from AIDS.
4141 I eager to penetrate nigro asshole before I killed by Kim Jung-un.
4142 Thanks.
4143
4144 As a result, the defendant tried to intimidate both US President Barack Obama and his first wife, Barack Michelle, but the victims did not reach the above postings, so they tried.
4145 2. Attempted second intimidation of defendant
4146 The defendant accessed the white house in the White House section of the White House in the above manner at the defendant's residence as described in paragraph 1 of the " . ... This is a warning message to terrorist attacks. In Korea, we will attack the US Ambassador Mark Ripert in Seoul again. Last time, the assassin 's heart I sent was so weak that I could not break Ripper' s artery. This time we will be preparing a well-trained assassin {traditional Cuisine-Professor) and kill the metabolism with a nuclear poison. Until the US forces dispose of chemical weapons on the Korean peninsula, we will slowly and surely discipline all your political comrades. It is an ultimatum. Wait for us, WIP Satan, Obama! I will see the dialogue soon after. ... 2).
4147 -------------------------------------------------- --------------------------------------------------
4148 2) The original text of the post is as follows.
4149 From: Dr. Korea Isis One / Submitted: 7/7/2015 1:26 PM EDT / Email: summer@hufs.ackr Phone: 82221732061 / Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu , Seoul, Korea, 130-791 Message: Declaration Terror to Mr. President Obama.
4150 A beautiful Evening is it?
4151 Right this is the warning message from the Terrorist Attack.
4152 Korea, we're going to re-attack US ambassador Mark Lippert in Seoul.
4153 So last time, my a5sassirator's mind is too weak to cut the ambassador's artery perfectly. End this time, we have been prepared by a well-trained traditional Cuisine-Professor and kill Him by nuclear poisoning.
4154 Ok? We'll keep you amputated all your political comrades slowly but surely one by one, until the US army eliminates Bio-chemical weapons in Korean Peninsular Mother Land.
4155 UltimatuM; 3xpects us, our WIP Archenemy Obama!
4156 LIMFAO, See mark Soon in your After-Life ......
4157 HUFSRO 4ourth 4inger
4158
4159 As a result, the defendant threatened to assassinate US Ambassador Mark Ripert, a foreign envoy to the Republic of Korea, if his intention was not met by US President Barack Obama, but he did not reach the victim.
4160 The point of evidence
4161 1. Witnesses Nam Sang-wook, Kim Jin-kwang, Kim Kyung-hwan
4162 1. Intimidating texts, English texts typed into each white house homepage, 4plebs.org site postings
4163 1. Digital evidence analysis report
4164 1. Investigative reporting (see additional postings on 4plebs.org site), investigation reports (crime facts and Hankuk University of Foreign Studies lectures), investigation reports (suspects found on OO computers, original capturing files) (Evidence list 13-1 to 13-4), investigation reports (for posts posted on 4Chan and 4Chan backup sites), investigation reports (for isis.png, usa.png file analysis), investigation reports (For the Nouveau dossier folder identified on the defendant's laptop), the 's.txt' file found on the defendant's notebook, the investigation report (the suspect for the OO laptop time zone setting confirmation), the investigation report (using the Google Chrome browser capture function Analysis of generated time information), investigation reporting (this OO notebook time information confirmation and re-imaging)
4165 1. Confiscation Record and Confiscation List
4166 1. Confidentiality (submission) integrity verification, seized material (submission) information
4167 Application of statutes
4168 1. The applicable law on crime
4169 Article 286 of each criminal law, Article 283 (1)
4170 1. Imaginative competition
4171 Article 40 of the Criminal Act, Article 50
4172 1. Type selection
4173 Jail option
4174 1. Weighting
4175 Article 37 of the Criminal Act, Article 38 Paragraph (1) Item 2, Article 50
4176 1. Confiscation
4177 Criminal Law Article 48 Clause 1 first
4178 Judgment of defendant's and defendant's claims
4179 1. On the illegality of seizure and search procedures
4180 end. Seizure method restriction violation
4181 1) The point of the claim
4182 The Seoul Central District Court on July 13, 2015 (the "Warrant for Warrant," 2015-18545, hereinafter referred to as "the warrant for this case") restricts the objects and methods of seizure, and in principle, The method of outputting the evidence is sufficient and the notebook computer itself can be duplicated. If the duplication is not possible at the execution site, the original export of the storage medium is allowed and returned within 10 days from the date of export.
4183 However, the defendant's laptop computer had already been cloned at the execution site, so it was taken out and stored as a seizure, even though it was not necessary to remove it.
4184 This is an unlawful seizure violation against a warrant, and the illegality may affect the entire seizure process, so all the evidence obtained from the seizure corresponds to evidence of illegal collection.
4185
4186 2) Judgment
4187 The object and method of confiscation of the electronic information set forth in this case warrant are as follows.
4188 The warrant is for confiscation, "computer hard disk, tablet PC related to the crime" is listed, and the confiscation of the storage device itself is allowed, the defendant's laptop computer is set to French time zone, It is confirmed that VMware is installed as an operating system operating program, so it is necessary to clarify time information and check and analyze the usage history of virtual computer in the future, thereby seizing and exporting the notebook computer itself, It is expected that the recognition of identity will be problematic and it seems to be an action according to necessity of confiscation of the storage medium itself in order to confirm the original electronic information. It is stated that the case warrant should not exceed 10 days from the original date of export unless there is special circumstances However, since this method stipulates the seizure method when seizing only electronic information, In this case, in addition to electronic information, if the original of the notebook computer itself is confiscated as an object of seizure, it can not be said that it is a violation of the method of confiscation of electronic information. In such a case, the seizure of this case is illegal seizure It can not be called search.
4189 I. Seizure search without guarantee of participation
4190 1) The point of the claim
4191 The search for electronic information should be regarded as a seizure process in the whole process of searching electronic information related to a criminal offense and outputting the corresponding electronic information in a document or copying a file. In this case, Not guaranteed.
4192 2) Judgment
4193 In summary, the following facts recognized by the evidence that the court has legally adopted and investigated suggest that, even if the investigating agency does not fully comply with some of the proceedings, the offense is the assurance of the participation of the defendant in the proceedings It can not be regarded as illegal.
4194 â‘ The defendant was lying in the bed with only his underwear in the execution process of the seizure search at the defendant's residence, and the defendant's family refused to film the seizure process, and the defendant and the defendant's family showed uncooperative attitude (The defendant was arrested in an emergency and lied on the floor with his / her clothes taken off after he was in. In the office of the police department of the Seoul Metropolitan Police Agency. Etc.).
4195 (2) The defendant's mother Kim OO participated in the confiscation process of the confiscated materials, and the contents of the storage device were modified, unchanged, and the seals were seized while creating the hash value and hash value of the defendant's laptop computer hard disk And that there was no abnormality in the seal, and the signatures of the integrity of the seized water and the information on the seized materials were unattended.
4196 ③ On the other hand, the defendant 's Mo Kim OO informed the police officer that he could participate in the seizure process such as the release of seizure of the seizure, duplication, etc. The police officer analyzed the hard disk imaging file of the notebook computer without participation of the defendant on the grounds that Kim OO 's decision to participate in the analysis process did not have a separate statement, but because the defendant (Article 121 and Article 122 of the Criminal Procedure Code states that if a participant does not participate in the execution of a seizure search warrant, he / It is difficult to say that the defendant raced after the emergency arrest and that the time of the emergency arrest was so rapid as to omit the notice of participation of the defendant's family in the process of analyzing the seizure. However, the seal and hash values ​​of the storage medium are preserved, the hash value of the hard disk of the laptop computer in this case is the same as the hash value of the file generated through the imaging operation, In view of the integrity of the document and the recognition of the identity, the imaging file appears to have not changed from the time of initial seizure until the time of submission of the evidence. Therefore, it is difficult to say that the analysis of the imaging file was done without the defendant '
4197 2. Proof of original identity and integrity of digital evidence
4198 end. opinion
4199 The defendant 's lawyer argues that the proof of the integrity of the digital evidence is not proven, so the evidence of the files and images printed on the defendant' s laptop hard disk should be excluded.
4200 ①Confirmation of integrity by comparing hash values ​​confirms that there has not been any change until the status of the digital evidence at the specific time (imaging time) is submitted to the court afterwards. Therefore, Identification can not be a guarantee of integrity. Before the police officer imaged the information stored in the defendant's laptop computer hard disk, the defendant made a search and browse for 40 minutes without taking measures to prevent a minimum of breaks such as " It is not possible to exclude the possibility that unsaved files or pictures are stored and written.
4201 â‘¡ The storage medium that needs to be sealed should also include an 'imaging file storage medium', and the police officer did not seal the storage medium of the file that imaged the defendant's laptop computer hard disk.
4202 I. judgment
4203 The evidence of integrity and identity in judging the evidence ability of digital evidence can be verified objectively and rationally according to the free trial of the authors by collecting the hash value confirmation, the testimony of investigator or digital potentiometer expert, It is important to note that the original identity and integrity of the digital evidence presented in this case has been proven in light of the following circumstances. Therefore, the defendant's claim is not accepted.
4204 â‘ According to the warrant for seizure of the case, the confiscated object is a computer hard disk, tablet PC, etc. related to the crime, and the investigation officer searched for electronic information in order to determine the relevance to the crime and the necessity of seizure, Of the total number of applicants.
4205 â‘¡ The seizure of the incident began on July 13, 1945, 2014. The investigating officer found the defendant's laptop computer, turned on the power on July 13, 2018, and searched for electronic information related to the alleged crime of the incident, and found a file, usa.png, And then shut down the notebook computer from 2015. 7. 13. 20:47:18 2015. 7. 13. 21:56:08 on the same day until 23:37:11 notebook HDD imaging operation .
4206 â‘¢ As a result of analyzing the defendant's computer imaging file with Encase, a digital evidence analysis tool, the image file isis.png, usa, which captures the contents of the 'Contact the White House' page of the white house website related to each case of this case. The creation and last modified date of the png was confirmed before the seizure of the incident.
4207 â‘£ The investigating officer found the isis.png, usa.png, and s.txt files related to the offense on the defendant's laptop computer and checked the source of the file to the defendant. In the presence of the defendant's OO, In the process of seizing the incident, police officers do not show the circumstances in which they excluded the right of participation of the defendant and the family member.
4208 ⑤ The defendant's mother Kim OO participated in the seizure process of the confiscated materials, and after the defendant's computer hard disk was cloned, the contents of the storage device were modified while the hash value was generated and the hash value was generated, The fact that the seal was sealed and that there was no abnormality in the seal and the integrity of the seizure and signature of the information on the seizure were unattended.
4209 (6) The hash value of the hard disk of the notebook computer in this case is the same as the hash value of the file generated through the imaging operation, and the integrity and the identity of the document output from the file generated through the imaging operation are recognized. As long as the seal and hash values ​​for the storage medium are preserved, the defendant's argument that the storage medium of the duplicated copy (imaging file) must be sealed at the confiscation site and that evidence capability should be excluded in case of violation.
4210 Reason for sentencing
4211 The defendant caused an international wave not only in Korea but also in Korea by posting a rape on Obama's young daughter and an attempt to assassinate US Ambassador to the United States, Mark Ripert, in the column of the US White House complaints column. Although the crime of each of these cases has been attempted, it is very inferior in light of the crime method and crime.
4212 On behalf of the US government, the Embassy of the United States of America (the US Embassy) has indicated that the offense is a serious threat to the US government and that it intends to seek thorough investigation and punishment.
4213 The defendant is not satisfied with the situation after the crime, such as showing the defendant 's attitude from the investigation stage to the court, the defendant' s behavior and the risk of re - punishment.
4214 However, considering the fact that the defendant is the first person, and the defendant's age, family relationship, home environment, the motive and means of the crime, and the circumstance after the crime, To be determined.
4215 Innocent part
4216 1. Point of circumstance
4217 The defendant accessed the White House Contact Us White House by using the defendant's laptop (model: lenovo B490) at each time and place listed in the crime of criminal offense, Obama and Barack Michelle (first threat), and victim Barack Obama (second threat).
4218 2. Judgment
4219 end. As long as the other person recognizes the meaning of the harmfulness enough to cause the person to be afraid, regardless of whether or not the other person is frightened realistically, If the applicant does not acknowledge the meaning of the evil, or if the opponent fails to perceive the meaning of the evil, he / she will only be tried for the threat of intimidation (Supreme Court Dec. 2007, Dec. 2007, Dec. 606) Reference).
4220 I. The content of each case in this case is considered to be a notice of harmfulness enough to cause victims to fear, but the evidence submitted by the attorney about whether or not the notice of such harm has actually reached the other It is not enough to admit it and there is no other evidence to admit it. Therefore, it is difficult to see threats reach the nose.
4221 All. conclusion
4222 In the end, the circumstantial indictment of the crime shall be deemed innocent by the end of Article 325 of the Criminal Procedure Act, but if the accused is a preliminary indictment, Not.
4223 The judge (with no signature)
4224
4225 [Seizure, search, and verification of electronic information stored in information storage media such as computer disks]
4226 end. Search and verification of electronic information
4227 If the purpose of the investigation can be accomplished only by search and verification, search and verification without confiscation are required.
4228 I. Seizure of electronic information
4229 (1) Principle
4230 Only the electronic information related to the allegations after the search and verification in the storage media can be confiscated or copied to a storage medium carried by the investigation agency.
4231 (2) Hard copying, imaging (hereinafter referred to as "reproduction") of the storage medium is permitted
4232 (A) Replication at the execution site
4233 If it is impossible to execute by output or copy, or if it is considerably difficult to achieve the purpose of confiscation 3) Only the storage medium can be copied
4234 -------------------------------------------------- --------------------------------------------------
4235 3) The following cases shall apply.
4236 1. If the person to be eavesdroppers do not cooperate or can not expect cooperation
4237 2. Where electronic information that is likely to be related to the allegation is deleted or found to be obsolete
4238 3. If execution by copying or printing violates the tranquility of the business activities or privacy of the person to be eavesdropped
4239 4. Other equivalent
4240
4241 (B) The export of the original of the storage medium is permitted.
4242 (1) In the case of (a) above, if the reproduction of the storage medium is impossible or extremely difficult in the current edition of the executive act, (4) only the original of the storage medium is sealed under the participation of the suspect, Can do
4243 -------------------------------------------------- --------------------------------------------------
4244 4) The following cases shall be referred to.
4245 1. Hard copying and imaging in the field is physically and technically impossible or extremely difficult.
4246 2. Hard copying, execution by imaging, violates the tranquility of the business activities or privacy of the person to be confiscated
4247 3. Other equivalent
4248
4249 2) The original exported by method 1) above shall be opened with the participation of the intruder, reproduced and returned without any delay, but not more than 10 days from the original export date, unless there are special circumstances.
4250 Middle omission
4251 (3) Precautions for confiscation of electronic information
4252 (A) A list of electronic information confiscated by the person to be confiscated shall be issued. (The grant of the list may be replaced by the issuance of a copy of the final confiscated printed matter or electronic information through the procedure of paragraph (2) above.
4253 (B) Sealing and unsealing may be done in physical way or in the way of both parties such as the investigating authority and the person to be confiscated by setting the password. When copying or duplicating, it is necessary to check the hash function value, seize, And a method to confirm the identity with
4254 (C) The right to participate should be ensured through the whole process of seizure and search, and in case of refusal to participate, seizure and search should be done in a considerable way to ensure reliability and professionalism.
4255
4256 It is a copy.
4257 November 15, 2016.
4258 Seoul Central District Court
4259 Hwang Mi-young
4260
4261 ※ You can check whether the document has been faked or not by using the issue number search menu of the event search computer installed at each court's civil affairs office or by inquiring the court in charge and inquiring the issuance number shown at the bottom of this document.
4262
4263 Criminal judgment, reading, copy restriction application
4264 1. Reason for application
4265 A litigant in a criminal case may apply to limit the reading and copying of a criminal judgment, etc. in the following cases:
4266 â—‹ If the disclosure of the lawsuit records is likely to seriously undermine the honor and privacy of your identity or the life, safety of your body or the calmness of your life
4267 â—‹ If there is a concern that the trade secret of the applicant (the "trade secret" in Article 2 (2) of the Act on the Prevention of Unfair Competition and Trade Secrets)
4268 2. Eligibility: Legal person involved in a criminal case
4269 A representative of a defendant who is a defendant, a defendant, an assistant, a legal representative, a special representative under Article 28 of the Criminal Procedure Act, a complainant, a victim or a legal representative thereof, a witness or a legal representative thereof in accordance with Article 340 and Article 341
4270 3. How to Apply
4271 Apply to the court clerk, court clerk, court clerk, court chief of the court holding the litigation record (after the judgment is finalized, the court that sent the judgment)
4272 4. Legal basis: Article 59-3 of the Criminal Procedure Act