Dec 30, 2018, 07:00 AM
++++++++++++++++++++ police investigation documents ++++++++++++++++++++

1st round

Kwak Dong-kyu Q: What is the current state of the suspect? (Investigators wrote that they used a monotonous body when they wrote it, but it is different from the actual one.)
Answer: There is no place to be particularly sick.

Kwak Dong-kyu Q: Is there any obstacle to the investigation?
Answer: There is no interference with the investigation.

Kwak Dong-kyu Q: Has the suspect been sentenced to criminal prosecution or prosecution?
Answer: I once went to the Dongdaemun Police Station and wrote a letter of appreciation.

Kwak Dong-kyu Q: What will happen to the Dongdaemun Police Station?
A: In the year of 2011, I was going out of Shinnimun Station subway station and passing through India, and somebody was ahead of me, but I have the fact that the police have just checked me. The reason for the inspection is that I have lost one camera at the Lee Mun Sung Cultural Center. I was taken to the Dongdaemun Police Station because I was a suspect, and I received a DNA test there, but I remember that there was no punishment.

Kwak Dong-kyu Q: Do you know what the suspect is currently under investigation for?
Answer: I know. I know that I have been investigated for threatening to kill White House Obama and for threatening to murder US ambassador to Ripper.

Kwak Dong-kyu Q: The suspects were arrested on July 14, 2015 at the Seoul Metropolitan Police Agency, Cyber Investigation Division. Is it true?
Answer: Yes. At that time, there was a fact that I was arrested and notified of the Miranda principle in my room.

Kwak Dong-kyu Q: Were there any items that were confiscated at the time of arrest?
A: I know I had a hard copy of the computer from the detectives who had executed the seizure before the arrest, and I was told that I had done so, but I know that the computer hard disk was not confiscated. I just heard that the investigator (Kim Young Rae) who was conducting the investigation just before confiscated the notebook and USB original.

Kwak Dong-kyu Q: Say military service.
A: In January 2005, I served the sergeant in the 9th Division of the White Horse.

Kwak Dong-kyu Q: How was your military life?
A: Military life was very hard. There were eight senior members for four months, and seven of them were Jeolla people, and it was hard for them to harass.

Kwak Dong-kyu Q: What is blood type and religion?
A: He is O, and there is no religion.

Kwak Dong-kyu Q: What is your height and weight?
Answer: Height is 168 centimeters, weight is 72 kilograms, blood type is O type.

Kim Young-rae Q: Just before the arrest, the suspect said that he drank a beer in front of the investigator (Kim Young-rae) in his room and had already mixed beer and liquor.
A: Yes, I remember the situation at the time.

Kim Young-rae Q: What is the usual amount of money for the suspect?
Answer: Weak beer is between 500cc and 1000cc. Drinking that much is like sleeping.

(A hangover remained at the time of the first and second police investigations.)

Kim Young-rae Q: Do you usually drink regularly?
A: I have an irregular life, and I usually drink when I can not sleep.

Kwak Dong-kyu Q: Tell me your academic background.
A: I graduated from Kyungbok High School in 2000 and graduated from Yongin Campus (now Global Campus) of Hankuk University of Foreign Studies for 4 years.

Kwak Dong-kyu Q: Did you have a major or minor in college?
A: Major is Digital Information Engineering, minor is Biochemistry (now Chemistry). In the school itself, one day, suddenly, without a proper notification to the students, the major of biochemistry was lost and changed into chemistry. So, when I wrote my graduation thesis, the major was in digital information engineering and the minor was listed in biochemistry. But when I write my resume while working, biochemistry seems to have falsified my resume with a missing department. I became disadvantageous to Hankuk University of Foreign Studies where I graduated.

(At about 14:59, the suspect has been appointed to the counsel, so he confirms the counsel's appointment and pauses the investigation to give him time to help.)

(At 15:25, he resumed the investigation with the participation of lawyer Park Chul-Hyun, and participated in the investigation by Nam Sang-wook (cyber criminal investigation investigator).)

Son Woo-sung Q: Do you mean that you have negative feelings about Hankuk University of Foreign Studies?
A: I have a dissatisfaction rather than a bad reputation.

Son Woo-sung Q: What is the major area of Digital Information Engineering?
A: It is related to digital computer, Internet communication.

Son Woo-sung Q: (in a coercive manner) If the main subject of the suspect is digital information technology, will the suspect have a knowledge of computers?
A: Yes, I think so myself. (The accused also gave other answers but only recorded this.)

(The investigators around me kept asking me to be a computer expert, a hacker, or a hacker, so I went for a high-level test. I asked for an objective test to verify my computer skills, but I did not record any related questions.)

Son Woo-sung Q: Did you ever do other activities such as student councils at university?
A: I did not go to the student council, but I spent about a year in my first year at the school. The suspect stated to the investigator, "I went one day and asked to pay for the subscription fee, but I quit."

Kim Young-rae Q: What happens to property, property, and monthly income in the name of the suspect?
Answer: I know that my mother bought my brother's studio in my name, and now I have no savings or savings in my name at all. There is no monthly income.

Kim Young-rae Q: Who is the current cell phone number and name of the suspect?
Answer: There is one pink LG mobile phone that I joined as my mother's name. I rarely use it, so I can not remember the phone number.

Kim Young-rae Q: Do you mean that the suspect can not remember the cell phone number he is using?
A: Yes, I can not remember.

Kim Young-rae Q: Why are you using a mobile phone that is subscribed to your mother's name instead of your name?
A: I do not like to use a cell phone, and I do not want to use an electric wave.

Son Woo-sung Q: What about family relationships?
Answer: I have a parent and a younger brother (OO, OO birth), Mo (Kim OO, OO birth), brother (OO, OO birth).

Son Woo-sung Q: Where is the suspect currently residing?
A: I am currently living with my parents at my parents' home.

Son Woo-sung Q: When did you live with your parents?
A: I live with my parents from birth to the present, except for one thing I did when I was in college (the suspects stated that they stayed for two years but did not record them).

Kim Young-rae Q: What is the suspect currently doing?
Answer: I am unemployed.

Kim Young-rae Q: How do you use your living expenses?
Answer: No special expenditure.

Kim Young-rae Q: There is no special expenditure. If you are a normal person, you will need to pay a certain amount of money, such as transportation expenses, when you go out.
Answer: I use it because I ask my parents, and I do not go out, and I continue studying at home at home.

(Investigator Kim Young-rae asked the suspect "How did you live in the expensive 45-pyong apartment? Where did you go to buy goods at Costco?" The suspect said, "The apartment is the parent. I have not been listed in the dossier, but I am a man who knew that I was buying goods at Costco, my parents and those who worked at the KBS Press Office. At that time I bought two cakes at Costco, CNN translator, Lee Seung-yeon, a 5 to 6-year-old woman, said, "I have seen this cake selling at Costco, I am a costco jockey?" And I said, "I bought it at Costco, I bought it at a reunion point." The police Knowing to see KBS at home and knowing to see the chief at Costco is very relevant to KBS, or at this time the police investigated all of their parents' financial information and found out that they frequently use Costco.)

Kim Young-rae Q: Do you mean that the suspect is only studying in the house without going out?
Answer: Yes, yes. After leaving the company around 2013, I have been living in a house because I do not want to be disturbed by other people.

Son Woo-sung Q: Tell me about social activities after military service.
A: In 2005, I was discharged from the military and worked at a gas station for about three months. After graduating from college in 2009, I worked for a chemical company that did not remember my name for about two weeks. I went to KBS reception in 2011 and worked until 2013.

Kim Young-rae Q: What is KBS receptionist?
A: I was in charge of English translation work, including foreign news. (The investigator emphasized English translation.) The suspect did not record a statement that "recording the foreign news and delivering it to the editorial office was the main task."

Kim Young-rae Q: Does the suspect become an English speaker, translating foreign news, etc.?
A: I think that is enough.

Kim Young-rae Q: So the suspect will speak English very well?
A: TOEIC is about 780 points, TOEFL is about 82 points.

Kim Young-rae Q: Have you ever worked in other places related to English?
Answer: I just told Citibank that I had worked for about two months in Citibank. When I joined the Citibank, I went into English language grades.

(Nam Sang-wook's investigator came back and Son Soo-sung investigated him and questioned him, but he did not record it.)

Nam Sang-wook Q: Looking at the criminal history of the suspects, the Seoul Northern District Prosecutors' Office on Sept. 28, 2012 dismissed the theft of nightly buildings.
Answer: In the previous survey, I went to the Dongdaemun Police Station and stated that I was investigated as a camera suspect.

Nam Sang-wook Q: How many computers are installed in the suspect's residence?
Answer: I have one integrated PC in my room, and I have a desktop and a laptop in my room.

Nam Sang-wook Q: Does the suspect play internet games?
A: I do not play internet games.

(Nam Sang-Uk investigates again, but does not record it in the dossier)

Kwak Dong-kyu Q: What is the main purpose of computers?
Answer: A desktop installed in my room (no built-in personal computer with a special name (brand name) purchased on the internet) (Kim Young-rae instructs investigator Kwak Dong-kyu, who plays keyboard, to insert parentheses in the record and record the contents in parentheses.) Is not used because it is broken and the notebook (Lenovo) is mainly used to study French.

Kim Young-rae Q: How do you study French with a laptop?
Answer: I use it as a way to watch a language learning program (Rosetta Stone) through a laptop. (The suspect stated that he also used Fluenz, another language study program, but Kwak Dong-kyu, the investigator, omitted it arbitrarily.)

Kwak Dong-kyu Q: What Internet sites do the suspects access?
A: I usually search Google, and I am connecting mainly to 4chan site like this.

Kim Young-rae Q: What is 4chan site?
A: It's a site like Dish Inside (a kind of free bulletin board) in Korea, which is used by various people all over the world.

Kwak Dong-kyu Q: What do you usually search on Google or 4chan sites?
Answer: Google is used to look up French words in images, while 4chan site is used to watch frivolous videos.

Kim Young-rae Q: When was the last time you searched Google or 4chan site?
Answer: I do almost every day, so there is no need to specify a date. (The suspect stated in each of the two questions of the investigator that "Google uses every day for every day of study," "4chan uses one or two times a week," but the investigator ties the two questions together and runs Google and 4chan daily Recorded.)

Kwak Dong-kyu Q: What happens to the internet company that is using the subscriber's house?
Answer: The internet company we use at home is Tibor Road. (Investigators showed the evidence to the suspect in advance of the question and informed the information. Attorney Park Cheol-hyun does not object.)

Kwak Dong-kyu Q: Are the suspects using blogs?
A: I am using a blog spot from Google.

Kwak Dong-kyu Q: Do you have a blog created by the suspect?
Answer: Yes. I have only about 10 blogs that I've opened only in Google, only bosulachi I can remember the address and I can not remember the rest.

Kwak Dong-kyu Q: Do you have any blogs that have been opened elsewhere, such as Naver?
A: I do not have any other blogs that use Google only.

Kim Young-rae Q: When did you create a blog such as bosulachi?
A: It is remembered that it was opened around 2014 to 2015.

Kwak Dong-kyu Q: What was your blog for?
A: It was created to organize political opinions.

Kim Young-rae Q: What do you mean by political views?
A: I am standing on the conservative side and criticizing the North Koreans.

Kwak Dong-kyu Q: Have you ever posted a political opinion through a blog?
Answer: Yes. I have expressed my political views on all the blogs I've opened in Google.

Kim Young-rae Q: What are the details?
A: The first is "North Korea's intervention in Gwangju," and the second is "opposing reunification." I will say that much. You can see the blog directly. (These comments were not advocated by the suspect, but discussed blogging issues on the Internet at the time of the investigation.)

Kwak Dong-kyu Q: Does the suspect know the ISS program at Hankuk University of Foreign Studies?
Answer: I do not know.

Kwak Dong-kyu Q: Does the suspect know the hufs?
Answer: Yes. Hankuk University of Foreign Studies site.

Kwak Dong-kyu Q: Does the suspect know the mail account at summer@hufs.ac.kr?
Answer: I do not know.

Kim Young-rae Q: Have you used or used the above e-mail?
Answer: Never used.

Kwak Dong-kyu Q: Dr. korea Have you ever used a nickname Isis One?
Answer: I have not used it.

Kim Young-rae Q: Do you know the above nickname?
Answer: I have no idea. I saw it for the first time.

Kwak Dong-kyu Q: 8221732061 Do you know your phone number?
Answer: I do not know.

Kim Young-rae Q: Have you used the above phone number?
Answer: No.

Kwak Dong-kyu Q: The suspect is July 7, 2015. Have you accessed the White House website around 20:20?
Answer: Not at all.

Kim Young-rae Q: Do you have access to the US White House homepage even if it is not the above date?
Answer: No, never.

Kwak Dong-kyu Q: Did the suspect ever visit the website of the White House on the above date and time?
212 'From: Mr. Dong, Seoul, Korea, Seoul, Korea, Seoul, Korea), Address: Kangwon National University, Korea, 130-791, Damascus', and the following text Message: Dear Mr. President Obama and Mrs. First lady Michelle.
213 ===========================
214 Hi.
215 I'm HUFS student from Seoul, Korea.
216 How's your president family?
217 I'm sick of my life cause I always mastervating with tranny prons.
218 One day, I realize that I'm not going to die like this.
219 I want to be a famous Korean male in USA history.
220 Therefore, I am going to anal rape your second daughter Natasha.
221 Is that okay?
222 I think that bitch's asshole is much tighter than Malia Ann.
223 So I need parents permission before the nigger anus.
224 Do not worry about me: I eat lots of Kimchi so free from AIDS.
225 I eager to penetrate nigro asshole before I killed by Kim Jung-un.
226 Thanks.
A: Not at all.

Kim Young-rae Q: Did the accused see the English version of the White House homepage that the investigator showed?
Answer: Yes.

Kwak Dong-kyu Q: Can I interpret the English content?
A: Yes, you can.

Kim Young-rae Q: So, is it possible to do the opposite?
A: It is better than that. And the English content and the writing style I write are wrong.

At this time, notice the contents of English translated into Hangul against the suspect.

Kim Young-rae Q: The suspect heard the above-mentioned English content translated into Korean directly from the investigator?
Answer: Yes, I heard it.

Kim Young-rae Q: To summarize the above content, the man who posted the above statement "lacking masturbation, raping the second daughter of President Obama in America, becoming a Korean man famous in American history" It is shown. What do the suspects think about the contents of the above?
A: I do not think I posted this on the White House homepage.

Kim Young-rae Q: Why do you think the suspect was raised by an American student?
A: On the streets, Obama is thinking that people are the most likely to approach the United States.

Kwak Dong-kyu Q: If I see Obama, the president of the United States, saying that raping his daughter is rape, I think he feels quite frightened. What do you think of the suspect?
Answer: Yes, yes.

Kim Young-rae Q: What do you mean by "yes, yes"?
Answer: Obama is also saying that you can feel the fear. (The investigator asked her whether she was afraid to apply the alleged threat.)

Kwak Dong-kyu Q: Do the suspects know that the US Ambassador to Korea, Ripert, was arrested in Korea in March 2015?
A: I've posted articles that I know from the press and strongly criticize people who have tackled my blog.

Kwak Dong-kyu Q: How do you think the suspect will accept if Ambassador Ripper has seen these intimidating posts?
A: I feel like I get the same feeling (fear) as Obama before.

Kim Young-rae Q: In the case of Ambassador Repert, I am living in Korea, and since I have actually received an assassination, is anyone seen to be able to attack if I feel like it?
Answer: It is very likely.

Kim Young-rae Q: Does the suspect think of the relationship between the United States and Korea?
Answer: I think it is an alliance.

Kwak Dong-kyu Q: Is the fact that the suspect stated that he used the notebook (Lenovo) alone in the suspect's residence?
Answer: Yes. There is a fact that said. I am using my laptop at home. I have set the password so I can not use my parents or even my brother.

Kwak Dong-kyu Q: Just before the arrest of the suspect in the residence of the suspect, did the suspect know that he had executed a seizure search warrant at the Cyber Investigation Department of the Seoul Metropolitan Police Department and checked the notebooks used by the suspect?
Answer: Yes. I know what I have checked about the laptop I was using at the Cyber Crime Department of the Seoul Metropolitan Police Agency.

Kim Young-rae Q: The suspect clearly stated that he used the notebook alone (Lenovo)?
Answer: Yes, yes.

Kim Young-rae Q: July 7, 2015. The original text of the intimidating statement about raping the US President Obama's daughter was posted on the White House post. However, according to the cyber criminal investigation center of the Seoul Metropolitan Police Agency, about one minute later, the suspect discovered that the file was saved as 'isis.png' in the M / Bureau / to folder at the bottom of the Document and Setting folder of the suspect, Did not upload the post above?
Answer: The OS (Operating System) that was laid on my laptop is in France time zone. If you check it, there will be time difference. I can clearly see that it is not my post based on time difference.

At this time, I stopped the investigation for dinner. (Investigators gather together to talk in a heated expression.)

Kwak Dong-kyu Q: Is this statement true?
Answer: Yes.

Kwak Dong-kyu Q: Do you have any more to say?
Answer: I will leave it at the time of two times. (Although the suspect said, "No," the lawyer Park Chul-hyun, who was sitting there, wrote the suspect as it was written.)

Second round

At this time, we show one newspaper report to the accused,

Kim Young-rae Q: Are the contents of the one-time statement all right?
A: Yes, all right.

At this time, under the participation of lawyer Park Cheol-hyun,

Kim Young-rae Q: Detention of the suspect's residence One laptop in the study room, one desktop in the suspect's room (with two computer hard disks, one hard disk next to it), Desktop 1 in the library There was a discovery, and try to make statements about the purpose of each computer use.
A: Lenovo, which was kept in the study room, is used by myself only for French study and internet connection. I use the desktop in the room where I sleep, I am not using it because of a computer failure due to a computer breakdown in 2013, and I use the desktop in the library sometimes for the purpose of searching the Internet and it is a computer that my parents use mainly.

Kim Young-rae Q: Lenovo (s / n: WB09564311), a notebook found in a suspect's residence, is used only by suspects. When did you use the above computer?
A: After the desktop computer crashed around 2013, I bought it on the Internet and used it myself.

Kim Young-rae Q: I have been told that I want to access the Internet.
Answer: I am mainly visiting 4Chan.org and the Google blog I run.

At this time, July 20, 2015, the investigation report (suspects found in the OO computer, the original capture file) isis.png, usa.png file shows the output to the suspect.

Nam Sang-wook Q: July 14, 2015 In the Digital Evidence Analysis Center of the Seoul Metropolitan Police Agency, the computer analysis program Encase was used to generate the suspect notebook hard disk as a separate imaging file, As a result of the investigation, it was found in the isis.png and usa.png files found on the suspect's notebook that the US President threatened to rape Obama's daughter and threatened to terrorize US Ambassador Ripper, This is a picture file that you capture.
Answer: I mainly visit 4Chan.org and I do not know exactly whether I have read, captured, downloaded, correctly captured or downloaded the posts posted on the above site. (The suspect was suspicious of Google image search in addition to 4Chan, where he investigated the definition and difference of the capture and the download.) The suspect considers the capture and download to be mixed and writes mixed, and the investigator catches the pod This was not recorded in the record.)

Nam Sang-wook Q: What capture program did you usually use?
Answer: I use the capture program which is an extension of Google web browser. (The investigator asked for the name of the capture program.) The suspect wrote four or six capture programs from Google search and said they did not know the name of each one.

(The investigator asked how long it took to write, and stated that the suspect took two to six hours.)

Nam Sang-wook Q: How do I capture it?
A: When you look at the Google web browser, you will see a 'camera' icon at the top of your web browser. Click on the icon to capture all the screens you see in your web browser.

Nam Sang-wook Q: Do you use any extensions to save what path to save when capturing?
Answer: I can specify the storage path arbitrarily, and I usually save a lot on the desktop, and use the png file extension. The png file format is mainly used because the picture quality is clear.

Nam Sang-wook Q: Do not you use another capture program?
Answer: I use some other programs, but the Google Chrome browser has a convenient capture function.

Nam Sang-wook Q: What kind of website is 4Chan.org?
A: There are many different kinds of articles posted. I mainly read political and sexual writings.

Nam Sang-wook Q: What is sexual content?
Answer: The most exciting thing I have seen recently is that a woman is pissing.

Nam Sang-wook Q: What information do the suspects post on the site?
A: I do not post articles like YAHAN video, but I am posting mostly political content in Korea. (The suspect posted the same thing on the blog as well, with about 2 postings in English, like 4Chan.)

Nam Sang-wook Q: I will check back isis.png, usa.png. (The investigator showed me the file again.) Did you download the above file or capture it?
Answer: I read the above picture again and got it.

Nam Sang-wook Q: July 13, 2015 When we confiscated the seizure, we told our investigator that the above file was captured. And in the previous statement, I stated that I did not know whether I was downloading or capturing. Why am I clarifying again that I have downloaded the statement again?
Answer: The photographer showed the photo size of the photo file today. And yesterday, I said capture and download are mixed, so I just say capture. I did not even read the above photo on the 13th.

Nam Sang-wook Q: 2015. 7.13. At the time of the seizure, the cyber criminal investigator of the Seoul Metropolitan Police Department asked me several times to check the above photo.
Answer: Yes. Requested.

Nam Sang-wook Q: But why did not you read it?
Answer: I was lying because I was bored.

Nam Sang-wook Q: I was searching for confiscation.
A: I did not want to get up because I was still sleeping while I was drinking.

Nam Sang-wook Q: At the end of the seizure search, you saw the picture of the manuscript (White House photo) through your mother and mother.
Answer: I confirmed the picture, but it was not the above picture. (The suspect clearly remembered the pictures stored on his mother's cell phone, but it was not 4chan.)

Nam Sang-wook Q: How do I download picture files from the Internet?
Answer: When you right-click, there is a download button, which is downloaded by pressing the button above. The save path is mainly saved on the desktop, and sometimes the file name is changed or not.

Nam Sang-wook Q: Why am I changing the file name?
Answer: If you do not normally change it, but the file name is too long or the file name contains special characters, change the file name.

Nam Sang-wook Q: What do you usually name the file name?
Answer: There is no reason to change the actual filename when downloading. However, if the filename is too long, it is difficult to keep it on my computer and change the filename. (The statement "It is difficult to identify" in the statement is written by the investigator as it is intended.) The suspect stated "I do not change the name to make it easier to identify."

Nam Sang-wook Q: Do you save the file name with a special name when saving?
A: If the file name is long, cut off the last part of the file name, or select the whole file name and save it as short name with no meaning.

Nam Sang-wook Q: When the suspect downloaded the photo file from the internet, he said that he would save the file as randomly. How was the original text file named "isis" and "usa"?
Answer: I do not know isis.png and usa.png is my favorite word. (The suspect has demonstrated to the investigators and lawyers the possibility of entering the isis via the keyboard location, but the investigator noted that he was not sure.)

Nam Sang-wook Q: How was the email address used to write the Obama intimidation 'isshufs@gmail.com'? How did the suspect save the file and save the file as 'isis'?
A: I think Iss and Isis are different.

Nam Sang-wook Q: When the above captured file is saved on the suspect computer and the time it was created isis.png (Obama threats) file will be released on July 7, 20:20 pm, usa.png The intimidation article for this article was confirmed on July 8, 2015 at 02:27. Also, the time for the obsession for Obama to be posted on the US White House website is around July 7, 20:20, and the article on the reporter is scheduled for July 8, 2012, It's possible.
Serial Number / Content / Time / Time Difference
1 / Time Obama Obscene Writes to the White House / June 1, 2015. 7. 20:20 / about 1 minute
2 / The Obama intimidating text was created and saved on the suspect computer / July 20, 2015
3 / Repert Thousand Times posted on the White House / Jul. 8, 2015 / about 1 minute
4 / Time of the protest manuscript created and saved on the suspect computer / June 8, 2015
The suspect stated that he had downloaded and stored the contents posted on the Internet to the suspect computer. Did he / she read the threat on the Internet and stored it on the victim's computer as soon as it was posted on the White House?
Answer: My computer is set to French time zone and 4Chan.org site is US site, so there will be time error. (The suspect had misunderstood 4Chan.org as a US site, according to Wikipedia, 4Chan.org is a Japanese site.)

Nam Sang-wook Q: The suspect laptops are set up with OS operating system in French language and the time zone is also based on Paris time. So, there is -7 hour time difference with Korea. However, when analyzing with the Encase analysis program used by the investigation agency, it is possible to clearly see the time generated and the modified time by changing the above French time zone to the domestic time zone, and thus the above generation time is the domestic time.
At this time, the suspect is shown the access time of the isis.png file, and it is arbitrary.
As a result, the cyber criminal investigation center on July 13, 2015 will try to access the above file. Therefore, the above access time will be indicated on July 13, 2015. In conclusion, the time that was created on the suspect computer was the Korean time. So, as in the previous question, is someone reading a post in the White House in just one minute and storing it on the suspect computer, and can this behavior be repeated twice?
At this time, the FBI requests the suspect and displays the text and time information sent by the FBI.
Answer: I do not know.

Nam Sang-wook Q: Is it possible to do the above work in just one minute?
A: It will not be possible in a minute.

Nam Sang-wook Q: If the suspect thinks it is not possible, is the suspect posted?
Answer: If it is possible, I think that it is impossible if it can be done by myself and it is impossible. Nam Sang-wook, who had heard the statement, was staring at him for a long time with a very questionable look.

Nam Sang-wook Q: So the suspect is monitoring the White House intimidation posts posted by others in near real time, then checking them and storing them on the victim's computer?
A: You have not monitored it in real time. There is no such ability. (Here, 'real-time monitoring' refers to reading a new article updated in real time by accessing the White House site.)

Nam Sang-wook Q: What type of web browser do suspects use when accessing the Internet?
A: I am using a Google Chrome browser.

Nam Sang-wook Q: Is the fact that the suspect accessed the White House website?
Answer: I have never been connected.

At this time, the picture file 'screencapture-www-whitehouse-gov-thank-you-1436290042624.png' attached to the White House homepage written by the suspect computer is displayed.

Nam Sang-wook Q: If you look at the above picture file found on the suspect computer, it is the screen capture of the homepage of the US White House and it starts with "Thank you for contacting the White House". It is confirmed that the captured file is captured directly from the suspect computer through Capture, an extension function of the Google Chrome web browser. Is it true that you have written the article by accessing the White House website?
Answer: I downloaded the picture file with the above file name.

Nam Sang-wook Q: If you check the date and time of creation of the above capture file, you will be notified of the date and time (June 8, 2015, 2015) The same is true. After the complainant wrote the reputation, did not the output screen of the completion of the caption be captured on the suspect computer using the extension function of the Google Chrome browser and saved?
A: I do not know this.

At this time, July 20, 2015, the investigation report (4Chan and 4Chan about the posted on the backup site) shows the picture file attached to the optional.

Nam Sang-wook Q: The suspect stated that he had downloaded the above picture file on the 4Chan.org website by referring to Repert's intimidation article. It is about 02:31. And the time of the above threat pictures on the suspect computer is around July 8, 2015. How can the time saved on the suspect computer be faster than the time posted on the 4Chan.org site?
Answer: I do not know.

Nam Sang-wook Q: Did not the suspect write the blackmail and post it on 4Chan.org?
A: Not so. I have a problem with my computer and I have some malicious code.

At this time, the text file s.txt found on the suspect computer is displayed to the suspect and attached to the end of this document.

Nam Sang-wook Q: If you look at the date of creation of the above text file, the file creation date is around April 10, 2014, 16:59. If you look at the contents, you can see the email 'isshufs@gmail.com' "I will kill Ambassador Ripper by penetrating the US embassy in Korean," "Obama will kidnap a small daughter and rape my anus", and the Twitter address listed in the intimidated article "http://twitter.com/isis_med 'And a text file of the Obama intimidation text was found. When and why did you write the above sentence?
Answer: I do not know.

Nam Sang-wook Q: Did you post the threats in the White House with the above phrase written in English?
421 A: I have not.
422
423 At this time, the photo files found on the suspect computer are shown as 1.jpg, 14.jpg, 10.jpg, 8.jpg, 4.jpg, 2.jpg, 1.jpg, 18.jpg, 5oe254mvhpke.jpg.
424
425Nam Sang-wook Q: The above file access time is around Jul. 7, 21:28. In the above photo, Repert was threatened with terrorism by Kim Ki-jong, Kim Kyeong-jong and Obama, and the time for the reporter and Obama to be intimidated by the intimidation was reached on July 7, 2015. You read a picture of the aptitude episode, right?
426 Answer: It's what I saw because it was stored in my folder. However, I did not write intimidation article.
427
428Nam Sang-wook Moon: The threat pictures stored on the suspect computer were created on the suspect computer on March 6, 2015. For some reason, all the threat pictures were uploaded on July 7, Did you read it?
429 A: It seems that all files are accessed at that time while the folder is being organized, and the access time has changed.
430
431Nam Sang-wook: Unfortunately, Obama and Reporter's threats were posted on the White House on July 7, 2015.
432 A: I do not know that.
433
434 At this time, July 27, 2015, the investigation report (for the search warrant application for), attached to the [Foreign Foreign Ministry, the Foreign Ministry confirmed the article on the page] is shown,
435
436Nam Sang-wook Q: In the above article, I used 'email summer@hufs.ac.kr' using ip 124.197.152.111 on July 7, I do not know if this is the case. For reference, the above IP address 124.197.152 is the IP address of the defendant's residence. Because the suspect is a floating IP, the last number can change each time.
437 A: I did not post it.
438
439Nam Sang-wook Q: Then who posted it?
440 Answer: I do not know.
441
442Nam Sang-wook Q: I'm sure you posted the above article in the suspect's IP band. Do you really not know?
443 A: I do not remember.
444
445Nam Sang-wook: When you click the url link posted on the above article, the internet address http://boards.4chan.org/pol/thread/47625963 is verified. If you connect to the above url, 'isshufs@gmail.com' e-mail is being written to 'isshufs@gmail.com'. Do not you know?
446 At this time, please attach http://boards.4chan.org/pol/thread/47625963 url link printout at the end of this document.
447 Answer: I do not know. I can not remember.
448
449Nam Sang-wook: 'isshufs@gmail.com' is listed in the s.txt file found on the suspect computer.
450 A: I do not remember.
451
452Nam Sang-wook Moon: The e-mail address 'isshufs@gmail.com' is an email used to write a blackmail message to Obama. It is also stored in the s.txt file that the suspect is kept in. Is it listed on the site?
453 A: When I do a search on Google, it looks like it came with me.
454
455Nam Sang-wook Q: Did you say you do not remember the previous statement?
456 Answer: It is regretful to say that it is the reversal of the statement though it is the human being because it is a human being. (The statements of these suspects were recorded without further ado.) Since then, the suspect has been suffering from the mental pressure of a reversal of the statement until he is released from jail and jailed.
457
458Nam Sang-wook Q: Does the suspect mislead him?
459 Answer: I have never posted a blackmail.
460
461Nam Sang-wook Moon: July 14, 2015. During the arrest, is it true that you threw objects at the Seoul Metropolitan Police Department Cybercrime and Ward staff?
462 Answer: Yes.
463
464Nam Sang-wook Moon: What did you throw at?
465 Answer: It's called a cold pack. (A cold pack is an ice pack.) After drinking, I was lying on my forehead with a cold pack with a headache.
466
467Nam Sang-wook Moon: What did you say?
468 A: I can not remember what kind of profanity I have specifically done.
469
470Kwak Dong-kyu Moon: I think the investigator remembered that he had been saying, "Hey, these bastards." Is that right? (This investigator refers to Kwak Dong-kyu who is accompanied by Nam Sang-wook.) Kwak Dong-kyu intervened and questioned.
471 Answer: I can not remember whether I used the word "bastard" or how many times I used it. (The suspect stated that he did not use the word "bastard" but wrote that he did not remember.)
472
473Nam Sang-wook Moon: I came to the Seoul Metropolitan Police Agency's Metropolitan Police Department and lie on the floor of the office to say, "Bring a wheelchair," "Get an executive chair."
474 Answer: I was drunk and drunken.
475
476Nam Sang-wook Moon: You were wearing only panties at the time of arrest?
477 Answer: Yes, yes.
478
479Nam Sang-wook Moon: At the time of the arrest, the investigator of the Seoul Metropolitan Police Department (wearing a walker at the time of the investigation of Choi Sung-sik in the investigation team and stepping on the suspect's neck in the process of cuffing him) You did not wear it?
480 Answer: Yes, I did not wear it.
481
482Nam Sang-wook Moon: Who wore the clothes?
483 Answer: The investigator put on the clothes.
484
485Nam Sang-wook Moon: Why did you continue to do such an action during your arrest or office?
486 A: I feel like I am excited. (Dozens of people came to the house of the suspect and suddenly arrested and was excited).
487
488Nam Sang-wook Moon: Seizure Search You have not lived in bed for about five hours, did you?
489 A: I do not remember the exact time, but it did not happen.
490
491Nam Sang-wook Moon: In the blog (helpkorea.blogspot.kr) of Nam Sang-wook, there is an article called 'How to Make Money from the Internet (Acquisition of Foreign Currency)'. Why did you write this article?
492 Answer: I wrote for the sake of women.
493
494Nam Sang-wook Moon: In the above helpkorea.blogspot.kr, there is an article entitled "My Ministry of Defense Civilization". When I look at the contents of the article, "Ji Sung-woo calls me as a laundry hanger, I have been shaken 20 times and then I have been ejaculated in the anus. "Is this true?
495 Answer: Yes, yes.
496
497Nam Sang-wook Q: Do you have any bad memories about anus?
498 A: I think it is a gag, not a bad memory.
499
500Nam Sang-wook: Do you think that Obama's anus is also a gag and raped an anus?
501 A: I have not.
502
503Nam Sang-wook Moon: In the suspect blog (fuckingkorean.blogspot.kr), I posted the diploma, transcript, graduation certificate and transcript of the suspect under the heading 'SSUL' I have lost my job because I have changed my minor in chemistry unilaterally without prior notice in the university. I have also been suspected of having my own academic background, personal credit, and suffered mental harm from my job as a freelance worker. "Do you have a strong dissatisfaction with foreign language classes?
504 Answer: Yes. I have a complaint. (Although the suspect did not use the word "strong", the investigator Kwak Dong-kyu of the next place repeatedly replied the suspect's answer and continued to write "strong dissatisfaction." Although the suspect pointed out, A suspect asked for removal and dragged two lines and interrupted him.)
505
506Nam Sang-wook Moon: In the blog (unicefusa.blogspot.kr) of Nam Sang-wook, a photograph of a woman wearing only panties and wearing clothes on her head with a pan on her head and expressing her nickname "뀨뀨" Is the suspect posted? (In addition to this question, the investigator changed from time to time during the investigation, but the record did not record the names of the investigators who questioned.)
507 Answer: Yes. I posted it.
508
509Nam Sang-wook Q: Why did you post this picture?
510 Answer: I posted it for fun.
511
512Nam Sang-wook Q: Did you try to get sponsorship by inserting the account number of the suspect in the photo of only the underwear?
513 Answer: Yes, yes.
514
515Nam Sang-wook Q: How much did you sponsor so far?
516 Answer: I got 20,000 won.
517
518Nam Sang-wook Moon: What did you use when you used the word "shit-chill" on the wall?
519 A: I do not remember.
520
521Nam Sang-wook Moon: This is a reporter and Obama intimidation article. The e-mail address is 'isshufs@gmail.com', which is used by the staff of Hankuk University of Foreign Studies. The phone number is '82 02 2173 2062', and the address is Hankuk University of Foreign Studies. For what reasons did the person who wrote the above article write the address, phone number, and e-mail of Hankuk University of Foreign Studies?
522 A: This is a common address.
523
524Nam Sang-wook Moon: As far as I think, I think that a person with a strong dissatisfaction with foreign languages would have written a threatening statement. What is the opinion of the suspect?
525 A: I think it would have been written by a person who is dissatisfied with foreign language.
526
527Nam Sang-wook Moon: And if you look at the content of the intimidation article, it says "I'm HUFS student from Seoul, Korea".
528 Answer: Yes, yes.
529
530Nam Sang-wook Moon: Did you graduate from a foreign language college and post the above content in a blackmail message like this?
531 Answer: I would have used the word undergraduated instead of student.
532
533Nam Sang-wook Moon: And both the intimidation against Obama and the intimidation about reporter had strong complaints about foreign universities by writing emails, phone numbers, and addresses of foreign university staff, Do you think that the person who wrote this threat letter impersonated foreign language group like this?
534 A: The same person has written two intimidating documents and is probably one of the students at Hankuk University of Foreign Studies.
535
536Nam Sang-wook Q: What is the name of the second daughter Obama and the name of the first daughter?
537 Answer: The second daughter's name is Natasha, and I know that the first daughter's name does not know exactly and ends in. (The investigator showed the name on the intimidating document and asked the investigator the additional information that the suspect had learned, and he did not record it in the dossier when he said that the suspect had "the document the investigator showed." A lawyer Park Chul Hyun was silent.)
538
539Nam Sang-wook Moon: I did not know the name of the first daughter and knew exactly the name of the second daughter.
540 A: I do not remember that.
541
542Nam Sang-wook Q: Does the suspect want to be famous?
543 A: I want to be a successful person rather than a famous person.
544
545Kim Young-rae Moon, July 13, 2015. 13. Seized at the time of the seizure. We told our investigator (Kim Young Rae), "It seems to be famous."
546 Answer: Yes, yes.
547
548Nam Sang-wook Moon: Obama said, "I decided to become a famous Korean man in the US today." Did he decide to become a famous person?
549 A: What I'm saying is that I am a politician and a famous person, not a serial killer.
550
551Nam Sang-wook Moon: Have you ever thought about serial killers?
552 A: I've never thought about it before.
553
554Nam Sang-wook Q: When is the suspect mainly used on the computer?
555 Answer: The time zone is not set, but we use it at night or early morning.
556
557Nam Sang-wook Moon: The time of Obama's intimidation was 20:20 and the reporter's intent was written at 02:26. Is it a time zone where the suspect mainly uses computers (more than 50%)?
558 Answer: Yes, yes.
559
560Nam Sang-wook: Do you have evidence or statements that are favorable to the suspect?
561 A: I will submit it later.
562
563Nam Sang-wook: Do you have any more to say?
564 A: If you look at the contents of my blog about the referent, you can see that it is contrary to the police claim. Please disclose specific details about the IP band.
565
566 (After consulting the attorney Park Cheol-hyun who joined the investigation and the suspect's first and second journals, they come to the newspaper)
567
568Nam Sang-wook Q: Are all the statements stated in the previous meeting true?
569 Answer: None of the statements made in the previous survey are true.
570
571Nam Sang-wook: Do you have statements that differ from those of the suspect?
572 Answer: Not at all.
573
574Nam Sang-wook Moon: Does the suspect know the current arrest warrant?
575 A: Yes, I know.
576
577Nam Sang-wook Q: What do you think about the arrest warrant for the suspect's crime charges?
578 A: I think it is wrong.
579
580Nam Sang-wook Moon: What is wrong with you?
581 A: I did not intend to harm the US President Young-ae, and I did not intend to risk the riper Foreign Ambassador.
582
583Nam Sang-wook: Do you mean that in the case of the suspect, there was nothing wrong with you and you were unjustly arrested?
584 Answer: Yes, yes.
585
586Nam Sang-wook Moon: Does that mean that the judge and the investigating agency are wrong?
587 Answer: Yes, yes.
588
589Nam Sang-wook: Does the suspect mean that the evidence that the investigative agency can not trust?
590 A: Yes, I can not trust the evidence presented by the police.
591
592Nam Sang-wook Moon: The evidence presented by the police is an objectively obtained data from cyber police officers who are experts in the computer field.
593 A: I do not know exactly what part it is.
594
595Nam Sang-wook Q: What do you mean by not knowing exactly what part you are?
596 A: I am not a computer expert or a forensic examiner.
597
598Nam Sang-wook Q: Is not the suspect a computer engineer?
599 A: Digital and computer engineering are different.
600
601Nam Sang-wook Moon: Which part is different?
602 A: The paper I wrote when I graduated is about sound, about digital signals, and computer engineering is about the computer itself.
603
604Nam Sang-wook: Did not the suspect claim to have a knowledgeable knowledge of the computer in the statement before?
605 A: Yes, it is true.
606
607Nam Sang-wook: In conclusion, you do not trust the police evidence?
608 Answer: There is no partial trust.
609
610Nam Sang-wook Q: Do you mean that there is another part that you can trust that the part is not trusting?
611 Answer: ENCAEC Time-lapse analysis is reliable. (A cybercriminal investigator, a computer expert, continues to spell the ENCASE program incorrectly as ENCAEC, which is one of the reasons for the lack of confidence in the investigation.)
612
613 At this time, the suspect suddenly says that he can not trust the program to analyze ENCAEC parallax. The suspect described "trust", but the investigator wrote that the suspect's statement was heard as gibberish.
614
615Nam Sang-wook Moon: Do you mean to trust the ENCAEC program that the evidence that analyzed the time lapse of the threatening posting presented by the police as evidence is correct?
616 Answer: Yes, yes.
617
618Nam Sang-wook Moon: The suspect clearly said he trusted the ENCAEC program. In the previous statement, I stated that the operating system (OS) laid down in the suspect's laptop was in French time zone and that it would be possible to find out by observing the time difference. Why did you say so?
619 Answer: I heard that the Cyber Police officer explained. (The suspect believed so because he trusted the explanation of the computer expert.)
620
621Nam Sang-wook Moon: Do not you mean that when you interpret the current suspect's statement, the suspect posted a post that intimidates President Obama?
622 Answer: I just want to trust the cyber-forensic investigation technique.
623
624Nam Sang-wook Q: If you have confidence in cyber-forensic investigation, you should trust the evidence presented by cyber-police.
625 Answer: I have a part that I do not understand. The first is the way Porter operates. The way PORCHAN works is, in short, a real-time posting like a daily best. The second is Google search engine exposure time. That means the post is not deleted right away, but exists on the Internet for some time.
626
627Nam Sang-wook Q: What does it mean to have confidence in cyber-investigation techniques and how to operate Pocan?
628 Answer: I trust cyber forensic techniques, but the ENCAEC program is poor. Porter and Google also want to apply cyber-forensic investigation techniques to Porter and Google.
629
630Nam Sang-wook: So, if the objection is not clear and the ENCAEC program is objectively clear about the operation of Pocan or Google, as the suspect claims, how would you accept it?
631 A: I will acknowledge you if you disclose the truth in a public authority.
632
633Nam Sang-wook Q: If the ENCAEC program or cybercriminals in a reputable institution has no problem with the evidence, would you say that you would admit the suspect's allegations?
634 Answer: You are acknowledging the credible result, not the accusation. I have never written or wrote the article.
635
636Nam Sang-wook: If you have been verified by a reputable institution, would not it be the objective evidence to refute the statement even if the accused claims no?
637 Answer: It is objective evidence that we want you to investigate enough evidence.
638
639 (The above questions are typical guidance questions.) The suspect was not able to understand the above questions properly.
640
641Nam Sang-wook Moon: What was the suspect's childhood like?
642 A: My childhood was loved by my parents, and I was surrounded by a lot of single parents who were economically more difficult than their friends, but were relatively happy.
643
644Nam Sang-wook Q: What was your home environment like?
645 Answer: It was generally a harmonious family.
646
647Nam Sang-wook Q: How was your family?
648 Answer: It was a good one.
649
650Nam Sang-wook Q: How was your relationship with your childhood?
651 A: I did not have a lot of friends because I had few words, but there were about 10 really close friends.
652
653Nam Sang-wook Q: What is your relationship now?
654 A: I have no friends at the moment.
655
656Nam Sang-wook: Why do not you have a friend?
657 A: I moved to school often, I came to the army, and I looked for the course of my life, so my relationship became faded. So when I was young I was not in touch with my close friends. Even if my friends want to meet, I do not have anything to do, and I am avoiding it.
658
659Nam Sang-wook Q: What was your grade at school?
660 A: When I was in elementary school, it was mediocre. To make up for what I did not do in high school, I studied really hard not to be matched with college days and motives.
661
662Nam Sang-wook Q: How did you look back on your military life?
663 A: Military life was the worst of the worst.
664
665Nam Sang-wook Moon: Which part was the worst?
666 A: I have made a statement before that. In addition, if you tell me what you are doing when you are discharged, it is likely that OO Sergeant is doing his worst and worst. For example, one of the motivations did not receive cold training, but I received it. That's because it was only for me.
667
668Nam Sang-wook: Why did the suspect quit his job?
669 A: To be honest, it was hard. I wanted to study a little more and go to study abroad and live a better life.
670
671Nam Sang-wook Moon: What part was difficult?
672 A: When I was working at KBS, I was physically struggling to work 5 or 3 shifts.
673
674Nam Sang-wook Q: Why are you not doing a job today?
675 A: I am studying French.
676
677Nam Sang-wook: Can I study while I work?
678 A: Because my style does not do a lot of things and I want to get results in a short time. And French is hard.
679
680Nam Sang-wook Moon: The suspect stated that he was living a secluded life in his home?
681 Answer: Yes. There is a fact that I have stated.
682
683Nam Sang-wook Q: What is your daily routine?
684 A: The morning hours are not fixed. My life is irregular, and I usually live with my rhythm at night time.
685
686Nam Sang-wook Q: What do you usually do at home?
687 A: I sit in a fluffy chair and study French for about 14 to 21 hours.
688
689Nam Sang-wook Moon: Anything else?
690 A: In my free time, I am posting political articles mainly on blogs. (The purpose is to turn my attention and turn my head off).
691
692Nam Sang-wook Q: How much time do you spend on computer during the day?
693 A: I study on a computer, so it is time to study.
694
695Nam Sang-wook: Did the suspect live a night life before he was arrested recently? Or did you live in the morning?
696 A: I was in the transition from an evening human to a morning human.
697
698Nam Sang-wook Moon: This is the date of the alleged suspicion, July 7, and July 8, 2015.
699 A: I think that I was studying 50 or 50, maybe I was sleeping while drinking.
700
701Nam Sang-wook Moon: If you studied, did you use a computer?
702 Answer: Yes. If I had studied, I would have used a computer.
703
704Nam Sang-wook Question: What is the special reason to use poisonous foreign sites in spite of the fact that there are many domestic sites such as Naver?
705 A: As you know, Naver or the next one, Ivara, is a ban (blocked) if you make a political comment or post on a site. So it's a relatively free site, such as Pocan and Google Blog Spot.
706
707Nam Sang-wook Moon: The suspect stated that he used the confiscated notebook (Lenovo) alone in the suspect?
708 Answer: I keep using the password myself.
709
710Nam Sang-wook Q: What happens to my password?
711 Answer: Your password is 656565.
712
713Nam Sang-wook: I am going to ask again, the suspects visit the White House website to rape the daughter of President Obama and threaten to murder President Obama and his family and then kill Ambassador Ripper. Did you actually upload it?
714 A: There is no such thing at all.
715
716Nam Sang-wook: Do not the suspects make a false statement because of the fear that they will be seriously punished if the charges are taken?
717 Answer: No.
718
719Nam Sang-wook Q: Is it not the wrong idea of the suspects to deny the charges of reprisals in the previous statement? (The suspects visited the lawyer Park Chul-hyun at the detention center before the investigation of the third investigation, and the lawyer informed the suspect about the sentence, and the investigator Nam Sang-wook knows the contents. can see.)
720 Answer: No.
721
722Nam Sang-wook Moon: The time the Obama intimidation article was posted to the White House on July 7, 2015, 20:20 pm, the time of the original threat file was saved on the suspect computer, After a posting on the White House for about a minute, it was confirmed that it was captured and stored on the suspect computer, and the threat to the reporter was also posted on the White House for about one minute, I did. Is the statement still the same now?
723 Answer: Yes. I still think it is impossible.
724
725Nam Sang-wook Q: Is not the accusation of the accused right?
726 Answer: No. I would like you to disclose this part in digital forensic techniques. (The suspect answered "truth" and not "statement".)
727
728Nam Sang-wook Moon: Obscene texts kept on the suspect computer. The suspects claim to have downloaded the image file from 4Chan.org. However, the original text on the 4Chan.org site is posted on the 4Chan.org site. The deadline for the original sentence (for reporter) on the suspect computer is July 8, 2015, 2015. On August 8, 2015, the suspect's claim is confirmed as a false statement Does the suspect deny the charges?
729 Answer: It is possible but not.
730
731Nam Sang-wook: Why is the suspect denying the contents of his allegations even after checking the Seoul Metropolitan Police Cybercrime investigation to clarify the contents of the allegations?
732 Answer: As I mentioned at first, there are various possibilities.
733
734Nam Sang-wook: What do you think of the usual suspects, President Obama and Ambassador Repert?
735 A: I am a person who wants to get a work visa in the United States. I am a political patriotic conservative. In the ROK-US alliance, President Obama and Ambassador Repert recognize the need to be protected.
736
737Nam Sang-wook: Did the suspect actually see President Obama and Ambassador Repert?
738 A: I've never actually seen it.
739
740Nam Sang-wook Q: What do the suspects think about the United States?
741 A: I am a country that envies the United States.
742
743Nam Sang-wook: Did the suspect have a plan to immigrate to the United States?
744 A: First of all, I was thinking about transferring to a US college after graduating from college before I graduated from college. After graduating from college, I decided to go to immigration because it costs 60 million to 80 million won, I thought that it would be 8 ~ 10 years to collect money and go to immigration or transfer.
745
746Nam Sang-wook Moon: By the way, why did not you go?
747 A: I'm still preparing to go now.
748
749Nam Sang-wook: I suspect the suspect is still preparing to go to the United States, but he is not actually collecting money or making any other efforts.
750 A: In the present situation, I do not collect money because I plan to get money at home.
751
752Nam Sang-wook Moon: Although the suspect says America is a country of envy, is not it because he has dreamed of immigrating to the United States for a long time and has not been able to execute it?
753 Answer: No.
754
755Nam Sang-wook: Did the suspect ever join a social organization?
756 Answer: Not at all.
757
758Nam Sang-wook: I am going to ask you once more. According to the judgment of the investigating agency, the evidence collected by the investigating agency, judging by the evidence, it seems that the suspect posted a threatening statement.
759 A: I think the evidence of the investigation agency was not good and the judgment was wrong.
760
761Nam Sang-wook Moon: Then, what proof would the suspect have to give?
762 Answer: I do not know.
763
764Nam Sang-wook: Did the suspect talk about the lawyer and the polygraph before he started the investigation?
765 Answer: Yes.
766
767Nam Sang-wook: Do you have a willingness to take a lie detector?
768 A: Yes, I will. I will accept anything to clarify my innocence.
769
770Nam Sang-wook Q: What is your current feelings?
771 A: There is no rattling. (The investigator asked the suspect what it meant by "ridiculous" but did not record it.)
772
773Nam Sang-wook Q: Is the statement true?
774 Answer: It is true.
775
776Nam Sang-wook Moon: Do you have any more to say?
777 A: On page 5, it is not the intention of the ENCAEC program to be ill-advised, which means that the investigation is currently inadequate. (The investigator said that he described the suspect as "poor.")
778
779Three times
780
781 At this time, the lawyer Park Chul-hyun participates in the discussion with arbitrary participation. (At the time of the police investigation, the investigators were instructed by a messenger program installed on the computer used for cell phone and dossier to ask questions in real time with the investigators outside the investigation room.)
782
783 At this time, the suspects and lawyers will show the 7th report on July 15, 2015 (the suspect confirms the setting of the OO notebook time zone setting)
784
785Nam Sang-wook: Even if the suspect laptops are set in French time zone, if the computer analysis program Encase is converted into domestic time, the creation date of the file and the access date can all be confirmed by the national standard time. Go?
786 Answer: Yes. I understand what the investigator explained, and I fully understand the time.
787
788 At this time, July 15, 2015 investigation report (about the time posted on 4Chan site) show two pieces, and make an arbitrary answer.
789
790Nam Sang-wook Moon: I analyzed the time posted on the foreign site 4Chan.org at the Seoul Metropolitan Police Agency's cyber criminal investigation office. When I posted the Korean time 17:13, In the end, it appears that the above site is located in the United States. The time posted on this site is printed in domestic time. Do you accept the above?
791 Answer: Yes. I understood and acknowledged the contents that the investigator showed directly. (Not many people watch the posted time zone while writing on the Internet.)
792
793 At this time, I show an investigation report (analysis of the Google Chrome browser capture function and analysis of the writing screen of the website of the US White House).
794
795Nam Sang-wook: The following five files found on the suspect's notebook are generated by capturing directly from the suspect's laptop through the Google Chrome browser, and seencapture-www-whitehouse-gov-contact-submit- comments-1432397652564.png and seencapture-www-whitehouse-gov-contact-submit-questions-and-comments-1432397921271.png files will be posted on the White House website on May 5, 2015 at 01:14 and 01:17 The 13-digit number that is displayed next to the capture file name is the same as the generation time of the generated file, and the above 13-digit number is the time information that is automatically generated when capturing from Google Chrome. The time of the capture file created on the notebook is the same as the date and time of capture, so that if the suspect is downloaded from the Internet, Seen from the above that there's time to capture capture program may be the same, there is confirmation that the suspect has written articles connected directly to the White House website, is not that a suspect directly after article creation, capture? (The investigator attached the Encase analysis screen to the dossier.) This long question is not a question asking the suspect's answer.)
796 A: I do not know who did it. It is not me who wrote. It was not the first time to access the whitehouse.
797
798Nam Sang-wook Moon: The suspect's laptop has a password set?
799 Answer: Yes, yes.
800
801Nam Sang-wook Q: Can not use the laptop above the suspect?
802 Answer: Yes, yes.
803
804Nam Sang-wook Moon: By the way, how can I not only use the suspects, but I have 5 captures of the contents that I write to the white house by connecting to the white house, and the above file creation date and time The date and time when the file was created) is the same, but can I say that the suspect does not know?
805 A: I can not remember it all individually.
806
807Nam Sang-wook Moon: Do not you remember that the suspect did not write? (Investigators tied several questions together or asked a lot of questions to ask questions, but they were forced to answer the suspect only with 'yes' or 'no'.)
808
809 The suspect looks at the investigator's eyes for a moment and then answers. (In this case, investigators are attacking through the description of the behavior of the suspect.)
810
811 Answer: I did not. (The suspect responded only to 'yes' or' no ', depending on the investigators' enforcement.)
812
813 The accused continues to write notes on A4 paper notes. (The note used by the suspect at the time of the investigation was written by Park Cheol-hyeon, the lawyer, who told the suspect that he was "unable to carry the paper in the custody") and each time the investigation was completed, he took the suspect's note and handed it to the investigators.
814
815Nam Sang-wook Moon: If the suspect did not do it, who did it?
816 Answer: I do not know.
817
818Nam Sang-wook Q: So what is the origin of the above capture file?
819 A: I have a lot of capture and I do not remember. (It is even more suspicious that the suspect remembers everything he has stored on the laptop.) In this way, the investigators proceeded to coerce the suspects into a lie, remembering all the details.
820
Nam Sang-wook Q: Then, where did you download the isis.png, usa.png capturing file?
A: You should have downloaded it from 4Chan.org or Google.

At this time, the suspect showed 35 pictures of Repert Metabolism on OO computer, and gave an arbitrary answer.

Nam Sang-wook Q: What is the above picture source?
Answer: It is a picture that is downloaded from the Internet by searching Google with 'KIM KIM Jong', 'Reporter', 'KIMSU'. (At the time of the investigation, the suspect referred to 'Kim Kyeong-jong' as 'Lee Kyeong-jong' because he did not know him well, but the investigators wrote 'Kim Kyeong-jong' without informing the victim.)

Nam Sang-wook Q: Why did you download it?
Answer: I received a criticism of Kim Ki-jong, who attacked Ripper, to post on the Internet.

Nam Sang-wook Q: Did you write criticism about Kim Ki-jong?
Answer: I wrote.

Nam Sang-wook Q: Do you have any material to prove you wrote it?
A: Not now. (The suspect was reminded of the motto: "Let's go with" "Let's go with" "Let's go together"). "I said," Let's go together, "the USFK commander in charge of AFKN (USFK) I remembered it shortly after the terrorist attack and cited it in my criticism, "but the investigator did not record it. The next-door investigator said," Let's go with Ambassador Ripper. " "And the accused replied," It is an honor to have inspired Ripper's thoughts. "These statements were not recorded at all.

Nam Sang-wook Q: If you look at the photos of threats detected on the suspect computer, the file creation date and time will be all around June 3, 2015, and the last access date will be 6.8 to 6.6. Also, it will be 15 times on July 7, 2015. The above date is the date of publication of the intimidation article in the US White House on July 7, 2015. 7. 7. Why did you read the pictures about Kyung Ri Supervisor 15 times?
A: I honestly do not know. (The suspect assumed that the access time was changed when moving the photo file.)

Nam Sang-wook Question: 7. 7. Do you remember reading pictures?
Answer: I have never seen it.

Nam Sang-wook Q: Do you have any interest in Ripper?
A: I have a lot of interest since I was attacked by Kim Ki-jong.

Nam Sang-wook Q: Why did you get interested in Ripper?
Answer: I was interested because the traps were shocking.

Nam Sang-wook Q: What is the relationship between the suspect and the reporter?
Answer: Not at all.

Nam Sang-wook: It is said that the suspect has been downloaded to post critical criticism of Kim Ki-jong. When the investigator reads the material posted on the suspect blog on his smartphone, , And the time spent on the suspect computer for pictures related to the leak will be on March 6, 2015. I have already posted all the articles about Repertory 3. 6. Why did you download it?
A: I have a long memory.

Nam Sang-wook Q: Looking at the ML.JPG and ML0.JPG files found on the suspect computer, I found that Repert's ambassador blended the blood and jokers in the Batman movie.
Answer: Yes, yes.

Nam Sang-wook: Why did you combine the bloody scenes of Repert's blood and the joker's picture from the Batman movie?
Answer: I do not know.

Nam Sang-wook Q: Why did you synthesize?
A: I think I downloaded it.

Nam Sang-wook Q: Why do you keep repeating your statements?
A: It's been a long time and I can not remember anything. (May 3, 5, 2015), so it is possible that I may not remember it long before the investigation, and I have also asked forcible investigation questions in the reversal of the statement. )

Nam Sang-wook Q: In the previous question, I am sure that the suspects synthesized.
A: It seems to have been downloaded from overseas internet humor site. Honestly, it is an old thing, so I can not remember it.

Nam Sang-wook Q: What do suspects usually think of IS armed groups?
A: I think it is an unjustified armed group for IS armed groups.

Nam Sang-wook Q: Do you like IS?
Answer: I think it is bad.

Nam Sang-wook Q: Do you know the fact that Koreans have been transferred to an IS militant group?
Answer: I heard from the news.

Nam Sang-wook Q: What do you think?
A: I think it is the wrong choice.

Nam Sang-wook Q: Six IS-related images were found on the suspect computer, and the isis.jpg file name shows a combination of a young boy shooting a gun and a young boy with a gunman. Did you combine two photo files into one?
Answer: Yes. I combined what I downloaded on the Internet.

Nam Sang-wook Q: Why did you combine the above files?
Answer: I joined to write a criticism on IS. The reason we combined the two is to increase persuasiveness.

Nam Sang-wook Q: Is the official name IS?
Answer: I do not know exactly whether IS is the official name or ISIS. (In this statement, investigator Nam Sang-wook said, "How do you know whether the official name is IS or ISIS?")

Nam Sang-wook Q: Is the name of the suspect's notebook combined with the name ISIS.JPG?
Answer: Yes, yes.

Nam Sang-wook Q: Is ISIS known as ISIS and the file name is ISIS?
Answer: I accidentally wrote the keyboard randomly and the file name was ISIS.JPG. I explained this to the lawyer, but I do not know why I made the file name ISIS. (The suspect did not answer "I do not know.") The suspect demonstrated the process of pushing I and S on the keyboard vending machine in front of the investigator as a habit.

Nam Sang-wook Q: Image of the IS related file stored on the suspect computer When I look at the ISIS gallery.png, I have synthesized a picture of the Korean gallery and the IS terrorist (boy) I made a composite picture that shows that the gallery is the same. Why is it synthesized?
Answer: The picture is synthesized as above.

Nam Sang-wook Q: So you're following IS?
A: I will not follow.

Nam Sang-wook Q: Then what is the IS's willingness to live up to?
A: I saw a sad feeling in the eyes of an IS boy.

At this time, the accused is in a bad mood. (In this case, the cybercriminals investigator described the behavior in a record.)

Nam Sang-wook Q: Why do you often repeat statements that you have shown a determined will in the previous question but now feel sad once again?
A: When I first saw it, I did not remember it.

Nam Sang-wook Q: In the first question, I stated that there is a certain willingness to be clear. Why do not you tell me now that you did not remember?
A: I think that it is possible to interpret several pictures as meaning.

Nam Sang-wook Q: The author name is 'Dr Korea Isis One' when writing a threat against Reporter Ambassador. The date on which the IS-related images were found on the suspect computer is from June 29, 2015 to 06:53 to 07:36, and the last date that the images were accessed is from July 3, . The time of the crime is 7. 7. and 7. 8. If the suspect sees the IS-related photos and writes the IS-related phrases at the time of the reputation intimidation, is not it?
Answer: No.

At this time, the suspect is shown a screen analyzed by the computer analysis program Encase and the screen posted on 4chan.org, and attached to the end of this document.

Nam Sang-wook: The link file (lnk) is a file that is automatically created on your computer when you view the file. In addition, A0066246.lnk and usa.png link files found on suspect computers are added, and all the time is checked as below. Did you hear from the investigator exactly what was above?

Serial number / contents / date
1 / Rupert Threaten posted on White House / 7. 8. 02:26
2 / Screen capture file found on suspect computer (screen shown at the time of writing) screencapture-www-whitehouse-gov-thank-you-1436290042624.png After completing the writing in the White House, File / 7. 8. 02:27
3 / The link file of the above 2 file ("usa.lnk" in the parentheses was printed out in the record.) However, every page of the record in which the suspect was printed was taken to prevent forgery prevention, After they chased it, they scratched the line in the "usa.lnk" and made them suspect that the mistake was one of the reasons for the trust in the investigation. The link file is created when the above file 2 is executed (browsed). / 7. 8. 02:27
4 / The threats found on the computer of the suspects Original capturing file (screen shown during the blackmail) usa.png
5 / 4chan.org Posted by usa.png on 7. August 02:31
6 / 4chan.org posted a usa.png related post on the screen capture of the captured file (screencapture-boards-4chan-org-pol-thread-47640986-1436290789215.png) with the Google browser chrome. * Link file (A0066246.lnk) Creation date / time 7. 8. 02:40

Answer: Yes. I've heard the exact explanation.

At this time, I explain it to the lawyer clearly and understand it all. (The Cyber investigator noted that all of them were forcibly comprehended.)

Nam Sang-wook Q: 02. 26. The police officer completes the Ripper intimidation at the White House, captures the thank-you related webpage completed at 02:27 through the Google Chrome browser, 3 minutes later, the original text of the intimidation was changed to filename usa.png, and after one minute, the captured image was posted on 4chan.org site, and about 9 minutes later, 4chan.org again The file generated by capturing the above site was browsed, and the link file was created on the suspect computer, and the order of the time series was precisely matched. A total of five reporter-related threat files were found and exactly matched in chronological order Is it not the article posted by suspect?
Answer: Yes, it is.

At this time, the suspect smiled and laughed, answered clearly, and wrote notes on the note. (In this case, the investigator added a depiction of aggressive behavior.)

Nam Sang-wook: When I checked the A0066246.lnk file found on the suspect computer, the date of creation was 2015. 7. 8. 02:40, and the above file was generated by 'screencapture-boards-4chan -org-pol-47640986-1436290789215.png 'Because you executed the file, it was confirmed that the above link file' A0066246.lnk 'was created. Did you actually access the 4chan.org site and capture the above site?
Answer: Although I have read reporter-related threats on 4chan.org, I can not remember capturing the 4chan.org site with the Google Chrome browser.

Nam Sang-wook Q: So the article about Obama was also read at 4chan.org above?
Answer: Yes, yes.

Nam Sang-wook Q: In the previous statement, I read the original caption (usa.png, isis.png) from 4chan.org or Google.
Answer: No. There is no trust in me.

Nam Sang-wook Q: So, is it true that all the statements so far have been wrong without trust?
Answer: I can not be confident that I saw it on 4chan.org. (The suspect stated in the sense that "I can not confirm whether I saw Obama's intimidation and Raptor intimidation article at 4chan or Google.")

Nam Sang-wook Q: The time posted on 4chan.org is 7.8. At 02:31, the time the original text was created on the suspect computer was 7.8. At 02:30, the time saved on the suspect computer is faster. How do you state that you have viewed and downloaded the 4chan.org site?
At this time, the accused responded clearly.
Answer: I do not know.

Nam Sang-wook Q: Why do you answer the above questions immediately when you think and answer other questions?
Answer: Yes. It is not to protect me.

Nam Sang-wook Q: According to the results of the digital evidence analysis, there are a lot of related capture files in the computer of the suspect, the time-series is accurate, and the suspect has not posted any intimidation. Is there evidence?
A: There is no current situation.

Nam Sang-wook Q: If the blackmail is posted on 4chan.org, what are the reactions of the others?
A: There are people who are not sure about the site. I do not know the reaction.

Nam Sang-wook Q: When people post interesting articles on 4chan.org?
Answer: I do not read the comment. (The comment is written in English, so the suspect will not read it because it is difficult to read.)

Nam Sang-wook Q: What points are earned or posted by posting on the site?
A: I do not know.

Nam Sang-wook Q: Do people from 4 countries have access to 4chan.org?
Answer: It is various. Because it is a US site, there are a lot of people in the United States, and many people from Australia, Belgium and so on. (The suspect described the US, Australia, and Belgian flags in the 4chan capture file presented by Nam Sang-wook.)

Nam Sang-wook: How many times do you usually visit the site?
Answer: I study only once or twice a week.

Nam Sang-wook Q: The suspect was posted on Kyung Cheong University's website on June 29, 2014. If you do not prepare the Civil Defense transportation fee from next year, have you ever posted a post on Mapo Daigyo?
Answer: Yes, yes. The police came because of the letter.

Nam Sang-wook Q: Why did you post the above article?
A: In case of Civil Defense education, we think that transportation expenses should be paid.

Nam Sang-wook: Did you write that you committed suicide because of transportation expenses?
Answer: I did it because it was a must. (The suspect described it as "because it was a matter of course" or "of course, the transportation fee should be paid.")

Nam Sang-wook Q: What did the police do when they arrived?
A: I checked to see if I was well and went back.

Nam Sang-wook Q: "On July 25, 2014, from 9 am to 6 pm, one of the demonstrators asked," I am on my own, is. The location is the place where the male representative of the Sungjae period served on July 26, 2013. " (The place where the male delegate of the Sungjae period invested was Mapo Bridge.)
Answer: Yes, yes.

Nam Sang-wook Q: Why did you write this article?
Answer: As mentioned above, I thought that Civil Defense transportation fee should be paid.

Nam Sang-wook Q: Have you written several times in the Blue House or the National Newspaper? (The investigator asked, "How many times did they all go together?")
Answer: Cheong Wa Dae once, the National People's Journal is more than two times, I do not remember exactly how many times.

Nam Sang-wook Q: Do you like to post a civilization like above?
A: I do not like it. I am writing because of the absurdity of the policy that did not reflect reality.

Nam Sang-wook Q: How did you know about the Cheong Wa Dae homepage and the National Newspaper?
A: I went to the reserve army training and learned about the National Newspaper from the executives. After graduating from high school, I got to know the Cheongwadae homepage through search. (The suspect explained, "When the reserve army training was carried out, the reserve army officers told the reserve soldiers," If there is a protest, please file a complaint with the Ministry of Defense. "The Cheongwadae homepage was to inquire about the early enlistment of the army after high school graduation. ").

Nam Sang-wook Q: So how many times have you accessed the Blue House homepage so far?
Answer: It is not accurate, but I connected about 2 ~ 3 times.

Nam Sang-wook Q: Did you write other related articles?
A: I have posted 2 or 3 times in the National Newspaper.

Nam Sang-wook Q: What post did you post to the National Newspaper?
A: There are a few other complaints about the rape of the army, a request to pay for the reservists, but I do not remember exactly.

Nam Sang-wook: The suspect claims to have downloaded the usa.png file. If the above file is downloaded from the Internet, the same Zone.identifier file will be created. However, the above file was not found on the suspect computer. From the above, what do you think the suspect looks like in the file he captured himself?
Answer: I do not know.

Nam Sang-wook Q: Do you know the secret of Google Chrome browser?
Answer: Yes, yes.

Nam Sang-wook Q: Why did you use the above function?
Answer: I used something because it was a novel. (The accused was used 1 or 2 times for something.)

Nam Sang-wook Q: What is incognito?
Answer: I do not know.

Nam Sang-wook: The secret feature is to hide secrets of Internet access from the Google Chrome browser without having to store cookies, temporary cache files, etc. when accessing the internet. Now you know?
Answer: I do not know. (The suspect stated that "the explanation does not understand".)

Nam Sang-wook Q: Do you use the above functions frequently?
Answer: I used it about 1 ~ 2 times.

Nam Sang-wook Q: Do you use any web browser other than Google Chrome browser?
A: I also use opera.

Nam Sang-wook Q: Do you have any more to say?
A: I would like to ask 4chan and Google image cache "IP usage history" to the Korea Broadcasting Crime Unit, which is requested by the US government for investigation into the alleged diplomatic threat, and a search warrant for the server to the US FBI investigation unit. The States (The Star Spangles) Oh, oh, say can you see. By the dawn's early light. What so proudly we hail, at the twilight's last gleaming. Who's abroad, and bright stars, through the parelless fight. All the landpots we watch were so gatherly stream. And the rockets red glare then bombs burst in air. They prove through the night, that our flag was still there. Oh, does that star spangles, banners are weaving. For the land of the free, and the home of the braves. I am longing for Americans and trying to acquire citizenship and green card. I want to be a sincere society. God Bless America! I do not mind, but I want to go to the hospital and have blood pressure and ECG. I will pay for my headache and chest pain in the night. I will do it in an hour. (The suspect requested 4chan server, Google server, IP search warrant, but the police ignored the request.)

Nam Sang-wook: Do you have evidence or statements that are favorable to the suspect?
Answer: Not until now.

Nam Sang-wook Q: Are all of these statements true?
Answer: Yes.

Four times

At this time, under the participation of lawyer Park Cheol-hyun,

Nam Sang-wook Q: Do you have any idea about women?
A: I do not want to pursue benefits, but I have a duty to equip men with various duties, such as duty of defense.

Nam Sang-wook Q: Does the suspect ever have a relationship with a girlfriend?
Answer: Yes.

Nam Sang-wook Q: When did you meet some people?
Answer: During the sixth grade of elementary school, I have had about three times in total during my college days.

Nam Sang-wook Q: How long have you been dating?
Answer: It was a short time, but I can not remember the exact time, and it is sure to be less than 6 months.

Nam Sang-wook Q: When was your date of fellowship?
Answer: The army has gone to the first grade of college, and fellowship is in the second, third, and fourth grades of college. (The investigator asked the military when he was in college, and described the answer of the suspect as this question.)

Nam Sang-wook Q: Have you recently been dating a woman?
Answer: No.

Nam Sang-wook Q: The blog of the suspect has many articles about women that are hostile to women.
A: I do not feel hostile to women. I think it is better to buy and buy sex rather than having a new woman.

Nam Sang-wook Q: Do you not make a woman for the same reason?
A: I do not make contact because I think it will hinder my studies.

Nam Sang-wook Q: Does not it make it difficult for women to make friends?
A: I do not want to hurt my girlfriend. I think we should have emotional responsibility if people come together.

At this time, the suspect speaks to the investigator who asked him to rub the suspect's shoulder at the time of the break. (During a break, investigator Kim Young-rae told the suspect, "Why would you stay here if you did not? Walk innocently!" And the suspect is trying to stand up from the chair and sits down with dizziness. The suspect has made such a request to the investigator for health reasons, but omits the post-war situation and records an aggressive depiction.)

Nam Sang-wook Q: Does the suspect have a bad feeling about Jeolla?
A: I have bad feelings.

Nam Sang-wook Q: What kind of bad feelings?
A: I do not know where to find the public fund for the Jeolla Province politician (President Kim Dae-jung), but I do not know where he is, but most of the Cholla people are behind the scenes.

Nam Sang-wook Q: Have you seen a few people in Cholla?
A: During my elementary school days, during military affairs, during my college days, and during my working life, I met a lot of people from Cholla.

Nam Sang-wook: Do not you come from another area?
Answer: It is said that there is a lot of chance. (The suspect thought that Chungcheong - do had more backstriking than Cholla.)

Nam Sang-wook Q: Why do you have feelings about back door?
A: I do not remember. (The investigator suddenly told me to tell the story behind the back door.)

Nam Sang-wook Q: The suspect has stated in his earlier adverse statements that he "does not remember" and clearly says that he hated Cholla before. Why does not he remember it all of a sudden?
A: I can not remember the present situation.

Nam Sang-wook Q: So, according to the suspect's statement, do not you think that not only Jeolla-do, but also those from other regions are hiding all over the people of the world and all the people in the world?
A: I think there are good people.

Nam Sang-wook Q: Who is a good person?
A: I am a free meals person.

Nam Sang-wook Q: Do you hate everyone if you are from Cholla?
A: I do not hate everything, but I hate people who do not hate it.

Nam Sang-wook Q: Where is the suspect's home?
A: It is Seoul. (The suspect's birthplace is Seoul.)

Nam Sang-wook Q: Where is the suspect?
Answer: Andong, Gyeongsangbuk-do. When I was in Seoul, my family stayed in Andong often. (The home of the suspect's parents was Gyeongsangbuk-do, and when the suspect was young, he visited the country every summer.)

Nam Sang-wook Q: Did you have a senior from the military?
Answer: Yes, yes.

Nam Sang-wook Q: What were the senior members of the Jeolla Province?
A: When I was working, I wanted to bring a piece of equipment, but I did not like it. I think I was troubled by the man panting.

Nam Sang-wook Q: What is the usual amount of money for suspect?
Answer: The beer is 1000cc. If you drink shochu is not good. (There is no specific reason for the suspect to respond in numerical form, but he was questioned by the investigator that he had good memory.)

Nam Sang-wook Q: Where and where do you drink alcohol?
A: I drink alone at home.

Nam Sang-wook Q: What kind of alcohol do you usually like?
Answer: I like beer.

Nam Sang-wook Q: There is a liquor in the suspect's room, do not you drink liquor?
Answer: Sometimes I mix with the liquor.

Nam Sang-wook Q: Why is Yangju and other meat sauces in the suspect's room?
Answer: I usually bring the sauce because I usually eat in my room.

Nam Sang-wook Q: Why did you bring dozens of bottled water in the suspect's room?
A: There is nowhere left for my mother to leave it in my room.

Nam Sang-wook: Do you mean that there is no place to put the water bottle above the pit house?
Answer: I do not know. Ask your mother.

Nam Sang-wook Q: How often do you drink alcohol?
Answer: Drink about once a week.

Nam Sang-wook Q: Who is buying alcohol?
A: Sometimes parents come and go with their parents. (The suspect stated, "Sometimes I go to the mart with my parents.")

Nam Sang-wook: Do you drink with your father?
Answer: My father does not drink together because he likes rice wine.

At this time, the suspect trims. (Describe behavior for human attack.) The suspect came up from the top with stress and tension and trimmed.

Nam Sang-wook Q: After drinking alcohol, do you have any other behaviors other than normal, such as not remembering, singing or sleeping?
A: There is no such activity, and I drink mainly to take a good night's sleep. (Normally, the suspect's drinking habit is to drink beer while watching TV on the other side of the room, and drink alcohol when the alcohol is weak.) The suspect is used to study the notebook by blowing it, not to drink alcohol. Because the study room where the notebook is located is so hateful that it gets dirty with drinking alcohol, it never drinks in the study room, and it often witnesses the families of suspects.)

Nam Sang-wook Q: Do you remember if you drink alcohol?
A: At the KBS, after drinking alcohol, the film was broken, but not now. (The suspect has not drunk so much that the film has been severed since he left KBS in 2013.)

Nam Sang-wook Q: The suspect is a good memory, a bad one?
Answer: Good.

Nam Sang-wook Q: What is the foreign language skill of suspect? (The suspect was treated as a spy who spoke three or four languages to the police officers from the time of the emergency arrest.)
Answer: The TOEIC score is 780, the speaking score is 150, and the French is the beginner level. (Speaking is TOEIC Speaking Test.)

Nam Sang-wook Q: Do you have any language skills?
A: I think I have language skills, but others say I can not.

Nam Sang-wook Q: Do you have a good memory to have language ability?
A: I think it is a hard work. (The suspect thought that language ability was an effort, not a memory.)

Nam Sang-wook Q: How much did you drink at the time of the seizure?
A: You drank about 2,000cc of beer. (The suspect drank two bottles of beer.)

Nam Sang-wook Q: The suspect drank beer during the seizure process, and tried to drink to Yangju?
A: I drank 2 rounds of beer, but Yang tried to drink it, but the investigator told me not to eat it.

Nam Sang-wook Q: Do you remember exactly when you were seized?
A: I remember faintly.

Nam Sang-wook Q: Why do I remember a dim light drinking a lot?
A: I had a hangover, and I was sleeping.

Nam Sang-wook Q: When did you drink?
Answer: You started drinking at 00:00 or 04:00 on the day of seizure and drinking 2,00cc until 12:00 am. (The day of the seizure is Jul. 13.)

Nam Sang-wook Q: What do you like to eat?
A: I just drink.

Nam Sang-wook Q: Did not you eat?
A: I did not eat. (The suspect was starving from 13th to the present.)

Nam Sang-wook Q: I was laying on my bed for more than five hours at the time of the seizure, and after the emergency arrest, do you remember saying "bring an executive chair" or "bring a wheelchair"
Answer: Yes.

Nam Sang-wook Q: Do you remember clearly at the time of confiscation?
A: I can recall a dim.

Nam Sang-wook Q: So if the suspect drinks a lot of alcohol, can not he remember all of it?
Answer: Yes.

Nam Sang-wook Q: Maybe you can remember a dimly or not?
Answer: Yes, yes.

Nam Sang-wook Q: At the time of the seizure of the suspect, the suspect made an insult such as "I am sick." Do you remember?
A: I can not remember which word I used, but I remember remembering that I was hurried.

Nam Sang-wook Q: In conclusion, the suspect has a good memory, but the suspect does not remember all the contents when he drinks a lot.
A: It is true that alcohol causes memory loss.

Nam Sang-wook Q: In the room where the suspect was sleeping, several masks were found, and for what purpose did he bring them?
Answer: I bought two from the domestic Internet site for use as a toy. (The investigator did not record the statement in the memorandum that the suspects "bought the same toy when buying a product on the Internet and trying to meet the shipping reduction conditions.")

Nam Sang-wook Q: How do you use a mask as a toy?
A: I had fun with two mothers of relatives on the New Year's Day.

Nam Sang-wook Q: Is not that what you bought to use?
A: I have an intention to write and play.

Nam Sang-wook Q: Is it fun to play in the sun?
Answer: Not written. (The suspect stated in the sense of "I have never written a mask since purchasing it.")

Nam Sang-wook Q: What type of mask is it?
Answer: Eyes are white circles, nostrils and mouth are small masks.

Nam Sang-wook Q: This mask is the mask of the famous hacker group Anonymous?
Answer: No.

Nam Sang-wook Q: How is it not?
Answer: Anonymous mask has a mustache.

Nam Sang-wook Q: How much did you buy when you went upstairs?
A: I can not remember the price range.

Nam Sang-wook Q: Anonymous is a famous hacker group on the Internet, right?
Answer: Yes, yes.

Nam Sang-wook Q: How did you know Anonymous?
A: I learned from the news.

Nam Sang-wook Q: In the blackmail about the Obama family, there is a post that says, "I am always tired of wearing a sex dresser and doing masturbation." What does a sex dresser mean?
Answer: A sultry costume is high heels in stockings.

Nam Sang-wook Q: Is not mask wearing?
A: I know there is a separate mask for senility. (The suspect stated in the sense that "If you go to a sexual disorder, you will have symptoms.")

At this time, the attorney gives attention to the suspect. The suspect is hesitant for a moment. (Park Cheol-hyeon, an attorney, told the suspect, "This is a place for investigation, not a knowledge hall.")

Nam Sang-wook Q: Do the athletes wear masks a lot?
Answer: I have not seen it.

1244Nam Sang-wook Q: Do you have your favorite side dish?
1245 Answer: I prefer meat and meat.
1246
1247Nam Sang-wook: Do you usually like Kimchi?
1248 Answer: Sometimes I eat.
1249
1250Nam Sang-wook Moon: Which kimchi do you like?
1251 A: I like cabbage kimchi that my mother gave me.
1252
1253Nam Sang-wook Q: Are you safe from AIDS if you eat a lot of kimchi?
1254 A: I do not think it is groundless.
1255
1256Nam Sang-wook Q: In what way do you think like this?
1257 Answer: I know there is no evidence in Yang medicine.
1258
1259Nam Sang-wook Q: Do you not trust TCM?
1260 Answer: I do not trust.
1261
1262Nam Sang-wook Q: Obama's family intimidation article says "I eat Kimchi and I am safe from AIDS." What do you think about the above?
1263 A: I think it is bullshit. (The accused stated it in the sense of "there is no basis.")
1264
1265 The suspect responds confidently. (Because it is natural).
1266
1267Nam Sang-wook Q: Then why did you post the above?
1268 Answer: There is no answer for me.
1269
1270Nam Sang-wook Q: What were you doing on July 7th and July 8th, 2015?
1271 A: I was at home and I do not know what I was doing.
1272
1273Nam Sang-wook Q: Who were you with at the time?
1274 Answer: There were only three people like father, mother, me.
1275
1276Nam Sang-wook Q: Who gets access to the room where the suspect's laptop is found?
1277 Answer: I go in alone and use it. I can not let anyone get in.
1278
1279Nam Sang-wook Q: Do you have any reason to use this room alone?
1280 A: I do not like anyone who touches my stuff.
1281
1282Nam Sang-wook Q: Are you usually alone in the room above?
1283 Answer: Yes. I am alone.
1284
1285Nam Sang-wook Q: Why did you stop the entrance of the room with a bookcase?
1286 A: It is noisy. I moved the bookcase to the door entrance.
1287
1288Nam Sang-wook Q: Do you know that the suspect mother at the time of the seizure prevented the entrance to the room above the investigators?
1289 Answer: I first heard. (At the time of the confiscation, the accused continued to stay in the room next to the porch in the surveillance of two police officers.)
1290
1291Nam Sang-wook Q: What do you do alone in the room above?
1292 A: I study and access the internet.
1293
1294Nam Sang-wook Q: What is the identity the suspect uses on the Internet?
1295 Answer: There are several IDs such as helpmeusacom@gmail.com. Domestic mail is not used. (The suspect has Naver and the next ID that he does not use.)
1296
1297Nam Sang-wook Q: Why do you use overseas email only?
1298 Answer: To use the Google blog, Naver and the next time I post my article because the blog is blocked.
1299
1300Nam Sang-wook Q: What kind of content does this block?
1301 Answer: Political writings (such as writings about women) block themselves.
1302
1303Nam Sang-wook Q: Are you interested in politics as usual?
1304 A: I am not an enthusiastic political follower, but my political orientation is patriot pay. I have never joined a special political party.
1305
1306Nam Sang-wook Q: What do you think of Lim Soo-kyung?
1307 Answer: It is a pen name.
1308
1309Nam Sang-wook Q: I'm from the school of the suspect. What do you think about Lim Soo Kyung?
1310 A: If Mr. Soo-kyung left Yong-in campus, he would have supported the department elsewhere.
1311
1312Nam Sang-wook Q: What did Ms. Soo Kyung major in?
1313 A: I graduated from French literature.
1314
1315Nam Sang-wook Q: Then do you hate Lim Su Kyung?
1316 ANSWER: Ms. Soo Kyung Lim is hated by the North Koreans.
1317
1318Nam Sang-wook Q: So what do you think about the best site for the day?
1319 A: I think they are poor people. (The suspect thought, "Because I can not get a job, and I live with my parents at home.")
1320
1321 At this time, the suspect trims. (Because the suspect was unable to eat, the sperm from above rises.)
1322
1323Nam Sang-wook Q: Who uses the notebook?
1324 Answer: I use it.
1325
1326Nam Sang-wook Q: Do parents and siblings use a laptop?
1327 Answer: No. Not once.
1328
1329Nam Sang-wook Q: Who knows your notebook password?
1330 Answer: I know only.
1331
1332Nam Sang-wook Q: Why did I set a password on my laptop?
1333 Answer: I only use it for myself.
1334
1335Nam Sang-wook Q: What does the password mean?
1336 Answer: No meaning. (The suspect has demonstrated to the investigator that it is an easy location to press the index and stop on the keyboard.)
1337
1338 At this time, we show the screen shot of the SuperHideIp program found on the suspect's laptop desktop to the suspect, and attach it at the end of this document.
1339
1340Nam Sang-wook Q: I have found a program that can hide the SuperHideIp IP on the suspect computer desktop. I analyzed the above program directly by Cybercrime, and it was easy to change my computer's IP with a mouse click. Why can I change it to U.S.IP when I connect to the internet in Korea? Why?
1341 Answer: I downloaded and installed it on the Internet. (The suspect was doing something just once after installation.)
1342
1343Nam Sang-wook Q: Is not it the intention to hide your IP?
1344 Answer: No.
1345
1346Nam Sang-wook Q: I did not intend to hide. Why did you download it?
1347 Answer: I am interested in seeing the arrest news about IP trace, and got it downloaded.
1348
1349Nam Sang-wook Q: How did you find out that you have the above program?
1350 Answer: I learned from internet search.
1351
1352Nam Sang-wook Q: How exactly did you download it?
1353 Answer: I have downloaded the keyword "ip change" from Google and searched the web page, but I do not know which site I got it from.
1354
1355Nam Sang-wook Q: Why are you trying to hide IP?
1356 Answer: I do not know.
1357
1358Nam Sang-wook Q: Do you make statements that only a disadvantageous statement is "I do not know"?
1359 A: In the news, I found that the police were arrested for tracking down the IP. (The suspect stumbled across KBS News, which reported this incident on a large television set in the Jongno police station detention center.)
1360
1361Nam Sang-wook Q: So, what kind of crime did you download?
1362 Answer: No.
1363
1364Nam Sang-wook Q: How many times have you tried this program?
1365 Answer: I installed Super Hide IP and tried it once after installation.
1366
1367Nam Sang-wook Q: How about running this program?
1368 Answer: It was executed with a single mouse click. I did not check whether the IP was changed, but I tried to execute it.
1369
1370Nam Sang-wook Q: Is it easy to change the IP?
1371 A: I think it depends on the person.
1372
1373Nam Sang-wook Q: After we have run the above program, it is easy to operate with a single click of the mouse. We also say that the suspect is executed with a single mouse click on the statement. What does it mean by different people? Does it mean that clicking the mouse is difficult?
1374 Answer: It's easy to run, but I think there is a difference between people searching and finding them. To find the above IP change program, it means that no one can find and search well.
1375
1376Nam Sang-wook Q: Do the suspects ultimately have the ability to find programs that can change the IP?
1377 Answer: I accidentally found it.
1378
1379Nam Sang-wook Q: Anyway, you entered your keyword directly into Google search, and you actively found it?
1380 Answer: No.
1381
1382Nam Sang-wook Q: In the previous statement, why did you say that you searched for a program by entering keywords directly, and now you accidentally found it?
1383 Answer: It is not a reversal of a statement. SuperHideIp is a coincidence that I clicked one of the tens of thousands of search results in the search result called IP change.
1384
1385 (At this time, a police officer Kwak Dong-gyu was sitting beside Nam Sang-wook's investigator and asked him, "Who did you coach?" Kwak Dong-gyu, as an investigator in the first and second police investigations, I asked him with a smile, "OO, is there something wrong with your mind?" Why did you do that? "But when the investigator did not go as planned, he started to press it like this.
1386
1387Nam Sang-wook Q: Did you spend a lot of time looking for the above program?
1388 A: I do not know that. (A suspect could not remember because there were a huge number of suspects who searched the Internet from time to time.)
1389
1390Nam Sang-wook Q: Do you think the suspects search ability is good?
1391 A: I do not think so. (The suspect stated "I do not have an internet search ability certificate".)
1392
1393 At this time, take a break for a while. (At this time, police officers from the police department gathered to discuss the next question.)
1394
1395 (At the time of the investigation, an older investigator (Kim Jin-kwang) said to Nam Sang-wook, "Do you have to turn on your laptop?" Nam Sang-wook said, "I need to turn on my laptop to run VMware." The investigator said to Nam Sang-wook, "Then think carefully and turn on the notebook!" Nam Sang-wook went upstairs, and again, from the next investigation, Nam Sang-wook questioned me about the female anatomical image. I guess Nam Sang-wook went to the second floor and manipulated the laptop.)
1396
1397Nam Sang-wook Q: I checked the information on cybercrime today with the above IP change program.
1398 Answer: It seems easy to double-click to run the program.
1399
1400Nam Sang-wook Q: What site did you access with the above program running and changing the IP?
1401 A: I do not remember.
1402
1403Nam Sang-wook Q: If you look at the date of installation of the above program, the date of the last access is June 6, 2015. When was the last date used?
1404 Answer: I used it once on the day of installation on July 16, 2014.
1405
1406 At this time, show the observer's photo and picture file (filename: IP address washing method .jpg, any weblock readme.jpg) found on the suspect's notebook and attach it to the end of this article.
1407
1408Nam Sang-wook Q: The picture file (IP address washing method .jpg) found on the suspect's notebook shows how to download and install the site detour access program which is blocked in Korea. Any weblock readme.jpg explains how to block access to websites from your computer. Is it possible to keep the above files in order to access some blocked sites in Korea?
1409 A: You were not trying to connect to a blocked site.
1410
1411Nam Sang-wook Q: How to Wash IP Address Above The .jpg file was created by the defendant's own editing program, right?
1412 A: I've captured and saved the results of searching for "change my ip" on Google.
1413
1414Nam Sang-wook Q: The suspect has a lot of doubts about IP, asking him to check the IP posted on 4chan.org. According to recent cyber-investigation techniques, IP modulation is very easy, so you can not identify suspects with just one IP. Is not it because I suspect that the suspect has altered the IP or used other means of detouring?
1415 Answer: No. I did not know how to investigate, and I saw the arrest news through IP tracking. (The suspect did not ask for "please confirm the IPs posted on 4chan.org" and asked for the IPs in the news article "I traced the IPs." Of course, There is a number.)
1416
1417Nam Sang-wook Q: There are many ways to change the IP.
1418 Answer: I do not know.
1419
1420Nam Sang-wook Q: What do you usually think about the United States?
1421 A: I am longing for the United States and working for US citizenship and green card.
1422
1423Nam Sang-wook Q: Is Obama Democratic or Republican? (The previous day, the suspect received a long-term investigation of the crime profile, which was not recorded in the memorandum separately from the police investigation. At this time, the suspect had stated that Obama was a Republican in a questionnaire with two crime psychology professors, When the investigator who was observing from the outside tried to search the internet, it was different from the fact, and the police investigation asked this question the next day.)
1424 A: As far as I know, Republicans. (The suspect responded to the investigator after commenting in advance that the criminal psych profiler was a question yesterday, but the statement did not record this statement.)
1425
1426 At this time, using a smartphone search through Wikipedia, Obama will show the suspect that he is a Democrat.
1427
1428Nam Sang-wook Q: Why did you think Obama was a Republican?
1429 A: I do not know about American politics. (The suspect stated "not interested in American politics." The suspect, when the investigator came to the conclusion, "presumed Obama as a Republican because the northern United States, where the liberation of black slaves began, is the base of the Republican Party." But did not record.)
1430
1431Nam Sang-wook Q: Is Democratic Party more progressive than Republican Party?
1432 A: I do not know that.
1433
1434Nam Sang-wook Q: Do not you know that you are interested in politics?
1435 A: I do not know about American politics. (The accused stated that they are "interested only in domestic politics.")
1436
1437Nam Sang-wook Q: What do you think about Obama?
1438 A: I think he is respected as the first black president in the United States.
1439
1440Nam Sang-wook Q: Is the image of a monkey synthesized by Obama and Michelle synthesized by the suspect?
1441 Answer: No. Downloaded. (I suspect the suspect downloaded the 4chan watermark below the photo.)
1442
1443Nam Sang-wook Q: Where did you download the above file?
1444 Answer: I downloaded it from 4chan. (I suspect that the suspect downloaded the 4chan watermark below the photo and downloaded it from 4chan, but in some cases the source was downloaded from a non-4chan location because it was downloaded from Google's search results.)
1445
1446Nam Sang-wook Q: What is the above picture?
1447 A: This is a picture of Obama as a monkey.
1448
1449Nam Sang-wook Q: Why did you download Obama's image and say that he saved it on the suspect's computer?
1450 At this time, the suspect trims. (Because the suspect was unable to eat and sickness came up inside.)
1451 Answer: I have downloaded it in order to utilize the background of the person who made the picture above as a material for writing criticism.
1452
1453Nam Sang-wook Q: Did you write criticism on your blog?
1454 A: I would not have. I do not know for sure. (The suspect later downloaded the photo because he was going to write if he had time.)
1455
1456Nam Sang-wook Q: I have a bad feeling about Obama. Did not I download the photo above?
1457 Answer: No.
1458
1459Nam Sang-wook Q: Is not it a fun thing to write because I have not written any articles?
1460 Answer: No.
1461
1462Nam Sang-wook Q: Is it fun to look at the pictures of Above Obama?
1463 Answer: Disgusting.
1464
1465Nam Sang-wook Q: I told you that Obama's photographs are disgusting, but if you do not write related articles, should not you? Why did you keep it?
1466 Answer: I will use it later when I write again. (When the suspect tried to write, he kept it on his laptop because he could not find it on the internet.)
1467
1468Nam Sang-wook Q: What do you think about black people?
1469 A: I think that black people are the same person and call themselves black people themselves. (The suspect thought that the sword should be replaced with the word 'African American' with the word 'black', because it is a racist word.)
1470
1471Nam Sang-wook Q: The suspect is very clear about the above question. What belief do you have about racism?
1472 A: Racial discrimination is an ideology by some white supremacists. This includes blacks and asians. Therefore, Koreans can also be victims of racial discrimination.
1473
1474Nam Sang-wook Q: Does the suspect think that I am logical and reasonable?
1475 Answer: I only believe in evidence as much as possible.
1476
1477Nam Sang-wook Q: By the way, why did you say you did not commit the crime while trusting all the results of computer digital evidence analysis?
1478 Answer: The SuperHideIp is a bit less reliable.
1479
1480Nam Sang-wook Q: Even if you have a friendly feel for the US in general, can you think of it as bad for Obama?
1481 A: Because I work for US citizenship, I do not think separately. (The suspect described the police investigator as "honoring Obama, the first black president," but did not record it.)
1482
1483Nam Sang-wook Q: Have you read a lot of articles about Obama?
1484 A: I have not read much. (The suspect had not read much of the article because he was not interested in American politics.)
1485
1486Nam Sang-wook Q: What do you think about Obama's attack on the terrorist group IS?
1487 A: The attack on the terrorist group is an absolute support.
1488
1489 At this time, the suspect was found in the OO notebook. The brain was blurred, the woman was naked in the grass, the body was naked, the child was naked, the anus was opened with his fingers, , A picture of a child with a knife in his stomach, a picture of inserting a male penis into the anus, a picture of autopsy of the body's head and abdomen, a picture of the body's eye, a picture of the body's head, A photo of a woman showing her blood in her pussy, a photo of a woman showing a broken thorax, a picture of a woman's head being cut off, a picture of a woman's penis, a penis, Two men are fingers of a child's penis, a picture of a woman cutting her head in the body, a picture of a Korean flag in her bowel movement, a picture of her lower body cut off, A photograph of a woman's legs being cut off, a picture of a woman dropping blood, a picture of a man shaking a manpower in North Korea, a picture of Kim Jong Il, a picture of a witch in the body, a picture of Kim Jong Il with children , A photo of women wearing surgical gloves and a woman's anal opening, and showing them at the end of this paper. (The investigator tried to express the meaning of each photo in the blank space on page 591 as much as possible.) The suspect said, "With this kind of investigation, If there is anyone passing by, it is a psycho pass. "
1490
1491Nam Sang-wook Moon: A total of 35,438 picture files (extension jpg, png) were stored on the suspect computer. About one quarter of them were stored. As shown to the suspect, many female anus pictures and body pictures Why was the above picture file stored on the suspect computer?
1492 Answer: I was interested in death, so I downloaded the above photo, and the woman's anal photo was downloaded because it was porn. (Nam Sang-wook, a cyber investigator who led the interrogation process from the third police investigation, said, "I am guilty only by possession of the above photo file. I can add more charges that I did not prosecute." He threatened the suspect to feel frightened, I went ahead.)
1493
1494Nam Sang-wook Q: Is the suspect file taken by the suspect himself?
1495 Answer: No. I downloaded it from the Internet.
1496
1497Nam Sang-wook Q: Where did you download the Internet?
1498 A: Google has searched the website for porn related words, and body pictures have also found and downloaded websites based on the results linked from the porn sites. (All the suspects could not remember.)
1499
1500Nam Sang-wook Q: How do you feel when you look at a photo file like this?
1501 Answer: I am not happy, but when I receive the AP Reuters communication at KBS, I get a lot of cruel pictures. So it seems that I became more interested in the above picture.
1502
1503Nam Sang-wook Q: Then, did you become interested in the above pictures while working at KBS?
1504 Answer: No. After leaving KBS, the pace began to change pessimistically.
1505
1506Nam Sang-wook Q: What does it mean to be pessimistic?
1507 A: I know Nietzsche is pitiful.
1508
1509 At this time, (the investigator did not record "Attorney Park Chul-Hyun"), I checked the dictionary of pitfalls with a smartphone and said "I hate the world and see everything as dark and negative" Show it to the suspect. (The lawyer Park Chul-hyeon, who has been silent, searches for his smartphone and handed his smartphone voluntarily even though the investigator did not ask for it. In the prosecution investigation, Park Cheol-hyeon counseled the suspect along with the prosecution attorney I stood in the position of.)
1510
1511Nam Sang-wook Q: Is the above dictionary definition meaningful to the suspect?
1512 A: What I'm talking about is the content of a longing for death.
1513
1514Nam Sang-wook Q: So, did you post a statement to the Blue House about suicide?
1515 A: That was to insist my position for political purposes.
1516
1517Nam Sang-wook Q: Have you ever tried to die?
1518 Answer: No.
1519
1520Nam Sang-wook Q: So what do you do about death?
1521 Answer: Yes, yes.
1522
1523Nam Sang-wook Q: I think it would be insulting to killing a person if I often see the above picture. What is the opinion of the suspect? (The cyber investigator, Nam Sang-wook, asked the cyber criminal investigation team to expand the scope of the investigation, and tried to prove the suspect's allegations until the murder of the US-based cyber criminal investigators. )
1524 A: I do not know that.
1525
1526Nam Sang-wook Q: For ordinary people, I do not think I will download unnecessary downloads to my computer even if I see pictures like this once or twice in curiosity. The reason why I downloaded and stored hundreds of such body photographs What is it?
1527 A: It's a habit to download.
1528
1529Nam Sang-wook Q: How do I download it?
1530 Answer: Click the right mouse button to save.
1531
1532Nam Sang-wook Q: Where do you store it?
1533 Answer: Save on your desktop.
1534
1535Nam Sang-wook Q: Do not you be surprised when you see a picture of a body above a desktop?
1536 Answer: The desktop is not surprised because it does not have a preview function. (Windows XP does not have a preview on the desktop.)
1537
1538Nam Sang-wook Q: Then, in Windows Explorer, can I preview my desktop picture?
1539 A: I do not even see my desktop by using Windows Explorer.
1540
1541Nam Sang-wook Q: Do I have to use Windows Explorer to work on my computer?
1542 Answer: Use it occasionally. (The police cybercrime investigates and inquires about the computer usage habits of the suspect more than the result of the evidence analysis.) It is suspected that the investigation of the civilians through the hacking of the police before the police seizure.
1543
1544Nam Sang-wook Q: Why do you download only a woman's body image, mostly a female body image, and a male body image is rarely identified?
1545 Answer: There is no particular reason. (Because netizers prefer female body images to male body images, there are more female body images on the internet.)
1546
1547Nam Sang-wook Q: Is not it because of hostility to women?
1548 Answer: There is no hostility.
1549
1550Nam Sang-wook Q: But why do most women only download photos of women? (I repeatedly asked the question the investigator did.)
1551 Answer: There is no special reason. (At this time, the investigators of the investigators including Kwak Dong-gyu, who also had a visit to Nam Sang-wook, gave examples of experiences such as the autopsy of the twin baby corpse and the autopsy of the pregnant woman's body. Acknowledgment of appropriate behavior.)
1552
1553Nam Sang-wook Q: Do you know about the suspects viewing such photos and storing them on the suspect's notebook?
1554 A: You do not know.
1555
1556Nam Sang-wook Q: How do you feel about your parents?
1557 A: I think I should get a family register. (At this time, investigators and police officers laughed aloud.)
1558
1559Nam Sang-wook Q: Have you ever posted the above file to another Internet site?
1560 Answer: Not at all.
1561
1562Nam Sang-wook Q: In the meantime, if you look at the suspect's statement, you have downloaded it to post on blogs such as Obama's photographs. Did not you download the body photos for posting or posting?
1563 A: The body is not the subject of my blog.
1564
1565Nam Sang-wook Q: What is the subject of the suspect blog?
1566 A: My blog topic is thoroughly political.
1567
1568Nam Sang-wook Moon: In the picture of the female body above, the file name is 'cute-dead-girs-random number'. Does the suspect think that the female body image is cute?
1569 Answer: No. That's not what I made the file name, it's the filename, and I think it's crazy if I think it's cute. (The suspect stated, "The file name was downloaded from the Internet.")
1570
1571Nam Sang-wook Q: So what do you think about who posted the picture of the body above?
1572 Answer: I did not see that the above picture was uploaded on the Internet.
1573
1574Nam Sang-wook Q: Is the above body picture a real body picture?
1575 A: I do not know if I am authentic.
1576
1577Nam Sang-wook Q: How did you find out about the sites that have photos like this on the Internet?
1578 Answer: I ran through Google.
1579
1580Nam Sang-wook Q: Do you usually do a lot of searches on Google?
1581 Answer: I do a search on Google, and I use it to study with Google.
1582
1583Nam Sang-wook Q: Does the suspect have any bad memories about the anus?
1584 Answer: Yes, yes.
1585
1586Nam Sang-wook Moon: According to the complaint filed by the Ministry of National Defense, the suspect was raped by a subordinate and the police officer put the penis in his mouth about 20 times and shook it about 20 times. Did the platoon commander put the penis in the anus?
1587 Answer: Yes, yes.
1588
1589Nam Sang-wook Moon: Do you really have 20 shakes?
1590 A: I do not know that.
1591
1592Nam Sang-wook Q: Why did you write 20 times?
1593 A: At that time, I thought so. (The suspect was estimated 20 times at the time.)
1594
1595Nam Sang-wook Q: Is not it possible to write false content in the complaint?
1596 Answer: Yes.
1597
1598Nam Sang-wook Q: Is not it possible to describe 20 times if there is a basis or a memory for any certain number of times? If not, will the Ministry of Defense be able to deal with it later?
1599 Answer: I did not set the number of times clearly.
1600
1601Nam Sang-wook Moon: I have a bad memory for anus. I only store a female anal picture on a separate computer and say to the White House: "I was tired of wearing a suture costume and doing masturbation. I'm going to rape my fourth daughter, Natasha, in the anus. Because it seemed to be a more polite way to ask. I think that the anus of the second daughter is more resilient than the anus of Malia (the first daughter), so I should get permission from the parents before I feel black anal. "
1602 Answer: No.
1603
1604Nam Sang-wook Q: How did you find out that your second daughter's anus was more resilient?
1605 Answer: No.
1606
1607Nam Sang-wook Q: For what reasons did you keep the photo file with stool on Taegeukgi?
1608 Answer: I saved it to write a criticism against contempt of the flag. (The suspect stated "in order to criticize the act of insulting the flag, the photograph was saved.")
1609
1610Nam Sang-wook Q: Do you have any material to prove that you wrote a blog?
1611 A: Currently, this is not possible.
1612
1613Nam Sang-wook Q: What did you think about the photo above (photo with stool on the flag)?
1614 A: In this way, blaspheming the country itself was considered insipid. (Investigator erroneously recorded 'national flag' as 'country'.)
1615
1616Nam Sang-wook Q: Do you have any photos posted on 4chan.org with stool on the top?
1617 Answer: I do not know. (The suspect stated to the investigator that "the posts posted on 4chan are not posted on 4chan unless they are on the blog because they post the same on the blog," but did not record it in the dossier.)
1618
1619Nam Sang-wook Q: The suspect is stating that the adverse statement is "I do not know".
1620 Answer: I do not judge whether it is a favorable or an unfavorable question, and I do not remember what I do not remember. (The accused stated "not to judge" but not "to judge.")
1621
1622Nam Sang-wook Q: For what reasons did Kim Jong Il and Kim Jong Eun photographs and North Korean artifacts be stored on the suspect computer?
1623 Answer: I downloaded it as a material to write a critical article about Kim Jong Il, Kim Jong Eun, and Kim Il Sung.
1624
1625Nam Sang-wook Q: Did you write the above criticism?
1626 Answer: I am not sure, but I would have written it.
1627
1628Nam Sang-wook Q: Do you have any material to prove?
1629 A: There is currently no documented evidence.
1630
1631Nam Sang-wook Q: What do you think about North Korea?
1632 A: North Korea is a Republic of Korea.
1633
1634Nam Sang-wook Moon: In the text of the intimidation article, "I hope to penetrate the anus of black people before I was killed by Kim Jung Eun" is posted. I usually read Kim Jung Eun's photo, Posted?
1635 Answer: No.
1636
1637Nam Sang-wook Q: Do you often get things that you do not remember well?
1638 A: Two years ago, but not now. (The suspect stated, "Two years ago, when I was working before 2013, I was drinking and the film was broken.")
1639
1640Nam Sang-wook Q: 7. 20. At the time of the investigation, I posted the following message in the Cheong Wa Dae and the National Newspaper: "I will commit suicide" and "I will demonstrate". In the past, I remember correctly, 7.7 at the time of the crime. And 7.8. The contents do not remember exactly what we did. Does the suspect just state that he wants to remember what he wants to remember and does not know what he does not want to remember? (The military rank of the suspect is the sergeant, and in the complaint, only the name of the subcommittee is listed, not the elder sibling.)
1641 Answer: No.
1642
1643Nam Sang-wook Q: So why do not you remember the recent events?
1644 A: I have lost the concept of time because the same life repeats itself.
1645
1646Nam Sang-wook Q: 7.7. And 7.8. At the time of the crime, I drank a lot of alcohol and posted blackmail in the White House.
1647 Answer: No. (The police's claim is different from the fact that "I drink a lot and the film is broken.")
1648
1649Nam Sang-wook Q: When exactly did you find out about 4chan.org?
1650 A: I do not know the exact time, but I got to know it in the early 2000s. (I'm not sure, but the suspect did not know 4chan early on.)
1651
1652Nam Sang-wook Moon: According to the Seoul Central Police Agency's cybercrime investigation report, http://helpkorea.blogspot.kr, http://fuckingkorean.blogspot.kr, http://unicefusa.blogspot.kr, http://antihufs.blogspot.com, http://plus.google.com/112036166079289779835/posts, http://ihatekorea.blogspot.com, http://helpmeusa.tumblr.com, http: // jeolladian. It is confirmed that there are 10 blogspot.kr, http://helpmeusa.egloos.com, and http://sangpyenyeo.blogspot.kr. In the above suspect blog, the suspect Citibank account (370-07421-268-01) ID helpme@usa.com was listed. Is it a blog operated by suspects?
1653 Answer: Yes, yes. (The alleged "http://plus.google.com/112036166079289779835/posts" was an unknown number in the address.)
1654
1655Nam Sang-wook Q: When I translate the blog url address into http://ihatekorea.blogspot.kr, http://antihufs.blogspot.kr, I hate Korea, I am anti-foreign language, how much I hate Korea and foreign language is anti ? (The next questioner turned to the monitor that was writing the dossier, showed the suspect the blog screen, and told me what was posted before the answer.)
1656 A: This site was created to discuss the absurd aspects of Korean society, unreasonable aspects. Korea does not like it or hate it, and has opened antihufs.blogspot.com to post content for criticizing Lim Soo-kyung. (The investigating officer also knew that there were so many articles posted on the suspect's blog that he could not remember it, and he showed the blog to be quoted in the statement, but the record did not record the act of the investigator. The reason was simply to preempt the blog name, but there was also the intention to prevent them from being exploited by others for malicious purposes. "However, the investigators did not acknowledge the sincerity of the suspect)
1657
1658Nam Sang-wook Q: Was the suspect planning to study in France?
1659 A: I was studying in France or studying in the US.
1660
1661Nam Sang-wook Q: Was the suspect considering foreign immigration?
1662 A: It was the next best thing if you were not studying in France or studying in the US. (As soon as the suspects were released from the detention center as a bail, the lawyer Kim Yong-min attending the trial after the lawyer Park Chun-hyun filed a number of documents including the admissions documents from the US university and the contract documents received from the immigration company. Submitted.)
1663
1664Nam Sang-wook Q: Why are you considering foreign immigration?
1665 A: I do not want to send troops to my child.
1666
1667Nam Sang-wook Q: Why are you posting on more than 10 blogs?
1668 A: It was a diary purpose for my political opinion. (The suspect described it in the sense of "It was a leisure time to cool my head while studying.")
1669
1670Nam Sang-wook Q: Why are you posting a lot of articles on the above blog?
1671 A: In the early days, I wrote articles of political beliefs that many people would read and write to, and later to post political articles. (Kwak Dong-kyu investigated how much the suspect had received the donation, and the suspect said, "It is all about donation of 20,000 won, try tracking your Citibank account.") After giving up, studying the blog in French, I changed my mind to use it for leisure. "But the investigators did not record it in the dossier.)
1672
1673Nam Sang-wook Q: How do Internet users respond to the blog of the suspect?
1674 Answer: No comments.
1675
1676Nam Sang-wook: Do you increase the number of visitors if you post interesting and exciting posts on your blog?
1677 Answer: No.
1678
1679Nam Sang-wook Q: What do you think if you write hard and the number of visitors does not increase?
1680 A: I do not care. (The suspect is blogging for hobbies and leisure purposes.)
1681
1682Nam Sang-wook Q: What is the position of the suspect in Internet cyber?
1683 Answer: There is almost no presence.
1684
1685Nam Sang-wook: Do the suspects work only at home rather than at home?
1686 Answer: Yes, yes.
1687
1688Nam Sang-wook Q: Do you want to get attention from others on the internet because you are not doing outside activities?
1689 Answer: I am interested in seeds in jargon, but I am not interested in seeds. (The investigator records the word 'jargon' that the suspect has not written in the record.)
1690
1691Nam Sang-wook Q: I want to get interested in the White House and posted a blackmail message.
1692 Answer: No.
1693
1694Nam Sang-wook Q: But why did you post to 4chan.org?
1695 A: I did not post it on 4chan.org.
1696
1697Nam Sang-wook Q: If you look at Lippert's intimidation article, "I declare President Terror to Obama. Is not it a beautiful night?" The suspect is mostly at night? Is it really a beautiful night? What do you think about this phrase?
1698 A: I do not know that.
1699
1700Nam Sang-wook Q: The threats posted on the White House's homepage on the suspect's laptop, the file capturing the original text, the file captured after the completion of writing in the White House (Thank you), the trace of viewing the captured file, 4chan.org site to post the original text of the intimidation, again capturing the above posted article, the trace of the above capture file was clearly identified by the time order, but the suspect has not posted, did not acknowledge. Why?
1701 Answer: I have not posted.
1702
1703Nam Sang-wook Q: So the suspect's parents or sister posted the article?
1704 A: My parents are not related to my sister because the notebook is what I use.
1705
1706Nam Sang-wook Q: Is it not your parents, your sister or the suspect?
1707 Answer: No. Please consider the possibility of hacking. (The parents of the suspect and lawyer Park Chul-hyeon said, "The traces of the hacking were found on the suspect's notebook and should be stated in the police investigation." However, the police spread the statement to the press and said, "The suspect is a third- (KCNP News, Internet News Article), "and said," It is the people who say that our house cat is the key to the keyboard "I was tortured and blamed for everything I had never experienced before."
1708
1709Nam Sang-wook Q: What hacking program do you mean?
1710 A: I do not know that either.
1711
1712Nam Sang-wook Q: Have you ever been hacked?
1713 Answer: I have never been hacked.
1714
1715Nam Sang-wook Q: Although the suspect clearly remembered his activities during his military service and his posting on the Blue House and the National People's Magazine last year, he continued to lie about the fact that he did not remember his post on the White House site. What is it?
1716 A: I never lied. (The investigator responded briefly to each case when the suspect responded.) The suspect responded to the complaint posted in the Blue House and the National Census Bureau by postal mail from the person in charge and kept the post and reply to the post I remember because I had saved it on my blog, and the suspect consistently said "I did not post it" about whether or not to post the blackmail in the White House, and did not say "I do not remember."
1717
1718Nam Sang-wook Q: Does the suspect usually lie well?
1719 A: I can not lie.
1720
1721Nam Sang-wook Q: I do not recall an important question. What do you think about the fact that the investigator seems to admit that he posted the article?
1722 Answer: I did not remember, so I made the statement as above.
1723
1724Nam Sang-wook Q: If I do not remember, can I drink and not remember?
1725 Answer: Not. I think there are multiple factors.
1726
1727Nam Sang-wook: You may not remember a lot of alcohol at the time of the crime?
1728 A: I did not have to break the film because I drank a lot of alcohol.
1729
1730Nam Sang-wook Q: At the time of the seizure search, I drank a lot of alcohol and stated earlier that I remember faintly. Then you can not remember it because you drank a lot of alcohol at the time of the crime?
1731 At this time, the suspect shakes his head and thinks for a moment. ("I can not remember" is not the word "I do not remember.") The guiding question of the investigator was not logical, so the look of the accused was not understood by the guilty pleasures of lying, I did it.)
1732 Answer: I do not know.
1733
1734Nam Sang-wook Q: What do you think about the fact that the suspect is being denied even though the evidence is clearly revealed by the computer analysis program Encase? Is it a reasonable answer to state that you do not remember well?
1735 A: I do not know because people are beyond their abilities. (The accused stated earlier that "the access time analysis results of SuperHideIp are different from the truth and the credibility of the Encase program is poor.")
1736
1737Nam Sang-wook Q: How did you keep all two of them on the suspect computer, not one of them? What do you think of that?
1738 Answer: I guess that the two intimidation posts are not considered to be much difference, it is estimated to have been uploaded continuously.
1739
1740Nam Sang-wook Q: The Obama intimidation article is about 6 hours difference on July 7, 2015, about 7:20 pm, and Lippert's intimidation article is about 7.8 02:26. Is it?
1741 Answer: I was wrong. (The suspect believes that two blackmails may have appeared in the same search result at the same time.)
1742
1743Nam Sang-wook Q: What is your relationship with your parents?
1744 A: I have a good relationship with my parents.
1745
1746Nam Sang-wook Q: Did your father train hard?
1747 Answer: It was not severe. (The suspect responded with a lawyer, Kim Yong-min, "I played with my father and BB gun at a young age.")
1748
1749Nam Sang-wook Q: What is your father's job?
1750 A: I was a teacher, but I retired this year.
1751
1752Nam Sang-wook Q: Have you ever been beaten by a father when you were a child?
1753 Answer: It is number 1 and nothing else. (The suspect responded to the investigator "I was hit one time.")
1754
1755Nam Sang-wook Q: Are you sure?
1756 Answer: Ask your father.
1757
1758Nam Sang-wook Q: Do you depend on your parents for everything?
1759 A: I do not depend on you.
1760
1761Nam Sang-wook Q: In the case of seizure search and emergency arrest, the accused lie down in the room with only panties, and an investigator in Seoul Metropolitan Police Agency explains about two or three hours to arrest her father and mother dozens of times, In case of an emergency arrest, the suspect said, "What does your father say? Did your father agree to an emergency arrest?"
1762 Answer: Yes, yes.
1763
1764Nam Sang-wook Q: If my father was arrested urgently and the police officers told me to go away, was he going to go on his own?
1765 A: If my father told me to go, he would not have responded. (The police claim that the suspect had been drunk and had a crush on him, but the suspect said he tried to arrest the police officers without revealing that they were police officers, and that he resisted knowing that they were bullets. The family of suspects filed a complaint with the Human Rights Commission that the police had violated human rights during the search and arrest of the police, but both the inspection office and the NHRCK I was ignored.)
1766
1767Nam Sang-wook Q: You have to judge yourself. Why did you ask your father about it?
1768 A: I was scared because I had more than 30 people in the situation. (The suspect lied on the bed and felt frightened when he covered the bed.)
1769
1770Nam Sang-wook Q: At that time, 9 to 10 people went to the suspect, and the suspect was lying for four hours at the time of the search.
1771 Answer: I also had a hangover, and it was annoying to be honest. (Kim Kyung-hwan, a cyber investigator who participated in the emergency arrest, said to the accused who was lying in bed, "Because of you, 10,000 people suffered from a night spent for a week.")
1772
1773Nam Sang-wook Q: But when my father says he does not agree, the suspect kept lying in bed?
1774 Answer: Yes, yes.
1775
1776Nam Sang-wook: Can the suspect be able to do it alone without the will of his parents?
1777 A: I do not know for sure, but I think it is natural to ask for help if you get caught up in a crisis situation. (Here 'help' means 'family help.')
1778
1779Nam Sang-wook Q: The suspect brother is living alone as a self-employed person, right?
1780 A: I'm working in Ansan.
1781
1782Nam Sang-wook: Why is the suspect unable to live independently like his brother?
1783 A: I spent two years in college, but I have difficulty getting along with my parents.
1784
1785Nam Sang-wook Q: What part was difficult?
1786 Answer: It was hard to eat food.
1787
1788Nam Sang-wook: Do you have any reason to tell the suspect when your father visits the Jongno police station, "Do not succumb to the police's remorse." (Based on the fact that the investigator had eavesdropped on the suspect.)
1789 A: I will not answer the above questions. (The suspect stated, "I will not reply to the fact that I have been tapped." The questioner, Nam Sang-wook, of the Cyber Investigation Team who answered these answers was quite puzzled and omitted the "tapped facts".)
1790
1791Nam Sang-wook Q: Does the suspect have his father's instructions unconditionally?
1792 Answer: Half. Sometimes it is unconditional and sometimes not.
1793
1794Nam Sang-wook Q: Suspect, what is your current age?
1795 A: OO year old Korea is 34 years old.
1796
1797Nam Sang-wook Q: Do you have a separate computer for your father?
1798 Answer: Yes. There is a separate computer.
1799
1800Nam Sang-wook Q: Do you work with your dad computer a lot?
1801 A: I do not know that. (The suspect stated "My father hates my father so much that I do not use it often", but I did not record it in the dossier.)
1802
1803Nam Sang-wook Q: All the evidence is clear, and a warrant for seizure of the suspect's residence was issued by the judge, and the emergency arrest was approved by the prosecutor. The suspect was given the opportunity to conduct an actual arrest warrant. What is the reason why I do not remember the suspect himself?
1804 A: I do not think so. (The investigator provided false information in order to pressure the suspect, the suspect read the documents presented by the police officer of the police investigation about the reasons for the arrest warrant issued by the judge at the detention center after the probation officer or the detention warrant. The suspect already knew that the judge had been convicted and did not issue because of all the evidence that was evident because of the concerns of escape and evidence of extinction.)
1805
1806Nam Sang-wook Question: Who gave the answer to the above?
1807 A: I have never been influenced by external influences.
1808
1809Nam Sang-wook: Do not you think your actions are wrong? (The investigator suddenly questioned the judge.)
1810 A: I certainly did not post it.
1811
1812Nam Sang-wook: Even now, I would like my parents to tell me the truth about what I have done, to seek good fortune and to live hard. What do you think of the suspect?
1813 A: I do not think I should cover the truth.
1814
1815Nam Sang-wook Q: Anyone can make mistakes, do not you think you can correct mistakes?
1816 A: I can not make mistakes because I did not make mistakes.
1817
1818Nam Sang-wook Moon: Looking at the s.txt file found on the suspect's notebook, the text file says, "I'm going to kill the Ambassador Repert by penetrating the US Embassy. Obama kidnapped my little daughter and I will rape my anus. "Why did you list the above?
1819 A: I do not know the keyword on the internet Google but I check the phrase on the website that I have searched for and copy it to s.txt. I copied and pasted it to a file. (The suspect did not know exactly where the Web site was located.) The investigator kept a record of the suspect's response long without a comma in the record, making it look like an excuse, and the meaning changed depending on where the reader was resting.
1820
1821Nam Sang-wook: Did not you post Obama and Lippert's intimidating articles in the White House by referring to the threats listed in the above s.txt?
1822 Answer: No.
1823
1824Nam Sang-wook Q: Looking at the above s.txt file, two emails used in blackmail, isshufs@gmail.com, Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea, 130-791 Posted by Lifee Iss Crazzyy, Address Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea, 130-791, Tel +82-2-2173-2062, Twitter https://twitter.com/ISIS_Med The address is listed, was not it planned for the crime?
1825 Answer: No. It came with copying and pasting.
1826
1827Nam Sang-wook Q: In addition, the above text file contains an e-mail isshufs@naver.com which is not used for the crime, and the above e-mail address is not also posted on 4chan.org. How is this e-mail address listed?
1828 A: I do not know.
1829
1830Nam Sang-wook Q: The intimidation is not written in Korean, but is it a Korean word?
1831 Answer: It is taken from the Internet and copied. (The suspect stated "I copied and pasted it.")
1832
1833Nam Sang-wook Q: And look at the s.txt file. Address, email, phone, fax number is "
1834 - Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea, 130-791
1835 - Website: http://summer.hufs.ac.kr
1836 - Phone: + 82-2-2173-2062
1837 - Fax: + 82-2-2173-2877
1838 - E-mail: summer@hufs.ac.kr / isshufs@gmail.com
1839 "Format. The above format is not listed in the blackmail, is it listed in the above text file in the above format?
1840 A: It's all copied from the Internet. (The suspect stated "I copied and pasted it.")
1841
1842Nam Sang-wook Q: Why was the fax number listed even though the fax number was not used in the crime?
1843 Answer: I do not know.
1844
1845Nam Sang-wook Q: Foreign language site You could access the summer school site http://summer.hufs.ac.kr and get the phone number, fax, e-mail and save it in the above s.txt file?
1846 Answer: Not.
1847
1848Nam Sang-wook Q: The suspect has an antipathy to the outsider who is usually his alma mater.
1849 Answer: No.
1850
1851Nam Sang-wook Q: Is the Twitter address https://twitter.com/ISIS_Med imported?
1852 Answer: It came from Google search on the internet. (The suspect stated that they "came together when copying and pasting." Same as the answer on page 585.)
1853
1854Nam Sang-wook Q: How did you search on Google?
1855 A: I do not remember the search term.
1856
1857Nam Sang-wook: Do you usually follow IS?
1858 A: I will not follow.
1859
1860Nam Sang-wook Q: Did you find IS-related pictures on the suspect computer?
1861 Answer: Yes, yes.
1862
1863Nam Sang-wook Q: And you synthesized the above IS-related pictures and edited the picture to be the same by marking the Hwarangdo and IS in Korea equally with '=' symbol?
1864 Answer: Yes, yes.
1865
1866Nam Sang-wook Q: Do you have an interest in IS?
1867 A: I just got to know the news, but I have no interest. (The suspect stated "I do not follow IS.")
1868
1869Nam Sang-wook Q: Is there any fact that the suspect visited the foreign site http://summer.hufs.ac.kr?
1870 Answer: No.
1871
1872 At this time, we show computer analysis program Encase analysis screen directly to the suspect. At this time, the attorney also looks at the above analysis program screen. (At this time, the investigator changed to cyber investigator Kim Kyung-hwan, wearing black-eyed spectacles at.
1873
1874Kim Kyung-hwan Q: Suspect Computer What is 'bureau' in French at the bottom of my document?
1875 Answer: This is a term for desktop.
1876
1877 The suspect was surrounded by police officers who had been excited for a long time and was subjected to a coercion investigation that he had seen during the military torture film during the military regime of the 1980s. The list of filenames listed shows one by one from the top and goes down one by one. "What is this?" When the suspect did not know, Kim Kyung-hwan cried out loudly, "Why do not you know?" 4 to 5 investigators came into the interrogation room and asked for a high intensity.
1878
1879 At this time, I stopped the investigation for dinner. (The police arrested Park Cheol-hyun, the suspect, and only two people for dinner for a long time.) The lawyer Park Cheol-hyeon repeated the word "confess" to the suspect while eating the two lunch boxes, In the conversation police intercepted, the suspect questioned the blood type of Park Cheol-hyun and answered that he was AB-type, and asked whether he married Park Cheol-hyun's wife because he was pregnant at the time, It was all the congratulations.)
1880
1881 At this time, five pieces of the text file s.txt link file (A0065358.lnk, A0065518.lnk, A0065541.lnk, A0065621.lnk) found on the suspect computer are shown to the suspect and attached at the end of this document.
1882
1883Nam Sang-wook: 7. 20. As described in the 4th meeting, the link file (lnk) is automatically generated when a certain file is executed in the Windows operating system, for example, when viewing the above text file. File and analyze the lnk file to see which file you have opened. The link file creation date and time is the date when the first file is executed, and if you repeatedly execute the same file, the accessed time of the link file changes. The above five link files are link files that are automatically generated by running the s.txt file on the suspect computer. Checking the creation date and the modified date and time (Accessed time)
1884 1) A0065358.lnk 2014. 9. 10. 16:59 (date and time of creation), 2015 7. 7. 14:57 (date and time of access)
1885 2) A0065518.lnk 2014. 9. 10. 16:59 (date and time of creation), July 7, 2015 (date and time of access)
1886 3) A0065541.lnk 2014. 9. 10. 16:59 (date and time of creation), July 7, 2015 (date and time of access)
1887 4) A0065621.lnk 2014. 9. 10. 16:59 (date and time of creation), July 7, 2015 (date and time of access)
1888 And the Obama intimidation article is posted on the White House on July 7, 2015, and the Lippert's intimidation article is on July 7, 2015, I read the s.txt file which is written in Hangul on the contents of the intimidation article and write the crime article in the White House on July 7, 2015, I read the file three times on July 7, 21:10, 21:19, and 22:31, and posted a blackmail message about Lippert on July 8, 02:26?
1889 A: I do not know.
1890
1891 At this time, the link file (A0065569.lnk, A0065481.lnk) found on the suspect computer is shown and attached at the end of the document.
1892
1893Nam Sang-wook Q: When I look at the above link file, A0065569.lnk is castration.png file created by browsing on June 7, 2015, and when I check the above picture file, A0065481.lnk is a file created by browsing hufs.png on July 7, 2015. If you check the above picture file, it is a picture of the screen where the foreign language group is searched by Google and the picture of Lim Su Kyung. Have you ever read the above two files in the above list?
1894 A: I do not remember the exact time, but I remember reading two photo files above.
1895
1896Nam Sang-wook Q: I read about the picture file (hufs.png) on July 7, 2015, and the link file A0065481.lnk was created. The suspect stated that the above picture had memories of reading, and about 50 minutes after s.txt. I have browsed the file and found the link file (A0065358.lnk). Do you remember reading the s.txt file on July 7, 14:57?
1897 A: I do not remember reading. (The suspect stated "I do not remember the exact time.")
1898
1899Nam Sang-wook Question: 7. 7. I have read the s.txt file containing the contents of Hangul at four times in total. Have you ever seen a file?
1900 A: I do not know that.
1901
1902Nam Sang-wook Q: When was the last time you read the s.txt file?
1903 A: I do not remember the last time.
1904
1905Nam Sang-wook Q: Why do you keep denying the crime of reading the text document s.txt, which contains the contents of the Korean text on the intimidation article, four times before the crime was committed?
1906 A: I do not remember whether I read it four times. (The suspect stated "I do not remember the exact number of times.")
1907
1908Nam Sang-wook: I read the blackmail in Korean 4 times before the crime, and the blackmail was posted in the White House since then.
1909 Answer: There is no plan. (The suspect stated "I have never posted a blackmail".)
1910
1911Nam Sang-wook Q: How is your heart?
1912 A: There is no rattling like in the fourth survey.
1913
1914Nam Sang-wook Q: Is the suspect harmed?
1915 Answer: It is unfair. I would like the police to investigate the matter.
1916
1917Nam Sang-wook Q: Lastly I'll ask. Do you really have access to the White House homepage?
1918 Answer: There is no connection.
1919
1920Nam Sang-wook: Do you have evidence or statements that are favorable to the suspect?
1921 Answer: No. (The suspect stated in the sense of "I can not submit favorable evidence or statements in the present state of detention.")
1922
1923Nam Sang-wook Q: Do you have anything more to say?
1924 Answer: On page 3, "Please ask the police officer to rub your shoulder" is your blood pressure. On page 28, the cruel photographs are downloaded habitually and I regret that I am curious. For the sake of misleading explanation, the child's naked photographs were downloaded from Nudists (naturalists), and the pictures of the baby's penis were cut off to make an essay criticizing the forced ceremony in Indonesia. It was. And I remember that the pictures with the knife in the child's boat are satirical images of the terrorist forces in the Islamic language, and the models in the photographs are pictures taken only by 18 years of age or older. Also, the pictures of blood in the female vagina were to criticize the girl 's forced circumcision tradition, and the picture of the bowel movement on the Taegukgi was to blame the blasphemy of the national flag. In addition, it was to expose the facts of illegal organs extraction and Kim Jung Eun regime. I wish you good judgment.
1925
1926Nam Sang-wook Q: Are all of these statements true? (Despite the fact that there was a lot of blank space in the A4 paper sheet to be printed, the investigator intentionally entered this question in this position to limit the space in which the suspects would state their handwriting. The defendant asked me, "Please give me more space to explain the true meaning of the pictures on page 563," but I was denied, and the suspect has enough of the meaning of the photo. In the written statement, more than half of the 592 pages with this question are blank.)
1927 Answer: Yes.
1928
1929 (After finishing the investigation, I asked Nam, "Do you remove the hard copy (or imaging) from the police later?" Nam Sang-wook smiled and laughed, saying, "Yes." Nam Sang-wook did not imagine that the contents of the notebook were useless from the beginning, and did not imagine the prosecution investigation, but also roughly ran the investigation and destroyed the evidence by turning on and off to check the contents of the notebook.)
1930
1931
1932
1933
1934 ++++++++++++++++++++ Prosecutor's Office investigation documents ++++++++++++++++++++
1935
19361st round
1937
1938 At this time,
1939
1940Jung Guk Q: Is the suspect punished?
1941 Answer: No.
1942
1943Jung Guk Q: Has the suspect described his / her educational background in the police?
1944 At this time, record 277 ~ 295 shows a police document prepared by the suspect.
1945 Answer: Yes. I have stated the truth.
1946
1947Jung Guk Q: What is the education and experience of the suspect? (The prosecuting attorney handed the police investigation report with the record of the accused and his experience, and made reference to the statement.)
1948 A: I graduated from Cheongyang Elementary School in 1994, graduated from Kyunghee Middle School, graduated from Kyungbok High School in Hyoja-dong, Seoul, Korea in 1999, and graduated from Hankuk University of Foreign Studies in 2009. My career has been part-time from around 2011 to around 2013, recording the foreign news from the gas station part-time and KBS stations and delivering it to the editing room. (The investigator has repeatedly questioned the accused on a number of occasions, focusing on his / her last job, position, and duties.) The same question is then sent to the suspect through detention guards and court judges. I studied. I wanted to major in psychoanalysis in France. After studying, I tried to do a private clinic. (The suspect responded to each statement with a short answer or one or two sentences. Unlike the police investigator, the prosecutor's office always included five to six questions and answers, He then read the dossier printed out and pointed out several times that there was a difference in meaning to the investigator, but every time the investigator dismissed it as not being different.)
1949
1950Jung Guk Q: How is your health?
1951 A: I have a slightly higher blood pressure. I was prescribed medicine only at the private hospital when I was in the jongro police station.
1952
1953Jung Guk Q: Go to the White House homepage of the US House of Representatives on July 7, 20:20, 2015, enter the representative e-mail address used by foreign exchange students attending Hankuk University of Foreign Studies, Do you have any of the following after posting the address of a foreign university? (The prosecution investigator has not been able to figure out the case yet, stuttering throughout the investigation and reading down the questions on the monitor.)
1954 'From: Mr. Dong, Seoul, Korea, Seoul, Korea, Seoul, Korea), Address: Kangwon National University, Korea, 130-791, Damascus', and the following text Message: Dear Mr. President Obama and Mrs. First lady Michelle.
1955 ===========================
1956 Hi.
1957 I'm HUFS student from Seoul, Korea.
1958 How's your president family?
1959 I'm sick of my life cause I always mastervating with tranny prons.
1960 One day, I realize that I'm not going to die like this.
1961 I want to be a famous Korean male in USA history.
1962 Therefore, I am going to anal rape your second daughter Natasha.
1963 Is that okay?
1964 I think that bitch's asshole is much tighter than Malia Ann.
1965 So I need parents permission before the nigger anus.
1966 Do not worry about me: I eat lots of Kimchi so free from AIDS.
1967 I eager to penetrate nigro asshole before I killed by Kim Jung-un.
1968 Thanks.
1969 Answer: I have not posted such an article.
1970
1971Jung Guk Moon: The suspect said, "I am President Obama and Mrs. Michelle. I always get tired of wearing sex dressers and doing masturbation. So one day, I thought I had to do this. I decided to become a famous Korean man in America today. So I'm going to rape your second daughter, Natasha, with an anal. Because it seemed to be a more polite way to ask. I think the anus of the second daughter is more resilient than the anus of Malia (first daughter). So I have to get my parents' permission before I feel black anal. Do not worry about it. I eat a lot of kimchi and are safe from AIDS. I hope to penetrate the anus of black before it is killed by Kim Jung Eun. Thank you. "
1972 Answer: No.
1973
1974Jung Guk Q: Is there any fact that the suspect wrote the above?
1975 Answer: No.
1976
1977Jung Guk: Did not the suspects intimidate President Obama and US First Lady Michelle by listing them as above?
1978 Answer: No.
1979
1980 [Intimidation to Foreign Envoys]
1981
1982Jung Guk Q: The suspect is on July 7, 2015, 02:26. Is it true that you have access to the homepage of the US White House and posted the following text?
1983 'From: Dr. Korea's Isis One ',' Email: summer@hufs.ac.kr ',' Phone: 82221732061 ',' Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea , 130-791, Damascus'
1984 Message: Declaration Terror to Mr. President Obama.
1985 A beautiful Evening is it?
1986 Right this is the warning message from the Terrorist Attack.
1987 Korea, we're g0ing to re-attack US ambassador Mark Lippert in Seoul.
1988 So last time, my a5sassinator's mind is too weak to cut the ambassador's artery perfectly.
1989 End this time, we have been prepared by a well-trained traditional Cuisine-Professor and kill Him by nuclear poisoning.
1990 Ok? We'll take care of all your political comrades, but surely one by one, until the US army eliminates Bio-Chemical weaons in Korean Peninsular Mother Land.
1991 UltimatuM; 3xects us, our VVIP Archenemy Obama!
1992 LIMFAO, See mark Soon in your After-Life ... ...
1993 : #: #: #: #: #
1994 : # HUFSRO 4ourth 4inger: #: #
1995 : #: #: #:: #: #: #
1996 : #: #: #: #: #
1997 Answer: I have not posted anything.
1998
1999Jung Guk Moon: Describing the suspect as a South Korean student, he said, "I would like to declare terrorism to President Obama. Is not it a beautiful night? This message is a warning of a terrorist attack. We want to attack the US ambassador, Mark Ripert. Last time my assassin 's mind was so fragile that I could not completely break the artery of the US ambassador. At the end of this time, we have prepared a very well trained pro, so we will kill the ambassador with nuclear poisoning. OK? We will slowly and surely kill one of your political comrades ... Until US troops remove chemical and biological weapons from Korea. We will soon meet our greatest Obama, Mark Ripert, in the world. "
2000 A: I have not posted anything.
2001
2002Jung Guk Q: Is there any fact that the suspect wrote the above?
2003 A: I have not written.
2004
2005Jung Guk: Did not the suspects intimidate the Ambassador, Ambassador Lippert, a diplomatic envoy?
2006 Answer: No.
2007
2008Jung Guk Q: Does the suspect save the above documents on the victim's computer?
2009 Answer: Yes. I copied and pasted it on my computer.
2010
2011Jung Guk Q: What is the date and time of copying and storing the suspect in the suspect's computer?
2012 A: I'm sorry, but I do not remember.
2013
2014Jung Guk Q: How about copying and storing it on the suspect's computer?
2015 Answer: I ran a link (I do not know where) through Google search (I do not know what I searched) and put it on my computer.
2016
2017Jung Guk Q: What computer is the suspect's computer?
2018 Answer: The laptop.
2019
2020Jung Guk Q: When did the suspect purchase the notebook?
2021 Answer: I left KBS station to record foreign news and send it to the editing room, then bought a notebook, so I bought it in the first half of 2013.
2022
2023Jung Guk Q: In fact, the suspect is stating that he is afraid of receiving heavy punishment, even if he puts the same contents as above.
2024 Answer: No.
2025
2026Jung Guk Q: Do you know that a suspect is punished by law if you intimidate others?
2027 Answer: Yes. I know.
2028
2029Jung Guk Q: Does the suspect have a relationship with US President Obama, US First Lady Michelle, US Ambassador Ripert?
2030 A: I have no relationship.
2031
2032Jung Guk Q: Does the suspect have an agreement with the victims?
2033 Answer: There is no agreement.
2034
2035Jung Guk Q: Did you tell the truth?
2036 Answer: Yes.
2037
2038Jung Guk Q: Do you have any more words or favorable evidence?
2039 Answer: None. (If there is no suspect, the investigator told me to write "no" by hand.)
2040
2041Jung Guk Q: Are there any items that are not listed or different from the facts as stated in the memorandum?
2042 Answer: (handwritten entry) None.
2043
2044Second round
2045
2046 At this time, the suspect responded 'I will be investigated under the participation of counsel.' After attending lawyer Park Cheol-hyun, the lawyer showed the suspect's mother's complaint to the suspect and said, Hand it over. (The suspect did not acknowledge the statement "I will be investigated under the lawyer's participation" or "I will not answer.") The investigator said in his own words, "The lawyer is not here." While reading the record after the investigation was completed, he read this record and asked the prosecutor to revise the record because he did not answer the question "I will or will not be investigated under the attorney's participation" "I refused.
2047
2048 The suspect reads the complaint (14:05 ~ 14:10) and then submits the complaint, saying "I will submit it to the prosecutor."
2049
2050 Towards the suspect,
2051Jung Guk Q: Has the suspect ever stated the truth before?
2052 Answer: Yes. I have stated the truth. It's what I said.
2053
2054Jung Guk Q: Why is the suspect arrested by the police in an emergency?
2055 Answer: ... I know that the arrest of me was an emergency and the police arrested him.
2056
2057Jung Guk Q: What does it mean to be urgent about the suspect?
2058 A: I think that because of my suspicion of terrorism and the destruction of evidence.
2059
2060Jung Guk Q: What do the charges of terrorism and evidence say?
2061 A: I was accused of terrorism against Ambassador Obama and Repert, and I understand that the police misinterpreted me as a computer expert, multilingual.
2062
2063Jung Guk Q: How many foreign languages does the suspect speak?
2064 A: English is above the upper middle level, and French is the lowest level among the 6 levels.
2065
2066Jung Guk, a police officer, seized the suspect's residence in a search warrant. During the execution of the warrant, the suspects used a laptop to capture US President Barack Obama's intent to rape his daughter. Capturing the contents of the original text Was not the picture file found and the suspect arrested in an emergency?
2067 Answer: Yes.
2068
2069Jung Guk Moon: The suspect is not involved in investigations until the police seizure of five hours of confiscation, including lying on the bed in his underwear, throwing things at police investigators, Is there a consistency in the very uncooperative and insincere attitude, such as the smile, the smile, the laughing, and the repeated trimming? (It is the subjective judgment of the act according to the difference of point of view of the suspect, and I did not actively refute it because the police insisted that the investigation room was recorded by CCTV, The video that was submitted by the police at the first trial had the amount of interrogation taken.
2070 Answer: ... There is. It was because the wine was a little worn at that time.
2071
2072Jung Guk Q: Is the Lenovo the one that was confiscated from the suspect by the police at the time?
2073 At this time, records 397 to 398 show the confiscated seizure and confiscation list.
2074 Answer: Yes. Yes.
2075
2076Jung Guk Q: I found MS Windows XP (language: France), time zone was set to 'Paris' in France, and shutdown time was July 13, 2015: 18 (GMT 0), the Republic of Korea is GMT + 9 time zone, and when it is +9 in the above time, it becomes the wonder of July 13, 20:47:18, and the time is the police seize the place of the suspect's residence It is time to check the crime data stored on the suspect computer.
2077 At this time, it shows the time when the notebook was last closed at the time of the confiscated seizure search on the 404th page of the record.
2078 A: I did not see my computer until I was confined to police when I was sleeping. At that time, the police told me that they had these files, but I did not see them.
2079
2080Jung Guk Moon: In analyzing the computer analysis program, in order to check the exact time (the time of the crime committed in Korea) that the file used in each crime was generated, the time band in the above analysis program was changed to Korean National Standard Time (GMT + 9) The analysis was conducted by changing to domestic time. As a result, the last access date of the usa.png file related to the crime was confirmed on July 13, 20:42, What is the date when the above file is opened?
2081 Answer: I initially trusted the evidence of the police case. However, when I suggested that I used the "Superhyde IP" program, which was proposed by the police, as an in-case, I had not used it since June 6, 2015, Lost.
2082
2083Jung Guk Moon: Therefore, even if you set the time of the victim's laptop to the Paris time zone, if you set the Encase program to domestic time, you can check the time that the suspect was committed in the Republic of Korea. When the date of access is confirmed by the seizure time zone, how is the time information confirmed by the above Encase program confirmed to be correct?
2084 Answer: I downloaded the pictures through the Google search engine, and it is possible because of the Google Cache feature. If you have the Google Cache feature, you might be misinterpreting the time, and I'm personally concerned.
2085
2086Jung Guk Moon: The suspect said in the police, "Is not it true that the evidence to trust the Encase program is the evidence that analyzed the time lag where the threatening bulletin was presented by the police as evidence?" The suspect said, . Yes, "he said.
2087 Answer: I initially trusted the evidence of the police case. However, when I suggested that I used the "Superhyde IP" program, which was proposed by the police, as an in-case, I had not used it since June 6, 2015, Lost.
2088
2089Jung Guk Q: Is the suspect allowed to use the confiscated notebook?
2090 Answer: No. I have a password on my laptop and I have not given it to someone else.
2091
2092Jung Guk Q: Has the accused ever used a confiscated notebook while traveling around?
2093 A: I left it in my house and I used it alone.
2094
2095Jung Guk Moon: The suspect has set a password for the laptop on the police, uses the suspect alone, and says, "I do not know the evidence that the police presented. I do not remember. "I denied the crime consistently. How about it?
2096 Answer: Police showed the name of the picture file in which the English and the numbers were written. (The suspect replied, "The police did not show the photo, but only list the photo files with English and numbers, and when asked if I remembered, I did not remember," the investigator replied.)
2097
2098Jung Guk Q: Is there a blog (http://helpkorea.blogspot.kr) operated by the suspect?
2099 Answer: Yes. It is a diary type blog which I made and operated.
2100
2101Jung Guk Q: What do you usually post on a blog run by a suspect?
2102 A: I have described the media in critical terms. (The suspect defines "media" as "political news of comprehensive channels.")
2103
2104Jung Guk Moon: "A woman's penis is photographed and posted on the Internet under the heading" How to make money from one's eyes on the internet (foreign currency acquisition) "on the blog (http://helpkorea.blogspot.kr) operated by the suspect. You can earn money. "Is it true that you posted the following statement?
2105 At this time, the record is displayed on the blog (http://helpkorea.blogspot.kr) operated by the defendant who is stolen on pages 174 to 195.
2106 Answer: Yes.
2107
2108Jung Guk Moon: After completing "(2)" shooting on the blog (http://helpkorea.blogspot.kr) operated by the suspect, that night, Ji Sung-woo calls me as a laundry hanger and can be beaten at the shooting range. And then shaken about 20 times and then assessed in the anus. But I have not been informed of this until January 22, 2005 ... (Omitted below) "" Is it true that you posted the following statement?
2109 Answer: The Ministry of National Defense responded to the contents of the Ministry of National Defense complaint.
2110
2111Jung Guk Moon: In the blog (http://helpkorea.blogspot.kr) operated by the suspect, "(3)" The foreign university changed the minor in chemistry unilaterally without prior notification in 2012, I have been suspected of forgery every time because of the inconsistency in the name of the graduation paper. So, I have been suffering from economic losses since I have failed to get jobs from companies that have supported more than 1,000 since 2012, and I have also been suspected of my academic background and personal credit in my workplace where I worked freelanc ... (Omitted below) "" Is it true that you posted the following statement?
2112 A: In my remembrance, it is the content of my complaint by the Ministry of Education. (In the statement of the suspect, "KBS Fact Confirmation" received by the suspect at the time of retirement is recorded as "part-time" rather than "freelancer." After the expulsion of the suspect, (02-2639-2341), Moon Tae-sung informed the suspect that he was a self-employed person.
2113
2114Jung Guk Moon: If you look at blogs operated by suspects, you can see all the information such as phone number, e-mail address, and address information as foreign-language affiliates. And if you see 'masturbation', 'anus',' I will be poisoned by the poisoning "and the fact that it has been confirmed to have a strong dissatisfaction with foreign language classes.
2115 A: I remember being told to me during a police investigation, and I have not. (When the suspects repeatedly asked the question they had received during the police investigation, the suspect began to make a statement saying, "As I told you during the police investigation," the lawyer Park Chul-hyeon attended to answer the suspect's question " "Park Cheol-hyun, who was a new lawyer at the time of the prosecution's investigation, tried to build up a network with lawyers through his prosecutors for his success. He identified the prosecutors with the lawyer himself, did.)
2116
2117Jung Guk Moon: The suspect is a police officer, on his laptop, 'isis.png (intimidation against Obama)' original file captures file 'usa.png (threat to reporter)' on July 7, "The original document capture file was created on July 8, 2015 at 02:27, and the time of the obsession with Obama was posted on the US White House website on July 7, 2015, The operating system of the notebook is set to the French time zone on the reason that the intruding article is read on the Internet and stored in the computer of the suspect in about one minute of 2015. 7. 8. 02:26 And 4Chan.org site is a US site, claiming that there was an error in time, and stated that it would be impossible to do this in just one minute.
2118 Answer: That's what I said.
2119
2120Jung Guk Moon: After completing the reporter's intimidation on the White House website, the police officer captured the thank-you related webpage about 1 minute after the capture, through the Google Chrome browser, and ran the captured image again After 3 minutes, the original text of the intimidation was changed to file name usa.png, and after 1 minute, it was posted on 4chan.org site, and after about 9 minutes, I read the file generated by capturing and stated that the link file was created on the suspect computer and that the suspect did not understand it because he was not doing the act.
2121 Answer: That's right, but I do not have it.
2122
2123Jung Guk Moon: The suspects are at the police, and the time of the reporter threats posted on the 4Chan.org website is on July 8, 2015, 8. I am not sure about the reason why the time stored on the suspect computer may be faster than the time posted on 4Chan.org at about 02:27, the suspect is not sure, there is a problem with his computer, How is it?
2124 Answer: That's what I said. I remember Google Cache as well.
2125
2126Jung Guk Moon: The suspect stated that he had a computer problem, some malicious code, a possibility of hacking, Google cache. What do you mean by this statement?
2127 A: I am not a computer expert. (The investigator asked me what the symptoms were.) When I turn on the computer, the strange warning window appears squarely normal size. I'm not a computer expert, so let me investigate that, and Google Cache will ask Google Server to cooperate with the investigation.
2128
2129Jung Guk Q: What is the size and content of the alert window? (Actually, the investigator asked, "How many centimeters?", and the suspect stated, "I have never read it and I do not know.")
2130 Answer: The warning window is square in size, but I do not know the exact size and the contents of the warning window are not remembered. (The accused never remembered whether the contents of the warning window were written in English or French, and never interpreted it.)
2131
2132Jung Guk Moon: On the computer of the suspect, 1.JPG, 14.jpg, 10.jpg, 8.jpg, 4.jpg, 2.jpg, 1.jg, 18.jg, 5oe254mvhpke.jpg Is it proper to view the file?
2133 At this time, records 323 ~ 331 and 516 ~ 529 show the contents of the photo related to the reporter found on the computer of the suspect.
2134 A: I have not seen anything on July 7, 2015 because I have nothing to see. (Because the suspect studied or slept on July 7, 2015).
2135
2136Jung Guk Q: Why is the suspect storing the files 1.jpg, 14.jpg, 10.jpg, 8.jpg, 4.jpg, 2.jpg, 1.jg, 18.jg, and 5oe254mvhpke.jpg on the computer? (The prosecutor showed him the picture files on the monitor he was writing.)
2137 A: This is a collection of articles written to strongly criticize terrorism against the US Ambassador.
2138
2139Jung Guk Q: Has the suspect written a criticism of the usual acts of terrorism?
2140 A: I do not remember the exact time, but there is something on my blog that says it can threaten the alliance.
2141
2142Jung Guk Moon: The suspect reads the reputation related information as above, and the time of the reporter threat photograph is stored on the suspect's computer on July 8, 2015, and the reporter threats Since the time of the posting was around July 8, 2015, the suspect wrote and saved the above article and posted the reporter threatening article on 4Chan.org website?
2143 At this time, record 260 and 251 ~ 256 of the suspect computer file output is shown.
2144 Answer: No.
2145
2146Jung Guk Q: The suspect was on the police at the laptop. The contents of the text (s.txt) file created on April 10, 2014. The text of the file (s.txt) generated by the suspect was the email 'isshufs@gmail.com' , In Korean, 'I will kill Ambassador Ripper by penetrating the US Embassy', 'Obama will kidnap my little daughter to rape my anus', and the Twitter address 'http://twitter.com/' I do not know why the suspect was found about why it was found.
2147 At this time, the record of the defected notebook file is shown on the pages 332 to 335 of the record.
2148 A: I remember that I stated that I copied and pasted through Google Search.
2149
2150Jung Guk Moon: The file related to the crime that was found on the suspect's notebook is listed in chronological order. "(1) The s.txt file is first created on April 9, 2014, and the last access date is '15. On the 12th of July, the above file contains the phrase "Penetration of the US Embassy to Ambassador Ripper, I will surely kill Obama's little daughter to rape my anus" in Korean. Especially, the email used for the crime 'isshufs @ gmail.com, summer@hufs.ac.kr, and the name of the author 'Lifee Iss Crazzyy', the address of the foreign language, etc. "is listed in the form of the suspect, It appears to be in a free format on the file, how is it?
2151 Answer: No.
2152
2153Jung Guk Moon: In addition, the suspect discovered that the above text document was scanned four times before the crime, and the link file (the file created automatically when the file was executed on the Windows operating system and the extension is lnk) was generated. ?
2154 Answer: I am not a computer expert, so please do a thorough investigation.
2155
2156Jung Guk Moon: In the suspect's notebook, files related to the crime are listed in chronological order by "(2) capturing files (isis.png, usa.png, etc.) directly related to the threats, I caught the screen while writing a message that intimidates the ambassador, and I found that the file name isis.png, usa.png is being saved as "is being saved.
2157 Answer: I downloaded the photo from the Internet and saved it.
2158
2159Jung Guk Q: Where did you download and store the suspects?
2160 Answer: It was downloaded through Google Image Search.
2161
2162Jung Guk Moon: July 7, 2015 The obscene article about President Obama was published in the White House, and the trail of reading the s.txt file in Korean (Isis.png) about 20:21 after 1 minute of crime time (around 20:20) is confirmed on the computer of suspect computer, and also, at 20:21 and 21:19, What happened to the traces of the file being viewed twice?
2163 Answer: I have just browsed the computer and copied it to a text file, and I do not know whether it was read or not.
2164
2165Jung Guk Moon: After the intimidation of President Obama, the same day, 21:38 on the same day, Ambassador Repert reports about the terrorist incident in 18 times, The file created on the suspect computer appears to be very closely related to the crime because it is re-visited about four months later, on May 7, 2015, at 21:38. (Previous surveys found that 15 traces were found.)
2166 A: I have not seen any of the above photographs on July 7,
2167
2168Jung Guk Moon: After the suspects re-read the s.txt file containing the text of the crime, the threat to Ambassador Ripper was posted on the White House website on July 7, 2015, What about the 'usa.png' file created on the White House website at 02:27 on the suspect computer? It seems that the suspect posted a post on the White House homepage.
2169 A: I have not posted.
2170
2171Jung Guk Moon: After continuing to capture the screens of the suspects' computer at the White House using the Google Chrome browser, the archived details were found, How is it?
2172 At this time, the record of the suspect computer file is shown on page 260 of the record.
2173 Answer: I did not capture it, but I downloaded it from Google.
2174
2175Jung Guk Moon: The suspects (3) The intruding article In addition to this, I visited the US White House website twice on May 24, 2015. I captured the screen while I was writing about black beauties using the Google Chrome browser, I have captured the screens that were shown at the completion of the process, and I caught the screenshot of the White House at the White House on June 25, 2015.
2176 At this time, we show the additional declaration data which is stitched on the record page 198 ~ 204.
2177 A: I did not write it, nor did I post it. It was downloaded through Google Search.
2178
2179Jung Guk Moon: The suspects (4) were found to have been photographed as monkeys by President Obama and Mrs. Michel, on June 25, 2015 before the commission of the crime. What happened after the crime was confirmed around 00:35?
2180 At this time the record shows the printout of the stolen suspect notebook file on page 596.
2181 Answer: This photo was downloaded through Internet Google Search, and I have not seen it more than once.
2182
2183Jung Guk Moon: The suspect is (5) In the photo related to the anus and the girl child nude, the suspect wrote the article to intimidate the second daughter 's anus in the Obama presidential intimidation article. Obama' s second daughter is 14 years old, There was a large number of photos of an anus on the laptop used by the suspect. The last visit was on July 13, 20:46. Especially, the word 'anal' was used 5 times in the blackmail, 6. 6. I have read about it, 7. 8. I have also stored it on my computer,
2184 At this time, the record of the defected notebook file is shown on pages 609 to 664 of the record.
2185 A: This photo is an illegal long-term trafficking, or an additional collection of materials to write about the North Korean regime. (The suspect downloaded the picture files and did not watch it more than 2 times.) In the Windows operating system, when the picture file was moved without moving the picture file, I tried to submit a proof of the screen shot by a smartphone, but Yongmin Kim refused to accept the video without seeing it.
2186
2187Jung Guk Moon: The suspect stated in the police that the photos of Reuters Terror taken on the suspect's computer just before the crime were all read by the suspect.
2188 A: I downloaded and saved the photo, but I do not watch it more than once.
2189
2190Jung Guk Moon: The police suspect that the police are underestimating women and that it is better to have sex rather than socializing with women, and that "I always have sex with a bastard and masturbate "(The suspect was a statement that faithfully replied in a general manner within the bounds of the common sense known to the suspect.) What is it like to make a clear statement of what the costume is? (In this way, the investigator asked a mixed question asking a mixture of questions to make sure the suspects were neither positive nor negative.)
2191 Answer: According to what I know, I have faithfully stated that the statement is correct.
2192
2193Jung Guk Q: The suspect police stated that they knew clearly the name of Obama's second daughter, Natasha, who was used in the blackmail.
2194 A: After I saw the intimidation that the police showed me, I found out.
2195
2196Jung Guk Moon: The suspect described the police officer as saying, "I am likely to be a famous person" at the police investigation, and the statement "I decided to become a famous Korean man in America today." Why is that?
2197 Answer: Famous things are not meant to be misleading. The latter famous Korean man meant to be a famous politician. (The "famous person" that the suspect referred to was "a famous politician," but the future hope of the suspect was not a politician.)
2198
2199Jung Guk Moon: (6) Regarding the photographs related to IS terrorists, the accused stated that the name of the author was' Dr. Korea Isis One 'and impersonated IS. The trail of the IS terrorist was discovered four times on July 17, 2015, before the crime was committed. It is stored for the first time, and it is also viewed on the 7th and 3rd, so the file stored in the computer of the suspect is not only saved, but also confirms the sucking after reading.
2200 Answer: I can not be certain how many times I have read the IS estimate picture.
2201
2202Jung Guk Moon: The suspect stated that the police said they had a determined will to the IS terrorist and kept a photo of the IS terrorist on the computer.
2203 Answer: Yes. Yes. (The suspect described what he felt in the photo.)
2204
2205Jung Guk Moon: The suspect is posted on the homepage of the National People's Daily, "I am going to return home with a nylon string on a railing, and I am going to return home." And why are you storing hundreds of pictures of women's bodies and keeping them?
2206 A: The Cheongwadae homepage and Kookmin Shinmunji homepage are for the purpose of one-person demonstration for the payment of Civil Defense transportation expenses. I did not look at the pictures more than once while I habitually stored the photographs in the process of collecting materials for writing.
2207
2208Jung Guk Moon: (7) In relation to the pictures related to North Korean Kim Jong Eun, the suspect wrote in the Obama presidential intimidation article that "I hope to penetrate the anus of black people before I was killed by Kim Jong Eun" The photographs of North Korean artifacts were saved on July 6, 2015, June 25, 2015, and pictures of Kim Jong Eun were stored on the computer. How about 00:09?
2209 A: I have never written such an article. I did not follow the North Korean Kim Jong Il system, but rather habitually stored it in the process of collecting materials for my writing.
2210
2211Jung Guk Moon: (8) In connection with IP change programs, 'SuperHideIP (version 3.3.8.8)' program has been found, which allows users to easily change their IP address on the suspect use notebook. Why did the suspect install the program?
2212 A: In my memory, I saw the news of IP related events at that time, and I changed the IP to Google and installed it. I tried to run it only once and then I did not run it.
2213
2214Jung Guk Q: Is not there a program that can change the IP for use in the offense of the suspect?
2215 Answer: No.
2216
2217Jung Guk Moon: The IPs 124.197.152.48 and 124.197.152.74 used by the suspect in the alleged crime were identified as the IPs assigned to the O-apartment No. 1 apartment at 45, Lee Moon-dong, Dongdaemun-gu, Seoul. As a result of checking the resident card of the subscribers of the broadcasting station, the contents described as 'Hankuk University of Foreign Studies' were confirmed in the school name of the suspect in O residence. (In Korea, the full street address will be enforced from 2014. If you inquire about the IP address of Tibur Road, you will be informed by the street name address starting from the agar route. It is estimated that I have confirmed the personal details of the application form I submitted to KBS before the road name address was put into effect in 2014. The address of the road name of the residence I will appear in the judgment.
2218 At this time, show the tenant card stitched on the side (blank space).
2219 A: I will not be able to confirm the answer, and the tenant card is correct.
2220
2221Jung Guk Moon: The suspects are from Hankook University of Foreign Studies (Hankook University of Foreign Studies) using IPH from the IPA at the US White House in IP on July 7, 20:20, @ gmail.com, etc., and did not intimidate by posting the message that "I am going to rape the second daughter of US President Obama with anal sex."
2222 Answer: No.
2223
2224Jung Guk Moon: The suspect is a member of the Hankook University of Foreign Studies (Hankook University of Foreign Studies) in the summer @ hufs [hufs] I am going to assassinate the US ambassador reporter and post the message of intention to threaten foreign nation.
2225 A: There is no such thing.
2226
2227Jung Guk Moon: A suspect is poisoned by US Ambassador Ripert. A specific phrase mark "4ourth 4inger" (a sign left after a suspect has committed a crime) You may leave a message that only you can tell to know your skills.) How about you?
2228 A: I do not know anything about that phrase.
2229
2230Jung Guk Moon: When I checked the site (http://archive.4plebs.org), which was searched with the keyword '4ourth 4inger' on internet search site 'bing' (Microsoft search site) (US Ambassador Rupert Threat), which was created by accessing the White House website of the United States, and the above text file is a picture file that captures the screen of the suspect who is making a statement on the White House homepage. ?
2231 At this time, it shows the [text capturing image file on the left side, text text on the right side]
2232 A: I have never posted anything.
2233
2234Jung Guk Q: Is the screen you are creating in the homepage input window of the original file captured by the suspect?
2235 At this time, the record [page file 135 captured in the picture file] Show screen being created in homepage input window].
2236 A: (At this time, the suspect thinks for a long time and tilts his head.) (The investigator described the behavior with malicious intent.)
2237
2238Jung Guk Q: The US Ambassador to the suspect and the US President Barack Obama are threatening him.
2239 At this time, you will see the [obama intimidating text capturing picture file and text phrase] stitched on page 136 of the record.
2240 Answer: This is not my post.
2241
2242Jung Guk Q: Is the screen you are creating in the homepage input window of the original file captured by the suspect?
2243 At this time, it shows [the text file captured by the picture file - screen being created in the home page input window] stitched on the 136th page of the record.
2244 Answer: I do not know.
2245
2246Jung Guk Moon: The suspect is July 7, 2015. "Fraud is over. Take care of Lim Su Kyung. Http://boards.4chan.org/pol/thread/47625963 "which was posted on the website of Mr. Soo-Soo University." As a result of IP query with 124.197.152.111, Tibrodeid The IP address assigned to Dongdaemun Broadcasting is the same bandwidth as the IP used by the suspect and the same Internet subscriber.
2247 At this time, I will show you the reason why I checked the page on page 140 of the record.
2248 A: I have not posted anything.
2249
2250Jung Guk Q: The above email is isshufs@naver.com; is it the same ID as isshufs@gmail.com, which the suspect used to write the White House intimidation?
2251 Answer: ... This is not something I can tell.
2252
2253Jung Guk Moon: I searched on Google (http://google.com) and Bing (http://bing.com) using the phrase "4ourth 4inger", which was used by the suspect. org site, http://archive.4plebs.org, posted a caption on the US White House site on July 7, 2015, : It was confirmed that it was published in the 31st year.
2254 Answer: I have not posted anything.
2255
2256Jung Guk Moon: In addition, it is confirmed that the article posted on http://archive.4plebs.org using the Korean IP using the article that slanders Hankuk University of Foreign Studies.
2257 Answer: I have not posted anything.
2258
2259Jung Guk Moon: The suspect is dissatisfied with the outsider by failing to work due to the suspicion of academic ability by changing the minor in the foreign language department of his alma mater, the police, without a prior notice, and the above information is also posted on the suspect's blog.
2260 Answer: I first consulted the Ministry of Foreign Affairs about the changes I made at the foreign language school. (The suspect responded to the Ministry of Education complaints and sent the evidence documents to Yongmin Kim after the bail was released.) There is. I am not trying to hate the outside world.
2261
2262Jung Guk Moon: The police officer acknowledged that he had read the picture file (castration.png, hufs.png) that he viewed on his computer before the crime, S.TXT file "denies the fact that the suspect has been denied the fact that the suspect has denied all the crimes related to the crime.
2263 Answer: No. Rather, I think that picture files and text files should be replaced. The reason for this is that I have read more of the text file because I have stored various contents in the text file. (The suspect has limitations in remembering a lot of computer usage history.)
2264
2265Jung Guk Moon: The suspect stated that the police use the Google Chrome browser when accessing the Internet, and many of the files on the victim's laptop that captured the White House homepage using the Google Chrome browser were found.
2266 A: It's not a capture, it's a download.
2267
2268Jung Guk Q: A capture file (screencapture-www-whitehouse-gov-contact-submit-auestions-and-comments-1432397652564.png) found on the suspect computer is a file captured using a Google Chrome browser; 'www-whitehouse-gov-contact-submit-auestions-and-comments' consists of the URL address of the captured website, and the last 13 digits, '1432397652564', are the time information used by the Unix operating system and can be converted to UTC+9 using a time conversion program (DCode) to check the captured time.
2269 Answer: I searched on Google and received the download as it is.
2270
2271Jung Guk: The suspect asserts that the capture file (a file that captures the content of the white house and the screen captured at the time of completion) downloaded from the Internet, such as the date and time the capture file was stored on the computer, , The 13-digit Unix time information in the captured file name, such as the date and time of capture of the web site screen, can be converted to the national standard time, so that the date and time of the capture can be confirmed. It is confirmed that it is written, is not it that the suspect wrote it directly and captured it?
2272 Figure 1 shows the date and time the capture file was saved on the computer, and the date and time when the web page was captured, respectively.
2273 Answer: No.
2274
2275Jung Guk Q: If the suspect downloads the above capture file from the Internet, the captured date and time can not be the same as the captured date on the computer, and the storage date and time must be later than the capture time.
2276 Answer: I think there are various possibilities for that. The possibilities are Google Cache, which I think goes beyond what I can explain.
2277
2278Jung Guk Moon: 1) The s.txt file is created on 1) 2014. 9. 10. 16:59 and the above s.txt file will be uploaded to the suspect's notebook (1) "I will kill Ripper Ambassador, Obama will kidnap my little daughter to rape my anus", and (2) I posted it on the intimidating article. Is 'isshufs@gmail.com, summer@hufs.ac.kr' showing the account? (I repeat the same question as the third investigator.)
2279 Answer: It's a copy that I copied through Google Search, not one I wrote.
2280
2281Jung Guk Moon: The suspect is 2) After the attack on "Obama's second daughter will be raped by anal sex, etc." on July 7, 20:20, posted on the White House homepage, 3) 20:21 It seems that the suspect had committed a crime by assuming that the capture file (isis.png) is stored on the victim's notebook and that only the victim has set a password on the laptop.
2282 A: I did not write that, and I can only use a laptop.
2283
2284Jung Guk: Did the suspect monitor the White House threats?
2285 Answer: I do not.
2286
2287Jung Guk Q: How can a suspect know the above information and capture it in less than a minute even though he has not been monitoring the White House threats?
2288 Answer: As mentioned above, it is downloaded from Google's cache or portal site.
2289
2290Jung Guk Moon: The suspects 4) July 7, 2015. The article is posted on the back-up site of 4chan site, 4chan site is the foreign site to post anonymously. http://archive.4plebs.org is a site that is automatically saved as a backup file format when you post a post to 4chan.
2291 Answer: Yes. (The suspect thinks for a moment and turns his head back and forth). (The suspect thought briefly to remember what the police cyber investigator had explained, and the investigator described it as a depiction of aggressive behavior.)
2292
2293Jung Guk Moon: The suspects are 5) On May 7, 2015, the files of Reuters Ambassador and Kim Ki-jong, who tried to kill him, were searched intensively. 6) 02:26 Do not you think it was a crime that you posted on the White House homepage saying, 'I will assassinate US Ambassador Ripper again'?
2294 Answer: No.
2295
2296Jung Guk Moon: The suspect is 7) May 7, 2015. (1) The capturing file (usa.png), (2) The picture file indicating the completion of the writing on the US White House homepage It is obvious that the suspect had committed a crime because it was stored in a notebook and the suspect stated that he had set a password on the above notebook and said he only used it.
2297 A: I did not write that, and I can only use a laptop.
2298
2299Jung Guk Q: The suspect is posted on 4chan site and its back-up site, and 4chan site is an anonymous foreign site. http://archive.4plebs.org is a site that is automatically saved as a backup file format when you post to 4chan.
2300 Answer: Yes. It is correct to be saved as a backup file. (It is true that the accused got to know the police explanation).
2301
2302Jung Guk Moon: The suspect wrote that he did not write the article himself, he saw the article posted on 4chan site, and then retrieved it by searching Google. In order to make the excuse of the suspect correct, However, since digital analysis of the time of generation of related files shows that the time of file creation is 4chan posting after storing the suspect notebook, why do you think the suspect's claim is unfounded?
2303 A: Because I am not doing digital analysis, I can not give a definite answer about it. (The suspect did not do a Google search after seeing 4chan's article.)
2304
2305Jung Guk Moon: Go to the White House homepage of the US White House on July 7, 2015, enter the representative e-mail address used by foreign exchange students attending Hankuk University of Foreign Studies and the university phone number of foreign universities, I have said that someone who posted a post at a university address did a Google search and downloaded it. Is there any evidence or method to prove it?
2306 Answer: Not currently.
2307
2308Jung Guk Moon: I do not admit that the suspect has committed any crime, but I have two crime capture files found on a notebook that can only be used by a suspect, by setting a password, the time the file is stored is immediately after the crime, A text file that is captured in Hangul, a text document in which the threatening text is kept, traces of reading text documents 4 times before the crime, traces of repetitive terrorist attacks before the crime, dozens of pictures of the terrorist attacks, pictures of IS terrorists Observations on Obama's images, Observations on Observers, Observations on Anus and Children's Nudes, Hundreds of bizarre bodies, Pictures of Kim Jung-eun, and precisely matching crimes by time How does the suspect appear to have committed the crime?
2309 At this time, records 761 to 763 show the stolen suspect computer usage chart.
2310 A: It's different from the truth, the capture is downloaded, the photos of North Korea artificial airplanes, the photos of Ambassador Repertor, and photos of IS terrorists are misleading. (In the police investigation, the suspect described the actual meaning of the photograph by hand, from the bottom of page 591 to the page 592. The suspect viewed the photograph one or two times (accessed) And estimates that the movement of the picture file for the picture was counted as a reading.)
2311
2312Jung Guk Q: Has the suspect ever made the statement?
2313 Answer: Yes. I have stated the truth. It's what I said.
2314
2315Jung Guk Q: Are there any proofs or other things that are favorable to the suspect?
2316 A: I'm willing to take a lie detector test. Thank you. I received a request from the police investigation stage. (At the time of the police investigation, the suspect and Park Cheol-hyeon lawyer, only two people remain in the investigation room, Park Chul-hyun told the suspect, "You can get a lie detector test." After the investigation began, The suspect was asked to check the police's lie detector, and when the suspect made the handwritten statement at the prosecution's investigation, he used the expression "requested" "I refused," the suspect said, "I received a request from the police, but I will not fix it because I am not asking.") Finally, I think my blog post is wrong. (At the conclusion of all the blog posts of the suspect, the paragraph begins with "I hope my thoughts are wrong anyway ..." which emphasizes a neutral position on the topic.)
2317
2318Jung Guk Q: Are there any items that are not listed or different from the facts as stated in the memorandum?
2319 Answer: No. (The prosecutor investigated slowly when he started the investigation, but when the suspect became tired at the end, he launched a question.)
2320
2321Three times
2322
2323 In the middle of the summer, the suspect was seated in a chair by a prosecutor, and after seeing his lawyer Park, he asked him to "float the water." Park Chul-hyun refused, "I want you to eat it," and the suspect obtained the permission of the prosecutor's office and drank water. Park Cheol-hyeon came to the police station with a Mercedes Benz car and asked him more importantly about the location of the parking lot at the first meeting with the investigators. Park Cheol-hyun, who asked me to hand him over to the suspect's parents because he would not receive a bargaining fee of 3 million won, came in well, but in front of the suspect under investigation,
2324
2325 The prosecutor's office was changed to a regular inspection.
2326
2327Jung Moon-sik Moon: (A regular checkup shows the analysis result and the isis.png picture file printed on A4 paper and tells the suspect, "I am sorry that the picture is small." And to exert pressure on the suspect, I gave up the two files.) [Present the above isis.png file and analysis result (isis.png_REPORT.txt) from the suspect's notebook.] The above file came out of the suspect notebook. Have you ever seen it?
2328 Answer: I saved this file on my notebook. I searched this file on the internet, downloaded it and saved it on my laptop. I did a Google search. The source of this file from Google search results was not verified. At the time, I do not remember what I put my search terms into while doing a Google search. At that time, I do not remember what kind of search I was doing specifically. The file contains the phrase "I am going to anal rape your second daughter Natasha." However, I think you'll need to know how I searched for the file with that content. (The official testimony showed the intimidation to the suspect, and then recorded in the record, 'I am going to anal rape your second daughter Natasha.'
2329
2330Jung Moon-sik Q: When did you download the above file?
2331 Answer: It seems to have been downloaded from the middle of June 2015 until the day of my confiscation (May 13, 2015).
2332
2333Jung Moon-sik Statement: As a result of the above file analysis, the above file was created on July 7, 20:21. Is the suspect downloaded on the date above?
2334 Answer: (At this time, the suspect nods his head.) Yes, I had downloaded one time and remembered that it was downloaded in July, so I downloaded it on July 7, 20:21, (The suspect stated that he was studying French at 50:50 on the 7-8th day, or taking a sleep, but he recorded what the attorney understood.)
2335
2336Jung Moon-sik Moon: (A regular checkup shows the analysis results and the usa.png picture file printed on A4 paper and tells the suspect, "I am sorry that the picture is small." And to exert pressure on the suspect, (The file was found on the suspect's notebook.) The above file was presented on the suspect's notebook. Have you ever seen it?
2337 Answer: Yes, I have seen this file. I downloaded it through internet search and saved it on my laptop. I searched on Google. I do not remember which search terms I entered into Google, and I can not remember which sites I downloaded from Google search results. I do not remember the exact date and time when I searched for this file. I did not remember why I searched this file, and I searched for no reason. I do not remember entering the White House as my search term. I seem to have downloaded and saved this file at once with a file (isis.png file) containing the phrase 'I am going to anal rape your second daughter Natasha.'
2338
2339Jung Moon-sik Statement: As a result of the above file analysis, the above file was created on July 8, 2015 at 02:27. Is the suspect downloaded on the date above?
2340 A: I remember downloading this file (usa.png file) in July 2015. However, I do not remember exactly whether I downloaded it on July 8, 2015.
2341
2342Jung Moon-sik Moon: (The official test shows the file attribute picture file and the picture file of this file to the suspect who printed it on the A4 paper screencapture-www-whitehouse-gov-thank-you-1436290042624.png " I had to copy this file to the computer on my computer, so the location of the file attribute would say "check", and I put on a stapler with an exaggerated gesture to pressurize the suspect. ) [The above screencapture-www-whitehouse-gov-thank-you-1436290042624.png file from the suspect's notebook and presenting the file property output] The above file came from the suspect's notebook. Have you ever seen it?
2343 Answer: I searched this file on the Internet, downloaded it and saved it on my laptop. I did a Google search. The source of this file, which comes from Google search results, is hard to remember. It's hard to remember what you put your search terms into while doing a Google search. I did not search for a specific purpose.
2344
2345Jung Moon-sik Q: When did you download the above file?
2346 A: I can not remember the exact date. It seems to have been downloaded from the middle of June, 2015 to the beginning of July, 2015.
2347
2348Jung Moon-sik Statement: As a result of the above file analysis, the above file appears to have been generated on July 8, 2015. Is the suspect downloaded on the date above?
2349 A: I do not remember the exact date, but it is between mid-June and mid-July 2015.
2350
2351Jung Moon-sik Moon: (Record 674 pages photo file) Above castration.png What is photo file?
2352 Answer: The above castration.png file is a picture file I downloaded. I remember that I was downloaded from mid-June to 2015. 7. Cops. Castration means 'castration'. The above file is a scene of a movie. I can not remember being a movie with a lot of content. I guess I did not put the word "castration" into my query. Because it's about Google search results, I'm beyond the scope of what I'm describing.
2353
2354Jung Moon-sik Moon: (Record 675, 677, Representative Lim Seong-Kyung) What are the photo files?
2355 Answer: I searched for photos of Mr. Soo - kyung who showed me to use as a resource for criticism. I received a Google search and download. It is to criticize the main North Korean government. I store criticisms in my diary-style personal blog. I can not remember the exact date when I downloaded these files. In the material shown, the date and time of creation of these files is July 7, 2015. I think that the reason why the file creation date and time is analyzed as above dates is beyond the range that I can answer. I posted an article about Lim Soo Kyung in my blog (antihufs.blogspot.kr) on July 7, 2015, and the above pictures are included in the article. That blog is still open. (It was impossible to remember all three or four thousand articles written by suspects.) At first, the suspect did not know what was on this blog. When the suspect said, "It was between the middle of June and the beginning of July," the lawyer Park Chul-hyeon said, "Why do you lie to the suspect? ? "), And showed the date of the suspect's blog on his cell phone. The suspect responded that he saw his cell phone and posted it on July 7, 2015.)
2356
2357Jung Moon-sik: Does the suspect use a router when using a laptop?
2358 Answer: I have never written a program to change Internet IP, but I use a router. I purchased an internet router for 12,000 won ten years ago. Again, I can not remember exactly when I bought it. I have a router in my house, and I have 3 computers (my laptop, my desktop, my dad, and my computer are using that router). I use the router every time I use the internet. I have not changed my Router setting since I have never used it, but I have not changed my Router setting any more. When I use my Router, I enter ID (ADMIN) and Password (494) in the Router. I have not touched the case of the suspect.
2359
2360Jung Moon-sik Moon: Is there anything the suspect wants in the prosecution investigation process?
2361 A: Now that I have sealed my laptop, I did not break it. It is difficult to tell which part I should investigate because I am not an expert. (The prosecution extended the detention period of the suspects by 10 days in the name of investigating notebook hacks.)
2362
2363Jung Moon-sik Moon: Do you have any more to say?
2364 Answer: No.
2365
2366Jung Moon-sik Q: Are there any items that are not listed or different from the facts as stated in the memorandum?
2367 Answer: (handwritten entry) None.
2368
2369Four times
2370
2371 At this time, the defendant is attending lawyer Park Cheol-hyeon attorney, saying that he will be investigated under the participation of counsel. Toward the suspect, (The official examination did not participate in the interrogation of the suspect, but did not record it in the prosecution dossier.)
2372Jung Guk Q: Has the suspect ever stated the truth before?
2373 Answer: Yes. I have stated the truth. It's what I said.
2374
2375Jung Guk Moon: The suspect described last time that he used the mobile phone of the suspect's mojo OO. Does he remember the cell phone number used by the suspect?
2376 Answer: I used a number other than 5787 from my mother's cell phone number.
2377
2378Jung Guk Moon: The suspect is Mo-Kim OO's cell phone number is 010-2359-8775, 010-3687-5787. If the suspect has not used 010-3687-5787, the remaining 010-2359-8775 is used Is that right?
2379 Answer: It's true that I used my mother's cell phone, but I can not remember the cell phone number I used.
2380
2381Jung Guk Moon: How long did the suspect use the cell phone (010-2359-8775) of Mo Kim OO?
2382 Answer: We used until recently.
2383
2384Jung Guk Q: How long has the suspect used the mobile phone (010-2359-8775)?
2385 Answer: I can not remember the exact date.
2386
2387Jung Guk Moon: The suspect has not used the phone since April 4, 2015, as shown below on 010-2359-8775.
2388 Business name / Order number / Usage type / Origination number / Called number / Call start time / Usage time (seconds) / Outgoing base station address
2389 LGU + / 29 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:25 / 0: 1: 17/641 Shinna-
2390 LGU + / 30 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:44 / 0: 0: 32/641 Shinna-
2391 LGU + / 31 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:47 / 0:01:37 / 641 Shinnap-dong,
2392 LGU + / 32 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:57 / 0: 0: 29/641 Shinna-
2393 LGU + / 33 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 16:03 / 0: 0: 34 / 331-1, Seokgung-dong, Seongbuk-gu, Seoul
2394 Answer: Yes. After that, it is not used.
2395
 2396 (The prosecuting attorney said, "How is April 4 recently?", and the suspect answered, "I can do that.")
2397
2398Jung Guk Moon: The suspect called 010-2359-8775 is the mobile phone (010-3687-57787) that uses the suspect's mobile phone. Is this correct?
2399 Answer: Yes. Yes.
2400
2401Jung Guk Moon: The suspect is 010-2359-8775. Did anyone else talk to anyone other than the suspect?
2402 A: I rarely spoke to anyone.
2403
2404Jung Guk Q: Why does not the suspect have a call history from April 4, 2015 to 010-2359-8775?
2405 A: You did not call because you had nothing to call.
2406
2407Jung Guk Moon: As the phone call (010-3687-5787) of the suspect, Mo Kim OO's cell phone (010-3687-5787) will be shown as below. July 7, 2015. Gangwon-do, Gangwon-do, I made a phone call from the suspect, did not I use the cell phone? (The prosecution violated the privacy and privacy of the suspect 's mother without a court warrant or investigation.)
2408 Business name / Order number / Usage type / Origination number / Called number / Call start time / Usage time (seconds) / Outgoing base station address
2409 LGU + / 1232 / SMS / 010-3687-5787 / 010-8230-2824 / 2015-07-07 8:50 / :: /
2410 LGU + / 1233 / Voice / 010-3687-5787 / 054-840-5466 / 2015-07-07 8:51 / 0:01:20 / 331-1, Seokgung-dong, Seongbuk-gu, Seoul
2411 LGU + / 1234 / SMS / 010-3687-5787 / 010-8230-2824 / 2015-07-07 16:29 / :: /
2412 LGU + / 1235 / SMS / 010-3687-5787 / 010-4050-7402 / 2015-07-07 16:32 / :: /
2413 LGU + / 1236 / Voice / 010-3687-5787 / 010-8230-2824 / 2015-07-07 18:01 / 0:00:51 / 346-3, Sansuri, Namsan-myeon, Chuncheon-
2414 LGU + / 1237 / MMS / 010-3687-5787 / 010-792-9484 / 2015-07-08 14:31 / :: /
2415 LGU + / 1238 / Voice / 010-3687-5787 / 010-5660-7804 / 2015-07-09 13:12 / 0:01:11 / 3rd Floor, Canaan Church 207, Jung-hwa-dong,
2416
2417 A: It's not my own, it's my mother's cell phone.
2418
2419 (The prosecution investigator questioned the accused about why her mother went to Chuncheon city in Gangwon province, and the suspect did not know that this was not recorded in the record.)
2420
2421Jung Guk Moon: The suspect is going to the village resort of Gonggok-ri (San-suri) on July 7, 2015. Kangwon-do 346-3, Sansuri, Namsan-myeon, Chuncheon,
2422 A: I was at home.
2423
2424Jung Guk Moon: Was the suspect alone on July 7, 2015?
2425 Answer: Yes. I was at home alone.
2426
2427Jung Guk Moon: Do you remember when the suspect's mother Kim came home?
2428 A: My parents are out with me and I do not remember the exact date of my return home, but I remember coming back home about the weekend.
2429
2430Jung Guk Moon: Looking at the phone call (010-3687-5787) of the defendant Mo Kim OO's name, it is reported to be the third floor base station of Canaan Church 207 Junganghwa-dong, Jungnang-gu, Seoul, It looks like you're back in Seoul.
2431 A: I can not remember the exact date my parents returned home.
2432
2433Jung Guk Q: So, is the suspect alone at home from July 7, 2015 to July 8, 2015?
2434 Answer: Yes, yes.
2435
2436Jung Guk Q: What did the suspect do at home alone?
2437 A: I do not remember exactly what I did.
2438
2439Jung Guk Moon: The suspects last, "2015. 7. 7. At 20:20, the obsession for President Obama was posted on the White House, and on the same day 14:57 on the same day, there were traces of reading the s.txt file in Korean, : 20) 1 minute after 20:21, capturing of threats (isis.png) is confirmed on the computer of the suspect, and the above s.txt file is read twice (ahead of 21:10 and 21:19) The suspect said, "I just scanned the computer and copied it to a text file, and I do not know whether it was scanned or not." How is it?
2440 Answer: Yes. It is correct as I stated before.
2441
2442Jung Guk Moon: The suspect is on July 7, 2015, 20:20, 20:20. Is it the correct time to copy the text from the suspect computer and paste it into a text file?
2443 Answer: I do not know the exact time. It is correct that I copied and pasted the results from Internet search.
2444
2445 At this time, the defendant responded by saying, "Let's rest for about 10 minutes and proceed with the investigation again." After taking a rest for 10 minutes (15:05), the defendant's lawyer sits again next to the suspect : 17). (Attorney Park Cheol-hyeon asked the prosecutor "Let's take a break because I have to deliver the papers to another client.")
2446
2447Jung Moon-sik Moon: The suspect is posted on the White House website on June 7, 2015, about the Ambassador Repertory. One minute later, at about 02:27, The file was created on the suspect computer. Is the time at which the suspect was copied from the suspect computer through Internet search and pasted to the text file?
 2448 Answer: The exact time zone is ... (At this time the suspect closed his eyes and thought for a while) ... It's a little hard to remember. It is correct that I copied and pasted the results from Internet search. (The prosecution officer exaggerated that the suspect thought for a while, through the depiction of the act of aggression.)
2449
2450Jung Moon-sik Q: How about a detailed explanation of how the suspect copied and pasted the results of Internet search?
2451 A: I went into the internet and searched, but the search terms were hard to remember and I copied the search results and pasted them into a text file.
2452
2453Jung Moon-sik Q: How do I get the search result when I can not remember the search term?
2454 Answer: ... It's a bit difficult to identify the exact query. (The suspect searches a large number of search terms to find search results just like ordinary people, remembering only the search results, and not remembering what search terms you searched for.)
2455
2456Jung Moon-sik Moon: The suspects are www.blogger.com, jeolladian.blogspot.com, jeolladian.blogspot.com, helkorea.blogspot.com, helpkorea.blogspot.com, bosulachi.blogspot.com, antihufs.blogspot.com, antihufs.blogspot.com, avstats.avira.com Do you know these sites?
2457 A: Of the above sites, www.blogger.com, avstats.avira.co is an unknown site, jeolladian.blogspot.com, jeolladian.blogspot.com, helkorea.blogspot.com, helpkorea.blogspot.com, bosulachi.blogspot.com , antihufs.blogspot.com, antihufs.blogspot.com are my blogs. Bosulachi is an Internet language that refers to a woman whose conduct is the subject of social criticism.
2458
2459Jung Moon-sik Moon: The suspects access the above sites on July 7th and 8th, 2015, and the hackers are running the suspects' jeolladian.blogspot.com, jeolladian.blogspot.com, helkorea.blogspot.com, helpkorea. Do you know how many URLs you know, such as blogspot.kr, bosulachi.blogspot.com, antihufs.blogspot.com, antihufs.blogspot.com?
2460 A: I'm not sure, but I do not have access to all of the above. (The suspect opened multiple blogs with one Google mail account.) I insisted on 'Google Cache', and my parents and lawyers claimed that my laptop might have been hacked at this time. (Attorney Park Cheol-hyun who heard this statement stared at the suspect for a while without saying anything.)
2461
2462Jung Moon-sik Question: Why did you tell the log records that you have access to the above sites on July 7th and 8th, 2015, and that you have not accessed all of the above?
 2463 A: I do not remember what I did at the time. (The suspect has not been able to access all of the blogs because he did not manage them by creating multiple blogs.)
2464
2465Jung Moon-sik Moon: When the prosecution re-imaged the suspect's laptop, Jung Moon-sik said, "I did not have Hangul input function on the laptop used by the suspect, but I entered Hangul using Internet input device. How do I input / output Hangul? (When imaging at the Cyber ​​Office of the Public Prosecutors' Office, Cyber ​​Investigator of the Chief Prosecutor's Office showed the process of analyzing the laptop to the suspect.
2466 A: Find the site that comes up with 'Hangul input device' on Google and click on the search result to input Hangul using the keyboard. There is a Korean keyboard on the notebook I bought and confiscated. The alphabet and Korean are shown on the keyboard. I used a French version of Windows XP on the laptop. I have installed a French version of Windows to enter French special characters. (The official testified, "Why do you write it?") And the suspect stated "I bought the cheap laptop because I was unemployed, I wrote it with inconvenience." But I did not record it in the record. However, the prosecution cyber investigator estimates it to be between two and three million won, "from the beginning," the laptop's hard disk capacity is quite large. "
2467
2468Jung Moon-sik Q: How do you describe the process of entering Korean into Google in detail?
2469 Answer: First, enter Google (www.google.com) into the Internet address bar, and when the Google window appears, enter the Korean input device (gksrmfdlqfurrl) in English into the search box. Then, the Korean input method site appears in order, and from the top of the Korean input method site, click downward to find a site where you can input Korean. If you find a Hangul input site, you can input Hangul by using computer keyboard and then copy the Hangul input and paste it in the place where Hangul input is needed. (The suspect's laptop is in French, so typing www.google.com leads to www.google.fr.) Even if you search for both sites with the same search terms, the order of the search results displayed is different.)
2470
2471Jung Moon-sik Moon: As a result of the prosecution's hacking test on the suspect's laptop, there are no signs of specially remote control (especially July 7, 2015, and July 8, 2015). How about this? And the suspect did not delete the access log from the laptop router?
2472 Answer: (The suspect does not answer the hacking test result.) I just entered the ID and password on the router, and I do not remember when I entered it. I did not delete the Router Access Log on June 25, 2015, June 7, 2015, and July 8, 2015.
2473
2474
2475
2476
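The timestamp check the prosecutor describes in the interrogation above (the 13-digit suffix of the screencapture-... file names read as Unix time and converted to UTC+9) can be reproduced as follows. This is an added example, not part of the original records: the function names are hypothetical and the file-system creation times in SAMPLES are constructed sample values, not figures from the case file.

```python
import re
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))               # Korea Standard Time, UTC+9
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Name layout as it appears in the records:
#   screencapture-<url-slug>-<13 digits>.png
NAME_RE = re.compile(r"^screencapture-(?P<slug>.+)-(?P<ms>\d{13})\.png$",
                     re.IGNORECASE)


def parse_capture_name(filename):
    """Return (url_slug, capture_time_in_KST), or None if the name has no
    embedded timestamp in the expected layout."""
    m = NAME_RE.match(filename)
    if m is None:
        return None
    # 13 digits = milliseconds since the Unix epoch. Integer timedelta
    # arithmetic avoids the rounding of float-based fromtimestamp().
    captured_utc = EPOCH + timedelta(milliseconds=int(m.group("ms")))
    return m.group("slug"), captured_utc.astimezone(KST)


def compare_with_fs_time(filename, fs_created, tolerance=timedelta(minutes=2)):
    """Classify the gap between the timestamp in the file name and the
    file-system creation time taken from the disk image.

    A file name is user-editable, so the verdict is corroborating evidence
    only; it has to be read together with other artifacts (browser history,
    other file-system timestamps, the image hash chain).
    """
    parsed = parse_capture_name(filename)
    if parsed is None:
        return {"file": filename, "verdict": "no-embedded-timestamp"}
    if fs_created.tzinfo is None:
        raise ValueError("fs_created must be timezone-aware")
    slug, captured = parsed
    delta = fs_created - captured
    if delta < timedelta(0):
        # Created before the capture supposedly happened: clock skew,
        # a renamed file, or altered timestamps.
        verdict = "fs-time-before-name-time"
    elif delta <= tolerance:
        # Written to disk moments after capture: what a capture made on
        # this machine looks like.
        verdict = "created-at-capture-time"
    else:
        # Written well after capture: a later copy, download or restore
        # cannot be excluded.
        verdict = "created-after-capture"
    return {
        "file": filename,
        "url_slug": slug,
        "captured_kst": captured.isoformat(),
        "fs_created_kst": fs_created.astimezone(KST).isoformat(),
        "delta_seconds": delta.total_seconds(),
        "verdict": verdict,
    }


# File names are the ones quoted in the records; the creation times paired
# with them are CONSTRUCTED for illustration.
SAMPLES = [
    ("screencapture-www-whitehouse-gov-thank-you-1436290042624.png",
     datetime(2015, 7, 8, 2, 27, 30, tzinfo=KST)),
    ("screencapture-www-whitehouse-gov-contact-submit-auestions-and-comments-"
     "1432397652564.png",
     datetime(2015, 5, 30, 10, 0, 0, tzinfo=KST)),
    ("usa.png", datetime(2015, 7, 8, 2, 27, 0, tzinfo=KST)),
]


def run_samples():
    return [compare_with_fs_time(name, created) for name, created in SAMPLES]


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

The two name timestamps decode to 2015-07-08 02:27:22 and 2015-05-24 01:14:12 in UTC+9.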
2477 ++++++++++++++++++++ Forensic Investigation for Brother 6666 Case 2015 Verification Statement ++++++++++++++++++ ++
2478 Author: In-Sung Kim, Professor, 010-5270-5779, No. 819-5, Bangbae-dong, Seocho-gu, Seoul,
2479 (On January 19, 2016, Kim Yong-Min attorney handed in the opinion of professor Kim In-Sung)
2480
2481 1. Whether hacking outside
2482 No external hacking traces were found.
2483 2. The legitimacy of the forensic process
2484 There was no expert to judge the legitimacy of forensic work in the seizure process.
2485 3. The fact that White House access records do not exist on the computer
2486 If you use the Web browser's secret access feature,
2487 4. Whether to change the router MAC address
2488 The router MAC address can be changed and there is also a trace of change.
2489 5. Whether the 7.21 date file exists,
2490 7.21 Date The created file does not exist. The date of file creation in the report is considered to be the date of creation of the report, which is the author of the report.
2491 6. If the hash value of the hard disk imaging file is different
2492 It is judged that the hash value has changed because reimaging was performed after rebooting the computer to check the time zone after imaging in the seizure search process.
2493 7. White House screen capture file
2494 The White House screen capture file is captured and stored on this computer.
2495 This statement is a review of the evidence only and is not a definitive opinion and may be subject to change if additional evidence is available.
2496 2015.12.29 Kim In Sung. (signature)
2497
2498 If you use the web browser's secret access function, you may not record the connection.
 2499 It is hard to rule out the possibility that the incognito feature was used, because incognito access was asked about during the interrogation process and the answer was that he knew about it.
2500
2501 -------------------------------------------------- --------------------------------------------------
2503
2504 If downloaded from the Internet, the above file name and the Zornjdm file will be created. By the way, the above file is not found on the computer. If you look at the above, what do you think the suspect looks like in a file
2505 Answer: I'll take good care of you.
2506 Law? : Google has 4 secrets on each of the browsers. That's right.
2507 Q: What is your reason for using the above sounds? Answer: It is useful to use something because it is a novel.
2508 Moon. What is Incognito? Answer: I do not know.
2509 Q: The secret function is to set the internet connection speed in case of internet browsing, and it is a function to access the Internet without saving the file temporarily. Do you know Lee?
2510 Answer: I do not know.
2512 -------------------------------------------------- --------------------------------------------------
2513 [Picture that opens this OO evidence record .pdf file with Adobe Acrobat Pro]
2514
2515 4. Whether to change the router MAC address
2516 The router MAC address can be changed and there is a trace of change.
 2517 The router shows a log entry when the MAC address is changed, but the router settings include a function that prevents the log from being saved.
2518
2519 It is difficult to say that the MAC address associated with the IP address assigned by the vendor is found on the router, and that the MAC address is not used because the change log is not left on the router.
2520
2521 -------------------------------------------------- --------------------------------------------------
 2522 [Screenshot text not recoverable: this OO evidence record .pdf opened in Adobe Acrobat Pro, showing the ipTIME router administrator page with network and MAC address settings]
2530
2531 [Picture] timeproUltxl om Mini language display
2532 - At the time of the crime, the user's Internet Router <Administrator's Page
2533 - Internet access routers from 2015, 7 7, .19: 57, 7, 8: 02: 44, which were found on the commissioned notebook,
2534 To connect to the Internet Router, connect the two terminals of the Noto Book. 4. Save the configuration file.
2535 Why do you check your internet connection information call? 룔 7. 7. 20:03:05 룔 7.8 02:33:24
2536 On the White House Web site, the threats are changed between the time the two messages were published, and the time that the change was made to the router.
2537 -------------------------------------------------- --------------------------------------------------
2538 [Picture 4 of this OO proof record with Adobe Acrobat Pro opens .pdf file]
2539
2540 5. Whether a file dated 7.21 exists
2541 No file created on 7.21 exists.
2542 There is no file that matches the file creation date specified in the report.
2543 The creation date of the file, such as the name of the file submitted as evidence in the report, is prior to the seizure.
2544
2545 The s.txt file submitted as evidence in the report matches the file creation date recorded in the hard disk imaging data.
2546 The file creation dates given in the report, except for s.txt, are judged to be the date the report was created.
2547 Therefore, it is a mistake by the report's author to give the file creation date as 7.21.
2548
2549 -------------------------------------------------- --------------------------------------------------
2638
2639 -------------------------------------------------- --------------------------------------------------
2640 [Record this OO evidence in Adobe Acrobat Pro. 5 photos opening a .pdf file and 5 photos analyzing the evidence file with EnCase Forensic]
2641
2642 6. If the hash value of the hard disk imaging file is different
2643 The difference between the initial imaging and secondary imaging hash values is judged to result from re-imaging after the computer was rebooted to check the time zone following the initial imaging.
2644
2645 -------------------------------------------------- --------------------------------------------------
2646 [Scanned request form: investigator Nam Sang Wook of the cyber investigation team; summary stating that the accused contacted the White House Web site on July 7, 2015 and July 8, 2015 and intended to threaten the US President's family and the US Ambassador to Korea]
2647
2648 Cancellation request information (duplicate image)
2649 [Scanned table: model (manufacturer), duplicate image file name and hash value (MD5) for the HITACHI HDD Z5K500-500 500GB attached to the lenovo B490 laptop (29 files), the Seagate HDD ST500DM002 clone image (12 files) and the Seagate HDD ST3250820AS replica (E01 ~ E15, 15 files)]
2652 -------------------------------------------------- --------------------------------------------------
2653 [Photo taken with a document tied up with a mobile phone camera and wired]
2654 Hash value generated at initial imaging
2655
2656 -------------------------------------------------- --------------------------------------------------
2657 (3) File and hash value
2658 [Scanned table: number, extracted file name and hash value (MD5) of the image files, beginning with the image of the HITACHI HDD Z5K500-500 500GB on the lenovo B490 laptop (29 files)]
2660 -------------------------------------------------- --------------------------------------------------
2661 [Photo taken with a document tied up with a mobile phone camera and wired]
2662 Hash values created when imaging after turning on the computer for time zone verification
2663
2664 Note that copying an imaging file does not change the hash value. The prosecution needs to explain why the hash value reimaged after the time zone check and the hash value imaged by the prosecution are different.
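The distinction drawn in item 6, as an added example that is not part of the original report: copying an image file keeps its hash, while a disk acquired again after a boot hashes differently, and a block-by-block comparison shows which regions changed. The 8-block toy disk, its layout, the post-boot values and all function names are constructed for illustration; MD5 is used because the report's tables use it.

```python
import hashlib
import os
import shutil
import tempfile

BLOCK = 4096  # block size of the constructed toy disk


def file_digest(path, algo="md5", chunk=1 << 20):
    """Hash a file in chunks, the way an image file is verified."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for part in iter(lambda: fh.read(chunk), b""):
            h.update(part)
    return h.hexdigest()


def put(disk, block_no, data):
    """Write data at the start of the given block."""
    start = block_no * BLOCK
    disk[start:start + len(data)] = data


def build_toy_disk():
    """Constructed disk: block 2 = evidence file, blocks 0 and 6 = OS bookkeeping."""
    disk = bytearray(BLOCK * 8)
    put(disk, 0, b"last-shutdown=2015-07-13T20:47:18")
    put(disk, 2, b"constructed evidence file contents")
    put(disk, 6, b"system log: 41 entries")
    return disk


def simulate_boot(disk):
    """Copy of the disk after one more power-on. Toy-model assumption:
    only the OS bookkeeping blocks are rewritten (values are constructed)."""
    after = bytearray(disk)
    put(after, 0, b"last-shutdown=2015-07-14T10:02:51")
    put(after, 6, b"system log: 57 entries")
    return after


def block_digests(image, algo="md5"):
    """One digest per block, so two acquisitions can be compared region by region."""
    return [hashlib.new(algo, image[i:i + BLOCK]).hexdigest()
            for i in range(0, len(image), BLOCK)]


def compare_acquisitions(first, second, evidence_blocks):
    """Report whether the whole-image hashes match and which blocks differ."""
    if len(first) != len(second):
        raise ValueError("images differ in size; block comparison is not meaningful")
    a, b = block_digests(first), block_digests(second)
    changed = [n for n, (x, y) in enumerate(zip(a, b)) if x != y]
    return {
        "whole_image_match": hashlib.md5(first).hexdigest() == hashlib.md5(second).hexdigest(),
        "changed_blocks": changed,
        "evidence_blocks_changed": sorted(set(changed) & set(evidence_blocks)),
    }


def demo():
    first = build_toy_disk()
    # 1) A file-level copy of the image keeps the hash.
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "first.img")
        copy = os.path.join(tmp, "copy.img")
        with open(original, "wb") as fh:
            fh.write(first)
        shutil.copyfile(original, copy)
        copy_matches = file_digest(original) == file_digest(copy)
    # 2) Re-acquiring the disk after a boot does not.
    report = compare_acquisitions(first, simulate_boot(first), evidence_blocks=[2])
    report["copy_matches_original"] = copy_matches
    return report


if __name__ == "__main__":
    print(demo())
```

A whole-image hash only says that something differs; the per-block comparison is what shows where the two acquisitions diverge.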
2665
2666 7. White House screen capture file
2667 The White House screen capture file is presumed to have been captured and stored by the suspect on this computer.
2668 There is no possibility of hacking, because the suspect has acknowledged that he copied it directly (through testimony that he downloaded it from the Internet).
2669 The file creation time differs by one minute from the time of writing to the White House, and the posting of the same contents on another site came after the time the file was saved, so it is unlikely that it was downloaded from another site.
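The timeline argument in item 7, worked through as an added example (not part of the original report): timestamps from a web server on US Eastern summer time and a laptop set to the Paris time zone are placed on one axis before they are compared. The 02:26 posting and 02:27 file-creation times are the ones quoted in these documents, read here as Korean time (an assumption); their EDT and Paris renderings are derived from that, and the other-site posting time and all names are constructed.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets as they applied in July 2015.
EDT = timezone(timedelta(hours=-4), "EDT")    # US Eastern summer time
CEST = timezone(timedelta(hours=2), "CEST")   # Paris summer time
KST = timezone(timedelta(hours=9), "KST")     # Korea, no summer time


def parse(stamp, tz):
    """Attach the source's own time zone to a minute-resolution timestamp."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=tz)


EVENTS = [
    # Derived: 02:26 on 8 July in Korea, as a server on EDT would log it.
    ("web server: post submitted", parse("2015-07-07 13:26", EDT)),
    # Derived: 02:27 on 8 July in Korea, as a laptop set to Paris time shows it.
    ("laptop: capture file created", parse("2015-07-07 19:27", CEST)),
    # Constructed value for the later posting on another site.
    ("other site: same text posted", parse("2015-07-08 02:40", KST)),
]


def normalise(events):
    """Return (label, UTC time, KST time) rows sorted on a single axis."""
    rows = [(label, ts.astimezone(timezone.utc), ts.astimezone(KST))
            for label, ts in events]
    return sorted(rows, key=lambda row: row[1])


def gap_bounds(earlier, later, resolution=timedelta(minutes=1)):
    """Both stamps are truncated to `resolution`, so the real gap is only
    known to lie between these two bounds."""
    nominal = later - earlier
    return max(nominal - resolution, timedelta(0)), nominal + resolution


def misread_as(ts, assumed_tz):
    """Same wall-clock digits, wrong zone label: the mistake to avoid."""
    return ts.replace(tzinfo=assumed_tz)


def analyse():
    post, created, repost = (ts for _, ts in EVENTS)
    low, high = gap_bounds(post, created)
    return {
        "order": [label for label, _, _ in normalise(EVENTS)],
        "created_kst": created.astimezone(KST).strftime("%Y-%m-%d %H:%M"),
        "gap_seconds": (int(low.total_seconds()), int(high.total_seconds())),
        "saved_before_repost": created < repost,
        # Reading the laptop's Paris-time display as Korean time shifts it by -7 h.
        "misread_error_hours": (misread_as(created, KST) - created).total_seconds() / 3600,
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```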
2670 End
2671
2672
2673
2674
2675 ++++++++++++++++++++ Witness Examination Record (part of the eighth trial) ++++++++++++++++++++
2676 Event 2015 Torture 4685 Threatening
2677 Name Nam Sang Wook
2678 Date of birth August 22, 1978
2679 Housing Seoul Chongno-gu Sajikro 8 Gil 31, Seoul Metropolitan Police Agency Cyber Investigation Department (Investigation Section)
2680 judge
2681 If a witness asks whether he or she falls under Article 148 or Article 149 of the Criminal Procedure Act and acknowledges that he / she does not fall under this clause and explains that he / she can refuse to testify if he / After warning the punishment, he stood as a separate line and made him swear. The next witnesses did not finance it.
2682 The contents of the newspaper about the witness are the same as the recording file of the court recording system (the original number 160321141735).
2683 March 21, 2016.
2684 Hwang,
2685 The judge (doctor)
2686
2687 A statement on the testimony veto notice
2688 1. A witness may, if he / she has any of the following reasons, deny his / her testimony to the presiding judge by calling for reasons for refusal.
2689 end. If a person who has a relative or relative with a witness or a witness, a legal representative, or a supervisor is found to be subject to a criminal prosecution or a complaint or convicted (Criminal Procedure Act, Article 148)
2690 I. If a witness is in such position or in such position as a lawyer, a patent attorney, a notary public, a CPA, a tax accountant, a taxpayer, a doctor, a doctor, a dentist, a dentist, a pharmacist, a midwife, a midwife, a nurse, (The Criminal Procedure Act, Article 149)
2691 2. In addition, a witness may refuse to testify if he or she finds that there is a reason similar to that of paragraph 1 of an individual or specific newspaper after the oath.
2692 3. If a witness does not expressly deny the testimony or give false testimony to a newspaper article that has the right to veto testimony, he / she shall be held liable for perjury please.
2693 Witness Nam Sang Wook (signature) or signature (signature)
2694
2695 Oath
2696 According to the conscience,
2697 In fact,
2698 If there is a lie
2699 To be punished for perjury
2700 I am a wanderer.
2701 Witness Nam Sang Wook (signature) or signature (signature)
2702
2703
2704 Recording book (main point)
2705
2706 Case Number 2015 Highland 4685
2707 Due Date: March 21, 2014
2708 Remarks Inadequate question, the Attorney's objection to the Attorney General's 25th article of the State Newspaper is on page 16, pages 21-22, page 17, pages 12-13, Part.
2709
2710 I submit a transcript prepared in accordance with the provisions of Article 38, Paragraph 1 of the Criminal Procedure Rules.
2711 1. Attachment: A copy of the witness newspaper on the witness Shin Nam Suk (Total: 52 pages)
2712 March 21, 2016.
2713 Stenographer Park Sang Ki (Painting) (Painting)
2714
2715 ※ This transcript was written in a way that summarizes only the main parts of the statement _
2716 ※ Parties and witnesses may object to the matters described in this transcript. When an objection is raised, a court clerk or other person must indicate the intent of the objection in this transcript or in a separate document or correct the relevant part of this transcript.
2717
2718 judge
2719 Witness Shin Nam Wook, a witness for the New Testament, acknowledges the necessity of recording and instructs him to record all of them in accordance with the provisions of the relevant Criminal Procedure Law. The contents of the witness newspaper are all recorded, so please be sure to tell the microphone when speaking.
2720 Notice of testimony veto. Witnesses' testimony may deny the witness or any person who has a close relative relationship with the witness to be subject to criminal penalties or to testify about the confidentiality of the other person whom the witness has known for work. After witnesses have sworn in, they can also refuse to testify for the same reason in individual newspapers. And if a witness lied after an oath or if his memory is unclear, but his memory is clear, he is punished as a perjury. Please swear.
2721
2722 witness
2723 According to the oath and conscience, I speak truthfully without any concealment and assistance, and if there is a lie I swear to be punished for perjury. Witness Nam Sang Wook.
2724
2725 Prosecutor
2726 To witnesses
2727 (Provide an investigation report on page 172 of the Investigation Record No. 10 in the Evidence List)
2728 Q: Is it true that the witness wrote the investigation report that the defendant's blog was confirmed and the relevant article was printed and attached.
2729 A: Yes, that's what I wrote.
2730 If you look at the printouts attached to this page, you can attach a copy of your diploma titled "I am a student at Chonnam National University," a copy of your graduation certificate, a copy of your graduation certificate in English, a transcript of your transcripts, Ministry of Education 's complaints Title' I have been suspected of forgery of education and plagiarism due to the unilateral graduation change of university '. And the content of the complaint is confirmed by the defendant 's blog, and is it attached to the output?
2731 Answer: Yes.
2732 Question: Is it true that this article was also printed on the defendant's blog, on page 185 of the Investigative Record, "What is HUFS?"
2733 Answer: Yes.
2734 Question: Is it true that the content of the complaint posted on the defendant's blog on the title page of the Investigation Record on the 188th page titled "My Civil Service Complaint (Civil Title - Good Morning)" is correct.
2735 Answer: Yes.
2736 Question: Is it true that the post on the page 192 of the Investigation Record entitled "Aversion to feelings when I am good at English" on a blog called "Korean Anxiety Antisocial" is also printed on the defendant's blog?
2737 Answer: Yes.
2738 Q: On the 193 page of the Investigation Record, is the posting on the defendant's blog the subject of "Why do I go to the brothel and buy a woman?"
2739 Answer: Yes.
2740 (Proof of the investigation report No. 238 of Investigation Record No. 13 in the Evidence List)
2741 Q: Is this the report of the investigation titled 'The original file of the intimidation document that the suspect was found on the OO computer?'
2742 Answer: Yes.
2743 Q: What is the content of this investigation?
2744 Answer: This is an investigation report on the time, file name, and file path created for the original text capture file found on this OO computer.
2745 Q: Isis.png, usa.png Meta information of file, information of file attribute information, and printouts of original text are attached.
2746 Answer: The attachments that follow are attached by Kim Kyung-hwan, an analyst who analyzes digital evidence, and I wrote the investigation report.
2747 Q: Are you handing it from an analyst and attaching it?
2748 Answer: Yes.
2749 (Proof of Investigation Report No. 15, Investigation Record # 258)
2750 Q: Is it true that the witness wrote the investigation report titled 'The White House homepage written by the suspect computer'?
2751 Answer: Yes, this is just the same thing as I mentioned before, with the fact that I received the data from the digital evidence analyst and attached the report.
2752 (Proof of Investigation Report # 401, Investigation Record # 25)
2753 Q: Is it true that the witness wrote the investigation report titled 'The suspect is checking the OO notebook time zone setting'.
2754 Answer: Yes.
2755 Q: Please explain the contents briefly.
2756 A: The description of the operating system in French language, the initial installation time of the operating system, and the time when the notebook was last terminated. 13. 20:47:18 and we started the 7. 13th light-duty search at that time and found the evidence file on the laptop and turned off the computer to see if the integrity was changed immediately, so the final shutdown time came out at 20:47:18 I will. On the next page you will see the time that you booted the notebook for the first time. On that day, on July 13th, it is time when this OO's computer was booted, and when we see the time, it comes out at 20:07, and we can see this time when we handed the laptop to the defendant's mother on the spot and turned it on. And it is usa.png which is image file related to crime which is found in notebook. The file creation time is 2015. 7. 8. 02:27, and when I run the image file, it shows the link file creation time and I took a picture of the notebook screen at the time to confirm that we did not change the image The camera I shot was Samsung SHV230S and the recording time is 20:47. It is the material that can prove that I took a picture right before the time I turned off the computer and turned off the computer exactly, and the last time I left the notebook on the next page was 20:47:18. After taking a picture, we can see that we shut down the computer immediately to ensure integrity. And this is International Standard Time, which explains that there was an error of -7 hours between France and Domestic time because Paris was using summer time, usa.png The date of the last access to the key evidence file and the date of access. It will be July 13, 20:42, UTC and July 13, 2015, UTC. Because the last time we saw and accessed the file in the field, the exact time of the seizure was 20:42. It is the investigation report that explains what is related to such a time.
2757 (Exhibit # 4 of Evidence # 25-2 on the Evidence List)
2758 Q: Is it true that the witness wrote "Google Chrome Capture Function Analysis, Analysis of White House Screening Screen"?
2759 Answer: Yes.
2760 Q: Is the witness actually testing the front page of the White House website? Contact us?
2761 Answer: Yes.
2762 Q: When I created a post using the full screen capture function associated with the Google Chrome browser and then captured it, did you notice that it was saved in the png file format?
2763 Answer: Yes.
2764 Q: Does the file name capture the url address and then capture time information automatically?
2765 Answer: Yes, it contains the captured time information.
2766 Q: And did you check the result screen when you click submit button?
2767 Answer: Yes.
2768 Q: What is the following?
2769 Answer: The defendant has also found five lists of photo files that were captured using Google's screen capture feature on his computer.
2770 Q: These files do not have a direct relationship with the subject, but are they still captured before the crime?
2771 Answer: Yes, you can tell that the defendant used the Google Chrome browser's capture function to capture it.
2772 Q: Have you captured screenshots of the White House homepage?
2773 Answer: Yes, I did it again when I finished capturing the screen that was on the captured screen.
2774 (Present evidence page 285, Investigation Record, page 465)
2775 Q: Is it true that the suspect is an investigation report titled "Cheong Wa Dae and the National Newspaper Articles Found on the OO Computer", which was written by a witness?
2776 Answer: Yes.
2777 Q: Here is a blue house .png file and a questionnaire report for two .pdf files. What is it?
2778 Answer: Blue House.png is the defendant's access to the Cheongwadae homepage. 26. Foreclosure Notice I received a civil defense training in Dongdaemun District this April. I went by taxi to the corner where I went by subway. It is a file that I wrote and wrote with the message "I will do the transfer from Mapo side in Goat."
2779 Q: We will have a one-person demonstration in the direction of Mapo Grand Bridge Yeoido. Please pay Civil Defense transportation expenses. 20,000 won "written on a lm box paper horizontally, hanging on a railing, I am bound by a nylon string on a railing alone, and I am planning to return home. The location is July 26, 2013. 26. Is this the place where the male representative of Sungjae period was sent by the representative?
2780 Answer: Yes, it was written that way.
2781 Q: Is this all found on the defendant's laptop?
2782 Answer: Yes.
2783 (Proof # 486 of Record # 30 of the Evidence List)
2784 Q: Is it true that this investigation is written by a witness? This is an investigation report titled 'Analysis of time information generated by capture using the Google Chrome browser capture function'.
2785 Answer: Yes.
2786 Q: What is the content of this investigation?
2787 A: When you use the capture function of the Google Chrome browser to capture the url information and the time after it comes up, the time is the time information of the capture and the time information is the number 143. If you decode it, It is contents that we can confirm domestic time information.
2788 Q: Is it true that you can decode the capture time information in the file name generated when you capture with the full-screen screen capture program using the Google Chrome browser?
2789 Answer: Yes, and I have tested it myself.
2790 (Proposition 971 of Record No. 62 of the Evidence List)
2791 Question: This is an investigation report titled 'Attorney's Statement of Contents (existence of job file on July 21st, 2015) and attached photo attached to this OO notebook.' Is this investigation written by the witness?
2792 Answer: Yes.
2793 Q: Is the text explaining that the defendant had a problem that the text file was written after the search?
2794 Answer: Yes.
2795 Q: Are the photos attached to the crime after the accused found on the defendant's computer?
2796 Answer: Yes.
2797 Q: Are the printouts attached to the investigation report that I have just verified to capture the original articles or photos posted on the Internet site, such as the defendant's blogs, or the information or material found on the defendant's notebook, ?
2798 Answer: Yes.
2799
2800 Prosecutor
2801 Record 393. We will present the evidence list number 22-1.
2802 Lawyer
2803 I think this part is not written by the witness but sent from America.
2804 inspection
2805 I want to know how I got the evidence and where I got it to judge it.
2806
2807 Prosecutor
2808 To witnesses
2809 (Provide evidence page 391 of the evidence list No. 22-1)
2810 Q: Is this a document titled 'Documents for expressing intention to punish the US government', is this the document received from the US government?
2811 A: I did not receive it, but I do not know that it was attached to it by Gwak Dong-kyu of the Ward investigation department at that time.
2812 Q: Does Gwak Dong-kyu directly received from the US side?
2813 A: I do not know because it is not attached to me.
2814 Q: Have you seen this document yourself?
2815 I have seen. I have seen ...
2816 Q: Is the witness unaware of the availability?
2817 A: Yes, I've seen it because I did an investigation with a broadcaster at the time, but I'm not sure how to get it.
2818 Q: Is the witness a police officer?
2819 Answer: Yes.
2820 Q: What is your position and rank?
2821 A: It is librarian Nam Sang Wook of Cyber Security and Cyber Investigation Department of Seoul Metropolitan Police Agency.
2822 Q: Is the witness involved in the investigation?
2823 Answer: Yes.
2824 Q: When was the investigation started?
2825 A: I do not remember exactly. In June of last year or about July, I was threatened by Ambassador Ripper. The letter was posted on the White House website of the US Embassy. We contacted the cyber security office of the US through the US Embassy. I started to investigate immediately.
2826 Q: Where exactly did you receive the investigation leads?
2827 A: The National Police Agency Cyber Safety Bureau.
2828 Q: Is not it from the US?
2829 A: I know you are an American Embassy. We received a case from the main office and received it from the US embassy in the main office.
2830
2831 judge
2832 To witnesses
2833 Q: Is the US Embassy the US Embassy in Korea?
2834 A: I have been ordered by Cyber Security Bureau of the National Police Agency.
2835
2836 Prosecutor
2837 To witnesses
2838 Q: Is the witness received from the Cyber Security Bureau and does not know exactly when and from whom it was received?
2839 Answer: It's right that I got it from Safety Bureau.
2840 Q: Do not you know where you got it from the US?
2841 A: Yes, I do not know exactly.
2842 Q: Do you know the name and position of the person who provided the investigation lead directly from the US side?
2843 A: It is Kim Sung-hoon, the captain of the Cyber Security Bureau International Cooperation Team.
2844 In this case, the date of publication of the "Obituary rape against the second daughter of US President Obama" is based on EDT (American Summer Time) applied on July 7, 2015 July 20, 2015) and the connection IP was confirmed as 124.197.152.74?
2845 Answer: Yes.
2846 In this case, "Mark Ripper," the publication date of the murder intimidation article 1 for US Ambassador to Korea, is based on EDT (Eastern Time) 7. 8. 02:26), and the connection IP was confirmed as 124.197.152.48?
2847 Answer: Yes.
2848 Q: How did you check each posting date and connection IP above?
2849 A: I also logged on to the White House homepage, and I received it from the police and handed it to us.
2850 Q: Please describe the reason why the defendant was identified as the suspect of each crime in this case.
2851 Answer: Once there was no clue except for the connection IP, I received a reply that I could not confirm the subscriber because I requested the subscriber information on Dongdaemun Cable TV Road TV with that IP.
2852 So, when we check the area where we can get the IP to check the subscribers, we can not remember exactly in Dongdaemun-gu, Seoul.
2853 We have heard that there is a possibility that it can be allocated from about 2, 500 households, and when we check the MAC address on the computer, we can find the investigation lead to the MAC address. I checked to the closest apartment complex I was assigned.
2854 When I narrowed it down, it was O apartment where I can check it, it was the defendant's apartment.
2855 I do not know how many apartments there are in the apartment, but if there are 20 floors, it is 20th floor because there are 20th floor and 20th floor. I have only recruited subscribers to Dongdaemun cable TV from 20th generation.
2856 I do not remember exactly, but it has been reduced to about 5 ~ 6 generations, and I had to look through 5 ~ 6 generations and I could not do that.
2857 I analyzed the crime trends and impersonated isis. I also impersonated the Korean foreign affairs staff from the phone number and e-mail address of the Korea Foreign Student Summer School.
2858 So a team of our investigation team was sent out to the outside world to check if there really is such a person, and there is no such thing there is a person who has a bad tendency to the outside world is not an optical investigation, I confirmed the propensity of.
2859 And there are two criminal intimidation articles: the first is the daughter 's intimidation to President Obama and the second is the intimidation to Ambassador Ripper that the second daughter of Obama, Natasha, is raped by anus.
2860 This can be seen as a bit of a kinky tendency of the writer, and the second is to threaten Ambassador Repert, whose weapon is called a nuclear weapon.
2861 I found a tendency that I could not imagine in a mental state, which is a little impolite. I checked the apartment tenant management card because I thought it was very likely to be an outside official in O apartment. So I think that the defendant goes to a foreign language university I confirmed that.
2862 So I checked the defendant's regular phone number, searched Google, and found ten defendant blogs.
2863 There was a criticism of the foreign ministry, and the reason why I criticized it was that my majors were changed and I was disadvantageous to my job. The second time I was raped by my ancestor, I saw a picture of him taking off his clothes, wearing panties and wearing a bucket, and checking his account to ask him to donate himself a little.
2864 I was criticizing many other foreigners, and after all that was the right thing, I applied for a seizure search warrant and got a warrant for seizure search at Seoul Central District Court.
2865 So I went to the house with a formal search warrant.
2866 The computer in the defendant's room was unused, there was a computer in the next room study, I looked at both computers and found nothing related to the crime.
2867 Then there was another room next to the kitchen, and the visit was locked, so I asked my mother to open the door and I knew that maybe I could have entered one.
2868 I went in and got a laptop and I saw that the computer language was in French so we did not know French so I had no idea what folder my computer was or what folder it was. When we checked the digital evidence analyzer, President Obama and two of the original captures of Ambassador Ripper were found immediately, so I suspected the defendant had written it, and then shut it down.
2869 It was probably about 20:42. I then disconnected the hard disk from the notebook.
2870 After we disconnected it, we connected it to the computer cloning equipment, then we had the original hard disk, reconnected the copy hard disk and cloned the same.
2871 When you make a copy, the hash value of the hard disk on the defendant's laptop is the same as the replicated hard disk.
2872 For example, a hash value is a tool for proving integrity. If the defendant's computer hash value is A, then the hash value of our copy hard disk will be equal to A.
2873 Then, in the state of A, if we do not touch the copy, we do the analysis in the same A state whether or not it is sealed.
2874 When analyzing a copy of computer A, there is a write-protect device, not just an analysis.
2875 Since the integrity of a computer hard disk is immediately broken when we connect it to the hard disk protector, no matter what I analyze by connecting the copy, the copy hard disk is not changed at all.
2876 And the file called Imaging is created as a file, and the file can not be changed.
2877 If it changes, if you change the hash on the hard disk of the copy, it will be changed to B instead of A.
2878 That's why the hard disk you image is the same as analyzing with the same original A anytime and anywhere.
2879 It was discovered, and we proceeded with the seizure search for four hours at that time, and the defendant was lying in his room with only panties and not at all until we went.
2880 I asked him, "Is this the right thing you wrote on your laptop," and then I drank a little and said, "I do not know at all." We talked that way, and we persuaded him for three hours, even though he was able to arrest an emergency at the time because of the destruction of the evidence and the reasons for it in the future.
2881 Q: Is the date and time of the seizure of the seizure on July 13, 1945?
2882 A: Yes, I would have probably started from then.
2883 Q: Was the confiscated lenovo B490 laptop computer, four hard disks, and a USB stick?
2884 Answer: There was a bit of a mistake, but I checked my laptop for evidence and immediately shut down my computer and immediately started imaging.
2885 I opened the imaging and sealed my laptop right away. Because the integrity was changed, I sealed it. When I sealed it, my mother wrote it, and I put my mother's letter, we rolled it with tape and sealed it.
2886 There was a virtual machine program called VMware installed.
2887 If you do not have a computer notebook, then you may not be able to analyze it in the future, so we need the original, so the notebook is seized separately.
2888 Q: On the defendant's laptop computer, isis.png, usa.png, a file capturing screen captures of each blackmail?
2889 Answer: Yes.
2890 Q: Did the defendant confirm the source of each file shortly after the discovery?
2891 A: I asked, but I can not remember exactly whether you talked in the way that you downloaded it from the internet or you did not talk at all.
2892 Anyway, he denied that he did not.
2893 Because I received too many surveys, I did not know exactly what I said at the time, but I told him that I did not do it anyway.
2894 Q: I checked the creation date and time of each capture file. Was it confirmed within 1 minute immediately after each crime?
2895 Answer: Yes.
2896 Q: After I image the defendant's laptop, why did I confiscate the original because the original laptop computer needed to be analyzed?
2897 Answer: Yes, yes. This is because the virtual machine VMware was installed. VMware is a virtual machine computer, and now you have a computer in it, and you can create a computer to run multiple computers. If you have a computer in your computer, you can not leave any trace of it on this computer, but if you log in to the virtual machine again and enter it, it will crime the virtual machine and delete the related files for the virtual machine The need to analyze the machine has confiscated the original.
2898
2899 Judge
2900 To the witness
2901 Q: Because the defendant's laptop computer had VMware installed ...
2902 A: Yes, it was and was a forfeit.
2903 Q: Is it because the original reason for the confiscation of the original was that VMware was installed on the defendant's laptop computer?
2904 A: Yes, if you do not have a laptop, you may not be able to analyze it.
2905 Q: Why did you confiscate the original after imaging?
2906 A: I have an image and the file of the virtual machine is once again in the imaging file. The original notebook is required to run the file.
2907
2908 Prosecutor
2909 To the witness
2910 Q: After you confiscated the defendant's laptop computer, did you get confirmation from the Mo Kim OO of the defendant's Confirmation of Confirmation of the Confirmation of the Confidential Material and Confidential Information?
2911 Answer: It was not received by me, but analyst Kim Kyung-hwan received it.
2912 Q: Did you stay together at the reception desk?
2913 Answer: Yes.
2914 Q: After that, did you arrest the defendant in an emergency and arrange it in the office of the Seoul Metropolitan Police Agency?
2915 Answer: Yes. We did not do it in. We went with the broadcaster and us and once in.
2916 Q: Is there any fact that the defendant raped at the time?
2917 Answer: Yes.
2918 Q: How did you get upset?
2919 A: We had an investigation with us and the cybercrime detective. Inch was in the broadcaster's office. We were not with the defendant. As you can see from the video attached, I heard that you have kicked your feet from the "Bring your chair from your boss" and you can see exactly how it got into the riot. The record is attached as a CD.
2920 Q: Who was the person who identified the situation at the time?
2921 A: I was an investigator at a broad-based investigation. The person who wrote the CD investigation report attached to the record probably would have taken it.
2922 In the analysis of the defendant's laptop computer, the e-mail address, Twitter address, and phone number of the case were listed, and the Korean ambassador said, "I will surely kill Ambassador Ripper, I will give you an anal rape. "Also, did you find a file called 's.txt' that contains the same content as the case of this case report?
2923 Answer: Yes, the intimidating text was written in English at the White House, but I found a text file containing the blackmail in Korean on the defendant's notebook.
2924 Q: The creation date and time of link files 'A0065359.lnk', 'A0065518.lnk', 'A0065541.lnk' and 'A0065621.lnk' linked to 's.txt' file are all 2014. 9. 10. 16:59, and the date and time of access were confirmed on July 7, 2014, at 14:57, 21:10, 21:19, 22:31.
2925 Answer: Yes.
2926 In addition, the defendant's notebook also includes photos of Ambassador Ripper and Kim Kyeong-jong, who have been terrorized, photos of Mr. and Mrs. Obama as monkeys, and Cheongwadae's homepage. Did you find a capture file that you uploaded?
2927 A: Yes, many photos were found. In particular, an article or photograph was found about the Kim Kyeong-jong case to threaten the Ambassador Ripper. The date and time the file was stored was reported by Kim Kyeong-jong. The defendant captured it and stored it. The date the file was last accessed, so the date it was read was almost immediately before the incident. I remember so.
2928 In addition, a small boy 'isis.jpg' file that combines shooting shot and armed robbery, a picture of a young boy shooting a prisoner with a gun, and a picture of our gallery, Did you find the 'ISIS Gallery.png' file?
2929 Answer: Yes, many photos related to ISIS have been found.
2930 Q: Did the defendant tell you that he or she synthesized the pictures and pictures of each file at the time of the police investigation?
2931
2932 Lawyer
2933 Your Honor, this part is not appropriate because we are asking the defendant's denial of the contents of the police investigation at the time of the investigation.
2934 Prosecutor
2935 Because the Criminal Procedure Law has introduced the investigator testimony system, I think it is safe to hear how I made statements at the time.
2936 Lawyer
2937 I would like to say that it is not inappropriate to listen again to the content denied.
2938 Judge
2939 Once this part is just ask.
2940 Prosecutor
2941 To the witness
2942 Q: I'll ask you again. Did the defendant state that at the time of the police investigation, he had synthesized photos and pictures of each file?
2943 A: I can not remember exactly because I did not see the suspect newspaper report now.
2944 Q: Also, did the defendant's laptop have a program called 'SuperHideIP' that allows you to change your IP once a mouse is clicked?
2945 Answer: Yes.
2946 Q: And did you find a capture file called 'IP address washing method .jpg'?
2947 Answer: Yes.
2948 Q: On the other hand, did you find that the defendant is running 10 blogs of blogspot, the Google blog?
2949 Answer: Yes.
2950 Q: In each blog, were the defendant's Citibank account number and the defendant's PayPal ID listed?
2951 Answer: Yes.
2952 Question: Did the defendant's blog reveal or condemn the complaints about Hankuk University of Foreign Studies, and the images depicting women and the bizarre situation?
2953 Answer: Yes.
2954 Q: Did the witness investigate the accused person during the investigation?
2955 Answer: Yes.
2956 Q: Did the defendant claim that he did not commit the crime at the time?
2957 Answer: Yes.
2958 Q: How did the accused describe the 'isis.png' and 'usa.png' files found on the defendant's laptop?
2959 Answer: I stated that I did not know at all.
2960 Q: What did you say about the source?
2961 Answer: I asked a few questions about the source, and I did not remember exactly because I made a different statement every time. I replied that I had captured and downloaded it from 4chan site and saved it or I did not know it at all.
2962 Q: How did the defendant describe the 's.txt' file?
2963 A: I just do not know ... I've been asking that a lot, but at first I thought it was the one I wrote, and then I did not answer at all.
2964 Q: How did the defendant tell us about the photos of the Ambassador Repertor, the photos of the Obama couple and the photos of armed robbers, etc.
2965 A: I think I talked about not knowing much about the questions I asked.
2966
2967 Lawyer
2968 In the bottom of the main newspaper, section 25, the defendant questioned that he had synthesized the photos and pictures of each file at the time of the police investigation, and that the contents of paragraphs 32 to 34 of the main newspaper were irrelevant Please indicate in the record that the complaint is filed.
2969 Lawyer
2970 To the witness
2971 Q: Is it true that I have imaged the whole of the defendant's laptop and did not seal that part?
2972 Answer: Sealed.
2973 Q: Is it true that you did not seal the imaged file but the laptop?
2974 Answer: Imaging files are not sealed.
2975 Q: I asked if I did or did not.
2976 A: How do you analyze when you seal?
2977 Q: It has precedents and regulations. Where did you store the imaged file?
2978 Answer: We took one hard disk, cloned it, and brought it.
2979 Q: Did you seal that hard disk?
2980 A: Do not ask me that.
2981 Q: It is asking what the witness remembers.
2982 A: I do not remember much. Because I did not image it.
2983 Q: You do not remember if you sealed the hard disk?
2984 A: Yes, I remember I sealed the laptop ...
2985 Q: What was the role of the witness in the investigation?
2986 A: We participated in the seizure search, investigated the suspects, and almost everything was done. I do a little bit of research to help each other.
2987 Q: Have you ever seen a document requesting cooperation in the US?
2988 A: I have never seen it.
2989 Q: When I contacted the US Embassy, I heard someone wrote a blackmail in an e-mail. Have you heard this story?
2990 Answer: No.
2991 Q: How many people were involved in the seizure and search?
2992 A: Five Cybercrime detectives, five forensic investigators. When I got there, my father told me to leave. So there were about 6 ~ 7 people in the place, but I did not know exactly and some went out.
2993 Q: Do you think six or seven people have been around?
2994 Answer: Yes.
2995 Q: The witness explained the details of the process of tracing the defendant in advance, saying, "The clue only had an IP address, but it was difficult to find by IP address alone. I checked the subscriber on Dongdaemun Tibur Road, but I could not confirm it, so I made a request to the Mac address again."
2996 Answer: You have checked your Mac to investigate with a Mac address.
2997 Q: Who identified the Mac?
2998 Answer: When IP is allocated from the carrier, IP and MAC are connected to the carrier. If you know the MAC of the IP you used for the crime at the time, you can do the investigation again with the MAC address.
2999 But that Mac did not come out correctly either. Anyway, I have a network switch, and I've finally assigned that IP ... So you have confirmed the last switch.
3000 Q: Is it confirmed that you have three sets of equipment?
3001 Answer: Yes, I have to explain the connection ...
3002 Q: When the attorney heard this, the witness first asked for the Mac address and asked the carrier to recall the Mac address.
3003 Answer: To investigate with a Mac address ...
3004 Judge
3005 I heard that I wanted to know the MAC address, but I do not know it.
3006 Witness
3007 Yes, that's why we proceeded with the investigation.
3008 Judge
3009 To the witness
3010 Q: In the end, you did not check your Mac address?
3011 Answer: I understand that you tampered with the Mac.
3012 Q: At that time, at first ...
3013 A: I can not confirm it right away.
3014 Lawyer
3015 To the witness
3016 Q: Is it about collecting digital evidence, and what experts have participated?
3017 A: The analyst Kim Kyung-hwan participated and I participated. I had to undergo a little bit of analysis. I have a license to analyze digital evidence.
3018 Q: During the seizure process, was the digital evidence analyst one of Kim Kyung Hwan's analysts?
3019 A: Yes, but I was not an official digital evidence analyst. While doing the investigation ...
3020 Q: Witnesses also have that knowledge?
3021 A: Yes, I did it.
3022 Q: So, at the time of the seizure, did two or more people have expertise in digital evidence?
3023 Answer: Yes.
3024 Q: What did the related equipment bring?
3025 Answer: I did not get a hard disk replicator and ... I think you should ask Kim Kyung-hwan, but I only took the warrant.
3026 Q: What is the process of identifying the date and time of White House intimidation during the investigation?
3027 A: Our International Cooperation Team of the National Police Agency told us that this was the case at this time ...
3028 Q: Do you not know how the team works?
3029 Answer: I do not know exactly.
3030 Q: I found a picture of a blackmail on the defendant's laptop, was it the time of the confiscation, or is it afterwards?
3031 A: I did not discover it first, but I know that Kim Kyeong-hwan or Kim Jin-kwang, one of the investigators, found it.
3032 Q: You were discovered at the time of the seizure?
3033 Answer: Yes, I just found a picture, shot it on my phone and shut down my laptop.
3034
3035 -------------------------------------------------- --------------------------------------------------
3038
3039 A: The 4chan site is USA, so we can not verify the subscribers.
3040 Q: Did not you know who posted it?
3041 Answer: Yes. But ask Kim Jin-kwang again for this question.
3042 Q: Looking at the flow of investigation, it's like ...
3043 A: I remember that there was such a situation, but I do not know exactly, so I can ask Kim Jin-kwang.
3044 Q: Who wrote the seizure?
3045 A: There must be an author of the seizure.
3046 Q: Lieutenant Kim Sang-guk, Lieutenant Cho Yong-woo is like this ...
3047 Answer: Yes.
3048 Q: Witnesses were with you at the time?
3049 A: Yes, I was with you. I can not do everything because I work in the office while doing the division of labor.
3050 Q: In the confiscation list, the confiscation of the defendant's laptop itself is listed, but the imaging file for the defendant's laptop imaging is not on the confiscation list, do you know?
3051 A: I did not know it because I did not write it. I know that I need to write a notebook imaging number 1 on the serial number.
3052 Q: Anyway, is it obvious that the laptop imaging was done at the time of the search?
3053 Answer: Yes.
3054 Q: How many hours did it take?
3055 A: You can ask Kim Kyung-hwan, a digital evidence analyst.
3056 Q: Because I have experience analyzing digital evidence, I'll ask. What does hash value mean in digital evidence collection and analysis?
3057 Answer: MD5 and SHA1 are one of the functions for proving integrity. For example, if you put this stuff into this hash function, you get some specific result. But it is not an inverse function. For example, if you put a file called A and B into a hash function, you will get a certain unique value, which means that if the unique value is the same, it is the same information. So if you turn the hash value of the hard disk in the original and get A, and you get the A by rotating the hash of the hard disk that replicated the original, you can prove that the original and replicated hard disk information is the same.
3058 Q: Do you see that digital evidence is in a specific state at the time you generate the hash value, and then do you assume the integrity and authenticity of the original until it is examined by the court?
3059 Answer: The question is ambiguous, not a specific state ...
3060 Q: I'll ask you a little bit. When I image the defendant's laptop and get the hashed value, the defendant's laptop is at that point in time, right?
3061 Answer: If you run a hash function on a file named A instead of a state, you will get a specific result. Whenever it does, the same result is produced, not the state at that point ...
3062 Q: The hash value is telling you when the first was created.
3063 Answer: Yes, that's right.
3064 Q: What is the point of creating the integrity of a file at a particular point in time?
3065 Answer: Yes.
3066 Q: After that, of course, you can come up several times, and I'll tell you when it was first created.
3067 A: I do not understand the question.
3068 Q: When I image the defendant's laptop, is the state of the defendant's laptop at that time imitated as evidence in the court?
3069 Answer: Imaged files can not be changed.
3070 Q: Is it still maintained?
3071 A: I guarantee that my police will not change until I send them to the prosecution. But after that, I do not know.
3072 Q: If you look at the notebook imaging file at the court, the file we're looking at is the same as the file at the time the witness did the imaging at the time of the seizure?
3073 Answer: Yes.
3074 Q: Is it fixed at that point?
3075 Answer: Yes.
3076 Q: So is not the hash value guaranteeing the integrity of the earlier steps we collected in the first time we collected the confidential search?
3077 Answer: Because it is the hash value at the time of imaging ...
3078 Q: From then on, to guarantee integrity, not to guarantee the integrity of the old, right?
3079 A: Yes, it does not make sense.
3080 Q: So, if someone logs out a hash after logically manipulating the computer, does not it provide information about the operation or operation before the hash value is created?
3081 Answer: Of course.
3082 Q: At the time of the seizure, was the defendant's notebook turned off?
3083 A: I do not remember exactly. That's not what I brought ...
3084 Q: I turned on the notebook and said that I saw one or the other.
3085 A: I can not remember exactly because my mother brought me something in the other room. We could not get in that room.
3086 Q: The seizure start time was around July 13, 2015, and the power of the notebook was turned on and off from July 13, 2015 to 20:47. The laptop was on for about 41 minutes. What did you do on the laptop at this time?
3087 A: At that time, I did not work, and I would probably have been working on finding analysts and files.
3088 Q: Did you write protection at that time?
3089 A: I did not do it then.
3090 Q: In the process of looking at the defendant's laptop, did he / she guarantee the right of the defendant or the defendant's parents to participate?
3091 Answer: It was said.
3092 Q: Who did you ask to see?
3093 Answer: I do not know that, I talk to you again ...
3094 Q: Did you talk to the defendant?
3095 A: Yes, I keep coming and going now ...
3096 Q: Have you ever taken a video of a defendant's laptop or imaging process?
3097 A: It might have been done by a broadcaster, but I do not know exactly. Oh, I tried to shoot it, but I can not, so why do I just shoot my house?
3098 Q: Who has not let me?
3099 A: I do not know if they were parents or defendants who were there, but I strongly resisted them and I would have taken our picture there. If you look at the mobile phone, there might be some videos that we took pictures of. And then he just threw something at us and made it a bit harder. In the case of Kim Kyung-Hwan, the analyst would have been hit.
3100 Q: When I said that I needed an original copy of VMware for the reason why I confiscated the defendant's laptop, would not it be necessary to have a laptop if the program that runs VMware is on another PC?
3101 Answer: No. Depending on the version, it may not work.
3102 Q: Can I check the version in the imaging file?
3103 A: It was not a situation where you could do it on the spot, and if you wanted to drive it ...
3104 Q: It is technically possible to ask. Is it possible to have a program that can run VMware on another PC even if it is not a defendant's laptop?
3105 Answer: It is possible but not 100% guaranteed. So there were many cases where we were not able to drive properly.
3106
3107 Judge
3108 To the witness
3109 Q: Is it common to have the notebook itself confiscated after imaging files?
3110 A: If we are confiscated, we will do all the confiscation.
3111 Q: Do you confiscate the imaging files as well as the notebook itself if you are in confiscation?
3112 A: Yes, because it is a laptop used for crime.
3113
3114 Lawyer
3115 To the witness
3116 Q: Did you say the witness took the seizure search warrant?
3117 Answer: We took it from our team.
3118 Q: Have you read it?
3119 Answer: Yes.
3120 Q: If you look at it, it is stated that "the original that has been taken out will be opened and reproduced with the participation of the intruder, etc. and returned without any delay, but not exceeding 10 days from the original date of export unless there are special circumstances" Why did not you return it?
3121 Answer: Computers have a very important time relationship in the evidence of digital evidence analysis. At that time, we analyzed the digital evidence analysis of the seized material to confirm the creation and access times.
3122 Last but not least, you can change your laptop's CMOS (cmos) time accordingly. There is an error depending on the time of the CMOS.
3123 So what if my laptop is at 1 o'clock, but the current time is 1: 5?
3124 We need to check the error in time. We need a laptop to check the error. We can return it before we send it to the last time. We asked our attorney and computer to turn on and check only the error with the defendant. Probably will be in the investigation report.
3125 So the prosecution has to check it out, it can not be sealed.
3126 So I know that the prosecution has confirmed the exact time information after taking a video of the whole process of releasing and releasing it. So it's been over a week.
3127 Q: What did the witness know to return?
3128 Answer: Yes.
3129 Q: But you did not return, right?
3130 Answer: Yes.
3131 Q: White House Contact us Write on the web page and select "Thank you!" Was there a picture on the defendant's notebook that captured the screen to write the previous post?
3132 A: I do not understand.
3133 Q: I have a screen that I'm writing before submitting. When I submit it, I get a screen saying 'Thank you!'. Can not these two screens exist at the same time?
3134 Answer: Yes.
3135 Q: Do you have a picture of the screen after the last submission of the statement "Thank you!" On the defendant's notebook?
3136 Answer: Yes.
3137 Q: Then you should have a screenshot of the scene you're writing in. Have you seen it?
3138 Answer: isis.png and usa.png are being written and Thank you! Screen and combine ...
3139 Q: It's a composite, is not it?
3140 Answer: Yes. Perhaps you have not found what you are writing. It did not exist because it was edited and made into a png file. Maybe, if you can explain it.
3141 Q: You said that five files were found on the defendant's laptop using Google Chrome, remember?
3142 Answer: Yes.
3143 Q: In the first post, I do not have a caption of an isis.png file that says I will rape my daughter, do you know why?
3144 A: That's probably what you see in the investigation report, but if you capture and delete it and then change the filename or the file does not exist, or if you capture it using the Google Chrome browser's incognito mode, There are many technical ways that you can and can not keep up with many things.
3145 Q: But what about the file 'Thank you!', What happened?
3146 A: I can not tell you that because I have nothing to do with the evidence, it's because I want to leave it and I want to keep it.
3147 Q: Is that technically possible?
3148 Answer: Yes.
3149 Q: You did not find any traces of access to the White House on the defendant's laptop?
3150 Answer: I did not find it at all.
3151 Q: By the way, 'Thank you!' I have found that I captured the part, how should I explain it?
3152 A: If you use the Google Chrome browser's incognito mode, the Internet connection itself will not be saved as a file at all. It will only be saved as a cache, but it will not be saved as soon as you close the web browser. I will.
3153 Q: As the witness has just testified, it would be nice to have no screenshot of 'Thank you!' ,
3154 A: That means you do not have a record of your Internet connection and you can leave a capture file.
3155 Q: After the capture file, the number is actually a Unix number, so you can log in to Google Chrome to get information on when you captured it, but the witness does not have an article written right now and it probably does not capture it in Google Incognito mode. You just did. That's why I do not ask you to leave the "Thank you!" Section in incognito mode.
3156 A: Internet access records and captions are completely different.
3157 Q: Why do not you leave a screenshot called "Thank you!" In response to an incognito answer saying that you may not have a captured file.
3158 Answer: The defendant remains on the defendant's computer because he has captured and saved it.
3159 Q: So it is possible that you have to do it in the same conditions that you captured before that ...
3160 Answer: If you do not want to leave, you can not leave.
3161 Q: Then you can find the erased trail? Now that I've imaged the defendant's laptop, I'm not just looking at it, have I removed the deleted file?
3162 Answer: When I go into incognito mode, I have worked and can not restore it. Why did Google create incognito mode? I have tested it myself.
3163
3164 Judge
3165 To the witness
3166 Q: Did you know whether the defendant used incognito mode?
3167 Answer: It can not be confirmed. Google has made the feature available to you when you're trying to do it in secret, and of course you can not tell whether or not you used it.
3168
3169 Lawyer
3170 To the witness
3171 Q: When I go into incognito mode, I do not think the capture screen should be saved.
3172 Answer: No. Saved is that the internet connection is stored in the index.dat and various computer hard disks, and the connection record is not stored. In the case of the captured file, it is possible to store it anywhere in the desired location, The captured files are completely separate.
3173 Q: Did the witness confirm the blog posts that the defendant usually wrote?
3174 Answer: Yes.
3175 Q: Have you seen any criticism of Kim Kyeong-jong about the case of Repert's ambassador in the defendant's blog post?
3176 A: I do not remember everything right now. I only remember what I said before.
3177 Q: I do not remember?
3178 Answer: Yes.
3179 Q: I had an emergency arrest of the defendant at the time, but was there any reason for the emergency arrest?
3180 A: Because I did not do it, I would look at the reasons for the arrest.
3181 Q: I do not have a reason for an emergency arrest, so what do you ask?
3182 A: Why is not the reason written? You have to write down your reasons for getting an emergency arrest proposal.
3183 (Suggesting an investigation record, page 455)
3184 Q: The reason for the arrest has been listed all the time. Please write down the details according to the reason for the emergency arrest. That's it. do not have.
3185 A: I did not write it, but at the metro ... Oh, that's what you said about the notice.
3186 In the notice, we wrote the reason for the emergency arrest for the approval from the prosecutor's office without writing the reason, and is not the suspect notified to the suspect when the emergency arrest occurs?
3187 Because it is putting in notice, it is because it is because it is very simple to summarize the fact of crime.
3188 That is not what I wrote. Do not ask me.
3189 Q: Who wrote it?
3190 Answer: There will be a writer.
3191
3192 Judge
3193 Is there an emergency arrest warrant?
3194 Witness
3195 Yes.
3196
3197 Lawyer
3198 To the witness
3199 Q: Is there a reason listed there? Not on record ...
3200 Answer: Yes, detailed.
3201 Prosecutor
3202 An Emergency Arrest Form with detailed description of the reason is available.
3203
3204 Lawyer
3205 To the witness
3206 Q: The witness did not write the confiscation list?
3207 A: Yes, I did not write it.
3208 Q: Do you know who wrote it?
3209 A: Then several people are working on it ...
3210 Q: What are the threats and screen capture files that the defendant claims to have downloaded and that the witness or investigating agency believes that the defendant has written and captured it?
3211 Answer: Yes.
3212 Q: If I download a screened file and save it on the defendant's laptop, is it possible that it exists in the same format as the one captured by the defendant's laptop as the witness verified?
3213 A: There are two ways. Probably Kim Jin-kwang will test it and have an investigation report because of 4chan.
3214 If you click on the original file to download it, it will be downloaded. Otherwise, if you click on the original file, the image file will pop up and you can download it with right mouse click.
3215 That is another report from our investigation. I did not test it ...
3216 Q: Is there a file name that might be the same as the one you captured?
3217 A: I do not understand. Again only a description ...
3218 Q: If I downloaded the defendant's laptop, I just analyzed the file name just like the one I captured on the defendant's laptop, can it exist with the same file name?
3219 A: You should be in the record. Ask Kim Jin-kwang because I have not tested it.
3220 Q: Do you not know the witness?
3221 Answer: We have tested and simulated in the investigation report.
3222 Q: The time order is the time the defendant posted on the White House, the time they saved on the laptop after the screen capture, and the time they posted on the site 4chan.org?
3223 A: If it is so in the investigation report, it will. Because I can not remember correctly now, I made a table, and I look at it.
3224
3225 Lawyer
3226 I will present evidence. I present one or two of the fifth certificate.
3227 Judge
3228 What is the source?
3229 Lawyer
3230 This is what the defendant's brother searched on Google after he had been arrested after the incident.
3231 If you look at the same thing on Google ... you know, but you searched on Google.
3232 Here you see 'dear. Mr.president Obama, Mrs.first lady Mishelle ', and the time it was found that this article was written is posted on 4chan site on July 7, 2015, 07:24:52.
3233 Prosecutor
3234 How can I confirm that this is the same as this article?
3235
3236 Lawyer
3237 To witnesses
3238 Q: If you see below, 'Hi I'm sufs student from Seoul' because some part of the post is behind it?
3239 It seems that the article is the same, but the time zone is quite different now.
3240 The time is 07:24:52 AM. Now, the time to write the article is July 7, 20:20.
3241 By the way, the time posted on 4chan site is July 7, 2015, 07:24:52.
3242 A: In our investigation report, we have captured the exact time on 4chan site.
3243 That's precise, because it's from a Google search, so you can not tell exactly what time it was on Google or 4chan.
3244 Q: If you saved it from Google, is it any time sooner than we know it?
3245 Answer: There is no guarantee for low-time information.
3246 Q: Witnesses have never seen this?
3247 Answer: Yes. There is not. And whether it is US storage time, domestic storage time ...
3248 Q: For the second article, it looks like it was written on July 7, 2015. Did you know that the 4chan site time that the witness checked was stored in domestic time when posting in Korea?
3249 A: Ask Kim Jin-kwang, the investigator.
3250 Q: Do you not know the witness?
3251 Answer: We have posted the post on 4chan site and we have the current time and the test time. That's exactly what we tested. If you look at it, you can check whether the 4chan site has domestic time or US time.
3252 Q: Have you ever checked your time zone separately?
3253 A: Yes, I have not done it, so I can not tell you exactly.
3254 Q: Did you say that the defendant used a program called SuperHideIP, an IP change program?
3255 A: It's not a confirmation, it's a program that was installed. It was discovered.
3256 Q: Are there any facts that have been analyzed that the last approach was made on June 6, 2015, before the date on which the blackmail was written?
3257 Answer: The file was found, the date the file was first saved, and the date the file was last accessed.
3258 Q: I analyzed it as the last access on June 6, 2015. Is it possible to interpret the IP as having no change since then?
3259 A: It may or may not have been because there are too many technical methods, which I do not know exactly.
3260 Q: Because the witness did not see whether the defendant wrote the program or not, but after all, did you look at the defendant's laptop? Is there a similar program in the program that changes the IP found this one?
3261 A: You can not see the whole thing. When we analyze ...
3262 Q: Do you have to search and search? So, what was the one that was discovered in connection with the IP change program?
3263 Answer: Yes.
3264 Q: Did you investigate the router?
3265 A: I heard there was a router, but I did not investigate.
3266 Question: Do you think that the defendant's notebook imaging file was the first image of the notebook file, or was it replicated again?
3267 A: Because I did not analyze it ...
3268 Q: What did you do to replicate that day?
3269 A: Did we bring the clone?
3270 Q: Who took it?
3271 A: The analyst Kim Kyung Hwan should have brought it.
3272
3273 -------------------------------------------------- --------------------------------------------------
3274
3275 It seems that the time has changed to Korean time in the process of being seated.
3276 Answer: The analysis report is the final one, and we have to investigate a little bit before we start the analysis.
3277 So I took the printout, put it in the investigation report, and made a note when I checked it out. How do you investigate having a fully written report?
3278 Q: The decisive reason for suspicion that the defendant wrote the blackmail was that the capture file that was left on the defendant's notebook was created about a minute after it was posted on the White House?
3279 ANSWER: When I was threatened, however, I wrote two blackmails on the White House website in English, which was in the S.txt file written in Hangul and the summer @ hufs You said you stole your .ac.kr email and phone number? Maybe that phone number and address were in the s.txt file and ...
3280 Q: Witness, I tried to ask this, not many charges. Was it one of the decisive proofs that the creation time of the capture file was one minute after the article was published?
3281 Answer: There were many things.
3282 Q: What is the difference between the time the article was posted in the White House and the time the capture file was stored on the defendant's laptop,
3283 A: It's not an analysis, but an objective fact ...
3284 Q: How did you know when the post was posted on the White House?
3285 A: You asked us that, but we have only received data from the international team.
3286 Q: I think the one-minute difference will be a very important basis, right?
3287 Answer: Yes.
3288 Q: Then I ask you in terms of whether the investigation should be done enough about time.
3289 I have to be specific from the time it is posted on the White House, but the time posted on the White House is probably the time that the person administering the White House homepage gave me, and that time could be time lag in the end?
3290 A: When we told it, we were GMT + 9? The United States has several times, including Eastern Time.
3291 I'm not exactly sure if we are Eastern Standard Time for letting us know what the error is, but it probably will.
3292 It calculates the time and the error, and when domestic time is converted into Korea Standard Time, it is time to calculate the exact time and the IP connected to the time is Dongdaemun Cable TV ...
3293 Q: I do not ask for the calculation method. For example, if this computer now has 16:00 on the front of the laptop, is there any error in that?
3294 I'm looking at it. There may be an error in the time given by the White House, and there may be an error in the time when the witness etc.
3295 So I'm asking how the time difference can be determined to be one minute.
3296 Answer: Because we are made by objective data, we have confirmed that we know the time we have stored on our computers and the time we have been threatened.
3297 Q: Do you know that there is a program that can change the date of creation of saved files?
3298 Answer: Yes.
3299 Q: I have a couple of things, but can I use a program like SetFileDate to change the creation date of a saved file?
3300 Answer: Yes.
3301 Q: Is it possible that the defendant 's notebook has changed so much?
3302 Answer: Not all computers, as well as the defendant's laptop, are capable of such manipulation. However, when you analyze the MFT, the information about the time is stored in various ways. If you analyze the MFT's standard information and file name information and find that the information is different, you can check whether the time has been manipulated or not, and whether the file name has been changed.
3303 Q: Did you check it at the time?
3304 A: I did not check at the time.
3305 Q: When the MAC address of the router is changed, is the dynamic IP connected to it also changed?
3306 A: It may or may not appeal, but it is the policy of the telecommunications company.
3307 Q: Did the witness verify the MAC address corresponding to the IP address associated with this case during the investigation?
3308 Answer: Yes.
3309 Q: Is it a witness?
3310 A: I would have done it together.
3311 Q: What was the result?
3312 A: I put it in the comments, but the contents of the mac are too complicated, so I think I should look at the written statement. I do not remember exactly now.
3313 Q: Have you found any signs of changing the MAC address of the router on the defendant's laptop?
3314 A: The digital evidence analyst found it.
3315 Q: Is the witness unaware of this part?
3316 Answer: I heard that there is a trace of change that I am not familiar with.
3317 Q: Does the analyst in the role of analyst only do the analysis, or did he conduct additional investigations besides analysis?
3318 Answer: I just did analysis.
3319 Q: According to the results of the analysis, was the witness doing any further investigations?
3320 Answer: What is the additional investigation?
3321 Q: For example, if you find a trace of a change in your mac address, I would ask you if you needed to check the defendant's router, did not you?
3322 Answer: The MAC address is the manufacturer of the first six digits, and the manufacturer assigns the last six digits of the MAC address. We have probably seen a counter-report of the defendant's comment on the mac address, but if the manufacturer makes a random change to it I can not do the investigation anymore.
3323 Your lawyer tells you that if the mac has been changed, and if you have not done any further investigations about it, there is no clue that you can investigate anymore if mac has changed that way.
3324 Q: I asked if I needed to check the defendant's router.
3325 A: When we did the transcription, the digital evidence analysis was at the end, and I have to hand over the suspect's recruits to the prosecution office tomorrow. What do you do?
3326 Q: Did you mean you could not do it on time?
3327 Answer: Yes.
3328 Q: There was a trace of changing the MAC address on the defendant's laptop, and there was analysis that released the log record at the time of the crime, remember?
3329 A: I told you I did not do it.
3330 Q: Do you know this by Kim Kyung Hwan?
3331 Answer: Yes.
3332 Question: According to the statement of witness submitted by the witness in relation to the mac address, there are several mac addresses that are not confirmed by the manufacturer. If the maker changes to an unconfirmed mac address, Go?
3333 Answer: I do not know the carrier policy, so I can not answer exactly, I know it is not.
3334 Q: Do you know that if you change to an unconfirmed mac address depending on your carrier policy, Internet access may be restricted?
3335 ANSWER: Yes, there is a case where the switch is allowed to access the internet when only a certain MAC address is connected, which is called NAC. If you do not set this policy, you are allowed to connect from the internet regardless of the MAC address. This is the carrier policy. There are two technologies on the switch that can or may not be blocked.
3336 Q: I know that if you change your router or MAC address arbitrarily, you may be restricted from accessing the Internet. Do you know? For example, have you ever heard of such cases in Windows 7 or Windows 8?
3337 Answer: Not at all. However, if you change the mac address, there is no problem with internet access.
3338 Q: Is there any problem with the computer?
3339 A: Yes, it takes less than a minute and you can do it right away.
3340 Judge
3341 To witnesses
3342 Q: I have a question about the defendant's question. "I wrote on the White House Contact us webpage, and I found 'Thank you!' In response to the question "Did the defendant have a picture of the screen capturing the screen before writing the screen?", The witness said, "No one was writing, because it was edited and made into a png file." I have an answer, please tell me about it again.
3343 A: The screen you are composing and the screen where you have completed the 'Thank you! 1' screen was synthesized as a png file, but the screen you were composing was not saved and only the pictures that were composited were correct . But it's technically possible to synthesize it.
3344 Q: Please explain how technically possible.
3345 Answer: Take a picture of A with a capture tool such as Paint or Snap-in, capture a picture of B, put B under A, select the file again and save the file as a different file.
3346 I will explain it again. When you capture the screen you are creating with the Google Chrome browser, you will see the url address and the time next to it.
3347 Then, when you save it to the defendant's computer in that state, click the right mouse button and save it under the same name.
3348 Then, when you capture the screen 'Thank you!', You will see the url address and time information at the top and 'Thank you!'.
3349 And if you save it under a different name, it will be saved on the defendant's computer.
3350 However, technically you can right click on the 'Thank you!' Screen and save it to your computer. You can take the first screen without saving it, and then use the Paint or other capture tool If you save this file as usa.png or isis.png, you will not be able to save the first image you created, and the second image will be saved You can save only the final result at the end.
3351 Q: I was wondering if it was possible technically, but you answered with the idea that it is possible?
3352 Answer: Yes.
3353
3354 Prosecutor
3355 To witnesses
3356 Q: I heard that the screen of the writing on the defendant's notebook is not found, but the relevant screen is not found, and the capture file of the process of posting on the White House site is found.
3357 A: Yes, it does not matter, but I do not know exactly what happened before in June, but before that I had a copy of the White House story that I was capturing and capturing.
3358 If you are writing a webpage, you will see a wave in Internet Explorer, Google Chrome, Safari, and spelling. If you're writing on the White House website, Due to the law of alignment, a tilde appears at the bottom of the English alphabet.
3359 If you look at it, you can see that it is a screen that you are writing. I captured it and kept other articles, but I do not remember it correctly. I think it was related to black slaves at that time.
3360 Q: In regards to the reporter ambassador threatening text, did you also find a separate screen capture of only the result screen "Thank you!"?
3361 Answer: Yes.
3362 Q: I heard that the defendant posted the file on 4chan earlier than the defendant posted at the White House. Did you confirm this in the police investigation?
3363 Answer: Yes.
3364 Q: Did you find that a capture file with the same contents as the intimidation of this case was posted on 4chan site at the time?
3365 Answer: Yes.
3366 Q: The capture files found at 4chan site at that time were posted earlier than the date of creation of the crime-related capture file found on the defendant's computer.
3367 A: I do not remember exactly.
3368 Q: By default, when you use the internet through an ISP like Dongdaemun Tibur Road, is the IP assigned by the carrier?
3369 Answer: Yes.
3370 Q: How many IPs can be changed by turning the computer off and on, or changing the Mac address randomly?
3371 Answer: Yes.
3372 Q: In the case of Dongdaemun Tiburdo IP, which is used in this case, I do not want the IP to be assigned to a specific user for a certain period of time and use only that IP, but then the IP will be changed.
3373 Answer: Yes.
3374 Q: I do not know whether SuperHideIP was used, but how can I change IP even if SuperHideIP is not used?
3375 Answer: Yes.
3376 Q: Did you find a program on the defendant's computer to change the file's creation date?
3377 Answer: None at all.
3378 Q: Is it possible that the defendant changed the creation date of the capture file stored on his computer to the date and time of the crime of this case by confirming the time of the crime?
3379 A: If you are a suspect, do not you need to change? I do not need to change the time on my computer, even if I change the IP to conceal it. I can not be certain who I am. So even if you try to hide your IP, you do not need to change the file on your computer.
3380
3381 Lawyer
3382 To witnesses
3383 Q: The second file 'Thank you!' I found that only the part of the captured file was found, the second threatening 'Thank you!' How do you know if it's a part?
3384 Answer: Maybe in time ...
3385 Q: Is it specific in time?
3386 Answer: Yes.
3387 Q: You do not know what you wrote?
3388 A: Yes, I do not know what it is, but what I am writing ...
3389 Q: Thank you! Even after writing a different article, it can exist at the same time.
3390 Answer: That's possible.
3391 Q: And have you ever seen the "Rules for the Collection and Handling of Digital Evidence", which is a Witness Ordinance?
3392 A: I think I've seen it.
3393 Q: Here are the details of the procedures for seizure search and the request for analysis, and I will ask if I have kept the procedure.
3394 I did not refuse to shoot the seizure process, and I have to take measures such as the identity of the digital evidence, such as the storage seal, and the proper method of not having a reasonable suspicion of integrity.
3395 Answer: We sealed the notebook.
3396 Q: I have to ask Kim Kyung Hwan. You said you did not know if you sealed the hard disk you were imaging before?
3397 I asked the analyst to analyze the digital seizure. According to the analysis result report, the analyst was a witness.
3398 A: Because I'm the same team, I could do it, or someone next to me could do it.
3399 Q: Do you think you made an analysis request on July 13, 2015?
3400 A: I did not go to the scene from the beginning. I do not even ask for it.
3401 Q: Is not there a formal request for a separate request?
3402 A: Yes, I went to the scene together.
3403 Q: When the analysis request is made, the analyst has to send the original or duplicate of the digital seizure in a container that can be safely stored so as not to be damaged by shock, magnetic field, moisture and dust.
3404 Answer: It is because I confiscated analytical data from other crime scenes and submitted it to the Digital Evidence Analysis Office of the Cyber Crime Investigation Department of Seoul Metropolitan City, so I have to do such a thing in the course of the process. At that time, this is not what we do, because the digital analyst in the field is doing it.
3405 Q: Is it the right thing to take in such a container?
3406 Answer: Ask your digital evidence analyst.
3407 Q: Do you not know the witness?
3408 Answer: Yes.
3409
3410 Judge
3411 To witnesses
3412 Q: In the end, I think it is the intent that the witness is handed over to the digital witness analyst on the spot, right?
3413 Answer: Yes.
3414
3415 Judge
3416 I will finish the witness examination of the witness Nam Sang Wook.
3417
3418 Witness examination record (part of the eighth trial)
3419 Event 2015 Torture 4685 Threatening
3420 Name Kim Jin-kwang
3421 Date of birth December 5, 1976
3422 Housing 305, Hyundai Apartment 1-dong, Cheongryangri, Dongdaemun-gu, Seoul
3423
3424 Judge
3425 If a witness asks whether he or she falls under Article 148 or Article 149 of the Criminal Procedure Act and acknowledges that he / she does not fall under this clause and explains that he / she can refuse to testify if he / After warning the punishment, he stood as a separate line and made him swear. The next witnesses did not finance it.
3426 The contents of the examination of the witness are the same as the recording file of the court recording system (original number 160321162216).
3427 March 21, 2016.
3428 Hwang,
3429 The judge (doctor)
3430
3431 A statement on the testimony veto notice
3432 1. A witness may, if he / she has any of the following reasons, deny his / her testimony to the presiding judge by calling for reasons for refusal.
3433 a. If a person who has a relative or relative with a witness or a witness, a legal representative, or a supervisor is found to be subject to a criminal prosecution or a complaint or convicted (Criminal Procedure Act, Article 148)
3434 b. If a witness is in such position or in such position as a lawyer, a patent attorney, a notary public, a CPA, a tax accountant, a taxpayer, a doctor, a doctor, a dentist, a dentist, a pharmacist, a midwife, a midwife, a nurse, (The Criminal Procedure Act, Article 149)
3435 2. In addition, a witness may refuse to testify if he or she finds that there is a reason similar to that of paragraph 1 for an individual or specific question after the oath.
3436 3. If a witness does not expressly deny the testimony or give false testimony to a question that has the right to veto testimony, he / she shall be held liable for perjury please.
3437 Witness Kim Jin-kwang (sign) or signature (handwritten signature)
3438
3439 Oath
3440 According to the conscience,
3441 In fact,
3442 If there is a lie
3443 To be punished for perjury
3444 I swear.
3445 Witness Kim Jin-kwang (sign) or signature (handwritten signature)
3446
3447
3448
3449 Recording book (main point)
3450 Case No. 2015 High 4685 Date 2016. 3. 21. 14:00 Remarks (None) Please submit a transcript prepared in accordance with the provisions of Article 38, Paragraph 1 of the Criminal Procedure Rules.
3451 1. Attachment: Witness examination recording of Kim Jin-kwang (total face: 19 pages) 1 copy
3452 March 21, 2016.
3453 Stamped stamping machine (seal) (painted)
3454
3455 ※ This transcript was written in a way that summarizes only the main parts of the statement.
3456 ※ Parties and witnesses may object to the matters described in this transcript. When an objection is raised, a court clerk or other person must indicate the intent of the objection in this transcript or in a separate document or correct the relevant part of this transcript.
3457
3458 Judge
3459 Witness Kim Jin-kwang's witness examination procedure recognizes the necessity of recording and instructs him to record all of them in accordance with the provisions of the relevant Criminal Procedure Law. The contents of the witness examination are all recorded, so please be sure to tell the microphone when speaking.
3460 Notice of testimony veto. The witness's testimony may refuse to testify about the confidentiality of someone else who has a relationship with you or a prospective witness, or about the confidentiality of someone else whom the witness has known about the job. After the oath, for the same reason, you can refuse to testify about individual questions. After the oath, you must state the truth and if you lie, you can be punished for perjury. Please swear.
3461
3462 Witness
3463 According to the oath and conscience, I speak truthfully without any concealment and assistance, and if there is a lie I swear to be punished for perjury. Witness Kim Jin-kwang.
3464
3465 Prosecutor
3466 To witnesses
3467 (Present evidence page 45 of the evidence list Sequence No. 5)
3468 Q: Is it true that this was an essay by a witness, entitled 'Check for additional posts on 4plebs.org'?
3469 Answer: Yes.
3470 Q: Please explain briefly what it is.
3471 Answer: When I searched Google about the e-mail that the defendant wrote to a foreign language university, 4plebs.org was searched and the site related to 4chan.org was confirmed to be backed up. That's why there are some contacts and e-mails that a defendant wrote to a foreign language university.
3472 Q: Is 4plebs.org the right site?
3473 Answer: Yes.
3474 Q: Is this site the backup site of 4chan.org site?
3475 Answer: Yes.
3476 Q: Is it the intention of attaching the information that comes from searching for the contents of the intimidating article?
3477 Answer: Yes.
3478 Question: On page 48 of the attached documents, did you identify the captures and captions of rape intimidation articles for the first Obama daughter in this intimidating article?
3479 Answer: Yes.
3480 Q: Is it true that you have your own ID number, and the post number is '47628036' on July 7, 20:24:52.
3481 Answer: Yes.
3482 Q: Do you see the Korean flag on the side, and can you think that this post was saved at this time in Korea time?
3483 Answer: Yes.
3484 Q: In the top of the investigation record, on the top of page 49, there is a post called 'Korea isis1', which is similar to this, Is it the right thing to find?
3485 Answer: Yes.
3486 Q: Here is the date posted on July 8, 2015, 02:31:29, post number '47640986', and next to the Korean national flag pattern, this is also the date this post was posted on the site Is it possible to look at it from July 8, 2015 to 02:31:29?
3487 Answer: Yes.
3488 (Provision of Record No. 7, Investigation Record # 71 on the Evidence List)
3489 Q: Is it true that a witness wrote a report titled 'Crime Facts and Hankuk University of Foreign Studies'.
3490 Answer: Yes.
3491 Q: Please explain briefly what it is.
3492 Answer: At the time of the defendant 's writing, there was the phrase' 4ourth, 4inger ', which is the result of searching on that specific phrase on Google search and bing search sites. And when the defendant searched the contacts and e-mails that he wrote to a foreign language university backwards, there were writings that slandered Hankuk University of Foreign Studies,
3493 Q: Is this the intent to attach the result of the search using POS Finger's phrase in the intimidating article?
3494 Answer: Yes.
3495 (Present evidence page 79 on page 8 of the evidence list)
3496 Q: Is it true that the witness wrote the following questionnaire titled 'Confirmation of Hankuk University of Foreign Studies' on WordPress site?
3497 Answer: Yes.
3498 Q: Please explain the contents of this investigation report.
3499 A: There is a site called WordPress, which is managed by Hankuk University of Foreign Studies, and there were articles written against Hankuk University of Foreign Studies. Then there had been a written article, and I actually visited Hankuk University of Foreign Studies, entered the admin page and confirmed the contents of these posts; the materials collected as evidence are attached, and that this article 'ended the scam business' is as written in the report.
3500 Q: When there is here described as "the White House post was written, IP and South Korea is shown to be the same as watching the suspects created by the IP range used to price match Hankuk University of Foreign blame," what is this IP confirming?
3501 A: When I visited Hankuk University of Foreign Studies, I went to the administrator site with my cooperation. So I wrote an investigation report about that part.
3502 (Exhibit # 196 of the Record of Evidence No. 11 in the Evidence List)
3503 Q: Is it true that the witness wrote a report titled 'Confirming additional reporting to the White House'?
3504 Answer: Yes.
3505 Q: Please explain this briefly.
3506 A: The 4plebs.org site is the backup site of 4chan.org, and if it goes past the backup site, everything will be deleted. When the defendant published the article, I decided that I could post more than one post, and I checked every post related to the foreign language university. I did not check it by any search words but checked it by eye. I confirmed it by clicking on the site one by one. I also confirmed the post on May 5, 2015, and confirmed the post on June 25, There is more to the point of denouncing a foreign language university, and it is attached to it.
3507 Q: Are postings attached to the contents of the post at the time?
3508 Answer: Yes.
3509 (Exhibit # 251 of Investigation Record No. 14 in Evidence List)
3510 Q: Is it true that the witness wrote a report titled 'About posts posted on 4chan and 4chan backup sites'?
3511 Answer: Yes. I wrote it.
3512 Q: I found that the file usa.png was on the 4plebs.org site, the backup site of 4chan.org, and the attached screen captures the internet page that I confirmed at that time.
3513 Answer: Yes.
3514 Q: Isis.png Is there any indication that the file was retrieved from 4chan.org but it was not found?
3515 Answer: Yes.
3516 Q: Finally, did you put together the contents found on 4chan.org site and 4chan.org site backup site?
3517 Answer: Yes.
3518 Q: In this case, the time for the rape of Obama's daughter on the White House site was posted on July 7, 2015 at 20:20, the post was deleted on 4chan.org site, and the backup site of 4chan.org site Did you confirm that the same content was posted on July 7, 2015 at 20:24?
3519 Answer: Yes.
3520 Q: Regarding the threat of terrorist attack on US Ambassador to the Republic of Korea, the time it took to go to the White House on July 8, 2015 was confirmed to be posted on 4chan.org on July 8, 2015 Does the backup site on 4chan.org also confirm that the same time was saved on July 8, 2015?
3521 Answer: Yes.
3522 Q: Are you confirming everything yourself?
3523 Answer: Yes, I have.
3524 (Present evidence page 263 of the evidence list Sequence No. 16)
3525 Question: Isis.png, usa.png About file analysis, isis.png title is isis.png?
3526 Answer: Yes.
3527 Q: Is it true that the above investigation report was written by a witness?
3528 A: Yes, this is the part where I downloaded the direct download from 4chan.org site and checked the image and these parts.
3529 Q: Please explain in detail.
3530 Answer: There are picture files named isis.png and usa.png in the 4chan.org site post. You can check the update date or specific values of the file by downloading the files. You can check the unique value of the image you uploaded. In order to compare the values with others, we then use the flash hash value to determine the MD5 for the file, and the flash hash program to check for any unique value.
3531 Q: If you click the isis.png file posted on 4chan.org site and save it as an image, the file name will be automatically saved as a random number, and you can download it by clicking the download button. , It says that the isis.png file has been downloaded, is that correct?
3532 Answer: Yes.
3533 Q: I tried to calculate the hash value of this file and it says the image is the same as the original one.
3534 Answer: The file itself differs in how to download it, but if you check MD5 for a unique hash value for the file, isis.png or 1436268292526.png tells you that the file is received differently, The name is the same, but it means the same.
3535 Q: Did you download the usa.png file from 4chan.org site?
3536 Answer: Yes.
3537 Q: In the same way, we can see that there are two ways of downloading, and in that case, the hash values calculated using MD5 function are found to be the same?
3538 Answer: Yes.
3539 (Present evidence page 176, Investigation Record, page 266)
3540 Q: Is it true that the witness wrote a report titled "About Nouveau dossier folders identified on suspect laptops"?
3541 Answer: Yes.
3542 Q: Please explain what it is.
3543 A: In the New Folder, images related to terrorism related to Kim Kyeong-jong or Ripert were stored.
3544 Q: Here is a description of 'I do not see the Internet history, but the images of the suspects have created folders and saved them.'
3545 Answer: When you create a file, when you automatically surf or surf the Internet, some files are stored on your computer in the form of numeric random numbers or complex cryptosystem ... numbers, So, I did not surf the internet and checked something. Instead, I saved my file and saved it under a certain name.
3546 Q: If I check again, is it correct that the user is checking the file that saved the image, not the cache file which is saved automatically during the internet surfing process?
3547 Answer: Yes.
3548 Q: When I look at the contents of the next page, 'Folder creation date and time, images, etc. are created and collected on June 3, 2015. If you check the last access date and time, What is it?
3549 Answer: Yes.
3550 (Suggesting the record number 35 of the No. 20 book)
3551 Q: Is it true that the witness wrote the following investigation report entitled "About Identification of Additional Evidence Related to Terrorism"?
3552 Answer: Yes.
3553 Q: Please explain what it is.
3554 Answer: There was a file named s.txt on the notebook, and a text file similar to the one raping the Obama daughter was stored under the file.
3555 Q: After the investigation, is it appropriate to print out the characteristics of the file and the original text of the file?
3556 Answer: Yes, this part is the same with the digital analyst Kim Kyung-hwan.
3557 (Proof # 408 of Record No. 25-1 of Evidence List)
3558 Q: Is it true that the witness wrote the investigation report titled 'About 4chan site publication time'?
3559 Answer: Yes.
3560 Q: Please explain this.
3561 A: Because 4chan is not a Korean site, I think that the way the posted post is shown will not be seen in Korea at first. If you think that it is different from the post posted by the suspect, Since I have posted all the articles, 4chan site has service to all the countries in the world, so it is shown as a part that shows the time to turn off according to the country. So if you connect in Korea, you will show your time in Korea, This is a rhetorical report showing that.
3562 Q: Did you test it by yourself?
3563 Answer: Yes.
3564 (Proof No. 463 of Record No. 27 of the Evidence List)
3565 Q: Is it a witness's report on the title of '4chan's time on the site?
3566 Answer: Yes.
3567 Q: Is it the same as the investigation report you just saw?
3568 Answer: Yes.
3569 Q: Is it true that the articles or photographs posted on internet sites such as blogs, which are stored in the investigation reports created by the witnesses, and the information or materials found on the defendant's notebooks are captured or output as they were originally attached?
3570 Answer: Yes.
3571 (Proof No. 22-1, Investigation Record, Section 393 of Evidence List)
3572 Q: Is it true that you have seen this document?
3573 A: I have seen this while working together.
3574 Q: Do you know from whom you received this papers from?
3575 A: I know it from the White House, through the Cooperatives.
3576 Q: Do not know the details?
3577 Answer: Yes.
3578 Q: Is the witness a police officer?
3579 Answer: Yes.
3580 Q: What is your position and rank?
3581 A: It is Kim Jin-kwang, a member of Cyber Safety Bureau, Seoul Metropolitan Police Agency.
3582 Q: Is the witness involved in the investigation?
3583 Answer: Yes.
3584 Q: What role did the witness play in the investigation?
3585 A: At that time, we were on duty. I was trying to find out if there was the same post as the one posted by the defendant because I was on duty and I should have started the case immediately after receiving the case.
3586 Q: In a little more detail, did you participate at the time of the seizure?
3587 A: Yes, I also participated in the seizure search and I had to check a lot of posts first to get a warrant, and I had a lot of focus on that part, and when I was in the seizure search site, when I did not have a laptop or something like this. So, there are some parts that we have fielded with other investigators to secure evidence.
3588 Q: What role did you play in the seized search site?
3589 Answer: First, I thought it was important to find a laptop. The defendant posted a blog on the blog. So I made a lot of efforts to secure the laptop, and I asked the analyst to analyze the computer or something.
3590 Q: Was there a picture of your laptop on the defendant's blog?
3591 A: Yes, so I tried hard to find a laptop.
3592 Q: Do you remember how you found your laptop?
3593 Answer: Yes, when I first entered, the defendant was lying in bed, and when I tried to go into the room with a search warrant, I could not go in for about 30 minutes because the defendant's parents never entered. So, first of all, I went into the room alone and told me that I had to check my laptop, so I told her that I could not go in there, so she asked me for a laptop, so the defendant's mother brought her laptop from the defendant's room. So I received a laptop and sent it to Kim Kyung-Hwan, and asked him to check if there was an image, and Kim Kyung-Hwan analyzed it because he had an image.
3594 Q: Did you shoot the situation at the time of the seizure?
3595 A: Yes, I have done video recording.
3596 Q: In the case of Lieutenant General Nam Sang-wook, he tried to shoot and testified that the defendant's family members were not able to shoot against him.
3597 A: Not all of them were shot, but there were some parts that I had to shoot.
3598 Q: Did the defendant's family prevent him from filming?
3599 Answer: Yes.
3600 Q: Was the defendant lying in bed throughout the search process?
3601 Answer: Yes.
3602 Q: Did you search the defendant's laptop to find the relevant evidence?
3603 Answer: Yes.
3604 Q: Isis.png, usa.png, s.txt file?
3605 Answer: Yes.
3606 Q: After confirming it at that time, did the defendant find out where these files came from?
3607 A: I told him to look, but I kept seeing him and he lay there.
3608 Q: Did the defendant analyze the room?
3609 Answer: No. I analyzed it in the next room study, and the defendant's mother attended to confirm the contents.
3610 Q: At that time, I received the Confirmation of Confirmation of the Confirmation of the Confiscated Water, Confirmation of the Confirmation of the Confirmation of the Confiscated Water Information, etc. Who received it?
3611 Answer: Kim Kyung-hwan was given by the analyst.
3612 Q: In addition to what the witness has so far testified, is there any fact that I have verified during the investigation of this case?
3613 A: I do not remember well because the incident is long.
3614
3615 Lawyer
3616 To witnesses
3617 Q: Has the commencement of the investigation been initiated by the US Embassy?
3618 A: We know that the incident has come down to us.
3619 Q: Have you ever seen an 'urgent cooperation request' from the US Embassy?
3620 Answer: Yes.
3621 Q: Do you know that the Koreans in the Buddhist e-mail sent a blackmail message saying that they sent a warning email to President Obama on terrorism against Ambassador Ripper?
3622 Answer: As far as I know, I posted on the White House site.
3623 Q: I know so, and it's been investigated, but it says that I sent it by e-mail to the initial cooperation letter.
3624 A: Is not it supposed to be sent by email?
3625 Q: Does the witness know anything about this?
3626 Answer: Yes.
3627 Q: There are some documents attached to the investigation report written by witnesses, some of which have been downloaded from the Internet. Where did the data from the defendant's notebook come from?
3628 Answer: Most of the Internet postings are written by me, and the parts of the investigation report are written by Kim, Kyung-Hwan, because they can not share the system because the team is different. So I made this same data with me, so I checked it out. I wrote this investigation report together with Kim Kyung Hwan, and I printed it out.
3629 Q: Does the analyst Kim have output?
3630 Answer: Yes.
3631
3632 judge
3633 To witnesses
3634 Q: I said I wrote an Internet post, but I misstated it?
3635 Answer: First of all, 4chan or something like this is what I did after capturing separately, and the parts from the defendant's notebook were written by me because Kim Kyung-hwan's analyst could not write the investigation report.
3636
3637 Lawyer
3638 To witnesses
3639 (Presenting an investigation report, page 263)
3640 Q: I have downloaded the witness from 4chan site and changed it to another file. The first isis.png file is downloaded on July 7, 2015 at 3:23:30 pm What does this time mean?
3641 Answer:
3642 Q: I do not seem to remember well, but we will answer the question. The time at the White House was written on July 7, 2015, 20:20 and the file isis.png on the defendant's laptop is 20:21, remember?
3643 Answer: Yes.
3644 Q: I have two hours to show evidence that there is evidence so far, so I know what it is. I am talking about the 3:23:30, the 24 hour hour, the 15:23? Please explain what this time means. You do not know because you wrote it?
3645 A: I did not focus on the time when writing, but instead of backing up the original files on my desktop computer, I created a folder called "Terrorist" and had an original under it, There is a method and a download button called isis.png below it.
3646 I clicked on that button and downloaded it in two ways, but the important thing is that the investigation report was written to specify that 'MD5 is the same, if MD5 is the same, this file is the same' I saved the file to my computer and compared it with it, and I do not remember the date exactly.
3647 Q: Is not it time you saved your witness computer?
3648 A: Yes, it is not.
3649 Q: Now, three files have the same MD5, but the same thing means that the first file is the same file?
3650 Answer: Yes.
3651 (Presenting an investigation report on page 264 of the investigation record)
3652 Q: How long does it take for usa.png to be downloaded on July 8, 2015 at 2:28:52?
3653 A: I do not remember the details, but it seems to be the investigation report about the part where the original file on the defendant's laptop was referred by the pumice team and compared with the file.
3654 Q: What is the meaning of time now that you do not know exactly?
3655 A: I guess it's probably the time on the defendant's laptop, but where did the source of usa.png come from? So I do not know exactly what the file was from when the usa.png was uploaded.
3656 (Suggesting an investigation record, page 334)
3657 Q: Here is the 'Photovoltaic vs. Work File, Text File' on July 12, 2015 at 4:53:58 PM ...
3658 Answer: This is the data that the analysis of Kim Kyung Hwan analyzed.
3659 Q: Is the witness unaware of this time?
3660 A: Well, I've seen it together, but analyst Kim Kyun-hwan will know better.
3661 Q: Does the witness mean that you do not know about this?
3662 Answer: Yes.
3663 Q: Witnesses also participated at the time of the seizure, did you see the process of imaging the defendant's laptop?
3664 Answer: Yes.
3665 Q: Where was the witness at that time?
3666 A: I was in the same room and went to the room where the defendant was lying.
3667 Q: Before imaging on a laptop, I turned on my laptop and searched for related files first. Who did it?
3668 Answer: Kim Kyung Hwan was the analyst.
3669 Q: In the process of looking at the defendant's laptop, did the defendant or defendant guarantee the right to participate in the parents?
3670 Answer: Yes.
3671 Q: Who did?
3672 A: There were several investigators.
3673 Q: Did you participate?
3674 Answer: The defendant did not participate, and the defendant's mother said that she participated, so she did the imaging in front of the defendant's mother.
3675 Q: How many hours did the imaging work take?
3676 A: I do not remember exactly, but it seems to take about two hours.
3677 Q: Did you film the process of examining or imaging the defendant's laptop?
3678 A: I think I just took a picture when I first went in.
3679 Q: Did you take videos or pictures about the process of imaging?
3680 A: I think I did not.
3681 Q: It is related to the witness who wrote the investigation report. If there is a screen-captured file and you download the file from 4chan and save it, the two will clearly distinguish between the captured and downloaded files from the defendant's notebook. Can you do it?
3682 Answer: Although the name of the file can be changed because the computer is clearly distinguished, the root cause of the screen capture is a program called full page screen capture on the defendant's computer. When you capture using this program, the file name is created uniquely. Because there is a name and a date and it is hard for ordinary people to write it, so if there is such a thing, it should be said that it was programmed ...
3683 Q: Even if you download the same thing, you are asking if you are following it.
3684 Answer: If the filename remains the same, if you receive usa.png when you download it, then usa.png follows, and the url where the full-page screen was originally printed does not appear.
3685 Q: usa.png but not url ...
3686 Answer: If you have url, you can get it as it is.
3687 Q: If you download it in that state, is not it well separated?
3688 Answer: Yes.
3689 Q: And can you download and rename it?
3690 Answer: Yes.
3691 Q: If I remove the value of zone.identifier attached to the downloaded file, will it be impossible to check whether it is a downloaded file or not?
3692 A: I do not know.
3693 (Presenting the first and second Google search screens of the certificate No. 5)
3694 Q: I searched on Google that the first blackmail related article was stored on 4chan site. This is what I came up with in search of the text, which is exactly the same as the number you saw. It is the first blackmail article that I have been suspected to have written by the defendant. There is a time called July 7, 07. 07:24:52, and the time of the first blackmail was written on July 7, 20:20, right? The time to upload to 4chan is much faster, do you have any idea about this?
3695 A: I do not know because it is not confirmed.
3696 Q: This is what the witness made when he wrote the investigation report. If you posted in Korea, you would be posting Korean time on 4chan site? So the time I posted on the 4chan site was later than the time of the file on the laptop because the defendant wrote it. But now the time I searched on Google is much faster than the time I posted on the case. That's why I ask.
3697 A: I do not know exactly what I am talking about. But first of all, this is Google. I do not know how to write url in 4chan, and the way it's written in Google would be wrong, because I did not see it.
3698 Q: Does the witness have any experience in analyzing digital evidence?
3699 A: I joined Cyber Special, basically there is no digital analysis and I have listened to education or lecture.
3700 Q: Is not there a career?
3701 A: I have to go to work because I needed to do it, but I did not get a license or anything like that, and I had a lot of training related to database and hacking.
3702 Q: You have been trained in the National Police Agency?
3703 A: I have a police station and I'm in a database.
3704 Q: Was the witness involved in the investigation that changed the defendant's MAC address?
3705 A: I joined the investigation together but I do not remember exactly. The story seems to have done a lot.
3706 Q: Have you been involved in the investigation that led you to receive a Mac address that matched the IP address that you sent the search warrant to Tibur Road?
3707 A: It was not me.
3708 Q: I have an analysis that says that the defendant's laptop analysis results have been released so that the logs stored in the router are not released in the adjacent time zone of the time when they wrote the article. Do you know this part?
3709 A: That part is written by Kim Kyung-Hwan.
3710 Q: Does the witness know this part well?
3711 Answer: Yes.
3712
3713 judge
3714 To witnesses
3715 Q: Is it true that the witness's statement is unclear, and that he was working at a private database company in relation to his career in analyzing digital evidence, and then joined Cybercrime as a specialist?
3716 A: Sometimes the process of coming to the police comes to the general public, and if you have more than a few years of social work, you may be able to get a special bond. The part I majored in is the database, and I've come across a lot of hacks and stuff like that.
3717 Q: I have an editorial story ...
3718 Answer: It is the part of the license.
3719 Q: Did you major in the database, joined the police as a specialist, and then took the training related to hacking, and did you not only learn about the digital analysis related to the work, but also the training?
3720 Answer: Yes.
3721
3722 judge
3723 I will finish the witness newspaper for Kim Jin-kwang.
3724
3725
3726 Witness newspaper report (part of the eighth trial)
3727 Event 2015 Torture 4685 Threatening
3728 Name Kim Kyung Hwan
3729 Date of Birth February 5, 1976
3730 Housing Seoul, Gangseo-gu, Woohyeon-ro 67, 109, 402 (Hwagok-dong, Kangseo Hill State)
3731
3732 judge
3733 If a witness asks whether he or she falls under Article 148 or Article 149 of the Criminal Procedure Act and acknowledges that he / she does not fall under this clause and explains that he / she can refuse to testify if he / After warning the punishment, he stood as a separate line and made him swear. The next witnesses did not finance it.
3734 The contents of the newspaper about the witness are the same as the recording file of the court recording system (the original number 160321171323).
3735 March 21, 2016.
3736 Hwang,
3737 The judge (doctor)
3738
3739 A statement on the testimony veto notice
3740 1. A witness may, if he / she has any of the following reasons, deny his / her testimony to the presiding judge by calling for reasons for refusal.
3741 end. If a person who has a relative or relative with a witness or a witness, a legal representative, or a supervisor is found to be subject to a criminal prosecution or a complaint or convicted (Criminal Procedure Act, Article 148)
3742 I. If a witness is in such position or in such position as a lawyer, a patent attorney, a notary public, a CPA, a tax accountant, a taxpayer, a doctor, a doctor, a dentist, a dentist, a pharmacist, a midwife, a midwife, a nurse, (The Criminal Procedure Act, Article 149)
3743 2. In addition, a witness may refuse to testify if he or she finds that there is a reason similar to that of paragraph 1 of an individual or specific newspaper after the oath.
3744 3. If a witness does not expressly deny the testimony or give false testimony to a newspaper article that has the right to veto testimony, he / she shall be held liable for perjury please.
3745 Witness Kim, Kyung-hwan (signature) or signature (signature)
3746
3747 Oath
3748 According to the conscience,
3749 In fact,
3750 If there is a lie
3751 To be punished for perjury
3752 I am a wanderer.
3753 Witness Kim, Kyung-hwan (signature) or signature (signature)
3754
3755
3756 Recording book (main point)
3757 Case Number 2015 High 4685 Date 2016. 3. 21. 14:00 Remarks (None)
3758 I submit a transcript prepared in accordance with the provisions of Article 38, Paragraph 1 of the Criminal Procedure Rules.
3759 1. Attachment: A copy of the witness newspaper on the witness Kim Kyung-hwan (total face: 24 pages) 1 copy
3760 March 21, 2016.
3761 Stamped stamping machine (seal) (painted)
3762
3763 ※ This transcript was written in a way that summarizes only the main parts of the statement.
3764 ※ Parties and witnesses may object to the matters described in this transcript. When an objection is raised, a court clerk or other person must indicate the intent of the objection in this transcript or in a separate document or correct the relevant part of this transcript.
3765
3766 judge
3767 Witness Kim Kyung-hwan's witness newspaper procedure recognizes the necessity of recording and instructs him to record all of them in accordance with the provisions of the relevant Criminal Procedure Law. The contents of the witness newspaper are all recorded, so please be sure to tell the microphone when speaking.
3768 Notice of testimony veto. Because of witness testimony, the witness may deny his / her testimony about the confidentiality of someone else who has a business relationship with the witness because he / she is concerned about his / her criminal penalties. After witnesses have sworn in, they can also refuse to testify for the same reason in individual newspapers. After the oath, you must state the truth, and if you lie, you will be punished for perjury. Please swear.
3769
3770 witness
3771 According to the oath and conscience, I speak truthfully without any concealment and assistance, and if there is a lie I swear to be punished for perjury. Witness Kim Kyung Hwan.
3772
3773 inspection
3774 To witnesses
3775 (Proof No. 68, page 69 of the evidence list No. 33, No. 1)
3776 Q: Is it true that the results of this digital evidence analysis were true of the witness's experience?
3777 Answer: Yes.
3778 (Proof No. 73-2 of Investigation Record # 33-2)
3779 Q: The CD is attached with the title of 'Digital Evidence Analysis Result'. The digital evidence analysis result stored on this CD contains the defendant's notebook image file and the main data or information found in the analysis of the incident. Is that right?
3780 Answer: Yes.
3781 Q: Witness is the Digital Evidence Analyst at the Seoul Metropolitan Police Department Cyber Crime Investigation Division?
3782 A: Yes, I am currently working at Cyber Crime Lab. We shared with the Evidence Analysis team earlier this year and worked in the Digital Evidence Analysis team until last year, and this year we are in charge of Detectives who are out of cyberspace.
3783 Q: What was the work of the witness during the investigation?
3784 A: As a digital analyst, I was collecting and analyzing evidence on digital evidence from the incident at the police investigation room under the Seoul Metropolitan Police Agency.
3785 Q: Did the witness participate in the seizure of this case?
3786 Answer: Yes.
3787 Q: Have you participated in the whole process of seizure search?
3788 A: Yes, that scene from that date.
3789 Q: Did you participate from the beginning to the end?
3790 Answer: Yes.
3791 Q: Tell the defendant's notebook the discovery and imaging process as the witness has experienced.
3792 A: I do not find it. I remember it was discovered by Kim Jin-kwang. And the defendant was in the room and there was a room in front of him where the defendant's father seemed to write, and while I was searching the room for an all-in-one PC used by the defendant's father, he found a laptop and searched and analyzed the laptop.
3793 Q: When I first got the defendant's laptop, was the laptop on or off?
3794 Answer: I remember it was turned off because it was folded.
3795 Q: After turning the power on and searching, we found evidence related to the incident, shut it down, and imaged it immediately?
3796 Answer: Yes.
3797 Q: Did you take the seizure process or imaging process at the time?
3798 A: I did not take the shoot, and I remember that the staff of the WTC and our cybercrime staff shot it together.
3799 Q: Did you take all the steps?
3800 Answer: Yes. I remember that two or more cameras were spinning.
3801 Q: Ms. Sang-wook said that she had stopped at the time while she was filming the opposite of the defendants' families. Is that right?
3802 Answer: Yes, that's right. I remember that there was an argument.
3803 Q: Do you remember which course of filming was discontinued?
3804 Answer: I can not remember correctly.
3805 Q: After I image the defendant's laptop hard disk, who do I get such as integrity verification or hash verification?
3806 Answer: I got it from the defendant's mother.
3807 Q: Did the witness directly receive it?
3808 Answer: Yes, I got a confirmation from my defendant mother that I wrote the hash value by hand.
3809 Question: Did the witness claim that the defendant confiscated a hard disk on the lenovo B490 laptop computer, seized five hard disks, and analyzed one replica of SanDisk USB memory?
3810 Answer: Yes.
3811 Q: Was the time of the defendant's laptop computer in Paris, France?
3812 Answer: Yes.
3813 Q: So, when the crime of this case is on, July 7, 2015, was the daylight saving time set to be 7 hours earlier than Korea's standard time?
3814 Answer: Yes.
3815 Q: When Witnesses used EnCase, a digital forensic program, to analyze the defendant's laptop computer, did you set it to display in Korean Standard Time?
3816 Answer: Yes.
3817 Question: Isis.png and usa.png files found on the defendant's laptop computer hard disk?
3818 Answer: Yes.
3819 Q: Isis.png file creation date and time is July 7, 20:21:12, the last revised date is July 20, 2015. 7. 7. 20:23:30, and the creation date of usa.png file is 2015. 7 8. Was it confirmed at 02:27:07 and the last revised city date was July 8, 2015 at 02:28:51?
3820 Answer: It is correct in the analysis report.
3821 Q: I found isis.png.lnk and usa.png.lnk linked to the above isis.png and usa.png files.
3822 Answer: Yes.
3823 Q: When and how are these link files created and stored?
3824 Answer: Generally, when you open a file on a Windows system, a link file called a shortcut file is created.
3825 Q: If you analyze the meta information of this link file, ie file attribute information, what kind of information can you check?
3826 Answer: Once you open the lnk file, you will see the name of the file you opened. When you open it, the computer name, volume name, and hardware MAC address will be saved.
3827 Question: Did you check the hard disk volume name, serial number, computer name, MAC address of each link file mentioned above and the information of the defendant's laptop computer?
3828 Answer: Yes, it has been confirmed.
3829 Q: Isis.png and usa.png files are exactly the same date and time, but link files with different file names were found on the defendant's notebook.
3830 Answer: Yes, I remember that part of the file name is different, but the original date and time of creation of the analysis is the result of analyzing the file name when I changed the source file ... So, if the file name is changed, the creation date and time will not change. It has been confirmed that the creation date and time of the original file remain in the link file.
3831 Q: Is it possible to interpret the link file as a file name that is created when the original isis.png or usa.png file is created, but the original file has a different file name?
3832 A: Yes, I interpreted it that way.
3833 Q: In addition to the isis.png and usa.png files, there are many screens on the White House site, as well as a screen capture of the post completion screen, found on the defendant's laptop computer?
3834 Answer: Yes.
3835 In addition, the email address Twitter address, phone number, 'HUFSRO 4ourth 4inger' in this case is listed, and the 'Embassy of the US Embassy will surely kill Ambassador Ripper' I will give you an anal rape. "And there was a s.txt file with the same contents as the case of this incident.
3836 Answer: Yes.
3837 Q: Are the link files A0065359.lnk, A0065518.lnk, A0065541.lnk, and A0065621.lnk found in the s.txt file found?
3838 Answer: Yes.
3839 Q: How are these link files created and where are they stored?
3840 Answer: The link files that are randomly numbered starting with A are the volumes used by the system called system volume information. At first, when I explained the time when the volume was used, I tried using it in Windows 7 As you know, there is a feature called Restore Computer. I have a feature called restoring the computer that will take a snapshot, so Windows 7 will automatically back up. So, at that time, I automatically backed up the list of files or files in a certain period of time, and the backup location is the system volume information folder, and a folder is created under each backed up day. A link file pointing to txt has been found.
3841 Q: The operating system of the defendant's laptop is XP. Does XP have the same function?
3842 Answer: Yes.
3843 Q: What events are required to generate these link files?
3844 Answer: The system automatically backs up the function. If you do not specifically make a backup, I know that the backup is basically based on the operating system settings.
3845 Q: The date of creation of each link file just mentioned is 2014. 9. 10. 16:59, and the final access date and time is July 7, 14:57, 21:10, 21:10 , 22:31?
3846 Answer: Yes, as you can see in the report.
3847 Q: Have you found any more link files that link to s.txt other than the four link files?
3848 Answer: Yes, at that time, the link file pointing to the s.txt file was analyzed to be it.
3849 Q: Can I see the date and time of the last access to the s.txt file on July 7, 2015?
3850 Answer: At the end of the last one, what if the link file was on July 7, 2015, 22:31, then you can interpret the s.txt file as the last time you opened it.
3851 Q: On the other hand, when the defendant analyzed the Internet access rate of laptop computers, did you check the records of accessing through Internet Explorer, Chrome, Mozilla and Opera web browser?
3852 Q: Did you also find a record of 'Michelle obama' on Google search site via Internet Explorer?
3853 Answer: Yes.
3854 Q: Is the record of accessing the Internet Router Management page verified on July 7, 2015, and July 8, 2015 at the time of the crime of this case?
3855 Answer: Yes.
3856 Q: Did you check the details of the settings such as setting the router to not record the log in the time zone adjacent to the crime of this case?
3857 A: I do not know what the intent was, but I've confirmed that I changed the settings.
3858 Q: How do I change my router settings?
3859 A: Router management is to connect the IP address and router IP of the network to the web browser, and the management page will appear. You can go to the management page and change the general setting value of the network or the MAC address or the MAC address.
3860 Q: So I usually access the administration page through the web browser, so I have a record of my internet connection history?
3861 Answer: Yes.
3862 Q: Is there a way to keep the record of the connection?
3863 A: There are a variety of ways you can stay away. Nowadays, web browsers like Explorer and Chrome have features like incognito, which keeps browsing history from being left, so I know that if you use it, your records will not be checked.
3864 Q: Is there an incite comb in the case of explorer, and an incognito mode in case of Google Chrome, and if there is such a mode, there will be no connection record at all?
3865 A: Yes, I did not have any results.
3866 Q: Has the defendant's laptop been able to change the MAC address of the Internet router 9 times between June 8, 2015 and June 3, 2015?
3867 Answer: Yes, Mac address changes have been verified through Internet history.
3868
3869 Lawyer
3870 To witnesses
3871 Q: In the confiscation search site, did you direct the witness to image the defendant's laptop?
3872 Answer: Yes.
3873 Q: How did you save the imaged file and how did you take it?
3874 Answer: We made a copy on the hard disk we brought with Falcon, and cloned the image through the Falcon by attaching the original hard disk to the original.
3875 Q: How did you make a copy of your hard disk? Did not you seal that part separately?
3876 Answer: Yes, it does not have to be sealed.
3877 Q: Is it true that the regulations of the National Police Agency, such as the "Regulations on the Collection and Processing of Digital Evidence", require the seal to be sealed. Is it not necessary to seal?
3878 Answer: The storage medium is intended to be sealed, but the duplicate image is not explicitly marked as sealed.
3879 Q: How do you keep the duplicate image and keep it?
3880 A: Since the image is the result of integrity, it is necessary to have an integrity hash value for the image file and the image file.
3881 Q: In the case law, I have a sealing process as one of the methods of ensuring the integrity of the image file, and I am shooting the process.
3882 Answer: I shot it.
3883 Q: I do not ask opinions from witnesses. We will later ...
3884 A: I think you denied what I did, but I do not know that.
3885 Question: Is the witness bringing the file itself to the National Police Agency?
3886 A: I was in the car and I was in the car.
3887 Q: Have you received an analysis request separately?
3888 Answer: I understand that I have received an analysis request form.
3889 Q: From whom?
3890 A: Because it is computerized, I do not receive it directly.
3891 Q: Have you taken it in a container that can be safely stored so that it will not be damaged by impact, magnetic fields, moisture or dust when you take it?
3892 Answer: Yes, that's right.
3893 Q: What equipment did you bring at the time of the seizure?
3894 Answer: Replicate Falcons and their accessories, laptops, EnCase for analyzing the scene, hard disk for copying the original, and then the police office which extracts the file list for simple use. There is a program called CIP which I developed.
3895 (Suggesting an investigation record, page 334)
3896 Q: I think you've seen it in the process of writing the statement, but the text file in the Photovoltaic vs. Work file. July 12, 2015 04:53:58 What is the meaning of this time I will ask you about this?
3897 Answer: I work with a program called UltraEdit. When I print it there, I know that it shows the attributes related to creating or modifying the file.
3898 Q: I think it is written in the opinion letter that the file will be automatically released based on the last access date. Does that mean?
3899 Answer: As stated.
3900 (Suggesting an investigation record, page 665)
3901 Q: I have the same photovoltaic versus work file and this is on July 21, 2015 at 07:06 pm?
3902 Answer: Yes.
3903 Q: Under that, the Modified time and the Accessed time are from July 7, 2015 to July 7, 2015. What does the witness say now and what does it mean, different?
3904 A: Of course, the structure is different.
3905 Q: What is the reason?
3906 Answer: This is the information in the file, and the one above it shows the computer time when you did the work.
3907 Q: Does July 12, 2015 tell the time of the computer that the witness worked on?
3908 Answer: Yes.
3909 Q: Witness, is that certain? Were you working on July 12, 2015?
3910 A: I did not work at that time, but I printed what was missing.
3911 Q: What does it mean to be missing then?
3912 A: I guess I did not do it at the time.
3913 Q: Witnesses, do you know how many days a search has been made? It was on July 13, 2015. But what does it mean to say that we have removed all of our records the day before the seizure?
3914 Answer: What?
3915 Q: The file was on July 12th, right?
3916 Answer: Where?
3917 (Suggesting an investigation record, page 334)
3918 Q: Is not it July 12, 2015?
3919 Answer: At the time of the last revision.
3920 Q: What does it mean?
3921 Answer: You just got what you got there and printed it from your analysis computer.
3922 Q: So, is it a time stamped by the police?
3923 Answer: I have to see exactly how s.txt comes out, but I was too busy to see the case record. The output is the output of UltraEdit on my analysis computer. The opinions remain intact.
3924 Q: Does it mean that the output was on July 12, 2015?
3925 Answer: No. This is not what I printed on July 12, but the attribute of that file named s.txt is recorded.
3926 Q: I have shown the properties of the file before July 7, 2015. There is a part of the file, please describe it.
3927 Answer: It was changed because I put the save separately.
3928 (Suggesting an investigation record, page 665)
3929 Q: What does that mean? It looks like here on July 21, 2015. What does this mean?
3930 A: That's '.txt'. There is no file called '.txt' on the notebook. When I change '.lnk' to '.txt', that file is not a file on the defendant's notebook, but a reporting screen that is displayed as EnCase. I pulled it out and I made it into a text file.
3931 Q: So this is not a file on the defendant's laptop, is it a separate file created by the witness?
3932 Answer: It is a file created by EnCase, which is not a file but implies its contents.
3933 Q: So is the date you worked on July 21, 2015?
3934 Answer: Yes. I created a file called Text.
3935
3936 Judge
3937 To witnesses
3938 (Suggesting an investigation record, page 334)
3939 Q: The seizure was on July 13, 2015, and the date and time of the seizure on July 12, 2015, before the seizure, is written in the s.txt file. Please summarize and explain once again what this time and date means.
3940 A: There is a date attribute called s.txt which is the creation date of the file, the last modified date, or the last access date. The last modified date is displayed there, followed by the "A number.txt" Since I can not subtract it, the attribute of the original file is not displayed. Therefore, I use EnCase tool to display the properties of the original file managed by EnCase. I copied it completely and made it randomly on my analysis computer as a text file. To show the screen, to show the letter, on that date.
3941
3942 Lawyer
3943 To witnesses
3944 Q: Do you remember who wrote the seizure?
3945 Answer: If my letter is correct ...
3946 Q: The writer is not a witness, did you see that he made the list of seizures that day?
3947 Answer: Yes.
3948 Q: In the list of seizures, the file on the defendant's laptop is in the list, do you know?
3949 A: I do not remember, but I do not remember seeing exactly what the output is because I can not connect to the system called kicks.
3950 Q: The seizure of the seizure is written by Lieutenant Kim Sang-Kuk and Joo Yoo-Woo, but since the witness has imaged it, he / she will ask for it because the witness confirmed it when he made the seizure list.
3951 A: Is not the confiscation list written in the office?
3952 Q: Before that, did you use the handwriting on your confiscation list?
3953 A: It's not a confiscation list, it's an electronic information confirmation.
3954 (Presenting the confiscation record, page 398)
3955 Q: On the confiscation list, it says that the imaging files were confiscated in 2, 3, 4, 5, but the imaging file is not listed on the 1st notebook. Of course, the witness did not write it, but the writer Kim Sang-Kuk proved his confession to the mother of the defendant and wrote it by hand. There is also no imaging file here, but below is the imaging file. The imaging file is not listed here either. Do you know about this?
3956 Answer: I do not know.
3957 Q: Did the witness check these documents at the time?
3958 Answer: I have no reason to be involved in the proof of confiscation or the record.
3959 Q: At the time of the seizure search, did the lieutenant Kim Sang Kook confirm or get confirmed by the witness when he wrote such a document?
3960 Answer: There was.
3961 Q: Did the witness go through the process of verifying this document?
3962 Answer: Whether or not it should be written by my confirmation ...
3963 Q: Witness, please tell me the facts you remember.
3964 A: Are you asking exactly the month?
3965 Q: At the time of the seizure, did the witness check this document and say, 'This is a confiscation list'?
3966 Answer: I have a memorable memory of the results.
3967 Q: Do you mean that you confirmed this list because you confirmed the output?
3968 Answer: As you remember, I did not think it was the end of the seizure at that time, and I think the process of seizure is ongoing ...
Q: Are you telling me when to write this list?
A: Yes, so for the final confiscated object, I have to hand over the file to the investigative team through my analysis.
Q: How long did it take to image that day?
Answer: It takes about an hour and a half to two hours per hard disk, so I know that 3 o'clock that day ended at 4 o'clock.
Q: Is it finished on July 14, 2015?
Answer: Yes.
3969 -------------------------------------------------- -------------------------------------------------- -------------------------------------------------- --------------------------------------------------
3970
3971 It is not exactly what I remember coming and going back and forth when I found it. So I told you to keep coming, not to go out.
3972 Q: Witness is now working as an analyst on digital evidence. What is your career history?
3973 Answer: I received the police assignment on April 4, 2009, and I have been working in the cybercrime to date. I also analyzed the digital evidence. I worked for two years from 2014 to 2015 as a whole.
3974 Q: Is there a separate education or a degree?
3975 A: Yes, I have a master's degree in Information and Communications.
3976 Q: Is there anything else that was trained in the police department?
3977 A: I have been trained about once a year, once a year for about a month, trained as a hacking professional investigator at the Police Investigation Training Center, then at the Seoul Metropolitan Police Department as a network investigation last year I have lectured about 600 people.
3978 Q: I have two intrusive articles, but I do not have a capture file to write the first one. Isis.png I am writing a text file from the last one, and the screen that says 'Thank you!' I see it as one file, do you remember it?
3979 Answer: I do not know.
3980 Q: If there is only one file, but the defendant actually wrote it, then there are two files that should be present. There are only files that are combined with the part that says. Please explain if it is technically possible.
3981 A: I can not remember the result of this, honestly. I remember that 'Thank you!' Was just a single file.
3982 Q: There is that one, and then the evidence found on the defendant's notebook isis.png, usa.png file that wrote the entire article, remember?
3983 Answer: Yes.
3984 Q: It was a single file that was synthesized up to 'Thank you!'
3985 A: Was there 'Thank you!' Below?
3986 Q: Yes, there is a 'Thank you!' Below, and there is a writing on top of it, so please explain why the file that captures the writing should be separately existed.
3987 A: I do not know why.
3988 Q: Have you confirmed that you have captured using Chrome Full Page Capture?
3989 Answer: Yes.
3990 Q: Do you know that if you capture a full page, it will be saved automatically on your laptop and that the save file will be created, or you will have to save it with a different name or press Save but save it?
3991 A: I do not know why I have not used it. What I put in my analysis report is that I did not know exactly when the capture was done that the filename was created that way, whether it was dropped when the user saved it, or whether the file was temporary before it was saved.
3992 Q: According to the analysis of the witness, the defendant's internet router MAC address has been changed, remember?
3993 Answer: Yes.
3994 Q: And at the end of the crime at the time of the log records are stored in the analysis that you have released, do you remember?
3995 Answer: If you are in the report, you are right.
3996 Q: After that, I do not think that the investigation related to the router is going to be carried out. Do you usually not investigate the router? For example, if you change the MAC address of the router, you should have done an additional investigation. How do you normally investigate?
3997 A: At the time, I was not handled by a mobile investigator, so I do not know if I did an investigation into the router.
3998 Q: There were two IPs in which the blackmail was written, and the IP address was confirmed. If there is a corresponding IP that has committed the crime at the specified time of the crime, then the MAC address that matches the existing IP can be confirmed through the carrier?
3999 Answer: At that time, I knew that on the Tibur Road it had not been confirmed well.
4000 Q: I once went through the process of confiscating the MAC address for the existence of a MAC address on the Tibudoad. Do you know about that?
4001 Answer: I do not know about that.
4002 Q: I asked Tibor to have a Mac address that matched the IP address as stated, but it was not certain that the defendant did. If so, if you check the router in the defendant's home, is it possible to change the MAC address or not?
4003 A: I do not know if it should be confirmed.
4004 Q: Is it possible, technically possible or not?
4005 Answer: Yes.
4006 Q: Anyway, the witness does not know that he has further investigated the router.
4007 A: I do not know that. I did not receive a router analysis request.
4008 Q: Was the imaging file analyzed by the witness first imaging the laptop at the defendant's home?
4009 Answer: Yes.
4010 Q: Did the witness analyze it and replicate the imaging file again?
4011 Answer: Yes.
4012 Q: What about the storage device of the analyzed imaging file?
4013 A: Then I took two hard disks, one was the investigation team, the other was my team, so I remember what I included in my team ... I do not remember which team the notebook was on, but anyway, I used to send it to the investigative team, so I told them to copy it, final.
4014 Q: Did you replicate what you had on the witness team to the investigation team?
4015 A: I did not replicate it, I gave it a hard disk.
4016 Q: If you look at the reports you have asked for analysis, there are 5 or 6 imaging files. It looks like it was copied to a hard disk and commissioned for analysis. Is this correct?
4017 A: I do not know that. As I said, I came in two ...
4018 Q: When I witnessed it, did I put it on one hard disk?
4019 Answer: No. There are two.
4020 Q: Then you have one on your laptop ...
4021 A: So I do not remember how it was stored on my laptop.
4022 Q: And the original of the image was passed back to the investigation team?
4023 Answer: Yes.
4024 Q: Do not you know who you turned over?
4025 A: Yes, I do not know.
4026 Q: I think the analysis is finished on July 23, 2015.
4027 A: I do not know. Because the report is urgent, you should have given it as a file first.
4028 Q: And did the witness print out the evidence from the imaging file and provide it to the investigators in the middle of the analysis?
4029 Answer: Yes.
4030 Q: Do you usually do that?
4031 Answer: Yes.
4032 Q: Do you mean that even before the analysis report comes out?
4033 Answer: Yes, what I convey is in the analysis report.
4034 (Suggesting Investigation Record # 722)
4035 Q: What is the page in the analysis report that the witness made?
4036 Answer: Yes.
4037 Q: It is related to the router here, it says 'Disable logging setting'. What is the source of this screen?
4038 A: You probably have a file called Time Pro, which you run on the analysis computer.
4039 Q: Is it not a screen printed on the notebook of the witness, or a screen printed on the defendant's notebook?
4040 A: You have a time pro and a text file. But there is an HTML file that opens up there. The text file was stored on the defendant's laptop, and since I only need to convert the extension after the text file to open it in the web browser, it seems that I have been converted to HTML to increase visibility.
4041 Q: Is this screen now on the witness's computer in the process of analyzing the witness?
4042 A: Yes, I will. It's my Chrome browser environment.
4043 (Suggesting Investigation Record # 736)
4044 Q: It is almost the last part of the report that the witness analyzes the file. I extracted the file extraction result and the hash value, and I gave the hash value of the notebook imaging file separately at the first time. Does the witness have a hash value?
4045 Answer: Yes, result request.
4046 Q: The hash value here is different from the hash value of the imaging file that initially imaged the defendant's laptop?
4047 Answer: That's not it. The hash value for the compressed file for the final output I made.
4048 Q: The hash value has changed, so I'm looking at it.
4049 Answer: It is not a new, hash value of just another file that has nothing to do with imaging files.
4050 Q: Is the result of the request attached to the CD now?
4051 Answer: Yes.
4052 Q: Is it not possible to recognize the originality of the original file attached to this CD and the imaging file that the witness first imaged?
4053 Answer: Of course, the originals are not the same because they are different. Inside the imaging file, I put this file in here, but the hash value for this file came out like this, but the hash value is different and the identity is different? Not that. I can prove it again.
4054 Q: How can you prove that you came out?
4055 Answer: You can export the output here and extract the hash value.
4056
4057 Judge
4058 To witnesses
4059 (Presenting section 2 of the Attorney's Statement on December 12, 2015)
4060 Q: The attorney's claim is that the file before the file was merged because the picture file was merged, but it did not exist. Is the file before merging necessarily exist?
4061 Answer: It may not be.
4062 Q: Please explain in what case it might not be.
4063 Answer: I do not know what features the Chrome Extension Tool has, but a common capture tool is that once you capture a screen and then try to put it underneath it, you capture it first, and if you do not save it, so you do not need to save it, but if you put the second captured screen just below the area that was left in the memory, and then save it, the first thing you saved will not be saved.
4064
4065 Lawyer
4066 To witnesses
4067 Q: Is it possible to remain in the memory area at first?
4068 Answer: Yes.
4069 Q: Does it disappear from the memory area over time?
4070 A: Normally I keep the clipboard, but the program I use remains, and I do not know how the date is set, but if I capture it yesterday and save it, it will be shown on the screen again.
4071 Q: So if you stay in the memory area, is it possible?
4072 Answer: Yes.
4073
4074 Prosecutor
4075 To witnesses
4076 Q: Is it possible that the original text and the result screen are both saved as a file, and then the result screen is pasted in the original text and the synthesized file is saved under a new name?
4077 Answer: Yes, there are many possibilities.
4078
4079 Lawyer
4080 To witnesses
4081 Q: The writing screen is so large that you can not see it on one page. Is it possible to capture it as a single file when you capture a full screen, or capture it separately?
4082 Answer: It can also be captured as a single file. But I do not know the full page capture program because I did not use it. The capture function provided by Naver or most of the recent capture programs are scrolled all the time, and when I select the whole screen, the one below is captured as one screen.
4083
4084 Judge
4085 I will finish the examination of Kim Wonhwan. Thank you.
4086
4087 After the prison sentence in Seoul detention center, I added 15 sheets of staples to the sentence, followed by a document that shows how to file a copy of the sentence, and 16 sheets of staples.
4088 I added a copy of the document stating that I added a copy of the document stating how to apply for viewing and copying restrictions. I suspect that the court has done this by worrying about the disclosure of the ruling.
4089
4090 Seoul Central District Court
4091 verdict
4092
4093 Event 2015 Torture 4685 Intimidation (Recognition of Torture)
4094 The defendants were OO (OOOOOO-OOOOOOO), unemployed
4095 Housing Seoul, Dongdaemun-gu, Hancheon-ro 58, Gil 139, O-dong O (I-moon-dong, O-apartment)
4096 Registration Criteria Gyeongbuk, Andong-gun Il-kyung-myeon Dongfang Dong 408
4097 Inspection Jungmun-sik (Prosecution), Jung Jun-jun (trial)
4098 Counsel
4099 Attorney Kim Yong Min, Kim Jin Hyeong, Park In Sook
4100 Judgment sentenced Nov. 11, 2016
4101
4102 order
4103 The accused shall be sentenced to one year and six months in prison.
4104 Confiscate one seized notebook (model name: lenovo B490, S / N: WB09564311)
4105
4106 Reason
4107 Crime Facts
4108 1. Defendant's first intimidation attempted
4109 The defendant used the defendant's laptop (model: lenovo B490) at the defendant's residence to contact the White House Consumer Affairs Corner (Contact the White House, "in English," to President Obama and First Lady Michelle. ... I am a college student at Hankuk University of Foreign Studies in Seoul, Korea. How are your families doing? I am tired of my life because I always masturbate watching sex transsexual pornography. One day I realized that I did not want to die like this. I decided to stay as a famous Korean man in American history. I will eventually rape your second daughter, Natasha. I think it would be a bit politicky to ask beforehand, but is it okay? I think the second daughter (first daughter) is more than Malia Ann ... (Omitted) ... so I am ... Parental consent is required prior to the application. Do not worry about me. I have a lot of kimchi and I do not have AIDS. I am going to rape black people before they die. ... 1).
4110 -------------------------------------------------- --------------------------------------------------
4111 1) The following is the original text of the post.
4112 From: Mr. Lifee Iss Crazzyyjr. / Submitted: 7/7/2015 7:20 AM EDT (US Eastern Time) Email: isshufs@gmail.com / Phone: 82221732062 / Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro , Dongdaemun-gu, Seoul, Korea, 130-791, Damascus, Message: Dear Mr. President Obama and Mrs. First lady Michelle.
4113 Hi.
4114 I'm HUFS student from Seoul, Korea.
4115 How's your president family?
4116 I'm sick of my life cause I always mastervating with tranny prons. One day, I realize that I'm not going to die like this.
4117 2 decide to be a famous Korean male in USA history.
4118 Therefore, I am going to anal rape your second daughter Natasha. Is that okay?
4119 I think that bitch's asshole is much tighter than Malia Ann. So I need parents permission before the nigger anus.
4120 Do not worry about me: I eat lots of Kimchi so free from AIDS.
4121 I eager to penetrate nigro asshole before I killed by Kim Jung-un.
4122 Thanks.
4123
4124 As a result, the defendant tried to intimidate both US President Barack Obama and the First Lady, Michelle Obama, but the above posting did not reach the victims, so the offense remained an attempt.
4125 2. Attempted second intimidation of defendant
4126 The defendant accessed the white house in the White House section of the White House in the above manner at the defendant's residence as described in paragraph 1 of the " . ... This is a warning message to terrorist attacks. In Korea, we will attack the US Ambassador Mark Lippert in Seoul again. Last time, the assassin's heart I sent was so weak that I could not break Lippert's artery. This time we will be preparing a well-trained assassin (traditional Cuisine-Professor) and kill the metabolism with a nuclear poison. Until the US forces dispose of chemical weapons on the Korean peninsula, we will slowly and surely discipline all your political comrades. It is an ultimatum. Wait for us, WIP Satan, Obama! I will see the dialogue soon after. ... 2).
4127 -------------------------------------------------- --------------------------------------------------
4128 2) The original text of the post is as follows.
4129 From: Dr. Korea Isis One / Submitted: 7/7/2015 1:26 PM EDT / Email: summer@hufs.ackr Phone: 82221732061 / Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu , Seoul, Korea, 130-791 Message: Declaration Terror to Mr. President Obama.
4130 A beautiful Evening is it?
4131 Right this is the warning message from the Terrorist Attack.
4132 Korea, we're going to re-attack US ambassador Mark Lippert in Seoul.
4133 So last time, my a5sassirator's mind is too weak to cut the ambassador's artery perfectly. End this time, we have been prepared by a well-trained traditional Cuisine-Professor and kill Him by nuclear poisoning.
4134 Ok? We'll keep you amputated all your political comrades slowly but surely one by one, until the US army eliminates Bio-chemical weapons in Korean Peninsular Mother Land.
4135 UltimatuM; 3xpects us, our WIP Archenemy Obama!
4136 LIMFAO, See mark Soon in your After-Life ......
4137 HUFSRO 4ourth 4inger
4138
4139 As a result, the defendant threatened to assassinate US Ambassador Mark Lippert, a foreign envoy to the Republic of Korea, if his intention was not met by US President Barack Obama, but he did not reach the victim.
4140 The point of evidence
4141 1. Witnesses Nam Sang-wook, Kim Jin-kwang, Kim Kyung-hwan
4142 1. Intimidating texts, English texts typed into each white house homepage, 4plebs.org site postings
4143 1. Digital evidence analysis report
4144 1. Investigative reporting (see additional postings on 4plebs.org site), investigation reports (crime facts and Hankuk University of Foreign Studies lectures), investigation reports (suspects found on OO computers, original capturing files) (Evidence list 13-1 to 13-4), investigation reports (for posts posted on 4Chan and 4Chan backup sites), investigation reports (for isis.png, usa.png file analysis), investigation reports (For the Nouveau dossier folder identified on the defendant's laptop), the 's.txt' file found on the defendant's notebook, the investigation report (the suspect for the OO laptop time zone setting confirmation), the investigation report (using the Google Chrome browser capture function Analysis of generated time information), investigation reporting (this OO notebook time information confirmation and re-imaging)
4145 1. Confiscation Record and Confiscation List
4146 1. Confidentiality (submission) integrity verification, seized material (submission) information
4147 Application of statutes
4148 1. The applicable law on crime
4149 Article 286 of each criminal law, Article 283 (1)
4150 1. Imaginative competition
4151 Article 40 of the Criminal Act, Article 50
4152 1. Type selection
4153 Jail option
4154 1. Weighting
4155 Article 37 of the Criminal Act, Article 38 Paragraph (1) Item 2, Article 50
4156 1. Confiscation
4157 Criminal Law Article 48 Clause 1 first
4158 Judgment of defendant's and defendant's claims
4159 1. On the illegality of seizure and search procedures
4160 A. Seizure method restriction violation
4161 1) The point of the claim
4162 The Seoul Central District Court on July 13, 2015 (the "Warrant for Warrant," 2015-18545, hereinafter referred to as "the warrant for this case") restricts the objects and methods of seizure, and in principle, The method of outputting the evidence is sufficient and the notebook computer itself can be duplicated. If the duplication is not possible at the execution site, the original export of the storage medium is allowed and returned within 10 days from the date of export.
4163 However, the defendant's laptop computer had already been cloned at the execution site, so it was taken out and stored as a seizure, even though it was not necessary to remove it.
4164 This is an unlawful seizure violation against a warrant, and the illegality may affect the entire seizure process, so all the evidence obtained from the seizure corresponds to evidence of illegal collection.
4165
4166 2) Judgment
4167 The object and method of confiscation of the electronic information set forth in this case warrant are as follows.
4168 The warrant is for confiscation, "computer hard disk, tablet PC related to the crime" is listed, and the confiscation of the storage device itself is allowed, the defendant's laptop computer is set to French time zone, It is confirmed that VMware is installed as an operating system operating program, so it is necessary to clarify time information and check and analyze the usage history of virtual computer in the future, thereby seizing and exporting the notebook computer itself, It is expected that the recognition of identity will be problematic and it seems to be an action according to necessity of confiscation of the storage medium itself in order to confirm the original electronic information. It is stated that the case warrant should not exceed 10 days from the original date of export unless there is special circumstances However, since this method stipulates the seizure method when seizing only electronic information, In this case, in addition to electronic information, if the original of the notebook computer itself is confiscated as an object of seizure, it can not be said that it is a violation of the method of confiscation of electronic information. In such a case, the seizure of this case is illegal seizure It can not be called search.
4169 B. Seizure search without guarantee of participation
4170 1) The point of the claim
4171 The search for electronic information should be regarded as a seizure process in the whole process of searching electronic information related to a criminal offense and outputting the corresponding electronic information in a document or copying a file. In this case, Not guaranteed.
4172 2) Judgment
4173 In summary, the following facts recognized by the evidence that the court has legally adopted and investigated suggest that, even if the investigating agency does not fully comply with some of the proceedings, the offense is the assurance of the participation of the defendant in the proceedings It can not be regarded as illegal.
4174 ① The defendant was lying in the bed with only his underwear in the execution process of the seizure search at the defendant's residence, and the defendant's family refused to film the seizure process, and the defendant and the defendant's family showed uncooperative attitude (The defendant was arrested in an emergency and lied on the floor with his / her clothes taken off after he was in. In the office of the police department of the Seoul Metropolitan Police Agency. Etc.).
4175 ② The defendant's mother Kim OO participated in the confiscation process of the confiscated materials, and the contents of the storage device were modified, unchanged, and the seals were seized while creating the hash value and hash value of the defendant's laptop computer hard disk And that there was no abnormality in the seal, and the signatures of the integrity of the seized water and the information on the seized materials were unattended.
4176 ③ On the other hand, the defendant's mother Kim OO informed the police officer that he could participate in the seizure process such as the release of seizure of the seizure, duplication, etc. The police officer analyzed the hard disk imaging file of the notebook computer without participation of the defendant on the grounds that Kim OO's decision to participate in the analysis process did not have a separate statement, but because the defendant (Article 121 and Article 122 of the Criminal Procedure Code states that if a participant does not participate in the execution of a seizure search warrant, he / It is difficult to say that the defendant raced after the emergency arrest and that the time of the emergency arrest was so rapid as to omit the notice of participation of the defendant's family in the process of analyzing the seizure. However, the seal and hash values of the storage medium are preserved, the hash value of the hard disk of the laptop computer in this case is the same as the hash value of the file generated through the imaging operation, In view of the integrity of the document and the recognition of the identity, the imaging file appears to have not changed from the time of initial seizure until the time of submission of the evidence. Therefore, it is difficult to say that the analysis of the imaging file was done without the defendant '
4177 2. Proof of original identity and integrity of digital evidence
4178 A. Opinion
4179 The defendant's lawyer argues that the proof of the integrity of the digital evidence is not proven, so the evidence of the files and images printed on the defendant's laptop hard disk should be excluded.
4180 ① Confirmation of integrity by comparing hash values confirms that there has not been any change until the status of the digital evidence at the specific time (imaging time) is submitted to the court afterwards. Therefore, Identification can not be a guarantee of integrity. Before the police officer imaged the information stored in the defendant's laptop computer hard disk, the defendant made a search and browse for 40 minutes without taking measures to prevent a minimum of breaks such as " It is not possible to exclude the possibility that unsaved files or pictures are stored and written.
4181 ② The storage medium that needs to be sealed should also include an 'imaging file storage medium', and the police officer did not seal the storage medium of the file that imaged the defendant's laptop computer hard disk.
4182 B. Judgment
4183 The evidence of integrity and identity in judging the evidence ability of digital evidence can be verified objectively and rationally according to the free trial of the authors by collecting the hash value confirmation, the testimony of investigator or digital potentiometer expert, It is important to note that the original identity and integrity of the digital evidence presented in this case has been proven in light of the following circumstances. Therefore, the defendant's claim is not accepted.
4184 ① According to the warrant for seizure of the case, the confiscated object is a computer hard disk, tablet PC, etc. related to the crime, and the investigation officer searched for electronic information in order to determine the relevance to the crime and the necessity of seizure, Of the total number of applicants.
4185 ② The seizure of the incident began on July 13, 1945, 2014. The investigating officer found the defendant's laptop computer, turned on the power on July 13, 2018, and searched for electronic information related to the alleged crime of the incident, and found a file, usa.png, And then shut down the notebook computer from 2015. 7. 13. 20:47:18 2015. 7. 13. 21:56:08 on the same day until 23:37:11 notebook HDD imaging operation.
4186 â‘¢ As a result of analyzing the defendant's computer imaging file with Encase, a digital evidence analysis tool, the image file isis.png, usa, which captures the contents of the 'Contact the White House' page of the white house website related to each case of this case. The creation and last modified date of the png was confirmed before the seizure of the incident.
4187 â‘£ The investigating officer found the isis.png, usa.png, and s.txt files related to the offense on the defendant's laptop computer and checked the source of the file to the defendant. In the presence of the defendant's OO, In the process of seizing the incident, police officers do not show the circumstances in which they excluded the right of participation of the defendant and the family member.
4188 ⑤ The defendant's mother Kim OO participated in the seizure process of the confiscated materials, and after the defendant's computer hard disk was cloned, the contents of the storage device were modified while the hash value was generated and the hash value was generated, The fact that the seal was sealed and that there was no abnormality in the seal and the integrity of the seizure and signature of the information on the seizure were unattended.
4189 (6) The hash value of the hard disk of the notebook computer in this case is the same as the hash value of the file generated through the imaging operation, and the integrity and the identity of the document output from the file generated through the imaging operation are recognized. As long as the seal and hash values ​​for the storage medium are preserved, the defendant's argument that the storage medium of the duplicated copy (imaging file) must be sealed at the confiscation site and that evidence capability should be excluded in case of violation.
Reason for sentencing
The defendant caused an international wave not only in Korea but also in Korea by posting a rape on Obama's young daughter and an attempt to assassinate US Ambassador to the United States, Mark Lippert, in the column of the US White House complaints column. Although the crime of each of these cases has been attempted, it is very inferior in light of the crime method and crime.
On behalf of the US government, the Embassy of the United States of America (the US Embassy) has indicated that the offense is a serious threat to the US government and that it intends to seek thorough investigation and punishment.
The defendant is not satisfied with the situation after the crime, such as showing the defendant's attitude from the investigation stage to the court, the defendant's behavior and the risk of re-punishment.
However, considering the fact that the defendant is the first person, and the defendant's age, family relationship, home environment, the motive and means of the crime, and the circumstance after the crime, To be determined.
Innocent part
1. Point of circumstance
The defendant accessed the White House Contact Us White House by using the defendant's laptop (model: Lenovo B490) at each time and place listed in the crime of criminal offense, Obama and Barack Michelle (first threat), and victim Barack Obama (second threat).
2. Judgment
A. As long as the other person recognizes the meaning of the harmfulness enough to cause the person to be afraid, regardless of whether or not the other person is frightened realistically, If the applicant does not acknowledge the meaning of the evil, or if the opponent fails to perceive the meaning of the evil, he/she will only be tried for the threat of intimidation (Supreme Court Dec. 2007, Dec. 2007, Dec. 606) Reference).
B. The content of each case in this case is considered to be a notice of harmfulness enough to cause victims to fear, but the evidence submitted by the attorney about whether or not the notice of such harm has actually reached the other It is not enough to admit it and there is no other evidence to admit it. Therefore, it is difficult to see threats reach the nose.
C. Conclusion
In the end, the circumstantial indictment of the crime shall be deemed innocent by the end of Article 325 of the Criminal Procedure Act, but if the accused is a preliminary indictment, Not.
The judge (with no signature)

[Seizure, search, and verification of electronic information stored in information storage media such as computer disks]
A. Search and verification of electronic information
If the purpose of the investigation can be accomplished only by search and verification, search and verification without confiscation are required.
B. Seizure of electronic information
(1) Principle
Only the electronic information related to the allegations after the search and verification in the storage media can be confiscated or copied to a storage medium carried by the investigation agency.
(2) Hard copying, imaging (hereinafter referred to as "reproduction") of the storage medium is permitted
(A) Replication at the execution site
If it is impossible to execute by output or copy, or if it is considerably difficult to achieve the purpose of confiscation 3) Only the storage medium can be copied
----------------------------------------------------------------------------------------------------
3) The following cases shall apply.
1. If the person to be eavesdroppers do not cooperate or cannot expect cooperation
2. Where electronic information that is likely to be related to the allegation is deleted or found to be obsolete
3. If execution by copying or printing violates the tranquility of the business activities or privacy of the person to be eavesdropped
4. Other equivalent

(B) The export of the original of the storage medium is permitted.
(1) In the case of (a) above, if the reproduction of the storage medium is impossible or extremely difficult in the current edition of the executive act, (4) only the original of the storage medium is sealed under the participation of the suspect, Can do
----------------------------------------------------------------------------------------------------
4) The following cases shall be referred to.
1. Hard copying and imaging in the field is physically and technically impossible or extremely difficult.
2. Hard copying, execution by imaging, violates the tranquility of the business activities or privacy of the person to be confiscated
3. Other equivalent

2) The original exported by method 1) above shall be opened with the participation of the intruder, reproduced and returned without any delay, but not more than 10 days from the original export date, unless there are special circumstances.
Middle omission
(3) Precautions for confiscation of electronic information
(A) A list of electronic information confiscated by the person to be confiscated shall be issued. (The grant of the list may be replaced by the issuance of a copy of the final confiscated printed matter or electronic information through the procedure of paragraph (2) above.)
(B) Sealing and unsealing may be done in physical way or in the way of both parties such as the investigating authority and the person to be confiscated by setting the password. When copying or duplicating, it is necessary to check the hash function value, seize, And a method to confirm the identity with
(C) The right to participate should be ensured through the whole process of seizure and search, and in case of refusal to participate, seizure and search should be done in a considerable way to ensure reliability and professionalism.

It is a copy.
November 15, 2016.
Seoul Central District Court
Hwang Mi-young

※ You can check whether the document has been faked or not by using the issue number search menu of the event search computer installed at each court's civil affairs office or by inquiring the court in charge and inquiring the issuance number shown at the bottom of this document.

Criminal judgment, reading, copy restriction application
1. Reason for application
A litigant in a criminal case may apply to limit the reading and copying of a criminal judgment, etc. in the following cases:
○ If the disclosure of the lawsuit records is likely to seriously undermine the honor and privacy of your identity or the life, safety of your body or the calmness of your life
○ If there is a concern that the trade secret of the applicant (the "trade secret" in Article 2 (2) of the Act on the Prevention of Unfair Competition and Trade Secrets)
2. Eligibility: Legal person involved in a criminal case
A representative of a defendant who is a defendant, a defendant, an assistant, a legal representative, a special representative under Article 28 of the Criminal Procedure Act, a complainant, a victim or a legal representative thereof, a witness or a legal representative thereof in accordance with Article 340 and Article 341
3. How to Apply
Apply to the court clerk, court clerk, court clerk, court chief of the court holding the litigation record (after the judgment is finalized, the court that sent the judgment)
4. Legal basis: Article 59-3 of the Criminal Procedure Act