eChrkg42

· 7 years ago · Dec 29, 2018, 01:52 AM
1ìš°ë¦¬ ë¬¸ìž¬ì¸ í•˜ì•¼ì‹œìœ„ëŠ” ì•ˆí•˜ë‚˜ìš”?
2 
3 
4ë¬¸ìž¬ì¸ ëŒ€í†µë ¹ë‹˜, í”¼ì˜ìžë¥¼ ë³€íƒœì„±ìš•ìžë¡œ ì·¨ì¡°í•˜ëŠ” ê²½ì°°ê³¼ ê²€ì°°ì„ ê°œí˜í•˜ì—¬ì£¼ì‹ì‹œì˜¤
5 
6ì´ëŸ° ìžê·¹ì ì¸ ì œëª©ì„ ì¨ì•¼ í•œ ì  ì–‘í•´ êµ¬í•©ë‹ˆë‹¤
7 
8ì•„ëž˜ ë¶™ì¸ ìƒìƒë ¥ í’ë¶€í•œ ì¡°ì„œë¥¼ ì½ì–´ì£¼ì‹ì‹œì˜¤
9 
10ë¶ˆê³¼ 3ë…„ ì „ì— ì•„ë¬´ë‚˜ ë°ë ¤ë‹¤ ì•‰ížˆê³  êµì œë²”ì£„ìžë¡œ ë§Œë“œëŠ” ê²€ì°°ê³¼ ê²½ì°°ì˜ ì‹¬ë¬¸ì´ ìžˆì—ˆìŠµë‹ˆë‹¤
11 
12ì´ë ‡ê²Œ ìˆ˜ì‚¬í•´ ë…¼ ê²€ê²½ ìˆ˜ì‚¬ê´€ë“¤ì— ëŒ€í•œ ì¡°ì‚¬ë¥¼ ìš”êµ¬í•˜ì˜€ì§€ë§Œ ê·¸ë•Œ ë§ˆë‹¤ ìˆ˜ì‚¬ ì§€íœ˜ë¥¼ ê²€ì°°ì² ì •ë³´ê³¼ì—ì„œ ëª¨ë‘ ë§¡ì•„ ì „ì› í˜ì˜ ì—†ìŒ ì²˜ë¶„ì„ í–ˆìŠµë‹ˆë‹¤
13 
14êµ¬ì‹œëŒ€ë°©ì‹ì„ ê°œí˜í•˜ì§€ ì•ŠëŠ” í•œ ë‹¤ìŒ ì°¨ë¡€ëŠ” ë¬¸ìž¬ì¸ ëŒ€í†µë ¹ë‹˜ì´ ë  ê±°ë¼ê³  ì˜ˆì–¸í•©ë‹ˆë‹¤
15
16
17
18
192. Police and Prosecutor Interrogation
20
21
22Purpose of disclosure
23
24The employees of the police department of the police investigation department conducted a forced labor investigation that did not secure the laptop evidence at the time of the execution of the emergency arrest warrant, and forced investigation that forced only confessions at the time of the arrest investigation. The cyber evidence analysis room systematically manipulated and destroyed the confiscated evidence , The court has guilty of perjury, which is a false statement to witnesses present. It is recognized that the cybercrime staff members of the National Police Agency have committed a crime that shook the roots of the Republic of Korea's judicial system. Also, if these investigative practices are not improved and are accepted through the tacit agreement of the legal profession, there is no possibility that victims of good faith will be further cultivated in our society. 
25As a result, the public will be aware of the situation through public disclosure.
26
27Bottom incidence
28The suspect A and his parents agreed to not disclose to the press the method of civilian inspections by the NIS and Cybercrime investigators on the Internet that were revealed during the Obama threat investigation process after receiving 40 million won from the B inspection.
29
30At the time of writing, the omitted statements and wrong contents were recorded.
31
32In some of the same sentences, there are inconsistencies in spelling mistakes and stylistic errors. The investigator who participated in the investigation was involved in the process of copying and pasting the question received from the external investigator through the messenger as it is in the letter, and correcting the notation to prevent confusion if it does not distort the essence.
33
34Sung Ki Young: Internet Installer Articles
35Kim OO: Cybercrime investigator wearing black horn glasses
36
37Police record
38
39Q: What is the current status of the suspect? (The investigator wrote that he used a monotonous body when he wrote it, but he is different from the actual one.)
40Answer: There is no place to be particularly sick.
41
42Q: Are there any obstacles to being investigated?
43Answer: There is no interference with the investigation.
44
45Q: Has the suspect been sentenced to criminal prosecution or prosecution?
46Answer: I once went to the Dongdaemun Police Station and wrote a letter of appreciation.
47
48Q: What will happen to the Dongdaemun Police Station?
49A: In the year of 2011, I was going out of Shinnimun Station subway station and passing through India, and somebody was ahead of me, but I have the fact that the police have just checked me. The reason for the inspection is that I have lost one camera at the Lee Mun Sung Cultural Center. I was taken to the Dongdaemun Police Station because I was a suspect, and I received a DNA test there, but I remember that there was no punishment.
50
51Q: Do you know what the suspect is currently under investigation for?
52Answer: I know. I know that I have been investigated for threatening to kill White House Obama and for threatening to murder US ambassador to Ripper.
53
54Moon: The suspects were arrested on July 14, 2015 at the 45th O-dong O Dong-dong, Dongdaemun-gu, Seoul, after being informed of the Miranda Principles, and then arrested by police at the Seoul Metropolitan Police Agency and cybercrime suspects. ?
55Answer: Yes. At that time, there was a fact that I was arrested and notified of the Miranda principle in my room.
56
57Q: Have you been confiscated at the time of arrest?
58A: I know I had a hard copy of the computer from the detectives who had executed the seizure before the arrest, and I was told that I had done so, but I know that the computer hard disk was not confiscated. I have just been told that the investigator who was conducting the investigation had confiscated the notebook and the USB original.
59
60Q: Tell me your military service.
61A: In January 2005, I served the sergeant in the 9th Division of the White Horse.
62
63Q: How was your military life?
64A: Military life was very hard. There were eight senior members for four months, and seven of them were Jeolla people, and it was hard for them to harass.
65
66Q: What is blood type and religion?
67A: He is O, and there is no religion.
68
69Q: What is your height and weight?
70Answer: Height is 168 centimeters, weight is 72 kilograms, blood type is O type.
71Q: The suspect said that he drank a beer in front of an investigator in his room and said that he had already mixed beer and liquor.
72A: Yes, I remember the situation at the time.
73
74Q: What is the usual burden of the suspect?
75Answer: Weak beer is between 500cc and 1000cc. Drinking that much is like sleeping.
76
77(A hangover remained at the time of the first and second police investigations.
78
79Q: Do you usually drink alcohol often?
80A: I have an irregular life, and I usually drink when I can not sleep.
81
82Q: What is your academic background?
83A: I graduated from Kyungbok High School in 2000 and graduated from Yongin Campus (now Global Campus) of Hankuk University of Foreign Studies for 4 years.
84
85Q: Did you have a major or minor in college?
86A: Major is Digital Information Engineering, minor is Biochemistry (now Chemistry). In the school itself, one day, suddenly, without a proper notification to the students, the chemistry of biochemistry disappeared. So, when I wrote my graduation thesis, the major was in digital information engineering and the minor was listed in biochemistry. But when I write my resume while working, biochemistry seems to have falsified my resume with a missing department. I became disadvantageous to Hankuk University of Foreign Studies where I graduated.
87
88(At about 14:59, the suspect has been appointed to the counsel, so he confirms the counsel 's appointment and pauses the investigation to give him time to help.
89
90(At 15:25, he resumed the investigation with the participation of lawyer Park Chul-Hyun, and participated in the investigation of cyber criminal investigator as a leading investigator in the second half.) Due to this business relationship, make someone do.)
91
92Q: So you got a bad feeling about Hankuk University of Foreign Studies because of this?
93A: I have a dissatisfaction rather than a bad reputation.
94
95Q: What is the major area of Digital Information Engineering?
96A: It is related to digital computer, Internet communication.
97
98Q: If the principal of the suspect is digital information technology (in a coercive manner), will the accused have a knowledge of computers?
99A: Yes, I think so myself. (The accused also gave other answers but only recorded this.)
100
101(The investigator continued to insist on me being a computer expert, a hacker, and a hacker, so I asked for objective tests to verify my computer skills, but I did not record any of them.)
102
103Q: Have you ever been involved in other activities such as student councils at university?
104A: I did not go to the student council, but I spent about a year in my first year at the school. The suspect stated to the investigator, "I went one day and asked to pay for the subscription fee, but I quit."
105
106Q: What happens to property, property, and monthly income in the name of the suspect?
107Answer: I know that my mother bought my brother's studio in my name, and now I have no savings or savings in my name at all. There is no monthly income.
108
109Q: Who is the current cell phone number and name of the suspect?
110Answer: There is one pink LG mobile phone that I joined as my mother's name. I rarely use it, so I can not remember the phone number.
111
112Q: Do you mean that the suspect can not remember the cell number you are using?
113A: Yes, I can not remember.
114
115Q: Why are you using a mobile phone that is subscribed to your mother's name instead of your name?
116A: I do not like to use a cell phone, and I do not want to use an electric wave.
117
118Q: What about family relations?
119Answer: I have a parent and a younger brother (OO, OO birth), Mo (Kim OO, OO birth), brother (OO, OO birth).
120Q: Where is the suspect currently residing?
121A: I am currently living with my parents at my parents' home.
122
123Q: When did you live with your parents?
124A: I live with my parents from birth to the present, except for one thing I did when I was in college (the suspects stated that they stayed for two years but did not record them).
125
126Q: What is the suspect currently doing?
127Answer: I am unemployed.
128
129Q: How do you spend your living expenses?
130Answer: No special expenditure.
131
132Q: I do not have any special expenses. If you are a normal person, when you go out, it seems that you will need some amount of money such as transportation expenses. How do you solve the money?
133Answer: I use it because I ask my parents, and I do not go out, and I continue studying at home at home.
134
135(The investigator told the suspect, "How did you live in an expensive 45-pye apartment? Where did money go and buy things at Costco?" The suspect said, "The apartment is a parent, I bought a cake twice at Costco and bought it at the KBS International Department Press. I bought it at Costco for 2 times. "I have seen this cake at Costco before," he said, "is a Costco jockey, is not it?" "I have been eating snacks before lunch when I bought the cake for the first time. "And I said," I bought it at Costco, bought it at a reunion point. " It is very relevant to know that KBS is impersonating KBS and knowing to look at the costume at KBS, or at this time the police investigated all of the parents' financial information and found that they often used Costco do.)
136
137Q: Is the suspect only studying in the house without going out?
138Answer: Yes, yes. After leaving the company around 2013, I have been living in a house because I do not want to be disturbed by other people.
139?
140Q: Tell me about social activities after military service.
141A: In 2005, I was discharged from the military and worked at a gas station for about three months. After graduating from college in 2009, I worked for a chemical company that did not remember my name for about two weeks. I went to KBS reception in 2011 and worked until 2013.
142
143Q: What is KBS receptionist?
144A: I was in charge of English translation work, including foreign news. (The investigators emphasized English translation.) The suspects did not record statements that "it was the main task to record the foreign news to the editorial office."
145
146Q: Does the suspect become an English proficiency, such as translating foreign news, etc.?
147A: I think that is enough.
148
149Q: So the suspect will speak English fairly well?
150A: TOEIC is about 780 points, TOEFL is about 82 points.
151
152Q: Have you ever worked in other places related to English?
153Answer: I just told Citibank that I had worked for about two months in Citibank. When I joined the Citibank, I went into English language grades.
154
155Moon: Looking at the criminal history of the suspect, on September 28, 2012, the Seoul Northern District Attorney's Office issued a "no-charge" disposition for burglary at night. What is the content?
156Answer: In the previous survey, I went to the Dongdaemun Police Station and stated that I was investigated as a camera suspect.
157
158Q: How many computers are installed in the suspect's residence?
159Answer: I have a single PC in my room, and I have a desktop and a laptop in my room.
160
161Q: Does the suspect play internet games?
162A: I do not play internet games.
163
164Q: So what is the main purpose of your computer?
165Answer: The desktop installed in my room (I do not have a special name (brand name) as an assembled PC purchased on the internet) is broken and I am not using it. The notebook (Lenovo) is mainly used for studying French.
166
167Q: How do you study French with a laptop?
168Answer: I use it as a way to watch a language learning program (Rosetta Stone) through a laptop. (The suspect stated that he also used Fluenz, another language study program, but the investigator omitted it arbitrarily.)
169Q: What Internet site does the suspect usually access?
170A: I usually search Google, and I am connecting mainly to 4chan site like this.
171
172Q: Which site is 4chan?
173A: It's a site like Dish Inside (a kind of free bulletin board) in Korea, which is used by various people all over the world.
174
175Q: What do you usually search on Google or 4chan sites?
176Answer: Google is used to look up French words in images, while 4chan sites are used to watch frivolous videos.
177
178Q: When was the last time you searched Google or 4chan site?
179Answer: I do almost every day, so there is no need to specify a date. (The suspect stated in each of the two questions of the investigator that "Google uses every day for every day of study," "4chan uses one or two times a week," but the investigator ties the two questions together and runs Google and 4chan daily Recorded.
180
181Q: What happens to the internet company that is using and joining in the house of the suspect?
182A: The internet company we use at home is the Tibur Road.
183
184Q: Are the suspects using blogs?
185A: I am using a blog spot from Google.
186
187Q: Do you have a blog created by the suspect?
188Answer: Yes. I have only about 10 blogs that I've opened only in Google, only bosulachi I can remember the address and I can not remember the rest.
189
190Q: Do you have any blogs that you have opened elsewhere?
191A: I do not have any other blogs that use Google only.
192
193Q: When did you create a blog such as bosulachi?
194A: It is remembered that it was opened around 2014 to 2015.
195
196Q: What was the purpose of your blog?
197A: It was created to organize political opinions.
198
199Q: What do you mean by political opinion?
200A: I am standing on the conservative side and criticizing the North Koreans.
201
202Q: Have you ever posted a political opinion through a blog?
203Answer: Yes. I have expressed my political views on all the blogs I've opened in Google.
204
205Q: What are the specific contents?
206A: The first is "North Korea's intervention in Gwangju," and the second is "opposing reunification." I will say that much. You can see the blog directly. (These comments were not advocated by the suspect, but discussed blogging issues on the Internet at the time of the investigation.)
207
208Q: Does the suspect know the ISS program at Hankuk University of Foreign Studies?
209Answer: I do not know.
210
211Q: Does the suspect know the hufs?
212Answer: Yes. Hankuk University of Foreign Studies site.
213
214Q: Does the suspect know his / her mail address at summer@hufs.ac.kr?
215Answer: I do not know.
216
217Q: Have you ever used or used the above e-mail?
218Answer: Never used.
219
220Moon: Dr. korea Have you ever used a nickname Isis One?
221Answer: I have not used it.
222
223Q: Do you know the above nickname?
224Answer: I have no idea. I saw it for the first time.
225
226Q: Do you know the phone number of 8221732061?
227Answer: I do not know.
228
229Q: Have you used the phone number above?
230Answer: No.
231
232Q: The suspect is July 7, 2015. Have you accessed the White House website around 20:20?
233Answer: Not at all.
234
235Q: Is there any reason to contact the White House homepage of the United States of America, even if it is not the above date?
236Answer: No, never.
237
238Q: Has the suspect ever posted the following content in English on the White House website?
239'From: Mr. Dong, Seoul, Korea, Seoul, Korea, Seoul, Korea), Address: Kangwon National University, Korea, 130-791, Damascus', and the following text Message: Dear Mr. President Obama and Mrs. First lady Michelle.
240===========================
241Hi.
242I'm HUFS student from Seoul, Korea.
243How's your president family?
244I'm sick of my life cause I always mastervating with tranny prons.
245One day, I realize that I'm not going to die like this.
246I want to be a famous Korean male in USA history.
247Therefore, I am going to anal rape your second daughter Natasha.
248Is that okay?
249I think that bitch's asshole is much tighter than Malia Ann.
250so I need parents permission before the nigger anus.
251Do not worry about me: I eat lots of Kimchi so free from AIDS.
252I eager to penetrate nigro asshole before I killed by Kim Jung-un.
253Thanks.
254A: Not at all.
255
256Q: Did the suspect see the English version of the content posted on the White House homepage, which the investigator showed?
257Answer: Yes.
258
259Q: Can I interpret the English content?
260A: Yes, you can.
261
262Q: So, is it possible to do the opposite?
263A: It is better than that. And the English content and the writing style I write are wrong.
264
265At this time, notice the contents of English translated into Hangul against the suspect.
266
267Q: Did the suspect hear the above English translation from the investigator directly?
268Answer: Yes, I heard it.
269
270A brief summary of the above content is that a man who posted the above statement is deficient in masturbation, raping the second daughter of President Obama and becoming a Korean man famous in American history. What do the suspects think about the contents of the above?
271A: I do not think I posted this on the White House homepage.
272
273Q: Why do you think a suspect was raised by an American student?
274A: On the streets, Obama is thinking that people are the most likely to approach the United States.
275
276Q: If Obama, the president of the United States, who is said to be raping his daughter as mentioned above, seems to be very frightened, what do you think of the suspect?
277Answer: Yes, yes.
278
279Q: What does the word 'yes, yes' mean?
280Answer: Obama also feels fear. (The investigator asked her whether she was afraid to apply the alleged threat.)
281
282Q: Does the suspect know that the US Ambassador to South Korea, Ripert, was arrested in March 2015?
283A: I've posted articles that I know from the press and strongly criticize people who have tackled my blog.
284
285Q. How do you think the suspect will accept if Ambassador Ripper has seen these intimidating posts?
286A: I feel like I get the same feeling (fear) as Obama before.
287
288Q: In the case of Ambassador Repert, I am living in Korea, and since I have actually received an assassination, can anyone try to convince me that it is possible to attack it?
289Answer: It is very likely.
290
291Q: What does the suspect think of the relationship between the United States and South Korea?
292Answer: I think it is an alliance.
293
294Q: Is the fact that the suspect stated that he used the notebook (Lenovo) alone in the suspect's residence?
295Answer: Yes. There is a fact that said. I am using my laptop at home. I have set the password so I can not use my parents or even my brother.
296
297Q: Do you know that the suspect has confirmed the fact that he executed a seizure search warrant at the cyber criminal investigation center of the Seoul Metropolitan Police Department and arrested a suspect in the residence of the suspect?
298Answer: Yes. I know what I have checked about the laptop I was using at the Cyber Crime Department of the Seoul Metropolitan Police Agency.
299
300Q: The suspect clearly stated that he used the notebook alone (Lenovo)?
301Answer: Yes, yes.
302
303Written on June 7, 2015, the White House article posted the intimidating content of raping US President Obama's daughter. However, according to the cyber criminal investigation center of the Seoul Metropolitan Police Agency, about one minute later, the suspect discovered that the file was saved as 'isis.png' in the M / Bureau / to folder at the bottom of the Document and Setting folder of the suspect, Did not upload the post above?
304Answer: The OS (Operating System) that was laid on my laptop is in France time zone. If you check it, there will be time difference. I can clearly see that it is not my post based on time difference.
305
306At this time, I stopped the investigation for dinner.
307
308Q: Are the above statements true?
309Answer: Yes.
310
311Q: Do you have any more to say?
312Answer: I will leave it at the time of two times. (Even though the suspect said "No," the lawyer Park Chul-hyun, who was sitting there, wrote it down and wrote the suspect.
313
314At this time, we show one newspaper report to the accused,
315
316Q: Are the contents of the one-time statement all right?
317A: Yes, all right.
318At this time, under the participation of lawyer Park Cheol-hyun,
319
320We found one desktop in the study room, one desktop in the room (two with a computer hard disk, one with a hard disk next to it), a desktop in the library, Make a statement about each computer usage.
321A: Lenovo, which was kept in the study room, is used by myself only for French study and internet connection. I use the desktop in the room where I sleep, I am not using it because of a computer failure due to a computer breakdown in 2013, and I use the desktop in the library sometimes for the purpose of searching the Internet and it is a computer that my parents use mainly.
322
323Question: Lenovo, s / n: WB09564311, found in the house of the suspect, is the suspect alone. When did you use the above computer?
324Answer: After the desktop computer broke down around 2013, I bought it on the Internet and used it myself.
325
326Q: I have been told to mainly access the internet, but which site do you visit?
327Answer: I am mainly visiting 4Chan.org and the Google blog I run.
328
329At this time, July 20, 2015, the investigation report (suspects found in the OO computer, the original capture file) isis.png, usa.png file shows the output to the suspect.
330
331Moon: We used the computer analysis program Encase in the Digital Evidence Analysis Room of the cyber criminal investigation unit of the Seoul Metropolitan Police Agency on July 14, 2015 to generate a separate imaging file of the suspect's notebook hard disk, analyze the imaging file without damaging the original, The isis.png, usa.png file found on the notebook shows the threat of raping the US President Obama's daughter and threatening to terrorize US ambassador to the United States. File, please state the source of the above picture file.
332Answer: I mainly visit 4Chan.org and I do not know exactly whether I have read, captured, downloaded, correctly captured or downloaded the posts posted on the above site. (The suspect was suspicious of Google image search in addition to 4Chan, where he investigated the definition and difference of the capture and the download.) The suspect considers the capture and download to be mixed and writes mixed, and the investigator catches the pod This was not recorded in the record.)
333
334Q: What capture program did you usually use?
335Answer: I use the capture program which is an extension of Google web browser. (The investigator asked for the name of the capture program.) The suspect wrote four or six capture programs from Google search and said they did not know the name of each one.
336
337(The investigator asked how long it took to write, and stated that the suspect took two to six hours.)
338
339Q: How do I capture it?
340A: When you look at the Google web browser, you will see a 'camera' icon at the top of your web browser. Click on the icon to capture all the screens you see in your web browser.
341
342Q: What kind of extension is stored in the storage path when capturing?
343Answer: I can specify the storage path arbitrarily, and I usually save a lot on the desktop, and use the png file extension. The png file format is mainly used because the picture quality is clear.
344
345Q: Do not you use another capture program?
346Answer: I use some other programs, but the Google Chrome browser has a convenient capture function.
347
348Q: What kind of website is 4Chan.org?
349A: There are many different kinds of articles posted. I mainly read political and sexual writings.
350
351Q: What is sexual content?
352Answer: The most exciting thing I have seen recently is that a woman is pissing.
353
354Q: What do the suspects post on the site?
355A: I do not post articles like YAHAN video, but I am posting mostly political content in Korea. (The suspect posted the same thing on the blog as well, with about 2 postings in English, like 4Chan.)
356
357Q: I will check again for the above isis.png and usa.png. (The investigator showed me the file again.) Did you download the above file or capture it?
358Answer: I read the above picture again and got it.
359
360Q: When I was searching for the seizure, I told my investigator that the above file was captured. And in the previous statement, I stated that I did not know whether I was downloading or capturing. Why am I clarifying again that I have downloaded the statement again?
361Answer: The photographer showed the photo size of the photo file today. And yesterday, I said capture and download are mixed, so I just say capture. I did not even read the above photo on the 13th.
362
363Moon: 2015. 7.13. At the time of the seizure, the cyber criminal investigator of the Seoul Metropolitan Police Department asked me several times to check the above photo.
364Answer: Yes. Requested.
365
366Q: But why did not you read it?
367Answer: I was lying because I was bored.
368
369Q: I am in search of confiscation.
370A: I did not want to get up because I was still sleeping while I was drinking.
371
372Q: At the end of the seizure search, did you see the picture of the murderer (White House photo) through your mother?
373Answer: I confirmed the picture, but it was not the above picture. (The suspect clearly remembered the pictures stored on his mother's cell phone, but it was not 4chan.)
374
375Q: How do I download picture files from the Internet?
376Answer: When you right-click, there is a download button, which is downloaded by pressing the button above. The save path is mainly saved on the desktop, and sometimes the file name is changed or not.
377
378Q: Why am I changing the file name?
379Answer: If you do not normally change it, but the file name is too long or the file name contains special characters, change the file name.
380
381Q: What do you usually name the file name?
382Answer: There is no reason to change the actual filename when downloading. However, if the filename is too long, it is difficult to keep it on my computer and change the filename. (The statement "It is difficult to identify" in the statement is written by the investigator as it is intended.) The suspect stated "I do not change the name to make it easier to identify.
383
384Q: Do you save the file name with a special name when saving?
385A: If the file name is long, cut off the last part of the file name, or select the whole file name and save it as short name with no meaning.
386
387Q: When a photo file is downloaded from the Internet, the suspect said that he / she would arbitrarily save the file. How was the original text file named "isis" and "usa" called "proper name"?
388Answer: I do not know isis.png and usa.png is my favorite word. (The suspect has demonstrated to the investigators and lawyers the possibility of entering the isis via the keyboard location, but the investigator noted that he was not sure.)
389
390Question: Is the email address used to write the Obama intimidation 'isshufs@gmail.com', but how did the suspect save the file and rename the file to 'isis'?
391A: I think Iss and Isis are different.
392
393If you check the time that the above captured file was saved on the suspect computer, the file isis.png (Threatening Obama) will be available on July 7, 20:21 pm, usa.png The file was confirmed on July 8, 2015 at 02:27. Also, the time for the obsession for Obama to be posted on the US White House website is July 7, 20:20, and the article on the reporter is scheduled for July 8, 2012, It's possible.
394Serial Number / Content / Time / Time Difference
3951 / Time Obama Obscene Writes to the White House / June 1, 2015. 7. 20:20 / about 1 minute
3962 / The Obama intimidating text was created and saved on the suspect computer / July 20, 2015
3973 / Repert Thousand Times posted on the White House / Jul. 8, 2015 / about 1 minute
3984 / Time of the protest manuscript created and saved on the suspect computer / June 8, 2015
399The suspect stated that he had downloaded and stored the contents posted on the Internet to the suspect computer. Did he / she read the threat on the Internet and stored it on the victim's computer as soon as it was posted on the White House?
400Answer: My computer is set to French time zone and 4Chan.org site is US site, so there will be time error. (The suspect had misunderstood 4Chan.org as a US site, according to Wikipedia, 4Chan.org is a Japanese site.)
401
402Q: The suspect laptops are set up with OS operating system in French language and the time zone is also based on Paris time. So, there is -7 hour time difference with Korea. However, when analyzing with the Encase analysis program used by the investigation agency, it is possible to clearly see the time generated and the modified time by changing the above French time zone to the domestic time zone, and the above generation time is domestic time.
403At this time, the suspect is shown the access time of the isis.png file, and it is arbitrary.
404As a result, the cyber criminal investigation center on July 13, 2015 will try to access the above file. Therefore, the above access time will be indicated on July 13, 2015. In conclusion, the time that was created on the suspect computer was the Korean time. So, as in the previous question, is someone reading a post in the White House in just one minute and storing it on the suspect computer, and can this behavior be repeated twice?
405At this time, the FBI requests the suspect and displays the text and time information sent by the FBI.
406Answer: I do not know.
407
408Q: Is it possible to do the above work in just one minute?
409A: It will not be possible in a minute.
410
411Q: If the suspect thinks that it is not possible, is the suspect posted this article?
412Answer: If it is possible, I think that it is impossible if it can be done by myself and it is impossible. (The investigator who listened to the statement had been idle for a long time with a questionable look.)
413
414Q: So the suspect is monitoring the White House intimidation article posted by someone else almost in real time, then checking it immediately and storing it on the suspect computer?
415A: You have not monitored it in real time. There is no such ability. (Here, 'real-time monitoring' refers to reading a new article updated in real time by accessing the White House site.)
416Q: What type of web browser do the suspects use mainly for Internet access?
417A: I am using a Google Chrome browser.
418
419Q: Is there any reason to contact the White House homepage?
420Answer: I have never been connected.
421
422At this time, the picture file 'screencapture-www-whitehouse-gov-thank-you-1436290042624.png' attached to the White House homepage written by the suspect computer is displayed.
423
424If you look at the image file found on the suspect computer, you can see the screen of the US White House homepage. If you look at the contents, you can start with 'Thank you for contacting the White House' It is the screen that is displayed when you finish writing any of the articles. The above captured file is captured directly from the suspect computer through Capture, which is an extension of Google Chrome web browser. Did you ever access the White House website and write it?
425Answer: I downloaded the picture file with the above file name.
426
427Q: If you check the date and time of creation of the above capture file, it is the same as the date and time of publication (June 8, 2015, 2015) After completing the threats about the reporter, is not the output screen about the completion of the caption captured by the suspect computer using the extension function of the Google Chrome browser and saved?
428A: I do not know this.
429
430At this time, July 20, 2015, the investigation report (4Chan and 4Chan about the posted on the backup site) shows the picture file attached to the optional.
431
432Question: The suspect stated on the 4Chan.org website that he had downloaded the above picture file after seeing the reporter's intimidation article. The time when the reporter threatening article was posted on the 4Chan.org website was posted on July 8, 2015 Sir. And the time of the above threat pictures on the suspect computer is around July 8, 2015. How can the time saved on the suspect computer be faster than the time posted on the 4Chan.org site?
433Answer: I do not know.
434
435Q: After the suspect wrote the blackmail, did not he post it on 4Chan.org?
436A: Not so. I have a problem with my computer and I have some malicious code.
437
438At this time, the text file s.txt found on the suspect computer is displayed to the suspect and attached to the end of this document.
439
440If you look at the date of creation of the above text file, the date of file creation is 2014. 9. 10. 16:59, and the contents of this document are the email used 'wasshufs@gmail.com' 'I will surely kill Ambassador Ripper by infiltrating the US Embassy', 'Obama kidnapped my little daughter to rape my anus', and the twitter address 'http://twitter.com/isis_med' There is also a text file of the Obama intimidating text. When and why did you write the above sentence?
441Answer: I do not know.
442
443Q: You wrote the above phrase and wrote it in English and posted a blackmail in the White House?
444A: I have not.
445
446At this time, the photo files found on the suspect computer are shown as 1.jpg, 14.jpg, 10.jpg, 8.jpg, 4.jpg, 2.jpg, 1.jpg, 18.jpg, 5oe254mvhpke.jpg .
447
448Q: The above file access time is around Jul. 7, 21:28. In the above photo, Repert is threatened with terrorist threat to Kim KIM Jong, and photographs of Kim KIM Jong and Obama. It is time to look at the threats to Ripper and Obama and look at the time spent on July 7, 2015. You read a picture of the aptitude episode, right?
449Answer: It's what I saw because it was stored in my folder. However, I did not write intimidation article.
450
451Q: The time of the Raptor Threat picture kept on the suspect computer was created on the suspect computer on March 6, 2015. For what reason, did all the threat pictures come into view on July 7, 2015?
452A: It seems that all files are accessed at that time while the folder is being organized, and the access time has changed.
453
454Unfortunately, Obama and Reporter's threats were posted on the White House on July 7, 2015.
455A: I do not know that.
456
457At this time, July 27, 2015, the investigation report (for the search warrant application for), attached to the [Foreign Foreign Ministry, the Foreign Ministry confirmed the article on the page] is shown,
458
459Q: When I look at the above article, I am using 'email summer@hufs.ac.kr' using IP 124.197.152.111 on July 7, 2015. I do not know if this is the case. For reference, the above IP address 124.197.152 is the IP address of the defendant's residence. Because the suspect is a floating IP, the last number can change each time.
460A: I did not post it.
461
462Q: Then who posted it?
463Answer: I do not know.
464
465Q: I'm sure you posted the above article in the suspect Ip band, do not you know?
466A: I do not remember.
467
468Q: When I click the url link posted on the above article, the Internet address http://boards.4chan.org/pol/thread/47625963 is confirmed. When I visit the above URL, the email 'isshufs@gmail.com' 'Isshufs@gmail.com' Do you not know?
469At this time, please attach http://boards.4chan.org/pol/thread/47625963 url link printout at the end of this document.
470Answer: I do not know. I can not remember.
471
472Q: Isshufs@gmail.com is listed in the s.txt file found on the suspect computer.
473A: I do not remember.
474
475The email address 'isshufs@gmail.com' is used to write a blackmail message to Obama. The email address is also stored in the s.txt file that the suspect is kept in. Is there?
476A: When I do a search on Google, it looks like it came with me.
477
478Q: Did you say you do not remember the previous statement?
479Answer: It is regretful to say that it is the reversal of the statement though it is the human being because it is a human being. (The statements of these suspects were recorded without further ado.) Since then, the suspect has been suffering from the mental pressure of a reversal of the statement until he is released from jail and jailed.
480
481Q: Is it possible that the suspects posted the threats and made them wrong?
482Answer: I have never posted a blackmail.
483
484Q: In the course of the arrest, is it true that you threw objects at the Cybercrime Investigation Division and the Ward staff of the Seoul Metropolitan Police Agency?
485Answer: Yes.
486
487Q: What did you throw at?
488Answer: It's called a cold pack. (A cold pack is an ice pack.) After drinking, I was lying on my forehead with a cold pack with a headache.
489
490Q: What did you say?
491A: I can not remember what kind of profanity I have specifically done.
492
493Q: I think the investigator remembered that they had been told, "Hey, these bastards." Is that right? (This investigator refers to Kwak Dong - gyu who is accompanied by Moo OO.
494Answer: I can not remember whether I used the word "bastard" or how many times I used it. (The suspect stated, "I did not use the word sick", but recorded it as not remembering.)
495
496Q: When you come to Seoul Metropolitan Police Agency 's Metropolitan Police Department, you lie on the floor of the office and say, "Bring a wheelchair," and "Get an executive chair."
497Answer: I was drunk and drunken.
498
499Q: Were you wearing only panties at the time of arrest?
500Answer: Yes, yes.
501
502Q: At that time, the Seoul Metropolitan Police Department investigator asked me to wear clothes during the arrest process.
503Answer: Yes, I did not wear it.
504
505Q: Who has clothed your clothes?
506Answer: The investigator put on the clothe.
507
508Q: Why did you continue in the arrest process or at the office?
509A: I feel like I am excited. (Dozens of people came to the house of the suspect and suddenly arrested and was excited).
510
511Q: Seizure search I was lying in bed for about five hours, did not you?
512A: I do not remember the exact time, but it did not happen.
513
514Q: If you look at the blog of the suspect (helpkorea.blogspot.kr), there is a post on "How to Make Money from the Internet." Why did you write this article?
515Answer: I wrote for the sake of women.
516If you look at the text above, you can see that "Ji Sung-woo calls me as a laundry hanger and can be beaten at the shooting range. I was shaken and then I was in the anus. "Is this true?
517Answer: Yes, yes.
518
519Q: Do you have any bad memories about anus?
520A: I think it is a gag, not a bad memory.
521
522Do you think Obama's anus is also a gag and raped an anus?
523A: I have not.
524
525If you look at the blog of the suspect (fuckingkorean.blogspot.kr), you posted the diploma, transcript, graduation certificate and transcript of the suspect under the heading 'SSUL' I have lost my job by changing my minor in chemistry unilaterally and have suffered economic loss. I have also been suspected of having my own academic background, personal credit, and suffered mental harm from my job as a freelance worker. "Do you have a strong dissatisfaction with foreign language classes?
526Answer: Yes. I have a complaint. (Although the accused did not use the word "strong", Kwak Dong-kyu repeatedly replied the suspect's answer and continued to write "strong dissatisfaction." Even though the suspect pointed out, I asked him to delete it and dragged two lines and interrupted him.)
527
528In the blog of the suspect (unicefusa.blogspot.kr), a photograph is posted on the blog that shows the nickname "ë€¨ ë€¨" with only the middle finger in the head while wearing the panties and all the clothes off. Is it published? (In addition to this question, the investigator changed from time to time during the investigation, but the record did not record the investigator in question.)
529Answer: Yes. I posted it.
530
531Q: Why did you post these pictures?
532Answer: I posted it for fun.
533
534Q: Did you try to get sponsorship by putting the suspect account number on the picture of only the underwear?
535Answer: Yes, yes.
536
537Q: How much did you sponsor so far?
538Answer: I got 20,000 won.
539
540Q: On the wall, what did you use when you used the word "shit"?
541A: I do not remember.
542
543This is a reporter and Obama intimidation article. The email address is 'isshufs@gmail.com', which is used by the staff of Hankuk University of Foreign Studies. The phone number is '82 02 2173 2062' , Address is Hankook University of Foreign Languages address. For what reason did the person who posted above write the address, phone number, e-mail of Hankuk University of Foreign Studies?
544A: This is a common address.
545
546Q: What do you think of the suspect's opinion?
547A: I think it would have been written by a person who is dissatisfied with foreign language.
548
549Q: If you look at the content of the intimidation article, it says 'I'm HUFS student from Seoul, Korea'.
550Answer: Yes, yes.
551
552Q: Did you graduate from a foreign language college and posted the above information in a blackmail message?
553Answer: I would have used the word undergraduated instead of student.
554
555In addition, both the intimidation of Obama and the intimidation of the reporter had strong complaints about foreign language universities by listing the emails, phone numbers, and addresses of foreign language college staff, Do you think that the person who wrote the book impersonated foreign language group like this?
556A: The same person has written two intimidating documents and is probably one of the students at Hankuk University of Foreign Studies.
557
558What is the name of the second daughter and the first daughter of Obama?
559Answer: The second daughter's name is Natasha, and I know that the first daughter's name does not know exactly and ends in. (The investigator showed the name on the intimidation article and asked, "I told the investigator what happened to the suspect, but he did not put it in the dossier.
560
561Q: Did you mention the name of the second daughter, Natasha, in the intimidating letter because she did not know the name of her first daughter and knew exactly the name of her second daughter?
562A: I do not remember that.
563
564Q: Does the suspect want to be a famous person?
565A: I want to be a successful person rather than a famous person.
566
567Q: When we were seized, we told our investigator, "It seems to be famous."
568Answer: Yes, yes.
569
570The Obama intimidation article says, "I have decided to become a famous Korean man in the US today." Did he make a threatening statement and become a famous person?
571A: What I'm saying is that I am a politician and a famous person, not a serial killer.
572
573Q: Have you ever thought about serial killers?
574A: I've never thought about it before.
575
576Q: When is computer used mainly for suspect?
577Answer: The time zone is not set, but we use it at night or early morning.
578
579Q: The Obama intimidating time was about 20:20, and the Repertory intimidating article was written at 02:26. Is it a time zone where the suspect mainly uses computers (more than 50%)?
580Answer: Yes, yes.
581
582Q: Do you have evidence or statements that are favorable to the suspect?
583A: I will submit it later.
584
585Q: Do you have anything more to say?
586A: If you look at the contents of my blog about the referent, you can see that it is contrary to the police claim. Please disclose specific details about the IP band.
587
588(After consulting the attorney Park Cheol-hyun who joined the investigation and the suspect's first and second journals, they come to the newspaper)
589
590Q: Are all the statements stated in the previous meeting true?
591Answer: None of the statements made in the previous survey are true.
592
593Q: Are there any statements that differ from those of the suspect?
594Answer: Not at all.
595
596Q: Does the suspect know that the arrest warrant is currently issued?
597A: Yes, I know.
598
599Q: What do you think about the arrest warrant for the alleged crime of the suspect?
600A: I think it is wrong.
601
602Q: What is wrong with you?
603A: I did not intend to harm the US President Young-ae, and I did not intend to risk the riper Foreign Ambassador.
604
605Q: In the case of a suspect, is there anything wrong with you?
606Answer: Yes, yes.
607
608Q: That means that the judge and the investigating agency are wrong?
609Answer: Yes, yes.
610
611Q: Does the suspect mean that you can not trust the evidence that the investigating agency has secured?
612A: Yes, I can not trust the evidence presented by the police.
613
614Q: The evidence presented by the police is the objectively obtained data from cyber police officers who are specialists in the field of computer. What part can not be trusted?
615A: I do not know exactly what part it is.
616
617Q: What do you mean by not knowing exactly what part?
618A: I am not a computer expert or a forensic examiner.
619
620Q: Is not the suspect a computer engineer?
621A: Digital and computer engineering are different.
622
623Q: What parts are different?
624A: The paper I wrote when I graduated is about sound, about digital signals, and computer engineering is about the computer itself.
625
626Q: Did not the suspect claim to have a knowledge of the computer in the statement before?
627A: Yes, it is true.
628
629Q: In conclusion, you do not trust the police evidence?
630Answer: There is no partial trust.
631
632Q: Do you mean there is another part that you can trust that the part is not trusting?
633Answer: ENCAEC Time-lapse analysis is reliable. (A cybercriminal investigator, a computer expert, continues to spell the ENCASE program incorrectly as ENCAEC, which is one of the reasons for the lack of confidence in the investigation.)
634
635At this time, the suspect suddenly says that he can not trust the program to analyze ENCAEC parallax. The suspect described "trust", but the investigator wrote that the suspect's statement was heard as gibberish.
636
637Q: Does not the fact that we trust the ENCAEC program mean that the evidence that analyzed the time lapse of the threatening posting presented by the police as evidence is correct?
638Answer: Yes, yes.
639
640Q: The suspect clearly said he trusted the ENCAEC program. In the previous statement, I stated that the operating system (OS) laid down in the suspect's laptop was in French time zone and that it would be possible to find out by observing the time difference. Why did you say so?
641Answer: I heard that the Cyber Police officer explained. (The suspect believed so because he trusted the explanation of the computer expert.)
642
643Q: Is not that the interpretation of the current suspect's statement that the suspect posted a threatening message to President Obama?
644Answer: I just want to trust the cyber-forensic investigation technique.
645
646Q: If you trust in cyber-forensic investigation techniques in common sense, do not you trust the evidence presented by the cyber-police?
647Answer: I have a part that I do not understand. The first is the way Porter operates. The way PORCHAN works is, in short, a real-time posting like a daily best. The second is Google search engine exposure time. That means the post is not deleted right away, but exists on the Internet for some time.
648
649Q: What is the relationship between trusting cybercrime and how to operate Pocan?
650Answer: I trust cyber forensic techniques, but the ENCAEC program is poor. Porter and Google also want to apply cyber-forensic investigation techniques to Porter and Google.
651
652Q: If the ENCAEC program is objectively clear and objectively clear about the operation of Pocan or Google, as the suspect claims, then how would you accept it?
653A: I will acknowledge you if you disclose the truth in a public authority.
654
655Q: If the accredited agency does not have any problems with the evidence from the ENCAEC program or cybercriminals, would you admit that the accused is accused?
656Answer: You are acknowledging the credible result, not the accusation. I have never written or posted it.
657
658Q: If you have been verified by an accredited agency, would not it be objective to refute the statement, even if the accused claims no?
659Answer: It is objective evidence that we want you to investigate enough evidence.
660
661(The above questions are typical guidance questions.) The suspect was not able to understand the above questions properly.
662
663Q: What about the suspect 's childhood?
664A: My childhood was loved by my parents, and I was surrounded by a lot of single parents who were economically more difficult than their friends, but were relatively happy.
665Q: What was your home environment like?
666Answer: It was generally a harmonious family.
667
668Q: What was your relationship with your family?
669Answer: It was a good one.
670
671Q: What was your relationship with your childhood?
672A: I did not have a lot of friends because I had few words, but there were about 10 really close friends.
673
674Q: What is your current relationship?
675A: I have no friends at the moment.
676
677Q: Why is not there a friend?
678A: I moved to school often, I came to the army, and I looked for the course of my life, so my relationship became faded. So when I was young I was not in touch with my close friends. Even if my friends want to meet, I do not have anything to do.
679
680Q: What was your grade in school?
681A: When I was in elementary school, it was mediocre. To make up for what I did not do in high school, I studied really hard not to be matched with college days and motives.
682
683Q: How did you look back on your military life?
684A: Military life was the worst of the worst.
685
686Q: Which part was the worst?
687A: I have made a statement before that. In addition, if you tell me what you are doing when you are discharged, it is likely that OO Sergeant is doing his worst and worst. For example, one of the motivations did not receive cold training, but I received it. That's because it was only for me.
688
689Q: Why did the suspect quit his job?
690A: To be honest, it was hard. I wanted to study a little more and go to study abroad and live a better life.
691
692Q: What part was difficult?
693A: When I was working at KBS, I was physically struggling to work 5 or 3 shifts.
694
695Q: What are your reasons for not working recently?
696A: I am studying French.
697
698Q: Can I study while I work?
699A: Because my style does not do a lot of things and I want to get results in a short time. And French is hard.
700
701Q: Did the suspect state that he was living in a seclusion at his home?
702Answer: Yes. There is a fact that I have stated.
703
704Q: What is your daily routine?
705A: The morning hours are not fixed. My life is irregular, and I usually live with my rhythm at night time.
706
707Q: What do you usually do at home?
708A: I sit in a fluffy chair and study French for about 14 to 21 hours.
709
710Q: What else?
711A: In my free time, I am posting political articles mainly on blogs. (The purpose is to turn my attention and turn my head off).
712
713Q: How much time do you spend on computer during the day?
714A: I study on a computer, so it is time to study.
715
716Q: Did the suspect live a night life before he was arrested recently? Or did you live in the morning?
717A: I was in the transition from an evening human to a morning human.
718
719Q: Do you remember what you were doing on July 7, and July 8, 2015, the date of the alleged suspicion?
720A: I think that I was studying 50 or 50, maybe I was sleeping while drinking.
721
722Q: If you studied, did you use a computer?
723Answer: Yes. If I had studied, I would have used a computer.
724
725Q: What is the special reason to use a poisonous foreign site despite the fact that there are many domestic sites such as Naver?
726A: As you know, Naver or the next one, Ivara, is a van (blocked) if you make a political comment or post on a site. So it's a relatively free site, such as Pocan and Google Blog Spot.
727
728Q: The suspect stated that he used the laptops (Lenovo) confiscated in the residence alone?
729Answer: I keep using the password myself.
730
731Q: What is your password?
732Answer: Your password is 656565.
733
734Q: I am going to ask again, the suspect has posted a post on the White House homepage to intimidate President Obama and his family and then murder Ambassador Ripper, including visiting the White House homepage and raping the US President Obama's daughter do you have?
735A: There is no such thing at all.
736
737Q: Is the suspect not making a false statement because of the fear that the charges will be seriously punished?
738Answer: No.
739
740Q: Is not it the wrong idea of the suspects to deny the charges of reprisals in the previous statement? (The suspect had an interview with Park Chul-hyun attorney at the detention center before the third investigation, and the lawyer informed the suspect about the sentence, and the investigator knew the fact, which police intercepted, intercepted, You can be suspicious.)
741Answer: No.
742
743The time of the Obama intimidation article posted on the White House is July 1, 2015, and the time of the threat file on the suspect computer is about 1 minute After the posting on the White House, it was confirmed that it was captured and stored on the suspect computer, and that the threats to the reputation were equally unpublished to the White House about one minute later. Is the statement the same now?
744Answer: Yes. I still think it is impossible.
745
746Q: Is not the accusation of the accused right?
747Answer: No. I would like you to disclose this part in digital forensic techniques. (The suspect answered "truth" and not "statement".)
748
749Question: The suspects, who allegedly downloaded and downloaded the 4Chan.org website on the captive computer's captive picture file, posted the original text on the 4Chan.org site in 2015 7. 8. At 02:31, the time of the original threat (reporter) was stored on the suspect computer was July 8, 2015, and the suspect's claim was confirmed as a false statement, Do you mean to deny?
750Answer: It is possible but not.
751
752Q: Why does the suspect deny the charge of his allegations even after confirming the obvious data to refute the allegations analyzed by Seoul Metropolitan Police Cyber Investigation Service?
753Answer: As I mentioned at first, there are various possibilities.
754
755Q: What do you think of the usual suspects, President Obama and Ambassador Repert?
756A: I am a person who wants to get a work visa in the United States. I am a political patriotic conservative. In the ROK - US alliance, President Obama and Ambassador Repert recognize the need to be protected.
757
758Q: Have you actually seen President Obama and Ambassador Repert to the suspect?
759A: I've never actually seen it.
760
761Q: What do the suspects think about the United States?
762A: I am a country that envies the United States.
763Q: Did the suspect have a plan to immigrate to the United States?
764A: First of all, I was thinking about transferring to a US college after graduating from college before I graduated from college. After graduating from college, I decided to go to immigration because it costs 60 million to 80 million won, I thought that it would be 8 ~ 10 years to collect money and go to immigration or transfer.
765
766Q: By the way, why did not you go?
767A: I'm still preparing to go now.
768
769Q: The suspect is still preparing for immigration to the United States, but he is not actually collecting money or making any other efforts. How do you mean he is preparing?
770A: In the present situation, I do not collect money because I plan to get money at home.
771
772Q: The suspect says America is a country of envy, but is not it because I have dreamed of immigrating to the United States for a long time?
773Answer: No.
774
775Q: Has the suspect ever joined a social organization?
776Answer: Not at all.
777
778Q: I would like to ask you once more, but from the judgment of the investigating agency, the evidence collected by the investigation agency shows that the suspect has posted a blackmail statement based on the evidence based on the evidence.
779A: I think the evidence of the investigation agency was not good and the judgment was wrong.
780
781Q: So what evidence should the accused provide to acknowledge?
782Answer: I do not know.
783
784Q: Did the suspect talk about the lawyer and the polygraph before he started the investigation?
785Answer: Yes.
786
787Q: Are you willing to take a lie detector test?
788A: Yes, I will. I will accept anything to clarify my innocence.
789
790Q: What is your current feelings?
791A: There is no rattling. (The investigator asked the suspect what it meant by "ridiculous" but did not record it.)
792
793Q: Is the statement true?
794Answer: It is true.
795
796Q: Do you have any more to say?
797A: On page 5, it is not the intention of the ENCAEC program to be ill-advised, which means that the investigation is currently inadequate. (The investigator said that he described the suspect as "poor.")
798
799At this time, the lawyer Park Chul - hyun participates in the discussion with arbitrary participation. (At the time of the police investigation, the investigators were instructed by a messenger program installed on the computer used for cell phone and dossier to ask questions in real time with the investigators outside the investigation room. )
800
801At this time, the suspects and lawyers will show the 7th report on July 15, 2015 (the suspect confirms the setting of the OO notebook time zone setting)
802
803Q: Even if the suspect notebook is set to the French time zone, if you convert it to the national standard time through the computer analysis program Encase, you can confirm the creation date of the file and the access date by the national standard time.
804Answer: Yes. I understand what the investigator explained, and I fully understand the time.
805
806At this time, July 15, 2015 investigation report (about the time posted on 4Chan site) show two pieces, and make an arbitrary answer.
807
808When I posted my post on the 4Chan.org site at the Seoul Metropolitan Police Agency's cybercrime investigation office, I found that 4Chan.org posted on the 4Chan.org site, As a result of this, it is reported that the above site is located in the United States and the time posted on this site is output to domestic time. Do you accept the above?
809Answer: Yes. I understood and acknowledged the contents that the investigator showed directly. (Not many people watch the posted time zone while writing on the Internet.)
810
811At this time, I show an investigation report (analysis of the Google Chrome browser capture function and analysis of the writing screen of the website of the US White House).
812If you look at the following five files found on the suspect's laptop, it is a file created by capturing directly from the suspect's laptop through a Google Chrome browser, seencapture-www-whitehouse-gov-contact-submit-questions-and-comments-1432397652564. png and seencapture-www-whitehouse-gov-contact-submit-questions-and-comments-1432397921271.png file on May 5, 2015 at 01:14 and 01:17. And the 13-digit number shown next to the capture file name is the same as the generation time of the generated file. The above 13-digit number is the time information that is automatically generated when the capture is performed by Google Chrome, The time when the capture file was created on the notebook and the date and time when the capture was generated are considered to be the same. 
813As a result, if the suspect is downloaded from the Internet, I've found an hour Capture program can not be the same, there is confirmation that the suspect has written articles connected directly to the White House website, is not that a suspect directly after article creation, capture? (The investigator attached the Encase analysis screen to the record.) This long question is the answer of the suspect
814It is not a question of hope.)
815A: I do not know who did it. It is not me who wrote. It was not the first time to access the whitehouse.
816
817Q: Is the password of the victim's laptop set?
818Answer: Yes, yes.
819
820Q: Can not use the above laptop outside the suspect?
821Answer: Yes, yes.
822
823Q: How can I use the White House on a laptop that can not only be used as a suspect? There are five capture files that are being written by the White House. The above file creation date and time (the date stored on the notebook) and the capture time The date and time are the same. Can the suspect know not to know?
824A: I can not remember it all individually.
825
826Q: Do you remember that the suspect did not write? (Investigators tied several questions together or asked a lot of questions to ask questions, but they were forced to answer the suspect only with 'yes' or 'no'.
827
828The suspect looks at the investigator's eyes for a moment and then answers. (In this case, investigators are attacking through the description of the behavior of the suspect.)
829
830Answer: I did not. (The suspect responded only to 'yes' or' no ', depending on the investigators' enforcement.)
831
832The accused continues to write notes on A4 paper notes. (At the time of the investigation, the note used by the suspect was written by Park Cheol-hyeon's lawyer to the suspect, saying, "The paper is not allowed to go to the detention center." He took the suspect's memo each time and handed it to the investigators.
833
834Q: If the suspect did not do it, who did it?
835Answer: I do not know.
836
837Q: What is the source of the above capture file?
838A: I have a lot of capture and I do not remember. (It is even more suspicious that the suspect remembers everything he has stored on the laptop.) In this way, the investigators proceeded to coerce the suspects into a lie, remembering all the details.
839
840Q: Where did you download the isis.png, usa.png capturing file?
841A: You should have downloaded it from 4Chan.org or Google.
842
843At this time, the suspect shows 35 pictures of Repert Metabolism on OO computer, and he / she answers arbitrarily.
844
845Q: What is the above picture source?
846Answer: It is a picture that is downloaded from the Internet by searching Google with 'KIM KIM Jong', 'Reporter', 'KIMSU'. (At the time of the investigation, the suspect referred to 'Kim Kyeong-jong' as 'Lee Kyeong-jong' because he did not know him well, but the investigators wrote 'Kim Kyeong-jong' without informing the victim.
847
848Q: Why did you download it?
849Answer: I received a criticism of Kim Ki-jong, who attacked Ripper, to post on the Internet.
850
851Q: Did you write criticism about Kim Ki-jong?
852Answer: I wrote.
853
854Q: Do you have any material to prove that you wrote it?
855A: Not now. (The suspect was reminded of the motto: "Let's go with" "Let's go with" "Let's go together"). "I said," Let's go together, "the USFK commander in charge of AFKN (USFK) I remembered it shortly after the terrorist attack and cited it in a criticism. "But the investigator did not record it. Instead, the investigator said," Let's go with Ripper's Ambassador. "Was not it offensive to steal your idea? "And the suspect replied," It is an honor to have inspired Ripper's thoughts. "These statements were not recorded at all.
856
857Q: When I look at the pictures of Reptert threats found on the suspect computer, the file creation date and time are all June 6, 2015, and the last access date is 6.8. Also, it will be 15 times on July 7, 2015. It is the date when the blackmail message was posted to the White House of the United States on July 7, 2015. 7. 7. Why did you read the pictures about Kyung Ri Supervisor 15 times?
858A: I honestly do not know. (The suspect assumed that the access time was changed when moving the photo file.)
859
8607. Do you have any memories of viewing photos?
861Answer: I have never seen it.
862Q: Do you have any interest in Repertoire?
863A: I have a lot of interest since I was attacked by Kim Ki-jong.
864
865Q: Why did you become interested in Repertoire?
866Answer: I was interested because the traps were shocking.
867
868Q: What is the relationship between the suspect and the reporter?
869Answer: Not at all.
870
871Q: When a suspect says that he has been downloaded to post critical criticism of Kim Ki-jong, but the investigator viewed the material posted on the suspect's blog as a smartphone, The time on the suspect computer will be 3/6/2010. I have already posted all the articles about Repertory 3. 6. Why did you download it?
872A: I have a long memory.
873
874Q: When I look at ML.JPG and ML0.JPG files from the reputation photos found on the suspect computer, I have synthesized a picture of Ambassador Repert's blood and a picture of Joker in Batman movie.
875Answer: Yes, yes.
876
877Q: Why did you combine the bloody scenes of Ripper and the photos of Joker in the Batman movie?
878Answer: I do not know.
879
880Q: Why did you synthesize?
881A: I think I downloaded it.
882
883Q: Why do you keep repeating your statements?
884A: It 's been a long time and I can not remember anything. (May 3, 5, 2015), so it is possible that I may not remember it long before the investigation, and I have also asked forcible investigation questions in the reversal of the statement. )
885
886Q: In the previous question, it is clear that the suspect is synthesized. Do you overturn the statement that the question has been downloaded continuously?
887A: It seems to have been downloaded from overseas internet humor site. Honestly, it is an old thing, so I can not remember it.
888
889Q: What do the suspects usually think of IS armed groups?
890A: I think it is an unjustified armed group for IS armed groups.
891
892Q: Do you like IS?
893Answer: I think it is bad.
894
895Q: Do you know about the fact that Koreans have been transferred to IS armed groups?
896Answer: I heard from the news.
897
898Q: What do you think?
899A: I think it is the wrong choice.
900
901There are six IS-related images found on the suspect computer, and the isis.jpg file name shows a combination of a shot of a young boy shooting and a shot of a young boy with a gunshot. To one?
902Answer: Yes. I combined what I downloaded on the Internet.
903
904Q: Why did you combine the above files?
905Answer: I joined to write a criticism on IS. The reason we combined the two is to increase persuasiveness.
906
907Q: Is the official name IS?
908Answer: I do not know exactly whether IS is the official name or ISIS. (In this statement, the investigator said, "How do you know whether the official name is IS or ISIS?"
909
910Q: Is the name of the suspect's notebook combined with the two names listed on the ISIS.JPG?
911Answer: Yes, yes.
912Q: Is ISIS the official name and the file name is ISIS?
913Answer: I accidentally wrote the keyboard randomly and the file name was ISIS.JPG. I explained this to the lawyer, but I do not know why I made the file name ISIS. (The suspect did not answer "I do not know.") The suspect demonstrated the process of pushing I and S on the keyboard vending machine in front of the investigator as a habit.
914
915IS: "ISIS Gallery .png" is an image of the IS file stored on the suspect computer. It is a composite image of a Korean gallery and an IS terrorist (boy). I made a composite picture, why did you synthesize it?
916Answer: The picture is synthesized as above.
917
918Q: So you are following IS?
919A: I will not follow.
920
921Q: Then what is the willingness of IS to live up to?
922A: I saw a sad feeling in the eyes of an IS boy.
923
924At this time, the accused is in a bad mood. (In this case, the cybercriminals investigator described the behavior in a record.)
925
926Q: Why do you often repeat statements that you have shown a determined will in the previous question, but now you feel sad again?
927A: When I first saw it, I did not remember it.
928
929Q: In my first question, I stated that there is a clear will and determination. Why do not you tell me now that you did not remember?
930A: I think that it is possible to interpret several pictures as meaning.
931
932Q: When writing the intimidation letter to Ambassador Repert, the author name is 'Dr Korea Isis One'. The date on which the IS-related images were found on the suspect computer is from June 29, 2015 to 06:53 to 07:36, and the last date that the images were accessed is from July 3, . The time of the crime is 7. 7. and 7. 8. If the suspect sees the IS-related photos and writes the IS-related phrases at the time of the reputation intimidation, is not it?
933Answer: No.
934
935At this time, the suspect is shown a screen analyzed by Encase of computer analysis program and a screen posted on 4chan.org, and attached to the end of this document.
936
937Q: A link file (lnk) is a file that is automatically generated by a computer when a file is viewed. In addition, A0066246.lnk and usa.png link files found on suspect computers are added, and all the time is checked as below. Did you hear from the investigator exactly what was above?
938
939Serial number / contents / date
9401 / Rupert Threaten posted on White House / 7. 8. 02:26
9412 / Screen capture file found on suspect computer (screen shown at the time of writing) screencapture-www-whitehouse-gov-thank-you-1436290042624.png After completing the writing in white house, File / 7. 8. 02:27
9423 / The link file of the above 2 file ("usa.lnk" in the parentheses was printed out in the record.) However, every page of the record of the suspect is printed, and the other cyber agent After they chased it, they scratched the line in the "usa.lnk" and made them suspect that the mistake was one of the reasons for the trust in the investigation. The link file is created when the above file 2 is executed (browsed). / 7. 8. 02:27
9434 / The threats found on the computer of the suspects Original capturing file (screen shown during the blackmail) usa.png
9445 / 4chan.org Posted by usa.png on 7. August 02:31
9456/4chan.org posted a usa.png related post on the screen capture of the captured file (screencapture-boards-4chan-org-pol-thread-47640986-1436290789215.png) with the Google browser chrome. * Link file (A0066246.lnk) Creation date / time 7. 8. 02:40
946
947Answer: Yes. I've heard the exact explanation.
948
949At this time, I explain it to the lawyer clearly and understand it all. (The Cyber investigator noted that all of them were forcibly comprehended.)
950
951Q. 02. 26. The complainant completes the Rupert intimidation article at the White House, captures the thank-you related web page created at 02:27 through the Google Chrome browser, runs the captured image again, After 3 minutes, the original text of the intimidation was changed to file name usa.png, and after one minute, the captured image was posted on 4chan.org, and about 9 minutes later, 4chan.org captured the site again. , The link file was created on the suspect computer and the order of the time series was exactly matched. A total of five reporter-related threat files were found and matched precisely in time order. Is not it an article?
952Answer: Yes, it is.
953
954At this time, the suspect smiled and laughed, answered clearly, and wrote notes on the note. (In this case, the investigator added a depiction of aggressive behavior.)
955
956Question: When I checked the file A0066246.lnk found on the suspect computer, the date of creation was 2015. 7. 8. 02:40, and the process of generating the above file is' screencapture-boards-4chan-org-pol -47640986-1436290789215.png 'Because you executed the file, it was confirmed that the above link file' A0066246.lnk 'was created. Did you actually access the 4chan.org site and capture the above site?
957Answer: Although I have read reporter-related threats on 4chan.org, I can not remember capturing the 4chan.org site with the Google Chrome browser.
958
959Q: So the article on Obama was also read at 4chan.org above?
960Answer: Yes, yes.
961Q: In the previous statement, I read the original capturing text (usa.png, isis.png) from 4chan.org or Google, but it was actually viewed at 4chan.org?
962Answer: No. There is no trust in me.
963
964Q: So, is it true that all the statements so far have gone wrong without trust?
965Answer: I can not be confident that I saw it on 4chan.org. (The suspect stated in the sense that "I can not confirm whether I saw Obama's intimidation and Raptor intimidation article at 4chan or Google").
966
967Q: The time posted on 4chan.org is 7.8. At 02:31, the time the original text was created on the suspect computer was 7.8. At 02:30, the time saved on the suspect computer is faster. How do you state that you have viewed and downloaded the 4chan.org site?
968At this time, the accused responded clearly.
969Answer: I do not know.
970
971Q: Why do you answer the above questions in a straightforward way while you are thinking and responding to other questions?
972Answer: Yes. It is not to protect me.
973
974Q: So far, digital evidence analysis shows that the suspect computer has a lot of related capture files, the time-series is accurate, and the suspect has not posted any threats. Is there any evidence that the suspect did not do it?
975A: There is no current situation.
976
977Q: If 4chan.org has posted such a blackmail, what are the reactions of the others?
978A: There are people who are not sure about the site. I do not know the reaction.
979
980Q: Do people respond well when you post interesting articles on 4chan.org?
981Answer: I do not read the comment. (The comment is written in English, so the suspect will not read it because it is difficult to read.)
982
983Q: What points are earned or posted by posting on the site?
984A: I do not know.
985
986Q: What countries do 4chan.org mainly have access to?
987Answer: It is various. Because it is a US site, there are a lot of people in the United States, and many people from Australia, Belgium and so on. (The suspect refers to the US, Australian, and Belgian flags in the 4chan capture file presented by the investigator.)
988
989Q: How many times do I usually visit the site?
990Answer: I study only once or twice a week.
991
992Moon: The suspects posted on Kyung Cheong University's website on June 29, 2014. If you do not prepare the Civil Defense transportation fee from next year, have you ever posted a post on Mapo Daisho?
993Answer: Yes, yes. The police came because of the letter.
994
995Q: Why did you post the above article?
996A: In case of Civil Defense education, we think that transportation expenses should be paid.
997
998Q: Did you write to commit suicide because of transportation expenses?
999Answer: I did it because it was a must. (The suspect described it as "because it was a matter of course" or "of course, the transportation fee should be paid.")
1000
1001Q: What did the police do when they arrived?
1002A: I checked to see if I was well and went back.
1003
1004Q: In the title of "One person protest from 9:00 am to 6:00 pm on July 25, 2014" on the homepage of Kookmin Shinmunji, "I am planning to return home by tie up with a nylon string by myself on the railing. The location is the place where the male representative of the Sungjae period served on July 26, 2013. " (The place where the male delegate of the Sungjae period invested was Mapo Bridge.)
1005Answer: Yes, yes.
1006
1007Q: Why did you write the above article?
1008Answer: As mentioned above, I thought that Civil Defense transportation fee should be paid.
1009Q: Have you written several times in the Blue House or the National Newspaper? (The investigator asked, "How many times did they all go together?")
1010Answer: Cheong Wa Dae once, the National People 's Journal is more than two times, I do not remember exactly how many times.
1011
1012Q: Do you like to post a civilization like above?
1013A: I do not like it. I am writing because of the absurdity of the policy that did not reflect reality.
1014
1015Q: How did you know about the Blue House homepage and the National Newspaper?
1016A: I went to the reserve army training and learned about the National Newspaper from the executives. After graduating from high school, I got to know the Cheongwadae homepage through search. (The suspect explained, "When the reserve army training was carried out, the reserve army officers told the reserve soldiers," If there is a protest, please file a complaint with the Ministry of Defense. "The Cheongwadae homepage was to inquire about the early enlistment of the army after high school graduation. ").
1017
1018Q: So how many times have you connected to the Blue House homepage?
1019Answer: It is not accurate, but I connected about 2 ~ 3 times.
1020
1021Q: Did you write other articles about civilization?
1022A: I have posted 2 or 3 times in the National Newspaper.
1023
1024Q: What post was posted in the National Newspaper?
1025A: There are a few other complaints about the rape of the army, a request to pay for the reservists, but I do not remember exactly.
1026
1027Q. The suspect claims to have downloaded the usa.png file. If the above file has been downloaded from the Internet, the same Zone.identifier file will be created. However, the above file was not found on the suspect computer. From the above, what do you think the suspect looks like in the file he captured himself?
1028Answer: I do not know.
1029
1030Q: Is there a fact that uses the secret function of the Google Chrome browser?
1031Answer: Yes, yes.
1032
1033Q: Why did you use this feature?
1034Answer: I used something because it was a novel. (The accused was used 1 or 2 times for something.)
1035
1036Q: What is incognito?
1037Answer: I do not know.
1038
1039Q: The secret feature is to keep your Internet access history from being secretly accessed without storing cookies, temporary cache files, etc. when you access the Internet from your Google Chrome browser. Now you know?
1040Answer: I do not know. (The suspect stated that "the explanation does not understand".)
1041
1042Q: Do you use the above functions frequently?
1043Answer: I used it about 1 ~ 2 times.
1044
1045Q: Is there a web browser other than the Google Chrome browser?
1046A: I also use opera.
1047
1048Q: Do you have any more words to reference?
1049A: I would like to ask 4chan and Google image cache "IP usage history" to the Korea Broadcasting Crime Unit, which is requested by the US government to investigate the alleged diplomatic threat, and a search warrant for the server to the US FBI investigation unit. The States (The Star Spangles) Oh, oh, say can you see. By the dawn's early light. What so proudly we hail, at the twilight's last gleaming. Who's abroad, and bright stars, through the parelless fight. All the landpots we watch were so gatherly stream. And the rockets red glare then bombs burst in air. They prove through the night, that our flag was still there. Oh, does that star spangles, banners are weaving. For the land of the free, and the home of the braves. I am longing for Americans and trying to acquire citizenship and green card. I want to be a sincere society. God Bless America! I do not mind, but I want to go to the hospital and have blood pressure and ECG. 
1050I will pay for my headache and chest pain in the night. I will do it in an hour. (The suspect requested 4chan server, Google server, IP search warrant, but the police requested the investigation.
1051?Ignored. The defendant memorized the US nation in English and wrote it in the letter. The lawyer asked, "Do you remember everything?"
1052
1053Q: Do you have evidence or statements that are favorable to the suspect?
1054Answer: Not until now.
1055
1056Q: Are all of these statements true?
1057Answer: Yes.
1058
1059At this time, under the participation of lawyer Park Cheol-hyun,
1060Q: What do you usually think about women?
1061A: I do not want to pursue benefits, but I have a duty to equip men with various duties, such as duty of defense.
1062
1063Q: Does the suspect experience having sex with a girlfriend?
1064Answer: Yes.
1065
1066Q: When did you meet some people?
1067Answer: During the sixth grade of elementary school, I have had about three times in total during my college days.
1068
1069Q: How long have you been dating?
1070Answer: It was a short time, but I can not remember the exact time, and it is sure to be less than 6 months.
1071
1072Q: When was your relationship?
1073Answer: The army has gone to the first grade of college, and fellowship is in the second, third, and fourth grades of college. (The investigator asked the military when he was in college, and described the answer of the suspect as this question.)
1074
1075Q: Have you ever had a relationship with a woman recently?
1076Answer: No.
1077
1078Q: In my blog, I have posted many articles about women. Do you have hostility toward women?
1079A: I do not feel hostile to women. I think it is better to buy and buy sex rather than having a new woman.
1080
1081Q: Do you not make a woman for the same reason?
1082A: I do not make contact because I think it will hinder my studies.
1083
1084Q: Does not it make it difficult for women to make friends?
1085A: I do not want to hurt my girlfriend. I think we should have emotional responsibility if people come together.
1086
1087At this time, the suspect speaks to the investigator who asked him to rub the suspect's shoulder at the time of the break. (The suspect has made such a request to the investigator for health reasons. The detainee detained, and the intense examination for a long time caused the blood pressure to rise, severely pulling the nape.)
1088
1089Q: Does the suspect have a bad feeling about Jeolla?
1090A: I have bad feelings.
1091
1092Q: What kind of bad feelings?
1093A: I do not know where to find the public fund for the Jeolla Province politician (President Kim Dae-jung), but I do not know where they are, but most of the people from Cholla Province are behind the scenes.
1094
1095Q: Have you seen a few people in Cholla?
1096A: During my elementary school days, during military affairs, during college, and during my working life, I met a lot of people from Cholla.
1097
1098Q: So, do not you come from another area?
1099Answer: It is said that there is a lot of chance. (The suspect thought that Chungcheong - do had more backstriking than Cholla.
1100
1101Q: Why do you have feelings about backcountry?
1102A: I do not remember. (The investigator suddenly told me to tell the story behind the back door.
1103
1104Q: The suspect has stated "I do not remember" in all previous adverse statements, and I just said that I hated Cholla right before. Why is it that I do not remember suddenly?
1105A: I can not remember the present situation.
1106
1107Q: Then, according to the suspect's statement, I think that not only Jeolla-do, but also those from other regions are hiding all over the people of the Republic of Korea and all over the world.
1108A: I think there are good people.
1109Q: Who is a good person?
1110A: I am a free meals person.
1111
1112Q: Do you hate everyone if you are from Cholla?
1113A: I do not hate everything, but I hate people who do not hate it.
1114
1115Q: Where is the suspect's home?
1116A: It is Seoul. (The suspect's birthplace is Seoul.)
1117
1118Q: Where is the suspect?
1119Answer: Andong, Gyeongsangbuk-do. When I was in Seoul, my family stayed in Andong often. (The home of the suspect's parents was Gyeongsangbuk-do, and when the suspect was young, he visited the country every summer.
1120
1121Q: In the army, was there a senior from Cholla?
1122Answer: Yes, yes.
1123
1124Q: What were the elders from the Jeolla Province?
1125A: When I was working, I wanted to bring a piece of equipment, but I did not like it. I think I was troubled by the man panting.
1126
1127Q: What is the usual amount of money for the suspect?
1128Answer: The beer is 1000cc. If you drink shochu is not good. (There is no specific reason for the suspect to respond in numerical form, but he was questioned by the investigator that he had good memory.)
1129
1130Q: When and where do you drink alcohol?
1131A: I drink alone at home.
1132
1133Q: What kind of alcohol do you like usually?
1134Answer: I like beer.
1135
1136Q: There is a liquor in the suspect's room, do not you drink liquor?
1137Answer: Sometimes I mix with the liquor.
1138
1139Q: Why do you have miscellaneous meat sauces in your room?
1140Answer: I usually bring the sauce because I usually eat in my room.
1141
1142Q: Why did you bring dozens of bottled water in the room of the suspect?
1143A: There is nowhere left for my mother to leave it in my room.
1144
1145Q: Is there a place where I can put the water bottle above the pit house at 45 pyeong?
1146Answer: I do not know. Ask your mother.
1147
1148Q: How often do you drink alcohol?
1149Answer: Drink about once a week.
1150
1151Q: Who is buying alcohol?
1152A: Sometimes parents come and go with their parents. (The suspect stated, "Sometimes I go to the mart with my parents.")
1153
1154Q: Do you drink with your father?
1155Answer: My father does not drink together because he likes rice wine.
1156
1157At this time, the suspect trims. (Describe behavior for human attack.) The suspect came up from the top with stress and tension and trimmed.
1158Q: After drinking alcohol, do you have actions other than usual, such as not remembering, singing or sleeping?
1159A: There is no such activity, and I drink mainly to take a good night's sleep. (Normally, the suspect's drinking habit is to drink beer while watching TV on the other side of the room, and drink alcohol when the alcohol is weak.) The suspect is used to study the notebook by blowing it, not to drink alcohol. Because the study room where the notebook is located is so hateful that it gets dirty with drinking alcohol, it never drinks in the study room, and it often witnesses the families of suspects.)
1160
1161Q: Do you remember when you drink alcohol?
1162A: At the KBS, after drinking alcohol, the film was broken, but not now. (The suspect has not drunk so much that the film has been severed since he left KBS in 2013.)
1163
1164Q: The suspect is a good memory, a bad one?
1165Answer: Good.
1166
1167Q: What is the foreign language skill of the suspect? (The suspect was treated as a spy who spoke three or four languages to the police officers from the time of the emergency arrest.)
1168Answer: The TOEIC score is 780, the speaking score is 150, and the French is the beginner level. (Speaking is TOEIC Speaking Test.)
1169
1170Q: Do you have language ability?
1171A: I think I have language skills, but others say I can not.
1172
1173Q: Do you have good memory to be able to have language skills?
1174A: I think it is a hard work. (The suspect thought that language ability was an effort, not a memory.)
1175
1176Q: How many drinks did you drink at the time of the seizure?
1177A: You drank about 2,000cc of beer. (The suspect drank two bottles of beer.)
1178
1179Q: The suspect drank beer during the seizure process, and he tried to drink it?
1180A: I drank 2 rounds of beer, but Yang tried to drink it, but the investigator told me not to eat it.
1181
1182Q: Do you remember exactly when you were seized?
1183A: I remember faintly.
1184
1185Q: Is it because I drank a lot of alcohol because I remember dimly?
1186A: I had a hangover, and I was sleeping.
1187
1188Q: When did you drink?
1189Answer: You started drinking at 00:00 or 04:00 on the day of seizure and drinking 2,00cc until 12:00 am. (The day of the seizure is Jul. 13.)
1190
1191Q: What do you like to eat?
1192A: I just drink.
1193
1194Q: Did not you eat?
1195A: I did not eat. (The suspect was starving from 13th to the present.)
1196
1197Q: When I was seized, I lay down on my bed for more than five hours. After the emergency arrest, do you remember saying "bring an executive chair" or "bring a wheelchair" in the office of the broadcaster investigation?
1198Answer: Yes.
1199
1200Q: Do you remember clearly at the time of seizure search?
1201A: I can recall a dim.
1202
1203Q: So if the suspect drinks a lot of alcohol, he can not remember all of it?
1204Answer: Yes.
1205
1206Q: Can you recall a dimly or not?
1207Answer: Yes, yes.
1208
1209Q: When the suspects were seized, they asked the investigator, "Are you sick?"
1210A: I can not remember which word I used, but I remember remembering that I was hurried.
1211
1212Q: In conclusion, the suspect has a good memory, but the suspect does not remember all the contents if he drinks a lot?
1213A: It is true that alcohol causes memory loss.
1214
1215Q: In the room where the suspect sleeps, several masks were found, and for what purpose did he bring them?
1216Answer: I bought two from the domestic Internet site for use as a toy. (The investigator did not record the statement in the memorandum that the suspects "bought the same toy when buying a product on the Internet and trying to meet the shipping reduction conditions.")
1217
1218Q: How do you use masks as toys?
1219A: I had fun with two mothers of relatives on the New Year's Day.
1220
1221Q: Is not that what you bought to use?
1222A: I have an intention to write and play.
1223
1224Q: Is it fun to play with a mask?
1225Answer: Not written. (The suspect stated in the sense of "I have never written a mask since purchasing it.")
1226
1227Q: What kind of mask is it?
1228Answer: Eyes are white circles, nostrils and mouth are small masks.
1229
1230Q: Is this mask the mask of the famous hacker group Ananimus?
1231Answer: No.
1232
1233Q: How is it not?
1234Answer: Ananimus mask has a mustache.
1235
1236Q: How much did you buy on top?
1237A: I can not remember the price range.
1238
1239Q: Ananimus is a popular hacker group on the Internet, right?
1240Answer: Yes, yes.
1241
1242Q: How did Ananimus know?
1243A: I learned from the news.
1244
1245Q: When I look at the obsessions about the Obama family, there is a post that says, "I'm always tired of wearing a sultry costume and doing masturbation." What does a saint costume mean?
1246Answer: A sultry costume is high heels in stockings.
1247
1248Q: Is not mask wearing?
1249A: I know there is a separate mask for senility. (The suspect stated in the sense that "If you go to a sexual disorder, you will have symptoms.")
1250
1251At this time, the lawyer gives attention to the suspect. The suspect is hesitant for a moment. (Park Cheol-hyeon, an attorney, told the suspect, "This is a place for investigation, not a knowledge hall.")
1252
1253Q: Are they wearing masks a lot?
1254Answer: I have not seen it.
1255
1256Q: Do you usually have your favorite side dish?
1257Answer: I prefer meat and meat.
1258
1259Q: Do you usually like Kimchi?
1260Answer: Sometimes I eat.
1261
1262Q: What kind of kimchi do you like?
1263A: I like cabbage kimchi that my mother gave me.
1264
1265Q: Are you safe from AIDS if you eat a lot of kimchi?
1266A: I do not think it is groundless.
1267
1268Q: In what way do you think like this?
1269Answer: I know there is no evidence in Yang medicine.
1270
1271Q: Do not you trust Oriental medicine?
1272Answer: I do not trust.
1273
1274Q: In the Obama family intimidation article, there is an article titled "It is safe to eat Kimchi and be safe from AIDS." What do you think about the above?
1275A: I think it is bullshit. (The accused stated "in the sense of" there is no basis. ")
1276
1277The suspect responds confidently. (Because it is natural).
1278
1279Q: Why did you post the above?
1280Answer: There is no answer for me.
1281
1282Q: What were you doing on July 7, and July 8, 2015?
1283A: I was at home and I do not know what I was doing.
1284
1285Q: Who were you with at the time?
1286Answer: There were only three people like father, mother, me.
1287
1288Q: Who mainly accesses the study room where the suspect laptops are found?
1289Answer: I go in alone and use it. I can not let anyone.
1290
1291Q: Is there any reason to use this room alone?
1292A: I do not like anyone who touches my stuff.
1293
1294Q: Are you usually alone in the room above?
1295Answer: Yes. I am alone.
1296
1297Q: Why did you stop the entrance of the room with a bookcase?
1298A: It is noisy. I moved the bookcase to the door entrance.
1299
1300Do you know that the mother of the suspect at the time of the seizure prevented the entrance to the room above the study room where the investigators could not enter?
1301Answer: I first heard. (At the time of the confiscation, the accused continued to stay in the room next to the porch in the surveillance of two police officers.)
1302
1303Q: What do you do alone in the room above?
1304A: I study and access the internet.
1305
1306Q: What is the identity the suspect uses on the Internet?
1307Answer: There are several IDs such as helpmeusacom@gmail.com. Domestic mail is not used. (The suspect has Naver and the next ID that he does not use.)
1308
1309Q: Why do I only use overseas email?
1310Answer: To use the Google blog, Naver and the next time I post my article because the blog is blocked.
1311
1312Q: What kind of content does this block?
1313Answer: Political writings (such as writings about women) block themselves.
1314
1315Q: Are you usually interested in politics?
1316A: I am not an enthusiastic political follower, but my political orientation is patriot pay. I have never joined a special political party.
1317
1318Q: What do you think of Lim?
1319Answer: It is a pen name.
1320
1321Q: You are from the school of the suspect. What do you think about Lim Soo Kyung?
1322A: If Mr. Soo-kyung left Yong-in campus, he would have supported the department elsewhere.
1323
1324Q: What did Dr. Soo Kyung majored in?
1325A: I graduated from French literature.
1326
1327Q: So do you hate Lim?
1328ANSWER: Ms. Soo Kyung Lim is hated by the North Koreans.
1329
1330Q: What do you think about the best site for the day?
1331A: I think they are poor people. (The suspect thought, "Because I can not get a job, and I live with my parents at home.")
1332
1333At this time, the suspect trims. (Because the suspect was unable to eat, the sperm from above rises.)
1334
1335Q: Who uses the notebook?
1336Answer: I use it.
1337
1338Q: Do parents and siblings use a laptop?
1339Answer: No. Not once.
1340
1341Q: Who knows your notebook password?
1342Answer: I know only.
1343
1344Q: Why did you set a password on your laptop?
1345Answer: I only use it for myself.
1346
1347Q: What does the password mean?
1348Answer: No meaning. (The suspect has demonstrated to the investigator that it is an easy location to press the index and stop on the keyboard.)
1349
1350At this time, we show the screen shot of the SuperHideIp program found on the suspect's laptop desktop to the suspect and attach it at the end of this document.
1351
1352Q: I have found a program that can hide the SuperHideIp IP on the suspect computer desktop. I analyzed the above program directly by Cybercrime, and it was easy to change my computer's IP with a mouse click. Why can I change it to U.S.IP when I connect to the internet in Korea? Why?
1353Answer: I downloaded and installed it on the Internet. (The suspect was doing something just once after installation.)
1354
1355Q: Is not it the intention to hide your IP?
1356Answer: No.
1357Q: Why was it downloaded because I did not intend to hide it?
1358Answer: I am interested in seeing the arrest news about IP trace, and got it downloaded.
1359
1360Q: How did you find out that you have the above program?
1361Answer: I learned from internet search.
1362
1363Q: How exactly did you download it?
1364Answer: I have downloaded the keyword "ip change" from Google and searched the web page, but I do not know from which site I got it.
1365
1366Q: Why are you trying to hide IP?
1367Answer: I do not know.
1368
1369Q: Do you make statements that only an unfavorable statement is "I do not know"?
1370A: In the news, I found that the police were arrested for tracking down the IP. (The suspect stumbled across KBS News, which reported this incident on a large television set in the Jongno police station detention center.)
1371
1372Q: So, what kind of crime did you download the above IP change program?
1373Answer: No.
1374
1375Q: How many times have you tried this program?
1376Answer: I installed Super Hide IP and tried it once after installation.
1377
1378Q: How about running the program above?
1379Answer: It was executed with a single mouse click. I did not check whether the IP was changed, but I tried to execute it.
1380
1381Q: Is it easy to change the IP?
1382A: I think it depends on the person.
1383
1384Q: After we have run the above program, it is easy to operate with a single mouse click, and the suspect is said to be executed with a single mouse click on the statement. What does it mean by different people? Does it mean that clicking the mouse is difficult?
1385Answer: It's easy to run, but I think there is a difference between people searching and finding them. To find the above IP change program, it means that no one can find and search well.
1386
1387Q: Does the suspect have the ability to find a program that can ultimately change the IP?
1388Answer: I accidentally found it.
1389
1390Q: Anyway, you entered your keyword directly into Google search and actively found it?
1391Answer: No.
1392
1393Q: In the previous statement, why did you say that you searched for a program by putting keywords directly into it, and now you have accidentally found it accidentally?
1394Answer: It is not a reversal of a statement. Superhideip is a coincidence that I clicked one of the tens of thousands of search results in the search result called IP change.
1395
1396(At this time, a police officer Kwak Dong-gyu was sitting beside the investigator of the South OO investigating the case, "OO, who did you coach?" Kwak Dong-gyu participated as an investigator in the first and second police investigations I asked the suspect jokingly, "Mr. OO, what's wrong with your mind? Why did you answer that?" But when the investigator did not proceed as intended, he began to press it like this.
1397
1398Q: Did you spend a lot of time looking for the above program?
1399A: I do not know that. (A suspect could not remember because there were a huge number of suspects who searched the Internet from time to time.)
1400
1401Q: Do you think that you have good internet search ability?
1402A: I do not think so. (The suspect stated "I do not have an internet search ability certificate".
1403
1404At this time, take a break for a while. (At this time, police officers from the police department gathered to discuss the next question.)
1405(At the time of the investigation, an older, broader investigator (Kim OO) told M OO, "Do I have to turn on my laptop?" M OO said, "I need to turn on the laptop to run VMware." A large investigator told M OO, "Then think carefully and turn on the laptop!" M OO went upstairs, and M OO, who came downstairs again, questioned me about a woman's body anus And I threatened to add charges even if I just stored these pictures. I guess South OO went upstairs and manipulated the laptop.
1406
1407Q: With the above IP change program, you can see the data from the cybercrime today.
1408Answer: It seems easy to double-click to run the program.
1409
1410Q: Which site did you go to when you run the above program and change your IP?
1411A: I do not remember.
1412
1413Q: If you look at the dates on which the above program was installed, the date of the last access will be June 6, 2015. When was the last date used?
1414Answer: I used it once on the day of installation on July 16, 2014.
1415
1416At this time, show the observer's photo and picture file (filename: IP address washing method .jpg, any weblock readme.jpg) found on the suspect's notebook and attach it to the end of this article.
1417
1418If you look at the picture file (IP address washing method .jpg) found on the suspect's notebook, you will see how to download and install the site bypass program which is blocked in the country. Any weblock readme.jpg It explains how to block access to the website. Is it possible to keep the above files in order to access some blocked sites in Korea?
1419A: You were not trying to connect to a blocked site.
1420
1421Q: How do I delete the address of the IP address above the .jpg file?
1422A: I've captured and saved the results of searching for "change my ip" on Google.
1423
1424Q: The suspect has a lot of doubts about IP, asking him to confirm the IP posted on 4chan.org. According to recent cyber-investigation techniques, IP modulation is very easy, so you can not identify suspects with just one IP. Is not it because I suspect that the suspect has altered IP or used other means of detouring?
1425Answer: No. I did not know how to investigate, and I saw the arrest news through IP tracking. (The suspect did not ask for "please confirm the IPs posted on 4chan.org" and asked for an IP address when he saw the news article "I traced the IP and traced it." Of course, There is a number.)
1426
1427Q: Is there a way to change the IP?
1428Answer: I do not know.
1429
1430Q: What do you usually think about the United States?
1431A: I am longing for the United States and working for US citizenship and green card.
1432
1433Q: Is Obama Democratic or Republican? (The previous day, the suspect received a long-term investigation of the crime profile, which was not recorded in the memorandum separately from the police investigation. At this time, the suspect had stated that Obama was a Republican in a questionnaire with two crime psychology professors, When the investigator who was observing from the outside tried to search the internet, it was different from the fact, and the police investigation asked this question the next day.
1434A: As far as I know, Republicans. (The suspect responded to the investigator after commenting in advance that the criminal psych profiler was a question yesterday, but the statement did not record this statement.)
1435
1436At this time, using a smartphone search through Wikipedia, Obama will show the suspect that he is a Democrat.
1437
1438Q: Why did you think Obama was a Republican?
1439A: I do not know about American politics. (The suspect stated "not interested in American politics." The suspect, when the investigator came to the conclusion, "presumed Obama as a Republican because the northern United States, where the liberation of black slaves began, is the base of the Republican Party." But did not record.
1440
1441Q: Is the Democratic Party more progressive than the Republican Party?
1442A: I do not know that.
1443
1444Q: Do you not know that you are interested in politics?
1445A: I do not know about American politics. (The accused stated that they are "interested only in domestic politics.")
1446
1447Q: What do you think about Obama?
1448A: I think he is respected as the first black president in the United States.
1449
1450Q: Is the image of a monkey synthesized by Obama and Michelle synthesized by the suspect?
1451Answer: No. Downloaded. (I suspect the suspect downloaded the 4chan watermark below the photo.)
1452
1453Q: Where did you download the above file?
1454Answer: I downloaded it from 4chan. (I suspect that the suspect downloaded the 4chan watermark below the photo and downloaded it from 4chan, but in some cases the source was downloaded from a non-4chan location because it was downloaded from Google's search results.)
1455Q: What is the above picture?
1456A: This is a picture of Obama as a monkey.
1457
1458Q: Why did you download the Obama Obituary photo and save it on the suspect computer, saying you respect Obama?
1459At this time, the suspect trims. (Because the suspect was unable to eat and sickness came up inside.)
1460Answer: I have downloaded it in order to utilize the background of the person who made the picture above as a material for writing criticism.
1461
1462Q: Did you write criticism on your blog?
1463A: I would not have. I do not know for sure. (The suspect later downloaded the photo because he was going to write if he had time.)
1464
1465Q: I have a bad feeling about Obama. Did not I download the above photo?
1466Answer: No.
1467
1468Q: Is not it a good idea to download something because I did not write it?
1469Answer: No.
1470
1471Q: Is it fun to see the photo of Upper Obama?
1472Answer: Disgusting.
1473
1474Q: I told you that Obama's photographs are disgusting, but should not you write them if you do not write related articles? Why did you keep it?
1475Answer: I will use it later when I write again. (When the suspect tried to write, he kept it on his laptop because he could not find it on the internet.)
1476
1477Q: What do you think about black people?
1478A: I think that black people are the same people and call themselves black people themselves. (The suspect thought that the word 'black' with 'black' was a racist expression, so it should be replaced with 'African American' in our country.)
1479
1480Q: The suspect is very clear about the above question. What belief do you have about racism?
1481A: Racial discrimination is an ideology by some white supremacists. This includes blacks and asians. Therefore, Koreans can also be victims of racial discrimination.
1482
1483Q: Does the suspect think that I am logical and reasonable?
1484Answer: I only believe in evidence as much as possible.
1485
1486Q: By the way, why did you not commit crime while trusting all the results of computer digital evidence analysis?
1487Answer: The superhidip is a bit less reliable.
1488
1489Q: Even if there is generally a favorable feeling about America, can you think about Obama badly?
1490A: Because I work for US citizenship, I do not think separately. (The suspect described the police investigator as "honoring Obama, the first black president," but did not record it.)
1491
1492Q: Have you read a lot of articles about Obama?
1493A: I have not read much. (The suspect had not read much of the article because he was not interested in American politics.)
1494
1495Q: What do you think of Obama attacking the terrorist group of is?
1496A: The attack on the terrorist group is an absolute support.
1497
1498At this time, the suspect was found in the OO notebook. The brain was blurred, the woman was naked in the grass, the body was naked, the child was naked, the anus was opened with her finger, , A picture of a child with a knife in his stomach, a picture of inserting a male penis into the anus, a picture of autopsy of the body's head and abdomen, a picture of the body's eye, a picture of the body's head, A photo of a woman showing her blood in her genital area, a photo of a woman showing a broken thorax, a picture of a woman's head being cut off, a picture of a woman's penis, a penis, Two men are fingers of a child's penis, a picture of a woman cutting her head in the body, a picture of a Korean flag in her bowel movement, a picture of her lower body cut off, 
1499A photograph of a woman's legs being cut off, a picture of a woman dropping blood, a picture of a man shaking a manpower in North Korea, a picture of Kim Jong Il, a picture of a witch in the body, a picture of Kim Jong Il with children , A photo of women wearing surgical gloves and a woman's anus, and attaching them at the end of this paper. (The investigator is correct
1500I tried to express it as sensational as possible by ignoring one meaning. The suspect then made every effort to write the meaning of each photograph in the blank given on page 591 by hand. The suspect was not able to continue eating, saying, "If you have a person who goes over this kind of investigation, it is a psycho pass.")
1501
1502A total of 35,438 picture files (extension jpg, png) were stored on the suspect computer, and about a quarter of them were found. As shown by the suspect, many female anus pictures and body pictures were found. Why is the picture file stored on the suspect computer?
1503Answer: I was interested in death, so I downloaded the above photo, and the woman's anal photo was downloaded because it was porn. (A South Korean cyber investigator who led the interrogation from the third police investigation said, "I am guilty only by possession of the above photo file. I can add more charges that I did not prosecute." He threatened the suspect to feel frightened, .)
1504Q: Is the above file taken by the suspect himself?
1505Answer: No. I downloaded it from the Internet.
1506
1507Q: Where did you download the Internet?
1508A: Google has searched the website for porn related words, and body pictures have also found and downloaded websites based on results linked from the porn sites. (All the suspects could not remember.)
1509
1510Q: How do you feel when you look at the picture file like above?
1511Answer: I am not happy, but when I receive the AP Reuters communication at KBS, I get a lot of cruel pictures. So it seems that I became more interested in the above picture.
1512
1513Q: So, did you become interested in the above pictures while working at KBS?
1514Answer: No. After leaving KBS, the pace began to change pessimistically.
1515
1516Q: What does it mean to be pessimistic?
1517A: I know Nietzsche is pitiful.
1518
1519At this time, (the investigator did not record "Attorney Park Chul-Hyun"), I checked the dictionary of pitfalls with a smartphone and said "I hate the world and see everything as dark and negative" Show it to the suspect. (The lawyer Park Chul-hyeon, who has been silent, searches for his smartphone and handed his smartphone voluntarily even though the investigator did not ask for it. In the prosecution investigation, Park Cheol-hyeon counseled the suspect along with the prosecution attorney I stood in the position of.
1520
1521Q: Is the above dictionary definition meaningful to the suspect?
1522A: What I'm talking about is the content of a longing for death.
1523
1524Q: So, did you post a statement to the Blue House about suicide?
1525A: That was to insist my position for political purposes.
1526
1527Q: Have you tried to die?
1528Answer: No.
1529
1530Q: So what is it that you only dream about death?
1531Answer: Yes, yes.
1532
1533Q: I think it would be insulting to kill people if I frequently read the above pictures. What is the opinion of the suspect? (The cyber criminal investigation team, the cyber criminal investigation cyber criminal investigation team, expanded the scope of the investigation and tried to prove the suspect's allegations until the murder of the US, excessive cyber criminal investigation, suspicion of cyber criminal investigation expertise .)
1534A: I do not know that.
1535
1536Q: If you are curious about ordinary people, even if you look at pictures like this once or twice, I do not think you will download unnecessary downloads to your computer. Why did you download and keep hundreds of such body photographs?
1537A: It's a habit to download.
1538
1539Q: How do I download it?
1540Answer: Click the right mouse button to save.
1541
1542Q: Where do you store them?
1543Answer: Save on your desktop.
1544
1545Q: Do not you be surprised when you see a picture of a body above the desktop?
1546Answer: The desktop is not surprised because it does not have a preview function. (Windows XP does not have a preview on the desktop.)
1547
1548Q: Can you preview the desktop picture in Windows Explorer?
1549A: I do not even see my desktop by using Windows Explorer.
1550
1551Q: Do I need to use Windows Explorer to work on my computer?
1552Answer: Use it occasionally. (The police cybercrime investigates and inquires about the computer usage habits of the suspect more than the result of the evidence analysis.) It is suspected that the investigation of the civilians through the hacking of the police before the police seizure.
1553Q: Why are you downloading only a female body image, mostly a female body image, and a male body image is rarely identified?
1554Answer: There is no particular reason. (Because netizers prefer female body images to male body images, there are more female body images on the internet.)
1555
1556Q: Is not it because of hostility to women?
1557Answer: There is no hostility.
1558
1559Q: Why do most women download and keep only photos? (I repeatedly asked the question the investigator did.)
1560Answer: There is no special reason. (At this time, investigators of Kwang Dong-gyu, including Kwak Dong-gyu, who accompanied Ms. OO, gave information on experiences such as the autopsy of twin baby corpses and the autopsy of pregnant women's bodies. I was not sure what to do.
1561
1562Q: Do you know about the suspects viewing these photos and storing them on the suspect's notebook?
1563A: You do not know.
1564
1565Q: How do you feel when your parents know?
1566A: I think I should get a family register. (At this time, investigators and police officers laughed aloud.)
1567
1568Q: Have you ever posted the above file to another Internet site?
1569Answer: Not at all.
1570
1571In the meantime, if you look at the suspects' statement, they say that they downloaded Obama's blog and posted it on their blog. Is not that the body image downloaded for posting or posting?
1572A: The body is not the subject of my blog.
1573
1574Q: So what is the subject of the suspect blog?
1575A: My blog topic is thoroughly political.
1576
1577Q: When I look at the picture of the body of a woman in the above, the file name is 'cute-dead-girs-random number'. Do you think that the body image of the woman is also cute?
1578Answer: No. That's not what I made the file name, it's the filename I got, and I think it's crazy if I think it's cute. (The suspect stated, "The file name was downloaded from the Internet.")
1579
1580Q: So what do you think about those who uploaded the picture of the body above?
1581Answer: I did not see that the above picture was uploaded on the Internet.
1582
1583Q: Is the above body picture a real body picture?
1584A: I do not know if I am authentic.
1585
1586Q: How did you get to know the site with the above pictures on the Internet?
1587Answer: I ran through Google.
1588
1589Q: Do you usually do a lot of Google searches?
1590Answer: I do a search on Google, and I use it to study with Google.
1591
1592Q: Does the suspect have any bad memories about the anus?
1593Answer: Yes, yes.
1594
1595In the complaint filed by the Ministry of Defense, the accused was raped by a small commander, and the commander of the police officer inserted the penis into the anal canal 20 times and shook it 20 times. Did you insert your penis?
1596Answer: Yes, yes.
1597
1598Q: Will it really shake about 20 times?
1599A: I do not know that.
1600
1601Q: Why did you write 20 times?
1602A: At that time, I thought so. (The suspect was estimated 20 times at the time.)
1603Q: Is it not possible to write false contents in civil complaint?
1604Answer: Yes.
1605
1606Q: Is not it possible to write 20 times for any sure number of times or memories? If not, will the Ministry of Defense be able to deal with it later?
1607Answer: I did not set the number of times clearly.
1608
1609Q: I have a bad memory for anus. I only store a female anal picture on a separate suspect computer and say to the White House: "I'm tired of wearing sex dressers and doing masturbation. I will rape my fourth daughter, Natasha, with an anal. Because it seemed to be a more polite way to ask. I think that the anus of the second daughter is more resilient than the anus of Malia (the first daughter), so I should get permission from the parents before I feel black anal. "
1610Answer: No.
1611
1612Q: How did you find out that your second daughter's anus was more resilient?
1613Answer: No.
1614
1615Q: For what reasons did you keep the picture file with stool on Taegeukgi?
1616Answer: I saved it to write a criticism against contempt of the flag. (The suspect stated "in order to criticize the act of insulting the flag, the photograph was saved.")
1617
1618Q: Do you have any material to prove that you wrote your blog?
1619Answer: Currently, this is not possible.
1620
1621Q: What did you think about the photo above (photo with stool on the flag)?
1622A: In this way, blaspheming the country itself was considered insipid. (Investigator erroneously recorded 'national flag' as 'country'.)
1623
1624Q: Do you have a photo posted on 4chan.org with the stool on top?
1625Answer: I do not know. (The suspect stated to the investigator that "the posts posted on 4chan are not posted on 4chan unless they are on the blog because they post the same on the blog," but did not record it in the dossier.)
1626
1627Q: The suspect is only saying the adverse statement "I do not know"?
1628Answer: I do not judge whether it is a favorable or an unfavorable question, and I do not remember what I do not remember. (The accused stated "not to judge" but not "to judge.")
1629
1630Q: For what reasons did Kim Jong Il and Kim Jong Eun photographs and North Korean artificial photos be stored on the suspect computer?
1631Answer: I downloaded it as a material to write a critical article about Kim Jong Il, Kim Jong Eun, and Kim Il Sung.
1632
1633Q: Did you write the criticism above?
1634Answer: I am not sure, but I would have written it.
1635
1636Q: Do you have any material to prove?
1637A: There is currently no documented evidence.
1638
1639Q: What do you think about North Korea?
1640A: North Korea is a Republic of Korea.
1641
1642Q: When I look at the text of the intimidation article, I read "I hope to penetrate the black anus before being murdered by Kim Jung Eun". Have you ever posted a picture of Kim Jung Eun in the same intimidating article? ?
1643Answer: No.
1644
1645Q: Do you often get things that you do not remember well?
1646A: Two years ago, but not now. (The suspect stated, "Two years ago, when I was working before 2013, I was drinking and the film was broken.")
1647
16487. In the 20th investigation, we posted "Suicide" and "Demonstrate" in the Cheong Wa Dae and the National Newspaper, and when I posted a complaint to the Ministry of Defense that it had been raped by the military in the past, 7.7 at the time of the crime. And 7.8. The contents do not remember exactly what we did. The suspect is reminding you that you want to remember what you want to remember and that you do not know what you do not want to remember? (The military rank of the suspect is the sergeant, and in the complaint, only the name of the subcommittee is listed, not the elder sibling.)
1649Answer: No.
1650
1651Q: So why do not you remember the recent events?
1652A: I have lost the concept of time because the same life repeats itself.
1653
1654Moon: 7.7. And 7.8. At the time of the crime, I drank a lot of alcohol and posted blackmail in the White House.
1655Answer: No. (The police 's claim is different from the fact that "I drink a lot and the film is broken.")
1656
1657Q: When exactly did you find out about 4chan.org?
1658A: I do not know the exact time, but I got to know it in the early 2000s. (I'm not sure, but the suspect did not know 4chan early.)
1659
1660According to the cybercrime investigation of Seoul Metropolitan Police Agency, the blog of the suspects was found, http://helpkorea.blogspot.kr, http://fuckingkorean.blogspot.kr, http://unicefusa.blogspot.kr, http: // antihufs.blogspot.com, http://plus.google.com/112036166079289779835/posts, http://ihatekorea.blogspot.com, http://helpmeusa.tumblr.com, http://jeolladian.blogspot.com, http://helpmeusa.egloos.com, and http://sangpyenyeo.blogspot.kr, and the above suspects' blogs include the suspect Citibank account (370-07421-268-01) and the suspect PayPal username helpme @ usa .com was listed. Is it a blog operated by suspects?
1661Answer: Yes, yes. (The alleged "http://plus.google.com/112036166079289779835/posts" was an unknown number in the address.)
1662
1663Q: When I translate the blog url address into http://ihatekorea.blogspot.kr and http://antihufs.blogspot.com, I hate Korea, it is anti-foreign language, how much do you hate Korea and foreign language anti? (The next questioner turned to the monitor that was writing the report, showed the suspect the blog screen, and told me what was posted.)
1664A: This site was created to discuss the absurd aspects of Korean society, unreasonable aspects. Korea does not like it or hate it, and has opened antihufs.blogspot.com to post content for criticizing Lim Soo-kyung. (The investigating officer also knew that there were so many articles posted on the suspect's blog that he could not remember it, and he showed the blog to be quoted in the statement, but the record did not record the act of the investigator. The reason was simply the idea of preempting the blog name, but there was also an intention to prevent them from being misused by others for malicious purposes. "However, the investigators did not acknowledge the sincerity of the suspect)
1665
1666Q: Was the suspect planning to study in France?
1667A: I was studying in France or studying in the US.
1668
1669Q: Was the suspect considering foreign immigration?
1670A: It was the next best thing if you were not studying in France or studying in the US. As soon as the suspects were released from the detention center as a bail, the lawyer Kim Yong-min attending the trial after the lawyer Park Chun-hyun filed a number of documents including the admissions documents from the US university and the contract documents received from the immigration company. Submitted.)
1671
1672Q: Why are you considering foreign immigration?
1673A: I do not want to send troops to my child.
1674
1675Q: Why do I post to more than 10 blogs?
1676A: It was a diary purpose for my political opinion. (The suspect described it in the sense of "It was a leisure time to cool my head while studying.")
1677
1678Q: Why are you posting a lot of posts on this blog?
1679A: In the early days, I wrote articles of political beliefs that many people would read and write to, and later to post political articles. (Kwak Dong-kyu investigated how much the suspect had received the donation, and the suspect said, "It is all about donation of 20,000 won, try tracking your Citibank account.") After giving up, studying the blog in French, I changed my mind to use it for leisure. "But the investigators did not record it in the dossier.)
1680
1681Q: How do Internet users respond to the blog of the suspect?
1682Answer: No comments.
1683
1684Q: Do you increase the number of visitors if you post interesting and exciting posts on your blog?
1685Answer: No.
1686
1687Q: What do you think if you write hard but your number of visitors does not increase?
1688A: I do not care. (The suspect is blogging for hobbies and leisure purposes.)
1689
1690Q: What is the position of the suspect in Internet cyber?
1691Answer: There is almost no presence.
1692
1693Q: Are the suspects active only at home rather than at home?
1694Answer: Yes, yes.
1695
1696Q: Do you want to get attention from others on the internet because you are not doing outside activities?
1697Answer: I am interested in seeds in jargon, but I am not interested in seeds. (The investigator erroneously noted in the record that the accused did not use the word 'terminology'.)
1698
1699Q: I want to be interested in publishing blackmail in the White House.
1700Answer: No.
1701Q: Why did you post to 4chan.org?
1702A: I did not post it on 4chan.org.
1703
1704Q: If you look at Ripper 's intimidation article, "I would like to declare terrorism to President Obama. Is not it a beautiful night? "The suspect is mostly at night? Is it really a beautiful night? What do you think about this phrase?
1705A: I do not know that.
1706
1707Q: The 4chan.org site on the suspect's notebook, the file capturing the original text on the White House homepage, the file capturing the screen after the completion of writing in the White House (Thank you) Why do not you admit that the suspects did not post the fact that the traces of the above capturing file were clearly identified by the time sequence after accessing the intrusive text, posting the caption text again, capturing the above posting again, and so on. ?
1708Answer: I have not posted.
1709
1710Q: So the suspect's parents or sister posted the article?
1711A: My parents are not related to my sister because the notebook is what I use.
1712
1713Q: Is it not your parents, your sister or the suspect?
1714Answer: No. Please consider the possibility of hacking. (The parents of the suspect and lawyer Park Chul-hyeon said, "The traces of the hacking were found on the suspect's notebook, and they should be stated in the police investigation." However, the police disseminated the statement to the press, saying, "The suspect is a third- (KCNP News, Internet News Article), "and said," It is the people who say that our house cat is the key to the keyboard "I was tortured and blamed for everything I had never experienced before."
1715
1716Q: What hacking program does it mean?
1717A: I do not know that either.
1718
1719Q: Have you been hacked?
1720Answer: I have never been hacked.
1721
1722Q: Why does the suspect lie that he can not remember the details of his post on the White House site, even though he clearly remembered his activities during his military service and his posting on the Blue House and the National Newspaper last year?
1723A: I never lied. (The investigator responded briefly to each case when the suspect responded.) The suspect responded to the complaint posted in the Blue House and the National Census Bureau by postal mail from the person in charge and kept the post and reply to the post I remember because I had saved it on my blog, I did not say "I do not remember" because the suspect consistently said "I did not post it" about whether or not to post the blackmail in the White House.
1724
1725Q: Does the suspect usually lie well?
1726A: I can not lie.
1727
1728Q: What do you think about the fact that I do not recall a real important question because I think the investigator admits that I posted the article?
1729Answer: I did not remember, so I made the statement as above.
1730
1731Q: If I really do not remember, can I drink and not remember?
1732Answer: Not. I think there are multiple factors.
1733
1734Q: You may not remember a lot of alcohol at the time of the crime?
1735A: I did not have to break the film because I drank a lot of alcohol.
1736
1737Q: At the time of the seizure, I drank a lot of alcohol and stated earlier that I remember faintly. Then you can not remember it because you drank a lot of alcohol at the time of the crime?
1738At this time, the suspect shakes his head and thinks for a moment. ("I can not remember" is not the word "I do not remember.") The guiding question of the investigator was not logical, so the look of the accused was not understood by the guilty pleasures of lying, I did it.)
1739Answer: I do not know.
1740
1741Q: What do you think about the fact that the suspect is being denied even though the evidence is clearly revealed by the computer analysis program Encase? Is it a reasonable answer to state that you do not remember well?
1742A: I do not know because people are beyond their abilities. (The accused stated earlier that "the access time analysis results of SuperHideIp are different from the truth and the credibility of the Encase program is poor.")
1743
1744Q: How did you keep all two of them on the suspect computer, not one of them? What do you think of that?
1745Answer: I guess that the two intimidation posts are not so much difference, it is estimated that the consecutive uploads.
1746
1747Q: What is the difference between the articles posted on July 7, 2015 and the comment posted on June 7, 20:20?
1748Answer: I was wrong. (The suspect believes that two blackmails may have appeared in the same search result at the same time.)
1749
1750Q: What is your relationship with your parents usually?
1751A: I have a good relationship with my parents.
1752
1753Q: Did your father train hard?
1754Answer: It was not severe. (The suspect responded with a lawyer, Kim Yong-min, "I played with my father and BB gun at a young age.")
1755
1756Q: What is your father 's job?
1757A: I was a teacher, but I retired this year.
1758
1759Q: Have you ever been beaten by a father when you were a child?
1760Answer: It is number 1 and nothing else. (The suspect responded to the investigator "I was hit one time.")
1761
1762Q: Are you sure?
1763Answer: Ask your father.
1764
1765Q: Do you depend on your parents for everything?
1766A: I do not depend on you.
1767
1768In the case of seizure search and emergency arrest, the accused lie down in the room with only panties, and the Seoul Metropolitan Police Agency Investigator tells her father and her mother about two or three hours that they will be arrested in emergency for several times, During an emergency arrest, the suspect said, "What does your father say? Did your father agree to an emergency arrest? "
1769Answer: Yes, yes.
1770
1771Q: If my father was arrested in an emergency and the police officers told me to go away, was he going to go on his own?
1772A: If my father told me to go, he would not have responded. (The police claim that the suspect had been drunk and had a crush on him, but the suspect said he tried to arrest the police officers without revealing that they were police officers, and that he resisted knowing that they were bullets. The family of suspects filed a complaint with the Human Rights Commission that the police had violated human rights during the search and arrest of the police, but both the inspection office and the NHRCK I was ignored.)
1773
1774Q: Why do you ask your father about it?
1775A: I was scared because I had more than 30 people in the situation. (The suspect lied on the bed and felt frightened when he covered the bed.)
1776
1777Q: At that time, 9 to 10 people went to the suspect, and at the time of the search, the suspect was lying for 4 hours.
1778Answer: I also had a hangover, and it was annoying to be honest. Kim OO Cyber investigator who was involved in the emergency arrest said to the accused lying in bed, "Because of you, 10,000 people suffered from a night spent for a week.
1779
1780
1781Q: But when my father says he does not agree, the suspect kept lying in bed?
1782Answer: Yes, yes.
1783
1784Q: Is there anything that the suspect can do alone without the will of his parents?
1785A: I do not know for sure, but I think it is natural to ask for help if you get caught up in a crisis situation. (Here 'help' means 'family help.')
1786
1787Q: The suspect brother is living alone with his / her own job, right?
1788A: I'm working in Ansan.
1789
1790Q: Why is the suspect unable to live independently like his brother?
1791A: I spent two years in college, but I have difficulty getting along with my parents.
1792
1793Q: What part was difficult?
1794Answer: It was hard to eat food.
1795
1796Q: When my father visited Jongno police station, did he tell the suspect that he should "do not succumb to the police"? (Based on the fact that the investigator had eavesdropped on the suspect.
1797A: I will not answer the above questions. (The suspect stated, "I will not reply to the fact that I have been tapped." The cyber criminal investigator M OO of this response was quite embarrassed and omitted the "tapped fact".
1798
1799Q: Does the suspect have his father's instructions unconditionally?
1800Answer: Half. Sometimes it is unconditional and sometimes not.
1801Q: What is the current age of suspect?
1802A: OO year old Korea is 34 years old.
1803
1804Q: Do you have a separate computer for your father?
1805Answer: Yes. There is a separate computer.
1806
1807Q: Do you work with your dad computer a lot?
1808A: I do not know that. (The suspect stated "My father hates my father so much that I do not use it often," but I did not record it in the dossier.)
1809
1810Q: All the evidence is clear, and a warrant for seizure of the suspect's residence has been issued by the judge, and an emergency arrest has been approved by the prosecutor, and the suspect has been given an opportunity to review the arrest warrant, What is the reason why I do not remember the suspect only because it is obvious?
1811A: I do not think so. (The investigator provided false information in order to pressure the suspect, the suspect read the documents presented by the police officer of the police investigation about the reasons for the arrest warrant issued by the judge at the detention center after the probation officer or the detention warrant, The suspect already knew that the judge had been convicted and not issued because of all the evidence that was evident to him, due to the concerns of escape and the destruction of evidence.
1812
1813Q: Who gave the answer to the above?
1814A: I have never been influenced by external influences.
1815
1816Q: Do not you think that what you did was wrong? (The investigator suddenly questioned the judge.
1817A: I certainly did not post it.
1818
1819Q: I still think my parents would like to tell me the truth about what I did, seek for good cause, and live hard. What do you think of the suspect?
1820A: I do not think I should cover the truth.
1821
1822Q: Anyone can make a mistake, do not you want to correct the mistake?
1823A: I can not make mistakes because I did not make mistakes.
1824
1825Q: When I look at the s.txt file found on the suspect 's notebook, I will surely kill Repert' s ambassador by penetrating the US Embassy in the text file. Obama kidnapped my little daughter and I will rape my anus. "Why did you list the above?
1826A: I do not know the keyword on the internet Google but I check the phrase on the website that I have searched for and copy it to s.txt. I copied and pasted it to a file. (The suspect did not know exactly where the Web site was located.) The investigator kept a record of the suspect's response long without a comma in the dossier, making it look like an excuse, and the meaning changed depending on where the reader was resting.
1827
1828Q: Is not Obama and Repert's intimidating article published in the White House by referring to the intimidation article in the above s.txt?
1829Answer: No.
1830
1831If you look at the above s.txt file, there are two emails used in blackmail, isshufs@gmail.com, Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, 791 Author Lifee Iss Crazzyy, Address Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea, 130-791, Tel + 82-2-2173-2062, Twitter https: //twitter.com/ISIS_Med The address is listed, but is not it planned to keep it for the crime?
1832Answer: No. It came with copying and pasting.
1833
1834Q: In the above text file, isshufs@naver.com is not used in the crime, and the above e-mail address is not also posted on 4chan.org. How is this e-mail address listed?
1835A: I do not know.
1836
1837Q: It is not written in Hangul in the original text.
1838Answer: It is taken from the Internet and copied. (The suspect stated "I copied and pasted it."
1839
1840If you look at the s.txt file, your address, email, phone, and fax number will be "
1841- Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea, 130-791
1842- Website: http://summer.hufs.ac.kr
1843- Phone: + 82-2-2173-2062
1844- Fax: + 82-2-2173-2877
1845- E-mail: summer@hufs.ac.kr / isshufs@gmail.com
1846"Format. The above format is not listed in the blackmail, is it listed in the above text file in the above format?
1847A: It's all copied from the Internet. (The suspect stated "I copied and pasted it."
1848
1849Q: And why was the fax number listed even though the fax number was not used in the crime?
1850Answer: I do not know.
1851
1852Q: Foreign language site I visited the summer school site http://summer.hufs.ac.kr, and I got the phone number, fax and e-mail, and stored it in the above s.txt file?
1853Answer: Not.
1854
1855Q: The suspect has an antipathy to the outsider who is usually his alma mater.
1856Answer: No.
1857
1858Q: Is Twitter address https://twitter.com/ISIS_Med imported?
1859Answer: It came from Google search on the internet. (The suspect stated that they "came together when copying and pasting." Same as the answer on page 585.)
1860
1861Q: How did you search on Google?
1862A: I do not remember the search term.
1863
1864Q: Do you usually follow IS?
1865A: I will not follow.
1866
1867Q: Did you find IS-related pictures on the suspect computer?
1868Answer: Yes, yes.
1869
1870Q: And you edited the photo to be the same by marking the Hwarangdo and IS in Korea equally with the '=' symbol.
1871Answer: Yes, yes.
1872
1873Q: Do you have an interest in IS?
1874A: I just got to know the news, but I have no interest. (The suspect stated "I do not follow IS.")
1875
1876Q: Is there a fact that the suspect visited the foreign site http://summer.hufs.ac.kr?
1877Answer: No.
1878
1879At this time, we show computer analysis program Encase analysis screen directly to the suspect. At this time, the attorney also looks at the above analysis program screen. (At this time, the investigator turned to Kim OO, a cybercrime suspect wearing glasses with black glasses at South OO.
1880
1881Q: What is the French 'bureau' folder at the bottom of the suspect computer's documentation?
1882Answer: This is a term for desktop.
1883
1884(From this time on, the interrogation process was not recorded in the memorandum until dinner.) The suspect was surrounded by police officers who had been excited for a long time and was subjected to a coercion investigation that he had seen during the military torture film during the 1980s military regime. Kim OO said, "Why do not you know?" When the suspect said, "How do you see the file name alone?" ? ", 4 to 5 investigators went into the interrogation room and ran aggressively.
1885
1886At this time, I stopped the investigation for dinner. (The police arrested Park Cheol-hyun, the suspect, and only two people for dinner for a long time.) The lawyer Park Cheol-hyeon repeated the word "confess" to the suspect while eating the two lunch boxes, In the conversation police intercepted, the suspect questioned the blood type of Park Cheol-hyun and answered that he was AB-type, and asked whether he married Park Cheol-hyun's wife because he was pregnant at the time, It was all the congratulations.)
1887
1888At this time, five pieces of the text file s.txt link file (A0065358.lnk, A0065518.lnk, A0065541.lnk, A0065621.lnk) found on the suspect computer are shown to the suspect and attached at the end of this document.
1889
1890The link file (lnk) is a file that is automatically generated when a certain file is executed in the Windows operating system, for example, when browsing a text document in the above s.txt, and the lnk file You can check which file you have opened. The link file creation date and time is the date when the first file is executed, and if you repeatedly execute the same file, the accessed time of the link file changes. The above five link files are link files that are automatically generated by running the s.txt file on the suspect computer. Checking the creation date and the modified date and time (Accessed time)
18911) A0065358.lnk 2014. 9. 10. 16:59 (date and time of creation), 2015 7. 7. 14:57 (date and time of access)
18922) A0065518.lnk 2014. 9. 10. 16:59 (date and time of creation), July 7, 2015 (date and time of access)
18933) A0065541.lnk 2014. 9. 10. 16:59 (date and time of creation), July 7, 2015 (date and time of access)
18944) A0065621.lnk 2014. 9. 10. 16:59 (date and time of creation), July 7, 2015 (date and time of access)
1895And the Obama intimidation article is posted on the White House on July 7, 2015, and the Repert's intimidating article is on July 7, 2015, I read the s.txt file, which is written in Korean, and wrote the crime in the White House around July 20, 2015, and again s.txt. I read the file three times on July 7, 21:10, 21:19, and 22:31, and posted a blackmail message about Ripper on July 8, 02:26?
1896A: I do not know.
1897
1898At this time, the link file (A0065569.lnk, A0065481.lnk) found on the suspect computer is shown and attached at the end of the document.
1899If you look at the above link file A0065569.lnk is castration.png file created by browsing on June 7, 2015, and when you check the above picture file, the main character Ellen Page comes out, and A0065481.lnk hufs.png is a file created by browsing on July 7, 2015, and if you check the above picture file, it is a picture of the screen where the foreign language section was searched by Google and the picture of Lim Soo Kyung. Have you ever read the above two files in the above list?
1900A: I do not remember the exact time, but I remember reading two photo files above.
1901
1902Q: I have a link file A0065481.lnk, which is related to the picture file (hufs.png) on July 7, 2015, and the suspect has said that the above picture has a memorized memory. txt. I have browsed the file and found the link file (A0065358.lnk). Do you remember reading the s.txt file on July 7, 14:57?
1903A: I do not remember reading. (The suspect stated "I do not remember the exact time.")
1904
1905Question: 7. 7. I have read the s.txt file containing the contents of Hangul at four times in total. Have you ever seen a file?
1906A: I do not know that.
1907
1908Q: When was the last time you read the above s.txt file?
1909A: I do not remember the last time.
1910
1911Q: Why do you keep denying the crime of reading the text document s.txt, which contains the content of the Korean text for the intimidating article, four times before the crime was committed?
1912A: I do not remember whether I read it four times. (The suspect stated "I do not remember the exact number of times.")
1913
1914Q: I have been reading blackmail in Korean four times, followed by blackmail in the White House, and posted a deliberate post?
1915Answer: There is no plan. (The suspect stated "I have never posted a blackmail".)
1916
1917Q: What is your mind now?
1918A: There is no rattling like in the fourth survey.
1919
1920Q: Is the accused unfair?
1921Answer: It is unfair. I would like the police to investigate the matter.
1922
1923Q: Lastly, I'll ask. Do you really have access to the White House homepage?
1924Answer: There is no connection.
1925
1926Q: Do you have evidence or statements that are favorable to the suspect?
1927Answer: No. (The suspect stated in the sense of "I can not submit favorable evidence or statements in the present state of detention.")
1928
1929Q: Do you have anything more to say?
1930Answer: On page 3, "Please ask the police officer to rub your shoulder" is your blood pressure. On page 28, the cruel photographs are downloaded habitually and I regret that I am curious. For the sake of misleading explanation, the child's naked photographs were downloaded from Nudists (naturalists), and the pictures of the baby's penis were cut off to make an essay criticizing the forced circumcision ceremony in Indonesia It was. And I remember that the pictures with the knife in the child's boat are satirical images of the terrorist forces in the Islamic language, and the models in the photographs are pictures taken only by 18 years or older. Also, the pictures of blood in the female vagina were to criticize the girl 's forced circumcision tradition, and the picture of the bowel movement on the Taegukgi was to blame the blasphemy of the national flag. 
1931In addition, it was to expose the facts of illegal organs extraction and Kim Jung Eun regime. I wish you good judgment.
1932
1933Q: Are all of these statements true? (Despite the fact that there was a lot of blank space in the A4 paper sheet to be printed, the investigator intentionally entered this question in this position to limit the space in which the suspects would state their handwriting. The defendant asked me, "Please give me more space to explain the true meaning of the pictures on page 563," but I was denied, and the suspect has enough of the meaning of the photo. In the written statement, more than half of the 592 pages with this question are blank.
1934Answer: Yes.
1935
1936(After the investigation, I asked Ms. OO, "Do you remove the hard copy (or imaging) from the police later?" M OO smiled and laughed and said, "Of course. "Ms. OO did not imagine that the contents of the notebook were useless from the beginning, did not do the imaging, did not even consider the prosecution investigation, but roughly rushed the investigation, and turned on and off to check the contents of the notebook.
1937
1938Prosecution letter
1939
1940At this time,
1941
1942Q: Does the suspect have been punished?
1943Answer: No.
1944
1945Q: Did the suspects state their educational background in the police?
1946At this time, record 277 ~ 295 shows a police document prepared by the suspect.
1947Answer: Yes. I have stated the truth.
1948
1949Q: What is the education and experience of the suspect? (The prosecuting attorney handed the police investigation report with the record of the accused and his experience, and made reference to the statement.)
1950A: I graduated from Cheongyang Elementary School in 1994, graduated from Kyunghee Middle School, graduated from Kyungbok High School in Hyoja-dong, Seoul, Korea in 1999, and graduated from Hankuk University of Foreign Studies in 2009. My career has been part-time, recording the foreign news from KBS station to the editing room from about 2011 to around 2013. (The investigator has repeatedly questioned the accused on a number of occasions, focusing on his / her last job, position, and duties.) The same question then continues to the suspect through detention guards and court judges. I studied. I wanted to major in psychoanalysis in France. After studying, I tried to do a private clinic. (The suspect responded to each statement with a short answer or one or two sentences. Unlike the police investigator, the prosecutor's office always included five or six questions and answers, and put them together in one record. 
1951He then read the dossier printed out and pointed out several times that there was a difference in meaning to the investigator, but every time the investigator dismissed it as not being different.)
1952
1953Q: How is your health?
1954A: I have a slightly higher blood pressure. I was prescribed medicine only at the private hospital when I was in the jongro police station.
1955
1956Q: Go to the White House homepage of the United States at the residence of the Korean Peninsula on July 7, 2015, and enter the representative e-mail address and foreign university phone number used by foreign exchange students attending Hankuk University of Foreign Studies, Is there any fact that I posted the following after I wrote my university address? (The prosecution investigator has not been able to figure out the case yet, stuttering throughout the investigation and reading down the questions on the monitor.)
1957'From: Mr. Dong, Seoul, Korea, Seoul, Korea, Seoul, Korea), Address: Kangwon National University, Korea, 130-791, Damascus', and the following text Message: Dear Mr. President Obama and Mrs. First lady Michelle.
1958===========================
1959Hi.
1960I'm HUFS student from Seoul, Korea.
1961How's your president family?
1962I'm sick of my life cause I always mastervating with tranny prons.
1963One day, I realize that I'm not going to die like this.
1964I want to be a famous Korean male in USA history.
1965Therefore, I am going to anal rape your second daughter Natasha.
1966Is that okay?
1967I think that bitch's asshole is much tighter than Malia Ann.
1968so I need parents permission before the nigger anus.
1969Do not worry about me: I eat lots of Kimchi so free from AIDS.
1970I eager to penetrate nigro asshole before I killed by Kim Jung-un.
1971Thanks.
1972Answer: I have not posted such an article.
1973
1974Q: The suspect said, "I am President Obama and Mrs. Michelle. I always get tired of wearing sex dressers and doing masturbation. So one day, I thought I had to do this. I decided to become a famous Korean man in America today. So I'm going to rape your second daughter, Natasha, with an anal. Because it seemed to be a more polite way to ask. I think the anus of the second daughter is more resilient than the anus of Malia (first daughter). So I have to get my parents' permission before I feel black anal. Do not worry about it. I eat a lot of kimchi and are safe from AIDS. I hope to penetrate the anus of black before it is killed by Kim Jung Eun. Thank you. "
1975Answer: No.
1976
1977Q: Is the fact that the suspect wrote the above?
1978Answer: No.
1979
1980Question: Did not the suspects intimidate President Obama and US First Lady Michelle as described above?
1981Answer: No.
1982
1983[Intimidation to Foreign Envoys]
1984
1985Q: Is it true that the suspect was sent to the US White House homepage and posted the following statement?
1986'From: Dr. Korea's Isis One ',' Email: summer@hufs.ac.kr ',' Phone: 82221732061 ',' Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea , 130-791, Damascus'
1987Message: Declaration Terror to Mr. President Obama.
1988A beautiful Evening is it?
1989Right this is the warning message from the Terrorist Attack.
1990Korea, we're g0ing to re-attack US ambassador Mark Lippert in Seoul.
1991So last time, my a5sassinator's mind is too weak to cut the ambassador's artery perfectly.
1992End this time, we have been prepared by a well-trained traditional Cuisine-Professor and kill Him by nuclear poisoning.
1993Ok? We'll take care of all your political comrades, but surely one by one, until the US army eliminates Bio-Chemical weaons in Korean Peninsular Mother Land.
1994UltimatuM; 3xects us, our VVIP Archenemy Obama!
1995LIMFAO, See mark Soon in your After-Life ... ...
1996: #: #: #: #: #
1997: #HUUF.S. R.O. 4ourth 4inger: #: #
1998: #: #: #:: #: #: #
1999: #: #: #: #: #
2000Answer: I have not posted anything.
2001Q: Describing the suspect as a South Korean student, he said, "I would like to declare terrorism to President Obama. Is not it a beautiful night? This message is a warning of a terrorist attack. We want to attack the US ambassador, Mark Ripert. Last time my assassin 's mind was so fragile that I could not completely break the artery of the US ambassador. At the end of this time, we have prepared a very well trained pro, so we will kill the ambassador with nuclear poisoning. OK? We will slowly and surely kill one of your political comrades ... Until US troops remove chemical and biological weapons from Korea. We will soon meet our greatest Obama, Mark Ripert, in the world. "
2002A: I have not posted anything.
2003
2004Q: Is the fact that the suspect wrote the above?
2005A: I have not written.
2006
2007Q: Is not the suspect intimidated by the diplomatic envoy, the US ambassador, Rupert?
2008Answer: No.
2009
2010Q: Is it true that the suspect has stored the above-mentioned articles on the victim's computer?
2011Answer: Yes. I copied and pasted it on my computer.
2012
2013Q: What is the date and time of the copy of the suspect's copy on the suspect's computer?
2014A: I'm sorry, but I do not remember.
2015
2016Q: How about copying and storing it on the suspect's computer?
2017Answer: I ran a link (I do not know where) through Google search (I do not know what I searched) and put it on my computer.
2018
2019Q: What computer is the suspect's computer?
2020Answer: The laptop.
2021
2022Q: When did the suspect purchase the notebook?
2023Answer: I left KBS station to record foreign news and send it to the editing room, then bought a laptop, so I bought it in the first half of 2013.
2024
2025Q: In fact, the suspect is stating that he / she is afraid of receiving heavy punishment even if he / she has written the above statement.
2026Answer: No.
2027
2028Q: Do you know that the suspects are punished by law if they intimidate others?
2029Answer: Yes. I know.
2030
2031Q. Does the suspect have any relationship with US President Obama, US First Lady Michelle, US ambassador Ripert?
2032A: I have no relationship.
2033
2034Q: Does the suspect have an agreement with the victims?
2035Answer: There is no agreement.
2036
2037Q: Have you stated the facts above?
2038Answer: Yes.
2039
2040Q: Do you have any more words or favorable evidence?
2041Answer: None. (If there is no suspect, the investigator told me to write "no" by hand.)
2042
2043Q: Is it not listed as stated in the dossier or is it different from the fact?
2044Answer: (handwritten entry) None.
2045
2046At this time, the suspect responded 'I will be investigated under the participation of counsel.' After attending lawyer Park Cheol-hyun, the lawyer showed the suspect's mother's complaint to the suspect and said, "I will read it and submit it if I want. Hand it over. (The suspect did not acknowledge the statement "I will be investigated under the lawyer's participation" or "I will not accept.") The prosecutor said in his own words, "The lawyer is not here." While reading the record after the investigation was completed, he read the record and asked the prosecutor to revise the record because he did not answer the question "I will or will not be investigated under the attorney's participation" "I refused.
2047
2048The suspect reads the complaint (14: 05 ~ 14: 10) and then submits the complaint, saying "I will submit it to the prosecutor."
2049Towards the suspect,
2050Q: Has the suspect ever stated the facts the last time?
2051Answer: Yes. I have stated the truth. It's what I said.
2052
2053Q: Why was the suspect arrested on the police in an emergency?
2054Answer: ... I know that the arrest of me was an emergency and the police arrested him.
2055
2056Q: What does it mean to be urgent about the suspect?
2057A: I think that because of my suspicion of terrorism and the destruction of evidence.
2058
2059Q: What does the allegation of terrorism and evidence say?
2060A: I was accused of terrorism against Ambassador Obama and Repert, and I understand that the police misunderstood me as a computer expert, a multilingual person.
2061
2062Q: How many countries do suspects speak a foreign language?
2063A: English is above the upper middle level, and French is the lowest level among the 6 levels.
2064
2065In the case of police, the police arrested the suspect's residence. During the execution of the search warrant, a picture file capturing the text of the intimidation of raping the US President Obama's daughter on the notebook used by the suspect, Captive text capturing The picture file was found and the suspect was arrested in an emergency?
2066Answer: Yes.
2067
2068Moon: The suspect was not allowed to investigate at all during the police investigation for about five hours, including lying on the bed alone, lying on the bed, throwing things at police investigators, Is it consistent with a very uncooperative and insincere attitude, such as 'creaking' and laughing and repeating the trim? (The facts and distorted claims of the police are subjective judgment of the act according to the difference of point of view of the suspect, and since the police insisted that the investigation room was recorded by CCTV, they did not actively contradict that The video that was submitted by the police at the first trial had the amount of interrogation taken.
2069Answer: ... There is. It was because the wine was a little worn at that time.
2070
2071Q: Is Lenovo, etc., where the suspect was confiscated by the police at the time?
2072At this time, records 397 to 398 show the confiscated seizure and confiscation list.
2073Answer: Yes. Yes.
2074
2075Q: I found that MS Windows XP (language: France), the time zone was set to France 'Paris', and the last shutdown time was 2015. 7. 13. 11:47:18 GMT 0), the Republic of Korea will be GMT + 9 hours in the above time zone, and if it is +9, it will be on July 13, 20:47:18. In this time, police seized the house of the suspect, It was time to check the crime data stored on the computer.
2076At this time, it shows the time when the notebook was last closed at the time of the confiscated seizure search on the 404th page of the record.
2077A: I did not see the computer until I was confiscated from police when I was sleeping. At that time, the police told me that they had these files, but I did not see them.
2078
2079In order to confirm the exact time (the time of the crime committed in Korea) when the file used for each crime was analyzed during the analysis of the computer analysis program Encase, the above analysis program changed the time zone to Korea National Time (GMT + 9) As a result of analyzing and changing to domestic time, in case of usa.png file related to the crime, the last access date was confirmed on July 13, 20:42, What is the date of this visit?
2080Answer: I initially trusted the evidence of the police case. However, when I suggested that I used the "Superhyde IP" program, which was proposed by the police, as an in-case, I had not used it since June 6, 2015, Lost.
2081
2082Therefore, even if you set the time of the victim's laptop to the Paris time zone, if the Encase program is set to the domestic standard time, you can check the time of the crime of the suspect in the Republic of Korea. When the date is confirmed as the seizure time zone, how is the time information confirmed by the above Encase program confirmed to be correct?
2083Answer: I downloaded the pictures through the Google search engine, and it is possible because of the Google Cache feature. If you have the Google Cache feature, you might be misinterpreting the time, and I'm personally concerned.
2084
2085Q: The suspect said in the police, "Is not it true that the evidence supporting the Encase program is the evidence that analyzed the time lag that the police submitted the threatening bulletin as evidence?" The suspect said, "Yes. Yes, "he said.
2086Answer: I initially trusted the evidence of the police case. However, when I suggested that I used the "Superhyde IP" program, which was proposed by the police, as an in-case, I had not used it since June 6, 2015, Lost.
2087
2088Q: Is the suspect confiscated by another person?
2089Answer: No. I have a password on my laptop and I have not given it to someone else.
2090
2091Q: Has the accused ever used a confiscated notebook while traveling around?
2092A: I left it in my house and I used it alone.
2093
2094Question: The suspect has set a password for the laptop on the police, uses the suspect alone, and says, "I do not know the evidence that the police are presenting. I do not remember. "I denied the crime consistently. How about it?
2095Answer: Police showed the name of the picture file in which the English and the numbers were written. (The suspect replied, "The police did not show the picture, but only list the picture files with English and numbers, and when asked if I remembered, I did not remember," the investigator replied.
2096
2097Q: Is there a blog operated by suspects (http://helpkorea.blogspot.com)?
2098Answer: Yes. It is a diary type blog which I made and operated.
2099Q: What do you usually post on blogs operated by suspects?
2100A: I have described the media in critical terms. (The suspect defines "media" as "political news of comprehensive channels.")
2101
2102(1) "How to earn money on the Internet (earning foreign currency)" is taken on the blog operated by the suspect. (Http://helpkorea.blogspot.kr) You can earn money. "Is it true that you posted the following statement?
2103At this time, the record is displayed on the blog (http://helpkorea.blogspot.kr) operated by the defendant who is stolen on pages 174 to 195.
2104Answer: Yes.
2105
2106"(2)" After the shooting, Ji Sung-woo calls me as a laundry hanger and he can be beaten in the shooting range, and inserts my penis in my anus, at the blog (http://helpkorea.blogspot.kr) operated by the suspect. I shook it 20 times and I was ejaculated in the anus. But I have not been informed of this until January 22, 2005 ... (Omitted below) '' Is it true that you posted the following statement?
2107Answer: The Ministry of National Defense responded to the contents of the civil service.
2108
2109(3) In the foreign language university, we will change the minor in chemistry unilaterally without prior notice in 2012, due to the inconsistency between the inquiry and the resume. I have been suspected of forgery every time, and I have even been suspected of plagiarizing a four-year college thesis due to the inconsistency in the name of my graduation thesis. So, I have been suffering from economic losses since I have failed to get jobs from companies that have supported more than 1,000 since 2012, and even when I was working as a freelancer, I have been suspected of my academic background as well as my personal credibility and have suffered ... (Omitted below) '' Is it true that you posted the following statement?
2110A: In my remembrance, it is the content of my complaint by the Ministry of Education. (In the statement of the suspect, "KBS Fact Confirmation" received by the suspect at the time of retirement is recorded as "part-time" rather than "freelancer." After the expulsion of the suspect, (02-2639-2341), Moon Tae-sung informed the suspect that he was a self-employed person.
2111
2112When I look at the blog written by the suspect, I see all the information such as phone number, e-mail, and address as imposters of foreign language college and search for poisoning by 'masturbation', 'anal', ' It is confirmed that it has a strong dissatisfaction with foreign language and the related thing such as "Will do."
2113A: I remember being told to me during a police investigation, and I have not. (When the suspects repeatedly asked the question they had received during the police investigation, the suspect began to make a statement saying, "As I told you during the police investigation," the lawyer Park Cheol-hyun, accompanying him, responded unfaithfully to the suspect's question. "Park Cheol-hyun, who was a new lawyer at the time of the prosecution's investigation, tried to build up a network with lawyers through his prosecutors for his success. He identified the prosecutors with the lawyer himself, did.)
2114
2115Moon: The suspect is a police officer on the notebook, "isis.png (intimidation against Obama)" original document capture file on July 7, 20:21, "usa.png (threat to reporter)" original The capture file was created on July 8, 2015, and the obsession for Obama was posted on the US White House website on July 7, 20:20, 7. 8. At 02:26, about one minute, the blackmail was read on the Internet and stored on the victim's computer. The suspect was informed that the operating system (OS) of the laptop was set to the French time zone, The 4Chan.org site is a US site, claiming that there was a time error, and stated that it would be impossible to do this in just one minute.
2116Answer: That's what I said.
2117
2118After completing the reporter's intimidation on the White House website, the suspect is captured by the police through the Google Chrome browser, about 1 minute after completing the thank-you related webpage, then re-running the captured picture After 3 minutes, the original text of the intimidation was changed to file name usa.png, and after 1 minute, it was posted on 4chan.org site, and about 9 minutes later, 4chan.org captured the site again I read the generated file and stated that the reason why the link file was created on the suspect computer was that the suspect did not understand it because it was not his behavior.
2119Answer: That's right, but I do not have it.
2120
2121Q: The time of the reporter's intimidation posting on the 4Chan.org website was posted on the police at the time of July 8, 2015, At 02:27, the suspect is not clear about why the time stored on the suspect computer may be faster than the time posted on 4Chan.org, and that there is a problem with his computer and that there is malicious code and possibility of hacking. How is it?
2122Answer: That's what I said. I remember Google Cache as well.
2123
2124Q: What if the suspect stated "I have a problem with my computer and I have malicious code, possibility of hacking, Google cache".
2125A: I am not a computer expert, so please investigate it enough. (The investigator asked me what the symptoms were.) When I turn on the computer, the strange warning window appears squarely normal size. I'm not a computer expert, so let me investigate that, and Google Cache will ask Google Server to cooperate with the investigation.
2126
2127Q: What is the size and content of the alert window? (Actually, the investigator asked, "How many centimeters?"), And the suspect stated "I have never read it and I do not know."
2128Answer: The warning window is square in size, but I do not know the exact size and the contents of the warning window are not remembered. (The accused never remembered whether the contents of the warning window were written in English or French, and never interpreted it.)
2129
2130Moon: From the computer of the suspect, June 1, 2015, 1.jpg, 14.jpg, 10.jpg, 8.jpg, 4.jpg, 2.jpg, 1.jg, 18.jg, 5oe254mvhpke. Is it correct to view the jpg file?
2131At this time, records 323 ~ 331 and 516 ~ 529 show the contents of the photo related to the reporter found on the computer of the suspect.
2132A: I have not seen anything on July 7, 2015 because I have nothing to see. (Because the suspect studied or slept on July 7, 2015).
2133
2134Q. Why is the suspect storing the files 1.jpg, 14.jpg, 10.jpg, 8.jpg, 4.jpg, 2.jpg, 1.jg, 18.jg, and 5oe254mvhpke.jpg files on the computer? (The prosecutor showed him the picture files on the monitor he was writing.)
2135A: This is a collection of articles written to strongly criticize terrorism against the US Ambassador.
2136
2137Q: Does the suspect write anything criticizing the usual acts of terrorism?
2138A: I do not remember the exact time, but there is something on my blog that says it can threaten the alliance.
2139
2140Question: The suspects read the related information as described above, and the time of the reporter threat pictures on the suspect's computer is around July 8, 2015, and the reporter threatening article is posted on the 4Chan.org website. Since the time of publication is around July 8, 2015, the suspect wrote and saved the above article and posted the reporter threatening article on 4Chan.org website?
2141At this time, record 260 and 251 ~ 256 of the suspect computer file output is shown.
2142Answer: No.
2143
2144Q: The suspect was in the police station on the laptop. The contents of the text file (s.txt) generated on September 10, 2014 were written on the e-mail 'isshufs@gmail.com' 'I will surely kill Ambassador Ripper by infiltrating the US Embassy', 'Obama will kidnap my little daughter to rape my anus', and the Twitter address 'http://twitter.com/isis_med' I do not know why the suspect was not sure about the reason for the discovery.
2145At this time, the record of the defected notebook file is shown on the pages 332 to 335 of the record.
2146Answer: I remember that I stated that I copied and pasted through Google Search.
2147(1) The s.txt file is first created on April 9, 2014, and the last access date is '15. On the 12th of July, the above file contains the phrase "Penetration of the US Embassy to Ambassador Ripper, I will surely kill Obama's little daughter to rape my anus" in Korean. Especially, the email used for the crime 'isshufs @ gmail.com, summer@hufs.ac.kr, and the name of the author 'Lifee Iss Crazzyy', the address of the foreign language, etc. "is listed in the form of the suspect, It appears to be in a free format on the file, how is it?
2148Answer: Not.
2149
2150Also, the suspect discovered that the above text document was scanned 4 times before the crime, and the link file (file created automatically when the file is executed by the Windows operating system and the extension is lnk) was generated.
2151Answer: I am not a computer expert, so please do an adequate investigation.
2152
2153(2) By accessing the White House homepage of the United States with a capture file (isis.png, usa.png, etc.) directly related to the threats, the President and the Ambassador Ripper Capture the screen while writing the intimidating text and change the file name to "isis.png, usa.png".
2154Answer: I downloaded the photo from the Internet and saved it.
2155
2156Q: Where did you download and store the suspects?
2157Answer: It was downloaded through Google Image Search.
2158
2159On June 7, 2015, the obsession for President Obama was posted on the White House, and a trail of reading s.txt file in Korean, which was about 14:57 on the same day, After 1 minute, 20:21, the captive caption (isis.png) recorded on the suspect computer is confirmed. Also, at 20:21 and 21:19, the above s.txt file What happened to the two traces discovered?
2160Answer: I have just browsed the computer and copied it to a text file, and I do not know whether it was read or not.
2161
2162After the intimidation of President Obama, I found a trace of an image file of the terrorist incident of Ambassador Ripper at 21:38 on the same day for 18 times, The file created on the suspect computer appears to be very closely related to the crime because it is re-visited about four months after the date of 2015. 07. 07. 21:38. (Previous surveys found that 15 traces were found.)
2163A: I have not seen any of the above photographs on July 7,
2164
2165After reading the s.txt file containing the text of the crime, the blackmail of the Ambassador Ripper was posted on the White House website on June 7, 2015, : 27 The 'usa.png' file created on the white house website was created on the suspect computer, so it looks like the suspect posted a post on the White House homepage.
2166A: I have not posted.
2167
2168Q: After continuing to capture the screens of the suspects' computer at the White House using the Google Chrome browser, the archived details are found, and the history of the link file is also verified by viewing the above file. ?
2169At this time, the record of the suspect computer file is shown on page 260 of the record.
2170Answer: I did not capture it, but I downloaded it from Google.
2171
2172Q: The suspects (3) are intimidated in this case. We will be browsing the US White House website twice on May 24, 2015, capturing the black screen using the Google Chrome browser. I caught the screen in the same way as above, and on June 25, 2015, I caught the same screen captured at the White House in the United States.
2173At this time, we show the additional declaration data which is stitched on the record paper pages 198 ~ 204.
2174A: I did not write it, nor did I post it. It was downloaded through Google Search.
2175
2176(4) The suspects were found to have stored photographs depicting President Obama and Mrs. Michel as monkeys on June 25, 2015 before the commission of the crime, and the date of the last visit was July 1, 2015: How did you see the trail that was re-opened after the 35th murder?
2177At this time the record shows the printout of the stolen suspect notebook file on page 596.
2178Answer: This photo was downloaded through Internet Google Search, and I have not seen it more than once.
2179
2180(5) The suspect is (5) a photograph related to anus and girl child nude. The suspect described the intention to rape the second daughter 's anus in the Obama presidential intimidation article. Obama' s second daughter is 14 years old, There were many pictures of the anus on the laptop. The last reading date was around June 13, 2015, and the word 'anal' was used 5 times in the blackmail, 6. I was browsing, 7. 8. I saved it on my computer, and on page 13, I found the fact that I read it.
2181At this time, the record of the defected notebook file is shown on pages 609 to 664 of the record.
2182A: This photo is an illegal long-term trafficking, or an additional collection of materials to write about the North Korean regime. (The suspect downloaded the picture files and did not watch it more than 2 times.) In the Windows operating system, when the picture file was moved without moving the picture file, I tried to submit a proof of the screen shot by a smartphone, but Yongmin Kim refused to accept the video without even seeing it.
2183
2184Q: The suspect stated in the police that the photos of Reuters Terror on the suspect's computer just before the crime were all read by the suspect.
2185A: I downloaded and saved the photo, but I do not watch it more than once.
2186
2187The statement says that the police suspect that the police are underestimating women and that it is better to have sex rather than socializing with women, and that "I always get tired of wearing sex dressers and masturbating. "(A suspect is a statement that faithfully replies within the scope of common sense common knowledge that the suspect knows.) Sexual attachment posted on the crime article What is the dress code? (In this way, the investigator asked a mixed question asking a mixture of questions to make sure the suspects were neither positive nor negative.)
2188Answer: According to what I know, I have faithfully stated that the statement is correct.
2189
2190Q: Why did the police say that they knew clearly the name of President Obama's second daughter, Natasha, who was used in intimidating writings?
2191A: After I saw the intimidation that the police showed me, I found out.
2192
2193Moon: The suspect is described by the police as "I am determined to become a famous Korean man in the US today" in the intimidating statement, stating that he is "likely to be a famous person" How is it?
2194Answer: Famous things are not meant to be misleading. The latter famous Korean man meant to be a famous politician. (The "famous person" that the suspect referred to was "a famous politician," but the future hope of the suspect was not a politician.
2195
2196(6) For the photographs related to IS terrorists, the suspects shall refer to the author as " Korea Isis One 'and impersonated IS. The trail of the IS terrorist was discovered four times on July 17, 2015, before the crime was committed. It is stored for the first time, and it is also viewed on the 7th and 3rd, so the file stored in the computer of the suspect is not only saved, but also confirms the sucking after reading.
2197Answer: I can not be certain how many times I have read the IS estimate.
2198
2199Q: The suspect stated that the police stated that they had a determined will to the IS terrorist and kept a picture of the IS terrorist on the computer.
2200Answer: Yes. Yes. (The suspect described what he felt in the photo.)
2201
2202Q: I have posted the contents on the homepage of the National People's Daily on the homepage of the National Newspaper on the website of the Blue House at the Cheongwadae homepage, police said, "I am going to go home with a nylon string on the railing, Why do you keep hundreds of pictures of women's bodies and keep them?
2203A: The Cheongwadae homepage and Kookmin Shinmunji homepage are for the purpose of one-person demonstration for the payment of Civil Defense transportation expenses. I did not look at the pictures more than once while I habitually stored the photographs in the process of collecting materials for writing.
2204
2205(7) Regarding photographs related to North Korean Kim Jong Eun, the accused has expressed interest in Kim Jong Eun by writing "I hope to penetrate the anus of black people before I was killed by Kim Jong Eun" , June 9, 2015, June 25, 2016, and the last photo date was recorded on the computer after the crime was committed. 7. 11. 00: How about 09?
2206A: I have never written such an article. I did not follow the Kim Jong Il system in North Korea, but I habitually stored it in the process of collecting materials for writing.
2207
2208(8) Regarding the IP change program, 'SuperHideIP (version 3.3.8.8)' program which can easily change the IP of the suspect use notebook has been found. The first creation date is on July 16, 2014 Why did the suspect install the program?
2209A: In my memory, I saw the news of IP related events at that time, I changed the IP to Google and installed it. I tried to run it only once and then I did not execute it.
2210
2211Q: Is not there a program that can change the IP to be used in the crime of the suspect?
2212Answer: No.
2213
2214Door: The IPs 124.197.152.48 and 124.197.152.74 used by the suspect in the crime were identified as the IPs assigned to the apartment O of the apartment O at 45, Lee Moon-dong, Dongdaemun-gu, Seoul. I checked the tenant card of the resident card of the residence of the resident of O, and what is written as 'Hankuk University of Foreign Languages' was confirmed. (In Korea, the full street address will be enforced from 2014. If you inquire about the IP address of Tibur Road, you will be informed by the street name address starting from the agar route. It is estimated that I have confirmed the personal details of the application form I submitted to KBS before the road name address was put into effect in 2014. The address of the road name of the residence I will appear in the judgment.
2215At this time, show the tenant card stitched on the side (blank space).
2216A: I will not be able to confirm the answer, and the tenant card is correct.
2217
2218Q: The suspect is an isshufs [Hooks University of Foreign Studies abbreviation in English (Hankook University of Foreign Studies)] who accesses the US White House homepage from IP on July 7, 20:20, .com, etc., and did not intimidate by posting the message that "I am going to rape the second daughter of President Obama of the United States with anal sex."
2219Answer: No.
2220
2221Q: When the IP address of the White House in the United States was accessed from the IP address on July 8, 2015, 2015, the summer @ hufs [hufs is the abbreviation of Hankook University of Foreign Studies] .ac.kr, etc., and "will assassinate the US Ambassador RePart" will not be a threat to foreigners by showing the letter of purpose?
2222A: There is no such thing.
2223
2224When a suspect is poisoned by US Ambassador Ripert, a specific phrase mark "4ourth 4inger" (a sign left by the suspect in the case of hackers hacking a website) I left a phrase that you can only know about to announce.) How about it?
2225A: I do not know anything about that phrase.
2226
2227Question: When I visited the site (http://archive.4plebs.org), which was searched for '4ourth 4inger' on the Internet search site 'bing' (a search site provided by Microsoft) The original text of the blackmail document created by accessing the White House homepage was found and the above text file is a picture file of the screen image of the suspect who is writing on the White House homepage.
2228At this time, it shows the [text capturing image file on the left side, text text on the right side text]
2229A: I have never posted anything.
2230
2231Q: Is the screen you are creating in the homepage input window with the original file captured by the suspect as a picture file?
2232At this time, the record [page file 135 captured in the picture file] Show screen being created in homepage input window].
2233A: (At this time, the suspect thinks for a long time and tilts his head. (The investigator described the behavior with malicious intent.)
2234
2235Q: What about the threatening US President Barack Obama and the US Ambassador?
2236At this time, you will see the [obama intimidating text capturing picture file and text phrase] stitched on page 136 of the record.
2237Answer: This is not my post.
2238
2239Q: Is the screen you are creating in the homepage input window with the original file captured by the suspect as a picture file?
2240At this time, it shows [the text file captured by the picture file - screen being created in the home page input window] stitched on the 136th page of the record.
2241Answer: I do not know.
2242
2243Q. The suspect is on July 7, 2015. "Fraud is over. Take care of Lim Su Kyung. Http://boards.4chan.org/pol/thread/47625963 "which was posted on the website of Mr. Soo-Soo University." As a result of IP query with 124.197.152.111, Tibrodeid The IP address assigned to Dongdaemun Broadcasting is the same bandwidth as the IP used by the suspect and the same Internet subscriber.
2244At this time, I will show you the reason why I checked the page on page 140 of the record.
2245A: I have not posted anything.
2246Q: When I posted above, the email is isshufs@naver.com. What is the same ID as isshufs@gmail.com, which the suspect used to write the White House intimidation letter?
2247Answer: ... This is not something I can tell.
2248
2249Q: When I searched on the Google (http://google.com) and Bing (http://bing.com) sites using the phrase "4ourth 4inger" Posted on http://archive.4plebs.org, a backup site of the White House site, on June 7, 2015, How is it that it is confirmed that it is published in the city?
2250Answer: I have not posted anything.
2251
2252Q: In addition, it is confirmed that the article posted on the http://archive.4plebs.org site using Korean IP is a letter to the University of Foreign Studies.
2253Answer: I have not posted anything.
2254
2255Q: The suspect has been complaining to the police because of a failure to get a job due to a suspicion of scholastic ability by changing his / her minor in the foreign language department, which is a school of his alma mater, and is posted on the suspect's blog.
2256Answer: I first consulted the Ministry of Foreign Affairs about changes I made at the foreign language school, and (the suspect received the answer to the Ministry of Education complaints and afterwards released the evidence document to Yongmin Kim) There is. I am not trying to hate the outside world.
2257
2258Q. The police officer acknowledged that the police officer had read the picture file (castration.png, hufs.png) that he viewed on his computer before the crime, .TXT file 'denies the fact that they are browsing, etc. The accused remembers the facts and denies all the crimes related to the crime.
2259Answer: Not. I think that picture files and text files should be replaced. The reason for this is that you have read a lot of text files because you have stored various contents in a text file. (The suspect has limitations in remembering a lot of computer usage history.)
2260
2261Q: The suspect stated that the police use the Google Chrome browser when accessing the Internet, and found a lot of files that captured the White House homepage using the Google Chrome browser on the suspect's laptop.
2262A: It's not a capture, it's a download.
2263
2264The capture file (screencapture-www-whitehouse-gov-contact-submit-auestions-and-comments-1432397652564.png) that was found on the suspect computer is a file captured using the Google Chrome browser, And the last 13 digits '1432397652564' are the URLs of the URLs of the Unixes, and the last part of the URL How can I check the captured time by converting to UTC + 9 using the time conversion program (DCode) as the time information used by the operating system?
2265Answer: I searched on Google and received the download as it is.
2266
2267Question: The suspect claims that the capture file (a file capturing the contents of the White House and capturing the screen at the time of completion), such as the date and time the capture file was stored on the computer, was downloaded from the Internet, If you convert the 13-digit Unix time information in the captured file name to the national standard time, such as the date and time of capturing the site screen, you can check the date and time of the capturing and the file on the notebook. The suspects access the White House homepage It is confirmed that the suspect was not directly capturing after writing.
2268Figure 1 shows the date and time the capture file was saved on the computer, and the date and time when the web page was captured, respectively.
2269Answer: No.
2270
2271Q: If the suspect downloads the above capture file from the Internet, the captured date and time can not be the same as the captured date on the computer, and the storage date and time must be later than the capture time.
2272Answer: I think there are various possibilities for that. The possibilities are Google Cache, which I think goes beyond what I can explain.
2273
22741) The s.txt file will be generated on 1) 2014. 9. 10. 16:59, and the above s.txt file will be accessed from the suspect until the last time of connection on July 12, 2015. (1) "I will kill Ripper Ambassador, Obama will kidnap my little daughter to rape my anus", and (2) isshufs@gmail.com, summer@hufs.ac.kr 'What is the account displayed? (I repeat the same question as the third investigator.)
2275Answer: It's a copy that I copied through Google Search, not one I wrote.
2276
2277Q: After the offender posted the article on "Obama's second daughter raped on anal sex, etc.," on June 7, 2015, 3) : 21 It is obvious that the suspect had committed a crime because the capture file (isis.png) is stored in the suspect's notebook and the password is set on the notebook.
2278A: I did not write that, and I can only use a laptop.
2279
2280Q: Has the suspect been monitoring White House threats?
2281Answer: I do not.
2282
2283Q: How can a suspect know the above information and capture it in less than a minute, even though he is not monitoring the White House threat?
2284Answer: As mentioned above, it is downloaded from Google's cache or portal site.
2285
2286Question: The suspects are 4) June 7, 2015. The article is posted on the back-up site of 4chan site, 4chan site is foreign site that post anonymously. Http://archive.4plebs.org is 4chan If you post to a site that is automatically saved as a backup file format, how about?
2287Answer: Yes. (The suspect thinks for a moment and turns his head back and forth). (The suspect thought briefly to remember what the police cyber investigator had explained, and the investigator described it as a depiction of aggressive behavior.)
2288
2289Q: The suspects are 5) The picture files of Repert's Ambassador, Kim Ki-jong, who tried to kill him, which were stored in the notebook on July 7, 2015, 2015 were searched intensively, and 6) : Is not it the case that the article "We will assassinate US Ambassador Repertory again in 26" was posted on the White House homepage?
2290Answer: No.
2291
2292(1) The capturing file (usa.png), (2) The picture file indicating that the writing on the US White House homepage has been completed is sent to the suspect's notebook It is obvious that the suspect committed a crime because the suspect stated that he set a password on the above notebook and only used his / her own.
2293A: I did not write that, and I can only use a laptop.
2294
2295Question: The suspects are 8) June 7, 2015. The post is posted on 4chan site and its back-up site, 4chan site is an anonymous foreign site, http://archive.4plebs.org If you post to 4chan, the site is automatically saved as a backup file format.
2296Answer: Yes. It is correct to be saved as a backup file. (It is true that the accused got to know the police explanation).
2297
2298Q: I do not write my own article, I see the article posted on 4chan site and search for it on Google. I am sorry for the accused. One of the digital analysis results of the time of generation of the related files shows that the file creation time appears as 4chan post after saving the suspect notebook.
2299A: Because I am not doing digital analysis, I can not give a definite answer about it. (The suspect did not do a Google search after seeing 4chan's article.)
2300
2301Q: Go to the US White House homepage on July 7, 2015, and enter the representative e-mail address and foreign university phone number used by foreign exchange students attending Hankuk University of Foreign Studies, I heard that someone posted the article on Google and downloaded it. Is there any evidence or method to prove it?
2302Answer: Not currently.
2303
2304Q: Two criminal capturing files found on a laptop that can not be used to identify the criminal but who can use the suspect only by setting a password. The time when the file is stored is immediately after the crime. File, a text document that is kept in Korean language with harsh texts, traces of reading the text document 4 times before the crime, traces of ritual terrorist incident before the crime, intensive dozens of pictures, and pictures of IS terrorist Observers, Observers, Observers, Observers, Observers, Observers, Observers, Observers, Observers, Observers, What do you think?
2305At this time, records 761 to 763 show the stolen suspect computer usage chart.
2306A: It's different from the facts, the capture is downloaded, the photos of North Korea artificial airplanes, the photos of Ambassador Repertors and photos of IS terrorists are misleading. (In the police investigation, the suspect described the actual meaning of the photograph by hand, from the bottom of page 591 to the page 592. The suspect viewed the photograph one or two times (accessed) And estimates that the movement of the picture file for the picture was counted as a reading.)
2307
2308Q: Did the accused state the truth?
2309Answer: Yes. I have stated the truth. It's what I said.
2310
2311Q: Are there any proofs or other things that are favorable to the suspect?
2312A: I'm willing to take a lie detector test. Thank you. I received a request from the police investigation stage. (At the time of the police investigation, the suspect and Park Cheol-hyeon lawyer, only two people remain in the investigation room, Park Chul-hyun told the suspect, "You can get a lie detector test." After the investigation began, The suspects were asked to inspect the police's lie detector, and when the suspects made the handwritten statement during the prosecution investigation, they used the phrase "requested" "I refused," the suspect said, "I received a request from the police, but I will not fix it because I am not asking.") Finally, I think my blog post is wrong. (At the conclusion of all the blog posts of the suspect, the paragraph begins with "I hope my thoughts are wrong anyway ..." which emphasizes a neutral position on the topic.)
2313
2314Q: Is it not listed as stated in the dossier or is it different from the fact?
2315Answer: No. (The prosecutor investigated slowly when he started the investigation, but when the suspect became tired at the end, he launched a question.)
2316
2317In the middle of the summer, the suspect was seated in a chair by a prosecutor, and after seeing his lawyer Park, he asked him to "float the water." Park Chul-hyun refused, "I want you to eat it," and the suspect obtained the permission of the prosecutor's office and drank water. Park Cheol-hyeon came to the police station with a Mercedes-Benz passenger car and asked him more importantly about the location of the parking lot at the first meeting with the investigators. Park Cheol-hyun, who asked me to hand him over to the suspect's parents because he would not be able to receive a bargaining fee of 3 million won, came in well, but in front of the suspect who was under arrest, he disgusted the suspect.
2318
2319The prosecutor 's investigation officer changed to the inspection of general affairs director general.
2320
2321Q: (The ministry official said, "I am sorry that the picture is small.") And he showed the analysis result and the isis.png picture file printed on the A4 paper and said that he was holding a stapler with an exaggerated gesture (The isis.png file and the analysis result (isis.png_REPORT.txt) from the suspect's laptop. The above file came from the suspect's notebook. Have you ever seen it?
2322Answer: I saved this file on my notebook. I searched this file on the internet, downloaded it and saved it on my laptop. I did a Google search. The source of this file from Google search results was not verified. At the time, I do not remember what I put my search terms into while doing a Google search. At that time, I do not remember what kind of search I was doing specifically. The file says "I am going to anal rape your second daughter Natasha." However, I think you need to know how I searched for a file with that content. (The ministry attorney general showed the intimidation to the suspect, then wrote in the record that the suspect did not state 'I am going to anal rape your second daughter Natasha.')
2323
2324Q: When did you download the above file?
2325Answer: It seems to have been downloaded from the middle of June 2015 until the day of my confiscation (May 13, 2015).
2326
2327As a result of the above file analysis, the above file was created on July 7, 20:20. Is the suspect downloaded on the date above?
2328Answer: (At this time, the suspect nods his head.) Yes, I had downloaded one time and remembered that it was downloaded in July, so I downloaded it on July 7, 20:21, (The suspect stated that he was studying French at 50:50 on the 7-8th day, or taking a sleep, but he recorded what he understood.)
2329
2330Moon said: "(The ministry official said," I am sorry that the picture is small. ") He showed the analysis results and the usa.png picture file printed on the A4 paper to the suspect. (The file is usa.png and analysis result (usa.png_REPORT.txt) from the suspect's notebook.] The above file came out from the suspect notebook. Have you ever seen it?
2331Answer: Yes, I have seen this file. I downloaded it through internet search and saved it on my laptop. I searched on Google. I do not remember which search terms I entered into Google, and I can not remember which sites I downloaded from Google search results. I do not remember the exact date and time when I searched for this file. I did not remember why I searched this file, and I searched for no reason. I do not remember entering the White House as my search term. I seem to have downloaded and saved this file at once with a file (isis.png file) containing the phrase 'I am going to anal rape your second daughter Natasha.'
2332
2333Q: As a result of the above file analysis, the above file was created on July 8, 2015 at 02:27. Is the suspect downloaded on the date above?
2334A: I remember downloading this file (usa.png file) in July 2015. However, I do not remember exactly whether I downloaded it on July 8, 2015.
2335
2336Question: The file of the file attribute file and the picture file of this file is displayed to the suspect. "For the purpose of analysis, So I put the stapler in an exaggerated gesture in order to pressurize the suspect and shouted the two sheets out.) [The suspect The above screencapture-www-whitehouse-gov-thank-you-1436290042624.png file from the laptop and its file properties print out] The above file came from the suspect notebook. Have you ever seen it?
2337Answer: I searched this file on the Internet, downloaded it and saved it on my laptop. I did a Google search. The source of this file, which comes from Google search results, is hard to remember. It's hard to remember what you put your search terms into while doing a Google search. I did not search for a specific purpose.
2338
2339Q: When did you download the above file?
2340A: I can not remember the exact date. It seems to have been downloaded from the middle of June, 2015 to the beginning of July, 2015.
2341
2342Q: As a result of the above file analysis, the above file appears to be generated on July 8, 2015 at 02:27. Is the suspect downloaded on the date above?
2343A: I do not remember the exact date, but it is between mid-June and mid-July 2015.
2344
2345Q: (Record 674 pages photo file) Above castration.png What is photo file?
2346Answer: The above castration.png file is a picture file I downloaded. I remember that I was downloaded from mid-June to 2015. 7. Cops. Castration means 'castration'. The above file is a scene of a movie. I can not remember being a movie with a lot of content. I guess I did not put the word "castration" into search terms. Because it's about Google search results, I'm beyond the scope of what I'm describing.
2347
2348Q: What are the photo files of Lee Soo-kyung, a member of the National Assembly?
2349Answer: I searched for photos of Mr. Soo - kyung, who showed me to use as a resource for writing criticism. I received a Google search and download. It is to criticize the main North Korean government. I store criticisms in my diary-style personal blog. I can not remember the exact date when I downloaded these files. In the material shown, the date and time of creation of these files is July 7, 2015. I think that the reason why the file creation date and time is analyzed as above dates is beyond the range that I can answer. I posted an article about Lim Soo Kyung in my blog (antihufs.blogspot.kr) on July 7, 2015, and the above pictures are included in the article. That blog is still open. (It was impossible to remember all three or four thousand articles written by suspects.) At first, the suspect did not know what was on this blog. 
2350When asked, "When did you write the article of Representative Lim Soo Kyung?" The suspect responded, "It was between the middle of June and the beginning of July." Park Cheol-hyun
2351Sara turned to the suspect and said, "Why are you lying?" And showed the date of the suspect's blog on her cell phone. The suspect responded to Park Chul-hyun's mobile phone and posted it on July 7, 2015.)
2352
2353Q: Does the suspect use a router when using a laptop?
2354Answer: I have never written a program to change Internet IP, but I use a router. I purchased an internet router for 12,000 won ten years ago. Again, I can not remember exactly when I bought it. I have a router in my house, and I have 3 computers (my laptop, my desktop, my dad, and my computer are using that router). I use the router every time I use the internet. I have not changed my Router setting since I have never used it, but I have not changed my Router setting anymore. When I add Router, I put ID (ADMIN) and Password (494) on Router, I have not touched the case of the suspect.
2355
2356Q: Is there anything the suspect wants in the prosecution investigation process?
2357A: Now that I have sealed my laptop, I did not break it. It is difficult to tell which part I should investigate because I am not an expert. (The prosecution extended the detention period of the suspects by 10 days in the name of investigating notebook hacks.)
2358
2359Q: Do you have any more to say?
2360Answer: No.
2361
2362Q: Is it not listed as stated in the dossier or is it different from the fact?
2363Answer: (handwritten entry) None.
2364
2365
2366
2367
2368
2369At this time, the defendant is attending lawyer Park Cheol-hyeon attorney, saying that he will be investigated under the participation of counsel. Toward the suspect, (The ministry official did not participate in the interrogation of the suspect, but did not record it in the prosecution dossier.)
2370Q: Has the suspect ever stated the facts the last time?
2371Answer: Yes. I have stated the truth. It's what I said.
2372
2373Q: The suspect described the last time that he used the cell phone of the suspect, Mo Kim OO. Does he remember the cell phone number used by the suspect?
2374Answer: I used a number other than 5787 from my mother's cell phone number.
2375
2376If the suspect has not used 010-3687-5787, then it is correct to use the remaining 010-2359-8775. Go?
2377Answer: It's true that I used my mother's cell phone, but I can not remember the cell phone number I used.
2378
2379Q: How long did the suspect use the mobile phone (010-2359-8775) of Mo Kim?
2380Answer: We used until recently.
2381
2382Q: When did the suspect use the mobile phone (010-2359-8775) recently?
2383Answer: I can not remember the exact date.
2384
2385Q: The suspect has not used the phone since April 4, 2015, as shown below on 010-2359-8775.
2386Business name / Order number / Usage type / Origination number / Called number / Call start time / Usage time (seconds) / Outgoing base station address
2387LGU + / 29 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:25 / 0: 1: 17/641 Shinna-
2388LGU + / 30 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:44 / 0: 0: 32/641 Shinnap-
2389LGU + / 31 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:47 / 0:01:37 / 641 Shinnap-dong,
2390LGU + / 32 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:57 / 0: 0: 29/641 Shinna-
2391LGU + / 33 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 16:03 / 0: 0: 34 / 331-1, Seokgung-dong, Seongbuk-gu, Seoul
2392Answer: Yes. After that, it is not used.
2393
2394(The prosecuting attorney said, "How is April 4 recently?", And the suspect answered "I can do that."
2395
2396Q: The suspects called 010-2359-8775 because the suspect's Mo Kim OO mobile phone (010-3687-57787) is correct, right?
2397Answer: Yes. Yes.
2398
2399Q: Is there any person who talked to someone other than Mo Kim OO of suspect in 010-2359-8775?
2400A: I rarely spoke to anyone.
2401
2402Q: Why does not the suspect have a call history from April 4, 2015 to 010-2359-8775?
2403A: You did not call because you had nothing to call.
2404
2405Q. Is it possible to make a phone call to the mobile phone (010-3687-5787) of the defendant Mo Kim OO? (010-3687-5787) as of July 7, 2015 at Gangwon-do? I made a phone call, is not the suspect used the cell phone? (The prosecution violated the privacy and privacy of the suspect 's mother without a court warrant or investigation.)
2406Business name / Order number / Usage type / Origination number / Called number / Call start time / Usage time (seconds) / Outgoing base station address
2407LGU + / 1232 / SMS / 010-3687-5787 / 010-8230-2824 / 2015-07-07 8:50 / :: /
2408LGU + / 1233 / Voice / 010-3687-5787 / 054-840-5466 / 2015-07-07 8:51 / 0:01:20 / 331-1, Seokgung-dong, Seongbuk-gu, Seoul
2409LGU + / 1234 / SMS / 010-3687-5787 / 010-8230-2824 / 2015-07-07 16:29 / :: /
2410LGU + / 1235 / SMS / 010-3687-5787 / 010-4050-7402 / 2015-07-07 16:32 / :: /
2411LGU + / 1236 / Voice / 010-3687-5787 / 010-8230-2824 / 2015-07-07 18:01 / 0:00:51 / 346-3, Sansuri, Namsan-myeon, Chuncheon-
2412LGU + / 1237 / MMS / 010-3687-5787 / 010-792-9484 / 2015-07-08 14:31 / :: /
2413LGU + / 1238 / Voice / 010-3687-5787 / 010-5660-7804 / 2015-07-09 13:12 / 0:01:11 / 3rd Floor, Canaan Church 207, Jung-hwa-dong,
2414
2415A: It's not my own, it's my mother's cell phone.
2416
2417(The prosecution investigator questioned the accused about why her mother went to Chuncheon city in Gangwon province, and the suspect did not know that this was not recorded in the record.)
2418
2419Q: Is the suspect going to the village resort of Gonggok-ri?
2420A: I was at home.
2421
2422Q: Was the suspect alone on July 7, 2015?
2423Answer: Yes. I was at home alone.
2424
2425Q: Do you remember when the suspect, Mo Kim, came home?
2426A: My parents went out together, and I do not remember the exact date of my return home, but I remember coming back home about the weekend.
2427
2428Moon: Look at the phone call (010-3687-5787) of the mobile phone (010-3687-5787) of the defendant Mo Kim OO, and it is described as the 3rd floor base station of 207 Canaan church in Jungang- What do you think it is?
2429A: I can not remember the exact date my parents returned home.
2430
2431Q: If so, was the suspect alone at home from July 7, 2015 to July 8, 2015?
2432Answer: Yes, yes.
2433
2434Q: What did the suspect do at home alone?
2435A: I do not remember exactly what I did.
2436
2437Q: The suspects last, "2015. 7. 7. At 20:20, the obsession for President Obama was posted on the White House, and on the same day 14:57 on the same day, there were traces of reading the s.txt file in Korean, : 20) 1 minute after 20:21, capturing of threats (isis.png) is confirmed on the computer of the suspect, and at 21:10 and 21:19, the above s.txt file is forwarded twice The suspect said, "I just scanned the computer and copied it to a text file, and I do not know whether it was scanned or not." How is it?
2438Answer: Yes. It is correct as I stated before.
2439
2440Q: Is the correct time for the suspects copied from the suspect computer through Internet search and pasted to the text file?
2441Answer: I do not know the exact time. It is correct that I copied and pasted the results from Internet search.
2442
2443At this time, the defendant responded by saying, "Let's rest for about 10 minutes and proceed with the investigation again." After taking a rest for 10 minutes (15:05), the defendant's lawyer sits again next to the suspect : 17). (Attorney Park Cheol-hyeon asked the prosecutor "Let's take a break because I have to deliver the papers to another client.")
2444
2445Moon: The suspects are posted on the White House website on June 7, 2015. The threats to Ambassador Ripper are posted on the homepage of the White House, and one minute later, at 02:27 pm, ) 'File was created on the suspect computer. Is it the time that the suspect was copied from the suspect computer through Internet search and pasted to the text file?
2446Answer: The exact time zone is ... (At this time the suspect closed his eyes and thought for a while) ... It's a little hard to remember. It is correct that I copied and pasted the results from Internet search. (The prosecution officer exaggerated that the suspect thought for a while, through the depiction of the behavior of the aggressive person.
2447Q: How about a detailed explanation of how the suspect copied and pasted the results of Internet search?
2448A: I went into the internet and searched, but the search terms were hard to remember and I copied the search results and pasted them into a text file.
2449
2450Q: How can I get the search result because I can not remember the search term?
2451Answer: ... It's a bit difficult to identify the exact query. (The suspect searches a large number of search terms to find search results just like ordinary people, remembering only the search results, and not remembering what search terms you searched for.)
2452
2453Q: The suspects are www.blogger.com, jeolladian.blogspot.com, jeolladian.blogspot.com, helkorea.blogspot.com, helpkorea.blogspot.com, bosulachi.blogspot.com, antihufs.blogspot.com, antihufs.blogspot. kr, avstats.avira.com Do you know these sites?
2454A: Of the above sites, www.blogger.com, avstats.avira.co is an unknown site, and jeolladian.blogspot.com, jeolladian.blogspot.com, helkorea.blogspot.com, helpkorea.blogspot.com, bosulachi.blogspot.com , antihufs.blogspot.com, antihufs.blogspot.com are my blogs. Bosulachi is an Internet language that refers to a woman whose conduct is the target of social criticism.
2455
2456Q: I have access to the above sites on July 7th and 8th, 2015, and I am sure that the hackers will be able to access the sites, such as jeolladian.blogspot.com, jeolladian.blogspot.kr, helkorea.blogspot.com, helpkorea.blogspot.kr, Do you know how many URLs such as bosulachi.blogspot.com, antihufs.blogspot.com, antihufs.blogspot.kr know how?
2457A: I'm not sure, but I do not have access to all of the above. (The suspect opened multiple blogs with one Google mail account.) I insisted on 'Google Cache', and my parents and lawyers claimed that my laptop might have been hacked at this time. (Attorney Park Cheol-hyun who heard this statement stared at the suspect for a while without saying anything.)
2458
2459Question: Why did you tell the log records that you have access to the above sites on July 7th and 8th, 2015, and that you have not accessed all of the above sites?
2460A: I do not remember what I did at the time. (The suspect has not been able to access all of the blogs because he did not manage them by creating multiple blogs.
2461
2462Q. When the prosecution reimages the suspect's laptop, he said, "I do not have Hangul input function on the laptop that the suspect uses, but I entered Hangul using the Internet input device." However, How do you do it? (When imaging at the Cyber Office of the Public Prosecutor 's Office, the Cyber Investigator of the Public Prosecutor' s Office showed the process of analyzing the laptop to the suspect.
2463A: Find the site that comes up with 'Hangul input device' on Google and click on the search result to input Hangul using the keyboard. There is a Korean keyboard on the notebook I bought and confiscated. The alphabet and Korean are shown on the keyboard. I used a French version of Windows XP on the laptop. I have installed a French version of Windows to enter French special characters. (The official testified, "Why do you write it?") And the suspect stated "I bought a cheap laptop because I was unemployed, I wrote it with inconvenience." However, I did not record it in the record. However, the prosecution cyber investigator estimates it to be between two and three million won, "from the beginning," the laptop's hard disk capacity is quite large. "
2464
2465Q: How do you describe the process of entering Hangul in Google in detail?
2466Answer: First, enter Google (www.google.com) into the Internet address bar, and when the Google window appears, enter the Korean input device (gksrmfdlqfurrl) in English into the search box. Then, the Korean input method site appears in order, and from the top of the Korean input method site, click downward to find a site where you can input Korean. If you find a Hangul input site, you can input Hangul by using computer keyboard and then copy the Hangul input and paste it in the place where Hangul input is needed. (The suspect's laptop is in French, so typing www.google.com leads to www.google.fr.) Even if you search for both sites with the same search terms, the order of the search results displayed is different.)
2467
2468Q: As a result of the prosecution's hacking test on the suspect's laptop, there are no signs of remote control, especially on July 7, 2015, and July 8, 2015. How about this? And the suspect did not delete the access log from the laptop router?
2469Answer: (The suspect does not answer the hacking test result.) I just entered the ID and password on the router, and I do not remember when I entered it. I did not delete the Router Access Log on June 25, 2015, June 7, 2015, and July 8, 2015.
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
24915. Forensic Investigation Verification Statement
2492
2493
2494
2495This is the written opinion of Kim In-sung, who was delivered by Yong-Min Kim, on January 19, 2016.
2496(Kim, In Sung: Professor of Hard Disk Analysis, 010-5270-5779, No. 819-5, No. 4, Bangbae 4-dong, Seocho-gu, Seoul)
2497Kim Yong-in received 1 million won for the imaging cost of hard disk at professor Kim In-Sung.
2498A year later, the family members who were suspicious of Kim In Sung 's identity asked him to send an image. Kim In - Sung sent two hard disks using the convenience store courier postbox.
2499However, my mother was not a hard disk that I gave her to keep the imaging, and when I asked her lawyer to return her hard disk, Yoon Min Kim told her that the woman was lost.
2500
2501Forensic Investigation Assurance Statement for Brother 6666 Case in 2015
25021. Whether hacking outside
2503No external hacking traces were found.
25042. The legitimacy of the forensic process
2505There was no expert to judge the legitimacy of forensic work in the seizure process.
25063. The fact that White House access records do not exist on the computer
2507If you use the Web browser's secret access feature,
25084. Whether to change the router MAC address
2509The router MAC address can be changed and there is also a trace of change.
25105. Whether the 7.21 date file exists,
25117.21 Date The created file does not exist. The date of file creation in the report is considered to be the date of creation of the report, which is the author of the report.
25126. If the hash value of the hard disk imaging file is different
2513It is judged that the hash value has changed because reimaging was performed after rebooting the computer to check the time zone after imaging in the seizure search process.
25147. White House screen capture file
2515The White House screen capture file is captured and stored on this computer.
2516This statement is a review of the evidence only and is not a definitive opinion and may be subject to change if additional evidence is available.
25172015.12.29 Kim In Sung. (signature)
2518
2519If you use the web browser's secret access function, you may not record the connection.
2520It's hard to rule out the possibility of using the incognito feature because you asked about the incognito access in the newspaper process and answered that you knew about it.
2521
2522-------------------------------------------------- --------------------------------------------------
25231 Com oo evidence recording .pdf - Adobe Acrobat Pro - â–¡ X Q Not turning, Accounting, Office, ? â–  City, | | N â–  Tools Comment j Share
2524
2525If downloaded from the Internet, the above file name and the Zornjdm file will be created. By the way, the above file is not found on the computer. If you look at the above, what do you think the suspect looks like in a file
2526Answer: I'll take good care of you.
2527Law? : Google has 4 secrets on each of the browsers. That's right.
2528Q: What is your reason for using the above sounds? Answer: It is useful to use something because it is a novel.
2529Moon. What is Incognito? Answer: I do not know.
2530Q: The secret function is to set up internet connection in case of internet browsing, but it does not save the temporary file and save the Internet connection. Do you know Lee?
2531Answer: I do not know.
253250! 1
2533-------------------------------------------------- --------------------------------------------------
2534[Picture that opens this OO evidence record .pdf file with Adobe Acrobat Pro]
2535
25364. Whether to change the router MAC address
2537The router MAC address can be changed and there is a trace of change.
2538Router Shows the log when changing the MAC address, but has the function to prevent the log setting from being saved in the router setting.
2539
2540It is difficult to say that the MAC address associated with the IP address assigned by the vendor is found on the router, and that the MAC address is not used because the change log is not left on the router.
2541
2542-------------------------------------------------- --------------------------------------------------
2543hole! This OO evidence symbol .pdf - Adobe Acrobat Pro X | fi Making things 0 â– ? â– ? p P ç ë—¬ wind year t, 4; 6221S! ^ 10 +, 7% 1 ^ B 'tool 1} Lube
2544
2545| U Ms wks iptlMI Q x 'Minute'>>>>>>> Itetvork # ipTiMEdDS </ tltia> vl. Number Cfd timeprQfl], html? I have bought a new college. I was not able to address you at the address
2546j medicinal medicine 5.7 bottom 7
25472551255.255.0 CMW> 8 ã‚³ ãƒ³ å…¬ æ»¿
25485MA0 $ - $ .7 SM4 1 1 Company name Address
25491 SZJM0 minutes) MAC appeal 0S-60-B â‚¬ -E4-F9- $ A liia
2550Peek a: Well,
2551
2552[Picture] timeproUltxl om Mini language display
2553- At the time of the crime, the user's Internet Router <Administrator's Page
2554- Internet access routers from 2015, 7 7, .19: 57, 7, 8: 02: 44, which were found on the commissioned notebook,
2555To connect to the Internet Router, connect the two terminals of the Noto Book. 4. Save the configuration file.
2556Why do you check your internet connection information call? ë£” 7. 7. 20:03:05 ë£” 7.8 02:33:24
2557On the White House Web site, the threats are changed between the time the two messages were published, and the time that the change was made to the router.
2558-------------------------------------------------- --------------------------------------------------
2559[Picture 4 of this OO proof record with Adobe Acrobat Pro opens .pdf file]
2560
25615. Whether the 7.21 date file exists,
25627.21 Date The created file does not exist.
2563There is no file that matches the creation date of the file specified in the report.
2564The creation date of the file, such as the name of the file submitted as evidence in the report, is prior to the seizure.
2565
2566The s.txt file submitted as evidence in the report matches the file creation date recorded in the hard disk imaging data.
2567The date of file creation on the report except s.txt is determined as the date of the report creation.
2568Therefore, it is a mistake of the report author to make the file creation date as 7.21.
2569-------------------------------------------------- --------------------------------------------------
2570Fruit: F: \ 15, Terrorist, with a lot of light, 653, txt _Z0l5-07-21, 9 ^ 7? 06; 30
2571AG public. â‚¬ 53 ts 6,1 nJt and public hOO65356.Ink ti 1? Of f t C5
2572Sase? Tce & qcujs ^ nts ar? IiigÂ§ \ H \ Sur? SAu \ s. txt
2573Machine Na service o
2574ft public .l public fcive Path? *, 3 public t
2575Volujj? Lafcei XPwFR
2576Socking .Wrector class, 0 min. ç æƒ³ å¹» æ–‡ å…¬ å…¬ nd S? T * vi? \ M \ Buceau
2577Volism C ç„¶) :) stone ct QUID {F3 $ SACOA-mt3-4e ^ 7-S34 8 ~ å…¬ *? l Public name 6 ç¾© 504.1.1
2578Fil. Good Gbj Public T I I I I I F F F F F F 38 38 n n n n n n n n n n n n n n n n n n
2579Tim stone tarap: U / Q9 / IQ C7: 27J'ja IAACT -0-50-8 ^ -S4-F? -5A)
2580Target VoiuKto C? UXD (P36SACDA-FB13-4 617-S34ij-D7162E & A5De I?
2581Target File Suppression 2D (nUTBBA-388Â® ~ I; S4--0-5; F9 & A) (Sequence: 1BF1 tisiestasp: U / Q9 / lb Q7: 2 ?: 3E: CK â† 56 ~ M-F5 -5A)
2582Creased 14 / C9 / IQ 1 Public: SHK * 46 Modified 15/01/07 i4: 57: 58 Accessed 15/07/0? 4: 5'7: S name Co4? Paae 0
2583Drive Type RIVE FIXER Tiia Attributes 32 tCriawa Folder Type C Kno- # n Folder value 0 1.1 nk 155-
2584Liuk t? N ^ th 429
2585? icp-erty Storage Si model 0 Sg>? cl public 1 Folder'type public 0 5jj? c.l * a Foid6? Value 0 Vist? And Msove ID hi $ t Voims Series a i 84e? 20fb IDList siZB 56
2586,,, voice
2587V ':' '
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614Q Q, 0 S g) S? , | | | | | | | | | 3 3 3 3 3 3 3 3 3 i Comment: i? u
2615., Hitcher. .fesl: i
2616
2617F: \ 15 "D / I, _ / minute, school strikes \ AOG65516> txt This is the astigmatism?
2618A00S5513.ink
2619A0065SJ8.I? K m? ? ff? #t o
2620B & se Path C; S & ocie nents S tt t. tx%
2621MAchine: Nai å…¬ å¥½ o
2622R? Iativ? P name th ?, \ Bureau \ public, txt
2623Volume Label X? _FB
2624Working 01 rectory C:, D eu n osts and Settir, y  \ H \ ByC-SSA?
2625Vt> U? Ws GUID C F3SEACDA-PBX3-4 â‚¬ 27 ~ BM 8-D? 162K â‚¬ A5C! 41 i
2626?School tsjdet; I am a member of the lima-esza-ap: H / 09/4: I am a member of SGS, 10 0 * 7: 27: 3 Shiki Kouichi 3 '* 54-F å¤š çŽ„ çŽ„ å…¬ 1
2627Target V? U GUID i F36? BA-F8J3-4? N, B343: 71S2E vs. S if target File GUID \ F116P3 & A-3esa-1 IS4'9Bn-0050B654r95A) ^ S? ; 1BF1 Ti group est, provision: 14 / 0t / lS 01: 21z3B me: 00- * 5Q-S6 ~ 5 <-r9-5A}
2628Created 14/09/10 1.6 i 5 å¤š: <8 Ho <U? I? Mi 15/07/0? 2i; 10; 5f>
2629Aiicftaaed 15/07/07 21:10:56 CodÂ® ge 0
2630Dt'iv? ?> * p? DRIVE__FIXED Plie Attributes 32 Kn public wi Folder Type 0 Known Folder Value 0 Utik: rug * i5S Link Length 4 * 3
2631Storage 3i and Good G
2632Special? Oidd? Type C Special Faider V & ia & 0 Vista And Above ID List S. Left.
2633Example:
2634K (~ 6 *
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658This OO evidence record .pdf - Adobe Acrobat Pro, gse view
2659Not taking, | Cotton @? El | Incense â‘© [5 yes urine CS>
2660File: r: U5 terrorist attack v. 11 file UCH36S way, Uct 2D 15-07-21, afternoon; 5i52
2661A00? 5S4i.Ink
2662N * 3  AaG65S41.1nk
2663m? orraat o
2664Minute as? fdth C:, D Phantom n StstUags \ &. txt HaChlne ç‚Ž æ¾ Tf? Q
2665H? Slativ? Path. .
2666VoJuaw 1 ^ 1 5C ^? Hi
2667å¯’) orKing å¤š ã„ ãƒ¬ ã‚¤ ãƒˆ å…¬ r CiXPmrasssrsts aj 'æŠ€! Receiving ttiR å¯’ æ•ˆ ç„¶ '8 ì»; r å…¬ç”¨ u
2668Voi_ Object QU10 jf36KAC Show * Each 1 ^; 8348-Public "71S2 çŽ„ 6
2669File Oblct GUID {fl 16IT35A-38BB-U- ^ 8F.l -00500654F9> h) (Sequence aoe;
2670Ti 3? T? P; 14/09/10 07:21:38 ma00-SO-BS-54-r5-5A}
2671Target V public lame GUID lr36? ACDA-F8i3-5? S34t ~ nil62E4ASG41}
2672Target file GUID after rii6rBSA-383S-liE4-9BFl- public t> 5G distribution name (Stance; lBF1 Ti? F9-5A)
2673Crmi ^ a 14/09/10 15:59:48 Modifisd 15/07/07 21:19:06 Accessed 15/07/07 23: l.9: C!
2674C min d? Page 0
26750Reg9 Type DRIVE ^ FIXED Fils fttTribufCSSS 32 Known Folder? Yi> 0 Known Folder Value 0 Link Flags 13S Link length 428 Property Storage Folder 0 Special Folder Value 0 Special folder Value 0 Vise * AJKJ Above ID List Size 0 V? lvna? Serial 34ecZ0ffo lDIxi *? T $ ji x? 5 people
2676
2677Rupture; F? \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ "
2678worship- y? y.
2679And zhe ir.snu says the price is esc Hye after tiftng for higher s If you puni ^ hmecst skill, You * v & rae eiy hit your body Yu public t 10 times times per day.
2680And youi: â–  name ge conaectln ^ i tim? is about 2 houra p * er day.
26813o you  rn ç”° inimai. 68 d ^ llacs per day c ^ Iy 5 hours o.f your par: t z, isse jo minutes,
2682house name r; if yoti tec ^ xvr? Percent frow myfr Opinion: è°· e èº« ä¿ ....
2683You also as ç”° d to be a cranny, r.iqitt?
2684X 3 Nine the scar aroimd your artificial pussy t> ut no .scars airouiKl yoar boobs,
2685Should I get gander xr? AJs * i <jn? ERt korean pera.ti korean ok my p * r: is onlyl
2686t want to q & t into that buainesas after ft .t -s \ jt ~ off ray å»º æ–‡ ck,
2687l thin I can qualify that public u ir> e and it ito after ad sonr ? wuch plastic surgery å¼º åˆ†?! å…¬ y by acit cast ration.
2688In South K Public Corporation, I Ciir. als-o ijenefiql.ai t effective free af military service l
2689have no tej? Licln.
2690Anyway l no? D your consuitatior, - and I want to ch? T ;. with you,
2691Pieaae, show your gonsro-city 3, nd sve my pcor a public ui.
2692I votahlp you and ad ç„¶ ä¸» r æŽ¥ your g? Nic (skill a idea,
2693å¯’ ë± å¥½ t regai: d3f i.jsahu? A ^ g ^ aii.coir}
2694Lii ^ a Is and Cr and ssyy
2695I am going to be raped by the abductee of Obama's public office.
2696- Addreiss:
2697Office of Infccrrui.doaai Sw. Koxtian & E æ•ˆ t; , S S S S!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
2698- Website: htqfK // jsufiiflwsf. memory
2699-? hon? : + 82-2-2173-2062
2700- FAX; i82-2-2n3-28T?
2701- çŽ„ ä¸€: çš„ si çŽ‰:? UJ ç”° meirdhufs â–  a å…¬> kr / irsfnsf ^^ gisaSJ ^ ccsc;
2702TSL. i-92-2-2173-2062 c ~ r * aii, T ^ E8HUFs. ac.kr / i3shuf sig ^ sax; .C; XR
2703Paige! ?
2704OUTP
2705
2706-------------------------------------------------- --------------------------------------------------
2707[Record this OO evidence in Adobe Acrobat Pro. 5 photos opening a .pdf file and 5 photos analyzing the evidence file with EnCase Forensic]
2708
27096. If the hash value of the hard disk imaging file is different
2710The difference between the initial imaging and secondary imaging hash values is determined by the reimaging after rebooting to check the time zone after the initial imaging.
2711
2712-------------------------------------------------- --------------------------------------------------
2713! Ðž Ð¾ | , Seok Seok-cheon Information | 4: Surname Name Contact I Investigation of Cyber Investigation Unit, Seoul Metropolitan Government Liaison Officer OO 02-700-5923 1
2714Carpenter | ! If the accused has contacted the White House Web site on July 7, 2015, and 7 * 8, 2015, and intends to threaten the US President's family and US Ambassador to Korea,
2715
2716Cancellation request information (duplicate image)
2717Model name (manufacturer) and file name Hash value Sennheg notebook ^ ACHI HDD Z5K500-500 mounted on lenovo B490 Replica image of 500GB 3 ^ 500GB ^ NOTEBOOKM1 ~ 29 29 files 2a2ff60f03143ff34eelel 65830e322a2 (MD5) p, 'Seagate HDD ST500DM002 Clone image of â– 
2718ab5b3e7f256963d5cfe9 150713J00GBM1? E12 12 files fll.94964dbf5 (MD5)? Agate Replication of HDD ST3250820AS 50713J50GB.E01 ~ E15 15 files 9e! 50077d753fl01e733 <52ece3a246e7 (MD5) 1
2719-------------------------------------------------- --------------------------------------------------
2720[Photo taken with a document tied up with a mobile phone camera and wired]
2721Hash value generated at initial imaging
2722
2723-------------------------------------------------- --------------------------------------------------
2724(3) Fruit and hash value
2725i number of extracted file name hash value _5) | 1 1 Notebook ienovo B490 j1 HITACHI HDD Z5K500-500 / 1 1 500GB image file 1 1 i507I ^ 500GELNOTEBOOK.EQl 1 1 ~ 29 * 29 files Results, Requests llzip 288354CFC1A94D552 |
27261 6Aim24? D181F0 \ / 2 I 150713J00GB.E01 ~ E12 / 12 No fruits 'None \ I 3 I 150713J50GB.E01 - E15 1 15 No file I â–  1/4 1 [20150713-segateJOgM' â–  12 No file * 1 None \! 51 150713J0GB.E01 ~ Ell f- 11 fruits m \ ^ \? It can be used as a tool, ? J \ Row 1 1 1 1
2727-------------------------------------------------- --------------------------------------------------
2728[Photo taken with a document tied up with a mobile phone camera and wired]
2729Hash values created when imaging after turning on the computer for time zone verification
2730
2731Note that copying an imaging file does not change the hash value. The prosecution needs to explain why the hash value reimaged after the time zone check and the hash value imaged by the prosecution are different.
2732
27337. White House screen capture file
2734The White House screen capture file is assumed to have been captured and stored by the suspect on this computer.
2735There is no possibility of a hacking because the suspect has acknowledged that he or she has copied it directly (through testimony that he has been downloaded from the Internet and downloaded it).
2736The file creation time differs by one minute from the time of writing to the White House, and the posting of the same contents on another site is after the time saved, and it is unlikely that it was downloaded from another site.
2737End
2738
2739Kim, In Sung (Professor of Hard Disk Analysis, 010-5270-5779, No. 819-5, No. 4, Bangbae-dong, Seocho-gu, Seoul)
2740In 2016, I sent two imaged hard disks to my house using a convenience store courier postbox, which is supposed to be a convenience store around Kim In-sun's house.
2741My mother did not image it on a one-terabyte 1-terabyte hard disk (purchased on the trial journal on Feb. 3, 2016) provided by lawyer Kim Yong-min, and the female employee lost it and did not return it.
2742Kim Inseong did not image the hard disk, but left the imaging data recovery company around.
2743It is the home address of Kim In Sung. This area is a redevelopment area.
2744?
2745?
2746It is the location of the private data recovery companies around Kim In - sung 's house.
2747?
2748The order of companies close to Kim In - sung 's house is PC Doctor, Computer Repair Mechanic, Plus Com.
2749And there is one company that runs several business names, computer repair.
2750?
2751However, in order to check, you should check by telephone to see if there is any data recovery in the name of Kim In-sung or Kim Yong-min in December 2015 before it is too late.
2752
2753?
2754It is contents introduction of PC doctor.
2755?
2756Because there is a device that analyzes the computer hard disk in the business guide picture, I did the imaging but I did not introduce it in the business contents.
2757This is the introduction of a computer repair machine maker.
2758?
2759It is a company that provides internet construction.
2760?
2761Pluscom's introduction
2762?
2763Because it is a company that restores the hard disk, it also implements it.
2764
2765
2766
2767?
2768This is the introduction of the company near the exit No. 5 of the No. 7 line.
2769The company is estimated to have a large number of businesses with several businesses, computer repairs, welcome computer repairs, homepages, trustworthy computer repairs.
2770?The basic price for data recovery is 70,000 won.
2771In terms of accessibility and ability to work, computer repair is the most powerful, so it is most likely that Kim In Sung or Kim Yong-min has imaged the hard disk at this company.
2772?
2773The distance is long, but there is also a 13-year-old company named DuriCommet.
2774?
2775This company also provides data recovery.
2776?
2777The parents gave Kim Yong Min lawyer 1 million won in the name of hard disk imaging, and Kim Yong Min lawyer gave the imaging through professor Kim In Sung, but Kim In Sung did not analyze the image.
2778On January 19, 2016, Kim Yong Min submitted a written opinion of the Forensic Investigations to the Dr. Lang 's judge on December 29, 2015, written by Professor Kim In - sung, for the case of Brother 6666 in 2015, and gave it to his parents.
2779Professor Kim In Sung wrote that he confessed that the suspect confessed that he did not make any comment on the imaging analysis, but attached a photo of the surveillance document to the statement of opinions.
2780In addition, it clarifies that the probationary period is a mistake of the investigating officer in the time frame proposed, and also revises and complements the examination documents.
2781Kim Jong-moon, the appellate judge, also complained about the written opinion of the forensic investigation.
2782It is doubtful whether professor Kim In Sung deserves money.
2783Also, Kim, Yong Min attorney 's female employee lost responsibility for lost 500,000 won hard disk was not compensated.
2784On February 3, 2016, this incident was recorded in the trial journal and the parents were informed about the measures.
2785At that time, I was 100% confident that Yong Min Kim was not doing hard disk imaging.
2786However, the parents responded negatively to Kim Yong-min's lawyer, responding to the lawyer's feelings, worrying that the lawyer would not be able to argue well.
2787I want you to be innocent and quietly end the case.
2788But being too passive and coherent gives the court a confidence that he can convict himself.
2789Parents should publicly rebuke the lawyer Kim Yong-min and Professor Kim In-Sung of this behavior.
2790
2791----------------------------------------------------------------------------------------------------
27926. Investigator Testimony
2793
2794
2795Witness newspaper report (part of the eighth trial)
2796Event 2015 Torture 4685 Threatening
2797Name M OO
2798Date of birth 19OO. O.O.
2799Housing Seoul Chongno-gu Sajikro 8 Gil 31, Seoul Metropolitan Police Agency Cyber Investigation Department (Investigation Section)
2800judge
2801If a witness asks whether he or she falls under Article 148 or Article 149 of the Criminal Procedure Act and acknowledges that he / she does not fall under this clause and explains that he / she can refuse to testify if he / After warning the punishment, he stood on the board and made an oath. The next witnesses did not finance it.
2802The contents of the newspaper about the witness are the same as the recording file of the court recording system (the original number 160321141735).
2803March 21, 2016.
2804Hwang,
2805The judge (doctor)
2806
2807A statement on the testimony veto notice
28081. A witness may, if he / she has any of the following reasons, deny his / her testimony to the presiding judge by calling for reasons for refusal.
2809end. If a person who has a relative or relative with a witness or a witness, a legal representative, or a supervisor is found to be subject to a criminal prosecution or a complaint or convicted (Criminal Procedure Act, Article 148)
2810I. If a witness is in such position or in such position as a lawyer, a patent attorney, a notary public, a CPA, a tax accountant, a taxpayer, a doctor, a doctor, a dentist, a dentist, a pharmacist, a midwife, a midwife, a nurse, (The Criminal Procedure Act, Article 149)
28112. In addition, a witness may refuse to testify if he or she finds that there is a reason similar to that of paragraph 1 of an individual or specific newspaper after the oath.
28123. If a witness does not expressly deny the testimony or give false testimony to a newspaper article that has the right to veto testimony, he / she shall be held liable for perjury please.
2813Witness M OO (signature) or signature (handwritten signature)
2814
2815Oath
2816According to the conscience,
2817In fact,
2818If there is a lie
2819To be punished for perjury
2820I am a wanderer.
2821Witness M OO (signature) or signature (handwritten signature)
2822
2823
2824Recording book (main point)
2825
2826Case Number 2015 Highland 4685
2827Due Date: March 21, 2014
2828Remarks Inadequate question, the Attorney's objection to the Attorney General's 25th article of the State Newspaper is on page 16, pages 21-22, page 17, pages 12-13, Part.
2829
2830I submit a transcript prepared in accordance with the provisions of Article 38, Paragraph 1 of the Criminal Procedure Rules.
28311. Attachment: Witness newspaper recording sheet (total number of pages: 52 pages) about the witnesses M: OO 1 copy
2832March 21, 2016.
2833Stenographer Park Sang Ki (Painting) (Painting)
2834
2835â€» This transcript was written in a way that summarizes only the main parts of the statement _
2836â€» Parties and witnesses may object to the matters described in this transcript. When an objection is raised, a court clerk or other person must indicate the intent of the objection in this transcript or in a separate document or correct the relevant part of this transcript.
2837
2838judge
2839The witness of the witness, Ms. OO, acknowledges the need for recording, and orders recording of the whole thing in accordance with the provisions of the relevant criminal laws. The contents of the witness newspaper are all recorded, so please be sure to tell the microphone when speaking.
2840Notice of testimony veto. Witnesses' testimony may deny the witness or any person who has a close relative relationship with the witness to be subject to criminal penalties or to testify about the confidentiality of the other person whom the witness has known for work. After witnesses have sworn in, they can also refuse to testify for the same reason in individual newspapers. And if a witness lied after an oath or if his memory is unclear, but his memory is clear, he is punished as a perjury. Please swear.
2841
2842witness
2843According to the oath and conscience, I speak truthfully without any concealment and assistance, and if there is a lie I swear to be punished for perjury. Witness M OO.
2844
2845inspection
2846To witnesses
2847(Provide an investigation report on page 172 of the Investigation Record No. 10 in the Evidence List)
2848Q: Is it true that the witness wrote the investigation report that the defendant's blog was confirmed and the relevant article was printed and attached.
2849A: Yes, that's what I wrote.
2850If you look at the printouts attached to this page, you can attach a copy of your diploma, certificate of graduation, transcript of graduation certificate, copy of transcript, transcript of graduation certificate, transcript of graduation certificate, The Ministry of Education 's complaint titled' I have been suspected of forgery and plagiarism due to the unilateral change of graduation course of the university ', and the contents of the complainant' s contents have been confirmed on the defendant 's blog.
2851Answer: Yes.
2852Question: Is it true that this article was also printed on the defendant's blog, on page 185 of the Investigation Record, "What is HUFS?"
2853Answer: Yes.
2854Question: Is it true that the content of the complaint posted on the defendant 's blog on the title page of the Investigation Record on the 188th page titled "My Civil Service Complaint (Civil Title - Good Morning)" is correct.
2855Answer: Yes.
2856Question: Is it true that the post on the page 192 of the Investigation Record entitled "Aversion to feelings when I am good at English" on a blog called "Korean Anxiety Antisocial" is also printed on the defendant's blog?
2857Answer: Yes.
2858Q: On the 193 page of the Investigation Record, is the posting on the defendant's blog the subject of "Why do I go to the brothel and buy a woman?"
2859Answer: Yes.
2860(Proof of the investigation report No. 238 of Investigation Record No. 13 in the Evidence List)
2861Q: Is this the report of the investigation titled 'The original file of the intimidation document that the suspect was found on the OO computer'. Was this investigation written by the witness?
2862Answer: Yes.
2863Q: What is the content of this investigation?
2864Answer: This is an investigation report on the time, file name, and file path created for the original text capture file found on this OO computer.
2865Q: Isis.png, usa.png Meta information of file, information of file attribute information, and printouts of original text are attached.
2866Answer: The attachments to follow are attached by the Kim OO analyst who analyzes the digital evidence, and the investigation report was written by me.
2867Q: Are you handing it from an analyst and attaching it?
2868Answer: Yes.
2869(Proof of Investigation Report No. 15, Investigation Record # 258)
2870Q: Is it true that the witness wrote the investigation report titled 'The White House homepage written by the suspect computer'?
2871Answer: Yes, this is just the same thing as I mentioned before, with the fact that I received the data from the digital evidence analyst,
2872(Proof of Investigation Report # 401, Investigation Record # 25)
2873Q: Is it true that the witness wrote the investigation report titled 'The suspect is checking the OO notebook time zone setting'.
2874Answer: Yes.
2875Q: Please explain the contents briefly.
2876Answer: The description of the operating system in French language, the initial installation time of the operating system, and the time when the notebook was last shut down. 13. 20:47:18 and we started the 7. 13th light-duty search at that time and found the evidence file on the laptop and turned off the computer to see if the integrity was changed immediately, so the final shutdown time came out at 20:47:18 I will. On the next page you will see the time that you booted the notebook for the first time. On that day, on July 13th, when the time of this OO's computer was booted, the time came out at 20:07, and when we handed the laptop to the defendant's mother on the spot, And it is usa.png which is image file related to crime which is found in notebook. 
2877The file creation time is 2015. 7. 8. 02:27, and when I run the image file, it shows the link file creation time and I took a picture of the notebook screen at the time to confirm that we did not change the image The camera I shot was Samsung SHV230S and the recording time is 20:47. Exactly the computer
2878The last time you left the notebook on the next page is 20:47:18. After taking a picture, we can see that we shut down the computer immediately to ensure integrity. And this is International Standard Time, which explains that there was an error of -7 hours between France and Domestic Time because France applied daylight saving time in Paris at the time, and the date of the last access to the usa.png key evidence file and the date of access. It will be July 13, 20:42, UTC and July 13, 2015, UTC. Because the last time we saw and accessed the file in the field, the exact time of the seizure was 20:42. It is the investigation report that explains what is related to such a time.
2879(Exhibit # 4 of Evidence # 25-2 on the Evidence List)
2880Q: Is it true that the witness wrote "Google Chrome Capture Function Analysis, Analysis of White House Screening Screen"?
2881Answer: Yes.
2882Q: Is the witness actually testing the front page of the White House website? Contact us?
2883Answer: Yes.
2884Q: When I created a post using the full screen capture function associated with the Google Chrome browser and then captured it, did you notice that it was saved as a png file format?
2885Answer: Yes.
2886Q: Does the file name capture the url address and then capture time information automatically?
2887Answer: Yes, it contains the captured time information.
2888Q: And did you check the result screen when you click submit button?
2889Answer: Yes.
2890Q: What is the following?
2891Answer: The defendant has also found five lists of photo files that were captured using Google's screen capture feature on his computer.
2892Q: These files do not have a direct relationship with the subject, but are they still captured before the crime?
2893Answer: Yes, you can tell that the defendant used the Google Chrome browser's capture function to capture it.
2894Q: Have you captured screenshots of the White House homepage?
2895Answer: Yes, I did it again when I finished capturing the screen that was on the captured screen.
2896(Present evidence page 285, Investigation Record, page 465)
2897Q: Is it true that the suspect is an investigation report titled "Cheong Wa Dae and the National Newspaper Articles Found on the OO Computer" by a witness?
2898Answer: Yes.
2899Q: Here is a blue house .png file and a questionnaire report for two .pdf files. What is it?
2900Answer: Blue House.png is the defendant's access to the Cheongwadae homepage. 26. Foreclosure Notice I received a civil defense training in Dongdaemun District this April. I went by taxi to the corner where I went by subway. It is a file that I wrote and wrote with the message "I will do the transfer from Mapo side in Goat."
2901Q: We will have a one-person demonstration in the direction of Mapo Grand Bridge Yeoido. Please pay Civil Defense transportation expenses. 20,000 won "written on a lm box paper horizontally, hanging on a railing, I am bound by a nylon string on a railing alone, and I am planning to return home. The location is July 26, 2013. 26. Is this the place where the male representative of Sungjae period was sent by the representative?
2902Answer: Yes, it was written that way.
2903Q: Is this all found on the defendant's laptop?
2904Answer: Yes.
2905(Proof # 486 of Record # 30 of the Evidence List)
2906Q: Is it true that this investigation is written by a witness? This is an investigation report titled 'Analysis of time information generated by capture using the Google Chrome browser capture function'.
2907Answer: Yes.
2908Q: What is the content of this investigation?
2909A: When you use the capture function of the Google Chrome browser to capture the url information and the time after it comes up, the time is the time information of the capture and the time information is the number 143. If you decode it, It is contents that we can confirm domestic time information.
2910Q: Is it true that you can decode the capture time information in the file name generated when you capture with the full-screen screen capture program using the Google Chrome browser?
2911Answer: Yes, and I have tested it myself.
2912(Proposition 971 of Record No. 62 of the Evidence List)
2913Question: This is an investigation report titled 'Attorney's Statement (existence of job file on July 21st, 2015) and Attachment of Pictures found on this OO Notebook'. Is this report written by a witness?
2914Answer: Yes.
2915Q: Is the text explaining that the defendant had a problem that the text file was written after the search?
2916Answer: Yes.
2917Q: Are the photos attached to the crime after the accused found on the defendant's computer?
2918Answer: Yes.
2919Q: Are the printouts attached to the investigation report that I have just verified to capture the original articles or pictures posted on the Internet site, such as the defendant's blog, or the information or material found on the defendant's notebook, ?
2920Answer: Yes.
2921
2922inspection
2923Record 393. We will present the evidence list number 22-1.
2924Counsel
2925I think this part is not written by the witness but sent from America.
2926inspection
2927I want to know how I got the evidence and where I got it to judge it.
2928
2929inspection
2930To witnesses
2931(Provide evidence page 391 of the evidence list No. 22-1)
2932Q: Is this a document titled 'Documents for expressing intention to punish the US government', is this the document received from the US government?
2933A: I did not receive it, but I do not know that it was attached to it by Gwak Dong-kyu of the Ward investigation department at that time.
2934Q: Does Gwak Dong-kyu directly received from the US side?
2935A: I do not know because it is not attached to me.
2936Q: Have you seen this document yourself?
2937I have seen. I have seen ...
2938Q: Is the witness unaware of the availability?
2939A: Yes, I've seen it because I did an investigation with a broadcaster at the time, but I'm not sure how to get it.
2940Q: Is the witness a police officer?
2941Answer: Yes.
2942Q: What is your position and rank?
2943Answer: Cyber Security and Cyber Investigation Department of Seoul Metropolitan Police Agency.
2944Q: Is the witness involved in the investigation?
2945Answer: Yes.
2946Q: When was the investigation started?
2947A: I do not remember exactly. In June of last year or about July, I was threatened by Ambassador Ripper. The letter was posted on the White House website of the US Embassy. We contacted the cyber security office of the US through the US Embassy. I started to investigate immediately.
2948Q: Where exactly did you receive the investigation leads?
2949A: The National Police Agency Cyber Safety Bureau.
2950Q: Is not it from the US?
2951A: I know you are an American Embassy. We received a case from the main office and received it from the US embassy in the main office.
2952
2953judge
2954To witnesses
2955Q: Is the US Embassy the US Embassy in Korea?
2956A: I have been ordered by Cyber Security Bureau of the National Police Agency.
2957
2958inspection
2959To witnesses
2960Q: Is the witness received from the Cyber Security Bureau and does not know exactly when and from whom it was received?
2961Answer: It 's right that I got it from Safety Bureau.
2962Q: Do not you know where you got it from the US?
2963A: Yes, I do not know exactly.
2964Q: Do you know the name and position of the person who provided the investigation lead directly from the US side?
2965A: It is Kim Sung-hoon, the captain of the Cyber Security Bureau International Cooperation Team.
2966In this case, the date of publication of the "Obituary rape against the second daughter of US President Obama" is based on EDT (American Summer Time) applied on July 7, 2015 July 20, 2015) and the connection IP was confirmed as 124.197.152.74?
2967Answer: Yes.
2968In this case, "Mark Ripper," the publication date of the murder intimidation article 1 for US Ambassador to Korea, is based on EDT (Eastern Time) 7. 8. 02:26), and the connection IP was confirmed as 124.197.152.48?
2969Answer: Yes.
2970Q: How did you check each posting date and connection IP above?
2971A: I also logged on to the White House homepage, and I received it from the police and handed it to us.
2972Q: Please describe the reason why the defendant was identified as the suspect of each crime in this case.
2973Answer: Once there was no clue except for the connection IP, I received a reply that I could not confirm the subscriber because I requested the subscriber information on Dongdaemun Cable TV Road TV with that IP.
2974So when we check the area where the IP can be allocated to check the subscribers, we can not remember exactly what is in Dongdaemun-gu in Seoul.
2975We have heard that there is a possibility that it can be allocated from about 2, 500 households, and when we check the MAC address on the computer, we can find the investigation lead to the MAC address. I checked to the closest apartment complex I was assigned.
2976When I narrowed it down, it was O apartment where I can check it, it was the defendant's apartment.
2977I do not know how many apartments the apartment is in the 20th floor. If there are 20th floor, it is 20th floor because there are 20th floor and 20th floor. I have only recruited subscribers to Dongdaemun cable TV in 20th generation.
2978I do not remember exactly, but it has been reduced to about 5 ~ 6 generations, and I had to look through 5 ~ 6 generations and I could not do that.
2979I analyzed the crime trends and impersonated isis. I also impersonated the Korean foreign affairs staff from the phone number and e - mail address of the Korea Foreign Student Summer School.
2980So a team of our investigation team was sent out to the outside world to check if there really is such a person, and there is no such thing there is a person who has a bad tendency to the outside world is not an optical investigation, I confirmed the propensity of.
2981And there are two criminal intimidation articles, the first being the intimidation of the daughter to President Obama and the second being the intimidation to Ambassador Ripper that the second daughter of Obama, Natasha, is raped by anus.
2982This can be seen as a bit of a kinky tendency of the writer, and the second is to threaten Ambassador Repert, whose weapon is called a nuclear weapon.
2983I found a tendency that I could not imagine in a mental state, which is a little impolite. I checked the apartment tenant management card because I thought it was very likely to be an outside official in O apartment. So I think that the defendant goes to a foreign language university I confirmed that.
2984So I checked the defendant's regular phone number, searched Google, and found ten defendant blogs.
2985There was a criticism of the foreign ministry, and the reason why I criticized it was that my majors were changed and I was disadvantageous to my job. The second time I was raped by my anus in my army, I saw a picture of him taking off his clothes, wearing panties and wearing a bucket, and checking his account to ask him to donate himself a little.
2986I was criticizing many other foreigners, and after all that was the right thing, I applied for a seizure search warrant and got a warrant for seizure search at Seoul Central District Court.
2987So I went to the house with a formal search warrant.
2988The computer in the defendant's room was unused, there was a computer in the next room study, I looked at both computers and found nothing related to the crime.
2989Then there was another room next to the kitchen, and the visit was locked, so I asked my mother to open the door and I knew that maybe I could enter because only one could come in.
2990I went in and got a laptop and I saw that the computer language was French, so we did not know French, so I did not know what folder my computer was or what folder it was. When we checked the digital evidence analyzer, President Obama and two of the original captures of Ambassador Ripper were found immediately, so I suspected the defendant had written it, and then shut it down.
2991It was probably about 20:42. I then disconnected the hard disk from the notebook.
2992After we disconnected it, we connected it to the computer cloning equipment, then we had the original hard disk, reconnected the copy hard disk and cloned the same.
2993When you make a copy, the hash value of the hard disk on the defendant's laptop is the same as the replicated hard disk.
2994For example, a hash value is a tool for proving integrity. If the defendant's computer hash value is A, then the hash value of our copy hard disk will be equal to A.
2995Then, in the state of A, if we do not touch the copy, we do the analysis in the same A state whether or not it is sealed.
2996When analyzing a copy of computer A, there is a write-protect device, not just an analysis.
2997Since the integrity of a computer hard disk is immediately broken when we connect it to the hard disk protector, no matter what I analyze by connecting the copy, the copy hard disk is not changed at all.
2998And the file called Imaging is created as a file, and the file can not be changed.
2999If it changes, if you change the hash on the hard disk of the copy, it will be changed to B instead of A.
3000Therefore, the hard disk you image is the same as analyzing with the same original A even when you analyze it anytime, anywhere.
3001It was discovered, and we proceeded with the seizure search for four hours at that time, and the defendant was lying in his room with only panties and not at all until we went.
3002I asked him, "Is this the right thing you wrote on your laptop," and then I drank a little and said, "I do not know at all. We talked that way, and we persuaded him for three hours even though he was able to arrest an emergency at that time because of the destruction of the evidence and the reasons for that in the future.
3003Q: Is the date and time of the seizure of the seizure on July 13, 1945?
3004A: Yes, I would have probably started from then.
3005Q: Was the confiscated lenovo B490 laptop computer, four hard disks, and a USB stick?
3006Answer: There was a bit of a mistake, but I checked my laptop for evidence and immediately shut down my computer and immediately started imaging.
3007I opened the imaging and sealed my laptop right away. Because the integrity was changed, I sealed it. When I sealed it, my mother wrote it, and I put my mother 's letter, we rolled it with tape and sealed it.
3008There was a virtual machine program called VMware installed.
3009If you do not have a computer notebook, then you may not be able to analyze it in the future, so we need the original, so the notebook is seized separately.
3010Q: On the defendant's laptop computer, isis.png, usa.png, a file capturing screen captures of each blackmail?
3011Answer: Yes.
3012Q: Did the defendant confirm the source of each file shortly after the discovery?
3013A: I asked, but I can not remember exactly whether you talked in the way that you downloaded it from the internet or you did not talk at all.
3014Anyway, he denied that he did not.
3015Because I received too many surveys, I did not know exactly what I said at the time, but I told him that I did not do it anyway.
3016Q: I checked the creation date and time of each capture file. Was it confirmed within 1 minute immediately after each crime?
3017Answer: Yes.
3018Q: After I image the defendant's laptop, why did I confiscate the original because the original laptop computer needed to be analyzed?
3019Answer: Yes, yes. This is because the virtual machine VMware was installed. VMware is a virtual machine computer, and now you have a computer in it, and you can create a computer to run multiple computers. If you have a computer in your computer, you can not leave any trace of it on this computer, but if you log in to the virtual machine again and enter it, it will crime the virtual machine and delete the related files for the virtual machine The need to analyze the machine has confiscated the original.
3020
3021judge
3022To witnesses
3023Q: Because the defendant's laptop computer had VMware installed ...
3024A: Yes, it was and was a forfeit.
3025Q: Is it because the original reason for the confiscation of the original was that VMware was installed on the defendant's laptop computer?
3026A: Yes, if you do not have a laptop, you may not be able to analyze it.
3027Q: Why did you confiscate the original after imaging?
3028A: I have an image and the file of the virtual machine is once again in the imaging file. The original notebook is required to run the file.
3029
3030inspection
3031To witnesses
3032Q: After you confiscated the defendant's laptop computer, did you get confirmation from the Mo Kim OO of the defendant's Confirmation of Confirmation of the Confirmation of the Confidential Material and Confidential Information?
3033Answer: It was not received by me, but by Kim OO analyst.
3034Q: Did you stay together at the reception desk?
3035Answer: Yes.
3036Q: After that, did you arrest the defendant in an emergency and arrange it in the office of the Seoul Metropolitan Police Agency?
3037Answer: Yes. We did not do it in. We went with the broadcaster and us and once in.
3038Q: Is there any fact that the defendant raped at the time?
3039Answer: Yes.
3040Q: How did you get upset?
3041A: We had an investigation with us and the cybercrime detective. Inch was in the broadcaster 's office. We were not with the defendant. As you can see from the video attached, I heard that you have kicked your feet from the "Bring your chair from your boss" and you can see exactly how it got into the riot. The record is attached as a CD.
3042Q: Who was the person who identified the situation at the time?
3043A: I was an investigator at a broad-based investigation. The person who wrote the CD investigation report attached to the record probably would have taken it.
3044In the analysis of the defendant's laptop computer, the e-mail address, Twitter address, and phone number of the case were listed, and the Korean ambassador said, "I will surely kill Ambassador Ripper, I will give you an anal rape. "Also, did you find a file called 's.txt' that contains the same content as the case of this case report?
3045Answer: Yes, the intimidating text was written in English at the White House, but I found a text file containing the blackmail in Korean on the defendant's notebook.
3046Q: The creation date and time of link files 'A0065359.1nk', _A0065518.1nk, 'A0065541.1nk' and 'A0065621.1nk' linked to 's.txt' file are all 2014. 9. 10. 16:59 , And the date and time of access were confirmed on July 7, 2014, at 14:57, 21:10, 21:19, 22:31.
3047Answer: Yes.
3048In addition, the defendant's notebook also includes photos of Ambassador Ripper and Kim Kyeong-jong, who have been terrorized, photos of Mr. and Mrs. Obama as monkeys, and Cheongwadae's homepage. Did you find a capture file that you uploaded?
3049A: Yes, many photos were found. In particular, an article or photograph was found about the Kim Kyeong-jong case to threaten the Ambassador Ripper. The date and time the file was stored was reported by Kim Kyeong-jong. The defendant captured it and stored it. The date the file was last accessed, so the date it was read was almost immediately before the incident. I remember so.
3050In addition, a small boy 'isis.jpg' file that combines shooting shot and armed robbery, a picture of a young boy shooting a prisoner with a gun, and a picture of our gallery, Did you find the 'ISIS Gallery.png' file?
3051ANSWER: Yes, many photos related to ISIS have been found.
3052Q: Did the defendant tell you that he or she synthesized the pictures and pictures of each file at the time of the police investigation?
3053Counsel
3054Your Honor, this part is not appropriate because we are asking the defendant's denial of the contents of the police investigation at the time of the investigation.
3055inspection
3056Because the Criminal Procedure Law has introduced the investigator testimony system, I think it is safe to hear how I made statements at the time.
3057Counsel
3058I would like to say that it is not inappropriate to listen again to the content denied.
3059judge
3060Once this part is just ask.
3061inspection
3062To witnesses
3063Q: I'll ask you again. Did the defendant state that at the time of the police investigation, he had synthesized photos and pictures of each file?
3064A: I can not remember exactly because I did not see the suspect newspaper report now.
3065Q: Also, did the defendant's laptop have a program called 'SuperHideIP' that allows you to change your IP once a mouse is clicked?
3066Answer: Yes.
3067Q: And did you find a capture file called 'IP address washing method .jpg'?
3068Answer: Yes.
3069Q: On the other hand, did you find that the defendant is running 10 blogs of blogspot, the Google blog?
3070Answer: Yes.
3071Q: In each blog, were the defendant's Citibank account number and the defendant's PayPal ID listed?
3072Answer: Yes.
3073Question: Did the defendant's blog reveal or condemn the complaints about Hankuk University of Foreign Studies, post pictures depicting women, and pictures of bizarre situations?
3074Answer: Yes.
3075Q: Did the witness investigate the accused person during the investigation?
3076Answer: Yes.
3077Q: Did the defendant claim that he did not commit the crime at the time?
3078Answer: Yes.
3079Q: How did the accused describe the 'isis.png' and 'usa.png' files found on the defendant's laptop?
3080Answer: I stated that I did not know at all.
3081Q: What did you say about the source?
3082Answer: I asked a few questions about the source, but I did not remember exactly because I made a different statement every time, so I replied that I had captured and downloaded it from 4chan site and saved it or I did not even know it at all.
3083Q: How did the defendant describe the 's.txt' file?
3084A: I just do not know ... I've been asking that a lot, but at first I thought it was the one I wrote, and then I did not answer at all.
3085Q: How did the defendant tell us about the photos of Repert's ambassador, photos of Obama and his monkeys, and pictures of gunmen?
3086A: I think I talked about not knowing much about the questions I asked.
3087
3088Counsel
3089In the bottom of the main newspaper, section 25, the defendant questioned that he had synthesized the photos and pictures of each file at the time of the police investigation, and that the contents of paragraphs 32 to 34 of the main newspaper were irrelevant Please indicate in the record that the complaint is filed.
3090Counsel
3091To witnesses
3092Q: Is it true that I have imaged the whole of the defendant's laptop and did not seal that part?
3093Answer: Sealed.
3094Q: Is it true that you did not seal the imaged file but the laptop?
3095Answer: Imaging files are not sealed.
3096Q: I asked if I did or did not.
3097A: How do you analyze when you seal?
3098Q: It has precedents and regulations. Where did you store the imaged file?
3099Answer: We took one hard disk, cloned it, and brought it.
3100Q: Did you seal that hard disk?
3101Answer: Do not ask me that, but to Kim OO analyst ...
3102Q: It is asking what the witness remembers.
3103A: I do not remember much. Because I did not image it.
3104Q: You do not remember if you sealed the hard disk?
3105A: Yes, I remember I sealed the laptop ...
3106Q: What was the role of the witness in the investigation?
3107A: We participated in the seizure search, investigated the suspects, and almost everything was done. I do a little bit of research to help each other.
3108Q: Have you ever seen a document requesting cooperation in the US?
3109A: I have never seen it.
3110Q: When I contacted the US Embassy, I heard someone wrote a blackmail in an e-mail. Have you heard this story?
3111Answer: No.
3112Q: How many people were involved in the seizure and search?
3113A: Five Cybercrime detectives, five forensic investigators. When I got there, my father told me to leave. So there were about 6 ~ 7 people in the place, but I did not know exactly and some went out.
3114Q: Do you think six or seven people have been around?
3115Answer: Yes.
3116The witness explained the details of the process of tracing the defendant in advance, saying, "The clue only had an IP address, but it was difficult to find by IP address alone. I checked the subscriber on Dongdaemun Tibur Road, but I could not confirm it, so I made a request to the Mac address again. "
3117Answer: You have checked your Mac to investigate with a Mac address.
3118Q: Who identified the Mac?
3119Answer: When IP is allocated from the carrier, IP and MAC are connected to the carrier. If you know the MAC of the IP you used for the crime at the time, you can do the investigation again with the MAC address.
3120But that Mac did not come out correctly either. Anyway, I have a network switch, and I've finally assigned that IP ... So you have confirmed the last switch.
3121Q: Is it confirmed that you have three sets of equipment?
3122Answer: Yes, I have to explain the connection ...
3123Q: When the attorney heard this, the witness first asked for the Mac address and asked the carrier to recall the Mac address.
3124Answer: To investigate with a Mac address ...
3125judge
3126I heard that I wanted to know the MAC address, but I do not know it.
3127witness
3128Yes, that's why we proceeded with the investigation.
3129judge
3130To witnesses
3131Q: In the end, you did not check your Mac address?
3132Answer: I understand that you tampered with the Mac.
3133Q: At that time, at first ...
3134A: I can not confirm it right away.
3135Counsel
3136To witnesses
3137Q: Is it about collecting digital evidence, and what experts have participated?
3138A: The OO analyst Kim participated and I participated. I had to undergo a little bit of analysis. I have a license to analyze digital evidence.
3139Q: During the seizure process, was the digital evidence analyst one of the Kim OO analysts?
3140A: Yes, but I was not an official digital evidence analyst. While doing the investigation ...
3141Q: Witnesses also have that knowledge?
3142A: Yes, I did it.
3143Q: So, at the time of the seizure, did two or more people have expertise in digital evidence?
3144Answer: Yes.
3145Q: What did the related equipment bring?
3146Answer: I did not get a hard disk replicator and ... I think you should ask Kim OO analyst for that. I took the warrant.
3147Q: What is the process of identifying the date and time of White House intimidation during the investigation?
3148A: Our International Cooperation Team of the National Police Agency told us that this was the case at this time ...
3149Q: Do you not know how the team works?
3150Answer: I do not know exactly.
3151Q: I found a picture of a blackmail on the defendant's laptop, was it the time of the confiscation, or is it afterwards?
3152A: I did not find it at first, but I know that one of the Kim OO analysts or Kim OO investigators found him shut down immediately.
3153Q: You were discovered at the time of the seizure?
3154ANSWER: Yes, I just found a picture, shot it on my phone and shut down my laptop.
3155
3156-------------------------------------------------- --------------------------------------------------
3157-------------------------------------------------- --------------------------------------------------
3158-------------------------------------------------- --------------------------------------------------
3159
3160A: The 4chan site is USA, so we can not verify the subscribers.
3161Q: Did not you know who posted it?
3162Answer: Yes. But ask Kim OO again this question.
3163Moon: Looking at the flow of investigation, it's like ...
3164A: I remember that there was such a situation, but I do not know exactly, so I can ask Kim OO investigator.
3165Q: Who wrote the seizure?
3166A: There must be an author of the seizure.
3167Moon: Lieutenant Kim Sang-guk, Lieutenant Cho Yong-woo is like this ...
3168Answer: Yes.
3169Q: Witnesses were with you at the time?
3170A: Yes, I was with you. I can not do everything because I work in the office while doing the division of labor.
3171Q: In the confiscation list, the confiscation of the defendant's laptop itself is listed, but the imaging file for the defendant's laptop imaging is not on the confiscation list, do you know?
3172A: I did not know it because I did not write it. I know that I need to write a notebook imaging number 1 on the serial number.
3173Q: Anyway, is it obvious that the laptop imaging was done at the time of the search?
3174Answer: Yes.
3175Q: How many hours did it take?
3176A: Please contact Kim OO Digital Evidence Analyst.
3177Q: Because I have experience analyzing digital evidence, I'll ask. What does hash value mean in digital evidence collection and analysis?
3178Answer: MD5 and SHA1 are one of the functions for proving integrity. For example, if you put this stuff into this hash function, you get some specific result. But it is not an inverse function. For example, if you put a file called A and B into a hash function, you will get a certain unique value, which means that if the unique value is the same, it is the same information. So if you turn the hash value of the hard disk in the original and get A, and you get the A by rotating the hash of the hard disk that replicated the original, you can prove that the original and replicated hard disk information is the same.
3179Q: Do you see that digital evidence is in a specific state at the time you generate the hash value, and then do you assume the integrity and authenticity of the original until it is examined by the court?
3180Answer: The question is ambiguous, not a specific state ...
3181Q: I'll ask you a little bit. When I image the defendant's laptop and get the hashed value, the defendant's laptop is at that point in time, right?
3182Answer: If you run a hash function on a file named A instead of a state, you will get a specific result. Whenever it does, the same result is produced, not the state at that point ...
3183Q: The hash value is telling you when the first was created.
3184Answer: Yes, that's right.
3185Q: What is the point of creating the integrity of a file at a particular point in time?
3186Answer: Yes.
3187Q: After that, of course, you can come up several times, and I'll tell you when it was first created.
3188A: I do not understand the question.
3189Q: When I image the defendant's laptop, is the state of the defendant's laptop at that time imitated as evidence in the court?
3190Answer: Imaged files can not be changed.
3191Q: Is it still maintained?
3192A: I guarantee that my police will not change until I send them to the prosecution. But after that, I do not know.
3193Q: If you look at the notebook imaging file at the court, the file we're looking at is the same as the file at the time the witness did the imaging at the time of the seizure?
3194Answer: Yes.
3195Q: Is it fixed at that point?
3196Answer: Yes.
3197Q: So is not the hash value guaranteeing the integrity of the earlier steps we have collected during the seizure of the first evidence gathered?
3198Answer: Because it is the hash value at the time of imaging ...
3199Q: From then on, to guarantee integrity, not to guarantee the integrity of the old, right?
3200A: Yes, it does not make sense.
3201Q: So, if someone logs out a hash after logically manipulating the computer, does not it provide information about the operation or operation before the hash value is created?
3202Answer: Of course.
3203Q: At the time of the seizure, was the defendant's notebook turned off?
3204A: I do not remember exactly. That's not what I brought ...
3205Q: I told you that I turned on my laptop and watched it, how about it?
3206A: I can not remember exactly because my mother brought me something in the other room. We could not get in that room.
3207Q: The seizure start time was around July 13, 2015, and the power of the notebook was turned on and off from July 13, 2015 to 20:47. The laptop was on for about 41 minutes. What did you do on the laptop at this time?
3208A: At that time, I did not work, and I would probably have been working on finding analysts and files.
3209Q: Did you write protection at that time?
3210A: I did not do it then.
3211Q: In the process of looking at the defendant's laptop, did he / she guarantee the right of the defendant or the defendant's parents to participate?
3212Answer: It was said.
3213Q: Who did you ask to see?
3214Answer: I do not know that, I talk to you again ...
3215Q: Did you talk to the defendant?
3216A: Yes, I keep coming and going now ...
3217Q: Have you ever taken a video of a defendant's laptop or imaging process?
3218A: It might have been done by a broad investigation, but I do not know exactly. Oh, I tried to shoot it, but I can not, so why do I just shoot my house?
3219Q: Who has not let me?
3220A: I do not know if they were parents or defendants who were there, but I strongly resisted them and I would have taken our picture there. If you look at the mobile phone, there might be some videos that we took pictures of. And then he just threw something at us and made it a bit harder. In the case of Kim OO analysts, things would have been hit.
3221Q: When I said that I needed an original copy of VMware for the reason why I confiscated the defendant's laptop, would not it be necessary to have a laptop if the program that runs VMware is on another PC?
3222Answer: No. Depending on the version, it may not work.
3223Q: Can I check the version in the imaging file?
3224A: It was not a situation where you could do it on the spot, and if you wanted to drive it ...
3225Q: It is technically possible to ask. Is it possible to have a program that can run VMware on another PC even if it is not a defendant's laptop?
3226Answer: It is possible but not 100% guaranteed. So there were many cases where we were not able to drive properly.
3227
3228judge
3229To witnesses
3230Q: Is it common to have the notebook itself confiscated after imaging files?
3231A: If we are confiscated, we will do all the confiscation.
3232Q: Do you confiscate the imaging files as well as the notebook itself if you are in confiscation?
3233A: Yes, because it is a laptop used for crime.
3234
3235Counsel
3236To witnesses
3237Q: Did you say the witness took the seizure search warrant?
3238Answer: We took it from our team.
3239Q: Have you read it?
3240Answer: Yes.
3241Q: If you look at it, it is stated that "the original that has been taken out will be opened and reproduced with the participation of the intruder, etc. and returned without any delay, but not exceeding 10 days from the original date of export unless there are special circumstances" Why did not you return it?
3242Answer: Computers have a very important time relationship in the evidence of digital evidence analysis. At that time, we analyzed the digital evidence analysis of the seized material to confirm the creation and access times.
3243Last but not least, you can change your laptop's CMOS (cmos) time accordingly. There is an error depending on the time of the CMOS.
3244So what if my laptop is at 1 o'clock, but the current time is 1: 5?
3245We need to check the error in time. We need a laptop to check the error. We can return it before we send it to the last time. We asked our attorney and computer to turn on and check only the error with the defendant. Probably will be in the investigation report.
3246So the prosecution has to check it out, it can not be sealed.
3247So I know that the prosecution has confirmed the exact time information after taking a video of the whole process of releasing and releasing it. So it's been over a week.
3248Q: What did the witness know to return?
3249Answer: Yes.
3250But you did not return, right?
3251Answer: Yes.
3252Question: White House Contact us Did you have a picture on your webpage that captured a screen shot of the captured picture that you wrote before the "Thank you!" Screen on the defendant's notebook?
3253A: I do not understand.
3254Q: I have a screen that I'm writing before submitting, and when I submit it, I get a screen saying 'Thank you!'. Can not these two screens exist at the same time?
3255Answer: Yes.
3256Q: Do you have a picture of the screen after the last submission of the statement "Thank you!" On the defendant's notebook?
3257Answer: Yes.
3258Q: Then you should have a screenshot of the scene you're writing in. Have you seen it?
3259Answer, isis.png and usa.png are being written and Thank you! Screen and combine ...
3260Q: It's a composite, is not it?
3261Answer: Yes. Perhaps you have not found what you are writing. It did not exist because it was edited and made into a png file. Maybe, if you can explain it.
3262Q: You said that five files were found on the defendant's laptop using Google Chrome, remember?
3263Answer: Yes.
3264Q: In the first post, I do not have a caption of an isis.png file that says I will rape my daughter, do you know why?
3265A: That's probably what you see in the investigation report, but if you capture and delete it and then change the filename or the file does not exist, or if you capture it using the Google Chrome browser's incognito mode, There are many technical ways that you can and can not keep up with many things.
3266Q: But what about the file 'Thank you!', What happened?
3267A: I can not tell you that because I have nothing to do with the evidence, it's because I want to leave it and I want to keep it.
3268Q: Is that technically possible?
3269Answer: Yes.
3270Q: You did not find any traces of access to the White House on the defendant's laptop?
3271Answer: I did not find it at all.
3272Q: But what we found was a capture of 'Thank you!', How should we explain it?
3273A: If you use the Google Chrome browser's incognito mode, the Internet connection itself will not be saved as a file at all. It will only be saved as a cache, but it will not be saved as soon as you close the web browser. I will.
3274Q: As the witness has just testified, it would be nice to have no screenshot of 'Thank you!' ,
3275A: That means you do not have a record of your Internet connection and you can leave a capture file.
3276Q: After the capture file, the number is actually a Unix number, so you can log in to Google Chrome to get information on when you captured it, but the witness does not have an article written right now and it probably does not capture it in Google Incognito mode. You just did. That's why I do not ask you to leave the "Thank you!" Section in incognito mode.
3277A: Internet access records and captions are completely different.
3278Q: Why do not you leave a screenshot called "Thank you!" In response to an incognito answer saying that you may not have a captured file.
3279Answer: The defendant remains on the defendant's computer because he has captured and saved it.
3280Q: So it is possible that you have to do it in the same conditions that you captured before that ...
3281Answer: If you do not want to leave, you can not leave.
3282Q: Then you can find the erased trail? Now that I've imaged the defendant's laptop, I'm not just looking at it, have I removed the deleted file?
3283Answer: When I go into incognito mode, I have worked and can not restore it. Why did Google create incognito mode? I have tested it myself.
3284
3285judge
3286To witnesses
3287Q: Did you know whether the defendant used incognito mode?
3288Answer: It can not be confirmed. Google has made the feature available to you when you're trying to do it in secret, and of course you can not tell whether or not you used it.
3289
3290Counsel
3291To witnesses
3292Q: When I go into incognito mode, I do not think the capture screen should be saved.
3293Answer: No. Saved is that the internet connection is stored in the index.dat and various computer hard disks, and the connection record is not stored. In the case of the captured file, it is possible to store it anywhere in the desired location, The captured files are completely separate.
3294Q: Did the witness confirm the blog posts that the defendant usually wrote?
3295Answer: Yes.
3296Q: Have you seen any criticism of Kim Kyeong-jong about the case of Repert's ambassador in the defendant's blog post?
3297A: I do not remember everything right now. I only remember what I said before.
3298Q: I do not remember?
3299Answer: Yes.
3300Q: I had an emergency arrest of the defendant at the time, but was there any reason for the emergency arrest?
3301A: Because I did not do it, I would look at the reasons for the arrest.
3302Q: I do not have a reason for an emergency arrest, so what do you ask?
3303A: Why is not the reason written? You have to write down your reasons for getting an emergency arrest proposal.
3304(Suggesting an investigation record, page 455)
3305Q: The reason for the arrest has been mentioned all the time, and at the end, please describe it in detail according to the reason for the emergency arrest. do not have.
3306A: I did not write it, but at the metro ... Oh, that's what you said about the notice.
3307In the notice, we wrote the reason for the emergency arrest for the approval from the prosecutor's office without writing the reason, and is not the suspect notified to the accused if he / she makes an emergency arrest?
3308Because it is putting in notice, it is because it is because it is very simple to summarize the fact of crime.
3309That is not what I wrote. Do not ask me.
3310Q: Who wrote it?
3311Answer: There will be a writer.
3312
3313judge
3314Is there an emergency arrest warrant?
3315witness
3316Yes.
3317
3318Counsel
3319To witnesses
3320Q: Is there a reason listed there? Not on record ...
3321Answer: Yes, detailed.
3322inspection
3323An Emergency Arrest Form with detailed description of the reason is available.
3324
3325Counsel
3326To witnesses
3327Q: The witness did not write the confiscation list?
3328Yes, I did not write it.
3329Q: Do you know who wrote it?
3330A: Then several people are working on it ...
3331Q: What are the threats and screen capture files that the defendant claims to have downloaded and that the witness or the investigating agency believes that the defendant wrote and captured it?
3332Answer: Yes.
3333Q: If I download a screened file and save it on the defendant's laptop, is it possible that it exists in the same format as the one captured by the defendant's laptop as the witness verified?
3334A: There are two ways. Maybe the Kim OO investigator will have a test report, because of 4chan.
3335If you click on the original file to download it, it will be downloaded. Otherwise, if you click on the original file, the image file will pop up and you can right click on it to download it.
3336That is another report from our investigation. I did not test it ...
3337Q: Is there a file name that might be the same as the one you captured?
3338A: I do not understand. Again only a description ...
3339Q: If I downloaded the defendant's laptop, I just analyzed the file name just like the one I captured on the defendant's laptop, can it exist with the same file name?
3340Answer: You should be in the record. Ask Kim OO investigator because I have not tested it.
3341Q: Do you not know the witness?
3342Answer: We have tested and simulated in the investigation report.
3343Q: The time order is the time the defendant posted on the White House, the time they saved on the laptop after the screen capture, and the time they posted on the site 4chan.org?
3344A: If it is so in the investigation report, it will. Because I can not remember correctly now, I made a table, and I look at it.
3345
3346Counsel
3347I will present evidence. I present one or two of the fifth certificate.
3348judge
3349What is the source?
3350Counsel
3351This is what the defendant's brother searched on Google after he had been arrested after the incident.
3352If you look at the same thing on Google ... you know, but you searched on Google.
3353Here you see 'dear. Mr.president Obama, Mrs.first lady Mishelle ', and the time it was found that this article was written is posted on 4chan site on July 7, 2015. 7. 07:24:52.
3354inspection
3355How can I confirm that this is the same as this article?
3356
3357Counsel
3358To witnesses
3359Q: If you see below, 'Hi I'm sufs student from Seoul' because some part of the post is behind it?
3360It seems that the article is the same, but the time zone is quite different now.
3361The time is 07:24:52 AM. Now, the time to write the article is July 7, 20:20.
3362By the way, the time posted on 4chan site is July 7, 2015, 07:24:52.
3363A: In our investigation report, we have captured the exact time on 4chan site.
3364That's precise, because it's from a Google search, so you can not tell exactly what time it was on Google or 4chan.
3365Q: If you saved it from Google, is it any time sooner than we know it?
3366Answer: There is no guarantee for low-time information.
3367Q: Witnesses have never seen this?
3368Answer: Yes. There is not. And whether it is US storage time, domestic storage time ...
3369Q: For the second article, it looks like it was written on July 7, 2015. Did you know that the 4chan site time that the witness checked was stored in domestic time when posting in Korea?
3370Answer: Ask the Kim OO investigator.
3371Q: Do you not know the witness?
3372Answer: We have posted the post on 4chan site and we have the current time and the test time. That's exactly what we tested. If you look at it, you can check whether the 4chan site has domestic time or US time.
3373Q: Have you ever checked your time zone separately?
3374A: Yes, I have not done it, so I can not tell you exactly.
3375Q: Did you say that the defendant used a program called SuperHideIP, an IP change program?
3376A: It's not a confirmation, it's a program that was installed. It was discovered.
3377Q: Are there any facts that have been analyzed that the last approach was made on June 6, 2015, before the date on which the blackmail was written on July 16, 2014?
3378Answer: The file was found, the date the file was first saved, and the date the file was last accessed.
3379Q: I analyzed it as the last access on June 6, 2015. Is it possible to interpret the IP as having no change since then?
3380A: It may or may not have been because there are too many technical methods, which I do not know exactly.
3381Q: Because the witness did not see whether the defendant wrote the program or not, but after all, did you look at the defendant's laptop? Is there a similar program in the program that changes the IP found this one?
3382A: You can not see the whole thing. When we analyze ...
3383Q: Do you have to search and search? So, what was one that was discovered in connection with the IP change program?
3384Answer: Yes.
3385Q: Did you investigate the router?
3386A: I heard there was a router, but I did not investigate it.
3387Q: In the police, Kim OO analyst wrote an analysis report. Is the defendant's notebook imaging file the first image of a notebook file or is it replicated again?
3388A: Because I did not analyze it ...
3389Q: What did you do to replicate that day?
3390A: Did we bring the clone?
3391Q: Who took it?
3392Answer: Kim OO analyst has brought it.
3393
3394-------------------------------------------------- --------------------------------------------------
3395
3396It seems that the time has changed to Korean time in the process of being seated.
3397Answer: The analysis report is the final one, and we have to investigate a little bit before we start the analysis.
3398So I took the printout, put it in the investigation report, and made a note when I checked it out. How do you investigate having a fully written report?
3399Q: The decisive reason for suspicion that the defendant wrote the blackmail was that the capture file that was left on the defendant's notebook was created about a minute after it was posted on the White House?
3400ANSWER: When I was threatened, however, I wrote two blackmails on the White House homepage in English, and the content of the blackmail was in the S.txt file written in Hangul, and the summer @ hufs You said you stole your .ac.kr email and phone number? Maybe that phone number and address were in the s.txt file and ...
3401Q: Witness, I tried to ask this, not many charges. Was it one of the decisive proofs that the creation time of the capture file was one minute after the article was published?
3402Answer: There were many things.
3403Q: What is the difference between the time the article was posted in the White House and the time the capture file was stored on the defendant's laptop,
3404A: It's not an analysis, but an objective fact ...
3405Q: How did you know when the post was posted on the White House?
3406A: You asked us that, but we have only received data from the international team.
3407Q: I think the one minute car will be a very important basis, right?
3408Answer: Yes.
3409Q: Then I ask you in terms of whether the investigation should be done enough about time.
3410I have to be specific from the time it is posted on the White House, but the time posted on the White House is probably the time that the person administering the White House homepage gave me, and that time could be a time difference in the end?
3411A: When we told it, we were GMT + 9? The United States has several times, including Eastern Time.
3412I'm not exactly sure if we are Eastern Standard Time for letting us know what the error is, but it probably will.
3413It calculates the time and the error, and when domestic time is converted into Korea Standard Time, it is time to calculate the exact time and the IP connected to the time is Dongdaemun Cable TV ...
3414Q: I do not ask for the calculation method. For example, if this computer now has a 16:00 clock on the front of the laptop, can it actually be error?
3415I'm looking at it. There may be an error in the time given by the White House, and there may be an error in the time when the witness etc.
3416So I'm asking how the time difference can be determined to be one minute.
3417Answer: Because we are made by objective data, we have confirmed that we know the time we have stored on our computers and the time we have been threatened.
3418Q: Do you know that there is a program that can change the date of creation of saved files?
3419Answer: Yes.
3420Q: I have a couple of things, but can I use a program like SetFileDate to change the creation date of a saved file?
3421Answer: Yes.
3422Q: Is it possible that the defendant 's notebook has changed so much?
3423A: Not only the defendant's laptop, but all computers have the possibility of such manipulation. However, when you analyze the MFT, the information about the time is stored in various ways. If you analyze MFT's standard information information and file name information information and analyze that the information is different, you can check whether the time has been manipulated or not, whether the file name has been changed.
3424Q: Did you check it at the time?
3425A: I did not check at the time.
3426Q: When the MAC address of the router is changed, is the dynamic IP connected to it also changed?
3427A: It may or may not appeal, but it is the policy of the telecommunications company.
3428Q: Did the witness verify the MAC address corresponding to the IP address associated with this case during the investigation?
3429Answer: Yes.
3430Q: Is it a witness?
3431A: I would have done it together.
3432Q: What was the result?
3433A: I put it in the comments, but the contents of mac are too complicated, so I think I should look at the written opinion. I do not remember exactly now.
3434Q: Have you found any signs of changing the MAC address of the router on the defendant's laptop?
3435A: The digital evidence analyst found it.
3436Q: Is the witness unaware of this part?
3437Answer: I heard that there is a trace of change that I am not familiar with.
3438Q: Does Kim OO have an analytical role, or did he conduct additional investigations in addition to analysis?
3439Answer: I just did analysis.
3440Q: According to the results of the analysis, was the witness doing any further investigations?
3441Answer: What is the additional investigation?
3442Q: For example, if you find a trace of a change in your mac address, I would ask you if you needed to check the defendant's router, did not you?
3443Answer: The MAC address is the manufacturer of the first six digits, and the manufacturer assigns the last six digits of the MAC address. We have probably seen a counter-report of the defendant's comment on the mac address, but if the manufacturer makes a random change to it I can not do the investigation anymore.
3444Your lawyer tells you that if the mac has changed, and you have not done any further investigations about it, then the fact that mac has changed is that there is no clue to investigate anymore.
3445Q: I asked if I needed to check the defendant's router.
3446A: When we did the transcription, the digital evidence analysis was at the end, and I have to hand over the suspect's recruits to the prosecution office tomorrow. What do you do?
3447Q: Did you mean you could not do it on time?
3448Answer: Yes.
3449Q: There was a trace of changing the MAC address on the defendant's laptop. There was analysis that released the log record at the time of the crime, remember?
3450A: I told you I did not do it.
3451Q: Does Kim OO know this too?
3452Answer: Yes.
3453Question: According to the statement of witness submitted by the witness in relation to the mac address, there are several mac addresses that are not confirmed by the manufacturer. If the maker changes to an unconfirmed mac address, Go?
3454Answer: I do not know the carrier policy, so I can not answer exactly, I know it is not.
3455Q: Do you know that if you change to an unconfirmed mac address depending on your carrier policy, Internet access may be restricted?
3456ANSWER: Yes, there is a case where the switch is allowed to access the internet when only a specific MAC address is connected, which is called NAC. If you do not set this policy, you are allowed to connect from any internet address. This is the carrier policy. There are two technologies on the switch that can or may not be blocked.
3457Q: I know that if you change your router or MAC address arbitrarily, you may be restricted from accessing the Internet. Do you know? For example, have you ever heard of such cases in Windows 7 or Windows 8?
3458Answer: Not at all. However, if you change the mac address, there is no problem with internet access.
3459Q: Is there any problem with the computer?
3460A: Yes, it takes less than a minute and you can do it right away.
3461judge
3462To witnesses
3463Q: I have a question about the defendant's question. "I wrote on the White House Contact us web page, and I found 'Thank you!' In response to the question "Did the defendant have a picture of the screen capturing the screen before writing the screen?", The witness said, "No one was writing, because it was edited and made into a png file." I have an answer, please tell me about it again.
3464A: The screen you are composing and the screen where you have completed the 'Thank you! 1' screen was synthesized as a png file, but the screen you were composing was not saved and only the pictures that were composited were correct . But it's technically possible to synthesize it.
3465Q: Please explain how technically possible.
3466Answer: Take a picture of A with a capture tool such as Paint or Snap-in, capture a picture of B, put B under A, select the file again and save the file as a different file.
3467I will explain it again. When you capture the screen you are creating with the Google Chrome browser, you will see the url address and the time next to it.
3468Then, when you save it to the defendant's computer in that state, click the right mouse button and save it with the same name.
3469Then, when you capture the screen 'Thank you!', You will see the url address and time information at the top and 'Thank you!'.
3470And if you save it under a different name, it will be saved on the defendant's computer.
3471However, technically you can right click on the 'Thank you!' Screen and save it to your computer. You can take the first screen without saving it, and then use the Paint or other capture tool If you save this file as usa.png or isis.png, you will not be able to save the first image you created, and the second image will be saved You can save only the final result at the end.
3472Q: I was wondering if it was possible technically, but you answered with the idea that it is possible?
3473Answer: Yes.
3474
3475inspection
3476To witnesses
3477Q: I heard that the screen of the writing on the defendant's notebook is not found, but the relevant screen is not found, and the capture file of the process of posting on the White House site is found.
3478A: Yes, it does not matter, but I do not know exactly what happened before in June, but before that I had a copy of the White House story that I was capturing and capturing.
3479If you are writing a webpage, you will see a wave in Internet Explorer, Google Chrome, Safari, and spelling. If you're writing on the White House website, Due to the law of alignment, a tilde appears at the bottom of the English alphabet.
3480If you look at it, you can see that it is a screen that you are writing. I captured it and kept other contents. I do not remember exactly, but I think it was related to black slaves at that time.
3481Q: In regards to the reporter ambassador threatening text, did you also find a separate screen capture of only the result screen "Thank you!"?
3482Answer: Yes.
3483Q: I heard that the defendant posted the file on 4chan earlier than the defendant posted at the White House. Did you confirm this in the police investigation?
3484Answer: Yes.
3485Q: Did you find that a capture file with the same contents as the intimidation of this case was posted on 4chan site at the time?
3486Answer: Yes.
3487Q: Are the capture files found at 4chan site at that time posted before or after the date of creation of the crime-related capture file found on the defendant's computer?
3488A: I do not remember exactly.
3489Q: By default, when you use the internet through an ISP like Dongdaemun Tibur Road, is the IP assigned by the carrier?
3490Answer: Yes.
3491Q: How many IPs can be changed by turning the computer off and on, or changing the Mac address randomly?
3492Answer: Yes.
3493Q: In the case of Dongdaemun Tiburdo IP, which is used in this case, I do not want the IP to be assigned to a specific user for a certain period of time and use only that IP, but then the IP will be changed.
3494Answer: Yes.
3495Q: I do not know whether SuperHideIP was used, but how can I change IP even if SuperHideIP is not used?
3496Answer: Yes.
3497Q: Did you find a program on the defendant's computer to change the file's creation date?
3498Answer: None at all.
3499Q: Is it possible that the defendant changed the creation date of the capture file stored on his computer to the date and time of the crime of this case by confirming the time of the crime?
3500A: If you are a suspect, do not you need to change? I do not need to change the time on my computer, even if I change the IP to conceal it. I can not be certain who I am. So even if you try to hide your IP, you do not need to change the file on your computer.
3501
3502Counsel
3503To witnesses
3504Q: The second file 'Thank you!' I found that only the part of the captured file was found, the second threatening 'Thank you!' How do you know if it's a part?
3505Answer: Maybe in time ...
3506Q: Is it specific in time?
3507Answer: Yes.
3508Q: You do not know what you wrote?
3509A: Yes, I do not know what it is, but what I am writing ...
3510Q: Thank you! Even after writing a different article, it can exist at the same time.
3511Answer: That's possible.
3512Q: And have you ever seen the "Rules for the Collection and Handling of Digital Evidence", which is a Witness Ordinance?
3513A: I think I've seen it.
3514Q: Here are the details of the procedures for seizure search and the request for analysis, and I will ask if I have kept the procedure.
3515I did not refuse to shoot the seizure process, and I have to take measures such as the identity of the digital evidence, such as the storage seal, and the proper method of not having a reasonable suspicion of integrity.
3516Answer: We sealed the notebook.
3517Q: I'll ask Kim OO analyst for that. You said you did not know if you sealed the hard disk you were imaging before?
3518I asked the analyst to analyze the digital seizure. According to the analysis result report, the analyst was a witness. Was it the witness's request?
3519A: Because I'm the same team, I could do it, or someone next to me could do it.
3520Q: Do you think you made an analysis request on July 13, 2015?
3521A: I did not go to the scene from the beginning. I do not even ask for it.
3522Q: Is not there a formal request for a separate request?
3523A: Yes, I went to the scene together.
3524Q: When the analysis request is made, the analyst has to send the original or duplicate of the digital seizure in a container that can be safely stored so as not to be damaged by shock, magnetic field, moisture and dust.
3525Answer: It is because I confiscated analytical data from other crime scenes and submitted it to the Digital Evidence Analysis Office of the Cyber Crime Investigation Department of Seoul Metropolitan City, so I have to do such a thing in the course of the process. At that time, This is not what we do, because the digital analyst in the field is doing it.
3526Q: Is it the right thing to take in such a container?
3527Answer: Ask your digital evidence analyst.
3528Q: Do you not know the witness?
3529Answer: Yes.
3530
3531judge
3532To witnesses
3533Q: In the end, I think it is the intent that the witness is handed over to the digital witness analyst in the field, right?
3534Answer: Yes.
3535
3536judge
3537I will finish the witness newspaper about Mr. OO.
3538
3539Witness newspaper report (part of the eighth trial)
3540Event 2015 Torture 4685 Threatening
3541Name Kim OO
3542Date of birth 19OO. O.O.
3543Housing Seoul O District Dongdaemun-gu Cheongryangri O Apartment O Dong
3544
3545judge
3546If a witness asks whether he or she falls under Article 148 or Article 149 of the Criminal Procedure Act and acknowledges that he / she does not fall under this clause and explains that he / she can refuse to testify if he / After warning the punishment, he stood on the board and made an oath. The next witnesses did not finance it.
3547The contents of the newspaper about the witness are the same as the recording file of the court recording system (original number 160321162216).
3548March 21, 2016.
3549Hwang,
3550The judge (doctor)
3551
3552A statement on the testimony veto notice
35531. A witness may, if he / she has any of the following reasons, deny his / her testimony to the presiding judge by calling for reasons for refusal.
3554end. If a person who has a relative or relative with a witness or a witness, a legal representative, or a supervisor is found to be subject to a criminal prosecution or a complaint or convicted (Criminal Procedure Act, Article 148)
3555I. If a witness is in such position or in such position as a lawyer, a patent attorney, a notary public, a CPA, a tax accountant, a taxpayer, a doctor, a doctor, a dentist, a dentist, a pharmacist, a midwife, a midwife, a nurse, (The Criminal Procedure Act, Article 149)
35562. In addition, a witness may refuse to testify if he or she finds that there is a reason similar to that of paragraph 1 of an individual or specific newspaper after the oath.
35573. If a witness does not expressly deny the testimony or give false testimony to a newspaper article that has the right to veto testimony, he / she shall be held liable for perjury please.
3558Witness Kim OO (signature) or signature (handwritten signature)
3559
3560Oath
3561According to the conscience,
3562In fact,
3563If there is a lie
3564To be punished for perjury
3565I am a wanderer.
3566Witness Kim OO (signature) or signature (handwritten signature)
3567
3568
3569
3570Recording book (main point)
3571Case No. 2015 High 4685 Date 2016. 3. 21. 14:00 Remarks (None) Please submit a transcript prepared in accordance with the provisions of Article 38, Paragraph 1 of the Criminal Procedure Rules.
35721. Attachment: Witness newspaper copy of Witness Kim OO (total face: 19 pages) 1 copy
3573March 21, 2016.
3574Stamped stamping machine (seal) (painted)
3575
3576â€» This transcript was written in a way that summarizes only the main parts of the statement.
3577â€» Parties and witnesses may object to the matters described in this transcript. When an objection is raised, a court clerk or other person must indicate the intent of the objection in this transcript or in a separate document or correct the relevant part of this transcript.
3578
3579judge
3580Witness Kim OO acknowledges the need for the recording of the witness newspaper procedure and orders recording for all of them in accordance with the provisions of the relevant Criminal Procedure Law. The contents of the witness newspaper are all recorded, so please be sure to tell the microphone when speaking.
3581Notice of testimony veto. The witness's testimony may refuse to testify about the confidentiality of someone else who has a relationship with you or a prospective witness, or about the confidentiality of someone else whom the witness has known about the job. After the oath, for the same reason, you can refuse to testify about individual newspapers. After the oath, you must state the truth and if you lie, you can be punished for perjury. Please swear.
3582
3583witness
3584According to the oath and conscience, I speak truthfully without any concealment and assistance, and if there is a lie I swear to be punished for perjury. Witness Kim OO.
3585
3586inspection
3587To witnesses
3588(Present evidence page 45 of the evidence list Sequence No. 5)
3589Q: Is it true that this was an essay by a witness named 'Check for additional posts on 4plebs.org'?
3590Answer: Yes.
3591Q: Please explain briefly what it is.
3592Answer: When I searched Google about the email the defendant wrote to a foreign language university, 4plebs.org was searched, and the site related to 4chan.org was confirmed to be backed up. That's why there are some contacts and e-mails that a defendant wrote to a foreign language university.
3593Q: Is 4plebs.org the right site?
3594Answer: Yes.
3595Q: Is this site the backup site of 4chan.org site?
3596Answer: Yes.
3597Q: Is it the intention of attaching the information that comes from searching for the contents of the intimidating article?
3598Answer: Yes.
3599Question: On page 48 of the attached documents, did you identify the captures and captions of rape intimidation articles for the first Obama daughter in this intimidating article?
3600Answer: Yes.
3601Q: Is it true that you have your own ID number, and the post number is '47628036' on July 7, 20:24:52.
3602Answer: Yes.
3603Q: Do you see the Korean flag on the side, and can you think that this post was saved at this time in Korea time?
3604Answer: Yes.
3605Q: In the top of the investigation record, on the top of page 49, there is a post called 'Korea isis1', which is similar to this, Is it the right thing to find?
3606Answer: Yes.
3607Q: Here is the date posted on July 8, 2015, 02:31:29, post number '47640986', and next to the Korean national flag pattern, this is also the date this post was posted on the site Is it possible to look at it from July 8, 2015 to 02:31:29?
3608Answer: Yes.
3609(Provision of Record No. 7, Investigation Record # 71 on the Evidence List)
3610Q: Is it true that a witness wrote a report titled 'Crime Facts and Hankuk University of Foreign Studies'.
3611Answer: Yes.
3612Q: Please explain briefly what it is.
3613Answer: At the time of the defendant 's writing, there was the phrase' 4ourth, 4inger ', which is the result of searching the specific phrase on the Google search and bing search sites. And when the defendant searched the contacts and e-mails that he wrote to a foreign language university backwards, there were writings that slandered Hankuk University of Foreign Studies,
3614Q: Is this the intent to attach the result of the search using POS Finger's phrase in the intimidating article?
3615Answer: Yes.
3616(Present evidence page 79 on page 8 of the evidence list)
3617Q: Is it true that the witness wrote the following questionnaire titled 'Confirmation of Hankuk University of Foreign Studies' on WordPress site?
3618Answer: Yes.
3619Q: Please explain the contents of this investigation report.
3620A: There is a site called WordPress, which is managed by Hankuk University of Foreign Studies, and there were articles written against Hankuk University of Foreign Studies. I went to Hankuk University of Foreign Studies and entered the manager's page to check the contents of these posts. I also wrote that the articles "Fraudulent business is over" as written in the report.
3621Q: What is the IP address of the IP address of the White House and the IP address of the University of Foreign Studies?
3622A: When I visited Hankuk University of Foreign Studies, I went to the administrator site with my cooperation. So I wrote an investigation report about that part.
3623(Exhibit # 196 of Record No. 11 on the Evidence List)
3624Q: Is it true that the witness wrote a report titled 'Confirming additional reporting to the White House'?
3625Answer: Yes.
3626Q: Please explain this briefly.
3627A: The 4plebs.org site is the backup site of 4chan.org, and if it goes past the backup site, everything will be deleted. When the defendant published the article, I decided that I could post more than one post, and I checked every post related to the foreign language university. I did not check it by any search words but checked it by eye. I confirmed it by clicking on the site one by one. I also confirmed the post on May 5, 2015, and confirmed the post on June 25, There is more to the point of denouncing a foreign language university, and it is attached to it.
3628Q: Are postings attached to the contents of the post at the time?
3629Answer: Yes.
3630(Exhibit # 251 of Investigation Record No. 14 in Evidence List)
3631Q: Is it true that the witness wrote a report titled 'About posts posted on 4chan and 4chan backup sites'?
3632Answer: Yes. I wrote it.
3633Q: I found that the file usa.png was on the 4plebs.org site, the backup site of 4chan.org, and the attached screen captures the internet page that I confirmed at that time.
3634Answer: Yes.
3635Q: Isis.png Is there any indication that the file was retrieved from 4chan.org but it was not found?
3636Answer: Yes.
3637Q: Finally, did you put together the contents found on 4chan.org site and 4chan.org site backup site?
3638Answer: Yes.
3639In this case, the time for the rape of Obama's daughter on the White House site was posted on July 7, 2015 at 20:20, the post was deleted on 4chan.org site, and the backup site of 4chan.org site Did you confirm that the same content was posted on July 7, 2015 at 20:24?
3640Answer: Yes.
3641Q: Regarding the threat of terrorist attacks on US Ambassador to the Republic of Korea, the time it took to go to the White House on July 8, 2015 was confirmed to be posted on 4chan.org on July 8, 2015 Does the backup site on 4chan.org also confirm that the same time was saved on July 8, 2015?
3642Answer: Yes.
3643Q: Are you confirming everything yourself?
3644Answer: Yes, I have.
3645(Present evidence page 263 of the evidence list Sequence No. 16)
3646Question: Isis.png, usa.png About file analysis, isis.png title is isis.png?
3647Answer: Yes.
3648Q: Is it true that the above investigation report was written by a witness?
3649A: Yes, this is the part where I downloaded the direct download from 4chan.org site and checked the image and these parts.
3650Q: Please explain in detail.
3651Answer: There are picture files named isis.png and usa.png in the 4chan.org site post. You can check the update date or specific values of the file by downloading the files. You can check the unique value of the image you uploaded . In order to compare the values with others, we then use the flash hash value to determine the MD5 for the file, and the flash hash program to check for any unique value.
3652Q: If you click the isis.png file posted on 4chan.org site and save it as an image, the file name will be automatically saved as a random number, and you can download it by clicking the download button. , It says that the isis.png file has been downloaded, is that correct?
3653Answer: Yes.
3654Q: I tried to calculate the hash value of this file and it says the image is the same as the original one.
3655Answer: The file itself differs in how to download it, but if you check MD5 for a unique hash value for the file, isis.png or 1436268292526.png tells you that the file is received differently, The name is the same, but it means the same.
3656Q: Did you download the usa.png file from 4chan.org site?
3657Answer: Yes.
3658Q: In the same way, we can see that there are two ways of downloading, and in that case, the hash values calculated using MD5 function are found to be the same?
3659Answer: Yes.
3660(Present evidence page 176, Investigation Record, page 266)
3661Q: Is it true that the witness wrote a report titled "About the Nouveau dossier folder identified on the suspect's laptop"?
3662Answer: Yes.
3663Q: Please explain what it is.
3664A: In the New Folder, images related to terrorism related to Kim Kyeong-jong or Ripert were stored.
3665Q: Here is a description of 'I do not see the Internet history, but the images of the suspects have created folders and saved them.'
3666Answer: When you create a file, when you automatically surf or surf the Internet, some files are stored on your computer in the form of numeric random numbers or complex cryptosystems ... numbers, So, I did not surf the internet and checked something. Instead, I saved my file and saved it under a certain name.
3667Q: If I check again, is it correct that the user is checking the file that saved the image, not the cache file which is saved automatically during the internet surfing process?
3668Answer: Yes.
3669Q: If you look at the contents below, 'Folder Creation Date and Time, Image, etc. are created and collected on June 3, 2015. If you check the final access date and time, What is it?
3670Answer: Yes.
3671(Suggesting the record number 35 of the No. 20 book)
3672Q: Is it true that the witness wrote the following investigation report entitled "About Identification of Additional Evidence Related to Terrorism"?
3673Answer: Yes.
3674Q: Please explain what it is.
3675Answer: There was a file named s.txt on the notebook, and a text file similar to the one raping the Obama daughter was stored under the file.
3676Q: After the investigation, is it appropriate to print out the characteristics of the file and the original text of the file?
3677Answer: Yes, this part is the same with Kim OO digital analyst.
3678(Proof # 408 of Record No. 25-1 of Evidence List)
3679Q: Is it true that the witness wrote the investigation report titled 'About 4chan site publication time'?
3680Answer: Yes.
3681Q: Please explain this.
3682A: Because 4chan is not a Korean site, I think that the way the posted post is shown will not be seen in Korea at first. If you think that it is different from the post posted by the suspect, Since I have posted all the articles, 4chan site has service to all the countries in the world, so it is shown as a part that shows the time to turn off according to the country. So if you connect in Korea, you will show your time in Korea, This is a rhetorical report showing that.
3683Q: Did you test it by yourself?
3684Answer: Yes.
3685(Proof No. 463 of Record No. 27 of the Evidence List)
3686Q: Is it a witness' s report on the title of '4chan' s time on the site?
3687Answer: Yes.
3688Q: Is it the same as the investigation report you just saw?
3689Answer: Yes.
3690Q: Is it true that the articles or photographs posted on internet sites such as blogs, which are stored in the investigation reports made by the witnesses, and the information or materials found on the defendant's notebooks are captured or output as they are?
3691Answer: Yes.
3692(Proof No. 22-1, Investigation Record, Section 393 of Evidence List)
3693Q: Is it true that you have seen this document?
3694A: I have seen this while working together.
3695Q: Do you know from whom you received this papers from?
3696A: I know it through the White House and through the Cooperatives.
3697Q: Do not know the details?
3698Answer: Yes.
3699Q: Is the witness a police officer?
3700Answer: Yes.
3701Q: What is your position and rank?
3702A: It is Kim OO of the Cyber Safety Bureau of Seoul Metropolitan Police Agency.
3703Q: Is the witness involved in the investigation?
3704Answer: Yes.
3705Q: What role did the witness play in the investigation?
3706A: At that time, we were on duty. I was trying to find out if there was the same post as the one posted by the defendant because I had to take the case and start the case right away.
3707Q: In a little more detail, did you participate at the time of the seizure?
3708A: Yes, I also participated in the seizure search and I had to check a lot of posts first to get a warrant, and I had a lot of focus on that part, and when I was in the seizure search site, When I did not have a laptop or something like this. So, there are some parts that we have fielded with other investigators to secure evidence.
3709Q: What role did you play in the seized search site?
3710Answer: First, I thought it was important to find a laptop. The defendant posted a blog on the blog. So I made a lot of efforts to secure the laptop, and I asked the analyst to analyze the computer or something.
3711Q: Was there a picture of your laptop on the defendant's blog?
3712A: Yes, so I tried hard to find a laptop.
3713Q: Do you remember how you found your laptop?
3714Answer: Yes, when I first entered, the defendant was lying in bed, and when I tried to go into the room with a search warrant, I could not go in for about 30 minutes because the defendant 's parents never entered. So, first of all, I went into the room alone and told me that I had to check my laptop, so I could not get in there, so I asked for a laptop so the defendant's mother brought a laptop from the defendant's room. So I took the laptop and sent it to Kim OO analyst and asked him to check if there was an image.
3715Q: Did you shoot the situation at the time of the seizure?
3716A: Yes, I have done video recording.
3717Q: In the case of Ms. OO Lieutenant, I tried to shoot, but the defendant's family testified that they could not shoot because of their families.
3718A: Not all of them were shot, but there were some parts that I had to shoot.
3719Q: Did the defendant 's family prevent him from filming?
3720Answer: Yes.
3721Q: Was the defendant lying in bed throughout the search process?
3722Answer: Yes.
3723Q: Did you search the defendant's laptop to find the relevant evidence?
3724Answer: Yes.
3725Q: Isis.png, usa.png, s.txt file?
3726Answer: Yes.
3727Q: After confirming it at that time, did the defendant find out where these files came from?
3728A: I told him to look, but I kept seeing him and he lay there.
3729Q: Did the defendant analyze the room?
3730Answer: No. I analyzed it in the next room study, and the defendant 's mother attended to confirm the contents.
3731Q: At that time, I received the Confirmation of Confirmation of the Confirmation of the Confiscated Water, Confirmation of the Confirmation of the Confirmation of the Confiscated Water Information, etc. Who received it?
3732Answer: It was received by Kim OO analyst.
3733Q: In addition to what the witness has so far testified, is there any fact that I have verified during the investigation of this case?
3734A: I do not remember well because the incident is long.
3735
3736Counsel
3737To witnesses
3738Q: Has the commencement of the investigation been initiated by the US Embassy?
3739A: We know that the incident has come down to us.
3740Q: Have you ever seen an 'urgent cooperation request' from the US Embassy?
3741Answer: Yes.
3742Do you know that the Koreans in the Buddhist e - mail sent a blackmail message saying that they sent a warning email to President Obama on terrorism against Ambassador Ripper?
3743Answer: As far as I know, I posted on the White House site.
3744Q: I know so, and it's been investigated, but it says that I sent it by e-mail to the initial cooperation letter.
3745A: Is not it supposed to be sent by email?
3746Q: Does the witness know anything about this?
3747Answer: Yes.
3748Q: There are some documents attached to the investigation report written by witnesses, some of which have been downloaded from the Internet. Where did the data from the defendant's notebook come from?
3749Answer: Most of the Internet postings are written by me, and the Kim OO analysts can not share the system because the teams are different. So I made this same data with me, so I made the same report with the Kim OO analyst, and I printed it out.
3750Q: Does Kim OO's analyst provide the output?
3751Answer: Yes.
3752judge
3753To witnesses
3754Q: I said I wrote an Internet post, but I misstated it?
3755Answer: First of all, 4chan or something like this was what I had done capturing separately, and the parts from the defendant's notebook were written by Kim OO analyst because he could not write the investigation report.
3756
3757Counsel
3758To witnesses
3759(Presenting an investigation report, page 263)
3760Q: I have downloaded the witness from 4chan site and changed it to another file. The first isis.png file is downloaded on July 7, 2015 at 3:23:30 pm What does this time mean?
3761Answer:
3762Q: I do not seem to remember well, but w will answer the question. The time at the White House was written on July 7, 20:20, and the file isis.png on the defendant's laptop is 20:21, remember?
3763Answer: Yes.
3764Q: I have two hours to show evidence that there is evidence so far, so I know what it is. I am talking about the 3:23:30, the 24 hour hour, the 15:23? Please explain what this time means. You do not know because you wrote it?
3765A: I did not focus on the time when writing, but instead of backing up the original files on my desktop computer, I created a folder called "Terrorist" and had an original under it, There is a method and a download button called isis.png below it.
3766I clicked on that button and downloaded it in two ways, but the important thing is that the investigation report was written to specify that 'MD5 is the same, if MD5 is the same, this file is the same' I saved the file to my computer and compared it with it, and I do not remember the date exactly.
3767Q: Is not it time you saved your witness computer?
3768A: Yes, it is not.
3769Q: Now, three files have the same MD5, but the same thing means that the first file is the same file?
3770Answer: Yes.
3771(Presenting an investigation report on page 264 of the investigation record)
3772Q: How long does it take for usa.png to be downloaded on July 8, 2015 at 2:28:52?
3773A: I do not remember the details, but it seems to be the investigation report about the part where the original file on the defendant's laptop was referred by the pumice team and compared with the file.
3774Q: What is the meaning of time now that you do not know exactly?
3775A: I guess it's probably the time on the defendant's laptop, but where did the source of usa.png come from? So I do not know exactly what the file was from when the usa.png was uploaded.
3776(Suggesting an investigation record, page 334)
3777Q: Here is the 'Photovoltaic vs. Work File, Text File' on July 12, 2015 at 4:53:58 PM ...
3778Answer: This is the data that Kim OO analyst analyzed.
3779Q: Is the witness unaware of this time?
3780A: So I've seen it together, but Kim OO analyst will know better.
3781Q: Does the witness mean that you do not know about this?
3782Answer: Yes.
3783Q: Witnesses also participated at the time of the seizure, did you see the process of imaging the defendant's laptop?
3784Answer: Yes.
3785Where was the witness at that time?
3786A: I was in the same room and went to the room where the defendant was lying.
3787Q: Before imaging on a laptop, I turned on my laptop and searched for related files first. Who did it?
3788Answer: Kim OO was the analyst.
3789Q: In the process of looking at the defendant's laptop, did he or she secure the right to participate in the defendant's or the defendant's parents?
3790Answer: Yes.
3791Q: Who did?
3792A: There were several investigators.
3793Q: Did you participate?
3794Answer: The defendant did not participate, and the defendant 's mother was involved, and the defendant' s mother imaged in front of the viewer.
3795Q: How many hours did the imaging work take?
3796A: I do not remember exactly, but it seems to take about two hours.
3797Q: Did you film the process of examining or imaging the defendant's laptop?
3798A: I think I just took a picture when I first went in.
3799Q: Did you take videos or pictures about the process of imaging?
3800A: I think I did not.
3801Q: It is related to the witness who wrote the investigation report. If there is a screen-captured file and you download the file from 4chan and save it, the two will clearly distinguish between the captured and downloaded files from the defendant's notebook. Can you do it?
3802Answer: Although the name of the file can be changed because the computer is clearly distinguished, the root cause of the screen capture is a program called full page screen capture on the defendant's computer. When you capture using this program, the file name is created uniquely. Because there is a name and a date and it is hard for ordinary people to write it, so if there is such a thing, it should be said that it was programmed ...
3803Q: Even if you download the same thing, you are asking if you are following it.
3804Answer: If the filename remains the same, if you receive usa.png when you download it, then usa.png follows, and the url where the full-page screen was originally printed does not appear.
3805Moon: usa.png but not url ...
3806Answer: If you have url, you can get it as it is.
3807Q: If you download it in that state, is not it well separated?
3808Answer: Yes.
3809Q: And can you download and rename it?
3810Answer: Yes.
3811Q: If I remove the value of zone.identifier attached to the downloaded file, will it be impossible to check whether it is a downloaded file or not?
3812A: I do not know.
3813(Presenting the first and second Google search screens of the certificate No. 5)
3814Q: I searched on Google that the first blackmail related article was stored on 4chan site. This is what I came up with in search of the text, which is exactly the same as the number you saw. It is the first blackmail article that I have been suspected to have written by the defendant. There is a time called July 7, 07. 07:24:52, and the time of the first blackmail was written on July 7, 20:20, right? The time to upload to 4chan is much faster, do you know anything about this?
3815A: I do not know because it is not confirmed.
3816Q: This is what the witness made when he wrote the investigation report. If you posted in Korea, you would be posting Korean time on 4chan site? So the time I posted on the 4chan site was later than the time of the file on the laptop because the defendant wrote it. But now the time I searched on Google is much faster than the time I posted on the case. That 's why I ask.
3817Q: I do not know exactly what I am talking about. But first of all, this is Google. I do not know how to write url in 4chan, and the way it's written in Google would be wrong, because I did not see it.
3818Q: Does the witness have any experience in analyzing digital evidence?
3819A: I joined Cyber Special, basically there is no digital analysis and I have listened to education or lecture.
3820Q: Is not there a career?
3821A: I have to go to work because I needed to do it, but I did not get a license or anything like that, and I had a lot of training related to database and hacking.
3822Q: You have been trained in the National Police Agency?
3823A: I have a police station and I'm in a database.
3824Q: Was the witness involved in the investigation that changed the defendant's MAC address?
3825A: I joined the investigation together but I do not remember exactly. The story seems to have done a lot.
3826Q: Have you been involved in the investigation that led you to receive a Mac address that matched the IP address that you sent the search warrant to Tibur Road?
3827A: It was not me.
3828Q: Do you know about this part of the analysis that the defendant's laptop analysis results show that you have disabled the logs stored on the router in the adjacent time zone of the time that you wrote the article?
3829Answer: That part was written by Kim OO analyst.
3830Q: Does the witness know this part well?
3831Answer: Yes.
3832
3833judge
3834To witnesses
3835Q: Is it true that the witness's statement is unclear, and that he was working at a private database company in relation to his career in analyzing digital evidence, and then joined Cybercrime as a specialist?
3836A: Sometimes the process of coming to the police comes to the general public, and if you have more than a few years of social work, you may be given a special bond. The part I majored in is the database, and I've come across a lot of hacks and stuff like that.
3837Q: I have an editorial story ...
3838Answer: It is the part of the license.
3839Q: Did you major in the database, joined the police as a specialist, and then took the training related to hacking, and did you know only about the work related to digital analysis and did not complete any training?
3840Answer: Yes.
3841
3842judge
3843I will finish the witness newspaper about Mr. Kim OO.
3844
3845
3846Witness newspaper report (part of the eighth trial)
3847Event 2015 Torture 4685 Threatening
3848Name Kim OO
3849Date of birth 19OO. O.O.
3850Housing 67, O-Dong O (Hwagok-dong, O)
3851judge
3852If a witness asks whether he or she falls under Article 148 or Article 149 of the Criminal Procedure Act and acknowledges that he / she does not fall under this clause and explains that he / she can refuse to testify if he / After warning the punishment, he stood on the board and made an oath. The next witnesses did not finance it.
3853The contents of the newspaper about the witness are the same as the recording file of the court recording system (the original number 160321171323).
3854March 21, 2016.
3855Hwang,
3856The judge (doctor)
3857
3858A statement on the testimony veto notice
38591. A witness may, if he / she has any of the following reasons, deny his / her testimony to the presiding judge by calling for reasons for refusal.
3860end. If a person who has a relative or relative with a witness or a witness, a legal representative, or a supervisor is found to be subject to a criminal prosecution or a complaint or convicted (Criminal Procedure Act, Article 148)
3861I. If a witness is in such position or in such position as a lawyer, a patent attorney, a notary public, a CPA, a tax accountant, a taxpayer, a doctor, a doctor, a dentist, a dentist, a pharmacist, a midwife, a midwife, a nurse, (The Criminal Procedure Act, Article 149)
38622. In addition, a witness may refuse to testify if he or she finds that there is a reason similar to that of paragraph 1 of an individual or specific newspaper after the oath.
38633. If a witness does not expressly deny the testimony or give false testimony to a newspaper article that has the right to veto testimony, he / she shall be held liable for perjury please.
3864Witness Kim OO (signature) or signature (handwritten signature)
3865
3866Oath
3867According to the conscience,
3868In fact,
3869If there is a lie
3870To be punished for perjury
3871I am a wanderer.
3872Witness Kim OO (signature) or signature (handwritten signature)
3873
3874
3875Recording book (main point)
3876Case Number 2015 High 4685 Date 2016. 3. 21. 14:00 Remarks (None)
3877I submit a transcript prepared in accordance with the provisions of Article 38, Paragraph 1 of the Criminal Procedure Rules.
38781. Attachment: Witness newspaper copy of Witness Kim OO (total face: 24 pages) 1 copy
3879March 21, 2016.
3880Stamped stamping machine (seal) (painted)
3881
3882â€» This transcript was written in a way that summarizes only the main parts of the statement.
3883â€» Parties and witnesses may object to the matters described in this transcript. When an objection is raised, a court clerk or other person must indicate the intent of the objection in this transcript or in a separate document or correct the relevant part of this transcript.
3884
3885judge
3886Witness Kim OO acknowledges the need for the recording of the witness newspaper procedure and orders recording for all of them in accordance with the provisions of the relevant Criminal Procedure Law. The contents of the witness newspaper are all recorded, so please be sure to tell the microphone when speaking.
3887Notice of testimony veto. Because of witness testimony, the witness may deny his / her testimony about the confidentiality of someone else who has a business relationship with the witness because he or she is concerned about criminal penalties. After witnesses have sworn in, they can also refuse to testify for the same reason in individual newspapers. After the oath, you must state the truth, and if you lie, you will be punished for perjury. Please swear.
3888
3889witness
3890According to the oath and conscience, I speak truthfully without any concealment and assistance, and if there is a lie I swear to be punished for perjury. Witness Kim OO.
3891
3892inspection
3893To witnesses
3894(Proof No. 68, page 69 of the evidence list No. 33, No. 1)
3895Q: Is it true that the results of this digital evidence analysis were true of the witness's experience?
3896Answer: Yes.
3897(Proof No. 73-2 of Investigation Record # 33-2)
3898The CD is attached with the title of 'Digital Evidence Analysis Result'. The digital evidence analysis result stored on this CD contains the defendant's notebook image file and the main data or information found in the analysis of the incident Is that right?
3899Answer: Yes.
3900Q: Witness is the Digital Evidence Analyst at the Seoul Metropolitan Police Department Cyber Crime Investigation Division?
3901A: Yes, I am currently working at Cyber Crime Lab. We shared with the Evidence Analysis team earlier this year and worked in the Digital Evidence Analysis team until last year, and this year we are in charge of Detectives who are out of cyberspace.
3902Q: What was the work of the witness during the investigation?
3903A: As a digital analyst, I was collecting and analyzing evidence on digital evidence from the incident at the police investigation room under the Seoul Metropolitan Police Agency.
3904Q: Did the witness participate in the seizure of this case?
3905Answer: Yes.
3906Q: Have you participated in the whole process of seizure search?
3907A: Yes, that scene from that date.
3908Q: Did you participate from the beginning to the end?
3909Answer: Yes.
3910Q: Tell the defendant's notebook the discovery and imaging process as the witness has experienced.
3911A: I do not find it. I remember it was discovered by Kim OO investigator. And the defendant was in the room and there was a room in front of him where the defendant's father seemed to write, and while I was searching the room for an all-in-one PC used by the defendant's father, he found a laptop and searched and analyzed the laptop .
3912Q: When I first got the defendant's laptop, was the laptop on or off?
3913Answer: I remember it was turned off because it was folded.
3914Q: After turning the power on and searching, we found evidence related to the incident, shut it down, and imaged it immediately?
3915Answer: Yes.
3916Q: Did you take the seizure process or imaging process at the time?
3917A: I did not take the shoot, and I remember that the staff of the WTC and our cybercrime staff shot it together.
3918Q: Did you take all the steps?
3919Answer: Yes. I remember that two or more cameras were spinning.
3920Moon: Ms. OO told me that at that time, the family of the defendants had to stop shooting in the opposite direction, right?
3921Answer: Yes, that's right. I remember that there was an argument.
3922Q: Do you remember which course of filming was discontinued?
3923Answer: I can not remember correctly.
3924Q: After I image the defendant's laptop hard disk, who do I get such as integrity verification or hash verification?
3925Answer: I got it from the defendant's mother.
3926Q: Did the witness directly receive it?
3927Answer: Yes, I got a confirmation from my defendant mother that I wrote the hash value by hand.
3928Question: Did the witness claim that the defendant confiscated a hard disk on the lenovo B490 laptop computer, seized five hard disks, and analyzed one replica of SanDisk USB memory?
3929Answer: Yes.
3930Q: Was the time of the defendant's laptop computer in Paris, France?
3931Answer: Yes.
3932Q: So, when the crime of this case is on, July 7, 2015, was the daylight saving time set to be 7 hours earlier than Korea's standard time?
3933Answer: Yes.
3934Q: When Witnesses used EnCase, a digital forensic program, to analyze the defendant's laptop computer, did they set it to be displayed in Korea's standard time?
3935Answer: Yes.
3936Question: Isis.png and usa.png files found on the defendant's laptop computer hard disk?
3937Answer: Yes.
3938Q. Isis.png file creation date and time is July 7, 20:21:12, the last revised date is July 20, 2015. 7. 7. 20:23:30, and the creation date of usa.png file is 2015. 7 8. Was it confirmed at 02:27:07 and the last revised city date was July 8, 2015 at 02:28:51?
3939Answer: It is correct in the analysis report.
3940Q: I found isis.png.lnk and usa.png.lnk linked to the above isis.png and usa.png files.
3941Answer: Yes.
3942Q: When and how are these link files created and stored?
3943Answer: Generally, when you open a file on a Windows system, a link file called a shortcut file is created.
3944Q: If you analyze the meta information of this link file, ie file attribute information, what kind of information can you check?
3945Answer: Once you open the Ink file, you will see the name of the file you opened. When you open it, the computer name, volume name, and hardware Mac address will be saved.
3946Question: Did you check the hard disk volume name, serial number, computer name, MAC address of each link file mentioned above and the information of the defendant's laptop computer?
3947Answer: Yes, it has been confirmed.
3948Q: Isis.png and usa.png files are exactly the same date and time, but link files with different file names were found on the defendant's notebook.
3949Answer: Yes, I remember that part of the file name is different, but the original date and time of creation of the analysis is the result of analyzing the file name when I changed the source file ... So, if the file name is changed, the creation date and time will not change. It has been confirmed that the creation date and time of the original file remain in the link file.
3950Q: Is it possible to interpret the link file as a file name that is created when the original isis.png or usa.png file is created, but the original file has a different file name?
3951A: Yes, I interpreted it that way.
3952Q: In addition to the isis.png and usa.png files, there are many screens on the White House site, as well as a screen capture of the post completion screen, found on the defendant's laptop computer?
3953Answer: Yes.
3954Q: In addition, the e-mail address Twitter address, phone number, 'H.U.F.S. R.O. 4ourth 4inger 'and' I am going to kill Ambassador Ripper by infiltrating the US Embassy 'in Korean, and' Obama kidnapped my little daughter to give him an anal rape ' Did you find the s.txt file with the same contents as the article?
3955Answer: Yes.
3956Q: Are the link files A0065359.1nk, A0065518.1nk, A0065541.1nk, and A0065621.1nk found in the s.txt file found?
3957Answer: Yes.
3958Q: How are these link files created and where are they stored?
3959Answer: The link files that are randomly numbered starting with A are the volumes used by the system called system volume information. At first, when I explained the time when the volume was used, I tried using it in Windows 7 As you know, there is a feature called Restore Computer. I have a feature called restoring the computer that will take a snapshot, so Windows 7 will automatically back up. So, at that time, I automatically backed up the list of files or files in a certain period of time, and the backup location is the system volume information folder, and a folder is created under each backed up day. A link file pointing to txt has been found.
3960Q: The operating system of the defendant's laptop is XP. Does XP have the same function?
3961Answer: Yes.
3962Q: What events are required to generate these link files?
3963Answer: The system automatically backs up the function. If you do not specifically make a backup, I know that the backup is basically based on the operating system settings.
3964Q: The date of creation of each link file just mentioned is 2014. 9. 10. 16:59, and the final access date and time is July 7, 14:57, 21:10, 21:10 , 22:31?
3965Answer: Yes, as you can see in the report.
3966Q: Have you found any more link files that link to s.txt other than the four link files?
3967Answer: Yes, at that time, the link file pointing to the s.tet file was analyzed to be it.
3968Q: Can I see the date and time of the last access to the s.txt file on July 7, 2015?
3969Answer: At the end of the last one, what if the link file was on July 7, 2015, 22:31, then you can interpret the s.txt file as the last time you opened it.
3970Q: On the other hand, when the defendant analyzed the Internet access rate of laptop computers, did you check the records of Internet Explorer, Chrome, Mozilla and Opera Web browser?
3971Q: Did you also find a record of 'Michelle obama' on Google search site via Internet Explorer?
3972Answer: Yes.
3973Q: Is the record of accessing the Internet Router Management page verified on July 7, 2015, and July 8, 2015 at the time of the crime of this case?
3974Answer: Yes.
3975Q: Did you check the details of the settings such as setting the router to not record the log in the time zone adjacent to the crime of this case?
3976A: I do not know what the intent was, but I've confirmed that I changed the settings.
3977Q: How do I change my router settings?
3978A: Router management is to connect the IP address and router IP of the network to the web browser, and the management page will appear. You can go to the management page and change the general setting value of the network or the MAC address or the MAC address. .
3979Q: So I usually access the administration page through the web browser, so I have a record of my internet connection history?
3980Answer: Yes.
3981Q: Is there a way to keep the record of the connection?
3982A: There are a variety of ways you can stay away. Nowadays, web browsers like Explorer and Chrome have features like incognito, which keeps browsing history from being left, so I know that if you use it, your records will not be checked.
3983Q: Is there an incite comb in the case of explorer and an incognito mode in Google Chrome? Will there be no connection history when using such a mode?
3984A: Yes, I did not have any results.
3985Q: Has the defendant's laptop been able to change the MAC address of the Internet router 9 times between June 8, 2015 and June 3, 2015?
3986Answer: Yes, Mac address changes have been verified through Internet history.
3987
3988Counsel
3989To witnesses
3990Q: In the confiscation search site, did you direct the witness to image the defendant's laptop?
3991Answer: Yes.
3992Q: How did you save the imaged file and how did you take it?
3993Answer: We made a copy on the hard disk we brought with Falcon, and cloned the image through the Falcon by attaching the original hard disk to the original.
3994Q: How did you make a copy of your hard disk? Did not you seal that part separately?
3995Deep: Yes, it does not have to be sealed.
3996Q: Is it true that the regulations of the National Police Agency, such as the "Regulations on the Collection and Processing of Digital Evidence", require the seal to be sealed. Is it not necessary to seal?
3997Answer: The storage medium is intended to be sealed, but the duplicate image is not explicitly marked as sealed.
3998Q: How do you keep the duplicate image and keep it?
3999A: Since the image is the result of integrity, it is necessary to have an integrity hash value for the image file and the image file.
4000Q: In the case law, I have a sealing process as one of the methods of ensuring the integrity of the image file, and I am shooting the process.
4001Answer: I shot it.
4002Q: I do not ask opinions from witnesses. We will later ...
4003A: I think you denied what I did, but I do not know that.
4004Question: Is the witness bringing the file itself to the National Police Agency?
4005A: I was in the car and I was in the car.
4006Q: Have you received an analysis request separately?
4007Answer: I understand that I have received an analysis request form.
4008Q: From whom?
4009A: Because it is computerized, I do not receive it directly.
4010Q: Have you taken it in a container that can be safely stored so that it will not be damaged by impact, magnetic fields, moisture or dust when you take it?
4011Answer: Yes, that's right.
4012Q: What equipment did you bring at the time of the seizure?
4013Answer: Replicate Falcons and their accessories, laptops, EnCase for analyzing the scene, hard disk for copying the original, and then the police office which extracts the file list for simple use. There is a program called CIP which I developed.
4014(Suggesting an investigation record, page 334)
4015Q: I think you've seen it in the process of writing the statement, but the text file in the Photovoltaic vs. Work file. July 12, 2015 04:53:58 What is the meaning of this time I will ask you about this?
4016Answer: I work with a program called UltraEdit. When I print it there, I know that it shows the attributes related to creating or modifying the file.
4017Q: I think it is written in the opinion letter that the file will be automatically released based on the last access date. Does that mean?
4018Answer: As stated.
4019(Suggesting an investigation record, page 665)
4020Q: I have the same photovoltaic versus work file and this is on July 21, 2015 at 07:06 pm?
4021Answer: Yes.
4022Q: Under that, the Modified time and the Accesed time are from July 7, 2015 to July 7, 2015. What does the witness say now and what does it mean, different?
4023A: Of course, the structure is different.
4024Q: What is the reason?
4025Answer: This is the information in the file, and the one above it shows the computer time when you did the work.
4026Q: Does July 12, 2015 tell the time of the computer that the witness worked on?
4027Answer: Yes.
4028Q: Witness, is that certain? Were you working on July 12, 2015?
4029A: I did not work at that time, but I printed what was missing.
4030Q: What does it mean to be missing then?
4031A: I guess I did not do it at the time.
4032Q: Witnesses, do you know how many days a search has been made? It was on July 13, 2015. But what does it mean to say that we have removed all of our records the day before the seizure?
4033Answer: What?
4034Q: The file was on July 12th, right?
4035Answer: Where?
4036(Suggesting an investigation record, page 334)
4037Q: Is not it July 12, 2015?
4038Answer: At the time of the last revision.
4039Q: What does it mean?
4040Answer: You just got what you got there and printed it from your analysis computer.
4041Q: So, is it a time stamped by the police?
4042Answer: I have to see exactly how s.txt comes out, but I was too busy to see the case record. The output is the output of UltraEdit on my analysis computer. The opinions remain intact.
4043Q: Does it mean that the output was on July 12, 2015?
4044Answer: No. This is not what I printed on July 12, but the attribute of that file named s.txt is recorded.
4045Q: I have shown the properties of the file before July 7, 2015. There is a part of the file, please describe it.
4046Answer: It was changed because I put the save separately.
4047(Suggesting an investigation record, page 665)
4048Q: What does that mean? It looks like here on July 21, 2015. What does this mean?
4049A: That's '.txt'. There is no file called '.txt' on the notebook. When I change '.lnk' to '.txt', that file is not a file on the defendant's notebook, but a reporting screen that is displayed as EnCase. I pulled it out and I made it into a text file.
4050Q: So this is not a file on the defendant's laptop, is it a separate file created by the witness?
4051Answer: It is a file created by EnCase, which is not a file but implies its contents.
4052Q: So is the date you worked on July 21, 2015?
4053Answer: Yes. I created a file called Text.
4054
4055judge
4056To witnesses
4057(Suggesting an investigation record, page 334)
4058Q: The seizure was on July 13, 2015, and the date and time of the seizure on July 12, 2015, before the seizure, is written in the s.txt file. Please summarize and explain once again what this time and date means.
4059A: There is a date attribute called s.txt which is the creation date of the file, the last modified date, or the last access date. The last modified date is displayed there, followed by the "A number.txt" Since I can not subtract it, the attribute of the original file is not displayed. Therefore, I use EnCase tool to display the properties of the original file managed by EnCase. I copied it completely and made it randomly on my analysis computer as a text file. . To show the screen, to show the letter, on that date.
4060
4061Counsel
4062To witnesses
4063Q: Do you remember who wrote the seizure?
4064Answer: If my letter is correct ...
4065Q: The writer is not a witness, did you see that he made the list of seizures that day?
4066Answer: Yes.
4067Q: In the list of seizures, the file on the defendant's laptop is in the list, do you know?
4068A: I do not remember, but I do not remember seeing exactly what the output is because I can not connect to the system called kicks.
4069Q: The seizure of the seizure is written by Lieutenant Kim Sang-Kuk and Joo Yoo-Woo, but since the witness has imaged it, he / she will ask for it because the witness confirmed it when he made the seizure list.
4070A: Is not the confiscation list written in the office?
4071Q: Before that, did you use the handwriting on your confiscation list?
4072A: It's not a confiscation list, it's an electronic information confirmation.
4073(Presenting the confiscation record, page 398)
4074Q: On the confiscation list, it says that the imaging files were confiscated in 2, 3, 4, 5, but the imaging file is not listed on the 1st notebook. Of course, the witness did not write it, but the writer Kim Sang-Kuk proved his confession to the mother of the defendant and wrote it by hand. There is also no imaging file here, but below is the imaging file. The imaging file is not listed here either. Do you know about this?
4075Answer: I do not know.
4076Q: Did the witness check these documents at the time?
4077Answer: I have no reason to be involved in the proof of confiscation or the record.
4078Q: At the time of the seizure search, did the lieutenant Kim Sang Kook confirm or get confirmed by the witness when he wrote such a document?
4079Answer: There was.
4080Q: Did the witness go through the process of verifying this document?
4081Answer: Whether or not it should be written by my confirmation ...
4082Q: Witness, please tell me the facts you remember.
4083A: Are you asking exactly the month?
4084Q: At the time of the seizure, did the witness check this document and say, 'This is the confiscation list'?
4085Answer: I have a memorable memory of the results.
4086Q: Do you mean that you confirmed this list because you confirmed the output?
4087Answer: As you remember, I did not think it was the end of the seizure at that time, and I think the process of seizure is ongoing ... Q: Are you telling me when to write this list? A: Yes, so for the final confiscated object, I have to hand over the file to the investigative team through my analysis. Q: How long did it take to image that day? Answer: It takes about an hour and a half to two hours per hard disk, so I know that 3 o'clock that day ended at 4 o'clock. Q: Is it finished on July 14, 2015? Answer: Yes.
4088-------------------------------------------------- -------------------------------------------------- -------------------------------------------------- --------------------------------------------------
4089
4090It is not exactly what I remember coming and going back and forth when I found it. So I told you to keep coming, not to go out.
4091Q: Witness is now working as an analyst on digital evidence. What is your career history?
4092A: I received a police assignment on April 4, 2009, and I have been working at Cybercrime to date. I also worked on digital evidence analysis. I worked for two years from 2014 to 2015 as a whole.
4093Q: Is there a separate education or a degree?
4094A: Yes, I have a master's degree in Information and Communications.
4095Q: Is there anything else that was trained in the police department?
4096A: I have been trained about once a year, once a year for about a month, trained as a hacking professional investigator at the Police Investigation Training Center, then at the Seoul Metropolitan Police Department as a network investigation last year I have lectured about 600 people.
4097Q: I have two intrusive articles, but I do not have a capture file to write the first one. Isis.png I am writing a text file from the last one, and the screen that says 'Thank you!' I see it as one file, do you remember it?
4098Answer: I do not know.
4099Q: If there is only one file, but the defendant actually wrote it, then two files should be present. If you do not have the file that you captured while writing in front of you, you will not be able to see 'Thank you!' There are only files that are combined with the part that says. Please explain if it is technically possible.
4100A: I can not remember the result of this, honestly. I remember that 'Thank you!' Was just a single file.
4101Q: There is that one, and then the evidence found on the defendant's notebook isis.png, usa.png file that wrote the entire article, remember?
4102Answer: Yes.
4103Q: It was a single file that was synthesized up to 'Thank you!'
4104A: Was there 'Thank you!' Below?
4105Q: Yes, there is a 'Thank you!' Below, and there is a writing on top of it, so please explain why the file that captures the writing should be separately existed.
4106A: I do not know why.
4107Q: Have you confirmed that you have captured using Chrome Full Page Capture?
4108Answer: Yes.
4109Q: Do you know that if you capture a full page, it will be saved automatically on your laptop and that the save file will be created, or you will have to save it with a different name or press Save but save it?
4110A: I do not know why I have not used it. What I put in my analysis report is that I did not know exactly when the capture was done that the filename was created that way, whether it was dropped when the user saved it, or whether the file was temporary before it was saved.
4111Q: According to the analysis of the witness, the defendant's internet router MAC address has been changed, remember?
4112Answer: Yes.
4113Q: And at the end of the crime at the time of the log records are stored in the analysis that you have released, do you remember?
4114Answer: If you are in the report, you are right.
4115Q: After that, I do not think that the investigation related to the router is going to be carried out. Do you usually not investigate the router? For example, if you change the MAC address of the router, you should have done an additional investigation. How do you normally investigate?
4116A: At the time, I was not handled by a mobile investigator, so I do not know if I did an investigation into the router.
4117Q: There were two IPs in which the blackmail was written, and the IP address was confirmed. If there is a corresponding IP that has committed the crime at the specified time of the crime, then the MAC address that matches the existing 1P can be confirmed through the carrier?
4118Answer: At that time, I knew that on the Tibur Road it had not been confirmed well.
4119Q: I once went through the process of confiscating the MAC address for the existence of a MAC address on the Tibudoad. Do you know about that?
4120Answer: I do not know about that.
4121Q: I asked Tibor to have a Mac address that matched the IP address as stated, but it was not certain that the defendant did. If so, if you check the router in the defendant's home, is it possible to change the MAC address or not?
4122A: I do not know if it should be confirmed.
4123Q: Is it possible, technically possible or not?
4124Answer: Yes.
4125Q: Anyway, the witness does not know that he has further investigated the router.
4126A: I do not know that. I did not receive a router analysis request.
4127Q: Was the imaging file analyzed by the witness first imaging the laptop at the defendant's home?
4128Answer: Yes.
4129Q: Did the witness analyze it and replicate the imaging file again?
4130Answer: Yes.
4131Q: What about the storage device of the analyzed imaging file?
4132A: Then I took two hard disks, one was the investigation team, the other was my team, so I remember what I included in my team ... I do not remember which team the notebook was on, but anyway, I used to send it to the investigative team, so I told them to copy it, final.
4133Q: Did you replicate what you had on the witness team to the investigation team?
4134A: I did not replicate it, I gave it a hard disk.
4135Q: If you look at the reports you have requested, there are 5 or 6 imaging files. It looks like it was copied to a hard disk and commissioned for analysis. Is this correct?
4136A: I do not know that. As I said, I came in two ...
4137Q: When I witnessed it, did I put it on one hard disk?
4138Answer: No. There are two.
4139Q: Then you have one on your laptop ...
4140A: So I do not remember how it was stored on my laptop.
4141Q: And the original of the image was passed back to the investigation team?
4142Answer: Yes.
4143Q: Do not you know who you turned over?
4144A: Yes, I do not know.
4145Q: I think the analysis is finished on July 23, 2015.
4146A: I do not know. Because the report is urgent, you should have given it as a file first.
4147Q: And did the witness print out the evidence from the imaging file and provide it to the investigators in the middle of the analysis?
4148Answer: Yes.
4149Q: Do you usually do that?
4150Answer: Yes.
4151Q: Do you mean that even before the analysis report comes out?
4152Answer: Yes, what I convey is in the analysis report.
4153(Suggesting Investigation Record # 722)
4154Q: What is the page in the analysis report that the witness made?
4155Answer: Yes.
4156Q: It is related to the router here, it says 'Disable logging setting'. What is the source of this screen?
4157A: You probably have a file called Time Pro, which you run on the analysis computer.
4158Q: Is it not a screen printed on the notebook of the witness, or a screen printed on the defendant's notebook?
4159A: You have a time pro and a text file. But there is an HTML file that opens up there. The text file was stored on the defendant's laptop, and since I only need to convert the extension after the text file to open it in the web browser, it seems that I have been converted to HTML to increase visibility.
4160Q: Is this screen now on the witness's computer in the process of analyzing the witness?
4161A: Yes, I will. It's my Chrome browser environment.
4162(Suggesting Investigation Record # 736)
4163Q: It is almost the last part of the report that the witness analyzes the file. I extracted the file extraction result and the hash value, and I gave the hash value for the notebook imaging file separately at the first. Does the witness have a hash value?
4164Answer: Yes, result request.
4165Q: The hash value here is different from the hash value of the imaging file that initially imaged the defendant's laptop?
4166Answer: That 's not it. The hash value for the compressed file for the final output I created.
4167Q: The hash value has changed, so I'm looking at it.
4168Answer: It is not a new, hash value of just another file that has nothing to do with imaging files.
4169Q: Is the result of the request attached to the CD now?
4170Answer: Yes.
4171Q: Is it not possible to recognize the originality of the original file attached to this CD and the imaging file that the witness first imaged?
4172Answer: Of course, the originals are not the same because they are different. Inside the imaging file, I put this file in here, but the hash value for this file came out like this, but the hash value is different and the identity is different? Not that. I can prove it again.
4173Q: How can you prove that you came out?
4174Answer: You can export the output here and extract the hash value.
4175
4176judge
4177To witnesses
4178(Presenting section 2 of the Attorney's Statement on December 12, 2015)
4179Q: The attorney's claim is that the file before the files are merged because the picture files are merged, but it does not exist. Does the file before merging have to exist?
4180Answer: It may not be.
4181Q: Please explain in what case it might not be.
4182Answer: I do not know what features the Chrome Extension Tool has, but a common capture tool is that once you capture a screen and then try to put it underneath it, you capture it first, and if you do not save it, , So you do not need to save it, but if you put the second captured screen just below the area that was left in the memory, and then save it, the first thing you saved will not be saved.
4183
4184Counsel
4185To witnesses
4186Q: Is it possible to remain in the memory area at first?
4187Answer: Yes.
4188Q: Does it disappear from the memory area over time?
4189A: Normally I keep the clipboard, but the program I use remains, and I do not know how the date is set, but if I capture it yesterday and save it, it will be shown on the screen again.
4190Q: So if you stay in the memory area, is it possible?
4191Answer: Yes.
4192
4193inspection
4194To witnesses
4195Q: Is it possible that the original text and the result screen are both saved as a file, and then the result screen is pasted in the original text and the synthesized file is saved under a new name. ?
4196Answer: Yes, there are many possibilities.
4197
4198Counsel
4199To witnesses
4200Q: The writing screen is so large that you can not see it on one page. Is it possible to capture it as a single file when you capture a full screen, or capture it separately?
4201Answer: It can also be captured as a single file. But I do not know the full page capture program because I did not use it. The capture function provided by Naver or most of the recent capture programs are scrolled all the time, and when I select the whole screen, the one below is captured as one screen.
4202
4203judge
4204I will finish the newspaper about Kim OO. Thank you.
4205
4206----------------------------------------------------------------------------------------------------
42077. First Judgment
4208
4209
4210After the prison sentence in Seoul detention center, I added 15 sheets of staples to the sentence, followed by a document that shows how to file a copy of the sentence, and 16 pieces of staples.
4211I added a copy of the document stating that I added a copy of the document stating how to apply for viewing and copying restrictions. I suspect that the court did this by worrying about the disclosure of the judgment.
4212
4213Seoul Central District Court
4214verdict
4215
4216Event 2015 Torture 4685 Intimidation (Recognition of Torture)
4217The defendants were OO (OOOOOO-OOOOOOO), unemployed
4218Housing Seoul, Dongdaemun-gu, Hancheon-ro 58, Gil 139, O-dong O (I-moon-dong, O-apartment)
4219Registration Criteria Gyeongbuk, Andong-gun Il-kyung-myeon Dongfang Dong 408
4220Inspection Jungmun-sik (Prosecution), Jung Jun-jun (trial)
4221Counsel
4222Attorney Kim Yong-min, Kim Jin-hyeong, In-Sook Park
4223Judgment sentenced Nov. 11, 2016
4224
4225order
4226The accused shall be sentenced to one year and six months in prison.
4227Confiscate one seized notebook (model name: lenovo B490, S / N: WB09564311)
4228
4229Reason
4230Crime Facts
42311. Defendant's first intimidation attempted
4232The defendant used the defendant's laptop (model: lenovo B490) at the defendant's residence to contact the White House Consumer Affairs Corner (Contact the White House, "in English," to President Obama and First Lady Michelle. ... I am a college student at Hankuk University of Foreign Studies in Seoul, Korea. How are your families doing? I am tired of my life because I always masturbate watching sex transsexual pornography. One day I realized that I did not want to die like this. I decided to stay as a famous Korean man in American history. I will eventually rape your second daughter, Natasha. I think it would be a bit politicky to ask beforehand, but is it okay? I think the second daughter (first daughter) is more than Malia Ann ... (Omitted) ... so I ... Parental consent is required prior to the application. Do not worry about me. I have a lot of kimchi and I do not have AIDS. I am going to rape black people before they die. ... 1).
4233-------------------------------------------------- --------------------------------------------------
42341) The following is the original text of the post.
4235From: Mr. Lifee Iss Crazzyyjr. / Submitted: 7/7/2015 7:20 AM EDT (US Eastern Time) Email: isshufs@gmail.com / Phone: 82221732062 / Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro , Dongdaemun-gu, Seoul, Korea, 130-791, Damascus, Message: Dear Mr. President Obama and Mrs. First lady Michelle.
4236Hi.
4237I'm HUFS student from Seoul, Korea.
4238How's your president family?
4239I'm sick of my life cause I always mastervating with tranny prons. One day, I realize that I'm not going to die like this.
42402 decide to be a famous Korean male in USA history.
4241Therefore, I am going to anal rape your second daughter Natasha. Is that okay?
4242I think that bitch's asshole is much tighter than Malia Ann. so I need parents permission before the nigger anus.
4243Do not worry about me: I eat lots of Kimchi so free from AIDS.
4244I eager to penetrate nigro asshole before I killed by Kim Jung-un.
4245Thanks.
4246
4247As a result, the defendant tried to intimidate both President Barack Obama and his first wife, Barack Michel, but the victims did not reach the above posting, so they tried.
42482. Attempted second intimidation of defendant
4249?The defendant accessed the white house in the White House section of the White House in the above manner at the residence of the defendant as described in paragraph 1 of the " . ... This is a warning message to terrorist attacks. In Korea, we will attack the US Ambassador Mark Ripert in Seoul again. Last time, the assassin 's heart I sent was so weak that I could not break Ripper' s artery. This time we will be preparing a well-trained assassin {traditional Cuisine-Professor) and kill the metabolism with a nuclear poison. Until the US forces dispose of chemical weapons on the Korean peninsula, we will slowly and surely discipline all your political comrades. It is an ultimatum. Wait for us, WIP Satan, Obama! I will see the dialogue soon after. ... 2).
4250-------------------------------------------------- --------------------------------------------------
42512) The original text of the post is as follows.
4252From: Dr. Korea Isis One / Submitted: 7/7/2015 1:26 PM EDT / Email: summer@hufs.ackr Phone: 82221732061 / Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu , Seoul, Korea, 130-791 Message: Declaration Terror to Mr. President Obama.
4253A beautiful Evening is it?
4254Right this is the warning message from the Terrorist Attack.
4255Korea, we're going to re-attack US ambassador Mark Lippert in Seoul.
4256So last time, my a5sassirator's mind is too weak to cut the ambassador's artery perfectly. End this time, we have been prepared by a well-trained traditional Cuisine-Professor and kill Him by nuclear poisoning.
4257Ok? We'll keep you amputated all your political comrades slowly but surely one by one, until the US army eliminates Bio-chemical weapons in Korean Peninsular Mother Land.
4258UltimatuM; 3xpects us, our WIP Archenemy Obama!
4259LIMFAO, See mark Soon in your After-Life ......
4260H.U.F.S. R.O. 4ourth 4inger
4261
4262As a result, the defendant threatened to assassinate US Ambassador Mark Ripert, a foreign envoy sent to the Republic of Korea, if his intention was not met by US President Barack Obama, but he did not reach the victim.
4263The point of evidence
42641. Statutory Statement of Witnesses M OO, Kim OO and Kim OO
42651. Intimidating texts, English texts typed into each white house homepage, 4plebs.org site postings
42661. Digital evidence analysis report
42671. Investigative reporting (see additional postings on 4plebs.org site), investigation reports (crime facts and Hankuk University of Foreign Studies lectures), investigation reports (suspects found on OO computers, original capturing files) (Evidence list 13-1 to 13-4), investigation reports (for posts posted on 4Chan and 4Chan backup sites), investigation reports (for isis.png, usa.png file analysis), investigation reports (For the Nouveau dossier folder identified on the defendant's laptop), the 's.txt' file found on the defendant's notebook, the investigation report (the suspect for the OO laptop time zone setting confirmation), the investigation report (using the Google Chrome browser capture function Analysis of generated time information), investigation reporting (this OO notebook time information confirmation and re-imaging)
42681. Confiscation Record and Confiscation List
42691. Confidentiality (submission) integrity verification, seized material (submission) information
4270Application of statutes
42711. The applicable law on crime
4272Article 286 of each criminal law, Article 283 (1)
42731. Imaginative competition
4274Article 40 of the Criminal Act, Article 50
42751. Type selection
4276Jail option
42771. Weighting
4278Article 37 of the Criminal Act, Article 38 Paragraph (1) Item 2, Article 50
42791. Confiscation
4280Criminal Law Article 48 Clause 1 first
4281Judgment of defendant's and defendant's claims
42821. On the illegality of seizure and search procedures
4283end. Seizure method restriction violation
42841) The point of the claim
4285The Seoul Central District Court on July 13, 2015 (the "Warrant for Warrant," 2015-18545, hereinafter referred to as "the warrant for this case") restricts the objects and methods of seizure, and in principle, The method of outputting the evidence is sufficient and the notebook computer itself can be duplicated. If the duplication is not possible at the execution site, the original export of the storage medium is allowed and it is returned within 10 days from the date of export.
4286However, the defendant's laptop computer had already been cloned at the execution site, so it was taken out and kept as a seizure, even though it was not necessary to remove it.
4287This is an unlawful seizure violation against a warrant, and the illegality may affect the entire seizure process, so all the evidence obtained from the seizure corresponds to evidence of illegal collection.
4288
42892) Judgment
4290The object and method of confiscation of the electronic information set forth in this case warrant are as follows.
4291The warrant is for confiscation, "computer hard disk, tablet PC related to the crime" is listed, and the confiscation of the storage device itself is allowed, the defendant's laptop computer is set to the French time zone, It is confirmed that VMware is installed as an operating system operating program, so it is necessary to clarify time information and check and analyze the usage history of virtual computer in the future, thereby seizing and exporting the notebook computer itself, It is expected that it will be questioned whether or not the identity of the electronic information is confirmed, and it appears that it is an action in accordance with the necessity of seizing the storage medium itself in order to confirm the original electronic information. 
4292However, if the confiscation of electronic information is specified, In addition to the electronic information as in this case, when the original of the notebook computer itself is confiscated as an object of seizure, it can not be said that it is a violation of the electronic information confiscation method. It can not be called a seizure search.
4293I. Seizure search without guarantee of participation
42941) The point of the claim
4295The search for electronic information should be regarded as a seizure process in the whole process of searching electronic information related to a criminal offense and outputting the corresponding electronic information in a document or copying a file. In this case, Not guaranteed.
42962) Judgment
4297In summary, the following facts recognized by the evidence that the court has legally adopted and investigated suggest that, even if the investigating agency does not fully comply with some of the proceedings, the offense is the assurance of the participation of the defendant in the proceedings It can not be regarded as illegal.
4298â‘  The defendant was lying in the bed with only his underwear in the execution process of the seizure search at the defendant's residence, and the defendant's family refused to film the seizure process, and the defendant and the defendant's family showed uncooperative attitude (The defendant was arrested in an emergency and lied on the floor with his / her clothes taken off after he was in. In the office of the police department of the Seoul Metropolitan Police Agency. Etc.).
4299â‘¡ The defendant's mother Kim OO participated in the seizure process of the confiscated materials, and the contents of the storage device were modified, unchanged, and the seals were seized while creating the hash value and hash value of the defendant's laptop computer hard disk And that there was no abnormality in the seal, and the signatures of the integrity of the seized water and the information on the seized materials were unattended.
4300â‘¢ On the other hand, the defendant Mo Kim OO informed the police officer that he could participate in the seizure process such as the release of seizure of the seizure of the seizure, duplication and so on. The police officer analyzed the hard disk imaging file of the notebook computer without participation of the defendant on the grounds that Kim OO 's decision to participate in the analysis process did not have a separate statement, but that the defendant (Article 121 and Article 122 of the Criminal Procedure Code states that if a participant does not participate in the execution of a seizure search warrant, he / It is difficult to say that the defendant raced after the emergency arrest and that the time of the emergency arrest was so rapid as to omit the notice of participation of the defendant's family in the process of analyzing the seizure. 
4301However, the seal and hash values of the storage medium are preserved, the hash value of the hard disk of the laptop computer in this case is the same as the hash value of the file generated through the imaging operation, The integrity of the document,
4302The chuo imaging file appears to have not changed from the initial seizure to the submission of the evidence. Therefore, it is difficult to say that the analysis of the imaging file was done without the defendant '
43032. Proof of original identity and integrity of digital evidence
4304end. opinion
4305The defendant 's lawyer argues that the proof of the integrity of the digital evidence is not proven, so the evidence of the files and images printed on the defendant' s laptop hard disk should be excluded.
4306â‘  Confirmation of integrity by comparing hash values confirms that there has not been any change until after the status of the digital evidence at the specific time (imaging time) is submitted to the court afterwards. Therefore, Identification can not be a guarantee of integrity. Before the police officer imaged the information stored in the defendant's laptop computer hard disk, the defendant made a search and browse for 40 minutes without taking measures to prevent a minimum of breaks such as " It is not possible to exclude the possibility that unsaved files or pictures are stored and written.
4307â‘¡ The storage medium that needs to be sealed should also include an 'imaging file storage medium', and the police officer did not seal the storage medium of the file that imaged the defendant's laptop computer hard disk.
4308I. judgment
4309The evidence of integrity and identity in judging the evidence ability of digital evidence can be verified objectively and rationally according to the free trial of the authors by collecting the hash value confirmation, the testimony of investigator or digital potentiometer expert, It is important to note that the original identity and integrity of the digital evidence presented in this case has been proven in light of the following circumstances. Therefore, the defendant's claim is not accepted.
4310â‘  According to the warrant for seizure of the case, the confiscated object is a computer hard disk, tablet PC, etc. related to the crime, and the investigation officer searched for electronic information in order to determine the relevance to the crime and the necessity of seizure, Of the total number of applicants.
4311â‘¡ The seizure of the incident began on July 13, 1945, 2014. The investigating officer found the defendant's laptop computer, turned on the power on July 13, 2018, and searched for electronic information related to the alleged crime of the incident, and found a file, usa.png, And then shut down the notebook computer from 2015. 7. 13. 20:47:18 2015. 7. 13. 21:56:08 on the same day until 23:37:11 notebook HDD imaging operation .
4312â‘¢ As a result of analyzing the defendant's computer imaging file with Encase, a digital evidence analysis tool, the image file isis.png, usa, which captures the content of the 'Contact the White House' page of the white house website related to each case of this case. The creation and last modified date of the png was confirmed before the seizure of the incident.
4313â‘£ The investigating officer found the isis.png, usa.png, and s.txt files related to the offense on the defendant's laptop computer and checked the source of the file to the defendant. In the presence of the defendant's OO, In the process of seizing the incident, police officers do not show the circumstances in which they excluded the right of participation of the defendant and the family member.
4314?â‘¤ The defendant 's mother Kim OO participated in the seizure process of the confiscated materials, and after the defendant' s computer hard disk was cloned, the contents of the storage device were modified while the hash value was generated and the hash value was created, The fact that the seal was sealed and that there was no abnormality in the seal and the integrity of the seizure and signature of the information on the seizure were unattended.
4315?(6) The hash value of the hard disk of the notebook computer in this case is the same as the hash value of the file generated through the imaging operation, and the integrity and the identity of the document output from the file generated through the imaging operation are recognized. As long as the seal and hash values for the storage medium are preserved, the defendant's argument that the storage medium of the duplicated copy (imaging file) must be sealed at the confiscation site and that evidence capability should be excluded in case of violation.
4316Reason for sentencing
4317The defendant caused an international wave not only in Korea but also in Korea by posting a rape on Obama's aged daughter and an attempt to assassinate US Ambassador to the United States, Mark Ripert, in the White House complaint column. Although the crime of each of these cases has been attempted, it is very inferior in light of the crime method and crime.
4318On behalf of the US government, the Embassy of the United States of America (the US Embassy) has indicated that the offense is a serious threat to the US government and that it intends to seek thorough investigation and punishment.
4319The defendant is not satisfied with the situation after the crime, such as showing the defendant 's attitude from the investigation stage to the court, the defendant' s behavior and the risk of re - punishment.
4320However, considering the fact that the defendant is the first person, and the defendant's age, family relationship, home environment, the motive and means of the crime, and the circumstance after the crime, To be determined.
4321Innocent part
43221. Point of circumstance
4323The defendant accessed the White House Contact Us White House by using the defendant's laptop (model: lenovo B490) at each time and place listed in the crime of criminal offense, Obama and Barack Michelle (first threat), and victim Barack Obama (second threat).
43242. Judgment
4325end. As long as the other person recognizes the meaning of the harmfulness enough to cause the person to be afraid, regardless of whether or not the other person is frightened realistically, If the applicant does not acknowledge the meaning of the evil, or if the opponent fails to perceive the meaning of the evil, he / she will only be tried for the threat of intimidation (Supreme Court Dec. 2007, Dec. 2007, Dec. 606) Reference).
4326I. The content of each case in this case is considered to be a notice of harmfulness enough to cause victims to fear, but the evidence submitted by the attorney about whether or not the notice of such harm has actually reached the other It is not enough to admit it and there is no other evidence to admit it. Therefore, it is difficult to see threats reach the nose.
4327All. conclusion
4328In the end, the circumstantial indictment of the crime shall be deemed innocent by the end of Article 325 of the Criminal Procedure Act, but if the accused is a preliminary indictment, Not.
4329The judge (with no signature)
4330
4331[Seizure, search, and verification of electronic information stored in information storage media such as computer disks]
4332end. Search and verification of electronic information
4333If the purpose of the investigation can be accomplished only by search and verification, search and verification without confiscation are required.
4334I. Seizure of electronic information
4335(1) Principle
4336Only the electronic information related to the allegations after the search and verification in the location of the storage medium can be confiscated by document or copied to a storage medium carried by the investigation agency.
4337(2) Hard copying, imaging (hereinafter referred to as "reproduction") of the storage medium is permitted
4338(A) Replication at the execution site
4339If it is impossible to execute by output or copy, or if it is considerably difficult to achieve the purpose of confiscation 3) Only the storage medium can be copied
4340-------------------------------------------------- --------------------------------------------------
43413) The following cases shall apply.
43421. If the person to be eavesdroppers do not cooperate or can not expect cooperation
43432. Where electronic information that is likely to be related to the allegation is deleted or found to be obsolete
43443. If execution by copying or printing violates the tranquility of the business activities or privacy of the person to be eavesdropped
43454. Other equivalent
4346
4347(B) The export of the original of the storage medium is permitted.
4348(1) In the case of (a) above, if the reproduction of the storage medium is impossible or extremely difficult in the current edition of the executive act, (4) only the original of the storage medium is sealed under the participation of the suspect, Can do
4349-------------------------------------------------- --------------------------------------------------
43504) The following cases shall be referred to.
43511. Hard copying and imaging in the field is physically and technically impossible or extremely difficult.
43522. Hard copying, execution by imaging, violates the tranquility of the business activities or privacy of the person to be confiscated
43533. Other equivalent
4354
43552) The original exported by method 1) above shall be opened with the participation of the intruder, reproduced and returned without any delay, but not more than 10 days from the original export date, unless there are special circumstances.
4356Middle omission
4357(3) Precautions for confiscation of electronic information
4358(A) A list of electronic information confiscated by the person to be confiscated shall be issued. (The grant of the list may be replaced by the issuance of a copy of the final confiscated printed matter or electronic information through the procedure of paragraph (2) above.
4359(B) Sealing and unsealing may be done in physical way or in the way of both parties such as the investigating authority and the person to be confiscated by setting the password. When copying or duplicating, it is necessary to check the hash function value, seize, And a method to confirm the identity with
4360(C) The right to participate should be ensured through the whole process of seizure and search, and in case of refusal to participate, seizure and search should be done in a considerable way to ensure reliability and professionalism.
4361
4362It is a copy.
4363November 15, 2016.
4364Seoul Central District Court
4365Hwang Mi-young
4366
4367â€» You can check whether the document has been faked or not by using the issue number search menu of the event search computer installed at each court's civil affairs office or by inquiring the court in charge and inquiring the issuance number shown at the bottom of this document.
4368
4369Criminal judgment, reading, copy restriction application
43701. Reason for application
4371A litigant in a criminal case may apply to limit the reading and copying of a criminal judgment in the following cases:
4372â—‹ If the disclosure of the lawsuit records is likely to seriously undermine the honor and privacy of your identity or the life, safety of your body or the calmness of your life
4373â—‹ If there is a concern that the trade secret of the applicant (the "trade secret" in Article 2 (2) of the Act on the Prevention of Unfair Competition and Trade Secrets)
43742. Eligibility: Legal person involved in a criminal case
4375A representative of a defendant who is a defendant, an attorney, an assistant, a corporation, a special representative under Article 28 of the Criminal Procedure Act, a complainant, a victim or a legal representative thereof, a witness or a legal representative thereof in accordance with Article 340 and Article 341
43763. How to Apply
4377Apply to the court clerk, court clerk, court clerk, court chief of the court holding the litigation record (after the judgment is finalized, the court that sent the judgment)
43784. Legal basis: Article 59-3 of the Criminal Procedure Act
4379
4380
4381----------------------------------------------------------------------------------------------------
43828. Reason for appeal
4383
4384Seoul Central District Public Prosecutors' Office
4385(530-3114)
4386December 23, 2016.
4387Receiving Seoul Central District Court Chief
4388Outgoing Seoul Central District Prosecutor's Office
4389Title Appeals Reason
4390Inspection Jung Woo-Jun
4391I submit the appeal reason as follows.
4392defendant
4393â‘  Name is OO
4394â‘¡ Resident registration number OOOOOO-OOOOOOO
4395â‘¢ Threats of intimidation (tried to threaten accused)
4396â‘£ Sentencing Court Seoul Central District Court
4397â‘¤ Date of sentence.
4398â‘¥ Date of appeal.
4399â‘¦ Same as the appeal ground
4400â‘§ Remarks 2016 No 4872 (the fourth criminal department)
4401
4402Appeal reason
4403Case Seoul Central District Court 2016 No 4872 Intimidation (Accusation of recognized criminal name)
4404(Centrifugal Court of Seoul Central District Court,
4405Defendant OO
4406The court sentenced the defendant to one year and six months in prison, and the sentence of the sentence is unreasonable because the sentence is too light.
4407- next -
4408I. The point of crime
4409The essence of this incident,
4410"The defendant used the defendant's laptop at the defendant's residence to access the White House Consumer Counseling Section of the United States and said," To Obama and First Lady Michelle, I will rape an African American before I die. "(Abbreviated below)." I tried to intimidate both US President Barack Obama and his wife, Barack Michel,
4411At the defendant's residence, the defendant accessed the White House homepage's complaint section in the same way and said in English, "The declaration of terrorism against President Obama. In Korea, we will attack the US Ambassador Mark Ripert in Seoul again. Last time, the assassin 's heart I sent was so weak that I could not break Ripper' s artery. This time we will prepare the well-trained assassin again and kill the metabolism with a nuclear poison. Until the US forces dispose of chemical weapons on the Korean peninsula, we will slowly and surely discipline all your political comrades. It is an ultimatum. Wait for us, VVIP Satan, Obama! I will see the dialogue soon after. (Abbreviated below), "and tried to intimidate US President Barack Obama.
4412II. Reason for Sentencing
4413The prosecutor tried to assassinate the defendant who was indicted on the above charges, but the court ruled that the defendant attempted to assassinate US President Barack Obama 's young daughter and assassinate US Ambassador Mark Reiter, The US Embassy in Korea has issued an intimidating message to the US White House in the Civil Corner section of the US Department of Justice, which caused an international wave of violence. Although the attack was attempted, On behalf of the United States, this incident was considered a serious threat to the US government and indicated a willingness to seek thorough investigation and punishment, and the defendant's circumstances from the investigation stage to the trial court, In addition, there is a risk of recidivism in view of the accused's sexual activity. It is just yet, for reasons including the fact that the defendant first offense, was sentenced to one year in prison in June against the accused.
4414III. Appeal Reason -
44151. The materiality of this case
4416The defendant's allegations on the Internet White House homepage complaint column, which serves as a reception desk for the President of the United States of America, are the names of the clan as the clan of President Obama, As a diplomat in Korea who represents the US administration, he is very terrible and despicable, saying that he will surely murder US Ambassador Mark Ripper, who has already lost his life due to a terrorist attack.
4417It is clear that the United States would have taken the intimidation of the accused case as a serious threat to the US President 's family and diplomatic envoys. In fact, through the US Embassy in the United States, "
4418As a result, the defendant 's accusation has seriously threatened the security and national interests of the United States, which is responsible for the protection of the US and its diplomatic envoys, and threats and threats to the US head of state and important diplomatic envoys. It is a very serious crime that has greatly damaged the nationality of our country while undermining our relationship with the United States.
44192. Situation after the crime
4420The defendant, in spite of the serious crime above, acknowledges his mistake and does not repent, his laptop from the crime stage to the end of the trial is likely to be hacked from the outside, In this case, the screen captures were downloaded from the Internet, only the edited captures were found on their notebooks, but the original was not found. Since the defendant is different from that of the router, the defendant is not a criminal, the police did not take preventive measures at the time of searching for her laptop, integrity was impaired, the media storing the notebook imaging file was not sealed, Because they did not guarantee participation, they did not have evidence , He confessed his notebook itself and did not return it within 7 days, so that he violated the limit of seizure of the warrant, constantly making false excuses, engaging in all kinds of accusations and accusations against the investigation agency, In the course of the trial, it is clear that the defendant's excuse or accusation is false or unreasonable.
4421In this way, the defendant does not recognize his own faults after the crime, but continues to make false claims to avoid punishment.
4422The context is also not very good.
44233. Risk of recidivism
4424The defendant's notebooks and blogs also include documents related to IS-like militant groups, sexual or anal sex for children, material that reveals a woman's misunderstood sexuality, pictures of cruelly murdering or corrupting a person, In light of the fact that there are a myriad of materials that clearly reveal antisocial propensity, such as a monkey-like photograph, and that the defendant is only committed to avoiding responsibility without acknowledging his crime and being repentant / I think it is very dangerous to commit the same crime again or to commit terrorist acts or sexual crimes such as the content of each blackmail in this case.
44254. Sintering
4426In light of the seriousness of the offense committed by the defendant as described above, it is highly necessary to prevent similar crimes through severe punishment. In addition, strict punishment only prevents the defendant's re-punishment and makes serious reflection from the defendant The defendant must be judged to be the supreme court, even if the defendant is considered to be the first.
4427IV. conclusion
4428If so, the sentence of the sentence against the defendant is too light and judged unfair, so please give the defendant a sentence corresponding to the old one.
4429December 23, 2016.
4430Seoul Central District Public Prosecutors' Office
4431Inspection Jung Woo-Jun