Dec 30, 2018, 06:52 AM
Don't we do Moon Jae-in impeach protest?

President Moon Jae-in, please reform the police and the prosecution who interrogate the suspect as a pervert.

I admit that I have to write this provocative title.

Please read the imaginative abundant investigation documents attached below.

Just three years ago, there was an interrogation of the prosecution and the police, who took someone and made him international criminals.

He asked for the investigation of the investigators, who were investigated in this way, but every time, all of the investigative commands were conducted by the Public Prosecutors' Office's Intelligence Service and none of them were charged with any crimes.

Unless Mr. President Moon Jae-in reforms the old-fashioned way, the next turn will be Mr. President Moon Jae-in.

++++++++++++++++++++ police copyrights ++++++++++++++++++++

1st round

Kwak Dong-kyu Q: What is the current state of the suspect? (Investigators wrote that they used a monotonous body when they wrote it, but it is different from the actual one.)
Answer: There is no place to be particularly sick.

Kwak Dong-kyu Q: Is there any obstacle to the investigation?
Answer: There is no interference with the investigation.

Kwak Dong-kyu Q: Does the suspect have been sentenced to criminal prosecution or prosecution?
Answer: I once went to the Dongdaemun Police Station and wrote a letter of appreciation.

Kwak Dong-kyu Q: What will happen to the Dongdaemun Police Station?
A: In the year of 2011, I was going out of Shinnimun Station subway station and passing through India, and somebody was ahead of me, but I have the fact that the police have just checked me. The reason for the inspection is that I have lost one camera at the Lee Mun Sung Cultural Center. I was taken to the Dongdaemun Police Station because I was a suspect, and I received a DNA test there, but I remember that there was no punishment.

Kwak Dong-kyu Q: Do you know what the suspect is currently under investigation for?
Answer: I know. I know that I have been investigated for threatening to kill White House Obama and for threatening to murder US Ambassador Lippert.

Kwak Dong-kyu Q: The suspects were arrested on July 14, 2015 at the Seoul Metropolitan Police Agency, Cyber Investigation Division, Is it true?
Answer: Yes. At that time, there was a fact that I was arrested and notified of the Miranda principle in my room.

Kwak Dong-kyu Q: Was there any items that were confiscated at the time of arrest?
A: I know I had a hard copy of the computer from the detectives who had executed the seizure before the arrest, and I was told that I had done so, but I know that the computer hard disk was not confiscated. I just heard that the investigator (Kim Young Rae) who was conducting the investigation just before confiscated the notebook and USB original.

Kwak Dong-kyu Q: Say military service.
A: In January 2005, I served the sergeant in the 9th Division of the White Horse.

Kwak Dong-kyu Q: How was your military life?
A: Military life was very hard. There were eight senior members for four months, and seven of them were Jeolla people, and it was hard for them to harass.

Kwak Dong-kyu Q: What is blood type and religion?
A: He is O, and there is no religion.

Kwak Dong-kyu Q: What is your height and weight?
Answer: Height is 168 centimeters, weight is 72 kilograms, blood type is O type.

Kim Young-rae Q: Just before the arrest, the suspect said that he drank a beer in front of the investigator (Kim Young-rae) in his room and had already mixed beer and liquor.
A: Yes, I remember the situation at the time.

Kim Young-rae Q: What is the usual amount of money for the suspect?
Answer: Weak beer is between 500cc and 1000cc. Drinking that much is like sleeping.

(A hangover remained at the time of the first and second police investigations.)

Kim Young-rae Q: Do you usually drink regularly?
A: I have an irregular life, and I usually drink when I can not sleep.

Kwak Dong-kyu Q: Tell me your academic background.
A: I graduated from Kyungbok High School in 2000 and graduated from Yongin Campus (now Global Campus) of Hankuk University of Foreign Studies for 4 years.

Kwak Dong-kyu Q: Did you have a major or minor in college?
A: Major is Digital Information Engineering, minor is Biochemistry (now Chemistry). In the school itself, one day, suddenly, without a proper notification to the students, the major of biochemistry was lost and changed into chemistry. So, when I wrote my graduation thesis, the major was in digital information engineering and the minor was listed in biochemistry. But when I write my resume while working, biochemistry seems to have falsified my resume with a missing department. I became disadvantageous to Hankuk University of Foreign Studies where I graduated.

(At about 14:59, the suspect has been appointed to the counsel, so he confirms the counsel's appointment and pauses the investigation to give him time to help.)

(At 15:25, he resumed the investigation with the participation of lawyer Park Chul-Hyun, and participated in the investigation by Nam Sang-wook (cyber criminal investigation investigator).)

Son Woo-sung Q: Do you mean that you have negative feelings about Hankuk University of Foreign Studies?
A: I have a dissatisfaction rather than a bad reputation.

Son Woo-sung Q: What is the major area of Digital Information Engineering?
A: It is related to digital computer, Internet communication.

Son Woo-sung Q: (in a coercive manner) If the main subject of the suspect is digital information technology, will the suspect have a knowledge of computers?
A: Yes, I think so myself. (The accused also gave other answers but only recorded this.)

(The investigators around me kept asking me to be a computer expert, a hacker, or a hacker, so I went for a high-level test. I asked for an objective test to verify my computer skills, but I did not record any related questions.)

Son Woo-sung Q: Did you ever do other activities such as student councils at university?
A: I did not go to the student council, but I spent about a year in my first year at the school. The suspect stated to the investigator, "I went one day and asked to pay for the subscription fee, but I quit."

Kim Young-rae Q: What happens to property, property, and monthly income in the name of the suspect?
Answer: I know that my mother bought my brother's studio in my name, and now I have no savings or savings in my name at all. There is no monthly income.

Kim Young-rae Q: Who is the current cell phone number and name of the suspect?
Answer: There is one pink LG mobile phone that I joined as my mother's name. I rarely use it, so I can not remember the phone number.

Kim Young-rae Q: Do you mean that the suspect can not remember the cell phone number he is using?
A: Yes, I can not remember.

Kim Young-rae Q: Why are you using a mobile phone that is subscribed to your mother's name instead of your name?
A: I do not like to use a cell phone, and I do not want to use an electric wave.

Son Woo-sung Q: What about family relationships?
Answer: I have a parent and a younger brother (OO, OO birth), Mo (Kim OO, OO birth), brother (OO, OO birth).

Son Woo-sung Q: Where is the suspect currently residing?
A: I am currently living with my parents at my parents' home.

Son Woo-sung Q: When did you live with your parents?
A: I live with my parents from birth to the present, except for one thing I did when I was in college (the suspects stated that they stayed for two years but did not record them).

Kim Young-rae Q: What is the suspect currently doing?
Answer: I am unemployed.

Kim Young-rae Q: How do you use your living expenses?
Answer: No special expenditure.

Kim Young-rae Q: There is no special expenditure. If you are a normal person, you will need to pay a certain amount of money, such as transportation expenses, when you go out.
Answer: I use it because I ask my parents, and I do not go out, and I continue studying at home at home.

(Investigator Kim Young-rae asked the suspect "How did you live in the expensive 45-pyong apartment? Where did you go to buy goods at Costco?" The suspect said, "The apartment is the parent. I have not been listed in the dossier, but I am a man who knew that I was buying goods at Costco, my parents and those who worked at the KBS Press Office. At that time I bought two cakes at Costco, CNN translator, Lee Seung-yeon, a 5 to 6-year-old woman, said, "I have seen this cake selling at Costco, I am a costco jockey?" And I said, "I bought it at Costco, I bought it at a reunion point." The police Knowing to see KBS at home and knowing to see the chief at Costco is very relevant to KBS, or at this time the police investigated all of their parents' financial information and found out that they frequently use Costco.)

Kim Young-rae Q: Do you mean that the suspect is only studying in the house without going out?
Answer: Yes, yes. After leaving the company around 2013, I have been living in a house because I do not want to be disturbed by other people.

Son Woo-sung Q: Tell me about social activities after military service.
A: In 2005, I was discharged from the military and worked at a gas station for about three months. After graduating from college in 2009, I worked for a chemical company that did not remember my name for about two weeks. I went to KBS reception in 2011 and worked until 2013.

Kim Young-rae Q: What is KBS receptionist?
A: I was in charge of English translation work, including foreign news. (The investigator emphasized English translation.) The suspect did not record a statement that "recording the foreign news and delivering it to the editorial office was the main task."

Kim Young-rae Q: Does the suspect become an English speaker, translating foreign news, etc.?
A: I think that is enough.

Kim Young-rae Q: So the suspect will speak English very well?
A: TOEIC is about 780 points, TOEFL is about 82 points.

Kim Young-rae Q: Have you ever worked in other places related to English?
Answer: I just told Citibank that I had worked for about two months in Citibank. When I joined the Citibank, I went into English language grades.

(Nam Sang-wook's investigator came back and Son Woo-sung investigated him and questioned him, but he did not record it.)

Nam Sang-wook Q: Looking at the criminal history of the suspects, the Seoul Northern District Prosecutors' Office on Sept. 28, 2012 dismissed the theft of nightly buildings.
Answer: In the previous survey, I went to the Dongdaemun Police Station and stated that I was investigated as a camera suspect.

Nam Sang-wook Q: How many computers are installed in the suspect's residence?
Answer: I have one integrated PC in my room, and I have a desktop and a laptop in my room.

Nam Sang-wook Q: Does the suspect play internet games?
A: I do not play internet games.

(Nam Sang-wook investigates again, but does not record it in the dossier)

Kwak Dong-kyu Q: What is the main purpose of computers?
Answer: A desktop installed in my room (no built-in personal computer with a special name (brand name) purchased on the internet) (Kim Young-rae instructs investigator Kwak Dong-kyu, who plays keyboard, to insert parentheses in the record and record the contents in parentheses.) Is not used because it is broken and the notebook (Lenovo) is mainly used to study French.

Kim Young-rae Q: How do you study French with a laptop?
Answer: I use it as a way to watch a language learning program (Rosetta Stone) through a laptop. (The suspect stated that he also used Fluenz, another language study program, but Kwak Dong-kyu, the investigator, omitted it arbitrarily.)

Kwak Dong-kyu Q: What Internet sites do the suspects access?
A: I usually search Google, and I am connecting mainly to 4chan site like this.

Kim Young-rae Q: What is 4chan site?
A: It's a site like Dish Inside (a kind of free bulletin board) in Korea, which is used by various people all over the world.

Kwak Dong-kyu Q: What do you usually search on Google or 4chan sites?
Answer: Google is used to look up French words in images, while 4chan site is used to watch frivolous videos.

Kim Young-rae Q: When was the last time you searched Google or 4chan site?
Answer: I do almost every day, so there is no need to specify a date. (The suspect stated in each of the two questions of the investigator that "Google uses every day for every day of study," "4chan uses one or two times a week," but the investigator ties the two questions together and runs Google and 4chan daily Recorded.)

Kwak Dong-kyu Q: What happens to the internet company that is using the subscriber's house?
Answer: The internet company we use at home is Tibor Road. (Investigators showed the evidence to the suspect in advance of the question and informed the information. Attorney Park Cheol-hyun does not object.)

Kwak Dong-kyu Q: Are the suspects using blogs?
A: I am using a blog spot from Google.

Kwak Dong-kyu Q: Do you have a blog created by the suspect?
Answer: Yes. I have only about 10 blogs that I've opened only in Google, only bosulachi I can remember the address and I can not remember the rest.

Kwak Dong-kyu Q: Do you have any blogs that have been opened elsewhere, such as Naver?
A: I do not have any other blogs that use Google only.

Kim Young-rae Q: When did you create a blog such as bosulachi?
A: It is remembered that it was opened around 2014 to 2015.

Kwak Dong-kyu Q: What was your blog for?
A: It was created to organize political opinions.

Kim Young-rae Q: What do you mean by political views?
A: I am standing on the conservative side and criticizing the North Koreans.

Kwak Dong-kyu Q: Have you ever posted a political opinion through a blog?
Answer: Yes. I have expressed my political views on all the blogs I've opened in Google.

Kim Young-rae Q: What are the details?
A: The first is "North Korea's intervention in Gwangju," and the second is "opposing reunification." I will say that much. You can see the blog directly. (These comments were not advocated by the suspect, but discussed blogging issues on the Internet at the time of the investigation.)

Kwak Dong-kyu Q: Does the suspect know the ISS program at Hankuk University of Foreign Studies?
Answer: I do not know.

Kwak Dong-kyu Q: Does the suspect know the hufs?
Answer: Yes. Hankuk University of Foreign Studies site.

Kwak Dong-kyu Q: Does the suspect know the mail account at summer@hufs.ac.kr?
Answer: I do not know.

Kim Young-rae Q: Have you used or used the above e-mail?
Answer: Never used.

Kwak Dong-kyu Q: Dr. korea Have you ever used a nickname Isis One?
Answer: I have not used it.

Kim Young-rae Q: Do you know the above nickname?
Answer: I have no idea. I saw it for the first time.

Kwak Dong-kyu Q: 8221732061 Do you know your phone number?
Answer: I do not know.

Kim Young-rae Q: Have you used the above phone number?
Answer: No.

Kwak Dong-kyu Q: The suspect is July 7, 2015. Have you accessed the White House website around 20:20?
Answer: Not at all.

Kim Young-rae Q: Do you have access to the US White House homepage even if it is not the above date?
Answer: No, never.

Kwak Dong-kyu Q: Did the suspect ever visit the website of the White House on the above date and time?
229 'From: Mr. Dong, Seoul, Korea, Seoul, Korea, Seoul, Korea), Address: Kangwon National University, Korea, 130-791, Damascus', and the following text Message: Dear Mr. President Obama and Mrs. First lady Michelle.
230 ===========================
231 Hi.
232 I'm HUFS student from Seoul, Korea.
233 How's your president family?
234 I'm sick of my life cause I always mastervating with tranny prons.
235 One day, I realize that I'm not going to die like this.
236 I want to be a famous Korean male in USA history.
237 Therefore, I am going to anal rape your second daughter Natasha.
238 Is that okay?
239 I think that bitch's asshole is much tighter than Malia Ann.
240 So I need parents permission before the nigger anus.
241 Do not worry about me: I eat lots of Kimchi so free from AIDS.
242 I eager to penetrate nigro asshole before I killed by Kim Jung-un.
243 Thanks.
A: Not at all.

Kim Young-rae Q: Did the accused see the English version of the White House homepage that the investigator showed?
Answer: Yes.

Kwak Dong-kyu Q: Can I interpret the English content?
A: Yes, you can.

Kim Young-rae Q: So, is it possible to do the opposite?
A: It is better than that. And the English content and the writing style I write are wrong.

At this time, notice the contents of English translated into Hangul against the suspect.

Kim Young-rae Q: The suspect heard the above-mentioned English content translated into Korean directly from the investigator?
Answer: Yes, I heard it.

Kim Young-rae Q: To summarize the above content, the man who posted the above statement "lacking masturbation, raping the second daughter of President Obama in America, becoming a Korean man famous in American history" It is shown. What do the suspects think about the contents of the above?
A: I do not think I posted this on the White House homepage.

Kim Young-rae Q: Why do you think the suspect was raised by an American student?
A: On the streets, Obama is thinking that people are the most likely to approach the United States.

Kwak Dong-kyu Q: If I see Obama, the president of the United States, saying that raping his daughter is rape, I think he feels quite frightened. What do you think of the suspect?
Answer: Yes, yes.

Kim Young-rae Q: What do you mean by "yes, yes"?
Answer: Obama is also saying that you can feel the fear. (The investigator asked her whether she was afraid to apply the alleged threat.)

Kwak Dong-kyu Q: Do the suspects know that the US Ambassador to Korea, Lippert, was arrested in Korea in March 2015?
A: I've posted articles that I know from the press and strongly criticize people who have tackled my blog.

Kwak Dong-kyu Q: How do you think the suspect will accept if Ambassador Lippert has seen these intimidating posts?
A: I feel like I get the same feeling (fear) as Obama before.

Kim Young-rae Q: In the case of Ambassador Lippert, I am living in Korea, and since I have actually received an assassination, is anyone seen to be able to attack if I feel like it?
Answer: It is very likely.

Kim Young-rae Q: Does the suspect think of the relationship between the United States and Korea?
Answer: I think it is an alliance.

Kwak Dong-kyu Q: Is the fact that the suspect stated that he used the notebook (Lenovo) alone in the suspect's residence?
Answer: Yes. There is a fact that said. I am using my laptop at home. I have set the password so I can not use my parents or even my brother.

Kwak Dong-kyu Q: Just before the arrest of the suspect in the residence of the suspect, did the suspect know that he had executed a seizure search warrant at the Cyber Investigation Department of the Seoul Metropolitan Police Department and checked the notebooks used by the suspect?
Answer: Yes. I know what I have checked about the laptop I was using at the Cyber Crime Department of the Seoul Metropolitan Police Agency.

Kim Young-rae Q: The suspect clearly stated that he used the notebook alone (Lenovo)?
Answer: Yes, yes.

Kim Young-rae Q: July 7, 2015. The original text of the intimidating statement about raping the US President Obama's daughter was posted on the White House post. However, according to the cyber criminal investigation center of the Seoul Metropolitan Police Agency, about one minute later, the suspect discovered that the file was saved as 'isis.png' in the M / Bureau / to folder at the bottom of the Document and Setting folder of the suspect, Did not upload the post above?
Answer: The OS (Operating System) that was laid on my laptop is in France time zone. If you check it, there will be time difference. I can clearly see that it is not my post based on time difference.

At this time, I stopped the investigation for dinner. (Investigators gather together to talk in a heated expression.)

Kwak Dong-kyu Q: Is this statement true?
Answer: Yes.

Kwak Dong-kyu Q: Do you have any more to say?
Answer: I will leave it at the time of two times. (Although the suspect said, "No," the lawyer Park Chul-hyun, who was sitting there, wrote the suspect as it was written.)

Second round

At this time, we show one newspaper report to the accused,

Kim Young-rae Q: Are the contents of the one-time statement all right?
A: Yes, all right.

At this time, under the participation of lawyer Park Cheol-hyun,

Kim Young-rae Q: Detention of the suspect's residence One laptop in the study room, one desktop in the suspect's room (with two computer hard disks, one hard disk next to it), Desktop 1 in the library There was a discovery, and try to make statements about the purpose of each computer use.
A: Lenovo, which was kept in the study room, is used by myself only for French study and internet connection. I use the desktop in the room where I sleep, I am not using it because of a computer failure due to a computer breakdown in 2013, and I use the desktop in the library sometimes for the purpose of searching the Internet and it is a computer that my parents use mainly.

Kim Young-rae Q: Lenovo (s / n: WB09564311), a notebook found in a suspect's residence, is used only by suspects. When did you use the above computer?
A: After the desktop computer crashed around 2013, I bought it on the Internet and used it myself.

Kim Young-rae Q: I have been told that I want to access the Internet.
Answer: I am mainly visiting 4Chan.org and the Google blog I run.

At this time, July 20, 2015, the investigation report (suspects found in the OO computer, the original capture file) isis.png, usa.png file shows the output to the suspect.

Nam Sang-wook Q: July 14, 2015 In the Digital Evidence Analysis Center of the Seoul Metropolitan Police Agency, the computer analysis program Encase was used to generate the suspect notebook hard disk as a separate imaging file, As a result of the investigation, it was found in the isis.png and usa.png files found on the suspect's notebook that the US President threatened to rape Obama's daughter and threatened to terrorize US Ambassador Lippert, This is a picture file that you capture.
Answer: I mainly visit 4Chan.org and I do not know exactly whether I have read, captured, downloaded, correctly captured or downloaded the posts posted on the above site. (The suspect was suspicious of Google image search in addition to 4Chan, where he investigated the definition and difference of the capture and the download.) (The suspect considers the capture and download to be mixed and writes mixed, and the investigator catches the pod This was not recorded in the record.)

Nam Sang-wook Q: What capture program did you usually use?
Answer: I use the capture program which is an extension of Google web browser. (The investigator asked for the name of the capture program.) The suspect wrote four or six capture programs from Google search and said they did not know the name of each one.

(The investigator asked how long it took to write, and stated that the suspect took two to six hours.)

Nam Sang-wook Q: How do I capture it?
A: When you look at the Google web browser, you will see a 'camera' icon at the top of your web browser. Click on the icon to capture all the screens you see in your web browser.

Nam Sang-wook Q: Do you use any extensions to save what path to save when capturing?
Answer: I can specify the storage path arbitrarily, and I usually save a lot on the desktop, and use the png file extension. The png file format is mainly used because the picture quality is clear.

Nam Sang-wook Q: Do not you use another capture program?
Answer: I use some other programs, but the Google Chrome browser has a convenient capture function.

Nam Sang-wook Q: What kind of website is 4Chan.org?
A: There are many different kinds of articles posted. I mainly read political and sexual writings.

Nam Sang-wook Q: What is sexual content?
Answer: The most exciting thing I have seen recently is that a woman is pissing.

Nam Sang-wook Q: What information do the suspects post on the site?
A: I do not post articles like YAHAN video, but I am posting mostly political content in Korea. (The suspect posted the same thing on the blog as well, with about 2 postings in English, like 4Chan.)

Nam Sang-wook Q: I will check back isis.png, usa.png. (The investigator showed me the file again.) Did you download the above file or capture it?
Answer: I read the above picture again and got it.

Nam Sang-wook Q: July 13, 2015 When we confiscated the seizure, we told our investigator that the above file was captured. And in the previous statement, I stated that I did not know whether I was downloading or capturing. Why am I clarifying again that I have downloaded the statement again?
Answer: The photographer showed the photo size of the photo file today. And yesterday, I said capture and download are mixed, so I just say capture. I did not even read the above photo on the 13th.

Nam Sang-wook Q: 2015. 7.13. At the time of the seizure, the cyber criminal investigator of the Seoul Metropolitan Police Department asked me several times to check the above photo.
Answer: Yes. Requested.

Nam Sang-wook Q: But why did not you read it?
Answer: I was lying because I was bored.

Nam Sang-wook Q: I was searching for confiscation.
A: I did not want to get up because I was still sleeping while I was drinking.

Nam Sang-wook Q: At the end of the seizure search, you saw the picture of the manuscript (White House photo) through your mother and mother.
Answer: I confirmed the picture, but it was not the above picture. (The suspect clearly remembered the pictures stored on his mother's cell phone, but it was not 4chan.)

Nam Sang-wook Q: How do I download picture files from the Internet?
Answer: When you right-click, there is a download button, which is downloaded by pressing the button above. The save path is mainly saved on the desktop, and sometimes the file name is changed or not.

Nam Sang-wook Q: Why am I changing the file name?
Answer: If you do not normally change it, but the file name is too long or the file name contains special characters, change the file name.

Nam Sang-wook Q: What do you usually name the file name?
Answer: There is no reason to change the actual filename when downloading. However, if the filename is too long, it is difficult to keep it on my computer and change the filename. (The statement "It is difficult to identify" in the statement is written by the investigator as it is intended.) The suspect stated "I do not change the name to make it easier to identify."

Nam Sang-wook Q: Do you save the file name with a special name when saving?
A: If the file name is long, cut off the last part of the file name, or select the whole file name and save it as short name with no meaning.

Nam Sang-wook Q: When the suspect downloaded the photo file from the internet, he said that he would save the file as randomly. How was the original text file named "isis" and "usa"?
Answer: I do not know isis.png and usa.png is my favorite word. (The suspect has demonstrated to the investigators and lawyers the possibility of entering the isis via the keyboard location, but the investigator noted that he was not sure.)

Nam Sang-wook Q: How was the email address used to write the Obama intimidation 'isshufs@gmail.com'? How did the suspect save the file and save the file as 'isis'?
A: I think Iss and Isis are different.

Nam Sang-wook Q: When the above captured file is saved on the suspect computer and the time it was created isis.png (Obama threats) file will be released on July 7, 20:20 pm, usa.png The intimidation article for this article was confirmed on July 8, 2015 at 02:27. Also, the time for the obsession for Obama to be posted on the US White House website is around July 7, 20:20, and the article on the reporter is scheduled for July 8, 2012, It's possible.
Serial Number / Content / Time / Time Difference
1 / Time Obama Obscene Writes to the White House / June 1, 2015. 7. 20:20 / about 1 minute
2 / The Obama intimidating text was created and saved on the suspect computer / July 20, 2015
3 / Lippert Thousand Times posted on the White House / Jul. 8, 2015 / about 1 minute
4 / Time of the protest manuscript created and saved on the suspect computer / June 8, 2015
The suspect stated that he had downloaded and stored the contents posted on the Internet to the suspect computer. Did he / she read the threat on the Internet and stored it on the victim's computer as soon as it was posted on the White House?
Answer: My computer is set to French time zone and 4Chan.org site is US site, so there will be time error. (The suspect had misunderstood 4Chan.org as a US site, according to Wikipedia, 4Chan.org is a Japanese site.)

395Nam Sang-wook Q: The suspect laptops are set up with OS operating system in French language and the time zone is also based on Paris time. So, there is -7 hour time difference with Korea. However, when analyzing with the Encase analysis program used by the investigation agency, it is possible to clearly see the time generated and the modified time by changing the above French time zone to the domestic time zone, and thus the above generation time is the domestic time.
396 At this time, the suspect is shown the access time of the isis.png file, and it is arbitrary.
397 As a result, the cyber criminal investigation center on July 13, 2015 will try to access the above file. Therefore, the above access time will be indicated on July 13, 2015. In conclusion, the time that was created on the suspect computer was the Korean time. So, as in the previous question, is someone reading a post in the White House in just one minute and storing it on the suspect computer, and can this behavior be repeated twice?
398 At this time, the FBI requests the suspect and displays the text and time information sent by the FBI.
399 Answer: I do not know.
400
401Nam Sang-wook Q: Is it possible to do the above work in just one minute?
402 A: It will not be possible in a minute.
403
404Nam Sang-wook Q: If the suspect thinks it is not possible, is the suspect posted?
405 Answer: If it is possible, I think that it is impossible if it can be done by myself and it is impossible. Nam Sang - wook, who had heard the statement, was staring at him for a long time with a very questionable look.
406
407Nam Sang-wook: So the suspect is monitoring the White House intimidation posts posted by others in near real time, then checking them and storing them on the victim's computer?
408 A: You have not monitored it in real time. There is no such ability. (Here, 'real-time monitoring' refers to reading a new article updated in real time by accessing the White House site.)
409
410Nam Sang-wook Q: What type of web browser do suspects use when accessing the Internet?
411 A: I am using a Google Chrome browser.
412
413Nam Sang-wook Moon: Is the fact that the suspect accessed the White House website?
414 Answer: I have never been connected.
415
416 At this time, the picture file 'screencapture-www-whitehouse-gov-thank-you-1436290042624.png' attached to the White House homepage written by the suspect computer is displayed.
417
418Nam Sang-wook: If you look at the above picture file found on the suspect computer, it is the screen capture of the homepage of the US White House and it starts with "Thank you for contacting the White House". It is confirmed that the captured file is captured directly from the suspect computer through Capture, an extension function of the Google Chrome web browser. Is it true that you have written the article by accessing the White House website?
419 Answer: I downloaded the picture file with the above file name.
420
421Nam Sang-wook: If you check the date and time of creation of the above capture file, you will be notified of the date and time (June 8, 2015, 2015) The same is true. After the complainant wrote the reputation, did not the output screen of the completion of the caption be captured on the suspect computer using the extension function of the Google Chrome browser and saved?
422 A: I do not know this.
423
424 At this time, July 20, 2015, the investigation report (4Chan and 4Chan about the posted on the backup site) shows the picture file attached to the optional.
425
426Nam Sang-wook Moon: The suspect stated that he had downloaded the above picture file on the 4Chan.org website by referring to Repert's intimidation article. It is about 02:31. And the time of the above threat pictures on the suspect computer is around July 8, 2015. How can the time saved on the suspect computer be faster than the time posted on the 4Chan.org site?
427 Answer: I do not know.
428
429Nam Sang-wook: Did not the suspect write the blackmail and post it on 4Chan.org?
430 A: Not so. I have a problem with my computer and I have some malicious code.
431
432 At this time, the text file s.txt found on the suspect computer is displayed to the suspect and attached to the end of this document.
433
434Nam Sang-wook: If you look at the date of creation of the above text file, the file creation date is around April 10, 2014, 16:59. If you look at the contents, you can see the email 'isshufs@gmail.com' "I will kill Ambassador Ripper by penetrating the US embassy in Korean," "Obama will kidnap a small daughter and rape my anus", and the Twitter address listed in the intimidated article "http://twitter.com/isis_med 'And a text file of the Obama intimidation text was found. When and why did you write the above sentence?
435 Answer: I do not know.
436
437Nam Sang-wook: Did you post the threats in the White House with the above phrase written in English?
438 A: I have not.
439
440 At this time, the photo files found on the suspect computer are shown as 1.jpg, 14.jpg, 10.jpg, 8.jpg, 4.jpg, 2.jpg, 1.jpg, 18.jpg, 5oe254mvhpke.jpg.
441
442Nam Sang-wook Q: The above file access time is around Jul. 7, 21:28. In the above photo, Repert was threatened with terrorism by Kim Ki-jong, Kim Kyeong-jong and Obama, and the time for the reporter and Obama to be intimidated by the intimidation was reached on July 7, 2015. You read a picture of the aptitude episode, right?
443 Answer: It's what I saw because it was stored in my folder. However, I did not write intimidation article.
444
445Nam Sang-wook Moon: The threat pictures stored on the suspect computer were created on the suspect computer on March 6, 2015. For some reason, all the threat pictures were uploaded on July 7, Did you read it?
446 A: It seems that all files are accessed at that time while the folder is being organized, and the access time has changed.
447
448Nam Sang-wook: Unfortunately, Obama and Reporter's threats were posted on the White House on July 7, 2015.
449 A: I do not know that.
450
451 At this time, July 27, 2015, the investigation report (for the search warrant application for), attached to the [Foreign Foreign Ministry, the Foreign Ministry confirmed the article on the page] is shown,
452
453Nam Sang-wook Q: In the above article, I used 'email summer@hufs.ac.kr' using ip 124.197.152.111 on July 7, I do not know if this is the case. For reference, the above IP address 124.197.152 is the IP address of the defendant's residence. Because the suspect is a floating IP, the last number can change each time.
454 A: I did not post it.
455
456Nam Sang-wook Q: Then who posted it?
457 Answer: I do not know.
458
459Nam Sang-wook Q: I'm sure you posted the above article in the suspect's IP band. Do you really not know?
460 A: I do not remember.
461
462Nam Sang-wook: When you click the url link posted on the above article, the internet address http://boards.4chan.org/pol/thread/47625963 is verified. If you connect to the above url, 'isshufs@gmail.com' e-mail is being written to 'isshufs@gmail.com' Do not you know?
463 At this time, please attach http://boards.4chan.org/pol/thread/47625963 url link printout at the end of this document.
464 Answer: I do not know. I can not remember.
465
466Nam Sang-wook: 'isshufs@gmail.com' is listed in the s.txt file found on the suspect computer.
467 A: I do not remember.
468
469Nam Sang-wook Moon: The e-mail address 'isshufs@gmail.com' is an email used to write a blackmail message to Obama. It is also stored in the s.txt file that the suspect is kept in. Is it listed on the site?
470 A: When I do a search on Google, it looks like it came with me.
471
472Nam Sang-wook Q: Did you say you do not remember the previous statement?
473 Answer: It is regretful to say that it is the reversal of the statement though it is the human being because it is a human being. (The statements of these suspects were recorded without further ado.) Since then, the suspect has been suffering from the mental pressure of a reversal of the statement until he is released from jail and jailed.
474
475Nam Sang-wook Q: Does the suspect mislead him?
476 Answer: I have never posted a blackmail.
477
478Nam Sang-wook Moon: July 14, 2015. During the arrest, is it true that you threw objects at the Seoul Metropolitan Police Department Cybercrime and Ward staff?
479 Answer: Yes.
480
481Nam Sang-wook Moon: What did you throw at?
482 Answer: It's called a cold pack. (A cold pack is an ice pack.) After drinking, I was lying on my forehead with a cold pack with a headache.
483
484Nam Sang-wook Moon: What did you say?
485 A: I can not remember what kind of profanity I have specifically done.
486
487Kwak Dong-kyu Moon: I think the investigator remembered that he had been saying, "Hey, these bastards." Is that right? (This investigator refers to Kwak Dong-kyu who is accompanied by Nam Sang-wook.) Kwak Dong-kyu intervened and questioned.
488 Answer: I can not remember whether I used the word "bastard" or how many times I used it. (The suspect stated that he did not use the word "bastard" but wrote that he did not remember.)
489
490Nam Sang-wook Moon: I came to the Seoul Metropolitan Police Agency's Metropolitan Police Department and lie on the floor of the office to say, "Bring a wheelchair," "Get an executive chair."
491 Answer: I was drunk and drunken.
492
493Nam Sang-wook Moon: You were wearing only panties at the time of arrest?
494 Answer: Yes, yes.
495
496Nam Sang-wook Moon: At the time of the arrest, the investigator of the Seoul Metropolitan Police Department (wearing a walker at the time of the investigation of Choi Sung-sik in the investigation team and stepping on the suspect's neck in the process of cuffing him) You did not wear it?
497 Answer: Yes, I did not wear it.
498
499Nam Sang-wook Moon: Who wore the clothes?
500 Answer: The investigator put on the clothes.
501
502Nam Sang-wook Moon: Why did you continue to do such an action during your arrest or office?
503 A: I feel like I am excited. (Dozens of people came to the house of the suspect and suddenly arrested and was excited).
504
505Nam Sang-wook Moon: Seizure Search You have not lived in bed for about five hours, did you?
506 A: I do not remember the exact time, but it did not happen.
507
508Nam Sang-wook Moon: In the blog (helpkorea.blogspot.kr) of Nam Sang-wook, there is an article called 'How to Make Money from the Internet (Acquisition of Foreign Currency)'. Why did you write this article?
509 Answer: I wrote for the sake of women.
510
511Nam Sang-wook Moon: In the above helpkorea.blogspot.kr, there is an article entitled "My Ministry of Defense Civilization". When I look at the contents of the article, "Ji Sung-woo calls me as a laundry hanger, I have been shaken 20 times and then I have been ejaculated in the anus. "Is this true?
512 Answer: Yes, yes.
513
514Nam Sang-wook Q: Do you have any bad memories about anus?
515 A: I think it is a gag, not a bad memory.
516
517Nam Sang-wook: Do you think that Obama's anus is also a gag and raped an anus?
518 A: I have not.
519
520Nam Sang-wook Moon: In the suspect blog (fuckingkorean.blogspot.kr), I posted the diploma, transcript, graduation certificate and transcript of the suspect under the heading 'SSUL' I have lost my job because I have changed my minor in chemistry unilaterally without prior notice in the university. I have also been suspected of having my own academic background, personal credit, and suffered mental harm from my job as a freelance worker. "Do you have a strong dissatisfaction with foreign language classes?
521 Answer: Yes. I have a complaint. (Although the suspect did not use the word "strong", the investigator Kwak Dong-kyu of the next place repeatedly replied the suspect's answer and continued to write "strong dissatisfaction." Although the suspect pointed out, A suspect asked for removal and dragged two lines and interrupted him.)
522
523Nam Sang-wook Moon: In the blog (unicefusa.blogspot.kr) of Nam Sang-wook, a photograph of a woman wearing only panties and wearing clothes on her head with a pan on her head and expressing her nickname "뀨뀨" Is the suspect posted? (In addition to this question, the investigator changed from time to time during the investigation, but the record did not record the names of the investigators who questioned.)
524 Answer: Yes. I posted it.
525
526Nam Sang-wook Q: Why did you post this picture?
527 Answer: I posted it for fun.
528
529Nam Sang-wook Q: Did you try to get sponsorship by inserting the account number of the suspect in the photo of only the underwear?
530 Answer: Yes, yes.
531
532Nam Sang-wook Q: How much did you sponsor so far?
533 Answer: I got 20,000 won.
534
535Nam Sang-wook Moon: What did you use when you used the word "shit-chill" on the wall?
536 A: I do not remember.
537
538Nam Sang-wook Moon: This is a reporter and Obama intimidation article. The e-mail address is 'isshufs@gmail.com', which is used by the staff of Hankuk University of Foreign Studies. The phone number is '82 02 2173 2062', and the address is Hankuk University of Foreign Studies. For what reasons did the person who wrote the above article write the address, phone number, and e-mail of Hankuk University of Foreign Studies?
539 A: This is a common address.
540
541Nam Sang-wook Moon: As far as I think, I think that a person with a strong dissatisfaction with foreign languages would have written a threatening statement. What is the opinion of the suspect?
542 A: I think it would have been written by a person who is dissatisfied with foreign language.
543
544Nam Sang-wook Moon: And if you look at the content of the intimidation article, it says "I'm HUFS student from Seoul, Korea".
545 Answer: Yes, yes.
546
547Nam Sang-wook Moon: Did you graduate from a foreign language college and post the above content in a blackmail message like this?
548 Answer: I would have used the word undergraduated instead of student.
549
550Nam Sang-wook Moon: And both the intimidation against Obama and the intimidation about reporter had strong complaints about foreign universities by writing emails, phone numbers, and addresses of foreign university staff, Do you think that the person who wrote this threat letter impersonated foreign language group like this?
551 A: The same person has written two intimidating documents and is probably one of the students at Hankuk University of Foreign Studies.
552
553Nam Sang-wook Q: What is the name of the second daughter Obama and the name of the first daughter?
554 Answer: The second daughter's name is Natasha, and I know that the first daughter's name does not know exactly and ends in. (The investigator showed the name on the intimidating document and asked the investigator the additional information that the suspect had learned, and he did not record it in the dossier when he said that the suspect had "the document the investigator showed." A lawyer Park Chul Hyun was silent.)
555
556Nam Sang-wook Moon: I did not know the name of the first daughter and knew exactly the name of the second daughter.
557 A: I do not remember that.
558
559Nam Sang-wook Q: Does the suspect want to be famous?
560 A: I want to be a successful person rather than a famous person.
561
562Kim Young-rae Moon, July 13, 2015. 13. Seized at the time of the seizure. We told our investigator (Kim Young Rae), "It seems to be famous."
563 Answer: Yes, yes.
564
565Nam Sang-wook Moon: Obama said, "I decided to become a famous Korean man in the US today." Did he decide to become a famous person?
566 A: What I'm saying is that I am a politician and a famous person, not a serial killer.
567
568Nam Sang-wook Moon: Have you ever thought about serial killers?
569 A: I've never thought about it before.
570
571Nam Sang-wook Q: When is the suspect mainly used on the computer?
572 Answer: The time zone is not set, but we use it at night or early morning.
573
574Nam Sang-wook Moon: The time of Obama's intimidation was 20:20 and the reporter's intent was written at 02:26. Is it a time zone where the suspect mainly uses computers (more than 50%)?
575 Answer: Yes, yes.
576
577Nam Sang-wook: Do you have evidence or statements that are favorable to the suspect?
578 A: I will submit it later.
579
580Nam Sang-wook: Do you have any more to say?
581 A: If you look at the contents of my blog about the referent, you can see that it is contrary to the police claim. Please disclose specific details about the IP band.
582
583 (After consulting the attorney Park Cheol-hyun who joined the investigation and the suspect's first and second journals, they come to the newspaper)
584
585Nam Sang-wook Q: Are all the statements stated in the previous meeting true?
586 Answer: None of the statements made in the previous survey are true.
587
588Nam Sang-wook: Do you have statements that differ from those of the suspect?
589 Answer: Not at all.
590
591Nam Sang-wook Moon: Does the suspect know the current arrest warrant?
592 A: Yes, I know.
593
594Nam Sang-wook Q: What do you think about the arrest warrant for the suspect's crime charges?
595 A: I think it is wrong.
596
597Nam Sang-wook Moon: What is wrong with you?
598 A: I did not intend to harm the US President Young-ae, and I did not intend to risk the riper Foreign Ambassador.
599
600Nam Sang-wook: Do you mean that in the case of the suspect, there was nothing wrong with you and you were unjustly arrested?
601 Answer: Yes, yes.
602
603Nam Sang-wook Moon: Does that mean that the judge and the investigating agency are wrong?
604 Answer: Yes, yes.
605
606Nam Sang-wook: Does the suspect mean that the evidence that the investigative agency can not trust?
607 A: Yes, I can not trust the evidence presented by the police.
608
609Nam Sang-wook Moon: The evidence presented by the police is an objectively obtained data from cyber police officers who are experts in the computer field.
610 A: I do not know exactly what part it is.
611
612Nam Sang-wook Q: What do you mean by not knowing exactly what part you are?
613 A: I am not a computer expert or a forensic examiner.
614
615Nam Sang-wook Q: Is not the suspect a computer engineer?
616 A: Digital and computer engineering are different.
617
618Nam Sang-wook Moon: Which part is different?
619 A: The paper I wrote when I graduated is about sound, about digital signals, and computer engineering is about the computer itself.
620
621Nam Sang-wook: Did not the suspect claim to have a knowledgeable knowledge of the computer in the statement before?
622 A: Yes, it is true.
623
624Nam Sang-wook: In conclusion, you do not trust the police evidence?
625 Answer: There is no partial trust.
626
627Nam Sang-wook Q: Do you mean that there is another part that you can trust that the part is not trusting?
628 Answer: ENCAEC Time-lapse analysis is reliable. (A cybercriminal investigator, a computer expert, continues to spell the ENCASE program incorrectly as ENCAEC, which is one of the reasons for the lack of confidence in the investigation.)
629
630 At this time, the suspect suddenly says that he can not trust the program to analyze ENCAEC parallax. The suspect described "trust", but the investigator wrote that the suspect's statement was heard as gibberish.
631
632Nam Sang-wook Moon: Do you mean to trust the ENCAEC program that the evidence that analyzed the time lapse of the threatening posting presented by the police as evidence is correct?
633 Answer: Yes, yes.
634
635Nam Sang-wook Moon: The suspect clearly said he trusted the ENCAEC program. In the previous statement, I stated that the operating system (OS) laid down in the suspect's laptop was in French time zone and that it would be possible to find out by observing the time difference. Why did you say so?
636 Answer: I heard that the Cyber Police officer explained. (The suspect believed so because he trusted the explanation of the computer expert.)
637
638Nam Sang-wook Moon: Do not you mean that when you interpret the current suspect's statement, the suspect posted a post that intimidates President Obama?
639 Answer: I just want to trust the cyber-forensic investigation technique.
640
641Nam Sang-wook Q: If you have confidence in cyber-forensic investigation, you should trust the evidence presented by cyber-police.
642 Answer: I have a part that I do not understand. The first is the way Porter operates. The way PORCHAN works is, in short, a real-time posting like a daily best. The second is Google search engine exposure time. That means the post is not deleted right away, but exists on the Internet for some time.
643
644Nam Sang-wook Q: What does it mean to have confidence in cyber-investigation techniques and how to operate Pocan?
645 Answer: I trust cyber forensic techniques, but the ENCAEC program is poor. Porter and Google also want to apply cyber-forensic investigation techniques to Porter and Google.
646
647Nam Sang-wook: So, if the objection is not clear and the ENCAEC program is objectively clear about the operation of Pocan or Google, as the suspect claims, how would you accept it?
648 A: I will acknowledge you if you disclose the truth in a public authority.
649
650Nam Sang-wook Q: If the ENCAEC program or cybercriminals in a reputable institution has no problem with the evidence, would you say that you would admit the suspect's allegations?
651 Answer: You are acknowledging the credible result, not the accusation. I have never written or wrote the article.
652
653Nam Sang-wook: If you have been verified by a reputable institution, would not it be the objective evidence to refute the statement even if the accused claims no?
654 Answer: It is objective evidence that we want you to investigate enough evidence.
655
656 (The above questions are typical guidance questions.) The suspect was not able to understand the above questions properly.
657
658Nam Sang-wook Moon: What was the suspect's childhood like?
659 A: My childhood was loved by my parents, and I was surrounded by a lot of single parents who were economically more difficult than their friends, but were relatively happy.
660
661Nam Sang-wook Q: What was your home environment like?
662 Answer: It was generally a harmonious family.
663
664Nam Sang-wook Q: How was your family?
665 Answer: It was a good one.
666
667Nam Sang-wook Q: How was your relationship with your childhood?
668 A: I did not have a lot of friends because I had few words, but there were about 10 really close friends.
669
670Nam Sang-wook Q: What is your relationship now?
671 A: I have no friends at the moment.
672
673Nam Sang-wook: Why do not you have a friend?
674 A: I moved to school often, I came to the army, and I looked for the course of my life, so my relationship became faded. So when I was young I was not in touch with my close friends. Even if my friends want to meet, I do not have anything to do, and I am avoiding it.
675
676Nam Sang-wook Q: What was your grade at school?
677 A: When I was in elementary school, it was mediocre. To make up for what I did not do in high school, I studied really hard not to be matched with college days and motives.
678
679Nam Sang-wook Q: How did you look back on your military life?
680 A: Military life was the worst of the worst.
681
682Nam Sang-wook Moon: Which part was the worst?
683 A: I have made a statement before that. In addition, if you tell me what you are doing when you are discharged, it is likely that OO Sergeant is doing his worst and worst. For example, one of the motivations did not receive cold training, but I received it. That's because it was only for me.
684
685Nam Sang-wook: Why did the suspect quit his job?
686 A: To be honest, it was hard. I wanted to study a little more and go to study abroad and live a better life.
687
688Nam Sang-wook Moon: What part was difficult?
689 A: When I was working at KBS, I was physically struggling to work 5 or 3 shifts.
690
691Nam Sang-wook Q: Why are you not doing a job today?
692 A: I am studying French.
693
694Nam Sang-wook: Can I study while I work?
695 A: Because my style does not do a lot of things and I want to get results in a short time. And French is hard.
696
697Nam Sang-wook Moon: The suspect stated that he was living a secluded life in his home?
698 Answer: Yes. There is a fact that I have stated.
699
700Nam Sang-wook Q: What is your daily routine?
701 A: The morning hours are not fixed. My life is irregular, and I usually live with my rhythm at night time.
702
703Nam Sang-wook Q: What do you usually do at home?
704 A: I sit in a fluffy chair and study French for about 14 to 21 hours.
705
706Nam Sang-wook Moon: Anything else?
707 A: In my free time, I am posting political articles mainly on blogs. (The purpose is to turn my attention and turn my head off).
708
709Nam Sang-wook Q: How much time do you spend on computer during the day?
710 A: I study on a computer, so it is time to study.
711
712Nam Sang-wook: Did the suspect live a night life before he was arrested recently? Or did you live in the morning?
713 A: I was in the transition from an evening human to a morning human.
714
715Nam Sang-wook Moon: This is the date of the alleged suspicion, July 7, and July 8, 2015.
716 A: I think that I was studying 50 or 50, maybe I was sleeping while drinking.
717
718Nam Sang-wook Moon: If you studied, did you use a computer?
719 Answer: Yes. If I had studied, I would have used a computer.
720
721Nam Sang-wook Question: What is the special reason to use poisonous foreign sites in spite of the fact that there are many domestic sites such as Naver?
722 A: As you know, Naver or the next one, Ivara, is a van (blocked) if you make a political comment or post on a site. So it's a relatively free site, such as Pocan and Google Blog Spot.
723
724Nam Sang-wook Moon: The suspect stated that he used the confiscated notebook (Lenovo) alone in the suspect?
725 Answer: I keep using the password myself.
726
727Nam Sang-wook Q: What happens to my password?
728 Answer: Your password is 656565.
729
730Nam Sang-wook: I am going to ask again, the suspects visit the White House website to rape the daughter of President Obama and threaten to murder President Obama and his family and then kill Ambassador Ripper. Did you actually upload it?
731 A: There is no such thing at all.
732
733Nam Sang-wook: Do not the suspects make a false statement because of the fear that they will be seriously punished if the charges are taken?
734 Answer: No.
735
736Nam Sang-wook Q: Is it not the wrong idea of the suspects to deny the charges of reprisals in the previous statement? (The suspects visited the lawyer Park Chul-hyun at the detention center before the investigation of the third investigation, and the lawyer informed the suspect about the sentence, and the investigator Nam Sang-wook knows the contents. can see.)
737 Answer: No.
738
739Nam Sang-wook Moon: The time the Obama intimidation article was posted to the White House on July 7, 2015, 20:20 pm, the time of the original threat file was saved on the suspect computer, After a posting on the White House for about a minute, it was confirmed that it was captured and stored on the suspect computer, and the threat to the reporter was also posted on the White House for about one minute, I did. Is the statement still the same now?
740 Answer: Yes. I still think it is impossible.
741
742Nam Sang-wook Q: Is not the accusation of the accused right?
743 Answer: No. I would like you to disclose this part in digital forensic techniques. (The suspect answered "truth" and not "statement".)
744
745Nam Sang-wook Moon: Obscene texts kept on the suspect computer. The suspects claim to have downloaded the image file from 4Chan.org. However, the original text on the 4Chan.org site is posted on the 4Chan.org site. The deadline for the original sentence (for reporter) on the suspect computer is July 8, 2015, 2015. On August 8, 2015, the suspect's claim is confirmed as a false statement Does the suspect deny the charges?
746 Answer: It is possible but not.
747
748Nam Sang-wook: Why is the suspect denying the contents of his allegations even after checking the Seoul Metropolitan Police Cybercrime investigation to clarify the contents of the allegations?
749 Answer: As I mentioned at first, there are various possibilities.
750
751Nam Sang-wook: What do you think of the usual suspects, President Obama and Ambassador Repert?
752 A: I am a person who wants to get a work visa in the United States. I am a political patriotic conservative. In the ROK - US alliance, President Obama and Ambassador Repert recognize the need to be protected.
753
754Nam Sang-wook: Did the suspect actually see President Obama and Ambassador Repert?
755 A: I've never actually seen it.
756
757Nam Sang-wook Q: What do the suspects think about the United States?
758 A: I am a country that envies the United States.
759
760Nam Sang-wook: Did the suspect have a plan to immigrate to the United States?
761 A: First of all, I was thinking about transferring to a US college after graduating from college before I graduated from college. After graduating from college, I decided to go to immigration because it costs 60 million to 80 million won, I thought that it would be 8 ~ 10 years to collect money and go to immigration or transfer.
762
763Nam Sang-wook Moon: By the way, why did not you go?
764 A: I'm still preparing to go now.
765
766Nam Sang-wook: I suspect the suspect is still preparing to go to the United States, but he is not actually collecting money or making any other efforts.
767 A: In the present situation, I do not collect money because I plan to get money at home.
768
769Nam Sang-wook Moon: Although the suspect says America is a country of envy, is not it because he has dreamed of immigrating to the United States for a long time and has not been able to execute it?
770 Answer: No.
771
772Nam Sang-wook: Did the suspect ever join a social organization?
773 Answer: Not at all.
774
775Nam Sang-wook: I am going to ask you once more. According to the judgment of the investigating agency, the evidence collected by the investigating agency, judging by the evidence, it seems that the suspect posted a threatening statement.
776 A: I think the evidence of the investigation agency was not good and the judgment was wrong.
777
778Nam Sang-wook Moon: Then, what proof would the suspect have to give?
779 Answer: I do not know.
780
781Nam Sang-wook: Did the suspect talk about the lawyer and the polygraph before he started the investigation?
782 Answer: Yes.
783
784Nam Sang-wook: Do you have a willingness to take a lie detector?
785 A: Yes, I will. I will accept anything to clarify my innocence.
786
787Nam Sang-wook Q: What is your current feelings?
788 A: There is no rattling. (The investigator asked the suspect what it meant by "ridiculous" but did not record it.)
789
790Nam Sang-wook Q: Is the statement true?
791 Answer: It is true.
792
793Nam Sang-wook Moon: Do you have any more to say?
794 A: On page 5, it is not the intention of the ENCAEC program to be ill-advised, which means that the investigation is currently inadequate. (The investigator said that he described the suspect as "poor.")
795
796Three times
797
798 At this time, the lawyer Park Chul-hyun participates in the discussion with arbitrary participation. (At the time of the police investigation, the investigators were instructed by a messenger program installed on the computer used for cell phone and dossier to ask questions in real time with the investigators outside the investigation room.)
799
800 At this time, the suspects and lawyers will show the 7th report on July 15, 2015 (the suspect confirms the setting of the OO notebook time zone setting)
801
802Nam Sang-wook: Even if the suspect laptops are set in French time zone, if the computer analysis program Encase is converted into domestic time, the creation date of the file and the access date can all be confirmed by the national standard time. Go?
803 Answer: Yes. I understand what the investigator explained, and I fully understand the time.
804
805 At this time, July 15, 2015 investigation report (about the time posted on 4Chan site) show two pieces, and make an arbitrary answer.
806
807Nam Sang-wook Moon: I analyzed the time posted on the foreign site 4Chan.org at the Seoul Metropolitan Police Agency's cyber criminal investigation office. When I posted the Korean time 17:13, In the end, it appears that the above site is located in the United States. The time posted on this site is printed in domestic time. Do you accept the above?
808 Answer: Yes. I understood and acknowledged the contents that the investigator showed directly. (Not many people watch the posted time zone while writing on the Internet.)
809
810 At this time, I show an investigation report (analysis of the Google Chrome browser capture function and analysis of the writing screen of the website of the US White House).
811
812Nam Sang-wook: The following five files found on the suspect's notebook are generated by capturing directly from the suspect's laptop through the Google Chrome browser, and seencapture-www-whitehouse-gov-contact-submit- comments-1432397652564.png and seencapture-www-whitehouse-gov-contact-submit-questions-and-comments-1432397921271.png files will be posted on the White House website on May 5, 2015 at 01:14 and 01:17 The 13-digit number that is displayed next to the capture file name is the same as the generation time of the generated file, and the above 13-digit number is the time information that is automatically generated when capturing from Google Chrome. The time of the capture file created on the notebook is the same as the date and time of capture, so that if the suspect is downloaded from the Internet, Seen from the above that there's time to capture capture program may be the same, there is confirmation that the suspect has written articles connected directly to the White House website, is not that a suspect directly after article creation, capture? (The investigator attached the Encase analysis screen to the dossier.) This long question is not a question asking the suspect's answer.)
813 A: I do not know who did it. It is not me who wrote. It was not the first time to access the whitehouse.
814
815Nam Sang-wook Moon: The suspect's laptop has a password set?
816 Answer: Yes, yes.
817
818Nam Sang-wook Q: Can not use the laptop above the suspect?
819 Answer: Yes, yes.
820
821Nam Sang-wook Moon: By the way, how can I not only use the suspects, but I have 5 captures of the contents that I write to the white house by connecting to the white house, and the above file creation date and time The date and time when the file was created) is the same, but can I say that the suspect does not know?
822 A: I can not remember it all individually.
823
Nam Sang-wook Moon: Do not you remember that the suspect did not write? (Investigators tied several questions together or asked a lot of questions to ask questions, but they were forced to answer the suspect only with 'yes' or 'no'.)
825
826 The suspect looks at the investigator's eyes for a moment and then answers. (In this case, investigators are attacking through the description of the behavior of the suspect.)
827
 Answer: I did not. (The suspect responded only to 'yes' or 'no', depending on the investigators' enforcement.)
829
 The accused continues to write notes on A4 paper notes. (The note used by the suspect at the time of the investigation was written by Park Cheol-hyeon, the lawyer, who told the suspect that he was "unable to carry the paper in the custody" and each time the investigation was completed, he took the suspect's note and handed it to the investigators.)
831
832Nam Sang-wook Moon: If the suspect did not do it, who did it?
833 Answer: I do not know.
834
835Nam Sang-wook Q: So what is the origin of the above capture file?
836 A: I have a lot of capture and I do not remember. (It is even more suspicious that the suspect remembers everything he has stored on the laptop.) In this way, the investigators proceeded to coerce the suspects into a lie, remembering all the details.
837
838Nam Sang-wook Moon: Then, where did you download the isis.png, usa.png capturing file?
839 A: You should have downloaded it from 4Chan.org or Google.
840
841 At this time, the suspect showed 35 pictures of Repert Metabolism on OO computer, and gave an arbitrary answer.
842
843Nam Sang-wook Q: What is the above picture source?
 Answer: It is a picture that is downloaded from the Internet by searching Google with 'KIM KIM Jong', 'Reporter', 'KIMSU'. (At the time of the investigation, the suspect referred to 'Kim Kyeong-jong' as 'Lee Kyeong-jong' because he did not know him well, but the investigators wrote 'Kim Kyeong-jong' without informing the victim.)
845
846Nam Sang-wook Q: Why did you download it?
847 Answer: I received a criticism of Kim Ki-jong, who attacked Ripper, to post on the Internet.
848
849Nam Sang-wook Q: Did you write criticism about Kim Ki-jong?
850 Answer: I wrote.
851
852Nam Sang-wook Q: Do you have any material to prove you wrote it?
853 A: Not now. (The suspect was reminded of the motto: "Let's go with" "Let's go with" "Let's go together"). "I said," Let's go together, "the USFK commander in charge of AFKN (USFK) I remembered it shortly after the terrorist attack and cited it in my criticism, "but the investigator did not record it. The next-door investigator said," Let's go with Ambassador Ripper. " "And the accused replied," It is an honor to have inspired Ripper's thoughts. "These statements were not recorded at all.
854
855Nam Sang-wook Moon: If you look at the photos of threats detected on the suspect computer, the file creation date and time will be all around June 3, 2015, and the last access date will be 6.8 to 6.6. Also, it will be 15 times on July 7, 2015. The above date is the date of publication of the intimidation article in the US White House on July 7, 2015. 7. 7. Why did you read the pictures about Kyung Ri Supervisor 15 times?
856 A: I honestly do not know. (The suspect assumed that the access time was changed when moving the photo file.)
857
858Nam Sang-wook Question: 7. 7. Do you remember reading pictures?
859 Answer: I have never seen it.
860
861Nam Sang-wook Q: Do you have any interest in Ripper?
862 A: I have a lot of interest since I was attacked by Kim Ki-jong.
863
864Nam Sang-wook Q: Why did you get interested in Ripper?
865 Answer: I was interested because the traps were shocking.
866
867Nam Sang-wook Q: What is the relationship between the suspect and the reporter?
868 Answer: Not at all.
869
870Nam Sang-wook: It is said that the suspect has been downloaded to post critical criticism of Kim Ki-jong. When the investigator reads the material posted on the suspect blog on his smartphone, , And the time spent on the suspect computer for pictures related to the leak will be on March 6, 2015. I have already posted all the articles about Repertory 3. 6. Why did you download it?
871 A: I have a long memory.
872
873Nam Sang-wook Moon: Looking at the ML.JPG and ML0.JPG files found on the suspect computer, I found that Repert's ambassador blended the blood and jokers in the Batman movie.
874 Answer: Yes, yes.
875
876Nam Sang-wook: Why did you combine the bloody scenes of Repert's blood and the joker's picture from the Batman movie?
877 Answer: I do not know.
878
879Nam Sang-wook Moon: Why did you synthesize?
880 A: I think I downloaded it.
881
882Nam Sang-wook Q: Why do you keep repeating your statements?
883 A: It 's been a long time and I can not remember anything. (May 3, 5, 2015), so it is possible that I may not remember it long before the investigation, and I have also asked forcible investigation questions in the reversal of the statement. )
884
885Nam Sang-wook Q: In the previous question, I am sure that the suspects synthesized.
886 A: It seems to have been downloaded from overseas internet humor site. Honestly, it is an old thing, so I can not remember it.
887
888Nam Sang-wook Q: What do suspects usually think of IS armed groups?
889 A: I think it is an unjustified armed group for IS armed groups.
890
891Nam Sang-wook Do you like IS?
892 Answer: I think it is bad.
893
894Nam Sang-wook Q: Do you know the fact that Koreans have been transferred to an IS militant group?
895 Answer: I heard from the news.
896
897Nam Sang-wook Q: What do you think?
898 A: I think it is the wrong choice.
899
900Nam Sang-wook Moon: Six IS-related images were found on the suspect computer, and the isis.jpg file name shows a combination of a young boy shooting a gun and a young boy with a gunman. Did you combine two photo files into one?
901 Answer: Yes. I combined what I downloaded on the Internet.
902
903Nam Sang-wook Q: Why did you combine the above files?
904 Answer: I joined to write a criticism on IS. The reason we combined the two is to increase persuasiveness.
905
906Nam Sang-wook Q: Is the official name IS?
 Answer: I do not know exactly whether IS is the official name or ISIS. (In this statement, investigator Nam Sang-wook said, "How do you know whether the official name is IS or ISIS?")
908
909Nam Sang-wook Q: Is the name of the suspect's notebook combined with the name ISIS.JPG?
910 Answer: Yes, yes.
911
912Nam Sang-wook Q: Is ISIS known as ISIS and the file name is ISIS?
913 Answer: I accidentally wrote the keyboard randomly and the file name was ISIS.JPG. I explained this to the lawyer, but I do not know why I made the file name ISIS. (The suspect did not answer "I do not know.") The suspect demonstrated the process of pushing I and S on the keyboard vending machine in front of the investigator as a habit.
914
915Nam Sang-wook Moon: Image of the IS related file stored on the suspect computer When I look at the ISIS gallery.png, I have synthesized a picture of the Korean gallery and the IS terrorist (boy) I made a composite picture that shows that the gallery is the same. Why is it synthesized?
916 Answer: The picture is synthesized as above.
917
918Nam Sang-wook Q: So you're following IS?
919 A: I will not follow.
920
921Nam Sang-wook Q: Then what is the IS's willingness to live up to?
922 A: I saw a sad feeling in the eyes of an IS boy.
923
924 At this time, the accused is in a bad mood. (In this case, the cybercriminals investigator described the behavior in a record.)
925
926Nam Sang-wook Q: Why do you often repeat statements that you have shown a determined will in the previous question but now feel sad once again?
927 A: When I first saw it, I did not remember it.
928
929Nam Sang-wook Moon: In the first question, I stated that there is a certain willingness to be clear. Why do not you tell me now that you did not remember?
930 A: I think that it is possible to interpret several pictures as meaning.
931
932Nam Sang-wook Moon: The author name is 'Dr Korea Isis One' when writing a threat against Reporter Ambassador. The date on which the IS-related images were found on the suspect computer is from June 29, 2015 to 06:53 to 07:36, and the last date that the images were accessed is from July 3, . The time of the crime is 7. 7. and 7. 8. If the suspect sees the IS-related photos and writes the IS-related phrases at the time of the reputation intimidation, is not it?
933 Answer: No.
934
935 At this time, the suspect is shown a screen analyzed by the computer analysis program Encase and the screen posted on 4chan.org, and attached to the end of this document.
936
937Nam Sang-wook: The link file (lnk) is a file that is automatically created on your computer when you view the file. In addition, A0066246.lnk and usa.png link files found on suspect computers are added, and all the time is checked as below. Did you hear from the investigator exactly what was above?
938
 Serial number / contents / date
 1 / Rupert Threaten posted on White House / 7. 8. 02:26
 2 / Screen capture file found on suspect computer (screen shown at the time of writing) screencapture-www-whitehouse-gov-thank-you-1436290042624.png After completing the writing in the White House, File / 7. 8. 02:27
 3 / The link file of the above 2 file ("usa.lnk" in the parentheses was printed out in the record.) However, every page of the record in which the suspect was printed was taken to prevent forgery prevention, After they chased it, they scratched the line in the "usa.lnk" and made them suspect that the mistake was one of the reasons for the trust in the investigation. The link file is created when the above file 2 is executed (browsed). / 7. 8. 02:27
 4 / The threats found on the computer of the suspects Original capturing file (screen shown during the blackmail) usa.png
 5 / 4chan.org Posted by usa.png on 7. 8. 02:31
 6 / 4chan.org posted a usa.png related post on the screen capture of the captured file (screencapture-boards-4chan-org-pol-thread-47640986-1436290789215.png) with the Google browser chrome. * Link file (A0066246.lnk) Creation date / time 7. 8. 02:40
946
947 Answer: Yes. I've heard the exact explanation.
948
 At this time, I explain it to the lawyer clearly and understand it all. (The Cyber investigator noted that all of them were forcibly comprehended.)
950
951Nam Sang-wook Moon: 02. 26. The police officer completes the Ripper intimidation at the White House, captures the thank-you related webpage completed at 02:27 through the Google Chrome browser, 3 minutes later, the original text of the intimidation was changed to filename usa.png, and after one minute, the captured image was posted on 4chan.org site, and about 9 minutes later, 4chan.org again The file generated by capturing the above site was browsed, and the link file was created on the suspect computer, and the order of the time series was precisely matched. A total of five reporter-related threat files were found and exactly matched in chronological order Is it not the article posted by suspect?
952 Answer: Yes, it is.
953
954 At this time, the suspect smiled and laughed, answered clearly, and wrote notes on the note. (In this case, the investigator added a depiction of aggressive behavior.)
955
Nam Sang-wook: When I checked the A0066246.lnk file found on the suspect computer, the date of creation was 2015. 7. 8. 02:40, and the above file was generated by 'screencapture-boards-4chan-org-pol-47640986-1436290789215.png'. Because you executed the file, it was confirmed that the above link file 'A0066246.lnk' was created. Did you actually access the 4chan.org site and capture the above site?
957 Answer: Although I have read reporter-related threats on 4chan.org, I can not remember capturing the 4chan.org site with the Google Chrome browser.
958
959Nam Sang-wook Q: So the article about Obama was also read at 4chan.org above?
960 Answer: Yes, yes.
961
962Nam Sang-wook Moon: In the previous statement, I read the original caption (usa.png, isis.png) from 4chan.org or Google.
963 Answer: No. There is no trust in me.
964
965Nam Sang-wook Q: So, is it true that all the statements so far have been wrong without trust?
966 Answer: I can not be confident that I saw it on 4chan.org. (The suspect stated in the sense that "I can not confirm whether I saw Obama's intimidation and Raptor intimidation article at 4chan or Google.")
967
968Nam Sang-wook Moon: The time posted on 4chan.org is 7.8. At 02:31, the time the original text was created on the suspect computer was 7.8. At 02:30, the time saved on the suspect computer is faster. How do you state that you have viewed and downloaded the 4chan.org site?
969 At this time, the accused responded clearly.
970 Answer: I do not know.
971
972Nam Sang-wook Q: Why do you answer the above questions immediately when you think and answer other questions?
973 Answer: Yes. It is not to protect me.
974
975Nam Sang-wook Q: According to the results of the digital evidence analysis, there are a lot of related capture files in the computer of the suspect, the time-series is accurate, and the suspect has not posted any intimidation. Is there evidence?
976 A: There is no current situation.
977
978Nam Sang-wook Q: If the blackmail is posted on 4chan.org, what are the reactions of the others?
979 A: There are people who are not sure about the site. I do not know the reaction.
980
981Nam Sang-wook Q: When people post interesting articles on 4chan.org?
982 Answer: I do not read the comment. (The comment is written in English, so the suspect will not read it because it is difficult to read.)
983
984Nam Sang-wook Q: What points are earned or posted by posting on the site?
985 A: I do not know.
986
987Nam Sang-wook Q: Do people from 4 countries have access to 4chan.org?
988 Answer: It is various. Because it is a US site, there are a lot of people in the United States, and many people from Australia, Belgium and so on. (The suspect described the US, Australia, and Belgian flags in the 4chan capture file presented by Nam Sang-wook.)
989
990Nam Sang-wook: How many times do you usually visit the site?
991 Answer: I study only once or twice a week.
992
993Nam Sang-wook Moon: The suspect was posted on Kyung Cheong University's website on June 29, 2014. If you do not prepare the Civil Defense transportation fee from next year, have you ever posted a post on Mapo Daigyo?
994 Answer: Yes, yes. The police came because of the letter.
995
996Nam Sang-wook Q: Why did you post the above article?
997 A: In case of Civil Defense education, we think that transportation expenses should be paid.
998
999Nam Sang-wook: Did you write that you committed suicide because of transportation expenses?
1000 Answer: I did it because it was a must. (The suspect described it as "because it was a matter of course" or "of course, the transportation fee should be paid.")
1001
1002Nam Sang-wook Moon: What did the police do when they arrived?
1003 A: I checked to see if I was well and went back.
1004
1005Nam Sang-wook Moon: "On July 25, 2014, from 9 am to 6 pm, one of the demonstrators asked," I am on my own, is. The location is the place where the male representative of the Sungjae period served on July 26, 2013. " (The place where the male delegate of the Sungjae period invested was Mapo Bridge.)
1006 Answer: Yes, yes.
1007
1008Nam Sang-wook Q: Why did you write this article?
1009 Answer: As mentioned above, I thought that Civil Defense transportation fee should be paid.
1010
1011Nam Sang-wook Q: Have you written several times in the Blue House or the National Newspaper? (The investigator asked, "How many times did they all go together?")
1012 Answer: Cheong Wa Dae once, the National People 's Journal is more than two times, I do not remember exactly how many times.
1013
1014Nam Sang-wook Q: Do you like to post a civilization like above?
1015 A: I do not like it. I am writing because of the absurdity of the policy that did not reflect reality.
1016
1017Nam Sang-wook Q: How did you know about the Cheong Wa Dae homepage and the National Newspaper?
1018 A: I went to the reserve army training and learned about the National Newspaper from the executives. After graduating from high school, I got to know the Cheongwadae homepage through search. (The suspect explained, "When the reserve army training was carried out, the reserve army officers told the reserve soldiers," If there is a protest, please file a complaint with the Ministry of Defense. "The Cheongwadae homepage was to inquire about the early enlistment of the army after high school graduation. ").
1019
1020Nam Sang-wook Q: So how many times have you accessed the Blue House homepage so far?
1021 Answer: It is not accurate, but I connected about 2 ~ 3 times.
1022
1023Nam Sang-wook Moon: Did you write other related articles?
1024 A: I have posted 2 or 3 times in the National Newspaper.
1025
1026Nam Sang-wook Q: What post did you post to the National Newspaper?
1027 A: There are a few other complaints about the rape of the army, a request to pay for the reservists, but I do not remember exactly.
1028
Nam Sang-wook: The suspect claims to have downloaded the usa.png file. If the above file is downloaded from the Internet, the same Zone.Identifier file will be created. However, the above file was not found on the suspect computer. From the above, what do you think the suspect looks like in the file he captured himself?
1030 Answer: I do not know.
1031
1032Nam Sang-wook Q: Do you know the secret of Google Chrome browser?
1033 Answer: Yes, yes.
1034
1035Nam Sang-wook Q: Why did you use the above function?
1036 Answer: I used something because it was a novel. (The accused was used 1 or 2 times for something.)
1037
1038Nam Sang-wook Q: What is incognito?
1039 Answer: I do not know.
1040
1041Nam Sang-wook: The secret feature is to hide secrets of Internet access from the Google Chrome browser without having to store cookies, temporary cache files, etc. when accessing the internet. Now you know?
1042 Answer: I do not know. (The suspect stated that "the explanation does not understand".)
1043
1044Nam Sang-wook Q: Do you use the above functions frequently?
1045 Answer: I used it about 1 ~ 2 times.
1046
1047Nam Sang-wook Q: Do you use any web browser other than Google Chrome browser?
1048 A: I also use opera.
1049
1050Nam Sang-wook Q: Do you have any more to say?
 A: I would like to ask 4chan and Google image cache "IP usage history" to the Korea Broadcasting Crime Unit, which is requested by the US government for investigation into the alleged diplomatic threat, and a search warrant for the server to the US FBI investigation unit. The States (The Star Spangles) Oh, oh, say can you see. By the dawn's early light. What so proudly we hail, at the twilight's last gleaming. Who's abroad, and bright stars, through the parelless fight. All the landpots we watch were so gatherly stream. And the rockets red glare then bombs burst in air. They prove through the night, that our flag was still there. Oh, does that star spangles, banners are weaving. For the land of the free, and the home of the braves. I am longing for Americans and trying to acquire citizenship and green card. I want to be a sincere society. God Bless America! I do not mind, but I want to go to the hospital and have blood pressure and ECG. I will pay for my headache and chest pain in the night. I will do it in an hour. (The suspect requested 4chan server, Google server, IP search warrant, but the police ignored the request.)
1052
1053Nam Sang-wook: Do you have evidence or statements that are favorable to the suspect?
1054 Answer: Not until now.
1055
1056Nam Sang-wook Q: Are all of these statements true?
1057 Answer: Yes.
1058
1059Four times
1060
1061 At this time, under the participation of lawyer Park Cheol-hyun,
1062
1063Nam Sang-wook Q: Do you have any idea about women?
1064 A: I do not want to pursue benefits, but I have a duty to equip men with various duties, such as duty of defense.
1065
1066Nam Sang-wook Q: Does the suspect ever have a relationship with a girlfriend?
1067 Answer: Yes.
1068
1069Nam Sang-wook Q: When did you meet some people?
1070 Answer: During the sixth grade of elementary school, I have had about three times in total during my college days.
1071
1072Nam Sang-wook Q: How long have you been dating?
1073 Answer: It was a short time, but I can not remember the exact time, and it is sure to be less than 6 months.
1074
1075Nam Sang-wook Q: When was your date of fellowship?
1076 Answer: The army has gone to the first grade of college, and fellowship is in the second, third, and fourth grades of college. (The investigator asked the military when he was in college, and described the answer of the suspect as this question.)
1077
1078Nam Sang-wook Q: Have you recently been dating a woman?
1079 Answer: No.
1080
1081Nam Sang-wook Moon: The blog of the suspect has many articles about women that are hostile to women.
1082 A: I do not feel hostile to women. I think it is better to buy and buy sex rather than having a new woman.
1083
1084Nam Sang-wook Q: Do you not make a woman for the same reason?
1085 A: I do not make contact because I think it will hinder my studies.
1086
1087Nam Sang-wook Q: Does not it make it difficult for women to make friends?
1088 A: I do not want to hurt my girlfriend. I think we should have emotional responsibility if people come together.
1089
1090 At this time, the suspect speaks to the investigator who asked him to rub the suspect's shoulder at the time of the break. (During a break, investigator Kim Young-rae told the suspect, "Why would you stay here if you did not? Walk innocently!" And the suspect is trying to stand up from the chair and sits down with dizziness. The suspect has made such a request to the investigator for health reasons, but omits the post-war situation and records an aggressive depiction.)
1091
1092Nam Sang-wook Q: Does the suspect have a bad feeling about Jeolla?
1093 A: I have bad feelings.
1094
1095Nam Sang-wook Moon: What kind of bad feelings?
1096 A: I do not know where to find the public fund for the Jeolla Province politician (President Kim Dae-jung), but I do not know where he is, but most of the Cholla people are behind the scenes.
1097
1098Nam Sang-wook Q: Have you seen a few people in Cholla?
1099 A: During my elementary school days, during military affairs, during my college days, and during my working life, I met a lot of people from Cholla.
1100
1101Nam Sang-wook: Do not you come from another area?
 Answer: It is said that there is a lot of chance. (The suspect thought that Chungcheong-do had more backstriking than Cholla.)
1103
1104Nam Sang-wook Q: Why do you have feelings about back door?
 A: I do not remember. (The investigator suddenly told me to tell the story behind the back door.)
1106
1107Nam Sang-wook Moon: The suspect has stated in his earlier adverse statements that he "does not remember" and clearly says that he hated Cholla before. Why does not he remember it all of a sudden?
1108 A: I can not remember the present situation.
1109
1110Nam Sang-wook Moon: So, according to the suspect's statement, do not you think that not only Jeolla-do, but also those from other regions are hiding all over the people of the world and all the people in the world?
1111 A: I think there are good people.
1112
1113Nam Sang-wook Moon: Who is a good person?
1114 A: I am a free meals person.
1115
1116Nam Sang-wook Q: Do you hate everyone if you are from Cholla?
1117 A: I do not hate everything, but I hate people who do not hate it.
1118
1119Nam Sang-wook Q: Where is the suspect's home?
1120 A: It is Seoul. (The suspect's birthplace is Seoul.)
1121
1122Nam Sang-wook Q: Where is the suspect?
 Answer: Andong, Gyeongsangbuk-do. When I was in Seoul, my family stayed in Andong often. (The home of the suspect's parents was Gyeongsangbuk-do, and when the suspect was young, he visited the country every summer.)
1124
1125Nam Sang-wook Moon: Did you have a senior from the military?
1126 Answer: Yes, yes.
1127
1128Nam Sang-wook Moon: What were the senior members of the Jeolla Province?
1129 A: When I was working, I wanted to bring a piece of equipment, but I did not like it. I think I was troubled by the man panting.
1130
1131Nam Sang-wook Q: What is the usual amount of money for suspect?
1132 Answer: The beer is 1000cc. If you drink shochu is not good. (There is no specific reason for the suspect to respond in numerical form, but he was questioned by the investigator that he had good memory.)
1133
1134Nam Sang-wook Q: Where and where do you drink alcohol?
1135 A: I drink alone at home.
1136
1137Nam Sang-wook Q: What kind of alcohol do you usually like?
1138 Answer: I like beer.
1139
1140Nam Sang-wook Moon: There is a liquor in the suspect's room, do not you drink liquor?
1141 Answer: Sometimes I mix with the liquor.
1142
1143Nam Sang-wook Q: Why is Yangju and other meat sauces in the suspect's room?
1144 Answer: I usually bring the sauce because I usually eat in my room.
1145
1146Nam Sang-wook Q: Why did you bring dozens of bottled water in the suspect's room?
1147 A: There is nowhere left for my mother to leave it in my room.
1148
1149Nam Sang-wook: Do you mean that there is no place to put the water bottle above the pit house?
1150 Answer: I do not know. Ask your mother.
1151
1152Nam Sang-wook Q: How often do you drink alcohol?
1153 Answer: Drink about once a week.
1154
1155Nam Sang-wook Q: Who is buying alcohol?
1156 A: Sometimes parents come and go with their parents. (The suspect stated, "Sometimes I go to the mart with my parents.")
1157
1158Nam Sang-wook: Do you drink with your father?
1159 Answer: My father does not drink together because he likes rice wine.
1160
1161 At this time, the suspect trims. (Describe behavior for human attack.) The suspect came up from the top with stress and tension and trimmed.
1162
1163Nam Sang-wook Q: After drinking alcohol, do you have any other behaviors other than normal, such as not remembering, singing or sleeping?
 A: There is no such activity, and I drink mainly to take a good night's sleep. (Normally, the suspect's drinking habit is to drink beer while watching TV on the other side of the room, and drink alcohol when the alcohol is weak. The suspect is used to study the notebook by blowing it, not to drink alcohol. Because the study room where the notebook is located is so hateful that it gets dirty with drinking alcohol, it never drinks in the study room, and it often witnesses the families of suspects.)
1165
1166Nam Sang-wook Q: Do you remember if you drink alcohol?
1167 A: At the KBS, after drinking alcohol, the film was broken, but not now. (The suspect has not drunk so much that the film has been severed since he left KBS in 2013.)
1168
1169Nam Sang-wook Q: The suspect is a good memory, a bad one?
1170 Answer: Good.
1171
Nam Sang-wook Q: What is the foreign language skill of suspect? (The suspect was treated as a spy who spoke three or four languages to the police officers from the time of the emergency arrest.)
1173 Answer: The TOEIC score is 780, the speaking score is 150, and the French is the beginner level. (Speaking is TOEIC Speaking Test.)
1174
1175Nam Sang-wook Q: Do you have any language skills?
1176 A: I think I have language skills, but others say I can not.
1177
1178Nam Sang-wook Q: Do you have a good memory to have language ability?
1179 A: I think it is a hard work. (The suspect thought that language ability was an effort, not a memory.)
1180
1181Nam Sang-wook Q: How much did you drink at the time of the seizure?
1182 A: You drank about 2,000cc of beer. (The suspect drank two bottles of beer.)
1183
1184Nam Sang-wook Moon: The suspect drank beer during the seizure process, and tried to drink to Yangju?
1185 A: I drank 2 rounds of beer, but Yang tried to drink it, but the investigator told me not to eat it.
1186
1187Nam Sang-wook Q: Do you remember exactly when you were seized?
1188 A: I remember faintly.
1189
1190Nam Sang-wook Moon: Why do I remember a dim light drinking a lot?
1191 A: I had a hangover, and I was sleeping.
1192
1193Nam Sang-wook Q: When did you drink?
1194 Answer: You started drinking at 00:00 or 04:00 on the day of seizure and drinking 2,00cc until 12:00 am. (The day of the seizure is Jul. 13.)
1195
1196Nam Sang-wook Q: What do you like to eat?
1197 A: I just drink.
1198
1199Nam Sang-wook Moon: Did not you eat?
1200 A: I did not eat. (The suspect was starving from 13th to the present.)
1201
1202Nam Sang-wook Moon: I was laying on my bed for more than five hours at the time of the seizure, and after the emergency arrest, do you remember saying "bring an executive chair" or "bring a wheelchair"
1203 Answer: Yes.
1204
1205Nam Sang-wook Q: Do you remember clearly at the time of confiscation?
1206 A: I can recall a dim.
1207
1208Nam Sang-wook Moon: So if the suspect drinks a lot of alcohol, can not he remember all of it?
1209 Answer: Yes.
1210
1211Nam Sang-wook Moon: Maybe you can remember a dimly or not?
1212 Answer: Yes, yes.
1213
1214Nam Sang-wook Moon: At the time of the seizure of the suspect, the suspect made an insult such as "I am sick." Do you remember?
1215 A: I can not remember which word I used, but I remember remembering that I was hurried.
1216
1217Nam Sang-wook Moon: In conclusion, the suspect has a good memory, but the suspect does not remember all the contents when he drinks a lot.
1218 A: It is true that alcohol causes memory loss.
1219
1220Nam Sang-wook Moon: In the room where the suspect was sleeping, several masks were found, and for what purpose did he bring them?
1221 Answer: I bought two from the domestic Internet site for use as a toy. (The investigator did not record the statement in the memorandum that the suspects "bought the same toy when buying a product on the Internet and trying to meet the shipping reduction conditions.")
1222
1223Nam Sang-wook Moon: How do you use a mask as a toy?
1224 A: I had fun with two mothers of relatives on the New Year's Day.
1225
1226Nam Sang-wook Q: Is not that what you bought to use?
1227 A: I have an intention to write and play.
1228
1229Nam Sang-wook Moon: Is it fun to play in the sun?
1230 Answer: Not written. (The suspect stated in the sense of "I have never written a mask since purchasing it.")
1231
1232Nam Sang-wook Moon: What type of mask is it?
1233 Answer: Eyes are white circles, nostrils and mouth are small masks.
1234
Nam Sang-wook Moon: This mask is the mask of the famous hacker group Anonymous?
 Answer: No.

Nam Sang-wook Q: How is it not?
 Answer: Anonymous mask has a mustache.

Nam Sang-wook Moon: How much did you buy when you went upstairs?
 A: I can not remember the price range.

Nam Sang-wook Moon: Anonymous is a famous hacker group on the Internet, right?
 Answer: Yes, yes.

Nam Sang-wook Moon: How did you know Anonymous?
1248 A: I learned from the news.
1249
1250Nam Sang-wook Moon: In the blackmail about the Obama family, there is a post that says, "I am always tired of wearing a sex dresser and doing masturbation." What does a sex dresser mean?
1251 Answer: A sultry costume is high heels in stockings.
1252
1253Nam Sang-wook Moon: Is not mask wearing?
1254 A: I know there is a separate mask for senility. (The suspect stated in the sense that "If you go to a sexual disorder, you will have symptoms.")
1255
1256 At this time, the attorney gives attention to the suspect. The suspect is hesitant for a moment. (Park Cheol-hyeon, an attorney, told the suspect, "This is a place for investigation, not a knowledge hall.")
1257
1258Nam Sang-wook Q: Do the athletes wear masks a lot?
1259 Answer: I have not seen it.
1260
1261Nam Sang-wook Q: Do you have your favorite side dish?
1262 Answer: I prefer meat and meat.
1263
1264Nam Sang-wook: Do you usually like Kimchi?
1265 Answer: Sometimes I eat.
1266
1267Nam Sang-wook Moon: Which kimchi do you like?
1268 A: I like cabbage kimchi that my mother gave me.
1269
1270Nam Sang-wook Q: Are you safe from AIDS if you eat a lot of kimchi?
1271 A: I do not think it is groundless.
1272
1273Nam Sang-wook Q: In what way do you think like this?
1274 Answer: I know there is no evidence in Yang medicine.
1275
1276Nam Sang-wook Moon: Do not you trust TCM?
1277 Answer: I do not trust.
1278
1279Nam Sang-wook Moon: Obama's family intimidation article says "I eat Kimchi and I am safe from AIDS." What do you think about the above?
1280 A: I think it is bullshit. (The accused stated "in the sense of" there is no basis. ")
1281
1282 The suspect responds confidently. (Because it is natural).
1283
1284Nam Sang-wook Q: Then why did you post the above?
1285 Answer: There is no answer for me.
1286
1287Nam Sang-wook Q: What were you doing on July 7th and July 8th, 2015?
1288 A: I was at home and I do not know what I was doing.
1289
1290Nam Sang-wook Q: Who were you with at the time?
1291 Answer: There were only three people like father, mother, me.
1292
1293Nam Sang-wook Moon: Who gets access to the room where the suspect's laptop is found?
1294 Answer: I go in alone and use it. I can not let anyone get in.
1295
1296Nam Sang-wook: Do you have any reason to use this room alone?
1297 A: I do not like anyone who touches my stuff.
1298
1299Nam Sang-wook Q: Are you usually alone in the room above?
1300 Answer: Yes. I am alone.
1301
1302Nam Sang-wook Q: Why did you stop the entrance of the room with a bookcase?
1303 A: It is noisy. I moved the bookcase to the door entrance.
1304
1305Nam Sang-wook: Do you know that the suspect mother at the time of the seizure prevented the entrance to the room above the investigators?
1306 Answer: I first heard. (At the time of the confiscation, the accused continued to stay in the room next to the porch in the surveillance of two police officers.)
1307
1308Nam Sang-wook Q: What do you do alone in the room above?
1309 A: I study and access the internet.
1310
1311Nam Sang-wook Q: What is the identity the suspect uses on the Internet?
1312 Answer: There are several IDs such as helpmeusacom@gmail.com. Domestic mail is not used. (The suspect has Naver and the next ID that he does not use.)
1313
1314Nam Sang-wook Q: Why do you use overseas email only?
1315 Answer: To use the Google blog, Naver and the next time I post my article because the blog is blocked.
1316
1317Nam Sang-wook Q: What kind of content does this block?
1318 Answer: Political writings (such as writings about women) block themselves.
1319
1320Nam Sang-wook: Are you interested in politics as usual?
1321 A: I am not an enthusiastic political follower, but my political orientation is patriot pay. I have never joined a special political party.
1322
1323Nam Sang-wook Q: What do you think of Lim Soo-kyung?
1324 Answer: It is a pen name.
1325
1326Nam Sang-wook Moon: I'm from the school of the suspect. What do you think about Lim Soo Kyung?
1327 A: If Mr. Soo-kyung left Yong-in campus, he would have supported the department elsewhere.
1328
1329Nam Sang-wook Moon: What did Ms. Soo Kyung major in?
1330 A: I graduated from French literature.
1331
1332Nam Sang-wook Q: Then do you hate Lim Su Kyung?
1333 ANSWER: Ms. Soo Kyung Lim is hated by the North Koreans.
1334
1335Nam Sang-wook Moon: So what do you think about the best site for the day?
1336 A: I think they are poor people. (The suspect thought, "Because I can not get a job, and I live with my parents at home.")
1337
1338 At this time, the suspect trims. (Because the suspect was unable to eat, the sperm from above rises.)
1339
1340Nam Sang-wook Q: Who uses the notebook?
1341 Answer: I use it.
1342
1343Nam Sang-wook Q: Do parents and siblings use a laptop?
1344 Answer: No. Not once.
1345
1346Nam Sang-wook Q: Who knows your notebook password?
1347 Answer: I know only.
1348
1349Nam Sang-wook Q: Why did I set a password on my laptop?
1350 Answer: I only use it for myself.
1351
1352Nam Sang-wook Q: What does the password mean?
1353 Answer: No meaning. (The suspect has demonstrated to the investigator that it is an easy location to press the index and stop on the keyboard.)
1354
1355 At this time, we show the screen shot of the SuperHideIp program found on the suspect's laptop desktop to the suspect, and attach it at the end of this document.
1356
1357Nam Sang-wook Q: I have found a program that can hide the SuperHideIp IP on the suspect computer desktop. I analyzed the above program directly by Cybercrime, and it was easy to change my computer's IP with a mouse click. Why can I change it to U.S.IP when I connect to the internet in Korea? Why?
1358 Answer: I downloaded and installed it on the Internet. (The suspect was doing something just once after installation.)
1359
1360Nam Sang-wook Q: Is not it the intention to hide your IP?
1361 Answer: No.
1362
1363Nam Sang-wook Moon: I did not intend to hide. Why did you download it?
1364 Answer: I am interested in seeing the arrest news about IP trace, and got it downloaded.
1365
1366Nam Sang-wook Q: How did you find out that you have the above program?
1367 Answer: I learned from internet search.
1368
1369Nam Sang-wook Q: How exactly did you download it?
1370 Answer: I have downloaded the keyword "ip change" from Google and searched the web page, but I do not know which site I got it from.
1371
1372Nam Sang-wook Q: Why are you trying to hide IP?
1373 Answer: I do not know.
1374
1375Nam Sang-wook Q: Do you make statements that only a disadvantageous statement is "I do not know"?
1376 A: In the news, I found that the police were arrested for tracking down the IP. (The suspect stumbled across KBS News, which reported this incident on a large television set in the Jongno police station detention center.)
1377
1378Nam Sang-wook Q: So, what kind of crime did you download?
1379 Answer: No.
1380
1381Nam Sang-wook Q: How many times have you tried this program?
1382 Answer: I installed Super Hide IP and tried it once after installation.
1383
1384Nam Sang-wook Q: How about running this program?
1385 Answer: It was executed with a single mouse click. I did not check whether the IP was changed, but I tried to execute it.
1386
1387Nam Sang-wook Q: Is it easy to change the IP?
1388 A: I think it depends on the person.
1389
1390Nam Sang-wook Moon: After we have run the above program, it is easy to operate with a single click of the mouse. We also say that the suspect is executed with a single mouse click on the statement. What does it mean by different people? Does it mean that clicking the mouse is difficult?
1391 Answer: It's easy to run, but I think there is a difference between people searching and finding them. To find the above IP change program, it means that no one can find and search well.
1392
1393Nam Sang-wook: Do the suspects ultimately have the ability to find programs that can change the IP?
1394 Answer: I accidentally found it.
1395
1396Nam Sang-wook Q: Anyway, you entered your keyword directly into Google search, and you actively found it?
1397 Answer: No.
1398
1399Nam Sang-wook Moon: In the previous statement, why did you say that you searched for a program by entering keywords directly, and now you accidentally found it accidentally?
1400 Answer: It is not a reversal of a statement. SuperHideIp is a coincidence that I clicked one of the tens of thousands of search results in the search result called IP change.
1401
1402 (At this time, a police officer Kwak Dong-gyu was sitting beside Nam Sang-wook's investigator and asked him, "Who did you coach?" Kwak Dong-gyu, as an investigator in the first and second police investigations, I asked him with a smile, "OO, is there something wrong with your mind?" Why did you do that? "But when the investigator did not go as planned, he started to press it like this.
1403
1404Nam Sang-wook Q: Did you spend a lot of time looking for the above program?
1405 A: I do not know that. (A suspect could not remember because there were a huge number of suspects who searched the Internet from time to time.)
1406
1407Nam Sang-wook Q: Do you think the suspects search ability is good?
1408 A: I do not think so. (The suspect stated "I do not have an internet search ability certificate".)
1409
1410 At this time, take a break for a while. (At this time, police officers from the police department gathered to discuss the next question.)
1411
1412 (At the time of the investigation, an older investigator (Kim Jin-kwang) said to Nam Sang-wook, "Do you have to turn on your laptop?" Nam Sang-wook said, "I need to turn on my laptop to run VMware." The investigator said to Nam Sang-wook, "Then think carefully and turn on the notebook!" Nam Sang-wook went upstairs, and again, from the next investigation, Nam Sang-wook questioned me about the female anatomical image. I guess Nam Sang-wook went to the second floor and manipulated the laptop.)
1413
1414Nam Sang-wook Q: I checked the information on cybercrime today with the above IP change program.
1415 Answer: It seems easy to double-click to run the program.
1416
1417Nam Sang-wook Q: What site did you access with the above program running and changing the IP?
1418 A: I do not remember.
1419
1420Nam Sang-wook Q: If you look at the date of installation of the above program, the date of the last access is June 6, 2015. When was the last date used?
1421 Answer: I used it once on the day of installation on July 16, 2014.
1422
1423 At this time, show the observer's photo and picture file (filename: IP address washing method .jpg, any weblock readme.jpg) found on the suspect's notebook and attach it to the end of this article.
1424
1425Nam Sang-wook Q: The picture file (IP address washing method .jpg) found on the suspect's notebook shows how to download and install the site detour access program which is blocked in Korea. Any weblock readme.jpg explains how to block access to websites from your computer. Is it possible to keep the above files in order to access some blocked sites in Korea?
1426 A: You were not trying to connect to a blocked site.
1427
1428Nam Sang-wook Moon: How to Wash IP Address Above The .jpg file was created by the defendant's own editing program, right?
1429 A: I've captured and saved the results of searching for "change my ip" on Google.
1430
1431Nam Sang-wook Moon: The suspect has a lot of doubts about IP, asking him to check the IP posted on 4chan.org. According to recent cyber-investigation techniques, IP modulation is very easy, so you can not identify suspects with just one IP. Is not it because I suspect that the suspect has altered the IP or used other means of detouring?
1432 Answer: No. I did not know how to investigate, and I saw the arrest news through IP tracking. (The suspect did not ask for "please confirm the IPs posted on 4chan.org" and asked for the IPs in the news article "I traced the IPs." Of course, There is a number.)
1433
1434Nam Sang-wook Q: There are many ways to change the IP.
1435 Answer: I do not know.
1436
1437Nam Sang-wook Q: What do you usually think about the United States?
1438 A: I am longing for the United States and working for US citizenship and green card.
1439
1440Nam Sang-wook Q: Is Obama Democratic or Republican? (The previous day, the suspect received a long-term investigation of the crime profile, which was not recorded in the memorandum separately from the police investigation. At this time, the suspect had stated that Obama was a Republican in a questionnaire with two crime psychology professors, When the investigator who was observing from the outside tried to search the internet, it was different from the fact, and the police investigation asked this question the next day.)
1441 A: As far as I know, Republicans. (The suspect responded to the investigator after commenting in advance that the criminal psych profiler was a question yesterday, but the statement did not record this statement.)
1442
1443 At this time, using a smartphone search through Wikipedia, Obama will show the suspect that he is a Democrat.
1444
1445Nam Sang-wook: Why did you think Obama was a Republican?
1446 A: I do not know about American politics. (The suspect stated "not interested in American politics." The suspect, when the investigator came to the conclusion, "presumed Obama as a Republican because the northern United States, where the liberation of black slaves began, is the base of the Republican Party." But did not record.)
1447
1448Nam Sang-wook Q: Is Democratic Party more progressive than Republican Party?
1449 A: I do not know that.
1450
1451Nam Sang-wook Q: Do not you know that you are interested in politics?
1452 A: I do not know about American politics. (The accused stated that they are "interested only in domestic politics.")
1453
1454Nam Sang-wook Q: What do you think about Obama?
1455 A: I think he is respected as the first black president in the United States.
1456
1457Nam Sang-wook Q: Is the image of a monkey synthesized by Obama and Michel synthesized by the suspect?
1458 Answer: No. Downloaded. (I suspect the suspect downloaded the 4chan watermark below the photo.)
1459
1460Nam Sang-wook Q: Where did you download the above file?
1461 Answer: I downloaded it from 4chan. (I suspect that the suspect downloaded the 4chan watermark below the photo and downloaded it from 4chan, but in some cases the source was downloaded from a non-4chan location because it was downloaded from Google's search results.)
1462
1463Nam Sang-wook Q: What is the above picture?
1464 A: This is a picture of Obama as a monkey.
1465
1466Nam Sang-wook Q: Why did you download Obama's image and say that he saved it on the suspect's computer?
1467 At this time, the suspect trims. (Because the suspect was unable to eat and sickness came up inside.)
1468 Answer: I have downloaded it in order to utilize the background of the person who made the picture above as a material for writing criticism.
1469
1470Nam Sang-wook Q: Did you write criticism on your blog?
1471 A: I would not have. I do not know for sure. (The suspect later downloaded the photo because he was going to write if he had time.)
1472
1473Nam Sang-wook Moon: I have a bad feeling about Obama. Did not I download the photo above?
1474 Answer: No.
1475
1476Nam Sang-wook Q: Is not it a fun thing to write because I have not written any articles?
1477 Answer: No.
1478
1479Nam Sang-wook Q: Is it fun to look at the pictures of Above Obama?
1480 Answer: Disgusting.
1481
1482Nam Sang-wook Moon: I told you that Obama's photographs are disgusting, but if you do not write related articles, should not you? Why did you keep it?
1483 Answer: I will use it later when I write again. (When the suspect tried to write, he kept it on his laptop because he could not find it on the internet.)
1484
1485Nam Sang-wook Q: What do you think about black people?
1486 A: I think that black people are the same person and call themselves black people themselves. (The suspect thought that the sword should be replaced with the word 'African American' with the word 'black', because it is a racist word.)
1487
1488Nam Sang-wook Moon: The suspect is very clear about the above question. What belief do you have about racism?
1489 A: Racial discrimination is an ideology by some white supremacists. This includes blacks and asians. Therefore, Koreans can also be victims of racial discrimination.
1490
1491Nam Sang-wook Q: Does the suspect think that I am logical and reasonable?
1492 Answer: I only believe in evidence as much as possible.
1493
1494Nam Sang-wook: By the way, why did you say you did not commit the crime while trusting all the results of computer digital evidence analysis?
1495 Answer: The SuperHideIp is a bit less reliable.
1496
1497Nam Sang-wook Q: Even if you have a friendly feel for the US in general, can you think of it as bad for Obama?
1498 A: Because I work for US citizenship, I do not think separately. (The suspect described the police investigator as "honoring Obama, the first black president," but did not record it.)
1499
1500Nam Sang-wook Q: Have you read a lot of articles about Obama?
1501 A: I have not read much. (The suspect had not read much of the article because he was not interested in American politics.)
1502
1503Nam Sang-wook Q: What do you think about Obama's attack on the terrorist group IS?
1504 A: The attack on the terrorist group is an absolute support.
1505
1506 At this time, the suspect was found in the OO notebook. The brain was blurred, the woman was naked in the grass, the body was naked, the child was naked, the anus was opened with his fingers, , A picture of a child with a knife in his stomach, a picture of inserting a male penis into the anus, a picture of autopsy of the body's head and abdomen, a picture of the body's eye, a picture of the body's head, A photo of a woman showing her blood in her pussy, a photo of a woman showing a broken thorax, a picture of a woman's head being cut off, a picture of a woman's penis, a penis, Two men are fingers of a child's penis, a picture of a woman cutting her head in the body, a picture of a Korean flag in her bowel movement, a picture of her lower body cut off, A photograph of a woman's legs being cut off, a picture of a woman dropping blood, a picture of a man shaking a manpower in North Korea, a picture of Kim Jong Il, a picture of a witch in the body, a picture of Kim Jong Il with children , A photo of women wearing surgical gloves and a woman's anal opening, and showing them at the end of this paper. (The investigator tried to express the meaning of each photo in the blank space on page 591 as much as possible.) The suspect said, "With this kind of investigation, If there is anyone passing by, it is a psycho pass. "
1507
1508Nam Sang-wook Moon: A total of 35,438 picture files (extension jpg, png) were stored on the suspect computer. About one quarter of them were stored. As shown to the suspect, many female anus pictures and body pictures Why was the above picture file stored on the suspect computer?
1509 Answer: I was interested in death, so I downloaded the above photo, and the woman's anal photo was downloaded because it was porn. (Nam Sang-wook, a cyber investigator who led the interrogation process from the third police investigation, said, "I am guilty only by possession of the above photo file. I can add more charges that I did not prosecute." He threatened the suspect to feel frightened, I went ahead.)
1510
1511Nam Sang-wook Q: Is the suspect file taken by the suspect himself?
1512 Answer: No. I downloaded it from the Internet.
1513
1514Nam Sang-wook Q: Where did you download the Internet?
1515 A: Google has searched the website for porn related words, and body pictures have also found and downloaded websites based on the results linked from the porn sites. (All the suspects could not remember.)
1516
1517Nam Sang-wook: How do you feel when you look at a photo file like this?
1518 Answer: I am not happy, but when I receive the AP Reuters communication at KBS, I get a lot of cruel pictures. So it seems that I became more interested in the above picture.
1519
1520Nam Sang-wook Q: Then, did you become interested in the above pictures while working at KBS?
1521 Answer: No. After leaving KBS, the pace began to change pessimistically.
1522
1523Nam Sang-wook Q: What does it mean to be pessimistic?
1524 A: I know Nietzsche is pitiful.
1525
1526 At this time, (the investigator did not record "Attorney Park Chul-Hyun"), I checked the dictionary of pitfalls with a smartphone and said "I hate the world and see everything as dark and negative" Show it to the suspect. (The lawyer Park Chul-hyeon, who has been silent, searches for his smartphone and handed his smartphone voluntarily even though the investigator did not ask for it. In the prosecution investigation, Park Cheol-hyeon counseled the suspect along with the prosecution attorney I stood in the position of.)
1527
1528Nam Sang-wook Q: Is the above dictionary definition meaningful to the suspect?
1529 A: What I'm talking about is the content of a longing for death.
1530
1531Nam Sang-wook Q: So, did you post a statement to the Blue House about suicide?
1532 A: That was to insist my position for political purposes.
1533
1534Nam Sang-wook Moon: Have you ever tried to die?
1535 Answer: No.
1536
1537Nam Sang-wook Q: So what do you do about death?
1538 Answer: Yes, yes.
1539
1540Nam Sang-wook Q: I think it would be insulting to killing a person if I often see the above picture. What is the opinion of the suspect? (The cyber investigator, Nam Sang-wook, asked the cyber criminal investigation team to expand the scope of the investigation, and tried to prove the suspect's allegations until the murder of the US-based cyber criminal investigators. )
1541 A: I do not know that.
1542
1543Nam Sang-wook Moon: For ordinary people, I do not think I will download unnecessary downloads to my computer even if I see pictures like this once or twice in curiosity. The reason why I downloaded and stored hundreds of such body photographs What is it?
1544 A: It's a habit to download.
1545
1546Nam Sang-wook Q: How do I download it?
1547 Answer: Click the right mouse button to save.
1548
1549Nam Sang-wook Q: Where do you store it?
1550 Answer: Save on your desktop.
1551
1552Nam Sang-wook Moon: Do not you be surprised when you see a picture of a body above a desktop?
1553 Answer: The desktop is not surprised because it does not have a preview function. (Windows XP does not have a preview on the desktop.)
1554
1555Nam Sang-wook: Then, in Windows Explorer, can I preview my desktop picture?
1556 A: I do not even see my desktop by using Windows Explorer.
1557
1558Nam Sang-wook Q: Do I have to use Windows Explorer to work on my computer?
1559 Answer: Use it occasionally. (The police cybercrime investigates and inquires about the computer usage habits of the suspect more than the result of the evidence analysis.) It is suspected that the investigation of the civilians through the hacking of the police before the police seizure.
1560
1561Nam Sang-wook Q: Why do you download only a woman's body image, mostly a female body image, and a male body image is rarely identified?
1562 Answer: There is no particular reason. (Because netizens prefer female body images to male body images, there are more female body images on the internet.)
1563
1564Nam Sang-wook Q: Is not it because of hostility to women?
1565 Answer: There is no hostility.
1566
1567Nam Sang-wook Moon: But why do most women only download photos of women? (I repeatedly asked the question the investigator did.)
1568 Answer: There is no special reason. (At this time, the investigators of the investigators including Kwak Dong-gyu, who also had a visit to Nam Sang-wook, gave examples of experiences such as the autopsy of the twin baby corpse and the autopsy of the pregnant woman's body. Acknowledgment of appropriate behavior.)
1569
1570Nam Sang-wook Q: Do you know about the suspects viewing such photos and storing them on the suspect's notebook?
1571 A: You do not know.
1572
1573Nam Sang-wook Q: How do you feel about your parents?
1574 A: I think I should get a family register. (At this time, investigators and police officers laughed aloud.)
1575
1576Nam Sang-wook Q: Have you ever posted the above file to another Internet site?
1577 Answer: Not at all.
1578
1579Nam Sang-wook Moon: In the meantime, if you look at the suspect's statement, you have downloaded it to post on blogs such as Obama's photographs. Did not you download the body photos for posting or posting?
1580 A: The body is not the subject of my blog.
1581
1582Nam Sang-wook Q: What is the subject of the suspect blog?
1583 A: My blog topic is thoroughly political.
1584
1585Nam Sang-wook Moon: In the picture of the female body above, the file name is 'cute-dead-girs-random number'. Does the suspect think that the female body image is cute?
1586 Answer: No. That's not what I made the file name, it's the filename, and I think it's crazy if I think it's cute. (The suspect stated, "The file name was downloaded from the Internet.")
1587
1588Nam Sang-wook Q: So what do you think about who posted the picture of the body above?
1589 Answer: I did not see that the above picture was uploaded on the Internet.
1590
1591Nam Sang-wook Q: Is the above body picture a real body picture?
1592 A: I do not know if I am authentic.
1593
1594Nam Sang-wook Q: How did you find out about the sites that have photos like this on the Internet?
1595 Answer: I ran through Google.
1596
1597Nam Sang-wook Q: Do you usually do a lot of searches on Google?
1598 Answer: I do a search on Google, and I use it to study with Google.
1599
1600Nam Sang-wook Q: Does the suspect have any bad memories about the anus?
1601 Answer: Yes, yes.
1602
1603Nam Sang-wook Moon: According to the complaint filed by the Ministry of National Defense, the suspect was raped by a subordinate and the police officer put the penis in his mouth about 20 times and shook it about 20 times. Did the platoon commander put the penis in the anus?
1604 Answer: Yes, yes.
1605
1606Nam Sang-wook Moon: Do you really have 20 shakes?
1607 A: I do not know that.
1608
1609Nam Sang-wook Q: Why did you write 20 times?
1610 A: At that time, I thought so. (The suspect was estimated 20 times at the time.)
1611
1612Nam Sang-wook Q: Is not it possible to write false content in the complaint?
1613 Answer: Yes.
1614
1615Nam Sang-wook Q: Is not it possible to describe 20 times if there is a basis or a memory for any certain number of times? If not, will the Ministry of Defense be able to deal with it later?
1616 Answer: I did not set the number of times clearly.
1617
1618Nam Sang-wook Moon: I have a bad memory for anus. I only store a female anal picture on a separate computer and say to the White House: "I was tired of wearing a suture costume and doing masturbation. I'm going to rape my fourth daughter, Natasha, in the anus. Because it seemed to be a more polite way to ask. I think that the anus of the second daughter is more resilient than the anus of Malia (the first daughter), so I should get permission from the parents before I feel black anal. "
1619 Answer: No.
1620
1621Nam Sang-wook Q: How did you find out that your second daughter's anus was more resilient?
1622 Answer: No.
1623
1624Nam Sang-wook Q: For what reasons did you keep the photo file with stool on Taegeukgi?
1625 Answer: I saved it to write a criticism against contempt of the flag. (The suspect stated "in order to criticize the act of insulting the flag, the photograph was saved.")
1626
1627Nam Sang-wook Q: Do you have any material to prove that you wrote a blog?
1628 A: Currently, this is not possible.
1629
1630Nam Sang-wook Moon: What did you think about the photo above (photo with stool on the flag)?
1631 A: In this way, blaspheming the country itself was considered insipid. (Investigator erroneously recorded 'national flag' as 'country'.)
1632
1633Nam Sang-wook Moon: Do you have any photos posted on 4chan.org with stool on the top?
1634 Answer: I do not know. (The suspect stated to the investigator that "the posts posted on 4chan are not posted on 4chan unless they are on the blog because they post the same on the blog," but did not record it in the dossier.)
1635
1636Nam Sang-wook Moon: The suspect is stating that the adverse statement is "I do not know".
1637 Answer: I do not judge whether it is a favorable or an unfavorable question, and I do not remember what I do not remember. (The accused stated "not to judge" but not "to judge.")
1638
1639Nam Sang-wook Q: For what reasons did Kim Jong Il and Kim Jong Eun photographs and North Korean artifacts be stored on the suspect computer?
1640 Answer: I downloaded it as a material to write a critical article about Kim Jong Il, Kim Jong Eun, and Kim Il Sung.
1641
1642Nam Sang-wook Q: Did you write the above criticism?
1643 Answer: I am not sure, but I would have written it.
1644
1645Nam Sang-wook Q: Do you have any material to prove?
1646 A: There is currently no documented evidence.
1647
1648Nam Sang-wook Q: What do you think about North Korea?
1649 A: North Korea is a Republic of Korea.
1650
1651Nam Sang-wook Moon: In the text of the intimidation article, "I hope to penetrate the anus of black people before I was killed by Kim Jung Eun" is posted. I usually read Kim Jung Eun's photo, Posted?
1652 Answer: No.
1653
1654Nam Sang-wook Q: Do you often get things that you do not remember well?
1655 A: Two years ago, but not now. (The suspect stated, "Two years ago, when I was working before 2013, I was drinking and the film was broken.")
1656
1657Nam Sang-wook Moon: 7. 20. At the time of the investigation, I posted the following message in the Cheong Wa Dae and the National Newspaper: "I will commit suicide" and "I will demonstrate". In the past, I remember correctly, 7.7 at the time of the crime. And 7.8. The contents do not remember exactly what we did. Does the suspect just state that he wants to remember what he wants to remember and does not know what he does not want to remember? (The military rank of the suspect is the sergeant, and in the complaint, only the name of the subcommittee is listed, not the elder sibling.)
1658 Answer: No.
1659
1660Nam Sang-wook Q: So why do not you remember the recent events?
1661 A: I have lost the concept of time because the same life repeats itself.
1662
1663Nam Sang-wook Moon: 7.7. And 7.8. At the time of the crime, I drank a lot of alcohol and posted blackmail in the White House.
1664 Answer: No. (The police 's claim is different from the fact that "I drink a lot and the film is broken.")
1665
1666Nam Sang-wook Q: When exactly did you find out about 4chan.org?
1667 A: I do not know the exact time, but I got to know it in the early 2000s. (I'm not sure, but the suspect did not know 4chan early on.)
1668
1669Nam Sang-wook Moon: According to the Seoul Central Police Agency's cybercrime investigation report, http://helpkorea.blogspot.kr, http://fuckingkorean.blogspot.kr, http://unicefusa.blogspot.kr, http://antihufs.blogspot.com, http://plus.google.com/112036166079289779835/posts, http://ihatekorea.blogspot.com, http://helpmeusa.tumblr.com, http: // jeolladian. It is confirmed that there are 10 blogspot.kr, http://helpmeusa.egloos.com, and http://sangpyenyeo.blogspot.kr. In the above suspect blog, the suspect Citibank account (370-07421-268-01) ID helpme@usa.com was listed. Is it a blog operated by suspects?
1670 Answer: Yes, yes. (The alleged "http://plus.google.com/112036166079289779835/posts" was an unknown number in the address.)
1671
1672Nam Sang-wook Moon: When I translate the blog url address into http://ihatekorea.blogspot.kr, http://antihufs.blogspot.kr, I hate Korea, I am anti-foreign language, how much I hate Korea and foreign language is anti ? (The next questioner turned to the monitor that was writing the dossier, showed the suspect the blog screen, and told me what was posted before the answer.)
1673 A: This site was created to discuss the absurd aspects of Korean society, unreasonable aspects. Korea does not like it or hate it, and has opened antihufs.blogspot.com to post content for criticizing Lim Soo-kyung. (The investigating officer also knew that there were so many articles posted on the suspect's blog that he could not remember it, and he showed the blog to be quoted in the statement, but the record did not record the act of the investigator. The reason was simply to preempt the blog name, but there was also the intention to prevent them from being exploited by others for malicious purposes. "However, the investigators did not acknowledge the sincerity of the suspect)
1674
1675Nam Sang-wook Q: Was the suspect planning to study in France?
1676 A: I was studying in France or studying in the US.
1677
1678Nam Sang-wook Q: Was the suspect considering foreign immigration?
1679 A: It was the next best thing if you were not studying in France or studying in the US. (As soon as the suspect was released from the detention center on bail, the lawyer Kim Yong-min, attending the trial after the lawyer Park Chun-hyun, filed a number of documents including the admissions documents from the US university and the contract documents received from the immigration company.)
1680
1681Nam Sang-wook Q: Why are you considering foreign immigration?
1682 A: I do not want to send troops to my child.
1683
1684Nam Sang-wook Q: Why are you posting on more than 10 blogs?
1685 A: It was a diary purpose for my political opinion. (The suspect described it in the sense of "It was a leisure time to cool my head while studying.")
1686
1687Nam Sang-wook Q: Why are you posting a lot of articles on the above blog?
1688 A: In the early days, I wrote articles of political beliefs that many people would read and write to, and later to post political articles. (Kwak Dong-kyu investigated how much the suspect had received the donation, and the suspect said, "It is all about donation of 20,000 won, try tracking your Citibank account.") After giving up, studying the blog in French, I changed my mind to use it for leisure. "But the investigators did not record it in the dossier.)
1689
1690Nam Sang-wook Q: How do Internet users respond to the blog of the suspect?
1691 Answer: No comments.
1692
1693Nam Sang-wook: Do you increase the number of visitors if you post interesting and exciting posts on your blog?
1694 Answer: No.
1695
1696Nam Sang-wook Q: What do you think if you write hard and the number of visitors does not increase?
1697 A: I do not care. (The suspect is blogging for hobbies and leisure purposes.)
1698
1699Nam Sang-wook Q: What is the position of the suspect in Internet cyber?
1700 Answer: There is almost no presence.
1701
1702Nam Sang-wook: Do the suspects work only at home rather than at home?
1703 Answer: Yes, yes.
1704
1705Nam Sang-wook Q: Do you want to get attention from others on the internet because you are not doing outside activities?
1706 Answer: I am interested in seeds in jargon, but I am not interested in seeds. (The investigator records the word 'jargon' that the suspect has not written in the record.)
1707
1708Nam Sang-wook Moon: I want to get interested in the White House and posted a blackmail message.
1709 Answer: No.
1710
1711Nam Sang-wook Moon: But why did you post to 4chan.org?
1712 A: I did not post it on 4chan.org.
1713
1714Nam Sang-wook Moon: "If you look at Ripper's intimidation article," I declare President Terror to Obama. Is not it a beautiful night? "The suspect is mostly at night? Is it really a beautiful night? What do you think about this phrase?
1715 A: I do not know that.
1716
1717Nam Sang-wook Moon: The threats posted on the white house's homepage on the suspect's laptop, the file capturing the original text, the file captured after the completion of writing in the White House (Thank you), the trace of viewing the captured file, 4chan.org site to post the original text of the intimidation, again capturing the above posted article, the trace of the above capture file was clearly identified by the time order, but the suspect has not posted, did not acknowledge Why?
1718 Answer: I have not posted.
1719
1720Nam Sang-wook Moon: So the suspect's parents or sister posted the article?
1721 A: My parents are not related to my sister because the notebook is what I use.
1722
1723Nam Sang-wook Q: Is it not your parents, your sister or the suspect?
1724 Answer: No. Please consider the possibility of hacking. (The parents of the suspect and lawyer Park Chul-hyeon said, "The traces of the hacking were found on the suspect's notebook and should be stated in the police investigation." However, the police spread the statement to the press and said, "The suspect is a third- (KCNP News, Internet News Article), "and said," It is the people who say that our house cat is the key to the keyboard "I was tortured and blamed for everything I had never experienced before."
1725
1726Nam Sang-wook Q: What hacking program do you mean?
1727 A: I do not know that either.
1728
1729Nam Sang-wook Moon: Have you ever been hacked?
1730 Answer: I have never been hacked.
1731
1732Nam Sang-wook Moon: Although the suspect clearly remembered his activities during his military service and his posting on the Blue House and the National People's Magazine last year, he continued to lie about the fact that he did not remember his post on the White House site What is it?
1733 A: I never lied. (The investigator responded briefly to each case when the suspect responded.) The suspect responded to the complaint posted in the Blue House and the National Census Bureau by postal mail from the person in charge and kept the post and reply to the post I remember because I had saved it on my blog, and the suspect consistently said "I did not post it" about whether or not to post the blackmail in the White House, and did not say "I do not remember."
1734
1735Nam Sang-wook Q: Does the suspect usually lie well?
1736 A: I can not lie.
1737
1738Nam Sang-wook Moon: I do not recall an important important question. What do you think about the fact that the investigator seems to admit that he posted the article?
1739 Answer: I did not remember, so I made the statement as above.
1740
1741Nam Sang-wook Moon: If I do not remember, can I drink and not remember?
1742 Answer: Not. I think there are multiple factors.
1743
1744Nam Sang-wook: You may not remember a lot of alcohol at the time of the crime?
1745 A: I did not have to break the film because I drank a lot of alcohol.
1746
1747Nam Sang-wook Moon: At the time of the seizure search, I drank a lot of alcohol and stated earlier that I remember faintly. Then you can not remember it because you drank a lot of alcohol at the time of the crime?
1748 At this time, the suspect shakes his head and thinks for a moment. ("I can not remember" is not the word "I do not remember.") The guiding question of the investigator was not logical, so the look of the accused was not understood by the guilty pleasures of lying, I did it.)
1749 Answer: I do not know.
1750
1751Nam Sang-wook Q: What do you think about the fact that the suspect is being denied even though the evidence is clearly revealed by the computer analysis program Encase? Is it a reasonable answer to state that you do not remember well?
1752 A: I do not know because people are beyond their abilities. (The accused stated earlier that "the access time analysis results of SuperHideIp are different from the truth and the credibility of the Encase program is poor.")
1753
1754Nam Sang-wook Q: How did you keep all two of them on the suspect computer, not one of them? What do you think of that?
1755 Answer: I guess that the two intimidation posts are not considered to be much difference, it is estimated to have been uploaded continuously.
1756
1757Nam Sang-wook Moon: The Obama intimidation article is about 6 hours difference on July 7, 2015, about 7:20 pm, and Repert's intimidation article is about 7.8 02:26. Is it?
1758 Answer: I was wrong. (The suspect believes that two blackmails may have appeared in the same search result at the same time.)
1759
1760Nam Sang-wook Q: What is your relationship with your parents?
1761 A: I have a good relationship with my parents.
1762
1763Nam Sang-wook Q: Did your father train hard?
1764 Answer: It was not severe. (The suspect responded with a lawyer, Kim Yong-min, "I played with my father and BB gun at a young age.")
1765
1766Nam Sang-wook Q: What is your father's job?
1767 A: I was a teacher, but I retired this year.
1768
1769Nam Sang-wook Q: Have you ever been beaten by a father when you were a child?
1770 Answer: It is number 1 and nothing else. (The suspect responded to the investigator "I was hit one time.")
1771
1772Nam Sang-wook Moon: Are you sure?
1773 Answer: Ask your father.
1774
1775Nam Sang-wook Q: Do you depend on your parents for everything?
1776 A: I do not depend on you.
1777
1778Nam Sang-wook Moon: In the case of seizure search and emergency arrest, the accused lie down in the room with only panties, and an investigator in Seoul Metropolitan Police Agency explains about two or three hours to arrest her father and mother dozens of times, In case of an emergency arrest, the suspect said, "What does your father say? Did your father agree to an emergency arrest? "
1779 Answer: Yes, yes.
1780
1781Nam Sang-wook Moon: If my father was arrested urgently and the police officers told me to go away, was he going to go on his own?
1782 A: If my father told me to go, he would not have responded. (The police claim that the suspect had been drunk and had a crush on him, but the suspect said he tried to arrest the police officers without revealing that they were police officers, and that he resisted knowing that they were bullets. The family of suspects filed a complaint with the Human Rights Commission that the police had violated human rights during the search and arrest of the police, but both the inspection office and the NHRCK I was ignored.)
1783
1784Nam Sang-wook Moon: You have to judge yourself. Why did you ask your father about it?
1785 A: I was scared because I had more than 30 people in the situation. (The suspect lied on the bed and felt frightened when he covered the bed.)
1786
1787Nam Sang-wook Moon: At that time, 9 to 10 people went to the suspect, and the suspect was lying for four hours at the time of the search.
1788 Answer: I also had a hangover, and it was annoying to be honest. (Kim Kyung-hwan, a cyber investigator who participated in the emergency arrest, said to the accused who was lying in bed, "Because of you, 10,000 people suffered from a night spent for a week.")
1789
1790Nam Sang-wook Moon: But when my father says he does not agree, the suspect kept lying in bed?
1791 Answer: Yes, yes.
1792
1793Nam Sang-wook: Can the suspect be able to do it alone without the will of his parents?
1794 A: I do not know for sure, but I think it is natural to ask for help if you get caught up in a crisis situation. (Here 'help' means 'family help.')
1795
1796Nam Sang-wook Moon: The suspect brother is living alone as a self-employed person, right?
1797 A: I'm working in Ansan.
1798
1799Nam Sang-wook: Why is the suspect unable to live independently like his brother?
1800 A: I spent two years in college, but I have difficulty getting along with my parents.
1801
1802Nam Sang-wook Moon: What part was difficult?
1803 Answer: It was hard to eat food.
1804
1805Nam Sang-wook: Do you have any reason to tell the suspect when your father visits the Jongno police station, "Do not succumb to the police's remorse." (Based on the fact that the investigator had eavesdropped on the suspect.)
1806 A: I will not answer the above questions. (The suspect stated, "I will not reply to the fact that I have been tapped." The questioner, Nam Sang-wook, of the Cyber Investigation Team who answered these answers was quite puzzled and omitted the "tapped facts".)
1807
1808Nam Sang-wook Q: Does the suspect have his father's instructions unconditionally?
1809 Answer: Half. Sometimes it is unconditional and sometimes not.
1810
1811Nam Sang-wook Moon: Suspect What is your current age?
1812 A: OO year old Korea is 34 years old.
1813
1814Nam Sang-wook Moon: Do you have a separate computer for your father?
1815 Answer: Yes. There is a separate computer.
1816
1817Nam Sang-wook Q: Do you work with your dad computer a lot?
1818 A: I do not know that. (The suspect stated "My father hates my father so much that I do not use it often", but I did not record it in the dossier.)
1819
1820Nam Sang-wook Moon: All the evidence is clear, and a warrant for seizure of the suspect's residence was issued by the judge, and the emergency arrest was approved by the prosecutor. The suspect was given the opportunity to conduct an actual arrest warrant, What is the reason why I do not remember the suspect himself?
1821 A: I do not think so. (The investigator provided false information in order to pressure the suspect, the suspect read the documents presented by the police officer of the police investigation about the reasons for the arrest warrant issued by the judge at the detention center after the probation officer or the detention warrant, The suspect already knew that the judge had been convicted and did not issue because of all the evidence that was evident because of the concerns of escape and evidence of extinction.
1822
1823Nam Sang-wook Question: Who gave the answer to the above?
1824 A: I have never been influenced by external influences.
1825
1826Nam Sang-wook: Do not you think your actions are wrong? (The investigator suddenly questioned the judge.)
1827 A: I certainly did not post it.
1828
1829Nam Sang-wook: Even now, I would like my parents to tell me the truth about what I have done, to seek good fortune and to live hard. What do you think of the suspect?
1830 A: I do not think I should cover the truth.
1831
1832Nam Sang-wook Moon: Anyone can make mistakes, do not you think you can correct mistakes?
1833 A: I can not make mistakes because I did not make mistakes.
1834
1835Nam Sang-wook Moon: Looking at the s.txt file found on the suspect's notebook, the text file says, "I'm going to kill the Ambassador Repert by penetrating the US Embassy. Obama kidnapped my little daughter and I will rape my anus. "Why did you list the above?
1836 A: I do not know the keyword on the internet Google but I check the phrase on the website that I have searched for and copy it to s.txt. I copied and pasted it to a file. (The suspect did not know exactly where the Web site was located.) The investigator kept a record of the suspect's response long without a comma in the record, making it look like an excuse, and the meaning changed depending on where the reader was resting.
1837
1838Nam Sang-wook: Did not you post Obama and Repert's intimidating articles in the White House by referring to the threats listed in the above s.txt?
1839 Answer: No.
1840
1841Nam Sang-wook Moon: Looking at the above s.txt file, two emails used in blackmail, isshufs@gmail.com, Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea, 130-791 Posted by Lifee Iss Crazzyy, Address Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea, 130-791, Tel + 82-2-2173-2062 , Twitter https://twitter.com/ISIS_Med The address is listed, was not it planned for the crime?
1842 Answer: No. It came with copying and pasting.
1843
1844Nam Sang-wook Q: In addition, the above text file contains an e-mail isshufs@naver.com which is not used for the crime, and the above e-mail address is not also posted on 4chan.org. How is this e-mail address listed?
1845 A: I do not know.
1846
1847Nam Sang-wook Moon: The intimidation is not written in Korean, but is it a Korean word?
1848 Answer: It is taken from the Internet and copied. (The suspect stated "I copied and pasted it.")
1849
1850Nam Sang-wook Moon: And look at the s.txt file. Address, email, phone, fax number is "
1851 - Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea, 130-791
1852 - Website: http://summer.hufs.ac.kr
1853 - Phone: + 82-2-2173-2062
1854 - Fax: + 82-2-2173-2877
1855 - E-mail: summer@hufs.ac.kr / isshufs@gmail.com
1856 "Format. The above format is not listed in the blackmail, is it listed in the above text file in the above format?
1857 A: It's all copied from the Internet. (The suspect stated "I copied and pasted it.")
1858
1859Nam Sang-wook Q: Why was the fax number listed even though the fax number was not used in the crime?
1860 Answer: I do not know.
1861
1862Nam Sang-wook Moon: Foreign language site You could access the summer school site http://summer.hufs.ac.kr and get the phone number, fax, e-mail and save it in the above s.txt file?
1863 Answer: Not.
1864
1865Nam Sang-wook Moon: The suspect has an antipathy to the outsider who is usually his alma mater.
1866 Answer: No.
1867
1868Nam Sang-wook Q: Is the Twitter address https://twitter.com/ISIS_Med imported?
1869 Answer: It came from Google search on the internet. (The suspect stated that they "came together when copying and pasting." Same as the answer on page 585.)
1870
1871Nam Sang-wook Q: How did you search on Google?
1872 A: I do not remember the search term.
1873
1874Nam Sang-wook: Do you usually follow IS?
1875 A: I will not follow.
1876
1877Nam Sang-wook Q: Did you find IS-related pictures on the suspect computer?
1878 Answer: Yes, yes.
1879
1880Nam Sang-wook Moon: And you synthesized the above IS-related pictures and edited the picture to be the same by marking the Hwarangdo and IS in Korea equally with '=' symbol?
1881 Answer: Yes, yes.
1882
1883Nam Sang-wook Q: Do you have an interest in IS?
1884 A: I just got to know the news, but I have no interest. (The suspect stated "I do not follow IS.")
1885
1886Nam Sang-wook Q: Is there any fact that the suspect visited the foreign site http://summer.hufs.ac.kr?
1887 Answer: No.
1888
1889 At this time, we show computer analysis program Encase analysis screen directly to the suspect. At this time, the attorney also looks at the above analysis program screen. (At this time, the investigator changed to cyber investigator Kim Kyung - hwan, wearing black - eyed spectacles at.
1890
1891Kim Kyung-hwan Moon: Suspect Computer What is 'bureau' in French at the bottom of my document?
1892 Answer: This is a term for desktop.
1893
1894 The suspect was surrounded by police officers who had been excited for a long time and was subjected to a coercion investigation that he had seen during the military torture film during the military regime of the 1980s. The list of filenames listed shows one by one from the top and goes down one by one. "What is this?" When the suspect did not know, Kim Kyung-hwan cried out loudly, "Why do not you know?" 4 to 5 investigators came into the interrogation room and asked for a high intensity.
1895
1896 At this time, I stopped the investigation for dinner. (The police arrested Park Cheol-hyun, the suspect, and only two people for dinner for a long time.) The lawyer Park Cheol-hyeon repeated the word "confess" to the suspect while eating the two lunch boxes, In the conversation police intercepted, the suspect questioned the blood type of Park Cheol-hyun and answered that he was AB-type, and asked whether he married Park Cheol-hyun's wife because he was pregnant at the time, It was all the congratulations.)
1897
1898 At this time, five pieces of the text file s.txt link file (A0065358.lnk, A0065518.lnk, A0065541.lnk, A0065621.lnk) found on the suspect computer are shown to the suspect and attached at the end of this document.
1899
1900Nam Sang-wook: 7. 20. As described in the 4th meeting, the link file (lnk) is automatically generated when a certain file is executed in the Windows operating system, for example, when viewing the above text file. File and analyze the lnk file to see which file you have opened. The link file creation date and time is the date when the first file is executed, and if you repeatedly execute the same file, the accessed time of the link file changes. The above five link files are link files that are automatically generated by running the s.txt file on the suspect computer. Checking the creation date and the modified date and time (Accessed time)
1901 1) A0065358.lnk 2014. 9. 10. 16:59 (date and time of creation), 2015. 7. 7. 14:57 (date and time of access)
1902 2) A0065518.lnk 2014. 9. 10. 16:59 (date and time of creation), July 7, 2015 (date and time of access)
1903 3) A0065541.lnk 2014. 9. 10. 16:59 (date and time of creation), July 7, 2015 (date and time of access)
1904 4) A0065621.lnk 2014. 9. 10. 16:59 (date and time of creation), July 7, 2015 (date and time of access)
1905 And the Obama intimidation article is posted on the White House on July 7, 2015, and the Repert's intimidation article is on July 7, 2015, I read the s.txt file which is written in Hangul on the contents of the intimidation article and write the crime article in the White House on July 7, 2015, I read the file three times on July 7, 21:10, 21:19, and 22:31, and posted a blackmail message about Ripper on July 8, 02:26?
1906 A: I do not know.
1907
1908 At this time, the link file (A0065569.lnk, A0065481.lnk) found on the suspect computer is shown and attached at the end of the document.
1909
1910Nam Sang-wook Q: When I look at the above link file, A0065569.lnk is castration.png file created by browsing on June 7, 2015, and when I check the above picture file, A0065481.lnk is a file created by browsing hufs.png on July 7, 2015. If you check the above picture file, it is a picture of the screen where the foreign language group is searched by Google and the picture of Lim Su Kyung. Have you ever read the above two files in the above list?
1911 A: I do not remember the exact time, but I remember reading two photo files above.
1912
1913Nam Sang-wook Q: I read about the picture file (hufs.png) on July 7, 2015, and the link file A0065481.lnk was created. The suspect stated that the above picture had memories of reading, and about 50 minutes after s.txt. I have browsed the file and found the link file (A0065358.lnk). Do you remember reading the s.txt file on July 7, 14:57?
1914 A: I do not remember reading. (The suspect stated "I do not remember the exact time.")
1915
1916Nam Sang-wook Question: 7. 7. I have read the s.txt file containing the contents of Hangul at four times in total. Have you ever seen a file?
1917 A: I do not know that.
1918
1919Nam Sang-wook Q: When was the last time you read the s.txt file?
1920 A: I do not remember the last time.
1921
1922Nam Sang-wook Q: Why do you keep denying the crime of reading the text document s.txt, which contains the contents of the Korean text on the intimidation article, four times before the crime was committed?
1923 A: I do not remember whether I read it four times. (The suspect stated "I do not remember the exact number of times.")
1924
1925Nam Sang-wook: I read the blackmail in Korean 4 times before the crime, and the blackmail was posted in the White House since then.
1926 Answer: There is no plan. (The suspect stated "I have never posted a blackmail".)
1927
1928Nam Sang-wook Q: How is your heart?
1929 A: There is no rattling like in the fourth survey.
1930
1931Nam Sang-wook Q: Is the suspect harmed?
1932 Answer: It is unfair. I would like the police to investigate the matter.
1933
1934Nam Sang-wook Moon: Lastly I'll ask. Do you really have access to the White House homepage?
1935 Answer: There is no connection.
1936
1937Nam Sang-wook: Do you have evidence or statements that are favorable to the suspect?
1938 Answer: No. (The suspect stated in the sense of "I can not submit favorable evidence or statements in the present state of detention.")
1939
1940Nam Sang-wook Q: Do you have anything more to say?
1941 Answer: On page 3, "Please ask the police officer to rub your shoulder" is your blood pressure. On page 28, the cruel photographs are downloaded habitually and I regret that I am curious. For the sake of misleading explanation, the child's naked photographs were downloaded from Nudists (naturalists), and the pictures of the baby's penis were cut off to make an essay criticizing the forced ceremony in Indonesia. It was. And I remember that the pictures with the knife in the child's boat are satirical images of the terrorist forces in the Islamic language, and the models in the photographs are pictures taken only by 18 years of age or older. Also, the pictures of blood in the female vagina were to criticize the girl 's forced circumcision tradition, and the picture of the bowel movement on the Taegukgi was to blame the blasphemy of the national flag. In addition, it was to expose the facts of illegal organs extraction and Kim Jung Eun regime. I wish you good judgment.
1942
1943Nam Sang-wook Q: Are all of these statements true? (Despite the fact that there was a lot of blank space in the A4 paper sheet to be printed, the investigator intentionally entered this question in this position to limit the space in which the suspects would state their handwriting. The defendant asked me, "Please give me more space to explain the true meaning of the pictures on page 563," but I was denied, and the suspect has enough of the meaning of the photo. In the written statement, more than half of the 592 pages with this question are blank.)
1944 Answer: Yes.
1945
1946 (After finishing the investigation, I asked Nam, "Do you remove the hard copy (or imaging) from the police later?" Nam Sang-wook smiled and laughed, saying, "Yes." Nam Sang-wook did not imagine that the contents of the notebook were useless from the beginning, and did not imagine the prosecution investigation, but also roughly ran the investigation and destroyed the evidence by turning on and off to check the contents of the notebook.)
1947
1948
1949
1950
1951 ++++++++++++++++++++ Prosecutor's Office ++++++++++++++++++++
1952
19531st round
1954
1955 At this time,
1956
1957Jung Guk Q: Is the suspect punished?
1958 Answer: No.
1959
1960Jung Guk Q: Has the suspect described his / her educational background in the police?
1961 At this time, record 277 ~ 295 shows a police document prepared by the suspect.
1962 Answer: Yes. I have stated the truth.
1963
1964Jung Guk Q: What is the education and experience of the suspect? (The prosecuting attorney handed the police investigation report with the record of the accused and his experience, and made reference to the statement.)
1965 A: I graduated from Cheongyang Elementary School in 1994, graduated from Kyunghee Middle School, graduated from Kyungbok High School in Hyoja-dong, Seoul, Korea in 1999, and graduated from Hankuk University of Foreign Studies in 2009. My career has been part-time from around 2011 to around 2013, recording the foreign news from the gas station part-time and KBS stations and delivering it to the editing room. (The investigator has repeatedly questioned the accused on a number of occasions, focusing on his / her last job, position, and duties.) The same question is then sent to the suspect through detention guards and court judges. I studied. I wanted to major in psychoanalysis in France. After studying, I tried to do a private clinic. (The suspect responded to each statement with a short answer or one or two sentences. Unlike the police investigator, the prosecutor's office always included five to six questions and answers, He then read the dossier printed out and pointed out several times that there was a difference in meaning to the investigator, but every time the investigator dismissed it as not being different.)
1966
1967Jung Guk Q: How is your health?
1968 A: I have a slightly higher blood pressure. I was prescribed medicine only at the private hospital when I was in the Jongro police station.
1969
1970Jung Guk Moon: Go to the White House homepage of the US House of Representatives on July 7, 20:20, 2015, enter the representative e-mail address used by foreign exchange students attending Hankuk University of Foreign Studies, Do you have any of the following after posting the address of a foreign university? (The prosecution investigator has not been able to figure out the case yet, stuttering throughout the investigation and reading down the questions on the monitor.)
1971 'From: Mr. Dong, Seoul, Korea, Seoul, Korea, Seoul, Korea), Address: Kangwon National University, Korea, 130-791, Damascus', and the following text Message: Dear Mr. President Obama and Mrs. First lady Michelle.
1972 ===========================
1973 Hi.
1974 I'm HUFS student from Seoul, Korea.
1975 How's your president family?
1976 I'm sick of my life cause I always mastervating with tranny prons.
1977 One day, I realize that I'm not going to die like this.
1978 I want to be a famous Korean male in USA history.
1979 Therefore, I am going to anal rape your second daughter Natasha.
1980 Is that okay?
1981 I think that bitch's asshole is much tighter than Malia Ann.
1982 So I need parents permission before the nigger anus.
1983 Do not worry about me: I eat lots of Kimchi so free from AIDS.
1984 I eager to penetrate nigro asshole before I killed by Kim Jung-un.
1985 Thanks.
1986 Answer: I have not posted such an article.
1987
1988Jung Guk Moon: The suspect said, "I am President Obama and Mrs. Michelle. I always get tired of wearing sex dressers and doing masturbation. So one day, I thought I had to do this. I decided to become a famous Korean man in America today. So I'm going to rape your second daughter, Natasha, with an anal. Because it seemed to be a more polite way to ask. I think the anus of the second daughter is more resilient than the anus of Malia (first daughter). So I have to get my parents' permission before I feel black anal. Do not worry about it. I eat a lot of kimchi and are safe from AIDS. I hope to penetrate the anus of black before it is killed by Kim Jung Eun. Thank you. "
1989 Answer: No.
1990
1991Jung Guk Q: Is there any fact that the suspect wrote the above?
1992 Answer: No.
1993
1994Jung Guk: Did not the suspects intimidate President Obama and US First Lady Michelle by listing them as above?
1995 Answer: No.
1996
1997 [Intimidation to Foreign Envoys]
1998
1999Jung Guk Moon: The suspect is on July 7, 2015, 02:26. Is it true that you have access to the homepage of the US White House and posted the following text?
2000 'From: Dr. Korea's Isis One ',' Email: summer@hufs.ac.kr ',' Phone: 82221732061 ',' Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu, Seoul, Korea , 130-791, Damascus'
2001 Message: Declaration Terror to Mr. President Obama.
2002 A beautiful Evening is it?
2003 Right this is the warning message from the Terrorist Attack.
2004 Korea, we're g0ing to re-attack US ambassador Mark Lippert in Seoul.
2005 So last time, my a5sassinator's mind is too weak to cut the ambassador's artery perfectly.
2006 End this time, we have been prepared by a well-trained traditional Cuisine-Professor and kill Him by nuclear poisoning.
2007 Ok? We'll take care of all your political comrades, but surely one by one, until the US army eliminates Bio-Chemical weaons in Korean Peninsular Mother Land.
2008 UltimatuM; 3xects us, our VVIP Archenemy Obama!
2009 LIMFAO, See mark Soon in your After-Life ... ...
2010 : #: #: #: #: #
2011 : # HUFSRO 4ourth 4inger: #: #
2012 : #: #: #:: #: #: #
2013 : #: #: #: #: #
2014 Answer: I have not posted anything.
2015
2016Jung Guk Moon: Describing the suspect as a South Korean student, he said, "I would like to declare terrorism to President Obama. Is not it a beautiful night? This message is a warning of a terrorist attack. We want to attack the US ambassador, Mark Ripert. Last time my assassin 's mind was so fragile that I could not completely break the artery of the US ambassador. At the end of this time, we have prepared a very well trained pro, so we will kill the ambassador with nuclear poisoning. OK? We will slowly and surely kill one of your political comrades ... Until US troops remove chemical and biological weapons from Korea. We will soon meet our greatest Obama, Mark Ripert, in the world. "
2017 A: I have not posted anything.
2018
2019Jung Guk Q: Is there any fact that the suspect wrote the above?
2020 A: I have not written.
2021
2022Jung Guk: Did not the suspects intimidate the Ambassador, Ambassador Rupert, a diplomatic envoy?
2023 Answer: No.
2024
2025Jung Guk Q: Does the suspect save the above documents on the victim's computer?
2026 Answer: Yes. I copied and pasted it on my computer.
2027
2028Jung Guk Q: What is the date and time of copying and storing the suspect in the suspect's computer?
2029 A: I'm sorry, but I do not remember.
2030
2031Jung Guk Q: How about copying and storing it on the suspect's computer?
2032 Answer: I ran a link (I do not know where) through Google search (I do not know what I searched) and put it on my computer.
2033
2034Jung Guk Q: What computer is the suspect's computer?
2035 Answer: The laptop.
2036
2037Jung Guk Q: When did the suspect purchase the notebook?
2038 Answer: I left KBS station to record foreign news and send it to the editing room, then bought a notebook, so I bought it in the first half of 2013.
2039
2040Jung Guk Moon: In fact, the suspect is stating that he is afraid of receiving heavy punishment, even if he puts the same contents as above.
2041 Answer: No.
2042
2043Jung Guk Q: Do you know that a suspect is punished by law if you intimidate others?
2044 Answer: Yes. I know.
2045
2046Jung Guk Q: Does the suspect have a relationship with US President Obama, US First Lady Michelle, US Ambassador Lippert?
2047 A: I have no relationship.
2048
2049Jung Guk Q: Does the suspect have an agreement with the victims?
2050 Answer: There is no agreement.
2051
2052Jung Guk Q: Did you tell the truth?
2053 Answer: Yes.
2054
2055Jung Guk Q: Do you have any more words or favorable evidence?
2056 Answer: None. (If there is no suspect, the investigator told me to write "no" by hand.)
2057
2058Jung Guk Q: Are there any items that are not listed or different from the facts as stated in the memorandum?
2059 Answer: (handwritten entry) None.
2060
2061Second round
2062
2063 At this time, the suspect responded 'I will be investigated under the participation of counsel.' After attending lawyer Park Cheol-hyun, the lawyer showed the suspect's mother's complaint to the suspect and said, Hand it over. (The suspect did not acknowledge the statement "I will be investigated under the lawyer's participation" or "I will not answer.") The investigator said in his own words, "The lawyer is not here." While reading the record after the investigation was completed, he read this record and asked the prosecutor to revise the record because he did not answer the question "I will or will not be investigated under the attorney's participation" "I refused.
2064
2065 The suspect reads the complaint (14:05 ~ 14:10) and then submits the complaint, saying "I will submit it to the prosecutor."
2066
2067 Towards the suspect,
2068Jung Guk Q: Has the suspect ever stated the truth before?
2069 Answer: Yes. I have stated the truth. It's what I said.
2070
2071Jung Guk Q: Why is the suspect arrested on the police in an emergency?
2072 Answer: ... I know that the arrest of me was an emergency and the police arrested him.
2073
2074Jung Guk Q: What does it mean to be urgent about the suspect?
2075 A: I think that because of my suspicion of terrorism and the destruction of evidence.
2076
2077Jung Guk Q: What do the charges of terrorism and evidence say?
2078 A: I was accused of terrorism against Ambassador Obama and Lippert, and I understand that the police misinterpreted me as a computer expert, multilingual.
2079
2080Jung Guk Q: How many countries do suspects speak a foreign language?
2081 A: English is above the upper middle level, and French is the lowest level among the 6 levels.
2082
2083Jung Guk, a police officer, seized the suspect's residence in a search warrant. During the execution of the warrant, the suspects used a laptop to capture US President Barack Obama's intent to rape his daughter. Capturing the contents of the original text Was not the picture file found and the suspect arrested in an emergency?
2084 Answer: Yes.
2085
2086Jung Guk Q: The suspect is not involved in investigations until the police seizure of five hours of confiscation, including lying on the bed in his underwear, throwing things at police investigators, Is there a consistency in the very uncooperative and insincere attitude, such as the smile, the smile, the laughing, and the repeated trimming? (It is the subjective judgment of the act according to the difference of point of view of the suspect, and I did not actively refute it because the police insisted that the investigation room was recorded by CCTV. The video that was submitted by the police at the first trial had the amount of interrogation taken.)
2087 Answer: ... There is. It was because the wine was a little worn at that time.
2088
2089Jung Guk Moon: Is the Lenovo that the suspect was confiscated by the police at the time?
2090 At this time, records 397 to 398 show the confiscated seizure and confiscation list.
2091 Answer: Yes. Yes.
2092
2093Jung Guk Q: I found MS Windows XP (language: France), time zone was set to 'Paris' in France, and shutdown time was July 13, 2015: 18 (GMT 0), the Republic of Korea is GMT + 9 time zone, and when it is +9 in the above time, it becomes the wonder of July 13, 20:47:18, and the time is the police seize the place of the suspect's residence It is time to check the crime data stored on the suspect computer.
2094 At this time, it shows the time when the notebook was last closed at the time of the confiscated seizure search on the 404th page of the record.
2095 A: I did not see my computer until I was confined to police when I was sleeping. At that time, the police told me that they had these files, but I did not see them.
2096
2097Jung Guk Moon: In analyzing the computer analysis program, in order to check the exact time (the time of the crime committed in Korea) that the file used in each crime was generated, the time band in the above analysis program was changed to Korean National Standard Time (GMT + 9) The analysis was conducted by changing to domestic time. As a result, the last access date of the usa.png file related to the crime was confirmed on July 13, 20:42, What is the date when the above file is opened?
2098 Answer: I initially trusted the evidence of the police case. However, when I suggested that I used the "SuperHideIP" program, which was proposed by the police, as an in-case, I had not used it since June 6, 2015, Lost.
2099
2100Jung Guk Q: Therefore, even if you set the time of the victim's laptop to the Paris time zone, if you set the EnCase program to domestic time, you can check the time that the suspect was committed in the Republic of Korea. When the date of access is confirmed by the seizure time zone, how is the time information confirmed by the above EnCase program confirmed to be correct?
2101 Answer: I downloaded the pictures through the Google search engine, and it is possible because of the Google Cache feature. If you have the Google Cache feature, you might be misinterpreting the time, and I'm personally concerned.
2102
2103Jung Guk Moon: The suspect said in the police, "Is not it true that the evidence to trust the Encase program is the evidence that analyzed the time lag where the threatening bulletin was presented by the police as evidence?" The suspect said, . Yes, "he said.
2104 Answer: I initially trusted the evidence of the police case. However, when I suggested that I used the "SuperHideIP" program, which was proposed by the police, as an in-case, I had not used it since June 6, 2015, Lost.
2105
2106Jung Guk Q: Is the suspect allowed to use the confiscated notebook?
2107 Answer: No. I have a password on my laptop and I have not given it to someone else.
2108
2109Jung Guk Moon: Has the accused ever used a confiscated notebook while traveling around?
2110 A: I left it in my house and I used it alone.
2111
2112Jung Guk Moon: The suspect has set a password for the laptop on the police, uses the suspect alone, and says, "I do not know the evidence that the police presented. I do not remember. "I denied the crime consistently. How about it?
2113 Answer: Police showed the name of the picture file in which the English and the numbers were written. (The suspect replied, "The police did not show the photo, but only listed the photo files with English and numbers, and when asked if I remembered, I did not remember," the investigator replied.)
2114
2115Jung Guk Q: Is there a blog (http://helpkorea.blogspot.kr) operated by the suspect?
2116 Answer: Yes. It is a diary type blog which I made and operated.
2117
2118Jung Guk Q: What do you usually post on a blog run by a suspect?
2119 A: I have described the media in critical terms. (The suspect defines "media" as "political news of comprehensive channels.")
2120
2121Jung Guk Moon: "A woman's penis is photographed and posted on the Internet under the heading" How to make money from one's eyes on the internet (foreign currency acquisition) "on the blog (http://helpkorea.blogspot.kr) operated by the suspect. You can earn money. "Is it true that you posted the following statement?
2122 At this time, the record is displayed on the blog (http://helpkorea.blogspot.kr) operated by the defendant who is stolen on pages 174 to 195.
2123 Answer: Yes.
2124
2125Jung Guk Moon: After completing "(2)" shooting on the blog (http://helpkorea.blogspot.kr) operated by the suspect, that night, Ji Sung-woo calls me as a laundry hanger and can be beaten at the shooting range. And then shaken about 20 times and then assessed in the anus. But I have not been informed of this until January 22, 2005 ... (Omitted below) "" Is it true that you posted the following statement?
2126 Answer: The Ministry of National Defense responded to the contents of the Ministry of National Defense complaint.
2127
2128Jung Guk Moon: In the blog (http://helpkorea.blogspot.kr) operated by the suspect, "(3)" The foreign university changed the minor in chemistry unilaterally without prior notification in 2012, I have been suspected of forgery every time because of the inconsistency in the name of the graduation paper. So, I have been suffering from economic losses since I have failed to get jobs from companies that have supported more than 1,000 since 2012, and I have also been suspected of my academic background and personal credit in my workplace where I worked freelanc ... (Omitted below) "" Is it true that you posted the following statement?
2129 A: In my remembrance, it is the content of my complaint by the Ministry of Education. (In the statement of the suspect, "KBS Fact Confirmation" received by the suspect at the time of retirement is recorded as "part-time" rather than "freelancer." After the expulsion of the suspect, (02-2639-2341), Moon Tae-sung informed the suspect that he was a self-employed person.
2130
2131Jung Guk Moon: If you look at blogs operated by suspects, you can see all the information such as phone number, e-mail address, and address information as foreign-language affiliates. And if you see 'masturbation', 'anus',' I will be poisoned by the poisoning "and the fact that it has been confirmed to have a strong dissatisfaction with foreign language classes.
2132 A: I remember being told to me during a police investigation, and I have not. (When the suspects repeatedly asked the question they had received during the police investigation, the suspect began to make a statement saying, "As I told you during the police investigation," the lawyer Park Chul-hyeon attended to answer the suspect's question " "Park Cheol-hyun, who was a new lawyer at the time of the prosecution's investigation, tried to build up a network with lawyers through his prosecutors for his success. He identified the prosecutors with the lawyer himself, did.)
2133
2134Jung Guk Moon: The suspect is a police officer, on his laptop, 'isis.png (intimidation against Obama)' original file captures file 'usa.png (threat to reporter)' on July 7, "The original document capture file was created on July 8, 2015 at 02:27, and the time of the obsession with Obama was posted on the US White House website on July 7, 2015, The operating system of the notebook is set to the French time zone on the reason that the intruding article is read on the Internet and stored in the computer of the suspect in about one minute of 2015. 7. 8. 02:26 And 4Chan.org site is a US site, claiming that there was an error in time, and stated that it would be impossible to do this in just one minute.
2135 Answer: That's what I said.
2136
2137Jung Guk Moon: After completing the reporter's intimidation on the White House website, the police officer captured the thank-you related webpage about 1 minute after the capture, through the Google Chrome browser, and ran the captured image again After 3 minutes, the original text of the intimidation was changed to file name usa.png, and after 1 minute, it was posted on 4chan.org site, and after about 9 minutes, I read the file generated by capturing and stated that the link file was created on the suspect computer and that the suspect did not understand it because he was not doing the act.
2138 Answer: That's right, but I do not have it.
2139
2140Jung Guk Moon: The suspects are at the police, and the time of the reporter threats posted on the 4Chan.org website is on July 8, 2015, 8. I am not sure about the reason why the time stored on the suspect computer may be faster than the time posted on 4Chan.org at about 02:27, the suspect is not sure, there is a problem with his computer, How is it?
2141 Answer: That's what I said. I remember Google Cache as well.
2142
2143Jung Guk Moon: The suspect stated that he had a computer problem, some malicious code, a possibility of hacking, Google cache. What do you mean by this statement?
2144 A: I am not a computer expert. (The investigator asked me what the symptoms were.) When I turn on the computer, the strange warning window appears squarely normal size. I'm not a computer expert, so let me investigate that, and Google Cache will ask Google Server to cooperate with the investigation.
2145
2146Jung Guk Q: What is the size and content of the alert window? (Actually, the investigator asked, "How many centimeters?", and the suspect stated, "I have never read it and I do not know.")
2147 Answer: The warning window is square in size, but I do not know the exact size and the contents of the warning window are not remembered. (The accused never remembered whether the contents of the warning window were written in English or French, and never interpreted it.)
2148
2149Jung Guk Moon: On the computer of the suspect, 1.JPG, 14.jpg, 10.jpg, 8.jpg, 4.jpg, 2.jpg, 1.jg, 18.jg, 5oe254mvhpke.jpg Is it proper to view the file?
2150 At this time, records 323 ~ 331 and 516 ~ 529 show the contents of the photo related to the reporter found on the computer of the suspect.
2151 A: I have not seen anything on July 7, 2015 because I have nothing to see. (Because the suspect studied or slept on July 7, 2015).
2152
2153Jung Guk Q: Why is the suspect storing the files 1.jpg, 14.jpg, 10.jpg, 8.jpg, 4.jpg, 2.jpg, 1.jg, 18.jg, and 5oe254mvhpke.jpg on the computer? (The prosecutor showed him the picture files on the monitor he was writing.)
2154 A: This is a collection of articles written to strongly criticize terrorism against the US Ambassador.
2155
2156Jung Guk Q: Has the suspect written a criticism of the usual acts of terrorism?
2157 A: I do not remember the exact time, but there is something on my blog that says it can threaten the alliance.
2158
2159Jung Guk Moon: The suspect reads the reputation related information as above, and the time of the reporter threat photograph is stored on the suspect's computer on July 8, 2015, and the reporter threats Since the time of the posting was around July 8, 2015, the suspect wrote and saved the above article and posted the reporter threatening article on 4Chan.org website?
2160 At this time, record 260 and 251 ~ 256 of the suspect computer file output is shown.
2161 Answer: No.
2162
2163Jung Guk Q: The suspect was on the police at the laptop. The contents of the text (s.txt) file created on April 10, 2014. The text of the file (s.txt) generated by the suspect was the email 'isshufs@gmail.com' , In Korean, 'I will kill Ambassador Ripper by penetrating the US Embassy', 'Obama will kidnap my little daughter to rape my anus', and the Twitter address 'http://twitter.com/' I do not know why the suspect was found about why it was found.
2164 At this time, the record of the defected notebook file is shown on the pages 332 to 335 of the record.
2165 A: I remember that I stated that I copied and pasted through Google Search.
2166
2167Jung Guk Moon: The file related to the crime that was found on the suspect's notebook is listed in chronological order. "(1) The s.txt file is first created on April 9, 2014, and the last access date is '15. On the 12th of July, the above file contains the phrase "Penetration of the US Embassy to Ambassador Ripper, I will surely kill Obama's little daughter to rape my anus" in Korean. Especially, the email used for the crime 'isshufs @ gmail.com, summer@hufs.ac.kr, and the name of the author 'Lifee Iss Crazzyy', the address of the foreign language, etc. "is listed in the form of the suspect, It appears to be in a free format on the file, how is it?
2168 Answer: Not.
2169
2170Jung Guk Moon: In addition, the suspect discovered that the above text document was scanned four times before the crime, and the link file (the file created automatically when the file was executed on the Windows operating system and the extension is lnk) was generated. ?
2171 Answer: I am not a computer expert, so please do a thorough investigation.
2172
2173Jung Guk Moon: In the suspect's notebook, files related to the crime are listed in chronological order by "(2) capturing files (isis.png, usa.png, etc.) directly related to the threats, I caught the screen while writing a message that intimidates the ambassador, and I found that the file name isis.png, usa.png is being saved as "is being saved.
2174 Answer: I downloaded the photo from the Internet and saved it.
2175
2176Jung Guk Q: Where did you download and store the suspects?
2177 Answer: It was downloaded through Google Image Search.
2178
2179Jung Guk Moon: July 7, 2015 The obscene article about President Obama was published in the White House, and the trail of reading the s.txt file in Korean (Isis.png) about 20:21 after 1 minute of crime time (around 20:20) is confirmed on the computer of suspect computer, and also, at 20:21 and 21:19, What happened to the traces of the file being viewed twice?
2180 Answer: I have just browsed the computer and copied it to a text file, and I do not know whether it was read or not.
2181
2182Jung Guk Moon: After the intimidation of President Obama, the same day, 21:38 on the same day, Ambassador Repert reports about the terrorist incident in 18 times, The file created on the suspect computer appears to be very closely related to the crime because it is re-visited about four months later, on May 7, 2015, at 21:38. (Previous surveys found that 15 traces were found.)
2183 A: I have not seen any of the above photographs on July 7,
2184
2185Jung Guk Moon: After the suspects re-read the s.txt file containing the text of the crime, the threat to Ambassador Ripper was posted on the White House website on July 7, 2015, What about the 'usa.png' file created on the White House website at 02:27 on the suspect computer? It seems that the suspect posted a post on the White House homepage.
2186 A: I have not posted.
2187
2188Jung Guk Moon: After continuing to capture the screens of the suspects' computer at the White House using the Google Chrome browser, the archived details were found, How is it?
2189 At this time, the record of the suspect computer file is shown on page 260 of the record.
2190 Answer: I did not capture it, but I downloaded it from Google.
2191
2192Jung Guk Moon: The suspects (3) The intruding article In addition to this, I visited the US White House website twice on May 24, 2015. I captured the screen while I was writing about black beauties using the Google Chrome browser, I have captured the screens that were shown at the completion of the process, and I caught the screenshot of the White House at the White House on June 25, 2015.
2193 At this time, we show the additional declaration data which is stitched on the record page 198 ~ 204.
2194 A: I did not write it, nor did I post it. It was downloaded through Google Search.
2195
2196Jung Guk Moon: The suspects (4) were found to have been photographed as monkeys by President Obama and Mrs. Michel, on June 25, 2015 before the commission of the crime. What happened after the crime was confirmed around 00:35?
2197 At this time the record shows the printout of the stolen suspect notebook file on page 596.
2198 Answer: This photo was downloaded through Internet Google Search, and I have not seen it more than once.
2199
2200Jung Guk Moon: The suspect is (5) In the photo related to the anus and the girl child nude, the suspect wrote the article to intimidate the second daughter 's anus in the Obama presidential intimidation article. Obama' s second daughter is 14 years old, There was a large number of photos of an anus on the laptop used by the suspect. The last visit was on July 13, 20:46. Especially, the word 'anal' was used 5 times in the blackmail, 6. 6. I have read about it, 7. 8. I have also stored it on my computer,
2201 At this time, the record of the defected notebook file is shown on pages 609 to 664 of the record.
2202 A: This photo is an illegal long-term trafficking, or an additional collection of materials to write about the North Korean regime. (The suspect downloaded the picture files and did not watch it more than 2 times.) In the Windows operating system, when the picture file was moved without moving the picture file, I tried to submit a proof of the screen shot by a smartphone, but Yongmin Kim refused to accept the video without seeing it.
2203
2204Jung Guk Moon: The suspect stated in the police that the photos of Reuters Terror taken on the suspect's computer just before the crime were all read by the suspect.
2205 A: I downloaded and saved the photo, but I do not watch it more than once.
2206
2207Jung Guk Moon: The police suspect that the police are underestimating women and that it is better to have sex rather than socializing with women, and that "I always have sex with a bastard and masturbate "(The suspect was a statement that faithfully replied in a general manner within the bounds of the common sense known to the suspect.) What is it like to make a clear statement of what the costume is? (In this way, the investigator asked a mixed question asking a mixture of questions to make sure the suspects were neither positive nor negative.)
2208 Answer: According to what I know, I have faithfully stated that the statement is correct.
2209
2210Jung Guk Q: The suspect police stated that they knew clearly the name of Obama's second daughter, Natasha, who was used in the blackmail.
2211 A: After I saw the intimidation that the police showed me, I found out.
2212
2213Jung Guk Moon: The suspect described the police officer as saying, "I am likely to be a famous person" at the police investigation, and the statement "I decided to become a famous Korean man in America today." Why is that?
2214 Answer: Famous things are not meant to be misleading. The latter famous Korean man meant to be a famous politician. (The "famous person" that the suspect referred to was "a famous politician," but the future hope of the suspect was not a politician.)
2215
2216Jung Guk Moon: (6) Regarding the photographs related to IS terrorists, the accused stated that the name of the author was' Dr. Korea Isis One 'and impersonated IS. The trail of the IS terrorist was discovered four times on July 17, 2015, before the crime was committed. It is stored for the first time, and it is also viewed on the 7th and 3rd, so the file stored in the computer of the suspect is not only saved, but also confirms the sucking after reading.
2217 Answer: I can not be certain how many times I have read the IS estimate picture.
2218
2219Jung Guk Moon: The suspect stated that the police said they had a determined will to the IS terrorist and kept a photo of the IS terrorist on the computer.
2220 Answer: Yes. Yes. (The suspect described what he felt in the photo.)
2221
2222Jung Guk Moon: The suspect is posted on the homepage of the National People's Daily, "I am going to return home with a nylon string on a railing, and I am going to return home." And why are you storing hundreds of pictures of women's bodies and keeping them?
2223 A: The Cheongwadae homepage and Kookmin Shinmunji homepage are for the purpose of one-person demonstration for the payment of Civil Defense transportation expenses. I did not look at the pictures more than once while I habitually stored the photographs in the process of collecting materials for writing.
2224
2225Jung Guk Moon: (7) In relation to the pictures related to North Korean Kim Jong Eun, the suspect wrote in the Obama presidential intimidation article that "I hope to penetrate the anus of black people before I was killed by Kim Jong Eun" The photographs of North Korean artifacts were saved on July 6, 2015, June 25, 2015, and pictures of Kim Jong Eun were stored on the computer. How about 00:09?
2226 A: I have never written such an article. I did not follow the North Korean Kim Jong Il system, but rather habitually stored it in the process of collecting materials for my writing.
2227
2228Jung Guk Moon: (8) In connection with IP change programs, 'SuperHideIP (version 3.3.8.8)' program has been found, which allows users to easily change their IP address on the suspect use notebook. Why did the suspect install the program?
2229 A: In my memory, I saw the news of IP related events at that time, and I changed the IP to Google and installed it. I tried to run it only once and then I did not run it.
2230
2231Jung Guk Q: Is not there a program that can change the IP for use in the offense of the suspect?
2232 Answer: No.
2233
2234Jung Guk Moon: The IPs 124.197.152.48 and 124.197.152.74 used by the suspect in the alleged crime were identified as the IPs assigned to the O-apartment No. 1 apartment at 45, Lee Moon-dong, Dongdaemun-gu, Seoul. As a result of checking the resident card of the subscribers of the broadcasting station, the contents described as 'Hankuk University of Foreign Studies' were confirmed in the school name of the suspect in O residence. (In Korea, the full street address will be enforced from 2014. If you inquire about the IP address of Tibur Road, you will be informed by the street name address starting from the agar route. It is estimated that I have confirmed the personal details of the application form I submitted to KBS before the road name address was put into effect in 2014. The address of the road name of the residence I will appear in the judgment.
2235 At this time, show the tenant card stitched on the side (blank space).
2236 A: I will not be able to confirm the answer, and the tenant card is correct.
2237
2238Jung Guk Moon: The suspects are from Hankook University of Foreign Studies (Hankook University of Foreign Studies) using IPH from the IPA at the US White House in IP on July 7, 20:20, @ gmail.com, etc., and did not intimidate by posting the message that "I am going to rape the second daughter of US President Obama with anal sex."
2239 Answer: No.
2240
2241Jung Guk Moon: The suspect is a member of the Hankook University of Foreign Studies (Hankook University of Foreign Studies) in the summer @ hufs [hufs] I am going to assassinate the US ambassador reporter and post the message of intention to threaten foreign nation.
2242 A: There is no such thing.
2243
2244Jung Guk Q: A suspect is poisoned by US Ambassador Lippert. A specific phrase mark "4ourth 4inger" (a sign left after a suspect has committed a crime. You may leave a message that only you can tell to know your skills.) How about you?
2245 A: I do not know anything about that phrase.
2246
2247Jung Guk Q: When I checked the site (http://archive.4plebs.org), which was searched with the keyword '4ourth 4inger' on internet search site 'bing' (Microsoft search site) (US Ambassador Lippert Threat), which was created by accessing the White House website of the United States, and the above text file is a picture file that captures the screen of the suspect who is making a statement on the White House homepage. ?
2248 At this time, it shows the [text capturing image file on the left side, text text on the right side]
2249 A: I have never posted anything.
2250
2251Jung Guk Q: Is the screen you are creating in the homepage input window of the original file captured by the suspect?
2252 At this time, the record [page file 135 captured in the picture file] Show screen being created in homepage input window].
2253 A: (At this time, the suspect thinks for a long time and tilts his head.) (The investigator described the behavior with malicious intent.)
2254
2255Jung Guk Moon: The US Ambassador to the suspect and the US President Barack Obama are threatening him.
2256 At this time, you will see the [obama intimidating text capturing picture file and text phrase] stitched on page 136 of the record.
2257 Answer: This is not my post.
2258
2259Jung Guk Q: Is the screen you are creating in the homepage input window of the original file captured by the suspect?
2260 At this time, it shows [the text file captured by the picture file - screen being created in the home page input window] stitched on the 136th page of the record.
2261 Answer: I do not know.
2262
2263Jung Guk Moon: The suspect is July 7, 2015. "Fraud is over. Take care of Lim Su Kyung. Http://boards.4chan.org/pol/thread/47625963 "which was posted on the website of Mr. Soo-Soo University." As a result of IP query with 124.197.152.111, Tibrodeid The IP address assigned to Dongdaemun Broadcasting is the same bandwidth as the IP used by the suspect and the same Internet subscriber.
2264 At this time, I will show you the reason why I checked the page on page 140 of the record.
2265 A: I have not posted anything.
2266
2267Jung Guk Moon: The above email is isshufs@naver.com, the same ID as isshufs@gmail.com, which the suspect used to write White House intimidation, is the same?
2268 Answer: ... This is not something I can tell.
2269
2270Jung Guk Moon: I searched on Google (http://google.com) and Bing (http://bing.com) using the phrase "4ourth 4inger", which was used by the suspect. org site, http://archive.4plebs.org, posted a caption on the US White House site on July 7, 2015, : It was confirmed that it was published in the 31st year.
2271 Answer: I have not posted anything.
2272
2273Jung Guk Moon: In addition, it is confirmed that the article posted on http://archive.4plebs.org using the Korean IP using the article that slanders Hankuk University of Foreign Studies.
2274 Answer: I have not posted anything.
2275
2276Jung Guk Moon: The suspect is dissatisfied with the outsider by failing to work due to the suspicion of academic ability by changing the minor in the foreign language department of his alma mater, the police, without a prior notice, and the above information is also posted on the suspect's blog.
2277 Answer: I first consulted the Ministry of Foreign Affairs about the changes I made at the foreign language school. (The suspect responded to the Ministry of Education complaints and sent the evidence documents to Yongmin Kim after the bail was released.) There is. I am not trying to hate the outside world.
2278
2279Jung Guk Moon: The police officer acknowledged that he had read the picture file (castration.png, hufs.png) that he viewed on his computer before the crime, S.TXT file "denies the fact that the suspect has been denied the fact that the suspect has denied all the crimes related to the crime.
2280 Answer: Not. Rather, I think that picture files and text files should be replaced. The reason for this is that I have read more of the text file because I have stored various contents in the text file. (The suspect has limitations in remembering a lot of computer usage history.)
2281
2282Jung Guk Moon: The suspect stated that the police use the Google Chrome browser when accessing the Internet, and many of the files on the victim's laptop that captured the White House homepage using the Google Chrome browser were found.
2283 A: It's not a capture, it's a download.
2284
Jung Guk Q: A capture file (screencapture-www-whitehouse-gov-contact-submit-auestions-and-comments-1432397652564.png) found on the suspect's computer is a file captured using the Google Chrome browser. 'www-whitehouse-gov-contact-submit-auestions-and-comments' consists of the URL address of the captured website, and the last 13 digits, '1432397652564', are the time information used by the Unix operating system, which can be converted to UTC+9 using a time conversion program (DCode) to check the captured time.
2286 Answer: I searched on Google and received the download as it is.
2287
2288Jung Guk: The suspect asserts that the capture file (a file that captures the content of the white house and the screen captured at the time of completion) downloaded from the Internet, such as the date and time the capture file was stored on the computer, , The 13-digit Unix time information in the captured file name, such as the date and time of capture of the web site screen, can be converted to the national standard time, so that the date and time of the capture can be confirmed. It is confirmed that it is written, is not it that the suspect wrote it directly and captured it?
2289 Figure 1 shows the date and time the capture file was saved on the computer, and the date and time when the web page was captured, respectively.
2290 Answer: No.
2291
2292Jung Guk Q: If the suspect downloads the above capture file from the Internet, the captured date and time can not be the same as the captured date on the computer, and the storage date and time must be later than the capture time.
2293 Answer: I think there are various possibilities for that. The possibilities are Google Cache, which I think goes beyond what I can explain.
2294
2295Jung Guk Moon: 1) The s.txt file is created on 1) 2014. 9. 10. 16:59 and the above s.txt file will be uploaded to the suspect's notebook (1) "I will kill Ripper Ambassador, Obama will kidnap my little daughter to rape my anus", and (2) I posted it on the intimidating article. Is 'isshufs@gmail.com, summer@hufs.ac.kr' showing the account? (I repeat the same question as the third investigator.)
2296 Answer: It's a copy that I copied through Google Search, not one I wrote.
2297
2298Jung Guk Moon: The suspect is 2) After the attack on "Obama's second daughter will be raped by anal sex, etc." on July 7, 20:20, posted on the White House homepage, 3) 20:21 It seems that the suspect had committed a crime by assuming that the capture file (isis.png) is stored on the victim's notebook and that only the victim has set a password on the laptop.
2299 A: I did not write that, and I can only use a laptop.
2300
2301Jung Guk: Did the suspect monitor the White House threats?
2302 Answer: I do not.
2303
2304Jung Guk Q: How can a suspect know the above information and capture it in less than a minute even though he has not been monitoring the White House threats?
2305 Answer: As mentioned above, it is downloaded from Google's cache or portal site.
2306
Jung Guk Q: The suspects 4) July 7, 2015. The article is posted on the back-up site of 4chan site, 4chan site is the foreign site to post anonymously. http://archive.4plebs.org is a site that is automatically saved as a backup file format when you post a post to 4chan.
2308 Answer: Yes. (The suspect thinks for a moment and turns his head back and forth). (The suspect thought briefly to remember what the police cyber investigator had explained, and the investigator described it as a depiction of aggressive behavior.)
2309
2310Jung Guk Moon: The suspects are 5) On May 7, 2015, the files of Reuters Ambassador and Kim Ki-jong, who tried to kill him, were searched intensively. 6) 02:26 Do not you think it was a crime that you posted on the White House homepage saying, 'I will assassinate US Ambassador Ripper again'?
2311 Answer: No.
2312
2313Jung Guk Moon: The suspect is 7) May 7, 2015. (1) The capturing file (usa.png), (2) The picture file indicating the completion of the writing on the US White House homepage It is obvious that the suspect had committed a crime because it was stored in a notebook and the suspect stated that he had set a password on the above notebook and said he only used it.
2314 A: I did not write that, and I can only use a laptop.
2315
Jung Guk Q: The suspect is posted on 4chan site and its back-up site, and 4chan site is an anonymous foreign site. http://archive.4plebs.org is a site that is automatically saved as a backup file format when you post to 4chan.
2317 Answer: Yes. It is correct to be saved as a backup file. (It is true that the accused got to know the police explanation).
2318
2319Jung Guk Moon: The suspect wrote that he did not write the article himself, he saw the article posted on 4chan site, and then retrieved it by searching Google. In order to make the excuse of the suspect correct, However, since digital analysis of the time of generation of related files shows that the time of file creation is 4chan posting after storing the suspect notebook, why do you think the suspect's claim is unfounded?
2320 A: Because I am not doing digital analysis, I can not give a definite answer about it. (The suspect did not do a Google search after seeing 4chan's article.)
2321
2322Jung Guk Moon: Go to the White House homepage of the US White House on July 7, 2015, enter the representative e-mail address used by foreign exchange students attending Hankuk University of Foreign Studies and the university phone number of foreign universities, I have said that someone who posted a post at a university address did a Google search and downloaded it. Is there any evidence or method to prove it?
2323 Answer: Not currently.
2324
2325Jung Guk Moon: I do not admit that the suspect has committed any crime, but I have two crime capture files found on a notebook that can only be used by a suspect, by setting a password, the time the file is stored is immediately after the crime, A text file that is captured in Hangul, a text document in which the threatening text is kept, traces of reading text documents 4 times before the crime, traces of repetitive terrorist attacks before the crime, dozens of pictures of the terrorist attacks, pictures of IS terrorists Observations on Obama's images, Observations on Observers, Observations on Anus and Children's Nudes, Hundreds of bizarre bodies, Pictures of Kim Jung-eun, and precisely matching crimes by time How does the suspect appear to have committed the crime?
2326 At this time, records 761 to 763 show the stolen suspect computer usage chart.
2327 A: It's different from the truth, the capture is downloaded, the photos of North Korea artificial airplanes, the photos of Ambassador Repertor, and photos of IS terrorists are misleading. (In the police investigation, the suspect described the actual meaning of the photograph by hand, from the bottom of page 591 to the page 592. The suspect viewed the photograph one or two times (accessed) And estimates that the movement of the picture file for the picture was counted as a reading.)
2328
2329Jung Guk Q: Has the suspect ever made the statement?
2330 Answer: Yes. I have stated the truth. It's what I said.
2331
2332Jung Guk Q: Are there any proofs or other things that are favorable to the suspect?
2333 A: I'm willing to take a lie detector test. Thank you. I received a request from the police investigation stage. (At the time of the police investigation, the suspect and Park Cheol-hyeon lawyer, only two people remain in the investigation room, Park Chul-hyun told the suspect, "You can get a lie detector test." After the investigation began, The suspect was asked to check the police's lie detector, and when the suspect made the handwritten statement at the prosecution's investigation, he used the expression "requested" "I refused," the suspect said, "I received a request from the police, but I will not fix it because I am not asking.") Finally, I think my blog post is wrong. (At the conclusion of all the blog posts of the suspect, the paragraph begins with "I hope my thoughts are wrong anyway ..." which emphasizes a neutral position on the topic.)
2334
2335Jung Guk Q: Are there any items that are not listed or different from the facts as stated in the memorandum?
2336 Answer: No. (The prosecutor investigated slowly when he started the investigation, but when the suspect became tired at the end, he launched a question.)
2337
3rd round
2339
2340 In the middle of the summer, the suspect was seated in a chair by a prosecutor, and after seeing his lawyer Park, he asked him to "float the water." Park Chul-hyun refused, "I want you to eat it," and the suspect obtained the permission of the prosecutor's office and drank water. Park Cheol-hyeon came to the police station with a Mercedes Benz car and asked him more importantly about the location of the parking lot at the first meeting with the investigators. Park Cheol-hyun, who asked me to hand him over to the suspect's parents because he would not receive a bargaining fee of 3 million won, came in well, but in front of the suspect under investigation,
2341
2342 The prosecutor's office was changed to a regular inspection.
2343
2344Jung Moon-sik Moon: (A regular checkup shows the analysis result and the isis.png picture file printed on A4 paper and tells the suspect, "I am sorry that the picture is small." And to exert pressure on the suspect, I gave up the two files.) [Present the above isis.png file and analysis result (isis.png_REPORT.txt) from the suspect's notebook.] The above file came out of the suspect notebook. Have you ever seen it?
2345 Answer: I saved this file on my notebook. I searched this file on the internet, downloaded it and saved it on my laptop. I did a Google search. The source of this file from Google search results was not verified. At the time, I do not remember what I put my search terms into while doing a Google search. At that time, I do not remember what kind of search I was doing specifically. The file contains the phrase "I am going to anal rape your second daughter Natasha." However, I think you'll need to know how I searched for the file with that content. (The official testimony showed the intimidation to the suspect, and then recorded in the record, 'I am going to anal rape your second daughter Natasha.'
2346
2347Jung Moon-sik Q: When did you download the above file?
2348 Answer: It seems to have been downloaded from the middle of June 2015 until the day of my confiscation (May 13, 2015).
2349
2350Jung Moon-sik Statement: As a result of the above file analysis, the above file was created on July 7, 20:21. Is the suspect downloaded on the date above?
2351 Answer: (At this time, the suspect nods his head.) Yes, I had downloaded one time and remembered that it was downloaded in July, so I downloaded it on July 7, 20:21, (The suspect stated that he was studying French at 50:50 on the 7-8th day, or taking a sleep, but he recorded what the attorney understood.)
2352
2353Jung Moon-sik Moon: (A regular checkup shows the analysis results and the usa.png picture file printed on A4 paper and tells the suspect, "I am sorry that the picture is small." And to exert pressure on the suspect, (The file was found on the suspect's notebook.) The above file was presented on the suspect's notebook. Have you ever seen it?
2354 Answer: Yes, I have seen this file. I downloaded it through internet search and saved it on my laptop. I searched on Google. I do not remember which search terms I entered into Google, and I can not remember which sites I downloaded from Google search results. I do not remember the exact date and time when I searched for this file. I did not remember why I searched this file, and I searched for no reason. I do not remember entering the White House as my search term. I seem to have downloaded and saved this file at once with a file (isis.png file) containing the phrase 'I am going to anal rape your second daughter Natasha.'
2355
2356Jung Moon-sik Statement: As a result of the above file analysis, the above file was created on July 8, 2015 at 02:27. Is the suspect downloaded on the date above?
2357 A: I remember downloading this file (usa.png file) in July 2015. However, I do not remember exactly whether I downloaded it on July 8, 2015.
2358
2359Jung Moon-sik Moon: (The official test shows the file attribute picture file and the picture file of this file to the suspect who printed it on the A4 paper screencapture-www-whitehouse-gov-thank-you-1436290042624.png " I had to copy this file to the computer on my computer, so the location of the file attribute would say "check", and I put on a stapler with an exaggerated gesture to pressurize the suspect. ) [The above screencapture-www-whitehouse-gov-thank-you-1436290042624.png file from the suspect's notebook and presenting the file property output] The above file came from the suspect's notebook. Have you ever seen it?
2360 Answer: I searched this file on the Internet, downloaded it and saved it on my laptop. I did a Google search. The source of this file, which comes from Google search results, is hard to remember. It's hard to remember what you put your search terms into while doing a Google search. I did not search for a specific purpose.
2361
2362Jung Moon-sik Q: When did you download the above file?
2363 A: I can not remember the exact date. It seems to have been downloaded from the middle of June, 2015 to the beginning of July, 2015.
2364
2365Jung Moon-sik Statement: As a result of the above file analysis, the above file appears to have been generated on July 8, 2015. Is the suspect downloaded on the date above?
2366 A: I do not remember the exact date, but it is between mid-June and mid-July 2015.
2367
2368Jung Moon-sik Moon: (Record 674 pages photo file) Above castration.png What is photo file?
2369 Answer: The above castration.png file is a picture file I downloaded. I remember that I was downloaded from mid-June to 2015. 7. Cops. Castration means 'castration'. The above file is a scene of a movie. I can not remember being a movie with a lot of content. I guess I did not put the word "castration" into my query. Because it's about Google search results, I'm beyond the scope of what I'm describing.
2370
2371Jung Moon-sik Moon: (Record 675, 677, Representative Lim Seong-Kyung) What are the photo files?
2372 Answer: I searched for photos of Mr. Soo - kyung who showed me to use as a resource for criticism. I received a Google search and download. It is to criticize the main North Korean government. I store criticisms in my diary-style personal blog. I can not remember the exact date when I downloaded these files. In the material shown, the date and time of creation of these files is July 7, 2015. I think that the reason why the file creation date and time is analyzed as above dates is beyond the range that I can answer. I posted an article about Lim Soo Kyung in my blog (antihufs.blogspot.kr) on July 7, 2015, and the above pictures are included in the article. That blog is still open. (It was impossible to remember all three or four thousand articles written by suspects.) At first, the suspect did not know what was on this blog. When the suspect said, "It was between the middle of June and the beginning of July," the lawyer Park Chul-hyeon said, "Why do you lie to the suspect? ? "), And showed the date of the suspect's blog on his cell phone. The suspect responded that he saw his cell phone and posted it on July 7, 2015.)
2373
2374Jung Moon-sik: Does the suspect use a router when using a laptop?
2375 Answer: I have never written a program to change Internet IP, but I use a router. I purchased an internet router for 12,000 won ten years ago. Again, I can not remember exactly when I bought it. I have a router in my house, and I have 3 computers (my laptop, my desktop, my dad, and my computer are using that router). I use the router every time I use the internet. I have not changed my Router setting since I have never used it, but I have not changed my Router setting any more. When I use my Router, I enter ID (ADMIN) and Password (494) in the Router. I have not touched the case of the suspect.
2376
2377Jung Moon-sik Moon: Is there anything the suspect wants in the prosecution investigation process?
2378 A: Now that I have sealed my laptop, I did not break it. It is difficult to tell which part I should investigate because I am not an expert. (The prosecution extended the detention period of the suspects by 10 days in the name of investigating notebook hacks.)
2379
2380Jung Moon-sik Moon: Do you have any more to say?
2381 Answer: No.
2382
2383Jung Moon-sik Q: Are there any items that are not listed or different from the facts as stated in the memorandum?
2384 Answer: (handwritten entry) None.
2385
4th round
2387
2388 At this time, the defendant is attending lawyer Park Cheol-hyeon attorney, saying that he will be investigated under the participation of counsel. Toward the suspect, (The official examination did not participate in the interrogation of the suspect, but did not record it in the prosecution dossier.)
2389Jung Guk Q: Has the suspect ever stated the truth before?
2390 Answer: Yes. I have stated the truth. It's what I said.
2391
2392Jung Guk Moon: The suspect described last time that he used the mobile phone of the suspect's mojo OO. Does he remember the cell phone number used by the suspect?
2393 Answer: I used a number other than 5787 from my mother's cell phone number.
2394
2395Jung Guk Moon: The suspect is Mo-Kim OO's cell phone number is 010-2359-8775, 010-3687-5787. If the suspect has not used 010-3687-5787, the remaining 010-2359-8775 is used Is that right?
2396 Answer: It's true that I used my mother's cell phone, but I can not remember the cell phone number I used.
2397
2398Jung Guk Moon: How long did the suspect use the cell phone (010-2359-8775) of Mo Kim OO?
2399 Answer: We used until recently.
2400
2401Jung Guk Q: How long has the suspect used the mobile phone (010-2359-8775)?
2402 Answer: I can not remember the exact date.
2403
2404Jung Guk Moon: The suspect has not used the phone since April 4, 2015, as shown below on 010-2359-8775.
 Business name / Order number / Usage type / Origination number / Called number / Call start time / Usage time (seconds) / Outgoing base station address
 LGU+ / 29 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:25 / 0:1:17 / 641 Shinna-
 LGU+ / 30 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:44 / 0:0:32 / 641 Shinna-
 LGU+ / 31 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:47 / 0:01:37 / 641 Shinnap-dong,
 LGU+ / 32 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 19:57 / 0:0:29 / 641 Shinna-
 LGU+ / 33 / Voice / 010-2359-8775 / 010-3687-5787 / 2015-04-03 16:03 / 0:0:34 / 331-1, Seokgung-dong, Seongbuk-gu, Seoul
2411 Answer: Yes. After that, it is not used.
2412
 (The prosecuting attorney said, "How is April 4 recently?", and the suspect answered "I can do that.")
2414
2415Jung Guk Moon: The suspect called 010-2359-8775 is the mobile phone (010-3687-57787) that uses the suspect's mobile phone. Is this correct?
2416 Answer: Yes. Yes.
2417
2418Jung Guk Moon: The suspect is 010-2359-8775. Did anyone else talk to anyone other than the suspect?
2419 A: I rarely spoke to anyone.
2420
2421Jung Guk Q: Why does not the suspect have a call history from April 4, 2015 to 010-2359-8775?
2422 A: You did not call because you had nothing to call.
2423
2424Jung Guk Moon: As the phone call (010-3687-5787) of the suspect, Mo Kim OO's cell phone (010-3687-5787) will be shown as below. July 7, 2015. Gangwon-do, Gangwon-do, I made a phone call from the suspect, did not I use the cell phone? (The prosecution violated the privacy and privacy of the suspect 's mother without a court warrant or investigation.)
 Business name / Order number / Usage type / Origination number / Called number / Call start time / Usage time (seconds) / Outgoing base station address
 LGU+ / 1232 / SMS / 010-3687-5787 / 010-8230-2824 / 2015-07-07 8:50 / :: /
 LGU+ / 1233 / Voice / 010-3687-5787 / 054-840-5466 / 2015-07-07 8:51 / 0:01:20 / 331-1, Seokgung-dong, Seongbuk-gu, Seoul
 LGU+ / 1234 / SMS / 010-3687-5787 / 010-8230-2824 / 2015-07-07 16:29 / :: /
 LGU+ / 1235 / SMS / 010-3687-5787 / 010-4050-7402 / 2015-07-07 16:32 / :: /
 LGU+ / 1236 / Voice / 010-3687-5787 / 010-8230-2824 / 2015-07-07 18:01 / 0:00:51 / 346-3, Sansuri, Namsan-myeon, Chuncheon-
 LGU+ / 1237 / MMS / 010-3687-5787 / 010-792-9484 / 2015-07-08 14:31 / :: /
 LGU+ / 1238 / Voice / 010-3687-5787 / 010-5660-7804 / 2015-07-09 13:12 / 0:01:11 / 3rd Floor, Canaan Church 207, Jung-hwa-dong,
2433
2434 A: It's not my own, it's my mother's cell phone.
2435
2436 (The prosecution investigator questioned the accused about why her mother went to Chuncheon city in Gangwon province, and the suspect did not know that this was not recorded in the record.)
2437
2438Jung Guk Moon: The suspect is going to the village resort of Gonggok-ri (San-suri) on July 7, 2015. Kangwon-do 346-3, Sansuri, Namsan-myeon, Chuncheon,
2439 A: I was at home.
2440
2441Jung Guk Moon: Was the suspect alone on July 7, 2015?
2442 Answer: Yes. I was at home alone.
2443
2444Jung Guk Moon: Do you remember when the suspect's mother Kim came home?
2445 A: My parents are out with me and I do not remember the exact date of my return home, but I remember coming back home about the weekend.
2446
2447Jung Guk Moon: Looking at the phone call (010-3687-5787) of the defendant Mo Kim OO's name, it is reported to be the third floor base station of Canaan Church 207 Junganghwa-dong, Jungnang-gu, Seoul, It looks like you're back in Seoul.
2448 A: I can not remember the exact date my parents returned home.
2449
2450Jung Guk Q: So, is the suspect alone at home from July 7, 2015 to July 8, 2015?
2451 Answer: Yes, yes.
2452
2453Jung Guk Q: What did the suspect do at home alone?
2454 A: I do not remember exactly what I did.
2455
2456Jung Guk Moon: The suspects last, "2015. 7. 7. At 20:20, the obsession for President Obama was posted on the White House, and on the same day 14:57 on the same day, there were traces of reading the s.txt file in Korean, : 20) 1 minute after 20:21, capturing of threats (isis.png) is confirmed on the computer of the suspect, and the above s.txt file is read twice (ahead of 21:10 and 21:19) The suspect said, "I just scanned the computer and copied it to a text file, and I do not know whether it was scanned or not." How is it?
2457 Answer: Yes. It is correct as I stated before.
2458
2459Jung Guk Moon: The suspect is on July 7, 2015, 20:20, 20:20. Is it the correct time to copy the text from the suspect computer and paste it into a text file?
2460 Answer: I do not know the exact time. It is correct that I copied and pasted the results from Internet search.
2461
2462 At this time, the defendant responded by saying, "Let's rest for about 10 minutes and proceed with the investigation again." After taking a rest for 10 minutes (15:05), the defendant's lawyer sits again next to the suspect : 17). (Attorney Park Cheol-hyeon asked the prosecutor "Let's take a break because I have to deliver the papers to another client.")
2463
2464Jung Moon-sik Moon: The suspect is posted on the White House website on June 7, 2015, about the Ambassador Repertory. One minute later, at about 02:27, The file was created on the suspect computer. Is the time at which the suspect was copied from the suspect computer through Internet search and pasted to the text file?
 Answer: The exact time zone is ... (At this time the suspect closed his eyes and thought for a while) ... It's a little hard to remember. It is correct that I copied and pasted the results from Internet search. (The prosecution officer exaggerated that the suspect thought for a while, through the depiction of the act of aggression.)
2466
2467Jung Moon-sik Q: How about a detailed explanation of how the suspect copied and pasted the results of Internet search?
2468 A: I went into the internet and searched, but the search terms were hard to remember and I copied the search results and pasted them into a text file.
2469
2470Jung Moon-sik Q: How do I get the search result when I can not remember the search term?
2471 Answer: ... It's a bit difficult to identify the exact query. (The suspect searches a large number of search terms to find search results just like ordinary people, remembering only the search results, and not remembering what search terms you searched for.)
2472
2473Jung Moon-sik Moon: The suspects are www.blogger.com, jeolladian.blogspot.com, jeolladian.blogspot.com, helkorea.blogspot.com, helpkorea.blogspot.com, bosulachi.blogspot.com, antihufs.blogspot.com, antihufs.blogspot.com, avstats.avira.com Do you know these sites?
 A: Of the above sites, www.blogger.com and avstats.avira.co are unknown sites; jeolladian.blogspot.com, jeolladian.blogspot.com, helkorea.blogspot.com, helpkorea.blogspot.com, bosulachi.blogspot.com, antihufs.blogspot.com, antihufs.blogspot.com are my blogs. Bosulachi is an Internet language that refers to a woman whose conduct is the subject of social criticism.
2475
2476Jung Moon-sik Moon: The suspects access the above sites on July 7th and 8th, 2015, and the hackers are running the suspects' jeolladian.blogspot.com, jeolladian.blogspot.com, helkorea.blogspot.com, helpkorea. Do you know how many URLs you know, such as blogspot.kr, bosulachi.blogspot.com, antihufs.blogspot.com, antihufs.blogspot.com?
2477 A: I'm not sure, but I do not have access to all of the above. (The suspect opened multiple blogs with one Google mail account.) I insisted on 'Google Cache', and my parents and lawyers claimed that my laptop might have been hacked at this time. (Attorney Park Cheol-hyun who heard this statement stared at the suspect for a while without saying anything.)
2478
2479Jung Moon-sik Question: Why did you tell the log records that you have access to the above sites on July 7th and 8th, 2015, and that you have not accessed all of the above?
 A: I do not remember what I did at the time. (The suspect has not been able to access all of the blogs because he did not manage them by creating multiple blogs.)
2481
Jung Moon-sik Q: When the prosecution re-imaged the suspect's laptop, Jung Moon-sik said, "I did not have Hangul input function on the laptop used by the suspect, but I entered Hangul using Internet input device. How do I input / output Hangul?" (When imaging at the Cyber Office of the Public Prosecutors' Office, Cyber Investigator of the Chief Prosecutor's Office showed the process of analyzing the laptop to the suspect.)
2483 A: Find the site that comes up with 'Hangul input device' on Google and click on the search result to input Hangul using the keyboard. There is a Korean keyboard on the notebook I bought and confiscated. The alphabet and Korean are shown on the keyboard. I used a French version of Windows XP on the laptop. I have installed a French version of Windows to enter French special characters. (The official testified, "Why do you write it?") And the suspect stated "I bought the cheap laptop because I was unemployed, I wrote it with inconvenience." But I did not record it in the record. However, the prosecution cyber investigator estimates it to be between two and three million won, "from the beginning," the laptop's hard disk capacity is quite large. "
2484
2485Jung Moon-sik Q: How do you describe the process of entering Korean into Google in detail?
2486 Answer: First, enter Google (www.google.com) into the Internet address bar, and when the Google window appears, enter the Korean input device (gksrmfdlqfurrl) in English into the search box. Then, the Korean input method site appears in order, and from the top of the Korean input method site, click downward to find a site where you can input Korean. If you find a Hangul input site, you can input Hangul by using computer keyboard and then copy the Hangul input and paste it in the place where Hangul input is needed. (The suspect's laptop is in French, so typing www.google.com leads to www.google.fr.) Even if you search for both sites with the same search terms, the order of the search results displayed is different.)
2487
2488Jung Moon-sik Moon: As a result of the prosecution's hacking test on the suspect's laptop, there are no signs of specially remote control (especially July 7, 2015, and July 8, 2015). How about this? And the suspect did not delete the access log from the laptop router?
2489 Answer: (The suspect does not answer the hacking test result.) I just entered the ID and password on the router, and I do not remember when I entered it. I did not delete the Router Access Log on June 25, 2015, June 7, 2015, and July 8, 2015.
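
The file-name timestamp check described in the interrogation above, as an added example that is not part of the original record and is not the DCode tool it mentions: it splits a `screencapture-...-<13 digits>.png` name into the URL part and the Unix time in milliseconds, converts that to UTC+9, and relates it to a file-system timestamp. The function names, the tolerance and the file-system times in the demo are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9), "KST")  # UTC+9, the zone named in the record
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Name layout as quoted in the record:
#   screencapture-<page URL with separators turned into '-'>-<13-digit Unix time in ms>.png
NAME_RE = re.compile(r"^screencapture-(?P<slug>.+)-(?P<ms>\d{13})\.png$")


@dataclass(frozen=True)
class CaptureName:
    url_slug: str   # URL part of the name, still '-'-separated
    epoch_ms: int   # Unix time in milliseconds as embedded in the name
    utc: datetime   # the same instant, timezone-aware UTC
    kst: datetime   # the same instant shown in UTC+9


def parse_capture_name(filename: str) -> CaptureName:
    """Decode the URL slug and embedded timestamp from a capture file name."""
    m = NAME_RE.match(filename)
    if m is None:
        raise ValueError(f"not a screencapture-<url>-<13 digits>.png name: {filename!r}")
    epoch_ms = int(m["ms"])
    # Integer millisecond arithmetic avoids float rounding of the sub-second part.
    utc = EPOCH + timedelta(milliseconds=epoch_ms)
    return CaptureName(m["slug"], epoch_ms, utc, utc.astimezone(KST))


def relate_to_fs_time(capture: CaptureName, fs_time: datetime,
                      tolerance: timedelta = timedelta(minutes=1)) -> str:
    """Relate a file-system timestamp to the time embedded in the name.

    'same-time'      : the two agree within the tolerance
    'stored-later'   : the file-system time is after the embedded time
    'stored-earlier' : the file-system time is before the embedded time
                       (clock skew, a renamed file, or an altered timestamp)

    Caveats: the embedded value comes from the clock of whichever machine made
    the capture, a file-system creation time is reset when a file is copied or
    downloaded, and neither value identifies who was at the keyboard.
    """
    if fs_time.tzinfo is None:
        raise ValueError("fs_time must be timezone-aware; state the zone of the report")
    delta = fs_time - capture.utc
    if abs(delta) <= tolerance:
        return "same-time"
    return "stored-later" if delta > timedelta(0) else "stored-earlier"


if __name__ == "__main__":
    # The two file names are quoted in the record; the file-system times below
    # are constructed sample values, not figures taken from the analysis report.
    names = [
        "screencapture-www-whitehouse-gov-contact-submit-auestions-and-comments-1432397652564.png",
        "screencapture-www-whitehouse-gov-thank-you-1436290042624.png",
    ]
    sample_fs_time = datetime(2015, 7, 8, 2, 27, tzinfo=KST)  # constructed, minute precision
    for name in names:
        cap = parse_capture_name(name)
        print(cap.url_slug)
        print("  embedded time (UTC):  ", cap.utc.isoformat())
        print("  embedded time (UTC+9):", cap.kst.isoformat())
        print("  vs. sample file time: ", relate_to_fs_time(cap, sample_fs_time))
```

A report that gives times only to the minute needs a tolerance of at least one minute, and the comparison is only meaningful once the time zone of the file-system value has been established.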
2490
2491
2492
2493
 ++++++++++++++++++++ Forensic Investigation for Brother 6666 Case 2015 Verification Statement ++++++++++++++++++++
2495 Author: In-Sung Kim, Professor, 010-5270-5779, No. 819-5, Bangbae-dong, Seocho-gu, Seoul,
2496 (On January 19, 2016, Kim Yong-Min attorney handed in the opinion of professor Kim In-Sung)
2497
2498 1. Whether hacking outside
2499 No external hacking traces were found.
2500 2. The legitimacy of the forensic process
2501 There was no expert to judge the legitimacy of forensic work in the seizure process.
2502 3. The fact that White House access records do not exist on the computer
2503 If you use the Web browser's secret access feature,
2504 4. Whether to change the router MAC address
2505 The router MAC address can be changed and there is also a trace of change.
2506 5. Whether the 7.21 date file exists,
2507 7.21 Date The created file does not exist. The date of file creation in the report is considered to be the date of creation of the report, which is the author of the report.
2508 6. If the hash value of the hard disk imaging file is different
2509 It is judged that the hash value has changed because reimaging was performed after rebooting the computer to check the time zone after imaging in the seizure search process.
2510 7. White House screen capture file
2511 The White House screen capture file is captured and stored on this computer.
2512 This statement is a review of the evidence only and is not a definitive opinion and may be subject to change if additional evidence is available.
2513 2015.12.29 Kim In Sung. (signature)
2514
2515 If you use the web browser's secret access function, you may not record the connection.
2516 It's hard to rule out the possibility of using the incognito feature because you asked about the incognito access in the newspaper process and answered that you knew about it.
2517
2518 -------------------------------------------------- --------------------------------------------------
2520
2521 If downloaded from the Internet, the above file name and the Zornjdm file will be created. By the way, the above file is not found on the computer. If you look at the above, what do you think the suspect looks like in a file
2522 Answer: I'll take good care of you.
2523 Law? : Google has 4 secrets on each of the browsers. That's right.
2524 Q: What is your reason for using the above sounds? Answer: It is useful to use something because it is a novel.
 Q: What is Incognito? Answer: I do not know.
2526 Q: The secret function is to set the internet connection speed in case of internet browsing, and it is a function to access the Internet without saving the file temporarily. Do you know Lee?
2527 Answer: I do not know.
2529 -------------------------------------------------- --------------------------------------------------
2530 [Picture of this OO evidence record .pdf file opened with Adobe Acrobat Pro]
2531
2532 4. Whether to change the router MAC address
2533 The router MAC address can be changed and there is a trace of change.
2534 The router shows a log when the MAC address is changed, but its settings include a function that prevents the log from being saved.
2535
2536 It is difficult to say that the MAC address associated with the IP address assigned by the vendor is found on the router, and that the MAC address is not used because the change log is not left on the router.
2537
2538 -------------------------------------------------- --------------------------------------------------
2549 - At the time of the crime, the user's Internet Router <Administrator's Page
2550 - Internet access routers from 2015, 7 7, .19: 57, 7, 8: 02: 44, which were found on the commissioned notebook,
2551 To connect to the Internet Router, connect the two terminals of the Noto Book. 4. Save the configuration file.
2552 Why do you check your internet connection information call? 룔 7. 7. 20:03:05 룔 7.8 02:33:24
2553 On the White House Web site, the threats are changed between the time the two messages were published, and the time that the change was made to the router.
2554 -------------------------------------------------- --------------------------------------------------
2555 [Picture 4 of this OO evidence record .pdf file opened with Adobe Acrobat Pro]
2556
2557 5. Whether a file dated 7.21 exists
2558 No file created on 7.21 exists.
2559 No file matches the file creation date specified in the report.
2560 The creation date of the file with the same name as the file submitted as evidence in the report is prior to the seizure.
2561
2562 For the s.txt file submitted as evidence in the report, the creation date matches the file creation date recorded in the hard disk imaging data.
2563 The file creation dates in the report, except that of s.txt, are judged to be the date the report was created.
2564 Therefore, giving the file creation date as 7.21 is a mistake by the report author.
2565
2566 -------------------------------------------------- --------------------------------------------------
2655
2656 -------------------------------------------------- --------------------------------------------------
2657 [5 photos of this OO evidence record .pdf file opened in Adobe Acrobat Pro and 5 photos of the evidence file analyzed with EnCase Forensic]
2658
2659 6. If the hash value of the hard disk imaging file is different
2660 The difference between the hash values of the initial imaging and the secondary imaging is judged to result from reimaging after the computer was rebooted to check the time zone following the initial imaging.
2661
2662 -------------------------------------------------- --------------------------------------------------
2663 ! О о | , Seok Seok-cheon Information | 4: Surname Name Contact I Investigation of the Cyber ​​Investigation Team, Seoul Metropolitan Government Inspector Nam Sang Wook 02-700-5923 1
2664 Carpenter | ! If the accused has contacted the White House Web site on July 7, 2015, and 7 * 8, 2015, and intends to threaten the US President's family and US Ambassador to Korea,
2665
2666 Cancellation request information (duplicate image)
2667 Model (manufacturer) and duplicate image file name's hash value yugeu a slow ^ ACHI HDD Z5K500-500 500GB attached to the laptop lenovo B490 3 ^ 500GB ^ NOTEBOOKM1 ~? 29 round 29 files 2a2ff60f03143ff34eelel 65830e322a2 (MD5) blood, 'Seagate HDD ST500DM002 Clone image of â–
2668 ab5b3e7f256963d5cfe9 150713J00GBM1? E12 12 files fll.94964dbf5 (MD5)? Agate Replication of HDD ST3250820AS 50713J50GB.E01 ~ E15 15 files 9e! 50077d753fl01e733 <52ece3a246e7 (MD5) 1
2669 -------------------------------------------------- --------------------------------------------------
2670 [Photo taken with a document tied up with a mobile phone camera and wired]
2671 Hash value generated at initial imaging
2672
2673 -------------------------------------------------- --------------------------------------------------
2674 (3) Fruit and hash value
2675 i number of extracted file name hash value _5) | ? Chapter 11 on ienovo B490 laptop image file of a è€ yudoen j 1 HITACHI HDD Z5K500-500 / 1 1 500GB 1 1 i507I ^ 500GELNOTEBOOK.EQl 1 1 ~ 29 * 29 files a result, the water commission llzip 288354CFC1A94D552 |
2676 1 6Aim24? D181F0 \ / 2 I 150713J00GB.E01 ~ E12 / 12 No fruits 'None \ I 3 I 150713J50GB.E01 - E15 1 15 No file I â– 1/4 1 [20150713-segateJOgM' â– 12 No file * 1 None \! 51 150713J0GB.E01 ~ Ell f- 11 fruits m \ ^ \? It can be used as a tool, ? J \ Row 1 1 1 1
2677 -------------------------------------------------- --------------------------------------------------
2678 [Photo taken with a document tied up with a mobile phone camera and wired]
2679 Hash values created when imaging after turning on the computer for time zone verification
2680
2681 Note that copying an imaging file does not change the hash value. The prosecution needs to explain why the hash value from the reimaging after the time zone check differs from the hash value of the image made by the prosecution.
2682
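The point made in section 6 and in the note above (a copied image keeps its hash, an image taken again after a reboot does not) can be reproduced and narrowed down to the sectors that changed. This is an added example, not part of the report or of the investigators' tooling: it assumes raw (dd-style) images rather than EnCase E01 containers, works on a small constructed disk, and every function name and rewritten sector number in it is hypothetical.

```python
"""Added illustration: a copied image keeps its hash, a re-acquired one may not."""
from __future__ import annotations

import hashlib

SECTOR = 512  # bytes per sector on the constructed disk


def md5_hex(data: bytes) -> str:
    """MD5 is used only because the report quotes MD5 acquisition hashes."""
    return hashlib.md5(data).hexdigest()


def build_constructed_disk(sectors: int = 64) -> bytes:
    """Constructed stand-in for a seized drive: deterministic filler, no real data."""
    return b"".join(
        hashlib.sha256(n.to_bytes(4, "big")).digest() * (SECTOR // 32)
        for n in range(sectors)
    )


def split_image(image: bytes, segment_size: int) -> list[bytes]:
    """Split a raw image into segments, as acquisition tools do for large disks."""
    return [image[i:i + segment_size] for i in range(0, len(image), segment_size)]


def hash_segments(segments: list[bytes]) -> str:
    """Stream segments in order; the result equals the hash of the unsplit image."""
    digest = hashlib.md5()
    for segment in segments:
        digest.update(segment)
    return digest.hexdigest()


def simulate_boot(disk: bytes, writes: dict[int, bytes]) -> bytes:
    """Return the disk as it looks after a boot rewrote the given sectors (assumed)."""
    after = bytearray(disk)
    for sector, payload in writes.items():
        if len(payload) > SECTOR:
            raise ValueError("payload larger than one sector")
        start = sector * SECTOR
        after[start:start + len(payload)] = payload
    return bytes(after)


def changed_sectors(first: bytes, second: bytes) -> list[int]:
    """List the sector numbers whose content differs between two acquisitions."""
    if len(first) != len(second):
        raise ValueError("images differ in size; compare the disk layout first")
    return [
        offset // SECTOR
        for offset in range(0, len(first), SECTOR)
        if md5_hex(first[offset:offset + SECTOR]) != md5_hex(second[offset:offset + SECTOR])
    ]


def compare_acquisitions(first: bytes, second: bytes) -> dict:
    """Compare whole-image hashes and, on mismatch, locate the changed sectors."""
    first_md5, second_md5 = md5_hex(first), md5_hex(second)
    match = first_md5 == second_md5
    return {
        "first_md5": first_md5,
        "second_md5": second_md5,
        "match": match,
        "changed_sectors": [] if match else changed_sectors(first, second),
    }


if __name__ == "__main__":
    original = build_constructed_disk()

    # Case 1: the image is copied and stored as segments. Nothing was written.
    copied = bytes(bytearray(original))
    print("copy matches:", compare_acquisitions(original, copied)["match"])
    print("segmented copy matches:",
          hash_segments(split_image(copied, 5000)) == md5_hex(original))

    # Case 2: the machine is booted before imaging again (constructed writes).
    rebooted = simulate_boot(original, {
        3: b"constructed: last shutdown timestamp",
        40: b"constructed: event log record",
    })
    report = compare_acquisitions(original, rebooted)
    print("re-acquisition matches:", report["match"])
    print("sectors rewritten between acquisitions:", report["changed_sectors"])
```

With real evidence the same comparison shows whether the differing sectors lie in areas an operating system rewrites at boot or inside the files relied on as evidence.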
2683 7. White House screen capture file
2684 The White House screen capture file is assumed to have been captured and stored by the suspect on this computer.
2685 There is no possibility of hacking, because the suspect has acknowledged that he copied it directly (through testimony that he downloaded it from the Internet).
2686 The file creation time differs by one minute from the time of writing to the White House site, and the same contents were posted on another site only after the time the file was saved, so it is unlikely that it was downloaded from another site.
2687 End
2688
2689
2690
2691
2692 ++++++++++++++++++++ Witness Examination Record (part of the eighth trial) ++++++++++++++++++++
2693 Event 2015 Torture 4685 Threatening
2694 Name Nam Sang Wook
2695 Date of birth August 22, 1978
2696 Housing Seoul Chongno-gu Sajikro 8 Gil 31, Seoul Metropolitan Police Agency Cyber Investigation Department (Investigation Section)
2697 judge
2698 If a witness asks whether he or she falls under Article 148 or Article 149 of the Criminal Procedure Act and acknowledges that he / she does not fall under this clause and explains that he / she can refuse to testify if he / After warning the punishment, he stood as a separate line and made him swear. The next witnesses did not finance it.
2699 The contents of the examination of the witness are the same as the recording file of the court recording system (the original number 160321141735).
2700 March 21, 2016.
2701 Hwang,
2702 The judge (doctor)
2703
2704 Notice of the right to refuse testimony
2705 1. A witness may, for any of the following reasons, refuse to testify by stating the reason for refusal to the presiding judge.
2706 a. If the testimony may expose the witness, or a person who is a relative, legal representative, or supervisor of the witness, to criminal prosecution, a complaint, or conviction (Criminal Procedure Act, Article 148)
2707 b. If the witness is or was in a position such as a lawyer, a patent attorney, a notary public, a CPA, a tax accountant, a taxpayer, a doctor, a doctor, a dentist, a dentist, a pharmacist, a midwife, a midwife, a nurse, (The Criminal Procedure Act, Article 149)
2708 2. In addition, after taking the oath a witness may refuse to testify on an individual or specific examination question if he or she finds that there is a reason similar to those in paragraph 1.
2709 3. If a witness does not expressly refuse to testify and gives false testimony on an examination question for which he or she has the right to refuse testimony, he or she shall be held liable for perjury.
2710 Witness Nam Sang Wook (signature) or signature (signature)
2711
2712 Oath
2713 According to the conscience,
2714 In fact,
2715 If there is a lie
2716 To be punished for perjury
2717 I swear.
2718 Witness Nam Sang Wook (signature) or signature (signature)
2719
2720
2721 Recording book (main point)
2722
2723 Case Number 2015 Highland 4685
2724 Due Date: March 21, 2014
2725 Remarks Inadequate question, the Attorney's objection to the Attorney General's 25th article of the State Newspaper is on page 16, pages 21-22, page 17, pages 12-13, Part.
2726
2727 I submit a transcript prepared in accordance with the provisions of Article 38, Paragraph 1 of the Criminal Procedure Rules.
2728 1. Attachment: A copy of the witness examination record on the witness Shin Nam Suk (Total: 52 pages)
2729 March 21, 2016.
2730 Stenographer Park Sang Ki (Painting) (Painting)
2731
2732 ※ This transcript was written in a way that summarizes only the main parts of the statement.
2733 ※ Parties and witnesses may object to the matters described in this transcript. When an objection is raised, a court clerk or other person must indicate the intent of the objection in this transcript or in a separate document or correct the relevant part of this transcript.
2734
2735 judge
2736 For the examination of the witness Shin Nam Wook, the necessity of recording is acknowledged and it is ordered that all of it be recorded in accordance with the provisions of the relevant Criminal Procedure Law. The contents of the witness examination are all recorded, so please be sure to speak into the microphone.
2737 Notice of the right to refuse testimony. The witness may refuse to testify if the testimony could subject the witness or any person who has a close relative relationship with the witness to criminal penalties, or if it concerns the confidential matters of another person that the witness has learned through work. After being sworn in, the witness can also refuse to testify for the same reason on individual questions. And if a witness lies after the oath, or says that his memory is clear when it is unclear, he is punished for perjury. Please swear.
2738
2739 witness
2740 According to the oath and conscience, I speak truthfully without any concealment and assistance, and if there is a lie I swear to be punished for perjury. Witness Nam Sang Wook.
2741
2742 Prosecutor
2743 To witnesses
2744 (Provide an investigation report on page 172 of the Investigation Record No. 10 in the Evidence List)
2745 Q: Is it true that the witness wrote the investigation report that the defendant's blog was confirmed and the relevant article was printed and attached.
2746 A: Yes, that's what I wrote.
2747 Q: If you look at the printouts attached to this page, you can attach a copy of your diploma titled "I am a student at Chonnam National University," a copy of your graduation certificate, a copy of your graduation certificate in English, a transcript of your transcripts, Ministry of Education's complaints Title 'I have been suspected of forgery of education and plagiarism due to the unilateral graduation change of university'. And the content of the complaint is confirmed by the defendant's blog, and is it attached to the output?
2748 Answer: Yes.
2749 Question: Is it true that this article was also printed on the defendant's blog, on page 185 of the Investigative Record, "What is HUFS?"
2750 Answer: Yes.
2751 Question: Is it true that the content of the complaint posted on the defendant's blog on the title page of the Investigation Record on the 188th page titled "My Civil Service Complaint (Civil Title - Good Morning)" is correct?
2752 Answer: Yes.
2753 Question: Is it true that the post on the page 192 of the Investigation Record entitled "Aversion to feelings when I am good at English" on a blog called "Korean Anxiety Antisocial" is also printed on the defendant's blog?
2754 Answer: Yes.
2755 Q: On the 193 page of the Investigation Record, is the posting on the defendant's blog the subject of "Why do I go to the brothel and buy a woman?"
2756 Answer: Yes.
2757 (Proof of the investigation report No. 238 of Investigation Record No. 13 in the Evidence List)
2758 Q: Is this the report of the investigation titled 'The original file of the intimidation document that the suspect was found on the OO computer?'
2759 Answer: Yes.
2760 Q: What is the content of this investigation?
2761 Answer: This is an investigation report on the time, file name, and file path created for the original text capture file found on this OO computer.
2762 Q: Isis.png, usa.png Meta information of file, information of file attribute information, and printouts of original text are attached.
2763 Answer: The attachments that follow are attached by Kim Kyung-hwan, an analyst who analyzes digital evidence, and I wrote the investigation report.
2764 Q: Are you handing it from an analyst and attaching it?
2765 Answer: Yes.
2766 (Proof of Investigation Report No. 15, Investigation Record # 258)
2767 Q: Is it true that the witness wrote the investigation report titled 'The White House homepage written by the suspect computer'?
2768 Answer: Yes, this is just the same thing as I mentioned before, with the fact that I received the data from the digital evidence analyst and attached the report.
2769 (Proof of Investigation Report # 401, Investigation Record # 25)
2770 Q: Is it true that the witness wrote the investigation report titled 'The suspect is checking the OO notebook time zone setting'.
2771 Answer: Yes.
2772 Q: Please explain the contents briefly.
2773 A: The description of the operating system in French language, the initial installation time of the operating system, and the time when the notebook was last terminated. 13. 20:47:18 and we started the 7. 13th light-duty search at that time and found the evidence file on the laptop and turned off the computer to see if the integrity was changed immediately, so the final shutdown time came out at 20:47:18 I will. On the next page you will see the time that you booted the notebook for the first time. On that day, on July 13th, it is time when this OO's computer was booted, and when we see the time, it comes out at 20:07, and we can see this time when we handed the laptop to the defendant's mother on the spot and turned it on. And it is usa.png which is image file related to crime which is found in notebook. The file creation time is 2015. 7. 8. 02:27, and when I run the image file, it shows the link file creation time and I took a picture of the notebook screen at the time to confirm that we did not change the image The camera I shot was Samsung SHV230S and the recording time is 20:47. It is the material that can prove that I took a picture right before the time I turned off the computer and turned off the computer exactly, and the last time I left the notebook on the next page was 20:47:18. After taking a picture, we can see that we shut down the computer immediately to ensure integrity. And this is International Standard Time, which explains that there was an error of -7 hours between France and Domestic time because Paris was using summer time, usa.png The date of the last access to the key evidence file and the date of access. It will be July 13, 20:42, UTC and July 13, 2015, UTC. Because the last time we saw and accessed the file in the field, the exact time of the seizure was 20:42. It is the investigation report that explains what is related to such a time.
2774 (Exhibit # 4 of Evidence # 25-2 on the Evidence List)
2775 Q: Is it true that the witness wrote "Google Chrome Capture Function Analysis, Analysis of White House Screening Screen"?
2776 Answer: Yes.
2777 Q: Is the witness actually testing the front page of the White House website? Contact us?
2778 Answer: Yes.
2779 Q: When I created a post using the full screen capture function associated with the Google Chrome browser and then captured it, did you notice that it was saved in the png file format?
2780 Answer: Yes.
2781 Q: Does the file name capture the url address and then capture time information automatically?
2782 Answer: Yes, it contains the captured time information.
2783 Q: And did you check the result screen when you click submit button?
2784 Answer: Yes.
2785 Q: What is the following?
2786 Answer: The defendant has also found five lists of photo files that were captured using Google's screen capture feature on his computer.
2787 Q: These files do not have a direct relationship with the subject, but are they still captured before the crime?
2788 Answer: Yes, you can tell that the defendant used the Google Chrome browser's capture function to capture it.
2789 Q: Have you captured screenshots of the White House homepage?
2790 Answer: Yes, I did it again when I finished capturing the screen that was on the captured screen.
2791 (Present evidence page 285, Investigation Record, page 465)
2792 Q: Is it true that the suspect is an investigation report titled "Cheong Wa Dae and the National Newspaper Articles Found on the OO Computer", which was written by a witness?
2793 Answer: Yes.
2794 Q: Here is a blue house .png file and a questionnaire report for two .pdf files. What is it?
2795 Answer: Blue House.png is the defendant's access to the Cheongwadae homepage. 26. Foreclosure Notice I received a civil defense training in Dongdaemun District this April. I went by taxi to the corner where I went by subway. It is a file that I wrote and wrote with the message "I will do the transfer from Mapo side in Goat."
2796 Q: We will have a one-person demonstration in the direction of Mapo Grand Bridge Yeoido. Please pay Civil Defense transportation expenses. 20,000 won "written on a lm box paper horizontally, hanging on a railing, I am bound by a nylon string on a railing alone, and I am planning to return home. The location is July 26, 2013. 26. Is this the place where the male representative of Sungjae period was sent by the representative?
2797 Answer: Yes, it was written that way.
2798 Q: Is this all found on the defendant's laptop?
2799 Answer: Yes.
2800 (Proof # 486 of Record # 30 of the Evidence List)
2801 Q: Is it true that this investigation is written by a witness? This is an investigation report titled 'Analysis of time information generated by capture using the Google Chrome browser capture function'.
2802 Answer: Yes.
2803 Q: What is the content of this investigation?
2804 A: When you use the capture function of the Google Chrome browser to capture the url information and the time after it comes up, the time is the time information of the capture and the time information is the number 143. If you decode it, It is contents that we can confirm domestic time information.
2805 Q: Is it true that you can decode the capture time information in the file name generated when you capture with the full-screen screen capture program using the Google Chrome browser?
2806 Answer: Yes, and I have tested it myself.
2807 (Proposition 971 of Record No. 62 of the Evidence List)
2808 Question: This is an investigation report titled 'Attorney's Statement of Contents (existence of job file on July 21st, 2015) and attached photo attached to this OO notebook.' Is this investigation written by the witness?
2809 Answer: Yes.
2810 Q: Is the text explaining that the defendant had a problem that the text file was written after the search?
2811 Answer: Yes.
2812 Q: Are the photos attached to the crime after the accused found on the defendant's computer?
2813 Answer: Yes.
2814 Q: Are the printouts attached to the investigation report that I have just verified to capture the original articles or photos posted on the Internet site, such as the defendant's blogs, or the information or material found on the defendant's notebook, ?
2815 Answer: Yes.
2816
2817 Prosecutor
2818 Record 393. We will present the evidence list number 22-1.
2819 Lawyer
2820 I think this part is not written by the witness but sent from America.
2821 Prosecutor
2822 I want to know how I got the evidence and where I got it to judge it.
2823
2824 Prosecutor
2825 To witnesses
2826 (Provide evidence page 391 of the evidence list No. 22-1)
2827 Q: Is this a document titled 'Documents for expressing intention to punish the US government', is this the document received from the US government?
2828 A: I did not receive it, but I do not know that it was attached to it by Gwak Dong-kyu of the Ward investigation department at that time.
2829 Q: Does Gwak Dong-kyu directly received from the US side?
2830 A: I do not know because it is not attached to me.
2831 Q: Have you seen this document yourself?
2832 A: I have seen. I have seen ...
2833 Q: Is the witness unaware of the availability?
2834 A: Yes, I've seen it because I did an investigation with a broadcaster at the time, but I'm not sure how to get it.
2835 Q: Is the witness a police officer?
2836 Answer: Yes.
2837 Q: What is your position and rank?
2838 A: It is librarian Nam Sang Wook of Cyber Security and Cyber Investigation Department of Seoul Metropolitan Police Agency.
2839 Q: Is the witness involved in the investigation?
2840 Answer: Yes.
2841 Q: When was the investigation started?
2842 A: I do not remember exactly. In June of last year or about July, I was threatened by Ambassador Ripper. The letter was posted on the White House website of the US Embassy. We contacted the cyber security office of the US through the US Embassy. I started to investigate immediately.
2843 Q: Where exactly did you receive the investigation leads?
2844 A: The National Police Agency Cyber Safety Bureau.
2845 Q: Is not it from the US?
2846 A: I know you are an American Embassy. We received a case from the main office and received it from the US embassy in the main office.
2847
2848 judge
2849 To witnesses
2850 Q: Is the US Embassy the US Embassy in Korea?
2851 A: I have been ordered by Cyber Security Bureau of the National Police Agency.
2852
2853 Prosecutor
2854 To witnesses
2855 Q: Is the witness received from the Cyber Security Bureau and does not know exactly when and from whom it was received?
2856 Answer: It's right that I got it from Safety Bureau.
2857 Q: Do not you know where you got it from the US?
2858 A: Yes, I do not know exactly.
2859 Q: Do you know the name and position of the person who provided the investigation lead directly from the US side?
2860 A: It is Kim Sung-hoon, the captain of the Cyber Security Bureau International Cooperation Team.
2861 In this case, the date of publication of the "Obituary rape against the second daughter of US President Obama" is based on EDT (American Summer Time) applied on July 7, 2015 July 20, 2015) and the connection IP was confirmed as 124.197.152.74?
2862 Answer: Yes.
2863 In this case, "Mark Ripper," the publication date of the murder intimidation article 1 for US Ambassador to Korea, is based on EDT (Eastern Time) 7. 8. 02:26), and the connection IP was confirmed as 124.197.152.48?
2864 Answer: Yes.
2865 Q: How did you check each posting date and connection IP above?
2866 A: I also logged on to the White House homepage, and I received it from the police and handed it to us.
2867 Q: Please describe the reason why the defendant was identified as the suspect of each crime in this case.
2868 Answer: Once there was no clue except for the connection IP, I received a reply that I could not confirm the subscriber because I requested the subscriber information on Dongdaemun Cable TV Road TV with that IP.
2869 So, when we check the area where we can get the IP to check the subscribers, we can not remember exactly in Dongdaemun-gu, Seoul.
2870 We have heard that there is a possibility that it can be allocated from about 2,500 households, and when we check the MAC address on the computer, we can find the investigation lead to the MAC address. I checked to the closest apartment complex I was assigned.
2871 When I narrowed it down, it was O apartment where I can check it, it was the defendant's apartment.
2872 I do not know how many apartments there are in the apartment, but if there are 20 floors, it is 20th floor because there are 20th floor and 20th floor. I have only recruited subscribers to Dongdaemun cable TV from 20th generation.
2873 I do not remember exactly, but it has been reduced to about 5 ~ 6 generations, and I had to look through 5 ~ 6 generations and I could not do that.
2874 I analyzed the crime trends and impersonated ISIS. I also impersonated the Korean foreign affairs staff from the phone number and e-mail address of the Korea Foreign Student Summer School.
2875 So a team of our investigation team was sent out to the outside world to check if there really is such a person, and there is no such thing there is a person who has a bad tendency to the outside world is not an optical investigation, I confirmed the propensity of.
2876 And there are two criminal intimidation articles: the first is the daughter's intimidation to President Obama and the second is the intimidation to Ambassador Ripper that the second daughter of Obama, Natasha, is raped by anus.
2877 This can be seen as a bit of a kinky tendency of the writer, and the second is to threaten Ambassador Repert, whose weapon is called a nuclear weapon.
2878 I found a tendency that I could not imagine in a mental state, which is a little impolite. I checked the apartment tenant management card because I thought it was very likely to be an outside official in O apartment. So I think that the defendant goes to a foreign language university I confirmed that.
2879 So I checked the defendant's regular phone number, searched Google, and found ten defendant blogs.
2880 There was a criticism of the foreign ministry, and the reason why I criticized it was that my majors were changed and I was disadvantageous to my job. The second time I was raped by my ancestor, I saw a picture of him taking off his clothes, wearing panties and wearing a bucket, and checking his account to ask him to donate himself a little.
2881 I was criticizing many other foreigners, and after all that was the right thing, I applied for a seizure search warrant and got a warrant for seizure search at Seoul Central District Court.
2882 So I went to the house with a formal search warrant.
2883 The computer in the defendant's room was unused, there was a computer in the next room study, I looked at both computers and found nothing related to the crime.
2884 Then there was another room next to the kitchen, and the visit was locked, so I asked my mother to open the door and I knew that maybe I could have entered one.
2885 I went in and got a laptop and I saw that the computer language was in French so we did not know French so I had no idea what folder my computer was or what folder it was. When we checked the digital evidence analyzer, President Obama and two of the original captures of Ambassador Ripper were found immediately, so I suspected the defendant had written it, and then shut it down.
2886 It was probably about 20:42. I then disconnected the hard disk from the notebook.
2887 After we disconnected it, we connected it to the computer cloning equipment, then we had the original hard disk, reconnected the copy hard disk and cloned the same.
2888 When you make a copy, the hash value of the hard disk on the defendant's laptop is the same as the replicated hard disk.
2889 For example, a hash value is a tool for proving integrity. If the defendant's computer hash value is A, then the hash value of our copy hard disk will be equal to A.
2890 Then, in the state of A, if we do not touch the copy, we do the analysis in the same A state whether or not it is sealed.
2891 When analyzing a copy of computer A, there is a write-protect device, not just an analysis.
2892 Since the integrity of a computer hard disk is immediately broken when we connect it to the hard disk protector, no matter what I analyze by connecting the copy, the copy hard disk is not changed at all.
2893 And the file called Imaging is created as a file, and the file can not be changed.
2894 If it changes, if you change the hash on the hard disk of the copy, it will be changed to B instead of A.
2895 That's why the hard disk you image is the same as analyzing with the same original A anytime and anywhere.
2896 It was discovered, and we proceeded with the seizure search for four hours at that time, and the defendant was lying in his room with only panties and not at all until we went.
2897 I asked him, "Is this the right thing you wrote on your laptop," and then I drank a little and said, "I do not know at all." We talked that way, and we persuaded him for three hours, even though he was able to arrest an emergency at the time because of the destruction of the evidence and the reasons for it in the future.
2898 Q: Is the date and time of the seizure of the seizure on July 13, 1945?
2899 A: Yes, I would have probably started from then.
2900 Q: Was the confiscated lenovo B490 laptop computer, four hard disks, and a USB stick?
2901 Answer: There was a bit of a mistake, but I checked my laptop for evidence and immediately shut down my computer and immediately started imaging.
2902 I opened the imaging and sealed my laptop right away. Because the integrity was changed, I sealed it. When I sealed it, my mother wrote it, and I put my mother's letter, we rolled it with tape and sealed it.
2903 There was a virtual machine program called VMware installed.
2904 If you do not have a computer notebook, then you may not be able to analyze it in the future, so we need the original, so the notebook is seized separately.
2905 Q: On the defendant's laptop computer, isis.png, usa.png, a file capturing screen captures of each blackmail?
2906 Answer: Yes.
2907 Q: Did the defendant confirm the source of each file shortly after the discovery?
2908 A: I asked, but I can not remember exactly whether you talked in the way that you downloaded it from the internet or you did not talk at all.
2909 Anyway, he denied that he did not.
2910 Because I received too many surveys, I did not know exactly what I said at the time, but I told him that I did not do it anyway.
2911 Q: I checked the creation date and time of each capture file. Was it confirmed within 1 minute immediately after each crime?
2912 Answer: Yes.
2913 Q: After I image the defendant's laptop, why did I confiscate the original because the original laptop computer needed to be analyzed?
2914 Answer: Yes, yes. This is because the virtual machine VMware was installed. VMware is a virtual machine computer, and now you have a computer in it, and you can create a computer to run multiple computers. If you have a computer in your computer, you can not leave any trace of it on this computer, but if you log in to the virtual machine again and enter it, it will crime the virtual machine and delete the related files for the virtual machine The need to analyze the machine has confiscated the original.
2915
2916 judge
2917 To witnesses
2918 Q: Because the defendant's laptop computer had VMware installed ...
2919 A: Yes, it was and was a forfeit.
2920 Q: Is it because the original reason for the confiscation of the original was that VMware was installed on the defendant's laptop computer?
2921 A: Yes, if you do not have a laptop, you may not be able to analyze it.
2922 Q: Why did you confiscate the original after imaging?
2923 A: I have an image and the file of the virtual machine is once again in the imaging file. The original notebook is required to run the file.
2924
2925 Prosecutor
2926 To witnesses
2927 Q: After you confiscated the defendant's laptop computer, did you get confirmation from the Mo Kim OO of the defendant's Confirmation of Confirmation of the Confirmation of the Confidential Material and Confidential Information?
2928 Answer: It was not received by me, but analyst Kim Kyung-hwan received it.
2929 Q: Did you stay together at the reception desk?
2930 Answer: Yes.
2931 Q: After that, did you arrest the defendant in an emergency and arrange it in the office of the Seoul Metropolitan Police Agency?
2932 Answer: Yes. We did not do it in. We went with the broadcaster and us and once in.
2933 Q: Is there any fact that the defendant raped at the time?
2934 Answer: Yes.
2935 Q: How did you get upset?
2936 A: We had an investigation with us and the cybercrime detective. Inch was in the broadcaster's office. We were not with the defendant. As you can see from the video attached, I heard that you have kicked your feet from the "Bring your chair from your boss" and you can see exactly how it got into the riot. The record is attached as a CD.
2937 Q: Who was the person who identified the situation at the time?
2938 A: I was an investigator at a broad-based investigation. The person who wrote the CD investigation report attached to the record probably would have taken it.
2939 In the analysis of the defendant's laptop computer, the e-mail address, Twitter address, and phone number of the case were listed, and the Korean ambassador said, "I will surely kill Ambassador Ripper, I will give you an anal rape. "Also, did you find a file called 's.txt' that contains the same content as the case of this case report?
2940 Answer: Yes, the intimidating text was written in English at the White House, but I found a text file containing the blackmail in Korean on the defendant's notebook.
2941 Q: The creation date and time of link files 'A0065359.1nk', _A0065518.1nk, 'A0065541.1nk' and 'A0065621.1nk' linked to 's.txt' file are all 2014. 9. 10. 16:59, and the date and time of access were confirmed on July 7, 2014, at 14:57, 21:10, 21:19, 22:31.
2942 Answer: Yes.
2943 In addition, the defendant's notebook also includes photos of Ambassador Ripper and Kim Kyeong-jong, who have been terrorized, photos of Mr. and Mrs. Obama as monkeys, and Cheongwadae's homepage. Did you find a capture file that you uploaded?
2944 A: Yes, many photos were found. In particular, an article or photograph was found about the Kim Kyeong-jong case to threaten the Ambassador Ripper. The date and time the file was stored was reported by Kim Kyeong-jong. The defendant captured it and stored it. The date the file was last accessed, so the date it was read was almost immediately before the incident. I remember so.
2945 In addition, a small boy 'isis.jpg' file that combines shooting shot and armed robbery, a picture of a young boy shooting a prisoner with a gun, and a picture of our gallery, Did you find the 'ISIS Gallery.png' file?
2946 ANSWER: Yes, many photos related to ISIS have been found.
2947 Q: Did the defendant tell you that he or she synthesized the pictures and pictures of each file at the time of the police investigation?
2948
2949 Lawyer
2950 Your Honor, this part is not appropriate because we are asking the defendant's denial of the contents of the police investigation at the time of the investigation.
2951 Prosecutor
2952 Because the Criminal Procedure Law has introduced the investigator testimony system, I think it is safe to hear how I made statements at the time.
2953 Lawyer
2954 I would like to say that it is not inappropriate to listen again to the content denied.
2955 judge
2956 Once this part is just ask.
2957 Prosecutor
2958 To witnesses
2959 Q: I'll ask you again. Did the defendant state that at the time of the police investigation, he had synthesized photos and pictures of each file?
2960 A: I can not remember exactly because I did not see the suspect newspaper report now.
2961 Q: Also, did the defendant's laptop have a program called 'SuperHideIP' that allows you to change your IP once a mouse is clicked?
2962 Answer: Yes.
2963 Q: And did you find a capture file called 'IP address washing method .jpg'?
2964 Answer: Yes.
2965 Q: On the other hand, did you find that the defendant is running 10 blogs of blogspot, the Google blog?
2966 Answer: Yes.
2967 Q: In each blog, were the defendant's Citibank account number and the defendant's PayPal ID listed?
2968 Answer: Yes.
2969 Question: Did the defendant's blog reveal or condemn the complaints about Hankuk University of Foreign Studies, and the images depicting women and the bizarre situation?
2970 Answer: Yes.
2971 Q: Did the witness investigate the accused person during the investigation?
2972 Answer: Yes.
2973 Q: Did the defendant claim that he did not commit the crime at the time?
2974 Answer: Yes.
2975 Q: How did the accused describe the 'isis.png' and 'usa.png' files found on the defendant's laptop?
2976 Answer: I stated that I did not know at all.
2977 Q: What did you say about the source?
2978 Answer: I asked a few questions about the source, and I did not remember exactly because I made a different statement every time. I replied that I had captured and downloaded it from 4chan site and saved it or I did not know it at all.
2979 Q: How did the defendant describe the 's.txt' file?
2980 A: I just do not know ... I've been asking that a lot, but at first I thought it was the one I wrote, and then I did not answer at all.
2981 Q: How did the defendant tell us about the photos of the Ambassador Repertor, the photos of the Obama couple and the photos of armed robbers, etc.
2982 A: I think I talked about not knowing much about the questions I asked.
2983
2984 Lawyer
2985 In the bottom of the main newspaper, section 25, the defendant questioned that he had synthesized the photos and pictures of each file at the time of the police investigation, and that the contents of paragraphs 32 to 34 of the main newspaper were irrelevant Please indicate in the record that the complaint is filed.
2986 Lawyer
2987 To witnesses
2988 Q: Is it true that I have imaged the whole of the defendant's laptop and did not seal that part?
2989 Answer: Sealed.
2990 Q: Is it true that you did not seal the imaged file but the laptop?
2991 Answer: Imaging files are not sealed.
2992 Q: I asked if I did or did not.
2993 A: How do you analyze when you seal?
2994 Q: It has precedents and regulations. Where did you store the imaged file?
2995 Answer: We took one hard disk, cloned it, and brought it.
2996 Q: Did you seal that hard disk?
2997 A: Do not ask me that.
2998 Q: It is asking what the witness remembers.
2999 A: I do not remember much. Because I did not image it.
3000 Q: You do not remember if you sealed the hard disk?
3001 A: Yes, I remember I sealed the laptop ...
3002 Q: What was the role of the witness in the investigation?
3003 A: We participated in the seizure search, investigated the suspects, and almost everything was done. I do a little bit of research to help each other.
3004 Q: Have you ever seen a document requesting cooperation in the US?
3005 A: I have never seen it.
3006 Q: When I contacted the US Embassy, I heard someone wrote a blackmail in an e-mail. Have you heard this story?
3007 Answer: No.
3008 Q: How many people were involved in the seizure and search?
3009 A: Five Cybercrime detectives, five forensic investigators. When I got there, my father told me to leave. So there were about 6 ~ 7 people in the place, but I did not know exactly and some went out.
3010 Q: Do you think six or seven people have been around?
3011 Answer: Yes.
3012 The witness explained the details of the process of tracing the defendant in advance, saying, "The clue only had an IP address, but it was difficult to find by IP address alone. I checked the subscriber on Dongdaemun Tibur Road, but I could not confirm it, so I made a request to the MAC address again."
3013 Answer: You have checked your MAC to investigate with a MAC address.
3014 Q: Who identified the MAC?
3015 Answer: When IP is allocated from the carrier, IP and MAC are connected to the carrier. If you know the MAC of the IP you used for the crime at the time, you can do the investigation again with the MAC address.
3016 But that MAC did not come out correctly either. Anyway, I have a network switch, and I've finally assigned that IP ... So you have confirmed the last switch.
3017 Q: Is it confirmed that you have three sets of equipment?
3018 Answer: Yes, I have to explain the connection ...
3019 Q: When the attorney heard this, the witness first asked for the MAC address and asked the carrier to recall the MAC address.
3020 Answer: To investigate with a MAC address ...
3021 judge
3022 I heard that I wanted to know the MAC address, but I do not know it.
3023 witness
3024 Yes, that's why we proceeded with the investigation.
3025 judge
3026 To witnesses
3027 Q: In the end, you did not check your MAC address?
3028 Answer: I understand that you tampered with the MAC.
3029 Q: At that time, at first ...
3030 A: I can not confirm it right away.
3031 Lawyer
3032 To witnesses
3033 Q: Is it about collecting digital evidence, and what experts have participated?
3034 A: The analyst Kim Kyung-hwan participated and I participated. I had to undergo a little bit of analysis. I have a license to analyze digital evidence.
3035 Q: During the seizure process, was the digital evidence analyst one of Kim Kyung Hwan's analysts?
3036 A: Yes, but I was not an official digital evidence analyst. While doing the investigation ...
3037 Q: Witnesses also have that knowledge?
3038 A: Yes, I did it.
3039 Q: So, at the time of the seizure, did two or more people have expertise in digital evidence?
3040 Answer: Yes.
3041 Q: What did the related equipment bring?
3042 Answer: I did not get a hard disk replicator and ... I think you should ask Kim Kyung-hwan, but I only took the warrant.
3043 Q: What is the process of identifying the date and time of White House intimidation during the investigation?
3044 A: Our International Cooperation Team of the National Police Agency told us that this was the case at this time ...
3045 Q: Do you not know how the team works?
3046 Answer: I do not know exactly.
3047 Q: I found a picture of a blackmail on the defendant's laptop, was it the time of the confiscation, or is it afterwards?
3048 A: I did not discover it first, but I know that Kim Kyeong-hwan or Kim Jin-kwang, one of the investigators, found it.
3049 Q: You were discovered at the time of the seizure?
3050 ANSWER: Yes, I just found a picture, shot it on my phone and shut down my laptop.
3051
3052 -------------------------------------------------- --------------------------------------------------
3055
3056 A: The 4chan site is USA, so we can not verify the subscribers.
3057 Q: Did not you know who posted it?
3058 Answer: Yes. But ask Kim Jin-kwang again for this question.
3059 Q: Looking at the flow of investigation, it's like ...
3060 A: I remember that there was such a situation, but I do not know exactly, so I can ask Kim Jin-kwang.
3061 Q: Who wrote the seizure?
3062 A: There must be an author of the seizure.
3063 Q: Lieutenant Kim Sang-guk, Lieutenant Cho Yong-woo is like this ...
3064 Answer: Yes.
3065 Q: Witnesses were with you at the time?
3066 A: Yes, I was with you. I can not do everything because I work in the office while doing the division of labor.
3067 Q: In the confiscation list, the confiscation of the defendant's laptop itself is listed, but the imaging file for the defendant's laptop imaging is not on the confiscation list, do you know?
3068 A: I did not know it because I did not write it. I know that I need to write a notebook imaging number 1 on the serial number.
3069 Q: Anyway, is it obvious that the laptop imaging was done at the time of the search?
3070 Answer: Yes.
3071 Q: How many hours did it take?
3072 A: You can ask Kim Kyung-hwan, a digital evidence analyst.
3073 Q: Because I have experience analyzing digital evidence, I'll ask. What does hash value mean in digital evidence collection and analysis?
3074 Answer: MD5 and SHA1 are one of the functions for proving integrity. For example, if you put this stuff into this hash function, you get some specific result. But it is not an inverse function. For example, if you put a file called A and B into a hash function, you will get a certain unique value, which means that if the unique value is the same, it is the same information. So if you turn the hash value of the hard disk in the original and get A, and you get the A by rotating the hash of the hard disk that replicated the original, you can prove that the original and replicated hard disk information is the same.
3075 Q: Do you see that digital evidence is in a specific state at the time you generate the hash value, and then do you assume the integrity and authenticity of the original until it is examined by the court?
3076 Answer: The question is ambiguous, not a specific state ...
3077 Q: I'll ask you a little bit. When I image the defendant's laptop and get the hashed value, the defendant's laptop is at that point in time, right?
3078 Answer: If you run a hash function on a file named A instead of a state, you will get a specific result. Whenever it does, the same result is produced, not the state at that point ...
3079 Q: The hash value is telling you when the first was created.
3080 Answer: Yes, that's right.
3081 Q: What is the point of creating the integrity of a file at a particular point in time?
3082 Answer: Yes.
3083 Q: After that, of course, you can come up several times, and I'll tell you when it was first created.
3084 A: I do not understand the question.
3085 Q: When I image the defendant's laptop, is the state of the defendant's laptop at that time imitated as evidence in the court?
3086 Answer: Imaged files can not be changed.
3087 Q: Is it still maintained?
3088 A: I guarantee that my police will not change until I send them to the prosecution. But after that, I do not know.
3089 Q: If you look at the notebook imaging file at the court, the file we're looking at is the same as the file at the time the witness did the imaging at the time of the seizure?
3090 Answer: Yes.
3091 Q: Is it fixed at that point?
3092 Answer: Yes.
3093 Q: So is not the hash value guaranteeing the integrity of the earlier steps we collected in the first time we collected the confidential search?
3094 Answer: Because it is the hash value at the time of imaging ...
3095 Q: From then on, to guarantee integrity, not to guarantee the integrity of the old, right?
3096 A: Yes, it does not make sense.
3097 Q: So, if someone logs out a hash after logically manipulating the computer, does not it provide information about the operation or operation before the hash value is created?
3098 Answer: Of course.
3099 Q: At the time of the seizure, was the defendant's notebook turned off?
3100 A: I do not remember exactly. That's not what I brought ...
3101 Q: I turned on the notebook and said that I saw one or the other.
3102 A: I can not remember exactly because my mother brought me something in the other room. We could not get in that room.
3103 Q: The seizure start time was around July 13, 2015, and the power of the notebook was turned on and off from July 13, 2015 to 20:47. The laptop was on for about 41 minutes. What did you do on the laptop at this time?
3104 A: At that time, I did not work, and I would probably have been working on finding analysts and files.
3105 Q: Did you write protection at that time?
3106 A: I did not do it then.
3107 Q: In the process of looking at the defendant's laptop, did he / she guarantee the right of the defendant or the defendant's parents to participate?
3108 Answer: It was said.
3109 Q: Who did you ask to see?
3110 Answer: I do not know that, I talk to you again ...
3111 Q: Did you talk to the defendant?
3112 A: Yes, I keep coming and going now ...
3113 Q: Have you ever taken a video of a defendant's laptop or imaging process?
3114 A: It might have been done by a broadcaster, but I do not know exactly. Oh, I tried to shoot it, but I can not, so why do I just shoot my house?
3115 Q: Who has not let me?
3116 A: I do not know if they were parents or defendants who were there, but I strongly resisted them and I would have taken our picture there. If you look at the mobile phone, there might be some videos that we took pictures of. And then he just threw something at us and made it a bit harder. In the case of Kim Kyung-Hwan, the analyst would have been hit.
3117 Q: When I said that I needed an original copy of VMware for the reason why I confiscated the defendant's laptop, would not it be necessary to have a laptop if the program that runs VMware is on another PC?
3118 Answer: No. Depending on the version, it may not work.
3119 Q: Can I check the version in the imaging file?
3120 A: It was not a situation where you could do it on the spot, and if you wanted to drive it ...
3121 Q: It is technically possible to ask. Is it possible to have a program that can run VMware on another PC even if it is not a defendant's laptop?
3122 Answer: It is possible but not 100% guaranteed. So there were many cases where we were not able to drive properly.
3123
3124 judge
3125 To witnesses
3126 Q: Is it common to have the notebook itself confiscated after imaging files?
3127 A: If we are confiscated, we will do all the confiscation.
3128 Q: Do you confiscate the imaging files as well as the notebook itself if you are in confiscation?
3129 A: Yes, because it is a laptop used for crime.
3130
3131 Lawyer
3132 To witnesses
3133 Q: Did you say the witness took the seizure search warrant?
3134 Answer: We took it from our team.
3135 Q: Have you read it?
3136 Answer: Yes.
3137 Q: If you look at it, it is stated that "the original that has been taken out will be opened and reproduced with the participation of the intruder, etc. and returned without any delay, but not exceeding 10 days from the original date of export unless there are special circumstances" Why did not you return it?
3138 Answer: Computers have a very important time relationship in the evidence of digital evidence analysis. At that time, we analyzed the digital evidence analysis of the seized material to confirm the creation and access times.
3139 Last but not least, you can change your laptop's CMOS (cmos) time accordingly. There is an error depending on the time of the CMOS.
3140 So what if my laptop is at 1 o'clock, but the current time is 1: 5?
3141 We need to check the error in time. We need a laptop to check the error. We can return it before we send it to the last time. We asked our attorney and computer to turn on and check only the error with the defendant. Probably will be in the investigation report.
3142 So the prosecution has to check it out, it can not be sealed.
3143 So I know that the prosecution has confirmed the exact time information after taking a video of the whole process of releasing and releasing it. So it's been over a week.
3144 Q: What did the witness know to return?
3145 Answer: Yes.
3146 But you did not return, right?
3147 Answer: Yes.
3148 Q: White House Contact us Write on the web page and select "Thank you!" Was there a picture on the defendant's notebook that captured the screen to write the previous post?
3149 A: I do not understand.
3150 Q: I have a screen that I'm writing before submitting. When I submit it, I get a screen saying 'Thank you!'. Can not these two screens exist at the same time?
3151 Answer: Yes.
3152 Q: Do you have a picture of the screen after the last submission of the statement "Thank you!" On the defendant's notebook?
3153 Answer: Yes.
3154 Q: Then you should have a screenshot of the scene you're writing in. Have you seen it?
3155 Answer: isis.png and usa.png are being written and Thank you! Screen and combine ...
3156 Q: It's a composite, is not it?
3157 Answer: Yes. Perhaps you have not found what you are writing. It did not exist because it was edited and made into a png file. Maybe, if you can explain it.
3158 Q: You said that five files were found on the defendant's laptop using Google Chrome, remember?
3159 Answer: Yes.
3160 Q: In the first post, I do not have a caption of an isis.png file that says I will rape my daughter, do you know why?
3161 A: That's probably what you see in the investigation report, but if you capture and delete it and then change the filename or the file does not exist, or if you capture it using the Google Chrome browser's incognito mode, There are many technical ways that you can and can not keep up with many things.
3162 Q: But what about the file 'Thank you!', What happened?
3163 A: I can not tell you that because I have nothing to do with the evidence, it's because I want to leave it and I want to keep it.
3164 Q: Is that technically possible?
3165 Answer: Yes.
3166 Q: You did not find any traces of access to the White House on the defendant's laptop?
3167 Answer: I did not find it at all.
3168 Q: By the way, 'Thank you!' I have found that I captured the part, how should I explain it?
3169 A: If you use the Google Chrome browser's incognito mode, the Internet connection itself will not be saved as a file at all. It will only be saved as a cache, but it will not be saved as soon as you close the web browser. I will.
3170 Q: As the witness has just testified, it would be nice to have no screenshot of 'Thank you!' ,
3171 A: That means you do not have a record of your Internet connection and you can leave a capture file.
3172 Q: After the capture file, the number is actually a Unix number, so you can log in to Google Chrome to get information on when you captured it, but the witness does not have an article written right now and it probably does not capture it in Google Incognito mode. You just did. That's why I do not ask you to leave the "Thank you!" Section in incognito mode.
3173 A: Internet access records and captions are completely different.
3174 Q: Why do not you leave a screenshot called "Thank you!" In response to an incognito answer saying that you may not have a captured file.
3175 Answer: The defendant remains on the defendant's computer because he has captured and saved it.
3176 Q: So it is possible that you have to do it in the same conditions that you captured before that ...
3177 Answer: If you do not want to leave, you can not leave.
3178 Q: Then you can find the erased trail? Now that I've imaged the defendant's laptop, I'm not just looking at it, have I removed the deleted file?
3179 Answer: When I go into incognito mode, I have worked and can not restore it. Why did Google create incognito mode? I have tested it myself.
3180
3181 judge
3182 To witnesses
3183 Q: Did you know whether the defendant used incognito mode?
3184 Answer: It can not be confirmed. Google has made the feature available to you when you're trying to do it in secret, and of course you can not tell whether or not you used it.
3185
3186 Lawyer
3187 To witnesses
3188 Q: When I go into incognito mode, I do not think the capture screen should be saved.
3189 Answer: No. Saved is that the internet connection is stored in the index.dat and various computer hard disks, and the connection record is not stored. In the case of the captured file, it is possible to store it anywhere in the desired location, The captured files are completely separate.
3190 Q: Did the witness confirm the blog posts that the defendant usually wrote?
3191 Answer: Yes.
3192 Q: Have you seen any criticism of Kim Kyeong-jong about the case of Repert's ambassador in the defendant's blog post?
3193 A: I do not remember everything right now. I only remember what I said before.
3194 Q: I do not remember?
3195 Answer: Yes.
3196 Q: I had an emergency arrest of the defendant at the time, but was there any reason for the emergency arrest?
3197 A: Because I did not do it, I would look at the reasons for the arrest.
3198 Q: I do not have a reason for an emergency arrest, so what do you ask?
3199 A: Why is not the reason written? You have to write down your reasons for getting an emergency arrest proposal.
3200 (Suggesting an investigation record, page 455)
3201 Q: The reason for the arrest has been listed all the time. Please write down the details according to the reason for the emergency arrest. That's it. do not have.
3202 A: I did not write it, but at the metro ... Oh, that's what you said about the notice.
3203 In the notice, we wrote the reason for the emergency arrest for the approval from the prosecutor's office without writing the reason, and is not the suspect notified to the suspect when the emergency arrest occurs?
3204 Because it is putting in notice, it is because it is because it is very simple to summarize the fact of crime.
3205 That is not what I wrote. Do not ask me.
3206 Q: Who wrote it?
3207 Answer: There will be a writer.
3208
3209 judge
3210 Is there an emergency arrest warrant?
3211 witness
3212 Yes.
3213
3214 Lawyer
3215 To witnesses
3216 Q: Is there a reason listed there? Not on record ...
3217 Answer: Yes, detailed.
3218 Prosecutor
3219 An Emergency Arrest Form with detailed description of the reason is available.
3220
3221 Lawyer
3222 To witnesses
3223 Q: The witness did not write the confiscation list?
3224 Yes, I did not write it.
3225 Q: Do you know who wrote it?
3226 A: Then several people are working on it ...
3227 Q: What are the threats and screen capture files that the defendant claims to have downloaded and that the witness or investigating agency believes that the defendant has written and captured it?
3228 Answer: Yes.
3229 Q: If I download a screened file and save it on the defendant's laptop, is it possible that it exists in the same format as the one captured by the defendant's laptop as the witness verified?
3230 A: There are two ways. Probably Kim Jin-kwang will test it and have an investigation report because of 4chan.
3231 If you click on the original file to download it, it will be downloaded. Otherwise, if you click on the original file, the image file will pop up and you can download it with right mouse click.
3232 That is another report from our investigation. I did not test it ...
3233 Q: Is there a file name that might be the same as the one you captured?
3234 A: I do not understand. Again only a description ...
3235 Q: If I downloaded the defendant's laptop, I just analyzed the file name just like the one I captured on the defendant's laptop, can it exist with the same file name?
3236 A: You should be in the record. Ask Kim Jin-kwang because I have not tested it.
3237 Q: Do you not know the witness?
3238 Answer: We have tested and simulated in the investigation report.
3239 Q: The time order is the time the defendant posted on the White House, the time they saved on the laptop after the screen capture, and the time they posted on the site 4chan.org?
3240 A: If it is so in the investigation report, it will. Because I can not remember correctly now, I made a table, and I look at it.
3241
3242 Lawyer
3243 I will present evidence. I present one or two of the fifth certificate.
3244 judge
3245 What is the source?
3246 Lawyer
3247 This is what the defendant's brother searched on Google after he had been arrested after the incident.
3248 If you look at the same thing on Google ... you know, but you searched on Google.
3249 Here you see 'dear. Mr.president Obama, Mrs.first lady Mishelle ', and the time it was found that this article was written is posted on 4chan site on July 7, 2015. 7. 07:24:52.
3250 Prosecutor
3251 How can I confirm that this is the same as this article?
3252
3253 Lawyer
3254 To witnesses
3255 Q: If you see below, 'Hi I'm sufs student from Seoul' because some part of the post is behind it?
3256 It seems that the article is the same, but the time zone is quite different now.
3257 The time is 07:24:52 AM. Now, the time to write the article is July 7, 20:20.
3258 By the way, the time posted on 4chan site is July 7, 2015, 07:24:52.
3259 A: In our investigation report, we have captured the exact time on 4chan site.
3260 That's precise, because it's from a Google search, so you can not tell exactly what time it was on Google or 4chan.
3261 Q: If you saved it from Google, is it any time sooner than we know it?
3262 Answer: There is no guarantee for low-time information.
3263 Q: Witnesses have never seen this?
3264 Answer: Yes. There is not. And whether it is US storage time, domestic storage time ...
3265 Q: For the second article, it looks like it was written on July 7, 2015. Did you know that the 4chan site time that the witness checked was stored in domestic time when posting in Korea?
3266 A: Ask Kim Jin-kwang, the investigator.
3267 Q: Do you not know the witness?
3268 Answer: We have posted the post on 4chan site and we have the current time and the test time. That's exactly what we tested. If you look at it, you can check whether the 4chan site has domestic time or US time.
3269 Q: Have you ever checked your time zone separately?
3270 A: Yes, I have not done it, so I can not tell you exactly.
3271 Q: Did you say that the defendant used a program called SuperHideIP, an IP change program?
3272 A: It's not a confirmation, it's a program that was installed. It was discovered.
3273 Q: Are there any facts that have been analyzed that the last approach was made on June 6, 2015, before the date on which the blackmail was written?
3274 Answer: The file was found, the date the file was first saved, and the date the file was last accessed.
3275 Q: I analyzed it as the last access on June 6, 2015. Is it possible to interpret the IP as having no change since then?
3276 A: It may or may not have been because there are too many technical methods, which I do not know exactly.
3277 Q: Because the witness did not see whether the defendant wrote the program or not, but after all, did you look at the defendant's laptop? Is there a similar program in the program that changes the IP found this one?
3278 A: You can not see the whole thing. When we analyze ...
3279 Q: Do you have to search and search? So, what was the one that was discovered in connection with the IP change program?
3280 Answer: Yes.
3281 Q: Did you investigate the router?
3282 A: I heard there was a router, but I did not investigate.
3283 Question: Do you think that the defendant's notebook imaging file was the first image of the notebook file, or was it replicated again?
3284 A: Because I did not analyze it ...
3285 Q: What did you do to replicate that day?
3286 A: Did we bring the clone?
3287 Q: Who took it?
3288 A: The analyst Kim Kyung Hwan should have brought it.
3289
3290 ----------------------------------------------------------------------------------------------------
3291
3292 It seems that the time has changed to Korean time in the process of being seated.
3293 Answer: The analysis report is the final one, and we have to investigate a little bit before we start the analysis.
3294 So I took the printout, put it in the investigation report, and made a note when I checked it out. How do you investigate having a fully written report?
3295 Q: The decisive reason for suspicion that the defendant wrote the blackmail was that the capture file that was left on the defendant's notebook was created about a minute after it was posted on the White House?
3296 ANSWER: When I was threatened, however, I wrote two blackmails on the White House website in English, which was in the S.txt file written in Hangul and the summer @ hufs You said you stole your .ac.kr email and phone number? Maybe that phone number and address were in the s.txt file and ...
3297 Q: Witness, I tried to ask this, not many charges. Was it one of the decisive proofs that the creation time of the capture file was one minute after the article was published?
3298 Answer: There were many things.
3299 Q: What is the difference between the time the article was posted in the White House and the time the capture file was stored on the defendant's laptop,
3300 A: It's not an analysis, but an objective fact ...
3301 Q: How did you know when the post was posted on the White House?
3302 A: You asked us that, but we have only received data from the international team.
3303 Q: I think the one minute car will be a very important basis, right?
3304 Answer: Yes.
3305 Q: Then I ask you in terms of whether the investigation should be done enough about time.
3306 I have to be specific from the time it is posted on the White House, but the time posted on the White House is probably the time that the person administering the White House homepage gave me, and that time could be time lag in the end?
3307 A: When we told it, we were GMT + 9? The United States has several times, including Eastern Time.
3308 I'm not exactly sure if we are Eastern Standard Time for letting us know what the error is, but it probably will.
3309 It calculates the time and the error, and when domestic time is converted into Korea Standard Time, it is time to calculate the exact time and the IP connected to the time is Dongdaemun Cable TV ...
3310 Q: I do not ask for the calculation method. For example, if this computer now has 16:00 on the front of the laptop, is there any error in that?
3311 I'm looking at it. There may be an error in the time given by the White House, and there may be an error in the time when the witness etc.
3312 So I'm asking how the time difference can be determined to be one minute.
3313 Answer: Because we are made by objective data, we have confirmed that we know the time we have stored on our computers and the time we have been threatened.
3314 Q: Do you know that there is a program that can change the date of creation of saved files?
3315 Answer: Yes.
3316 Q: I have a couple of things, but can I use a program like SetFileDate to change the creation date of a saved file?
3317 Answer: Yes.
3318 Q: Is it possible that the defendant 's notebook has changed so much?
3319 Answer: Not all computers, as well as the defendant's laptop, are capable of such manipulation. However, when you analyze the MFT, the information about the time is stored in various ways. If you analyze the MFT's standard information and file name information and find that the information is different, you can check whether the time has been manipulated or whether the file name has been changed.
3320 Q: Did you check it at the time?
3321 A: I did not check at the time.
3322 Q: When the MAC address of the router is changed, is the dynamic IP connected to it also changed?
3323 A: It may or may not appeal, but it is the policy of the telecommunications company.
3324 Q: Did the witness verify the MAC address corresponding to the IP address associated with this case during the investigation?
3325 Answer: Yes.
3326 Q: Is it a witness?
3327 A: I would have done it together.
3328 Q: What was the result?
3329 A: I put it in the comments, but the contents of the mac are too complicated, so I think I should look at the written statement. I do not remember exactly now.
3330 Q: Have you found any signs of changing the MAC address of the router on the defendant's laptop?
3331 A: The digital evidence analyst found it.
3332 Q: Is the witness unaware of this part?
3333 Answer: I heard that there is a trace of change that I am not familiar with.
3334 Q: Does the analyst in the role of analyst only do the analysis, or did he conduct additional investigations besides analysis?
3335 Answer: I just did analysis.
3336 Q: According to the results of the analysis, was the witness doing any further investigations?
3337 Answer: What is the additional investigation?
3338 Q: For example, if you find a trace of a change in your mac address, I would ask you if you needed to check the defendant's router, did not you?
3339 Answer: The MAC address is the manufacturer of the first six digits, and the manufacturer assigns the last six digits of the MAC address. We have probably seen a counter-report of the defendant's comment on the mac address, but if the manufacturer makes a random change to it I can not do the investigation anymore.
3340 Your lawyer tells you that if the mac has been changed, and if you have not done any further investigations about it, there is no clue that you can investigate anymore if mac has changed that way.
3341 Q: I asked if I needed to check the defendant's router.
3342 A: When we did the transcription, the digital evidence analysis was at the end, and I have to hand over the suspect's recruits to the prosecution office tomorrow. What do you do?
3343 Q: Did you mean you could not do it on time?
3344 Answer: Yes.
3345 Q: There was a trace of changing the MAC address on the defendant's laptop, and there was analysis that released the log record at the time of the crime, remember?
3346 A: I told you I did not do it.
3347 Q: Do you know this by Kim Kyung Hwan?
3348 Answer: Yes.
3349 Question: According to the statement of witness submitted by the witness in relation to the mac address, there are several mac addresses that are not confirmed by the manufacturer. If the maker changes to an unconfirmed mac address, Go?
3350 Answer: I do not know the carrier policy, so I can not answer exactly, I know it is not.
3351 Q: Do you know that if you change to an unconfirmed mac address depending on your carrier policy, Internet access may be restricted?
3352 ANSWER: Yes, there is a case where the switch is allowed to access the internet when only a certain MAC address is connected, which is called NAC. If you do not set this policy, you are allowed to connect from the internet regardless of the MAC address. This is the carrier policy. There are two technologies on the switch that can or may not be blocked.
3353 Q: I know that if you change your router or MAC address arbitrarily, you may be restricted from accessing the Internet. Do you know? For example, have you ever heard of such cases in Windows 7 or Windows 8?
3354 Answer: Not at all. However, if you change the mac address, there is no problem with internet access.
3355 Q: Is there any problem with the computer?
3356 A: Yes, it takes less than a minute and you can do it right away.
3357 judge
3358 To witnesses
3359 Q: I have a question about the defendant's question. "I wrote on the White House Contact us webpage, and I found 'Thank you!' In response to the question "Did the defendant have a picture of the screen capturing the screen before writing the screen?", The witness said, "No one was writing, because it was edited and made into a png file." I have an answer, please tell me about it again.
3360 A: The screen you are composing and the screen where you have completed the 'Thank you! 1' screen was synthesized as a png file, but the screen you were composing was not saved and only the pictures that were composited were correct . But it's technically possible to synthesize it.
3361 Q: Please explain how technically possible.
3362 Answer: Take a picture of A with a capture tool such as Paint or Snap-in, capture a picture of B, put B under A, select the file again and save the file as a different file.
3363 I will explain it again. When you capture the screen you are creating with the Google Chrome browser, you will see the url address and the time next to it.
3364 Then, when you save it to the defendant's computer in that state, click the right mouse button and save it under the same name.
3365 Then, when you capture the screen 'Thank you!', You will see the url address and time information at the top and 'Thank you!'.
3366 And if you save it under a different name, it will be saved on the defendant's computer.
3367 However, technically you can right click on the 'Thank you!' Screen and save it to your computer. You can take the first screen without saving it, and then use the Paint or other capture tool If you save this file as usa.png or isis.png, you will not be able to save the first image you created, and the second image will be saved You can save only the final result at the end.
3368 Q: I was wondering if it was possible technically, but you answered with the idea that it is possible?
3369 Answer: Yes.
3370
3371 Prosecutor
3372 To witnesses
3373 Q: I heard that the screen of the writing on the defendant's notebook is not found, but the relevant screen is not found, and the capture file of the process of posting on the White House site is found.
3374 A: Yes, it does not matter, but I do not know exactly what happened before in June, but before that I had a copy of the White House story that I was capturing and capturing.
3375 If you are writing a webpage, you will see a wave in Internet Explorer, Google Chrome, Safari, and spelling. If you're writing on the White House website, Due to the law of alignment, a tilde appears at the bottom of the English alphabet.
3376 If you look at it, you can see that it is a screen that you are writing. I captured it and kept other articles, but I do not remember it correctly. I think it was related to black slaves at that time.
3377 Q: In regards to the reporter ambassador threatening text, did you also find a separate screen capture of only the result screen "Thank you!"?
3378 Answer: Yes.
3379 Q: I heard that the defendant posted the file on 4chan earlier than the defendant posted at the White House. Did you confirm this in the police investigation?
3380 Answer: Yes.
3381 Q: Did you find that a capture file with the same contents as the intimidation of this case was posted on 4chan site at the time?
3382 Answer: Yes.
3383 Q: The capture files found at 4chan site at that time were posted earlier than the date of creation of the crime-related capture file found on the defendant's computer.
3384 A: I do not remember exactly.
3385 Q: By default, when you use the internet through an ISP like Dongdaemun Tbroad, is the IP assigned by the carrier?
3386 Answer: Yes.
3387 Q: How many IPs can be changed by turning the computer off and on, or changing the Mac address randomly?
3388 Answer: Yes.
3389 Q: In the case of Dongdaemun Tbroad IP, which is used in this case, I do not want the IP to be assigned to a specific user for a certain period of time and use only that IP, but then the IP will be changed.
3390 Answer: Yes.
3391 Q: I do not know whether SuperHideIP was used, but how can I change IP even if SuperHideIP is not used?
3392 Answer: Yes.
3393 Q: Did you find a program on the defendant's computer to change the file's creation date?
3394 Answer: None at all.
3395 Q: Is it possible that the defendant changed the creation date of the capture file stored on his computer to the date and time of the crime of this case by confirming the time of the crime?
3396 A: If you are a suspect, do not you need to change? I do not need to change the time on my computer, even if I change the IP to conceal it. I can not be certain who I am. So even if you try to hide your IP, you do not need to change the file on your computer.
3397
3398 Lawyer
3399 To witnesses
3400 Q: The second file 'Thank you!' I found that only the part of the captured file was found, the second threatening 'Thank you!' How do you know if it's a part?
3401 Answer: Maybe in time ...
3402 Q: Is it specific in time?
3403 Answer: Yes.
3404 Q: You do not know what you wrote?
3405 A: Yes, I do not know what it is, but what I am writing ...
3406 Q: Thank you! Even after writing a different article, it can exist at the same time.
3407 Answer: That's possible.
3408 Q: And have you ever seen the "Rules for the Collection and Handling of Digital Evidence", which is a Witness Ordinance?
3409 A: I think I've seen it.
3410 Q: Here are the details of the procedures for seizure search and the request for analysis, and I will ask if I have kept the procedure.
3411 I did not refuse to shoot the seizure process, and I have to take measures such as the identity of the digital evidence, such as the storage seal, and the proper method of not having a reasonable suspicion of integrity.
3412 Answer: We sealed the notebook.
3413 Q: I have to ask Kim Kyung Hwan. You said you did not know if you sealed the hard disk you were imaging before?
3414 I asked the analyst to analyze the digital seizure. According to the analysis result report, the analyst was a witness.
3415 A: Because I'm the same team, I could do it, or someone next to me could do it.
3416 Q: Do you think you made an analysis request on July 13, 2015?
3417 A: I did not go to the scene from the beginning. I do not even ask for it.
3418 Q: Is not there a formal request for a separate request?
3419 A: Yes, I went to the scene together.
3420 Q: When the analysis request is made, the analyst has to send the original or duplicate of the digital seizure in a container that can be safely stored so as not to be damaged by shock, magnetic field, moisture and dust.
3421 Answer: It is because I confiscated analytical data from other crime scenes and submitted it to the Digital Evidence Analysis Office of the Cyber Crime Investigation Department of Seoul Metropolitan City, so I have to do such a thing in the course of the process. At that time, this is not what we do, because the digital analyst in the field is doing it.
3422 Q: Is it the right thing to take in such a container?
3423 Answer: Ask your digital evidence analyst.
3424 Q: Do you not know the witness?
3425 Answer: Yes.
3426
3427 judge
3428 To witnesses
3429 Q: In the end, I think it is the intent that the witness is handed over to the digital witness analyst on the spot, right?
3430 Answer: Yes.
3431
3432 judge
3433 I will finish the witness examination of the witness Nam Sang Wook.
3434
3435 Witness examination report (part of the eighth trial)
3436 Event 2015 Torture 4685 Threatening
3437 Name Kim Jin-kwang
3438 Date of birth December 5, 1976
3439 Housing 305, Hyundai Apartment 1-dong, Cheongryangri, Dongdaemun-gu, Seoul
3440
3441 judge
3442 If a witness asks whether he or she falls under Article 148 or Article 149 of the Criminal Procedure Act and acknowledges that he / she does not fall under this clause and explains that he / she can refuse to testify if he / After warning the punishment, he stood as a separate line and made him swear. The next witnesses did not finance it.
3443 The contents of the examination of the witness are the same as the recording file of the court recording system (original number 160321162216).
3444 March 21, 2016.
3445 Hwang,
3446 The judge (doctor)
3447
3448 A statement on the testimony veto notice
3449 1. A witness may, if he / she has any of the following reasons, deny his / her testimony to the presiding judge by calling for reasons for refusal.
3450 end. If a person who has a relative or relative with a witness or a witness, a legal representative, or a supervisor is found to be subject to a criminal prosecution or a complaint or convicted (Criminal Procedure Act, Article 148)
3451 I. If a witness is in such position or in such position as a lawyer, a patent attorney, a notary public, a CPA, a tax accountant, a taxpayer, a doctor, a doctor, a dentist, a dentist, a pharmacist, a midwife, a midwife, a nurse, (The Criminal Procedure Act, Article 149)
3452 2. In addition, a witness may refuse to testify if he or she finds that there is a reason similar to that of paragraph 1 of an individual or specific newspaper after the oath.
3453 3. If a witness does not expressly deny the testimony or give false testimony to a newspaper article that has the right to veto testimony, he / she shall be held liable for perjury please.
3454 Witness Kim Jin-kwang (sign) or signature (handwritten signature)
3455
3456 Oath
3457 According to the conscience,
3458 In fact,
3459 If there is a lie
3460 To be punished for perjury
3461 I am a wanderer.
3462 Witness Kim Jin-kwang (sign) or signature (handwritten signature)
3463
3464
3465
3466 Recording book (main point)
3467 Case No. 2015 High 4685 Date 2016. 3. 21. 14:00 Remarks (None) Please submit a transcript prepared in accordance with the provisions of Article 38, Paragraph 1 of the Criminal Procedure Rules.
3468 1. Attachment: Witness examination recording of Kim Jin-kwang (total: 19 pages), 1 copy
3469 March 21, 2016.
3470 Stamped stamping machine (seal) (painted)
3471
3472 ※ This transcript was written in a way that summarizes only the main parts of the statement.
3473 ※ Parties and witnesses may object to the matters described in this transcript. When an objection is raised, a court clerk or other person must indicate the intent of the objection in this transcript or in a separate document or correct the relevant part of this transcript.
3474
3475 judge
3476 Witness Kim Jin-kwang's witness examination procedure recognizes the necessity of recording and instructs him to record all of them in accordance with the provisions of the relevant Criminal Procedure Law. The contents of the witness examination are all recorded, so please be sure to speak into the microphone when speaking.
3477 Notice of testimony veto. The witness's testimony may refuse to testify about the confidentiality of someone else who has a relationship with you or a prospective witness, or about the confidentiality of someone else whom the witness has known about the job. After the oath, for the same reason, you can refuse to testify about individual newspapers. After the oath, you must state the truth and if you lie, you can be punished for perjury. Please swear.
3478
3479 witness
3480 According to the oath and conscience, I speak truthfully without any concealment and assistance, and if there is a lie I swear to be punished for perjury. Witness Kim Jin-kwang.
3481
3482 Prosecutor
3483 To witnesses
3484 (Present evidence page 45 of the evidence list Sequence No. 5)
3485 Q: Is it true that this was an essay by a witness, entitled 'Check for additional posts on 4plebs.org'?
3486 Answer: Yes.
3487 Q: Please explain briefly what it is.
3488 Answer: When I searched Google about the e-mail that the defendant wrote to a foreign language university, 4plebs.org was searched and the site related to 4chan.org was confirmed to be backed up. That's why there are some contacts and e-mails that a defendant wrote to a foreign language university.
3489 Q: Is 4plebs.org the right site?
3490 Answer: Yes.
3491 Q: Is this site the backup site of 4chan.org site?
3492 Answer: Yes.
3493 Q: Is it the intention of attaching the information that comes from searching for the contents of the intimidating article?
3494 Answer: Yes.
3495 Question: On page 48 of the attached documents, did you identify the captures and captions of rape intimidation articles for the first Obama daughter in this intimidating article?
3496 Answer: Yes.
3497 Q: Is it true that you have your own ID number, and the post number is '47628036' on July 7, 20:24:52.
3498 Answer: Yes.
3499 Q: Do you see the Korean flag on the side, and can you think that this post was saved at this time in Korea time?
3500 Answer: Yes.
3501 Q: In the top of the investigation record, on the top of page 49, there is a post called 'Korea isis1', which is similar to this, Is it the right thing to find?
3502 Answer: Yes.
3503 Q: Here is the date posted on July 8, 2015, 02:31:29, post number '47640986', and next to the Korean national flag pattern, this is also the date this post was posted on the site Is it possible to look at it from July 8, 2015 to 02:31:29?
3504 Answer: Yes.
3505 (Provision of Record No. 7, Investigation Record # 71 on the Evidence List)
3506 Q: Is it true that a witness wrote a report titled 'Crime Facts and Hankuk University of Foreign Studies'.
3507 Answer: Yes.
3508 Q: Please explain briefly what it is.
3509 Answer: At the time of the defendant 's writing, there was the phrase' 4ourth, 4inger ', which is the result of searching on that specific phrase on Google search and bing search sites. And when the defendant searched the contacts and e-mails that he wrote to a foreign language university backwards, there were writings that slandered Hankuk University of Foreign Studies,
3510 Q: Is this the intent to attach the result of the search using POS Finger's phrase in the intimidating article?
3511 Answer: Yes.
3512 (Present evidence page 79 on page 8 of the evidence list)
3513 Q: Is it true that the witness wrote the following questionnaire titled 'Confirmation of Hankuk University of Foreign Studies' on WordPress site?
3514 Answer: Yes.
3515 Q: Please explain the contents of this investigation report.
3516 A: There is a site called WordPress, which is managed by Hankuk University of Foreign Studies, and there were articles written against Hankuk University of Foreign Studies. Then have a written article haeteotgo actually enter the admin page to visit the Korea University of Foreign Studies confirm the contents of these posts, the materials attached to chaejeung that this article 'ended the scam business "as it is written in the report that was me.
3517 Q: When there is here described as "the White House post was written, IP and South Korea is shown to be the same as watching the suspects created by the IP range used to price match Hankuk University of Foreign blame," This IP geotingayo confirming what?
3518 A: When I visited Hankuk University of Foreign Studies, I went to the administrator site with my cooperation. So I wrote an investigation report about that part.
3519 (Exhibit # 196 of the Record of Evidence No. 11 in the Evidence List)
3520 Q: Is it true that the witness wrote a report titled 'Confirming additional reporting to the White House'?
3521 Answer: Yes.
3522 Q: Please explain this briefly.
3523 A: The 4plebs.org site is the backup site of 4chan.org, and if it goes past the backup site, everything will be deleted. When the defendant published the article, I decided that I could post more than one post, and I checked every post related to the foreign language university. I did not check it by any search words but checked it by eye. I confirmed it by clicking on the site one by one. I also confirmed the post on May 5, 2015, and confirmed the post on June 25, There is more to the point of denouncing a foreign language university, and it is attached to it.
3524 Q: Are postings attached to the contents of the post at the time?
3525 Answer: Yes.
3526 (Exhibit # 251 of Investigation Record No. 14 in Evidence List)
3527 Q: Is it true that the witness wrote a report titled 'About posts posted on 4chan and 4chan backup sites'?
3528 Answer: Yes. I wrote it.
3529 Q: I found that the file usa.png was on the 4plebs.org site, the backup site of 4chan.org, and the attached screen captures the internet page that I confirmed at that time.
3530 Answer: Yes.
3531 Q: Isis.png Is there any indication that the file was retrieved from 4chan.org but it was not found?
3532 Answer: Yes.
3533 Q: Finally, did you put together the contents found on 4chan.org site and 4chan.org site backup site?
3534 Answer: Yes.
3535 In this case, the time for the rape of Obama's daughter on the White House site was posted on July 7, 2015 at 20:20, the post was deleted on 4chan.org site, and the backup site of 4chan.org site Did you confirm that the same content was posted on July 7, 2015 at 20:24?
3536 Answer: Yes.
3537 Q: Regarding the threat of terrorist attack on US Ambassador to the Republic of Korea, the time it took to go to the White House on July 8, 2015 was confirmed to be posted on 4chan.org on July 8, 2015 Does the backup site on 4chan.org also confirm that the same time was saved on July 8, 2015?
3538 Answer: Yes.
3539 Q: Are you confirming everything yourself?
3540 Answer: Yes, I have.
3541 (Present evidence page 263 of the evidence list Sequence No. 16)
3542 Question: Isis.png, usa.png About file analysis, isis.png title is isis.png?
3543 Answer: Yes.
3544 Q: Is it true that the above investigation report was written by a witness?
3545 A: Yes, this is the part where I downloaded the direct download from 4chan.org site and checked the image and these parts.
3546 Q: Please explain in detail.
3547 Answer: There are picture files named isis.png and usa.png in the 4chan.org site post. You can check the update date or specific values of the file by downloading the files. You can check the unique value of the image you uploaded. In order to compare the values with others, we then use the flash hash value to determine the MD5 for the file, and the flash hash program to check for any unique value.
3548 Q: If you click the isis.png file posted on 4chan.org site and save it as an image, the file name will be automatically saved as a random number, and you can download it by clicking the download button. , It says that the isis.png file has been downloaded, is that correct?
3549 Answer: Yes.
3550 Q: I tried to calculate the hash value of this file and it says the image is the same as the original one.
3551 Answer: The file itself differs in how to download it, but if you check MD5 for a unique hash value for the file, isis.png or 1436268292526.png tells you that the file is received differently, The name is the same, but it means the same.
3552 Q: Did you download the usa.png file from 4chan.org site?
3553 Answer: Yes.
3554 Q: In the same way, we can see that there are two ways of downloading, and in that case, the hash values calculated using MD5 function are found to be the same?
3555 Answer: Yes.
3556 (Present evidence page 176, Investigation Record, page 266)
3557 Q: Is it true that the witness wrote a report titled "About Nouveau dossier folders identified on suspect laptops"?
3558 Answer: Yes.
3559 Q: Please explain what it is.
3560 A: In the New Folder, images related to terrorism related to Kim Kyeong-jong or Ripert were stored.
3561 Q: Here is a description of 'I do not see the Internet history, but the images of the suspects have created folders and saved them.'
3562 Answer: When you create a file, when you automatically surf or surf the Internet, some files are stored on your computer in the form of numeric random numbers or complex cryptosystem ... numbers, So, I did not surf the internet and checked something. Instead, I saved my file and saved it under a certain name.
3563 Q: If I check again, is it correct that the user is checking the file that saved the image, not the cache file which is saved automatically during the internet surfing process?
3564 Answer: Yes.
3565 Q: When I look at the contents of the next page, 'Folder creation date and time, images, etc. are created and collected on June 3, 2015. If you check the last access date and time, What is it?
3566 Answer: Yes.
3567 (Suggesting the record number 35 of the No. 20 book)
3568 Q: Is it true that the witness wrote the following investigation report entitled "About Identification of Additional Evidence Related to Terrorism"?
3569 Answer: Yes.
3570 Q: Please explain what it is.
3571 Answer: There was a file named s.txt on the notebook, and a text file similar to the one raping the Obama daughter was stored under the file.
3572 Q: After the investigation, is it appropriate to print out the characteristics of the file and the original text of the file?
3573 Answer: Yes, this part is the same with the digital analyst Kim Kyung-hwan.
3574 (Proof # 408 of Record No. 25-1 of Evidence List)
3575 Q: Is it true that the witness wrote the investigation report titled 'About 4chan site publication time'?
3576 Answer: Yes.
3577 Q: Please explain this.
3578 A: Because 4chan is not a Korean site, I think that the way the posted post is shown will not be seen in Korea at first. If you think that it is different from the post posted by the suspect, Since I have posted all the articles, 4chan site has service to all the countries in the world, so it is shown as a part that shows the time to turn off according to the country. So if you connect in Korea, you will show your time in Korea, This is a rhetorical report showing that.
3579 Q: Did you test it by yourself?
3580 Answer: Yes.
3581 (Proof No. 463 of Record No. 27 of the Evidence List)
3582 Q: Is it a witness's report on the title of '4chan's time on the site'?
3583 Answer: Yes.
3584 Q: Is it the same as the investigation report you just saw?
3585 Answer: Yes.
3586 Q: Is it true that the articles or photographs posted on internet sites such as blogs, which are stored in the investigation reports created by the witnesses, and the information or materials found on the defendant's notebooks are captured or output as they were originally attached?
3587 Answer: Yes.
3588 (Proof No. 22-1, Investigation Record, Section 393 of Evidence List)
3589 Q: Is it true that you have seen this document?
3590 A: I have seen this while working together.
3591 Q: Do you know from whom you received this papers from?
3592 A: I know it from the White House, through the Cooperatives.
3593 Q: Do not know the details?
3594 Answer: Yes.
3595 Q: Is the witness a police officer?
3596 Answer: Yes.
3597 Q: What is your position and rank?
3598 A: It is Kim Jin-kwang, a member of Cyber Safety Bureau, Seoul Metropolitan Police Agency.
3599 Q: Is the witness involved in the investigation?
3600 Answer: Yes.
3601 Q: What role did the witness play in the investigation?
3602 A: At that time, we were on duty. I was trying to find out if there was the same post as the one posted by the defendant because I was on duty and I should have started the case immediately after receiving the case.
3603 Q: In a little more detail, did you participate at the time of the seizure?
3604 A: Yes, I also participated in the seizure search and I had to check a lot of posts first to get a warrant, and I had a lot of focus on that part, and when I was in the seizure search site, When I did not have a laptop or something like this. So, there are some parts that we have fielded with other investigators to secure evidence.
3605 Q: What role did you play in the seized search site?
3606 Answer: First, I thought it was important to find a laptop. The defendant posted a blog on the blog. So I made a lot of efforts to secure the laptop, and I asked the analyst to analyze the computer or something.
3607 Q: Was there a picture of your laptop on the defendant's blog?
3608 A: Yes, so I tried hard to find a laptop.
3609 Q: Do you remember how you found your laptop?
3610 Answer: Yes, when I first entered, the defendant was lying in bed, and when I tried to go into the room with a search warrant, I could not go in for about 30 minutes because the defendant's parents never entered. So, first of all, I went into the room alone and told me that I had to check my laptop, so I told her that I could not go in there, so she asked me for a laptop, so the defendant's mother brought her laptop from the defendant's room. So I received a laptop and sent it to Kim Kyung-Hwan, and asked him to check if there was an image, and Kim Kyung-Hwan analyzed it because he had an image.
3611 Q: Did you shoot the situation at the time of the seizure?
3612 A: Yes, I have done video recording.
3613 Q: In the case of Lieutenant General Nam Sang-wook, he tried to shoot and testified that the defendant's family members were not able to shoot against him.
3614 A: Not all of them were shot, but there were some parts that I had to shoot.
3615 Q: Did the defendant's family prevent him from filming?
3616 Answer: Yes.
3617 Q: Was the defendant lying in bed throughout the search process?
3618 Answer: Yes.
3619 Q: Did you search the defendant's laptop to find the relevant evidence?
3620 Answer: Yes.
3621 Q: Isis.png, usa.png, s.txt file?
3622 Answer: Yes.
3623 Q: After confirming it at that time, did the defendant find out where these files came from?
3624 A: I told him to look, but I kept seeing him and he lay there.
3625 Q: Did the defendant analyze the room?
3626 Answer: No. I analyzed it in the next room study, and the defendant's mother attended to confirm the contents.
3627 Q: At that time, I received the Confirmation of Confirmation of the Confirmation of the Confiscated Water, Confirmation of the Confirmation of the Confirmation of the Confiscated Water Information, etc. Who received it?
3628 Answer: Kim Kyung-hwan was given by the analyst.
3629 Q: In addition to what the witness has so far testified, is there any fact that I have verified during the investigation of this case?
3630 A: I do not remember well because the incident is long.
3631
3632 Lawyer
3633 To witnesses
3634 Q: Has the commencement of the investigation been initiated by the US Embassy?
3635 A: We know that the incident has come down to us.
3636 Q: Have you ever seen an 'urgent cooperation request' from the US Embassy?
3637 Answer: Yes.
3638 Q: Do you know that the Koreans in the Buddhist e-mail sent a blackmail message saying that they sent a warning email to President Obama on terrorism against Ambassador Ripper?
3639 Answer: As far as I know, I posted on the White House site.
3640 Q: I know so, and it's been investigated, but it says that I sent it by e-mail to the initial cooperation letter.
3641 A: Is not it supposed to be sent by email?
3642 Q: Does the witness know anything about this?
3643 Answer: Yes.
3644 Q: There are some documents attached to the investigation report written by witnesses, some of which have been downloaded from the Internet. Where did the data from the defendant's notebook come from?
3645 Answer: Most of the Internet postings are written by me, and the parts of the investigation report are written by Kim, Kyung-Hwan, because they can not share the system because the team is different. So I made this same data with me, so I checked it out. I wrote this investigation report together with Kim Kyung Hwan, and I printed it out.
3646 Q: Does the analyst Kim have output?
3647 Answer: Yes.
3648
3649 judge
3650 To witnesses
3651 Q: I said I wrote an Internet post, but I misstated it?
3652 Answer: First of all, 4chan or something like this is what I did after capturing separately, and the parts from the defendant's notebook were written by me because Kim Kyung-hwan's analyst could not write the investigation report.
3653
3654 Lawyer
3655 To witnesses
3656 (Presenting an investigation report, page 263)
3657 Q: I have downloaded the witness from 4chan site and changed it to another file. The first isis.png file is downloaded on July 7, 2015 at 3:23:30 pm What does this time mean?
3658 Answer:
3659 Q: I do not seem to remember well, but w will answer the question. The time at the White House was written on July 7, 2015, 20:20 and the file isis.png on the defendant's laptop is 20:21, remember?
3660 Answer: Yes.
3661 Q: I have two hours to show evidence that there is evidence so far, so I know what it is. I am talking about the 3:23:30, the 24 hour hour, the 15:23? Please explain what this time means. You do not know because you wrote it?
3662 A: I did not focus on the time when writing, but instead of backing up the original files on my desktop computer, I created a folder called "Terrorist" and had an original under it, There is a method and a download button called isis.png below it.
3663 I clicked on that button and downloaded it in two ways, but the important thing is that the investigation report was written to specify that 'MD5 is the same, if MD5 is the same, this file is the same' I saved the file to my computer and compared it with it, and I do not remember the date exactly.
3664 Q: Is not it time you saved your witness computer?
3665 A: Yes, it is not.
3666 Q: Now, three files have the same MD5, but the same thing means that the first file is the same file?
3667 Answer: Yes.
3668 (Presenting an investigation report on page 264 of the investigation record)
3669 Q: How long does it take for usa.png to be downloaded on July 8, 2015 at 2:28:52?
3670 A: I do not remember the details, but it seems to be the investigation report about the part where the original file on the defendant's laptop was referred by the pumice team and compared with the file.
3671 Q: What is the meaning of time now that you do not know exactly?
3672 A: I guess it's probably the time on the defendant's laptop, but where did the source of usa.png come from? So I do not know exactly what the file was from when the usa.png was uploaded.
3673 (Suggesting an investigation record, page 334)
3674 Q: Here is the 'Photovoltaic vs. Work File, Text File' on July 12, 2015 at 4:53:58 PM ...
3675 Answer: This is the data that the analysis of Kim Kyung Hwan analyzed.
3676 Q: Is the witness unaware of this time?
3677 A: Well, I've seen it together, but analyst Kim Kyun-hwan will know better.
3678 Q: Does the witness mean that you do not know about this?
3679 Answer: Yes.
3680 Q: Witnesses also participated at the time of the seizure, did you see the process of imaging the defendant's laptop?
3681 Answer: Yes.
3682 Q: Where was the witness at that time?
3683 A: I was in the same room and went to the room where the defendant was lying.
3684 Q: Before imaging on a laptop, I turned on my laptop and searched for related files first. Who did it?
3685 Answer: Kim Kyung Hwan was the analyst.
3686 Q: In the process of looking at the defendant's laptop, did the defendant or defendant guarantee the right to participate in the parents?
3687 Answer: Yes.
3688 Q: Who did?
3689 A: There were several investigators.
3690 Q: Did you participate?
3691 Answer: The defendant did not participate, and the defendant's mother said that she participated, so she did the imaging in front of the defendant's mother.
3692 Q: How many hours did the imaging work take?
3693 A: I do not remember exactly, but it seems to take about two hours.
3694 Q: Did you film the process of examining or imaging the defendant's laptop?
3695 A: I think I just took a picture when I first went in.
3696 Q: Did you take videos or pictures about the process of imaging?
3697 A: I think I did not.
3698 Q: It is related to the witness who wrote the investigation report. If there is a screen-captured file and you download the file from 4chan and save it, the two will clearly distinguish between the captured and downloaded files from the defendant's notebook. Can you do it?
3699 Answer: Although the name of the file can be changed because the computer is clearly distinguished, the root cause of the screen capture is a program called full page screen capture on the defendant's computer. When you capture using this program, the file name is created uniquely. Because there is a name and a date and it is hard for ordinary people to write it, so if there is such a thing, it should be said that it was programmed ...
3700 Q: Even if you download the same thing, you are asking if you are following it.
3701 Answer: If the filename remains the same, if you receive usa.png when you download it, then usa.png follows, and the url where the full-page screen was originally printed does not appear.
3702 Q: usa.png but not url ...
3703 Answer: If you have url, you can get it as it is.
3704 Q: If you download it in that state, is not it well separated?
3705 Answer: Yes.
3706 Q: And can you download and rename it?
3707 Answer: Yes.
3708 Q: If I remove the value of zone.identifier attached to the downloaded file, will it be impossible to check whether it is a downloaded file or not?
3709 A: I do not know.
3710 (Presenting the first and second Google search screens of the certificate No. 5)
3711 Q: I searched on Google that the first blackmail related article was stored on 4chan site. This is what I came up with in search of the text, which is exactly the same as the number you saw. It is the first blackmail article that I have been suspected to have written by the defendant. There is a time called July 7, 07. 07:24:52, and the time of the first blackmail was written on July 7, 20:20, right? The time to upload to 4chan is much faster, do you have any idea about this?
3712 A: I do not know because it is not confirmed.
3713 Q: This is what the witness made when he wrote the investigation report. If you posted in Korea, you would be posting Korean time on 4chan site? So the time I posted on the 4chan site was later than the time of the file on the laptop because the defendant wrote it. But now the time I searched on Google is much faster than the time I posted on the case. That's why I ask.
3714 Q: I do not know exactly what I am talking about. But first of all, this is Google. I do not know how to write url in 4chan, and the way it's written in Google would be wrong, because I did not see it.
3715 Q: Does the witness have any experience in analyzing digital evidence?
3716 A: I joined Cyber Special, basically there is no digital analysis and I have listened to education or lecture.
3717 Q: Is not there a career?
3718 A: I have to go to work because I needed to do it, but I did not get a license or anything like that, and I had a lot of training related to database and hacking.
3719 Q: You have been trained in the National Police Agency?
3720 A: I have a police station and I'm in a database.
3721 Q: Was the witness involved in the investigation that changed the defendant's MAC address?
3722 A: I joined the investigation together but I do not remember exactly. The story seems to have done a lot.
3723 Q: Have you been involved in the investigation that led you to receive a Mac address that matched the IP address that you sent the search warrant to Tibur Road?
3724 A: It was not me.
3725 Q: I have an analysis that says that the defendant's laptop analysis results have been released so that the logs stored in the router are not released in the adjacent time zone of the time when they wrote the article. Do you know this part?
3726 A: That part is written by Kim Kyung-Hwan.
3727 Q: Does the witness know this part well?
3728 Answer: Yes.
3729
3730 judge
3731 To witnesses
3732 Q: Is it true that the witness's statement is unclear, and that he was working at a private database company in relation to his career in analyzing digital evidence, and then joined Cybercrime as a specialist?
3733 A: Sometimes the process of coming to the police comes to the general public, and if you have more than a few years of social work, you may be able to get a special bond. The part I majored in is the database, and I've come across a lot of hacks and stuff like that.
3734 Q: I have an editorial story ...
3735 Answer: It is the part of the license.
3736 Q: Did you major in the database, joined the police as a specialist, and then took the training related to hacking, and did you not only learn about the digital analysis related to the work, but also the training?
3737 Answer: Yes.
3738
3739 judge
3740 I will finish the witness examination for Kim Jin-kwang.
3741
3742
3743 Witness examination report (part of the eighth trial)
3744 Event 2015 Torture 4685 Threatening
3745 Name Kim Kyung Hwan
3746 Date of Birth February 5, 1976
3747 Housing Seoul, Gangseo-gu, Woohyeon-ro 67, 109, 402 (Hwagok-dong, Kangseo Hill State)
3748
3749 judge
3750 If a witness asks whether he or she falls under Article 148 or Article 149 of the Criminal Procedure Act and acknowledges that he / she does not fall under this clause and explains that he / she can refuse to testify if he / After warning the punishment, he stood as a separate line and made him swear. The next witnesses did not finance it.
3751 The contents of the examination of the witness are the same as the recording file of the court recording system (the original number 160321171323).
3752 March 21, 2016.
3753 Hwang,
3754 The judge (doctor)
3755
3756 A statement on the testimony veto notice
3757 1. A witness may, if he / she has any of the following reasons, deny his / her testimony to the presiding judge by calling for reasons for refusal.
3758 end. If a person who has a relative or relative with a witness or a witness, a legal representative, or a supervisor is found to be subject to a criminal prosecution or a complaint or convicted (Criminal Procedure Act, Article 148)
3759 I. If a witness is in such position or in such position as a lawyer, a patent attorney, a notary public, a CPA, a tax accountant, a taxpayer, a doctor, a doctor, a dentist, a dentist, a pharmacist, a midwife, a midwife, a nurse, (The Criminal Procedure Act, Article 149)
3760 2. In addition, a witness may refuse to testify if he or she finds that there is a reason similar to that of paragraph 1 of an individual or specific newspaper after the oath.
3761 3. If a witness does not expressly deny the testimony or give false testimony to a newspaper article that has the right to veto testimony, he / she shall be held liable for perjury please.
3762 Witness Kim, Kyung-hwan (signature) or signature (signature)
3763
3764 Oath
3765 According to the conscience,
3766 In fact,
3767 If there is a lie
3768 To be punished for perjury
3769 I am a wanderer.
3770 Witness Kim, Kyung-hwan (signature) or signature (signature)
3771
3772
3773 Recording book (main point)
3774 Case Number 2015 High 4685 Date 2016. 3. 21. 14:00 Remarks (None)
3775 I submit a transcript prepared in accordance with the provisions of Article 38, Paragraph 1 of the Criminal Procedure Rules.
3776 1. Attachment: A copy of the witness examination on the witness Kim Kyung-hwan (total face: 24 pages) 1 copy
3777 March 21, 2016.
3778 Stamped stamping machine (seal) (painted)
3779
3780 ※ This transcript was written in a way that summarizes only the main parts of the statement.
3781 ※ Parties and witnesses may object to the matters described in this transcript. When an objection is raised, a court clerk or other person must indicate the intent of the objection in this transcript or in a separate document or correct the relevant part of this transcript.
3782
3783 judge
3784 Witness Kim Kyung-hwan's witness examination procedure recognizes the necessity of recording and instructs him to record all of them in accordance with the provisions of the relevant Criminal Procedure Law. The contents of the witness examination are all recorded, so please be sure to tell the microphone when speaking.
3785 Notice of testimony veto. Because of witness testimony, the witness may deny his / her testimony about the confidentiality of someone else who has a business relationship with the witness because he / she is concerned about his / her criminal penalties. After witnesses have sworn in, they can also refuse to testify for the same reason in individual examinations. After the oath, you must state the truth, and if you lie, you will be punished for perjury. Please swear.
3786
3787 witness
3788 According to the oath and conscience, I speak truthfully without any concealment and assistance, and if there is a lie I swear to be punished for perjury. Witness Kim Kyung Hwan.
3789
3790 Prosecutor
3791 To witnesses
3792 (Proof No. 68, page 69 of the evidence list No. 33, No. 1)
3793 Q: Is it true that the results of this digital evidence analysis were true of the witness's experience?
3794 Answer: Yes.
3795 (Proof No. 73-2 of Investigation Record # 33-2)
3796 Q: The CD is attached with the title of 'Digital Evidence Analysis Result'. The digital evidence analysis result stored on this CD contains the defendant's notebook image file and the main data or information found in the analysis of the incident. Is that right?
3797 Answer: Yes.
3798 Q: Witness is the Digital Evidence Analyst at the Seoul Metropolitan Police Department Cyber Crime Investigation Division?
3799 A: Yes, I am currently working at Cyber Crime Lab. We shared with the Evidence Analysis team earlier this year and worked in the Digital Evidence Analysis team until last year, and this year we are in charge of Detectives who are out of cyberspace.
3800 Q: What was the work of the witness during the investigation?
3801 A: As a digital analyst, I was collecting and analyzing evidence on digital evidence from the incident at the police investigation room under the Seoul Metropolitan Police Agency.
3802 Q: Did the witness participate in the seizure of this case?
3803 Answer: Yes.
3804 Q: Have you participated in the whole process of seizure search?
3805 A: Yes, that scene from that date.
3806 Q: Did you participate from the beginning to the end?
3807 Answer: Yes.
3808 Q: Tell the defendant's notebook the discovery and imaging process as the witness has experienced.
3809 A: I do not find it. I remember it was discovered by Kim Jin-kwang. And the defendant was in the room and there was a room in front of him where the defendant's father seemed to write, and while I was searching the room for an all-in-one PC used by the defendant's father, he found a laptop and searched and analyzed the laptop.
3810 Q: When I first got the defendant's laptop, was the laptop on or off?
3811 Answer: I remember it was turned off because it was folded.
3812 Q: After turning the power on and searching, we found evidence related to the incident, shut it down, and imaged it immediately?
3813 Answer: Yes.
3814 Q: Did you take the seizure process or imaging process at the time?
3815 A: I did not take the shoot, and I remember that the staff of the WTC and our cybercrime staff shot it together.
3816 Q: Did you take all the steps?
3817 Answer: Yes. I remember that two or more cameras were spinning.
3818 Q: Ms. Sang-wook said that she had stopped at the time while she was filming the opposite of the defendants' families. Is that right?
3819 Answer: Yes, that's right. I remember that there was an argument.
3820 Q: Do you remember which course of filming was discontinued?
3821 Answer: I can not remember correctly.
3822 Q: After I image the defendant's laptop hard disk, who do I get such as integrity verification or hash verification?
3823 Answer: I got it from the defendant's mother.
3824 Q: Did the witness directly receive it?
3825 Answer: Yes, I got a confirmation from my defendant mother that I wrote the hash value by hand.
3826 Question: Did the witness claim that the defendant confiscated a hard disk on the lenovo B490 laptop computer, seized five hard disks, and analyzed one replica of SanDisk USB memory?
3827 Answer: Yes.
3828 Q: Was the time of the defendant's laptop computer in Paris, France?
3829 Answer: Yes.
3830 Q: So, when the crime of this case is on, July 7, 2015, was the daylight saving time set to be 7 hours earlier than Korea's standard time?
3831 Answer: Yes.
3832 Q: When Witnesses used EnCase, a digital forensic program, to analyze the defendant's laptop computer, did you set it to display in Korean Standard Time?
3833 Answer: Yes.
3834 Question: Isis.png and usa.png files found on the defendant's laptop computer hard disk?
3835 Answer: Yes.
3836 Q: Isis.png file creation date and time is July 7, 20:21:12, the last revised date is July 20, 2015. 7. 7. 20:23:30, and the creation date of usa.png file is 2015. 7 8. Was it confirmed at 02:27:07 and the last revised city date was July 8, 2015 at 02:28:51?
3837 Answer: It is correct in the analysis report.
3838 Q: I found isis.png.lnk and usa.png.lnk linked to the above isis.png and usa.png files.
3839 Answer: Yes.
3840 Q: When and how are these link files created and stored?
3841 Answer: Generally, when you open a file on a Windows system, a link file called a shortcut file is created.
3842 Q: If you analyze the meta information of this link file, ie file attribute information, what kind of information can you check?
3843 Answer: Once you open the lnk file, you will see the name of the file you opened. When you open it, the computer name, volume name, and hardware Mac address will be saved.
3844 Question: Did you check the hard disk volume name, serial number, computer name, MAC address of each link file mentioned above and the information of the defendant's laptop computer?
3845 Answer: Yes, it has been confirmed.
3846 Q: Isis.png and usa.png files are exactly the same date and time, but link files with different file names were found on the defendant's notebook.
3847 Answer: Yes, I remember that part of the file name is different, but the original date and time of creation of the analysis is the result of analyzing the file name when I changed the source file ... So, if the file name is changed, the creation date and time will not change. It has been confirmed that the creation date and time of the original file remain in the link file.
3848 Q: Is it possible to interpret the link file as a file name that is created when the original isis.png or usa.png file is created, but the original file has a different file name?
3849 A: Yes, I interpreted it that way.
3850 Q: In addition to the isis.png and usa.png files, there are many screens on the White House site, as well as a screen capture of the post completion screen, found on the defendant's laptop computer?
3851 Answer: Yes.
3852 In addition, the email address Twitter address, phone number, 'HUFSRO 4ourth 4inger' in this case is listed, and the 'Embassy of the US Embassy will surely kill Ambassador Ripper' I will give you an anal rape. "And there was a s.txt file with the same contents as the case of this incident.
3853 Answer: Yes.
3854 Q: Are the link files A0065359.lnk, A0065518.lnk, A0065541.lnk, and A0065621.lnk found in the s.txt file found?
3855 Answer: Yes.
3856 Q: How are these link files created and where are they stored?
3857 Answer: The link files that are randomly numbered starting with A are the volumes used by the system called system volume information. At first, when I explained the time when the volume was used, I tried using it in Windows 7 As you know, there is a feature called Restore Computer. I have a feature called restoring the computer that will take a snapshot, so Windows 7 will automatically back up. So, at that time, I automatically backed up the list of files or files in a certain period of time, and the backup location is the system volume information folder, and a folder is created under each backed up day. A link file pointing to txt has been found.
3858 Q: The operating system of the defendant's laptop is XP. Does XP have the same function?
3859 Answer: Yes.
3860 Q: What events are required to generate these link files?
3861 Answer: The system automatically backs up the function. If you do not specifically make a backup, I know that the backup is basically based on the operating system settings.
3862 Q: The date of creation of each link file just mentioned is 2014. 9. 10. 16:59, and the final access date and time is July 7, 14:57, 21:10, 21:10 , 22:31?
3863 Answer: Yes, as you can see in the report.
3864 Q: Have you found any more link files that link to s.txt other than the four link files?
3865 Answer: Yes, at that time, the link file pointing to the s.txt file was analyzed to be it.
3866 Q: Can I see the date and time of the last access to the s.txt file on July 7, 2015?
3867 Answer: At the end of the last one, what if the link file was on July 7, 2015, 22:31, then you can interpret the s.txt file as the last time you opened it.
3868 Q: On the other hand, when the defendant analyzed the Internet access rate of laptop computers, did you check the records of accessing through Internet Explorer, Chrome, Mozilla and Opera web browser?
3869 Q: Did you also find a record of 'Michelle obama' on Google search site via Internet Explorer?
3870 Answer: Yes.
3871 Q: Is the record of accessing the Internet Router Management page verified on July 7, 2015, and July 8, 2015 at the time of the crime of this case?
3872 Answer: Yes.
3873 Q: Did you check the details of the settings such as setting the router to not record the log in the time zone adjacent to the crime of this case?
3874 A: I do not know what the intent was, but I've confirmed that I changed the settings.
3875 Q: How do I change my router settings?
3876 A: Router management is to connect the IP address and router IP of the network to the web browser, and the management page will appear. You can go to the management page and change the general setting value of the network or the MAC address or the MAC address.
3877 Q: So I usually access the administration page through the web browser, so I have a record of my internet connection history?
3878 Answer: Yes.
3879 Q: Is there a way to keep the record of the connection?
3880 A: There are a variety of ways you can stay away. Nowadays, web browsers like Explorer and Chrome have features like incognito, which keeps browsing history from being left, so I know that if you use it, your records will not be checked.
3881 Q: Is there an incite comb in the case of explorer, and an incognito mode in case of Google Chrome, and if there is such a mode, there will be no connection record at all?
3882 A: Yes, I did not have any results.
3883 Q: Has the defendant's laptop been able to change the MAC address of the Internet router 9 times between June 8, 2015 and June 3, 2015?
3884 Answer: Yes, Mac address changes have been verified through Internet history.
3885
3886 Lawyer
3887 To witnesses
3888 Q: In the confiscation search site, did you direct the witness to image the defendant's laptop?
3889 Answer: Yes.
3890 Q: How did you save the imaged file and how did you take it?
3891 Answer: We made a copy on the hard disk we brought with Falcon, and cloned the image through the Falcon by attaching the original hard disk to the original.
3892 Q: How did you make a copy of your hard disk? Did not you seal that part separately?
3893 Answer: Yes, it does not have to be sealed.
3894 Q: Is it true that the regulations of the National Police Agency, such as the "Regulations on the Collection and Processing of Digital Evidence", require the seal to be sealed. Is it not necessary to seal?
3895 Answer: The storage medium is intended to be sealed, but the duplicate image is not explicitly marked as sealed.
3896 Q: How do you keep the duplicate image and keep it?
3897 A: Since the image is the result of integrity, it is necessary to have an integrity hash value for the image file and the image file.
3898 Q: In the case law, I have a sealing process as one of the methods of ensuring the integrity of the image file, and I am shooting the process.
3899 Answer: I shot it.
3900 Q: I do not ask opinions from witnesses. We will later ...
3901 A: I think you denied what I did, but I do not know that.
3902 Question: Is the witness bringing the file itself to the National Police Agency?
3903 A: I was in the car and I was in the car.
3904 Q: Have you received an analysis request separately?
3905 Answer: I understand that I have received an analysis request form.
3906 Q: From whom?
3907 A: Because it is computerized, I do not receive it directly.
3908 Q: Have you taken it in a container that can be safely stored so that it will not be damaged by impact, magnetic fields, moisture or dust when you take it?
3909 Answer: Yes, that's right.
3910 Q: What equipment did you bring at the time of the seizure?
3911 Answer: Replicate Falcons and their accessories, laptops, EnCase for analyzing the scene, hard disk for copying the original, and then the police office which extracts the file list for simple use. There is a program called CIP which I developed.
3912 (Suggesting an investigation record, page 334)
3913 Q: I think you've seen it in the process of writing the statement, but the text file in the Photovoltaic vs. Work file. July 12, 2015 04:53:58 What is the meaning of this time I will ask you about this?
3914 Answer: I work with a program called UltraEdit. When I print it there, I know that it shows the attributes related to creating or modifying the file.
3915 Q: I think it is written in the opinion letter that the file will be automatically released based on the last access date. Does that mean?
3916 Answer: As stated.
3917 (Suggesting an investigation record, page 665)
3918 Q: I have the same photovoltaic versus work file and this is on July 21, 2015 at 07:06 pm?
3919 Answer: Yes.
3920 Q: Under that, the Modified time and the Accessed time are from July 7, 2015 to July 7, 2015. What does the witness say now and what does it mean, different?
3921 A: Of course, the structure is different.
3922 Q: What is the reason?
3923 Answer: This is the information in the file, and the one above it shows the computer time when you did the work.
3924 Q: Does July 12, 2015 tell the time of the computer that the witness worked on?
3925 Answer: Yes.
3926 Q: Witness, is that certain? Were you working on July 12, 2015?
3927 A: I did not work at that time, but I printed what was missing.
3928 Q: What does it mean to be missing then?
3929 A: I guess I did not do it at the time.
3930 Q: Witnesses, do you know how many days a search has been made? It was on July 13, 2015. But what does it mean to say that we have removed all of our records the day before the seizure?
3931 Answer: What?
3932 Q: The file was on July 12th, right?
3933 Answer: Where?
3934 (Suggesting an investigation record, page 334)
3935 Q: Is not it July 12, 2015?
3936 Answer: At the time of the last revision.
3937 Q: What does it mean?
3938 Answer: You just got what you got there and printed it from your analysis computer.
3939 Q: So, is it a time stamped by the police?
3940 Answer: I have to see exactly how s.txt comes out, but I was too busy to see the case record. The output is the output of UltraEdit on my analysis computer. The opinions remain intact.
3941 Q: Does it mean that the output was on July 12, 2015?
3942 Answer: No. This is not what I printed on July 12, but the attribute of that file named s.txt is recorded.
3943 Q: I have shown the properties of the file before July 7, 2015. There is a part of the file, please describe it.
3944 Answer: It was changed because I put the save separately.
3945 (Suggesting an investigation record, page 665)
3946 Q: What does that mean? It looks like here on July 21, 2015. What does this mean?
3947 A: That's '.txt'. There is no file called '.txt' on the notebook. When I change '.lnk' to '.txt', that file is not a file on the defendant's notebook, but a reporting screen that is displayed as EnCase. I pulled it out and I made it into a text file.
3948 Q: So this is not a file on the defendant's laptop, is it a separate file created by the witness?
3949 Answer: It is a file created by EnCase, which is not a file but implies its contents.
3950 Q: So is the date you worked on July 21, 2015?
3951 Answer: Yes. I created a file called Text.
3952
3953 Judge
3954 To witnesses
3955 (Suggesting an investigation record, page 334)
3956 Q: The seizure was on July 13, 2015, and the date and time of the seizure on July 12, 2015, before the seizure, is written in the s.txt file. Please summarize and explain once again what this time and date means.
3957 A: There is a date attribute called s.txt which is the creation date of the file, the last modified date, or the last access date. The last modified date is displayed there, followed by the "A number.txt" Since I can not subtract it, the attribute of the original file is not displayed. Therefore, I use EnCase tool to display the properties of the original file managed by EnCase. I copied it completely and made it randomly on my analysis computer as a text file. . To show the screen, to show the letter, on that date.
3958
3959 Lawyer
3960 To witnesses
3961 Q: Do you remember who wrote the seizure?
3962 Answer: If my letter is correct ...
3963 Q: The writer is not a witness, did you see that he made the list of seizures that day?
3964 Answer: Yes.
3965 Q: In the list of seizures, the file on the defendant's laptop is in the list, do you know?
3966 A: I do not remember, but I do not remember seeing exactly what the output is because I can not connect to the system called kicks.
3967 Q: The seizure of the seizure is written by Lieutenant Kim Sang-Kuk and Joo Yoo-Woo, but since the witness has imaged it, he / she will ask for it because the witness confirmed it when he made the seizure list.
3968 A: Is not the confiscation list written in the office?
3969 Q: Before that, did you use the handwriting on your confiscation list?
3970 A: It's not a confiscation list, it's an electronic information confirmation.
3971 (Presenting the confiscation record, page 398)
3972 Q: On the confiscation list, it says that the imaging files were confiscated in 2, 3, 4, 5, but the imaging file is not listed on the 1st notebook. Of course, the witness did not write it, but the writer Kim Sang-Kuk proved his confession to the mother of the defendant and wrote it by hand. There is also no imaging file here, but below is the imaging file. The imaging file is not listed here either. Do you know about this?
3973 Answer: I do not know.
3974 Q: Did the witness check these documents at the time?
3975 Answer: I have no reason to be involved in the proof of confiscation or the record.
3976 Q: At the time of the seizure search, did the lieutenant Kim Sang Kook confirm or get confirmed by the witness when he wrote such a document?
3977 Answer: There was.
3978 Q: Did the witness go through the process of verifying this document?
3979 Answer: Whether or not it should be written by my confirmation ...
3980 Q: Witness, please tell me the facts you remember.
3981 A: Are you asking exactly the month?
3982 Q: At the time of the seizure, did the witness check this document and say, 'This is a confiscation list'?
3983 Answer: I have a memorable memory of the results.
3984 Q: Do you mean that you confirmed this list because you confirmed the output?
3985 Answer: As you remember, I did not think it was the end of the seizure at that time, and I think the process of seizure is ongoing ...
Q: Are you telling me when to write this list?
A: Yes, so for the final confiscated object, I have to hand over the file to the investigative team through my analysis.
Q: How long did it take to image that day?
Answer: It takes about an hour and a half to two hours per hard disk, so I know that 3 o'clock that day ended at 4 o'clock.
Q: Is it finished on July 14, 2015?
Answer: Yes.
3986 -------------------------------------------------- -------------------------------------------------- -------------------------------------------------- --------------------------------------------------
3987
3988 It is not exactly what I remember coming and going back and forth when I found it. So I told you to keep coming, not to go out.
3989 Q: Witness is now working as an analyst on digital evidence. What is your career history?
3990 Answer: I received the police assignment on April 4, 2009, and I have been working in the cybercrime to date. I also analyzed the digital evidence. I worked for two years from 2014 to 2015 as a whole.
3991 Q: Is there a separate education or a degree?
3992 A: Yes, I have a master's degree in Information and Communications.
3993 Q: Is there anything else that was trained in the police department?
3994 A: I have been trained about once a year, once a year for about a month, trained as a hacking professional investigator at the Police Investigation Training Center, then at the Seoul Metropolitan Police Department as a network investigation last year I have lectured about 600 people.
3995 Q: I have two intrusive articles, but I do not have a capture file to write the first one. Isis.png I am writing a text file from the last one, and the screen that says 'Thank you!' I see it as one file, do you remember it?
3996 Answer: I do not know.
3997 Q: If there is only one file, but the defendant actually wrote it, then there are two files that should be present. There are only files that are combined with the part that says. Please explain if it is technically possible.
3998 A: I can not remember the result of this, honestly. I remember that 'Thank you!' Was just a single file.
3999 Q: There is that one, and then the evidence found on the defendant's notebook isis.png, usa.png file that wrote the entire article, remember?
4000 Answer: Yes.
4001 Q: It was a single file that was synthesized up to 'Thank you!'
4002 A: Was there 'Thank you!' Below?
4003 Q: Yes, there is a 'Thank you!' Below, and there is a writing on top of it, so please explain why the file that captures the writing should be separately existed.
4004 A: I do not know why.
4005 Q: Have you confirmed that you have captured using Chrome Full Page Capture?
4006 Answer: Yes.
4007 Q: Do you know that if you capture a full page, it will be saved automatically on your laptop and that the save file will be created, or you will have to save it with a different name or press Save but save it?
4008 A: I do not know why I have not used it. What I put in my analysis report is that I did not know exactly when the capture was done that the filename was created that way, whether it was dropped when the user saved it, or whether the file was temporary before it was saved.
4009 Q: According to the analysis of the witness, the defendant's internet router MAC address has been changed, remember?
4010 Answer: Yes.
4011 Q: And at the end of the crime at the time of the log records are stored in the analysis that you have released, do you remember?
4012 Answer: If you are in the report, you are right.
4013 Q: After that, I do not think that the investigation related to the router is going to be carried out. Do you usually not investigate the router? For example, if you change the MAC address of the router, you should have done an additional investigation. How do you normally investigate?
4014 A: At the time, I was not handled by a mobile investigator, so I do not know if I did an investigation into the router.
4015 Q: There were two IPs in which the blackmail was written, and the IP address was confirmed. If there is a corresponding IP that has committed the crime at the specified time of the crime, then the MAC address that matches the existing IP can be confirmed through the carrier?
4016 Answer: At that time, I knew that on the Tibur Road it had not been confirmed well.
4017 Q: I once went through the process of confiscating the MAC address for the existence of a MAC address on the Tibudoad. Do you know about that?
4018 Answer: I do not know about that.
4019 Q: I asked Tibor to have a Mac address that matched the IP address as stated, but it was not certain that the defendant did. If so, if you check the router in the defendant's home, is it possible to change the MAC address or not?
4020 A: I do not know if it should be confirmed.
4021 Q: Is it possible, technically possible or not?
4022 Answer: Yes.
4023 Q: Anyway, the witness does not know that he has further investigated the router.
4024 A: I do not know that. I did not receive a router analysis request.
4025 Q: Was the imaging file analyzed by the witness first imaging the laptop at the defendant's home?
4026 Answer: Yes.
4027 Q: Did the witness analyze it and replicate the imaging file again?
4028 Answer: Yes.
4029 Q: What about the storage device of the analyzed imaging file?
4030 A: Then I took two hard disks, one was the investigation team, the other was my team, so I remember what I included in my team ... I do not remember which team the notebook was on, but anyway, I used to send it to the investigative team, so I told them to copy it, final.
4031 Q: Did you replicate what you had on the witness team to the investigation team?
4032 A: I did not replicate it, I gave it a hard disk.
4033 Q: If you look at the reports you have asked for analysis, there are 5 or 6 imaging files. It looks like it was copied to a hard disk and commissioned for analysis. Is this correct?
4034 A: I do not know that. As I said, I came in two ...
4035 Q: When I witnessed it, did I put it on one hard disk?
4036 Answer: No. There are two.
4037 Q: Then you have one on your laptop ...
4038 A: So I do not remember how it was stored on my laptop.
4039 Q: And the original of the image was passed back to the investigation team?
4040 Answer: Yes.
4041 Q: Do not you know who you turned over?
4042 A: Yes, I do not know.
4043 Q: I think the analysis is finished on July 23, 2015.
4044 A: I do not know. Because the report is urgent, you should have given it as a file first.
4045 Q: And did the witness print out the evidence from the imaging file and provide it to the investigators in the middle of the analysis?
4046 Answer: Yes.
4047 Q: Do you usually do that?
4048 Answer: Yes.
4049 Q: Do you mean that even before the analysis report comes out?
4050 Answer: Yes, what I convey is in the analysis report.
4051 (Suggesting Investigation Record # 722)
4052 Q: What is the page in the analysis report that the witness made?
4053 Answer: Yes.
4054 Q: It is related to the router here, it says 'Disable logging setting'. What is the source of this screen?
4055 A: You probably have a file called Time Pro, which you run on the analysis computer.
4056 Q: Is it not a screen printed on the notebook of the witness, or a screen printed on the defendant's notebook?
4057 A: You have a time pro and a text file. But there is an HTML file that opens up there. The text file was stored on the defendant's laptop, and since I only need to convert the extension after the text file to open it in the web browser, it seems that I have been converted to HTML to increase visibility.
4058 Q: Is this screen now on the witness's computer in the process of analyzing the witness?
4059 A: Yes, I will. It's my Chrome browser environment.
4060 (Suggesting Investigation Record # 736)
4061 Q: It is almost the last part of the report that the witness analyzes the file. I extracted the file extraction result and the hash value, and I gave the hash value of the notebook imaging file separately at the first time. Does the witness have a hash value?
4062 Answer: Yes, result request.
4063 Q: The hash value here is different from the hash value of the imaging file that initially imaged the defendant's laptop?
4064 Answer: That's not it. The hash value for the compressed file for the final output I made.
4065 Q: The hash value has changed, so I'm looking at it.
4066 Answer: It is not a new, hash value of just another file that has nothing to do with imaging files.
4067 Q: Is the result of the request attached to the CD now?
4068 Answer: Yes.
4069 Q: Is it not possible to recognize the originality of the original file attached to this CD and the imaging file that the witness first imaged?
4070 Answer: Of course, the originals are not the same because they are different. Inside the imaging file, I put this file in here, but the hash value for this file came out like this, but the hash value is different and the identity is different? Not that. I can prove it again.
4071 Q: How can you prove that you came out?
4072 Answer: You can export the output here and extract the hash value.
4073
4074 Judge
4075 To witnesses
4076 (Presenting section 2 of the Attorney's Statement on December 12, 2015)
4077 Q: The attorney's claim is that the file before the file was merged because the picture file was merged, but it did not exist. Is the file before merging necessarily exist?
4078 Answer: It may not be.
4079 Q: Please explain in what case it might not be.
4080 Answer: I do not know what features the Chrome Extension Tool has, but a common capture tool is that once you capture a screen and then try to put it underneath it, you capture it first, and if you do not save it, , So you do not need to save it, but if you put the second captured screen just below the area that was left in the memory, and then save it, the first thing you saved will not be saved.
4081
4082 Lawyer
4083 To witnesses
4084 Q: Is it possible to remain in the memory area at first?
4085 Answer: Yes.
4086 Q: Does it disappear from the memory area over time?
4087 A: Normally I keep the clipboard, but the program I use remains, and I do not know how the date is set, but if I capture it yesterday and save it, it will be shown on the screen again.
4088 Q: So if you stay in the memory area, is it possible?
4089 Answer: Yes.
4090
4091 Prosecutor
4092 To witnesses
4093 Q: Is it possible that the original text and the result screen are both saved as a file, and then the result screen is pasted in the original text and the synthesized file is saved under a new name. ?
4094 Answer: Yes, there are many possibilities.
4095
4096 Lawyer
4097 To witnesses
4098 Q: The writing screen is so large that you can not see it on one page. Is it possible to capture it as a single file when you capture a full screen, or capture it separately?
4099 Answer: It can also be captured as a single file. But I do not know the full page capture program because I did not use it. The capture function provided by Naver or most of the recent capture programs are scrolled all the time, and when I select the whole screen, the one below is captured as one screen.
4100
4101 Judge
4102 I will finish the examination of Kim Wonhwan. Thank you.
4103
4104 After the prison sentence in Seoul detention center, I added 15 sheets of staples to the sentence, followed by a document that shows how to file a copy of the sentence, and 16 sheets of staples.
4105 I added a copy of the document stating that I added a copy of the document stating how to apply for viewing and copying restrictions. I suspect that the court has done this by worrying about the disclosure of the ruling.
4106
4107 Seoul Central District Court
4108 verdict
4109
4110 Event 2015 Torture 4685 Intimidation (Recognition of Torture)
4111 The defendants were OO (OOOOOO-OOOOOOO), unemployed
4112 Housing Seoul, Dongdaemun-gu, Hancheon-ro 58, Gil 139, O-dong O (I-moon-dong, O-apartment)
4113 Registration Criteria Gyeongbuk, Andong-gun Il-kyung-myeon Dongfang Dong 408
4114 Prosecutor Jungmun-sik (prosecution), Jung Jun-jun (trial)
4115 Counsel
4116 Attorney Kim Yong Min, Kim Jin Hyeong, Park In Sook
4117 Judgment sentenced Nov. 11, 2016
4118
4119 order
4120 The accused shall be sentenced to one year and six months in prison.
4121 Confiscate one seized notebook (model name: lenovo B490, S / N: WB09564311)
4122
4123 Reason
4124 Crime Facts
4125 1. Defendant's first intimidation attempted
4126 The defendant used the defendant's laptop (model: lenovo B490) at the defendant's residence to contact the White House Consumer Affairs Corner (Contact the White House, "in English," to President Obama and First Lady Michelle. ... I am a college student at Hankuk University of Foreign Studies in Seoul, Korea. How are your families doing? I am tired of my life because I always masturbate watching sex transsexual pornography. One day I realized that I did not want to die like this. I decided to stay as a famous Korean man in American history. I will eventually rape your second daughter, Natasha. I think it would be a bit politicky to ask beforehand, but is it okay? I think the second daughter (first daughter) is more than Malia Ann ... (Omitted) ... so I am ... Parental consent is required prior to the application. Do not worry about me. I have a lot of kimchi and I do not have AIDS. I am going to rape black people before they die. ... 1).
4127 -------------------------------------------------- --------------------------------------------------
4128 1) The following is the original text of the post.
4129 From: Mr. Lifee Iss Crazzyyjr. / Submitted: 7/7/2015 7:20 AM EDT (US Eastern Time) Email: isshufs@gmail.com / Phone: 82221732062 / Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro , Dongdaemun-gu, Seoul, Korea, 130-791, Damascus, Message: Dear Mr. President Obama and Mrs. First lady Michelle.
4130 Hi.
4131 I'm HUFS student from Seoul, Korea.
4132 How's your president family?
4133 I'm sick of my life cause I always mastervating with tranny prons. One day, I realize that I'm not going to die like this.
4134 2 decide to be a famous Korean male in USA history.
4135 Therefore, I am going to anal rape your second daughter Natasha. Is that okay?
4136 I think that bitch's asshole is much tighter than Malia Ann. So I need parents permission before the nigger anus.
4137 Do not worry about me: I eat lots of Kimchi so free from AIDS.
4138 I eager to penetrate nigro asshole before I killed by Kim Jung-un.
4139 Thanks.
4140
4141 As a result, the defendant tried to intimidate both US President Barack Obama and First Lady Michelle Obama, but the above postings did not reach the victims, so the intimidation remained an attempt.
4142 2. Attempted second intimidation of defendant
4143 The defendant accessed the white house in the White House section of the White House in the above manner at the defendant's residence as described in paragraph 1 of the " . ... This is a warning message to terrorist attacks. In Korea, we will attack the US Ambassador Mark Lippert in Seoul again. Last time, the assassin's heart I sent was so weak that I could not break Lippert's artery. This time we will be preparing a well-trained assassin (traditional Cuisine-Professor) and kill the metabolism with a nuclear poison. Until the US forces dispose of chemical weapons on the Korean peninsula, we will slowly and surely discipline all your political comrades. It is an ultimatum. Wait for us, WIP Satan, Obama! I will see the dialogue soon after. ... 2).
4144 -------------------------------------------------- --------------------------------------------------
4145 2) The original text of the post is as follows.
4146 From: Dr. Korea Isis One / Submitted: 7/7/2015 1:26 PM EDT / Email: summer@hufs.ackr Phone: 82221732061 / Address: Office of International Summer Session in Korean & East Asian Studies 107, Imun-ro, Dongdaemun-gu , Seoul, Korea, 130-791 Message: Declaration Terror to Mr. President Obama.
4147 A beautiful Evening is it?
4148 Right this is the warning message from the Terrorist Attack.
4149 Korea, we're going to re-attack US ambassador Mark Lippert in Seoul.
4150 So last time, my a5sassirator's mind is too weak to cut the ambassador's artery perfectly. End this time, we have been prepared by a well-trained traditional Cuisine-Professor and kill Him by nuclear poisoning.
4151 Ok? We'll keep you amputated all your political comrades slowly but surely one by one, until the US army eliminates Bio-chemical weapons in Korean Peninsular Mother Land.
4152 UltimatuM; 3xpects us, our WIP Archenemy Obama!
4153 LIMFAO, See mark Soon in your After-Life ......
4154 HUFSRO 4ourth 4inger
4155
4156 As a result, the defendant threatened to assassinate US Ambassador Mark Lippert, a foreign envoy to the Republic of Korea, if his intention was not met by US President Barack Obama, but he did not reach the victim.
4157 The point of evidence
4158 1. Witnesses Nam Sang-wook, Kim Jin-kwang, Kim Kyung-hwan
4159 1. Intimidating texts, English texts typed into each white house homepage, 4plebs.org site postings
4160 1. Digital evidence analysis report
4161 1. Investigative reporting (see additional postings on 4plebs.org site), investigation reports (crime facts and Hankuk University of Foreign Studies lectures), investigation reports (suspects found on OO computers, original capturing files) (Evidence list 13-1 to 13-4), investigation reports (for posts posted on 4Chan and 4Chan backup sites), investigation reports (for isis.png, usa.png file analysis), investigation reports (For the Nouveau dossier folder identified on the defendant's laptop), the 's.txt' file found on the defendant's notebook, the investigation report (the suspect for the OO laptop time zone setting confirmation), the investigation report (using the Google Chrome browser capture function Analysis of generated time information), investigation reporting (this OO notebook time information confirmation and re-imaging)
4162 1. Confiscation Record and Confiscation List
4163 1. Confidentiality (submission) integrity verification, seized material (submission) information
4164 Application of statutes
4165 1. The applicable law on crime
4166 Article 286 of each criminal law, Article 283 (1)
4167 1. Imaginative competition
4168 Article 40 of the Criminal Act, Article 50
4169 1. Type selection
4170 Jail option
4171 1. Weighting
4172 Article 37 of the Criminal Act, Article 38 Paragraph (1) Item 2, Article 50
4173 1. Confiscation
4174 Criminal Law Article 48 Clause 1 first
4175 Judgment of defendant's and defendant's claims
4176 1. On the illegality of seizure and search procedures
4177 A. Seizure method restriction violation
4178 1) The point of the claim
4179 The Seoul Central District Court on July 13, 2015 (the "Warrant for Warrant," 2015-18545, hereinafter referred to as "the warrant for this case") restricts the objects and methods of seizure, and in principle, The method of outputting the evidence is sufficient and the notebook computer itself can be duplicated. If the duplication is not possible at the execution site, the original export of the storage medium is allowed and returned within 10 days from the date of export.
4180 However, the defendant's laptop computer had already been cloned at the execution site, so it was taken out and stored as a seizure, even though it was not necessary to remove it.
4181 This is an unlawful seizure violation against a warrant, and the illegality may affect the entire seizure process, so all the evidence obtained from the seizure corresponds to evidence of illegal collection.
4182
4183 2) Judgment
4184 The object and method of confiscation of the electronic information set forth in this case warrant are as follows.
4185 The warrant is for confiscation, "computer hard disk, tablet PC related to the crime" is listed, and the confiscation of the storage device itself is allowed, the defendant's laptop computer is set to French time zone, It is confirmed that VMware is installed as an operating system operating program, so it is necessary to clarify time information and check and analyze the usage history of virtual computer in the future, thereby seizing and exporting the notebook computer itself, It is expected that the recognition of identity will be problematic and it seems to be an action according to necessity of confiscation of the storage medium itself in order to confirm the original electronic information. It is stated that the case warrant should not exceed 10 days from the original date of export unless there is special circumstances However, since this method stipulates the seizure method when seizing only electronic information, In this case, in addition to electronic information, if the original of the notebook computer itself is confiscated as an object of seizure, it can not be said that it is a violation of the method of confiscation of electronic information. In such a case, the seizure of this case is illegal seizure It can not be called search.
4186 B. Seizure search without guarantee of participation
4187 1) The point of the claim
4188 The search for electronic information should be regarded as a seizure process in the whole process of searching electronic information related to a criminal offense and outputting the corresponding electronic information in a document or copying a file. In this case, Not guaranteed.
4189 2) Judgment
4190 In summary, the following facts recognized by the evidence that the court has legally adopted and investigated suggest that, even if the investigating agency does not fully comply with some of the proceedings, the offense is the assurance of the participation of the defendant in the proceedings It can not be regarded as illegal.
4191 ① The defendant was lying in the bed with only his underwear in the execution process of the seizure search at the defendant's residence, and the defendant's family refused to film the seizure process, and the defendant and the defendant's family showed uncooperative attitude (The defendant was arrested in an emergency and lied on the floor with his / her clothes taken off after he was in. In the office of the police department of the Seoul Metropolitan Police Agency. Etc.).
4192 ② The defendant's mother Kim OO participated in the confiscation process of the confiscated materials, and the contents of the storage device were modified, unchanged, and the seals were seized while creating the hash value and hash value of the defendant's laptop computer hard disk And that there was no abnormality in the seal, and the signatures of the integrity of the seized water and the information on the seized materials were unattended.
4193 ③ On the other hand, the defendant's mother Kim OO informed the police officer that he could participate in the seizure process such as the release of seizure of the seizure, duplication, etc. The police officer analyzed the hard disk imaging file of the notebook computer without participation of the defendant on the grounds that Kim OO's decision to participate in the analysis process did not have a separate statement, but because the defendant (Article 121 and Article 122 of the Criminal Procedure Code states that if a participant does not participate in the execution of a seizure search warrant, he / It is difficult to say that the defendant raced after the emergency arrest and that the time of the emergency arrest was so rapid as to omit the notice of participation of the defendant's family in the process of analyzing the seizure. However, the seal and hash values of the storage medium are preserved, the hash value of the hard disk of the laptop computer in this case is the same as the hash value of the file generated through the imaging operation, In view of the integrity of the document and the recognition of the identity, the imaging file appears to have not changed from the time of initial seizure until the time of submission of the evidence. Therefore, it is difficult to say that the analysis of the imaging file was done without the defendant '
4194 2. Proof of original identity and integrity of digital evidence
4195 A. Opinion
4196 The defendant's lawyer argues that the proof of the integrity of the digital evidence is not proven, so the evidence of the files and images printed on the defendant's laptop hard disk should be excluded.
4197 ① Confirmation of integrity by comparing hash values confirms that there has not been any change until the status of the digital evidence at the specific time (imaging time) is submitted to the court afterwards. Therefore, Identification can not be a guarantee of integrity. Before the police officer imaged the information stored in the defendant's laptop computer hard disk, the defendant made a search and browse for 40 minutes without taking measures to prevent a minimum of breaks such as " It is not possible to exclude the possibility that unsaved files or pictures are stored and written.
4198 ② The storage medium that needs to be sealed should also include an 'imaging file storage medium', and the police officer did not seal the storage medium of the file that imaged the defendant's laptop computer hard disk.
4199 B. Judgment
4200 The evidence of integrity and identity in judging the evidence ability of digital evidence can be verified objectively and rationally according to the free trial of the authors by collecting the hash value confirmation, the testimony of investigator or digital potentiometer expert, It is important to note that the original identity and integrity of the digital evidence presented in this case has been proven in light of the following circumstances. Therefore, the defendant's claim is not accepted.
4201 â‘ According to the warrant for seizure of the case, the confiscated object is a computer hard disk, tablet PC, etc. related to the crime, and the investigation officer searched for electronic information in order to determine the relevance to the crime and the necessity of seizure, Of the total number of applicants.
4202 â‘¡ The seizure of the incident began on July 13, 1945, 2014. The investigating officer found the defendant's laptop computer, turned on the power on July 13, 2018, and searched for electronic information related to the alleged crime of the incident, and found a file, usa.png, And then shut down the notebook computer from 2015. 7. 13. 20:47:18 2015. 7. 13. 21:56:08 on the same day until 23:37:11 notebook HDD imaging operation .
4203 â‘¢ As a result of analyzing the defendant's computer imaging file with Encase, a digital evidence analysis tool, the image file isis.png, usa, which captures the contents of the 'Contact the White House' page of the white house website related to each case of this case. The creation and last modified date of the png was confirmed before the seizure of the incident.
4204 â‘£ The investigating officer found the isis.png, usa.png, and s.txt files related to the offense on the defendant's laptop computer and checked the source of the file to the defendant. In the presence of the defendant's OO, In the process of seizing the incident, police officers do not show the circumstances in which they excluded the right of participation of the defendant and the family member.
4205 ⑤ The defendant's mother Kim OO participated in the seizure process of the confiscated materials, and after the defendant's computer hard disk was cloned, the contents of the storage device were modified while the hash value was generated and the hash value was generated, The fact that the seal was sealed and that there was no abnormality in the seal and the integrity of the seizure and signature of the information on the seizure were unattended.
4206 (6) The hash value of the hard disk of the notebook computer in this case is the same as the hash value of the file generated through the imaging operation, and the integrity and the identity of the document output from the file generated through the imaging operation are recognized. As long as the seal and hash values ​​for the storage medium are preserved, the defendant's argument that the storage medium of the duplicated copy (imaging file) must be sealed at the confiscation site and that evidence capability should be excluded in case of violation.
Reason for sentencing
The defendant caused an international wave not only in Korea but also in Korea by posting a rape on Obama's young daughter and an attempt to assassinate US Ambassador to the United States, Mark Lippert, in the column of the US White House complaints column. Although the crime of each of these cases has been attempted, it is very inferior in light of the crime method and crime.
On behalf of the US government, the Embassy of the United States of America (the US Embassy) has indicated that the offense is a serious threat to the US government and that it intends to seek thorough investigation and punishment.
The defendant is not satisfied with the situation after the crime, such as showing the defendant's attitude from the investigation stage to the court, the defendant's behavior and the risk of re-punishment.
However, considering the fact that the defendant is the first person, and the defendant's age, family relationship, home environment, the motive and means of the crime, and the circumstance after the crime, To be determined.
Innocent part
1. Point of circumstance
The defendant accessed the White House Contact Us White House by using the defendant's laptop (model: lenovo B490) at each time and place listed in the crime of criminal offense, Obama and Barack Michelle (first threat), and victim Barack Obama (second threat).
2. Judgment
A. As long as the other person recognizes the meaning of the harmfulness enough to cause the person to be afraid, regardless of whether or not the other person is frightened realistically, If the applicant does not acknowledge the meaning of the evil, or if the opponent fails to perceive the meaning of the evil, he / she will only be tried for the threat of intimidation (Supreme Court Dec. 2007, Dec. 2007, Dec. 606) Reference).
B. The content of each case in this case is considered to be a notice of harmfulness enough to cause victims to fear, but the evidence submitted by the attorney about whether or not the notice of such harm has actually reached the other It is not enough to admit it and there is no other evidence to admit it. Therefore, it is difficult to see threats reach the nose.
C. Conclusion
In the end, the circumstantial indictment of the crime shall be deemed innocent by the end of Article 325 of the Criminal Procedure Act, but if the accused is a preliminary indictment, Not.
The judge (with no signature)

[Seizure, search, and verification of electronic information stored in information storage media such as computer disks]
A. Search and verification of electronic information
If the purpose of the investigation can be accomplished only by search and verification, search and verification without confiscation are required.
B. Seizure of electronic information
(1) Principle
Only the electronic information related to the allegations after the search and verification in the storage media can be confiscated or copied to a storage medium carried by the investigation agency.
(2) Hard copying, imaging (hereinafter referred to as "reproduction") of the storage medium is permitted
(A) Replication at the execution site
If it is impossible to execute by output or copy, or if it is considerably difficult to achieve the purpose of confiscation 3) Only the storage medium can be copied
----------
3) The following cases shall apply.
1. If the person to be eavesdroppers do not cooperate or cannot expect cooperation
2. Where electronic information that is likely to be related to the allegation is deleted or found to be obsolete
3. If execution by copying or printing violates the tranquility of the business activities or privacy of the person to be eavesdropped
4. Other equivalent

(B) The export of the original of the storage medium is permitted.
(1) In the case of (a) above, if the reproduction of the storage medium is impossible or extremely difficult in the current edition of the executive act, (4) only the original of the storage medium is sealed under the participation of the suspect, Can do
----------
4) The following cases shall be referred to.
1. Hard copying and imaging in the field is physically and technically impossible or extremely difficult.
2. Hard copying, execution by imaging, violates the tranquility of the business activities or privacy of the person to be confiscated
3. Other equivalent

2) The original exported by method 1) above shall be opened with the participation of the intruder, reproduced and returned without any delay, but not more than 10 days from the original export date, unless there are special circumstances.
Middle omission
(3) Precautions for confiscation of electronic information
(A) A list of electronic information confiscated by the person to be confiscated shall be issued. (The grant of the list may be replaced by the issuance of a copy of the final confiscated printed matter or electronic information through the procedure of paragraph (2) above.
(B) Sealing and unsealing may be done in physical way or in the way of both parties such as the investigating authority and the person to be confiscated by setting the password. When copying or duplicating, it is necessary to check the hash function value, seize, And a method to confirm the identity with
(C) The right to participate should be ensured through the whole process of seizure and search, and in case of refusal to participate, seizure and search should be done in a considerable way to ensure reliability and professionalism.

It is a copy.
November 15, 2016.
Seoul Central District Court
Hwang Mi-young

※ You can check whether the document has been faked or not by using the issue number search menu of the event search computer installed at each court's civil affairs office or by inquiring the court in charge and inquiring the issuance number shown at the bottom of this document.
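
The defence's first argument (①) and guideline (3)(B) on checking the hash function value both turn on what a hash comparison can and cannot show. The following is an added example, not part of the court record: a constructed in-memory "disk" is written to before imaging and the image is altered after imaging, and only the second change is detectable against the record fixed at imaging time. The block size, function names and sample bytes are assumptions.

```python
import hashlib

BLOCK = 4096  # assumed block size used to localize a later change

def digest(data):
    return hashlib.sha256(data).hexdigest()

def block_digests(data):
    return [digest(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)]

def acquire(source):
    """Image the source medium and fix the record made at imaging time."""
    image = bytes(source)  # stands in for a bit-for-bit copy
    record = {"source_sha256": digest(source),
              "image_sha256": digest(image),
              "blocks": block_digests(image)}
    if record["source_sha256"] != record["image_sha256"]:
        raise ValueError("image differs from source at acquisition")
    return image, record

def verify(image, record):
    """Return the indices of blocks that differ from the imaging-time record."""
    if digest(image) == record["image_sha256"]:
        return []
    now, then = block_digests(image), record["blocks"]
    changed = [i for i, (a, b) in enumerate(zip(now, then)) if a != b]
    # Blocks present on only one side (truncated or extended image) also count.
    changed += range(min(len(now), len(then)), max(len(now), len(then)))
    return changed

def demo():
    disk = bytearray(BLOCK * 4)               # constructed 16 KiB "disk"
    disk[64:72] = b"original"
    # Write made on the live system BEFORE imaging (no write blocker).
    disk[2 * BLOCK:2 * BLOCK + 8] = b"modified"
    image, record = acquire(disk)
    before = verify(image, record)            # pre-imaging write is invisible
    tampered = bytearray(image)
    tampered[3 * BLOCK + 5] ^= 0xFF           # change made AFTER imaging
    after = verify(bytes(tampered), record)   # detected and localized
    truncated = verify(image[:3 * BLOCK], record)
    return before, after, truncated

if __name__ == "__main__":
    print(demo())
```

A matching hash therefore speaks to the period after imaging; the state of the medium before imaging has to be established by other means, such as the file timestamps and testimony the judgment relies on.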

Criminal judgment, reading, copy restriction application
1. Reason for application
A litigant in a criminal case may apply to limit the reading and copying of a criminal judgment, etc. in the following cases:
○ If the disclosure of the lawsuit records is likely to seriously undermine the honor and privacy of your identity or the life, safety of your body or the calmness of your life
○ If there is a concern that the trade secret of the applicant (the "trade secret" in Article 2 (2) of the Act on the Prevention of Unfair Competition and Trade Secrets)
2. Eligibility: Legal person involved in a criminal case
A representative of a defendant who is a defendant, a defendant, an assistant, a legal representative, a special representative under Article 28 of the Criminal Procedure Act, a complainant, a victim or a legal representative thereof, a witness or a legal representative thereof in accordance with Article 340 and Article 341
3. How to Apply
Apply to the court clerk, court clerk, court clerk, court chief of the court holding the litigation record (after the judgment is finalized, the court that sent the judgment)
4. Legal basis: Article 59-3 of the Criminal Procedure Act


++++++++++++++++++++ The End ++++++++++++++++++++

Moon Jae-in President of South Korea
moonriver365@president.go.kr