587 posts in 'All'

  1. 2017.02.22 Leopold FC900R and Varmilo PBT keycap review
  2. 2017.01.24 Everything alternative - Glarysoft QuickSearch
  3. 2016.11.14 Android rooting app - towelroot
  4. 2016.11.14 Android hooking - Frida, Xposed Module
  5. 2016.10.04 Linux log files explained
  6. 2016.09.07 20 network monitoring tools
  7. 2016.06.15 Email address validation program
  8. 2016.05.31 Volume Shadow Copy Service analysis
  9. 2016.04.25 MAC Forensic
  10. 2016.04.20 Windows 10 Forensics
  11. 2016.03.18 Windows Logon Forensics
  12. 2016.02.23 log2timeline for Windows
  13. 2015.08.28 20 digital forensic investigation tools
  14. 2015.08.28 Image file forensic tool - exiftool
  15. 2014.10.23 index.dat analyzer
  16. 2014.10.23 ntfs-log-tracker
  17. 2014.10.23 [Prefetch] Viewer & Parser
  18. 2014.10.15 Windows8 Prefetch Structure
  19. 2014.09.24 Windows incident response tools
  20. 2014.04.28 BrowsingHistoryView for collecting Internet history on Windows 7 and later
  21. 2014.04.28 Microsoft's EMET (Enhanced Mitigation Experience Toolkit)
  22. 2014.04.02 [VBscript] Collecting network information
  23. 2014.02.21 EnCase Enterprise demo video
  24. 2013.12.02 BitKiller - open-source licensed secure file deletion program
  25. 2013.11.26 Malwr - malware behaviour analysis
  26. 2013.10.25 Viewing CPU / Memory information
  27. 2013.09.17 Analyzing $Recycle.Bin
  28. 2013.08.26 Public DNS server addresses worldwide
  29. 2013.08.01 Digital forensic case management - Lima
  30. 2013.07.15 [AES encryption/decryption] Encrypt in Python, decrypt in PHP

Leopold FC900R and Varmilo PBT keycap review

┃ Scribbles 2017.02.22 11:25

Using the Leopold FC900R with its stock keycaps:

Because of the low, thick (1.5mm) Cherry-profile keycaps, it is quieter and feels heavier than a typical mechanical keyboard, which I like.

However, the lower keycaps mean you have to type with your fingers closer together, which is uncomfortable.

So I switched to Varmilo PBT keycaps (1.3mm thick), which are taller than Cherry profile but a bit lower than Majestouch profile. That solved the finger-spacing problem, but the keys now feel a little lighter.

The downside is that they are rougher than Leopold's stock PBT keycaps, so hitting the space bar (which I usually do with the side of my thumb) makes my thumb sore, and honestly they lack that satisfying grip under the fingers.

I think that is just a PBT trait (it is a fact that the Varmilo caps are rougher than the Leopold ones... I got baited by online reviews calling them "softer"?).

After studying a bit and trying things out, I think I finally get why people obsess over keyboards.

I realized what matters is finding your own preferred style through the combination of switch type (Cherry, Kailh, capacitive, membrane) and keycaps (height, material, thickness); nothing is strictly better or worse.

It has not been long since I bought the Leopold, but the budget capacitive boards are catching my eye lately.... (Realforce prices are just brutal... ㅠㅠ)


Everything alternative - Glarysoft QuickSearch

ⓟ Software 2017.01.24 13:27

Everything kept crashing, apparently unable to cope with a disk holding a large amount of data, so I went looking for a replacement and found this.

http://www.glarysoft.com/quick-search/

Glarysoft also offers a variety of other tools.

Personally I picked up QuickSearch and Security Process Explorer.



Android rooting app - towelroot

Uncategorized 2016.11.14 15:38

https://towelroot.com/



Android hooking - Frida, Xposed Module

┃ mobile 2016.11.14 13:49

http://www.frida.re/

http://repo.xposed.info/



Linux log files explained

┃ Linux 2016.10.04 16:41

Source : http://www.thegeekstuff.com/2011/08/linux-var-log-files/

The following are the 20 different log files that are located under /var/log/ directory. Some of these log files are distribution specific. For example, you’ll see dpkg.log on Debian based systems (for example, on Ubuntu).

  1. /var/log/messages – Contains global system messages, including the messages that are logged during system startup. There are several things that are logged in /var/log/messages including mail, cron, daemon, kern, auth, etc.
  2. /var/log/dmesg – Contains kernel ring buffer information. When the system boots up, it prints a number of messages on the screen that display information about the hardware devices the kernel detects during the boot process. These messages are kept in the kernel ring buffer, and whenever a new message arrives the oldest message gets overwritten. You can also view the content of this file using the dmesg command.
  3. /var/log/auth.log – Contains system authorization information, including user logins and the authentication mechanism that was used.
  4. /var/log/boot.log – Contains information that is logged when the system boots
  5. /var/log/daemon.log – Contains information logged by the various background daemons that run on the system
  6. /var/log/dpkg.log – Contains information that is logged when a package is installed or removed using the dpkg command
  7. /var/log/kern.log – Contains information logged by the kernel. Helpful for you to troubleshoot a custom-built kernel.
  8. /var/log/lastlog – Displays the recent login information for all the users. This is not an ascii file. You should use lastlog command to view the content of this file.
  9. /var/log/maillog /var/log/mail.log – Contains the log information from the mail server that is running on the system. For example, sendmail logs information about all the sent items to this file
  10. /var/log/user.log – Contains information about all user level logs
  11. /var/log/Xorg.x.log – Log messages from the X
  12. /var/log/alternatives.log – Information by the update-alternatives are logged into this log file. On Ubuntu, update-alternatives maintains symbolic links determining default commands.
  13. /var/log/btmp – This file contains information about failed login attempts. Use the last command to view the btmp file. For example, “last -f /var/log/btmp | more”
  14. /var/log/cups – All printer and printing related log messages
  15. /var/log/anaconda.log – When you install Linux, all installation related messages are stored in this log file
  16. /var/log/yum.log – Contains information that is logged when a package is installed using yum
  17. /var/log/cron – Whenever cron daemon (or anacron) starts a cron job, it logs the information about the cron job in this file
  18. /var/log/secure – Contains information related to authentication and authorization privileges. For example, sshd logs all the messages here, including unsuccessful login.
  19. /var/log/wtmp or /var/log/utmp – Contains login records. Using wtmp you can find out who is logged into the system. who command uses this file to display the information.
  20. /var/log/faillog – Contains user failed login attempts. Use the faillog command to display the content of this file.

Apart from the above log files, /var/log directory may also contain the following sub-directories depending on the application that is running on your system.

  • /var/log/httpd/ (or) /var/log/apache2 – Contains the apache web server access_log and error_log
  • /var/log/lighttpd/ – Contains light HTTPD access_log and error_log
  • /var/log/conman/ – Log files for ConMan client. conman connects remote consoles that are managed by conmand daemon.
  • /var/log/mail/ – This subdirectory contains additional logs from your mail server. For example, sendmail stores the collected mail statistics in /var/log/mail/statistics file
  • /var/log/prelink/ – prelink program modifies shared libraries and linked binaries to speed up the startup process. /var/log/prelink/prelink.log contains the information about the .so file that was modified by the prelink.
  • /var/log/audit/ – Contains log information stored by the Linux audit daemon (auditd).
  • /var/log/setroubleshoot/ – SELinux uses setroubleshootd (SE Trouble Shoot Daemon) to notify about issues in the security context of files, and logs those information in this log file.
  • /var/log/samba/ – Contains log information stored by samba, which is used to connect Windows to Linux.
  • /var/log/sa/ – Contains the daily sar files that are collected by the sysstat package.
  • /var/log/sssd/ – Used by the system security services daemon, which manages access to remote directories and authentication mechanisms.


20 network monitoring tools

ⓒ Network 2016.09.07 14:04

Source : http://www.gfi.com/blog/the-top-20-free-network-monitoring-and-analysis-tools-for-sys-admins/

1. Microsoft Network Monitor

Microsoft Network Monitor is a packet analyzer that allows you to capture, view and analyze network traffic. This tool is handy for troubleshooting network problems and applications on the network. Main features include support for over 300 public and Microsoft proprietary protocols, simultaneous capture sessions, a Wireless Monitor Mode and sniffing of promiscuous mode traffic, amongst others.

When you launch Microsoft Network Monitor, choose which adapter to bind to from the main window and then click “New Capture” to initiate a new capture tab. Within the Capture tab, click “Capture Settings” to change filter options, adapter options, or global settings accordingly and then hit “Start” to initiate the packet capture process.

2. Nagios

Nagios is a powerful network monitoring tool that helps you to ensure that your critical systems, applications and services are always up and running. It provides features such as alerting, event handling and reporting. The Nagios Core is the heart of the application that contains the core monitoring engine and a basic web UI. On top of the Nagios Core, you are able to implement plugins that will allow you to monitor services, applications, and metrics, a chosen frontend as well as add-ons for data visualisation, graphs, load distribution, and MySQL database support, amongst others.

Tip: If you want to try out Nagios without needing to install and configure it from scratch, download Nagios XI and enable the free version. Nagios XI is the pre-configured enterprise class version built upon Nagios Core and is backed by a commercial company that offers support and additional features such as more plugins and advanced reporting.

Note: The free version of Nagios XI is ideal for smaller environments and will monitor up to seven nodes.

Once you’ve installed and configured Nagios, launch the Web UI and begin to configure host groups and service groups. Once Nagios has had some time to monitor the status of the specified hosts and services, it can start to paint a picture of what the health of your systems look like.

3. OpenNMS

OpenNMS is an open source enterprise grade network management application that offers automated discovery, event and notification management, performance measurement, and service assurance features. OpenNMS includes a client app for the iPhone, iPad or iPod Touch for on-the-go access, giving you the ability to view outages, nodes, alarms and add an interface to monitor.

Once you successfully login to the OpenNMS web UI, use the dashboard to get a quick ‘snapshot view’ of any outages, alarms or notifications. You can drill down and get more information about any of these sections from the Status drop down menu. The Reports section allows you to generate reports to send by e-mail or download as a PDF.

4. Advanced IP Scanner

Advanced IP Scanner is a fast and easy to use network scanner that detects any network devices (including wireless devices such as mobile phones, printers and WIFI routers) on your network. It allows you to connect to common services such as HTTP, FTP and shared folders if they are enabled on the remote machine. You are also able to wake up and shut down remote computers.

The installer allows you to fully install the application on your machine or run the portable version. When you launch Advanced IP Scanner, start by going to Settings > Options to select which resources to scan and how fast/accurate you want the results to be. You can then choose which subnet to scan and proceed with pressing the “Scan” button. Once the scan is complete, expand the results to see which resources you are able to connect to for each discovered device.

5. Capsa Free

Capsa Free is a network analyzer that allows you to monitor network traffic, troubleshoot network issues and analyze packets. Features include support for over 300 network protocols (including the ability to create and customize protocols), MSN and Yahoo Messenger filters, email monitor and auto-save, and customizable reports and dashboards.

When you launch Capsa, choose the adapter you want it to bind to and click “Start” to initiate the capture process. Use the tabs in the main window to view the dashboard, a summary of the traffic statistics, the TCP/UDP conversations, as well as packet analysis.

6. Fiddler

Fiddler is a web debugging tool that captures HTTP traffic between chosen computers and the Internet. It allows you to analyze incoming and outgoing data to monitor and modify requests and responses before they hit the browser. Fiddler gives you extremely detailed information about HTTP traffic and can be used for testing the performance of your websites or security testing of your web applications (e.g. Fiddler can decrypt HTTPS traffic).

When you launch Fiddler, HTTP traffic will start to be captured automatically. To toggle traffic capturing, hit F12. You can choose which processes you wish to capture HTTP traffic for by clicking on “All Processes” in the bottom status bar, or by dragging the “Any Process” icon from the top menu bar onto an open application.

7. NetworkMiner

NetworkMiner captures network packets and then parses the data to extract files and images, helping you to reconstruct events that a user has taken on the network – it can also do this by parsing a pre-captured PCAP file. You can enter keywords which will be highlighted as network packets are being captured. NetworkMiner is classed as a Network Forensic Analysis Tool (NFAT) that can obtain information such as hostname, operating system and open ports from hosts.

In the example above, I set NetworkMiner to capture packets, opened a web browser and searched for “soccer” as a keyword on Google Images. The images displayed in the Images tab are what I saw during my browser session.

When you load NetworkMiner, choose a network adapter to bind to and hit the “Start” button to initiate the packet capture process.

8. Pandora FMS

Pandora FMS is a performance monitoring, network monitoring and availability management tool that keeps an eye on servers, applications and communications. It has an advanced event correlation system that allows you to create alerts based on events from different sources and notify administrators before an issue escalates.

When you login to the Pandora FMS Web UI, start by going to the ‘Agent detail’ and ‘Services’ node from the left hand navigation pane. From here, you can configure monitoring agents and services.

9. Zenoss Core

Zenoss Core is a powerful open source IT monitoring platform that monitors applications, servers, storage, networking and virtualization to provide availability and performance statistics. It also has a high performance event handling system and an advanced notification system.

Once you login to Zenoss Core Web UI for the first time, you are presented with a two-step wizard that asks you to create user accounts and add your first few devices / hosts to monitor. You are then taken directly to the Dashboard tab. Use the Dashboard, Events, Infrastructure, Reports and Advanced tabs to configure Zenoss Core and review reports and events that need attention.

10. PRTG Network Monitor Freeware

PRTG Network Monitor monitors network availability and network usage using a variety of protocols including SNMP, Netflow and WMI. It is a powerful tool that offers an easy to use web-based interface and apps for iOS and Android. Amongst others, PRTG Network Monitor’s key features include:

(1) Comprehensive Network Monitoring which offers more than 170 sensor types for application monitoring, virtual server monitoring, SLA monitoring, QoS monitoring

(2) Flexible Alerting, including 9 different notification methods, status alerts, limit alerts, threshold alerts, conditional alerts, and alert scheduling

(3) In-Depth Reporting, including the ability to create reports in HTML/PDF format, scheduled reports, as well as pre-defined reports (e.g. Top 100 Ping Times) and report templates.

Note: The Freeware version of PRTG Network Monitor is limited to 10 sensors.

When you launch PRTG Network Monitor, head straight to the configuration wizard to get started. This wizard will run you through the main configuration settings required to get the application up and running, including the adding of servers to monitors and which sensors to use.

11. The Dude

The Dude is a network monitoring tool that monitors devices and alerts you when there is a problem. It can also automatically scan all devices on a given subnet and then draw and layout a map of your network.

When you launch The Dude, you first choose to connect to a local or remote network and specify credentials accordingly. Click ‘Settings’ to configure options for SNMP, Polling, Syslog and Reports.

12. Splunk

Splunk is a data collection and analysis platform that allows you to monitor, gather and analyze data from different sources on your network (e.g. event logs, devices, services, TCP/UDP traffic, etc). You can set up alerts to notify you when something is wrong or use Splunk’s extensive search, reporting and dashboard features to make the most of the collected data. Splunk also allows you to install ‘Apps’ to extend system functionality.

Note: When you first download and install Splunk, it automatically installs the Enterprise version for you to trial for 60 days before switching to the Free version. To switch to the Free version straight away, go to Manager > Licensing.

When you login to the Splunk web UI for the first time, add a data source and configure your indexes to get started. Once you do this you can then create reports, build dashboards, and search and analyze data.

13. Angry IP Scanner

Angry IP Scanner is a standalone application that facilitates IP address and port scanning. It is used to scan a range of IP addresses to find hosts that are alive and obtain information about them (including MAC address, open ports, hostname, ping time, NetBIOS information, etc).

When you execute the application, go to Tools > Preferences to configure Scanning and Port options, then go to Tools > Fetchers to choose what information to gather from each scanned IP address.

14. Icinga 2

Icinga is a Linux based fully open source monitoring application which checks the availability of network resources and immediately notifies users when something goes down. Icinga provides business intelligence data for in depth analysis and a powerful command line interface.

When you first launch the Icinga web UI, you are prompted for credentials. Once you’ve authenticated, use the navigation menu on the left hand side to manage the configuration of hosts, view the dashboard, reports, see a history of events, and more.

15. Total Network Monitor

Total Network Monitor continuously monitors hosts and services on the local network, notifying you of any issues that require attention via a detailed report of the problem. The result of each probe is classified using green, red, or black colors to quickly show whether the probe was successful, had a negative result or wasn’t able to complete.

When you launch Total Network Monitor, go to Tools > Scan Wizard to have the wizard scan a specified network range automatically and assign the discovered hosts to a group. Alternatively, create a new group manually to start adding devices/hosts individually.

16. NetXMS

NetXMS is a multi-platform network management and monitoring system that offers event management, performance monitoring, alerting, reporting and graphing for the entire IT infrastructure model. NetXMS’s main features include support for multiple operating systems and database engines, distributed network monitoring, auto-discovery, and business impact analysis tools, amongst others. NetXMS gives you the option to run a web-based interface or a management console.

Once you login to NetXMS you need to first go to the “Server Configuration” window to change a few settings that are dependent on your network requirements (e.g. changing the number of data collection handlers or enabling network discovery). You can then run the Network Discovery option for NetXMS to automatically discover devices on your network, or add new nodes by right clicking on “Infrastructure Services” and selecting Tools > Create Node.

17. Xymon

Xymon is a web-based system – designed to run on Unix-based systems – that allows you to dive deep into the configuration, performance and real-time statistics of your networking environment. It offers monitoring capabilities with historical data, reporting and performance graphs.

Once you’ve installed Xymon, the first place you need to go is the hosts.cfg file to add the hosts that you are going to monitor. Here, you add information such as the host IP address, the network services to be monitored, what URLs to check, and so on.

When you launch the Xymon Web UI, the main page lists the systems and services being monitored by Xymon. Clicking on each system or service allows you to bring up status information about a particular host and then drill down to view specific information such as CPU utilization, memory consumption, RAID status, etc.

18. WirelessNetView

WirelessNetView is a lightweight utility (available as a standalone executable or installation package) that monitors the activity of reachable wireless networks and displays information related to them, such as SSID, Signal Quality, MAC Address, Channel Number, Cipher Algorithm, etc.

As soon as you execute WirelessNetView, it automatically populates a list of all reachable Wi-Fi networks in the area and displays information relevant to them (all columns are enabled by default).

Note: Wireless Network Watcher is a small utility that goes hand in hand with WirelessNetView. It scans your wireless network and displays a list of all computers and devices that are currently connected, showing information such as IP address, MAC address, computer name and NIC card manufacturer – all of which can be exported to an html/xml/csv/txt file.

19. Xirrus Wi-Fi Inspector

Xirrus Wi-Fi Inspector can be used to search for Wi-Fi networks, manage and troubleshoot connections, verify Wi-Fi coverage, locate Wi-Fi devices and detect rogue Access Points. Xirrus Wi-Fi Inspector comes with built-in connection, quality and speed tests.

Once you launch Wi-Fi Inspector and choose an adapter, a list of available Wi-Fi connections is displayed in the “Networks” pane. Details related to your current Wi-Fi connection are displayed in the top right hand corner. Everything pretty much happens from the top ribbon bar – you can run a test, change the layout, edit settings, refresh connections, etc.

20. Wireshark

This list wouldn’t be complete without the ever popular Wireshark. Wireshark is an interactive network protocol analyzer and capture utility. It provides for in-depth inspection of hundreds of protocols and runs on multiple platforms.

When you launch Wireshark, choose which interface you want to bind to and click the green shark fin icon to get going. Packets will immediately start to be captured. Once you’ve collected what you need, you can export the data to a file for analysis in another application or use the in-built filter to drill down and analyze the captured packets at a deeper level from within Wireshark itself.



Email address validation program

ⓟ Software 2016.06.15 11:16

A program that checks whether a given email address is valid.

http://www.email-unlimited.com/downloads.html



Volume Shadow Copy Service analysis

ⓔ Forensic 2016.05.31 21:49

CEIC_2014-Examining_Volume_Shadow_Copies-The_Easy_Way.pdf

 



MAC Forensic

ⓔ Forensic 2016.04.25 16:51

Source : https://digital-forensics.sans.org/summit-archives/2012/analysis-and-correlation-of-macintosh-logs.pdf




Windows 10 Forensics

ⓔ Forensic 2016.04.20 09:43

Source: http://www.google.co.kr/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0ahUKEwiqu9aA-pvMAhXlL6YKHSOdAXUQFghMMAY&url=http%3A%2F%2Fwww.champlain.edu%2FDocuments%2FLCDI%2FWindows%252010%2520Forensics.pdf&usg=AFQjCNGTOXlb1bi6Z7kvJTCvxfdrBxprLg

 

 

Windows 10 Forensics.pdf

 



Windows Logon Forensics

ⓔ Forensic 2016.03.18 17:43

http://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132

 

 

windows-logon-forensics-34132.pdf

 



log2timeline for Windows

ⓔ Forensic 2016.02.23 15:57

https://e366e647f8637dd31e0a13f75e5469341a9ab0ee.googledrive.com/host/0B30H7z4S52FleW5vUHBnblJfcjg/1.4.0/



20 digital forensic investigation tools

ⓔ Forensic 2015.08.28 15:06

http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/

01 SANS SIFT

The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu based Live CD which includes all the tools you need to conduct an in-depth forensic or incident response investigation. It supports analysis of Expert Witness Format (E01), Advanced Forensic Format (AFF), and RAW (dd) evidence formats. SIFT includes tools such as log2timeline for generating a timeline from system logs, Scalpel for data file carving, Rifiuti for examining the recycle bin, and lots more.

When you first boot into the SIFT environment, I suggest you explore the documentation on the desktop to help you become accustomed to what tools are available and how to use them. There is also a good explanation of where to find evidence on a system. Use the top menu bar to open a tool, or launch it manually from a terminal window.

02 ProDiscover Basic

ProDiscover Basic is a simple digital forensic investigation tool that allows you to image, analyse and report on evidence found on a drive. Once you add a forensic image you can view the data by content or by looking at the clusters that hold the data. You can also search for data using the Search node based on the criteria you specify.

When you launch ProDiscover Basic you first need to create or load a project and add evidence from the ‘Add’ node. You can then use the ‘Content View’ or ‘Cluster View’ nodes to analyse the data and the Tools menu to perform actions against the data. Click the ‘Report’ node to view important information about the project.

03 Volatility

Volatility is a memory forensics framework for incident response and malware analysis that allows you to extract digital artefacts from volatile memory (RAM) dumps. Using Volatility you can extract information about running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, and more.

If you are using the standalone Windows executable version of Volatility, simply place volatility-2.1.standalone.exe into a folder and open a command prompt window. From the command prompt, navigate to the location of the executable file and type “volatility-2.1.standalone.exe -f <FILENAME> --profile=<PROFILENAME> <PLUGINNAME>” without quotes – FILENAME would be the name of the memory dump file you wish to analyse, PROFILENAME would be the profile matching the machine the memory dump was taken on, and PLUGINNAME would be the name of the plugin you wish to use to extract information.

Note: In the example above I am using the ‘connscan’ plugin to search the physical memory dump for TCP connection information.

04 The Sleuth Kit (+Autopsy)

The Sleuth Kit is an open source digital forensics toolkit that can be used to perform in-depth analysis of various file systems. Autopsy is essentially a GUI that sits on top of The Sleuth Kit. It comes with features like Timeline Analysis, Hash Filtering, File System Analysis and Keyword Searching out of the box, with the ability to add other modules for extended functionality.

Note: You can use The Sleuth Kit if you are running a Linux box and Autopsy if you are running a Windows box.

When you launch Autopsy, you can choose to create a new case or load an existing one. If you choose to create a new case you will need to load a forensic image or a local disk to start your analysis. Once the analysis process is complete, use the nodes on the left hand pane to choose which results to view.

05 FTK Imager

FTK Imager is a data preview and imaging tool that allows you to examine files and folders on local hard drives, network drives, CDs/DVDs, and review the content of forensic images or memory dumps. Using FTK Imager you can also create SHA1 or MD5 hashes of files, export files and folders from forensic images to disk, review and recover files that were deleted from the Recycle Bin (providing that their data blocks haven’t been overwritten), and mount a forensic image to view its contents in Windows Explorer.

Note: There is a portable version of FTK Imager that will allow you to run it from a USB disk.

When you launch FTK Imager, go to ‘File > Add Evidence Item…’ to load a piece of evidence for review. To create a forensic image, go to ‘File > Create Disk Image…’ and choose which source you wish to forensically image.

06 Linux ‘dd’

dd comes by default on the majority of Linux distributions available today (e.g. Ubuntu, Fedora). This tool can be used for various digital forensic tasks such as forensically wiping a drive (zero-ing out a drive) and creating a raw image of a drive.

Note: dd is a very powerful tool that can have devastating effects if not used with care. It is recommended that you experiment in a safe environment before using this tool in the real world.

Tip: A modified version of dd is available from http://sourceforge.net/projects/dc3dd/ – dc3dd includes additional features that were added specifically for digital forensic acquisition tasks.

To use dd, simply open a terminal window and type dd followed by a set of command parameters (which command parameters will obviously depend on what you want to do). The basic dd syntax for forensically wiping a drive is:

dd if=/dev/zero of=/dev/sdb1 bs=1024

where if = input file, of = output file, bs = block size in bytes

Note: Replace /dev/sdb1 with the drive name of the drive you want to forensically wipe and 1024 with the size of the byte blocks you want to write out.

The basic dd syntax for creating a forensic image of a drive is:

dd if=/dev/sdb1 of=/home/andrew/newimage.dd bs=512 conv=noerror,sync

where if = input file (or in this case drive), of = output file, bs = block size (in bytes), conv = conversion options

Tip: For additional usage info, from a terminal window, type “man dd” without quotes to bring up the help manual for the dd command.
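As an added example that is not part of the article, the POSIX shell script below acquires a source with the same dd flags (bs=512 conv=noerror,sync) and then verifies the copy by hashing source and image with SHA-256; a regular file stands in for /dev/sdb1 so it runs without root and touches no real device. The second function shows how to verify an image that conv=sync has padded past the end of the source, a case where the whole-file hashes differ although no data was lost.

```shell
#!/bin/sh
# Added example, not part of the article: image a source with the dd flags
# used above and verify the copy by hashing source and image. A regular
# file stands in for /dev/sdb1, so no root and no real device is needed.

# Print the SHA-256 of stdin (sha256sum on Linux, shasum elsewhere).
hash_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

hash_file() {
    hash_stdin < "$1"
}

# image_and_verify SRC DST: image SRC into DST with bs=512 conv=noerror,sync,
# then compare the hashes of both files. Returns 0 on a match, 1 otherwise.
# Caveat: conv=sync pads every short read up to bs bytes, so when the size
# of SRC is not a multiple of 512 the image ends up larger than the source
# and the whole-file hashes differ even though nothing was lost.
image_and_verify() {
    src=$1
    dst=$2
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    src_size=$(wc -c < "$src" | tr -d ' ')
    dst_size=$(wc -c < "$dst" | tr -d ' ')
    if [ "$src_hash" = "$dst_hash" ]; then
        echo "MATCH    $dst ($dst_size bytes) sha256=$dst_hash"
        return 0
    fi
    echo "MISMATCH $src ($src_size bytes) vs $dst ($dst_size bytes)"
    echo "         source sha256=$src_hash"
    echo "         image  sha256=$dst_hash"
    return 1
}

# verify_prefix SRC DST: hash only the first (size of SRC) bytes of DST,
# which is the right check when conv=sync padded the image past the source.
verify_prefix() {
    src=$1
    dst=$2
    size=$(wc -c < "$src" | tr -d ' ')
    [ "$(hash_file "$src")" = "$(head -c "$size" "$dst" | hash_stdin)" ]
}

# Demo on two constructed sources: exactly 8 sectors of 512 bytes, and
# 8 sectors plus 4 trailing bytes. Run as: sh acquire_demo.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    head -c 4096 /dev/urandom > "$tmp/aligned"
    head -c 4100 /dev/urandom > "$tmp/odd"
    image_and_verify "$tmp/aligned" "$tmp/aligned.dd"
    if ! image_and_verify "$tmp/odd" "$tmp/odd.dd"; then
        verify_prefix "$tmp/odd" "$tmp/odd.dd" && echo "         first 4100 bytes of the image match the source; the rest is dd padding"
    fi
    rm -rf "$tmp"
fi
```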

07 CAINE

CAINE (Computer Aided INvestigative Environment) is a Linux Live CD that contains a wealth of digital forensic tools. Features include a user-friendly GUI, semi-automated report creation and tools for Mobile Forensics, Network Forensics, Data Recovery and more.

When you boot into the CAINE Linux environment, you can launch the digital forensic tools from the CAINE interface (shortcut on the desktop) or from each tool’s shortcut in the ‘Forensic Tools’ folder on the applications menu bar.

08 Oxygen Forensic Suite 2013 Standard

If you are investigating a case that requires you to gather evidence from a mobile phone to support your case, Oxygen Forensics Suite (Standard Edition) is a tool that will help you achieve this. Features include the ability to gather Device Information (Manufacturer, OS Platform, IMEI, Serial Number, etc.), Contacts, Messages (Emails, SMS, MMS, etc.) and recovery of deleted messages, Call Logs, and Calendar and Task information. It also comes with a file browser which allows you to access and analyse user photos, videos, documents and device databases.

When you launch Oxygen Forensic Suite, hit the ‘Connect new device’ button on the top menu bar to launch the Oxygen Forensic Extractor wizard that guides you through selecting the device and type of information you wish to extract.

09 Free Hex Editor Neo

Free Hex Editor Neo is a basic hex editor that was designed to handle very large files. While a lot of the additional features are found in the commercial versions of Hex Editor Neo, I find this tool useful for loading large files (e.g. database files or forensic images) and performing actions such as manual data carving, low-level file editing, information gathering, or searching for hidden data.

Use ‘File > Open’ to load a file into Hex Editor Neo. The data will appear in the middle window where you can begin to navigate through the hex manually or press CTRL + F to run a search.

10 Bulk Extractor

bulk_extractor is a computer forensics tool that scans a disk image, file, or directory of files and extracts information such as credit card numbers, domains, e-mail addresses, URLs, and ZIP files. The extracted information is output to a series of text files (which can be reviewed manually or analysed using other forensics tools or scripts).

Tip: Within the output text files you will find entries for data that resemble a credit card number, e-mail address, domain name, etc. You will also see a decimal value in the first column of the text file that, when converted to hex, can be used as the pointer on disk where the entry was found (i.e. if you were analysing the disk manually using a hex editor for example, you would jump to this hexadecimal value to view the data).

Bulk_extractor comes as a command-line tool or a GUI tool. In the example above I set the bulk extractor tool to extract information from a forensics image I took earlier and output the results to a folder called “BE_Output”. The results can then be viewed in the Bulk Extractor Viewer and the output text files mentioned above.
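To show what the decimal offset in the first column buys you, here is an added shell example (not from the article or from bulk_extractor itself) that reads a feature file, prints each offset in hex, and reads the bytes at that offset from the image to confirm the feature really sits there. It assumes the usual feature-file layout of '#' header lines followed by offset, feature and context separated by tabs, and treats offsets of the form 1234-ZIP-56 (features found inside decompressed content) as not directly addressable in the image.

```shell
#!/bin/sh
# Added example, not part of the article or of bulk_extractor: cross-check
# a bulk_extractor feature file against the image it was produced from.
# Assumed layout: '#'-prefixed header lines, then offset<TAB>feature<TAB>context.

# be_hex_offset N: print decimal offset N as the 0x-prefixed hex value
# you would jump to in a hex editor.
be_hex_offset() {
    printf '0x%X\n' "$1"
}

# be_bytes_at IMAGE OFFSET LENGTH: print LENGTH raw bytes of IMAGE at OFFSET.
be_bytes_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# be_check IMAGE FEATURE_FILE: one tab-separated line per feature:
#   <decimal offset> <hex offset> <feature> OK|MISMATCH|NESTED
# OK means the feature's bytes were found at that offset in IMAGE.
# Offsets such as 1234-ZIP-56 point into decompressed data, so they
# cannot be read straight from the image and are reported as NESTED.
# Feature length is taken in characters, which equals bytes for ASCII.
be_check() {
    img=$1
    feats=$2
    tab=$(printf '\t')
    while IFS="$tab" read -r offset feature context; do
        case $offset in
            ''|'#'*) continue ;;
            *-*) printf '%s\t-\t%s\tNESTED\n' "$offset" "$feature"; continue ;;
        esac
        found=$(be_bytes_at "$img" "$offset" "${#feature}")
        if [ "$found" = "$feature" ]; then
            status=OK
        else
            status=MISMATCH
        fi
        printf '%s\t%s\t%s\t%s\n' "$offset" "$(be_hex_offset "$offset")" "$feature" "$status"
    done < "$feats"
}

# Usage: sh be_check.sh image.dd BE_Output/email.txt
if [ $# -eq 2 ]; then
    be_check "$1" "$2"
fi
```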

11 DEFT

DEFT is another Linux Live CD which bundles some of the most popular free and open source computer forensic tools available. It aims to help with Incident Response, Cyber Intelligence and Computer Forensics scenarios. Amongst others, it contains tools for Mobile Forensics, Network Forensics, Data Recovery, and Hashing.

When you boot using DEFT, you are asked whether you wish to load the live environment or install DEFT to disk. If you load the live environment you can use the shortcuts on the application menu bar to launch the required tools.

12 Xplico

Xplico is an open source Network Forensic Analysis Tool (NFAT) that aims to extract application data from internet traffic (e.g. Xplico can extract an e-mail message from POP, IMAP or SMTP traffic). Features include support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP), TCP reassembly, and the ability to output data to a MySQL or SQLite database, amongst others.

Once you’ve installed Xplico, access the web interface by navigating to http://<IPADDRESS>:9876 and logging in with a normal user account. The first thing you need to do is create a case and add a new session. When you create a new session you can either load a PCAP file (acquired from Wireshark for example) or start a live capture. Once the session has finished decoding, use the navigation menu on the left hand side to view the results.

13 LastActivityView

I briefly touched on LastActivityView when pointing out the NirSoft suite of tools in my Top 10 Free System Troubleshooting Tools for SysAdmins article. LastActivityView allows you to view what actions were taken by a user and what events occurred on the machine. Any activities such as running an executable file, opening a file/folder from Explorer, an application or system crash or a user performing a software installation will be logged. The information can be exported to a CSV / XML / HTML file. This tool is useful when you need to prove that a user (or account) performed an action he or she said they didn’t.

When you launch LastActivityView, it will immediately start displaying a list of actions taken on the machine it is being run on. Sort by action time or use the search button to start investigating what actions were taken on the machine.

14 Digital Forensic Framework

The Digital Forensics Framework (DFF) is a digital forensic investigation tool and a development platform that allows you to collect, preserve and reveal digital evidence. Amongst others, DFF’s features include the ability to read RAW, EWF and AFF forensic file formats, access local and remote devices, analyse registry, mailbox and file system data and recover hidden and deleted files.

When you launch DFF, you first need to load an evidence file (i.e. a forensic image you acquired previously) or open a device ready for analysis. You can then process the evidence file or device against one of the in-built modules to begin analysing data.

15 Mandiant RedLine

RedLine offers the ability to perform memory and file analysis of a specific host. It collects information about running processes and drivers from memory, and gathers file system metadata, registry data, event logs, network information, services, tasks, and Internet history to help build an overall threat assessment profile.

When you launch RedLine, you will be given a choice to Collect Data or Analyze Data. Unless you already have a memory dump file available, you’ll need to create a collector to gather data from the machine and let that process run through to completion. Once you have a memory dump file to hand you can begin your analysis.

16 PlainSight

PlainSight is a Live CD based on Knoppix (a Linux distribution) that allows you to perform digital forensic tasks such as viewing internet histories, data carving, USB device usage information gathering, examining physical memory dumps, extracting password hashes, and more.

When you boot into PlainSight, a window pops up asking you to select whether you want to perform a scan, load a file or run the wizard. Enter a selection to begin the data extraction and analysis process.

17 HxD

HxD is one of my personal favourites. It is a user-friendly hex editor that allows you to perform low-level editing and modifying of a raw disk or main memory (RAM). HxD was designed with ease-of-use and performance in mind and can handle large files without issue. Features include searching and replacing, exporting, checksums/digests, an in-built file shredder, concatenation or splitting of files, generation of statistics and more.

From the HxD interface start your analysis by opening a file from ‘File > Open’, loading a disk from ‘Extras > Open disk…’ or loading a RAM process from ‘Extras > Open RAM…’.

18 HELIX3 Free

HELIX3 is a Live CD based on Linux that was built to be used in Incident Response, Computer Forensics and E-Discovery scenarios. It is packed with a bunch of open source tools ranging from hex editors to data carving software to password cracking utilities, and more.

Note: The HELIX3 version you need is 2009R1. This version was the last free version available before HELIX was taken over by a commercial vendor. HELIX3 2009R1 is still valid today and makes for a useful addition to your digital forensics toolkit.

When you boot using HELIX3, you are asked whether you want to load the GUI environment or install HELIX3 to disk. If you choose to load the GUI environment directly (recommended), a Linux-based screen will appear giving you the option to run the graphical version of the bundled tools.

19 NetSleuth

NetSleuth is a network forensics analysis tool that identifies devices on your network. It operates in ‘live’ mode (where it will actively capture network packets and interpret device information) or in ‘offline’ mode where it will process a PCAP file that you import.

Note: At the time of writing, NetSleuth is in BETA. It is not recommended that you run this in a production environment. It made this list because it promises to be a handy addition to your forensic toolkit. The author of this tool is currently asking for feedback from the community so now is your chance to contribute!

When you launch NetSleuth, you can either initiate a ‘live’ analysis from the Live Capture tab, or load a PCAP file from the Offline Analysis tab. Once NetSleuth has identified at least one device, you can double click on it to open the Device Information window.

20 P2 eXplorer Free

P2 eXplorer is a forensic image mounting tool that allows you to mount a forensic image as a physical disk and view the contents of that image in Windows Explorer or load it into an external forensic analysis tool. P2 eXplorer supports images in RAW, DD, IMG, EX01, SMART and SafeBack format, amongst others.

When you launch P2 eXplorer, choose an available drive letter to mount the image to and click ‘File > Mount Image…’ to choose the image to mount. Once the image has been mounted, double click on the associated drive letter to view the contents of that image in Windows Explorer.

Tip: In Top 20 Free Disk Tools for SysAdmins I mentioned another image mounting tool called OSFMount. OSFMount is very similar to P2 eXplorer but also supports the mounting of VMWare files and the creation of RAM disks. Part of the OSFMount family is a digital forensics suite called OSForensics – the freeware version of this application is available for personal, educational or home use to allow you to experiment and become acquainted with digital forensics concepts.


Image file forensic tool - exiftool

ⓔ Forensic 2015.08.28 14:36

exiftool download: http://sourceforge.net/projects/exiftool/

Command to dump the metadata of many files in CSV form: exiftool.exe -u [file path] -csv > [output path]



index.dat analyzer

ⓔ Forensic 2014.10.23 13:39

http://www.systenance.com/download/indexdat-setup.exe


ntfs-log-tracker

ⓔ Forensic 2014.10.23 13:37

http://code.google.com/p/ntfs-log-tracker/downloads/list


[Prefetch] Viewer & Parser

ⓔ Forensic 2014.10.23 10:20

Attached files:

parse_prefetch_info_v1.4.zip
pf32.v.1.05.win.zip
pf64.v.1.05.win.zip
winprefetchview-x64.zip
winprefetchview.zip

1. WinPrefetchview

http://www.nirsoft.net/utils/win_prefetch_view.html

Command-Line Options

/folder <Folder> Start WinPrefetchView with Prefetch folder from another instance of Windows operating system.
/prefetchfile <Filename> You can use this command-line parameter with the other save commands (/shtml, /stab, and so on) in order to export the records of specific .pf file into text/html/csv file, for example:
WinPrefetchView.exe /shtml "C:\temp\records.html" /prefetchfile "C:\windows\Prefetch\NTOSBOOT-B00DFAAD.pf"

/stext <Filename> Save the list of Prefetch files into a regular text file.
/stab <Filename> Save the list of Prefetch files into a tab-delimited text file.
/scomma <Filename> Save the list of Prefetch files into a comma-delimited text file (csv).
/stabular <Filename> Save the list of Prefetch files into a tabular text file.
/shtml <Filename> Save the list of Prefetch files into HTML file (Horizontal).
/sverhtml <Filename> Save the list of Prefetch files into HTML file (Vertical).
/sxml <Filename> Save the list of Prefetch files into XML file.
/sort <column> This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "File Size" and "Filename". You can specify the '~' prefix character (e.g: "~Created Time") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns.

Examples:
WinPrefetchView.exe /shtml "f:\temp\Prefetch.html" /sort 2 /sort ~1
WinPrefetchView.exe /shtml "f:\temp\Prefetch.html" /sort "~Modified Time"

/nosort When you specify this command-line option, the list will be saved without any sorting.

2. Parser

[pf]

https://tzworks.net/prototype_page.php?proto_id=1

[Prefetch Parser info 1.4]

http://digital-forensics.sans.org/blog/2010/02/12/prefetch-parser-v1-4/


Windows8 Prefetch Structure

┃ Windows 2014.10.15 15:29

Original image: http://i.imgur.com/riuljsK.jpg


Windows incident response tools

┏ Analysis 2014.09.24 18:25

The tools are introduced at the link below.

http://windowsir.blogspot.kr/p/foss-tools.html

FOSS Tools
I wanted to keep a list of tools as a reference for myself, but also provide it in such a manner that others can make use of the list, as well.

Memory Collection/Analysis
FTK Imager - Includes the ability to collect memory
DumpIt - Great utility for dumping Windows memory; 32- & 64-bit versions in one EXE!
Volatility - 'nuff said! (Google Code project home)
Mandiant RedLine
HBGary Responder CE

Don't want to collect your own memory?
NIST memory images
List from ForensicsWiki
"Federal" Trojan sample
HoneyNet "Banking Troubles" Challenge

Network Capture/Analysis Tools
WireShark - Excellent free tool for capturing and analyzing network packet captures
NetworkMiner - Network forensic analysis tool
Netwitness Investigator - free edition of the tool; supports 25 simultaneous 1GB captures.
Network Appliance Forensic Toolkit (NAFT) by Didier Stevens - Python-based, can extract packets from Windows memory.  If you're using 32-bit Python and your input file is greater than 512MB, split it into chunks.

Sample Images
Digital Corpora - Simson Garfinkel's site with test images and scenarios
Hacking Case from NIST (CFReDs)
Lance Mueller's Practical examples - Lance no longer maintains the site, but the site itself will remain; Practical #1 is an excellent example to use.
Interesting image and scenario from InfoSecShortTakes

Carving
PhotoRec - from the site: "...designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data..."
Scalpel - v2.0; excellent carver that (like others) is file system independent.  You can also create custom .conf file entries.
ParseRS/RipRS - John Moan's tools for recovering IE Travelog/RecoveryStore pages.

Image Mounting
OSFMount
ImDisk - Installs as a Control Panel applet
FTK Imager
vhdtool - use this tool to convert a raw/dd image file to a .vhd file, which you can mount using the Disk Management tool in Win7
raw2vmdk - Java utility convert a raw/dd image to .vmdk
LiveView - Java utility for creating VMWare support files for a raw/dd image; you can then boot the image (if you're not LE, consider using ntpasswd below to 'zero out' the Administrator password so that you can log in...)
VirtualBox - Oracle's free virtualization framework that can run a wide range of guest OS's, including OS/2, Amiga, Android, etc., as well as Linux and Windows.

File System Artifact Tools
analyzeMFT - David Kovar's Python tool for parsing the MFT
MFT Extractor (hmft.exe) - Extract the MFT for parsing with other tools
INDXParse - Tool for parsing index/$I30 files
Joachim Schicht's MFT Tools (mft2csv, LogFileParser, etc.)

File Analysis
PDF Tools from Didier Stevens
PDFStreamDumper - description of use here;
SWF Mastah - Python script to make extracting SWF streams from PDF files easier

Analysis Frameworks
OSForensics - Features listed here; file searches, hash lists, rainbow tables.  Primarily intended to work on live systems, but you can mount an image as a volume and run it against that.
DFF - FOSS digital analysis framework; be sure to read and follow the blog.
ProDiscover Basic Edition - Free, limited version of ProDiscover; you'll need to scroll down (also be sure to check out ZeroView)
SANS SIFT Workstation - SANS Forensic Appliance
Autopsy - As of Aug 2011, Windows only version (in beta) is a complete rewrite, using Java.

Registry Analysis
RegRipper - Get it here (RR.zip), includes regslack; also, more info here...
Registry Decoder

Shellbag Forensics (w/ a Python script and bodyfile format output)
Digital Forensics Stream blog post: Including Shellbags Data in Timelines
Chad's Shellbags analysis article (w/ link to TZWorks sbag.exe)

Password Recovery
Now and again, there's a need to change or crack Windows passwords; for LE, often just knowing if an account had a password or not is enough.
Ntpwedit - allows you to change a Windows password; based on Nordahl's tool
Ntpasswd - Nordahl's tool; includes option for a CD/USB bootdisk to change a Windows password
pwdump7 - dump password hashes
SAMInside - password hash cracker
OphCrack - password hash cracker
L0phtcrack - no introduction necessary (15 day trial)

Phones/Phone Backup Files
I wanted to include a section to address FOSS tools for accessing mobile devices/phones, as well as backups of these devices that you might find on a Windows system.

iPhone
iPhoneBrowser - Access the iPhone file system from a Windows GUI
iPhone Analyzer
iPhoneBackupExtractor - includes a free download for extracting files from an iPhone backup
iPhone Backup Browser -
*You can also use the information in this article (even more info is available from this AppleExaminer article), and use SQLite or SQLite Browser to access information in the db files; for working with plists, consider plutil.exe (installed with iTunes) for converting plists.  Also consider this article from Linux Sleuthing that describes parsing the iPhone SMS database.
iTwin -

This SlideShare presentation talks about using open source tools to analyze iOS devices.

BlackBerry
ForensicsWiki BlackBerry Forensics page (watch out for these common pitfalls)
Blackberry Desktop Manager software
There is some additional information at Eric Huber's blog, via an interview with Shafik Punja.
Blackberry.com IPD file format
ElcomSoft BlackBerry Explorer -for pay, but has a limited trial version (read/parse IPD/BBB files)
Get additional information from a BB (after backup) using JavaLoader (NOT a forensic tool)
Bye Nary blog post - What's in an IPD?

Other possible solutions (untested):
Reincubate Labs - Blackberry Backup Extractor
MagicBerry IPD parser

Android
If you're interested in seeing if there's any location information available in an Android phone, check out android-locdump. 

While not specific to Windows, check out this Wiki page at the HoneyNet site for a VirtualBox VM you can download to do Android malware RE.

eEvidence.info site for mobile forensics
Cellular.Sherlock - lots of great info available on mobile forensics

PE Analysis Tools
HBGary Fingerprint - Analysis/comparison tool, extensible via C#
CFF Explorer - Understands .NET files, extensible via scripting
TZWorks pe_view and pescan
PEiD - discontinued, but good tool
PEView

Metadata tools
Phil Harvey's EXIFTool
Zena Forensics EXIF Summarizer - Python script
Word 2007 metadata - read_open_xml.pl

Other tools
Wifi WAP geolocation using macl.pl
VMDK Forensic Artifact Extractor (vfae.exe) - extract files from a VMDK
Jesse updated md5deep to include Win PE file identification (miss identify)

Browser Analysis
Sean Cavanaugh's paper on Safari cache.db analysis (refers to the Forensics from the Sausage Factory blog posts)

Firefox
Kristinn's SANS blog write-up regarding FF3+ history (ff3histview.pl)
MozillaZine: Contents of user's profile folder
ForensicsWiki: FF3 History File format
Write-up on F3e

Chrome
Hindsight Chrome history parser

Sites
These are some sites that include a number of useful tools:
TZWorks - lots of great tools including a shellbag parser
NirSoft - another site with a lot of great tools
Tools I've written and provided with my books (WRF tools, timeline tools, etc.)
WoanWare - Lots of great free utilities, including some for browser analysis
OpenSourceForensics - site with a number of *nix/Windows tools listed
pyDetective - Site containing Python scripts for DF analysis
ForensicCtrl - Free forensic tool list
MalwareHunters Free Tools
My Forensic Tools (from the UK): Some interesting free tools
BethLogic Code site


BrowsingHistoryView for collecting internet history on Windows 7 and later

ⓔ Forensic 2014.04.28 10:50

Use this tool when IEHV does not pull the history correctly on Windows 7 and later operating systems.

It supports command-line operation.

 

http://www.nirsoft.net/utils/browsing_history_view.html

Command-Line Options
====================

/stext <Filename>
Save the browsing history into a regular text file.

/stab <Filename>
Save the browsing history into a tab-delimited text file.

/scomma <Filename>
Save the browsing history into a comma-delimited text file (csv).

/stabular <Filename>
Save the browsing history into a tabular text file.

/shtml <Filename>
Save the browsing history into HTML file (Horizontal).

/sverhtml <Filename>
Save the browsing history into HTML file (Vertical).

/sxml <Filename>
Save the browsing history into XML file.

/sort <column>
This command-line option can be used with other save options for sorting
by the desired column. If you don't specify this option, the list is
sorted according to the last sort that you made from the user interface.
The <column> parameter can specify the column index (0 for the first
column, 1 for the second column, and so on) or the name of the column,
like "Title" and "URL". You can specify the '~' prefix character (e.g:
"~Visit Time") if you want to sort in descending order. You can put
multiple /sort in the command-line if you want to sort by multiple
columns.

Examples:
BrowsingHistoryView.exe /shtml "f:\temp\history.html" /sort 2 /sort ~1
BrowsingHistoryView.exe /shtml "f:\temp\history.html" /sort "URL" /sort
"Visit Time"

/nosort
When you specify this command-line option, the list will be saved without
any sorting.

/SaveDirect
Save the browsing history in SaveDirect mode. For using with the other
save command-line options ( /scomma, /stab, /sxml, and so on...) When you
use the SaveDirect mode, the history lines are saved directly to the
disk, without loading them into the memory first. This means that you can
save a list with large amount of history lines into your disk without any
memory problem, as long as you have enough disk space to store the saved
file. The drawback of this mode: You cannot sort the lines according to
the column you choose with /sort command-line option.

/HistorySource <Source>
Specifies the type of history data source:
* 1 - Load history from the current running system (All users).
* 2 - Load history from the current running system (Only current user).
* 3 - Load history from the specified profiles folder
  (/HistorySourceFolder command-line parameter).
* 4 - Load history from the specified profile (/HistorySourceFolder
  command-line parameter).


/HistorySourceFolder <Folder>
Specifies the folder path if /HistorySource is 3 or 4.

/VisitTimeFilterType <Filter Type>
Specifies the type of date/time filter:
* 1 - Load history from any date/time.
* 2 - Load history from the last xx hours (xx specified in
  /VisitTimeFilterValue)
* 3 - Load history from the last xx days (xx specified in
  /VisitTimeFilterValue)
* 4 - Load history from the specified date/time range (The time range
  is specified in /VisitTimeFrom and /VisitTimeTo)


/VisitTimeFilterValue <Filter Value>
Specifies the filter value when /VisitTimeFilterType is 2 or 3

/VisitTimeFrom <Time>
/VisitTimeTo <Time>
Specifies the date/time range when /VisitTimeFilterType is 4. date/time
value must be in the following format: dd-mm-yyyy hh:nn:ss

For example:
BrowsingHistoryView.exe /VisitTimeFrom "10-01-2012 12:00:00" /VisitTimeTo
"18-02-2012 10:00:00"

/LoadIE <0 | 1>
/LoadFirefox <0 | 1>
/LoadChrome <0 | 1>
/LoadSafari <0 | 1>

Specifies whether to load the history of IE/Firefox/Chrome/Safari Web
browser. 0 = Don't load, 1 = Load.

Here's some command-line examples:
BrowsingHistoryView.exe /HistorySource 4 /HistorySourceFolder
"H:\Documents and Settings\User01" /stab "c:\temp\history.txt"
BrowsingHistoryView.exe /HistorySource 3 /HistorySourceFolder
"G:\Documents and Settings" /VisitTimeFilterType 3 /VisitTimeFilterValue
10 /scomma "c:\temp\history.csv"
BrowsingHistoryView.exe /HistorySource 1 /LoadIE 1 /LoadFirefox 0
/LoadChrome 0 /LoadSafari 0 /shtml "c:\temp\history.html"
BrowsingHistoryView.exe /HistorySource 2 /VisitTimeFilterType 4
/VisitTimeFrom "01-01-2011 00:00:00" /VisitTimeTo "01-01-2012 00:00:00"
/stab "c:\temp\history.txt"



Microsoft's EMET (Enhanced Mitigation Experience Toolkit)

ⓤ System 2014.04.28 10:41

A free security configuration tool provided by Microsoft.

A security utility that keeps software vulnerabilities from being exploited, which makes it possible to respond to zero-day attacks.

- Introduction: http://allimter.tistory.com/18

- EMET download: http://www.microsoft.com/en-us/download/confirmation.aspx?id=41138

- Technical paper on bypass techniques for the current version (4.1): http://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf



[VBScript] Collecting network information

ⓘ Programming 2014.04.02 17:18
' Collect the TCP/IP configuration of every network adapter through WMI.
' Run it with cscript so each value prints to the console, e.g.:
'   cscript //nologo netinfo.vbs
'
' Several Win32_NetworkAdapterConfiguration properties (IPAddress, IPSubnet,
' DefaultIPGateway, DNSServerSearchOrder, GatewayCostMetric, ...) are arrays.
' Concatenating an array to a string raises a type mismatch; with
' "On Error Resume Next" in place that error is swallowed and those values
' never print. Fmt() joins arrays and maps Null to an empty string instead,
' so the script runs without error suppression.
Function Fmt(v)
    If IsNull(v) Then
        Fmt = ""
    ElseIf IsArray(v) Then
        Fmt = Join(v, ", ")
    Else
        Fmt = CStr(v)
    End If
End Function

strComputer = "."   ' "." = local machine; a hostname queries a remote system
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' 48 = wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32)
Set colItems = objWMIService.ExecQuery("Select * from Win32_NetworkAdapterConfiguration",,48)
For Each objItem in colItems
    Wscript.Echo "ArpAlwaysSourceRoute: " & Fmt(objItem.ArpAlwaysSourceRoute)
    Wscript.Echo "ArpUseEtherSNAP: " & Fmt(objItem.ArpUseEtherSNAP)
    Wscript.Echo "Caption: " & Fmt(objItem.Caption)
    Wscript.Echo "DatabasePath: " & Fmt(objItem.DatabasePath)
    Wscript.Echo "DeadGWDetectEnabled: " & Fmt(objItem.DeadGWDetectEnabled)
    Wscript.Echo "DefaultIPGateway: " & Fmt(objItem.DefaultIPGateway)
    Wscript.Echo "DefaultTOS: " & Fmt(objItem.DefaultTOS)
    Wscript.Echo "DefaultTTL: " & Fmt(objItem.DefaultTTL)
    Wscript.Echo "Description: " & Fmt(objItem.Description)
    Wscript.Echo "DHCPEnabled: " & Fmt(objItem.DHCPEnabled)
    Wscript.Echo "DHCPLeaseExpires: " & Fmt(objItem.DHCPLeaseExpires)
    Wscript.Echo "DHCPLeaseObtained: " & Fmt(objItem.DHCPLeaseObtained)
    Wscript.Echo "DHCPServer: " & Fmt(objItem.DHCPServer)
    Wscript.Echo "DNSDomain: " & Fmt(objItem.DNSDomain)
    Wscript.Echo "DNSDomainSuffixSearchOrder: " & Fmt(objItem.DNSDomainSuffixSearchOrder)
    Wscript.Echo "DNSEnabledForWINSResolution: " & Fmt(objItem.DNSEnabledForWINSResolution)
    Wscript.Echo "DNSHostName: " & Fmt(objItem.DNSHostName)
    Wscript.Echo "DNSServerSearchOrder: " & Fmt(objItem.DNSServerSearchOrder)
    Wscript.Echo "DomainDNSRegistrationEnabled: " & Fmt(objItem.DomainDNSRegistrationEnabled)
    Wscript.Echo "ForwardBufferMemory: " & Fmt(objItem.ForwardBufferMemory)
    Wscript.Echo "FullDNSRegistrationEnabled: " & Fmt(objItem.FullDNSRegistrationEnabled)
    Wscript.Echo "GatewayCostMetric: " & Fmt(objItem.GatewayCostMetric)
    Wscript.Echo "IGMPLevel: " & Fmt(objItem.IGMPLevel)
    Wscript.Echo "Index: " & Fmt(objItem.Index)
    Wscript.Echo "IPAddress: " & Fmt(objItem.IPAddress)
    Wscript.Echo "IPConnectionMetric: " & Fmt(objItem.IPConnectionMetric)
    Wscript.Echo "IPEnabled: " & Fmt(objItem.IPEnabled)
    Wscript.Echo "IPFilterSecurityEnabled: " & Fmt(objItem.IPFilterSecurityEnabled)
    Wscript.Echo "IPPortSecurityEnabled: " & Fmt(objItem.IPPortSecurityEnabled)
    Wscript.Echo "IPSecPermitIPProtocols: " & Fmt(objItem.IPSecPermitIPProtocols)
    Wscript.Echo "IPSecPermitTCPPorts: " & Fmt(objItem.IPSecPermitTCPPorts)
    Wscript.Echo "IPSecPermitUDPPorts: " & Fmt(objItem.IPSecPermitUDPPorts)
    Wscript.Echo "IPSubnet: " & Fmt(objItem.IPSubnet)
    Wscript.Echo "IPUseZeroBroadcast: " & Fmt(objItem.IPUseZeroBroadcast)
    Wscript.Echo "IPXAddress: " & Fmt(objItem.IPXAddress)
    Wscript.Echo "IPXEnabled: " & Fmt(objItem.IPXEnabled)
    Wscript.Echo "IPXFrameType: " & Fmt(objItem.IPXFrameType)
    Wscript.Echo "IPXMediaType: " & Fmt(objItem.IPXMediaType)
    Wscript.Echo "IPXNetworkNumber: " & Fmt(objItem.IPXNetworkNumber)
    Wscript.Echo "IPXVirtualNetNumber: " & Fmt(objItem.IPXVirtualNetNumber)
    Wscript.Echo "KeepAliveInterval: " & Fmt(objItem.KeepAliveInterval)
    Wscript.Echo "KeepAliveTime: " & Fmt(objItem.KeepAliveTime)
    Wscript.Echo "MACAddress: " & Fmt(objItem.MACAddress)
    Wscript.Echo "MTU: " & Fmt(objItem.MTU)
    Wscript.Echo "NumForwardPackets: " & Fmt(objItem.NumForwardPackets)
    Wscript.Echo "PMTUBHDetectEnabled: " & Fmt(objItem.PMTUBHDetectEnabled)
    Wscript.Echo "PMTUDiscoveryEnabled: " & Fmt(objItem.PMTUDiscoveryEnabled)
    Wscript.Echo "ServiceName: " & Fmt(objItem.ServiceName)
    Wscript.Echo "SettingID: " & Fmt(objItem.SettingID)
    Wscript.Echo "TcpipNetbiosOptions: " & Fmt(objItem.TcpipNetbiosOptions)
    Wscript.Echo "TcpMaxConnectRetransmissions: " & Fmt(objItem.TcpMaxConnectRetransmissions)
    Wscript.Echo "TcpMaxDataRetransmissions: " & Fmt(objItem.TcpMaxDataRetransmissions)
    Wscript.Echo "TcpNumConnections: " & Fmt(objItem.TcpNumConnections)
    Wscript.Echo "TcpUseRFC1122UrgentPointer: " & Fmt(objItem.TcpUseRFC1122UrgentPointer)
    Wscript.Echo "TcpWindowSize: " & Fmt(objItem.TcpWindowSize)
    Wscript.Echo "WINSEnableLMHostsLookup: " & Fmt(objItem.WINSEnableLMHostsLookup)
    Wscript.Echo "WINSHostLookupFile: " & Fmt(objItem.WINSHostLookupFile)
    Wscript.Echo "WINSPrimaryServer: " & Fmt(objItem.WINSPrimaryServer)
    Wscript.Echo "WINSScopeID: " & Fmt(objItem.WINSScopeID)
    Wscript.Echo "WINSSecondaryServer: " & Fmt(objItem.WINSSecondaryServer)
    ' Separator so the output of consecutive adapters is easy to tell apart
    Wscript.Echo String(60, "-")
Next


EnCase Enterprise demo video

ⓔ Forensic 2014.02.21 09:52

http://video.guidancesoftware.com/services/player/bcpid855695060001?bckey=AQ~~,AAAAlw1hUBk~,irEp7d0uO14TYal9Cx7fxUjjVMeh-Sw6



BitKiller - open-source secure file deletion program

ⓟ Software 2013.12.02 09:46

Provides the zero, random data, DoD and Gutmann wiping algorithms at both file and folder level, with a simple UI.

Download: http://sourceforge.net/projects/bitkiller/



Malwr - malware behaviour analysis

┏ Analysis 2013.11.26 10:45
https://malwr.com/


Viewing CPU / memory information

┃ Linux 2013.10.25 18:49

1. CPU

- Check the model

grep "model name" /proc/cpuinfo | tail -1

- Total number of (logical) cores

grep -c processor /proc/cpuinfo

- Number of physical CPUs (sockets)

grep "physical id" /proc/cpuinfo | sort -u | wc -l

- Physical cores per CPU

grep "cpu cores" /proc/cpuinfo | tail -1

2. Memory

- Total memory

grep MemTotal /proc/meminfo

- Quick command

free
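The four CPU greps above run against a single /proc/cpuinfo-style file, as an added example that is not part of the original post: it makes visible that "processor" counts logical CPUs (hardware threads), not cores, and derives threads per core from the other two counts. The cpuinfo content is a constructed sample; the functions accept any file and default to the real /proc/cpuinfo.

```shell
#!/bin/sh
# Added example (not from the original post): the greps above applied to one
# /proc/cpuinfo-style file, to show how the counts relate. "processor" counts
# logical CPUs (hardware threads); physical cores = sockets * "cpu cores";
# threads per core = logical / (sockets * cores). Hyperthreading doubles the
# processor count without adding any cores.

# constructed sample: 1 socket, 2 cores, 2 threads per core (4 logical CPUs)
SAMPLE_CPUINFO=$(mktemp)
trap 'rm -f "$SAMPLE_CPUINFO"' EXIT
cat > "$SAMPLE_CPUINFO" <<'EOF'
processor       : 0
model name      : Example CPU (constructed sample)
physical id     : 0
cpu cores       : 2
processor       : 1
model name      : Example CPU (constructed sample)
physical id     : 0
cpu cores       : 2
processor       : 2
model name      : Example CPU (constructed sample)
physical id     : 0
cpu cores       : 2
processor       : 3
model name      : Example CPU (constructed sample)
physical id     : 0
cpu cores       : 2
EOF

# cpu_summary FILE -> "sockets cores_per_cpu logical_cpus", using the same
# greps as the post (FILE defaults to the real /proc/cpuinfo)
cpu_summary() {
    file=${1:-/proc/cpuinfo}
    sockets=$(grep "physical id" "$file" | sort -u | wc -l | tr -d ' ')
    cores=$(grep "cpu cores" "$file" | tail -1 | awk -F: '{gsub(/ /, "", $2); print $2}')
    logical=$(grep -c processor "$file")
    echo "$sockets $cores $logical"
}

# threads_per_core FILE -> logical CPUs per physical core (1 = no SMT)
threads_per_core() {
    set -- $(cpu_summary "$1")
    echo $(( $3 / ($1 * $2) ))
}

cpu_summary "$SAMPLE_CPUINFO"        # 1 2 4
threads_per_core "$SAMPLE_CPUINFO"   # 2
```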



Analysing $Recycle.Bin

ⓔ Forensic 2013.09.17 16:54

forensic-analysis-vista-recycle-bin.pdf

12-larson-windows7-foreniscs.pdf


Public DNS server addresses worldwide

┃ Web 2013.08.26 16:09

The site below lists public DNS server addresses by country.

http://public-dns.tk/


Digital forensic case management - Lima

ⓔ Forensic 2013.08.01 18:36

Related article:

Lima wins SC Magazine "Best Buy" 2013 award for Digital Forensic Case Management

http://www.forensicfocus.com/News/article/sid=2068/

Vendor: http://www.intaforensics.com/

The importance of case management...


[AES encryption/decryption] encrypt in Python, decrypt in PHP

ⓘ Programming 2013.07.15 20:06

Source: http://stackoverflow.com/questions/13051293/encrypt-data-with-python-decrypt-in-php

[ python encrypt ]

from Crypto.Cipher import AES  # pycrypto or pycryptodome
import base64

# AES always works on 16-byte blocks; the plaintext is padded up to a multiple
# of BLOCK_SIZE (32 here, itself a multiple of 16) before encryption
BLOCK_SIZE = 32

# the character used for padding--with a block cipher such as AES, the value
# you encrypt must be a multiple of the block size in length.  This character is
# appended to ensure that your value is always a multiple of BLOCK_SIZE.
# Caveat: rstrip(PADDING) also removes genuine trailing '{' characters from the
# plaintext; PKCS#7 padding avoids that ambiguity.
PADDING = b'{'

# one-liner to sufficiently pad the text to be encrypted
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING

# one-liners to encrypt/encode and decrypt/decode a byte string
# encrypt with AES, encode with base64 (and the reverse)
EncodeAES = lambda c, s: base64.b64encode(c.encrypt(pad(s)))
DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING)

secret = b"332SECRETabc1234"  # 16-byte key -> AES-128; must match the PHP side
iv = b"HELLOWORLD123456"      # 16-byte IV; a fixed IV is only acceptable for this demo
cipher = AES.new(secret, AES.MODE_CBC, iv)
my_text_to_encode = b"password"
encoded = EncodeAES(cipher, my_text_to_encode)
print('Encrypted string:', encoded.decode())

[ php decrypt (note the encoded text is just copy/pasted from python print above) ]

<?php
$enc = "x3OZjCAL944N/awRHSrmRBy9P4VLTptbkFdEl2Ao8gk=";
$secret = "332SECRETabc1234"; // same secret as python (16 bytes -> AES-128)
$iv = "HELLOWORLD123456";     // same iv as python
$padding = "{";               // same padding character as python

// The original used mcrypt (MCRYPT_RIJNDAEL_128 / CBC), which was removed in
// PHP 7.2. openssl_decrypt with OPENSSL_ZERO_PADDING performs the same raw
// AES-128-CBC decryption and leaves the '{' padding in place for rtrim below.
function decrypt_data($data, $iv, $key) {
    $cipher = 'aes-128-cbc';

    // no explicit iv: the sender prepended it to the ciphertext
    if (is_null($iv)) {
        $ivlen = openssl_cipher_iv_length($cipher);
        $iv = substr($data, 0, $ivlen);
        $data = substr($data, $ivlen);
    }

    // decrypt; returns false on a wrong key length, bad iv or corrupt data
    return openssl_decrypt($data, $cipher, $key,
                           OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
}

$res = decrypt_data(base64_decode($enc), $iv, $secret);
print rtrim($res, $padding);
?>
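The '{' padding used by both sides above, beside PKCS#7 padding, as an added example that is not from the original post or the StackOverflow answer it cites. It is pure Python with no cipher library (padding is independent of the cipher) and pads to the 16-byte AES block rather than the post's BLOCK_SIZE of 32; it shows where stripping trailing '{' loses data and how PKCS#7 unpadding can reject malformed input.

```python
# Added example: the post's '{' padding beside PKCS#7 padding, the scheme most
# AES libraries (including PHP's openssl_decrypt default) expect. Pure Python;
# padding does not depend on the cipher, so no crypto library is needed.
BLOCK_SIZE = 16  # AES block size in bytes


def brace_pad(data: bytes) -> bytes:
    """The post's scheme: fill the final block with '{' characters."""
    return data + (BLOCK_SIZE - len(data) % BLOCK_SIZE) * b"{"


def brace_unpad(data: bytes) -> bytes:
    """The post's scheme: strip every trailing '{', including genuine ones."""
    return data.rstrip(b"{")


def pkcs7_pad(data: bytes) -> bytes:
    """Append n bytes each of value n, where 1 <= n <= BLOCK_SIZE."""
    n = BLOCK_SIZE - len(data) % BLOCK_SIZE
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Strip PKCS#7 padding, rejecting anything malformed."""
    if not data or len(data) % BLOCK_SIZE:
        raise ValueError("padded data must be a non-empty multiple of the block size")
    n = data[-1]
    if n < 1 or n > BLOCK_SIZE or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]


def round_trips(pad, unpad, plaintext: bytes) -> bool:
    """True if pad followed by unpad returns the original plaintext."""
    padded = pad(plaintext)
    assert len(padded) % BLOCK_SIZE == 0  # both schemes block-align the data
    return unpad(padded) == plaintext


if __name__ == "__main__":
    # constructed inputs: the post's own plaintext, then two ending in '{'
    for msg in (b"password", b"ends with {", b"{{{{"):
        print(msg, "brace:", round_trips(brace_pad, brace_unpad, msg),
              "pkcs7:", round_trips(pkcs7_pad, pkcs7_unpad, msg))
```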