69 posts in 'ⓔ Forensic'

  1. 2016.05.31 Volume Shadow Copy Service analysis
  2. 2016.04.25 MAC Forensic
  3. 2016.04.20 Windows 10 Forensics
  4. 2016.03.18 Windows Logon Forensics
  5. 2016.02.23 log2timeline for Windows
  6. 2015.08.28 20 digital forensic investigation tools
  7. 2015.08.28 Image file forensic tool - exiftool
  8. 2014.10.23 index.dat analyzer
  9. 2014.10.23 ntfs-log-tracker
  10. 2014.10.23 [Prefetch] Viewer & Parser
  11. 2014.04.28 BrowsingHistoryView for collecting internet history on Windows 7 and later
  12. 2014.02.21 EnCase Enterprise demo video
  13. 2013.09.17 Analysing $Recycle.Bin
  14. 2013.08.01 Digital forensic case management - Lima
  15. 2013.07.08 Introduction to memory dump analysis tools
  16. 2013.03.25 [Wiping] Disk wipe with dcfldd
  17. 2013.03.18 Mac forensic tools
  18. 2013.03.18 Mac disk wiping
  19. 2012.12.07 [TweakingRegistryBackup] registry hive file collector
  20. 2012.12.07 [US-LATT] portable volatile data collector
  21. 2012.11.10 [File carving] Foremost
  22. 2012.10.30 Why data recovery is hard after the SSD TRIM command
  23. 2012.10.11 Converting an EnCase E01 image to DD
  24. 2012.10.08 Extracting data from packet captures with carving techniques
  25. 2012.09.25 Determining malware creation time from the MFT FileName Information attribute
  26. 2012.09.10 [Audit policy] Windows audit policy registry configuration
  27. 2012.07.26 Full Dev Installation for Volatility 2.0
  28. 2012.06.13 [Tool] Recovery tools for ICQ messages, Opera/Firefox/Chrome history and Skype messages
  29. 2012.05.03 [Volatility] Extracting executables from a memory dump
  30. 2012.04.17 carving malware from live memory

Volume Shadow Copy Service analysis

ⓔ Forensic 2016.05.31 21:49

CEIC_2014-Examining_Volume_Shadow_Copies-The_Easy_Way.pdf

 

Other posts in 'ⓔ Forensic'

Volume Shadow Copy Service analysis  (0) 2016.05.31
MAC Forensic  (0) 2016.04.25
Windows 10 Forensics  (0) 2016.04.20
Windows Logon Forensics  (0) 2016.03.18
log2timeline for Windows  (0) 2016.02.23
20 digital forensic investigation tools  (0) 2015.08.28
Trackbacks 0 : Comments 0


MAC Forensic

ⓔ Forensic 2016.04.25 16:51
Source: https://digital-forensics.sans.org/summit-archives/2012/analysis-and-correlation-of-macintosh-logs.pdf




Windows 10 Forensics

ⓔ Forensic 2016.04.20 09:43

Source: http://www.champlain.edu/Documents/LCDI/Windows%2010%20Forensics.pdf

 

 

Windows 10 Forensics.pdf

 



Windows Logon Forensics

ⓔ Forensic 2016.03.18 17:43

http://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132

 

 

windows-logon-forensics-34132.pdf

 



log2timeline for Windows

ⓔ Forensic 2016.02.23 15:57

https://e366e647f8637dd31e0a13f75e5469341a9ab0ee.googledrive.com/host/0B30H7z4S52FleW5vUHBnblJfcjg/1.4.0/



20 digital forensic investigation tools

ⓔ Forensic 2015.08.28 15:06

http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/

 

 

01 SANS SIFT

The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu based Live CD which includes all the tools you need to conduct an in-depth forensic or incident response investigation. It supports analysis of Expert Witness Format (E01), Advanced Forensic Format (AFF), and RAW (dd) evidence formats. SIFT includes tools such as log2timeline for generating a timeline from system logs, Scalpel for data file carving, Rifiuti for examining the recycle bin, and lots more.

When you first boot into the SIFT environment, I suggest you explore the documentation on the desktop to help you become accustomed to what tools are available and how to use them. There is also a good explanation of where to find evidence on a system. Use the top menu bar to open a tool, or launch it manually from a terminal window.

02 ProDiscover Basic

ProDiscover Basic is a simple digital forensic investigation tool that allows you to image, analyse and report on evidence found on a drive. Once you add a forensic image you can view the data by content or by looking at the clusters that hold the data. You can also search for data using the Search node based on the criteria you specify.

When you launch ProDiscover Basic you first need to create or load a project and add evidence from the ‘Add’ node. You can then use the ‘Content View’ or ‘Cluster View’ nodes to analyse the data and the Tools menu to perform actions against the data. Click the ‘Report’ node to view important information about the project.

03 Volatility

Volatility is a memory forensics framework for incident response and malware analysis that allows you to extract digital artefacts from volatile memory (RAM) dumps. Using Volatility you can extract information about running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, and more.

If you are using the standalone Windows executable version of Volatility, place volatility-2.1.standalone.exe into a folder, open a command prompt, change to that folder and run:

volatility-2.1.standalone.exe -f <FILENAME> --profile=<PROFILENAME> <PLUGINNAME>

FILENAME is the memory dump you wish to analyse, PROFILENAME is the Volatility profile matching the operating system and service pack the dump was taken from (for example Win7SP1x86; if you are not sure, run the imageinfo plugin first and it will suggest candidates), and PLUGINNAME is the plugin that extracts the information you want. Note the option spelling: -f takes a single dash and --profile= takes two.

Note: the screenshot that accompanied this section used the 'connscan' plugin, which scans the physical memory dump for TCP connection structures. Because it carves the structures rather than walking the live list, it can also surface terminated connections. connscan is for Windows XP/2003 dumps; for Vista and later use netscan.

04 The Sleuth Kit (+Autopsy)

The Sleuth Kit is an open source digital forensics toolkit that can be used to perform in-depth analysis of various file systems. Autopsy is essentially a GUI that sits on top of The Sleuth Kit. It comes with features like Timeline Analysis, Hash Filtering, File System Analysis and Keyword Searching out of the box, with the ability to add other modules for extended functionality.

Note: The Sleuth Kit command-line tools run on Linux (and other Unix-like systems); Autopsy, as described here, is the Windows GUI build.

When you launch Autopsy, you can choose to create a new case or load an existing one. If you choose to create a new case you will need to load a forensic image or a local disk to start your analysis. Once the analysis process is complete, use the nodes on the left hand pane to choose which results to view.

05 FTK Imager

FTK Imager is a data preview and imaging tool that allows you to examine files and folders on local hard drives, network drives, CDs/DVDs, and review the content of forensic images or memory dumps. Using FTK Imager you can also create SHA1 or MD5 hashes of files, export files and folders from forensic images to disk, review and recover files that were deleted from the Recycle Bin (providing that their data blocks haven’t been overwritten), and mount a forensic image to view its contents in Windows Explorer.

Note: There is a portable version of FTK Imager that will allow you to run it from a USB disk.

When you launch FTK Imager, go to ‘File > Add Evidence Item…’ to load a piece of evidence for review. To create a forensic image, go to ‘File > Create Disk Image…’ and choose which source you wish to forensically image.

06 Linux ‘dd’

dd comes by default on the majority of Linux distributions available today (e.g. Ubuntu, Fedora). This tool can be used for various digital forensic tasks such as forensically wiping a drive (zero-ing out a drive) and creating a raw image of a drive.

Note: dd is a very powerful tool that can have devastating effects if not used with care. It is recommended that you experiment in a safe environment before using this tool in the real world.

Tip: A modified version of dd is available from http://sourceforge.net/projects/dc3dd/ – dc3dd includes additional features that were added specifically for digital forensic acquisition tasks.

To use dd, open a terminal window and type dd followed by a set of parameters (which parameters depend on what you want to do). The basic dd syntax for wiping a drive is:

dd if=/dev/zero of=/dev/sdb1 bs=1024

where if = input file, of = output file, bs = block size (the number of bytes read and written per operation, not the total amount to write)

Note: Replace /dev/sdb1 with the device you want to wipe and 1024 with the block size you want to use. /dev/sdb1 is the first partition on the second disk; to wipe the whole disk, including the partition table and any space outside the partitions, use /dev/sdb. Check the device name with lsblk or fdisk -l before you press Enter, because dd asks for no confirmation.

The basic dd syntax for creating a forensic image of a drive is:

dd if=/dev/sdb1 of=/home/andrew/newimage.dd bs=512 conv=noerror,sync

where if = input file (here the source device), of = output file, bs = block size, conv = conversion options. noerror tells dd to carry on after a read error instead of stopping, and sync pads every short or unreadable block with zeros so that offsets in the image still line up with offsets on the source. The padding is one whole block per failed read, so keep bs small (512, the sector size) when you expect bad sectors; with bs=1M a single bad sector would become a megabyte of zeros. As with wiping, /dev/sdb1 images only that partition and /dev/sdb images the whole disk. Hash the finished image (for example with sha256sum) and record the value in the case notes: plain dd does not do this for you, which is one reason dc3dd and dcfldd exist.

Tip: For additional usage info, type "man dd" in a terminal window to bring up the manual page for the dd command.
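What conv=noerror,sync and on-the-fly hashing actually do is easier to see in code than in a man page. The following is an added example, not part of the GFI article and not code from dd or dcfldd: it copies a source block by block, replaces every unreadable block with zeros so later offsets do not shift, pads the final short block, and hashes the bytes written as it goes, then re-hashes the finished image to confirm it was written intact. The "device" is a temporary file standing in for /dev/sdb, and read errors are simulated through a constructed set of bad block indexes; on real media read() raises the OSError itself.

```python
import hashlib
import os
import tempfile


def image_device(src_path, dst_path, bs=512, bad_blocks=frozenset()):
    """Copy src_path to dst_path block by block, like dd conv=noerror,sync.

    A block whose read fails is not dropped (that would shift every later
    offset in the image) but replaced by bs zero bytes, and a short final
    block is padded to bs as well. MD5 and SHA-256 are computed over the
    bytes written while copying, as dcfldd does with hash=md5,sha256.

    bad_blocks is a constructed set of block indexes treated as I/O errors,
    standing in for failing sectors. Returns (md5_hex, sha256_hex, read_errors).
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    read_errors = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        src.seek(0, os.SEEK_END)          # works on block devices too,
        size = src.tell()                 # unlike os.path.getsize()
        nblocks = -(-size // bs)          # ceiling division
        for index in range(nblocks):
            try:
                if index in bad_blocks:
                    raise OSError("simulated read error")
                src.seek(index * bs)      # explicit seek: a failed read must
                chunk = src.read(bs)      # not leave the position undefined
            except OSError:
                chunk = b""
                read_errors += 1
            chunk = chunk.ljust(bs, b"\x00")   # noerror,sync padding
            dst.write(chunk)
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest(), read_errors


def verify_image(dst_path, expected_sha256):
    """Re-read the finished image and compare with the acquisition-time hash."""
    h = hashlib.sha256()
    with open(dst_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256


def demo():
    """Constructed run: a 2564-byte 'disk' (5 full sectors plus 4 bytes) with
    sector 2 unreadable, imaged with bs=512."""
    pattern = bytes(range(256)) * 10 + b"tail"
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sdb")
        dst = os.path.join(tmp, "sdb.dd")
        with open(src, "wb") as f:
            f.write(pattern)
        md5, sha256, read_errors = image_device(src, dst, bs=512, bad_blocks={2})
        with open(dst, "rb") as f:
            img = f.read()
        return {
            "image_size": len(img),                       # 6 blocks = 3072 bytes
            "read_errors": read_errors,                   # the one bad sector
            "verified": verify_image(dst, sha256),
            "bad_block_zeroed": img[1024:1536] == b"\x00" * 512,
            "next_block_intact": img[1536:2048] == pattern[1536:2048],
            "tail_padded": img[2560:] == b"tail" + b"\x00" * 508,
            "md5": md5,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check worth copying into a real acquisition script is the last one: hash during the copy, hash the output again afterwards, and refuse to proceed if the two differ.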

07 CAINE

CAINE (Computer Aided INvestigative Environment) is a Linux Live CD that contains a wealth of digital forensic tools. Features include a user-friendly GUI, semi-automated report creation and tools for Mobile Forensics, Network Forensics, Data Recovery and more.

When you boot into the CAINE Linux environment, you can launch the digital forensic tools from the CAINE interface (shortcut on the desktop) or from each tool’s shortcut in the ‘Forensic Tools’ folder on the applications menu bar.

08 Oxygen Forensic Suite 2013 Standard

If you are investigating a case that requires you to gather evidence from a mobile phone to support your case, Oxygen Forensics Suite (Standard Edition) is a tool that will help you achieve this. Features include the ability to gather Device Information (Manufacturer, OS Platform, IMEI, Serial Number, etc.), Contacts, Messages (Emails, SMS, MMS, etc.) and recovery of deleted messages, Call Logs, and Calendar and Task information. It also comes with a file browser which allows you to access and analyse user photos, videos, documents and device databases.

When you launch Oxygen Forensic Suite, hit the ‘Connect new device’ button on the top menu bar to launch the Oxygen Forensic Extractor wizard that guides you through selecting the device and type of information you wish to extract.

09 Free Hex Editor Neo

Free Hex Editor Neo is a basic hex editor that was designed to handle very large files. While a lot of the additional features are found in the commercial versions of Hex Editor Neo, I find this tool useful for loading large files (e.g. database files or forensic images) and performing actions such as manual data carving, low-level file editing, information gathering, or searching for hidden data.

Use ‘File > Open’ to load a file into Hex Editor Neo. The data will appear in the middle window where you can begin to navigate through the hex manually or press CTRL + F to run a search.

10 Bulk Extractor

bulk_extractor is a computer forensics tool that scans a disk image, file, or directory of files and extracts information such as credit card numbers, domains, e-mail addresses, URLs, and ZIP files. The extracted information is output to a series of text files (which can be reviewed manually or analysed using other forensics tools or scripts).

Tip: Within the output text files you will find entries for data that resemble a credit card number, e-mail address, domain name, etc. You will also see a decimal value in the first column of the text file that, when converted to hex, can be used as the pointer on disk where the entry was found (i.e. if you were analysing the disk manually using a hex editor for example, you would jump to this hexadecimal value to view the data).

Bulk_extractor comes as a command-line tool or a GUI tool. In the example above I set the bulk extractor tool to extract information from a forensics image I took earlier and output the results to a folder called “BE_Output”. The results can then be viewed in the Bulk Extractor Viewer and the output text files mentioned above.
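The tip above (take the decimal value in the first column, convert it to hex, jump there in a hex editor) is easy to script, and scripting it also shows the one case where it does not work. The following is an added example, not from the article and not part of bulk_extractor: it reads a feature file in bulk_extractor's email.txt layout (tab-separated forensic path, feature, context), seeks to each direct offset in the image and confirms the feature bytes are really there. Compound forensic paths such as 200-ZIP-12 mark data found inside a compressed member; their offset is relative to the decompressed stream, not the raw image, so they are reported as not directly seekable. Both the image bytes and the feature lines are constructed for the example.

```python
import io
import re

# Constructed "disk image": two e-mail addresses at known byte offsets
# (50 and 100), surrounded by filler.
IMAGE = (b"\x00" * 41
         + b"contact: alice@example.org, sales "
         + b"\xff" * 20
         + b"mail bob@example.net now"
         + b"\x00" * 16)

# Constructed feature file in bulk_extractor's email.txt layout:
# comment header, then <forensic path>\t<feature>\t<context> per line.
EMAIL_TXT = "\n".join([
    "# BANNER FILE NOT PROVIDED (-b option)",
    "# BULK_EXTRACTOR-Version: 1.5.5",
    "# Feature-Recorder: email",
    "50\talice@example.org\tcontact: alice@example.org, sales",
    "100\tbob@example.net\tmail bob@example.net now",
    "200-ZIP-12\tcarol@example.com\t(inside a zip member)",
])

DIRECT_OFFSET = re.compile(r"^\d+$")


def parse_feature_file(text):
    """Yield (forensic_path, feature, context) from a feature file."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        path, feature = fields[0], fields[1]
        context = fields[2] if len(fields) > 2 else ""
        yield path, feature, context


def locate(image, path, feature):
    """Seek to a direct offset in the image and confirm the feature is there.

    Returns the decimal and hex offset (the hex value is what goes into a
    hex editor's goto box) and whether the bytes on disk match the feature.
    Returns None for compound paths such as 200-ZIP-12, whose offset refers
    to the decompressed member and cannot be used on the raw image.
    """
    if not DIRECT_OFFSET.match(path):
        return None
    offset = int(path)
    image.seek(offset)
    on_disk = image.read(len(feature.encode()))
    return {"offset": offset, "hex": hex(offset), "bytes": on_disk,
            "confirmed": on_disk == feature.encode()}


def check_features(image, feature_text):
    """Cross-check every feature-file hit against the image it came from."""
    return [(path, feature, locate(image, path, feature))
            for path, feature, _context in parse_feature_file(feature_text)]


def check_sample():
    """Run the check over the constructed image; open a real image with open(path, 'rb')."""
    return check_features(io.BytesIO(IMAGE), EMAIL_TXT)


if __name__ == "__main__":
    for path, feature, hit in check_sample():
        if hit is None:
            print(f"{path}: {feature} is inside compressed data, not seekable in the raw image")
        else:
            print(f"{path} ({hit['hex']}): {feature} confirmed={hit['confirmed']}")
```

A hit that is not confirmed usually means the feature file and the image do not belong together (wrong image, or a re-acquired one), which is worth knowing before anything from the feature files goes into a report.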

11 DEFT

DEFT is another Linux Live CD which bundles some of the most popular free and open source computer forensic tools available. It aims to help with Incident Response, Cyber Intelligence and Computer Forensics scenarios. Amongst others, it contains tools for Mobile Forensics, Network Forensics, Data Recovery, and Hashing.

When you boot using DEFT, you are asked whether you wish to load the live environment or install DEFT to disk. If you load the live environment you can use the shortcuts on the application menu bar to launch the required tools.

12 Xplico

Xplico is an open source Network Forensic Analysis Tool (NFAT) that aims to extract applications data from internet traffic (e.g. Xplico can extract an e-mail message from POP, IMAP or SMTP traffic). Features include support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP), TCP reassembly, and the ability to output data to a MySQL or SQLite database, amongst others.

Once you’ve installed Xplico, access the web interface by navigating to http://<IPADDRESS>:9876 and logging in with a normal user account. The first thing you need to do is create a case and add a new session. When you create a new session you can either load a PCAP file (acquired from Wireshark for example) or start a live capture. Once the session has finished decoding, use the navigation menu on the left hand side to view the results.

13 LastActivityView

I briefly touched on LastActivityView when pointing out the NirSoft suite of tools in my Top 10 Free System Troubleshooting Tools for SysAdmins article. LastActivityView allows you to view what actions were taken by a user and what events occurred on the machine. Any activities such as running an executable file, opening a file/folder from Explorer, an application or system crash or a user performing a software installation will be logged. The information can be exported to a CSV / XML / HTML file. This tool is useful when you need to prove that a user (or account) performed an action he or she said they didn’t.

When you launch LastActivityView, it will immediately start displaying a list of actions taken on the machine it is being run on. Sort by action time or use the search button to start investigating what actions were taken on the machine.

14 Digital Forensic Framework

The Digital Forensics Framework (DFF) is a digital forensic investigation tool and a development platform that allows you to collect, preserve and reveal digital evidence. Amongst others, DFF’s features include the ability to read RAW, EWF and AFF forensic file formats, access local and remote devices, analyse registry, mailbox and file system data and recover hidden and deleted files.

When you launch DFF, you first need to load an evidence file (i.e. a forensic image you acquired previously) or open a device ready for analysis. You can then process the evidence file or device against one of the in-built modules to begin analysing data.

15 Mandiant RedLine

RedLine offers the ability to perform memory and file analysis of a specific host. It collects information about running processes and drivers from memory, and gathers file system metadata, registry data, event logs, network information, services, tasks, and Internet history to help build an overall threat assessment profile.

When you launch RedLine, you will be given a choice to Collect Data or Analyze Data. Unless you already have a memory dump file available, you’ll need to create a collector to gather data from the machine and let that process run through to completion. Once you have a memory dump file to hand you can begin your analysis.

16 PlainSight

PlainSight is a Live CD based on Knoppix (a Linux distribution) that allows you to perform digital forensic tasks such as viewing internet histories, data carving, USB device usage information gathering, examining physical memory dumps, extracting password hashes, and more.

When you boot into PlainSight, a window pops up asking you to select whether you want to perform a scan, load a file or run the wizard. Enter a selection to begin the data extraction and analysis process.

17 HxD

HxD is one of my personal favourites. It is a user-friendly hex editor that allows you to perform low-level editing and modifying of a raw disk or main memory (RAM). HxD was designed with ease of use and performance in mind and can handle large files without issue. Features include searching and replacing, exporting, checksums/digests, an in-built file shredder, concatenation or splitting of files, generation of statistics and more.

From the HxD interface start your analysis by opening a file from ‘File > Open’, loading a disk from ‘Extras > Open disk…’ or loading a RAM process from ‘Extras > Open RAM…’.

18 HELIX3 Free

HELIX3 is a Live CD based on Linux that was built to be used in Incident Response, Computer Forensics and E-Discovery scenarios. It is packed with a bunch of open source tools ranging from hex editors to data carving software to password cracking utilities, and more.

Note: The HELIX3 version you need is 2009R1. This version was the last free version available before HELIX was taken over by a commercial vendor. HELIX3 2009R1 is still valid today and makes for a useful addition to your digital forensics toolkit.

When you boot using HELIX3, you are asked whether you want to load the GUI environment or install HELIX3 to disk. If you choose to load the GUI environment directly (recommended), a Linux-based screen will appear giving you the option to run the graphical version of the bundled tools.

19 NetSleuth

NetSleuth is a network forensics analysis tool that identifies devices on your network. It operates in ‘live’ mode (where it will actively capture network packets and interpret device information) or in ‘offline’ mode where it will process a PCAP file that you import.

Note: At the time of writing, NetSleuth is in BETA. It is not recommended that you run this in a production environment. It made this list because it promises to be a handy addition to your forensic toolkit. The author of this tool is currently asking for feedback from the community so now is your chance to contribute!

When you launch NetSleuth, you can either initiate a ‘live’ analysis from the Live Capture tab, or load a PCAP file from the Offline Analysis tab. Once NetSleuth has identified at least one device, you can double click on it to open the Device Information window.

20 P2 eXplorer Free

P2 eXplorer is a forensic image mounting tool that allows you to mount a forensic image as a physical disk and view the contents of that image in Windows Explorer or load it into an external forensic analysis tool. P2 eXplorer supports images in RAW, DD, IMG, EX01, SMART and SafeBack format, amongst others.

When you launch P2 eXplorer, choose an available drive letter to mount the image to and click ‘File > Mount Image…’ to choose the image to mount. Once the image has been mounted, double click on the associated drive letter to view the contents of that image in Windows Explorer.

Tip: In Top 20 Free Disk Tools for SysAdmins I mentioned another image mounting tool called OSFMount. OSFMount is very similar to P2 eXplorer but also supports the mounting of VMware files and the creation of RAM disks. Part of the OSFMount family is a digital forensics suite called OSForensics; the freeware version of this application is available for personal, educational or home use to allow you to experiment and become acquainted with digital forensics concepts.



Image file forensic tool - exiftool

ⓔ Forensic 2015.08.28 14:36

exiftool download: http://sourceforge.net/projects/exiftool/

Command to dump the metadata of many files as CSV: exiftool.exe -u [file path] -csv > [output path]

-u also extracts unknown tags. Give a directory as the path to process every file in it, and add -r to recurse into subdirectories; the CSV then has one row per file and one column per tag seen in any of them.



index.dat analyzer

ⓔ Forensic 2014.10.23 13:39

http://www.systenance.com/download/indexdat-setup.exe

 

 

 



ntfs-log-tracker

ⓔ Forensic 2014.10.23 13:37

http://code.google.com/p/ntfs-log-tracker/downloads/list

 

 

 



[Prefetch] Viewer & Parser

ⓔ Forensic 2014.10.23 10:20

 

Attachments: parse_prefetch_info_v1.4.zip, pf32.v.1.05.win.zip, pf64.v.1.05.win.zip, winprefetchview-x64.zip, winprefetchview.zip

 

 

 

1. WinPrefetchview

http://www.nirsoft.net/utils/win_prefetch_view.html

 

Command-Line Options

/folder <Folder> Start WinPrefetchView with Prefetch folder from another instance of Windows operating system.
/prefetchfile <Filename> You can use this command-line parameter with the other save commands (/shtml, /stab, and so on) in order to export the records of specific .pf file into text/html/csv file, for example:
WinPrefetchView.exe /shtml "C:\temp\records.html" /prefetchfile "C:\windows\Prefetch\NTOSBOOT-B00DFAAD.pf"

 

/stext <Filename> Save the list of Prefetch files into a regular text file.
/stab <Filename> Save the list of Prefetch files into a tab-delimited text file.
/scomma <Filename> Save the list of Prefetch files into a comma-delimited text file (csv).
/stabular <Filename> Save the list of Prefetch files into a tabular text file.
/shtml <Filename> Save the list of Prefetch files into HTML file (Horizontal).
/sverhtml <Filename> Save the list of Prefetch files into HTML file (Vertical).
/sxml <Filename> Save the list of Prefetch files into XML file.
/sort <column> This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "File Size" and "Filename". You can specify the '~' prefix character (e.g: "~Created Time") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns.

Examples:
WinPrefetchView.exe /shtml "f:\temp\Prefetch.html" /sort 2 /sort ~1
WinPrefetchView.exe /shtml "f:\temp\Prefetch.html" /sort "~Modified Time"

/nosort When you specify this command-line option, the list will be saved without any sorting.

 

 

2. Parser

[pf]

https://tzworks.net/prototype_page.php?proto_id=1

 

[Prefetch Parser info 1.4]

 http://digital-forensics.sans.org/blog/2010/02/12/prefetch-parser-v1-4/
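The viewers and parsers above all read the same handful of header fields, and knowing where they sit is what lets you sanity-check a tool's output. The following is an added example, not part of this post or of any of the tools listed: a parser for the .pf header of the XP (version 17), Vista/7 (version 23) and Windows 8 (version 26) formats that returns the executable name, the prefetch hash, the last run time(s), the run count and the list of files loaded at start-up. The field offsets are the ones documented for those versions; Windows 10 files are MAM-compressed and must be decompressed before this applies. The sample file is constructed in build_sample_prefetch with made-up values.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> (offset of last-run FILETIME(s), offset of run count, number of timestamps)
LAYOUT = {
    17: (0x78, 0x90, 1),   # Windows XP / Server 2003
    23: (0x80, 0x98, 1),   # Windows Vista / 7
    26: (0x80, 0xD0, 8),   # Windows 8.x keeps the last eight run times
}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("no SCCA signature: not a prefetch file, or a Windows 10 "
                         "file that is still MAM-compressed (decompress it first)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    # 60 bytes of UTF-16LE executable name at 0x10, NUL padded
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (prefetch_hash,) = struct.unpack_from("<I", data, 76)
    # file-information section: filename-strings offset/size sit at 0x64/0x68
    strings_off, strings_size = struct.unpack_from("<II", data, 0x64)
    last_run_off, count_off, n_times = LAYOUT[version]
    filetimes = struct.unpack_from(f"<{n_times}Q", data, last_run_off)
    last_runs = [filetime_to_datetime(ft) for ft in filetimes if ft]   # unused slots are 0
    (run_count,) = struct.unpack_from("<I", data, count_off)
    blob = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    loaded_files = [s for s in blob.split("\x00") if s]
    return {
        "version": version,
        "file_size": file_size,
        "executable": exe_name,
        "prefetch_hash": f"{prefetch_hash:08X}",   # should equal the hash in the .pf filename
        "last_runs": last_runs,
        "run_count": run_count,
        "loaded_files": loaded_files,
    }


def build_sample_prefetch():
    """Constructed version-23 (Vista/7) .pf file; every value is made up for the example."""
    files = [
        "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
        "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CALC.EXE",
    ]
    strings_blob = ("\x00".join(files) + "\x00").encode("utf-16-le")
    strings_off = 0x100
    buf = bytearray(strings_off + len(strings_blob))
    struct.pack_into("<I4sII", buf, 0, 23, b"SCCA", 0x11, len(buf))
    name = "CALC.EXE".encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, 0x77FDF17C)
    struct.pack_into("<II", buf, 0x64, strings_off, len(strings_blob))
    last_run = datetime(2016, 4, 25, 12, 34, 56, tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x98, 7)
    buf[strings_off:] = strings_blob
    return bytes(buf)


if __name__ == "__main__":
    info = parse_prefetch(build_sample_prefetch())
    for key, value in info.items():
        print(f"{key}: {value}")
```

Two checks fall out of the parsed fields: the hash in the header must match the hash in the file name (a mismatch means the file was renamed or planted), and the loaded-files list shows which DLLs the executable pulled in on its first seconds of execution, which is what makes Prefetch useful for spotting side-loaded libraries.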

 

 



BrowsingHistoryView for collecting internet history on Windows 7 and later

ⓔ Forensic 2014.04.28 10:50

Use this tool when IEHV (IEHistoryView) does not pull the history correctly on Windows 7 or later. From IE10 onwards the history lives in WebCacheV01.dat, an ESE database, rather than in index.dat, which is why the older index.dat tools come back empty on those systems.

Supports command-line options (listed below), so it can be scripted as part of a collection.

 

http://www.nirsoft.net/utils/browsing_history_view.html

 

 

Command-Line Options
====================

 

/stext <Filename>
Save the browsing history into a regular text file.

/stab <Filename>
Save the browsing history into a tab-delimited text file.

/scomma <Filename>
Save the browsing history into a comma-delimited text file (csv).

/stabular <Filename>
Save the browsing history into a tabular text file.

/shtml <Filename>
Save the browsing history into HTML file (Horizontal).

/sverhtml <Filename>
Save the browsing history into HTML file (Vertical).

/sxml <Filename>
Save the browsing history into XML file.

/sort <column>
This command-line option can be used with other save options for sorting
by the desired column. If you don't specify this option, the list is
sorted according to the last sort that you made from the user interface.
The <column> parameter can specify the column index (0 for the first
column, 1 for the second column, and so on) or the name of the column,
like "Title" and "URL". You can specify the '~' prefix character (e.g:
"~Visit Time") if you want to sort in descending order. You can put
multiple /sort in the command-line if you want to sort by multiple
columns.

Examples:
BrowsingHistoryView.exe /shtml "f:\temp\history.html" /sort 2 /sort ~1
BrowsingHistoryView.exe /shtml "f:\temp\history.html" /sort "URL" /sort "Visit Time"

/nosort
When you specify this command-line option, the list will be saved without
any sorting.

/SaveDirect
Save the browsing history in SaveDirect mode. For using with the other
save command-line options ( /scomma, /stab, /sxml, and so on...) When you
use the SaveDirect mode, the history lines are saved directly to the
disk, without loading them into the memory first. This means that you can
save a list with large amount of history lines into your disk without any
memory problem, as long as you have enough disk space to store the saved
file. The drawback of this mode: You cannot sort the lines according to
the column you choose with /sort command-line option.

/HistorySource <Source>
Specifies the type of history data source:
* 1 - Load history from the current running system (All users).
* 2 - Load history from the current running system (Only current user).
* 3 - Load history from the specified profiles folder
  (/HistorySourceFolder command-line parameter).
* 4 - Load history from the specified profile (/HistorySourceFolder
  command-line parameter).


/HistorySourceFolder <Folder>
Specifies the folder path if /HistorySource is 3 or 4.

/VisitTimeFilterType <Filter Type>
Specifies the type of date/time filter:
* 1 - Load history from any date/time.
* 2 - Load history from the last xx hours (xx specified in
  /VisitTimeFilterValue)
* 3 - Load history from the last xx days (xx specified in
  /VisitTimeFilterValue)
* 4 - Load history from the specified date/time range (The time range
  is specified in /VisitTimeFrom and /VisitTimeTo)


/VisitTimeFilterValue <Filter Value>
Specifies the filter value when /VisitTimeFilterType is 2 or 3

/VisitTimeFrom <Time>
/VisitTimeTo <Time>
Specifies the date/time range when /VisitTimeFilterType is 4. date/time
value must be in the following format: dd-mm-yyyy hh:nn:ss

For example:
BrowsingHistoryView.exe /VisitTimeFrom "10-01-2012 12:00:00" /VisitTimeTo "18-02-2012 10:00:00"

/LoadIE <0 | 1>
/LoadFirefox <0 | 1>
/LoadChrome <0 | 1>
/LoadSafari <0 | 1>

Specifies whether to load the history of IE/Firefox/Chrome/Safari Web
browser. 0 = Don't load, 1 = Load.

Here are some command-line examples:
BrowsingHistoryView.exe /HistorySource 4 /HistorySourceFolder "H:\Documents and Settings\User01" /stab "c:\temp\history.txt"
BrowsingHistoryView.exe /HistorySource 3 /HistorySourceFolder "G:\Documents and Settings" /VisitTimeFilterType 3 /VisitTimeFilterValue 10 /scomma "c:\temp\history.csv"
BrowsingHistoryView.exe /HistorySource 1 /LoadIE 1 /LoadFirefox 0 /LoadChrome 0 /LoadSafari 0 /shtml "c:\temp\history.html"
BrowsingHistoryView.exe /HistorySource 2 /VisitTimeFilterType 4 /VisitTimeFrom "01-01-2011 00:00:00" /VisitTimeTo "01-01-2012 00:00:00" /stab "c:\temp\history.txt"
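The /LoadChrome and /LoadFirefox options hide the part that matters when you have to do this without the tool (a mounted image, a Linux workstation): each browser stores visit times in a different epoch. The following is an added example, not part of the post and not NirSoft's code: it reads Chrome's History database (urls and visits tables, time in microseconds since 1601-01-01, "WebKit time") and Firefox's places.sqlite (moz_places and moz_historyvisits, time in microseconds since 1970-01-01, "PRTime"), converts both to UTC and merges them into one sorted timeline with an optional "since" filter that mirrors /VisitTimeFilterType. The table subsets and the visits are constructed in memory for the example. Work on copies of the real files: the live databases are locked while the browser is running.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome: microseconds since 1601
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)     # Firefox: microseconds since 1970


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def prtime_to_datetime(us):
    return UNIX_EPOCH + timedelta(microseconds=us)


def chrome_visits(conn):
    """Every visit from a Chrome 'History' database (tables urls, visits)."""
    rows = conn.execute(
        "SELECT v.visit_time, u.url, u.title FROM visits v JOIN urls u ON u.id = v.url")
    return [(webkit_to_datetime(t), "chrome", url, title) for t, url, title in rows]


def firefox_visits(conn):
    """Every visit from a Firefox 'places.sqlite' (moz_places, moz_historyvisits)."""
    rows = conn.execute(
        "SELECT h.visit_date, p.url, p.title FROM moz_historyvisits h "
        "JOIN moz_places p ON p.id = h.place_id")
    return [(prtime_to_datetime(t), "firefox", url, title) for t, url, title in rows]


def build_timeline(chrome_conn, firefox_conn, since=None):
    """Merged, time-sorted (time, browser, url, title) tuples, optionally from `since` on."""
    visits = chrome_visits(chrome_conn) + firefox_visits(firefox_conn)
    if since is not None:
        visits = [v for v in visits if v[0] >= since]
    return sorted(visits)


def build_sample_dbs():
    """Constructed in-memory copies of both databases, with made-up visits.
    Only the columns the queries above read are created."""
    def us_since(epoch, dt):
        return (dt - epoch) // timedelta(microseconds=1)

    chrome = sqlite3.connect(":memory:")
    chrome.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    chrome.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        (1, "https://intranet.example.org/login", "Login"),
        (2, "https://files.example.net/tool.exe", "tool.exe"),
    ])
    chrome.executemany("INSERT INTO visits VALUES (?, ?, ?)", [
        (1, 1, us_since(WEBKIT_EPOCH, datetime(2016, 4, 28, 9, 15, tzinfo=timezone.utc))),
        (2, 2, us_since(WEBKIT_EPOCH, datetime(2016, 4, 28, 9, 17, 30, tzinfo=timezone.utc))),
    ])

    firefox = sqlite3.connect(":memory:")
    firefox.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)
    firefox.execute("INSERT INTO moz_places VALUES (1, 'https://www.example.com/', 'Example')")
    firefox.execute("INSERT INTO moz_historyvisits VALUES (1, 1, ?)",
                    (us_since(UNIX_EPOCH, datetime(2016, 4, 27, 22, 0, tzinfo=timezone.utc)),))
    return chrome, firefox


def sample_timeline(since_iso=None):
    """Timeline over the constructed databases; since_iso is an ISO-8601 UTC string."""
    since = datetime.fromisoformat(since_iso) if since_iso else None
    return build_timeline(*build_sample_dbs(), since=since)


if __name__ == "__main__":
    for when, browser, url, title in sample_timeline():
        print(f"{when.isoformat()}  {browser:8}  {url}  ({title})")
```

Two details bite in practice: an unconverted Chrome value looks like a plausible but wrong Unix timestamp (off by 369 years), and Chrome's urls.last_visit_time only keeps the most recent visit per URL, so the per-visit history has to come from the visits table as above.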



EnCase Enterprise demo video

ⓔ Forensic 2014.02.21 09:52

http://video.guidancesoftware.com/services/player/bcpid855695060001?bckey=AQ~~,AAAAlw1hUBk~,irEp7d0uO14TYal9Cx7fxUjjVMeh-Sw6



Analysing $Recycle.Bin

ⓔ Forensic 2013.09.17 16:54

 

forensic-analysis-vista-recycle-bin.pdf

 

12-larson-windows7-foreniscs.pdf

 



Digital forensic case management - Lima

ⓔ Forensic 2013.08.01 18:36

Related article:

Lima wins SC Magazine "Best Buy" 2013 award for Digital Forensic Case Management

http://www.forensicfocus.com/News/article/sid=2068/

 

Vendor: http://www.intaforensics.com/

The importance of case management...



Introduction to memory dump analysis tools

ⓔ Forensic 2013.07.08 17:46

Tools for Analyzing Memory Dumps

At this time, no single forensic tool can extract all possible artifacts from a memory dump. Different tools are used to analyze chat remnants, lists of running processes or extract decryption keys for encrypted volumes mounted at the time of the capture. A brief list of such analysis tools is available below.

Belkasoft Evidence Center [ http://Belkasoft.com/ ]: remnants of conversations and communications occurring in social networks, chat rooms, multi-player online games, Skype; data from cloud services such as Flickr, Dropbox, SkyDrive, Google Drive etc.; communications in webmail systems such as Gmail, Hotmail, Yahoo; web browser and virtual world artifacts, and so on.

Elcomsoft Forensic Disk Decryptor [ http://elcomsoft.com/ ]: extracts the decryption keys protecting encrypted volumes (PGP, TrueCrypt, BitLocker and BitLocker To Go containers are supported), allowing investigators to access the content of these encrypted volumes immediately without brute-forcing the original volume password. All the keys in a memory dump are extracted at once, so if there is more than one crypto container on the system there is no need to re-process the memory dump.

Passware [ http://passware.com ]: forensic toolkit including tools for capturing memory dumps via a FireWire (DMA) attack. Also includes a tool to extract decryption keys for popular crypto containers.

 



[Wiping] Disk wipe with dcfldd

ⓔ Forensic 2013.03.25 14:52
https://www.anti-forensics.com/disk-wiping-with-dcfldd/

 

 

  • Hashing on-the-fly – dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
  • Status output – dcfldd can update the user on its progress in terms of the amount of data transferred and how much longer the operation will take.
  • Flexible disk wipes – dcfldd can be used to wipe disks quickly and with a known pattern if desired.
  • Image/wipe verify – dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
  • Multiple outputs – dcfldd can output to multiple files or disks at the same time.
  • Split output – dcfldd can split output to multiple files with more configurability than the split command.
  • Piped output and logs – dcfldd can send all its log data and output to commands as well as files natively.

     

    와이핑 명령(0으로 덮어쓰기)

    dcfldd if=/dev/sdb count=1 bs=512 | hexdump -C

    Trackbacks 0 : Comments 0

    Write a comment
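The hexdump command above checks only the first sector by eye. The following is an added example, not code from the post or from dcfldd: a stand-alone Python equivalent of dcfldd's "hashing on-the-fly" and "image/wipe verify" features that walks a whole image block by block, compares every byte against a repeating pattern, hashes the data in the same pass and reports the first offset that does not match. The block size of 512 follows the post's bs=512; the scratch image it wipes is a temporary file constructed inline, never a block device, and the overwrite routine deliberately works on regular files only.

```python
"""Zero-wipe verification with an on-the-fly hash (added example, not from the post).

dcfldd does this in one pass ("Hashing on-the-fly", "Image/wipe Verify"); this is a
stand-alone Python equivalent of the verification side, run against a temporary
file instead of a block device such as /dev/sdb.
"""
import hashlib
import io
import os
import tempfile

BLOCK_SIZE = 512  # sector size the post uses for its check (bs=512)


def scan_pattern(stream, pattern=b"\x00", block_size=BLOCK_SIZE, algo="sha256"):
    """Compare `stream` block by block against the repeating `pattern`,
    hashing every byte in the same pass.

    Returns (ok, first_mismatch_offset, hexdigest, bytes_read).
    """
    plen = len(pattern)
    # Enough repetitions that any phase (offset mod pattern length) fits one block.
    expected = pattern * (block_size // plen + 2)
    digest = hashlib.new(algo)
    total, first_bad = 0, None
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        digest.update(chunk)
        phase = total % plen                 # the pattern need not divide the block size
        want = expected[phase:phase + len(chunk)]
        if first_bad is None and chunk != want:
            first_bad = total + next(i for i, (g, w) in enumerate(zip(chunk, want)) if g != w)
        total += len(chunk)
    return first_bad is None, first_bad, digest.hexdigest(), total


def verify_bytes(data, pattern=b"\x00", **kw):
    """Convenience wrapper for in-memory data."""
    return scan_pattern(io.BytesIO(data), pattern, **kw)


def verify_file(path, pattern=b"\x00", **kw):
    with open(path, "rb") as fh:
        return scan_pattern(fh, pattern, **kw)


def overwrite_with_pattern(path, pattern=b"\x00", block_size=BLOCK_SIZE):
    """Overwrite a regular file in place with `pattern` and fsync it.
    Stands in for the dcfldd wipe step; it works on a file, not a device."""
    size = os.path.getsize(path)
    plen = len(pattern)
    filler = pattern * (block_size // plen + 2)
    with open(path, "r+b") as fh:
        done = 0
        while done < size:
            n = min(block_size, size - done)
            phase = done % plen
            fh.write(filler[phase:phase + n])
            done += n
        fh.flush()
        os.fsync(fh.fileno())
    return done


def demo(pattern=b"\x00", size=3 * 512 * 1024 + 17):
    """Create a scratch image with random content, wipe it, verify before and after.
    The odd size leaves a partial last block, a case the scan must handle."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(size))   # constructed sample content
        path = tmp.name
    try:
        before = verify_file(path, pattern)
        overwrite_with_pattern(path, pattern)
        after = verify_file(path, pattern)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before wipe:", "clean" if before[0] else "first non-zero byte at %d" % before[1])
    print("after wipe :", "clean" if after[0] else "first non-zero byte at %d" % after[1],
          "sha256=%s" % after[2], "bytes=%d" % after[3])
```

Keeping the hash and the comparison in one read pass matters on real media: reading a multi-terabyte drive twice doubles the time, and the recorded digest of the verified (all-zero) image is what goes into the sanitisation report.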


Mac Forensic Tools

ⓔ Forensic 2013.03.18 13:15

Lantern 2 – A Mac-based tool that analyzes the iPhone, iPod Touch, and the new iPad.

Lantern Lite – The free iOS imager for law enforcement

Mac Marshal – Excellent Mac triage tool (free to LE)

The Mac – The Mac itself is the best platform on which to conduct Mac exams.

dc3dd – A command-line binary to create images. A GUI version is also available for Mac.

Md5deep – A command-line binary to hash file(s)

FTK 3 – Up-and-coming forensic tool that supports the HFS+ file system

MacForensicsLab – Great utility for Mac-related exams, including all iOS devices

Show All Files – A free app from VersionTracker to show hidden files on Macs

Disk Arbitration – A cool tool to selectively mount and unmount devices from an easy-to-use GUI

Tool | Version | Vendor | Description
Disk Arbitrator | 0.4.2 | Aaron Burghardt | Blocks the mounting of file systems, complementing a write blocker by disabling disk arbitration
Epoch Converter* | Not listed | Blackbag Technologies | Converts epoch times to local time and UTC
FTK Imager CLI for Mac OS* | 3.1.1 | AccessData | Command-line Mac OS version of AccessData's FTK Imager
IORegInfo | Not listed | Blackbag Technologies | Lists items connected to the computer (e.g., SATA, USB and FireWire drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected
Mac Memory Reader | 3.0.2 | Cyber Marshal | Command-line utility to capture physical RAM from Mac OS systems
PMAP Info* | Not listed | Blackbag Technologies | Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors


Mac Disk Wiping

ⓔ Forensic 2013.03.18 12:10

Method: boot from the Mac installation CD and use the built-in Disk Utility.

http://www.mactip.net/how-to-securely-wipe-your-mac-hard-drive-before-selling-it/

http://support.apple.com/kb/HT1820


[TweakingRegistryBackup] Registry Hive File Collector

ⓔ Forensic 2012.12.07 17:24

Download: http://www.tweaking.com/content/page/registry_backup.html

1. GUI supported

2. CLI supported

 - supersilent (collects the registry hive files automatically without showing the GUI)

 - silent (the GUI is shown, but the registry hive files are collected automatically)

 - auto

3. setting.ini

 - edit its contents to specify the folder the files are collected into


[US-LATT] Portable Volatile Data Collector

ⓔ Forensic 2012.12.07 15:41

http://www.wetstonetech.com/product/us-latt/

  • Capture Memory
  • Catalog Running Processes
  • Snapshot Network Ports and Connections
  • Capture Screen Shots
  • Identify and Image Encrypted Volumes
  • Acquire Files
  • Acquire Skype Actions
  • Acquire Web Activity
  • Acquire e-mail Activity
  • Acquire User Actions
  • Acquire System Event Logs
  • Strong Authentication and Evidence Protection
  • On Scene and Lab analysis
  • All acquired data is in standard XML formats with supplied style sheets for web browsing based examination


[File Carving] Foremost

ⓔ Forensic 2012.11.10 16:46

Download: http://foremost.sourceforge.net/

Unpack the archive and run make foremost

foremost.exe is produced


Difficulty of Data Recovery Caused by the SSD TRIM Command

ⓔ Forensic 2012.10.30 10:26

Why SSD Drives Destroy Court Evidence, and What Can Be Done About It

Why do SSD drives destroy court evidence, and what makes them do so (is that right?..)

http://articles.forensicfocus.com/2012/10/23/why-ssd-drives-destroy-court-evidence-and-what-can-be-done-about-it/


Converting an EnCase E01 Image to DD

ⓔ Forensic 2012.10.11 12:12
http://kb.digital-detective.co.uk/display/BLADE1/Home


Extracting Data from Packet Capture Files Using Carving Techniques

ⓔ Forensic 2012.10.08 16:54

http://www.packetinside.com/2011_11_01_archive.html


Finding Malware Creation Time from the MFT FileName Information Attribute

ⓔ Forensic 2012.09.25 17:16

Some malware changes the MAC times of the additional files it creates, confusing the investigator about the time frame in which they were created.

Examine the MAC times in the FileName information attribute using the analyzeMFT tool.

The time can also be estimated from EnCase's Entry Modified time, but because that value changes whenever the file's information changes, it is hard to treat it as the exact time.
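The reason the FileName attribute is the better witness is that ordinary file-time APIs rewrite only $STANDARD_INFORMATION, while the kernel sets $FILE_NAME when a file is created, moved or renamed. The following is an added example, not code from the post and not analyzeMFT: it parses a raw MFT FILE record (applying the NTFS fixups first), pulls both timestamp sets, and flags the two classic signs of a backdated $STANDARD_INFORMATION. The two records it examines are constructed inline (the names, record numbers and times are invented), and the indicators are heuristics rather than proof, since copy tools that preserve timestamps can produce the same pattern.

```python
"""Compare $STANDARD_INFORMATION ($SI) with $FILE_NAME ($FN) timestamps in an
MFT FILE record. Added example, not from the post and independent of analyzeMFT.
User-mode APIs (SetFileTime) rewrite only $SI; the kernel sets $FN when a file
is created, moved or renamed, so a backdated $SI tends to precede $FN and often
has a zero sub-second part. The two sample records below are constructed."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")

def to_filetime(dt):
    """datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def apply_fixups(raw):
    """Undo the NTFS update sequence: on disk each 512-byte sector ends with the
    USN and the two original bytes are kept in the update sequence array."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d (torn or corrupt record)" % (i - 1))
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_record(raw):
    """Return record number, file name and the $SI / $FN timestamp sets."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    out = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0],
           "name": None, "si": None, "fn": None}
    off = struct.unpack_from("<H", rec, 0x14)[0]          # first attribute offset
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                              # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:         # four FILETIMEs at offset 0
                out["si"] = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", body, 0)))
            elif atype == ATTR_FILE_NAME:                  # four FILETIMEs after the parent ref
                out["fn"] = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", body, 8)))
                out["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        off += alen
    return out

def timestomp_indicators(parsed):
    """Heuristics, not proof: copy tools that preserve timestamps trip them too."""
    si, fn = parsed["si"], parsed["fn"]
    reasons = []
    if si["created"] < fn["created"]:
        reasons.append("$SI created precedes $FN created")
    if all(t % 10_000_000 == 0 for t in si.values()):
        reasons.append("$SI timestamps have a zero sub-second part")
    return reasons

# --- constructed sample records (not real evidence) ---------------------------
def _resident(atype, body):
    alen = (0x18 + len(body) + 7) & ~7                     # 8-byte aligned attribute
    hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
    return hdr + body + b"\x00" * (alen - 0x18 - len(body))

def build_mft_record(name, si_times, fn_times, record_number=0):
    """Build a 1024-byte in-use FILE record with on-disk fixups in place."""
    si = struct.pack("<4Q4I", *si_times, 0x20, 0, 0, 0)
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), *fn_times, 0, 0, 0x20, 0, len(name), 1)
    attrs = _resident(ATTR_STANDARD_INFORMATION, si)
    attrs += _resident(ATTR_FILE_NAME, fn + name.encode("utf-16-le"))
    attrs += struct.pack("<I", ATTR_END)
    rec = bytearray(1024)
    rec[:0x30] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                             0x38 + len(attrs), 1024, 0, 3, 0, record_number)
    rec[0x38:0x38 + len(attrs)] = attrs
    usn = b"\x03\x00"
    rec[0x30:0x36] = usn + rec[510:512] + rec[1022:1024]   # USN + saved sector ends
    rec[510:512] = rec[1022:1024] = usn                    # what the disk actually holds
    return bytes(rec)

REAL = to_filetime(datetime(2012, 9, 25, 17, 16, 3, 123456, tzinfo=timezone.utc)) + 7
STOMPED = to_filetime(datetime(2009, 3, 14, 12, 0, 0, tzinfo=timezone.utc))
SAMPLE_STOMPED = build_mft_record("evil.dll", (STOMPED,) * 4, (REAL,) * 4, 4242)
SAMPLE_BENIGN = build_mft_record("notes.txt", (REAL,) * 4, (REAL,) * 4, 4243)

if __name__ == "__main__":
    for raw in (SAMPLE_STOMPED, SAMPLE_BENIGN):
        p = parse_mft_record(raw)
        print(p["record_number"], p["name"], "SI", from_filetime(p["si"]["created"]),
              "FN", from_filetime(p["fn"]["created"]), timestomp_indicators(p) or "ok")
```

On a real $MFT the same parser runs over each 1024-byte record in turn; the fixup check is not optional, because a record whose sector ends do not carry the update sequence number is either torn or not a record at all, and its timestamps should not be trusted.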


[Audit Policy] Windows Audit Policy Registry Configuration

ⓔ Forensic 2012.09.10 20:42

Simply ticking Success and Failure in the Local Security Policy is not the whole story.

Looking in the registry, each audit category contains its own detailed audit settings.

Reference 1: http://technet.microsoft.com/en-us/library/dd349800(v=ws.10).aspx

Reference 2: http://support.microsoft.com/kb/977519

Figure source: http://www.kazamiya.net/files/PolAdtEv_Structure_en_rev2.pdf
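The practical consequence of the point above is that a defender should check the effective policy per subcategory, not the nine top-level checkboxes. The following is an added example, not from the post or from the linked PDF: instead of decoding the binary PolAdtEv value, it reads the CSV that `auditpol /get /category:* /r` prints on Windows, maps each subcategory to its success/failure flags, and lists the subcategories that fall short of a baseline. The CSV sample, the host name, the GUIDs (placeholders, not real subcategory GUIDs) and the baseline itself are all constructed and are assumptions to adjust.

```python
"""Per-subcategory audit policy check (added example, not from the post).

The Local Security Policy checkboxes show only the top-level categories; the
effective policy lives per subcategory. This parses the CSV produced by
`auditpol /get /category:* /r` and reports subcategories weaker than a baseline.
Everything below the imports is a constructed sample; GUIDs are placeholders.
"""
import csv
import io

# Constructed sample in auditpol's /r CSV layout (column names as auditpol emits them).
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,
WS01,System,Logoff,{00000000-0000-0000-0000-000000000002},Success,
WS01,System,Process Creation,{00000000-0000-0000-0000-000000000003},No Auditing,
WS01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000004},Success,
WS01,System,Security Group Management,{00000000-0000-0000-0000-000000000005},Failure,
"""

# Minimum flags wanted per subcategory (an assumed baseline, not a Microsoft default).
BASELINE = {
    "Logon": {"success", "failure"},
    "Logoff": {"success"},
    "Process Creation": {"success"},
    "Audit Policy Change": {"success", "failure"},
    "Security Group Management": {"success", "failure"},
}


def parse_inclusion(setting):
    """Map auditpol's wording ("No Auditing", "Success", "Failure",
    "Success and Failure") to a set of flags."""
    s = setting.strip().lower()
    if not s or s == "no auditing":
        return set()
    flags = set()
    if "success" in s:
        flags.add("success")
    if "failure" in s:
        flags.add("failure")
    return flags


def load_auditpol_csv(text):
    """Return {subcategory: flag set} from `auditpol /get /category:* /r` output."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["Subcategory"].strip(): parse_inclusion(r["Inclusion Setting"]) for r in rows}


def audit_gaps(policy, baseline=BASELINE):
    """List (subcategory, missing flags) where the effective policy is weaker
    than the baseline; a subcategory absent from the output counts as unaudited."""
    gaps = []
    for sub, wanted in baseline.items():
        missing = wanted - policy.get(sub, set())
        if missing:
            gaps.append((sub, sorted(missing)))
    return gaps


if __name__ == "__main__":
    effective = load_auditpol_csv(SAMPLE_AUDITPOL_CSV)
    for sub, missing in audit_gaps(effective):
        print("%-28s missing: %s" % (sub, ", ".join(missing)))
```

Run against real output, the check catches the case the post warns about: a category ticked in the GUI while one of its subcategories (here Process Creation) is still at "No Auditing".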


Full Dev Installation for Volatility 2.0

ⓔ Forensic 2012.07.26 22:24

A site describing how to install Volatility... (nice, but please make it support 64-bit~)

http://code.google.com/p/volatility/wiki/FullInstallation#Full_Dev_Installation_for_Volatility_2.0


[Tool] ICQ Message / Opera, Firefox, Chrome History / Skype Message Recovery Tools

ⓔ Forensic 2012.06.13 18:20

Source: http://www.myforensictools.co.uk/

The site above has built and posted tools with the following functions.

  • ICQ Message Recovery
  • Opera History Recovery
  • Cerberus (Firefox and Chrome History Recovery)
  • Skype Message Recovery


[Volatility] Extracting Executables from a Memory Dump

ⓔ Forensic 2012.05.03 12:11

Source: http://blog.basementpctech.com/2012/04/in-acquiring-memory-blog-list-of-tools.html

volatility.exe --profile=WinXPSP2x86 -f [덤프명] -p [PID] procexedump -D [저장경로]

([덤프명] = memory dump file, [PID] = ID of the process to dump, [저장경로] = output directory)


    carving malware from live memory

    ⓔ Forensic 2012.04.17 10:31

    http://lvdeijk.wordpress.com/2009/11/17/carving-malware-from-live-memory/
