When only one or two of these had come out, I assumed some nobody had built them and was handing them out. Recently I had a chance to hear the explanation in person, and it turns out these are no ordinary tools. They are a perfect fit for people who like command-line based tools; beginners who still prefer a GUI may have mixed feelings. During an analysis you often export lists such as metadata. You load them into Excel and analyze them with various filters, and Eric's tools make this convenient: filters, conditions and so on are easy to apply. The sorting feature is also very usable. All of the parsers, for Prefetch, compat, Jump Lists, MFT and so on, provide valuable information. He is said to work as a director at Kroll, and KAPE cannot be left out either; it makes collecting artifacts enormously convenient. Digi..
Even though it is old material, it is very useful. It lists the targets for forensic analysis by crime type, and should help a lot with developing analysis techniques. https://www.ncjrs.gov/pdffiles1/nij/187736.pdf Example) Computer Intrusion • Address books. • Configuration files. • E-mail/notes/letters. • Executable programs. • Internet activity logs. • Internet protocol (IP) address and user name. • Internet relay chat (IRC) logs. • Source code. • Text files (user names and passwords). Death Investi..
The GUI control panel is a long-standing feature of Microsoft Windows, facilitating granular changes to a vast collection of system features. It can be disabled via Group Policy but is largely available to most user accounts (administrative permissions are required for some changes). From a forensic perspective, we can audit control panel usage to identify a wide range of user activity: Firewall..
Acquisition for smartphone analysis, memory analysis, useful file paths and more have been produced in poster form and are being distributed. http://digital-forensics.sans.org/blog/2014/06/24/getting-the-most-out-of-smartphone-forensic-exams-sans-advanced-smartphone-forensics-poster-release SANS Advanced Smartphone Forensics Poster Release There is one certain thing in the DFIR field, and that is that there are far more facts, details and artifacts to remember than ..
http://www.dfinews.com/blogs/2014/07/live-response-vs-traditional-forensics?et_cid=4054166&et_rid=497220977&type=cta The term live response is being heard more and more frequently, but what exactly is it, and how does it differ from traditional forensics? Live response and traditional forensics have a lot in common in that they both are looking for similar artifacts on a system. The differentiator..
Reference Site http://resources.infosecinstitute.com/recycle-bin-forensics/ An icon on the Windows desktop represents a directory in which deleted files are temporarily stored. This enables you to retrieve files that you may have accidentally deleted. From time to time, you’ll want to purge the recycle bin to free up space on your hard disk. You can also configure Windows so that it doesn’t use ..
http://linuxsleuthing.blogspot.kr/2013/09/recovering-data-from-deleted-sqlite.html I’ve received many, many inquiries about recovering deleted records from SQLite databases ever since I posted an article about my first attempt to recover deleted data. Well, the hypothesis of checking the difference between the original database and a vacuumed copy seemed sound at the time and did in fact yield d..