포렌식 도구 모음 (Digital Forensics Tools)

디지털 포렌식 종합 분석 도구인 EnCase, FTK 등의 제품이 있지만 해당 제품이 모든 요구를 충족시켜 주는 것은 아니다. 파일시스템에 의한 파일 분류 기능, 해쉬 분석, 검색, 미리보기 등이 기능은 우수할지 몰라도 레지스트리, 프리패치, 인터넷 사용 흔적 등과 같은 기능은 지원하기는 하지만 분석하는데 큰 도움이 되지는 못한다. 이러한 기능들은 다른 도구를 통해 보완해야 할 것이다. 물론 EnCase가 NIST의 CFTT(Computer Forensic Tool Testing)를 받은 도구이고 법률적인 영향이 있기 때문에 최종적으로는 EnCase를 이용해 분석한 후 보고서를 작성하는 것이 바람직 할 것이다.

이번 포스팅에서는 종합 분석 도구의 한계를 보완할 수 있는 디지털 포렌식 도구들을 정리해보았다. 몇 년전에 비해 현재에는 각 데이터별로 수많은 도구들이 공개되었다. 하지만 직접 사용해보고 유용하다고 판단되는 도구들만 정리해보았다. 물론 도구들의 장단점이 있기 때문에 카테고리별로 2,3개의 도구들을 이용하는 것이 바람직하다. 하나의 도구가 완벽하면 좋겠지만 지금까지의 경험으로는 그렇지 못한 경우가 더 많기 때문에 자신의 판단으로 가장 분석하기 용이한 도구를 선택한 후 이를 보완할 수 있는 도구를 선택하면 될 것이다.

이렇게 선택된 도구들은 현장 분석용 도구 모음으로 만들어 현장 대응시 사용해도 될 것이다. 현장에서 증거만 압수한 이후 압수된 증거를 자신의 포렌식 랩에서 분석한다면 문제가 없겠지만 부득이하게 현장에서 수집 및 분석이 이루어지는 환경도 있다. 이러한 경우 환경 구축에 드는 시간이 부담이 된다면 선택된 도구로 고스트(Ghost)와 같은 이미지를 생성한 후 현장에서 활용해도 될 것이다.

---

통합 포렌식 도구 (Integrated Forensics)

Name	Interface	Platform	Manufacturer	Licence
EnCase	GUI	Windows	Guidance Software	Commercial
FTK (Forensic Toolkit)	GUI	Windows	AccessData	Commercial
ProDiscover®	GUI	Windows	Technology Pathways	Commercial
X-Ways Forensics	GUI	Windows	X-Way SOftware	Commercial
TSK (The Sleuth Kit) & Autopsy	CLI	Anywhere	Brian Carrier	Opensource
SIFT (SANS Investigate Forensic Toolkit)	-	-	SANS	Freeware

---

라이브 CD (Live CD)

Name	Interface	Platform	Manufacturer	Licence
Helix	-	-	e-fense	Commercial
BackTrack	-	-	BackTrack Linux	Freeware
Caine	-	-	Caine	Freeware

---

라이브 포렌식 (Live Forensics)

Name	Interface	Platform	Manufacturer	Licence
WFT (Windows Forensic Toolchest)	CLI	Windows	FoolMoon	Free/Comm
IRCR (Incident Response Collection Report)	CLI	Windows	mcleodjp	Opensource
COFEE (Computer Online Forensic Evidence Extractor)	CLI	Windows	Microsoft	only Law enforcement
FRED (First Responder’s Evidence Disk)	GUI	Windows	Dark Particle Labs	Freeware
MIR (MANDIANT Intelligent Response)	GUI	Windows	MANDIANT	Commercial
ProDiscover® IR	GUI	Windows	Technology Pathways	Commercial
OnLineDFS (OnLine Digital Forensic Suite)	CLI	Windows	CST	Commercial

---

디스크 이미징 (Disk Imaging)

Name	Interface	Platform	Manufacturer	Licence
FTK Imager	GUI	Windows	AccessData	Freeware
Tableau Imager	GUI	Windows	TABLEAU	Freeware
EnCase Linen	CLI	Linux	Guidance Software	Commercial
dd (FAU DD)	CLI	Anywhere	George M. Garner Jr.	Freeware

---

이미지 마운트 (Image Mounting)

Name	Interface	Platform	Manufacturer	Licence
Mount Image Pro	GUI	Windows	GetData	Commercial
P2 eXplorer	GUI	Widows	Paraben	Freeware
ImDisk	GUI	Windows	LTRDATA	Opensource

---

메모리 획득 (Memory Acquisition)

Name	Interface	Platform	Manufacturer	Licence
winen	CLI	Windows	Guidance Software	Commercial
FastDump Pro	CLI	Windows	HBGary	Commercial
FastDump CE	CLI	Windows	HBGary	Freeware
win(32/64)dd	CLI	Windows	Matthieu Suiche	Freeware
mdd	CLI	Windows	ManTech	Opensource
Memorize	GUI	Windows	Mandiant	Freeware

---

메모리 분석 (Memory Analysis)

Name	Interface	Platform	Manufacturer	Licence
Responder Pro	GUI	Windows	HBGary	Commercial
Volatility	CLI	Anywhere	Volatile Systems	Opensource
RedLine	GUI	Windows	Mandiant	Freeware
Memorize & Audit Viewer	GUI	Windows	Mandiant	Freeware
Volafox	CLI	Mac OS	n0fate	Opensource
Volafunx	CLI	FreeBSD	n0fate	Opensource

---

레지스트리 획득 (Registry Acquisition)

Name	Interface	Platform	Manufacturer	Licence
RegEx (for Volatile)	CLI	Windows	DFRC	Freeware
F-Response (for Remote)	GUI	Windows	F-Response	Commercial

---

레지스트리 분석 (Registry Analysis)

Name	Interface	Platform	Manufacturer	Licence
REGA	GUI	Windows	DFRC	Freeware
Registry File Viewer	GUI	Windows	MiTeC	Freeware
RegRipper	CLI	Windows	Harlan Carvey	Opensource
UserAssist	GUI	Windows	Didier Stevens	Freeware
RegExtract	GUI	Windows	woanware	Freeware
USBDeviceForensics	GUI	Windows	woanware	Freeware
ForensicUserInfo	GUI	Windows	woanware	Freeware
pwdump7	CLI	Windows	Tarasco	Freeware
SAMInside	GUI	Windows	InsidePro	Free/Comm

---

로그 분석 (Log Analysis)

Name	Interface	Platform	Manufacturer	Licence
Event Log Explorer	GUI	Windows	FSPro Labs	Commercial
EventLog Analyzer	GUI	Anywhere	ManageEngine	Commercial
Log Parser	CLI	Windows	Microsoft	Freeware

---

프리패치 분석 (Prefetch Analysis)

Name	Interface	Platform	Manufacturer	Licence
PrefetchForensics	GUI	Windows	woanware	Freeware
Prefetch Parser	CLI	Windows	SANS	Freeware
Windows Prefetch Parser	CLI	Anywhere	TZWorks	Freeware

---

추가적인 OS 분석 (Any other Artifacts)

Name	Interface	Platform	Manufacturer	Licence
log2timeline	GUI	Linux & Mac	Kristinn Gudjonsson	Freeware
Windows File Analyzer	GUI	Windows	MiTeC	Freeware
JumpLister	GUI	Windows	woanware	Freeware
lnkanlyser	CLI	Windows	woanware	Freeware
Windows Search Index Extractor	GUI	Windows	Filesig Software	Commercial
ShadowExplorer	GUI	Windows	ShadowExplorer	Freeware
Thumbnail Database Viewer	GUI	Windows	Igor Tolmache	Freeware

---

파일시스템 메타데이터 (Filesystem Metadata)

Name	Interface	Platform	Manufacturer	Licence
anlyzeMFT	CLI	Anywhere	David Kovar	Opensource
MFTView	GUI	Windows	Sanderson Forensics	Freeware

---

웹 브라우저 사용 흔적 (Web Browser Trace)

Name	Interface	Platform	Manufacturer	Licence
WEFA (WEb browser Forensic Analyzer)	GUI	Windows	FOUR&SIX TECH	Commercial
Web Historian	GUI	Windows	Mandiant	Freeware
ChromeForensics FireFoxForensics OperaForensics firefoxsessionstoreextractor	GUI	Windows	woanware	Freeware
IECacheView IECookiesView IEHistoryView IEPassView MozilaCacheView MozilaCookieView MozilaHistoryView PasswordFox OperaCacheView OperaPassView	GUI	Windows	NirSoft	Freeware

---

데이터베이스 분석 (Database Analysis)

Name	Interface	Platform	Manufacturer	Licence
Exchange EDB Viewer	GUI	Windows	Lepide Software	Freeware
EseDbViewer	GUI	Windows	woanware	Freeware
SQLite Database Browser	GUI	Win & Mac	Tabuleiro	Opensource
OracleForensics Tools	-	-	-	-

---

메일 분석 (Mail Analysis)

Name	Interface	Platform	Manufacturer	Licence
gmailparser	CLI	Windows	woanware	Freeware
Mail Viewer	GUI	Windows	MiTeC	Freeware
Kernel OST Viewer	GUI	Windows	Lepide SOftware	Freeware
Kernel Outlook PST Viewer	GUI	Windows	Lepide SOftware	Freeware

---

문서 포맷 분석 (Document Format Analysis)

Name	Interface	Platform	Manufacturer	Licence
Structed Storage Viewer	GUI	Windows	MiTeC	Freeware
OffVif	GUI	Windows	Microsoft	Freeware

---

패킷 분석 (Packet Analysis)

Name	Interface	Platform	Manufacturer	Licence
WireShark	GUI	Anywhere	WireShark	Freeware
NetworkMiner	GUI	Windows	NETRESEC	Commercial
Investigator	GUI	Win & Lin	NETWITNESS	Commercial
Ostinato	GUI	Anywhere	Pstavirs	Opensource
Packet Builder	GUI	Windows	Colasoft	Freeware
SplitCap	CLI	Windows	NETRESEC	Opensource
tshark	CLI	Anywhere	WireShark	Freeware
Scapy	CLI	Anywhere	Philippe Biondi	Opensource
tcpdump	CLI	Anywhere	-	Freeware

---

헥스 편집기 (Hex Editor)

Name	Interface	Platform	Manufacturer	Licence
010Editor	GUI	Windows	SweetScape	Commercial
WinHex	GUI	Windows	X-Ways Software	Commercial
HexWorkshop	GUI	Windows	HexWorkshop	Commercial
HxD	GUI	Windows	Mael Horz	Freeware

---

해쉬 분석 (Hash Analysis)

Name	Interface	Platform	Manufacturer	Licence
HashTab	GUI	Win & Mac	Implbits	Free/Comm
md5deep/hashdeep	CLI	Anywhere	Jesse Kornblum	Freeware
ssdeep	CLI	Anywhere	ManTech	Freeware
NSRL Hashsets	-	-	NIST	Freeware

---

완전삭제 도구 (Wipe Tools)

Name	Interface	Platform	Manufacturer	Licence
Eraser	GUI	Windows	The Eraser Project	Freeware
SDelete	CLI	Windows	Sysinternals	Freeware
BCWipe	GUI	Windows	Jetico	Commercial

---

그 밖에… (Other Tools)

Name	Interface	Platform	Manufacturer	Licence
BinText	GUI	Windows	McAfee	Freeware
DCode	GUI	Windows	Digital Detective	Freeware

---

도구 관련 사이트 목록 (Various Sites)

Site

MiTeC

NirSoft

RedWolf Computer Forensics

Woanware

Open Source Digital Foresncis

RCE Tool Libary

Software for Computer Forensics

Sysinternals

EnScript