Forensic Tools - 1

다음은 디지털포렌식 관련 도구로 사용해본 도구 중 유용하다고 판단되는 도구를 정리해 놓은 표이다. 소프트웨어는 필연적으로 오류를 포함하기 때문에 증거 분석에 사용하는 도구라면 반드시 2개 이상의 도구로 상호 검증을 수행하는 것이 바람직하다.

실제 분석을 수행하다 보면 인증 받은 도구의 기능적인 한계나 불편함으로 제3의 도구를 사용하는 경우가 있다. 이 경우에는 최종적으로 인증 받은 도구로 결과를 한 번 더 검증하는 작업이 요구된다. 도구의 장 · 단점은 목적에 따라 다르기 때문에 자신의 업무 목적에 맞는 적합한 도구를 사용하기 바란다.

목록은 다음과 같다.(최신 정보가 업데이트되지 않은 경우가 있다.)

통합 포렌식 도구 (Integrated Forensics Tools)

Name	Interface	Platform	Manufacturer	Licence
EnCase Forensic	GUI	Windows	Guidance Software	Commercial
FTK (Forensic Toolkit)	GUI	Windows	AccessData	Commercial
Forensic Explorer	GUI	Windows	GetData	Commercial
X-Ways Forensics	GUI	Windows	X-Way Software Technology AG	Commercial
Mac Marshal Forensic Edition™	GUI	Macintosh	Architecture Technology	Commercial
BlackLight	GUI	Anywhere	BlackBag Technologies	Commercial
Autopsy	GUI	Anywhere	Brian Carrier	Opensource

라이브 CD/VM (Live CD/VM)

Name	Interface	Platform	Manufacturer	Licence
SIFT	–	–	SANS	Freeware
PALADIN	–	–	SAMURI	Freeware
DEFT	–	–	DEFT Staff	Freeware
Helix	–	–	e-fense	Commercial
BackTrack	–	–	BackTrack Linux	Freeware
C.A.IN.E	–	–	Caine	Freeware

라이브 포렌식 (Live Forensics)

Name	Interface	Platform	Manufacturer	Licence
FPLive_win	CLI	Windows	JK Kim	Freeware
FRED (First Responder’s Evidence Disk)	GUI	Windows	Dark Particle Labs	Freeware
WFT (Windows Forensic Toolchest)	CLI	Windows	FoolMoon	Free/Comm
Dual Purpose Volatile Data Collection Script	CLI	Windows	Corey Harrell	Opensource
IRCR (Incident Response Collection Report)	CLI	Windows	mcleodjp	Opensource
COFEE (Computer Online Forensic Evidence Extractor)	CLI	Windows	Microsoft	only Law enforcement
MIR (MANDIANT Intelligent Response)	GUI	Windows	Mandiant	Commercial
OnLineDFS (OnLine Digital Forensic Suite)	CLI	Windows	CST	Commercial
MacResponse LE™	GUI	Macintosh	AIS	Opensource

이미징 하드웨어 (Imaging Hardware)

Name	Interface	Platform	Manufacturer	Licence
Image MASSter Series	–	–	Intelligent Computer Solutions, Inc.	Commercial
Dossier &Falcon	–	–	Logicube	Commercial
TD3	–	–	Tableau	Commercial
Magicube	–	–	DataExpert	Commercial

이미징 소프트웨어 (Imaging Software)

Name	Interface	Platform	Manufacturer	Licence
FTK Imager (Lite) CLI FTK Imager for Debian, Ubuntu, Fedora, RedHat, Mac OS.	GUI	Windows	AccessData	Freeware
Tableau Imager	GUI	Windows	TABLEAU	Freeware (need Tableau W/B)
X-Ways Imager	GUI	Windows	X-Ways Software Technology AG	Commercial
EnCase Forensic Imager	GUI	Windows	Guidance Software	Freeware
FAU DD	CLI	Windows	George M. Garner Jr.	Freeware
ODIN	GUI	Windows	JensH	Opensource
OSFClone	CLI	Windows	PassMark Software	Opensource
ewfacquire, ewfacquirestream	CLI	Unix-based	Joachim Metz	Opensource
Guymager	GUI	Linux	vogu00	Freeware
dcfldd	CLI	Unix-based	Nick Harbour	Opensource
MacQuisition	CLI	Macintosh	BlackBag Technologies	Opensource

쓰기방지장치 (Write Blocker)

Name	Interface	Platform	Manufacturer	Licence
Tableau Forensic Bridge	–	–	Tableau	Commercial
Wiebetech Dock	–	–	Wiebetech	Commercial

이미지 마운트 (Image Mounting)

Name	Interface	Platform	Manufacturer	Licence
Arsenal Image Mounter	GUI	Windows	Arsenal Recon	Freeware
Mount Image Pro	GUI	Windows	GetData	Commercial
OSFMount	GUI	Widows	PassMark Software	Freeware
VHD tool	CLI	Windows	Microsoft	Freeware
LiveView	GUI	Win &Lin	CMU/td>	Freeware
raw2vmdk	GUI	Anywhere	Zapotek/td>	Freeware
FTK Imager	GUI	Windows	AccessData	Freeware
P2 eXplorer	GUI	Widows	Paraben	Freeware
ImDisk	GUI	Windows	LTRDATA	Opensource

원격 포렌식 (Remote Forensics)

Name	Interface	Platform	Manufacturer	Licence
F-Response Series	GUI	Anywhere	F-Response	Commercial

메모리 획득 (Memory Acquisition)

Name	Interface	Platform	Manufacturer	Licence
DumpIt	CLI	Windows	MoonSols	Freeware
win(32/64)dd	CLI	Windows	MoonSols	Free/Comm
FastDump Pro	CLI	Windows	HBGary	Commercial
mdd	CLI	Windows	ManTech	Opensource
Memorize (for Mac)	GUI	Windows	Mandiant	Freeware
FTK Imager (Lite) CLI FTK Imager for Debian, Ubuntu, Fedora, RedHat, Mac OS.	GUI	Windows	AccessData	Freeware
WinPmem	CLI	Windows	Michael Cohen	Freeware
fmem	CLI	Linux	niekt0	Freeware
LiME	CLI	Linux	Joe Sylve	Freeware
Second Look® Linux Memory Acquisition	CLI	Linux	Raytheon Pikewerks	Commercial
Mac Memory Reader™	CLI	Macintosh	Mac Marshal™	Freeware
OSXPMem	CLI	Macintosh	Michael Cohen	Freeware

메모리 분석 (Memory Analysis)

Name	Interface	Platform	Manufacturer	Licence
Redline	GUI	Windows	Mandiant	Freeware
Volatility	CLI	Anywhere	Volatile Systems	Opensource
Memorize &Audit Viewer	GUI	Windows	Mandiant	Freeware
Responder Pro	GUI	Windows	HBGary	Commercial
Second Look® Linux Memory Analysis	CLI	Linux	Raytheon Pikewerks	Commercial
Volafox	CLI	Mac OS	n0fate	Opensource
Volafunx	CLI	FreeBSD	n0fate	Opensource

타임라인 분석 (Timeline Analysis)

Name	Interface	Platform	Manufacturer	Licence
log2timeline	CLI	Linux &Mac	Kristinn Gudjonsson	Freeware
plaso	CLI	Win &Mac	Kristinn Gudjonsson	Freeware
4n6time	GUI	Win &Mac	Kristinn Gudjonsson	Freeware
Timeliner	GLI	Windows	Woanware	Freeware/Opensource
Timeline Report	GUI	EnCase-Based	Geoff Black	Opensource

레지스트리 분석 (Registry Analysis)

Name	Interface	Platform	Manufacturer	Licence
REGA(REGistry Analyzer)	GUI	Windows	4&6tech	Commercial
Registry Recon	GUI	Windows	Arsenal Recon	Commercial
Registry Workshop	GUI	Windows	TorchSoft	Commercial
RegRipper	CLI	Windows	Harlan Carvey	Opensource
UserAssist	GUI	Windows	Didier Stevens	Freeware
Registry Binary Parser	GUI	Windows	woanware	Freeware/Opensource
RegRipperRunner	GUI	Windows	woanware	Freeware/Opensource
ForensicUserInfo	GUI	Windows	woanware	Freeware/Opensource
USBDeviceForensics	GUI	Windows	woanware	Freeware/Opensource
Windows USB Storage Parser (usp)	CLI	Windows	TZWorks	Freeware/Commercial
Yet Another Registry Utility (yaru)	CLI	Windows	TZWorks	Freeware/Commercial
Windows ShellBag Parser (sbag)	CLI	Windows	TZWorks	Freeware/Commercial
Computer Account Forensic Artifact Extractor (cafae)	CLI	Windows	TZWorks	Freeware/Commercial

파일시스템 메타데이터 (File System Metadata)

Name	Interface	Platform	Manufacturer	Licence
mft2csv	GUI	Windows	joakim	Freeware
anlyzeMFT	CLI	Anywhere	David Kovar	Opensource
MFTView	GUI	Windows	Sanderson Forensics	Freeware
NTFS Directory Enumerator	CLI	Windows	TZWorks	Freeware/Commercial
Windows $MFT and NTFS Metadata Extractor Tool	CLI	Windows	TZWorks	Freeware/Commercial
Windows INDX Slack Parser	CLI	Windows	TZWorks	Freeware/Commercial
Graphical Engine for NTFS Analysis (gena)	CLI	Windows	TZWorks	Freeware/Commercial

바로가기 파일 분석 (LNK Analysis)

Name	Interface	Platform	Manufacturer	Licence
Windows LNK Parsing Utility (lp)	CLI	Windows	TZWorks	Freeware/Commercial
lnkanalyser	CLI	Windows	Woanware	Freeware

로그 분석 (Log Analysis)

Name	Interface	Platform	Manufacturer	Licence
Event Log Explorer	GUI	Windows	FSPro Labs	Commercial
Log Parser	CLI	Windows	Microsoft	Freeware
NTFS Log Tracker	GUI	Windows	blueangel	Freeware
NTFS TriForce	CLI	Windows	David Cowen	Freeware
Windows Journal Parser (jp)	GUI	Windows	TZWorks	Freeware/Commercial
Windows Event Log Viewer	GUI	Windows	TZWorks	Freeware/Commercial
Windows Event Log Parser	GUI	Windows	TZWorks	Freeware/Commercial
UsnJrnl2Csv	CLI	Windows	joakim	Freeware
LogFile Parser	CLI	Windows	joakim	Freeware

악성코드 분석 (Malware Analysis)

Name	Interface	Platform	Manufacturer	Licence
PeStudio	GUI	Windows	Marc Ochsenmeier	Freeware
PEView	GUI	Windows	Wayne J. Radburn	Freeware
Automater	CLI	Win &Lin	TEKDEFENSE	OpenSource
Noriben	CLI	Windows	Rurik	OpenSource

프리패치 분석 (Prefetch Analysis)

Name	Interface	Platform	Manufacturer	Licence
WinPrefetchView	GUI	Windows	NirSoft	Freeware
PrefetchForensics	GUI	Windows	woanware	Freeware
APFA(Advanced Prefetch File Analyzer)	GUI	Windows	Allan S Hay	Freeware
Prefetch Parser	CLI	Windows	SANS	Freeware
Windows Prefetch Parser	CLI	Anywhere	TZWorks	Freeware/Commercial

웹 브라우저 사용 흔적 (Web Browser Artifacts)

Name	Interface	Platform	Manufacturer	Licence
WEFA(WEb browser Forensic Analyzer)	GUI	Windows	4&6 Tech	Commercial
Web Historian	GUI	Windows	Mandiant	Freeware
IEF(Internet Evidence Finder)	GUI	Windows	Magnet Forensics	Commercial
ChromeForensics	GUI	Windows	woanware	Freeware
FireFoxForensics	GUI	Windows	woanware	Freeware
firefoxsessionstoreextractor	GUI	Windows	woanware	Freeware
Windows ‘index.dat’ Parser (id)	CLI	Windows	TZWorks	Freeware/Commercial
BrowsingHistoryView	GUI	Windows	NirSoft	Freeware
IECacheView	GUI	Windows	NirSoft	Freeware
IECookiesView	GUI	Windows	NirSoft	Freeware
IEHistoryView	GUI	Windows	NirSoft	Freeware
ChromeCacheView	GUI	Windows	NirSoft	Freeware
ChromeHistoryView	GUI	Windows	NirSoft	Freeware
MozilaCacheView	GUI	Windows	NirSoft	Freeware
MozilaCookieView	GUI	Windows	NirSoft	Freeware
MozilaHistoryView	GUI	Windows	NirSoft	Freeware
SafariCacheView	GUI	Windows	NirSoft	Freeware
SafariHistoryView	GUI	Windows	NirSoft	Freeware
OperaCacheView	GUI	Windows	NirSoft	Freeware
WebBrowserPassView	GUI	Windows	NirSoft	Freeware
MyLastSearch	GUI	Windows	NirSoft	Freeware

데이터베이스 분석 (Database Analysis)

Name	Interface	Platform	Manufacturer	Licence
Exchange EDB Viewer	GUI	Windows	Lepide Software	Freeware
ESEDatabaseView	GUI	Windows	NirSoft	Freeware
EseDbViewer	GUI	Windows	woanware	Freeware
SQLite Expert	GUI	Windows	Bogdan Ureche	Commercial
Oxygen SQLite Viewer	GUI	Windows	Oxygen Forensic	Commercial
SQLite Database Browser	GUI	Win &Mac	Tabuleiro	Opensource
OracleForensics Tools	–	–	–	–

이메일 분석 (Email Analysis)

Name	Interface	Platform	Manufacturer	Licence
E-mail Examiner	GUI	Windows	Paraben	Commercial
Mail Viewer	GUI	Windows	MiTeC	Freeware
Email Utilities	GUI	Windows	Stellar Information Systems	Commercial
Email Recovery Tools	GUI	Windows	Lepide Software	Commercial

포맷 분석 (Format Analysis)

Name	Interface	Platform	Manufacturer	Licence
010Editor Templates	GUI	Windows	SweetScape Software	Commercial
FileInsight	GUI	Windows	McAfee	Freeware
Structed Storage Viewer	GUI	Windows	MiTeC	Freeware
OffVis	GUI	Windows	Microsoft	Freeware
Windows Portable Executable Viewer (pe_view)	GUI	Windows	TZWorks	Freeware/Commercial
PDF Parser	CLI	Anywhere	Didier Stevens	Freeware
peedpdf	CLI	Anywhere	Jose Miguel Esparza	Freeware
PDF Stream Dumper	GUI	Windows	David Zimmer	Freeware

복원지점/볼륨섀도복사본 분석 (Restore Point/VSC)

Name	Interface	Platform	Manufacturer	Licence
RP Log Tracker	GUI	Windows	blueangel	Freeware
libvshadow	CLI	Windows	Joachim Metz	Freeware
ShadowExplorer	GUI	Windows	ShadowExplorer	Freeware
ShadowKit	GUI	Windows	David Dym	Freeware
VSC Toolset	GUI	Windows	Jason Hale	Freeware
Reconnoitre	GUI	Windows	Sanderson Forensics	Commercial

자바 IDX 분석 (Java IDX Analysis)

Name	Interface	Platform	Manufacturer	Licence
RP Log Tracker	CLI	Anywhere	Brian Baskin	OpenSource
Javaidx	CLI	Windows	Mark Woan	OpenSource
Idxparser	CLI	Windows	Harlan Carvey	OpenSource

추가적인 아티팩트 분석 (Any Other Artifacts)

Name	Interface	Platform	Manufacturer	Licence
Windows File Analyzer	GUI	Windows	MiTeC	Freeware
Windows Jump List Parser (jmp)	CLI	Windows	TZWorks	Freeware/Commercial
Portable Executable Scanner (pescan)	CLI	Windows	TZWorks	Freeware/Commercial
autorunner	GUI	Windows	woanware	Freeware
exefinder	GUI	Windows	woanware	Freeware
JumpLister	GUI	Windows	woanware	Freeware
shimcacheparser	GUI	Windows	woanware	Freeware
Windows Search Index Extractor	GUI	Windows	Filesig Software	Commercial
Thumbnail Database Viewer	GUI	Windows	Igor Tolmache	Freeware
SFP(Simple File Parser)	GUI	Windows	Chris Mayhew	Freeware

네트워크 포렌식 (Network Forensics)

Name	Interface	Platform	Manufacturer	Licence
WireShark	GUI	Anywhere	WireShark	Freeware
NetworkMiner	GUI	Windows	NETRESEC	Commercial
RSA NetWitness	GUI	Win &Lin	RSA	Commercial
Ostinato	GUI	Anywhere	Pstavirs	Opensource
Packet Builder	GUI	Windows	Colasoft	Freeware
SplitCap	CLI	Windows	NETRESEC	Opensource
tshark	CLI	Anywhere	WireShark	Freeware
Scapy	CLI	Anywhere	Philippe Biondi	Opensource
tcpdump	CLI	Anywhere	–	Freeware
DNS Query Utility (dqu)	CLI	Windows	TZWorks	Freeware/Commercial
Packet Capture ICMP Carver (pic)	CLI	Windows	TZWorks	Freeware/Commercial
Network Xfer Client/Server Utility (nx)	CLI	Windows	TZWorks	Freeware/Commercial
snorbert	CLI	Windows	Woanware	Freeware
SessionViewer	CLI	Windows	Woanware	Freeware
enumdotnet	CLI	Windows	Woanware	Freeware

패스워드 공격(Password Attack)

Name	Interface	Platform	Manufacturer	Licence
EPRB(ElcomSoft Password Recovery Bundle)	GUI	Windows	ElcomSoft	Commercial
PPR(Passware Password Recovery)	GUI	Windows	Passware	Commercial
SAMInside	GUI	Windows	InsidePro	Freeware
ophcrack	GUI	Anywhere	OBJECTIF SECURITE	Freeware
L0PHTCRACK	GUI	Windows	L0pht Holdings	Commercial

윈도우 패스워드(Windows Password)

Name	Interface	Platform	Manufacturer	Licence
Cain &Abel	GUI	Windows	Massimiliano Montoro	Freeware
Windows Password Recovery	GUI	Windows	Passcape Software	Freeware
pwdump7	CLI	Windows	Tarasco	Freeware
gsecdump	CLI	Windows	Truesec	Freeware
PWDumpX	CLI	Windows	Reed Arvin	Freeware
lsadump2	CLI	Windows	izar	Freeware
creddump	CLI	Windows	mooyix	Opensource
NTPWEdit	GUI	Windows	Vadim Druzhin	Freeware
NTPassword	CLI	Windows	Pogostick	Freeware

모바일 포렌식 (Mobile Forensics)

Name	Interface	Platform	Manufacturer	Licence
MD Series	–	–	GMDSystem	Commercial
Cellebrite Mobile Forensics	–	–	Cellebrite	Commercial
Device Seizure	–	–	Paraben	Commercial
XRY Series	–	–	Micro Systemation	Commercial
Oxygen Forensic® Suite	GUI	Windows	Oxygen Software	Commercial
MPE+	GUI	Windows	Access Data	Commercial
Lantern	GUI	Mac	KatanaForensics	Commercial
iPhone Backup Browser	GUI	Windows	rene.devichi	Commercial

헥스 편집기 (Hex Editor)

Name	Interface	Platform	Manufacturer	Licence
010Editor	GUI	Windows	SweetScape	Commercial
WinHex	GUI	Windows	X-Ways Software Technology AG	Commercial
HexWorkshop	GUI	Windows	HexWorkshop	Commercial
HxD	GUI	Windows	Mael Horz	Freeware

해쉬 분석 (Hash Analysis)

Name	Interface	Platform	Manufacturer	Licence
HashTab	GUI	Win &Mac	Implbits	Free/Comm
md5deep/hashdeep	CLI	Anywhere	Jesse Kornblum	Freeware
ssdeep	CLI	Anywhere	ManTech	Freeware
NSRL Hashsets	–	–	NIST	Freeware

완전삭제 (Wipe/Sanitization)

Name	Interface	Platform	Manufacturer	Licence
Eraser	GUI	Windows	The Eraser Project	Freeware
BCWipe	GUI	Win &Lin	Jetico	Commercial
SDelete	CLI	Windows	Sysinternals	Freeware
Secure Erase	CLI	Win &Lin	CMRR	Freeware

데이터 복구 (Data Recovery)

Name	Interface	Platform	Manufacturer	Licence
RMF(Recover My Files)	GUI	Windows	GetData	Commercial
R-Studio	GUI	Anywhere	R-Tools Technology	Commercial
Power Data Recovery	GUI	Windows	MiniTool® Solution	Commercial

그 밖에… (Other Tools)

Name	Interface	Platform	Manufacturer	Licence
Highlighter	GUI	Windows	Mandiant	Freeware
BinText	GUI	Windows	McAfee	Freeware
DCode	GUI	Windows	Digital Detective	Freeware
TimeLord	GUI	Windows	Harry Parsonage	Freeware
ArgosDFAS	GUI	Windows	DUZON	Commercial

포렌식 도구 사이트 (dForensics Tool Sites)

Site
MiTeC	mft2csv
TZWorks	Open Source Digital Foresncis
Software for Computer Forensics	RCE Tool Libary
Woanware	Sysinternals
NirSoft	ForensicKB
CFTT Catalog

출처 - http://forensic-proof.com/tools