
Exif (Exchangeable Image File Format)

·         Exchangeable image file format

·         An image file format used by digital cameras.

·         Metadata about the photograph can be embedded in JPEG, TIFF 6.0 and RIFF WAV files.

·         Exif is not supported by JPEG 2000 or GIF; PNG did not support it originally either (an eXIf chunk was added to the PNG specification in 2017).

 

 

 

https://bit.ly/2ViBUDf

http://en.wikipedia.org/wiki/Exchangeable_image_file_format

 

 

Information contained in Exif metadata

·         Camera manufacturer

·         Camera model

·         Orientation (rotation)

·         Date and time

·         Location (geotag, GPS)

·         Color space

·         Focal length

·         Whether the flash fired

·         ISO speed

·         Aperture

·         Exposure mode

·         Metering mode

·         Shutter speed

·         Copyright information, etc.

From a privacy and forensics standpoint the date/time and GPS fields matter most: they travel with the file when it is copied or uploaded unchanged, and are removed only when the image is re-encoded or the Exif (APP1) segment is deliberately stripped.

 

 

 

 

 

Exif file format

http://www.media.mit.edu/pia/Research/deepview/exif.html
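The layout sketched at the link above (SOI marker, an APP1 segment beginning with "Exif\0\0", a TIFF header, then IFDs whose 12-byte entries hold tag, type, count and an inline value or an offset) is small enough to walk by hand. The following is an added example written for this page, not code from the original post or from any Exif library: it constructs a tiny JPEG carrying Make, Model and a GPS sub-IFD, reads those tags back, turns the GPS rationals into decimal degrees, and strips the APP1 segment, which is the minimal remedy for the location leak the GPS field represents. The tag subset, the sample bytes and all function names are this example's own assumptions.

```python
"""Minimal Exif reader/stripper for JPEG.  Added example; the sample bytes,
tag subset and function names are this example's own, not the page's code."""
import struct

# Tags this example decodes; real files carry many more (see the list above)
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfoIFD"}
GPS_TAG_NAMES = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
                 0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
# TIFF field type -> (struct code, byte size): BYTE, ASCII, SHORT, LONG, RATIONAL
TYPES = {1: ("B", 1), 2: ("c", 1), 3: ("H", 2), 4: ("I", 4), 5: ("II", 8)}


def iter_segments(jpeg):
    """Yield (marker, start, end) for each marker segment up to and including SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:                      # EOI reached without SOS
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("segment length out of range at offset %d" % pos)
        yield marker, pos, end
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            return
        pos = end


def parse_ifd(tiff, offset, names, endian):
    """Decode one IFD into {tag_name: value}, following offsets for values > 4 bytes."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    out = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        if typ not in TYPES:
            continue                            # unknown type: skip rather than guess
        code, size = TYPES[typ]
        total = size * n
        if total <= 4:
            raw = tiff[e + 8:e + 8 + total]     # value stored inline
        else:
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            if off + total > len(tiff):
                raise ValueError("IFD entry points outside the TIFF block")
            raw = tiff[off:off + total]
        if typ == 2:
            val = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5:
            ints = struct.unpack(endian + "I" * (2 * n), raw)
            val = list(zip(ints[0::2], ints[1::2]))   # (numerator, denominator) pairs
        else:
            vals = struct.unpack(endian + code * n, raw)
            val = vals[0] if n == 1 else list(vals)
        out[names.get(tag, "0x%04X" % tag)] = val
    return out


def read_exif(jpeg):
    """Return IFD0 tags (plus a nested 'GPS' dict) from the first APP1 Exif segment."""
    for marker, start, end in iter_segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or payload[:6] != b"Exif\0\0":
            continue
        tiff = payload[6:]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None:
            raise ValueError("bad TIFF byte-order mark")
        tags = parse_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], TAG_NAMES, endian)
        if "GPSInfoIFD" in tags:
            tags["GPS"] = parse_ifd(tiff, tags.pop("GPSInfoIFD"), GPS_TAG_NAMES, endian)
        return tags
    return {}


def gps_to_decimal(dms, ref):
    """Degrees/minutes/seconds rationals plus hemisphere letter -> signed decimal degrees."""
    d, m, s = (num / den for num, den in dms)
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def strip_exif(jpeg):
    """Copy of jpeg with every APP1 Exif segment removed; scan data is left untouched."""
    out, tail = bytearray(b"\xff\xd8"), 2
    for marker, start, end in iter_segments(jpeg):
        tail = end
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            continue
        out += jpeg[start:end]
    out += jpeg[tail:]                          # entropy-coded data and EOI
    return bytes(out)


def build_sample_jpeg():
    """Constructed test image: SOI, Exif APP1 (Make, Model, GPS), SOS, 3 scan bytes, EOI."""
    def ifd(entries, base):
        head, blob = struct.pack("<H", len(entries)), b""
        data_off = base + 2 + 12 * len(entries) + 4
        for tag, typ, n, val in entries:
            if len(val) <= 4:
                head += struct.pack("<HHI", tag, typ, n) + val.ljust(4, b"\0")
            else:
                head += struct.pack("<HHII", tag, typ, n, data_off + len(blob))
                blob += val
        return head + struct.pack("<I", 0) + blob      # next-IFD offset 0 = none
    make, model = b"Canon\0", b"Canon EOS 5D\0"
    gps_ptr = 8 + 2 + 12 * 3 + 4 + len(make) + len(model)   # GPS IFD follows IFD0 (at 8)
    ifd0 = ifd([(0x010F, 2, len(make), make), (0x0110, 2, len(model), model),
                (0x8825, 4, 1, struct.pack("<I", gps_ptr))], 8)
    lat = struct.pack("<6I", 37, 1, 33, 1, 5700, 100)    # 37 deg 33' 57.00"
    lon = struct.pack("<6I", 126, 1, 58, 1, 4200, 100)   # 126 deg 58' 42.00"
    gps = ifd([(0x0001, 2, 2, b"N\0"), (0x0002, 5, 3, lat),
               (0x0003, 2, 2, b"E\0"), (0x0004, 5, 3, lon)], gps_ptr)
    app1 = b"Exif\0\0" + b"II*\0" + struct.pack("<I", 8) + ifd0 + gps
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", 6) + b"\x01\x01\x00\x00"
            + b"\x00\x11\x22" + b"\xff\xd9")
```

Every offset in the IFD is checked against the length of the TIFF block before it is dereferenced; Exif parsers that skip that check are a recurring source of out-of-bounds reads when fed crafted images, so the same guard belongs in anything that ingests uploads.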


 


Posted by codedragon codedragon



 

 

Salamandra Spy Microphone Detection Tool

 

http://bit.ly/2FylHly


 

 

GETTING THE RTL-SDR TO WORK IN WINDOWS 10

http://bit.ly/2ux7Re3

 

 

 

 

Direct download

Salamandra-master.z01

Salamandra-master.zip

 





 

FILE SIGNATURES TABLE(File Magic Number Table)

A table of file magic numbers (the signature bytes at the start of a file) by file type.

 

http://www.garykessler.net/library/file_sigs.html



 

 

 

 

List of file signatures - Wiki

https://en.wikipedia.org/wiki/List_of_file_signatures
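A signature lookup is the usual way to apply those tables: read the leading bytes, compare them against known magic numbers, and treat a mismatch with the file extension (or the declared Content-Type) as grounds to reject an upload. The example below is added for this page, not taken from either table or from any library; its signature subset, extension map and sample inputs are constructed here.

```python
"""Identify a file's real type from its magic number and compare it with the type
its name claims.  Added example, not code from the linked tables; the signature
subset and sample inputs are this example's own."""

# (type, offset in file, signature bytes); a small subset of Kessler's table
SIGNATURES = [
    ("png",  0,   b"\x89PNG\r\n\x1a\n"),
    ("jpeg", 0,   b"\xff\xd8\xff"),
    ("gif",  0,   b"GIF87a"),
    ("gif",  0,   b"GIF89a"),
    ("pdf",  0,   b"%PDF-"),
    ("zip",  0,   b"PK\x03\x04"),
    ("elf",  0,   b"\x7fELF"),
    ("exe",  0,   b"MZ"),
    ("rtf",  0,   b"{\\rtf1"),
    ("tar",  257, b"ustar"),          # tar's magic is not at offset 0
]

# extension -> container type it is expected to have (OOXML, JAR and APK are ZIPs)
EXT_TYPES = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "pdf": "pdf",
             "zip": "zip", "docx": "zip", "xlsx": "zip", "jar": "zip", "apk": "zip",
             "exe": "exe", "dll": "exe", "rtf": "rtf", "tar": "tar"}


def identify(data):
    """Return the type whose signature matches at its offset, or None if none does."""
    for ftype, offset, sig in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return ftype
    return None


def check_upload(filename, data):
    """Compare the detected type with the type the extension claims.

    Returns (detected, claimed, ok).  ok is False when the magic is unknown, the
    extension is unknown, or the two disagree (e.g. a PE executable named .pdf).
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TYPES.get(ext)
    detected = identify(data)
    return detected, claimed, detected is not None and detected == claimed


if __name__ == "__main__":
    # constructed inputs: a PNG header, an EXE renamed to .pdf, a GIF/HTML polyglot
    print(check_upload("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"))
    print(check_upload("report.pdf", b"MZ\x90\x00" + b"\0" * 60))
    print(identify(b"GIF89a<script>alert(1)</script>"))
```

The last case is the caveat: `identify(b"GIF89a<script>...")` still answers `gif`, because a magic check only confirms how a file begins. A polyglot that is simultaneously a valid GIF and HTML, or a ZIP with a benign prefix, passes it; re-encode images and parse archives server-side rather than trusting the first bytes alone.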


 


   

Windows Help program (WinHlp32.exe) for Windows Vista

http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=5143

   

 

 

 

Direct download

Windows6.0-KB917607-x64.msu

Windows6.0-KB917607-x86.msu



   

   

ChkRegLastChange

A program that checks when Windows registry values and their data were created or modified.

freeware

C++ source

RegistryTimeCheck.cpp

Note that the registry itself only stores a LastWriteTime per key (the value RegQueryInfoKey returns); individual values carry no timestamp, so a value's change time can only be inferred from the last-write time of the key that holds it.

The original source site is gone (no longer reachable).


   

   

HOWTO – iPhone Forensics with free and/or open source tools – 9-14-11 – viaForensics

   

   

https://www.nowsecure.com/blog/2011/10/20/howto-iphone-forensics-free-andor-open-source-tools-91411/#viaforensics

   

   

   

iPhone Forensics with F/OSS

A HOWTO for iPhone Forensics with free and/or open source tools

Qualifications

Presentation Goals

iPhone Forensics with F/OSS tools

• Commercial tools exist, but there is a growing number of F/OSS tools

• A Mac (OS X) or Linux workstation is used for many of these programs

• Focus on step-by-step examples

Open source (MIT) iPhone backup analyzer by Mario Picci (http://ipbackupanalyzer.com/)

• Decodes files, presents them in a hierarchical view, has some search and conversion functions

• Plist files are shown (binary plist files are automatically converted to ASCII format)

• Image files are shown

• SQLite files are shown with the list of the tables they contain. Clicking an entry in the table list dumps the selected table's content in the main UI

• Unknown data files are shown as hex/ASCII data

iTunes Backup Directories

Mac Os X: /Library/Application Support/MobileSync/Backup/

Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\

Windows Vista, Windows 7: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\

Linux Install

On Ubuntu Workstation

------------------------------

sudo apt-get update

sudo apt-get install python-tk python-imaging python-imaging-tk git

Install pyttk

- Download: http://pypi.python.org/pypi/pyttk/

- Extract: tar xzvf pyttk-0.3.2.tar.gz

- cd pyttk-0.3.2/

- Install: sudo python setup.py install

git clone git://github.com/PicciMario/iPhone-Backup-Analyzer

cd iPhone-Backup-Analyzer/

./main.py -d ~/Desktop/8737684969e72eccf5ff0cafed21b15ec1cb6d4d/

Zdziarski's iOS forensic tools

Free for qualified law enforcement and government agencies

• Based on F/OSS software and research (Cyanide, etc.)

• Physical acquisition

• Logical acquisition

• PIN bypass

• Decrypts the encrypted files / slice

– iOS 3.x: fully decrypt slice, gets unallocated

– iOS 4.x: decrypts files, not unallocated (mostly)

• Decrypt Keychain

• Working on recovering deleted keys

with F/OSS

• @0naj iphone-dataprotection tools (Python and C)

– Brute force PIN code on device

– Recover device encryption keys

– Decrypt the keychain, all dataprotection encrypted files

– Scrape the HFS journal for deleted content

– Decrypt the entire raw disk

– Included with Jonathan Zdziarski's toolset, or available separately to developers:

http://code.google.com/p/iphone-dataprotection/

Mount the dmg image read-only (Linux)

• Determine file system offset in dd image:

• Mount HFS partition read only:

• Make sure file system was mounted

• Can check disk usage

• The Sleuth Kit by Brian Carrier

– Brian is the author of the excellent book File System Forensic Analysis (FSFA)

– Actively maintained, just released 3.2.2 (06/13/2011)

– Supports NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660

http://sleuthkit.org/

• Install:

• Programs to start with:

– mmls – Media Management ls, generally partition info:

• fsstat – File system info

• fls – Forensic list

– Power utility which can list allocated/deleted files

– Provides offset so recovery is possible

– Build MACB for timeline analysis

– analyst@ubuntu:/mnt/hgfs/Desktop$ fls -z CST6CDT -s 0 -m '/' -f hfs -r -i raw iPhone-3g-313.dmg > ~/iPhone-timeline.body

mactime: turns the body file into a human-friendly timeline

• analyst@ubuntu:/mnt/hgfs/Desktop$ mactime -b ~/iPhone-timeline.body -z CST6CDT -d > ~/iPhone-timeline.csv

– Takes the body file and turns it into CSV or another format
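fls -m writes one pipe-separated body line per file (MD5, name, inode, mode, UID, GID, size, atime, mtime, ctime, crtime); mactime then emits one row per distinct timestamp with a four-letter column showing which of the m/a/c/b fields carry that time. The following is an added example for this page, not TSK's code or the presentation's, that performs the same transformation on three constructed body lines with iOS paths; the tz argument stands in for mactime's -z option (UTC here rather than the CST6CDT used in the slides).

```python
"""Turn TSK body-file lines (fls -m output) into a MACB timeline, the job mactime does.
Added example, not part of the original presentation; the body lines are constructed."""
import csv
import io
from datetime import datetime, timezone

BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid",
               "size", "atime", "mtime", "ctime", "crtime")

# Constructed fls -m '/' style records (TSK 3.x body format, 11 pipe-separated fields)
SAMPLE_BODY = """\
0|/private/var/mobile/Library/SMS/sms.db|1234|r/rrw-r--r--|501|501|32768|1300000100|1300000000|1300000000|1299999000
0|/private/var/mobile/Media/DCIM/100APPLE/IMG_0001.JPG|1240|r/rrw-r--r--|501|501|204800|1300000200|1300000200|1300000200|1300000200
0|/private/var/mobile/Library/Caches/com.apple.mobile.installation.plist (deleted)|1300|r/rrw-r--r--|501|501|4096|0|1299999500|1299999500|0
"""


def parse_body(text):
    """Parse body-format lines into dicts; size and the four timestamps become ints."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(BODY_FIELDS):
            raise ValueError("expected %d fields, got %d: %r" % (len(BODY_FIELDS), len(parts), line))
        rec = dict(zip(BODY_FIELDS, parts))
        for f in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def macb_timeline(records):
    """One row per (file, distinct timestamp); the Type column marks which of
    m(odified) a(ccessed) c(hanged) b(orn) carry that time, '.' for the others."""
    rows = []
    for rec in records:
        times = {"m": rec["mtime"], "a": rec["atime"], "c": rec["ctime"], "b": rec["crtime"]}
        for ts in sorted(set(times.values())):
            if ts == 0:
                continue        # TSK writes 0 when the filesystem has no such timestamp
            rows.append({"ts": ts, "size": rec["size"],
                         "macb": "".join(k if times[k] == ts else "." for k in "macb"),
                         "mode": rec["mode"], "uid": rec["uid"], "gid": rec["gid"],
                         "inode": rec["inode"], "name": rec["name"]})
    rows.sort(key=lambda r: (r["ts"], r["name"]))
    return rows


def to_csv(rows, tz=timezone.utc):
    """Render rows like 'mactime -d'; tz plays the role of mactime's -z option."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"])
    for r in rows:
        when = datetime.fromtimestamp(r["ts"], tz).strftime("%a %b %d %Y %H:%M:%S")
        w.writerow([when, r["size"], r["macb"], r["mode"], r["uid"], r["gid"], r["inode"], r["name"]])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(macb_timeline(parse_body(SAMPLE_BODY))), end="")
```

Note the deleted plist: fls reports its atime and crtime as 0, so only a single "m.c." row survives, while sms.db yields three rows because its four timestamps fall on three distinct seconds. A file whose timestamps all coincide ("macb") was written once and never touched again, which is exactly the kind of pattern a timeline is built to expose.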

Log2timeline

• Kristinn Gudjonsson developed this software

– Written in Perl (trying to convince him to move to Python)

– Extracts timeline artifacts from many file types including

• Evt/Evtx, registry, $MFT, prefetch, browser history, etc. (46 and climbing)

– 10+ export formats

http://log2timeline.net/

• Install log2timeline on Ubuntu 10.04 (lucid)

– sudo add-apt-repository "deb http://log2timeline.net/pub/ lucid main"

– wget -q http://log2timeline.net/gpg.asc -O- | sudo apt-key add -

– sudo apt-get update

– sudo apt-get install log2timeline-perl

Log2timeline

• sudo timescanner -d /home/analyst/mnt/hfs/ -z CST6CDT -w ~/iPhone-log2timeline.csv

– 218 artifacts (either files or directories).

– Run time of the script: 24 seconds.

• If you output in body format, you can combine it with TSK's fls output and generate a full timeline of file system and file metadata (sometimes referred to as a "Super Timeline")

Scalpel

• Download scalpel src at:

• wget http://www.digitalforensicssolutions.com/Scalpel/scalpel-2.0.tar.gz

• Compile

– tar xzvf scalpel-2.0.tar.gz

– cd scalpel-2.0/

– sudo apt-get install libtre-dev libtre5

– ./configure; make

– sudo cp scalpel /usr/local/bin

• Run scalpel

$ scalpel -c ~/scalpel.conf iPhone-3g-313.dmg

• Examine the data in the "scalpel-output" directory

Sample scalpel.conf
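Scalpel's model is simple: for each configured type, scan the raw image for the header bytes, then cut at the first footer found within that type's size limit, or at the limit if there is no footer, with no use of filesystem metadata at all. The Python below is an added example of that procedure written for this page; it is not scalpel's code and not the scalpel.conf the slide showed, and its three rules, output layout and the constructed "disk image" are this example's own.

```python
"""Header/footer file carver in the style of scalpel/foremost.  Added example;
not scalpel's code or its configuration file, and the disk image is constructed."""
import os
import re

# (type, extension, header, footer or None, maximum carve size in bytes)
RULES = [
    ("jpeg",   "jpg", b"\xff\xd8\xff",        b"\xff\xd9", 2_000_000),
    ("pdf",    "pdf", b"%PDF-",               b"%%EOF",    5_000_000),
    ("sqlite", "db",  b"SQLite format 3\x00", None,        4096),
]


def carve(image):
    """Find every header; cut at the first footer inside the size limit, else at the limit.

    Like scalpel this scans raw bytes with no filesystem knowledge, so it also finds
    files in unallocated space, and it also produces duplicates and false positives
    (the Exif thumbnail inside a JPEG, for instance, is carved as a second JPEG).
    """
    results = []
    for ftype, ext, header, footer, maxlen in RULES:
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            window = image[start:start + maxlen]
            end = len(window)                       # default: fixed-size carve
            if footer is not None:
                f = window.find(footer, len(header))
                if f != -1:
                    end = f + len(footer)
            results.append({"type": ftype, "ext": ext, "offset": start,
                            "size": end, "data": window[:end]})
    results.sort(key=lambda r: r["offset"])
    return results


def write_carved(results, outdir="scalpel-output"):
    """Write results as <outdir>/<type>/<offset>.<ext>, mirroring scalpel's layout."""
    paths = []
    for r in results:
        d = os.path.join(outdir, r["type"])
        os.makedirs(d, exist_ok=True)
        p = os.path.join(d, "%08d.%s" % (r["offset"], r["ext"]))
        with open(p, "wb") as fh:
            fh.write(r["data"])
        paths.append(p)
    return paths


def build_sample_image():
    """Constructed 'disk image': zero filler around a JPEG, a PDF and a SQLite header."""
    pad = b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
    sqlite = b"SQLite format 3\x00" + b"\x10\x00" + b"S" * 100
    return pad + jpeg + pad + pdf + pad + sqlite + pad


if __name__ == "__main__":
    for r in carve(build_sample_image()):
        print("%-6s offset=%4d size=%4d" % (r["type"], r["offset"], r["size"]))
```

The SQLite rule has no footer, so it carves a fixed 4096 bytes (or less at end of image), which is why scalpel's SQLite output always needs a second pass with sqlite3 or strings to see which carved blocks are whole databases; the grep -R svc_center step later in the slides is exactly that second pass.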

Hex viewer (xxd)

• Usage:

$ xxd iPhone-3g-313.dmg | less

• To auto-skip runs of 0's:

$ xxd -a iPhone-3g-313.dmg | less

Hex editor

• Usage:

$ hexedit iPhone-3g-313.dmg

• Once in the hex editor:

– "/" = search for a hex/ASCII string (in "hexedit" use Tab to switch between ASCII and hex searches)

– q = exit the hex editor

– h = help

• Can quickly locate potential evidence

• Other tools are also available (hexeditor and many others)

Grep Command

• Searches through a file (or many files/folders) for a specified keyword(s)

• Grep is case sensitive by default

$ grep amr iPhone-3g-313.dmg

• To do a case-insensitive search (more time consuming):

$ grep -i AmR iPhone-3g-313.dmg

• Can search for a phrase in quotes

$ grep "Trace File" iPhone-3g-313.dmg

• -a treats the binary image as text so the matching lines are printed instead of just "Binary file ... matches"; -A/-B add lines of context after/before each hit

$ grep -a "Trace File" iPhone-3g-313.dmg

$ grep -a -A 1 -B 1 "Trace File" iPhone-3g-313.dmg

Grep Command (continued)

• Can also be used to search through many files

• Grep through all files in a user's home directory for "viaF":

analyst@ubuntu:~$ grep -R 312493 *

Binary file scalpel-output/sqlitedb-9-0/00001.db matches

Binary file scalpel-output/sqlitedb-9-0/00017.db matches

• Find all sms database files from the iPhone (after scalpel):

analyst@ubuntu:~$ grep -R svc_center sqlite*

"Strings" Command

• Strings is a powerful utility to extract ASCII or Unicode strings from binary data

• Can be run against a file or a full disk image

$ strings iPhone-3g-313.dmg > iPhone.str

$ strings iPhone-3g-313.dmg | less

• Can also search for Unicode (here 16-bit big-endian):

$ strings -e b iPhone-3g-313.dmg | less

"Strings" does more than ASCII

• Strings is designed to extract ASCII and Unicode

– 7-bit ASCII, 8-bit ASCII

– 16-bit big-endian and little-endian

– 32-bit big-endian and little-endian

• From the strings manual page:
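The -e option above selects the character width and byte order strings scans for: s (7-bit), S (8-bit), b and l (16-bit big/little-endian), B and L (32-bit). UTF-16 text, which iOS plists, SQLite databases and Windows artifacts all contain, is invisible to the default pass because every other byte is a NUL. The code below is an added example for this page, not binutils' strings or the presentation's code; it implements the same selection over a constructed blob holding ASCII, UTF-16LE and UTF-16BE strings.

```python
"""strings(1)-style extraction across the encodings its -e option selects.
Added example, not the presentation's code; the sample bytes are constructed."""

# -e letter -> (bytes per character, byte order); 's' is 7-bit, 'S' 8-bit
ENCODINGS = {"s": (1, "big"), "S": (1, "big"), "b": (2, "big"), "l": (2, "little"),
             "B": (4, "big"), "L": (4, "little")}


def _printable(cp, eight_bit):
    return 0x20 <= cp <= 0x7E or cp == 0x09 or (eight_bit and 0xA0 <= cp <= 0xFF)


def extract_strings(data, encoding="s", min_len=4):
    """Return [(offset, text), ...] for runs of at least min_len printable characters.

    Every byte alignment is scanned, so a 16-bit string that starts at an odd
    offset is still found; each run is reported with the offset of its first byte.
    """
    width, order = ENCODINGS[encoding]
    eight_bit = encoding == "S"
    found = []
    for phase in range(width):
        run, start = [], None
        for off in range(phase, len(data) - width + 1, width):
            cp = int.from_bytes(data[off:off + width], order)
            if _printable(cp, eight_bit):
                if start is None:
                    start = off
                run.append(chr(cp))
            else:
                if len(run) >= min_len:
                    found.append((start, "".join(run)))
                run, start = [], None
        if len(run) >= min_len:
            found.append((start, "".join(run)))
    found.sort()
    return found


# Constructed blob: ASCII, then UTF-16LE, then UTF-16BE text between junk bytes
SAMPLE = (b"\x00\x01\x02" + b"Trace File\x00" + b"\xff\xfe"
          + "svc_center".encode("utf-16-le") + b"\x00\x00\x13\x88"
          + "iPhone OS".encode("utf-16-be") + b"\x00\x80\x81")


def all_encodings(data, min_len=4):
    """What running strings with -e s, -e l and -e b would each report."""
    return {enc: extract_strings(data, enc, min_len) for enc in ("s", "l", "b")}


if __name__ == "__main__":
    for enc, hits in all_encodings(SAMPLE).items():
        print("-e", enc, hits)
```

Run on SAMPLE, the s pass reports only "Trace File"; the l pass finds "svc_center" at offset 16 and, because this implementation tries every alignment, the big-endian "iPhone OS" at offset 41 as well; the b pass reports "iPhone OS" at offset 40 plus a truncated "vc_center" at offset 17, which is the little-endian text read with the wrong byte order and shifted by one byte. Cross-checking both byte orders is therefore routine, and a keyword that grep cannot find in the raw image often turns up here.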

Decrypting data – step 1

• Scenario: imaged iPhone, and an application has encrypted data which you need to view.

• Our solution (but other approaches may work)

• Noted app data was encrypted

• Analyzed the symbol table for the app, saw entries such as:

• 00091033 t -[NSData(AESAdditions) AES256DecryptWithKey:]

• 00092015 t -[NSData(AESAdditions) AES256EncryptWithKey:]

• 0009aA07e t -[NSData(AESAdditions) keyBytes:]

• 00034261 t +[NSData(Base64) dataFromBase64String:]

• 00034410 t -[NSData(Base64) base64EncodedString]

• Determined the app stored its key in the Keychain, so cracked the keychain and found an entry with a Base64-encoded key

• Decoded the Base64 key

• Wrote a quick program that called the "AES256DecryptWithKey" API with the encrypted file and the decoded AES key to access the data

• F/OSS tools used:

• Zdziarski's techniques to physically image the device and crack the keychain

• Strings to determine the encryption technique

• Xcode from Apple to write the decrypt program

Andrew Hoog

Chief Investigative Officer

ahoog@viaforensics.com http://viaforensics.com

Main Office:

1000 Lake St, Suite 203

Oak Park, IL 60301

Tel: 312-878-1100 | Fax: 312-268-7281

   

Source: <https://www.nowsecure.com/blog/2011/10/20/howto-iphone-forensics-free-andor-open-source-tools-91411/>

  

 

 

 

Direct download

viaForensics-iPhone-Forensics-with-FOSS.pdf



   

   

Cyber Policing Research Center

http://cyberpolicing.com/

   


   

   

GUID analysis techniques for preventing information leakage on Windows

   

 



윈도우즈 기반에서 정보 유출 방지를 위한 GUID 분석기법(2011).pdf



   

   

Digital forensics technology and standardization trends

   



[2008]=디지털포렌식기술과_표준화동향_tta.pdf



   

   

Design of an incident response system to support computer forensics

   

   


[2005]=컴퓨터 포렌식스 지원을 위한 침해대응시스템 설계.pdf

