포렌식 관련 참고 사이트 모음

사고대응관련 기관

국내	CERTCC-KR   -  http://www.certcc.or.kr/  SecurityMap.Net IRC  -  http://www.securitymap.net/  KRNIC   -  http://ip.nic.or.kr/  CONCERT   -  http://www.concert.or.kr/  경찰청    -   http://www.ctrc.go.kr/  검찰청    -   http://icic.sppo.go.kr/  국정원    -   http://www.nis.go.kr/
국외	FIRST    -    http://www.first.org/  APCERT   -   http://www.apcert.org/  TF-CERT   -   http://www.terena.nl/tech/task-forces/tf-csirt/

 

■ 취약성 정보 제공 사이트

CVE	http://cve.mitre.org/
CERTCC-KR	http://www.certcc.or.kr
Securityfocus	http://www.securityfocus.com
CERTCC	http://www.cert.org
CIAC	http://www.ciac.org/ciac/
SANS ISC	http://isc.sans.org/

 ■ PGP software 

PGPi	http://www.pgpi.org/
GnuPG	http://www.gnupg.org/

 Part II: 유닉스 피해시스템 분석

 ■ 분석 도구

netcat  cryptcat	http://www.atstake.com/research/tools/network_utilities/  http://sourceforge.net/projects/cryptcat/
lsof	ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof
nmap	http://www.nmap.org  http://www.certcc.or.kr/tools/Nmap.html  http://www.neohapsis.com/neolabs/neo-ports/
chkrootkit	http://www.chkrootkit.org
sleuthkit/autopsy	http://www.sleuthkit.org/index.php
TCT	http://www.porcupine.org/forensics/
분석도구링크사이트	http://www.sleuthkit.org/links.php  http://www.opensourceforensics.org/tools/index.html  http://www.linux-forensics.com/downloads.html
분석 CD	snarl  -  http://snarl.eecue.com/articles/  FIRE  - http://fire.dmzs.com/

 

■ 무결성 관련 사이트 및 도구

Tripwire	http://www.certcc.or.kr/tools/tripwire.html
SUN fingerprint  Database	http://sunsolve.Sun.COM/pub-cgi/show.pl?target=content/content7
Known Goods	http://www.knowngoods.org/
Cyber Abuse	http://rk.cyberabuse.org/
NIST NSRL	http://www.nsrl.nist.gov/
Hacker Keeper	http://www.hashkeeper.org

 

■ LKM 관련 자료

Solaris LKM/BSD LKM/Linux LKM	http://www.thc.org/papers.php
Knark 분석문서	http://www.certcc.or.kr/paper/paper-2.htm  http://www.securityfocus.com/guest/4871
Runtime Kernel Patch	http://phrack.org/phrack/58/p58-0x07
Adore LKM	http://www.team-teso.net/releases.php
kstat	http://s0ftpj.org/en/site.html
carbonite	http://www.foundstone.com

 

■ log 분석 및 관리

Counterpane

http://www.counterpane.com/log-analysis.html

 

■ 코드분석

strace	http://www.liacs.nl/~wichert/strace/
ltrace	http://packages.debian.org/stable/utils/ltrace.html
fenris	http://lcamtuf.coredump.cx/fenris/devel.shtml
REC	http://www.backerstreet.com/rec/rec.htm
IDA Pro	http://www.datarescue.com/idabase/ida.htm

 

 Part III: Windows 피해시스템 분석

 ■ 디스크 복제

EnCase	http://www.guidancesoftware.com/
Safeback	http://www.forensics-intl.com/
Ghost	http://www.symantec.co.kr
TrueImage	http://www.acronis.com/products/trueimage/
Windows dd	http://unxutils.sourceforge.net/  http://fire.dmzs.com/
VOGON Image	http://www.vogon-international.com
Fastbloc	http://www.guidancesoftware.com
netcat	http://www.atstake.com/  http://sourceforge.net/projects/cryptcat/

 ■ 피해 정보 수집

psinfo, uptime, loggedon, pslist, listdlls, handle, streams	http://www.sysinternals.com
fport/vision, sfind	http://www.foundstone.com
promiscdetect	http://ntsecurity.nu/toolbox/promiscdetect
listmodules, LNS	http://www.ntsecurity.nu/

 ■ 초기대응 자동화 도구

Biatchux	http://biatchux.dmzs.com/
IRCR	http://packetstormsecurity.nl/Win/IRCR.zip

 ■ 파일 분석

fs	http://protools.anticrack.de/files/utilities/fs.zip
SECRETS	http://www.invisiblesecrets.com
EnCase	http://www.guidancesoftware.com
FTK	http://www.accessdata.com
bintext	http://www.foundstone.com

 ■ NT 루트킷

NT 루트킷 동작원리	http://www.phrack.org/show.php?p=55&a=5
NT 후크(hook) 프로그래밍	http://www.iamaphex.cjb.net
NT 후크(hook) API	http://www.anticracking.sk/elicz
HookTool	http://www.ivosoft.com/
Windows API 보호 프로그램	http://www.watchguard.co.kr/slock.htm

 ■ 디스크 분석

디스크 탐색기	http://www.restorer2000.com  http://www.runtime.org/
플로피디스크/하드디스크 분석	http://home.ahnlab.com/securityinfo
Seagate 디스크 유틸리티	http://www.seagate.com/support/software
Maxtor 디스크 유틸리티	http://www.maxtor.com/en/index.htm
SAMSUNG 디스크 유틸리티	http://www.sec.co.kr
슬랙 공간 검색 프로그램(NTI)	http://www.secure-data.com

 ■ 메모리 덤프

Windows NT memory dumps	http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q235496&
Windows 2000/xp/2003  memory dumps	http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q254649&
Windows Debugging Tools	http://www.microsoft.com/whdc/ddk/debugging/default.mspx
pmdump	http://ntsecurity.nu/toolbox/pmdump

 ■ Timeline 분석

Wininterrogate	http://winfingerprint.sourceforge.net

 ■ 파일 복구

휴지통 폴더 분석(Rifiuti)	http://sourceforge.net/projects/odessa
파일 복구(Undelete)	http://www.execsoft.com/undelete
GetDataBack	http://www.runtime.org
File Recover	http://www.filerecover.com

 ■ 임시파일 분석

Cache Auditor	http://www.webknacks.com
PurgeIE Pro	http://www.purgeie.com
History Reader	http://www.wbaudisch.de/HistoryReader.htm
IE Cookie File  IE Internet Activity	http://sourceforge.net/project/odessa
Examiner	http://www.paraben-forensics.com/examiner.html

 ■ 로그 파일 분석

NT Security Event IDs	http://support.microsoft.com/default.aspx?scid=kb;en-us:174074  --> x
Event ID 검색	http://www.eventid.net
Windows 2000 Event IDs	http://www.microsoft.com/korea/windows2000/techinfo/messages/default.asp
EventCombMT	http://www.microsoft.com/downloads/release.asp?releaseid=36834
이벤트 로그 모니터링	http://www.tntsoftware.com
원격 이벤트 로그 수집	http://www.kiwisyslog.com/  http://www.rippletech.com
Log Parser	http://www.microsoft.com/windows2000/downloads/tools/default.asp
웹서버 공격 로그 점검	http://www.securitymap.net/sdm/docs/ids/fingerprint-80-attack.txt
Log Parser	http://securityfocus.com/infocus/1712
SQL-Inject 공격 분석	http://www.nextgenss.com/papers/advanced_sql_injection.pdf  http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf

 ■ 바이너리 프로그램 분석

Filemon, Regmon,  CPUmon, TDImon,  procexp, strings	http://www.sysinternals.com
Winalysis	http://www.winalysis.com
strace	http://razor.bindview.com/tools
Tripwire	http://www.tripwire.com
Undelete 3.0	http://www.execsoft.com/undelete
INTACT	http://www.pedestalsoftware.com
API Spy	http://www.matcode.com/apis32.htm
SoftICE	http://www.numega.com/
PE File Format	http://spiff.tripnet.se/~iczelion/files/pe1.zip  http://www.windowsitlibrary.com/Content/356/11/toc.html
PEiD	http://www.mesa-sys.com/~snaker/peid
UPX	http://upx.sourceforge.net
gt030	http://surf.to/phax
fd/fi FileScanner	http://protools.anticrack.de/files/utilities/fd.zip  http://protools.anticrack.de/files/utilities/fi.zip
Programmer’s Tools	http://protools.cjb.net/
IDA Pro	http://www.datarescue.com/idabase/ida.htm
PE Exploere	http://www.heaventools.com

 ■ 패스워드 해독

@stake LC	http://www.atstake.com/
John the Ripper	http://www.openwall.com/john/
chntpw	http://ntpass.blaa.net
rawwrite2	http://home.eunet.no/~pnordahl/ntpasswd
패스워드 복구 프로젝트	http://www.openwall.com/passwords
ELCOMSOFT	http://www.crackpassword.com
Russian password crackers	http://www.password-crackers.com
Passware Kit	http://www.lostpassword.com
AccessData	http://www.accessdata.com
PasswordService	http://www.passwordservice.com

 

Part IV: 공격자 모니터링

 ■ 네트워크 모니터링

TCPDump	http://www.tcpdump.org  http://windump.polito.it
tcpflow	http://www.circlemud.org/~jelson/software/tcpflow/
ngrep	http://www.packetfactory.net/Projects/ngrep
ethereal	http://www.ethereal.com
snort	http://www.snort.org
p0f	http://www.stearns.org/p0f/
dsniff	http://monkey.org/~dugsong/dsniff/

 ■ 시스템 모니터링

sebek	http://www.honeynet.org/papers/honeynet/tools/index.html
ComLog	http://iquebec.ifrance.com/securit/
evtsys	https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys
원격 이벤트 로그 수집	http://www.kiwisyslog.com/

 ■ Honeynet/Honeypot

Honeynet.Org	http://www.honeynet.org
backofficer	http://www.nfr.com/resource/backOfficer.php
Deception Toolkit	http://all.net/dtk/index.html
Honeyd	http://www.citi.umich.edu/u/provos/honeyd/
Tracking Hackers	http://www.tracking-hackers.com/
Honeypots.net	http://www.honeypots.net/
bridge Firewall	http://doc.kldp.org/wiki.php/DocbookSgml/Bridge_Firewall-KLDP
Firewall 관련자료	http://doc.kldp.org/wiki.php/LinuxdocSgml/Firewall-HOWTO
Netfilter	http://doc.kldp.org/wiki.php/DocbookSgml/Netfilter-hacking-TRANS
Firewall 설정  스크립(rc.firewall)	http://www.honeynet.org/papers/gen2/rc.firewall
Vmware	http://www.vmware.com/products/
UML	http://user-mode-linux.sourceforge.net/

 

Part IV: 공격자 추적 및 대응

samspade	http://www.samspade.org/ssw/
ARIN	http://www.arin.net/index.html
APNIC	http://www.apnic.net/apnic-bin/whois.pl
RIPE	http://www.ripe.net/perl/whois
LACNIC	http://lacnic.net/cgi-bin/lacnic/whois
KRNIC	http://whois.nic.or.kr/
이메일 환경개선 추진 협의체	http://www.antispam.or.kr/
Network Abuse Clearinghouse	http://www.abuse.net/
Fight Spam	http://spam.abuse.net/
Spamcop	http://www.spamcop.net/
Mail Abuse Prevention System	http://mail-abuse.org/