DIGITAL FORENSICS: Security Identifier SID คือ
http://www.mvpskill.com |
* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ
Digital forensic examiners are investigators who are experts in gathering, recovering, analyzing, and presenting data evidence from computers and other digital media related to computer-based .They might work on cases concerning identity theft, electronic fraud,investigation of material found in digital devices ,electronic evidence, often in relation to cyber crimes.
http://www.mvpskill.com |
รูปจาก notebookspec.com |
รูปจาก notebookspec.com |
ตัวอย่างที่ 1 $MFT Master File Table Date Create 26-3-2012 |
Original Install Date: |
ตัวอย่างที่ 2 Windows Original Install Date: 24-9-2019 |
Microsoft Security Bulletin MS12-020 - Critical คือ ช่องโหว่ที่ร้ายแรง อนุญาตให้เรียกใช้โค้ดจากระยะไกลได้ หากผู้โจมตีส่งลำดับของแพ็กเก็ต RDP ที่ออกแบบมาเป็นพิเศษไปยังระบบที่ได้รับผลกระทบ โดยค่าเริ่มต้น Remote Desktop Protocol (RDP)
ทดสอบช่องโหว่ โดยเตรียมเครื่องมือดังนี้
Kali# wget -O RDPkill.py
http://www.pastebin.com/raw.php?i=G99npvDy
#chmod 777 RDPkill.py
File RDPkill.7z ps: 1234
#python (python2) RDPkill.py 192.168.18.131
Microsoft ได้ประกาศ Security Bulletin MS12-020 เพื่อ แจ้งเตือนผู้ใช้งานระบบปฏิบัติการ Windows ทุกเวอร์ชัน ให้ ทำการติดตั้งแพทช์ KB2621440 เพื่อแก้ไขปัญหาช่องโหว่ CVE-2012-0002 ซึ่งอนุญาตให้ผู้ไม่หวังดีส่งแพ็กเกจ RDP (Remote Desktop Protocol) เข้ามายังระบบ เพื่อสั่งให้ ประมวลผลคำสั่งที่ไม่พึงประสงค์จากระยะไกลได้ (Remote Code Execution) [10-1] อย่างไรก็ตาม ถึงแม้ว่าช่องโหว่ดังกล่าวได้ถูกแจ้งมายัง Microsoft โดยตรง และเชื่อว่า ไม่ได้มีการเปิดเผยราย
โดยออกคำแนะนำให้ติดตั้งลงบน Windows ทุกเครื่อง (แม้ว่าไม่ได้ enable RDP ก็ตาม) ใน Update นี้ มี 2 ไฟล์ (KB2621440 และ KB2667402 )
สืบคดีสไตล์ CSI รูปภาพจาก หนังสือ ถอดรหัสนิติวิทยาศาสตร์ |
รูปภาพจาก หนังสือ ถอดรหัสนิติวิทยาศาสตร์ |
Star Wars Episode I |
Reverse.photos |
Search by Image |
Name
|
From
|
Description
|
MoonSols
|
Generates
physical memory dump of Windows machines, 32 bits 64 bit. Can run from a USB
flash drive.
|
|
Guidance
Software
|
Create EnCase
evidence files and EnCase logical evidence files [direct download link]
|
|
Magnet
Forensics
|
Checks local
physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted
volumes
|
|
4Discovery
|
Edit EWF
(E01) meta data, remove passwords (Encase v6 and earlier)
|
|
Ridgecrop
|
Enables large
capacity disks to be formatted as FAT32
|
|
Web Content
Protection Association
|
Browser
designed to forensically capture web pages
|
|
AccessData
|
Imaging tool,
disk viewer and image mounter
|
|
vogu00
|
Multi-threaded
GUI imager under running under Linux
|
|
Kazuyuki
Nakayama
|
Safely remove
SATA disks similar to the “Safely Remove Hardware” icon in the
notification area
|
|
CERT
|
Allows
examiner to boot dd images in VMware.
|
|
Paraben
|
Mount
forensic images as read-only local logical and physical disks
|
|
Belkasoft
|
Extracts RAM
dump including that protected by an anti-debugging or anti-dumping system. 32
and 64 bit builds
|
|
Passmark
Software
|
Boot utility
for CD/DVD or USB flash drives to create dd or AFF images/clones.
|
|
Passmark
Software
|
Mounts a wide
range of disk images. Also allows creation of RAM disks
|
|
Tableau
|
Imaging tool
for use with Tableau imaging products
|
|
Microsoft
|
Converts raw
disk images to VHD format which are mountable in Windows Disk Management
|
Name
|
From
|
Description
|
|
Lepide
Software
|
Open and view
(not export) Outlook EDB files without an Exchange server
|
||
MiTeC
|
Viewer for
Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message
databases and single EML files
|
||
Lepide
Software
|
Open and view
(not export) Outlook OST files without connecting to an Exchange server
|
||
Lepide
Software
|
Open and view
(not export) Outlook PST files without needing Outlook
|
||
Name
|
From
|
Description
|
Mythicsoft
|
Search
multiple files using Boolean operators and Perl Regex
|
|
Blackthorn
|
Contemporaneous
notes recorder
|
|
NIST
|
Collated
forensic images for training, practice and validation
|
|
Nuix
|
Copies data
between locations, with file comparison, verification, logging
|
|
Shirouzu
Hiroaki
|
Self labelled
‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc.
|
|
Gary Kessler
|
Table of file
signatures
|
|
Nirsoft
|
Calculate MD5
and SHA1 hashes
|
|
Mobatek
|
Run Linux
live CDs from their ISO image without having to boot to them
|
|
Arkane
Systems
|
Automatically
moves mouse pointer stopping screen saver, hibernation etc.
|
|
Notepad ++
|
Advanced
Notepad replacement
|
|
NIST
|
Hash sets of
‘known’ (ignorable) files
|
|
Ted
Technology
|
A Linux &
Windows GUI for individual and recursive SHA1 hashing of files
|
|
DSi
|
Enables
software write-blocking of USB ports
|
|
Sécurité
Multi-Secteurs
|
Software
write blocker for Windows XP through to Windows 8
|
|
Troy Larson
|
Guide by
Brett Shavers to creating and working with a Windows boot CD
|
Name
|
From
|
Description
|
Allan Hay
|
Reads Windows
XP,Vista and Windows 7 prefetch files
|
|
David Kovar
|
Parses the
MFT from an NTFS file system allowing results to be analysed with other tools
|
|
Various
|
Detects full
and partial multimedia files in unallocated space
|
|
Ted
Technology
|
Recursively
parses headers of every eCryptfs file in selected directory. Outputs encryption
algorithm used, original file size, signature used, etc.
|
|
Passware
|
Scans a
computer for password-protected & encrypted files, reports encryption
complexity and decryption options for each file
|
|
Phil Harvey
|
Read, write
and edit Exif data in a large number of file types
|
|
Sanderson
Forensics
|
View various
picture formats, image enhancer, extraction of embedded Exif, GPS data
|
|
Mandiant
|
Examine log
files using text, graphic or histogram views
|
|
4Discovery
|
Recursively
parses folders extracting 30+ attributes from Windows .lnk (shortcut) files
|
|
Nirsoft
|
View and
export Windows Live Messenger contact details
|
|
EMC
|
Network
packet capture and analysis
|
|
Mandiant
|
Acquire
and/or analyse RAM images, including the page file on live systems
|
|
4Discovery
|
Recursively
parses folders to extract meta data from MS Office, OpenOffice and PDF files
|
|
Sanderson
Forensics
|
Displays and
decodes contents of an extracted MFT file
|
|
NetGrab
|
Network
monitoring tool, with covert “silent port scanning”
|
|
Mike’s
Forensic Tools
|
Lists EXIF,
and where available, GPS data for all photographs present in a directory.
Export data to .xls or Google Earth KML format
|
|
Microsoft
|
Suite of
command-line Windows utilities
|
|
Shadow
Explorer
|
Browse and
extract files from shadow copies
|
|
Chris Mayhew
|
GUI tool for
parsing .lnk files, prefetch and jump list artefacts
|
|
Mrinal Kant,
Tarakant Tripathy
|
Firefox
add-on enabling viewing of any SQLite database
|
|
Microsoft
|
Command-line
tool for text searches
|
|
MiTec
|
View and
manage MS OLE Structured Storage based files
|
|
Mike’s
Forensic Tools
|
Text
replacement/converter/decoder for when dealing with URL encoding, etc
|
|
MiTeC
|
Analyse
thumbs.db, Prefetch, INFO2 and .lnk files
|
Name
|
From
|
Description
|
Twocanoes
Software
|
Audit
Preference Pane and Log Reader for OS X
|
|
Aaron
Burghardt
|
Blocks the
mounting of file systems, complimenting a write blocker in disabling disk
arbitration
|
|
Blackbag
Technologies
|
Converts
epoch times to local time and UTC
|
|
AccessData
|
Command line
Mac OS version of AccessData’s FTK Imager
|
|
Blackbag
Technologies
|
Lists items
connected to the computer (e.g., SATA, USB and FireWire Drives, software RAID
sets). Can locate partition information, including sizes, types, and the bus
to which the device is connected
|
|
Cyber Marshal
|
Command-line
utility to capture physical RAM from Mac OS systems
|
|
Blackbag
Technologies
|
Displays the
physical partitioning of the specified device. Can be used to map out all the
drive information, accounting for all used sectors
|
Name
|
From
|
Description
|
Leo Crawford,
Mat Proud
|
Explore the
internal file structure of Pad, iPod and iPhones
|
|
Robin Wood
|
Extracts
phone model and software version and created date and GPS data from iPhone
videos.
|
|
CCL Forensics
|
Deconstructs
Blackberry .ipd backup files
|
|
SignalSEC
Corp
|
Obtain SMS
Messages, call logs and contacts from Android devices
|
|
Zena
Forensics
|
Extract
WhatApp messages from iOS and Android backups
|
Name
|
From
|
Description
|
Brian Carrier
|
Graphical
interface to the command line digital investigation analysis tools in The
Sleuth Kit (see below)
|
|
Backtrack
|
Penetration
testing and security audit with forensic boot capability
|
|
Nanni
Bassetti
|
Linux based
live CD, featuring a number of analysis tools
|
|
Dr. Stefano
Fratepietro and others
|
Linux based
live CD, featuring a number of analysis tools
|
|
ArxSys
|
Analyses
volumes, file systems, user and applications data, extracting metadata,
deleted and hidden items
|
|
Harlan Carvey
|
Automates
‘repetitive tasks of data collection’. Fuller description here
|
|
Sumuri
|
Ubuntu based
live boot CD for imaging and analysis
|
|
SANS
|
VMware
Appliance pre-configured with multiple tools allowing digital forensic
examinations
|
|
Brian Carrier
|
Collection of
UNIX-based command line file and volume system forensic analysis tools
|
|
How-To Geek
|
Guide to
using an Unbuntu live disk to recover partitions, carve files, etc.
|
|
Volatile
Systems
|
Collection of
tools for the extraction of artefacts from RAM
|
Name
|
From
|
Description
|
Microsoft
|
View
PowerPoint presentations
|
|
Microsoft
|
View Visio
diagrams
|
|
VideoLAN
|
View most
multimedia files and DVD, Audio CD, VCD, etc.
|
Name
|
From
|
Description
|
CCL Forensics
|
Python module
for performing off-line parsing of Chrome session files (“Current Session”,
“Last Session”, “Current Tabs”, “Last Tabs”)
|
|
Nirsoft
|
Reads the
cache folder of Google Chrome Web browser, and displays the list of all files
currently stored in the cache
|
|
Mike’s
Forensic Tools
|
Extracts
embedded data held within Google Analytics cookies. Shows search terms used
as well as dates of and the number of visits.
|
|
Busindre
|
Runs in
Python 3.x, extracting forensic information from Firefox, Iceweasel and
Seamonkey browsers. See manual for more information.
|
|
Belkasoft
|
Captures
information publicly available in Facebook profiles.
|
|
Nirsoft
|
Extracts
various details of Internet Explorer cookies
|
|
Nirsoft
|
Extract
stored passwords from Internet Explorer versions 4 to 8
|
|
Nirsoft
|
Reads the
cache folder of Firefox/Mozilla/Netscape Web browsers
|
|
Nirsoft
|
Parses the
cookie folder of Firefox/Mozilla/Netscape Web browsers
|
|
Nirsoft
|
Reads the
history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list
of all visited Web page
|
|
Nirsoft
|
Extracts
search queries made with popular search engines (Google, Yahoo and MSN) and
social networking sites (Twitter, Facebook, MySpace)
|
|
Nirsoft
|
Extracts the
user names and passwords stored by Mozilla Firefox Web browser
|
|
Nirsoft
|
Reads the
cache folder of Opera Web browser, and displays the list of all files
currently stored in the cache
|
|
Nirsoft
|
Decrypts the
content of the Opera Web browser password file, wand.dat
|
|
Mandiant
|
Reviews list
of URLs stored in the history files of the most commonly used browsers
|
|
Magnet
Forensics
|
Takes list of
URLs saving scrolling captures of each page. Produces HTML report file
containing the saved pages
|
Name
|
From
|
Description
|
Woanware
|
Extracts user
information from the SAM, SOFTWARE and SYSTEM hives files and decrypts the LM/NT
hashes from the SAM file
|
|
Microsoft
|
Examine
Windows processes and registry threads in real time
|
|
US National
Institute of Justice, Digital Forensics Solutions
|
For the
acquisition, analysis, and reporting of registry contents
|
|
Harlan Carvey
|
Registry data
extraction and correlation tool
|
|
Regshot
|
Takes
snapshots of the registry allowing comparisons e.g., show registry changes
after installing software
|
|
TZWorks
|
Extracts data
from Shellbag entries
|
|
Woanware
|
Details
previously attached USB devices on exported registry hives
|
|
4Discovery
|
Displays 20+
attributes relating to USB device use on Windows systems
|
|
Nirsoft
|
Details
previously attached USB devices
|
|
4Discovery
|
Extracts SID,
User Names, Indexes, Application Names, Run Counts, Session, and Last Run
Time Attributes from UserAssist keys
|
|
Didier
Stevens
|
Displays list
of programs run, with run count and last run date and time
|
|
MiTec
|
Extracts
configuration settings and other information from the Registry
|
Name
|
From
|
Description
|
Magnet
Forensics
|
Decrypts the
Dropbox filecache.dbx file which stores information about files that have been
synced to the cloud using Dropbox
|
|
Magnet
Forensics
|
Takes x,y,z
coordinates found in a tile filename and downloads surrounding tiles
providing more context
|
|
Sanderson
Forensics
|
Extracts
various data from the KaZaA application
|
|
Nirsoft
|
View and
export Windows Live Messenger contact details
|
|
Nirsoft
|
View Skype
calls and chats
|
Name
|
From
|
Description
|
Digital
Detective
|
Converts
various data types to date/time values
|
|
Rene Devichi
|
View
unencrypted backups of iPad, iPod and iPhones
|
|
Foxton
Software
|
Analysis of
internet history data generated using Google Chrome
|
|
Nirsoft
|
Extracts
recently visited Internet Explorer URLs
|