Domestic (Korea)
CERTCC-KR - http://www.certcc.or.kr/
SecurityMap.Net IRC - http://www.securitymap.net/
KRNIC - http://ip.nic.or.kr/
CONCERT - http://www.concert.or.kr/
National Police Agency - http://www.ctrc.go.kr/
Prosecutors' Office - http://icic.sppo.go.kr/
National Intelligence Service - http://www.nis.go.kr/
International
FIRST - http://www.first.org/
APCERT - http://www.apcert.org/
TF-CERT - http://www.terena.nl/tech/task-forces/tf-csirt/
■ Vulnerability information sites
CVE
http://cve.mitre.org/
CERTCC-KR
http://www.certcc.or.kr/
Securityfocus
http://www.securityfocus.com/
CERTCC
http://www.cert.org/
CIAC
http://www.ciac.org/ciac/
SANS ISC
http://isc.sans.org/
■ PGP software
PGPi
http://www.pgpi.org/
GnuPG
http://www.gnupg.org/
## Analysis of compromised Unix systems ##
■ Analysis tools
netcat
cryptcat
http://www.atstake.com/research/tools/network_utilities/
http://sourceforge.net/projects/cryptcat/
lsof
ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof
nmap
http://www.nmap.org
http://www.certcc.or.kr/tools/Nmap.html
http://www.neohapsis.com/neolabs/neo-ports/
chkrootkit
http://www.chkrootkit.org/
sleuthkit/autopsy
http://www.sleuthkit.org/index.php
TCT
http://www.porcupine.org/forensics/
Analysis tool link sites
http://www.sleuthkit.org/links.php
http://www.opensourceforensics.org/tools/index.html
http://www.linux-forensics.com/downloads.html
Analysis CDs
snarl - http://snarl.eecue.com/articles/
FIRE - http://fire.dmzs.com/
■ Integrity-related sites and tools
Tripwire
http://www.certcc.or.kr/tools/tripwire.html
SUN fingerprint Database
http://sunsolve.Sun.COM/pub-cgi/show.pl?target=content/content7
Known Goods
http://www.knowngoods.org/
Cyber Abuse
http://rk.cyberabuse.org/
NIST NSRL
http://www.nsrl.nist.gov/
Hacker Keeper
http://www.hashkeeper.org/
■ LKM-related materials
Solaris LKM/BSD LKM/Linux LKM
http://www.thc.org/papers.php
Knark analysis document
http://www.certcc.or.kr/paper/paper-2.htm
http://www.securityfocus.com/guest/4871
Runtime Kernel Patch
http://phrack.org/phrack/58/p58-0x07
Adore LKM
http://www.team-teso.net/releases.php
kstat
http://s0ftpj.org/en/site.html
carbonite
http://www.foundstone.com/
■ Log analysis and management
Counterpane
http://www.counterpane.com/log-analysis.html
■ Code analysis
strace
http://www.liacs.nl/~wichert/strace/
ltrace
http://packages.debian.org/stable/utils/ltrace.html
fenris
http://lcamtuf.coredump.cx/fenris/devel.shtml
REC
http://www.backerstreet.com/rec/rec.htm
IDA Pro
http://www.datarescue.com/idabase/ida.htm
## Analysis of compromised Windows systems ##
■ Disk duplication
EnCase http://www.guidancesoftware.com/
Safeback http://www.forensics-intl.com/
Ghost http://www.symantec.co.kr/
TrueImage http://www.acronis.com/products/trueimage/
Windows dd http://unxutils.sourceforge.net/
http://fire.dmzs.com/
VOGON Image http://www.vogon-international.com
Fastbloc http://www.guidancesoftware.com
netcat
http://www.atstake.com/
http://sourceforge.net/projects/cryptcat/
■ Collecting information from the compromised system
psinfo, uptime, loggedon,
pslist, listdlls, handle, streams http://www.sysinternals.com
fport/vision, sfind http://www.foundstone.com
promiscdetect http://ntsecurity.nu/toolbox/promiscdetect
listmodules, LNS http://www.ntsecurity.nu/
■ Initial response automation tools
Biatchux http://biatchux.dmzs.com/
IRCR
http://packetstormsecurity.nl/Win/IRCR.zip
■ File analysis
fs
http://protools.anticrack.de/files/utilities/fs.zip
SECRETS http://www.invisiblesecrets.com
EnCase http://www.guidancesoftware.com
FTK http://www.accessdata.com
bintext http://www.foundstone.com
■ NT rootkits
How NT rootkits work http://www.phrack.org/show.php?p=55&a=5
NT hook programming http://www.iamaphex.cjb.net
NT hook API http://www.anticracking.sk/elicz
HookTool http://www.ivosoft.com/
Windows API protection program http://www.watchguard.co.kr/slock.htm
■ Disk analysis
Disk explorer http://www.restorer2000.com
http://www.runtime.org/
Floppy disk / hard disk analysis http://home.ahnlab.com/securityinfo
Seagate disk utilities http://www.seagate.com/support/software
Maxtor disk utilities http://www.maxtor.com/en/index.htm
SAMSUNG disk utilities http://www.sec.co.kr
Slack space search program (NTI) http://www.secure-data.com
■ Memory dumps
Windows NT memory dumps http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q235496&
Windows 2000/xp/2003 memory dumps http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q254649&
Windows Debugging Tools http://www.microsoft.com/whdc/ddk/debugging/default.mspx
pmdump http://ntsecurity.nu/toolbox/pmdump
■ Timeline analysis
Wininterrogate http://winfingerprint.sourceforge.net
■ File recovery
Recycle Bin folder analysis (Rifiuti) http://sourceforge.net/projects/odessa
File recovery (Undelete) http://www.execsoft.com/undelete
GetDataBack http://www.runtime.org
File Recover http://www.filerecover.com
■ Temporary file analysis
Cache Auditor http://www.webknacks.com/
PurgeIE Pro http://www.purgeie.com/
History Reader http://www.wbaudisch.de/HistoryReader.htm
IE Cookie File
IE Internet Activity http://sourceforge.net/project/odessa
Examiner http://www.paraben-forensics.com/examiner.html
■ Log file analysis
NT Security Event IDs http://support.microsoft.com/default.aspx?scid=kb;en-us:174074 --> x
Windows 2000 Event IDs http://www.microsoft.com/korea/windows2000/techinfo/messages/default.asp
EventCombMT http://www.microsoft.com/downloads/release.asp?releaseid=36834
Event log monitoring http://www.tntsoftware.com
Remote event log collection http://www.kiwisyslog.com/
http://www.rippletech.com
Log Parser http://www.microsoft.com/windows2000/downloads/tools/default.asp
Checking web server attack logs http://www.securitymap.net/sdm/docs/ids/fingerprint-80-attack.txt
Log Parser http://securityfocus.com/infocus/1712
SQL injection attack analysis http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf
■ Binary program analysis
Filemon, Regmon, CPUmon, TDImon, procexp, strings http://www.sysinternals.com
Winalysis http://www.winalysis.com
strace http://razor.bindview.com/tools
Tripwire http://www.tripwire.com
Undelete 3.0 http://www.execsoft.com/undelete
INTACT http://www.pedestalsoftware.com
API Spy http://www.matcode.com/apis32.htm
SoftICE http://www.numega.com/
PE File Format http://spiff.tripnet.se/~iczelion/files/pe1.zip
http://www.windowsitlibrary.com/Content/356/11/toc.html
PEiD http://www.mesa-sys.com/~snaker/peid
UPX http://upx.sourceforge.net
gt030 http://surf.to/phax
fd/fi FileScanner http://protools.anticrack.de/files/utilities/fd.zip
http://protools.anticrack.de/files/utilities/fi.zip
Programmer’s Tools http://protools.cjb.net/
IDA Pro http://www.datarescue.com/idabase/ida.htm
PE Explorer http://www.heaventools.com/
■ Password cracking
@stake LC http://www.atstake.com/
John the Ripper http://www.openwall.com/john/
chntpw http://ntpass.blaa.net/
rawwrite2 http://home.eunet.no/~pnordahl/ntpasswd
Password recovery project http://www.openwall.com/passwords
ELCOMSOFT http://www.crackpassword.com/
Russian password crackers http://www.password-crackers.com/
Passware Kit http://www.lostpassword.com/
AccessData http://www.accessdata.com/
PasswordService http://www.passwordservice.com/
## Attacker monitoring ##
■ Network monitoring
TCPDump
http://www.tcpdump.org
http://windump.polito.it/
tcpflow
http://www.circlemud.org/~jelson/software/tcpflow/
ngrep
http://www.packetfactory.net/Projects/ngrep
ethereal
http://www.ethereal.com/
snort
http://www.snort.org/
p0f
http://www.stearns.org/p0f/
dsniff
http://monkey.org/~dugsong/dsniff/
■ System monitoring
sebek
http://www.honeynet.org/papers/honeynet/tools/index.html
ComLog
http://iquebec.ifrance.com/securit/
evtsys
https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys
Remote event log collection
http://www.kiwisyslog.com/
■ Honeynet/Honeypot
Honeynet.Org
http://www.honeynet.org/
backofficer
http://www.nfr.com/resource/backOfficer.php
Deception Toolkit
http://all.net/dtk/index.html
Honeyd
http://www.citi.umich.edu/u/provos/honeyd/
Tracking Hackers
http://www.tracking-hackers.com/
Honeypots.net
http://www.honeypots.net/
bridge Firewall
http://doc.kldp.org/wiki.php/DocbookSgml/Bridge_Firewall-KLDP
Firewall-related materials
http://doc.kldp.org/wiki.php/LinuxdocSgml/Firewall-HOWTO
Netfilter
http://doc.kldp.org/wiki.php/DocbookSgml/Netfilter-hacking-TRANS
Firewall configuration script (rc.firewall)
http://www.honeynet.org/papers/gen2/rc.firewall
Vmware
http://www.vmware.com/products/
UML
http://user-mode-linux.sourceforge.net/
## Attacker tracing and response ##
samspade
http://www.samspade.org/ssw/
ARIN
http://www.arin.net/index.html
APNIC
http://www.apnic.net/apnic-bin/whois.pl
RIPE
http://www.ripe.net/perl/whois
LACNIC
http://lacnic.net/cgi-bin/lacnic/whois
KRNIC
http://whois.nic.or.kr/
E-mail Environment Improvement Council
http://www.antispam.or.kr/
Network Abuse Clearinghouse
http://www.abuse.net/
Fight Spam
http://spam.abuse.net/
Spamcop
http://www.spamcop.net/
Mail Abuse Prevention System
http://mail-abuse.org/