Digital Forensics Tool Collection
http://forensic-proof.com/tools
The following is a list of digital forensics tools that I have used and found useful. Software inevitably contains bugs, so any tool used for evidence analysis should be cross-checked against at least one other tool (two or more tools in total).
Since Korea currently has no dedicated digital forensics certification body, tools that are widely recognised abroad are commonly used here and are generally accepted. The best-known programme of this kind is NIST's CFTT (Computer Forensic Tool Testing); strictly speaking CFTT tests tools and publishes the results rather than certifying them, and the tested tools are easy to look up in the CFTT Catalog.
In practice you will sometimes use a third-party tool because of the functional limits or inconvenience of the tested tools. In that case the results should finally be re-verified with a tested tool. A tool's strengths and weaknesses depend on the purpose, so choose the one that fits your own work. I hope the following list helps a little with that choice.
* If there is a tool you would like added to the list, or any other feedback, please feel free to leave a comment.
Last updated: 2013-09-14
Integrated Forensics Tools
Name | Interface | Platform | Manufacturer | Licence |
EnCase Forensic | GUI | Windows | Guidance Software | Commercial |
FTK (Forensic Toolkit) | GUI | Windows | AccessData | Commercial |
Forensic Explorer | GUI | Windows | GetData | Commercial |
X-Ways Forensics | GUI | Windows | X-Ways Software Technology AG | Commercial |
Mac Marshal Forensic Edition™ | GUI | Macintosh | Architecture Technology | Commercial |
BlackLight | GUI | Anywhere | BlackBag Technologies | Commercial |
Autopsy | GUI | Anywhere | Brian Carrier | Opensource |
Live CD/VM
Name | Interface | Platform | Manufacturer | Licence |
SIFT | – | – | SANS | Freeware |
PALADIN | – | – | SUMURI | Freeware |
DEFT | – | – | DEFT Staff | Freeware |
Helix | – | – | e-fense | Commercial |
BackTrack | – | – | BackTrack Linux | Freeware |
CAINE | – | – | CAINE | Freeware |
Live Forensics
Name | Interface | Platform | Manufacturer | Licence |
FPLive_win | CLI | Windows | JK Kim | Freeware |
FRED (First Responder’s Evidence Disk) | GUI | Windows | Dark Particle Labs | Freeware |
WFT (Windows Forensic Toolchest) | CLI | Windows | FoolMoon | Free/Comm |
Dual Purpose Volatile Data Collection Script | CLI | Windows | Corey Harrell | Opensource |
IRCR (Incident Response Collection Report) | CLI | Windows | mcleodjp | Opensource |
COFEE (Computer Online Forensic Evidence Extractor) | CLI | Windows | Microsoft | only Law enforcement |
MIR (MANDIANT Intelligent Response) | GUI | Windows | Mandiant | Commercial |
OnLineDFS (OnLine Digital Forensic Suite) | CLI | Windows | CST | Commercial |
MacResponse LE™ | GUI | Macintosh | AIS | Opensource |
Imaging Hardware
Name | Interface | Platform | Manufacturer | Licence |
Image MASSter Series | – | – | Intelligent Computer Solutions, Inc. | Commercial |
Dossier & Falcon | – | – | Logicube | Commercial |
TD3 | – | – | Tableau | Commercial |
Magicube | – | – | DataExpert | Commercial |
Imaging Software
Name | Interface | Platform | Manufacturer | Licence |
FTK Imager / FTK Imager Lite (CLI builds for Debian, Ubuntu, Fedora, RedHat, Mac OS) | GUI (CLI on Linux/Mac) | Windows (CLI: Linux, Mac OS) | AccessData | Freeware |
Tableau Imager | GUI | Windows | TABLEAU | Freeware (need Tableau W/B) |
X-Ways Imager | GUI | Windows | X-Ways Software Technology AG | Commercial |
EnCase Forensic Imager | GUI | Windows | Guidance Software | Freeware |
FAU DD | CLI | Windows | George M. Garner Jr. | Freeware |
ODIN | GUI | Windows | JensH | Opensource |
OSFClone | CLI | Windows | PassMark Software | Opensource |
ewfacquire, ewfacquirestream | CLI | Unix-based | Joachim Metz | Opensource |
Guymager | GUI | Linux | Guy Voncken (vogu00) | Opensource |
dcfldd | CLI | Unix-based | Nick Harbour | Opensource |
MacQuisition | GUI | Macintosh | BlackBag Technologies | Commercial |
Write Blocker
Name | Interface | Platform | Manufacturer | Licence |
Tableau Forensic Bridge | – | – | Tableau | Commercial |
Wiebetech Dock | – | – | Wiebetech | Commercial |
Image Mounting
Name | Interface | Platform | Manufacturer | Licence |
Arsenal Image Mounter | GUI | Windows | Arsenal Recon | Freeware |
Mount Image Pro | GUI | Windows | GetData | Commercial |
OSFMount | GUI | Windows | PassMark Software | Freeware |
VHD tool | CLI | Windows | Microsoft | Freeware |
LiveView | GUI | Win & Lin | CMU | Freeware |
raw2vmdk | GUI | Anywhere | Zapotek | Freeware |
FTK Imager | GUI | Windows | AccessData | Freeware |
P2 eXplorer | GUI | Windows | Paraben | Freeware |
ImDisk | GUI | Windows | LTRDATA | Opensource |
Remote Forensics
Name | Interface | Platform | Manufacturer | Licence |
F-Response Series | GUI | Anywhere | F-Response | Commercial |
Memory Acquisition
Name | Interface | Platform | Manufacturer | Licence |
DumpIt | CLI | Windows | MoonSols | Freeware |
win(32/64)dd | CLI | Windows | MoonSols | Free/Comm |
FastDump Pro | CLI | Windows | HBGary | Commercial |
mdd | CLI | Windows | ManTech | Opensource |
Memoryze for the Mac | CLI | Macintosh | Mandiant | Freeware |
FTK Imager / FTK Imager Lite (CLI builds for Debian, Ubuntu, Fedora, RedHat, Mac OS) | GUI (CLI on Linux/Mac) | Windows (CLI: Linux, Mac OS) | AccessData | Freeware |
WinPmem | CLI | Windows | Michael Cohen | Freeware |
fmem | CLI | Linux | niekt0 | Freeware |
LiME | CLI | Linux | Joe Sylve | Opensource |
Second Look® Linux Memory Acquisition | CLI | Linux | Raytheon Pikewerks | Commercial |
Mac Memory Reader™ | CLI | Macintosh | Mac Marshal™ | Freeware |
OSXPMem | CLI | Macintosh | Michael Cohen | Freeware |
Memory Analysis
Name | Interface | Platform | Manufacturer | Licence |
Redline | GUI | Windows | Mandiant | Freeware |
Volatility | CLI | Anywhere | Volatile Systems | Opensource |
Memoryze & Audit Viewer | GUI | Windows | Mandiant | Freeware |
Responder Pro | GUI | Windows | HBGary | Commercial |
Second Look® Linux Memory Analysis | CLI | Linux | Raytheon Pikewerks | Commercial |
Volafox | CLI | Mac OS | n0fate | Opensource |
Volafunx | CLI | FreeBSD | n0fate | Opensource |
Timeline Analysis
Name | Interface | Platform | Manufacturer | Licence |
log2timeline | CLI | Linux & Mac | Kristinn Gudjonsson | Freeware |
plaso | CLI | Win & Mac | Kristinn Gudjonsson | Freeware |
4n6time | GUI | Win & Mac | Kristinn Gudjonsson | Freeware |
Timeliner | GUI | Windows | Woanware | Freeware/Opensource |
Timeline Report | GUI | EnCase-Based | Geoff Black | Opensource |
Registry Analysis
Name | Interface | Platform | Manufacturer | Licence |
REGA(REGistry Analyzer) | GUI | Windows | 4&6tech | Commercial |
Registry Recon | GUI | Windows | Arsenal Recon | Commercial |
Registry Workshop | GUI | Windows | TorchSoft | Commercial |
RegRipper | CLI | Windows | Harlan Carvey | Opensource |
UserAssist | GUI | Windows | Didier Stevens | Freeware |
Registry Binary Parser | GUI | Windows | woanware | Freeware/Opensource |
RegRipperRunner | GUI | Windows | woanware | Freeware/Opensource |
ForensicUserInfo | GUI | Windows | woanware | Freeware/Opensource |
USBDeviceForensics | GUI | Windows | woanware | Freeware/Opensource |
Windows USB Storage Parser (usp) | CLI | Windows | TZWorks | Freeware/Commercial |
Yet Another Registry Utility (yaru) | CLI | Windows | TZWorks | Freeware/Commercial |
Windows ShellBag Parser (sbag) | CLI | Windows | TZWorks | Freeware/Commercial |
Computer Account Forensic Artifact Extractor (cafae) | CLI | Windows | TZWorks | Freeware/Commercial |
Filesystem Metadata
Name | Interface | Platform | Manufacturer | Licence |
mft2csv | GUI | Windows | joakim | Freeware |
analyzeMFT | CLI | Anywhere | David Kovar | Opensource |
MFTView | GUI | Windows | Sanderson Forensics | Freeware |
NTFS Directory Enumerator | CLI | Windows | TZWorks | Freeware/Commercial |
Windows $MFT and NTFS Metadata Extractor Tool | CLI | Windows | TZWorks | Freeware/Commercial |
Windows INDX Slack Parser | CLI | Windows | TZWorks | Freeware/Commercial |
Graphical Engine for NTFS Analysis (gena) | GUI | Windows | TZWorks | Freeware/Commercial |
LNK (Shortcut) Analysis
Name | Interface | Platform | Manufacturer | Licence |
Windows LNK Parsing Utility (lp) | CLI | Windows | TZWorks | Freeware/Commercial |
lnkanalyser | CLI | Windows | Woanware | Freeware |
Log Analysis
Name | Interface | Platform | Manufacturer | Licence |
Event Log Explorer | GUI | Windows | FSPro Labs | Commercial |
Log Parser | CLI | Windows | Microsoft | Freeware |
NTFS Log Tracker | GUI | Windows | blueangel | Freeware |
NTFS TriForce | CLI | Windows | David Cowen | Freeware |
Windows Journal Parser (jp) | CLI | Windows | TZWorks | Freeware/Commercial |
Windows Event Log Viewer | GUI | Windows | TZWorks | Freeware/Commercial |
Windows Event Log Parser | GUI | Windows | TZWorks | Freeware/Commercial |
UsnJrnl2Csv | CLI | Windows | joakim | Freeware |
LogFile Parser | CLI | Windows | joakim | Freeware |
Malware Analysis
Name | Interface | Platform | Manufacturer | Licence |
PeStudio | GUI | Windows | Marc Ochsenmeier | Freeware |
PEView | GUI | Windows | Wayne J. Radburn | Freeware |
Automater | CLI | Win & Lin | TEKDEFENSE | OpenSource |
Noriben | CLI | Windows | Rurik | OpenSource |
Prefetch Analysis
Name | Interface | Platform | Manufacturer | Licence |
WinPrefetchView | GUI | Windows | NirSoft | Freeware |
PrefetchForensics | GUI | Windows | woanware | Freeware |
APFA(Advanced Prefetch File Analyzer) | GUI | Windows | Allan S Hay | Freeware |
Prefetch Parser | CLI | Windows | SANS | Freeware |
Windows Prefetch Parser | CLI | Anywhere | TZWorks | Freeware/Commercial |
Web Browser Artifacts
Name | Interface | Platform | Manufacturer | Licence |
WEFA(WEb browser Forensic Analyzer) | GUI | Windows | 4&6 Tech | Commercial |
Web Historian | GUI | Windows | Mandiant | Freeware |
IEF(Internet Evidence Finder) | GUI | Windows | Magnet Forensics | Commercial |
ChromeForensics | GUI | Windows | woanware | Freeware |
FireFoxForensics | GUI | Windows | woanware | Freeware |
firefoxsessionstoreextractor | GUI | Windows | woanware | Freeware |
Windows ‘index.dat’ Parser (id) | CLI | Windows | TZWorks | Freeware/Commercial |
BrowsingHistoryView | GUI | Windows | NirSoft | Freeware |
IECacheView | GUI | Windows | NirSoft | Freeware |
IECookiesView | GUI | Windows | NirSoft | Freeware |
IEHistoryView | GUI | Windows | NirSoft | Freeware |
ChromeCacheView | GUI | Windows | NirSoft | Freeware |
ChromeHistoryView | GUI | Windows | NirSoft | Freeware |
MozillaCacheView | GUI | Windows | NirSoft | Freeware |
MZCookiesView | GUI | Windows | NirSoft | Freeware |
MozillaHistoryView | GUI | Windows | NirSoft | Freeware |
SafariCacheView | GUI | Windows | NirSoft | Freeware |
SafariHistoryView | GUI | Windows | NirSoft | Freeware |
OperaCacheView | GUI | Windows | NirSoft | Freeware |
WebBrowserPassView | GUI | Windows | NirSoft | Freeware |
MyLastSearch | GUI | Windows | NirSoft | Freeware |
Database Analysis
Name | Interface | Platform | Manufacturer | Licence |
Exchange EDB Viewer | GUI | Windows | Lepide Software | Freeware |
ESEDatabaseView | GUI | Windows | NirSoft | Freeware |
EseDbViewer | GUI | Windows | woanware | Freeware |
SQLite Expert | GUI | Windows | Bogdan Ureche | Commercial |
Oxygen SQLite Viewer | GUI | Windows | Oxygen Forensic | Commercial |
SQLite Database Browser | GUI | Win & Mac | Tabuleiro | Opensource |
OracleForensics Tools | – | – | – | – |
Email Analysis
Name | Interface | Platform | Manufacturer | Licence |
E-mail Examiner | GUI | Windows | Paraben | Commercial |
Mail Viewer | GUI | Windows | MiTeC | Freeware |
Email Utilities | GUI | Windows | Stellar Information Systems | Commercial |
Email Recovery Tools | GUI | Windows | Lepide Software | Commercial |
Format Analysis
Name | Interface | Platform | Manufacturer | Licence |
010Editor Templates | GUI | Windows | SweetScape Software | Commercial |
FileInsight | GUI | Windows | McAfee | Freeware |
Structured Storage Viewer | GUI | Windows | MiTeC | Freeware |
OffVis | GUI | Windows | Microsoft | Freeware |
Windows Portable Executable Viewer (pe_view) | GUI | Windows | TZWorks | Freeware/Commercial |
PDF Parser | CLI | Anywhere | Didier Stevens | Freeware |
peepdf | CLI | Anywhere | Jose Miguel Esparza | Freeware |
PDF Stream Dumper | GUI | Windows | David Zimmer | Freeware |
Restore Point / Volume Shadow Copy (VSC) Analysis
Name | Interface | Platform | Manufacturer | Licence |
RP Log Tracker | GUI | Windows | blueangel | Freeware |
libvshadow | CLI | Windows / Unix-based | Joachim Metz | Opensource |
ShadowExplorer | GUI | Windows | ShadowExplorer | Freeware |
ShadowKit | GUI | Windows | David Dym | Freeware |
VSC Toolset | GUI | Windows | Jason Hale | Freeware |
Reconnoitre | GUI | Windows | Sanderson Forensics | Commercial |
Java IDX Analysis
Name | Interface | Platform | Manufacturer | Licence |
Java IDX Parser | CLI | Anywhere | Brian Baskin | OpenSource |
Javaidx | CLI | Windows | Mark Woan | OpenSource |
Idxparser | CLI | Windows | Harlan Carvey | OpenSource |
Other Artifacts
Name | Interface | Platform | Manufacturer | Licence |
Windows File Analyzer | GUI | Windows | MiTeC | Freeware |
Windows Jump List Parser (jmp) | CLI | Windows | TZWorks | Freeware/Commercial |
Portable Executable Scanner (pescan) | CLI | Windows | TZWorks | Freeware/Commercial |
autorunner | GUI | Windows | woanware | Freeware |
exefinder | GUI | Windows | woanware | Freeware |
JumpLister | GUI | Windows | woanware | Freeware |
shimcacheparser | GUI | Windows | woanware | Freeware |
Windows Search Index Extractor | GUI | Windows | Filesig Software | Commercial |
Thumbnail Database Viewer | GUI | Windows | Igor Tolmachev | Freeware |
SFP(Simple File Parser) | GUI | Windows | Chris Mayhew | Freeware |
Network Forensics
Name | Interface | Platform | Manufacturer | Licence |
Wireshark | GUI | Anywhere | Wireshark | Opensource |
NetworkMiner | GUI | Windows | NETRESEC | Free/Comm |
RSA NetWitness | GUI | Win & Lin | RSA | Commercial |
Ostinato | GUI | Anywhere | Pstavirs | Opensource |
Packet Builder | GUI | Windows | Colasoft | Freeware |
SplitCap | CLI | Windows | NETRESEC | Opensource |
tshark | CLI | Anywhere | Wireshark | Opensource |
Scapy | CLI | Anywhere | Philippe Biondi | Opensource |
tcpdump | CLI | Anywhere | – | Opensource |
DNS Query Utility (dqu) | CLI | Windows | TZWorks | Freeware/Commercial |
Packet Capture ICMP Carver (pic) | CLI | Windows | TZWorks | Freeware/Commercial |
Network Xfer Client/Server Utility (nx) | CLI | Windows | TZWorks | Freeware/Commercial |
snorbert | CLI | Windows | Woanware | Freeware |
SessionViewer | CLI | Windows | Woanware | Freeware |
enumdotnet | CLI | Windows | Woanware | Freeware |
Password Attack
Name | Interface | Platform | Manufacturer | Licence |
EPRB(ElcomSoft Password Recovery Bundle) | GUI | Windows | ElcomSoft | Commercial |
PPR(Passware Password Recovery) | GUI | Windows | Passware | Commercial |
SAMInside | GUI | Windows | InsidePro | Freeware |
ophcrack | GUI | Anywhere | OBJECTIF SECURITE | Freeware |
L0PHTCRACK | GUI | Windows | L0pht Holdings | Commercial |
Windows Password
Name | Interface | Platform | Manufacturer | Licence |
Cain & Abel | GUI | Windows | Massimiliano Montoro | Freeware |
Windows Password Recovery | GUI | Windows | Passcape Software | Freeware |
pwdump7 | CLI | Windows | Tarasco | Freeware |
gsecdump | CLI | Windows | Truesec | Freeware |
PWDumpX | CLI | Windows | Reed Arvin | Freeware |
lsadump2 | CLI | Windows | izar | Freeware |
creddump | CLI | Windows | mooyix | Opensource |
NTPWEdit | GUI | Windows | Vadim Druzhin | Freeware |
NTPassword | CLI | Windows | Pogostick | Freeware |
Mobile Forensics
Name | Interface | Platform | Manufacturer | Licence |
MD Series | – | – | GMDSystem | Commercial |
Cellebrite Mobile Forensics | – | – | Cellebrite | Commercial |
Device Seizure | – | – | Paraben | Commercial |
XRY Series | – | – | Micro Systemation | Commercial |
Oxygen Forensic® Suite | GUI | Windows | Oxygen Software | Commercial |
MPE+ | GUI | Windows | Access Data | Commercial |
Lantern | GUI | Mac | KatanaForensics | Commercial |
iPhone Backup Browser | GUI | Windows | rene.devichi | Opensource |
Hex Editor
Name | Interface | Platform | Manufacturer | Licence |
010Editor | GUI | Windows | SweetScape | Commercial |
WinHex | GUI | Windows | X-Ways Software Technology AG | Commercial |
Hex Workshop | GUI | Windows | BreakPoint Software | Commercial |
HxD | GUI | Windows | Maël Hörz | Freeware |
Hash Analysis
Name | Interface | Platform | Manufacturer | Licence |
HashTab | GUI | Win & Mac | Implbits | Free/Comm |
md5deep/hashdeep | CLI | Anywhere | Jesse Kornblum | Freeware |
ssdeep | CLI | Anywhere | ManTech | Freeware |
NSRL Hashsets | – | – | NIST | Freeware |
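The introduction's rule that evidence-analysis results be cross-checked with a second tool applies to hashing as well: a manifest written by md5deep/hashdeep is only as trustworthy as that one binary, so an examiner re-hashes the same files with an independent implementation and compares. The script below is an added example, not one of the tools listed above and not code from forensic-proof.com. It parses hashdeep's default output format (the `%%%% HASHDEEP-1.0` and `%%%% size,md5,sha256,filename` header lines, `##` comment lines, then one comma-separated record per file), re-hashes every listed file with Python's hashlib, and reports the four outcomes an examiner has to act on: matched, mismatched (size or any digest), missing (listed but not on disk) and unlisted (on disk but never recorded). The evidence tree and the manifest are constructed in a scratch directory; the manifest is deliberately made to disagree with the disk so that each outcome appears once.

```python
"""Audit a hashdeep manifest with an independent hash implementation (Python's hashlib).

Added example, not a tool from the list above. The evidence tree and the manifest are
constructed in a scratch directory; the manifest is deliberately made to disagree with
the disk so every outcome of the audit shows up once."""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream in 1 MiB blocks; disk images do not fit in memory


def hash_file(path, algos=("md5", "sha256")):
    """Return {algorithm: hexdigest}, reading the file once for all algorithms."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def parse_hashdeep(manifest):
    """Parse hashdeep's default output format.

    '%%%% HASHDEEP-1.0' and a '%%%% size,md5,sha256,filename' column line come first,
    '##' lines are comments, and every other line is one comma-separated record."""
    columns, rows = None, []
    for line in Path(manifest).read_text(encoding="utf-8").splitlines():
        if line.startswith("%%%% ") and "," in line:
            columns = line[5:].split(",")
        elif not line or line.startswith(("%%%%", "##")):
            continue
        elif columns is None:
            raise ValueError("record before column header: not a hashdeep manifest")
        else:
            # filename is the last column; cap the split so commas in names survive
            rows.append(dict(zip(columns, line.split(",", len(columns) - 1))))
    if columns is None:
        raise ValueError("missing '%%%% size,...' column header")
    return columns, rows


def audit(manifest, root):
    """Classify every file as matched, mismatched (size or any hash), missing
    (in manifest, not on disk) or unlisted (on disk, not in manifest)."""
    root = Path(root)
    columns, rows = parse_hashdeep(manifest)
    algos = [c for c in columns if c not in ("size", "filename")]
    report = {"matched": [], "mismatched": [], "missing": [], "unlisted": []}
    listed = set()
    for row in rows:
        rel = Path(os.path.relpath(row["filename"], root)).as_posix()
        listed.add(rel)
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)
            continue
        actual = hash_file(target, algos)
        ok = target.stat().st_size == int(row["size"]) and all(
            actual[a] == row[a].lower() for a in algos)
        report["matched" if ok else "mismatched"].append(rel)
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in listed:
            report["unlisted"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def build_sample_case(root, manifest):
    """Write a constructed evidence tree and a manifest that disagrees with it:
    one correct record, one record with a corrupted SHA-256, one record for a file
    that no longer exists, and one file on disk that was never recorded."""
    root = Path(root)
    files = {
        "docs/report.txt": b"quarterly numbers\n" * 100,   # 1800 bytes, recorded correctly
        "bin/tool.exe": bytes(range(256)) * 16,            # 4096 bytes, recorded with a bad digest
        "tmp/extra.log": b"written after acquisition\n",   # never recorded
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    good, bad = hash_file(root / "docs/report.txt"), hash_file(root / "bin/tool.exe")
    corrupted = ("0" if bad["sha256"][0] != "0" else "1") + bad["sha256"][1:]
    records = [
        (1800, good["md5"], good["sha256"], root / "docs/report.txt"),
        (4096, bad["md5"], corrupted, root / "bin/tool.exe"),
        (12, "0" * 32, "0" * 64, root / "docs/deleted.txt"),
    ]
    lines = ["%%%% HASHDEEP-1.0", "%%%% size,md5,sha256,filename",
             "## Invoked from: %s" % root, "## $ hashdeep -r %s" % root, "## "]
    lines += ["%d,%s,%s,%s" % r for r in records]
    Path(manifest).write_text("\n".join(lines) + "\n", encoding="utf-8")
    return manifest


def run_demo():
    """Build the constructed case in a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root, manifest = Path(tmp) / "evidence", Path(tmp) / "hashdeep.txt"
        build_sample_case(root, manifest)
        return audit(manifest, root)


if __name__ == "__main__":
    for outcome, paths in run_demo().items():
        print("%-10s %s" % (outcome, ", ".join(paths) or "-"))
```

On a real case, point `audit()` at the manifest hashdeep produced and at the directory the files were extracted to; a `mismatched` entry means the tool, the copy, or the evidence changed and has to be explained before the hash values go into a report, and `unlisted` entries are the files that would otherwise leave the case with no recorded integrity value at all. The same two-implementation check is worth applying to a whole image: compare the digest the imaging tool wrote into its log with one computed by a different program over the same image file.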
Wipe/Sanitization
Name | Interface | Platform | Manufacturer | Licence |
Eraser | GUI | Windows | The Eraser Project | Freeware |
BCWipe | GUI | Win & Lin | Jetico | Commercial |
SDelete | CLI | Windows | Sysinternals | Freeware |
Secure Erase | CLI | Win & Lin | CMRR | Freeware |
Data Recovery
Name | Interface | Platform | Manufacturer | Licence |
RMF(Recover My Files) | GUI | Windows | GetData | Commercial |
R-Studio | GUI | Anywhere | R-Tools Technology | Commercial |
Power Data Recovery | GUI | Windows | MiniTool® Solution | Commercial |
Other Tools
Name | Interface | Platform | Manufacturer | Licence |
Highlighter | GUI | Windows | Mandiant | Freeware |
BinText | GUI | Windows | McAfee | Freeware |
DCode | GUI | Windows | Digital Detective | Freeware |
TimeLord | GUI | Windows | Harry Parsonage | Freeware |
ArgosDFAS | GUI | Windows | DUZON | Commercial |
Forensics Tool Sites
Site |
MiTeC |
TZWorks |
Software for Computer Forensics |
Woanware |
NirSoft |
CFTT Catalog |
mft2csv |
Open Source Digital Forensics |
RCE Tool Library |
Sysinternals |
ForensicKB |