공장장과 함께하는 디지털 포렌식 이야기

Windows PE + 각종 복구 프로그램

http://www.hirensbootcd.net/

Hiren's BootCD 9.9 + Keyboard Patch

All in one Dos Bootable CD which has all these utilities:

Partition Tools

- Partition Magic Pro 8.05: Best software to partition hard drive.
- Acronis Disk Director 10.0.2160: Popular disk management functions in a single suite.
- Paragon Partition Manager 7.0.1274: Universal tool for partitions.
- Partition Commander 9.01: The safe way to partition your hard drive, with undo feature.
- Ranish Partition Manager 2.44: a boot manager and hard disk partitioner.
- The Partition Resizer 1.3.4: move and resize your partitions in one step and more.
- Smart Fdisk 2.05: a simple harddisk partition manager.
- SPecial Fdisk 2000.03v: SPFDISK a partition tool.
- eXtended Fdisk 0.9.3: XFDISK allows easy partition creation and edition.
- GDisk 1.1.1: Complete replacement for the DOS FDISK utility and more.
- Super Fdisk 1.0: Create, delete, format partitions drives without destroying data.
- Partition Table Editor 8.0: Partition Table and Boot Record Editor.
- EASEUS Partition Master 3.5: Partition Resize/Move/Copy/Create/Delete/Format/Convert, Explore, etc.

Backup Tools

- ImageCenter 5.6 (Drive Image 2002): Best software to clone hard drive.
- Norton Ghost 11.5: Similar to Drive Image (with usb/scsi support).
- Acronis True Image 8.1.945: Create an exact disk image for complete system backup and disk cloning.
- Partition Saving 3.71: A tool to backup/restore partitions. (SavePart.exe).
- COPYR.DMA Build013: A Tool for making copies of hard disks with bad sectors.
- DriveImageXML 2.02: backup any drive/partition to an image file, even if the drive is currently in use.
- Drive SnapShot 1.39: creates an exact Disk Image of your system into a file while windows is running.
- Ghost Image Explorer 11.5: to add/remove/extract files from Ghost image file.
- DriveImage Explorer 5.0: to add/remove/extract files from Drive image file.
- WhitSoft File Splitter 4.5a: a Small File Split-Join Tool.
- Express Burn 4.26: CD/DVD Burner Program to create and record CDs/DVDs, also create/burn .iso and .nrg images.
- Smart Driver Backup 2.12: Easy backup of your Windows device drivers (also works from PE).
- Double Driver 1.0: Driver Backup and Restore tool.
- DriverBackup! 1.0.3: Another handy tool to backup drivers.

Recovery Tools

- Active Partition Recovery 3.0: To Recover a Deleted partition.
- Active Uneraser 3.0: To recover deleted files and folders on FAT and NTFS systems.
- Ontrack Easy Recovery Pro 6.10: To Recover data that has been deleted/virus attack.
- Winternals Disk Commander 1.1: more than just a standard deleted-file recovery utility.
- TestDisk 6.11.3: Tool to check and undelete partition.
- Lost & Found 1.06: a good old data recovery software.
- DiyDataRecovery Diskpatch 2.1.100: An excellent data recovery software.
- Prosoft Media Tools 5.0 v1.1.2.64: Another excellent data recovery software with many other options.
- PhotoRec 6.11.3: File and pictures recovery Tool.
- Winsock 2 Fix for 9x: to fix corrupted Winsock2 information by poorly written Internet programs.
- XP TCP/IP Repair 1.0: Repair your Windows XP Winsock and TCP/IP registry errors.
- Active Undelete 5.5: a tool to recover deleted files.
- Restoration 3.2.13: a tool to recover deleted files.
- GetDataBack for FAT 2.31: Data recovery software for FAT file systems.
- GetDataBack for NTFS 2.31: Data recovery software for NTFS file systems.
- Recuva 1.27.419: Restore deleted files from Hard Drive, Digital Camera Memory Card, usb mp3 player...
- Partition Find and Mount 2.3.1: Partition Find and Mount software is designed to find lost or deleted partitions.
- Unstoppable Copier 4b: Allows you to copy files from disks with problems such as bad sectors, scratches or that just give errors when reading data.

Testing Tools

- System Speed Test 4.78: it tests CPU, harddrive, etc.
- PC-Check 6.5: Easy to use hardware tests.
- Ontrack Data Advisor 5.0: Powerful diagnostic tool for assessing the condition of your computer.
- The Troubleshooter 7.02: all kind of hardware testing tool.
- PC Doctor 2004: a benchmarking and information tool.
- CPU/Video/Disk Performance Test 5.7: a tool to test cpu, video, and disk.
- Test Hard Disk Drive 1.0: a tool to test Hard Disk Drive.
- Disk Speed1.0: Hard Disk Drive Speed Testing Tool.
- S&M Stress Test 1.9.1: cpu/hdd/memory benchmarking and information tool, including temperatures/fan speeds/voltages.
- IsMyLcdOK (Monitor Test) 1.01: Allows you to test CRT/LCD/TFT screens for dead pixels and diffective screens.

RAM (Memory) Testing Tools

- GoldMemory 5.07: RAM Test utility.
- Memtest86+ 2.11: PC Memory Test.
- MemTest 1.0: a Memory Testing Tool.
- Video Memory Stress Test 1.7.116: a tool to thoroughly test your video RAM for errors and faults.

Hard Disk Tools

- Seagate Seatools Graphical v2.13b
- SeaTools for Dos 1.10
- Western Digital Data Lifeguard Tools 11.2
- Western Digital Diagnostics (DLGDIAG) 5.04f
- Maxtor PowerMax 4.23
- Maxtor amset utility 4.0
- Maxtor(or any Hdd) Low Level Formatter 1.1
- Fujitsu HDD Diagnostic Tool 7.00
- Fujitsu IDE Low Level Format 1.0
- Samsung HDD Utility(HUTIL) 2.10
- Samsung Disk Diagnose (SHDIAG) 1.28
- Samsung The Drive Diagnostic Utility (ESTOOL) 2.12a
- IBM/Hitachi Drive Fitness Test 4.14
- IBM/Hitachi Feature Tool 2.13
- Gateway GwScan 5.12
- ExcelStor's ESTest 4.50
- MHDD 4.6
- WDClear 1.30
- Toshiba Hard Disk Diagnostic 2.00b
- HDD Regenerator 1.61: to recover a bad hard drive.
- HDAT2 4.53: main function is testing and repair (regenerates) bad sectors for detected devices.
- Ontrack Disk Manager 9.57: Disk Test/Format/Maintenance tool.
- Norton Disk Doctor 2002: a tool to repair a damaged disk, or to diagnose your hard drive.
- Norton Disk Editor 2002: a powerful disk editing, manual data recovery tool.
- Hard Disk Sentinel 0.04: Hard Disk health, performance and temperature monitoring tool.
- Active Kill Disk 4.1: Securely overwrites and destroys all data on physical drive.
- SmartUDM 2.00: Hard Disk Drive S.M.A.R.T. Viewer.
- Victoria 3.33e and 3.52rus: a freeware program for low-level HDD diagnostics.
- HDD Erase 4.0: Secure erase using a special feature built into most newer hard drives.
- HDD Scan 3.1: This is a Low-level HDD diagnostic tool, it scans surface find bad sectors etc.
- HDTune 2.55: Hard disk benchmarking and information tool.
- Data Shredder 1.0: A tool to Erase disk and files (also wipe free space) securely.

System Information Tools

- PCI and AGP info Tool (0906): The PCI System information & Exploration tool.
- System Analyser 5.3v: View extensive information about your hardware.
- Navratil Software System Information 0.60.32: High-end professional system information tool.
- Astra 5.42: Advanced System info Tool and Reporting Assistant.
- HWiNFO 5.2.7: a powerful system information utility.
- PC-Config 9.33: Complete hardware detection of your computer.
- SysChk 2.46: Find out exactly what is under the hood of your PC.
- CPU Identification utility 1.16: Detailed information on CPU (CHKCPU.EXE).
- CTIA CPU Information 2.7: another CPU information tool.
- Drive Temperature 1.0: Hard Disk Drive temperature meter.
- PC Wizard 2008.1.871: Powerful system information/benchmark utility designed especially for detection of hardware.
- SIW 2009-05-12: Gathers detailed information about your system properties and settings.
- CPU-Z 1.51: It gathers information on some of the main devices of your system.
- PCI 32 Sniffer 1.4 (0906): device information tool (similar to unknown devices).
- Unknown Devices 1.2 (0906): helps you find what those unknown devices in Device Manager really are.

MBR (Master Boot Record) Tools

- MBRWork 1.07b: a utility to perform some common and uncommon MBR functions.
- MBR Tool 2.2.100: backup, verify, restore, edit, refresh, remove, display, re-write...
- DiskMan4: all in one tool for cmos, bios, bootrecord and more.
- BootFix Utility: Run this utility if you get 'Invalid system disk'.
- MBR SAVE / RESTORE 2.1: BootSave and BootRest tools to save / restore MBR.
- Boot Partition 2.60: add Partition in the Windows NT/2000/XP Multi-boot loader.
- Partition Table Doctor 3.5: a tool to repair/modify mbr, bootsector, partition table.
- Smart Boot Manager 3.7.1: a multi boot manager.
- Bootmagic 8.0: This tool is for multi boot operating systems.
- MBRWizard 2.0b: Directly update and modify the MBR (Master Boot Record).

BIOS / CMOS Tools

- CMOS 0.93: CMOS Save / Restore Tool.
- BIOS Cracker 4.8: BIOS password remover (cmospwd).
- BIOS Cracker 1.4: BIOS password remover (cmospwc).
- BIOS Utility 1.35.0: BIOS Informations, password, beep codes and more.
- !BIOS 3.20: a powerfull utility for bios and cmos.
- DISKMAN4: a powerful all in one utility.
- UniFlash 1.40: bios flash utility.;
- Kill CMOS: a tiny utility to wipe cmos.
- Award DMI Configuration Utility 2.43: DMI Configuration utility for modifying/viewing the MIDF contents.

MultiMedia Tools

- Picture Viewer 1.94: Picture viewer for dos, supports more then 40 filetypes.
- QuickView Pro 2.58: movie viewer for dos, supports many format including divx.
- MpxPlay 1.56: a small Music Player for dos.

Password Tools

- Active Password Changer 3.0.420: To Reset User Password on windows NT/2000/XP/2003/Vista (FAT/NTFS).
- Offline NT/2K/XP Password Changer: utility to reset windows nt/2000/xp administrator/user password.
- Registry Reanimator 1.02: Check and Restore structure of the Damaged Registry files of NT/2K/XP.
- NTPWD: utility to reset windows nt/2000/xp administrator/user password.
- Registry Viewer 4.2: Registry Viewer/Editor for Win9x/Me/NT/2K/XP.
- ATAPWD 1.2: Hard Disk Password Utility.
- TrueCrypt 6.2: On-the-fly disk encryption tool, can create a virtual encrypted disk within a file and mount it as a real disk, can also encrypt an entire HDD/Partition/USB Drive.
- Content Advisor Password Remover 1.0: It Removes Content Advisor Password from Internet Explorer.
- Password Renew 1.1: Utility to (re)set windows passwords.
- WindowsGate 1.1: Enables/Disables Windows logon password validation.
- WinKeyFinder 1.73: Allows you to View and Change Windows XP/2003 Product Keys, backup and restore activation related files, backup Microsoft Office 97, 2000 SP2, XP/2003 keys etc.
- XP Key Reader 2.7: Can decode the XP-key on Local or Remote systems.
- ProduKey 1.35: Recovers lost the product key of your Windows/Office.
- Wireless Key View 1.26: Recovers all wireless network keys (WEP/WPA) stored in your computer by WZC.
- MessenPass 1.24: A password recovery tool that reveals the passwords of several instant messangers.
- Mail PassView 1.51: Recovers mail passwords of Outlook Express, MS Outlook, IncrediMail, Eudora, etc.
- Asterisk Logger 1.04: Reveal passwords hidden behind asterisk characters.

NTFS (FileSystems) Tools

- NTFS Dos Pro 5.0: To access ntfs partitions from Dos.
- NTFS 4 Dos 1.9: To access ntfs partitions from Dos.
- Paragon Mount Everything 3.0: To access NTFS, Ext2FS, Ext3FS partitions from dos.
- NTFS Dos 3.02: To access ntfs partitions from Dos.
- EditBINI 1.01: to Edit boot.ini on NTFS Partition.

Browsers / File Managers

- Volkov Commander 4.99: Dos File Manager with LongFileName/ntfs support (Similar to Norton Commander).
- Dos Command Center 5.1: Classic dos-based file manager.
- File Wizard 1.35: a file manager - colored files, drag and drop copy, move, delete etc.
- File Maven 3.5: an advanced Dos file manager with high speed PC-to-PC file transfers via serial or parallel cable.
- FastLynx 2.0: Dos file manager with Pc to Pc file transfer capability.
- LapLink 5.0: the smart way to transfer files and directories between PCs.
- Dos Navigator 6.4.0: Dos File Manager, Norton Commander clone but has much more features.
- Mini Windows 98: Can run from Ram Drive, with ntfs support, Added 7-Zip, Disk Defragmenter, Notepad / RichText Editor, Image Viewer, .avi .mpg .divx .xvid Movie Player, etc...
- Mini Windows Xp: Portable Windows Xp that runs from CD/USB/Ram Drive, with Network and SATA support.
- 7-Zip 4.65: File Manager/Archiver Supports 7z, ZIP, GZIP, BZIP2, TAR, RAR, CAB, ISO, ARJ, LZH, CHM, MSI, WIM, Z, CPIO, RPM, DEB and NSIS formats.
- Opera Web Browser 8.53: One of the fastest, smallest and smartest full-featured web browser.

Other Tools

- Ghost Walker 11.5: utility that changes the security ID (SID) for Windows NT, 2000 and XP.
- DosCDroast beta 2: Dos CD Burning Tools.
- Universal TCP/IP Network 6.4: MSDOS Network Client to connect via TCP/IP to a Microsoft based network. The network can either be a peer-to-peer or a server based network, it contains 91 different network card drivers.
- NewSID 4.10: utility that changes the security ID (SID) for Windows NT, 2000 and XP.
- Registry Editor PE 0.9c: Easy editing of remote registry hives and user profiles.
- Registry Restore Wizard 1.0.4: Restores a corrupted system registry from Xp System Restore.

Dos Tools

- USB CD-Rom Driver 1: Standard usb_cd.sys driver for cd drive.
- Universal USB Driver 2: Panasonic v2.20 ASPI Manager for USB mass storage.
- ASUSTeK USB Driver 3: ASUS USB CD-ROM Device Driver Version 1.00.
- SCSI Support: SCSI Drivers for Dos.
- SATA Support: SATA Driver (gcdrom.sys) and JMicron JMB361 (xcdrom.sys) for Dos.
- 1394 Firewire Support: 1394 Firewire Drivers for Dos.
- Interlnk support at COM1: To access another computer from COM port.
- Interlnk support at LPT1: To access another computer from LPT port.

and too many great dos tools, very good collection of dos utilities

extract.exe, pkzip.exe, pkunzip.exe, unrar.exe, rar.exe
ace.exe, lha.exe, gzip.exe, uharcd.exe, mouse.com
attrib.com, deltree.exe, xcopy.exe, diskcopy.com, imgExtrc.exe
undelete.com, edit.com, fdisk.exe, fdisk2.exe, fdisk3.exe
lf.exe, delpart.exe, wipe.com, zap.com, format.com
move.exe, more.com, find.exe, hex.exe, debug.exe
split.exe, mem.exe, mi.com, sys.com, smartdrv.exe
xmsdsk.exe, killer.exe, share.exe, scandisk.exe, scanreg.exe
guest.exe, doskey.exe, duse.exe, biosdtct.exe, setver.exe
intersvr.exe, interlnk.exe, loadlin.exe, lfndos.exe, doslfn.com

Cleaners

- SpaceMonger 1.4: keeping track of the free space on your computer.
- WinDirStat 1.1.2.80: a disk usage statistics viewer and cleanup tool for Windows.
- CCleaner 2.20.920: Crap Cleaner is a freeware system optimization and privacy tool.

Optimizers

- PageDfrg 2.32: System file Defragmenter For NT/2k/XP.
- NT Registry Optimizer 1.1j: Registry Optimization for Windows NT/2000/2003/XP/Vista.
- DefragNT 1.9: This tool presents the user with many options for disk defragmenting.
- JkDefrag 3.36: Free disk defragment and optimize utility for Windows 2000/2003/XP/Vista.
- Process Tools: IB Process Manager 1.04 a little process manager for 9x/2k, shows dll info etc.
- Process Explorer 11.33: shows you information about which handles and DLLs processes have opened or loaded.
- Pocket KillBox 2.0.0.978: can be used to get rid of files that stubbornly refuse to allow you to delete them.
- Unlocker 1.8.7: This tool can delete file/folder when you get this message - Cannot delete file: Access is denied, The file is in use by another program etc.
- CurrPorts 1.65: displays the list of all currently opened TCP and UDP ports on your computer.

Startup Tools

- Autoruns 9.50: Displays All the entries from startup folder, Run, RunOnce, and other Registry keys, Explorer shell extensions,toolbars, browser helper objects, Winlogon notifications, auto-start services, Scheduled Tasks, Winsock, LSA Providers, Remove Drivers and much more which helps to remove nasty spyware/adware and viruses.
- Silent Runners Revision 59: A free script that helps detect spyware, malware and adware in the startup process.
- Startup Control Panel 2.8: a tool to edit startup programs.
- Startup Monitor 1.02: it notifies you when any program registers itself to run at system startup.
- HijackThis 2.0.2: a general homepage hijackers detector and remover and more.

Tweakers

- Dial a Fix 0.60.0.24: Fix errors and problems with COM/ActiveX object errors and missing registry entries, Automatic Updates, SSL, HTTPS, and Cryptography service (signing/verification) issues, Reinstall internet explorer etc. comes with the policy scanner.
- Ultimate Windows Tweaker 1.2: A TweakUI Utility for tweaking and optimizing Windows Vista.
- TweakUI 2.10: This PowerToy gives you access to system settings that are not exposed in the Windows Xp.
- Xp-AntiSpy 3.97.3: it tweaks some Windows XP functions, and disables some unneeded Windows services quickly.
- Shell Extensions Manager (ShellExView) 1.37: An excellent tool to View and Manage all installed Context-menu/Shell extensions.
- EzPcFix 1.0.0.16: Helpful tool when trying to remove viruses, spyware, and malware.

Antivirus Tools

- Kaspersky Virus Removal Tool 7.0.0.290 (0906): Free on-demand virus scanner from Kaspersky Lab to remove viruses.
- Spybot - Search & Destroy 1.6.2 (0906): Application to scan for spyware, adware, hijackers and other malicious software.
- Malwarebytes' Anti-Malware 1.34 (0906): anti-malware application that can thoroughly remove even the most advanced malware.
- SpywareBlaster 4.2 (0906): Prevent the installation of spyware and other potentially unwanted software.
- SmitFraudFix 2.419: This removes Some of the popular Desktop Hijack malware.
- ComboFix (0906): Designed to cleanup malware infections and restore settings modified by malware.
- CWShredder 2.19: Popular CoolWebSearch Trojan Remover tool.
- RootkitRevealer 1.7.1: Rootkit Revealer is an advanced patent-pending root kit detection utility.
- SuperAntispyware 4.26 (0906): Remove Malware, Rootkits, Spyware, Adware, Worms, Parasites (a must have tool).

출처 : http://blog.paran.com/franc3sco/33307420


/* ChkRegLastChange 프로그램은 윈도우즈 레지스트리 value 및 data에 대한 생성 및 변경 시간 체크 프로그램입니다. 작성자 : 김태훈(kimfrancesco@gmail.com) 라이센스 : Freeware 첨언 : 용도에 맞게 제작된 작은 사이즈 프로그램입니다. */ #include <windows.h> #include <commctrl.h> #include <windowsx.h> #include <stdio.h> #include <string.h> #include <stdlib.h> #include <winuser.h> #include <commdlg.h> #include "resource9.h" LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM); void RegEnum(HKEY *key, DWORD entry_count, char *string); DWORD GetAbsDayfromsystime(SYSTEMTIME st); HINSTANCE g_hInst; LPSTR lpszClass = "RegistryTimeCheck"; HWND g_hWndMain; #ifndef NMAXFILE #define NMAXFILE 512 #endif #ifndef TEXTMAXBUF #define TEXTMAXBUF 512 #endif HKEY HKEY_ENTRY[4] = { HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG }; DWORD start_time_value; DWORD end_time_value; int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpszCmdParam, int nCmdShow) { HWND hWnd; MSG Message; WNDCLASS WndClass; g_hInst = hInstance; WndClass.cbClsExtra = 0; WndClass.cbWndExtra = 0; WndClass.hbrBackground = (HBRUSH)(COLOR_BTNFACE + 1); WndClass.hCursor = LoadCursor(NULL, IDC_ARROW); WndClass.hIcon = LoadIcon(NULL, IDI_APPLICATION); WndClass.hInstance = hInstance; WndClass.lpfnWndProc = (WNDPROC)WndProc; WndClass.lpszClassName = lpszClass; WndClass.lpszMenuName = MAKEINTRESOURCE(IDR_MENU1); WndClass.style = CS_HREDRAW | CS_VREDRAW; RegisterClass(&WndClass); hWnd = CreateWindow(lpszClass, lpszClass, WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU | WS_MINIMIZEBOX | WS_CLIPCHILDREN, 100, 100, 550, 310, NULL, (HMENU)NULL, hInstance, NULL); ShowWindow(hWnd, nCmdShow); g_hWndMain = hWnd; while ( GetMessage(&Message, 0, 0, 0)) { TranslateMessage(&Message); DispatchMessage(&Message); } return Message.wParam; } // Child 윈도우 컨트롤 #define ID_LISTBOX 100 #define ID_EDIT 101 #define ID_BUTTON 102 HWND hList; HWND hButton; HWND hStatic; HWND hStatic2; HWND hEDtp; HWND hSDtp; HWND hState; HWND hsTime; HWND heTime; // 윈도우 메시지 처리 프로시저 함수 정의 LRESULT CALLBACK WndProc(HWND hWnd, UINT iMessage, WPARAM wParam, LPARAM lParam) { HKEY key; OPENFILENAME ofn; HANDLE fichier; int i_dummy; char psz_text[TEXTMAXBUF]; char entry_item[TEXTMAXBUF]; char szFileName[NMAXFILE] = ""; char start_time[255]; char end_time[255]; char str[MAX_PATH]; char sHourTimeString[4] = { 0 }; char eHourTimeString[4] = { 0 }; DWORD sHourTime = 0; DWORD eHourTime = 0; DWORD entry_count = 0; LVCOLUMN COL; LVITEM LI; switch (iMessage) { case WM_CREATE: //InitCommonControls(); INITCOMMONCONTROLSEX InitCtrlEx; InitCtrlEx.dwSize = sizeof(INITCOMMONCONTROLSEX); InitCtrlEx.dwICC = ICC_PROGRESS_CLASS | ICC_BAR_CLASSES | ICC_LISTVIEW_CLASSES | ICC_DATE_CLASSES; InitCommonControlsEx(&InitCtrlEx); hList = CreateWindow(WC_LISTVIEW, NULL, WS_CHILD | WS_VISIBLE | WS_BORDER | LVS_REPORT, 10, 50, 530, 200, hWnd, NULL, g_hInst, NULL); hSDtp = CreateWindow(DATETIMEPICK_CLASS, "기간_시작", WS_BORDER | WS_CHILD | WS_VISIBLE | DTS_SHORTDATEFORMAT, 30, 10, 100, 25, hWnd, NULL, g_hInst, NULL); hsTime = CreateWindow(DATETIMEPICK_CLASS, "기간_시작", WS_BORDER | WS_CHILD | WS_VISIBLE | DTS_TIMEFORMAT, 130, 10, 100, 25, hWnd, NULL, g_hInst, NULL); hStatic = CreateWindow("static","~", WS_CHILD | SS_CENTER | WS_VISIBLE, 240, 15, 10, 25, hWnd, (HMENU)-1, g_hInst, NULL); hEDtp = CreateWindow(DATETIMEPICK_CLASS, "기간_종료", WS_BORDER | WS_CHILD | WS_VISIBLE | DTS_SHORTDATEFORMAT, 260, 10, 100, 25, hWnd, NULL, g_hInst, NULL); heTime = CreateWindow(DATETIMEPICK_CLASS, "기간_시작", WS_BORDER | WS_CHILD | WS_VISIBLE | DTS_TIMEFORMAT, 360, 10, 100, 25, hWnd, NULL, g_hInst, NULL); hButton = CreateWindow("Button","Check", WS_CHILD | WS_VISIBLE | BS_PUSHBUTTON, 480, 10, 50, 25, hWnd, (HMENU)ID_BUTTON, g_hInst, NULL); //hStatic2=CreateWindow("static", NULL, WS_CHILD | WS_VISIBLE | SS_SIMPLE | SS_GRAYRECT, //10, 250, 530, 280, hWnd, NULL, g_hInst, NULL); hState = CreateStatusWindow(WS_CHILD | WS_VISIBLE, "Written by Kim, Tae Hoon(kimfrancesco@gmail.com) - registry 생성/변경 날짜 체크 툴", hWnd, 0); COL.mask = LVCF_FMT | LVCF_WIDTH | LVCF_TEXT | LVCF_SUBITEM; COL.fmt = LVCFMT_LEFT; COL.cx = 150; COL.pszText = "ROOT KEY"; COL.iSubItem = 0; SendMessage(hList, LVM_INSERTCOLUMN, 0, (LPARAM)&COL); COL.pszText = "SUB KEY"; COL.iSubItem = 1; SendMessage(hList, LVM_INSERTCOLUMN, 1, (LPARAM)&COL); COL.cx = 300; COL.pszText = "Time(Create/Modify)"; COL.iSubItem = 2; SendMessage(hList, LVM_INSERTCOLUMN, 2, (LPARAM)&COL); return 0; case WM_COMMAND: switch(LOWORD(wParam)) { case ID_BUTTON: SYSTEMTIME s_tm; SYSTEMTIME e_tm; SYSTEMTIME s_time; SYSTEMTIME e_time; DateTime_GetSystemtime(hSDtp, &s_tm); DateTime_GetSystemtime(hEDtp, &e_tm); DateTime_GetSystemtime(hsTime, &s_time); DateTime_GetSystemtime(heTime, &e_time); s_tm.wHour = 0; e_tm.wHour = 0; s_tm.wHour = s_time.wHour; e_tm.wHour = e_time.wHour; s_tm.wMinute = s_time.wMinute; e_tm.wMinute = e_time.wMinute; s_tm.wSecond = s_time.wSecond; e_tm.wSecond = e_time.wSecond; start_time_value = GetAbsDayfromsystime(s_tm); end_time_value = GetAbsDayfromsystime(e_tm); SendMessage(hList, LVM_DELETEALLITEMS, 0, (LPARAM)&LI); for (entry_count; entry_count<sizeof(HKEY_ENTRY)/sizeof(HKEY); entry_count++) { RegEnum(&HKEY_ENTRY[0], entry_count, ""); } break; case ID_FILE_SAVE40001: memset(&(ofn), 0, sizeof(ofn)); ofn.lStructSize = sizeof(ofn); ofn.hwndOwner = hWnd; ofn.lpstrFile = szFileName; ofn.nMaxFile = NMAXFILE; ofn.lpstrFilter = "Text (*.txt)\0*.txt\0"; ofn.lpstrTitle = "Save File As"; ofn.Flags = OFN_HIDEREADONLY; ofn.lpstrDefExt = "txt"; if ( GetSaveFileName( (LPOPENFILENAME) &ofn)) { fichier = CreateFile(ofn.lpstrFile, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if ( fichier != INVALID_HANDLE_VALUE ) { int idx, n; for ( idx = 0; idx < ListView_GetItemCount(hList); idx++ ) { memset(entry_item, 0, sizeof(entry_item)); for ( n = 0; n < 3; n++ ) { memset(psz_text, 0, sizeof(psz_text)); ListView_GetItemText(hList, idx, n, psz_text, TEXTMAXBUF); if ( n == 0 ) { lstrcpy(entry_item, psz_text); lstrcat(entry_item, "\t\t"); } else { lstrcat(entry_item, "\t"); lstrcat(entry_item, psz_text); } } lstrcat(entry_item,"\r\n"); WriteFile(fichier, entry_item, strlen(entry_item), (LPDWORD)&i_dummy, NULL); } FlushFileBuffers(fichier); CloseHandle(fichier); } } break; case ID_FILE_EXIT: DestroyWindow(hWnd); break; } return 0; case WM_SIZE: //MoveWindow(hEdit, 10, 10, LOWORD(lParam) - 130, 25, TRUE); //MoveWindow(hButton, LOWORD(lParam) - 110, 10, 100, 25, TRUE); //MoveWindow(hList, 10, 50, LOWORD(lParam)-20, HIWORD(lParam)-80, TRUE); //MoveWindow(hStatic, 10, HIWORD(lParam)-30, LOWORD(lParam)-20, 25, TRUE); SendMessage(hState, WM_SIZE, wParam, lParam); return 0; // case WM_MOVE: // SetStatusText(hWnd); case WM_DESTROY: PostQuitMessage(0); return 0; } return (DefWindowProc(hWnd, iMessage, wParam, lParam)); } void RegEnum(HKEY *PHKEY_ENTRY, DWORD entry_count, char *str) { char lpSubKey[MAX_PATH]; char lpValue[MAX_PATH]; char key_path[4096]; DWORD i; LONG Result; DWORD Size; FILETIME FileTime; FILETIME LC_FileTime; SYSTEMTIME SysTime; HKEY key; char path_buffer[4096]={0}; DWORD crmd_time_value = 0; LVITEM LI; DWORD item_index = 0; char crmd_time[32] = { 0 }; char root_key[32] = { 0 }; if ( RegOpenKeyEx((HKEY)PHKEY_ENTRY[entry_count], str, 0, KEY_ALL_ACCESS, &key) != ERROR_SUCCESS) return ; LI.mask = LVIF_TEXT; LI.state = 0; LI.stateMask = 0; switch( (DWORD)PHKEY_ENTRY[entry_count]) { case (DWORD)HKEY_CURRENT_USER: strncpy(root_key, "HKEY_CURRENT_USER", sizeof(root_key)); break; case (DWORD)HKEY_LOCAL_MACHINE: strncpy(root_key, "HKEY_LOCAL_MACHINE", sizeof(root_key)); break; case (DWORD)HKEY_USERS: strncpy(root_key, "HKEY_USERS", sizeof(root_key)); break; case (DWORD)HKEY_CURRENT_CONFIG: strncpy(root_key, "HKEY_CURRENT_CONFIG", sizeof(root_key)); break; } // 서브키의 목록의 조사해 리스트 박스에 채워 넣는다. Result=ERROR_SUCCESS; for (i=0;Result==ERROR_SUCCESS;i++) { Size=MAX_PATH; Result=RegEnumKeyEx(key,i,lpSubKey,&Size,NULL,NULL,NULL,&FileTime); if (Result==ERROR_SUCCESS) { if ( ! strcmp(str, "") ) { wsprintf(path_buffer, "%s",lpSubKey); }else { wsprintf(path_buffer, "%s\\%s", str, (char *)lpSubKey); } wsprintf(key_path,"%s\\%s", root_key, path_buffer); // 진행 상황 출력 SendMessage(hState, SB_SETTEXT, 0, (LPARAM)key_path); FileTimeToLocalFileTime(&FileTime, &LC_FileTime); FileTimeToSystemTime(&LC_FileTime,&SysTime); crmd_time_value = GetAbsDayfromsystime(SysTime); if ( crmd_time_value >= start_time_value && crmd_time_value <= end_time_value) { wsprintf(crmd_time,"%d-%d-%d:%d-%d-%d",SysTime.wYear, SysTime.wMonth, SysTime.wDay,SysTime.wHour, SysTime.wMinute, SysTime.wSecond); for ( item_index = 0; item_index < 3; item_index ++ ) { LI.iSubItem = item_index; if ( ! item_index ) { LI.iItem = 0; LI.pszText =root_key; SendMessage(hList, LVM_INSERTITEM, 0, (LPARAM)&LI); } if ( item_index == 1 ) { LI.pszText = path_buffer; SendMessage(hList, LVM_SETITEM, 0, (LPARAM)&LI); } if ( item_index == 2 ) { LI.pszText = crmd_time; SendMessage(hList, LVM_SETITEM, 0, (LPARAM)&LI); } } } RegEnum(PHKEY_ENTRY, entry_count, path_buffer); } } RegCloseKey(key); } DWORD GetAbsDayfromsystime(SYSTEMTIME st) { INT64 i64; FILETIME fst; char debug_msg[16] = {0 }; st.wMilliseconds=st.wDayOfWeek=0; SystemTimeToFileTime(&st,&fst); i64=(((INT64)fst.dwHighDateTime) << 32) + fst.dwLowDateTime; i64 = i64 / 10000000 - (INT64)144000 * 86400; return (DWORD)i64; }

보안컨설턴트이신 김태훈 님의 작품

EnCase의 Registry Scan이나 Timeline Analysis로도 가능하지만...

소스까지 공개해주시다니 넘넘 감사합니다.

출처 : http://blog.paran.com/franc3sco/33307420

한 시스템에서 IE5.5 에서 IE8까지 테스트 가능


꽤 쓸만할 듯 합니다.

IE7이 설치된 XP, VISTA, Win7에서 동작한다는군요.

http://www.my-debugbar.com/wiki/IETester/HomePage

EnCase 6.14 버전이 출시되었습니다.

설치시 어떤 작업이 이루어지는지 보여줍니다. 보통 HASP Driver 설치에 시간이 많이 걸리곤 했죠.

Options 항목에 Code Page가 추가되었습니다.

어떤 역할을 할까요?

이제 EnCase 내부에서 RAR 파일도 Mount 해서 내용을 확인할 수 있습니다.

HPUX의 파일 시스템인 VxFS와 UFS를 지원합니다.

exFAT를 지원합니다.

그 밖에

Linen이 Multithread를 지원해서 Imaging 속도를 향상시켰다고 합니다. 해봐야 알듯합니다.

Firefox 3 분석을 제대로 해줍니다.

Vista 64에서 Prosuite(PDE,VFS,EDS)가 제대로 동작합니다.

다른 기능도 테스트 해봐야 할 듯합니다.

Forensic 조사자의 필수품이었던 Helix의 상용버전인 Helix 3 Pro의 신버전(2009R2)이 출시되었다네요.

기능 추가 사항 

- Ability to save hash values generated in the Hash window  

- Acquisitions now have a single file name for all three output files: chain of custody, log, and image name 
- Helix3 Pro will auto discover the Helix3 Pro Receiver application on the local network 
- Helix3 Pro Receiver can accept more than 1 incoming image at a time  
- Save search results to a log file  
- Automatic verification of image hashes  
- Ability to image RAM on Linux through the /dev/mem device  
- Renamed dropdown item from Helix Pro Server to Helix3 Pro Receiver  
- Added cloning feature to the Helix3 Pro bootable UI  
- Added ability to mount devices from bootable UI  
- Can send volatile data collection results to Helix3 Pro Receiver  
- Log file contains all the output locations  
- Added additional exception handling  
- Automatically detects if the destination location does not have enough space for an image file 
- Hash search result files to ensure integrity when copied  
- Custom 2.6.28 Linux Kernel 
- New targetiscsi ability which auto generates devices and makes them available read only to iscsi initiators 
- Add new user called helix client with password helix for ssh access (sshd auto starts on boot) 
- Added crypt setup to bootable side 
- Added sqlite3 to bootable side 
- Added autopsy 2.21 to bootable side 
- Switched to Ubuntu 9.04 base 
   

수정사항 

- Encoding problems for foreign languages 

- Adjusted bootable side wallpaper to work with all resolutions  
- Adjusted text in the About box  
- Leaving "Copy Files To:" field blank in Search Window causes NilObjectException Error  
- OutOfBoundsException error when sending volatile data to receiver  
- Adjusted the order of collection for all tools to meet order of volatility collection 
- Clicking on stop button doesn't stop Receiver application from receiving data  
- NilObjectException Error when skipping verification of image  
- NilObjectException Error with printing blank COC form  
- Exception when creating the Chain of Custody form  
- Stopping an image being sent to a Receiver causes a NilObjectException Error  
- "User Info" volatile data does nothing  
- Verification fails for image of live device saved to a locally attached storage device  
- Search box highlighted when on the Info screen  
- Fix NilObjectException Error possibility within launcher code  
- NilObjectException Error on Mac 10.4 when launcher and Helix3 Pro start  
- If destination is in path of search folder files copied to destination will be shown in search results  
- Search button is disabled when memory device is selected 

이전다음

012

좀 더 구체화된 소식이 있다기에 적어 봅니다. 

EnCase Portable Kit은 아래와 같이 구성됩니다. 

4GB USB drive with EnCase Portable preinstalled

16GB drive for additional storage

4 port USB hub

EnCase Portable security key

User guide

EnCase Portable installation CD

Carrying Case

 EnCase Portable로 부팅한 후에 아래의 정보를 수집할 수 있다고 합니다. 

Collect Internet Artifacts

Collect Windows Event Logs

ICONS

Collect all Word Documents

Collect all Images

All PST

All MPG

Collect all Archive Files

Capture Registry

Collect EXE Files

Collect all Email Archives

Collect Mail Archives

Collect TEMP Files

초기 대응 단계에서는 유용하게 쓰일 수도 있을 듯 합니다만...

나오고 써봐야 알겠죠? 구경할 기회가 있으려나 모르겠네요.

아래는 EnCase Portable 관련 Youtube 입니다. 참조하시기 바랍니다.

7월 출시 예정

출처 : http://www.gizmag.com/encase-portable/11756/

출처 : http://www.tradingmarkets.com/.site/news/Stock%20News/2332988/

EnCase Enterprise의 agent인 Servlet을 Sun Solaris에 설치하는 방법입니다.

현재 Sun Solaris Sparc (x86에는 설치되지 않습니다) 8,9,10 의 32/64 machine을 지원하고 있습니다.

일반적인 Servlet은 ELF 파일만 실행시켜주면 되지만 Solaris의 경우 Driver 설치가 필요합니다.

따라서 Servlet 패키지를 시스템에 업로드 한 뒤 압축을 푼 후 pkgadd 명령어를 이용해 설치합니다.

설치가 끝나면 실행해주시면 됩니다.

[solweb1:root:/var/spool/pkg]tar xvf GSIservl.tar x GSIservl/pkgmap, 1421 bytes, 3 테이프 블록 x GSIservl/pkginfo, 296 bytes, 1 테이프 블록 x GSIservl/root, 0 bytes, 0 테이프 블록 x GSIservl/root/usr, 0 bytes, 0 테이프 블록 x GSIservl/root/usr/kernel, 0 bytes, 0 테이프 블록 x GSIservl/root/usr/kernel/drv, 0 bytes, 0 테이프 블록 x GSIservl/root/usr/kernel/drv/gsidrv8, 7988 bytes, 16 테이프 블록 x GSIservl/root/usr/kernel/drv/gsidrv8.conf, 174 bytes, 1 테이프 블록 x GSIservl/root/usr/kernel/drv/gsidrv9, 7932 bytes, 16 테이프 블록 x GSIservl/root/usr/kernel/drv/gsidrv9.conf, 174 bytes, 1 테이프 블록 x GSIservl/root/usr/kernel/drv/sparcv9, 0 bytes, 0 테이프 블록 x GSIservl/root/usr/kernel/drv/sparcv9/gsidrv8, 14280 bytes, 28 테이프 블록 x GSIservl/root/usr/kernel/drv/sparcv9/gsidrv9, 14216 bytes, 28 테이프 블록 x GSIservl/root/usr/kernel/drv/sparcv9/gsidrv10, 7792 bytes, 16 테이프 블록 x GSIservl/root/usr/kernel/drv/gsidrv10.conf, 184 bytes, 1 테이프 블록 x GSIservl/root/usr/kernel/drv/gsidrv10, 4988 bytes, 10 테이프 블록 x GSIservl/install, 0 bytes, 0 테이프 블록 x GSIservl/install/postinstall, 270 bytes, 1 테이프 블록 x GSIservl/install/preremove, 156 bytes, 1 테이프 블록 x GSIservl/install/request, 2754 bytes, 6 테이프 블록 x GSIservl/reloc/encase/ensolsparc10, 1338600 bytes, 2615 테이프 블록 x GSIservl/reloc/encase/ensolsparc1064, 1225888 bytes, 2395 테이프 블록 x GSIservl/reloc/encase/ensolsparc8, 1356152 bytes, 2649 테이프 블록 x GSIservl/reloc/encase/ensolsparc864, 1249224 bytes, 2440 테이프 블록 x GSIservl/reloc/encase/ensolsparc9, 1327948 bytes, 2594 테이프 블록 x GSIservl/reloc/encase/ensolsparc964, 1214624 bytes, 2373 테이프 블록 [solweb1:root:/var/spool/pkg]ls GSIservl GSIservl.tar [solweb1:root:/var/spool/pkg]pkgadd GSIservl 패키지 예 <GSIservl>(을)를 </var/spool/pkg>에서 처리 중 Solaris servlet and driver for Encase Enterprise Edition (sparc) beta .1 Would you like to install the Encase Enterprise Edition Servlet for Solaris [y, n, q]? (default is yes, q to quit) Where would you like to install the Encase Enterprise Edition Servlet for Solaris [q, /usr/local]? (default is /usr/local, q to quit) 디렉토리 </usr/local>(을)를 패키지의 기본 디렉토리로 사용 ## 패키지 정보 처리 중 ## 시스템 정보 처리 중 3개 패키지 경로 이름이 이미 제대로 설치되어 있습니다. ## 디스크 공간 요구 검증 중 ## 이미 설치되어 있는 패키지와의 충돌 여부를 확인하고 있습니다. ## setuid/setgid 프로그램 점검 이 패키지에는 설치 과정 중 수퍼유저 권한으로 실행될 스크립트가 있습니다. <GSIservl>(을)를 계속 설치하겠습니까 [y,n,?] y Solaris servlet and driver for Encase Enterprise Edition(을)를 <GSIservl>(으)로 설치 ## 1째 (전체: 1) 부분 설치 [ 클래스 <serv> 검증 ] /usr/local/encase/ensolsparc964 [ 클래스 <serv964> 검증 ] [ 클래스 <driv> 검증 ] /usr/kernel/drv/gsidrv9 /usr/kernel/drv/gsidrv9.conf [ 클래스 <driv932> 검증 ] /usr/kernel/drv/sparcv9/gsidrv9 [ 클래스 <driv964> 검증 ] ## 설치 후 스크립트 실행 <GSIservl>(이)가 성공적으로 설치되었습니다. [solweb1:root:/var/spool/pkg] [solweb1:root:/var/spool/pkg]cd /usr/local/encase [solweb1:root:/usr/local/encase]ls -al 총 2404 drwx------ 2 root root 512 4월 30일 14:58 . drwxr-xr-x 7 root other 512 4월 30일 14:58 .. -rwx------ 1 root root 1214624 2004년 3월 16일 ensolsparc964 [solweb1:root:/usr/local/encase] [solweb1:root:/usr/local/encase] [solweb1:root:/usr/local/encase] [solweb1:root:/usr/local/encase]file ensolsparc964 ensolsparc964: ELF 64-비트 MSB 실행 가능 SPARCV9 버전 1, 동적으로 링크됨, 분리됨 [solweb1:root:/usr/local/encase]./ensolsparc964 -d -p /usr/local/encase [solweb1:root:/usr/local/encase]ps -ef | grep ensol root 1381 837 0 15:01:55 pts/9 0:00 grep ensol root 1378 1 0 15:01:49 ? 0:00 ./ensolsparc964 -d -p /usr/local/encase [solweb1:root:/usr/local/encase]netstat -an | grep 4445 *.4445 *.* 0 0 65880 0 LISTEN *.4445 *.* 0 0 65928 0 LISTEN *.4445 *.* 0 0 65880 0 LISTEN

실행 후 프로세스와 네트워크 상태를 확인해서 이상이 없으면 준비가 완료된 것입니다.