Attribution-NonCommercial-NoDerivs 2.0 Korea. Users may freely copy, distribute, transmit, display, perform and broadcast this work, provided the following conditions are met. Attribution: you must credit the original author. NonCommercial: you may not use this work for commercial purposes. NoDerivs: you may not alter, transform or build upon this work. For any reuse or distribution you must make clear the license terms that apply to this work. These conditions do not apply if you obtain separate permission from the copyright holder. Users' rights under copyright law are not affected by the above. This is a human-readable summary of the Legal Code.
< NTFS on-disk layouts (figure; byte offsets 0x0 to 0xF per row) >
MFT entry header: Signature, Offset to Fixup Array, Fixup Array Entry Number, LSN ($LogFile Sequence Number), Sequence Value, Link Count, Offset to First Attribute, Flags, Used Size of MFT Entry, Allocated Size of MFT Entry, File Reference to Base MFT Entry, Next Attribute ID, Fixup Array.
Resident attribute header: Attribute Type ID, Length of Attribute, Resident Flag, Name Length, Offset to Name, Flags, Attribute ID, Size of Content, Offset of Content, INDX Flag, Unused.
$STANDARD_INFORMATION content: Creation Time, Modified Time, MFT Modified Time, Accessed Time, Flags, Max No. of Versions, Version No., Class ID, Owner ID, Security ID, Quota Charged, USN (Update Sequence Number).
$FILE_NAME attribute: general header (Attribute Type ID, Length of Attribute, Resident Flag, Name Length, Offset to Name, Flags, Attribute ID, Size of Content, Offset of Content, Unused), then File Reference of Parent Directory, Creation Time, Modified Time, MFT Modified Time, Accessed Time, Allocated Size, Actual (used) Size, Attribute Flags, Reparse Value, Name Length, Namespace, File Name.
Attribute general header: Attribute Type ID, Length of Attribute, Resident Flag, Name Length, Offset to Name, Flags, Attribute ID, Size of Content, Offset to Content.
$UsnJrnl:$J $DATA attribute header (non-resident, sparse), field: hex value = decoded value
Attribute type ID: 0x00000080 = 128 ($DATA)
Attribute length: 0x00000060 = 96
Resident / non-resident flag: 0x01 = non-resident
Attribute name length: 0x02 = 2
Attribute name offset: 0x0048 = 72
Flags: 0x8000 = sparse attribute
Attribute ID (unique per attribute): 0x0003 = 3
Run list starting VCN: 0x000000000000 = 0
Run list last VCN: 0x00000000446F = 17,519
Run list offset: 0x0050 = 80
Compression unit size: 0x0004 = 2^4 = 16 clusters
Unused: 00 00 00 00
Allocated size of the attribute content: 0x0000000004470000 = 71,761,920
Actual size of the attribute content: 0x0000000004436D18 = 71,527,704
Initialized size of the attribute content: 0x0000000004436D18 = 71,527,704
Compressed size (present only for sparse or compressed attributes, at offset 0x40): 00 00 07 02 00 00 00 00 = 0x02070000 = 34,013,184, the bytes backed by real clusters (8,304 x 4,096)
Attribute name: 24 00 4A 00 = "$J"
Stale bytes between the name and the run-list offset, unused: 83 37 68 82
Cluster run list, sparse run: 02 00 24. Header 0x02 = 2 length bytes, 0 offset bytes; length 0x2400 = 9,216 clusters with no LCN (not on disk)
Cluster run list, record run: 32 70 20 58 FE 25 00. Header 0x32 = 2 length bytes, 3 offset bytes; length 0x2070 = 8,304 clusters starting at LCN 0x25FE58 = 2,489,944; the 00 terminates the list (the following 8E 01 A0 F8 FF FF are stale, unused)
Run 1: start VCN 0, length 9,216 clusters: 9,216 x 4,096 = 37,748,736 bytes
Run 2: start LCN 2,489,944, length 8,304 clusters: (9,216 + 8,304) x 4,096 = 71,761,920 bytes, matching the allocated size
< Run list of the sparse region > 9,216 x 4,096 = 37,748,736
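The run-list decoding above is worth automating, because a USN is simply the record's byte offset inside $J and has to be mapped through these runs to find the record on disk. The following Python is an added example written for this page, not code from the paper or from NTFS Log Tracker; the attribute bytes are reconstructed from the table values (the 0x48-byte sparse header, the "$J" name, and the two runs), and the cluster size of 4,096 is the one the figures use.

```python
import struct

CLUSTER_SIZE = 4096  # cluster size of the volume in the worked example

# Sample attribute constructed from the values in the table above (not a dump
# of a real volume): the 0x48-byte non-resident $DATA header, the UTF-16LE name
# "$J", padding up to the run-list offset 0x50, and the two data runs.
HEADER = struct.pack(
    "<IIBBHHHQQHHIQQQQ",
    0x80,        # attribute type ($DATA)
    0x60,        # attribute length
    1,           # non-resident
    2,           # name length (UTF-16 code units)
    0x48,        # name offset
    0x8000,      # flags: sparse
    3,           # attribute ID
    0,           # starting VCN
    0x446F,      # last VCN
    0x50,        # run-list offset
    4,           # compression unit exponent (2**4 = 16 clusters)
    0,           # unused
    0x4470000,   # allocated size
    0x4436D18,   # actual size
    0x4436D18,   # initialised size
    0x2070000,   # compressed size: bytes backed by real clusters (sparse/compressed only)
)
ATTR = (HEADER + "$J".encode("utf-16-le") + b"\x00" * 4
        + bytes.fromhex("020024")        # run 1: 0x2400 clusters, no LCN (sparse)
        + bytes.fromhex("32702058FE25")  # run 2: 0x2070 clusters at LCN 0x25FE58
        + b"\x00")                       # end of run list
ATTR += b"\x00" * (0x60 - len(ATTR))


def parse_nonresident_header(attr):
    """Decode a non-resident attribute header. The compressed-size field at
    0x40 exists only when the compression-unit field is non-zero."""
    (atype, alen, nonres, name_len, name_off, flags, attr_id, start_vcn,
     last_vcn, run_off, cunit, _unused, alloc, actual, init
     ) = struct.unpack_from("<IIBBHHHQQHHIQQQ", attr, 0)
    hdr = {
        "type": atype, "length": alen, "nonresident": bool(nonres),
        "flags": flags, "attr_id": attr_id, "start_vcn": start_vcn,
        "last_vcn": last_vcn, "runlist_offset": run_off,
        "compression_unit_clusters": (1 << cunit) if cunit else 0,
        "allocated_size": alloc, "actual_size": actual, "initialized_size": init,
        "name": attr[name_off:name_off + 2 * name_len].decode("utf-16-le"),
    }
    if cunit:
        hdr["compressed_size"] = struct.unpack_from("<Q", attr, 0x40)[0]
    return hdr


def parse_runlist(attr, offset):
    """Return [(start_vcn, length_in_clusters, lcn_or_None)] per run. The
    header byte holds the length-field size (low nibble) and the LCN-delta
    size (high nibble); a delta size of 0 marks a sparse run."""
    runs, vcn, lcn, pos = [], 0, 0, offset
    while attr[pos] != 0:
        len_size, off_size = attr[pos] & 0x0F, attr[pos] >> 4
        pos += 1
        length = int.from_bytes(attr[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((vcn, length, None))
        else:
            # LCN deltas are signed and relative to the previous run's LCN
            lcn += int.from_bytes(attr[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((vcn, length, lcn))
        vcn += length
    return runs


def run_sizes(runs, cluster_size=CLUSTER_SIZE):
    """Byte totals as (sparse, backed by clusters, allocated = both)."""
    sparse = sum(n for _, n, lcn in runs if lcn is None) * cluster_size
    backed = sum(n for _, n, lcn in runs if lcn is not None) * cluster_size
    return sparse, backed, sparse + backed


def usn_to_volume_offset(runs, usn, cluster_size=CLUSTER_SIZE):
    """A USN is the record's byte offset inside $J. Map it through the runs to
    a byte offset on the volume; None means the USN lies in the sparse region,
    so that part of the journal is no longer on disk."""
    vcn, rem = divmod(usn, cluster_size)
    for start_vcn, length, lcn in runs:
        if start_vcn <= vcn < start_vcn + length:
            if lcn is None:
                return None
            return (lcn + vcn - start_vcn) * cluster_size + rem
    return None


if __name__ == "__main__":
    hdr = parse_nonresident_header(ATTR)
    runs = parse_runlist(ATTR, hdr["runlist_offset"])
    print(hdr["name"], runs, run_sizes(runs))
    print(hex(usn_to_volume_offset(runs, 0x2400000)))
```

The oldest record still on disk therefore sits at USN 0x2400000 = 37,748,736, exactly the size of the sparse run, and maps to cluster 2,489,944; any USN below that value belongs to journal data that NTFS has already released, which is why older records can only be found by carving unallocated space.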
$UsnJrnl record (USN_RECORD_V2) decoded, field: hex value = decoded value
Record length: 0x00000060 = 96
Major version: 0x0002 = 2
Minor version: 0x0000 = 0
File reference: 0x000000007952 / 0x0006 = MFT entry 31,058, sequence number 6
Parent file reference: 0x00000000A722 / 0x0001 = MFT entry 42,786, sequence number 1
USN: 0x0000000002400000 = 37,748,736 (the record's byte offset within $J; it equals the size of the sparse region, so this is the oldest record still on disk)
Timestamp: 0x01CAFACC90D5B665 = 2010-05-24 08:06:24 (UTC+9)
Reason flags 13): 0x80000002 = CLOSE | DATA_EXTEND (file/directory closed; data appended to the $DATA attribute)
Source info 14): 00 00 00 00 = 0
Security ID: 00 00 00 00 = 0
File attributes 15): 0x00002020 = FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED (a file, not a directory)
File name length: 0x0022 = 34 bytes (17 UTF-16LE characters)
File name offset: 0x003C = 60
File name: 53 00 43 00 6C 00 69 00 65 00 6E 00 74 00 41 00 70 00 70 00 73 00 2E 00 6C 00 6F 00 67 00 = "SBSClientApps.log" (the hex dump as extracted here shows only 15 of the 17 characters; the "42 00 53 00" for "BS" is missing)
$UsnJrnl:$Max attribute (resident) decoded, field: hex value = decoded value
Attribute type ID: 0x00000080 = 128 ($DATA)
Attribute length: 0x00000040 = 64
Resident / non-resident flag: 0x00 = resident
Attribute name length: 0x04 = 4
Attribute name offset: 0x0018 = 24
Flags: 0x0000 = 0
Attribute ID (unique per attribute): 0x0005 = 5
Size of attribute content: 0x00000020 = 32
Offset of attribute content: 0x0020 = 32
Unused: 0000
Attribute name: 24 00 4D 00 61 00 78 00 = "$Max"
Attribute content (four little-endian 64-bit values):
  00 00 00 02 00 00 00 00 = 0x02000000 = 33,554,432: maximum size of the $UsnJrnl file
  00 00 40 00 00 00 00 00 = 0x00400000 = 4,194,304: allocation delta, the number of bytes allocated or released at a time
  5A 1B 46 FF E1 E1 CA 01 = 0x01CAE1E1FF461B5A: USN journal ID
  00 00 00 00 00 00 00 00 = 0: lowest valid USN
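A parser for the two structures decoded above (the USN_RECORD_V2 record and the $Max content) makes the field values reproducible and lets the reason and attribute bit masks be expanded automatically. This is an added example written for this page, not code from the paper or from the NTFS $UsnJrnl Parser it uses; the record bytes are rebuilt from the table values, the flag names come from the appendix tables of this paper, and the UTC+9 offset is the time zone of the evidence images.

```python
import struct
from datetime import datetime, timedelta, timezone

USN_RECORD_V2 = struct.Struct("<IHHQQQQIIIIHH")   # 60-byte fixed part
USN_MAX = struct.Struct("<QQQQ")                    # $Max content
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Reason flags and file-attribute bits as listed in the appendix tables.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}
FILE_ATTRIBUTES = {
    0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x10: "DIRECTORY",
    0x20: "ARCHIVE", 0x40: "DEVICE", 0x80: "NORMAL", 0x100: "TEMPORARY",
    0x200: "SPARSE_FILE", 0x400: "REPARSE_POINT", 0x800: "COMPRESSED",
    0x1000: "OFFLINE", 0x2000: "NOT_CONTENT_INDEXED", 0x4000: "ENCRYPTED",
    0x8000: "INTEGRITY_STREAM", 0x10000: "VIRTUAL", 0x20000: "NO_SCRUB_DATA",
    0x40000: "RECALL_ON_OPEN", 0x400000: "RECALL_ON_DATA_ACCESS",
}


def decode_flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def filetime_to_utc(filetime):
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def fmt_local(dt_utc, offset_hours=9):
    """Render a UTC datetime in the evidence time zone (UTC+9 here)."""
    return (dt_utc + timedelta(hours=offset_hours)).strftime("%Y-%m-%d %H:%M:%S")


def split_file_reference(ref):
    """(MFT entry number, sequence number) from a 64-bit file reference."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def record_size(name_length_bytes):
    """USN_RECORD_V2 length: 60-byte header plus name, rounded up to 8."""
    return (60 + name_length_bytes + 7) & ~7


def parse_usn_record(buf, off=0):
    (length, major, minor, file_ref, parent_ref, usn, ts, reason, source,
     sec_id, attrs, name_len, name_off) = USN_RECORD_V2.unpack_from(buf, off)
    if major != 2 or length < USN_RECORD_V2.size or length % 8:
        raise ValueError("not a USN_RECORD_V2 at offset %d" % off)
    name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
    return {
        "length": length, "file_ref": split_file_reference(file_ref),
        "parent_ref": split_file_reference(parent_ref), "usn": usn,
        "timestamp": filetime_to_utc(ts), "reasons": decode_flags(reason, USN_REASONS),
        "source_info": source, "security_id": sec_id,
        "attributes": decode_flags(attrs, FILE_ATTRIBUTES), "name": name,
    }


def iter_usn_records(buf):
    """Walk a chunk of $J: records are 8-byte aligned, and the zero fill at
    the end of a journal page is skipped 8 bytes at a time."""
    off = 0
    while off + USN_RECORD_V2.size <= len(buf):
        if struct.unpack_from("<I", buf, off)[0] == 0:
            off += 8
            continue
        rec = parse_usn_record(buf, off)
        yield rec
        off += rec["length"]


def parse_usn_max(content):
    max_size, delta, journal_id, lowest = USN_MAX.unpack_from(content, 0)
    return {"max_size": max_size, "allocation_delta": delta,
            "journal_id": journal_id, "lowest_valid_usn": lowest}


# Sample record rebuilt from the decoded $UsnJrnl record above (constructed
# bytes; field values as on the page) and the $Max content from the table.
RECORD = USN_RECORD_V2.pack(
    0x60, 2, 0, 0x0006000000007952, 0x000100000000A722, 0x2400000,
    0x01CAFACC90D5B665, 0x80000002, 0, 0, 0x2020, 34, 60)
RECORD += "SBSClientApps.log".encode("utf-16-le")
RECORD += b"\x00" * (0x60 - len(RECORD))
MAX_CONTENT = bytes.fromhex("0000000200000000" "0000400000000000"
                            "5A1B46FFE1E1CA01" "0000000000000000")
```

Note that the timestamp is stored in UTC; the 08:06:24 in the table is the UTC+9 rendering of 23:06:24 on the previous day, which matters whenever journal times are compared with other artifacts that are already in local time.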
< Oldest $UsnJrnl records on the test disk (figure) >
Part of the oldest $UsnJrnl record found in unallocated space: timestamp 2013-11-19 10:56:11 (+9)
Part of the oldest $UsnJrnl record in the allocated $J data: timestamp 2017-01-23 00:35:37 (+9)
< Hard disk information > Label: Samsung, Model: HD502HJ, Total size: 465.8GB, Partitions: Part1 NTFS 341.8GB / Part2 NTFS 124GB, Formatted: 2012-11-29 17:14:21
< $LogFile record layout (figure; byte offsets 0x0 to 0xF per row) >
Record header: This LSN, Previous LSN, Client Undo LSN, Client Data Length, Client ID, Record Type, Transaction ID, Flags, Alignment or Reserved.
Client data header: Redo OP, Undo OP, Redo Offset, Redo Length, Undo Offset, Undo Length, Target Attribute, LCNs to Follow, Record Offset, Attribute Offset, MFT Cluster Index, Alignment or Reserved, Target VCN, Alignment or Reserved, Target LCN, Alignment or Reserved.
Comparison of $UsnJrnl and $LogFile
Recorded information: $UsnJrnl records the reason for each file/directory change; $LogFile records the state of the file/directory before and after each change.
Data recovery possible: $UsnJrnl no; $LogFile yes.
Location (default): $UsnJrnl exists only on the operating-system volume; $LogFile exists on every NTFS volume.
Logical file size: $UsnJrnl keeps growing; $LogFile is fixed.
Earlier records in unallocated space: $UsnJrnl yes (older records survive there); $LogFile no.
Clusters allocated to the file: $UsnJrnl varies within (maximum size + allocation delta) / cluster size; $LogFile constant.
File name: 1sttest.txt; event: file creation
MFT entry of 1sttest.txt: MFT entry number 5292 (or file offset / 1024 = 5292); LSN 0x0000000F23082597; USN 0x00000004970BB768
$LogFile record (last record of the event): MFT entry number = Target VCN x 4 + MFT cluster index / 2 = 5292 (a 4,096-byte cluster holds four 1,024-byte entries, and the cluster index is counted in 512-byte sectors); LSN 0x0000000F23082597
$UsnJrnl record (last record of the event): MFT entry number 5292; USN 0x00000004970BB768
Cross-reference of the MFT entry of 1sttest.txt with its $UsnJrnl records
MFT entry of 1sttest.txt: USN 0x00000004970BB768; creation time 2017-11-26 17:40:36 (0x01D366923AFCFFBD); parent MFT file reference 0x00040000000008B1; file name 1sttest.txt
$UsnJrnl records:
  USN 0x00000004970BB6B8, recorded 2017-11-26 17:40:36 (0x01D366923AFCFFBD), file name 1sttest.txt
  USN 0x00000004970BB710, recorded 2017-11-26 17:40:36 (0x01D366923AFCFFBD), file name 1sttest.txt
  USN 0x00000004970BB768, recorded 2017-11-26 17:40:39 (0x01D366923D0A8AAF), file name 1sttest.txt
The three USNs are 0x58 = 88 bytes apart, the 8-byte-aligned length of a USN_RECORD_V2 with an 11-character name (60 + 22 = 82, rounded up to 88), and the last of them is the USN stored in the entry's $STANDARD_INFORMATION attribute.
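The entry-number formula used above to tie a $LogFile record to 1sttest.txt's MFT entry can be checked with a small parser of the record layout from the figure. This is an added example written for this page, not code from the paper or from NTFS Log Tracker; the LSN 0x0F23082597 and the resulting entry number 5292 are the values from the table, while every other field value (target VCN 1323, op codes, offsets) is constructed for illustration, and the redo/undo offsets are taken as relative to the start of the client data.

```python
import struct

# Layouts follow the $LogFile record figure above: a 48-byte record header
# followed by a 40-byte client-data header.
RECORD_HEADER = struct.Struct("<QQQIIIIH6s")
CLIENT_HEADER = struct.Struct("<12H4I")

LOG_OPS = {  # selected redo/undo operation codes
    0x00: "Noop", 0x02: "InitializeFileRecordSegment",
    0x03: "DeallocateFileRecordSegment", 0x05: "CreateAttribute",
    0x06: "DeleteAttribute", 0x07: "UpdateResidentValue",
    0x08: "UpdateNonResidentValue", 0x0B: "SetNewAttributeSizes",
    0x0E: "AddIndexEntryAllocation", 0x0F: "DeleteIndexEntryAllocation",
    0x13: "UpdateFileNameRoot", 0x14: "UpdateFileNameAllocation",
    0x15: "SetBitsInNonResidentBitMap", 0x16: "ClearBitsInNonResidentBitMap",
    0x1B: "ForgetTransaction",
}


def mft_entry_number(target_vcn, mft_cluster_index, cluster_size=4096, entry_size=1024):
    """Target VCN is relative to $MFT; the cluster index is in 512-byte units.
    With 4 KiB clusters and 1 KiB entries this is VCN * 4 + index / 2."""
    return target_vcn * (cluster_size // entry_size) + (mft_cluster_index * 512) // entry_size


def parse_logfile_record(buf, off=0, cluster_size=4096):
    (this_lsn, prev_lsn, undo_lsn, data_len, client_id, rec_type, txn_id,
     flags, _res) = RECORD_HEADER.unpack_from(buf, off)
    client = off + RECORD_HEADER.size
    (redo_op, undo_op, redo_off, redo_len, undo_off, undo_len, target_attr,
     lcns, rec_off, attr_off, mft_idx, _a, target_vcn, _b, target_lcn,
     _c) = CLIENT_HEADER.unpack_from(buf, client)
    return {
        "this_lsn": this_lsn, "previous_lsn": prev_lsn, "client_undo_lsn": undo_lsn,
        "record_type": rec_type, "transaction_id": txn_id,
        "redo_op": LOG_OPS.get(redo_op, hex(redo_op)),
        "undo_op": LOG_OPS.get(undo_op, hex(undo_op)),
        "redo": bytes(buf[client + redo_off:client + redo_off + redo_len]),
        "undo": bytes(buf[client + undo_off:client + undo_off + undo_len]),
        "target_attribute": target_attr, "lcns_to_follow": lcns,
        "record_offset": rec_off, "attribute_offset": attr_off,
        "mft_cluster_index": mft_idx, "target_vcn": target_vcn,
        "target_lcn": target_lcn,
        # only meaningful when the target attribute is $MFT's $DATA stream
        "mft_entry": mft_entry_number(target_vcn, mft_idx, cluster_size),
        "next_offset": client + ((data_len + 7) & ~7),  # records are 8-byte aligned
    }


# Constructed sample: LSN and the resulting entry number come from the table
# above; all other values are made up for illustration.
REDO = bytes.fromhex("0100000000000000")
UNDO = bytes.fromhex("0000000000000000")
CLIENT = CLIENT_HEADER.pack(
    0x07, 0x07,                 # redo/undo op: UpdateResidentValue
    CLIENT_HEADER.size, 8,      # redo data offset (from client data start) / length
    CLIENT_HEADER.size + 8, 8,  # undo data offset / length
    0x18, 1,                    # target attribute (open-attribute index), LCNs to follow
    0x38, 0x00,                 # record offset, attribute offset
    0, 0,                       # MFT cluster index, alignment
    1323, 0,                    # target VCN (relative to $MFT), alignment
    0x0C0000, 0)                # target LCN, alignment
CLIENT += REDO + UNDO
SAMPLE = RECORD_HEADER.pack(
    0x0F23082597,               # this LSN (from the table above)
    0x0F23082540, 0,            # previous LSN, client undo LSN
    len(CLIENT), 0, 1, 0x10, 0, b"\x00" * 6) + CLIENT

if __name__ == "__main__":
    rec = parse_logfile_record(SAMPLE)
    print(hex(rec["this_lsn"]), rec["redo_op"], rec["mft_entry"])
```

Two caveats apply when running this over a real $LogFile: log records live inside 4 KiB log pages with their own headers and update-sequence fixups, which this parser does not strip, so a record that spans a page boundary must be reassembled first; and the VCN-to-entry formula only holds for records whose target attribute is the $MFT $DATA stream, not for index-buffer (INDX) updates, whose VCN is relative to the directory's $INDEX_ALLOCATION.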
< MFT entry of 1sttest.txt, before being overwritten >
< MFT entry of 2ndtest.txt, after overwriting >
Scenario
The defendant is an investigative-agency employee in charge of digital evidence analysis. The defendant took over work-related documents and a desktop PC from a former team leader who is currently under prosecution investigation in the K case. While reviewing the hand-over materials, the defendant found that some of the K-case evidence among the documents the former team leader had managed was problematic and, fearing being investigated in a related case as well, decided to delete those documents and attempted to destroy the evidence as follows:
- Delete the relevant documents
- Change the system time to a time before the incident
- At the changed time, delete a specific directory and all files in it
- Clear the event logs
- Run disk defragmentation
- Set the system time back to the current time
- Download the secure-deletion program Moo0 Anti Recovery 1.11
- Run Moo0 Anti Recovery 1.11 to wipe file-name traces
- Uninstall Moo0 Anti Recovery 1.11
Item: Content
Image file: 증거인멸사례.E01 (evidence-destruction case)
Operating system: Windows 7 Professional
File system: NTFS
Time zone: UTC+09:00
Imaging, file extraction and analysis tool: EnCase v7.12.01
$UsnJrnl analysis tools: NTFS Log Tracker, NTFS $UsnJrnl Parser (v5.0.1) 33)
Prefetch analysis tool: WinPrefetchView v1.3.5
Event log analysis tool: Event Log Explorer v4.6.1.2115
Time / Action / Method
Around 2017-11-11 18:30 / Batch deletion of the 5 target documents / Delete key
Around 2017-11-11 18:40 / System time change / Windows time-setting function
Around 2017-10-11 18:41 / Deletion of 1 directory containing 3 documents / Delete key
Around 2017-10-11 18:42 / Event log clearing and disk defragmentation / Windows built-in functions
Around 2017-10-11 18:50 / System time change / Internet Time > Update now
Around 2017-11-11 19:05 / Download of the deletion program Moo0 Anti Recovery 1.11 / Not executed yet
Around 2017-11-11 19:35 / Moo0 Anti Recovery 1.11 executed / Option no. 5, file-name traces, selected
Around 2017-11-11 19:45 / Moo0 Anti Recovery 1.11 removed / Program run and uninstalled
Record / Time / Action
1 / 2017-11-11 18:30:20 / Batch deletion of the 5 target documents
2 / 2017-11-11 18:40:29 / System time change (2017-11-11 changed to 2017-10-11)
3 / 2017-10-11 18:41:06 / Deletion of 1 directory containing 3 documents
4 / 2017-10-11 18:42:26 to 18:43:16 / Event log clearing and disk defragmentation
5 / 2017-10-11 18:43:26 / System time change (2017-10-11 restored to 2017-11-11)
6 / 2017-11-11 19:05:13 / Download of the deletion program Moo0 Anti Recovery 1.11 (records omitted)
7 / 2017-11-11 19:35:16 onward / Moo0 Anti Recovery 1.11 executed (records omitted)
8 / 2017-11-11 19:45:30 / Moo0 Anti Recovery 1.11 removed (records omitted)
Event Viewer-related paths:
- \Users\Yun_Desktop\AppData\Roaming\Microsoft\MMC\eventvwr
- \Users\Yun_Desktop\AppData\Local\Microsoft\Event Viewer\RecentViews
- \ProgramData\Microsoft\Event Viewer\Windows 로그\Channel_0.xml (the localized "Windows Logs" folder)
- \Users\Yun_Desktop\AppData\Local\Microsoft\Event Viewer\Settings.Xml
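The records for this scenario show the one property that defeats a backdated system clock: USNs are assigned in write order, so a timestamp that goes backwards along increasing USN is the clock change itself, and every record up to the first timestamp that is again at or past the pre-change time was written under the false clock. The Python below is an added example written for this page, not code from the paper or its tools; the events are constructed to follow the record timeline above (USNs, file names and reason sets are made up, the clock values are the scenario's).

```python
from collections import namedtuple
from datetime import datetime

UsnEvent = namedtuple("UsnEvent", "usn timestamp name reasons")

# Constructed $UsnJrnl events following the record timeline above. USNs, names
# and reason strings are invented; the timestamps are the scenario's (UTC+9).
EVENTS = [
    UsnEvent(0x49700000, datetime(2017, 11, 11, 18, 30, 20), "K_case_memo.hwp", "FILE_DELETE|CLOSE"),
    UsnEvent(0x49700058, datetime(2017, 11, 11, 18, 40, 29), "NTUSER.DAT.LOG1", "DATA_OVERWRITE|CLOSE"),
    UsnEvent(0x497000B0, datetime(2017, 10, 11, 18, 41, 6), "Report\\draft.docx", "FILE_DELETE|CLOSE"),
    UsnEvent(0x49700108, datetime(2017, 10, 11, 18, 42, 26), "Security.evtx", "DATA_TRUNCATION|CLOSE"),
    UsnEvent(0x49700160, datetime(2017, 11, 11, 19, 5, 13), "Moo0AntiRecovery_setup.exe", "FILE_CREATE|CLOSE"),
]


def find_clock_set_backs(events):
    """Sort by USN (write order) and look for a timestamp lower than its
    predecessor. The records from there up to the first timestamp that is
    again >= the pre-change time were written under the manipulated clock;
    their real time lies between the two honest timestamps around them."""
    events = sorted(events, key=lambda e: e.usn)
    findings = []
    i = 1
    while i < len(events):
        before, first = events[i - 1], events[i]
        if first.timestamp >= before.timestamp:   # equal seconds are normal
            i += 1
            continue
        j = i
        while j < len(events) and events[j].timestamp < before.timestamp:
            j += 1
        findings.append({
            "set_back_after_usn": before.usn,
            "set_back_by_seconds": (before.timestamp - first.timestamp).total_seconds(),
            "affected": events[i:j],
            "restored_at_usn": events[j].usn if j < len(events) else None,
            "not_before": before.timestamp,
            "not_after": events[j].timestamp if j < len(events) else None,
        })
        i = j + 1
    return findings


if __name__ == "__main__":
    for f in find_clock_set_backs(EVENTS):
        print("clock set back by %.0f s after USN %#x" % (f["set_back_by_seconds"], f["set_back_after_usn"]))
        for e in f["affected"]:
            print("  written under false clock:", e.name, e.timestamp, "real time in",
                  f["not_before"], "..", f["not_after"])
```

The "not before / not after" bounds are the useful output: the directory deletion and event-log clearing claim October 11, but the surrounding honest records pin them to between 18:40:29 and 19:05:13 on November 11, which is what the timeline above reconstructs.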
Scenario
The defendant is currently a senior researcher in the R&D team of company K. On changing jobs the defendant agreed to join company K as a senior researcher on condition of supplying core technical information from the previous employer, company L, and before leaving decided to take the technical data and drawings for L's core technology 'BMX-S500J' together with the Excel file used to manage the related ledger, attempting the leak as follows:
- Change the company name inside BMX-S500J.xlsx to company K
- Rename BMX-S500J.xlsx to 'Project_A505.xlsx'
- Use the 'NewFileTime' program to change the creation date of Project_A505.xlsx to '2015-11-10 16:50:26'
- Upload 'Project_A505.xlsx' through the defendant's own iCloud account
- Delete 'Project_A505.xlsx' with the secure-deletion program 'Eraser'
Information obtained by the investigating agency: the name of the leaked technology project, BMX-S500J
Item: Content
Image file: 가상시나리오_기술유출.E01 (hypothetical scenario, technology leak)
Operating system: Windows 8.1 Pro K
File system: NTFS
Time zone: UTC+09:00
Imaging, file extraction and analysis tool: EnCase v7.12.01
$UsnJrnl analysis tools: NTFS Log Tracker, NTFS $UsnJrnl Parser (v5.0.1)
Time / Action / Method
Around 2017-11-27 15:47 / File content change / One cell changed in each of two sheets of BMX-S500J.xlsx (same text length)
Around 2017-11-27 16:08 / File rename / BMX-S500J.xlsx > Project_A505.xlsx
Around 2017-11-27 16:33 / Timestamp change / Modified, created and accessed times changed with the NewFileTime 36) program
Around 2017-11-27 16:40 / Upload of Project_A505.xlsx to iCloud 37) / Logged in to the bookmarked iCloud site and uploaded the file
Around 2017-11-27 17:01 / Deletion of Project_A505.xlsx / Deleted with the file-wiping program 'Eraser' 38), 'Gutmann 39) (35 passes)' selected
Record / Time / Action
1 / 2017-11-27 15:47:07 / File content change
2 / 2017-11-27 16:08:40 / File rename
3 / 2017-11-27 16:33:35 to 16:35:10 / Timestamp change (records omitted)
4 / 2017-11-27 16:40:54 to 16:41:21 / Upload to iCloud (records omitted)
5 / 2017-11-27 17:00:42 to 17:01:24 / File deletion with 'Eraser' (records omitted)
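Two things make this scenario tractable from $UsnJrnl alone: the file reference number (MFT entry plus sequence) stays the same across the rename, so the history of 'BMX-S500J.xlsx' continues under 'Project_A505.xlsx', and every journal record carries its own timestamp, so content writes logged at 15:47 and 17:00 on 2017-11-27 contradict a $STANDARD_INFORMATION modified time of 2015. The Python below is an added example written for this page, not code from the paper or its tools; the events are constructed to follow the record timeline above (the file reference 4711/2, USNs and reason sets are invented, the times and names are the scenario's) and the $STANDARD_INFORMATION values are the ones NewFileTime set in the scenario.

```python
from collections import namedtuple
from datetime import datetime

UsnEvent = namedtuple("UsnEvent", "usn file_ref timestamp name reasons")

# Constructed $UsnJrnl events following the record timeline above.
FILE_REF = (4711, 2)   # (MFT entry, sequence): invented; survives the rename
EVENTS = [
    UsnEvent(0x500000, FILE_REF, datetime(2017, 11, 27, 15, 47, 7), "BMX-S500J.xlsx", {"DATA_OVERWRITE", "CLOSE"}),
    UsnEvent(0x500060, FILE_REF, datetime(2017, 11, 27, 16, 8, 40), "BMX-S500J.xlsx", {"RENAME_OLD_NAME"}),
    UsnEvent(0x5000C0, FILE_REF, datetime(2017, 11, 27, 16, 8, 40), "Project_A505.xlsx", {"RENAME_NEW_NAME", "CLOSE"}),
    UsnEvent(0x500120, FILE_REF, datetime(2017, 11, 27, 16, 33, 35), "Project_A505.xlsx", {"BASIC_INFO_CHANGE", "CLOSE"}),
    UsnEvent(0x500180, FILE_REF, datetime(2017, 11, 27, 17, 0, 42), "Project_A505.xlsx", {"DATA_OVERWRITE", "CLOSE"}),
    UsnEvent(0x5001E0, FILE_REF, datetime(2017, 11, 27, 17, 1, 24), "Project_A505.xlsx", {"FILE_DELETE", "CLOSE"}),
    UsnEvent(0x500240, (9000, 1), datetime(2017, 11, 27, 17, 2, 0), "unrelated.txt", {"FILE_CREATE", "CLOSE"}),
]
# $STANDARD_INFORMATION times as the entry now reads them (set by NewFileTime)
SI_CREATED = datetime(2015, 11, 10, 16, 50, 26)
SI_MODIFIED = datetime(2015, 11, 10, 16, 50, 26)

CONTENT_REASONS = {"DATA_OVERWRITE", "DATA_EXTEND", "DATA_TRUNCATION",
                   "NAMED_DATA_OVERWRITE", "NAMED_DATA_EXTEND", "NAMED_DATA_TRUNCATION"}


def history_for(events, file_ref):
    return sorted((e for e in events if e.file_ref == file_ref), key=lambda e: e.usn)


def name_history(events, file_ref):
    """Names the file carried, in journal order; the file reference links the
    RENAME_OLD_NAME / RENAME_NEW_NAME pair to one object."""
    names = []
    for e in history_for(events, file_ref):
        if not names or e.name != names[-1]:
            names.append(e.name)
    return names


def find_refs_by_name(events, needle):
    """File references that ever carried a name containing `needle`, even if
    the file was later renamed or deleted (the starting point when only the
    project name is known)."""
    return sorted({e.file_ref for e in events if needle.lower() in e.name.lower()})


def timestomp_evidence(events, file_ref, si_created, si_modified):
    """Each journal record proves activity at its own timestamp. Content
    writes after the claimed modified time, or a FILE_CREATE after the
    claimed creation time, contradict $STANDARD_INFORMATION; BASIC_INFO_CHANGE
    records show when attributes or timestamps were rewritten."""
    out = {"content_after_modified": [], "create_after_created": [], "basic_info_changes": []}
    for e in history_for(events, file_ref):
        if e.reasons & CONTENT_REASONS and e.timestamp > si_modified:
            out["content_after_modified"].append(e.usn)
        if "FILE_CREATE" in e.reasons and e.timestamp > si_created:
            out["create_after_created"].append(e.usn)
        if "BASIC_INFO_CHANGE" in e.reasons:
            out["basic_info_changes"].append(e.usn)
    out["timestomped"] = bool(out["content_after_modified"] or out["create_after_created"])
    return out


if __name__ == "__main__":
    for ref in find_refs_by_name(EVENTS, "BMX-S500J"):
        print(ref, name_history(EVENTS, ref))
        print(timestomp_evidence(EVENTS, ref, SI_CREATED, SI_MODIFIED))
```

Searching the journal for the project name the investigators already have returns the file reference, the reference yields the later name 'Project_A505.xlsx', and the two DATA_OVERWRITE records dated 2017-11-27 show that the 2015 modification time cannot be genuine; the BASIC_INFO_CHANGE record at 16:33:35 is the moment the timestamps were rewritten.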
USN reason flags (Reason member of USN_RECORD_V2)
Value / Meaning
BASIC_INFO_CHANGE 0x00008000: A user has either changed one or more file or directory attributes (for example, the read-only, hidden, system, archive, or sparse attribute), or one or more time stamps.
CLOSE 0x80000000: The file or directory is closed.
COMPRESSION_CHANGE 0x00020000: The compression state of the file or directory is changed from or to compressed.
DATA_EXTEND 0x00000002: The file or directory is extended (added to).
DATA_OVERWRITE 0x00000001: The data in the file or directory is overwritten.
DATA_TRUNCATION 0x00000004: The file or directory is truncated.
EA_CHANGE 0x00000400: The user made a change to the extended attributes of a file or directory.
ENCRYPTION_CHANGE 0x00040000: The file or directory is encrypted or decrypted.
FILE_CREATE 0x00000100: The file or directory is created for the first time.
FILE_DELETE 0x00000200: The file or directory is deleted.
HARD_LINK_CHANGE 0x00010000: An NTFS file system hard link is added to or removed from the file or directory.
INDEXABLE_CHANGE 0x00004000: A user changes the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute.
INTEGRITY_CHANGE 0x00800000: A user changed the state of the FILE_ATTRIBUTE_INTEGRITY_STREAM attribute for the given stream.
NAMED_DATA_EXTEND 0x00000020: One or more named data streams for a file are extended (added to).
NAMED_DATA_OVERWRITE 0x00000010: The data in one or more named data streams for a file is overwritten.
NAMED_DATA_TRUNCATION 0x00000040: One or more named data streams for a file are truncated.
OBJECT_ID_CHANGE 0x00080000: The object identifier of a file or directory is changed.
RENAME_NEW_NAME 0x00002000: A file or directory is renamed, and the file name in the USN_RECORD_V2 structure is the new name.
RENAME_OLD_NAME 0x00001000: The file or directory is renamed, and the file name in the USN_RECORD_V2 structure is the previous name.
REPARSE_POINT_CHANGE 0x00100000: The reparse point that is contained in a file or directory is changed, or a reparse point is added to or deleted from a file or directory.
SECURITY_CHANGE 0x00000800: A change is made in the access rights to a file or directory.
STREAM_CHANGE 0x00200000: A named stream is added to or removed from a file, or a named stream is renamed.
TRANSACTED_CHANGE 0x00400000: The given stream is modified through a TxF transaction.
USN source info flags (SourceInfo member of USN_RECORD_V2)
Value / Meaning
USN_SOURCE_DATA_MANAGEMENT 0x00000001: The operation provides information about a change to the file or directory made by the operating system. A typical use is when the Remote Storage system moves data from external to local storage. Remote Storage is the hierarchical storage management software. Such a move usually at a minimum adds the USN_REASON_DATA_OVERWRITE flag to a USN record. However, the data has not changed from the user's point of view. By noting USN_SOURCE_DATA_MANAGEMENT in the SourceInfo member, you can determine that although a write operation is performed on the item, data has not changed.
USN_SOURCE_AUXILIARY_DATA 0x00000002: The operation adds a private data stream to a file or directory. An example might be a virus detector adding checksum information. As the virus detector modifies the item, the system generates USN records. USN_SOURCE_AUXILIARY_DATA indicates that the modifications did not change the application data.
USN_SOURCE_REPLICATION_MANAGEMENT 0x00000004: The operation is modifying a file to match the contents of the same file which exists in another member of the replica set.
USN_SOURCE_CLIENT_REPLICATION_MANAGEMENT 0x00000008: The operation is modifying a file on client systems to match the contents of the same file that exists in the cloud.

File attribute constants (FileAttributes member of USN_RECORD_V2)
Value / Meaning
FILE_ATTRIBUTE_ARCHIVE 32 (0x20): A file or directory that is an archive file or directory. Applications typically use this attribute to mark files for backup or removal.
FILE_ATTRIBUTE_COMPRESSED 2048 (0x800): A file or directory that is compressed. For a file, all of the data in the file is compressed. For a directory, compression is the default for newly created files and subdirectories.
FILE_ATTRIBUTE_DEVICE 64 (0x40): This value is reserved for system use.
FILE_ATTRIBUTE_DIRECTORY 16 (0x10): The handle that identifies a directory.
FILE_ATTRIBUTE_ENCRYPTED 16384 (0x4000): A file or directory that is encrypted. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.
FILE_ATTRIBUTE_HIDDEN 2 (0x2): The file or directory is hidden. It is not included in an ordinary directory listing.
FILE_ATTRIBUTE_INTEGRITY_STREAM 32768 (0x8000): The directory or user data stream is configured with integrity (only supported on ReFS volumes). It is not included in an ordinary directory listing. The integrity setting persists with the file if it's renamed. If a file is copied the destination file will have integrity set if either the source file or destination directory have integrity set. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This flag is not supported until Windows Server 2012.
FILE_ATTRIBUTE_NORMAL 128 (0x80): A file that does not have other attributes set. This attribute is valid only when used alone.
FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 8192 (0x2000): The file or directory is not to be indexed by the content indexing service.
FILE_ATTRIBUTE_NO_SCRUB_DATA 131072 (0x20000): The user data stream is not to be read by the background data integrity scanner (AKA scrubber). When set on a directory it only provides inheritance. This flag is only supported on Storage Spaces and ReFS volumes. It is not included in an ordinary directory listing. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This flag is not supported until Windows 8 and Windows Server 2012.
FILE_ATTRIBUTE_OFFLINE 4096 (0x1000): The data of a file is not available immediately. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is the hierarchical storage management software. Applications should not arbitrarily change this attribute.
FILE_ATTRIBUTE_READONLY 1 (0x1): A file that is read-only. Applications can read the file, but cannot write to it or delete it. This attribute is not honored on directories. For more information, see "You cannot view or change the Read-only or the System attributes of folders in Windows Server 2003, in Windows XP, in Windows Vista or in Windows 7".
FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS 4194304 (0x400000): When this attribute is set, it means that the file or directory is not fully present locally. For a file that means that not all of its data is on local storage (e.g. it may be sparse with some data still in remote storage). For a directory it means that some of the directory contents are being virtualized from another location. Reading the file / enumerating the directory will be more expensive than normal, e.g. it will cause at least some of the file/directory content to be fetched from a remote store. Only kernel-mode callers can set this bit.
FILE_ATTRIBUTE_RECALL_ON_OPEN 262144 (0x40000): This attribute only appears in directory enumeration classes (FILE_DIRECTORY_INFORMATION, FILE_BOTH_DIR_INFORMATION, etc.). When this attribute is set, it means that the file or directory has no physical representation on the local system; the item is virtual. Opening the item will be more expensive than normal, e.g. it will cause at least some of it to be fetched from a remote store.
FILE_ATTRIBUTE_REPARSE_POINT 1024 (0x400): A file or directory that has an associated reparse point, or a file that is a symbolic link.
FILE_ATTRIBUTE_SPARSE_FILE 512 (0x200): A file that is a sparse file.
FILE_ATTRIBUTE_SYSTEM 4 (0x4): A file or directory that the operating system uses a part of, or uses exclusively.
FILE_ATTRIBUTE_TEMPORARY 256 (0x100): A file that is being used for temporary storage. File systems avoid writing data back to mass storage if sufficient cache memory is available, because typically, an application deletes a temporary file after the handle is closed. In that scenario, the system can entirely avoid writing the data. Otherwise, the data is written after the handle is closed.
FILE_ATTRIBUTE_VIRTUAL 65536 (0x10000): This value is reserved for system use.