Forensic
1. Incident Investigation - Memory Forensics
# Memory Forensics
# volatility : memory dump analysis tool, one of the top 3
# dump : FTK, EnCase, DumpIt (Windows only)
Run cmd as administrator
> setup.py build
> setup.py install
> vol.py -h
> vol.py -f data.vmem imageinfo # check which profile the image matches
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (D:\디지털포렌식_민병성\2강\Tool\Vol\volatility\data.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800029ed070L
Number of Processors : 2
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xfffff800029eed00L
KPCR for CPU 1 : 0xfffff880009ee000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2016-10-05 03:05:11 UTC+0000
Image local date and time : 2016-10-04 21:05:11 -0600
> vol.py -f data.vmem --profile=Win2008R2SP1x64 pstree
> vol.py -f data.vmem --profile=Win2008R2SP1x64 pslist
> vol.py -f data.vmem --profile=Win2008R2SP1x64 psscan
0xfffffa8003ec7a70:SkypeC2AutoUpd 1364 2528 15 1951 2016-10-04 12:07:51 UTC+0000
> vol.py -f data.vmem --profile=Win2008R2SP1x64 netscan
0x7d79e010 TCPv4 10.1.1.122:54905 54.174.131.235:80 CLOSED 1364 SkypeC2AutoUpd
> vol.py -f data.vmem --profile=Win2008R2SP1x64 cmdscan
# if nothing comes back, cmd was not used
> vol.py -f data.vmem --profile=Win2008R2SP1x64 iehistory # internet usage
> vol.py -f data.vmem --profile=Win2008R2SP1x64 iehistory >> ie_history.txt # saves the history to a txt file in the current directory
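The psscan and netscan rows above are joined by hand on PID 1364. As an added example (not part of these notes), the script below parses those two Volatility 2 output layouts and reports every process that owns a non-local connection, with its parent name resolved from psscan; the explorer.exe and System rows are constructed sample input, and parsing TCP rows only is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample output in the Volatility 2 psscan / netscan layouts: the
# SkypeC2AutoUpd rows copy the notes above, the other rows are made up here.
PSSCAN_OUTPUT = """\
Offset(P)          Name           PID  PPID PDB                Time created
0x000000007d8c7a70 SkypeC2AutoUpd 1364 2528 0x00000000312ef000 2016-10-04 12:07:51 UTC+0000
0x000000007e1a2b30 explorer.exe   2528 2480 0x000000002c3f1000 2016-10-04 12:01:05 UTC+0000
"""
NETSCAN_OUTPUT = """\
Offset(P)  Proto Local Address    Foreign Address   State     Pid  Owner
0x7d79e010 TCPv4 10.1.1.122:54905 54.174.131.235:80 CLOSED    1364 SkypeC2AutoUpd
0x7d7a1c40 TCPv4 0.0.0.0:445      0.0.0.0:0         LISTENING 4    System
"""
# TCP rows only (assumption): UDP rows carry no State column and are skipped.
PS_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s+0x[0-9a-f]+\s+(\S+ \S+)")
NET_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)")
LOCAL_PREFIXES = ("0.0.0.0", "127.", "*:", "::", "[::")

def parse_psscan(text):
    procs = {}  # pid -> {name, ppid, created}; header rows do not match
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            name, pid, ppid, created = m.groups()
            procs[int(pid)] = {"name": name, "ppid": int(ppid), "created": created}
    return procs

def parse_netscan(text):
    conns = defaultdict(list)  # pid -> [(proto, local, foreign, state), ...]
    for line in text.splitlines():
        m = NET_RE.match(line)
        if m:
            proto, local, foreign, state, pid, _owner = m.groups()
            conns[int(pid)].append((proto, local, foreign, state))
    return conns

def triage(ps_text, net_text, ignore_pids=(0, 4)):
    """Processes with a foreign endpoint that is not local; a pid missing
    from psscan is reported as such, which itself deserves a closer look."""
    procs, conns = parse_psscan(ps_text), parse_netscan(net_text)
    report = {}
    for pid, clist in conns.items():
        remote = [c for c in clist if not c[2].startswith(LOCAL_PREFIXES)]
        if pid in ignore_pids or not remote:
            continue
        proc = procs.get(pid, {"name": "<not in psscan>", "ppid": None})
        parent = procs.get(proc["ppid"], {}).get("name", "<unknown>")
        report[pid] = {"name": proc["name"], "parent": parent, "remote": remote}
    return report
```

Feed it the real plugin output with `triage(open("psscan.txt").read(), open("netscan.txt").read())`; on the sample input it reports only PID 1364.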
# MFT parsing
Master File Table : NTFS file system (Windows)
> metadata, files, directories, names, timestamps, whether modified, file size ...
> vol.py -f data.vmem --profile=Win2008R2SP1x64 mftparser >> mft.csv
# csv = Excel-like, but a lightweight data file
> vol.py -f data.vmem --profile=Win2008R2SP1x64 memdump -p 1364 -D ./
# creates a dump file of the process with PID 1364
> strings.exe 1364.dmp >> 1364.txt
# use strings to pull the readable English text out of the dump file's hex into a txt file
> vol.py -f data.vmem --profile=Win2008R2SP1x64 filescan | findstr "png"
# check the image files loaded in memory
> vol.py -f data.vmem --profile=Win2008R2SP1x64 dumpfiles -Q 0x000000007da574e0 -D ./
Volatility Foundation Volatility Framework 2.4
*** Failed to import volatility.plugins.mimikatz (ImportError: No module named construct)
*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)
DataSectionObject 0x7da574e0 None \Device\HarddiskVolume1\Users\phillip.price\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ES41GRPK\BB90I6E[1].png
> vol.py -f data.vmem --profile=Win2008R2SP1x64 dumpfiles -Q 0x000000007e9bcf20 -D ./
DataSectionObject 0x7e9bcf20 None \Device\HarddiskVolume1\Users\phillip.price\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\537DE0WP\BBAq9[1].png
> vol.py -f data.vmem --profile=Win2008R2SP1x64 dumpfiles -Q 0x000000007eb1cd30 -D ./
DataSectionObject 0x7eb1cd30 None \Device\HarddiskVolume1\Users\phillip.price\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8KHN1NH9\AAiPW9F[1].png
# saves the image files loaded in memory to the current directory
# if a file was saved in .dat format, rename the extension to png and it can be viewed
# Quiz) the suspected malware sky~ : carve it and save it as sky.exe
# find the memory address where sky is stored
sky
0x000000007d8c7a70 SkypeC2AutoUpd 1364 2528 0x00000000312ef000 2016-10-04 12:07:51 UTC+0000
> vol.py -f data.vmem --profile=Win2008R2SP1x64 filescan | findstr "Sky"
0x000000007dbb69b0 7 0 R--r-d \Device\HarddiskVolume1\Users\PHILLI~1.PRI\AppData\Local\Temp\SkypeC2AutoUpdate.exe
> vol.py -f data.vmem --profile=Win2008R2SP1x64 dumpfiles -Q 0x000000007dbb69b0 -D ./
ImageSectionObject 0x7dbb69b0 None \Device\HarddiskVolume1\Users\PHILLI~1.PRI\AppData\Local\Temp\SkypeC2AutoUpdate.exe
DataSectionObject 0x7dbb69b0 None \Device\HarddiskVolume1\Users\PHILLI~1.PRI\AppData\Local\Temp\SkypeC2AutoUpdate.exe
# rename the img file to Sky.exe and check it for viruses
(check the file with an online virus scanner)
> vol.py -f data.vmem --profile=Win2008R2SP1x64 filescan | findstr "Temp" >> tmp.txt
search the txt file for .dll
0x00000000059f8bd0 9 0 R--r-d \Device\HarddiskVolume1\Users\PHILLI~1.PRI\AppData\Local\Temp\avicap32.dll
# the .dll file is very likely to be malware
> vol.py -f data.vmem --profile=Win2008R2SP1x64 dumpfiles -Q 0x00000000059f8bd0 -D ./
# rename the img file to mal.exe and check it for viruses
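The notes above rename dumpfiles output (.dat for a DataSectionObject, .img for an ImageSectionObject) to .png or .exe by hand. As an added example, not from these notes, this script picks the extension from the file's own header instead, and tells an EXE from a DLL via the PE Characteristics flag; the signature table, the make_pe sample input and the rename_by_magic helper are constructed here.

```python
import os
import struct

# Magic-number table (assumed set, not from the notes): dumpfiles writes
# *.dat / *.img regardless of what the bytes actually are.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]
IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF file header

def pe_kind(data):
    """Return 'exe', 'dll' or None after validating the MZ and PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return None
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"

def identify(data):
    """Map the first bytes of a dumped file to an extension; 'dat' if unknown."""
    for magic, ext in SIGNATURES:
        if data.startswith(magic):
            return ext
    return pe_kind(data) or "dat"

def rename_by_magic(path):
    """Rename a dumpfiles output (file.<pid>.<offset>.dat/.img) to its real type."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    ext = identify(head)
    if ext == "dat":          # unknown header: leave the file alone
        return path
    new_path = os.path.splitext(path)[0] + "." + ext
    os.rename(path, new_path)
    return new_path

def make_pe(dll=False):
    """Constructed minimal MZ + PE header, used only as sample input."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)            # e_lfanew -> 0x40
    coff = bytearray(b"PE\0\0" + b"\0" * 20)
    struct.pack_into("<H", coff, 22, IMAGE_FILE_DLL if dll else 0x0002)
    return bytes(header + coff)
```

A header that starts with MZ but has no valid PE signature stays .dat, which is the case worth inspecting by hand rather than renaming to .exe.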