
1. Incident investigation - memory forensics

# Memory forensics
# volatility : memory dump analysis tool, one of the top 3
# dump acquisition : FTK, EnCase, DumpIt (Windows only)
Run cmd with administrator privileges
> setup.py build
> setup.py install
> vol.py -h
> vol.py -f data.vmem imageinfo # check which profile the image matches
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (D:\디지털포렌식_민병욱\2강\Tool\Vol\volatility\data.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800029ed070L
          Number of Processors : 2
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff800029eed00L
                KPCR for CPU 1 : 0xfffff880009ee000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-10-05 03:05:11 UTC+0000
     Image local date and time : 2016-10-04 21:05:11 -0600

> vol.py -f data.vmem --profile=Win2008R2SP1x64 pstree
> vol.py -f data.vmem --profile=Win2008R2SP1x64 pslist
> vol.py -f data.vmem --profile=Win2008R2SP1x64 psscan
0xfffffa8003ec7a70:SkypeC2AutoUpd                   1364   2528     15   1951 2016-10-04 12:07:51 UTC+0000
> vol.py -f data.vmem --profile=Win2008R2SP1x64 netscan
0x7d79e010         TCPv4    10.1.1.122:54905               54.174.131.235:80    CLOSED           1364     SkypeC2AutoUpd
> vol.py -f data.vmem --profile=Win2008R2SP1x64 cmdscan
# if nothing shows up, cmd was not used
> vol.py -f data.vmem --profile=Win2008R2SP1x64 iehistory   # internet usage
> vol.py -f data.vmem --profile=Win2008R2SP1x64 iehistory >> ie_history.txt   # save the history as a txt file in the current directory
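As an added example (not from the original post), a small Python triage script that parses pslist, psscan and netscan text like the rows above, joins each external connection to its owning process and parent, and flags PIDs that psscan finds but pslist does not; the sample rows are constructed and deliberately leave SkypeC2AutoUpd out of pslist.

```python
import ipaddress
import re
# Constructed rows in Volatility 2 pslist / psscan / netscan column layout. The SkypeC2AutoUpd
# rows mirror the listing above; it is deliberately left out of PSLIST to exercise the hidden check.
PSLIST = """\
0xfffffa8001f3a060 explorer.exe           2528   2496     31      951      1      0 2016-10-04 11:59:12 UTC+0000
"""
PSSCAN = """\
0x000000007d4fa060 explorer.exe       2528   2496 0x000000002f1ef000 2016-10-04 11:59:12 UTC+0000
0x000000007d8c7a70 SkypeC2AutoUpd     1364   2528 0x00000000312ef000 2016-10-04 12:07:51 UTC+0000
"""
NETSCAN = """\
0x7d79e010         TCPv4    10.1.1.122:54905               54.174.131.235:80    CLOSED           1364     SkypeC2AutoUpd
0x7d7b3f80         UDPv4    0.0.0.0:5355                   *:*                                   1044     svchost.exe
"""
PROC_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")

def parse_processes(text):
    # PID -> (name, PPID) from pslist or psscan rows; header and blank lines do not match
    procs = {}
    for m in (PROC_RE.match(ln) for ln in text.splitlines()):
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs

def parse_netscan(text):
    # (pid, owner, foreign address) per row; UDP rows carry no State column, so PID and owner shift left
    rows = []
    for f in (ln.split() for ln in text.splitlines()):
        if len(f) < 6 or not f[0].startswith("0x"):
            continue
        pid, owner = (f[5], f[6]) if f[1].startswith("TCP") else (f[4], f[5])
        rows.append((int(pid), owner, f[3]))
    return rows

def is_external(endpoint):
    # routable peer only: '*:*', 0.0.0.0, loopback and RFC1918 ranges are not
    host = endpoint.rsplit(":", 1)[0]
    return host[:1].isdigit() and ipaddress.ip_address(host).is_global

def triage(pslist, psscan, netscan):
    # join external peers to psscan and flag PIDs the linked EPROCESS list (pslist) misses
    listed, scanned = parse_processes(pslist), parse_processes(psscan)
    findings = []
    for pid, owner, foreign in parse_netscan(netscan):
        if is_external(foreign):
            name, ppid = scanned.get(pid, (owner, None))
            findings.append({"pid": pid, "name": name, "peer": foreign,
                             "parent": scanned.get(ppid, ("?",))[0], "hidden_from_pslist": pid not in listed})
    return findings
```

Feed it the saved text of the three real plugins and every process with a public peer comes back with its parent and unlinked status in one place.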

# MFT parser
Master File Table : the NTFS file system's index (Windows)
> metadata: files, directories, names, timestamps, whether modified, file size ...

> vol.py -f data.vmem --profile=Win2008R2SP1x64 mftparser >> mft.csv
# csv = a lightweight data file that opens in Excel
> vol.py -f data.vmem --profile=Win2008R2SP1x64 memdump -p 1364 -D ./
# create a dump of the process with PID 1364
> strings.exe 1364.dmp >> 1364.txt
# run strings over the raw dump to pull the readable (English) text into a txt file
> vol.py -f data.vmem --profile=Win2008R2SP1x64 filescan | findstr "png"
# check which image files are loaded in memory

> vol.py -f data.vmem --profile=Win2008R2SP1x64 dumpfiles -Q 0x000000007da574e0 -D ./
Volatility Foundation Volatility Framework 2.4
*** Failed to import volatility.plugins.mimikatz (ImportError: No module named construct)
*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)
DataSectionObject 0x7da574e0   None   \Device\HarddiskVolume1\Users\phillip.price\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ES41GRPK\BB90I6E[1].png

> vol.py -f data.vmem --profile=Win2008R2SP1x64 dumpfiles -Q 0x000000007e9bcf20 -D ./
DataSectionObject 0x7e9bcf20   None   \Device\HarddiskVolume1\Users\phillip.price\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\537DE0WP\BBAq9[1].png

> vol.py -f data.vmem --profile=Win2008R2SP1x64 dumpfiles -Q 0x000000007eb1cd30 -D ./
DataSectionObject 0x7eb1cd30   None   \Device\HarddiskVolume1\Users\phillip.price\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8KHN1NH9\AAiPW9F[1].png
# save the image files loaded in memory to the current directory
# if a file was written out as .dat, rename the extension to .png and it can be viewed
# Quiz) carve the suspected malware sky~ and save it as sky.exe
# first find the memory address where sky is stored
sky
0x000000007d8c7a70 SkypeC2AutoUpd     1364   2528 0x00000000312ef000 2016-10-04 12:07:51 UTC+0000
> vol.py -f data.vmem --profile=Win2008R2SP1x64 filescan | findstr "Sky"
0x000000007dbb69b0      7      0 R--r-d \Device\HarddiskVolume1\Users\PHILLI~1.PRI\AppData\Local\Temp\SkypeC2AutoUpdate.exe
> vol.py -f data.vmem --profile=Win2008R2SP1x64 dumpfiles -Q 0x000000007dbb69b0 -D ./
ImageSectionObject 0x7dbb69b0   None   \Device\HarddiskVolume1\Users\PHILLI~1.PRI\AppData\Local\Temp\SkypeC2AutoUpdate.exe
DataSectionObject 0x7dbb69b0   None   \Device\HarddiskVolume1\Users\PHILLI~1.PRI\AppData\Local\Temp\SkypeC2AutoUpdate.exe

# rename the .img file to Sky.exe and check it for viruses

VirusTotal (online file virus check)

> vol.py -f data.vmem --profile=Win2008R2SP1x64 filescan | findstr "Temp" >> tmp.txt
find the .dll in the txt file
0x00000000059f8bd0      9      0 R--r-d \Device\HarddiskVolume1\Users\PHILLI~1.PRI\AppData\Local\Temp\avicap32.dll
# a .dll file like this one is likely to be malicious
> vol.py -f data.vmem --profile=Win2008R2SP1x64 dumpfiles -Q 0x00000000059f8bd0 -D ./
# rename the .img file to mal.exe and check it for viruses
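As an added example (not part of the original post), a Python script that identifies what dumpfiles actually carved by magic bytes instead of trusting the .dat/.img extension, validates MZ files against the PE header, and computes SHA-256 so the hash can be searched on VirusTotal; the dump directory it builds is constructed sample data, not real carved files.

```python
import hashlib
import os
import tempfile

# File signatures (magic bytes) worth recognising in Volatility 2 dumpfiles output.
# dumpfiles names output file.<pid>.<offset>.dat (DataSectionObject), .img
# (ImageSectionObject) or .vacb, so the extension says nothing about the content.
SIGNATURES = [(b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpg"), (b"GIF8", "gif"),
              (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"MZ", "exe")]  # MZ: PE image (exe/dll)

def identify(head):
    # return the type for the first matching signature, or None if nothing matches
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None

def is_pe(data):
    # MZ header plus a 'PE\0\0' signature at e_lfanew (little-endian dword at 0x3c)
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"

def classify_dir(path):
    # (filename, type, sha256) per dump; dumpfiles zero-fills pages that were not resident, so the hash rarely matches the on-disk file
    results = []
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), "rb") as fh:
            data = fh.read()
        kind = identify(data[:8])
        if kind == "exe" and not is_pe(data):
            kind = "mz-no-pe"
        results.append((name, kind, hashlib.sha256(data).hexdigest()))
    return results

def make_sample_dir():
    # constructed stand-in for a dumpfiles -D ./ output directory (not real carved data)
    d = tempfile.mkdtemp()
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)
    pe[0x3C:0x40] = (0x40).to_bytes(4, "little")
    pe += b"PE\x00\x00" + b"\x00" * 32
    for name, blob in [("file.None.0x7da574e0.dat", png),
                       ("file.None.0x7dbb69b0.img", bytes(pe)),
                       ("file.None.0x7dbb69b0.dat", b"\x00" * 512)]:
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(blob)
    return d
```

Point classify_dir at the real dumpfiles output directory and the .img carved from SkypeC2AutoUpdate.exe comes back as a PE with a hash you can look up before handling the file any further.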