FORENSIC INSIGHT SEMINAR
Case Study #1 w/ volatility
ykei
ykei.egloos.com
forensicinsight.org Page 2 / 35
Overview
1. Background
2. Volatility
3. Log2timeline
4. IIS Log
Background
- Complaint received
- Scene preserved
Volatility
- Network connections
- Process tracking
- Artifacts of infection
- Binary analysis
Volatility
Network connections
- vol.py connscan
- vol.py sockscan
Volatility
Process tracking
- vol.py psscan
- vol.py pstree
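The step these slides walk through, as an added worked example that is not from the deck or the case: join the connections connscan recovers to the process objects psscan recovers, so each remote peer gets an owning process, a parent, and a note when the process has already exited (psscan carves terminated _EPROCESS objects too). The two text blobs are constructed in the Volatility 2.x column layout; every PID, name, offset and address in them is made up, and the RFC 1918 check is done by hand because ipaddress.is_private also treats the documentation ranges used here as private.

```python
# Added example (not from the deck): correlate Volatility 2 connscan with psscan.
# The two text blobs below are constructed to mimic the vol.py 2.x column layout;
# they are not output from the case, and every PID, name and address is made up.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 192.168.10.25:1054        203.0.113.45:80           1688
0x02091a38 192.168.10.25:1062        198.51.100.7:443          1952
0x020a3d10 192.168.10.25:139         192.168.10.31:1223        4
"""

PSSCAN_OUTPUT = """\
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ------------------- ----- ---- ---------- ------------------------------ ------------------------------
0x02029ab8 System                 4     0 0x00319000 2012-03-01 08:00:01 UTC+0000
0x020d9020 services.exe         676   544 0x0a7c0120 2012-03-01 08:00:12 UTC+0000
0x0211b020 explorer.exe        1420  1388 0x0a7c0220 2012-03-01 08:01:13 UTC+0000
0x02150da0 svchost.exe         1688   676 0x0a7c0300 2012-03-01 08:00:40 UTC+0000
0x021a4c38 update.exe          1952  1420 0x0a7c0420 2012-03-01 09:17:02 UTC+0000 2012-03-01 09:17:31 UTC+0000
"""


@dataclass
class Conn:
    offset: str
    local: str
    remote_ip: str
    remote_port: int
    pid: int


@dataclass
class Proc:
    offset: str
    name: str
    pid: int
    ppid: int
    created: str
    exited: Optional[str]  # psscan also carves terminated process objects


CONN_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")
TIME = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+"
PROC_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+("
    + TIME + r")(?:\s+(" + TIME + r"))?\s*$"
)

# Explicit RFC 1918/loopback test: ipaddress.is_private would also count the
# documentation ranges in the sample as "private" and hide the external peers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_connscan(text: str) -> List[Conn]:
    """Parse connscan rows; header and separator lines do not match and are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append(Conn(m.group(1), f"{m.group(2)}:{m.group(3)}",
                              m.group(4), int(m.group(5)), int(m.group(6))))
    return conns


def parse_psscan(text: str) -> Dict[int, Proc]:
    """Parse psscan rows into a PID -> process map (first hit wins on reused PIDs)."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            proc = Proc(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)),
                        m.group(6), m.group(7))
            procs.setdefault(proc.pid, proc)
    return procs


def correlate(conns: List[Conn], procs: Dict[int, Proc]) -> List[dict]:
    """Attach owner, parent and review flags to every recovered connection."""
    findings = []
    for c in conns:
        proc = procs.get(c.pid)
        parent = procs.get(proc.ppid) if proc else None
        flags = []
        if not is_internal(c.remote_ip):
            flags.append("external peer")
        if proc is None:
            flags.append("no process object for pid")
        elif proc.exited:
            flags.append("process already exited")
        findings.append({
            "pid": c.pid,
            "process": proc.name if proc else None,
            "parent": parent.name if parent else None,
            "local": c.local,
            "remote": f"{c.remote_ip}:{c.remote_port}",
            "flags": flags,
        })
    return findings


def suspicious(findings: List[dict]) -> List[dict]:
    return [f for f in findings if f["flags"]]


if __name__ == "__main__":
    for f in correlate(parse_connscan(CONNSCAN_OUTPUT), parse_psscan(PSSCAN_OUTPUT)):
        print(f"{f['pid']:>5} {str(f['process']):<14} parent={str(f['parent']):<14} "
              f"{f['local']} -> {f['remote']} {f['flags']}")
```

Running it on real output means feeding it `vol.py -f <image> --profile=<profile> connscan` and `psscan` text; the obvious extension for the pstree slide is to also parse pstree and flag PIDs that psscan finds but the linked list does not, which is the hidden or unlinked case.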
Volatility
Process tracking
- vol.py dlllist
Volatility
Process tracking
- vol.py vadinfo
- vol.py vaddump
Volatility
Process tracking
- Strings on VAD
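As an added example of the "strings on VAD" step (not code from the deck): run a strings pass over a region written by vaddump, pulling both plain ASCII and UTF-16LE text, because Windows code keeps paths, command lines and registry names as UTF-16LE and a default `strings` run misses them. The byte buffer standing in for the dumped region is constructed here; the URL, path and command inside it are invented.

```python
# Added example (not from the deck): strings over a dumped VAD region, ASCII and
# UTF-16LE, plus a quick pull of IP indicators. SAMPLE_REGION is constructed to
# stand in for a vaddump output file; nothing in it comes from the case.
import re
from typing import Dict, List, Tuple

SAMPLE_REGION = (
    b"\x00" * 16
    + b"MZ\x90\x00" + b"\x00" * 8                       # too short to qualify
    + b"http://203.0.113.45/update.php\x00" + b"\xff" * 5
    + "C:\\WINDOWS\\system32\\update.exe".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x01\x02"                                     # too short to qualify
    + "cmd /c sc create".encode("utf-16-le") + b"\x00\x00"
)


def extract_strings(region: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for printable runs of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(region)]
    found += [(m.start(), "utf16le", m.group().decode("utf-16-le")) for m in utf16_re.finditer(region)]
    return sorted(found)   # by offset, so ASCII and UTF-16LE hits interleave as they sit in memory


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+")


def indicators(found: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Collect IPs and URLs from the extracted strings, order preserved, no duplicates."""
    ips: List[str] = []
    urls: List[str] = []
    for _, _, text in found:
        for ip in IP_RE.findall(text):
            if ip not in ips:
                ips.append(ip)
        for url in URL_RE.findall(text):
            if url not in urls:
                urls.append(url)
    return {"ips": ips, "urls": urls}


if __name__ == "__main__":
    hits = extract_strings(SAMPLE_REGION)
    for off, enc, text in hits:
        print(f"{off:#010x} {enc:<8} {text}")
    print(indicators(hits))
```

On a real dump the same two passes are `strings -a` and `strings -a -el` over the vaddump file; keeping the offset lets a hit be tied back to the VAD start address reported by vadinfo.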
Volatility
Artifacts of infection
- Infection vector
Volatility
Artifacts of infection
- Timestamp manipulation
Volatility
Artifacts of infection
- Service registration
Volatility
Binary analysis
- Basic information
Volatility
Binary analysis
- Static & dynamic analysis
Volatility
Binary analysis
- Find more evidence
Volatility
Binary analysis
- Verify artifacts and preserve evidence
Log2timeline
- RADIUS
- Manipulation of the execution chain
- Internal network exploration
- RDP access
Log2timeline
RADIUS
- RADIUS server config
Log2timeline
RADIUS
- RADIUS configuration information
Log2timeline
Manipulation of the execution chain
- Image File Execution Options
Log2timeline
Manipulation of the execution chain
- Redirecting system tools and disabling anti-virus
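The check behind the two Image File Execution Options slides, as an added example that is not from the deck or the case: walk a `.reg` export of the SOFTWARE hive, list every `Debugger` value under `Image File Execution Options`, and flag targets whose "debugger" is not a real debugger, which is how a tool such as Task Manager or an anti-virus executable gets redirected or silently suppressed. The export text is constructed for this example, and the list of benign debugger images is an assumption to adjust per environment.

```python
# Added example (not from the deck): list and classify IFEO Debugger redirections
# from a regedit .reg export. REG_EXPORT is constructed; BENIGN_DEBUGGERS is an
# assumed whitelist, not a Microsoft list.
import ntpath
import re
from typing import Dict, List, Tuple

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\Debuggers\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="svchost.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"\s*$', re.IGNORECASE)

# Assumed set of images that legitimately appear as an IFEO debugger.
BENIGN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe"}


def unescape_reg_string(value: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_ifeo_debuggers(reg_text: str) -> List[Tuple[str, str]]:
    """Return (target image, Debugger command line) for direct children of the IFEO key."""
    results = []
    current_target = None
    prefix = IFEO_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            current_target = None
            if key.lower().startswith(prefix):
                rest = key[len(prefix):]
                if "\\" not in rest:          # skip IFEO\<image>\PerfOptions and the like
                    current_target = rest
            continue
        dm = DEBUGGER_RE.match(line)
        if dm and current_target:
            results.append((current_target, unescape_reg_string(dm.group(1))))
    return results


def debugger_image(value: str) -> str:
    """The Debugger value is a command line; return the lower-cased basename of its program."""
    v = value.strip()
    if v.startswith('"'):
        prog = v[1:].split('"', 1)[0]
    else:
        parts = v.split()
        prog = parts[0] if parts else ""
    return ntpath.basename(prog).lower()


def classify(entries: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    report = []
    for target, dbg in entries:
        image = debugger_image(dbg)
        verdict = "benign" if image in BENIGN_DEBUGGERS else "suspicious"
        report.append({"target": target, "debugger": dbg,
                       "debugger_image": image, "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in classify(parse_ifeo_debuggers(REG_EXPORT)):
        print(f"{row['verdict']:<10} {row['target']:<14} -> {row['debugger']}")
```

A `.reg` export carries no timestamps, so the value of running log2timeline over the SOFTWARE hive instead is the LastWrite time of each `Image File Execution Options\<image>` key, which is what places the redirection in the execution chain on the timeline.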
Log2timeline
Internal network exploration
- ShellNoRoam key
Log2timeline
Internal network exploration
- Check ShellNoRoam
Log2timeline
RDP access
- Extract IP and PC name
IIS Log