(120429) #fitalk case studyk-masked file

FORENSIC INSIGHT SEMINAR

Case Studyk #1 w/ volatility

ykei

ykei.egloos.com

forensicinsight.org Page 2 / 35

개요

1. Background

2. Volatility

3. Log2timeline

4. IIS Log


Background

- 민원 접수

- 현장 보존


Volatility

- Network connections

- Processes tracking

- Artifact of infection

- Binary analysis


Volatility

Network connections

� vol.py connscan

� vol.py sockscan


Volatility

Processes tracking

� vol.py psscan

� vol.py pstree


Volatility

Processes tracking

� vol.py dlllist


Volatility

Processes tracking

� vol.py vadinfo

� vol.py vaddump


Volatility

Processes tracking

� Strings on VAD


Volatility

Processes tracking

� Strings on VAD


Volatility

Artifact of infection

� Infect vector


Volatility


� Manipulate Timestamp


Volatility


� Register services


Volatility

Binary analysis

� Basic Information


Volatility

Binary analysis

� Static & Dynamic analysis


Volatility

Binary analysis

� Find more evidence


Volatility

Binary analysis

� Verify artifact and Preserve evidence


Log2Timeline

- RADIUS

- Manipulate execution chain

- Explore inside network

- RDP access


Log2Timeline

RADIUS

� RADIUS Server Config


Log2Timeline

RADIUS

� RADIUS Configuration Information


Log2Timeline

Manipulate execution chain

� Image File Execution Options


Log2Timeline

Manipulate execution chain

� Detour system tool and suppression vaccine


Log2Timeline

Explore inside network

� ShellNoRoam Key


Log2Timeline

Explore inside network

� Check ShellNoRoam


Log2Timeline

RDP access

� Extract IP and PC Name


IIS Log

Technology

(120429) #fitalk case studyk-masked file