FORENSIC INSIGHT;
DIGITAL FORENSICS COMMUNITY IN KOREA
Trends in dForensics, Jan/2013
proneer
proneer@gmail.com
http://forensic-proof.com
Security is a people problem...
forensicinsight.org Page 2
- FORENSIC-PROOF
1. dForensic Practitioner Interview
2. What jobs are available in the dForensics
3. An Introduction to Digital Forensics (slides)
4. Anti-Forensics vs. Anti-Anti Forensics
5. Don't blindly format your hard drive
6. [???#1] ????????? ??? ???
7. The Truth about Recovering Overwritten Data
- malwareL4B
- Java Applet JMX 0day Remote Code Execution vulnerability (CVE-2013-0422)
Domestic Stuff (cont'd)
- Red Alert, NSHC
- ?? ??? ?? ???? ?? ???
- ?????
- e-??? 19?
- ??????
- ???? ????? (with KISEC)
- ???? ???? ?? (with KISEC)
- ??? ?? ??? (with KISEC)
- Metasploit Forensic
Domestic Stuff (cont'd)
- Kyaru's Blog
- ???? ??? ??? ??? ??? ??
- CIO Korea
- ?? | ??? ?? ?? ???
- ...
Domestic Stuff
- Windows DLL Injection Basics
- Getting Started With Lock Picking
- Deobfuscating Potentially Malicious URLs - Part 1
- Deobfuscating Potentially Malicious URLs - Part 1 Solution
- Attributing Potentially Malicious URLs - Part 2
- Attributing Potentially Malicious URLs - Part 2 (Solution?)
Open Security Research (blog.opensecurityresearch.com)
- Re-Introducing $UsnJrnl (NTFS Change Journal)
- Journal records ($J stream): %SystemDrive%\$Extend\$UsnJrnl:$J
- Journal metadata, including the maximum journal size ($Max stream): %SystemDrive%\$Extend\$UsnJrnl:$Max
- ??? ????? ?? ??? ??
- $LogFile covers only the most recent activity, whereas $UsnJrnl retains a much longer history
- When reconstructing file system activity, examine $UsnJrnl together with $LogFile
Journey Into Incident Response (journeyintoir.blogspot.kr/) (cont'd)
- Re-Introducing $UsnJrnl > $UsnJrnl - Journal Entry
Journey Into Incident Response (journeyintoir.blogspot.kr/) (cont'd)
Offset  Size (bytes)  Field
0x00    4             Record length
0x04    2             Major version (2)
0x06    2             Minor version (0)
0x08    8             File reference address (low 48 bits: MFT entry number; high 16 bits: sequence number)
0x10    8             Parent directory file reference address
0x18    8             USN: byte offset of this record in the journal ($J)
0x20    8             Timestamp (FILETIME, UTC)
0x28    4             Reason flags
0x2C    4             Source info
0x30    4             Security ID (SID)
0x34    4             File attributes
0x38    2             File name length (bytes)
0x3A    2             File name offset
0x3C    variable      File name (UTF-16LE, not null-terminated)
- Each record is padded so that its length is a multiple of 8 bytes
??: ???? ???? ?? ?????? ??? ??
- Re-Introducing $UsnJrnl > $UsnJrnl - Journal Entry > Reason Flags
Journey Into Incident Response (journeyintoir.blogspot.kr/) (cont'd)
Flag        Meaning
0x00000001  Data in the default $DATA stream was overwritten (DATA_OVERWRITE)
0x00000002  Data was appended to the default $DATA stream (DATA_EXTEND)
0x00000004  The default $DATA stream was truncated (DATA_TRUNCATION)
0x00000010  Data in a named $DATA stream was overwritten (NAMED_DATA_OVERWRITE)
0x00000020  Data was appended to a named $DATA stream (NAMED_DATA_EXTEND)
0x00000040  A named $DATA stream was truncated (NAMED_DATA_TRUNCATION)
0x00000100  The file or directory was created (FILE_CREATE)
0x00000200  The file or directory was deleted (FILE_DELETE)
0x00000400  Extended attributes were changed (EA_CHANGE)
0x00000800  The security descriptor was changed (SECURITY_CHANGE)
0x00001000  The file or directory was renamed; this record holds the old name (RENAME_OLD_NAME)
0x00002000  The file or directory was renamed; this record holds the new name (RENAME_NEW_NAME)
0x00004000  The content-indexing status was changed (INDEXABLE_CHANGE)
0x00008000  One or more basic file attributes (read-only, hidden, archive, ...) were changed (BASIC_INFO_CHANGE)
0x00010000  A hard link was added or removed (HARD_LINK_CHANGE)
0x00020000  The compression state was changed (COMPRESSION_CHANGE)
0x00040000  The encryption state was changed (ENCRYPTION_CHANGE)
0x00080000  The object ID was changed (OBJECT_ID_CHANGE)
0x00100000  The reparse point was changed (REPARSE_POINT_CHANGE)
0x00200000  A named $DATA stream was added, removed or renamed (STREAM_CHANGE)
0x80000000  The file or directory was closed (CLOSE)
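The record layout and reason flags above are enough to parse a raw $J extract without a dedicated tool. The Python below is an added example, not code from the slides or from the Journey Into Incident Response post: it parses USN_RECORD_V2 entries, decodes the reason bits, splits the file reference into MFT entry and sequence number, and pairs a FILE_CREATE with a later FILE_DELETE of the same entry, which is the self-deleting dropper pattern this deck returns to under "Data Destruction". The sample journal bytes, the MFT entry number 48213 and the parent entry are constructed for the demonstration; the file name n and the timestamp are borrowed from the ZeroAccess slides that follow.

```python
"""Parse NTFS change-journal ($UsnJrnl:$J) USN_RECORD_V2 entries and decode reason flags."""
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* bits as documented for USN_RECORD_V2 (winioctl.h).
USN_REASON = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE", 0x00010000: "HARD_LINK_CHANGE",
    0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}
# Fixed 0x3C-byte header: length, major, minor, file ref, parent ref, USN, FILETIME,
# reason, source info, security id, attributes, name length, name offset (little-endian).
HDR = struct.Struct("<IHHQQQQIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer arithmetic so 2012-era values do not lose precision."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def decode_reason(reason):
    """Names of every reason bit set, in ascending bit order; undocumented bits are reported, not dropped."""
    names = [name for bit, name in sorted(USN_REASON.items()) if reason & bit]
    unknown = reason & ~sum(USN_REASON)
    if unknown:
        names.append("UNKNOWN_0x%08X" % unknown)
    return names

def parse_usn_record_v2(buf, off=0):
    """Parse the record at buf[off]; raises ValueError for anything that is not a sane V2 record."""
    (rec_len, major, minor, file_ref, parent_ref, usn, ts, reason,
     source, sid, attrs, name_len, name_off) = HDR.unpack_from(buf, off)
    if major != 2 or rec_len < HDR.size or rec_len % 8 or off + rec_len > len(buf):
        raise ValueError("bad USN record at %d (version %d.%d, length %d)" % (off, major, minor, rec_len))
    # File reference address: low 48 bits = MFT entry number, high 16 bits = sequence number.
    entry, seq = file_ref & 0xFFFFFFFFFFFF, file_ref >> 48
    parent, parent_seq = parent_ref & 0xFFFFFFFFFFFF, parent_ref >> 48
    name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
    return {"usn": usn, "length": rec_len, "mft_entry": entry, "mft_seq": seq,
            "parent_entry": parent, "parent_seq": parent_seq, "timestamp": filetime_to_datetime(ts),
            "reason": decode_reason(reason), "source_info": source, "security_id": sid,
            "file_attributes": attrs, "name": name}

def iter_usn_records(buf):
    """Walk a $J extract. Zero-filled runs (the sparse head of $J, or slack) are skipped 8 bytes at a time."""
    off = 0
    while off + 4 <= len(buf):
        if struct.unpack_from("<I", buf, off)[0] == 0:
            off += 8
            continue
        rec = parse_usn_record_v2(buf, off)
        yield rec
        off += rec["length"]

def find_short_lived_files(records, max_age_seconds=60):
    """Pair FILE_CREATE with a later FILE_DELETE of the same (entry, sequence): self-deleting droppers."""
    created, hits = {}, []
    for r in records:
        key = (r["mft_entry"], r["mft_seq"])
        if "FILE_CREATE" in r["reason"]:
            created.setdefault(key, r)
        elif "FILE_DELETE" in r["reason"] and key in created:
            age = (r["timestamp"] - created[key]["timestamp"]).total_seconds()
            if age <= max_age_seconds:
                hits.append((r["name"], key, age))
    return hits

def build_usn_record_v2(name, usn, when, reason, mft_entry, mft_seq, parent_entry=5, parent_seq=5):
    """Serialise a V2 record (used here only to construct sample data); padded to a multiple of 8 bytes."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (HDR.size + len(name_bytes) + 7) & ~7
    hdr = HDR.pack(rec_len, 2, 0, (mft_seq << 48) | mft_entry, (parent_seq << 48) | parent_entry,
                   usn, datetime_to_filetime(when), reason, 0, 0, 0x20, len(name_bytes), HDR.size)
    return (hdr + name_bytes).ljust(rec_len, b"\0")

# Constructed sample $J (not real evidence): a dropper "n" (MFT entry 48213, sequence 3, both made up)
# is created, extended, closed, then deleted seven seconds later. T0 reuses the IDS alert time from the deck.
T0 = datetime(2012, 12, 14, 15, 38, 0, tzinfo=timezone.utc)
SAMPLE_J = b"".join([
    build_usn_record_v2("n", 0x00, T0, 0x00000100, 48213, 3),
    build_usn_record_v2("n", 0x40, T0, 0x00000102, 48213, 3),
    build_usn_record_v2("n", 0x80, T0, 0x80000102, 48213, 3),
    b"\0" * 16,  # zero gap of the kind $J extracts often contain
    build_usn_record_v2("n", 0xD0, T0 + timedelta(seconds=7), 0x80000200, 48213, 3),
])
```

Running `list(iter_usn_records(SAMPLE_J))` yields four records whose reason lists read FILE_CREATE, DATA_EXTEND|FILE_CREATE, DATA_EXTEND|FILE_CREATE|CLOSE and FILE_DELETE|CLOSE; `find_short_lived_files` then reports the single create-then-delete pair. On a real $J the USN of each record equals its byte offset in the stream, so a mismatch between the two is a quick integrity check when carving journal fragments from unallocated space.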
- Re-Introducing $UsnJrnl > Data Hiding in Obscure Location
- ZeroAccess ??? ?? ??? ??? ??
- IDS ZeroAccess detection: 2012-12-14 15:38 UTC
- ?? ???? $UsnJrnl:$J ?? ??
Journey Into Incident Response (journeyintoir.blogspot.kr/) (cont'd)
- Re-Introducing $UsnJrnl > Data Hiding in Obscure Location
- $MFT? ?? ?? ??
- BlueAngel's NTFS Log Tracker (http://code.google.com/p/ntfs-log-tracker/)
Journey Into Incident Response (journeyintoir.blogspot.kr/) (cont'd)
- Re-Introducing $UsnJrnl > Data Destruction
- Self Deleting Droppers/Downloaders
Journey Into Incident Response (journeyintoir.blogspot.kr/) (cont'd)
- Re-Introducing $UsnJrnl > Data Destruction
- Overwriting File System Metadata
- /Users/lab/AppData/Local/{5da39e95-8007-4308-c6cf-bcce61795d0d}/n
- Standard Information Attribute
  Creation: 7/13/2009 23:11:59 UTC
  Access: 7/13/2009 23:11:59 UTC
  Modification: 7/14/2009 1:17:52 UTC
- Filename Attribute
  Creation: 12/6/2012 22:18:00 UTC
  Access: 12/6/2012 22:18:00 UTC
  Modification: 12/6/2012 22:18:00 UTC
Journey Into Incident Response (journeyintoir.blogspot.kr/) (cont'd)
- Re-Introducing $UsnJrnl > Data Destruction
- File System Tunneling
- %SystemDrive%\Windows\System32\services.exe
- Standard Information Attribute
  Creation: 7/13/2009 23:11:26 UTC
  Access: 7/13/2009 23:11:26 UTC
  Modification: 7/14/2009 1:14:36 UTC
- Filename Attribute
  Creation: 7/13/2009 23:11:26 UTC
  Access: 12/6/2012 22:18:06 UTC
  Modification: 12/6/2012 22:18:06 UTC
Journey Into Incident Response (journeyintoir.blogspot.kr/) (cont'd)
- Layering Data
- ?? ?? ??? ???? ???? ???? ? ? ? ??? ? ? ??
- DFIR?? ???? ??? ?? ??
- ??? ?? ?? ??
- ???? ??
Journey Into Incident Response (journeyintoir.blogspot.kr/) (cont'd)
- Layering Data > Layering Data in Action
- Crime Map, City of Spokane, Washington (http://www.spokanegis.org/crimemap2/)
Journey Into Incident Response (journeyintoir.blogspot.kr/) (cont'd)
- Layering Data > Layering Data in Timelines
1. Examine the programs that ran on the system
2. Examine the auto-start locations
3. Examine the host-based logs
4. Examine file system artifacts
Journey Into Incident Response (journeyintoir.blogspot.kr/) (cont'd)
- Layering Data > Layering Data in Timelines
Journey Into Incident Response (journeyintoir.blogspot.kr/)
- Bad Sector Recovery
- HDD? ??? ? ?? ???? ???? ?? ? ?? ????
- ??? ???? 100% ???? ??? ??? ?????? ?? ???? ??
- General causes of bad sector formation
- Physical Corruption
- ??? ??? ???? ???? ??
- Magnetic Corruption
- ?? ??? ???? ?? ??
- ??? ???? ??
- ??? ??? ??(servo) ????? ?? ??
FORENSIC FOCUS (forensicfocus.com) (cont'd)
- Bad Sector Recovery > Data/Servo Sectors
FORENSIC FOCUS (forensicfocus.com) (cont'd)
- Bad Sector Recovery > Possible outcomes
- ?? ??? ???? ?? ??? ??? ? ?? ??
- Address Mark field corruption
- Data corruption
- ECC field corruption
- Servo sector corruption
- Or any combination of these
- ?? ??? ???? ??? ????? ???? ??? ?? ???? ?? ???
- ? ???? ??? ??? ?? ?
FORENSIC FOCUS (forensicfocus.com) (cont'd)
- Bad Sector Recovery > Address Mark Corruption
- ??? ?? ??(Address Mark)? ???? ??? ??? ?? ? ??
- ???? ??? ?? ? ???, ????...?
- ?? ?? ???? ?? ID? ?? ??? ???? ??, ??? ?? ??? ???
- Bad Sector Recovery > Data Corruption
- HDD? ?? ECC ??? ???? ?? ??? ?? ?????? ??? ??
- ???? ????, ECC ?????? ?? ?? ? ???? ??? ??
- ????, ?? ???? ?????? ?? ??
FORENSIC FOCUS (forensicfocus.com) (cont'd)
- Bad Sector Recovery > ECC field corruption
- ?? ?? ????,
- ???? ?????? ECC? ?? ??? ?? ?? ? ???? ??? ?? X
- Bad Sector Recovery > Servo sector corruption
- ? ?? ? ?? ?? ?? ??? ??
- ?? ?? ?? ??? ??? ???? ? ?? ?? ??, ?? ID ??
- ?? ??? ??? GPS ???? ????? ?? ?? ??? ?? ??? ??
- ?? ??? ????, ??? ??? ??? ??? ?? ? ?? ? ?? ?? ??
FORENSIC FOCUS (forensicfocus.com) (cont'd)
- Bad Sector Recovery > How Bad Sector Recovery Works
- Read Long Command
- ???? ?? ?? ?? ??? ?? ????? ?????? ??
- Returns the sector's data together with its ECC bytes
- Supported only by drives of the ATA-1 (1994) to ATA-3 (1997) generation
- SMART Command Transport (SCT) > Long Sector Access Command
- Defined as an extension of SMART (Self-Monitoring, Analysis and Reporting Technology)
- Replaces the legacy Read Long command on newer drives
- ?? ?? ?? ?, ??? ?? ?? ???? ??? ?? ? ??? ?? ???? ??
FORENSIC FOCUS (forensicfocus.com) (cont'd)
- Bad Sector Recovery > Debunking Bad Sector Recovery
- ?? ? ?? ?? ???? ?? ?? ?? ??? ??
- ?? ??? ?? ????? ??? ???
- Read Long ??? ?? ?? ???? ???? ??? ? ??
- ?? ??? ???? ?? ?? ??? ?? ?? ??
- ?? ??? ??? ??
- ??? ???? ?? ???? ??? vs ?? ?? ???
FORENSIC FOCUS (forensicfocus.com) (cont'd)
- Bad Sector Recovery > Dangers of Read Long approach
- ???? ?? ?? ?? ???? ???? ??
- ??? ????? ??? ???? ?? ? ?????? ?? ? ??? ??
- ??? ??? ? ????
- 777-677-766 vs. 776-676-677
- ??? ?????? ?? ? MFT ???? ????? ???????
- ??: ???? ??? ???? ?? ???? ?? ???? ??? ????? ??
- ???? ?????? ??? ??, ?? ??? ???? ??? ???? ?? ??
- ?? ?? ?? ??? ??? ??, ?? ? ????
- ?? ???? ???, ? ??? ???? ???? ?? ???? ??? ??? ??
FORENSIC FOCUS (forensicfocus.com)
- What are 'gdocs'? Google Drive Data
FORENSIC FOCUS (forensicfocus.com) (cont'd)
- What are 'gdocs'? Google Drive Data
- %UserProfile%\Google Drive: .gdoc, .gsheet, .gslides files
FORENSIC FOCUS (forensicfocus.com) (cont'd)
- What are 'gdocs'? Google Drive Data
- License.gdoc
- Forensic Tool.gsheet
- [INSIGHT] Next Plan.pptx.gslides
Each of these files holds a one-line JSON object with the online document's URL and resource ID; the three shown on the slide:
{"url": "https://docs.google.com/document/d/1H58pLy5tzNbRmkMPjFQNgtGcrjHhCQVGLZPJMrh5ugE/edit", "resource_id": "document:1H58pLy5tzNbRmkMPjFQNgtGcrjHhCQVGLZPJMrh5ugE"}
{"url": "https://docs.google.com/spreadsheet/ccc?key=0AvcjdMXf7DDHdEFRM2JMZjlGS3RoTE5GWkhXY0oxaVE", "resource_id": "spreadsheet:0AvcjdMXf7DDHdEFRM2JMZjlGS3RoTE5GWkhXY0oxaVE"}
{"url": "https://docs.google.com/presentation/d/1ArxV28ZER0CiFPEgCIs7D-XgJqJTA0TYbodGjrTYo0I/edit", "resource_id": "presentation:1ArxV28ZER0CiFPEgCIs7D-XgJqJTA0TYbodGjrTYo0I"}
FORENSIC FOCUS (forensicfocus.com)
- THA Deep Dive - Analyzing Malware in Memory
The Hacker Academy (thehackeracademy.com)
- NTFS Triforce
Hacking Exposed (hackingexposedcomputerforensicsblog.blogspot.kr) (cont'd)
- NTFS Triforce - MFT Entry Header
Hacking Exposed (hackingexposedcomputerforensicsblog.blogspot.kr) (cont'd)
- NTFS Triforce - $STANDARD_INFORMATION Attribute
Hacking Exposed (hackingexposedcomputerforensicsblog.blogspot.kr) (cont'd)
- NTFS Triforce - $LogFile
Hacking Exposed (hackingexposedcomputerforensicsblog.blogspot.kr) (cont'd)
- NTFS Triforce - $UsnJrnl
Hacking Exposed (hackingexposedcomputerforensicsblog.blogspot.kr) (cont'd)
- NTFS Triforce - Put it all together
- The Power of the NTFS Triforce
1. ?? ???? ?? ($LogFile)
2. ?? SID? ?? ($LogFile)
3. ?????? ?? ($LogFile)
4. ???? ?? ?? ?? ($LogFile & $UsnJrnl)
5. ?? ?? ?? ($LogFile & $UsnJrnl)
6. ??? ?? ?? ?? ($UsnJrnl)
7. ?? ?? ?? ($LogFile)
Hacking Exposed (hackingexposedcomputerforensicsblog.blogspot.kr)
- Carving Station - RAR Files
- Prefetch records "RAR.EXE" being executed
- RAR.EXE-12F2DC4F.pf
- RAR signatures
- Header: "52 61 72 21" (Rar!), "52 45 7E 5E" (RE~^)
- Footer: none (?)
- ??? ???? ?? ??
MANDIANT Blog (mandiant.com/blog) (cont'd)
- Carving Station - RAR Files
MANDIANT Blog (mandiant.com/blog) (cont'd)
- Carving Station - RAR Files > Password Prompt
- Mandiant Redline
MANDIANT Blog (mandiant.com/blog) (cont'd)
- Carving Station - RAR Files > RAR file content indicators
1. Prefetch File
2. WinRAR Directory
   - Windows XP: "%APPDATA%\WinRAR" (C:\Documents and Settings\<user>\Application Data\WinRAR)
   - Windows 7: "%APPDATA%\WinRAR" (C:\Users\<user>\AppData\Roaming\WinRAR)
3. Shellbags
4. Internet History
MANDIANT Blog (mandiant.com/blog)
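A minimal carver built from the two signatures listed on the Carving Station slides, as an added example (not code from the Mandiant post): it locates RAR markers in a raw buffer and, for RAR 4.x archives, walks the block headers to find where the archive ends (there is no footer to carve to) and whether the archive or any file inside it is password protected, which is the condition behind the password prompt the deck mentions. The sample image, file names and header values are constructed for the demonstration; RAR 5 and RAR 1.4 hits are only located, since their block formats differ, and the RAR 4.x walk does not handle the LHD_LARGE (64-bit size) variant of the file header.

```python
"""Carve RAR archives from a raw byte buffer and report whether they are password protected."""
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"      # 52 61 72 21 1A 07 00 (RAR 1.5 to 4.x)
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"  # 52 61 72 21 1A 07 01 00 (RAR 5.x)
RAR14_MARKER = b"RE~^"                 # 52 45 7E 5E (RAR 1.4)
MHD_PASSWORD = 0x0080  # main header flag: every following header is encrypted
LHD_PASSWORD = 0x0004  # file header flag: this file's data is encrypted
LONG_BLOCK = 0x8000    # header is followed by ADD_SIZE bytes of data (always set on file headers)

def walk_rar4(buf, start):
    """Yield (type, flags, header_offset, total_size) for each RAR 4.x block after the marker at start.
    Every block begins HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2); LONG_BLOCK adds ADD_SIZE(4).
    Stops at ENDARC (0x7B), at an implausible header, or at the end of the buffer."""
    off = start + len(RAR4_MARKER)
    while off + 7 <= len(buf):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", buf, off)
        if hsize < 7 or not 0x72 <= htype <= 0x7B:
            return
        add = struct.unpack_from("<I", buf, off + 7)[0] if flags & LONG_BLOCK and off + 11 <= len(buf) else 0
        yield htype, flags, off, hsize + add
        off += hsize + add
        if htype == 0x7B:
            return

def rar4_file_name(buf, hdr_off):
    """File name of a RAR 4.x file header (type 0x74): NAME_SIZE at +26, name at +32 (no LHD_LARGE)."""
    name_size = struct.unpack_from("<H", buf, hdr_off + 26)[0]
    return buf[hdr_off + 32: hdr_off + 32 + name_size].decode("latin-1")

def carve_rar(buf):
    """One dict per signature hit, sorted by offset. RAR 4.x hits are walked for their end offset and
    password indicators; RAR 5 and RAR 1.4 hits are only located."""
    hits = []
    for variant, marker in (("RAR4", RAR4_MARKER), ("RAR5", RAR5_MARKER), ("RAR1.4", RAR14_MARKER)):
        pos = buf.find(marker)
        while pos != -1:
            hits.append({"offset": pos, "variant": variant})
            pos = buf.find(marker, pos + 1)
    for h in hits:
        if h["variant"] != "RAR4":
            continue
        h.update(encrypted_headers=False, files=[], encrypted_files=[])
        end = h["offset"] + len(RAR4_MARKER)
        for htype, flags, hoff, size in walk_rar4(buf, h["offset"]):
            end = hoff + size
            if htype == 0x73 and flags & MHD_PASSWORD:
                h["encrypted_headers"] = True  # file headers are ciphertext; nothing more to read
                break
            if htype == 0x74:
                name = rar4_file_name(buf, hoff)
                h["files"].append(name)
                if flags & LHD_PASSWORD:
                    h["encrypted_files"].append(name)
        h["end"] = end  # carve buf[offset:end]
    return sorted(hits, key=lambda h: h["offset"])

# Constructed sample image (not real evidence): slack, one RAR 4.x archive, more slack, two bare markers.
def rar4_block(htype, flags, body=b"", data=b""):
    return struct.pack("<HBHH", 0, htype, flags, 7 + len(body)) + body + data

def rar4_file_header(name, data, encrypted):
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    # PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD NAME_SIZE ATTR, then the name
    body = struct.pack("<IIBIIBBHI", len(data), len(data), 2, 0, 0, 29, 0x30, len(name), 0x20) + name
    return rar4_block(0x74, flags, body, data)

SAMPLE_IMAGE = (
    b"\0" * 37 + b"random slack bytes"
    + RAR4_MARKER
    + rar4_block(0x73, 0x0000, b"\0" * 6)                                 # main header, no MHD_PASSWORD
    + rar4_file_header(b"passwords.txt", b"\xde\xad\xbe\xef" * 8, True)   # encrypted file
    + rar4_file_header(b"readme.txt", b"hello", False)
    + rar4_block(0x7B, 0x4000)                                            # ENDARC
    + b"\xff" * 21 + RAR14_MARKER + b"\0" * 16 + RAR5_MARKER + b"\0" * 8
)
```

`carve_rar(SAMPLE_IMAGE)` reports the RAR 4.x archive at offset 55 ending at 206 with passwords.txt flagged as encrypted, plus the two bare markers at 227 and 247. Because a signature-only carver cannot know where an archive ends, walking the headers is what keeps the carved file intact; when MHD_PASSWORD is set even the file names are unavailable without the password, which is why an examiner then turns to the prefetch, WinRAR directory, shellbag and browser-history indicators listed above.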
- 5 Must-Have Skills for Fraud Examiners
1. Understand the Business
- IT? ???? ??? ?? ??? ??? ?? ?
2. Leverage Technology
- ??? ???? ??? ??? ??? ?? ??? ??? ??? ??? ?? ? ??? ?
3. Have a Versatile Work Experience
- ?? ?? ?? ??? ??? ?? ???? ?? ? ?? ??? ??? ??
4. Understand Where the Information Resides
- ???? ??? ??? ???? ?? ??, ??? ??? ?? ???? ?? ??? ??
5. Possess International Capabilities
- ?? ??? ????? ??, ?? ??, ?????? ??? ? ?? ??? ?? ??
GOV Info Security (govinfosecurity.com)
- Google Transparency Report (http://www.google.com/transparencyreport/)
- ? ?? Google ???? ??? ? ?? ???
- ??? ??? ?? ????? ?? ?? ?? ??
- ?? ?? ? ?????? ?? ??? ??? ?? ??
- Twitter's Transparency Report (https://transparency.twitter.com/overview)
- ??? ?? ?? ?? (???)
- ??? ?? ?? ?? (???)
- ??? ?? ?? ?? (??)
Transparency Report
- Forensic Artifact: Malware Analysis in Windows 8
- ??? 8 ???? ???? ?? ? ???? ? ?? ????.
- BinMode: Parsing Java *.idx files
- ?? ??? ??? idx ??? ?? ??? ?? ????.
- Cracking Android Passwords: The Need for Speed (hashcat)
- Hashcat? ??? ????? ????? ????? ??? ???.
- Volume Shadow Copy to Logical Evidence File (LEF)
- ?? ??? ???? LEF? ???? ?? ????.
- Red October - Indicators of compromise (IOC)
- ?? ?? ?? ??? ????? ?? 10?? IOC? ?????.
Others
- 2012 eDiscovery Year in Review: eDiscovery Case Law, Part 1, 2, 3, 4
- 2012 ?????? ?? ?? ??? ????.
- Pulsing the HeartBeat APT
- ????????? ??? ??? ???? APT ??? ?? ??? ?? ????.
- FCC Smartphone Security Checker
- ??? ?????, ???, ????, ??? ?? ?? ??? ??? ? ?? ?????.
- Creative Option for Better Authentication of Mobile Phone Users
- ??? ??? ??? ? ?? ?? ?? ??? ????.
- Exploiting printer via Jetdirect vulnerabilities
- Jetdirect ???? ??? ??? ??? ????.
Others
- HowTo: Extract "Hidden" API-Hooking BHO DLLs
- ?????? ??? API ??? BHO DLL? ???? ?? ???.
- How to add GPS position to images (picasa)
- ??? ??? GPS ???? ??? ???? ?? ????.
- Android Messaging: Is Android Getting Religious?
- ????? ??? ??? ???? SQLite Vacuum? ?? ????.
- Internet Evidence Finder (IEF) Review
- ? ???? ?? ?? ??? IEF? ?? ????.
Others
- NTFS Log Tracker
- Tool that parses the $LogFile and $UsnJrnl files
- SyncTools for Sysinternals
- ????? ??? ?? ??? ???? ????? ??
- AnalyzePE
- ??? ??? PE ?? ?? ?? ??
- ESEDatabaseView
- ESE database viewer from NirSoft
- NetAnalysis v1.56 / HstEx v3.10
- ? ?? ?? ??? NetAnalysis? ?? ???? ?? ??? HstEx ????
dForensics Tools
Question and Answer