(120429) #fitalk case studyk-masked file
![Page 1: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/1.jpg)
FORENSIC INSIGHT SEMINAR
Case Studyk #1 w/ volatility
ykei
ykei.egloos.com
![Page 2: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/2.jpg)
forensicinsight.org Page 2 / 35
Overview
1. Background
2. Volatility
3. Log2timeline
4. IIS Log
![Page 3: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/3.jpg)
Background
- Complaint received
- Scene preservation
![Page 4: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/4.jpg)
Volatility
- Network connections
- Processes tracking
- Artifact of infection
- Binary analysis
![Page 5: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/5.jpg)
Volatility
Network connections
- vol.py connscan
- vol.py sockscan
![Page 6: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/6.jpg)
Volatility
Processes tracking
- vol.py psscan
- vol.py pstree
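Added example (not from the seminar or from the Volatility project): the first thing to do with `connscan` and `psscan` output is to join them on PID, so every connection gets an owning process and every owning process gets a sanity check on its parent. Both plugins pool-scan physical memory, so they also return objects of connections and processes that had already exited; the script treats that as a finding rather than noise. The sample output below is constructed in the column layout of Volatility 2 on a Windows XP image, and the expected-parent table is an assumption for XP/2003.

```python
import re
from dataclasses import dataclass

# Expected parent for core XP/2003 processes (assumption; differs on later Windows).
EXPECTED_PARENT = {
    "smss.exe": {"system"}, "csrss.exe": {"smss.exe"}, "winlogon.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe"}, "lsass.exe": {"winlogon.exe"}, "svchost.exe": {"services.exe"},
}

# Constructed sample output in the layout of 'vol.py psscan' / 'vol.py connscan'.
PSSCAN_OUTPUT = """\
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ------------------- ----- ---- ---------- ------------------------------ ------------------------------
0x01fc0020 System                  4    0 0x00319000 2012-04-01 08:00:01 UTC+0000
0x01fa1020 smss.exe              396    4 0x0d1c0040 2012-04-01 08:00:03 UTC+0000
0x01f96da0 winlogon.exe          624  396 0x0d1c00c0 2012-04-01 08:00:07 UTC+0000
0x01f8b020 services.exe          676  624 0x0d1c0100 2012-04-01 08:00:09 UTC+0000
0x01f4e020 svchost.exe          1176  676 0x0d1c0240 2012-04-01 08:00:12 UTC+0000
0x01d90da0 explorer.exe         1512 1488 0x0d1c0300 2012-04-01 08:01:30 UTC+0000
0x01e2a7e8 svchost.exe          1820 1512 0x0d1c0520 2012-04-01 11:42:03 UTC+0000
0x01e40560 cmd.exe              2044 1820 0x0d1c0600 2012-04-01 11:43:10 UTC+0000 2012-04-01 11:50:55 UTC+0000
"""
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01e0e0b0 192.168.10.5:1036         10.0.0.25:445             4
0x01f3a008 192.168.10.5:1065         203.0.113.10:8080         1820
0x01f9c3d8 192.168.10.5:1071         203.0.113.10:8080         2044
0x01fa5120 192.168.10.5:1090         203.0.113.10:8080         3120
"""

@dataclass
class Process:
    name: str
    pid: int
    ppid: int
    created: str
    exited: str  # empty when the process was still running

@dataclass
class Connection:
    local: str
    remote: str
    pid: int

PS_RE = re.compile(r"^0x[0-9a-f]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+0x[0-9a-f]+"
                   r"\s+(?P<created>\S+ \S+ \S+)(?:\s+(?P<exited>\S+ \S+ \S+))?\s*$")
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<pid>\d+)\s*$")

def parse_psscan(text):
    """Header and separator lines do not start with an offset, so they are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            p = Process(m["name"], int(m["pid"]), int(m["ppid"]), m["created"], m["exited"] or "")
            procs[p.pid] = p
    return procs

def parse_connscan(text):
    return [Connection(m["local"], m["remote"], int(m["pid"]))
            for m in (CONN_RE.match(l) for l in text.splitlines()) if m]

def correlate(procs, conns):
    """Return (pid, process name, remote endpoint, verdict) per carved connection."""
    findings = []
    for c in conns:
        p = procs.get(c.pid)
        if p is None:
            findings.append((c.pid, "?", c.remote, "no process object carved for this PID"))
            continue
        notes = []
        if p.exited:
            notes.append(f"owning process exited at {p.exited} (stale connection object)")
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected:
            parent = procs.get(p.ppid)
            pname = parent.name.lower() if parent else "<missing>"
            if pname not in expected:
                notes.append(f"unexpected parent {pname} (pid {p.ppid}); expected {sorted(expected)}")
        findings.append((c.pid, p.name, c.remote, "; ".join(notes) or "ok"))
    return findings

if __name__ == "__main__":
    for row in correlate(parse_psscan(PSSCAN_OUTPUT), parse_connscan(CONNSCAN_OUTPUT)):
        print("%5d %-14s %-22s %s" % row)
```

In the constructed data the svchost.exe started from explorer.exe and the cmd.exe that already exited both talk to the same remote port, which is the kind of pivot that then drives `dlllist` and `vaddump` on those PIDs.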
![Page 7: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/7.jpg)
Volatility
Processes tracking
- vol.py dlllist
![Page 8: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/8.jpg)
Volatility
Processes tracking
- vol.py vadinfo
- vol.py vaddump
![Page 9: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/9.jpg)
Volatility
Processes tracking
- Strings on VAD
![Page 10: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/10.jpg)
Volatility
Processes tracking
- Strings on VAD
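Added example (not from the seminar): running plain `strings` over a region written out by `vaddump` misses most of what a Windows process holds, because registry paths, file names and command lines are usually UTF-16LE in memory. The script below extracts ASCII and UTF-16LE runs in one pass, keeps their offsets, and tags the ones that look like indicators (URLs, commands, registry keys, file paths, IPv4 addresses). The byte buffer is constructed to stand in for a dumped region; the indicator patterns are the author's own assumptions about what is worth surfacing first.

```python
import re

# Constructed stand-in for a 'vaddump' region: a PE header fragment, junk, then
# a mix of ASCII and UTF-16LE strings. Not seminar data.
SAMPLE_VAD = (
    b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(0, 32))
    + b"http://203.0.113.10:8080/gate.php\x00\x7f\x01\x02"
    + "SYSTEM\\CurrentControlSet\\Services\\wuauserv2".encode("utf-16-le") + b"\x00\x00"
    + b"\x05\x06" + "C:\\WINDOWS\\system32\\drivers\\etc\\hosts".encode("utf-16-le")
    + b"\xff\xfe" + b"cmd.exe /c net view \\\\10.0.0.25\x00"
)

# Assumed indicator classes; a string may belong to several.
INDICATOR_RES = [
    ("url", re.compile(r"https?://\S+")),
    ("command", re.compile(r"(?i)\b(?:cmd\.exe|net\s+(?:view|use|user)|reg\s+add)\b")),
    ("registry", re.compile(r"(?i)\b(?:HKLM|HKCU|HKEY_[A-Z_]+|SYSTEM|SOFTWARE)\\\S+")),
    ("path", re.compile(r"(?i)\b[a-z]:\\\S+")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

def extract_strings(data, min_len=6):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, ASCII and UTF-16LE merged and ordered by offset
    (the equivalent of 'strings -a' plus 'strings -el')."""
    n = str(min_len).encode()
    ascii_re = re.compile(rb"[\x20-\x7e]{" + n + rb",}")
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){" + n + rb",}")
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return sorted(found)

def find_indicators(strings):
    """Keep only strings that match at least one indicator class."""
    hits = []
    for offset, enc, text in strings:
        kinds = [kind for kind, rx in INDICATOR_RES if rx.search(text)]
        if kinds:
            hits.append((offset, enc, kinds, text))
    return hits

if __name__ == "__main__":
    for offset, enc, kinds, text in find_indicators(extract_strings(SAMPLE_VAD)):
        print(f"0x{offset:06x} {enc:8s} {','.join(kinds):14s} {text}")
```

Two of the four hits in the sample exist only as UTF-16LE and would not appear in ASCII-only output; the offsets let you go back into the dump with a hex editor to see what surrounds the service name.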
![Page 11: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/11.jpg)
Volatility
Artifact of infection
- Infection vector
![Page 12: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/12.jpg)
Volatility
Artifact of infection
- Manipulate Timestamp
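Added example (not from the seminar): the slide names timestamp manipulation as an artifact but does not say how it was spotted, so here is the check a practitioner normally applies to NTFS. Each MFT record carries timestamps in both $STANDARD_INFORMATION (what Explorer and most tools display, and what user-mode timestomping tools overwrite) and $FILE_NAME (written only by the kernel on create, rename and move). Because $FN values are copied from $SI at naming time, $SI should never be older than $FN, and because NTFS stores 100 ns units, an $SI stamp with an exactly zero fraction is also worth a look. The records below are constructed; the rules are the author's, not the seminar's.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class MftTimestamps:
    """Creation and modification times from $STANDARD_INFORMATION (si_*) and
    $FILE_NAME (fn_*) of one MFT record."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime

def check_timestomp(rec):
    """Return the list of anomalies found for one record (empty if none)."""
    reasons = []
    # $FN is a copy of $SI taken when the name was written, so a back-dated
    # $SI ends up older than $FN.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI created precedes $FN created")
    if rec.si_modified < rec.fn_modified:
        reasons.append("$SI modified precedes $FN modified")
    # Timestomping tools typically write whole seconds. This is a weak signal
    # on its own: files copied from FAT media or extracted from archives look
    # the same, so treat it as corroboration rather than proof.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("$SI sub-second fields zeroed (weak: also seen on FAT copies and archive extracts)")
    return reasons

def scan(records):
    return {r.path: check_timestomp(r) for r in records}

# Constructed records: a normal system file, a back-dated dropper, and an
# uploaded tool whose only oddity is whole-second $SI stamps.
SAMPLES = [
    MftTimestamps(r"C:\WINDOWS\system32\kernel32.dll",
                  datetime(2008, 4, 14, 12, 0, 0, 123456), datetime(2008, 4, 14, 12, 0, 0, 123456),
                  datetime(2008, 4, 14, 12, 0, 0, 123456), datetime(2008, 4, 14, 12, 0, 0, 123456)),
    MftTimestamps(r"C:\WINDOWS\system32\wuauserv2.exe",
                  datetime(2008, 4, 14, 12, 0, 0, 0), datetime(2008, 4, 14, 12, 0, 0, 0),
                  datetime(2012, 4, 1, 11, 40, 22, 503311), datetime(2012, 4, 1, 11, 40, 22, 503311)),
    MftTimestamps(r"C:\inetpub\wwwroot\upload\tool.exe",
                  datetime(2012, 4, 1, 11, 38, 5, 0), datetime(2012, 4, 1, 11, 38, 5, 0),
                  datetime(2012, 4, 1, 11, 38, 4, 771002), datetime(2012, 4, 1, 11, 38, 4, 771002)),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLES).items():
        print(path, "->", "; ".join(reasons) or "consistent")
```

The back-dated dropper trips all three rules; its $FN creation time is the one to put on the timeline, since that is when the file was actually written to the volume.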
![Page 13: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/13.jpg)
Volatility
Artifact of infection
- Register services
![Page 14: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/14.jpg)
Volatility
Binary analysis
- Basic Information
![Page 15: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/15.jpg)
Volatility
Binary analysis
- Static & Dynamic analysis
![Page 16: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/16.jpg)
Volatility
Binary analysis
- Find more evidence
![Page 17: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/17.jpg)
Volatility
Binary analysis
- Verify artifacts and preserve evidence
![Page 18: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/18.jpg)
Log2Timeline
- RADIUS
- Manipulate execution chain
- Explore inside network
- RDP access
![Page 19: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/19.jpg)
Log2Timeline
RADIUS
- RADIUS Server Config
![Page 20: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/20.jpg)
Log2Timeline
RADIUS
- RADIUS Configuration Information
![Page 21: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/21.jpg)
Log2Timeline
Manipulate execution chain
- Image File Execution Options
![Page 22: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/22.jpg)
Log2Timeline
Manipulate execution chain
- Divert system tools and suppress antivirus
![Page 23: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/23.jpg)
Log2Timeline
Explore inside network
- ShellNoRoam Key
![Page 24: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/24.jpg)
Log2Timeline
Explore inside network
- Check ShellNoRoam
![Page 25: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/25.jpg)
Log2Timeline
RDP access
- Extract IP and PC Name
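Added example (not from the seminar or from the log2timeline project) that serves the three Log2Timeline slides above: Image File Execution Options, the ShellNoRoam key, and RDP access. Once a timeline is in l2t_csv form, the registry artifacts the slides rely on can be pulled out with a handful of rules over the description column: an `Image File Execution Options\<exe>` key with a `Debugger` value means every launch of that program is redirected to the named binary (the divert-system-tools / suppress-antivirus trick); `ShellNoRoam\BagMRU` entries that name a UNC path show the user browsing another machine's shares; `Terminal Server Client\Servers\<host>` records the RDP targets and the `UsernameHint` used. The rows are constructed in the 17-column l2t_csv layout and the description text is written in the style of log2timeline's registry parsers, but it is made up for this example; the rules and the list of benign debuggers are the author's assumptions.

```python
import csv
import io
import re

# Constructed l2t_csv rows (date,time,timezone,MACB,source,sourcetype,type,user,
# host,short,desc,version,filename,inode,notes,format,extra). Not seminar data.
L2T_CSV = r"""date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
04/01/2012,08:00:15,UTC,M...,REG,SOFTWARE key,Last Written,-,WEB01,-,[\Microsoft\Windows\CurrentVersion\Run] ctfmon.exe: C:\WINDOWS\system32\ctfmon.exe,2,SOFTWARE,0,-,registry,-
04/01/2012,11:40:22,UTC,M...,REG,SOFTWARE key,Last Written,-,WEB01,-,[\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] Debugger: C:\WINDOWS\system32\wuauserv2.exe,2,SOFTWARE,0,-,registry,-
04/01/2012,11:40:23,UTC,M...,REG,SOFTWARE key,Last Written,-,WEB01,-,[\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe] Debugger: C:\WINDOWS\system32\wuauserv2.exe,2,SOFTWARE,0,-,registry,-
04/01/2012,11:45:02,UTC,M...,REG,NTUSER key,Last Written,administrator,WEB01,-,[\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3] \\10.0.0.25\C$\WINDOWS\system32,2,NTUSER.DAT,0,-,registry,-
04/01/2012,11:52:40,UTC,M...,REG,NTUSER key,Last Written,administrator,WEB01,-,[\Software\Microsoft\Terminal Server Client\Servers\10.0.0.40] UsernameHint: WEB02\administrator,2,NTUSER.DAT,0,-,registry,-
"""

# Debuggers that legitimately appear as IFEO Debugger values (assumption).
BENIGN_DEBUGGERS = {"ntsd.exe", "vsjitdebugger.exe", "drwtsn32.exe", "windbg.exe"}

# Each rule: a name and a regex over the desc column. 'target' is the key's
# last component (program or RDP host) where one exists; 'value' is the data.
RULES = [
    ("ifeo_debugger",
     re.compile(r"Image File Execution Options\\(?P<target>[^\]\\]+)\].*?Debugger:\s*(?P<value>.+)$")),
    ("share_browsed",
     re.compile(r"ShellNoRoam\\BagMRU[^\]]*\].*?(?P<value>\\\\\S+)")),
    ("rdp_client",
     re.compile(r"Terminal Server Client\\Servers\\(?P<target>[^\]\\]+)\].*?UsernameHint:\s*(?P<value>.+)$")),
]

def scan_timeline(text):
    """Return one finding dict per timeline row that matches a rule, in timeline order."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        for kind, rx in RULES:
            m = rx.search(row["desc"])
            if not m:
                continue
            gd = m.groupdict()
            finding = {
                "when": f'{row["date"]} {row["time"]} {row["timezone"]}',
                "host": row["host"], "user": row["user"], "kind": kind,
                "target": gd.get("target"), "value": gd["value"].strip(),
            }
            if kind == "ifeo_debugger":
                debugger = finding["value"].split("\\")[-1].lower()
                finding["severity"] = "low" if debugger in BENIGN_DEBUGGERS else "high"
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan_timeline(L2T_CSV):
        print(f'{f["when"]} {f["host"]:6s} {f["kind"]:14s} {f["target"] or "-":12s} {f["value"]}')
```

On the constructed rows the two IFEO entries written one second apart point at the same dropper, which is exactly the pattern the "divert system tools and suppress antivirus" slide describes, and the share-browsing and RDP rows that follow give the next hosts to image.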
![Page 26: (120429) #fitalk case studyk-masked file](https://reader034.vdocuments.net/reader034/viewer/2022042907/587efc901a28ab35528b643d/html5/thumbnails/26.jpg)
IIS Log