SlideShare a Scribd company logo

(130720) #fitalk trends in d forensics

INSIGHT FORENSIC
INSIGHT FORENSIC

This document summarizes trends in digital forensics from a conference in June 2013. It discusses forensic artifacts from the Amazon Cloud Drive desktop application and web browser, including log files and database records that can be analyzed. It also covers evidence that can be found in the Windows Control Panel, such as Prefetch files, registry keys, and jump lists recording which control panel applications have been used and when. The document provides an overview of digital forensic issues and tools discussed at the conference.

Technology
1 of 39
Download to read offline
FORENSIC INSIGHT; DIGITAL FORENSICS COMMUNITY IN KOREA Trends in dForensics, Jun/2013 JK Kim proneer proneer@gmail.com http://forensic-proof.com Security is a people problem…
forensicinsight.org Page 2 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics • 클라우드 이용 방식  데스크톱 애플리케이션  온라인 인터페이스 (웹 브라우저)  모바일 앱 (Amazon Clound Drive Photos만 존재) Digital Forensics Stream
forensicinsight.org Page 3 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Digital Forensics Stream
forensicinsight.org Page 4 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Digital Forensics Stream
forensicinsight.org Page 5 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Digital Forensics Stream
forensicinsight.org Page 6 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Digital Forensics Stream
forensicinsight.org Page 7 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • 클라우드 동기화 폴더에 파일 추가  %UserProfile%AppDataLocalAmazon Cloud DriveSyncClient  Write-Ahead Logging (v3.7.0 부터 rollback journal 대신) Digital Forensics Stream
forensicinsight.org Page 8 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClient  ADriveNativeClientService.log  adrive-client.log  1319b5c6-2672-49b4-b623-bf5a33fd4c40.db  sync--1522780775.db Digital Forensics Stream
forensicinsight.org Page 9 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClientadrive-client.log Digital Forensics Stream
forensicinsight.org Page 10 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClientadrive-client.debug.log Digital Forensics Stream
forensicinsight.org Page 11 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClientadrive-client.debug.log Digital Forensics Stream INFO 2013-07-19 16:23:58,565 [1] Adrive.Desktop.Application.CloudDriveApplication - Trace(2).Event::Starting Sync... DEBUG 2013-07-19 16:23:58,566 [1] Adrive.Desktop.Services.LocalServiceRequest - method=startSync, id=20, url=http://127.0.0.1:26330 DEBUG 2013-07-19 16:24:00,716 [1] Adrive.Desktop.Services.LocalServiceRequest - method=getAllLinks, id=21, url=http://127.0.0.1:26330 DEBUG 2013-07-19 16:24:02,133 [1] Adrive.Desktop.Services.ADriveLocalService - httpResponse={"id":21,"result":{"links":{"Help":"https://www.amazon.com/clouddrive/help","ThirdPartyLicenses":"https://www.ama zon.com/gp/drive/attribution","Manage":"https://www.amazon.com/clouddrive/manage","CloudDriveWebPage":"https://www.am azon.com/clouddrive","Feedback":"https://www.amazon.com/clouddrive/feedback","Faq":"https://www.amazon.com/help/cloudd rive/errors","DeletedItems":"https://www.amazon.com/clouddrive?sf=1&cdpath=DeletedItems","TermsOfUse":"https://www.amaz on.com/gp/drive/tou"},"default":false},"jsonrpc":"2.0"} DEBUG 2013-07-19 16:24:03,909 [1] Adrive.Desktop.Services.ADriveLocalService - httpResponse={"id":20,"result":{"name":"SYNCING","state":1},"jsonrpc":"2.0"}
forensicinsight.org Page 12 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClientsync--1522780775.db  Table • filter__resolve • local_scan • remote_scan • synced Digital Forensics Stream
forensicinsight.org Page 13 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClientsync--1522780775.db  Table: local_scan Digital Forensics Stream
forensicinsight.org Page 14 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClientsync--1522780775.db  Table: remote_scan Digital Forensics Stream
forensicinsight.org Page 15 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClientsync--1522780775.db  Table: synced Digital Forensics Stream
forensicinsight.org Page 16 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Web Browser App Digital Forensics Stream
forensicinsight.org Page 17 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Web Browser App Digital Forensics Stream
forensicinsight.org Page 18 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Web Browser App Forensic Artifacts • %UserProfile%AppDataLocalMicrosoftWindowsTemporary Internet FilesContent.IE5  ACD 브라우저 캐시 파일이 존재하지 않음 Digital Forensics Stream
forensicinsight.org Page 19 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Web Browser App Forensic Artifacts • %UserProfile%AppDataLocalMicrosoftWindowsTemporary Internet FilesContent.IE5 Digital Forensics Stream https://www.amazon.com/clouddrive/api/?_=1374221497170&Operation=selectMetadata&customerId=AQKWZ 4UCHAU02&ContentType=JSON&query=select+count(*)+from+object+where+hidden+!%3D+true+and+paren tObjectId%3D'c183a7d0-3fb3-429c-b244- 3edf781b4a35'+and+status+!%3D+'PENDING'+and+type+!%3D+'RECYCLE' apiCA20H5UW.json https://fls-na.amazon.com/1/adrive- metrics/1/OP/customerId=AQKWZ4UCHAU02;%7B%22metricIdentifier%22:%22uploadButtonClicked%22,%22co ntext%22:%22List%22,%22timestamp%22:%222013-07- 19T08:11:13.724Z%22%7D;%7B%22metricIdentifier%22:%22Delete%22,%22selectAll%22:%22No%22,%22number OfFiles%22:1,%22context%22:%22List%22,%22timestamp%22:%222013-07-19T08:11:35.044Z%22%7D; _timestamp___2013-07- 19T08_11_13.724Z_};{_metricIdentifier___Delete_,_selectAll___No_,_numberOfFiles__1,_contex t___List_,_timestamp___2013-07-19T08_11_35[1].gif
forensicinsight.org Page 20 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Web Browser App Forensic Artifacts • %UserProfile%AppDataLocalMicrosoftWindowsHistoryHistory.IE5 Digital Forensics Stream Visited: forensic32@https://www.amazon.com/clouddrive?_encoding=UTF8&ref_=cd_spl_def_ycd&sf=1&openid.assoc _handle=amzn_clouddrive_us&aToken=5%7CjSAVqSVWYsOS2JvwHHA5SJQmz%2BIs%2Be4wLFNGrb1nd424U7D DaWe%2BxqIK9gZYY3%2FE%2BRDlxx1%2F3aDtvTIV%2BPAlRY8Iz7Ngs7bj5U0QejWtM6TkzK2bIl%2FOdBYe%2Fx9 8UTUNrVZMRTnA9nSlpnqxHiEE75aey3ClYUOGTwSKDESIYpk8jl15245REqsdD%2FSo9I9o20nO9BfPSn52CKwNWO 75EoYKVQ1KMGwY&openid.claimed_id=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2Famzn1.account.AF S5WGWLGWZNPTQTZZENLULFQV2A&openid.identity=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2Famz n1.account.AFS5WGWLGWZNPTQTZZENLULFQV2A&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.op enid.net%2Fauth%2F2.0&openid.op_endpoint=https%3A%2F%2Fwww.amazon.com%2Fap%2Fsignin&openid.res ponse_nonce=2013-07- 19T10%3A08%3A47Z6526231790617976937&openid.return_to=https%3A%2F%2Fwww.amazon.com%2Fclouddr ive%3F_encoding%3DUTF8%26ref_%3Dcd_spl_def_ycd%26sf%3D1&openid.signed=assoc_handle%2CaToken%2 Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Cpape.auth_poli cies%2Cpape.auth_time%2Cns.pape%2Csigned&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensio ns%2Fpape%2F1.0&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F20 07%2F06%2Fnone&openid.pape.auth_time=2013-07- 19T10%3A08%3A47Z&openid.sig=LoWsvL%2FKPm9M%2FVUN8GgOBJrb%2FLb5Z1UOc71E5hOyspo%3D&
forensicinsight.org Page 21 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • GUI Control Panel SANS Computer Forensics Blog
forensicinsight.org Page 22 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • 제어판 감사 항목  비인가된 소프트웨어에 의해 방화벽 설정 변경 (firewall.cpl)  사용자 계정 추가 혹은 수정 (nusrmgr.cpl)  시스템 복원 및 볼륨 섀도 복사본 끄기 (sysdm.cpl)  시스템 시간 변경 (timedate.cpl)  타사 보안 소프트웨어 애플릿과의 통신 SANS Computer Forensics Blog
forensicinsight.org Page 23 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • 제어판 구성  제어판은 다수의 애플릿(.cpl)으로 구성 (%SystemRoot%System32 폴더에 존재)  애플릿 접근 방법 • GUI 제어판 이용 • 시작  실행 • 작업바 (시스템 시간 변경) • 명령 프롬프트 (control.exe timedate.cpl) • … …  접근 방법에 따라 상이한 아티팩트 SANS Computer Forensics Blog
forensicinsight.org Page 24 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • 제어판 애플릿 실행 흔적 1. 윈도우 프리패치 (Prefetch) SANS Computer Forensics Blog
forensicinsight.org Page 25 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • 제어판 애플릿 실행 흔적 2. 레지스트리 응용프로그램 사용로그(UserAssist) 키 (XP/Vista) • NTUSER.DATSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist SANS Computer Forensics Blog
forensicinsight.org Page 26 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • 제어판 애플릿 실행 흔적 3. 레지스트리 실행명령 로그(RunMRU) 키 • NTUSER.DATSoftwareMicrosoftWindowsCurrentVersionExplorerRunMRU SANS Computer Forensics Blog
forensicinsight.org Page 27 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • 제어판 애플릿 실행 흔적 4. 점프 목록 (Win7/Win8) • %UsreProfile%AppDataRoamingMicrosoftWindowsRecentAutomaticDestinations7e4dca 80246863e3.automaticDestinations-ms SANS Computer Forensics Blog
forensicinsight.org Page 28 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • 제어판 애플릿 실행 흔적 4. 점프 목록 (Win7/Win8) • %UsreProfile%AppDataRoamingMicrosoftWindowsRecentAutomaticDestinations7e4dca 80246863e3.automaticDestinations-ms SANS Computer Forensics Blog
forensicinsight.org Page 29 Trends in dForensics, Jun/2013  GrrCON 2012 Forensics Challenge Walkthrough • 부팅 가능한 라이브 이미지  ID: analyst  PW: grrcon2012 • 바탕화면 – 3개의 파일  memdump.img  out.pcap  compromised.timeline • 설치된 도구  TSK, Volatility, Yara, Foremost, tcpflow • 주어진 20개 문제의 답을 찾는 챌린지 Paul Melson’s Blog
forensicinsight.org Page 30 Trends in dForensics, Jun/2013  GrrCON 2012 Forensics Challenge Walkthrough • 부팅 가능한 라이브 이미지  ID: analyst  PW: grrcon2012 • 바탕화면 – 3개의 파일  memdump.img  out.pcap  compromised.timeline • 설치된 도구  TSK, Volatility, Yara, Foremost, tcpflow • 주어진 20개 문제의 답을 찾는 챌린지 Paul Melson’s Blog
forensicinsight.org Page 31 Trends in dForensics, Jun/2013  Catching the ghost: how to discover ephemeral evidence with Live RAM analysis • 휘발성 메모리의 증거 항목  동작 중인 프로세스와 서비스, 언팩/복호화된 프로그램 데이터  시스템/사용자 로그인 정보, 레지스트리/웹 브라우징 흔적  네트워크 연결 정보, SNS, MMORPG의 통신 및 채팅 내역  웹 메일/클라우드 서비스 흔적, 암호화된 볼륨의 복호화 키  최근 열람한 문서 및 사진, 동작 중인 악성코드 정보 • 휘발성 메모리 흔적은 명이 짧음 • 따라서, 조사관은 남아 있는 흔적을 최대한 가져올 수 있어야 함 FORENSIC FOCUS
forensicinsight.org Page 32 Trends in dForensics, Jun/2013  Catching the ghost: how to discover ephemeral evidence with Live RAM analysis • 휘발성 데이터가 법적으로 인정받을 수 있는가?  검증된 도구의 사용  휘발성 메모리 수집은 필연적으로 풋프린트를 남김  기술적 타당성과 법적 타당성은 별개의 문제  수집의 모든 단계를 문서화 FORENSIC FOCUS
forensicinsight.org Page 33 Trends in dForensics, Jun/2013  Catching the ghost: how to discover ephemeral evidence with Live RAM analysis • ACPO(Association of Chief Police Officers) 메모리 덤프 표준 절차 1. 상황에 대한 위험 평가: 증거로서 필요하고 안전하게 수집이 가능한가? 2. 그렇다면, 휘발성 데이터 캡쳐 장비 장착 (USB Flash Drive, USB Hard Drive 등) 3. 휘발성 데이터 수집 스크립트 실행 4. 완료 후 장치 중지 (반드시, “안전하게 제거”) 5. 장치 제거 6. 별도의 조사 컴퓨터에서 수집 데이터 검증 (절대 용의자 시스템에서 하지 말것) 7. 표준 전원 종료 절차에 따름 FORENSIC FOCUS
forensicinsight.org Page 34 Trends in dForensics, Jun/2013  Catching the ghost: how to discover ephemeral evidence with Live RAM analysis • 메모리 덤프 도구 요구 사항 1. 커널 모드 동작 2. 풋프린트 최소화 3. 포터블 방식 4. 읽기 모드 접근 FORENSIC FOCUS
forensicinsight.org Page 35 Trends in dForensics, Jun/2013  Catching the ghost: how to discover ephemeral evidence with Live RAM analysis • FireWire Attack  아무것도 실행하지 않고 DMA를 이용해 메모리 덤프  알려진 방법 중 가능 • Freezer Attack  콜드 부트를 이용해 암호화된 스마트폰의 암호화 키를 메모리에서 획득  FROST(Forensic Recovery Of Scrambled Telephones) FORENSIC FOCUS
forensicinsight.org Page 36 Trends in dForensics, Jun/2013  Catching the ghost: how to discover ephemeral evidence with Live RAM analysis • Belkasoft Evidence Center FORENSIC FOCUS
forensicinsight.org Page 37 Trends in dForensics, Jun/2013  Open Security Research • Reversing Basics Part 1: Understanding the C Code • Reversing Basics Part 2: Understanding the Assembly • Reversing Basics Part 3: Dynamically Reversing main()  Microsoft Security Blog • Microsoft Releases New Mitigation Guidance for Active Directory  EnCase® Forensic Blog • Safari Form Value Decryptor  FORENSICMETHODS • Memory Forensics Cheat Sheet v1.2 Others
forensicinsight.org Page 38 Trends in dForensics, Jun/2013  WDFS (The Workshop of Digital Forensics) • 2013-08-27, Hana-Square Auditorium in Korea University. • Early Bird : 20,000 (Student), 50,000 (General) • Standard : 30,000 (Student), 70,000 (General)  CSS (Cyber Security Summer) 2013 • 2013-08-30, COEX • Early Bird : 350,000 • Standard : 450,000 Events
forensicinsight.org Page 39 Question and Answer

Recommended

Naive application development
Naive application developmentNaive application development
Naive application development
Shaka Huang
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Colombo Mobile Developer MeetUp - Building Scalable Cloud Connected Mobile Ap...
Colombo Mobile Developer MeetUp - Building Scalable Cloud Connected Mobile Ap...Colombo Mobile Developer MeetUp - Building Scalable Cloud Connected Mobile Ap...
Colombo Mobile Developer MeetUp - Building Scalable Cloud Connected Mobile Ap...
99X Technology
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
Abdulrahman Bassam
 
What's new in android jakarta gdg (2015-08-26)
What's new in android jakarta gdg (2015-08-26)What's new in android jakarta gdg (2015-08-26)
What's new in android jakarta gdg (2015-08-26)
Google
 
Automated Historical Performance Analysis with kmemtracer
Automated Historical Performance Analysis with kmemtracerAutomated Historical Performance Analysis with kmemtracer
Automated Historical Performance Analysis with kmemtracer
Kyungmin Lee
 
Google chrome os
Google chrome osGoogle chrome os
Google chrome os
Neethu Dasan
 
DEVIEW2013: Automating Performance Tests for Android Applications
DEVIEW2013: Automating Performance Tests for Android ApplicationsDEVIEW2013: Automating Performance Tests for Android Applications
DEVIEW2013: Automating Performance Tests for Android Applications
Kyungmin Lee
 

Recommended

Naive application development
Naive application developmentNaive application development
Naive application development
Shaka Huang
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Colombo Mobile Developer MeetUp - Building Scalable Cloud Connected Mobile Ap...
Colombo Mobile Developer MeetUp - Building Scalable Cloud Connected Mobile Ap...Colombo Mobile Developer MeetUp - Building Scalable Cloud Connected Mobile Ap...
Colombo Mobile Developer MeetUp - Building Scalable Cloud Connected Mobile Ap...
99X Technology
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
Abdulrahman Bassam
 
What's new in android jakarta gdg (2015-08-26)
What's new in android jakarta gdg (2015-08-26)What's new in android jakarta gdg (2015-08-26)
What's new in android jakarta gdg (2015-08-26)
Google
 
Automated Historical Performance Analysis with kmemtracer
Automated Historical Performance Analysis with kmemtracerAutomated Historical Performance Analysis with kmemtracer
Automated Historical Performance Analysis with kmemtracer
Kyungmin Lee
 
Google chrome os
Google chrome osGoogle chrome os
Google chrome os
Neethu Dasan
 
DEVIEW2013: Automating Performance Tests for Android Applications
DEVIEW2013: Automating Performance Tests for Android ApplicationsDEVIEW2013: Automating Performance Tests for Android Applications
DEVIEW2013: Automating Performance Tests for Android Applications
Kyungmin Lee
 
OSB310: Whitelisting: The Good, The Bad, and The Ugly!
OSB310: Whitelisting: The Good, The Bad, and The Ugly!OSB310: Whitelisting: The Good, The Bad, and The Ugly!
OSB310: Whitelisting: The Good, The Bad, and The Ugly!
Ivanti
 
Android tutorial for beginners-traininginbangalore.com
Android tutorial for beginners-traininginbangalore.comAndroid tutorial for beginners-traininginbangalore.com
Android tutorial for beginners-traininginbangalore.com
TIB Academy
 
Android - Open Source Bridge 2011
Android - Open Source Bridge 2011Android - Open Source Bridge 2011
Android - Open Source Bridge 2011
sullis
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The Cloud
Velocidex Enterprises
 
Monitoring Cloud Foundry: Learning about the Firehose
Monitoring Cloud Foundry: Learning about the FirehoseMonitoring Cloud Foundry: Learning about the Firehose
Monitoring Cloud Foundry: Learning about the Firehose
Dustin Ruehle
 
AbdullahFawad_OS_Assignment.docx
AbdullahFawad_OS_Assignment.docxAbdullahFawad_OS_Assignment.docx
AbdullahFawad_OS_Assignment.docx
TabyaSaeed
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
webscale
 
Android developmenttools 20100424
Android developmenttools 20100424Android developmenttools 20100424
Android developmenttools 20100424
Marakana Inc.
 
A New Perspective on Resource-Level Cloud Forensics
A New Perspective on Resource-Level Cloud ForensicsA New Perspective on Resource-Level Cloud Forensics
A New Perspective on Resource-Level Cloud Forensics
Christopher Doman
 
MongoDB Europe 2016 - Warehousing MongoDB Data using Apache Beam and BigQuery
MongoDB Europe 2016 - Warehousing MongoDB Data using Apache Beam and BigQueryMongoDB Europe 2016 - Warehousing MongoDB Data using Apache Beam and BigQuery
MongoDB Europe 2016 - Warehousing MongoDB Data using Apache Beam and BigQuery
MongoDB
 
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the GridDerbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Chris Sistrunk
 
Google Cloud lightning talk @MHacks
Google Cloud lightning talk @MHacksGoogle Cloud lightning talk @MHacks
Google Cloud lightning talk @MHacks
wesley chun
 
Modular Architecturs for resilience and Adaptability.pdf
Modular Architecturs for resilience and Adaptability.pdfModular Architecturs for resilience and Adaptability.pdf
Modular Architecturs for resilience and Adaptability.pdf
Nilesh Gule
 
Modular Architecturs for resilience and Adaptability.pdf
Modular Architecturs for resilience and Adaptability.pdfModular Architecturs for resilience and Adaptability.pdf
Modular Architecturs for resilience and Adaptability.pdf
Nilesh Gule
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
Amazon Web Services
 
Deployment talk dpc 13
Deployment talk dpc 13Deployment talk dpc 13
Deployment talk dpc 13
Robbert van den Bogerd
 
Creating mobile apps with Cordova for iOS, Android and BlackBerry 10
Creating mobile apps with Cordova for iOS, Android and BlackBerry 10Creating mobile apps with Cordova for iOS, Android and BlackBerry 10
Creating mobile apps with Cordova for iOS, Android and BlackBerry 10
Demian Borba
 
[HEWEBAR 2012] Adaptive Images in Responsive Web Design
[HEWEBAR 2012] Adaptive Images in Responsive Web Design[HEWEBAR 2012] Adaptive Images in Responsive Web Design
[HEWEBAR 2012] Adaptive Images in Responsive Web Design
Christopher Schmitt
 
Lambda Architecture using Google Cloud plus Apps
Lambda Architecture using Google Cloud plus AppsLambda Architecture using Google Cloud plus Apps
Lambda Architecture using Google Cloud plus Apps
Simon Su
 
Online Cloud Storage System By using PHP
Online Cloud Storage System By using PHPOnline Cloud Storage System By using PHP
Online Cloud Storage System By using PHP
Tuhin Ray
 
(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics
INSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)
INSIGHT FORENSIC
 

More Related Content

Similar to (130720) #fitalk trends in d forensics

Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The Cloud
Velocidex Enterprises
 
Monitoring Cloud Foundry: Learning about the Firehose
Monitoring Cloud Foundry: Learning about the FirehoseMonitoring Cloud Foundry: Learning about the Firehose
Monitoring Cloud Foundry: Learning about the Firehose
Dustin Ruehle
 
A New Perspective on Resource-Level Cloud Forensics
A New Perspective on Resource-Level Cloud ForensicsA New Perspective on Resource-Level Cloud Forensics
A New Perspective on Resource-Level Cloud Forensics
Christopher Doman
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
Amazon Web Services
 
[HEWEBAR 2012] Adaptive Images in Responsive Web Design
[HEWEBAR 2012] Adaptive Images in Responsive Web Design[HEWEBAR 2012] Adaptive Images in Responsive Web Design
[HEWEBAR 2012] Adaptive Images in Responsive Web Design
Christopher Schmitt
 

Similar to (130720) #fitalk trends in d forensics (20)

OSB310: Whitelisting: The Good, The Bad, and The Ugly!
OSB310: Whitelisting: The Good, The Bad, and The Ugly!OSB310: Whitelisting: The Good, The Bad, and The Ugly!
OSB310: Whitelisting: The Good, The Bad, and The Ugly!
 
Android tutorial for beginners-traininginbangalore.com
Android tutorial for beginners-traininginbangalore.comAndroid tutorial for beginners-traininginbangalore.com
Android tutorial for beginners-traininginbangalore.com
 
Android - Open Source Bridge 2011
Android - Open Source Bridge 2011Android - Open Source Bridge 2011
Android - Open Source Bridge 2011
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The Cloud
 
Monitoring Cloud Foundry: Learning about the Firehose
Monitoring Cloud Foundry: Learning about the FirehoseMonitoring Cloud Foundry: Learning about the Firehose
Monitoring Cloud Foundry: Learning about the Firehose
 
AbdullahFawad_OS_Assignment.docx
AbdullahFawad_OS_Assignment.docxAbdullahFawad_OS_Assignment.docx
AbdullahFawad_OS_Assignment.docx
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Android developmenttools 20100424
Android developmenttools 20100424Android developmenttools 20100424
Android developmenttools 20100424
 
A New Perspective on Resource-Level Cloud Forensics
A New Perspective on Resource-Level Cloud ForensicsA New Perspective on Resource-Level Cloud Forensics
A New Perspective on Resource-Level Cloud Forensics
 
MongoDB Europe 2016 - Warehousing MongoDB Data using Apache Beam and BigQuery
MongoDB Europe 2016 - Warehousing MongoDB Data using Apache Beam and BigQueryMongoDB Europe 2016 - Warehousing MongoDB Data using Apache Beam and BigQuery
MongoDB Europe 2016 - Warehousing MongoDB Data using Apache Beam and BigQuery
 
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the GridDerbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
 
Google Cloud lightning talk @MHacks
Google Cloud lightning talk @MHacksGoogle Cloud lightning talk @MHacks
Google Cloud lightning talk @MHacks
 
Modular Architecturs for resilience and Adaptability.pdf
Modular Architecturs for resilience and Adaptability.pdfModular Architecturs for resilience and Adaptability.pdf
Modular Architecturs for resilience and Adaptability.pdf
 
Modular Architecturs for resilience and Adaptability.pdf
Modular Architecturs for resilience and Adaptability.pdfModular Architecturs for resilience and Adaptability.pdf
Modular Architecturs for resilience and Adaptability.pdf
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
 
Deployment talk dpc 13
Deployment talk dpc 13Deployment talk dpc 13
Deployment talk dpc 13
 
Creating mobile apps with Cordova for iOS, Android and BlackBerry 10
Creating mobile apps with Cordova for iOS, Android and BlackBerry 10Creating mobile apps with Cordova for iOS, Android and BlackBerry 10
Creating mobile apps with Cordova for iOS, Android and BlackBerry 10
 
[HEWEBAR 2012] Adaptive Images in Responsive Web Design
[HEWEBAR 2012] Adaptive Images in Responsive Web Design[HEWEBAR 2012] Adaptive Images in Responsive Web Design
[HEWEBAR 2012] Adaptive Images in Responsive Web Design
 
Lambda Architecture using Google Cloud plus Apps
Lambda Architecture using Google Cloud plus AppsLambda Architecture using Google Cloud plus Apps
Lambda Architecture using Google Cloud plus Apps
 
Online Cloud Storage System By using PHP
Online Cloud Storage System By using PHPOnline Cloud Storage System By using PHP
Online Cloud Storage System By using PHP
 

More from INSIGHT FORENSIC

(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
INSIGHT FORENSIC
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
INSIGHT FORENSIC
 

More from INSIGHT FORENSIC (20)

(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
 
(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts
 
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
 
(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch
 
(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석
 
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
 
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
 
(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
 
(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)
 
(130202) #fitalk china threat
(130202) #fitalk china threat(130202) #fitalk china threat
(130202) #fitalk china threat
 
(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
 
(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)
 

Recently uploaded

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 

(130720) #fitalk trends in d forensics

  • 1. FORENSIC INSIGHT; DIGITAL FORENSICS COMMUNITY IN KOREA Trends in dForensics, Jun/2013 JK Kim proneer proneer@gmail.com http://forensic-proof.com Security is a people problem…
  • 2. forensicinsight.org Page 2 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics • 클라우드 이용 방식  데스크톱 애플리케이션  온라인 인터페이스 (웹 브라우저)  모바일 앱 (Amazon Clound Drive Photos만 존재) Digital Forensics Stream
  • 3. forensicinsight.org Page 3 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Digital Forensics Stream
  • 4. forensicinsight.org Page 4 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Digital Forensics Stream
  • 5. forensicinsight.org Page 5 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Digital Forensics Stream
  • 6. forensicinsight.org Page 6 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Digital Forensics Stream
  • 7. forensicinsight.org Page 7 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • 클라우드 동기화 폴더에 파일 추가  %UserProfile%AppDataLocalAmazon Cloud DriveSyncClient  Write-Ahead Logging (v3.7.0 부터 rollback journal 대신) Digital Forensics Stream
  • 8. forensicinsight.org Page 8 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClient  ADriveNativeClientService.log  adrive-client.log  1319b5c6-2672-49b4-b623-bf5a33fd4c40.db  sync--1522780775.db Digital Forensics Stream
  • 9. forensicinsight.org Page 9 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClientadrive-client.log Digital Forensics Stream
  • 10. forensicinsight.org Page 10 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClientadrive-client.debug.log Digital Forensics Stream
  • 11. forensicinsight.org Page 11 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClientadrive-client.debug.log Digital Forensics Stream INFO 2013-07-19 16:23:58,565 [1] Adrive.Desktop.Application.CloudDriveApplication - Trace(2).Event::Starting Sync... DEBUG 2013-07-19 16:23:58,566 [1] Adrive.Desktop.Services.LocalServiceRequest - method=startSync, id=20, url=http://127.0.0.1:26330 DEBUG 2013-07-19 16:24:00,716 [1] Adrive.Desktop.Services.LocalServiceRequest - method=getAllLinks, id=21, url=http://127.0.0.1:26330 DEBUG 2013-07-19 16:24:02,133 [1] Adrive.Desktop.Services.ADriveLocalService - httpResponse={"id":21,"result":{"links":{"Help":"https://www.amazon.com/clouddrive/help","ThirdPartyLicenses":"https://www.ama zon.com/gp/drive/attribution","Manage":"https://www.amazon.com/clouddrive/manage","CloudDriveWebPage":"https://www.am azon.com/clouddrive","Feedback":"https://www.amazon.com/clouddrive/feedback","Faq":"https://www.amazon.com/help/cloudd rive/errors","DeletedItems":"https://www.amazon.com/clouddrive?sf=1&cdpath=DeletedItems","TermsOfUse":"https://www.amaz on.com/gp/drive/tou"},"default":false},"jsonrpc":"2.0"} DEBUG 2013-07-19 16:24:03,909 [1] Adrive.Desktop.Services.ADriveLocalService - httpResponse={"id":20,"result":{"name":"SYNCING","state":1},"jsonrpc":"2.0"}
  • 12. forensicinsight.org Page 12 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClientsync--1522780775.db  Table • filter__resolve • local_scan • remote_scan • synced Digital Forensics Stream
  • 13. forensicinsight.org Page 13 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClientsync--1522780775.db  Table: local_scan Digital Forensics Stream
  • 14. forensicinsight.org Page 14 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClientsync--1522780775.db  Table: remote_scan Digital Forensics Stream
  • 15. forensicinsight.org Page 15 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Desktop App Forensic Artifacts • %UserProfile%AppDataLocalAmazon Cloud DriveSyncClientsync--1522780775.db  Table: synced Digital Forensics Stream
  • 16. forensicinsight.org Page 16 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Web Browser App Digital Forensics Stream
  • 17. forensicinsight.org Page 17 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Web Browser App Digital Forensics Stream
  • 18. forensicinsight.org Page 18 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Web Browser App Forensic Artifacts • %UserProfile%AppDataLocalMicrosoftWindowsTemporary Internet FilesContent.IE5  ACD 브라우저 캐시 파일이 존재하지 않음 Digital Forensics Stream
  • 19. forensicinsight.org Page 19 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Web Browser App Forensic Artifacts • %UserProfile%AppDataLocalMicrosoftWindowsTemporary Internet FilesContent.IE5 Digital Forensics Stream https://www.amazon.com/clouddrive/api/?_=1374221497170&Operation=selectMetadata&customerId=AQKWZ 4UCHAU02&ContentType=JSON&query=select+count(*)+from+object+where+hidden+!%3D+true+and+paren tObjectId%3D'c183a7d0-3fb3-429c-b244- 3edf781b4a35'+and+status+!%3D+'PENDING'+and+type+!%3D+'RECYCLE' apiCA20H5UW.json https://fls-na.amazon.com/1/adrive- metrics/1/OP/customerId=AQKWZ4UCHAU02;%7B%22metricIdentifier%22:%22uploadButtonClicked%22,%22co ntext%22:%22List%22,%22timestamp%22:%222013-07- 19T08:11:13.724Z%22%7D;%7B%22metricIdentifier%22:%22Delete%22,%22selectAll%22:%22No%22,%22number OfFiles%22:1,%22context%22:%22List%22,%22timestamp%22:%222013-07-19T08:11:35.044Z%22%7D; _timestamp___2013-07- 19T08_11_13.724Z_};{_metricIdentifier___Delete_,_selectAll___No_,_numberOfFiles__1,_contex t___List_,_timestamp___2013-07-19T08_11_35[1].gif
  • 20. forensicinsight.org Page 20 Trends in dForensics, Jun/2013  Amazon Cloud Drive Forensics – Web Browser App Forensic Artifacts • %UserProfile%AppDataLocalMicrosoftWindowsHistoryHistory.IE5 Digital Forensics Stream Visited: forensic32@https://www.amazon.com/clouddrive?_encoding=UTF8&ref_=cd_spl_def_ycd&sf=1&openid.assoc _handle=amzn_clouddrive_us&aToken=5%7CjSAVqSVWYsOS2JvwHHA5SJQmz%2BIs%2Be4wLFNGrb1nd424U7D DaWe%2BxqIK9gZYY3%2FE%2BRDlxx1%2F3aDtvTIV%2BPAlRY8Iz7Ngs7bj5U0QejWtM6TkzK2bIl%2FOdBYe%2Fx9 8UTUNrVZMRTnA9nSlpnqxHiEE75aey3ClYUOGTwSKDESIYpk8jl15245REqsdD%2FSo9I9o20nO9BfPSn52CKwNWO 75EoYKVQ1KMGwY&openid.claimed_id=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2Famzn1.account.AF S5WGWLGWZNPTQTZZENLULFQV2A&openid.identity=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2Famz n1.account.AFS5WGWLGWZNPTQTZZENLULFQV2A&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.op enid.net%2Fauth%2F2.0&openid.op_endpoint=https%3A%2F%2Fwww.amazon.com%2Fap%2Fsignin&openid.res ponse_nonce=2013-07- 19T10%3A08%3A47Z6526231790617976937&openid.return_to=https%3A%2F%2Fwww.amazon.com%2Fclouddr ive%3F_encoding%3DUTF8%26ref_%3Dcd_spl_def_ycd%26sf%3D1&openid.signed=assoc_handle%2CaToken%2 Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Cpape.auth_poli cies%2Cpape.auth_time%2Cns.pape%2Csigned&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensio ns%2Fpape%2F1.0&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F20 07%2F06%2Fnone&openid.pape.auth_time=2013-07- 19T10%3A08%3A47Z&openid.sig=LoWsvL%2FKPm9M%2FVUN8GgOBJrb%2FLb5Z1UOc71E5hOyspo%3D&
  • 21. forensicinsight.org Page 21 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • GUI Control Panel SANS Computer Forensics Blog
  • 22. forensicinsight.org Page 22 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • 제어판 감사 항목  비인가된 소프트웨어에 의해 방화벽 설정 변경 (firewall.cpl)  사용자 계정 추가 혹은 수정 (nusrmgr.cpl)  시스템 복원 및 볼륨 섀도 복사본 끄기 (sysdm.cpl)  시스템 시간 변경 (timedate.cpl)  타사 보안 소프트웨어 애플릿과의 통신 SANS Computer Forensics Blog
  • 23. forensicinsight.org Page 23 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • 제어판 구성  제어판은 다수의 애플릿(.cpl)으로 구성 (%SystemRoot%System32 폴더에 존재)  애플릿 접근 방법 • GUI 제어판 이용 • 시작  실행 • 작업바 (시스템 시간 변경) • 명령 프롬프트 (control.exe timedate.cpl) • … …  접근 방법에 따라 상이한 아티팩트 SANS Computer Forensics Blog
  • 24. forensicinsight.org Page 24 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • 제어판 애플릿 실행 흔적 1. 윈도우 프리패치 (Prefetch) SANS Computer Forensics Blog
  • 25. forensicinsight.org Page 25 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • 제어판 애플릿 실행 흔적 2. 레지스트리 응용프로그램 사용로그(UserAssist) 키 (XP/Vista) • NTUSER.DATSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist SANS Computer Forensics Blog
  • 26. forensicinsight.org Page 26 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • 제어판 애플릿 실행 흔적 3. 레지스트리 실행명령 로그(RunMRU) 키 • NTUSER.DATSoftwareMicrosoftWindowsCurrentVersionExplorerRunMRU SANS Computer Forensics Blog
  • 27. forensicinsight.org Page 27 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • 제어판 애플릿 실행 흔적 4. 점프 목록 (Win7/Win8) • %UsreProfile%AppDataRoamingMicrosoftWindowsRecentAutomaticDestinations7e4dca 80246863e3.automaticDestinations-ms SANS Computer Forensics Blog
  • 28. forensicinsight.org Page 28 Trends in dForensics, Jun/2013  Control Panel Forensics: Evidence of Time Manipulation and More • 제어판 애플릿 실행 흔적 4. 점프 목록 (Win7/Win8) • %UsreProfile%AppDataRoamingMicrosoftWindowsRecentAutomaticDestinations7e4dca 80246863e3.automaticDestinations-ms SANS Computer Forensics Blog
  • 29. forensicinsight.org Page 29 Trends in dForensics, Jun/2013  GrrCON 2012 Forensics Challenge Walkthrough • 부팅 가능한 라이브 이미지  ID: analyst  PW: grrcon2012 • 바탕화면 – 3개의 파일  memdump.img  out.pcap  compromised.timeline • 설치된 도구  TSK, Volatility, Yara, Foremost, tcpflow • 주어진 20개 문제의 답을 찾는 챌린지 Paul Melson’s Blog
  • 30. forensicinsight.org Page 30 Trends in dForensics, Jun/2013  GrrCON 2012 Forensics Challenge Walkthrough • 부팅 가능한 라이브 이미지  ID: analyst  PW: grrcon2012 • 바탕화면 – 3개의 파일  memdump.img  out.pcap  compromised.timeline • 설치된 도구  TSK, Volatility, Yara, Foremost, tcpflow • 주어진 20개 문제의 답을 찾는 챌린지 Paul Melson’s Blog
  • 31. forensicinsight.org Page 31 Trends in dForensics, Jun/2013  Catching the ghost: how to discover ephemeral evidence with Live RAM analysis • 휘발성 메모리의 증거 항목  동작 중인 프로세스와 서비스, 언팩/복호화된 프로그램 데이터  시스템/사용자 로그인 정보, 레지스트리/웹 브라우징 흔적  네트워크 연결 정보, SNS, MMORPG의 통신 및 채팅 내역  웹 메일/클라우드 서비스 흔적, 암호화된 볼륨의 복호화 키  최근 열람한 문서 및 사진, 동작 중인 악성코드 정보 • 휘발성 메모리 흔적은 명이 짧음 • 따라서, 조사관은 남아 있는 흔적을 최대한 가져올 수 있어야 함 FORENSIC FOCUS
  • 32. forensicinsight.org Page 32 Trends in dForensics, Jun/2013  Catching the ghost: how to discover ephemeral evidence with Live RAM analysis • 휘발성 데이터가 법적으로 인정받을 수 있는가?  검증된 도구의 사용  휘발성 메모리 수집은 필연적으로 풋프린트를 남김  기술적 타당성과 법적 타당성은 별개의 문제  수집의 모든 단계를 문서화 FORENSIC FOCUS
  • 33. forensicinsight.org Page 33 Trends in dForensics, Jun/2013  Catching the ghost: how to discover ephemeral evidence with Live RAM analysis • ACPO(Association of Chief Police Officers) 메모리 덤프 표준 절차 1. 상황에 대한 위험 평가: 증거로서 필요하고 안전하게 수집이 가능한가? 2. 그렇다면, 휘발성 데이터 캡쳐 장비 장착 (USB Flash Drive, USB Hard Drive 등) 3. 휘발성 데이터 수집 스크립트 실행 4. 완료 후 장치 중지 (반드시, “안전하게 제거”) 5. 장치 제거 6. 별도의 조사 컴퓨터에서 수집 데이터 검증 (절대 용의자 시스템에서 하지 말것) 7. 표준 전원 종료 절차에 따름 FORENSIC FOCUS
  • 34. forensicinsight.org Page 34 Trends in dForensics, Jun/2013  Catching the ghost: how to discover ephemeral evidence with Live RAM analysis • 메모리 덤프 도구 요구 사항 1. 커널 모드 동작 2. 풋프린트 최소화 3. 포터블 방식 4. 읽기 모드 접근 FORENSIC FOCUS
  • 35. forensicinsight.org Page 35 Trends in dForensics, Jun/2013  Catching the ghost: how to discover ephemeral evidence with Live RAM analysis • FireWire Attack  아무것도 실행하지 않고 DMA를 이용해 메모리 덤프  알려진 방법 중 가능 • Freezer Attack  콜드 부트를 이용해 암호화된 스마트폰의 암호화 키를 메모리에서 획득  FROST(Forensic Recovery Of Scrambled Telephones) FORENSIC FOCUS
  • 36. forensicinsight.org Page 36 Trends in dForensics, Jun/2013  Catching the ghost: how to discover ephemeral evidence with Live RAM analysis • Belkasoft Evidence Center FORENSIC FOCUS
  • 37. forensicinsight.org Page 37 Trends in dForensics, Jun/2013  Open Security Research • Reversing Basics Part 1: Understanding the C Code • Reversing Basics Part 2: Understanding the Assembly • Reversing Basics Part 3: Dynamically Reversing main()  Microsoft Security Blog • Microsoft Releases New Mitigation Guidance for Active Directory  EnCase® Forensic Blog • Safari Form Value Decryptor  FORENSICMETHODS • Memory Forensics Cheat Sheet v1.2 Others
  • 38. forensicinsight.org Page 38 Trends in dForensics, Jun/2013  WDFS (The Workshop of Digital Forensics) • 2013-08-27, Hana-Square Auditorium in Korea University. • Early Bird : 20,000 (Student), 50,000 (General) • Standard : 30,000 (Student), 70,000 (General)  CSS (Cyber Security Summer) 2013 • 2013-08-30, COEX • Early Bird : 350,000 • Standard : 450,000 Events