Forensics 101
4. DF = Digital Forensics
IR = Incident Response
7. DF vs. IR
- The two complement each other
- DF
- Finds the data relevant to the incident
- IR
- Needs that forensic data during the response process
12. Host information
- Antivirus logs
- Windows Event Log / syslog
- Web access / error logs
- Disk information
- Services
- Autorun (auto-start programs)
- Memory
- Processes
- Malware configuration
18. Install Elasticsearch
- docker pull docker.elastic.co/elasticsearch/elasticsearch:7.16.0
- docker run -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" --name=dfires docker.elastic.co/elasticsearch/elasticsearch:7.16.0
20. Install Kibana
- docker pull docker.elastic.co/kibana/kibana:7.16.0
- docker run --link dfires:elasticsearch -p 5601:5601 docker.elastic.co/kibana/kibana:7.16.0
29. What can be analyzed
- Network
- Lookups of malicious domains
- Abnormally large traffic volumes
- Service logs
- Web attack patterns
- SQL injection, XSS
32. Disk acquisition - on host
- VM / container: export the VM, or export the root filesystem
- Windows: FTK Imager
- Linux: dd
39. Windows Event Log
- Event Code
- 4688 in Security: Process Creation
- 7045 in System: Service Installed
- 4624 in Security: Logon Success
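As an added illustration that is not part of the slides, the three event codes above are stitched into per-logon timelines: 4688 joins its 4624 session through the Logon ID, and 7045 (which carries no Logon ID) is attributed to the session that spawned a process shortly before it. The records are constructed sample data and the 60-second attribution window is an assumed heuristic.

```python
from datetime import datetime

# Constructed sample records in the shape of EVTX-to-dict exports; not real data.
EVENTS = [
    {"ts": "2021-12-01T09:00:00", "log": "Security", "id": 4624,
     "data": {"TargetUserName": "alice", "TargetLogonId": "0x3e7a1", "LogonType": "10"}},
    {"ts": "2021-12-01T09:00:12", "log": "Security", "id": 4688,
     "data": {"SubjectLogonId": "0x3e7a1", "NewProcessName": "C:\\Windows\\System32\\cmd.exe"}},
    {"ts": "2021-12-01T09:00:30", "log": "Security", "id": 4688,
     "data": {"SubjectLogonId": "0x3e7a1", "NewProcessName": "C:\\Windows\\System32\\sc.exe"}},
    {"ts": "2021-12-01T09:00:31", "log": "System", "id": 7045,
     "data": {"ServiceName": "UpdaterSvc", "ImagePath": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"}},
    {"ts": "2021-12-01T10:00:00", "log": "Security", "id": 4624,
     "data": {"TargetUserName": "svc-backup", "TargetLogonId": "0x41c00", "LogonType": "5"}},
]

def _t(ev):
    return datetime.fromisoformat(ev["ts"])

def _new_session(user="?", logon_type="?", logon_at=None):
    return {"user": user, "logon_type": logon_type, "logon_at": logon_at, "procs": [], "services": []}

def build_sessions(events, service_window_s=60):
    """Return {logon_id: session}. A 4688 record joins its 4624 session via the Logon ID
    (a session is created on the fly if the 4624 was not collected). A 7045 record is
    attributed to the session whose latest process creation happened at most
    service_window_s seconds earlier (assumed heuristic); otherwise "unattributed"."""
    sessions, last_proc = {}, {}          # last_proc: logon_id -> time of latest 4688
    for ev in sorted(events, key=_t):
        d, eid = ev["data"], ev["id"]
        if eid == 4624:
            sessions[d["TargetLogonId"]] = _new_session(d["TargetUserName"], d["LogonType"], ev["ts"])
        elif eid == 4688:
            lid = d["SubjectLogonId"]
            sessions.setdefault(lid, _new_session())["procs"].append((ev["ts"], d["NewProcessName"]))
            last_proc[lid] = _t(ev)
        elif eid == 7045:
            candidates = [(t, lid) for lid, t in last_proc.items()
                          if 0 <= (_t(ev) - t).total_seconds() <= service_window_s]
            key = max(candidates)[1] if candidates else "unattributed"
            sessions.setdefault(key, _new_session())["services"].append(
                (ev["ts"], d["ServiceName"], d["ImagePath"]))
    return sessions

def sessions_installing_services(sessions):
    """Logon IDs whose session installed a service: the first sessions to review in IR."""
    return sorted(lid for lid, s in sessions.items() if s["services"] and lid != "unattributed")

if __name__ == "__main__":
    for lid in sessions_installing_services(build_sessions(EVENTS)):
        print(lid, build_sessions(EVENTS)[lid])
```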
47. Identify the system (image profile)
- docker run --rm -v $(pwd):/dumps:ro,Z -ti phocean/volatility -f /dumps/malware.mem imageinfo
48. List processes
- docker run --rm -v $(pwd):/dumps:ro,Z -ti phocean/volatility -f /dumps/malware.mem pslist
50. CREDITS: This presentation template was created
by Slidesgo, including icon by Flaticon, and
infographics & images from Freepik
Thanks
- 007seadog@gmail.com
- +886 920498225
- seadog007.me
- seadog007.work
Please keep this slide for attribution