Joint courses from Group-IB and Belkasoft: what we will teach and who will come

Algorithms and tactics for responding to information security incidents, trends in current cyber attacks, an approach to investigating data leaks in companies, examination of browsers and mobile devices, analysis of encrypted files, extraction of geolocation data and analysis of large volumes of data: all of this and more can be studied in the new joint courses from Group-IB and Belkasoft. In August we announced the first course, Belkasoft Digital Forensics, which starts on September 9, and since it drew many questions, we decided to describe in detail what students will learn and what knowledge, skills and bonuses (!) those who reach the end will receive. First things first.

Two in one

The idea of holding joint courses arose after participants in Group-IB courses started asking about a tool that would help them investigate computer incidents and compromised networks, and that combines the functionality of the various free utilities we recommend using during incident response.

In our opinion, such a tool can be Belkasoft Evidence Center (we already wrote about it in Igor Mikhailov's article "Key to the start: the best software and hardware for computer forensics"). Therefore, together with Belkasoft, we developed two training courses: Belkasoft Digital Forensics and Belkasoft Incident Response Examination.

IMPORTANT: The courses are sequential and interrelated! Belkasoft Digital Forensics is devoted to the Belkasoft Evidence Center program, and Belkasoft Incident Response Examination is devoted to investigating incidents using Belkasoft products. That is, before taking the Belkasoft Incident Response Examination course, we recommend completing the Belkasoft Digital Forensics course. If you start straight away with the incident investigation course, you may have annoying gaps in your knowledge of using Belkasoft Evidence Center and of finding and examining forensic artifacts. As a result, during the Belkasoft Incident Response Examination course the student either will not have time to master the material, or will hold back the rest of the group, because class time will be spent by the instructor explaining material from the Belkasoft Digital Forensics course.

Computer forensics with Belkasoft Evidence Center

The goal of the Belkasoft Digital Forensics course is to introduce students to the Belkasoft Evidence Center program and teach them to use it to collect evidence from various sources (cloud storage, random access memory (RAM), mobile devices, storage media such as hard drives and flash drives), and to master basic forensic techniques and methods: the examination of Windows artifacts, mobile devices and RAM dumps. You will also learn to identify and document artifacts of browsers and instant messaging programs, create forensic copies of data from various sources, extract geolocation data and search for text sequences (keyword search), use hashes during examination, analyze the Windows registry, examine unknown SQLite databases, examine graphic and video files, and apply the analytical techniques used in investigations.

The course will be useful to computer forensics specialists; specialists who determine the causes of successful intrusions and analyze the chain of events and the consequences of cyber attacks; specialists who identify and document data theft (exfiltration) by insiders; e-Discovery specialists; SOC and CERT/CSIRT staff; information security officers; and computer forensics enthusiasts.

Course plan:

  • Belkasoft Evidence Center (BEC): first steps
  • Creating and processing cases in BEC
  • Collecting digital evidence for forensic examination with BEC
  • Using filters
  • Creating reports
  • Examining instant messaging programs
  • Examining web browsers
  • Examining mobile devices
  • Extracting geolocation data
  • Searching for text sequences in a case
  • Extracting and analyzing data from cloud storage
  • Using bookmarks to mark significant evidence found during examination
  • Examining Windows system files
  • Windows registry analysis
  • Analysis of SQLite databases
  • Data recovery techniques
  • Techniques for examining RAM dumps
  • Using the hash calculator and hash analysis in forensic examination
  • Analysis of encrypted files
  • Techniques for examining graphic and video files
  • Using analytical techniques in forensic examination
  • Automating routine actions with the built-in Belkascripts programming language
  • Practical exercises

Course: Belkasoft Incident Response Examination

The goal of the course is to learn the basics of forensic investigation of cyber attacks and how Belkasoft Evidence Center can be used in such investigations. You will learn the main vectors of modern attacks on computer networks, learn to classify computer attacks using the MITRE ATT&CK matrix, apply forensic examination algorithms to establish the fact of compromise and reconstruct the attackers' actions, learn where to find the artifacts that show which files were opened last, where the operating system stores information about how executable files were downloaded and launched, and how the attackers moved across the network, and learn to examine these artifacts using BEC. You will also learn which events in system logs are of interest from the point of view of incident investigation and detection of remote access, and how to analyze them using BEC.

The course will be useful to specialists who determine the causes of successful intrusions and analyze the chain of events and the consequences of cyber attacks; system administrators; SOC and CERT/CSIRT staff; and information security officers.

Methodology

The Cyber Kill Chain describes the main stages of any technical attack on a victim's computer (or computer network).
The work of SOC staff (CERT, information security, and so on) is aimed at preventing intruders from gaining access to protected information resources.

If the attackers nevertheless get into the protected infrastructure, these same people have to minimize the damage from the attackers' activity, determine how the attack was carried out, reconstruct the events and the sequence of the attackers' actions in the compromised infrastructure, and take measures to prevent this type of attack in the future.

A compromised infrastructure contains several kinds of traces that indicate the network (or computer) has been compromised, and all of them can be located with Belkasoft Evidence Center.

BEC has an "Incident Investigation" module: when a storage medium is analyzed, it gathers the artifacts that can help the investigator with the incident investigation.

BEC supports analysis of the main Windows artifacts that show that executable files were run on the system under examination, including Amcache, UserAssist, Prefetch, BAM/DAM records, the Windows 10 Timeline, and analysis of system events.

Artifacts that record user activity on a compromised system, including information about the launch of executable files, are presented in BEC in the form shown in the following screenshot.

Screenshot: information about the launch of the file 'RDPWInst.exe'.
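UserAssist, one of the execution artifacts listed above, records per user which programs were launched through Explorer, how many times, and when. The following Python script is an added example, not code from the article or from Belkasoft: it decodes such values the way a forensic tool does, given that the value name is ROT13-encoded and that, on Windows 7 and later, the 72-byte value keeps the run count at offset 4 and the last-run FILETIME at offset 60. The registry entries it decodes are constructed inside the script (the path C:\Users\admin\Downloads\RDPWInst.exe, the counts and the timestamps are made up; the GUID prefix on the second entry is the known-folder form UserAssist uses for programs in system locations).

```python
r"""Decode Windows UserAssist values, which record per-user program launches.

Added example, not code from the article or from Belkasoft. Assumes the
Windows 7+ layout of the 72-byte value (run count at offset 4, focus count at 8,
focus time in ms at 12, last-run FILETIME at 60) and ROT13-encoded value names
under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count.
The entries decoded below are constructed, not real registry data.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
USERASSIST_LEN = 72  # Windows 7 and later; Windows XP used 16-byte values


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, in integer arithmetic (no float rounding)."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist(value_name: str, data: bytes) -> dict:
    """Decode one registry value: un-ROT13 the name, unpack counters and last run."""
    if len(data) != USERASSIST_LEN:
        raise ValueError(f"expected {USERASSIST_LEN}-byte value, got {len(data)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "name": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        # A zero FILETIME means no last-run time was recorded.
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def decode_all(entries) -> list:
    """Decode (value_name, data) pairs; most recently run first, undated entries last."""
    rows = [decode_userassist(name, data) for name, data in entries]
    dated = sorted((r for r in rows if r["last_run"]), key=lambda r: r["last_run"], reverse=True)
    return dated + [r for r in rows if not r["last_run"]]


def build_value(plain_name: str, run_count: int, focus_count: int, focus_ms: int, last_run):
    """Construct a value as Windows would store it (demo input only, not real data)."""
    data = struct.pack("<IIII", 0, run_count, focus_count, focus_ms)  # offsets 0..16
    data += b"\x00" * 44                                              # floats + unknown, 16..60
    data += struct.pack("<Q", datetime_to_filetime(last_run) if last_run else 0)
    data += b"\x00" * 4                                               # trailing bytes, 68..72
    return codecs.encode(plain_name, "rot_13"), data


# Constructed entries: the paths, counts and times are made up for the example.
# The GUID prefix is the known-folder form UserAssist uses for system locations.
SAMPLE_ENTRIES = [
    build_value(r"C:\Users\admin\Downloads\RDPWInst.exe", 3, 1, 4200,
                datetime(2019, 9, 9, 10, 0, tzinfo=timezone.utc)),
    build_value(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\calc.exe", 12, 12, 90000,
                datetime(2019, 9, 1, 8, 30, tzinfo=timezone.utc)),
    build_value(r"C:\Tools\never-run.exe", 0, 0, 0, None),
]


def decode_sample() -> list:
    return decode_all(SAMPLE_ENTRIES)


if __name__ == "__main__":
    for row in decode_sample():
        when = row["last_run"].isoformat() if row["last_run"] else "no timestamp"
        print(f"{when:25}  runs={row['run_count']:<3}  {row['name']}")
```

The length check matters in practice: a 16-byte value comes from a Windows XP profile and carries only a session ID, a run count and a FILETIME at offset 8, so the offsets above would misread it. The last-run time is the timestamp an examiner correlates with Prefetch and Amcache entries for the same executable.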

Information about the attackers' persistence on compromised systems can be found in Windows registry autorun keys, services, scheduled tasks, logon scripts, WMI subscriptions, and so on. Examples of detecting attacker persistence on a system are shown in the following screenshots.

Screenshot: attacker persistence through a scheduled task that runs a PowerShell script.

Screenshot: attacker persistence through Windows Management Instrumentation (WMI).

Screenshot: attacker persistence through a logon script.
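For the scheduled-task case in the first screenshot, what an examiner ends up reading is the task's XML definition (stored under C:\Windows\System32\Tasks and mirrored in the TaskCache registry tree). The following Python script is an added example, not code from the article or from Belkasoft: it parses a task definition, lists its triggers, principal run level and actions, and flags the traits typical of PowerShell-based persistence, including decoding a -EncodedCommand payload. Both task definitions in it are constructed (the author CORP\jdoe, the update.ps1 payload and the agent.exe path are hypothetical), and the interpreter list and argument patterns are this example's own heuristics, not a complete detection rule.

```python
r"""Triage a Windows scheduled-task XML definition for persistence indicators.

Added example, not code from the article or from Belkasoft. Task definitions are
stored as XML files under C:\Windows\System32\Tasks (mirrored in the registry under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache). The two
definitions below are constructed; the interpreter list and argument patterns are
this example's own heuristics, not a complete detection rule.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Interpreters and proxy-execution binaries that deserve a second look in a task action.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def _basename(command: str) -> str:
    return command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(arguments: str):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text); None if the
    switch is absent; "" if it is present but the payload does not decode."""
    tokens = arguments.split()
    for i, tok in enumerate(tokens[:-1]):
        switch = tok.lstrip("-/").lower()
        # powershell.exe accepts -e, -ec and any 2+ letter prefix of -EncodedCommand
        if switch in ("e", "ec") or (len(switch) >= 2 and "encodedcommand".startswith(switch)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return ""
    return None


def analyze_task(xml_text) -> dict:
    """Summarise triggers, principal, actions and suspicious traits of one task."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", NS)
    result = {
        "author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS),
        "triggers": [] if trig is None else [el.tag.rsplit("}", 1)[-1] for el in trig],
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS),
        "hidden": root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true",
        "actions": [],
        "findings": [],
    }
    if result["hidden"]:
        result["findings"].append("task is marked hidden")
    if result["run_level"] == "HighestAvailable":
        result["findings"].append("task requests highest available privileges")
    for ex in root.findall("t:Actions/t:Exec", NS):
        command = ex.findtext("t:Command", default="", namespaces=NS)
        arguments = ex.findtext("t:Arguments", default="", namespaces=NS)
        exe = _basename(command)
        decoded = decode_encoded_command(arguments) if exe in ("powershell.exe", "pwsh.exe") else None
        result["actions"].append({"command": command, "arguments": arguments, "decoded_command": decoded})
        if exe in LOLBINS:
            result["findings"].append(f"action runs {exe}")
        if decoded:
            result["findings"].append("PowerShell -EncodedCommand payload: " + decoded)
        elif decoded == "":
            result["findings"].append("PowerShell -EncodedCommand present but not decodable")
        low = arguments.lower()
        if re.search(r"-w(indowstyle)?\s+hidden", low):
            result["findings"].append("hidden PowerShell window")
        if re.search(r"-e(p|x\w*)\s+bypass", low):
            result["findings"].append("execution policy bypass")
    return result


def analyze_task_file(path: str) -> dict:
    """Real task files are UTF-16 with an XML declaration: pass bytes so expat honours it."""
    with open(path, "rb") as fh:
        return analyze_task(fh.read())


# Constructed task definitions (author, payload path and agent path are hypothetical).
_PAYLOAD = r"& 'C:\ProgramData\update.ps1'"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")
SUSPICIOUS_TASK = rf"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\jdoe</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-NoP -W Hidden -ExecutionPolicy Bypass -Enc {_ENCODED}</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>IT Operations</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2019-09-09T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Vendor\agent.exe</Command><Arguments>--sync</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        r = analyze_task(xml)
        print(label, r["triggers"], r["findings"] or ["no findings"])
```

A logon trigger, a hidden task, "highest available" privileges and an encoded, hidden-window PowerShell command are each unremarkable on their own; it is the combination in one task, together with the author and registration time, that an examiner weighs. The decoded payload is what should then be followed up on disk and in the PowerShell operational log.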

The attackers' movement across the compromised network can be detected, for example, by analyzing Windows system logs (when the attackers use RDP).

Screenshot: information about detected RDP connections.

Screenshot: information about the attackers' movement across the network.
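To show what this RDP-based reconstruction looks like in practice, the following Python script is an added example, not code from the article or from Belkasoft. It takes event records from several hosts (constructed here, in the dict form an EVTX parser or log exporter would produce; the hosts WS01, SRV01 and DC01, their IPs and the user jdoe are made up), keeps only the events Windows writes for RDP logons (Security 4624 with LogonType 10, TerminalServices-LocalSessionManager/Operational 21 and 25, TerminalServices-RemoteConnectionManager/Operational 1149), and orders them into a timeline and a chain of source-to-target hops.

```python
"""Reconstruct RDP lateral movement from Windows event records of several hosts.

Added example, not code from the article or from Belkasoft. It relies on the
events Windows writes for RDP logons: Security 4624 with LogonType 10
(RemoteInteractive), TerminalServices-LocalSessionManager/Operational 21 (session
logon) and 25 (session reconnect), and
TerminalServices-RemoteConnectionManager/Operational 1149 (NLA authentication
succeeded). The records, hosts, IPs and user below are constructed, already parsed
into dicts as an EVTX parser or log exporter would produce them.
"""
from datetime import datetime

SECURITY = "Security"
LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

# Constructed inventory used to turn a source IP into a host name.
HOST_BY_IP = {"10.0.0.11": "WS01", "10.0.0.20": "SRV01", "10.0.0.30": "DC01"}


def normalize_ip(addr):
    """Drop placeholders and the IPv4-mapped IPv6 prefix that 4624 often carries."""
    if not addr or addr.strip() in ("-", "LOCAL"):
        return None
    addr = addr.strip()
    return addr[7:] if addr.startswith("::ffff:") else addr


def normalize_user(user):
    """'CORP\\jdoe' and 'jdoe' refer to the same account for this purpose."""
    return (user or "").rsplit("\\", 1)[-1].lower()


def rdp_session(rec):
    """Map one record to an RDP session fact, or None if it is not RDP evidence."""
    channel, event_id, d = rec["channel"], rec["event_id"], rec["data"]
    if channel == SECURITY and event_id == 4624 and d.get("LogonType") == "10":
        user, src, how = d.get("TargetUserName"), d.get("IpAddress"), "Security 4624 LogonType 10"
    elif channel == LSM and event_id in (21, 25):
        user, src, how = d.get("User"), d.get("Address"), f"LSM {event_id}"
    elif channel == RCM and event_id == 1149:
        user, src, how = d.get("Param1"), d.get("Param3"), "RCM 1149"
    else:
        return None  # includes 4624 LogonType 3 (network logon), which is not RDP
    src = normalize_ip(src)
    if src is None:  # console session or missing address
        return None
    return {"time": datetime.fromisoformat(rec["time"]), "host": rec["host"],
            "user": normalize_user(user), "source_ip": src,
            "source_host": HOST_BY_IP.get(src, src), "evidence": how}


def rdp_timeline(records):
    """All RDP session facts from all hosts, in chronological order."""
    facts = [f for f in map(rdp_session, records) if f is not None]
    facts.sort(key=lambda f: f["time"])
    return facts


def pivot_edges(timeline):
    """Unique (source host -> target host) hops, in the order they first occur."""
    edges = []
    for f in timeline:
        edge = (f["source_host"], f["host"])
        if edge[0] != edge[1] and edge not in edges:
            edges.append(edge)
    return edges


# Constructed records: one initial RDP entry from an unknown address, then hops.
SAMPLE_RECORDS = [
    {"host": "WS01", "channel": SECURITY, "event_id": 4624, "time": "2019-09-09T10:05:12",
     "data": {"LogonType": "10", "TargetUserName": "jdoe", "IpAddress": "::ffff:10.0.0.50"}},
    {"host": "SRV01", "channel": SECURITY, "event_id": 4624, "time": "2019-09-09T10:20:01",
     "data": {"LogonType": "3", "TargetUserName": "jdoe", "IpAddress": "10.0.0.11"}},
    {"host": "SRV01", "channel": LSM, "event_id": 21, "time": "2019-09-09T10:21:40",
     "data": {"User": "CORP\\jdoe", "Address": "10.0.0.11"}},
    {"host": "DC01", "channel": RCM, "event_id": 1149, "time": "2019-09-09T10:47:03",
     "data": {"Param1": "jdoe", "Param2": "CORP", "Param3": "10.0.0.20"}},
    {"host": "DC01", "channel": LSM, "event_id": 25, "time": "2019-09-09T11:30:55",
     "data": {"User": "CORP\\jdoe", "Address": "10.0.0.20"}},
    {"host": "DC01", "channel": LSM, "event_id": 21, "time": "2019-09-09T09:00:00",
     "data": {"User": "CORP\\svc_backup", "Address": "LOCAL"}},  # console session
]

if __name__ == "__main__":
    timeline = rdp_timeline(SAMPLE_RECORDS)
    for f in timeline:
        print(f"{f['time']}  {f['source_host']:>10} -> {f['host']:<6} {f['user']:<8} {f['evidence']}")
    print("hops:", " -> ".join([pivot_edges(timeline)[0][0]] + [t for _, t in pivot_edges(timeline)]))
```

Two caveats shape the filtering. A Security 4624 with LogonType 3 is a network logon (SMB, WMI and similar) and is deliberately left out, and when NLA is enabled the same RDP session usually produces a LogonType 3 event shortly before the LogonType 10 one. Event 1149 only proves that NLA authentication succeeded; the LSM 21/25 and 4624 LogonType 10 events are the ones that show an interactive session actually started, so a 1149 with no matching 21 is worth noting rather than counting as a session.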

Thus, Belkasoft Evidence Center helps investigators identify the compromised computers in an attacked network and find traces of malware launches, of persistence on the system, of movement across the network, and other traces of the attackers' activity on the compromised computers.

How to locate and examine the artifacts described above is taught in the Belkasoft Incident Response Examination course.

Course plan:

  • Cyberattack trends. Attackers' techniques, tools and goals
  • Using threat models to understand attackers' tactics, techniques and procedures
  • Cyber kill chain
  • Incident response algorithm: identification, containment, creating indicators, searching for newly infected hosts
  • Examining Windows systems with BEC
  • Detecting the methods of initial compromise, spread across the network, persistence, and malware network activity with BEC
  • Identifying infected systems and reconstructing the infection history with BEC
  • Practical exercises

FAQ

Where are the courses held?
The courses are held at Group-IB's head office or at an external site (a training center). The instructor can also travel to a corporate customer's premises.

Who teaches the courses?
Group-IB's instructors are practitioners with many years of experience in forensic examinations who take part in investigating and responding to information security incidents.

The instructors' qualifications are confirmed by numerous international certifications: GCFA, MCFE, ACE, EnCE, and others.

Our instructors easily find a common language with the audience and explain even the most complex topics clearly. Students will learn a great deal of relevant and interesting material about investigating computer incidents and about methods of detecting and countering computer attacks, and will gain practical knowledge they can apply immediately after finishing the course.

Do the courses teach skills that are not tied to Belkasoft products, or will these skills be unusable without this software?
The skills acquired during the training are useful without Belkasoft products as well.

What does the entry test cover?

The entry test checks knowledge of the basics of computer forensics. There are no plans to test knowledge of Belkasoft or Group-IB products.

Where can I find information about the company's training courses?

As part of its training courses, Group-IB trains incident response specialists, malware analysts, cyber intelligence (Threat Intelligence) specialists, specialists for work in a Security Operations Center (SOC), threat hunting specialists (Threat Hunter), and others. The full list of Group-IB's own courses is available here.

What bonuses do students who complete the joint Group-IB and Belkasoft courses receive?
Those who complete training in the joint Group-IB and Belkasoft courses will receive:

  1. a certificate of completion;
  2. a free one-month subscription to Belkasoft Evidence Center;
  3. a 10% discount on the purchase of Belkasoft Evidence Center.

We remind you that the first course starts on Monday, September 9. Don't miss the chance to gain unique knowledge in information security, computer forensics and incident response! Registration for the course is here.

Sources: in preparing this article we used Oleg Skulkin's presentation "Using host-based forensics to obtain indicators of compromise for successful intelligence-driven incident response".

Source: www.hab.com
