Group-IB and Belkasoft training courses: what we will teach and who should attend

Algorithms and methods for responding to information security incidents, current cyberattack trends, approaches to investigating data leaks in companies, examination of browsers and mobile devices, analysis of encrypted files, extraction of geolocation data and analysis of large volumes of data: these and other topics can be studied in the new joint training courses from Group-IB and Belkasoft. In August we announced the first Belkasoft Digital Forensics course, which starts on September 9, and, having received a large number of questions, we decided to describe in more detail what students will learn and what knowledge, competences and bonuses (!) those who complete the course will receive. First things first.

Two in one

The idea of running joint training courses arose when participants in Group-IB courses began asking about a tool that would help them investigate compromised computer systems and networks and that would combine the functionality of the various free utilities we recommend using during incident response.

In our opinion, such a tool could be Belkasoft Evidence Center (we already wrote about it in Igor Mikhailov's article "Key to the start: the best software and hardware for computer forensics"). Therefore, together with Belkasoft, we have developed two training courses: Belkasoft Digital Forensics and Belkasoft Incident Response Examination.

IMPORTANT: the courses are sequential and interconnected! Belkasoft Digital Forensics is devoted to the Belkasoft Evidence Center program, while Belkasoft Incident Response Examination is devoted to investigating incidents using Belkasoft products. That is, before taking the Belkasoft Incident Response Examination course, we strongly recommend completing the Belkasoft Digital Forensics course. If you start directly with the incident investigation course, the student may have annoying gaps in their knowledge of using Belkasoft Evidence Center and of finding and examining forensic artifacts. This can lead to a situation where, during the Belkasoft Incident Response Examination course, the student either does not have time to master the material, or slows down the rest of the group in acquiring new knowledge, since the instructor would have to spend training time explaining material from the Belkasoft Digital Forensics course.

Computer forensics with Belkasoft Evidence Center

The purpose of the Belkasoft Digital Forensics course is to introduce students to the Belkasoft Evidence Center program and to teach them to use it to collect evidence from various sources (cloud storage, random access memory (RAM), mobile devices, storage media (hard drives, flash drives, etc.)), to master basic forensic techniques and methods, and to learn methods of forensic analysis of Windows artifacts, mobile devices and RAM dumps. You will also learn to identify and document artifacts of browsers and instant messaging programs, create copies of data from various sources, extract geolocation data and search for text sequences (keyword search), use hashes when conducting examinations, analyze the Windows registry, master the skills of examining unknown SQLite databases, learn the basics of examining graphic and video files, and apply analytical techniques used in investigations.

The course will be useful to experts specializing in computer-technical forensics (computer forensics); technical specialists who determine the causes of a successful intrusion and analyze the chain of events and the consequences of cyberattacks; technical specialists who identify and document data theft (leaks) by an insider (internal violator); e-Discovery specialists; SOC and CERT/CSIRT staff; information security officers; and computer forensics enthusiasts.

Course plan:

  • Belkasoft Evidence Center (BEC): first steps
  • Creating and processing cases in BEC
  • Collecting digital evidence for forensic examination with BEC
  • Using filters
  • Generating reports
  • Examining instant messaging programs
  • Examining web browsers
  • Examining mobile devices
  • Extracting geolocation data
  • Searching for text sequences in cases
  • Extracting and analyzing data from cloud storage
  • Using bookmarks to highlight important evidence found during an examination
  • Examining Windows system files
  • Windows registry analysis
  • Analysis of SQLite databases
  • Data recovery methods
  • Methods for examining RAM dumps
  • Using hash calculation and hash analysis in forensic examination
  • Analysis of encrypted files
  • Methods for examining graphic and video files
  • Using analytical techniques in forensic examination
  • Automating routine actions with the built-in Belkascripts programming language
  • Practical exercises

Course: Belkasoft Incident Response Examination

The purpose of this course is to learn the basics of forensic investigation of cyberattacks and the possibilities of using Belkasoft Evidence Center in an investigation. You will learn about the main vectors of modern attacks on computer networks, learn to classify computer attacks based on the MITRE ATT&CK matrix, apply investigation algorithms to establish the fact of a compromise and reconstruct the attackers' actions, learn where the artifacts are located that indicate which files were opened last, where the operating system stores information about how executable files were downloaded and run, and how attackers moved across the network, and learn how to examine these artifacts using BEC. You will also learn which events in the system logs are of interest from the point of view of incident investigation and remote access detection, and learn how to analyze them using BEC.

The course will be useful to technical specialists who determine the causes of a successful intrusion and analyze the chain of events and the consequences of cyberattacks; system administrators; SOC and CERT/CSIRT staff; and information security officers.

Course overview

The Cyber Kill Chain describes the main stages of any technical attack on the victim's computer (or computer network) as follows:

(Figure: the stages of the Cyber Kill Chain)

The actions of SOC staff (CERT, information security, etc.) are aimed at preventing intruders from gaining access to protected information resources.

If attackers nevertheless penetrate the protected infrastructure, the people mentioned above should try to minimize the damage from the attackers' activity, determine how the attack was carried out, reconstruct the events and the sequence of the attackers' actions in the compromised information infrastructure, and take measures to prevent this type of attack in the future.

The following types of traces can be found in a compromised information infrastructure, indicating that the network (computer) has been compromised:

(Figure: types of traces of a compromise)

All of these types of traces can be found using Belkasoft Evidence Center.

BEC has an "Incident Investigation" module in which, when storage media are analyzed, information about artifacts that can help the investigator during an incident investigation is collected.

BEC supports examination of the main types of Windows artifacts that indicate the execution of files on the system under investigation, including Amcache, UserAssist, Prefetch, BAM/DAM, the Windows 10 Timeline, and analysis of the system event logs.

Information about traces containing data on user activity in the compromised system can be extracted in the following form:

(Screenshot: user activity traces extracted by BEC)

This information includes, among other things, information about executable files being run:

(Screenshot) Information about the execution of the file 'RDPWinst.exe'.

Information about the attackers' persistence in the compromised system can be found in Windows registry autorun keys, services, scheduled tasks, logon scripts, WMI, etc. Examples of detecting information about attackers gaining persistence in the system can be seen in the following screenshots:

(Screenshot) Attackers gaining persistence using the Task Scheduler by creating a task that runs a PowerShell script.

(Screenshot) Attackers gaining persistence using Windows Management Instrumentation (WMI).

(Screenshot) Attackers gaining persistence using logon scripts.

The movement of attackers across the compromised computer network can be detected, for example, by analyzing the Windows system logs (if the attackers use the RDP service).

(Screenshot) Information about detected RDP connections.

(Screenshot) Information about the movement of attackers across the network.
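The RDP-connection analysis described above, as an added example that is not Belkasoft's or Group-IB's code: it reads a constructed export of Windows Security events (IDs 4624/4625, LogonType 10 for RDP logons) and lists, per source address, the hosts reached over RDP and any failed-then-successful logons worth a closer look.

```python
# Added example (not Belkasoft's or Group-IB's code): reconstruct RDP-based
# movement between hosts from exported Windows Security events. The records are
# constructed; fields mirror events 4624 (successful logon) and 4625 (failed
# logon), where LogonType 10 is a RemoteInteractive (RDP) logon.
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed sample export, one dict per event
    {"time": "2019-09-01T10:02:11", "host": "WS-01", "EventID": 4624, "LogonType": 2,
     "TargetUserName": "alice", "IpAddress": "-"},
    {"time": "2019-09-01T10:15:40", "host": "WS-01", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "admin", "IpAddress": "10.0.0.25"},
    {"time": "2019-09-01T10:16:03", "host": "SRV-FILE", "EventID": 4625, "LogonType": 10,
     "TargetUserName": "admin", "IpAddress": "10.0.0.25"},
    {"time": "2019-09-01T10:17:30", "host": "SRV-FILE", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "admin", "IpAddress": "10.0.0.25"},
    {"time": "2019-09-01T11:00:00", "host": "SRV-DC", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "admin", "IpAddress": "10.0.0.25"},
]

def rdp_logons(events, event_id=4624):
    """Return RDP (LogonType 10) events with the given ID, oldest first."""
    hits = [e for e in events if e["EventID"] == event_id and e["LogonType"] == 10]
    return sorted(hits, key=lambda e: e["time"])  # ISO timestamps sort as text

def pivot_chains(events):
    """Map each source address to the ordered (time, user, host) hops it made
    over RDP. One source reaching several hosts under one account is the
    pattern an analyst reviews as possible lateral movement."""
    chains = defaultdict(list)
    for e in rdp_logons(events):
        chains[e["IpAddress"]].append((e["time"], e["TargetUserName"], e["host"]))
    return dict(chains)

def failed_then_success(events):
    """(host, source, user) triples where a failed RDP logon preceded a
    successful one from the same source for the same account."""
    failures = {(e["host"], e["IpAddress"], e["TargetUserName"]): e["time"]
                for e in rdp_logons(events, 4625)}
    out = []
    for e in rdp_logons(events):
        key = (e["host"], e["IpAddress"], e["TargetUserName"])
        if key in failures and failures[key] < e["time"]:
            out.append(key)
    return out

if __name__ == "__main__":
    for src, hops in pivot_chains(SAMPLE_EVENTS).items():
        print(src, "->", " -> ".join(h for _, _, h in hops))
    print("failed-then-success:", failed_then_success(SAMPLE_EVENTS))
```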

Thus, Belkasoft Evidence Center can help investigators identify compromised computers in the attacked network, find traces of malware launch, persistence in the system and movement across the network, as well as other traces of attacker activity on compromised computers.

How to conduct such an examination and detect the artifacts described above is explained in the Belkasoft Incident Response Examination training course.

Course plan:

  • Cyberattack trends. Technologies, tools and goals of attackers
  • Using threat models to understand attacker tactics, techniques and procedures
  • Cyber Kill Chain
  • Incident response algorithm: identification, containment, generation of indicators, search for newly infected hosts
  • Analysis of Windows systems using BEC
  • Detecting methods of initial infection, network propagation, persistence and network activity of malware using BEC
  • Identifying infected systems and reconstructing the infection history using BEC
  • Practical exercises

FAQ

Where are the courses held?
The courses are held at Group-IB's head office or at an external site (training center). The trainer can also travel to a corporate customer's site.

Who teaches the classes?
Group-IB trainers are practitioners with many years of experience in forensic examination, corporate investigations and information security incident response.

The trainers' qualifications are confirmed by numerous international certifications: GCFA, MCFE, ACE, EnCE, etc.

Our trainers easily find a common language with their audience and explain even the most complex topics clearly. Students will learn a great deal of relevant and interesting information about investigating computer incidents and about methods of detecting and countering computer attacks, and will gain real practical knowledge that they can apply immediately after completing the course.

Will the course provide useful skills that do not depend on Belkasoft products, or will these skills be inapplicable without this software?
The skills acquired during the training will be useful even without Belkasoft products.

What is included in the entrance test?

The entrance test checks knowledge of the basics of computer forensics. There are no plans to test knowledge of Belkasoft or Group-IB products.

Where can I find information about the company's training courses?

As part of its training courses, Group-IB trains specialists in incident response and malware analysis, cyber threat intelligence specialists (Threat Intelligence), specialists for work in a Security Operation Center (SOC), threat hunting specialists (Threat Hunter), etc. A full list of Group-IB's own courses is available here.

What bonuses do students who complete the joint Group-IB and Belkasoft courses receive?
Those who complete training in the joint Group-IB and Belkasoft courses will receive:

  1. a certificate of course completion;
  2. a monthly subscription to Belkasoft Evidence Center;
  3. a 10% discount on the purchase of Belkasoft Evidence Center.

We remind you that the first course starts on Monday, September 9; don't miss the chance to gain unique knowledge in information security, computer forensics and incident response! Register for the course here.

Sources

In preparing this article, we used Oleg Skulkin's presentation "Using host-based forensics to obtain indicators of compromise for successful intelligence-driven incident response".

Source: www.habr.com
