Joint Group-IB and Belkasoft courses: what we will teach and who should attend

Algorithms and techniques for responding to information security incidents, the tactics of current cyber attacks, methods for investigating data leaks in companies, the examination of browsers and mobile devices, the analysis of encrypted files, the extraction of geolocation data and the analysis of large volumes of data: all of this and other topics can be studied in the new joint courses from Group-IB and Belkasoft. In August we announced the first Belkasoft Digital Forensics course, which starts on September 9, and since we have received a large number of questions, we decided to describe in more detail what the students will learn and what knowledge, skills and bonuses (!) they will receive at the end. First things first.

Two in one

The idea of holding joint training courses arose after participants in Group-IB courses began asking about a tool that would help them examine compromised computer systems and networks and that would combine the functionality of the various free utilities we recommend using during incident response.

In our view, such a tool could be Belkasoft Evidence Center (we have already written about it in Igor Mikhailov's article "Key to start: the best software and hardware for computer forensics"). Therefore, together with Belkasoft, we developed two training courses: Belkasoft Digital Forensics and Belkasoft Incident Response Examination.

IMPORTANT: the courses are sequential and interconnected! Belkasoft Digital Forensics is devoted to the Belkasoft Evidence Center program, and Belkasoft Incident Response Examination is devoted to investigating incidents using Belkasoft products. In other words, before taking the Belkasoft Incident Response Examination course, we strongly recommend completing the Belkasoft Digital Forensics course. If you start straight away with the incident investigation course, you may have annoying gaps in your knowledge of how to use Belkasoft Evidence Center and how to find and examine forensic artifacts. As a result, during the Belkasoft Incident Response Examination course such a student either has no time to master the material or holds back the whole group in acquiring new knowledge, because the training time is spent by the instructor explaining material from the Belkasoft Digital Forensics course.

Computer forensics with Belkasoft Evidence Center

The goal of the Belkasoft Digital Forensics course is to introduce students to the Belkasoft Evidence Center program, to teach them to use it to collect evidence from various sources (cloud storage, random access memory (RAM), mobile devices, storage media (hard drives, flash drives, etc.)), and to master basic forensic techniques and methods: approaches to the forensic examination of Windows artifacts, mobile devices and RAM dumps. You will also learn to identify and document browser and instant-messaging artifacts, create forensic copies of data from various sources, extract geolocation data and search for character sequences (keyword search), use hashes during examinations, analyse the Windows registry, examine unknown SQLite databases, and master the basics of examining graphic and video files and the analytical techniques used in investigations.

The course will be useful to specialists in the field of computer technical forensics (computer forensics); technical specialists who determine the causes of a successful intrusion and analyse the chain of events and the consequences of a cyber attack; technical specialists who detect and document data theft (leaks) by an insider (internal violator); e-Discovery specialists; SOC and CERT/CSIRT staff; information security staff; and computer forensics enthusiasts.

Course program:

  • Belkasoft Evidence Center (BEC): first steps
  • Creating and processing a case in BEC
  • Collecting digital evidence for an investigation with BEC
  • Using filters
  • Creating reports
  • Examining instant messaging programs
  • Examining web browsers
  • Examining mobile devices
  • Extracting geolocation data
  • Searching for character sequences in a case
  • Extracting and analysing data from cloud storage
  • Using bookmarks to highlight significant evidence found during the examination
  • Examining Windows system files
  • Windows registry analysis
  • Analysing SQLite databases
  • Data recovery methods
  • Techniques for examining RAM dumps
  • Using the hash calculator and hash analysis in forensic examinations
  • Analysing encrypted files
  • Methods for examining graphic and video files
  • Applying analytical techniques in forensic examinations
  • Automating routine actions with the built-in Belkascripts programming language
  • Practical exercises

Course: Belkasoft Incident Response Examination

The goal of this course is to learn the basics of the forensic investigation of cyber attacks and the possibilities of using Belkasoft Evidence Center in such an investigation. You will learn about the main vectors of modern attacks on computer networks, learn to classify computer attacks using the MITRE ATT&CK matrix, apply forensic examination algorithms to establish the fact of compromise and reconstruct the attackers' actions, learn where the artifacts are that show which files were opened last, where the operating system stores information about how executable files were downloaded and run and how attackers moved across the network, and learn how to examine these artifacts with BEC. You will also learn which events in the system logs are of interest from the standpoint of incident investigation and of establishing remote access, and how to examine them with BEC.

The course will be useful to technical specialists who determine the causes of a successful intrusion and analyse chains of events and the consequences of cyber attacks; system administrators; SOC and CERT/CSIRT staff; and information security staff.

Course Overview

The Cyber Kill Chain describes the main stages of a technical attack on the victim's computers (or computer network) as follows:
[Figure: the stages of the Cyber Kill Chain]
The actions of SOC staff (CERT, information security, etc.) are aimed at preventing intruders from gaining access to protected information resources.

If attackers have nonetheless penetrated the protected infrastructure, the above-mentioned staff must try to minimise the damage from the attackers' activity, determine how the attack was carried out, reconstruct the events and the sequence of the attackers' actions in the compromised information system, and take measures to prevent this type of attack in the future.

The following types of traces indicating that the network (computer) has been compromised can be found in a compromised information system:

[Figure: types of compromise traces]
All such traces can be found using the Belkasoft Evidence Center program.

BEC has an "Incident Investigation" module in which, when storage media are analysed, information about artifacts that can help an examiner investigating an incident is collected.

[Screenshot: the Incident Investigation module in BEC]
BEC supports the analysis of the main types of Windows artifacts that indicate the execution of files on the system under examination, including Amcache, UserAssist, Prefetch, BAM/DAM, Windows 10 Timeline, and the analysis of system events.

Information about traces of user actions in the compromised system may be presented in the following form:

[Screenshot: user activity traces shown in BEC]
Among other things, this information includes information about the execution of executable files:

[Screenshot: information about the execution of the file 'RDPWInst.exe'.]
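One of the execution artifacts listed above, UserAssist, can be examined without any special tooling once its encoding is known. The following Python example is added here to show what BEC does for you under the hood; it is not code from the article or from Belkasoft. It assumes the Windows 7 and later value layout (ROT13-encoded value name; a 72-byte blob with the run count at offset 4, the focus count at offset 8, the focus time in milliseconds at offset 12 and the last-execution FILETIME at offset 60); the registry entries it decodes are constructed fixtures built by the helper in the block, with invented paths, counts and times.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to an aware UTC datetime; 0 means 'never run'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build the fixtures."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist(value_name, data):
    """Decode one UserAssist value using the Windows 7+ layout (an assumption of
    this example): ROT13 name; run count at offset 4, focus count at 8,
    focus time (ms) at 12, last-run FILETIME at 60 of a 72-byte blob."""
    if len(data) < 68:
        raise ValueError("UserAssist data too short for the Windows 7+ layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run = struct.unpack_from("<Q", data, 60)[0]
    return {
        "path": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_run),
    }


def make_userassist_blob(run_count, focus_count, focus_ms, last_run):
    """Build a 72-byte blob in the same layout (constructed fixture, not real registry data)."""
    blob = bytearray(72)
    struct.pack_into("<III", blob, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", blob, 60, datetime_to_filetime(last_run))
    return bytes(blob)


# Constructed sample entries echoing the RDPWInst.exe trace in the screenshot
# above. Paths, counts and timestamps are invented for this example.
SAMPLE_ENTRIES = [
    (codecs.encode(r"C:\Users\alice\Downloads\RDPWInst.exe", "rot_13"),
     make_userassist_blob(3, 2, 4500, datetime(2019, 8, 20, 14, 3, 17, tzinfo=timezone.utc))),
    (codecs.encode("Microsoft.Windows.Explorer", "rot_13"),
     make_userassist_blob(120, 95, 3_600_000, datetime(2019, 8, 21, 9, 12, 0, tzinfo=timezone.utc))),
    (codecs.encode(r"C:\Windows\System32\notepad.exe", "rot_13"),
     make_userassist_blob(0, 0, 0, FILETIME_EPOCH)),  # FILETIME 0: never run
]


def execution_summary(entries):
    """Return (path, run_count, last_run) tuples, most recently executed first;
    entries without a timestamp sort last."""
    decoded = [decode_userassist(name, data) for name, data in entries]
    decoded.sort(key=lambda e: e["last_run"] or FILETIME_EPOCH, reverse=True)
    return [(e["path"], e["run_count"], e["last_run"]) for e in decoded]


if __name__ == "__main__":
    for path, count, when in execution_summary(SAMPLE_ENTRIES):
        stamp = when.isoformat() if when else "never"
        print(f"{stamp:25}  runs={count:<4} {path}")
```

On a real system the value names and blobs come from NTUSER.DAT under the UserAssist\{GUID}\Count subkeys; the decoding itself does not change, which is why a tool-independent understanding of the layout is useful for verifying what a forensic product reports.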

Information about the attackers' persistence on compromised systems can be found in Windows registry run keys, services, scheduled tasks, logon scripts, WMI, and so on. Examples of detecting traces of attackers persisting on the system can be seen in the following screenshots:

[Screenshot: attackers' persistence using the Task Scheduler, by creating a task that runs a PowerShell script.]

[Screenshot: attackers' persistence using Windows Management Instrumentation (WMI).]

[Screenshot: attackers' persistence using a logon script.]
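The scheduled-task case from the first screenshot can be triaged directly from the task definition, because every task is stored as an XML file. The Python example below is an added illustration, not code from the article or from Belkasoft: it parses the Task Scheduler XML format (namespace http://schemas.microsoft.com/windows/2004/02/mit/task, the form exported by schtasks /query /xml and stored under C:\Windows\System32\Tasks) and reports why a task deserves an analyst's attention. The two task definitions are constructed for the example, the suspicious-argument list is this example's own heuristic, and the encoded-command value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML (schtasks /query /xml output and the files
# under C:\Windows\System32\Tasks).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Lower-cased argument fragments frequently seen in PowerShell-based
# persistence (heuristic chosen for this example).
SUSPICIOUS_ARGS = (
    "-encodedcommand", "-enc ", "-windowstyle hidden", "-w hidden",
    "-executionpolicy bypass", "-ep bypass", "-noprofile",
    "iex ", "downloadstring", "frombase64string",
)
# Directories an unprivileged user can write to; Windows' own tasks rarely
# run payloads from them.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
STARTUP_TRIGGERS = {"BootTrigger", "LogonTrigger"}


def parse_task(xml_text):
    """Pull out the fields an analyst checks first in a Task Scheduler XML file."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, TASK_NS)
        return (el.text or "").strip() if el is not None else ""

    triggers_el = root.find("t:Triggers", TASK_NS)
    triggers = [el.tag.split("}")[-1] for el in triggers_el] if triggers_el is not None else []
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "user": text("t:Principals/t:Principal/t:UserId"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
        "triggers": triggers,
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
    }


def assess_task(task):
    """Return the reasons a task deserves analyst attention; empty list if none."""
    reasons = []
    cmd = task["command"].lower()
    args = task["arguments"].lower()
    if "powershell" in cmd or "pwsh" in cmd:
        hits = [p.strip() for p in SUSPICIOUS_ARGS if p in args]
        if hits:
            reasons.append("powershell launched with " + ", ".join(hits))
    if any(h in cmd or h in args for h in USER_WRITABLE_HINTS):
        reasons.append("payload located in a user-writable directory")
    if task["hidden"]:
        reasons.append("task is marked hidden")
    # Boot/logon triggers with SYSTEM or elevated rights are normal for
    # Windows' own tasks, so report them only when something else already hit.
    elevated = task["user"] == "S-1-5-18" or task["run_level"] == "HighestAvailable"
    if reasons and elevated and STARTUP_TRIGGERS.intersection(task["triggers"]):
        reasons.append("runs at boot/logon with elevated rights")
    return reasons


# Constructed task mimicking the persistence pattern from the screenshot above.
# The -EncodedCommand value is a placeholder, not a real payload.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WORKSTATION\\alice</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
    <Arguments>-NoProfile -WindowStyle Hidden -EncodedCommand QUFBQUFBQUFBQUFB</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign task for comparison.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\cleanmgr.exe</Command><Arguments>/autoclean</Arguments></Exec></Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        task = parse_task(xml_text)
        print(f"{label}: {task['command']} {task['arguments'][:40]}")
        for reason in assess_task(task) or ["no findings"]:
            print("  -", reason)
```

Services, WMI subscriptions and logon scripts need their own parsers, but the review logic is the same: extract what runs, when it runs and as whom, then compare against what a legitimate entry of that kind looks like.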

The movement of attackers across a compromised computer network can be detected, for example, by analysing Windows system logs (if the attackers use the RDP service).

[Screenshot: information about detected RDP connections.]

[Screenshot: information about the attackers' movement across the network.]
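To show what lies behind the "movement across the network" view, here is an added Python example (not code from the article or from Belkasoft) that reconstructs RDP hops from event-log records. It relies on two documented Windows event sources: Security event 4624 with logon type 10 (RemoteInteractive) and Microsoft-Windows-TerminalServices-LocalSessionManager event 21 (session logon succeeded). The event records, the host inventory used to resolve source addresses, and all names, addresses and times are constructed for the example; the record field names are this example's own simplified shape, not any product's schema.

```python
from datetime import datetime, timedelta

# Constructed event records in the shape a SIEM or event-log parser might
# yield. Security 4624 with logon type 10 (RemoteInteractive) and
# TerminalServices-LocalSessionManager event 21 (session logon succeeded)
# both mark an RDP logon. Hosts, users, addresses and times are invented.
SAMPLE_EVENTS = [
    {"time": "2019-08-20T14:05:02", "host": "WS-ALICE", "channel": "Security",
     "event_id": 4624, "logon_type": 10, "user": "alice", "source_ip": "10.0.5.17"},
    {"time": "2019-08-20T14:31:40", "host": "FS-01", "channel": "Security",
     "event_id": 4624, "logon_type": 10, "user": "svc_backup", "source_ip": "10.0.5.23"},
    {"time": "2019-08-20T14:31:41", "host": "FS-01",
     "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
     "event_id": 21, "user": "CORP\\svc_backup", "source_ip": "10.0.5.23"},
    {"time": "2019-08-20T14:32:10", "host": "FS-01", "channel": "Security",
     "event_id": 4624, "logon_type": 3, "user": "svc_backup", "source_ip": "10.0.5.23"},
    {"time": "2019-08-20T15:02:55", "host": "DC-01", "channel": "Security",
     "event_id": 4624, "logon_type": 10, "user": "svc_backup", "source_ip": "10.0.7.5"},
]
# Constructed asset inventory for resolving source addresses to hostnames.
INVENTORY = {"10.0.5.17": "LAPTOP-BOB", "10.0.5.23": "WS-ALICE", "10.0.7.5": "FS-01"}


def _norm_user(user):
    """Strip a DOMAIN\\ prefix and lower-case so both event sources compare equal."""
    return user.rsplit("\\", 1)[-1].lower()


def _is_rdp_logon(ev):
    """Security 4624/type 10 and TerminalServices-LocalSessionManager 21 are RDP logons."""
    if ev["channel"] == "Security":
        return ev["event_id"] == 4624 and ev.get("logon_type") == 10
    return "TerminalServices-LocalSessionManager" in ev["channel"] and ev["event_id"] == 21


def rdp_logons(events, inventory, dedupe_window=timedelta(seconds=60)):
    """Turn RDP logon events into src -> dst edges, collapsing the Security and
    TerminalServices records that describe the same session."""
    edges = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not _is_rdp_logon(ev):
            continue
        edge = {
            "time": datetime.fromisoformat(ev["time"]),
            "src": inventory.get(ev["source_ip"], ev["source_ip"]),
            "dst": ev["host"],
            "user": _norm_user(ev["user"]),
        }
        duplicate = any(
            e["src"] == edge["src"] and e["dst"] == edge["dst"] and e["user"] == edge["user"]
            and edge["time"] - e["time"] <= dedupe_window
            for e in edges
        )
        if not duplicate:
            edges.append(edge)
    return edges


def movement_chains(edges):
    """Link edges into hop chains: an edge extends a chain whose last hop landed
    on this edge's source host earlier. Account changes between hops stay
    visible because each edge carries its own user."""
    chains = []
    for edge in sorted(edges, key=lambda e: e["time"]):
        for chain in chains:
            if chain[-1]["dst"] == edge["src"] and chain[-1]["time"] <= edge["time"]:
                chain.append(edge)
                break
        else:
            chains.append([edge])
    return chains


def chain_hosts(chain):
    """Hosts visited by a chain, in order: first source, then each destination."""
    return [chain[0]["src"]] + [e["dst"] for e in chain]


if __name__ == "__main__":
    for chain in movement_chains(rdp_logons(SAMPLE_EVENTS, INVENTORY)):
        print(" -> ".join(chain_hosts(chain)))
        for e in chain:
            print(f"  {e['time']:%Y-%m-%d %H:%M:%S}  {e['user']:<12} {e['src']} -> {e['dst']}")
```

The network logon (type 3) in the sample is deliberately ignored: it records SMB or similar access, not an interactive desktop session, and mixing it in would blur the hop picture. The account switch between the first and second hop (alice, then svc_backup) is exactly the kind of detail an examiner wants to see preserved in the chain.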

Thus, Belkasoft Evidence Center can help investigators identify compromised computers in an attacked computer network, find traces of malware launch, traces of persistence in the system and of movement across the network, and other traces of the attackers' activity on compromised computers.

How to carry out such examinations and detect the artifacts described above is explained in the Belkasoft Incident Response Examination training course.

Course program:

  • Cyber attack patterns. Attackers' techniques, tools and goals
  • Using threat models to understand attackers' tactics, techniques and procedures
  • Cyber kill chain
  • Incident response algorithm: identification, containment, generation of indicators, search for newly infected nodes
  • Analysing Windows systems with BEC
  • Detecting methods of initial infection, network propagation, persistence and network activity of malware with BEC
  • Identifying infected systems and reconstructing the infection history with BEC
  • Practical exercises

FAQ

Where are the courses held?
The courses are held at Group-IB headquarters or at an external site (a training centre). An instructor can also travel to corporate customers' sites.

Who runs the classes?
The Group-IB instructors are practitioners with many years of experience in forensic examinations, corporate investigations and responding to information security incidents.

The instructors' qualifications are confirmed by numerous international certificates: GCFA, MCFE, ACE, EnCE and others.

Our instructors easily find a common language with their audience and explain even the most complex topics clearly. Students will learn a great deal of relevant and interesting information about investigating computer incidents and about methods for detecting and countering computer attacks, and will gain real practical knowledge that they can apply as soon as they finish the course.

Do the courses provide useful skills unrelated to Belkasoft products, or will these skills be useless without this software?
The skills acquired during the training will be useful even without Belkasoft products.

What is included in the entry test?

The entry test checks knowledge of the basics of computer forensics. Knowledge of Belkasoft and Group-IB products is not tested.

Where can I find information about the company's training courses?

As part of its training programme, Group-IB trains incident response specialists, malware researchers, cyber intelligence (Threat Intelligence) specialists, Security Operation Center (SOC) specialists, threat hunting (Threat Hunter) specialists and others. The full list of Group-IB's own courses is available here.

What bonuses do students who complete the joint Group-IB and Belkasoft courses receive?
Those who complete training in the joint Group-IB and Belkasoft courses receive:

  1. a certificate of course completion;
  2. a free one-month subscription to Belkasoft Evidence Center;
  3. a 10% discount on the purchase of Belkasoft Evidence Center.

We remind you that the first course starts on Monday, September 9; don't miss the chance to gain unique knowledge in information security, computer forensics and incident response! Registration for the course is here.

Sources

In preparing this article, we used Oleg Skulkin's presentation "Using host-based forensics to obtain indicators of compromise for successful intelligence-driven incident response".

Source: www.habr.com
