Hunting for attacker tactics and techniques with Prefetch files


Trace files, or Prefetch files, have been part of Windows since XP. Ever since, they have helped digital forensics and incident response specialists find traces of software execution, including malware. Group-IB's lead computer forensics specialist Oleg Skulkin explains what you can find with Prefetch files and how to do it.

Prefetch files live in the %SystemRoot%\Prefetch directory and exist to speed up program startup. Look at any one of them and you will see that its name has two parts: the name of the executable and an eight-character hexadecimal hash of the path it was run from. For a handful of host processes (svchost.exe, rundll32.exe, dllhost.exe and mmc.exe among them) the command line is folded into that hash as well, so a single executable can leave several Prefetch files behind.

Prefetch files hold a lot of information that is valuable from a forensic standpoint: the name of the executable, the number of times it was run, the list of files and directories the executable interacted with, and, of course, timestamps. Traditionally, forensic examiners use the creation date of a given Prefetch file to establish when the program was first run. The files also store the date of the last run, and starting with format version 26 (Windows 8 and 8.1) they keep the last eight run timestamps: the most recent run plus the seven before it. Two caveats when reading those times: the .pf file is written roughly ten seconds after the process starts, so the timestamps lag the actual launch slightly, and the directory is capped (128 files on Windows 7 and earlier, 1024 from Windows 8 on), so on a busy host old entries get evicted. Prefetching is also disabled by default on Windows Server editions, so do not expect this artifact on every system.

Let's take one of the Prefetch files, extract its data with Eric Zimmerman's PECmd, and walk through each part of it. For illustration I'll extract the data from CCLEANER64.EXE-DE05DBE1.pf.

So let's start from the top. Naturally, we have the creation, modification and last-access timestamps of the Prefetch file itself:

[Screenshot: PECmd output, timestamps of the Prefetch file]
They are followed by the executable name, the hash of its path, the size of the (uncompressed) Prefetch file, and the Prefetch format version:

[Screenshot: PECmd output, executable name, path hash, file size and version]
Since we are dealing with Windows 10, next we see the run count, the date and time of the last run, and seven more timestamps showing the previous runs:

[Screenshot: PECmd output, run count and last eight run timestamps]
These are followed by volume information, including the volume serial number and creation date:

[Screenshot: PECmd output, volume name, serial number and creation date]
Last but not least comes the list of directories and files the executable interacted with. Keep in mind what this list is: the files and directories mapped during roughly the first ten seconds after launch, not everything the process ever touched, and it records what was loaded rather than the command line that was typed:

[Screenshot: PECmd output, directories and files referenced by the executable]
So the directories and files the executable interacted with are what I want to focus on today. It is this data that lets a digital forensics, incident response or threat hunting specialist establish not only the fact that a given file was executed but also, in some cases, reconstruct the attackers' tactics and techniques. Attackers today routinely use tools such as SDelete to wipe data permanently, so the ability to recover at least traces of the use of particular tactics and techniques is essential for any modern defender, whether computer forensics examiner, incident responder or threat hunter.

Let's begin with the Initial Access tactic (TA0001) and its most common technique, Spearphishing Attachment (T1193). Some cybercriminal groups get quite creative in their choice of attachment. The Silence group, for example, used files in CHM (Microsoft Compiled HTML Help) format for this. That gives us a second technique, Compiled HTML File (T1223). Such files are opened by hh.exe, so if we extract the data from its Prefetch file we find out exactly which file the victim opened. (The technique IDs used throughout are the ones that were current when this was written; in today's ATT&CK, Spearphishing Attachment is T1566.001, Compiled HTML File is T1218.001, CMSTP is T1218.003, Regsvr32 is T1218.010, Application Shimming is T1546.011, Windows Admin Shares is T1021.002 and File Deletion is T1070.004.)

[Screenshot: PECmd output for HH.EXE showing the .chm file that was opened]
Let's keep working with real-case examples and move to the next tactic, Execution (TA0002), and the CMSTP technique (T1191). The Microsoft Connection Manager Profile Installer (CMSTP.exe) can be used by attackers to run malicious scripts; the Cobalt group is a good example. If we extract the data from the Prefetch file for cmstp.exe, we can again find out exactly what was launched, namely the .inf profile it was pointed at:

[Screenshot: PECmd output for CMSTP.EXE showing the loaded .inf file]
Another popular technique is Regsvr32 (T1117). Regsvr32.exe is also frequently used by attackers for execution. Here is another example from the Cobalt group: if we extract the data from the Prefetch file for regsvr32.exe, we again see what was launched, in this case the scriptlet or DLL the binary was told to register:

[Screenshot: PECmd output for REGSVR32.EXE showing the loaded scriptlet]
The next tactics are Persistence (TA0003) and Privilege Escalation (TA0004), with Application Shimming (T1138) as the technique. Carbanak/FIN7 used it to gain a foothold on compromised systems. sdbinst.exe is the utility normally used to install shim databases (.sdb), so the Prefetch file for this executable can help us find the names and locations of such databases:

[Screenshot: PECmd output for SDBINST.EXE showing the source and installed .sdb files]
As the screenshot shows, we get not only the name of the file used for installation but also the name of the installed database. That second path is worth checking: sdbinst copies the database into %SystemRoot%\AppPatch\Custom (or Custom64) under a GUID name and registers it under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB, so the Prefetch entry tells you where to look even if the original .sdb has been wiped.

Let's look at one of the most common examples of Lateral Movement (TA0008), PsExec, which relies on Windows Admin Shares (T1077). A service named PSEXESVC (or any other name, if the attackers used the -r parameter) is created on the target system, so if we extract the data from the Prefetch file for its service executable we see what was launched. Note which side of the connection you are examining: PSEXESVC.EXE leaves its Prefetch file on the target, while the attacker's source host carries one for PsExec.exe itself:

[Screenshot: PECmd output for PSEXESVC.EXE showing the executable it ran]
Perhaps I'll end where I began, with File Deletion (T1107). As I already noted, many attackers use SDelete to permanently erase files at various stages of the attack lifecycle. If we look at the data from the Prefetch file for sdelete.exe, we see the paths of the files it was pointed at, in other words exactly what was wiped:

[Screenshot: PECmd output for SDELETE.EXE showing the wiped file paths]
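The checks above, from hh.exe through sdelete.exe, all follow one pattern: find the Prefetch entry for a known living-off-the-land or attacker tool, then read the non-system files it loaded. Here is an added example that turns that pattern into a repeatable rule set run over PECmd's CSV export. This is not code from the article, from Group-IB or from PECmd; it assumes PECmd-style column names (ExecutableName, LastRun and FilesLoaded, with the loaded paths comma-separated inside one cell), and the sample rows, volume GUID, hashes and timestamps are all constructed placeholders. In real triage you would feed it the output of `PECmd.exe -d C:\Windows\Prefetch --csv <outdir>` instead.

```python
"""Hunt for the techniques above in PECmd CSV output (constructed example)."""
import csv
import io
import re
from dataclasses import dataclass

# (executable name pattern, ATT&CK ID as cited in the article,
#  pattern for the loaded file that carries the attacker's input)
RULES = [
    (re.compile(r"^HH\.EXE$"),           "T1223 Compiled HTML File",   re.compile(r"\.CHM$", re.I)),
    (re.compile(r"^CMSTP\.EXE$"),        "T1191 CMSTP",                re.compile(r"\.INF$", re.I)),
    (re.compile(r"^REGSVR32\.EXE$"),     "T1117 Regsvr32",             re.compile(r"\.(SCT|DLL|OCX)$", re.I)),
    (re.compile(r"^SDBINST\.EXE$"),      "T1138 Application Shimming", re.compile(r"\.SDB$", re.I)),
    (re.compile(r"^PSEXESVC\.EXE$"),     "T1077 Windows Admin Shares", re.compile(r"\.EXE$", re.I)),
    (re.compile(r"^SDELETE(64)?\.EXE$"), "T1107 File Deletion",        re.compile(r".")),
]
# Libraries mapped from the OS directories are normal process start-up noise.
SYSTEM_DIRS = re.compile(r"\\WINDOWS\\(SYSTEM32|SYSWOW64|WINSXS)\\", re.I)
# Prefetch file naming: <EXECUTABLE>-<8 hex digits of path hash>.pf
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.I)

# Constructed sample rows in PECmd CSV layout; {0000} and AAAAAAAA are placeholders.
SAMPLE_PECMD_CSV = r"""
SourceFilename,ExecutableName,RunCount,LastRun,FilesLoaded
C:\Windows\Prefetch\HH.EXE-AAAAAAAA.pf,HH.EXE,1,2019-03-12 09:41:07,"\VOLUME{0000}\WINDOWS\SYSTEM32\NTDLL.DLL, \VOLUME{0000}\WINDOWS\HH.EXE, \VOLUME{0000}\USERS\JDOE\DOWNLOADS\INVOICE.CHM"
C:\Windows\Prefetch\CMSTP.EXE-AAAAAAAA.pf,CMSTP.EXE,1,2019-03-12 09:42:11,"\VOLUME{0000}\WINDOWS\SYSTEM32\CMSTP.EXE, \VOLUME{0000}\WINDOWS\SYSTEM32\KERNEL32.DLL, \VOLUME{0000}\USERS\JDOE\APPDATA\LOCAL\TEMP\PROFILE.INF"
C:\Windows\Prefetch\REGSVR32.EXE-AAAAAAAA.pf,REGSVR32.EXE,3,2019-03-12 09:43:05,"\VOLUME{0000}\WINDOWS\SYSTEM32\REGSVR32.EXE, \VOLUME{0000}\WINDOWS\SYSTEM32\SCROBJ.DLL, \VOLUME{0000}\USERS\PUBLIC\UPDATE.SCT"
C:\Windows\Prefetch\SDBINST.EXE-AAAAAAAA.pf,SDBINST.EXE,1,2019-03-12 09:45:30,"\VOLUME{0000}\WINDOWS\SYSTEM32\SDBINST.EXE, \VOLUME{0000}\USERS\JDOE\APPDATA\LOCAL\TEMP\FIX.SDB, \VOLUME{0000}\WINDOWS\APPPATCH\CUSTOM\{0000}.SDB"
C:\Windows\Prefetch\PSEXESVC.EXE-AAAAAAAA.pf,PSEXESVC.EXE,2,2019-03-13 02:10:44,"\VOLUME{0000}\WINDOWS\PSEXESVC.EXE, \VOLUME{0000}\WINDOWS\SYSTEM32\ADVAPI32.DLL, \VOLUME{0000}\WINDOWS\TEMP\PAYLOAD.EXE"
C:\Windows\Prefetch\SDELETE64.EXE-AAAAAAAA.pf,SDELETE64.EXE,1,2019-03-13 02:15:01,"\VOLUME{0000}\WINDOWS\SYSTEM32\NTDLL.DLL, \VOLUME{0000}\USERS\JDOE\TOOLS\SDELETE64.EXE, \VOLUME{0000}\USERS\JDOE\APPDATA\LOCAL\TEMP\STAGE2.EXE"
C:\Windows\Prefetch\CHROME.EXE-AAAAAAAA.pf,CHROME.EXE,57,2019-03-13 08:00:00,"\VOLUME{0000}\WINDOWS\SYSTEM32\NTDLL.DLL, \VOLUME{0000}\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\CHROME.EXE"
""".lstrip()


@dataclass
class Finding:
    executable: str
    technique: str
    last_run: str
    artifact: str   # the loaded path that reveals the attacker's input


def parse_pf_name(filename):
    """Split 'NAME.EXE-1A2B3C4D.pf' into (executable, path hash); None if malformed."""
    m = PF_NAME.match(filename.rsplit("\\", 1)[-1])
    return (m["exe"].upper(), m["hash"].upper()) if m else None


def interesting_files(executable, files_loaded, file_pattern):
    """Loaded paths matching the rule, minus the program itself and OS libraries."""
    hits = []
    for path in (p.strip() for p in files_loaded.split(",")):
        if not path:
            continue
        basename = path.rsplit("\\", 1)[-1].upper()
        if basename == executable:
            continue                      # the tool's own image
        if SYSTEM_DIRS.search(path) and basename.endswith((".DLL", ".MUI", ".NLS", ".EXE")):
            continue                      # libraries every process maps at start-up
        if file_pattern.search(path):
            hits.append(path)
    return hits


def hunt(pecmd_csv):
    """Apply RULES to PECmd CSV text; one Finding per suspicious loaded file."""
    findings = []
    for row in csv.DictReader(io.StringIO(pecmd_csv)):
        exe = row["ExecutableName"].strip().upper()
        for exe_pattern, technique, file_pattern in RULES:
            if exe_pattern.match(exe):
                for path in interesting_files(exe, row["FilesLoaded"], file_pattern):
                    findings.append(Finding(exe, technique, row["LastRun"], path))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_PECMD_CSV):
        print(f"{f.last_run}  {f.executable:<14} {f.technique:<28} {f.artifact}")
```

The system-directory filter is a heuristic to cut start-up noise, so it will hide a DLL that an attacker dropped straight into System32; loosen it when you are hunting DLL side-loading rather than the script-host abuses covered here. The SDELETE rule deliberately matches every remaining path, because for a wiper the interesting evidence is whatever it touched that is not a system library.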

Of course, this is far from a complete list of the techniques that can be uncovered by analysing Prefetch files, but it should be enough to show that such files help not only to find traces of execution but also to reconstruct specific attacker tactics and techniques.

Source: www.habr.com
