Joint Group-IB and Belkasoft courses: what we will teach and who will attend

Algorithms and tactics for responding to information security incidents, current cyberattack methods, methods for investigating data leaks in companies, examination of browsers and mobile devices, analysis of encrypted files, extraction of geolocation data and analysis of large volumes of data - all these and other topics can be studied in the new joint Group-IB and Belkasoft courses. In August we announced the first course, Belkasoft Digital Forensics, which starts on September 9, and after receiving a large number of questions we decided to tell you in more detail what students will learn and what knowledge, skills and bonuses (!) they will receive at the end. First things first.

Two in one

The idea of running joint training courses came up after Group-IB course participants started asking about a tool that would help them investigate compromised computer systems and networks, and that would combine the functionality of the various free utilities we recommend using during incident response.

In our opinion, such a tool could be Belkasoft Evidence Center (we have already written about it in Igor Mikhailov's article "Key to the start: the best software and hardware for computer forensics"). Therefore, together with Belkasoft, we developed two training courses: Belkasoft Digital Forensics and Belkasoft Incident Response Examination.

IMPORTANT: the courses are sequential and interrelated! Belkasoft Digital Forensics is devoted to the Belkasoft Evidence Center program, and Belkasoft Incident Response Examination to investigating incidents using Belkasoft products. In other words, before taking the Belkasoft Incident Response Examination course, we strongly recommend completing the Belkasoft Digital Forensics course. If you start straight away with the incident investigation course, you may have annoying gaps in your knowledge of using Belkasoft Evidence Center and of finding and examining forensic artifacts. This can lead to a situation where, during the Belkasoft Incident Response Examination course, the student either has no time to absorb the material or slows down the rest of the group, because training time is spent by the trainer explaining material from the Belkasoft Digital Forensics course.

Computer forensics and Belkasoft Evidence Center

The aim of the Belkasoft Digital Forensics course is to introduce students to the Belkasoft Evidence Center program, to teach them to use it to collect evidence from various sources (cloud storage, random access memory (RAM), mobile devices, storage media (hard drives, flash drives, etc.)), and to master basic forensic techniques and methods, including forensic examination of Windows artifacts, mobile devices and RAM dumps. You will also learn to identify and document artifacts of browsers and instant messengers, create forensic copies of data from various sources, extract geolocation data, search for text sequences (keyword search), use hashes when conducting an investigation, analyse the Windows registry, examine unknown SQLite databases, the basics of examining graphic and video files, and the analytical techniques used during investigations.

The course will be useful to technical specialists in computer forensics; technical specialists who determine the causes of a successful intrusion and analyse the chain of events and the consequences of cyberattacks; technical specialists who identify and document data theft (leaks) by an insider (internal violator); e-Discovery specialists; SOC and CERT/CSIRT staff; information security staff; and computer forensics enthusiasts.

Course plan:

  • Belkasoft Evidence Center (BEC): first steps
  • Creating and processing cases in BEC
  • Collecting digital evidence for forensic investigation with BEC
  • Using filters
  • Generating reports
  • Examining instant messengers
  • Web browser examination
  • Mobile device examination
  • Geolocation data extraction
  • Searching for text sequences in cases
  • Extracting and analysing data from cloud storage
  • Using bookmarks to highlight significant evidence found during the investigation
  • Examining Windows system files
  • Windows registry analysis
  • SQLite database analysis
  • Data recovery methods
  • RAM dump examination techniques
  • Using the hash calculator and hash analysis in forensic investigation
  • Analysing encrypted files
  • Methods for examining graphic and video files
  • Applying analytical techniques in forensic investigation
  • Automating routine actions with the built-in Belkascripts language
  • Practical exercises

Course: Belkasoft Incident Response Examination

The aim of the course is to learn the basics of forensic investigation of cyberattacks and the possibilities of using Belkasoft Evidence Center in such investigations. You will learn about the main vectors of modern attacks on computer networks, learn to classify computer attacks using the MITRE ATT&CK matrix, apply operating system investigation algorithms to establish the fact of compromise and reconstruct the attackers' actions, learn where the artifacts are located that show which files were opened last, where the operating system stores information about how executable files were downloaded and executed, and how attackers moved across the network, and learn to examine these artifacts with BEC. You will also learn which events in the system logs are of interest from the point of view of incident investigation and detecting remote access, and learn to investigate them with BEC.

The course will be useful to technical specialists who determine the causes of a successful intrusion and analyse the chain of events and the consequences of cyberattacks; system administrators; SOC and CERT/CSIRT staff; and information security staff.

Course overview

The Cyber Kill Chain describes the main stages of any technical attack on a victim's computers (or computer network) as follows:

The actions of SOC staff (CERT, information security, etc.) are aimed at preventing intruders from gaining access to protected information resources.

If attackers do penetrate the protected infrastructure, the people mentioned above must try to minimise the damage from the attackers' activity, determine how the attack was carried out, reconstruct the events and the sequence of the attackers' actions in the information infrastructure, and take measures to prevent this type of attack in the future.

The following types of traces, indicating that the network (computer) has been compromised, can be found in a compromised information infrastructure:

All such traces can be found using the Belkasoft Evidence Center program.

BEC has an "Incident Investigation" module where, when storage media are analysed, information about artifacts that can help the investigator during incident investigation is collected.

BEC supports examination of the main types of Windows artifacts that indicate the execution of executable files on the system under investigation, including Amcache, UserAssist, Prefetch, the BAM/DAM keys, the Windows 10 Timeline, and analysis of system event logs.

Information about traces containing details of user actions on the compromised system may be displayed as follows:

This information includes, among other things, information about the execution of executable files:

Information about the execution of the file 'RDPWInst.exe'.
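To make the "execution artifact" idea concrete, here is an added example (not part of the original article and not Belkasoft's code) that decodes UserAssist registry values, one of the artifact types listed above, by hand. It relies only on the documented UserAssist layout: the value name is the program path encoded with ROT13, and on Windows 7 and later the value data is a 72-byte record with the run count at offset 4, the focus count at offset 8, the focus time in milliseconds at offset 12 and the last-execution FILETIME at offset 60. The registry values it parses are constructed in the script (the `build_record` and `rot13` helpers exist only to fabricate them); the file paths and timestamps are invented sample data, not values from any real case.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Documented UserAssist record layout (Windows 7 and later), sizes and offsets in bytes
RECORD_SIZE = 72
OFF_RUN_COUNT = 4      # followed by focus count (8) and focus time in ms (12)
OFF_LAST_RUN = 60      # FILETIME of the most recent execution
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse conversion; used here only to build the constructed sample records."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(value_name):
    """UserAssist value names are the program path ROT13-encoded; undo that."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_value(value_name, data):
    """Decode one UserAssist registry value into a dict of execution facts."""
    if len(data) < RECORD_SIZE:
        raise ValueError(f"UserAssist record too short: {len(data)} bytes")
    run_count, focus_count, focus_time_ms = struct.unpack_from("<III", data, OFF_RUN_COUNT)
    (last_run_ft,) = struct.unpack_from("<Q", data, OFF_LAST_RUN)
    return {
        "program": decode_userassist_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_time_ms,
        # A zero FILETIME means "never recorded", not the year 1601
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def execution_timeline(values):
    """Parse every (value name, value data) pair and order by last execution, newest first."""
    parsed = [parse_userassist_value(name, data) for name, data in values]
    return sorted(parsed, key=lambda r: r["last_run"] or FILETIME_EPOCH, reverse=True)


# --- constructed sample data (not taken from any real system) ---------------------
def build_record(run_count, focus_count, focus_time_ms, last_run):
    data = bytearray(RECORD_SIZE)
    struct.pack_into("<III", data, OFF_RUN_COUNT, run_count, focus_count, focus_time_ms)
    struct.pack_into("<Q", data, OFF_LAST_RUN, datetime_to_filetime(last_run) if last_run else 0)
    return bytes(data)


def rot13(path):
    return codecs.encode(path, "rot_13")


SAMPLE_VALUES = [
    (rot13(r"C:\Users\analyst\Downloads\RDPWInst.exe"),
     build_record(1, 1, 2_500, datetime(2019, 8, 20, 14, 5, 30, tzinfo=timezone.utc))),
    (rot13(r"C:\Windows\System32\notepad.exe"),
     build_record(12, 12, 90_000, datetime(2019, 8, 19, 9, 0, 0, tzinfo=timezone.utc))),
    (rot13(r"C:\Windows\System32\calc.exe"), build_record(0, 0, 0, None)),
]

if __name__ == "__main__":
    for entry in execution_timeline(SAMPLE_VALUES):
        print(f"{str(entry['last_run']):>25}  runs={entry['run_count']:<3} {entry['program']}")
```

On a real system the input pairs would come from the `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count` subkeys of an exported NTUSER.DAT; the point of the example is that the run count and last-run time are sitting in plain binary once the name is decoded, which is what a tool such as BEC presents in its execution view.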

Information about the attackers' persistence in compromised systems can be found in the Windows registry autorun keys, services, scheduled tasks, logon scripts, WMI, etc. Examples of detecting traces of attackers persisting in the system are shown in the following screenshots:

Attacker persistence via the Task Scheduler, by creating a task that runs a PowerShell script.

Attacker persistence via Windows Management Instrumentation (WMI).

Attacker persistence via a logon script.
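The scheduled-task screenshot above shows the kind of finding an analyst has to reproduce manually when a GUI tool is not at hand. The following added example (my own code, not from the article or from Belkasoft) triages Task Scheduler task definitions, the XML files stored under `C:\Windows\System32\Tasks`, and flags those whose action runs a script host such as PowerShell with switches typical of script-based persistence, whose payload lives under a user-writable path, or which fire at logon or boot. The XML namespace is the real Task Scheduler schema URI; the two task definitions, the vendor path and the script path are constructed samples, and the keyword lists are my own heuristics, not a vendor detection rule.

```python
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler task definition XML (real schema URI)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics (my own, not exhaustive): a hit is a reason to look, not proof of compromise
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "cmd.exe")
SUSPICIOUS_ARGS = ("-enc", "-nop", "-w hidden", "-windowstyle hidden", "-ep bypass",
                   "-executionpolicy bypass", "downloadstring", "invoke-expression", "iex ")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
AUTOSTART_TRIGGERS = {"LogonTrigger", "BootTrigger"}


def parse_task(xml_text):
    """Pull the fields relevant to persistence triage out of one task definition."""
    root = ET.fromstring(xml_text)
    actions = []
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((cmd.strip(), args.strip()))
    triggers = [child.tag.split("}")[-1] for child in root.findall("t:Triggers/*", TASK_NS)]
    return {
        "author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=TASK_NS),
        "user": root.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS),
        "triggers": triggers,
        "actions": actions,
    }


def score_task(task):
    """Return the list of reasons a task deserves analyst attention (empty if none)."""
    reasons = []

    def note(reason):
        if reason not in reasons:
            reasons.append(reason)

    for cmd, args in task["actions"]:
        cmd_l, args_l = cmd.lower(), args.lower()
        if any(host in cmd_l for host in SCRIPT_HOSTS):
            note(f"script host: {cmd}")
        for marker in SUSPICIOUS_ARGS:
            if marker in args_l:
                note(f"argument: {marker.strip()}")
        if any(p in cmd_l or p in args_l for p in USER_WRITABLE):
            note("payload under user-writable path")
    if AUTOSTART_TRIGGERS & set(task["triggers"]):
        note("runs at logon/boot")
    return reasons


# --- constructed task definitions (sample data, not from a real system) -------------
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\\it-admin</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2019-08-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command>
    <Arguments>/silent</Arguments>
  </Exec></Actions>
</Task>"""

SUSPECT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WS-01\\jsmith</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-nop -w hidden -ExecutionPolicy Bypass -File C:\\Users\\Public\\update.ps1</Arguments>
  </Exec></Actions>
</Task>"""


def triage(task_xml_by_name):
    """Map task name -> reasons, keeping only tasks that scored at least one reason."""
    results = {}
    for name, xml_text in task_xml_by_name.items():
        reasons = score_task(parse_task(xml_text))
        if reasons:
            results[name] = reasons
    return results


if __name__ == "__main__":
    for name, reasons in triage({"VendorUpdate": BENIGN_TASK, "WindowsUpdateCheck": SUSPECT_TASK}).items():
        print(name, "->", "; ".join(reasons))
```

The same triage extends naturally to the other persistence locations the article lists (Run keys, services, WMI subscriptions, logon scripts): each is a different container, but what you score is the same thing, the command line that ends up executing and when it is triggered.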

Attacker movement across the compromised computer network can be seen, for example, by analysing the Windows event logs (if the attackers used the RDP service).

Information about detected RDP connections.

Information about attacker movement across the network.
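As an added illustration of the event-log analysis the two screenshots above summarise (example code written for this page, not the article's or Belkasoft's), the script below pulls RDP logons out of exported Windows event records and reconstructs the hop sequence between hosts. It uses two real event sources: Security event 4624 with logon type 10 (RemoteInteractive, i.e. a successful RDP logon) and event 1149 from the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log (RDP user authentication succeeded, where Param1 is the user and Param3 the source address). The JSON layout of the records is an assumption standing in for whatever EVTX-to-JSON export you use, and all hostnames, users, addresses and timestamps are constructed.

```python
import json
from datetime import datetime

# Real Windows identifiers used below
SECURITY_LOGON = 4624          # Security: an account was successfully logged on
LOGON_TYPE_RDP = "10"          # RemoteInteractive
RCM_AUTH_OK = 1149             # TerminalServices-RemoteConnectionManager: RDP auth succeeded
RCM_CHANNEL = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

# Constructed export (assumed JSON-lines layout; not a real log)
SAMPLE_EVENTS = """
{"host":"WS-01","time":"2019-08-20T14:01:09Z","channel":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","event_id":1149,"data":{"Param1":"jsmith","Param2":"CORP","Param3":"10.0.5.23"}}
{"host":"WS-01","time":"2019-08-20T14:01:10Z","channel":"Security","event_id":4624,"data":{"LogonType":"10","TargetUserName":"jsmith","IpAddress":"10.0.5.23","WorkstationName":"WS-07"}}
{"host":"WS-01","time":"2019-08-20T14:03:00Z","channel":"Security","event_id":4624,"data":{"LogonType":"3","TargetUserName":"WS-01$","IpAddress":"10.0.5.23","WorkstationName":"WS-07"}}
{"host":"SRV-FILE","time":"2019-08-20T14:20:45Z","channel":"Security","event_id":4624,"data":{"LogonType":"10","TargetUserName":"jsmith","IpAddress":"10.0.1.11","WorkstationName":"WS-01"}}
{"host":"SRV-DC","time":"2019-08-20T15:02:12Z","channel":"Security","event_id":4624,"data":{"LogonType":"10","TargetUserName":"administrator","IpAddress":"10.0.1.11","WorkstationName":"WS-01"}}
"""


def parse_events(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rdp_logons(events):
    """Extract successful RDP logons from both event sources, oldest first."""
    logons = []
    for ev in events:
        data = ev["data"]
        if ev["event_id"] == SECURITY_LOGON and data.get("LogonType") == LOGON_TYPE_RDP:
            logons.append({"host": ev["host"], "user": data["TargetUserName"],
                           "source_ip": data.get("IpAddress", ""),
                           "source_name": data.get("WorkstationName", ""),
                           "evidence": "Security/4624 type 10"})
        elif ev["event_id"] == RCM_AUTH_OK and ev["channel"] == RCM_CHANNEL:
            logons.append({"host": ev["host"], "user": data["Param1"],
                           "source_ip": data["Param3"], "source_name": "",
                           "evidence": "RCM/1149"})
        else:
            continue
        logons[-1]["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(logons, key=lambda l: l["time"])


def movement_edges(logons):
    """Distinct (source address, destination host) pairs: the lateral-movement graph."""
    return sorted({(l["source_ip"], l["host"]) for l in logons})


def user_path(logons, user):
    """Hosts a user reached over RDP, in time order, consecutive repeats collapsed."""
    path = []
    for l in logons:
        if l["user"] == user and (not path or path[-1] != l["host"]):
            path.append(l["host"])
    return path


if __name__ == "__main__":
    logons = rdp_logons(parse_events(SAMPLE_EVENTS))
    for l in logons:
        print(f"{l['time']:%Y-%m-%d %H:%M:%S}  {l['source_ip']:>10} -> {l['host']:<9} {l['user']:<14} ({l['evidence']})")
    print("edges:", movement_edges(logons))
    print("jsmith path:", user_path(logons, "jsmith"))
```

Two practical points the sample is built to show: a logon recorded in the TerminalServices log and in Security for the same session is one hop, not two, so the edge set deduplicates them; and the type-3 network logon from the same address is deliberately excluded, because SMB and other network logons from an already-compromised host are a separate question from where the operator was sitting.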

Thus, Belkasoft Evidence Center can help investigators identify compromised computers in an attacked network, find traces of malware launch, traces of persistence in the system and of movement across the network, and other traces of attacker activity on compromised computers.

How to conduct such investigations and detect the artifacts described above is covered in the Belkasoft Incident Response Examination training course.

Course plan:

  • Cyberattack trends. Technologies, tools, attackers' goals
  • Using threat models to understand attacker tactics, techniques and procedures
  • Cyber Kill Chain
  • Incident response algorithm: identification, containment, generating indicators, searching for newly infected hosts
  • Analysing Windows systems with BEC
  • Detecting methods of initial infection, network propagation, persistence and malware network activity with BEC
  • Identifying infected systems and reconstructing the infection history with BEC
  • Practical exercises

FAQ

Where are the courses held?
Courses are held at Group-IB headquarters or at an external site (a training centre). A trainer may also travel to corporate customers' premises.

Who conducts the classes?
Group-IB trainers are practitioners with many years of experience in conducting forensic examinations, corporate investigations and responding to information security incidents.

The trainers' qualifications are confirmed by numerous international certifications: GCFA, MCFE, ACE, EnCE, etc.

Our trainers easily find common ground with their audience and explain even the most complex topics clearly. Students will learn a great deal of relevant and interesting information about investigating computer incidents and about methods of identifying and countering computer attacks, and will gain practical knowledge they can apply immediately after completing the course.

Will the courses provide useful skills that are not tied to Belkasoft products, or will these skills be useless without this software?
The skills acquired during training will be useful even without using Belkasoft products.

What is included in the initial test?

The initial test is a test of knowledge of the basics of computer forensics. There are no plans to test knowledge of Belkasoft and Group-IB products.

Where can I find information about the company's educational courses?

As part of its educational programmes, Group-IB trains specialists in incident response, malware research, cyber intelligence (Threat Intelligence), Security Operations Center (SOC) work, threat hunting (Threat Hunter), etc. The full list of Group-IB's proprietary courses is available here.

What bonuses do students who complete the joint Group-IB and Belkasoft courses receive?
Those who complete training in the joint Group-IB and Belkasoft courses will receive:

  1. a course completion certificate;
  2. a free one-month subscription to Belkasoft Evidence Center;
  3. a 10% discount on the purchase of Belkasoft Evidence Center.

We remind you that the first course starts on Monday, 9 September - don't miss the chance to gain unique knowledge in information security, computer forensics and incident response! Sign up for the course here.

Sources

In preparing this article, we used Oleg Skulkin's presentation "Using host-based forensics to find indicators of compromise in intelligence-driven incident response".

Source: www.habr.com
