
Prefetch files have been part of Windows since the XP days, and they have long helped digital forensics and computer incident response specialists find traces of program execution, including malware. Group-IB's lead digital forensics specialist Oleg Skulkin explains what you can learn from Prefetch files and how to do it.
Prefetch files are stored in the %SystemRoot%\Prefetch directory and serve to speed up program startup. If we look at any of these files, we will see that its name consists of two parts: the name of the executable and an eight-character checksum of the path to it.
Prefetch files contain a lot of forensically useful information: the name of the executable, the number of times it was executed, the list of files and directories the executable interacted with, and, of course, timestamps. Forensic analysts usually use the creation date of a particular prefetch file to determine the date the program was first executed. These files also store their last modification date and, starting with version 26 (Windows 8.1), the timestamps of the last seven launches of the program.
Let's take one of the prefetch files, extract the data from it with Eric Zimmerman's PECmd and look at each part in turn. For the demonstration, I will extract the data from the file CCLEANER64.EXE-DE05DBE1.pf.
So let's start from the top. Naturally, we have the file's creation, modification and last access timestamps:

They are followed by the name of the executable, the checksum of its path, the size of the executable and the version of the prefetch file:

Since we are dealing with Windows 10, next we see the run count, the date and time of the last launch, and seven more timestamps showing the dates of previous launches:

This is followed by information about the volume, including its serial number and creation date:
Last but not least is the list of directories and files the executable interacted with:

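To make the layout described above concrete, here is a small parser for uncompressed Prefetch files (format versions 17, 23 and 26). It is an added example, not code from the article or from PECmd; the field offsets follow the public libscca format documentation, the sample blob it builds is constructed, and Windows 10 (version 30) files, which are MAM-compressed on disk, are only detected, not decompressed.

```python
"""Minimal parser for uncompressed Windows Prefetch (.pf) files, versions 17/23/26.
Added example (not the article's or PECmd's code). Offsets follow the libscca format
documentation; MAM-compressed Windows 10 files are detected but not decompressed."""
import struct
from datetime import datetime, timedelta, timezone

# Per version: offset of the last-run FILETIME array, number of entries, and offset of
# the run counter, all relative to the file-information block that starts at byte 84.
_LAYOUT = {17: (36, 1, 60), 23: (44, 1, 68), 26: (44, 8, 124)}

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 is an unused slot."""
    return None if ft == 0 else datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return header fields, run history and the referenced-file list of a .pf blob."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed (Windows 10) prefetch file: decompress before parsing")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in _LAYOUT:
        raise ValueError("not a supported uncompressed prefetch file")
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte UTF-16 name field
    path_hash = struct.unpack_from("<I", data, 76)[0]           # the hash in the file name
    info = 84                                                   # file-information block
    names_off, names_size = struct.unpack_from("<II", data, info + 16)
    runs_off, runs_n, count_off = _LAYOUT[version]
    runs = struct.unpack_from("<%dQ" % runs_n, data, info + runs_off)
    run_count = struct.unpack_from("<I", data, info + count_off)[0]
    names = data[names_off:names_off + names_size].decode("utf-16-le").split("\x00")
    return {"version": version, "executable": exe, "hash": "%08X" % path_hash,
            "expected_name": "%s-%08X.pf" % (exe, path_hash), "run_count": run_count,
            "last_runs": [filetime_to_dt(ft) for ft in runs if ft],
            "files": [n for n in names if n]}

def build_sample():
    """Constructed version-26 blob for a hypothetical SDELETE.EXE run (not real evidence)."""
    files = ["\\VOLUME{CONSTRUCTED-0001}\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\VOLUME{CONSTRUCTED-0001}\\USERS\\ALICE\\SECRET.DOCX"]
    names = ("\x00".join(files) + "\x00").encode("utf-16-le")
    info = bytearray(224)                         # size of the version-26 information block
    struct.pack_into("<II", info, 16, 84 + len(info), len(names))   # strings offset/size
    struct.pack_into("<Q", info, 44, 131907744000000000)   # FILETIME of 2019-01-01 00:00 UTC
    struct.pack_into("<I", info, 124, 3)          # run count
    header = struct.pack("<I4sII", 26, b"SCCA", 0x11, 84 + len(info) + len(names))
    header += "SDELETE.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", 0xABCD1234, 0)   # path hash, flags
    return header + bytes(info) + names
```

Comparing `expected_name` with the on-disk file name is a quick integrity check: a mismatch means the file was renamed or its header tampered with.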
So, the directories and files the executable interacted with are exactly what I want to focus on today. It is this data that allows digital forensics, computer incident response or proactive threat hunting specialists to establish not only the fact that a particular file was executed, but also, in some cases, to reconstruct specific tactics and techniques of the attackers. Today, attackers quite often use tools for permanently deleting data, SDelete for example, so the ability to recover at least traces of the use of specific tactics and techniques is simply essential for any modern defender, whether a computer forensics specialist, an incident responder or a threat hunter.
Let's start with the Initial Access tactic (TA0001) and its most popular technique, Spearphishing Attachment (T1193). Some cybercriminal groups are quite inventive in their choice of attachments. For example, the Silence group used CHM files (Microsoft Compiled HTML Help) for this. So we have another technique in front of us, Compiled HTML File (T1223). Such files are opened with hh.exe, so if we extract the data from its prefetch file, we will find out which file the victim opened:

Let's continue with examples from real cases and move on to the next tactic, Execution (TA0002), and the CMSTP technique (T1191). The Microsoft Connection Manager Profile Installer (CMSTP.exe) can be used by attackers to run malicious scripts. A good example is the Cobalt group. If we extract the data from the prefetch file for cmstp.exe, we can again find out exactly what was launched:

Another popular technique is Regsvr32 (T1117). Regsvr32.exe is also frequently used by attackers for execution. Here is another example from the Cobalt group: if we extract the data from the prefetch file for regsvr32.exe, we will again see what was launched:

The next tactics are Persistence (TA0003) and Privilege Escalation (TA0004), with Application Shimming (T1138) as the technique. Carbanak/FIN7 used this technique to gain a foothold in the system. Application compatibility databases (.sdb) are normally handled by sdbinst.exe, so the prefetch file of this executable can help us learn the names of such databases and their locations:

As you can see in the illustration, we have not only the name of the file used for the installation, but also the name of the installed database.
Let's look at one of the most common examples of Lateral Movement (TA0008), PsExec, which uses administrative shares (T1077). A service named PSEXESVC (any other name can be used, of course, if the attackers passed the -r parameter) is created on the target system, so if we extract the data from its prefetch file, we will see what was launched:

Perhaps I'll finish where I started, with file deletion (T1107). As I already noted, many attackers use SDelete to permanently delete files at various stages of the attack lifecycle. If we look at the data from the prefetch file for sdelete.exe, we will see exactly what was deleted:

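The cases above (hh.exe, cmstp.exe, regsvr32.exe, sdbinst.exe, PSEXESVC and sdelete.exe) can be turned into a first-pass triage over the referenced-file lists that PECmd extracts. This is an added example, not the article's or PECmd's code: the rules are heuristics derived from the cases described here, the record shape (executable name plus referenced paths) and the sample records are constructed, and the noise filter for OS library paths is an assumption.

```python
"""Heuristic triage of prefetch referenced-file lists against the techniques discussed
in the article. Added example; rules, record shape and sample records are constructed."""
import re

# (executable, path regex, ATT&CK technique, note), one rule per case in the article.
# A renamed PsExec service (-r) will not match the PSEXESVC rule; that is by design.
RULES = [
    ("HH.EXE", r"\.CHM$", "T1223", "Compiled HTML Help file opened"),
    ("CMSTP.EXE", r"\.INF$", "T1191", "profile/INF passed to CMSTP"),
    ("REGSVR32.EXE", r"\.(SCT|DLL)$", "T1117", "object registered via regsvr32"),
    ("SDBINST.EXE", r"\.SDB$", "T1138", "application shim database installed"),
    ("PSEXESVC.EXE", r"\.EXE$", "T1077", "binary launched through the PsExec service"),
    ("SDELETE.EXE", r".", "T1107", "file targeted by secure delete"),
]
# Paths under these prefixes are ordinary OS loads (system DLLs) and are ignored (assumption).
NOISE = re.compile(r"\\WINDOWS\\(SYSTEM32|SYSWOW64|WINSXS)\\", re.I)

def triage(records):
    """records: iterable of (executable name, [referenced paths]); returns findings."""
    findings = []
    for exe, paths in records:
        exe = exe.upper()
        for rule_exe, pattern, tid, note in RULES:
            if exe != rule_exe:
                continue
            for path in paths:
                if NOISE.search(path) or not re.search(pattern, path, re.I):
                    continue
                findings.append({"technique": tid, "executable": exe, "path": path, "note": note})
    return findings

# Constructed records modelled on the article's cases; the volume id is a placeholder.
SAMPLE_RECORDS = [
    ("HH.EXE", [r"\VOLUME{CONSTRUCTED-0001}\WINDOWS\SYSTEM32\NTDLL.DLL",
                r"\VOLUME{CONSTRUCTED-0001}\USERS\ALICE\DOWNLOADS\INVOICE.CHM"]),
    ("REGSVR32.EXE", [r"\VOLUME{CONSTRUCTED-0001}\WINDOWS\SYSTEM32\OLE32.DLL",
                      r"\VOLUME{CONSTRUCTED-0001}\USERS\ALICE\APPDATA\LOCAL\TEMP\UPDATE.SCT"]),
    ("SDBINST.EXE", [r"\VOLUME{CONSTRUCTED-0001}\USERS\ALICE\APPDATA\LOCAL\TEMP\FIX.SDB"]),
    ("NOTEPAD.EXE", [r"\VOLUME{CONSTRUCTED-0001}\USERS\ALICE\NOTES.TXT"]),
]
```

Each finding still needs the analyst's judgement: a .sdb installed by an enterprise management tool or a vendor CHM manual will trip the same rules.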
Of course, this is not a complete list of the techniques that can be detected during Prefetch file analysis, but it should be enough to understand that these files help not only to find traces of a launch, but also to reconstruct the attacker's tactics and techniques.
Source: www.habr.com
