Hunting for attack tactics and techniques using Prefetch files


Trace files, or Prefetch files, have been present in Windows since XP. Since then they have helped digital forensics and incident response specialists find traces of software execution, including malware. Oleg Skulkin, lead computer forensics specialist at Group-IB, explains what you can find using Prefetch files and how to do it.

Prefetch files are stored in the directory %SystemRoot%\Prefetch and serve to speed up the launching of programs. If we look at any of these files, we will see that its name consists of two parts: the name of the executable and an eight-character checksum of the path to it.

Prefetch files contain a lot of information that is useful from a forensic point of view: the name of the executable, the number of times it has been run, lists of the files and directories the executable has interacted with and, of course, timestamps. Forensic examiners typically use the creation date of a particular Prefetch file to determine the date on which the program was first run. In addition, these files store the date of their last run and, starting from version 26 (Windows 8.1), the timestamps of the seven most recent runs.

Let's take one Prefetch file, extract the data from it using Eric Zimmerman's PECmd and look at each part of it. For the demonstration I will extract the data from the file CCLEANER64.EXE-DE05DBE1.pf.

So let's start from the top. Naturally, we have the file's creation, modification and access timestamps:

They are followed by the name of the executable, the checksum of the path to it, the size of the executable and the version of the Prefetch file:

Since we are dealing with Windows 10, next we see the run count, the date and time of the last run, and seven more timestamps showing previous launch dates:

This is followed by information about the volume, including its serial number and creation date:

Finally, the list of directories and files the executable has interacted with:

The directories and files the executable has interacted with are exactly what I want to focus on today. It is this data that allows digital forensics, incident response or threat hunting specialists to establish not only the fact that a particular file was executed but also, in some cases, to reconstruct the specific tactics and techniques of the attackers. Today attackers quite often use tools for permanently deleting data, for example SDelete, so the ability to recover at least traces of the use of certain tactics and techniques is simply necessary for any modern defender, whether a computer forensics specialist, an incident responder or a threat hunter.

Let's start with the Initial Access tactic (TA0001) and its most popular technique, Spearphishing Attachment (T1193). Some cybercrime groups are quite inventive in their choice of attachments. For example, the Silence group used files in the CHM (Microsoft Compiled HTML Help) format for this. So we have a second technique in front of us: Compiled HTML File (T1223). Such files are opened by hh.exe, so if we extract the data from its Prefetch file we will find out which file the victim opened:

Let's continue with examples from real cases and move on to the next tactic, Execution (TA0002), and the CMSTP technique (T1191). The Microsoft Connection Manager Profile Installer (CMSTP.exe) can be used by attackers to run malicious scripts. A good example is the Cobalt group. If we extract the data from the Prefetch file of cmstp.exe, we can again find out what exactly was launched:

Another popular technique is Regsvr32 (T1117). Regsvr32.exe is also used by attackers for execution. Here is another example from the Cobalt group: if we extract the data from the Prefetch file of regsvr32.exe, we will once again see what was launched:

The next tactics are Persistence (TA0003) and Privilege Escalation (TA0004), with Application Shimming (T1138) as the technique. This technique was used by Carbanak/FIN7 to gain a foothold in the system. Application compatibility databases (.sdb) are usually handled by sdbinst.exe. Therefore, the Prefetch file of this executable can help us find out the names of such databases and their locations:

As you can see in the illustration, we have not only the name of the file that was used for installation, but also the name of the installed database.

Let's look at one of the most common examples of Lateral Movement (TA0008): PsExec, which uses Windows Admin Shares (T1077). A service named PSEXESVC (although any other name can be used if the attackers passed the -r parameter) is created on the target system, so if we extract the data from its Prefetch file we will see what was launched:

I will probably end where I started: with file deletion (T1107). As I already noted, many attackers use SDelete to permanently delete files at various stages of the attack life cycle. If we look at the data from the Prefetch file of sdelete.exe, we will see what exactly was deleted:

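The hunting idea running through the examples above (hh.exe, cmstp.exe, regsvr32.exe, sdbinst.exe, PSEXESVC, sdelete.exe) is the same each time: find the Prefetch entry of a known executable and read off the non-system files it touched. Below is an added example, not from the article or from PECmd, that automates that over a constructed list of Prefetch entries; the executable-to-technique mapping follows the text, while the file extensions used to pick out "what was launched", the input shape and all sample paths and hashes are my assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Prefetch names look like EXECUTABLE.EXE-XXXXXXXX.pf: eight hex chars = hash of the exe's path.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Executables from the article, the technique each points to, and which referenced-file
# extensions reveal "what was launched" (my own mapping; the extensions are an assumption).
WATCHLIST: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "HH.EXE": ("T1223 Compiled HTML File", (".CHM",)),
    "CMSTP.EXE": ("T1191 CMSTP", (".INF",)),
    "REGSVR32.EXE": ("T1117 Regsvr32", (".DLL", ".SCT")),
    "SDBINST.EXE": ("T1138 Application Shimming", (".SDB",)),
    "PSEXESVC.EXE": ("T1077 Windows Admin Shares", (".EXE",)),
    "SDELETE.EXE": ("T1107 File Deletion", ()),  # () = any non-system file it touched
}
SYSTEM_DIRS = ("\\WINDOWS\\SYSTEM32\\", "\\WINDOWS\\SYSWOW64\\")  # loaded OS DLLs are noise

def parse_pf_name(name: str) -> Optional[Tuple[str, str]]:
    """Split a Prefetch file name into (EXECUTABLE, PATH_HASH); None if it is not a .pf name."""
    m = PF_NAME.match(name)
    return (m.group("exe").upper(), m.group("hash").upper()) if m else None

def hunt(entries: List[dict]) -> List[Tuple[str, str, str, str]]:
    """entries = [{'pf_name': ..., 'files': [referenced files as a tool like PECmd lists them]}].
    Returns (executable, path hash, technique, referenced file) for each watched executable."""
    hits = []
    for entry in entries:
        parsed = parse_pf_name(entry["pf_name"])
        if parsed is None or parsed[0] not in WATCHLIST:
            continue
        exe, path_hash = parsed
        technique, exts = WATCHLIST[exe]
        for ref in entry["files"]:
            upper = ref.upper()
            if upper.rsplit("\\", 1)[-1] == exe or any(d in upper for d in SYSTEM_DIRS):
                continue  # the binary itself, or a system library it loaded
            if not exts or upper.endswith(exts):
                hits.append((exe, path_hash, technique, ref))
    return hits

# Constructed sample input: volume GUIDs, path hashes and file paths are all made up.
SAMPLE = [
    {"pf_name": "HH.EXE-6B8E1F9C.pf", "files": [r"\VOLUME{01d3}\WINDOWS\SYSTEM32\NTDLL.DLL",
        r"\VOLUME{01d3}\WINDOWS\HH.EXE", r"\VOLUME{01d3}\USERS\USER\DOWNLOADS\INVOICE.CHM"]},
    {"pf_name": "SDBINST.EXE-2D9F1A44.pf", "files": [r"\VOLUME{01d3}\WINDOWS\SYSTEM32\SDBINST.EXE",
        r"\VOLUME{01d3}\USERS\USER\APPDATA\LOCAL\TEMP\UPDATE.SDB", r"\VOLUME{01d3}\WINDOWS\APPPATCH\CUSTOM\{11111111-2222-3333-4444-555555555555}.SDB"]},
    {"pf_name": "SDELETE.EXE-0A1B2C3D.pf", "files": [r"\VOLUME{01d3}\WINDOWS\SYSTEM32\KERNEL32.DLL",
        r"\VOLUME{01d3}\USERS\USER\APPDATA\LOCAL\TEMP\SDELETE.EXE", r"\VOLUME{01d3}\USERS\USER\DOCUMENTS\STAGING.ZIP"]},
]
```

Running hunt(SAMPLE) yields four hits: the CHM opened via hh.exe, both the installation .sdb and the installed copy under AppPatch\Custom for sdbinst.exe, and the archive that sdelete.exe wiped. Name matching alone misses a PSEXESVC service renamed with -r, which is why the referenced-file list, not the executable name, is the evidence to key on.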

Of course, this is not an exhaustive list of the techniques that can be discovered while analysing Prefetch files, but it should be enough to show that such files can help not only to find traces of execution, but also to reconstruct the specific tactics and techniques of an attacker.

Source: www.habr.com
