Слайды к курсу Расследование локального инцидента информационной безопасности.

1. Расследование локального инцидента
ИБ
Криминалистический анализ слепков RAM, DISK
Версия 0.2

2. Volatility
https://www.volatilityfoundation.org
https://github.com/volatilityfoundation/volatility

3. Поддерживаются слепки RAM с
● 32- and 64-bit Windows 10 and Server 2016
● 64-bit Windows Server 2012 and 2012 R2
● 32- and 64-bit Windows 8, 8.1, and 8.1 Update 1
● 32- and 64-bit Windows 7 (all service packs)
● 32- and 64-bit Windows Server 2008 (all service packs)
● 64-bit Windows Server 2008 R2 (all service packs)
● 32- and 64-bit Windows Vista (all service packs)
● 32- and 64-bit Windows Server 2003 (all service packs)
● 32- and 64-bit Windows XP (SP2 and SP3)
● 32- and 64-bit Linux kernels from 2.6.11 to 4.2.3+
● 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
● 32- and 64-bit 10.6.x Snow Leopard
● 32- and 64-bit 10.7.x Lion
● 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
● 64-bit 10.9.x Mavericks (there is no 32-bit version)
● 64-bit 10.10.x Yosemite (there is no 32-bit version)
● 64-bit 10.11.x El Capitan (there is no 32-bit version)
● 64-bit 10.12.x Sierra (there is no 32-bit version)

4. Поддерживаемые форматы памяти
● Raw/Padded Physical Memory
● Firewire (IEEE 1394)
● Expert Witness (EWF)
● 32- and 64-bit Windows Crash Dump
● 32- and 64-bit Windows Hibernation
● 32- and 64-bit MachO files
● Virtualbox Core Dumps
● VMware Saved State (.vmss) and Snapshot (.vmsn)
● HPAK Format (FastDump)
● LiME (Linux Memory Extractor)
● QEMU VM memory dumps

5. Запуск volatility и опции запуска
Структура опций запуска
python vol.py [plugin] -f [image] --profile=[profile]
Или
./vol.py [plugin] -f [image] --profile=[profile]
В видео уроках используем формат:
cd ~/training/tools/volatility
./vol.py -f /media/sdb1/Windows/memory.img imageinfo

6. Исследование образа RAM
Исследуем образ RAM, определяем:
● Возможный профиль (по поиску KDBG)
● AS Layer 1, 2
● Тип PAE
● DTB (Directory Table Base)
● KDBG
● KPCR (Kernel Processor Control Region)
● KUSER_SHARED_DATA
● Время слепка (отдельно указывается временная зона)

7. Используем алиасы для удобства
Так как нам уже известны адреса DTB, KDBG, KPCR можем задать алиас:
vol=’/home/enisa/training/tools/volatility/vol.py -f
/media/sdb1/Windows/memory.img --dtb=0x1a8000 --kdbg=0x82461820
--kpcr=0x8248b000 --profile=Win10x86_44B89EEA’

8. Yara
https://virustotal.github.io/yara/
https://github.com/virustotal/yara
https://yara.readthedocs.io/en/stable/
https://github.com/Yara-Rules/rules
man yara
man yarac

9. Yara python
https://yara.readthedocs.io/en/stable/yarapython.html
https://pypi.org/project/yara-python/
https://github.com/VirusTotal/yara-python

10. Yara Editor

11. https://code.visualstudio.com/
https://marketplace.visualstudio.com/items?itemName=infosec-intern.yara
https://atom.io/
https://atom.io/packages/language-yara

12. Установка дополнительных модулей volatility
Установка дополнительных модулей volatility на примере ethscan [1]
1. cd /home/enisa/training/tools/volatility/volatility/plugins
2. wget https://raw.githubusercontent.com/byt3bl33d3r/jamaal-re-tools/master/volplugins/ethscan.py
3. cd /home/enisa/training/tools/volatility
4. sudo ./vol.py ethscan -f /media/sdb1/Windows/memory.img --profile=Win10x86_44B89EEA
--save-pcap=out.pcap --dump-dir=ethscan_dump
[1] https://github.com/byt3bl33d3r/jamaal-re-tools/tree/master/volplugins