Using Shellbag Information to Reconstruct User Activities
Digital Forensic Research Center
Presenter: 박정흠 ([email protected]), Korea University Digital Forensic Research Center
Using shellbag information to reconstruct user activities
Yuandong Zhu, Pavel Gladyshev, Joshua James, DFRWS 2009
Agenda
1. Registry Forensics
2. Shellbag Information
3. Experimental Analysis of Shellbag updating
4. Causality between User actions & Shellbag updating
5. Shellbag Analysis Method
6. Case Study
7. Conclusion
1. Registry Forensics
Conventional registry forensics: extracting forensically meaningful data from the registry
• account information, recently used files, autorun entries, program execution logs, lists of connected storage devices, etc.
• recovery of deleted registry data
Recent issues
• analysis of Restore Point registry snapshots
• correlating two or more sets of registry data
Papers (2009)
• Identifying newly updated data values of MRU Keys between registry snapshots
  – Fifth Annual IFIP WG 11.9 International Conference on Digital Forensics
• A comparative methodology for the reconstruction of digital events using Windows Restore Points
  – Digital Investigation
• Using shellbag information to reconstruct user activities
  – DFRWS 2009
• Authors: Yuandong Zhu, Pavel Gladyshev, Joshua James
  Center for Cybercrime Investigation, University College Dublin, Ireland
2. Shellbag Information
Shellbag: Explorer's cache of view settings for the desktop and for each folder window (window size, window position, etc.)
Shellbag locations
2000, XP, 2003
• HKCU\Software\Microsoft\Windows\Shell
• HKCU\Software\Microsoft\Windows\ShellNoRoam
Vista, 7
• HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell
Shellbag & Streams
• Shellbag: stores the settings of each individual folder
• Streams: stores the default settings
[Figure: the BagMRU tree (Desktop > My Computer > My Computer\Programs > Test). Each MRU item carries Modification, LastAccess and Creation timestamps; the Display keys (at most 5000) store Window Size, Window Position and Sort Order.]
[Figure: CLSID list (Windows Class Identifiers), e.g. the entry for My Computer]
Shellbag Cleaner ?
Terminology
• Folder's MRU key: the folder's own numbered subkey under BagMRU, holding its MRUListEx and NodeSlot values
• Folder's MRU item: the binary value in the parent folder's MRU key that identifies the folder
• Folder's Display key: the Bags\<NodeSlot>\Shell key holding the folder's display settings
3. Experimental Analysis of Shellbag updating
Experiments 1 to 6: open or close the target folder, varying whether Shellbag information for it already exists and whether it is a Desktop folder
Shellbag exists: Yes, Desktop folder: Yes, user action: Open
- Find the target folder's MRU item by enumerating all items
- Update the BagMRU key's "MRUListEx" value
- Find the target folder's Display key
Shellbag exists: Yes, Desktop folder: Yes, user action: Close
- Find the target folder's MRU item by enumerating all items
- Update the BagMRU key's "MRUListEx" value
- Write the folder's display settings to the Display key
Shellbag exists: Yes, Desktop folder: No, user action: Open
- Find the target folder's MRU item by enumerating all items
- Update the target folder's and all parent folders' "MRUListEx" values
- Find the target folder's Display key
Shellbag exists: Yes, Desktop folder: No, user action: Close
- Find the target folder's MRU item by enumerating all items
- Update the target folder's and all parent folders' "MRUListEx" values
- Write the folder's display settings to the Display key
Shellbag exists: No, Desktop folder: either, user action: Open
- Find the target folder's MRU item by enumerating all items
- The user action does not create any new Shellbag information
- Update the target's parent folders' "MRUListEx" values
Shellbag exists: No, Desktop folder: either, user action: Close
- Find the target folder's MRU item by enumerating all items
- Create the target folder's MRU key and MRU item
- Update the target folder's and all parent folders' "MRUListEx" values
- Write the folder's display settings to the Display key
Experiment 7 (deleting a folder)
Shellbag exists: Yes, Desktop folder: either, user action: Delete
- Update the target folder's and all parent folders' "MRUListEx" values
- No registry deletion takes place
Experiment 8 (creating a folder with the same name as a deleted one)
Shellbag exists: Yes, Desktop folder: either, user action: Open
- The existing Shellbag information is reused as it is
- Same result as Experiment 1
Experiment 9 (closing a folder when the registry already holds the maximum (5000) number of Display keys)
Shellbag exists: No, Desktop folder: either, user action: Close
- Update the target folder's and all parent folders' "MRUListEx" values
- NodeSlot value = '1' (Bags\1\Shell)
4. Analysis of Causality between User actions & Shellbag updating
Summary 1
Summary 2: updating of an MRU item's position
Summary 3: a key's timestamp changes only when the values or subkeys inside that key change
Summary 4: how to decide whether a Shellbag MRU item is a pre-existing one
• by 'folder name (path)'
• after a folder is deleted and a new one is created at the same location, the MRU key, MRU item and Display key left behind are reused
5. Shellbag Analysis Method
Rule 1: If folder A's MRU item position has changed,
a type 1 or type 2 action (the open and close actions of the experiments above) was performed on folder A
Rule 2: If folder A's Display key was created or updated,
a type 2 action was performed on folder A
Rule 3: If folder A's MRU key, MRU item and Display key do not exist,
a type 2 action never occurred on folder A
Rule 4: Before folder A's MRU item position can change,
the positions of A's parent folders' items must have changed
Rule 5: If folder A's MRU item position did not change,
the positions of A's parent folders' items were not changed (by an action on A)
Rule 6: If folder A's MRU key has the same timestamp in two consecutive snapshots,
either no MRU item position changed, or only the first item was re-accessed (it stays in first position, so no value changes)
Rule 7: If folder A's MRU key has the same timestamp in two consecutive snapshots,
no MRU item changed position (except possibly the first item)
Rule 8: If folder A's MRU key has identical values in two consecutive snapshots but a different timestamp,
some MRU item positions must have changed in between (and been restored)
Rule 9: Compare the creation time stored in folder A's MRU item binary data with folder A's creation time in the file system
• if they are the same
  the MRU item belongs to the folder that currently exists
• if they differ
  the MRU item does not belong to the currently existing folder (it refers to an earlier folder at the same path)
6. Case Study
7. Conclusion
• Nine rules concerning Shellbag information are proposed
• Using them, the user's folder activity history can be reconstructed
• TraceHunter (http://tracehunter.com/)
• Research on operating systems other than Windows XP is still needed
Q & A
Thank you
Digital Forensic Research Center, http://forensic.korea.ac.kr