Master's and Doctoral Theses: Record etd-0721118-200932 (details)



Name: 蔡政勳 (Zheng-Xun Tsai)    E-mail: not disclosed
Department: 資訊管理學系研究所 (Institute of Information Management)
Degree: Master    Graduation: academic year 106, 2nd semester
Title (Chinese): 自動化資安事件應變之鑑識系統
Title (English): An Automatic Forensic System for Incident Response
Files
  • etd-0721118-200932.pdf
  • This electronic full text is licensed only for academic research: personal, non-commercial retrieval, reading and printing.
    Please comply with the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it.
    Access rights

    Printed thesis: public after 5 years (public from 2023-08-27)

    Electronic thesis: user-defined rights: on campus public after 5 years, off campus public after 5 years

    Language/pages: Chinese / 66
    Statistics: this thesis has been viewed 5404 times and downloaded 0 times
    Abstract (Chinese): In recent years the number of security incidents in Taiwan has kept growing; government, academic institutions, enterprises and individual users are all targets of hackers. When an incident occurs, the victim is often caught unprepared, and the damage gradually spreads.
    Digital forensics, also called computer forensics, is the collection of digital evidence after a cybercrime and the search through that evidence for traces of the perpetrator. Hacker techniques are highly varied, and a single incident may involve many attack methods, so evidence ends up scattered across different resources. Each resource and each forensic step has many forensic tools to choose from, which makes it hard for users to pick a suitable tool, and different tools also deliver digital evidence in different formats, which makes integrated analysis difficult and slows down incident response.
    The purpose of this research is to develop an automated forensic system that integrates commonly used forensic tools, so that users can quickly run them against the victim host and collect evidence. After collection, the system automatically analyses the collected evidence so that users can quickly understand the incident.
    Abstract (English): In recent years there have been more and more cyber-attacks targeting Taiwan. Governments, academic institutes, enterprises and even individuals in Taiwan are the victims of these incidents, and when an incident happens the victims usually fail to handle it properly or to apply any mitigation, making it worse and worse.
    Digital forensics, also known as computer forensics, is the activity that takes place after a cybercrime has occurred. Its goal is to collect evidence in order to trace back the whole incident and identify the criminals. There are multiple ways for a hacker to carry out an attack, and each attack may consist of many different attack scenarios, which leaves evidence scattered across different resources. There are also too many tools implementing evidence acquisition for different resources and stages, making it much more difficult for victims with little digital-forensics know-how to choose the proper tools to respond to a security incident. Even worse, the differing log formats generated by different forensics tools may slow down the whole incident-response process.
    This thesis aims to design an automatic forensic system for incident response. The system integrates some commonly used forensics tools, so victims no longer face the dilemma of choosing tools and can quickly collect digital evidence from the victim system. After the collection, the system automatically analyses the collected data and generates a report that helps the user comprehend the incident and serves as a reference for investigators.
    Keywords (Chinese)
  • Tool integration
  • Malware detection
  • Incident response
  • Digital forensics
  • Automation
    Keywords (English)
  • Incidents Response
  • Automatic
  • Digital Forensics
  • Malware Detection
  • Tools Integrate
    Table of contents

    Abstract (Chinese)
    Abstract (English)
    Table of contents
    List of figures
    List of tables
    Chapter 1: Introduction
    1.1 Research background
    1.2 Research motivation
    Chapter 2: Literature review
    2.1 Forensic process
    2.2 Digital evidence
    2.3 Digital forensic analysis toolkits
    2.4 Windows Registry
    2.5 Forensic tools
    2.5.1 Network connection forensic tools
    2.5.2 Process forensic tools
    Chapter 3: System design
    3.1 Configuration file
    3.2 Collecting digital evidence
    3.2.1 Network evidence
    3.2.2 Processes
    3.2.3 Windows Registry
    3.2.4 Windows event logs
    3.3 Analysis modules
    3.3.1 Network behaviour analysis
    3.3.2 Process analysis
    3.3.3 Registry analysis
    3.3.4 Windows event log analysis
    3.3.5 Keyword search
    3.4 Report export
    Chapter 4: System evaluation
    4.1 Experiment 1: Collecting and analysing malware footprints
    4.2 Experiment 2: Malware digital evidence at different points in time
    4.3 Experiment 3: Comparison with other systems
    4.4 Experiment 4: Comparison with a real forensic report
    4.5 Experiment 5: Evidence size versus analysis time
    Chapter 5: Contributions and future work
    References
    Oral defense committee
  • 鄭伯炤 - Convener
  • 胡育誠 - Committee member
  • 范俊逸 - Committee member
  • 賴谷鑫 - Committee member
  • 陳嘉玫 - Advisor
    Defense date: 2018-07-26    Submission date: 2018-08-27


