Thesis record etd-0721118-200932: details (title page)
Title: An Automatic Forensic System for Incident Response (Chinese title: 自動化資安事件應變之鑑識系統)
Department:
Year, semester:
Language:
Degree:
Number of pages: 66
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2018-07-26
Date of Submission: 2018-08-27
Keywords: Incident Response, Automation, Digital Forensics, Malware Detection, Tool Integration
Statistics: The thesis has been browsed 5864 times and downloaded 3 times.
Abstract (Chinese, translated)
In recent years, more and more security incidents have occurred in Taiwan; government, academic institutions, enterprises and individual users are all targets of attackers. When an incident occurs, the victims are often caught off guard, and the losses gradually grow.
Digital forensics, also called computer forensics, is the collection of digital evidence after a cybercrime and the search within that evidence for traces of the perpetrator. Attacker techniques are highly varied, and a single security incident may involve many attack methods, so the evidence is scattered across different resources. Collecting evidence from each resource and carrying out each forensic step can be done with many different forensic tools, which makes it hard for users to choose a suitable one; different tools also produce digital evidence in different formats, which complicates integrated analysis and slows down incident response.
The goal of this research is to develop an automated forensic system that integrates commonly used forensic tools, so that users can quickly collect forensic data from the victim host. After collection, the system automatically analyses the collected data so that users can quickly understand the incident.
Abstract
In recent years, there have been more and more cyber-attacks targeting Taiwan. Governments, academic institutes, enterprises and even individuals in Taiwan are the victims of these incidents, and when an incident happens, the victims usually fail to handle it properly or to apply any mitigation, making it worse and worse.
Digital forensics, also known as computer forensics, is the action taken after a cybercrime has occurred. Its goal is to collect evidence in order to trace back the whole incident and identify the criminals. Attackers have multiple ways to perform an attack, and each attack may consist of several attack scenarios, which leaves evidence scattered across different resources. There are also many tools that implement evidence acquisition for different resources and stages, which makes it much more difficult for victims with little digital forensics know-how to choose proper tools to respond to a security incident. Even worse, the different log formats generated by different forensic tools may slow down the whole incident response process.
This thesis aims to design an automatic forensic system for incident response. The system integrates some commonly used forensic tools, so the victims no longer face the dilemma of choosing tools and can quickly collect digital evidence from the victim system. After collection, the system automatically analyzes the collected data and generates a report that helps the user comprehend the incident and serves as a reference for investigators.
Table of Contents

Abstract (Chinese) ii
Abstract iii
Table of Contents iv
List of Figures vi
List of Tables vii
Chapter 1 Introduction 1
1.1 Research Background 1
1.2 Research Motivation 2
Chapter 2 Literature Review 6
2.1 Forensic Process 6
2.2 Digital Evidence 10
2.3 Digital Forensic Analysis Toolkits 12
2.4 Windows Registry 13
2.5 Forensic Tools 16
2.5.1 Network Connection Forensic Tools 16
2.5.2 Process Forensic Tools 18
Chapter 3 System Design 21
3.1 Configuration File 22
3.2 Collecting Digital Evidence 26
3.2.1 Network Evidence 26
3.2.2 Processes 28
3.2.3 Windows Registry 29
3.2.4 Windows Event Logs 30
3.3 Analysis Modules 32
3.3.1 Network Behaviour Analysis 33
3.3.2 Process Analysis 34
3.3.3 Registry Analysis 36
3.3.4 Windows Event Log Analysis 37
3.3.5 Keyword Search 38
3.4 Report Export 38
Chapter 4 System Evaluation 40
4.1 Experiment 1: Collecting and Analysing Malware Footprints 40
4.2 Experiment 2: Malware Digital Evidence at Different Points in Time 46
4.3 Experiment 3: Comparison with Other Systems 47
4.4 Experiment 4: Comparison with a Real Forensic Report 49
4.5 Experiment 5: Evidence Size versus Analysis Time 51
Chapter 5 Contributions and Future Work 54
References 55
Fulltext
This electronic full text is licensed only for users to search, read and print it for personal, non-profit academic research. Please comply with the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without authorisation, to avoid infringing the law.
Thesis access permission: user-defined release date
Available:
Campus: available
Off-campus: available


Printed copies
Public-access information for printed theses is relatively complete from academic year 102 (ROC calendar) onward. To look up the public-access information of a printed thesis from academic year 101 or earlier, please contact the printed-thesis service desk of the Library and Information Services Office. We apologise for any inconvenience.
Availability: available