Digital Forensic Research Center, CIST, Korea Univ. 1 / 30, 04/17/2023
Advanced Digital Forensics
Chapter 7. Online Digital Officer Safety
27th Master Course, Moon-ho Kim
Digital Forensic Research Center, Center for Information Security Technologies
Korea University
[Figure: overview of the online investigative computer protection process; the labels "Consider use of encryption" and "Keeping system secure" survive from the diagram]
Contents
Basic preparation and protection
• Online investigative computer protection process (pp. 3-21)
Continuing security maintenance
• Keeping your investigative computer secure (pp. 22-29)
Basic investigative computer protection
Online investigative computer protection process (1/20)
<Online investigative computer protection process>
[Figure: process diagram with the following steps, listed here in the order the following slides treat them]
• Install firewall
• Load antivirus software
• Install spyware detection software
• Install/update browser
• Block cookies
• Configure operating system
• Consider use of encryption
• Keeping system secure
Basic investigative computer protection
Firewall installation
• Hardware firewalls
◦ Hardware firewalls come in many types, and large, expensive systems exist, but the type in most common use is the one that connects to a SOHO network (Hardware firewalls come in a variety of types. There are commercially available systems that can cost thousands of dollars and are used by network administrators to control any size network. The most commonly available routers for general use are the types that connect to the average SOHO network.)
◦ Security steps for SOHO routers (Steps for router security)
◦ Enable encryption; change the service set identifier (SSID) / disable broadcast
◦ Turn off remote management; change the access password to your router
◦ Disable Universal Plug and Play on the router; Media Access Control (MAC) addressing
◦ Uncheck any options that allow the router to respond to a ping command from the Internet
Online investigative computer protection process (2/19)
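The router steps above are a checklist, and a checklist is easiest to apply when it can be run against a configuration. The following is an added example, not code from the slides or from the book they summarize: it audits a SOHO router configuration against those steps. The key/value format, the two sample configurations and the list of default passwords are all constructed for the demo, and "MAC addressing" is read here as MAC address filtering (an assumption); a real router exposes these settings through its own admin interface.

```python
# Added example: audit a SOHO router configuration against the slide's
# hardening steps. Config format, sample values and default-password list
# are constructed for the demo (not a real router export).

WEAK_CONFIG = {           # constructed: a router as shipped
    "wifi_encryption": "none",
    "ssid": "default-router",
    "ssid_broadcast": True,
    "remote_management": True,
    "admin_password": "admin",
    "upnp": True,
    "mac_filtering": False,        # assumption: "MAC addressing" = MAC filtering
    "wan_ping_reply": True,
}

HARDENED_CONFIG = {       # constructed: the same router after the steps
    "wifi_encryption": "wpa2",
    "ssid": "ofc-9f31",
    "ssid_broadcast": False,
    "remote_management": False,
    "admin_password": "v7!Qx2#pL9mZ",
    "upnp": False,
    "mac_filtering": True,
    "wan_ping_reply": False,
}

DEFAULT_PASSWORDS = {"admin", "password", "1234", ""}   # constructed sample list


def audit_router(cfg):
    """Return a list of findings; an empty list means every listed step is applied."""
    findings = []
    ssid = cfg.get("ssid", "").lower()
    password = cfg.get("admin_password", "")
    if cfg.get("wifi_encryption", "none").lower() not in ("wpa2", "wpa3"):
        findings.append("enable WPA2/WPA3 encryption")
    if ssid.startswith("default") or "router" in ssid:
        findings.append("change the default SSID")
    if cfg.get("ssid_broadcast", True):
        findings.append("disable SSID broadcast")
    if cfg.get("remote_management", False):
        findings.append("turn off remote management")
    if password in DEFAULT_PASSWORDS or len(password) < 8:
        findings.append("change the router access password")
    if cfg.get("upnp", False):
        findings.append("disable UPnP")
    if not cfg.get("mac_filtering", False):
        findings.append("enable MAC address filtering")
    if cfg.get("wan_ping_reply", False):
        findings.append("stop responding to ping from the Internet")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_router(cfg) or "OK")
```

Run it and the shipped configuration produces one finding per step while the hardened one produces none; the same function can be pointed at an exported configuration once its keys are mapped to the router's own names.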
Basic investigative computer protection
Firewall installation
• Software firewalls
◦ Windows has shipped with a built-in software firewall since Windows XP SP2 (The Windows operating systems since Windows XP SP2 have each come with a built-in software firewall.)
◦ Many commercial software firewalls also exist (There are also many commercial software firewalls that offer different features and functionality than the Windows firewall.)
◦ When using another software firewall, configure the Windows firewall off (Be sure to disable the Windows firewall before loading any other firewall to prevent any conflict between the software firewalls.)
◦ A firewall is needed to prevent malicious attacks, but one applied too strictly blocks access to sites needed for the investigation (Firewalls should obviously be configured to prevent malicious intrusion into the investigative system. However, they should not be set so restrictively that individuals can't access certain sites, such as social networking sites, that may be needed for investigative purposes.)
Online investigative computer protection process (3/19)
Basic investigative computer protection
Malware protection
• Antivirus applications help prevent computer virus infections (Antivirus application manufacturers provide products that assist the user in the prevention of computer virus infections.)
• There are two virus detection techniques. The first uses virus signatures, which leaves a zero-day gap (These products involve two techniques for detecting viruses. The first and most prevalent technique uses antivirus signatures. The pitfall to this detection method is its vulnerability to a "zero-day threat".)
• The second is heuristic analysis, which can produce false positives (Another method is heuristic analysis. The problem with this technique is that it can lead to false positives.)
• The programs must be updated periodically; automatic update installation is not recommended (Be sure to update the programs periodically. It is not recommended that these tools do automatic update installations. This prevents an update from forcing a reboot in the middle of an investigation.)
Online investigative computer protection process (4/19)
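The two failure modes named above (a signature misses anything it has not seen, a heuristic flags legitimate tools) are easiest to see side by side. The following is an added example, not part of the slides or of any antivirus product: a miniature signature scanner and a miniature heuristic scanner run over four constructed byte strings that stand in for executables. The "signature database", the marker list and the scoring threshold are all made up for the demo.

```python
import hashlib

# Constructed samples: harmless byte strings standing in for executables.
# Sample 2 differs from sample 1 by a single byte (a "v2" of the same dropper);
# sample 3 is a legitimate debugging helper that uses the same APIs.
KNOWN_MALWARE = b"MZ evil-dropper v1 | CreateRemoteThread | WriteProcessMemory | cmd.exe /c"
ZERO_DAY      = b"MZ evil-dropper v2 | CreateRemoteThread | WriteProcessMemory | cmd.exe /c"
BENIGN_TOOL   = b"MZ debugger-helper | CreateRemoteThread | WriteProcessMemory | attach to pid"
BENIGN_DOC    = b"Quarterly report: all figures are in thousands of dollars."

# Signature database: hashes of samples the vendor has already analysed (constructed).
SIGNATURES = {hashlib.sha256(KNOWN_MALWARE).hexdigest()}

# Heuristic rule: strings common in malware but also in legitimate tools (constructed).
SUSPICIOUS_MARKERS = [b"CreateRemoteThread", b"WriteProcessMemory", b"cmd.exe /c"]
HEURISTIC_THRESHOLD = 2


def signature_scan(data: bytes) -> bool:
    """Exact match against known-bad hashes: precise, but blind to anything new."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


def heuristic_scan(data: bytes) -> bool:
    """Score suspicious markers: catches variants, at the cost of false positives."""
    score = sum(1 for marker in SUSPICIOUS_MARKERS if marker in data)
    return score >= HEURISTIC_THRESHOLD


def scan_all(samples):
    """Return {name: (signature_verdict, heuristic_verdict)} for each sample."""
    return {name: (signature_scan(data), heuristic_scan(data))
            for name, data in samples.items()}


SAMPLES = {
    "known": KNOWN_MALWARE,
    "zero_day": ZERO_DAY,
    "benign_tool": BENIGN_TOOL,
    "benign_doc": BENIGN_DOC,
}

if __name__ == "__main__":
    for name, (sig, heur) in scan_all(SAMPLES).items():
        print(f"{name:12s} signature={sig!s:5s} heuristic={heur}")
```

The one-byte variant slips past the signature check (the zero-day pitfall), while the heuristic catches it but also flags the benign debugging tool (the false-positive pitfall); real products combine both, which is why both update cadence and manual review of detections matter on an investigative machine.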
Basic investigative computer protection
Spyware protection
• Merely visiting a website can install spyware (The simple act of accessing a website can result in spyware installation.)
• It can collect the user's Internet history, personal data and login credentials (Besides tracking and reporting back on a user's Internet history, some can capture personal data and login credentials.)
• In severe cases the drive must be reformatted to remove the offending programs (Infections can get so bad that sometimes the only recourse is to reformat the hard drive to remove the offending programs.)
• Update periodically and read the manuals (As with virus protection, you should update the programs periodically and do full manual scans.)
• Programs can conflict with one another, so install only the tools the investigation needs (Running them all on the same machine would undoubtedly cause conflicts on the investigative machine. The investigator needs to review the software that best suits their needs and install only the needed tools for the investigation.)
Online investigative computer protection process (5/19)
Basic investigative computer protection
Installing and updating browsers
Online investigative computer protection process (6/19)
Browser extensions and the browsers (Internet Explorer, Firefox, Chrome) that support them:
• WOT: Internet Explorer, Firefox, Chrome
• Fiddler: Internet Explorer, Firefox, Chrome
• DOM Inspector: one browser (a similar tool is built into another)
• DebugBar: one browser
• Search Engine Security: Internet Explorer, Firefox, Chrome
• Hide My Ass (proxy server): two of the three browsers
• IPv4 to IPv6 Converter: one browser
• Screen Capture: one browser
• Disconnect: one browser
Online investigative computer protection process (7/19)
WOT (Web Of Trust) [screenshot]: IE ○, Firefox ○, Chrome ○
Online investigative computer protection process (8/19)
Fiddler [screenshot]: IE ○, Firefox ○, Chrome ○
Online investigative computer protection process (9/19)
Dom (Document Object Model) Inspector [screenshot]: IE / Firefox / Chrome: ○ △
Online investigative computer protection process (10/19)
DebugBar [screenshot]: IE / Firefox / Chrome: ○
Online investigative computer protection process (11/19)
Search Engine Security [screenshot]: IE ○, Firefox ○, Chrome ○
Online investigative computer protection process (12/19)
Hide My Ass [screenshot]: IE / Firefox / Chrome: ○ ○
Online investigative computer protection process (13/19)
IPv4 to IPv6 Converter [screenshot]: IE / Firefox / Chrome: ○
Online investigative computer protection process (14/19)
Screen Capture [screenshot]: IE / Firefox / Chrome: ○
Online investigative computer protection process (15/19)
Disconnect [screenshot]: IE / Firefox / Chrome: ○
Basic investigative computer protection
Blocking cookies
• A cookie is a text file created by a website and stored on the local hard drive to help remember information about visits to the site (The purpose of cookies is to identify website users and prepare customized Web pages when the user returns.)
• There are two types of cookies. The first, first-party cookies, are created by the website the user is visiting (Cookies really personalize a user's browsing experience. The type of cookie that accomplishes this is called a first-party cookie.)
• The second, third-party cookies, are created by one website for use by other sites (Third-party cookies are not placed on your computer by the site you are actually visiting. As you explore a website and access different pages, the data on those pages may come from other website servers. These other website servers, which you never actually visited, place their own cookies on your machine.)
Online investigative computer protection process (16/19)
Basic investigative computer protection
Blocking cookies
• Setting the browser to block all cookies has the side effect of preventing access to some sites (Selecting "block all cookies" in your browser settings prevents first-party cookies from being placed on your machine, which can adversely affect access to some sites.)
• Browsers can be set to selectively block third-party cookies (Browsers can be adjusted to selectively block third-party cookies.)
Online investigative computer protection process (17/19)
[Screenshots: cookie settings in Internet Explorer and Google Chrome]
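The first-party/third-party distinction on the two slides above comes down to comparing the host that sets a cookie with the site the user actually navigated to. The following is an added example, not code from the slides or from any browser: it classifies the Set-Cookie headers returned while loading one page and then applies the two policies the slide contrasts. The page URL, the four responses and the cookie names are constructed; the registrable-domain check is a simplification (last two labels) where real browsers consult the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed scenario: the investigator opens a profile page on a social
# network; the page pulls a stylesheet from the site's own CDN, an ad pixel
# and an analytics beacon from other servers, and each response sets a cookie.
TOP_LEVEL_PAGE = "https://www.social-example.net/profile/123"
RESPONSES = [
    ("https://www.social-example.net/profile/123", "session=abc123; Path=/; Secure; HttpOnly"),
    ("https://cdn.social-example.net/theme.css",  "theme=dark; Domain=social-example.net; Path=/"),
    ("https://ads.tracker-example.com/pixel.gif", "uid=7f3a; Domain=.tracker-example.com; Max-Age=31536000"),
    ("https://stats.analytics-example.org/beacon", "visitor=42"),
]


def registrable_domain(host):
    """Simplification: the last two labels. Browsers use the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs


def classify_cookies(top_level_url, responses):
    """Return [(cookie_name, setting_host, 'first-party' | 'third-party'), ...]."""
    site = registrable_domain(urlparse(top_level_url).hostname)
    result = []
    for url, header in responses:
        name, _, attrs = parse_set_cookie(header)
        # The Domain attribute, if present, decides which host the cookie belongs to;
        # otherwise it is the host that sent the response.
        host = attrs.get("domain") or urlparse(url).hostname
        party = "first-party" if registrable_domain(host) == site else "third-party"
        result.append((name, host.lstrip("."), party))
    return result


def apply_policy(policy, classified):
    """'block all' drops everything (including the login session); 'block third-party' keeps the site's own."""
    if policy == "block all":
        return []
    if policy == "block third-party":
        return [c for c in classified if c[2] == "first-party"]
    return list(classified)


if __name__ == "__main__":
    classified = classify_cookies(TOP_LEVEL_PAGE, RESPONSES)
    for row in classified:
        print(row)
    for policy in ("allow all", "block third-party", "block all"):
        print(policy, "->", [c[0] for c in apply_policy(policy, classified)])
```

With "block all" the `session` cookie is discarded along with the trackers, which is exactly how the blanket setting breaks logins to sites an investigation needs; "block third-party" keeps `session` and `theme` and drops `uid` and `visitor`.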
Basic investigative computer protection
Windows operating systems and application changes
• Windows XP computers have file sharing enabled by default, so shared files can be reached over the network (Windows XP computers have file sharing enabled by default. When file sharing is enabled, anyone with access to the network and proper permissions can access the shared files.)
• When sharing files, grant only the minimum access, and only to authorized persons (If you do enable it to share between two or more computers, be sure to set tight permissions that allow access only by authorized persons.)
• A strong password is required (Make sure you have a strong password. A strong password is at least 8+ characters of random letters, numbers, and symbols.)
• Do not open more folders than necessary, and never share the root drive (Never open up more folders than you need and never share the C:\ (root) drive.)
Online investigative computer protection process (18/19)
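The slide's sharing and password rules can be checked mechanically. The following is an added example, not code from the slides: it audits a list of shares for root-drive exposure and for access granted to Everyone, and applies the slide's password rule (8+ characters mixing letters, numbers and symbols) together with a search-space estimate. The share list, its format and the account names are constructed; real share data would come from the host's own share configuration.

```python
import math
import string

# Constructed export of the shares on an investigative workstation
# (hypothetical format, not a real Windows export).
SHARES = [
    {"name": "RootShare", "path": "C:\\",            "access": {"Everyone": "Full"}},
    {"name": "CaseFiles", "path": "C:\\Cases\\2023", "access": {"Everyone": "Read", "LAB\\analyst": "Change"}},
    {"name": "Exports",   "path": "D:\\Exports",     "access": {"LAB\\analyst": "Read"}},
]


def audit_shares(shares):
    """Flag root-drive shares and any access level granted to Everyone."""
    findings = []
    for share in shares:
        path = share["path"].rstrip("\\")
        if len(path) == 2 and path[1] == ":":          # "C:" means the whole drive is shared
            findings.append(f"{share['name']}: shares the root of drive {path}")
        for principal, level in share["access"].items():
            if principal.lower() == "everyone":
                findings.append(f"{share['name']}: {level} access granted to Everyone")
    return findings


def password_strength(password):
    """Return (meets_slide_rule, estimated_bits) for a password.

    The rule is the slide's: at least 8 characters drawn from letters, numbers
    and symbols. The bit estimate is length * log2(size of the character pool
    actually used), i.e. the brute-force search space if the password is random.
    """
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    has_letter = any(c.isalpha() for c in password)
    meets_rule = len(password) >= 8 and has_letter and has_digit and has_symbol
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if has_digit:
        pool += 10
    if has_symbol:
        pool += len(string.punctuation)   # 32 printable ASCII symbols
    bits = len(password) * math.log2(pool) if pool else 0.0
    return meets_rule, round(bits, 1)


if __name__ == "__main__":
    for finding in audit_shares(SHARES):
        print("share:", finding)
    for pw in ("password", "Summer2023", "v7!Qx2#pL9mZ"):
        print(repr(pw), password_strength(pw))
```

Only `Exports` passes the share audit; `password` and `Summer2023` fail the rule (no digit, or no symbol), while a 12-character mix of all four classes comes out near 79 bits of search space, which is the kind of number the GRC crackability test on a later slide reports.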
Basic investigative computer protection
Windows updates
• Windows exploits must be patched (Make sure you have patched all critical Windows exploits.)
◦ http://www.update.microsoft.com/
• If you use Microsoft Office, Word or Outlook Express, those need patching too (If you use Microsoft Office, Word or Outlook Express, here is the link for critical patches.)
◦ http://office.microsoft.com/en-us/
Online investigative computer protection process (19/19)
Encryption
Make encrypting your files a routine (Encryption of your working files is a recommended practice for the online investigator.)
Once files are encrypted, losing the key means the files cannot be read, so regular backups become an issue (Once encrypted, if you lose the key, you have lost the files. An additional issue is that backups need to be made on a regular basis if encryption is employed.)
The limitation of encryption is not its implementation but the equipment it lives on (A significant limitation of encryption is not its implementation but the electromechanical devices it is stored on.)
Keeping your investigative computer secure (1/8)
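The key-loss point above is worth seeing concretely: an authenticated encryption scheme will refuse to decrypt with the wrong key, so a lost key is a lost file unless a copy of the key was backed up separately. The following is an added example, not code from the slides or from any product: a small encrypt-then-MAC construction built only from the standard library (HMAC-SHA256 in counter mode for the keystream, HMAC-SHA256 for the tag), used to play out the scenario. The construction is for illustration; for real files use a vetted library's AES-GCM or similar. Key values and the sample plaintext are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _derive(master: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher (demo construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_derive(master, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_derive(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a damaged file fails closed."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted file")
    ks = _keystream(_derive(master, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def key_loss_scenario():
    """Encrypt case notes, 'lose' the key, and recover only via the backed-up key copy."""
    master = secrets.token_bytes(32)
    key_backup = bytes(master)              # copy kept on separate, offline media
    blob = encrypt(master, b"case notes: constructed sample")
    wrong_key = secrets.token_bytes(32)     # what the investigator has after losing the key
    try:
        decrypt(wrong_key, blob)
        recovered_without_backup = True
    except ValueError:
        recovered_without_backup = False
    recovered = decrypt(key_backup, blob)
    return recovered_without_backup, recovered


if __name__ == "__main__":
    without, with_backup = key_loss_scenario()
    print("decrypted with lost key:", without)
    print("decrypted with key backup:", with_backup)
```

The decrypt with the wrong key raises rather than returning garbage, which is the behaviour you want, and it is also why the slide's backup remark matters: the backup schedule has to cover the key material as well as the encrypted files, on media kept apart from the working drive.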
Cloning a hard drive and imaging
Cloning
• A technique for copying data onto another storage device (The technique of cloning the drive is copying the data on the investigator's drive to the exact same position on another hard drive, the clone.)
• Used to overwrite the current system with an uninfected one (This serves not only as a backup, but as a clean copy that can be used to overwrite the existing system with a clean, unaltered, uninfected system.)
• Makes it possible to respond to hacking or malware infection (This gives the investigator the ability to put a new copy of the system back on the investigative machine if it has been compromised by malware or hackers.)
Imaging
• The process of copying the data, but into a large file on a high-capacity storage device, where other image copies can also be kept (Similarly, imaging refers to a process of copying the data on the investigator's hard drive, but taking the same data the clone makes and placing it into a large file. This file can be stored on another drive with other image copies of the investigator's computer hard drives.)
Keeping your investigative computer secure (2/8)
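The clone/image distinction and the "put a clean copy back" use case can be modelled without touching real disks. The following is an added example, not code from the slides or from any of the cloning tools listed on the next slide: drives are in-memory byte arrays, a clone copies sectors to the same offsets on a second drive, an image places the same bytes in a single container alongside a hash, and a restore verifies that hash before writing the image back over a compromised drive. The drive contents and sector size are constructed.

```python
import hashlib

SECTOR = 512   # constructed sector size for the in-memory drives


def sha256(data) -> str:
    return hashlib.sha256(bytes(data)).hexdigest()


def make_drive(n_sectors: int, seed: int) -> bytearray:
    """Constructed in-memory 'hard drive' with deterministic content."""
    return bytearray((i * 31 + seed) % 256 for i in range(n_sectors * SECTOR))


def clone_drive(source: bytearray, target: bytearray) -> str:
    """Sector-by-sector copy to the same offsets on a second drive; returns the hash of what was written."""
    if len(target) < len(source):
        raise ValueError("target drive is smaller than the source")
    h = hashlib.sha256()
    for offset in range(0, len(source), SECTOR):
        sector = source[offset:offset + SECTOR]
        target[offset:offset + SECTOR] = sector
        h.update(sector)
    return h.hexdigest()


def image_drive(source: bytearray) -> dict:
    """Copy the same sectors into one container (a dict standing in for an image file) plus its hash."""
    data = bytes(source)
    return {"size": len(data), "sha256": sha256(data), "data": data}


def restore_image(image: dict, target: bytearray) -> str:
    """Verify the image against its recorded hash, then write it back over the target drive."""
    if sha256(image["data"]) != image["sha256"]:
        raise ValueError("image is corrupted; refusing to restore")
    if len(target) < image["size"]:
        raise ValueError("target drive is smaller than the image")
    target[:image["size"]] = image["data"]
    return sha256(target[:image["size"]])


def compromise_scenario():
    """Clone and image a clean system, corrupt the live drive, restore it from the image."""
    live = make_drive(8, seed=7)
    original_hash = sha256(live)
    clone = bytearray(len(live))
    clone_hash = clone_drive(live, clone)            # second physical drive
    image = image_drive(live)                        # one file kept on a larger store
    live[1000:1010] = b"\xff" * 10                   # the machine is compromised
    tampered_hash = sha256(live)
    restored_hash = restore_image(image, live)       # clean copy written back
    return original_hash, clone_hash, tampered_hash, restored_hash


if __name__ == "__main__":
    orig, cl, bad, back = compromise_scenario()
    print("clone matches original:  ", cl == orig)
    print("compromised drive differs:", bad != orig)
    print("restored matches original:", back == orig)
```

The hashes are the point: a clone or image is only trustworthy if its hash matches the source at the time it was taken, and a restore should re-check that hash before overwriting anything, so that a damaged image does not replace a compromised drive with a broken one.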
Cloning a hard drive and imaging
Free cloning tools
• Redo Backup
• DriveImageXML
• HDClone
Commercial cloning tools
• Acronis
• XXClone
• Disk Copy
Keeping your investigative computer secure (3/8)
http://circlash.tistory.com/104
Keeping your system clean
Regular checks are needed to keep working efficiently (Your operating system needs regular maintenance to keep working at its peak efficiency.)
Windows includes tools for optimizing the system, and they should be used regularly (Windows has two tools that are very useful for helping to optimize your Windows system. Both should be used on a regular basis to maintain the performance of your system.)
• Disk Cleanup
• Disk Defragmenter
Other tools: CCleaner
Keeping your investigative computer secure (4/8)
Testing your security (www.grc.com)
Password Crackability Test
Keeping your investigative computer secure (5/8)
Testing your security (www.grc.com)
SecurAble Test
Keeping your investigative computer secure (6/8)
Testing your security (www.grc.com)
UPnP Internet Exposure Test
Keeping your investigative computer secure (7/8)
Testing your security (www.grc.com)
Leak Test
Keeping your investigative computer secure (8/8)
Thank you for listening