Digital Forensic Research Center, CIST, Korea Univ. 1 / 30 04/17/2023

Advanced Digital Forensics

Chapter 7. Online Digital Officer Safety

27th Master Course Moon-ho Kim

[email protected]

Digital Forensic Research Center, Center for Information Security Technologies

Korea University

Contents

Basic preparation and protection

Online investigative computer protection process ------------- pp. 3-21

Continuing security maintenance

Keeping your investigative computer secure -------------------- pp. 22-29

Basic investigative computer protection

Online investigative computer protection process (1/20)

<Online investigative computer protection process>

• Install firewall

• Load antivirus software

• Install spyware detection software

• Install/update browser

• Block cookies

• Configure operating system

• Consider use of encryption

• Keeping system secure

Basic investigative computer protection

Firewall installation

• Hardware firewalls

◦ Hardware firewalls come in a variety of types. There are commercially available systems that can cost thousands of dollars and are used by network administrators to control any size network. The most commonly available routers for general use are the types that connect to the average SOHO network.

◦ Steps for SOHO router security

  ◦ Enable encryption; change the service set identifier (SSID) and disable SSID broadcast

  ◦ Turn off remote management; change the access password to your router

  ◦ Disable Universal Plug and Play on the router; use Media Access Control (MAC) address filtering

  ◦ Uncheck any options that allow the router to respond to a ping command from the Internet

Online investigative computer protection process (2/19)
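The router checklist above can be turned into a repeatable audit. The script below is an added example, not part of the slides or of any router vendor's tooling: it parses a constructed key=value settings export (the key names are assumptions; map them to the backup/export format of the router actually in use) and reports every item that is not in the hardened state.

```python
"""Audit a SOHO router's exported settings against the hardening checklist.

Added example (not from the slides). The settings export format and the key
names below are constructed for illustration; map them to your router's own
backup/export format before use.
"""
from dataclasses import dataclass

# Constructed sample of a key=value settings export (not a real vendor format).
SAMPLE_EXPORT = """\
wifi.security=WPA2-PSK
wifi.ssid=NETGEAR52
wifi.ssid_broadcast=1
admin.remote_management=1
admin.password_changed=0
upnp.enabled=1
lan.mac_filtering=0
wan.respond_to_ping=1
"""

# Factory SSID prefixes that reveal the router make/model to anyone nearby (constructed list).
DEFAULT_SSID_PREFIXES = ("NETGEAR", "LINKSYS", "DLINK", "TP-LINK", "DEFAULT")


@dataclass(frozen=True)
class Finding:
    key: str
    current: str
    expected: str
    advice: str


def parse_export(text):
    """Parse 'key=value' lines into a dict; blank lines and '#' comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_router(settings):
    """Return one Finding per checklist item that is missing or not in the hardened state."""
    findings = []

    def expect(key, predicate, expected, advice):
        current = settings.get(key)
        if current is None or not predicate(current):
            findings.append(Finding(key, "<missing>" if current is None else current, expected, advice))

    expect("wifi.security", lambda v: v.upper().startswith(("WPA2", "WPA3")),
           "WPA2-PSK or WPA3", "Enable encryption; open or WEP networks expose all traffic.")
    expect("wifi.ssid", lambda v: not v.upper().startswith(DEFAULT_SSID_PREFIXES),
           "non-default SSID", "Change the SSID so it does not reveal the router make/model.")
    expect("wifi.ssid_broadcast", lambda v: v == "0", "0", "Disable SSID broadcast.")
    expect("admin.remote_management", lambda v: v == "0", "0", "Turn off remote (WAN-side) management.")
    expect("admin.password_changed", lambda v: v == "1", "1", "Change the router access password from the factory default.")
    expect("upnp.enabled", lambda v: v == "0", "0", "Disable Universal Plug and Play.")
    expect("lan.mac_filtering", lambda v: v == "1", "1", "Enable MAC address filtering.")
    expect("wan.respond_to_ping", lambda v: v == "0", "0", "Stop the router answering ping from the Internet.")
    return findings


if __name__ == "__main__":
    for f in audit_router(parse_export(SAMPLE_EXPORT)):
        print(f"[{f.key}] is {f.current!r}, expected {f.expected}: {f.advice}")
```

Run against the constructed export it reports seven of the eight items (only the encryption setting is already correct); a missing key is reported as a finding rather than silently passed, so an export that does not carry a setting still gets flagged.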

Basic investigative computer protection

Firewall installation

• Software firewalls

◦ The Windows operating systems since Windows XP SP2 have each come with a built-in software firewall.

◦ There are also many commercial software firewalls that offer different features and functionality than the Windows firewall.

◦ Be sure to disable the Windows firewall before loading any other firewall, to prevent conflicts between the software firewalls.

◦ Firewalls should obviously be configured to prevent malicious intrusion into the investigative system. However, they should not be set so restrictively that investigators can't access certain sites, such as social networking sites, that may be needed for investigative purposes.

Online investigative computer protection process (3/19)

Basic investigative computer protection

Malware protection

• Antivirus application manufacturers provide products that assist the user in the prevention of computer virus infections.

• These products involve two techniques for detecting viruses. The first and most prevalent technique uses antivirus signatures. The pitfall of this detection method is its vulnerability to a "zero-day threat": malware for which no signature exists yet.

• The other method is heuristic analysis. The problem with this technique is that it can lead to false positives.

• Be sure to update the programs periodically. It is not recommended that these tools do automatic update installations; this prevents an update from forcing a reboot in the middle of an investigation.

Online investigative computer protection process (4/19)
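The two pitfalls named above, a signature missing an unseen sample and a heuristic flagging a benign file, are easy to see side by side. The following is an added example and not from the slides or any antivirus product: the "signature" is simply the SHA-256 of a constructed known sample, the heuristic is byte entropy with an assumed threshold (packed or encrypted payloads tend to have near-random bytes), and all four files are constructed in the code.

```python
"""Signature versus heuristic detection: zero-day miss and false positive.

Added example; none of this is from the slides or from any vendor. Samples
are constructed bytes, the signature database is a hash of one known sample,
and the entropy threshold is an assumption chosen for illustration.
"""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.2   # bits per byte; assumed cut-off for "looks packed or encrypted"

# Constructed samples.
KNOWN_MALWARE = bytes(range(256)) * 4            # the sample the vendor already has a signature for
_variant = bytearray(KNOWN_MALWARE)
_variant[10] ^= 0x55                             # one byte changed: same family, unseen by the vendor
ZERO_DAY_VARIANT = bytes(_variant)
BENIGN_TEXT = b"Keep your investigative computer patched and backed up. " * 20
# Near-random bytes standing in for a legitimate encrypted archive (constructed from hashes).
BENIGN_ENCRYPTED_ARCHIVE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))

# Signature database: exact-content hash -> detection name (constructed).
SIGNATURE_DB = {hashlib.sha256(KNOWN_MALWARE).hexdigest(): "Constructed.Sample.A"}


def entropy_bits_per_byte(data):
    """Shannon entropy of the byte distribution; 8.0 means every byte value is equally likely."""
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def signature_scan(data):
    """Exact-match signature lookup: returns the detection name or None."""
    return SIGNATURE_DB.get(hashlib.sha256(data).hexdigest())


def heuristic_scan(data):
    """Entropy heuristic: True when the content looks packed or encrypted."""
    return entropy_bits_per_byte(data) >= ENTROPY_THRESHOLD


def scan(data):
    """A signature hit is definitive; otherwise fall back to the heuristic."""
    name = signature_scan(data)
    if name:
        return "signature:" + name
    return "heuristic:suspicious" if heuristic_scan(data) else "clean"


if __name__ == "__main__":
    for label, sample in [("known malware", KNOWN_MALWARE), ("zero-day variant", ZERO_DAY_VARIANT),
                          ("benign text", BENIGN_TEXT), ("benign encrypted archive", BENIGN_ENCRYPTED_ARCHIVE)]:
        print(f"{label:25s} entropy={entropy_bits_per_byte(sample):.2f} verdict={scan(sample)}")
```

The one-byte variant defeats the signature outright (the hash no longer matches) and is caught only by the heuristic, while the encrypted archive, which is entirely legitimate, trips the same heuristic: that is the false positive the slide warns about, and why the two techniques are used together rather than either alone.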

Basic investigative computer protection

Spyware protection

• The simple act of accessing a website can result in a spyware installation.

• Besides tracking and reporting back on a user's Internet history, some spyware can capture personal data and login credentials.

• Infections can get so bad that sometimes the only recourse is to reformat the hard drive to remove the offending programs.

• As with virus protection, update the programs periodically and do full manual scans.

• Running all of the available anti-spyware tools on the same machine would undoubtedly cause conflicts on the investigative machine. The investigator needs to review the software that best suits their needs and install only the tools needed for the investigation.

Online investigative computer protection process (5/19)

Basic investigative computer protection

Installing and updating browsers

Online investigative computer protection process (6/19)

Extension                    Internet Explorer   Firefox   Chrome
WOT                          Yes                 Yes       Yes
Fiddler                      Yes                 Yes       Yes
Dom inspector                                    Yes       (similar tool built in)
DebugBar                     Yes
Search Engine Security       Yes                 Yes       Yes
Hide My Ass (proxy server)                       Yes       Yes
IPv4 to IPv6 Converter                                     Yes
Screen Capture                                             Yes
Disconnect                                                 Yes

WOT (Web Of Trust)

Online investigative computer protection process (7/19)

Available for: IE ○, Firefox ○, Chrome ○

Fiddler

Online investigative computer protection process (8/19)

Available for: IE ○, Firefox ○, Chrome ○

DOM (Document Object Model) Inspector

Online investigative computer protection process (9/19)

Available for: Firefox ○, Chrome △ (similar tool built in)

DebugBar

Online investigative computer protection process (10/19)

Available for: IE ○

Search Engine Security

Online investigative computer protection process (11/19)

Available for: IE ○, Firefox ○, Chrome ○

Hide My Ass

Online investigative computer protection process (12/19)

Available for: Firefox ○, Chrome ○

IPv4 to IPv6 Converter

Online investigative computer protection process (13/19)

Available for: Chrome ○

Screen Capture

Online investigative computer protection process (14/19)

Available for: Chrome ○

Disconnect

Online investigative computer protection process (15/19)

Available for: Chrome ○

Basic investigative computer protection

Blocking cookies

• Cookies are text files created by a website and stored on the local hard drive. Their purpose is to identify website users and prepare customized Web pages when the user returns.

• There are two types of cookies. The first, first-party cookies, are created by the website the user is visiting; they are what really personalize a user's browsing experience.

• The second, third-party cookies, are placed on your computer by a site you are not actually visiting. As you explore a website and access different pages, the data on those pages may come from other website servers. These other website servers, which you never actually visited, place their own cookies on your machine.

Online investigative computer protection process (16/19)

Basic investigative computer protection

Blocking cookies

• Selecting "block all cookies" in your browser settings also prevents first-party cookies from being placed on your machine, which can adversely affect access to some sites.

• Browsers can instead be adjusted to selectively block third-party cookies.

Online investigative computer protection process (17/19)

(Screenshots of the cookie settings: < Internet Explorer > < Google Chrome >)
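The first-party/third-party distinction from the previous slide and the two policies above come down to one comparison: is the cookie set by the same site the user is actually visiting? The script below is an added example, not from the slides or from any browser: it classifies each cookie set during a constructed page load (hostnames are illustrative) and shows what each policy would store. The public-suffix table is a tiny stand-in for the real list browsers ship.

```python
"""Classify cookies as first- or third-party and apply the three browser policies.

Added example, not part of the slides. The page load is a constructed fetch
log with illustrative hostnames, and MULTI_LABEL_SUFFIXES is a tiny stand-in
for the public suffix list real browsers use to work out the 'site' of a host.
"""
from collections import namedtuple
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list (real browsers use the full list).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

Cookie = namedtuple("Cookie", "name source_url")

# Constructed log: the page the user actually visited, then every response during
# that page load that tried to set a cookie.
VISITED_PAGE = "https://www.example-news.test/article/123"
SET_COOKIES = [
    Cookie("session_id", "https://www.example-news.test/article/123"),
    Cookie("prefs", "https://static.example-news.test/js/app.js"),
    Cookie("ad_uid", "https://ads.tracker-net.test/pixel.gif"),
    Cookie("_ga", "https://cdn.analytics-co.test/collect"),
]


def registrable_domain(host):
    """Return the site (eTLD+1) of a hostname, e.g. static.example-news.test -> example-news.test."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def is_first_party(cookie, visited_page):
    """A cookie is first-party when it is set by the same site the user is visiting."""
    page_site = registrable_domain(urlsplit(visited_page).hostname)
    cookie_site = registrable_domain(urlsplit(cookie.source_url).hostname)
    return page_site == cookie_site


def apply_policy(policy, cookies, visited_page):
    """Cookies a browser would store under 'allow_all', 'block_third_party' or 'block_all'."""
    if policy == "allow_all":
        return list(cookies)
    if policy == "block_all":
        return []
    if policy == "block_third_party":
        return [c for c in cookies if is_first_party(c, visited_page)]
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    for policy in ("allow_all", "block_third_party", "block_all"):
        kept = [c.name for c in apply_policy(policy, SET_COOKIES, VISITED_PAGE)]
        print(f"{policy:18s} stores: {kept}")
```

With "block_all" even session_id is dropped, which is exactly why logins and preferences break on some sites; "block_third_party" keeps the two cookies from the visited site (the subdomain static.example-news.test is still first-party) and drops the tracker and analytics cookies.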

Basic investigative computer protection

Windows operating systems and application changes

• Windows XP computers have file sharing enabled by default. When file sharing is enabled, anyone with access to the network and the proper permissions can access the shared files.

• If you do enable it to share between two or more computers, be sure to set tight permissions that allow access only to authorized persons.

• Make sure you have a strong password. A strong password is at least 8 characters of random letters, numbers, and symbols.

• Never open up more folders than you need, and never share the C:\ (root) drive.

Online investigative computer protection process (18/19)

Basic investigative computer protection

Windows updates

• Make sure you have patched all critical Windows vulnerabilities.

◦ http://www.update.microsoft.com/

• If you use Microsoft Office, Word, Outlook or Outlook Express, here is the link for critical patches.

◦ http://office.microsoft.com/en-us/

Online investigative computer protection process (19/19)

Encryption

Encryption of your working files is a recommended practice for the online investigator.

Once encrypted, if you lose the key, you have lost the files. An additional issue is that backups need to be made on a regular basis if encryption is employed.

A significant limitation of encryption is not its implementation but the electromechanical devices it is stored on.

Keeping your investigative computer secure (1/8)

Cloning a hard drive and imaging

Cloning

• The technique of cloning the drive is copying the data on the investigator's drive to the exact same position on another hard drive, the clone.

• The clone serves not only as a backup, but as a clean copy that can be used to overwrite the existing system with a clean, unaltered, uninfected system.

• This gives the investigator the ability to put a new copy of the system back on the investigative machine if it has been compromised by malware or hackers.

Imaging

• Similarly, imaging refers to a process of copying the data on the investigator's hard drive, but taking that same data the clone makes and placing it into a large file. This file can be stored on another drive with other image copies of the investigator's computer hard drives.

Keeping your investigative computer secure (2/8)
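The difference between a clone and an image, and the restore-after-compromise use described above, can be shown end to end with a hash check at each step. This is an added example, not from the slides or from any of the tools listed on the next slide: ordinary files stand in for block devices and the drive contents are constructed, so it runs anywhere; on a real system the source would be the device path and the copy would be made offline from boot media.

```python
"""Clone vs. image of an investigator's drive, with hash verification and restore.

Added example, not part of the slides. Files stand in for block devices and
the drive content is constructed; the image path and naming are assumptions.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096


def sha256_of(path):
    """Hash a file block by block so large drives are never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def clone_drive(src, dst):
    """Block-for-block copy: block n of src lands at block n of dst (a clone). Returns dst's hash."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        for block in iter(lambda: s.read(BLOCK_SIZE), b""):
            d.write(block)
    return sha256_of(dst)


def image_drive(src, image_path):
    """Same bytes collected into one image file on another drive, plus a sidecar hash for later checks."""
    digest = clone_drive(src, image_path)          # an image is the clone's data written into a file
    with open(image_path + ".sha256", "w") as f:
        f.write(digest + "\n")
    return digest


def restore_image(image_path, target):
    """Write the image back over a compromised drive, refusing if the image fails its own hash check."""
    with open(image_path + ".sha256") as f:
        expected = f.read().strip()
    if sha256_of(image_path) != expected:
        raise ValueError("image hash mismatch; refusing to restore from a damaged image")
    return clone_drive(image_path, target)


def demo():
    """Constructed drive -> clone -> image -> tamper with the live drive -> restore; report what matched."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = os.path.join(tmp, "investigator_drive.bin")
        with open(drive, "wb") as f:
            f.write(bytes(range(256)) * 64)        # 16 KiB of constructed drive content
        baseline = sha256_of(drive)

        clone_digest = clone_drive(drive, os.path.join(tmp, "second_drive.bin"))

        image = os.path.join(tmp, "backup_volume", "drive.img")   # "another drive" holding images
        os.makedirs(os.path.dirname(image))
        image_digest = image_drive(drive, image)

        with open(drive, "r+b") as f:              # simulate malware altering the live system
            f.seek(100)
            f.write(b"\xff\xff")
        tampered = sha256_of(drive) != baseline

        restored_digest = restore_image(image, drive)
        return {
            "clone_matches": clone_digest == baseline,
            "image_matches": image_digest == baseline,
            "tampered": tampered,
            "restored_matches": restored_digest == baseline,
        }


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step:17s} {ok}")
```

The sidecar hash is the practical addition: an image that has itself been damaged or altered on the backup volume is refused rather than written back over the investigative machine, and the restored drive is re-hashed so the investigator can show it matches the known-clean baseline.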

Cloning a hard drive and imaging

Free cloning tools

• Redo Backup

• DriveImageXML

• HDClone

Commercial cloning tools

• Acronis

• XXClone

• Disk Copy

Keeping your investigative computer secure (3/8)

http://circlash.tistory.com/104

Keeping your system clean

Your operating system needs regular maintenance to keep working at its peak efficiency.

Windows has two tools that are very useful for helping to optimize your Windows system. Both are tools that should be used on a regular basis to maintain the performance of your system.

• Disk Cleanup

• Disk Defragmenter

Other tools: CCleaner

Keeping your investigative computer secure (4/8)

Testing your security (www.grc.com)

Password's Crackability Test

Keeping your investigative computer secure (5/8)
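The strong-password rule from the file-sharing slide (at least 8 characters of letters, numbers and symbols) and the crackability test on this slide are two views of the same arithmetic: the size of the alphabet the password draws from, raised to its length. The following is an added example, not from the slides and not GRC's own calculator: it checks the rule and estimates the exhaustive search space, with the 33-symbol alphabet and the guess rates stated as assumptions. Randomness itself cannot be checked by a function like this, which is why the slide's word "random" still has to be enforced by how the password is generated.

```python
"""Password policy check and brute-force search-space estimate.

Added example, not from the slides or from GRC. SYMBOLS (32 ASCII punctuation
characters plus space) and GUESS_RATES are assumptions used to make the
estimate concrete; adjust them to the threat model you are defending against.
"""
import string

SYMBOLS = 33  # assumption: 32 ASCII punctuation characters plus the space character

# Assumed attacker guess rates, in guesses per second.
GUESS_RATES = {
    "online (rate-limited) attack": 1e3,
    "offline attack, fast hardware": 1e11,
    "massive cracking array": 1e14,
}


def character_classes(password):
    """Which of the four classes (lower, upper, digit, symbol) the password uses."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation or c == " " for c in password),
    }


def meets_policy(password):
    """Slide rule: at least 8 characters, with letters, numbers and symbols all present."""
    cls = character_classes(password)
    return len(password) >= 8 and (cls["lower"] or cls["upper"]) and cls["digit"] and cls["symbol"]


def alphabet_size(password):
    """Size of the character set an attacker must assume once they know which classes are in use."""
    cls = character_classes(password)
    return 26 * cls["lower"] + 26 * cls["upper"] + 10 * cls["digit"] + SYMBOLS * cls["symbol"]


def search_space(password):
    """Candidates an exhaustive attacker must try: every string up to this length from the alphabet."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def crack_seconds(password):
    """Worst-case seconds to exhaust the search space at each assumed guess rate."""
    space = search_space(password)
    return {name: space / rate for name, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "aB1!aB1!", "correct horse battery staple"):
        print(f"{pw!r}: policy={meets_policy(pw)} alphabet={alphabet_size(pw)} "
              f"space={search_space(pw):.3e}")
        for name, secs in crack_seconds(pw).items():
            print(f"    {name:30s} {secs / 86400:.3g} days")
```

An 8-character password that uses all four classes gives a search space of about 6.7e15 candidates, which the code reports as roughly 18.6 hours at the assumed 1e11 guesses per second; each additional character multiplies that by the alphabet size, which is why length matters more than any single symbol.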

Testing your security (www.grc.com)

SecurAble Test

Keeping your investigative computer secure (6/8)

Testing your security (www.grc.com)

UPnP Internet Exposure Test

Keeping your investigative computer secure (7/8)

Testing your security (www.grc.com)

Leak Test

Keeping your investigative computer secure (8/8)

Thank you for listening

[email protected]