Chapter 4: Computer Evidence, Helix and Sysinternals (helixSysinternal.ppt, 21 slides)


Helix: traditional forensics toolkit

Helix operates in two different modes, Windows and Linux. Helix is a forensically sound bootable Linux environment much like Knoppix, but a whole lot more. The "other side" of Helix, a Microsoft Windows executable feature, contains approximately 90 MB of incident response tools for Windows.

Windows tools
[Screenshot slides of the Windows-side tools; no text survives.]

WFT tool (Windows Forensic Toolchest): comprehensive forensics
[Screenshot slides; no text survives.]

Malware Hunting with the Sysinternals Tools

This session provides an overview of several Sysinternals tools, including Process Monitor, Process Explorer, and Autoruns, focusing on the features useful for malware analysis and removal. These utilities enable deep inspection and control of processes, file system and registry activity, and autostart execution points. Mark Russinovich demonstrates their malware-hunting capabilities by presenting several real-world cases that used the tools to identify and clean malware, and concludes by performing a live analysis of a Stuxnet infection's system impact.

Malware Hunting with the Sysinternals Tools: tips

Process Explorer
- colour-codes the different kinds of processes
- can verify image signatures
- shows whether a process is an autostart entry and which registry key starts it
- shows process run time
- a process that is hard to kill can be suspended instead

Autoruns
- the most comprehensive check of Windows autostart entries

Process Monitor
- records every kind of process activity and can filter it
- captures short-lived processes
- can jump to each registry key a process reads or writes

Malware Hunting with the Sysinternals Tools: handling malware in practice

Using the Desktops tool: every tool exited right after launch, so Desktops was used to start Process Explorer on a second desktop, because the malware looked up the window titles of the Sysinternals tools and terminated them. After starting Process Monitor on the other desktop, Winlogon was seen querying one registry value continuously. Deleting the value did not help; it came right back. Once antivirus had removed the DLL, the value could be deleted and the system returned to normal.

Clean Scareware: several suspicious processes, disguised as system processes, with TCP connections to the outside network.

Clean CycBot: no icon; drops a 55d.exe and adds it to an autostart registry key.

Stuxnet and Flame

Stuxnet: The worm copies itself to the root of any removable drives as the files ~WTR4132.tmp and ~WTR4141.tmp. They are actually .dll files. It also copies the shortcuts linking to ~WTR4132.tmp. Stuxnet exploits the zero-day LNK/PIF (shortcut file) automatic execution vulnerability to execute on th
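The checks the tips list and the Scareware/CycBot cases above rely on (signature status, autostart registry entries, system-process look-alikes, outbound TCP connections) can be scripted as a first triage pass before opening Process Explorer or Autoruns. The following PowerShell is an added example written for this page; it is not code from the slides or from Sysinternals. It assumes an elevated prompt (otherwise image paths of other users' and protected processes are empty), Get-NetTCPConnection (Windows 8 / Server 2012 and later), and Get-AuthenticodeSignature; the list of imitated system-process names and the Run/RunOnce keys it checks are this example's own choices, not a complete Autoruns-style enumeration.

```powershell
# Added example (not from the slides or from Sysinternals): a Process Explorer /
# Autoruns style triage pass. For each running process it reports the start time,
# the Authenticode status of the image, whether the image is referenced from an
# HKLM/HKCU Run or RunOnce value (the CycBot 55d.exe case), whether the name imitates
# a Windows system process while running from outside %SystemRoot%, and any
# established TCP connections to non-private addresses (the scareware case).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Names malware likes to borrow (example's own list, extend as needed)
$systemNames = 'svchost', 'csrss', 'lsass', 'winlogon', 'services', 'smss', 'wininit', 'explorer'
$windir = $env:SystemRoot.ToLower()

# Map lowercase executable path -> "key\valuename" for every Run/RunOnce entry
$autostart = @{}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $k = Get-Item -Path $key
    foreach ($name in $k.GetValueNames()) {
        $cmd = [string]$k.GetValue($name)
        # Recover the executable from the command line: quoted path, or first token
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $autostart[$exe.ToLower()] = "$key\$name"
    }
}

function Test-PrivateAddress([string]$ip) {
    # Loopback, unspecified, link-local and RFC 1918 ranges count as internal
    $addr = [ipaddress]$ip
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        return $addr.IsIPv6LinkLocal -or [ipaddress]::IPv6Loopback.Equals($addr) -or [ipaddress]::IPv6Any.Equals($addr)
    }
    $b = $addr.GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or ($b[0] -eq 0) -or
           ($b[0] -eq 169 -and $b[1] -eq 254) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Established connections to external addresses, grouped by owning PID.
# OwningProcess is UInt32; cast to int so the key matches Process.Id later.
$external = @{}
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
    ForEach-Object { $external[[int]$_.OwningProcess] += @("$($_.RemoteAddress):$($_.RemotePort)") }

$report = foreach ($p in Get-Process) {
    $path  = $p.Path                       # empty for System/Idle and protected processes
    $lower = if ($path) { $path.ToLower() } else { '' }
    $sig   = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
    $start = try { $p.StartTime } catch { $null }   # access denied on some system processes
    $auto  = if ($autostart.ContainsKey($lower)) { $autostart[$lower] } else { '' }
    $masq  = ($systemNames -contains $p.ProcessName) -and $path -and -not $lower.StartsWith($windir)
    [pscustomobject]@{
        PID        = $p.Id
        Name       = $p.ProcessName
        StartTime  = $start
        Signature  = $sig                  # Valid, NotSigned, HashMismatch, UnknownError, ...
        Masquerade = $masq
        Autostart  = $auto
        External   = ($external[$p.Id] | Sort-Object -Unique) -join ', '
        Path       = $path
    }
}

# Unsigned images first, then look-alikes, so the suspects sit at the top of the table
$report |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, @{ Expression = { -not $_.Masquerade } }, Name |
    Format-Table PID, Name, StartTime, Signature, Masquerade, Autostart, External, Path -AutoSize
```

A valid signature is not proof of innocence and an unsigned image is not proof of guilt; the table only orders what to look at first. Anything flagged Masquerade or carrying both an Autostart entry and External connections is what the slides' cases looked like, and is worth opening in Process Explorer, which also lets you suspend the process if it resists termination.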

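For the Stuxnet slide above, the removable-drive artefacts it names can be swept for without touching the shortcut-parsing code path that the exploit abuses. The following PowerShell is an added example written for this page, not code from the slides. The file names ~WTR4132.tmp and ~WTR4141.tmp come from the slide; the "MZ" header check (to confirm the .tmp files are really DLLs, as the slide states), the hashing and the hidden-attribute check are this example's own heuristics. It assumes Get-FileHash (PowerShell 4 and later) and Get-CimInstance.

```powershell
# Added example (not from the slides): sweep removable drives for the Stuxnet dropper
# layout the slide describes and list the shortcut files sitting next to it.
# Shortcuts are deliberately NOT resolved through the shell or WScript.Shell: on an
# unpatched host, letting the shell parse a crafted .lnk is exactly the automatic
# execution vector the slide mentions, so only name, size and hash are recorded.

$iocNames = '~WTR4132.tmp', '~WTR4141.tmp'     # names from the slide

function Test-PEHeader([string]$file) {
    # A DLL starts with the DOS stub signature 'MZ' (0x4D 0x5A); a real temp file rarely does
    $fs = [System.IO.File]::OpenRead($file)
    try {
        $buf = New-Object byte[] 2
        $n = $fs.Read($buf, 0, 2)
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } finally {
        $fs.Dispose()
    }
}

function Get-RootArtefact([string]$path) {
    $item = Get-Item -LiteralPath $path -Force          # -Force: hidden/system files too
    $isPe = if ($item.Extension -ieq '.lnk') { $null } else { Test-PEHeader $item.FullName }
    [pscustomobject]@{
        File   = $item.Name
        Bytes  = $item.Length
        Hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        IsPE   = $isPe
        SHA256 = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    }
}

# DriveType 2 = removable media, the propagation channel the slide describes
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $root = $d.DeviceID + '\'
    $hits = @()
    foreach ($name in $iocNames) {
        $f = Join-Path $root $name
        if (Test-Path -LiteralPath $f) { $hits += Get-RootArtefact $f }
    }
    # Any shortcut in the root of removable media is worth a look alongside the .tmp files
    $hits += @(Get-ChildItem -LiteralPath $root -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
               ForEach-Object { Get-RootArtefact $_.FullName })

    if ($hits) {
        "Drive $($d.DeviceID): $($hits.Count) artefact(s)"
        ($hits | Format-Table File, Bytes, Hidden, IsPE, SHA256 -AutoSize | Out-String).TrimEnd()
    } else {
        "Drive $($d.DeviceID): nothing matching"
    }
}
```

Run it from a console, not from an Explorer window showing the drive: the point of reading raw bytes instead of asking the shell about the shortcuts is that nothing here renders icons or resolves link targets, so the sweep itself cannot trigger the shortcut vulnerability on a host that has not been patched. The hashes give you something to compare against a reference set; a .tmp in a drive root that passes the MZ check is the slide's "actually a .dll" observation made concrete.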