Thursday, January 2, 2014

ߥʡ Ϥʤ Ȥ 뤳 Ȥ Ǥ ޤ Ǥ л ΤǤ Τޤޤ Ȥ äȤޤ ʤΤ ( ƤϤ Ȥʤ ΤǤ ) ݥ Ȥ ˤޤȤ Ƥ Ȼפ ޤ ( ȸ ʤ 顢 Ƥ 뤦 빽 ʥܥ 塼 ˤʤäƤ ޤ ޤ )


ޤǤ Ū ǥ 롦 ե å Ǥϡ Ĵ оݤȤʤ륷 ƥ åȥ ( ޤ Ÿ ) ȡ ǥ ơ Υ ե Ф ʸ θ ե Ȥ ä Ĵ ʬ Ϥ Ԥ Ȥ ή ä ˡ ʤΤϡ ڵ Ȥʤ ʤ 餫 Υǡ Ȥ HDD Ĥ Ƥ 뤳 Ȥ Υǡ Ф 뤳 Ȥ פǤ ä Ǥ 롣 Ƕ ǤϤ Τ褦 ʥǥ Ĵ Ǥϸ Ƥ ˤϹ ɸ 2 Ĥ װ 롣 װ
տ Ū ե å Ф Ԥä 硢 ǥ ǡ ɬ ѤǤ ʤ Ȥ С ե 륷 ƥ Ϥ 뤳 Ȥˤ ꡢ ƥե ॹ ( Ǹ 줿 ʤ ) Ĵ 뤳 Ȥ Ǥ 뤬 Τ褦 ʥǡ Ϲ Ԥˤ äƲ 뤳 Ȥ ǽ Ǥ 롣[4] ɸ װ
ɸ װ Ǥϡ ǥ μ Τ ʥ ʤ HDD Τ Ź Ƥ ơ ǥ Ƥ 椷 ʤ ɤ ʤ ߥå ƥ ʥ ƥ ξ 硢 ƥ ߤ 뤳 Ȥ Ǥ ʤ оݤȤʤ ȥ졼 礭 硢 ǥ κ ϸ Ū ǤϤʤ Ĵ ˤ פʥǡ ޤȤ Ƽ 뤿 ᡢ ץ饤 Х 䵡 δ
饤 ե å Ȥϡ ȯ ( ޤ Դ ȯ ) ƥब ư Τޤ Ĵ ʬ Ϥ ˡ 䵻 ѤΤ ȤǤ 롣 Τ褦 Ĵ Ѽ ΤϤ ɿ ΤǤϤʤ ǥ 쥹 ݥ Dz Ư 楷 ƥफ ɬ פʾ 뤳 ȤϤ ޤǤˤ Ԥ Ƥ ǯ ι ˡ ι ٲ 䡢 ꥤ ϵ Ѥ ȯŸ ʤɤˤ äơ 餿 ܤ Ƥ ʬ Ǥ 롣
饤 ե å Ǥϼ ȯ 갷 ᡢ ȯ ν ( ȯ 䤹 䤹 ) 褯 ɬ פ 롣RFC3227 (Guidelines for Evidence Collection and Archiving)[8] ΤäƤ 롣 ޤ "Forensic Discovery"[7] ˤ Ʊ ȯ ˤĤ Ƥε Ҥ 롣 Ƥ ʲ ɽ

Registers, peripheral memory, caches, etc.: nanoseconds
Main memory: nanoseconds
Network state: milliseconds
Running processes: seconds
Disk: minutes
Floppies, backup media, etc.: years
CD-ROMs, printouts, etc.: tens of years
饤 ե å ˤ Ū ǥ 롦 ե å θ 䤦 ޤ ޤ ʹ ɸ װ ؤ б ˤ ꡢɬ פʾ Ψ 褯 Ǥ 롣 Ʊ ˡ ƥ ƶ 饤 Ǥξڵ ι ϡ 켫 Τ ڵ Ѥ ? ȼ ʤˤ ˤ Ƥ Υǡ ƶ 뤳 Ȥ ʤ ʸ С ɤä ߤ 顢 ʤˤ ʤ ϼ 褤 ڵ λ 饤 Ǥξڵ ϻ Ȥ 襤 Ǥ 롣OOV Ǥ 褦 1 ð Τ 鷺 ʴ Ѳ Ƥ ޤ Τ ν ˤʤ롣 ƥ ؤΥ Ư Υ ƥफ 뤿 ˤϡ ʤ 餫 μ ʤˤ äƥ ƥ Ǥ 뤳 Ȥ ɬ פˤʤ롣ʪ Ū 뤤 åȥ Ū ǽ Ǥ 뤳 ȤϤ ɬ פʸ ʴ Ը Υ ǥ ʤɡˤ ɬ פˤʤ롣 Ƹ ǽ 饤 ե å Ϥ μ ˡ 塢Ĵ κƸ ݾڤ 뤳 Ȥ Τ Ƹ ꥤ ϤϽ פǤ 롣 饤 쥹 ݥ
饤 쥹 ݥ ϲ Ư Υ ƥ Ф ƹԤ Τǡ Ǥ θ Ȥʤ ǡ Ϥ Ȥ ɥ ߤ 롣 äƥ ꥤ Ϥˤ ä Ӥ ȡ μ ˤĤ ƤϤ Ȥ ɺ ʤ ξ Ԥˤ 礭 ʰ㤤 롣 ꥤ Ϥˤ ϼ ΤȤ Ǥ 롣[17] ƥ ؤαƶ Ǿ ޤ 뤳 Ȥ Ǥ ꥤ κݤ ƶ ڤܤ Ȥ ʤ Υ ޥ ɤ Ԥ ʤ Фʤ ʤ 饤 쥹 ݥ и Ū ȸ 롣 rootkit ʤɤˤ 륢 å αƶ ˤ оݥ ƥ rootkit ȡ Ƥ Ȥ ȡ 饤 쥹 ݥ ڤ ʤɤˤ ä ΤǤϤʤ ǽ 롣 ꥤ β ϤǤ Ф Τ褦 ʤ 뤳 Ȥ Ǥ 롣 Ʊ Ϥ Ԥ 뤳 Ȥ Ǥ 饤 쥹 ݥ ϰ Ǥ ľ Ȥ Ǥ ʤ ޤ Ƹ 뤳 Ȥ Ǥ ʤ ꥤ Ϥϡ Ƥ ޤ С Ϥϲ Ǥ Ǥ Ƹ 롣 Ȥ β ϼ ˡ ɲä 뤳 Ȥ Ǥ 饤 쥹 ݥ ǤϤ Ȥ ɲþ ȻפäƤ Բ ǽ ꥤ Ƥ в ǽ Ǥ 롣 ꥤ μ
(b) Firewire (IEEE1394) ե Ѥ 狼 ľ ܥ Υǡ ԡ 롣 줬 ǽ ʤΤ Firewire λ Ǥ ɤ ߤ Ǥʤ ߤ ǽ ˡ ϸ Ȳ Ư Υ ƥ Υ Ф 빶 ѤǤ 롣 ºݡ С ʤ ѥ å ä Windows ޥ Ф ơ å ġ Ƥ 롣
(c) ƥ Ÿ ǤΤ ȡ ѥġ ư ƥ ǡ 롣 ǯ ץ ȥ Coldboot Attack ȸƤФ 빶 ˡ 餫 ˤ 줿[21] θ ǡ ƥ ߤ ľ Ū 㲹 ˤ Ϥ ʤ λ ǡ ݻ Ƥ 뤳 Ȥ ǧ 줿 Ǥ Ѥ ȡ ƥ ꥤ ѤΥġ ư ƥǡ 뤳 Ȥ Ǥ 롣 BIOS μ (ECC) ˤ äƤ Ƶ ư Ȥ ꥢ 뤿 ᡢ ξ 礳 μ ˡ ϻȤ ʤ
Ρ PC Ǥϡ ڥ Τ ٻ 뤤 ϥ Х ȸƤФ 뵡ǽ ݡ Ȥ Ƥ 롣 ξ 硢 Ÿ ڤäƤ ݻ 褦 ˡ λ Υ ꥤ HDD ե Ȥ ƽ Ф 褦 ˤʤäƤ 롣 Υե ˡ Ǽ Raw Ȥϰ ʤ Windows ȼ η Ƥ 뤬 Ϥ ġ 뤬 Ƥ 롣
ꥤ ƹ ˤϼ 2 Ĥ ˡ 롣[33][35] Tree & List Traversal Ȥ С Windows EPROCESS Τˤ ť ꥹ Ȥ 뤿 ᡢ 缡 ɤ뤳 Ȥǡ Ư ץ? ؤ 뤳 Ȥ Ǥ 롣 DKOM (Direct Kernel Object Manipulation) ˤ ʤɤ ꡢ Τʾ Ǥ ʤ ? 롣 ʤ Ȥ FU rootkit ʤɤ DKOM Ȥä ץ? 롣 Fingerprint Search 嵭 ˡ Ф ơ ꥤ Υǡ Υѥ ޤʤ 뿷 ˡ ޤ줿 Ƕ μ ή Ϥ ˡ Ǥ 롣 ʤ Ȥ PTFinder, Volatility ʤɡ
Shadow Walker[45] Ȥ rootkit ϡ ڡ ե 㳰 ϥ ɥ TLB ˤ ꡢ Υǡ ڤ 뵡ǽ äƤ 롣 Ȥ Х ꥤ Ǥ 뤳 Ȥˤʤ롣 ޤ AMD Υ ƥ Ǥ DMA ˤ ꥤ Ǥ Ȥ
