Easy-to-Use Computer Activity Trace Analysis Tools [2015/11/18]

Post on 15-Jan-2017


JASON CHENG - 鄭郁霖

Easy-to-Use Computer Activity Trace Analysis Tools

Speaker: 勤益科大 (National Chin-Yi University of Technology) :: Master's, Department of Electronic Engineering

靜宜大學 (Providence University) :: EMBA pre-admission credit program

耀達電腦 :: R&D and IT manager

光華高工 :: industry lecturer, Department of Information Technology

軟體自由協會 (Software Liberty Association of Taiwan) :: individual member

CEH and MCP certified

1. WHY?

How important is information security?

PHOTO BY TVBS

PHOTO BY EXTREMETECH.COM、RAVENFOUNDATION.ORG

PHOTO BY WWW.DROPBOX.COM/S/7QBQVATL42BCUZ2/101H.JPG?DL=1

Digital evidence

PHOTO BY WWW.FLICKR.COM/PHOTOS/FINANCIALTIMES/8785445626/SIZES/L/

Evidence acquisition

PHOTO BY WWW.FLICKR.COM/PHOTOS/57936333@N07/8285850247/SIZES/L/

Needle in a haystack

Objectives

PHOTO BY WWW.FLICKR.COM/PHOTOS/INSTANTVANTAGE/8363737128/SIZES/L/

PHOTO BY WWW.MORGUEFILE.COM/ARCHIVE/DISPLAY/936092

Cut expenditure

PHOTO BY WWW.FLICKR.COM/PHOTOS/JZSINR/4129022342/SIZES

Quick to pick up

PHOTO BY WWW.DROPBOX.COM/S/LC4HPPDDQSMWM88/92H.JPG?DL=1

No installation required

Time records

Computer activity traces

Cost savings

Tracing leads

Pinpointing the problem

Everything under control

From here on, this presentation contains a large number of tools and introductions; please take with care.

WARNING

2. Computer Usage Analysis

Preliminary analysis

Evidence collection

Evidence acquisition and preservation

Evidence examination and analysis

Presenting results

Preserving the scene

PHOTO BY WWW.FLICKR.COM/PHOTOS/BOOLEANSPLIT/2358030054/SIZES

CloneZilla

Full system image backup

CloneZilla

Event Viewer: complete information, but time-consuming to use

EventVwr

Slow!

WinLogOnView

Analyze Windows logon records

WinLogOnView

TurnedOnTimesView

Analyze Windows logon times and usage status

TurnedOnTimesView

LastActivityView

Analyze all user actions: programs run, files opened, and so on

LastActivityView

BlueScreenView

Analyze Windows BSOD crash details

BlueScreenView

StartBlueScreen

Reproduce the Windows BSOD crash screen

StartScreenView

AppCrashView

Analyze application crash details

AppCrashView

InstalledCodec

Analyze audio/video codec change records

InstalledCodec

RegDllView

Analyze DLL registration records

RegDllView

CCleaner

Analyze system restore point records

CCleaner

3. Web Browsing Behaviour Analysis

BrowsingHistoryView

Analyze the history of all major browsers

BrowsingHistoryView

MyLastSearch

Analyze browser search bar history

MyLastSearch

IECacheView, MozillaCacheView, OperaCacheView, ChromeCacheView

Analyze browser cache records

*CacheView

VideoCacheView

Analyze browser video cache records

VideoCacheView

FBCacheView

Analyze browser Facebook cache records

FBCacheView

IECookiesView, MozillaCookiesView, ChromeCookiesView, FlashCookiesView

Analyze browser cookie records

*CookiesView

4. Hardware Change Analysis

DevManView

Analyze device driver change records

DevManView

USBDeview

Analyze USB device change records

USBDeview

5. File Change Analysis

OSFMount

Mount full backup image files

OSFMount

Marking where a file actually resides on disk

Recuva

Analyze file change records

Recuva

PhotoRec

Analyze file change records

PhotoRec

Real-world case

Everything

Quickly find file names and locations

Everything

AstroGrep

Full search of file contents

AstroGrep

6. Password Data Analysis

BulletsPassView

Analyze asterisk-masked password input boxes

BulletsPassView

ProduKey

Analyze operating system product key information

ProduKey

WebBrowserPassView

Analyze passwords stored by browsers

WebBrowserPassView

RouterPassView

Analyze router password information

RouterPassView

RouterPassView

• Linksys WRT54GL (With original firmware or Tomato firmware), WRT54G (only some of them), WRT160N, WRT320N, and possibly similar models.
• Linksys E5200
• Linksys E2000
• Linksys RV082
• Linksys E2500
• Linksys N1500
• Linksys E900
• Cisco-Linksys E4200
• Cisco Linksys E1000 v2.1
• Edimax BR6204WG, and possibly similar models.
• Siemens ADSL SL2-141, and possibly similar models.
• Siemens CL-110 PSTN ADSL2+
• Dynalink RTA1025W, and possibly similar models.
• NETGEAR WGT624, WGR614v9, WNR1000v3, WNR3500L, and possibly other models.
• NETGEAR DEVG2020
• ASUS WL-520g, WL-600g, and possibly similar models.
• ASUS RT-N10+, and possibly similar models.
• Asus RT-N56U, and possibly similar models.
• Asus RT-AC66U
• Asus RT-AC68U
• Asus RT-AC68W
• D-Link DIR-655, DIR-300, and possibly similar models.
• Sanex SA 5100, and possibly similar models.
• Sitecom WL-351, WL-575, WL-312, and possibly similar models.
• COMTREND 536+ (Only Internet Login)
• US Robotics 9108 ADSL (internet login and admin login)
• D-Link DSL-2540U/BRU/D ADSL2+, DSL-2650U, DSL-520B
• D-Link DVA-G3170i/PT
• D-Link DSL-604T
• D-Link G3670B
• D-Link DSL-2640T
• D-Link DSL-G684T
• D-Link DSL-2500U
• D-Link 2740B
• D-Link DIR-615 G2
• D-Link WBR-1310
• D-Link DSL-2543B
• D-Link DI-524
• D-Link DI-624+A
• D-Link DIR-600
• D-Link DIR-300
• D-Link DSL-2780
• D-Link DIR-605L
• TL-WDR4300 N750
• TP-Link TD-8810 ADSL Modem/Router.
• Dynamode R-ADSL-C4-W-G1
• NetComm NB5Plus4 DSL
• Thomson TG580 DSL (only in Hex Dump mode)
• Asus RT-G31
• HuaWei EchoLife HG520
• Huawei Echolife HG510a/HG520s/HG520b/HG520c
• HuaWei HG526
• HuaWei-3Com Aolynk BR104
• TP-LINK TL-WR841N
• TP-LINK TL-WR841DN
• TP-LINK TL-MR342
• TP-LINK TL-WR340G
• TP-LINK TL-R460
• TP-LINK TL-WR741ND v2.0
• TP-LINK TL-WR700N
• TP-LINK TL-WR740N
• TP-LINK TL-WA801N
• TP-LINK TL-WR541G
• TP-LINK TL-WR1043ND
• TP-LINK TD-W8960N
• TP-Link TL-WR941ND
• TP-Link TL-MR3220
• TP-Link TL-WR642G
• TP-Link TL-WDR3320
• TP-Link TL-WDR3600
• TP-LINK TL-WR720N
• TP-Link TD-W8970
• TP-LINK TD-W8901N
• TP-LINK TD-8816
• TP-LINK TD-W8901G
• TP-LINK TD-W8951ND
• TP-Link TD-8840
• TP-LINK TD-8817
• TP-LINK Archer C2
• TP-LINK Archer D5
• TP-LINK Archer D9
• Belkin N+ (F5D8236uk4)
• Mercury MW54R
• Netgear DG632
• Netgear Wireless Cable Voice Gateway CG3000/CG3100
• Netgear WNDR4000 (Rev 1)
• Netcomm NB6W
• Aztech DSL605EW
• Comtrend CT-5072T ADSL2+ modem/router
• Small Business RV042
• Intelbras WRN240
• ipTIME N604V
• Linksys WRV200
• Sagem F@ST2404
• ZTE ZXV10
• ZTE ZXHN H108N
• SmartAX MT880a/MT880d/MT882a
• Zyxel AMG1302
• Alcatel Lucent I-240W-A
• LevelOne WBR-3406TX v2

Protected Storage PassView

Analyze stored password information

Protected Storage PassView

PstPassView

Analyze Outlook data file (PST) password information

PstPassView

Network Password Recovery

Analyze stored domain credential passwords

Network Password Recovery

Dialupass

Analyze dial-up network password information

Dialupass

WirelessKeyView

Analyze wireless network password information

WirelessKeyView

Remote Desktop PassView

Analyze Remote Desktop connection password information

Remote Desktop PassView

VNCPassView

Analyze VNC remote control password information

VNCPassView

SniffPass

Analyze passwords sent over the main network protocols

SniffPass

POP3, IMAP, SMTP, FTP, HTTP

7. Website History Analysis

archive.org

Analyze a website's history over time

Relics of a bygone era

PHOTO BY WWW.DROPBOX.COM/S/2XSAW5VOTMX5KGX/7H.JPG?DL=1

archive.org

9. GO!

PHOTO BY WWW.MORGUEFILE.COM/ARCHIVE/DISPLAY/936092

0 software expenditure

PHOTO BY WWW.MORGUEFILE.COM/ARCHIVE/DISPLAY/926464

Fight!

DO!

PHOTO BY WWW.FLICKR.COM/PHOTOS/TRYSIL/6885485137/SIZES/L/

END

PHOTO BY WWW.IMCREATOR.COM/FREE/THE-ENDLESS-ROAD