(Fios#03) 5. 죽은 서비스도 살려내는 포렌식 기술
1 like87 views
This document discusses forensic analysis techniques for resurrecting dead digital systems and services. It explains how a forensic expert can use virtualization technology to mount disk images from a dead system and boot it in a virtual machine to extract information. The document outlines steps like adjusting for physical drivers, checking disk order and mount points, fixing RAID bugs, updating kernel and bootloader information, recovering database files, and adjusting network settings to resurrect dead systems and services. It also discusses how resurrection can be done while maintaining the chain of custody of evidence.
![forensicinsight.org Page 28
Resurrection
Try to rescue boot [ linux rescue, chroot /mnt/sysimage ]](https://image.slidesharecdn.com/fios035-160825145126/85/Fios-03-5-28-320.jpg)
![forensicinsight.org Page 29
Resurrection
Try to rescue boot [ linux rescue, chroot /mnt/sysimage ]](https://image.slidesharecdn.com/fios035-160825145126/85/Fios-03-5-29-320.jpg)
![forensicinsight.org Page 30
Resurrection
Physical Driver to Virtual [ /etc/modprobe.conf ]](https://image.slidesharecdn.com/fios035-160825145126/85/Fios-03-5-30-320.jpg)
![forensicinsight.org Page 31
Resurrection
Check disk order [ fdisk –l ]](https://image.slidesharecdn.com/fios035-160825145126/85/Fios-03-5-31-320.jpg)
![forensicinsight.org Page 32
Resurrection
Check original mount point [ /etc/fstab ]](https://image.slidesharecdn.com/fios035-160825145126/85/Fios-03-5-32-320.jpg)
![forensicinsight.org Page 33
Resurrection
Fix the raid bug [ /etc/grub.conf ]](https://image.slidesharecdn.com/fios035-160825145126/85/Fios-03-5-33-320.jpg)
![forensicinsight.org Page 34
Resurrection
Grub information update [ grub-install ]](https://image.slidesharecdn.com/fios035-160825145126/85/Fios-03-5-34-320.jpg)
![forensicinsight.org Page 35
Resurrection
Update Kernel information [ mkinitrd ]](https://image.slidesharecdn.com/fios035-160825145126/85/Fios-03-5-35-320.jpg)
![forensicinsight.org Page 38
Resurrection
Adjust network environment [ ifconfig ]](https://image.slidesharecdn.com/fios035-160825145126/85/Fios-03-5-38-320.jpg)
![forensicinsight.org Page 42
Resurrection
But, u can cheating the history :) [ history ]](https://image.slidesharecdn.com/fios035-160825145126/85/Fios-03-5-42-320.jpg)
(Fios#03) 5. 죽은 서비스도 살려내는 포렌식 기술
- 1. The 3rd FIOS (F-INSIGHT OPEN SEMINAR) Resurrect the System and Services : 죽은 서비스도 살리는 포렌식 기술 ykei @ykx100
- 2. forensicinsight.org Page 2 목차 1. Cold or Hot Evidence 2. Resurrection 3. Chain of Custody
- 3. forensicinsight.org Page 3 Cold or Hot?
- 4. forensicinsight.org Page 4 Cold or Hot Evidence Top Class Forensic Scientist
- 5. forensicinsight.org Page 5 Cold or Hot Evidence One of Top Class Forensic Scientist
- 6. forensicinsight.org Page 6 Cold or Hot Evidence Meet The bruised body One of Top Class Forensic Scientist with breath
- 7. forensicinsight.org Page 7 Cold or Hot Evidence U Remember? Specialized at dead body
- 8. forensicinsight.org Page 8 Cold or Hot Evidence
- 9. forensicinsight.org Page 9 Cold or Hot Evidence Now He got the cold body as his wish Is it fair?
- 10. forensicinsight.org Page 10 Cold or Hot Evidence Digital Evidence?
- 11. forensicinsight.org Page 11 Cold or Hot Evidence Have you ever like this?
- 12. forensicinsight.org Page 12 Cold or Hot Evidence Same Cold EV.
- 13. forensicinsight.org Page 13 Cold or Hot Evidence But, Benefit of live forensics Short way to extract Quick response Seize the live data
- 14. forensicinsight.org Page 14 Cold or Hot Evidence Increased size, complexity of Data Hard to find evidence
- 15. forensicinsight.org Page 15 Cold or Hot Evidence Still, u wanna kill the hot & take the cold body for analysis?
- 16. forensicinsight.org Page 16 Cold or Hot Evidence Stop pulling the plug
- 17. forensicinsight.org Page 17 Cold or Hot Evidence Boooooring… I know that, already
- 18. forensicinsight.org Page 18 Cold or Hot Evidence Someone killing the hot body Mistake Wrong decision Bad Situation
- 19. forensicinsight.org Page 19 Cold or Hot Evidence If someone give you the shit,
- 21. forensicinsight.org Page 21 Resurrection Unified Log Monitor System Pulled the plug and Imaging the Disks Can you export the all log from DB? Where is the start point? Here is shit…
- 23. forensicinsight.org Page 23 Resurrection Virtual mount disk image files
- 24. forensicinsight.org Page 24 Resurrection Check the Kernel version information
- 25. forensicinsight.org Page 25 Resurrection Check Filesystem information
- 26. forensicinsight.org Page 26 Resurrection Make the VM with mounted disk
- 27. forensicinsight.org Page 27 Resurrection Now boot, Meet the kernel panic So I present this now :)
- 28. forensicinsight.org Page 28 Resurrection Try to rescue boot [ linux rescue, chroot /mnt/sysimage ]
- 29. forensicinsight.org Page 29 Resurrection Try to rescue boot [ linux rescue, chroot /mnt/sysimage ]
- 30. forensicinsight.org Page 30 Resurrection Physical Driver to Virtual [ /etc/modprobe.conf ]
- 31. forensicinsight.org Page 31 Resurrection Check disk order [ fdisk –l ]
- 32. forensicinsight.org Page 32 Resurrection Check original mount point [ /etc/fstab ]
- 33. forensicinsight.org Page 33 Resurrection Fix the raid bug [ /etc/grub.conf ]
- 34. forensicinsight.org Page 34 Resurrection Grub information update [ grub-install ]
- 35. forensicinsight.org Page 35 Resurrection Update Kernel information [ mkinitrd ]
- 36. forensicinsight.org Page 36 Resurrection Still No Heartbeat of Service
- 38. forensicinsight.org Page 38 Resurrection Adjust network environment [ ifconfig ]
- 39. forensicinsight.org Page 39 Resurrection Recovery DB files
- 40. forensicinsight.org Page 40 Resurrection Recovery DB files
- 41. forensicinsight.org Page 41 Resurrection May be It is not good idea…
- 42. forensicinsight.org Page 42 Resurrection But, u can cheating the history :) [ history ]
- 43. forensicinsight.org Page 43 Resurrection Now service is warmed
- 44. forensicinsight.org Page 44 Resurrection Maybe, u need to PW recovery from DB
- 45. forensicinsight.org Page 45 Resurrection But, Is resurrection break the chain?
- 46. forensicinsight.org Page 46 Chain of Custody
- 47. forensicinsight.org Page 47 Chain of Custody No, Chain is fine
- 48. forensicinsight.org Page 48 Chain of Custody When is preservation done, CoC is Start.
- 49. forensicinsight.org Page 49 Chain of Custody Don’t scared, Do hash For Compatibility : MD5 For Security : SHA256(higher)
- 50. forensicinsight.org Page 50 Chain of Custody But be prepared, always Guide Tools for your Environment Storage for backup And Hiring the Real Expert Don’t deceived by crook
- 51. forensicinsight.org Page 51 Now, Cold or Hot?
- 52. forensicinsight.org Page 52 Conclusion Virtual Technology is awesome I can resurrect the cold media Sometimes, It is very efficient method
- 53. forensicinsight.org Page 53 Conclusion Please reconsidering the pull the plug Do not send the shit to me If you give me the shit, I can over that, too.
- 54. forensicinsight.org Page 54 Conclusion Hello, digital media necromancer! Have u a question?