
Forensic

2012_Secuwave_F200_writeup

REAOR 2019. 2. 26. 16:17

Scenario

A leak of confidential information occurred at company K in Pangyo Techno Valley. The suspect's system is currently under investigation. We want to determine the suspect's interests from their internet usage pattern. Find the URL of the site the suspect accessed most often (http://aaa.bbb.cccc/) and the time that URL was last accessed (UTC+09:00).

(Challenge file for questions 1-2: 2012_Secuwave F200.7z)

 

Evidence file list

2012_Secuwave_F200
- Incident_Response
  - Users
    - 7ester
      - AppData
      - Application Data
      - Contacts
      - Cookies
      - Desktop
      - Documents
      - Downloads
      - Favorites
      - Links
      - Local Settings
      - Music
      - My Documents
      - NetHood
      - Pictures
      - PrintHood
      - Recent
      - Saved Games
      - Searches
      - SendTo
      - Templates
      - Videos
      - 시작 메뉴 (Start Menu)
      - AppData:$TXF_DATA
      - NTUSER.DAT
      - ntuser.dat.LOG1
      - ntuser.dat.LOG2
      - NTUSER.DAT{ba04e13e-a18c-11e1-a5d4-be242f68574f}.TM.blf
      - NTUSER.DAT{ba04e13e-a18c-11e1-a5d4-be242f68574f}.TMContainer00000000000000000001.regtrans-ms
      - NTUSER.DAT{ba04e13e-a18c-11e1-a5d4-be242f68574f}.TMContainer00000000000000000002.regtrans-ms
      - ntuser.ini
    - All Users
    - Default
      - AppData
      - Application Data
      - Cookies
      - Desktop
      - Documents
      - Downloads
      - Favorites
      - Links
      - Local Settings
      - Music
      - My Documents
      - NetHood
      - Pictures
      - PrintHood
      - Recent
      - Saved Games
      - SendTo
      - Templates
      - Videos
      - 시작 메뉴 (Start Menu)
      - NTUSER.DAT
      - ntuser.dat.LOG1
      - ntuser.dat.LOG2
      - NTUSER.DAT{2d8b9247-a161-11e1-82c8-0010189e0196}.TM.blf
      - NTUSER.DAT{2d8b9247-a161-11e1-82c8-0010189e0196}.TMContainer00000000000000000001.regtrans-ms
      - NTUSER.DAT{2d8b9247-a161-11e1-82c8-0010189e0196}.TMContainer00000000000000000002.regtrans-ms
      - NTUSER.DAT{ba04e13e-a18c-11e1-a5d4-be242f68574f}.TM.blf
      - NTUSER.DAT{ba04e13e-a18c-11e1-a5d4-be242f68574f}.TMContainer00000000000000000001.regtrans-ms
      - NTUSER.DAT{ba04e13e-a18c-11e1-a5d4-be242f68574f}.TMContainer00000000000000000002.regtrans-ms
    - Default User
    - Public
      - Desktop
      - Documents
      - Downloads
      - Libraries
      - Music
      - Pictures
      - Videos
      - desktop.ini
    - 7ester:$TXF_DATA
    - desktop.ini


Tools used

IE10Analyzer

 

Questions

1. The URL of the site the suspect accessed most often (http://aaa.bbb.cccc/)

KEY format: URL (http://aaa.bbb.cccc/)

2. The time that URL was last accessed (UTC+09:00)

KEY format: (yyyy-MM-dd_hh:mm:ss)



File analysis

From the list of user files provided with the challenge, the user 7ester is presumed to be the suspect.

To find the most visited site and the time of the last access, the browser log files have to be analysed.

 

Web log file paths

| OS version | Browser | Artifact | Path |
|---|---|---|---|
| Windows 2000, XP | IE | Cache | %Profile%\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| | | | %Profile%\Local Settings\Temporary Internet Files\Content.IE5\<Random>\<all files> |
| | | History | %Profile%\Local Settings\History\History.IE5\index.dat |
| | | | %Profile%\Local Settings\History\History.IE5\<period>\index.dat |
| | | Cookie | %Profile%\Cookies\index.dat |
| | | | %Profile%\Cookies\<all text files> |
| | | Download | none |
| | Chrome | Cache | %Profile%\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\<all files> |
| | | History | %Profile%\Local Settings\Application Data\Google\Chrome\User Data\Default\History |
| | | | %Profile%\Local Settings\Application Data\Google\Chrome\User Data\Default\History.index <-> |
| | | Cookie | %Profile%\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies |
| | | Download | %Profile%\Local Settings\Application Data\Google\Chrome\User Data\Default\History |
| | Firefox | Cache | %Profile%\Local Settings\Application Data\Mozilla\Firefox\Profiles\<Random>.default\Cache\_CACHE_MAP_ (3 files) |
| | | | %Profile%\Local Settings\Application Data\Mozilla\Firefox\Profiles\<Random>.default\Cache\<all folders> |
| | | History | %Profile%\Local Settings\Application Data\Mozilla\Firefox\Profiles\<Random>.default\places.sqlite |
| | | Cookie | %Profile%\Local Settings\Application Data\Mozilla\Firefox\Profiles\<Random>.default\cookies.sqlite |
| | | Download | %Profile%\Local Settings\Application Data\Mozilla\Firefox\Profiles\<Random>.default\downloads.sqlite |
| | Safari | Cache | %Profile%\Local Settings\Application Data\Apple Computer\Safari\Cache.db |
| | | History | %Profile%\Local Settings\Application Data\Apple Computer\Safari\History.plist |
| | | Cookie | %Profile%\Local Settings\Application Data\Apple Computer\Safari\Cookies.plist |
| | | Download | %Profile%\Local Settings\Application Data\Apple Computer\Safari\Downloads.plist |
| | Opera | Cache | %Profile%\Local Settings\Application Data\Opera\Opera\cache\dcache4.url |
| | | History | %Profile%\Local Settings\Application Data\Opera\Opera\global_history.dat |
| | | Cookie | %Profile%\Local Settings\Application Data\Opera\Opera\cookies4.dat |
| | | Download | %Profile%\Local Settings\Application Data\Opera\Opera\download.dat |
| Windows Vista, 7 | IE | Cache | %Profile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat |
| | | | %Profile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<Random>\<all files> |
| | | History | %Profile%\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat |
| | | | %Profile%\AppData\Local\Microsoft\Windows\History\History.IE5\<period>\index.dat |
| | | Cookie | %Profile%\AppData\Roaming\Microsoft\Windows\Cookies\index.dat |
| | | | %Profile%\AppData\Roaming\Microsoft\Windows\Cookies\<all text files> |
| | | Download | %Profile%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.dat (IE9 and later) |
| | Chrome | Cache | %Profile%\AppData\Local\Google\Chrome\User Data\Default\Cache\ |
| | | History | %Profile%\AppData\Local\Google\Chrome\User Data\Default\History |
| | | | %Profile%\AppData\Local\Google\Chrome\User Data\Default\History\History Index <-> |
| | | Cookie | %Profile%\AppData\Local\Google\Chrome\User Data\Default\Cookies |
| | | Download | %Profile%\AppData\Local\Google\Chrome\User Data\Default\History |
| | Firefox | Cache | %Profile%\AppData\Local\Mozilla\Firefox\Profiles\<Random>\Cache\_CACHE_MAP_ (all files in the same folder are needed) |
| | | History | %Profile%\AppData\Local\Mozilla\Firefox\Profiles\<Random>.default\places.sqlite |
| | | Cookie | %Profile%\AppData\Local\Mozilla\Firefox\Profiles\<Random>.default\cookies.sqlite |
| | | Download | %Profile%\AppData\Local\Mozilla\Firefox\Profiles\<Random>.default\downloads.sqlite |
| | Safari | Cache | %Profile%\AppData\Local\Apple Computer\Safari\Cache.db |
| | | History | %Profile%\AppData\Roaming\Apple Computer\Safari\History.plist |
| | | Cookie | %Profile%\AppData\Roaming\Apple Computer\Safari\Cookies\Cookies.plist |
| | | Download | %Profile%\AppData\Roaming\Apple Computer\Safari\Downloads.plist |
| | Opera | Cache | %Profile%\AppData\Local\Opera\Opera\cache\dcache4.url |
| | | History | %Profile%\AppData\Roaming\Opera\Opera\global_history.dat |
| | | Cookie | %Profile%\AppData\Roaming\Opera\Opera\cookies4.dat |
| | | Download | %Profile%\AppData\Roaming\Opera\Opera\download.dat |


Inspecting %Profile%\Local Settings showed that it is only a compatibility junction rather than a real profile folder, so the suspect's PC is confirmed to be running Vista or a later version.

Next, checking %Profile%\AppData\Local, the part common to all the Vista/7 paths above, only a Microsoft folder exists, so the web browser the suspect used is Internet Explorer.

 

 

With the web browser identified, move to that browser's WebCache location (%Profile%\AppData\Local\Microsoft\Windows\WebCache\) and analyse the WebCacheV24.dat file found there with IE10Analyzer.

 

Checking the History tab in IE10Analyzer, the most visited site was confirmed to be http://hanrss.com, and the time of the last access was confirmed to be 2012-08-30 14:59:49.
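The two analysis steps above (pick the browser from the vendor folders under AppData\Local, then find the most visited site and its last access time in UTC+09:00) can be reproduced in code. The following is an added example written for this writeup, not code from the original post or from IE10Analyzer. It assumes the history rows have already been exported from WebCacheV24.dat as (URL, access count, last-accessed FILETIME) tuples, which is the shape IE10Analyzer's History tab exposes; the records, the folder listing and the function names are constructed for the example. It goes slightly beyond the post by grouping rows per site, so several URLs on one host are counted together, and by stripping the "Visited: user@" prefix IE stores in history entries.

```python
# Added example for this writeup (not from the original post or IE10Analyzer).
# Step 1: decide which browser(s) a profile holds from the vendor folders under
#         %Profile%\AppData\Local, following the Vista/7 rows of the path table.
# Step 2: aggregate exported history records by site, pick the most visited one
#         and report its last access in UTC+09:00 in the challenge's KEY format.
# All sample data below is constructed; it is not the real evidence.
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Vendor folders under AppData\Local that the path table maps to browsers.
BROWSER_VENDOR_DIRS = {
    "Microsoft": "Internet Explorer",
    "Google": "Chrome",
    "Mozilla": "Firefox",
    "Apple Computer": "Safari",
    "Opera": "Opera",
}

KST = timezone(timedelta(hours=9))                        # UTC+09:00, as the question asks
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts from 1601 UTC


def detect_browsers(appdata_local_entries):
    """Browsers whose vendor folder appears in a listing of %Profile%\\AppData\\Local."""
    return [BROWSER_VENDOR_DIRS[d] for d in appdata_local_entries if d in BROWSER_VENDOR_DIRS]


def filetime_to_utc(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; integer arithmetic avoids float rounding."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def normalize_url(raw):
    """Strip the 'Visited: <user>@' prefix IE puts on history entries."""
    if raw.startswith("Visited: ") and "@" in raw:
        raw = raw.split("@", 1)[1]
    return raw


def site_of(url):
    """Reduce a URL to the 'http://host/' form the KEY format asks for."""
    parts = urlsplit(normalize_url(url))
    return f"{parts.scheme}://{parts.netloc}/"


def rank_sites(records):
    """records: iterable of (url, access_count, last_access_filetime).

    Returns (site, total_count, last_access_kst) tuples sorted by total count,
    highest first. Counts are summed per site and the latest FILETIME per site
    is kept, so several rows for one host collapse into one entry.
    """
    totals = defaultdict(int)
    latest = defaultdict(int)
    for url, count, filetime in records:
        site = site_of(url)
        totals[site] += count
        latest[site] = max(latest[site], filetime)
    ranked = sorted(totals, key=lambda s: (-totals[s], s))
    return [(s, totals[s], filetime_to_utc(latest[s]).astimezone(KST)) for s in ranked]


def answer_keys(records):
    """The two KEYs: most visited site and its last access time in UTC+09:00."""
    site, _, last_kst = rank_sites(records)[0]
    return site, last_kst.strftime("%Y-%m-%d_%H:%M:%S")


# Constructed sample input: only a Microsoft folder, as in the evidence, and a
# few history rows in the form IE10Analyzer's History tab exposes them.
SAMPLE_APPDATA_LOCAL = ["Microsoft", "Temp"]
SAMPLE_RECORDS = [
    ("Visited: 7ester@http://hanrss.com/", 30,
     utc_to_filetime(datetime(2012, 8, 30, 5, 50, 0, tzinfo=timezone.utc))),
    ("Visited: 7ester@http://hanrss.com/r/12345", 27,
     129907799890000000),                                # 2012-08-30 05:59:49 UTC as FILETIME
    ("Visited: 7ester@http://www.naver.com/", 40,
     utc_to_filetime(datetime(2012, 8, 29, 23, 10, 0, tzinfo=timezone.utc))),
    ("Visited: 7ester@http://mail.naver.com/", 5,
     utc_to_filetime(datetime(2012, 8, 30, 1, 0, 0, tzinfo=timezone.utc))),
]

if __name__ == "__main__":
    print("browsers:", detect_browsers(SAMPLE_APPDATA_LOCAL))
    for site, total, last in rank_sites(SAMPLE_RECORDS):
        print(f"{total:4d}  {last:%Y-%m-%d %H:%M:%S}  {site}")
    print("KEY1, KEY2:", answer_keys(SAMPLE_RECORDS))
```

The timestamp handling is the part worth checking by hand: WebCache stores access times as FILETIME in UTC, so the KEY in UTC+09:00 is only correct after the explicit conversion through an aware datetime; reading the value in the analysis machine's local zone gives a different answer whenever that machine is not set to KST.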

 

 
