( )

Size: px

Start display at page:

Download "( )"

かおりてっちがわら
5 years ago
Views:

1 NAIST-IS-MT

2 ( )

3 Volatility Framework TPR % FPR 0-20% Volatility Framework 10., NAIST-IS-MT , i

4 Design and Implementation for Detecting Malware-Infected Terminals by Using Memory Forensics Kosuke Yushita Abstract The purpose of this research is to create a system for Memory Forensic tools in order to detect terminals that are infected with malware that cannot be detected by antivirus software. In the existing research, effective detection methods for known malware and specific kinds of specimens have been proposed, but none satisfy the demand for a general-purpose detection method based on behavior. In this research, I designed and implemented a malicious extraction system by combining the detection functions based on the behavior of Volatility Framework (which is a memory forensic tool). Subsequently, I attempted to detect the infected terminals and their malignant processes. As a result, I succeeded in detecting the infection (rate: TPR %, FPR %). In the cases where malicious processes can be recognized by process scanning, I was able to recognize malignant processes as highly suspicious processes. Keywords: Memory Forensics Infection Detection Malware Malignant Behavior Volatility Framework Master s Thesis, Graduate School of Information Science, Nara Institute of Science and Technology, NAIST-IS-MT , March 10, ii

5 Volatility Framework iii

6 SecCap JPCERT/CC Soliton Forensics Team VolatilityFoundation VolUtility iv

7 A. 83 v

8 ( [1]) KaniVola VolUtility ( VolUtility-Web Application for Volatility[2]) ( [3]) ( ) help Volatility Framework ( ) apihooks ( 5 ) pid trojan.exe vi

9 14 pid trojan.exe ( A B) vii

10 [4] ISO/IEC ISO27035[5] (Prepare) (Identify) (Report) (Assess) (Respond) (Learn) [6] CPU 1

11 Volatility Framework[7] Command Reference Mal[8]

12 Volatility Framework Volatility Framework Volatility Framework Forensic Analysis of Data from Random Access Memory[9] Volatility Framework JPCERT/CC apt17scan.py[10] Agtid Hikit APT APT17 1 Aurora Panda 2 1 Fireeye 2 CrowdStrike 3

13 Volatility Framework yarascan JPCERT/CC Volatility Framework impfuzzy plugin[11] impfuzzy Import API Windows impfuzzy for Volatility impfuzzy : impfuzzy imphashlist : imphash imphashsearch : imphash Volatility Framework malfind VAD VirusTotal[12] PAGE EXECUTE READWRITE 4

14 malfind Cysinfo hollowfind [13] hollow Volatility ldrmodules dlllist PEB VAD malfind hollowfind GitHub hollowfind Volatility Framework Membrane[14] (1) (2) (3) Gábor 86-98% 5

15 Volatility Framework Volatility Volatility Framework python 32bit 64bit Unix Windows Mac OS X Volatility Framework

16 Volatility Framework [15] Mandiant Memoryze Mandiant Memoryze Rekall Google [16] HBGary Responder Professional HBGary Digital DNA [17] ResponderPro DDNA [18] 7

17 2.2.2 AccessData FTK Imager FTK imager 20 AccessData [19] 13 FTK Imager HDD USB FTK Imager FTK Imager Memoryze Microsoft Windows Memoryze XML Mandiant Redline GMG Systems, Inc., KnTTools SSL 8

18 BIOS ROM/EEPROM/NVRAM F-Response F-Response Windows Mac OS X Linux HBGary FastDump MoonSols Windows Memory Toolkit RC4 EnCase/WinEn Belkasoft Live RAM Capturer ATC-NY Windows Memory Reader RAW MinGW Cygwin UNIX netcat SSH Winpmem Windows RAW 9

19 Volatility Volatility Volatility Framework The Art of The Memory Forensic[20] [20] Volatility malfind Volatility Framework Volatility Framework python < > < > 10

20 3.2 3 [15] Executive Process Windows API 6 ( ) 6 11

21 DLL DLL (VAD) IP OS Windows cmd.exe Vista Windows (csrss.exe) Vista (conhost.exe) strings 12

22 Windows Mimikatz lsass.exe (LSASS) Windows Windows API Volatility Active Setup API Import Address Table(IAT) 13

23 Interrupt Descriptor Table(IDT) System Service Dispatch(SSD) Volatility Framework apihooks IAT API 3.3 Volatility Framework help Volatility help VolatilityFoundation [21] Volatility Framework2.5 SANS DFIR(Degital Forensics and Incident Response)[22] Volatility Framework VolatilityFoundation[7] DLL Rootkit dump Volatility Framework The Art of Memory Forensic[20] VolatilityFoundation GitHub Volatility wiki Command Reference Mal 14

24 hollowfind 7 API [23] apihooks 8 dlllist 9, ldrmodules apihooks 2 apihooks apihooks API unknown INT 3 11 API 7 VAD PEB [13] 8 IAT EAT API 9 DLL 10 VAD PEB DLL 11 0xCC DebugBreak() INT 15

25 1 help Volatility Framework ( ) amcache Print AmCache information apihooks Detect API hooks in process and kernel memory atoms Print session and window station atom tables atomscan Pool scanner for atom tables auditpol Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv bigpools Dump the big page pools using BigPagePoolScanner bioskbd Reads the keyboard buffer from Real Mode memory cachedump Dumps cached domain hashes from memory callbacks Print system-wide notification routines clipboard Extract the contents of the windows clipboard cmdline Display process command-line arguments cmdscan Extract command history by scanning for COMMAND HISTORY connections Print list of open connections [Windows XP and 2003 Only] connscan Pool scanner for tcp connections consoles Extract command history by scanning for CONSOLE INFORMATION crashinfo Dump crash-dump information deskscan Poolscaner for tagdesktop (desktops) devicetree Show device tree dlldump Dump DLLs from a process address space dlllist Print list of loaded dlls for each process driverirp Driver IRP hook detection drivermodule Associate driver objects to kernel modules driverscan Pool scanner for driver objects dumpcerts Dump RSA private and public SSL keys dumpfiles Extract memory mapped and cached files dumpregistry Dumps registry files out to disk ( ) yarascan Scan process or kernel memory with Yara signatures 16

26 2 1 apihooks Victim modules unknown hooking modules IAT EAT kernel modules usermode CALL JMP INT PUSH RET dll wow64.dll ntdll.dll ldrmodules dlllist hollowfind 2 [13] 17

27 3.4 Volatility The Art of Memory Forensic[20] SANS DFIR VolatilityFoundation [22][24] Volatility 1. [psscan] 2. DLL [getsids grep -e Domain -e Enterprise] SIDs (Security Identifiers) domain Enterprise Domain Enterprise [20] [handles -t Files grep \\Device\\RawIp\\0] 0 0 \Device\RawIp\0 [20][24] 18

28 3. [netscan]. netscan malwaredomainlist.com[25] ipvoid.com[26], 4. [malfind grep Pid] VAD [malfind -D /tmp] dmp /tmp [ldrmodules grep False] VAD DLL 5. Rootkit [psxview] PsActiveProcessHead [8] 6. dump [dlldump -p PID -D./ --fix --memory] dll, Module Name UNKNOWN DLL [24] 7. [printkey -K Microsoft \\ Windows \\CurrentVersion\\ Run] [printkey -K Software\\Microsoft\\Windows\\ CurrentVersion\\Run] HKLM Runkey Run keys [20] Windows 19

29 (J-CRAT) 2016[27] 3 20

30 3 HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run /s HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit /s HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell /s HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell /s HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows /v Load HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows /v Run HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit Dlls /s HKLM\Software\Microsoft\Command Processor\AutoRun /s HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices /s HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /s HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows /v Load HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows /v Run HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run /s HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /s HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AppKey\18( ) HKCU\Software\Microsoft\Command Processor\AutoRun /s HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run /s HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices /s HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /s HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run /s HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders /v Startup HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders /v Common Startup HKLM\SYSTEM\currentControlSet\services 21

31 8. [privs --silent --regex=debug grep Present, Enable grep -v Default] [24] [threads -F OrphanThread grep StartAddress] [20][24] [mutantscan] mutant ThreatExpert[28] mutant mutant mutant [timers grep UNKNOWN] UNKNOWN UNKNOWN [20] [unloadedmodules] unload unload unloaded [20] 22

32 3.5 DLL [29] NP [29] [29] 23

33 3 Volatility 24

34 4 command ( ) ( ) (%) ( ) psxview netscan malfind printkey getsids privs dlldump threads handles ldrmodules psscan 4 4 svchost OS 25

35 5 command psxview netscan malfind printkey getsids privs dlldump threads handles ldrmodules % malfind printkey 20% privs dlldump threads ldrmodules netscan 5 malfind 57% psxview ldrmodules False % netscan 26

36 3 psxview false printkey Trojan conhost SearchProtocol cmd Trojan printkey privs dlldump threads 4 printkey

37 6 ( 5 ) Trojan(30) svchost(35) audiodg(35) conhost(30) wmpnetwk(35) SearchProtocol(35) 1 SearchProtocol(30) NETSTAT(30) svchost(35) cmd(30) SearchProtocol(30) Trojan(30) chrome(25) Trojan(25) svchost(30) Trojan(180) svchost(210) audiodg(210) conhost(180) wmpnetwk(210) SearchProtocol(210) 2 SearchProtocol(180) NETSTAT(180) svchost(210) cmd(180) SearchProtocol(180) Trojan(180) chrome(150) Trojan(150) svchost(180) Trojan(115) svchost(165) svchost(155) svchost(105) Trojan(85) Trojan(115) 3 explorer(85) explorer(85) taskhost(115) chrome(55) chrome(55) explorer(85) wmpnetwk(40) svchost(40) SearchProtocol(60) Trojan(115) svchost(165) svchost(155) svchost(105) Trojan(85) Trojan(115) 4 explorer(85) explorer(85) taskhost(115) chrome(55) chrome(55) explorer(30) wmpnetwk(40) svchost(40) SearchProtocol(60) ( ).exe 28

38 FTK Imager Windows RAM FTK Imager

39 7 OS ubuntu16.04lts( ) 5GB HDD 50GB NAT Volatility2.5 python ubuntu16.04lts. 8 8 command point psxview False +5 netscan +30 malfind -p PID --dump-dir=. +30 malfind -D /tmp +20 printkey -K Run +10 getsids grep -e Domain -e Enterprise +10 privs --silent --regex=debug +15 dlldump -p PID -D./ --fix --memory UNKNOWN +15 threads -F OrphanThreads +15 handles -t Files grep +5 ldrmodules grep False +5 30

40 4.1.2 ID( pid). 1 pid. pid 2. 2 pid. Volatility

41 8 pid 8. 2 pid pid [ ] VirtualBox Windows7 SP1 x64 InternetExplorer GoogleChrome FTK Imager. 32

42 9 OS Windows7 SP1 x64( ) 1GB HDD 25GB NAT Google Chrome, InternetExplorer FTK Imager. 9 [ ] Windows malwr.com[30] Windows malwr.com FTK Imager. trojan.exe. 1. name trojan rootkit 2. Windows7 3. ( :mem9) 4. ( :mem3 10) malwr.com AV malwr.com 33

43 10 AV mem1 Backdoor:MSIL/Bladabindi.AJ 45/48 mem2 TrojanClicker:Win32/Zirit.dr 47/55 mem3 Trojan.Win32.Kovter.nwt 26/56 mem4 Ransom:Win32/Isda.A 39/54 mem5 not-a-virus:downloader.win32.express.bfb 26/53 mem6 rootkitremover.exe 0/56 mem7 TrojanDownloader:Win32/Small.gen!AP 45/50 mem8 Trojan:Win32/Bagsu!rfn 40/56 mem9 TrojanSpy:Win32/Bancos.gen!B 41/50 mem10 HKTL RICKPAT 47/ python 8. pid trojan malwr.com. trojan.exe 11 trojan.exe mem8 trojan.exe 86 5 mem8 3 svchost pstree 12 trojan.exe mem5 SrpnFiles psscan. psscan trojan.exe mem

44 mem2 Windows7 privs trojan.exe 13 malfind printkey psscan malfind printkey. handles threads malfind printkey psxview ldrmodules getsids privs. Volatility malfind exploere.exe svchost.exe svchost svchost 14 trojan.exe pid malfind printkey 35

45 11 pid top1 top2 top3 explorer(86) chrome(66) wmpnetwk(56) mem1 svchost(76) trojan(71) explorer(66) mem2 svchost(95) chrome(65) explorer(65) mem3 regsvr32(365) regsvr32(265) trojan(65) mem4 svchost(116) trojan(66) explorer(66) mem5 SrpnFiles(10185) svchost(76) taskhost(15) mem6 svchost(75) chrome(65) explorer(65) mem7 trojan(166) svchost(117) svchost(117) mem8 svchost(256) svchost(186) svchost(106) mem9 msiexec(160) msiexec(120) msiexec(100) mem10 chrome(316) svchost(76) explorer(66) ( ).exe 36

46 12 psscan VirusTotal trojan AV trojan dump mem1 45/48 trojan mem2-47/55 mem3 26/56 mem4 39/54 mem5-26/53 malfind300 mem6-0/56 mem7 45/50 mem8 40/56 trojan mem9-41/50 mem10-47/55 37

47 13 trojan.exe psscan malfind printkey psxview False ldrmodules getsids privs mem1 mem mem3 mem4 mem mem mem7 mem8 mem mem

48 14 pid ( ) psscan malfind printkey psxview False ldrmodules getsids privs mem1 svchost(90) mem2 svchost(95) mem3 regsvr(300) mem4 svchost(116) mem5 SrpnFiles (10185) mem6 svchost(75) mem7 svchost(117) mem8 svchost(256) mem9 msiexec(160) mem10 chrome(316) 39

49 4.1.5 psscan psscan Volatility VirusTotal psscan psscan 40

50 4.2 psscan Windows7 mcafee Adobe Reader mcafee Adobe Reader Windows7.exe 2. AV 3. malwr.com trojan.exe 41

51 15 clean mem1 snipping tool clean mem2 clean mem3 clean mem4 XPS clean mem5 Media Center clean mem6 clean mem7 Remote Desktop clean mem8 AVG antivirus clean mem9 clean mem10 clean mem11 clean mem12 windows powershell clean mem13 windows media player clean mem14 clean mem15 windows update clean mem16 clean mem17 clean mem18 Adobe Reader clean mem19 Adobe Reader Mcafee AV clean mem20 clean mem21 Chrome 30 42

52 16 AV AV mem1 Backdoor:MSIL/Bladabindi.AJ 45/48 mem24 OperaSetup.exe 14/57 mem2 TrojanClicker:Win32/Zirit.dr 47/55 mem25 keygen by uuk FIXED work.exe 35/57 mem3 Trojan.Win32.Kovter.nwt 26/56 mem26 PATCH Broadwave.exe 6/57 mem4 Ransom:Win32/Isda.A 39/54 mem27 1.exe 40/56 mem5 not-a-virus:downloader.win32.express.bfb 26/53 mem28 BafflerStandalone.exe 0/56 mem6 rootkitremover.exe 0/56 mem29 RuBjy2wiCxyLGr.dll 25/57 mem7 TrojanDownloader:Win32/Small.gen!AP 45/50 mem30 Drizzy Dox Tool V2.exe 16/56 mem8 Trojan:Win32/Bagsu!rfn 40/56 mem31 IDM.exe 13/56 mem9 TrojanSpy:Win32/Bancos.gen!B 41/50 mem32 VPN PRIVATE ATT 2016.exe 29/57 mem10 HKTL RICKPAT 47/55 mem33 sada.exe 18/56 mem Editable Fix.exe 0/56 mem34 Listary Pro exe 9/56 mem12 Tax Payment Challan.scr n/a mem35 0.exe 28/54 mem13 Server.exe n/a mem36 ae1529d70697( )acc7b2ef3 28/46 mem14 setup.exe 0/56 mem37 WWE0059.exe 38/56 mem15 uuuuuuuu.exe n/a mem38 s.exe 10/55 mem16 TeamViewerPt11.exe 1/56 mem39 H264MediaPlayPlugins.exe 9/58 mem17 silenteye win32.exe 1/56 mem40 IMG001.exe 22/56 mem18 IT Aquisition.pdf.exe 1/56 mem41 Portafolio empresarial pagos ach.exe 5/56 mem B60FC( )234C994517F9A 1/56 mem42 DriverFinder Setup.exe 6/56 mem20 bsfixwin.exe 2/54 mem43 WindowsFormsApplication5.exe 1/55 mem21 Efham internet booster.exe 0/56 mem44 AutoXP.EXE 4/56 mem22 4a1e00936bccd079.exe 14/56 mem45 DFStd.exe 1/56 mem23 adolh.exe 13/57 mem46 exiftool k.exe 1/58 43

53 4.2.3 explorer svchost 100 privs sssschedular 13 netscan mcafee AV svchost IP whois OrgName Microsoft Corporation VirusTotal IP Latest detected URLs Latest detected files that were downloaded from this IP address Latest detected files that communicate with this IP address 17 1 svchost explorer 18 malfind ldrmodules printkey getsids svchost explorer psscan trojan.exe 13 McAfee Security Scan 44

54 explorer svchost WtuSystemSupprt dlldump psxview netscan malfind printkey threads ldrmodules getsids privs handles % 3 trojan.exe trojan.exe psscan psscan pid malfind printkey trojan.exe trojan.exe top3 15 trojan.exe trojan.exe 1 1 SrpnFiles 300 trojan.exe 3 explorer, svchost trojan.exe malfind printkey dlldump threads 1 45

55 % malfind malfind = netscan privs, netscan ipvoid privs privs svchost trojan explorer regsvr SrpnFiles msiexer dfsvc DriverUtility IDM

56 20 trojan.exe dlldump psscan psxview netscan malfind printkey handles ldrmodules getsids privs therads psscan % 47

57 21 dlldump psxview netscan malfind printkey handles ldrmodules getsids privs therads % malfind vaddump dump VirusTotal psscan 100% trojan.exe psscan Volatility netscan privs psscan psscan Volatility Responder Pro Volatility 48

58 Volatility privs SecCap SecCap[31] Volatility Volatility 14 49

59 5. Volatility Framework 5.1 Volatility Framework mutant 5 = ( k ) k=1 +mutant + ldrmodules + timers 4 A B 5 68% A 95% B [32] 50

60 4 ( ) n A = + B =

61 5 >

62 22 command point psxview False +5 netscan +30 malfind grep Pid +30 malfind -D /tmp +30 printkey -K Run +10 getsids ( ) +10 privs --silent +15 dlldump -p PID ( ) UNKNOWN +15 threads -F +15 handles -t Files( +10 ldrmodules grep False +10 command mutantscan timers unloadedmodules point mutant +10 UNKNOWN +10 False +10 timers unloadedmodules mutantscan A B 1-3 unloadedmodules timers mutantscan 53

63 23 OS Oracle Linux6 CPU Intel Xeon Processor E5-2690v2 64GB Volatility Framework2.5 python2.6.6 mutantscan mutant B 47.0 timers 25 TPR % FPR 0-20% psscan psscan 16 3 VirusTotal

64 24 ( A B) A top1 top2 top3 top4 top5 timers unloadedmodules mutantscan B top1 top2 top3 top4 top5 timers unloadedmodules mutantscan TPR 78-87% FPR 0-20% mutant mcafee Adobe 55

65 25 A B A B ( ) TPR(%) FPR(%) B A A B ( ) TPR(%) FPR(%) Reader mutant GoogleUpdate svchost explorer psscan 16 56

66 57

67 GitHub GitHub git cron csv csv 6 csv, Volatility Framework GitHub 58

68 6 6.2 URL 59

69 SANS DFIR The Art of Memory Forensic[20] 26 svchost 26 IoT IoT OS Windows10 ubuntu Linux OS OS Volatility 60

70 26 Security Identifier DLL DLL mutant unload JPCERT/CC JPCERT/CC [33] JPCERT/CC APT17scan[10] 61

71 Impfuzzy[11] Volatility Framework GitHub web CODE BLUE2015 [1] 7 7 ( [1]) 62

72 6.3.2 Soliton Forensics Team Soliton Forensics Team JPCERT/CC GitHub JPCERT/CC (KaniReg) HEX (KaniKan) MD5 SHA-1 (KaniHash) Kani README.txt KaniVolatility KaniVolatility 2015 Soliton Forensics Team ji2saito Windows Volatility Framework GUI 8 GUI CLI Volatility txt kanivola KaniVolatility GitHub VolatilityFoundation Volatility Foundation Volatility Framework Volatility Framework Volatility Foundation 2013 Volatility Framework Shimcache Memory 63

73 8 KaniVola Scan FireEye Mandiant 1,500US Shimcache Memory Scan Shimcache 27 VM rootkit Volatility Framework GitHub 64

74 : 1 Fred House 2 : Shimcache Memory Scan 2 James Habben: Evolve Web Interface 3 Philip Huppert: VM Live Migration 4 Ying Li: Python Strings and SSH Keys 5 Adam Bridge: NDIS Packet Scan 2014 : 1 Dave Lasalle: Forensic Suite 2 Curtis Carmony: Dmcrypt 3 Adam Bridge: Editbox 4 Thomas Chopitea: Autoruns 5 Takahiro Haruyama: OpenIOC Scan 2013 : 1 Mariano Graziano: Intel VT-x introspection 2 Cem Gurkok: Window s security permission 3 Cem Gurkok: OS X rootkit detection 4 Edwin Smulders: Linux process information, stack analysis, and syscall register 5 Jamaal Speights: Extracts networking packets from memory samples 65

6.3.4 VolUtility VolUtility[2] 2016 4 Kevin Breen Volatility Framework Web GUI Volatility

75 6.3.4 VolUtility VolUtility[2] Kevin Breen Volatility Framework Web GUI Volatility Volatility Framework Mongo string yara GUI 9 VolUtility ( VolUtility-Web Application for Volatility[2])

76 6.4.1 VolatilityFoundation [34] web [35] 73.2% 98.9% 53.0% 90.8% 67

77 [3] 11 pid 11 This device is maybe infected 68

78 10 ( [3]) XX YY 69

79 11 ( ) 5W1H 70

80 IP 6.5 OS [36] 71

81 [37] RFC3227[38] 6.6 HDD [39] OS OS [39] 6.7 Metasploit SAM Jucier Lsass 72

82 HDD [40] [20] 73

83 % 0-20% Volatility python < > < > OS 74

84 7.2 OS 68% 95% FPR 2.5% malwr.com Framework Windows 75

85 1 30 Windows7 4GB 1 ID mutant 76

86 Doudou Fall

87 [1] JPCERT/CC., jp/by-code-blue ( ) [2] Chip dfir. Volutility-web application for volatility, ( ) [3]., ( ) [4] LAC., ( ) [5] IsecT. ISO/IEC 27035:2011 Information technology-security techniquesinformation security incident management, ( ) [6].?, ( ) [7] The Volatility Foundation. Volatility foundation, ( ) [8] VolatilityFoundation. Github command reference mal, github.com/volatilityfoundation/volatility/wiki/command-reference-mal ( ) [9] Er Gurjot Singh, Jalandhar KMV, Mandeep Kaur, and Navreet Kaur. Forensic analysis of data from random access memory. International Journal of 78

88 Computer and Communication System Engineering (IJCCSE), Vol 3, No. 3, pp , [10] JPCERT/CC. volatility plugin( ), ( ) [11] JPCERT/CC. impfuzzy for volatility( ), magazine/acreport-impfuzzy volatility.html ( ) [12] virustotal.com. Virustotal. ( ) [13] CYSINFO. Detecting deceptive process hollowing techniques using hollowfind volatility plugin, ( ) [14] Gábor Pék, Zsombor Lázár, Zoltán Várnagy, Márk Félegyházi, and Levente Buttyán. Membrane: A posteriori detection of malicious code loading by memory paging analysis. In European Symposium on Research in Computer Security, pp Springer, [15] Jason T. Luttgens, Matthew Pepe, and Kevin Mandia.., pp BP, [16] Google. Rekall, ( ) [17] CounterTack. Countertack s digital dna technology licensing program, ( ) [18] Focus Systems Corporation. Responderpro, cyberforensic.focus-s.com/product/168/ ( ) 79

89 [19] ACCESS DATA. ACCESS DATA, ( ) [20] Michael Hale Ligh, Andrew Case, Jamie Levy, and Aaron Walters. The art of memory forensics: detecting malware and threats in windows, linux, and mac memory. John Wiley & Sons, [21] VolatilityFoundation. Volatility plugin contest, ( ) [22] SANS. SANS COMPUTER FORENSICS & INCIDENT RE- SPONSE memory forensics cheat sheet v1.2, ( ) [23] ( ) ( ).., [24] VolatilityFoundation.org. Cheatsheet 2.4 edition, downloads.volatilityfoundation.org/releases/2.4/cheatsheet v2.4.pdf ( ) [25] ( ) MALWARE DO- MAIN LIST, [26] NoVirusThanks. IPVoid, ( ) [27]. (j-crat) pc, ( ) 80

90 [28] ThreatExpert Ltd. Threat expert, ( ) [29],.., [30] malwr.com. malwr, ( ) [31] SecCap. Seccap, ( ) [32],. :!., [33] JPCERT/CC. JPCERT/CC, about/index.html ( ) [34] NPO Institute of Digital Forensics., ( ) [35] , [36], , Vol. 2016, No. 2, pp , [37],. L-017 (l :, )., Vol. 14, No. 4, pp , [38] Dominique Brezinski and Tom Killalea. RFC 3227 Evidence collection and archiving, ( ) [39] Johannes Stüttgen and Michael Cohen. Anti-forensic resilient memory acquisition. Digital Investigation, Vol. 10, pp. S105 S115,

91 [40] Doug Menendez Albert Marcella, Jr. Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition. CRC Press,

92 A. 1.,. doc, pdf, zip (2015): ,, (2016): ,. Volatility Framework

28 Docker Design and Implementation of Program Evaluation System Using Docker Virtualized Environment

28 Docker Design and Implementation of Program Evaluation System Using Docker Virtualized Environment 1170288 2017 2 28 Docker,.,,.,,.,,.,. Docker.,..,., Web, Web.,.,.,, CPU,,. i ., OS..,, OS, VirtualBox,.,