• Title/Summary/Keyword: Shared Folder

Design and Implementation of Companion to Improve Windows Shared Folders (윈도우즈 공유 폴더 기능 향상을 위한 도우미 설계 및 구현)

  • Yoon, Kyung Seob;Lim, Do Yeon
    • Proceedings of the Korean Society of Computer Information Conference / 2020.01a / pp.177-180 / 2020
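  • Windows provides a feature for sharing folders using the Server Message Block (SMB) protocol. SMB is a protocol designed to let nodes on a network share resources. It is mainly used to exchange files, printers, ports, or other messages between computers connected to a network. However, this feature often goes unused because most people are not familiar with it and do not know how to configure it. In this paper, we design and implement a companion for improving the shared folder feature so that it can be configured more easily and quickly.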

Propagation Modeling of WannaCryptor Wormable Malware (WannaCryptor 워머블 악성코드 확산 방식 연구)

  • Park, Tae Hwan;Lee, Howoong;Shin, Weon
    • Journal of the Korea Institute of Information Security & Cryptology / v.30 no.3 / pp.389-396 / 2020
  • WannaCryptor is a type of ransomware which encrypts users' personal data or files and demands ransom payment in order to regain access. But it peculiarly spreads by itself like an Internet worm using Windows vulnerabilities in shared folders. In this paper, we analyzed and estimated the spread of WannaCryptor, focusing on the wormable spread features that differ from existing ransomware. Thus we observed its behaviors in virtual environments, and experimented with the various spreads of WannaCryptor based on our prediction modeling.

A Model for Illegal File Access Tracking Using Windows Logs and Elastic Stack

  • Kim, Jisun;Jo, Eulhan;Lee, Sungwon;Cho, Taenam
    • Journal of Information Processing Systems / v.17 no.4 / pp.772-786 / 2021
  • The process of tracking suspicious behavior manually on a system and gathering evidence is labor-intensive, variable, and experience-dependent. The system logs are the most important sources of evidence in this process. However, in the Microsoft Windows operating system, the action events are irregular and the log structure is difficult to audit. In this paper, we propose a model that overcomes these problems and efficiently analyzes Microsoft Windows logs. The proposed model extracts lists of both common and key events from the Microsoft Windows logs to determine detailed actions. In addition, we show an approach based on the proposed model applied to track illegal file access. The proposed approach employs three-step tracking templates using Elastic Stack as well as key-event, common-event lists and identify event lists, which enables visualization of the data for analysis. Using the three-step model, analysts can adjust the depth of their analysis.

Study on Windows Event Log-Based Corporate Security Audit and Malware Detection (윈도우 이벤트 로그 기반 기업 보안 감사 및 악성코드 행위 탐지 연구)

  • Kang, Serim;Kim, Soram;Park, Myungseo;Kim, Jongsung
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.3 / pp.591-603 / 2018
  • Windows Event Log is a format that records system logs in the Windows operating system and methodically manages information about system operation. An event can be caused by the system itself or by a user's specific actions, and some event logs can be used for corporate security audits, malware detection and so on. In this paper, we choose actions related to corporate security audit and malware detection (External storage connection, Application install, Shared folder usage, Printer usage, Remote connection/disconnection, File/Registry manipulation, Process creation, DNS query, Windows service, PC startup/shutdown, Log on/off, Power saving mode, Network connection/disconnection, Event log deletion and System time change), which can be detected through event log analysis, and classify event IDs that occur in each situation. Also, the existing event log tools only include functions related to EVTX file parsing, and it is difficult to track a user's behavior when they are used in a forensic investigation. So we implemented a new analysis tool in this study which parses EVTX files and user behaviors.