[Question]
What application were installed by the suspect after installing OS?
① 분석 도구
- Registry Explorer
② 관련 레지스트리 키
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- HKLM\SOFTWARE\Wow64Node\Microsoft\Windows\CurrentVersion\Uninstall
③ OS 설치 시각
- 2015-03-22 14:34:26 (GMT+0)
④ Anti-Forensic Application
- CCleaner
- 잠재적으로 불필요한 팡리과 잘못된 윈도우 레지스트리 항목을 제거하는 피리폼사 유틸리티입니다.
- 브라우저 히스토리, 쿠키, 휴지통, 메모리 덤프, 파일 조각, 로그 파일, 시스템 캐시, 응용 프로그램 데이터, 자동 완성 폼 히스토리 등의 다양한 데이터도 삭제합니다. (위키백과)
- Eraser
- Windows 운영 체제에서 사용할 수 있는 오픈 소스 보안 파일 삭제 도구입니다. 파일 및 볼륨 삭제를 모두 지원합니다.
- 데이터를 복구 할 수 없도록 덮어써서 데이터를 안전하게 지웁니다.(위키백과)
⑤ 분석 결과
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall에서는 64bit 응용프로그램 설치 기록을 볼 수 있습니다.
- HKLM\SOFTWARE\Wow64Node\Microsoft\Windows\CurrentVersion\Uninstall에서는 32bit 응용프로그램 설치 기록을 볼 수 있습니다.
| Name | Installed Date(UTC -9) | Path |
| Microsoft Office Shared MUI (English) 2013 | 2015-03-22 15:00:59 | C:\Program Files\Microsoft Office\ |
| Microsoft Office Shared Metadata MUI (English) 2013 | 2015-03-22 15:01:01 | C:\Program Files\Microsoft Office\ |
| Microsoft Access MUI (English) 2013 | 2015-03-22 15:01:02 | C:\Program Files\Microsoft Office\ |
| Microsoft Access Setup Metadata MUI (English) 2013 | 2015-03-22 15:01:02 | C:\Program Files\Microsoft Office\ |
| Microsoft InfoPath MUI (English) 2013 | 2015-03-22 15:01:03 | C:\Program Files\Microsoft Office\ |
| Microsoft Office Shared 32-bit MUI(English) 2013 | 2015-03-22 15:01:04 | C:\Program Files\Microsoft Office\ |
| Microsoft Lync MUI (English) 2013 | 2015-03-22 15:01:05 | C:\Program Files\Microsoft Office\ |
| Microsoft Excel MUI (English) | 2015-03-22 15:01:07 | C:\Program Files\Microsoft Office\ |
| Microsoft PowerPoint MUI (English) 2013 | 2015-03-22 15:01:09 | C:\Program Files\Microsoft Office\ |
| Microsoft Publisher MUI (English) 2013 | 2015-03-22 15:01:10 | C:\Program Files\Microsoft Office\ |
| Microsoft DCF MUI (English) 2013 | 2015-03-22 15:01:11 | C:\Program Files\Microsoft Office\ |
| Microsoft Groove MUI (English) 2013 | 2015-03-22 15:01:12 | C:\Program Files\Microsoft Office\ |
| Microsoft OneNote MUI (English) | 2015-03-22 15:01:13 | C:\Program Files\Microsoft Office\ |
| Microsoft Office Proofing Tools 2013 - Espanol | 2015-03-22 15:01:14 | C:\Program Files\Microsoft Office\ |
| Outils de vérification linguistique 2013 de Microsoft Office - Français | 2015-03-22 15:01:30 | C:\Program Files\Microsoft Office\ |
| Microsoft Office Proofing Tools 2013 - English | 2015-03-22 15:01:31 | C:\Program Files\Microsoft Office\ |
| Microsoft Office Proofing (English) 2013 | 2015-03-22 15:01:32 | C:\Program Files\Microsoft Office\ |
| Microsoft Office OSM MUI (English) 2013 | 2015-03-22 15:01:34 | C:\Program Files\Microsoft Office\ |
| Microsoft Office OSM UX MUI (English) 2013 | 2015-03-22 15:01:34 | C:\Program Files\Microsoft Office\ |
| Microsoft Outlook MUI (English) 2013 | 2015-03-22 15:01:37 | C:\Program Files\Microsoft Office\ |
| Microsoft Word MUI (English) 2013 | 2015-03-22 15:01:38 | C:\Program Files\Microsoft Office\ |
| Microsoft Office 32-bit Components 2013 | 2015-03-22 15:01:46 | C:\Program Files\Microsoft Office\ |
| Microsoft Office Professional Plus 2013 | 2015-03-22 15:03:33 | C:\Program Files\Microsoft Office\ |
| Microsoft Office Professional Plus 2013 | 2015-03-22 15:04:14 | C:\Program Files\Microsoft Office\ |
| Google Chrome | 2015-03-22 15:11:51 | C:\Program Files (x86)\Google\Chrome\Application |
| Google Update Helper | 2015-03-22 15:16:03 | |
| Apple Application Support | 2015-03-23 20:00:45 | C:\Program Files (x86)\Common Files\Apple\Apple Application Support\ |
| Bonjour | 2015-03-23 20:00:58 | C:\Program Files(x86)\Bonjour\ |
| Apple Software Update | 2015-03-23 20:01:01 | C:\Program Files (x86)\Apple Software Update\ |
| Google Drive | 2015-03-23 20:02:46 | |
| DXM_Runtime | 2015-03-25 10:15:21 | |
| MPlayer2 | 2015-03-25 10:15:21 | |
| Microsoft .NET Framework 4 Client Profile | 2015-03-25 14:51:39 | C:\Windows\Microsoft.NET\Framework64\ v4.0.30319\SetupCache\Client |
| Microsoft .NET Framework 4 Client Profile | 2015-03-25 14:52:06 | C:\Users\INFORM~1\AppData\Local\Temp\ Microsoft .NET Framework 4 Setup_4.0.30319\ |
| Microsoft .NET Framework 4 Extended | 2015-03-25 14:54:06 | C:\Windows\Microsoft.NET\Framework64\ v4.0.30319\SetupCache\Extended |
| Microsoft .NET Framework 4 Extended | 2015-03-25 14:54:33 | C:\Users\INFORM~1\AppData\Local\Temp\ Microsoft .NET Framework 4 Setup_4.0.30319\ |
| Eraser 6.2.0.2962 | 2015-03-25 14:57:31 | C:\Users\INFORM~1\AppData\Local\Temp\ eraserInstallBootstrapper\ |
| CCleaner | 2015-03-25 14:58:35 | C:\Program Files\CCleaner |
'CFReDS > Data Leakage Case' 카테고리의 다른 글
| 12. system on/off & user logon/logoff (0) | 2022.06.23 |
|---|---|
| 11. application execution log (0) | 2022.06.23 |
| 9. Network interface (0) | 2022.06.23 |
| 8. last recorded shutdown date/time (0) | 2022.06.21 |
| 7. last logon (0) | 2022.06.21 |
