高级持续性威胁攻击取证分析调查作业程序之研究

Study of Program of Forensic Investigation Procedures Against APT Attack
Abstract (translated from the Chinese): Advanced Persistent Threat (APT) / targeted attacks are network attacks carried out by creative, adaptable cybercriminals around the world against network infrastructure, using constantly refreshed, always-online, advanced and persistent professional attack tools. Intelligence gathering and data theft are the common purpose of all APTs. Traditional network security defense technologies cannot detect unidentified, diverse and complex APT threats, which pushes the risk of suffering an APT attack to an unprecedented level; the APT threat is one of the greatest threats organizations face today. Following the standard operating procedure for digital evidence analysis and forensics (collection, preservation, analysis, presentation of results), this study first performs static analysis of APT attack behavior, then conducts in-depth dynamic analysis of APT attacks, examines the digital evidence forensic handling procedure, and develops handling procedures and rules for APT attack digital evidence forensics. Finally, with digital forensic equipment and forensic software as the main forensic tools, forensic personnel can complete the forensic work by applying this procedure and these tools, understand the patterns of APT threat attacks, provide digital evidence for subsequent investigation and analysis, and reinforce the completeness, consistency and accuracy of digital evidence forensic investigation.

Abstract (English, as published): Advanced persistent threat (APT) / targeted attack is a technique of network attack employed by creative, flexible cybercrime activists around the world by means of constantly refurbished, ready-to-go-online, high-end and continuous attacks on network infrastructures. Intelligence gathering and information stealing are the sole goal of all APTs. However, traditional network security defense technology can no longer detect the unidentified, multiple and complex APT threats of today, which will be the severest risk for our organizations to face. This study follows the procedure of digital evidence forensic standard operation: collecting, containing, analyzing and presenting results. At first, static analysis of the APT attacks is carried out, and then in-depth dynamic analysis of the APT attacks is conducted to explore the digital evidence forensics procedure and establish the handling rules. Finally, proper digital evidence forensic equipment and software are treated as the main forensic means, so that forensic personnel need only follow the procedure and tools to complete their forensic work. Accordingly, by understanding the aspect of APT penetration attacks, future investigation and analysis can be facilitated to provide digital evidence, reinforcing the integrity, consistency and accuracy of digital evidence forensic investigation.
Authors: 张志汖 张英杰 (ZHANG Zhi-pin, ZHANG Ying-jie); Taiwan Police College, Taipei 11696, China; Aero Technology Co., Ltd, Taipei 11170, China

Source: 《计算机科学》 (Computer Science), CSCD, Peking University core journal list (北大核心), 2016, No. B12, pp. 43-52 and 78 (11 pages in total)

Keywords: advanced persistent threat attack; cybercrime; digital evidence analysis forensics standard operating procedures; APT attack digital evidence forensics procedure