
How to use Columbo to identify specific patterns in the attacked database

2025-04-07 update, from SLTechnology News&Howtos > Network Security

Shulou (Shulou.com) 06/01 Report

This article explains how to use Columbo to identify specific patterns in the attacked database. The method it describes is simple, fast and practical, so readers interested in forensic analysis may find it worth a look.

About Columbo

Columbo is a computer forensics and security analysis tool that helps researchers identify specific patterns in the attacked database. It splits the data into small chunks and applies pattern recognition and machine learning models to identify the attacker's intrusion behaviour and the location of the infection on a compromised Windows host, then presents the results as a table of suggestions. Note that the current version of Columbo only runs on the Windows operating system.

Dependent components & High-level Architecture

Columbo relies on Volatility 3, autorunsc.exe and sigcheck.exe for data extraction. Users must therefore download these tools and store them in the `\Columbo\bin` directory before using Columbo. The output produced by these tools is piped automatically into Columbo's main engine. Columbo then splits the incoming data, pre-processes it, and uses a machine learning model to classify path locations, executable files, and other indicators of attack on the infected system.

Video material

1. Before you start using Columbo, watch the introductory video: https://www.youtube.com/watch?v=7rUCC1Wz4Gc

2. For memory forensics analysis, see the Columbo memory forensics video: https://www.youtube.com/watch?v=fOa62iVemAQ

Tool installation and configuration

1. Download and install Python 3.7 or 3.8 (3.9 is untested) and make sure python.exe is added to the PATH environment variable during installation.

2. Visit the project's releases page at https://github.com/visma-prodsec/columbo/releases and download the latest Columbo source code.

3. Download the following components and store them in `\Columbo\bin`: the Volatility 3 source code, autorunsc.exe, and sigcheck.exe.

To avoid errors, the directory structure must be `\Columbo\bin\volatility3-master`, `\Columbo\bin\autorunsc.exe` and `\Columbo\bin\sigcheck.exe`.

4. Finally, double-click the "exe" in the `\Columbo` directory to start Columbo.

Columbo and Machine Learning

Columbo uses data preprocessing techniques to organize the data and machine learning models to identify suspicious behaviour. Each output is either 1 (suspicious) or 0 (normal), presented as a suggestion to support decision-making by network security and computer forensics analysts. The model was trained on a range of test cases to maximize output accuracy and reduce false positives. False positives will nevertheless still occur in the tool's output, so the model is updated regularly.

False positive

Reducing false positives is not easy, especially with machine learning. How many false positives a model produces depends largely on the quality of the data used to train it. To assist security and forensics investigations, Columbo therefore attaches a confidence percentage to each output (1 = suspicious, 0 = normal), which helps researchers prioritize the suspicious paths, commands, or processes that need further analysis.

Real-time analysis of operation options-file and process tracking

This option analyzes running Windows processes to identify any malicious activity currently in progress. Columbo uses autorunsc.exe to extract data from the target device; the output is piped to the machine learning model and pattern recognition engine, which classify suspicious activity. The results are then saved as an Excel file under `\Columbo\ML\Step-2-results` for further analysis. Columbo also offers an option to inspect running processes. The result contains the process trace, the command associated with each process where applicable, and whether the process is responsible for launching new processes.

Scan and analyze hard disk image files (.vhdx)

This option takes the path of a mounted Windows disk image and uses sigcheck.exe to extract data from the target file system. The results are then fed into the machine learning model to classify suspicious activity. The output is saved as an Excel file under `\Columbo\ML\Step-3-results`.

Memory information forensics

With this option, Columbo takes the path to a memory image and presents the following sub-options for the user to choose from.

Memory information: use Volatility 3 to extract information about the image.

Process scanning: use Volatility 3 to extract the processes, and for each process the associated DLLs and handle information. Columbo then applies a grouping and clustering mechanism to group each process under its parent process. This option is later used by the process tracking option under anomaly detection.

Process tree: use Volatility 3 to extract the process tree.

Anomaly detection and process tracking: use Volatility 3 to extract the list of anomalous processes. Columbo additionally provides a "process tracking" option that examines each process individually and produces the following information:

- the path of the executable file and its associated command;
- a legitimacy verdict for the identified process from the machine learning model;
- a trace of each process all the way back to its root process (full path), with its execution date and time;
- whether the process is responsible for launching other processes;
- the above information collected and collated for each process and presented to the user.
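The process tracking step described above, as an added example that is not Columbo's own code: given Volatility-3-style process list records, it groups processes under their parents, traces each one back to its root (the "full path"), and records whether it spawned other processes and whether its parent is missing from the list. The records are constructed sample data in the shape of `windows.pslist` output, not real output from any system.

```python
from collections import defaultdict

# Constructed sample records in the shape of Volatility 3 windows.pslist
# output (PID, PPID, ImageFileName, CreateTime). Not real forensic data.
SAMPLE_PSLIST = [
    {"pid": 4,    "ppid": 0,    "name": "System",         "created": "2024-01-01 08:00:00"},
    {"pid": 500,  "ppid": 4,    "name": "smss.exe",       "created": "2024-01-01 08:00:01"},
    {"pid": 620,  "ppid": 500,  "name": "winlogon.exe",   "created": "2024-01-01 08:00:03"},
    {"pid": 900,  "ppid": 620,  "name": "explorer.exe",   "created": "2024-01-01 08:00:10"},
    {"pid": 1440, "ppid": 900,  "name": "WINWORD.EXE",    "created": "2024-01-01 09:12:44"},
    {"pid": 1552, "ppid": 1440, "name": "cmd.exe",        "created": "2024-01-01 09:13:02"},
    {"pid": 1600, "ppid": 1552, "name": "powershell.exe", "created": "2024-01-01 09:13:05"},
    {"pid": 2100, "ppid": 7777, "name": "orphan.exe",     "created": "2024-01-01 09:20:00"},
]

def build_index(records):
    """Group processes by parent: pid -> record, and ppid -> [child pids]."""
    by_pid = {r["pid"]: r for r in records}
    children = defaultdict(list)
    for r in records:
        children[r["ppid"]].append(r["pid"])
    return by_pid, children

def trace_to_root(pid, by_pid):
    """Return image names from the root process down to pid (the full path).
    Stops at a parent that is absent from the list (exited or hidden) or a cycle."""
    chain, seen, cur = [], set(), pid
    while cur in by_pid and cur not in seen:
        seen.add(cur)
        chain.append(by_pid[cur]["name"])
        cur = by_pid[cur]["ppid"]
    return list(reversed(chain))

def track_processes(records):
    """Collate lineage, creation time, spawn flag and missing-parent flag per pid."""
    by_pid, children = build_index(records)
    report = {}
    for r in records:
        report[r["pid"]] = {
            "name": r["name"],
            "created": r["created"],
            "lineage": " > ".join(trace_to_root(r["pid"], by_pid)),
            "spawns_children": bool(children.get(r["pid"])),
            # ppid 0 is the conventional root; any other absent parent is notable
            "parent_missing": r["ppid"] != 0 and r["ppid"] not in by_pid,
        }
    return report
```

A lineage such as an Office process launching cmd.exe and then powershell.exe, or a process whose parent is absent from the list, is the kind of chain an analyst would then pass on to the classification step.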

Project address

Columbo: https://github.com/visma-prodsec/columbo

At this point you should have a clearer understanding of how to use Columbo to identify specific patterns in the attacked database. The best way to consolidate it is to try the tool in practice.
