Digital Investigation and the Trojan Defense, Revisited
Golden G. Richard III
Professor of Computer Science and University Research Professor Director, Greater New Orleans Center for Information Assurance (GNOCIA) University of New Orleans
GIAC-certified Digital Forensics Investigator Founder, Arcane Alloy, LLC
[email protected] / [email protected] / @nolaforensix http://www.cs.uno.edu/~golden
2 Who?
Professor of Computer Science and University Research Professor, Director, Greater New Orleans Center for Information Assurance (GNOCIA), University of New Orleans http://www.cs.uno.edu/~golden Digital forensics, OS internals, reverse engineering, offensive computing, pushing students to the brink of destruction, et al.
Founder, Arcane Alloy, LLC. http://www.arcanealloy.com Digital forensics, reverse engineering, malware analysis, security research, tool development, training.
Co-Founder, Partner / Photographer, High ISO Music, LLC. http://www.highisomusic.com Music. Rock stars. Earplugs.
Copyright 2015 by Golden G. Richard III (@nolaforensix) 3 Digital Forensics
“Tools and techniques to recover, preserve, and examine digital evidence stored on or transmitted by digital devices.” Computers, PDAs, cellular phones, videogame consoles, digital cameras, copy machines, printers, digital voice recorders… 4 What That Really Means
• Data. “You only think it’s gone.” • Sensitive data tenaciously clings to life.
• The vast majority of users—and lots of technical people, too— have no idea what’s really stored on their digital devices… • …and no ability to properly “clean up” even if they do suspect what’s there
Copyright 2015 by Golden G. Richard III (@nolaforensix) 5 Where’s the Evidence?
Files and Filesystem Application Windows Deleted Files metadata metadata registry
Print spool Hibernation Temp files Log files files files
Browser Network Slack space Swap files caches traces
RAM: OS and app data Volatile Evidence structures
Copyright 2015 by Golden G. Richard III (@nolaforensix) How awesome are we? 7 File Carving unrelated disk blocks interesting file one cluster
one sector
header, e.g., footer, e.g., 0x474946e8e761 0x003B (GIF) (GIF)
“milestones” or “anti-milestones”
Copyright 2015 by Golden G. Richard III (@nolaforensix) 8 Awesomeness Progression: File Carving
Can carve Chaos: files, but More can't Faster not very accurate Yay! carve files well
Tools Manual File type Fragmentation, appear, Multithreading, hex editor aware damned but have better design stuff carving, et al spinning disks! issues
Images: https://easiersaidblogdotcom.files.wordpress.com/2013/02/hot_dogger.jpg http://cdn.bigbangfish.com/555/Cow/Cow-6.jpg, http://f.tqn.com/y/bbq/1/W/U/i/Big_green_egg_large.jpg http://i5.walmartimages.com/dfw/dce07b8c-bb22/k2-_95ea6c25-e9aa-418e-a3a2-8e48e62a9d2e.v1.jpg Copyright 2015 by Golden G. Richard III (@nolaforensix) 9 Memory Analysis
• physical memory dumping tool Capture RAM • VM memory snapshot from live system • VM introspection
• strings Analyze • carving Memory Dump • Volatility • VM introspection
Expose interesting volatile evidence
Copyright 2015 by Golden G. Richard III (@nolaforensix) 10 Memory Analysis: Evidence
Processes (dead / alive) e.g., discover and analyze unauthorized programs
e.g., detect keystroke loggers, Open files hidden processes
e.g., find backdoors, connections Network connections to contraband sites
Volatile registry contents portions of Windows registry that are never stored on disk
Volatile application data e.g., plaintext for encrypted material, chat messages, email fragments, volatile web browser history Clipboard data volatile contents of clipboard
Copyright 2015 by Golden G. Richard III (@nolaforensix) 11 Awesomeness Progression: Memory Forensics
Pioneering Chaos: More, efforts Beyond run more, show great Windows ?? strings? more promise
pt_finder et al More attention Manual, Mac, … awesome but to malware, run strings, Linux, BSD filling in the gaps, little context limited functionality GPU stuff, etc.
Images: https://s-media-cache-ak0.pinimg.com/736x/75/5a/37/755a37727586c57a19d42caa650d242e.jpg,, http://img.photobucket.com/albums/v136/Hell2Pay77/SS-trucks.jpg http://skateandannoy.com/wp-content/uploads/2007/12/sportsbars.jpg, http://gainesvillescene.com/wp-content/uploads/2013/03/dog-longboard.jpg Copyright 2015 by Golden G. Richard III (@nolaforensix) 12 Memory Analysis: 2004 $ grep –i murder /dev/mem
I loved Sally, but I murdered her in the park on… Murder Murderer! Blood is on your shoulders! Murderous You murdered my hamster! Murdered
Copyright 2015 by Golden G. Richard III (@nolaforensix) 13 Detecting Hidden Resource Utilization
• Adversary: Direct Kernel Object Manipulation (DKOM) • Strategy: Deep analysis and cross-correlation of data kernel data structures to reveal hidden resource utilization
PID = 2260
Doubly-linked process list in Windows kernel
Processes continue to run because Windows C:\> fu –ph 2260 scheduler handles threads, not processes
PID = 2260
Copyright 2015 by Golden G. Richard III (@nolaforensix) 14
Copyright 2015 by Golden G. Richard III (@nolaforensix) 15
FU on PID 2260
DKOM Hidden Process Detection in Volatility
Copyright 2015 by Golden G. Richard III (@nolaforensix) So we're awesome, right? 17 Unfortunately
What evidence is How hard is it to present and what recover? can be recovered? Technical Difficulty Increasing What “evidence” Did malware play was actually a role? “recovered”?
Copyright 2015 by Golden G. Richard III (@nolaforensix) 18 Unfortunately, Part 2
What evidence is How hard is it to present and what recover? can be recovered?
Misinformation Abounds
What “evidence” Did malware play was actually a role? “recovered”?
Copyright 2015 by Golden G. Richard III (@nolaforensix) 19 Digital Forensics Settle Intellectual Property Disputes
Uncover Fraud Investigate Employee Misconduct
Investigate Child Exploitation Discover Insider Threats Prosecute Thieves, Kidnappers, Murderers
Copyright 2015 by Golden G. Richard III (@nolaforensix) 20 Digital Forensics Settle Intellectual Property Disputes
Uncover Fraud Investigate Employee Misconduct
malware
Investigate Child Exploitation Discover Insider Threats Prosecute Thieves, Kidnappers, Murderers Copyright 2015 by Golden G. Richard III (@nolaforensix) 21 Digital Forensics Settle Intellectual Property Disputes
Uncover Fraud Investigate Employee Misconduct
malware
Investigate Child Exploitation Discover Insider Threats Prosecute Thieves, Kidnappers, Murderers Copyright 2015 by Golden G. Richard III (@nolaforensix) 22 Malware
Software whose execution carries out actions crafted with malicious intent
Or, basically,
Software that does bad stuff.
Copyright 2015 by Golden G. Richard III (@nolaforensix) 23 Malware: Then, Now
• “Traditional” Malware – Hacking exercise – “My mad skillz are better than yours” – Mostly, annoying – Possibly, data destruction • Now – Monetized, targeted – Skillz Skill$ – Extremely sophisticated, hard to investigate – Persistent – Serious risks for data theft / catastrophic damage
Copyright 2015 by Golden G. Richard III (@nolaforensix) 24 Malware: Effects
• Capture data – Keystrokes – Audio – Video – Email – Text messages – Screenshots – Network traffic • Exfiltrate data • Delete important data • Hold data for ransom • Deliberately incriminate users – Cyberattacks – NSFW imagery / documents – Child porn – … Copyright 2015 by Golden G. Richard III (@nolaforensix) 25 Malware: Fallacies
• "It's incredibly hard to write!" – Sometimes. – But you can buy it, copy it from the Internet. – And basic malicious intent is very easy to code. • "Antivirus! Yay, Antivirus!" – Generally, no. – Doesn't mean you don't want to use it. – Just don't lean on it too much. – It's not that awesome. • "Criminals are stupid!" – Generally, we catch the stupid(er) ones. – The rest are pretty smart.
Copyright 2015 by Golden G. Richard III (@nolaforensix) 26 The Trojan Defense
• Variant of the SODDI defense—"Some Other Dude Did It" • Claim by accused: "Wasn't me. Malware did it." – “I didn’t download that stuff—a virus did it” – “I didn’t take the money out of that account” – “I didn’t leak that document!” • Problem #1: – Overused. We can't let everyone walk. • Problem # 2: – Increasingly, the malware might actually have done it.
[1] Brenner, Susan W., Brian Carrier, and Jef Henninger. The Trojan Horse Defense in Cybercrime Cases," Santa Clara Computer & High Tech. LJ 21 (2004): 1.
Copyright 2015 by Golden G. Richard III (@nolaforensix) 27
The second problem…
"As Mark Rasch, former head of the Department of Justice's Computer Crime and Intellectual Property Section, explained, it is relatively easy to manufacture and plant electronic evidence consistent with guilt. In fact, with a few skills and tools, not only could you plant such evidence, but you could do so in such a way as to be virtually undetected, and so that it would be virtually impossible to determine that your target was not guilty…"
Plus, "determining" can cost $350+ per hour.
Copyright 2015 by Golden G. Richard III (@nolaforensix)
28
Proposed solution from [1]:
"Establish defendant's computer expertise"
We'll let this slide for now, and as the talk progresses, try to imagine how much expertise would be required to fend off modern malware.
Copyright 2015 by Golden G. Richard III (@nolaforensix) 29
Proposed solution from [1]:
"Negate the factual foundation of the defense"
Means: illustrate that no malware is present
This might, or might not, be a fun time.
Copyright 2015 by Golden G. Richard III (@nolaforensix) 30 "Negate the Factual…" State of the Art
• Run antivirus • Find nothing • Assume accused was lying
• Unfortunately, antivirus is notoriously incapable of detecting new threats
Image: http://abovethelaw.com/uploads/2011/11/gavel-bang-2.jpg Copyright 2015 by Golden G. Richard III (@nolaforensix) 31 Web Browser Forensics
• An extremely important digital forensics tool • Take advantage of the fact that web browsers don't securely delete browsing history • Investigate history to reveal: – URLs of web sites visited – Images / media downloaded – Times they were accessed – Cookies, etc. – …
Copyright 2015 by Golden G. Richard III (@nolaforensix)
32
Firefox Browser History Google Search keywords
Copyright 2015 by Golden G. Richard III (@nolaforensix) 33
Copyright 2015 by Golden G. Richard III (@nolaforensix) 34 Browsing History + Intrigue
Copyright 2015 by Golden G. Richard III (@nolaforensix) 35 A Real Employee Misconduct Case
• Malware sample shared by a colleague • Internet Explorer browser cache loaded with thousands of “NSFW” images • Browser history: appears user spent her entire work day surfing porn sites • Images are located in precisely the right places to indicate intensive web browsing activity • Times that images are downloaded correspond to times the user was “working” at the computer • Employee will be fired
Copyright 2015 by Golden G. Richard III (@nolaforensix) 36 Oops, The “Trojan Defense” is True
• The user didn’t download the NSFW images • Difficult to detect malware is the culprit in case • Not explicitly detected by any commercial antivirus • Difficult to analyze – Written in Borland Delphi – Packed, crazy control flow, anti-debugging tricks • Mimics IE browsing to download porn using the IE API, in the background • No visible IE user interface • Synchronizes porn “surfing” with active computer activity Copyright 2015 by Golden G. Richard III (@nolaforensix) 37 “Background” Surfing
Copyright 2015 by Golden G. Richard III (@nolaforensix) 38
Mostly mischaracterizations: something is amiss, but what?
All's well! Carry on!
Copyright 2015 by Golden G. Richard III (@nolaforensix) 39
Source: Avast: https://blog.avast.com/wp-content/uploads/2013/11/01_censored2.png Copyright 2015 by Golden G. Richard III (@nolaforensix) 40
Realm of antivirus, etc.
computer
computer
computer
Photo: http://northerncomputer.ca/wp-content/uploads/2011/11/Computer-Ports.png Arrigo Triulzi, Project Maux MkII, PACSEC 2008 Copyright 2015 by Golden G. Richard III (@nolaforensix) 41 Evidence Handling: “Dead”
Make a perfect copy of evidence, examine evidence carefully, form hypotheses, …
Copyright 2015 by Golden G. Richard III (@nolaforensix) 42
Zaddach, Jonas, Anil Kurmus, Davide Balzarotti, Erik-Oliver Blass, Aurélien Francillon, Travis Goodspeed, Moitrayee Gupta, and Ioannis Koltsidas. "Implementation and implications of a stealth hard-drive backdoor." In Proceedings of the 29th Annual Computer Security Applications Conference, pp. 279-288. ACM, 2013. Copyright 2015 by Golden G. Richard III (@nolaforensix) 43 Windows Registry Analysis
• Forms the backbone of many Microsoft Windows digital forensics investigations • Reveals lots of info about user activities • Plus lots of information about system configuration • Malicious manipulation of this evidence, however, is trivial
Copyright 2015 by Golden G. Richard III (@nolaforensix) 44
Which files were recently accessed by a particular user?
NTUSER.dat file
Copyright 2015 by Golden G. Richard III (@nolaforensix) 45
SOFTWARE file
Which programs are installed on the machine? Which license keys are in use?
Copyright 2015 by Golden G. Richard III (@nolaforensix) 46
Which programs run automatically when a particular user logs in? NTUSER.dat file
Copyright 2015 by Golden G. Richard III (@nolaforensix) 47
Which programs run automatically when ANY user SOFTWARE file logs in?
Copyright 2015 by Golden G. Richard III (@nolaforensix) 48
Two Jumpdrive Elite thumbdrives
750GB USB hard drives (same type)
What has been plugged in?
SYSTEM file
Copyright 2015 by Golden G. Richard III (@nolaforensix) 49
Which URLS were typed recently by a particular user?
NTUSER.dat file
Copyright 2015 by Golden G. Richard III (@nolaforensix) 50 You will be terminated immediately by SquirrelHaters, LLC if you look at squirrel pictures at work!
Your signature indicates compliance with this policy.
X
Copyright 2015 by Golden G. Richard III (@nolaforensix) 51
Copyright 2015 by Golden G. Richard III (@nolaforensix) 52 #include
char buf[512], pathname[512]; HKEY hKey; long err;
err=RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Internet Explorer\\TypedURLs", 0,KEY_SET_VALUE,&hKey); err=RegSetValueEx(hKey, "url1", 0, REG_SZ, (const unsigned char*)"http://www.squirrels.com", strlen("http://www.squirrels.com")); RegCloseKey(hKey);
}
Copyright 2015 by Golden G. Richard III (@nolaforensix) 53
Copyright 2015 by Golden G. Richard III (@nolaforensix) 54
Malware can change the TypedURLs registry key, but so can users, using commonly available software
You can even create sets of URLs to load on demand…
Copyright 2015 by Golden G. Richard III (@nolaforensix) 55 PlaceRaider (revisited)
Robert Templeman, Zahid Rahman, David Crandall, and Apu Kapadia, “PlaceRaider: Virtual Theft in Physical Spaces with Smartphones,” In Proceedings of The 20th Annual Network & Distributed System Security Symposium (NDSS ’13), Copyright 2015 by Golden G. Richard III (@nolaforensix) 56
Copyright 2015 by Golden G. Richard III (@nolaforensix) 57
Copyright 2015 by Golden G. Richard III (@nolaforensix) 58
Copyright 2015 by Golden G. Richard III (@nolaforensix) 59
click click click click
click click click click click. Right? NO.
Copyright 2015 by Golden G. Richard III (@nolaforensix) It's our friend, eh? 60
Copyright 2015 by Golden G. Richard III (@nolaforensix) 61
Brocker, Matthew, and Stephen Checkoway. iSeeYou: Disabling the MacBook webcam indicator LED. Proceedings of USENIX Security, 2014.
Copyright 2015 by Golden G. Richard III (@nolaforensix) Ooops. 62
Copyright 2015 by Golden G. Richard III (@nolaforensix) 63 VENOM
VIRTUALIZED ENVIRONMENT NEGLECTED OPERATIONS MANIPULATION
Buffer overflow in floppy driver in Xen virtual machine manager—used in corporate and cloud infrastructure worldwide
Bug since…2004
Image from Crowdstrike: http://venom.crowdstrike.com/ Copyright 2015 by Golden G. Richard III (@nolaforensix) 64 Row Hammering
• "Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors" – Kim et al, ISCA 2014
• "Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges" – http://googleprojectzero.blogspot.com/2015/03/e xploiting-dram-rowhammer-bug-to-gain.html
Copyright 2015 by Golden G. Richard III (@nolaforensix)
65 Hammering
Copyright 2015 by Golden G. Richard III (@nolaforensix) 66
uid=1000 euid=1000
Copyright 2015 by Golden G. Richard III (@nolaforensix) 67
uid=1000 euid=1000
Copyright 2015 by Golden G. Richard III (@nolaforensix) 68
uid=1000 euid=1000
Copyright 2015 by Golden G. Richard III (@nolaforensix) 69
uid=1000 euid=1000
Copyright 2015 by Golden G. Richard III (@nolaforensix) 70
uid=1000 euid=1000
Copyright 2015 by Golden G. Richard III (@nolaforensix) 71
uid=0 euid=0
Copyright 2015 by Golden G. Richard III (@nolaforensix) 72 So? • Expertise + Empathy • Very powerful forensics tools combined with very powerful malware • Requires rethinking Trojan defense • Otherwise people without: – Very high degree of technical ability – Lots of resources ($$$) • Can be left in very unenviable positions • If you're already worrying about these issues, that's great • But not everyone is!
Copyright 2015 by Golden G. Richard III (@nolaforensix) 73
Plus: Are you willing to be Scotty? Drawing by Frank Adelstein, by request Copyright 2015 by Golden G. Richard III (@nolaforensix) 74
Copyright 2015 by Golden G. Richard III (@nolaforensix)