Digital Investigation and Trojan Defense.Pdf

Digital Investigation and the Trojan Defense, Revisited

Golden G. Richard III

Professor of Computer Science and University Research Professor Director, Greater New Orleans Center for Information Assurance (GNOCIA) University of New Orleans

GIAC-certified Digital Forensics Investigator Founder, Arcane Alloy, LLC

[email protected] / [email protected] / @nolaforensix http://www.cs.uno.edu/~golden

2 Who?

Professor of Computer Science and University Research Professor, Director, Greater New Orleans Center for Information Assurance (GNOCIA), University of New Orleans http://www.cs.uno.edu/~golden Digital forensics, OS internals, reverse engineering, offensive computing, pushing students to the brink of destruction, et al.

Founder, Arcane Alloy, LLC. http://www.arcanealloy.com Digital forensics, reverse engineering, malware analysis, security research, tool development, training.

Co-Founder, Partner / Photographer, High ISO Music, LLC. http://www.highisomusic.com Music. Rock stars. Earplugs.

“Tools and techniques to recover, preserve, and examine digital evidence stored on or transmitted by digital devices.” Computers, PDAs, cellular phones, videogame consoles, digital cameras, copy machines, printers, digital voice recorders… 4 What That Really Means

• Data. “You only think it’s gone.” • Sensitive data tenaciously clings to life.

• The vast majority of users—and lots of technical people, too— have no idea what’s really stored on their digital devices… • …and no ability to properly “clean up” even if they do suspect what’s there

Files and Filesystem Application Windows Deleted Files metadata metadata registry

Print spool Hibernation Temp files Log files files files

Browser Network Slack space Swap files caches traces

RAM: OS and app data Volatile Evidence structures

one sector

header, e.g., footer, e.g., 0x474946e8e761 0x003B (GIF) (GIF)

“milestones” or “anti-milestones”

Can carve Chaos: files, but More can't Faster not very accurate Yay! carve files well

Tools Manual File type Fragmentation, appear, Multithreading, hex editor aware damned but have better design stuff carving, et al spinning disks! issues

Images: https://easiersaidblogdotcom.files.wordpress.com/2013/02/hot_dogger.jpg http://cdn.bigbangfish.com/555/Cow/Cow-6.jpg, http://f.tqn.com/y/bbq/1/W/U/i/Big_green_egg_large.jpg http://i5.walmartimages.com/dfw/dce07b8c-bb22/k2-_95ea6c25-e9aa-418e-a3a2-8e48e62a9d2e.v1.jpg Copyright 2015 by Golden G. Richard III (@nolaforensix) 9 Memory Analysis

• physical memory dumping tool Capture RAM • VM memory snapshot from live system • VM introspection

• strings Analyze • carving Memory Dump • Volatility • VM introspection

Expose interesting volatile evidence

Processes (dead / alive) e.g., discover and analyze unauthorized programs

e.g., detect keystroke loggers, Open files hidden processes

e.g., find backdoors, connections Network connections to contraband sites

Volatile registry contents portions of Windows registry that are never stored on disk

Volatile application data e.g., plaintext for encrypted material, chat messages, email fragments, volatile web browser history Clipboard data volatile contents of clipboard

Pioneering Chaos: More, efforts Beyond run more, show great Windows ?? strings? more promise

pt_finder et al More attention Manual, Mac, … awesome but to malware, run strings, Linux, BSD filling in the gaps, little context limited functionality GPU stuff, etc.

Images: https://s-media-cache-ak0.pinimg.com/736x/75/5a/37/755a37727586c57a19d42caa650d242e.jpg,, http://img.photobucket.com/albums/v136/Hell2Pay77/SS-trucks.jpg http://skateandannoy.com/wp-content/uploads/2007/12/sportsbars.jpg, http://gainesvillescene.com/wp-content/uploads/2013/03/dog-longboard.jpg Copyright 2015 by Golden G. Richard III (@nolaforensix) 12 Memory Analysis: 2004 $ grep –i murder /dev/mem

I loved Sally, but I murdered her in the park on… Murder Murderer! Blood is on your shoulders! Murderous You murdered my hamster! Murdered

• Adversary: Direct Kernel Object Manipulation (DKOM) • Strategy: Deep analysis and cross-correlation of data kernel data structures to reveal hidden resource utilization

PID = 2260

Doubly-linked process list in Windows kernel

Processes continue to run because Windows C:\> fu –ph 2260 scheduler handles threads, not processes

PID = 2260

FU on PID 2260

DKOM Hidden Process Detection in Volatility

What evidence is How hard is it to present and what recover? can be recovered? Technical Difficulty Increasing What “evidence” Did malware play was actually a role? “recovered”?

What evidence is How hard is it to present and what recover? can be recovered?

Misinformation Abounds

What “evidence” Did malware play was actually a role? “recovered”?

Uncover Fraud Investigate Employee Misconduct

Investigate Child Exploitation Discover Insider Threats Prosecute Thieves, Kidnappers, Murderers

Uncover Fraud Investigate Employee Misconduct

malware

Investigate Child Exploitation Discover Insider Threats Prosecute Thieves, Kidnappers, Murderers Copyright 2015 by Golden G. Richard III (@nolaforensix) 21 Digital Forensics Settle Intellectual Property Disputes

Uncover Fraud Investigate Employee Misconduct

malware

Software whose execution carries out actions crafted with malicious intent

Or, basically,

Software that does bad stuff.

• “Traditional” Malware – Hacking exercise – “My mad skillz are better than yours” – Mostly, annoying – Possibly, data destruction • Now – Monetized, targeted – Skillz  Skill$ – Extremely sophisticated, hard to investigate – Persistent – Serious risks for data theft / catastrophic damage

• Capture data – Keystrokes – Audio – Video – Email – Text messages – Screenshots – Network traffic • Exfiltrate data • Delete important data • Hold data for ransom • Deliberately incriminate users – Cyberattacks – NSFW imagery / documents – Child porn – … Copyright 2015 by Golden G. Richard III (@nolaforensix) 25 Malware: Fallacies

• "It's incredibly hard to write!" – Sometimes. – But you can buy it, copy it from the Internet. – And basic malicious intent is very easy to code. • "Antivirus! Yay, Antivirus!" – Generally, no. – Doesn't mean you don't want to use it. – Just don't lean on it too much. – It's not that awesome. • "Criminals are stupid!" – Generally, we catch the stupid(er) ones. – The rest are pretty smart.

• Variant of the SODDI defense—"Some Other Dude Did It" • Claim by accused: "Wasn't me. Malware did it." – “I didn’t download that stuff—a virus did it” – “I didn’t take the money out of that account” – “I didn’t leak that document!” • Problem #1: – Overused. We can't let everyone walk. • Problem # 2: – Increasingly, the malware might actually have done it.

[1] Brenner, Susan W., Brian Carrier, and Jef Henninger. The Trojan Horse Defense in Cybercrime Cases," Santa Clara Computer & High Tech. LJ 21 (2004): 1.

The second problem…

"As Mark Rasch, former head of the Department of Justice's Computer Crime and Intellectual Property Section, explained, it is relatively easy to manufacture and plant electronic evidence consistent with guilt. In fact, with a few skills and tools, not only could you plant such evidence, but you could do so in such a way as to be virtually undetected, and so that it would be virtually impossible to determine that your target was not guilty…"

Plus, "determining" can cost $350+ per hour.

Proposed solution from [1]:

"Establish defendant's computer expertise"

We'll let this slide for now, and as the talk progresses, try to imagine how much expertise would be required to fend off modern malware.

Proposed solution from [1]:

"Negate the factual foundation of the defense"

Means: illustrate that no malware is present

This might, or might not, be a fun time.

• Run antivirus • Find nothing • Assume accused was lying

• Unfortunately, antivirus is notoriously incapable of detecting new threats

• An extremely important digital forensics tool • Take advantage of the fact that web browsers don't securely delete browsing history • Investigate history to reveal: – URLs of web sites visited – Images / media downloaded – Times they were accessed – Cookies, etc. – …

Firefox Browser History Google Search keywords

• Malware sample shared by a colleague • Internet Explorer browser cache loaded with thousands of “NSFW” images • Browser history: appears user spent her entire work day surfing porn sites • Images are located in precisely the right places to indicate intensive web browsing activity • Times that images are downloaded correspond to times the user was “working” at the computer • Employee will be fired

• The user didn’t download the NSFW images • Difficult to detect malware is the culprit in case • Not explicitly detected by any commercial antivirus • Difficult to analyze – Written in Borland Delphi – Packed, crazy control flow, anti-debugging tricks • Mimics IE browsing to download porn using the IE API, in the background • No visible IE user interface • Synchronizes porn “surfing” with active computer activity Copyright 2015 by Golden G. Richard III (@nolaforensix) 37 “Background” Surfing

Mostly mischaracterizations: something is amiss, but what?

All's well! Carry on!

Realm of antivirus, etc.

computer

Photo: http://northerncomputer.ca/wp-content/uploads/2011/11/Computer-Ports.png Arrigo Triulzi, Project Maux MkII, PACSEC 2008 Copyright 2015 by Golden G. Richard III (@nolaforensix) 41 Evidence Handling: “Dead”

Make a perfect copy of evidence, examine evidence carefully, form hypotheses, …

Zaddach, Jonas, Anil Kurmus, Davide Balzarotti, Erik-Oliver Blass, Aurélien Francillon, Travis Goodspeed, Moitrayee Gupta, and Ioannis Koltsidas. "Implementation and implications of a stealth hard-drive backdoor." In Proceedings of the 29th Annual Computer Security Applications Conference, pp. 279-288. ACM, 2013. Copyright 2015 by Golden G. Richard III (@nolaforensix) 43 Windows Registry Analysis

• Forms the backbone of many Microsoft Windows digital forensics investigations • Reveals lots of info about user activities • Plus lots of information about system configuration • Malicious manipulation of this evidence, however, is trivial

Which files were recently accessed by a particular user?

NTUSER.dat file

SOFTWARE file

Which programs are installed on the machine? Which license keys are in use?

Which programs run automatically when a particular user logs in? NTUSER.dat file

Which programs run automatically when ANY user SOFTWARE file logs in?

Two Jumpdrive Elite thumbdrives

750GB USB hard drives (same type)

What has been plugged in?

SYSTEM file

Which URLS were typed recently by a particular user?

NTUSER.dat file

Your signature indicates compliance with this policy.

char buf[512], pathname[512]; HKEY hKey; long err;

err=RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Internet Explorer\\TypedURLs", 0,KEY_SET_VALUE,&hKey); err=RegSetValueEx(hKey, "url1", 0, REG_SZ, (const unsigned char*)"http://www.squirrels.com", strlen("http://www.squirrels.com")); RegCloseKey(hKey);

}

Malware can change the TypedURLs registry key, but so can users, using commonly available software

You can even create sets of URLs to load on demand…

Robert Templeman, Zahid Rahman, David Crandall, and Apu Kapadia, “PlaceRaider: Virtual Theft in Physical Spaces with Smartphones,” In Proceedings of The 20th Annual Network & Distributed System Security Symposium (NDSS ’13), Copyright 2015 by Golden G. Richard III (@nolaforensix) 56

click click click click

click click click click click. Right? NO.

Brocker, Matthew, and Stephen Checkoway. iSeeYou: Disabling the MacBook webcam indicator LED. Proceedings of USENIX Security, 2014.

VIRTUALIZED ENVIRONMENT NEGLECTED OPERATIONS MANIPULATION

Buffer overflow in floppy driver in Xen virtual machine manager—used in corporate and cloud infrastructure worldwide

Bug since…2004

• "Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors" – Kim et al, ISCA 2014

• "Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges" – http://googleprojectzero.blogspot.com/2015/03/e xploiting-dram-rowhammer-bug-to-gain.html

65 Hammering

uid=1000 euid=1000

uid=0 euid=0

Copyright 2015 by Golden G. Richard III (@nolaforensix) 72 So? • Expertise + Empathy • Very powerful forensics tools combined with very powerful malware • Requires rethinking Trojan defense • Otherwise people without: – Very high degree of technical ability – Lots of resources ($$$) • Can be left in very unenviable positions • If you're already worrying about these issues, that's great • But not everyone is!