The Secret Lives of Hard Drives

Total Page:16

File Type:pdf, Size:1020Kb

The Secret Lives of Hard Drives 4:mag TIPS ON BREAKING INto THE FIELD MAC MALWARE. ARE YOU READY? You’ve heard THE RUMORS, BUT HOW MUCH DO YOU REALLY KNOW ABOUT... THE SECRET LIVES OF HARD DRIVES Issue 1 Q2 2013 4:HOME contents 4 events 5 editorial 6 a call to action 7 10 device and application data from ios devices 13 taking a byte out of apple computers 16 win - forensic contest 18 starting out and getting ahead 13 23 forensic 4cast awards 2013 25 pro-file 28 hard drive secrets revealed 34 4:ward Contents Pictures Courtesy of http://www.flickr.com/photos/razor512/7695485686/ http://www.flickr.com/photos/zoliblog/2214058583/ Cover Photo Courtesy of http://www.flickr.com/photos/amagill/89623319/ 28 4:mag - issue #1 Q2 2013 3 4:Take a look at EVENthe events that are coming up for every forensicator’sTS calendar AccessData Users Conference - Las Vegas, NV - April 23-25 Lee Whitfield Teaching SANS 408 - Toronto, Canada - April 29 - May 4 Subtle Enough? CEIC - Orlando, FL - May 19-22 Mobile Forensics World - Myrtle Beach, SC - Jun 2-5 FIRST Conference - Bangkok, Thailand - Jun 16-21 SANS Digital Forensics and Incident Respone Summit - Austin, TX - July 9-10 HTCIA International Conference - Summerlin, NV - September 8-11 SANS Forensics - Prague - October 6-12 Sleuthkit and Open Source Forensics Conference - Chantilly, VA - Nov 4-5 F3 Annual Workshop - Tortworth Court, UK - November 5-7 Have we missed anything? If you know of something happening and you think that it would interest other forensicators please let us know by emailing [email protected] Picture courtesy of http://www.flickr.com/photos/ter-burg/5808816530/ 4 4:mag - issue #1 Q2 2013 4:EVENTS 4:whichED often causes me to loseIT brand new theories or products focus and become upset when that are completely original. things don’t turn out exactly as Typically everything is born of planned. This magazine is one something else. of those. So, on with the first issue. We A year ago I came up with the have some great articles writ- concept; a completely free dig- ten by the best minds in the ital forensics magazine that, field (and Ken Johnson). just like the 4cast awards, is completely community driven. I love Gareth’s article on hard Life got in the way until just drives. I think that this is espe- recently. I felt the desire to get cially pertinent because we’re back into podcasting and to fo- now starting to see proof- cus on getting this magazine of-concept software coming reetings to all and wel- out for everyone to read. through showing how some of G come to the first edition of these firmware features are 4:mag. My goal is to publish once a being exploited. We will see quarter (and the occasional more of these in the coming Five years ago I persuaded special edition) with only the months I’m sure. my brother, Simon, to record best material. I want the mag- a new podcast for the digital azine to be completely free to In Sarah’s article we read that forensics community. I didn’t anyone that wants to read and Apple computers may have expect much response, the in- learn. This means that anyone had their day in the sun and, tention was, simply, to have from people with a casual in- as a result, been burned. While some fun. Little did I know the terest in forensics, to students, Mac malware is not yet main- amazing journey that awaited. to seasoned professionals can stream, it is certainly getting have access to the highest there. Here we are in 2013. The pod- quality articles available in the cast has seen great success. field. I hope you enjoy these and the Because of Forensic 4cast other articles we have com- I have travelled to amaz- I remember being a student, piled for your review. If you ing places and met some re- and then a new analyst, want- have any questions, comment, ally wonderful people. I really ing to learn and grow but the suggestions, or insults please feel a part of this community cost of the magazines and pe- send them to me at: and that is why I strive to give riodicals seemed to be quite back, hence this magazine. prohibitive. [email protected] Anyone who knows me will I’m an open source kind of Thanks for taking the time to testify to the fact that I don’t guy. I believe that knowledge read. Enjoy! like to stand still for more than is only attained because some- 5 minutes. I always have sev- one before you did the ground- Lee Whitfield eral things on the go at once work. Hardly ever do we see 4:mag - issue #1 Q2 2013 5 A CALL TO ACTION JESSE KORNBLUM LOG THE DATA SO WE CAN DO OUR JOBS It’s not just file system activ- to zero and injecting memo- ity which is deficient. Right ry resident code. Even worse now browser history logs only than destroying data, it’s pos- record the requests for whole sible for somebody to alter the pages. Many user actions, such data in question. The complete as clicks, drags, and “likes” absence of legitimate data is a are not logged. Pages which sign that something out of the involve a lot of dynamic con- ordinary has happened. But tent, for example, can be dif- when just the suspicious data ficult to reconstruct. A recent are deleted, or altered to look omputer forensic examin- article by Chad Tilbury, for legitimate, it can be a night- C ers don’t have the resourc- example, looked at extract- mare for the investigator. Not es necessary to answer the ing geolocation data, http:// all of the destruction is mali- questions we are being asked. computer-forensics.sans.org/ cious, of course. Data can be These are reasonable ques- blog/2012/04/11/big-brother- overwritten by legitimate us- tions: How did the attacker forensics-device-tracking-us- ers doing legitimate work, or get in? Which systems did they ing-browser-based-artifacts- by system administrators at- compromise? What data did part-2. The data of interest tempting to determine if an in- they get? But answering those wasn’t available in the browser cident occurred. Keeping these questions requires data which history, however, but only the data on the same computer are not found in the logs we cache. The user committed an which an attacker has compro- have. Instead we have to piece act which caused the brows- mised is making us vulnerable together answers based on er to send data over the net- to such destruction and ma- data stores never intended for work. The response was re- nipulation. In an age of cheap such purposes. With computer ceived, parsed, and displayed, and abundant storage, there security holding such a promi- but nothing was written to the is simply no excuse for losing nent position right now, we logs. An examiner working data because we didn’t have a should use this time to change on such a system would have copy of it. what is being logged and how a hard time reconstructing it’s being stored. We can pro- what the user did. Never for- The solution to these prob- vide better results, make our get that the primary purpose lems is to change the data we jobs easier, and make the com- of computer forensics is re- have our computers store and munity safer. constructing what a user did. how they store them. Answer- Sometimes that person is the ing the question “How did they victim, sometimes an attacker, Let’s pretend that we find an get in”, for example, would be sometimes both in the same unfamiliar executable on a com- much easier if we knew the case. But right now we do not promised host. How did it get time when each file on the have the resources necessary there? When did it get there? system was created, modified, to effectively reconstruct their When was it run? What did it or executed. For each process, activities. modify on the system? To an- we’d like to know when it was swer those questions we have executed, what process creat- some timestamps, a Prefetch In those cases where there ed it, any network access, and file, and perhaps a few registry is some meaningful data re- any registry and file modifica- keys, but that’s it. Worse, all of corded, it remains vulnerable tions. these footprints are stored on to both deliberate and acci- the compromised host, where dental destruction. The rise It would be foolish to record the attacker can either destroy of anti-forensics has given us these rich data on a poten- or alter them. We are currently malfeasants who understand tially compromised host. The relying on these traces for our the Prefetch directory and attacker could easily change cases. But they may not be wipe its contents during an in- or destroy all of this evidence, trustworthy, if available at all. trusion. There are automated leaving us in the same situ- tools for setting timestamps ation we are in now. The so- 4:mag - issue #1 Q2 2013 7 lution is off-host storage for Who gets to access them and In full disclosure, I have been these data. Log data is gen- when? Will employers use such involved in developing a prod- erally plain text, which com- records to monitor their own uct which records some of the presses well.
Recommended publications
  • User Space Memory Analysis
    User Space Memory Analysis Master's Thesis University of Twente Author: Committee: Edwin Smulders dr. J.Y. Petit prof. dr. P.H. Hartel R.B. van Baar, MSc (NFI) November 13, 2013 Contents 1 Introduction 5 1.1 Digital Forensics . .5 1.2 Memory Forensics . .5 1.3 Organisation of this document . .6 2 Problem Statement and Research Questions 7 2.1 Problem Statement . .7 2.2 Research Questions . .8 3 Related Work 11 3.1 Acquisition . 11 3.2 Platforms . 12 3.3 Multi-platform . 15 3.4 Userland . 15 3.5 Virtual Machines . 16 3.6 Other . 16 3.7 Conlusion . 17 4 Methodology 19 4.1 Introduction . 19 4.2 Methods . 19 4.3 Summary . 25 5 Data Acquisition 27 5.1 Virtualbox . 27 5.2 Operating Systems . 27 5.3 Applications . 28 6 Core Implementation 29 6.1 Registers . 29 6.2 System Calls . 30 6.3 Reverse engineering the PLT . 31 6.4 Stacks and Calling Conventions . 33 6.5 Optimizations . 35 3 6.6 Finding Main . 37 6.7 Limitations . 39 7 Considerations 41 7.1 Compile Options . 41 7.2 Static compilation . 43 7.3 Stripped executables . 43 8 Case Examples 45 8.1 Python networking test case . 45 8.2 Analysis of the steam locomotive . 47 9 Results and evaluation 51 9.1 Test data - Ubuntu 13.04 . 51 9.2 Tests and evaluation of swap use . 52 9.3 Registers . 53 9.4 System call analysis . 55 9.5 Stack analysis . 55 9.6 Register call analysis . 56 9.7 Method weaknesses .
    [Show full text]
  • The Acquisition and Analysis of Random Access Memory
    Currently “In Submission” to JDFP (some content may change before publication) THE ACQUISITION AND ANALYSIS OF RANDOM ACCESS MEMORY Timothy Vidas Naval Postgraduate School Monterey, CA ABSTRACT Mainstream operating systems (and the hardware they run on) fail to purge the contents of portions of volatile memory when that portion is no longer required for operation. Similar to how many file systems simply mark a file as deleted instead of actually purging the space that the file occupies on disk, Random Access Memory (RAM) is commonly littered with old information in unallocated space waiting to be reused. Additionally, RAM contains constructs and caching regions that include a wealth of state related information. The availability of this information along with techniques to recover it, provide new methods for investigation. This article discusses the benefits and drawbacks of traditional incident response methods compared to an augmented model that includes the capture and subsequent analysis of a suspect system’s memory, provides a foundation for analyzing captured memory, and provides suggestions for related work in an effort to encourage forward progress in this relatively new area of digital forensics. KEYWORDS: memory, random access memory, memory analysis, digital forensics, Windows forensics, incident response, best practices Tim Vidas is a Research Associate at the Naval Postgraduate School. He has been focusing research in the field of digital forensics for a few years and is now primarily working on in the area of trusted operating systems and kernels. In addition to research, he likes to teach and has a wide set of IT related interests. He maintains several affiliations like ACM, CERT, and Infragard and holds several certifications such as CISSP, Sec+ and EnCE.
    [Show full text]
  • Memory Analysis and What Data Can Be Extracted from Memory Vijaya Lakshmi1, Dr
    ISSN 2321 3361 © 2019 IJESC Research Article Volume 9 Issue No. 6 Memory Analysis and what Data can be Extracted from Memory Vijaya Lakshmi1, Dr. Neetu Sharma2 M.Tech Scholar1, HOD2 Department of Computer Forensic & Information Security1, Department of Computer Science & Engineering2 Ganga Institute of Technology and Management, Jhajjar Haryana, India Abstract: At present era of digital world, modern criminal investigators face an increasing number of computer-related crimes. This requires the application of digital forensic science. Digital investigation is becoming an increasing concern. Many digital forensic tools are being developed to deal with the challenge of investigating digital crimes. The major challenge that digital forensics practitioners face is the complicated task of acquiring an understanding of the digital data residing in electronic devices. Acquisition of memory from digital system or device is the first step in digital forensics analysis. Before any analysis can be done, we need to acquire the memory in the first place. Acquisition of volatile memory is one of the vital steps of digital forensics process. There are a number of commercial utilities to acquire memory, but there is also a few free and even open source equivalents. In this article, I am going to review some memory acquisition tools that are designed to deploy on a USB stick for quick incident response operations. Currently, this task requires significant experience and background to correctly analyze and aggregate the data that the tools provide from the digital artifacts. Most of the presently available tools, shows their results in text files or tree lists. It is up to the practitioner to mentally capture a global understanding of the state of the device at the time of seizure and find the useful items of evidentiary interest.
    [Show full text]
  • On the Viability of Memory Forensics in Compromised Environments
    On the Viability of Memory Forensics in Compromised Environments Zur Praktikabilit¨atvon Hauptspeicherforensik in kompromittierten Umgebungen Der Technischen Fakult¨atder Friedrich-Alexander-Universit¨at Erlangen-N¨urnberg zur Erlangung des Grades DOKTOR-INGENIEUR vorgelegt von Johannes Stuettgen aus Herdecke Als Dissertation genehmigt von der Technischen Fakult¨atder Friedrich-Alexander-Universit¨at Erlangen-N¨urnberg Tag der m¨undlichen Pr¨ufung: 28.05.2015 Vorsitzende des Promotionsorgans: Prof. Dr.-Ing. habil. Marion Merklein Gutachter: Prof. Dr.-Ing. Felix Freiling Prof. Dr. Michael Meier Abstract Memory forensics has become a powerful tool for the detection and analysis of ma- licious software. It provides investigators with an impartial view of a system, expos- ing hidden processes, threads, and network connections, by acquiring and analyzing physical memory. Because malicious software must be at least partially resident in memory in order to execute, it cannot remove all its traces from RAM. However, the memory acquisition process is vulnerable to subversion in compromised envi- ronments. Malicious software can employ anti-forensic techniques to intercept the acquisition and filter memory contents while they are copied. In this thesis, we analyze 12 popular memory acquisition tools for Windows, Linux, and Mac OS X, and study their implementation in regard to how they enumerate and map memory. We find that all of the analyzed programs use the operating system to perform these tasks, and further illustrate this by implementing an open source memory acquisition framework for Mac OS X. In a survey of kernel rootkit techniques, that prevent or filter physical memory access, we show that all 12 tested programs are vulnerable to anti-forensics, because they rely on the operating system for critical functions.
    [Show full text]
  • Memory Forensic
    [Jani et. al., Vol.5 (Iss.2: SE): February, 2018] ISSN: 2454-1907 [Communication, Integrated Networks & Signal Processing-CINSP 2018] DOI: 10.29121/ijetmr.v5.i2.2018.618 MEMORY FORENSIC: ACQUISITION AND ANALYSIS OF MEMORY AND ITS TOOLS COMPARISON Mital Parekh 1, Snehal Jani *2 1 Student in M.Tech, Department of Cyber Security, Raksha Shakti University, Ahmedabad, Gujarat, India *2 Assistant Professor, Amity School of Applied Sciences, Amity University Madhya Pradesh, Gwalior, India Abstract: The enhancement of technology has led to a considerable amount of growth in number of cases pertaining to cyber-crime and has raised an enormous challenge to tackle it effectively. There are various cyber forensic techniques and tools used to recover data from the devices to tackle cyber-crime. Present research paper focuses on performing memory forensic and analyzes the memory which contains many pieces of information relevant to forensic investigation, such as username, password, cryptographic keys, deleted files, deleted logs, running processes; that can be helpful to investigate the cyber-crime pining down the accused. The three main steps followed in memory forensic are acquiring, analyzing and recovering. Recovery of the evidences of crime from the volatile memory can be possible with the knowledge of different tools and techniques used in memory forensic. However, it is always tough to analyze volatile memory as it stays for a very short period. Not all tools can be used for memory forensic in every situation and therefore, it is important to have the knowledge of tools before applying to solve a particular cyber-crime. It is yet to establish on using a single tool for complete investigation, however, most of the tools used are successful in providing reasonable evidences.
    [Show full text]
  • Windows Memory Forensics
    J Comput Virol (2008) 4:83–100 DOI 10.1007/s11416-007-0070-0 SSTIC 2007 BEST ACADEMIC PAPERS Windows memory forensics Nicolas Ruff Received: 5 January 2007 / Revised: 15 July 2007 / Accepted: 2 October 2007 / Published online: 1 November 2007 © Springer-Verlag France 2007 Abstract This paper gives an overview of all known “live” Web site) provided decryption key (for more information memory collection techniques on a Windows system, and on cryptovirology, see [6–8]). In this case, “offline” analy- freely available memory analysis tools. Limitations and sis might be impossible if no key is available at the time of known anti-collection techniques will also be reviewed. Anal- analysis. ysis techniques will be illustrated through some practical That is why there has been a lot of interest in “live” foren- examples, drawn from past forensics challenges. This paper sics techniques in the last 3years, starting with DFRWS 2005 is forensics-oriented, but the information provided informa- [28] challenge. tion will also be of interest to malware analysts fighting This paper encompasses the following topics: against stealth rootkits. – “Live” memory collection tools; – Analysis tools; 1 Introduction – “Real life” examples; – Known anti-forensics techniques. “In memory only” intrusion came out from the lab to the field through the release of [Meterpreter] in 2004 [4]. Other tools (like Immunity [CANVAS] and Core [IMPACT]) [1,2]have been offering the same capability for a long time, but those 2 Live memory collection tools were specialized and expensive. On the other hand, Metasploit is a freely available Open Source intrusion frame- Collecting “live” memory is not an easy task.
    [Show full text]