
<p><strong>Digital Investigation and the Trojan Defense, Revisited</strong></p>
<p><strong>Golden G. Richard III</strong></p>
<p>Professor of Computer Science and University Research Professor<br>Director, Greater New Orleans Center for Information Assurance (GNOCIA)<br>University of New Orleans</p>
<p>GIAC-certified Digital Forensics Investigator<br>Founder, Arcane Alloy, LLC</p>
<p><em>[email protected] / [email protected] / @nolaforensix</em><br><a href="/goto?url=http://www.cs.uno.edu/~golden" target="_blank"><em>http://www.cs.uno.edu/~golden</em></a></p>
<p><strong>Who?</strong></p>
<p>Professor of Computer Science and University Research Professor, Director, Greater New Orleans Center for Information Assurance (GNOCIA), University of New Orleans<br><a href="/goto?url=http://www.cs.uno.edu/~golden" target="_blank">http://www.cs.uno.edu/~golden</a><br>Digital forensics, OS internals, reverse engineering, offensive computing, pushing students to the brink of destruction, et al.</p>
<p>Founder, Arcane Alloy, LLC. <a href="/goto?url=http://www.arcanealloy.com" target="_blank">http://www.arcanealloy.com</a><br>Digital forensics, reverse engineering, malware analysis, security research, tool development, training.</p>
<p>Co-Founder, Partner / Photographer, High ISO Music, LLC. <a href="/goto?url=http://www.highisomusic.com" target="_blank">http://www.highisomusic.com</a><br>Music. Rock stars. Earplugs.</p>
<p>Copyright 2015 by Golden G. Richard III (@nolaforensix)</p>
<p><strong>Digital Forensics</strong></p>
<p>“Tools and techniques to recover, preserve, and examine digital evidence stored on or transmitted by digital devices.”</p>
<p>Computers, PDAs, cellular phones, videogame consoles, digital cameras, copy machines, printers, digital voice recorders…</p>
<p><strong>What That Really Means</strong></p>
<ul><li>Data. “You only think it’s gone.”</li><li>Sensitive data tenaciously clings to life.</li><li>The vast majority of users—and lots of technical people, too—have no idea what’s really stored on their digital devices…</li><li>…and no ability to properly “clean up” even if they do suspect what’s there.</li></ul>
<p><strong>Where’s the Evidence?</strong></p>
<ul><li>Files and deleted files</li><li>Filesystem metadata</li><li>Application metadata</li><li>Windows registry</li><li>Print spool files</li><li>Hibernation files</li><li>Temp files</li><li>Log files</li><li>Browser caches</li><li>Network traces</li><li>Slack space</li><li>Swap files</li><li>RAM: OS and app data structures (volatile evidence)</li></ul>
<p><strong>How awesome are we?</strong></p>
<p><strong>File Carving</strong></p>
<p>[Figure: a run of disk blocks, drawn one sector and one cluster at a time, with an interesting file embedded among unrelated disk blocks. Carving locates the file by its header, e.g., 0x474946e8e761 (GIF), and footer, e.g., 0x003B (GIF), and by intermediate “milestones” or “anti-milestones”.]</p>
<p><strong>Awesomeness Progression: File Carving</strong></p>
<p>[Figure: timeline with the stages “Chaos: can't carve files”, “Can carve files, but not very well”, “More accurate”, “Faster”, and “Yay!”, annotated: manual hex editor stuff; tools appear, but have issues; file type aware carving, et al; fragmentation, damned spinning disks!; multithreading, better design.]</p>
<p>Images: <a href="/goto?url=https://easiersaidblogdotcom.files.wordpress.com/2013/02/hot_dogger.jpg" target="_blank">https://easiersaidblogdotcom.files.wordpress.com/2013/02/hot_dogger.jpg</a>, <a href="/goto?url=http://cdn.bigbangfish.com/555/Cow/Cow-6.jpg" target="_blank">http://cdn.bigbangfish.com/555/Cow/Cow-6.jpg</a>, <a href="/goto?url=http://f.tqn.com/y/bbq/1/W/U/i/Big_green_egg_large.jpg" target="_blank">http://f.tqn.com/y/bbq/1/W/U/i/Big_green_egg_large.jpg</a>, <a href="/goto?url=http://i5.walmartimages.com/dfw/dce07b8c-bb22/k2-_95ea6c25-e9aa-418e-a3a2-8e48e62a9d2e.v1.jpg" target="_blank">http://i5.walmartimages.com/dfw/dce07b8c-bb22/k2-_95ea6c25-e9aa-418e-a3a2-8e48e62a9d2e.v1.jpg</a></p>
<p><strong>Memory Analysis</strong></p>
<ul><li>Capture RAM from live system: physical memory dumping tool, VM memory snapshot, VM introspection</li><li>Analyze memory dump: strings, carving, Volatility, VM introspection</li><li>Expose interesting volatile evidence</li></ul>
<p><strong>Memory Analysis: Evidence</strong></p>
<ul><li>Processes (dead / alive): e.g., discover and analyze unauthorized programs; detect keystroke loggers, hidden processes</li><li>Open files</li><li>Network connections: e.g., find backdoors, connections to contraband sites</li><li>Volatile registry contents: portions of the Windows registry that are never stored on disk</li><li>Volatile application data: e.g., plaintext for encrypted material, chat messages, email fragments, volatile web browser history</li><li>Clipboard data: volatile contents of the clipboard</li></ul>
<p><strong>Awesomeness Progression: Memory Forensics</strong></p>
<p>[Figure: timeline with the stages “Chaos: run strings?”, “Pioneering efforts show great promise”, “More, more, more”, “Beyond Windows”, and “??”, annotated: manual, run strings, little context; pt_finder et al, awesome but limited; more attention to malware, filling in the gaps, GPU stuff, etc.; Mac, Linux, BSD functionality; …]</p>
<p>Images: <a href="/goto?url=https://s-media-cache-ak0.pinimg.com/736x/75/5a/37/755a37727586c57a19d42caa650d242e.jpg" target="_blank">https://s-media-cache-ak0.pinimg.com/736x/75/5a/37/755a37727586c57a19d42caa650d242e.jpg</a>, <a href="/goto?url=http://img.photobucket.com/albums/v136/Hell2Pay77/SS-trucks.jpg" target="_blank">http://img.photobucket.com/albums/v136/Hell2Pay77/SS-trucks.jpg</a>, <a href="/goto?url=http://skateandannoy.com/wp-content/uploads/2007/12/sportsbars.jpg" target="_blank">http://skateandannoy.com/wp-content/uploads/2007/12/sportsbars.jpg</a>, <a href="/goto?url=http://gainesvillescene.com/wp-content/uploads/2013/03/dog-longboard.jpg" target="_blank">http://gainesvillescene.com/wp-content/uploads/2013/03/dog-longboard.jpg</a></p>
<p><strong>Memory Analysis: 2004</strong></p>
<p><strong>$ grep -i murder /dev/mem</strong></p>
<p>I loved Sally, but I murdered her in the park on… Murder Murderer! Blood is on your shoulders! Murderous You murdered my hamster! Murdered</p>
<p><strong>Detecting Hidden Resource Utilization</strong></p>
<ul><li>Adversary: Direct Kernel Object Manipulation (DKOM)</li><li>Strategy: Deep analysis and cross-correlation of kernel data structures to reveal hidden resource utilization</li></ul>
<p>[Figure: the doubly-linked process list in the Windows kernel, before and after <strong>C:\&gt; fu -ph 2260</strong> unlinks the entry for PID 2260. The process continues to run because the Windows scheduler handles threads, not processes.]</p>
<p>[Figure: FU on PID 2260]</p>
<p><strong>DKOM Hidden Process Detection in Volatility</strong></p>
<p><strong>So we're awesome, right?</strong></p>
<p><strong>Unfortunately</strong></p>
<p>What evidence is present and what can be recovered? How hard is it to recover? Did malware play a role? What “evidence” was actually “recovered”?</p>
<p><strong>Technical Difficulty Increasing</strong></p>
<p><strong>Unfortunately, Part 2</strong></p>
<p>The same questions, now under the label <strong>Misinformation Abounds</strong>.</p>
<p><strong>Digital Forensics</strong></p>
<ul><li>Settle Intellectual Property Disputes</li><li>Investigate Employee Misconduct</li><li>Uncover Fraud</li><li>Discover Insider Threats</li><li>Investigate Child Exploitation</li><li>Prosecute Thieves, Kidnappers, Murderers</li></ul>
<p>[The next slide repeats this list with the word “malware” overlaid.]</p>
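<p>The File Carving slide above describes locating a file among unrelated disk blocks by its header and footer. The following is an added example, not code from the deck or from any carving tool it mentions: a minimal header/footer carver in Python run over a constructed disk image. The GIF, JPEG and PNG magic values are the real ones; the 512-byte sector, the 64 KiB size cap, the sample image and the function names are assumptions made for this example.</p>

```python
"""Header/footer file carving over a constructed disk image (added example)."""
import random
from collections import namedtuple

SECTOR = 512  # headers are assumed to start on a sector boundary, as in the slide's block diagram

# File type -> (header magic, footer magic, maximum file size to search for the footer).
# The magic values are the real GIF89a, JPEG and PNG signatures; the 64 KiB cap is an assumption.
SIGNATURES = {
    "gif":  (b"GIF89a",            b"\x00\x3b",       64 * 1024),
    "jpeg": (b"\xff\xd8\xff",      b"\xff\xd9",       64 * 1024),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 64 * 1024),
}

# end and data are None when a header was found but no footer followed within the size cap
Carved = namedtuple("Carved", "ftype start end data")


def carve(image, sector=SECTOR, signatures=SIGNATURES):
    """Return every header found at a sector boundary, with its footer when one is in range."""
    results = []
    for offset in range(0, len(image), sector):
        for ftype, (header, footer, max_size) in signatures.items():
            if not image.startswith(header, offset):
                continue
            # Bound the footer search: an unbounded search would glue this header to a
            # footer that belongs to some later, unrelated file.
            window_end = min(len(image), offset + max_size)
            idx = image.find(footer, offset + len(header), window_end)
            if idx == -1:
                # Header without a footer in range: a fragment, an overwritten file, or
                # bytes that merely look like a header. Report it rather than guess an end.
                results.append(Carved(ftype, offset, None, None))
            else:
                end = idx + len(footer)
                results.append(Carved(ftype, offset, end, image[offset:end]))
    return results


def build_sample_image(seed=7):
    """Constructed image: junk blocks, a GIF, more junk, a JPEG, then an orphaned GIF header."""
    rng = random.Random(seed)

    def filler(n):
        # Junk bytes never contain 0x00 or 0xff, so no footer can appear inside them by chance.
        return bytes(rng.randrange(1, 255) for _ in range(n))

    def pad(blob):
        return blob + filler(-len(blob) % SECTOR)  # pad to the next sector boundary

    gif = b"GIF89a" + filler(300) + b"\x00\x3b"             # 308 bytes; not a decodable image
    jpeg = b"\xff\xd8\xff\xe0" + filler(700) + b"\xff\xd9"  # 706 bytes
    orphan = b"GIF89a" + filler(100)                        # header whose footer was overwritten
    image = (filler(3 * SECTOR) + pad(gif) + filler(2 * SECTOR)
             + pad(jpeg) + pad(orphan) + filler(SECTOR))
    return image, gif, jpeg


if __name__ == "__main__":
    image, gif, jpeg = build_sample_image()
    for c in carve(image):
        status = f"{c.end - c.start} bytes" if c.data is not None else "no footer within limit"
        print(f"{c.ftype:5s} @ {c.start:6d}: {status}")
```

<p>Running it reports the GIF and JPEG with their sizes and reports the third header without an end rather than joining it to some later footer; joining them would produce a carved “file” that never existed on the disk, which is exactly the kind of recovered “evidence” the later Unfortunately slides question.</p>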
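<p>The Detecting Hidden Resource Utilization slide names the strategy, cross-correlation of kernel data structures, without showing it. The following is an added example, not the deck's own code and not Volatility's: a toy memory layout in Python holding a circular doubly-linked process list and scheduler thread records, an unlink_process helper that reproduces the effect the slide draws for fu -ph 2260, and three views of the same bytes (a list walk, a tag scan, and a thread-owner scan) that are cross-correlated to surface the unlinked process. The 32-byte record layout, the tags, the pids and the names are all constructed for this example and are not the real Windows structures.</p>

```python
"""Cross-view detection of a process unlinked from a kernel process list (added example)."""
import struct

# Toy record layout (an assumption, not the real EPROCESS/ETHREAD layout):
# 4-byte tag, 4-byte id (pid or tid), 4-byte flink (owner pid for threads),
# 4-byte blink, 16-byte name. Little-endian, 32 bytes per record.
REC = struct.Struct("<4sIII16s")
REC_SIZE = REC.size
HEAD, PROC, THRD = b"Head", b"Proc", b"Thrd"


def read(mem, off):
    return REC.unpack_from(mem, off)


def build_dump():
    """Constructed memory: a list head at offset 0, four process records on a circular
    doubly-linked list, and scheduler thread records that name their owning pid."""
    procs = [(4, b"System"), (512, b"explorer.exe"), (2260, b"suspect.exe"), (3020, b"notepad.exe")]
    threads = [(8, 4), (520, 512), (2264, 2260), (2268, 2260), (3024, 3020)]
    mem = bytearray(64 * REC_SIZE)                      # 2 KiB, zero-filled between records
    offsets = [0] + [64 * (i + 1) for i in range(len(procs))]
    n = len(offsets)
    for i, off in enumerate(offsets):
        flink, blink = offsets[(i + 1) % n], offsets[(i - 1) % n]
        if i == 0:
            mem[off:off + REC_SIZE] = REC.pack(HEAD, 0, flink, blink, b"")
        else:
            pid, name = procs[i - 1]
            mem[off:off + REC_SIZE] = REC.pack(PROC, pid, flink, blink, name)
    for j, (tid, owner) in enumerate(threads):
        off = 1024 + j * REC_SIZE
        mem[off:off + REC_SIZE] = REC.pack(THRD, tid, owner, 0, b"")
    return mem


def pslist(mem, head=0):
    """View 1: walk the linked list from the head, as a naive process lister does."""
    listed, visited = {}, set()
    off = read(mem, head)[2]
    while off != head and off not in visited:          # visited guards against a cut list
        visited.add(off)
        tag, pid, flink, _, name = read(mem, off)
        if tag != PROC:
            break
        listed[pid] = name.rstrip(b"\0").decode()
        off = flink
    return listed


def psscan(mem):
    """View 2: find every Proc-tagged record wherever it sits, ignoring the links (tag scanning)."""
    found = {}
    for off in range(0, len(mem) - REC_SIZE + 1, 4):
        if mem[off:off + 4] == PROC:
            _, pid, _, _, name = read(mem, off)
            found[pid] = name.rstrip(b"\0").decode()
    return found


def thread_owners(mem):
    """View 3: the scheduler's thread records, grouped by the pid each thread belongs to."""
    owners = {}
    for off in range(0, len(mem) - REC_SIZE + 1, 4):
        if mem[off:off + 4] == THRD:
            _, tid, owner, _, _ = read(mem, off)
            owners.setdefault(owner, []).append(tid)
    return owners


def find_hidden(mem):
    """Cross-correlate: a pid known to the scanner or the scheduler but absent from the list walk."""
    listed, scanned, owners = pslist(mem), psscan(mem), thread_owners(mem)
    return {pid: {"name": scanned.get(pid), "threads": owners.get(pid, [])}
            for pid in sorted(set(scanned) | set(owners)) if pid not in listed}


def unlink_process(mem, pid):
    """Reproduce the effect drawn on the slide: splice one record out of the list by
    repointing its neighbours. The record and its threads stay in memory untouched."""
    for off in range(0, len(mem) - REC_SIZE + 1, 4):
        tag, p, flink, blink, _ = read(mem, off)
        if tag == PROC and p == pid:
            t, i, f, _, nm = read(mem, flink)
            mem[flink:flink + REC_SIZE] = REC.pack(t, i, f, blink, nm)
            t, i, _, b, nm = read(mem, blink)
            mem[blink:blink + REC_SIZE] = REC.pack(t, i, flink, b, nm)
            return True
    return False


if __name__ == "__main__":
    mem = build_dump()
    unlink_process(mem, 2260)
    print("pslist :", sorted(pslist(mem)))
    print("psscan :", sorted(psscan(mem)))
    print("hidden :", find_hidden(mem))
```

<p>After the unlink, the list walk no longer sees PID 2260, while the tag scan still finds its record and the thread scan still finds its two threads; any pid present in the second or third view but not the first is reported as hidden. This is the idea behind comparing list-walking and scanning process plugins in a memory analysis framework: whoever edits one structure has to edit every other structure that references the process, and the scheduler's thread bookkeeping is one that cannot be dropped without the process ceasing to run, which is the point the slide makes.</p>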