
Digital Forensics - The Good, the Bad and the Ugly


Presentation from the Linuxwochen Wien 2016 #lww2016

Published in: Software

Digital Forensics - The Good, the Bad and the Ugly

  1. Digital Forensics: The good, the bad and the ugly (Martin Schmiedecker)
  2. Outline
     • What is Digital Forensics?
     • Tools in Linux
     • The Good
     • The Bad
     • The Ugly
     • Fly Me to the Moon!
  3. What is Digital Forensics?
  4. What is Digital Forensics? Collection of tasks conducted by:
     • system administrators
     • DevOps
     • network engineers
     • law enforcement
  5. What is Digital Forensics? What it’s not: CSI {Miami|LasVegas|Navy|Cyber}
  6. What is Digital Forensics? Basic principles:
     • documentation is everything!
     • preserve integrity at all costs
     • calculate and check hash values
     • know your tools
     • seriously, documentation is everything!!!1elf
  7. What is Digital Forensics? Computer off:
     • do not turn on!
     • remove hard drives
     • create two images with a hardware write-blocker:
       ◦ backup copy, straight to the safe
       ◦ working copy
     • always do byte-level copies!
  8. What is Digital Forensics?
  9. What is Digital Forensics? Some (random) example:
     • FTP warez scene, simultaneous raids
     • servers stored in a data center
     • analysis shows encrypted RAID for FTP storage
     • system partition was unencrypted
     • plenty of logs, directory listings, ...
  10. What is Digital Forensics? Very broad spectrum:
     • operating systems
     • file systems
     • networks & protocols
     • apps, databases, encryption, ...
     But also:
     • reporting & presentation
  11. What is Digital Forensics? Challenges:
     • data storage is cheap
     • encryption
     • data not easily accessible
     • time often limited
     • only constant factor is change
  12. Tools in Linux
  13. The Good: Kali
  14. The Good: Kali
  15. The Good: Deft
  16. The Good: Deft
  17. The Good: SIFT. SIFT Workstation:
     • SANS Investigative Forensic Toolkit (SIFT) Workstation
     • install Ubuntu, run a single .sh script, done
     • contains all tools necessary
  18. The Good: SIFT
  19. The Good: volatility. volatility:
     • collection of Python scripts
     • extracts information from RAM images
     • works for almost all platforms
     • book “The Art of Memory Forensics”
  20. The Bad: strings. strings:
     • can be used for keyword search
     • sometimes effective
     • easy to use
     • can miss a lot
  21. The Bad: RAM. RAM is hard to capture:
     • acquisition changes things
     • Firewire, cold boot, /dev/fmem
     • no silver bullet available
  22. The Bad: Cloud. Cloud computing:
     • = someone else’s computer
     • Facebook, Amazon EC2, Google Compute
     • no direct access
     • trust in the service operator
  23. The Ugly: Wireshark. Wireshark:
     • Swiss army knife for networks
     • very powerful decoders (streams, TLS, ...)
     but:
     • complicated
     • non-intuitive
  24. The Ugly: Autopsy
  25. The Ugly: xplico
  26. Fly Me to the Moon!
  27. bulk extractor. bulk extractor:
     • tool(-set) by Simson Garfinkel
     • highly parallelized, very powerful!
     • open-source
     • can find otherwise overlooked data
  28. bulk extractor. bulk extractor techniques:
     • bulk analysis
     • uses no file system metadata
     • similar to file carving
     • loads pages from disk for processing
  29. bulk extractor. bulk extractor operation:
     • analyzes data using “scanners”
     • scanners run sequentially
     • extracts “features”, stores them in files
     • recursive scanners: do, rinse, repeat
  30. bulk extractor. Examples of features:
     • AES keys
     • email addresses
     • credit card information
     • GPS, wordlist, and many more
     • implemented in “basic” scanners
  31. bulk extractor. Recursive scanners:
     • most notably: decompress ZIP files
     • .docx, .pptx is zipped XML
     • also PDF, base64, ...
     do, rinse, repeat:
     • optimistic decoding used
     • then: feed the decoded buffer back in to be analyzed
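The scanner/feature/recursion model of slides 28 to 31, as an added illustration (this is example code written for this page, not bulk_extractor's own implementation): a feature scanner for e-mail addresses, two recursive scanners (base64 and zlib) that optimistically decode what they find and feed the result back into the work queue, and a forensic-path string of the form offset-SCANNER-offset that records where a feature came from. The sample buffer is constructed; the regexes and the zlib-header heuristic are simplifications.

```python
import base64
import re
import zlib

# A scanner takes (buf, prefix) and returns (features, decoded_buffers). prefix is
# the forensic path so far; decoded buffers extend it with "offset-SCANNER-".
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(rb"(?:[A-Za-z0-9+/]{4}){8,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")

def scan_email(buf, prefix):
    feats = [("email", m.group().decode(), f"{prefix}{m.start()}") for m in EMAIL_RE.finditer(buf)]
    return feats, []

def scan_base64(buf, prefix):
    decoded = []
    for m in B64_RE.finditer(buf):
        try:  # optimistic decoding: drop the candidate if it does not decode
            decoded.append((base64.b64decode(m.group(), validate=True), f"{prefix}{m.start()}-BASE64-"))
        except ValueError:  # binascii.Error is a ValueError
            pass
    return [], decoded

def scan_zlib(buf, prefix):
    decoded = []
    for m in re.finditer(rb"\x78\x9c", buf):  # common zlib stream header (assumption)
        d = zlib.decompressobj()
        try:
            out = d.decompress(buf[m.start():])
        except zlib.error:
            continue
        if d.eof:  # keep only streams that decompressed to a clean end
            decoded.append((out, f"{prefix}{m.start()}-ZLIB-"))
    return [], decoded

SCANNERS = [scan_email, scan_base64, scan_zlib]

def run_scanners(buf, max_depth=4):
    # do, rinse, repeat: every decoded buffer goes back through all scanners
    features, work = [], [(buf, "", 0)]
    while work:
        data, prefix, depth = work.pop()
        for scanner in SCANNERS:
            found, decoded = scanner(data, prefix)
            features.extend(found)
            if depth < max_depth:  # bound the recursion
                work.extend((d, p, depth + 1) for d, p in decoded)
    return features

def build_sample():
    # Constructed: one plain address, one inside base64, one inside base64 inside zlib.
    deep = base64.b64encode(b"xx deep.target@example.net xx")
    hidden = base64.b64encode(b"xx hidden.person@example.org xx")
    return b"\x00" * 8 + b"visible.user@example.com " + hidden + b" " + zlib.compress(deep) + b"\x00" * 8
```

Running `run_scanners(build_sample())` yields the three addresses with paths `8`, `33-BASE64-3` and `78-ZLIB-0-BASE64-3`, the last one two decoding steps deep.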
  32. bulk extractor
  33. bulk extractor. Did I mention?
     • very powerful!!1
     • used e.g. for extracting tcpflows
     • really made for bulk analysis
     • will pin ALL CPU cores available
     • the more, the merrier
  34. bulk extractor. Works great with hashdb:
     • database of hash values
     • very fast (Bloom filter)
     Bonus:
     • can find sub-file pieces
     • partially overwritten files
     • check out www.peekatorrent.org
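How block hashing lets a hash database find sub-file pieces and partially overwritten files (slide 34), as an added example written for this page rather than hashdb's own code: known files are split into fixed-size blocks and each block hash is stored; media is then scanned with a block-sized window at sector alignment, so a copy with one block overwritten still matches on the remaining blocks. The 4096-byte block size, the 512-byte step, SHA-256 as the block hash and the sample data are all assumptions of this example; hashdb fronts its store with a Bloom filter, which a plain dict stands in for here.

```python
import hashlib

BLOCK = 4096   # block size assumed for this example
SECTOR = 512   # scan alignment: media is examined at sector boundaries

def block_hashes(data, block=BLOCK):
    """Map the hash of every aligned, non-zero block to its offsets in data."""
    hashes = {}
    for off in range(0, len(data) - block + 1, block):
        chunk = data[off:off + block]
        if chunk.count(0) == block:  # all-zero blocks would match everywhere; skip
            continue
        hashes.setdefault(hashlib.sha256(chunk).hexdigest(), []).append(off)
    return hashes

def import_known_file(db, name, data):
    """Add every block of a known file to the database (hash -> set of file names)."""
    for h in block_hashes(data):
        db.setdefault(h, set()).add(name)

def scan_media(db, media, block=BLOCK, step=SECTOR):
    """Slide a block-sized window over media at sector alignment and report hits."""
    hits = []
    for off in range(0, len(media) - block + 1, step):
        h = hashlib.sha256(media[off:off + block]).hexdigest()
        if h in db:
            hits.append((off, sorted(db[h])))
    return hits

def coverage(db, name, media, total_blocks):
    """Fraction of a known file's blocks recovered from media."""
    matched = {off for off, names in scan_media(db, media) if name in names}
    return len(matched) / total_blocks

def build_sample():
    # Constructed: a 5-block "known" file, and media holding a copy of it whose
    # third block was partly overwritten (200 bytes changed).
    known = b"".join(hashlib.sha256(b"block%d" % i).digest() * (BLOCK // 32) for i in range(5))
    damaged = bytearray(known)
    damaged[2 * BLOCK + 100:2 * BLOCK + 300] = b"X" * 200
    media = b"\xff" * 1024 + bytes(damaged) + b"\xff" * 1024
    return known, media

def demo():
    known, media = build_sample()
    db = {}
    import_known_file(db, "leaked.bin", known)
    return scan_media(db, media), coverage(db, "leaked.bin", media, 5)
```

`demo()` reports four hits at media offsets 1024, 5120, 13312 and 17408 and a coverage of 0.8: the overwritten block is lost, the other four sub-file pieces are still identified.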
  35. bulk extractor. Demo: bulk extractor & hashdb
  36. Incident Response. Live forensics vs. incident response:
     • forensics with a focus on analysis (HD, network & RAM content)
     • incident response with broader scope
     • entire LAN, company, user-base, ...
     • log-based vs. agent-based
     • time often an issue
  37. Incident Response. Community quite active:
     • GRR Rapid Response (GRR)
     • osquery
     • Mozilla Investigator (MIG)
     • steganographer (network)
     • slightly different regarding capabilities, usage, ...
  38. GRR. GRR Rapid Response:
     • by Google
     • supports Windows, Mac, Linux
     • open source since 2011
     • written in Python
     • uses lightweight, local agents
  39. GRR. Pros:
     • web GUI
     • scales very well
     • allegedly large setups with 100,000+ client machines at once
     • configuration & roll-out easy
     • long-term supported project
  40. GRR. Cons:
     • not strictly user-friendly (yet)
     • initial setup of the server can be tedious
     • privacy & legal implications?!
  41. GRR. Deployment:
     • most logic is server-side
     • server generates executables with config
     • client simply runs it, done
     • easy with Puppet or others
     • offline clients run tasks asap when back online
  42. GRR. Forensic artefacts:
     • many things are OS-, user- and landscape-specific
     • unified YAML-based description
     • e.g. %%users.homedir%%Downloads
     • works across all supported operating systems
     • separate git repo: https://github.com/ForensicArtifacts/artifacts
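What the `%%users.homedir%%` placeholder on slide 42 buys you, as an added example (written for this page; not code from GRR or the ForensicArtifacts repository): one artifact definition, expanded against each client's knowledge base into concrete per-user paths with the right separator for that OS, skipping users that lack the referenced attribute and clients whose OS the artifact does not support. The artifact is a constructed Python dict in the shape of the repository's YAML entries (name/doc/sources/supported_os), not a real entry, and the knowledge bases are constructed too.

```python
import re

# Constructed artifact in the shape of the YAML definitions (not a real entry).
ARTIFACT = {
    "name": "UserDownloadsListing",
    "doc": "Files in every user's Downloads directory.",
    "supported_os": ["Linux", "Windows"],
    "sources": [{"type": "FILE",
                 "attributes": {"paths": ["%%users.homedir%%/Downloads/*"]}}],
}

# Constructed client knowledge bases, as an agent would report them.
KB_LINUX = {"os": "Linux", "users": [
    {"username": "alice", "homedir": "/home/alice"},
    {"username": "daemon"},                      # service account, no homedir
    {"username": "carol", "homedir": "/home/carol"}]}
KB_WINDOWS = {"os": "Windows", "users": [
    {"username": "bob", "homedir": "C:\\Users\\bob"}]}
KB_MAC = {"os": "Darwin", "users": [{"username": "dan", "homedir": "/Users/dan"}]}

USER_VAR = re.compile(r"%%users\.(\w+)%%")

def expand_template(template, kb):
    """Expand %%users.<attr>%% once per user that has every referenced attribute."""
    attrs = set(USER_VAR.findall(template))
    if not attrs:
        return [template]  # nothing user-specific in this path
    out = []
    for user in kb["users"]:
        if attrs <= set(user):  # skip users missing e.g. a homedir
            out.append(USER_VAR.sub(lambda m: user[m.group(1)], template))
    return out

def concrete_paths(artifact, kb):
    """All client-specific paths for one artifact, or [] if the OS is unsupported."""
    if kb["os"] not in artifact["supported_os"]:
        return []
    sep = "\\" if kb["os"] == "Windows" else "/"
    paths = []
    for source in artifact["sources"]:
        for template in source["attributes"]["paths"]:
            paths.extend(p.replace("/", sep) for p in expand_template(template, kb))
    return paths
```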
  43. GRR. RAM capabilities:
     • remote acquisition of RAM
     • use volatility on live RAM
     • = really, really cool!
  44. GRR. Flow:
     • work unit in GRR, asynchronous
     • used for client data acquisition
     • can use e.g. the OS API, or Sleuth Kit for file access
     • written in Python, stored on the server
     • baselining:
       ◦ analysis over time, e.g. weekly
       ◦ histogram analysis
  45. GRR. Hunting with GRR:
     • run flows on the entire fleet
     • also on offline machines, once back
     • or any subset, e.g. all machines running Windows
     • scalable!
     • clients check for new flows every 10 mins
  46. GRR
  47. GRR
  48. GRR. GRR security:
     • access tokens with client permissions
     • 1024-bit RSA, AES-256
     • driver and code are signed
     • all done during executable generation
     • using offline machines for signing is recommended
     • GRR can also be used to run custom Python code
  49. GRR. GRR internals:
     • datastore easily changeable
     • every message is timestamped
     • everything is asynchronous
     • signed & encrypted protobuffers
     • files and chunks are deduplicated!
     • nothing is ever deleted
     • AFF4 data model used for storage
  50. GRR. Performance watchdogs:
     • client will kill itself if too resource-hungry
     • heartbeat
     • memory limit (500 MB)
     • CPU limit (3 minutes)
  51. Thank you for your attention. Twitter: @Fr333k, mail: mschmiedecker@sba-research.org
