Open Source Forensics

Why are there so many tools left at the end of the money?

Richard Austin MS, CISSP
Southern Polytechnic State University

ADVANCED DIGITAL FORENSICS
WITH OPEN SOURCE TOOLS

IT Elder Flatulence
Bio
My First Computer

 Richard is a 30+ year veteran of the IT industry in positions ranging from
software developer to security architect. Before beginning a career as an
independent cybersecurity consultant and educator, he was focused on
technology and processes for successfully protecting the 14PB storage area
network infrastructure within the global IT organization of a Fortune 25
company.
 MS degree with a concentration in information security from Kennesaw State
University, a DHS/NSA recognized National Center of Academic Excellence in
Information Assurance Education.
 Active member of SNIA's Security Technical Working Group.
 Active member of the Cloud Security Alliance’s Trusted Cloud Initiative.
 Senior Member of both the IEEE and ACM and also a member of the IEEE
Computer Society, CTIN, ISC(2) and the Atlanta Chapter of Infragard .
 Book review columnist for IEEE Cipher, the newsletter of the IEEE Computer
Society Technical Committee on Security and Privacy
 A published author frequently writing and presenting on storage networking
security, ethics and digital forensics.

Advanced Digital Forensics with Open Source Tools

Forensics is Changing

Digital forensics was once solely concerned with
just collecting and analyzing disk images from a
cold, dead system but much useful information
leaves few durable traces on disk


Two New Areas

 Live memory collection and analysis
 Registry analysis

Though commercial tools are available, Open
Source tools provide much of the same
functionality


Collecting Live Memory


Why Live Memory?

 The bad people are very interested in forensic
technology and follow quite closely what we do
 Contrary to popular opinion, this stuff ain’t secret
 They know that we image disks so they do things that
don’t leave disk traces
 Memory-only malware
 A lot of information may not leave clearly
discernable disk traces
 Open network connections
 Active encryption – data may only be in plaintext while
the system is running


How do you do it?

 Just like any other forensic task
 You collect the data
 You extract information from it
 So what’s all the hub bub, bub?
 IAxx architectures don’t have a “DUMP” button
 Rely on software to dump main memory (the
infamous BSOD and crashdump)
 Reading memory dumps is the province of O/S
level debuggers
 Great tools but you have to be a Windows/*UX
internals guru to understand and use them

Remember!

 When working with a compromised system,
remember you’re working with Satan’s
computer
 You have no clue what the attacker may have
done to it


Issues

 User mode access to the .PhysicalMemory
object was removed in Vista/2003 and later
 This was a serious security issue – it’s gone; not
coming back; get over it!
 Many older live memory acquisition tools no
longer work
 For Vista/2003 and later, a utility must load a
kernel mode driver to get access to physical
memory
 Some vendors call this an “agent”


Issues

 Running a program to collect memory
contents does change the state of memory
(and maybe disk)
 Can’t be helped
 If physical memory is full, something may be
swapped out when you run the program
 Documented, repeatable process is key
 You are only collecting physical memory
 Swapped out pages will not be in the image


Data Triage

•Consider the order of volatility
•Relevance of the type of information to the case under investigation


Lots of Options

 Memoryze from Mandiant
http://www.mandiant.com/software/memory
ze.htm
 The usual forensic vendors have their tools
 I’ll be demoing winxxdd (community edition)
from http://www.moonsols.com/products/
 This free version does have limitations such as not
running from a removable device or via a script.


Win32dd


Hash the Image


Points to Remember

 You must be able to run a program as
ADMINISTRATOR on the system
 For remote access:
 psexec
 Remote Desktop
 Etc
 This does change the state of the system
 Students are surprised to see win32dd in the list of
running processes


Analyzing the Memory Image
OK, I got it but what do I do with it?


Volatility

 https://www.volatilesystems.com/default/volatili
ty
 Open Source, written in Python
 Python is a well-known scripting language
 Download Python from www.activestate.com
 The 1.3 version only supports XP SP2 and SP3
 Version 1.4 in in RC and supports Vista and Windows 7
as well as incorporating many improvements
 http://code.google.com/p/volatility/
 Already installed on REMnux


Update

 Volatility 2.0 is now released!!!
 Includes a standalone Windows installer


Using Volatility

 Very simple command-line interface:
 python volatility command –f image_file
 1.4 adds --profile=profile to identify the O/S
 Notable commands:
 ident – descriptive information about the dump file
 datetime – date/time information for the dump file
(included in ident)
 pslist – list of processes
 files – list of files open for each process
 connections – open network connections
 sockets – open sockets

ident

 In 1.4, this command becomes imageinfo


pslist


Scan vs List

 Some commands have two versions – list and
scan
 The difference is that list follows the normal way
of doing things
 e.g., listing processes by following the EPROCESS list
 scan scans through memory looking for data
structures (e.g., _EPROCESS)
 Psscan will find terminated and de-linked processes
(one stealth technique used by rootkits)
 The scan version is much slower because it is scanning
memory contents rather than walking a linked list

psscan

Terminated
FTP
processes


files


connections

FTP


Connections vs Connscan2


sockets


netscan

 For Vista and later, these are consolidated into
netscan

Sample output taken from the Volatility 1.4 wiki
http://code.google.com/p/volatility/wiki/CommandReference#netscan


Protocol Numbers


And the Registry

 Locating the Registry -- hivelist


Listing Keys


Examining Values


Services – Where malware
hides


What does it all mean?

 Working with memory
contents does require a
bit of knowledge about
what it all means
 These are two good
reference books on
how Windows really
works and what you’re
looking at in a memory
dump

BUT What About Vista, …?

 Volatility is nice but it only works on XP. So if you
need to look at memory on Vista, Server 2003,
etc, you’re back to using strings ….
 Of course not:
 1.4 is in RC and is installed in the REMnux CD (and virtual
appliance)
 And other tools are a little more arcane but they work
 The Windows Debugging Tools can be used to analyze a
Windd dump IFF it’s made in crashdump format (-d option)
 http://www.msuiche.net/con/BlackHat_Webcast_New_Fron
tiers_in_Forensics.pdf


Active Processes


Don’t get too comfortable …
Particularly Part
III on Anti-
Forensics

“In war the will is directed at an animate object that reacts.”
Carl Von Clausewitz, On War


Registry Extraction and Analysis


Windows Registry

 The Windows registry has been found to
contain a treasure trove of information useful
to the forensic analyst
 The good news is that disk imaging includes the
registry
 New tools are simplifying the process of
extracting this information in a useful format


Nomenclature

Value Data
Type

Key

Subkey


Registry File Locations
System %WINDIR%system32configSystem
SAM %WINDIR%system32configSam
Security %WINDIR%system32configSecurity
Software %WINDIR%system32configSoftware
NTUSER.DAT Documents and SettingsUser

 Simply extract these files from the image
 Security on NTUSER.DAT may prevent copying so use the type command to
make a copy:
type NTUSER.DAT>somewhere else


Note

 I’m going to be showing some representative
samples of the information available and the
things they imply about events in the real
world.
 If you get lost in the key-value wilderness,
don’t despair – it’s all in the book.
 What book? Be patient.


Mounting images

 You need to extract the registry files out of
the disk image
 P2Explorer is a very useful tool provided free by
Paraben
 http://www.paraben.com/p2-explorer.html
 It allows you to mount disk images on a Windows
system (free edition only works on 32-bit versions)
 OSFMount from PassMark software is another
option
 Works on both 32 and 64 bit Windows


Mounting An Image


Accessing Registry Files


Advantages of Mounted Image

 Mounting the image basically gives you read-
only access to the contents of the image as a
drive letter
 Windows Explorer, anti-malware, etc, can be used
 No need to export everything in advance


Other Options

 FTKImager is a free download from
AccessData (developers of The Forensic
Toolkit)
 It can be used to open a disk image and
export the registry files


Exporting Registry Files
Imager can open most of the
common image formats (dd,
EnCase, etc)


Exporting Registry Files
Once the image is
opened, students see a
familiar directory tree
and just have to
navigate to the registry
file locations

Files are exported by
right clicking the file
and selecting “Export”
from the menu


Analyzing the Registry


Resource
 This is an excellent book that covers
many of the registry analysis tasks in
detail
 RegRipper is the tool used for analyzing
the registry after it is collected
 http://www.regripper.net/RegRipper/ and
also available on the tools CD that
accompanies the book
 You can read my book review at
http://www.ieee-
security.org/Cipher/BookReviews
(shameless self-promotion)


The Case: Price Software

 Tom Warner is suspected of industrial espionage
 He was upset about being passed over for a VP
position
 He is alleged to have set up a quid pro quo deal with a
competitor
 He may have colluded with Leslie Stowle in other
actions
 The forensic analyst has been given an image of
Tom’s Windows workstation
 Let’s see what kinds of information can be found

Plugins

 RegRipper comes with a wide variety of
plugins for examining registry information
 Plugins are basically Perl scripts


Running Plugins: winver

 You have the option to run the Perl scripts
directly if you have Perl (and the right
libraries) installed or you can use rip.exe
 rip –r registry file –p plugin


USB Devices
Identifying use of a thumb drive


Command Line
C:DATARegRipper>rip -r ..PSCRegistryntuser.dat -p mp2
Launching mp2 v.20080324
MountPoints2
SoftwareMicrosoftWindowsCurrentVersionExplorerMountPoints2
LastWrite Time Mon Jan 3 21:59:36 2005 (UTC)

Drives:
A Wed Sep 29 21:00:05 2004 (UTC)
D Wed Sep 29 21:00:05 2004 (UTC)
C Wed Sep 29 21:00:05 2004 (UTC)
E Fri Oct 29 17:46:24 2004 (UTC)

Volumes:
{3622c883-1069-11d9-b601-806d6172696f} Wed Sep 29 21:02:41 2004 (UTC)
{707f5caa-29d2-11d9-99eb-000c291e65ae} Fri Oct 29 18:09:55 2004 (UTC)
{3622c880-1069-11d9-b601-806d6172696f} Wed Sep 29 21:02:41 2004 (UTC)
{3622c881-1069-11d9-b601-806d6172696f} Wed Sep 29 21:03:24 2004 (UTC)

Remote Drives:
##2kadvserver#Users#twarner Wed Sep 29 21:03:22 2004 (UTC)
##psc-ws-03#c$ Fri Oct 1 05:58:52 2004 (UTC)
##2kadvserver#Management Fri Oct 1 05:54:14 2004 (UTC)
##2kadvserver#Software Fri Oct 1 05:54:50 2004 (UTC)
##2kadvserver#Software Development Fri Oct 1 05:54:37 2004 (UTC)


Running Plugins: recentdocs


The GUI

 A GUI (rr.exe) is
available
 It provides access to
plugin files that collect
commonly used
plugins into a single file
and run them as a
group


Plugin Files

 Some sets of plugins are so commonly used
together they are listed in a plugin file
rip –r registryfile -f plugingfile
 The plugin file is just a list of plugings to be run


Network Config

 Excerpt from the SYSTEM plugin report
 Pretend you didn’t notice “Guidance Software”


The Software Hive

 The disk image had large blocks of binary 0’s –
wonder how that happened?


Sources of Images
Garfinkel’s Forensic Corpora


Scenarios

 Simson Garfinkel of the NPS is working under
a NSF grant to produce scenarios and
associated forensic images for use in teaching
digital forensics
 Two scenarios are currently available at
http://domex.nps.edu/corp/scenarios


M57

2009-M57 "Patents" scenario

This scenario involves a small company called M57
which was engaged in prior art searches for
patents. The fictional company is contacted by
the local police in November 2009 after a person
purchases a computer from Craigslist and
discovers "kitty porn" on the computer. The
police trace the computer back to the M57
company.
Includes an instructor’s packet!!!


Nitroba

Nitroba University Harassment Scenario

This scenario involves a harassment case at
the fictional Nitroba University.


Summary

 Digital forensic practice must evolve to keep
pace
 Live memory analysis for volatile information lost
when a system is shutdown or restarted
 The Windows registry is a rich mine of
information


Questions?

 EMAIL raustin2@spsu.edu if you’d like a PDF of
the slides

Open Source Forensics

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Open Source Forensics

Similar a Open Source Forensics (20)

Más de CTIN

Más de CTIN (20)

Último

Último (20)

Open Source Forensics