Tuesday, August 12, 2008

Black Hat USA 2008

So my first Black Hat is in the books. I thoroughly enjoyed it, learned quite a bit, and got some networking done as well. My only two complaints are, first, that the 4th floor was completely overcrowded, which made getting to a session very difficult, and second, the classic conference paradox: a lot of the great topics with new material were presented by people with poor presentation skills, whereas a lot of the great speakers presented either old material or no real useful content. That aside, it was a hoot.

I started the week attending a Malware Analysis class by Mandiant, which was excellent. They basically crammed a 4-day course into 2 days, so it moved very quickly and had lots of content and labs. The instructors were extremely knowledgeable and conveyed the material well. My only suggestion would be that they should have spent more time on OllyDbg, but with the labs I can do that on my own time. They did spend extensive time using IDA Pro, which helped me understand assembly code structures much better. I would highly recommend this course.

The first keynote speech by Ian Angell was very funny, but essentially preached an anti-technology message, which I think is mostly pointless considering the techno-geek audience. He did have some really fascinating quotes though. My first presentation was Bad Sushi: Beating Phishers at Their Own Game. While presenting nothing new, they did provide much comedy and insight into how spammers routinely try to rip each other off. They also showed an insane toolkit that circulates in the spam underground and basically contains knock-off sites for every large bank in the world. Of course the next session was the highly anticipated DNS Goodness by Dan Kaminsky. This has already been covered to death, so I will only add that it was worth the wait and Dan is the man. Next I attended The Four Horsemen of the Virtualization Security Apocalypse by Chris Hoff. This was probably the most useful and timely presentation I attended. Chris is a good speaker and I enjoyed how he detailed the current shortcomings of virtualization while also pointing out VM myths. In a nutshell, the HA functionality is not there to do anything more than server/desktop virtualization. Beyond that, you are rolling the dice with your availability and network capacity.

After that I hit up Bruce Potter's presentation on Malware Detection Through Network Flow Analysis. This guy is a badass and a very good speaker, but he provided nothing relevant in his talk, unless you didn't know NetFlow existed. My last session of the day was Reverse DNS Tunneling Shellcode by Ty Miller. Ty debuted his DNS tunneling tool and also a very cool project to create a consolidated framework for shellcode. Once it is up and running, check it out at http://projectshellcode.com/ . I liked his talk a lot, especially how he demonstrated various attacks through a corporate DMZ. The day ended with beer and pizza, yay!!

Leading off the second day was a keynote by Rod Beckstrom of the newly created NCSC. His talk was very interesting and had a historical twist to it. I agree with him 10 million percent that the best chance to make a significant security impact is to upgrade our protocols, which are mostly outdated. My first session of the day was No More 0-days by Ohad Ben-Cohen. He showed off a cool new tool called Korset, which will basically create a control flow graph for any compiled Linux binary and prevent anything out of the ordinary from occurring. I like this technology and would like to see it integrated into a Windows-based AV suite. My only issue with the tool is that it works only off system calls and doesn't check parameters, so it would be easy to circumvent by creating your own CFG and passing malicious parameters. Very good work though. My second talk of the day was Visual Forensic Analysis and Reverse Engineering of Binary Data by Greg Conti and Erik Dean. They debuted 2 new cool tools aimed at shortening the time it takes to inspect a huge file at the hex level. Basically they help you quickly find areas of interest in a file, and they lend themselves to spotting repeating patterns that can be reused in the future once identified. Next I attended Secure the Planet! New Strategic Initiatives from Microsoft to hear the latest from Redmond. I only heard the first half, but they are expanding their vulnerability research efforts to include 3rd-party products and adding an exploitability index to their Black Tuesday reports. I LOL'd when they referred to Black Tuesday as something stupid like feature upgrade day. I had to cut this meeting short to head over to Deobfuscator: an Automated Approach to the Identification and Removal of Code Obfuscation by Eric Laspe and Jason Raber. It's a very much needed IDA Pro plugin that can save us tons of time.

I wrapped up the conference by listening to Bruce Dang's talk on Methods for Understanding Targeted Attacks with Office Documents. Bruce is smart as hell, but talked way too fast. He walked through a few of the Office document headers and structures and demoed an attack. He also mentioned that many of the current attacks could be avoided by installing MOICE, Office 2K3 SP3, or Office 2K7.

On Friday, I was able to make it to most of Defcon. Those badges are freaking sweet. The talks there were mostly the same, but had a much more relaxed, less corporate feel. For only 125 bucks, Defcon is a steal compared to 1500 for Black Hat. That's all for now; back to your regularly scheduled programming.

Friday, August 1, 2008

Book Review: Real Digital Forensics

In continuing my tradition of reviewing books that are 2 or 3 years old, I have recently finished reading Real Digital Forensics by Keith Jones, Richard Bejtlich, and Curtis Rose. Yeah, I hate paying full price for a new book, but mostly it's because I buy so many books that by the time I get around to actually reading them, it's been a few years. Now on to the review.

With this group of experienced authors, it's hard to imagine the book not being a success. While not spectacular, this book is very solid and fairly easy to read. I would have to say that for someone looking to attend the SANS hacking and forensic courses, this book could easily fill the gap and save you thousands of dollars. One thing I really liked was that they did not waste time on any fluff chapters about the history of whatever; they just jumped right into the material. They also made it a point to show the differences between incident response on *nix vs. Windows. All the chapters that focused on analysis and response were dead on. They included great case data on the book DVD, which helps you work through the sample cases as well. That is a huge feature that needs to become standard in security books, where feasible. Probably the standout feature of the book for me, though, was their chapters on analyzing unknown binaries. By following along step by step through the cases, it helps turn something that is considered more of an art into a science. They also include good coverage of doing a forensic analysis of a Palm device, and included the requisite chapters on email investigation, registry analysis, and browser forensics. One thing that I took note of during the book was the chapter on building a response toolkit. They pointed out that you need to use Filemon to ensure none of your trusted tools access the victim's system for resources and that they instead use libraries from your toolset. The authors also did a good job of showing both open source and commercial tools throughout the book.

Some of the things I didn't enjoy about the book were the coverage of duplication, but I guess you can't really do much with a topic that boring. Also, the chapter on domain ownership seemed more like a chapter on their DNS project, so it wasn't very useful. Other than that, I would have liked to see some coverage of cell phone forensics, which is becoming more mainstream.

Overall though, this was a great book that I would recommend to anyone in the security field and also to system administrators. The authors' knowledge of this subject is top notch and it's good to be able to glean information from them. Not to mention, you can gain a lot of practical experience by working through the example cases on the DVD. You can read my notes on the book here.

Thursday, April 24, 2008

Real Digital Forensics

Real Digital Forensics

by Keith Jones, Richard Bejtlich, and Curtis Rose

1 - Windows Live Response

Never save data locally on the suspect system's hard drive, as there is a chance you may overwrite evidence

Always use the -b option with md5sum to perform the hash in binary mode

The -k option with cryptcat sets the encryption password

Volatile Data

* system date and time
* current network connections
* open tcp and udp ports
* which exe's are opening tcp and udp ports
* cached netbios name table
* users currently logged on
* internal routing table
* running processes
* running services
* scheduled jobs
* open files
* process memory dumps

To truly verify a system binary, you must compare its hash with a trusted source

A common attack involves changing a server's routing table to redirect traffic and bypass firewalls

FireDaemon turns any process into a service

userdump.exe will capture the memory space used by any running process. userdump output cannot be sent via netcat, so you must net use a remote share

dumpchk.exe allows you to examine userdump output. More debugging tools and symbols here

Garner's dd allows a full memory dump by mapping the virtual address space of the \Device\PhysicalMemory object

Nonvolatile Data

* System version and patch level
* File system time and date stamps
* Registry data
* Auditing policy
* History of logins
* System event logs
* User accounts
* IIS logs
* Suspicious files

Regdmp (or reg /export) will copy the registry. It shows programs executed on boot-up and entries created by the intruder's tools

NTLast provides a history of logins

IIS logs to c:\winnt\system32\logfiles\W3SVC by default. More info at http://www.iisfaq.com

After a successful buffer overflow attempt, there should be no logging, as the server typically crashes

2 - Unix Live Response

Much of the process is the same as for Windows live response; the differences are noted below

Volatile Data

* Loaded kernel modules
* Mounted file systems

Review loaded kernel modules via the lsmod command. If the module is hidden, there is no way to detect it in the live response process

Nonvolatile Data

* Syslog logs
* User history files

On Red Hat, rpm -qa will list installed software and patches

On Unix there is no creation time as on Windows, so the inode change time ("ctime") is all you have

Time can often be saved by comparing files to known good or bad hash sets (see NSRL)

/var/run/utmp contains the users that are currently logged in (w command)

/var/log/wtmp contains the history of logins (last command)

zap2 is a common tool hackers use to clear these entries

datapipe is used to redirect ports on the local machine, which allows for firewall bypass

/etc/syslog.conf contains settings for syslog logging

kill -31: this signal is undefined on Linux and is often used by kernel-level rootkits

Windows files cannot be deleted while still in use by a process in memory. Unix files, however, can be deleted and remain resident only in memory until reboot. Binary images of processes can be found under /proc/ , and the /proc//fd directory contains all the open files for that process

3 - Collecting Network-Based Evidence

4 types of network-based evidence

* Full content data
* Session data
* Alert data
* Statistical data

Scanmap3d provides graphing for Snort IDS

Hubs are half-duplex and create collisions, whereas a tap is expensive but full-duplex

SPAN ports will miss traffic on heavily loaded networks, and some can only monitor a single VLAN in a single direction

Flowgrep can search for regexes across TCP packet streams

FRHED is a free hex editor for Windows

Argus is used for session logging

4 - Analyzing NBE for a Windows Intrusion

tcpslice can be used to split up pcaps into smaller sessions

High counts of "other" protocol can indicate either heavy use of a single unknown protocol or a vast number of unrecognized protocols

Low counts of many different protocols are often characteristic of port scans

Batch mode in Snort will run Snort against a pcap

Nikto is a common tool for web scanning

No tool currently exists to read and reconstruct SMS sessions

5 - Analyzing NBE for a Unix Intrusion

227 Entering Passive Mode (192,168,1,1,192,1) - you must convert 192,1 into a real TCP port number:

(192 * 256) + 1 = port 49,153
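As an added example (not code from the book or the blog post), a small POSIX shell function that does this conversion for any 227 reply and also pulls out the advertised IP, which is worth comparing against the server's address when reviewing a capture; the sample reply lines are constructed.

```shell
#!/bin/sh
# Added example, not the book's or the blog's code. Parses an FTP
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and computes
# the data port as p1*256 + p2. Sample replies are constructed.

# Print "ip port" for a 227 reply, or return non-zero if it is not one.
pasv_endpoint() {
    reply="$1"
    # Pull out the six comma-separated numbers inside the parentheses.
    tuple=$(printf '%s\n' "$reply" | sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
    [ -n "$tuple" ] || return 1
    old_ifs="$IFS"; IFS=','
    set -- $tuple
    IFS="$old_ifs"
    [ "$#" -eq 6 ] || return 1
    # Every field must fit in one byte; reject anything else.
    for n in "$@"; do
        [ "$n" -ge 0 ] 2>/dev/null && [ "$n" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Just the port number, for use in scripts.
pasv_port() { pasv_endpoint "$1" | cut -d' ' -f2; }

# Return 0 when the advertised data address differs from the control
# connection's server address: something to note when reviewing a capture,
# since the client would open its data channel to a third host.
pasv_mismatch() {
    server_ip="$1"; reply="$2"
    adv=$(pasv_endpoint "$reply" | cut -d' ' -f1)
    [ -n "$adv" ] || return 2
    [ "$adv" != "$server_ip" ]
}

# Constructed sample reply from the note above; prints "192.168.1.1 49153".
pasv_endpoint '227 Entering Passive Mode (192,168,1,1,192,1)'
```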

6 - Before You Jump Right In ...

Forensic Air-Lite from Forensic Computers, Inc

Sample toolkit: digital camera, multi-function screwdriver, flashlight, Dremel, extra jumpers, extra screws, cable ties, internal PC power extension cords, extra IDE cables, SCSI cables, SCSI terminators, chain of custody forms, evidence labels, pens, evidence envelopes, evidence tape, anti-static bags, evidence hard drives, boot floppies/CD-ROMs, blank CDs/DVDs/floppies, network hub/switch, network cable, forensic dongles, power strip, and OS install media.

Document the original hard drive: make, model, serial num, evidence tag num, geometry, capacity, and jumper settings

Document the original system: make, model, serial num, media evidence tags, expansion cards, peripheral connections, physical location

The agent notes worksheet should contain relevant info such as conference calls, shipment tracking numbers, relevant findings, etc.

After duplication, you must label the evidence hard drive: Case num, Evidence tag num(s), contents, acquired by, and date

Chain of custody forms should contain: source individual, source location, destination individual, destination location, transfer date

When access is required to evidence safe, it must be recorded in the Evidence Access Log: date, name, case num, time in, and time out

7 - Commercial-Based Forensic Duplications

You typically must jumper the drives as Master for everything to operate correctly

Firewire allows the hard drives to be hot swappable

Ensure you use the Windows eject/disconnect function to prevent data corruption

By default EnCase will duplicate and create a series of 640MB files

Be sure to use the Evidence tag number as the device unique identifier in EnCase

Generally duplication will take longer with compression but the evidence files will be smaller

It is not recommended to set a password for an evidence file

The hashing feature should always be enabled for duplication

8 - Noncommercial-Based Forensic Duplications

When booting your forensic workstation, make sure the BIOS is configured to boot from the OS hard drive and not the evidence hard drive.

conv=notrunc,noerror,sync - notrunc will stop truncation in the event of an error, noerror tells dd to continue when an error is encountered, and sync will replace bad blocks with zeros

After dd is complete, immediately make the image file read-only and hash it

Images duplicated on Linux (ext3) will not be usable on FAT32 unless broken into 2G chunks using the count and skip options of dd

DD rescue will traverse hard drives forwards and backwards and use variable block sizes on bad hard drives
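An added example (not from the book or the blog post) that walks through the duplication steps above on a constructed 64 KB file standing in for an evidence drive: dd with noerror,sync, an immediate read-only chmod plus hash, and a skip/count split into chunks whose concatenation hashes back to the original. The paths under $TMPDIR and the 4 KB block / 4-block chunk sizes are assumptions.

```shell
#!/bin/sh
# Added example, not the book's or the blog's code. A plain file stands in for
# the evidence drive (/dev/sdX); paths and sizes below are assumptions.

WORK="${TMPDIR:-/tmp}/dd_demo.$$"
BS=4096          # dd block size
CHUNK_BLOCKS=4   # blocks per chunk (small stand-in for the 2G FAT32 limit)

# Constructed source: 16 blocks of random data playing the role of the drive.
make_source() {
    mkdir -p "$WORK"
    dd if=/dev/urandom of="$WORK/evidence.bin" bs="$BS" count=16 2>/dev/null
    echo "$WORK/evidence.bin"
}

# Duplicate the source. noerror keeps dd going past read errors and sync pads
# a short block with zeros, so offsets in the image stay aligned with the
# source. The image is made read-only and hashed as soon as dd finishes.
image_source() {
    src="$1"; img="$WORK/evidence.dd"
    dd if="$src" of="$img" bs="$BS" conv=noerror,sync 2>/dev/null
    chmod 0444 "$img"
    sha256sum "$img" | cut -d' ' -f1 > "$img.sha256"
    echo "$img"
}

# Split the source into fixed-size pieces with skip/count (both in blocks),
# the way the notes describe for a FAT32 target that cannot hold one file.
split_source() {
    src="$1"
    total=$(( $(wc -c < "$src") / BS ))
    i=0
    while [ $(( i * CHUNK_BLOCKS )) -lt "$total" ]; do
        dd if="$src" of="$WORK/evidence.dd.$(printf %03d "$i")" bs="$BS" \
           skip=$(( i * CHUNK_BLOCKS )) count="$CHUNK_BLOCKS" 2>/dev/null
        i=$(( i + 1 ))
    done
    echo "$i"    # number of chunk files written
}

# The full image, the recorded hash and the concatenated chunks must all
# match the hash of the original source; returns non-zero otherwise.
verify_all() {
    src="$1"; img="$2"
    s=$(sha256sum "$src" | cut -d' ' -f1)
    m=$(sha256sum "$img" | cut -d' ' -f1)
    c=$(cat "$WORK"/evidence.dd.[0-9]* | sha256sum | cut -d' ' -f1)
    [ "$s" = "$m" ] && [ "$m" = "$c" ] && [ "$m" = "$(cat "$img.sha256")" ]
}

# Remove the working directory once the checks are done.
cleanup() { rm -rf "$WORK"; }
```

Because the sample is an exact multiple of the block size, sync adds no padding and all three hashes agree; on a real drive with bad sectors the zero-filled blocks are what keeps later offsets correct.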

9 - Common Forensic Analysis Techniques

It is recommended to first recover deleted files

Associate a dd image with a physical device using Enhanced_Loopback:

# losetup /dev/loop0 .dd
# fdisk -l /dev/loop0

Use NSRL to weed out known files

10 - Web Browsing Activity Reconstruction

Securityfocus Browser Forensics Part 1 , Part 2

IE has 3 types of evidence: browsing history, cookies, and Temporary Internet Files (cache)

Index.dat contains browsing history and links to cookies and cache

C:\Doc and Set\\Cookies - contains index.dat and all of the user's cookies

C:\Doc and Set\\L Set\History\ - contains cached sites by date

C:\Doc and Set\\Temporary Internet Files\ - contains all cached content

FTK's browser reconstruction is far superior to EnCase's

Cookies contain variable names and values, time of download, time of expiration, and status info

Galleta will parse cookies for you

In Index.dat at byte offset 0x50, a listing of cache directories is found

If an Index.dat file is large enough, it may contain more than one hash table

URL and LEAK both mean the suspect viewed the site

Index.dat uses MS FILETIME, which is the number of 100-nanosecond intervals since 00:00 1 Jan 1601

Most use Unix time, which is the number of seconds since 00:00 1 Jan 1970

Unixtime = .0000001 * Filetime + 11,644,473,600, then run the result through the unix cmd local-time
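An added example (not from the book or the blog post) of the FILETIME conversion, including reading the eight little-endian bytes as they appear in a hex dump of Index.dat; note that the 11,644,473,600-second offset is subtracted when going from FILETIME to Unix time and added in the other direction. Sample values are constructed.

```shell
#!/bin/sh
# Added example, not the book's or the blog's code. Converts between
# 64-bit FILETIME (100 ns ticks since 1601-01-01) and Unix seconds, and
# decodes the on-disk little-endian byte order. Sample values constructed.

EPOCH_DIFF=11644473600     # seconds from 1601-01-01 to 1970-01-01
TICKS_PER_SEC=10000000     # FILETIME counts 100-nanosecond intervals

# Decimal FILETIME -> Unix seconds (the fraction of a second is dropped).
filetime_to_unix() {
    echo $(( $1 / TICKS_PER_SEC - EPOCH_DIFF ))
}

# Unix seconds -> decimal FILETIME.
unix_to_filetime() {
    echo $(( ($1 + EPOCH_DIFF) * TICKS_PER_SEC ))
}

# Eight space-separated hex bytes in on-disk (little-endian) order, as read
# off a hex dump, e.g. "00 80 ff 44 d1 38 c1 01" -> decimal FILETIME.
filetime_from_le_bytes() {
    value=0
    shift_bits=0
    for byte in $1; do
        value=$(( value + (0x$byte << shift_bits) ))
        shift_bits=$(( shift_bits + 8 ))
    done
    echo "$value"
}

# Raw bytes straight to Unix seconds.
le_bytes_to_unix() {
    filetime_to_unix "$(filetime_from_le_bytes "$1")"
}

# Constructed sample: these bytes encode 2001-09-09 01:46:40 UTC (Unix 1000000000).
le_bytes_to_unix '00 80 ff 44 d1 38 c1 01'
```

The Unix value can then be rendered in local time with whatever date tool the workstation provides (for example date -u -d @SECONDS with GNU coreutils).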

11 - E-Mail Reconstruction

Paraben's Network Email Examiner

Munpack will decode MIME file attachments in email

12 - Microsoft Windows Registry Reconstruction

System registry files are saved to C:\WINDOWS\system32\config by default, in the files default, software, and system

User registry files are found in ntuser.dat in the profile directory

Installed programs can be found in Microsoft\Windows\CurrentVersion\Uninstall or Microsoft\Windows\CurrentVersion\App Paths

A registry search for MRU will give you a list of Most Recently Used docs/apps

Software\Microsoft\Internet Explorer\TypedURLs is a good one to check

13 - FTA - Using Linux for Analyzing Files of Unknown Origin

Using the -g option with gcc will include debugging information

The strip command will remove all symbols from the compiled binary

Using the -static option with gcc will embed the needed libraries in the binary, making it self-contained

The -S option with gcc will produce an assembly language file

By default strings will not scan the entire file; you must use the -a option

The -tx option with strings will add the offset (in hex)

The nm -a command will show you all the symbols in a binary

The ldd command will list all the shared objects used by a dynamic binary

It is a good idea to compare hashes of shared objects with known good ones to detect any tampering

ELF format reference; also, /usr/include/elf.h describes the ELF structure

readelf --file-header will list the header information

readelf --section-headers will list the section information

readelf --program-headers will list the locations of the ELF segments

readelf --symbols provides similar info to nm

readelf --debug-dump gets all the debugging information

readelf --hex-dump=

objdump -l --source will disassemble the binary into assembly (a dead listing)

kill -l will list all the signals

strace executes a binary and intercepts all system calls and signals.

ltrace intercepts all library calls

14 - FTA - A Hands-On Analysis of the Linux File aio

Without the -v option, hexdump replaces duplicate lines with an asterisk

System call numbers are found in /usr/include/asm/unistd.h

/proc is a pseudo-file system that is only populated with volatile data while the system is running.

The maps file in /proc/ will show you mapped memory

cat /proc/version to confirm that the compiler and OS versions match

15 - FTA - Analyzing Files of Unknown Origin (Windows)

Visual C++ Toolkit 2005

BinText provides a GUI for strings output

PE and COFF Specifications

The cygwin pe_map command is similar to objdump

link -dump -all displays all the PE format info along with a hex dump of the sections

IDA's File -> Produce menu enables you to generate and export the disassembly listing

Strace for Windows

Unpacking tools: unpacking may sometimes result in execution of the code

ProcDump will allow you to edit the PE structure to fix any errors

16 - Building the Ultimate Response CD

Live response tools should not depend on files from the suspect system. Use Filemon to determine dependencies and copy them to your response tools directory. Different OS versions will need different response toolkits. Also, trusted tools should be prefixed with t_ to differentiate them.

17 - Making Your CD-ROM a Bootable Environment

18 - Forensic Duplication and Analysis of PDAs

For your workstation to recognize a Palm PDA you will need the drivers along with HotSync

For EnCase to communicate with a Palm, HotSync must be exited

Acquisition should be done with a fresh set of batteries or in a cradle to avoid data loss

The device should be in console mode (Shortcut-Dot-Dot-Two) and configured to stay on in the cradle

Paraben's PDA Seizure installs a file(CESeizure.dll) on the device in unallocated space

19 - Forensic Duplication of USB and Compact Flash Memory Devices

mount -r /dev/sda /mnt/usb mounts the device in read-only mode

20 - Forensic Analysis of USB and Compact Flash Memory Devices

USB drives usually only have one large FAT partition, sometimes with no partition table

Fatback simulates a command prompt for your image

21 - Tracing Email

Any email header field whose name starts with X- is an optional field that any email server may add

Always read headers from the bottom up, to find the source

Anonymous Remailers

22 - Domain Name Ownership