Anti-Forensics: Real world identification, analysis and prevention

Digital Anti-Forensics
Real World Identification, Analysis & Prevention

M ic h a e l L e g a r y
IR -1 0
N ovember 7, 2007
Copyright 2005 Seccuris Inc

Introduction

Michael Legary
Founder, Seccuris Inc.

CISSP, CISA, CISM, CCSA, GCIH, SCF
CNE, MCSE, CCNA


Overview

• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Current trends to watch
• Prevention Methods for Real World
• Conclusions


Organization A - Agrieng Inc
• Small Agri-Business

• Sales +/- 2M & 25 Employees

• Designs tractors, bailers, etc

• Heavy use of electronic drafting
& engineering software

• Bids on contract work for major
manufacturers

Organization A - Agrieng Inc
• Outbid & Outsold by
foreign competitor

• One particular
competitor’s designs look
eerily similar


Organization B – ServPro GmbH
• Large Service Provision company

• Sales +/- 200M & 2500 Employees

• Provides Information Management
Solutions to world wide organizations

• Specialized database and information
mining technology separate ServPro
from competitive organizations

• Currently handles personal
information of over 50 million
individuals


Organization B – ServPro GmbH
• A few clients are reporting
an increase in identity theft
reports by their constituents.

• There seems to be a pattern
in the types of information
being reported as stolen.


Organization C – Government Department

• Federal organization
providing legal related
services

• Handles specialty
investigations from
multiple provinces

• Conducting investigation in
high tech criminal activity

Organization C – Government Department
• Suspects are continually
evading capture

• Individuals caught seem
to have been prepared for
questioning

• Little to no evidence
identified when caught


Forensic Investigation
• What is going on?
• Who is behind the activity?
• Why are they doing it?
• When did the start / stop?
• Where are they located?
• How is the activity
occurring?

• Has a crime taken place?

Forensic Investigation
• Often in cases involving
information systems
standardized forensic
investigation does not
occur until it is known that
suspicious activity is
happening

• Where do we look for this
activity?

Digital Evidence & Forensics
• Digital evidence exists all
around us

• Tools and techniques available
to investigators has greatly
increased in recent time

• Reliance on digital evidence is
becoming a reality

• Where is evidence on a
system?

User Console

User Level

Kernel
Interface
Memory

Kernel Level
File System

Hardware
Level


Evidence exists in:
Memory

• System Memory
• System Cache Program
Temp Log Temp File

File System

• File System
• File System Cache Program
Config File Target File Log File

Temp Log Temp File


Evidence exists in:
User Level Service

• Running Programs Kernel
Interface

• Running Services

Kernel Level
• Active Processes

Hardware
Level


User Console

User Level Service

Kernel
Interface
Memory

Temp Log Temp File

Kernel Level
File System

Target File Log File
Config File Program

Temp Log Temp File

Hardware
Level


Standardized process for digital
evidence
Standard processes being created
for:

• Attack Identification

• Forensic Investigation
• Image Capture
• Image Analysis
• Evidence identification


Standardized process for digital
evidence
Forensic investigations are
initiated from
evidence collected
during the
attack identification process.

If an investigator can not identify
an attack,
forensic investigation will not be
conducted;

Allowing attackers to go
unnoticed.

User Console

Identification

User Level Service

Kernel
Interface
Memory

Temp Log Temp File

Kernel Level
File System

Config File Program Target File Log File

Temp Log Temp File

Hardware
Level


User Console

Forensic
Investigation

User Level Service

Kernel
SYSTEM STATE IMAGE
Interface
Memory

MEMORY IMAGE
Temp Log Temp File

Kernel Level
File System


HARD DRIVE IMAGE

Temp Log Temp File

Hardware
Level


Anti-Forensics
What is it?

• Practices and processes to
prevent, counter-act or
neutralize an investigators
ability to identify or recover
evidence for use in an
investigation.


Anti-Forensics
The common purpose:

• Prevent detection of the
attacker

• Prevent an investigator from
gaining usable knowledge

• Destroy, hide, prevent
creation of, or transform data


Anti-Forensics
The common purpose:

• Even if an attacker is detected,

evidence regarding their means,
methods and motives will be
altered

preventing accurate investigation
or prosecution.


The origins of Anti-forensics

• Traditional
techniques
• Physical
• Financial
• Criminal

• Good Examples
• On Television


Anti-forensics – Methods Overview

• In order to maintain covert activities of any sort
there is a requirement to
Destroy,
Hide,
Prevent Creation of,
or transform data to remain hidden.


Destruction of data

• Goal
• Significantly Damage the Integrity of Evidence

• Physical Destruction of Data
• Magnetic Techniques (Degaussing)
• Brute Force

• Logical Destruction of Data
• Reinitialize Media
• Significantly change composition of data on media

Hiding of data

• Goal
• Limit identification and collection of evidence

• Obfuscation
• Information Manipulation
• Steganography

• Encryption
• Data Encryption
• Media Encryption

Data creation prevention

• Goal
• Prevent creation of evidence

• Direct Prevention
• Root Kits
• Modification of System Binaries

• Indirect Prevention
• Limit system functionality – DoS – to prevent creation of
data

Transformation Techniques

• Goal
• Maintain or Re-establish investigator trust in
falsified data as evidence.

• Conventional Techniques
• Root Kits

• Advanced Techniques
• Shared Library Hijacking

User Console

Identification

User Level Service

Kernel
Interface
Memory

Temp Log Temp File

Kernel Level
File System


Att

Attacker
Temp Log Temp File Attacker File
Program

Hardware
Level



• One of the most complex technical attacks being
performed today

• Understanding and appreciation for methods
used will allow us to reform our investigation
techniques



• WHY?

• Detailed forensic
investigation may not start if
there is no suggestion of
system tampering

• These techniques can make
very ugly systems look like
good ones… Copyright 2005 Seccuris Inc

Overview

• Traditional Methods
• Conventional
• Advanced
• Detection
• Conventional
• Advanced
• Emerging Methods


Anti-Forensics – Traditional Techniques
Conventional transformation methods

• Initial System Compromise
• Deception of Security Personal



• Initial System Compromise
• Breach of system due to known vulnerability
• Attacker gains access to system, attempts to by-pass
detection



• Deception of Security Personal

• Deleting Files
• Hiding files / logs / activities
• Root Kits

• Tools used to identify suspicious activity (In BSD)
• Disk Tools: df, ls ,du
• Process Tools: ps, top, crontab
• Network Tools: netstat, sockstat, fstat, tcpdump

• Be suspicious of your compiler

Traditional Techniques – AgriEng Inc
• Attacker identifies vulnerability

• Breaks into system

• Removes logs

• Installs rootkit

• Downloads engineering files

• Configures backdoor into
system


User Console

User Level Service

Kernel
Interface
Memory

Temp Log Temp File

Kernel Level
File System


Att

Attacker
Temp Log Temp File Attacker File
Program

Hardware
Level


User Console

Identification

User Level Service

Kernel
Interface
Memory

Attacker
Program

Temp Log Temp File

Kernel Level
File System

Config File Program Target File

Att
Attacker
Attacker File Program

Hardware
Level


Anti-Forensics – Traditional Techniques
Advanced Transformation Methods

• Kernel Modules and
hijacking systems calls

• Kernel level root kit
• Provides undetected and almost
unlimited access to a compromised
system

• Allows attackers to perform a
variety of functions such as:

• Hide processes
• Hide files and registry keys
• Log Keystrokes
• Redirect Executable Files
• Issue Commands
• Generates own hidden TCP/IP Stack
• Remote administration

Traditional Techniques – ServPro GmbH
• Attacker identifies vulnerability


• Removes logs

• Installs kernel level rootkit

• Installs System Sniffer

• Created automated system to
send out client information


Anti-Forensics - Traditional Techniques
Traditional Transformation Detection Methods

• Cryptographic hashing for data integrity
• Process Analysis
• Network Monitoring
• Signature / Pattern Matching


Transformation Detection Methods

• Cryptographic hashing for data integrity
• Using fingerprints investigators can ensure files
come from trusted sources, or weed out known
attack tools

• MD5 / SHA / RIPE-MD
• HIDS – Use of Cryptographic Hashing
• Tripwire, Axent, Cybersafe, ISS


Cryptographic hashing for data integrity
Trusted Command Executable

% md5 ps.trusted
MD5 (p s .tru s te d ) =
9 50 1e f2 86 e f3a b 86 87 b 7 9 20 c a 4 fe e 2 9 f

Un-trusted Command Executable

% md5 /bin/ps
MD5 (/ in / ) =
b ps
02b2f8087896314bafd4e9f3e00b35fb


User Console

Identification

Target File
Config File Program
User Level Service

Att

Attacker
Attacker File
Program
Kernel
Interface
NOT SAME
Memory

ATTACKGood
Known
DETECTED!
Attacker Program
Program

Temp Log Temp File

Kernel Level
File System


Att
Attacker

Hardware
Level



• Processes contain content such as:
• Open files
• Memory Maps
• Ownership Labels
• Resource Consumption Statistics

• Analysis of these characteristics allow an investigator to
identify discrepancies in common system activity

• Utilities such as:
• PS –AUX
• top
• proc fs

User Console

Identification

Target File
Config File Program
User Level
Known Good Service
Service
Att

NOT SAME
Attacker
Attacker File
Program
Kernel
ATTACK
Interface
Memory
DETECTED!

Attacker
Program

Temp Log Temp File

Kernel Level
File System


Att
Attacker

Hardware
Level



• NIDS
• Firewall Monitoring
• Bandwidth Trending

• Output can identify use of known attacks, or
privileged accounts




No v 10 2 1:59 :06 <4.1> 1 72 .1 6.1 .2 0 s no rt: [1:4 6 6:1 ] SHELLCODE
x86 stealth NOOP [P rio rity: 2]: {P R OTO0 01 } 1 0.0.1 .1 25 ->
10 .5 .1.3

• Example Snort® log which has detected the op-
codes or machine instructions for a “stealth
NOOP”.



% tcpdump -nett -i pflog0
lis te n in g on pflo g 0, link-type P F LOG (Ope nB S D p flog file ), c a pture s iz e 96 b yte s
1 1 0 0 2 2 1 1 36.6 7744 1 rule 1/0(match): b loc k in o n s is 0: IP 10 .0.0.35.4646 > 20 5.1 1 .1 1 .1 1 .4 4 5 : S
5 5 2 1 5 9036 :552 1590 36(0 ) win 6 4240 <m s s 1460 ,n op,n op,s a c kOK>
1 1 0 0 2 2 1 1 38.3 7042 3 rule 1 / a tc h ): b loc k in on s is 0 : IP 10 .0.0.35.4646 > 205.11 .1 1 .1 1 .4 4 5 : S
0(m
5 5 2 1 5 9036 :552 1590 36(0 ) win 6 4240 <m s s 1460 ,n op,n op,s a c kOK>

• Example use of tcpdump on the OpenBSD® PF
Firewall


User Console

Identification

Target File
Config File Program
User Level Service

Att

Attacker
Attacker File
Program
Kernel
Interface
Memory
ATTACK
DETECTED! Attacker
Program

Temp Log Temp File

Kernel Level
File System

Network Config File Program Target File
Intrusion Detection System
Att
Attacker

Hardware
Level



• Database of known patterns and signatures
• Binary Sequence Matching

• Used in NIDS / HIDS / Investigative Tools




% file libtransform.so.1

lib tra n s form .s o .1 : E LF 32 -b it LSB shared object, In te l 8 03 8 6,
ve rs ion 1 (F re e B S D), s trip p e d

• Output of the “file” utility on a shared object.
• The “file” utility attempts to figure the file type for a
specified file.

User Console

Identification

Target File
Config File Program
User Level Service

Att

Attacker
Attacker File
Program
Kernel
Interface
Memory
1. File Size
2. Header Information
Attacker
Program
3. File Content
4. Unknown Pattern
Temp Log Temp File

Kernel Level
File System
ATTACK
DETECTED!

Att
Attacker

Hardware
Level


Investigating – AgriEng Inc

• Cryptographic hashing for
data integrity





User Console

Identification

Target File
Config File Program
User Level Service

Att

Attacker
ATTACK
Attacker File
Program
Kernel
DETECTED!
Interface
Memory

Attacker
Program

Temp Log Temp File

Kernel Level
File System


Att
Attacker

Hardware
Level


Anti-Forensics - Traditional Techniques
Advanced Transformation
Detection Methods

• Advanced Transformation
Detection methods

• Detection of system call
hijacking


Advanced Transformation Detection Methods
• Detection of system call hijacking
• System Call hijacking changes the address the
system references from a known module to
their own “attacker” module

• If an investigator can find inconsistencies in
programs making system calls they will be able to
detect an attack


Advanced Transformation Detection Methods

• Advanced Transformation Detection methods

i f ( s y s e n t [ S YS _o p e n ] . s y _c a l l ! = o p e n )
pa ni c ( “ ope n s ys t e m c a l l ha s be e n hi - j a c ke d” ) ;
i f ( s y s e n t [ S YS _wr i t e ] . s y _c a l l ! = wr i t e )
p a n i c ( “ wr i t e s y s t e m c a l l h a s b e e n h i - j a c k e d ” ) ;

• Code snippet for the FreeBSD® operating system which
when executed in the context of the kernel, could be used
to detect the presence of a hi-jacked system call.


Investigating – ServPro GmbH

data integrity




hijacking


User Console

Identification

Config File Target File
User Level Service

Program
Kernel
Interface
Memory

Attacker
Program

ATTACK
Temp Log Temp File
DETECTED!
Kernel Level
File System


Att
Attacker

Hardware
Level


Overview

• Traditional Methods
• Emerging Methods
• Emerging Transformation Methods
• Emerging Detection


Anti-Forensics – Emerging Techniques
Emerging transformation
methods

• Hijacking of user space
library calls


Dynamically Standard Libraries
Memory
Linked Libraries

• More efficient use of
system resources

• Loads from User Space
Dynamically Linked
• Multiple programs utilize Memory

same code libraries for
similar functions

• Attackers can change
program behavior without
modifying program or
libraries Copyright 2005 Seccuris Inc

Dynamically
Linked Libraries
Memory


Emerging transformation methods

• Hijacking of user space library calls
• Information Transformation
• Takes “Ugly / Untrusted” information and
makes it look “Good / Trusted”

• Scenarios
• System Logs
• Audit Logs
• Existing Files
• IDS
• FW
• Dynamic Review


Emerging Techniques – Government Department

• Attacker identifies
vulnerability


• Installs User Space Module
for Shared Library Hi-jacking

• Creates automated system
to send out client information

• Avoids capture through
regular methods from
investigators


User Console
Att

Attacker File

User Level Service

Kernel
Interface
Memory

Temp Log Temp File

Kernel Level
File System


Temp Log Temp File Shared Object File

Hardware
Level


User Console

Identification

User Level Service

Kernel
Interface
Memory

Temp Log Temp File

Kernel Level
File System


Att

Temp Log Temp File Attacker File Shared Object File

Hardware
Level


Investigating – Government Department

data integrity




hijacking


User Console

Identification
Temp Log Config File Shared Object File

User Level Service
Temp File Target File

No Attack
Log File
Program

Kernel
Interface
Memory

Temp Log Temp File

Kernel Level
File System


Att


Hardware
Level


Anti-Forensics – Emerging Techniques
Emerging transformation
detection methods

• Shared Library Analysis


Emerging transformation detection methods

• Shared Library Analysis
• Analyze active processes to identify links to “Ugly /
untrusted” shared libraries.

• Using LSOF to analyze VMCORE
• Identifies if an untrusted object is being used by the
system

• Using objdump to analyze dynamic symbols
• Identifies which functions are being hijacked by the
untrusted object

Investigating – Government Department

• Using LSOF to analyze
VMCORE

• Using objdump to analyze
dynamic symbols


User Console

Identification
Temp Log Config File Shared Object File

User Level Service
Temp File Target File

Log File
ATTACK
Program

Kernel
DETECTED!
Interface
Memory

VMCORE File

Temp Log Temp File

Kernel Level
File System


Att


Hardware
Level


Current trends to watch

• Direct Kernel Hijack
• Concurrency Exploits
• Dynamic Firmware Attack
• Virtualization Attacks


Direct Kernel Hijack

• Modifies live kernel instead of system calls

• Injection of malicious kernel code through /d e v /me m
or / d e v / k me m

• This isn’t new, but gaining popularity again…
• Tripwire, Execshied, PaX bypass standard in most kits
• Most script kits do not require root for proper execution on
Ubuntu, general Linux/BSD flavors
• Better detection of NOP sleds allowing for higher chance of
1st time success

Concurrency Exploits & Race Conditions

• System call wrappers have been touted as the
answer to system call hijack.

• Concurrency exploits remove the effectiveness
of wrappers in multi-process systems

• More information
• http://www.watson.org/~robert/2007woot/20070806-
woot-concurrency.pdf

Concurrency Exploits – Race Conditions


Firmware Attack - Covert Channel

• Hijack of interrupts through firmware exploitation

• RAID / SATA drives increasingly vulnerable

• Automated exploit though dynamic firmware
update

• Hide I/O errors, misreport write commands,
reword strings being written to drive


Virtualization Attacks

• The Blue Pill hype (and anti-hype)
• http://securitywatch.eweek.com/showdown_at_the_blue_pill_corral.html

• Reported to be 100% undetectable malware

• On-the-fly installation of malware that “Traps & Emulates”
the original OS

• Timing, Memory & Hypervisor checks detect it…

• As hardware moves towards virtualization support this will
become a bigger concern

Prevention Methods for the Real World

• Psychological Changes
• Be aware of this type of activity

• Process Changes
• Modify incident handling and forensic investigation
processes to test for this type of activity

• Architecture Changes
• Static Linking (back to the future!)
• Utilize trusted security architectures
• Cryptographic Execution Policy (CheckSums)
• Mandatory Access Control Frameworks
• FreeBSD Trusted Execution Policy



• Real world tools for detection available:

• RootKit Hook Analyser
• http://www.resplendence.com/hookanalyzer

• RootkitRevealer (Windows NT4 – 2003+)
• http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

• F-Secure BlackLight
• http://www.f-secure.co.uk/blacklight/blacklight.html



• Real world tools for prevention available:

• Tripwire
• http://www.tripwire.com/

• Third Brigage
• http://www.thirdbrigade.com/

• Anti-Rootkit software
• http://www.antirootkit.com/software/index.htm


Overview

• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Prevention Methods for Real World
• Conclusions


Conclusions

• Anti-forensic techniques in the digital realm are
becoming more complex and harder to detect


Conclusions

• Transformation attacks can falsely maintain an
investigator’s trust in a system preventing a
proper investigation from occurring


Conclusions

• Awareness of anti-forensics and the techniques
required for identification will enhance our ability
to protect our organizations


Thank-you

Michael Legary
Founder, Seccuris Inc.

(204) 255-4490
Michael.Legary@Seccuris.com

1-866-644-8442
www.seccuris.com


Anti-Forensics: Real world identification, analysis and prevention

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Anti-Forensics: Real world identification, analysis and prevention

Similaire à Anti-Forensics: Real world identification, analysis and prevention (20)

Plus de Seccuris Inc.

Plus de Seccuris Inc. (11)

Dernier

Dernier (20)

Anti-Forensics: Real world identification, analysis and prevention