INVESTIGATING HACKERS' TOOLS
A SEMINAR
BY
ISRAEL UMANA
M.Tech – Information Security and Cyber Forensic
SRM University, Chennai
India
Acknowledgments
Material is sourced from:
INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION
Authors: CHRIS PROSISE, KEVIN MANDIA
Publisher: McGraw-Hill/Osborne
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto
Israel Umana - Investigating Hackers' tools
THE GOALS OF TOOL ANALYSIS
• Prevent similar attacks in the future
• Assess an attacker's skill or threat level
• Determine the extent of a compromise
• Determine if any damage was done
• Determine the number and type of intruders
• Prepare yourself for a successful subject interview if you catch the attacker
• Determine the attacker's objectives and goals (specific targeting versus target of opportunity)
HOW FILES ARE COMPILED
• Statically linked programs (gcc -static zap.c -o zapstatic): the library code is copied into the binary, so it runs without shared libraries and is considerably larger.
• Dynamically linked programs (gcc zap.c -o zap_out): library code is resolved at run time from shared libraries, so the binary carries a list of the libraries and functions it imports.
• Programs compiled with debug options (gcc -g zap.c -o zapdebug): debugging symbols, including source file names and line numbers, are kept in the binary.
• Stripped programs: the symbol table has been removed (for example with strip), so function and variable names are gone.
• Programs packed with UPX: the executable is compressed and wrapped in a small unpacking stub, which hides its strings and structure until it is unpacked.
Statically vs Dynamically compiled program
File Analysis
• On a Unix system, change to the directory of the suspicious file and issue the command:
[root@conan zap]# ls -al Z
• This displays the file attributes and permissions:
-rwxr--r-- 1 root root 7423 Feb 4 02:00 Z
File Analysis (contd)
• [root@conan zap]# file Z
This command shows the compilation method used on the file. Here is a sample output:
Z: ELF 32-bit LSB executable, Intel 80386, version 1 (Linux), statically linked, stripped
A result of "statically linked, stripped" means that neither a list of imported shared libraries nor any symbol names are available to you, so the later strings and system-call analysis has to do more of the work.
File Analysis (contd)
• [root@conan zap]# strings -a Z
This command shows if the file is compressed with UPX. Sample output:
--Excerpt--
Linux
$Info: This file is packed with the UPX executable packer http://upx.sf.net$
$
$Id: UPX 1.24 Copyright (C) 1996-2002 the UPX Team. All Rights Reserved. $
UWVSQR
Note that these marker strings can be removed from a packed file by hand, so their absence does not prove the file is unpacked; a very short strings listing from a sizeable executable is itself a sign of packing.
File Analysis (contd)
• The following command decompresses (unpacks) the suspect file and stores the output in the file named foo:
[root@conan zap]# upx -d Z -o foo
Output:
Ultimate Packer for eXecutables
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24 Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     13160 <-      7423   56.40%   linux/386     foo

The unpacked file foo is 13160 bytes, restored from the 7423-byte packed file Z.
File Analysis (contd)
• We can now run the same commands again, this time on the unpacked file:
- file foo
- strings -a foo
The unpacked file will typically report its real linking and stripping state, and its strings listing will show the messages, file names and addresses that the packer had hidden.
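The following script, added here as an example and not part of the seminar or the book it draws on, does in code what the file and strings steps above do by hand: it reads the ELF header, program headers and section headers to decide class, byte order, type, machine, static versus dynamic linking and whether the binary is stripped, and it scans for the UPX marker strings. The sample binaries it builds in memory are constructed for the demonstration (header-only images, not runnable programs); the machine table and marker strings are the standard values, and treating a missing section table as "stripped" is this script's own simplification.

```python
"""Classify an ELF binary the way file(1) does on the slide: class, byte order,
type, machine, static vs. dynamic linking, stripped or not, plus a check for
the UPX packer marker. Added example; the sample binaries are constructed
in memory and are not loadable programs."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_DYNAMIC, PT_INTERP = 2, 3      # program header types that imply a dynamic loader
SHT_SYMTAB = 2                    # section type file(1) uses to report "not stripped"
E_TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
MACHINES = {3: "Intel 80386", 40: "ARM", 62: "x86-64", 183: "AArch64"}
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX")


def classify_elf(data: bytes) -> dict:
    """Parse the ELF header, program headers and section headers of `data`."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    bo = "<" if ei_data == 1 else ">"   # 1 = little endian (LSB), 2 = big endian (MSB)
    is64 = ei_class == 2
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    fmt = bo + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    h = struct.unpack_from(fmt, data, 16)
    e_type, e_machine, e_phoff, e_shoff = h[0], h[1], h[4], h[5]
    e_phentsize, e_phnum, e_shentsize, e_shnum = h[8], h[9], h[10], h[11]

    # PT_INTERP (loader path) or PT_DYNAMIC (dynamic section) means the kernel
    # hands the binary to ld.so: that is what "dynamically linked" means.
    # Simplification: a static-pie binary (PT_DYNAMIC, no PT_INTERP) is folded in here.
    ptypes = {struct.unpack_from(bo + "I", data, e_phoff + i * e_phentsize)[0]
              for i in range(e_phnum)}
    dynamic = bool(ptypes & {PT_INTERP, PT_DYNAMIC})

    # file(1) says "not stripped" only when a SHT_SYMTAB section survives.
    # No section table at all (e_shnum == 0) therefore counts as stripped; UPX
    # drops the section table, so packed binaries look this way as well.
    stypes = {struct.unpack_from(bo + "I", data, e_shoff + i * e_shentsize + 4)[0]
              for i in range(e_shnum)}
    stripped = SHT_SYMTAB not in stypes

    return {
        "class": "ELF 64-bit" if is64 else "ELF 32-bit",
        "data": "LSB" if ei_data == 1 else "MSB",
        "type": E_TYPES.get(e_type, f"type {e_type}"),
        "machine": MACHINES.get(e_machine, f"machine {e_machine}"),
        "linking": "dynamically linked" if dynamic else "statically linked",
        "stripped": stripped,
        "upx_marker": any(m in data for m in UPX_MARKERS),
    }


def describe(data: bytes) -> str:
    """One-line summary in the style of the file(1) output on the slide."""
    c = classify_elf(data)
    line = (f"{c['class']} {c['data']} {c['type']}, {c['machine']}, "
            f"{c['linking']}, {'stripped' if c['stripped'] else 'not stripped'}")
    return line + (", UPX marker present" if c["upx_marker"] else "")


def build_sample_elf(dynamic: bool, stripped: bool, packed: bool = False) -> bytes:
    """Constructed ELF32 LSB i386 image with just enough headers to exercise
    classify_elf. Assumption: a UPX-packed file has no section table and carries
    the marker strings; that is simulated here, not produced by UPX."""
    phdrs = [1] + ([PT_INTERP, PT_DYNAMIC] if dynamic else [])      # 1 = PT_LOAD
    shdrs = [] if packed else [0, 1] + ([] if stripped else [SHT_SYMTAB])
    ehsize, phentsize, shentsize = 52, 32, 40
    phoff = ehsize
    shoff = phoff + phentsize * len(phdrs) if shdrs else 0
    img = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8          # ELFCLASS32, LSB, v1
    img += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, phoff, shoff, 0,
                       ehsize, phentsize, len(phdrs), shentsize, len(shdrs), 0)
    for t in phdrs:                                              # Elf32_Phdr: 8 x uint32
        img += struct.pack("<8I", t, 0, 0, 0, 0, 0, 0, 0)
    for t in shdrs:                                              # Elf32_Shdr: 10 x uint32
        img += struct.pack("<10I", 0, t, 0, 0, 0, 0, 0, 0, 0, 0)
    if packed:
        img += b"\x00UPX!\x00" + UPX_MARKERS[1] + b" executable packer http://upx.sf.net$\x00"
    return img


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(f"{path}: {describe(fh.read())}")
    else:
        print("Z: " + describe(build_sample_elf(dynamic=False, stripped=True)))
        print("zap_out: " + describe(build_sample_elf(dynamic=True, stripped=False)))
        print("packed: " + describe(build_sample_elf(dynamic=False, stripped=True, packed=True)))
```

Run it with real paths (python3 elfinfo.py zapstatic zap_out zapdebug) to compare its verdicts with file's; the constructed "Z" sample reproduces the "statically linked, stripped" line from the slide.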
STATIC ANALYSIS OF A HACKER TOOL
Static analysis is tool analysis performed without actually executing the rogue code.
It involves the following steps:
1. Determine the type of file
2. Review the ASCII and Unicode strings
3. Perform online research
4. Perform source code review
Determining the Type of File
Common file types include:
• Windows 95/98/NT/2000/XP executable or dynamically linked library (DLL)
• Linux a.out/elf/script
• Solaris a.out/elf/script
• DOS 32-bit COFF
• DOS 16-bit .com file
• DOS 16-bit executable
• Atari ST/TT
Using the Unix File Command
• The standard command for determining a file type on Unix systems is file.
[root@conan zap]# file *
• file identifies a file by its content (magic numbers), not by its name or extension, so a tool renamed to look like a data file is still reported as an executable.
Using the Windows Exetype Command
• The Windows equivalent of the file command is the NT Resource Kit tool exetype.
• It recognizes fewer file types than the file command.
Reviewing the ASCII and Unicode Strings
• Basic static analysis of object code involves examining the ASCII-formatted strings of the binary file.
• The strings command has the following syntax:
strings -a filename
This command line will display all ASCII strings contained in the object code that are four characters or longer.
• The -a option scans the whole file; without it, GNU strings looks only at the initialised data sections of an object file, so packed or appended data can be missed. GNU strings only reports 16-bit Unicode (UTF-16) strings, common in Windows binaries, when asked to with -e l (little-endian) or -e b (big-endian).
Hex Editors
When all else fails, the hex editor is our friend. However, for static tool analysis the hex editor is only slightly better than the strings command: its advantage is that it lets you see Unicode and ASCII strings within a file at the same time, in their surrounding context.
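As an added example (not from the slides or the book), here is a small strings extractor that reports ASCII and UTF-16LE strings together, which is the one thing the hex editor offers over plain strings, and then flags the strings an analyst looks for first. The sample blob and the indicator patterns are constructed for the demonstration; the four-character minimum follows the strings default quoted above.

```python
"""Pull printable ASCII and UTF-16LE ("Unicode") strings out of a binary, as
strings -a and a hex editor would, then flag the ones an analyst checks first.
Added example; the sample blob is constructed, not taken from a real tool."""
import re
import sys
from typing import List, Tuple

PRINTABLE = rb"[\x20-\x7e]"

# Patterns worth a second look in any unknown binary (constructed list).
INDICATORS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://"),
    "unix_log": re.compile(r"/var/log/"),
    "registry_run": re.compile(r"CurrentVersion\\Run", re.IGNORECASE),
    "shell": re.compile(r"/bin/sh|cmd\.exe", re.IGNORECASE),
}


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every run of at least `min_len`
    printable characters, in ASCII or UTF-16LE, ordered by file offset.
    Like strings itself, this reports any run of printable bytes, so some
    hits are just machine code or numbers that happen to look like text."""
    found = []
    ascii_re = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort(key=lambda item: item[0])
    return found


def flag_indicators(strings) -> List[Tuple[str, int, str, str]]:
    """(label, offset, encoding, text) for every string matching an indicator."""
    hits = []
    for offset, enc, text in strings:
        for label, rx in INDICATORS.items():
            if rx.search(text):
                hits.append((label, offset, enc, text))
    return hits


# Constructed sample: an ELF-looking header, some noise, Unix log paths, a
# UTF-16LE registry path, a too-short run, an address and a shell path.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9            # "ELF" is only 3 chars: skipped
    + b"Usage: ./zap [username]\x00"
    + b"\x90\x90\xcc\xff"                            # binary noise
    + b"/var/log/wtmp\x00/var/log/lastlog\x00"
    + b"\xde\xad\xbe\xef"                            # separator so runs do not merge
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"                                      # shorter than min_len: skipped
    + b"192.0.2.5:4444\x00/bin/sh\x00"
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if sys.argv[1:] else SAMPLE_BLOB
    strings = extract_strings(data)
    for offset, enc, text in strings:
        print(f"{offset:08x} {enc:8s} {text}")
    for label, offset, enc, text in flag_indicators(strings):
        print(f"  [{label}] at {offset:#x}: {text}")
```

Pointing it at a real file (python3 strings2.py foo) gives the same listing a hex editor would let you eyeball, with offsets you can jump to; the UTF-16 pass is what plain strings -a misses on Windows binaries.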
Performing Online Research
• Perform online research to determine if the tool is publicly available on computer security or hacker sites. Compare any online tools identified with the tool you are analyzing. Search on distinctive strings from the binary and on its cryptographic hash as well as on its name, since attackers routinely rename tools.
• If the tool is not publicly available, then you will need to decompile the file to analyse its functions.
Performing Source Code Review
• With the source code available to you for review, you will be capable of determining exactly what a rogue program does.
• Performing source code review requires working knowledge of the programming language used to create the tool. Most popular exploits and tools are written in ANSI C and Microsoft Visual Basic scripting, so you should become familiar with these languages.
DYNAMIC ANALYSIS OF A HACKER TOOL
• In dynamic analysis, you execute the rogue code and interpret its interaction with the host operating system.
• This can be dangerous on your forensic workstation, so it is done in a sandbox.
• Our methodology includes the following tasks:
  - Monitor the time/date stamps to determine what files a tool affects.
  - Run the program to intercept its system calls.
  - Perform network monitoring to determine if any network traffic is generated.
  - Monitor how Windows-based executables interact with the Registry.
Creating the Sandbox Environment
• Get the operating system and architecture necessary to execute the object code properly.
• Install VMware on your test system.
• Turn on the Nonpersistent write option in the configuration settings, so that every change the tool makes to the virtual disk is discarded when the virtual machine is powered off.
• Make sure that the test system is not connected to the Internet.
• Execute the rogue code on a closed network.
Dynamic Analysis on a Unix System
• Most applications execute in a memory area defined as user space.
• User-space code is prohibited from accessing computer hardware and resources directly.
• User applications access these resources by requesting the kernel to perform the operations on their behalf.
• The user application makes these requests to the kernel via system calls.
Using Strace
• Unix has a tool that traces the use of system calls by an executed process.
• The strace command displays information about file access, network access, memory access, and many other system calls that a program makes when it is executed.
• [root@conan zap]# strace -o strace.out ./zapdynamic
• This command line will store the interaction between the zap program and the operating system in a file called strace.out.
• Add -f to follow any child processes the tool forks; without it, only the initial process is traced.
Sample output
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
write(1, "Error.\n", 7) = 7
munmap(0x40014000, 4096) = 0
_exit(7) = ?
Here the program probes its standard output (fstat and ioctl on descriptor 1), writes the seven-byte message "Error.\n" to it and exits with status 7; the "= ?" after _exit shows a call that never returns.
Examining Strace Output
Look out for the following system calls:
• The execve call, which starts the traced program (and any other program the tool launches).
• The brk system calls, which are used to allocate memory for the process.
• The mmap calls, which map a portion of a file into memory.
• The fstat call, which obtains information about the file that is referenced by the file descriptor.
• The close system calls, which are used to release a file descriptor when the process no longer needs the file or socket referenced.
Using Shortcuts with Strace
• Search the strace output file for open, read, write, unlink, lstat, socket, and close system calls.
• A shortcut is to use the option -e trace=file, which reports only the system calls that take a file name as an argument.
• To display all interactions with a network device, use the option -e trace=network.
• More combinations are available in the man page for strace.
• Save a copy of all the data transferred with the -e write=<descriptors> option (and -e read= for data read), which dumps the bytes passed through those descriptors in hex and ASCII.
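An added example, not from the seminar or the book: a parser for an strace -o output file that implements the shortcuts above in code, grouping calls as -e trace=file and -e trace=network would, attributing each write to the file or socket behind its descriptor (the job -e write= does at trace time), and pulling out the execve, unlink and connect targets. The trace it runs on is constructed to resemble strace output from a log-wiping tool; it is not a real trace of zap, and the paths and the 192.0.2.5 address are invented.

```python
"""Parse an strace -o log and pull out what the slides say to look for: files
opened or unlinked, network sockets and their targets, and every write, each
attributed to the file or socket behind its descriptor. Added example; the log
below is constructed to look like strace output for a log-wiping tool and is
not a trace of the real zap."""
import re
from dataclasses import dataclass
from typing import Dict, List

# "[pid N]" and leading PID columns appear with -f; both are skipped here.
LINE_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(?:\d+\s+)?(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>.+)$")
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
CONNECT_RE = re.compile(r'sin_port=htons\((?P<port>\d+)\).*inet_addr\("(?P<ip>[^"]+)"\)')

# The groupings strace -e trace=file / -e trace=network select (subset).
FILE_CALLS = {"open", "openat", "creat", "stat", "lstat", "unlink", "unlinkat",
              "rename", "chmod", "chown", "truncate", "mkdir", "rmdir", "execve"}
NET_CALLS = {"socket", "connect", "bind", "listen", "accept", "sendto", "recvfrom"}


@dataclass
class Syscall:
    name: str
    args: str
    ret: str

    @property
    def failed(self) -> bool:
        return self.ret.startswith("-1")

    @property
    def strings(self) -> List[str]:
        return STR_RE.findall(self.args)


def parse_strace(text: str) -> List[Syscall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append(Syscall(m["name"], m["args"], m["ret"]))
    return calls


def filter_calls(calls, group: str) -> List[Syscall]:
    """Equivalent of -e trace=file / -e trace=network applied after the fact."""
    wanted = {"file": FILE_CALLS, "network": NET_CALLS}[group]
    return [c for c in calls if c.name in wanted]


def summarize(calls) -> Dict[str, list]:
    fd_path = {0: "stdin", 1: "stdout", 2: "stderr"}   # descriptor -> what it refers to
    out = {"execve": [], "opened": [], "unlinked": [], "network": [], "writes": []}
    for c in calls:
        s = c.strings
        if c.name == "execve":
            out["execve"].append((s[0], s[1:]))           # path, argv (env is unquoted)
        elif c.name in {"open", "openat", "creat"} and not c.failed:
            fd_path[int(c.ret.split()[0])] = s[0]
            out["opened"].append(s[0])
        elif c.name in {"unlink", "unlinkat"}:
            out["unlinked"].append((s[0], not c.failed))   # (path, succeeded)
        elif c.name == "socket" and not c.failed:
            fd_path[int(c.ret.split()[0])] = "socket"
            out["network"].append(("socket", c.args))
        elif c.name == "connect":
            fd = int(c.args.split(",")[0])
            m = CONNECT_RE.search(c.args)
            target = f"{m['ip']}:{m['port']}" if m else c.args
            fd_path[fd] = f"socket->{target}"
            out["network"].append(("connect", target))
        elif c.name == "write" and not c.failed:
            fd = int(c.args.split(",")[0])
            out["writes"].append((fd_path.get(fd, f"fd {fd}"), s[0] if s else ""))
        elif c.name == "close":
            fd_path.pop(int(c.args.strip()), None)
    return out


# Constructed trace (not real zap output): rewrite wtmp, try to remove a backup,
# push a line to a remote host, print an error and exit.
SAMPLE_STRACE = r"""execve("./zapdynamic", ["./zapdynamic", "root"], [/* 20 vars */]) = 0
brk(0)                                  = 0x804a000
open("/var/log/wtmp", O_RDWR)           = 3
fstat(3, {st_mode=S_IFREG|0664, st_size=1536, ...}) = 0
read(3, "\10\0\0\0\2\0\0\0~\0\0\0"..., 384) = 384
lseek(3, 0, SEEK_SET)                   = 0
write(3, "\0\0\0\0root\0\0"..., 384)    = 384
close(3)                                = 0
unlink("/var/log/lastlog.bak")          = -1 ENOENT (No such file or directory)
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.0.2.5")}, 16) = 0
write(4, "root\n", 5)                   = 5
close(4)                                = 0
write(1, "Error.\n", 7)                 = 7
_exit(7)                                = ?
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if sys.argv[1:] else SAMPLE_STRACE
    for key, items in summarize(parse_strace(text)).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Run it as python3 strace_summary.py strace.out; with no argument it works through the constructed trace, attributing the 384-byte write to /var/log/wtmp and the "root\n" write to the socket connected to 192.0.2.5:4444, which is exactly the correlation that is tedious to do by eye in a long trace.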
Conducting Analysis Beyond Strace
• The strace utility cannot do everything.
• With strace, you cannot determine what the process does with the values it reads, writes, or receives through the system calls, because the computation between calls is invisible to it.
• You need to resort to techniques such as debugging and decompiling.
• The debugger will allow you to step through every action a program takes during its execution.
Recompile the GNU Binutils Package
• The binutils package is installed on most versions of Linux.
• As shipped, it is built to recognize a small number of object file types.
• Tools in the precompiled binutils package may build, view, disassemble, and otherwise alter a handful of Linux native executable files.
• Recompile the package with ./configure --enable-targets=all so that objdump and the other tools recognize object files for the other architectures and platforms you may recover from a compromised host.
Dynamic Analysis on a Windows System
• You execute the rogue code and use utilities to watch how the rogue process interacts with the file system, the Registry, the application programming interfaces (APIs), and the operating system.
• For dynamic tool analysis of Windows applications, we use Filemon, Regmon, ListDLLs, Fport, and PsList.
• Filemon, Regmon, ListDLLs, and PsList can be obtained from: http://www.sysinternals.com
• Filemon and Regmon have since been superseded by Sysinternals Process Monitor, which combines both kinds of monitoring in one tool.
Using Filemon
• The Filemon utility (from the Sysinternals web site) provides a wiretap between running processes and the file system.
• It intercepts all access and queries a process makes to the file system.
• You can determine all of the files the program reads, writes to, and accesses to perform its unknown activity.
Using Regmon
• Regmon taps a process's interaction with the Windows Registry.
• Some programs query, enumerate, and close more than 950 Registry keys upon execution.
• Regmon allows you to enter filters to focus your analysis on relevant entries.
• It provides immediate access to the Registry Editor (regedit).
• It provides a simple interface to monitor which programs write startup entries in the Registry and which programs query the network hardware in order to generate or receive network traffic.
Using ListDLLs
• ListDLLs is available from Sysinternals.
• It shows all of the DLLs needed by a process and enumerates the full pathnames of the DLLs loaded by it.
• ListDLLs is helpful for detecting applications that have been modified (injected) with extra functionality.
• Viewing which DLLs the program is using may allow you to detect if the application is interacting with the network services at an API level or if it is attempting to bypass them.
• It works on programs that are currently running.
Using Fport and PsList
• Fport and PsList are critical tools for dynamic analysis on a Windows system.
• Fport should be used prior to and after executing a rogue process to determine if the rogue process opened any network sockets.
• PsList is useful to determine if a process changes its process name after execution.
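The before-and-after Fport comparison, as an added example in Python (not the seminar's or the book's own code). The two listings are constructed in the column layout of Fport v2.0 as remembered, so the format is an assumption; the PIDs, process names, paths and ports are invented, and PID 1204 stands for the rogue process under test. Beyond the slide's check for newly opened sockets, the diff also reports ports whose owning process changed, which is what a tool that takes over an existing listener would show.

```python
"""Before-and-after comparison of Fport snapshots: which ports a rogue process
opened, which disappeared, and which changed owner. Added example; the two
snapshots are constructed text in the Fport v2.0 column layout (reproduced
from memory, treat the format as an assumption) with invented processes."""
import re
from typing import Dict, Tuple

Key = Tuple[str, int]              # (proto, port)
Owner = Tuple[int, str, str]       # (pid, process, path)

FPORT_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+->\s+(?P<port>\d+)\s+(?P<proto>TCP|UDP)\s*(?P<path>.*)$")


def parse_fport(text: str) -> Dict[Key, Owner]:
    """Map each (proto, port) in an Fport listing to the process that owns it.
    Banner and header lines do not match the pattern and are skipped."""
    table = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            table[(m["proto"], int(m["port"]))] = (int(m["pid"]), m["proc"], m["path"].strip())
    return table


def diff_fport(before: Dict[Key, Owner], after: Dict[Key, Owner], suspect_pid=None) -> dict:
    """Ports that appeared, disappeared, or changed owner between the two runs.
    With suspect_pid, 'by_suspect' lists every port now owned by that process."""
    opened = {k: after[k] for k in after.keys() - before.keys()}
    closed = {k: before[k] for k in before.keys() - after.keys()}
    reassigned = {k: (before[k], after[k]) for k in before.keys() & after.keys()
                  if before[k][0] != after[k][0]}
    by_suspect = {k: v for k, v in after.items()
                  if suspect_pid is not None and v[0] == suspect_pid}
    return {"opened": opened, "closed": closed, "reassigned": reassigned, "by_suspect": by_suspect}


# Constructed snapshot taken before running the suspect binary.
BEFORE = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
512   inetinfo       ->  80    TCP   C:\\WINNT\\system32\\inetsrv\\inetinfo.exe
392   svchost        ->  135   UDP   C:\\WINNT\\system32\\svchost.exe
"""

# Constructed snapshot taken after: zap (PID 1204) listens on two new ports
# and has taken over TCP 80 from inetinfo.
AFTER = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1204  zap            ->  80    TCP   C:\\temp\\zap.exe
1204  zap            ->  4444  TCP   C:\\temp\\zap.exe
1204  zap            ->  31337 UDP   C:\\temp\\zap.exe
392   svchost        ->  135   UDP   C:\\WINNT\\system32\\svchost.exe
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        before, after = (parse_fport(open(p).read()) for p in sys.argv[1:3])
    else:
        before, after = parse_fport(BEFORE), parse_fport(AFTER)
    for kind, entries in diff_fport(before, after, suspect_pid=1204).items():
        print(f"{kind}:")
        for (proto, port), owner in sorted(entries.items()):
            print(f"  {proto}/{port}: {owner}")
```

In practice you redirect fport.exe to a file before and after running the sample (fport > before.txt, run the tool, fport > after.txt) and feed both files to the script; anything under "opened" or "reassigned" that points at the suspect PID is a socket the tool created, and the port numbers are what you then look for in the network capture.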
Conducting Further Analysis on Windows
• The tools described in this chapter provide the first level of analysis.
• More comprehensive techniques are available.
• Decompiling and debugging are the next steps.
• IDA Pro (an interactive disassembler) and SoftICE (a source-level debugger).
• They can be obtained at:
  IDA Pro: http://www.datarescue.com
  SoftICE: http://www.compuware.com/products/devpartner/softice

WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
Thalassery Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call G...
Thalassery Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call G...Thalassery Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call G...
Thalassery Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call G...
 

Investigating Hackers' Tools

  • 1. Investigating Hackers' Tools. A seminar by Israel Umana, M.Tech – Information Security and Cyber Forensic, SRM University, Chennai, India.
  • 2. Acknowledgments. Material is sourced from: Incident Response & Computer Forensics, Second Edition. Authors: Chris Prosise, Kevin Mandia. Publisher: McGraw-Hill/Osborne (New York, Chicago, San Francisco, Lisbon, London, Madrid, Mexico City, Milan, New Delhi, San Juan, Seoul, Singapore, Sydney, Toronto).
  • 3. The Goals of Tool Analysis.
    - Prevent similar attacks in the future.
    - Assess an attacker’s skill or threat level.
    - Determine the extent of a compromise.
    - Determine if any damage was done.
    - Determine the number and type of intruders.
    - Prepare yourself for a successful subject interview if you catch the attacker.
    - Determine the attacker’s objectives and goals (specific targeting versus target of opportunity).
  • 4. How Files Are Compiled.
    - Statically linked programs: gcc -static zap.c -o zapstatic
    - Dynamically linked programs: gcc zap.c -o zap_out
    - Programs compiled with debug options: gcc -g zap.c -o zapdebug
    - Stripped programs
    - Programs packed with UPX
  • 5. Statically vs Dynamically Compiled Program. (Screenshot slide.)
  • 6. File Analysis. On a Unix system, change to the directory of the suspicious file and issue the command:
    [root@conan zap]# ls -al Z
    This displays the file attributes and permissions:
    -rwxr--r-- 1 root root 7423 Feb 4 02:00 Z
  • 7. File Analysis (contd).
    [root@conan zap]# file Z
    This command shows the compilation method used on the file. Here is a sample output:
    Z: ELF 32-bit LSB executable, Intel 80386, version 1 (Linux), statically linked, stripped
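The file command on slide 7 gets "32-bit", "LSB", "Intel 80386" and "statically linked" from the ELF header and program header table. The following Python script is an added example, not code from the seminar or the book: it parses the ELF identification bytes, the header and the program header types and prints a file-style description, reporting "statically linked" when no PT_INTERP segment is present. The 32-bit image it builds is constructed in memory for the demonstration (a valid header and program headers with no code, not a runnable program), and "stripped" is not reported because that needs the section header table, which the constructed image does not carry.

```python
"""A small `file`-style classifier for ELF binaries.

Added example for this transcript; not from the seminar or the book. The
image built by build_elf32_image() is constructed in memory for the
demonstration: a valid ELF header and program header table with no code,
not a runnable program. "stripped" is not reported because that needs the
section header table, which the constructed image does not carry.
"""
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
ET_EXEC, EM_386 = 2, 3
E_TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core file"}
MACHINES = {3: "Intel 80386", 40: "ARM", 62: "x86-64", 183: "ARM aarch64"}
OSABIS = {0: "SYSV", 3: "Linux"}

def parse_elf(data):
    """Decode the ELF identification bytes, header and program header types."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unknown ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"
    # Fields after e_ident: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    fmt = "HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH"
    fields = struct.unpack_from(endian + fmt, data, 16)
    e_type, e_machine, e_version, _entry, e_phoff = fields[:5]
    e_phentsize, e_phnum = fields[8], fields[9]
    ptypes = []
    for i in range(e_phnum):                # p_type is the first word of every program header
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("program header table runs past end of image")
        ptypes.append(struct.unpack_from(endian + "I", data, off)[0])
    # file(1) says "dynamically linked" when a PT_INTERP segment names a loader
    linking = "dynamically linked" if PT_INTERP in ptypes else "statically linked"
    return {"class": "32-bit" if ei_class == 1 else "64-bit",
            "data": "LSB" if ei_data == 1 else "MSB",
            "type": E_TYPES.get(e_type, "type 0x%x" % e_type),
            "machine": MACHINES.get(e_machine, "machine 0x%x" % e_machine),
            "version": e_version, "osabi": OSABIS.get(ei_osabi, "OSABI %d" % ei_osabi),
            "linking": linking, "segment_types": ptypes}

def describe(data):
    """One line in the style of file(1)."""
    i = parse_elf(data)
    return "ELF %s %s %s, %s, version %d (%s), %s" % (
        i["class"], i["data"], i["type"], i["machine"], i["version"], i["osabi"], i["linking"])

def build_elf32_image(dynamic):
    """Constructed ELF32 LSB i386 executable: header plus program headers only, no code."""
    phdrs = [(PT_LOAD, 0, 0x08048000, 0x08048000, 0, 0, 5, 0x1000)]
    if dynamic:   # a dynamically linked binary carries PT_INTERP and PT_DYNAMIC segments
        phdrs = [(PT_INTERP, 0, 0, 0, 0, 0, 4, 1), (PT_DYNAMIC, 0, 0, 0, 0, 0, 6, 4)] + phdrs
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 3]) + b"\0" * 8     # ELFCLASS32, LSB, version 1, Linux ABI
    # Program headers start right after the 52-byte header; each is 32 bytes
    ehdr = struct.pack("<HHIIIIIHHHHHH", ET_EXEC, EM_386, 1, 0x08048000,
                       52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return e_ident + ehdr + b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs)

if __name__ == "__main__":
    print("Z:", describe(build_elf32_image(dynamic=False)))
    print("zap_out:", describe(build_elf32_image(dynamic=True)))
```

On a real binary, read the file with open(path, "rb").read() and pass it to describe(); the program header scan is the same one file(1) performs to decide between "statically linked" and "dynamically linked".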
  • 8. File Analysis (contd).
    [root@conan zap]# strings -a Z
    This command shows if the file is compressed with UPX. Sample output (excerpt):
    Linux
    $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    $Id: UPX 1.24 Copyright (C) 1996-2002 the UPX Team. All Rights Reserved. $
    UWVSQR
  • 9. File Analysis (contd). The following command decompresses (unpacks) the suspect file and stores the output in the file named foo:
    [root@conan zap]# upx -d Z -o foo
    Output:
    Ultimate Packer for eXecutables
    Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002
    UPX 1.24   Markus F.X.J. Oberhumer, Laszlo Molnar   Nov 7th 2002
        File size         Ratio      Format      Name
    --------------------   ------   -----------   -----------
      13160 <-   7423    56.40%    linux/386     foo
  • 10. File Analysis (contd). We can now run the following commands again:
    - file Z
    - strings -a foo
  • 11. Static Analysis of a Hacker Tool. Static analysis is tool analysis performed without actually executing the rogue code. It involves the following steps:
    1. Determine the type of file
    2. Review the ASCII and Unicode strings
    3. Perform online research
    4. Perform source code review
  • 12. Determining the Type of File. Common file types include: Windows 95/98/NT/2000/XP executable or dynamically linked library (DLL); Linux a.out/elf/script; Solaris a.out/elf/script; DOS 32-bit COFF; DOS 16-bit .com file; DOS 16-bit executable; Atari ST/TT.
  • 13. Using the Unix File Command. The standard command for determining a file type on Unix systems is file.
    [root@conan zap]# file *
  • 14. Using the Windows Exetype Command. The Windows equivalent of the file command is the NT Resource Kit tool exetype. It recognizes fewer file types than the file command.
  • 15. Reviewing the ASCII and Unicode Strings. Basic static analysis of object code involves examining the ASCII-formatted strings of the binary file. The strings command has the following syntax:
    strings -a filename
    This command line will display all ASCII strings contained in the object code that are four characters or longer.
  • 16. Hex Editors. When all analysis fails, the hex editor is our friend. However, when performing static tool analysis, the hex editor is only slightly better than the strings command. It allows you to see Unicode and ASCII strings within a file at the same time.
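Slides 8, 15 and 16 rely on strings -a to expose the UPX banner and on a hex editor to see the Unicode (UTF-16LE) strings that strings -a skips, because every second byte is a NUL. The following Python script is an added example, not code from the seminar or the book: it extracts printable ASCII runs of four or more characters the way strings does, extracts UTF-16LE runs the same way, and checks for the UPX banner text and the "UPX!" header magic. The byte blob it scans is constructed for the demonstration; the kernel32.dll and UPX strings are placed in it only to exercise the extractor.

```python
"""ASCII and Unicode (UTF-16LE) string extraction with a UPX check.

Added example for this transcript; not from the seminar or the book. SAMPLE
is a constructed byte blob standing in for a packed binary; the kernel32.dll
and UPX strings in it are placed there to exercise the extractor.
"""
import re

MIN_LEN = 4   # strings(1) default: runs of four or more printable characters

def ascii_strings(data, min_len=MIN_LEN):
    """Printable ASCII runs (space through '~', plus tab), like strings -a."""
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def unicode_strings(data, min_len=MIN_LEN):
    """UTF-16LE runs: each printable ASCII byte followed by a NUL, as a hex editor shows them."""
    pattern = rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]

# The banner UPX writes into packed files (see slide 8) and the magic of UPX's own header
UPX_MARKERS = (b"$Info: This file is packed with the UPX executable packer", b"$Id: UPX", b"UPX!")

def upx_indicators(data):
    """Markers found in the blob; an empty list means no UPX signature was seen."""
    return [m.decode("ascii") for m in UPX_MARKERS if m in data]

def report(data, min_len=MIN_LEN):
    return {"ascii": ascii_strings(data, min_len), "unicode": unicode_strings(data, min_len),
            "upx": upx_indicators(data)}

SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8                 # ELF ident: "ELF" is too short to report
    + b"Linux\x00"
    + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\x00"
    + b"\x90\x90\x31\xc0"                                    # a few code bytes
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"       # invisible to plain strings
    + b"UWVSQR\x00"                                          # the six-byte run seen on slide 8
    + b"ab\x03"                                              # too short to report
    + b"UPX!"                                                # UPX header magic
)

if __name__ == "__main__":
    for key, values in report(SAMPLE).items():
        print(key)
        for v in values:
            print("   ", v)
```

The same two regular expressions applied to a real file give you in one pass what slide 16 says takes a hex editor: the ASCII strings and the UTF-16 strings side by side. An empty upx list does not prove the file is unpacked, only that this particular banner is absent.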
  • 17. Performing Online Research. Perform online research to determine if the tool is publicly available on computer security or hacker sites. Compare any online tools identified with the tool you are analyzing. If the tool is not publicly available, then you will need to decompile the file to analyse its functions.
  • 18. Performing Source Code Review. With the source code available to you for review, you will be capable of determining exactly what a rogue program does. Performing source code review requires working knowledge of the programming language used to create the tool. Most popular exploits and tools are found in ANSI C and Microsoft Visual Basic scripting, so you should become familiar with these formats.
  • 19. Dynamic Analysis of a Hacker Tool. In dynamic analysis, you execute rogue code and interpret its interaction with the host operating system. This can be dangerous on your forensic workstation. Our methodology includes the following tasks:
    - Monitor the time/date stamps to determine what files a tool affects.
    - Run the program to intercept its system calls.
    - Perform network monitoring to determine if any network traffic is generated.
    - Monitor how Windows-based executables interact with the Registry.
  • 20. Creating the Sandbox Environment.
    - Get the operating system and architecture necessary to execute the object code properly.
    - Install VMware on your test system.
    - Turn on the Nonpersistent write option in the configuration settings.
    - Make sure that the test system is not connected to the Internet; execute rogue code on a closed network.
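The first task on slide 19 is to use time/date stamps to learn which files a tool affects. One way to do that inside the sandbox of slide 20 is to snapshot the file system before and after running the suspect program and diff the two. The Python script below is an added example, not code from the seminar or the book: snapshot() records size, modification time and SHA-256 for every regular file under a directory, and diff_snapshots() reports files created, deleted, modified, or merely touched (same content, different timestamp). The "run the suspect program" step is simulated by demo(), which edits files in a temporary directory so the whole thing runs offline; the tree layout and file names are constructed for the demonstration.

```python
"""Before/after file-system snapshots for dynamic tool analysis.

Added example for this transcript; not from the seminar or the book. The
suspect program is simulated: demo() edits files in a temporary directory
between the two snapshots, so everything here runs offline. The tree layout
and file names are constructed for the demonstration.
"""
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to (size, mtime_ns, sha256)."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):            # skip sockets, fifos, dangling symlinks
                continue
            st = os.stat(full)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = (st.st_size, st.st_mtime_ns, digest.hexdigest())
    return entries

def diff_snapshots(before, after):
    """Classify every path as created, deleted, modified (content) or touched (timestamp only)."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p][2] != after[p][2]),
        # Same content but a different mtime: a touch or a timestamp reset is still worth knowing
        "touched": sorted(p for p in common
                          if before[p][2] == after[p][2] and before[p][1] != after[p][1]),
    }

def _write(root, rel, data, mode="wb"):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as fh:
        fh.write(data)

def demo():
    """Build a constructed tree, snapshot it, simulate a tool's side effects, snapshot again, diff."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("etc/motd", b"welcome\n"), ("var/log/app.log", b"line1\n"),
                          ("tmp/old", b"x"), ("usr/bin/tool", b"\x7fELF")):
            _write(root, rel, body)
        before = snapshot(root)
        # Simulated side effects of running the suspect program (constructed)
        _write(root, "var/log/app.log", b"line2\n", mode="ab")       # appended to
        _write(root, "tmp/.dropped", b"constructed sample")           # new file
        os.remove(os.path.join(root, "tmp/old"))                      # deleted
        os.utime(os.path.join(root, "etc/motd"), ns=(0, 0))           # timestamp reset, content unchanged
        after = snapshot(root)
        return diff_snapshots(before, after)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind, ", ".join(paths) or "-"))
```

Hashing, not just the timestamp, is what separates "modified" from "touched": a tool that rewrites a file and restores its mtime still shows up under modified, and a file whose timestamp changed without any content change is listed separately rather than hidden.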
  • 21. Dynamic Analysis on a Unix System. Most applications execute in a memory area defined as user space, which is prohibited from accessing computer hardware and resources directly. User applications access these resources by requesting the kernel to perform the operations on their behalf. The user application makes these requests to the kernel via system calls.
  • 22. Using Strace. Unix has a tool that traces the use of system calls by an executed process. The strace command displays information about file access, network access, memory access, and many other system calls that a file makes when it is executed.
    [root@conan zap]# strace -o strace.out ./zapdynamic
    This command line will store the interaction between the zap program and the operating system in a file called strace.out.
  • 23. Sample Output.
    fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
    ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
    write(1, "Error.\n", 7) = 7
    munmap(0x40014000, 4096) = 0
    _exit(7) = ?
  • 24. Examining Strace Output. Look out for the following system calls:
    - The execve call.
    - The brk system calls, which are used to allocate memory for the process.
    - The mmap calls, which map a portion of a file into memory.
    - The fstat call, which obtains information about the file referenced by the file descriptor.
    - The close system calls, which are used to release a file descriptor when the process no longer needs the file or socket referenced.
  • 25. Using Shortcuts with Strace. Search the strace output file for open, read, write, unlink, lstat, socket, and close system calls. A shortcut is to use the option -e trace=file. To display all interactions with a network device, use the option -e trace=network. More combinations are available in the man page for strace. Save a copy of all the data transferred with the -e write option.
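Slides 22 to 25 read strace output by hand and grep it for open, read, write, unlink, socket and close. The following Python script is an added example, not code from the seminar or the book: it parses strace lines into (name, arguments, return value), follows file descriptors from open/socket through read/write/close so that a write(3, ...) is attributed to the path opened as descriptor 3, and summarizes which files were read, written or unlinked, which network endpoints were contacted and which calls failed. select() approximates the -e trace=file and -e trace=network shortcuts. The trace it processes is constructed: it mirrors the slide 23 output with a few added file and network calls, and the paths and the 192.0.2.10 address are sample values.

```python
"""Parse strace output and summarize what a traced process touched.

Added example for this transcript; not from the seminar or the book. The
SAMPLE_TRACE below is constructed: it mirrors the slide 23 output and adds
a few file and network calls so that every branch of the summary is shown.
"""
import re
from collections import defaultdict

# One strace line: optional "[pid N]" / timestamp prefix, then name(args) = ret [errno text]
LINE_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+)?(?:\d+(?:\.\d+)?\s+)?"
    r"(?P<name>[A-Za-z_]\w*)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+|\?)(?P<err>.*)$")

# Rough equivalents of strace's -e trace=file and -e trace=network groups
TRACE_GROUPS = {
    "file": {"execve", "open", "openat", "creat", "stat", "lstat", "access", "unlink",
             "rename", "chmod", "chown", "chdir", "mkdir", "rmdir", "readlink", "truncate"},
    "network": {"socket", "connect", "bind", "listen", "accept", "send", "sendto", "recv",
                "recvfrom", "sendmsg", "recvmsg", "shutdown", "setsockopt", "getsockopt"},
}

def parse_line(line):
    """Return (name, args, ret) for a system-call line, or None for other strace output."""
    m = LINE_RE.match(line.strip())
    return (m.group("name"), m.group("args"), m.group("ret")) if m else None

def first_string_arg(args):
    m = re.match(r'"((?:[^"\\]|\\.)*)"', args)
    return m.group(1) if m else None

def first_int_arg(args):
    m = re.match(r"(-?\d+)", args)
    return int(m.group(1)) if m else None

def select(lines, group):
    """Keep only the lines whose call belongs to the given trace group."""
    out = []
    for line in lines:
        p = parse_line(line)
        if p and p[0] in TRACE_GROUPS[group]:
            out.append(line)
    return out

def summarize(lines):
    fds = {0: "<stdin>", 1: "<stdout>", 2: "<stderr>"}    # fd -> path or "socket"
    s = {"counts": defaultdict(int), "exec": [], "opened": [], "read": set(),
         "written": set(), "unlinked": [], "network": [], "failed": []}
    for line in lines:
        p = parse_line(line)
        if not p:
            continue
        name, args, ret = p
        s["counts"][name] += 1
        if ret.startswith("-"):                 # negative return value: the call failed
            s["failed"].append((name, first_string_arg(args) or first_int_arg(args)))
            continue
        if name == "execve":
            s["exec"].append(first_string_arg(args))
        elif name in ("open", "openat", "creat"):
            path_args = args.split(",", 1)[1].strip() if name == "openat" else args
            path = first_string_arg(path_args)
            fds[int(ret, 0)] = path
            s["opened"].append(path)
            if name == "creat" or any(f in args for f in ("O_WRONLY", "O_RDWR", "O_CREAT")):
                s["written"].add(path)
        elif name == "socket":
            fds[int(ret, 0)] = "socket"
        elif name == "connect":
            m = re.search(r'sin_port=htons\((\d+)\).*?inet_addr\("([^"]+)"\)', args)
            s["network"].append((m.group(2), int(m.group(1))) if m else ("?", 0))
        elif name in ("read", "write"):
            target = fds.get(first_int_arg(args))
            if target and target != "socket":
                s["read" if name == "read" else "written"].add(target)
        elif name == "unlink":
            s["unlinked"].append(first_string_arg(args))
        elif name == "close":
            fds.pop(first_int_arg(args), None)
    return s

SAMPLE_TRACE = """\
execve("./zapdynamic", ["./zapdynamic"], [/* 20 vars */]) = 0
brk(0)                                  = 0x8049680
open("/etc/passwd", O_RDONLY)           = 3
read(3, "root:x:0:0:root:/root:/bin/bash\\n"..., 4096) = 1024
close(3)                                = 0
open("/tmp/.z", O_WRONLY|O_CREAT|O_TRUNC, 0600) = 3
write(3, "\\0\\0\\0\\0"..., 384)           = 384
close(3)                                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
unlink("/var/run/nosuch")               = -1 ENOENT (No such file or directory)
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0
write(1, "Error.\\n", 7)                = 7
_exit(7)                                = ?
+++ exited with 7 +++
""".splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(key, dict(value) if isinstance(value, defaultdict) else value)
```

To use it on the file produced by slide 22, pass open("strace.out").read().splitlines() to summarize(). Following descriptors is the part that matters: by itself a write(3, ...) line says nothing about which file was changed, and a descriptor number is reused as soon as it is closed, as the two open calls in the sample show.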
  • 26. Conducting Analysis Beyond Strace. The strace utility cannot do everything. With strace, you cannot determine what the process is doing once it reads, writes, or receives values from the system calls. You need to resort to techniques such as debugging and decompiling. The debugger will allow you to step through every action a program takes during its execution.
  • 27. Recompile the GNU Binutils Package. The binutils package is installed on most versions of Linux, but it is built to recognize a small number of object file types. Tools in the precompiled binutils package may build, view, disassemble, and otherwise alter a handful of Linux native executable files. Recompile the package with ./configure --enable-targets=all.
  • 28. Dynamic Analysis on a Windows System. You execute the rogue code and use utilities to watch how the rogue process interacts with the file system, the Registry, application programming interfaces (APIs), and the operating system. For dynamic tool analysis of Windows applications, we use Filemon, Regmon, ListDLLs, Fport, and PsList. Filemon, Regmon, ListDLLs, and PsList can be obtained from http://www.sysinternals.com
  • 29. Using Filemon. The Filemon utility (from the Sysinternals web site) provides a wiretap between running processes and the file system. It intercepts all access and queries a process makes to the file system. You can determine all of the files the program reads, writes to, and accesses to perform its unknown activity.
  • 30. (Screenshot slide.)
  • 31. Using Regmon. Regmon taps a process’s interaction with the Windows Registry. Some programs query, enumerate, and close more than 950 Registry keys upon execution. Regmon allows you to enter filters to focus your analysis on relevant entries. It provides immediate access to the Registry Editor (regedit), and it provides a simple interface to monitor which programs write startup entries in the Registry and which programs query the network hardware in order to generate or receive network traffic.
  • 32. (Screenshot slide.)
  • 33. Using ListDLLs. ListDLLs is available in the NT/2000 Resource Kit. It shows all of the DLLs needed by a process and enumerates the full pathnames of the DLLs loaded by the process. ListDLLs is helpful for detecting applications that have been modified (injected) with extra functionality. Viewing which DLLs the program is using may allow you to detect if the application is interacting with the network services at an API level or if it is attempting to bypass them. It works on programs that are currently running.
  • 34. Using Fport and PsList. Fport and PsList are critical tools for dynamic analysis on a Windows system. Fport should be used prior to and after executing a rogue process to determine if the rogue process opened any network sockets. PsList is useful to determine if a process changes its process name after execution.
  • 35. (Screenshot slide.)
  • 36. (Screenshot slide.)
  • 37. Conducting Further Analysis on Windows. The tools described in this chapter provide the first level of analysis; more comprehensive techniques are available. Decompiling and debugging are the next steps, using IDA Pro (an interactive disassembler) and SoftICE (a source-level debugger). They can be obtained at:
    IDA Pro: http://www.datarescue.com
    SoftICE: http://www.compuware.com/products/devpartner/softice