SlideShare uma empresa Scribd logo

(in)Secure Secret Zone

Reality Net System Solutions
Reality Net System Solutions

The Samsung, now Seagate, SecretZone (SSZ) is a software program that protects personal information by creating a secure, password-­‐protected folder on the Samsung external drive. This software is provided free along with Samsung devices, as for example a M series device, and can only be used with such devices. This presentation will share two real DF cases where such tool was used by the suspects to hide their data, and how these cases were handled to overcome such protection. Moreover a major flaw in the SSZ implementation will be addressed, which allows to easily decrypt the whole "secret zone", despite the strong algorithms used (AES, Blowfish).

Tecnologia
1 de 36
Baixar para ler offline
S(un)SZ Samsung (un) Secret Zone SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
what is it? SSZ (Samsung, now Seagate, Secret Zone is “a software program that protects personal information by creating a secure, password-protected folder on the Samsung external drive.” [http://www.seagate.com/gb/en/support/downloads/item/samsung-secretzone-master-dl/] • A software... • Secure... (well, you can’t simply say that) • Folder? Ancient versions, maybe... SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
the software program • The software if provided as free tool with Samsung/Seagate/Maxtor portable devices (e.g. the M3 USB disk) SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
executing Portable SecretZone SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
popcorns incoming SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
where the secured data is? Please show me the hidden and the system files! SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
msr files and vi.dat vi.dat seguro.msr SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
demo results • Indeed, when unlocked, it does create a virtual disk (usually NTFS) which uses an encrypted file to read/write data. • The encrypted file (container) is stored on the Samsung (Seagate/Maxtor) device. • Who said Truecrypt? SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
demo results • Anyway the data looks like it’s encrypted… • … as specified in the user manual • http://www.seagate.com/files/www-content/support- content/documentation/samsung/downloads/ENG_Samsung%20SecretZ one%20User%20Manual%20Ver%202.0.pdf • “ […] Have the confidence that your data is secured using software-based 128-bit AES, 256-bit AES, or Blowfish 448 encryption. You can think of Samsung SecretZone as a safe within your computer. […]” SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
cool but... why bother? • I have no statistics... • ... but SSZ does not seem widely used • So, why bother? • Because I had to • During two criminal cases • So, how could a DFir guy handle it? SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
hurry up! the 1st SSZ case SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
the hurry up case • A domestic violence case • I was asked from the Prosecutor to analyze the suspect’s seized devices • Four pc / laptops and many USB devices • guess one of them was a Samsung pendrive? • I focused on the pc / laptops for chat / emails / web artifacts • Searching for evidences of personal threats • No evidences • Did not spot anything useful on USB devices too. BUT… SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
check the checklist! • I have a checklist of steps to do for such cases • One of them is to check for encrypted files (known formats) • One is the entropy check • to spot encryption or weird-ness • Cool, but I did not update the checklist for every devices • I did not perform entropy test on a Samsung USB pendrive • When I realized that, one day before the milestone, I did it… SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
ODI! • “OMG, what is that (high) entropy on that 4GB msr file?” • This is how I discovered the existence of SSZ… • How to decrypt an unknown uber-secure safe? • Googling? Just the manual and complains… • ODI (Offensive Digital Investigation)! • To access protected data/system • To “exploit” passwords re-use or their schema • See “ReVaulting! Decryption and opportunities” - LSA secrets - hiberfil - System’s secrets (dpapi) - (maybe) rainbow table attack on NTLM - Apps’ credentials (LaZagne style!) - User’s credentials / vaults - … whatever can be achieved in predetermined time… - LSA secrets - hiberfil - System’s secrets (dpapi) - (maybe) rainbow table attack on NTLM - Apps’ credentials (LaZagne style!) - User’s credentials / vaults - … whatever can be achieved in predetermined time… SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
minidumps • I got a bunch of good credentials from the suspect’s system • And two juicy minidumps of the (installed) SecretZone! • %LOCALAPPDATA%CrashDumps • %SYSTEMROOT%Minidump • Strings on the minidumps • grep to see if the password candidates were there • to order the candidates SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
the need of a Samsung device • Is it possible then a dictionary attack? … Yes.. By hand! • Internals unknown… no automation • Need to use the SSZ software… with a Samsung device • Could we use the original devide? Guess not… • Tic tac tic tac… • I had an expendable pendrive and an expendable PC • The former for changing its Pid & Vid • Both annihilated after - using a write blocker… effectively blocked… not working - fast patching SSZ crashed it… more time needed - using a write blocker… effectively blocked… not working - fast patching SSZ crashed it… more time needed SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
finally the data! • The suspect re-used one of his Windows login passwords • By the way one of his email accounts passwords (source: his Thunderbird) • What did I find? … suspence … • Just music! • It looks like he just did a test • Files timestamps • Files looked legit • Not proud but finally I did it. SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
(a word about ODI) • ODI could work • Just remember we are working post-mortem • OS must expose something • Still it needs some “wrong” user behavior • Password re-use, schemas, etc. • The 500 Encrypted Archives case • The FDE (Luks) case • Never give up! SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
the spy case the 2st SSZ case SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
the spy case • Well, not real a 007 case… The suspect was charged with taking photo and video of his neighbors… without them knowing. • Basically he was spying on the female neighbors. • When he was discovered LE was involved. • One of the seized device was a M3 Samsung USB disk • This time I immediately spot a 200GB MSR file… • … with enough time to work on it. SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
automatic cracking • The goal was to understand how encryption was used • To make possible automatic cracking • with our ripper friend john, hashcat, whatever • Virtual disk… a driver should be in place • Expect a user-land application with one driver at least • My first hypothesis was to work on the userland, but first… SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
who did it? Portable SecretZone version Certificate: Data: Version: 3 (0x2) Serial Number: 7c:12:97:b5:46:91:be:5c:26:6e:74:3a:7c:a2:18:bf Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=Thawte, Inc., CN=Thawte Code Signing CA - G2 Validity Not Before: May 5 00:00:00 2012 GMT Not After : May 5 23:59:59 2013 GMT Subject: C=KR, ST=SEOUL, L=Seocho-gu, O=Clarus, Inc., CN=Clarus, Inc. Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) [...] X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 CRL Distribution Points: Full Name:URI:http://cs-g2-crl.thawte.com/ThawteCSG2.crl X509v3 Extended Key Usage: Code Signing, Microsoft Commercial Code Signing 2.5.29.4: [...] Authority Information Access: OCSP - URI:http://ocsp.thawte.com Netscape Cert Type: Object Signing Signature Algorithm: sha1WithRSAEncyption [...] SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
clarus www.clarussoft.com (Korean, default) www.clarussoft.com (English language) SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
the drivers mdf16.sys filter driver x86 mvd23.sys virtual disk driver x86 mdf16.sys filter driver x64 mvd23.sys virtual disk driver x64 Note: different drivers versions depending on the main exe version (es: mvd22.sys) Note: different drivers versions depending on the main exe version (es: mvd22.sys) SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
the kernel path Error message Error reporting • These drivers are full of useful error messages • Many clues of what routines will do • So I started looking at drivers, IOCTL first SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
the mvdnn driver • From the error messages, is clear that great part of the job is done by the virtual disk driver • Creation of the container, mounting, setting password id (?), AES and BlowFish algorithms etc. • So I started looking at the driver, which did look promising • Both static analysis and kernel debugging IOCTL_MVD_CREATE_VOLUME IOCTL_MVD_DELETE_VOLUME IOCTL_MVD_CONNECT_VOLUME IOCTL_MVD_DISCONNECT_VOLUME IOCTL_MVD_GET_VOLUME_COUNT IOCTL_MVD_GET_VOLUME_INFO IOCTL_MVD_GET_ALL_VOLUME_INFO IOCTL_MVD_GET_VOLUME_MSR_INFO IOCTL_MVD_CREATE_SYMLINK IOCTL_MVD_DELETE_SYMLINK IOCTL_MVD_SET_TIMER IOCTL_MVD_GET_IDPASS IOCTL_MVD_SET_IDPASS IOCTL_MVD_SET_VOLUME_REMOVED IOCTL_MVD_WRITE_IMAGE_FILE IOCTL_MVD_READ_IMAGE_FILE IOCTL_MVD_RESET_VOLUME_SIZE IOCTL_MVD_SET_FILE_INFO IOCTL_MVD_SET_VALID_DATA IOCTL_MVD_SET_VALID_DATA_DEV IOCTL_MVD_SET_IMAGE_PWD IOCTL_MVD_GET_IMAGE_VERSION IOCTL_MVD_UPDATE_VERSION0 IOCTL_MVD_ADD_MSR_LIST IOCTL_MVD_OPEN_EVENT IOCTL_MVD_CLOSE_EVENT IOCTL_MVD_CREATE_EVENT IOCTL_MVD_MOUNTMGR_MOUNT IOCTL_MVD_MOUNTMGR_DISMOUNT …. IOCTL_MVD_CREATE_VOLUME IOCTL_MVD_DELETE_VOLUME IOCTL_MVD_CONNECT_VOLUME IOCTL_MVD_DISCONNECT_VOLUME IOCTL_MVD_GET_VOLUME_COUNT IOCTL_MVD_GET_VOLUME_INFO IOCTL_MVD_GET_ALL_VOLUME_INFO IOCTL_MVD_GET_VOLUME_MSR_INFO IOCTL_MVD_CREATE_SYMLINK IOCTL_MVD_DELETE_SYMLINK IOCTL_MVD_SET_TIMER IOCTL_MVD_GET_IDPASS IOCTL_MVD_SET_IDPASS IOCTL_MVD_SET_VOLUME_REMOVED IOCTL_MVD_WRITE_IMAGE_FILE IOCTL_MVD_READ_IMAGE_FILE IOCTL_MVD_RESET_VOLUME_SIZE IOCTL_MVD_SET_FILE_INFO IOCTL_MVD_SET_VALID_DATA IOCTL_MVD_SET_VALID_DATA_DEV IOCTL_MVD_SET_IMAGE_PWD IOCTL_MVD_GET_IMAGE_VERSION IOCTL_MVD_UPDATE_VERSION0 IOCTL_MVD_ADD_MSR_LIST IOCTL_MVD_OPEN_EVENT IOCTL_MVD_CLOSE_EVENT IOCTL_MVD_CREATE_EVENT IOCTL_MVD_MOUNTMGR_MOUNT IOCTL_MVD_MOUNTMGR_DISMOUNT ….SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
pizza connection? No, volume connection • I isolated an interesting routine I called VolumeConnect • With parameters, but apparently nothing related to a password or to a password derivation • Still, when finished, the volume was accessible! • Weird SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
header decryption • The routine decrypts a sort of an header • First 16KB of the MSR file • Using AES 128 in CBC mode • Guess what? With a fixed key • At least for version 1 & 2 • Version 0 should be cleartext HEADER_KEY = 'x06x42x21x98x03x69x5Ex B1x5Fx40x60x8Cx2Ex36x00 x06' SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
header decryption • But the routine does not stop after parsing the header • The real header starts after 8KB • It does not return back some data from the header, it continues… SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
header decrypted … 00002000: A7 B2 62 5A 00 00 00 00 - 00 C0 FF 3F 00 00 00 00 | bZ ? | 00002010: 01 00 00 00 41 64 6D 69 - 6E 00 00 00 00 00 00 00 | Admin | 00002020: 00 00 00 00 20 D1 3F D3 - 1B 86 81 0D 4C 98 34 0F | ? L 4 | 00002030: 73 BD 84 10 00 02 00 00 - 01 00 00 00 11 7C 00 06 |s | | 00002040: 11 06 0C E0 AB 00 0F 00 - 29 75 02 AD 00 00 00 00 | )u | … magic v2 Volume size (1GB) unknown, just keep an eye on it unknown It’s multiuser, any user can have his own MSR file SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
surprise! • The routine continues and when it finishes, the volume is unlocked • What happens is that the routine will use the previous 16 bytes key (unknown) to decrypt the rest of the volume! • Using AES 128 in ECB mode (default) • Depending on the settings, issue holds … 00002000: A7 B2 62 5A 00 00 00 00 - 00 C0 FF 3F 00 00 00 00 00002010: 01 00 00 00 41 64 6D 69 - 6E 00 00 00 00 00 00 00 00002020: 00 00 00 00 20 D1 3F D3 - 1B 86 81 0D 4C 98 34 0F 00002030: 73 BD 84 10 00 02 00 00 - 01 00 00 00 11 7C 00 06 00002040: 11 06 0C E0 AB 00 0F 00 - 29 75 02 AD 00 00 00 00 SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
put it in action • I did not complete 100% the RE process • Still to look at special cases, different configurations, etc. • E.g. in the Python script on the right, I hardcoded the decryption key position • Didn’t test if it could change due to username length from __future__ import print_function from Crypto.Cipher import AES import sys CHUNK_SIZE = 4096 HEADER_SIZE = 16384 # AES key, for different crypto algorithms, different keys. HEADER_KEY = 'x06x42x21x98x03x69x5ExB1x5Fx40x60x8Cx2Ex36x00x06' def main(): with open(sys.argv[1], 'rb') as input_file: header_enc = input_file.read(HEADER_SIZE) decryptor = AES.new(HEADER_KEY, AES.MODE_CBC, 16 * 'x00') header_dec = decryptor.decrypt(header_enc) body_decryption_key = header_dec[0x203c:0x204C] print('Decoding key: {}'.format(body_decryption_key.encode('hex'))) if len(sys.argv) != 3: print('No output file specified, giving up...') sys.exit(0) decryptor = AES.new(body_decryption_key, AES.MODE_ECB, 16 * '00') with open(sys.argv[2], 'wb') as output_file: while True: chunk_enc = input_file.read(CHUNK_SIZE) if len(chunk_enc) == 0: break chunk_dec = decryptor.decrypt(chunk_enc) output_file.write(chunk_dec) sys.stdout.write('.') sys.stdout.flush() SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
demo time SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
conclusions • 2nd case: • once decrypted the SSZ container I found many images and video • Part of them already recovered from the seized devices • delete files and file carving • The SSZ software made by Clarus “suffers” a major vulnerability • by design? • The password (its derivation) is kept inside the container. • Encrypted data (MSR containers) can be decrypted without knowing the user password! SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
let’s keep in touch Francesco Picasso Reality Net System Solutions @dfirfpi blog.digital-forensics.it https://github.com/dfirfpi SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
Thank you! SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ

Recomendados

The state of the art in iOS Forensics
The state of the art in iOS ForensicsThe state of the art in iOS Forensics
The state of the art in iOS ForensicsReality Net System Solutions
 
Data recovery
Data recoveryData recovery
Data recoverybhaumik_c
 
OpenCard hack (projekt chameleon)
OpenCard hack (projekt chameleon)OpenCard hack (projekt chameleon)
OpenCard hack (projekt chameleon)Tech4 Helper
 
Nand flash memory
Nand flash memoryNand flash memory
Nand flash memoryMohamed Fadel Buffon
 
Computer forensics ppt
Computer forensics pptComputer forensics ppt
Computer forensics pptNikhil Mashruwala
 
Criptografia
CriptografiaCriptografia
CriptografiaCesar Cuamatzi
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
Microsoft Palladium
Microsoft PalladiumMicrosoft Palladium
Microsoft PalladiumSuryakanta Rout
 

Recomendados

The state of the art in iOS Forensics
The state of the art in iOS ForensicsThe state of the art in iOS Forensics
The state of the art in iOS ForensicsReality Net System Solutions
 
Data recovery
Data recoveryData recovery
Data recoverybhaumik_c
 
OpenCard hack (projekt chameleon)
OpenCard hack (projekt chameleon)OpenCard hack (projekt chameleon)
OpenCard hack (projekt chameleon)Tech4 Helper
 
Nand flash memory
Nand flash memoryNand flash memory
Nand flash memoryMohamed Fadel Buffon
 
Computer forensics ppt
Computer forensics pptComputer forensics ppt
Computer forensics pptNikhil Mashruwala
 
Criptografia
CriptografiaCriptografia
CriptografiaCesar Cuamatzi
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
Microsoft Palladium
Microsoft PalladiumMicrosoft Palladium
Microsoft PalladiumSuryakanta Rout
 
Ngs introduction
Ngs introductionNgs introduction
Ngs introductionAlagar Suresh
 
Data recovery
Data recoveryData recovery
Data recoveryAbhinav Parihar
 
Graphics card
Graphics cardGraphics card
Graphics cardPratik Jain
 
Data recovery
Data recoveryData recovery
Data recoverygupta8741
 
Festplattenpräsentation
FestplattenpräsentationFestplattenpräsentation
FestplattenpräsentationVorname Nachname
 
Digital forensics
Digital forensicsDigital forensics
Digital forensicsVidoushi B-Somrah
 
Ch03
Ch03Ch03
Ch03Joe Christensen
 
Mediated+authentication
Mediated+authenticationMediated+authentication
Mediated+authenticationvbha
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic toolsParsons Corporation
 
Digital forensics
Digital forensics Digital forensics
Digital forensics vishnuv43
 
DF Process Models
DF Process ModelsDF Process Models
DF Process ModelsCostas Katsavounidis
 
Hacking with frida
Hacking with fridaHacking with frida
Hacking with fridan|u - The Open Security Community
 
Case study on smart card tech. _Anuj Pawar
Case study on smart card tech. _Anuj PawarCase study on smart card tech. _Anuj Pawar
Case study on smart card tech. _Anuj PawarAnuj Pawar
 
Data recovery slide show
Data recovery slide showData recovery slide show
Data recovery slide showtutannandi
 
SSD - Solid State Drive PPT by Atishay Jain
SSD - Solid State Drive PPT by Atishay JainSSD - Solid State Drive PPT by Atishay Jain
SSD - Solid State Drive PPT by Atishay JainAtishay Jain
 
Capture the flag
Capture the flagCapture the flag
Capture the flagKachkad Narender
 
Jan2016 pac bio giab
Jan2016 pac bio giabJan2016 pac bio giab
Jan2016 pac bio giabGenomeInABottle
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensicsn|u - The Open Security Community
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsSCREAM138
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer ForensicsNeilg42
 
10(?) holiday gifts for the SOC who has everything
10(?) holiday gifts for the SOC who has everything10(?) holiday gifts for the SOC who has everything
10(?) holiday gifts for the SOC who has everythingRyan Kovar
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 

Mais conteúdo relacionado

Mais procurados

Data recovery
Data recoveryData recovery
Data recoverygupta8741
 
Mediated+authentication
Mediated+authenticationMediated+authentication
Mediated+authenticationvbha
 
Digital forensics
Digital forensics Digital forensics
Digital forensics vishnuv43
 
Case study on smart card tech. _Anuj Pawar
Case study on smart card tech. _Anuj PawarCase study on smart card tech. _Anuj Pawar
Case study on smart card tech. _Anuj PawarAnuj Pawar
 
Data recovery slide show
Data recovery slide showData recovery slide show
Data recovery slide showtutannandi
 
SSD - Solid State Drive PPT by Atishay Jain
SSD - Solid State Drive PPT by Atishay JainSSD - Solid State Drive PPT by Atishay Jain
SSD - Solid State Drive PPT by Atishay JainAtishay Jain
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsSCREAM138
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer ForensicsNeilg42
 

Mais procurados (20)

Ngs introduction
Ngs introductionNgs introduction
Ngs introduction
 
Data recovery
Data recoveryData recovery
Data recovery
 
Graphics card
Graphics cardGraphics card
Graphics card
 
Data recovery
Data recoveryData recovery
Data recovery
 
Festplattenpräsentation
FestplattenpräsentationFestplattenpräsentation
Festplattenpräsentation
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Ch03
Ch03Ch03
Ch03
 
Mediated+authentication
Mediated+authenticationMediated+authentication
Mediated+authentication
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
 
DF Process Models
DF Process ModelsDF Process Models
DF Process Models
 
Hacking with frida
Hacking with fridaHacking with frida
Hacking with frida
 
Case study on smart card tech. _Anuj Pawar
Case study on smart card tech. _Anuj PawarCase study on smart card tech. _Anuj Pawar
Case study on smart card tech. _Anuj Pawar
 
Data recovery slide show
Data recovery slide showData recovery slide show
Data recovery slide show
 
SSD - Solid State Drive PPT by Atishay Jain
SSD - Solid State Drive PPT by Atishay JainSSD - Solid State Drive PPT by Atishay Jain
SSD - Solid State Drive PPT by Atishay Jain
 
Capture the flag
Capture the flagCapture the flag
Capture the flag
 
Jan2016 pac bio giab
Jan2016 pac bio giabJan2016 pac bio giab
Jan2016 pac bio giab
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
 

Semelhante a (in)Secure Secret Zone

10(?) holiday gifts for the SOC who has everything
10(?) holiday gifts for the SOC who has everything10(?) holiday gifts for the SOC who has everything
10(?) holiday gifts for the SOC who has everythingRyan Kovar
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.Cyphort
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzDeepanshu Gajbhiye
 
Keith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysisKeith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysisKeith Jones, PhD
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 
Scuttlebutt or how to exit facebook and start coding your first web 3.0 socia...
Scuttlebutt or how to exit facebook and start coding your first web 3.0 socia...Scuttlebutt or how to exit facebook and start coding your first web 3.0 socia...
Scuttlebutt or how to exit facebook and start coding your first web 3.0 socia...Alessandro Confetti
 
D1T3-Anto-Joseph-Droid-FF
D1T3-Anto-Joseph-Droid-FFD1T3-Anto-Joseph-Droid-FF
D1T3-Anto-Joseph-Droid-FFAnthony Jose
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testingMykhailo Antonishyn
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...Area41
 
Hunt for the red DA
Hunt for the red DAHunt for the red DA
Hunt for the red DANeil Lines
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheelsinfodox
 
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summerDEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summerFelipe Prado
 
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Alex Pinto
 
Bsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsBsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsTazdrumm3r
 

Semelhante a (in)Secure Secret Zone (20)

10(?) holiday gifts for the SOC who has everything
10(?) holiday gifts for the SOC who has everything10(?) holiday gifts for the SOC who has everything
10(?) holiday gifts for the SOC who has everything
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritz
 
Keith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysisKeith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysis
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Scuttlebutt or how to exit facebook and start coding your first web 3.0 socia...
Scuttlebutt or how to exit facebook and start coding your first web 3.0 socia...Scuttlebutt or how to exit facebook and start coding your first web 3.0 socia...
Scuttlebutt or how to exit facebook and start coding your first web 3.0 socia...
 
D1T3-Anto-Joseph-Droid-FF
D1T3-Anto-Joseph-Droid-FFD1T3-Anto-Joseph-Droid-FF
D1T3-Anto-Joseph-Droid-FF
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is Hacked
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testing
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
 
Hunt for the red DA
Hunt for the red DAHunt for the red DA
Hunt for the red DA
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheels
 
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summerDEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
 
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
 
Bsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsBsides detroit 2013 honeypots
Bsides detroit 2013 honeypots
 

Mais de Reality Net System Solutions

BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)Reality Net System Solutions
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?Reality Net System Solutions
 
Study and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesStudy and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesReality Net System Solutions
 
Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Reality Net System Solutions
 

Mais de Reality Net System Solutions (12)

BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)
 
Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400
 
iOS Forensics a costo zero
iOS Forensics a costo zeroiOS Forensics a costo zero
iOS Forensics a costo zero
 
Forensicating the Apple TV
Forensicating the Apple TVForensicating the Apple TV
Forensicating the Apple TV
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?
 
Acquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOSAcquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOS
 
Life on Clouds: a forensics overview
Life on Clouds: a forensics overviewLife on Clouds: a forensics overview
Life on Clouds: a forensics overview
 
Study and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesStudy and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android Devices
 
Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets
 
ReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunitiesReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunities
 
Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)
 
Tor Browser Forensics on Windows OS
Tor Browser Forensics on Windows OSTor Browser Forensics on Windows OS
Tor Browser Forensics on Windows OS
 

Último

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 

Último (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 

(in)Secure Secret Zone

  • 1. S(un)SZ Samsung (un) Secret Zone SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 2. what is it? SSZ (Samsung, now Seagate, Secret Zone is “a software program that protects personal information by creating a secure, password-protected folder on the Samsung external drive.” [http://www.seagate.com/gb/en/support/downloads/item/samsung-secretzone-master-dl/] • A software... • Secure... (well, you can’t simply say that) • Folder? Ancient versions, maybe... SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 3. the software program • The software if provided as free tool with Samsung/Seagate/Maxtor portable devices (e.g. the M3 USB disk) SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 4. executing Portable SecretZone SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 5. popcorns incoming SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 6. where the secured data is? Please show me the hidden and the system files! SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 7. msr files and vi.dat vi.dat seguro.msr SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 8. demo results • Indeed, when unlocked, it does create a virtual disk (usually NTFS) which uses an encrypted file to read/write data. • The encrypted file (container) is stored on the Samsung (Seagate/Maxtor) device. • Who said Truecrypt? SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 9. demo results • Anyway the data looks like it’s encrypted… • … as specified in the user manual • http://www.seagate.com/files/www-content/support- content/documentation/samsung/downloads/ENG_Samsung%20SecretZ one%20User%20Manual%20Ver%202.0.pdf • “ […] Have the confidence that your data is secured using software-based 128-bit AES, 256-bit AES, or Blowfish 448 encryption. You can think of Samsung SecretZone as a safe within your computer. […]” SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 10. cool but... why bother? • I have no statistics... • ... but SSZ does not seem widely used • So, why bother? • Because I had to • During two criminal cases • So, how could a DFir guy handle it? SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 11. hurry up! the 1st SSZ case SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 12. the hurry up case • A domestic violence case • I was asked from the Prosecutor to analyze the suspect’s seized devices • Four pc / laptops and many USB devices • guess one of them was a Samsung pendrive? • I focused on the pc / laptops for chat / emails / web artifacts • Searching for evidences of personal threats • No evidences • Did not spot anything useful on USB devices too. BUT… SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 13. check the checklist! • I have a checklist of steps to do for such cases • One of them is to check for encrypted files (known formats) • One is the entropy check • to spot encryption or weird-ness • Cool, but I did not update the checklist for every devices • I did not perform entropy test on a Samsung USB pendrive • When I realized that, one day before the milestone, I did it… SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 14. ODI! • “OMG, what is that (high) entropy on that 4GB msr file?” • This is how I discovered the existence of SSZ… • How to decrypt an unknown uber-secure safe? • Googling? Just the manual and complains… • ODI (Offensive Digital Investigation)! • To access protected data/system • To “exploit” passwords re-use or their schema • See “ReVaulting! Decryption and opportunities” - LSA secrets - hiberfil - System’s secrets (dpapi) - (maybe) rainbow table attack on NTLM - Apps’ credentials (LaZagne style!) - User’s credentials / vaults - … whatever can be achieved in predetermined time… - LSA secrets - hiberfil - System’s secrets (dpapi) - (maybe) rainbow table attack on NTLM - Apps’ credentials (LaZagne style!) - User’s credentials / vaults - … whatever can be achieved in predetermined time… SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 15. minidumps • I got a bunch of good credentials from the suspect’s system • And two juicy minidumps of the (installed) SecretZone! • %LOCALAPPDATA%CrashDumps • %SYSTEMROOT%Minidump • Strings on the minidumps • grep to see if the password candidates were there • to order the candidates SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 16. the need of a Samsung device • Is it possible then a dictionary attack? … Yes.. By hand! • Internals unknown… no automation • Need to use the SSZ software… with a Samsung device • Could we use the original devide? Guess not… • Tic tac tic tac… • I had an expendable pendrive and an expendable PC • The former for changing its Pid & Vid • Both annihilated after - using a write blocker… effectively blocked… not working - fast patching SSZ crashed it… more time needed - using a write blocker… effectively blocked… not working - fast patching SSZ crashed it… more time needed SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 17. finally the data! • The suspect re-used one of his Windows login passwords • By the way one of his email accounts passwords (source: his Thunderbird) • What did I find? … suspence … • Just music! • It looks like he just did a test • Files timestamps • Files looked legit • Not proud but finally I did it. SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 18. (a word about ODI) • ODI could work • Just remember we are working post-mortem • OS must expose something • Still it needs some “wrong” user behavior • Password re-use, schemas, etc. • The 500 Encrypted Archives case • The FDE (Luks) case • Never give up! SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 19. the spy case the 2st SSZ case SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 20. the spy case • Well, not real a 007 case… The suspect was charged with taking photo and video of his neighbors… without them knowing. • Basically he was spying on the female neighbors. • When he was discovered LE was involved. • One of the seized device was a M3 Samsung USB disk • This time I immediately spot a 200GB MSR file… • … with enough time to work on it. SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 21. automatic cracking • The goal was to understand how encryption was used • To make possible automatic cracking • with our ripper friend john, hashcat, whatever • Virtual disk… a driver should be in place • Expect a user-land application with one driver at least • My first hypothesis was to work on the userland, but first… SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 22. who did it? Portable SecretZone version Certificate: Data: Version: 3 (0x2) Serial Number: 7c:12:97:b5:46:91:be:5c:26:6e:74:3a:7c:a2:18:bf Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=Thawte, Inc., CN=Thawte Code Signing CA - G2 Validity Not Before: May 5 00:00:00 2012 GMT Not After : May 5 23:59:59 2013 GMT Subject: C=KR, ST=SEOUL, L=Seocho-gu, O=Clarus, Inc., CN=Clarus, Inc. Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) [...] X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 CRL Distribution Points: Full Name:URI:http://cs-g2-crl.thawte.com/ThawteCSG2.crl X509v3 Extended Key Usage: Code Signing, Microsoft Commercial Code Signing 2.5.29.4: [...] Authority Information Access: OCSP - URI:http://ocsp.thawte.com Netscape Cert Type: Object Signing Signature Algorithm: sha1WithRSAEncyption [...] SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 23. clarus www.clarussoft.com (Korean, default) www.clarussoft.com (English language) SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 24. the drivers mdf16.sys filter driver x86 mvd23.sys virtual disk driver x86 mdf16.sys filter driver x64 mvd23.sys virtual disk driver x64 Note: different drivers versions depending on the main exe version (es: mvd22.sys) Note: different drivers versions depending on the main exe version (es: mvd22.sys) SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 25. the kernel path Error message Error reporting • These drivers are full of useful error messages • Many clues of what routines will do • So I started looking at drivers, IOCTL first SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 26. the mvdnn driver • From the error messages, is clear that great part of the job is done by the virtual disk driver • Creation of the container, mounting, setting password id (?), AES and BlowFish algorithms etc. • So I started looking at the driver, which did look promising • Both static analysis and kernel debugging IOCTL_MVD_CREATE_VOLUME IOCTL_MVD_DELETE_VOLUME IOCTL_MVD_CONNECT_VOLUME IOCTL_MVD_DISCONNECT_VOLUME IOCTL_MVD_GET_VOLUME_COUNT IOCTL_MVD_GET_VOLUME_INFO IOCTL_MVD_GET_ALL_VOLUME_INFO IOCTL_MVD_GET_VOLUME_MSR_INFO IOCTL_MVD_CREATE_SYMLINK IOCTL_MVD_DELETE_SYMLINK IOCTL_MVD_SET_TIMER IOCTL_MVD_GET_IDPASS IOCTL_MVD_SET_IDPASS IOCTL_MVD_SET_VOLUME_REMOVED IOCTL_MVD_WRITE_IMAGE_FILE IOCTL_MVD_READ_IMAGE_FILE IOCTL_MVD_RESET_VOLUME_SIZE IOCTL_MVD_SET_FILE_INFO IOCTL_MVD_SET_VALID_DATA IOCTL_MVD_SET_VALID_DATA_DEV IOCTL_MVD_SET_IMAGE_PWD IOCTL_MVD_GET_IMAGE_VERSION IOCTL_MVD_UPDATE_VERSION0 IOCTL_MVD_ADD_MSR_LIST IOCTL_MVD_OPEN_EVENT IOCTL_MVD_CLOSE_EVENT IOCTL_MVD_CREATE_EVENT IOCTL_MVD_MOUNTMGR_MOUNT IOCTL_MVD_MOUNTMGR_DISMOUNT …. IOCTL_MVD_CREATE_VOLUME IOCTL_MVD_DELETE_VOLUME IOCTL_MVD_CONNECT_VOLUME IOCTL_MVD_DISCONNECT_VOLUME IOCTL_MVD_GET_VOLUME_COUNT IOCTL_MVD_GET_VOLUME_INFO IOCTL_MVD_GET_ALL_VOLUME_INFO IOCTL_MVD_GET_VOLUME_MSR_INFO IOCTL_MVD_CREATE_SYMLINK IOCTL_MVD_DELETE_SYMLINK IOCTL_MVD_SET_TIMER IOCTL_MVD_GET_IDPASS IOCTL_MVD_SET_IDPASS IOCTL_MVD_SET_VOLUME_REMOVED IOCTL_MVD_WRITE_IMAGE_FILE IOCTL_MVD_READ_IMAGE_FILE IOCTL_MVD_RESET_VOLUME_SIZE IOCTL_MVD_SET_FILE_INFO IOCTL_MVD_SET_VALID_DATA IOCTL_MVD_SET_VALID_DATA_DEV IOCTL_MVD_SET_IMAGE_PWD IOCTL_MVD_GET_IMAGE_VERSION IOCTL_MVD_UPDATE_VERSION0 IOCTL_MVD_ADD_MSR_LIST IOCTL_MVD_OPEN_EVENT IOCTL_MVD_CLOSE_EVENT IOCTL_MVD_CREATE_EVENT IOCTL_MVD_MOUNTMGR_MOUNT IOCTL_MVD_MOUNTMGR_DISMOUNT ….SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 27. pizza connection? No, volume connection • I isolated an interesting routine I called VolumeConnect • With parameters, but apparently nothing related to a password or to a password derivation • Still, when finished, the volume was accessible! • Weird SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 28. header decryption • The routine decrypts a sort of an header • First 16KB of the MSR file • Using AES 128 in CBC mode • Guess what? With a fixed key • At least for version 1 & 2 • Version 0 should be cleartext HEADER_KEY = 'x06x42x21x98x03x69x5Ex B1x5Fx40x60x8Cx2Ex36x00 x06' SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 29. header decryption • But the routine does not stop after parsing the header • The real header starts after 8KB • It does not return back some data from the header, it continues… SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 30. header decrypted … 00002000: A7 B2 62 5A 00 00 00 00 - 00 C0 FF 3F 00 00 00 00 | bZ ? | 00002010: 01 00 00 00 41 64 6D 69 - 6E 00 00 00 00 00 00 00 | Admin | 00002020: 00 00 00 00 20 D1 3F D3 - 1B 86 81 0D 4C 98 34 0F | ? L 4 | 00002030: 73 BD 84 10 00 02 00 00 - 01 00 00 00 11 7C 00 06 |s | | 00002040: 11 06 0C E0 AB 00 0F 00 - 29 75 02 AD 00 00 00 00 | )u | … magic v2 Volume size (1GB) unknown, just keep an eye on it unknown It’s multiuser, any user can have his own MSR file SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 31. surprise! • The routine continues and when it finishes, the volume is unlocked • What happens is that the routine will use the previous 16 bytes key (unknown) to decrypt the rest of the volume! • Using AES 128 in ECB mode (default) • Depending on the settings, issue holds … 00002000: A7 B2 62 5A 00 00 00 00 - 00 C0 FF 3F 00 00 00 00 00002010: 01 00 00 00 41 64 6D 69 - 6E 00 00 00 00 00 00 00 00002020: 00 00 00 00 20 D1 3F D3 - 1B 86 81 0D 4C 98 34 0F 00002030: 73 BD 84 10 00 02 00 00 - 01 00 00 00 11 7C 00 06 00002040: 11 06 0C E0 AB 00 0F 00 - 29 75 02 AD 00 00 00 00 SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 32. put it in action • I did not complete 100% the RE process • Still to look at special cases, different configurations, etc. • E.g. in the Python script on the right, I hardcoded the decryption key position • Didn’t test if it could change due to username length from __future__ import print_function from Crypto.Cipher import AES import sys CHUNK_SIZE = 4096 HEADER_SIZE = 16384 # AES key, for different crypto algorithms, different keys. HEADER_KEY = 'x06x42x21x98x03x69x5ExB1x5Fx40x60x8Cx2Ex36x00x06' def main(): with open(sys.argv[1], 'rb') as input_file: header_enc = input_file.read(HEADER_SIZE) decryptor = AES.new(HEADER_KEY, AES.MODE_CBC, 16 * 'x00') header_dec = decryptor.decrypt(header_enc) body_decryption_key = header_dec[0x203c:0x204C] print('Decoding key: {}'.format(body_decryption_key.encode('hex'))) if len(sys.argv) != 3: print('No output file specified, giving up...') sys.exit(0) decryptor = AES.new(body_decryption_key, AES.MODE_ECB, 16 * '00') with open(sys.argv[2], 'wb') as output_file: while True: chunk_enc = input_file.read(CHUNK_SIZE) if len(chunk_enc) == 0: break chunk_dec = decryptor.decrypt(chunk_enc) output_file.write(chunk_dec) sys.stdout.write('.') sys.stdout.flush() SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 33. demo time SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 34. conclusions • 2nd case: • once decrypted the SSZ container I found many images and video • Part of them already recovered from the seized devices • delete files and file carving • The SSZ software made by Clarus “suffers” a major vulnerability • by design? • The password (its derivation) is kept inside the container. • Encrypted data (MSR containers) can be decrypted without knowing the user password! SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 35. let’s keep in touch Francesco Picasso Reality Net System Solutions @dfirfpi blog.digital-forensics.it https://github.com/dfirfpi SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ
  • 36. Thank you! SANS DFIR Summit Prague 10.2017 - @dfirfpi on SunSZ