A Survey on Linux Volatile Memory
Forensic Techniques
Suba Surianarayanan
suba.suri@gmail.com

Dr. V. Uma Maheswari
umam_in@yahoo.com

College Of Engineering, Chennai
Anna University
INTRODUCTION

Various threats to a Linux machine

- Loadable kernel modules
- Directly accessible kernel memory in some versions of Linux
  - /dev/kmem

Volatile Memory Forensics

- Volatile memory – evidence gathered from RAM
- Hidden malware
- Live techniques – based on in-built utilities or tools
  - Disadvantage: they leave a footprint on the memory image
- Linux – LKM and direct kernel memory access
  - in-built utilities like ps (process enumeration) are unreliable and untrustworthy
- Static techniques – capture the state of the system during seizure

Linux Volatile Memory Forensics - Challenges

- Numerous builds and versions – challenges the applicability of techniques
- Kernel structure changes between versions
- Security vulnerabilities – LKM and direct access of /dev/kmem

Research directions

- Exploring kernel vulnerabilities
- Detection of malware and rootkits based on volatile memory analysis
- Emulation of kernel utilities
- Reverse engineering data structures from executables, behavioral analysis etc.

Deriving Kernel data structures

- Reverse engineering kernel data structures from the executable [10]
- Graph-based signatures (pointer-pattern based) [11]
- Utilization of debugging information [5]
- Simulation of utilities based on kernel structures [13]
- Understanding kernel data structures forms the core of volatile memory forensics – e.g. it enables detection of hidden processes [9], [15], [16], [17]

Detecting hidden Processes: Kernel structures

[Diagram: task_struct instances are chained in a circular doubly linked list via next/prev; from one task_struct the chain files -> files_struct -> fd_array -> file -> f_path -> dentry -> d_inode -> inode leads to each open file]

Detecting hidden Processes: Kernel structures

Structure        Description
task_struct      Current state of a process
mm_struct        Pages owned by a process; memory sections – begin and end addresses
vm_area_struct   Access permissions
files_struct     Files, pipes, sockets opened by a process
dentry           Directory information
inode            Includes file MAC times
address_space    Radix tree that holds the pages of a process together
page_struct      Index into page file
file             Representation of each open file, socket etc.
inet_sock        Protocol-specific information

Detecting hidden Processes:
Kernel structures (Kernel 2.6.32)
struct task_struct {
    [0] volatile long int state;
    [4] void *stack;
    [8] atomic_t usage;
   [12] unsigned int flags;
   [16] unsigned int ptrace;
   [20] int lock_depth;
   [24] int prio;
   [28] int static_prio;
   [32] int normal_prio;
   [36] unsigned int rt_priority;
   [40] const struct sched_class *sched_class;
   [44] struct sched_entity se;
  [376] struct sched_rt_entity rt;
  [412] struct hlist_head preempt_notifiers;
  [416] unsigned char fpu_counter;
  [420] unsigned int btrace_seq;
  [424] unsigned int policy;
  [428] cpumask_t cpus_allowed;
  [432] struct sched_info sched_info;
  [464] struct list_head tasks; // Circular linked list of processes: tasks.next and tasks.prev
   …
   [3248] struct memcg_batch_info memcg_batch;
}
SIZE: 3264
Detecting hidden Processes: Requirements for Volatile memory analysis

- Uncompressed kernel build – vmlinux
- Kernel debugger
- System.map
- Memory dump file

How to obtain the uncompressed kernel? (Redhat versions)

- Download the kernel build for the same version
- Kernel-debuginfo
- System.map

Identifying socket files from kernel structures:

- struct file.f_op = socket_file_ops
- struct file.f_path -> dentry.d_op = sockfs_dentry_operations
- The static addresses of these two symbols can be obtained from System.map

Detecting hidden Processes

- Traverse the circularly linked task list and compare with the corresponding mm_struct list
- Brute-force detection based on task_struct field signatures
- Slab and slub allocator – kmem_cache list

Locating Kernel structures from Memory Dump

Types of data structures
(1) Static
(2) Dynamic

Locating static data structures
- Using the System.map file
- Contains the name and address of every static data structure in the kernel
- Created during the kernel build process using nm on the compiled vmlinux file

Locating dynamic data structures
- Derive from static data structures

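Putting the System.map lookup and the two process views together: an added example (not from the slides or any cited paper) that resolves init_task from a constructed System.map excerpt, walks the circular tasks list in a constructed 32-bit 2.6.32-style dump and cross-checks it against a brute-force task_struct signature scan, so a DKOM-unlinked task shows up as hidden. The struct size and field offsets are the slides' own; PAGE_OFFSET, THREAD_SIZE, the signature constraints and the dump contents are assumptions.

```python
import struct

PAGE_OFFSET = 0xC0000000   # assumed x86-32 lowmem mapping: phys = virt - PAGE_OFFSET
THREAD_SIZE = 0x2000       # assumed 8 KiB kernel stacks; task->stack is THREAD_SIZE aligned
TASK_SIZE = 3264           # sizeof(struct task_struct), kernel 2.6.32 (from the slides)
# Field offsets from the slides' task_struct listing (kernel 2.6.32, 32-bit).
OFF_STATE, OFF_STACK, OFF_USAGE = 0, 4, 8
OFF_PRIO, OFF_STATIC_PRIO, OFF_NORMAL_PRIO = 24, 28, 32
OFF_TASKS = 464            # struct list_head tasks { next, prev }

# Constructed System.map excerpt; the addresses are invented for this example.
SYSTEM_MAP = """\
c0004000 D init_task
c0100000 T _text
"""

def load_system_map(text):
    """Return {symbol: address} from System.map lines of the form 'addr type name'."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            syms[parts[2]] = int(parts[0], 16)
    return syms

def read_u32(img, vaddr):
    """Little-endian 32-bit read at a kernel virtual address; None if outside the dump."""
    phys = vaddr - PAGE_OFFSET
    if phys < 0 or phys + 4 > len(img):
        return None
    return struct.unpack_from("<I", img, phys)[0]

def looks_like_task(img, vaddr):
    """Simplified task_struct field signature (assumed constraints): small state bitmask,
    THREAD_SIZE-aligned kernel stack pointer, positive refcount, priorities in 0..139
    (static_prio 100..139) and list pointers into kernel space.  List consistency is
    deliberately not required, so an unlinked task still matches."""
    fields = [read_u32(img, vaddr + off) for off in
              (OFF_STATE, OFF_STACK, OFF_USAGE, OFF_PRIO, OFF_STATIC_PRIO,
               OFF_NORMAL_PRIO, OFF_TASKS, OFF_TASKS + 4)]
    if None in fields:
        return False
    state, stack, usage, prio, sprio, nprio, nxt, prv = fields
    return (state < 0x400
            and stack >= PAGE_OFFSET and stack % THREAD_SIZE == 0
            and 0 < usage < 0x10000
            and prio <= 139 and 100 <= sprio <= 139 and nprio <= 139
            and nxt >= PAGE_OFFSET and prv >= PAGE_OFFSET)

def walk_task_list(img, init_task):
    """View 1: follow tasks.next around the circular list until it returns to init_task."""
    found = []
    node = init_task + OFF_TASKS
    while node - OFF_TASKS not in found:
        found.append(node - OFF_TASKS)
        node = read_u32(img, node)
        if node is None:          # pointer leaves the dump: the list is damaged
            break
    return found

def scan_task_structs(img):
    """View 2: test the signature at every 4-byte-aligned offset of the dump."""
    return [PAGE_OFFSET + p for p in range(0, len(img) - TASK_SIZE + 1, 4)
            if looks_like_task(img, PAGE_OFFSET + p)]

def find_hidden_tasks(img, syms):
    """task_struct addresses present in the scan but absent from the list walk (DKOM)."""
    linked = set(walk_task_list(img, syms["init_task"]))
    return sorted(t for t in scan_task_structs(img) if t not in linked)

def _put_task(img, vaddr, state, prio, nxt, prv, stack):
    """Write just the fields the signature inspects into the constructed image."""
    base = vaddr - PAGE_OFFSET
    for off, val in ((OFF_STATE, state), (OFF_STACK, stack), (OFF_USAGE, 2),
                     (OFF_PRIO, prio), (OFF_STATIC_PRIO, prio), (OFF_NORMAL_PRIO, prio),
                     (OFF_TASKS, nxt + OFF_TASKS), (OFF_TASKS + 4, prv + OFF_TASKS)):
        struct.pack_into("<I", img, base + off, val)

def build_sample_dump():
    """Constructed 48 KiB image: init_task plus tasks A, B and C, where C has been
    unlinked from the tasks list the way a DKOM rootkit hides a process."""
    init, a, b, c = 0xC0004000, 0xC0006000, 0xC0008000, 0xC000A000
    img = bytearray(0xC000)
    _put_task(img, init, 0, 120, a, b, 0xC7000000)   # visible ring: init -> A -> B -> init
    _put_task(img, a, 1, 120, b, init, 0xC7002000)
    _put_task(img, b, 2, 120, init, a, 0xC7004000)
    _put_task(img, c, 0, 120, init, b, 0xC7006000)   # C keeps old neighbours; nobody points at it
    return img

if __name__ == "__main__":
    for addr in find_hidden_tasks(build_sample_dump(), load_system_map(SYSTEM_MAP)):
        print("hidden task_struct at 0x%08x" % addr)
```

On a real dump the same two views are taken from the actual System.map and a signature tuned to the target kernel's offsets; the comparison logic is unchanged.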
Malware detection techniques

Based on:

- Data access patterns and structural signatures [4], [6], [8]
- Binary analysis based on instruction sequences [12]
- Task structure analysis [14]

Malware detection techniques [4]

Inter-structure pointers:

struct socket_alloc {
   [0] struct socket socket;
  [40] struct inode vfs_inode; // 0x28
}
size: 392

Malware detection techniques [4]

[Diagram: struct file -> f_dentry -> dentry -> d_inode points at vfs_inode, which is embedded at offset 40 inside socket_alloc (socket at offset 0); the fixed offset ties the inode back to its enclosing socket_alloc]

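An added example (not from the slides or from [4]) of the socket_file_ops / sockfs_dentry_operations check given earlier and of the socket_alloc inter-structure pointer: it scans a constructed dump for struct file candidates whose f_op equals the System.map address of socket_file_ops, follows f_path.dentry to the inode, recovers the enclosing socket_alloc with the slides' 0x28 offset and requires the socket's file back-pointer to close the loop, which rejects stale pointers in freed memory. The symbol addresses, the file/dentry/socket field offsets and the image contents are assumptions.

```python
import struct

PAGE_OFFSET = 0xC0000000   # assumed x86-32 lowmem mapping: phys = virt - PAGE_OFFSET
# Static symbol addresses as they would be read from System.map (constructed values).
SYMS = {"socket_file_ops": 0xC0782A20, "sockfs_dentry_operations": 0xC0783100}
# From the slides (kernel 2.6.32): the inode embedded in socket_alloc sits at 0x28.
OFF_SA_INODE = 40
# Offsets below are assumed for the constructed image; they are not from the slides.
OFF_FILE_DENTRY = 12       # file.f_path.dentry
OFF_FILE_FOP = 16          # file.f_op
OFF_DENTRY_INODE = 16      # dentry.d_inode
OFF_DENTRY_DOP = 100       # dentry.d_op
OFF_SOCK_FILE = 24         # socket.file back-pointer (socket is at offset 0 of socket_alloc)

def read_u32(img, vaddr):
    """Little-endian 32-bit read at a kernel virtual address; None if outside the dump."""
    phys = vaddr - PAGE_OFFSET
    if phys < 0 or phys + 4 > len(img):
        return None
    return struct.unpack_from("<I", img, phys)[0]

def socket_alloc_of_inode(inode_addr):
    """container_of(inode, struct socket_alloc, vfs_inode): the inode is embedded at a
    fixed offset, so the enclosing socket_alloc is found by subtraction."""
    return inode_addr - OFF_SA_INODE

def check_socket_file(img, file_addr):
    """Validate the inter-structure pointer chain of one candidate struct file:
    f_op == socket_file_ops, f_path.dentry->d_op == sockfs_dentry_operations, and
    the socket_alloc reached through d_inode points back at this very file.
    Returns the socket_alloc address, or None if any link is inconsistent."""
    if read_u32(img, file_addr + OFF_FILE_FOP) != SYMS["socket_file_ops"]:
        return None
    dentry = read_u32(img, file_addr + OFF_FILE_DENTRY)
    if dentry is None:
        return None
    if read_u32(img, dentry + OFF_DENTRY_DOP) != SYMS["sockfs_dentry_operations"]:
        return None
    inode = read_u32(img, dentry + OFF_DENTRY_INODE)
    if inode is None:
        return None
    sa = socket_alloc_of_inode(inode)
    return sa if read_u32(img, sa + OFF_SOCK_FILE) == file_addr else None

def scan_socket_files(img):
    """Brute-force scan: every aligned word equal to &socket_file_ops is a candidate
    file.f_op; keep only the candidates whose whole pointer chain checks out."""
    needle = struct.pack("<I", SYMS["socket_file_ops"])
    hits, pos = [], img.find(needle)
    while pos != -1:
        if pos % 4 == 0 and pos >= OFF_FILE_FOP:
            file_addr = PAGE_OFFSET + pos - OFF_FILE_FOP
            sa = check_socket_file(img, file_addr)
            if sa is not None:
                hits.append((file_addr, sa))
        pos = img.find(needle, pos + 1)
    return hits

def _put_socket_file(img, file_addr, dentry, sa):
    """Write a consistent file -> dentry -> inode-in-socket_alloc -> file chain."""
    for addr, val in ((file_addr + OFF_FILE_FOP, SYMS["socket_file_ops"]),
                      (file_addr + OFF_FILE_DENTRY, dentry),
                      (dentry + OFF_DENTRY_DOP, SYMS["sockfs_dentry_operations"]),
                      (dentry + OFF_DENTRY_INODE, sa + OFF_SA_INODE),
                      (sa + OFF_SOCK_FILE, file_addr)):
        struct.pack_into("<I", img, addr - PAGE_OFFSET, val)

def build_sample_image():
    """Constructed 16 KiB image with two open sockets and one stale f_op word
    (a freed file struct whose dentry pointer was cleared) that must be rejected."""
    img = bytearray(0x4000)
    _put_socket_file(img, 0xC0001000, 0xC0001200, 0xC0001400)
    _put_socket_file(img, 0xC0002000, 0xC0002200, 0xC0002400)
    struct.pack_into("<I", img, 0xC0003000 + OFF_FILE_FOP - PAGE_OFFSET,
                     SYMS["socket_file_ops"])
    return img

if __name__ == "__main__":
    for file_addr, sa in scan_socket_files(build_sample_image()):
        print("socket file at 0x%08x -> socket_alloc at 0x%08x" % (file_addr, sa))
```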
Rootkit Detection

- Hidden rootkit – DKOM and function hooking
- Remains undetected through normal modes of detection such as ps
- Finding hidden objects such as sockets and processes based on field types and inter-structure pointers in kernel structures [4], [6]
- Behavioral analysis – such as data access patterns [8]

Classification of various techniques

Title                                                            Analysis type          Application
Detecting stealthy malware with Inter-Structure and              In-execution           Malware detection
  imported Signatures [4]
Characterizing Kernel Malware Behavior with Kernel Data          In-execution           Malware detection
  Access Patterns [8]
In-Execution Malware Detection using Task Structures of          In-execution           Malware detection
  Linux Processes [14]
Detecting Kernel-level Rootkits using Data Structure             In-execution           Rootkit detection
  Invariants [6]
Detecting Kernel-Level Rootkits Through Binary Analysis [12]     Pre-execution          Rootkit detection
Locating 386 paging structures in memory images [9]              Memory dump analysis   Hidden process detection
FACE: Automated digital evidence discovery and correlation [13]  Memory dump analysis   Evidence correlation
The 7 dwarves: debugging information beyond gdb [5]              Post-execution         Identification of kernel structure offsets
SigGraph: Brute Force Scanning of Kernel Data Structure          In-execution           Identification of kernel structures
  Instances Using Graph-based Signatures [11]
Automatic Reverse Engineering of Data Structures from            In-execution           Identification of kernel structures from memory image
  Binary Execution [10]
An Analysis of Linux RAM Forensics [16]                          Memory dump analysis   Identification of forensically relevant data structures (SUSE Linux kernel 2.6)
Linux Memory Forensic: Searching for processes [17]              Memory dump analysis   Identification of forensically relevant data structures (kernel versions 2.6.20 and 2.4.23)

Conclusion and future trends

- Understanding the kernel memory structures of the target system forms the basis of volatile memory forensics
- task_struct and System.map are the starting points of such analysis on a Linux machine
- Frameworks and techniques applicable across kernel versions
- Interpretation of collected evidence
- User-friendly report format

References

[1] Wikipedia, "Cyber forensics", http://en.wikipedia.org/wiki/Cyber_forensics
[2] "Crash utility", http://people.redhat.com/anderson/crash_whitepaper/
[3] Case, A., Marziale, L., Richard, G.G., "Dynamic recreation of kernel data structures for live forensics", Digital Investigation, 2010
[4] Liang, B., You, W., Shi, W., Liang, Z., "Detecting stealthy malware with Inter-Structure and imported Signatures", Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, 2011
[5] Arnaldo Carvalho de Melo, "The 7 dwarves: debugging information beyond gdb", Proceedings of the Linux Symposium, 2007
[6] Baliga, A., "Detecting Kernel-level Rootkits using Data Structure Invariants", IEEE Transactions on Dependable and Secure Computing, 2011
[7] Ramaswamy, A., "Detecting Kernel rootkits", Dartmouth College Masters Thesis, 2008
[8] Rhee, J., Lin, Z., Xu, D., "Characterizing Kernel Malware Behavior with Kernel Data Access Patterns", Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, 2011
[9] Saur, K., Grizzard, J.B., "Locating 386 paging structures in memory images", Digital Investigation, 2010
[10] Lin, Z., Zhang, X., Xu, D., "Automatic Reverse Engineering of Data Structures from Binary Execution", 17th Network and Distributed System Security Symposium, 2010
[11] Lin, Z., "SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures", 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, 2010
[12] Christopher, K., "Detecting Kernel-Level Rootkits Through Binary Analysis", Computer Security Applications Conference, 2004
[13] Case, A., Cristina, A., Marziale, L., Richard, G.G., Roussev, V., "FACE: Automated digital evidence discovery and correlation", Digital Investigation, 2008
[14] Shahzad, F. et al., "In-Execution Malware Detection using Task Structures of Linux Processes", IEEE International Conference on Communications, 2011
[15] Burdach, M., "Digital Forensics of the physical memory", 2005
[16] Urrea, J.M., "An analysis of Linux RAM forensics", Naval Postgraduate School Thesis, 2006
[17] Gao, Y., Cao, T., "Linux Memory Forensic: Searching for processes", Computer Security Applications Conference, 2010
[18] Movall, P., Nelson, W., Wetzstein, S., "Linux Physical Memory Analysis", Proceedings of the USENIX Annual Technical Conference, 2005
[19] Wikipedia, "Computer forensics", http://en.wikipedia.org/wiki/Computer_forensics
[20] DFRWS, "DFRWS 2005 forensics challenge", http://www.dfrws.org/2005/challenge/index.shtml, 2005
[21] Volatility framework, https://www.volatilesystems.com/default/volatility
Thank you

Mais conteúdo relacionado

Mais procurados

Leveraging NTFS Timeline Forensics during the Analysis of Malware
Leveraging NTFS Timeline Forensics during the Analysis of MalwareLeveraging NTFS Timeline Forensics during the Analysis of Malware
Leveraging NTFS Timeline Forensics during the Analysis of Malwaretmugherini
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3CTIN
 
Vista Forensics
Vista ForensicsVista Forensics
Vista ForensicsCTIN
 
Disk and File System Management in Linux
Disk and File System Management in LinuxDisk and File System Management in Linux
Disk and File System Management in LinuxHenry Osborne
 
Buffer cache unix ppt Mrs.Sowmya Jyothi
Buffer cache unix ppt Mrs.Sowmya JyothiBuffer cache unix ppt Mrs.Sowmya Jyothi
Buffer cache unix ppt Mrs.Sowmya JyothiSowmya Jyothi
 
The unix file system
The unix file systemThe unix file system
The unix file systemgsandeepmenon
 
Mac Forensics
Mac ForensicsMac Forensics
Mac ForensicsCTIN
 
Linux fundamentals Training
Linux fundamentals TrainingLinux fundamentals Training
Linux fundamentals TrainingLove Steven
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsMike Spaulding
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 

Mais procurados (20)

Leveraging NTFS Timeline Forensics during the Analysis of Malware
Leveraging NTFS Timeline Forensics during the Analysis of MalwareLeveraging NTFS Timeline Forensics during the Analysis of Malware
Leveraging NTFS Timeline Forensics during the Analysis of Malware
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
 
Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Disk and File System Management in Linux
Disk and File System Management in LinuxDisk and File System Management in Linux
Disk and File System Management in Linux
 
File system
File systemFile system
File system
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
 
Windows File Systems
Windows File SystemsWindows File Systems
Windows File Systems
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
 
Unix Administration
Unix AdministrationUnix Administration
Unix Administration
 
Unix File System
Unix File SystemUnix File System
Unix File System
 
Computer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS SystemsComputer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS Systems
 
Buffer cache unix ppt Mrs.Sowmya Jyothi
Buffer cache unix ppt Mrs.Sowmya JyothiBuffer cache unix ppt Mrs.Sowmya Jyothi
Buffer cache unix ppt Mrs.Sowmya Jyothi
 
Unix training session 1
Unix training   session 1Unix training   session 1
Unix training session 1
 
NTFS and Inode
NTFS and InodeNTFS and Inode
NTFS and Inode
 
The unix file system
The unix file systemThe unix file system
The unix file system
 
Mac Forensics
Mac ForensicsMac Forensics
Mac Forensics
 
Linux fundamentals Training
Linux fundamentals TrainingLinux fundamentals Training
Linux fundamentals Training
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti Forensics
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 

Semelhante a Linux Forensics

Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Frank Boldewin
 
Hunting malware via memory forensics
Hunting malware via memory forensicsHunting malware via memory forensics
Hunting malware via memory forensicsSriram Krishnan
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
Forensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual MachineForensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual MachineSource Conference
 
Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityAndrew Case
 
Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityWorkshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityAndrew Case
 
Hybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionHybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionFederico Franzoni
 
Linux architecture
Linux architectureLinux architecture
Linux architecturemcganesh
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memorysecurityxploded
 
Linux internal
Linux internalLinux internal
Linux internalmcganesh
 
Linux architecture
Linux architectureLinux architecture
Linux architecturemcganesh
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsTakahiro Haruyama
 
Bugs Ex Ante by Kristaps Dzonsons
Bugs Ex Ante by Kristaps DzonsonsBugs Ex Ante by Kristaps Dzonsons
Bugs Ex Ante by Kristaps Dzonsonseurobsdcon
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Rémi Jullian
 
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...ijsrd.com
 

Semelhante a Linux Forensics (20)

Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0
 
Hunting malware via memory forensics
Hunting malware via memory forensicsHunting malware via memory forensics
Hunting malware via memory forensics
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
Forensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual MachineForensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual Machine
 
Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with Volatility
 
Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityWorkshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with Volatility
 
Hybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionHybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest Protection
 
Linux kernel architecture
Linux kernel architectureLinux kernel architecture
Linux kernel architecture
 
DFSNov1.pptx
DFSNov1.pptxDFSNov1.pptx
DFSNov1.pptx
 
Genode Architecture
Genode ArchitectureGenode Architecture
Genode Architecture
 
Linux architecture
Linux architectureLinux architecture
Linux architecture
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
 
Hunting rootkit from dark corners of memory
Hunting rootkit from dark corners of memoryHunting rootkit from dark corners of memory
Hunting rootkit from dark corners of memory
 
Linux internal
Linux internalLinux internal
Linux internal
 
Linux architecture
Linux architectureLinux architecture
Linux architecture
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
Bugs Ex Ante by Kristaps Dzonsons
Bugs Ex Ante by Kristaps DzonsonsBugs Ex Ante by Kristaps Dzonsons
Bugs Ex Ante by Kristaps Dzonsons
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
 

Mais de Santosh Khadsare (19)

Cyber fraud (netflix)
Cyber fraud (netflix)Cyber fraud (netflix)
Cyber fraud (netflix)
 
INTERNET SECUIRTY TIPS
INTERNET SECUIRTY TIPSINTERNET SECUIRTY TIPS
INTERNET SECUIRTY TIPS
 
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
 
Network forensics1
Network forensics1Network forensics1
Network forensics1
 
Lec 1 apln security(4pd)
Lec  1 apln security(4pd)Lec  1 apln security(4pd)
Lec 1 apln security(4pd)
 
Smart card
Smart cardSmart card
Smart card
 
Guassvirus
GuassvirusGuassvirus
Guassvirus
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Webmail
WebmailWebmail
Webmail
 
Web server
Web serverWeb server
Web server
 
Samba server
Samba serverSamba server
Samba server
 
Firewall(linux)
Firewall(linux)Firewall(linux)
Firewall(linux)
 
Securitytips
SecuritytipsSecuritytips
Securitytips
 
Linux basics
Linux basicsLinux basics
Linux basics
 
Linuxfilesys
LinuxfilesysLinuxfilesys
Linuxfilesys
 
Linuxconcepts
LinuxconceptsLinuxconcepts
Linuxconcepts
 
Introtolinux
IntrotolinuxIntrotolinux
Introtolinux
 
New internet
New internetNew internet
New internet
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flame
 

Último

CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Micromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of PowdersMicromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of PowdersChitralekhaTherkar
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991RKavithamani
 

Último (20)

CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Micromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of PowdersMicromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of Powders
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
 

Linux Forensics

  • 1. A Survey on Linux Volatile Memory Forensic Techniques
    Suba Surianarayanan, suba.suri@gmail.com
    Dr. V. Uma Maheswari, umam_in@yahoo.com
    College Of Engineering, Chennai, Anna University
  • 2. INTRODUCTION
    Various threats to a Linux machine:
    - Loadable kernel modules
    - Directly accessible kernel memory in some versions of Linux (/dev/kmem)
  • 3. Volatile Memory Forensics
    - Volatile memory: evidence gathered from RAM
    - Hidden malware
    - Live techniques: based on in-built utilities or tools
      Disadvantage: they leave a footprint on the memory image
    - Linux: LKM and direct kernel memory access make in-built utilities like ps (process enumeration) unreliable and untrustworthy
    - Static techniques: capture the state of the system during seizure
  • 4. Linux Volatile Memory Forensics - Challenges
    - Numerous builds and versions: challenges the applicability of techniques
    - Kernel structure changes between versions
    - Security vulnerabilities: LKM and direct access to /dev/kmem
  • 5. Research directions
    - Exploring kernel vulnerabilities
    - Detection of malware and rootkits based on volatile memory analysis
    - Emulation of kernel utilities
    - Reverse engineering data structures from executables, behavioral analysis etc.
  • 6. Deriving Kernel data structures
    - Reverse engineering kernel data structures from the executable [10]
    - Graph based signatures (pointer pattern based) [11]
    - Utilization of debugging information [5]
    - Simulation of utilities based on kernel structures [13]
    - Understanding kernel data structures forms the core of volatile memory forensics, e.g. it enables detection of hidden processes [9], [15], [16], [17]
  • 7. Detecting hidden Processes: Kernel structures
    task_struct <-next/prev-> task_struct <-next/prev-> … <-next/prev-> task_struct   (circular list)
      task_struct.files -> files_struct
        files_struct.fd_array[] -> file
          file.f_path -> dentry
            dentry.d_inode -> inode
  • 8. Detecting hidden Processes: Kernel structures
    Structure        Description
    task_struct      Current state of the process
    mm_struct        Pages owned by a process; memory sections (begin and end addresses)
    vm_area_struct   Access permissions
    files_struct     Files, pipes, sockets opened by a process
    dentry           Directory information
    inode            Includes file MAC times
    address_space    Radix tree that holds the pages of a process together
    page_struct      Index into the page file
    file             Representation of each open file, socket etc.
    inet_sock        Protocol specific information
  • 9. Detecting hidden Processes: Kernel structures (Kernel 2.6.32)
    struct task_struct {
        [0]    volatile long int state;
        [4]    void *stack;
        [8]    atomic_t usage;
        [12]   unsigned int flags;
        [16]   unsigned int ptrace;
        [20]   int lock_depth;
        [24]   int prio;
        [28]   int static_prio;
        [32]   int normal_prio;
        [36]   unsigned int rt_priority;
        [40]   const struct sched_class *sched_class;
        [44]   struct sched_entity se;
        [376]  struct sched_rt_entity rt;
        [412]  struct hlist_head preempt_notifiers;
        [416]  unsigned char fpu_counter;
        [420]  unsigned int btrace_seq;
        [424]  unsigned int policy;
        [428]  cpumask_t cpus_allowed;
        [432]  struct sched_info sched_info;
        [464]  struct list_head tasks;   // circular linked list of processes: tasks.next and tasks.prev
        …
        [3248] struct memcg_batch_info memcg_batch;
    }
    SIZE: 3264
  • 10. Detecting hidden Processes: Requirements for Volatile memory analysis
    - Uncompressed kernel build (vmlinux)
    - Kernel debugger
    - System.map
    - Memory dump file
    How to obtain the uncompressed kernel? (Red Hat versions) Download the kernel-debuginfo build for the same kernel version
  • 11. System.map
    struct file.f_op = "socket_file_ops"
    struct file.f_path -> dentry.d_op = "sockfs_dentry_operations"
    The static addresses of these two symbols can be obtained from System.map
  • 12. Detecting hidden Processes
    - Traverse the circularly linked task list and compare with the corresponding mm_struct list
    - Brute force detection based on task_struct field signatures
    - Slab and slub allocator: kmem_cache list
  • 13. Locating Kernel structures from Memory Dump
    Types of data structures: (1) static, (2) dynamic
    Locating static data structures:
    - Using the System.map file
    - It contains the name and address of every static data structure in the kernel
    - It is created during the kernel build process by running nm on the compiled vmlinux file
    Locating dynamic data structures:
    - Derive them from the static data structures
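The two checks of slides 12 and 13 carried out on a small image, as an added example in Python (the language of memory-forensics tooling such as Volatility [21]); this is not the survey's code nor any cited author's. It resolves init_task from a System.map fragment, walks the circular tasks list (what ps effectively reports), brute-force scans the image for task_struct candidates by a field signature, and reports the difference. The list_head and priority offsets and the structure size are the kernel 2.6.32 values from slide 9; the comm offset, the base address, the System.map lines and the memory image itself are constructed for this example and marked as such in the code.

```python
import struct

# Layout from slide 9 (kernel 2.6.32, 32-bit build: 4-byte pointers).
PTR = 4
TASK_SIZE = 3264             # SIZE: 3264
PRIO_OFF = 24                # [24] int prio
STATIC_PRIO_OFF = 28         # [28] int static_prio
TASKS_OFF = 464              # [464] struct list_head tasks {next, prev}
# ASSUMED for this fixture only (not on the slides): where char comm[16] sits.
COMM_OFF, COMM_LEN = 800, 16
BASE = 0xC0000000            # assumed kernel virtual address of dump offset 0

# Constructed System.map fragment; the real file is produced by nm on vmlinux.
SYSTEM_MAP = "c0000000 D init_task\nc0300000 D socket_file_ops\n"


def symbol_address(system_map, name):
    """Resolve a static kernel symbol to its address from System.map text."""
    for line in system_map.splitlines():
        addr, _kind, sym = line.split()
        if sym == name:
            return int(addr, 16)
    raise KeyError(name)


class Dump:
    """Flat memory image: virtual address = base + offset into the bytes."""
    def __init__(self, data, base):
        self.data, self.base = data, base

    def contains(self, vaddr, size=PTR):
        return self.base <= vaddr and vaddr + size <= self.base + len(self.data)

    def u32(self, vaddr):
        return struct.unpack_from("<I", self.data, vaddr - self.base)[0]

    def i32(self, vaddr):
        return struct.unpack_from("<i", self.data, vaddr - self.base)[0]

    def cstring(self, vaddr, n):
        raw = self.data[vaddr - self.base: vaddr - self.base + n]
        return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def build_dump():
    """Constructed fixture: four task_structs 4 KiB apart, init_task first.
    Three are linked in the circular tasks list; the one named 'hidden' has been
    unlinked (its neighbours skip it, its own pointers still stand), which is
    the state DKOM leaves behind and the state ps can no longer see."""
    slots = [0x0000, 0x1000, 0x2000, 0x3000]
    names = [b"swapper", b"sshd", b"hidden", b"bash"]
    data = bytearray(0x5000)
    for off, name in zip(slots, names):
        struct.pack_into("<ii", data, off + PRIO_OFF, 120, 120)   # prio, static_prio
        data[off + COMM_OFF: off + COMM_OFF + len(name)] = name

    def node(i):                                  # address of task i's list_head
        return BASE + slots[i] + TASKS_OFF

    ring = [0, 1, 3]                              # task 2 is not in the ring
    for k, i in enumerate(ring):
        nxt, prv = ring[(k + 1) % len(ring)], ring[k - 1]
        struct.pack_into("<II", data, slots[i] + TASKS_OFF, node(nxt), node(prv))
    struct.pack_into("<II", data, slots[2] + TASKS_OFF, node(3), node(1))  # stale links
    return Dump(bytes(data), BASE)


def walk_task_list(dump, init_task, limit=65536):
    """Follow tasks.next from init_task around the circular list, converting each
    list_head back to its task_struct (container_of); this is the ps view."""
    head = init_task + TASKS_OFF
    node, found = head, []
    while True:
        found.append(node - TASKS_OFF)
        node = dump.u32(node)
        if node == head:
            return found
        if not dump.contains(node) or len(found) >= limit:
            raise ValueError("tasks list corrupted at 0x%x" % node)


def scan_task_structs(dump):
    """Brute force: every pointer-aligned offset satisfying a field signature
    (priorities in their kernel ranges, both list pointers inside the image)."""
    hits = []
    for off in range(0, len(dump.data) - TASK_SIZE + 1, PTR):
        addr = dump.base + off
        nxt, prv = dump.u32(addr + TASKS_OFF), dump.u32(addr + TASKS_OFF + PTR)
        if (0 <= dump.i32(addr + PRIO_OFF) <= 139
                and 100 <= dump.i32(addr + STATIC_PRIO_OFF) <= 139
                and dump.contains(nxt) and dump.contains(prv)
                and nxt % PTR == 0 and prv % PTR == 0):
            hits.append(addr)
    return hits


def find_hidden_tasks(dump, system_map):
    """task_structs the scan finds but the list walk does not: hidden processes."""
    listed = set(walk_task_list(dump, symbol_address(system_map, "init_task")))
    return [(a, dump.cstring(a + COMM_OFF, COMM_LEN))
            for a in scan_task_structs(dump) if a not in listed]


if __name__ == "__main__":
    image = build_dump()
    for addr, comm in find_hidden_tasks(image, SYSTEM_MAP):
        print("task_struct at 0x%08x (%s) is not in the tasks list" % (addr, comm))
```

On a real image the offsets come from the debug information of the matching vmlinux (the kernel-debuginfo build of slide 10), and the signature should use more fields than the two priorities checked here. The walk stops with an error when a next pointer leaves the image instead of looping forever, which is what a deliberately corrupted list would otherwise cause.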
  • 14. Malware detection techniques
    Based on:
    - Data access patterns and structural signatures [4], [6], [8]
    - Binary analysis based on instruction sequences [12]
    - Task structure analysis [14]
  • 15. Malware detection techniques [4]
    Inter-structure pointers:
    struct socket_alloc {
        [0]  struct socket socket;
        [40] struct inode vfs_inode;   // 0x28
    }
    size: 392
  • 16. Malware detection techniques [4]
    struct file --f_dentry--> dentry --d_inode--> socket_alloc.vfs_inode
    socket_alloc: [0] socket, [40] vfs_inode
  • 17. Rootkit Detection
    - Hidden rootkit: DKOM and function hooking
    - Remains undetected through normal modes of detection such as ps
    - Finding hidden objects such as sockets and processes based on field types and inter-structure pointers in kernel structures [4], [6]
    - Behavioral analysis, such as data access patterns [8]
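The socket signature of slides 11, 15 and 16 together with the cross-check against the per-process file tables of slide 7 and slide 17, as an added Python example that is neither the survey's code nor the code of [4]. A struct file is accepted as a socket when its f_op equals the System.map address of socket_file_ops and the inter-structure pointer chain holds (f_path.dentry points into the image and that dentry's d_op is sockfs_dentry_operations); the dentry's d_inode is then mapped back to its socket_alloc by subtracting the vfs_inode offset. Only the socket_alloc layout (vfs_inode at 0x28, size 392) and the symbol names come from the slides; the struct file, dentry, task_struct.files and files_struct.fd_array offsets, the symbol addresses, the base address and the image are assumptions constructed for the example and marked so in the code.

```python
import struct

PTR = 4
BASE = 0xC0000000                          # assumed kernel virtual address of offset 0
# From slide 15: struct socket_alloc { [0] socket; [0x28] vfs_inode; }, size 392.
VFS_INODE_OFF, SOCKET_ALLOC_SIZE = 0x28, 392
# ASSUMED layouts for this fixture only; real offsets come from vmlinux debug info.
F_PATH_DENTRY_OFF, F_OP_OFF = 12, 20      # struct file: f_path.dentry, f_op
D_INODE_OFF, D_OP_OFF = 16, 40            # struct dentry: d_inode, d_op
TASK_FILES_OFF = 1000                     # struct task_struct: files
FD_ARRAY_OFF, NR_OPEN_DEFAULT = 32, 32    # struct files_struct: fd_array[NR_OPEN_DEFAULT]

# Constructed System.map lines for the two symbols named on slide 11.
SYSTEM_MAP = "c0300000 D socket_file_ops\nc0300100 D sockfs_dentry_operations\n"


def symbol_address(system_map, name):
    """Resolve a static kernel symbol to its address from System.map text."""
    for line in system_map.splitlines():
        addr, _kind, sym = line.split()
        if sym == name:
            return int(addr, 16)
    raise KeyError(name)


class Dump:
    """Flat memory image: virtual address = base + offset into the bytes."""
    def __init__(self, data, base):
        self.data, self.base = data, base

    def contains(self, vaddr, size=PTR):
        return self.base <= vaddr and vaddr + size <= self.base + len(self.data)

    def u32(self, vaddr):
        return struct.unpack_from("<I", self.data, vaddr - self.base)[0]


def build_dump():
    """Constructed fixture: one visible task whose fd 3 is a socket, a second
    socket no file table references (hidden), and a decoy file whose f_op
    matches but whose dentry does not, to show the inter-structure check."""
    data = bytearray(0x1200)
    sfo, sdo = 0xC0300000, 0xC0300100

    def socket_file(file_off, dentry_off, sa_off, d_op=sdo):
        struct.pack_into("<I", data, file_off + F_OP_OFF, sfo)
        struct.pack_into("<I", data, file_off + F_PATH_DENTRY_OFF, BASE + dentry_off)
        struct.pack_into("<I", data, dentry_off + D_OP_OFF, d_op)
        struct.pack_into("<I", data, dentry_off + D_INODE_OFF, BASE + sa_off + VFS_INODE_OFF)

    socket_file(0x0800, 0x0900, 0x0A00)            # referenced from the task's fd 3
    socket_file(0x0C00, 0x0D00, 0x0E00)            # referenced by nothing: hidden
    socket_file(0x1000, 0x1100, 0x0A00, d_op=0)    # decoy: stale f_op, wrong dentry
    # task_struct at 0x0000 -> files_struct at 0x0400, fd_array[3] -> file at 0x0800
    struct.pack_into("<I", data, 0x0000 + TASK_FILES_OFF, BASE + 0x0400)
    struct.pack_into("<I", data, 0x0400 + FD_ARRAY_OFF + 3 * PTR, BASE + 0x0800)
    return Dump(bytes(data), BASE)


def find_socket_files(dump, system_map):
    """Signature scan: f_op == socket_file_ops, confirmed through
    file.f_path.dentry -> dentry.d_op == sockfs_dentry_operations, then
    dentry.d_inode mapped to its socket_alloc (container_of on vfs_inode)."""
    sfo = symbol_address(system_map, "socket_file_ops")
    sdo = symbol_address(system_map, "sockfs_dentry_operations")
    found = []
    for off in range(0, len(dump.data) - F_OP_OFF - PTR + 1, PTR):
        f = dump.base + off
        if dump.u32(f + F_OP_OFF) != sfo:
            continue
        dentry = dump.u32(f + F_PATH_DENTRY_OFF)
        if not dump.contains(dentry, D_OP_OFF + PTR) or dump.u32(dentry + D_OP_OFF) != sdo:
            continue
        sa = dump.u32(dentry + D_INODE_OFF) - VFS_INODE_OFF
        if dump.contains(sa, SOCKET_ALLOC_SIZE):
            found.append((f, sa))
    return found


def sockets_in_fd_tables(dump, task_addrs):
    """The lsof-style view: task.files -> files_struct.fd_array[]. Only the
    first NR_OPEN_DEFAULT descriptors live in fd_array (assumption above)."""
    seen = set()
    for task in task_addrs:
        files = dump.u32(task + TASK_FILES_OFF)
        if not dump.contains(files, FD_ARRAY_OFF + NR_OPEN_DEFAULT * PTR):
            continue
        for i in range(NR_OPEN_DEFAULT):
            f = dump.u32(files + FD_ARRAY_OFF + i * PTR)
            if f:
                seen.add(f)
    return seen


def hidden_sockets(dump, system_map, task_addrs):
    """Sockets the signature scan finds that no listed process's fd table holds."""
    seen = sockets_in_fd_tables(dump, task_addrs)
    return [(f, sa) for f, sa in find_socket_files(dump, system_map) if f not in seen]


if __name__ == "__main__":
    image = build_dump()
    for f, sa in hidden_sockets(image, SYSTEM_MAP, [0xC0000000]):
        print("socket file 0x%08x (socket_alloc 0x%08x) is in no fd table" % (f, sa))
```

The task addresses passed to hidden_sockets would come from a walk of the tasks list on a real image, and a complete walk must also cover descriptors beyond fd_array through the fdtable. The scan itself does not depend on that list, which is why the approach of [4] still reaches sockets whose owning process or descriptor has been hidden.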
  • 18. Classification of various techniques
    Title | Analysis type | Application
    Detecting stealthy malware with Inter-Structure and imported Signatures [4] | In-execution | Malware detection
    Characterizing Kernel Malware Behavior with Kernel Data Access Patterns [8] | In-execution | Malware detection
    In-Execution Malware Detection using Task Structures of Linux Processes [14] | In-execution | Malware detection
    Detecting Kernel-level Rootkits using Data Structure Invariants [6] | In-execution | Rootkit detection
    Detecting Kernel-Level Rootkits Through Binary Analysis [12] | Pre-execution | Rootkit detection
    Locating 386 paging structures in memory images [9] | Memory dump analysis | Hidden process detection
  • 19. Classification of various techniques
    Title | Analysis type | Application
    FACE: Automated digital evidence discovery and correlation [13] | Memory dump analysis | Evidence correlation
    The 7 dwarves: debugging information beyond gdb [5] | Post-execution | Identification of kernel structure offsets
    SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures [11] | In-execution | Identification of kernel data structures
    Automatic Reverse Engineering of Data Structures from Binary Execution [10] | In-execution | Identification of kernel structures from a memory image
    An Analysis of Linux RAM Forensics [16] | Memory dump analysis | Identification of forensically relevant data structures (SUSE Linux kernel 2.6)
    Linux Memory Forensic: Searching for processes [17] | Memory dump analysis | Identification of forensically relevant data structures (kernel versions 2.6.20 and 2.4.23)
  • 20. Conclusion and future trends
    - Understanding the kernel memory structures of the target system forms the basis of volatile memory forensics
    - task_struct and System.map are the starting points of such analysis on a Linux machine
    - Frameworks and techniques applicable across kernel versions
    - Interpretation of collected evidence
    - User-friendly report format
  • 21. References
    [1] Wikipedia, http://en.wikipedia.org/wiki/Cyber_forensics
    [2] “Crash utility”, http://people.redhat.com/anderson/crash_whitepaper/
    [3] Case, A., Marziale, L., Richard, G.G., “Dynamic recreation of kernel data structures for live forensics”, Digital Investigations, 2010
    [4] Liang, B., You, W., Shi, W., Liang, Z., “Detecting stealthy malware with Inter-Structure and imported Signatures”, Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, 2011
    [5] Arnaldo Carvalho de Melo, “The 7 dwarves: debugging information beyond gdb”, Proceedings of the Linux Symposium, 2007
    [6] Baliga, A., “Detecting Kernel-level Rootkits using Data Structure Invariants”, IEEE Transactions on Dependable and Secure Computing, 2011
    [7] Ramaswamy, A., “Detecting Kernel rootkits”, Dartmouth College Masters Thesis, 2008
    [8] Rhee, J., Lin, Z., Xu, D., “Characterizing Kernel Malware Behavior with Kernel Data Access Patterns”, Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, 2011
    [9] Saur, K., Julian B. Grizzard, “Locating 386 paging structures in memory images”, Digital Investigations, 2010
    [10] Lin, Z., Zhang, X., Xu, D., “Automatic Reverse Engineering of Data Structures from Binary Execution”, 17th Network and Distributed System Security Symposium, 2010
    [11] Lin, Z., “SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures”, 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, 2010
  • 22. References
    [12] Christopher, K., “Detecting Kernel-Level Rootkits Through Binary Analysis”, Computer Security Applications Conference, 2004
    [13] Case, A., Cristina, A., Marziale, L., Golden G. Richard, Roussev, V., “FACE: Automated digital evidence discovery and correlation”, Digital Investigations, 2008
    [14] Shahzad, F. et al., “In-Execution Malware Detection using Task Structures of Linux Processes”, IEEE International Conference on Communications, 2011
    [15] Burdach, M., “Digital Forensics of the physical memory”, 2005
    [16] Urrea, J.M., “An analysis of Linux RAM forensics”, Naval Postgraduate School Thesis, 2006
    [17] Gao, Y., Cao, T., “Linux Memory Forensic: Searching for processes”, Computer Security Applications Conference, 2010
    [18] Movall, P., Nelson, W., Wetzstein, S., “Linux Physical Memory Analysis”, Proceedings of the USENIX Annual Technical Conference, 2005
    [19] Wikipedia, http://en.wikipedia.org/wiki/Computer_forensics
    [20] DFRWS, DFRWS 2005 forensics challenge, http://www.dfrws.org/2005/challenge/index.shtml, 2005
    [21] Volatility framework, https://www.volatilesystems.com/default/volatility