In this talk we will discuss some interesting uses of forensic methods such as memory extraction and carving in non-law-enforcement scenarios. We will also cover some interesting ways of building covert channels, together with the possibilities for detecting them.
Bio: Junior researcher at the Faculty of Organization and Informatics with an interest in security, cryptography and FLOSS.
3. $ topic of this talk
A quick overview of some interesting:
Forensics methods
Memory imaging
Memory carving
Covert channels
Detecting conventional (known) covert channels
Creating useful covert channels
4. $ forensics for non-law-enforcement uses?
Useful for data recovery
You can protect your files, but you can't protect your RAM
1. Dig deep
2. Find interesting problems
3. ???
4. Profit!
5. $ memory imaging
/dev/mem is restricted on newer Linux kernels (with CONFIG_STRICT_DEVMEM only non-RAM regions, and on x86 the first megabyte, stay readable)
Alternatives:
Reboot the system into an imager (relies on RAM remanence; whatever does not survive the reset is gone)
PCI/DMA imagers (hardware that reads physical memory over the bus)
Insert a kernel module that exposes the physical address space: /dev/fmem
http://hysteria.sk/~niekt0/foriana/fmem_current.tgz
Then simply dd /dev/fmem to a file (fmem does not report a size, so give dd an explicit count matching the installed RAM) or grep -a it directly
6. $ memory secrets leakage
Pidgin's passwords were found in 5 places in memory (hexdump on the slide)
They sit in plaintext on disk too (~/.purple/accounts.xml)
• Various pieces of plaintext, passwords included, can be pulled straight out of memory
• ASLR: addresses move between runs, so YMMV when you go looking at fixed offsets
• Cryptographic algorithms can be identified from their constants and structures:
S-boxes and P-boxes, seeds, structures
Initialization vectors
https://github.com/fwhacking/bfcrypt
7. $ memory carving
tony@blackbox:~/0drive$ sudo photorec /d recovery bbox-memory.img
[sudo] password for tony:
PhotoRec 6.11, Data Recovery Utility, April 2009
tony@blackbox:~/0drive$ ls recovery* | wc -l
620
8. $ file/mem carving
Use scalpel:
http://www.digitalforensicssolutions.com/Scalpel/
/etc/scalpel/scalpel.conf ships with every signature commented out
Uncomment the file headers you want, and check them before trusting the results: the stock png line starts at "PNG" without the leading \x89 byte and uses a footer PNG files never contain (they end with an IEND chunk), so its hits are mostly junk
Good thing is we can add additional signatures...
9. $ memory carving
tony@blackbox:~/0drive$ sudo scalpel -o recovery/ blackbox-mem.img
Scalpel version 1.60
Written by Golden G. Richard III, based on Foremost 0.69.
Opening target "/home/tony/0drive/blackbox-mem.img"
Image file pass 1/2.
blackbox-mem.img: 100.0% |*********************************************| 3.2 GB 00:00 ETA
Allocating work queues...
Work queues allocation complete. Building carve lists...
Carve lists built. Workload:
...
gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x3b" --> 855 files
jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 2459 files
png with header "\x50\x4e\x47\x3f" and footer "\xff\xfc\xfd\xfe" --> 3176 files
...
Carving files from image.
Image file pass 2/2.
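The same header/footer carving scalpel does, as an added example in Python (not the talk's code and not scalpel's): each signature is a header, a footer and a maximum size; the carver takes everything from a header to the next footer, or the maximum size when no footer turns up within it, which is also why a bad signature yields thousands of junk "files". The PNG entry uses the real signature and the IEND trailer; STOCK_SCALPEL_PNG approximates the stock scalpel.conf line from the run above (no leading 0x89, a footer PNGs never contain) so the difference is visible. The sample image, its filler and the three small files are constructed inline.

```python
import struct
import zlib

# Header/footer signatures: (header, footer, maximum carve size in bytes).
SIGNATURES = {
    "gif": (b"GIF89a", b"\x00\x3b", 5_000_000),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20_000_000),
    # Real PNG signature and real ending (IEND chunk type + its fixed CRC).
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 20_000_000),
}
# What the stock scalpel.conf png line amounts to: no leading 0x89 and a footer
# PNG files never contain (scalpel's trailing '?' wildcard is dropped here).
STOCK_SCALPEL_PNG = {"png": (b"PNG", b"\xff\xfc\xfd\xfe", 20_000_000)}


def carve(image, signatures=SIGNATURES):
    """Return [(type, offset, bytes)] for every header hit, foremost/scalpel style:
    carve up to and including the footer, or the maximum size if no footer is found."""
    found = []
    for name, (hdr, ftr, maxlen) in signatures.items():
        pos = image.find(hdr)
        while pos != -1:
            end = image.find(ftr, pos + len(hdr), pos + maxlen)
            end = pos + maxlen if end == -1 else end + len(ftr)
            found.append((name, pos, image[pos:end]))
            pos = image.find(hdr, pos + 1)
    return sorted(found, key=lambda f: f[1])


# --- constructed sample files and image ------------------------------------
def png_chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

# A valid 1x1 8-bit greyscale PNG built from scratch.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + png_chunk(b"IEND", b""))
# The well-known 43-byte 1x1 transparent GIF89a.
SAMPLE_GIF = bytes.fromhex("47494638396101000100800000000000ffffff21f9040100000000"
                           "2c0000000001000100000202440100" "3b")
# Header-only JPEG stub (JFIF APP0 marker, zero body, EOI); enough for a carver.
SAMPLE_JPG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\x00" * 32 + b"\xff\xd9")
# Deterministic filler standing in for unrelated memory; contains none of the signatures.
FILLER = bytes(range(256)) * 4
SAMPLE_IMAGE = FILLER + SAMPLE_GIF + FILLER + SAMPLE_JPG + FILLER + SAMPLE_PNG + FILLER


if __name__ == "__main__":
    for kind, off, data in carve(SAMPLE_IMAGE):
        print(f"{kind} at {off:#x}, {len(data)} bytes")
    for kind, off, data in carve(SAMPLE_IMAGE, STOCK_SCALPEL_PNG):
        print(f"stock-signature {kind} at {off:#x}, {len(data)} bytes, starts {data[:4]!r}")
```

With the real signature the PNG comes out byte-exact; with the stock line the "png" starts one byte too late (so it is not even a valid PNG) and runs to the maximum carve size, which is what 3176 png hits from a 3.2 GB image look like.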
13. $ runtime extraction of RSA/DSA keys
tony@blackbox:~$ sudo ./passe-partout 729
Target has pid 729
=> 0x7f8e0ba5c000 0x7f8e0ba68000 r-xp 00000000 08:01 3416607
=> 0x7f8e0ba68000 0x7f8e0bc67000 ---p 0000c000 08:01 3416607
...
found RSA key @ 0x7f8e0fad7e20
[X] Key saved to file id_rsa-1.key
done for pid 729
Targets: apache, openssh, openvpn (the tool walks the process's memory mappings, shown above, looking for the key structures they keep in RAM)
14. $ grep is your friend
grep -a (treat the binary image as text; add -b for byte offsets) is really useful. Try some of the following:
-----BEGIN RSA
-----BEGIN PGP
-----BEGIN OpenVPN Static
ssh-rsa
ssh-dss (the SSH DSA key type string; "ssh-dsa" matches nothing)
usernames
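A worked version of the grep -a approach from slides 5 and 14, as an added example that is not the talk's code and not passe-partout: it greps a raw memory image for the marker strings above and also walks it for DER-encoded RSAPrivateKey structures, accepting a hit only when the integers found actually satisfy n = p*q and e*d = 1 modulo both p-1 and q-1, which keeps random bytes that merely look like ASN.1 out of the results. The image, its filler and the textbook-sized key (p = 61, q = 53, e = 17) are constructed inline; against a real dump you would read the file produced by dd from /dev/fmem instead.

```python
import random
import re

# Byte strings worth grepping for in a memory image (the slide's list; the
# SSH DSA key type string is "ssh-dss").
PEM_MARKERS = [b"-----BEGIN RSA", b"-----BEGIN PGP", b"-----BEGIN OpenVPN Static",
               b"ssh-rsa", b"ssh-dss"]


def der_len(n):
    """DER length: short form below 128, long form (0x80|N followed by N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v):
    """DER INTEGER; a spare leading 0x00 keeps a set high bit from reading as a sign."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body


def rsa_private_key_der(p, q, e):
    """PKCS#1 RSAPrivateKey (version, n, e, d, p, q, dP, dQ, qInv). Sample data only."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    fields = (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    body = b"".join(der_int(f) for f in fields)
    return b"\x30" + der_len(len(body)) + body


def read_tlv(buf, off):
    """(tag, value, next_offset) for the TLV at off, or None if it does not fit."""
    if off + 2 > len(buf):
        return None
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if not 0 < nbytes <= 4 or off + nbytes > len(buf):
            return None
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(buf):
        return None
    return tag, buf[off:off + length], off + length


def parse_rsa_key(buf, off):
    """Parse an RSAPrivateKey SEQUENCE at off and check it is arithmetically a key."""
    tlv = read_tlv(buf, off)
    if tlv is None or tlv[0] != 0x30:
        return None
    body, pos, ints = tlv[1], 0, []
    while pos < len(body) and len(ints) < 9:
        inner = read_tlv(body, pos)
        if inner is None or inner[0] != 0x02:
            return None
        ints.append(int.from_bytes(inner[1], "big"))
        pos = inner[2]
    if len(ints) < 9 or ints[0] != 0:
        return None
    n, e, d, p, q = ints[1:6]
    # Bytes that merely look like ASN.1 will not satisfy these relations.
    if p < 2 or q < 2 or n != p * q or (e * d) % (p - 1) != 1 or (e * d) % (q - 1) != 1:
        return None
    return {"offset": off, "bits": n.bit_length(), "n": n, "e": e}


def scan_image(img):
    """grep -a for the PEM markers plus a structural search for DER private keys."""
    hits = {"pem": [], "rsa_der": []}
    for marker in PEM_MARKERS:
        hits["pem"] += [(m.start(), marker.decode()) for m in re.finditer(re.escape(marker), img)]
    # RSAPrivateKey = SEQUENCE, length, INTEGER 0 (version), INTEGER n ...: look for
    # 02 01 00 02 and try each plausible SEQUENCE header length in front of it.
    for m in re.finditer(rb"\x02\x01\x00\x02", img):
        for hdr_len in (2, 3, 4, 5):
            off = m.start() - hdr_len
            if off >= 0 and img[off] == 0x30:
                key = parse_rsa_key(img, off)
                if key:
                    hits["rsa_der"].append(key)
                    break
    return hits


def _filler(n, seed):
    """Deterministic pseudo-random filler standing in for unrelated memory."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

SAMPLE_KEY = rsa_private_key_der(61, 53, 17)  # textbook primes; n = 3233
# Constructed image: filler, a PEM header, filler, an SSH public key prefix, the DER key.
SAMPLE_IMAGE = (_filler(2048, 1) + b"-----BEGIN RSA PRIVATE KEY-----\n" + _filler(1024, 2)
                + b"ssh-rsa AAAAB3NzaC1yc2E" + _filler(2048, 3) + SAMPLE_KEY + _filler(512, 4))

if __name__ == "__main__":
    print(scan_image(SAMPLE_IMAGE))
```

The arithmetic check is what turns a pattern match into evidence: a real hit reconstructs the modulus from its factors, so the offset it reports is a key you can dump and use, not just bytes that happened to start with 30 82.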
16. $ covert channels?
The opposite of forensics :)
Data hiding: files, protocols
"An adversary can always transmit one bit at a time"
Tony's rule 183: Any structure in a covert channel destroys its covertness.
Some interesting covert channels:
TCSteg
OutGuess
18. $ Truecryptish problems
How a TrueCrypt-style container gives itself away:
File size mod 512 == 0 (volumes are whole sectors; the mod 256 test holds as a consequence)
File size > 16 KiB
Entropy H(file) ~ 7.5 bits/byte or above (real ciphertext sits close to 8.0)
Header matches nothing in /usr/share/misc/magic, so file(1) just says "data"
Yes, the filesystem inside an encrypted volume CAN be carved: while it is mounted its plaintext sits in RAM :)
TrueCrypt = relatively OK (no magic at all)
LUKS leaks... its header starts with the magic LUKS\xba\xbe
File-in-file embedding leaks the inner file's magic bytes
OutGuess and similar known stego tools can be detected easily
19. $ interesting channels
Most formats with a strict footer or a declared length can be "injected" with data the parser never reads, bmp for one example
Injecting data in FLV? Why not!
In short: any structure leaks possible data.
Perfect randomness "leaks" encryption.
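The bmp case from the slide, as an added example (not the talk's code): a BMP has no footer, but its file header declares the total size (bfSize) and where the pixels start (bfOffBits), and viewers trust both. That gives two places to stash a payload, after the declared end or in the gap before the pixels, and the same two fields are the structural check that finds it, which is exactly the "any structure leaks" point. make_bmp builds the cover file inline; the field layout is the standard BITMAPFILEHEADER plus BITMAPINFOHEADER, and the detector assumes that 40-byte-or-larger DIB header.

```python
import struct


def make_bmp(width, height, rgb):
    """Construct a 24-bit uncompressed BMP filled with one colour (sample cover file)."""
    row = bytes(rgb[::-1]) * width               # pixels are stored BGR
    row += b"\x00" * ((4 - len(row) % 4) % 4)    # rows are padded to 4-byte multiples
    pixels = row * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    file_header = struct.pack("<2sIHHI", b"BM", 14 + len(dib) + len(pixels), 0, 0, 14 + len(dib))
    return file_header + dib + pixels


def declared_size(bmp):
    return struct.unpack_from("<I", bmp, 2)[0]    # bfSize


def pixel_offset(bmp):
    return struct.unpack_from("<I", bmp, 10)[0]   # bfOffBits


def expected_pixel_offset(bmp):
    """Where pixel data should start: file header + DIB header + palette (if any)."""
    dib_size = struct.unpack_from("<I", bmp, 14)[0]
    bpp = struct.unpack_from("<H", bmp, 28)[0]
    colours_used = struct.unpack_from("<I", bmp, 46)[0]
    palette = 4 * (colours_used or 1 << bpp) if bpp <= 8 else 0
    return 14 + dib_size + palette


# --- two places to hide a payload -------------------------------------------
def inject_tail(bmp, payload):
    """Append past bfSize; viewers stop reading at the declared size."""
    return bmp + payload


def inject_gap(bmp, payload):
    """Insert between the headers and the pixels and move bfOffBits past it; the
    file stays internally consistent (bfSize equals the real length)."""
    off = pixel_offset(bmp)
    out = bytearray(bmp[:off] + payload + bmp[off:])
    struct.pack_into("<I", out, 2, len(out))
    struct.pack_into("<I", out, 10, off + len(payload))
    return bytes(out)


def extract_tail(bmp):
    return bmp[declared_size(bmp):]


def extract_gap(bmp):
    return bmp[expected_pixel_offset(bmp):pixel_offset(bmp)]


# --- and the structural check that finds both ---------------------------------
def audit(bmp):
    """Bytes the format does not account for: past bfSize, and between the end
    of the headers and where bfOffBits points."""
    if bmp[:2] != b"BM" or len(bmp) < 54:
        raise ValueError("not a BITMAPINFOHEADER-style BMP")
    return {"trailing": len(bmp) - declared_size(bmp),
            "gap": pixel_offset(bmp) - expected_pixel_offset(bmp)}


if __name__ == "__main__":
    cover = make_bmp(4, 2, (255, 0, 0))
    print(audit(cover), audit(inject_tail(cover, b"secret")), audit(inject_gap(cover, b"hidden!")))
```

The gap variant survives a naive size check, which is why a detector has to recompute where the pixels ought to start rather than trust the header; the tail variant is what a carver shows as bytes after the declared end.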
20. $ interesting channels
A typical flv/video file is already close to random:
In [27]: entropy(cat)
Out[27]: 7.8086139822740126
Always map the hidden data into the same character range as the carrier.
Avoid disruptive changes that raise the entropy.
Avoid magic bytes and known patterns.
YouTube/You**** traffic is so common that you simply hide the data in the mass of it.
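The entropy measure behind entropy(cat), together with the slide-18 checks, as an added example (not the talk's code): Shannon entropy in bits per byte, a per-block profile, the LUKS magic test, a small stand-in for the file(1) magic database, and a classifier for the "no known header, large, sector-aligned, near-random" TrueCrypt-style candidate. The thresholds are this example's choices, not the slides': ciphertext of a few KiB measures about 7.98 bits/byte, so a 7.5 cut-off would also flag compressed media (the FLV above scores 7.81); the example demands at least 7.9 in every 8 KiB block and 512-byte alignment. The sample blobs are constructed; CONTAINER_LIKE is seeded pseudo-random data standing in for a real container.

```python
import math
import random
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"
# Constructed subset of what file(1)'s magic database recognises.
KNOWN_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif",
    b"%PDF": "pdf", b"\x7fELF": "elf", b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip",
    b"FLV\x01": "flv",
}


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data, block=8192):
    """Entropy of each full block (the whole input if it is shorter than one block).
    Ciphertext is flat near 8.0 everywhere; compressed media has low-entropy headers."""
    if len(data) <= block:
        return [entropy(data)]
    return [entropy(data[i:i + block]) for i in range(0, len(data) - block + 1, block)]


def magic_type(blob):
    return next((name for magic, name in KNOWN_MAGIC.items() if blob.startswith(magic)), None)


def classify(blob, min_size=16 * 1024, align=512, min_entropy=7.9):
    """The slide's TrueCrypt-volume heuristics: no known header, large, sector
    aligned and near-random throughout. Thresholds are this example's choices."""
    if blob.startswith(LUKS_MAGIC):
        return "luks"                      # LUKS does not hide at all
    known = magic_type(blob)
    if known:
        return known
    if (len(blob) >= min_size and len(blob) % align == 0
            and min(entropy_profile(blob)) >= min_entropy):
        return "encrypted-candidate"
    return "other"


def _random_bytes(n, seed):
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# Constructed samples: a 32 KiB stand-in for a TrueCrypt container (feed real
# ciphertext in practice), a LUKS header, and a large but compressible text file.
CONTAINER_LIKE = _random_bytes(32 * 1024, 42)
LUKS_SAMPLE = LUKS_MAGIC + b"\x00" * 506
TEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 512   # 23040 bytes, 512-aligned

if __name__ == "__main__":
    for name, blob in [("container", CONTAINER_LIKE), ("luks", LUKS_SAMPLE), ("text", TEXT_SAMPLE)]:
        print(name, classify(blob), [round(h, 3) for h in entropy_profile(blob)])
```

The per-block profile is what separates a container from a video once neither has a magic header: the video's metadata and tag headers pull individual blocks well below 7.9 even when the whole file averages 7.8, while ciphertext never dips.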
21. $ interesting channels
Filesystem fragmentation
– No structure
– http://goo.gl/dfhfR
Distributed covert channels?
– On my github soon :)