Hide and Seek – Interesting uses of forensics
           and covert channels


     Tonimir Kišasondi, mag.inf., EUCIP
$ whois tkisason



        Junior researcher @ foi.hr

        Likes:
    
        Security
    
        Crypto
    
        Gnu/Linux
    
        Interesting security problems



        e-mail: tonimir.kisasondi@foi.hr

        skype: tkisason
$ topic of this talk



      A quick overview of some interesting:
    
       Forensics methods
        
          Memory imaging
        
          Memory carving
    
       Covert channels
        
          Detecting conventional channels
        
          Creating useful covert channels
$ forensics for non law enforcement uses?



    Useful for data recovery

    You can protect your files, but you can't
    protect your RAM



1. Dig deep

2. Find interesting problems

3. ???

4. Profit!
$ memory imaging



        /dev/mem is restricted on newer versions of the
        Linux kernel

        Alternatives:
    
        Reboot the system with an imager
    
        PCI imagers
    
        Insert a kernel module that can access the address space



    /dev/fmem:
http://hysteria.sk/~niekt0/foriana/fmem_current.tgz


        Simply dd /dev/fmem or grep -a
$ memory secrets leakage



     Pidgin's passwords stored in 5 places
     00 00 1E 00 00 00 00 00 00 00
     Plaintexted in ~/.pidgin also




•    Various pieces of plaintext / passwords can be
     obtained from memory
•    ASLR - YMMV
•    Cryptographic algorithms can be identified
     S-boxes and P-boxes, seeds, structures
     Initialization vectors
     https://github.com/fwhacking/bfcrypt
$ memory carving

tony@blackbox:~/0drive$ sudo photorec /d recovery bbox-memory.img
[sudo] password for tony:
PhotoRec 6.11, Data Recovery Utility, April 2009

tony@blackbox:~/0drive$ ls recovery* | wc -l
620
$ file/mem carving



    Use scalpel:

http://www.digitalforensicssolutions.com/Scalpel/

    /etc/scalpel/scalpel.conf is frugal at start

    Uncomment file headers

    Good thing is we can add additional
    signatures...
$ memory carving

tony@blackbox:~/0drive$ sudo scalpel -o recovery/ blackbox-mem.img
Scalpel version 1.60
Written by Golden G. Richard III, based on Foremost 0.69.

Opening target "/home/tony/0drive/blackbox-mem.img"

Image file pass 1/2.
blackbox-mem.img: 100.0% |
    *********************************************************************************************
    ****************| 3.2 GB 00:00 ETA
Allocating work queues...
Work queues allocation complete. Building carve lists...
Carve lists built. Workload:
...
gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x3b" --> 855 files
jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 2459 files
png with header "\x50\x4e\x47\x3f" and footer "\xff\xfc\xfd\xfe" --> 3176 files
...
Carving files from image.
Image file pass 2/2.
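
How header/footer carving with a rule file works, as an added example (not scalpel's code and not from the talk). The rule text follows the scalpel.conf column layout; the function names, the tiny maximum sizes, the commented-out pdf rule and the constructed image are assumptions made for illustration, and only the \xHH and \s escapes are decoded.

```python
import re

# Constructed rules in the scalpel.conf column layout:
# extension, case-sensitive flag, max carve size, header, footer.
# gif and jpg are the signatures from the run above; the pdf rule is
# commented out, the way most rules ship in the default config.
RULES_TEXT = r"""
gif  y  64    \x47\x49\x46\x38\x39\x61  \x00\x3b
jpg  y  64    \xff\xd8\xff\xe0\x00\x10  \xff\xd9
# pdf  y  64    %PDF  %%EOF
"""

def decode(token):
    r"""Turn \xHH and \s escapes into raw bytes (only these two are handled)."""
    raw = token.replace(r"\s", " ").encode("latin-1")
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # commented-out rules stay inactive
        ext, _case, size, header, footer = line.split()
        rules.append((ext, int(size), decode(header), decode(footer)))
    return rules

def carve(image, rules):
    """Return (ext, offset, data) for every header with a footer in range."""
    hits = []
    for ext, max_size, header, footer in rules:
        start = image.find(header)
        while start != -1:
            window = image[start:start + max_size]
            end = window.find(footer, len(header))
            if end != -1:
                hits.append((ext, start, window[:end + len(footer)]))
            start = image.find(header, start + 1)
    return sorted(hits, key=lambda h: h[1])

def constructed_image():
    """Constructed 'memory image': filler bytes around four embedded objects."""
    fill = b"\xaa" * 32
    gif = b"GIF89a" + b"\x01" * 10 + b"\x00\x3b"
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x02" * 8 + b"\xff\xd9"
    pdf = b"%PDF-1.4 constructed %%EOF"
    orphan = b"\xff\xd8\xff\xe0\x00\x10JFIF"   # header whose footer never arrives
    return fill + gif + fill + jpg + fill + pdf + fill + orphan + b"\xaa" * 100

if __name__ == "__main__":
    image = constructed_image()
    for text in (RULES_TEXT, RULES_TEXT.replace("# pdf", "pdf")):
        rules = parse_rules(text)
        print(f"{len(rules)} active rules")
        for ext, offset, data in carve(image, rules):
            print(f"  {ext} at offset {offset}: {len(data)} bytes")
```

The pdf object is only recovered once its rule is uncommented, and the JPEG header with no footer inside the size limit is dropped. A two-byte footer such as \x00\x3b can also occur inside unrelated data and cut a carve short, so large file counts from a real image need checking.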
$ runtime extraction of RSA/DSA keys

tony@blackbox:~$ sudo ./passe-partout 729
Target has pid 729
=> 0x7f8e0ba5c000 0x7f8e0ba68000 r-xp 00000000 08:01 3416607
=> 0x7f8e0ba68000 0x7f8e0bc67000 ---p 0000c000 08:01 3416607
...
found RSA key @ 0x7f8e0fad7e20
[X] Key saved to file id_rsa-1.key
done for pid 729

apache, openssh, openvpn
$ grep is your friend


grep -a is really useful. Try some of the following:



-----BEGIN RSA

-----BEGIN PGP

-----BEGIN OpenVPN Static

ssh-rsa

ssh-dsa

usernames
$ covert channels?



    Opposite from forensics :)

    Data hiding: Files, protocols

    "An adversary can always transmit one bit at a time"

    Tony's rule 183: Any structure in a covert channel
    destroys its covertness.

    Some interesting covert channels:

    TCSteg

    OutGuess
$ TCSteg -> http://keyj.s2000.at/?p=458
$ Truecryptish problems

   File size mod 256 == 0
   Filesize > 16Kb
   H(File) ~ 7.5
   Header != /usr/share/misc/magic


   Yes, a filesystem in an encrypted volume CAN be carved :)
   TC = relatively OK
   LUKS leaks... = LUKS\xba\xbe
   File in file embedding leaks magic bytes
   Outguess and similar known stego tools can be easily detected
$ interesting channels



    Most formats that have strict footers can be
    "injected" – bmp for one example

    Injecting data in FLV? - why not!

    In short: Any structure leaks possible data.

    Perfect randomness "leaks" encryption.
$ interesting channels



    A typical flv/video file is highly random:

In [27]: entropy(cat)

Out[27]: 7.8086139822740126

    Always map data into same character range.

    Avoid disruptive changes that increase entropy

    Avoid magic bytes and known patterns

    Youtube/You**** is so common, that you simply
    hide the data in the mass traffic.
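
The four checks from the "Truecryptish problems" slide and the entropy measurement from the slide above, written out as a detector. This is an added example, not code from the talk: the `KNOWN_MAGIC` table (a small stand-in for /usr/share/misc/magic), all function names and the constructed samples are assumptions, 16Kb is read as 16 * 1024 bytes, and "H(File) ~ 7.5" is applied as a threshold of at least 7.5 bits per byte.

```python
import hashlib
import math
from collections import Counter

# Assumption: this short table stands in for /usr/share/misc/magic.
KNOWN_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
    b"PK\x03\x04": "zip",
    b"FLV\x01": "flv",
    b"LUKS\xba\xbe": "luks",
}

def entropy(data):
    """Shannon entropy in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def magic_of(data):
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def checks(data):
    """The slide's four tests, each reported separately."""
    return {
        "size % 256 == 0": len(data) % 256 == 0,
        "size > 16 KB": len(data) > 16 * 1024,
        "entropy >= 7.5": entropy(data) >= 7.5,
        "no known header": magic_of(data) is None,
    }

def classify(data):
    if magic_of(data) == "luks":
        return "LUKS container (magic bytes present)"
    if all(checks(data).values()):
        return "possible headerless encrypted volume"
    return "not flagged"

def pseudo_random(n):
    """Constructed high-entropy filler: SHA-256 over a counter."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def constructed_samples():
    """Constructed inputs, one per outcome the slides describe."""
    return {
        "volume.bin": pseudo_random(32 * 1024),
        "odd-size.bin": pseudo_random(32 * 1024 + 7),
        "notes.txt": b"hello world\n" * 4096,
        "clip.flv": b"FLV\x01" + pseudo_random(32 * 1024 - 4),
        "disk.luks": b"LUKS\xba\xbe" + pseudo_random(32 * 1024 - 6),
    }

if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(f"{name:13} H={entropy(data):.2f}  {classify(data)}")
```

The video-like sample scores as high on entropy as the headerless volume; only the combination of all four checks singles the volume out, which is why entropy alone is a weak indicator.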
$ interesting channels



    Filesystem fragmentation
     – No structure
            • http://goo.gl/dfhfR


    Distributed covert channels?
     – On my github soon :)
$ Knowledge is power with biliteral cipher
$ questions?
$ Thank you

You can find the most up-to-date version of these
  slides on my slideshare (tkisason).
