Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment."— Presentation transcript:

1 Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment

2 Information Networking Security and Assurance Lab National Chung Cheng University 2 Outline Preface Analyze Unknown Binary F.I.R.E. Example Conclusion

3 Information Networking Security and Assurance Lab National Chung Cheng University 3 Outline Preface Analyze Unknown Binary F.I.R.E. Example Conclusion

4 Information Networking Security and Assurance Lab National Chung Cheng University 4 What and The Purpose Examine an Unknown malware binary (Open Source tools)  The Sleuth Kit  autopsy  strings  hexedit  … F.I.R.E.  Package all tools together in a bootable CD

5 Information Networking Security and Assurance Lab National Chung Cheng University 5 Outline Preface Analyze Unknown Binary F.I.R.E. Example Conclusion

6 Information Networking Security and Assurance Lab National Chung Cheng University 6 Under an Unknown Condition Possibly where it came from What the binary’s purpose is It may be possible to identify when the system was compromised & the binary installed May be also discover which user id facilitated the compromise of the system

7 Information Networking Security and Assurance Lab National Chung Cheng University 7 Binary Details From  http://www.giac.org/gcfa/binary_v1.3.zip http://www.giac.org/gcfa/binary_v1.3.zip The file size when extracted The file size within the archive The last modified time CRC number Userid, md5sum, …

8 Information Networking Security and Assurance Lab National Chung Cheng University 8 The strings command Parse an input file and output readable strings Sequentially program the code May deal with creating & starting services May be an ICMP back-door to a cmd.exe shell

9 Information Networking Security and Assurance Lab National Chung Cheng University 9 The hexedit command The purposes  Confirm the function of the application  Confirm who was involved in it’s creation or distribution (possibly) The command line Some information you interested!!

10 Information Networking Security and Assurance Lab National Chung Cheng University 10 The person may compile, write or created the zip file May be a ICMP back- door to a cmd.exe shell

11 Information Networking Security and Assurance Lab National Chung Cheng University 11 May be the hacker’s message smesses.exe and reg.exe: querying amd modifying registry entries The ip address

12 Information Networking Security and Assurance Lab National Chung Cheng University 12 Some DLL files KERNEL32.dll ADVAPI32.dll WS2_32.dll MSVCRT.dll MSVP60.dll

13 Information Networking Security and Assurance Lab National Chung Cheng University 13 The objdump command View library information about a binary executable -p option  Print the object header information command The time and date

14 Information Networking Security and Assurance Lab National Chung Cheng University 14 The kernel interface was dealing with pipes and handles so the application was talking to interface, processes or other applications!!

15 Information Networking Security and Assurance Lab National Chung Cheng University 15 The application was doing something to the systems services

16 Information Networking Security and Assurance Lab National Chung Cheng University 16 May be Socket & IOCTL calls, so the application is definitely communicating with external applications through a socket

17 Information Networking Security and Assurance Lab National Chung Cheng University 17 Shows the basic Terminal I/O communications through the standard MSVCRT library

18 Information Networking Security and Assurance Lab National Chung Cheng University 18 The f-prot command It’s a virus scanner Can Live-Update (/usr/local/f-prot/update-defs.sh) The command Nothing you can find

19 Information Networking Security and Assurance Lab National Chung Cheng University 19 All evidence leads me to decide An ICMP back-door to cmd.exe Default password may be loki Coded by Spoof Hacker group  MFC May be installed by local user Rich

20 Information Networking Security and Assurance Lab National Chung Cheng University 20 From Google http://packetstormsecurity.com/crypt/misc/loki 2.tar.gz http://packetstormsecurity.com/crypt/misc/loki 2.tar.gz Coded for windows version based on loki2 for Unix-Like OS

21 Information Networking Security and Assurance Lab National Chung Cheng University 21 Outline Preface Analyze Unknown Binary F.I.R.E. Example Conclusion

22 Information Networking Security and Assurance Lab National Chung Cheng University 22 What A bootable Linux CD that turns any machine into a forensics workstation Boot the entire system without touching the local system Open Source http://fire.dmzs.com http://www.sourceforge.net/projects/biatchux

23 Information Networking Security and Assurance Lab National Chung Cheng University 23 How F.I.R.E. runs within a RAM disk that it does not touch the system or images Log the information you need to the /data/ directory

24 Information Networking Security and Assurance Lab National Chung Cheng University 24 Two quick ways of using F.I.R.E Burnt the ISO to a CD & boot from it The ISO can be booted from within VMWare

25 Information Networking Security and Assurance Lab National Chung Cheng University 25 Autopsy http://www.sleuthkit.org/autopsy/desc.php Graphic interface Some features Case Management File Analysis File Content Analysis File Type Hash Database Timeline of File Activity Keyword Search Meta Data Analysis Image Details Image integrity Notes Reports Logging Open Design Client Server Model

26 Information Networking Security and Assurance Lab National Chung Cheng University 26 Outline Preface Analyze Unknown Binary F.I.R.E. Example Conclusion

27 Information Networking Security and Assurance Lab National Chung Cheng University 27 The compromised image From the Digital Forensics Research Workshop http://www.dfrw.org Download site  http://www.honeynet.org/scans/scan24/ http://www.honeynet.org/scans/scan24/

28 Information Networking Security and Assurance Lab National Chung Cheng University 28 The VMWare Select the ISO image The beginning!!

29 Information Networking Security and Assurance Lab National Chung Cheng University 29 Set-up your network(1/2) Prompt mode Start menu!! Many options

30 Information Networking Security and Assurance Lab National Chung Cheng University 30 Set-up your network(2/2) Command line Set up the IP Address, Netmask and default gateway!!

31 Information Networking Security and Assurance Lab National Chung Cheng University 31 Log you activity Like The script command! Right clicking->Shells/Consoles->logging->respawn all logging xterms The data was saved to /data/consolelogs/$user/$date-$tty.log

32 Information Networking Security and Assurance Lab National Chung Cheng University 32 consh and replay consh (shell script)  Do the logging replay (command)  #replay May30-182215-tty_ttyp0.log.timing May30- 182215-tty_ttyp0.log

33 Information Networking Security and Assurance Lab National Chung Cheng University 33 Start Command You must start your browser to this URL for starting

34 Information Networking Security and Assurance Lab National Chung Cheng University 34 Set-up the Case select /data/

35 Information Networking Security and Assurance Lab National Chung Cheng University 35 Add Host

36 Information Networking Security and Assurance Lab National Chung Cheng University 36 Add Image

37 Information Networking Security and Assurance Lab National Chung Cheng University 37 Analysis type File analysis  Browse the various files available on the image, including deleted files Keyword search  Search the image for various keywords File type  Run the sorter that counts the various file types on the image Image details  Contain summary data about the image Meta Data  You can enter a meta data number for search Data Unit  Allow for the entry of a sector number

38 Information Networking Security and Assurance Lab National Chung Cheng University 38 Some test(1/6)

39 Information Networking Security and Assurance Lab National Chung Cheng University 39 Some test(2/6) Enter what you want to search Quick search

40 Information Networking Security and Assurance Lab National Chung Cheng University 40 Some test(3/6) summary

41 Information Networking Security and Assurance Lab National Chung Cheng University 41 Some test(4/6)

42 Information Networking Security and Assurance Lab National Chung Cheng University 42 Some test(5/6)

43 Information Networking Security and Assurance Lab National Chung Cheng University 43 Some test(6/6)

44 Information Networking Security and Assurance Lab National Chung Cheng University 44 The final step Create Data File Create Timeline tar & md5sum

45 Information Networking Security and Assurance Lab National Chung Cheng University 45

46 Information Networking Security and Assurance Lab National Chung Cheng University 46

47 Information Networking Security and Assurance Lab National Chung Cheng University 47 Outline Preface Analyze Unknown Binary F.I.R.E. Example Conclusion

48 Information Networking Security and Assurance Lab National Chung Cheng University 48 Do not touch the local system

49 Information Networking Security and Assurance Lab National Chung Cheng University 49 Additional Information(1/2) VNC Internet VNC connection

50 Information Networking Security and Assurance Lab National Chung Cheng University 50 Addition Information(2/2) Some legal issue  Go to the INSA Knowledge-Base

Download ppt "Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment."

Similar presentations

Presentation Heading – font Arial

Presentation Heading – font Arial
LINUX-WINDOWS INTERACTION. One software allowing interaction between Linux and Windows is WINE. Wine allows Linux users to load Windows programs while.

LINUX-WINDOWS INTERACTION. One software allowing interaction between Linux and Windows is WINE. Wine allows Linux users to load Windows programs while.
Chapter One The Essence of UNIX.

Chapter One The Essence of UNIX.
Information Networking Security and Assurance Lab National Chung Cheng University Investigating Hacker Tools.

Information Networking Security and Assurance Lab National Chung Cheng University Investigating Hacker Tools.
2004, Jei Nessus A Vulnerability Assessment tool A Security Scanner Information Networking Security and Assurance Lab National Chung Cheng University

2004, Jei Nessus A Vulnerability Assessment tool A Security Scanner Information Networking Security and Assurance Lab National Chung Cheng University
Introduction to Applied Network Security By Prof. Herzberg Man in the Middle lab #1 Aharon Brodie.

Introduction to Applied Network Security By Prof. Herzberg Man in the Middle lab #1 Aharon Brodie.
2004, Jei Tripwire An Intrusion Detection Tool Information Networking Security and Assurance Lab National Chung Cheng University.

2004, Jei Tripwire An Intrusion Detection Tool Information Networking Security and Assurance Lab National Chung Cheng University.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National.

Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National.
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
Information Networking Security and Assurance Lab National Chung Cheng University Backdoors and Remote Access Tools INSA Laboratory.

Information Networking Security and Assurance Lab National Chung Cheng University Backdoors and Remote Access Tools INSA Laboratory.
2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.

2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.
Information Networking Security and Assurance Lab National Chung Cheng University Live Data Collection from Unix Systems.

Information Networking Security and Assurance Lab National Chung Cheng University Live Data Collection from Unix Systems.
Overview Basic functions Features Installation: Windows host and Linux host.

Overview Basic functions Features Installation: Windows host and Linux host.
Cambodia-India Entrepreneurship Development Centre - : :.... :-:-

Cambodia-India Entrepreneurship Development Centre - : :.... :-:-
Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.

Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
Engineering H192 - Computer Programming The Ohio State University Gateway Engineering Education Coalition Lect 4P. 1Winter Quarter Introduction to UNIX.

Engineering H192 - Computer Programming The Ohio State University Gateway Engineering Education Coalition Lect 4P. 1Winter Quarter Introduction to UNIX.
Project Implementation for COSC 5050 Distributed Database Applications Lab1.

Project Implementation for COSC 5050 Distributed Database Applications Lab1.
Capturing Computer Evidence Extracting Information.

Capturing Computer Evidence Extracting Information.

Similar presentations

Ads by Google