Defeating Live Forensics in the Windows Kernel
Presented by Darren Bilby, AUSCERT 2006
Copyright Security-Assessment.com 2006

Overview
- Digital Forensics Acquisition
- The Live Imaging Process
- Windows Storage Architecture
- I/O Functionality in Rootkits
- DDefy
- DDefy Demo
- Better Methods for Live Imaging

Security-Assessment.com – Who We Are
- Specialist pure-play security firm
- Offices in Australia and New Zealand / strong global partnerships
- Committed to research and improving our industry
- Specialisation in multiple security fields
  - Security assessment
  - Security management
  - Forensics / incident response
  - Research and development

Digital Forensics Acquisition
- Need to gather an evidential copy of a system
- The aim: gather the "best" evidence available
- Gather volatile information: memory, process list, network connections, open files…
- Power off the machine and image the disk

Digital Forensics Acquisition
- Two competing aims
  - Gather the "best" evidence available
  - Allow the system to continue operation in an unhindered manner
- Results in "Live Imaging": taking a copy of a system while that system is still functioning in a live environment

Reasons for "Live Imaging"
- Business critical systems that cannot be shut down
- Shutting down systems may create legal liability for examiners through:
  - damaging equipment
  - unintentional data loss
  - hampering operations
- A judge instructs that evidence gathering must be conducted using the least intrusive methods available
- Encrypted volumes

Digital Forensics Acquisition
- Live imaging is now "best practice"… or at least common practice
- Tools
  - Helix (dd/netcat)
  - Prodiscover IR
  - Encase EEE/FIM
  - FTK
  - Smart
  - …

So this is common practice, accepted as legitimate by most courts of law, supported by many big name forensic vendors; it must be foolproof, right? uhhh… ok

The Live Imaging Process
(Diagram: the imaging path alternates between components labelled Trusted, Un-trusted, Trusted, Un-trusted, Trusted?)

Live imaging… is like turning up to a homicide at the docks and asking the mafia to collect your evidence and take it back to the police station for you.

The Live Imaging Process – Encryption
- Encase: SAFE public key encryption architecture
- DD: Cryptcat
- Prodiscover IR: Twofish encryption

Live imaging… with network encryption is like turning up to a homicide at the docks and then asking the mafia to collect your evidence, then handing it to an elite military squad to take it back to the police station for you.

Live Imaging
- How do we know we have collected all the original evidence on an un-trusted system?

Live Imaging on Windows – Overview
- What happens when you read a file?
- Rootkit functionality for disk I/O
- What happens when you run dd or FTK Imager

Windows Storage Architecture
(Diagram adapted from Microsoft Windows Internals, Fourth Edition)

What Happens When You Read a File?
1. ReadFile() is called on File1.txt, offset 0
2. Transition to Ring 0
3. NtReadFile() is processed
4. The I/O subsystem is called and an IRP is generated
5. Data at File1.txt offset 0 is requested from ntfs.sys (translation)
6. Data at the D: volume offset is requested from dmio.sys (translation)
7. Data at the disk 2 offset is requested from disk.sys

Live Imaging with DD
- Live imaging command:
      dd.exe if=\\.\PhysicalDrive0 of=z:\physicaldrive0.raw.dd
- \\.\PhysicalDrive0 is a device symbolic link to the raw disk
- The file system driver and volume manager driver are bypassed
- This method has been confirmed as used by
  - DD (GM Garner)
  - FTK Imager
  - Prodiscover IR

Rootkits

Rootkits
- Malicious people want to remain undetected on a system
  - The operating system must be subverted to give a false view
  - Hide files, processes, network traffic

Rootkits
- Dangerous for incident responders and security people because:
  - No discovery: if an incident is not discovered it will never be investigated
  - The Trojan Defence: if it cannot be proved that a rootkit was not present, a case may be undermined
  - Evidence tampering: an investigator cannot trust any information gathered from the machine

Public Userland (Ring 3) Rootkits
- Binary replacement, e.g. a modified Exe or Dll
- Binary modification in memory, e.g. He4Hook
- User land hooking, e.g. Hacker Defender (IAT hooking)

Kernel (Ring 0) Rootkits
- Kernel hooking, e.g. NtRootkit
- Driver replacement, e.g. replace ntfs.sys with ntfss.sys
- Direct Kernel Object Manipulation (DKOM), e.g. Fu, FuTo

Kernel (Ring 0) Rootkits
- I/O Request Packet (IRP) hooking: the IRP dispatch table, e.g. He4Hook (some versions)

Kernel (Ring 0) Rootkits
- Filter drivers: the official Microsoft method
- Types
  - File system filter
  - Volume filter
  - Disk filter
  - Bus filter
- E.g. Clandestine File System Driver (CFSD)

That's great… but why is this interesting?

It's interesting because…
- If we can identify bits on disk as relating to a file, we have opportunity
- There are many places to subvert the file read process
- It is very unlikely to be detected
- This gets an attacker closer to the trump card in the "whoever hooks lowest wins" arms race

DDefy
- The aim: when someone forensically analyses my machine, they should get a valid image, but not my sensitive data
- Written on the power of short blacks and Jack Daniels
- Proof of concept for 2K/XP/2k3
- Standard upper disk filter driver
- Intercepts IRP_MJ_READ I/O Request Packets sent to the disk and modifies the return data
- No hooking, DKOM or other modification
- Hiding in plain sight: can be found in Device Manager

DDefy: Where It Lives
(Diagram slide)

DDefy: The Process
(Diagram slide)

Demo
- D:\video\ddefypres\ddefy-noddefy imaging.wmv
- D:\video\ddefypres\ddefy-analysiswithddefyinstalled.wmv

DDefy Results
- Any data that is stored on the physical disk can be hidden from the live forensics tool
- There is no way to completely prevent this
- Live forensic imaging is still a useful tool, but it needs to be used with full knowledge of the implications
- Image the disk offline whenever possible
- Memory analysis becomes very important

DDefy Challenges
- Replacing data without corruption
  - MFT replacement
  - Null, Random, Bad Sector, Deleted, Other Files
- Windows disk caching: if the file system has cached a file, the disk won't be asked for the data
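The question on the "Live Imaging" slide (how do we know the live image holds all the original evidence?) has one practical answer the "DDefy Results" slide points at: image the disk offline as well and compare the two images sector by sector. The following is an added example, not code from the presentation or from DDefy; it constructs two small 8-sector images inline (the "offline" copy holding a sensitive file, the "live" copy with those sectors replaced in the null, random and other-file styles listed above), reports every divergent sector, and classifies what the live tool was handed instead. The 512-byte sector size and the 150-distinct-bytes "random-looking" threshold are assumptions.

```python
"""Sector-level comparison of a live image against an offline image of the same
disk (added example, not part of the original presentation)."""
import hashlib
import random
from collections import Counter

SECTOR_SIZE = 512  # assumption: 512-byte sectors


def build_sample_images():
    """Constructed test data, not real evidence: 8 sectors each.
    Offline: random filler with a sensitive file in sectors 3-5.
    Live: sectors 3-5 replaced with nulls, random bytes and a decoy file."""
    rng = random.Random(2006)
    secret = b"SENSITIVE ACCOUNT LEDGER ".ljust(SECTOR_SIZE * 3, b".")
    filler = bytes(rng.getrandbits(8) for _ in range(SECTOR_SIZE * 5))
    offline = filler[:SECTOR_SIZE * 3] + secret + filler[SECTOR_SIZE * 3:]
    nulls = b"\x00" * SECTOR_SIZE
    random_sector = bytes(rng.getrandbits(8) for _ in range(SECTOR_SIZE))
    decoy = b"quarterly-newsletter.txt ".ljust(SECTOR_SIZE, b" ")
    live = offline[:SECTOR_SIZE * 3] + nulls + random_sector + decoy + offline[SECTOR_SIZE * 6:]
    return live, offline


def image_hash(image: bytes) -> str:
    """Whole-image SHA-256; both images hash cleanly, only the comparison tells them apart."""
    return hashlib.sha256(image).hexdigest()


def classify_sector(data: bytes) -> str:
    """Label a divergent sector by the replacement style it resembles."""
    if data == b"\x00" * len(data):
        return "nulls"
    if len(set(data)) > 150:  # assumption: high byte diversity reads as random/encrypted
        return "random-looking"
    return "other-data"


def compare_images(live: bytes, offline: bytes, sector_size: int = SECTOR_SIZE):
    """Return [(sector_index, classification)] for every sector that differs."""
    if len(live) != len(offline):
        raise ValueError("image sizes differ: %d vs %d bytes" % (len(live), len(offline)))
    diffs = []
    for off in range(0, len(live), sector_size):
        got, expected = live[off:off + sector_size], offline[off:off + sector_size]
        if got != expected:
            diffs.append((off // sector_size, classify_sector(got)))
    return diffs


def summarize(diffs) -> Counter:
    """Count divergent sectors per replacement style."""
    return Counter(label for _, label in diffs)
```

Run against real images the same way: read both files in sector-sized chunks and feed them to compare_images; a non-empty result means the live tool was handed something other than what is on the platter.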

A Better Way of Acquiring Data
- Method
  - Install a trusted disk class driver
  - Communicate directly with the driver using DeviceIoControl
  - Encrypt communications between driver and application
- Challenges
  - Stability
  - OS specific

Live imaging… using a trusted driver and direct I/O is like turning up to a homicide at the docks and collecting the evidence yourself, while the mafia stand over you.

Further Research
- Effects on rootkit detection tools
- Applying the same techniques to memory forensics
  - Intercepting dd if=\\.\PhysicalMemory
  - Shadow Walker (S. Sparks, J. Butler)
- Implementation of an open source direct I/O driver

Questions?

Resources
- Windows System Internals, 4th Edition – D. Solomon, M. Russinovich
- Rootkits – G. Hoglund, J. Butler
- Primary Windows rootkit resource
- Joanna Rutkowska – Stealth Malware Detection
- Windows driver development resource