introducing the... metasploit antiforensics project - PowerPoint PPT Presentation

1 / 44
About This Presentation
Title:

introducing the... metasploit antiforensics project

Description:

temporal locality. technique. timestamps hint as to when ... temporal ... temporal locality (time stamps) spatial locality (file location) data recovery ... – PowerPoint PPT presentation

Number of Views:127
Avg rating:3.0/5.0
Slides: 45
Provided by: jamesc203
Category:

less

Transcript and Presenter's Notes

Title: introducing the... metasploit antiforensics project


1
introducing the... metasploitantiforensics
project
vinnie liu, toorcon 7
2
speaker
  • vinnie
  • anti-forensics researcher
  • framework contributor
  • vinnie_at_metasploit.com

3
coverage
  • avoid detection
  • weaknesses in current forensic techniques
  • break industry tools
  • Guidance EnCase, PGP Desktop, NTFS, MS
    AntiSpyware
  • Metasploit Anti-Forensic Investigation Arsenal
  • timestomp, slacker, transmogrify, sam juicer
  • identify opportunities for improvement

4
why
  • airing the industrys dirty laundry.
  • the lack of true innovation in the forensics
    world is because theres no pressure to do so.
  • too much dependence on forensic tools

5
talk format
  • technique
  • anti-technique
  • opportunity for improvement, weaknesses, tools,
    etc...

6
temporal locality
  • technique
  • timestamps hint as to when an event occurred.
  • timestamps help an analyst timeline events and
    profiling hacker behavior.
  • if an investigator finds a suspicious file, they
    will search for other files with similar MAC
    attributes.

7
temporal locality
  • anti-technique
  • modify file times, log file entries, and create
    bogus and misleading timestamps
  • we need better tools
  • most tools only modify the MAC
  • ok for FAT, but not for NTFS

8
temporal locality
  • modified (M), accessed (A), created (C)
  • entry modified (E)

M
C
A
E
9
tool timestomp
  • timestomp
  • uses the following Windows system calls
  • NtQueryInformationFile()
  • NtSetInformationFile()
  • doesnt use
  • SetFileTime()
  • features
  • display set MACE attributes
  • mess with EnCase and MS Anti-Spyware

10
timestomp _at_ work
  • normal
  • after setting values (-z Monday 05/05/2005
    050505 AM)
  • example EnCase weakness (-b)

11
timestomp _at_ work
12
timestomp _at_ work
  • Windows Explorer Demo

13
one opportunity for improvement
  • current state
  • EnCase only uses the MACE values from the
    Standard Information Attribute (SIA) in a each
    files MFT record
  • opportunity for improvement
  • validate SIA MACE values with the MACE values
    stored in the Filename (FN) attribute

MFT Entry Header
SIA Attribute MACE
FN Attribute MACE
Remaining Attributes
14
one opportunity for improvement
  • given
  • the FN MACE values are only updated when a file
    is created or moved
  • therefore
  • FN MACE values must be older than SIA MACE values
  • validation technique
  • determine if the SIA MACE values are older than
    the FN MACE values

earlier time
later time
15
then again
  • anti-validation technique
  • system files and archives are false positives
  • use raw disk i/o to change the FN MACE values
  • MFT is a file
  • calculate offsets from the start of the MFT to a
    files FN MACE values
  • use a file thats not been used in a while,
    delete the data attribute and fill it with your
    own data
  • no creating, no moving means no FN updates
  • only the SIA changes
  • SIA is controllable

16
spatial locality
  • technique
  • attackers tend to store tools in the same
    directory
  • anti-technique
  • stop using windir\system32
  • mix up storage locations both on a host and
    between multiple hosts
  • 3rd party software, browser temp, AV/spyware

17
data recovery
  • technique
  • forensics tools will make a best effort to
    reconstruct deleted data
  • anti-technique
  • secure file deletion
  • filename, file data, MFT record entry
  • wipe all slack space
  • wipe all unallocated space

18
data recovery
  • tools
  • Sys Internals sdelete.exe
  • doesnt clean file slack space
  • Eraser (heide)
  • does clean file slack space
  • PGP Desktops Disk Wipe
  • vulnerabilities
  • PGP Desktops Disk Wipe

19
selling snake oil
PGP 8.x and 9.1 -wiping slack space at end of
files
well, it doesnt.
think of it as an opportunity for improvement
20
signature analysis
  • technique
  • EnCase has two methods for identifying file types
  • file extension
  • file signatures
  • anti-technique
  • change the file extension
  • changing file signatures to avoid EnCase analysis
  • one-byte modification

21
foiling signature analysis
  • unmodified
  • one byte modified

22
flip it and reverse it
  • tools
  • transmogrify
  • does all the work
  • switch between multiple file formats

23
hashing
  • technique
  • create an MD5 fingerprint of all files on a
    system
  • compare to lists of known good known bad file
    hashes
  • minimizes search scope and analysis time
  • anti-technique
  • avoid common system directories (see earlier)
  • modify and recompile
  • remove usage information
  • stego works on non-executables
  • direct binary modification

24
hashing
  • direct binary modification (one-byte)

4e65745d42c70ac0a5f697e22b8bb033
eafcc942c7960f921c64c1682792923c
25
keyword searching
  • technique
  • analysts build lists of keywords and search
    through files, slack space, unallocated space,
    and pagefiles
  • anti-technique
  • exploit the examiners lack of language skill
  • great and nearly impossible to catch
  • opportunity for improvement
  • predefined keyword lists in different languages

26
reverse engineering
  • technique
  • 99 of examiners cant code
  • possess rudimentary malware analysis skills if
    any
  • packer identification
  • commonly available unpackers
  • run strings
  • behavioral analysis
  • anti-technique
  • use uncommon packers or create a custom loader
  • PEC2
  • strategic packing

27
profiling
  • technique
  • analysts find commonalities between tools,
    toolkits, packers, language, location,
    timestamps, usage info, etc
  • anti-technique
  • use whats already in your environment

28
information overload
  • technique
  • forensics takes time, and time costs money
  • businesses must make business decisions, again
    this means money
  • no pulling-the-plug. business data takes
    priority.
  • anti-technique
  • on a multi-system compromise, make the
    investigation cost as much as possible
  • choose the largest drive
  • help the investigators

29
hiding in memory
  • technique
  • EnCase Enterprise allows the examiner to see
    current processes, open ports, file system, etc
  • anti-technique
  • Metasploits Meterpreter (never hit disk)
  • exploit a running process and create threads
  • opportunity for improvement
  • capture whats in memory

30
tool sam juicer
  • sam juicer
  • think pwdump on crack
  • built from the ground up
  • stealthy!

31
tool sam juicer
  • why pwdump should not be used
  • opens a remote share
  • hits disk
  • starts a service to do dll injection
  • hits registry
  • creates remote registry conn
  • often fails and doesnt clean up

memory/lsass
services
remote share
disk
registry
remote registry
32
tool sam juicer
sam juicer
memory/lsass
meterpreter channel
services
  • slides over Meterpreter channel
  • direct memory injection
  • never hits disk never hits the registry
  • never starts a service
  • data flows back over existing connection
  • failure doesnt leave evidence

disk
registry
33
tool slacker
  • hiding files in NTFS slack space
  • technique
  • take advantage of NTFS implementation oddity
  • move logical and physical file pointers in
    certain ways to avoid having data zeroed out
  • features
  • file splitting use tracking file
  • multiple selection techniques - dumb, random,
    intelligent
  • obfuscation - none, key, file

34
tool slacker
standard file setup
sector
sector
sector
sector
sector
sector
sector
sector
1 cluster 8 sectors
35
tool slacker
writing to slack
sector
sector
sector
sector
sector
sector
sector
sector
SetFilePointer()
SetEndOfFile()
NTFS zeros data
safe data!
WriteFile()
1 cluster 8 sectors
36
tool slacker
reading from slack
sector
sector
sector
sector
sector
sector
sector
sector
SetFilePointer()
SetFilePointer()
SetEndOfFile()
SetFileValidData()
ReadFile()
1 cluster 8 sectors
37
tool slacker
closing out
sector
sector
sector
sector
sector
sector
sector
sector
SetFilePointer()
SetEndOfFile()
1 cluster 8 sectors
38
tool slacker
  • selection
  • dumb
  • first N files that have enough combined slack
    space
  • random
  • dumb selection random additions
  • intelligent
  • dumb selection replacing files with older last
    modified times
  • nifty in-place algorithm, ask me about it offline
  • recursion available on all

39
tool slacker
  • obfuscation
  • none
  • xor key
  • random 8 bit key repeated over all data
  • one-time pad

Message 100 bits
Message 100 bits
XOR Key 100 bits
Encrypted Message 100 bits
40
tool slacker
  • one-time pad (sort of...)
  • strength relies on a truly random xor key of
    equal length to the message
  • by using a file...
  • we avoid generating a an xor key
  • we avoid having to store it anywhere
  • because its already on the system
  • BUT, its not truly random
  • EVEN SO, good effing luck trying to figure out
    which series of 1s and 0s on your hard drive I
    chose.

41
tool slacker
  • Demo Slacker

42
what weve defeated
  • temporal locality (time stamps)
  • spatial locality (file location)
  • data recovery
  • file signatures
  • hashing
  • keywords
  • reverse engineering
  • profiling
  • effectiveness/info overload
  • disk access/hiding in memory

43
done
  • what?
  • slides
  • advisories
  • Metasploit Anti-Forensic Investigation Arsenal
    (MAFIA)
  • where?
  • www.metasploit.com/projects/antiforensics/
  • www.toorcon.org

44
...gotta go catch my flight
  • thanks to...
  • muirnin, skape, hdm, optyx, spoonm, thief, ecam,
    tastic, vax, arimus
Write a Comment
User Comments (0)
About PowerShow.com