introducing the... metasploit antiforensics project

Slides:



Advertisements
Similar presentations
COMP091 – Operating Systems 1
Advertisements

Text Searches Slack Space Unallocated Space
SEMINAR ON FILE SLACK AND DISK SLACK
Guide to Computer Forensics and Investigations, Second Edition
This presentation will take a look at to prevent your information from being discovered by and investigator.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
File System Analysis.
Guide to Computer Forensics and Investigations Fourth Edition
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
Guide to Computer Forensics and Investigations Third Edition
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.
Objectives Learn what a file system does
Damien Leake. Definition To examine digital media to identify and analyze information so that it can be used as evidence in court cases Involves many.
MIS Week 2 Site:
Chapter 9 Computer Forensics Analysis and Validation Guide to Computer Forensics and Investigations Fourth Edition.
Data Recovery Techniques Florida State University CIS 4360 – Computer Security Fall 2006 December 6, 2006 Matthew Alberti Horacesio Carmichael.
Data and its manifestations. Storage and Retrieval techniques.
Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.
Bits, Bytes, Files, Hard Drives. Bits, Bytes, Letters and Words ● Bit – single piece of information ● Either a 0 or a 1 ● Byte – 8 bits of information.
Timeline Analysis Geoff Black, EnCE, SnortCP Senior Forensic Consultant Professional Services Division Guidance Software, Inc.
Chapter 9 Computer Forensics Analysis and Validation Guide to Computer Forensics and Investigations Fourth Edition.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #4 Data Acquisition September 8, 2008.
File Storage Organization The majority of space on a device is reserved for the storage of files. When files are created and modified physical blocks are.
November 19, 2008 CSC 682 Use of Virtualization to Thwart Malware Written by: Ryan Lehan Presented by: Ryan Lehan Directed By: Ryan Lehan Produced By:
Lecture 18 Windows – NT File System (NTFS)
NTFS Filing System CHAPTER 9. New Technology File System (NTFS) Started with Window NT in 1993, Windows XP, 2000, Server 2003, 2008, and Window 7 also.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 File Systems September 22, 2008.
Chapter 11 Analysis Methodology Spring Incident Response & Computer Forensics.
Tactical Meterpreter Scripting Carlos PerezDarkoperatorCarlos_perez[at]darkoperator.com DarkoperatorCarlos_perez[at]darkoperator.com.
Internet Vulnerabilities & Criminal Activity Internet Forensics 12.1 April 26, 2010 Internet Forensics 12.1 April 26, 2010.
bitdefender virus protection
Intercept X Early Access Program Sophos Tester
Chapter Objectives In this chapter, you will learn:
Efficient Drive forensics – and it’s free!
SEARCHING, VIEWING AND BOOKMARKING
Cyber intelligence made easy.
Detect Malware No One Else Can… Rapidly Identify it’s capabilities, Mitigate the Threat with Actionable Risk Intelligence.
Module 11: File Structure
Malware Reverse Engineering Process
Transactions and Reliability
Indexing Structures for Files and Physical Database Design
Chapter 1. Basic Static Techniques
Malware Reverse Engineering Process
Windows XP File Systems
Chapter 5 EnCase Concepts.
File Management.
Cyber intelligence made easy.
Part 1: Basic Analysis Chapter 1: Basic Static Techniques
Intercept X for Server Early Access Program Sophos Tester
Extract and Correlate Evidences in Computer Forensics
CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
Playing in the Devil's Playground
Chapter 3: Windows7 Part 3.
Introduction to Database Systems
Stay Safe While Using The Internet
RDBMS Chapter 4.
Exam Information CSI5107 Network Security.
COMP1321 Digital Infrastructures
Modern PC operating systems
Chapter 16 File Management
Computer Forensics Lab 1 INFORMATION TECHNOLOGY DEPARTMENT LEBANESE FRENCH UNIVERSITY (LFU) COURSE CODE: IT402CF 1.
ONLINE SECURE DATA SERVICE
Threats to Privacy in the Forensic Analysis of Database Systems
CSC 497/583 Advanced Topics in Computer Security
Test 3 review FTP & Cybersecurity
“Encryption threatens to lead all of us to a very dark place.”
Data Recovery: Why Secure Deletion is so Important.
Presentation transcript:

introducing the... metasploit antiforensics project vinnie liu, bluehat

speaker vinnie anti-forensics researcher framework contributor vinnie@metasploit.com

coverage weaknesses in current forensic techniques break industry tools Guidance EnCase, PGP Desktop, NTFS, MS AntiSpyware, Windows Explorer Metasploit AF Tools timestomp, slacker, transmogrify, sam juicer identify opportunities for improvement

why airing the forensic dirty laundry. no pressure to innovate in the forensics community. too much dependence on forensic tools

talk format technique anti-technique opportunity for improvement, weaknesses, tools, etc...

#1 timestamps technique timestamps hint as to when an event occurred. timestamps help an analyst timeline events and profiling hacker behavior. if an investigator finds a suspicious file, they will search for other files with similar MAC attributes.

#1 timestamps anti-technique we need better tools… modify file times, log file entries, and create bogus and misleading timestamps we need better tools… most tools only modify the MAC ok for FAT, but not for NTFS…

A C M E #1 timestamps modified (M), accessed (A), created (C) entry modified (E) A C M E

timestomp tool #1: timestomp uses the following Windows system calls: NtQueryInformationFile() NtSetInformationFile() doesn’t use SetFileTime() features: display & set MACE attributes mess with EnCase and MS Anti-Spyware

timestomp @ work normal after setting values (-z “Monday 05/05/2005 05:05:05 AM”) example EnCase weakness (-b)

timestomp @ work

timestomp @ work Windows Explorer Demo

opportunity for improvement current state EnCase only uses the Standard Information Attribute (SIA) opportunity for improvement use the Filename (FN) attribute MFT Entry Header SIA Attribute MACE FN Attribute MACE Remaining Attributes…

opportunity for improvement given the FN MACE values are only updated when a file is created or moved therefore FN MACE values must be older than SIA MACE values validation technique determine if the SIA MACE values are older than the FN MACE values SIA MACE earlier time later time FN MACE

…but we can bypass that too anti-validation technique system files and archives are false positives use raw disk i/o to change the FN MACE values $MFT is a file calculate offsets from the start of the MFT to a file’s FN MACE values may cause file system instability

…but we can bypass that too anti-validation technique use a file that’s not been used in a while, delete the $data attribute and fill it with your own data no creating, no moving means no FN updates only the SIA changes & SIA is controllable MFT Entry Header SIA Attribute MACE FN Attribute MACE Data Attribute

#2 location, location, location technique attackers tend to store tools in the same directory anti-technique stop using %windir%\system32 mix up storage locations both on a host and between multiple hosts 3rd party software, browser temp, AV/spyware

#3 undelete technique anti-technique forensics tools will make a best effort to reconstruct deleted data anti-technique secure file deletion filename, file data, MFT record entry wipe all slack space wipe all unallocated space

#3 undelete tools vulnerabilities Sys Internals – sdelete.exe doesn’t clean file slack space Eraser (heide) does clean file slack space PGP Desktop’s Disk Wipe privacy concerns vulnerabilities

snake oil PGP 8.x and 9.1 -“wiping slack space at end of files…” not so private...

#4 signature analysis technique anti-technique EnCase has two methods for identifying file types file extension file signatures anti-technique change the file extension changing file signatures to avoid EnCase analysis

foiling signature analysis unmodified one byte modified

…flip it and reverse it tool #2 transmogrify does all the work switch between multiple file formats exe, jpeg, pdf, gif, txt, and so on...

#5 hashing technique anti-technique to minimize search scope and analysis time create an MD5 fingerprint of all files on a system compare to lists of known good & known bad file hashes anti-technique modify and recompile remove usage information stego works on non-executables as well as executables direct binary modification

#5 hashing direct binary modification (one-byte) eafcc942c7960f921c64c1682792923c 4e65745d42c70ac0a5f697e22b8bb033

#6 keyword searching technique anti-technique analysts build lists of keywords and search through files, slack space, unallocated space, and pagefiles anti-technique exploit the examiner’s lack of language skill opportunity for improvement predefined keyword lists in different languages

#7 reverse engineering technique anti-technique 99% of examiners can’t code possess rudimentary malware analysis skills if any binary compression (packer) identification commonly available unpackers run strings behavioral analysis anti-technique use uncommon packers or create a custom loader PEC2 packing strategy

#8 profiling technique anti-technique analysts find commonalities between: tools, toolkits, packers, language, location, timestamps, usage info, etc… anti-technique use what’s already in your environment

#9 information overload technique forensics takes time, and time costs money businesses must make business decisions, again this means money no pulling-the-plug. business data takes priority. anti-technique on a multi-system compromise, make the investigation cost as much as possible choose the largest drive help the investigators

#10 hiding in memory technique anti-technique EnCase Enterprise allows the examiner to see current processes, open ports, file system, etc… anti-technique Metasploit’s Meterpreter (never hit disk) exploit a running process and create threads opportunity for improvement capture what’s in memory

tool #3: sam juicer sam juicer grab the password hashes from the SAM built from the ground up, real-world implementation ooooohhh, stealthy! tool name sucks

tool #3: pwdump is no good current state of tools opens a remote share hits disk starts a service to do dll injection hits registry creates remote registry conn often fails and doesn’t clean up memory/lsass services remote share disk registry remote registry

tool #3: the juice is good memory/lsass sam juicer meterpreter channel services slides over Meterpreter channel direct memory injection never hits disk & never hits the registry never starts a service data flows back over existing connection failure doesn’t leave evidence disk registry

tool #4: slacker hiding files in NTFS slack space technique features take advantage of NTFS implementation oddity move logical and physical file pointers in certain ways to avoid having data zeroed out features file splitting multiple selection techniques obfuscation

tool #4: slacker standard file setup 1 cluster = 8 sectors end of file valid data slack space sector sector sector sector sector sector sector sector file pointer end of valid data 1 cluster = 8 sectors

safe data! NTFS zeros data WriteFile() SetFilePointer() SetEndOfFile() tool #4: slacker writing to slack end of valid data end of file sector sector sector sector sector sector sector sector file pointer safe data! NTFS zeros data WriteFile() SetFilePointer() SetEndOfFile() 1 cluster = 8 sectors

ReadFile() SetFileValidData() SetFilePointer() SetEndOfFile() tool #4: slacker reading from slack end of valid data end of file sector sector sector sector sector sector sector sector file pointer ReadFile() SetFileValidData() SetFilePointer() SetEndOfFile() SetFilePointer() 1 cluster = 8 sectors

SetEndOfFile() SetFilePointer() tool #4: slacker closing out end of valid data end of file sector sector sector sector sector sector sector sector file pointer SetEndOfFile() SetFilePointer() 1 cluster = 8 sectors

tool #4: slacker selection dumb random intelligent first N files that have enough combined slack space random random selection of files in a directory intelligent selects the oldest files in a directory each flavor also available with recursion

Encrypted Message = 100 bits tool #4: slacker obfuscation none xor key random 8 bit key repeated over all data one-time pad Message = 100 bits Message = 100 bits XOR Key = 100 bits Encrypted Message = 100 bits

tool #4: slacker one-time pad (sort of...) strength relies on a truly random xor key of equal length to the message by using a file... we avoid generating a an xor key we avoid having to store it anywhere because its already on the system BUT, it’s not truly random EVEN SO, good luck trying to figure out which series of 1s and 0s on your hard drive I chose.

tool #4: slacker Normally, this is where I demo slacker. but my $20k USB dongle for EnCase was “reposessed”.

what we’ve defeated temporal locality (time stamps) spatial locality (file location) data recovery file signatures hashing keywords reverse engineering profiling effectiveness/info overload disk access/hiding in memory

more information what? where? slide decks Metasploit Anti-Forensic Investigation Arsenal (MAFIA) where? www.metasploit.com/projects/antiforensics/

thanks microsoft questions comments suggestions vinnie@metasploit.com

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.