Information Networking Security and Assurance Lab, National Chung Cheng University
F.I.R.E. Forensics & Incident Response Environment

Outline: Preface; Analyze Unknown Binary; F.I.R.E.; Example; Conclusion
What and the purpose
Examine an unknown malware binary with open source tools: The Sleuth Kit, autopsy, strings, hexedit, ...
F.I.R.E. packages all of these tools together on a bootable CD.
Analyze Unknown Binary
Under an unknown condition
Possibly where it came from, and what the binary's purpose is.
It may be possible to identify when the system was compromised and the binary installed.
It may also be possible to discover which user id facilitated the compromise of the system.

Binary details
The file size when extracted, the file size within the archive, the last-modified time, the CRC number, the userid, the md5sum, ...
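The archive facts listed above can be pulled out programmatically rather than read off a zipinfo listing. The following is an added example, not code from the talk: it builds a constructed in-memory zip holding a made-up "binary" (the member name smesses.exe is borrowed from the slides, the bytes are invented) and reports, per member, the extracted size, the size within the archive, the last-modified time, the stored CRC and the md5sum of the extracted content. The userid is left out because it only appears in an optional Unix extra field that Python's zipfile does not expose.

```python
import hashlib
import io
import zipfile
from datetime import datetime

# Constructed stand-in for the suspicious archive: a small fake "binary" packed into a zip.
# The member name echoes the talk; the bytes are made up for this example.
SAMPLE_MEMBER = "smesses.exe"
SAMPLE_BYTES = (
    b"MZ" + b"\x00" * 62
    + b"This program cannot be run in DOS mode.\r\n"
    + b"A" * 200  # padding so that DEFLATE actually shrinks the member
)


def md5_hex(data):
    """md5sum of a byte string, hex-encoded (the value the slides record per file)."""
    return hashlib.md5(data).hexdigest()


def build_sample_archive():
    """Return the bytes of an in-memory zip holding the constructed member with a fixed mtime."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(SAMPLE_MEMBER, date_time=(2003, 5, 9, 14, 30, 0))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, SAMPLE_BYTES)
    return buf.getvalue()


def archive_details(archive_bytes):
    """Per member: extracted size, size within the archive, last-modified time,
    the CRC-32 stored in the central directory, and the md5sum of the extracted bytes."""
    details = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)  # zipfile verifies the stored CRC while reading
            details[info.filename] = {
                "extracted_size": info.file_size,
                "size_in_archive": info.compress_size,
                "last_modified": datetime(*info.date_time).isoformat(sep=" "),
                "crc32": f"{info.CRC:08x}",
                "md5": md5_hex(data),
            }
    return details


if __name__ == "__main__":
    for name, d in archive_details(build_sample_archive()).items():
        print(name)
        for key, value in d.items():
            print(f"  {key:16} {value}")
```

Record the md5 of the extracted member before running any other tool on it; every later claim about the binary ("the strings output shows ...") can then be tied back to exactly this content.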
The strings command
Parses an input file and outputs the readable strings, in the order they appear in the code.
The binary may deal with creating and starting services.
It may be an ICMP back-door to a cmd.exe shell.

The hexedit command
The purposes: confirm the function of the application; confirm who was involved in its creation or distribution (possibly).
The command line. Some information you are interested in!!

The person may have compiled, written or created the zip file.
It may be an ICMP back-door to a cmd.exe shell.

May be the hacker's message.
smesses.exe and reg.exe: querying and modifying registry entries.
The IP address.

Some DLL files: KERNEL32.dll, ADVAPI32.dll, WS2_32.dll, MSVCRT.dll, MSVP60.dll
The objdump command
View library information about a binary executable.
The -p option prints the object header information.
The command. The time and date.

The kernel interface was dealing with pipes and handles, so the application was talking to interfaces, processes or other applications!!

The application was doing something to the system's services.

Maybe socket and IOCTL calls, so the application is definitely communicating with external applications through a socket.

Shows the basic terminal I/O communications through the standard MSVCRT library.
The f-prot command
It is a virus scanner and can live-update (/usr/local/f-prot/update-defs.sh).
The command. Nothing to be found.

All evidence leads me to conclude:
An ICMP back-door to cmd.exe.
The default password may be loki.
Coded by the Spoof Hacker group MFC.
May have been installed by the local user Rich.

From Google: 2.tar.gz
Coded for Windows; the version is based on loki2 for Unix-like OS.
F.I.R.E.
What
A bootable Linux CD that turns any machine into a forensics workstation.
Boots the entire system without touching the local system.
Open source.

How
F.I.R.E. runs within a RAM disk, so it does not touch the system or the images.
Log the information you need to the /data/ directory.

Two quick ways of using F.I.R.E.
Burn the ISO to a CD and boot from it.
The ISO can be booted from within VMware.

Autopsy
Graphical interface. Some features: case management, file analysis, file content analysis, file type, hash database, timeline of file activity, keyword search, meta data analysis, image details, image integrity, notes, reports, logging, open design, client-server model.
Example
The compromised image
From the Digital Forensics Research Workshop download site.

The VMware
Select the ISO image. The beginning!!

Set up your network (1/2)
Prompt mode. Start menu!! Many options.

Set up your network (2/2)
Command line. Set up the IP address, netmask and default gateway!!

Log your activity
Like the script command! Right click -> Shells/Consoles -> logging -> respawn all logging xterms.
The data is saved to /data/consolelogs/$user/$date-$tty.log

consh and replay
consh (shell script) does the logging; replay (command):
#replay May tty_ttyp0.log.timing May tty_ttyp0.log

Start command
You must point your browser at this URL to start.

Set up the case: select /data/

Add host

Add image

Analysis type
File analysis: browse the various files available on the image, including deleted files.
Keyword search: search the image for various keywords.
File type: run the sorter that counts the various file types on the image.
Image details: contains summary data about the image.
Meta data: you can enter a meta data number to search.
Data unit: allows the entry of a sector number.
Some tests (1/6)

Some tests (2/6)
Enter what you want to search. Quick search.

Some tests (3/6)
Summary.

Some tests (4/6)

Some tests (5/6)

Some tests (6/6)

The final step
Create the data file, create the timeline, then tar & md5sum.
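The final step above (data file, timeline, tar & md5sum) is what makes the work defensible later, so it is worth seeing end to end. The following is an added example, not code from the talk or from F.I.R.E.: it writes a constructed stand-in for the /data/ tree (file names and contents are made up, and their mtimes are set to chosen 2003 values), builds a minimal mtime-sorted timeline with a hash per file, packs the tree into a tar.gz with an md5sum-style manifest, and then verifies a restored copy the way `md5sum -c` would, including catching a file altered after packaging. The mactime-style timeline here is deliberately minimal (mtime only, no atime/ctime); Autopsy's timeline carries all three.

```python
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed stand-in for the /data/ tree F.I.R.E. logs into; names and contents are made up.
SAMPLE_FILES = {
    "consolelogs/fire/2003-05-09-tty1.log": "# script started\n$ strings smesses.exe\n",
    "case/notes.txt": "Candidate: ICMP backdoor, default password loki\n",
    "case/hosts.txt": "host1: DFRWS image\n",
}
BASE_MTIME = 1052481600  # 2003-05-09 12:00:00 UTC, chosen for the example


def md5_file(path):
    """md5sum of a file, streamed so that large images need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_sample_evidence(root):
    """Write the constructed files with distinct mtimes so the timeline order is meaningful."""
    root = Path(root)
    for i, (rel, text) in enumerate(SAMPLE_FILES.items()):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
        os.utime(p, (BASE_MTIME + 60 * i, BASE_MTIME + 60 * i))
    return root


def build_timeline(root):
    """(mtime, size, relative path, md5) per file, sorted by mtime: a minimal timeline of file activity."""
    root = Path(root)
    rows = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            rows.append((int(st.st_mtime), st.st_size, p.relative_to(root).as_posix(), md5_file(p)))
    rows.sort()
    return rows


def format_timeline(rows):
    """Human-readable timeline lines (UTC timestamps)."""
    return [f"{time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(m))}  {size:>8}  {md5}  {rel}"
            for m, size, rel, md5 in rows]


def package_evidence(root, archive_path):
    """tar the tree and write an md5sum-style manifest of every member beside the archive."""
    root = Path(root)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(root.rglob("*")):
            if p.is_file():
                rel = p.relative_to(root).as_posix()
                manifest[rel] = md5_file(p)
                tar.add(str(p), arcname=rel)
    manifest_path = Path(f"{archive_path}.md5")
    manifest_path.write_text("".join(f"{h}  {rel}\n" for rel, h in sorted(manifest.items())))
    return manifest, manifest_path, md5_file(archive_path)


def verify_manifest(manifest_path, extract_dir):
    """Re-hash each listed file under extract_dir and compare with the manifest, like `md5sum -c`."""
    results = {}
    for line in Path(manifest_path).read_text().splitlines():
        h, rel = line.split("  ", 1)
        target = Path(extract_dir) / rel
        results[rel] = target.is_file() and md5_file(target) == h
    return results


def run_demo():
    """Whole flow in a temp dir: sample data -> timeline -> tar + manifest -> extract -> verify -> detect tampering."""
    work = Path(tempfile.mkdtemp(prefix="fire_demo_"))
    root = make_sample_evidence(work / "data")
    rows = build_timeline(root)
    archive = work / "data.tar.gz"
    manifest, manifest_path, archive_md5 = package_evidence(root, archive)
    restore = work / "restore"
    with tarfile.open(str(archive)) as tar:
        tar.extractall(restore)
    clean = verify_manifest(manifest_path, restore)
    (restore / "case/notes.txt").write_text("altered after the fact\n")  # simulate tampering
    tampered = verify_manifest(manifest_path, restore)
    return {"timeline": [row[2] for row in rows], "lines": format_timeline(rows),
            "archive_md5": archive_md5, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = run_demo()
    print("\n".join(result["lines"]))
    print("archive md5:", result["archive_md5"])
    print("clean:", result["clean"])
    print("tampered:", result["tampered"])
```

Keep the archive hash and the manifest on separate media from the archive itself; a hash stored only next to the data it protects can be rewritten together with it.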
Conclusion
Do not touch the local system.

Additional information (1/2)
VNC: Internet VNC connection.

Additional information (2/2)
Some legal issues. Go to the INSA Knowledge-Base.