Mac OS Lion Memory Forensics Using IEEE 1394 to Bypass FileVault 2 Full Volume Encryption. Todd Garrison September 18, 2011.

Copyright © 2011 Todd Garrison. This work is licensed under the Creative Commons Attribution-NonCommercial 3.0 Unported License. To view a copy of this license, visit or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

Overview
Mac OS 10.7 (Lion) includes a full-volume encryption product called FileVault 2.
o It is possible to use IEEE 1394/Firewire to extract a user’s password from the RAM of a running system, and in most cases of a sleeping system once it has been woken up.
o This password can be used to decrypt the volume, or to log in to the system.
o Using Firewire in this manner is a well-known method of gaining access to an operating system, with published attack methods dating back to
Lion uses a set of countermeasures designed to prevent this attack.
o There are weaknesses in the implementation. Default settings allow the protections to be bypassed.
o Changing three settings can protect against the attack in most cases.

Tools to Extract RAM
libforensic1394
o Written by Freddie Witherden and released in
o Available at:
o Python and C library that works on Linux (JuJu Firewire stack) and Mac OS (IOKit libraries).
o Does not supply programs to perform capture, so a Python script was written to perform capture. Available at:
pythonraw1394
o Written by Adam Boileau and released in
o Original website no longer available; mirrored copy at:
o Python and C library that uses the raw1394 Linux kernel module (no longer available on most Linux distributions). Also supplies programs for performing memory capture and more.

Applicability
The attack is possible in most system states:
o The user has logged off of the system.
o The system has been locked via the screensaver, “User Switching” is enabled (default setting), and there is more than one user account on the system.
o The system has been booted, but a user has not logged in. This is not a default system configuration when FileVault 2 is enabled. Plaintext passwords are not available; SHA2-512 hashes are in RAM.
When do the countermeasures apply?
o When the screen saver is active and requires a password. Can be bypassed by selecting “Switch User” (if available).
o When the system is requesting authentication to gain access to the full-volume encryption key. Normally this is done at boot time, but it can also be configured to happen after waking from sleep.

Can the System be Imaged?

Protecting Against Firewire DMA
Several settings are suggested, and should protect against most attempts to gain access:
o Disable the User Switching feature.
o Configure the system to store RAM to disk and remove power from memory upon entering the sleep state.
o Configure the system to remove the full-volume encryption key upon sleep.
Other settings:
o Always use a strong password for every user. Any user’s password can be used to decrypt the volume.
o Do not disable screen locking: set a reasonable time for automatic locking, and configure the system to sleep if it has been idle for a long time.

Disable User Switching
Can be disabled in “System Preferences,” “Users and Groups,” “Login Options.”
o Uncheck the “Show fast user switching menu as...” option.

Sleep Options
Must be performed as the “root” user from the Unix shell.
o Uses the pmset program to change two values:
o Example:

Option                 Value  Description
destroyfvkeyonstandby  1      Removes the full-volume encryption key from RAM when the system is put into sleep mode; its effect depends on the value of hibernatemode.
hibernatemode          25     Forces the system to immediately write RAM to disk and remove power from memory upon sleep.
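An added audit script (not part of the original slides) that checks `pmset -g` output for the two values recommended above; the two sample outputs are constructed for illustration, and on a real Mac you would feed it `"$(pmset -g)"`.

```shell
#!/bin/sh
# Added example: audit power-management settings against the two values the
# talk recommends (hibernatemode 25, destroyfvkeyonstandby 1).
# Assumes `pmset -g` prints one setting per line as " name value".

# Constructed sample of `pmset -g` output from a default Lion laptop
# (not captured from a real machine).
SAMPLE_DEFAULT=' hibernatemode        3
 destroyfvkeyonstandby 0
 sleep                10
 standby              1'

# Constructed sample after applying the recommended settings.
SAMPLE_HARDENED=' hibernatemode        25
 destroyfvkeyonstandby 1
 sleep                10'

# pmset_value OUTPUT NAME -> prints NAME's value, or nothing if it is absent.
pmset_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# check_pmset OUTPUT -> returns 0 only when both recommended values are set;
# prints one OK/WEAK line per setting so a reader sees what to fix.
check_pmset() {
    out="$1"; status=0
    for pair in "hibernatemode=25" "destroyfvkeyonstandby=1"; do
        name=${pair%%=*}; want=${pair#*=}
        have=$(pmset_value "$out" "$name")
        if [ "$have" = "$want" ]; then
            echo "OK    $name=$have"
        else
            # Missing setting counts as weak: an older pmset may not know it.
            echo "WEAK  $name=${have:-unset} (recommended $want)"
            status=1
        fi
    done
    return $status
}

# On a real system: check_pmset "$(pmset -g)"; fix with
#   sudo pmset -a hibernatemode 25 && sudo pmset -a destroyfvkeyonstandby 1
check_pmset "$SAMPLE_DEFAULT" || echo "default settings keep the FV key in RAM across sleep"
check_pmset "$SAMPLE_HARDENED" && echo "recommended settings present"
```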

Conclusion
Encryption products are designed to protect data when a third party gains physical access to a computer.
o Unfortunately, the system is not secure when using the default settings.
o It is simple to configure the system in a secure state.
It may be possible for Apple to extend the restrictions for Firewire DMA, but for now it is suggested that the recommended configuration options be set on computers containing confidential information.
o There are also other interfaces (such as Thunderbolt and SDXC) that may exhibit the same vulnerabilities.
o FileVault 2 is new software; it is likely there are other attack vectors available.

Bibliography
IEEE Standard for a High-Performance Serial Bus. (2008). IEEE Standards Association.
Apple - OS X Lion - The world’s most advanced OS. (n.d.). Retrieved September 17, 2011, from
Apple - Thunderbolt: Next-generation high-speed I/O technology. (n.d.). Retrieved September 17, 2011, from
Boileau, A. (2006). pythonraw1394.
Dalrymple, J. (2011, July 26). Lion FireWire security issue misleading. Retrieved September 17, 2011, from
Fleischer, G. (2011, July 12). File Vault in Mac OS X Lion - k3t’s weblog. Retrieved September 3, 2011, from
Garrison, T. (2011, September 7). Cracking MacOS Lion Passwords. Retrieved September 17, 2011, from
Garrison, T. (2011, September 17). Mac OS Lion Forensic Memory Acquisition Using IEEE
Graham, R. (2011, February 24). Errata Security: Thunderbolt: Introducing a new way to hack Macs. Retrieved September 17, 2011, from http://erratasec.blogspot.com/2011/02/thunderbolt-introducing-new-way-to-hack.html
Hermann, U. (2008, August 14). Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation (Update) | Uwe Hermann. Retrieved September 17, 2011, from uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation
Jacob. (2011, July 21). Lion Tips, a Collection | The Tech Bulletin. Retrieved September 17, 2011, from
Koukoushkina, N. (2011, July 26). Passware Proves Mac OS Lion Insecure Revealing Login Passwords in Minutes. Retrieved from
OS X Lion: About FileVault 2. (2011, July 26). Retrieved September 17, 2011, from
pmset(1) Mac OS X Manual Page. (n.d.). Mac OS X Developer Library. Retrieved September 17, 2011, from
Schuster, A. (2008, February). Memory analysis: “Acquisition (5): FireWire” - Computer Forensic Blog. Retrieved September 13, 2011, from
Technical Note TN2124: Technical Note TN2124. (n.d.). Retrieved September 3, 2011, from
Witherden, F. (2010, September 7). Memory Forensics over the IEEE 1394 Interface. Retrieved from