
Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.


1 F.I.R.E. Forensics & Incident Response Environment (title slide)

2 Outline: Preface; Analyze Unknown Binary; F.I.R.E.; Example; Conclusion

3 Outline (section marker: Preface)

4 What and the purpose: examine an unknown malware binary with open-source tools (The Sleuth Kit, Autopsy, strings, hexedit, …). F.I.R.E. packages all of these tools together on a bootable CD.

5 Outline (section marker: Analyze Unknown Binary)

6 Under an unknown condition: we may be able to learn where the binary came from and what its purpose is. It may also be possible to identify when the system was compromised and the binary installed, and which user id facilitated the compromise of the system.

7 Binary details: the sample comes from http://www.giac.org/gcfa/binary_v1.3.zip. Details recorded from the archive before anything is run: the file size when extracted, the file size within the archive, the last modified time, the CRC value, the userid, the md5sum, …
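Collecting those archive-level details, as an added example that is not part of the presentation: it reads sizes, the last-modified time, the CRC, the Unix uid/gid that Info-ZIP stores in an extra field, and an md5 of the extracted bytes, without executing anything. The archive, the member name sample.exe and the uid/gid 500/500 are constructed here; archive_details() would be pointed at the real download instead.

```python
"""Added example (not from the slides): archive-level details of a suspect zip."""
import hashlib
import io
import struct
import zipfile
import zlib

NEW_UNIX_EXTRA_ID = 0x7875   # Info-ZIP "new Unix" extra field: uid/gid of the creator
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"cmd.exe\x00"   # constructed stand-in, not a PE


def build_sample_zip() -> bytes:
    """Constructed archive: one deflated member carrying a 0x7875 uid/gid extra field."""
    zi = zipfile.ZipInfo("sample.exe", date_time=(2003, 2, 20, 12, 45, 48))  # assumed mtime
    zi.compress_type = zipfile.ZIP_DEFLATED
    ids = struct.pack("<BBIBI", 1, 4, 500, 4, 500)   # version, uid size, uid, gid size, gid
    zi.extra = struct.pack("<HH", NEW_UNIX_EXTRA_ID, len(ids)) + ids
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zi, SAMPLE_PAYLOAD)
    return buf.getvalue()


def parse_unix_ids(extra: bytes):
    """Walk the extra-field TLVs; return (uid, gid) from a 0x7875 block, else None."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        blob = extra[pos + 4:pos + 4 + size]
        if hid == NEW_UNIX_EXTRA_ID and len(blob) >= 2:
            ulen = blob[1]
            uid = int.from_bytes(blob[2:2 + ulen], "little")
            glen = blob[2 + ulen]
            gid = int.from_bytes(blob[3 + ulen:3 + ulen + glen], "little")
            return uid, gid
        pos += 4 + size
    return None


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def crc32_hex(data: bytes) -> str:
    return "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)


def archive_details(zip_bytes: bytes) -> list:
    """One record per member with the fields the slide lists."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            content = zf.read(info)       # read only; zipfile verifies the CRC on read
            records.append({
                "name": info.filename,
                "size_extracted": info.file_size,
                "size_in_archive": info.compress_size,
                "last_modified": "%04d-%02d-%02d %02d:%02d:%02d" % info.date_time,
                "crc32": "%08x" % info.CRC,
                "unix_uid_gid": parse_unix_ids(info.extra),
                "md5": md5_hex(content),
            })
    return records
```

Two caveats when reading the output: the zip modification time is the local time of the machine that built the archive, with two-second resolution, and the uid/gid are whatever that machine reported, so they are leads about who packaged the binary rather than proof.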

8 The strings command: parses an input file and outputs the readable strings it contains. Read in order through the code, the strings suggest that the program may deal with creating and starting services, and may be an ICMP back-door to a cmd.exe shell.
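A minimal strings extractor, added here as an example and not taken from the presentation. It differs from plain `strings` in one way a Windows sample makes important: it also finds UTF-16LE text, which GNU strings only reports with `-e l`, and it then flags the kinds of leads the later slides pull out by hand (executable and DLL names, dotted-quad addresses). The byte buffer is constructed; the names and the address 10.0.0.2 in it are made up.

```python
"""Added example (not from the slides): strings in ASCII and UTF-16LE, plus indicators."""
import re

MIN_LEN = 4
INDICATOR = re.compile(r"(?i)\b\d{1,3}(?:\.\d{1,3}){3}\b|\.(?:exe|dll)\b")

SAMPLE = (                                  # constructed buffer, not the analysed binary
    b"MZ\x90\x00\x03\x00"
    + b"KERNEL32.dll\x00" + b"\x01\x02\x03"
    + b"CreateServiceA\x00StartServiceA\x00" + b"\x01"
    + "cmd.exe".encode("utf-16-le") + b"\x00\x00"   # the kind of string plain strings misses
    + b"\xff\xfe" + b"loki\x00" + b"10.0.0.2\x00"
)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """(offset, encoding, text) for every printable run of at least min_len characters."""
    ascii_run = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_run.finditer(data)]
    return sorted(found)            # file order, so the reading order of the slide holds


def indicators(found: list) -> list:
    """Strings worth a closer look: executable/DLL names and dotted-quad addresses."""
    return [(enc, text) for _, enc, text in found if INDICATOR.search(text)]
```

On a real file the same two passes are `strings -a FILE` and `strings -a -e l FILE`; the offsets (`strings -t x`) are what you carry over to hexedit on the next slide.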

9 The hexedit command: its purposes here are to confirm the function of the application and, possibly, to confirm who was involved in its creation or distribution. (Screenshots: the command line, and the information of interest highlighted in the hex dump.)

10 (Hex dump excerpts.) The person who may have compiled, written or created the zip file. It may be an ICMP back-door to a cmd.exe shell.

11 (Hex dump excerpts.) Possibly the hacker's message. smesses.exe and reg.exe: querying and modifying registry entries. The IP address.

12 Some DLL files: KERNEL32.dll, ADVAPI32.dll, WS2_32.dll, MSVCRT.dll, MSVP60.dll

13 The objdump command: views library information about a binary executable. The -p option prints the object header information. (Screenshots: the command, and the time and date.) The time and date shown come from the PE file header's link timestamp, which the builder of the binary controls, so treat it as a lead to corroborate with file-system times rather than as proof.

14 The kernel interface imports deal with pipes and handles, so the application was talking to other processes or applications.

15 The application was doing something to the system's services.

16 Socket and IOCTL calls are imported, so the application is communicating with external applications through a socket.

17 Basic terminal I/O communications through the standard MSVCRT library.
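Slides 12 to 17 draw their conclusions from two things `objdump -p` prints, the link timestamp and the import table. The following added example (not code from the presentation) reads both directly from a PE file and maps a few imported names to the capabilities the slides infer. The PE is constructed in memory (headers plus an import directory and nothing else, with one thunk array serving as both ILT and IAT to keep it short); the DLL names are the ones on slide 12, while the function names, the timestamp and the CAPABILITY_HINTS table are assumptions made for illustration.

```python
"""Added example (not from the slides): COFF timestamp and import table of a PE file."""
import struct
from datetime import datetime, timezone

SECTION_RVA, SECTION_FILE = 0x1000, 0x200       # the one section: RVA 0x1000 at file offset 0x200


def build_sample_pe(imports: dict, timestamp: int) -> bytes:
    """Constructed PE32: DOS stub, COFF + optional header, one .rdata section with imports."""
    body, desc = bytearray(20 * (len(imports) + 1)), []    # descriptors + zero terminator
    for dll, funcs in imports.items():
        name_rvas = []
        for f in funcs:                                    # hint/name entries
            name_rvas.append(SECTION_RVA + len(body))
            body += struct.pack("<H", 0) + f.encode() + b"\x00"
        while len(body) % 4:
            body.append(0)
        thunk_rva = SECTION_RVA + len(body)                # zero-terminated thunk array
        body += b"".join(struct.pack("<I", r) for r in name_rvas) + b"\x00" * 4
        dll_rva = SECTION_RVA + len(body)
        body += dll.encode() + b"\x00"
        desc.append(struct.pack("<IIIII", thunk_rva, 0, 0, dll_rva, thunk_rva))
    body[:20 * len(desc)] = b"".join(desc)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, SECTION_RVA, 20 * (len(desc) + 1))     # data dir 1
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), SECTION_RVA, len(body),
                       SECTION_FILE, 0, 0, 0, 0, 0x40000040)
    hdr = bytes(dos + coff + opt + sect)
    return hdr + b"\x00" * (SECTION_FILE - len(hdr)) + bytes(body)


def _rva_to_off(sections, rva):
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def parse_pe(data: bytes) -> dict:
    """Return the COFF TimeDateStamp and {dll: [imported names]}; handles PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B
    thunk_fmt, thunk_bits = ("<I", 32) if pe32 else ("<Q", 64)
    imp_rva = struct.unpack_from("<I", data, opt + (96 if pe32 else 112) + 8)[0]
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12)
                for i in range(nsect)]     # (VirtualAddress, SizeOfRawData, PointerToRawData)
    imports, off = {}, _rva_to_off(sections, imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                  # the all-zero descriptor ends the table
            break
        names, t = [], _rva_to_off(sections, ilt or iat)
        while (entry := struct.unpack_from(thunk_fmt, data, t)[0]) != 0:
            if entry >> (thunk_bits - 1):  # high bit set: import by ordinal
                names.append("#%d" % (entry & 0xFFFF))
            else:                          # otherwise RVA of 2-byte hint + name
                names.append(_cstr(data, _rva_to_off(sections, entry) + 2))
            t += thunk_bits // 8
        imports[_cstr(data, _rva_to_off(sections, name_rva))] = names
        off += 20
    link = datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return {"timestamp": stamp, "link_time": link, "imports": imports}


# Assumed groupings mirroring the inferences on slides 14-17 (editor's table, not the
# presentation's): imported API name -> what its presence suggests.
CAPABILITY_HINTS = {
    "CreatePipe": "pipes/handles: talks to other processes",
    "CreateProcessA": "pipes/handles: talks to other processes",
    "OpenSCManagerA": "service control: creates/starts services",
    "CreateServiceA": "service control: creates/starts services",
    "StartServiceA": "service control: creates/starts services",
    "socket": "sockets/ioctl: network communication",
    "ioctlsocket": "sockets/ioctl: network communication",
    "printf": "console I/O via MSVCRT",
}


def capabilities(imports: dict) -> list:
    """Distinct hints in import-table order; imports show what is linked in, not what runs."""
    hints = []
    for names in imports.values():
        for n in names:
            h = CAPABILITY_HINTS.get(n)
            if h and h not in hints:
                hints.append(h)
    return hints


SAMPLE_STAMP = 1041379200                 # assumed: 2003-01-01 00:00:00 UTC
SAMPLE_IMPORTS = {                        # DLLs from slide 12; function names assumed
    "KERNEL32.dll": ["CreatePipe", "CreateProcessA", "CloseHandle"],
    "ADVAPI32.dll": ["OpenSCManagerA", "CreateServiceA", "StartServiceA"],
    "WS2_32.dll": ["socket", "ioctlsocket", "WSAStartup"],
    "MSVCRT.dll": ["printf"],
}
```

`parse_pe(build_sample_pe(SAMPLE_IMPORTS, SAMPLE_STAMP))` returns the same four DLLs `objdump -p` would list under "The Import Tables", with the link time in UTC. The capability list is only as good as the table behind it, and an imported function is evidence that the code was linked against it, not that it is ever called; the strings and hexedit findings on the earlier slides are what turn these leads into conclusions.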

18 The f-prot command: a virus scanner whose definitions can be live-updated with /usr/local/f-prot/update-defs.sh. (Screenshot: the command.) It finds nothing in this binary; a clean scan only means the sample matches no current signature, not that it is benign.

19 All the evidence leads me to conclude: it is an ICMP back-door to cmd.exe; the default password may be loki; it was coded by the Spoof hacker group (MFC); it may have been installed by the local user Rich.

20 From Google: http://packetstormsecurity.com/crypt/misc/loki2.tar.gz. The binary is a Windows version coded from loki2, which targets Unix-like operating systems.

21 Outline (section marker: F.I.R.E.)

22 What: a bootable Linux CD that turns any machine into a forensics workstation. It boots the entire system without touching the local system. Open source: http://fire.dmzs.com and http://www.sourceforge.net/projects/biatchux

23 How: F.I.R.E. runs within a RAM disk, so it does not touch the local system or the images. Log the information you need to the /data/ directory. Any evidence disk or image you then examine should be mounted read-only so the boot environment's promise is not undone by your own tools.

24 Two quick ways of using F.I.R.E.: burn the ISO to a CD and boot from it, or boot the ISO from within VMware.

25 Autopsy (http://www.sleuthkit.org/autopsy/desc.php): a graphical interface to The Sleuth Kit. Some features: case management; file analysis; file content analysis; file type; hash database; timeline of file activity; keyword search; meta data analysis; image details; image integrity; notes; reports; logging; open design; client/server model.

26 Outline (section marker: Example)

27 The compromised image: from the Digital Forensics Research Workshop (http://www.dfrw.org). Download site: http://www.honeynet.org/scans/scan24/

28 VMware: select the ISO image as the boot device, and F.I.R.E. starts. (Screenshots.)

29 Set up your network (1/2): in prompt mode, the start menu offers many options. (Screenshots.)

30 Set up your network (2/2): from the command line, set the IP address, netmask and default gateway. (Screenshot.)

31 Log your activity: this works like the script command. Right-click -> Shells/Consoles -> logging -> respawn all logging xterms. The data is saved to /data/consolelogs/$user/$date-$tty.log

32 consh and replay: consh (a shell script) does the logging; replay (a command) plays a session back from the timing file and the log: # replay May30-182215-tty_ttyp0.log.timing May30-182215-tty_ttyp0.log

33 Start command: you must point your browser at the URL it prints to start Autopsy. (Screenshot.)

34 Set up the case: select /data/ as the evidence locker. (Screenshot.)

35 Add host. (Screenshot.)

36 Add image. (Screenshot.)

37 Analysis types: file analysis (browse the various files on the image, including deleted files); keyword search (search the image for various keywords); file type (run the sorter that counts the various file types on the image); image details (summary data about the image); meta data (enter a meta data address to examine); data unit (enter a sector number to examine).

38 Some tests (1/6). (Screenshot.)

39 Some tests (2/6): enter what you want to search for; quick search. (Screenshot.)

40 Some tests (3/6): summary. (Screenshot.)

41 Some tests (4/6). (Screenshot.)

42 Some tests (5/6). (Screenshot.)

43 Some tests (6/6). (Screenshot.)

44 The final step: create the data file, create the timeline, then tar the results and record their md5sum.


47 Outline (section marker: Conclusion)

48 Conclusion: do not touch the local system.

49 Additional information (1/2): VNC. (Diagram: a VNC connection to the F.I.R.E. workstation over the Internet.)

50 Additional information (2/2): for the legal issues, go to the INSA Knowledge-Base.

