
2004, Jei. F.I.R.E.: Forensics & Incident Response Environment. Information Networking Security and Assurance Lab, National Chung Cheng University.




Slide 2: Outline
- Preface
- Analyze Unknown Binary
- F.I.R.E.
- Example
- Conclusion

Slide 3: Outline (this section: Preface)

Slide 4: What and the Purpose
- Examine an unknown malware binary with open-source tools:
  - The Sleuth Kit
  - Autopsy
  - strings
  - hexedit
  - ...
- F.I.R.E.: packages all the tools together on a bootable CD

Slide 5: Outline (this section: Analyze Unknown Binary)

Slide 6: Under an Unknown Condition
- Possibly where the binary came from
- What the binary's purpose is
- It may be possible to identify when the system was compromised and the binary installed
- It may also be possible to discover which user ID facilitated the compromise of the system

Slide 7: Binary Details
- From http://www.giac.org/gcfa/binary_v1.3.zip
- The file size when extracted
- The file size within the archive
- The last modified time
- CRC number
- User ID, md5sum, ...

Slide 8: The strings command
- Parses an input file and outputs the readable strings
- Walks through the code sequentially
- The binary may deal with creating and starting services
- It may be an ICMP back-door to a cmd.exe shell

Slide 9: The hexedit command
- Purposes:
  - Confirm the function of the application
  - Confirm (possibly) who was involved in its creation or distribution
- The command line
- Some information you are interested in!!

Slide 10
- The person who may have compiled, written or created the zip file
- May be an ICMP back-door to a cmd.exe shell

Slide 11
- May be the hacker's message
- smesses.exe and reg.exe: querying and modifying registry entries
- The IP address

Slide 12: Some DLL files
- KERNEL32.dll
- ADVAPI32.dll
- WS2_32.dll
- MSVCRT.dll
- MSVP60.dll

Slide 13: The objdump command
- Views library information about a binary executable
- -p option: print the object header information
- The command
- The time and date

Slide 14
- The kernel interface was dealing with pipes and handles, so the application was talking to interfaces, processes or other applications!!

Slide 15
- The application was doing something to the system's services

Slide 16
- Socket and IOCTL calls may be present, so the application is definitely communicating with external applications through a socket

Slide 17
- Shows the basic terminal I/O communications through the standard MSVCRT library

Slide 18: The f-prot command
- It's a virus scanner
- Can live-update (/usr/local/f-prot/update-defs.sh)
- The command
- Nothing is found

Slide 19: All evidence leads me to decide
- An ICMP back-door to cmd.exe
- Default password may be loki
- Coded by the Spoof Hacker group
  - MFC
- May have been installed by local user Rich

Slide 20: From Google
- http://packetstormsecurity.com/crypt/misc/loki2.tar.gz
- A Windows version coded on the basis of loki2 for Unix-like OS

Slide 21: Outline (this section: F.I.R.E.)

Slide 22: What
- A bootable Linux CD that turns any machine into a forensics workstation
- Boots the entire system without touching the local system
- Open source: http://fire.dmzs.com and http://www.sourceforge.net/projects/biatchux

Slide 23: How
- F.I.R.E. runs within a RAM disk, so it does not touch the system or the images
- Log the information you need to the /data/ directory

Slide 24: Two quick ways of using F.I.R.E.
- Burn the ISO to a CD and boot from it
- The ISO can be booted from within VMware

Slide 25: Autopsy
- http://www.sleuthkit.org/autopsy/desc.php
- Graphical interface
- Some features:
  - Case Management
  - File Analysis
  - File Content Analysis
  - File Type
  - Hash Database
  - Timeline of File Activity
  - Keyword Search
  - Meta Data Analysis
  - Image Details
  - Image Integrity
  - Notes
  - Reports
  - Logging
  - Open Design
  - Client Server Model

Slide 26: Outline (this section: Example)

Slide 27: The compromised image
- From the Digital Forensics Research Workshop, http://www.dfrw.org
- Download site: http://www.honeynet.org/scans/scan24/

Slide 28: VMware
- Select the ISO image
- The beginning!!

Slide 29: Set up your network (1/2)
- Prompt mode
- Start menu!!
- Many options

Slide 30: Set up your network (2/2)
- Command line
- Set up the IP address, netmask and default gateway!!

Slide 31: Log your activity
- Like the script command!
- Right click -> Shells/Consoles -> logging -> respawn all logging xterms
- The data is saved to /data/consolelogs/$user/$date-$tty.log

Slide 32: consh and replay
- consh (shell script): does the logging
- replay (command): # replay May30-182215-tty_ttyp0.log.timing May30-182215-tty_ttyp0.log

Slide 33: Start
- The command
- You must point your browser at this URL to start

Slide 34: Set up the Case
- Select /data/

Slide 35: Add Host

Slide 36: Add Image

Slide 37: Analysis type
- File analysis: browse the various files available on the image, including deleted files
- Keyword search: search the image for various keywords
- File type: run the sorter that counts the various file types on the image
- Image details: summary data about the image
- Meta Data: enter a meta data number to search for
- Data Unit: enter a sector number

Slide 38: Some tests (1/6)

Slide 39: Some tests (2/6)
- Enter what you want to search for
- Quick search

Slide 40: Some tests (3/6)
- Summary

Slide 41: Some tests (4/6)

Slide 42: Some tests (5/6)

Slide 43: Some tests (6/6)

Slide 44: The final step
- Create Data File
- Create Timeline
- tar & md5sum


Slide 47: Outline (this section: Conclusion)

Slide 48
- Do not touch the local system

Slide 49: Additional Information (1/2)
- VNC
- Internet VNC connection

Slide 50: Additional Information (2/2)
- Some legal issues: go to the INSA Knowledge-Base

