• Home

  • Documents

  • DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert...
21
DFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, Michael McCarrin # Joe Sylve * Vassil Roussev + # Naval Postgraduate School * BlackBag Technologies + University of New Orleans 1

DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

  • Upload
    vudan

  • View
    218

  • Download
    3

Embed Size (px)

Citation preview

Page 1: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

DFRWSForensicsChallenge2016

RobertBeverly,BrianGreunke,MichaelMcCarrin#

JoeSylve*VassilRoussev+

#NavalPostgraduateSchool*BlackBag Technologies

+UniversityofNewOrleans

1

Page 2: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

ForensicsChallenge2016

• Background• Scenario• Results

2

Page 3: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

DFRWSForensicsChallengeGoals

1. Advanceresearchinnewandemergingareasofdigitalforensics

2. Spurdevelopmentofnewtoolsandtechniques

3

Page 4: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

RichHistoryofOfferingTimelyForensicsChallengestothe

Community…Year Challenge

2015 GPUMalware

2014 Mobile Malware

2013 BlockClassifier

2012 BlockClassifier

2011 AndroidForensics

2010 FlashMemory Forensics

2009 Playstation Forensics

2008 LinuxMemoryAnalysis

4

Page 5: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

RichHistoryofOfferingTimelyForensicsChallengestothe

Community…Year Challenge

2016 Software DefinedNetworks(SDN)

2015 GPUMalware

2014 Mobile Malware

2013 BlockClassifier

2012 BlockClassifier

2011 AndroidForensics

2010 FlashMemory Forensics

2009 Playstation Forensics

2008 LinuxMemoryAnalysis

5

Page 6: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

SoftwareDefinedNetworks

• NewModelforBuilding/OperatingNetworks:– MoveawayfromproprietarynetworkOS– Open/programmablenetworkswitches– Standards-basedprotocol(OpenFlow)– Commodityhardware– Centralizedcontrol

• Promise:– Lower-cost,multi-vendor– Correctness– Enableinnovationwithinnetwork– Enablevirtualization

6

Page 7: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

SDNAbstraction• Switchesmaintaina“flowtable:”– Packetmatchingrulesandactions– Hardandsoftstate– Ifnomatch,packetissenttoacontroller

• E.g.– in_port=2,nw_src=42.59.142.200/30 actions=mod_dl_src:41:31:3a:38:42:3a idle_timeout=45, out_port=7

• Controllers:– OpenFlow-speakingsoftwareonaPC– Proactivelyorreactivelyinstallflowrules– Includesophisticatedlogic

7

Page 8: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

StateofSDN• Implementations:– Hardwarefrommajorvendorsandstartups– Softwareswitches(e.g.,OpenvSwitch inLinuxKernel)– Opensoftwarecontrollers(e.g.,Ryu,Pox,Floodlight,etc)

• Deployments:– GoogleB4,Amazon,enterprises,etc.– Morevirtualswitchportsinexistencetodaythanphysical!

• But,security:– Onlynascentresearch– NoworkonSDNforensics

8

Page 9: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

ForensicsChallenge2016

• Background• Scenario• Results

9

Page 10: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

SDNChallenge• Participantsgiven:– Switchmemoryimage– pcap ofnettrafficbetweencontrollerandswitch– Nootherknowledgeorcluesofscenariosetup

• Forensicquestions:– WhattypeofSDNswitchandcontroller?– Whathostswereconnectedtowhichports?– Whattrafficdidhostssend?– Whatflowruleswereinstalledonswitch?– Whatactionsdidswitchtake,andwhen?

10

Page 11: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

Scenario

• 4Physicallydistinctdevices:– Ryu OpenFlow controller– OVSLinuxSDNswitch– Twohosts

• OpenFlow TLSECDHEbetweencontrollerandswitch,withcertidentifyinginforemoved

• LiME rawmemoryimageofLinuxOVSafterreboot*– Pre-installedanddynamicflowtablerules– Expiredandnon-expiredflowtablerules

11

OVS

Ryu

H1 H2

Page 12: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

LevelsofComplexity

• WhattypeofSDNswitchandcontroller?• LiME memorydump,Linux/OVSsignatures• Controllercapabilitiesnegotiation

• Whathostswereconnectedtowhichports?• Flowrules(w/MACandIPs),includingresidual,presentin

memorydumps• Butwhereinmemory…

• Whatactionsdidswitch/controllertake,andwhen?• Someactivityrevealedinencryptedtraffic

12

Page 13: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

ForensicsChallenge2016

• Background• Scenario• Results

13

Page 14: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

Participants(thanks!)

• Foursubmissions:– KoreaUniversity– BoozeAllenHamilton(BAH)– UniversityofNewhaven– Salford University

14

Page 15: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

ChallengeApproaches

• Misunderstandchallenge:– e.g.,IPaddressesofcontrollerandswitchratherthanhostsandflowrules

• Analyzeencryptedpcap:– Difficultandlimited

• CarveOVSdatastructures/logsfrommemoryimage

• ObtainECDHEprivatekey,pre-masterkeyfrommemoryimage,decryptsouthboundpcap

15

Page 16: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

2016Winners

16

Congrats!!

Page 17: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

BAHSubmission(or,whatmakesawinningsubmission)

• Welldocumented:– Approach– Findings– Howtoreproduce

• Correctlyansweredallchallengequestions• Createdvolatilityplugins• Workedtowardautomatingsystem

17

Page 18: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

BAHApproach

1. Determineformat/typeofmemorydump(usingstrings)• Linuxmachine,LiME dump,butrawformat

2. Recreatephysicaltovirtualaddressmapping• FromBIOSartifacts

3. Createnewmemoryimage4. RunvolatilitywithcorrectLinuxprofile

18

Page 19: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

BAHApproach(con’t)

• Recoverprivatekeyfrommemory• AnalyzeTLShandshake• Yara onmemoryimagetoobtainpre-masterkey

• IdentifyTLShandshakemessageswithrandomtimeandbytes,obtainmasterkey

• Decryptpcap,recoverOpenFlow messages• (Also,obtainOVSlogmessages)

19

Page 20: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

WrappingUp

• Fullsolutiontobepostedondfrws.org afterthissession

• Thankstoalltheparticipants!

20

Page 21: DFRWS Forensics Challenge 2016 - CMAND · PDF fileDFRWS Forensics Challenge 2016 Robert Beverly, Brian Greunke, ... 2014 Mobile Malware 2013 Block Classifier 2012 Block Classifier

Challenge2017

• Nextyear’schallengeTBD:– ContinueSDN?– Internetofthings?– UEFImalware?–Windows10?– Drones?– Cloud?– Other?

21

Pleasesendfeedback/flames:[email protected]


DSVS Rotating Classifier

DSVS Rotating Classifier

Documents
SVM classifier

SVM classifier

Documents
Cm Classifier

Cm Classifier

Documents
16S classifier

16S classifier

Science
Bayesian Network Classifier

Bayesian Network Classifier

Documents
Naïve Bayes Classifier · Naïve Bayes Classifier 17 • Bayes Classifier with additional “naïve” assumption: – Features are independent given class: – More generally: •

Naïve Bayes Classifier · Naïve Bayes Classifier 17 • Bayes Classifier with additional “naïve” assumption: – Features are independent given class: – More generally: •

Documents
Define: Classifier

Define: Classifier

Documents
AIR CLASSIFIER TURBO CLASSIFIER - AAAmachine, Inc. · for Turbo Classifier To adjust the classification point of Turbo Classifier, revolution speed of the classifica-tion rotor and

AIR CLASSIFIER TURBO CLASSIFIER - AAAmachine, Inc. · for Turbo Classifier To adjust the classification point of Turbo Classifier, revolution speed of the classifica-tion rotor and

Documents
Air Classifier - Klumpar

Air Classifier - Klumpar

Documents
iPhone Forensics Methodology and Tools · Forensics methodologies, iPhone forensics, forensics tools, digital forensics evidence handling, INTRODUCTION iPhone mobile phone is becoming

iPhone Forensics Methodology and Tools · Forensics methodologies, iPhone forensics, forensics tools, digital forensics evidence handling, INTRODUCTION iPhone mobile phone is becoming

Documents
AIR CLASSIFIER TURBO CLASSIFIER - AAAmachine

AIR CLASSIFIER TURBO CLASSIFIER - AAAmachine

Documents
Classifier API for Mac - Forcepoint · Classifier API for Mac UM643700 boldonjames.com 3 1 INTRODUCTION Boldon James Classifier API enables limited Classifier functionality to be

Classifier API for Mac - Forcepoint · Classifier API for Mac UM643700 boldonjames.com 3 1 INTRODUCTION Boldon James Classifier API enables limited Classifier functionality to be

Documents
Logistic Regression Classifier

Logistic Regression Classifier

Documents
Design of Classifier for Detecting Image Tampering Using … · Image tampering detection is a significant multimedia forensics topic which involves, assessing the authenticity or

Design of Classifier for Detecting Image Tampering Using … · Image tampering detection is a significant multimedia forensics topic which involves, assessing the authenticity or

Documents
Dynamic Classifier Systems for Classifier Aggregation

Dynamic Classifier Systems for Classifier Aggregation

Documents
The Naïve Bayes Classifier - svivek · •The naïve Bayes Classifier •Learning the naïve Bayes Classifier •Practical concerns 2. Today’s lecture •The naïve Bayes Classifier

The Naïve Bayes Classifier - svivek · •The naïve Bayes Classifier •Learning the naïve Bayes Classifier •Practical concerns 2. Today’s lecture •The naïve Bayes Classifier

Documents
Grit Classifier

Grit Classifier

Documents
Pollyanna Document Classifier

Pollyanna Document Classifier

Technology
rule-based classifier

rule-based classifier

Documents
COE589: Digital Forensics - ccse.kfupm.edu.saahmadsm/coe589-122/00_Overview_Logisti… · Digital Forensics computer forensics mobile forensics network forensics ... COE589 - Ahmad

COE589: Digital Forensics - ccse.kfupm.edu.saahmadsm/coe589-122/00_Overview_Logisti… · Digital Forensics computer forensics mobile forensics network forensics ... COE589 - Ahmad

Documents
Naïve Bayes Classifier - unibas.ch · The Naïve Bayes classifier is more than a spam or text classifier. It is a general classification model based on the Bayes classifier with

Naïve Bayes Classifier - unibas.ch · The Naïve Bayes classifier is more than a spam or text classifier. It is a general classification model based on the Bayes classifier with

Documents
AdaBoost 1. Classifier Simplest classifier 2 3 Adaboost: Agenda (Adaptive Boosting, R. Scharpire, Y. Freund, ICML, 1996): Supervised classifier Assembling

AdaBoost 1. Classifier Simplest classifier 2 3 Adaboost: Agenda (Adaptive Boosting, R. Scharpire, Y. Freund, ICML, 1996): Supervised classifier Assembling

Documents
MAHOUT classifier tour

MAHOUT classifier tour

Technology
Air Classifier Article

Air Classifier Article

Documents
Classifier Document

Classifier Document

Documents
Question Classifier

Question Classifier

Education
PARTICLE CLASSIFIER

PARTICLE CLASSIFIER

Documents
Classifier training

Classifier training

Documents
Air Classifier CTM

Air Classifier CTM

Documents
Numbers of Classifier

Numbers of Classifier

Documents