1 EMC CONFIDENTIAL—INTERNAL USE ONLY
Digital Forensics
Mike Gotham – ASOC Senior Systems Engineer RSA The Security Division of EMC [email protected]
2 EMC CONFIDENTIAL—INTERNAL USE ONLY
The Internet is a dark and scary place. Malware can easily infiltrate enterprises and cause billions of dollars in damage. Our security professionals and evangelists must stress the importance of this to those outside the security community.
-Abraham Lincoln
What we’ll cover:
• Static Analysis
• Dynamic Analysis
• Network Analysis
Strings
• First look at the obvious – examining a piece of malware for strings (sequences of printable characters) can reveal a few clues about what the malware does, or what it is capable of doing
Source: http://malwaremusings.com/2012/09/07/the-usefulness-of-strings-during-static-malware-analysis/
Strings (Cont’d)
Source: https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf
Strings (Cont’d)
Source: https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf
• Be careful about drawing conclusions
• There is nothing stopping the attacker from planting strings meant to deceive the analyst
• Strings are a good first step and can sometimes even provide attribution
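A strings pass is the "first look" the slides describe; the following is an added example, not code from the deck, that collects both ASCII and UTF-16LE runs (Windows malware keeps many of its interesting strings in wide form, which a plain ASCII pass misses) and groups them by keyword hints. The sample bytes and the hint table are constructed for the demonstration; hits are leads to verify, not conclusions, for exactly the reason the slide gives.

```python
import re

# Constructed stand-in for a binary under analysis (not a real sample):
# a DOS stub, two ASCII strings, a UTF-16LE URL and some non-printable filler.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00kernel32.dll\x00\x01\x02\x03\x04"
    b"CreateRemoteThread\x00\xff\xfe\xfd"
    + "http://example.test/beacon".encode("utf-16-le")
    + b"\x00\x00ab\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]+")          # runs of printable ASCII
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00)+")  # printable ASCII in UTF-16LE form

def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least min_len characters."""
    found = []
    for m in ASCII_RE.finditer(data):
        if len(m.group()) >= min_len:
            found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        text = m.group().decode("utf-16-le")
        if len(text) >= min_len:
            found.append((m.start(), "utf-16le", text))
    return sorted(found)   # file order, so nearby strings stay together

# Constructed keyword hints: things an analyst would want to look at more closely.
HINTS = {
    "network": ("http://", "https://", ".test", "User-Agent"),
    "injection": ("CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"),
    "library": (".dll",),
}

def classify(strings):
    """Map each hint category to the strings that triggered it (a lead, not proof)."""
    hits = {category: [] for category in HINTS}
    for _, _, text in strings:
        for category, needles in HINTS.items():
            if any(n.lower() in text.lower() for n in needles):
                hits[category].append(text)
    return hits
```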
Why PE File format analysis?
• How the Windows loader loads the executable in memory.
• How the loader builds the import and export tables for a module in memory.
• Where execution starts: the Address of Entry Point.
• Answers the question “how does a binary compiled on one version of Windows work on another version of Windows?”
• Where an attacker would attack.
• Also, today malware is generally encrypted or packed. In order to rebuild the original binary, we need to know how the binary is structured.
Source: http://www.slideshare.net/securityxploded/reversing-malware-analysis-training-part-3-windows-pe-file-format-basics
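The loader path the slide lists (DOS header, NT headers, section table, AddressOfEntryPoint) can be walked with a few `struct` reads. This is an added example, not code from the deck or from any named tool; it builds a constructed, headers-only PE32 image so it runs offline, maps the entry point RVA to its section and raw file offset, and flags the placements that usually point at packing or tampering (entry point in a non-executable section, or outside every section).

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000          # IMAGE_SECTION_HEADER.Characteristics bit
SECTION_HDR = "<8sIIIIIIHHI"                # IMAGE_SECTION_HEADER layout, 40 bytes

def build_minimal_pe(entry_rva):
    """Constructed skeletal PE32 (headers and section table only) so the parser has input."""
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 60, 64)                     # e_lfanew: NT headers at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections
    opt = bytearray(224)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    secs = b"".join(
        struct.pack(SECTION_HDR, name, size, va, size, raw, 0, 0, 0, 0, flags)
        for name, va, size, raw, flags in (
            (b".text\0\0\0", 0x1000, 0x200, 0x400, 0x60000020),   # code: exec|read
            (b".data\0\0\0", 0x2000, 0x100, 0x600, 0xC0000040),   # data: read|write
        )
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs

def parse_pe(data):
    """DOS header -> NT headers -> section table: the path the loader itself walks."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                     # past signature + COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                         "va": f[2], "rawsize": f[3], "raw": f[4], "flags": f[9]})
    return {"entry_rva": entry_rva, "sections": sections}

def locate_entry_point(data):
    """Map AddressOfEntryPoint to its section and raw file offset; flag odd placements."""
    pe = parse_pe(data)
    rva = pe["entry_rva"]
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            file_off = s["raw"] + (rva - s["va"])            # RVA -> file offset
            if not s["flags"] & IMAGE_SCN_MEM_EXECUTE:
                return s["name"], file_off, "suspicious: entry point in non-executable section"
            return s["name"], file_off, "ok"
    return None, None, "suspicious: entry point outside every section"
```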
Examining the PE Structure
Source: https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf
Static Analysis Involving Memory
• In malware analysis, there is not a true separation of dynamic and static analysis. They are often performed together.
• Memory is a source of data for static analysis. However, it is captured via dynamic analysis.
• An analyst can capture the internal runtime state of an executable by dumping its address space.
Why memory analysis?
• Consider performing memory analysis in these instances:
  – Code injection
  – Hollowed processes
  – Packed code
• Main challenges of memory analysis are:
  – PE header no longer accurate
  – Imports lost
  – Function identification bad
  – Offsets and references bad
Dead Box Forensics
• Computer forensics
  – Detecting, analyzing, and reporting on evidentiary artifacts found in computer physical memory
• Forensics investigations
  – Seeks to uncover evidence and then analyze it in order to gain a full understanding of a crime scene, the motives of the perpetrator, or the criminal’s identity.
    ▪ As computers and the Internet have become ubiquitous in our daily lives, the cyber realm increasingly contains potential evidence for all types of criminal investigations.
    ▪ Traditional cyber forensics have focused on “dead-box” analysis, but there is an emerging methodology for “live-box” analysis—a technique that preserves and harvests vital evidence from a computer’s physical memory, also referred to as random-access memory (RAM) or volatile memory.
Source: http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=116&Itemid=49
Seizing evidence
Source: https://star.worldbank.org/star/sites/star/files/english_-_computer_forensics_-_day_2.pdf
Dead box acquisition
Source: https://star.worldbank.org/star/sites/star/files/english_-_computer_forensics_-_day_2.pdf
Forensics tools Example
• Guidance Software – EnCase Forensics
• AccessData – Forensic Tool Kit (FTK)
• Magnet Forensics – Internet Evidence Finder (IEF)
Source: http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=116&Itemid=49
Why Dynamic Analysis?
• Static analysis will reveal some immediate information
• Exhaustive static analysis could theoretically answer any question, but it is slow and hard
• Usually you care more about « what » the malware is doing than « how » it is being accomplished
• Dynamic analysis is conducted by observing and manipulating malware as it runs
Source: https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf
Dynamic Analysis
• Dynamic analysis of malware focuses on observing the malware’s behavior as it executes in a safe environment.
• Tasks include:
  – Monitoring API calls to discover what the malware is doing.
  – Observing changes to the system.
  – Observing network traffic.
  – Revealing unpacked code.
• The key to dynamic analysis is to monitor how the malware modifies the analysis system. System changes may come in the form of:
  – Files saved to or deleted from the file system.
  – Registry keys added to the Windows registry.
  – Network activity generated by the malware.
Safe Environment
• Our nice & safe analytical environment wasn’t that important during static analysis.
• As soon as you run an unknown piece of code on your system, nothing that’s writable can be trusted.
• In general we will need to run the program many times. Snapshots make life easier.
Source: https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf
System Monitoring
• What we are after
  – Registry Activity
  – File Activity
  – Process Activity
  – Network Traffic
Source: https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf
The Tools
• Registry
  – Procmon
  – Regstat
• API
  – Capture-Bat
  – API Monitor
• Network Traffic
  – Wireshark
  – Paros
• Process
  – Process Hacker
  – SysInternals Process Monitor
• Debuggers
  – IDA Pro
  – Windbg
  – Ollydbg
Processes
• Processes/threads are separate units of execution that have a number of unique attributes:
  – Open file handles
  – Memory mappings
  – Network connections
  – Privileges
Source: https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf
Non-Tampered with Process list
• ACTIVE PROCESS BLOCK
• EPROCESS BLOCK
• FLINK
• BLINK
[Diagram: four EPROCESS blocks, each carrying a Unique Process ID, chained together through their FLINK/BLINK pointers]
List Walking
PsActiveProcessHead > _LIST_ENTRY > EPROCESS…
Tampered list
• Hooking
• Direct Kernel Object Manipulation (DKOM)
• Cold Boot Attacks
• Other Methods
[Diagram: EPROCESS blocks for Explorer.exe, cmd.exe, Calc.exe and EVIL, each with its FLINK/BLINK pointers]
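The two slides above (the untampered list walk and the DKOM-tampered list) can be modelled in a few lines; the following is an added example, not code from the deck or from any forensic tool. It builds the circular FLINK/BLINK list the walk relies on, simulates the list being rewired around one node, and then shows the defender's counter: a cross-view check that compares the list walk with the set of EPROCESS objects found by scanning memory (the idea behind psscan versus pslist). Process names mirror the diagram; PIDs are made up.

```python
class Eprocess:
    """Toy stand-in for the kernel _EPROCESS and its ActiveProcessLinks."""
    def __init__(self, pid, name):
        self.pid, self.name = pid, name
        self.flink = self.blink = self      # _LIST_ENTRY forward/backward links

def build_active_list(head, procs):
    """Chain processes into the circular doubly linked list anchored by the head."""
    prev = head
    for p in procs:
        prev.flink, p.blink = p, prev
        prev = p
    prev.flink, head.blink = head, prev
    return head

def walk_active_list(head):
    """pslist-style walk: follow FLINK from PsActiveProcessHead until it wraps around."""
    seen, node = [], head.flink
    while node is not head:
        seen.append(node)
        node = node.flink
    return seen

def unlink_dkom(proc):
    """Model of the DKOM tampering named on the slide: the neighbours are rewired so
    the list skips this node; the process itself keeps running untouched."""
    proc.blink.flink = proc.flink
    proc.flink.blink = proc.blink

def find_hidden(head, pool_objects):
    """Cross-view check: an EPROCESS found by scanning memory (psscan-style) but
    missing from the list walk is a candidate for a hidden process."""
    listed = {p.pid for p in walk_active_list(head)}
    return [p for p in pool_objects if p.pid not in listed]

def demo():
    # Constructed process set mirroring the slide's diagram; PIDs are made up.
    head = Eprocess(0, "PsActiveProcessHead")
    procs = [Eprocess(1234, "Explorer.exe"), Eprocess(2048, "cmd.exe"),
             Eprocess(3100, "Calc.exe"), Eprocess(4444, "EVIL")]
    build_active_list(head, procs)
    before = [p.name for p in walk_active_list(head)]
    unlink_dkom(procs[3])
    after = [p.name for p in walk_active_list(head)]
    hidden = [p.name for p in find_hidden(head, procs)]  # procs stands in for a pool scan
    return before, after, hidden
```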
Observing System Activity using Process Monitor
Process Monitor displays real-time activity for:
  – Registry
  – File system
  – Processes and threads
Examining Processes using Process Hacker
Process Hacker features include:
  – Overview of running processes and resource usage
  – Detailed system information and graphs
  – Views and edits services
  – Process termination
  – Bypasses security software and rootkits
Detecting Changes to the File System and Registry
Regshot
  – Recursive from given directory
  – Entire Registry
Examining API Calls and Parameters
API monitors:
  – Capture-Bat
  – API Monitor
  – Pymon
  – oSpy
Network Analysis
• Network analysis is an important part of dynamic analysis.
• These indicators describe network behavior:
  – Hosts
  – Domains
  – IPs accessed
• By monitoring network traffic, an analyst is able to determine:
  – What data is being sent, where is the data sent and for what reason?
  – How is the network response handled by the malware?
    ▪ Download and execute files, or run commands, DDoS
    ▪ Scanning and spreading
  – Are there backup or alternative domains and IPs for the C2 servers?
Capturing Network Traffic using Wireshark
• Wireshark
  – Network protocol analyzer
  – Provides detailed information about network traffic down to the packet level
Capturing Network Traffic – known alternative
• NetWitness Investigator or Security Analytics
  – Network protocol analyzer
  – Provides detailed information about network traffic down to the packet level
What we covered:
• Static Analysis
• Dynamic Analysis
• Network Analysis