NoSQL Forensics - SANS Institute

Page 1

© Mandiant, a FireEye Company. All rights reserved.

NoSQL Forensics

What to Do with (No)ARTIFACTS

Matt Bromiley

Senior Consultant, Mandiant

Page 2

Agenda

• $ whoami
• Why Does this Matter?
• Examining MongoDB Artifacts
  • Config File
  • CRUD Artifacts
  • User Sessions
  • In-Row Data
  • Searching Through Memory
• NoSQL Triage
• Q&A

Page 3

$ whoami

Page 4

$ whoami

• Currently a Senior Consultant with Mandiant
• 4+ years experience with a focus on data breaches, incident response, network security monitoring, and digital forensics
• Work with clients from small, regional shops to multinational Fortune 50s
• LOVE to develop open source forensic tools, share, teach, learn, and help others improve (while improving myself!)

Tweet/Git/Blog: [@]505Forensics[.com]

Page 5

Why Does This Matter?

Page 6

Why Does This Matter?

• With Microsoft, Oracle, SAP, and IBM leading the pack, who cares about NoSQL?!
• NoSQL is on the rise!
  • Easy to deploy
  • Web app friendly
  • APIs out the …
• Open-source, so lots and lots of players
  • MongoDB
  • Elastic(search)
  • Couchbase
  • Cassandra
  • Hadoop

Houdini’s Quartet of Squares

Page 7

Why Does This Matter? (cont.)

• Who's Using This Stuff?
  • MongoDB: ADP, The Weather Channel, MetLife, City of Chicago
  • Elastic(search): Netflix, Target, LinkedIn, OpenTable, GitHub
  • Couchbase: BMW, U.S. Senate, Comcast, Starbucks, eBay, AOL
  • Hadoop: eBay, Expedia, Kayak, Samsung
• Even with all this support... the default sucks!
  • Security is not a primary consideration
  • Ease of coding, data accessibility > data security

Page 8

Why Does This Matter? (cont.)

• Reports are being published on Internet-facing MongoDB servers with little or NO authentication
  • Three students from University of Saarland in Germany published a report in January 2015 of nearly 40,000 MongoDB databases openly available on the Internet
• Shodan can be used to scan for NoSQL databases

Page 9

Examining MongoDB Artifacts

Page 10

Examining MongoDB Artifacts

• Config File
  • /etc/mongodb.conf
  • First place to look!
  • Logging: where, what, how
  • Security: authentication on/off?
  • Access: IP address, connection ports
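To make the config-file checks above repeatable, here is an added example (not from the deck) in Python: it parses either the 2.x key=value format or the flat subset of the 3.x YAML format and reports the logging, authentication and bind settings together with what each implies for the examiner. The two sample configs are constructed; the option names (auth, bind_ip, port, logpath, logappend and their 3.x equivalents security.authorization, net.bindIp, net.port, systemLog.path, systemLog.logAppend) are real mongod options, and the assumption that an unset bind address means all interfaces reflects the mongod defaults of that era.

```python
"""Triage a mongod configuration file for what the slide says to look for:
where it logs, whether authentication is on, and which IP/port it accepts
connections on. Added example (not from the deck). Handles the 2.x
'key = value' format and the flat subset of the 3.x YAML format (nested
mappings with scalar values; no lists, anchors or multi-line values)."""

DEFAULT_PORT = 27017        # MongoDB's default port (slide: "Default port: 27017")
DEFAULT_BIND = "0.0.0.0"    # assumption: no bind address configured = all interfaces

# Constructed sample configs (not from the slides), one per format.
CONFIG_2X = """\
# mongodb.conf (2.x style)
dbpath=/var/lib/mongodb
logpath=/var/log/mongodb/mongodb.log
logappend=true
port = 27017
# bind_ip = 127.0.0.1
"""

CONFIG_3X = """\
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
net:
  port: 27018
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_config(text):
    """Return a flat {'dotted.key': 'value'} dict for either config format."""
    flat = {}
    stack = []  # (indent, key) of the YAML mappings currently open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        eq, colon = line.find("="), line.find(":")
        if eq != -1 and (colon == -1 or eq < colon):  # 2.x: key = value
            key, value = line.split("=", 1)
            flat[key.strip()] = value.strip()
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:       # leave sibling/deeper mappings
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("\"'")
        if value:
            flat[path] = value
        else:
            stack.append((indent, key.strip()))       # a mapping: its children follow
    return flat


def _first(flat, *keys, default=None):
    """First value present among the equivalent 2.x and 3.x option names."""
    for key in keys:
        if key in flat:
            return flat[key]
    return default


def assess_config(text):
    """Pull out the logging/auth/access settings and note what each implies."""
    flat = parse_mongod_config(text)
    auth_value = _first(flat, "auth", "security.authorization", default="false").lower()
    auth_on = auth_value in ("true", "enabled")
    bind_ip = _first(flat, "bind_ip", "net.bindIp", default=DEFAULT_BIND)
    port = int(_first(flat, "port", "net.port", default=DEFAULT_PORT))
    log_path = _first(flat, "logpath", "systemLog.path")
    log_append = _first(flat, "logappend", "systemLog.logAppend", default="false").lower() == "true"

    findings = []
    if not auth_on:
        findings.append("authentication off: any client that reaches the port has full access")
    if bind_ip == DEFAULT_BIND:
        findings.append("bound to all interfaces: check whether port %d is reachable from the Internet" % port)
    if log_path is None:
        findings.append("no logpath: mongod logged to stdout/syslog, look there instead of a log file")
    elif not log_append:
        findings.append("logappend off: the log was truncated on each restart, expect gaps")
    return {"auth_enabled": auth_on, "bind_ip": bind_ip, "port": port,
            "log_path": log_path, "log_append": log_append, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("2.x", CONFIG_2X), ("3.x", CONFIG_3X)):
        print(name, assess_config(cfg))
```

The 2.x sample is the interesting one: nothing in it is wrong as configuration, but with no auth line and no bind_ip the instance answers anyone who can reach 27017, which is exactly the exposure the earlier slides describe.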

Page 11

Examining MongoDB Artifacts

• CRUD Operations

CREATE

$ mongo
> use testdata
switched to db testdata
> db.blog.insert({"Title":"My First Post","Author":"505Forensics"})

Page 12

Examining MongoDB Artifacts

• CRUD Operations (cont.)

Log Output: v2.x and v3.x log entries for the insert (screenshots)

Page 13

Examining MongoDB Artifacts

• CRUD Operations

READ

> db.blog.findOne()
{
    "_id" : ObjectId("55879d3aeca5d08121fe1118"),
    "Title" : "My New Blog",
    "Author" : "505Forensics"
}

Page 14

Examining MongoDB Artifacts

• CRUD Operations (cont.)

Log Output…

Page 15

Examining MongoDB Artifacts

• CRUD Operations

UPDATE

> post = db.blog.findOne()
> post.comments = [{"Comment 1":"This is a comment!"},{"Comment 2":"This is another comment!"}]
> db.blog.update({"Title":"My New Blog"},post)

Page 16

Examining MongoDB Artifacts

• CRUD Operations (cont.)

Log Output…

Page 17

Examining MongoDB Artifacts

• CRUD Operations

DELETE

> db.blog.remove({"Title":"My New Blog"})

Page 18

Examining MongoDB Artifacts

• CRUD Operations (cont.)

Log Output…

Page 19

Examining MongoDB Artifacts

• CRUD Operations

In summary:
• Default logging SUCKS!
• Importance of config file to find other artifacts of relevance
  • External logs
  • Default port: 27017
  • Authentication
• Turn to other artifacts within MongoDB to identify information around data
  • User session IDs
  • IP addresses/ports
  • Timestamps within records
  • Memory dump

Page 20

Examining MongoDB Artifacts

• User Sessions
  • Upon connection, user sessions are assigned an ID #
  • Use the conn# to track user activity
  • Captures interactive user sessions
  • Also captures API/script interactions
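An added example (not from the deck) that does the conn# tracking in Python: it ties "connection accepted from <ip:port> #N" lines to the later "[connN]" operation and "end connection" lines, so each session reads as who connected, when, and what they did. The log excerpt is constructed to match the shape of mongod 3.x and 2.x lines; real entries carry more fields and only appear for slow operations unless the log verbosity or profiling level is raised.

```python
"""Rebuild per-connection sessions from a mongod log. Added example, not
from the deck. SAMPLE_LOG is constructed: the first lines follow the 3.x
layout (ISO timestamp, severity, component, [context]), the last two the
2.x ctime layout. Both tie a client to '#N' on accept and '[connN]' after."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2015-06-22T05:29:10.101-0500 I NETWORK  [initandlisten] connection accepted from 10.0.0.5:54321 #1 (1 connection now open)
2015-06-22T05:29:30.210-0500 I COMMAND  [conn1] command testdata.$cmd command: insert { insert: "blog", documents: [ { _id: ObjectId('55879d3aeca5d08121fe1118'), Title: "My First Post", Author: "505Forensics" } ] } 0ms
2015-06-22T05:30:02.015-0500 I NETWORK  [initandlisten] connection accepted from 203.0.113.9:40112 #2 (2 connections now open)
2015-06-22T05:30:05.330-0500 I QUERY    [conn2] query testdata.blog planSummary: COLLSCAN ntoreturn:1 nreturned:1 0ms
2015-06-22T05:30:41.877-0500 I WRITE    [conn2] remove testdata.blog query: { Title: "My New Blog" } ndeleted:1 0ms
2015-06-22T05:30:42.001-0500 I NETWORK  [conn2] end connection 203.0.113.9:40112 (1 connection now open)
2015-06-22T05:35:00.000-0500 I NETWORK  [conn1] end connection 10.0.0.5:54321 (0 connections now open)
Mon Jun 22 05:40:12.500 [initandlisten] connection accepted from 10.0.0.7:33001 #3 (1 connection now open)
Mon Jun 22 05:40:15.000 [conn3] update testdata.blog query: { Title: "My New Blog" } nupdated:1 1ms
"""

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\S+|\w{3} \w{3} +\d+ [\d:.]+)")   # 3.x ISO or 2.x ctime
ACCEPT_RE = re.compile(r"connection accepted from (\S+) #(\d+)")
CONN_RE = re.compile(r"\[conn(\d+)\]")
CMD_RE = re.compile(r"command (\S+)\.\$cmd command: (\w+)")              # write commands via <db>.$cmd


def _new_session():
    return {"client": None, "opened": None, "closed": None, "events": []}


def parse_sessions(log_text):
    """Group accept / operation / end lines by conn#: {conn_id: session}."""
    sessions = defaultdict(_new_session)
    for line in log_text.splitlines():
        ts_match = TS_RE.match(line)
        ts = ts_match.group(1) if ts_match else None
        accepted = ACCEPT_RE.search(line)
        if accepted:                            # '#N' on accept is '[connN]' afterwards
            session = sessions[int(accepted.group(2))]
            session["client"], session["opened"] = accepted.group(1), ts
            continue
        conn = CONN_RE.search(line)
        if not conn:
            continue                            # startup, replication, etc.
        session = sessions[int(conn.group(1))]
        rest = line[conn.end():].strip()
        words = rest.split()
        op = words[0] if words else ""
        if op == "end":
            session["closed"] = ts
            continue
        cmd = CMD_RE.match(rest)
        if cmd:                                 # e.g. insert { insert: "blog", ... }
            op = cmd.group(2)
            coll = re.search(r'%s: "(\w+)"' % op, rest)
            ns = "%s.%s" % (cmd.group(1), coll.group(1) if coll else "?")
        else:                                   # legacy op line: '<op> <db.collection> ...'
            ns = words[1] if len(words) > 1 and "." in words[1] else None
        session["events"].append({"ts": ts, "op": op, "ns": ns, "raw": rest})
    return dict(sessions)


def summarize(sessions):
    """One line per conn#: client, open/close times, and the operations it ran."""
    lines = []
    for cid, s in sorted(sessions.items()):
        ops = ", ".join("%s %s" % (e["op"], e["ns"] or "") for e in s["events"]) or "no logged operations"
        lines.append("conn%d %s %s -> %s: %s" % (cid, s["client"], s["opened"],
                                                 s["closed"] or "still open", ops))
    return lines


def destructive(sessions):
    """Sessions that changed or removed data: the first thing to pull in IR."""
    return [(cid, s["client"], e["ts"], e["op"], e["ns"])
            for cid, s in sorted(sessions.items())
            for e in s["events"] if e["op"] in ("remove", "delete", "update", "drop")]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for line in summarize(found):
        print(line)
    print("destructive:", destructive(found))
```

Timestamps are kept as the strings the log uses so both formats survive intact; normalize them before sorting events across a log that straddles an upgrade from 2.x to 3.x.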

Page 21

Examining MongoDB Artifacts

• In-Row Data

By default, Mongo will add an '_id' field if not provided by data entry

> db.blog.findOne()
{
    "_id" : ObjectId("55879d3aeca5d08121fe1118")
    ..snip..
}

• ID has a 12-byte structure:
  • 4-byte timestamp
  • 3-byte machine identifier
  • 2-byte process id
  • 3-byte random counter

Page 22

Examining MongoDB Artifacts

• Memory Dump
  • We can also look to system memory dumps to carve MongoDB sessions/in-memory data
  • Use what we know about data structure, commands, collections to build regex queries for memory strings
    • Every entry has an “_id” field
    • Mongo is stored in JSON
    • CRUD commands have structure
      • db.<collection>.insert({
      • db.<collection>.findOne()
      • db.<collection>.remove({
      • etc…
  • Dump memory strings, search for what we know

Page 23

Examining MongoDB Artifacts

• Memory Dump (cont.)

$ strings mem.dump | grep '{ "_id"'

(Screenshot of the grep output with the ObjectId's Timestamp, Machine ID and Process ID bytes called out)

Page 24

Examining MongoDB Artifacts

• Memory Dump (cont.)

$ strings mem.dump | grep 'db.testData'
$ strings mem.dump | grep 'testData'
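An added example (not from the deck) covering both the In-Row Data slide and the memory carving above: it decodes the 12-byte ObjectId into its four fields and then carves ObjectId-bearing documents and db.<collection>.<op>( calls out of a constructed memory blob with the same printable-string approach as strings | grep. One caveat worth stating: these patterns find the JSON-like text the shell prints and the commands typed into it; the data files themselves are BSON and need a BSON-aware carver.

```python
"""Decode MongoDB ObjectIds and carve Mongo-shaped strings out of a memory
image. Added example, not from the deck. MEMORY is a constructed blob that
mixes binary noise with shell output and typed commands; the ObjectId
values reuse the one shown on the slides plus a second one 17 s later."""
import re
import struct
from datetime import datetime, timezone

MEMORY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16                                   # unrelated bytes
    + b'{ "_id" : ObjectId("55879d3aeca5d08121fe1118"), "Title" : "My New Blog", "Author" : "505Forensics" }'
    + b"\xff\xfe" * 8
    + b"db.blog.findOne()\x00"
    + b'db.blog.remove({ "Title" : "My New Blog" })\x00'
    + b'{ "_id" : ObjectId("55879d4beca5d08121fe1119"), "Title" : "Second post" }'
    + b"\x00" * 8
)

OBJECTID_RE = re.compile(r'ObjectId\("([0-9a-f]{24})"\)')
DOC_RE = re.compile(r'\{ "_id" : ObjectId\("[0-9a-f]{24}"\)[^}]*\}')        # one flat document
CMD_RE = re.compile(r'db\.(\w+)\.(insert|find|findOne|update|remove)\(')   # shell CRUD calls


def decode_objectid(hex_id):
    """Split the 12 bytes into timestamp / machine / pid / counter (4/3/2/3)."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("ObjectId is 12 bytes, got %d" % len(raw))
    (seconds,) = struct.unpack(">I", raw[:4])        # big-endian seconds since the Unix epoch
    return {
        "timestamp": datetime.fromtimestamp(seconds, tz=timezone.utc),
        "machine": raw[4:7].hex(),
        "pid": int.from_bytes(raw[7:9], "big"),
        "counter": int.from_bytes(raw[9:12], "big"),
    }


def carve_strings(blob, min_len=4):
    """Printable-ASCII runs, equivalent to `strings -n 4`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def carve_mongo(blob):
    """Return (documents, commands) found among the blob's strings."""
    docs, cmds = [], []
    for s in carve_strings(blob):
        for d in DOC_RE.finditer(s):
            oid = OBJECTID_RE.search(d.group()).group(1)
            docs.append(dict(oid=oid, doc=d.group(), **decode_objectid(oid)))
        for c in CMD_RE.finditer(s):
            cmds.append({"collection": c.group(1), "op": c.group(2), "text": s[c.start():]})
    docs.sort(key=lambda d: d["timestamp"])          # oldest insert first: a timeline for free
    return docs, cmds


if __name__ == "__main__":
    documents, commands = carve_mongo(MEMORY)
    for d in documents:
        print(d["timestamp"].isoformat(), d["machine"], d["pid"], d["counter"], d["doc"])
    for c in commands:
        print(c["op"], "on", c["collection"], ":", c["text"])
```

Because the first four bytes are the insert time, sorting carved documents by decoded timestamp gives an ordering even when the log is gone, and a machine/pid pair that differs from the host being examined points at a document created elsewhere (another node, a driver-side ObjectId, or an import).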

Page 25

NoSQL Triage

Page 26

NoSQL Triage

• NoSQL Triage
  • Let’s say we encounter a MongoDB…what do we want to know?
    • DB information
    • Tables, collections, “schemas”
    • Users
    • Recent operations/changes
    • Size of cluster (if > 1)
  • Sources of data:
    • Config file
    • Other logs
    • MongoDB itself!
      • Mongo commands
      • JavaScript


Page 27

NoSQL Triage

• NoSQL Triage (cont.)
  • MongoDB has a range of built-in diagnostic commands that can be used to profile a running instance
    • mongostat – Provides quick overview of a running instance
      • Can be used for remote servers

Page 28

NoSQL Triage

• NoSQL Triage (cont.)
  • MongoDB has a range of built-in diagnostic commands that can be used to profile a running instance
    • mongotop – Provides time tracking of operations
      • Great for DB/collection breakdown!
      • Can be used for remote servers

Page 29

NoSQL Triage

• NoSQL Triage (cont.)
  • MongoDB has a range of built-in diagnostic commands that can be used to profile a running instance
    • mongosniff – Basically tcpdump for MongoDB
      • Not normally available in production environments; requires special build instructions
      • However! Wireshark can also parse MongoDB traffic

Page 30

NoSQL Triage

• NoSQL Triage (cont.)
  • PCAP: (screenshot)
  • MongoDB Log: (screenshot)

Page 31

NoSQL Triage

• NoSQL Triage (cont.)
  • MongoDB also has a wide range of administration commands built-in
  • JavaScript-function format

$ mongo
> db.serverStatus()

Page 32

Examining MongoDB Artifacts

• NoSQL Triage (cont.)
  • We can also pass JavaScript commands directly through the terminal to pull back information
  • For example:

mongo --eval "printjson(db.serverStatus())"

  • We can script it…we have the technology!
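An added example (not from the deck) that scripts the --eval approach from Python: it builds the mongo command lines, runs a fixed set of read-only queries, and normalizes the shell's printjson output (ObjectId(...), ISODate(...), NumberLong(...), Timestamp(...)) into strict JSON, which json.loads otherwise rejects. The shell flags (--quiet, --host, --port, --eval) and the shell commands are real; SAMPLE_STATUS is a constructed, abbreviated db.serverStatus() printout, and run_triage is skipped when no mongo shell is on PATH.

```python
"""Drive read-only MongoDB triage through `mongo --eval` and make the
shell's printjson output machine-readable. Added example, not from the
deck. SAMPLE_STATUS is constructed and abbreviated; a real serverStatus()
document is far larger but uses the same type wrappers."""
import json
import re
import shutil
import subprocess

# Read-only shell JavaScript; one --eval per query so a failing command cannot hide the others.
TRIAGE_QUERIES = {
    "server_status": "printjson(db.serverStatus())",
    "databases": "printjson(db.adminCommand('listDatabases'))",
    "collections": "printjson(db.getCollectionNames())",
    "users": "printjson(db.getUsers())",
    "current_ops": "printjson(db.currentOp())",
}


def build_command(host, port, db, js, mongo_bin="mongo"):
    """argv for the legacy shell; --quiet drops the banner that would break JSON parsing."""
    return [mongo_bin, "--quiet", "--host", host, "--port", str(port), db, "--eval", js]


# printjson emits shell JavaScript, not strict JSON: unwrap the BSON type helpers.
_WRAPPERS = [
    (re.compile(r'ObjectId\("([0-9a-f]{24})"\)'), r'"\1"'),
    (re.compile(r'ISODate\("([^"]*)"\)'), r'"\1"'),
    (re.compile(r'Timestamp\((\d+), *(\d+)\)'), r'[\1, \2]'),
    (re.compile(r'Number(?:Long|Int)\("?(-?\d+)"?\)'), r'\1'),
    (re.compile(r'BinData\(\d+, *"([^"]*)"\)'), r'"\1"'),
]


def shell_json_to_python(text):
    """Parse printjson output into Python objects."""
    for pattern, replacement in _WRAPPERS:
        text = pattern.sub(replacement, text)
    return json.loads(text)


def summarize_status(status):
    """The handful of serverStatus fields worth recording at first contact."""
    conns = status.get("connections", {})
    ops = status.get("opcounters", {})
    return {
        "host": status.get("host"),
        "version": status.get("version"),
        "uptime_s": status.get("uptime"),
        "server_time": status.get("localTime"),        # compare with the examiner's clock
        "connections_now": conns.get("current"),
        "connections_total": conns.get("totalCreated"),
        "deletes_since_start": ops.get("delete"),
        "updates_since_start": ops.get("update"),
    }


def run_triage(host, port, mongo_bin="mongo"):
    """Run every query against a live instance; None when no shell is installed."""
    if shutil.which(mongo_bin) is None:
        return None
    results = {}
    for name, js in TRIAGE_QUERIES.items():
        proc = subprocess.run(build_command(host, port, "admin", js, mongo_bin),
                              capture_output=True, text=True, timeout=30)
        try:
            results[name] = shell_json_to_python(proc.stdout)
        except ValueError:                      # error text or a wrapper not handled above
            results[name] = {"raw": proc.stdout, "stderr": proc.stderr}
    return results


SAMPLE_STATUS = """{
    "host" : "db01",
    "version" : "3.0.4",
    "process" : "mongod",
    "pid" : NumberLong(1234),
    "uptime" : 86400,
    "localTime" : ISODate("2015-06-22T05:29:30.123Z"),
    "connections" : { "current" : 3, "available" : 816, "totalCreated" : NumberLong(41) },
    "opcounters" : { "insert" : 12, "query" : 340, "update" : 5, "delete" : 1, "getmore" : 0, "command" : 420 },
    "ok" : 1
}"""

if __name__ == "__main__":
    print(" ".join(build_command("10.0.0.5", 27017, "admin", TRIAGE_QUERIES["server_status"])))
    print(summarize_status(shell_json_to_python(SAMPLE_STATUS)))
    live = run_triage("127.0.0.1", 27017)
    print("live triage:", "no mongo shell on PATH" if live is None else list(live))
```

Keep the raw stdout of every query alongside the parsed form: the parsed summary is what goes in the timeline, but the untouched printjson text is the artifact you can hash and attach to the case.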

Page 33

Examining MongoDB Artifacts

• NoSQL Triage – Tool Time!

Page 34

Conclusion

Page 35

And with that...

Any questions?

Page 36

THANK YOU!