Linux Forensics

  1. A Survey on Linux Volatile Memory Forensic Techniques
     Suba Surianarayanan (suba.suri@gmail.com)
     Dr. V. Uma Maheswari (umam_in@yahoo.com)
     College of Engineering, Chennai, Anna University
  2. INTRODUCTION
     Various threats to a Linux machine:
     - Loadable kernel modules
     - Directly accessible kernel memory in some versions of Linux (/dev/kmem)
  3. Volatile Memory Forensics
     - Volatile memory: evidence gathered from RAM
     - Hidden malware
     - Live techniques: based on in-built utilities or tools
       Disadvantage: they leave a footprint on the memory image
     - Linux: LKM and direct kernel memory access make in-built utilities like ps (process enumeration) unreliable and untrustworthy
     - Static techniques: capture the state of the system during seizure
  4. Linux Volatile Memory Forensics - Challenges
     - Numerous builds and versions: challenges the applicability of techniques
     - Kernel structure changes between versions
     - Security vulnerabilities: LKM and direct access of /dev/kmem
  5. Research directions
     - Exploring kernel vulnerabilities
     - Detection of malware and rootkits based on volatile memory analysis
     - Emulation of kernel utilities
     - Reverse engineering data structures from executables, behavioral analysis, etc.
  6. Deriving Kernel data structures
     - Reverse engineering kernel data structures from the executable [10]
     - Graph based signatures (pointer pattern based) [11]
     - Utilization of debugging information [5]
     - Simulation of utilities based on kernel structures [13]
     - Understanding kernel data structures forms the core of volatile memory forensics, e.g. it enables detection of hidden processes [9], [15], [16], [17]
  7. Detecting hidden Processes: Kernel structures
     [Diagram: chain of kernel structures from a task to the inodes of its open files]
     task_struct <-> task_struct <-> ... (next / prev links of the circular task list)
     task_struct.files -> files_struct
     files_struct.fd_array -> file
     file.f_path -> dentry
     dentry.d_inode -> inode
  8. Detecting hidden Processes: Kernel structures

     Structure       | Description
     --------------- | -----------------------------------------------------------
     task_struct     | Current state of process
     mm_struct       | Pages owned by a process; memory sections (begin and end addresses)
     vm_area_struct  | Access permissions
     files_struct    | Files, pipes, sockets opened by a process
     dentry          | Directory information
     inode           | Includes file MAC times
     address_space   | Radix tree that holds the pages of a process together
     page_struct     | Index into page file
     file            | Representation of each open file, socket, etc.
     inet_sock       | Protocol specific information
  9. Detecting hidden Processes: Kernel structures (Kernel 2.6.32)

     struct task_struct {
         [0]    volatile long int state;
         [4]    void *stack;
         [8]    atomic_t usage;
         [12]   unsigned int flags;
         [16]   unsigned int ptrace;
         [20]   int lock_depth;
         [24]   int prio;
         [28]   int static_prio;
         [32]   int normal_prio;
         [36]   unsigned int rt_priority;
         [40]   const struct sched_class *sched_class;
         [44]   struct sched_entity se;
         [376]  struct sched_rt_entity rt;
         [412]  struct hlist_head preempt_notifiers;
         [416]  unsigned char fpu_counter;
         [420]  unsigned int btrace_seq;
         [424]  unsigned int policy;
         [428]  cpumask_t cpus_allowed;
         [432]  struct sched_info sched_info;
         [464]  struct list_head tasks;   // circular linked list of processes, task.next and task.prev
         ...
         [3248] struct memcg_batch_info memcg_batch;
     }
     SIZE: 3264
  10. Detecting hidden Processes: Requirements for volatile memory analysis
      - Uncompressed kernel build (vmlinux)
      - Kernel debugger
      - Memory dump file
      How to obtain the uncompressed kernel? (Red Hat versions)
      - Download the kernel build for the same version
      - kernel-debuginfo package
  11. System.map
      struct file.f_op = "socket_file_ops"
      struct file.f_path -> dentry.d_op = "sockfs_dentry_operations"
      The static addresses for these two symbols can be obtained from System.map.
  12. Detecting hidden Processes
      - Traverse the circularly linked task list and compare with the corresponding mm_struct list
      - Brute force detection based on task_struct field signatures
      - Slab and slub allocator: kmem_cache list
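As an added example, not code from the original slides, the script below applies the two detection ideas on this slide to a constructed 32-bit memory image: it walks the circular tasks list from init_task (what ps sees) and brute-force scans the image for task_struct signatures, reporting slots the scan finds but the list does not reach. The state and tasks offsets are the slide 9 values; the x86 32-bit pointer size, the stride-aligned slab slots and the "small state value" signature are assumptions of the example.

```python
import struct

# task_struct layout from the kernel 2.6.32 offsets on slide 9: state at [0],
# tasks list_head (next, prev) at [464], size 3264; 32-bit x86 assumed.
STATE_OFF, TASKS_OFF, TASK_SIZE = 0, 464, 3264
PTR = "<I"

def build_image(base, n_tasks, unlink=()):
    """Constructed image: n_tasks task_structs in a circular list; tasks in
    `unlink` are cut out of the list (DKOM hiding) but stay in memory."""
    addrs = [base + i * TASK_SIZE for i in range(n_tasks)]
    visible = [a for a in addrs if a not in unlink]
    img = bytearray(n_tasks * TASK_SIZE)
    for a in addrs:
        ring = visible if a in visible else addrs  # hidden keeps stale links
        j = ring.index(a)
        struct.pack_into("<i", img, a - base + STATE_OFF, 1)  # TASK_INTERRUPTIBLE
        struct.pack_into(PTR, img, a - base + TASKS_OFF, ring[(j + 1) % len(ring)] + TASKS_OFF)
        struct.pack_into(PTR, img, a - base + TASKS_OFF + 4, ring[j - 1] + TASKS_OFF)
    return bytes(img), addrs[0]

def read_ptr(img, base, vaddr):
    return struct.unpack_from(PTR, img, vaddr - base)[0]

def walk_task_list(img, base, init_task):
    """What ps sees: follow tasks.next from init_task (container_of on the
    list_head pointer) until the list wraps around."""
    seen, cur = [], init_task
    while cur not in seen:
        seen.append(cur)
        cur = read_ptr(img, base, cur + TASKS_OFF) - TASKS_OFF
    return seen

def scan_task_signatures(img, base, stride=TASK_SIZE):
    """Brute-force scan: keep every stride-aligned slot whose state is a small
    value and whose list_head pointers land on other slots' list_heads."""
    end = base + len(img)
    def plausible(p):
        return base <= p - TASKS_OFF < end and (p - TASKS_OFF - base) % stride == 0
    hits = []
    for a in range(base, end - TASK_SIZE + 1, stride):
        state = struct.unpack_from("<i", img, a - base)[0]
        nxt, prv = read_ptr(img, base, a + TASKS_OFF), read_ptr(img, base, a + TASKS_OFF + 4)
        if 0 <= state <= 4 and plausible(nxt) and plausible(prv):
            hits.append(a)
    return hits

def find_hidden_tasks(img, base, init_task):
    """Tasks the signature scan finds that the linked list does not reach."""
    return sorted(set(scan_task_signatures(img, base)) - set(walk_task_list(img, base, init_task)))
```

On a real dump the same cross-check is done against the kmem_cache slab slots or the mm_struct list instead of a fixed stride, but the logic is identical: anything the allocator knows about and the list does not is a candidate hidden process.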
  13. Locating Kernel structures from a Memory Dump
      Types of data structures: (1) static, (2) dynamic
      Locating static data structures:
      - Using the System.map file
      - Contains the name and address of every static data structure in the kernel
      - Created during the kernel build process using nm on the compiled vmlinux file
      Locating dynamic data structures:
      - Derive them from the static data structures
  14. Malware detection techniques
      Based on:
      - Data access patterns and structural signatures [4], [6], [8]
      - Binary analysis based on instruction sequences [12]
      - Task structure analysis [14]
  15. Malware detection techniques [4]
      Inter-structure pointers:

      struct socket_alloc {
          [0] struct socket socket;
          [1] struct inode vfs_inode;   // 0x28
      }
      size: 392
  16. Malware detection techniques [4]
      [Diagram: a socket found through its embedded inode]
      socket_alloc: offset 0 socket, offset 40 vfs_inode
      struct file.f_dentry -> dentry
      dentry.d_inode -> vfs_inode (embedded inside socket_alloc)
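As an added example that is not code from the slides, the script below ties slides 11, 15 and 16 together: it reads the two static addresses from a constructed System.map excerpt, checks a struct file's f_op and its dentry's d_op against them, and then recovers the enclosing socket_alloc from the inode pointer by subtracting the vfs_inode offset. The struct file and dentry field offsets, the symbol addresses and the image contents are assumed or constructed; only the socket_alloc layout comes from the slides.

```python
import struct

# Constructed System.map excerpt (addresses are made up); real lines have
# the same "<hex address> <symbol type> <symbol name>" shape.
SYSTEM_MAP = "c0400100 D socket_file_ops\nc0400200 D sockfs_dentry_operations\n"

# socket_alloc layout from slides 15/16: socket at 0, vfs_inode at 40, size 392.
SOCKET_OFF, VFS_INODE_OFF, SOCKET_ALLOC_SIZE = 0, 40, 392
# Assumed 32-bit offsets for struct file and dentry (not given on the slides).
FILE_F_OP, FILE_F_PATH_DENTRY, DENTRY_D_INODE, DENTRY_D_OP, DENTRY_SIZE = 0, 8, 0, 4, 64
PTR = "<I"

def parse_system_map(text):
    """Map symbol name -> static address from System.map text."""
    syms = {}
    for line in text.splitlines():
        addr, _sym_type, name = line.split()
        syms[name] = int(addr, 16)
    return syms

class Image:
    """Tiny memory-dump stand-in: a bytearray with a virtual base address."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)
    def put(self, vaddr, value):
        struct.pack_into(PTR, self.buf, vaddr - self.base, value)
    def get(self, vaddr):
        return struct.unpack_from(PTR, self.buf, vaddr - self.base)[0]

def build_image(syms):
    """Constructed dump: one socket_alloc, its dentry, and a struct file."""
    base = 0xc1000000
    img = Image(base, 1024)
    sa, dentry = base, base + SOCKET_ALLOC_SIZE
    file = dentry + DENTRY_SIZE
    img.put(dentry + DENTRY_D_INODE, sa + VFS_INODE_OFF)  # d_inode points inside socket_alloc
    img.put(dentry + DENTRY_D_OP, syms["sockfs_dentry_operations"])
    img.put(file + FILE_F_OP, syms["socket_file_ops"])
    img.put(file + FILE_F_PATH_DENTRY, dentry)
    return img, file, sa

def socket_from_file(img, file, syms):
    """Socket address behind an open file, or None if it is not a socket: both
    slide 11 checks must hold, then container_of(inode, socket_alloc, vfs_inode)."""
    if img.get(file + FILE_F_OP) != syms["socket_file_ops"]:
        return None
    dentry = img.get(file + FILE_F_PATH_DENTRY)
    if img.get(dentry + DENTRY_D_OP) != syms["sockfs_dentry_operations"]:
        return None
    return img.get(dentry + DENTRY_D_INODE) - VFS_INODE_OFF + SOCKET_OFF
```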
  17. Rootkit Detection
      - Hidden rootkit: DKOM and function hooking
      - Remains undetected through normal modes of detection such as ps
      - Finding hidden objects such as sockets and processes based on field types and inter-structure pointers in kernel structures [4, 6]
      - Behavioral analysis, such as data access patterns [8]
  18. Classification of various techniques

      Title                                                                                  | Analysis type        | Application
      -------------------------------------------------------------------------------------- | -------------------- | ------------------------
      Detecting stealthy malware with Inter-Structure and imported Signatures [4]           | In-execution         | Malware detection
      Characterizing Kernel Malware Behavior with Kernel Data Access Patterns [8]            | In-execution         | Malware detection
      In-Execution Malware Detection using Task Structures of Linux Processes [14]           | In-execution         | Malware detection
      Detecting Kernel-level Rootkits using Data Structure Invariants [6]                   | In-execution         | Rootkit detection
      Detecting Kernel-Level Rootkits Through Binary Analysis [12]                           | Pre-execution        | Rootkit detection
      Locating 386 paging structures in memory images [9]                                    | Memory dump analysis | Hidden process detection
  19. Classification of various techniques

      Title                                                                                          | Analysis type        | Application
      ---------------------------------------------------------------------------------------------- | -------------------- | -----------------------------------------------------------------------------------
      FACE: Automated digital evidence discovery and correlation [13]                                | Memory dump analysis | Evidence correlation
      The 7 dwarves: debugging information beyond gdb [5]                                            | Post-execution       | Identification of kernel structure offsets
      SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures [11] | In-execution     | Identification of kernel data structures
      Automatic Reverse Engineering of Data Structures from Binary Execution [10]                    | In-execution         | Identification of kernel data structures from a memory image
      An Analysis of Linux RAM Forensics [16]                                                        | Memory dump analysis | Identification of forensically relevant data structures (SUSE Linux kernel 2.6)
      Linux Memory Forensic: Searching for processes [17]                                            | Memory dump analysis | Identification of forensically relevant data structures (kernel versions 2.6.20 and 2.4.23)
  20. Conclusion and future trends
      - Understanding the kernel memory structures of the target system forms the basis of volatile memory forensics
      - task_struct and are the starting points of such analysis on a Linux machine
      - Frameworks and techniques applicable across kernel versions
      - Interpretation of collected evidence
      - User-friendly report format
  21. References
      [1] Wikipedia,
      [2] “Crash utility”,
      [3] Case, A., Marziale, L., Richard, G.G., “Dynamic recreation of kernel data structures for live forensics”, Digital Investigation, 2010
      [4] Liang, B., You, W., Shi, W., Liang, Z., “Detecting stealthy malware with Inter-Structure and imported Signatures”, Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, 2011
      [5] Arnaldo Carvalho de Melo, “The 7 dwarves: debugging information beyond gdb”, Proceedings of the Linux Symposium, 2007
      [6] Baliga, A., “Detecting Kernel-level Rootkits using Data Structure Invariants”, IEEE Transactions on Dependable and Secure Computing, 2011
      [7] Ramaswamy, A., “Detecting Kernel rootkits”, Dartmouth College Masters Thesis, 2008
      [8] Rhee, J., Lin, Z., Xu, D., “Characterizing Kernel Malware Behavior with Kernel Data Access Patterns”, Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, 2011
      [9] Saur, K., Grizzard, J.B., “Locating 386 paging structures in memory images”, Digital Investigation, 2010
      [10] Lin, Z., Zhang, X., Xu, D., “Automatic Reverse Engineering of Data Structures from Binary Execution”, 17th Network and Distributed System Security Symposium, 2010
      [11] Lin, Z., “SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures”, 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, 2010
  22. References
      [12] Christopher, K., “Detecting Kernel-Level Rootkits Through Binary Analysis”, Computer Security Applications Conference, 2004
      [13] Case, A., Cristina, A., Marziale, L., Richard, G.G., Roussev, V., “FACE: Automated digital evidence discovery and correlation”, Digital Investigation, 2008
      [14] Shahzad, F. et al., “In-Execution Malware Detection using Task Structures of Linux Processes”, IEEE International Conference on Communications, 2011
      [15] Burdach, M., “Digital Forensics of the physical memory”, 2005
      [16] Urrea, J.M., “An analysis of Linux RAM forensics”, Naval Postgraduate School Thesis, 2006
      [17] Gao, Y., Cao, T., “Linux Memory Forensic: Searching for processes”, Computer Security Applications Conference, 2010
      [18] Movall, P., Nelson, W., Wetzstein, S., “Linux Physical Memory Analysis”, Proceedings of the USENIX Annual Technical Conference, 2005
      [19] Wikipedia,
      [20] DFRWS, “DFRWS 2005 forensics challenge”, 2005
      [21] Volatility framework,
  23. Thank you