Hide and seek - interesting uses of forensics and covert channels.

In this talk, we will discuss some interesting uses of forensic methods like memory extraction and carving in non-law enforcement scenarios. Also, some interesting methods for achieving covert channels will be covered with their detection possibilities.
Bio: Junior researcher at the Faculty of Organization and Informatics with interests in security, cryptography and FLOSS.

Presentation Transcript

  • Hide and Seek – Interesting uses of forensics and covert channels
    Tonimir Kišasondi, mag.inf., EUCIP
  • $ whois tkisason
    Junior researcher @ foi.hr
    Likes:
    - Security
    - Crypto
    - Gnu/Linux
    - Interesting security problems
    e-mail: tonimir.kisasondi@foi.hr
    skype: tkisason
  • $ topic of this talk
    A quick overview of some interesting:
    - Forensics methods
      - Memory imaging
      - Memory carving
    - Covert channels
      - Detecting conventional channels
      - Creating useful covert channels
  • $ forensics for non law enforcement uses?
    Useful for data recovery.
    You can protect your files, but you can't protect your RAM.
    1. Dig deep
    2. Find interesting problems
    3. ???
    4. Profit!
  • $ memory imaging
    /dev/mem is restricted on newer versions of the Linux kernel.
    Alternatives:
    - Reboot the system with an imager
    - PCI imagers
    - Insert a kernel module that can access the address space: /dev/fmem
      http://hysteria.sk/~niekt0/foriana/fmem_current.tgz
    Simply dd /dev/fmem or grep -a.
  • $ memory secrets leakage
    - Pidgin's passwords are stored in 5 places
      00 00 1E 00 00 00 00 00 00 00
      Also stored in plaintext in ~/.pidgin
    - Various pieces of plaintext / passwords can be obtained from memory
    - ASLR - YMMV
    - Cryptographic algorithms can be identified
      - S-boxes and P-boxes, seeds, structures
      - Initialization vectors
      - https://github.com/fwhacking/bfcrypt
  • $ memory carving
        tony@blackbox:~/0drive$ sudo photorec /d recovery bbox-memory.img
        [sudo] password for tony:
        PhotoRec 6.11, Data Recovery Utility, April 2009
        tony@blackbox:~/0drive$ ls recovery* | wc -l
        620
  • $ file/mem carving
    Use scalpel: http://www.digitalforensicssolutions.com/Scalpel/
    /etc/scalpel/scalpel.conf is frugal at the start: uncomment the file headers you need.
    The good thing is that we can add additional signatures...
  • $ memory carving
        tony@blackbox:~/0drive$ sudo scalpel -o recovery/ blackbox-mem.img
        Scalpel version 1.60
        Written by Golden G. Richard III, based on Foremost 0.69.
        Opening target "/home/tony/0drive/blackbox-mem.img"
        Image file pass 1/2.
        blackbox-mem.img: 100.0% |*************************************| 3.2 GB 00:00 ETA
        Allocating work queues...
        Work queues allocation complete. Building carve lists...
        Carve lists built. Workload:
        ...
        gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x3b" --> 855 files
        jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 2459 files
        png with header "\x50\x4e\x47\x3f" and footer "\xff\xfc\xfd\xfe" --> 3176 files
        ...
        Carving files from image.
        Image file pass 2/2.
  • $ runtime extraction of RSA/DSA keys
        tony@blackbox:~$ sudo ./passe-partout 729
        Target has pid 729
        => 0x7f8e0ba5c000 0x7f8e0ba68000 r-xp 00000000 08:01 3416607
        => 0x7f8e0ba68000 0x7f8e0bc67000 ---p 0000c000 08:01 3416607
        ...
        found RSA key @ 0x7f8e0fad7e20
        [X] Key saved to file id_rsa-1.key
        done for pid 729
    Works against apache, openssh, openvpn.
  • $ grep is your friend
    grep -a is really useful. Try some of the following:
    - -----BEGIN RSA
    - -----BEGIN PGP
    - -----BEGIN OpenVPN Static
    - ssh-rsa
    - ssh-dsa
    - usernames
  • $ covert channels?
    The opposite of forensics :)
    Data hiding: files, protocols.
    "An adversary can always transmit one bit at a time."
    Tony's rule 183: Any structure in a covert channel destroys its covertness.
    Some interesting covert channels:
    - TCSteg
    - OutGuess
  • $ TCSteg -> http://keyj.s2000.at/?p=458
  • $ Truecryptish problems
    - File size mod 256 == 0
    - File size > 16 KB
    - H(File) ~ 7.5
    - Header != anything in /usr/share/misc/magic
    Yes, a filesystem in an encrypted volume CAN be carved :)
    TC = relatively OK
    LUKS leaks... = LUKS\xba\xbe
    File-in-file embedding leaks magic bytes.
    Outguess and similar known stego tools can be easily detected.
  • $ interesting channels Most formats that have strict footers can be "injected" – bmp for one example Injecting data in FLV? - why not! In short: Any structure leaks possible data. Perfect randomness "leaks" encryption.
  • $ interesting channels A typical flv/video file is highly random:In [27]: entropy(cat)Out[27]: 7.8086139822740126 Always map data into same character range. Avoid distrupting changes that increase entropy Avoid magic bytes and known patterns Youtube/You**** is so common, that you simply hide the data in the mass traffic.
  • $ interesting channels Filesystem fragmentation – No structure • http://goo.gl/dfhfR Distributed covert channels? – On my github soon :)
  • $ :)
  • $ Knowledge is power with biliteral cipher
  • $ questions?
  • $ Thank you
    You can find the most up-to-date version of these slides on my slideshare (tkisason).
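The header/footer carving that the photorec and scalpel slides rely on, as an added Python example (not the author's tooling and not scalpel itself): a minimal carver driven by scalpel.conf-style entries, run over a constructed byte buffer standing in for a memory image. The GIF and JPEG signatures follow the scalpel output on the slide; PNG uses the real IEND footer rather than the default conf entry.

```python
"""Minimal header/footer carver in the spirit of scalpel/foremost (added example)."""
import random

# name -> (header, footer, max carve size), scalpel.conf style.
# GIF/JPEG signatures as on the slide; PNG here uses the real IEND footer.
SIGNATURES = {
    "gif": (b"\x47\x49\x46\x38\x39\x61", b"\x00\x3b", 1 << 20),
    "jpg": (b"\xff\xd8\xff\xe0\x00\x10", b"\xff\xd9", 4 << 20),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 4 << 20),
}


def carve(image: bytes, signatures=SIGNATURES):
    """Return (type, offset, data) for every header that has a footer within max size."""
    found = []
    for name, (header, footer, max_size) in signatures.items():
        start = image.find(header)
        while start != -1:
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            if end != -1:
                found.append((name, start, image[start:end + len(footer)]))
            # continue past this header: also catches files embedded in files
            start = image.find(header, start + 1)
    return sorted(found, key=lambda hit: hit[1])


def make_sample_image() -> bytes:
    """Constructed stand-in for a memory dump: PRNG noise with three tiny files inside."""
    rng = random.Random(7)

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    gif = SIGNATURES["gif"][0] + b"\x01\x00\x01\x00" + b"A" * 20 + b"\x00\x3b"
    jpg = SIGNATURES["jpg"][0] + b"JFIF\x00" + b"B" * 40 + b"\xff\xd9"
    png = SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"C" * 17 + b"IEND\xae\x42\x60\x82"
    return noise(64) + gif + noise(32) + jpg + noise(128) + png + noise(16)


if __name__ == "__main__":
    for kind, offset, data in carve(make_sample_image()):
        print(f"{kind} @ 0x{offset:x}, {len(data)} bytes")
```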
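The detection heuristics from the "Truecryptish problems" slide and the entropy() measurement from the "interesting channels" slide, as an added Python example (not the author's code): Shannon entropy in bits per byte, the slide's alignment/size/magic checks and the LUKS magic, applied to constructed blobs. The KNOWN_MAGIC table is a tiny stand-in for /usr/share/misc/magic, and the label names are my own.

```python
"""Encrypted-container heuristics from the talk, as an added example."""
import math
import random
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"          # LUKS headers leak this magic
KNOWN_MAGIC = {                        # tiny stand-in for /usr/share/misc/magic
    b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg", b"GIF8": "gif",
    b"%PDF": "pdf", b"\x7fELF": "elf", b"PK\x03\x04": "zip", LUKS_MAGIC: "luks",
}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = indistinguishable from random)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_magic(data: bytes):
    """Name of the first known signature the blob starts with, else None."""
    return next((name for magic, name in KNOWN_MAGIC.items() if data.startswith(magic)), None)


def classify(data: bytes) -> str:
    """Apply the slide's checks: magic, size mod 256, size > 16 KB, H(File) > 7.5."""
    kind = identify_magic(data)
    if kind is not None:
        return "luks-volume" if kind == "luks" else kind
    high_entropy = entropy(data) > 7.5
    if high_entropy and len(data) % 256 == 0 and len(data) > 16 * 1024:
        return "possible-encrypted-volume"   # TrueCrypt-style: headerless and aligned
    if high_entropy:
        return "high-entropy-fragment"       # compressed or encrypted, but unaligned
    return "plain"


def samples() -> dict:
    """Constructed test blobs; the PRNG bytes stand in for ciphertext."""
    rng = random.Random(2024)

    def rand(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    return {
        "tc": rand(32768),                   # 32 KiB, aligned, no header
        "luks": LUKS_MAGIC + rand(1018),     # 1 KiB with the LUKS magic
        "odd": rand(1000),                   # random but not sector aligned
        "text": b"The quick brown fox jumps over the lazy dog. " * 800,
    }
```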