INVESTIGATING HACKERS' TOOLS
A SEMINAR
BY
ISRAEL UMANA
M.Tech – Information Security and Cyber Forensic
SRM University, Chennai
India
Acknowledgments
Material is sourced from:
INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION
Authors: CHRIS PROSISE, KEVIN MANDIA
Publisher: McGraw-Hill/Osborne
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto
2 Israel Umana - Investigating Hackers' tools
THE GOALS OF TOOL ANALYSIS
• Prevent similar attacks in the future
• Assess an attacker's skill or threat level
• Determine the extent of a compromise
• Determine if any damage was done
• Determine the number and type of intruders
• Prepare yourself for a successful subject interview if you catch the attacker
• Determine the attacker's objectives and goals (specific targeting versus target of opportunity)
HOW FILES ARE COMPILED
• Statically Linked Programs (gcc -static zap.c -o zapstatic)
• Dynamically Linked Programs (gcc zap.c -o zap_out)
• Programs Compiled with Debug Options (gcc -g zap.c -o zapdebug)
• Stripped Programs
• Programs Packed with UPX
Statically vs Dynamically compiled program
File Analysis
• On a Unix system, change to the directory of the suspicious file and issue the command:
[root@conan zap]# ls -al Z
• This displays the file attributes and permissions:
-rwxr--r-- 1 root root 7423 Feb 4 02:00 Z
File Analysis (contd)
• [root@conan zap]# file Z
This command shows the compilation method used on the file. Here is a sample output:
Z: ELF 32-bit LSB executable, Intel 80386, version 1 (Linux), statically linked, stripped
File Analysis (contd)
• [root@conan zap]# strings -a Z
This command shows whether the file is packed with UPX: the packer's decompression stub leaves its banner in the file as a readable string. Sample output:
--Excerpt--
Linux
$Info: This file is packed with the UPX executable packer http://upx.sf.net$
$Id: UPX 1.24 Copyright (C) 1996-2002 the UPX Team. All Rights Reserved. $
UWVSQR
File Analysis (contd)
• The following command decompresses (unpacks) the suspect file and stores the output in the file named foo:
[root@conan zap]# upx -d Z -o foo
Output:
Ultimate Packer for eXecutables
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24 Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002
File size Ratio Format Name
--------------------- -------- ---------- ---------
13160 <- 7423 56.40% linux/386 foo
File Analysis (contd)
• We can now run the following commands again, this time on the unpacked copy rather than on the packed original:
- file foo
- strings -a foo
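The ls, file, strings and upx -d walkthrough above (and the later slides on the Unix file command and on reviewing strings) all come down to reading a few ELF header fields and scanning for the packer's banner. The following Python script is an added example, not code from the slides or from the book they cite, that performs the same triage from the raw bytes so you can see what file is actually checking: the EI_CLASS/EI_DATA bytes, e_type and e_machine, the presence of a PT_INTERP program header (dynamically linked) and of a .symtab section (not stripped), plus the UPX! magic and $Info: banner that strings -a surfaces. build_sample_elf constructs a minimal, non-runnable ELF image purely to exercise the parser offline; it is a constructed input, not a real compiled program. Pass a real binary as the first argument to triage it instead.

```python
"""Static triage of a suspect ELF binary, from its raw bytes.

Reproduces the facts behind the `file Z` line on the slides (class,
endianness, type, machine, statically vs dynamically linked, stripped) and
the `strings -a Z` check for the UPX banner.  Added example; not code from
the slides or from the book they cite."""
import struct
import sys

PT_INTERP = 3      # program header that names the dynamic loader
SHT_SYMTAB = 2     # section type of .symtab, which strip(1) removes
MACHINES = {3: "Intel 80386", 62: "x86-64", 40: "ARM", 183: "ARM aarch64"}
TYPES = {2: "executable", 3: "shared object"}


def triage_elf(data):
    """Parse the ELF, program and section headers of `data` and return a dict
    with the same facts file(1) prints for a Linux binary."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = LSB, 2 = MSB
    if is64:
        hdr_fmt, ph_fmt, sh_fmt = "HHIQQQIHHHHHH", "IIQQQQQQ", "IIQQQQIIQQ"
    else:
        hdr_fmt, ph_fmt, sh_fmt = "HHIIIIIHHHHHH", "IIIIIIII", "IIIIIIIIII"
    (e_type, e_machine, _, _, phoff, shoff, _, _,
     phentsize, phnum, shentsize, shnum, _) = struct.unpack_from(endian + hdr_fmt, data, 16)

    # A dynamically linked program carries a PT_INTERP segment that names the
    # loader (e.g. /lib/ld-linux.so.2); `gcc -static` output has none.
    p_types = [struct.unpack_from(endian + ph_fmt, data, phoff + i * phentsize)[0]
               for i in range(phnum)]
    # strip(1) removes the .symtab section.  A packer such as UPX usually drops
    # the section header table altogether (e_shnum == 0), which also reads as
    # "stripped" and is itself a hint worth noting.
    s_types = [struct.unpack_from(endian + sh_fmt, data, shoff + i * shentsize)[1]
               for i in range(shnum)] if shoff else []
    return {
        "bits": 64 if is64 else 32,
        "endian": "LSB" if endian == "<" else "MSB",
        "type": TYPES.get(e_type, "type %d" % e_type),
        "machine": MACHINES.get(e_machine, "machine %d" % e_machine),
        "dynamic": PT_INTERP in p_types,
        "stripped": SHT_SYMTAB not in s_types,
        # The UPX stub leaves its magic and its "$Info:" banner in the packed
        # file; this is what the `strings -a Z` check on the slide finds.
        "upx": b"UPX!" in data or b"$Info: This file is packed with the UPX" in data,
    }


def describe(info):
    """Render a triage result in the one-line style of file(1)."""
    return "ELF %d-bit %s %s, %s, %s linked, %s%s" % (
        info["bits"], info["endian"], info["type"], info["machine"],
        "dynamically" if info["dynamic"] else "statically",
        "stripped" if info["stripped"] else "not stripped",
        ", UPX packed" if info["upx"] else "")


def build_sample_elf(bits=32, dynamic=False, stripped=True, upx=False):
    """Constructed sample input: a minimal, non-runnable ELF image with the
    requested traits, so triage_elf can be exercised offline.  It is not a
    real compiled program."""
    is64 = bits == 64
    ehsize, phentsize, shentsize = (64, 56, 64) if is64 else (52, 32, 40)
    hdr_fmt, ph_fmt, sh_fmt = (("<HHIQQQIHHHHHH", "<IIQQQQQQ", "<IIQQQQIIQQ") if is64
                               else ("<HHIIIIIHHHHHH", "<IIIIIIII", "<IIIIIIIIII"))
    phdrs = [1] + ([PT_INTERP] if dynamic else [])        # PT_LOAD, optional PT_INTERP
    shdrs = [] if stripped else [SHT_SYMTAB]
    phoff = ehsize
    shoff = phoff + phentsize * len(phdrs) if shdrs else 0
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + bytes(9)
    body = ident + struct.pack(hdr_fmt, 2, 62 if is64 else 3, 1, 0, phoff, shoff, 0,
                               ehsize, phentsize, len(phdrs), shentsize, len(shdrs), 0)
    for t in phdrs:
        body += struct.pack(ph_fmt, t, *([0] * 7))
    for t in shdrs:
        body += struct.pack(sh_fmt, 0, t, *([0] * 8))
    if upx:
        body += b"UPX!\0$Info: This file is packed with the UPX executable packer http://upx.sf.net$\0"
    return body


if __name__ == "__main__":
    if len(sys.argv) > 1:                         # python elf_triage.py Z
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:                                         # no file given: use the constructed sample
        data = build_sample_elf()
    print(describe(triage_elf(data)))
```

Two caveats the script makes visible: a static-PIE binary has a PT_DYNAMIC segment but no PT_INTERP, so it reports as statically linked, which is also what file does; and a UPX-packed file normally has no section header table at all, so it reads as stripped, and it is the UPX check that tells you the strings and headers you are looking at belong to the stub rather than to the program. That is why the slides re-run file and strings on the unpacked copy.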
STATIC ANALYSIS OF A HACKER TOOL
Static analysis is tool analysis performed without actually executing the rogue code.
It involves the following steps:
1. Determine the type of file
2. Review the ASCII and Unicode strings
3. Perform online research
4. Perform source code review
Determining the Type of File
Common file types include:
• Windows 95/98/NT/2000/XP executable or dynamically linked library (DLL)
• Linux a.out/elf/script
• Solaris a.out/elf/script
• DOS 32-bit COFF
• DOS 16-bit .com file
• DOS 16-bit executable
• Atari ST/TT
Using the Unix File Command
• The standard command for determining a file type on Unix systems is file.
[root@conan zap]# file *
Using the Windows Exetype Command
• The Windows equivalent of the file command is the NT Resource Kit tool exetype.
• It recognizes fewer file types than the file command.
Reviewing the ASCII and Unicode Strings
• Basic static analysis of object code involves examining the ASCII-formatted strings of the binary file.
• The strings command has the following syntax:
strings -a filename
This command line will display all ASCII strings contained in the object code that are four characters or longer. The -a option scans the whole file rather than only the initialized data sections, so strings in a packer stub or in an unusual segment are not missed.
Hex editors
When all analysis fails, the hex editor is our friend. However, when performing static tool analysis, the hex editor is only slightly better than the strings command. It allows you to see Unicode and ASCII strings within a file at the same time.
Performing Online Research
• Perform online research to determine if the tool is publicly available on computer security or hacker sites. Compare any online tools identified with the tool you are analyzing.
• If the tool is not publicly available, then you will need to decompile the file to analyse its functions.
Performing Source Code Review
• With the source code available to you for review, you will be capable of determining exactly what a rogue program does.
• Performing source code review requires working knowledge of the programming language used to create the tool. Most popular exploits and tools are found in ANSI C and Microsoft Visual Basic scripting, so you should become familiar with these formats.
DYNAMIC ANALYSIS OF A HACKER TOOL
• In dynamic analysis, you execute rogue code and interpret its interaction with the host operating system.
• This can be dangerous on your forensic workstation.
• Our methodology includes the following tasks:
  • Monitor the time/date stamps to determine what files a tool affects.
  • Run the program to intercept its system calls.
  • Perform network monitoring to determine if any network traffic is generated.
  • Monitor how Windows-based executables interact with the Registry.
Creating the Sandbox Environment
• Get the operating system and architecture necessary to execute the object code properly.
• Install VMware on your test system.
• Turn on the Nonpersistent write option in the configuration settings, so that every write to the virtual disk is discarded when the virtual machine is powered off and each run starts from a clean image.
• Make sure that the test system is not connected to the Internet.
• Execute rogue code on a closed network.
Dynamic Analysis on a Unix System
• Most applications execute in a memory area defined as user space.
• They are prohibited from accessing computer hardware and resources directly.
• User applications access these resources by requesting the kernel to perform the operations on their behalf.
• The user application makes these requests to the kernel via system calls.
Using Strace
• Unix has a tool that traces the use of system calls by an executed process.
• The strace command displays information about file access, network access, memory access, and many other system calls that a file makes when it is executed.
• [root@conan zap]# strace -o strace.out ./zapdynamic
• This command line will store the interaction between the zap program and the operating system in a file called strace.out.
Sample output
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
write(1, "Error.\n", 7) = 7
munmap(0x40014000, 4096) = 0
_exit(7) = ?
Examining Strace Output
Look out for the following system calls:
• The execve call, which starts the program and records the arguments and environment it was given.
• The brk system calls are used to allocate memory for the process.
• The mmap calls, which map a portion of a file into memory.
• The fstat call obtains information about the file that is referenced by the file descriptor.
• The close system calls are used to release a file descriptor when the process no longer needs the file or socket referenced.
Using Shortcuts with Strace
• Search the strace output file for open, read, write, unlink, lstat, socket, and close system calls.
• A shortcut is to use the option -e trace=file, which traces only the calls that take a file name as an argument.
• To display all interactions with a network device, use the option -e trace=network.
• More combinations are available in the man page for strace.
• Save a copy of all the data transferred on a file descriptor with the -e write=<fd> option, which dumps every write to that descriptor in full rather than truncating it.
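To put the -e trace=file, -e trace=network and -e write= shortcuts above into practice on a saved strace.out, the following Python script is an added example, not code from the slides or the book, that parses strace's one-call-per-line text output and summarizes the execve, file-name, network, read/write and exit activity, resolving file descriptors back to the paths they were opened on so that a write(4, ...) is reported against the file, not the number. SAMPLE_TRACE is a constructed log in strace's format, written only to exercise the parser; it is not the real behaviour of the zap program or of any other tool, and the paths and addresses in it are made up.

```python
"""Triage an strace log the way the slides suggest: pull out the execve,
file, network and read/write activity so the analyst does not have to read
every line.  Added example, not code from the slides or the book; the trace
below is constructed and is not the real behaviour of any tool."""
import json
import re
import sys

# strace -o writes one call per line:  name(args) = retval [ERRNO (text)]
# Optional "[pid N] " (strace -f) or "N) " (the slides' numbering) prefixes
# are tolerated.
CALL_RE = re.compile(r'^(?:\[pid\s+\d+\]\s*|\d+\)\s*)?(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\S+)')
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')      # C-style quoted strings in the args
ENDPOINT_RE = re.compile(r'sin_port=htons\((\d+)\).*?inet_addr\("([^"]+)"\)')

PATH_CALLS = {"open", "openat", "creat", "unlink", "rename", "stat", "lstat",
              "chmod", "execve"}          # roughly what -e trace=file would show
NET_CALLS = {"socket", "connect", "bind", "listen", "accept", "sendto", "recvfrom"}

# Constructed sample log in strace's output format (not a real trace).
SAMPLE_TRACE = r'''execve("./suspect", ["./suspect", "root"], [/* 20 vars */]) = 0
brk(0)                                  = 0x8049000
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0"..., 512) = 512
close(3)                                = 0
lstat("/var/log/lastlog", {st_mode=S_IFREG|0644, st_size=292292, ...}) = 0
open("/var/log/wtmp", O_RDWR)           = 4
write(4, "\0\0\0\0\0\0\0\0", 8)         = 8
close(4)                                = 0
unlink("/var/log/wtmp.bak")             = -1 ENOENT (No such file or directory)
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(31337), sin_addr=inet_addr("10.0.0.5")}, 16) = 0
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0
write(1, "Error.\n", 7)                 = 7
_exit(7)                                = ?
'''


def triage_strace(text):
    """Summarize an strace log: programs executed, paths touched, unlink
    attempts, network calls, bytes read/written per path, and exit status."""
    fds = {0: "stdin", 1: "stdout", 2: "stderr"}   # fd -> path, from open() results
    summary = {"execve": [], "files": set(), "unlinked": [], "network": [],
               "reads": {}, "writes": {}, "exit": None}
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        name, args, ret = m.group("name"), m.group("args"), m.group("ret")
        strings = STR_RE.findall(args)
        if name == "execve" and strings:
            summary["execve"].append(strings[0])
        if name in PATH_CALLS and strings:
            summary["files"].add(strings[0])
        if name == "unlink" and strings:
            summary["unlinked"].append((strings[0], ret))    # ret "-1" means it failed
        if name in ("open", "openat", "creat") and ret.isdigit():
            fds[int(ret)] = strings[0]        # strace prints openat's AT_FDCWD unquoted
        if name in ("read", "write") and ret.isdigit():
            fd = int(args.split(",")[0])
            bucket = summary["reads" if name == "read" else "writes"]
            path = fds.get(fd, "fd %d" % fd)
            bucket[path] = bucket.get(path, 0) + int(ret)
        if name == "close":
            fds.pop(int(args.strip()), None)
        if name in NET_CALLS:                      # what -e trace=network would show
            ep = ENDPOINT_RE.search(args)
            endpoint = ("%s:%s" % (ep.group(2), ep.group(1))) if ep else None
            summary["network"].append((name, endpoint))
        if name in ("_exit", "exit_group"):
            summary["exit"] = int(args)
    summary["files"] = sorted(summary["files"])
    return summary


if __name__ == "__main__":
    # Usage: python strace_triage.py strace.out   (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    print(json.dumps(triage_strace(text), indent=2))
```

The descriptor table is the part worth copying: strace reports write(4, ...) and close(4), and only the earlier open() tells you that 4 was /var/log/wtmp, so a summary that does not track open and close return values misattributes the writes. A failed unlink (return -1) is kept deliberately, since an attempt to remove a file is evidence of intent whether or not it succeeded.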
Conducting Analysis Beyond Strace
• The strace utility cannot do everything.
• With strace, you cannot determine what the process is doing once it reads, writes, or receives values from the system calls.
• You need to resort to techniques such as debugging and decompiling.
• The debugger will allow you to step through every action a program takes during its execution.
Recompile the GNU Binutils Package
• The binutils package is installed on most versions of Linux.
• It is built to recognize a small number of object file types.
• Tools in the precompiled binutils package may build, view, disassemble, and otherwise alter a handful of Linux native executable files.
• Recompile the package with ./configure --enable-targets=all so that objdump and the other tools understand object formats from other platforms as well.
Dynamic Analysis on a Windows System
• You execute the rogue code and use utilities to watch how the rogue process interacts with the file system, the Registry, the application programming interfaces (APIs), and the operating system.
• For dynamic tool analysis of Windows applications, we use Filemon, Regmon, ListDLLs, Fport, and PsList.
• Filemon, Regmon, ListDLLs, and PsList can be gotten at: http://www.sysinternals.com
Using Filemon
• The Filemon utility (from the Sysinternals web site) provides a wiretap between running processes and the file system.
• It intercepts all access and queries a process makes to the file system.
• You can determine all of the files the program reads, writes to, and accesses to perform its unknown activity.
Using Regmon
• Regmon taps a process's interaction with the Windows Registry.
• Some programs query, enumerate, and close more than 950 Registry keys upon execution.
• Regmon allows you to enter filters to focus your analysis on relevant entries.
• It provides immediate access to the Registry Editor (regedit).
• It provides a simple interface to monitor which programs write startup entries in the Registry and which programs query the network hardware in order to generate or receive network traffic.
Using ListDLLs
• ListDLLs is a Sysinternals tool (available at the URL above).
• It shows all of the DLLs needed by a process.
• It enumerates the full pathnames of the DLLs loaded by the process.
• ListDLLs is helpful for detecting applications that have been modified (injected) with extra functionality.
• Viewing which DLLs the program is using may allow you to detect if the application is interacting with the network services at an API level or if it is attempting to bypass them.
• It works on programs that are currently running.
Using Fport and PsList
• Fport and PsList are critical tools for dynamic analysis on a Windows system.
• Fport should be used prior to and after executing a rogue process to determine if the rogue process opened any network sockets.
• PsList is useful to determine if a process changes its process name after execution.
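Fport and PsList are used above as before-and-after snapshots, and the comparison between the two runs is where the finding is. The following Python script is an added example, not code from the slides, the book, Sysinternals or Foundstone, that parses two saved Fport listings and two saved PsList listings and reports the sockets that appeared and the pids whose image name changed between the runs. Python is used because it is the language of the other examples on this page and the script only post-processes the tools' saved text output. The listings embedded in it are constructed and only approximate the tools' real columns (Fport's Pid, Process, Port, Proto, Path; PsList's Name, Pid, Pri, Thd, Hnd, ...); the pid, port, process name and paths are invented for the example.

```python
"""Before/after snapshot differencing for the Windows dynamic-analysis step:
Fport listings taken before and after running the rogue program reveal new
sockets, and PsList listings reveal a process that renamed itself.  Added
example, not code from the slides or the tools; the listings below are
constructed and only approximate the tools' real output."""
import re

# Fport lines look like:  Pid   Process  ->  Port  Proto  Path
FPORT_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s+(.*?)\s*$')
# PsList lines look like: Name  Pid  Pri  Thd  Hnd  Priv  CPU Time  Elapsed Time
# Only the first two columns are used, so header and banner lines are skipped.
PSLIST_RE = re.compile(r'^\s*(\S+)\s+(\d+)\s+\d+\s+\d+\s+\d+')

# Constructed snapshots (approximate column layout, invented values).
FPORT_BEFORE = r"""FPort v2.0 - TCP/IP Process to Port Mapper
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
228   lsass          ->  1028  UDP   C:\WINNT\system32\lsass.exe
"""
FPORT_AFTER = FPORT_BEFORE + r"1204  suspect        ->  31337 TCP   C:\TEMP\suspect.exe" + "\n"

PSLIST_BEFORE = """Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     0:00:00.000     0:00:00.000
svchost             392   8   9  195   1532     0:00:00.015     0:12:44.312
suspect            1204   8   1   18    212     0:00:00.000     0:00:01.140
"""
# After the run, pid 1204 reports itself under a system-looking name.
PSLIST_AFTER = PSLIST_BEFORE.replace("suspect            1204", "svchost            1204")


def parse_fport(text):
    """Return {(proto, port): (pid, process, path)} for every line that parses."""
    out = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            out[(proto, int(port))] = (int(pid), proc, path)
    return out


def parse_pslist(text):
    """Return {pid: name} from a PsList listing."""
    out = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            out[int(m.group(2))] = m.group(1)
    return out


def new_sockets(before, after):
    """Sockets present after execution that were absent before, plus sockets
    whose owning pid, process or path changed (a port that was rebound)."""
    b, a = parse_fport(before), parse_fport(after)
    return {k: v for k, v in a.items() if b.get(k) != v}


def renamed_processes(before, after):
    """Pids that kept running but now report a different image name."""
    b, a = parse_pslist(before), parse_pslist(after)
    return {pid: (b[pid], a[pid]) for pid in b if pid in a and b[pid] != a[pid]}


if __name__ == "__main__":
    # Redirect the real tools' output to files before and after the run, then
    # pass those files' contents here instead of the constructed samples.
    print("new sockets:", new_sockets(FPORT_BEFORE, FPORT_AFTER))
    print("renamed processes:", renamed_processes(PSLIST_BEFORE, PSLIST_AFTER))
```

Comparing parsed records rather than raw lines is what lets the diff notice a port that already existed but is now owned by a different process or path, which a plain text diff of two listings reports only as one line removed and one added.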
Conducting Further Analysis on Windows
• The tools described in this chapter provide the first level of analysis.
• More comprehensive techniques are available.
• Decompiling and debugging are the next steps.
• IDA Pro (an interactive disassembler) and SoftICE (a source-level debugger).
• They can be obtained at:
  • IDA Pro: http://www.datarescue.com
  • SoftICE: http://www.compuware.com/products/devpartner/softice

 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 

Investigating Hackers' Tools

  • 1. INVESTIGATING HACKERS' TOOLS. A seminar by Israel Umana, M.Tech – Information Security and Cyber Forensic, SRM University, Chennai, India
  • 2. Acknowledgments. Material is sourced from: INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION. Authors: Chris Prosise, Kevin Mandia. Publisher: McGraw-Hill/Osborne (New York, Chicago, San Francisco, Lisbon, London, Madrid, Mexico City, Milan, New Delhi, San Juan, Seoul, Singapore, Sydney, Toronto). Israel Umana - Investigating Hackers' tools
  • 3. THE GOALS OF TOOL ANALYSIS. Prevent similar attacks in the future. Assess an attacker's skill or threat level. Determine the extent of a compromise. Determine if any damage was done. Determine the number and type of intruders. Prepare yourself for a successful subject interview if you catch the attacker. Determine the attacker's objectives and goals (specific targeting versus target of opportunity).
  • 4. HOW FILES ARE COMPILED. Statically linked programs (gcc -static zap.c -o zapstatic). Dynamically linked programs (gcc zap.c -o zap_out). Programs compiled with debug options (gcc -g zap.c -o zapdebug). Stripped programs. Programs packed with UPX.
  • 5. Statically vs dynamically compiled program (figure only).
  • 6. File Analysis. On a Unix system, change to the directory of the suspicious file and issue the command:
      [root@conan zap]# ls -al Z
    This displays the file attributes and permissions:
      -rwxr--r-- 1 root root 7423 Feb 4 02:00 Z
  • 7. File Analysis (contd).
      [root@conan zap]# file Z
    This command shows the compilation method used on the file. Here is a sample output:
      Z: ELF 32-bit LSB executable, Intel 80386, version 1 (Linux), statically linked, stripped
  • 8. File Analysis (contd).
      [root@conan zap]# strings -a Z
    This command shows if the file is compressed with UPX. Sample output (excerpt):
      Linux
      $Info: This file is packed with the UPX executable packer http://upx.sf.net$
      $Id: UPX 1.24 Copyright (C) 1996-2002 the UPX Team. All Rights Reserved. $
      UWVSQR
  • 9. File Analysis (contd). The following command decompresses (unpacks) the suspect file and stores the output in the file named foo:
      [root@conan zap]# upx -d Z -o foo
    Output:
      Ultimate Packer for executables
      Copyright © 1996, 1996, 1998, 1999, 2000, 2001, 2002
      UPX 1.24    Markus F.X.J. Oberhumer    Laszlo Molnar    Nov 7th 2002
      File size          Ratio     Format       Name
      -----------------  --------  -----------  ---------
      13160 <-  7423     56.40%    linux/386    foo
  • 10. File Analysis (contd). We can now run the following commands again: file Z; strings -a foo.
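The static triage of slides 6 to 10 (attributes, file type, UPX marker, printable strings) written as a small shell helper. This is an added example, not code from the slides or from the Prosise/Mandia book; it does not require file, strings or upx to be installed (upx is used only if present), the function names are ours, and the sample file it builds is constructed, not a real binary.

```shell
#!/bin/sh
# Added example: static triage of a suspect file, following slides 6-10.
# Needs only od, tr and grep; upx is called only when it is installed.

# First four bytes as hex, e.g. 7f454c46 for an ELF header.
magic_hex() {
    od -An -t x1 -N 4 "$1" | tr -d ' \n'
}

# Rough equivalent of "file": classify by magic number.
file_kind() {
    case "$(magic_hex "$1")" in
        7f454c46) echo elf ;;      # ELF executable or shared object
        4d5a*)    echo mz ;;       # "MZ": DOS/Windows executable or DLL
        2321*)    echo script ;;   # "#!": interpreter script
        *)        echo unknown ;;
    esac
}

# The marker that "strings -a" exposed on slide 8.
is_upx_packed() {
    grep -aq 'This file is packed with the UPX executable packer' "$1"
}

# Rough equivalent of "strings -a": printable runs of four or more characters.
ascii_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Run the whole sequence on one file, unpacking like "upx -d Z -o foo" when possible.
triage() {
    ls -al "$1"
    echo "kind: $(file_kind "$1")"
    if is_upx_packed "$1"; then
        echo "UPX marker present"
        if command -v upx >/dev/null 2>&1; then
            upx -d "$1" -o "$1.unpacked" || echo "upx -d failed"
        else
            echo "upx not installed; unpack on a workstation that has it"
        fi
    fi
    ascii_strings "$1"
}

# Constructed sample (not a real binary): ELF magic, two strings and the UPX banner.
make_sample() {
    {
        printf '\177ELF\001\001\001\000'
        printf 'socket\000/var/log/wtmp\000'
        printf '$Info: This file is packed with the UPX executable packer http://upx.sf.net$\000'
    } > "$1"
}

sample=$(mktemp)
make_sample "$sample"
triage "$sample"
rm -f "$sample"
```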
  • 11. STATIC ANALYSIS OF A HACKER TOOL. Static analysis is tool analysis performed without actually executing the rogue code. It involves the following steps: 1. Determine the type of file. 2. Review the ASCII and Unicode strings. 3. Perform online research. 4. Perform source code review.
  • 12. Determining the Type of File. Common file types include: Windows 95/98/NT/2000/XP executable or dynamically linked library (DLL); Linux a.out/elf/script; Solaris a.out/elf/script; DOS 32-bit COFF; DOS 16-bit .com file; DOS 16-bit executable; Atari ST/TT.
  • 13. Using the Unix File Command. The standard command for determining a file type on Unix systems is file:
      [root@conan zap] file *
  • 14. Using the Windows Exetype Command. The Windows equivalent of the file command is the NT Resource Kit tool exetype. It recognizes fewer file types than the file command.
  • 15. Reviewing the ASCII and Unicode Strings. Basic static analysis of object code involves examining the ASCII-formatted strings of the binary file. The strings command has the following syntax:
      strings -a filename
    This command line will display all ASCII strings contained in the object code that are four characters or longer.
  • 16. Hex editors. When all analysis fails, the hex editor is our friend. However, when performing static tool analysis, the hex editor is only slightly better than the strings command. It allows you to see Unicode and ASCII strings within a file at the same time.
  • 17. Performing Online Research. Perform online research to determine if the tool is publicly available on computer security or hacker sites. Compare any online tools identified with the tool you are analyzing. If the tool is not publicly available, then you will need to decompile the file to analyse its functions.
  • 18. Performing Source Code Review. With the source code available to you for review, you will be capable of determining exactly what a rogue program does. Performing source code review requires working knowledge of the programming language used to create the tool. Most popular exploits and tools are found in ANSI C and Microsoft Visual Basic scripting, so you should become familiar with these formats.
  • 19. DYNAMIC ANALYSIS OF A HACKER TOOL. In dynamic analysis, you execute rogue code and interpret its interaction with the host operating system. This can be dangerous on your forensic workstation. Our methodology includes the following tasks: monitor the time/date stamps to determine what files a tool affects; run the program to intercept its system calls; perform network monitoring to determine if any network traffic is generated; monitor how Windows-based executables interact with the Registry.
  • 20. Creating the Sandbox Environment. Get the operating system and architecture necessary to execute the object code properly. Install VMware on your test system. Turn on the Nonpersistent write option in configuration settings. Make sure that the test system is not connected to the Internet; execute rogue code on a closed network.
  • 21. Dynamic Analysis on a Unix System. Most applications execute in a memory area defined as user space, which is prohibited from accessing computer hardware and resources directly. User applications access these resources by requesting the kernel to perform the operations on their behalf. The user application makes these requests to the kernel via system calls.
  • 22. Using Strace. Unix has a tool that traces the use of system calls by an executed process. The strace command displays information about file access, network access, memory access, and many other system calls that a file makes when it is executed.
      [root@conan zap] strace -o strace.out ./zapdynamic
    This command line will store the interaction between the zap program and the operating system in a file called strace.out.
  • 23. Sample output.
      fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0
      mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
      ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
      write(1, "Error.\n", 7) = 7
      munmap(0x40014000, 4096) = 0
      _exit(7) = ?
  • 24. Examining Strace Output. Look out for the following system calls: the execve call; the brk system calls, which are used to allocate memory for the process; the mmap calls, which map a portion of a file into memory; the fstat call, which obtains information about the file that is referenced by the file descriptor; the close system calls, which are used to release a file descriptor when the process no longer needs the file or socket referenced.
  • 25. Using Shortcuts with Strace. Search the strace output file for open, read, write, unlink, lstat, socket, and close system calls. A shortcut is to use the option -e trace=file. To display all interactions with a network device, use the option -e trace=network. More combinations are available in the man page for strace. Save a copy of all the data transferred with the -e write option.
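A defender's post-processing pass over an "strace -o" trace, doing what slides 22 to 25 describe by hand: searching the file for the execve, open, unlink and socket-family calls that reveal which files a tool touches and whether it talks to the network. This is an added example, not code from the slides or the book; the trace it parses is a constructed sample in strace's line format, not a real tool's output, and the function names are ours.

```shell
#!/bin/sh
# Added example: summarise an "strace -o" trace file as slides 24-25 suggest.
# Filtering after the fact is equivalent to capturing with "strace -e trace=file"
# or "-e trace=network", but keeps the full trace for later questions.

# Programs started by the process (execve).
executed() {
    grep -E '^execve\(' | sed -E 's/^execve\("([^"]*)".*/\1/'
}

# Files opened with write intent (O_WRONLY, O_RDWR or O_CREAT); open and openat alike.
files_written() {
    grep -E '^open(at)?\([^"]*"[^"]*", [^)]*O_(WRONLY|RDWR|CREAT)' \
        | sed -E 's/^open(at)?\([^"]*"([^"]*)".*/\2/' | sort -u
}

# Files removed by the process (unlink, unlinkat).
files_unlinked() {
    grep -E '^unlink(at)?\(' | sed -E 's/^unlink(at)?\([^"]*"([^"]*)".*/\2/'
}

# Network activity: socket creation and the calls that move data over it.
network_calls() {
    grep -E '^(socket|connect|bind|listen|accept|sendto|recvfrom|sendmsg|recvmsg)\('
}

# Print all four views for one trace file.
summarize_strace() {
    echo "== executed =="; executed < "$1"
    echo "== files opened for writing =="; files_written < "$1"
    echo "== files unlinked =="; files_unlinked < "$1"
    echo "== network calls =="; network_calls < "$1"
}

# Constructed sample trace (not a real tool's output), in strace's line format.
strace_sample() {
cat <<'EOF'
execve("./zapdynamic", ["./zapdynamic", "root"], [/* 20 vars */]) = 0
brk(0)                                  = 0x804a000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
open("/etc/passwd", O_RDONLY)           = 3
close(3)                                = 0
open("/var/log/wtmp", O_RDWR)           = 3
fstat(3, {st_mode=S_IFREG|0664, st_size=12288, ...}) = 0
write(3, "\0\0\0\0\0\0\0\0"..., 384)    = 384
close(3)                                = 0
openat(AT_FDCWD, "/var/log/lastlog", O_RDWR) = 3
close(3)                                = 0
unlink("/var/log/secure")               = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("203.0.113.5")}, 16) = 0
_exit(0)                                = ?
EOF
}

trace=$(mktemp)
strace_sample > "$trace"
summarize_strace "$trace"
rm -f "$trace"
```

Read-only opens such as /etc/passwd are deliberately left out of the "opened for writing" view; they still appear in the full trace if you need them.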
  • 26. Conducting Analysis Beyond Strace. The strace utility cannot do everything. With strace, you cannot determine what the process is doing once it reads, writes, or receives values from the system calls. You need to resort to techniques such as debugging and decompiling. The debugger will allow you to step through every action a program takes during its execution.
  • 27. Recompile the GNU Binutils Package. The binutils package is installed on most versions of Linux, built to recognize a small number of object file types. Tools in the precompiled binutils package may build, view, disassemble, and otherwise alter a handful of Linux native executable files. Recompile the package with:
      ./configure --enable-targets=all
  • 28. Dynamic Analysis on a Windows System. You execute the rogue code and use utilities to watch how the rogue process interacts with the file system, the Registry, the APIs, and the operating system. For dynamic tool analysis of Windows applications, we use Filemon, Regmon, ListDLLs, Fport, and PsList. Filemon, Regmon, ListDLLs, and PsList can be obtained at: http://www.sysinternals.com
  • 29. Using Filemon. The Filemon utility (from the Sysinternals web site) provides a wiretap between running processes and the file system. It intercepts all access and queries a process makes to the file system. You can determine all of the files the program reads, writes to, and accesses to perform its unknown activity.
  • 30. (screenshot only)
  • 31. Using Regmon. Regmon taps a process's interaction with the Windows Registry. Some programs query, enumerate, and close more than 950 Registry keys upon execution. Regmon allows you to enter filters to focus your analysis on relevant entries. It provides immediate access to the Registry Editor (regedit). It provides a simple interface to monitor which programs write startup entries in the Registry and which programs query the network hardware in order to generate or receive network traffic.
  • 32. (screenshot only)
  • 33. Using ListDLLs. ListDLLs is available in the NT/2000 Resource Kit. It shows all of the DLLs needed by a process and enumerates the full pathnames of the DLLs loaded by the process. ListDLLs is helpful for detecting applications that have been modified (injected) with extra functionality. Viewing which DLLs the program is using may allow you to detect if the application is interacting with the network services at an API level or if it is attempting to bypass them. It works on programs that are currently running.
  • 34. Using Fport and PsList. Fport and PsList are critical tools for dynamic analysis on a Windows system. Fport should be used prior to and after executing a rogue process to determine if the rogue process opened any network sockets. PsList is useful to determine if a process changes its process name after execution.
  • 35. (screenshot only)
  • 36. (screenshot only)
  • 37. Conducting Further Analysis on Windows. The tools described in this chapter provide the first level of analysis; more comprehensive techniques are available. Decompiling and debugging are the next steps, using IDA Pro (an interactive disassembler) and SoftICE (a source-level debugger). They can be obtained at: IDA Pro: http://www.datarescue.com; SoftICE: http://www.compuware.com/products/devpartner/softice