Hide and Seek – Interesting uses of forensics and covert channels
Tonimir Kišasondi, mag.inf., EUCIP
In this talk, we will discuss some interesting uses of forensic methods like memory extraction and carving in non-law enforcement scenarios. Also, some interesting methods for achieving covert channels will be covered with their detection possibilities.
Bio: Junior researcher at the Faculty of Organization and Informatics with interest in Security, Cryptography and FLOSS.

$ whois tkisason
Junior researcher @ foi.hr
Likes:
  • Security
  • Crypto
  • Gnu/Linux
  • Interesting security problems
e-mail: tonimir.kisasondi@foi.hr
skype: tkisason
$ topic of this talk
A quick overview of some interesting:
  • Forensics methods
  • Memory imaging
  • Memory carving
  • Covert channels
  • Detecting conventional channels
  • Creating useful covert channels
$ forensics for non law enforcement uses?
Useful for data recovery
You can protect your files, but you can't protect your RAM
1. Dig deep
2. Find interesting problems
3. ???
4. Profit!
$ memory imaging
/dev/mem is restricted on newer versions of the Linux kernel
Alternatives:
  • Reboot the system with an imager
  • PCI imagers
  • Insert a kernel module that can access the address space
/dev/fmem: http://hysteria.sk/~niekt0/foriana/fmem_current.tgz
Simply dd /dev/fmem or grep -a
$ memory secrets leakage
Pidgin's passwords stored in 5 places
  • 00 00 1E 00 00 00 00 00 00 00
  • Plaintexted in ~/.pidgin also
• Various pieces of plaintext / passwords can be obtained from memory
• ASLR - YMMV
• Cryptographic algorithms can be identified
  • S-boxes and P-boxes, seeds, structures
  • Initialization vectors
  • https://github.com/fwhacking/bfcrypt
$ memory carving
    tony@blackbox:~/0drive$ sudo photorec /d recovery bbox-memory.img
    [sudo] password for tony:
    PhotoRec 6.11, Data Recovery Utility, April 2009
    tony@blackbox:~/0drive$ ls recovery* | wc -l
    620
$ file/mem carving
Use scalpel: http://www.digitalforensicssolutions.com/Scalpel/
/etc/scalpel/scalpel.conf is frugal at start
Uncomment file headers
Good thing is we can add additional signatures...
$ memory carving
    tony@blackbox:~/0drive$ sudo scalpel -o recovery/ blackbox-mem.img
    Scalpel version 1.60
    Written by Golden G. Richard III, based on Foremost 0.69.

    Opening target "/home/tony/0drive/blackbox-mem.img"

    Image file pass 1/2.
    blackbox-mem.img: 100.0% |*************************************************| 3.2 GB 00:00 ETA
    Allocating work queues...
    Work queues allocation complete. Building carve lists...
    Carve lists built. Workload:
    ...
    gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x3b" --> 855 files
    jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 2459 files
    png with header "\x50\x4e\x47\x3f" and footer "\xff\xfc\xfd\xfe" --> 3176 files
    ...
    Carving files from image.
    Image file pass 2/2.
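As an added example (not code from the talk, and not scalpel's own), the header/footer matching that scalpel performs, reduced to a few lines of Python and run over a constructed memory image. The gif/jpg signatures are the ones printed above; the size caps, the sample data and the policy for footerless headers are assumptions of this example.

```python
# Minimal scalpel.conf-style carver: (header, footer, maximum carve size) per type.
SIGNATURES = {
    "gif": (b"\x47\x49\x46\x38\x39\x61", b"\x00\x3b", 5_000_000),       # bytes as on the slide
    "jpg": (b"\xff\xd8\xff\xe0\x00\x10", b"\xff\xd9", 200_000_000),     # bytes as on the slide
}

def carve(image, signatures=SIGNATURES):
    """Return (kind, offset, payload) for every header whose footer lies within the cap.

    A header with no footer inside its cap is skipped (an assumed, conservative
    policy for this example; scalpel has its own handling for footerless hits).
    """
    found = []
    for kind, (header, footer, cap) in signatures.items():
        start = 0
        while (h := image.find(header, start)) != -1:
            window = image[h + len(header):h + cap]      # search region bounded by the cap
            f = window.find(footer)
            if f == -1:
                start = h + 1                             # no footer in range: move past header
                continue
            end = h + len(header) + f + len(footer)
            found.append((kind, h, image[h:end]))
            start = end                                   # resume after the carved file
    return sorted(found, key=lambda t: t[1])

# Constructed sample image: deterministic filler around two tiny file bodies and
# one truncated JPEG header that has no footer at all (the edge case).
FILLER = bytes(range(256)) * 4
GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff"
       + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x00\x3b")
JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 20 + b"\xff\xd9"
TRUNCATED_JPG = b"\xff\xd8\xff\xe0\x00\x10" + b"\x00" * 8
SAMPLE_IMAGE = FILLER + GIF + FILLER + JPG + FILLER + TRUNCATED_JPG

if __name__ == "__main__":
    for kind, off, payload in carve(SAMPLE_IMAGE):
        print(f"{kind} @ {off:#x} ({len(payload)} bytes)")
```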
$ runtime extraction of RSA/DSA keys
    tony@blackbox:~$ sudo ./passe-partout 729
    Target has pid 729
    => 0x7f8e0ba5c000 0x7f8e0ba68000 r-xp 00000000 08:01 3416607
    => 0x7f8e0ba68000 0x7f8e0bc67000 ---p 0000c000 08:01 3416607
    ...
    found RSA key @ 0x7f8e0fad7e20
    [X] Key saved to file id_rsa-1.key
    done for pid 729
apache, openssh, openvpn
$ grep is your friend
grep -a is really useful. Try some of the following:
  • -----BEGIN RSA
  • -----BEGIN PGP
  • -----BEGIN OpenVPN Static
  • ssh-rsa
  • ssh-dsa
  • usernames
$ covert channels?
Opposite from forensics :)
Data hiding: Files, protocols
"An adversary can always transmit one bit at a time"
Tony's rule 183: Any structure in a covert channel destroys its covertness.
Some interesting covert channels:
  • TCSteg
  • OutGuess
$ TCSteg -> http://keyj.s2000.at/?p=458
$ Truecryptish problems
  • File mod 256 == 0
  • Filesize > 16Kb
  • H(File) ~ 7.5
  • Header != /usr/share/misc/magic
Yes, a filesystem in an encrypted volume CAN be carved :)
TC = relatively OK
LUKS leaks... = LUKS\xba\xbe
File in file embedding leaks magic bytes
Outguess and similar known stego tools can be easily detected
$ interesting channels
Most formats that have strict footers can be "injected" – bmp for one example
Injecting data in FLV? - why not!
In short: Any structure leaks possible data. Perfect randomness "leaks" encryption.
$ interesting channels
A typical flv/video file is highly random:
    In [27]: entropy(cat)
    Out[27]: 7.8086139822740126
  • Always map data into the same character range
  • Avoid disrupting changes that increase entropy
  • Avoid magic bytes and known patterns
Youtube/You**** is so common that you simply hide the data in the mass traffic.
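An added example (not the talk's code) serving the "Truecryptish problems" checklist and the entropy(cat) measurement above: the four headerless-volume heuristics from the slide and a byte-entropy function, run over constructed samples. The magic list beyond the LUKS bytes on the slide, the thresholds and the sample data are assumptions of this example.

```python
import math
import random
from collections import Counter

KNOWN_MAGIC = {
    b"LUKS\xba\xbe": "luks",        # the LUKS header bytes the slide says leak
    b"\x89PNG\r\n\x1a\n": "png",    # remaining entries: well-known magics added for
    b"\xff\xd8\xff": "jpg",         # this example, so "no known magic" has something to hit
    b"GIF8": "gif",
    b"FLV\x01": "flv",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def known_magic(data: bytes):
    return next((name for magic, name in KNOWN_MAGIC.items() if data.startswith(magic)), None)

def classify(data: bytes, min_size=16 * 1024, min_entropy=7.5):
    """Return (label, hits). 'magic:<type>' when a header leaks the format (LUKS case),
    'suspect' when all four slide heuristics fire, 'unremarkable' otherwise."""
    name = known_magic(data)
    if name is not None:
        return f"magic:{name}", []
    hits = ["no known magic"]
    if len(data) % 256 == 0:
        hits.append("size % 256 == 0")
    if len(data) > min_size:
        hits.append(f"size > {min_size}")
    if entropy(data) >= min_entropy:
        hits.append(f"entropy >= {min_entropy}")
    return ("suspect" if len(hits) == 4 else "unremarkable"), hits

# Constructed samples, seeded so the results are repeatable.
_rng = random.Random(1)
RANDOM_VOLUME = bytes(_rng.getrandbits(8) for _ in range(32 * 1024))   # headerless, high entropy
LUKS_LIKE = b"LUKS\xba\xbe" + RANDOM_VOLUME[6:]                        # same bytes, leaks magic
TEXT_FILE = b"The quick brown fox jumps over the lazy dog.\n" * 1000   # structured, low entropy

if __name__ == "__main__":
    for label, sample in [("random", RANDOM_VOLUME), ("luks", LUKS_LIKE), ("text", TEXT_FILE)]:
        print(label, round(entropy(sample), 3), classify(sample))
```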
$ interesting channels
Filesystem fragmentation – No structure
  • http://goo.gl/dfhfR
Distributed covert channels? – On my github soon :)
$ :)
$ Knowledge is power with biliteral cipher
$ questions?
$ Thank you
You can find the most updated version of these slides on my slideshare (tkisason).
