de anonymizing live cds through physical memory analysis
play

De-Anonymizing Live CDs through Physical Memory Analysis Andrew - PowerPoint PPT Presentation

Dec 01, 2023 •282 likes •911 views

De-Anonymizing Live CDs through Physical Memory Analysis Andrew Case Senior Security Analyst Speaker Background Computer Science degree from the University of New Orleans Former Security Consultant for Neohapsis Worked for Digital

  1. De-Anonymizing Live CDs through Physical Memory Analysis Andrew Case Senior Security Analyst

  2. Speaker Background • Computer Science degree from the University of New Orleans • Former Security Consultant for Neohapsis • Worked for Digital Forensics Solutions since 2009 • Work experience ranges from penetration testing to reverse engineering to forensics investigations/IR to related research 2

  3. Agenda • Discuss Live CDs and how they disrupt the normal forensics process • Present research that enables traditional investigative techniques against live CDs • Discuss issues with Tor’s insecure handling of memory and present preliminary memory analysis research 3

  4. Normal Forensics Process Obtain Hard Drive Acquire Disk Image Verify Image Process Image Perform Investigation 4

  5. Traditional Analysis Techniques • Timelining of activity based on MAC times • Hashing of files • Indexing and searching of files and unallocated space • Recovery of deleted files • Application specific analysis – Web activity from cache, history, and cookies – E- mail activity from local stores (PST, Mbox, …) 5

  6. Problem of Live CDs • Live CDs allow users to run an operating system and all applications entirely in RAM • This makes traditional digital forensics (examination of disk images) impossible • All the previously listed analysis techniques cannot be performed 6

  7. The Problem Illustrated Obtain Hard Drive Acquire Disk Image Verify Image Process Image Perform Investigation 7

  8. No Disks or Files, Now What? • All we can obtain is a memory capture • With this, an investigator is left with very limited and crude analysis techniques • Can still search, but can’t map to files or dates – No context, hard to present coherently • File carving becomes useless – Next slide • Good luck in court 8

  9. File Carving • Used extensively to recover previously deleted files/data • Uses a database of headers and footers to find files within raw byte streams such as a disk image • Finds instances of each header followed by the footer • Example file formats: – JPEG - \xff\xd8\xff\xe0\x00\x10 - \xff\xd9 – GIF - \x47\x49\x46\x38\x37\x61 - \x00\x3b 9

  10. File Carving Cont. • File carving relies on contiguous allocation of files – Luckily modern filesystems strive for low fragmentation • Unfortunately for memory analysis, physical pages for files are almost never allocated contigously – Page size is only 4k so no structured file will fit – Is the equivalent of a completely fragmented filesystem 10

  11. People Have Caught On… • The Amnesic Incognito Live System (TAILS) [1] – “No trace is left on local storage devices unless explicitly asked.” – “All outgoing connections to the Internet are forced to go through the Tor network” • Backtrack [2] – “ability to perform assessments in a purely native environment dedicated to hacking.” 11

  12. What It Really Means… • Investigators without deep kernel internals knowledge and programming skill are basically hopeless • It is well known that the use of live CDs is going to defeat most investigations – Main motivation for this work – Plenty anecdotal evidence of this can be found through Google searches 12

  13. What is the Solution? • Memory Analysis! • It is the only method we have available… • This Analysis gives us: – The complete file system structure including file contents and metadata – Deleted Files (Maybe) – Userland process memory and file system information 13

  14. Goal 1: Recovering the File System • Steps needed to achieve this goal: 1. Understand the in-memory filesystem 2. Develop an algorithm that can enumerate directory and files 3. Recover metadata to enable timelining and other investigative techniques 14

  15. The In-Memory Filesystem • AUFS (AnotherUnionFS) – http://aufs.sourceforge.net/ – Used by TAILS, Backtrack, Ubuntu 10.04 installer, and a number of other Live CDs – Not included in the vanilla kernel, loaded as an external module 15

  16. AUFS Internals • Stackable filesystem • Presents a multilayer filesystem as a single one to users • This allows for files created after system boot to be transparently merged on top of read only CD • Each layer is termed a branch • In the live CD case, one branch for the CD, and one for all other files made or changed since boot 16

  17. AUFS Userland View of TAILS # cat /proc/mounts Mount aufs / aufs rw,relatime,si= 4ef94245 ,noxino points relevant /dev/loop0 /filesystem.squashfs squashfs to AUFS tmpfs /live/cow tmpfs tmpfs /live tmpfs rw,relatime The # cat /sys/fs/aufs/si_ 4ef94245 /br0 mount point of /live/cow=rw each AUFS # cat /sys/fs/aufs/si_ 4ef94245 /br1 branch /filesystem.squashfs=rr 17

  18. Forensics Approach • No real need to copy files from the read-only branch – Just image the CD • On the other hand, the writable branch contains every file that was created or modified since boot – Including metadata – No deleted ones though, more on that later 18

  19. Linux Internals Overview I • struct dentry – Represents a directory entry (directory, file, …) – Contains the name of the directory entry and a pointer to its inode structure • struct inode – FS generic, in-memory representation of a disk inode – Contains address_space structure that links an inode to its file’s pages • struct address_space – Links physical pages together into something useful – Holds the search tree of pages for a file 19

  20. Linux Internals Overview II • Page Cache – Used to store struct page structures that correspond to physical pages – address_space structures contain linkage into the page cache that allows for ordered enumeration of all physical pages pertaining to an inode • Tmpfs – In-memory filesystem – Used by TAILS to hold the writable branch 20

  21. Enumerating Directories • Once we can enumerate directories, we can recover the whole filesystem • Not as simple as recursively walking the children of the file system’s root directory • AUFS creates hidden dentrys and inodes in order to mask branches of the stacked filesystem • Need to carefully interact between AUFS and tmpfs structures 21

  22. Directory Enumeration Algorithm 1) Walk the super blocks list until the “ aufs ” filesystem is found • This contains a pointer to the root dentry 2) For each child dentry, test if it represents a directory If the child is a directory: • Obtain the hidden directory entry (next slide) • Record metadata and recurse into directory If the child is a regular file: • Obtain the hidden inode and record metadata 22

  23. Obtaining a Hidden Directory • Each kernel dentry stores a pointer to an au_dinfo structure inside its d_fsdata member • The di_hdentry member of au_dinfo is an array of au_hdentry structures that embed regular kernel dentrys struct dentry struct au_dinfo Branch Dentry { { 0 Pointer d_inode au_hdentry d_name 1 Pointer } d_subdirs d_fsdata } 23

  24. Obtaining Metadata • All useful metadata such as MAC times, file size, file owner, etc is contained in the hidden inode • This information is used to fill the stat command and istat functionality of the Sleuthkit • Timelining becomes possible again 24

  25. Obtaining a Hidden Inode • Each aufs controlled inode gets embedded in an aufs_icntnr • This structure also embeds an array of au_hinode structures which can be indexed by branch number to find the hidden inode of an exposed inode struct Branch struct inode struct au_iinfo aufs_icntnr { 0 Pointer { ii_hinode 1 Pointer iinfo } inode } 25

  26. Goal 2: Recovering File Contents • The size of a file is kept in its inode’s i_size member • An inode’s page_tree member is the root of the radix tree of its physical pages • In order to recover file contents this tree needs to be searched for each page of a file • The lookup function returns a struct page which leads to the backing physical page 26

  27. Recovering File Contents Cont. • Indexing the tree in order and gathering of each page will lead to accurate recovery of a whole file • This algorithm assumes that swap isn’t being used – Using swap would defeat much of the purpose of anonymous live CDs • Tmpfs analysis is useful for every distribution – Many distros mount /tmp using tmpfs, shmem, etc 27

  28. Goal 3: Recovering Deleted Info • Discussion: 1. Formulate Approach 2. Discuss the kmem_cache and how it relates to recovery 3. Attempt to recover previously deleted file and directory names, metadata, and file contents 28

  29. Approach • We want orderly recovery • To accomplish this, information about deleted files and directories needs to be found in a non-standard way – All regular lists, hash tables, and so on lose track of structures as they are deleted • Need a way to gather these structures in an orderly manner — kmem_cache analysis to the rescue! 29

  30. Recovery though kmem_cache analysis • A kmem_cache holds all structures of the same type in an organized manner – Allows for instant allocations & deallocations – Used for handling of process, memory mappings, open files, and many other structures • Implementation controlled by allocator in use – SLAB and SLUB are the two main ones 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

De-Anonymizing Live CDs through Physical Memory Analysis

De-Anonymizing Live CDs through Physical Memory Analysis

De-Anonymizing Live CDs through Physical Memory Analysis Andrew Case Senior Security Analyst Speaker Background Computer Science degree from the University

644 views • 61 slides
Virtual Memory Programmer can assume he/she has infinite amount of physical memory

Virtual Memory Programmer can assume he/she has infinite amount of physical memory

4/27/17 Virtual Memory Idea: Give the programmer the illusion of a large address space while having a small physical memory So that the programmer does not worry about managing physical memory Virtual Memory Programmer can assume

817 views • 12 slides
A Few Problems with Physical Addressing Main memory 0: 1: Physical address 2: Virtual Memory

A Few Problems with Physical Addressing Main memory 0: 1: Physical address 2: Virtual Memory

A Few Problems with Physical Addressing Main memory 0: 1: Physical address 2: Virtual Memory 3: (PA) CPU 4: 4 5: Process Abstraction, Part 2: Private Address Space 6: 7: 8: ... M-1: Motivation : why not direct physical memory

376 views • 6 slides
lecture 16 virtual vs. physical memory - types of physical memory - paging Wed. March 9,

lecture 16 virtual vs. physical memory - types of physical memory - paging Wed. March 9,

lecture 16 virtual vs. physical memory - types of physical memory - paging Wed. March 9, 2016 MIPS Memory next three lectures virtual address physical address 514 - 398 - 3740 cell tower

311 views • 27 slides
Virtual Memory Logical address space can therefore be much larger than physical address

Virtual Memory Logical address space can therefore be much larger than physical address

CSC 4103 - Operating Systems Background Spring 2007 Virtual memory separation of user logical memory from physical memory. Only part of the program needs to be in memory for Lecture - XIII execution. Virtual Memory Logical

309 views • 7 slides
Last Class: Memory Management Allocating memory to processes Limited physical memory,

Last Class: Memory Management Allocating memory to processes Limited physical memory,

Last Class: Memory Management Allocating memory to processes Limited physical memory, internal and external fragmentation Paging and segmentation Address translation, efficiency Hardware support (e.g., TLB) Page

513 views • 13 slides
MIPS Memory lecture 16 virtual address physical address

MIPS Memory lecture 16 virtual address physical address

MIPS Memory lecture 16 virtual address physical address virtual vs. physical memory 514 - 398 - 3740 - types of physical memory - paging Wed. March 9, 2016 next three lectures cell tower

460 views • 3 slides
Virtual Memory Concept A mechanism for hiding the details of how much physical memory exists

Virtual Memory Concept A mechanism for hiding the details of how much physical memory exists

1 2 Virtual Memory Concept A mechanism for hiding the details of how much physical memory exists and how its being shared Allows the OS to EE 457 Unit 7c Efficiently share the physical memory between several _______ ___________

380 views • 11 slides
x (Actually, its smaller than that heap Process 3 What goes

x (Actually, its smaller than that heap Process 3 What goes

11/20/15 Virtual Memory Physical Addressing Motivation: why not direct physical memory access? Main memory Address translation with pages 0: 1: Optimizing translation: translation

431 views • 12 slides
Last class: Virtual Memory Today: Virtual Memory Uses Efficient Use of Physical

Last class: Virtual Memory Today: Virtual Memory Uses Efficient Use of Physical

Last class: Virtual Memory Today: Virtual Memory Uses Efficient Use of Physical Memory Through virtual memory N 2 32 -sized address spaces All isolated by default Uses for memory Make a new process Address

516 views • 22 slides
Memory and I/O buses I/O bus 1880Mbps 1056Mbps Memory CPU Crossbar CPU accesses physical

Memory and I/O buses I/O bus 1880Mbps 1056Mbps Memory CPU Crossbar CPU accesses physical

Memory and I/O buses I/O bus 1880Mbps 1056Mbps Memory CPU Crossbar CPU accesses physical memory over a bus Devices access memory over I/O bus with DMA Devices can appear to be a region of memory 1 / 41 Realistic ~2005 PC

1.54k views • 50 slides
L2L L2L Live Live to e to e-Lea Learning rning Bridging physical and virtual classrooms

L2L L2L Live Live to e to e-Lea Learning rning Bridging physical and virtual classrooms

L2L L2L Live Live to e to e-Lea Learning rning Bridging physical and virtual classrooms using an integrated lecture capture and delivery service Matteo Bertazzo - CINECA InterUniversity Consortium 3 rd TF-Media Task Force meeting,

521 views • 21 slides
Lecture 19: Virtual Memory Virtual Memory concept, Virtual- physical translation, page table,

Lecture 19: Virtual Memory Virtual Memory concept, Virtual- physical translation, page table,

Lecture 19: Virtual Memory Virtual Memory concept, Virtual- physical translation, page table, TLB, Alpha 21264 memory hierarchy 1 Adapted from UC Berkeley CS252 S01 Virtual Memory Virtual memory (VM) allows programs to have the illusion of a

711 views • 23 slides
The hard work behind large physical memory allocations in the kernel Vlastimil Babka SUSE Labs

The hard work behind large physical memory allocations in the kernel Vlastimil Babka SUSE Labs

The hard work behind large physical memory allocations in the kernel Vlastimil Babka SUSE Labs vbabka@suse.cz Physical Memory Allocator Physical memory is divided into several zones 1+ zone per NUMA node Binary buddy allocator for

537 views • 51 slides
Virtual Memory: Demand Paging and Replacment Virtual Memory Illustrated virtual physical

Virtual Memory: Demand Paging and Replacment Virtual Memory Illustrated virtual physical

Virtual Memory: Demand Paging and Replacment Virtual Memory Illustrated virtual physical backing executable memory memory storage file (big) (small) header text pageout/eviction text data data idata data BSS wdata symbol user

356 views • 17 slides
Programmed I/O: isolated vs. memory-mapped When we discussed physical addresses of memory, we

Programmed I/O: isolated vs. memory-mapped When we discussed physical addresses of memory, we

COMP 273 20 - memory mapped I/O, polling, DMA Mar. 23, 2016 This lecture we will look at several methods for sending data between an I/O device and either main memory or the CPU. (Recall that we are considering the hard disk to be an I/O

171 views • 6 slides
Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class of students Teaching digital forensics in a large class Teaching forensics at of students UL FRI Generating customized disk images Gaper Fele-or University of Ljubljana, Faculty of

446 views • 23 slides
Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with

Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with

Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with Brian Levine & Patrick Stahlberg) University of Massachusetts, Amherst History a record of past data and operations performed on a system.

777 views • 29 slides
Nationwide Cyber Situational Awareness Framework for Critical In Infrastructures Hayretdin

Nationwide Cyber Situational Awareness Framework for Critical In Infrastructures Hayretdin

A A Conceptual Nationwide Cyber Situational Awareness Framework for Critical In Infrastructures Hayretdin Bahi , Olaf Manuel Maennel Centre For Digital Forensics and Cyber Security Tallinn University of Technology Evolvement of Cyber

470 views • 13 slides
Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking for: attribution, alibis and statements, intent, evaluation of source, document authentication File carving ( e.g. , bifragment gap carving)

630 views • 13 slides
Vassil Roussev Candice Quates The M57 Case Study Introduction 2 M57: The company & setup

Vassil Roussev Candice Quates The M57 Case Study Introduction 2 M57: The company & setup

DFRWS12 /Aug 5-8 2012/Washington DC Vassil Roussev Candice Quates The M57 Case Study Introduction 2 M57: The company & setup Employees: o President: Pat McGoo o IT: Terry o Researchers: Jo, Charlie Period o 11/16/2009

673 views • 50 slides
Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136, Spring 2014 Purpose of Class To introduce students to computer security issues To familiarize students with secure software development

1.18k views • 72 slides
Einfhrung in Visual Computing Unit 5: Image Encoding and Compression http://

Einfhrung in Visual Computing Unit 5: Image Encoding and Compression http://

12.03.2013 Einfhrung in Visual Computing Unit 5: Image Encoding and Compression http:// www.caa.tuwien.ac.at/cvl/teaching/sommersemester/evc Content: Introduction to Encoding Image File Formats Information vs. Data Introduction

414 views • 40 slides
WWW Davide Rossi Aprile 2002 Table of contents Table of contents Part I Colors and Color

WWW Davide Rossi Aprile 2002 Table of contents Table of contents Part I Colors and Color

Formati grafici e Multimediali WWW Davide Rossi Aprile 2002 Table of contents Table of contents Part I Colors and Color Systems WWW Still Images: Bitmaps, Vectors & Metafiles Part II Data Compression Pixel Packing, RLE, LZ, Huffman,

937 views • 58 slides

More recommend