digital forensics for ssc solvers
play

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital - PowerPoint PPT Presentation

Apr 03, 2023 •96 likes •307 views

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to collect and analyze (digital) evidence Three basic phases Data collection, Analysis, Reporting Triage Various sources of information

  1. Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT

  2. Digital Forensics • Methods to collect and analyze (digital) evidence • Three basic phases – Data collection, Analysis, Reporting – Triage • Various sources of information – Host, network • Online (live) vs. Offline analysis • https://wiki.egi.eu/wiki/Forensic_Howto

  3. Triage – is there an incident or not? • Minimize actions – Every contact leaves a trace • Quickly examine the system – Looking for anomalies – Even minor things may matter • If incident is confirmed- isolate services/machines – Proceed to contain incident

  4. Starting investigation • Leif Nixon’s cup of tea/coffee • Any applicable policies? • Security contact(s), teams, … • Do some documentation, note times – Save outputs • Do communication • Isolate the system

  5. Live analysis • Part of triage • Checking live system is often important – Access to memory and working system • Memory can be gathered – Hard to hide something – Processes are “unlocked” – Data can only be available from memory – Independent view on OS structures • But the system may not be yours anymore!

  6. Performing live analysis • Before you start, secure evidence that could be changed – Snapshot(s), take FS metadata, (RAM) • Start with introspection of the whole system – Network connections, running processes, …. – Note processes for additional analysis • After that, examine suspicious processes – resources used – recover files – obtain memory dumps

  7. Processes • A process is an instance of a program – Program is usually an executable file on a disk • Process keeps data in memory, uses system resources – Sometimes released only during termination • Processes form a hierarchy

  8. System examination • Closer look at processes – Strange names, executables – Distributions of PIDs, relationships, CPU consumption • Resources in use • Memory, open sockets (files, networks), shared memory • Investigations – User-space commands (common commands) – Check kernel structures • Correlation of command outputs, access lower-level info

  9. Commands needed • Commands – ps , netstat , lsof • Kernel structures – /proc/$PID • Document/record the process – Keep track of issued commands – Save outputs • Ramdisks (/dev/shm) might be an option

  10. /proc records /proc/31418 -r--r--r-- 1 kouril kouril 0 May 5 18:46 cmdline lrwxrwxrwx 1 kouril kouril 0 May 5 18:46 cwd -> /tmp -r-------- 1 kouril kouril 0 May 5 18:46 environ lrwxrwxrwx 1 kouril kouril 0 May 5 18:46 exe -> /usr/bin/wget dr-x------ 2 kouril kouril 0 May 5 18:46 fd lrwx------ 1 kouril kouril 64 May 5 18:46 0 -> /dev/pts/47 lrwx------ 1 kouril kouril 64 May 5 18:46 1 -> /dev/pts/47 lrwx------ 1 kouril kouril 64 May 5 18:46 2 -> /dev/pts/47 lrwx------ 1 kouril kouril 64 May 5 18:46 3 -> socket:[3097580] l-wx------ 1 kouril kouril 64 May 5 18:46 4 -> /tmp/ubuntu-19.04-desktop- amd64.iso?_ga=2.213675796.1604966281.1557074696-1247976767.1557074696

  11. Deleted files • Unix keeps deleted files open until they are closed • ls /proc/$PID/exe : – lrwxrwxrwx 1 kouril kouril 0 May 4 07:31 exe -> /tmp/wget (deleted) • Proc’s “symbolic links” can be used for easy recovering the data – cp /cat/… /proc/$PID/exe /tmp/dest – The process must be still running! • Both executable and open files (see the fd directory)

  12. Open files (lsof -p 31418 – n) COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME wget 31418 kouril cwd DIR 252,0 36864 524291 /tmp wget 31418 kouril rtd DIR 252,0 4096 2 / wget 31418 kouril txt REG 252,0 407696 393524 /usr/bin/wget wget 31418 kouril mem REG 252,0 43616 1049154 /lib/x86_64-linux-gnu/ libnss_files-2.19.so wget 31418 kouril mem REG 252,0 3165552 394658 /usr/lib/locale/locale-arc wget 31418 kouril mem REG 252,0 14664 1064472 /lib/x86_64-linux-gnu/libd wget 31418 kouril mem REG 252,0 1857312 1064478 /lib/x86_64-linux-gnu/libc wget 31418 kouril mem REG 252,0 18936 1050745 /lib/x86_64-linux-gnu/libu wget 31418 kouril mem REG 252,0 207128 397935 /usr/lib/x86_64-linux-gnu/ wget 31418 kouril mem REG 252,0 100728 1048634 /lib/x86_64-linux-gnu/libz wget 31418 kouril mem REG 252,0 1938752 1050644 /lib/x86_64-linux-gnu/libc wget 31418 kouril mem REG 252,0 387272 1050636 /lib/x86_64-linux-gnu/libs wget 31418 kouril mem REG 252,0 149120 1064460 /lib/x86_64-linux-gnu/ld-2 wget 31418 kouril mem REG 252,0 26258 671480 /usr/lib/x86_64-linux-gnu/ wget 31418 kouril 0u CHR 136,47 0t0 50 /dev/pts/47 wget 31418 kouril 1u CHR 136,47 0t0 50 /dev/pts/47 wget 31418 kouril 2u CHR 136,47 0t0 50 /dev/pts/47 wget 31418 kouril 3u IPv4 3101285 0t0 TCP 127.0.0.1:44280->127.0.0.1 wget 31418 kouril 4w REG 252,0 14777874 573900 /tmp/ubuntu-19.04-desktop-

  13. Open network connections (netstat – tnp) Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:9050 127.0.0.1:34902 ESTABLISHED - tcp 0 0 127.0.0.1:44280 127.0.0.1:8118 ESTABLISHED 31418/wget

  14. Dumping process memory • gcore – p PID – o dump – Part of the GDB package • Outputs an ELF file (see later) containing the process memory

  15. Executable file analysis • Static analysis • Dynamic analysis

  16. ELF

  17. Look inside an ELF executable https://binvis.io/

  18. Static analysis of binary files • Determine the type file /bin/bash /bin/bash: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=7e4c4de7a4d259aeb0896fd579609bb6c27fae8d, stripped • Content analysis – Break down individual ELF sections and analyse them • .rodata - constants (strings) • .data - global tables, variables • .text • readelf – Or do quick examination of the file • Human readable strings – strings – a <binary> • Strings often point to username, file paths, function names, . . . • Malware producers tend to obfuscate important strings – XOR, base64, . . . – Dynamic calls to library functions – dlopen(), dlsym()

  19. Countermeasures • Encoded (packed) binaries – Binary is encoded by a customized algorithm and gets unpacked only during executions – UPX (easy to unpack), or its modifications – Also for scripts – self-executable archives • Obfuscated scripts – very often used for PHP or Javascript

  20. Next Session • A joint walk-through the SSC malware • 35 VMs available for hands-on exercise • SSH client necessary, access credentials will be circulated

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

About this presentation : Learning : What is Digital Forensics ? Political : Digital

About this presentation : Learning : What is Digital Forensics ? Political : Digital

An introduction to digital forensics About this presentation : Learning : What is Digital Forensics ? Political : Digital Forensics and Open Sources licensing Tool time : Digital Forensics Framework Presented by Solal Jacob core dev.

444 views • 30 slides
Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking for: attribution, alibis and statements, intent, evaluation of source, document authentication File carving ( e.g. , bifragment gap carving)

630 views • 13 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides
Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

FloCon 2015 Conference January 15, 2015 Portland, Oregon Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively Resolve Computer Security Incidents in Organizations JESUS RAMIREZ PICHARDO (PMP, GCFA,

333 views • 30 slides
Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class of students Teaching digital forensics in a large class Teaching forensics at of students UL FRI Generating customized disk images Gaper Fele-or University of Ljubljana, Faculty of

446 views • 23 slides
Introduction Why is the Study of Digital Forensics Relevant? What is Digital/Computer

Introduction Why is the Study of Digital Forensics Relevant? What is Digital/Computer

Introduction to Digital Forensics Introduction Why is the Study of Digital Forensics Relevant? What is Digital/Computer Forensics? What do you Need for a Careers in Computer Digital Forensics? Educational Background

509 views • 29 slides
Digital Forensics Unraveling Incidents one byte at a time Digital Forensics Characteristics of

Digital Forensics Unraveling Incidents one byte at a time Digital Forensics Characteristics of

Digital Forensics Unraveling Incidents one byte at a time Digital Forensics Characteristics of Digital Evidence: Admissible evidence must be related to the fact being proved Authentic evidence must be real and related to the

1.13k views • 68 slides
Digital Forensics: A Cybersecurity Approach Hector Rivera Basiru Mohammed Michael Marin Robert

Digital Forensics: A Cybersecurity Approach Hector Rivera Basiru Mohammed Michael Marin Robert

Digital Forensics: A Cybersecurity Approach Hector Rivera Basiru Mohammed Michael Marin Robert Malegiannakis Ricardo Justiniano Introduction - What is Digital Forensics? Digital forensics defined - The process of recovering and interpreting

478 views • 30 slides
Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics &amp; Watermarking P. J. Bateman, A. T. S. Ho, and J. A. Briffa This research is sponsored by an EPSRC/Charteris CASE Award Image Forensics

703 views • 38 slides
CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic

CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic

CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic 20/10/2011 r.ludwiniak@napier.ac.uk Lecture Objectives 1. History and definition of Digital Forensics 2. Context for an investigation 3. An overview of

1.04k views • 65 slides
Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using

Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using

Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using SMT-LIB 2.5 Clifford Wolf 1 Abstract Bounded model checking and other SAT-based formal methods are an important part of todays digital design

773 views • 52 slides
Challenges in Digital Forensic Research R.I. Ferguson ian.ferguson@abertay.ac.uk 2 minute

Challenges in Digital Forensic Research R.I. Ferguson ian.ferguson@abertay.ac.uk 2 minute

Challenges in Digital Forensic Research R.I. Ferguson ian.ferguson@abertay.ac.uk 2 minute intro to Digital Forensics Some challenges scale cloud the encryption boundary anti-forensics Digital Forensics in 2 mins

415 views • 7 slides
Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico

Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico

Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico Marziale, Golden G. Richard III, Vassil Roussev Me: Professor of Computer Science Co-founder, Digital Forensics Solutions golden@cs.uno.edu

489 views • 28 slides
HACKING PARIS 2014 EXTREME FORENSICS RELOADES 2Q /2014 Alvaro Alexander Soto Digital Forensics

HACKING PARIS 2014 EXTREME FORENSICS RELOADES 2Q /2014 Alvaro Alexander Soto Digital Forensics

HACKING PARIS 2014 EXTREME FORENSICS RELOADES 2Q /2014 Alvaro Alexander Soto Digital Forensics Lab Director HTCIA/ICFP/ACM/IEEE/ACIS/ISSA asoto@asoto.com INTENDED AUDIENCE Forensic lab directors / analysts - Law enforcement - Researchers -

568 views • 36 slides
Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide

Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide

Linux Memory Analysis Workshop Session 1 Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide ranging forensics investigations Volatility Developer Former Blackhat, SOURCE, and DFRWS speaker

1.64k views • 162 slides
Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE

Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE

A RIZONA S TATE U NIVERSITY Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE U NIVERSITY Common Types of Attacks Phishing Malware SQLi XSS MITM DoS Brute-force &amp;

858 views • 55 slides
Infinite transducers on terms denoting graphs Ir` ene Durand and Bruno Courcelle LaBRI,

Infinite transducers on terms denoting graphs Ir` ene Durand and Bruno Courcelle LaBRI,

Infinite transducers on terms denoting graphs Ir` ene Durand and Bruno Courcelle LaBRI, Universit e de Bordeaux June, 2013 European Lisp Symposium, ELS2013 Objectives What : Compute information about finite graphs Verify properties

683 views • 30 slides
Whats new in Sudo 1.8? Pluggable modules for Sudo

Whats new in Sudo 1.8? Pluggable modules for Sudo

Whats new in Sudo 1.8? Pluggable modules for Sudo Introduc=on to Sudo Sudo allows a system administrator to give users the ability

439 views • 24 slides
Configuring and Analyzing Kernel Crash Dumps Stefan Seyfried B1 Systems GmbH Osterfeldstrae 7

Configuring and Analyzing Kernel Crash Dumps Stefan Seyfried B1 Systems GmbH Osterfeldstrae 7

Configuring and Analyzing Kernel Crash Dumps Stefan Seyfried B1 Systems GmbH Osterfeldstrae 7 85088 Vohburg Germany &lt; seyfried@b1-systems.de &gt; 1 Configuring and Analyzing Kernel Crash Dumps Did you ever want to investigate that

90 views • 6 slides
Security Hardened Kernels for Linux Servers Masters Thesis by Sowgandh Sunil Gadi Thesis

Security Hardened Kernels for Linux Servers Masters Thesis by Sowgandh Sunil Gadi Thesis

Security Hardened Kernels for Linux Servers Masters Thesis by Sowgandh Sunil Gadi Thesis Director: Dr. Prabhaker Mateti Gadi/MSThesis/4-12-2004 1 Outline Problem: Server security Thesis contribution Prevention of buffer overflow

1.28k views • 111 slides
USER SESSION RECORDING An Open Source solution Fraser Tweedale @hackuador 2017-10-22 ABOUT ME

USER SESSION RECORDING An Open Source solution Fraser Tweedale @hackuador 2017-10-22 ABOUT ME

USER SESSION RECORDING An Open Source solution Fraser Tweedale @hackuador 2017-10-22 ABOUT ME Working at Red Hat Platform Engineering (Security) FreeIPA and Dogtag Certificate System 2 User Session Recording: An Open Source

618 views • 45 slides
Lecture 11: Parallelism and Locality in Scientific Codes David Bindel 1 Mar 2010 Logistics

Lecture 11: Parallelism and Locality in Scientific Codes David Bindel 1 Mar 2010 Logistics

Lecture 11: Parallelism and Locality in Scientific Codes David Bindel 1 Mar 2010 Logistics Thinking about projects: Informal proposal in one week (March 8) Free-for-all at end of class HW 2 notes (how I spent my weekend) Code

430 views • 30 slides
Structured graphs and the verification of their monadic second-order properties by means of

Structured graphs and the verification of their monadic second-order properties by means of

Structured graphs and the verification of their monadic second-order properties by means of automata Bruno Courcelle and Irne Durand Bordeaux University, LaBRI (CNRS laboratory) Demonstration of the software TRAG Written by Irne Durand and

754 views • 52 slides
Batch Systems Running calculations on HPC resources Outline What is a batch system? How

Batch Systems Running calculations on HPC resources Outline What is a batch system? How

Batch Systems Running calculations on HPC resources Outline What is a batch system? How do I interact with the batch system Job submission scripts Interactive jobs Common batch systems Converting between different batch

543 views • 17 slides

More recommend