the undiscovered country
play

The Undiscovered Country Tobias Fiebig - Introduction Router? - PowerPoint PPT Presentation

Jul 22, 2023 •343 likes •620 views

The Undiscovered Country The Undiscovered Country Tobias Fiebig - Introduction Router? Device Presence Estimation from Home Router DHCP? JTAG? Research Memory Dumps Question Forensics Method Experiment Tobias Fiebig Results

  1. The Undiscovered Country The Undiscovered Country Tobias Fiebig - Introduction Router? Device Presence Estimation from Home Router DHCP? JTAG? Research Memory Dumps Question Forensics Method Experiment Tobias Fiebig Results Conclusion University of Amsterdam 07/04/2013 Tobias Fiebig The Undiscovered Country

  2. The Situation The Undiscovered Country Tobias Fiebig • Who has when been where is an important question during Introduction an investigation. Router? DHCP? • Example: One wants to establish that a murder suspect JTAG? Research Question visited the victims home on a specific date. Forensics • People tend to carry all sorts of wireless and network Method capable devices with them. Experiment • Nearly everywhere where there is Internet there is a small Results Conclusion home router. Tobias Fiebig The Undiscovered Country

  3. Router? The Undiscovered Country Tobias Fiebig • Small device handed out by Internet Service Providers to a Introduction Router? customer - enables the customer to have more than one DHCP? JTAG? device on the Internet. Research Question • Mostly MIPS or ARM based. Forensics • Cheap Design - Exposed JTAG ports are very common. Method Experiment • Usually “manages” the local network, usually with Results RFC1918 and DHCP. Conclusion Tobias Fiebig The Undiscovered Country

  4. DHCP? The Undiscovered Country Tobias Fiebig Introduction Router? DHCP? • State-full protocol to manage IPv4 address assignments. JTAG? Research Question • State has to be kept somewhere. Forensics • Can not do it in flash - memory file-system here we come! Method Experiment Results Conclusion Tobias Fiebig The Undiscovered Country

  5. JTAG? The Undiscovered Country Tobias Fiebig Introduction Router? DHCP? JTAG? • Standardized debug interface for most embedded CPUs. Research Question • Allows direct access to device memory. Forensics Method Experiment Results Conclusion Tobias Fiebig The Undiscovered Country

  6. Research Question The Undiscovered Country Tobias Fiebig Introduction Router? DHCP? Is it possible to extract DHCP state information from a JTAG? Research home routers memory and establish a time-line of device Question presence with this information in a forensically sound Forensics Method manner? Experiment Results Conclusion Tobias Fiebig The Undiscovered Country

  7. Forensic Requirements The Undiscovered Country Am forensically sound memory image extraction method has to Tobias Fiebig have the following features [V¨ omel & Freiling, 2012]: Introduction Correctness and Completeness : Everything that has Router? DHCP? been read was read as it was in the memory and nothing JTAG? Research Question that has not been in that memory is read and everything Forensics that is read is written to the dump-file as it was read. Method Atomicity : If memory area A is read at time t , all Experiment subsequent ones have to be read in the state they had at t . Results Integrity : The method does not change the memory Conclusion contents before reading them. Tobias Fiebig The Undiscovered Country

  8. Forensic Verification The Undiscovered Country Tobias Fiebig Furthermore the following verification techniques should be Introduction applied to the technique: Router? DHCP? Self-similarity check : Check for self-similarity using JTAG? Research dotplots, following the method of [Inoue et al. , 2011] to Question Forensics verify correctness. Method Integrity check : Check if two subsequent extraction Experiment processes on the same target produce highly identical Results images and ensure that no transmission errors occure. Conclusion Tobias Fiebig The Undiscovered Country

  9. Hardware The Undiscovered Country Tobias Fiebig Introduction • Experiments have been performed with a TP-Link Router? DHCP? 1043ND. JTAG? Research • Small MIPS based device. Question Forensics • Readily available in the lab. • Well documented. Method • Nicely exposed JTAG port. Experiment Results Conclusion Tobias Fiebig The Undiscovered Country

  10. Method - Overview The Undiscovered Country Tobias Fiebig The method itself consists of five steps, each one catering to Introduction some of the forensic requirements. Router? DHCP? 1 Plug-in the JTAG Cable JTAG? Research Question 2 Connect patched OpenOCD Forensics 3 Halt the CPU Method Experiment 4 Extract memory Results 5 Analyze the image Conclusion Tobias Fiebig The Undiscovered Country

  11. Plug-in the JTAG Cable The Undiscovered Country Tobias Fiebig Introduction Router? DHCP? JTAG? Research Question Forensics Method Experiment Results Conclusion Figure: A DLC5 Cable is used to connect a TP-Link 1043ND with a standard PC. Tobias Fiebig The Undiscovered Country

  12. Plug-in the JTAG Cable The Undiscovered Country Tobias Fiebig Introduction Router? DHCP? JTAG? • Use of “dumb” cable reduces probability of tainted Research Question correctness due to operations on the cable. Forensics Method Experiment Results Conclusion Tobias Fiebig The Undiscovered Country

  13. Connect OpenOCD The Undiscovered Country Tobias Fiebig • A tool for interacting with devices via JTAG. Introduction • Not developed for forensics, but made so it “[...] never Router? DHCP? displays wrong or inaccurate information” [Rath, 2008, p. JTAG? Research Question 38]. Forensics • Patched to directly access the memory instead of using the Method processor’s MMU - eliminates further issues for the Experiment correctness. Results • Should not perform any operations in the Target memory. Conclusion Tobias Fiebig The Undiscovered Country

  14. Halt CPU The Undiscovered Country Tobias Fiebig Introduction Router? DHCP? • Stops all execution in the CPU. JTAG? Research Question • Ensures atomicity - where there is no computation, there Forensics is no change. Method Experiment Results Conclusion Tobias Fiebig The Undiscovered Country

  15. Extract Memory The Undiscovered Country Tobias Fiebig Introduction Router? DHCP? • Tell OpenOCD to get the memory... JTAG? Research Question • ... then mostly wait. Speed: 0.66KiB/s Forensics • Takes roughly 12h for a 32MB image. Method Experiment Results Conclusion Tobias Fiebig The Undiscovered Country

  16. Analysis The Undiscovered Country Tobias Fiebig Introduction • Lease-file on 1043ND is not as plain-text in the RAM but Router? DHCP? in the DHCP servers memory structures. JTAG? Research • As available tooling has no MIPS support: Focus on Question Forensics log-messages containing the same information. Method • Create a tool that extracts time-lines and creates Experiment visualizations. Results Conclusion Tobias Fiebig The Undiscovered Country

  17. Test-Setup The Undiscovered Country Tobias Fiebig Introduction Router? DHCP? JTAG? Research Question Forensics Method Experiment Results Conclusion Figure: Schematic representation of the setup used for testing the proposed method. Tobias Fiebig The Undiscovered Country

  18. Simulated Scenarios The Undiscovered Country Performed extractions on the device after simulating seven Tobias Fiebig different scenarios. Introduction Scenario Description Router? adv-test-1-4 boot 1 host, shutdown, wait 4h, dump memory DHCP? JTAG? adv-test-1-8 boot 1 host, shutdown, wait 8h, dump memory Research adv-test-8-4 boot 8 hosts, shutdown, wait 4h, dump memory Question adv-test-8-8 boot 8 hosts, shutdown, wait 8h, dump memory Forensics plain-test-4 boot 4 hosts, dump memory Method plain-test-8 boot 8 hosts, dump memory complex boot 3 hosts, wait 1.25h, boot 3 hosts, shutdown 2 hosts, wait Experiment 12h, dump memory Results Table: Overview of the simulated scenarios. Conclusion Tobias Fiebig The Undiscovered Country

  19. Image Validation The Undiscovered Country Tobias Fiebig • In addition to these scenarios, the previously mentioned Introduction subsequent extraction from the same target state was Router? DHCP? performed. The extracted images were bit-wise identical. JTAG? Research This indicates a high integrity of the method and no Question Forensics introduction of random errors during the transfer. Method • The creation of a dotplot with the method described Experiment by [Inoue et al. , 2011] indicated no significant Results self-similarities that would yield a tainted image. Conclusion Tobias Fiebig The Undiscovered Country

  20. Image Validation The Undiscovered Country Tobias Fiebig Introduction Router? DHCP? JTAG? Research Question Forensics Method Experiment Results Conclusion Figure: Dotplot showing self-similarity between pages in a memory image obtained by the author. The axis show the index of the corresponding pages. Tobias Fiebig The Undiscovered Country

  21. Result Metrics The Undiscovered Country Tobias Fiebig Introduction Router? • Amount of correctly detected host presences. DHCP? JTAG? • Correctly detected join-times. Research Question Forensics • Hosts that could be found in the DHCP Server memory. Method • Hosts that were detected but were not actually present. Experiment Results Conclusion Tobias Fiebig The Undiscovered Country

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Discovering the Undiscovered Rob Bills MD & CEO Disclaimer This presentation has been

Discovering the Undiscovered Rob Bills MD & CEO Disclaimer This presentation has been

Discovering the Undiscovered Rob Bills MD & CEO Disclaimer This presentation has been prepared by Emmerson Resources Limited ACN 117 086 745 (ASX: ERM ) (the Company ) and is being provided to a limited number of investors for the sole

456 views • 19 slides
Discovering the Undiscovered Rob Bills MD & CEO Disclaimer This presentation has been

Discovering the Undiscovered Rob Bills MD & CEO Disclaimer This presentation has been

Discovering the Undiscovered Rob Bills MD & CEO Disclaimer This presentation has been prepared by Emmerson Resources Limited ACN 117 086 745 (ASX: ERM ) (the Company ) and is being provided to a limited number of investors for the sole

379 views • 20 slides
UNDISCOVERED / DISCOVERING DUSTERS This is the lineage and designations for the Dusters and their

UNDISCOVERED / DISCOVERING DUSTERS This is the lineage and designations for the Dusters and their

UNDISCOVERED / DISCOVERING DUSTERS This is the lineage and designations for the Dusters and their progeny. PROMISED SANDS This is the geneaology of the races, with the hybrids set off in the box. This is the array of cultures. If a culture

65 views • 5 slides
Differentiate the property from the competition with a true competitive edge and an undiscovered

Differentiate the property from the competition with a true competitive edge and an undiscovered

Differentiate the property from the competition with a true competitive edge and an undiscovered Ongoing Revenue Stream The Residential Program The Next Generation Platform for Connected Living Competitive Advantage Comm Hubs Unique Approach

361 views • 19 slides
APN ASIAN REIT FUND: AN UNDISCOVERED WORLD OF OPPORTUNITY May 2018 APN Property Group A

APN ASIAN REIT FUND: AN UNDISCOVERED WORLD OF OPPORTUNITY May 2018 APN Property Group A

APN ASIAN REIT FUND: AN UNDISCOVERED WORLD OF OPPORTUNITY May 2018 APN Property Group A specialist Asia Pacific real estate investment manager since 1996 with an income focused, lower risk philosophy 2 3 things to remember Why you

903 views • 22 slides
Fanaroff & Riley present A Musical Malady Showcasing the hitherto undiscovered

Fanaroff & Riley present A Musical Malady Showcasing the hitherto undiscovered

Fanaroff & Riley present A Musical Malady Showcasing the hitherto undiscovered talents of The Boys from Kassiesbaai A long long time ago, on a beach not far away, some fish where in a trap, it was perhaps a 100k, but

214 views • 9 slides
Undiscovered global leaders in Asia Emily Whiting , Investment Specialist, EMAP Equities

Undiscovered global leaders in Asia Emily Whiting , Investment Specialist, EMAP Equities

Undiscovered global leaders in Asia Emily Whiting , Investment Specialist, EMAP Equities PROFESSIONAL CLIENTS ONLY | NOT FOR RETAIL USE OR DISTRIBUTION Not your fathers Emerging Markets What is behind Trumps protectionist agenda in

416 views • 23 slides
DFS(v) Recursive version Global Initialization: // mark v " undiscovered " for

DFS(v) Recursive version Global Initialization: // mark v " undiscovered " for

DFS(v) Recursive version Global Initialization: // mark v " undiscovered " for all nodes v, v.dfs# = -1 dfscounter = 0 for v = 1 to n do if state(v) != fully-explored then DFS(v): DFS(v) // v "discovered" ,

292 views • 26 slides
Supplying evidence based international statistics for decision-making The undiscovered wealth of

Supplying evidence based international statistics for decision-making The undiscovered wealth of

Supplying evidence based international statistics for decision-making The undiscovered wealth of international statistics Per Nymand-Andersen European Central Bank CCSA session on international statistics, Panel discussion , Hong Kong, 30

191 views • 15 slides
Pickett Mountain Project and Undiscovered Mineral Potential Penobscot County, Maine GSM Meeting

Pickett Mountain Project and Undiscovered Mineral Potential Penobscot County, Maine GSM Meeting

Pickett Mountain Project and Undiscovered Mineral Potential Penobscot County, Maine GSM Meeting November 17, 2017 TSX-V:WLF Disclaimer This presentation may contain "forward looking information" within the meaning of Canadian

580 views • 17 slides
PhysikClub Students Research Centre Understanding Science by doing self-reliant and independent

PhysikClub Students Research Centre Understanding Science by doing self-reliant and independent

PhysikClub Students Research Centre Understanding Science by doing self-reliant and independent research Part 1 Inquiry based learning IBL and the constructivist learning theory Learning is like exploring an undiscovered country Follow

562 views • 33 slides
The Country Context Landlocked Himalayan Country in South Asia Federal Democratic Republic

The Country Context Landlocked Himalayan Country in South Asia Federal Democratic Republic

Geo-referenced Information System for Disaster Risk Management (Geo-DRM) 26-27 June 2014, Bangkok, Thailand Presented By Rameshwor Dangal M inistry of Home Affairs Government of Nepal 1 The Country Context Landlocked Himalayan Country

593 views • 14 slides
Country presentation Myanmar MA4Health/Inter-country Measurement and Accountability Conference

Country presentation Myanmar MA4Health/Inter-country Measurement and Accountability Conference

Country presentation Myanmar MA4Health/Inter-country Measurement and Accountability Conference 26-28 April, 2016, Dhaka,Bangladesh Country Profile Nay Pyi Taw Council Territory and 14 States and Regions 74 Districts, 330 Townships, 398

690 views • 25 slides
OPORA COUNTRY LIVING OPORA COUNTRY LIVING DESTINATION "OPORA COUNTRY LIVING"

OPORA COUNTRY LIVING OPORA COUNTRY LIVING DESTINATION "OPORA COUNTRY LIVING"

OPORA COUNTRY LIVING OPORA COUNTRY LIVING DESTINATION "OPORA COUNTRY LIVING" Discover a unique hospitality one hour away from Athens I N T H E M I D S T O F C U L T U R E The Accomodation offers easy access to

771 views • 40 slides
Myanmar Cou Country Part artnership Fr Fram amework NA NATIONAL CON ONSULTATIONS November

Myanmar Cou Country Part artnership Fr Fram amework NA NATIONAL CON ONSULTATIONS November

Myanmar Cou Country Part artnership Fr Fram amework NA NATIONAL CON ONSULTATIONS November December 2019 World Bank Group (WBG) Country Engagement Process Country Systematic Performance Completion Partnership Country and Learning

627 views • 16 slides
Manufactured Housing in Indian Country Manufactured Housing in Indian Country Patrice

Manufactured Housing in Indian Country Manufactured Housing in Indian Country Patrice

A Conversation with Tribal Leaders: Manufactured Housing in Indian Country Manufactured Housing in Indian Country Patrice Kunesh, Center for Indian Country Development Sharon Vogel, Cheyenne River Housing Authority Lance Morgan,

1.05k views • 58 slides
INVESTOR PRESENTATION March 12, 2019 WESTERN OVERVIEW PURPOSE To create long-term wealth for

INVESTOR PRESENTATION March 12, 2019 WESTERN OVERVIEW PURPOSE To create long-term wealth for

INVESTOR PRESENTATION March 12, 2019 WESTERN OVERVIEW PURPOSE To create long-term wealth for shareholders by building and maintaining a diversified portfolio of strong, stable and profitable Western-based companies and helping them grow.

385 views • 34 slides
GIS STEERING COMMITTEE 9/28/2016 Hosted by the DC Office of Zoning

GIS STEERING COMMITTEE 9/28/2016 Hosted by the DC Office of Zoning

CUSTOMER SERVICE. ACCOUNTABILTY. EFFICIENCY. SECURITY. GIS STEERING COMMITTEE 9/28/2016 Hosted by the DC Office of Zoning DCGISSteering.Committee@dc.gov CUSTOMER SERVICE. ACCOUNTABILTY. EFFICIENCY. SECURITY. AGENDA (THEME: ZONING)

709 views • 40 slides
Q1 2019 Quarter Report All figures in CDN$ unless otherwise noted May 30, 2019 CNSX: SLNG |

Q1 2019 Quarter Report All figures in CDN$ unless otherwise noted May 30, 2019 CNSX: SLNG |

Q1 2019 Quarter Report All figures in CDN$ unless otherwise noted May 30, 2019 CNSX: SLNG | Frankfurt: 84S Disclaimer DISCLAIMERS This presentation of SLANG Worldwide Inc. (the Company or SLANG) is for information only and

665 views • 24 slides
Malt COA Bucket Analysis Approach Presenters Mike Heinrich Tyler Schoales Craft Malt Specialist

Malt COA Bucket Analysis Approach Presenters Mike Heinrich Tyler Schoales Craft Malt Specialist

Breakdown of a Malt COA Bucket Analysis Approach Presenters Mike Heinrich Tyler Schoales Craft Malt Specialist NA Craft Sales Manager Country Malt Group Great Western Malting Breakdown of a Malt COA Agenda Overview of Malting and

453 views • 22 slides
Great Panther Silver Friendly Acquisition of Beadell Resources SEPTEMBER 2018 W W W . G R E A T

Great Panther Silver Friendly Acquisition of Beadell Resources SEPTEMBER 2018 W W W . G R E A T

Great Panther Silver Friendly Acquisition of Beadell Resources SEPTEMBER 2018 W W W . G R E A T P A N T H E R . C O M W W W . B E A D E L L R E S O U R C E S . C O M . A U Forward-Looking Statements This presentation contains forward-looking

818 views • 34 slides
FROM KUNENE CONSERVANCIES & COMMUNITY CBOs are both conservancies and community forests

FROM KUNENE CONSERVANCIES & COMMUNITY CBOs are both conservancies and community forests

The institutions : IRDNC is a Namibian NGO VALUE CHAIN DEVELOPMENT OF MYROTHAMNUS FROM KUNENE CONSERVANCIES & COMMUNITY CBOs are both conservancies and community forests FORESTS KCINP Trust consisting of several CBOs for joint marketing

1.28k views • 17 slides
Kerr Mines TSX: KER I OTC: KERMF July 2018 FORWARD-LOOKING STATEMENTS This presentation

Kerr Mines TSX: KER I OTC: KERMF July 2018 FORWARD-LOOKING STATEMENTS This presentation

AN EMERGING AMERICAN GOLD PRODUCER CORPORATE PRESENTATION Kerr Mines TSX: KER I OTC: KERMF July 2018 FORWARD-LOOKING STATEMENTS This presentation contains forward-looking information, including statements regarding: the proposed timing,

214 views • 20 slides
Unidimensional and Multidimensional IRT Modeling with the mirt Package Phil Chalmers York

Unidimensional and Multidimensional IRT Modeling with the mirt Package Phil Chalmers York

Introduction IRT models IRT components mirt package Advanced features Future developments Unidimensional and Multidimensional IRT Modeling with the mirt Package Phil Chalmers York University February 18, 2013 Introduction IRT models IRT

606 views • 44 slides

More recommend