bh us 08 conti dean visual forensic analysis

Upload: marcelo-cazon

Post on 03-Jun-2018


  • 8/12/2019 BH US 08 Conti Dean Visual Forensic Analysis

    Slide 1/63

    Visual Forensic Analysis and Binary Data

    Erik Dean

    United States Military Academy, West Point, New York

  • Slide 2/63

    Outline

    The Problem: Thin Windows
    Background and Motivation
    Moving Beyond Hex
    System Design
    Case Studies
    Demos

  • Slide 3/63

    Figure: kinds of binary data
    data operated on by applications (.xls, .txt)
    executables run by the OS (ELF, PE, ...)
    other special cases (core dump, pagefile.sys)
    memory (process memory)
    network (packets)

  • Slide 4/63

    Figure: spectrum of binary analysis tools, ordered by insight gained. Lower insight: hexdump, grep & diff, strings, hex editors, objdump. Middle: Filemon, Regmon, 010 Editor, the original application. High insight: OllyDbg, IDA Pro, BinNavi (Zynamics). The second axis runs from general purpose to precise application.

  • Slide 5/63

    strings / grep / diff

    H:\Datasets>strings 20040517_homeISP.pcap | more

    Strings v2.4
    Copyright (C) 1999-2007 Mark Russinovich
    Sysinternals - www.sysinternals.com

    0hFM@y
    7bs
    MICROSOFT NETWORKS
    WINDOWS USER
    Microsoft Security Bulletin MS03-043
    Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
    Affected Software:
    Microsoft Windows NT Server 4.0
    Microsoft Windows 2000...

  • Slide 6/63

    010 Hex Editor

  • Slide 7/63

    Hex Workshop

  • Slide 8/63

    WinHex

    http://www.x-ways.net/pics/winhex.gif

  • Slide 9/63

    (Repeat of the tool-spectrum figure from slide 4.)

  • Slide 10/63

    (Repeat of the tool-spectrum figure from slide 4.)

  • Slide 11/63

    SysInternals: FileMon, RegMon

    http://technet.microsoft.com/en-us/sysinternals/default.aspx

    ...

  • Slide 12/63

    Wireshark

    image: http://code.google.com/support/bin/answer.py?answer=71567

  • Slide 13/63

    OllyDbg

    http://www.ollydbg.de/

  • Slide 14/63

    IDA Pro v5.1

    http://www.hex-rays.com/idapro/

  • Slide 15/63

    F-Secure Malware

    http://www.f-secure.com/weblog/archives/00000662.html

  • Slide 16/63

    Zynamics BinDiff

    http://www.zynamics.com/content/_images/bindiff_scr2.gif

  • Slide 17/63

    Zynamics BinNavi

    http://www.zynamics.com/index.php?page=binnavi

  • Slide 18/63

    (Repeat of the tool-spectrum figure from slide 4.)

  • Slide 19/63

    Framework

    File Independent Level: Entropy, Byte Frequency, Strings, Bit Plot (2D/3D), File Statistics

    File Specific Level: Complete or Partial Knowledge of File (for example, metadata)

  • Slide 20/63

    Syntax Highlighting for Hex Dumps

    image: Dan Kaminsky, CCC2006

  • Slide 21/63

    nwdiff

    http://www.geocities.jp/belden_dr/ToolNwdiff_Eng.html

    http://computer.forensikblog.de/en/2006/02/compare_binary_files_with_nwdiff.html

  • Slide 22/63

    Dot Plots & Visual BinDiff

    Self-Similarity in a single file (.NET Assembly); Diffing Two Files. Images: Dan Kaminsky, CCC2006

  • Slide 23/63

    Figure: architecture of the visual hex editor. Displays: Textual (Traditional), Graphical, Detail View. Utilities (strings, ...). Machine Assisted Mapping and Navigation. Hex Editor Core.

  • Slide 24/63

    Towards a Visual Hex Editor

    Identify Unknown Binaries
    Malware Analysis
    Analyze Unknown/Undocumented File Format
    Locate Embedded Objects
    Encoding / Encryption
    Audit Files for Vulnerabilities
    Cracking
    Cryptanalysis
    Perform Forensic Analysis
    File System Analysis
    File Fuzzing

  • Slide 25/63

    Goals

    Handle Large Files
    Many Insightful Windows
    Big Picture Context
    Improved Navigation
    Data Files
    Executable Files
    Hex editor best practices are the foundation
    Support Art & Science

  • Slide 26/63

    Design

    Robust extensible framework
    Open source
    Semantic File Analysis
    Useful
    Multiple coordinated views
    Combine Functionality of current

  • Slide 27/63

    Filtering + Encoding

    Identifying something: REGEX, algorithmic
    Using this knowledge to... highlight, fade
    Interactive or automated

  • Slide 28/63

    Graphical: Bitplot, BytePlot, RGBPlot, BytePresence, ByteFrequency, Digram, Dotplot

    Interaction: VCR, Memory Map, Color Coding

  • Slide 29/63

    Traditional Views: Hex / ASCII View, Strings

  • Slide 30/63

    Strange Attractors and TCP/IP (Michal Zalewski)

    http://lcamtuf.coredump.cx/oldtcp/tcpseq.html
    http://lcamtuf.coredump.cx/newtcp/

  • Slide 31/63

    Digraph View

    Example string: "black hat" (consecutive byte pairs; _ marks the space character)
    bl (98, 108)
    ac (97, 99)
    k_ (107, 32)
    _h (32, 104)
    at (97, 116)

  • Slide 32/63

    Digraph View

    Figure: a 256 x 256 plane. The first byte of each pair (Byte 0, values 0, 1, ... 255) is the x coordinate and the second byte (Byte 1) the y coordinate; points plotted include (32, 108) ... (98, 108).

  • Slide 33/63

    Digraph examples: uuencode; compression / encryption; incrementing words; constrained pairs (slashdot.org .txt)

  • Slide 34/63

    Bit Plot

    Figure: each bit of the file becomes one pixel, 640 pixels per row (1 1 0 1 ...).

  • Slide 35/63

    Byte Plot

    Figure: each byte of the file becomes one grey-scale pixel, 640 pixels per row (255, 108, 0, 40, ...).

  • Slide 36/63

    Byte Plot Example

  • Slide 37/63

    Byte Presence

  • Slide 38/63

    RGB Plot

    Figure: consecutive byte triples mapped to red, green and blue intensities 0..255 (e.g. 140, 128, 255), 640 pixels per row.

  • Slide 39/63

    Dot Plots

    Jonathan Helfman, "Dotplot Patterns: A Literal Look at Pattern Languages."
    Dan Kaminsky

  • Slide 40/63

    DotPlots

    Figure: an N x N matrix with Byte 0, Byte 1, ... Byte N along both axes; a cell is set where the two bytes match. Cost: O(N^2).

  • Slide 41/63

    Dynamic DotPlots

    Figure: the same matrix, but only a 500x500 window of it is computed and drawn. Cost: O(N).
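Slides 40 and 41 contrast the full N x N dot plot with a dynamic plot that computes only a 500x500 window. The Python below is an added example, not the talk's code or the authors' editor: it builds both, and shows what a line parallel to the main diagonal means by locating the longest repeated segment in a constructed buffer in which a 64-byte block occurs twice. The buffer, the block and the window coordinates are all made up here.

```python
import random


def dotplot(data: bytes) -> list:
    """Full dot plot: N x N grid, cell (i, j) set when byte i equals byte j.
    O(N^2) time and memory, which is why it does not scale to large files."""
    n = len(data)
    return [[data[i] == data[j] for j in range(n)] for i in range(n)]


def dotplot_window(data: bytes, x0: int, y0: int, size: int) -> list:
    """Dynamic dot plot: only the size x size window whose top-left corner is (x0, y0)
    is computed, so the cost is bounded by the window (500x500 in the talk) rather
    than by the square of the file length."""
    xs = range(x0, min(x0 + size, len(data)))
    ys = range(y0, min(y0 + size, len(data)))
    return [[data[i] == data[j] for j in xs] for i in ys]


def render_window(window: list) -> str:
    """Text rendering of a (window of a) dot plot: '#' for a match, '.' otherwise."""
    return "\n".join("".join("#" if c else "." for c in row) for row in window)


def longest_run_at_offset(data: bytes, offset: int) -> tuple:
    """Longest diagonal line at distance `offset` from the main diagonal, i.e. the
    longest run of positions i with data[i] == data[i + offset]. Returns (start, length)."""
    best_start = best_len = cur_start = cur_len = 0
    for i in range(len(data) - offset):
        if data[i] == data[i + offset]:
            if cur_len == 0:
                cur_start = i
            cur_len += 1
            if cur_len > best_len:
                best_start, best_len = cur_start, cur_len
        else:
            cur_len = 0
    return best_start, best_len


def find_longest_repeat(data: bytes) -> tuple:
    """Scan every offset (O(N^2) overall, like the full plot) and report the longest
    repeated segment as (offset, start, length): the segment at `start` recurs at
    `start + offset`."""
    best = (0, 0, 0)
    for off in range(1, len(data)):
        start, length = longest_run_at_offset(data, off)
        if length > best[2]:
            best = (off, start, length)
    return best


# Constructed sample (not data from the talk): a 4-byte header, a 64-byte block,
# 40 bytes of random filler, the same block again, then 100 random bytes.
_rng = random.Random(2008)
BLOCK = bytes(_rng.randrange(256) for _ in range(64))
FILLER = bytes(_rng.randrange(256) for _ in range(40))
SAMPLE = b"HDR\x00" + BLOCK + FILLER + BLOCK + bytes(_rng.randrange(256) for _ in range(100))


if __name__ == "__main__":
    offset, start, length = find_longest_repeat(SAMPLE)
    print(f"longest repeat: {length} bytes at {start}, recurring at {start + offset}")
    # Window that contains the off-diagonal line: x over the first copy, y over the second.
    print(render_window(dotplot_window(SAMPLE, 4, 4 + 64 + 40, 64)))
```

The window printed at the end shows a solid diagonal of `#` even though it sits well away from the main diagonal; that is the Helfman pattern for a duplicated region, and the same reading applies to repeated resources inside an executable or a file that has been embedded twice.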

  • Slide 42/63

    DotPlot Examples

    Images: Jonathan Helfman, Dotplot Patterns: A Literal Look at Pattern Languages.

  • Slide 43/63

    DotPlot Examples

    Images: Jonathan Helfman, Dotplot Patterns: A Literal Look at Pattern Languages.

  • Slide 44/63

    Figure: dot plots of Compressed Audio, English Text and a Bitmap Image.

  • Slide 45/63

    Byte Clouds

    Tag Cloud (for Fun and Profit, http://tagcrowd.com/)
    Byte Cloud

  • Slide 46/63

    Neverwinter Nights Database File

  • Slide 47/63

    Firefox .hdmp

  • Slide 48/63

    Firefox .hdmp

  • Slide 49/63

    Firefox .hdmp

  • Slide 50/63

    Firefox .hdmp

  • Slide 51/63

    PDF...

    Weaknesses

  • Slide 52/63

    Weaknesses

    Entire file may be extracted from the bit/byte/RGB plot
    May trigger AV or IDS
    8bit/byte steg

    Demos

  • Slide 53/63

    Demos

    A Look to the Future

  • Slide 54/63

    A Look to the Future

    Visual Front Ends for Offensive Tools
    Visual Cryptanalysis Support
    Human Insights Passed to Machine Processors
    More Inspiration from General InfoVis Community
    Visual Fingerprints / Smart Books
    Web-based Visualization (AJAX)
    User-task Analyses / True Use-Case Based Designs
    Engagement of Users Beyond Students
    Examination of Full Range of Security Data
    Merging Multiple Security Dataflows

    Future Work

  • Slide 55/63

    Future Work

    Plug-ins / Editable Config Files
    Visualizations
    Encodings
    Saving state
    Memory Maps
    Improving Interaction
    What works / What doesn't
    Multiple Files / File Systems
    REGEX search
    Automated Memory Map Generation

    DAVIX

  • Slide 56/63

    DAVIX (Jan Monsch and Raffy Marty)

    http://www.secviz.org/node/89

    InfoVis Survey

  • Slide 57/63

    InfoVis Survey

    Security Visualization Survey

  • Slide 58/63

    Security Visualization Survey

    Communities

  • Slide 59/63

    Communities

    http://secviz.org/ The place to share, discuss, challenge, and learn about security visualization. Raffy Marty, Splunk.

    http://vizsec.org/ VizSEC is a research community for computer security visualization. John Goodall, Secure Decisions.

    VizSEC 2008

  • Slide 60/63

    VizSEC 2008

    http://www.vizsec.org/workshop2008/

    More Information

  • Slide 61/63

    More Information

    Visual Reverse Engineering of Binary and Data Files. Gregory Conti, Erik Dean, Matthew Sinda, Benjamin Sangster. VizSEC 2008.

    Security Data Visualization (No Starch Press)

    Visualization (Addison-Wesley), available September

    Acknowledgements

  • Slide 62/63

    Acknowledgements

    Damon Becknell, Jon Bentley, Jean Blair, Sergey Bratus, Chris Compton, Tom Cross, Ron Dodge, Carrie Gates, Chris Gates, Joe Grand, Julian Grizzard, Toby Kohlenberg, Oleg Kolesnikov, Frank Mabry, Raffy Marty, Brent Nolan, Gene Ressler, Ben Sangster, Matt Sinda and Ed Sobiesk

  • Slide 63/63

    "In fact master reversers like Fravia recommend cracking while intoxicated
    alcoholic beverages.
    While for health reasons we cannot recommend this method, you may find that a relaxing cup of hot
    and allows you to think in reverse."

    - from Security Warrior