forensic analysis aleš padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/belgrade_security... ·...
TRANSCRIPT
![Page 1: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/1.jpg)
FORENSIC ANALYSIS
Aleš Padrta
![Page 2: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/2.jpg)
2015-03-20, Belgrade Security Seminar 2015 2
CESNET, CESNET-CERTS, FLAB
● CESNET – Czech NREN operator● CESNET-CERTS
● 2004 – Established● 2008 – Accredited CSIRT
● FLAB● Forensic LABoratory● Established 6/2011● Support team for CESNET-CERTS
● Incident analysis● Penetration testing● Other services
![Page 3: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/3.jpg)
2015-03-20, Belgrade Security Seminar 2015 3
Belgrade Security Workshop 2015
Part I. – Brief Introduction
![Page 4: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/4.jpg)
2015-03-20, Belgrade Security Seminar 2015 4
Why Forensic Analysis?
● Security Incident Handling● Standard process
● Acquiring answers Detail (forensic) analysis
![Page 5: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/5.jpg)
2015-03-20, Belgrade Security Seminar 2015 5
Cooperation Scheme● Customer
● Problem (Incident)● Description
● Evidence● Metadata
● Questions
● Analyst● Own / Outsourced● Knowledge Answers
![Page 6: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/6.jpg)
2015-03-20, Belgrade Security Seminar 2015 6
Typical Questions
Who used the device?
Which applications were used?
Which files were modified?
Which wifi networks were used?
When was the system on-line?
What did the user do?
Which USB devices were connected?
Which webpages were visited?
Was some malware present?
Were used antiforesics methods?
What was the content of communication?
When was the server hacked?
Which vulnerability has been exploited?
Is some backdoor left there?
How to find all infected machines?
Can you work faster?
Which IP addresses were used by attacker?
![Page 7: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/7.jpg)
2015-03-20, Belgrade Security Seminar 2015 7
Belgrade Security Workshop 2015
Part II. – Practical Examples
![Page 8: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/8.jpg)
2015-03-20, Belgrade Security Seminar 2015 8
Belgrade Security Workshop 2015
CASE 1Attack Vector on Web server
![Page 9: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/9.jpg)
2015-03-20, Belgrade Security Seminar 2015 9
Attack vector on Web server● Metadata
● Web defacement● Suspicious files on HDD
● Unauthorized application
● Evidence● HDD image
● Questions● How was the server infiltrated?● Which files were created / modified?● Did attacker created some backdoor?
![Page 10: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/10.jpg)
2015-03-20, Belgrade Security Seminar 2015 10
Attack vector on Web server● Think Over Phase
● What we have● Files … MAC times● Deleted files (Delete = MFT change, data stay on disk)● Time information
● Hack time („you have been hacked“ picture)● Last reinstallation time, shutdown time, admin access, ...
● Unauthorized application● How and when was installed
● What we can do● Create timeline activity find attacker tools● File analysis
![Page 11: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/11.jpg)
2015-03-20, Belgrade Security Seminar 2015 11
Attack vector on Web server
● Analysis scheme
![Page 12: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/12.jpg)
2015-03-20, Belgrade Security Seminar 2015 12
Attack vector on Web server
● Event timeline reconstruction● T=0 Recon manager/.../howto.html ● T=+10:09 Passwd guessing (3 times)● T=+14:24 Login to manager● T=+14:30 Upload „unauthorized app“● T=+14:43 Start using „unauthorized app“ (remote shell)
● Download more tools● Download & distribute „you have been hacked“ webpage● Access to files
● T=+20:15 Attempt to antiforensics
![Page 13: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/13.jpg)
2015-03-20, Belgrade Security Seminar 2015 13
Attack vector on Web server
● Answers to questions● How was the server infiltrated?
● Default + weak password for admin users
● Which files were created / modified?● Acquired list of files
● Did attacker created some backdoor?● Downloaded● Tried to install● Unsuccessfully
![Page 14: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/14.jpg)
2015-03-20, Belgrade Security Seminar 2015 14
Belgrade Security Workshop 2015
CASE 2Device User Identification
![Page 15: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/15.jpg)
2015-03-20, Belgrade Security Seminar 2015 15
Device User Identification
● Metadata● We found the device● Want to handle it properly
● Evidence● Nokia N810 + accessories
● Questions● Who used the device?● When was the device used for the last time?● What kind of data was on the device?
![Page 16: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/16.jpg)
2015-03-20, Belgrade Security Seminar 2015 16
Device User Identification
● Think Over Phase● What we have
● Mobile device● Maemo Linux (modified Debian)
● System partition● Data partition
● Files … MAC times, deleted files ● Communication device – links to external sources?
● What we can do● Get the system logs timestamps● Get user data timestamps, metadata, contents
![Page 17: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/17.jpg)
2015-03-20, Belgrade Security Seminar 2015 17
Device User Identification● Creating images
● MicroSD card● Connect to PC + FTK Imager
● Internal memory● Application rootsh, DropBear SSH client nad Server changes to system drive
● dd, transfer via SSH● 3 drives
● Internal: system (JFFS2), data (FAT32)● Removable: microSD card (FAT32)
● Analysis scheme more extensive
![Page 18: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/18.jpg)
2015-03-20, Belgrade Security Seminar 2015 18
Device User Identification● Analysis – Carved files
![Page 19: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/19.jpg)
2015-03-20, Belgrade Security Seminar 2015 19
Device User Identification● Analysis – Swapfile
![Page 20: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/20.jpg)
2015-03-20, Belgrade Security Seminar 2015 20
Device User Identification● Analysis – Data mining
● Boarding pass● Doctoral thesis● Web www.my-travel.diary● Academic site
![Page 21: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/21.jpg)
2015-03-20, Belgrade Security Seminar 2015 21
Device User Identification● Answers to questions
● Who used the device?● John Excavator (main user)● Emily Gold-Digger (secondary user, GF of J.E.)
● When was the device used for the last time?● 20.8.2014 14:13 UCT (data deletion)
● What kind of data was on the device?● Freetime related (travelling, guns hobby)● Academic work/study (doctoral thesis, research papers)
![Page 22: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/22.jpg)
2015-03-20, Belgrade Security Seminar 2015 22
Belgrade Security Workshop 2015
CASE 3Quick Malware Analysis
![Page 23: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/23.jpg)
2015-03-20, Belgrade Security Seminar 2015 23
Quick Malware Analysis● Metadata
● Scam e-mails delivered (1000s users)● Malware in attachment● Without AV detection
● Evidence● Several E-mail attachments
● Questions● How to identify infected machines?● How to stop malware outbreak?● How to remove the malware?
![Page 24: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/24.jpg)
2015-03-20, Belgrade Security Seminar 2015 24
Quick Malware Analysis
● Think Over Phase● What we have
● E-mail attachments – several malware samples● Little time (data for incident response)● Typical malware
● Changes to filesystem (create/modify files)● Changes to registry (MS Windows)● Communication with dropzone / C&C
● What we can do● Dynamic analysis run in monitored environment● Analyse changes
![Page 25: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/25.jpg)
2015-03-20, Belgrade Security Seminar 2015 25
Quick Malware Analysis
● Controlled environment● Virtual machine preparation
● Process monitor● Wireshark● CaptureBat● RegShot
● Run malware● Collect data
● Analyse collected data● ProcDot (graphic visualization)
Part of ProcDot output
![Page 26: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/26.jpg)
2015-03-20, Belgrade Security Seminar 2015 26
Quick Malware Analysis
● Analysis results
![Page 27: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/27.jpg)
2015-03-20, Belgrade Security Seminar 2015 27
Quick Malware Analysis● Answers to questions
● How to identify infected machines?
● Local signs: registry and filesystem changes
● Network signs: communication with list of IP addresses
● How to stop malware outbreak?
● Block creation of „ate.exe“ (manual rule for AV/HIPS)
● How to remove the malware?
● Userspace clean profile
● Recommended – reinstall (unknown orders from C&C)
![Page 28: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/28.jpg)
2015-03-20, Belgrade Security Seminar 2015 28
Belgrade Security Workshop 2015
CASE 4Malware Reverse Engineering
![Page 29: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/29.jpg)
2015-03-20, Belgrade Security Seminar 2015 29
Malware Reverse Engineering● Metadata
● Malicious PDF / page visit● Locked computers
● Evidence● Virtual machines images● Memory image● Captured communications
● Questions● How does the malware infect the machine?● Which changes were made on infected machine?● Where are the C&C servers?● What kind of data is collected and sent to C&C?
![Page 30: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/30.jpg)
2015-03-20, Belgrade Security Seminar 2015 30
Malware Reverse Engineering
● Think Over Phase● What we have
● Image of drive & memory● Communication● Webpages not accessible online
● What we can do● Analyse attack vector
● Memory, drive, communication● Reverse engineering of malware
● Detail insight● IDA Pro, OllyDbg
![Page 31: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/31.jpg)
2015-03-20, Belgrade Security Seminar 2015 31
Malware Reverse Engineering● Attack vector
● Webpage● Entry point● Redirect
● Infect page● Professional exploit pack● Install botnet client
● Payload (Ransomware)● C&C order● Download & Run
● IP addresses – change in time
![Page 32: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/32.jpg)
2015-03-20, Belgrade Security Seminar 2015 32
Malware Reverse Engineering
● Exploit Pack analysis● Based on Blackhole● Three variants
● PDF with exploit● Font installation● Java vulnerability
● Files used by malware (for detail analysis)● %userprofile%/Local settings/Temp/wlsidten.dll● %allusersprofile%/App Data/netdislw.pad
![Page 33: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/33.jpg)
2015-03-20, Belgrade Security Seminar 2015 33
Malware Reverse Engineering
![Page 34: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/34.jpg)
2015-03-20, Belgrade Security Seminar 2015 34
Malware Reverse Engineering● Malware overview
![Page 35: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/35.jpg)
2015-03-20, Belgrade Security Seminar 2015 35
Malware Reverse Engineering● How it works
● Communication thread● Code injection to web browser● Bypass AV/HIPS rules
● Persistence thread● Write value to registry● Each 500ms
● „Hide Task Manager“ thread● Minimize Task Manager window● Each 500ms
![Page 36: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/36.jpg)
2015-03-20, Belgrade Security Seminar 2015 36
Malware Reverse Engineering● How it works
● Ransompage● Borland
Delphi screen● StayOnTop● Offline code
pre-validion● Show webcam
picture or noise● Show IP address geoinfo
● User profile oriented – can be removed
![Page 37: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/37.jpg)
2015-03-20, Belgrade Security Seminar 2015 37
Malware Reverse Engineering
● Answers to questions● How does the malware infiltrate the machine?
● One of the exploit PDF/font intallation/java● Which changes are made on infected machine?
● Install botnet client● Download and run Ransomware
● Where are the C&C servers?● List of IP addresses + domain name
● What kind of data is collected and sent to C&C?● Volume ID, IP address, webcam picture, entered code
![Page 38: FORENSIC ANALYSIS Aleš Padrtacbp.rcub.bg.ac.rs/wp-content/uploads/2015/03/Belgrade_Security... · 2015-03-20, Belgrade Security Seminar 2015 10 Attack vector on Web server Think](https://reader035.vdocuments.net/reader035/viewer/2022081614/5fc13ac5d4261622d9652853/html5/thumbnails/38.jpg)