Forensic Science

  • Topic: Windows Driver Model, Computer forensics, File system
  • Published : August 11, 2012
Low Down and Dirty: Anti-forensic Rootkits

Presented by Darren Bilby, Ruxcon 2006

Copyright Security-Assessment.com 2006

Agenda
• Anti-forensics Overview
• Digital Forensics Acquisition
• The Live Imaging Process
• How Live Forensics Tools Work
• DDefy Introduction
• NTFS Basics
• DDefy Disk Forensics Demonstration
• DDefy Challenges
• DDefy Memory Forensics Demonstration
• Better Methods for Live Imaging


This is Not…
• A demonstration of 0day rootkit techniques

This is …
• Showing flaws in current and proposed forensic techniques
• Showing how evidence could be manipulated and people wrongly convicted through bad forensic methodologies


Digital Anti-forensics


Anti-Forensics Methods
• Data Contraception
  – Prevent evidence data from existing somewhere that can be analyzed
  – E.g. memory-only malware, memory-only exploitation
• Data Hiding
  – Put the data on disk, but put it somewhere the forensic analyst is unlikely to look
  – E.g. Defiler's Toolkit, runefs


Anti-Forensics Overview
• Data Destruction
  – Destroy any evidence before someone gets a chance to find it
  – E.g. disk wiping, wipe, srm, Evidence Eliminator, necrofile
• Data Misdirection
  – Provide the forensic analyst false data that is indistinguishable from the real thing
  – No public examples… until now.


Digital Forensics Acquisition
• Need to gather an evidential copy of a system
• The Aim
  – Gather the “best” evidence available
• Gather volatile information – memory, process list, network connections, open files…
• Power off machine and image disk


Digital Forensics Acquisition
• What really happens…
• Two Competing Aims
  – Gather the “best” evidence available
  – Allow the system to continue operation in an unhindered manner
• Results in “Live Imaging”
  – Taking a copy of a system while that system is still functioning in a live environment


Reasons for “Live Imaging”
• Business-critical systems that cannot be shut down
• Shutting down systems may create legal liability for examiners through:
  – damaging equipment
  – unintentional data loss
  – hampering operations
• Judge instructs that evidence gathering must be conducted using the least intrusive methods available
• Encrypted volumes

Digital Forensics Acquisition
Live imaging is now common practice
• Tools
  – Helix (dd/netcat)
  – Prodiscover IR
  – Encase EEE/FIM
  – FTK
  – Smart
  – …


The Live Imaging Process
[Diagram: the image travels from the Suspicious Server over the network to the Network Forensic Server. On the suspicious server the data passes through the Disk, the OS Kernel, the Acquisition Client Application and the Network Stack; the slide labels the forensic server Trusted and the components on the suspicious host Un-trusted or “Trusted?”.]

The Live Imaging Process
Easy Solution… Add Encryption
[Diagram: the same path, with the network link between the two hosts now labelled Trusted; the Acquisition Client Application, OS Kernel and Disk on the suspicious host keep their Un-trusted / “Trusted?” labels.]
• Encase – SAFE public key encryption architecture
• DD – Cryptcat
• Prodiscover IR – Twofish encryption

So this is common practice, accepted as legitimate by most courts of law, supported by many big name forensic vendors, it must be foolproof right? uhhh… ok
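An added illustration of the point these slides make, not code from the talk or from DDefy: a Python model of the live-imaging path in which the acquisition client protects the stream with a MAC (standing in for Cryptcat, SAFE or Twofish), yet the forensic server's check passes because the substitution happened below the client, in the kernel read path. The check that does catch it is comparison against an independently taken offline image. All function names and the disk contents are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample "disk": sector number -> contents physically on the platter.
DISK = {0: b"boot sector", 1: b"real evidence: tampered log entries", 2: b"user documents"}


def raw_disk_read(sector):
    """What is physically on the disk (what an offline image taken with power off would see)."""
    return DISK[sector]


def kernel_read(sector, hook=None):
    """Kernel read path used by a live-imaging tool. Anything hooked in here can
    substitute data before the acquisition client ever sees it (data misdirection)."""
    data = raw_disk_read(sector)
    return hook(sector, data) if hook is not None else data


def misdirecting_hook(sector, data):
    """Simulated kernel-level substitution: an innocuous sector is presented in place of sector 1."""
    return b"nothing to see here (same length)..." if sector == 1 else data


def acquisition_client(key, hook=None):
    """Live imaging agent on the suspicious host: reads through the kernel, then
    'protects' the stream with an HMAC (stand-in for the encryption the tools add)."""
    image = b"".join(kernel_read(s, hook) for s in sorted(DISK))
    tag = hmac.new(key, image, hashlib.sha256).digest()
    return image, tag


def forensic_server_verify(key, image, tag):
    """Server-side check: proves only that the network leg was not tampered with."""
    return hmac.compare_digest(hmac.new(key, image, hashlib.sha256).digest(), tag)


def offline_image():
    """Image acquired through a trusted path (host powered off, disk read elsewhere)."""
    return b"".join(raw_disk_read(s) for s in sorted(DISK))


def cross_validate(live_image):
    """The check that actually detects misdirection: hash the live image and compare
    it against the hash of an image taken through a path the suspect kernel did not control."""
    return hashlib.sha256(live_image).digest() == hashlib.sha256(offline_image()).digest()
```

Transport encryption only moves the trust boundary to the network leg; the acquisition client still trusts whatever the kernel returns, so the live image must be cross-checked against evidence gathered through a path the suspect host cannot influence.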


Live imaging…
… is like turning up to a homicide at the docks and asking the mafia to collect your evidence and take it back to the police station for you.


What Happens When You Read a File?
[Diagram: the read path from an application down to a driver.]
1. Application calls ReadFile() (Win32 API, Kernel32.dll) – user mode
2. NtReadFile() (Ntdll.dll) – user mode
3. Int 2E – transition from user mode to kernel mode
4. Initiate I/O Operation (driver.sys)...