Forensic Science
Low Down and Dirty: Anti-forensic Rootkits
Presented by Darren Bilby Ruxcon 2006
Copyright Security-Assessment.com 2006
Agenda
• • • • • • • • • • Anti-forensics Overview Digital Forensics Acquisition The Live Imaging Process How Live Forensics Tools Work DDefy Introduction NTFS Basics DDefy Disk Forensics Demonstration DDefy Challenges DDefy Memory Forensics Demonstration Better Methods for Live Imaging
Copyright Security-Assessment.com 2006
This is Not…
• A demonstration of 0day rootkit techniques
This is …
• Showing flaws in current and proposed forensic techniques • Showing how evidence could be manipulated and people wrongly convicted through bad forensic methodologies
Copyright Security-Assessment.com 2006
Digital Anti-forensics
Copyright Security-Assessment.com 2006
Anti-Forensics Methods
• Data Contraception – Prevent evidence data from existing somewhere that can be analyzed – E.g. Memory only malware, memory only exploitation • Data Hiding – Put the data on disk but put it somewhere the forensic analyst is unlikely to look – E.g. Defilers toolkit, runefs,
Copyright Security-Assessment.com 2006
Anti-Forensics Overview
• Data Destruction – Destroy any evidence before someone gets a chance to find it – E.g. Disk wiping, wipe, srm, evidence eliminator, necrofile • Data Misdirection – Provide the forensic analyst false data that is indistinguishable from the real thing – No public examples… until now.
Copyright Security-Assessment.com 2006
Digital Forensics Acquisition
• Need to gather an evidential copy of a system • The Aim – Gather the “best” evidence available
• Gather volatile information – memory, process list, network connections, open files… • Power off machine and image disk
Copyright Security-Assessment.com 2006
Digital Forensics Acquisition
• What really happens… • Two Competing Aims – Gather the “best” evidence available – Allow the system to continue operation in an unhindered manner
Presented by Darren Bilby Ruxcon 2006
Copyright Security-Assessment.com 2006
Agenda
• • • • • • • • • • Anti-forensics Overview Digital Forensics Acquisition The Live Imaging Process How Live Forensics Tools Work DDefy Introduction NTFS Basics DDefy Disk Forensics Demonstration DDefy Challenges DDefy Memory Forensics Demonstration Better Methods for Live Imaging
Copyright Security-Assessment.com 2006
This is Not…
• A demonstration of 0day rootkit techniques
This is …
• Showing flaws in current and proposed forensic techniques • Showing how evidence could be manipulated and people wrongly convicted through bad forensic methodologies
Copyright Security-Assessment.com 2006
Digital Anti-forensics
Copyright Security-Assessment.com 2006
Anti-Forensics Methods
• Data Contraception – Prevent evidence data from existing somewhere that can be analyzed – E.g. Memory only malware, memory only exploitation • Data Hiding – Put the data on disk but put it somewhere the forensic analyst is unlikely to look – E.g. Defilers toolkit, runefs,
Copyright Security-Assessment.com 2006
Anti-Forensics Overview
• Data Destruction – Destroy any evidence before someone gets a chance to find it – E.g. Disk wiping, wipe, srm, evidence eliminator, necrofile • Data Misdirection – Provide the forensic analyst false data that is indistinguishable from the real thing – No public examples… until now.
Copyright Security-Assessment.com 2006
Digital Forensics Acquisition
• Need to gather an evidential copy of a system • The Aim – Gather the “best” evidence available
• Gather volatile information – memory, process list, network connections, open files… • Power off machine and image disk
Copyright Security-Assessment.com 2006
Digital Forensics Acquisition
• What really happens… • Two Competing Aims – Gather the “best” evidence available – Allow the system to continue operation in an unhindered manner