BlackHat_DC_2011_Case_De-Anonymizing Live CDs-Slides-1

8/7/2019 BlackHat_DC_2011_Case_De-Anonymizing Live CDs-Slides-1

1/61


2/61

SpeakerBackground

ComputerSciencedegreefromtheUniversityofNewOrleans

FormerSecurityConsultantforNeohapsisWorkedforDigitalForensicsSoluonssince

2009

Workexperiencerangesfrompenetraontesngtoreverseengineeringtoforensicsinvesgaons/IRtorelatedresearch

2


3/61

Agenda

DiscussLiveCDsandhowtheydisruptthenormalforensicsprocess

PresentresearchthatenablestradionalinvesgavetechniquesagainstliveCDs

DiscussissueswithTorsinsecurehandlingofmemoryandpresentpreliminarymemory

analysisresearch

3


4/61

NormalForensicsProcess

Acquire Disk Image

Verify Image

Process Image

Perform Investigation

Obtain Hard Drive

4


5/61

TradionalAnalysisTechniques

TimeliningofacvitybasedonMACmesHashingoffilesIndexingandsearchingoffilesandunallocatedspaceRecoveryofdeletedfilesApplicaonspecificanalysisWebacvityfromcache,history,andcookies

E-mailacvityfromlocalstores(PST,Mbox,)5


6/61

ProblemofLiveCDs

LiveCDsallowuserstorunanoperangsystemandallapplicaonsenrelyinRAMThismakestradionaldigitalforensics

(examinaonofdiskimages)impossible

Allthepreviouslylistedanalysistechniquescannotbeperformed

6


7/61

TheProblemIllustrated

Acquire Disk Image

Verify Image

Process Image

Perform Investigation

Obtain Hard Drive

7


8/61

NoDisksorFiles,NowWhat?

AllwecanobtainisamemorycaptureWiththis,aninvesgatorisle^withvery

limitedandcrudeanalysistechniques

Cansllsearch,butcantmaptofilesordatesNocontext,hardtopresentcoherently

FilecarvingbecomesuselessNextslideGoodluckincourt

8


9/61

FileCarvingUsedextensivelytorecoverpreviouslydeletedfiles/dataUsesadatabaseofheadersandfooterstofind

fileswithinrawbytestreamssuchasadisk

image

Findsinstancesofeachheaderfollowedbythefooter

Examplefileformats:JPEG-\xff\xd8\xff\xe0\x00\x10-\xff\xd9GIF-\x47\x49\x46\x38\x37\x61-\x00\x3b 9


10/61

FileCarvingCont.

FilecarvingreliesonconguousallocaonoffilesLuckilymodernfilesystemsstriveforlow

fragmentaon

Unfortunatelyformemoryanalysis,physicalpagesforfilesarealmostneverallocated

congously

Pagesizeisonly4ksonostructuredfilewillfitIstheequivalentofacompletelyfragmented

filesystem

10


11/61

PeopleHaveCaughtOn

TheAmnesicIncognitoLiveSystem(TAILS)[1]Notraceisle^onlocalstoragedevicesunless

explicitlyasked.

AlloutgoingconneconstotheInternetareforcedtogothroughtheTornetworkBacktrack[2]

abilitytoperformassessmentsinapurelynaveenvironmentdedicatedtohacking.

11


12/61

WhatItReallyMeans

Invesgatorswithoutdeepkernelinternalsknowledgeandprogrammingskillarebasically

hopeless

ItiswellknownthattheuseofliveCDsisgoingtodefeatmostinvesgaons

MainmovaonforthisworkPlentyanecdotalevidenceofthiscanbefoundthroughGooglesearches

12


13/61

WhatistheSoluon?

MemoryAnalysis!Itistheonlymethodwehaveavailable

ThisAnalysisgivesus:Thecompletefilesystemstructureincludingfilecontentsandmetadata

DeletedFiles(Maybe)Userlandprocessmemoryandfilesysteminformaon

13


14/61

Stepsneededtoachievethisgoal:1.Understandthein-memoryfilesystem2.Developanalgorithmthatcanenumerate

directoryandfiles3.Recovermetadatatoenablemeliningand

otherinvesgavetechniques

14

Goal1:RecoveringtheFileSystem


15/61

TheIn-MemoryFilesystem

AUFS(AnotherUnionFS)hp://aufs.sourceforge.net/UsedbyTAILS,Backtrack,Ubuntu10.04installer,

andanumberofotherLiveCDs

Notincludedinthevanillakernel,loadedasanexternalmodule

15


16/61

AUFSInternalsStackablefilesystem

PresentsamullayerfilesystemasasingleonetousersThisallowsforfilescreateda^ersystemboottobe

transparentlymergedontopofreadonlyCD

EachlayeristermedabranchIntheliveCDcase,onebranchfortheCD,andoneforall

otherfilesmadeorchangedsinceboot

16


17/61

AUFSUserlandViewofTAILS

#cat/proc/mountsaufs/aufsrw,relame,si=4ef94245,noxino

/dev/loop0/filesystem.squashfssquashfs

tmpfs/live/cowtmpfstmpfs/livetmpfsrw,relame

#cat/sys/fs/aufs/si_4ef94245/br0

/live/cow=rw#cat/sys/fs/aufs/si_4ef94245/br1

/filesystem.squashfs=rr

17

Mountpoints

relevantto AUFS

The

mount

point of

eachAUFSbranch


18/61

ForensicsApproach

Norealneedtocopyfilesfromtheread-onlybranch

JustimagetheCDOntheotherhand,thewritablebranch

containseveryfilethatwascreatedor

modifiedsinceboot

IncludingmetadataNodeletedonesthough,moreonthatlater

18


19/61

LinuxInternalsOverviewIstructdentryRepresentsadirectoryentry(directory,file,)

Containsthenameofthedirectoryentryandapointertoitsinodestructure

structinodeFSgeneric,in-memoryrepresentaonofadiskinodeContainsaddress_spacestructurethatlinksaninode

toitsfilespages

structaddress_spaceLinksphysicalpagestogetherintosomethingusefulHoldsthesearchtreeofpagesforafile

19


20/61


21/61

EnumerangDirectories

Oncewecanenumeratedirectories,wecanrecoverthewholefilesystem

Notassimpleasrecursivelywalkingthechildrenofthefilesystem

srootdirectory

AUFScreateshiddendentrysandinodesinordertomaskbranchesofthestacked

filesystemNeedtocarefullyinteractbetweenAUFSand

tmpfsstructures

21


22/61

DirectoryEnumeraonAlgorithm1)Walkthesuperblockslistunltheaufsfilesystemisfound

Thiscontainsapointertotherootdentry2)Foreachchilddentry,testifitrepresentsadirectory

Ifthechildisadirectory:

Obtainthehiddendirectoryentry(nextslide)Recordmetadataandrecurseintodirectory

Ifthechildisaregularfile:

Obtainthehiddeninodeandrecordmetadata22


23/61

ObtainingaHiddenDirectory

structdentry

{

d_inode

d_name

d_subdirs

d_fsdata

}

structau_dinfo

{

au_hdentry}

Branch

0

1 Pointer

Pointer

Dentry

23

Eachkerneldentrystoresapointertoanau_dinfostructureinsideitsd_fsdatamemberThedi_hdentrymemberofau_dinfoisanarrayofau_hdentrystructuresthatembedregularkerneldentrys


24/61

ObtainingMetadata

AllusefulmetadatasuchasMACmes,filesize,fileowner,etciscontainedinthehidden

inode

ThisinformaonisusedtofillthestatcommandandistatfunconalityoftheSleuthkit

Timeliningbecomespossibleagain

24


25/61

ObtainingaHiddenInode

struct

aufs_icntnr{

iinfo

inode}

struct au_iinfo{

ii_hinode}

Branch

0

1 Pointer

Pointer

struct inode

25

Eachaufscontrolledinodegetsembeddedinanaufs_icntnrThisstructurealsoembedsanarrayofau_hinodestructureswhichcanbeindexedbybranchnumbertofindthehiddeninodeofanexposedinode


26/61

Goal2:RecoveringFileContents

Thesizeofafileiskeptinitsinodesi_sizemember

Aninodespage_treememberistherootoftheradixtreeofitsphysicalpages

Inordertorecoverfilecontentsthistreeneedstobesearchedforeachpageofafile

Thelookupfunconreturnsastructpagewhichleadstothebackingphysicalpage

26


27/61

RecoveringFileContentsCont.Indexingthetreeinorderandgatheringofeachpagewillleadtoaccuraterecoveryofa

wholefile

ThisalgorithmassumesthatswapisntbeingusedUsingswapwoulddefeatmuchofthepurposeof

anonymousliveCDs

TmpfsanalysisisusefulforeverydistribuonManydistrosmount/tmpusingtmpfs,shmem,

etc

27


28/61

Discussion:1.FormulateApproach2.Discussthekmem_cacheandhowitrelates

torecovery

3.Aempttorecoverpreviouslydeletedfileanddirectorynames,metadata,andfile

contents

28

Goal3:RecoveringDeletedInfo


29/61

Approach

WewantorderlyrecoveryToaccomplishthis,informaonaboutdeleted

filesanddirectoriesneedstobefoundina

non-standardwayAllregularlists,hashtables,andsoonlosetrack

ofstructuresastheyaredeleted

Needawaytogatherthesestructuresinanorderlymannerkmem_cacheanalysistotherescue!

29


30/61

Recoverythoughkmem_cacheanalysis

Akmem_cacheholdsallstructuresofthesametypeinanorganizedmanner

Allowsforinstantallocaons&deallocaonsUsedforhandlingofprocess,memorymappings,

openfiles,andmanyotherstructures

ImplementaoncontrolledbyallocatorinuseSLABandSLUBarethetwomainones

30


31/61

kmem_cacheInternals

Bothallocatorskeeptrackofallocatedandpreviouslyde-allocatedobjectsonthreelists:full,inwhichallobjectsareallocatedpar7al,amixofallocatedandde-allocatedobjectsfree,previouslyfreedobjects*

Thefreelistsareclearedinanallocatordependentmanner

SLABleavesfreelistsin-tactforlongperiodsofme

SLUBismoreaggressive

31


32/61

kmem_cacheIllustrated

/proc/slabinfocontainsinformaonabouteachcurrentkmem_cache

Exampleoutput:#name

task_struct101154

mm_struct699

filp9011420

32

The difference

between

num_objs and

active_objs is

how many free

objects are

being tracked bythe kernel


33/61

RecoveryUsingkmem_cacheAnalysis

Enumeraonofthelistswithfreeentriesrevealspreviousobjectssllbeingtrackedby

thekernel

Thekerneldoesnotclearthememoryoftheseobjects

Ourpreviousworkhasdemonstratedthat

muchpreviouslyde-allocated,forensicallyinteresnginformaoncanbeleveragedfrom

thesecaches[4]

33

l l


34/61

RecoveringDeletedFilesystem

Structure

BothLinuxkernelandaufsdirectoryentriesarebackedbythekmem_cache

RecoveryofthesestructuresrevealsnamesofpreviousfilesanddirectoriesIfd_parentmemberissllin-tact,canplace

entrieswithinfilesystem

34


35/61

RecoveringPreviousMetadata

Inodesarealsobackedbythekmem_cacheRecoverymeanswecanmelineagainAlso,thedentrylistoftheAUFSinodessll

haveentries(strange)ThisallowsustolinkinodesanddentrystogetherNowwecanreconstructpreviouslydeletedfile

informaonwithnotonlyfilenames&paths,but

alsoMACmes,sizes,inodenumbers,andmore

35


36/61

RecoveringFileContentsBadNewsAgain,inodesarekeptinthekmem_cacheUnfortunately,pagecacheentriesare

removedupondeallocaon,makinglookup

impossible

Alargenumberofpointerswouldneedtostayin-tactforthistowork

Thisremovestheabilitytorecoverfile

contentsinanorderlymannerOtherwaysmaybepossible,butwillrequire

moreresearch

36


37/61

SummaryofFileSystemAnalysis

Cancompletelyrecoverthein-memoryfilesystem,itsassociatedmetadata,andallfile

contents

Ordered,paralrecoveryofdeletedfilenamesandtheirmetadataisalsopossible

TradionalforensicstechniquescanbemadepossibleagainstliveCDsMakingsuchanalysisaccessibletoallinvesgators

37


38/61

Implementaon

RecoverycodewasoriginallywrienasloadablekernelmodulesAllowedforrapiddevelopmentandtesngof

ideas

2ndimplementaonwasdevelopedforVolalityVmwareworkstaonsnapshotswereusedto

avoidreboongoftheliveCDand

reinstallaonofso^wareTAILsdoesntincludedevelopmenttools/headersThissaveddaysofresearchme

38


39/61

Tesng

OutputwascomparedtoknowndatasetsDirectoriesandfileswithscriptedcontentsMetadatawascomparedtothestatcommandFilecontentswerecomparedtoscriptedcontentsDeletedinformaonwasanalyzedthrough

previouslyallocatedstructures

Whileafilewassllallocated,itsdentry,inode,etcpointersweresavedFilewasdeletedandtheseaddresseswere

examinedforpreviousdata

39


40/61

MemoryAnalysisofTor

40


41/61

TorOverview

UsedbymillionsofpeopleworldwidetoperformanonymousInternetcommunicaonsAnonymityofcommunicaonsisessenalto

whistleblowers,journalistsfromnaonswithoutfreedomofthepress,andtoa

numberofotherprofessions

AnyrecoveryofTorrelatedacvitycanhavedireconsequencesforsuchpeople

41


42/61

OneSlideTechnicalOverview

Torencryptsandsendstrafficfromclientstoanumberofotherhostsbeforebeingsentto

therecipientdesnaon

OnlythefinalTorendpointcandecrypttheactualpacketcontentsAllotherscanonlydecryptnecessaryroung

informaon

Theendpointusedischangedatregularintervalstoensurethatacompromisedoes

notremoveallanonymity

42


43/61

TorAnalysisMovaon

Forensics/IRPerspecveTAILSandanumberofotherliveCDsuseTorto

avoidnetworkforensics

NotbeingabletoobtainorreconstructtrafficcanmakecertaininvesgaonscenariosimpossibleIfmemoryanalysiscanrevealusefulevidence

thentheinabilitytoperformnetworkanalysisis

notaspainful

43


44/61

TorAnalysisMovaon

PrivacyPerspecveTorprovidesanextremelyusefulplaormto

performanonymouscommunicaons

Toensurethatcommunicaonsareindeedsecure,memoryanalysisneedstobeperformed

onallsystemsthatprocessunencrypteddata

44


45/61

AnalyzingMemoryAcvityofTor

AnalysisrevealsthatTordoesnotalwayssecurelyerasememorya^eritsused

SoundFamiliar?SincewehaveaccesstotheprocessmemoryofTorweshouldbeabletorecoverdataof

interest.

Papersdiscussinghowtorecoveruserlandprocessmemoryarereferencedinthewhitepaper

45


46/61

InialSetup&Analysis

PrivoxyisaTor-awareHTTPproxyTorwasinstalledalongwithPrivoxyonthe

testvirtualmachine

wgetwasthenconfiguredtousePrivoxywhichwouldrelaytheinformaontoTor

Beforediggingintosourcecode,performedthePoorMan

sTest(nextslide)

46


47/61

ThePoorMansTest

1.Usedwgettorecursivelydownloaddigitalforensicssoluons.com2.VerifiedTornetworkconneconsclosed3.Usedmemfetch[3]todumptheheapofthetorprocess4.Ranstringsonheapfile5.#grep-cdigitalforensicsstrings-output

7

Lookinggoodsofar.

47


48/61

InialAnalysisResultsAnalysisrevealedthatHTTPheaders,downloadedpagecontents,server

informaon,andmorewerecontainedinits

memory

ItseemedthatthelastusedHTTPheaderwaskeptinmemory

Possiblyasinglebufferusedforthis?Numerousinstanceswerefoundfortheother

typesofdata

48


49/61

InteresngOutputfromStrings1)HTTPREQUEST

GET/incidence-response.htmlHTTP/1.0Referer:hp://www.digitalforensicssoluons.com/

User-Agent:Wget/1.12(linux-gnu)

Accept:*/*

Host:www.digitalforensicssoluons.com

2)HTMLfragmentsfromdownloadedwebpage

EvidencePreservaon

Ourevidencepreservaonmethodologyprovidesanexact

copyofanydigitalevidenceandensuresthattheauthencityandintegrityofboththeduplicatecopyandtheoriginaldata

sourceispreserved.

EvidenceCustody

49


50/61

DiggingDeeperintoTor

A^erseeingthepreviousresults,sourcecodeanalysiswasperformedAgain,orderlycolleconofdataisourgoalMuchmoreanalysisispossiblethanwhatwascoveredinthisinialanalysisSllon-goingresearch

50


51/61


52/61

Script1-WalkingTorsfreelist

Torkeepschunksinitsglobalfreelistinordertoprovidefastallocaonofnew

memory

Verysimilartotheworkingsofthekmem_cacheThescriptenumeratesthefreelistarrayand

dumpsallmemorycontained

52


53/61

FreelistStructuretypedefstructchunk_freelist_t{

size_talloc_size;//sizeofchunk

intcur_length;//numberonlist

chunk_t*head;

}

typedefstructchunk_t{

structchunk_t*next;

size_tdatalen;char*data;

}chunk_t;

53

freelistisan

instanceof

thisstructure

Eachchunkis

representedbyachunk_t


54/61

Script2-TorsCellPoolCache

InTor,alldataissentandreceivedasapackedcell

cell_poolisamemorypoolthatholdscellsallocatedanddeallocatedbyTorUnlessthepooliscleaned

Walkingofthispoolenumerateseverycellstructureincludingitscontents(payload)

Unfortunatelythepayloadsareencrypted 54

Cell Pool Structures & Enumeraon


55/61

CellPoolStructures&Enumeraon

structmp_pool_t{

structmp_chunk_t*empty_chunks,

*used_chunks,*full_chunks;

size_titem_alloc_size;}

55

structmp_chunk_t{

mp_chunk_t*next;

mp_chunk_t*prev;

size_tmem_size;

charmem[1];}

cell_poolisoftypemp_pool_t

Therecoveryscriptwalksthethreemp_chunk_tlistsaswellasthedoublylinkedlistcontainedineach

mp_chunk_t

Thisleadstothetype-agnoscmembufferofeachchunk


56/61

RecoveryofPackedCells

mp_chunk_tstructuresholdtype-agnoscdataInthecellpoolthesearerepresentedbya:

typedefstructpacked_cell_t{

structpacked_cell_t*next;

charbody[CELL_NETWORK_SIZE];

}packed_cell_t;Walkingthenextlistretrievesreachable

packedcells

56


57/61

Conclusion

MemoryAnalysisofLiveCDsisnolongerdifficult

Useofthepresentedresearchenablestradionalforensicstechniquestobeused

Asifwedidntknowalready,applicaonsarereallybadabouthandlingofsensivedatain

memory

57


58/61

FutureWorkLiveCDFilesystems

IntegrateanalysiscodeintoVolalityTestagainstmoreLiveCDs/aufs

configuraons

aufshasanumberofconfiguraonoponsLookintostackablefilesystemsusedbyother

LiveCDs

Unionfsisagoodtarget(usedbyDebian,Gentoo,etc)

58


59/61

FutureWork-Tor

WorkonrecoveryofencryptedTorcellsNeedtofindtheencryptedkey,matchtopackedcell,andthendecryptthepayload

seconTordevelopersareawareofthememory

handlingissues,responsewilldetermine

amountoffurtherworkpossible

59


60/61


61/61

References[1]hps://amnesia.boum.org/

[2]hp://www.backtrack-linux.org

[3]lcamtuf.coredump.cx/so^/memfetch.tgz

[4]A.Case,etal,"TreasureandTragedyinkmem_cacheMining

forLiveForensicsInvesgaon,"Proceedingsofthe10th

AnnualDigitalForensicsResearchWorkshop(DFRWS2010),

Portland,OR,2010.

BlackHat_DC_2011_Case_De-Anonymizing Live CDs-Slides-1

Documents

Transcript of BlackHat_DC_2011_Case_De-Anonymizing Live CDs-Slides-1