You Forgot Your Wallet! Tracing Bits of Coins in Disk and Memory
Cem Gurkok
whoami
• 10+ years of experience as InfoSec professional
• 2nd place @ the Volatility Framework Contest 2013 with Windows Kernel Object Security and Mac Rootkit Detection Plugins
• Talks at HITB KUL 2013, FIRST 2014, OMFW 2012/2013, HackerHalted 2013
Summary
• Getting Ready
• What is Bitcoin? Or really Bitconning ;)
• Bitcoin Software
• Memory Artifacts
• Disk Artifacts
• Attribution
• Conclusion
• References
Getting Ready
• Downloading the Memory Sample and Script:
  – Script: bit.ly/1rtvZme
  – Memory sample: bit.ly/1o9A7xk
• Volatility Framework Installation
  – Checkout from GitHub
    • svn co https://github.com/volatilityfoundation/volatility/trunk/ volatility-read-only
  – Install Yara
    • Download and unzip: https://github.com/plusvic/yara/archive/v3.1.0.zip
    • cd yara-3.1.0/yara-python/
    • python setup.py install
  – Install Pycoin:
    • Install pip (https://pip.pypa.io/en/latest/installing.html#install-or-upgrade-pip)
    • pip install pycoin
  – Install Distorm3 as well (Python disassembly library)
    • Download https://distorm.googlecode.com/files/distorm3.zip
    • python setup.py install
  – Copy the plugin/script into /volatility-read-only/volatility/plugins/mac
  – Make sure you have the appropriate memory profiles installed as well
  – In this case MacMountainLion_10_8_5_AMDx64 (https://code.google.com/p/volatility/downloads/detail?name=MacProfilesAll.zip)
What is Bitcoin? Or really Bitconning ;)
(three image-only slides)
Bitcoin Internals
• Wallet Clients: Bitcoin Core, MultiBit and more
  – Private Key: secp256k1 ECDSA* standard [1]
  – Public Key
  – Address
• Transaction Database
  – Transactions, blocks, and block chains
• Network Communications
* Elliptic Curve Digital Signature Algorithm
What does a Wallet Generate?

| Artifact | Memory | Disk |
|---|---|---|
| Private Key | Yes, plain text | Yes, if saved, possibly encrypted |
| Addresses | Yes | Yes |
| Debug files | Yes | Yes |
| Key Backup files | Yes | Yes |
| Transaction logs | Yes | Yes |
| Network connections and traffic | Yes | No |
Target: Mac MultiBit Client*
• MultiBit is a Bitcoin wallet for Windows, MacOS and Linux
• Based on Java
• Source code: https://github.com/jim618/multibit
* https://multibit.org/
Tool: Volatility Framework
• Open collection of tools
• Python, under GNU GPL
• Extraction of digital artifacts from volatile memory (RAM) samples
• Offers visibility into the runtime state of the system
• Supports most versions of Mac OS X memory from 10.5 to 10.9 Mavericks, both 32 and 64-bit
| Volatility Framework Plugin | MultiBit Artifact |
|---|---|
| mac_bitcoin [NEW!] | Extracts Bitcoin private key and addresses |
| mac_netstat, mac_network_conns | Display network connection information |
| mac_list_files, mac_dump_file | Extract debug, transaction logs, backup files |
mac_bitcoin (overview diagram)
• Find Keys and Addresses
• Reverse JVM
• Scan Process Address Space
mac_bitcoin
• Looks for two artifacts in a MultiBit process:
  – Private keys
  – Addresses
• Utilizes
  – Yara and Regex to find the keys and addresses
  – Pycoin, a Python module for Bitcoin and alt-coins, used to convert a private key to its address and to check the validity of an address
mac_bitcoin
• Private/Bitcoin key format in MultiBit:
  – 52 characters in compressed Base 58 format or "wallet import format" [1]
  – Starts with L or K [1]
  – Example: L2nBvZFR3jsoWUNMzcPMadUfMPbxA2RXwFzzjcSERfShFofu3AnT
• Regex:
  – /(L|K)[0-9A-Za-z]{51}/
mac_bitcoin
• Bitcoin address format in MultiBit:
  – 34 characters, also Base 58 encoded [2]
  – They consist of random digits and uppercase and lowercase letters, with the exception that the uppercase letter "O", uppercase letter "I", lowercase letter "l", and the number "0" are never used to prevent visual ambiguity [2]
• Regex:
  – /[1-9A-HJ-NP-Za-km-z]{34}/ (the character class spells out the Base 58 alphabet, which is what actually excludes 0, O, I and l; the original slide's class [1-9a-zA-z] also covered the ASCII range between Z and a, and a trailing negative lookahead cannot exclude characters already matched)
mac_bitcoin
• Used Yara, "The pattern matching swiss knife for malware researchers"
• YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.
• Used Yara to scan the MultiBit process address space for keys and addresses
mac_bitcoin
• Private key yara rule:

```python
key_rule = yara.compile(sources = {'n' : 'rule r1 {strings: $a = /(L|K)[0-9A-Za-z]{51}/ condition: $a}'})
```

• Address yara rule:

```python
addr_rule = yara.compile(sources = {'n' : 'rule r1 {strings: $a = /[1-9A-HJ-NP-Za-km-z]{34}/ condition: $a}'})
```

• Used with the existing Volatility yarascan plugin:

```python
scanner = mac_yarascan.MapYaraScanner(task = task, rules = addr_rule)
```
mac_bitcoin Demo

```
## First find the MultiBit process PID
# python vol.py mac_pslist -f Mac\ OS\ X\ 10.8\ 64-bit-f1607e48.vmem --profile=MacMountainLion_10_8_5_AMDx64 | grep -i java
# python vol.py mac_bitcoin -f Mac\ OS\ X\ 10.8\ 64-bit-f1607e48.vmem --profile=MacMountainLion_10_8_5_AMDx64 -p 239
```
mac_netstat Demo

```
## First find the MultiBit process PID
# python vol.py mac_pslist -f Mac\ OS\ X\ 10.8\ 64-bit-f1607e48.vmem --profile=MacMountainLion_10_8_5_AMDx64 | grep -i java
# python vol.py mac_netstat -f Mac\ OS\ X\ 10.8\ 64-bit-f1607e48.vmem --profile=MacMountainLion_10_8_5_AMDx64 -p 239
```
mac_netconns Demo

```
# python vol.py mac_network_conns -f Mac\ OS\ X\ 10.8\ 64-bit-f1607e48.vmem --profile=MacMountainLion_10_8_5_AMDx64
```
mac_dump_file Demo

```
## First find the MultiBit tagged file paths
# python vol.py mac_list_files -f Mac\ OS\ X\ 10.8\ 64-bit-f1607e48.vmem --profile=MacMountainLion_10_8_5_AMDx64 | grep -i multibit
# python vol.py mac_dump_file -f Mac\ OS\ X\ 10.8\ 64-bit-f1607e48.vmem --profile=MacMountainLion_10_8_5_AMDx64 -q 0xffffff800a100d90 -O multibit.log
```
Disk Artifacts
• Similar Yara signatures can be used to scan disk artifacts such as page files on Windows or swap files on Linux or Macs
• A page file is a special file that acts as a sort of "scratch pad" to store modified pages that are still in use by some process [6]
• You can use Michael Matonis's tool page_brute to run yara rules over a page file [7]
• Expect false positives, because on disk there is no verification step by a tool such as pycoin
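The regex-then-verify step from the mac_bitcoin slides and the false-positive caveat above, as an added example that is not the plugin's or page_brute's own code: candidates hit by the key and address patterns are kept only if their Base58Check checksum verifies. The checksum test is a pure-Python stand-in for the pycoin validity check (secp256k1 key-to-address derivation is not reproduced), and the byte buffer it scans is constructed here.

```python
import hashlib
import re

# Base58 alphabet: 0, O, I and l are deliberately absent (the ambiguity rule from the slides)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# The two patterns from the mac_bitcoin slides, with the Base58 class written out
WIF_RE = re.compile(rb"[LK][1-9A-HJ-NP-Za-km-z]{51}")
ADDR_RE = re.compile(rb"[1-9A-HJ-NP-Za-km-z]{34}")

def _dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58decode(s: str) -> bytes:
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body  # each leading '1' is a 0x00 byte

def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of SHA256(SHA256(payload))."""
    n = int.from_bytes(payload + _dsha256(payload)[:4], "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(payload) - len(payload.lstrip(b"\x00"))) + out

def classify(cand: str):
    """Return 'wif', 'address' or None; only checksum-valid strings are accepted."""
    try:
        raw = b58decode(cand)
    except ValueError:
        return None
    payload, check = raw[:-4], raw[-4:]
    if _dsha256(payload)[:4] != check:
        return None  # random Base58-looking text (a regex false positive) ends here
    if len(payload) == 34 and payload[0] == 0x80 and payload[-1] == 0x01:
        return "wif"  # 0x80 | 32-byte secp256k1 key | 0x01 = compressed-key WIF
    if len(payload) == 21 and payload[0] == 0x00:
        return "address"  # 0x00 | 20-byte HASH160 = P2PKH address
    return None

def scan(buf: bytes) -> set:
    """Regex candidates from a raw byte buffer, kept only if Base58Check verifies."""
    cands = {m.group().decode("ascii") for pat in (WIF_RE, ADDR_RE) for m in pat.finditer(buf)}
    return {(classify(c), c) for c in cands if classify(c)}
```

Note that the 34-character address pattern also fires on the first 34 characters of every 52-character key, so without the checksum step each real key would also be reported as a bogus address.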
Bitcoin Yara Rules in a file

```
rule bitcoin {
    strings:
        $key  = /(L|K)[0-9A-Za-z]{51}/
        $addr = /[1-9A-HJ-NP-Za-km-z]{34}/
    condition:
        any of them
}
```
Pagefile.sys scan

```
# python page_brute-BETA.py -r bitcoin.yar -f pagefile.sys
[+] - PAGE_BRUTE processing file: pagefile.ysy
[+] - YARA rule of File type provided for compilation: bitcoin.yar
..... Ruleset Compilation Successful.
[+] - PAGE_BRUTE running with the following options:
[-] - FILE: pagefile.sys
[-] - PAGE_SIZE: 4096
[-] - RULES TYPE: FILE
[-] - RULE LOCATION: bitcoin.yar
[-] - INVERSION SCAN: False
[-] - WORKING DIR: PAGE_BRUTE-2014-10-11-02-30-08-RESULTS
=================
[!] FLAGGED BLOCK 10: bitcoin
[!] FLAGGED BLOCK 16: bitcoin
[!] FLAGGED BLOCK 39: bitcoin
....
```
Bitcoin Tracking
(two image-only slides)
Conclusions
• Memory forensics can reveal a lot
• Bitcoin artifacts: keys, addresses, transactions, IP addresses
• These can be combined with OS and other user information for attribution
• If there is no search mechanism, write a Volatility plugin!
• Search methods are trivially wrapped into a plugin for automation
Questions?
• Thank you!
  – Twitter: @CGurkok
  – E-mail: cemgurkok <at/> gmail.com
  – Code: github.com/siliconblade/
  – Blog: siliconblade.blogspot.com
References
1. Bitcoin private key format, https://en.bitcoin.it/wiki/Private_key
2. Bitcoin address format, https://en.bitcoin.it/wiki/Address
3. Volatility Framework, https://github.com/volatilityfoundation/volatility
4. Yara, https://github.com/plusvic/yara
5. Pycoin, https://github.com/richardkiss/pycoin
6. What is the Page File for anyway?, http://blogs.technet.com/b/askperf/archive/2007/12/14/what-is-the-page-file-for-anyway.aspx
7. Page_brute, https://github.com/matonis/page_brute