
F.I.R.E.


Presentation Transcript


  1. INSA, Information Networking Security and Assurance Lab, National Chung Cheng University
     F.I.R.E.: Forensics & Incident Response Environment
     2004, Jei

  2. Outline
     • Preface
     • Analyze Unknown Binary
     • F.I.R.E.
     • Example
     • Conclusion

  3. Outline: Preface • Analyze Unknown Binary • F.I.R.E. • Example • Conclusion

  4. What and The Purpose
     • Examine an unknown malware binary (open source tools)
       • The Sleuth Kit
       • autopsy
       • strings
       • hexedit
       • …
     • F.I.R.E.: packages all the tools together on a bootable CD

  5. Outline: Preface • Analyze Unknown Binary • F.I.R.E. • Example • Conclusion

  6. Under an Unknown Condition
     • Possibly where it came from
     • What the binary’s purpose is
     • It may be possible to identify when the system was compromised and the binary installed
     • It may also be possible to discover which user id facilitated the compromise of the system

  7. Binary Details
     • From http://www.giac.org/gcfa/binary_v1.3.zip
     • Userid, md5sum, …
     • CRC number
     • The last modified time
     • The file size when extracted
     • The file size within the archive

  8. The strings command
     • Parses an input file and outputs the readable strings
     • Read the strings sequentially, in the order they appear in the program code
     • May be an ICMP back-door to a cmd.exe shell
     • May deal with creating and starting services

  9. The hexedit command
     • The purposes
       • Confirm the function of the application
       • Confirm who was involved in its creation or distribution (possibly)
     (screenshot callouts: the command line; some information you are interested in!!)

  10. (screenshot callouts: the person who may have compiled, written or created the zip file; may be an ICMP back-door to a cmd.exe shell)

  11. (screenshot callouts: may be the hacker’s message; smesses.exe and reg.exe: querying and modifying registry entries; the IP address)

  12. Some DLL files
     • KERNEL32.dll
     • ADVAPI32.dll
     • WS2_32.dll
     • MSVCRT.dll
     • MSVP60.dll
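Slides 8 to 12 read the binary's printable strings (cmd.exe, service-control and registry names, the imported DLLs) to guess its purpose. The following is an added example, not code from the presentation: a small re-implementation of what strings(1) does, extended to the UTF-16LE strings Windows binaries often carry (what `strings -e l` prints), plus a triage pass that groups the hits into the categories the slides care about. The sample bytes, the indicator list and the function names are constructed for this example.

```python
import re

# Printable ASCII runs (0x20-0x7e): the default behaviour of strings(1).
_ASCII_RUN = re.compile(rb"[\x20-\x7e]+")
# UTF-16LE runs (printable ASCII byte followed by NUL), as strings -e l would find.
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00)+")


def extract_strings(data, min_len=4):
    """Return (encoding, file_offset, text) tuples ordered by offset, like strings -t d."""
    found = []
    for m in _ASCII_RUN.finditer(data):
        if len(m.group()) >= min_len:
            found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in _WIDE_RUN.finditer(data):
        text = m.group().decode("utf-16-le")
        if len(text) >= min_len:
            found.append(("utf-16le", m.start(), text))
    found.sort(key=lambda t: t[1])
    return found


# Constructed indicator table matching the slides' reasoning: shell, services,
# registry, sockets. A real triage list would be much longer.
INDICATORS = {
    "shell": ("cmd.exe",),
    "services": ("CreateService", "StartService"),
    "registry": ("RegOpenKey", "RegSetValue", "reg.exe"),
    "network": ("WS2_32.dll", "socket", "ioctlsocket"),
}


def triage(data, min_len=4):
    """Extract strings and bucket the interesting ones by category (case-insensitive)."""
    strs = extract_strings(data, min_len)
    hits = {}
    for category, needles in INDICATORS.items():
        for _enc, off, text in strs:
            if any(n.lower() in text.lower() for n in needles):
                hits.setdefault(category, []).append((off, text))
    return strs, hits


# Constructed sample "binary": a fake DOS header, unprintable filler, a few ASCII
# strings, one UTF-16LE string (the password the slides suspect) and a DLL name.
SAMPLE = (
    b"MZ\x90\x00" + bytes(range(32))
    + b"KERNEL32.dll\x00" + b"CreateServiceA\x00" + b"\x01\x02"
    + b"cmd.exe\x00\x00" + "loki".encode("utf-16-le") + b"\x00\x00"
    + b"WS2_32.dll\x00"
)

if __name__ == "__main__":
    strings_found, categories = triage(SAMPLE)
    for enc, off, text in strings_found:
        print(f"{off:8d} {enc:9s} {text}")
    print(categories)
```

The ASCII-only pass would never show the wide string, which is why running both passes (or `strings -e l` next to plain `strings`) matters when the sample is a Windows executable; note also that a packed or encrypted binary yields almost no strings, so an empty result is itself a finding.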

  13. The objdump command
     • View library information about a binary executable
     • -p option: print the object header information
     (screenshot callouts: the command; the time and date)
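The time and date that `objdump -p` prints for a Windows executable come from the TimeDateStamp field of the COFF file header, which is the value the slide points at. The following is an added example, not the presentation's code or objdump's: it reads the DOS header pointer, checks the PE signature and decodes the COFF header fields (machine, section count, link timestamp, characteristics) the way the tool does. The minimal image it parses is constructed in `build_sample_pe`; the field names follow the PE/COFF specification, the helper names are mine.

```python
import struct
from datetime import datetime, timezone

# A few well-known values from the PE/COFF specification; others are shown in hex.
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}


def pe_header_info(data):
    """Decode the COFF file header of a PE image, roughly what objdump -p reports first."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes, little-endian).
    machine, nsections, stamp, _symtab, _nsyms, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "time_date_stamp": stamp,
        "link_time_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "optional_header_size": opt_size,
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if flags & bit],
    }


def build_sample_pe(timestamp, machine=0x014C, nsections=3, flags=0x0102):
    """Constructed minimal image: DOS header, PE signature and COFF header only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", machine, nsections, timestamp, 0, 0, 224, flags)
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    # 1009843200 is 2002-01-01T00:00:00Z, a constructed value.
    for key, value in pe_header_info(build_sample_pe(1009843200)).items():
        print(f"{key:22s} {value}")
```

The link timestamp is written by the compiler and can be set to anything by whoever built the file, so treat it as one clue to line up against the archive's last-modified time and the file system MAC times from the image, not as proof of when the binary was built.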

  14. The kernel interface was dealing with pipes and handles, so the application was talking to the interface, to processes or to other applications!!

  15. The application was doing something to the system’s services

  16. Probably socket & IOCTL calls, so the application is definitely communicating with external applications through a socket

  17. Shows the basic terminal I/O communications through the standard MSVCRT library

  18. The f-prot command
     • It’s a virus scanner
     • Can live-update (/usr/local/f-prot/update-defs.sh)
     (screenshot callouts: the command; nothing found)

  19. All evidence leads me to decide
     • An ICMP back-door to cmd.exe
     • Default password may be loki
     • Coded by Spoof
     • Hacker group
     • MFC
     • May be installed by local user Rich

  20. From Google
     • http://packetstormsecurity.com/crypt/misc/loki2.tar.gz
     • Coded for Windows, based on loki2 for Unix-like OS

  21. Outline: Preface • Analyze Unknown Binary • F.I.R.E. • Example • Conclusion

  22. What
     • A bootable Linux CD that turns any machine into a forensics workstation
     • Boots the entire system without touching the local system
     • Open Source
       • http://fire.dmzs.com
       • http://www.sourceforge.net/projects/biatchux

  23. How
     • F.I.R.E. runs within a RAM disk, so it does not touch the system or the images
     • Log the information you need to the /data/ directory

  24. Two quick ways of using F.I.R.E.
     • Burn the ISO to a CD and boot from it
     • The ISO can be booted from within VMware

  25. Autopsy
     • http://www.sleuthkit.org/autopsy/desc.php
     • Graphic interface
     • Some features
       • Case Management
       • File Analysis
       • File Content Analysis
       • File Type
       • Hash Database
       • Timeline of File Activity
       • Keyword Search
       • Meta Data Analysis
       • Image Details
       • Image Integrity
       • Notes
       • Reports
       • Logging
       • Open Design
       • Client Server Model

  26. Outline: Preface • Analyze Unknown Binary • F.I.R.E. • Example • Conclusion

  27. The compromised image
     • From the Digital Forensics Research Workshop: http://www.dfrw.org
     • Download site: http://www.honeynet.org/scans/scan24/

  28. VMware (screenshot callouts: select the ISO image; the beginning!!)

  29. Set up your network (1/2)
     • Prompt mode
     (screenshot callouts: start menu!!; many options)

  30. Set up your network (2/2)
     • Command line
     (screenshot callout: set up the IP address, netmask and default gateway!!)

  31. Log your activity
     • Like the script command!
     • Right-click -> Shells/Consoles -> logging -> respawn all logging xterms
     • The data is saved to /data/consolelogs/$user/$date-$tty.log

  32. consh and replay
     • consh (shell script): does the logging
     • replay (command):
       # replay May30-182215-tty_ttyp0.log.timing May30-182215-tty_ttyp0.log

  33. Start Command: you must point your browser at this URL to start (screenshot)

  34. Set up the Case: select /data/<CASE-NAME>

  35. Add Host

  36. Add Image

  37. Analysis type
     • File analysis: browse the various files available on the image, including deleted files
     • Keyword search: search the image for various keywords
     • File type: run the sorter that counts the various file types on the image
     • Image details: summary data about the image
     • Meta Data: you can enter a meta data number to search for
     • Data Unit: allows the entry of a sector number
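Two of the analysis types above, keyword search and the data unit view, are tied together: a keyword hit is reported by the sector (data unit) it lands in, and you then open that sector to see the surrounding bytes. The following is an added example, not Autopsy's or the presentation's code: it searches a raw image for keywords, maps each hit to its sector and in-sector offset, and shows the one edge case a per-sector search gets wrong, a keyword that straddles a sector boundary. The image, the planted strings and the function names are constructed for this example; the 512-byte sector size is an assumption.

```python
SECTOR = 512  # assumed sector size; set to the image's real block/sector size


def keyword_search(image, keywords, sector_size=SECTOR):
    """One entry per occurrence: keyword, byte offset, data unit (sector), in-sector offset."""
    hits = []
    for kw in keywords:
        needle = kw.encode() if isinstance(kw, str) else kw
        start = 0
        while True:
            pos = image.find(needle, start)   # search the whole image, not unit by unit
            if pos < 0:
                break
            first = pos // sector_size
            last = (pos + len(needle) - 1) // sector_size
            hits.append({
                "keyword": needle.decode(errors="replace"),
                "offset": pos,
                "sector": first,
                "sector_offset": pos % sector_size,
                "spans_sectors": last != first,   # a hit a unit-by-unit search would miss
            })
            start = pos + 1
    hits.sort(key=lambda h: h["offset"])
    return hits


def data_unit(image, sector, sector_size=SECTOR):
    """Raw bytes of one data unit: what Autopsy shows after you enter a sector number."""
    return image[sector * sector_size:(sector + 1) * sector_size]


def keyword_in_unit(image, sector, needle, sector_size=SECTOR):
    """Naive per-unit search, kept only to show what it misses at unit boundaries."""
    return needle in data_unit(image, sector, sector_size)


def build_sample_image(sectors=4, sector_size=SECTOR):
    """Constructed image: zeros except two planted strings, one across a sector boundary."""
    img = bytearray(sectors * sector_size)
    img[1100:1107] = b"cmd.exe"   # sector 2, in-sector offset 76
    img[1020:1025] = b"loki2"     # starts in sector 1 (offset 508), ends in sector 2
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    for hit in keyword_search(img, ["cmd.exe", "loki2"]):
        print(hit)
    print(data_unit(img, 2)[:80])
```

Searching the image as one byte stream (as above, and as `grep -b` over the image file would) finds the straddling hit and flags it; Autopsy's own search works on the full image for the same reason, so a result whose keyword appears to run off the end of a sector is not an artifact but a string that continues in the next unit.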

  38. Some test (1/6) (screenshot only)

  39. Some test (2/6) (screenshot callouts: enter what you want to search; quick search)

  40. Some test (3/6) (screenshot callout: summary)

  41. Some test (4/6) (screenshot only)

  42. Some test (5/6) (screenshot only)

  43. Some test (6/6) (screenshot only)

  44. The final step
     • Create Data File
     • Create Timeline
     • tar & md5sum
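The last step, tar & md5sum, is what lets anyone later show that the case data (the /data/<CASE-NAME> directory with its timeline, notes and console logs) has not changed since it was collected. The following is an added example, not the presentation's procedure: it hashes every file into an md5sum-style manifest, stores the manifest inside the archive, hashes the archive itself, and then verifies both layers, reporting which files were modified or are missing. The case directory contents in `demo` are constructed; the helper names are mine.

```python
import hashlib
import os
import tarfile
import tempfile


def md5_file(path, chunk=1 << 16):
    """Stream a file through MD5 (the digest md5sum prints)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(case_dir, skip=("MD5SUMS",)):
    """Relative path -> md5 for every regular file under case_dir, like find | xargs md5sum."""
    manifest = {}
    for root, _dirs, files in os.walk(case_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, case_dir)
            if rel not in skip:
                manifest[rel] = md5_file(full)
    return manifest


def write_manifest(manifest, path):
    """md5sum output layout, so the file can later be checked with: md5sum -c MD5SUMS."""
    with open(path, "w") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")


def package_case(case_dir, out_tar):
    """Hash the case directory, drop the manifest inside it, tar it, then hash the archive."""
    manifest = build_manifest(case_dir)
    write_manifest(manifest, os.path.join(case_dir, "MD5SUMS"))
    with tarfile.open(out_tar, "w:gz") as tar:
        tar.add(case_dir, arcname=os.path.basename(case_dir))
    return manifest, md5_file(out_tar)


def check_manifest(root, manifest):
    """List problems: files whose hash changed and files that are missing."""
    current = build_manifest(root)
    problems = []
    for rel, digest in sorted(manifest.items()):
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    return problems


def verify_package(out_tar, archive_md5, manifest, extract_to):
    """Outer check (archive hash) first, then inner check (every file against the manifest)."""
    if md5_file(out_tar) != archive_md5:
        return False, ["archive hash mismatch"]
    # The 'data' filter rejects absolute paths and '..' members (Python 3.12+ and backports).
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(out_tar, "r:gz") as tar:
        top = tar.getnames()[0].split("/")[0]
        tar.extractall(extract_to, **kwargs)
    problems = check_manifest(os.path.join(extract_to, top), manifest)
    return not problems, problems


def demo():
    """Constructed case directory exercising the clean, tampered and bad-archive paths."""
    tmp = tempfile.mkdtemp()
    case = os.path.join(tmp, "scan24")
    os.makedirs(os.path.join(case, "consolelogs"))
    with open(os.path.join(case, "timeline.txt"), "w") as f:
        f.write("constructed timeline line\n")
    with open(os.path.join(case, "consolelogs", "May30-182215-tty_ttyp0.log"), "w") as f:
        f.write("# ls -la /data\n")                     # constructed console log
    archive = os.path.join(tmp, "scan24.tar.gz")
    manifest, digest = package_case(case, archive)
    clean = verify_package(archive, digest, manifest, os.path.join(tmp, "clean"))
    with open(os.path.join(tmp, "clean", "scan24", "timeline.txt"), "a") as f:
        f.write("edited after collection\n")          # simulate tampering with a copy
    tampered = check_manifest(os.path.join(tmp, "clean", "scan24"), manifest)
    bad = verify_package(archive, "0" * 32, manifest, os.path.join(tmp, "bad"))
    return {"manifest_files": sorted(manifest), "clean": clean,
            "tampered": tampered, "bad_archive": bad}


if __name__ == "__main__":
    print(demo())
```

MD5 matches the tool the slides use; today you would record SHA-256 alongside it (swap `hashlib.md5` for `hashlib.sha256`, the rest is unchanged), since MD5 collisions are practical and a manifest is only as strong as its hash. Record the archive digest somewhere outside the archive (a printed case sheet or a separate signed file), otherwise an attacker who can rewrite the tarball can rewrite the manifest inside it too.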

  45. (screenshot only)

  46. (screenshot only)

  47. Outline: Preface • Analyze Unknown Binary • F.I.R.E. • Example • Conclusion

  48. Conclusion: do not touch the local system

  49. Additional Information (1/2)
     • VNC
     (screenshot callouts: VNC connection; Internet)

  50. Additional Information (2/2)
     • Some legal issues
     • Go to the INSA Knowledge-Base
