introducing the... metasploit antiforensics project - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
introducing the... metasploit antiforensics project
vinnie liu, toorcon 7
2
speaker
  • vinnie
  • anti-forensics researcher
  • framework contributor
  • vinnie@metasploit.com

3
coverage
  • avoid detection
  • weaknesses in current forensic techniques
  • break industry tools
      • Guidance EnCase, PGP Desktop, NTFS, MS AntiSpyware
  • Metasploit Anti-Forensic Investigation Arsenal
      • timestomp, slacker, transmogrify, sam juicer
  • identify opportunities for improvement

4
why
  • airing the industry's dirty laundry.
  • the lack of true innovation in the forensics world is because there's no pressure to do so.
  • too much dependence on forensic tools

5
talk format
  • technique
  • anti-technique
  • opportunity for improvement, weaknesses, tools, etc...

6
temporal locality
  • technique
  • timestamps hint as to when an event occurred.
  • timestamps help an analyst timeline events and profile hacker behavior.
  • if an investigator finds a suspicious file, they will search for other files with similar MAC attributes.

7
temporal locality
  • anti-technique
  • modify file times, log file entries, and create bogus and misleading timestamps
  • we need better tools
      • most tools only modify the MAC
      • ok for FAT, but not for NTFS

8
temporal locality
  • modified (M), accessed (A), created (C)
  • entry modified (E)

9
tool timestomp
  • timestomp
  • uses the following Windows system calls
      • NtQueryInformationFile()
      • NtSetInformationFile()
  • doesn't use
      • SetFileTime()
  • features
      • display / set MACE attributes
      • mess with EnCase and MS Anti-Spyware

10
timestomp @ work
  • normal
  • after setting values (-z "Monday 05/05/2005 05:05:05 AM")
  • example EnCase weakness (-b)

11
timestomp @ work
12
timestomp @ work
  • Windows Explorer Demo

13
one opportunity for improvement
  • current state
      • EnCase only uses the MACE values from the Standard Information Attribute (SIA) in each file's MFT record
  • opportunity for improvement
      • validate SIA MACE values against the MACE values stored in the Filename (FN) attribute

[diagram: MFT entry = MFT entry header, SIA attribute (MACE), FN attribute (MACE), remaining attributes]
14
one opportunity for improvement
  • given
      • the FN MACE values are only updated when a file is created or moved
  • therefore
      • FN MACE values must be older than SIA MACE values
  • validation technique
      • determine if the SIA MACE values are older than the FN MACE values

[timeline: FN MACE values at the earlier time, SIA MACE values at the later time]
15
then again
  • anti-validation technique
  • system files and archives are false positives
  • use raw disk i/o to change the FN MACE values
      • MFT is a file
      • calculate offsets from the start of the MFT to a file's FN MACE values
  • use a file that's not been used in a while, delete the data attribute and fill it with your own data
      • no creating, no moving means no FN updates
      • only the SIA changes
      • SIA is controllable

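The SIA-versus-FN check from slides 13-15, carried through against a raw MFT record. This is an added example and not part of the deck or of the Metasploit anti-forensics tools: it parses a 1024-byte FILE record (applying the update-sequence fixups first), reads the four MACE timestamps from $STANDARD_INFORMATION (type 0x10) and $FILE_NAME (type 0x30), and reports every SIA value that predates its FN counterpart. A second heuristic, mine and not from the slides, follows from the input format shown on slide 10: -z takes whole seconds, so a record whose four SIA values all end in exactly .0000000 is flagged too. The two sample records, their names and their times are constructed by build_record(); nothing is read from disk.

```python
"""Validate NTFS MFT timestamps: SIA versus FN (added example, not timestomp's code)."""
import struct
from datetime import datetime, timedelta, timezone

SIA, FN, END = 0x10, 0x30, 0xFFFFFFFF                        # attribute type codes
KEYS = ("created", "modified", "mft_modified", "accessed")    # on-disk order in both attributes
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)             # FILETIME epoch


def to_filetime(dt):
    """datetime -> FILETIME (100 ns ticks since 1601), exact integer math."""
    td = dt - EPOCH
    return (td.days * 86400 * 10**6 + td.seconds * 10**6 + td.microseconds) * 10


def apply_fixups(rec):
    """Undo the update sequence array: on disk the last two bytes of every
    512-byte sector hold the USN and the real bytes sit in the array."""
    rec = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = i * 512
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(rec):
    rec = apply_fixups(rec)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", rec, 20)[0]               # offset of first attribute
    out = {"name": None, "sia": None, "fn": None}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:
            break
        if rec[off + 8] == 0:                                 # resident attribute
            vlen, voff = struct.unpack_from("<IH", rec, off + 16)
            val = rec[off + voff:off + voff + vlen]
            if atype == SIA:                                  # four FILETIMEs at value offset 0
                out["sia"] = dict(zip(KEYS, struct.unpack_from("<4Q", val, 0)))
            elif atype == FN:                                 # four FILETIMEs at 8, name length at 64
                out["fn"] = dict(zip(KEYS, struct.unpack_from("<4Q", val, 8)))
                out["name"] = val[66:66 + 2 * val[64]].decode("utf-16-le")
        off += alen
    return out


def check_record(rec):
    """Return (file name, findings). FN is written at create/move; SIA is what the
    OS (and timestomp) keep updating, so SIA should never be older than FN.
    Second heuristic: timestomp -z takes whole seconds, so four SIA values that
    all end in exactly .0000000 are worth a look."""
    r = parse_record(rec)
    findings = [f"SIA {k} predates FN {k}" for k in KEYS if r["sia"][k] < r["fn"][k]]
    if all(r["sia"][k] % 10_000_000 == 0 for k in KEYS):
        findings.append("all SIA timestamps are whole seconds")
    return r["name"], findings


def build_record(name, sia, fn, record_no=100):
    """Construct a minimal resident MFT record with valid fixups (test data only)."""
    def attr(atype, value):
        value += b"\0" * (-len(value) % 8)
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(value),
                           0, 0, 0, 0, 0, len(value), 24, 0, 0) + value
    sia_val = struct.pack("<4Q", *sia) + b"\0" * 40
    fn_val = struct.pack("<Q4QQQIIBB", (5 << 48) | 5, *fn, 0, 0, 0, 0,
                         len(name), 3) + name.encode("utf-16-le")
    attrs = attr(SIA, sia_val) + attr(FN, fn_val) + struct.pack("<II", END, 0)
    rec = bytearray(1024)
    rec[:48] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, 1,
                           56 + len(attrs), 1024, 0, 2, 0, record_no)
    rec[56:56 + len(attrs)] = attrs
    rec[48:50] = b"\x01\x00"                                  # USN = 1
    for i in (1, 2):                                          # stash real bytes, stamp USN
        rec[48 + 2 * i:50 + 2 * i] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = b"\x01\x00"
    return bytes(rec)


# Constructed samples: an ordinary file, and one whose SIA carries the slide 10
# timestomp -z value while its FN times come from a later real creation.
T0 = datetime(2005, 1, 10, 12, 0, 0, 123456, tzinfo=timezone.utc)
t = lambda days: to_filetime(T0 + timedelta(days=days))
NORMAL = build_record("notes.txt", sia=[t(0), t(3), t(3), t(5)], fn=[t(0)] * 4)
STOMP = to_filetime(datetime(2005, 5, 5, 5, 5, 5, tzinfo=timezone.utc))
T1 = datetime(2005, 8, 1, 9, 30, 0, 654321, tzinfo=timezone.utc)
STOMPED = build_record("tool.exe", sia=[STOMP] * 4, fn=[to_filetime(T1)] * 4)

if __name__ == "__main__":
    for rec in (NORMAL, STOMPED):
        name, findings = check_record(rec)
        print(name, "->", findings or "consistent")
```

Run as-is and the stomped record reports five findings while the ordinary one is clean. Treat the output as a triage signal, not proof: slide 15 already lists the false positives (system files, extracted archives) and the counter (raw writes to the FN attribute through $MFT), and a more careful attacker keeps the sub-second fields non-zero.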
16
spatial locality
  • technique
  • attackers tend to store tools in the same directory
  • anti-technique
  • stop using %windir%\system32
  • mix up storage locations both on a host and between multiple hosts
      • 3rd party software, browser temp, AV/spyware

17
data recovery
  • technique
  • forensics tools will make a best effort to reconstruct deleted data
  • anti-technique
  • secure file deletion
  • filename, file data, MFT record entry
  • wipe all slack space
  • wipe all unallocated space

18
data recovery
  • tools
      • Sysinternals sdelete.exe
          • doesn't clean file slack space
      • Eraser (heidi)
          • does clean file slack space
      • PGP Desktop's Disk Wipe
  • vulnerabilities
      • PGP Desktop's Disk Wipe

19
selling snake oil
PGP 8.x and 9.1 - wiping slack space at end of files
well, it doesn't.
think of it as an opportunity for improvement
20
signature analysis
  • technique
  • EnCase has two methods for identifying file types
      • file extension
      • file signatures
  • anti-technique
  • change the file extension
  • change the file signature to avoid EnCase analysis
      • one-byte modification

21
foiling signature analysis
  • unmodified
  • one byte modified

22
flip it and reverse it
  • tools
  • transmogrify
  • does all the work
  • switch between multiple file formats

23
hashing
  • technique
  • create an MD5 fingerprint of all files on a system
  • compare to lists of known-good / known-bad file hashes
  • minimizes search scope and analysis time
  • anti-technique
  • avoid common system directories (see earlier)
  • modify and recompile
  • remove usage information
  • stego works on non-executables
  • direct binary modification

24
hashing
  • direct binary modification (one-byte)

4e65745d42c70ac0a5f697e22b8bb033
eafcc942c7960f921c64c1682792923c
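Slides 20-24 make two claims at once: a single changed byte defeats exact signature matching, and it changes the MD5 completely. The block below, an added example that is not code from the deck or from transmogrify, demonstrates both on constructed byte strings and adds the examiner-side counter the slides leave implicit: compare a header to a small table of known magics by Hamming distance, so a file that is one byte away from MZ or %PDF- is reported as a near miss worth opening rather than filed as "unknown". The magic table, the distance threshold of 1 and the sample headers are my own choices.

```python
"""One-byte modification vs. signature analysis and MD5 hash sets (added example)."""
import hashlib

# Leading bytes of a few common formats. Illustrative table, not EnCase's.
MAGICS = {
    "exe": b"MZ",
    "zip": b"PK\x03\x04",
    "pdf": b"%PDF-",
    "elf": b"\x7fELF",
    "gif": b"GIF89a",
    "png": b"\x89PNG\r\n\x1a\n",
}


def md5(data):
    return hashlib.md5(data).hexdigest()


def flip_byte(data, index, value):
    """The anti-technique from slides 20-24: change exactly one byte."""
    return data[:index] + bytes([value]) + data[index + 1:]


def exact_type(data):
    """What a plain signature check concludes: first exact magic hit, or None."""
    for kind, magic in MAGICS.items():
        if data.startswith(magic):
            return kind
    return None


def hamming(a, b):
    """Count of differing byte positions (equal-length inputs)."""
    return sum(x != y for x, y in zip(a, b))


def fuzzy_type(data, max_dist=1):
    """Closest magic within max_dist differing bytes as (kind, distance), else (None, None).
    A one-byte miss on a 2-byte magic like 'MZ' is weak evidence on its own; weigh it
    against the claimed extension before calling it tampering."""
    best = (None, None)
    for kind, magic in MAGICS.items():
        if len(data) < len(magic):
            continue
        d = hamming(data[:len(magic)], magic)
        if d <= max_dist and (best[1] is None or d < best[1]):
            best = (kind, d)
    return best


def triage(data, claimed_ext):
    """Examiner-side verdict combining extension, exact and near-miss signature."""
    exact = exact_type(data)
    if exact:
        return "ok" if exact == claimed_ext else f"mismatch: extension {claimed_ext}, header {exact}"
    kind, d = fuzzy_type(data)
    if kind:
        return f"no exact signature, {d} byte(s) from {kind} magic (claimed {claimed_ext}): inspect"
    return "unknown signature"


# Constructed samples: a DOS-header-like stub and a PDF header (not real files).
PE_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
PDF_SAMPLE = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
PE_TAMPERED = flip_byte(PE_SAMPLE, 0, ord("X"))     # "XZ..." no longer matches MZ
PDF_TAMPERED = flip_byte(PDF_SAMPLE, 1, ord("Q"))   # "%QDF-" is one byte off

if __name__ == "__main__":
    for label, before, after in (("exe", PE_SAMPLE, PE_TAMPERED), ("pdf", PDF_SAMPLE, PDF_TAMPERED)):
        print(label, md5(before), "->", md5(after))
        print("  exact:", exact_type(after), "| fuzzy:", fuzzy_type(after), "|", triage(after, label))
```

Hash sets have the same weakness and the same style of counter: an exact MD5 list cannot see a one-byte edit, which is why fuzzy hashes (ssdeep-style context-triggered piecewise hashing) were later added to examiner toolkits. Keep the distance threshold small relative to the magic length; a one-byte miss on a two-byte signature only becomes interesting together with a mismatching extension or a file in an odd location.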
25
keyword searching
  • technique
  • analysts build lists of keywords and search through files, slack space, unallocated space, and pagefiles
  • anti-technique
  • exploit the examiner's lack of language skill
  • great and nearly impossible to catch
  • opportunity for improvement
  • predefined keyword lists in different languages

26
reverse engineering
  • technique
  • 99% of examiners can't code
  • possess rudimentary malware analysis skills if any
  • packer identification
  • commonly available unpackers
  • run strings
  • behavioral analysis
  • anti-technique
  • use uncommon packers or create a custom loader
  • PEC2
  • strategic packing

27
profiling
  • technique
  • analysts find commonalities between tools, toolkits, packers, language, location, timestamps, usage info, etc.
  • anti-technique
  • use what's already in your environment

28
information overload
  • technique
  • forensics takes time, and time costs money
  • businesses must make business decisions, again this means money
  • no pulling-the-plug. business data takes priority.
  • anti-technique
  • on a multi-system compromise, make the investigation cost as much as possible
  • choose the largest drive
  • help the investigators

29
hiding in memory
  • technique
  • EnCase Enterprise allows the examiner to see current processes, open ports, file system, etc.
  • anti-technique
  • Metasploit's Meterpreter (never hits disk)
      • exploit a running process and create threads
  • opportunity for improvement
  • capture what's in memory

30
tool sam juicer
  • sam juicer
  • think pwdump on crack
  • built from the ground up
  • stealthy!

31
tool sam juicer
  • why pwdump should not be used
      • opens a remote share
      • hits disk
      • starts a service to do dll injection
      • hits registry
      • creates remote registry conn
      • often fails and doesn't clean up

[diagram: pwdump touches memory/lsass, services, a remote share, disk, the registry and remote registry]
32
tool sam juicer
[diagram: sam juicer reaches memory/lsass over the meterpreter channel only; services, disk and registry are not touched]
  • slides over Meterpreter channel
  • direct memory injection
  • never hits disk, never hits the registry
  • never starts a service
  • data flows back over existing connection
  • failure doesn't leave evidence

33
tool slacker
  • hiding files in NTFS slack space
  • technique
      • take advantage of NTFS implementation oddity
      • move logical and physical file pointers in certain ways to avoid having data zeroed out
  • features
      • file splitting - uses a tracking file
      • multiple selection techniques - dumb, random, intelligent
      • obfuscation - none, key, file

34
tool slacker
standard file setup
[diagram: standard file layout, 1 cluster = 8 sectors]
35
tool slacker
writing to slack
[diagram: SetFilePointer(), SetEndOfFile() (NTFS zeros data), WriteFile() (safe data!); 1 cluster = 8 sectors]
36
tool slacker
reading from slack
[diagram: SetFilePointer(), SetFilePointer(), SetEndOfFile(), SetFileValidData(), ReadFile(); 1 cluster = 8 sectors]
37
tool slacker
closing out
[diagram: SetFilePointer(), SetEndOfFile(); 1 cluster = 8 sectors]
38
tool slacker
  • selection
      • dumb
          • first N files that have enough combined slack space
      • random
          • dumb selection + random additions
      • intelligent
          • dumb selection, replacing files with older last-modified times
          • nifty in-place algorithm, ask me about it offline
  • recursion available on all

39
tool slacker
  • obfuscation
      • none
      • xor key
          • random 8-bit key repeated over all data
      • one-time pad

[diagram: message (100 bits) XOR key (100 bits) = encrypted message (100 bits)]
40
tool slacker
  • one-time pad (sort of...)
  • strength relies on a truly random xor key of equal length to the message
  • by using a file...
      • we avoid generating an xor key
      • we avoid having to store it anywhere, because it's already on the system
      • BUT, it's not truly random
  • EVEN SO, good effing luck trying to figure out which series of 1s and 0s on your hard drive I chose.

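The selection strategies of slide 38 and the two obfuscation modes of slides 39-40, written out as an added example (not slacker's code). Slack per file is computed from the NTFS cluster size; dumb, random and intelligent selection run over a constructed file table; the payload is split to carrier slack sizes, which is the information a tracking file has to keep; and both the repeated 8-bit XOR key and XOR against a file already on the system are shown. My reading of slides 35-37, which the code does not perform, is that slacker extends the carrier with SetFilePointer()/SetEndOfFile() so the tail of the last cluster becomes part of the file (NTFS zeros the extension), writes the chunk there with WriteFile(), and truncates back with SetEndOfFile(); to read it back it extends again and calls SetFileValidData() so ReadFile() returns the on-disk bytes instead of zeros. That sequence needs a live NTFS volume and, for SetFileValidData(), the SE_MANAGE_VOLUME_NAME privilege, so it is left out here. The 4 KiB cluster size, the 700-byte resident-file cutoff, and every path, size and time in the table are assumptions.

```python
"""Slack capacity, carrier selection and XOR obfuscation in the style of
slacker (added example; not slacker's code)."""
import random
from dataclasses import dataclass

CLUSTER = 4096         # assumption: 4 KiB NTFS clusters
RESIDENT_LIMIT = 700   # assumption: files this small sit inside the MFT record, so no cluster slack


@dataclass
class Entry:
    path: str
    size: int
    mtime: int         # last-modified, unix seconds


def slack(size, cluster=CLUSTER):
    """Bytes between end-of-file and the end of the file's last cluster."""
    if size <= RESIDENT_LIMIT:
        return 0
    r = size % cluster
    return 0 if r == 0 else cluster - r


def select_dumb(files, need):
    """'dumb': first N files, in the order given, whose combined slack covers `need`."""
    chosen, total = [], 0
    for f in files:
        s = slack(f.size)
        if s == 0:
            continue
        chosen.append(f)
        total += s
        if total >= need:
            return chosen
    raise ValueError(f"only {total} bytes of slack available, {need} needed")


def select_random(files, need, extra=2, rng=random):
    """'random': dumb selection plus a few random additional carriers."""
    base = select_dumb(files, need)
    rest = [f for f in files if f not in base and slack(f.size) > 0]
    return base + rng.sample(rest, min(extra, len(rest)))


def select_intelligent(files, need):
    """'intelligent': prefer carriers with the oldest last-modified times. The deck's
    in-place replacement is approximated here by sorting before dumb selection."""
    by_age = sorted((f for f in files if slack(f.size) > 0), key=lambda f: f.mtime)
    return select_dumb(by_age, need)


def split_payload(payload, carriers):
    """Cut the payload to each carrier's slack size. The returned (path, length, chunk)
    list is what a tracking file has to record to reassemble the payload later."""
    chunks, pos = [], 0
    for f in carriers:
        n = min(slack(f.size), len(payload) - pos)
        chunks.append((f.path, n, payload[pos:pos + n]))
        pos += n
        if pos >= len(payload):
            break
    if pos < len(payload):
        raise ValueError("carriers too small for payload")
    return chunks


def xor_key8(data, key):
    """'xor key': one random byte repeated over all data. Symmetric."""
    return bytes(b ^ key for b in data)


def xor_with_file(data, keyfile, offset=0):
    """'one-time pad (sort of)': XOR against bytes of a file already on the system.
    Symmetric, so the same call decodes. Not a real OTP: file bytes are not random."""
    if offset + len(data) > len(keyfile):
        raise ValueError("key file too short at this offset")
    return bytes(d ^ k for d, k in zip(data, keyfile[offset:offset + len(data)]))


# Constructed file table (sizes chosen to show each slack case).
FILES = [
    Entry(r"C:\Program Files\Acme\readme.txt", 300, 1_100_000_000),   # resident -> 0
    Entry(r"C:\Program Files\Acme\acme.dll", 20_000, 1_120_000_000),  # 20000 % 4096 = 3616 -> 480
    Entry(r"C:\Program Files\Acme\help.chm", 8192, 1_050_000_000),    # exact multiple -> 0
    Entry(r"C:\Windows\Temp\log1.txt", 5_000, 1_130_000_000),         # 5000 % 4096 = 904 -> 3192
    Entry(r"C:\Users\Public\old.pdf", 70_000, 1_000_000_000),         # 70000 % 4096 = 368 -> 3728
]

if __name__ == "__main__":
    payload = b"tool bytes " * 160                      # 1760 bytes
    carriers = select_intelligent(FILES, len(payload))
    hidden = [(p, n, xor_key8(c, 0xA5)) for p, n, c in split_payload(payload, carriers)]
    print([(p, n) for p, n, _ in hidden])
```

Two things to take from the numbers: a file that is an exact multiple of the cluster size, or small enough to be resident in its MFT record, contributes nothing, so total capacity is far below file count times cluster size; and intelligent mode picks old.pdf alone, a file nobody has modified in years, where dumb mode would have touched a DLL and a fresh log.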
41
tool slacker
  • Demo Slacker

42
what weve defeated
  • temporal locality (time stamps)
  • spatial locality (file location)
  • data recovery
  • file signatures
  • hashing
  • keywords
  • reverse engineering
  • profiling
  • effectiveness/info overload
  • disk access/hiding in memory

43
done
  • what?
  • slides
  • advisories
  • Metasploit Anti-Forensic Investigation Arsenal
    (MAFIA)
  • where?
  • www.metasploit.com/projects/antiforensics/
  • www.toorcon.org

44
...gotta go catch my flight
  • thanks to...
  • muirnin, skape, hdm, optyx, spoonm, thief, ecam, tastic, vax, arimus