Bin-Carver: Automatic recovery of binary executable files
Transcript of Bin-Carver: Automatic recovery of binary executable files
![Page 1: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/1.jpg)
Bin-Carver: Automatic recovery of binary executable files
Presented by: Ryan O’Donnell
![Page 2: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/2.jpg)
The process of reassembling files from disk fragments in the absence of metadata.
What is file carving?
![Page 3: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/3.jpg)
• Accidental user deletions
• Intentional user deletions
• Malware
When would we need file carving?
![Page 4: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/4.jpg)
Using a .jpeg file as an example:
• Find header (FF D8)
• Know footer pair (FF D9)
• Find all contiguous data
Traditional file carving method
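As an added example (not part of the presentation), the header/footer method from the slide above applied to a small constructed raw image. The image layout, the 512-byte "block" size and the file contents are all made up for the demonstration; the point is to see the method succeed on the contiguous file and silently swallow a gap for the fragmented one, which is the limitation the next slide lists.

```python
from typing import List, Tuple

JPEG_HEADER = b"\xff\xd8"   # SOI marker: FF D8
JPEG_FOOTER = b"\xff\xd9"   # EOI marker: FF D9


def carve_by_header_footer(image: bytes, header: bytes = JPEG_HEADER,
                           footer: bytes = JPEG_FOOTER) -> List[Tuple[int, bytes]]:
    """Classic contiguous carving: return (offset, data) for every header..footer span.

    Everything between a header and the next footer is assumed to be one file. That
    holds for unfragmented files and breaks as soon as a garbage gap or another file's
    block sits in between: the gap is carved into the output as if it were file data.
    """
    results = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start == -1:
            break
        end = image.find(footer, start + len(header))
        if end == -1:
            break                       # header without a footer: nothing to carve
        end += len(footer)
        results.append((start, image[start:end]))
        pos = end
    return results


# --- constructed disk image (not real data): 512-byte blocks, two fake JPEGs ---
BLOCK = 512


def _pad(b: bytes) -> bytes:
    return b + b"\x00" * (BLOCK - len(b))


JPEG_A = JPEG_HEADER + b"AAAA" + JPEG_FOOTER          # contiguous, fits in one block
JPEG_B_PART1 = JPEG_HEADER + b"BBBB"                  # file B is split across
JPEG_B_PART2 = b"BBBB" + JPEG_FOOTER                  # two non-adjacent blocks
GARBAGE = b"\x7fGARBAGE"                              # unrelated block in the gap

DISK_IMAGE = _pad(JPEG_A) + _pad(JPEG_B_PART1) + _pad(GARBAGE) + _pad(JPEG_B_PART2)


def demo() -> List[Tuple[int, bytes]]:
    carved = carve_by_header_footer(DISK_IMAGE)
    for off, data in carved:
        # the second result is 1030 bytes long and contains the GARBAGE block:
        # header/footer carving cannot tell a gap from file content
        print(f"offset {off:#06x}: {len(data)} bytes, contains gap: {GARBAGE in data}")
    return carved
```

Running `demo()` shows file A carved correctly and file B carved as one 1030-byte span that includes the garbage block, the fragmentation failure the deck goes on to address.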
![Page 5: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/5.jpg)
• fragmentation
• doesn’t work without exact header and footer information
• doesn’t work with all file types
  o focuses on documents of forensic interest
  o binary executables not included
Problems with traditional method
![Page 6: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/6.jpg)
• recover Executable and Linkable Format (ELF) file e from disk image D
• D strictly consists of file content blocks
• Assume D is an EXT2 file system with a 4k block size
Bin-carver overview -1
![Page 7: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/7.jpg)
• file content has not been overwritten
• file content is stored in increasing order
• ELF file e has n blocks on the disk
We want to link these n blocks together utilizing internal graph node logic.
Bin-carver overview -2
![Page 8: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/8.jpg)
Bin-carver overview -3
![Page 9: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/9.jpg)
•Filename recovery is typically not possible without the file system metadata
•Fragmentation
Challenges
![Page 10: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/10.jpg)
• ELF-header scanner
  o scans for all possible ELF headers h_i using the ELF-file magic value
• block-node linker
  o scans the disk image, identifies nodes and links them
• conflict-node resolver
  o removes conflict nodes and outputs ELF file e_i
Components
![Page 11: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/11.jpg)
System Overview Diagram
![Page 12: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/12.jpg)
Headers hold a “road map” describing ELF file organization.
Searching for the magic number sequence 7f 45 4c 46 allows us to locate headers, which tell us how to traverse all other sections.
Scanner -1
![Page 13: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/13.jpg)
Each header is 52k and contains:
• program header table (PHT)
  o array of program headers
• section header table (SHT)
  o array of section headers
Scanner -2
![Page 14: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/14.jpg)
• usually located at the end of the ELF file
  o can serve as a footer because of this
• since A(footer) > A(h_i) we can start our search at the 0x14 disk block
• gives us a multitude of other constraints that allow us to calculate the location of the footer
Searching SHT
![Page 15: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/15.jpg)
• locates the segments that create the memory image of the program
• each program header is 32 bytes
• usually starts right after the ELF header
  o same 4k block
Searching PHT
![Page 16: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/16.jpg)
• from the program headers, infer the base virtual address of the image file
• keep iterating and build our road map
• our goal is to fill every slot in this road map with content (b_i)
Searching PHT
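The scanner stage from the last five slides, as an added example that is not the Bin-Carver code: scan a disk image at 4k block boundaries for the 7f 45 4c 46 magic, parse the ELF32 header (52 bytes; the "52k" on the earlier slide is the header size in bytes) and its 32-byte program headers, take the base virtual address from the PT_LOAD segments, use the end of the SHT as the footer, and lay out the road map of block placeholders b_i with the virtual address each one should hold. The header block below is hand-built with `struct` so the example runs offline; its segment layout and the junk block in front of it are constructed, not taken from any real binary.

```python
import struct
from typing import List, Optional

BLOCK_SIZE = 4096                 # EXT2 block size assumed by the slides
ELF_MAGIC = b"\x7fELF"            # 7f 45 4c 46
ELF32_EHDR_LEN = 52               # the ELF32 header is 52 bytes
ELF32_PHDR_LEN = 32               # each ELF32 program header is 32 bytes
ELF32_SHDR_LEN = 40               # each ELF32 section header is 40 bytes
PT_LOAD = 1


def parse_elf32_header(data: bytes) -> Optional[dict]:
    """Parse a little-endian ELF32 header; return None if the bytes are not a plausible one."""
    if len(data) < ELF32_EHDR_LEN or data[:4] != ELF_MAGIC:
        return None
    if data[4] != 1 or data[5] != 1:          # EI_CLASS=ELFCLASS32, EI_DATA=little-endian only
        return None
    names = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
             "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
             "e_shnum", "e_shstrndx")
    hdr = dict(zip(names, struct.unpack_from("<HHIIIIIHHHHHH", data, 16)))
    # cheap sanity checks that reject random data which merely carries the magic bytes
    if hdr["e_ehsize"] != ELF32_EHDR_LEN or hdr["e_phentsize"] != ELF32_PHDR_LEN:
        return None
    return hdr


def scan_elf_headers(image: bytes) -> List[int]:
    """ELF-header scanner: files start on block boundaries, so only those offsets are tested."""
    return [off for off in range(0, len(image), BLOCK_SIZE)
            if parse_elf32_header(image[off:off + ELF32_EHDR_LEN]) is not None]


def parse_phdrs(block: bytes, hdr: dict) -> List[dict]:
    """Read the PHT, which normally follows the ELF header inside the same 4k block."""
    names = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_flags", "p_align")
    return [dict(zip(names, struct.unpack_from("<IIIIIIII", block, hdr["e_phoff"] + i * ELF32_PHDR_LEN)))
            for i in range(hdr["e_phnum"])]


def build_road_map(block: bytes) -> dict:
    """Turn the header block into the road map: how many blocks b_i the file has, which block
    holds the SHT footer, and which virtual address each block maps to (None if not loaded)."""
    hdr = parse_elf32_header(block)
    loads = [p for p in parse_phdrs(block, hdr) if p["p_type"] == PT_LOAD]
    base_vaddr = min(p["p_vaddr"] for p in loads)
    # the SHT sits at the end of the file, so its end is the file size (the footer position)
    file_size = hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"]
    n_blocks = (file_size + BLOCK_SIZE - 1) // BLOCK_SIZE

    def vaddr_of(file_off: int) -> Optional[int]:
        for p in loads:
            if p["p_offset"] <= file_off < p["p_offset"] + p["p_filesz"]:
                return p["p_vaddr"] + (file_off - p["p_offset"])
        return None                           # block is not part of the memory image

    return {"base_vaddr": base_vaddr, "file_size": file_size, "n_blocks": n_blocks,
            "footer_block": hdr["e_shoff"] // BLOCK_SIZE,
            "block_vaddr": {i: vaddr_of(i * BLOCK_SIZE) for i in range(n_blocks)}}


# --- constructed sample: a hand-built ELF32 header block, not a real binary ---
def _ehdr(e_phnum: int, e_shoff: int, e_shnum: int, e_entry: int = 0x08048100) -> bytes:
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8      # ELFCLASS32, LE, version 1
    return e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, e_entry, ELF32_EHDR_LEN, e_shoff,
                                 0, ELF32_EHDR_LEN, ELF32_PHDR_LEN, e_phnum,
                                 ELF32_SHDR_LEN, e_shnum, e_shnum - 1)


def _phdr(p_type: int, p_offset: int, p_vaddr: int, p_filesz: int, p_flags: int) -> bytes:
    return struct.pack("<IIIIIIII", p_type, p_offset, p_vaddr, p_vaddr, p_filesz, p_filesz, p_flags, 0x1000)


HEADER_BLOCK = (_ehdr(e_phnum=2, e_shoff=0x2800, e_shnum=10)
                + _phdr(PT_LOAD, 0x0000, 0x08048000, 0x1800, 5)     # text segment, R+X
                + _phdr(PT_LOAD, 0x1800, 0x08049800, 0x0400, 6))    # data segment, R+W
HEADER_BLOCK += b"\x00" * (BLOCK_SIZE - len(HEADER_BLOCK))
# a junk block first, then the header block, then two empty blocks
DISK_IMAGE = b"\x41" * BLOCK_SIZE + HEADER_BLOCK + b"\x00" * (2 * BLOCK_SIZE)


def demo() -> dict:
    hits = scan_elf_headers(DISK_IMAGE)
    road_map = build_road_map(DISK_IMAGE[hits[0]:hits[0] + BLOCK_SIZE])
    print(f"ELF header in block {hits[0] // BLOCK_SIZE}: {road_map}")
    return road_map
```

For the constructed header the road map has three placeholders: b_0 and b_1 map to 0x08048000 and 0x08049000 in the text segment, b_2 holds the section header table and no part of the memory image, and b_2 is also the footer block. Those virtual addresses are what the linker stage needs when it has to place blocks that are not contiguous on disk.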
![Page 17: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/17.jpg)
With no fragmentation, our job is done.
But, with any garbage gap, this approach would fail.
So how do we link each individual b_i if the disk is fragmented?
Finished?
![Page 18: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/18.jpg)
We have to logically connect b_i and b_j.
We explore the caller-callee relationship:
• find the block placeholder of b_caller and b_callee
  o find address
• logically link them together
  o function prologue signature (local calls)
  o PLT instruction sequence (library calls)
Block-node linker -1
![Page 19: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/19.jpg)
On a library call:
• use the PLT block number as an anchor
• use this anchor to identify the absolute block number of the caller block
On a local call:
• only determines distance
• only works with blocks starting with e8 (CALL opcode)
In most cases library calls are used to resolve block numbers.
Block-node linker -2
![Page 20: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/20.jpg)
A particular placeholder i could have several candidates.
To eliminate redundant placeholders:
• use identified non-conflict nodes
• explore logic connections
• resolve node
• iterate until a fixed point is reached
Conflict-node resolver -1
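The library-call linking from the two block-node linker slides and the fixed-point resolution from the slide above, as one added example that is not the paper's code. The PLT block sits at a known virtual address (the anchor); for each unplaced code block, every `E8 rel32` whose target would land on a PLT entry gives one candidate block address, and candidates that are not 4k-aligned or fall outside the text segment are dropped. A block can still end up with several candidates (a stray E8 byte in the constructed block X does exactly that), so the resolver starts from the non-conflicting nodes and removes their addresses from everyone else's candidate set until nothing changes. The segment range, PLT addresses and the three fragments are constructed for the demonstration.

```python
import struct
from typing import Dict, Set

BLOCK_SIZE = 4096
CALL_OPCODE = 0xE8                      # x86 near relative CALL: E8 rel32


def plt_candidates(block: bytes, plt_entries: Set[int], text_lo: int, text_hi: int) -> Set[int]:
    """Block-node linker (library calls): each E8 rel32 that would target a PLT entry
    yields one candidate virtual address for the block. Only block-aligned addresses
    inside the text segment survive; anything else is a stray E8 or a non-PLT target."""
    found = set()
    for o in range(len(block) - 4):
        if block[o] != CALL_OPCODE:
            continue
        rel = struct.unpack_from("<i", block, o + 1)[0]
        for target in plt_entries:
            # target = block_vaddr + o + 5 + rel  =>  block_vaddr = target - o - 5 - rel
            block_vaddr = target - o - 5 - rel
            if block_vaddr % BLOCK_SIZE == 0 and text_lo <= block_vaddr < text_hi:
                found.add(block_vaddr)
    return found


def resolve_conflicts(candidates: Dict[str, Set[int]], anchors: Dict[str, int]) -> Dict[str, int]:
    """Conflict-node resolver: start from the non-conflicting (anchored) nodes, strip their
    addresses from every other node's candidates, place any node left with exactly one
    candidate, and repeat until a fixed point. Nodes still holding several candidates stay
    unplaced (the slides fall back to dynamic execution for those); nodes with none are not
    part of this file at all."""
    placed = dict(anchors)
    pending = {name: set(c) for name, c in candidates.items() if name not in placed}
    changed = True
    while changed:
        changed = False
        taken = set(placed.values())
        for name, cset in list(pending.items()):
            cset -= taken
            if len(cset) == 1:
                placed[name] = cset.pop()
                del pending[name]
                changed = True
    return placed


def _call(rel: int) -> bytes:
    return bytes([CALL_OPCODE]) + struct.pack("<i", rel)


def _block(parts: Dict[int, bytes]) -> bytes:
    buf = bytearray(BLOCK_SIZE)
    for off, data in parts.items():
        buf[off:off + len(data)] = data
    return bytes(buf)


# --- constructed scenario (not data from the paper) ---
TEXT_LO, TEXT_HI = 0x08048000, 0x0804B000            # three 4k code blocks
PLT_ENTRIES = {0x08048300, 0x08048310}                # live in the anchor block at TEXT_LO
FRAGMENTS = {
    # true address 0x08049000: a real call to PLT 0x08048300 at offset 0x100, plus a stray
    # E8 at 0x300 whose rel32 happens to point at the other PLT entry if seen from 0x0804A000
    "X": _block({0x100: _call(-0xE05), 0x300: _call(-0x1FF5)}),
    # true address 0x0804A000: a real call to PLT 0x08048310 at offset 0x20
    "Y": _block({0x20: _call(-0x1D15)}),
    # unrelated block that merely contains an E8 byte
    "G": _block({0x0: _call(0), 0x10: b"\x41" * 16}),
}


def link_demo() -> Dict[str, int]:
    cands = {name: plt_candidates(blk, PLT_ENTRIES, TEXT_LO, TEXT_HI) for name, blk in FRAGMENTS.items()}
    placed = resolve_conflicts(cands, anchors={"header+plt": TEXT_LO})
    for name in FRAGMENTS:
        print(f"{name}: candidates={sorted(map(hex, cands[name]))} placed={placed.get(name)}")
    return placed
```

`link_demo()` first finds X with two candidates and Y with one; placing Y at 0x0804A000 removes that address from X's set, which fixes X at 0x08049000, and G is never placed because none of its E8 bytes resolve to an aligned address inside the segment.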
![Page 21: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/21.jpg)
Block-node linker only focuses on linking code blocks. Conflict-node resolver handles other data blocks (.data, .debug).
Conflict-node resolver -2
![Page 22: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/22.jpg)
To retrieve data blocks:
• treat the data sections as a block between the ELF header and the first block of the code section
• the resolver explores the constraints defined in the PHT and SHT
• worst case scenario: the data section has no identifiable sections and we must use dynamic execution to eliminate bogus permutations
  o essentially, if the recovered binary file doesn’t crash, it may have been recovered successfully
Conflict-node resolver -3
![Page 23: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/23.jpg)
Comparisons were intended to be made to other similar tools, but neither Foremost nor Scalpel supports carving fragmented ELF binary files.
Evaluation - Comparison
![Page 24: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/24.jpg)
Evaluation -1
![Page 25: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/25.jpg)
• All files are ELF binaries
  o worst case, high false positive rates
  o addition of heterogeneous data irrelevant
• performance of the algorithm is invariant to the size of the disk
• performance relies on the number of files to be recovered
Evaluation -2
![Page 26: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/26.jpg)
To evaluate accuracy, we need to prove the recovered files are true ELF files.
We need to create an MD5 hash of the first block and of every individual block of each true ELF binary, to detect true data in the worst-case fragmentation scenario.
Evaluation -3
![Page 27: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/27.jpg)
Identification rate:
• shows the portion that can be identified no matter how fragmented the disk is
  o must be able to match hash values
Recovery rate:
• valid files in the system that were identified and recovered
Effectiveness -1
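An added evaluation harness (not from the paper) for the two slides above: hash every 4k block of each ground-truth ELF file, then score a set of carved outputs. Identification rate is read here as the share of ground-truth blocks whose hash appears anywhere in the carved output, which is independent of ordering and fragmentation; recovery rate is read as the share of ground-truth files that some carved output reproduces exactly, block for block. The ground-truth files and carved outputs are constructed byte patterns, not real binaries.

```python
import hashlib
from typing import Dict, List, Tuple

BLOCK_SIZE = 4096


def block_hashes(data: bytes) -> List[str]:
    """MD5 of every 4k block; the first entry is the 'first block' hash that identifies the file."""
    return [hashlib.md5(data[i:i + BLOCK_SIZE]).hexdigest() for i in range(0, len(data), BLOCK_SIZE)]


def evaluate(truth: Dict[str, bytes], carved: List[bytes]) -> Tuple[float, float]:
    """Return (identification_rate, recovery_rate) for carved outputs against ground truth."""
    truth_hashes = {name: block_hashes(d) for name, d in truth.items()}
    carved_hashes = [block_hashes(d) for d in carved]
    carved_blocks = {h for hs in carved_hashes for h in hs}
    # identification: ground-truth blocks that were found at all, wherever they ended up
    total_blocks = sum(len(hs) for hs in truth_hashes.values())
    identified = sum(h in carved_blocks for hs in truth_hashes.values() for h in hs)
    # recovery: ground-truth files reproduced exactly, in order, by some carved output
    recovered = sum(hs in carved_hashes for hs in truth_hashes.values())
    return identified / total_blocks, recovered / len(truth)


# --- constructed ground truth: file A has 3 distinct blocks, file B has 2 ---
def _blk(tag: int) -> bytes:
    return bytes([tag]) * BLOCK_SIZE


TRUTH = {"A": _blk(1) + _blk(2) + _blk(3), "B": _blk(4) + _blk(5)}
# carved output: A comes back intact; B's first block was found but linked to a wrong block
CARVED = [TRUTH["A"], _blk(4) + _blk(9)]


def evaluate_demo() -> Tuple[float, float]:
    ident, recov = evaluate(TRUTH, CARVED)
    print(f"identification rate {ident:.1%}, recovery rate {recov:.1%}")
    return ident, recov
```

On the constructed data four of five true blocks are found (80% identification) but only file A is rebuilt exactly (50% recovery), which is the gap between the two metrics the slides report: a block can be identified by its hash and still be linked into the wrong file.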
![Page 28: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/28.jpg)
Overall, very effective. On average:
• Identification rate of 96.3%
• Recovery rate of 93.1%
Effectiveness -2
![Page 29: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/29.jpg)
Effectiveness -3
![Page 30: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/30.jpg)
All performance slowdowns occur during the linker and resolver phases.
Large gaps hurt performance, and a large number of caller-callee instructions causes further performance penalties.
Runtime Analysis -1
![Page 31: Bin-Carver: Automatic recovery of binary executable files](https://reader034.fdocuments.in/reader034/viewer/2022051218/568157e7550346895dc56277/html5/thumbnails/31.jpg)
Runtime Analysis -2