COEN 252 Computer Forensics Data Analysis Techniques for Hard Drives.
COEN 252 Computer Forensics
Investigating Hacker Tools
Program Analysis
Given an executable, how do we find out what it does?
- Try to find the program online.
  - Search for the name of the program.
- Analyze source code to find clues.
  - Perform source code review.
- Execute the program in a sandbox.
  - Some programs can break out of a sandbox / jail.
Program Compilation
- Compiler: translates HLL code to Assembly / ILL.
- Assembler: translates Assembly code to machine language.
- Linker: creates object code out of several modules. A program usually makes library calls (stdio).
Program Compilation
- Statically linked: all library code is part of the object code.
- Dynamically linked: program calls library functions (DLL).
- Stripping: removes all human-readable symbols from object code. Combats reverse engineering.
- Packing with UPX, etc. (upx.sourceforge.net): compresses source code (achieves ratios of 20% - 40%).
Program Compilation
Static compilation needs more memory
Program Analysis
Static Analysis:
- Determine the type of executable: ELF file in Unix, Exe-type in Windows.
- Symbol extraction: use a program like strings to find symbols left in object code. Names give hints on the program. Will not work for stripped files.
Static Program Analysis
Example for strings output:
Program Analysis
Find the program online:
- Use the name of the file to find online versions.
- Use strings to check whether this is a similar file.
- Use the same compiler to compile the online version and check for similarity.
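As an added example (not from the course slides), a small Python triage script covering the "Static Analysis" slide and the "Find the program online" slide: it classifies an unknown file as ELF or PE by its magic bytes, checks for the markers UPX leaves in a packed executable, extracts strings the way the strings tool does (ASCII and the UTF-16LE strings common in Windows binaries), and compares two files' string sets to judge whether a binary is the same tool as a version found online. The two sample "binaries" are constructed byte strings, not real executables.

```python
import re
import struct

# Runs of 4+ printable ASCII bytes, and of 4+ printable UTF-16LE code units.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def executable_type(data: bytes) -> str:
    """Classify by magic bytes: ELF (Unix) or PE (Windows .exe); else unknown."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew: offset of PE header
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "PE"
    return "unknown"


def looks_upx_packed(data: bytes) -> bool:
    """UPX leaves recognisable markers: its 'UPX!' header and the UPX0/UPX1 section names."""
    return any(marker in data for marker in (b"UPX!", b"UPX0", b"UPX1"))


def extract_strings(data: bytes) -> list:
    """What the strings tool prints: ASCII runs, then UTF-16LE runs."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def string_similarity(a: bytes, b: bytes) -> float:
    """Jaccard overlap of two files' string sets: 1.0 = identical sets, 0.0 = nothing shared."""
    sa, sb = set(extract_strings(a)), set(extract_strings(b))
    return 1.0 if not (sa | sb) else len(sa & sb) / len(sa | sb)


# Constructed sample inputs (not real executables), just enough bytes to exercise the checks.
SAMPLE_ELF = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
              + b"socket\x00connect\x00www.evil.org\x00")
SAMPLE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
             + b"UPX0\x00UPX1\x00UPX!\x00IsDebuggerPresent\x00\x00"
             + "kernel32.dll".encode("utf-16-le"))

if __name__ == "__main__":
    for name, blob in (("sample_elf", SAMPLE_ELF), ("sample_pe", SAMPLE_PE)):
        print(name, executable_type(blob), "packed" if looks_upx_packed(blob) else "unpacked")
        print("  strings:", extract_strings(blob))
    print("similarity:", string_similarity(SAMPLE_ELF, SAMPLE_PE))
```

Note that the API name IsDebuggerPresent surfaces in the extracted strings of the PE sample: function names are exactly the artifact the later slides tell you to look for.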
Static Program Analysis
Investigate source code. Use reversing tools:
- Disassembler: decodes binary machine code into a readable assembly language text.
  - IDA-Pro
  - ILDasm (Microsoft .Net IL disassembler)
Static Program Analysis
Investigate source code. Use reversing tools: debuggers
- Kernel-mode: component that sits alongside the system's kernel. Allows for stopping and observing the entire system.
- User-mode: attach to a process. Take full control of the process.
- Tools: OllyDbg, WinDbg (MS tool), IDA-Pro, Numega-SoftIce (no longer available in isolation)
Static Program Analysis
Investigate source code. Use reversing tools: decompilers
- Attempt to produce a high-level language source-code-like representation from a binary.
- Never completely possible, because the compiler removes some information and optimizes the code.
System monitoring tools: Filemon, TCPView, RegMon, PortMon, WinObj, Process Explorer
Static Program Analysis
Investigate source code. Executable dumping: Dumpbin (MS), PEView, PEBrowse Professional
Program Analysis
Using disassembly:
Static Program Analysis
Artifacts to look for:
- Names of functions, especially API functions.
- Data strings.
- Names of constant strings.
- Names of directories.
- Identification of compiler.
Static Program Analysis
Compilers generate different types of code for the same HLL feature. Function calls:
- Order in which parameters are pushed on the stack.
- Use of certain registers to pass variables.
- Use of stack / registers to return a value.
- Division of labor between callee and caller.
This allows us to recognize the compiler with which an executable was created.
Programmers using assembly will not follow the same standards throughout the code. Hence, we can recognize assembly writers as well.
Dynamic Program Analysis
Run the program and see what it is doing. Requires security mechanisms:
- Dedicated machine. Not connected to the internet.
- Or: virtual machine. However: code can recognize whether it is running in VMWare, e.g. by the internal MAC addresses, …
- Transport malware on a non-writable CD / DVD.
Dynamic Program Analysis
strace, systrace: run the program, but keep track of the system calls that it makes, with parameters.
More relevant calls (Unix): open, read, write, unlink, lstat, socket, close.
strace has an option that intercepts all network related calls.
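As an added example (not part of the lecture), a Python parser that reduces strace output to the artifacts the slide points at: files opened (and failed opens), files stat'ed and deleted, and connect() targets with the port labelled. The trace lines are constructed to look like `strace -f -e trace=file,network` output and are not a real capture; the port-name table and the path heuristics in findings() are my own assumptions.

```python
import re

# Constructed sample, shaped like `strace -f -e trace=file,network` output (not a real capture).
SAMPLE_TRACE = """\
[pid  4242] open("/etc/passwd", O_RDONLY) = 3
[pid  4242] read(3, "root:x:0:0:root:/root:/bin/bash\\n"..., 4096) = 1024
[pid  4242] close(3) = 0
[pid  4242] lstat("/var/log/auth.log", {st_mode=S_IFREG|0640, st_size=8192, ...}) = 0
[pid  4242] unlink("/var/log/auth.log") = 0
[pid  4242] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[pid  4242] connect(4, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
[pid  4243] openat(AT_FDCWD, "/root/.ssh/id_rsa", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

CALL = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)\)\s*=\s*(-?\d+)")  # optional -f pid prefix
QUOTED = re.compile(r'"([^"]*)"')                                        # first quoted argument
INET = re.compile(r'sin_port=htons\((\d+)\).*?inet_addr\("([\d.]+)"\)')
PORT_NAMES = {6667: "irc", 80: "http", 443: "https", 53: "dns"}          # assumed labelling table

def summarize(trace: str) -> dict:
    """Collect the slide's interesting calls: opens, stats, unlinks and connect() endpoints."""
    out = {"opened": [], "failed": [], "stat": [], "deleted": [], "endpoints": []}
    for line in trace.splitlines():
        m = CALL.match(line)
        if not m:
            continue
        call, args, ret = m.group(1), m.group(2), int(m.group(3))
        path = QUOTED.search(args)  # for open/stat/unlink this is the pathname
        if call in ("open", "openat") and path:
            out["opened" if ret >= 0 else "failed"].append(path.group(1))
        elif call in ("stat", "lstat") and path:
            out["stat"].append(path.group(1))
        elif call == "unlink" and path and ret == 0:
            out["deleted"].append(path.group(1))
        elif call == "connect":
            a = INET.search(args)
            if a:
                port = int(a.group(1))
                out["endpoints"].append((a.group(2), port, PORT_NAMES.get(port, "other")))
    return out

def findings(summary: dict) -> list:
    """Analyst-readable observations: log removal (anti-forensics) and IRC command channels."""
    notes = [f"log file removed: {p}" for p in summary["deleted"] if p.startswith("/var/log/")]
    notes += [f"IRC connection to {ip}:{port}" for ip, port, name in summary["endpoints"] if name == "irc"]
    return notes

if __name__ == "__main__":
    for note in findings(summarize(SAMPLE_TRACE)):
        print(note)
```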
Dynamic Program Analysis
- Use fport, netstat, … to determine ports opened by the program.
- On Windows systems: use regmon, ListDlls, psList to find out processes created by the program.
Dynamic Program Analysis
Intercept communication of the program. Need to generate a fake network.
E.g.: static analysis reveals that the program tries to contact www.evil.org on the IRC port. Hence, name an additional machine on the separated net www.evil.org.
Dynamic Program Analysis
Run the program on a debugger: IDA-Pro, OllyDbg, SoftIce
Dynamic Program Analysis
Do a web-search for unique names.
Program Analysis
Malware writers can use anti-reversing techniques:
- Eliminate symbolic information.
- Encrypt code.
- Code obfuscation: make HLL constructs difficult to understand.
- Anti-debugger methods:
  - Use the IsDebuggerPresent API to protect against user-level debuggers.
  - Use the NtQuerySystemInformation API to determine if a kernel debugger is attached to the system.
  - Set a trap flag and check whether it is still there. A debugger would "swallow" it.
  - Put in bogus bytes over which the code jumps. Does not work for all disassemblers.