The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file...
Transcript of The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file...
![Page 1: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/1.jpg)
The Art of Defiling
Defeating Forensic Analysison Unix File Systems
the grugq
![Page 2: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/2.jpg)
Overview
n Introduction
n Unix File Systems
n Forensics
n Anti-Forensics
n Demonstration
n Q & A
![Page 3: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/3.jpg)
Introduction
n Who I amn grugq
n What I don Write intrusion prevention software
n Break forensic tools
n Why anti-forensics?n Security is an arms race
n Trend of increased forensics
n Trend of increased anti-forensics
![Page 4: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/4.jpg)
Unix File Systems
n Overview of a unix file system
n Super-Blocks
n Data Blocks
n Inodes
n Directory Files
SB inodetable
datablocks
![Page 5: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/5.jpg)
File System Overview
n Two main parts to any file system
n Filesn Meta data
n Time stamps, ownership, permissions, etc.
n Datan Disk blocks organised as byte streams
n Meta data filesn Organise data files for human reference
![Page 6: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/6.jpg)
File System
n Superblockn Describes the file system
n Known Location
n Data Blockn Data blocks store…. data!
n Block is the lowest atomic component
n Multiple disk sectors per block
![Page 7: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/7.jpg)
File Systems: inodes
n inodes are filesn Store meta data
n Time Stamps, Reference Counts, Size
n List of data blocksn block pointers
struct inode {int uid, gid;int size;int blk_cnt;int links;int block_ptrs[ BLOCK_NUM ];
}
![Page 8: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/8.jpg)
inode structure: graphic
inode metadatasize, owner, mode etc.
Data blocks
block pointers
indirectblock
.
.
.
.
![Page 9: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/9.jpg)
Directory files
n Create the file systemdirectory hierarchy
n Contain structures to mapnames to inodes
struct dirent {int inode;short rec_len;short name_len;
char name[];
}
0 deleted 16
12 somefile 32
13 lamefile 16
123 lastfile 128
11 lost & found 16
13 lame file 16
12 somefile 32
123 lastfile 128
0 deleted 16
![Page 10: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/10.jpg)
Forensics
n Introduction
n Data Recovery
n Data Parsing
n Data Analysis
![Page 11: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/11.jpg)
Introduction
n Forensics defined
n Forensic Food chain..
BitstreamsEvidence
Filesystems
Files
![Page 12: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/12.jpg)
Data Recovery
n Convert bitstream to file systemnThe Coroner’s Toolkit
n Recovers deleted files
nTCT Utilsn Examine deleted directory entries
n Total file system awarenessnRead “deleted” data
![Page 13: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/13.jpg)
Data Parsing
n Convert file systems into evidencecandidates -- files
n File content requires understanding fileformatsn Email, jpeg, .doc, ELF, etc
![Page 14: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/14.jpg)
Data Analysis
n Keyword searchesn Extract “evidence” from datan JPEG files containing illegal images
n Log files containing access information
![Page 15: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/15.jpg)
Anti-forensics
n Data is evidencen Anti-Forensic Theoryn Data Destruction
n Data Hiding
nData Contraception
“Attempting to limit the quantity andquality of forensic evidence (since 1999)”
![Page 16: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/16.jpg)
Data Destruction
n Deleted file residuen Dirty inodes
n Directory entries
n Dirty data blocks
n File System Activityn inode time stamps
![Page 17: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/17.jpg)
The Defiler’s Toolkit
n Necrofilen Sanitize deleted inodes
n Klismafilen Sanitize directory entries
Before and after
![Page 18: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/18.jpg)
Data Hiding
n Requirementsn Theoryn Implementationsn Demos
“Aspire to subtlety”
![Page 19: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/19.jpg)
Data Hiding – Requirements
n Covert
n Outside the scope of forensic toolsn Temporarily – ergo, insecure long term storage
n Reliablen Data must not disappear
n Securen Can't be accessed without correct tools
n Encrypted
![Page 20: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/20.jpg)
Data Hiding Theory
“Ladies and Gentlemen, I'm hereto talk about FISTing”
![Page 21: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/21.jpg)
Filesystem Insertion & SubversionTechnique
n FISTing is inserting data into places itdoesn't belong
n Data storage in meta-data filesn e.g. Journals, directory files, OLE2 files, etc.
n Modifying meta-data is dangerous!n What holes can you FIST?
![Page 22: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/22.jpg)
Holes for FISTing
FS Specification
fsck
forensics kernel
FIST here
![Page 23: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/23.jpg)
FISTing implementations
n Rune FSn Stores data in the “bad blocks” file
n Waffen FSn Stores data in the ext3 journal file
n KY FSn Stores data in directory files
![Page 24: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/24.jpg)
Rune FS
n Bad Blocks inode 1, root ('/') inode 2n Exploits (historically) incorrect ext2
implementation within TCTn Up to 4GB storagen TCT pseudo code (old):
if (inode < ROOT_INODE || inode > LAST_INO)return BAD_INODE;
n Just a regular inode file
![Page 25: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/25.jpg)
Waffen FS
n Adds an ext3 journal to an ext2 FS
n Exploits e2fsck (and lame forensic tools)n e2fsck supports both ext2 & ext3nHas to guess which FS it's looking at
n Usually 32Mb storage (average journal sz)
n e2fsck pseudo code:for (j_ent = journal; ; j_ent += j_ent->size)
if (IS_VALID(j_ent) == FALSE) /* end of the journal */return JOURNAL_OK;
n Regular file with a fake journal meta-data
![Page 26: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/26.jpg)
KY FS
n Utilizes null directory entries
n Exploits the kernel, e2fsck & forensic tools
n Storage space limited by disk size
Kill Your File System
![Page 27: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/27.jpg)
KY FS details
n Kernel + fsck pseudo code:for (dp = dir; dp < dir_end; dp += dp->rec_len)
if (dp->inode == 0) /* is deleted? */continue;
n Forensic tools pseudo code:if (dp->inode == 0 && dp->namelen > 0)
/* recover deleted file name */
![Page 28: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/28.jpg)
Data Contraception
n Better not to create data than to destroy itn Prevent data from ever being stored on
diskn Use common Unix utilities to reduce the
quality of evidence
“What is the act of not creating?”
![Page 29: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/29.jpg)
Data Contraception: Implem.
n Rexecn Remote execution of binaries without creating
a file on diskn Uses non-exotic utilities to create a remote process
image
n Solves the bootstrapping issue for accessinghidden data storesn Reduces effectiveness of honeypots – no binaries
to “capture”
![Page 30: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/30.jpg)
Summary
n Summarised Unix File System
n Presented overview of forensics
n Presented a methodology for anti-forensics
n Demonstrated simple mechanisms todefeat digital forensic analysis
n 0wned your file system
![Page 31: The Art of Defiling · FISTing implementations nRune FS nStores data in the Òbad blocksÓ file nWaffen FS nStores data in the ext3 journal file nKY FS nStores data in directory files.](https://reader030.fdocuments.in/reader030/viewer/2022011910/5f846b6a1b54a651d920f23e/html5/thumbnails/31.jpg)
Q & A