Hide and seek - interesting uses of forensics and covert channels. 
Tags:  data recovery  cipher  forensics  kisasondi  stego  biliteral  foi  openssl 
Published:  November 23, 2011
 
Slide 1: Hide and Seek – Interesting uses of forensics and covert channels Tonimir Kišasondi, mag.inf., EUCIP
Slide 2: $ whois tkisason
  Junior researcher @ foi.hr
  Likes: security, crypto, GNU/Linux, interesting security problems
  e-mail: tonimir.kisasondi@foi.hr, skype: tkisason

Slide 3: $ topic of this talk
A quick overview of some interesting:
  Forensics methods: memory imaging, memory carving
  Covert channels: detecting conventional channels, creating useful covert channels

Slide 4: $ forensics for non law enforcement uses?
Useful for data recovery. You can protect your files, but you can't protect your RAM.
  1. Dig deep
  2. Find interesting problems
  3. ???
  4. Profit!
Slide 5: $ memory imaging
/dev/mem is restricted on newer Linux kernels (with CONFIG_STRICT_DEVMEM, userspace can only read the first 1 MiB of RAM and non-RAM regions such as PCI space through it on x86).
Alternatives:
  Reboot the system with an imager
  PCI (DMA) imagers
  Insert a kernel module that exposes the whole physical address space: /dev/fmem, http://hysteria.sk/~niekt0/foriana/fmem_current.tgz
Then simply dd /dev/fmem to an image file (give dd an explicit bs and count matching the installed RAM; fmem does not stop by itself at the end of physical memory) or grep -a it directly.

Slide 6: $ memory secrets leakage
Pidgin's passwords are stored in 5 places in memory (00 00 1E 00 00 00 00 00 00 00), and in plaintext in ~/.pidgin as well.
Various pieces of plaintext / passwords can be obtained from memory; with ASLR, your mileage may vary.
Cryptographic algorithms can be identified in memory by their S-boxes and P-boxes, seeds, structures and initialization vectors: https://github.com/fwhacking/bfcrypt
Slide 7: $ memory carving
  tony@blackbox:~/0drive$ sudo photorec /d recovery bbox-memory.img
  [sudo] password for tony:
  PhotoRec 6.11, Data Recovery Utility, April 2009
  tony@blackbox:~/0drive$ ls recovery* | wc -l
  620

Slide 8: $ file/mem carving
Use scalpel: http://www.digitalforensicssolutions.com/Scalpel/
/etc/scalpel/scalpel.conf is frugal at the start: every signature ships commented out, so uncomment the file headers you want to carve. The good thing is that we can add additional signatures of our own.

Slide 9: $ memory carving
  tony@blackbox:~/0drive$ sudo scalpel -o recovery/ blackbox-mem.img
  Scalpel version 1.60
  Written by Golden G. Richard III, based on Foremost 0.69.
  Opening target "/home/tony/0drive/blackbox-mem.img"
  Image file pass 1/2.
  blackbox-mem.img: 100.0% |*******************| 3.2 GB 00:00 ETA
  Allocating work queues...
  Work queues allocation complete.
  Building carve lists...
  Carve lists built. Workload:
  ...
  gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x3b" --> 855 files
  jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 2459 files
  png with header "\x50\x4e\x47\x3f" and footer "\xff\xfc\xfd\xfe" --> 3176 files
  ...
  Carving files from image.
  Image file pass 2/2.
Slides 10-12: $ memory carving (same scalpel output as slide 9)
Slide 13: $ runtime extraction of RSA/DSA keys
  tony@blackbox:~$ sudo ./passe-partout 729
  Target has pid 729
  => 0x7f8e0ba5c000 0x7f8e0ba68000 r-xp 00000000 08:01 3416607
  => 0x7f8e0ba68000 0x7f8e0bc67000 ---p 0000c000 08:01 3416607
  ...
  found RSA key @ 0x7f8e0fad7e20
  [X] Key saved to file id_rsa-1.key
  done for pid 729
Tested targets: apache, openssh, openvpn.

Slide 14: $ grep is your friend
grep -a (treat the binary image as text) is really useful. Try some of the following:
  -----BEGIN RSA
  -----BEGIN PGP
  -----BEGIN OpenVPN Static
  ssh-rsa
  ssh-dss (OpenSSH writes DSA public keys with the type string ssh-dss, not ssh-dsa)
  usernames
Slide 15: $ grep is your friend (repeats slide 14)
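grep -a shows you the line with the BEGIN marker, but a PEM key spans many lines and may be cut off at a page boundary. The scanner below is an added example (not from the slides or from the passe-partout/fmem projects): it finds every PEM block in a raw image, pulls the complete block when the matching END line exists, flags the block as truncated when it does not, and picks out OpenSSH public-key lines. The image it scans by default is constructed in build_sample_image (random filler around fake, random base64; no real key material), and the label pattern is deliberately wide enough for headers like "OpenVPN Static key V1".

```python
import random
import re
import sys

# A PEM block spans many lines; grep -a shows only the BEGIN line, this pulls the whole block.
PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Za-z0-9 ]+)-----")
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Za-z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
# OpenSSH public keys: type string, a space, then base64 that always starts with "AAAA".
SSH_PUBKEY = re.compile(rb"(ssh-rsa|ssh-dss) (AAAA[A-Za-z0-9+/]+=*)")

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def find_pem_blocks(image):
    """Return (label, offset, block, complete) for every PEM header in image.

    complete is False when a BEGIN line is present but no matching END line
    follows it: the key was only partly resident, or the page holding the
    rest was already reused. Such fragments are still worth keeping."""
    found = []
    for m in PEM_BEGIN.finditer(image):
        label = m.group(1).decode("ascii")
        full = PEM_BLOCK.match(image, m.start())
        if full:
            found.append((label, m.start(), full.group(0), True))
        else:
            found.append((label, m.start(), image[m.start():m.start() + 80], False))
    return found


def find_ssh_pubkeys(image):
    """Return (key type, offset, base64 body) for every OpenSSH public key line."""
    return [(m.group(1), m.start(), m.group(2)) for m in SSH_PUBKEY.finditer(image)]


def scan_image(image):
    """Summary counts, what a quick grep -a -c pass over the image would give you."""
    pem = find_pem_blocks(image)
    return {
        "pem_complete": sum(1 for p in pem if p[3]),
        "pem_truncated": sum(1 for p in pem if not p[3]),
        "ssh_pubkeys": len(find_ssh_pubkeys(image)),
    }


def build_sample_image(seed=1):
    """Constructed stand-in for a memory dump: random filler around a complete
    PEM block, an ssh-rsa line and a truncated PGP block. The base64 is random
    filler, not real key material."""
    rng = random.Random(seed)

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    def fake_b64(n):
        return "".join(rng.choice(B64_ALPHABET) for _ in range(n)).encode("ascii")

    pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           + b"\n".join(fake_b64(64) for _ in range(4))
           + b"\n-----END RSA PRIVATE KEY-----\n")
    pub = b"ssh-rsa AAAA" + fake_b64(100) + b"== tony@blackbox\n"
    truncated = b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + fake_b64(64) + b"\n"
    return noise(4096) + pem + noise(2048) + pub + noise(1024) + truncated + noise(512)


if __name__ == "__main__":
    # Usage: python pemscan.py mem.img   (no argument: scan the constructed sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for label, off, block, complete in find_pem_blocks(image):
        print("%s PEM %r at 0x%x" % ("complete" if complete else "TRUNCATED", label, off))
    for ktype, off, _ in find_ssh_pubkeys(image):
        print("%s public key at 0x%x" % (ktype.decode(), off))
    print(scan_image(image))
```

The same code works on a /dev/fmem dump, a scalpel input image, or a copy of a single process's address space; read large images in chunks with some overlap if memory is tight, since a PEM block can straddle a chunk boundary.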
Slide 16: $ covert channels?
The opposite of forensics :)
Data hiding: in files, in protocols.
"An adversary can always transmit one bit at a time."
Tony's rule 183: any structure in a covert channel destroys its covertness.
Some interesting covert channels: TCSteg, OutGuess

Slide 17: $ TCSteg -> http://keyj.s2000.at/?p=458 (hides a TrueCrypt volume inside an MP4 file)

Slide 18: $ Truecryptish problems
Heuristics that give a TrueCrypt-like container away:
  file size mod 256 == 0
  file size > 16 KB
  H(file) ~ 7.5 bits per byte or higher
  header matches nothing in /usr/share/misc/magic
Yes, a filesystem in an encrypted volume CAN be carved :)
TC = relatively OK. LUKS leaks its magic bytes: LUKS\xba\xbe
File-in-file embedding leaks the magic bytes of the inner file.
OutGuess and similar known stego tools can be easily detected.
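The four heuristics on slide 18 are easy to turn into a classifier, and the same entropy test run sector-wise over a disk image is what carving an encrypted volume out of unallocated space comes down to. The code below is an added example, not from the slides or from any TrueCrypt/LUKS tooling; it keeps the slide's thresholds (16 KB minimum, entropy floor 7.5) but defaults the alignment check to 512 bytes, the sector size TrueCrypt volumes are multiples of (pass block=256 for the slide's weaker test). The magic-byte table and the sample blobs are constructed for the demonstration; none of them is a real volume.

```python
import math
import random
from collections import Counter

# Magic bytes a covert container must NOT start with. LUKS is the interesting one:
# its header hands the encrypted volume to the examiner.
KNOWN_MAGIC = {
    b"LUKS\xba\xbe": "LUKS header",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"\xff\xd8\xff": "JPEG",
    b"GIF8": "GIF",
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP",
    b"\x7fELF": "ELF",
}


def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blob(data, min_size=16 * 1024, block=512, entropy_floor=7.5):
    """Apply the slide's heuristics in order and return a short verdict."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return "known format: " + name
    if len(data) < min_size:
        return "too small"
    if len(data) % block:
        return "size not a multiple of %d" % block
    if shannon_entropy(data) < entropy_floor:
        return "structured data (low entropy)"
    return "possible encrypted container"


def find_high_entropy_runs(image, chunk=4096, entropy_floor=7.5, min_size=16 * 1024):
    """Carve candidate encrypted regions out of an image: maximal runs of
    consecutive chunks above the entropy floor, at least min_size long.
    Returns (offset, length) pairs. 4 KiB chunks keep the sampling error of
    the entropy estimate well under the floor."""
    runs, start = [], None
    for off in range(0, len(image), chunk):
        high = shannon_entropy(image[off:off + chunk]) >= entropy_floor
        if high and start is None:
            start = off
        elif not high and start is not None:
            if off - start >= min_size:
                runs.append((start, off - start))
            start = None
    if start is not None and len(image) - start >= min_size:
        runs.append((start, len(image) - start))
    return runs


def random_bytes(n, seed=7):
    """Seeded stand-in for ciphertext (constructed; deterministic for the demo)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


TEXT = b"The quick brown fox jumps over the lazy dog. " * 2000


def build_samples():
    """Constructed inputs; none of these is a real TrueCrypt or LUKS volume."""
    r = random_bytes(32 * 1024)
    return {
        "container": r,                    # aligned, big, high entropy, no magic
        "luks": b"LUKS\xba\xbe" + r[6:],   # same bytes with the LUKS magic in front
        "text": TEXT[:32 * 1024],          # aligned and big, but structured
        "unaligned": r + b"\x00" * 7,      # not a multiple of the sector size
        "small": r[:8 * 1024],             # below the 16 KB floor
    }


if __name__ == "__main__":
    samples = build_samples()
    for name, blob in samples.items():
        print("%-10s -> %s" % (name, classify_blob(blob)))
    disk = samples["text"][:16384] + samples["container"] + samples["text"][:8192]
    print("high-entropy runs in constructed disk image:", find_high_entropy_runs(disk))
```

Compressed media (JPEG, MP3, video) also passes the entropy test, which is exactly why the magic-byte check comes first and why the next slides use video as cover.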
Slide 19: $ interesting channels
Most formats that have strict footers can be "injected" (readers stop at the footer, so data placed after it goes unnoticed); bmp is one example. Injecting data into FLV? Why not!
In short: any structure leaks possible data, and perfect randomness "leaks" encryption.

Slide 20: $ interesting channels
A typical flv/video file is highly random:
  In [27]: entropy(cat)
  Out[27]: 7.8086139822740126
Rules of thumb:
  Always map the data into the same character range as the cover.
  Avoid disruptive changes that increase entropy.
  Avoid magic bytes and known patterns.
  YouTube/You**** traffic is so common that you simply hide the data in the mass traffic.

Slide 21: $ interesting channels
Filesystem fragmentation – no structure: http://goo.gl/dfhfR
Distributed covert channels? – on my github soon :)
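Slides 19 and 20 state the rule from both sides: structure leaks data, randomness leaks encryption, so the injected bytes have to look like the cover. The added example below (mine, not from the talk) makes that measurable with a sliding-window entropy profile: plaintext appended into a high-entropy "video" shows up as a dip, ciphertext appended into a text file shows up as a spike, and a payload whitened to match a random cover is invisible to the same detector. The random cover, the text cover and the payload are constructed; whiten is an XOR with a SHA-256 counter keystream and is there to demonstrate the byte-range mapping only, not as a cipher to rely on for secrecy.

```python
import hashlib
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data, window=1024, step=512):
    """(offset, entropy) for every full window: the profile a detector looks at."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data) - window + 1, step)]


def find_anomalies(data, window=1024, step=512, tolerance=0.5):
    """Windows whose entropy is far from the file's typical (median) entropy.
    Plaintext inside a video is a dip, ciphertext inside a text file is a spike;
    a payload whose bytes match the cover's distribution is neither."""
    profile = window_entropies(data, window, step)
    values = sorted(h for _, h in profile)
    median = values[len(values) // 2]
    return [(off, h) for off, h in profile if abs(h - median) > tolerance]


def whiten(payload, key):
    """XOR the payload with a SHA-256 counter keystream so its bytes look like
    a random cover's. Applying it twice with the same key recovers the payload.
    Illustrative whitening only; use a real cipher when secrecy matters."""
    out = bytearray()
    for i in range(0, len(payload), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(payload[i:i + 32], block))
    return bytes(out)


def inject(cover, payload, offset):
    """Insert payload into the cover at offset (e.g. right behind a strict footer)."""
    return cover[:offset] + payload + cover[offset:]


def random_cover(n, seed=3):
    """Constructed stand-in for a video file: uniformly random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed covers and payload for the demonstration.
TEXT_COVER = (b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 1200)[:65536]
PAYLOAD = (b"meet me at the usual place at midnight, bring the documents. " * 40)[:2048]
KEY = b"constructed-demo-key"


if __name__ == "__main__":
    video = random_cover(65536)
    print("raw text in video:   ", find_anomalies(inject(video, PAYLOAD, 16384)))
    print("whitened in video:   ", find_anomalies(inject(video, whiten(PAYLOAD, KEY), 16384)))
    print("whitened in text:    ", find_anomalies(inject(TEXT_COVER, whiten(PAYLOAD, KEY), 16384)))
```

Detection and hiding are the same computation run in opposite directions: the hider checks the profile of the stego file against the clean cover before shipping it, the examiner checks it against what that file type normally looks like. The detector is blind to a payload that matches the cover, which is the "map data into the same character range" rule in practice.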
Slides 22-25: $ :) (image-only slides; no text captured)
Slide 26: $ Knowledge is power with biliteral cipher
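Slide 26's "Knowledge is power" is the classic demonstration text for Bacon's biliteral cipher: every secret letter becomes five "a"/"b" symbols, and the symbols are carried by a binary property of an innocuous cover text. The implementation below is an added example (not from the slides): it uses the 26-letter variant of the table (letter index as a 5-bit number, so I/J and U/V stay distinct), the case of each cover letter as the channel (lowercase = a, uppercase = b), and the otherwise unused code bbbbb as an end-of-message marker; all three are my choices for the demo, and the cover sentence is constructed. Non-letters pass through untouched, and a cover that is too short is rejected instead of silently truncating the secret.

```python
import string

LETTERS = string.ascii_uppercase
END_MARK = 31  # "bbbbb": unused by the 26-letter table, marks the end of the hidden text


def to_bits(secret):
    """Secret letters -> 5-bit groups (non-letters dropped), plus the end marker."""
    groups = [format(LETTERS.index(c), "05b") for c in secret.upper() if c in LETTERS]
    return "".join(groups) + format(END_MARK, "05b")


def capacity(cover):
    """How many bits the cover can carry: one per ASCII letter."""
    return sum(1 for ch in cover if ch in string.ascii_letters)


def fits(secret, cover):
    return capacity(cover) >= len(to_bits(secret))


def encode_biliteral(secret, cover):
    """Hide secret in the letter case of cover: lowercase = a, uppercase = b.
    Letters after the end marker are lowercased so the text stays readable."""
    bits = to_bits(secret)
    if capacity(cover) < len(bits):
        raise ValueError("cover too short: %d letters needed, %d available"
                         % (len(bits), capacity(cover)))
    out, i = [], 0
    for ch in cover:
        if ch in string.ascii_letters:
            bit = bits[i] if i < len(bits) else "0"
            out.append(ch.upper() if bit == "1" else ch.lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def decode_biliteral(text):
    """Read the case of every ASCII letter, five at a time, up to the end marker."""
    bits = "".join("1" if ch.isupper() else "0"
                   for ch in text if ch in string.ascii_letters)
    secret = []
    for k in range(0, len(bits) - 4, 5):
        code = int(bits[k:k + 5], 2)
        if code == END_MARK:
            break
        if code < 26:          # 26..30 are unused in this table; ignore them
            secret.append(LETTERS[code])
    return "".join(secret)


COVER = ("the quick brown fox jumps over the lazy dog while the five boxing "
         "wizards jump quickly and sphinx of black quartz judge my vow")

if __name__ == "__main__":
    stego = encode_biliteral("KNOWLEDGE IS POWER", COVER)
    print(stego)
    print(decode_biliteral(stego))
```

The case of letters is only one possible carrier; the same five-bit groups can ride on font changes, spacing, or any other property with two states, which is why the technique survives in places a byte-level stego detector never looks. Its weakness is the rule from slide 16: the regular rhythm of mixed-case letters is itself structure, and it does not survive a copy that normalises case.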
Slide 27: $ questions?
Slide 28: $ Thank you. You can find the most updated version of these slides on my slideshare (tkisason).