The following picture illustrate the flow of the Investigation and Intelligence Framework.
Thursday 11 December 2014
Wednesday 26 November 2014
Investigation and Intelligence Framework - About Evidence
Cybercrimes are advancing every day, investigators are facing more and more challenges, but they are often too focused technically, hence miss out to draw whole picture of the incident by correlating the seized / acquired evidences for the intelligence purpose.
The idea of Investigation and Intelligence Framework (iif) is to help to correlate evidence and intelligence to help investigation more effectively. To begin with, let's look at the evidence first.
All network related evidences including Memory, Registry, Web-applications (e.g. Browser or Skype) and Network traffic (e.g. pcap) should be investigated.
Memory
We are not going to malware analysis when we got the memory dump, instead we are looking for any suspicious processes and interesting artifacts.
Registry
For registry, we will try to look at HIVE keys for the starting processes, to see if any suspicious findings. Besides, we can also check the Internet History (sometimes).
Web-applications
Web applications include Browser history as well as some Instant Messengers history like Skype, we should try to look for possible downloads from suspicious sources.
Network traffic
For network traffic, we will have to do packet analysis, searching for suspicious IP Addresses and Protocol, in the example here (of course it's intended to), a malware could be using FTP protocol to transfer something like keylogger history to the evil server.
So, you may ask how do we know if the evidence worth further investigation, and even if we sort out the evidence we want, what are we going to do next? We will be discussing about it in the next post, please stay tuned. :)
The idea of Investigation and Intelligence Framework (iif) is to help to correlate evidence and intelligence to help investigation more effectively. To begin with, let's look at the evidence first.
All network related evidences including Memory, Registry, Web-applications (e.g. Browser or Skype) and Network traffic (e.g. pcap) should be investigated.
Memory
We are not going to malware analysis when we got the memory dump, instead we are looking for any suspicious processes and interesting artifacts.
Registry
For registry, we will try to look at HIVE keys for the starting processes, to see if any suspicious findings. Besides, we can also check the Internet History (sometimes).
Web-applications
Web applications include Browser history as well as some Instant Messengers history like Skype, we should try to look for possible downloads from suspicious sources.
Network traffic
For network traffic, we will have to do packet analysis, searching for suspicious IP Addresses and Protocol, in the example here (of course it's intended to), a malware could be using FTP protocol to transfer something like keylogger history to the evil server.
So, you may ask how do we know if the evidence worth further investigation, and even if we sort out the evidence we want, what are we going to do next? We will be discussing about it in the next post, please stay tuned. :)
Tuesday 25 November 2014
Investigation and Intelligence Framework
Digital forensics investigators face various daily challenges because there are a large variety of high-tech cybercrimes reported, for instance APT, Hacking, Ransomware and DDOS etc... During investigation, the investigators focus on the reverse engineering malware, illustrating its behaviour and conducting packets analysis to deal with any credentials leakage and the pattern of the network attack. They often only concentrate on the evidence itself, but seldom or having difficulties to draw out the whole picture of the incident by correlating the seized / acquired evidences for the intelligence purpose. All relevant data from seized media should be utilized and analyzed, later transformed to intelligence so as to build a profile of the potential suspect with his corresponding attributes.
Based on the principle of Zachman Framework, we propose and design an Investigation and Intelligence Framework, which is an automated mechanism to identify the potential suspect at the early stage for the ease of the further investigation, correlating evidence to oversee the entire picture of the cybercrime. Our framework has adopted four of the intersections, i.e. When, Where, Who and How. 4W of the incident should be the concerned factors no matter what type of cybercrimes happened. To fulfill this 4W concept, related artifacts including timeline, location, identity and attack path would be effectively recognized at the earlier phase, and investigators can tackle the cybercrimes more successfully.
The table summarizes the relationship of 4W concepts and evidence, and how IIFramework Tool and Maltego can help the situation.
Below is the basic flow of the IIFramework Tool, evidence data is imported to the engine, it will extract the IP Addresses, Domains and Email Addresses, with the Intelligence, it will rank which evidence data deserves more attention for further investigation. Maltego will help to correlate the important evidence to give a bigger picture of the incident.
A tool is developed to demonstrate the framework, correlating evidence and intelligence in order to provide a big picture of the cybercrime story and help investigation more effectively. Maltego is also contributing the functionalities of correlating the evidences found from tool, with the integration with MalProfile (developed by ran2), it will provide a clearer picture of the potential incident or cybercrime story.
The video is the demo of the Investigation and Intelligence Framework
Based on the principle of Zachman Framework, we propose and design an Investigation and Intelligence Framework, which is an automated mechanism to identify the potential suspect at the early stage for the ease of the further investigation, correlating evidence to oversee the entire picture of the cybercrime. Our framework has adopted four of the intersections, i.e. When, Where, Who and How. 4W of the incident should be the concerned factors no matter what type of cybercrimes happened. To fulfill this 4W concept, related artifacts including timeline, location, identity and attack path would be effectively recognized at the earlier phase, and investigators can tackle the cybercrimes more successfully.
The table summarizes the relationship of 4W concepts and evidence, and how IIFramework Tool and Maltego can help the situation.
Below is the basic flow of the IIFramework Tool, evidence data is imported to the engine, it will extract the IP Addresses, Domains and Email Addresses, with the Intelligence, it will rank which evidence data deserves more attention for further investigation. Maltego will help to correlate the important evidence to give a bigger picture of the incident.
A tool is developed to demonstrate the framework, correlating evidence and intelligence in order to provide a big picture of the cybercrime story and help investigation more effectively. Maltego is also contributing the functionalities of correlating the evidences found from tool, with the integration with MalProfile (developed by ran2), it will provide a clearer picture of the potential incident or cybercrime story.
The video is the demo of the Investigation and Intelligence Framework
HITCON 2014 - Investigation and Intelligence Framework Abstract
Hacks in Taiwan (HITCON) is a highly technical security conference in Taiwan. We know there are a lot of information security researchers with very professional expertise and experience in Taiwan. It's held in 19-22 Aug 2014 (ref: http://hitcon.org/2014/)
The research topic Investigation and Intelligence Framework was selected in Playground Session of HITCON 2014. (ref :http://hitcon.org/2014/agenda/)
The research topic Investigation and Intelligence Framework was selected in Playground Session of HITCON 2014. (ref :http://hitcon.org/2014/agenda/)
DFRWS EU 2014 - Introduction of Investigation and Intelligence Framework
From the previous post, we provided a workshop about Real Network Security Kungfu in DFRWS EU 2014, in the workshop, we also introduced the concept of Investigation and Intelligence Framework.
The Investigation and Intelligence Framework aims at facilitating the following functions:
The Investigation and Intelligence Framework aims at facilitating the following functions:
- Import evidence data to our engine, for example Memory Dump, Registry and URLs
- Our system grabs the data but not limited to IP Addresses, Domains, Emails Addresses.
- The data grabbed is fed to our intelligence Engine and give birth of the following information, working out threat forecasting:
- Timelining
- Relevance/Confidence Level
- Activities Correlation
- The demo is the prototype of Investigation Intelligence Framework
- Memory dump is imported, it further digs out the detected URLs from the IP Address
- The VirusTotal API finds the one of the IP Addresses which is suspicious
The Investigation and Intelligence Framework is a on-going research in our team.
DFRWS EU 2014 Workshop - Real Network Forensics KungFu
The annual DFRWS conference allows leading digital forensics researchers from government, industry, and academia to present their work and results to fellow researchers and practitioners. DFRWS EU 2014 was in Amsterdam from 7-9 May 2014.
Our research fellows Kelvin Wong, Anthony Lai and myself held a workshop on Real Network Security Kungfu:
Abstract:
Most of the ‘Network Forensics’ only focus on the packet (pcap) and net-flow analysis but it is just a part of the investigation. Investigator is not a ’Prophet‘, it is impossible to capture the traffic before the incident occurred, to trace the intruder/attacker. Network Forensics should cover not only the captured traffic but also all of the network-related evidences (located at memory, registry, web-applications and, of course network traffic) acquired from the compromised machine. The workshop will concentrate on the practical skills and recommend a best solution to the forensics professionals by a case study. Also we will demonstrate a new project (proposed by Ran2) which could identify the attacker at the early stage for the ease of the further investigation.
(ref: http://www.dfrws.org/2014eu/tutorials.shtml#kungfu)
Our research fellows Kelvin Wong, Anthony Lai and myself held a workshop on Real Network Security Kungfu:
Abstract:
Most of the ‘Network Forensics’ only focus on the packet (pcap) and net-flow analysis but it is just a part of the investigation. Investigator is not a ’Prophet‘, it is impossible to capture the traffic before the incident occurred, to trace the intruder/attacker. Network Forensics should cover not only the captured traffic but also all of the network-related evidences (located at memory, registry, web-applications and, of course network traffic) acquired from the compromised machine. The workshop will concentrate on the practical skills and recommend a best solution to the forensics professionals by a case study. Also we will demonstrate a new project (proposed by Ran2) which could identify the attacker at the early stage for the ease of the further investigation.
(ref: http://www.dfrws.org/2014eu/tutorials.shtml#kungfu)
Thursday 19 June 2014
Maltego Local Transform Hello World
Maltego is an open source intelligence and forensics application. It will offer timous mining and gathering of information as well as the representation of this information in a easy to understand format. Local transforms are pieces of code that run on the same machine which the client application is.
Ref:
https://www.paterva.com/web6/
http://www.paterva.com/web6/documentation/developer-local.php
How we can write our own Local Transform, here is the step-by-step guide for beginner.
Run the Maltego Python Code (Ref: https://github.com/Lookingglass/Maltego)
The codes are adapted from "Lookingglass" so as to start up more easily. (not all the codes will be used in the sample files)
1. Download the zip file, it contains 3 files:
- MaltegoClass.py
- MaltegoTransform.py
- vxicon.png
putting them into the same directory.
2. MaltegoClass.py contains the EntityType, MaltegoEntity and MaltegoTransform, which are the basic classes for the Local Transform in Maltego.
Here we add our own EntityType, my.Input and my.Output, which will be used for creating a new Entity later.
3. In MaltegoTransform.py, it has our Local Transform functions and rendering the output. Here we have the helloworld which takes "myInput" as input and output as "myOutput" which we defined in MaltegoClass.py. we simply "process" the input by adding "processed" as demostration.
4. We add the function names to the dict, it can be called by adding the corresponding arguments in command line.
5. We try to run MaltegoTransform.py in command line. It returns the XML as result.
python MaltegoTransform.py helloworld 'Yeah baby!'
So now we have the MaltegoClass and MaltegoTransform ready, next step is to create the new Entity and Local Transform.
Create a new Entity
1. Choose "New Entity Type"
2. Type the information as below,
Display name: My input, which will display in the palette
Short description: whatever you like
Unique type name: it is the unique name that we will reference in our LocalTransform code
Inheritance: we choose "maltego.Phrase" here, which is text input
Icon: you may add your own icon from clicking "manage" and add the icon to Custom Category
Click"Next >"
3. Create a custom main property and click "Next >"
4. Add to category, we type our own category "My Entity Category" and click "Finish"
5 . We repeat the above steps and Create "my.Output", after we have done so, we click "Manage Entities", we can find "My Input" and "My Output"
Create Local Transform
1. Choose "Manage Transforms"
2. Create new Transform Sets, click "Transform Sets" tab, and click "New Set..", type the set name and description.
3. After creating the New Transform Set, choose "All Transform" tab and choose "New Local Transform".
4. Type the following information as below, and Input entity type as "My Input" which we created previously, and choose "Transform Set" as "My Local Transform Set" that we created before. Click "Next >"
5. Type the commands for running the Transform
Command: python (if using Windows, may change full path)
Parameters: MaltegoTransform.py helloworld (the command that runs the function)
Working directory: The location of the python files
Click "Finish"
6. "My Local Transform" is added to the list.
Create a new graph using our new Local Transform
1. Create a new graph, our new Entities are under "My Entity Category", drag "My Input" to the graph, and type the text you want.
2. Right click the icon and choose "My Local Transform Set" -> "My Local Transform".
3. It will run MaltegoTransform.py and return the results, "Processed: Yeah baby!!".
Export Configuration
After creating the new Entities, Local Transforms and icon, we can export them as *.mtz together with the python files (MaltegoClass.py and MaltegoTransform.py) for the others to use
1. Export > Export Configuration
2. Choose "Custom selection", we just want to export the new stuff we created just now.
3. We check "Entities", "Transforms", "Transform Sets" and "Icons".
4. Expand it and check the necessary items, ie "My Input", "My Output", "My Local Transform", "My Local Transform Set" and custom icon.
Choose "Next >"
5. Save the file as "myConfig.mtz", and it can be use imported into another Maltego, and also copying the python files to the corresponding locations.
Choose "Finish". and that's all
Summary
The above is just the simple steps to create new Entities, Transforms and run the hello world function, we can develop more complex Transforms and use the power of Maltego for further investigation and analysis.
Ref:
https://www.paterva.com/web6/
http://www.paterva.com/web6/documentation/developer-local.php
How we can write our own Local Transform, here is the step-by-step guide for beginner.
Run the Maltego Python Code (Ref: https://github.com/Lookingglass/Maltego)
The codes are adapted from "Lookingglass" so as to start up more easily. (not all the codes will be used in the sample files)
1. Download the zip file, it contains 3 files:
- MaltegoClass.py
- MaltegoTransform.py
- vxicon.png
putting them into the same directory.
2. MaltegoClass.py contains the EntityType, MaltegoEntity and MaltegoTransform, which are the basic classes for the Local Transform in Maltego.
Here we add our own EntityType, my.Input and my.Output, which will be used for creating a new Entity later.
3. In MaltegoTransform.py, it has our Local Transform functions and rendering the output. Here we have the helloworld which takes "myInput" as input and output as "myOutput" which we defined in MaltegoClass.py. we simply "process" the input by adding "processed" as demostration.
4. We add the function names to the dict, it can be called by adding the corresponding arguments in command line.
5. We try to run MaltegoTransform.py in command line. It returns the XML as result.
python MaltegoTransform.py helloworld 'Yeah baby!'
So now we have the MaltegoClass and MaltegoTransform ready, next step is to create the new Entity and Local Transform.
Create a new Entity
1. Choose "New Entity Type"
2. Type the information as below,
Display name: My input, which will display in the palette
Short description: whatever you like
Unique type name: it is the unique name that we will reference in our LocalTransform code
Inheritance: we choose "maltego.Phrase" here, which is text input
Icon: you may add your own icon from clicking "manage" and add the icon to Custom Category
Click"Next >"
3. Create a custom main property and click "Next >"
4. Add to category, we type our own category "My Entity Category" and click "Finish"
5 . We repeat the above steps and Create "my.Output", after we have done so, we click "Manage Entities", we can find "My Input" and "My Output"
Create Local Transform
1. Choose "Manage Transforms"
2. Create new Transform Sets, click "Transform Sets" tab, and click "New Set..", type the set name and description.
3. After creating the New Transform Set, choose "All Transform" tab and choose "New Local Transform".
4. Type the following information as below, and Input entity type as "My Input" which we created previously, and choose "Transform Set" as "My Local Transform Set" that we created before. Click "Next >"
5. Type the commands for running the Transform
Command: python (if using Windows, may change full path)
Parameters: MaltegoTransform.py helloworld (the command that runs the function)
Working directory: The location of the python files
Click "Finish"
6. "My Local Transform" is added to the list.
Create a new graph using our new Local Transform
1. Create a new graph, our new Entities are under "My Entity Category", drag "My Input" to the graph, and type the text you want.
2. Right click the icon and choose "My Local Transform Set" -> "My Local Transform".
3. It will run MaltegoTransform.py and return the results, "Processed: Yeah baby!!".
Export Configuration
After creating the new Entities, Local Transforms and icon, we can export them as *.mtz together with the python files (MaltegoClass.py and MaltegoTransform.py) for the others to use
1. Export > Export Configuration
2. Choose "Custom selection", we just want to export the new stuff we created just now.
3. We check "Entities", "Transforms", "Transform Sets" and "Icons".
4. Expand it and check the necessary items, ie "My Input", "My Output", "My Local Transform", "My Local Transform Set" and custom icon.
5. Save the file as "myConfig.mtz", and it can be use imported into another Maltego, and also copying the python files to the corresponding locations.
Choose "Finish". and that's all
Summary
The above is just the simple steps to create new Entities, Transforms and run the hello world function, we can develop more complex Transforms and use the power of Maltego for further investigation and analysis.
Wednesday 21 May 2014
SANS Gold Paper - Website Security for Mobile
Smartphones and Tablets are very popular nowadays; other than playing around the apps, most of us use the
mobile devices to browse web pages. People usually look for convenient and quick browsing without paying much attention to security settings like anti-phishing or anti-xss filtering. Thus, special attention must be paid
to the end-user's web security when they use mobile devices (mainly on iOS and Android Platforms). For
example, how easily phishing can be done in mobile devices; what is the impact of visiting...
http://www.sans.org/reading-room/whitepapers/pda/website-security-mobile-34190
mobile devices to browse web pages. People usually look for convenient and quick browsing without paying much attention to security settings like anti-phishing or anti-xss filtering. Thus, special attention must be paid
to the end-user's web security when they use mobile devices (mainly on iOS and Android Platforms). For
example, how easily phishing can be done in mobile devices; what is the impact of visiting...
http://www.sans.org/reading-room/whitepapers/pda/website-security-mobile-34190
Tuesday 20 May 2014
PlaidCTF 2014 For-350 write up
Challenge:
You have traveled back in time, but look, hunting The Plague is tough. You're really just going back to relax for a while without having to worry about all that nonsense. As you walk in the park you stumble across someone's BlackBerry. Wow, people still use BlackBerry phones (time travel gets so confusing)? You figure you should return it to the owner, but you have a hard time getting inside. Figure out what's on the phone, and maybe we'll be able to return it to the rightful owner.
Password is saved as SHA1, and it is located in NVRAM on the device. So in order to find the location of the password, let's set one on our own first, open simulator, do factory reset, so we can set our password and search in memory later on. Let's reset it by entering the password 10 times wrongly.
Let's reset the screen lock password to be "password", and its SHA is 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
Let's search for in the NVRAM, 9930-nv.dmp, search for "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
the offset is 00053020 (and starting with "3C000000")
Restore the original 9930-nv.dmp, go to the same offset, got the hash "3E270F54C6EB3175B4EF8B20080795EF2EE15589"
Google it, we got "fuckfuckfuckyouhahaha"...
We go back to the BB again and unlock, cool, we can enter it!
From the hints, let's search the contact, and we found Plaid CTF
Open it, and we get the first key, "fuckfuckfucky0uh4h4h4".. but there's another challenge, ok let's download it
From blackberry.dmp, it looks like a full dump, anyway, let's open it with winhex. In order to speed up, we just search for "3C000000"... first of all, we got "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" again, it's "password", but it does not look like the key :-(...
With more patience... we got another one, we got "AC0CFE7BD0AE22B44722F1A01ECB6CE102CA27C5"
we google it, finally got "BerryGood"
Reference:
http://crackberry.com/security-blackberry-balance
The personal master key is also randomly generated. The personal master key is stored in NVRAM on the device and is encrypted with the system master key
http://www.forensicfocus.com/Forums/viewtopic/t=7055/
password should be in SHA1
You have traveled back in time, but look, hunting The Plague is tough. You're really just going back to relax for a while without having to worry about all that nonsense. As you walk in the park you stumble across someone's BlackBerry. Wow, people still use BlackBerry phones (time travel gets so confusing)? You figure you should return it to the owner, but you have a hard time getting inside. Figure out what's on the phone, and maybe we'll be able to return it to the rightful owner.
Password is saved as SHA1, and it is located in NVRAM on the device. So in order to find the location of the password, let's set one on our own first, open simulator, do factory reset, so we can set our password and search in memory later on. Let's reset it by entering the password 10 times wrongly.
Let's reset the screen lock password to be "password", and its SHA is 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
Let's search for in the NVRAM, 9930-nv.dmp, search for "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
the offset is 00053020 (and starting with "3C000000")
Restore the original 9930-nv.dmp, go to the same offset, got the hash "3E270F54C6EB3175B4EF8B20080795EF2EE15589"
Google it, we got "fuckfuckfuckyouhahaha"...
We go back to the BB again and unlock, cool, we can enter it!
From the hints, let's search the contact, and we found Plaid CTF
Open it, and we get the first key, "fuckfuckfucky0uh4h4h4".. but there's another challenge, ok let's download it
From blackberry.dmp, it looks like a full dump, anyway, let's open it with winhex. In order to speed up, we just search for "3C000000"... first of all, we got "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" again, it's "password", but it does not look like the key :-(...
With more patience... we got another one, we got "AC0CFE7BD0AE22B44722F1A01ECB6CE102CA27C5"
we google it, finally got "BerryGood"
Reference:
http://crackberry.com/security-blackberry-balance
The personal master key is also randomly generated. The personal master key is stored in NVRAM on the device and is encrypted with the system master key
http://www.forensicfocus.com/Forums/viewtopic/t=7055/
password should be in SHA1
Subscribe to:
Posts (Atom)