How the Leopard hides his Spots. OS X Anti-Forensics

Similar documents
The Art of Defiling. Defeating Forensic Analysis on Unix File Systems the grugq

This Technote describes the on-disk format for an HFS Plus volume. It does not describe any programming interfaces for HFS Plus volumes.

Guide to Computer Forensics and Investigations Fourth Edition. Chapter 6 Working with Windows and DOS Systems

Chapter Two File Systems. CIS 4000 Intro. to Forensic Computing David McDonald, Ph.D.

Advanced Operating Systems

Example Implementations of File Systems

Windows File System. File allocation table (FAT) NTFS - New Technology File System. used in Windows 95, and MS-DOS

FILE SYSTEM IMPLEMENTATION. Sunu Wibirama

File System Implementation. Sunu Wibirama

COMP091 Operating Systems 1. File Systems

File Management 1/34

makes floppy bootable o next comes root directory file information ATTRIB command used to modify name

File System Interpretation

File System CS170 Discussion Week 9. *Some slides taken from TextBook Author s Presentation

FILE SYSTEMS. CS124 Operating Systems Winter , Lecture 23

Machine Language and System Programming

File System Internals. Jo, Heeseung

Glossary. The target of keyboard input in a

Filesystem. Disclaimer: some slides are adopted from book authors slides with permission

CS370 Operating Systems

FILE SYSTEMS, PART 2. CS124 Operating Systems Fall , Lecture 24

Microsoft File Allocation Table

Filesystem. Disclaimer: some slides are adopted from book authors slides with permission 1

Lecture Data layout on disk. How to store relations (tables) in disk blocks. By Marina Barsky Winter 2016, University of Toronto

Operating Systems. Operating Systems Professor Sina Meraji U of T

A file system is a clearly-defined method that the computer's operating system uses to store, catalog, and retrieve files.

File Management. Ezio Bartocci.

Typical File Extensions File Structure

ECE 598 Advanced Operating Systems Lecture 14

CS 4284 Systems Capstone

Introduction to OS. File Management. MOS Ch. 4. Mahmoud El-Gayyar. Mahmoud El-Gayyar / Introduction to OS 1

Operating Systems. Lecture File system implementation. Master of Computer Science PUF - Hồ Chí Minh 2016/2017

CNIT 121: Computer Forensics. 13 Investigating Mac OS X Systems

Operating Systems 2015 Assignment 4: File Systems

UNIX File Systems. How UNIX Organizes and Accesses Files on Disk

File Systems. CS 4410 Operating Systems. [R. Agarwal, L. Alvisi, A. Bracy, M. George, E. Sirer, R. Van Renesse]

8/31/2015 BITS BYTES AND FILES. What is a bit. Representing a number. Technically, it s a change of voltage

Figure 1-1 Example of File System Layout

Segmentation with Paging. Review. Segmentation with Page (MULTICS) Segmentation with Page (MULTICS) Segmentation with Page (MULTICS)

bytes per disk block (a block is usually called sector in the disk drive literature), sectors in each track, read/write heads, and cylinders (tracks).

Project 3: An Introduction to File Systems. COP 4610 / CGS 5765 Principles of Operating Systems

we are here Page 1 Recall: How do we Hide I/O Latency? I/O & Storage Layers Recall: C Low level I/O

File System Case Studies. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Vorlesung Computerforensik. Kapitel 7: NTFS-Analyse

File System Concepts File Allocation Table (FAT) New Technology File System (NTFS) Extended File System (EXT) Master File Table (MFT)

File System Internals. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Main Points. File layout Directory layout

Input & Output 1: File systems

File System Case Studies. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

NTFS Recoverability. CS 537 Lecture 17 NTFS internals. NTFS On-Disk Structure

DOS. 5/1/2006 Computer System Software CS 012 BE 7th Semester 2

Motivation. Operating Systems. File Systems. Outline. Files: The User s Point of View. File System Concepts. Solution? Files!

EECE.4810/EECE.5730: Operating Systems Spring 2017

Summer 2003 Lecture 26 07/24/03

Chapter 12: File System Implementation

File System Implementation. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Chapter 11: Implementing File Systems. Operating System Concepts 8 th Edition,

Operating Systems 2014 Assignment 4: File Systems

Chapter 11: Implementing File Systems

CSE 4482 Computer Security Management: Assessment and Forensics. Computer Forensics: Working with Windows and DOS Systems

Lecture 24: Filesystems: FAT, FFS, NTFS

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

CS 111. Operating Systems Peter Reiher

COMP116 Final Project. Shuyan Guo Advisor: Ming Chow

Files. File Structure. File Systems. Structure Terms. File Management System. Chapter 12 File Management 12/6/2018

File Systems. CSE 2431: Introduction to Operating Systems Reading: Chap. 11, , 18.7, [OSC]

ECE 598 Advanced Operating Systems Lecture 17

File systems Computer Forensics

Computer Systems. Assembly Language for x86 Processors 6th Edition, Kip Irvine

CSE 565 Computer Security Fall 2018

we are here I/O & Storage Layers Recall: C Low level I/O Recall: C Low Level Operations CS162 Operating Systems and Systems Programming Lecture 18

File System Implementation

412 Notes: Filesystem

Computer Forensics: Investigating Data and Image Files, 2nd Edition. Chapter 3 Forensic Investigations Using EnCase

File Directories Associated with any file management system and collection of files is a file directories The directory contains information about

5/10/2009. Introduction. The light-saber is a Jedi s weapon not as clumsy or random as a blaster.

Computer Systems Laboratory Sungkyunkwan University

CS370 Operating Systems

Filesystem. Disclaimer: some slides are adopted from book authors slides with permission 1

,879 B FAT #1 FAT #2 root directory data. Figure 1: Disk layout for a 1.44 Mb DOS diskette. B is the boot sector.

File System Basics. Farmer & Venema. Mississippi State University Digital Forensics 1

FYSOS and the Simple File System This document pertains to and is written for the purpose of adding this file system to FYSOS found at:

SQL Injection. EECS Introduction to Database Management Systems

Preview. COSC350 System Software, Fall

Shared snapshots. 1 Abstract. 2 Introduction. Mikulas Patocka Red Hat Czech, s.r.o. Purkynova , Brno Czech Republic

Long-term Information Storage Must store large amounts of data Information stored must survive the termination of the process using it Multiple proces

Hack in the Box - Amsterdam Chronic-Dev, LLC

The UNIX file system! A gentle introduction"

File System Implementation

Exploiting Vulnerabilities in Media Software. isec Partners

Recall: So What About a Real File System? Meet the inode: Recall: Unix File System (2/2) Recall: Unix File System (1/2)

Vendor: ECCouncil. Exam Code: EC Exam Name: Computer Hacking Forensic Investigator Exam. Version: Demo

There is a general need for long-term and shared data storage: Files meet these requirements The file manager or file system within the OS

Crash Consistency: FSCK and Journaling. Dongkun Shin, SKKU

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Windows History 2009 Windows 7 2

File Systems. What do we need to know?

Advanced System Security: Vulnerabilities

QUIZ: Is either set of attributes a superkey? A candidate key? Source:

ELEC 377 Operating Systems. Week 8 Class 1

Transcription:

How the Leopard hides his Spots OS X Anti-Forensics the.grugq@gmail.com

Introduction Strategies Tactics Conclusion Overview

Introduction the grugq <the.grugq@gmail.com> Independent security researcher Based in Thailand Anti forensic researcher since 1999

Why Anti Forensics? Forensics is integral to infosec spectrum No research => no fixes Still green field research Forensics remains vulnerable and insecure

Forensics (in 1 slide) Forensics only exists within an investigation Preserve data in original state Extract evidentiary data from snapshot Present evidence

Anti Forensics

Data is evidence

Reduce the quantity and quality of evidentiary data

Strategies

Data Destruction They can t find what isn t there

Remove evidentiary data ex post facto Difficult to do properly Systems scatter data everywhere Scorched earth is the best policy

Data Hiding They can t find what they can t see

Store data outside scope of tools Not a long term solution Suffers from bug death Don t forget to encrypt

Data Contraception They can t find what was never there

Don t create evidentiary data Avoid contact with the disk Requires planning and discipline see haxh, hacking harness* * http://www.tacvoip.com/tools.html

Tactics

Data Hiding Tactics Requirements: Hidden - obviously Robust - don t want data to vanish Exploit structured storage bugs

Structured Storage

File System Fundamentals Comprised of data and metadata System level metadata/data User level metadata/data OS level CRUD Pair data streams with readable names Internal structured metadata organises:

Components Header - Global FS layout / properties Block - Smallest atomic component Node - Metadata for a single file + block list(s) Map - Link names to nodes

Example: NTFS Header - Boot Block Block - Cluster Node - Master File Table entry (File) Map - Master File Table Directory (Folder)

Example: FAT Header - Boot Block Block - Cluster Map - Directory file Node - Directory entry + FAT chain

Attacking Structured Storage Allocate space Exploit bugs Parsing Interpretation Presentation Inject data into that space

FISTing File system Insertion and Subversion Technique Generic technique for exploit structure storage Find a hole and FIST it

What holes can I FIST?

FIST sized Holes Special files Handled implicitly Slack space Typically inaccessible reserved reserved for hacker use, only!

Forensic Tool Bugs Incomplete/Ignorant implementations Logic bugs Edge cases get ignored Security bugs buffer overflows, int wraps, etc. Unused structured storage features

FISTing for All Any structured data storage can be FISTed File Systems Application file formats

Assaulting OS X

OS X Attacks File system attacks HFS+ Application file format attacks

HFS+ Induction

HFS+ Hierarchical File System Plus (HFS+) Introduced with OS X Strongly influenced by HFS Complex on-disk structure B*trees Technical Note 1150

Components Header - Volume Header Block - Block Node - block lists in extents meta data in catalog file entries Map - catalog file entries

HFS+ Core Concepts Data Forks Extents B*trees Nodes

Data Forks Store data stream location information Size of user data Block location + order

Data Forks struct HFSPlusForkData { UInt64 logicalsize; UInt32 clumpsize; UInt32 totalblocks; HFSPlusExtentDescriptor extents[8]; }; struct HFSPlusExtentDescriptor { UInt32 startblock; UInt32 blockcount; };

Special Files allocationfile - block allocation bitmap catalogfile - file/directory meta data extentsfile - fragmented file block lists startupfile - (optional) kernel loader attributesfile - extended attributes

B*trees Used for most file system meta data Binary tree Stored on disk within a special file File is divided into equal sized nodes Node address == index

B*tree Nodes Header node - B*tree metadata Leaf nodes - key:data record Map nodes - node allocation bitmap Index nodes - key:node pointer

B*tree Node

B*tree FIRST LEAF NODE POINTER ROOT NODE POINTER LEAF NODE POINTER 8 POINTER 18 POINTER 8 POINTER 13 POINTER 18 POINTER 20 POINTER 23 POINTER 8 DATA 10 DATA 13 DATA 15 DATA 18 DATA 20 DATA 22 DATA 23 DATA

HFS+ Attacks

File Allocation Attacks

Bad Blocks File Allocated extents within the extentsfile Special CNID => 5 Prevents kernel allocating bad blocks for userfiles Lame attack, way too obvioous

startupfile Used for certain (archaic) systems Typically 0 length file Can be arbitrary size Kinda like bad blocks file, only more explicit

HFS Wrapper HFS+ volumes embedded within HFS HFS volume marks HFS+ space in bad blocks file Slack space after embedded HFS+ volume

B*tree Internals Attacks

Excessive Map Nodes Map nodes contain node allocation bitmap Stored as linked list of nodes Can exceed the size required for all nodes

B*tree Free Space B*tree nodes can contain free space Use freespace for data storage

When Unicode Attacks

Zero Width Unicode UTF-16 has non-glyph characters \x00\x00 NULL CHARACTER \x20\0b ZERO WIDTH SPACE Invisible data storage

UTF-16 is where? ipod itunes db (mhbd), extensive UTF16 File names: HFS+, NTFS, FAT32 Inside documents etc.

ZWU (Z triple U) ipod mhbd attack Max size is 255 UTF-16 chars 8 chars per byte approx 100k per 1k tracks ~31 bytes per string (theoretical max)

>>> import utfool >>> s = "hello world" >>> u = utfool.tounicode(s) >>> print u'"%s"' % u "" >>> len(u) 88 >>> s == utfool.fromunicode(u) True

Application File Formats

Browser Cookies

Browser Cookies What is a cookie? url: { key: value } value is a base64 encoded encrypted binary blob

Browser Cookies What is a cookie? url: { key: value } value is a base64 encoded encrypted binary blob What do we want to store? encrypted binary blobs

Mozilla Cookies File Stored in an SQLite database Very simple schema Can access with sqlite3 tool

moz_cookies Schema CREATE TABLE moz_cookies ( id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, issecure INTEGER, ishttponly INTEGER, lastaccessed INTEGER )

Cookies HOWTO sqlite> insert into moz_cookies host,value ('www.lolitapictures.com', 'ew91j3jligxlzxq=');

SQLite

File Format File is an array of pages Pages contain cells Cells linked in b-trees Header stored in first page Free pages in a linked list

SQLeez Free space within SQLite files Expand in size, shrink after vacuum AUTO-VACUUM can destroy

Demo SQLeez

Future Out of the file system, into the files Application specific attacks are harder to detect More diverse attack space

Q & A

Thank you.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback