8/12/2019 BH US 08 Conti Dean Visual Forensic Analysis
1/63
Visual Forensic Analysis and
Binary Data
Erik Dean
United States Military Academy
West Point, New York
2/63
Outline
The Problem: Tiny Windows
Background and Motivation
Moving Beyond Hex
System Design
Case Studies
Demos
3/63
[Figure: kinds of binary data: data operated on by applications (xls, txt); executables run by the OS (ELF, PE, 01010...); other special cases (core dump, pagefile.sys); memory (process memory); network (packets)]
4/63
[Figure: spectrum of binary analysis tools, arranged along two axes, lower to higher insight and general purpose to precise application; tools placed on it: strings, grep & diff, hexdump, hex editors (010), objdump, Filemon, Regmon, the original application, OllyDBG, IDA Pro, BinNavi (Zynamics)]
5/63
strings / grep / diff
H:\Datasets>strings 20040517_homeISP.pcap | more
Strings v2.4
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
0hFM@y
7bs
MICROSOFT NETWORKS
WINDOWS USER
Microsoft Security Bulletin MS03-043
Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
Affected Software:
Microsoft Windows NT Server 4.0
Microsoft Windows 2000...
6/63
010 Hex Editor
7/63
Hex Workshop
8/63
WinHex
http://www.x-ways.net/pics/winhex.gif
9/63
10/63
11/63
SysInternals
FileMon
RegMon
http://technet.microsoft.com/en-us/sysinternals/default.aspx
...
12/63
Wireshark
image: http://code.google.com/support/bin/answer.py?answer=71567
13/63
OllyDbg
http://www.ollydbg.de/
14/63
IDA Pro v5.1
http://www.hex-rays.com/idapro/
15/63
F-Secure Malware
http://www.f-secure.com/weblog/archives/00000662.html
16/63
Zynamics BinDiff
http://www.zynamics.com/content/_images/bindiff_scr2.gif
17/63
Zynamics BinNavi
http://www.zynamics.com/index.php?page=binnavi
18/63
19/63
Framework
File Independent Level: Entropy, Byte Frequency, Strings, Bit Plot (2D/3D), File Statistics
File Specific Level: Complete or Partial Knowledge of File (for example, Metadata)
20/63
Syntax Highlighting for Hex Dumps
image: Dan Kaminsky, CCC2006
21/63
nwdiff
http://www.geocities.jp/belden_dr/ToolNwdiff_Eng.html
http://computer.forensikblog.de/en/2006/02/compare_binary_files_with_nwdiff.html
22/63
Dot Plots & Visual BinDiff
Self-Similarity in a single file (.NET Assembly); Diffing Two Files. Images: Dan Kaminsky, CCC2006
23/63
[Figure: system architecture: a Hex Editor Core with Machine Assisted Mapping and Navigation, feeding Traditional Textual Displays, Graphical Displays, a Detail View and Utilities (strings, ...)]
24/63
Towards a Visual Hex Editor
Identify Unknown Binaries
Malware Analysis
Analyze Unknown/Undocumented File Formats
Locate Embedded Objects
Encoding / Encryption
Audit Files for Vulnerabilities
Cracking
Cryptanalysis
Perform Forensic Analysis
File System Analysis
File Fuzzing
25/63
Goals
Handle Large Files
Many Insightful Windows
Big Picture Context
Improved Navigation
Data Files
Executable Files
Hex Editor best practices are the foundation
Support Art & Science
26/63
Design
Robust extensible framework
Open source
Semantic File Analysis
Useful
Multiple coordinated views
Combine Functionality of current
27/63
Filtering + Encoding
Identifying something: REGEX, algorithmic
Using this knowledge to... highlight, fade
Interactive or automated
28/63
Graphical: Bitplot, BytePlot, RGBPlot, BytePresence, ByteFrequency, Digram, Dotplot
Interaction: VCR, Memory Map, Color Coding
29/63
Traditional Views
Hex / ASCII View
Strings
30/63
Strange Attractors and TCP/IP
(Michal Zalewski)
http://lcamtuf.coredump.cx/oldtcp/tcpseq.html
http://lcamtuf.coredump.cx/newtcp/
31/63
Digraph View
"black hat"
bl (98, 108)
ac (97, 99)
ck (99, 107)
k_ (107, 32)
_h (32, 104)
ha (104, 97)
at (97, 116)
32/63
Digraph View
[Figure: 256 x 256 grid, Byte 0 on one axis and Byte 1 on the other, each running 0, 1, ... 255; each adjacent pair, such as (32, 108) ... (98, 108), is plotted as one point]
33/63
[Figure: digraph views of several inputs: uuencoded data, compression and encryption, incrementing words, constrained pairs, slashdot.org .txt]
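The digraph view walked through on the preceding slides, in code. This is an added example, not the authors' tool: it produces the adjacent-byte pairs the slide lists for "black hat" (all eight, including "la", which the slide residue does not show), the 256 x 256 occurrence grid, and two of the signatures the examples slide names, text confined to the printable box and incrementing bytes lying on one off-by-one diagonal. All inputs are constructed; the coarse ASCII rendering is an assumption standing in for the graphical plot.

```python
"""Digraph (digram) view: every adjacent byte pair (byte0, byte1) becomes a point
on a 256 x 256 grid, byte0 on one axis and byte1 on the other."""
from collections import Counter

def digraph_pairs(data: bytes) -> list[tuple[int, int]]:
    """Slide a window of width 2 over the data: (data[i], data[i+1]) for every i."""
    return [(data[i], data[i + 1]) for i in range(len(data) - 1)]

def digraph_grid(data: bytes) -> Counter:
    """Occurrence count per (byte0, byte1) pair: the grid the view plots."""
    return Counter(digraph_pairs(data))

def bounding_box(grid: Counter) -> tuple[int, int, int, int]:
    """Smallest (min_b0, max_b0, min_b1, max_b1) rectangle holding every pair;
    plain text stays inside the printable range 32..126 on both axes."""
    b0 = [p[0] for p in grid]
    b1 = [p[1] for p in grid]
    return (min(b0), max(b0), min(b1), max(b1))

def on_increment_diagonal(grid: Counter) -> float:
    """Fraction of pairs with byte1 == byte0 + 1 (mod 256): an incrementing byte
    counter puts all of its points on this one off-by-one diagonal."""
    total = sum(grid.values())
    hits = sum(c for (a, b), c in grid.items() if (a + 1) % 256 == b)
    return hits / total if total else 0.0

def render_ascii(grid: Counter, cell: int = 32) -> str:
    """Coarse text rendering: one character per cell x cell block of the grid,
    byte0 across, byte1 down, '#' where at least one pair falls in the block."""
    n = 256 // cell
    rows = []
    for y in range(n):
        row = ""
        for x in range(n):
            hit = any(x * cell <= a < (x + 1) * cell and y * cell <= b < (y + 1) * cell
                      for a, b in grid)
            row += "#" if hit else "."
        rows.append(row)
    return "\n".join(rows)

if __name__ == "__main__":
    # Constructed inputs: the slide's "black hat" string and incrementing 16-bit words.
    for pair in digraph_pairs(b"black hat"):
        print(bytes(pair).decode(), pair)
    print(render_ascii(digraph_grid(b"black hat")))
    words = b"".join(i.to_bytes(2, "big") for i in range(4096))
    print(render_ascii(digraph_grid(words)))
```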
34/63
Bit Plot
[Figure: each bit of the file drawn as one pixel, 640 bits per row, rows numbered from 1; sample bits 1101...]
35/63
Byte Plot
[Figure: each byte drawn as one pixel whose brightness is the byte value, 640 bytes per row, rows numbered from 1; sample values shown: 255 ...]
36/63
Byte Plot Example
37/63
Byte Presence
38/63
RGB Plot
[Figure: each pixel built from three consecutive bytes used as R, G, B values (0..255), 640 pixels per row; sample values shown: 255, 140, 128, 0, 0]
39/63
Dot Plots
Jonathan Helfman's "Dotplot Patterns: A Literal Look at Pattern Languages."
Dan Kaminsky
40/63
DotPlots
[Figure: Byte 0, Byte 1, ... Byte N along the top and again down the side; a dot wherever the two bytes are equal; O(N^2) cells for the whole file]
41/63
Dynamic DotPlots
[Figure: same axes, Byte 0, Byte 1, ... Byte N, but only a 500x500 window is computed at a time; O(N)]
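The windowed dot plot from the two slides above, as an added example that is not the authors' code. It computes dots only for the window being viewed (the slides use 500 x 500; the window size here is a parameter), then finds runs parallel to the main diagonal, which is how a repeated block shows up in the plot. The 200-byte input with one 24-byte block embedded twice is constructed for the demonstration.

```python
"""Dot plot: a dot at (i, j) wherever byte i equals byte j. Repeated regions show
as lines parallel to the main diagonal; a full plot of N bytes costs O(N^2), so
only the window on screen (the slides use 500 x 500) is computed."""
import random

def dotplot_window(data: bytes, x0: int, y0: int, size: int) -> set[tuple[int, int]]:
    """Dots for the window [x0, x0+size) x [y0, y0+size) as (i, j) offsets into it.
    Work depends on the window, not on len(data), so scrolling a large file is cheap."""
    xs = data[x0:x0 + size]
    ys = data[y0:y0 + size]
    where: dict[int, list[int]] = {}  # byte value -> positions in ys
    for j, b in enumerate(ys):
        where.setdefault(b, []).append(j)
    return {(i, j) for i, b in enumerate(xs) for j in where.get(b, ())}

def diagonal_runs(dots: set[tuple[int, int]], min_len: int) -> list[tuple[int, int, int]]:
    """Maximal runs of dots along (i, j), (i+1, j+1), ...: returns (i, j, length) for
    every run of at least min_len dots. Runs off the main diagonal mark repeated blocks."""
    runs = []
    for i, j in dots:
        if (i - 1, j - 1) in dots:
            continue  # not the start of a run
        n = 1
        while (i + n, j + n) in dots:
            n += 1
        if n >= min_len:
            runs.append((i, j, n))
    return sorted(runs)

def make_sample(seed: int = 1) -> bytes:
    """Constructed 200-byte input: pseudo-random noise with the same 24-byte block
    embedded at offsets 40 and 120."""
    rng = random.Random(seed)
    noise = bytes(rng.randrange(256) for _ in range(200))
    block = bytes(rng.randrange(256) for _ in range(24))
    return noise[:40] + block + noise[64:120] + block + noise[144:]

if __name__ == "__main__":
    data = make_sample()
    for i, j, n in diagonal_runs(dotplot_window(data, 0, 0, len(data)), min_len=8):
        tag = "main diagonal" if i == j else f"repeat, {abs(i - j)} bytes apart"
        print(f"run of {n} dots at ({i}, {j}): {tag}")
```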
42/63
DotPlot Examples
Images: Jonathan Helfman, Dotplot Patterns: A Literal Look at Pattern Languages.
43/63
44/63
[Figure: dot plots of Compressed Audio, English Text and a Bitmap Image]
45/63
Byte Clouds
Tag Cloud ("for Fun and Profit", http://tagcrowd.com/)
Byte Cloud
46/63
Neverwinter Nights Database File
47/63
Firefox .hdmp
48/63
Firefox .hdmp
49/63
Firefox .hdmp
50/63
Firefox .hdmp
51/63
PDF...
Weaknesses
52/63
Weaknesses
Entire file may be extracted from bit/byte/RGB plots
May trigger AV or IDS
8bit/byte steg
Demos
53/63
Demos
A Look to the Future
54/63
A Look to the Future
Visual Front Ends for Offensive Tools
Visual Cryptanalysis Support
Human Insights Passed to Machine Processors
More Inspiration from General InfoVis Community
Visual Fingerprints / Smart Books
Web-based Visualization (AJAX)
User-task Analyses
Engagement of Users Beyond Students
Examination of Full Range of Security Data
Merging Multiple Security Dataflows
Future Work
55/63
Future Work
Plug-ins / Editable Config Files
Visualizations
Encodings
Saving state
Memory Maps
Improving Interaction
What works / What doesn't
Multiple Files / File Systems
REGEX search
Automated Memory Map Generation
DAVIX
56/63
DAVIX, Jan Monsch and Raffy Marty
http://www.secviz.org/node/89
InfoVis Survey
57/63
InfoVis Survey
Security Visualization Survey
58/63
Security Visualization Survey
Communities
59/63
Communities
http://secviz.org/
The place to share, discuss, challenge, and learn about security visualization.
Raffy Marty, Splunk
http://vizsec.org/
vizSEC is a research community for computer security visualization.
John Goodall, Secure Decisions
VizSEC 2008
60/63
VizSEC 2008
http://www.vizsec.org/workshop2008/
More Information
61/63
More Information
Visual Reverse Engineering of Binary and Data Files. Gregory Conti, Erik Dean, Matthew Sinda, Benjamin Sangster. VizSEC 2008.
Available September
Security Data Visualization (No Starch Press)
Visualization (Addison-Wesley)
Acknowledgements
62/63
Acknowledgements
Damon Becknell, Jon Bentley, Jean Blair, Sergey Bratus, Chris Compton, Tom Cross, Ron Dodge, Carrie Gates, Chris Gates, Joe Grand, Julian Grizzard, Toby Kohlenberg, Oleg Kolesnikov, Frank Mabry, Raffy Marty, Brent Nolan, Gene Ressler, Ben Sangster, Matt Sinda and Ed Sobiesk
63/63
"In fact master reversers like Fravia recommend cracking while intoxicated [...] alcoholic beverages. While for health reasons we cannot recommend this method, you may find that a relaxing cup of hot [...] and allows you to think in reverse."
- from Security Warrior