03 January 2014

A GhettoForensics Look Back on 2013

This site, Ghetto Forensics, was started this year as the beginning of an effort to better document some of the side work that I do that I thought would be appealing, or humorous, to the overall industry. This content was originally posted to my personal web site, thebaskins.com, but really needed a site of its own.

My first public project this year was reversing, documenting, and writing a parser for Java IDX files, cached files that accompany any file downloaded via Java. It was a bit of a painful project, mainly due to the bad documentation provided by Oracle, not to mention the horrendous style in which they designed it. I immediately released the code to the public and have received great feedback for improvements, as well as quite a few examiners touting how much they used it in their examinations. Thank you!

However, my greatest project this year was the release of Noriben. I first designed Noriben as a simple script for me to use at home for really quick malware dynamic analysis. I lacked many of the tools and sandboxes that I use at my day job, and needed a quick triage tool for research. After a few months, I realized that many commercial groups were in the exact same situation as I was at home: a severe lack of funding to purchase software to help. So, I cleaned up the code, gave it a silly name, and released it into the world. I've received numerous feedback and suggestions from all over, all of which were incorporated into the code. While its usage is widely unknown, for practical reasons, I did learn of quite a few Defense organizations, as well as a handful of Fortune organizations that incorporated it into their workflow. Awesome!

Research-wise, I released a comparison of various Java disassembly and decompilation tools, having found the standard JD-GUI to be extremely lacking for modern Java malware. The positive side of this is introducing tools to security professionals that were previously unknown to them. The research itself changed the tools that I use on a regular basis and allowed me to create a better product, faster, for reversing Java applications.

For community projects, I wrote a small malware configuration dumper template for Volatility, based on some time-reducing work I've been practicing. Whenever I do a full reversal of malware, I now try to write a memory configuration dumper. That way, in a few months when they change the encryption routine, I can still retrieve the same configuration and getting the report out instantly, then go back and figure out the encryption.

My greatest effort, however, is in a series of plugins and parsers to the Plaso supertimeline suite. This awesome forensic tool, created by Kristinn Gudjonsson, is an evolution of log2timeline. While we've performed timeline-based forensics since the beginning of time, this unique tool parses data files to retrieves individual records within for additional events on the timeline. I started by first writing a parser for Java IDX files, based on my initial, stand-alone parser. I then wrote one for Windows scheduled task job files, then a plugin for bencoded (i.e. BitTorrent) files. A painful exercise, only in that through their stringent code review, I was forced to become a better programmer than I was. Through Kristinn's efforts I've been able to write much cleaner and efficient code, and can now attack parsers quickly. I find writing parsers for Plaso to provide a great sense of community involvement, and I recommend that others, who may be proficient at Python, contribute in their own capacity.

Changes to Forensic Work Processes

The biggest success so far this year in my file system forensics work has been in moving my dead box forensics to X-Ways Forensics. After working an exam that required X-Ways (due to XFS file systems), I quickly fell in love with just how fast and easily I can cut through systems. As X-Ways keeps track of every file already viewed (with a green highlight), large 20-system cases fell easily as duplicate files/folders could immediately be excluded based solely on that green color. No more 10-step program just to run searches, and no 30-minute waits to reparse the MFT after every time EnCase crashes. Not to mention that it can be quickly picked up without guidance, unlike other software that exists solely to drive a lucrative training business.

The necessity for change, and for a varied toolkit, is found in the wide ranges of media encountered. My past three exams contained file systems that were not able to be parsed by EnCase 6, including XFS and Ext4. Interestingly, support for XFS wasn't found in any other product, surprisingly not even Sleuthkit/Autopsy. When I spoke with Brian Carrier about this at the Open Source Digital Forensics Conference (OSDFC), the reasoning was that until there is an adequate demand for a file system parser, the work isn't performed. File systems require an extreme amount of effort for a relatively volatile market. This makes logical sense, as just a few years ago everyone was enthusiastic about ReiserFS... luckily the effort hadn't moved forward on that file system.

Beyond the standard forensic tools, there is great value in forensic examiners learning penetration testing procedures. This goes a bit beyond the 'hacking for forensic examiners' training I helped put on years ago. It's about using a better range of tools to succeed in our jobs. At the right focal point, there is a large intersection in the tasks of forensic examiners and penetration testers and there is a great benefit to trying to use a tactic from 'the other side'.  For example, I am routinely using oclHashCat with a 5GB dictionary to crack obtained user passwords from Windows and Linux/OSX systems. After all, a password is one of the best fingerprints you can get for tying multiple accounts together and attributing them to a user.

Reversing Challenges

A majority of my work is in malware analysis and reverse engineering -- two completely different jobs. The latter has many aspects that have eluded me for years, topics that just can't be learned on the job. 

The best exercise to combat these issues is in continual testing through exercises. There are numerous CrackMe, UnPackMe, and KeygenMe challenges across the internet. One notable set this year was the Microsoft Bluehat Challenge. This challenge consistent of three separate gauntlets: Vulnerability Discovery, Web Design Vulnerabilities, and Reverse Engineering. I started on the Reverse Engineering challenge, but quickly realized the burden of doing this challenge when you only have 1-2 hours of work "downtime" per week. After a month, I threw in the towel on challenges 4 and 5, wherein the former required debugging an algorithm with floating point math and the latter with reversing C++ Virtual Function Tables. Like many who just do malware analysis without much reversing, I've always just ignored the presence of vftables and focused on functionality, so this was a huge gut punch that stopped me in my tracks.

Industry Conferences

After a long conference circuit in 2011, I took it easy in 2012, and planned to as well in 2013. As conferences and training are out of pocket, and since I had just bought a home, I had no expectations of traveling this year.

However, I was able to attend the first-ever BSidesNOLA in New Orleans. While there was a great mixture of topics and speakers, there was a heavier component of forensics and incident response than in most other conferences. Ran by an extremely talented group of foodies, even the chosen taco food truck obliterated my expectations. I'll be looking to return in 2014, if I can secure enough funding.

I also had the pleasure of attending the Open Source Digital Forensics Conference (OSDFC), put on by Basis Tech. I had attended only once prior and found it a great mixing bowl of academia and practitioners. Where most of the core open source developers drink whisky alongside forensic examiners and discuss techniques.

The OSDFC was heralded in by the Open Memory Forensic Workshop (OMFW) put on by the core developers of Volatility. After a jam-packed series of technical talks given at the rate of a machine gun, the only emotion I could come to was... humbled. Here are the folks who are utterly conquering a new battlefield of forensics. And that was my opinion after having already done basic memory forensics for a few years.

On request, I put together a new talk this year on Introducing Intelligence into your Malware Analysis (video link).  I first gave it to the CyberGamut group, and carried it on to the inaugural BSidesDC and then BSidesDE (Delaware). The talk was targeted towards malware analysts in smaller organizations who are facing an uphill battle of malware and attacks. Using the currently accepted Cyber Kill Chain model, the talk broke down a typical malware analysis into phases that can be acted upon immediately, delegated, or stored for later processing. Given the right structure and intelligence, an analyst should be able to get actionable intel back from a malware sample within minutes, not hours, but focusing on the core indicators. This means putting reversing a custom encryption routine on the back burner and get the components to build rules for file system and network monitoring.

On notable point about 2013 was the lack of conferences I attended, as well. Due to buying a house, and since conferences are out of pocket for me, I had to turn down attending (and speaking at) a handful of conferences this year. Notably, DEFCON, BSidesLV, and DerbyCon. DerbyCon will always remain one of my favorites, and I was sad to miss it for the first time, but my fingers are crossed for next year.

Goals and Efforts for 2014

To keep myself honest, here are some of my ideas of things to continue or improve upon for 2014:

  • I will continue development on Noriben. It's currently undergoing a massive rewrite that will eventually allow it to automatically request VirusTotal results and transmit dropped files, given a legitimate public API key. More features will be implemented as requested.  Have an idea? Let me know!
  • I will continue to crack away at the Microsoft BlueHat Challenges. Being literally stuck on the RE samples, I suspect continued progress will result from a dream-induced epiphany, but I'll take anything I can get.
  • I will attempt the Matasano Cryptography challenges. Crypto plays a large part of the malware analysis field, with one-time cipher pads and iterative variants of RC4 popping up every week. I haven't attempted these challenges, but plan to once a sizable amount of free time appears (hah!).
  • I will improve my programming abilities, which starts with creating more class-based Python code, and fostered by participation in challenges like Matasano's. 
  • I will strive to get better at reversing, well.. everything. Working in a reverse engineering environment where samples switching between C, C++, Delphi, and .NET on a regular basis, I know that I need to improve at the intricacies of these individual languages. 
  • I will spend more of my time testing out forensic tools and applications, instead of just relying on what's always worked. I've been backed into a hard corner many times, spending days trying to figure out why one tool was giving me bad data, only to see everything presented normally in another. My current case has me running EnCase/FTK/XWays Forensics simultaneously. X-Ways is the core tool, but if something doesn't look right I check the data out with the others.

No comments: