Data carvers in forensic challenges
Data carvers in forensic challenges. In the DragonJAR community we have run several forensic challenges; participation has been high and they have been well received. The participants who submitted solutions followed different lines of investigation to reach their final results.
Clearly there are common steps, such as computing the MD5, making a copy of the image, and so on.
But one thing that can serve us very well, and that almost none of the solutions did, is to run a data carver. This gives us, before we even start on the case, everything that can be extracted from the evidence with this technique.
Data carvers in forensic challenges and a randomly selected challenge
I picked a forensic challenge at random, and the one chosen was the first forensic challenge ever run here in the DragonJAR community.
We decompress the RAR file and get the components of a virtual machine, specifically a VMware image.
darkmac:Reto Forence marc$ ls -lh
total 8414856
drwxr-xr-x@ 4 marc staff 544B 4 ago 21:18 ./
drwxr-xr-x@ 3 marc staff 136B 4 ago 19:52 ../
-rw-r--r--@ 1 marc staff 640K 19 dic 2009 Reto Forence-000001.vmdk
-rw-r--r--@ 1 marc staff 512M 19 dic 2009 Reto Forence-Snapshot1.vmem
-rw-r--r--@ 1 marc staff 131M 19 dic 2009 Reto Forence-Snapshot1.vmsn
-rw-r--r--@ 1 marc staff 8,5K 19 dic 2009 Reto Forence.nvram
-rw-r--r--@ 1 marc staff 2,8G 19 dic 2009 Reto Forence.vmdk
-rw-r--r--@ 1 marc staff 512M 15 dic 2009 Reto Forence.vmem
-rw-r--r--@ 1 marc staff 586B 19 dic 2009 Reto Forence.vmsd
-rw-r--r--@ 1 marc staff 131M 19 dic 2009 Reto Forence.vmss
-rw-r--r--@ 1 marc staff 2,5K 19 dic 2009 Reto Forence.vmx
-rw-r--r--@ 1 marc staff 1,6K 15 dic 2009 Reto Forence.vmxf
-rw-r--r--@ 1 marc staff 747K 19 dic 2009 vmware-0.log
-rw-r--r--@ 1 marc staff 95K 19 dic 2009 vmware.log
The first thing we will do is run bulk_extractor over the .vmem file, which holds the contents of the virtual machine's RAM.
darkmac:Reto Forence marc$ bulk_extractor -o memoria Reto\ Forence-Snapshot1.vmem
bulk_extractor version: 1.4.0-beta5
Hostname: darkmac.local
Input file: Reto Forence-Snapshot1.vmem
Output directory: memoria
Disk Size: 536870912
Threads: 4
19:54:52 Offset 67MB (12.50%) Done in 0:02:12 at 19:57:04
19:55:14 Offset 150MB (28.12%) Done in 0:01:44 at 19:56:58
19:55:37 Offset 234MB (43.75%) Done in 0:01:21 at 19:56:58
19:55:57 Offset 318MB (59.38%) Done in 0:00:57 at 19:56:54
19:56:35 Offset 402MB (75.00%) Done in 0:00:40 at 19:57:15
19:56:56 Offset 486MB (90.62%) Done in 0:00:14 at 19:57:10
All data are read; waiting for threads to finish...
Time elapsed waiting for 4 threads to finish: (timeout in 60 min .)
Time elapsed waiting for 4 threads to finish: 6 sec (timeout in 59 min 54 sec.)
Thread 0: Processing 503316480
Thread 1: Processing 520093696
Thread 2: Processing 469762048
Thread 3: Processing 486539264
Time elapsed waiting for 4 threads to finish: 12 sec (timeout in 59 min 48 sec.)
Thread 0: Processing 503316480
Thread 1: Processing 520093696
Thread 2: Processing 469762048
Thread 3: Processing 486539264
Time elapsed waiting for 3 threads to finish: 18 sec (timeout in 59 min 42 sec.)
Thread 0: Processing 503316480
Thread 1: Processing 520093696
Thread 3: Processing 486539264
All Threads Finished!
Producer time spent waiting: 132.666 sec.
Average consumer time spent waiting: 1.38148 sec.
*******************************************
** bulk_extractor is probably CPU bound. **
** Run on a computer with more cores **
** to get better performance. **
*******************************************
Phase 2. Shutting down scanners
Phase 3. Creating Histograms
ccn histogram...
ccn_track2 histogram...
domain histogram...
email histogram...
ether histogram...
find histogram...
ip histogram...
telephone histogram...
url histogram...
url microsoft-live...
url services...
url facebook-address...
url facebook-id...
url searches...
Elapsed time: 164.525 sec.
Overall performance: 3.26357 MBytes/sec
Total email features found: 701
As you can see, directly from the vmem file, without even booting the machine, we can already pull useful artefacts out of memory.
darkmac:memoria marc$ ls -lh | grep -v 0
drwxr-xr-x 2 marc staff 1,5K 4 ago 19:57 ./
drwxr-xr-x@ 4 marc staff 544B 4 ago 21:18 ../
-rw-r--r-- 1 marc staff 878B 4 ago 19:57 ccn.txt
-rw-r--r-- 1 marc staff 438K 4 ago 19:57 domain.txt
-rw-r--r-- 1 marc staff 12K 4 ago 19:57 domain_histogram.txt
-rw-r--r-- 1 marc staff 141K 4 ago 19:57 email.txt
-rw-r--r-- 1 marc staff 2,6K 4 ago 19:57 email_histogram.txt
-rw-r--r-- 1 marc staff 21K 4 ago 19:57 ether.txt
-rw-r--r-- 1 marc staff 326B 4 ago 19:57 ether_histogram.txt
-rw-r--r-- 1 marc staff 1,5K 4 ago 19:56 exif.txt
-rw-r--r-- 1 marc staff 496B 4 ago 19:57 ip_histogram.txt
-rw-r--r-- 1 marc staff 28K 4 ago 19:57 json.txt
-rw-r--r-- 1 marc staff 161K 4 ago 19:54 packets.pcap
-rw-r--r-- 1 marc staff 12K 4 ago 19:57 report.xml
-rw-r--r-- 1 marc staff 36K 4 ago 19:57 rfc822.txt
-rw-r--r-- 1 marc staff 815B 4 ago 19:57 telephone.txt
-rw-r--r-- 1 marc staff 255B 4 ago 19:57 telephone_histogram.txt
-rw-r--r-- 1 marc staff 1,6M 4 ago 19:57 url.txt
-rw-r--r-- 1 marc staff 341B 4 ago 19:57 url_searches.txt
-rw-r--r-- 1 marc staff 9,1K 4 ago 19:57 url_services.txt
-rw-r--r-- 1 marc staff 2,4M 4 ago 19:57 windirs.txt
-rw-r--r-- 1 marc staff 2,2M 4 ago 19:57 winpe.txt
-rw-r--r-- 1 marc staff 5,9K 4 ago 19:57 winprefetch.txt
-rw-r--r-- 1 marc staff 544B 4 ago 19:56 zip.txt
This is what we were able to obtain from the RAM file; IP addresses, for example:
darkmac:memoria marc$ more ip_histogram.txt
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.4.0-beta5 ($Rev: 10844 $)
# Feature-Recorder: ip
# Filename: Reto Forence-Snapshot1.vmem
# Histogram-File-Version: 1.1
n=247 192.168.229.129
n=91 192.168.229.1
n=80 74.125.47.147
n=42 92.43.20.50
n=37 192.168.229.255
n=26 192.168.229.2
n=24 239.255.255.250
n=20 87.242.73.60
n=11 199.7.52.190
n=8 192.168.198.1
n=8 65.54.165.177
n=8 74.125.47.99
n=2 127.0.0.1
n=1 65.55.113.23
n=1 65.55.17.37
n=1 74.125.65.139
n=1 74.125.67.138
If we want to analyse what is on the disk, we can run Bulk Extractor over the VMDK file.
darkmac:Reto Forence marc$ bulk_extractor -o disco Reto\ Forence.vmdk
bulk_extractor version: 1.4.0-beta5
Hostname: darkmac.local
Input file: Reto Forence.vmdk
Output directory: disco
Disk Size: 2958360576
Threads: 4
21:18:48 Offset 67MB (2.27%) Done in 0:11:22 at 21:30:10
21:19:04 Offset 150MB (5.10%) Done in 0:10:01 at 21:29:05
21:19:33 Offset 234MB (7.94%) Done in 0:11:49 at 21:31:22
21:20:09 Offset 318MB (10.78%) Done in 0:13:20 at 21:33:29
21:20:39 Offset 402MB (13.61%) Done in 0:13:27 at 21:34:06
21:21:05 Offset 486MB (16.45%) Done in 0:12:57 at 21:34:02
21:21:48 Offset 570MB (19.28%) Done in 0:13:39 at 21:35:27
21:22:49 Offset 654MB (22.12%) Done in 0:15:06 at 21:37:55
21:23:27 Offset 738MB (24.95%) Done in 0:14:48 at 21:38:15
21:24:09 Offset 822MB (27.79%) Done in 0:14:35 at 21:38:44
21:24:31 Offset 905MB (30.62%) Done in 0:13:34 at 21:38:05
21:25:07 Offset 989MB (33.46%) Done in 0:13:05 at 21:38:12
21:25:31 Offset 1073MB (36.30%) Done in 0:12:14 at 21:37:45
21:26:07 Offset 1157MB (39.13%) Done in 0:11:47 at 21:37:54
21:26:34 Offset 1241MB (41.97%) Done in 0:11:07 at 21:37:41
21:27:00 Offset 1325MB (44.80%) Done in 0:10:26 at 21:37:26
21:27:28 Offset 1409MB (47.64%) Done in 0:09:49 at 21:37:17
21:27:53 Offset 1493MB (50.47%) Done in 0:09:10 at 21:37:03
21:28:14 Offset 1577MB (53.31%) Done in 0:08:30 at 21:36:44
21:28:32 Offset 1660MB (56.14%) Done in 0:07:48 at 21:36:20
21:28:56 Offset 1744MB (58.98%) Done in 0:07:14 at 21:36:10
21:29:22 Offset 1828MB (61.82%) Done in 0:06:41 at 21:36:03
21:29:42 Offset 1912MB (64.65%) Done in 0:06:06 at 21:35:48
21:30:02 Offset 1996MB (67.49%) Done in 0:05:32 at 21:35:34
21:33:49 Offset 2080MB (70.32%) Done in 0:06:27 at 21:40:16
21:35:30 Offset 2164MB (73.16%) Done in 0:06:13 at 21:41:43
21:36:45 Offset 2248MB (75.99%) Done in 0:05:45 at 21:42:30
21:37:24 Offset 2332MB (78.83%) Done in 0:05:04 at 21:42:28
21:39:06 Offset 2415MB (81.66%) Done in 0:04:37 at 21:43:43
21:40:05 Offset 2499MB (84.50%) Done in 0:03:57 at 21:44:02
21:41:36 Offset 2583MB (87.34%) Done in 0:03:20 at 21:44:56
21:42:08 Offset 2667MB (90.17%) Done in 0:02:34 at 21:44:42
21:42:38 Offset 2751MB (93.01%) Done in 0:01:48 at 21:44:26
21:43:12 Offset 2835MB (95.84%) Done in 0:01:04 at 21:44:16
21:43:38 Offset 2919MB (98.68%) Done in 0:00:20 at 21:43:58
All data are read; waiting for threads to finish...
Time elapsed waiting for 4 threads to finish: (timeout in 60 min .)
Time elapsed waiting for 2 threads to finish: 6 sec (timeout in 59 min 54 sec.)
Thread 0: Processing 2936012800
Thread 2: Processing 2516582400
Time elapsed waiting for 1 thread to finish: 12 sec (timeout in 59 min 48 sec.)
Thread 2: Processing 2516582400
Time elapsed waiting for 1 thread to finish: 18 sec (timeout in 59 min 42 sec.)
Thread 2: Processing 2516582400
Time elapsed waiting for 1 thread to finish: 24 sec (timeout in 59 min 36 sec.)
Thread 2: Processing 2516582400
All Threads Finished!
Producer time spent waiting: 1461.1 sec.
Average consumer time spent waiting: 0.954565 sec.
*******************************************
** bulk_extractor is probably CPU bound. **
** Run on a computer with more cores **
** to get better performance. **
*******************************************
Phase 2. Shutting down scanners
Phase 3. Creating Histograms
ccn histogram...
ccn_track2 histogram...
domain histogram...
email histogram...
ether histogram...
find histogram...
ip histogram...
telephone histogram...
url histogram...
url microsoft-live...
url services...
url facebook-address...
url facebook-id...
url searches...
Elapsed time: 1556.47 sec.
Overall performance: 1.90068 MBytes/sec
Total email features found: 5331
If we look at the results the carver extracted, we can see that from the disk we were not able to obtain IP addresses, for example.
darkmac:disco marc$ ls -lh | grep -v 0
drwxr-xr-x 2 marc staff 1,5K 4 ago 21:44 ./
drwxr-xr-x@ 4 marc staff 544B 4 ago 21:18 ../
-rw-r--r-- 1 marc staff 3,3K 4 ago 21:44 ccn.txt
-rw-r--r-- 1 marc staff 451B 4 ago 21:44 ccn_histogram.txt
-rw-r--r-- 1 marc staff 6,5M 4 ago 21:44 domain.txt
-rw-r--r-- 1 marc staff 71K 4 ago 21:44 domain_histogram.txt
-rw-r--r-- 1 marc staff 868K 4 ago 21:44 email.txt
-rw-r--r-- 1 marc staff 12K 4 ago 21:44 email_histogram.txt
-rw-r--r-- 1 marc staff 889B 4 ago 21:44 ether.txt
-rw-r--r-- 1 marc staff 267B 4 ago 21:44 ether_histogram.txt
-rw-r--r-- 1 marc staff 23K 4 ago 21:43 exif.txt
-rw-r--r-- 1 marc staff 622K 4 ago 21:44 json.txt
-rw-r--r-- 1 marc staff 35K 4 ago 21:44 report.xml
-rw-r--r-- 1 marc staff 334K 4 ago 21:44 rfc822.txt
-rw-r--r-- 1 marc staff 18K 4 ago 21:37 telephone.txt
-rw-r--r-- 1 marc staff 515B 4 ago 21:44 telephone_histogram.txt
-rw-r--r-- 1 marc staff 29M 4 ago 21:44 url.txt
-rw-r--r-- 1 marc staff 193B 4 ago 21:44 url_facebook-address.txt
-rw-r--r-- 1 marc staff 1,3M 4 ago 21:44 url_histogram.txt
-rw-r--r-- 1 marc staff 6,4K 4 ago 21:44 url_searches.txt
-rw-r--r-- 1 marc staff 61K 4 ago 21:44 url_services.txt
-rw-r--r-- 1 marc staff 5,8M 4 ago 21:44 windirs.txt
-rw-r--r-- 1 marc staff 14M 4 ago 21:44 winpe.txt
-rw-r--r-- 1 marc staff 466K 4 ago 21:44 winprefetch.txt
-rw-r--r-- 1 marc staff 1,3M 4 ago 21:43 zip.txt
If we diff the domains, for example, we will also see differences between the two sets of results.
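That diff can be scripted. The following is an added example, not code from the original post or from bulk_extractor itself: it parses two histogram files in the layout shown in ip_histogram.txt above (a "#" comment header followed by one n=<count><TAB><feature> line per feature) and reports which domains appear only in the RAM snapshot, only in the disk image, or in both, together with the counts each side saw. The two embedded histogram bodies are constructed samples with made-up domain names; they stand in for memoria/domain_histogram.txt and disco/domain_histogram.txt, which are the files you would actually feed it.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample histogram files in the layout bulk_extractor writes
# (comment header, then "n=<count><TAB><feature>" per line). The domain
# names are made up; only the layout mirrors the ip_histogram.txt above.
MEMORY_DOMAIN_HISTOGRAM = """\
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.4.0-beta5 ($Rev: 10844 $)
# Feature-Recorder: domain
# Filename: Reto Forence-Snapshot1.vmem
# Histogram-File-Version: 1.1
n=247\texample.com
n=91\tmail.example.com
n=12\tupdate.example.net
"""

DISK_DOMAIN_HISTOGRAM = """\
# Feature-Recorder: domain
# Filename: Reto Forence.vmdk
# Histogram-File-Version: 1.1
n=900\texample.com
n=40\tcdn.example.org
n=3\tmail.example.com
"""

# "n=<count>" then whitespace then the feature; anything after the feature
# (bulk_extractor can append an annotation column) is ignored.
HISTOGRAM_LINE = re.compile(r"^n=(\d+)\s+(\S+)")


def parse_histogram(text: str) -> Dict[str, int]:
    """Return {feature: count} from the body of a *_histogram.txt file.

    Lines starting with '#' are the header and blank lines are skipped.
    A feature listed twice (should not happen) keeps the larger count.
    """
    counts: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = HISTOGRAM_LINE.match(line)
        if match is None:
            raise ValueError(f"unexpected histogram line: {raw!r}")
        count, feature = int(match.group(1)), match.group(2)
        counts[feature] = max(count, counts.get(feature, 0))
    return counts


def diff_histograms(
    memory: Dict[str, int], disk: Dict[str, int]
) -> Tuple[List[str], List[str], List[str]]:
    """Split features into (memory only, disk only, in both), each sorted."""
    mem_keys, disk_keys = set(memory), set(disk)
    return (
        sorted(mem_keys - disk_keys),
        sorted(disk_keys - mem_keys),
        sorted(mem_keys & disk_keys),
    )


def top_features(hist: Dict[str, int], k: int) -> List[Tuple[str, int]]:
    """Most frequent features first; ties broken alphabetically."""
    return sorted(hist.items(), key=lambda item: (-item[1], item[0]))[:k]


def main() -> None:
    memory = parse_histogram(MEMORY_DOMAIN_HISTOGRAM)
    disk = parse_histogram(DISK_DOMAIN_HISTOGRAM)
    only_memory, only_disk, both = diff_histograms(memory, disk)
    print("only in RAM snapshot:", only_memory)
    print("only on disk image  :", only_disk)
    print("in both             :", both)
    # Side-by-side counts for the busiest domains in memory.
    for feature, count in top_features(memory, 3):
        print(f"RAM n={count:<4} disk n={disk.get(feature, 0):<4} {feature}")


if __name__ == "__main__":
    main()
```

To run it on real output, replace the two constants with the contents of memoria/domain_histogram.txt and disco/domain_histogram.txt. The "only in RAM snapshot" list is the one to look at first: those names were present in the running system's memory but left nothing the carver could find on disk, which is exactly the kind of lead a carving pass is meant to surface before the detailed analysis starts.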
Data carvers in forensic challenges. Although a forensic challenge consists of many more phases, procedures and actions, we can see that running a carver over the evidence we were given can be very useful as a starting point from which to draw some first conclusions about roughly what happened.