Date posted: 18-Aug-2015
Uploaded by: shailendra-sadh
Agenda
• The Scenario
• Technologies Used
• Investigation Process
• Questions & Results
• Challenges & Future Work
• Tech Pros & Cons
The Scenario
• Suspect Botnet Commander
• Custom Android Application to determine Bot status
• Feds go knocking on the door.
Technologies used
• LiME – Linux Memory Extractor (formerly DMD), a loadable kernel module that dumps physical memory
• Volatility 2.3 (Beta)
  – Open source
  – Extremely capable
  – Wide range of support for Windows and Linux (Android devices are handled through Linux kernel profiles)
• Autopsy
• The investigator's Swiss Army knife – a hex editor
Investigation Process
Seize
• Warrant
• Internal investigation
Acquire
• Hard disk
• Memory
• PCAP/logs
Analyze
• Evidence hashing
• Forensic analysis
Report
• Present findings
• Expert witness
Acquire Droid RAM Dump - Revelations!!
• Acquisition
• ADB – Android Debug Bridge, the USB/TCP channel used to push files to the device and open a shell on it
• KO – no, it is not Knockout! A kernel object (.ko), i.e. a loadable kernel module
• insmod – the "insert module" command that loads a module into kernel space; it needs root
Acquisition over TCP stream
On host:
  $ adb push evo-lime.ko /sdcard/evo-lime.ko
  $ adb forward tcp:4444 tcp:4444
  $ adb shell
On phone (inside the adb shell, as root):
  $ su
  # insmod /sdcard/evo-lime.ko "path=tcp:4444 format=lime"
The module then listens on port 4444 on the device and blocks until a client connects through the forwarded port and reads the stream into a file on the host (for example with netcat against localhost:4444); that receive step is not shown on the slide. evo-lime.ko must have been built against the exact kernel running on the handset (here an HTC Evo 4G), otherwise insmod rejects it with an invalid module format error.
Acquisition on SD card
On host:
  $ adb push evo-lime.ko /sdcard/evo-lime.ko
  $ adb shell
On phone (inside the adb shell, as root):
  $ su
  # insmod /sdcard/evo-lime.ko "path=/sdcard/mdump.lime format=lime"
Writing to the SD card is simpler but modifies storage on the seized device; pull mdump.lime back over adb afterwards and hash both copies.
Analysis
• Calculate MD5/SHA1 hash of acquired evidence
• Document the processes followed
• Record and document suspicious or notable findings
• Don’t Give up!
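The `format=lime` option used during acquisition writes each physical memory range behind a 32-byte LiME header (magic, version, inclusive start and end address, reserved bytes), and the first analysis step above is to hash the evidence. The following Python script is added here as an illustration; it is not part of the original deck or of the LiME or Volatility projects. It parses a LiME dump, lists its ranges, maps a file offset found in a hex editor back to the physical address it came from, and records MD5/SHA-1 hashes (plus SHA-256). The two-range dump it builds is constructed sample data, not the Evo4GRodeo.lime capture.

```python
"""Walk a LiME-format memory dump, map hex-editor offsets to physical
addresses and hash the evidence.  Added example; the sample dump built
below is constructed, not the Evo4GRodeo.lime capture from the deck."""
import hashlib
import struct

# LiME range header as defined in lime.h (packed, little-endian, 32 bytes):
#   uint32 magic (0x4C694D45, "EMiL" on disk), uint32 version (1),
#   uint64 s_addr, uint64 e_addr (inclusive), uint8 reserved[8]
LIME_MAGIC = 0x4C694D45
LIME_VERSION = 1
LIME_HDR = struct.Struct("<IIQQ8s")


def is_lime(data: bytes) -> bool:
    """Cheap sanity check: does the file start with a LiME header?"""
    if len(data) < LIME_HDR.size:
        return False
    magic, version = struct.unpack_from("<II", data, 0)
    return magic == LIME_MAGIC and version == LIME_VERSION


def parse_lime(data: bytes):
    """Return [(s_addr, e_addr, payload_offset, length), ...] for every
    range in the dump, validating each header on the way."""
    ranges = []
    off = 0
    while off < len(data):
        if len(data) - off < LIME_HDR.size:
            raise ValueError(f"truncated header at file offset {off:#x}")
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack_from(data, off)
        if magic != LIME_MAGIC or version != LIME_VERSION:
            raise ValueError(f"bad LiME header at file offset {off:#x}")
        if e_addr < s_addr:
            raise ValueError(f"range end {e_addr:#x} before start {s_addr:#x}")
        length = e_addr - s_addr + 1          # e_addr is inclusive
        payload = off + LIME_HDR.size
        if payload + length > len(data):
            raise ValueError(f"range at {s_addr:#x} runs past end of file")
        ranges.append((s_addr, e_addr, payload, length))
        off = payload + length
    return ranges


def file_offset_to_phys(ranges, file_off: int):
    """Translate a raw file offset (what a hex editor shows) into the
    physical address it came from; None if it lands inside a header."""
    for s_addr, _e_addr, payload, length in ranges:
        if payload <= file_off < payload + length:
            return s_addr + (file_off - payload)
    return None


def hash_evidence(data: bytes) -> dict:
    """MD5/SHA-1 as on the slide, plus SHA-256 for a collision-resistant record."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def build_sample_dump() -> bytes:
    """Constructed two-range dump: 1 KiB at 0x0 and a 96-byte range at
    0x10000000 carrying a recognisable string.  Stand-in for real RAM."""
    blob = b""
    for start, payload in ((0x0, bytes(range(256)) * 4),
                           (0x10000000, b"seccncviewer" * 8)):
        blob += LIME_HDR.pack(LIME_MAGIC, LIME_VERSION, start,
                              start + len(payload) - 1, b"\0" * 8)
        blob += payload
    return blob


if __name__ == "__main__":
    dump = build_sample_dump()
    ranges = parse_lime(dump)
    for s, e, payload, length in ranges:
        print(f"range {s:#018x}-{e:#018x}  {length:>8} bytes  @file {payload:#x}")
    hit = dump.find(b"seccncviewer")
    print(f"'seccncviewer' at file offset {hit:#x} -> "
          f"phys {file_offset_to_phys(ranges, hit):#x}")
    for alg, digest in hash_evidence(dump).items():
        print(f"{alg:6} {digest}")
```

Run it against a real capture by reading the .lime file into `data`; a string hit from the hex editor can then be turned into a physical address with `file_offset_to_phys` and looked up with Volatility's volshell.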
Droid RAM Analysis – Revelations!!
• Volatility 2.3 (Beta)
• Profile used: LinuxEvo4Gx86
• Find the available Linux plugins by running:
  python vol.py --profile=LinuxEvo4Gx86 -f Evo4GRodeo.lime --info | grep linux_
• Complete list available at: https://code.google.com/p/volatility/wiki/LinuxCommandReference23#linux_volshell
1) When was LiME run, and what were the exact parameters used?
   python vol.py --profile=LinuxEvo4Gx86 -f Evo4GRodeo.lime linux_psaux | grep lime
   (insmod is still running while the module writes the dump, so its full command line, including the path= and format= parameters, is present in the captured process list)
2) What was the device's IP address?
   python vol.py --profile=LinuxEvo4Gx86 -f Evo4GRodeo.lime linux_ifconfig
3) What are the IP and MAC address of the device's gateway?
   python vol.py --profile=LinuxEvo4Gx86 -f Evo4GRodeo.lime linux_arp
4) Find a list of running processes. Do any appear to be of interest? List them, along with time of execution.
   PID    UID    Process
   712    10018  com.smithmicro.DM
   751    10066  com.pv.wmdrmservice
   780    1000   com.pv.wmdrmproxy
   1860   10093  com.l33t.seccncviewer
   659    10047  htcloggerd
   662    10047  ghost
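Question 4 asks which of the listed processes look interesting. A cheap first pass on Android is to read the UID column against the platform's UID conventions: 0 is root, 1000 is system, 2000 is shell, and 10000 to 19999 are per-app UIDs (shown by ps as u0_a0 onwards), so a native-looking process name running under an app UID, or two processes sharing one app UID, stands out. The Python below is an added triage helper, not part of the deck or of Volatility. It runs over the six rows above (reproduced as constructed input) and flags `htcloggerd` and `ghost`, which share UID 10047, and `com.pv.wmdrmproxy` running as system. It will not single out the bot app `com.l33t.seccncviewer` on its own, which is why the email evidence in question 5 mattered.

```python
"""Triage an Android process list by UID convention.  Added example, not
from the deck; the rows below are copied from the slide's table."""
import re
from collections import defaultdict

# Well-known Android IDs (system/core/include/private/android_filesystem_config.h)
AID_ROOT, AID_SYSTEM, AID_RADIO, AID_SHELL = 0, 1000, 1001, 2000
AID_APP, AID_APP_LAST = 10000, 19999   # per-app UIDs, shown as u0_a<N> by ps

# Java-style package name, optionally with a ":process" suffix
PACKAGE_RE = re.compile(r"^[a-z_]\w*(\.[a-z_]\w*)+(:\S+)?$", re.I)

# Rows from the slide (PID UID Process), constructed here as the script's input
SAMPLE_TABLE = """\
712  10018 com.smithmicro.DM
751  10066 com.pv.wmdrmservice
780  1000  com.pv.wmdrmproxy
1860 10093 com.l33t.seccncviewer
659  10047 htcloggerd
662  10047 ghost
"""


def uid_label(uid: int) -> str:
    """Render a numeric UID the way Android's ps would name it."""
    fixed = {AID_ROOT: "root", AID_SYSTEM: "system",
             AID_RADIO: "radio", AID_SHELL: "shell"}
    if uid in fixed:
        return fixed[uid]
    if AID_APP <= uid <= AID_APP_LAST:
        return f"u0_a{uid - AID_APP}"
    return f"uid{uid}"


def parse_table(text: str):
    """Parse 'PID UID name' rows into (pid, uid, name) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            rows.append((int(parts[0]), int(parts[1]), parts[2].strip()))
    return rows


def triage(rows):
    """Return (pid, uid, name, reason) for every row worth a second look."""
    by_uid = defaultdict(list)
    for _pid, uid, name in rows:
        by_uid[uid].append(name)

    findings = []
    for pid, uid, name in rows:
        label = uid_label(uid)
        app_uid = AID_APP <= uid <= AID_APP_LAST
        package_like = bool(PACKAGE_RE.match(name))
        if app_uid and not package_like:
            findings.append((pid, uid, name,
                             f"native-looking name running under app UID {label}"))
        if app_uid and len(by_uid[uid]) > 1:
            others = ", ".join(n for n in by_uid[uid] if n != name)
            findings.append((pid, uid, name, f"shares {label} with {others}"))
        if not app_uid and package_like:
            findings.append((pid, uid, name,
                             f"package process running as {label} (sharedUserId?)"))
    return findings


if __name__ == "__main__":
    for pid, uid, name, reason in triage(parse_table(SAMPLE_TABLE)):
        print(f"{pid:>5} {uid:>6} {uid_label(uid):<8} {name:<28} {reason}")
```

The UID heuristic is only a pointer: a shared app UID is legitimate for packages declaring the same sharedUserId, so each hit still has to be confirmed against the APKs and the process memory itself.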
5) Find any communication that would suggest information about the origin of the application and its author. Acquire a copy of the application, if possible.
Sanitized email extract, carved from the memory dump with a hex editor (raw Gmail HTML as found):
<div class="gm-sender-name" style="color:#00681c">Joe Sylve</div><div class="gm-sender-email">joe.sylve<span></span>gmail.com</div>:<div class="gm-date">Aug 4</div><div class="gm-time">1:33am</div>:<td class="gm-recipient-title">To:</td><td class="gm-recipient-list">rodeo.wrangler.2012<span></span>gmail.com</td>:<div class="gm-body">..<div class="gm-message-content" style="zoom:1.5">Hey man.. Here's the app, it shouldn't leave any evidence on the phone, so feel free to burn it any time. Now please... send my money! I really need another ride on the mechanical whale...<div><br></div><div><a href="http://db.tt/9UECzowS" target="_blank">http://db.tt/9UECzowS</a><font color=#888888>:<br>..<div><br></div><div>-Joe</div></font></div></div>
• File retrieved and executed for dynamic analysis – seccncviewer.apk
Challenges
Q6) What is the IP address of the server that the application is connecting to?
• Most Volatility network commands gave no results
• No interesting IPs found in a hex dump of the .lime and .apk files
• Extracted the route-cache entries (just too much data)
• Tried to emulate the bot connection – potentially different IP addresses found
• Not enough time and lack of forensics skill!!!
Challenges - Cont
Q7) Recover any information about the bots. Files found:
• BOTStatusActivity.java (extracted from the LiME dump while carving ELF files)
• com.l33t.seccncviewer.PullToRefreshListActivity
• botInfo.xml (still need to figure out the XML structure)
• Distributed by Joe Sylve :P
• Bots are spread over multiple locations; the app tries to connect every few milliseconds (267, probably)
• Not enough time and lack of forensics and reverse-engineering skills!!!
Future Work
• Case perspective
  – Search for and extract ELF (Executable and Linkable Format) files to possibly find source code of the application (note that an Android app's own code is Dalvik bytecode in the APK's classes.dex, so ELF carving recovers native libraries and system binaries rather than the app's source)
  – Find more traces of botInfo.xml
  – Learn assembly!!!
  – Work out the encryption used (maybe RSA!)
Tech – Pros & Cons
• Volatility 2.3 Beta
  – Brilliant memory analysis toolkit
  – Android forensics support still in its nascent stages
• Focus on Windows forensics! (Well, obviously :P)
• Customization of open source tools (time & skills!)