5.2. Digital forensics

Date post: 18-Jul-2015
Upload: defconmoscow
Digital forensics (intro), by Anton Kalinin & George Lagoda, Feb 15, 2014
Transcript

Digital forensics (intro)

By Anton Kalinin & George Lagoda

Feb 15, 2014

/whoami

Anton Kalinin

Malware analyst
Interests: bad toilet selfie

Work at . . .

/wh0x41mi

George Lagoda

Security expert, pentester
Interests: [deep|web] penetrations, reversing, forensics,

Work at . . .

Digital forensics, The. [quote]

Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.

[/quote]

What itz all about?

What we're going to talk about

• Data recovery
• Evidence detection
• Group-IB Olympic case discussion
• Some tools discussion

Basically we're just going to run through one more or less real, interesting case and discuss the techniques and tools we used…

Why do we need data recovery?

Why else we need data recovery:
• Damaged discs
• Damaged images
• Deleted files
• Something encrypted
• Something partially missing
• Something damaged by malware
[…]
All of these things can hide evidence of a crime.

What can be restored

• MBR
• Partition table
• Encrypted volume
• Private PGP key, certificates, etc.
• Files/audio/video…

Why? Because it is still data with headers, structure, etc…
How? TOOLS. Coming up later…

Can I haz cheezburger now?

Group-IB image
• E01 format (Elcomsoft – making expensive but not very fast forensics software.)
• Image damaged
• 40 GB of unallocated space
• No partition table
• 1 employee does not want to go to jail.

Can we help Anna?

And do u want to help her in that case?

Scanning disc with R-Studio

Trying to access the file system

Tasks for helping Anna
• Find all partitions, their FS, size
• Find system info: OS versions, system time, machine name, last power-off time
• All user accounts
• Autorun programs
• All email addresses
• Storage of the secret key for the digital signature, and whether there is anything indicating this key was compromised
• Antivirus software, malware detections, RDP connections, other people involved, their mails, malware on the disc, and some additional info about the incident on the disc…

Finding all partitions with disk internal partition recovery
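With the partition table gone, a partition recovery tool finds volumes by scanning the unallocated space for boot-sector signatures. The added example below (not code from the talk or from R-Studio) shows the core of that technique for NTFS on a constructed image: it scans every sector boundary for the "NTFS    " OEM ID and 0x55AA signature, reads the volume size from the BIOS parameter block, and verifies each hit against the backup boot sector NTFS keeps in the volume's last sector so that stray signatures in unallocated data can be told apart from real volumes.

```python
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "

def ntfs_boot_sector(total_sectors: int) -> bytes:
    """Build a minimal NTFS boot sector (constructed sample, not from a real disk)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"                      # x86 jump over the BPB
    bs[3:11] = NTFS_OEM                            # OEM ID at offset 0x03
    struct.pack_into("<H", bs, 11, SECTOR)         # bytes per sector (offset 0x0B)
    bs[13] = 8                                     # sectors per cluster (offset 0x0D)
    struct.pack_into("<Q", bs, 40, total_sectors)  # total sectors (0x28), excludes the backup sector
    bs[510:512] = b"\x55\xaa"                      # boot signature
    return bytes(bs)

def find_ntfs_volumes(image: bytes) -> list:
    """Scan every sector boundary for NTFS boot sectors; verify each hit
    against the backup boot sector stored in the volume's last sector."""
    volumes, backups = [], set()
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        if off in backups:
            continue                               # already identified as a backup copy
        sec = image[off:off + SECTOR]
        if sec[3:11] != NTFS_OEM or sec[510:512] != b"\x55\xaa":
            continue
        bps = struct.unpack_from("<H", sec, 11)[0]
        total = struct.unpack_from("<Q", sec, 40)[0]
        backup_off = off + total * bps             # backup boot sector is a byte-exact copy
        verified = image[backup_off:backup_off + SECTOR] == sec
        if verified:
            backups.add(backup_off)
        volumes.append({"start_sector": off // SECTOR,
                        "size_sectors": total + 1,  # partition includes the backup sector
                        "verified": verified})
    return volumes

def sample_image() -> bytes:
    """Constructed image: no partition table, two NTFS volumes, one decoy signature."""
    img = bytearray(10240 * SECTOR)                # 5 MiB of zeroed 'unallocated' space
    for start, total in ((2048, 4095), (8192, 2047)):
        bs = ntfs_boot_sector(total)
        img[start * SECTOR:(start + 1) * SECTOR] = bs
        end = start + total                        # last sector of the volume
        img[end * SECTOR:(end + 1) * SECTOR] = bs  # backup boot sector
    img[8000 * SECTOR:8001 * SECTOR] = ntfs_boot_sector(100)  # decoy: no backup behind it
    return bytes(img)

if __name__ == "__main__":
    for v in find_ntfs_volumes(sample_image()):
        print(v)
```

On a real image the same scan is run over the raw bytes of the E01 after conversion to a flat image, and unverified hits are the ones to inspect by hand.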

Gathering system info
• Recovering files from Windows\System32\config – System, Software, Security, Sam
• Recovering NTUSER.dat from Users\[username]
• Downloading MiTec Windows Registry Recovery (www.mitec.cz/wrr.html)
• Obtaining system info

Searching for malware
• autoruns
• %temp%
• %windir% or %systemdir%
• Java cache
• downloads :)
and so on

Malware analysis
• fast way – monitors:
  - procmon
  - wireshark
  - Total Uninstall
• my way:
  - hiew + IDA

Anna's case. Found malware:
• Mipko keylogger (already in AV databases)
• KIS quarantined file
• xls.exe (drops xls + rdptool + installer)

It's enough to do bad stuff.

Dropper.xls .exe

So now we have
Windows 7 Ultimate
Product ID: 00426-OEM-8992662-00400
Key: 342DG-6YJR8-X92GV-V7DCV-P4K27
Version: Multiprocessor Free 6.1.7601.win7sp1_gdr.120330-1504
Install date: 12.04.2013 17:09:15
With users:

Finding autorun with WRR

Secret key storage

Recovering files and installing GNU4WIN on a VM. Placing the recovered files in the same folder on the VM. Opening Kleopatra.

Obtaining secret key

We need to find the TC password and check it on this secret file. A possible way is to look for the keylogger and dig for its logs or screenshots.

Potential TC container

Keylogger’s log

TC cracked

What do we have?
• System was compromised
• Attackers obtained all passwords and key files to perform the crime
• Anna will be OK. Don't worry.

Y.O.B.A. hacking

The end.
