F.I.R.E. - PowerPoint PPT Presentation

About This Presentation
Title:

F.I.R.E.

Description:

Information Networking Security and Assurance Lab. National Chung ... Examine an Unknown malware binary (Open Source tools) The Sleuth Kit. autopsy. strings ... – PowerPoint PPT presentation

Slides: 51
Provided by: insaCom

Transcript and Presenter's Notes

1
F.I.R.E.
  • Forensics Incident Response Environment

2
Outline
  • Preface
  • Analyze Unknown Binary
  • F.I.R.E.
  • Example
  • Conclusion

4
What and the Purpose
  • Examine an unknown malware binary with open-source
    tools:
  • The Sleuth Kit
  • autopsy
  • strings
  • hexedit
  • F.I.R.E.
  • packages all of these tools together on a bootable CD

6
Under an Unknown Condition
  • Possibly where the binary came from
  • What the binary's purpose is
  • It may be possible to identify when the system
    was compromised and the binary installed
  • It may also be possible to discover which user id
    facilitated the compromise of the system

7
Binary Details
  • From
  • http://www.giac.org/gcfa/binary_v1.3.zip

Record what the archive listing shows before extracting anything:
  • Userid, md5sum, CRC number
  • The last modified time
  • The file size when extracted
  • The file size within the archive
8
The strings command
  • Parses an input file and outputs the readable strings
  • Read through the output sequentially

May be an ICMP back-door to a cmd.exe shell
May deal with creating and starting services
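As an added example (not from the slides), the Python below re-implements what `strings` does: it scans for runs of printable ASCII, and, like `strings -e l`, for UTF-16LE runs that Windows binaries commonly carry and the default scan misses. Each hit comes with its file offset, which is the number you would then jump to in hexedit. The input blob is constructed here and is not a fragment of the GIAC binary.

```python
import re

# Constructed sample blob (not bytes from the GIAC binary): two ASCII strings,
# non-printable gaps, one UTF-16LE string, and a run too short to report.
SAMPLE = (
    b"MZ\x90\x00"
    + b"cmd.exe\x00"
    + b"\xff\xfe"
    + b"WS2_32.dll\x00\x7f"
    + "loki".encode("utf-16-le")   # l\0o\0k\0i\0: invisible to a plain ASCII scan
    + b"\x00\x00ab\x00"
)

PRINTABLE = rb"[\x20-\x7e]"   # the byte range `strings` treats as printable


def ascii_strings(data, min_len=4):
    """(offset, text) for every run of >= min_len printable ASCII bytes,
    the same scan `strings` performs by default."""
    pat = re.compile(PRINTABLE + b"{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def utf16le_strings(data, min_len=4):
    """(offset, text) for runs of >= min_len printable characters stored as
    UTF-16LE (each printable byte followed by 0x00), like `strings -e l`."""
    pat = re.compile(b"(?:" + PRINTABLE + b"\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(data)]


def all_strings(data, min_len=4):
    """Both scans merged and sorted by file offset; the second field marks the
    encoding ('a' ASCII, 'l' UTF-16LE) so a hit can be located in hexedit."""
    hits = [(off, "a", s) for off, s in ascii_strings(data, min_len)]
    hits += [(off, "l", s) for off, s in utf16le_strings(data, min_len)]
    return sorted(hits)


if __name__ == "__main__":
    for off, enc, text in all_strings(SAMPLE):
        print("%08x %s %s" % (off, enc, text))
```

Lowering `min_len` surfaces short tokens such as the `MZ` header tag but also far more noise; run both encodings before concluding that a password or hostname is absent from the binary.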
9
The hexedit command
  • The purposes
  • Confirm the function of the application
  • Confirm who was involved in its creation or
    distribution (possibly)

The command line
Some of the information you are interested in
10
The person who may have compiled, written or created the
zip file
May be an ICMP back-door to a cmd.exe shell
11
May be the hacker's message
smesses.exe and reg.exe querying and modifying
registry entries
The IP address
12
KERNEL32.dll ADVAPI32.dll WS2_32.dll MSVCRT.dll MSVP60.dll
Some DLL files
13
The objdump command
  • View library information about a binary
    executable
  • -p option
  • Print the object header information

The command
The time and date stamp in the header
14
The kernel interface calls deal with pipes and
handles, so the application was talking to other
processes or applications
15
The application was doing something to the
system's services
16
Socket IOCTL calls are imported, so the application
communicates with external applications through a
socket
17
Shows the basic terminal I/O communications
through the standard MSVCRT library
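What `objdump -p` prints under the import tables comes from the PE import directory. As an added example, not part of the slides, the Python below parses that directory directly from a PE32 file. Because it must run offline it also constructs a minimal PE of its own (not the GIAC sample); the DLL and function names in that fixture are assumptions chosen to mirror the observations above: a named-pipe call from KERNEL32.dll, a service call from ADVAPI32.dll and ioctlsocket from WS2_32.dll, plus one import by ordinal.

```python
import struct


def _rva_to_off(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")


def pe_imports(data):
    """Return {dll: [imported names]} from a PE32 file's import directory,
    which is what `objdump -p` lists under its import tables."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    if struct.unpack_from("<I", data, opt + 92)[0] < 2:    # NumberOfRvaAndSizes
        return {}
    imp_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]   # directory[1]
    sections = []
    for i in range(nsect):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    imports = {}
    if imp_rva == 0:
        return imports
    desc = _rva_to_off(sections, imp_rva)
    while True:        # IMAGE_IMPORT_DESCRIPTOR entries end with an all-zero one
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        funcs = []
        thunk = _rva_to_off(sections, oft or ft)   # fall back to FirstThunk
        while True:
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            if entry & 0x80000000:                 # import by ordinal
                funcs.append("ordinal %d" % (entry & 0xFFFF))
            else:                                  # hint (2 bytes) then name
                funcs.append(_cstr(data, _rva_to_off(sections, entry) + 2))
            thunk += 4
        imports[_cstr(data, _rva_to_off(sections, name_rva))] = funcs
        desc += 20
    return imports


def build_sample_pe():
    """Constructed minimal PE32 (not the GIAC sample) with a single .idata
    section; the DLL/function names are assumptions chosen to mirror the
    slides' pipe, service and socket observations."""
    base, raw_off = 0x1000, 0x200
    blob = bytearray()

    def add(b):
        rva = base + len(blob)
        blob.extend(b)
        return rva

    desc_rva = add(b"\0" * 80)                     # 3 descriptors + terminator
    k_thunk, a_thunk, w_thunk = add(b"\0" * 12), add(b"\0" * 8), add(b"\0" * 12)
    k_name, a_name, w_name = add(b"KERNEL32.dll\0"), add(b"ADVAPI32.dll\0"), add(b"WS2_32.dll\0")
    hn = {f: add(b"\0\0" + f + b"\0")               # hint/name entries
          for f in (b"CreateNamedPipeA", b"CreateProcessA", b"CreateServiceA", b"ioctlsocket")}
    struct.pack_into("<III", blob, k_thunk - base, hn[b"CreateNamedPipeA"], hn[b"CreateProcessA"], 0)
    struct.pack_into("<II", blob, a_thunk - base, hn[b"CreateServiceA"], 0)
    struct.pack_into("<III", blob, w_thunk - base, hn[b"ioctlsocket"], 0x80000000 | 57, 0)
    for i, (name, thunk) in enumerate(((k_name, k_thunk), (a_name, a_thunk), (w_name, w_thunk))):
        struct.pack_into("<IIIII", blob, i * 20, thunk, 0, 0, name, thunk)

    dirs = [(0, 0)] * 16
    dirs[1] = (desc_rva, 80)                       # import directory
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", r, s) for r, s in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = b".idata\0\0" + struct.pack("<IIII", len(blob), base, len(blob), raw_off) + b"\0" * 16
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return bytes(hdr + b"\0" * (raw_off - len(hdr)) + blob)


if __name__ == "__main__":
    for dll, funcs in pe_imports(build_sample_pe()).items():
        print(dll, ", ".join(funcs))
```

Point `pe_imports` at the bytes of a real binary (`open(path, "rb").read()`) to get the same DLL list the slides show; a packed sample typically imports only LoadLibrary/GetProcAddress, which is itself a finding.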
18
The f-prot command
  • It's a virus scanner
  • Can live-update (/usr/local/f-prot/update-defs.sh)

The command
Nothing is found (a clean signature scan does not
prove the binary is harmless)
19
All evidence leads me to conclude
  • An ICMP back-door to cmd.exe
  • Default password may be loki
  • Coded by Spoof
  • Hacker group: MFC
  • May have been installed by local user Rich

20
From Google
  • http://packetstormsecurity.com/crypt/misc/loki2.tar.gz
  • Coded for Windows, based on loki2 for
    Unix-like OSes

22
What
  • A bootable Linux CD that turns any machine into a
    forensics workstation
  • Boots the entire system without touching the local
    system
  • Open source
  • http://fire.dmzs.com
  • http://www.sourceforge.net/projects/biatchux

23
How
  • F.I.R.E. runs from a RAM disk, so it does not
    touch the host system or the images
  • Log the information you need to the /data/
    directory

24
Two quick ways of using F.I.R.E.
  • Burn the ISO to a CD and boot from it
  • The ISO can be booted from within VMware

25
Autopsy
  • http://www.sleuthkit.org/autopsy/desc.php
  • Graphical interface
  • Some features
  • Case Management
  • File Analysis
  • File Content Analysis
  • File Type
  • Hash Database
  • Timeline of File Activity
  • Keyword Search
  • Meta Data Analysis
  • Image Details
  • Image integrity
  • Notes
  • Reports
  • Logging
  • Open Design
  • Client Server Model

27
The compromised image
  • From the Digital Forensics Research Workshop
  • http://www.dfrw.org
  • Download site
  • http://www.honeynet.org/scans/scan24/

28
VMware
Select the ISO image
The beginning
29
Set up your network (1/2)
  • Prompt mode

Start menu
Many options
30
Set up your network (2/2)
Set up the IP address, netmask and default
gateway
  • Command line

31
Log your activity
Like the script command
Right click -> Shells/Consoles -> logging -> respawn
all logging xterms
The data is saved to /data/consolelogs/user/date-tty.log
32
consh and replay
  • consh (shell script)
  • Does the logging
  • replay (command)
  • replay May30-182215-tty_ttyp0.log.timing
    May30-182215-tty_ttyp0.log

33
Start
Command
You must point your browser at this URL to
start
34
Set up the Case
Select
/data/<CASE-NAME>
35
Add Host
36
Add Image
37
Analysis type
  • File analysis
  • Browse the various files available on the image,
    including deleted files
  • Keyword search
  • Search the image for various keywords
  • File type
  • Run the sorter that counts the various file types
    on the image
  • Image details
  • Contains summary data about the image
  • Meta Data
  • Enter a meta data number to search
  • Data Unit
  • Allows entry of a sector number

38
Some tests (1/6)
39
Some tests (2/6)
Enter what you want to search for
Quick search
40
Some tests (3/6)
Summary
41
Some tests (4/6)
42
Some tests (5/6)
43
Some tests (6/6)
44
The final step
  • Create Data File
  • Create Timeline
  • tar and md5sum
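Autopsy's Create Data File and Create Timeline steps correspond to the Sleuth Kit body file and mactime. As an added example, not the slides' or Autopsy's own code, the Python below builds a mactime-style timeline from a body file in the 11-field format current Sleuth Kit releases use (an assumption: the FIRE-era Sleuth Kit used a longer body format) and hashes the rendered report so the digest can be recorded alongside the tar and md5sum step. The body lines are constructed sample data, not rows from the scan24 image.

```python
import hashlib
from datetime import datetime, timezone

# Constructed body-file lines (not from the scan24 image) in the 11-field
# Sleuth Kit format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODY = """\
0|/WINNT/system32/cmd.exe|1234|r/rrwxrwxrwx|0|0|236304|1022000000|1021990000|1021990000|0
0|/WINNT/system32/unknown.exe|5678|r/rrwxrwxrwx|0|0|45056|1022010000|1022000000|1022000000|0
0|/WINNT/system32/drivers/etc/hosts|91|r/rrw-rw-rw-|0|0|734|1022005000|1021990000|1022000000|0
"""


def parse_body(text):
    """One dict per body line; raises on lines that do not have 11 fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError("expected 11 fields, got %d: %r" % (len(f), line))
        rows.append({"name": f[1], "inode": f[2], "mode": f[3], "uid": f[4],
                     "gid": f[5], "size": int(f[6]),
                     "m": int(f[8]), "a": int(f[7]), "c": int(f[9]), "b": int(f[10])})
    return rows


def build_timeline(rows):
    """mactime-style list of (epoch, 'macb' flags, size, inode, name), one entry
    per file per distinct timestamp; a zero timestamp is 'unknown' and skipped."""
    events = {}
    for r in rows:
        for k in "macb":
            if r[k]:
                events.setdefault((r[k], r["name"]), (r, set()))[1].add(k)
    out = []
    for (t, name), (r, flags) in sorted(events.items()):
        macb = "".join(k if k in flags else "." for k in "macb")
        out.append((t, macb, r["size"], r["inode"], name))
    return out


def render(timeline):
    """Text report in UTC, one line per event (the 'Create Timeline' output)."""
    lines = []
    for t, macb, size, inode, name in timeline:
        when = datetime.fromtimestamp(t, timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        lines.append("%s %8d %s %s %s" % (when, size, macb, inode, name))
    return "\n".join(lines) + "\n"


def md5_of(text):
    """Digest to record with the tar/md5sum step so the report can be verified later."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    report = render(build_timeline(parse_body(BODY)))
    print(report)
    print("md5:", md5_of(report))
```

Rendering in UTC avoids the shifted timestamps you get when the analysis workstation and the imaged system sit in different time zones; note the zone you used in the case notes.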

48
Do not touch the local system
49
Additional Information (1/2)
  • VNC

A VNC connection over the Internet
50
Additional Information (2/2)
  • Some legal issues
  • Go to the INSA Knowledge-Base