[cryptome] Re: minimum viable toolset for low level malware forensics [was: BadBIOS forensics]

  • From: Ryan Carboni <ryacko@xxxxxxxxx>
  • To: cryptome@xxxxxxxxxxxxx
  • Date: Tue, 5 Aug 2014 11:02:11 -0700

Play loud rap music.

On Tue, Aug 5, 2014 at 5:22 AM, doug <douglasrankine2001@xxxxxxxxxxx> wrote:

> How does one suppress the noise which comes out of ones computers. How
> does one suppress the noise that an individual Faraday cage makes...Each
> and every component in a computer and the internet of things emits an
> identifiable noise pattern.  Even the variations of the phases of electric
> current in the mains power supply can determine time and place of
> transmission of data...such are the laws of quantum mechanics. Good
> forensic tools,  can take a hard disk back to the original writing and
> reading, even with the best of erasure tools.
> Just a thought.
> Dougie.
> On 20/07/14 08:07, coderman wrote:
>> On Wed, Jul 16, 2014 at 4:19 AM, Bluelotus <bluelotus@xxxxxxxxxxxxxxx>
>> wrote:
>>> ...
>>> I wrote threads on my limited ability to perform forensics
>> for those technical, the minimum viable toolset for identifying low
>> level subversive programming is:
>> - a solid base (clean hw, clean installs, clean environment) in a
>> separate location with RF shielding. (a closed metal barn out in the
>> country, for example. if you're a geek you love the thought of a
>> faraday closet ;)
>> - instrumented runtime (e.g. volatility memory forensics, system
>> performance profiling, all to append only storage) on any systems you
>> are using as suspect to attack.
>> - obstructed runtime (see thread on "how to hack your systems before
>> someone else") - this is optional; a modified system that appears to
>> be vulnerable / stock condition will exhibit undefined behavior under
>> attempted enabling, sometimes. otherwise it may be difficult to
>> identify a successful infection.
>> - direct flash memory pinout rig (specs for all chips including flash
>> memory associated with BIOS, integrated management controllers,
>> network devices, I/O ports, keyboard, trac pad or mouse, HD/DVD/CD
>> drives, graphics memory, wifi, 4g, and bluetooth wireless adapters
>> will be needed  you're programming an FPGA to perform reads directly
>> from the flash chips. converting flash memory into high level block
>> storage the next black art upward.
>> - wide band high performance software defined radio. you will be
>> building custom GNU radio blocks and running many from third party
>> repositories or research projects. you are using a two stage process,
>> where wide sweeps and auto ranging are applied to sample swaths of
>> signal of interest to storage. then parallel processing on other
>> hardware or later time (off-use-hours) extracting known / useful data
>> and anomalies for further analysis.
>> - in-line network archival, shaping, and cut-out for link to internet
>> / local network. this works best as a zero visibility transparent
>> ethernet bridge with ARP spoofing and ether mangling at each end. that
>> does not speak IP at all. the shaping is used to squelch suspect or
>> unexpected peak traffic (both a signalling system for malicious
>> activity and a means to constrain the reach once compromised)
>> as per the kit above,
>> you are instrumenting a system to observe its runtime behavior on an
>> external audit system. this is because the advanced attacks inject
>> into processes and ring0, persisting only what is needed / chosen
>> (enabling hooks). you need to capture the active payloads that are
>> delivered on-demand in host memory space.
>> you are observing the network and RF space for anomalies and
>> discrepancies. for example, a wifi radio disabled yet still emitting
>> into 2.4Ghz/5.xGhz spectrum.  network captures also provide evidence
>> to correlate with malicious memory, for example identifying a payload
>> delivered over the network, with keys from volatility used to decrypt
>> the encrypted communications containing the payload identified in
>> memory.
>> you are (sometimes destructively) sampling all flash memory as parts
>> of advanced payloads persist outside of the OS and storage level
>> interface visibility. (stealth at bus/bios level). discrepancies in
>> blocks that should not have changed, executable code segments where
>> not expected, strange carvings of wear leveling around "protected"
>> offsets. all of these are indicators for further scrutiny and
>> instruction level reversing (if corresponding to microcontroller
>> programming instructions for manipulating streams read or written to
>> and from device, for example :)
>> last but not least, you are not getting attached to any hardware,
>> because at any moment you may find it all suspect and have to replace
>> all laptops, desktops, routers, printers, mobile devices, storage
>> media, media servers, smart televisions, and god forbid you installed
>> one of those intelligent thermostats. [ laugh for sanity, then go back
>> and read the list, and then understand that the far end of the nation
>> state malware asymptote is full of freaky exotics. i also hope you
>> never hit that level of "all systems go" *grin* ]
>> best regards,

Other related posts: