[cryptome] Re: minimum viable toolset for low level malware forensics [was: BadBIOS forensics]

  • From: Aftermath <aftermath.thegreat@xxxxxxxxx>
  • To: "cryptome@xxxxxxxxxxxxx" <cryptome@xxxxxxxxxxxxx>
  • Date: Tue, 5 Aug 2014 13:26:59 -0700


On Tue, Aug 5, 2014 at 11:02 AM, Ryan Carboni <ryacko@xxxxxxxxx> wrote:

> Play loud rap music.
> On Tue, Aug 5, 2014 at 5:22 AM, doug <douglasrankine2001@xxxxxxxxxxx>
> wrote:
>> How does one suppress the noise which comes out of one's computers? How
>> does one suppress the noise that an individual Faraday cage makes... Each
>> and every component in a computer and the internet of things emits an
>> identifiable noise pattern. Even the variations of the phases of electric
>> current in the mains power supply can determine time and place of
>> transmission of data... such are the laws of quantum mechanics. Good
>> forensic tools can take a hard disk back to the original writing and
>> reading, even with the best of erasure tools.
>> Just a thought.
>> ATB
>> Dougie.
>> On 20/07/14 08:07, coderman wrote:
>>> On Wed, Jul 16, 2014 at 4:19 AM, Bluelotus <bluelotus@xxxxxxxxxxxxxxx>
>>> wrote:
>>>> ...
>>>> I wrote threads on my limited ability to perform forensics
>>> for those technical, the minimum viable toolset for identifying low
>>> level subversive programming is:
>>> - a solid base (clean hw, clean installs, clean environment) in a
>>> separate location with RF shielding. (a closed metal barn out in the
>>> country, for example. if you're a geek you love the thought of a
>>> faraday closet ;)
>>> - instrumented runtime (e.g. volatility memory forensics, system
>>> performance profiling, all to append only storage) on any systems you
>>> are using as suspect to attack.
>>> - obstructed runtime (see thread on "how to hack your systems before
>>> someone else") - this is optional; a modified system that appears to
>>> be vulnerable / stock condition will exhibit undefined behavior under
>>> attempted enabling, sometimes. otherwise it may be difficult to
>>> identify a successful infection.
>>> - direct flash memory pinout rig (specs for all chips including flash
>>> memory associated with BIOS, integrated management controllers,
>>> network devices, I/O ports, keyboard, track pad or mouse, HD/DVD/CD
>>> drives, graphics memory, wifi, 4g, and bluetooth wireless adapters
>>> will be needed  you're programming an FPGA to perform reads directly
>>> from the flash chips. converting flash memory into high level block
>>> storage the next black art upward.
>>> - wide band high performance software defined radio. you will be
>>> building custom GNU radio blocks and running many from third party
>>> repositories or research projects. you are using a two stage process,
>>> where wide sweeps and auto ranging are applied to sample swaths of
>>> signal of interest to storage. then parallel processing on other
>>> hardware or later time (off-use-hours) extracting known / useful data
>>> and anomalies for further analysis.
>>> - in-line network archival, shaping, and cut-out for link to internet
>>> / local network. this works best as a zero visibility transparent
>>> ethernet bridge with ARP spoofing and ether mangling at each end. that
>>> does not speak IP at all. the shaping is used to squelch suspect or
>>> unexpected peak traffic (both a signalling system for malicious
>>> activity and a means to constrain the reach once compromised)
>>> as per the kit above,
>>> you are instrumenting a system to observe its runtime behavior on an
>>> external audit system. this is because the advanced attacks inject
>>> into processes and ring0, persisting only what is needed / chosen
>>> (enabling hooks). you need to capture the active payloads that are
>>> delivered on-demand in host memory space.
>>> you are observing the network and RF space for anomalies and
>>> discrepancies. for example, a wifi radio disabled yet still emitting
>>> into 2.4GHz/5.xGHz spectrum. network captures also provide evidence
>>> to correlate with malicious memory, for example identifying a payload
>>> delivered over the network, with keys from volatility used to decrypt
>>> the encrypted communications containing the payload identified in
>>> memory.
>>> you are (sometimes destructively) sampling all flash memory as parts
>>> of advanced payloads persist outside of the OS and storage level
>>> interface visibility. (stealth at bus/bios level). discrepancies in
>>> blocks that should not have changed, executable code segments where
>>> not expected, strange carvings of wear leveling around "protected"
>>> offsets. all of these are indicators for further scrutiny and
>>> instruction level reversing (if corresponding to microcontroller
>>> programming instructions for manipulating streams read or written to
>>> and from device, for example :)
>>> last but not least, you are not getting attached to any hardware,
>>> because at any moment you may find it all suspect and have to replace
>>> all laptops, desktops, routers, printers, mobile devices, storage
>>> media, media servers, smart televisions, and god forbid you installed
>>> one of those intelligent thermostats. [ laugh for sanity, then go back
>>> and read the list, and then understand that the far end of the nation
>>> state malware asymptote is full of freaky exotics. i also hope you
>>> never hit that level of "all systems go" *grin* ]
>>> best regards,
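As an added example, not code from any poster in this thread: a small Python check in the spirit of coderman's flash-sampling point (blocks that should not have changed, code-like content where only erased padding belonged), run over two constructed dumps of the same chip. The block size, the set of blocks allowed to change and the entropy thresholds are assumptions for the demo.

```python
import math
from collections import Counter

BLOCK = 256  # comparison granularity in bytes; an assumption for this demo

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(block: bytes) -> str:
    """Coarse label for a block's contents; thresholds are assumed, not calibrated."""
    if block == b"\xff" * len(block):
        return "erased"        # blank flash
    h = entropy(block)
    if h < 1.0:
        return "low-entropy"   # padding, fill patterns, sparse tables
    if h > 7.5:
        return "high-entropy"  # compressed or encrypted payload
    return "mixed"             # typical of code or structured data

def diff_dumps(baseline: bytes, suspect: bytes, allowed: set, block: int = BLOCK) -> list:
    """List every block that differs between two dumps of the same chip.
    `allowed` holds block indexes that are expected to change (e.g. a variable store);
    a change anywhere else is marked unexpected and deserves manual scrutiny."""
    findings = []
    for off in range(0, max(len(baseline), len(suspect)), block):
        a, b = baseline[off:off + block], suspect[off:off + block]
        if a == b:
            continue
        idx = off // block
        findings.append({"block": idx, "before": classify(a), "after": classify(b),
                         "unexpected": idx not in allowed})
    return findings

def build_samples() -> tuple:
    """Constructed dumps: 8 blocks; block 6 is a variable store allowed to change,
    block 3 was erased in the baseline and now holds dense, code-like bytes."""
    header = bytes([0x5A, 0xA5] * (BLOCK // 2))
    erased = b"\xff" * BLOCK
    varstore = b"VAR=1\x00" * (BLOCK // 6) + b"\x00" * (BLOCK % 6)
    baseline = header + erased * 5 + varstore + erased
    tampered = (header + erased * 2 + bytes(range(256)) + erased * 2
                + varstore.replace(b"1", b"2") + erased)
    return baseline, tampered

if __name__ == "__main__":
    base, tamp = build_samples()
    for f in diff_dumps(base, tamp, allowed={6}):
        print(f)
```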
