[cryptome] Re: minimum viable toolset for low level malware forensics [was: BadBIOS forensics]

  • From: doug <douglasrankine2001@xxxxxxxxxxx>
  • To: cryptome@xxxxxxxxxxxxx
  • Date: Tue, 05 Aug 2014 21:33:47 +0100

Hi Ryan,
It didn't work. I did try playing my Scottish bagpipes at full blast...Scotland the Brave. That is the loudest noise I know...combined with lifting my kilt and exposing my sporran...which has always been enough to scare even the English...it still didn't work. The CIA and GCHQ are more sophisticated than that...I fear...O:-) ...Nearly broke my hard disk though...I see I will need to do some nanometrical thinking.

On 05/08/14 19:02, Ryan Carboni wrote:
Play loud rap music.

On Tue, Aug 5, 2014 at 5:22 AM, doug <douglasrankine2001@xxxxxxxxxxx> wrote:

    How does one suppress the noise which comes out of one's computers? How does one suppress the noise that an individual Faraday cage makes...Each and every component in a computer and the internet of things emits an identifiable noise pattern. Even the variations of the phases of electric current in the mains power supply can determine time and place of transmission of data...such are the laws of quantum mechanics. Good forensic tools can take a hard disk back to the original writing and reading, even with the best of erasure tools.
    Just a thought.

    On 20/07/14 08:07, coderman wrote:

        On Wed, Jul 16, 2014 at 4:19 AM, Bluelotus <bluelotus@xxxxxxxxxxxxxxx> wrote:

            I wrote threads on my limited ability to perform forensics

        for those technical, the minimum viable toolset for identifying low level subversive programming is:

        - a solid base (clean hw, clean installs, clean environment) in a separate location with RF shielding. (a closed metal barn out in the country, for example. if you're a geek you love the thought of a Faraday closet ;)

        - instrumented runtime (e.g. volatility memory forensics, system performance profiling, all to append only storage) on any systems you are using as suspect to attack.

        - obstructed runtime (see thread on "how to hack your systems someone else") - this is optional; a modified system that appears to be vulnerable / stock condition will exhibit undefined behavior under attempted enabling, sometimes. otherwise it may be difficult to identify a successful infection.

        - direct flash memory pinout rig (specs for all chips including flash memory associated with BIOS, integrated management controllers, network devices, I/O ports, keyboard, trackpad or mouse, HD/DVD/CD drives, graphics memory, wifi, 4g, and bluetooth wireless adapters will be needed you're programming an FPGA to perform reads from the flash chips. converting flash memory into high level storage the next black art upward.

        - wide band high performance software defined radio. you will be building custom GNU radio blocks and running many from third party repositories or research projects. you are using a two stage where wide sweeps and auto ranging are applied to sample swaths of signal of interest to storage. then parallel processing on other hardware or later time (off-use-hours) extracting known / useful data and anomalies for further analysis.

        - in-line network archival, shaping, and cut-out for link to / local network. this works best as a zero visibility transparent ethernet bridge with ARP spoofing and ether mangling at each end. that does not speak IP at all. the shaping is used to squelch suspect or unexpected peak traffic (both a signalling system for malicious activity and a means to constrain the reach once compromised)

        as per the kit above,

        you are instrumenting a system to observe its runtime behavior on an external audit system. this is because the advanced attacks inject into processes and ring0, persisting only what is needed / chosen (enabling hooks). you need to capture the active payloads that are delivered on-demand in host memory space.

        you are observing the network and RF space for anomalies and discrepancies. for example, a wifi radio disabled yet still into 2.4 GHz/5.x GHz spectrum. network captures also provide to correlate with malicious memory, for example identifying a delivered over the network, with keys from volatility used to the encrypted communications containing the payload identified in

        you are (sometimes destructively) sampling all flash memory as of advanced payloads persist outside of the OS and storage level interface visibility. (stealth at bus/bios level). discrepancies in blocks that should not have changed, executable code segments not expected, strange carvings of wear leveling around "protected" offsets. all of these are indicators for further scrutiny and instruction level reversing (if corresponding to microcontroller programming instructions for manipulating streams read or written to and from device, for example :)

        last but not least, you are not getting attached to any hardware, because at any moment you may find it all suspect and have to all laptops, desktops, routers, printers, mobile devices, storage media, media servers, smart televisions, and god forbid you one of those intelligent thermostats. [ laugh for sanity, then go back and read the list, and then understand that the far end of the state malware asymptote is full of freaky exotics. i also hope you never hit that level of "all systems go" *grin* ]

        best regards,
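
An added example, written for this archive page and not part of coderman's kit or any existing tool, of the "discrepancies in blocks that should not have changed" check from the flash sampling paragraph in the quoted post: a block-level diff of a baseline dump against a later dump of the same chip, judged against a region map of what is allowed to change. The region names and offsets, the 64-byte block size and both dump images are constructed for illustration; on a real board the map comes from the chip and platform documentation the post says you will need.

```python
"""Block-level diff of two flash dumps against a region map (constructed example).

Compares a baseline dump taken from a known-clean board with a later dump of
the same chip and reports blocks that changed, whether the change falls in a
region expected to change (e.g. an NVRAM variable store) or in one that
should stay fixed, and whether previously erased (0xFF) space now holds data.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

BLOCK = 64  # block size for the constructed sample; real NOR parts use 4 KiB erase blocks


@dataclass
class Region:
    name: str
    start: int           # inclusive offset
    end: int             # exclusive offset
    expect_change: bool  # True for areas that legitimately change between boots


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a uniform block, up to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def region_for(offset: int, regions: List[Region]) -> Optional[Region]:
    """Map a block offset to the region that contains it, if any."""
    for r in regions:
        if r.start <= offset < r.end:
            return r
    return None


def analyze(baseline: bytes, suspect: bytes, regions: List[Region], block: int = BLOCK) -> List[dict]:
    """Return one finding per changed block, in offset order."""
    if len(baseline) != len(suspect):
        raise ValueError("dump sizes differ; re-read the chip or check the capture")
    findings = []
    for off in range(0, len(baseline), block):
        before, after = baseline[off:off + block], suspect[off:off + block]
        if before == after:
            continue
        region = region_for(off, regions)
        if region is None:
            severity = "unmapped-region-changed"
        elif region.expect_change:
            severity = "expected"
        else:
            severity = "protected-region-changed"
        findings.append({
            "offset": off,
            "region": region.name if region else None,
            "severity": severity,
            "was_erased": all(b == 0xFF for b in before),   # new data where there was only erased space
            "entropy": round(shannon_entropy(after), 2),     # high entropy in a fixed region deserves reversing
            "sha256": hashlib.sha256(after).hexdigest()[:16],  # short id for the append-only log
        })
    return findings


def build_sample():
    """Constructed 1 KiB image pair (hypothetical layout): boot block, NVRAM store, erased padding."""
    regions = [
        Region("boot", 0, 256, expect_change=False),
        Region("nvram", 256, 512, expect_change=True),
        Region("padding", 512, 1024, expect_change=False),
    ]
    baseline = (b"BOOT" * 64) + bytes(256) + b"\xff" * 512
    suspect = bytearray(baseline)
    suspect[260:264] = b"\x01\x02\x03\x04"   # routine NVRAM variable update: expected
    suspect[768:832] = bytes(range(64))       # stand-in for data written into erased padding
    return baseline, bytes(suspect), regions


if __name__ == "__main__":
    base, susp, regs = build_sample()
    for f in analyze(base, susp, regs):
        print(f"{f['offset']:#08x} {f['region']:<8} {f['severity']:<25} "
              f"erased={f['was_erased']} H={f['entropy']} {f['sha256']}")
```

On the sample the NVRAM change is reported as expected while the block written into erased padding is flagged as a protected-region change with entropy 6.0 and a was_erased marker; the per-block hash is what you would append to the write-once log the post describes, so a later dump can be compared against every earlier state, not just the baseline.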
