minimum viable toolset for low level malware forensics [was: BadBIOS forensics]
On Wed, Jul 16, 2014 at 4:19 AM, Bluelotus <bluelotus@openmailbox.org> wrote:
... I wrote threads on my limited ability to perform forensics
for those technical, the minimum viable toolset for identifying low level subversive programming is:

- a solid base (clean hw, clean installs, clean environment) in a separate location with RF shielding. (a closed metal barn out in the country, for example. if you're a geek you love the thought of a faraday closet ;)

- instrumented runtime (e.g. volatility memory forensics, system performance profiling, all to append only storage) on any systems you are using as suspect to attack.

- obstructed runtime (see thread on "how to hack your systems before someone else") - this is optional; a modified system that appears to be vulnerable / stock condition will exhibit undefined behavior under attempted enabling, sometimes. otherwise it may be difficult to identify a successful infection.

- direct flash memory pinout rig (specs for all chips including flash memory associated with BIOS, integrated management controllers, network devices, I/O ports, keyboard, track pad or mouse, HD/DVD/CD drives, graphics memory, wifi, 4g, and bluetooth wireless adapters will be needed). you're programming an FPGA to perform reads directly from the flash chips. converting flash memory into high level block storage is the next black art upward.

- wide band high performance software defined radio. you will be building custom GNU radio blocks and running many from third party repositories or research projects. you are using a two stage process, where wide sweeps and auto ranging are applied to sample swaths of signal of interest to storage, then parallel processing on other hardware or at a later time (off-use-hours) extracting known / useful data and anomalies for further analysis.

- in-line network archival, shaping, and cut-out for link to internet / local network. this works best as a zero visibility transparent ethernet bridge with ARP spoofing and ether mangling at each end, one that does not speak IP at all. the shaping is used to squelch suspect or unexpected peak traffic (both a signalling system for malicious activity and a means to constrain the reach once compromised).

as per the kit above, you are instrumenting a system to observe its runtime behavior on an external audit system. this is because the advanced attacks inject into processes and ring0, persisting only what is needed / chosen (enabling hooks). you need to capture the active payloads that are delivered on-demand in host memory space.

you are observing the network and RF space for anomalies and discrepancies. for example, a wifi radio disabled yet still emitting into 2.4GHz/5.xGHz spectrum. network captures also provide evidence to correlate with malicious memory, for example identifying a payload delivered over the network, with keys from volatility used to decrypt the encrypted communications containing the payload identified in memory.

you are (sometimes destructively) sampling all flash memory as parts of advanced payloads persist outside of the OS and storage level interface visibility (stealth at bus/bios level). discrepancies in blocks that should not have changed, executable code segments where not expected, strange carvings of wear leveling around "protected" offsets: all of these are indicators for further scrutiny and instruction level reversing (if corresponding to microcontroller programming instructions for manipulating streams read or written to and from device, for example :)

last but not least, you are not getting attached to any hardware, because at any moment you may find it all suspect and have to replace all laptops, desktops, routers, printers, mobile devices, storage media, media servers, smart televisions, and god forbid you installed one of those intelligent thermostats.

[ laugh for sanity, then go back and read the list, and then understand that the far end of the nation state malware asymptote is full of freaky exotics. i also hope you never hit that level of "all systems go" *grin* ]

best regards,
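As an added illustration (not code from the thread or from coderman), here is a block-level comparison of a baseline flash dump against a later dump of the same chip, in the spirit of the "discrepancies in blocks that should not have changed" check above: changed blocks inside declared protected ranges, and formerly erased blocks that now hold high-entropy data, get flagged. BLOCK, the protected ranges and the two sample images are constructed assumptions, not real firmware.

```python
import math
import random

BLOCK = 4096  # comparison granularity in bytes (assumed; use the chip's erase-block size)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for 0xFF/0x00 padding, close to 8 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def diff_flash(baseline: bytes, suspect: bytes, protected, entropy_threshold=7.0):
    """Compare two dumps block by block; one finding dict per changed block.
    protected: (start, end) byte ranges that must never change (boot block etc.)."""
    if len(baseline) != len(suspect):
        raise ValueError("dump sizes differ: re-read the chip before comparing")
    findings = []
    for off in range(0, len(baseline), BLOCK):
        a, b = baseline[off:off + BLOCK], suspect[off:off + BLOCK]
        if a == b:
            continue
        in_protected = any(lo <= off < hi for lo, hi in protected)
        # erased/padding in the baseline but now high-entropy: a classic spot for a
        # payload to persist outside the OS and storage-level interface's view
        padding_overwritten = set(a) <= {0x00, 0xFF} and shannon_entropy(b) > entropy_threshold
        findings.append({
            "offset": off,
            "protected": in_protected,
            "padding_overwritten": padding_overwritten,
            "severity": "high" if in_protected or padding_overwritten else "review",
        })
    return findings


def build_samples():
    """Constructed dumps (not real firmware): 8 blocks, block 0 plays the protected boot block."""
    rng = random.Random(1)
    base = bytearray(b"\xff" * (8 * BLOCK))
    base[0:2 * BLOCK] = bytes(rng.getrandbits(8) for _ in range(2 * BLOCK))  # "firmware" content
    susp = bytearray(base)
    susp[0x100:0x110] = b"\x90" * 16  # 16-byte patch inside the protected boot block
    susp[5 * BLOCK:6 * BLOCK] = bytes(rng.getrandbits(8) for _ in range(BLOCK))  # blob in erased area
    return bytes(base), bytes(susp)
```

Calling `diff_flash(*build_samples(), protected=[(0, BLOCK)])` yields two findings: the patched boot block (protected) and the blob written into the erased area at block 5 (padding overwritten), both rated high; an unchanged chip yields an empty list.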
participants (1)
-
coderman