Wednesday, August 10, 2011

USENIX: Forensic Analysis, Refereed Papers

Forensic Triage for Mobile Phones with DECODE

Written by Robert J Walls, Erik Learned-Miller and Brian Neil Levine, University of Massachusetts Amherst, presented by Robert Walls.

Forensic triage attempts to acquire evidence quickly and accurately at a crime scene. DECODE works on mobile phones and extracts information from the raw data on the phone, without specific knowledge of the phone's file system or operating system.

Phones are the focus of this research as they are everywhere and essentially record our lives, so they likely contain evidence. Even without direct evidence, they can be used to find motivation and establish a timeline.

Directly browsing the phone through its own interface only gets law enforcement the information that hasn't been deleted, and the act of browsing can itself modify data on the device while it is being inspected. Many of the commercial tools currently available are very expensive and focus on the most common phone models.

DECODE looks at the raw storage (bytes of data in an unknown format), which makes it possible to retrieve "deleted" data, metadata and timestamps. It does this using block hash filtering, which discards blocks whose contents are not specific to this phone, followed by inference over what remains.

Inference relies on most phones storing related fields together, like a name, a time and a phone number, so that a record can be recognised from that pattern of adjacent fields even when the surrounding format is unknown.
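
The two stages above, block hash filtering and then inference over the surviving bytes, as an added illustration that is not DECODE's own code. The 512-byte block size, the record layout (name, NUL, phone number, NUL, 32-bit little-endian Unix time), the plausibility window for timestamps and both phone images are constructed for this example; DECODE's real inference is probabilistic and does not assume a fixed layout, whereas the regular expression here does.

```python
"""Block hash filtering followed by record inference over raw phone storage.

Added illustration, not DEC0DE's code. The record layout, block size and
sample images below are constructed; DECODE's own inference is probabilistic
and does not assume a fixed record layout the way this regex does.
"""
import hashlib
import re
import struct
from datetime import datetime, timezone

BLOCK_SIZE = 512  # assumed block size for hashing
TS = 1312934400   # 2011-08-10T00:00:00Z, base time for the constructed records


def make_record(name, number, ts):
    """Constructed call-log record: name, phone number, little-endian Unix time."""
    return name.encode() + b"\x00" + number.encode() + b"\x00" + struct.pack("<I", ts)


# --- constructed images -----------------------------------------------------
FIRMWARE_BLOCK = (b"MODEL-X firmware 3.14 " * 30)[:BLOCK_SIZE]  # identical on every phone of the model
FILLER_BLOCK = bytes(range(256)) * 2                            # model-wide table, not user data
ACTIVE_BLOCK = (make_record("Alice Smith", "+15551234567", TS + 9 * 3600)
                + make_record("Bob", "5559876543", TS + 10 * 3600)).ljust(BLOCK_SIZE, b"\x00")
# A "deleted" record: no file system structure points at it, but its bytes remain.
DELETED_BLOCK = (b"\xff" * 100
                 + make_record("Carol Jones", "+15550001111", TS - 86400)).ljust(BLOCK_SIZE, b"\xff")

PHONE_IMAGE = FIRMWARE_BLOCK + ACTIVE_BLOCK + FILLER_BLOCK + DELETED_BLOCK
# Another phone of the same model: shares firmware and tables with the seized
# phone but holds a different user's data.
REFERENCE_IMAGE = (FIRMWARE_BLOCK
                   + make_record("Dave", "5550000000", TS).ljust(BLOCK_SIZE, b"\x00")
                   + FILLER_BLOCK
                   + bytes(BLOCK_SIZE))


def _hash_blocks(image, block_size):
    for off in range(0, len(image), block_size):
        yield off, hashlib.sha1(image[off:off + block_size]).digest()


def filter_known_blocks(image, reference_images, block_size=BLOCK_SIZE):
    """Block hash filtering: drop every block whose hash also occurs on a reference
    phone of the same model, since such blocks cannot hold this phone's own data."""
    known = {h for ref in reference_images for _, h in _hash_blocks(ref, block_size)}
    return [(off, image[off:off + block_size])
            for off, h in _hash_blocks(image, block_size) if h not in known]


def merge_regions(kept):
    """Join adjacent surviving blocks so a record that straddles two blocks is not cut."""
    regions = []
    for off, data in kept:
        if regions and regions[-1][0] + len(regions[-1][1]) == off:
            regions[-1] = (regions[-1][0], regions[-1][1] + data)
        else:
            regions.append((off, data))
    return regions


# Constructed field pattern: capitalised name, NUL, phone number, NUL, 4 time bytes.
RECORD = re.compile(rb"([A-Z][a-z]{1,15}(?: [A-Z][a-z]{1,15})?)\x00(\+?\d{7,15})\x00(.{4})", re.DOTALL)
EARLIEST, LATEST = 946684800, 1577836800  # assumed plausible window: 2000-01-01 .. 2020-01-01


def infer_records(regions):
    """Inference: a name, a number and a time found adjacent to each other form a record."""
    found = []
    for base, data in regions:
        for m in RECORD.finditer(data):
            ts = struct.unpack("<I", m.group(3))[0]
            if not EARLIEST <= ts < LATEST:
                continue  # fields lined up but the time is implausible: treat as a chance hit
            found.append({
                "offset": base + m.start(),
                "name": m.group(1).decode(),
                "number": m.group(2).decode(),
                "time": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            })
    return found


def triage(image, reference_images, block_size=BLOCK_SIZE):
    """Full pipeline: hash-filter the image, merge what survives, infer records."""
    return infer_records(merge_regions(filter_known_blocks(image, reference_images, block_size)))


if __name__ == "__main__":
    for rec in triage(PHONE_IMAGE, [REFERENCE_IMAGE]):
        print(rec)
```

Only two of the four blocks survive filtering (the firmware and table blocks also hash-match the reference phone), and Carol's "deleted" record is recovered from the raw bytes just like the two live ones, because nothing here consults a file system. The timestamp window is the kind of cheap sanity check that keeps chance alignments of the three fields out of the result.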

This work can be applied to phone models that have not been seen before, making it much more extensible in this ever-changing market.

The audio and video of this presentation are now online.

mCarve: Carving Attribute Dump Sets

Written by Ton van Deursen, Sjouke Mauw, and Sasa Radomirovic, University of Luxembourg. Presented by Sjouke Mauw.

These researchers used beer, card readers and time to look at hacking their public transport cards. Unfortunately, they were not able to use existing forensic carving tools, so they had more work to do. The researchers knew when the cards were purchased, how much money was left on them, and when they were last used, as they were their own cards. This gave them some "known text" to search for, i.e. attributes of the card.

Just knowing that "plain text" was not enough: in some cases the known value was too simple and appeared at several positions in the dump, for example the fact that the card had been used 4 times, which matches any byte that happens to hold the value 4. But by combining that data with the other known attributes, and with further dumps whose attribute values differed, they were able to narrow down the different components of the card.
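
The narrowing-down described above, as an added illustration that is not the mCarve tool: given several dumps of the same card whose attribute values the owner knows (time of last use, remaining balance, rides used), try a handful of integer encodings at every offset and keep only the (offset, encoding) pairs that decode to the known value in every dump. The 48-byte card layout, the encodings tried and the three dumps are constructed for this example; the code pretends not to know the layout and recovers it.

```python
"""Locate card attributes in a set of dumps whose attribute values are known.

Added illustration, not the mCarve tool. The 48-byte layout in make_dump is
constructed; the search below does not use that knowledge.
"""
import struct

# Candidate encodings to try at every offset: name -> (width in bytes, struct format).
ENCODINGS = {
    "u8": (1, "<B"),
    "u16le": (2, "<H"), "u16be": (2, ">H"),
    "u32le": (4, "<I"), "u32be": (4, ">I"),
}


def find_field(dumps, values, encodings=ENCODINGS):
    """Return sorted (offset, encoding) pairs at which every dump decodes to its known value.

    A single dump usually yields several hits, because a small number also occurs
    by chance elsewhere; intersecting the hit sets of dumps with different known
    values prunes those coincidences.
    """
    hits = None
    for dump, value in zip(dumps, values):
        this_dump = set()
        for name, (width, fmt) in encodings.items():
            if value >= 1 << (8 * width):  # value cannot fit in this encoding
                continue
            for off in range(len(dump) - width + 1):
                if struct.unpack_from(fmt, dump, off)[0] == value:
                    this_dump.add((off, name))
        hits = this_dump if hits is None else hits & this_dump
    return sorted(hits or ())


def make_dump(last_used, balance_cents, station, rides):
    """Constructed 48-byte card image; a real card's layout is what we are trying to find."""
    return (bytes.fromhex("deadbeef01020304")              # 0..7   fixed header (note the 0x04 at offset 7)
            + struct.pack("<I", last_used)                  # 8..11  time of last use
            + bytes(8)                                      # 12..19 unused
            + struct.pack("<H", balance_cents) + b"\xff\xff"  # 20..23 balance in cents, padding
            + struct.pack("<I", station) + bytes(4)         # 24..31 last station, unused
            + b"\x00\xa5" + bytes([rides]) + b"\x7f"        # 32..35 flags, ride counter, flags
            + bytes(12))                                    # 36..47 unused


# Constructed attribute set: three dumps of one card, taken after successive rides
# on 2011-08-10 (UTC), with the values the card's owner knows about each dump.
LAST_USED = [1312934400, 1312939800, 1312943400]
BALANCES = [2500, 2300, 2100]
STATIONS = [0x1234, 0x2211, 0x0099]   # not a known attribute; it just makes the dumps differ
RIDES = [4, 5, 6]
DUMPS = [make_dump(t, b, s, r) for t, b, s, r in zip(LAST_USED, BALANCES, STATIONS, RIDES)]


if __name__ == "__main__":
    print("rides, one dump :", find_field(DUMPS[:1], RIDES[:1]))   # ambiguous
    print("rides, all dumps:", find_field(DUMPS, RIDES))           # resolved
    print("balance         :", find_field(DUMPS, BALANCES))
    print("last used       :", find_field(DUMPS, LAST_USED))
```

With the first dump alone, "used 4 times" matches three candidates: the real counter at offset 34, a header byte at offset 7 that happens to be 0x04, and a 16-bit read at offset 7 that picks up that byte plus the zero low byte of the timestamp. The second and third dumps, whose counters read 5 and 6 while the header stays fixed, eliminate both coincidences. The balance and timestamp are larger numbers and are located from a single dump, but each still needs the set to confirm the width and byte order. Values stored transformed (BCD, ticks since a card-specific epoch, a complemented copy) would need those transformations added to the encoding table.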

The audio and video of this presentation are now online.

ShellOS: Enabling Fast Detection and Forensic Analysis of Code Injection Attacks

Written by Kevin Z. Snow, Srinivas Krishnan, and Fabian Monrose, University of North Carolina at Chapel Hill; Niels Provos, Google.

Exploit kits are making it easier and easier to deploy attacks. The speaker started out with a real-world example of an email that looked very much like the standard notification you get from a Xerox copier/scanner, except that the attachment contained shellcode that would be injected into and run on the victim's system when the document was opened.

One way of detecting this is dynamic code analysis: execute the suspicious bytes in a sandboxed environment and watch for the behaviour of malicious code. Emulation-based approaches are slow, and the emulator can be detected by the malicious code, which then simply behaves innocently.

This is where ShellOS comes in. The candidate bytes are executed on the real CPU, uninterrupted and at native speed. If a fault occurs (most starting offsets decode into garbage and fault almost immediately), it is trapped and execution moves on to the next offset. Because nothing is emulated, it runs in real time and there is no emulator for the shellcode to detect.
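
The execute-from-every-offset strategy above, as an added illustration that is not ShellOS code. ShellOS runs the buffer at native speed inside a KVM guest with its own minimal kernel trapping the faults; this stand-in forks a child process per starting offset, so a fault only kills that child and the parent records it and moves on, and it uses an alarm to bound a candidate that runs away. It assumes Linux on x86-64, and the sample buffer (a run of `hlt` bytes with a tiny `mov eax, 42 ; ret` stub planted at a known offset) is constructed for this example.

```python
"""Run a byte buffer natively from every offset, trapping faults and moving on.

Added illustration of the strategy described in the ShellOS talk, not ShellOS
code: ShellOS traps faults in its own kernel inside a KVM guest; here each
candidate offset runs in a forked child, so a crash kills only that child.
Assumptions: Linux on x86-64, and the constructed SAMPLE buffer below.
"""
import ctypes
import mmap
import os
import platform
import signal

# Constructed sample: `hlt` (0xf4) is privileged and faults in user mode, so every
# offset except the planted stub "mov eax, 0x2a ; ret" dies immediately.
STUB = bytes.fromhex("b82a000000c3")
STUB_OFFSET = 37
SAMPLE = bytearray(b"\xf4" * 64)
SAMPLE[STUB_OFFSET:STUB_OFFSET + len(STUB)] = STUB
SAMPLE = bytes(SAMPLE)

TIMEOUT_SECONDS = 2   # bound a candidate that loops, as a preemption timer would
HARNESS_ERROR = 255   # exit status reserved for "could not map or call the buffer"


def _run_natively(buf, offset):
    """Child side: map the buffer executable and call it at `offset` on the real CPU."""
    mem = mmap.mmap(-1, len(buf), prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
    mem.write(buf)
    base = ctypes.addressof(ctypes.c_char.from_buffer(mem))
    entry = ctypes.CFUNCTYPE(ctypes.c_uint32)(base + offset)
    signal.alarm(TIMEOUT_SECONDS)
    return entry() & 0xFF   # only 8 bits survive in the exit status


def execute_from_every_offset(buf):
    """Return {offset: ("returned", value) | ("fault", signal_name) | ("error", reason)}."""
    if platform.system() != "Linux" or platform.machine() != "x86_64":
        raise RuntimeError("this illustration assumes Linux on x86-64")
    results = {}
    for offset in range(len(buf)):
        pid = os.fork()
        if pid == 0:   # child: run the candidate, report via exit status or death signal
            try:
                os._exit(_run_natively(buf, offset))
            except BaseException:
                os._exit(HARNESS_ERROR)
        _, status = os.waitpid(pid, 0)
        if os.WIFSIGNALED(status):
            # The fault (or the alarm) is trapped here and the scan simply continues.
            results[offset] = ("fault", signal.Signals(os.WTERMSIG(status)).name)
        elif os.WEXITSTATUS(status) == HARNESS_ERROR:
            results[offset] = ("error", "could not map or call the buffer")
        else:
            results[offset] = ("returned", os.WEXITSTATUS(status))
    return results


def completed_offsets(results):
    """Offsets whose instruction stream ran to a return: the candidates worth examining."""
    return sorted(off for off, (kind, _) in results.items() if kind == "returned")


if __name__ == "__main__":
    res = execute_from_every_offset(SAMPLE)
    print("completed:", [(o, res[o]) for o in completed_offsets(res)])
    print("faulted  :", sum(1 for k, _ in res.values() if k == "fault"), "of", len(res))
```

Every offset before the stub and every offset after it ends in a trapped SIGSEGV, while the stub offset returns 42; a start inside the stub decodes into different instructions and may or may not survive, which is exactly why a scanner has to try every offset rather than guess an alignment. Forking per offset is far slower than ShellOS's in-guest trap handling, and a completed run is only a candidate: ShellOS goes on to apply runtime heuristics to decide whether what ran looks like shellcode.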

Their next experiments looked at how effective ShellOS is in practice at detecting shellcode. On a 100 Mb/s line they could process packets in real time without dropping any, running on a single CPU.

Their most important test was detecting PDF code injection attacks. This is where Niels Provos came in, providing documents that had been flagged by Google's large-scale web malware detection system; these were compared against past USENIX Security conference PDFs (the assumption being that those would be exploit-free).

While examining the flagged documents, they found that almost all of them were attempting to run shellcode, which is exactly what ShellOS was created to detect. They detected the injected code in the malicious documents and got no false positives in the presumed-innocent set from USENIX.

This seems like a very cool project and I'd be very interested to see where this ends up going.

The audio and video of this presentation are now online.

This post is syndicated from Thoughts on security, beer, theater and biking!