live disk forensics on bare metal
play

Live Disk Forensics on Bare Metal Hongyi Hu and Chad Spensky - PowerPoint PPT Presentation

Feb 17, 2023 •287 likes •800 views

Live Disk Forensics on Bare Metal Hongyi Hu and Chad Spensky {hongyi.hu,chad.spensky}@ll.mit.edu Open-Source Digital Forensics Conference 2014 This work is sponsored by the Assistant Secretary of Defense for Research and Engineering under Air

  1. Live Disk Forensics on Bare Metal Hongyi Hu and Chad Spensky {hongyi.hu,chad.spensky}@ll.mit.edu Open-Source Digital Forensics Conference 2014 This work is sponsored by the Assistant Secretary of Defense for Research and Engineering under Air Force Contract FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the author and are not necessarily endorsed by the United States Government.

  2. Who are we? • Chad Spensky – Lifetime hacker/tinkerer – Education • BS @ University of Pittsburgh • MS @ University of North Carolina – Research staff at MIT Lincoln Laboratory – 3 rd time at OSDF Con – User and modifier of TSK and Volatility Live Disk Forensics - 2 CS & HH 11/5/2014

  3. Who are we? • Hongyi Hu – Computer scientist, tinkerer, lawyer – Education • S.B., M.Eng @ MIT • J.D. @ Boston U. – Research staff at MIT Lincoln Laboratory – 2nd time at OSDF Con – My photos are not as cool as Chad’s J J Live Disk Forensics - 3 CS & HH 11/5/2014

  4. Agenda • Overview • Motivation • Architecture • Live Disk Forensics • Summary • Future Directions Live Disk Forensics - 4 CS & HH 11/5/2014

  5. Overview • This talk is a small portion of a larger program – LO-PHI: Low-Observable Physical Host Instrumentation • Problem Statement – Instrument physical and virtual machines while introducing as few artifacts as possible. • Goals – Be as difficult-to-detect as possible – Develop capabilities for bare-metal machines – Produce high-level semantic information LO-PH Live Disk Forensics - 5 CS & HH 11/5/2014

  6. Why? • Malware analysis – Malware can actively evade detectable analysis artifacts and may behave differently • Cleanroom execution environment – Installing software on the system may not always be an option • E.g. Xbox 360 • Low-artifact debugging – Debuggers can be detected and evaded or mask real-world behavior Live Disk Forensics - 6 CS & HH 11/5/2014

  7. How? • Instrument interesting tap points in the system – E.g. Hard Disk, Main Memory, CPU, Network • Bridge the semantic gap to obtain useful information from these raw data sources – E.g. Volatility, Sleuthkit • Analyze the raw and semantic data to answer interesting questions – “Is program X malware?” – “What files were accessed?” – “Is this machine compromised?” Live Disk Forensics - 7 CS & HH 11/5/2014

  8. Agenda • Overview • Motivation • Architecture • Live Disk Forensics • Summary • Future Directions Live Disk Forensics - 8 CS & HH 11/5/2014

  9. Current Instrumentation • Access physical memory – Virtual: libvmi – Physical: PCI & PCI-express FPGA boards • Passively monitor disk activity – Virtual: Custom hooks into QEMU block driver – Physical: SATA man-in-the-middle with custom FPGA • CPU Instrumentation – Virtual: Custom hooks into QEMU KVM – Physical: Working with Intel’s eXtended Debug Port (XDP) and ARM’s DSTREAM debugger • Actuate inputs – Virtual: libvirt – Physical: Arduino Leonardo Live Disk Forensics - 9 CS & HH 11/5/2014

  10. Current Instrumentation • Access physical memory – Virtual: libvmi – Physical: PCI & PCI-express FPGA boards • Passively monitor disk activity – Virtual: Custom hooks into QEMU block driver – Physical: SATA man-in-the-middle with custom FPGA • CPU Instrumentation – Virtual: Custom hooks into QEMU KVM – Physical: Working with Intel’s eXtended Debug Port (XDP) and ARM’s DSTREAM debugger • Actuate inputs – Virtual: libvirt – Physical: Arduino Leonardo Live Disk Forensics - 10 CS & HH 11/5/2014

  11. Physical Instrumentation Power, Keyboard, Mouse SATA Introspection Network Tap Memory Introspection Semantic Analysis Live Disk Forensics - 11 CS & HH 11/5/2014

  12. Physical Instrumentation Power, Keyboard, Mouse SATA Introspection Network Tap Memory Introspection Semantic Analysis Live Disk Forensics - 12 CS & HH 11/5/2014

  13. Virtual Instrumentation Semantic Analysis block.c LO-PH UNIX Socket Live Disk Forensics - 13 CS & HH 11/5/2014

  14. Virtual Instrumentation Semantic Analysis block.c LO-PH UNIX Socket Live Disk Forensics - 14 CS & HH 11/5/2014

  15. Bridging the Semantic Gap • Problem – Most forensic tools, i.e. Volatility and Sleuthkit , assume static offline data – We need to analyze live data streams • Live Memory Introspection – We were able to optimize Volatility to use a custom address space that speaks directly to our hardware • Other code to deal with smearing vs. snapshots etc. • Live Disk Forensics – Far less straight-forward, especially on physical HDDs Live Disk Forensics - 15 CS & HH 11/5/2014

  16. Agenda • Overview • Motivation • Architecture • Live Disk Forensics • Summary • Future Directions Live Disk Forensics - 16 CS & HH 11/5/2014

  17. Live Disk Forensics 1. Instrumentation: Obtain a stream of disk activity – Read 1 sector from block 0, [DATA] – Write 1 sector to block 0, [DATA] – . . . 2. Semantic Gap: Determine the meaning of this read/write – Master Boot Record was modified – File read/write/rename/etc. 3. Analyze data – “Is that bad?” 2. Semantic 1. Data Collection 3. Analysis Reconstruction Live Disk Forensics - 17 CS & HH 11/5/2014

  18. Disk Instrumentation • Virtual (QEMU/KVM) – Obtain block, sector count, data, and read/write directly from block driver • Physical – Required developing specialized hardware – Currently using a Xilinx development board – Using off-the-shelf SATA core from Intelliprop – Custom code for C&C over Ethernet – Outputs raw SATA frames over UDP (~80MB/sec) ML507 Live Disk Forensics - 18 CS & HH 11/5/2014

  19. Disk Instrumentation • Virtual Limitations – Artifacts • Same as QEMU – Requires modifications to QEMU source • Physical Limitations – Artifacts • May sometimes need to throttle SATA to ensure full capture – Packet loss • UDP is a best-effort protocol 2. Semantic 1. Data Collection 3. Analysis Reconstruction Live Disk Forensics - 19 CS & HH 11/5/2014

  20. Disk Instrumentation: Physical Live Disk Forensics - 20 CS & HH 11/5/2014

  21. Disk Instrumentation: Physical Live Disk Forensics - 21 CS & HH 11/5/2014

  22. Semantic Reconstruction 1. Start with a forensic copy of the instrumented disk 2. Identify the file system on the disk – E.g. magic numbers, expert knowledge 3. Obtain stream of accesses to the instrumented disk in a common format – E.g. (Logical Block Address, Data, Operation) 4. Utilize forensic tools to identify subsequent file system operation 2. Semantic 1. Data Collection 3. Analysis Reconstruction Live Disk Forensics - 22 CS & HH 11/5/2014

  23. SATA Reconstruction • Multiple layers of abstraction that we must bridge – Analog Signal à à Raw bits – Raw bits à à SATA Frames – SATA Frames à à Sector manipulation – Sector manipulation à à File System Manipulation SATA File System Reconstruction Reconstruction 2. Semantic 1. Data Collection 3. Analysis Reconstruction Live Disk Forensics - 23 CS & HH 11/5/2014

  24. SATA Reconstruction • Multiple layers of abstraction that we must bridge } – Analog Signal à à Raw bits Xilinx ML507 – Raw bits à à SATA Frames – SATA Frames à à Sector manipulation – Sector manipulation à à File System Manipulation SATA File System Reconstruction Reconstruction 2. Semantic 1. Data Collection 3. Analysis Reconstruction Live Disk Forensics - 24 CS & HH 11/5/2014

  25. SATA Reconstruction A Brief Primer on SATA (1) • Serial ATA – bus interface that replaces older IDE/ATA standards • SATA uses frames (FIS) to communicate between host and device FIS – Frame Information Structure Live Disk Forensics - 25 CS & HH 11/5/2014

  26. SATA Reconstruction A Brief Primer on SATA (2) • Multi-layer protocol (physical, link, transport, command) – Reconstruction focuses on the command layer • Read SATA standard – Appendix B is useful! Live Disk Forensics - 26 CS & HH 11/5/2014

  27. SATA Reconstruction A Brief Primer on SATA (3) • Register FIS Host to Device – Marks the beginning of SATA transaction – Contains the logical block address (LBA) and operation information (read or write) • Register FIS Device to Host – Often marks completion of SATA transaction – Also used in software reset protocol, device diagnostic, etc. Live Disk Forensics - 27 CS & HH 11/5/2014

  28. SATA Reconstruction A Brief Primer on SATA (4) • DMA Activate – Device declares that it is ready to receive DMA data (for a write) • DMA Setup – Precedes Data frames (for NCQ, AFAIK) Live Disk Forensics - 28 CS & HH 11/5/2014

  29. SATA Reconstruction A Brief Primer on SATA (5) • Data – contains data! • BIST (Built In Self Test) • PIO (Programmed I/O) – Older mode of data transfer before DMA • Other protocols not mentioned here – Software reset, device diagnostic, device reset, packet – Read the SATA spec for more info Live Disk Forensics - 29 CS & HH 11/5/2014

  30. SATA Reconstruction A Brief Primer on SATA (6) HOST DEVICE Register HTD Tells us the LBA (sector), number DMA Activate of sectors, operation, etc. Data A Data B Data C Register DTH Example – DMA Write Live Disk Forensics - 30 CS & HH 11/5/2014

Recommend

64 bit Bare Metal Tristan Gingold Programming on RPI-3 gingold@adacore.com What is Bare Metal ?

64 bit Bare Metal Tristan Gingold Programming on RPI-3 gingold@adacore.com What is Bare Metal ?

64 bit Bare Metal Tristan Gingold Programming on RPI-3 gingold@adacore.com What is Bare Metal ? Images: Wikipedia No box What is Bare Metal ? No Operating System Your application is the OS Why Bare Board ? Not enough ressources for an

874 views • 31 slides
Bare Metal In The Cloud: Isnt it Ironic? by Dmitry Tantsur and Ilya Etingof, Red Hat In this

Bare Metal In The Cloud: Isnt it Ironic? by Dmitry Tantsur and Ilya Etingof, Red Hat In this

Bare Metal In The Cloud: Isnt it Ironic? by Dmitry Tantsur and Ilya Etingof, Red Hat In this talk What's bare metal provisioning Ironic introduction and work flows The future of ironic Why bare metal allocation Raw

478 views • 4 slides
Running Kubernetes on OpenStack and Bare Metal OpenStack Summit Berlin, November 2018 Ramon

Running Kubernetes on OpenStack and Bare Metal OpenStack Summit Berlin, November 2018 Ramon

Running Kubernetes on OpenStack and Bare Metal OpenStack Summit Berlin, November 2018 Ramon Acedo Rodriguez Product Manager, Red Hat OpenStack Team @ramonacedo | racedo@redhat.com Bare Metal On-Trend Bare Metal On-Trend Among users who run

713 views • 34 slides
Small-block Disk Forensics and Triage Outline Disk Structure. Triage. File Signatures.

Small-block Disk Forensics and Triage Outline Disk Structure. Triage. File Signatures.

Small-block Disk Forensics and Triage Outline Disk Structure. Triage. File Signatures. Discriminators. Contraband Identification. Sector-based Hashing. Conclusions. Author: Prof Bill Buchanan Small Block Disk Forensics and

768 views • 45 slides
TVM Deep Learning on Bare-Metal Devices Pratyush Patel No OS stack Extend TVM to support

TVM Deep Learning on Bare-Metal Devices Pratyush Patel No OS stack Extend TVM to support

TVM Deep Learning on Bare-Metal Devices Pratyush Patel No OS stack Extend TVM to support bare-metal devices Optimization High-Level Differentiable IR AutoTVM Tensor Expression IR LLVM, CUDA VTA AutoVTA Hardware FPGA ASIC Fleet

1.46k views • 18 slides
Improving Agility and Elasticity in Bare-metal Clouds Yushi Omote , Takahiro Shinagawa ,

Improving Agility and Elasticity in Bare-metal Clouds Yushi Omote , Takahiro Shinagawa ,

Improving Agility and Elasticity in Bare-metal Clouds Yushi Omote , Takahiro Shinagawa , Kazuhiko Kato University of Tsukuba, The University of Tokyo 1 Bare-metal Clouds An IaaS for high performance and device functionality

230 views • 21 slides
Drug-Elu(ng vs. Bare Metal Stents in Saphenous Vein Gra:s: The Prospec(ve Randomized

Drug-Elu(ng vs. Bare Metal Stents in Saphenous Vein Gra:s: The Prospec(ve Randomized

Drug-Elu(ng vs. Bare Metal Stents in Saphenous Vein Gra:s: The Prospec(ve Randomized BASKET-SAVAGE Trial Raban V. Jeger, M.D., Ahmed Farah, M.D., Thomas Engstrm, M.D., Sren Gala=us, M.D., Franz Eberli, M.D., Peter Rickenbacher, M.D., David

380 views • 14 slides
Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Topic Outcomes Acquire data (from a disk) using `dd` Analyze image of disk from `dd` using forensics tools including

492 views • 19 slides
Mandos Disk encryption without passwords Teddy Hogeborn, Bjrn Phlsson 2020-01-29 When to

Mandos Disk encryption without passwords Teddy Hogeborn, Bjrn Phlsson 2020-01-29 When to

Mandos Disk encryption without passwords Teddy Hogeborn, Bjrn Phlsson 2020-01-29 When to use Mandos? 1. Physical/bare metal hardware? 2. More than just one physical machine? 3. Want to use full-disk encryption? You should use Mandos!

559 views • 11 slides
2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive

884 views • 70 slides
Rapid Deployment of Bare-Metal and In-Container HPC Clusters Using OpenHPC playbooks Joshua

Rapid Deployment of Bare-Metal and In-Container HPC Clusters Using OpenHPC playbooks Joshua

Rapid Deployment of Bare-Metal and In-Container HPC Clusters Using OpenHPC playbooks Joshua Higgins, Taha Al-Jody and Violeta Holmes HPC Research Group University of Huddersfield, UK HPC Systems Professionals Workshop (HPCSYSPROS18) Outline

211 views • 20 slides
Running on the Bare Metal with GeekOS David Hovemeyer, Jeffrey K. Hollingsworth, and Bobby

Running on the Bare Metal with GeekOS David Hovemeyer, Jeffrey K. Hollingsworth, and Bobby

Running on the Bare Metal with GeekOS David Hovemeyer, Jeffrey K. Hollingsworth, and Bobby Bhattacharjee University of Maryland, College Park 1 Outline Motivation Overview Projects Classroom Experience Conclusions 2 OS

365 views • 33 slides
Towards Converged SmartNIC Architecture for Bare Metal & Public Clouds Layong (Larry) Luo,

Towards Converged SmartNIC Architecture for Bare Metal & Public Clouds Layong (Larry) Luo,

Towards Converged SmartNIC Architecture for Bare Metal & Public Clouds Layong (Larry) Luo, Tencent TEG August 8, 2018 Agenda 1 SmartNIC in Bare Metal Cloud 2 SmartNIC in Public Cloud 3 Converged SmartNIC Architecture 4 Tencent

288 views • 28 slides
Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class of students Teaching digital forensics in a large class Teaching forensics at of students UL FRI Generating customized disk images Gaper Fele-or University of Ljubljana, Faculty of

446 views • 23 slides
New Directions in Disk Forensics Simson L. Garfinkel January 15, 2006, 3:15pm Postdoctoral

New Directions in Disk Forensics Simson L. Garfinkel January 15, 2006, 3:15pm Postdoctoral

New Directions in Disk Forensics Simson L. Garfinkel January 15, 2006, 3:15pm Postdoctoral Fellow, Center for Research on Computation and Society Harvard University 1 Here are 200 hard drives Which contain the email address

991 views • 77 slides
Run Kubernetes on OpenStack and Bare Metal Fast Ramon Acedo Rodriguez 1 Senior Principal

Run Kubernetes on OpenStack and Bare Metal Fast Ramon Acedo Rodriguez 1 Senior Principal

OPEN INFRASTRUCTURE SUMMIT | SHANGHAI, NOVEMBER 4-6 2019 Run Kubernetes on OpenStack and Bare Metal Fast Ramon Acedo Rodriguez 1 Senior Principal Product Manager, Red Hat Open Hybrid Cloud Vision OPTIONAL SECTION MARKER OR TITLE 2 The

1.02k views • 53 slides
Programming for Hostile Environments Our adversary: bare metal infrastructure June 2018 About Me

Programming for Hostile Environments Our adversary: bare metal infrastructure June 2018 About Me

Programming for Hostile Environments Our adversary: bare metal infrastructure June 2018 About Me Nathan Goulding, SVP Engineering ~15 years frontline engineer for infrastructure/cloud and media companies Currently lead engineering team at

657 views • 27 slides
Bare Metal Container National Institute of Advanced Industrial Science and Technology(AIST)

Bare Metal Container National Institute of Advanced Industrial Science and Technology(AIST)

Bare Metal Container National Institute of Advanced Industrial Science and Technology(AIST) Kuniyasu Suzaki 1 Contents Background of BMC Drawbacks of container, general kernel, and accounting. What is BMC? Current

837 views • 34 slides
Biolimus-Coated vs. Bare-Metal Coronary Stents in High Bleeding Risk Patients Philip Urban,

Biolimus-Coated vs. Bare-Metal Coronary Stents in High Bleeding Risk Patients Philip Urban,

Biolimus-Coated vs. Bare-Metal Coronary Stents in High Bleeding Risk Patients Philip Urban, Alexandre Abizaid, Ian T. Meredith, Stuart J. Pocock, Didier Carri, Christoph Naber, John Gregson, Samantha Greene, Hans Peter Stoll and

543 views • 33 slides
EPOXY: Shielding Bare-Metal Embedded Systems Mathias Payer (@gannimo), Purdue University Jointly

EPOXY: Shielding Bare-Metal Embedded Systems Mathias Payer (@gannimo), Purdue University Jointly

EPOXY: Shielding Bare-Metal Embedded Systems Mathias Payer (@gannimo), Purdue University Jointly with Abraham Clements and Saurabh Bagchi http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/Pwn2Own 2 Trends in

769 views • 39 slides
Ironic Deploy Templates: Bespoke Bare Metal Mark Goddard | mgoddard Open Infrastructure Summit |

Ironic Deploy Templates: Bespoke Bare Metal Mark Goddard | mgoddard Open Infrastructure Summit |

Ironic Deploy Templates: Bespoke Bare Metal Mark Goddard | mgoddard Open Infrastructure Summit | Denver 2019 Intro Work for StackHPC in Bristol, UK Working on OpenStack for HPC since 2014 Previously at Cray Core in

638 views • 51 slides
ISAR-CABG: Randomized, Superiority Trial of Drug-Eluting-Stent and Bare Metal Stent in Safenous

ISAR-CABG: Randomized, Superiority Trial of Drug-Eluting-Stent and Bare Metal Stent in Safenous

ISAR-CABG: Randomized, Superiority Trial of Drug-Eluting-Stent and Bare Metal Stent in Safenous Vein Graft Lesions J. Mehilli, MD , G. Richardt, F-J. Neumann, S. Massberg, K-L. Laugwitz, J. Pache, J. Hausleiter, I. Ott, M. Fusaro, T. Ibrahim,

765 views • 27 slides
From Bare-Metal Windows to Kubernetes in Two Months Paul Steele #IndyCloudConf About Me

From Bare-Metal Windows to Kubernetes in Two Months Paul Steele #IndyCloudConf About Me

From Bare-Metal Windows to Kubernetes in Two Months Paul Steele #IndyCloudConf About Me Software Engineer at SEP Purdue University https://blog.paul-steele.com/ #IndyCloudConf Greenfield #IndyCloudConf Legacy #IndyCloudConf

945 views • 69 slides
Bare Metal Library Abstractions for modern hardware Cyprien Noel Plan 1. Modern Hardware? 2.

Bare Metal Library Abstractions for modern hardware Cyprien Noel Plan 1. Modern Hardware? 2.

Bare Metal Library Abstractions for modern hardware Cyprien Noel Plan 1. Modern Hardware? 2. New challenges & opportunities 3. Three use cases Current solutions Leveraging hardware Simple abstraction Myself High

452 views • 26 slides

More recommend