The Undiscovered Country
Device Presence Estimation from Home Router Memory Dumps

Tobias Fiebig
University of Amsterdam
07/04/2013
The Situation

• Who has been where, and when, is an important question during an investigation.
• Example: One wants to establish that a murder suspect visited the victim's home on a specific date.
• People tend to carry all sorts of wireless and network capable devices with them.
• Nearly everywhere where there is Internet there is a small home router.
Router?

• Small device handed out by Internet Service Providers to a customer - enables the customer to have more than one device on the Internet.
• Mostly MIPS or ARM based.
• Cheap design - exposed JTAG ports are very common.
• Usually "manages" the local network, usually with RFC1918 addresses and DHCP.
DHCP?

• Stateful protocol to manage IPv4 address assignments.
• State has to be kept somewhere.
• Cannot do it in flash - memory file-system here we come!
JTAG?

• Standardized debug interface for most embedded CPUs.
• Allows direct access to device memory.
Research Question

Is it possible to extract DHCP state information from a home router's memory and establish a time-line of device presence with this information in a forensically sound manner?
Forensic Requirements

A forensically sound memory image extraction method has to have the following features [Vömel & Freiling, 2012]:

Correctness and Completeness: Everything that has been read was read as it was in the memory, nothing that has not been in that memory is read, and everything that is read is written to the dump-file as it was read.
Atomicity: If memory area A is read at time t, all subsequent ones have to be read in the state they had at t.
Integrity: The method does not change the memory contents before reading them.
Forensic Verification

Furthermore the following verification techniques should be applied to the technique:

Self-similarity check: Check for self-similarity using dotplots, following the method of [Inoue et al., 2011], to verify correctness.
Integrity check: Check if two subsequent extraction processes on the same target produce highly identical images and ensure that no transmission errors occur.
Hardware

• Experiments have been performed with a TP-Link 1043ND.
• Small MIPS based device.
• Readily available in the lab.
• Well documented.
• Nicely exposed JTAG port.
Method - Overview

The method itself consists of five steps, each one catering to some of the forensic requirements.

1 Plug-in the JTAG Cable
2 Connect patched OpenOCD
3 Halt the CPU
4 Extract memory
5 Analyze the image
Plug-in the JTAG Cable

Figure: A DLC5 Cable is used to connect a TP-Link 1043ND with a standard PC.
Plug-in the JTAG Cable

• Use of a "dumb" cable reduces the probability of tainted correctness due to operations on the cable.
Connect OpenOCD

• A tool for interacting with devices via JTAG.
• Not developed for forensics, but made so it "[...] never displays wrong or inaccurate information" [Rath, 2008, p. 38].
• Patched to directly access the memory instead of using the processor's MMU - eliminates further issues for the correctness.
• Should not perform any operations in the target memory.
Halt CPU

• Stops all execution in the CPU.
• Ensures atomicity - where there is no computation, there is no change.
Extract Memory

• Tell OpenOCD to get the memory...
• ... then mostly wait. Speed: 0.66KiB/s
• Takes roughly 12h for a 32MB image.
Analysis

• The lease-file on the 1043ND is not present as plain-text in RAM but only inside the DHCP server's memory structures.
• As available tooling has no MIPS support: Focus on log-messages containing the same information.
• Create a tool that extracts time-lines and creates visualizations.
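An added example, not the author's tool, of the log-message approach described above: it carves syslog-style DHCP server messages straight out of a raw memory image and turns them into a per-host presence time-line. The message wording (dnsmasq-style DHCPACK/DHCPRELEASE lines), the 4-field timestamp format and the sample image bytes are all assumptions made here; the regex has to be checked against the actual firmware's log format before its output is trusted.

```python
import re
from datetime import datetime

# Assumed syslog-style DHCP server messages (dnsmasq wording) as they sit in the
# router's RAM; the exact format depends on the firmware and must be verified.
LOG_RE = re.compile(
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)[^\n]*?"
    rb"(?P<ev>DHCPACK|DHCPRELEASE)\([^)]+\) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    rb"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>[\w.-]+))?"
)

def extract_events(image: bytes, year: int) -> list:
    """Carve DHCP log messages out of a raw memory image. Syslog timestamps
    carry no year, so the investigator supplies it (assumed: one calendar year)."""
    events = []
    for m in LOG_RE.finditer(image):
        stamp = " ".join(m["ts"].decode().split())  # collapse the padded day
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        host = m["host"].decode() if m["host"] else None
        events.append((ts, m["ev"].decode(), m["mac"].decode(), m["ip"].decode(), host))
    events.sort()
    return events

def presence_timeline(events: list) -> dict:
    """Per MAC: join time (first DHCPACK), last renewal seen, and an explicit
    leave time if a DHCPRELEASE was logged. Renewals only push last_seen forward."""
    timeline = {}
    for ts, ev, mac, ip, host in events:
        if ev == "DHCPACK":
            entry = timeline.setdefault(mac, {"host": host, "ip": ip, "joined": ts,
                                              "last_seen": ts, "released": None})
            entry["last_seen"] = max(entry["last_seen"], ts)
            entry["host"] = host or entry["host"]
        elif mac in timeline:  # DHCPRELEASE for a host we saw join
            timeline[mac]["released"] = ts
    return timeline

# Constructed sample "image": log lines sit between unrelated bytes, as in a
# real dump where the syslog ring buffer has no clean file boundary.
SAMPLE_IMAGE = b"".join([
    b"\x00\x7fELF\x01\x02",
    b"Apr  7 10:15:02 dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.1.102 00:11:22:33:44:55 laptop-a\n",
    b"\xde\xad\xbe\xef" * 4,
    b"Apr  7 10:16:40 dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.1.103 66:77:88:99:aa:bb phone-b\n",
    b"Apr  7 11:30:02 dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.1.102 00:11:22:33:44:55 laptop-a\n",
    b"\xff\xfe junk \x00",
    b"Apr  7 12:02:11 dnsmasq-dhcp[812]: DHCPRELEASE(br-lan) 192.168.1.103 66:77:88:99:aa:bb\n",
])
```

A host that never sends a DHCPRELEASE (a phone simply walking out of range) only has a last_seen time, which is why join-times are a better metric than leave-times.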
Test-Setup

Figure: Schematic representation of the setup used for testing the proposed method.
Simulated Scenarios

Performed extractions on the device after simulating seven different scenarios.

Scenario       Description
adv-test-1-4   boot 1 host, shutdown, wait 4h, dump memory
adv-test-1-8   boot 1 host, shutdown, wait 8h, dump memory
adv-test-8-4   boot 8 hosts, shutdown, wait 4h, dump memory
adv-test-8-8   boot 8 hosts, shutdown, wait 8h, dump memory
plain-test-4   boot 4 hosts, dump memory
plain-test-8   boot 8 hosts, dump memory
complex        boot 3 hosts, wait 1.25h, boot 3 hosts, shutdown 2 hosts, wait 12h, dump memory

Table: Overview of the simulated scenarios.
Image Validation

• In addition to these scenarios, the previously mentioned subsequent extraction from the same target state was performed. The extracted images were bit-wise identical. This indicates a high integrity of the method and no introduction of random errors during the transfer.
• The creation of a dotplot with the method described by [Inoue et al., 2011] indicated no significant self-similarities that would yield a tainted image.
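An added example (not the author's code) of the two verification techniques named under Forensic Verification and reported here: a page-level dotplot that flags windows of memory appearing twice in an image, and a byte-wise integrity comparison of two subsequent extractions. The 4 KiB page size, the all-zero page filter and the constructed sample image are assumptions; the dotplot pairs would normally be plotted rather than scanned for runs.

```python
import hashlib
from collections import defaultdict

PAGE_SIZE = 4096  # assumed page granularity for the dotplot

def page_hashes(image: bytes, page_size: int = PAGE_SIZE) -> list:
    """Hash each page so identical pages compare equal without pairwise byte compares."""
    return [hashlib.sha256(image[i:i + page_size]).digest()
            for i in range(0, len(image), page_size)]

def dotplot_points(image: bytes, page_size: int = PAGE_SIZE) -> list:
    """(i, j) pairs of identical pages with i < j; all-zero pages are skipped since
    unused RAM legitimately repeats. Plotting the pairs gives the dotplot."""
    zero = hashlib.sha256(b"\x00" * page_size).digest()
    buckets = defaultdict(list)
    for idx, h in enumerate(page_hashes(image, page_size)):
        if h != zero:
            buckets[h].append(idx)
    return [(a, b) for idxs in buckets.values()
            for n, a in enumerate(idxs) for b in idxs[n + 1:]]

def longest_off_diagonal_run(points: list) -> int:
    """Longest diagonal (i, j), (i+1, j+1), ... of identical pages. A long run away
    from the main diagonal means a window of memory appears twice in the image,
    e.g. because the dump loop re-read it, which taints correctness."""
    pts = set(points)
    best = 0
    for i, j in pts:
        if (i - 1, j - 1) in pts:
            continue  # not the start of a run
        n = 0
        while (i + n, j + n) in pts:
            n += 1
        best = max(best, n)
    return best

def integrity_check(img_a: bytes, img_b: bytes) -> dict:
    """Byte-wise compare two subsequent extractions of the same halted target."""
    if len(img_a) != len(img_b):
        return {"identical": False, "length_mismatch": True, "differing_bytes": None}
    diff = sum(1 for x, y in zip(img_a, img_b) if x != y)
    return {"identical": diff == 0, "length_mismatch": False, "differing_bytes": diff}

def sample_image(pages: int = 64) -> bytes:
    """Constructed 256 KiB image: distinct pages, two zero pages, and pages 40-43
    duplicated from pages 10-13 to stand in for a re-read window."""
    parts = [hashlib.sha256(str(i).encode()).digest() * (PAGE_SIZE // 32)
             for i in range(pages)]
    parts[5] = parts[6] = b"\x00" * PAGE_SIZE
    for k in range(4):
        parts[40 + k] = parts[10 + k]
    return b"".join(parts)
```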
Image Validation

Figure: Dotplot showing self-similarity between pages in a memory image obtained by the author. The axes show the index of the corresponding pages.
Result Metrics

• Amount of correctly detected host presences.
• Correctly detected join-times.
• Hosts that could be found in the DHCP server memory.
• Hosts that were detected but were not actually present.