Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Anti-forensic Rootkits
This is …
• Data Hiding
– Put the data on disk but put it somewhere the
forensic analyst is unlikely to look
– E.g. Defilers toolkit, runefs,
• Data Misdirection
– Provide the forensic analyst false data that is
indistinguishable from the real thing
– No public examples… until now.
• The Aim
– Gather the “best” evidence available
• Encrypted volumes
Copyright Security-Assessment.com 2006
Digital Forensics Acquisition
Live imaging is now common practice
• Tools
– Helix (dd/netcat)
– Prodiscover IR
– Encase EEE/FIM
– FTK
– Smart
– …
Un-trusted Network
Suspicious Server
Un-trusted OS Kernel
Trusted Disk
• DD
– Cryptcat
Trusted? Acquisition Client
Application
• Prodiscover IR
Un-trusted OS Kernel – Twofish
Encryption
Trusted Disk
uhhh… ok
Kernel Mode
2 3. NtReadFile() processed
KiSystemService
(Ntoskrnl.exe)
4 4. I/O Subsystem called
Call NtReadFile()
3 Initiate I/O Operation 5. I/O Request Packet (IRP)
(Ntoskrnl.exe) (driver.sys)
generated
File System Driver
6
(ntfs.sys, …) 5
7. Data at File1.txt offset 0
Volume manager disk driver
7 requested from ntfs.sys
(ftdisk.sys, dmio.sys)
• \\.\PhysicalMemory
– Contains what is in physical memory
– Only sees memory it can access safely
– Changes as it is read
• \\.\PhysicalDriveX
– The raw data on the disk
– Ignores software cache
– Could change as it is read
1 2 3
Disk Array
Disk Array
Disk Array
E.g. Fu, FuTo
1 2 3
Disk Array
Disk Array
1 2 3
Disk Array
Cluster Area
• \\.\PhysicalMemory
3
View of Memory
Call NtMapViewofSection()
View of Memory
(Ntoskrnl.exe)
• Avoidable
– Zw Interception easily bypassed by multiple
unpublished forensic memory techniques
– Firewire works too
• Doesn’t hide
– Memory mapped files
– Memory paged to disk
http://www.security-assessment.com
darren.bilby@security-assessment.com