TRANSCRIPT
-
8/7/2019 BlackHat_DC_2011_Case_De-Anonymizing Live CDs-Slides-1
1/61
-
Speaker Background
Computer Science degree from the University of New Orleans
Former Security Consultant for Neohapsis
Worked for Digital Forensics Solutions since 2009
Work experience ranges from penetration testing to reverse engineering to forensics investigations/IR to related research
-
Agenda
Discuss Live CDs and how they disrupt the normal forensics process
Present research that enables traditional investigative techniques against live CDs
Discuss issues with Tor's insecure handling of memory and present preliminary memory analysis research
-
Normal Forensics Process
Obtain Hard Drive -> Acquire Disk Image -> Verify Image -> Process Image -> Perform Investigation
-
Traditional Analysis Techniques
Timelining of activity based on MAC times
Hashing of files
Indexing and searching of files and unallocated space
Recovery of deleted files
Application specific analysis
  Web activity from cache, history, and cookies
  E-mail activity from local stores (PST, Mbox, ...)
-
Problem of Live CDs
Live CDs allow users to run an operating system and all applications entirely in RAM
This makes traditional digital forensics (examination of disk images) impossible
All the previously listed analysis techniques cannot be performed
-
The Problem Illustrated
Obtain Hard Drive -> Acquire Disk Image -> Verify Image -> Process Image -> Perform Investigation
(With a live CD there is no hard drive to obtain, so the chain breaks at its first step and none of the later steps can be performed.)
-
No Disks or Files, Now What?
All we can obtain is a memory capture
With this, an investigator is left with very limited and crude analysis techniques
  Can still search, but can't map to files or dates
  No context, hard to present coherently
  File carving becomes useless (next slide)
  Good luck in court
-
File Carving
Used extensively to recover previously deleted files/data
Uses a database of headers and footers to find files within raw byte streams such as a disk image
Finds instances of each header followed by the footer
Example file formats:
  JPEG - \xff\xd8\xff\xe0\x00\x10 - \xff\xd9
  GIF - \x47\x49\x46\x38\x37\x61 - \x00\x3b
-
File Carving Cont.
File carving relies on contiguous allocation of files
  Luckily modern filesystems strive for low fragmentation
Unfortunately for memory analysis, physical pages for files are almost never allocated contiguously
  Page size is only 4k so no structured file will fit
  Is the equivalent of a completely fragmented filesystem
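The two slides above can be demonstrated with a small header/footer carver run over the same constructed file laid out first as a disk image (contiguous) and then as a memory image (one 4 KiB page at a time with unrelated pages in between). This is an added example, not code from the talk; the JPEG and GIF signatures are the ones on the slide, and the file, the filler bytes and both layouts are constructed.

```python
import re

# Header/footer pairs from the slide, as a tiny carving "database"
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff\xe0\x00\x10", b"\xff\xd9"),
    "gif": (b"\x47\x49\x46\x38\x37\x61", b"\x00\x3b"),
}
PAGE_SIZE = 4096  # x86 page size: the allocation unit of physical memory


def carve(stream: bytes, max_len: int = 1 << 20):
    """Header/footer carving: for every header hit, take bytes up to and
    including the nearest following footer. Returns (kind, offset, data)."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), stream):
            start = m.start()
            end = stream.find(foot, start + len(head), start + max_len)
            if end != -1:
                found.append((kind, start, stream[start:end + len(foot)]))
    return sorted(found, key=lambda hit: hit[1])


def fake_jpeg(payload_len: int) -> bytes:
    """Constructed stand-in for a JPEG: header, filler that never contains
    the signature byte 0xff, then the footer."""
    head, foot = SIGNATURES["jpeg"]
    return head + bytes((i * 7) % 251 for i in range(payload_len)) + foot


def disk_layout(file_bytes: bytes) -> bytes:
    """Disk image: the file sits in one contiguous run between other data."""
    return b"\x00" * 1000 + file_bytes + b"\x00" * 1000


def memory_layout(file_bytes: bytes) -> bytes:
    """Memory image: each 4 KiB page of the file is a separate physical page
    with an unrelated page in between, as the page cache allocates them."""
    unrelated = b"\x11" * PAGE_SIZE
    image = b""
    for off in range(0, len(file_bytes), PAGE_SIZE):
        image += unrelated + file_bytes[off:off + PAGE_SIZE].ljust(PAGE_SIZE, b"\x00")
    return image + unrelated


def compare_layouts(payload_len: int = 10000) -> dict:
    """Carve the same constructed file out of both layouts and report whether
    each carve reproduced the original bytes."""
    original = fake_jpeg(payload_len)
    disk = [data for _, _, data in carve(disk_layout(original))]
    mem = [data for _, _, data in carve(memory_layout(original))]
    return {
        "true_len": len(original),
        "disk_ok": disk == [original],
        "mem_ok": mem == [original],
        "mem_carved_len": len(mem[0]) if mem else 0,  # unrelated pages get swept in
    }
```

On the memory layout the header and footer are both found, but the carved blob also contains the unrelated pages that sit between the file's pages, so the result is the wrong size and the wrong bytes.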
-
People Have Caught On
The Amnesic Incognito Live System (TAILS) [1]
  "No trace is left on local storage devices unless explicitly asked."
  "All outgoing connections to the Internet are forced to go through the Tor network"
Backtrack [2]
  "ability to perform assessments in a purely native environment dedicated to hacking."
-
What It Really Means
Investigators without deep kernel internals knowledge and programming skill are basically hopeless
It is well known that the use of live CDs is going to defeat most investigations
  Main motivation for this work
  Plenty of anecdotal evidence of this can be found through Google searches
-
What is the Solution?
Memory Analysis! It is the only method we have available
This analysis gives us:
  The complete filesystem structure including file contents and metadata
  Deleted files (maybe)
  Userland process memory and filesystem information
-
Goal 1: Recovering the File System
Steps needed to achieve this goal:
1. Understand the in-memory filesystem
2. Develop an algorithm that can enumerate directories and files
3. Recover metadata to enable timelining and other investigative techniques
-
The In-Memory Filesystem
AUFS (Another Union FS) http://aufs.sourceforge.net/
Used by TAILS, Backtrack, Ubuntu 10.04 installer, and a number of other Live CDs
Not included in the vanilla kernel, loaded as an external module
-
AUFS Internals
Stackable filesystem
Presents a multi-layer filesystem as a single one to users
This allows for files created after system boot to be transparently merged on top of the read-only CD
Each layer is termed a branch
In the live CD case, one branch for the CD, and one for all other files made or changed since boot
-
AUFS Userland View of TAILS
Mount points relevant to AUFS:
  # cat /proc/mounts
  aufs / aufs rw,relatime,si=4ef94245,noxino
  /dev/loop0 /filesystem.squashfs squashfs
  tmpfs /live/cow tmpfs
  tmpfs /live tmpfs rw,relatime
The mount point of each AUFS branch:
  # cat /sys/fs/aufs/si_4ef94245/br0
  /live/cow=rw
  # cat /sys/fs/aufs/si_4ef94245/br1
  /filesystem.squashfs=rr
-
Forensics Approach
No real need to copy files from the read-only branch
  Just image the CD
On the other hand, the writable branch contains every file that was created or modified since boot
  Including metadata
  No deleted ones though, more on that later
-
Linux Internals Overview I
struct dentry
  Represents a directory entry (directory, file, ...)
  Contains the name of the directory entry and a pointer to its inode structure
struct inode
  FS generic, in-memory representation of a disk inode
  Contains the address_space structure that links an inode to its file's pages
struct address_space
  Links physical pages together into something useful
  Holds the search tree of pages for a file
-
Enumerating Directories
Once we can enumerate directories, we can recover the whole filesystem
Not as simple as recursively walking the children of the filesystem's root directory
AUFS creates hidden dentrys and inodes in order to mask branches of the stacked filesystem
Need to carefully interact between AUFS and tmpfs structures
-
Directory Enumeration Algorithm
1) Walk the superblocks list until the aufs filesystem is found
   This contains a pointer to the root dentry
2) For each child dentry, test if it represents a directory
   If the child is a directory:
     Obtain the hidden directory entry (next slide)
     Record metadata and recurse into directory
   If the child is a regular file:
     Obtain the hidden inode and record metadata
-
Obtaining a Hidden Directory
struct dentry {
  d_inode
  d_name
  d_subdirs
  d_fsdata -> struct au_dinfo { au_hdentry[] }
}
The au_hdentry array is indexed by branch number (0, 1); each entry holds a pointer to a hidden dentry.
Each kernel dentry stores a pointer to an au_dinfo structure inside its d_fsdata member
The di_hdentry member of au_dinfo is an array of au_hdentry structures that embed regular kernel dentrys
-
Obtaining Metadata
All useful metadata such as MAC times, file size, file owner, etc is contained in the hidden inode
This information is used to fill the stat command and istat functionality of the Sleuthkit
Timelining becomes possible again
-
Obtaining a Hidden Inode
struct aufs_icntnr {
  iinfo -> struct au_iinfo { ii_hinode[] }
  inode
}
The ii_hinode array is indexed by branch number (0, 1); each entry holds a pointer to a hidden struct inode.
Each aufs controlled inode gets embedded in an aufs_icntnr
This structure also embeds an array of au_hinode structures which can be indexed by branch number to find the hidden inode of an exposed inode
-
Goal 2: Recovering File Contents
The size of a file is kept in its inode's i_size member
An inode's page_tree member is the root of the radix tree of its physical pages
In order to recover file contents this tree needs to be searched for each page of a file
The lookup function returns a struct page which leads to the backing physical page
-
Recovering File Contents Cont.
Indexing the tree in order and gathering each page will lead to accurate recovery of a whole file
This algorithm assumes that swap isn't being used
  Using swap would defeat much of the purpose of anonymous live CDs
Tmpfs analysis is useful for every distribution
  Many distros mount /tmp using tmpfs, shmem, etc
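The enumeration algorithm (Goal 1) and the page-tree content recovery (Goal 2) can be run together on a model of the structures described above. This is an added example, not the talk's Volatility code: the kernel's d_fsdata/au_dinfo and aufs_icntnr/ii_hinode indirections are collapsed into one per-branch map (a modelling assumption), the page tree is a dict keyed by page index, and the sample tree, inode numbers, times and contents are constructed. A missing page is treated as the no-swap assumption failing.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PAGE_SIZE = 4096        # one page-cache page holds 4 KiB of a file
BR_COW, BR_CD = 0, 1    # TAILS branch numbers: br0 = /live/cow (rw), br1 = squashfs (rr)

@dataclass
class HiddenInode:
    """The tmpfs/squashfs inode behind an aufs inode (ii_hinode[branch])."""
    i_ino: int
    i_size: int
    i_mtime: int  # one of the MAC times used for timelining
    page_tree: Dict[int, bytes] = field(default_factory=dict)  # page index -> page

@dataclass
class Dentry:
    """An aufs-exposed dentry; 'hidden' stands in for the d_fsdata -> au_dinfo
    and aufs_icntnr -> ii_hinode lookups, keyed by branch (modelling assumption)."""
    d_name: str
    is_dir: bool
    d_subdirs: List["Dentry"] = field(default_factory=list)
    hidden: Dict[int, HiddenInode] = field(default_factory=dict)

def enumerate_fs(root: Dentry, path: str = "") -> List[Tuple[str, int, HiddenInode]]:
    """Slide 22's walk: visit each child dentry; directories are recursed into,
    regular files yield (path, branch, hidden inode) so metadata can be recorded."""
    found = []
    for child in root.d_subdirs:
        full = f"{path}/{child.d_name}"
        if child.is_dir:
            found.extend(enumerate_fs(child, full))
        else:
            for branch, hinode in sorted(child.hidden.items()):
                found.append((full, branch, hinode))
    return found

def recover_contents(hinode: HiddenInode) -> Optional[bytes]:
    """Slides 26/27: look up every page index the file spans, in order, join
    the pages and truncate to i_size. A missing page means the no-swap
    assumption failed, so the file is reported as unrecoverable (None)."""
    npages = (hinode.i_size + PAGE_SIZE - 1) // PAGE_SIZE
    pages = []
    for idx in range(npages):
        page = hinode.page_tree.get(idx)
        if page is None:
            return None
        pages.append(page)
    return b"".join(pages)[:hinode.i_size]

# Constructed sample: /etc/hostname from the CD branch; a two-page file written after boot on /live/cow
HOSTNAME = HiddenInode(17, 8, 1290000000, {0: b"amnesia\n".ljust(PAGE_SIZE, b"\0")})
NOTES = HiddenInode(4242, 5000, 1296000000,
                    {0: b"A" * PAGE_SIZE, 1: (b"B" * 904).ljust(PAGE_SIZE, b"\0")})
SAMPLE_ROOT = Dentry("/", True, [
    Dentry("etc", True, [Dentry("hostname", False, hidden={BR_CD: HOSTNAME})]),
    Dentry("home", True, [Dentry("amnesia", True,
                                 [Dentry("notes.txt", False, hidden={BR_COW: NOTES})])]),
])
```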
-
Goal 3: Recovering Deleted Info
Discussion:
1. Formulate approach
2. Discuss the kmem_cache and how it relates to recovery
3. Attempt to recover previously deleted file and directory names, metadata, and file contents
-
Approach
We want orderly recovery
To accomplish this, information about deleted files and directories needs to be found in a non-standard way
  All regular lists, hash tables, and so on lose track of structures as they are deleted
Need a way to gather these structures in an orderly manner
  kmem_cache analysis to the rescue!
-
Recovery through kmem_cache analysis
A kmem_cache holds all structures of the same type in an organized manner
  Allows for instant allocations & deallocations
  Used for handling of processes, memory mappings, open files, and many other structures
Implementation controlled by the allocator in use
  SLAB and SLUB are the two main ones
-
kmem_cache Internals
Both allocators keep track of allocated and previously de-allocated objects on three lists:
  full, in which all objects are allocated
  partial, a mix of allocated and de-allocated objects
  free, previously freed objects*
The free lists are cleared in an allocator dependent manner
  SLAB leaves free lists intact for long periods of time
  SLUB is more aggressive
-
kmem_cache Illustrated
/proc/slabinfo contains information about each current kmem_cache
Example output:
  # name <active_objs> <num_objs>
  task_struct 101 154
  mm_struct 699
  filp 901 1420
The difference between num_objs and active_objs is how many free objects are being tracked by the kernel
-
Recovery Using kmem_cache Analysis
Enumeration of the lists with free entries reveals previous objects still being tracked by the kernel
The kernel does not clear the memory of these objects
Our previous work has demonstrated that much previously de-allocated, forensically interesting information can be leveraged from these caches [4]
-
Recovering Deleted Filesystem Structure
Both Linux kernel and aufs directory entries are backed by the kmem_cache
Recovery of these structures reveals names of previous files and directories
If the d_parent member is still intact, can place entries within the filesystem
-
Recovering Previous Metadata
Inodes are also backed by the kmem_cache
  Recovery means we can timeline again
Also, the dentry list of the AUFS inodes still has entries (strange)
  This allows us to link inodes and dentrys together
Now we can reconstruct previously deleted file information with not only filenames & paths, but also MAC times, sizes, inode numbers, and more
-
Recovering File Contents
Bad News
Again, inodes are kept in the kmem_cache
Unfortunately, page cache entries are removed upon deallocation, making lookup impossible
  A large number of pointers would need to stay intact for this to work
This removes the ability to recover file contents in an orderly manner
  Other ways may be possible, but will require more research
-
Summary of File System Analysis
Can completely recover the in-memory filesystem, its associated metadata, and all file contents
Ordered, partial recovery of deleted filenames and their metadata is also possible
Traditional forensics techniques can be made possible against live CDs
  Making such analysis accessible to all investigators
-
Implementation
Recovery code was originally written as loadable kernel modules
  Allowed for rapid development and testing of ideas
2nd implementation was developed for Volatility
VMware Workstation snapshots were used to avoid rebooting of the live CD and reinstallation of software
  TAILS doesn't include development tools/headers
  This saved days of research time
-
Testing
Output was compared to known datasets
  Directories and files with scripted contents
  Metadata was compared to the stat command
  File contents were compared to scripted contents
Deleted information was analyzed through previously allocated structures
  While a file was still allocated, its dentry, inode, etc pointers were saved
  File was deleted and these addresses were examined for previous data
-
Memory Analysis of Tor
-
Tor Overview
Used by millions of people worldwide to perform anonymous Internet communications
Anonymity of communications is essential to whistleblowers, journalists from nations without freedom of the press, and to a number of other professions
Any recovery of Tor related activity can have dire consequences for such people
-
One Slide Technical Overview
Tor encrypts and sends traffic from clients to a number of other hosts before it is sent to the recipient destination
Only the final Tor endpoint can decrypt the actual packet contents
  All others can only decrypt the necessary routing information
The endpoint used is changed at regular intervals to ensure that a compromise does not remove all anonymity
-
Tor Analysis Motivation
Forensics/IR Perspective
TAILS and a number of other live CDs use Tor to avoid network forensics
Not being able to obtain or reconstruct traffic can make certain investigation scenarios impossible
If memory analysis can reveal useful evidence then the inability to perform network analysis is not as painful
-
Tor Analysis Motivation
Privacy Perspective
Tor provides an extremely useful platform to perform anonymous communications
To ensure that communications are indeed secure, memory analysis needs to be performed on all systems that process unencrypted data
-
Analyzing Memory Activity of Tor
Analysis reveals that Tor does not always securely erase memory after it's used
  Sound familiar?
Since we have access to the process memory of Tor we should be able to recover data of interest.
Papers discussing how to recover userland process memory are referenced in the whitepaper
-
Initial Setup & Analysis
Privoxy is a Tor-aware HTTP proxy
Tor was installed along with Privoxy on the test virtual machine
wget was then configured to use Privoxy, which would relay the information to Tor
Before digging into source code, performed the Poor Man's Test (next slide)
-
The Poor Man's Test
1. Used wget to recursively download digitalforensicssolutions.com
2. Verified Tor network connections closed
3. Used memfetch [3] to dump the heap of the tor process
4. Ran strings on heap file
5. # grep -c digitalforensics strings-output
   7
Looking good so far.
-
Initial Analysis Results
Analysis revealed that HTTP headers, downloaded page contents, server information, and more were contained in its memory
It seemed that the last used HTTP header was kept in memory
  Possibly a single buffer used for this?
Numerous instances were found for the other types of data
-
Interesting Output from Strings
1) HTTP REQUEST
  GET /incidence-response.html HTTP/1.0
  Referer: http://www.digitalforensicssolutions.com/
  User-Agent: Wget/1.12 (linux-gnu)
  Accept: */*
  Host: www.digitalforensicssolutions.com
2) HTML fragments from downloaded web page
  Evidence Preservation
  Our evidence preservation methodology provides an exact copy of any digital evidence and ensures that the authenticity and integrity of both the duplicate copy and the original data source is preserved.
  Evidence Custody
-
Digging Deeper into Tor
After seeing the previous results, source code analysis was performed
Again, orderly collection of data is our goal
Much more analysis is possible than what was covered in this initial analysis
Still on-going research
-
Script 1 - Walking Tor's freelist
Tor keeps chunks in its global freelist in order to provide fast allocation of new memory
  Very similar to the workings of the kmem_cache
The script enumerates the freelist array and dumps all memory contained
-
Freelist Structure
  typedef struct chunk_freelist_t {
    size_t alloc_size;   // size of chunk
    int cur_length;      // number on list
    chunk_t *head;
  } chunk_freelist_t;

  typedef struct chunk_t {
    struct chunk_t *next;
    size_t datalen;
    char *data;
  } chunk_t;
freelist is an instance of chunk_freelist_t
Each chunk is represented by a chunk_t
-
Script 2 - Tor's Cell Pool Cache
In Tor, all data is sent and received as a packed cell
cell_pool is a memory pool that holds cells allocated and deallocated by Tor
  Unless the pool is cleaned
Walking this pool enumerates every cell structure including its contents (payload)
Unfortunately the payloads are encrypted
-
Cell Pool Structures & Enumeration
  struct mp_pool_t {
    struct mp_chunk_t *empty_chunks, *used_chunks, *full_chunks;
    size_t item_alloc_size;
  }

  struct mp_chunk_t {
    mp_chunk_t *next;
    mp_chunk_t *prev;
    size_t mem_size;
    char mem[1];
  }
cell_pool is of type mp_pool_t
The recovery script walks the three mp_chunk_t lists as well as the doubly linked list contained in each mp_chunk_t
This leads to the type-agnostic mem buffer of each chunk
-
Recovery of Packed Cells
mp_chunk_t structures hold type-agnostic data
In the cell pool these are represented by a:
  typedef struct packed_cell_t {
    struct packed_cell_t *next;
    char body[CELL_NETWORK_SIZE];
  } packed_cell_t;
Walking the next list retrieves reachable packed cells
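Script 1 and the packed-cell walk of Script 2 are both bounded pointer chases through a captured heap; the following added example (not the talk's script) shows the Script 1 case against a constructed heap image using the chunk_freelist_t and chunk_t layouts from the slides on a 64-bit little-endian build. The base address, the two leftover payloads and the field packing are assumptions; the walker stops on a NULL, an out-of-image pointer, or a cycle, since a freelist in a memory capture can carry stale links.

```python
import struct

BASE = 0x7f3a00000000               # constructed: address the heap image was captured from
FREELIST = struct.Struct("<QiiQ")   # size_t alloc_size; int cur_length; (pad); chunk_t *head
CHUNK = struct.Struct("<QQQ")       # struct chunk_t *next; size_t datalen; char *data


def build_heap(payloads):
    """Constructed heap image: chunk_freelist_t at BASE, then the chunk_t
    records, then their data buffers, which still hold their old contents."""
    n = len(payloads)
    chunks_off = FREELIST.size
    data_off = chunks_off + CHUNK.size * n
    recs, data = [], b""
    for i, payload in enumerate(payloads):
        nxt = BASE + chunks_off + CHUNK.size * (i + 1) if i + 1 < n else 0
        recs.append(CHUNK.pack(nxt, len(payload), BASE + data_off + len(data)))
        data += payload
    head = BASE + chunks_off if n else 0
    return FREELIST.pack(512, n, 0, head) + b"".join(recs) + data


def read_at(image, addr, size):
    """Bounds-checked read; None for NULL or a pointer outside the capture."""
    off = addr - BASE
    if addr == 0 or off < 0 or off + size > len(image):
        return None
    return image[off:off + size]


def walk_freelist(image, freelist_addr=BASE):
    """Script 1: follow head -> next through the chunk_t records and dump each
    chunk's data buffer as (chunk address, bytes)."""
    rec = read_at(image, freelist_addr, FREELIST.size)
    if rec is None:
        return []
    _alloc_size, _cur_length, _pad, ptr = FREELIST.unpack(rec)
    seen, dumped = set(), []
    while ptr and ptr not in seen:           # NULL ends the list; a repeat is a cycle
        seen.add(ptr)
        rec = read_at(image, ptr, CHUNK.size)
        if rec is None:                      # pointer left the captured region
            break
        nxt, datalen, data_ptr = CHUNK.unpack(rec)
        data = read_at(image, data_ptr, datalen)
        dumped.append((ptr, b"" if data is None else data))
        ptr = nxt
    return dumped


# Constructed leftovers of the kind the strings run surfaced: a proxied request
# and a fragment of the fetched page.
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
    b"<html><title>Evidence Preservation</title>",
]
```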
-
Conclusion
Memory analysis of Live CDs is no longer difficult
Use of the presented research enables traditional forensics techniques to be used
As if we didn't know already, applications are really bad about handling of sensitive data in memory
-
Future Work - Live CD Filesystems
Integrate analysis code into Volatility
Test against more Live CDs / aufs configurations
  aufs has a number of configuration options
Look into stackable filesystems used by other Live CDs
  Unionfs is a good target (used by Debian, Gentoo, etc)
-
Future Work - Tor
Work on recovery of encrypted Tor cells
  Need to find the encryption key, match it to the packed cell, and then decrypt the payload section
Tor developers are aware of the memory handling issues; their response will determine the amount of further work possible
-
References
[1] https://amnesia.boum.org/
[2] http://www.backtrack-linux.org
[3] lcamtuf.coredump.cx/soft/memfetch.tgz
[4] A. Case, et al., "Treasure and Tragedy in kmem_cache Mining for Live Forensics Investigation," Proceedings of the 10th Annual Digital Forensics Research Workshop (DFRWS 2010), Portland, OR, 2010.