![Page 1: NoSQL Forensics - SANS Institute · PDF fileNoSQL Forensics What to Do with (No)ARTIFACTS Matt Bromiley ... digital forensics • Work with clients from small, regional shops to multinational](https://reader031.vdocuments.us/reader031/viewer/2022030408/5a897f977f8b9a14748eacbc/html5/thumbnails/1.jpg)
© Mandiant, a FireEye Company. All rights reserved.
NoSQL Forensics
What to Do with (No)ARTIFACTS
Matt Bromiley
Senior Consultant, Mandiant
Agenda
• $ whoami
• Why Does this Matter?
• Examining MongoDB Artifacts
• Config File
• CRUD Artifacts
• User Sessions
• In-Row Data
• Searching Through Memory
• NoSQL Triage
• Q&A
$ whoami
$ whoami
• Currently a Senior Consultant with Mandiant
• 4+ years experience with a focus on data breaches,
incident response, network security monitoring, and
digital forensics
• Work with clients from small, regional shops to
multinational Fortune 50s
• LOVE to develop open source forensic tools, share,
teach, learn, and help others improve (while improving
myself!)
Tweet/Git/Blog
[@]505Forensics[.com]
Why Does This Matter?
Why Does This Matter?
• With Microsoft, Oracle, SAP, and IBM leading the
pack, who cares about NoSQL?!
• NoSQL is on the rise!
• Easy to deploy
• Web app friendly
• APIs out the …
• Open-source, so lots and lots of players
• MongoDB
• Elastic(search)
• Couchbase
• Cassandra
• Hadoop
Houdini’s Quartet of Squares
Why Does This Matter? (cont.)
• Who's Using This Stuff?
• MongoDB: ADP, The Weather Channel, MetLife, City of Chicago
• Elastic(search): Netflix, Target, LinkedIn, OpenTable, GitHub
• Couchbase: BMW, U.S. Senate, Comcast, Starbucks, eBay, AOL
• Hadoop: eBay, Expedia, Kayak, Samsung
• Even with all this support…the default sucks!
• Security is not a primary consideration
• Ease of coding, data accessibility > data security
Why Does This Matter? (cont.)
• Reports are being published on Internet-facing MongoDB servers with little or NO authentication
• Three students from University of Saarland in Germany published a report in January 2015
of nearly 40,000 MongoDB databases openly available on the Internet
• Shodan can be used to scan for NoSQL databases
Examining MongoDB Artifacts
Examining MongoDB Artifacts
• Config File
• /etc/mongodb.conf
• First place to look!
• Logging
• Where
• What
• How
• Security
• Authentication On/Off?
• Access
• IP Address
• Connection Ports
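The config file is where the answers to the bullets above live, so it is worth pulling those settings out mechanically on every engagement. The following is an added example, not code from the original deck: it reads either the legacy "key = value" format used by /etc/mongodb.conf on 2.4-era installs or the YAML format of 2.6+ (/etc/mongod.conf), using a small indent-based parser so it needs nothing outside the standard library, and reports logging, authentication, bind address and port. Both sample configs are constructed for illustration.

```python
"""Triage a MongoDB config file for logging, authentication, bind address
and port. Added example; handles the legacy key = value format and the
YAML format (scalar mappings only). Sample configs are constructed."""
import re

LEGACY_CONF = """\
# constructed sample: legacy-format /etc/mongodb.conf
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
logappend = true
port = 27017
# bind_ip = 127.0.0.1
#auth = true
"""

YAML_CONF = """\
# constructed sample: YAML-format /etc/mongod.conf
storage:
  dbPath: /var/lib/mongodb
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_legacy(text):
    """'key = value' per line; '#' starts a comment, so a commented-out
    setting never appears (which is exactly the evidence we want)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def parse_yaml_subset(text):
    """Flatten nested 'section:' / '  key: value' YAML into dotted keys."""
    settings, stack = {}, []          # stack holds (indent, section name)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # left a nested section
            stack.pop()
        dotted = ".".join([name for _, name in stack] + [key.strip()])
        if value.strip():
            settings[dotted] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return settings


def triage_config(text):
    """Normalise either format into the fields an examiner needs first."""
    if re.search(r"^\s*\w+\s*=", text, re.M):          # legacy format
        s = parse_legacy(text)
        return {"format": "legacy",
                "logpath": s.get("logpath"),
                "dbpath": s.get("dbpath"),
                "auth": s.get("auth", "false").lower() == "true",
                "bind_ip": s.get("bind_ip"),
                "port": s.get("port", "27017")}
    s = parse_yaml_subset(text)
    to_file = s.get("systemLog.destination") == "file"
    return {"format": "yaml",
            "logpath": s.get("systemLog.path") if to_file else None,
            "dbpath": s.get("storage.dbPath"),
            "auth": s.get("security.authorization", "disabled").lower() == "enabled",
            "bind_ip": s.get("net.bindIp"),
            "port": s.get("net.port", "27017")}


def findings(text):
    """Turn the normalised settings into notes that drive the next steps."""
    t = triage_config(text)
    return [
        "log file: " + (t["logpath"] or "none in config (stdout/syslog) - check the service manager"),
        "data directory: " + str(t["dbpath"]),
        "authentication: " + ("ON" if t["auth"] else "OFF (the default) - any client that reached the port had full access"),
        "bind address: " + (t["bind_ip"] or "unset - listened on every interface (mongod default before 3.6)"),
        "port: " + str(t["port"]),
    ]


if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("yaml", YAML_CONF)):
        print(f"== {label} ==")
        for note in findings(conf):
            print("  " + note)
```

The log path is the handoff to the CRUD and session slides that follow: if the config sends logs to a file, that file is the next artifact to collect; if it does not, the service manager (syslog, journald) is where the same lines ended up.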
Examining MongoDB Artifacts
• CRUD Operations
CREATE
$ mongo
> use testdata
switched to db testdata
> db.blog.insert({"Title":"My First Post","Author":"505Forensics"})
Examining MongoDB Artifacts
• CRUD Operations (cont.)
Log Output
v2.x
v3.x
Examining MongoDB Artifacts
• CRUD Operations
READ
> db.blog.findOne()
{
"_id" : ObjectId("55879d3aeca5d08121fe1118"),
"Title" : "My New Blog",
"Author" : "505Forensics"
}
Examining MongoDB Artifacts
• CRUD Operations (cont.)
Log Output…
Examining MongoDB Artifacts
• CRUD Operations
UPDATE
> post = db.blog.findOne()
> post.comments = [{"Comment 1":"This is a comment!"},{"Comment 2":"This is another comment!"}]
> db.blog.update({"Title":"My New Blog"},post)
Examining MongoDB Artifacts
• CRUD Operations (cont.)
Log Output…
Examining MongoDB Artifacts
• CRUD Operations
DELETE
> db.blog.remove({"Title":"My New Blog"})
Examining MongoDB Artifacts
• CRUD Operations (cont.)
Log Output…
Examining MongoDB Artifacts
• CRUD Operations
In summary:
• Default logging SUCKS!
• Importance of config file to find other artifacts of relevance
• External logs
• Default port: 27017
• Authentication
• Turn to other artifacts within MongoDB to identify information around data
• User session IDs
• IP addresses/ports
• Timestamps within records
• Memory dump
Examining MongoDB Artifacts
• User Sessions
• Upon connection, each user session is assigned an ID #
• Use the conn# to track user activity
• Captures interactive user sessions
• Also captures API/script interactions
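Tracking a conn# across the log is the one place the default log does give you a session: the "connection accepted from IP:port #N" line ties the number to a source, and every later line tagged [connN] belongs to that client. The following is an added example, not code from the original deck: it rebuilds per-connection sessions from a mongod log and flags connections from non-internal addresses. The sample log lines are constructed to approximate the 3.x format (real field layouts vary by version, so the regexes are deliberately loose). One caveat that matches the "default logging sucks" point: mongod only records operations slower than slowOpThresholdMs (100 ms by default) unless verbosity or the profiler is turned up, so a default log usually holds the connection lines but few of the CRUD lines.

```python
"""Rebuild per-connection sessions from a mongod log. Added example; the
sample log is constructed and only approximates the 3.x line format."""
import re

SAMPLE_LOG = """\
2015-06-22T00:29:12.101-0500 I NETWORK  [initandlisten] connection accepted from 10.0.0.25:49152 #7 (1 connection now open)
2015-06-22T00:29:30.412-0500 I COMMAND  [conn7] command testdata.$cmd command: insert { insert: "blog", documents: [ { _id: ObjectId('55879d3aeca5d08121fe1118'), Title: "My First Post", Author: "505Forensics" } ], ordered: true } ninserted:1 0ms
2015-06-22T00:31:02.007-0500 I NETWORK  [initandlisten] connection accepted from 203.0.113.9:60001 #8 (2 connections now open)
2015-06-22T00:31:05.550-0500 I QUERY    [conn8] query testdata.blog planSummary: COLLSCAN ntoreturn:1 ntoskip:0 nscanned:0 nscannedObjects:3 nreturned:1 reslen:120 0ms
2015-06-22T00:31:20.019-0500 I WRITE    [conn8] remove testdata.blog query: { Title: "My New Blog" } ndeleted:1 numYields:0 0ms
2015-06-22T00:31:25.300-0500 I NETWORK  [conn8] end connection 203.0.113.9:60001 (1 connection now open)
2015-06-22T00:40:00.000-0500 I NETWORK  [conn7] end connection 10.0.0.25:49152 (0 connections now open)
"""

HEADER = re.compile(r"^(?P<ts>\S+) (?P<sev>[A-Z]) (?P<comp>[A-Z-]+)\s+\[(?P<ctx>[^\]]+)\] (?P<msg>.*)$")
ACCEPT = re.compile(r"connection accepted from (?P<src>\S+) #(?P<id>\d+)")
END = re.compile(r"^end connection (?P<src>\S+)")
COMMAND = re.compile(r"^command (?P<db>[^.\s]+)\.\$cmd command: (?P<name>\w+)")
OP = re.compile(r"^(?P<name>query|insert|update|remove) (?P<ns>\S+)")


def new_session():
    return {"src": None, "opened": None, "closed": None, "ops": []}


def parse_sessions(text):
    """Return {conn_id: {src, opened, closed, ops: [(ts, op, namespace), ...]}}."""
    sessions = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        ts, ctx, msg = m["ts"], m["ctx"], m["msg"]
        acc = ACCEPT.search(msg)
        if acc:                                   # "[initandlisten] ... #7"
            sess = sessions.setdefault(acc["id"], new_session())
            sess["src"], sess["opened"] = acc["src"], ts
            continue
        conn = re.fullmatch(r"conn(\d+)", ctx)
        if not conn:
            continue                              # not a client-connection line
        sess = sessions.setdefault(conn.group(1), new_session())
        if END.match(msg):
            sess["closed"] = ts
            continue
        cmd, op = COMMAND.match(msg), OP.match(msg)
        if cmd:   # write commands name their collection inside the document
            target = re.search(r'\b%s: "([^"]+)"' % cmd["name"], msg)
            ns = cmd["db"] + ("." + target.group(1) if target else "")
            sess["ops"].append((ts, cmd["name"], ns))
        elif op:
            sess["ops"].append((ts, op["name"], op["ns"]))
    return sessions


def is_internal(host):
    """RFC 1918 or loopback IPv4; simplified, no IPv6 handling."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return False
    a, b = int(octets[0]), int(octets[1])
    return a in (10, 127) or (a == 192 and b == 168) or (a == 172 and 16 <= b <= 31)


def external_sessions(sessions):
    """Conn IDs whose source is not an internal address; on an
    Internet-facing mongod with auth off these are the first to review."""
    return sorted(cid for cid, s in sessions.items()
                  if s["src"] and not is_internal(s["src"].rsplit(":", 1)[0]))


def timeline(sessions):
    """Flat, time-ordered list of (ts, conn, src, op, namespace) for reporting."""
    rows = []
    for cid, s in sessions.items():
        rows.append((s["opened"] or "", cid, s["src"], "connect", ""))
        rows.extend((ts, cid, s["src"], op, ns) for ts, op, ns in s["ops"])
        if s["closed"]:
            rows.append((s["closed"], cid, s["src"], "disconnect", ""))
    return sorted(rows)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for row in timeline(sessions):
        print("  ".join(str(x) for x in row))
    print("external connections:", external_sessions(sessions))
```

Because conn numbers restart when mongod restarts, pair the number with the "connection accepted" timestamp rather than treating it as unique across the whole log.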
Examining MongoDB Artifacts
• In-Row Data
By default, Mongo will add an '_id' field if not provided by data entry
> db.blog.findOne()
{
"_id" : ObjectId("55879d3aeca5d08121fe1118")
..snip..
}
• ID has a 12-byte structure:
• 4-byte timestamp
• 3-byte machine identifier
• 2-byte process id
• 3-byte random counter
Examining MongoDB Artifacts
• Memory Dump
• We can also look to system memory dumps to carve MongoDB sessions/in-memory data
• Use what we know about data structure, commands, collections to build regex queries for
memory strings
• Every entry has an “_id” field
• Mongo is stored in JSON
• CRUD commands have structure
• db.<collection>.insert({
• db.<collection>.findOne()
• db.<collection>.remove({
• etc…
• Dump memory strings, search for what we know
Examining MongoDB Artifacts
• Memory Dump (cont.)
$ strings mem.dump | grep '{ "_id"'
Annotated in the output: Timestamps, Machine ID, Process ID
Examining MongoDB Artifacts
• Memory Dump (cont.)
$ strings mem.dump | grep 'db.testData'
$ strings mem.dump | grep 'testData'
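The In-Row Data slide and the memory-carving slides above share one piece of work: once an ObjectId has been found, in a record or in strings output, its 12 bytes are decoded into a creation time, machine identifier and process id, and ids that share a machine/pid pair came from the same mongod instance. The following is an added example, not code from the original deck, that decodes the deck's ObjectId and carves ObjectIds plus shell CRUD commands out of constructed `strings mem.dump` output. It uses the layout the slide describes, which is the pre-3.4 layout; from MongoDB 3.4 onward the middle eight bytes are a 5-byte random value plus the 3-byte counter, so machine and pid decoded from newer ids are not meaningful.

```python
"""Decode MongoDB ObjectIds and carve them (plus CRUD commands) from
`strings` output of a memory dump. Added example; STRINGS_OUTPUT is a
constructed stand-in for `strings mem.dump`."""
import re
import struct
from datetime import datetime, timezone

STRINGS_OUTPUT = """\
{ "_id" : ObjectId("55879d3aeca5d08121fe1118"), "Title" : "My New Blog", "Author" : "505Forensics" }
mongod: allocator noise that happens to mention ObjectId without a value
{ "_id" : ObjectId("55879d51eca5d08121fe1119"), "Title" : "Second Post", "Author" : "505Forensics" }
db.blog.insert({"Title":"My First Post","Author":"505Forensics"})
db.blog.findOne()
db.blog.remove({"Title":"My New Blog"})
{ "_id" : ObjectId("55879e00a1b2c30102000001"), "Title" : "From another instance" }
"""

# ObjectId("...") / ObjectId('...') with exactly 24 hex digits
OBJECTID = re.compile(r'ObjectId\(\s*["\']([0-9a-fA-F]{24})["\']\s*\)')
# shell-style CRUD calls: db.<collection>.<verb>(
CRUD = re.compile(r'\bdb\.(\w+)\.(insert|find|findOne|update|remove)\(')


def decode_object_id(hex_id):
    """Split a 24-hex-char ObjectId into the four fields on the slide
    (pre-3.4 layout: 4-byte time, 3-byte machine, 2-byte pid, 3-byte counter)."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("ObjectId must be 12 bytes")
    ts = struct.unpack(">I", raw[:4])[0]          # seconds since epoch, big-endian
    return {
        "hex": hex_id.lower(),
        "timestamp": ts,
        "utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "machine": raw[4:7].hex(),
        "pid": struct.unpack(">H", raw[7:9])[0],
        "counter": int.from_bytes(raw[9:12], "big"),
    }


def carve(strings_output):
    """Return (decoded ObjectIds, (collection, verb) pairs) found in the text."""
    ids, commands = [], []
    for line in strings_output.splitlines():
        ids.extend(decode_object_id(h) for h in OBJECTID.findall(line))
        commands.extend(CRUD.findall(line))
    return ids, commands


def summarize(ids):
    """Group carved ids by (machine, pid): one mongod instance per group,
    with the earliest and latest creation time seen for it."""
    groups = {}
    for d in ids:
        key = (d["machine"], d["pid"])
        g = groups.setdefault(key, {"count": 0, "first": d["utc"], "last": d["utc"]})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], d["utc"]), max(g["last"], d["utc"])
    return groups


if __name__ == "__main__":
    ids, cmds = carve(STRINGS_OUTPUT)
    for d in ids:
        print(f'{d["hex"]}  {d["utc"]}  machine={d["machine"]} pid={d["pid"]} counter={d["counter"]}')
    print("commands seen:", cmds)
    for (machine, pid), g in summarize(ids).items():
        print(f"instance machine={machine} pid={pid}: {g['count']} ids, {g['first']} .. {g['last']}")
```

Run against real output, the decoded timestamps give a creation time for every record even when the log holds nothing, and an id whose machine/pid pair does not match the host under examination is a record that was created elsewhere and imported.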
NoSQL Triage
NoSQL Triage
• NoSQL Triage
• Let’s say we encounter a MongoDB…what do we want to know?
• DB information
• Tables, collections, “schemas”
• Users
• Recent operations/changes
• Size of cluster (if > 1)
• Sources of data:
• Config file
• Other logs
• MongoDB itself!
• Mongo commands
• JavaScript
NoSQL Triage
• NoSQL Triage (cont.)
• MongoDB has a range of built-in diagnostic commands that can be used to profile a running instance
• mongostat – Provides a quick overview of a running instance
• Can be used for remote servers
NoSQL Triage
• NoSQL Triage (cont.)
• MongoDB has a range of built-in diagnostic commands that can be used to profile a running instance
• mongotop – Provides time tracking of operations
• Great for DB/collection breakdown!
• Can be used for remote servers
NoSQL Triage
• NoSQL Triage (cont.)
• MongoDB has a range of built-in diagnostic commands that can be used to profile a running instance
• mongosniff – Basically tcpdump for MongoDB
• Not normally available in production environments; requires special build
instructions
• However! Wireshark can also parse MongoDB traffic
NoSQL Triage
• NoSQL Triage (cont.)
• PCAP:
• MongoDB Log:
NoSQL Triage
• NoSQL Triage (cont.)
• MongoDB also has a wide range of administration commands built-in
• JavaScript-function format
$ mongo
> db.serverStatus()
Examining MongoDB Artifacts
• NoSQL Triage (cont.)
• We can also pass JavaScript commands directly through the terminal to pull back
information
• For example:
mongo --eval "printjson(db.serverStatus())"
• We can script it…we have the technology!
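Scripting the `--eval` approach means running the same read-only diagnostic calls on every host and keeping the raw output of each, so nothing depends on what an examiner remembered to type. The following is an added example, not code from the original deck: the list of calls, the output layout and the `runner` hook (which lets the command builder be exercised without a live mongod) are this example's own choices. The mongo shell's printjson output is shell notation (ObjectId(...), ISODate(...)), not strict JSON, so it is stored as text rather than parsed.

```python
"""Scripted MongoDB triage via `mongo --eval`. Added example; the call list
and output layout are this example's own choices."""
import shlex
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Read-only diagnostic calls; each is a JavaScript expression for the mongo shell.
TRIAGE_CALLS = {
    "serverStatus": "db.serverStatus()",
    "hostInfo": "db.hostInfo()",
    "cmdLineOpts": "db.adminCommand({getCmdLineOpts: 1})",   # effective config file + flags
    "listDatabases": "db.adminCommand({listDatabases: 1})",
    "users": "db.getSiblingDB('admin').system.users.find().toArray()",
    "currentOp": "db.currentOp()",                            # live sessions right now
    "replSetStatus": "rs.status()",                           # cluster size, if any
}


def build_command(call_js, host="127.0.0.1", port=27017, mongo_bin="mongo"):
    """argv for one `mongo --eval` invocation; --quiet drops the shell banner
    so stdout is only what printjson emitted."""
    return [mongo_bin, "--quiet", "--host", host, "--port", str(port),
            "--eval", f"printjson({call_js})"]


def run_triage(host="127.0.0.1", port=27017, calls=TRIAGE_CALLS,
               runner=subprocess.run, timeout=60):
    """Run every call, capturing stdout/stderr and exit code. A failing call
    (auth required, not a replica set, shell missing) is recorded, not fatal."""
    results = {}
    for name, js in calls.items():
        argv = build_command(js, host, port)
        try:
            proc = runner(argv, capture_output=True, text=True, timeout=timeout)
            rc, out, err = proc.returncode, proc.stdout, proc.stderr
        except (OSError, subprocess.TimeoutExpired) as exc:
            rc, out, err = -1, "", str(exc)
        results[name] = {"command": shlex.join(argv), "rc": rc,
                         "stdout": out, "stderr": err}
    return results


def save_results(results, outdir):
    """One file per call under a timestamped directory; returns the paths written."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    target = Path(outdir) / f"mongo-triage-{stamp}"
    target.mkdir(parents=True, exist_ok=True)
    written = []
    for name, r in results.items():
        path = target / f"{name}.txt"
        path.write_text(f"$ {r['command']}\n# exit code {r['rc']}\n{r['stdout']}{r['stderr']}")
        written.append(path)
    return written


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p in save_results(run_triage(host), "."):
        print("wrote", p)
```

Every call here reads state rather than changing it, which matters when the instance is evidence; the recorded command line and exit code per file make it clear afterwards what was asked and whether the server answered.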
Examining MongoDB Artifacts
• NoSQL Triage – Tool Time!
Conclusion
And with that...
Any questions?
THANK YOU!