

  • Number of slides: 7

Seminar Series Ed Skoudis June 6, 2005

A Quote from One of History’s Greatest Hackers
§ If you know the enemy and know yourself, you need not fear the result of a hundred battles.
§ If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
§ If you know neither the enemy nor yourself, you will succumb in every battle.
—Sun Tzu, The Art of War
© 2005 Ed Skoudis

Presentation Outline
Purpose & General Trends
Step 1: Reconnaissance
Step 2: Scanning
Step 3: Gaining Access
Step 4: Maintaining Access
Step 5: Covering the Tracks
Conclusions
© 2005 Ed Skoudis

The Defiler’s Toolkit
§ The Defiler’s Toolkit attempts to confuse forensics investigations
§ First public anti-forensic tool
§ Developed by “The Grugq”
§ Targeted specifically to counter The Coroner’s Toolkit and only extensively tested for ext2/3 file systems
§ Six components
  § KY FS – stores data in superblocks / directory structures
  § Waffen FS – stores data in the ext3 journal file
  § Data Mule FS – stores data in inode reserved space
  § Rune FS – stores data in bad blocks
  § Necrofile
  § Klismafile
© 2005 Ed Skoudis

Defiler’s Toolkit
§ Data hiding
  § Bad blocks inode points to blocks that don’t function properly
  § Attacker associates good blocks with the bad block inode and stores data there
  § Carve out a segment of your hard drive and label it “bad”
  § Drive appears smaller, but TCT won’t look in the bad blocks
§ Data destruction with Necrofile
  § Undelete tools remove just the data, not the meta-data (inodes and directory entries)
  § Necrofile – scrubs inodes clean, based on deletion time criteria
§ Data destruction with Klismafile
  § Directory entries show deleted filenames and sizes
  § Klismafile searches for these entries and scrubs them
© 2005 Ed Skoudis

Anti-Forensic Tools…
§ Techniques
§ CANVAS
§ DECAF – direct response to COFEE
  § Microsoft and the US Department of Justice have stated their intention to prosecute anyone found to be in unauthorized possession of DECAF
§ Security.Wizard List
© 2005 Ed Skoudis

Forensics
§ The Coroner’s Toolkit is very popular, along with its descendant, “The Sleuth Kit” (www.sleuthkit.org)
§ The Coroner’s Toolkit, as cool as it was, is a bit outdated
§ Turn toward a more recent descendant of TCT, “The Sleuth Kit”, to get a better look at forensics data
§ Use the Autopsy Forensic Browser GUI…
§ In investigations, don’t forget to look in blocks marked bad! There could be some very useful data hidden in there
§ Dead vs. Live analysis modes
© 2005 Ed Skoudis
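As an added example (not part of the slides or of any of the tools named), the check the last Forensics bullet asks for, covering the Rune FS bad-blocks trick from the Defiler's Toolkit slide: parse the block list of the ext2/3 bad-blocks inode (inode 1) from `debugfs -R "stat <1>"` output and flag every listed block that actually holds data, since the filesystem never writes to a block it has marked bad. The debugfs output and the disk image are constructed, and a 1024-byte block size is assumed.

```python
import re
from collections import Counter
from math import log2

BLOCK_SIZE = 1024  # ext2 default; in a real case take it from the superblock

# Constructed sample of `debugfs -R "stat <1>"` output; inode 1 is the ext2/3
# bad-blocks inode. Only the BLOCKS: section is used here.
SAMPLE_STAT = """Inode: 1   Type: regular    Mode:  0000   Flags: 0x0
Links: 0   Blockcount: 6
BLOCKS:
(0-1):40-41, (2):80
TOTAL: 3
"""

def parse_block_list(stat_output):
    """Return the data block numbers listed under BLOCKS: in debugfs stat output."""
    m = re.search(r"^BLOCKS:\n(.*?)^TOTAL:", stat_output, re.S | re.M)
    if not m:
        return []
    blocks = []
    for extent in m.group(1).replace("\n", " ").split(","):
        extent = extent.strip()
        # skip empty items and (IND)/(DIND)/(TIND) indirect-pointer blocks
        if not extent or "IND" in extent:
            continue
        lo, _, hi = extent.split(":")[1].partition("-")
        blocks.extend(range(int(lo), int(hi or lo) + 1))
    return blocks

def entropy(data):
    """Shannon entropy in bits per byte: near 8.0 looks encrypted/compressed, low looks like text."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())

def suspicious_bad_blocks(image, blocks):
    """Return (block, nonzero_bytes, entropy) for every 'bad' block that holds any data.
    A genuinely bad block is never written by the filesystem, so content there is a lead."""
    hits = []
    for b in blocks:
        chunk = image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]
        nonzero = sum(1 for x in chunk if x)
        if nonzero:
            hits.append((b, nonzero, round(entropy(chunk), 2)))
    return hits

# Constructed 100-block image: all zeros except data planted in blocks 40 and 80.
IMAGE = bytearray(BLOCK_SIZE * 100)
IMAGE[40 * BLOCK_SIZE:40 * BLOCK_SIZE + 24] = b"hidden data in bad block"
IMAGE[80 * BLOCK_SIZE:80 * BLOCK_SIZE + 8] = bytes(range(8))

if __name__ == "__main__":
    for blk, nz, ent in suspicious_bad_blocks(bytes(IMAGE), parse_block_list(SAMPLE_STAT)):
        print(f"block {blk}: {nz} non-zero bytes, entropy {ent}")
```

Against a real image, replace SAMPLE_STAT with the output of `debugfs -R "stat <1>" /path/to/image` and read the image with `open(path, "rb").read()` (or mmap it); the same logic carries over to a `blkls`/`dd`-style block dump.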