(fios#03) 3. GRR Incident Response Framework
FORENSIC INSIGHT; DIGITAL FORENSICS COMMUNITY IN KOREA
GRR Rapid Response
demantos
http://malwarel4b.blogspot.kr
ChoHoon
forensicinsight.org Page
Agenda
▪ Forensic Acquisition & Analyze
▪ What is GRR Rapid Response
▪ Architecture
▪ Framework
▪ Flows
▪ Hunt
▪ Artifacts
▪ Timeline Visualization
▪ Demo
▪ Q&A
Acquisition
▪ Traditional Forensic Acquisition Steps
• Shutting down the target system
• Removing disks
• Acquiring a bit-for-bit copy of the drive
▪ Advantages?
• Preservation of digital evidence
• Court-validated procedure enhancing the admissibility of evidence
▪ Disadvantages
• Time consuming
• Requires a trained forensic investigator
• Increases the cost of imaging and the response time
• Loss of important volatile evidence
Analyze
(figure: Investigation vs. Incident Response)
Analyze Compromised System
Incident Response
remote or local?
live or unlive?
target system is 1~10 or more than 100?
what about your company?
What is GRR Rapid Response?
▪ GRR Rapid Response is an incident response framework focused on remote live forensics
• Open Source
• Disk Forensics (Sleuthkit)
• Memory Forensics (Rekall)
• Scalable
• Cross-platform support (Windows, Linux, OS X)
GRR Architecture
(architecture figure: Clients -> Frontend HTTP Server -> AFF4 Data Storage on a Mongo Database holding the Client Queues, Worker Queue (W:) and Enroller Queue (E:); Workers and the Enroller consume the queues; Analysts work through the Console / Admin UI)
Source: "Distributed Forensics and Incident Response in the enterprise", Michael Cohen, Darren Bilby and Germano Caronni
Data Model
▪ AFF4 - Advanced Forensics File Format
▪ Based on RDF or NoSQL models
• Unique ID (AFF4 URN)
• Sharded across many servers
• RDF allows cross referencing
▪ AFF4 example
• aff4:/C.06d423b86ba45660
• aff4:/C.06d423b86ba45660/fs/os/C:/Windows/System32/config/SAM
• aff4:/C.06d423b86ba45660/fs/tsk/\\?\Volume{95ba5414-13dd-11e5-80b3-806e6f6e6963}/$MFT
• aff4:/C.06d423b86ba45660/registry/HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion
GRR Rapid Response Framework
▪ GRR Component Overview
• Client
• Front End Servers
✓ decrypt POST requests from the client
✓ queue them until the final STATUS response is received
• Datastore
✓ Resource Description Framework (RDF)
✓ central storage component for data
✓ communication mechanism for all components
• Console
✓ central application for the IR man
• Worker
✓ checks queues in the Datastore for responses
✓ processes data and re-queues new requests
GRR Rapid Response Framework
▪ Communications
• The server communicates with clients via Messages (AES256 + random session key + IV)
• Request: from server to client
• Response: from client to server
• HTTP protocol
GRR Rapid Response Framework
▪ Client enrolment
• Client impersonation attack
GRR Rapid Response Framework
▪ Flows
• Server-side code entities that call client actions
• Processed on the Workers
(figure: A flow to copy a file from the client)
GRR Rapid Response Framework
▪ Transmission of messages
• The final response is a Status message
GRR Rapid Response Framework
▪ Processing queues
• W: general purpose worker
• CA: responsible for CA enrollment communications
Flows
(figure: GRR Server with CPU, I/O and Socket usage at MAX, the resource hogging problem)
Flows
▪ To solve the resource hogging problem, Flows were created.
▪ Call client actions
▪ Completely asynchronous
• Triggered by incoming responses from a client or from a subflow
(figure: Start new flows > Memory > AnalyzeClientMemory; flow states Start -> RunPlugins -> KcoreStatResult -> StoreResult -> End, with DeleteFiles, LogDeleteFiles and UpdateProfile; RunPlugins calls the client with the Rekall actions)
Flows
▪ Life of a Flow
(sequence figure: Worker Queue, Flow Queue, Client Queue, Frontend, Client; request, response and processing arrows)
1. Admin UI creates a flow with StartFlow
2. CallClient creates Requests on the Flow Queue
3. CallClient copies Requests to the Client Queue
4. Client requests work
5. Frontend sends requests to the Client
6. Client sends responses. Frontend writes them to the Flow queue
7. Client sends a Status response to indicate completion
8. Frontend notifies the worker that responses are ready
9. Worker reads responses and runs the next flow state.
Hunt
▪ Found a suspicious file on one machine; do other machines have it?
▪ Flows on many machines
▪ Fleet check
• malicious code
• abnormal behavior
(image: Millennium Falcon on the Star Destroyer)
Hunt
▪ Find a webshell for IIS from a report. Two md5s and a couple of strings from the aspx.
• C:\**100, Action=HASH
• C:\**100.aspx, Content regex=pwnies
• C:\Inetpub\**20.aspx, Content regex=pwnies, Size < 5MB, Windows machines, Action=Download
▪ Hunting runs every 10 minutes (default)
• Client.foreman_check_frequency
Artifacts
▪ Define what to collect
▪ Define how to parse it
▪ Define what they produce
▪ Data only, no code
▪ YAML based format
▪ https://github.com/ForensicArtifacts/artifacts
Artifacts
▪ Artifacts vs. IOCs
• IOCs: If file name "temp.exe" contains string "evil" or is signed by "stolen cert"
• Artifacts: HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\* (purely data, no logic)
Artifacts
name: SafariHistory
doc: Safari browser history (History.plist).
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Apple Computer\Safari\History.plist'
    - '%%users.appdata%%\Roaming\Apple Computer\Safari\History.plist'
  supported_os: [Windows]
- type: FILE
  attributes:
    paths:
    - '%%users.homedir%%/Library/Safari/History.plist'
  supported_os: [Darwin]
labels: [Browser]
urls: ['http://www.forensicswiki.org/wiki/Apple_Safari']
---
name: WindowsSetupAPILog
doc: Windows setup API logs.
sources:
- type: FILE
  attributes: {paths: ['%%environ_systemroot%%\setupapi.log']}
  conditions: [os_major_version < 6]
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\inf\setupapi.app.log'
    - '%%environ_systemroot%%\inf\setupapi.dev.log'
    - '%%environ_systemroot%%\inf\setupapi.offline.log'
  conditions: [os_major_version >= 6]
labels: [Logs]
supported_os: [Windows]
urls: ['http://www.forensicswiki.org/wiki/Setup_API_Logs']
Artifacts
▪ Knowledge Base Interpolation
• %%environ_allusersprofile%% -> c:\Documents and Settings\All Users
• %%systemroot%% -> c:\Windows\System32
• %%users.name%% -> c:\Documents and Settings\demantos\AppData\Roaming
  -> c:\Documents and Settings\testuser\AppData\Roaming
  -> c:\Documents and Settings\hellboy\AppData\Roaming
https://github.com/google/grr/blob/master/proto/knowledge_base.proto
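The artifact definitions and the knowledge-base interpolation from the two slides above, as an added example (not GRR's or the ForensicArtifacts project's own code): it expands %%var%% markers from a constructed knowledge base, fans out users.* fields to one path per account, evaluates the os_major_version source conditions, and rejects a pattern with an unbalanced marker such as '%environ_systemroot%%'. KB, SETUPAPI and the helper names are assumptions.

```python
import operator
import re

# Constructed knowledge base (assumed values, not from a real client): scalar fields
# plus one row per user account, which is what the %%users.name%% fan-out relies on.
KB = {
    "os_major_version": 6,
    "environ_systemroot": r"C:\Windows",
    "users": [{"name": "demantos", "appdata": r"C:\Users\demantos\AppData\Roaming"},
              {"name": "hellboy", "appdata": r"C:\Users\hellboy\AppData\Roaming"}],
}
VAR = re.compile(r"%%([a-z_]+(?:\.[a-z_]+)?)%%")       # %%field%% or %%users.field%%
COND = re.compile(r"^(\w+)\s*(<=|>=|==|<|>)\s*(\d+)$")  # e.g. os_major_version < 6
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "==": operator.eq}

def interpolate(pattern, kb):
    """Expand every %%var%%; a users.* field fans out to one path per user."""
    if pattern.count("%") % 2:          # catches '%environ_systemroot%%' style typos
        raise ValueError(f"unbalanced %% marker in {pattern!r}")
    names = VAR.findall(pattern)
    rows = kb["users"] if any(n.startswith("users.") for n in names) else [{}]
    paths = []
    for user in rows:
        def lookup(m, user=user):
            key = m.group(1)
            return str(user[key[6:]] if key.startswith("users.") else kb[key])
        paths.append(VAR.sub(lookup, pattern))
    return paths

def condition_holds(cond, kb):
    """Evaluate a 'field <op> number' source condition against the knowledge base."""
    m = COND.match(cond)
    if not m:
        raise ValueError(f"unsupported condition {cond!r}")
    field, op, value = m.groups()
    return OPS[op](int(kb[field]), int(value))

def resolve_paths(artifact, kb, host_os):
    """Concrete paths a host_os client should collect; a source may override supported_os."""
    paths = []
    for src in artifact["sources"]:
        os_ok = host_os in src.get("supported_os", artifact.get("supported_os", [host_os]))
        if os_ok and all(condition_holds(c, kb) for c in src.get("conditions", [])):
            for p in src["attributes"]["paths"]:
                paths.extend(interpolate(p, kb))
    return paths
# Constructed artifact mirroring the WindowsSetupAPILog definition on the slide.
SETUPAPI = {"name": "WindowsSetupAPILog", "supported_os": ["Windows"], "sources": [
    {"type": "FILE", "conditions": ["os_major_version < 6"],
     "attributes": {"paths": [r"%%environ_systemroot%%\setupapi.log"]}},
    {"type": "FILE", "conditions": ["os_major_version >= 6"],
     "attributes": {"paths": [r"%%environ_systemroot%%\inf\setupapi.dev.log"]}}]}
```

With os_major_version set to 6 only the Vista-and-later source survives, so a single concrete path comes back; on a Darwin host the Windows-only artifact yields nothing.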
Timeline Visualization
▪ GRR + GRR Fuse + Plaso + Timesketch
(pipeline figure: GRR Agents -> GRR Datastore (Collect Artifacts) -> Fuse Mount (Mount from Datastore) -> Plaso Processing (Extract Timestamps) -> Elasticsearch / TimeSketch (View Results))
Demo
▪ Collect artifacts
▪ View filesystem
▪ View browser history
▪ Process list
▪ GRR + GRR Fuse + Plaso + Timesketch
Question and Answer