logmole Presentation v2.0 - IT-SECX


LOG:MOLE

Finding needles in forensic haystacks

Introduction

Concept

Workflow

File Modules

URL Modules

Output Modules

Use Cases / Examples

Outlook

Questions

AGENDA

LOG:MOLE

INTRODUCTION

AUTHOR

In the IT industry for 15 years

System Engineering in the public and private sector, Malware Analysis, Information Security Engineering in the online gaming industry, Information Security Consulting

Now: Information Systems Auditor

Projects in my spare time: Usec.at software (e.g. Radix), Community Sense Net, various non-security IT projects

Interest in computer forensics and forensic archaeology

Tool developed by DI Wilhelm Demuth and Florian Eichelberger

Re-implemented in 2015 by Simon Scheuchenpflug of Cognosec

Cognosec GmbH (founded in 2011 in Vienna)

Operational worldwide (branches in Stockholm, London, Dubai, Johannesburg)

Leaders in IT Security, IT Audit, Risk and Compliance

Active in all major industries including Banking/Finance, Payment/E-Commerce, Healthcare, Retail, Manufacturing, Government, Hospitality, Transport, Gaming, and Education

Commitment  to  Quality

ABOUT COGNOSEC

SERVICE OVERVIEW

Assurance Services
• Penetration Testing
• Application Security Testing
• Social Engineering
• IS Audits

Security Services
• Data Leakage & Loss Prevention
• Security Monitoring
• Application Security
• Incident Response
• Network Security

GRC Services
• Compliance Gap Assessment
• Risk Assessment
• GRC Solutions
• Information Security Management (incl. ISMS)

PCI Services
• PCI ASV Security Scan
• PCI QSA On-Site Assessment
• PCI Gap Assessment
• Remediation
• Security Awareness Programme

LOG:MOLE

CONCEPT

WHAT’S THE PROBLEM

PROBLEM?!

Overwhelming amount of evidence to sift through

A manual approach, or a multi-tool, multi-format approach, is error-prone and not parallelizable

Takes a long time to find the “smoking gun”

The log2timeline and mactime bodyfile formats are the ones mostly used in OS forensics

Log files of hundreds of MB or GB unfortunately take a long time to process with most other tools

WHAT’S THE SOLUTION

SOLUTION!?

Automation of evidence processing

Analyze log2timeline and mactime bodyfiles

Process read-only mounted filesystems and file-system images

Process referenced files / registry keys / URLs to find the “smoking gun”

Easily adjustable and extensible for other formats using a config file

Initially written in C# and optimized for speed and memory usage

Ported to Python in 2015

Tested on Windows, Linux and Mac OS X

DESIGN GOALS

Stability

Extensibility with defined interfaces

Powerful workflow configuration

Export to SIEM tools (JSON, CSV, Syslog)

Two modes implemented in the new version (LogMole and FileMole)

LOG:MOLE

WORKFLOW

WORKFLOW

New workflow engine implemented

Provides flexibility for target environments, situations and the required tests

A workflow consists of parametrized modules

Using Time-range, Filter and Tagger modules
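As an added example (illustrative code written for this page, not Log:Mole's own engine), the following parses mactime bodyfile lines, the input format named on the problem slide, and runs a workflow of parametrized time-range, filter and tagger modules over them. The module names, the config keys and the sample bodyfile are assumptions; the bodyfile field order is the TSK 3.x / mactime layout.

```python
"""Added example (not Log:Mole's own code): parse mactime bodyfile lines and
run a small parametrised workflow of time-range, filter and tagger modules
over them. Module names, config keys and the sample input are assumptions."""
import re
from datetime import datetime, timezone

# TSK 3.x / mactime bodyfile field order (timestamps are Unix epoch seconds):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
INT_FIELDS = ("inode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")

# Constructed sample: two files touched in January 2012, one older file,
# and one corrupt row.
SAMPLE_BODYFILE = """\
0|/Windows/System32/kernel32.dll|1234|r/rrwxrwxrwx|0|0|1114112|1325576273|1325576273|1325576273|1325576273
6b5ed259ffcdd40663007b6047e1efe0|/Users/bob/AppData/Local/Temp/svchost.exe|5678|r/rrwxrwxrwx|501|20|320456|1325576280|1325576273|1325576280|1325576280
0|/Users/bob/Documents/notes.txt|9012|r/rrw-rw-rw-|501|20|42|1300000000|1300000000|1300000000|1300000000
this line is malformed and must not abort the run
"""


def parse_bodyfile(text):
    """Return one dict per well-formed bodyfile line.

    Lines without exactly 11 pipe-separated fields (or with non-numeric
    numbers) are skipped rather than raising: one corrupt row in a multi-GB
    bodyfile must not stop the job."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        try:
            for key in INT_FIELDS:
                rec[key] = int(rec[key])
        except ValueError:
            continue
        rec["tags"] = []
        records.append(rec)
    return records


def _epoch(iso_utc):
    """'2012-01-03T07:37:53' -> Unix seconds, interpreted as UTC."""
    return int(datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc).timestamp())


# Workflow modules share one interface: (records, params) -> records.
def time_range(records, params):
    """Keep records whose timestamp field lies within [start, end]."""
    field = params.get("field", "mtime")
    start, end = _epoch(params["start"]), _epoch(params["end"])
    return [r for r in records if start <= r[field] <= end]


def filter_path(records, params):
    """Keep records whose path matches the regex; invert=True drops them instead."""
    pat = re.compile(params["pattern"], re.IGNORECASE)
    invert = params.get("invert", False)
    return [r for r in records if bool(pat.search(r["name"])) != invert]


def tagger(records, params):
    """Attach a tag to matching records; never removes anything."""
    pat = re.compile(params["pattern"], re.IGNORECASE)
    for r in records:
        if pat.search(r["name"]):
            r["tags"].append(params["tag"])
    return records


MODULES = {"time-range": time_range, "filter": filter_path, "tagger": tagger}


def run_workflow(records, workflow):
    """Apply the configured module chain in order."""
    for step in workflow:
        records = MODULES[step["module"]](records, step.get("params", {}))
    return records


# Hypothetical workflow config: narrow to the incident window, drop the OS
# tree, then tag executables living in a Temp directory.
WORKFLOW = [
    {"module": "time-range", "params": {"field": "mtime",
                                        "start": "2012-01-01T00:00:00",
                                        "end": "2012-01-31T23:59:59"}},
    {"module": "filter", "params": {"pattern": r"^/Windows/", "invert": True}},
    {"module": "tagger", "params": {"pattern": r"/temp/[^/]+\.exe$", "tag": "exe-in-temp"}},
]


def find_candidates(text=SAMPLE_BODYFILE, workflow=WORKFLOW):
    return run_workflow(parse_bodyfile(text), workflow)


if __name__ == "__main__":
    for r in find_candidates():
        print(r["mtime"], r["name"], r["tags"])
```

Each module has the same signature, so a new one (for example a hash lookup or an AV scan) slots into the chain without touching the engine; the order in the config is the order of execution, which is why the cheap time-range cut comes first.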

LOG:MOLE

FILE MODULES

ENTROPY CHECK / MD5 / SHA1

Check for compression

Check entropy based on file type

Generates hashes for further processing and reference (MD5 only for legacy application compatibility)
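As an added example (written for this page, not Log:Mole's entropy module), the following streams a file once, computing MD5 and SHA-1 together with a byte histogram, and then judges the Shannon entropy by file type so that a zip or a JPEG is not flagged for being dense while a packed executable is. The magic-byte tables, the 7.0 bits/byte threshold and the sample buffers are assumptions.

```python
"""Added example (not Log:Mole's entropy module): stream a file once,
computing MD5 and SHA-1 plus Shannon entropy, then judge the entropy by
file type so that compressed formats are not flagged for being compressed.
Magic-byte tables, the threshold and the sample buffers are assumptions."""
import hashlib
import io
import math
from collections import Counter

# Formats whose payload is compressed by design: ~8 bits/byte is normal here.
COMPRESSED_MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"\x89PNG": "png",
                    b"\xff\xd8\xff": "jpeg", b"Rar!": "rar"}
# Native executables: high entropy suggests a packer or an embedded encrypted payload.
EXECUTABLE_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}


def identify(head):
    """(type, is_compressed_format) from the first bytes of the file."""
    for magic, kind in COMPRESSED_MAGIC.items():
        if head.startswith(magic):
            return kind, True
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return kind, False
    return "unknown", False


def entropy_from_counts(counts, total):
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def analyze_stream(fp, chunk_size=1 << 20):
    """Single pass over a file object: hashes and byte histogram per chunk,
    so a multi-GB file never has to be loaded into memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    counts, total, head = Counter(), 0, b""
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            break
        if not head:
            head = chunk[:8]
        md5.update(chunk)
        sha1.update(chunk)
        counts.update(chunk)      # Counter over the byte values 0..255
        total += len(chunk)
    kind, compressed = identify(head)
    entropy = entropy_from_counts(counts, total)
    dense = entropy > 7.0                  # "check for compression": looks compressed or encrypted
    suspicious = dense and not compressed  # dense, but not a format that should be (assumed rule)
    return {"type": kind, "size": total, "entropy": round(entropy, 3),
            "dense": dense, "suspicious": suspicious,
            "md5": md5.hexdigest(),        # kept for legacy lookups only
            "sha1": sha1.hexdigest()}


def analyze_bytes(data):
    return analyze_stream(io.BytesIO(data))


def analyze_file(path):
    with open(path, "rb") as fp:
        return analyze_stream(fp)


# Constructed samples: a near-empty PE stub, a "packed" PE whose body is
# perfectly uniform, and a zip header over the same uniform body.
UNIFORM = bytes(range(256)) * 16
SAMPLES = {
    "plain.exe": b"MZ" + b"\x00" * 4096,
    "packed.exe": b"MZ" + UNIFORM,
    "archive.zip": b"PK\x03\x04" + UNIFORM,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, analyze_bytes(data))
```

The threshold is deliberately a per-type decision: the same 7.9 bits/byte that is ordinary for a PNG is the main signal for a packed PE, so an entropy module that ignores the file type produces mostly noise.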

REGEX-IN-FILE / STRINGS

Check for a regex in files

As powerful as the written regex, but slow.

Same as the Linux strings tool
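As an added example (written for this page, not Log:Mole's strings or regex module), the following extracts printable runs the way strings does, for both ASCII and UTF-16LE (Windows stores most of its artifact text as UTF-16LE, which an ASCII-only strings pass misses), and then runs a set of indicator regexes over the extracted strings. The indicator patterns and the sample buffer are assumptions.

```python
"""Added example (not Log:Mole's module): a 'strings'-style extractor for
ASCII and UTF-16LE runs plus a regex-in-file scan over those strings.
The indicator patterns and the sample buffer are assumptions."""
import re

MIN_LEN = 4


def strings(data, min_len=MIN_LEN):
    """Return sorted (offset, encoding, text) tuples, like strings -e s and -e l."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_run.finditer(data)]
    return sorted(found)


# Hypothetical indicator patterns an investigator might configure.
PATTERNS = {
    "url": re.compile(r"https?://[\w.\-]+(?:/[\w./?=&%\-]*)?"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "run-key": re.compile(r"CurrentVersion\\Run(?:Once)?", re.IGNORECASE),
}


def regex_in_file(data, patterns=PATTERNS, min_len=MIN_LEN):
    """Run each pattern over every extracted string (both encodings) and
    return {name: sorted unique matches}. Scanning the decoded strings rather
    than the raw bytes is what makes UTF-16LE indicators visible to ordinary
    regexes; the price is that a pattern cannot span non-printable bytes."""
    hits = {}
    texts = [text for _, _, text in strings(data, min_len)]
    for name, pat in patterns.items():
        matches = {m.group() for text in texts for m in pat.finditer(text)}
        if matches:
            hits[name] = sorted(matches)
    return hits


# Constructed sample resembling a dropper: a PE stub, an ASCII download URL
# and a UTF-16LE registry persistence path.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
          + b"http://198.51.100.23/update.php\x00" + b"\x00" * 4
          + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
          + b"\x00\x00ab\x00cd")

if __name__ == "__main__":
    for off, enc, text in strings(SAMPLE):
        print(f"{off:6d} {enc:8s} {text}")
    print(regex_in_file(SAMPLE))
```

Without the UTF-16LE pass the registry path in the sample is invisible: every second byte is a null, so no ASCII run of four characters ever forms.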

CLAMAV

Most widely used open-source virus scanner

Check for known malware

Sub-optimal detection rate for rare samples; detection rate only average

Can be replaced by another command-line virus scanner

NSRL

National Software Reference Library

Provided by NIST

Known-file database

Used for whitelisting (!)

For weeding out OS / common application files.

Converted to an optimized binary format for faster processing.
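As an added example (written for this page, not Log:Mole's NSRL module), the following converts NSRL RDS rows into a sorted blob of raw 20-byte SHA-1 digests, looks hashes up by binary search over that blob, and uses the result to weed known files out of a result list. The row layout follows the NSRLFile.txt header; the sample rows are constructed, and the handling of the SpecialCode column (rows marked "M" are left out of the whitelist) is an assumption to check against the README of the RDS release in use.

```python
"""Added example (not Log:Mole's NSRL module): NSRL RDS rows -> sorted blob
of raw SHA-1 digests, binary-search lookup, and whitelisting of results.
Sample rows and SpecialCode handling are assumptions."""
import csv
import hashlib
import io

DIGEST_LEN = 20  # raw SHA-1


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def _row(content, name, size, special=""):
    """One constructed NSRLFile.txt row (hex case does not matter to bytes.fromhex)."""
    return '"%s","%s","00000000","%s",%d,1,"WIN","%s"' % (
        sha1_hex(content).upper(), hashlib.md5(content).hexdigest().upper(),
        name, size, special)


# Constructed sample: two benign rows, one duplicate (same file in another
# product) and one row flagged "M" in SpecialCode.
SAMPLE_NSRL = "\n".join([
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"',
    _row(b"kernel32.dll contents", "kernel32.dll", 1114112),
    _row(b"ReaderUpdater.exe contents", "ReaderUpdater.exe", 320456),
    _row(b"kernel32.dll contents", "kernel32.dll", 1114112),
    _row(b"hacktool.exe contents", "hacktool.exe", 4096, special="M"),
]) + "\n"


def nsrl_to_binary(csv_text, include_special=False):
    """Sorted, de-duplicated raw digests: 20 bytes per known file instead of
    a quoted 40-character hex field, and no CSV parsing at lookup time.
    Rows whose SpecialCode is 'M' are left out unless asked for, because
    'known to NIST' is not the same as 'benign' (assumed rule)."""
    digests = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["SpecialCode"] == "M" and not include_special:
            continue
        digests.add(bytes.fromhex(row["SHA-1"]))
    return b"".join(sorted(digests))


class KnownFiles:
    def __init__(self, blob):
        if len(blob) % DIGEST_LEN:
            raise ValueError("blob is not a multiple of %d bytes" % DIGEST_LEN)
        self.blob = blob
        self.count = len(blob) // DIGEST_LEN

    def _digest(self, i):
        return self.blob[i * DIGEST_LEN:(i + 1) * DIGEST_LEN]

    def contains(self, sha1_hexdigest):
        """Binary search over the sorted blob: O(log n) 20-byte comparisons."""
        target = bytes.fromhex(sha1_hexdigest)
        lo, hi = 0, self.count
        while lo < hi:
            mid = (lo + hi) // 2
            if self._digest(mid) < target:
                lo = mid + 1
            else:
                hi = mid
        return lo < self.count and self._digest(lo) == target


def weed_out(records, known, key="sha1"):
    """Drop records whose hash is in the known-file set; keep everything else."""
    return [r for r in records if not known.contains(r[key])]


if __name__ == "__main__":
    known = KnownFiles(nsrl_to_binary(SAMPLE_NSRL))
    results = [{"name": "kernel32.dll", "sha1": sha1_hex(b"kernel32.dll contents")},
               {"name": "svchost.exe", "sha1": sha1_hex(b"something unknown")},
               {"name": "hacktool.exe", "sha1": sha1_hex(b"hacktool.exe contents")}]
    for r in weed_out(results, known):
        print("still to review:", r["name"])
```

The blob can be written to disk once and memory-mapped later; with the digests sorted, a lookup never has to touch more than a few dozen 20-byte slices even for tens of millions of entries.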

VIRUSTOTAL

Online multi-AV scanner (owned by Google since 2012)

Provides information on documented malware via MD5 search

Scanning for unknown malware.

Upload of unknown files found by Log:Mole to VT for analysis.

Note: needs a proper API key. Uploaded samples are shared with VirusTotal's AV partners, so look up hashes first and upload only evidence you are allowed to disclose.

LOG:MOLE

URL MODULES

MALWAREDOMAINLIST

Provides malware URL / server information in CSV format.

Parsed and used by Log:Mole for malicious URL detection

Additional checks on URLs are performed to detect suspicious URLs and add up to a … value.

GOOGLE SAFE BROWSING

Up-to-date list

Pre-categorized list (phishing, malware, unwanted)

Online / offline mode (some GB to be downloaded, but FAST)

LOG:MOLE

OUTPUT MODULES

SAVE-AS

Output is saved to the filesystem.

CSV format is widely used and easily parseable

JSON; timestamps can be exported in a desired time format

Syslog

SEND-AS

Output is sent to a UDP / TCP network port

CSV format is widely used and easily parseable

JSON; timestamps can be exported in a desired time format

Syslog
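As an added example (written for this page, not Log:Mole's output modules), the following serialises result records as CSV, newline-delimited JSON and RFC 5424 syslog with a caller-chosen timestamp format, and sends the lines to a UDP or TCP port as SEND-AS does. The record is constructed from the fields of the pretty-print sample below (its epoch mtime is the UTC equivalent of the 2012/01/03 07:37:53 shown there); the hostname, app name and the enterprise number 32473 in the structured data (RFC 5424's documentation value) are assumptions.

```python
"""Added example (not Log:Mole's output modules): CSV, NDJSON and RFC 5424
syslog serialisers with a configurable timestamp format, plus UDP/TCP send.
The record, hostname, app name and enterprise number are assumptions."""
import csv
import io
import json
import socket
from datetime import datetime, timezone

TS_FIELDS = ("atime", "mtime", "ctime", "crtime")

# Constructed from the page's pretty-print sample; mtime as UTC epoch seconds.
SAMPLE_RECORD = {
    "uid": 501, "gid": 20, "size": 320456, "set_uid": False,
    "orig_path": "Documents and Settings/All Users/Application Data/Adobe/Reader/9.3/ARM/7019/ReaderUpdater.exe",
    "mtime": 1325576273,
    "md5": "6b5ed259ffcdd40663007b6047e1efe0",
}


def format_ts(epoch, fmt):
    """Epoch seconds -> string in the caller's format, always in UTC."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime(fmt)


def with_timestamps(record, ts_fmt):
    out = dict(record)
    for f in TS_FIELDS:
        if isinstance(out.get(f), (int, float)):
            out[f] = format_ts(out[f], ts_fmt)
    return out


def to_csv(records, ts_fmt="%Y-%m-%d %H:%M:%S"):
    """Header row plus one row per record; the field set is the union of keys."""
    rows = [with_timestamps(r, ts_fmt) for r in records]
    fields = sorted({k for r in rows for k in r})
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def to_json_lines(records, ts_fmt="%Y-%m-%dT%H:%M:%SZ"):
    """Newline-delimited JSON: one object per line, which SIEM collectors
    ingest without a wrapping array."""
    return "".join(json.dumps(with_timestamps(r, ts_fmt)) + "\n" for r in records)


def _sd_escape(value):
    # RFC 5424 section 6.3.3: escape '"', '\' and ']' inside PARAM-VALUE
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(record, hostname="forensics-ws", app="logmole", facility=16, severity=6):
    """RFC 5424 message; PRI = facility*8 + severity (16/6 = local0.info)."""
    ts = format_ts(record["mtime"], "%Y-%m-%dT%H:%M:%SZ")
    params = " ".join('%s="%s"' % (k, _sd_escape(v)) for k, v in record.items()
                      if k not in ("orig_path", "mtime"))
    return "<%d>1 %s %s %s - - [logmole@32473 %s] %s" % (
        facility * 8 + severity, ts, hostname, app, params, record["orig_path"])


def send_lines(lines, host, port, proto="udp"):
    """SEND-AS: one datagram per line over UDP, newline-framed stream over TCP."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            for line in lines:
                s.sendto(line.encode(), (host, port))
    else:
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall("".join(line + "\n" for line in lines).encode())


def udp_roundtrip(lines):
    """Loopback self-test: listen on an ephemeral UDP port, send, read back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(2)
        send_lines(lines, "127.0.0.1", srv.getsockname()[1], "udp")
        return [srv.recv(65535).decode() for _ in lines]


if __name__ == "__main__":
    print(to_csv([SAMPLE_RECORD]))
    print(to_json_lines([SAMPLE_RECORD], "%Y/%m/%d %H:%M:%S"))
    print(udp_roundtrip([to_syslog(SAMPLE_RECORD)])[0])
```

Keeping the timestamp conversion in one place, always in UTC, is what lets the same records land in a SIEM next to events from other sources without a time-zone mismatch; the format string is the only thing that changes per destination.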

“PRETTY PRINT”

Generates human-readable output on the console, e.g.:

{
  "uid": 501,
  "orig_path": "Documents and Settings/All Users/Application Data/Adobe/Reader/9.3/ARM/7019/ReaderUpdater.exe",
  "set_uid": false,
  "mtime": "2012/01/03 07:37:53",
  "size": 320456,
  "group_read": true,
  "others_read": true,
  "owner_write": true,
  "gid": 20,
  "md5": "6b5ed259ffcdd40663007b6047e1efe0"
}

LOG:MOLE

USE CASE / EXAMPLE

USE CASE LOG:MOLE

Helps to speed up time-to-evidence

Multiple bodyfiles can be processed at once

No “pushbutton forensics”, but a tool for an investigator

Malware and malicious URL detection

Import into a SIEM solution to correlate with other threat data

USE CASE FILE:MOLE

Helps to speed up time-to-evidence

Highly configurable workflow / automation

Extract filesystem metadata for malware detection and file classification

Import into a SIEM solution to correlate with other threat data

EXAMPLE

LOG:MOLE

OUTLOOK / FUTURE WORK

POSSIBLE EXTENSIONS ?

More input formats

More output formats / tool integrations?

More AV scanners?

IOC tools?

More badware URL detection mechanisms?

Rating system

LOG:MOLE

SO, DO YOU HAVE ANY QUESTIONS?

Florian Eichelberger

florian.eichelberger@cognosec.com
