Embed Size (px)
Citation preview
LOG:MOLEFinding needles in forensic haystacks
Introduction
Concept
Workflow
File Modules
Url Modules
Output Modules
Use Cases / Examples
Outlook
Questions
AGENDA
LOG:MOLE
INTRODUCTION
AUTHOR
In the IT industry for 15 years
System Engineering in public / private sector, Malware Analysis , Information Security Engineering in the online gaming industry, Information Security Consulting
Now: Information Systems Auditor
Projects in my spare time: Usec.at software (e.g. Radix), Community Sense Net, various non-security IT projects
Interest in computer forensics and forensic archaeology
Tool developed by DI Wilhelm Demuth and Florian Eichelberger
Re-implemented in 2015 by Simon Scheuchenpflug of Cognosec
Cognosec Gmbh (Founded in 2011 in Vienna)
Operational Worldwide (branches in Stockholm, London, Dubai, Johannesburg)
Leaders in IT Security, IT Audit, Risk and Compliance
Active in all major industries including Banking/Finance, Payment/E-Commerce, Healthcare, Retail, Manufacturing, Government, Hospitality, Transport, Gaming, and Education
Commitment to Quality
ABOUT COGNOSEC
SERVICE OVERVIEW
Assurance Services•Penetration Testing•Application Security Testing•Social Engineering•IS Audits
Security Services•Data Leakage & Loss
Prevention•Security Monitoring•Application Security•Incident Response•Network Security
GRC Services•Compliance Gap Assessment•Risk Assessment•GRC Solutions•Information Security
Management (incl. ISMS)
PCI Services•PCI ASV Security Scan•PCI QSA On-Site Assessment•PCI Gap Assessment•Remediation•Security Awareness Programme
LOG:MOLE
CONCEPT
WHAT’S THE PROBLEM
PROBLEM?!
Overwhelming amount of evidence to sift through
Manual approach or multi-tool-multi-format approach error-prone and not parallelizable
Takes a long time to find the “smoking gun”
Log2timeline and mactime bodyfiles format mostly used in OS forensics
Logfiles with hundreds of MB or GB take a long time to process with most other tools unfortunately
WHAT’S THE SOLUTION
SOLUTION!?
Automation of evidence processing
Analyze log2timeline and mactime bodyfiles
Process read-only mounted filesystems and file-system images
Processes referenced files / registry keys / urls to find the “smoking gun”
Easily adjustable and extensible for other formats using a config file
Initially written in C# and optimized for speed and memory usage
Ported to python in 2015
Tested on Windows and Linux and MacOS X
DESIGN GOALS
Stability
Extendability with defined interfaces
Powerful workflow configuration
Export to SIEM tools (JSON, CSV, Syslog)
Implemented two modes in new version
(LogMole and FileMole)
LOG:MOLE
WORKFLOW
WORKFLOW
New workflow engine implemented
Provides flexibility for target environments and situations and required tests
Workflow consists of modules, parametrized
Using Time-range, Filter , Tagger Modules
WORKFLOW
LOG:MOLE
FILE MODULES
ENTROPY CHECK / MD5 / SHA1
Check for compression
Check entropy based on filetype
Generated Hashes for further processing and reference (MD5 for legacy application compatibility)
REGEX-IN-FILE / STRINGS
Check for regex in files
As powerful as the written regex but slow.
Same as linux strings module
CLAMAV
Most widely open-source OS virus scannerCheck for known malwareSub-optimal detection rate for rare samples , detection rate only averageCan be replaced by other cmd-line virus scanner
NSRL
National Software Reference LibraryProvided by the NISTKnown file databaseUsed for whitelisting (!)
For weeding out OS / Common application files.Converted to optimized binary format for faster processing.
VIRUSTOTAL
Online Multi-AV scanner (now owned by Microsoft)Provides information on documented malware via MD5 searchScanning for unknown malware.
Upload of unknown files found by Log:Mole to VT for analysis.Note: Needs proper API key
LOG:MOLE
URL MODULES
MALWAREDOMAINLIST
Provides malware url / server information in CSV format.
Parsed and used by Log:Mole for malicious urldetection
Additional checks on urls are performed to detect suspicious urls and add up to a ….value.
GOOGLE SAFE BROWSING
Up-to-date list
Pre-Categorized list (Phishing, malware , unwanted)
Online / Offline mode (some GB to be downloaded but FAST)
LOG:MOLE
OUTPUT MODULES
SAVE-AS
Output is saved to the filesystem.
CSV format is widely used and easily parse able
JSON , timestamps can be exported in a desired timefomat
Syslog
SEND-AS
Output is sent to a udp / tcp network port
CSV format is widely used and easily parse able
JSON , timestamps can be exported in a desired timefomat
Syslog
“PRETTY PRINT”
Generates human-readable output on the console{
"uid": 501,
"orig_path": "Documents and Settings/All Users/Application Data/Adobe/Reader/9.3/ARM/7019/ReaderUpdater.exe",
"set_uid": false,"mtime": "2012/01/03 07:37:53",
"size": 320456,"group_read": true,"others_read": true,"owner_write": true,
"gid": 20,"md5": "6b5ed259ffcdd40663007b6047e1efe0",
}
LOG:MOLE
USE CASE / EXAMPLE
USE CASE LOG:MOLE
Helps to speed up time-to-evidence
Multiple body files can be processed at once
No “pushbutton forensics” but a tool for an investigator
Malware and malicious url detection
Import into SIEM Solution to correlate with other threat data
USE CASE FILE:MOLE
Helps to speed up time-to-evidence
Highly configurable workflow / automation
Extract filesystem meta-data for malware detection and file classification
Import into SIEM Solution to correlate with other threat data
EXAMPLE
LOG:MOLE
OUTLOOK / FUTURE WORK
POSSIBLE EXTENSIONS ?
More input formats
More output formats / Tool integrations ?
More AV Scanner ?
IOC Tools ?
More Badware URL detection mechanism ?
Rating System
LOG:MOLE
SO, DO YOU HAVE ANY QUESTIONS?
