DFRWS Forensics Challenge 2016
Robert Beverly#, Brian Greunke#, Michael McCarrin#, Joe Sylve*, Vassil Roussev+
# Naval Postgraduate School
* BlackBag Technologies
+ University of New Orleans
DFRWS Forensics Challenge Goals
1. Advance research in new and emerging areas of digital forensics
2. Spur development of new tools and techniques
Rich History of Offering Timely Forensics Challenges to the Community…
Year  Challenge
2016  Software Defined Networks (SDN)
2015  GPU Malware
2014  Mobile Malware
2013  Block Classifier
2012  Block Classifier
2011  Android Forensics
2010  Flash Memory Forensics
2009  PlayStation Forensics
2008  Linux Memory Analysis
Software Defined Networks
• New model for building/operating networks:
  – Move away from proprietary network OS
  – Open/programmable network switches
  – Standards-based protocol (OpenFlow)
  – Commodity hardware
  – Centralized control
• Promise:
  – Lower cost, multi-vendor
  – Correctness
  – Enable innovation within the network
  – Enable virtualization
SDN Abstraction
• Switches maintain a "flow table":
  – Packet matching rules and actions
  – Hard and soft state (rules that persist until explicitly removed, and rules that expire via idle/hard timeouts)
  – If no match, the packet is sent to a controller
• E.g.:
  – in_port=2, nw_src=42.59.142.200/30 actions=mod_dl_src:41:31:3a:38:42:3a idle_timeout=45, out_port=7
• Controllers:
  – OpenFlow-speaking software on a PC
  – Proactively or reactively install flow rules
  – Include sophisticated logic
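The flow-table abstraction above (match fields, an ordered action list, soft state that expires on idle_timeout, table miss to the controller) as a small working model. This is an added example, not code from the slides or from Open vSwitch; the rule string is the slide's example rewritten in the `ovs-ofctl dump-flows` syntax that OVS actually prints (idle_timeout alongside the match fields, output port as an `output:N` action), and the packets are constructed.

```python
"""Toy OpenFlow flow table: parses rules in `ovs-ofctl dump-flows` syntax, matches
packets, applies actions, and expires soft state on idle_timeout.
Added example; not code from the DFRWS slides or from OVS."""
import ipaddress
import re
from dataclasses import dataclass

# Match fields this toy understands (a subset of the OpenFlow 1.0 match).
MATCH_FIELDS = {"in_port", "dl_src", "dl_dst", "dl_type",
                "nw_src", "nw_dst", "nw_proto", "tp_src", "tp_dst"}

# The slide's rule in dump-flows form (constructed): match port 2 and a /30 source
# prefix, rewrite the source MAC, send out port 7, expire after 45 s idle.
SLIDE_RULE = ("idle_timeout=45, priority=10,in_port=2,nw_src=42.59.142.200/30 "
              "actions=mod_dl_src:41:31:3a:38:42:3a,output:7")


@dataclass
class FlowRule:
    match: dict            # field -> str, or ip_network for nw_src/nw_dst
    actions: list          # [(name, arg), ...] in execution order
    priority: int = 0
    idle_timeout: int = 0  # seconds idle before removal; 0 = hard state
    last_hit: float = 0.0  # soft-state bookkeeping: time of last matching packet


def parse_flow(text: str, now: float = 0.0) -> FlowRule:
    """Parse one dump-flows line; counters (cookie, duration, n_packets...) are skipped."""
    text = text.strip()
    m = re.search(r"actions=(\S+)$", text)
    if not m:
        raise ValueError("rule has no actions")
    match, priority, idle = {}, 0, 0
    for token in filter(None, text[:m.start()].replace(" ", ",").split(",")):
        key, _, val = token.partition("=")
        if key == "priority":
            priority = int(val)
        elif key == "idle_timeout":
            idle = int(val)
        elif key in ("nw_src", "nw_dst"):
            match[key] = ipaddress.ip_network(val, strict=False)
        elif key in MATCH_FIELDS:
            match[key] = val
    actions = []
    for action in m.group(1).split(","):
        name, _, arg = action.partition(":")   # "mod_dl_src:aa:bb:.." -> (mod_dl_src, aa:bb:..)
        actions.append((name, arg))
    return FlowRule(match, actions, priority, idle, now)


def matches(rule: FlowRule, pkt: dict) -> bool:
    for key, want in rule.match.items():
        have = pkt.get(key)
        if have is None:
            return False
        if key in ("nw_src", "nw_dst"):
            if ipaddress.ip_address(have) not in want:
                return False
        elif str(have) != want:
            return False
    return True


def apply_actions(actions, pkt: dict):
    """Return (verdict, possibly rewritten packet, output ports)."""
    pkt, out_ports = dict(pkt), []
    for name, arg in actions:
        if name in ("mod_dl_src", "mod_dl_dst", "mod_nw_src", "mod_nw_dst"):
            pkt[name[4:]] = arg            # mod_dl_src -> dl_src
        elif name == "output":
            out_ports.append(int(arg))
        elif name == "drop":
            return "drop", pkt, []
        else:
            raise ValueError(f"unsupported action {name}")
    return ("output" if out_ports else "drop"), pkt, out_ports


class FlowTable:
    def __init__(self):
        self.rules = []

    def add(self, rule: FlowRule):
        self.rules.append(rule)
        self.rules.sort(key=lambda r: -r.priority)   # highest priority first

    def expire(self, now: float):
        """Soft state: remove rules idle for at least idle_timeout seconds."""
        self.rules = [r for r in self.rules
                      if r.idle_timeout == 0 or now - r.last_hit < r.idle_timeout]

    def process(self, pkt: dict, now: float):
        self.expire(now)
        for rule in self.rules:
            if matches(rule, pkt):
                rule.last_hit = now
                return apply_actions(rule.actions, pkt)
        return "packet_in", pkt, []   # table miss: hand the packet to the controller


def demo():
    table = FlowTable()
    table.add(parse_flow(SLIDE_RULE, now=0.0))
    # Constructed packets: inside the /30 on port 2; outside it; and the first one
    # again after the rule has sat idle longer than 45 s.
    hit = {"in_port": 2, "dl_src": "00:11:22:33:44:55", "nw_src": "42.59.142.201"}
    miss = dict(hit, nw_src="42.59.142.204")
    return [table.process(hit, now=1.0),
            table.process(miss, now=10.0),
            table.process(hit, now=50.0)]
```

The third packet in demo() is the forensically interesting case: the rule that rewrote the first packet's MAC is gone from the live table by then, so only a residual copy in memory (or the controller's pcap) records that it ever existed.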
State of SDN
• Implementations:
  – Hardware from major vendors and startups
  – Software switches (e.g., Open vSwitch in the Linux kernel)
  – Open-source software controllers (e.g., Ryu, POX, Floodlight, etc.)
• Deployments:
  – Google B4, Amazon, enterprises, etc.
  – More virtual switch ports in existence today than physical!
• But, security:
  – Only nascent research
  – No work on SDN forensics
SDN Challenge
• Participants given:
  – Switch memory image
  – pcap of network traffic between controller and switch
  – No other knowledge or clues about the scenario setup
• Forensic questions:
  – What type of SDN switch and controller?
  – What hosts were connected to which ports?
  – What traffic did the hosts send?
  – What flow rules were installed on the switch?
  – What actions did the switch take, and when?
Scenario
• 4 physically distinct devices:
  – Ryu OpenFlow controller
  – OVS Linux SDN switch
  – Two hosts
• OpenFlow over TLS (ECDHE) between controller and switch, with identifying information removed from the certificate
• LiME raw memory image of the Linux OVS switch, taken after reboot*
  – Pre-installed and dynamic flow table rules
  – Expired and non-expired flow table rules
[Topology figure: Ryu controller, OVS switch, hosts H1 and H2]
Levels of Complexity
• What type of SDN switch and controller?
  – LiME memory dump, Linux/OVS signatures
  – Controller capabilities negotiation
• What hosts were connected to which ports?
  – Flow rules (with MACs and IPs), including residual ones, present in memory dumps
  – But where in memory…
• What actions did switch/controller take, and when?
  – Some activity revealed in encrypted traffic
Participants (thanks!)
• Four submissions:
  – Korea University
  – Booz Allen Hamilton (BAH)
  – University of New Haven
  – Salford University
Challenge Approaches
• Misunderstand the challenge:
  – e.g., report the IP addresses of the controller and switch rather than of the hosts and the flow rules
• Analyze the encrypted pcap:
  – Difficult and limited
• Carve OVS data structures/logs from the memory image
• Obtain the ECDHE private key and pre-master secret from the memory image, decrypt the southbound pcap
BAH Submission (or, what makes a winning submission)
• Well documented:
  – Approach
  – Findings
  – How to reproduce
• Correctly answered all challenge questions
• Created Volatility plugins
• Worked toward automating the system
BAH Approach
1. Determine format/type of memory dump (using strings)
   • Linux machine, LiME dump, but raw format
2. Recreate physical-to-virtual address mapping
   • From BIOS artifacts
3. Create new memory image
4. Run Volatility with the correct Linux profile
BAH Approach (cont'd)
• Recover private key from memory
• Analyze TLS handshake
• Yara on memory image to obtain the pre-master secret
• Identify TLS handshake messages (ClientHello/ServerHello Random: time and random bytes), derive the master secret
• Decrypt pcap, recover OpenFlow messages
• (Also, obtain OVS log messages)
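The key-derivation step between "pre-master secret out of memory" and "decrypted pcap", as an added example (not BAH's code and not material from the slides). It implements the TLS 1.2 PRF and master-secret/key-block derivation from RFC 5246, pulls the Random (4-byte gmt_unix_time plus 28 random bytes) out of a ClientHello/ServerHello record, and emits the NSS key-log line that Wireshark accepts to decrypt the captured session. The Yara rule that located the pre-master secret and the ECDHE private-key recovery are not reproduced: the pre-master secret, the Random values and the Hello records are constructed, and the record parser assumes each Hello starts at a record boundary.

```python
"""TLS 1.2 key derivation from a recovered pre-master secret (RFC 5246 sections 5
and 8.1) and extraction of the Hello Randoms the derivation needs.
Added example; not BAH's code and not from the DFRWS slides."""
import hashlib
import hmac
import struct


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256: A(i) = HMAC(secret, A(i-1)), output HMAC(secret, A(i) + seed) chained."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47].
    For ECDHE suites the pre-master secret is the x-coordinate of the ECDH shared point."""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """PRF(master_secret, "key expansion", server_random + client_random): note the
    reversed Random order compared with master-secret derivation."""
    return tls12_prf(master, b"key expansion", server_random + client_random, length)


def aes128_gcm_keys(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Split the key block for an AES_128_GCM suite: two 16-byte write keys, two 4-byte implicit nonces."""
    kb = key_block(master, client_random, server_random, 40)
    return {"client_key": kb[0:16], "server_key": kb[16:32],
            "client_iv": kb[32:36], "server_iv": kb[36:40]}


def extract_hello_random(record: bytes):
    """Return (handshake_type, gmt_unix_time, 32-byte Random) from a ClientHello (1) or
    ServerHello (2): 5-byte record header, 4-byte handshake header, 2-byte version, Random."""
    if len(record) < 43 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_type = record[5]
    if hs_type not in (1, 2):
        raise ValueError("not a ClientHello/ServerHello")
    rnd = record[11:43]
    return hs_type, struct.unpack(">I", rnd[:4])[0], rnd


def make_hello(hs_type: int, random32: bytes) -> bytes:
    """Constructed, truncated Hello record carrying just enough body to hold the Random."""
    body = b"\x03\x03" + random32
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs


def keylog_line(client_random: bytes, master: bytes) -> str:
    """NSS key-log format; feed the line to Wireshark (TLS protocol preference,
    "(Pre)-Master-Secret log filename") to decrypt the session in the pcap."""
    return f"CLIENT_RANDOM {client_random.hex()} {master.hex()}"


def demo() -> dict:
    # Constructed values standing in for the secret carved from memory and the
    # Randoms captured in the pcap (gmt_unix_time followed by 28 random bytes).
    pre_master = bytes(range(0x20, 0x40))
    client_random = struct.pack(">I", 0x57000000) + bytes(range(28))
    server_random = struct.pack(">I", 0x57000001) + bytes(range(100, 128))
    _, t_client, cr = extract_hello_random(make_hello(1, client_random))
    _, t_server, sr = extract_hello_random(make_hello(2, server_random))
    ms = master_secret(pre_master, cr, sr)
    return {"client_time": t_client, "server_time": t_server,
            "master_secret": ms, "keys": aes128_gcm_keys(ms, cr, sr),
            "keylog": keylog_line(cr, ms)}
```

The gmt_unix_time field is what the slide's "random time" refers to: when the stack fills it in, it ties each Hello to a wall-clock time, which helps line the handshake up with the switch's log timestamps even before anything is decrypted.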
Challenge 2017
• Next year's challenge TBD:
  – Continue SDN?
  – Internet of Things?
  – UEFI malware?
  – Windows 10?
  – Drones?
  – Cloud?
  – Other?
Please send feedback/flames: [email protected]