Digital Forensics Lecture 9 - NMT Computer Science (…df/lectures/09 binary analysis.pdf)
TRANSCRIPT
0011 0010 1010 1101 0001 0100 1011
This Week’s Presentations
• Joshua Prusak: Tools for Binary Analysis
• Sage LaTorra: Detection of Malicious Code
• Rodrigo Lopes: Reverse Engineering
• Chad Cravens: Encrypted Binaries (EC)
Next Week Presentations
• Mayurie Shakamuri: Forensic Certifications
• Unnati Thakore: Risk Analysis for Evidence Collection
• Jim Curry: Non-IT Parents' Ability to Investigate their Child's Behavior (EC)
• Kelcey Tietjen: EnCase Forensic Toolkit (EC)
• Maggie Castillo: Sleuth Kit Forensic Toolkit (EC)
• Rodrigo Lopes: Paraben Forensic Toolkit (EC)
News Items
• Data Stolen From 2,300 British Computers Found in The United (11 October 2006)
• Microsoft Issues Ten Bulletins on Patch Tuesday (12 & 10 October 2006)
• Cyber Thief Steals Data on Brock University Donors (12 October 2006)
• More Than Half of Higher Education Institutions Surveyed had Security Breaches Last Year (10 October 2006)
Source: SANS NewsBites
Lecture Overview
• Motivation
• What is Binary Analysis?
• Where does it fit in DF?
• How is it done?
• What are some of the tools?
• What are some of the gaps?
[Figure: the digital forensics process - Legal/Policy; Preparation, Collection, Analysis, Findings/Evidence; Reporting/Action]
Motivation for Binary Analysis
• Measure and mitigate potential impacts
• Understand and mitigate malicious code
• Understand adversarial motivation
• Testing of high consequence systems
• Interoperability testing
• Failure and fault analysis
• What else?
Binary Analysis
• Analysis of binary data
• Analysis of executables
• Can be performed on live or dead systems
Characteristics
• This is an expert activity
• Expensive for a corporation to maintain
• Both an art and a science
• Very tool intensive
• Becoming more difficult to accomplish
When to Use It?
• Triggered by routine observation
• Based on a suspicion
• Preemptive analysis
Binary Analysis
• Description of the forensics time-line
• Analysis goals
• Description of typical analysis techniques
Type of Data to Collect
• User Data
– Documents, email, images, encrypted files
• System Data
– Files from OS directory, registry entries, services
• Network Data
– Network traffic related to the system in question
• Execution information (most difficult)
– Behavior
Tools
• Debuggers
– OllyDbg, etc.
• Disassemblers
– IDA Pro, etc.
• Binary editors
– Hex Workshop, etc.
• Utilities
– Libraries, Development, Network, Misc.
Gaps
• What are the difficult problems?
– Technology advancement
– System complexity
• Legal “understanding” of this domain
• Lack of experts
• Lack of communication among corporations