you$forgotyour$wallet!$tracing$ bits$of$coins$in$disk$and ... · you$forgotyour$wallet!$tracing$...
TRANSCRIPT
You Forgot Your Wallet! Tracing Bits of Coins in Disk and Memory
Cem Gurkok
whoami
• 10+ years of experience as InfoSec professional
• 2nd place @ the VolaIlity Framework Contest 2013 with Windows Kernel Object Security and Mac Rootkit DetecIon Plugins
• Talks at HITBKUL 2013, FIRST 2014, OMFW 2012/2013, HackerHalted 2013
Summary
• GeWng Ready • What is Bitcoin? Or really Bitconning ;) • Bitcoin So[ware • Memory ArIfacts • Disk ArIfacts • A]ribuIon • Conclusion • References
GeWng Ready • Downloading the Memory Sample and Script:
– Script: bit.ly/1rtvZme – Memory sample: bit.ly/1o9A7xk
• VolaIlity Framework InstallaIon – Checkout from GitHub
• svn co h]ps://github.com/volaIlityfoundaIon/volaIlity/trunk/ volaIlity-‐read-‐only – Install Yara
• Download and unzip: h]ps://github.com/plusvic/yara/archive/v3.1.0.zip • cd yara-‐3.1.0/yara-‐python/ • python setup.py install
– Install Pycoin: • Install pip (h]ps://pip.pypa.io/en/latest/installing.html#install-‐or-‐upgrade-‐pip) • pip install pycoin
– Install Distorm3 as well (Python disassembly library) • Download h]ps://distorm.googlecode.com/files/distorm3.zip • python setup.py install
– Copy plugin/script into /volaIlity-‐read-‐only/volaIlity/plugins/mac – Make sure you have the appropriate memory profiles installed as well – In this case MacMountainLion_10_8_5_AMDx64 (h]ps://code.google.com/p/volaIlity/downloads/detail?
name=MacProfilesAll.zip),
What is Bitcoin? Or really Bitconning ;)
What is Bitcoin? Or really Bitconning ;)
What is Bitcoin? Or really Bitconning ;)
Bitcoin Internals
• Wallet Clients: Bitcoin Core, MulIbit and more – Private Key: secp256k1 ECDSA standard [1] – Public Key – Address
• TransacIon Database – TransacIons, blocks, and block chains
• Network CommunicaIons * Ellip'c Curve Digital Signature Algorithm
Bitcoin Internals
What does a Wallet Generate?
Ar'fact Memory Disk
Private Key Yes, plain text Yes, if saved, possibly encrypted
Addresses Yes Yes
Debug files Yes Yes
Key Backup files Yes Yes
TransacIon logs Yes Yes
Network connecIons and traffic
Yes No
Target: Mac MulIbit Client
* h]ps://mulIbit.org/
Target: Mac MulIbit Client
• MulIBit is a Bitcoin wallet for Windows, MacOS and Linux
• Based on JAVA • Source code: h]ps://github.com/jim618/mulIbit
Tool: VolaIlity Framework
• Open collecIon of tools • Python, under GNU GPL • ExtracIon of digital arIfacts from volaIle memory (RAM) samples
• Offer visibility into the runIme state of the system
• Most versions of Mac OS X memory from 10.5 to 10.9 Mavericks, both 32 and 64-‐bit
Tool: VolaIlity Framework
Vola'lity Framework Plugin Mul'bit Ar'fact
mac_bitcoin [NEW!] Extracts Bitcoin private key and addresses
mac_netstat, mac_network_conns Display network connecIon informaIon
mac_list_files, mac_dump_file Extract debug, transacIon logs, backup files
mac_bitcoin Find Keys
and Addresses
Reverse JVM
Scan Process Address Space
mac_bitcoin
• Looks for two arIfacts in a MulIbit process: – Private keys – Addresses
• UIlizes – Yara and Regex to find the keys and addresses – Pycoin, a Python module for Bitcoin and alt-‐coins, used to convert private key to address and check validity of an address
mac_bitcoin
• Private/Bitcoin key format in MulIbit: – 52 characters in compressed Base 58 format or “wallet import format” [1]
– Starts with L or K [1] – Example: L2nBvZFR3jsoWUNMzcPMadUfMPbxA2RXwFzzjcSERfShFofu3AnT
• Regex: – /(L|K)[0-‐9A-‐Za-‐z]{51}/
mac_bitcoin
• Bitcoin address format in MulIbit: – 34 characters, also Base 58 encoded [2] – They consist of random digits and uppercase and lowercase le]ers, with the excepIon that the uppercase le]er "O", uppercase le]er "I", lowercase le]er "l", and the number "0" are never used to prevent visual ambiguity [2]
• Regex: – /[1-‐9a-‐zA-‐z]{34}(?!OIl)/
mac_bitcoin
• Used Yara, “The pa]ern matching swiss knife for malware researchers”
• YARA is mulI-‐pla}orm, running on Windows, Linux and Mac OS X, and can be used through its command-‐line interface or from your own Python scripts with the yara-‐python extension.
• Used Yara to scan the Mul'bit process address space for keys and addresses
mac_bitcoin
• Private key yara rule: – key_rule = yara.compile(sources = {'n' : 'rule r1 {strings: $a = /(L|K)[0-‐9A-‐Za-‐z]{51}/ condiIon: $a}'})
• Address yara rule: – addr_rule = yara.compile(sources = {'n' : 'rule r1 {strings: $a = /[1-‐9a-‐zA-‐z]{34}(?!OIl)/ condiIon: $a}'})
• Used with exisIng VolaIlity yarascan plugin: – scanner = mac_yarascan.MapYaraScanner(task = task, rules = addr_rule)
mac_bitcoin Demo ## First find MulIbit process PID # python vol.py mac_pslist –f Mac\ OS\ X\ 10.8\ 64-‐bit-‐f1607e48.vmem -‐-‐profile=MacMountainLion_10_8_5_AMDx64 | grep -‐i java # python vol.py mac_bitcoin –f Mac OS X 10.8 64-‐bit-‐f1607e48.vmem –profile=MacMountainLion_10_8_5_AMDx64 –p 239
mac_netstat Demo ## First find MulIbit process PID # python vol.py mac_pslist –f Mac\ OS\ X\ 10.8\ 64-‐bit-‐f1607e48.vmem -‐-‐profile=MacMountainLion_10_8_5_AMDx64 | grep -‐i java # python vol.py mac_netstat –f Mac OS X 10.8 64-‐bit-‐f1607e48.vmem –profile=MacMountainLion_10_8_5_AMDx64 –p 239
mac_netconns Demo
# python vol.py mac_network_conns –f Mac OS X 10.8 64-‐bit-‐f1607e48.vmem –profile=MacMountainLion_10_8_5_AMDx64
mac_dump_file Demo ## First find MulIbit tagged file paths # python vol.py mac_list_files–f Mac\ OS\ X\ 10.8\ 64-‐bit-‐f1607e48.vmem -‐-‐profile=MacMountainLion_10_8_5_AMDx64 | grep -‐i mul'bit # python vol.py mac_dump_file –f Mac OS X 10.8 64-‐bit-‐f1607e48.vmem –profile=MacMountainLion_10_8_5_AMDx64 -‐q 0xffffff800a100d90 -‐O mul'bit.log
Disk ArIfacts
• Similar Yara signatures can be used to scan the disk arIfacts such as page files in Windows or swap files in Linux or Macs
• A page file is a special file that acts as a sort of "scratch pad" to store modified pages that are sIll in use by some process [6]
• You can use Michael Matonis’s tool page_brute to use yara rules to scan a page file [7]
• False-‐posiIves due to lack of verificaIon by a tool, such as pycoin
Bitcoin Yara Rules in a file
rule bitcoin { strings: $key = /(L|K)[0-‐9A-‐Za-‐z]{51}/ $addr = /[1-‐9a-‐zA-‐z]{34}(?!OIl)/ condiIon: any of them }
Pagefile.sys scan
# python page_brute-‐BETA.py -‐r bitcoin.yar –f pagefile.sys [+] -‐ PAGE_BRUTE processing file: pagefile.ysy [+] -‐ YARA rule of File type provided for compilaIon: bitcoin.yar ..... Ruleset CompilaIon Successful. [+] -‐ PAGE_BRUTE running with the following opIons:
[-‐] -‐ FILE: pagefile.sys [-‐] -‐ PAGE_SIZE: 4096 [-‐] -‐ RULES TYPE: FILE [-‐] -‐ RULE LOCATION: bitcoin.yar [-‐] -‐ INVERSION SCAN: False [-‐] -‐ WORKING DIR: PAGE_BRUTE-‐2014-‐10-‐11-‐02-‐30-‐08-‐RESULTS =================
[!] FLAGGED BLOCK 10: bitcoin [!] FLAGGED BLOCK 16: bitcoin [!] FLAGGED BLOCK 39: bitcoin ….
Bitcoin Tracking
Bitcoin Tracking
Conclusions
• Memory forensics can reveal a lot • Bitcoin arIfacts: keys, addresses, transacIons, IP addresses
• These can be used with OS and other user informaIon for a]ribuIon
• If there is no search mechanism, write VolaIlity a plugin!
• Search methods trivially wrapped into a plugin for automaIon
QuesIons?
• Thank you! – Twi]er: @CGurkok – E-‐mail: cemgurkok <at/> gmail.com – Code: github.com/siliconblade/ – Blog: siliconblade.blogspot.com
References 1. Bitcoin private key format,
h]ps://en.bitcoin.it/wiki/Private_key 2. Bitcoin address format, h]ps://en.bitcoin.it/wiki/Address 3. VolaIlity Framework,
h]ps://github.com/volaIlityfoundaIon/volaIlity 4. Yara, h]ps://github.com/plusvic/yara 5. Pycoin, h]ps://github.com/richardkiss/pycoin 6. What is the Page File for anyway?,
h]p://blogs.technet.com/b/askperf/archive/2007/12/14/what-‐is-‐the-‐page-‐file-‐for-‐anyway.aspx
7. Page_brute, h]ps://github.com/matonis/page_brute