Data Carving in Incident Response - Steps Toward Learning More Advanced DFIR Topics

Introduction

I have been in information security since March 2010, when I got out of the Navy after navigating nuclear submarines for almost 7 years. Little did I know that with this change of career, I was about to be in for the ride of my life.

I have been steadily progressing as a "blue teamer" or enterprise defender this whole time and have undertaken learning one of (what I believe to be) the most difficult blue team trades: reverse engineering malware. The purpose of this blog is to allow readers to follow along if they want to get into the trade as well as to force me to take actual notes periodically.

Background: The Beginning

To understand my background, here is a graphic showing my career progression:

I started my career with only basic fundamental knowledge of information security. However, applying the work ethic and desire to excel I learned in the Submarine Force, I set out to become the best information security professional that I could. My first job out of the Navy was not very technical. I realized this and enrolled for both online and in-person training. I took a UNIX and Linux class in person and that itself has taken me far. I use Linux or a UNIX variation often in my current role and have used it in my past two roles as well.

I learned auditing as part of being a government employee, so that I could assess the security of systems to support them, attaining Certification & Accreditation (C&A; now known simply as Authorization in the federal space). I continued to push myself to learn technical concepts and refine my knowledge. After I left the federal government and came back to the same agency as a contractor, my former supervisor commented that I "was too technical to be a 'govvie'."

As a UNIX administrator, I was able to unleash my theoretical knowledge and be at ground-zero for technology. I was involved with patching and remediation, system migrations from PA-RISC to Itanium, and modernization of the web experience.

Over the course of a few years, I had already worked as an auditor, a systems engineer, and a Senior UNIX Administrator focused on security, and had completed my undergraduate and graduate degrees in Information Security as well. At this point, I wanted a change and wanted to be closer to family, so I accepted a job as Director of IT Security/ISSO in Atlanta.

Background: 2013 to Mid-2017

When I started this job, I was afforded something I had never had before: freedom and latitude. I found that I could be as technical as I wanted to, as long as it didn't cost much. Over time, I learned how to administer Active Directory, Group Policy, McAfee ePO, Tenable Security Center, Gigamon, and Sourcefire. Prior to this role, I had only managed HP-UX and Red Hat servers. It felt like a knowledge explosion to have a chance to learn so many new things.

As Director of IT Security and ISSO, I had to revisit my roots in Governance and Regulatory Compliance (GRC) in writing Policies and Procedures to meet federal and contractual requirements. Beyond this, I was able to build on my technical foundation and deploy, analyze, and maintain various technologies as well as participate in "Hack the Pentagon." This was a confidence booster and a challenge. I had no other security people to consult internally. I had to learn to make things work in an efficient and secure manner.

As time went on, things changed with the contract, the management, and the team. Within three years, I had outgrown my position. There was no more opportunity for development or upward mobility and things were beginning to feel toxic. I felt like I was losing my passion for Infosec. Luckily, Sword & Shield came to my rescue. I began my current position as an Enterprise Security Consultant in October, 2016.

In the 7 months that I have been here, I have been exposed to more than I ever could have imagined. I have worked with government contractors, small business, large businesses, and many in between. To date, I have conducted GAP analyses, NIST assessments, phishing/social engineering assessments, and incident response. I even passed the AlienVault Certified Security Engineer (ACSE) exam and have become an AlienVault certified instructor.

THE BEGINNING OF THE TRANSITION

During this time, I also started public speaking and got to meet the illustrious Kate Brew in person at Infosec Southwest. I hope to also see her again at LASCON as well as "Hacker Summer Camp" as I am speaking at BSides Las Vegas and attending Defcon.

To return to where I am in my career and what I am working towards, I discovered that I was seeing consistent trends in things that were missing while doing incident response (IR). My solution: determine the tools I needed to work and put them on a system to take with me so I always had them. No logging, no problem. After the events below, I put that project on hold to learn data carving initially, then I decided to learn about reverse engineering before I return to that project. At some point, I still plan on completing an IR specific operating system.

Naturally, as I did more IR, I became more interested in the "Blue Team", though I had always thought that I was going to end up as a "Red Teamer." While this still might happen, I couldn't be happier on the Blue Team doing Digital Forensics and Incident Response (DFIR.)

TRANSITION: IN-PROGRESS

There are many things that feel mysterious to me. Forensics is one of them. As a challenge, after I and my mentee Caroline Stephens (@cxstephens) were selected to speak at BSides Cincy, we decided to embark on a learning adventure. We intentionally selected a topic that was relatively foreign to both of us - "Data Carving", also known as "File Carving". We both had a lot of preconceived notions about what it was and she was actually closer to the mark than I was. Once we ironed out what it was and was not, we began to tinker with some tools.

THE RESEARCH

We planned on starting with The SleuthKit (TSK), Autopsy (SleuthKit GUI), and Foremost. Come to find out Foremost is gone and was carried forward as Scalpel, an open-source tool maintained by SleuthKit. TSK is not impeccably user friendly at first. With the short timeframe we had, working out the nuances was quite a challenge. We gathered information on TSK, mentioned it in the talk and focused on the more user-friendly solutions. You might ask, could we have used Autopsy? Absolutely, but we also wanted to focus more on the command line for this.

I did a little research into file carving and was able to find some disk images (dd files) to carve. Using Scalpel, I was able to figure it out and work with Caroline to get her up to speed as well. We opted out of using the typical Digital Ocean droplet that I normally use and chose a REMnux virtual machine instead. Note that REMnux is SANS' reverse engineering malware custom Linux distribution. NIST CFReDS (Computer Forensics Reference Data Sets) proved invaluable.

WHAT IS DATA CARVING?

Simply put, data carving is the act of "carving" files out of disk images and packet captures (as I learned later from my mentor, Chris Sanders (@chrissanders88) - author of Practical Packet Analysis). This can be conducted to recover lost files or to restore files forensically. Alternatively, under the right conditions, this can be also used offensively to intercept files in a man in the middle situation. We chose REMnux because of the capability of carving out of packet captures, which I found some of malware infections.

If you're a glutton for punishment, you could use regular expressions to attempt to carve the packets manually. If you want to do so, you'll need to know the header and footer information for the file type(s) you're carving and have some level of familiarity with

In talking with Chris about carving from packet captures, I discovered an awesome tool, Network Miner. It does much more than carving, but that is the icing on the cake. This tool not only allows you to carve file(s) out (if there are any), but also view the network traffic organized by host sent and received, as well as view credentials, parameters, images, and DNS lookups (think Wannacry). You can also seamlessly query sites like VirusTotal for the actual file since Network Miner puts it in a directory on your system or you can search OTX or VirusTotal for the hash, as Network Miner makes getting them easy.

I looked around on the internet for good resources to obtain malware samples and packet captures (pcaps). I will list them in the references section below.

WHAT DO YOU DO WITH THE CARVED DATA?

Well, this will depend on what kind of data you've carved. Was it from an image or a pcap? In either circumstance, your intention will dictate what you do with the data. If you're operating under defensive parameters, you'll return the files and/or include them in your report. If you're operating with malice or simulated malice (penetration testing), you will see what is in the file and how you can use it to your advantage. I use one of Chris' SMB pcaps for demonstrations and execute puTTy directly from Network Miner. Alternatively, if you're carving malware out of file systems or pcaps, you could begin to reverse engineer it to create Indicators of Compromise.

THE TRANSITION: STEPS FORWARD

This is my journey, not my destination. I will continue to learn more tools and techniques to help secure networks, identify and assess the damage of incidents, and resolve incidents. I reached out to someone I met at BSides Charm, Maddie Stone (@maddiestone), and asked for some help in learning to reverse engineer.

As if I would expect anything else, she gave me a laundry list of homework to complete. I am currently working through it. I am currently using C for Dummies to learn C Programming while also using OpenSecurityTraining to learn x86. Additionally, I have been working to get better at binary and hexadecimal math. Furthermore, I have begun working with GNU Debugger (gdb) in addition to GNU Compiler Collection (gcc) to work with compiling and debugging the code. I have also started using Minimalist GNU for Windows (mingw) to compile C for the Windows platform.

Beyond this, I have started using IDA Pro Free and Ollydbg to get more familiar with common debugging and disassembly tools used in the field. I have also downloaded Immunity Debugger, but have not used it much. I also installed Visual Studio because the OpenSecurityTraining course uses it.

My next steps are:

1. Conquer C and Basic x86 (via Practical Reverse Engineering)
2. Complete the Intermediate x86 course
3. Complete the Static and Dynamic Analysis courses
4. Complete the Reverse Engineering courses (Software & Malware; Hopefully also SANS Forensics 610: Reverse Engineering Malware)
5. Wash, Rinse, and Repeat for x64 and ARM
6. Take some exploit development courses (1& 2)
7. Keep on kicking butt (Always!)

REFERENCES AND OTHER TRAINING OPTIONS

I did some searching to identify additional training options (in case I need a different explanation of material) and here are some of the more inexpensive courses I found:

Pluralsight ($29/mo.)

• Malware Analysis Fundamentals
• Malware Analysis: The Big Picture
• Advanced Malware Analysis: Combating Exploit Kits
• Security for Hackers and Developers: Reverse Engineering
• Exploit Development and Execution with the Metasploit Framework

Cybrary Free unless you want a certificate for proof and continuing education)

• Intro to Malware Analysis and Reverse Engineering
• Dynamic Malware Analysis Training Course

Udemy has a $50 Reverse Engineering and Exploit Development course.

Now on to the more expensive courses:

• Infosec Institute has a "Reverse Engineering Bootcamp" for $4398 (Note: this includes an attempt at the CREA certification)
• Intense School has a "Reverse Engineering Online: Malware, Binary Analysis and Software Vulnerabilities" course (which also corresponds to CREA; I was unable to get a price - the website was glitchy)
• SANS has the following in the way of Reverse Engineering and Exploit Development:
  • Forensics 610: Reverse Engineering Malware (which corresponds to the GREM certification) for $5910 + $689 for GREM
  • SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking(which corresponds to the GXPN certification) $5910 + $689 for GXPN
  • SEC760: Advanced Exploit Development for Penetration Testers$5910 (No Corresponding Certification)
• Offensive Security (the OSCP people) have the Advanced Windows Exploitation (AWE) course and Offensive Security Exploitation Expert (OSEE) The training is only held once per year at Black Hat and is $5000+ ($5000 is the early bird price).
• Furthermore, this year at Black Hat, there are also the following courses:
  • Malware Analysis Crash Course- $3700
  • OS X Malware Analysis Crash Course- $3500
  • The IDA Pro Basic Course- $3500
  • The IDA Pro Advanced Course: Reverse Engineering with IDA Pro- $3500

Finally, here are the final resources that I am using (not all right now, but I am working through it):

• Epic List that onethawt maintains on Github.
• FREE Reverse Engineering for Beginners book (PDF)
• Author of SANS FOR610, Lenny Zeltser's Blog about Starting in Malware Analysis
• Practical Malware Analysis(Considered to be a seminal Work)
• Malware Analyst's Cookbook (also endorsed by Zeltser)
• Practical Reverse Engineering (also considered seminal)
• Reversing: Secrets of Reverse Engineering
• Learning Linux Binary Analysis

In conclusion, this is a work in progress. I am actively working on honing my understanding of x86 then x64 and ARM, while concurrently learning C. While I try to minimize my attempted analysis of malware, I sometimes do it alongside simple C programs that I write and compile as part of the For Dummies book. This gives me a measure of where I am in something that is hard to understand at first. I will continue to chronicle this as blogs for those following along and those interested in getting into malware analysis.