Using Team Cymru’s MHR with Volatility

Today we’ll briefly discuss cross-checking Team Cymru’s Malware Hash Registry against files found in memory or hibernation files by Volatility. We’re going to do it by hand at the command line, as a quick exercise in some ways to manipulate both tools and think through command line problems. Please note Team Cymru places restrictions on automated use of their lookup tool, so don’t automate anything like this without speaking to them.

To do this, we’ll obviously need a memory image and a Linux environment with Volatility functioning (I recommend downloading the SIFT kit VM if you don’t have one). Our starting point in this exercise is after memory has been properly retrieved with an imaging tool, we’ve identified an appropriate Volatility profile with imageinfo, and we’ve identified a suspicious process or processes using our standard toolkit of commands like malfind, malsysproc, unloadedmodules, etc…

We shall begin by dumping some files of interest from our memory image using a command like moddump (which extracts kernel drivers) or dlldump. For this example we will simply be dumping dlls. To avoid a mess, we will first make a directory to put the dumped files in.

mkdir dlls

Next, we perform the dump. In practice, we should be focusing on specific suspicious processes using --pid, or the results of a search with --regex. There will be a cap on the number of hashes we can submit using this mechanism, so don’t try to submit the entire raw results of dumpfiles. However, as an example, examining only .exe files output by dumpfiles -n might be interesting. Each command has its purpose.

vol.py -f [mem] --profile=[Profile] dlldump --dump-dir=dlls

(As a reminder, that command is:

vol.py -f [filename of the memory file] --profile=[the profile that imageinfo / kdbgscan identified] dlldump --dump-dir=[the path to our dump directory] --pid=[suspicious process ID, if available])

Now, we ought to have a big folder full of DLL files which Volatility found in memory. Let’s head there and make sure everything worked okay.

cd dlls
ls

Team Cymru requires the input to be in a specific format, with a begin marker and an end marker. So let’s make a new file that starts with that.

echo begin > hashes.txt

We can’t just use the output of md5sum or sha1sum because it contains two columns (hash, then filename) and the MHR service needs one hash per line, nothing else. We have to do something to remove that second column. There are a lot of solutions in Linux. In this example, I chose to pipe the results of md5sum into awk, with which I select only column 1. I’ll then append that output to our hashes.txt file.

md5sum * | awk '{ print $1 }' >> hashes.txt

(Grep is a powerful tool. We could certainly do some file filtering at this point if we failed to do so properly within Volatility. For instance, in our example of dumpfiles -n, this might be where we filter for only .exe files, with md5sum * | grep '\.exe$' | awk '{ print $1 }' >> exehashes.txt)

Now let’s properly close our file as requested.

echo end >> hashes.txt

Team Cymru’s bulk command line submission method is netcat to their whois service on port 43. We shall upload the file we just made, and a new file with their response will be generated as a result.

netcat hash.cymru.com 43 < hashes.txt > hashescheck.txt

Remember that our syntax for netcat will be [destination server] [port] < [the file we are sending] > [the returned output’s destination].

Now, we can check the contents of the resulting file. If we sent a larger list of files, we’ll probably want to filter out noise by eliminating any line that came back NO_DATA. For verification, there should at a minimum be a header returned.

grep -v NO_DATA hashescheck.txt

# Bulk mode; hash.cymru.com [2016-x-x x:x:x +0000]
# SHA1|MD5 TIME(unix_t) DETECTION_PERCENT
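As an added example (not code from the original post), the same procedure as a script: it builds the begin/end-wrapped request from the dump directory, keeps the hash-to-filename map that the awk step throws away, and joins the hits in the reply back to the dumped files. The DLL contents, their filenames and the MHR reply are constructed sample data, and no lookup is actually sent.

```shell
#!/bin/sh
# Added example, not from the original post: build the hash.cymru.com request
# from a Volatility dump directory while keeping a hash -> filename map, then
# join the hits in the reply back to the dumped files. Constructed sample data
# stands in for the dumped DLLs and for the MHR reply, so nothing is sent.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DUMPDIR="$WORK/dlls"
mkdir -p "$DUMPDIR"

# Constructed stand-ins for files dlldump would have written (names made up).
printf 'alpha' > "$DUMPDIR/module.1234.abcd0000.dll"
printf 'beta'  > "$DUMPDIR/module.1234.abcd1000.dll"

# Hash only the dumped *.dll files (so hashes.txt itself is never hashed) and
# keep md5sum's two-column output as the map. The request is column 1 only,
# wrapped in the begin/end markers the bulk interface expects.
build_request() {
    dumpdir=$1; map=$2; request=$3
    (cd "$dumpdir" && md5sum *.dll) > "$map"
    { echo begin; awk '{ print $1 }' "$map"; echo end; } > "$request"
}

# Drop the '#' header lines and every NO_DATA line (as grep -v NO_DATA does),
# then print hash, unix time, detection percent and the file it came from.
report_hits() {
    map=$1; response=$2
    awk 'NR == FNR { name[$1] = $2; next }
         /^#/ || /NO_DATA/ { next }
         { fn = ($1 in name) ? name[$1] : "unmapped"; print $1, $2, $3, fn }' \
        "$map" "$response"
}

build_request "$DUMPDIR" "$WORK/map.txt" "$WORK/hashes.txt"

# Constructed reply in the layout the post shows. A real run replaces this with:
#   netcat hash.cymru.com 43 < hashes.txt > response.txt
{
    echo '# Bulk mode; hash.cymru.com [constructed sample]'
    echo '# SHA1|MD5 TIME(unix_t) DETECTION_PERCENT'
    awk 'NR == 1 { print $1, "1469020800", "60" }
         NR == 2 { print $1, "1469020800", "NO_DATA" }' "$WORK/map.txt"
} > "$WORK/response.txt"

HITS=$(report_hits "$WORK/map.txt" "$WORK/response.txt")
printf '%s\n' "$HITS"
```

The map file is what lets a hit be traced back to the process and base address encoded in dlldump’s filename, which the bare hash list cannot do.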

And that’s that!

(Please don’t ask me about submitting files to VirusTotal, because that already exists; all you’ll need is your API key.)

The Top 9 Ways I Found Your ‘Secret’ Dating Profile

  1. You reused a cute username (or email address).

Aliases and usernames have become a big part of our personal online presence, and we often feel tied to them when we register for new sites and services. This can be a great way to build an online identity, but it can also make it trivial to tie our activity on various services together.

Even if your registered username isn’t immediately visible in a dating profile, it’s often visible in the URL of your profile, your profile photo filenames, or during communication with other users.

There are plenty of free and paid services which search and monitor social media and email accounts by username. Pipl is a great example. It will rapidly scan popular sites and services for email addresses, usernames, names, and phone numbers to build a comprehensive profile of a person.

Namechk.com performs a broader sweep of services for usernames only, immediately flagging services where a particular username has been registered. This is an easy way for someone with malicious intent to draw connections between a dating site profile username and your ‘real’ life, even if your profiles are correctly private or hidden.

Simplest of all, a Google search will often turn up social media profiles, forum posts, and blog comments tied to a particular username. If you’re concerned about dating site matches finding your online presence, or people online finding your dating profile, just don’t reuse usernames or email addresses!

  2. You reused profile pictures.

A few years ago, image recognition on a large scale was restricted to law enforcement and corporate security. This isn’t true anymore. Free services like Tineye and Google Images will search billions of indexed images on the internet for identical or similar pictures. This isn’t necessarily tied to a traditional hash or to metadata: cropping or resizing an image is not a foolproof way to defeat it (as I show in the screenshot below, where Tineye and Google correctly identified my profile selfie, which is substantially cropped on social media). The photos are visually similar enough that the search engines’ algorithms can draw a connection.

Ultimately, this means that if you are interested in privacy, you should never reuse a photo or set of photos that you’ve used elsewhere on the internet (at any time) on your dating profile. Choose where to use your glamour shots, wisely!

  3. You forgot to check and sanitize your pictures.

Reuse isn’t the only situation in which photos can compromise your privacy. There are two sets of clues that can give away important personal information in your photos. The first are old-fashioned visual clues. Consider: is there a window in your photos, and are there identifiable buildings or landmarks outside of it? Were your photos taken in an apartment building or dorm that can be easily identified in other people’s photos? I highly recommend reading this eye-opening blog on the subject by IOActive. Give some thought to what people can see in your photos’ backgrounds before posting them to your private dating profile.

The second way your photos can betray your privacy is a bit more technical, but still terribly important to recognize. It has to do with hidden information, or ‘metadata’, which is tacked onto most pictures by phones, photo editing software, and digital cameras. You can’t see EXIF metadata without using special tools, but it may contain startling amounts of information about where the photo was taken, by whom, and when. This exists primarily to help out professional photographers and photo storage tools.

I took this pretty photo at Disney World. Let’s look at some of the data hidden inside of it:

Create Date   : 2016:02:20 20:01:04
Make          : Samsung
Orientation   : Horizontal (normal)
Flash         : No Flash
Focal Length  : 4.3 mm
GPS Position  : 28 deg 21' 27.100" N, 81 deg 33' 29.71" W

Even with location geotagging disabled in your camera settings, metadata still provides a tremendous amount of detail about you and your devices, and can even uniquely identify photos taken with your camera. (The use of photo editing tools also becomes blatantly obvious, which can be a cause for some embarrassment.) Ensure you remove identifying metadata from photos before posting them onto your dating profile.

  4. You forgot that the internet is forever.

If I were forced to pick only one error which causes dating site members the most personal embarrassment over the long term, it’s forgetting this. A single mistake made months earlier can haunt you. Let’s imagine that before reading this article you uploaded your professional headshot to your dating site profile. You realized a few days later that it was too much of a privacy give-away, and made the wise choice to switch to a new photo. You might not be out of the woods.

Search engines and archive sites are continually indexing as much content as they can from the internet. These sites retain cached copies of images and pages long after they are changed or erased at the original source.

Somebody with malicious intent may use this to their advantage when trying to correlate your dating profile to other web content. He or she will very likely check search engine caches for old pictures or bios that are easier to identify or contain embarrassing details. If that professional headshot is still in a cache associated with your dating profile, he or she can use Tineye to match it to your corporate bio that shares the same photograph. If you’ve changed your username, he or she may be able to find the previous version.

Unfortunately, this isn’t an easy thing to fix after the damage is done. The bottom line is: assume that anything posted to the internet is perpetual, and usually cannot be removed (even through legal action). If you post data which compromises your privacy or reputation to your profile, remove it immediately and consider starting fresh with an entirely new profile. If needed, pursue sites and search engines to remove what they can and will, and disassociate your online identity as much as possible from the content.

  5. Minor details tell a larger story about you.

This is open source intelligence 101. The individual facts and conversations you post on dating sites might not give away your identity, but as a collective whole, they may. Give some consideration to how much information you’re giving other users over time and as a whole. Did you post that you live in Milwaukee, tell a user that you live in an apartment with a pool, and tell another that you live next to an airport? These pieces of information put together say a lot more about your location than they do individually.

Pay attention to details. How much information have you posted on your profile over time as you’ve updated it? How much information are you providing in private conversations with other users?

  6. Your social media profiles aren’t private enough.

The number one open source intelligence source that people with evil intent will try to use against you, or to identify you, is your social media profiles. You make a malicious person’s life significantly more difficult by simply locking down your social media profiles so that nobody except people you know personally can view them, or so that the data that is publicly visible is not enough to give an attacker an advantage.

  7. You joined your social media profile to your dating site account.

We’ve previously discussed the privacy risk posed by sharing photos, usernames, and email addresses between your private dating profile and the rest of your online presence. Linking your social media accounts may be a simple and timesaving way to create an account on many dating sites and apps, but these sites frequently import most of the data we’ve discussed above directly into your dating profile and account. Given all the points we’ve discussed previously, this is obviously not a wise choice.

I highly recommend using an entirely new and separate email account to sign up for a private dating profile. If the site in question absolutely requires linking a social media account, start a new one without unnecessary personal details.

  8. You forgot that social engineering (and catfishing) happen, and can happen to you.

No matter who you are, which gender you are, what you do for a living, or how much money you make, you can be a target for fraud or social engineering. Somebody who wants to manipulate or identify you on a dating site may attempt to gain your trust before drawing you into a trap. If something doesn’t feel right, it probably isn’t. If something seems too good to be true, it probably is. Be very cognizant of members leading you into revealing unusual personal details, compromising photos, or financial information. Dating sites are fair game to cyber-criminals.

  9. You weren’t aware that you were accepting risk.

Dating online, like the rest of our lives, carries some inherent risk. The level of risk associated with joining a dating site and interacting with others on that site varies by each individual’s situation. For example, this risk may be to your reputation if your profile (or behavior with other users) were publicized, or to your personal safety if your location or identity were compromised.

Online dating is a great option for many people and many healthy relationships exist today because of it. You must simply consider what level of risk you’re willing to accept before doing it. Even if you are meticulous in protecting your online presence, there will always be circumstances outside your control. What would the consequences be if the site were breached, and your identity and interactions were posted online or sent to your employer or family? If somebody successfully identified you, how easy would it be to find your street address or place of business? Like any other activity that carries some significant risk, you must consider these types of questions and make your own informed decision.

What is ‘DFIR’? And how do ‘Digital Forensics’ roles vary?

I had a discussion today with a particularly charming infosec pop star about what differentiates ‘DFIR’ from other infosec job roles and how it relates to them. This is a question I get asked a lot by ladies and gents interested in making a jump into information security careers, so let’s have a brief discussion on what these forensicator jobs tend to do in your average working environment.

Now, you may be generally familiar with digital forensics – the exciting science of taking all manner of digital ‘stuff’, and finding out what it’s done, when it was done, and who did it. Seen weekly on your average episode of CSI or NCIS… it is nothing like CSI or NCIS.

It’s usually not too much like what’s taught in ye olde average Forensics degree program. Not judging.

So first, what is this ‘digital stuff’ that we can do forensics on? Well, the obvious use case is a hard drive. Take it out of a computer, and find out everything that’s happened on that computer. When was the computer turned on, and who logged in? What programs did they start, and what did they do in those programs? Did they do any internet browsing? In the 1990’s and early 2000’s, proving those things in court was a large portion of the field. Modern digital forensics goes way beyond that. We’re not just concerned with PC hard drives. We’re concerned with anything that runs on 1’s and 0’s, from cars, to hospital equipment, to USB drives, to cameras. That’s the ‘internet of things’, friends. It can all contain digital evidence. A car GPS can tell us where it’s navigated to for weeks. A camera can tell us where every photo was taken. A hospital lab machine can tell us which connected USB drive contained malware, and from where.

“But Lesley, who wants that evidence? Abby from NCIS, and her beautiful beautiful pigtails, no?” Yes, and no. As appreciative as I am of Ms. Sciuto’s fashion sense, law enforcement is only one small part of modern forensics professions. We can generally break down forensics on all these devices into two fields – e-discovery, and Digital Forensics and Incident Response (DFIR). E-discovery is the legal side of forensics – in a broad sense, the person being investigated is the case, and digital forensics tools and procedures are being used to support a case involving them. DFIR is more the infosec side of forensics – the digital system is the case, meaning that instead of our main objective being the investigation of an external case, the digital device itself is being investigated. Examples of this are all types of security incidents, from data breaches to malware. Some forensics professionals do both types of cases, and others just do one or the other.

E-discovery professionals tend to interface the most with legal and law enforcement agencies. Many e-discovery professionals have a legal background, but that is certainly not all-inclusive. These are the guys and girls who are reading the emails you deleted. DFIR professionals tend to work as part of the blue team, working as parts of SOCs or CSIRTs or with malware analysts. They often have security operations center backgrounds – again, not all-inclusive by any means.

Both of these jobs involve similar tools. Both types of investigators need tools to sift through deleted files on hard drives, browser caches, memory, and Windows registries (for similar and different reasons). The commercial products used by both overlap, although memory forensics is still often a DFIR-specific field, and preserving a court-admissible chain of custody oft remains the realm of e-discovery. Guidance, FTK, and Oxygen tools are heavily represented in the market. Obviously, both require quite specialized tools as well. Malware hides differently than human beings do.

“So, Lesley, what is the biggest myth about digital forensics?” Well, first of all, it is not Abby’s pigtails, because I rock fishnet. I would have to say that the biggest exaggeration is steganography. It’s become a running gag that every time I find a person who wants to study or is studying forensics, their first case study will be some sort of steganography. If you don’t know what that is, you should read an article or two, as it is quite intellectually interesting. Unfortunately, it is a rare case that actually involves the hiding of data in this manner. The truth is, networks tend to be so insecure that such drastic methods are not usually necessary outside of certain uncouth communities. I spend a great deal more time recovering wholly undeleted data from memory and slack space on hard drives. I do wish that forensics degree programs spent a lot more time on memory forensics with products such as Volatility and Mandiant Redline, as it is frequently critical.

The second biggest myth is that ‘porn mode’ has any impact at all on me being able to see what you’ve browsed in the last several weeks. It rarely does. Not judging, again.

So there we have it. Forensics, and its variations, in a nutshell. If you would like to know more, please feel free to tweet or message me. I am, as always, happy to respond.