Ryan O'Neill - Advances in Linux Process Forensics Using ECFS

Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Ryan-O%27Neil-Advances-in-Linux-Forensics-ECFS.pdf Advances in Linux Process Forensics Using ECFS Ryan O'Neill Security Consultant, Leviathan Security Group Many hackers today are using process memory infections to maintain stealth residence inside of a compromised system. The current state of forensics tools in Linux, lack the sophistication used by the infection methods found in real world hacks. ECFS (Extended core file snapshot) technology, https://github.com/elfmaster/ecfs is an innovative extension to regular ELF core files, designed to be used as forensics-friendly snapshots of process memory. A brief showcasing of the ECFS technology was featured in POC||GTFO 0x7 (Innovations with core files). However this talk will reveal deeper insight on the many features of this technology, such as full symbol table reconstruction, builtin detection heuristics, and how common binutils such as objdump, and readelf can be used to quickly identify complex infections such as PLT/GOT hooks and shared library injection. We will also cover the libecfs API that was created specifically for malware and forensics analysts who aim to implement support for ECFS snapshots into new or existing malware detection software. While the ECFS core format was initially designed for runtime malware and forensics purposes, another very neat aspect to this technology was quickly extrapolated on; the ECFS snapshots can also be reloaded into memory and executed. Very similar to VM snapshots, which opens many more doors for research and exploration in a vast array of areas from dynamic analysis to migrating live processes across systems. ECFS is still a work in progress, but for those who understand the arduous nature of dissecting a process and identifying anomalies, will surely acquire a quick respect for the new technology that makes all of this so much easier. Ryan 'elfmaster' O'Neill is a computer security researcher at Leviathan Security and the maintainer of Bitlackeys.org, a hub for much of his independent research. He is a Reverse engineer, and a Software engineer, who also specializes in the ELF binary format, and delivers on going workshops in this area to interested parties, including the US government. Ryan has worked on many security technologies including but not limited to: Maya's Veil : anti-tamper / anti-exploitation protection for Linux ELF binaries VMA Vudu : automated forensics analysis of process runtime infections in Linux kernelDetective : Linux kernel forensics software Ryan has produced alot of research and publications in areas pertaining to Linux kernel and userland malware, such as "Linux kprobe instrumentation from phrack 66", and is author of soon to be released book "The art of Linux binary analysis" which focuses on everything from ELF internals to Linux Viruses, and Binary protection techniques. Ryan has been involved in the computer security scene since 1999.

There are no comments yet.

Please log in to write the first comment.