Beyond files forensic OWADE cloud based forensic

Transcription

1 Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan Fontarensky Cassidian Matthieu Martin Stanford University Jean Michel Picod Cassidian 1

2 The world is moving to the cloud E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 2

3 2.7 millions photos are uploaded to Facebook every 20 minutes E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 3

4 100 millions new files are saved on Dropbox every day E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 4

5 Data are moving to multiple services Hard drive s contacts photos Cloud Hotmail LinkedIn Facebook E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 5

6 Impact on the forensic field There are more data which are harder to reach Dealing with cloud data force us to reinvent forensic E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 6

7 Let s do cloud forensics E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 7

8 What is cloud forensics? E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 8

9 Facebook credentials as a use case Syskey Windows User Password DPAPI blob-key credentials Registry SAM (hash) DPAPI master-key IE DPAPI Blob Facebook Getting Facebook credentials require to bypass 4 layer of encryption E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 9

10 Focus of this talk xw Show you how to bypass the encryption layers and get the data you want E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 10

11 Introducing OWADE Dedicated to cloud forensics Decrypt / recovers DPAPI secrets Browsers history and websites credentials Instant messaging creds Wifi data Free and open-source E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 11

12 OWADE Overview E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 12

13 Outline File base forensics refresher The Windows crypto eco-system Wifi data and Geo-location Recovering browser data Recovering instant messaging data Acquiring cloud-data Demo E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 13

14 File based forensic refresher E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 14

15 Not all files are born equal Type of file Standard In the trash Deleted how to recover it copy undelete utility file carving Wiped call the NSA :) E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 15

16 Windows registry Hardware information Softwares installed with version and serials Windows credentials (encrypted) E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 16

17 Windows crypto E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 17

18 Many software use Windows Crypto APIs E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 18

19 The Windows crypto eco-system Crypto API DPAPI Credential Manager SAM E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 19

20 Windows Crypto API Basic cryptographic blocks Cipher: 3DES, AES Hash functions: SHA-1 SHA256, HMAC PKI: public keys and certificates (X.509) E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 20

21 The Security Account Manager (SAM) Store Windows user credentials located in the registry Encrypted with the SYSKEY Password are hashed E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 21

22 Windows Password Hashing functions Two hash functions used LM hash function (NT, 2K, XP, VISTA) weak NTLM (XP, Vista, 7) Password are not salted E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 22

23 LM hash weakness Use only upper-case Hash password in chunk of 7 characters mypassword LMHash(mypassw) + LMHash(ord) Password key-space: 69^7 (at most) E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 23

24 Rainbow Tables Pre-compute all the possible passwords Time-Memory trade-off Rainbow tables of all the LM hash are available E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 24

25 How OWADE Works Extract Usernames and password hashes LM hashes available? use John/Rainbow tables to get the pass in uppercase use NTLM hashes to find the password cases Try to crack the NTLM using John/Rainbow table E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 25

26 What if we can t crack the NTLM hash :( (need a sad baby face here) If the password is too strong we can t recover it E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 26

27 Everything is not lost because of how DPAPI works (smilling baby face) but we can still decrypt DPAPI secret (sometime) E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 27

28 The Data Protection API Ensure that encrypted data can t be decrypted without knowing the user Windows password Blackbox crypto API for developers: Encrypt data DPAPI blob Decrypt DPAPI blob data E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 28

29 DPAPI derivation scheme SHA1(password) pre-key User master-key blob key blob key blob key DPAPI blob DPAPI blob DPAPI blob E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 29

30 Master-key GUID DPAPI blob Master key Cipher + key pre-key SHA1(password) User IV + Salt Master key blob key Additional entropy Software E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 30

31 Bypassing the user password cracking If we can t crack the password we need its SHA1 This SHA1 is stored in the hibernate file OWADE use Moonsol to recover it E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 31

32 Bypassing the user password cracking If we can t crack the password we need its SHA1 This SHA1 is stored in the hibernate file OWADE use Moonsol to recover it There is an OWADE plugin for that! E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 31

33 DPAPI additional entropy Software can supply an additional entropy Act as a key (need for decryption) Force us to understand how it is generate for each software Can be used to tie data to a specific machine (i.e Netbios name) E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 32

34 Credential Manager Built on top of DPAPI Handle transparently the encryption and storage of sensitive data Used by Windows, Live Messenger, Remote desktop... E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 33

35 Credstore type of credentials Type of credential Encryption Example of application Generic password DPAPI + fixed string Live messenger HTTP auth (IE) Domain password in clear Netbios Domain certificate hash of certificate Certificate Domain visible password DPAPI + fixed string Remote access.net passport E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 34

36 WiFi data E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 35

37 Wifi data Info stored for each access point Mac address (BSSID) Password (encrypted) Last time of access Wifi data are stored in Registry (XP) XML file and Registry (Vista/7) E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 36

38 Decrypting WiFi password Encrypted with DPAPI Access point shared among users Encrypted with the System account But the system account has no password... What is my DPAPI key??? E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 37

39 Decrypting WiFi password Use a LSASecret as DPAPI key Recovered with Windows Credentials E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 38

40 Where are you? We ve recovered access point keys but where are they? Also found by Sami Kemvar E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 39

41 Where are you? We ve recovered access point keys but where are they? There is an app for that! Also found by Sami Kemvar E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 39

42 HTML5 Geo-location protocol E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 40

43 HTML5 Geo-location protocol E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 40

44 HTML5 Geo-location protocol E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 40

45 Behind the curtain E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 41

46 Nothing is ever easy Google started to restrict queries in June :( Fortunately for us there are other API :) E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 42

47 Geo-location API restrictions Requires 2 MAC close from each other The MAC and IP location need to be close None see for more information E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 43

48 Browsers E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 44

49 Firefox > 3.4 Passwords location: signons.sqlite encryption: 3DES + Master password History URLs: places.sqlite Forms fields: formhistory.sqlite E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 45

50 Decrypting Firefox password pass salt User user key: HMAC-SHA1(salt, pass) key3.db encrypted key master key: 3DES(userkey, enckey) encrypted pass Site password: 3DES (master key, enc pass) signon.sqlite E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 46

51 Shopping at Amazon? E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 47

52 How about a nice kindle? E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 48

53 How about a nice kindle? E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 48

54 Every form field is recorded E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 49

55 Configuring a Linksys? E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 50

56 Again the key is recorded E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 51

57 Form history leak a lot of information Shipping address Wifi key Credit card information Search history E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 52

58 Preventing field recording To tell the browser to not record a field use the tag autocomplete= off E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 53

59 Passwords location: registry encryption: DPAPI + URL as salt History Internet Explorer URLs: Index.dat Forms fields: E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 54

60 Decrypting Internet Explorer passwords SHA1(URL) URL Registry SHA1(URL) URL (dpapi entropy) URL List DPAPI Blob Site password Registry E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 55

61 Passwords location: login data (sqlite) Chrome encryption: DPAPI History URLs: History (sqlite) Forms fields: Web data (sqlite) E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 56

62 Passwords location: keychain.plist Safari encryption: DPAPI + fixed string as entropy History URLs: History.plist (Property list format) Forms fields: Form Value.plist E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 57

63 Browsers takeaway Internet Explorer is the most secure. If you don t know the URL you can t recover the pass Firefox is the worst Passwords encryption not tied to the Windows pass Login are encrypted in signons.sqlite not in formhistory.sqlite E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 58

64 Private mode Most bugs are fixed Requires to be creative SSL OCSP requests File carving Potential techniques Analyze the hibernate file See: for more information on private mode E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 59

65 Instant messaging E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 60

66 Skype Encryption custom Difficulty extreme Location registry + config.xml E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 61

67 Decrypting Skype passwords DPAPI Blob Registry pre-key AES key: SHA1(pre-key) encrypted credential Login pass cracking MD5(login\nskyper\npassword) config.xml E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 62

68 Google Talk Encryption DPAPI + custom (salt) Difficulty Hard Location registry E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 63

69 Salt derivation algorithm overview String: 0xBA0DA71D Windows account name Registry computer Netbios name Registry DPAPI Blob Registry E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 64

70 Microsoft Messenger Encryption DPAPI or Credstore Difficulty Medium Location version dependent E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 65

71 Windows Messenger by version Version Storage encryption 5 Registry Base64 encoded 6 Credstore Credstore 7 Registry x2 DPAPI x 2 Live Credstore Credstore E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 66

72 amsn Encryption DES key: substr(login. dummykey, 8) Difficulty easy Location config.xml E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 67

73 9talk Encryption XOR key: 9 Difficulty trivial Location user.config E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 68

74 Trillian Encryption Base 64 +XOR key: fixed string Difficulty trivial Location user.config E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 69

75 Pidgin Encryption Clear aka encryt-what? Difficulty none Location account.xml E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 70

76 Paltalk Encryption Custom Difficulty difficult (offline) Location registry E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 71

77 Paltalk encryption algorithm VolumeSerial Number Paltalk account name myusername m0y1u2s3e4r5n6a7me x 3 Registry encrypted password ci: yyyzi - asciicode(s-boxn-i) yyyz yyyz yyyz yyyz Registry E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 72

78 Messenger take away If the Skype password is strong you can t recover it Gtalk and Paltalk are the only ones to use computer information 3rd party software are the least secure E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 73

79 Conclusion People moving to the cloud means more data that is harder to get Forensics needs to evolve to cope with this OWADE is the first tool dedicated to cloud forensic Decrypt the 4 major browsers data Decrypt Instant messaging credentials Open-source E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 74

80 Download OWADE Follow-us Donate to OWADE to support it! E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic 75