I’m just back from Lille (France) where the “FIC” or “International Cybersecurity Forum” is being held today and tomorrow. This event is very popular for some people but not technical at all. Basically, you find all the vendors in one big place trying to convince you that their solution, based on blockchain, machine learning and running in the cloud, is the one that you MUST have! Anyway… Besides this mega-vendors party, there is a small event that has been organized in parallel for a few years (I think it was already the 4th edition): “CoRIIN” or, in French, “Conférence sur la réponse aux incidents et l’investigation numérique” (“Conference on incident response and digital investigation”). 400 people registered and came to follow presentations around forensics, investigations, etc. Here is my quick wrap-up as usual!
The conference started with an overview of the WhatsApp application on mobile phones: “L’investigateur, le Smartphone, et l’application WhatsApp” (“The investigator, the smartphone and the WhatsApp application”) by Guénaëlle De Julis. She had the opportunity to investigate a mobile phone and was asked to find data in the WhatsApp application. With the lack of documentation available, she decided to have a look at the application herself. Her talk covered iOS and Android devices. First, Guénaëlle explained how to access the data: some of it is available via backups, some requires root access (jailbreak), depending on what you need to extract. Data is stored in SQLite databases. Once extracted, how to search for juicy information? You can, of course, use one of the many SQLite viewers available, but Guénaëlle decided to use Python with the Pandas library to write powerful queries. Some examples:
- Export messages for a defined period
- Try to find the number of missing messages for a defined period
- Groups: identify members and associated messages
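The three queries above, as an added example that is not Guénaëlle's code: it builds an in-memory SQLite database with a constructed, simplified schema (the real WhatsApp tables have other names and columns) and answers the same three questions. The speaker used Pandas; this version sticks to the standard library `sqlite3` module so it runs without extra packages. The "missing messages" query assumes the message primary key increases with every stored message, so gaps in the id sequence are treated as leads for deleted messages.

```python
import sqlite3

# Constructed, simplified schema for this example. The real WhatsApp databases
# use other table and column names; only the analysis approach carries over.
SCHEMA = """
CREATE TABLE chats (chat_id INTEGER PRIMARY KEY, chat_name TEXT, is_group INTEGER);
CREATE TABLE group_members (chat_id INTEGER, member_jid TEXT);
CREATE TABLE messages (
    msg_id     INTEGER PRIMARY KEY,  -- assumed to increase with every stored message
    chat_id    INTEGER,
    sender_jid TEXT,
    ts         INTEGER,              -- unix epoch seconds
    body       TEXT
);
"""

# Constructed sample rows; ids 3 and 6 are deliberately absent to mimic
# messages deleted from the store.
SAMPLE_MESSAGES = [
    (1, 1, "alice@example.invalid", 1547464800, "hi"),
    (2, 1, "bob@example.invalid",   1547464860, "hello"),
    (4, 1, "alice@example.invalid", 1547551200, "meeting?"),
    (5, 2, "carol@example.invalid", 1547551260, "group ping"),
    (7, 2, "bob@example.invalid",   1547637600, "ack"),
]


def load_sample_db():
    """Build an in-memory SQLite database from the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO chats VALUES (?, ?, ?)",
                     [(1, "alice-bob", 0), (2, "team", 1)])
    conn.executemany("INSERT INTO group_members VALUES (?, ?)",
                     [(2, "alice@example.invalid"), (2, "bob@example.invalid"),
                      (2, "carol@example.invalid")])
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    return conn


def messages_between(conn, start_ts, end_ts):
    """Export every message whose timestamp lies in [start_ts, end_ts]."""
    rows = conn.execute(
        "SELECT msg_id, chat_id, sender_jid, ts, body FROM messages "
        "WHERE ts BETWEEN ? AND ? ORDER BY ts", (start_ts, end_ts))
    keys = ("msg_id", "chat_id", "sender", "ts", "body")
    return [dict(zip(keys, row)) for row in rows]


def missing_message_ids(conn, start_ts, end_ts):
    """Ids absent from the id sequence of the messages stored in the period.

    Heuristic: with a monotonically increasing primary key, a gap usually means
    a message was deleted. Real stores may allocate ids differently, so treat
    the result as a lead, not a proof.
    """
    ids = [r[0] for r in conn.execute(
        "SELECT msg_id FROM messages WHERE ts BETWEEN ? AND ? ORDER BY msg_id",
        (start_ts, end_ts))]
    if not ids:
        return []
    present = set(ids)
    return [i for i in range(ids[0], ids[-1] + 1) if i not in present]


def group_activity(conn, chat_id):
    """Map each member of a group chat to the number of messages they sent."""
    members = [r[0] for r in conn.execute(
        "SELECT member_jid FROM group_members WHERE chat_id = ? ORDER BY member_jid",
        (chat_id,))]
    counts = dict(conn.execute(
        "SELECT sender_jid, COUNT(*) FROM messages WHERE chat_id = ? GROUP BY sender_jid",
        (chat_id,)))
    return {m: counts.get(m, 0) for m in members}


if __name__ == "__main__":
    db = load_sample_db()
    for m in messages_between(db, 1547464800, 1547600000):
        print(m)
    print("missing ids:", missing_message_ids(db, 0, 2_000_000_000))
    print("group 2 activity:", group_activity(db, 2))
```

On a real extraction you would point `sqlite3.connect()` at the copied database file (work on a copy, never the original) and adapt the table and column names after inspecting the schema with `.schema`.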
I don’t have experience with mobile forensics and learned interesting stuff with this first presentation.
Then, Philippe Baumgart and Fahim Hasnaoui presented their point of view regarding investigations in cloud environments. They started by reviewing common issues that organizations face when using the cloud: cloud resources are easy to order (just a credit card is required) and “test” platforms often become production platforms. Welcome to shadow IT! Then, they explained the challenges of collecting information from cloud providers. An interesting point of view: cloud providers offer powerful monitoring tools that can also be used to detect suspicious activities. Example: a peak of traffic on a database server could be related to some data exfiltration! I liked their mention of “intra-cloud” attacks, where people rent virtual machines inside the cloud infrastructure and scan for servers with non-public IP addresses.
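The "peak of traffic on a database server" idea above, as an added example (not the speakers' code): the egress byte counters that cloud monitoring already exports are compared against a rolling baseline, and a window is flagged only when it is both several times the baseline mean and several standard deviations above it. The counter series is constructed for the example; in practice it would come from the provider's metrics API.

```python
from statistics import mean, pstdev

# Constructed sample: bytes sent per 5-minute window by a database host.
# Window 7 is the kind of spike the speakers described; everything else is noise.
SAMPLE_EGRESS = [12_000, 11_500, 13_100, 12_400, 11_900, 12_800, 12_200,
                 95_000, 12_100, 12_600]


def find_egress_peaks(series, window=6, z=3.0, min_ratio=3.0):
    """Flag windows far above the preceding baseline.

    Two gates are combined on purpose: the z-score catches a value that is
    unusual for a very stable host, the ratio gate stops a tiny absolute
    change on a near-constant series from alerting.
    """
    alerts = []
    for i in range(window, len(series)):
        baseline = series[i - window:i]
        mu, sigma = mean(baseline), pstdev(baseline)
        value = series[i]
        ratio = value / mu if mu else float("inf")
        if sigma:
            zscore = (value - mu) / sigma
        else:
            zscore = float("inf") if value > mu else 0.0
        if ratio >= min_ratio and zscore >= z:
            alerts.append({"index": i, "bytes": value,
                           "baseline_mean": round(mu), "ratio": round(ratio, 1)})
    return alerts


if __name__ == "__main__":
    for alert in find_egress_peaks(SAMPLE_EGRESS):
        print("possible exfiltration:", alert)
```

The spike itself pollutes the baseline of the windows that follow it, which is why those windows stay quiet here; a production detector would exclude already-flagged windows from the baseline or use a median-based estimate.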
Then, Sébastien Mériot, head of the OVH CSIRT, came to discuss data leaks and credential stuffing. Data leaks are everywhere and people like to know what has been done with the stolen data. But, according to Sébastien, it’s also interesting to have a look at what happened before the leak. Often, the data leak is not the primary goal of the attackers, it’s an opportunity. Leaked data is not immediately released because passwords are often hashed and salted. Attackers need time to brute-force the password hashes. But, it’s a fact, the time between the leak and the public release tends to shrink due to… the power of GPUs! Password hashes can be cracked very quickly today. Then, the recovered passwords are used for credential stuffing. This means they’re tested against many services. To perform this, there exist tools like:
- Private Keeper
Sébastien explained that OVH, as a major cloud player, is also a good target for credential stuffing. He also explained some counter-measures they implemented, like dynamic forms (that change all the time to prevent automation). From a business point of view, phishers are moving to credential stuffing… many come from Africa.
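Credential stuffing has a recognisable footprint in authentication logs: one client tries many different accounts and most attempts fail, whereas a real user retries one account. The following detector is an added example, not OVH's code; the log format, the sample lines and the thresholds are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data). The first client IP
# walks through many accounts; the second is one user mistyping a password.
SAMPLE_AUTH_LOG = """\
2019-01-22T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2019-01-22T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2019-01-22T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2019-01-22T10:00:04Z ip=203.0.113.7 user=dave result=OK
2019-01-22T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2019-01-22T10:00:06Z ip=203.0.113.7 user=frank result=FAIL
2019-01-22T10:00:07Z ip=203.0.113.7 user=grace result=FAIL
2019-01-22T10:00:08Z ip=203.0.113.7 user=heidi result=FAIL
2019-01-22T10:05:00Z ip=198.51.100.3 user=alice result=FAIL
2019-01-22T10:05:10Z ip=198.51.100.3 user=alice result=FAIL
2019-01-22T10:05:20Z ip=198.51.100.3 user=alice result=OK
"""

# Hypothetical log line layout: timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_auth_log(text):
    """Turn log lines into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_distinct_users=5, min_fail_ratio=0.7):
    """Flag source IPs that test many distinct accounts with mostly failures.

    Returns {ip: stats}; 'accounts_to_review' lists accounts where the
    suspicious source actually logged in, i.e. candidates for a forced reset.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "users": set(), "succeeded": []})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["succeeded"].append(e["user"])

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]),
                           "fail_ratio": ratio,
                           "accounts_to_review": sorted(s["succeeded"])}
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, stats)
```

The distinct-account count is the discriminating signal; a pure failure-count rule would also catch the legitimate user on 198.51.100.3. Attackers spread attempts over many IPs, so in practice the same aggregation is also run per user-agent, per ASN, or per time bucket.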
The next presentation was given by François Normand about Pastebin and all the malicious content that can be found on this service. He reviewed some examples of abuse, like storing malicious code in encoded form. The encoding can vary; XOR can be applied to defeat security controls. It is interesting to keep in mind that attackers use legitimate services to distribute malicious content, and those services are not easy to block.
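When triaging a suspicious paste, the first question is often whether it is a single-byte XOR layer over readable text. The example below is added here and is not the speaker's code: it obfuscates a harmless constructed string with a constructed key, then recovers the key by trying all 256 candidates and keeping the decoding that looks most like text. Scoring is a simple letters-and-spaces heuristic, an assumption that works for text-like payloads and not for binary ones or multi-byte keys.

```python
import string

# Constructed sample: a harmless text string obfuscated with a single-byte XOR
# key, standing in for an encoded paste. The key is only used to build the sample.
_PLAINTEXT = b"constructed sample text for xor triage, not a real payload"
_SAMPLE_KEY = 0x5A
SAMPLE_PASTE = bytes(b ^ _SAMPLE_KEY for b in _PLAINTEXT)

_LETTERS_SPACE = set(string.ascii_letters.encode()) | {0x20}
_PUNCT_DIGITS = set((string.digits + string.punctuation).encode())
_WHITESPACE = {0x09, 0x0A, 0x0D}


def text_score(data):
    """Rough 'looks like text' score: reward letters and spaces, punish control bytes."""
    score = 0
    for b in data:
        if b in _LETTERS_SPACE:
            score += 2
        elif b in _PUNCT_DIGITS:
            score += 1
        elif b in _WHITESPACE:
            pass
        else:
            score -= 5
    return score


def xor_single_byte(data, key):
    """XOR every byte with one key byte (its own inverse, so it also decodes)."""
    return bytes(b ^ key for b in data)


def recover_single_byte_xor(data):
    """Try all 256 keys; return (key, plaintext, score) of the most text-like result."""
    best_key, best_plain = max(
        ((k, xor_single_byte(data, k)) for k in range(256)),
        key=lambda kp: text_score(kp[1]))
    return best_key, best_plain, text_score(best_plain)


if __name__ == "__main__":
    key, plain, score = recover_single_byte_xor(SAMPLE_PASTE)
    print(f"key=0x{key:02x} score={score} text={plain!r}")
```

Key 0 is tried like any other, so unobfuscated input simply comes back unchanged with itself as the best candidate; a low best score is a hint that the paste uses a longer key or an additional encoding layer.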
After the lunch break, “A year hunting in a bamboo forest” was presented by Aranone Zarkan and Sébastien Larinier. Sorry, no information because the presentation was under TLP:Amber.
Giovanni Rattaro came to present his baby: “Tsurugi Linux”. He’s the core developer of this Ubuntu-based Linux distribution dedicated to forensic investigations. It contains a lot of preinstalled tools that speed up the processing of data.
Solal Jacob, from the ANSSI agency, came to present his research: memory analysis of a Cisco router running IOS-XR. This type of router runs a modified version of QNX. Solal explained step by step how he learned the way the platform runs, then how to access the memory to extract it and save it, and finally the framework used to extract artifacts from the memory image. Great research that was not easy to present in only 30 minutes! His framework “Amnesic Sherpa” will be available soon.
After a welcome coffee break, Stéphane Bortzmeyer, from AFNIC, presented “Who’s really the owner of this IP prefix?”. Usually, when you need to learn more about the owner of an IP address, you just use the “whois” command. Easy… but are you confident in the results? Stéphane started with an example: In 1990, the prefix 188.8.131.52/16 was assigned to a company called “Athenix” based in California. It went bankrupt. In 2008, a new company was created, also called “Athenix”, based in Massachusetts. They took over the prefix, easy! The business of IPv4 is growing because, as we are out of addresses, organizations tend to use many techniques to get more IPs. The problem is that techniques exist to authenticate the ownership of prefixes but people don’t use them (for example: RPKI). Conclusion: investigating is easy because the tools are easy, but what is really behind the data? Business relations, etc. I really liked the presentation!
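To make the RPKI point concrete, here is an added example (not from the talk) of the route origin validation logic that RFC 6811 defines: an announced prefix is compared against the set of ROAs (Route Origin Authorizations) that cover it, and the announcement is "valid" only if some covering ROA names the announcing AS and allows that prefix length. The ROA set is constructed for the example; real validators pull it from the RIR repositories.

```python
import ipaddress

# Constructed ROA set (documentation prefixes and private ASNs, not registry data).
# max_length bounds how specific an announcement may be under that ROA.
SAMPLE_ROAS = [
    {"prefix": "203.0.113.0/24",  "max_length": 24, "asn": 64500},
    {"prefix": "198.51.100.0/22", "max_length": 24, "asn": 64501},
    {"prefix": "2001:db8::/32",   "max_length": 48, "asn": 64500},
]


def covering_roas(announced, roas):
    """ROAs whose prefix contains the announced prefix (same address family)."""
    result = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"])
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            result.append(roa)
    return result


def validate_origin(announced_prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'.

    notfound: no ROA covers the prefix (nothing is asserted about it).
    valid:    a covering ROA names this origin AS and permits this prefix length.
    invalid:  ROAs cover the prefix, but none matches AS and length.
    """
    announced = ipaddress.ip_network(announced_prefix, strict=False)
    covering = covering_roas(announced, roas)
    if not covering:
        return "notfound"
    for roa in covering:
        max_len = roa.get("max_length", ipaddress.ip_network(roa["prefix"]).prefixlen)
        if roa["asn"] == origin_asn and announced.prefixlen <= max_len:
            return "valid"
    return "invalid"


if __name__ == "__main__":
    checks = [("203.0.113.0/24", 64500), ("203.0.113.0/24", 64999),
              ("198.51.100.0/25", 64501), ("192.0.2.0/24", 64500)]
    for prefix, asn in checks:
        print(f"{prefix} from AS{asn}: {validate_origin(prefix, asn, SAMPLE_ROAS)}")
```

The "notfound" outcome is what most of the Internet still looks like, and it is exactly the gap the talk points at: without a ROA, a prefix transfer such as the Athenix case leaves nothing cryptographic to check, so the investigator is back to reading whois history and business relations.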
Jean Gautier presented another tool: DFIR-ORC. “ORC” stands for “Outil de Recherche de Compromisation” (“compromise investigation tool”). It’s a tool dedicated to extracting artifacts from a compromised system. Why reinvent a tool? Because it must be reliable, easy to use, with a minimal impact on the examined system, and highly customizable! Some features are really impressive, like using the NTFS MFT to access locked files, volume shadow copies or deleted files’ metadata! Jean explained in detail how the tool works and it deserves to be tested. It is available here.
The last presentation was a return of experience by Mathieu Hartheiser and Maxence Duchet. It was based on a real case where one of their customers was compromised via a vulnerable JunOS Pulse appliance. I expected more technical details but it looked more like a GRC presentation…