Big Galoot Diatribe - The Trojan Defence…the sleeping giant for computer forensics?

June 10th, 2007 Drazen Drazic Posted in Big Galoot Diatribe, Forensics

The rantings of Craig Chapman, Computer Forensics Geek.

A couple of recent cases, including http://www.securityfocus.com/news/11469 in the US, have highlighted malware and trojans as an emerging problem for the computer forensics community, testing the validity of expert evidence and calling into question the practice as a whole.

In this most recent case, problems emerged after a teacher was wrongly convicted following an incident where her classroom PCs became infected with pop-up ads displaying pornographic images. The prosecution alleged that the pop-ups were caused by the teacher's own activity on her PC, relying on expert testimony from a computer forensics detective.

Problems in the case emerged after the defence's computer forensics expert successfully argued that a harmless hairstyling web site had actually redirected the PC's browser to pornographic sites, setting off a chain of offensive pop-up ads (a sub-argument was also presented about access control).

With the benefit of hindsight, this case was perhaps more about poor forensics practice: the investigating detective was apparently not thorough enough.

But it raised a bigger issue: what about really hard-core trojans and malware? How do we prove that malware did not exist on a suspect's system? Recent studies into the problems that malware, trojans and viruses pose for the computer forensics community suggest this problem is not going to go away any time soon.

Highlighting this problem, some conceptual tools developed by Security-Assessment.com and Joanna Rutkowska from www.invisiblethings.org have shown that the ability already exists for malware to defeat 'volatile' memory forensics. Make no mistake, this is a big threat facing computer forensics practice and its ability to withstand rigorous cross-examination in the witness box.

The really big questions facing the computer forensics community right now must be:

- How can the trojan defence be negated? and
- What practices can the corporate world put in place to assist computer forensics?

The nitty-gritty of 'The Trojan Defence' is that we don't know what we don't know. In other words, how do we prove that something (a trojan) didn't exist? The mere possibility of the existence of a trojan may itself be enough for a case to be thrown out, in the absence of any corroborating evidence.

The solution? (Is there any?)

In terms of hard-drive forensics (and even perhaps volatile memory?), the ability exists to make a 'known good' copy of a system prior to its deployment and have it locked away in a safe. In an attempt to negate the trojan or malware defence argument, the 'known good' copy could be dragged out of the safe and compared to the original, and forensically examined for changes to that system. Operating system files, active processes, DLLs and so on could all be mapped and compared against those of the 'known good' system. The comparison only carries evidential weight if the stored copy can itself be shown to be untouched, so the copy (or at least a hash manifest of it) needs its own integrity record and chain of custody from the day it goes into the safe. This practice could also be a really good tool for very quickly detecting what is going wrong with a particular system when the IT Security guys are called in following an 'incident', say, an intrusion where their system became owned or whatever.
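The following is an added example, written for this page rather than taken from the author or from any forensic tool, of the 'known good' comparison described above. It builds a SHA-256 manifest of a deployed tree (the files and their contents are constructed in a temporary directory purely for the demonstration), records a digest of the manifest so that the copy pulled out of the safe can be shown to be the copy that went in, and then reports what was added, removed or modified. The same set comparison applies unchanged to a list of running processes or loaded DLLs keyed by name and hash; the module list in the second demo is constructed sample data, not output from a real system.

```python
"""Known-good baseline: hash a tree, seal the manifest, diff it against the live system later."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative, posix-style path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def manifest_digest(manifest: dict) -> str:
    """Digest over a canonical JSON encoding; write this down when the copy goes into the safe."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def save_manifest(manifest: dict, path: Path) -> str:
    path.write_text(json.dumps(manifest, sort_keys=True, indent=1))
    return manifest_digest(manifest)


def load_manifest(path: Path, expected_digest: str) -> dict:
    """Refuse to use a stored baseline whose digest no longer matches the sealed record."""
    manifest = json.loads(path.read_text())
    if manifest_digest(manifest) != expected_digest:
        raise ValueError("stored baseline does not match its sealed digest")
    return manifest


def diff_inventories(baseline: dict, current: dict) -> dict:
    """Generic comparison of two name->hash inventories (files, processes, loaded DLLs)."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo_files() -> dict:
    """Constructed system tree: seal a baseline, tamper with the tree, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "svc.exe").write_bytes(b"known good service binary")
        (root / "bin" / "helper.dll").write_bytes(b"known good helper library")
        (root / "etc" ).mkdir()
        (root / "etc" / "svc.conf").write_bytes(b"listen=8080\n")

        safe_copy = Path(tmp) / "baseline.json"
        sealed = save_manifest(build_manifest(root), safe_copy)   # goes into the safe

        # Simulated post-deployment changes: one library replaced, one file dropped in.
        (root / "bin" / "helper.dll").write_bytes(b"trojanised helper library")
        (root / "bin" / "ads.dll").write_bytes(b"dropped by something")

        baseline = load_manifest(safe_copy, sealed)   # verified on the way out of the safe
        return diff_inventories(baseline, build_manifest(root))


def demo_modules() -> dict:
    """Constructed loaded-module inventories, keyed by module name with a constructed hash."""
    baseline = {"ntdll.dll": "aa11", "kernel32.dll": "bb22", "wininet.dll": "cc33"}
    current = {"ntdll.dll": "aa11", "kernel32.dll": "bb22", "wininet.dll": "dd44", "x.dll": "ee55"}
    return diff_inventories(baseline, current)


if __name__ == "__main__":
    print(json.dumps(demo_files(), indent=1))
    print(json.dumps(demo_modules(), indent=1))
```

Both demos report `helper.dll`/`wininet.dll` as modified and `ads.dll`/`x.dll` as added, with nothing removed. Note that `load_manifest` rejecting a tampered baseline is the point of sealing the digest: a 'known good' copy that cannot itself be proven unchanged would not survive the cross-examination the post is worried about.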

In reality though, this practice is unlikely to be adopted in the short term. But I'd be very interested to learn if some companies out there are already keeping a secured, 'known good' copy for forensics or IT Security purposes. Has anyone heard of this being done?

Or, perhaps someone has some other ideas about how 'The Trojan Defence' argument can be (relatively expeditiously) negated in a forensic manner?

2 Responses to “Big Galoot Diatribe - The Trojan Defence…the sleeping giant for computer forensics?”

  1. Tried to address this at the larger architectural and conceptual level…. excuse the linkbait.

    Machine and Service Integrity #quoted below#

    What if instead of worrying about compromised services and data in the short term with fingerprints/hashes of binaries and files, we applied the concept of re-use and cycling to the actual services and machines? Think TKIP or perhaps PFS for IPSEC on a macro service and machine scale?

    Think load balanced web servers constantly rebooting from verified images - either sequentially or in some form of complex pre-computed pseudo-random pattern, thus reducing the potential time an attacker had on a box, service or version? I will think more about this, but VMs, load balancing and operational management would require a lot of planning, thought and overhead. Re-use of TCP connections, e.g. TCP multiplexing, is common now in many optimisation products/load balancing offerings.

    If, as some in the industry have, you've thrown the towel in per se, and are more worried about compromise, detection and time to restore a machine to an integral state - then why not take that to its logical conclusion. Almost like a macro level Stackguard and ProPolice in OpenBSD that randomises an offset to the next addressable chunk of memory to make it harder to predict/calculate and reproduce attacks with standard results.

    Let’s limit the conceptual static state of a live machine ( harder for databases and synchronisation though.. ) but an interesting thought nonetheless.

    Maybe you’d need a farm of diskless head-end servers the monkeys would constantly upgrade the OS/App from a bootable set of flash drives etc?

    No one has addressed the issue of micro-time adequately in Information Security, rather intractability and macro-time as a defense! Please correct me if I am wrong here…

  2. It is something that is touched upon in some companies but not to the levels you talk about .. as linked from Ockham’s Razor. That is another level. But back to the basics of what Chappo discussed and you added to:

    Depends upon how the OS is brought up, if I catch your drift and if you catch mine. In practice though, it seems to be forgotten to a certain extent why someone (who left a company a year ago, as an example) decided to do something like this, and with the plethora of security updates it's discarded as an approach to keeping a clean and secure build. Sounds a bit dumb I know... but I have seen it happen. Some even do it because they see the window of opportunity... the smart ones, but most, because they just can't see it altogether.

    This is an approach THAT HAS TO see the light of day... in one way or another. It is about the only thing that shows the light at the end of the tunnel.

    Otherwise, Chappo is right and all that is left for the likes of Chappo is “corroborating evidence”.

    Now you can’t discount this because, to be honest, the field of IT forensics pretty much relies on this NOW to close a case…because it’s too easy for a defence lawyer to throw enough doubt in at present!

    So are we arguing future problems when we know that regardless, IT forensics today are going to be flogged on much simpler grounds in a court and lose?

    Re: Joanna's presentation: she does not consider the "corroborating" evidence component. Such presentations are purely IT focused and few have had input from law enforcement... meaning, to me, they assume some may get off a charge. But that is not the case.
