Digital Forensics Lecture 9: Binary Analysis (NMT Computer Science)

Upload: phamcong

Post on 29-May-2018



0011 0010 1010 1101 0001 0100 1011

Digital Forensics Lecture 9

Binary Analysis


This Week’s Presentations

• Joshua Prusak: Tools for Binary Analysis
• Sage LaTorra: Detection of Malicious Code
• Rodrigo Lopes: Reverse Engineering
• Chad Cravens: Encrypted Binaries (EC)


Next Week Presentations

• Mayurie Shakamuri: Forensic Certifications
• Unnati Thakore: Risk Analysis for Evidence Collection
• Jim Curry: Non-IT Parents’ Ability to Investigate their Child’s Behavior (EC)
• Kelcey Tietjen: EnCase Forensic Toolkit (EC)
• Maggie Castillo: Sleuth Kit Forensic Toolkit (EC)
• Rodrigo Lopes: Paraben Forensic Toolkit (EC)


News Item

• Data Stolen From 2,300 British Computers Found in The United (11 October 2006)

• Microsoft Issues Ten Bulletins on Patch Tuesday (12 & 10 October 2006)

• Cyber Thief Steals Data on Brock University Donors (12 October 2006)

• More Than Half of Higher Education Institutions Surveyed had Security Breaches Last Year (10 October 2006)

Source: SANS NewsBites


Lecture Overview

• Motivation
• What is Binary Analysis?
• Where does it fit in DF?
• How is it done?
• What are some of the tools?
• What are some of the gaps?

[Diagram: the digital forensics process. Legal/Policy; Preparation, Collection, Analysis, Findings/Evidence; Reporting/Action]


Motivation for Binary Analysis

• Measure and mitigate potential impacts
• Understand and mitigate malicious code
• Understand adversarial motivation
• Testing of high consequence systems
• Interoperability testing
• Failure and fault analysis
• What else?


Module 1

What is Binary Analysis?


Binary Analysis

• Analysis of binary data
• Analysis of executables
• Can be performed on live or dead systems


Module 2

Where Does Binary Analysis Fit?


Characteristics

• This is an expert activity
• Expensive for a corporation to maintain
• Both an art and a science
• Very tool intensive
• Becoming more difficult to accomplish


When to Use It?

• Triggered by routine observation
• Based on a suspicion
• Preemptive analysis


Module 3

How it’s Done


Binary Analysis

• Description of the forensics time-line
• Analysis goals
• Description of typical analysis techniques


Type of Data to Collect

• User Data
  – Documents, email, images, encrypted files
• System Data
  – Files from OS directory, registry entries, services
• Network Data
  – Network traffic related to the system in question
• Execution information (most difficult)
  – Behavior


Tools

• Debuggers
  – OllyDbg, etc.
• Disassemblers
  – IDA Pro, etc.
• Binary editors
  – Hex Workshop, etc.
• Utilities
  – Libraries, Development, Network, Misc.
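A scripted static triage pass of the kind an analyst runs on a collected executable before opening it in a debugger or disassembler, added here as an example; it is not from the lecture and not part of any tool named above. It identifies the format from magic bytes, decodes the ELF file header (32- or 64-bit, either endianness), hashes the file for the evidence record and extracts printable strings. The sample ELF bytes are constructed inline and are not a real program; the magic, type and machine tables are a small illustrative subset.

```python
"""Static triage of an executable: file-type identification, ELF header
decoding, hashing and string extraction. Added example; the sample binary
built below is constructed for illustration, not a real program."""
import hashlib
import struct

# Leading magic bytes for a few executable formats (illustrative subset).
MAGICS = {
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
}
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def identify(data: bytes) -> str:
    """Coarse file type from the leading magic bytes."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def parse_elf_header(data: bytes):
    """Decode the ELF file header; None if the bytes are not a complete one."""
    if not data.startswith(b"\x7fELF") or len(data) < 16:
        return None
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None:
        return None
    # Field layout after the 16-byte e_ident block, per the ELF specification.
    if ei_class == 2:        # ELFCLASS64: entry/phoff/shoff are 8 bytes
        fmt = endian + "HHIQQQIHHHHHH"
    elif ei_class == 1:      # ELFCLASS32: entry/phoff/shoff are 4 bytes
        fmt = endian + "HHIIIIIHHHHHH"
    else:
        return None
    if len(data) < 16 + struct.calcsize(fmt):
        return None
    (e_type, e_machine, _version, e_entry, e_phoff, e_shoff, _flags,
     _ehsize, _phentsize, e_phnum, _shentsize, e_shnum,
     _shstrndx) = struct.unpack_from(fmt, data, 16)
    return {
        "class": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "e_type": E_TYPES.get(e_type, f"unknown({e_type})"),
        "e_machine": E_MACHINES.get(e_machine, f"unknown({e_machine})"),
        "e_entry": e_entry,
        "e_phoff": e_phoff, "e_phnum": e_phnum,
        "e_shoff": e_shoff, "e_shnum": e_shnum,
    }


def extract_strings(data: bytes, min_len: int = 4):
    """Runs of at least min_len printable ASCII bytes, like strings(1)."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def triage(data: bytes) -> dict:
    """One report per file: type, hashes for the evidence record, header, strings."""
    return {
        "type": identify(data),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "header": parse_elf_header(data),
        "strings": extract_strings(data),
    }


def build_sample_elf() -> bytes:
    """Constructed sample: an ELF64 x86-64 EXEC header followed by a few
    payload bytes. Enough to triage, not a runnable program."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    header = struct.pack("<HHIQQQIHHHHHH",
                         2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 0, 64, 0, 0)
    payload = (bytes(16) + b"/lib64/ld-linux-x86-64.so.2\x00"
               + b"Hello, analyst!\x00" + b"ab\x00")
    return e_ident + header + payload


if __name__ == "__main__":
    for key, value in triage(build_sample_elf()).items():
        print(f"{key}: {value}")
```

The SHA-256 is what goes into the collection record so later analysis can be tied back to the exact bytes collected; the entry point, header layout and strings (library names, messages, paths) tell the analyst where to begin when the file is loaded into a disassembler or debugger.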


OllyDbg


IDA Pro


Module 4

Gaps


Gaps

• What are the difficult problems?
  – Technology advancement
  – System complexity
• Legal “understanding” of this domain
• Lack of experts
• Lack of communication among corporations


Questions?

After all, you are an investigator