Forensic Analysis of MySQL DB Systems
Marcel Niefindt | SANS DFIR Prague 2014
Prague, 05.10.2014


whoami

Abstract

Marcel Niefindt

28 years old

M.Sc. in Security Management

Profession

Information Security Officer

Security Consultant

Lecturer

IT-Security Speaker

Security Focus

Network & Web-App Security

Database Forensics

Threat Modeling

ISMS


What you will get


What you will miss


Road map


MySQL Basics

A defined post-mortem process (with hints & tips)

Useful artefacts

References to other cool MySQL forensics projects

Your chance to get involved in a nice project

MySQL Basics

Relational database model: Codd, late 1960s / 1970

Usually structured as a 5-layer model

IBM prototype „System R“; 5-layer model described by Härder (1987)

based on an idea of Senko (1973, IBM Systems Journal Vol. 12, Iss. 1)

Basic System

(Figure: layers from the bottom up) Operating System > Database System > Database > Table > Data

5-Layer Model

DB Application: website with SQL statements, connector to MySQL

Connection Manager: session management

Query Processing: query cache, parser, security manager, optimizer, execution engine

Storage Engines: MyISAM / InnoDB, transaction management, recovery management

File System / Main Storage

(„MySQL 5.6: Das umfassende Handbuch“, Pröll et al., 2013, p. 154)

Forensic Methods

Post-mortem analysis

Live analysis

Hybrid analysis

Taking candy from a baby vs. heart surgery

Post-Mortem Process

There are many defined post-mortem processes, e.g.

„SQL Server Forensic Analysis“, by Kevvie Fowler

„Computer Forensik“, by Alexander Geschonneck

I compared them and defined my own

Preparation > Verification > Analysis > Evaluation > Rework

Preparation

Verification

Without verification it could cost you a lot of money

Time is money; you may save a lot of time

The results of this phase give you an approach for the rest of the process

Results

Plausibility

Is it urgent?

Do we need an incident response process?

How many systems are involved?

What will be our further process?

Analysis

System time

(http://www.hgst.com, Accessed 02.10.2014)

System time – Example Firefox

Firefox saves preferences, visited websites etc. in the profile directory:
C:\Users\Johnny Cash\AppData\Roaming\Mozilla\Firefox\Profiles\eyv1b2pj.default

The Firefox add-on SQLite Manager helps to read the records (cookies.sqlite, places.sqlite) via SQL statements:

SELECT host, datetime(lastAccessed/1000000, 'unixepoch') FROM moz_cookies ORDER BY lastAccessed

(lastAccessed is stored in microseconds since the Unix epoch, hence the division by 1,000,000; an attacker-controlled system clock shifts every such timestamp, which is why the system time is checked first.)

MAC Times

find /home \( -ctime -1 -o -atime -1 -o -mtime -1 \) -printf "%p;%Tx;%TT;%Ax;%AT;%Cx;%CT;\n" >> mac_time.txt

(-1 selects timestamps within the last 24 hours; -o joins the three tests with OR, so a file is listed if any of its MAC times changed in that window. With plain "1" and no -o, find would only list files whose three timestamps all fall between 24 and 48 hours ago.)

Run it against:

/var/lib/mysql

/var/log/apache2

/var/log

/home

/root

/

Log Files

Apache log files

MySQL log files

auth.log

dmesg

kern.log

udev

syslog

Query Cache

Optimization of response time

Stores SQL statements as hash values: not so useful

Statistical values could be useful: Qcache_hits, Qcache_not_cached, ...

If the attacker adds SQL_NO_CACHE to the statement, the statement is not cached and leaves no trace there

(„MySQL 5.6: Das umfassende Handbuch“, Pröll et al., 2013, p. 154)

RAM

(Figure: hex dump of a memory image showing the pattern m.y.s.q.l)

DB structure

/var/lib/mysql/<database>/

Table definitions end with .frm

If the option innodb_file_per_table is active (default since MySQL 5.6)

InnoDB tables have a second file, .ibd

MyISAM tables have .MYD (data) and .MYI (index)

MEMORY tables only have .frm (data is stored in RAM)

What if innodb_file_per_table is not active? Then all InnoDB table data lives in the shared tablespace ibdata1.

DB structure reconstruction example (.frm file)

Offset 0x03 describes the storage engine: 0x09 == MyISAM, 0x0C == InnoDB, 0x06 == MEMORY

More values in the source code: sql/handler.h, lines 374–397 (revision 5585), enum „legacy_db_type“

(„InnoDB Database Forensics“, Frühwirt et al., 2010, p. 2)

Information about the references (keys) starts at 0x1000: 0x1001 == column in table, 0x1002 == number of keys, 0x1018 == 7 bytes with the type of key (PK / FK)

(„InnoDB Database Forensics“, Frühwirt et al., 2010, p. 3)

Information about the columns is defined between 0x2100 and EOF

0x2102 holds 2 bytes with the number of fields (columns) in the table

The column type definitions do not have a fixed starting point

So let's do some math...

Each column is defined within 17 bytes

At EOF you find the column names

Column names are separated by the value 0xFF

start = EOF - (read(0x2102) * find(0xFF) + 1) - 17 byte * read(0x2102)

i.e. skip the names block (read(0x2102) names plus one extra 0xFF separator) from EOF, then go back 17 bytes per column.

Offset 0x0D within a 17-byte field defines the column type

include/mysql_com.h has all values: enum „enum_field_types“, lines 369–392

(„InnoDB Database Forensics“, Frühwirt et al., 2010, p. 4ff)
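The offset arithmetic above, carried through in code. This is an added example and not the talk's frm_parser.py: it reads a .frm-like image using only the offsets the slides name (0x03 engine byte, 0x1002 key count, 0x2102 field count, 17-byte column definitions with the type at 0x0D, 0xFF-separated names at EOF). The image produced by build_frm() is constructed for illustration and is not a real .frm file; the 1-byte width of the key count and the 2-byte little-endian field count are assumptions, and real files carry structures the slides do not cover.

```python
"""Parse a .frm-like image using only the offsets quoted on the slides.

Added example, not the talk's frm_parser.py. The image built by build_frm() is
CONSTRUCTED: real .frm files carry more structures than modelled here, and the
widths of the key count (1 byte) and field count (2 bytes, little-endian) are
assumptions.
"""
import struct

# legacy_db_type values (sql/handler.h) quoted on the slide
ENGINES = {0x06: "MEMORY", 0x09: "MyISAM", 0x0C: "InnoDB"}

# enum_field_types values from include/mysql_com.h (subset)
FIELD_TYPES = {
    0: "DECIMAL", 1: "TINY", 2: "SHORT", 3: "LONG", 4: "FLOAT", 5: "DOUBLE",
    7: "TIMESTAMP", 8: "LONGLONG", 9: "INT24", 10: "DATE", 11: "TIME",
    12: "DATETIME", 13: "YEAR", 15: "VARCHAR", 16: "BIT", 246: "NEWDECIMAL",
    247: "ENUM", 248: "SET", 252: "BLOB", 253: "VAR_STRING", 254: "STRING",
}

OFF_ENGINE = 0x03         # storage engine byte
OFF_KEY_COUNT = 0x1002    # number of keys (1 byte assumed)
OFF_FIELD_COUNT = 0x2102  # 2 bytes: number of columns
COL_DEF_LEN = 17          # bytes per column definition
COL_TYPE_OFF = 0x0D       # type byte inside one column definition
NAME_SEP = b"\xff"        # separator around the column names at EOF


def build_frm(engine, n_keys, columns):
    """Construct a synthetic .frm-like image from (name, type_byte) pairs."""
    buf = bytearray(OFF_FIELD_COUNT + 2)   # zero padding through the field count
    buf[OFF_ENGINE] = engine
    buf[OFF_KEY_COUNT] = n_keys
    struct.pack_into("<H", buf, OFF_FIELD_COUNT, len(columns))
    for _name, type_byte in columns:       # n column definitions, 17 bytes each
        col = bytearray(COL_DEF_LEN)
        col[COL_TYPE_OFF] = type_byte
        buf += col
    buf += NAME_SEP                        # names block: FF name FF name FF ... FF
    for name, _type_byte in columns:
        buf += name.encode("ascii") + NAME_SEP
    return bytes(buf)


def parse_frm(buf):
    """Recover engine, key count and (name, type) of every column."""
    engine_byte = buf[OFF_ENGINE]
    engine = ENGINES.get(engine_byte, "unknown(0x%02x)" % engine_byte)
    n_keys = buf[OFF_KEY_COUNT]
    (n_cols,) = struct.unpack_from("<H", buf, OFF_FIELD_COUNT)

    # n column names at EOF need n+1 FF separators: walk backwards from EOF
    # until the (n+1)-th FF is found; that is where the names block starts.
    pos = len(buf)
    seen = 0
    while seen <= n_cols:
        pos -= 1
        if buf[pos] == NAME_SEP[0]:
            seen += 1
    names_start = pos
    names = [n.decode("ascii") for n in buf[names_start + 1:-1].split(NAME_SEP)]

    # the slide's formula: start = EOF - names block - 17 byte * read(0x2102)
    defs_start = names_start - COL_DEF_LEN * n_cols
    columns = []
    for i in range(n_cols):
        type_byte = buf[defs_start + i * COL_DEF_LEN + COL_TYPE_OFF]
        columns.append((names[i], FIELD_TYPES.get(type_byte, "unknown(%d)" % type_byte)))
    return {"engine": engine, "keys": n_keys, "columns": columns}


# Constructed sample: an InnoDB table with one key and three columns.
SAMPLE_FRM = build_frm(0x0C, 1, [("id", 3), ("name", 15), ("created", 12)])


def demo():
    return parse_frm(SAMPLE_FRM)


if __name__ == "__main__":
    print(demo())
```

Walking backwards from EOF is what makes the column block locatable without a fixed start offset: the names block length is only known once the (n+1)-th separator has been counted, and 17 * n bytes before it is where the type bytes begin.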

Reconstruction of SQL manipulation statements

Manipulation statements are INSERT, UPDATE, DELETE

Just look in /home/<someUser>/.mysql_history

How easy is that, right?

Normal users have access rights to it, so they can edit or delete their own history; it is not a trustworthy source.

Use these log files instead:

/var/lib/mysql/ib_logfile0

/var/lib/mysql/ib_logfile1

/var/lib/mysql/ibdata1

„InnoDB Database Forensics: Reconstructing Data Manipulation Queries from Redo Logs“ by Frühwirt et al., 2012

The ib_logfileX (redo log) structure

(„InnoDB Database Forensics: Reconstructing Data Manipulation Queries from Redo Logs“, Frühwirt et al., 2012, p. 2 ff)

Beware! The log block body is not laid out as consistently as the log block header or the .frm files

It depends on the storage engine AND the manipulation statement

Update / Delete == mlog_undo_insert entries (the entry starts with the type byte 0x14)

Insert == mlog_comp_rec_insert entries (starts with the type byte 0x26)

Beware²! If there is only one entry for a page, the type byte is OR-ed with the flag mlog_single_rec_flag (0x80)

So the entry would start with 0x94, not 0x14

All log entry types are defined in storage/innobase/include/mtr0mtr.h (lines 65–189)
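The two "Beware" points above in code: an added example, not the talk's iblogfile_parser.py. It splits a redo log record stream on the type byte, strips MLOG_SINGLE_REC_FLAG (0x80) before looking the type up, and maps 0x14 / 0x26 to the statement classes the slides assign them. The sample byte stream is constructed, not captured from a real ib_logfile; its framing (type byte, compressed space id, compressed page number, 2-byte length, payload) matches InnoDB's MLOG_UNDO_INSERT layout but is only an assumption for the other record types, adopted so the sample stays parseable. The compressed-integer decoder follows InnoDB's mach_read_compressed(); the undo record kinds (11..14) and the low-4-bit mask are taken from trx0rec.h.

```python
"""Classify InnoDB redo log records by their type byte.

Added example, not the talk's iblogfile_parser.py. SAMPLE below is CONSTRUCTED:
each record is type byte, compressed space id, compressed page number,
2-byte big-endian length and payload. That framing matches MLOG_UNDO_INSERT;
for the other types it is an assumption made to keep the sample parseable.
MLOG_MULTI_REC_END is a single byte.
"""

# Record types from storage/innobase/include/mtr0mtr.h (subset)
MLOG_UNDO_INSERT = 0x14
MLOG_MULTI_REC_END = 0x1F
MLOG_COMP_REC_INSERT = 0x26
MLOG_SINGLE_REC_FLAG = 0x80          # OR-ed into the type byte: 0x14 -> 0x94
MLOG_NAMES = {
    MLOG_UNDO_INSERT: "MLOG_UNDO_INSERT",
    MLOG_MULTI_REC_END: "MLOG_MULTI_REC_END",
    MLOG_COMP_REC_INSERT: "MLOG_COMP_REC_INSERT",
}
# Statement class the slides attribute to each record type
STATEMENT_CLASS = {MLOG_UNDO_INSERT: "UPDATE/DELETE", MLOG_COMP_REC_INSERT: "INSERT"}

# Undo record kinds (trx0rec.h): low 4 bits of the undo record's first byte
UNDO_KINDS = {11: "INSERT", 12: "UPDATE existing", 13: "UPDATE delete-marked", 14: "DELETE MARK"}


def read_compressed(buf, pos):
    """InnoDB mach_read_compressed(): 1- to 5-byte big-endian varint."""
    b = buf[pos]
    if b < 0x80:
        return b, pos + 1
    if b < 0xC0:
        return ((b & 0x3F) << 8) | buf[pos + 1], pos + 2
    if b < 0xE0:
        return ((b & 0x1F) << 16) | int.from_bytes(buf[pos + 1:pos + 3], "big"), pos + 3
    if b < 0xF0:
        return ((b & 0x0F) << 24) | int.from_bytes(buf[pos + 1:pos + 4], "big"), pos + 4
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5


def parse_records(buf):
    """Split the stream into records; strip MLOG_SINGLE_REC_FLAG before lookup."""
    records, pos = [], 0
    while pos < len(buf):
        raw = buf[pos]
        pos += 1
        mtype = raw & 0x7F                       # 0x94 -> 0x14
        rec = {
            "type": MLOG_NAMES.get(mtype, "MLOG_%#x" % mtype),
            "single_rec": bool(raw & MLOG_SINGLE_REC_FLAG),
            "statement": STATEMENT_CLASS.get(mtype),
        }
        if mtype == MLOG_MULTI_REC_END:          # one byte, no space/page header
            records.append(rec)
            continue
        rec["space"], pos = read_compressed(buf, pos)
        rec["page"], pos = read_compressed(buf, pos)
        length = int.from_bytes(buf[pos:pos + 2], "big")
        pos += 2
        payload = buf[pos:pos + length]
        pos += length
        rec["payload"] = payload
        if mtype == MLOG_UNDO_INSERT and payload:
            rec["undo_kind"] = UNDO_KINDS.get(payload[0] & 0x0F, "unknown")
        records.append(rec)
    return records


# Constructed sample stream (not captured from a real ib_logfile):
SAMPLE = bytes([
    0x94, 0x00, 0x03, 0x00, 0x03, 0x0C, 0x01, 0x02,   # UNDO_INSERT|single, space 0, page 3, undo kind 12
    0x26, 0x05, 0x81, 0x2C, 0x00, 0x02, 0xAA, 0xBB,   # COMP_REC_INSERT, space 5, page 300 (0x81 0x2C)
    0x14, 0x00, 0x03, 0x00, 0x01, 0x0E,               # UNDO_INSERT, undo kind 14 (delete mark)
    0x1F,                                             # MULTI_REC_END closes the mini-transaction
])


def demo():
    return parse_records(SAMPLE)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

A parser that compares the raw byte against 0x14 would skip the first record entirely and then mis-align on its space id; masking with 0x7F before the lookup is the whole fix.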


Python will do it for you

frm_parser.py: reconstructs the database structure by parsing the .frm files

iblogfile_parser.py: reconstructs the SQL manipulation statements from ib_logfile(0|1) and ibdata1

Scripts are available at https://github.com/KasperFridolin/mysql_forensics

Unfortunately not ready for productive use yet; let's say it is a prototype with a lot of "challenges"

(Figure: frm_parser.py reads Table1.frm ... Table4.frm from /var/lib/mysql/<database>/ and decodes the type bytes of each)

(Figure: iblogfile_parser.py reads ib_logfile0, ib_logfile1 and ibdata1 from /var/lib/mysql/)

Evaluation

From single pieces of information to the meta level

(Figure: example timeline of 16.12.2010, 09:30 to 15:00, inbox and outbox)

09:57 From [email protected]: Holiday over?!

10:00 Re: Holiday over?! To [email protected]

10:02 From [email protected]: Holiday over?!

10:29 Re: Holiday over?! To [email protected]

10:48 From [email protected]: Please process

10:55 Re: Please process To [email protected]

11:03 From [email protected]: Lunch

11:04 Re: Lunch To [email protected]

11:58 From [email protected]: Please process

13:34 From [email protected]: Please process

13:37 Re: Please process To [email protected]

13:39 From [email protected]: Please process

13:45 Fw: Please process To [email protected]

14:40 Re: Holiday over?! To [email protected]

14:41 Re: Holiday over?! To [email protected]

Do your report!

Rework

„After the game is before the game“ (Sepp Herberger)

Motivation!

What's up next?

Get involved!

Reverse engineering

Code review

Implementation of new features (or bugs)

Shift bugs into features

Chatting about other cool forensic stuff

And so on

Thank you for your kind attention!