Silk Road forums

Discussion => Security => Topic started by: astor on December 31, 2012, 10:17 am

Title: Prototyping Active Disk Antiforensics
Post by: astor on December 31, 2012, 10:17 am
This talk from the recently held 29C3 has a lot of interesting content.

http://mirror.fem-net.de/CCC/29C3/mp4-h264-HQ/29c3-5327-en-writing_a_thumbdrive_from_scratch_h264.mp4  [281 MB]

Prototyping Active Disk Antiforensics

This action-packed lecture presents the inner workings of the author's from-scratch implementation of a USB Mass Storage disk in user-land Python, along with some embarrassing bugs in operating systems that support such disks. The lecture concludes with an introduction to Active Antiforensics, in which a thumbdrive's own firmware can recognize and defend itself against disk imaging and other forensic tools.

USB is a lovely little conduit into the deepest parts of the kernel. Drivers are made to speak complicated protocols in hastily written C, leaving a goldmine of bugs and unexplored behaviors for a crafty attacker to exploit.

This lecture will show how a USB Mass Storage device was implemented from scratch in user-land Python for the Facedancer board. Along the way, we'll take a look at how to abuse a number of bugs in kernels, automounters, filesystems, and forensic utilities, all of which are easily confused.

As an example application of these techniques, the culmination of this lecture presents a prototype disk that actively resists forensics, wiping itself to an innocent state whenever it detects disk imaging, undeletes, access by the wrong operating system, or the presence a write blocker.