Theater Hall - E.T.I. (HiP main stage)

Finding (state) malware: methods and tools for civil forensic analysis

HIP - Track 1 - Room 5
Not only since the Pegasus Project, which exposed the surveillance of numerous activists, journalists and opposition figures by the NSO Group's Pegasus state malware, has state malware posed a threat to the privacy of those affected and their contacts. In order to make such attacks visible and provable, analyses are needed using methods and tools similar to those used by security agencies, but which should be open source and adhere to the ethical standards of consensual forensics. In our workshop we want to give an overview of which approaches, methods and tools are suitable for these analyses, how to best perform forensic data extraction in a civilian context, and which tools and scripts we have developed ourselves. We all work in civil forensics ourselves and want to share our experiences on what has worked for us and what has not. The presented tools are of course not only suitable for the search for state malware, but also for any other malware such as stalkerware or ransomware.

Topics and tools we present are:

* Collecting data:
  * Android/iOS: Mobile Verification Toolkit (MVT), android-qf
  * HDD/SSD image: guymager
  * Windows/Mac: pc-qf
* Evaluating data:
  * Indicator of Compromise (IoC) management (MISP)
  * Mobile Verification Toolkit (MVT)
  * Sysdiagnosis exports: analyzing processes
  * PCAP evaluation (TinyCheck)
  * Linking of data, creation of timelines

For these steps and for typical attack patterns we explain reasonable approaches and what has proven itself in our work.

Additional information

Live Stream https://streaming.media.ccc.de/jev22/hip1
Type Talk/panel 75 min + 10 min Q&A (85 Minuten)
Language English
