
CoRIIN 2017

This Monday, January 23, the day before FIC 2017, the third edition of the Conference on Incident Response and Digital Investigation (CoRIIN) was held in Lille. We were there and we're taking this opportunity to report on the day's topics.

Dark0de, analysis of a hacker network

Benoît Dupont, University of Montreal

The dark0de forum was known for harboring seasoned cybercriminals, willing to sell their technical skills or monetize information acquired during their activities. It had gained enough notoriety to attract the attention of security researchers, including Xylit0l and Brian Krebs.

Following the publication of a large amount of information concerning the forum by Xylit0l in 2013 and the closure of the site by the FBI in 2015, the speaker and his team analyzed the accessible data to draw trends and uses of the forum.

The forum operated on an invitation-only basis. Once registered, users had to pass a "job interview" before gaining access to restricted areas of the forum. In practice, analysis showed that the most difficult aspect was finding a sponsor for initial access: the vast majority of accounts already had access to the "privileged" sections.

The analyses also focused on the members' skills, as highlighted in their CVs. These included common programming languages (JavaScript, C/C++) and some less widespread ones (Go). The speaker returned to a point of interest: by "profiling" the members' stated skills, it would be possible to link the identities of cybercriminals present in different communities under various pseudonyms.

In summary, an interesting conference providing a good overview of how communities function underground.

Post-mortem detection of bootkits

By Sébastien Chapiron and Thierry Guignard, ANSSI

A very detailed presentation on the operation of a BIOS system boot chain (UEFI being explicitly outside the scope) and the techniques used by malware to lodge itself in it.

Interest in the subject stems from the challenges of analyzing critical systems for bootkits: since they are installed, by definition, outside the partitioned space of a disk, they can more easily escape analysis.

The speakers present each step of a startup sequence, how malware may lodge itself there, and the possible analysis techniques for trying to uncover malicious code – or more generally, any situation deviating from the norm.

Each of the described analysis methods has been implemented in a complete and extensively documented tool, published under an open-source license on GitHub: https://github.com/ANSSI-FR/bootcode_parser.
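As an added illustration of the post-mortem approach described above (this is example code written for this report, not ANSSI's bootcode_parser, whose real checks and reference data live in the linked repository), the snippet below parses a 512-byte MBR, verifies its structure, compares the SHA-256 of the boot code against a hypothetical allow-list of known-good digests, and reports the unpartitioned gap between the MBR and the first partition, the region a bootkit can occupy. The sample MBR is constructed inline, not taken from a real disk.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_END = 440            # boot code occupies bytes 0..439 of the MBR
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the disk signature
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def parse_partitions(mbr):
    """Return the four MBR partition entries as dicts (type 0 means unused)."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return entries


def bootcode_digest(mbr):
    """SHA-256 of the boot code region, the value compared against known-good samples."""
    return hashlib.sha256(mbr[:BOOTCODE_END]).hexdigest()


def analyze_mbr(mbr, known_good):
    """Check structure and compare the boot code with an allow-list of digests.
    Returns the issues found (empty list = nothing suspicious) and the size of the
    unpartitioned gap after the MBR, which is where a bootkit can stash its code."""
    if len(mbr) != SECTOR:
        return {"issues": ["MBR is %d bytes, expected %d" % (len(mbr), SECTOR)], "gap_sectors": 0}
    issues = []
    if mbr[510:512] != b"\x55\xaa":
        issues.append("missing 0x55AA boot signature")
    if bootcode_digest(mbr) not in known_good:
        issues.append("boot code digest not in allow-list: " + bootcode_digest(mbr))
    used = [p for p in parse_partitions(mbr) if p["type"] != 0]
    for p in used:
        if p["status"] not in (0x00, 0x80):
            issues.append("partition entry with invalid status byte 0x%02x" % p["status"])
    gap = min(p["lba"] for p in used) - 1 if used else 0   # sectors 1..first_lba-1
    return {"issues": issues, "gap_sectors": gap}


def build_sample_mbr():
    """Constructed sample MBR (not from a real disk): one active type-0x07 partition
    at LBA 2048, the usual 1 MiB alignment, leaving 2047 unpartitioned sectors."""
    bootcode = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOTCODE_END, b"\x00")
    disk_sig = b"\x11\x22\x33\x44\x00\x00"   # 4-byte disk signature + 2 reserved bytes
    entry1 = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    return bootcode + disk_sig + entry1 + b"\x00" * 48 + b"\x55\xaa"
```

In an investigation the allow-list would be seeded from the boot code of trusted reference installations, and the reported gap tells the analyst how many sectors outside any partition still need to be inspected.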

Cloud forensics in RAM

By Pierre Veutin and Nicolas Scherrmann, TRACIP

The speakers' topic stems from a general lack of RAM analysis capabilities in the context of digital investigations.

RAM analysis during incident response is now a fairly well-established topic: several tools are actively being developed and provide the ability to search for indicators of known technical compromises (network connections, process hierarchy, process hollowing, etc). In the context of digital investigations, capabilities are more limited. The challenges involve searching for traces left by the use of online services, such as information accessible from an open Gmail session: contact list, email content, instant messaging conversations, etc.

With cloud services becoming increasingly widespread, it's natural that artifacts related to their use are becoming increasingly important in digital investigations. The speakers therefore focused on the most popular services and are actively developing an information analysis and extraction tool. They demonstrated this tool, highlighting artifacts related to document editing in Google Drive: document content, version history, revision marks, comments, and so on.

The conference highlights the extent to which online services generate significant traces for digital investigations, and the complexity of the developments needed to properly extract usable information from them.

Blockchain Investigations

By Stéphane Bortzmeyer, AFNIC

The speaker begins by recalling the basics of digital investigation: namely, always seeking to assess the level of trust that can be placed in a source (in this case, exploration services such as blockchain.info) and being aware of the information you are transmitting to a third party who may not be trusted. The best solution is to perform all processing locally; in the case of Bitcoin, it is simply necessary to keep some disk space aside (approximately 100 GB in January 2017).

The speaker then reminds us that Bitcoin is not a truly anonymous currency, and that it is possible, for example, to link a wallet to the identity of a person if the latter has carried out transactions from a marketplace that knows their true identity (to exchange Bitcoins for/from "physical" currencies).

The speaker then presents an overview of the techniques used to obscure investigations into these types of transactions, which are ultimately quite similar to those used to launder "physical" money: dividing a sum, going through several intermediaries, conversions into different currencies…

3D printing, counterfeiting and organized crime

Garance Mathias, Mathias Lawyers

This conference takes a break from the technical aspects. The speaker presents the legal impact of 3D printers… which, in the end, isn't as significant as one might think. Copying three-dimensional forms is covered by copyright law as well as industrial property law. It's also likely that the right to private copying applies, provided the "copier" obtained the digital 3D model legally.

The conference then shifted to the crime of counterfeiting itself. The collective unconscious tends to consider it a minor offense, whereas it is largely linked to organized crime and has a very significant global financial impact, according to the OECD.

Legal action concerning counterfeiting can be pursued in civil or criminal court, but these approaches are mutually exclusive. Victims tend to opt for civil proceedings due to the generally higher compensation awarded to them, rather than the risk of a harsher sentence for the counterfeiter.

A look back at the techniques of the FIN7 group

By David Grout, FireEye

The conference presents the conclusions of FireEye analysts following two years of observation and investigation into a group of cybercriminals, named "FIN7" for their operations concentrated around the financial sector.

The attack pattern is fairly classic: the actors do not use zero-day exploits, but rather spear-phishing relying on Office documents with malicious macros. Once a victim has been infected, they deploy additional tools like Cobalt Strike to ensure persistence, and spread throughout the network until they find the targeted information.

In short, this serves as a reminder that even organized cybercriminal groups rely on classic attack techniques and widely available tools. And by extension, basic defense measures are sufficient to counter threats that could be classified as APTs.

RAM & DISK EFI Dumper

By Solal Jacob, ArxSys

The final conference of the day presented feedback on a digital investigation conducted on a convertible tablet. The device had a BitLocker-encrypted partition relying exclusively on the TPM chip, therefore without a pre-boot password.

Since the computer could be booted this way, the BitLocker encryption keys were therefore somewhere in memory… but accessing them was another matter. Analysts had considered methods such as cold-boot, or direct access to memory offered by FireWire or Thunderbolt ports. But in practice, the RAM chips were soldered to the motherboard and the tablet's connectivity was limited and did not offer the interfaces necessary for "DMA" attacks.

The solution came from UEFI, which was already in place on the device. UEFI environments are very feature-rich and notably include an interactive shell, for which it is possible to develop and run programs. The UEFI execution environment inherently has privileged access to the hardware layer, and the speaker was able to obtain a complete copy of the RAM and hard drive through specially designed UEFI programs.