REMnux tutorial-2: Extraction and decoding of Artifacts

REMnux Tutorial-2: Extraction
and Decoding Artifacts
Rhydham Joshi
M.S. in Software Engineering, San Jose State University
Phone : (+1) 408-987-1991 | Email : rhydham.joshi@yahoo.com
Blog : malwareforensics1.blogspot.com | Linkedin : www.linkedin.com/in/rhydhamjoshi

Contents:
• REMnux:
• Introduction to REMnux
• Artifacts:
• Malwares and Artifacts
• Deobfuscate and String extraction:
• unXOR
• XORSearch
• XORStrings
• xorBruteForcer
• brutexor
• xortool
• NoMoreXor
• Forensics investigation practices:
• Forensically Imaging a drive
• Dcfldd
• Forensics and file carving:
• Foremost
• Scalpel
• Bulk_extractor
• hachoir
• References

REMnux: A Linux Toolkit for Reverse-Engineering and
Analyzing Malware
• REMnux is a free, lightweight Linux (Ubuntu distribution) toolkit for reverse-engineering
malicious software.
• REMnux provides the collection of some of the most common and effective tools used for reverse
engineering malwares in categories like:
1) Investigate Linux malwares
2) Statically analyze windows executable file
3) Examine File properties and contents
4) Multiple sample processing
5) Memory Snapshot Examination
6) Extract and decode artifacts
7) Examine Documents
8) Browser Malware Examination
9) Network utilities
• For more information about REMnux, please visit my blog at:
http://malwareforensics1.blogspot.com/2015/04/the-power-of-remnux-linux-toolkit-for.html

Artifacts:
• Artifact is something observed in a scientific investigation or experiment that is not naturally
present but occurs as a result of the preparative or investigative procedure.
• Malwares usually embed themselves with USB devices, malicious JavaScript in HTML pages, a
SQL injection attack, email attachment, PDF files, Document files, images etc.
• Malwares exhibits variety of behavior by thoroughly examining the system. I have listed some
of the malware anomalies.
Malware Anomalies:
• Rogue Processes
• Unknown services
• Code injection and root kit behavior
• Unusual OS artifacts
• Suspicious network activity
• Evidence of persistence
• For more information about REMnux, please visit my blog at:
http://malwareforensics1.blogspot.com/2015/04/the-power-of-remnux-linux-toolkit-for.html

Deobfuscate and String extraction:-> unXOR
• unXOR try guessing keys until the known-plaintext is found. It requires
either key or plaintext argument to keep guessing the keys

Deobfuscate and String extraction:-> xorsearch

• XORStrings is best described as the combination of my XORSearch tool
and the well-known strings command.
• XORStrings will search for strings in the (binary) file , using the same
encodings as XORSearch (XOR, ROL, ROT and SHIFT).
• For every encoding/key, XORStrings will search for strings and report the
number of strings found, the average string length and the maximum
string length.
• Common used words : “HTML”, “This program” & “DOS”
Deobfuscate and String extraction:-> xorsearch

Deobfuscate and String extraction:-> xorstrings

• xorBruteForcer decodes contents of a given file using all possible 1-byte XOR key
values. The output of the tool contains lots of noise, xorBruteForcer shows potential
string values
for all possible
1-byte XOR
key values.
• Now, we can
use –k key
to reduce
noise
Deobfuscate and String extraction:-> xorBruteForcer

• Brutexor brute-forces all possible 1-byte
XOR key values and examines the file for
strings that might have been encoded
with these keys.
• The brutexor tool provides a handy way
to brute-force simple XOR keys without
looking for any particular string.
• Brutexor shows ASCII data located
between null bytes ("x00") by default.
• Brutexor is very handy provided we know
the key found using other tools like,
xorsearch, xorstring, xorBruteForcer etc.
• It could do brutexor for full file too using
–f option.
Deobfuscate and String extraction:-> brutexor

• Xortool is very useful in
determining key length and
in certain cases encrypted
key too.
• Here I have used xor.py
program to encrypt one
pdf file.
• Xortool returns the key
length
• By proper combinations or by
using trail and error method,
(usually 00 for text and 20 for
doc), we can even extract
exact key
Deobfuscate and String extraction:-> xortool

• NoMoreXOR attempts to guess XOR 256-byte long XOR key values.
• It uses Yara signatures to determine whether a potential key value worked:
• If the decoded content matches one of the signatures in you file, then probably
the key was guessed correctly.
• In that case, the tool deobfuscates
corresponding contents and
extracts them from the original file.
• NoMoreXOR extracted the deobfuscated
contents into the files named
filename.0.unxored that could be
further examined.
Deobfuscate and String extraction:-> NoMoreXor

• Forensic investigators often used to investigate
devices like compact disk, hard disk, USB, etc.
• The first step is to perform forensic imaging of the drive
start the investigation on them insuring no harm
or any type of modification to evidence.
• Make sure to use Write Blocker to perform imagining.
• Since Linux is dominantly used for performing Investigations.
I would be focusing on doing forensic imaging using Linux.
• “Recoverjpeg”, “Foremost”, “Scalpel” for commonly used for
file carving.
Forensics Investigation practices-> Forensically imaging a Drive

• Consider we have a suspect USB drive to be forensically examined.
• Connect USB drive to Write blocker and then to Forensic Workstation to convert the
suspect drive to *.dd image file.
• Find the drive using dir /dev/sd* command and dmesg | grep sd* (dmesg lists the Kernel
messages including the information about drives)
• The *.dd extension (for archive images, not picture images) is not a single file, but rather
an archive in the form of a file.
• Dcfldd (download it using sudo apt-get install dcfldd) is an enhanced version for imaging
drives. It is an advance version of dd developed by the U.S. Department of Defense
Computer Forensics Lab.
• It has some useful features for forensic investigators such as:
• On-the-fly hashing of the transmitted data.
• Progress bar of how much data has already been sent.
• Wiping of disks with known patterns.
• Verification that the image is identical to the original drive, bit-for-bit.
• Simultaneous output to more than one file/disk is possible.
• The output can be split into multiple files.
• Logs and data can be piped into external applications.

• man dcfldd or dcfldd --help provides many options that can be used to
format the output
• Here, Input file is /dev/sdd1 and output file is located at /suspicious
• This command will read ten Gigabytes from the source drive and write that
to a file called driveimage.dd.aa
• It will then read the next ten gigs and name that driveimage.dd.ab.
• It will also calculate the MD5 hash and the sha256 hash of the ten Gigabyte
chunk.
• The md5 hashes will be stored in a file called md5.txt and the sha256
hashes will be stored in a file called sha256.txt.
• The block size for transferring has been set to 512 bytes, and in the event
of read errors, dcfldd will write zeros.
Forensics Investigation practices->Dcfldd

• Foremost is a console program to recover files based on their headers, footers,
and internal data structures.
• Foremost can work on image files, such as those generated by dd, Safeback,
Encase, etc, or directly on a drive. foremost can search through most any kind of
data without worrying about the format.
• Foremost is designed to ignore the type of underlying filesystem and directly read
and copy portions of the drive into the computer's memory.
• It takes these portions one segment at a time, and using a process known as file
carving searches this memory for a file header type that matches the ones found
in Foremost's configuration file.
• When a match is found, it writes that header and the data following it into a file,
stopping when either a footer is found, or until the file size limit is reached.
• The headers and footers can be specified by a configuration file or you can use
command line switches to specify built-in file types.
• These built-in types look at the data structures of a given file format allowing for
a more reliable and faster recovery.
• Foremost served as the basis for Scalpel, a significantly faster program to also
recover deleted files & to perform forensic investigation on device images.
Forensics & File Carving -> Foremost

Forensics & File Carving -> Foremost

• Scalpel is an open source program for recovering deleted data originally
based on foremost, although significantly more efficient. It runs on Linux
and Windows.
• The tool visits the block database storage and identifies the deleted files
from it and recover them instantly.
• Apart from file recovery it is also useful for digital forensics investigation.
• By default scalpel utility has its own configuration file in ‘/etc‘ directory
and full path is “/etc/scalpel/scalpel.conf” or “/etc/scalpel.conf“.
• Everything is commented out (#) by default. So before running scalpel one
needs to uncomment the file format that one want to recover.
• However uncomment the entire file is time consuming and will generate a
huge false results.
• Installation comand: sudo apt-get install scalpel
Forensics & File Carving -> Scalpel

• Here, I uncommented for Java, zip, .dat, wav, rpm, pdf, html, doc, avi, bmp, png
file formats.

• bulk_extractor is a multi-threaded program that extracts features such as email addresses, credit
card numbers, URLs, and other types of information from digital evidence files, disk image, or
directory of files.
• It is a useful forensic investigation tool for many tasks such as malware and intrusion
investigations, identity investigations and cyber investigations, as well as analyzing imagery and
password cracking.
• The results can be easily inspected, parsed, or processed with automated tools.
• bulk_extractor automatically detects, decompresses, and recursively re-processes compressed
data that is compressed with a variety of algorithms.
• It can process compressed data (like ZIP, PDF and GZIP files) and incomplete or partially
corrupted data.
• It can carve JPEGs, office documents and other kinds of files out of fragments of compressed
data. It will detect and carve encrypted RAR files, XOR files etc.
• It builds word lists based on all of the words found within the data, even those in compressed files
that are in unallocated space. Those word lists can be useful for password cracking.
• It creates histograms showing the most common email addresses, URLs, domains, search terms
and other kinds of information on the drive.
• In addition to the capabilities described above, bulk_extractor also includes:
• A graphical user interface, Bulk Extractor Viewer, for browsing features stored in feature files and for
launching bulk_extractor scans
• A small number of python programs for performing additional analysis on feature files
Forensics & File Carving -> Bulk_Extractor

Bulk_Extractor is very powerful tool for
extracting contents from file.For more
information about Bulk_Extractor, go
through below urls :
http://tools.kali.org/forensics/bulk-
extractor
http://www.basistech.com/wp-
content/uploads/2014/04/osdf-2011-
garfinkel-bulk-extractor.pdf
http://wiki.bitcurator.net/index.php?tit
le=Using_Bulk_Extractor_Viewer_to_Fi
nd_Potentially_Sensitive_Information_
on_a_Disk_Image
https://github.com/simsong/bulk_extr
actor/wiki/Installing-bulk_extractor

Forensics & File Carving -> Hachoir-metadata
• Hachoir metadata can extract metadata even from invalid/truncated files, remove
duplicate values, Set priority to value, so it's possible to filter metadata (option --
level).
• It archives (bzip2, gzip, zip, tar), audio (MPEG audio/MP3, WAV, Sun/NeXT audio,
Ogg/Vorbis, MIDI, AIFF, AIFC, Real Audio), images (BMP, CUR, EMF, ICO, GIF, JPEG,
PCX, PNG, TGA, TIFF, WMF, XCF), and video (ASF/WMV, AVI, Matroska, Quicktime,
Ogg/Theora, Real Media).

• Hachoir urwid project is a binary file
explorer that uses the Hachoir library to
parse files.
• Using this tool, we can know the exact
meaning of each bit/byte of files.
Forensics & File Carving -> Hachoir-urwid

• Remnux(https://remnux.org/)
• Artifacts and Malwares(http://windowsir.blogspot.com/p/malware.html)
• Unxor(https://github.com/tomchop/unxor/)
• Bulk_Extractor(http://tools.kali.org/forensics/bulk-extractor)
• Bulk_Extractor(http://www.basistech.com/wp-content/uploads/2014/04/osdf-2011-garfinkel-
bulk-extractor.pdf)
• Bulk_Extractor(http://wiki.bitcurator.net/index.php?title=Using_Bulk_Extractor_Viewer_to_Find_
Potentially_Sensitive_Information_on_a_Disk_Image)
• Bulk_Extractor(https://github.com/simsong/bulk_extractor/wiki/Installing-bulk_extractor)
• Scalpel(https://www.youtube.com/watch?v=5Z9JsBazOdw)
• Foremost(https://www.youtube.com/watch?v=OGlRKz2PECg)
• Dcfldd(http://www.forensicswiki.org/wiki/Dcfldd)
• Xortool(https://github.com/hellman/xortool)
• Hachoir(http://www.forensicswiki.org/wiki/Hachoir)
• XorBruteForcer(http://digital-forensics.sans.org/blog/2013/05/14/tools-for-examining-xor-
obfuscation-for-malware-analysis)
References:

REMnux tutorial-2: Extraction and decoding of Artifacts

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to REMnux tutorial-2: Extraction and decoding of Artifacts (20)

Recently uploaded (20)

REMnux tutorial-2: Extraction and decoding of Artifacts