29C3 - Version 1.9

F/a{hr-p).l//a,n
2.9/C-3

Referenten
Travis Goodspeed
Programm
Tag Day 3 - 2012-12-29
Raum Saal 1
Beginn 17:15
Dauer 01:00
Info
ID 5327
Veranstaltungstyp Vortrag
Sprache der Veranstaltung englisch
Feedback

Writing a Thumbdrive from Scratch

Prototyping Active Disk Antiforensics

This action-packed lecture presents the inner workings of the author's from-scratch implementation of a USB Mass Storage disk in user-land Python, along with some embarrassing bugs in operating systems that support such disks. The lecture concludes with an introduction to Active Antiforensics, in which a thumbdrive's own firmware can recognize and defend itself against disk imaging and other forensic tools.

USB is a lovely little conduit into the deepest parts of the kernel. Drivers are made to speak complicated protocols in hastily written C, leaving a goldmine of bugs and unexplored behaviors for a crafty attacker to exploit.

This lecture will show how a USB Mass Storage device was implemented from scratch in user-land Python for the Facedancer board. Along the way, we'll take a look at how to abuse a number of bugs in kernels, automounters, filesystems, and forensic utilities, all of which are easily confused.

As an example application of these techniques, the culmination of this lecture presents a prototype disk that actively resists forensics, wiping itself to an innocent state whenever it detects disk imaging, undeletes, access by the wrong operating system, or the presence a write blocker.

Archived page - Impressum/Datenschutz