29C3 - Version 1.9
| Speakers | |
|---|---|
| Travis Goodspeed | |

| Schedule | |
|---|---|
| Day | Day 3 - 2012-12-29 |
| Room | Saal 1 |
| Start | 17:15 |
| Duration | 01:00 |
| Info | |
| ID | 5327 |
| Event type | Lecture |
| Language of the event | English |

Writing a Thumbdrive from Scratch
Prototyping Active Disk Antiforensics
This action-packed lecture presents the inner workings of the author's from-scratch implementation of a USB Mass Storage disk in user-land Python, along with some embarrassing bugs in operating systems that support such disks. The lecture concludes with an introduction to Active Antiforensics, in which a thumbdrive's own firmware can recognize and defend itself against disk imaging and other forensic tools.
USB is a lovely little conduit into the deepest parts of the kernel. Drivers are made to speak complicated protocols in hastily written C, leaving a goldmine of bugs and unexplored behaviors for a crafty attacker to exploit.
This lecture will show how a USB Mass Storage device was implemented from scratch in user-land Python for the Facedancer board. Along the way, we'll take a look at how to abuse a number of bugs in kernels, automounters, filesystems, and forensic utilities, all of which are easily confused.
As an example application of these techniques, the culmination of this lecture presents a prototype disk that actively resists forensics, wiping itself to an innocent state whenever it detects disk imaging, undeletes, access by the wrong operating system, or the presence of a write blocker.