Introduction Mapping the ELFPinpointing FragmentationEvaluationConclusion Bin-Carver Automatic Recovery of Binary Executable Files Scott Hand †, Zhiqiang.

Introduction Mapping the ELF Pinpointing Fragmentation Evaluation Conclusion

Bin-CarverAutomatic Recovery of Binary Executable Files

Scott Hand†, Zhiqiang Lin†,Guofei Gu*, Bhavani Thuraisingham†

COE 589 : Digital Forensics

Presented by:Mohammed Younus Siddiqui201103270

Outline

1 IntroductionBinary File Carving

Mapping the ELFRecovery without Fragmentation

Pinpointing FragmentationRecovery with FragmentationRemoving the Fragmentation

EvaluationProcedureResults

Conclusion

Outline

Conclusion

What is that paper trying to accomplish?

Basic Idea

Recover meaningful data (files) from unorganized data (datafrom disk)

Disk LevelA1 A2 A3 B1 B2 B3 B4 A4 A5 C1 C2 C3

File System Level

File AFile C

File B

Why do we care?

Needed any time file system metadata is not present

Deletion

Corruption

Not part of file system (VM, embedded in other files, etc.)

Needed whenever there is no file metadata•Data Recovery is Lucrative Market•Unintentional Deletion•Corruption by Malware

Motivation for focusing on binary executables

Difficult to carveHeterogeneous contentsNo explicit footers

Lots of internal structure

They’re everywhere

Malware loves to hide

• Difficult to carve• No explicit footers• Heterogeneous content

• Present in all file systems

• Decrease the traditional carving space

• Finding Malware

Previous Approaches - Bifragment Carving

Simson Garfinkel - Carving Contiguous and Fragmented Fileswith Fast Object ValidationDFRWS’07

Header Footer

Previous Approaches - Shortest Path

Pal, A. and Shanmugasundaram, K. and Memon, N. Automatedreassembly of fragmented images using greedy algorithmsIEEE Transactions on Image Processing 2006

Header 2

Header 1 1

Header 34 8

Previous Approaches - Shortest Path

Header 1 2 6 7

Header 2 3 4 8

Header 3 1 5

Common elements

• Fragment edge identification

• Needs edge location heuristics

• Need both header and footer

Assumptions

• Recover only ELF executable file.

• Linux platform with EXT2 file systems.

• Content in the file is not overwritten.

Outline

Conclusion

ELF ELF ELF ELF ELF ELF

Elf File n

Magic Number

Executable and Linkable Format (ELF)

It is a common standard file format for executables, object code, shared libraries, and core dumps.

Start with the magic number and expandBuild a list of ELF file headers by searching for ELF file magicnumbers (0x7f,0x45,0x4c,0x46)

ELF ELF ELF ELF ELF ELF

Elf File n

Magic Number

Load the ELF header

Luckily the ELF header will always be on the same block as themagic number

Elf File n

Magic Number

File Header

Find the section header tableThe header will have a pointer to the section header table(SHT).

Elf File n

Magic Number

File Header

Section Header Table

Identify the "footer"The last part of the ELF file will either be the last section or theSHT. This can be easily checked, the footer identified, and thefile size inferred.

Elf File n

Magic Number

File Header

Section Header Table

Footer

We’re done!

Write everything from beginning to end

√ √ √ √ √

Uh oh!

Disaster strikes

√ √ √ √ √

√ X √ X √ √ X √

Outline

Conclusion

Pointers Before Fragmentation

BlockOffset:

Block Number:4

Pointers After Fragmentation

BlockOffset:

Block Number:4

Finding the SHTWithout fragmentation:

Header Data SHT Data Data Data Data

Finding the SHTWithout fragmentation:

With fragmentation:

Header Data Pad Pad SHT Data Data

Finding the SHT

Without fragmentation:

With fragmentation:

After moving forward twice, we find the SHT:

Outline

Conclusion

The next step

What next?

Finding fragmentation in the ELF file now becomes findingfragmentation within sections

Targeting .text

Let’s focus on .text, as it comprises a large part of the ELF file

Strategy for validating machine code blocks

Taking advantage of internal structure

Explore the structure provided by pointers in the code

Map a CALL instruction to a function prologue at its targetto validate a pair of locations

8049480 <_init>:8049480: 558049481: 89 e58049483: 53...

804949d: e8 de 00 00 00...

80494b0 <abort@plt-0x10>:80494b0: ff 35 08 e1 05 0880494b6: ff 25 0c e1 05 0880494bc: 00 00...

8049580 <__gmon_start__@plt>:8049580: ff 25 40 e1 05 088049586: 68 60 00 00 00804958b: e9 20 ff ff ff...

8059e84:...

e8 f7 f5 fe ff

pushmovpush

%ebp%esp,%ebp%ebx

8049580 <__gmon_start__@plt>

pushljmpadd

0x805e108*0x805e10c%al,(%eax)

jmppushjmp

*0x805e140$0x6080494b0 <_init+0x30>

8049480 <_init>

Example

A quick example shows this algorithm handling three calls tothree different blocks.Before fragmentation:

Call 1 FP3 FP1 Call 2 FP2 Call3

Example - Call 3Call 3 previously pointed four blocks back to FP3, now it isinvalid.

We look backward to find FP3:

Example - Call 2

Call 2 previously pointed one block forward to FP2, now it isinvalid.

Example - Call 2

Call 2 previously pointed one block forward to FP2, now it isinvalid.

We look forward to find FP2:

Example - Call 1Call 1 previously pointed two blocks forward to FP1, now it isinvalid.

We look forward to find FP1:

Other Sections

Other important sections need recovery approaches as well,but many of them (rodata, debug sections, etc.) havepredictable structures that lend themselves to dataclassification approaches.

Outline

Conclusion

Bin-Carver

Prototype was coded in C#

Python used for collection of accuracy statistics

Test Data

Tested on 8 different disk images

Each differed in the number of files as well as the numberof deletes and copies executed after its creation

Disk 1 was a small baseline sample, only contained /bin

Disk 2 contained a larger number of ELF files

Disk 3 contained some of the files from disk 2, with someof them deleted before the image was made

Disk 4 contained all of disk 2 as well as SO ELF files from/lib

1 Disk 5 had all the files from disk 4 which were thendeleted. Half were then picked randomly and copied back.

Disk 6 is the same as disk 5 except that only half weredeleted

Disk 7 repeated the same process as 6, but twice withsmaller batches

Disk 8 did lots of unpredictable small copy and deletecycles to create the most chaotic image

1 Disk 5 had all the files from disk 4 which were thendeleted. Half were then picked randomly and copied back.

Disk 6 is the same as disk 5 except that only half weredeleted

Disk 7 repeated the same process as 6, but twice withsmaller batches

Disk 8 did lots of unpredictable small copy and deletecycles to create the most chaotic image

Evaluating accuracy

Effectiveness

Identification Rate - number of valid files on the disk wecan identify

Recovery Rate - number of files that were recoveredsuccessfully after identification

Outline

Conclusion

Accuracy Metrics

Identification RateRecovery Rate

Disk Images

Performance Metrics

Disk Images

Outline

Conclusion

Remarks

Recovery approaches were shown to be effective

Hopefully, more research will be done in executable filecarving

Exclusionary carving could benefit other kinds of filecarving

Conclusion

Remarks

Recovery approaches were shown to be effective

Hopefully, more research will be done in executable filecarving

Exclusionary carving could benefit other kinds of filecarving

Limitations and Future Work

PE Files

More signatures

Robustness

Thank you for your patience

Any questions?

Introduction Mapping the ELFPinpointing FragmentationEvaluationConclusion Bin-Carver Automatic Recovery of Binary Executable Files Scott Hand †, Zhiqiang.

outline1in file carvingmapping

elf executable file

file metadatadata recovery

ext2 file systems

common standard file

system metadata

system vm

binary executablesdifcult

Documents

Zhiqiang (Abraham) Deng - NASA

Peter Carver

Cyndi Carver

Stephen Carver

Chapter 2 - 1 Abstraction Concrete: directly...

Executable Architectures using Cuckoo Search Optimization...

idbi executable

Steve carver

3 Liu Zhiqiang FOUNDATION Project Best Practices

Carver (TresRosasAmarillas)

3ldreghorn carver

Carver Park and Ride Carver County CDA request for...

Memory Management. Memory Manager Requirements –Minimize.....

LIN Liqun , CHEN Zhixin , XU Zhiqiang ,WANG Zhiyong

North Carver Landfill, North Carver, MA, MAG910448 … ·.....

Le repentir impitoyable de Raymond Carver / Raymond Carver.....