Introduction Mapping the ELFPinpointing FragmentationEvaluationConclusion Bin-Carver Automatic Recovery of Binary Executable Files Scott Hand †, Zhiqiang.

Introduction Mapping the ELF Pinpointing Fragmentation Evaluation Conclusion

Bin-CarverAutomatic Recovery of Binary Executable Files

Scott Hand†, Zhiqiang Lin†,Guofei Gu*, Bhavani Thuraisingham†

COE 589 : Digital Forensics

Presented by:Mohammed Younus Siddiqui201103270

1


Outline

1 IntroductionBinary File Carving

Mapping the ELFRecovery without Fragmentation

Pinpointing FragmentationRecovery with FragmentationRemoving the Fragmentation

EvaluationProcedureResults

Conclusion

2

3

4

5

2

Outline





Conclusion

2

3

4

5

3


What is that paper trying to accomplish?

Basic Idea

Recover meaningful data (files) from unorganized data (datafrom disk)

Disk LevelA1 A2 A3 B1 B2 B3 B4 A4 A5 C1 C2 C3

File System Level

File AFile C

File B

4


Why do we care?

Needed any time file system metadata is not present

Deletion

Corruption

Not part of file system (VM, embedded in other files, etc.)

5

Needed whenever there is no file metadata•Data Recovery is Lucrative Market•Unintentional Deletion•Corruption by Malware


Motivation for focusing on binary executables

Difficult to carveHeterogeneous contentsNo explicit footers

Lots of internal structure

They’re everywhere

Malware loves to hide

6

• Difficult to carve• No explicit footers• Heterogeneous content

• Present in all file systems

• Decrease the traditional carving space

• Finding Malware


Previous Approaches - Bifragment Carving

Simson Garfinkel - Carving Contiguous and Fragmented Fileswith Fast Object ValidationDFRWS’07

Header Footer

7


Previous Approaches - Shortest Path

Pal, A. and Shanmugasundaram, K. and Memon, N. Automatedreassembly of fragmented images using greedy algorithmsIEEE Transactions on Image Processing 2006

6

7

Header 2

Header 1 1

32

5

Header 34 8

8


Previous Approaches - Shortest Path

Header 1 2 6 7

Header 2 3 4 8

Header 3 1 5

9


Common elements

10

• Fragment edge identification

• Needs edge location heuristics

• Need both header and footer


Assumptions

11

• Recover only ELF executable file.

• Linux platform with EXT2 file systems.

• Content in the file is not overwritten.

Outline





Conclusion

2

3

4

5

12


ELF ELF ELF ELF ELF ELF

Elf File n

Magic Number

???

13

Executable and Linkable Format (ELF)

It is a common standard file format for executables, object code, shared libraries, and core dumps.


Start with the magic number and expandBuild a list of ELF file headers by searching for ELF file magicnumbers (0x7f,0x45,0x4c,0x46)

ELF ELF ELF ELF ELF ELF

Elf File n

Magic Number

???

14


Load the ELF header

Luckily the ELF header will always be on the same block as themagic number

Elf File n

Magic Number

File Header

???

15


Find the section header tableThe header will have a pointer to the section header table(SHT).

Elf File n

Magic Number

File Header

???

Section Header Table

???

16


Identify the "footer"The last part of the ELF file will either be the last section or theSHT. This can be easily checked, the footer identified, and thefile size inferred.

Elf File n

Magic Number

File Header

???

Section Header Table

Footer

17


We’re done!

Write everything from beginning to end

√ √ √ √ √

18


Uh oh!

Disaster strikes

√ √ √ √ √

√ X √ X √ √ X √

19

Outline





Conclusion

2

3

4

5

20


Pointers Before Fragmentation

11

2

BlockOffset:

3

4

a

b

c

d

2

e

f

g

h

3

i

j

k

l

Block Number:4

m

n

o

p

5

q

r

s

t

6

u

v

w

x

7

y

z

0

1

21


Pointers After Fragmentation

1

1

2

BlockOffset:

3

4

a

b

c

d

2

e

f

g

h

3

i

j

k

l

Block Number:4

m

n

o

p

5 6

q

r

s

t

7

u

v

w

x

8

y

z

0

1

22


Finding the SHTWithout fragmentation:

Header Data SHT Data Data Data Data

23


Finding the SHTWithout fragmentation:


With fragmentation:

Header Data Pad Pad SHT Data Data

24


Finding the SHT

Without fragmentation:


With fragmentation:


After moving forward twice, we find the SHT:


25

Outline





Conclusion

2

3

4

5

26


The next step

What next?

Finding fragmentation in the ELF file now becomes findingfragmentation within sections

Targeting .text

Let’s focus on .text, as it comprises a large part of the ELF file

27


Strategy for validating machine code blocks

Taking advantage of internal structure

Explore the structure provided by pointers in the code

Map a CALL instruction to a function prologue at its targetto validate a pair of locations

28


Code

8049480 <_init>:8049480: 558049481: 89 e58049483: 53...

804949d: e8 de 00 00 00...

80494b0 <abort@plt-0x10>:80494b0: ff 35 08 e1 05 0880494b6: ff 25 0c e1 05 0880494bc: 00 00...

8049580 <__gmon_start__@plt>:8049580: ff 25 40 e1 05 088049586: 68 60 00 00 00804958b: e9 20 ff ff ff...

8059e84:...

e8 f7 f5 fe ff

pushmovpush

call

%ebp%esp,%ebp%ebx

8049580 <__gmon_start__@plt>

pushljmpadd

0x805e108*0x805e10c%al,(%eax)

jmppushjmp

call

*0x805e140$0x6080494b0 <_init+0x30>

8049480 <_init>

29


Example

A quick example shows this algorithm handling three calls tothree different blocks.Before fragmentation:

Call 1 FP3 FP1 Call 2 FP2 Call3

30


Example - Call 3Call 3 previously pointed four blocks back to FP3, now it isinvalid.


31


Example - Call 3Call 3 previously pointed four blocks back to FP3, now it isinvalid.


We look backward to find FP3:


32


Example - Call 2

Call 2 previously pointed one block forward to FP2, now it isinvalid.


33


Example - Call 2

Call 2 previously pointed one block forward to FP2, now it isinvalid.


We look forward to find FP2:


34


Example - Call 1Call 1 previously pointed two blocks forward to FP1, now it isinvalid.


35


Example - Call 1Call 1 previously pointed two blocks forward to FP1, now it isinvalid.


We look forward to find FP1:


36


Other Sections

Other important sections need recovery approaches as well,but many of them (rodata, debug sections, etc.) havepredictable structures that lend themselves to dataclassification approaches.

37

Outline





Conclusion

2

3

4

5

38


Setup

Bin-Carver

Prototype was coded in C#

Python used for collection of accuracy statistics

Test Data

Tested on 8 different disk images

Each differed in the number of files as well as the numberof deletes and copies executed after its creation

39


Disks

1

2

3

Disk 1 was a small baseline sample, only contained /bin

Disk 2 contained a larger number of ELF files

Disk 3 contained some of the files from disk 2, with someof them deleted before the image was made

Disk 4 contained all of disk 2 as well as SO ELF files from/lib

4

40


Disks

1 Disk 5 had all the files from disk 4 which were thendeleted. Half were then picked randomly and copied back.

Disk 6 is the same as disk 5 except that only half weredeleted

Disk 7 repeated the same process as 6, but twice withsmaller batches

Disk 8 did lots of unpredictable small copy and deletecycles to create the most chaotic image

2

3

4

41


Disks

1 Disk 5 had all the files from disk 4 which were thendeleted. Half were then picked randomly and copied back.

Disk 6 is the same as disk 5 except that only half weredeleted

Disk 7 repeated the same process as 6, but twice withsmaller batches

Disk 8 did lots of unpredictable small copy and deletecycles to create the most chaotic image

2

3

4

42


Evaluating accuracy

Effectiveness

Identification Rate - number of valid files on the disk wecan identify

Recovery Rate - number of files that were recoveredsuccessfully after identification

43

Outline





Conclusion

2

3

4

5

44


Accuracy Metrics

Identification RateRecovery Rate

100%

80%

60%

40%

20%

0%

Disk Images

45


Performance Metrics

80

70

60

50

40

30

20

10

0

Disk Images

46

Outline





Conclusion

2

3

4

5

47


Conclusion

Remarks

Recovery approaches were shown to be effective

Hopefully, more research will be done in executable filecarving

Exclusionary carving could benefit other kinds of filecarving

48


Conclusion

Remarks

Recovery approaches were shown to be effective

Hopefully, more research will be done in executable filecarving

Exclusionary carving could benefit other kinds of filecarving

Limitations and Future Work

PE Files

More signatures

Robustness

49


Thank you for your patience

Any questions?

50

Introduction Mapping the ELFPinpointing FragmentationEvaluationConclusion Bin-Carver Automatic Recovery of Binary Executable Files Scott Hand †, Zhiqiang.

Documents

outline1in file carvingmapping

elf executable file

file metadatadata recovery

ext2 file systems

common standard file

system metadata

system vm

binary executablesdifcult