Difference between pages "Solid State Drive (SSD) Forensics" and "Malware"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Bibliography)
 
(HackingTeam)
 
Line 1: Line 1:
Solid State Drives pose a variety of interesting challenges for computer forensics. Most SSD devices are based on flash memory. Flash has two properties that complicate its use in computer storage systems:
+
'''Malware''' is a short version of '''Malicious Software'''.
# Unlike normal hard drives that can be written in a single pass, flash memory is arranged in pages that must first be erased before it can be written.
+
# Each flash page consists of multiple blocks. Typically block size is 512 bytes and page size is 2KiB, 4KiB, or larger.
+
# Each page can be erased and rewritten a limited number of times---typically 1000 to 10,000. (Hard drive sectors, in contrast, can be rewritten millions of times or more.)
+
  
To overcome these problems, SSD manufacturers have created a system for ''wear leveling''---that is, spreading the writes to flash out among different sectors. Wear leveling is typically done with a ''flash translation layer'' that maps ''logical sectors'' (or LBAs) to ''physical pages.''  Most FTLs are contained within the SSD device and are not accessible to end users.
+
Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.
  
==Bibliography==
+
== Virus ==
<bibtex>
+
A computer program that can automatically copy itself and infect a computer.
@inproceedings{wei2011,
+
  author = {Michael Wei and Laura M. Grupp and Frederick M. Spada and Steven Swanson},
+
  title = {Reliably Erasing Data from Flash-Based Solid State Drives},
+
  booktitle={FAST 2011},
+
  year = 2011,
+
  keywords = {erasing flash security ssd},
+
  added-at = {2011-02-22T09:22:03.000+0100},
+
  url={http://cseweb.ucsd.edu/users/m3wei/assets/pdf/FMS-2010-Secure-Erase.pdf},
+
  biburl = {http://www.bibsonomy.org/bibtex/27c408ad559fc19f829717f485707a909/schmidt2}
+
}
+
</bibtex>
+
<bibtex>
+
@article{bell2011,
+
author="Graeme B. Bell and Richard Boddington",
+
title="Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?",
+
journal="Journal of Digital Forensics, Security and Law",
+
volume=5,
+
issue=3,
+
year=2011,
+
url={http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf}
+
}
+
</bibtex>
+
<bibtex>
+
@inproceedings{Billard:2010:MSU:1774088.1774426,
+
author = {Billard, David and Hauri, Rolf},
+
title = {Making sense of unstructured flash-memory dumps},
+
booktitle = {Proceedings of the 2010 ACM Symposium on Applied Computing},
+
series = {SAC '10},
+
year = {2010},
+
isbn = {978-1-60558-639-7},
+
location = {Sierre, Switzerland},
+
pages = {1579--1583},
+
numpages = {5},
+
url = {http://doi.acm.org/10.1145/1774088.1774426},
+
doi = {http://doi.acm.org/10.1145/1774088.1774426},
+
acmid = {1774426},
+
publisher = {ACM},
+
address = {New York, NY, USA},
+
keywords = {cell phone, computer forensics, file carving, flash-memory dumps, forensics},
+
}
+
</bibtex>
+
<bibtex>
+
@mastersthesis{regan:2009,
+
  title="The Forensic Potential of Flash Memory",
+
  author="James E. Regan",
+
  school="Naval Postgraduate School",
+
  address="Monterey, CA",
+
  date=Sep,
+
  year=2009,
+
  pages=86,
+
  url="http://handle.dtic.mil/100.2/ADA509258"
+
}
+
</bibtex>
+
<bibtex>
+
@inproceedings{Phillips:2008:RDU:1363217.1363243,
+
author = {Phillips, B. J. and Schmidt, C. D. and Kelly, D. R.},
+
title = {Recovering data from USB flash memory sticks that have been damaged or electronically erased},
+
booktitle = {Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop},
+
series = {e-Forensics '08},
+
year = {2008},
+
isbn = {978-963-9799-19-6},
+
location = {Adelaide, Australia},
+
pages = {19:1--19:6},
+
articleno = {19},
+
numpages = {6},
+
url = {http://portal.acm.org/citation.cfm?id=1363217.1363243},
+
acmid = {1363243},
+
publisher = {ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering)},
+
address = {ICST, Brussels, Belgium, Belgium},
+
keywords = {data recovery, flash memory, semiconductor data remanence},
+
}
+
</bibtex>
+
  
==Presentations==
+
== Worm ==
* [http://www.snia.org/events/storage-developer2009/presentations/thursday/NealChristiansen_ATA_TrimDeleteNotification_Windows7.pdf ATA Trim / Delete Notification Support in Windows 7], Neal Christiansen, Storage Developer 2009
+
A self-replicating computer program that can automatically infect computers on a network.
* [http://www.slideshare.net/digitalassembly/challenges-of-ssd-forensic-analysis Challenges of SSD Forensic Analysis], Digital Assembly.
+
 
* [http://www.youtube.com/watch?v=WcO7xn0wJ2I ]Solid State Drives: Ruining Forensics, by Scott Moulton, DEFCON 16 (2008)
+
== Trojan horse ==
* Scott Moulton, Shmoocon 20008, SSD drives vs. Hard Drives.
+
A computer program which appears to perform a certain action, but actually performs many different forms of codes.
** [http://www.youtube.com/watch?v=l4hbdZFWGog SSD Flash Hard Drives - Shmoocon 2008 - Part 1]
+
 
** [http://www.youtube.com/watch?v=mglEnIPnzjo SSD Flash Hard Drives - Shmoocon 2008 - Part 2]
+
== Spyware ==
** [http://www.youtube.com/watch?v=3psy_d-pyNg SSD Flash Hard Drives - Shmoocon 2008 - Part 3]
+
A computer program that can automatically intercept or take partial control over the user's interaction.
** [http://www.youtube.com/watch?v=pKeZvhDd5c4 SSD Flash Hard Drives - Shmoocon 2008 - Part 4]
+
 
** [http://www.youtube.com/watch?v=9XMBdDypSO4 SSD Flash Hard Drives - Shmoocon 2008 - Part 5]
+
== Exploit Kit ==
** [http://www.youtube.com/watch?v=LY36SWbfQg0 SSD Flash Hard Drives - Shmoocon 2008 - Part 6]
+
A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. Often utilizing a drive-by-download.
* [http://risky.biz/RB185 Risky Business #185], Peter Gutmann talks SSD forensics, March 4, 2011 (Radio Show)
+
 
 +
=== Drive-by-download ===
 +
Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].
 +
 
 +
== Rootkit ==
 +
A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.
 +
 
 +
== See Also ==
 +
* [[Malware analysis]]
 +
 
 +
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Malware Wikipedia: malware]
 +
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia: drive-by-download]
 +
* [http://www.viruslist.com/ Viruslist.com]
 +
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware
 +
 
 +
=== Analysis ===
 +
* [http://sempersecurus.blogspot.ch/2013/12/a-forensic-overview-of-linux-perlbot.html A Forensic Overview of a Linux perlbot], by Andre M. DiMino, December 17, 2013
 +
* [http://research.zscaler.com/2014/02/probing-into-flash-zero-day-exploit-cve.html Probing into the Flash Zero Day Exploit (CVE-2014-0502)], by Krishnan Subramanian, February 21, 2014
 +
* [http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf Operation Windigo], by Olivier Bilodeau, Pierre-Marc Bureau, Joan Calvet, Alexis Dorais-Joncas, Marc-Étienne M.Léveillé, Benjamin Vanheuverzwijn, March, 2014
 +
* [http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx Security Advisory 2953095: recommendation to stay protected and for detections\, by Chengyun Chu, Elia Florio, March 24, 2014
 +
 
 +
=== Exploit Kit ===
 +
* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
 +
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013
 +
* [http://www.kahusecurity.com/2013/kore-exploit-kit/ Kore Exploit Kit], Kahu Security blog, July 18, 2013
 +
 
 +
=== Rootkit ===
 +
* [http://en.wikipedia.org/wiki/Rootkit Wikipedia: Rootkit]
 +
* [http://articles.forensicfocus.com/2013/11/22/understanding-rootkits/ Understanding Rootkits: Using Memory Dump Analysis for Rootkit Detection], by Dmitry Korolev, Yuri Gubanov, Oleg Afonin, November 22, 2013
 +
 
 +
=== HackingTeam ===
 +
* [https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ Police Story: Hacking Team’s Government Surveillance Malware], by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
 +
* [http://www.securelist.com/en/blog/8231/HackingTeam_2_0_The_Story_Goes_Mobile HackingTeam 2.0: The Story Goes Mobile], Kaspersky Lab, June 24, 2014
 +
* [http://reverse.put.as/wp-content/uploads/2014/06/ShakaCon6-FuckYouHackingTeam.pdf Fuck you Hacking Team], by fG! at ShakaCon 2014, June 2014
 +
 
 +
 
 +
[[Category:Malware]]

Revision as of 02:12, 5 July 2014

Malware is a short version of Malicious Software.

Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.

Virus

A computer program that can automatically copy itself and infect a computer.

Worm

A self-replicating computer program that can automatically infect computers on a network.

Trojan horse

A computer program which appears to perform a certain action, but actually performs many different forms of codes.

Spyware

A computer program that can automatically intercept or take partial control over the user's interaction.

Exploit Kit

A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [1]. Often utilizing a drive-by-download.

Drive-by-download

Any download that happens without a person's knowledge [2].

Rootkit

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.

See Also

External Links

Analysis

Exploit Kit

Rootkit

HackingTeam