1 00:00:00,042 --> 00:00:02,751 Hello everybody, welcome to DEF CON.
2 00:00:02,792 --> 00:00:09,751 I'd like to introduce Michael Perklin with ACL Steganography.
3 00:00:09,999 --> 00:00:11,417 Take it away.
4 00:00:11,417 --> 00:00:12,999 MICHAEL PERKLIN: Thank you.
5 00:00:13,751 --> 00:00:16,876 How is it going, guys?
6 00:00:20,999 --> 00:00:23,083 I happen to be here at DEF CON again.
7 00:00:23,709 --> 00:00:25,999 I think this would be an interesting talk for those
8 00:00:25,999 --> 00:00:29,250 of you interested in hiding things or finding hidden things, depending
9 00:00:29,250 --> 00:00:31,209 if you're a black hat.
10 00:00:33,834 --> 00:00:36,584 I am a corporate investigator.
11 00:00:37,083 --> 00:00:40,334 I specialize in cyber crime.
12 00:00:40,334 --> 00:00:42,999 I am a digital forensic examiner.
13 00:00:43,167 --> 00:00:47,751 I take the geek side and legal support and smash them together.
14 00:00:47,999 --> 00:00:48,999 That's what I do.
15 00:00:49,417 --> 00:00:53,459 In this talk, I'll be talking about what steganography is.
16 00:00:55,959 --> 00:01:01,375 I have examples of how it was used before it existed.
17 00:01:04,959 --> 00:01:09,083 And finally, I'll talk about ACL steganography.
18 00:01:11,209 --> 00:01:14,999 So let's get started.
19 00:01:15,125 --> 00:01:16,999 What is steganography?
20 00:01:17,667 --> 00:01:19,834 It's a Greek word.
21 00:01:20,083 --> 00:01:23,584 The origins of the word are Greek and it means concealed writing.
22 00:01:24,250 --> 00:01:26,959 There are two roots of the word.
23 00:01:26,959 --> 00:01:29,501 Steganos, which means covered and protected, and graphy,
24 00:01:29,501 --> 00:01:31,834 which means writing.
25 00:01:31,999 --> 00:01:33,999 I apologize if I am butchering the Greek.
26 00:01:36,083 --> 00:01:37,751 Sorry, grandma.
27 00:01:44,083 --> 00:01:47,250 Before the word even existed, basically it just means hiding
28 00:01:47,250 --> 00:01:49,626 something in plain sight.
29 00:01:49,999 --> 00:01:52,626 So let's go through classical examples.
30 00:01:53,167 --> 00:01:56,167 First example I want to show is a tattoo.
31 00:01:56,709 --> 00:01:58,501 Basically somebody would take one
32 00:01:58,501 --> 00:02:01,334 of their slaves, again, this is back in the day
33 00:02:01,334 --> 00:02:03,999 when people had slaves, they would shave
34 00:02:03,999 --> 00:02:08,999 the scalp and tattoo a message and wait for the hair to regrow.
35 00:02:08,999 --> 00:02:10,999 They send the slave over to the recipient
36 00:02:10,999 --> 00:02:13,999 of the message with the package.
37 00:02:13,999 --> 00:02:17,334 As they were delivering the goods, they would find private time,
38 00:02:17,334 --> 00:02:20,292 they would shave the head and read the message and
39 00:02:20,292 --> 00:02:22,959 the message was delivered.
40 00:02:22,959 --> 00:02:25,918 So it looks like the slave is going there to deliver a package, but there
41 00:02:25,918 --> 00:02:28,626 is a whole message under the hair.
42 00:02:32,459 --> 00:02:34,876 After you tattoo a message on someone's scalp, you need
43 00:02:34,876 --> 00:02:36,667 the hair to regrow.
44 00:02:46,667 --> 00:02:49,584 There is Morse code.
45 00:02:49,626 --> 00:02:55,417 Some people would stitch some longer stitches and shorter stitches.
46 00:02:57,792 --> 00:03:01,209 That would conceal a message on the person.
47 00:03:01,542 --> 00:03:04,999 The messenger would go and hand a note.
48 00:03:06,292 --> 00:03:11,083 They would read the sweater and learn the second message,
49 00:03:11,083 --> 00:03:14,876 the true intention of the visit.
50 00:03:15,334 --> 00:03:18,125 Here's an example of a tapestry that was stitched
51 00:03:18,125 --> 00:03:20,959 by a prisoner of war in 1941.
52 00:03:21,250 --> 00:03:25,751 You can see there are two borders with dots and dashes.
53 00:03:25,834 --> 00:03:27,584 That was Morse code.
54 00:03:27,999 --> 00:03:30,999 So this prisoner of war was hoping by delivering this tapestry,
55 00:03:30,999 --> 00:03:33,959 they would deliver a message that would say I'm okay
56 00:03:33,959 --> 00:03:35,542 or whatever.
57 00:03:37,959 --> 00:03:42,834 You can grab the talk online and you can decode it yourself.
58 00:03:44,167 --> 00:03:47,334 The next classical example is invisible ink.
59 00:03:47,334 --> 00:03:49,918 This is a very simple technique, but effective.
60 00:03:50,250 --> 00:03:52,999 You would use lemon juice or something acidic.
61 00:03:53,083 --> 00:03:58,250 You would write on top of the piece of paper and then you would deliver
62 00:03:58,250 --> 00:04:01,542 the paper to your recipient.
63 00:04:01,999 --> 00:04:04,417 The paper would have other writing on it.
64 00:04:04,417 --> 00:04:07,792 So it would look like it says one thing, but what happens is the acid
65 00:04:07,792 --> 00:04:11,125 in the lemon juice or the acidic liquid that you use breaks
66 00:04:11,125 --> 00:04:13,667 down parts of the paper.
67 00:04:13,667 --> 00:04:15,999 So when you put that piece of paper over heat,
68 00:04:15,999 --> 00:04:20,083 it would start to burn, but the parts that were broken
69 00:04:20,083 --> 00:04:23,334 down a little bit more by the acid that you added,
70 00:04:23,334 --> 00:04:27,459 they would burn first, the result would be it would turn darker
71 00:04:27,459 --> 00:04:30,375 and you can read the message that was written
72 00:04:30,375 --> 00:04:32,459 with the liquid.
73 00:04:32,959 --> 00:04:35,792 This is a lot of fun to do if you've got young kids.
74 00:04:35,792 --> 00:04:39,083 I have done it with my nephews and they really enjoyed it.
75 00:04:39,417 --> 00:04:42,209 Let's take a look at a second type, digital steganography.
76 00:04:45,999 --> 00:04:48,501 This is one of the most common types.
77 00:04:49,459 --> 00:04:54,626 You can encode one file as color information inside a photo.
78 00:04:55,999 --> 00:04:58,918 This uses the fact that only superhumans can tell the difference
79 00:04:58,918 --> 00:05:01,167 between lemon and chartreuse.
80 00:05:01,417 --> 00:05:06,709 I mean superhumans, the audience, and the fair sex.
81 00:05:08,375 --> 00:05:11,125 The very last bit of this color code would always be part
82 00:05:11,125 --> 00:05:14,125 of the secret message you are encoding.
83 00:05:14,375 --> 00:05:17,918 The example I have on screen here is DFFF00.
84 00:05:19,375 --> 00:05:21,083 That's chartreuse.
85 00:05:21,083 --> 00:05:24,459 The very last zero is part of the message you are encoding.
86 00:05:24,459 --> 00:05:26,999 The other example is DFFF01.
87 00:05:27,209 --> 00:05:31,083 That's not chartreuse, but it is something similar.
88 00:05:31,292 --> 00:05:33,918 So the difference between the two colors
89 00:05:33,918 --> 00:05:36,834 is imperceptible to most of us.
90 00:05:36,999 --> 00:05:40,167 If you look at the very last digit for all the adjacent pixels,
91 00:05:40,167 --> 00:05:42,999 you can rebuild another file.
92 00:05:44,125 --> 00:05:48,876 Eight adjacent pixels hold one byte of encoded information.
93 00:05:49,667 --> 00:05:53,999 Audio steganography is similar to the photographs,
94 00:05:53,999 --> 00:05:56,999 but it uses sound.
95 00:05:57,999 --> 00:06:01,459 Humans can't tell the difference between 400 Hertz and 401 Hertz,
96 00:06:01,459 --> 00:06:05,083 especially if it isn't sustained for a long time.
97 00:06:05,542 --> 00:06:10,999 After each frame, one bit is encoded in that frame.
98 00:06:10,999 --> 00:06:13,999 If you get a bunch of audio frames, you have your bytes and now you have
99 00:06:13,999 --> 00:06:15,751 your message.
100 00:06:20,876 --> 00:06:24,999 If you're interested in this kind of stuff, I urge you to take a look
101 00:06:24,999 --> 00:06:28,667 at John Ortiz's work, a presenter at Black Hat.
102 00:06:29,999 --> 00:06:33,209 They go a lot further into both photographs
103 00:06:33,209 --> 00:06:38,250 and audio steganography, more than just using one bit.
104 00:06:38,751 --> 00:06:41,959 Some really neat math tricks you can do to encode information.
105 00:06:42,083 --> 00:06:44,125 Look up John Ortiz if you're interested.
106 00:06:44,999 --> 00:06:49,667 Another digital example is x86 opcodes.
107 00:06:50,125 --> 00:06:53,999 If you take a portable executable file or EXE,
108 00:06:53,999 --> 00:06:59,334 you can encode information using operations that don't really have
109 00:06:59,334 --> 00:07:04,792 an impact on the program such as NOP or the NOP code.
110 00:07:06,250 --> 00:07:09,667 If you have 5 NOPs, you can have one.
111 00:07:15,918 --> 00:07:18,959 The result is nothing, but having an add one and a sub one,
112 00:07:18,959 --> 00:07:21,083 that can mean something.
113 00:07:21,083 --> 00:07:24,209 Maybe add 5, sub 5 means something else.
114 00:07:24,209 --> 00:07:26,999 Any complementary things would work.
115 00:07:26,999 --> 00:07:30,334 Multiplication and division, as long as you have a scheme to write this,
116 00:07:30,334 --> 00:07:31,999 it works.
117 00:07:32,918 --> 00:07:36,083 PE files or EXE files have a lot of other areas where you can
118 00:07:36,083 --> 00:07:38,083 encode information.
119 00:07:38,459 --> 00:07:41,751 This is looking at some of the raw bytes in hex form
120 00:07:41,751 --> 00:07:46,375 of a PE file and there's a lot of space there where you can jam data
121 00:07:46,375 --> 00:07:51,083 that isn't expected by the user, but it wouldn't affect the running
122 00:07:51,083 --> 00:07:54,999 of the program, but it would hide data.
123 00:07:55,167 --> 00:07:58,999 If you send this EXE to someone, they can decode it on their side.
124 00:07:59,334 --> 00:08:03,834 The last example we talk about is chaffing and winnowing.
125 00:08:03,834 --> 00:08:06,751 This is probably the most interesting one, for me at least.
126 00:08:06,999 --> 00:08:10,292 Ron Rivest is the R in RSA.
127 00:08:15,501 --> 00:08:20,334 He, along with the WP stuff... it is sort of a hybrid of both,
128 00:08:20,334 --> 00:08:22,834 but it isn't either.
129 00:08:24,209 --> 00:08:26,083 It has properties of both.
130 00:08:26,250 --> 00:08:28,417 What happens is a sender doesn't only send
131 00:08:28,417 --> 00:08:29,999 his message.
132 00:08:29,999 --> 00:08:32,125 He sends gibberish as well.
133 00:08:32,417 --> 00:08:36,918 So anybody listening sees the message and the gibberish at once.
134 00:08:37,999 --> 00:08:40,459 But the sender is very careful that whenever
135 00:08:40,459 --> 00:08:44,083 he sends a piece of the message that is truly part of the message,
136 00:08:44,083 --> 00:08:47,999 if you were to run a calculation like a parity check on the contents
137 00:08:47,999 --> 00:08:51,999 of the message, it would come out to a certain value.
138 00:08:51,999 --> 00:08:55,501 If you run the same calculation on one of the chaff packets
139 00:08:55,501 --> 00:09:00,459 or non-message packets, it would not yield the same result.
140 00:09:00,459 --> 00:09:01,918 So the receiver, whenever they receive a packet,
141 00:09:01,918 --> 00:09:04,626 they would run the same calculation on it.
142 00:09:04,626 --> 00:09:06,959 Anything that matches the expected value must be part
143 00:09:06,959 --> 00:09:09,167 of the original message.
144 00:09:09,167 --> 00:09:11,918 If they run the calculation and they get a different result,
145 00:09:11,918 --> 00:09:15,792 it must be part of the chaff and they can discard it.
146 00:09:17,167 --> 00:09:20,501 There are four pieces of this message and
147 00:09:20,501 --> 00:09:25,083 the contents are the bits 1, 0, 0 and 1.
148 00:09:25,751 --> 00:09:28,667 If you look at the MAC codes, all of them are even.
149 00:09:28,876 --> 00:09:32,125 This is the encoding scheme for this system.
150 00:09:32,125 --> 00:09:35,709 On the right side, this is what Bob receives from Alice
151 00:09:35,709 --> 00:09:39,999 and some of the packets have an even MAC code.
152 00:09:39,999 --> 00:09:42,209 So those are legit pieces of the message.
153 00:09:42,375 --> 00:09:45,999 The rest have an odd MAC code.
154 00:09:45,999 --> 00:09:47,459 So Bob knows to discard those and only use
155 00:09:47,459 --> 00:09:50,209 the ones that have an even MAC code, and that must be
156 00:09:50,209 --> 00:09:54,999 the message. You can reassemble those together and get the message.
157 00:09:56,292 --> 00:09:59,709 So we talked about a couple of different types of steganography.
158 00:09:59,999 --> 00:10:01,876 They have three things in common.
159 00:10:02,709 --> 00:10:05,999 You need a medium of arbitrary information.
160 00:10:05,999 --> 00:10:08,209 The medium could be your scalp.
161 00:10:08,209 --> 00:10:10,834 It could be a tapestry.
162 00:10:12,959 --> 00:10:17,042 You need a key or legend, a way to encode data.
163 00:10:17,042 --> 00:10:20,417 If you encode this this way, it means this.
164 00:10:21,999 --> 00:10:23,999 And finally, you need a way to differentiate
165 00:10:23,999 --> 00:10:26,167 between this encoded information and the rest
166 00:10:26,167 --> 00:10:29,876 of the medium information that is expected to be there.
167 00:10:29,999 --> 00:10:32,375 So these three things make up steganography.
168 00:10:32,792 --> 00:10:36,834 With that, let's talk about ACL steganography.
169 00:10:37,834 --> 00:10:41,999 It's a way to hide files within the access control lists
170 00:10:41,999 --> 00:10:45,417 on a file on an NTFS file system.
171 00:10:45,417 --> 00:10:46,959 That was a mouthful.
172 00:10:48,501 --> 00:10:53,209 The medium is any file that's on an NTFS file system.
173 00:10:53,459 --> 00:10:57,334 The key is security identifiers within the access control entries and
174 00:10:57,334 --> 00:11:00,999 the differentiator between the message and regular stuff
175 00:11:00,999 --> 00:11:04,709 is access control entries with an unlikely combination
176 00:11:04,709 --> 00:11:06,709 of permissions.
177 00:11:06,792 --> 00:11:10,918 Before we get into more of how the scheme works, I want
178 00:11:10,918 --> 00:11:14,459 to back track a bit and talk about how NTFS works
179 00:11:14,459 --> 00:11:17,792 so we can understand how the scheme works.
180 00:11:17,792 --> 00:11:20,999 On screen here are two images.
181 00:11:20,999 --> 00:11:25,083 The one on the left is the security tab of the properties window for a file.
182 00:11:25,083 --> 00:11:29,167 This shows that there's a user, Michael, who has read and execute permissions
183 00:11:29,167 --> 00:11:32,334 on the file that has been right clicked.
184 00:11:32,334 --> 00:11:35,709 On the right side, we see the computer management window.
185 00:11:35,709 --> 00:11:39,959 This is where Windows adds users and there's a user Michael there.
186 00:11:40,083 --> 00:11:45,459 When I'm pulling up the properties for this file on the left here,
187 00:11:45,459 --> 00:11:51,918 Windows doesn't store the permission entries by name.
188 00:11:51,918 --> 00:11:55,083 They don't say Michael has read, write and execute permissions.
189 00:11:55,083 --> 00:11:59,375 They say security identifier 1, 2, 3, 4, 5 has the permissions.
190 00:11:59,542 --> 00:12:02,125 As I am pulling up this property window,
191 00:12:02,125 --> 00:12:07,667 it will see the security identifier matches with user Michael.
192 00:12:07,667 --> 00:12:09,918 So it displays Michael nicely for me.
193 00:12:10,375 --> 00:12:13,834 I know Michael has read and execute permissions.
194 00:12:13,876 --> 00:12:16,417 There's a lot of permissions that you can set
195 00:12:16,417 --> 00:12:19,751 for a user, a lot more than just the five or six you see
196 00:12:19,751 --> 00:12:21,876 on the left screen.
197 00:12:22,667 --> 00:12:26,751 There are 22 unique permissions in all; however, they are stored
198 00:12:26,751 --> 00:12:29,709 in only 14 bits of information.
199 00:12:29,792 --> 00:12:32,584 This is because a lot of these bits are reused depending
200 00:12:32,584 --> 00:12:35,959 on what you're setting a permission on.
201 00:12:35,959 --> 00:12:39,542 For example, for directories or folders, if you have the ability
202 00:12:39,542 --> 00:12:45,999 to traverse that directory, to open it up, that's one permission you need to track.
203 00:12:45,999 --> 00:12:48,918 But you don't traverse a file or browse the contents of a file
204 00:12:48,918 --> 00:12:51,999 the same way you do with a directory.
205 00:12:51,999 --> 00:12:53,083 So some of these bits are reused depending
206 00:12:53,083 --> 00:12:56,999 if you're looking at a folder or if you're looking at a file.
207 00:12:57,667 --> 00:13:00,876 There are a bunch of unused values that I assume
208 00:13:00,876 --> 00:13:04,999 are left there for future expansion of NTFS.
209 00:13:04,999 --> 00:13:08,083 You can see on screen, there are a lot more granular permissions than
210 00:13:08,083 --> 00:13:10,250 read, write and execute.
211 00:13:12,999 --> 00:13:14,083 This slide shows the difference
212 00:13:14,083 --> 00:13:16,125 between the simple and advanced.
213 00:13:16,167 --> 00:13:19,417 On the left is the file that I was showing earlier and on the right,
214 00:13:19,417 --> 00:13:21,999 you see quite a lot of permissions.
215 00:13:22,083 --> 00:13:26,459 I'm not sure how well you can see all the entries on the right,
216 00:13:26,459 --> 00:13:30,459 but there's a slash there that shows one bit would be used
217 00:13:30,459 --> 00:13:34,792 for either traverse folder or for execute file.
218 00:13:34,792 --> 00:13:36,667 It's the same bit, but depending if it's a folder or a file, it has
219 00:13:36,667 --> 00:13:38,375 a different meaning.
220 00:13:39,834 --> 00:13:42,626 I mentioned security identifiers.
221 00:13:42,876 --> 00:13:44,501 They have security identifiers.
222 00:13:44,999 --> 00:13:47,751 If a user is removed, the operating system can't look
223 00:13:47,751 --> 00:13:50,167 up the name to go with the file.
224 00:13:52,751 --> 00:13:55,083 Michael had read and execute permissions,
225 00:13:55,083 --> 00:13:58,999 but I have deleted the Michael user from the operating system
226 00:13:58,999 --> 00:14:04,626 and you can see here the top entry on the list says S-1-yada, yada, yada.
227 00:14:08,417 --> 00:14:10,375 It didn't display Michael.
228 00:14:11,083 --> 00:14:15,751 That shows that NTFS stores by identifier and not by user.
229 00:14:16,501 --> 00:14:19,667 Let's talk more about the identifiers.
230 00:14:19,667 --> 00:14:22,626 They have a maximum size of 68 bytes.
231 00:14:23,083 --> 00:14:25,792 The first few bytes are pretty much static.
232 00:14:25,792 --> 00:14:27,667 The first byte will always be one.
233 00:14:27,667 --> 00:14:28,999 That's the revision number.
234 00:14:29,167 --> 00:14:32,584 Microsoft doesn't have a second revision of the identifiers.
235 00:14:33,709 --> 00:14:36,918 The second one is the number of sub-authorities within the SID.
236 00:14:38,459 --> 00:14:41,125 The maximum number here is 15.
237 00:14:41,626 --> 00:14:45,250 That's the most you can, the most amount, sorry.
238 00:14:45,250 --> 00:14:47,959 The highest amount of sub-authorities you can fit.
239 00:14:48,083 --> 00:14:51,292 The next six bytes are used for an identifier authority.
240 00:14:52,250 --> 00:14:55,626 There's too much about that to go into great depth in this talk,
241 00:14:55,626 --> 00:14:59,959 but for our purposes, we can say the value will always be four.
242 00:14:59,959 --> 00:15:04,209 And the last 60 bytes store the contents of all the sub-authorities.
243 00:15:05,083 --> 00:15:06,459 All right.
244 00:15:06,459 --> 00:15:08,292 We've gone through a lot of acronyms.
245 00:15:08,292 --> 00:15:11,209 Let's go through acronym review, or AR as I like to call it.
246 00:15:11,876 --> 00:15:14,834 There's an access control list or ACL.
247 00:15:14,918 --> 00:15:18,292 That is a list of access control entries.
248 00:15:18,292 --> 00:15:24,083 There's the access control entry or ACE, which says allow these permissions
249 00:15:24,083 --> 00:15:28,209 for this SID or deny them to this SID.
250 00:15:28,501 --> 00:15:31,083 Finally there's the security identifier.
251 00:15:31,083 --> 00:15:33,999 That's a unique identifier for that user or group
252 00:15:33,999 --> 00:15:36,083 on a Windows system.
253 00:15:39,792 --> 00:15:41,167 All right.
254 00:15:41,167 --> 00:15:42,167 Enough slides.
255 00:15:42,167 --> 00:15:43,292 Let's do a quick demo.
256 00:15:50,918 --> 00:15:52,792 This is the part of the presentation that I was most worried
257 00:15:52,792 --> 00:15:54,709 about, everything breaking.
258 00:15:54,834 --> 00:15:56,542 Everything looks okay.
259 00:15:56,834 --> 00:15:58,999 Nothing crashed, yet.
260 00:16:01,959 --> 00:16:03,083 Okay.
261 00:16:03,083 --> 00:16:06,083 So this is a Windows VM.
262 00:16:06,083 --> 00:16:09,542 Let's put it in full screen so we see a little bit better.
263 00:16:13,667 --> 00:16:14,999 All right.
264 00:16:14,999 --> 00:16:16,999 So, I have prepared a file that I'm going
265 00:16:16,999 --> 00:16:20,999 to encode using this ACL steganography scheme.
266 00:16:21,999 --> 00:16:24,334 I have created a TrueCrypt volume.
267 00:16:25,751 --> 00:16:28,459 Inside I have a Bitcoin wallet.
268 00:16:28,459 --> 00:16:33,542 It is a simple file that holds all my keys for this example.
269 00:16:33,542 --> 00:16:36,626 I will encode this Bitcoin wallet and hide it in my file system
270 00:16:36,626 --> 00:16:41,459 in a way that cannot be easily found by my forensic investigator.
271 00:16:44,083 --> 00:16:50,999 You want to make sure it is not in use before we encode it.
272 00:16:50,999 --> 00:16:54,999 I have also prepared, okay.
273 00:16:55,459 --> 00:16:59,083 So here's the TrueCrypt volume that I will be encoding.
274 00:16:59,999 --> 00:17:05,999 I need to put this file into ACL entries on a set of files.
275 00:17:05,999 --> 00:17:09,542 So I've prepared 16 text files that I will be using
276 00:17:09,542 --> 00:17:13,083 to hold this TrueCrypt volume.
277 00:17:13,083 --> 00:17:16,709 Let's take a look at the permissions of some of the files here.
278 00:17:16,709 --> 00:17:17,999 I will choose number 1.
279 00:17:18,209 --> 00:17:19,709 Right click, properties.
280 00:17:19,709 --> 00:17:22,167 I will go to the security tab and you can see there's default
281 00:17:22,167 --> 00:17:26,999 permissions here: authenticated users, the system, nothing fancy here.
282 00:17:27,459 --> 00:17:30,584 Now that we know the permissions on this file,
283 00:17:30,584 --> 00:17:33,999 let's encode some data into it.
284 00:17:33,999 --> 00:17:35,876 I will launch the ACL encode utility that I
285 00:17:35,876 --> 00:17:37,501 have created.
286 00:17:37,834 --> 00:17:40,876 We'll choose the file that I want to encode.
287 00:17:40,876 --> 00:17:42,876 In this case, it is the TrueCrypt volume.
288 00:17:44,501 --> 00:17:47,083 I have to choose a file list.
289 00:17:47,999 --> 00:17:53,999 It says which files should I use to encode this data.
290 00:17:53,999 --> 00:17:55,999 So I will create a file list real quick.
291 00:17:55,999 --> 00:17:58,834 I will go to the test folder.
292 00:17:59,083 --> 00:18:03,167 Let's take all 16 of these files that will be on our list.
293 00:18:03,709 --> 00:18:07,334 And I will save the filelist.txt.
294 00:18:13,083 --> 00:18:17,083 So you can see what that did: it created one entry for each
295 00:18:17,083 --> 00:18:21,209 of the files that I selected in that dialog.
296 00:18:21,999 --> 00:18:25,083 I will encode into all of the 16 files.
297 00:18:25,626 --> 00:18:29,209 And it's as easy as clicking Encode.
298 00:18:29,999 --> 00:18:34,584 You can imagine, it has to split up the file into a lot of different pieces
299 00:18:34,584 --> 00:18:37,834 and convert the pieces into ACL entries and put each
300 00:18:37,834 --> 00:18:41,834 of these entries into all 16 files I have chosen.
301 00:18:42,250 --> 00:18:45,834 For this example, it takes about 27 seconds.
302 00:18:45,999 --> 00:18:47,250 I've timed it.
303 00:18:47,918 --> 00:18:50,999 In addition to splitting up the file, it needs to do a couple
304 00:18:50,999 --> 00:18:53,501 of other things like add the security identifiers
305 00:18:53,501 --> 00:18:57,375 to a special part of the volume called the secure file.
306 00:18:57,375 --> 00:19:00,083 I will go into more depth later in the presentation.
307 00:19:00,250 --> 00:19:00,667 There you go.
308 00:19:00,667 --> 00:19:02,375 The file has been encoded.
309 00:19:03,959 --> 00:19:08,667 If we take a look at the test files, they look like they're regular files,
310 00:19:08,667 --> 00:19:12,209 but if we take a closer look at the security permissions,
311 00:19:12,209 --> 00:19:16,083 we'll notice that there's a lot more entries here than there
312 00:19:16,083 --> 00:19:17,999 were before.
313 00:19:18,083 --> 00:19:20,999 Each of these entries doesn't have an associated user account
314 00:19:20,999 --> 00:19:22,999 within Windows.
315 00:19:22,999 --> 00:19:23,999 So Windows can't look up a friendly name
316 00:19:23,999 --> 00:19:25,999 like Michael to display.
317 00:19:26,918 --> 00:19:32,876 So all these values here are the Bitcoin wallet.
318 00:19:34,959 --> 00:19:38,792 Now that we've written it, let's take it out.
319 00:19:38,792 --> 00:19:40,209 It's the exact opposite.
320 00:19:40,501 --> 00:19:43,999 In this case, I'm going to change the target.
321 00:19:43,999 --> 00:19:45,959 Let's say out.
322 00:19:45,959 --> 00:19:47,999 It will make a TrueCrypt volume underscore
323 00:19:47,999 --> 00:19:49,999 and decode.
324 00:19:49,999 --> 00:19:51,999 Decoding is a lot faster than encoding.
325 00:19:52,167 --> 00:19:56,167 It started to create the file and chunk it out.
326 00:19:57,083 --> 00:20:01,375 Shortly, we should see that the file has been decoded, and it has.
327 00:20:01,834 --> 00:20:02,918 This is here.
328 00:20:02,918 --> 00:20:04,834 You can see the file sizes are the same.
329 00:20:04,834 --> 00:20:05,834 220 kilobytes.
330 00:20:06,167 --> 00:20:07,709 We'll see if it works.
331 00:20:09,125 --> 00:20:16,626 Using my super secret password, and there it is.
332 00:20:16,626 --> 00:20:17,626 Open it up.
333 00:20:18,042 --> 00:20:21,250 It successfully encoded and decoded it.
334 00:20:21,250 --> 00:20:22,250 It worked.
335 00:20:28,250 --> 00:20:28,918 [APPLAUSE]
336 00:20:28,918 --> 00:20:29,999 CO.
337 00:20:36,125 --> 00:20:41,834 I'm having a hard time getting out of this VM.
338 00:20:43,459 --> 00:20:44,792 Yeah.
339 00:20:48,250 --> 00:20:49,709 Drink.
340 00:20:53,209 --> 00:20:53,584 [Laughter]
341 00:20:53,584 --> 00:20:55,292 Shortcut is not working.
342 00:20:58,918 --> 00:20:58,999
343 00:20:58,999 --> 00:21:00,083 [INAUDIBLE]
344 00:21:00,083 --> 00:21:04,501 MICHAEL PERKLIN: There it is.
345 00:21:06,250 --> 00:21:07,626 Okay.
346 00:21:07,626 --> 00:21:08,792 Yeah.
347 00:21:09,083 --> 00:21:10,959 Drink harder in the audience?
348 00:21:10,959 --> 00:21:11,959 Yeah.
349 00:21:11,959 --> 00:21:16,999 I think that deserves it.
350 00:21:16,999 --> 00:21:17,999 All right.
351 00:21:21,876 --> 00:21:23,999 So we just went through the demonstration.
352 00:21:23,999 --> 00:21:26,626 Let's take a look at how this worked under the hood.
353 00:21:26,626 --> 00:21:28,999 What was the program doing behind the scenes?
354 00:21:29,167 --> 00:21:32,667 The file was a TrueCrypt volume.
355 00:21:32,667 --> 00:21:36,999 When I hit encode on the volume, you can see there on the screen
356 00:21:36,999 --> 00:21:42,125 behind me, there are yellow chunks and blue chunks.
357 00:21:42,667 --> 00:21:45,375 I am only using a file list for two files.
358 00:21:46,542 --> 00:21:49,083 I chunked it up into 16 files.
359 00:21:49,083 --> 00:21:52,417 So there would be 16 different colors instead of the one you see.
360 00:21:52,417 --> 00:21:53,792 Each chunk becomes a SID.
361 00:21:55,375 --> 00:21:57,626 There are two files.
362 00:21:57,709 --> 00:22:00,792 File one and file two.
363 00:22:00,999 --> 00:22:05,542 The first chunk will be written as a SID and will be encoded there.
364 00:22:05,542 --> 00:22:07,834 The second chunk will go to file number two.
365 00:22:07,834 --> 00:22:10,334 The fourth chunk will go to file number two again, and back
366 00:22:10,334 --> 00:22:13,375 and forth until it is encoded.
367 00:22:13,876 --> 00:22:18,167 All the ACEs are created with allow permission.
368 00:22:19,209 --> 00:22:22,999 It allows that SID to do certain things.
369 00:22:23,375 --> 00:22:29,334 Each of these is added to the ACLs for all the files listed in the file list.
370 00:22:29,459 --> 00:22:31,999 When it's doing this, the order is important
371 00:22:31,999 --> 00:22:35,834 because we need to know where chunk 1 goes and chunk 2.
372 00:22:35,999 --> 00:22:39,626 When we decode it, we reassemble all the chunks in the right order.
373 00:22:39,626 --> 00:22:44,918 Also, like the chaffing and winnowing that we went over earlier, we need
374 00:22:44,918 --> 00:22:49,250 to know which ACEs are legitimate and which ACEs belong
375 00:22:49,250 --> 00:22:52,083 to my encoding scheme.
376 00:22:52,083 --> 00:22:54,918 So there's a way that I do this.
377 00:22:55,209 --> 00:22:58,083 There are two bits set in every single permission
378 00:22:58,083 --> 00:23:00,709 for an ACL-encoded entry.
379 00:23:00,709 --> 00:23:04,083 The synchronize bit and the permissions bit.
380 00:23:04,999 --> 00:23:08,501 The synchronize bit cannot be set through the Windows UI.
381 00:23:08,751 --> 00:23:12,167 You go to a security tab of a file within Windows and look
382 00:23:12,167 --> 00:23:15,999 through that long list of all the advanced permissions,
383 00:23:15,999 --> 00:23:19,083 you will not find synchronize.
384 00:23:19,083 --> 00:23:21,834 It is a hidden piece of Windows that's used
385 00:23:21,834 --> 00:23:24,834 for thread synchronization.
386 00:23:24,959 --> 00:23:27,501 It is used under the hood for the operating system
387 00:23:27,501 --> 00:23:32,209 and you can set it programmatically, which is what I've done.
388 00:23:33,083 --> 00:23:37,250 And those two bits are red in the diagram you see here.
389 00:23:37,876 --> 00:23:41,999 The green bits are what I use for encoding their position
390 00:23:41,999 --> 00:23:44,667 within the overall file.
391 00:23:44,999 --> 00:23:48,959 So the last nine bits are used as a counter with possible values
392 00:23:48,959 --> 00:23:51,083 of zero through 511.
393 00:23:51,209 --> 00:23:53,918 The first bit is, sorry.
394 00:23:55,083 --> 00:23:58,999 The first chunk will be encoded with a value of zero and then
395 00:23:58,999 --> 00:24:01,501 the next with one and so on.
396 00:24:01,751 --> 00:24:03,501 That can hold all these.
397 00:24:05,125 --> 00:24:09,584 The file list that we're using, the list of all the 16 files that I chose,
398 00:24:09,584 --> 00:24:13,834 becomes a symmetric key between the encoder and decoder.
399 00:24:13,918 --> 00:24:18,459 Without that file list, you don't know what order your entries
400 00:24:18,459 --> 00:24:23,292 belong in and you don't know how to reassemble them.
401 00:24:23,292 --> 00:24:26,542 So the list identifies which files on the volume have ACL-encoded
402 00:24:26,542 --> 00:24:28,999 entries and the list identifies the order
403 00:24:28,999 --> 00:24:32,083 in which those entries are encoded.
404 00:24:32,709 --> 00:24:35,209 You can imagine there are limitations.
405 00:24:35,876 --> 00:24:39,999 An access control list can be no larger than 64 kilobytes.
406 00:24:40,459 --> 00:24:42,834 This is the Windows operating system.
407 00:24:42,918 --> 00:24:47,250 Now each access control entry in the list has a maximum size
408 00:24:47,250 --> 00:24:49,125 of 76 bytes.
409 00:24:49,125 --> 00:24:51,667 That's 68 bytes to encode the SID, plus an 8-byte
410 00:24:51,667 --> 00:24:54,834 header which says allow or deny and details
411 00:24:54,834 --> 00:24:57,667 of that access control entry.
412 00:24:57,667 --> 00:25:03,083 This produces a theoretical maximum of 862 ACEs per file.
413 00:25:03,250 --> 00:25:08,209 Rather than cram 862 entries per file, I've imposed a limit of 512 per file
414 00:25:08,209 --> 00:25:11,167 and this is mostly because you need room
415 00:25:11,167 --> 00:25:13,999 for legitimate entries.
416 00:25:14,083 --> 00:25:18,083 If you remove the ability for everyone to read a file or for the administrator
417 00:25:18,083 --> 00:25:21,709 to write to a file, you can't use it at all.
418 00:25:21,709 --> 00:25:23,999 There has to be room for real permissions.
419 00:25:24,125 --> 00:25:26,083 That's why I've imposed a limit of 512.
420 00:25:28,999 --> 00:25:34,709 Using those numbers means the largest possible file you can encode 421 00:25:34,709 --> 00:25:38,083 is given by this calculation here. 422 00:25:38,083 --> 00:25:40,999 The number of files on the list times 512 times 60 bytes, 423 00:25:40,999 --> 00:25:43,751 or 30 kilobytes per file. 424 00:25:43,999 --> 00:25:49,834 The larger the file, the more and more files you need to accommodate it. 425 00:25:49,834 --> 00:25:53,999 Each file in the list allows you to encode 30 kilobytes more data. 426 00:25:56,959 --> 00:25:58,876 There's another limitation. 427 00:25:58,876 --> 00:26:00,459 The $Secure file limitation. 428 00:26:00,459 --> 00:26:02,626 The $Secure file is a hidden file that 429 00:26:02,626 --> 00:26:04,959 is on all NTFS volumes. 430 00:26:05,999 --> 00:26:10,542 This file is like a mini database that stores all the security information 431 00:26:10,542 --> 00:26:12,459 for every file. 432 00:26:12,459 --> 00:26:15,999 Doesn't matter if it's in C:\Windows or C:\Users. 433 00:26:15,999 --> 00:26:17,501 Any file, anywhere on the volume, has 434 00:26:17,501 --> 00:26:22,876 all of its permissions crammed in this one file called the $Secure file. 435 00:26:23,876 --> 00:26:27,459 Every time a new security identifier is encountered, 436 00:26:27,459 --> 00:26:31,334 Windows adds that SID to the $Secure file. 437 00:26:31,334 --> 00:26:34,292 It does this so in the future if you are trying 438 00:26:34,292 --> 00:26:39,999 to read or write permissions of that file, Windows will be optimized and 439 00:26:39,999 --> 00:26:42,999 will know that it's there. 440 00:26:42,999 --> 00:26:46,417 It sort of caches it. 441 00:26:46,999 --> 00:26:50,292 NTFS doesn't remove old or new. 442 00:26:53,834 --> 00:26:57,999 All the files that user used to be able 443 00:26:57,999 --> 00:27:01,751 to read or write have been deleted. 
444 00:27:03,584 --> 00:27:08,501 You can remove every single file that Michael ever had permissions on. 445 00:27:08,501 --> 00:27:11,417 But the SID will always still be there. 446 00:27:11,709 --> 00:27:15,292 It is designed to grow in size and never shrink. 447 00:27:15,417 --> 00:27:18,167 This imposes a severe limitation. 448 00:27:18,584 --> 00:27:20,999 Every single chunk of an ACL encoded file 449 00:27:20,999 --> 00:27:25,834 will always persist in the $Secure file forever. 450 00:27:26,709 --> 00:27:30,626 So the more you try to encode data, the more data will be eaten 451 00:27:30,626 --> 00:27:33,959 up by your file system and you won't be able 452 00:27:33,959 --> 00:27:37,876 to recover this even if you try to clean it up. 453 00:27:37,876 --> 00:27:39,167 Now, if you do manual hacking, you might be able 454 00:27:39,167 --> 00:27:43,334 to remove them manually, but that's beyond the scope of this talk. 455 00:27:43,834 --> 00:27:46,918 Let's take a look at how this works, or how this looks, 456 00:27:46,918 --> 00:27:49,083 to a forensic examiner. 457 00:27:49,083 --> 00:27:51,999 I mentioned I am a forensic examiner and I have access 458 00:27:51,999 --> 00:27:53,999 to forensic tools. 459 00:27:54,209 --> 00:27:58,501 What better way to test this than to use my tools? 460 00:28:01,876 --> 00:28:04,584 I formatted as NTFS. 461 00:28:04,792 --> 00:28:07,626 And then I used two common tools. 462 00:28:09,083 --> 00:28:11,999 Guidance's EnCase Forensic. 463 00:28:12,083 --> 00:28:13,667 I used slightly older versions of the tools 464 00:28:13,667 --> 00:28:17,125 because they're more widely known and more supported. 465 00:28:18,125 --> 00:28:21,626 Even the newest versions have the same results. 466 00:28:21,792 --> 00:28:27,083 So in order to do the test, I have prepared a couple of test files. 
467 00:28:27,083 --> 00:28:30,501 Again, I created a folder with a bunch of text files as my list 468 00:28:30,501 --> 00:28:35,125 of files that I'll be using and I created a file list.txt. 469 00:28:38,209 --> 00:28:41,167 Then I created an input file. 470 00:28:41,167 --> 00:28:44,459 I wanted an input file that had contents that were nowhere else. 471 00:28:44,459 --> 00:28:48,125 So I could see where it came up on the volume. 472 00:28:48,250 --> 00:28:51,542 So I created a 4 kilobyte file with just DEF CON XXI repeated 473 00:28:51,542 --> 00:28:53,959 over and over again. 474 00:28:53,999 --> 00:28:58,918 This would allow me to search for it later to find it. 475 00:28:58,999 --> 00:29:02,501 Let's see how AccessData held up on this. 476 00:29:02,876 --> 00:29:04,999 This is FTK4. 477 00:29:04,999 --> 00:29:09,083 We're taking a look at all 16 files. 478 00:29:09,083 --> 00:29:12,375 You can see on the bottom half of the image. 479 00:29:12,999 --> 00:29:15,125 File number 1 is selected. 480 00:29:15,125 --> 00:29:18,501 And FTK is showing us the owner of the file. 481 00:29:18,501 --> 00:29:23,375 It is showing us the size and the date and the day it was modified, 482 00:29:23,375 --> 00:29:26,083 et cetera, et cetera. 483 00:29:28,999 --> 00:29:35,375 I started hunting and pecking, looking to see where I could see security permissions 484 00:29:35,375 --> 00:29:39,459 on the files that are listed in FTK. 485 00:29:39,959 --> 00:29:47,250 FTK lists a lot of different fields within NTFS that you're able to view. 486 00:29:47,459 --> 00:29:50,375 None of these are the access control list. 487 00:29:50,542 --> 00:29:56,083 So I found that FTK4 has no way to show what permissions were set 488 00:29:56,083 --> 00:29:57,999 on a file. 489 00:29:58,250 --> 00:30:01,792 I contacted their tech support and I discussed the issue with them. 490 00:30:01,876 --> 00:30:04,209 They assured me there's no way. 
491 00:30:04,209 --> 00:30:06,250 I discussed it on their user forum, asking 492 00:30:06,250 --> 00:30:10,334 if anybody knew of a way to see which users had permissions 493 00:30:10,334 --> 00:30:16,167 on the files that were analyzed, and the consensus was use another tool. 494 00:30:16,375 --> 00:30:20,751 So FTK4 cannot do it; however, FTK4 can still analyze 495 00:30:20,751 --> 00:30:25,292 the $Secure file. 496 00:30:25,459 --> 00:30:31,083 If you search through that $Secure file, you can see some of the contents. 497 00:30:31,083 --> 00:30:32,999 This is 60 bytes. 498 00:30:33,999 --> 00:30:39,959 This is one of the SIDs for one of the files that was encoded. 499 00:30:39,959 --> 00:30:44,292 So you can still see the data buried in the $Secure file, but it's not 500 00:30:44,292 --> 00:30:47,542 in an easily presentable list. 501 00:30:48,125 --> 00:30:50,999 In this case, I am searching for values that I knew were 502 00:30:50,999 --> 00:30:54,083 in the input file because I put them there. 503 00:30:54,501 --> 00:30:59,834 If TrueCrypt was used to encrypt the data, this would be more gibberish 504 00:30:59,834 --> 00:31:05,792 and I would have no idea this is part of an ACL encoded entry. 505 00:31:12,709 --> 00:31:15,626 In EnCase, there are a couple different view modes you can 506 00:31:15,626 --> 00:31:18,292 see when you are looking at a file. 507 00:31:18,375 --> 00:31:21,417 Right now, we're looking at the Home view of the entries list 508 00:31:21,417 --> 00:31:24,999 and you can see all 16 of the files listed. 509 00:31:24,999 --> 00:31:27,334 There, file number 1 is selected on the right. 510 00:31:27,584 --> 00:31:29,417 So that's the file we're looking at. 511 00:31:29,999 --> 00:31:32,999 Now the second arrow is the permissions tab. 512 00:31:32,999 --> 00:31:36,918 When you click on the permissions tab, you can see the permissions of the file. 
513 00:31:36,999 --> 00:31:41,459 Here you can see there are access control list entries for that file. 514 00:31:41,459 --> 00:31:44,209 The very first one, S-1, yada, yada, yada. 515 00:31:55,959 --> 00:31:58,209 Then click back on the permissions tab so I can give 516 00:31:58,209 --> 00:32:00,999 you the permissions for file number 2. 517 00:32:01,459 --> 00:32:05,459 You click Home, click file 3 and click permissions. 518 00:32:05,459 --> 00:32:08,834 It is a very manual process and no investigator has the time 519 00:32:08,834 --> 00:32:12,542 to manually inspect all the permissions for all the files 520 00:32:12,542 --> 00:32:14,751 on an NTFS volume. 521 00:32:16,459 --> 00:32:20,292 Again, if we take a look at the $Secure file, 522 00:32:20,292 --> 00:32:24,792 you can see the contents of some of the SIDs; DEF CON XXI 523 00:32:24,792 --> 00:32:28,834 is shown on the bottom left of the photo. 524 00:32:29,083 --> 00:32:31,083 In addition to the one SID that's highlighted, 525 00:32:31,083 --> 00:32:34,125 there are two other SIDs that occur. 526 00:32:40,792 --> 00:32:43,125 So the forensic detection of ACL encoding 527 00:32:43,125 --> 00:32:46,334 is a very manual process using the most common tools 528 00:32:46,334 --> 00:32:49,501 in a forensic investigator's toolkit. 529 00:32:49,959 --> 00:32:55,083 Sure, there are other tools that may be able to view access control lists more 530 00:32:55,083 --> 00:32:58,542 readily, but they aren't the standard go-to tools 531 00:32:58,542 --> 00:33:01,375 for forensic investigators. 532 00:33:01,501 --> 00:33:04,959 Now, you can detect some of these uses in an automated way. 533 00:33:04,959 --> 00:33:10,083 EnCase Forensic has a scripting language called EnScript. 
534 00:33:10,083 --> 00:33:11,999 You can write EnScripts to automatically go 535 00:33:11,999 --> 00:33:15,375 through every single file, look at access control entries 536 00:33:15,375 --> 00:33:18,584 and compare each of the entries with SIDs that appear 537 00:33:18,584 --> 00:33:21,501 in the Windows operating system. 538 00:33:21,999 --> 00:33:23,999 If there are differences, so there are entries 539 00:33:23,999 --> 00:33:27,999 on a file that didn't match anything on the operating system, well, 540 00:33:27,999 --> 00:33:30,709 maybe this should be looked at. 541 00:33:30,709 --> 00:33:34,834 So you can automate a script to show everything to you 542 00:33:34,834 --> 00:33:40,167 in a nice way, but that's over and above this talk. 543 00:33:40,751 --> 00:33:42,292 Looks like I'm out of time. 544 00:33:42,292 --> 00:33:43,999 So I can't even tell you about that. 545 00:33:43,999 --> 00:33:46,334 So if there are questions and answers, you can see me 546 00:33:46,334 --> 00:33:48,792 in the speaker Q&A room. 547 00:33:48,792 --> 00:33:54,083 I would like to thank Josh, Reese, and Kyle and special thanks to Eugene. 548 00:34:01,709 --> 00:34:02,999 Thank you. 549 00:34:08,834 --> 00:34:09,083 [APPLAUSE] 550 00:34:09,083 --> 00:34:11,959 It seems that I wasn't actually out of time. 551 00:34:11,959 --> 00:34:14,125 So, if there are questions, I have 10 minutes. 552 00:34:14,125 --> 00:34:20,709 If someone wants to ask a question, you can. 553 00:34:20,709 --> 00:34:21,709 Come here. 554 00:34:21,709 --> 00:34:23,459 See this goon if you have a question. 555 00:34:23,709 --> 00:34:27,250 But in 10 minutes, I will be in the speaker Q&A room 556 00:34:27,250 --> 00:34:29,834 for better questions. 557 00:34:35,626 --> 00:34:36,999 Yes, sir. 558 00:34:37,250 --> 00:34:41,834 Can we have the mic turned on, please, for the audience? 559 00:34:41,999 --> 00:34:48,167 So would there be any way to implement this into Mac OS's ACLs? 
560 00:34:48,167 --> 00:34:50,167 MICHAEL PERKLIN: Yes. 561 00:34:50,167 --> 00:34:53,626 There would be, for Mac OS. 562 00:34:54,792 --> 00:35:00,417 The scheme that I created was for NTFS entries using SIDs. 563 00:35:00,417 --> 00:35:02,876 The way that Mac OS, they use the 564 00:35:02,876 --> 00:35:03,999 [INAUDIBLE] 565 00:35:03,999 --> 00:35:06,083 file system. 566 00:35:06,083 --> 00:35:07,876 You would have to encode it in a different way, 567 00:35:07,876 --> 00:35:10,334 but it can be adapted for that. 568 00:35:10,334 --> 00:35:12,709 It is a matter of writing a tool to get it done. 569 00:35:12,709 --> 00:35:13,709 Thanks. 570 00:35:13,709 --> 00:35:15,125 MICHAEL PERKLIN: Thank you. 571 00:35:15,125 --> 00:35:18,083 Nice job, by the way. 572 00:35:18,083 --> 00:35:19,083 Nice job. 573 00:35:19,083 --> 00:35:20,667 MICHAEL PERKLIN: Thank you. 574 00:35:20,667 --> 00:35:21,667 Sorry. 575 00:35:21,667 --> 00:35:25,250 I got here a little late and I missed the entry point in the presentation. 576 00:35:25,250 --> 00:35:28,542 MICHAEL PERKLIN: I am having a very hard time hearing the mic. 577 00:35:28,542 --> 00:35:31,167 How about right now? 578 00:35:31,167 --> 00:35:36,999 MICHAEL PERKLIN: I just hear echoes. 579 00:35:36,999 --> 00:35:37,999 I'm sorry. 580 00:35:38,083 --> 00:35:39,083 Here. 581 00:35:39,375 --> 00:35:40,999 Come on the stage. 582 00:35:41,334 --> 00:35:42,626 You can repeat it. 583 00:36:03,375 --> 00:36:03,542 584 00:36:03,542 --> 00:36:04,250 [INAUDIBLE] 585 00:36:04,250 --> 00:36:08,417 MICHAEL PERKLIN: So the question was for streaming media, 586 00:36:08,417 --> 00:36:12,542 if you were to take a file and stream it, say from the cloud, 587 00:36:12,542 --> 00:36:18,501 can you use this encoded information and distribute it through a stream? 588 00:36:18,501 --> 00:36:21,834 I would say no to that because this scheme doesn't store 589 00:36:21,834 --> 00:36:24,792 anything in the file itself. 
590 00:36:24,792 --> 00:36:27,083 It stores it in the metadata about the file that 591 00:36:27,083 --> 00:36:29,918 the hard drive is holding. 592 00:36:29,918 --> 00:36:34,417 So all the access control lists, this is within Windows. 593 00:36:34,417 --> 00:36:35,417 It's for the file. 594 00:36:35,417 --> 00:36:36,751 Once you start distributing the contents of a file, 595 00:36:36,751 --> 00:36:39,083 you are not touching the metadata. 596 00:36:39,083 --> 00:36:40,999 So that's not going to be distributed. 597 00:36:43,751 --> 00:36:45,375 Hi, there. 598 00:36:45,584 --> 00:36:49,709 I guess my main question here is: How could I avoid detection 599 00:36:49,709 --> 00:36:53,626 with this method when we're modulating communication 600 00:36:53,626 --> 00:36:56,751 in a well known file system? 601 00:36:56,999 --> 00:37:00,751 Why can't I write something that computes entropy and automatically 602 00:37:00,751 --> 00:37:03,209 detects someone is doing this? 603 00:37:03,209 --> 00:37:11,292 It is a place to drop in sub channel or covert channel communication. 604 00:37:11,584 --> 00:37:14,918 So how would you compare this to them using TrueCrypt 605 00:37:14,918 --> 00:37:18,334 with a random offset deep in the file system where I have 606 00:37:18,334 --> 00:37:20,999 randomized the free blocks? 607 00:37:20,999 --> 00:37:24,083 This to me seems like it is immediately detectable 608 00:37:24,083 --> 00:37:28,876 by using statistical and entropy calculations. 609 00:37:30,501 --> 00:37:33,167 It is a curious question I have. 610 00:37:33,375 --> 00:37:35,999 MICHAEL PERKLIN: As far as detection goes, as long 611 00:37:35,999 --> 00:37:40,375 as you're able to see the entries, you know there is something there. 612 00:37:40,375 --> 00:37:42,417 You won't know what is there, but you'll be able 613 00:37:42,417 --> 00:37:44,999 to tell there is something. 
614 00:37:45,459 --> 00:37:48,083 Now, as far as re-encoding the entries 615 00:37:48,083 --> 00:37:51,125 in a way that would be a covert sub channel, 616 00:37:51,125 --> 00:37:54,918 you can always adjust the scheme in a way that each 617 00:37:54,918 --> 00:37:59,999 of the SIDs you create are valid SIDs that are in the operating system, 618 00:37:59,999 --> 00:38:03,459 but I would imagine by doing that, you would have 619 00:38:03,459 --> 00:38:08,876 to store it in much less than 60 bytes per chunk, which would mean you need far 620 00:38:08,876 --> 00:38:12,751 more values to store a much smaller file. 621 00:38:12,959 --> 00:38:15,375 Someone in your position that wants 622 00:38:15,375 --> 00:38:20,999 to detect someone doing this, a traditional file system has blank data 623 00:38:20,999 --> 00:38:27,083 and now someone is jacking in a modulation that uses the ACL bits. 624 00:38:27,292 --> 00:38:29,167 To me, it seems it would be immediately detectable 625 00:38:29,167 --> 00:38:32,834 because you are not burying it in the drive somehow. 626 00:38:33,083 --> 00:38:34,709 MICHAEL PERKLIN: True. 627 00:38:36,501 --> 00:38:39,667 It would be detectable, if you are looking for it. 628 00:38:39,792 --> 00:38:43,083 In most cases, you are not looking for the access control lists. 629 00:38:45,999 --> 00:38:52,125 If you see somebody exfiltrate data from their company, did they use 630 00:38:52,125 --> 00:38:54,083 a USB key? 631 00:38:54,083 --> 00:38:56,334 Did they e-mail themselves? 632 00:38:56,334 --> 00:38:57,876 Did they do all these things? 633 00:38:57,876 --> 00:39:00,834 I will not start looking at every access control list 634 00:39:00,834 --> 00:39:06,584 on their laptop to see if they have encoded that information. 635 00:39:06,584 --> 00:39:10,834 But of course, you can have a script that would automate checking. 636 00:39:12,501 --> 00:39:15,250 But it is a cat and mouse game. 
637 00:39:15,834 --> 00:39:17,959 You come up with a better way of getting 638 00:39:17,959 --> 00:39:19,959 around controls. 639 00:39:19,959 --> 00:39:21,876 Now you have controls to detect that. 640 00:39:21,999 --> 00:39:23,292 It's a cat and mouse game. 641 00:39:23,292 --> 00:39:24,751 All right. 642 00:39:24,751 --> 00:39:25,751 Thanks. 643 00:39:25,751 --> 00:39:27,209 MICHAEL PERKLIN: Thank you. 644 00:39:27,209 --> 00:39:28,209 Anyone else? 645 00:39:28,209 --> 00:39:29,209 Questions? 646 00:39:29,209 --> 00:39:32,709 MICHAEL PERKLIN: Do we have time for more? 647 00:39:34,501 --> 00:39:35,999 Two more. 648 00:39:35,999 --> 00:39:38,918 MICHAEL PERKLIN: These are the last two questions. 649 00:39:39,334 --> 00:39:46,209 With NTFS data streams, and if the scheme can work through ADS. 650 00:39:46,792 --> 00:39:48,999 MICHAEL PERKLIN: Alternate data streams? 651 00:39:48,999 --> 00:39:50,083 Yes. 652 00:39:50,083 --> 00:39:52,999 MICHAEL PERKLIN: I am very familiar with it. 653 00:39:52,999 --> 00:39:53,292 Both FTK and 654 00:39:53,292 --> 00:39:53,792 [INAUDIBLE] 655 00:39:53,792 --> 00:39:58,999 support alternate data in the alternate data streams. 656 00:40:00,709 --> 00:40:04,209 If you have a file named, say, file list and you double click the file, 657 00:40:04,209 --> 00:40:07,999 you are looking at the first stream of that data. 658 00:40:07,999 --> 00:40:12,709 It is possible using some command line tools you can have two separate files 659 00:40:12,709 --> 00:40:16,959 that are both assigned the same file name. 660 00:40:17,417 --> 00:40:20,626 You can take a look at the second one. 661 00:40:20,792 --> 00:40:22,834 Do you know if those files hidden 662 00:40:22,834 --> 00:40:26,417 through ADS fall under the same permissions? 663 00:40:27,709 --> 00:40:32,292 Do the files fall under the same permissions? 
664 00:40:32,375 --> 00:40:32,501 665 00:40:32,501 --> 00:40:32,501 [INAUDIBLE] 666 00:40:32,501 --> 00:40:35,834 MICHAEL PERKLIN: The question was: Do these alternate data streams 667 00:40:35,834 --> 00:40:38,042 fall under the same permissions? 668 00:40:38,042 --> 00:40:39,042 They do. 669 00:40:39,999 --> 00:40:43,042 They are assigned by file name whether 1, 670 00:40:43,042 --> 00:40:46,999 2 or alternate different data streams. 671 00:40:46,999 --> 00:40:49,876 They all have the same permissions. 672 00:40:49,999 --> 00:40:50,999 Last question. 673 00:40:50,999 --> 00:40:53,334 Can you hear me? 674 00:40:53,999 --> 00:40:55,042 Okay. 675 00:41:03,083 --> 00:41:07,125 So the $Secure file ends up having all this extra junk. 676 00:41:10,083 --> 00:41:12,334 Do you directly manipulate the file? 677 00:41:15,334 --> 00:41:20,999 MICHAEL PERKLIN: If you can embed stuff as a method of stego. 678 00:41:21,167 --> 00:41:23,501 That isn't exactly what ACL does. 679 00:41:24,459 --> 00:41:27,375 It throws it in the $Secure file. 680 00:41:27,999 --> 00:41:31,999 By adding an entry to a file on a hard drive, that SID gets put 681 00:41:31,999 --> 00:41:36,083 into the $Secure file by Windows. 682 00:41:36,417 --> 00:41:38,999 You don't need to put it in $Secure. 683 00:41:39,834 --> 00:41:42,334 It will go in there because of Windows. 684 00:41:42,334 --> 00:41:46,667 I mean, even if the files are deleted, it disappears. 685 00:41:46,667 --> 00:41:48,709 But the $Secure file is still there 686 00:41:48,709 --> 00:41:53,083 with data that can be decoded in a decodable way. 687 00:41:54,999 --> 00:41:57,501 That is the chunk that accumulates there. 688 00:41:57,709 --> 00:42:02,709 That is entropy that you can manipulate to store data too. 689 00:42:02,709 --> 00:42:04,792 You create files and then delete them. 690 00:42:05,125 --> 00:42:07,250 MICHAEL PERKLIN: That's a good point. 
691 00:42:07,250 --> 00:42:10,709 It sounds like a different application of this type of scheme. 692 00:42:11,999 --> 00:42:14,999 I would be curious if you write something like that. 693 00:42:15,459 --> 00:42:17,292 It would just be a different way. 694 00:42:17,999 --> 00:42:19,334 Repeat it? 695 00:42:19,334 --> 00:42:20,334 Sorry. 696 00:42:20,334 --> 00:42:22,751 He was saying within the $Secure file, 697 00:42:22,751 --> 00:42:25,751 if you know that the data is in a certain way, 698 00:42:25,751 --> 00:42:29,999 you can manipulate the data into a slightly different way 699 00:42:29,999 --> 00:42:32,876 to have a different message. 700 00:42:33,083 --> 00:42:34,834 Did I get your question? 701 00:42:34,834 --> 00:42:35,834 Yes. 702 00:42:35,834 --> 00:42:39,667 You brought it up as a way the system leaks data. 703 00:42:39,667 --> 00:42:46,501 Why not exploit that and you can 68 files and it is in $Secure. 704 00:42:49,375 --> 00:42:53,125 Now it is this junk that accumulates and it looks like random stuff that 705 00:42:53,125 --> 00:42:56,292 is over the lifetime of the file system. 706 00:42:58,834 --> 00:43:02,083 MICHAEL PERKLIN: It definitely works. 707 00:43:02,083 --> 00:43:03,751 Then you don't need the files. 708 00:43:03,751 --> 00:43:04,834 You just delete them. 709 00:43:04,834 --> 00:43:06,542 MICHAEL PERKLIN: That's right. 710 00:43:06,542 --> 00:43:07,542 You get rid of them. 711 00:43:07,542 --> 00:43:08,542 Yeah. 712 00:43:08,542 --> 00:43:09,542 If we have time. 713 00:43:10,501 --> 00:43:14,751 So I think the technique by which you distributed among those 714 00:43:14,751 --> 00:43:17,792 files is similar to OpenPuff. 715 00:43:18,083 --> 00:43:21,334 In a way, you are using a different technique in terms 716 00:43:21,334 --> 00:43:24,999 of how you're hiding that data, let's say. 
717 00:43:25,292 --> 00:43:29,459 I think to dovetail on a couple of the other questions 718 00:43:29,459 --> 00:43:32,751 around alternate data streams, you can use 719 00:43:32,751 --> 00:43:33,542 [INAUDIBLE] 720 00:43:33,542 --> 00:43:38,999 ADS to circumvent any detection of that and I think in addition to that, 721 00:43:38,999 --> 00:43:42,250 you can maybe use the volume shadow copies 722 00:43:42,250 --> 00:43:45,167 to hide data in the volume shadows too 723 00:43:45,167 --> 00:43:48,417 as another way to circumvent. 724 00:43:48,999 --> 00:43:54,334 MICHAEL PERKLIN: I wonder if they make shadow control lists 725 00:43:54,334 --> 00:43:56,501 at that time. 726 00:43:58,834 --> 00:44:02,209 Certainly worth investigating. 727 00:44:02,209 --> 00:44:04,083 MICHAEL PERKLIN: For sure. 728 00:44:04,375 --> 00:44:06,999 I think what is clear here, and this goes back 729 00:44:06,999 --> 00:44:08,999 to the summary 730 00:44:08,999 --> 00:44:11,334 slide, all steganographic here. 731 00:44:23,292 --> 00:44:25,999 How do you then? The PIN on my left side means one thing 732 00:44:25,999 --> 00:44:28,999 as opposed to the PIN on my right side? 733 00:44:30,209 --> 00:44:32,999 As long as they agree, they will have one meaning 734 00:44:32,999 --> 00:44:36,334 and then they will have another meaning. 735 00:44:36,334 --> 00:44:41,167 I think that's all the time we have for questions now. 736 00:44:41,167 --> 00:44:44,626 I will be in the speaker Q&A room, if there are any other questions. 737 00:44:44,626 --> 00:44:45,626 Thanks for coming.