Monday, February 3, 2014

ADD: The Next Big Threat To Memory Forensics....Or Not

Similar to a rootkit, an anti-forensics tool or technique must possess two critical traits in order to be significant:

1. It must do something
2. It must get away with it

Satisfying #1 is the easy part. You can hide a process, hide a kernel module, or in the case of ADD - create fake, decoy objects to lead investigators down the wrong path. Although ADD is just a proof-of-concept, we're not convinced there's a concept that needs proving. The idea of creating decoy objects was presented in 2007:
Another area of concern is the susceptibility of these tools to false positives or decoys. It is possible for a malicious adversary to dramatically increase the noise to signal ratio and keep the digital investigator busy. Unfortunately, using this [the pool tag scanning method] makes it extremely easy for a malicious adversary to create "life-like" decoys. 
In other words, tools that use object carving (i.e. pattern matching, scanning) as an analysis technique are implicitly susceptible to attacks that create objects that look like the ones being carved. This is a well-understood consequence of the analysis technique and is true of file carving, internet artifact extraction, and various other types of forensic data.  It would not be responsible for a forensics analyst to ignore legitimate artifacts found using these techniques because they are susceptible to false positives. An analyst should understand the limitations of their tools/techniques and know how to validate or refute their findings with supporting artifacts.

Let's pretend for a moment that the decoy idea is new, however. Indeed it may be new, to some people, who have not seen the previous research. Yet, regardless of what action(s) are carried out in #1, the real challenge is satisfying #2. Once you've done what you want to do, can you clean up after yourself and not get busted?

Think of it this way - a suspect wants to rob a bank. It is implied that this crime is possible to commit - no proof is required. In fact its quite easy, as several very unintelligent people have shown in the past. The suspect gets so far as to take physical possession of the cash, but either gets trapped inside the bank or leaves a trail of money all the way back to his front door.

As the suspect sits in prison, he wonders "what have I accomplished?" and comes up blank. By failing to achieve #2, his efforts toward #1 are futile. Even if he came up with a completely new way of robbing a bank, one that had never been considered by another criminal, he still got caught.

The authors of ADD will argue that the time investigators spend pursuing the criminal makes the decoy concept worthwhile. They make absolutely no attempt to achieve #2. As a result, a talented memory analyst (who happens to be alumni of our training class) made short work of the anti-forensics tool - finding various ways to determine what happened, when it happened, and how it happened in a matter of minutes. In this case, it took the adversary considerably longer (probably weeks) to develop the tool, and it took the investigator the amount of time it takes to eat a bag of chips to blow the case wide open.

Another goal of ADD is to "reset the bar" and convince investigators not to trust what they find in memory. In an online recording, the author stated that the tool serves to teach a valuable lesson to people in the "point and click" forensics mindset. First of all, to reset the bar, you don't scale back and create a tool that only tricks the least skilled investigator. That may indeed reset the bar, but in the wrong direction.

Similarly, no investigators are so naive as to base their conclusions on one piece of data alone. There are various components to the digital crime scene, and one main reason we perform memory forensics is to corroborate evidence. If the supporting data isn't there (i.e. network connections in the firewall, packet captures, file system artifacts, etc), then the fake artifact is quickly exposed.

In fact, ADD doesn't even do a good job of creating fake objects. The fake connections are created without process association, so you see an ESTABLISHED TCP connection with no owner. The fake processes stick out like a sore thumb, because they're only found by one of the 7 techniques that psxview uses to identify process objects. Attempting to dump the fake processes results in an error (expectedly), which raises even more suspicion. Also, the fake files it creates are found floating off a device that doesn't exist rather than a real physical drive.

The sheer amount of nonsense artifacts that this tool disperses in memory just begs for it to be noticed.  While stealth is admittedly not the motivation for this particular technique, increasing the noise becomes a liability when it can be easily triaged.

Perhaps the most astonishing aspect of ADD is that the author(s) failed to advise the audience on how their tool, or any anti-forensics method, could be detected. The question was posed once during the Q&A session at Shmoocon and again nearly two weeks later at about 40:40 into the online recording.

Host: What would you think the signs are [that someone should be looking for] whether or not there is in fact some reason to believe that you should go in and check for these [anti-forensics attacks]?

ADD Author: You know, unfortunately I don't have a good answer for that. I think this is going to be prohibitively difficult. 

After reading Forensic Analysis of Anti-Forensic Activities, you be the judge - is it prohibitively difficult to detect? This exemplifies the value of learning memory forensics techniques from the actual developers who performed the research and intimately understand the limitations of their tools. 

To conclude, in its current state, ADD creates poorly faked objects on one version of Windows (32-bit Windows 7) and draws more attention to itself than any other anti-forensics tool. There is a significant amount of work that needs to be done for this to change, so while the attackers are spending their weeks and months trying to build things up to spec, rest assured that with proper training and the right tools, you won't need to worry about future versions.


  1. Excellent points, all. I'm glad to see that someone with a modicum of authority in the subject stepped forward to discuss this topic.

    The idea of providing fake objects or artifacts are reminiscent of 'seeding' systems with malware, which may never actually be run, in order to provide a foundation for the Trojan defense. In order to obviate this, some of us have put a good deal of work into pursuing artifacts of program execution, rather than just the existence of files.

    I agree that the bar hasn't been raised.

  2. From the moment I was sitting in the talk I was expecting a ton of contention about this release and boy did we get it. Interesting post.

    As I mentioned to Harlan elsewhere, I actually asked after the Shmoocon talk about more accurately feigning processes and network connections, and particularly about tampering with existing artifacts. Alicia and Jake stated what I understood as ethical and employer reasons for not attempting to do more. I didn't really feel they answered my question, but that was certainly their right.

    At the highest level, is kind of like the 'full disclosure' debate. Do we make a proof of concept that shows our favorite tools can be tampered with, to encourage more people to understand their functionality? Even if they're not fleshed out, they perhaps give people an idea of how to take the concept in their own direction. I absolutely know a few forensic examiners who run Volatility without any idea how it works or much knowledge about how memory works in Windows. That's not good, but it seems like the state of things. Or, does this cause more damage by giving malware developers another avenue to pursue? Skeleton network connections and processes may not confuse a good analyst for long, but just like timestomping it is still an annoyance.

    Do also remember that both Alicia and Jake are SANS instructors and I would presume that enticing more students and educating are high on their priority lists. Their perspective may be totally different.

  3. Could you define the acronym "ADD", link to a paper defining it, or something close to that?

    Wikipedia doesn't disambiguate it to anything relevant.