Preface

With the development of mobile Internet and the popularization of smart phones, all kinds of apps based on Android system have explosive growth, but at the same time, a problem that can not be ignored is becoming more and more important: security.

The vulnerability scanning mode is mainly divided into static and dynamic. The vulnerability types of static scanning mainly include SQL injection risk, WebView series, file mode configuration error, HTTPS non verification certificate, database configuration error, etc. The vulnerability types of dynamic scanning mainly include denial of service attack, file directory traversal vulnerability, file cross domain access, etc.

This report selects the same number of popular apps in 11 categories of Android apps, whose active users can cover 83% of mobile Internet users. According to the vulnerability detection of these apps by Alibaba mobile security center, the following conclusions are drawn:

Nearly 97% of Android apps tested have vulnerability problems, and the average number of vulnerabilities is as high as 40.

Security app has the most vulnerabilities, with 499 vulnerabilities, accounting for 21% of the total.

News and tourism apps are relatively the most insecure, with a total of 240 vulnerabilities, of which 30% are high-risk.

Game apps are relatively the safest, with a total of 57 vulnerabilities, of which high-risk vulnerabilities account for about 2%.

From the test results, the security problems of android app are not optimistic. The existence of vulnerabilities, especially high-risk vulnerabilities, will have a great impact on app developers and even users. How to discover potential risks in advance and protect the interests of developers and users is the responsibility of Alibaba mobile security team.

1、 Android App vulnerability status

To understand the overall status of android app, the report classifies app into 11 categories: health, entertainment, safety, education, news, tourism, games, social networking, shopping, finance and reading. Select the same number of popular apps in 11 types of apps, and use Alibaba Ju security's vulnerability scanning products for static and dynamic detection. The scanning results are as follows:

From the perspective of vulnerability category, the first one in android app vulnerability is SQL injection vulnerability, accounting for 38.2%, followed by WebView vulnerability, accounting for 35.4%, as shown in the left figure.

From the perspective of vulnerability risk level, high-risk vulnerabilities account for 20.7% and low-risk vulnerabilities account for 79.3% in android app, among which high-risk vulnerabilities are mainly concentrated in WebView series and HTTPS certificate not verified.

SQL injection type vulnerability accounts for 38.2%, mainly due to unfiltered user input in the code, so attackers can commit malicious SQL query statements to achieve their evil purposes. Although most of SQL injection belongs to low and medium risk vulnerabilities, it can still cause sensitive data, the highest authority of the system to be stolen and other problems.

Some high-risk vulnerabilities of WebView are mainly caused by the use of dangerous functions such as addjavascriptinterface and the use of non verification certificates in the code. These vulnerabilities can execute code remotely and install malware remotely to users.

HTTPS related high-risk vulnerabilities are mainly caused by HTTPS's use of the parameter verification certificate such as allow ﹣ all ﹣ hostname ﹣ verifier, which does not verify the host and other information. These vulnerabilities can cause the attacker to easily hijack the HTTPS session, sniff the user password and other sensitive information.

There are huge security problems in high-risk vulnerabilities, but from the test results, many Android apps have high-risk vulnerabilities, and its security is worrying.

2、 Analysis of Android App vulnerability

This chapter will further analyze the vulnerability scanning results of app. First, it will analyze the static and dynamic detection results of the vulnerability, and then summarize the causes of the vulnerability.

2.1 vulnerability analysis of various types of apps

2.1.1. Analysis of static scanning results of vulnerabilities

Using Alibaba Ju security's vulnerability scanning product, static scanning is performed on 11 popular apps with the same number of categories. The security situation of all kinds of apps is different:

Nearly 97% of the tested apps have security vulnerabilities, and the average number of vulnerabilities is 40.

The security class app has the most vulnerabilities.

Among all the detected vulnerabilities, the total number of security app vulnerabilities is up to 499 (about 21%), of which high-risk vulnerabilities account for about 2%. As a whole, even security app has many security problems.

News and tourism apps are the most insecure

The total number of vulnerabilities in news and tourism apps is more than 230 (about 10% of the total), and the high-risk vulnerabilities account for as much as 30%, which is relatively the most insecure of all apps.

Game apps are relatively safest

No matter the total number of vulnerabilities or the proportion of high-risk vulnerabilities in game apps, they are relatively the safest among all apps.

2.1.2 analysis of dynamic scanning results of vulnerabilities

Using Alibaba Ju security's vulnerability scanning product, we dynamically scan 11 popular apps of the same number in 11 categories. The scanning results are almost denial of service attack vulnerabilities, and no vulnerabilities such as file directory traversal and file cross domain access are found.

As can be seen from the following data figure, there are more or less denial of service vulnerabilities in all kinds of apps, especially in the financial category (37), entertainment category (35), shopping category (32), security category (28), while the total number of denial of service vulnerabilities in the game category is relatively the least (3).

Denial of service vulnerability is actually a component exposure problem. Once a component is exposed, specific malicious data can be written to the component, resulting in the collapse of the app, resulting in a denial of service, thus affecting the interests of app developers and users.

2.1.3 summary

The above analysis data shows that the security problem of android app is not optimistic. We need to further explore the causes and solutions of the vulnerability to avoid the vulnerability and make up for the impact of the security problem.

2.2 cause analysis of APP vulnerability

There are many types of vulnerabilities in android app, such as SQL injection, WebView series vulnerabilities, file mode configuration errors, HTTPS does not verify certificates, denial of service attacks, etc. the causes of the vulnerabilities can be summarized into the following two categories:

2.2.1App problems of developers themselves

a) Irregular coding

Many companies have no requirements for coding specifications, or app developers do not code according to the coding specifications, which is easy to cause sensitive information disclosure, such as log printing problems, not turning off the log printing function in the release version, etc.

b) Insufficient safety awareness

Many parameters of Android functions need to be used with caution, such as the common function openfileoutput. If the mode parameter is set to context.mode'world'readable or context.mode'world'writeable, it is easy to disclose the data of android app. In addition, the interface processing needs to be more rigorous. For example, an interface is exposed to allow users to run the input information. If the information is not processed, it is easy to cause denial of service attacks and other security issues.

2.2.2 discovery of 0day on Android

The discovery of 0day on Android can lead to the insecure function of Android App before. When there is no patch on Android system, it is necessary to patch android app in time. However, due to the fact that many android app developers are not sensitive to vulnerability information and other reasons, it is not timely patched, which leads to the existence of vulnerability.

In a word, the security problem of Android App may be a low-level mistake made by developers to a large extent. The more effective solution is to be able to use SDL coding process in the process of code writing, at the same time use vulnerability scanning products to detect the app, and constantly repair the security problems of its own app. Security is no small matter, all app developers should pay attention to it.

Three, summary

This test uses the same number of popular apps in 11 categories, and scans nearly 2500 vulnerabilities in total. On average, each android app has 40 security vulnerabilities, and about 97% of the test apps have more or less security vulnerabilities. These data reflect the severity of Android App vulnerability. In the app market, many Android apps have potential security risks. Once used, it will have a great impact on users and developers.

From the result of vulnerability detection, the vulnerability of android app is not optimistic. Can these problems be avoided? Is there an automated vulnerability scanning product for app developers? Can we reduce the degree of damage to the interests of developers and users? The answer is yes. In addition to enhancing the security awareness of app developers, using security products to scan and detect vulnerabilities before app release can find hidden security issues as early as possible, protect the interests of developers and users.

How to discover potential risks in advance and protect the interests of developers and users is the responsibility of Alibaba mobile security team. The product will be officially released on October 22, 2014. Please look forward to more developments. Please pay attention to the official Weibo of Alibaba mobile security team

Web Security Principles

1. The authentication module must adopt the anti brute force cracking mechanism, for example: the authentication code or the account or IP is locked after several consecutive login failures.

Note: if you lock the account or IP after multiple consecutive attempts to log in, you need to support the "allowed number of consecutive failures" configuration of the continuous login failure locking policy, and support the automatic unlocking after the locking time expires.

2. For every request of a page or servlet that needs to be authorized to access, it is necessary to verify whether the session ID of the user is legal and whether the user is authorized to perform this operation, so as to prevent the URL from exceeding the authority.

Note: to prevent the user from directly entering the URL, exceeding the authority of the URL, requesting and executing some pages or servlets; it is recommended to implement through the filter.

3. During the login process, when passing the user name and password to the server, the HTTPS security protocol (that is, SSL with server-side certificate) must be used. It only provides local access and login, and is not required for the scenario of equipment management.

Note: if sensitive data such as account number and password are passed between client and server, SSL with server certificate must be used. Because SSL consumes a lot of CPU resources on the server side, the bearing capacity of the server must be considered in the implementation.

4. The final authentication process for users must be placed on the server.

5. The data generated by the user must be verified at the server; the data must be HTML encoded before being output to the client to prevent malicious code and cross site script attacks. For untrusted data, HTML encoding must be performed before output to the client.

6. Using the mainstream web security scanning tools to scan web servers and web applications, there is no "high" level vulnerability.

7. For web applications of non embedded products, prepare statement should be used instead of direct statement to execute statement to prevent SQL injection.

database security

Outsourcing database, open source database and Huawei self-developed database shall be configured for security to ensure no security loopholes.

1. The database password is forbidden to use the default password of the database manufacturer, and the password complexity shall meet the "password security requirements". If there are multiple default accounts in the database, the accounts that are not used must be disabled or deleted.

Two Use a separate operating system account to run the database; sensitive files in the database (such as init.ora and listener.ora of Oracle database) need to strictly control access rights, which can only be read and written by the database process running account and DBA account; strictly and clearly divide the permissions granted by the database account, and all database accounts can only have the minimum to perform their tasks Permission; for databases with listener functions (such as Oracle's listener.ora), you need to set the listener password or set it to local operating system authentication.

3. Using mainstream or Huawei designated system scanning software for security scanning, there is no "high" level vulnerability.

Sensitive data protection

The storage, transmission and processing of sensitive data in the system shall ensure data security and comply with applicable national and regional laws and regulations.

Definition of sensitive data: including but not limited to password, bank account number, personal data (data that can identify a living natural person by using the data alone or in combination with other information, including end-user name, account number, calling and called number, communication record, bill, communication time, positioning data, etc.).

1. The password does not allow clear text to be stored in the system and should be encrypted. In the scenario where the password does not need to be restored, the irreversible algorithm must be used for encryption. The access to bank account and other sensitive data should have authentication, authorization and encryption mechanisms. The password file must be set with access control. Ordinary users cannot read or copy the encrypted content. If the account file / data contains a password and must be accessible to all users, it is necessary to separate the account file / data from the password file / data.

Note: the password function provided by the third-party mainstream software and hardware (such as operating system, database, web container) is not limited by this article.

2. The transmission of sensitive data (including password, bank account number, bulk personal data, etc.) between untrusted networks must adopt secure transmission channel or encrypted transmission, except for the provisions of standard protocol.

3. Private encryption algorithm is prohibited.

Explain:

1) It is recommended to use symmetric encryption algorithm: aes192 and above strength;

2) The recommended key exchange algorithm: dh1024;

3) Dsa1024 and ecdsa192 are recommended for digital signature algorithm;

4) Rsa2048 and ecc192 are recommended for asymmetric algorithm;

5) Hash algorithm is recommended: sha256 and above strength;

6) HMAC (hash based message verification code) algorithm is recommended to use: hmac-sha256;

4. The key used for encryption of sensitive data transmission cannot be hard coded in the code.

In the security transmission of sensitive data, the industry standard security protocol (such as SSH) is preferred V2 / tls1.0/ssl3.0/ipsec/sftp/https, etc.) and make sure that the secret key can be configured; if the security transmission process is realized by the product itself, the Diffie Hellman key exchange algorithm is preferred; if the preset shared key and other methods are used, the key must also be configurable and replaceable.

5. It is forbidden to record sensitive data such as password, bank account number and communication content in log, call list and other documents;

6. Try to avoid recording personal data in logs and bills. If personal data must be recorded, all data must be stored structurally or suitable for anonymous extraction;

1) Try to avoid recording personal data in the log. If it is necessary to record personal data, put a uniform mark before or after personal data to distinguish it from other non personal data.

2) Try to avoid recording personal data in the call list. If it is necessary to record, the call list must be stored in a structured way. The fields must be separated by a uniform separator, and the fields in each row correspond strictly by columns.

7. When the product with the function of personal data export is released, it must provide filtering or anonymization processing and functions or tools for personal data;

8. Strictly limit the permission of the export function. The use of the export function must have a log record.

9. The function of personal data collection / processing shall provide security protection mechanism (such as authentication, authority control, log recording, etc.) and be disclosed to customers through product data.

10. In addition to the normal business process and standard protocol, it is forbidden to locate the user's accurate location information for the purpose of fault location. If it is necessary to process the accurate location data of users, Huawei shall have clear requirements and give users the opportunity to withdraw their consent at any time during the scheme design.

Password security policy management

1. When setting the password, the password complexity is detected by default, and the password shall at least meet the following requirements:

1) The password shall be at least 6 characters long (at least 8 characters for privileged users);

2) The password must contain a combination of at least two characters:

- at least one lowercase letter;

- at least one capital letter;

- at least one number;

- at least one special character: ` ~! @ # $% ^ & * () - = + | [{}];: ', <. > /? And space

3) The password cannot be the same as the account or the reverse order of the account;

If the set password does not meet the above rules, a warning must be given.

2. The system must provide a mechanism for locking users. You can choose one of the following two ways:

Mode 1: when the number of times of repeatedly entering the wrong password (3 times by default, which can be set by the system) exceeds the system limit, the system will lock the user.

Mode 2: the system can also double the interval time of the next password allowed to be entered. In this mode, the user can not set automatic locking.

3. Automatic unlocking time can be set (only applicable to users who are locked due to password attempt)

1) For users whose password attempts fail n times and are locked, the system should be able to set the automatic unlocking time. It is recommended that the default unlocking time is 5 minutes.

2) When the user is locked for a predefined time, the user can be unlocked automatically or manually through the security administrator.

3) During the locking time, only the account of the application security administrator role can be allowed to manually unlock the user.

4. The password in the operation interface cannot be displayed in clear text. It cannot be displayed in clear text when the password is typed (the password in the operation interface can not be displayed or replaced with *). It cannot be displayed in clear text even when it is printed on the terminal or stored in the log. Even the clear text password in memory (such as during login) should be overwritten immediately after use.

5. The password input box does not support the copy function.

6. For the default password of the system built-in account, the password shall meet the requirements of complexity, and remind the user to modify it in the customer data.

7. Users can modify their own password, which shall meet the following requirements:

1) Users must verify the old password when modifying their own password;

2) It is not allowed to change the password of an account other than its own account (except for the administrator)

8. The password cannot be transmitted in clear text in the network. The password and other authentication credentials must be encrypted in the transmission process, using a high security level encryption algorithm.

Explain:

1) It is recommended to use symmetric encryption algorithm: aes192 and above strength;

2) The recommended key exchange algorithm: dh1024;

3) Dsa1024 and ecdsa192 are recommended for digital signature algorithm;

4) Rsa2048 and ecc192 are recommended for asymmetric algorithm;

5) Hash algorithm is recommended: sha256 and above strength;

6) HMAC (hash based message verification code) algorithm is recommended to use: hmac-sha256;

9. The password must be encrypted when stored locally and meet the following requirements:

1) The password cannot be written into the log file, configuration file and cookie in clear text;

2) The password file must be set with access control. Ordinary users cannot read or copy the encrypted content.

10. Provide clear account number and password list for product supporting data.

Note: Huawei provides user list template

Safety data

For pre-sale, opening, current network operation and maintenance stages, provide supporting security programs and information.

1. Describe the product safety features in the product description.

2. Provide product communication matrix before product release. Describe the communication relationship between machines / network elements / modules, including: port, protocol, IP address, authentication method, port purpose information, etc.

Note: Huawei provides communication matrix template.

3. The premise of product release is to provide anti-virus software deployment guide. Describe the preparation, process, execution steps, fallback processing after failure before deployment of anti-virus software, as well as the upgrade and configuration guidance of virus feature library (required for Windows system platform).

4. Provide safety configuration / reinforcement guide before product release.

Describe the following:

-Security reinforcement and inspection, mainly including operating system, database or web server reinforcement content, need to include specific reinforcement content and operation steps (required).

-The security configuration of the application. For the product business security application, what security options need to be enabled and what content needs to be configured. (this part is required for the security functions that can take effect only by configuring the security policy when the product is launched). If there is no applied security configuration, name it security hardening guide. Safety reinforcement guidelines are necessary.

5. Provide safety maintenance manual before product release. From the perspective of solutions, provide guidance on daily business security maintenance, including security patches, security configuration, routine inspection of anti-virus software, etc., and guide maintenance personnel to conduct routine security maintenance.

Operating system security

Whether using general operating system (windows, Linux, UNIX, etc.) or embedded operating system (such as VxWorks, PSOs, etc.), the system should ensure the security of the software and its running environment.

Note: system refers to the overall system delivered to customers for operation, including self-developed software, operating system for software operation and application services.

1. Using the mainstream vulnerability scanning software for security scanning, there is no high-risk level vulnerability.

2. The pre installation rate of "operating system reinforcement + operating system patch" of new products shipped based on the general operating system = 100%; for products not pre installed in the production phase, it is necessary to include the default security policy file in the officially released version, and explain the reinforcement requirements and operation steps in the product data.

Explain:

1) For the operating system provided by Huawei, the product version shall be developed and compatibility tested based on the latest operating system security patch.

2) For the operating system provided by the partner, the partner shall test the compatibility of the operating system security patch before the delivery of the version and release it with the version, and strengthen the operating system according to the CIS standard and release it with the version.

3. Products using Windows operating system need to use mainstream anti-virus software for compatibility test.

Explain:

1) For the windows operating system provided by Huawei, the partners need to use mainstream anti-virus software or anti-virus software designated by Huawei for compatibility test;

2) For the windows operating system provided by the partner, the product shall be matched with the anti-virus software specified by Huawei by default, and the anti-virus software shall be tested for compatibility.

Protocol and interface anti attack

The system shall have the basic anti attack ability and the defense ability for common attacks affecting itself. Note: system refers to the overall system delivered to customers for operation, including self-developed software, operating system for software operation and application services.

1. All external communication connections of the system must be necessary for the operation and maintenance of the system. For the communication ports used, it is stated in the product communication matrix document that the dynamic listening port must be limited to a reasonable range. The port scan tool verifies that ports not listed in the communication matrix must be closed.

Explain:

1) Huawei provides communication matrix template.

2. Try to avoid using the implementation mode of dynamic debugging port. In the absence of alternative scheme, if it must be used, the following requirements shall be met:

1) , if using industry standard protocols (such as RPC, FTP passive mode), and there are certain security measures (such as NFS security configuration, Firewall support FTP passive mode, etc.);

2) , if it is self implemented, the dynamic listening port must be limited to a reasonable range.

2. All communication ports and protocols that can manage the system must have access authentication mechanism, unless there is no authentication mechanism in the standard protocol.

3. Protocol malformed message attack test shall be carried out for protocols developed by self-developed protocol and non mainstream software (including non mainstream open source software) in the industry.

4. The physical interface visible outside the equipment that can manage the system must have access authentication mechanism.

Monitoring interface and prevention of illegal monitoring

The legal monitoring interface for product development shall comply with international standards and the legal requirements of the host country.

1. In the absence of Huawei's clear requirements, it is strictly prohibited to develop functions and interfaces with the nature of monitoring, regardless of whether such functions and interfaces should comply with the corresponding national and international standards.

2. If Huawei has a demand for a legal monitoring interface, the partner shall develop it according to the monitoring function provided by Huawei or the requirements in the interface documents.

Note: requirements for the product version that provides a legal monitoring interface (one of two options)

1) The product provides two versions of software installation package: one supports legal monitoring and the other does not support legal monitoring. According to the security requirements of the market, select the corresponding software installation package for deployment.

2) The software installation package provided by the product is divided into basic software installation package and legal monitoring plug-in installation package. According to the security requirements of the market, choose whether to install the legal monitoring plug-in installation package.

3. In addition to the normal business process and standard protocol, it is prohibited to provide the function of collecting the original communication content (voice, SMS / MMS, fax, data business) of the end user, even for the purpose of ensuring network operation and service.

Note:

1) In addition to voice, SMS / MMS, fax and data business information, the instant message, e-mail information and URL of the end user also belong to the communication content;

2) Debug function is allowed, but sensitive data such as password, bank account and communication content are not allowed in debug information.

Recently, the code snippets plug-in exposed a serious Cross Site Request Forgery (CSRF) vulnerability (cve-2020-8417), affecting more than 200000 WordPress websites.

The vulnerability can be used by attackers to take over WordPress sites (executing malicious code) running the vulnerable plug-in, and there is no need to add custom code to the functions.php file of the topic.

functions.php functions.php

Code snippets also implements a graphical interface, similar to the plug-in menu, for managing code. Just like normal plug-ins, snippets can be activated or disabled.

Code Snippets Code Snippets

An attacker can use this CSRF vulnerability to construct a request that can be issued by an administrator, inject malicious code into the vulnerable site, and execute arbitrary code remotely.

"On January 23, our threat intelligence team found a vulnerability in code snippets, a WordPress plug-in installed on more than 200000 websites," wordfence said in a security report. It allows anyone to make a request as an administrator. We revealed all the details of the vulnerability to the plug-in developers on January 24, and they quickly responded and released a security patch a day later. "

Code Snippets Code Snippets

The plug-in is currently installed on more than 200000 websites. On January 25, the development team released the latest version 2.14.0.

Wordfence researchers say that almost all endpoints are secure except for the lack of CSRF protection for the plug-in's import capabilities. The attacker can design a malicious request carefully, induce the administrator to click, secretly create a new management account (or steal sensitive information, etc.) on the site.

Security experts also released a PoC video.

On February 12, researchers will release specific POC utilization code, so relevant webmasters need to update plug-ins as soon as possible.

At the time of writing, more than 50000 users have downloaded and installed the latest version of plug-ins, but 150000 users still face considerable security risks.

0 * 1 Introduction

With the increasing number of computer crime cases and the digitalization of crime means, the collection of electronic evidence has become the key to providing important clues and solving cases. The recovery of damaged computer data and the provision of relevant electronic data evidence are electronic forensics. Nstrt has also assisted in the work of electronic forensics. In this issue, nstrt will explain the process of electronic forensics based on disk with a hypothetical case.

In general data forensics work, in order to preserve evidence and ensure data loss caused by forensics work, the first thing to do after obtaining evidence media is to make full image backup of media data. After making a mirror backup, the next thing to do is to extract data from the mirror.

According to the general idea of data extraction, this paper introduces how to use the knowledge of disk storage and file system to extract disk data.

Among the backup methods of disk data, the common formats are DD, IMG, raw, etc. After the disk image is extracted (DD image is used here), some tools can be used to analyze and find various available data in detail. Here is an example of the powerful TSK (the sleuth Kit). The sleuthkit can make detailed analysis of storage image based on file system layer, data layer, inode layer and file layer.

This example assumes that a DD image file image.dd is obtained. The goal of forensics is to find the data information related to Jimmy jungle.

In this case, we make a DD image with the file name of image.dd. The goal of this forensics is to find data information related to "Jimmy jungle".

In the process of disk data forensics, we will analyze it at multiple levels, including file system layer, data layer, inode layer and file layer. These different levels of analysis are closely related to each other. Let's introduce the function and analysis process of forensics at all levels

Analysis of 0 × 2 file system layer

After obtaining a disk or image, the file system layer analysis is usually performed first. File system layer analysis, as the name implies, is to understand the file system information of the disk partition. The purpose of obtaining file system information is not to obtain data directly, but to provide analysis basis for subsequent data layer analysis and file layer analysis. These analysis bases include sector information, data area information, directory area information and cluster information.

Fsstat tool in TSK is used to analyze the file system information of the image. It is very simple to use. Directly add the path of disk or mirror file after the command line. As shown in the figure below, the total number of sectors of this image is 2879, the data area is in sectors 19-2879, the disk root directory is in sectors 19-32, and the place for storing files is in sectors 33-2879. Cluster size is 512b, just one sector.

      

0 × 3 data layer analysis

Data layer analysis is simply to analyze the cluster based data information in disk image. The data layer contains the real content of the file. The purpose of analyzing the data layer is to find the target related data clues in the cluster information of the disk. The data is stored in the cell structure with different names in different file systems.

We first extract the content of unallocated space to un.ls:

Then extract the ascii string in un.ls (or select other format strings as required). D: \ program \ sleuthkit-win32-4.0.2 \ bin > strings-t D: / un.ls > D: \ str.str, search the string of the un.ls elevation, and find the relevant content of Jimmy jungle:

 

Find the data content Jimmy jungle, where the first information is located in the 2560th sector of the unallocated space area. Let's take address 2560 as the first clue for analysis.  

According to the previous fsstat data information, the cluster size is 512. After removing the cluster size with 2612, we know that the data is between the beginning of the fifth and the sixth cluster. So the relevant data block of "Jimmy jungle" is located in the fifth cluster in the unallocated space. Next, use the blkcalc tool to calculate the sector location of the fifth cluster.

It is calculated that the fifth cluster of image.dd is located in sector 38.

Extract the content of data unit 38 from the original DD image. The command blkcat is used in the following figure, and only one cluster content is displayed by default without other parameters.

 

Analysis of 0 × 4 inode layer

Let's start with the file system inode. For the system, the file name is just another name or nickname that the inode number is easy to identify. On the surface, the user opens the file by its name. In fact, the internal process of the system is divided into three steps: first, the system finds the inode number corresponding to the file name; second, it obtains the inode information through the inode number; finally, according to the inode information, it finds the block where the file data is and reads out the data.

Through the inode layer, we can understand the relationship between data storage unit and file attribute information.

We use the Ifind tool to find the location of the file metadata information corresponding to the sector number of the data area:

According to the above command, the file metadata information of this file is located in the fifth metadata structure unit.

Next, we use the ISTAT tool to output the inode information of this file:

0 × 5 file layer analysis

The analysis of the file layer mainly collects the specific content of the file according to the inode information.

According to the information provided by the inode layer, it is known that this file is a document with the suffix of DOC, with a size of 20480 bytes and a total of 40 sectors occupied by 33-72 sectors. Sectors occupied include the following

Extract this content and save it as a word file.

Such a complete file is extracted.

At this point, we have extracted a complete document based on the information obtained.

0 * 6 Summary

Through the above steps, we can see the clue sharing relationship among several levels, and get the final desired results through various associated methods, in addition to the above-mentioned disk based forensics. There are many forensics technologies for other types of data, and there are many ways of forensics. This is the simplest example of disk data analysis. I hope it can bring a systematic analysis and learning idea to the disk forensics analysis. At present, the development of electronic forensics technology is faster and faster, and it has extended from PC forensics to mobile terminals. In the future, electronic forensics will also become an important branch of information security. Nstrt will continue to introduce other forensics technology to you in the future technology sharing.

The copyright of this article belongs to the nstrt team and is created by team member East. If you think this article is useful, you can share it with your friends. Also, I hope more people will pay attention to our WeChat official account trt917 and micro-blog NSTRT team. We will share some information security knowledge regularly, hoping to help you.

[author / nstrt (team account number), this is an article of freebuf original award program, which is not allowed to be reproduced without permission]

A security solution using blockchain Technology

Saturday, December 24, 2016

Facing the increasingly fragile network security infrastructure, there is a new but neglected solution to be considered, namely bitcoin, Ethereum, zcash and other open blockchain networks.

To some extent, the open blockchain network is similar to the technology used by traditional infrastructure providers such as domain name service providers. Like centralized DNS server, open blockchain network records important data and protects data from malicious or deceptive interference. For cryptocurrencies, such as bitcoin, these data are the list of cash like transactions between bitcoin users. But open blockchain network can also be used to record all kinds of information, from DNS records to intelligent device entities, to Internet of things user access rights and so on. The most fundamental difference between these networks and legacy systems is the method used to secure these records.

The old pattern of network security is called border security. What needs to be protected? External threats? Make a boundary (wall) and don't put any villains in it. However, the effect of this method is not very good, because the boundary is always invaded. Once inside, attackers can gain full control, steal sensitive data (as shown in credit card hacking and extortion software attacks), or take over strong control (such as nuclear reaction system).

The security method of open blockchain network is totally different from this kind of boundary model. There is no boundary concept in bitcoin protocol. The software that drives bitcoin is open source and can be audited by anyone. Bitcoin transaction messages are transmitted in plaintext at the IP layer, which is visible to anyone, while the network is point-to-point: it is built on a network composed of strangers' computers.

Despite this openness, all bitcoin transactions - the legendary blockchain - have never been blacked out. But blockchain is just a data structure, just a combination of 0 and 1. What is truly revolutionary is the consensus mechanism, which can help all computers in the network reach a consensus on whether to link new data or not.

In the approved blockchain tested by major banks, a direct consensus mechanism is used: only users are allowed to add new data. Basically, this is just another kind of security boundary with the same weakness. As long as the vouchers of member banks are stolen, consensus data can be changed.

Bitcoin, Ethereum and zcash have made totally different innovations. They allow anyone to add data to the blockchain at the expense of the network. It sounds a bit like witchcraft, but it's really just Economics: prove that you're a loyal member of the network by solving the computing intensive equations (what computer scientists call "proof of work"), and then you're allowed to add new blocks to the chain.

The open consensus mechanism does not distinguish identity, voucher or geographical location, they just want to share risks. Therefore, the only way to attack the open blockchain network is to invest in it. In this case, the attack will only hurt its own interests. It is this "proof of work" consensus mechanism that makes bitcoin so firm in the face of cyber attacks, and at the same time, it also pulls the traditional border security mode of Cyber Defense to the courtroom.

It can be imagined that if this borderless network security model is implemented, the attack on dyn in October this year may be blocked. Dyn is a DNS provider, which means it holds a map of domain names and IP addresses. When dyn is attacked and the mapping record is lost, the web address entered in the browser address field cannot be translated into IP address and the web site cannot be loaded.

As with every other DNS provider (and basically most web services), dyn's security model is border security. Build a wall around sensitive data (DNS records in the case of dyn) and pray that the wall will block the attack. However, hackers break through this wall by using the message flood (DDoS attack), and the result is the temporary loss of key Internet data. DNS record is not more complicated than the transaction of special currency: we want to know who has what domain name, and we only hope that the person who currently owns the domain name can transfer the domain name to others.

On the open blockchain network, this key system can easily run outside the security boundary. Open communities of computer users will work together to form decentralized DNS services. Anyone who is willing to help store and confirm DNS data can run relevant software, connect to the peer-to-peer network, download the DNS blockchain copy maintained by the network autonomy, confirm and pass the new record modification request, and then gain some digital currency rewards for providing this public welfare.

It's easy to advocate an unclaimed domain name: ask the network to add your domain name to DNS, and it's point-to-point to buy and sell existing domain names. Any changes to the records may incur costs, just as we would today pay for domain name registration. However, this fee will flow to the open community of the entire network participants, rather than to the pockets of a particular company. Because there is no central failure point, the open blockchain network can resist dyn type hacker events, and each participant has a copy of the domain name mapping record. So that the domain name service from the fear of attack.