Abstract

A typical approach towards investigating intrusion incidents is to collect files that might have been dropped from a compromised server. These files could be extracted from network traffic or if we are lucky they could be obtained from the compromised system itself. An analyst can then use her expertise to re-create the attack scenario and understand possible vectors. Depending on her skills, this process might prove easy or extremely difficult. Our aim is to provide a framework that provides a common ground for forensic analysis of network traffic and dropped files using intuitive visualization of structural properties of network traffic and data files, combined with the proven methods of behavioral heuristics.

This talk aims to help users understand how to visually classify streaming data such as a network traffic buffer for an active TCP connection or chunked data read from a file on disk. Both these objects under analysis could be considered a binary blobs which could be rendered as an image highlighting the binary structure embedded within them. When this approach is combined with statistical file-format independent properties (like the theoretical minsize, compression ratio, entropy, etc.) and certain file-format specific properties (like the Yara rules matching on parsed HTTP payload or heuristics rules matching on the sections of a PE file), it provides a completely new perspective into the analysis process.

Additionally, we want to emphasize on the fact that the most important aspect of analysis process is to quickly correlate attributes and identify patterns. The approach we propose is to minimize the noise and highlight significant behavior using heuristics targeted specifically towards structural pattern identification. The visual representation of the input file provides a concise overview of file’s data patterns and the way they are combined together. One glimpse of this visual representation is enough to quickly classify a file as suspicious.

In this talk, we will focus on presenting a framework that can help users with forensic analysis of intrusion artifacts using a novel visual analysis approach. This framework could be used to create standalone utilities or to enhance in-house analysis tools via the native API. For quick analysis, users could consume the framework output directly through the packaged commandline tool or via an external log analytic tool like Splunk.