Thank you Michael.
The "-W" works fine: I was able to see the password set.
Now some weird stuff is happening, like sometimes the password is
shown, sometimes not.
For example, with the same procedure in the same Android emulator, if I
set the password as "mypassword", volatility does not show me anything.
If I set the password as "mypassword2016" (so, just adding the year number)
I can see it.
But I'll investigate this and maybe I'll ask for your help again via the
volatility ML.
Until then, thanks again for your help.
Massimo
On 03/05/16 16:09, Michael Ligh wrote:
There should also be a --wide parameter to yarascan to make it search
for Unicode versions of the string. Alternately, you can create a yara
rule file and be even more specific (for example to scan for ascii and
unicode strings at the same time and also byte sequences if the string
is in some other format).
On 5/3/16 8:33 AM, Massimo Canonico wrote:
> Dear Andrew,
>
> thank you very much for your suggestion.
>
> Unfortunately, the command that you suggested did not produce any output
> (I tested the same command with "pass" as the string to search for and I saw
> some output -- this was just to be sure that volatility and yara are correctly
> working). I was wondering if this could be due to the type used to store
> the password. I was looking into the source code of ChatSecure and also
> asking on the ChatSecure mailing list.
>
> On the ChatSecure mailing list, when I asked if the password is
> stored in memory, they replied with this:
>
>> Yes, the service instance keeps it here in the ICachedSecrets variable:
>>
>>
https://github.com/guardianproject/cacheword/blob/master/cachewordlib/src/i…
>>
> By looking around the source code, I think that the actual key is stored
> in a byte[] java variable, as suggested by this method:
>
>> public byte[] getEncryptionKey() {
>>     final ICachedSecrets s = getCachedSecrets();
>>     if (s instanceof PassphraseSecrets) {
>>         return ((PassphraseSecrets) s).getSecretKey().getEncoded();
>>     }
>>     return null;
>> }
> Maybe I have to figure out how the password that was set is written into the
> byte[] and then I should try to search for this sequence.
>
> Right now, I do not have many ideas on how to proceed with the investigation,
> so any hint/suggestion is more than welcome.
>
> Thanks in advance for your patience and time
>
> Massimo
>
>
> On 02/05/16 20:10, Andrew Case wrote:
>> Hey Massimo,
>>
>> Welcome to the Volatility community!
>>
>> I would start by seeing if the password is even in memory -- I have
>> never looked at ChatSecure specifically, but many other "secure" apps
>> will wipe/zero the password from memory after it is used. This will
>> effectively kill the password from process memory, so at that point you
>> have to hope the password is left over in kernel memory, but that is
>> difficult too b/c you don't know what to search for initially.
>>
>> So to start - I would use the linux_yarascan plugin like this:
>>
>> python vol.py -f ... --profile=... linux_yarascan -Y "THE PASSWORD"
>>
>> The yarascan plugin will then scan process and kernel memory looking for
>> where "THE PASSWORD" is in memory. For any hits, it will report the
>> process (PID), virtual address, and some context of the hit. Assuming
>> this is testing and you use a temp password, feel free to paste the
>> output if any hits are found and I can explain them to you.
>>
>> Thanks,
>> Andrew (@attrc)
>>
>> On 04/29/2016 10:53 AM, Massimo Canonico wrote:
>>> Hi all,
>>> I'm new to volatility, so sorry if this question does not fit the purpose
>>> of this mailing list.
>>>
>>> I was starting to play with LiME (Linux Memory Extractor)[1] and I was able
>>> to dump a memory image of an Android Emulator where ChatSecure[2] was
>>> running.
>>>
>>> ChatSecure asked for a master password on the first run and this password is
>>> stored by using a library called CacheWord [3].
>>>
>>> Here the question: in order to find out if ChatSecure stores this
>>> password in memory, how should I use volatility?
>>>
>>> A doc/tutorial link or any suggestion are more than welcome.
>>>
>>> Thanks,
>>> Massimo
>>>
>>> [1]
https://github.com/504ensicsLabs/LiME
>>> [2]
https://github.com/guardianproject/ChatSecureAndroid
>>> [3]
https://github.com/guardianproject/cacheword
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilityfoundation.org
>>>
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
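The search the thread converges on has three candidate byte forms: the passphrase as 8-bit ASCII (what `-Y "THE PASSWORD"` alone matches), as UTF-16LE (what `--wide` adds, and how a Java String's characters sit in memory), and the raw bytes returned by `getSecretKey().getEncoded()`, which survive even if the app zeroes the passphrase as Andrew describes. The script below is an added example, not code from the thread, from Volatility or from the ChatSecure/CacheWord projects: it builds a constructed stand-in for a LiME dump, scans it yarascan-style for all three forms, and repeats the scan with the plaintext copies wiped so only the key bytes remain. The key derivation (PBKDF2-HMAC-SHA1 with an invented salt and iteration count) and the sketched yara rule are assumptions for illustration; whatever `PassphraseSecrets` actually does must be read from the cacheword source before its output is used as a search pattern.

```python
import hashlib
import random

# Sketch of the rule file Michael suggests: one pattern with both the
# `ascii` and `wide` modifiers, plus a hex byte sequence. Added illustration,
# not a rule from the thread; the hex bytes are placeholders.
YARA_RULE_SKETCH = """
rule chatsecure_secret
{
    strings:
        $pw  = "mypassword2016" ascii wide
        $key = { DE AD BE EF }   // replace with the derived key bytes, if known
    condition:
        any of them
}
"""


def candidate_patterns(password, key=None):
    """Byte forms of the secret worth scanning for: 8-bit ASCII (-Y alone),
    UTF-16LE (what --wide adds; Java String chars are UTF-16) and, when it
    can be derived, the raw key bytes that getEncoded() would return."""
    patterns = {
        "ascii": password.encode("ascii"),
        "utf16le": password.encode("utf-16-le"),
    }
    if key is not None:
        patterns["keybytes"] = key
    return patterns


def find_all(image, needle):
    """Every offset at which `needle` occurs in `image`."""
    hits, start = [], 0
    while True:
        idx = image.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def scan(image, patterns, context=16):
    """yarascan-style report: per pattern, (offset, hex of the surrounding bytes)."""
    report = {}
    for name, needle in patterns.items():
        hits = []
        for off in find_all(image, needle):
            lo = max(0, off - context)
            hi = min(len(image), off + len(needle) + context)
            hits.append((off, image[lo:hi].hex()))
        report[name] = hits
    return report


# Assumed, constructed derivation parameters. They stand in for whatever
# PassphraseSecrets.getSecretKey() really does; check the cacheword source
# for the actual algorithm, salt handling and iteration count.
SALT = bytes(range(16))
ITERATIONS = 1000
KEY_LEN = 32


def derive_key(password):
    """Assumed PBKDF2-HMAC-SHA1 stand-in for the SecretKey derivation."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), SALT, ITERATIONS, KEY_LEN)


def build_image(password, key, wiped=False):
    """Constructed stand-in for a LiME dump: deterministic pseudo-random
    filler with the passphrase in ASCII and UTF-16LE and the derived key.
    With wiped=True both plaintext copies are zeroed, modelling an app that
    scrubs the passphrase after deriving the key."""
    rnd = random.Random(1)

    def filler(n):
        return bytes(rnd.getrandbits(8) for _ in range(n))

    ascii_pw = password.encode("ascii")
    wide_pw = password.encode("utf-16-le")
    if wiped:
        ascii_pw = bytes(len(ascii_pw))
        wide_pw = bytes(len(wide_pw))
    return filler(64) + ascii_pw + filler(40) + wide_pw + filler(48) + key + filler(64)


if __name__ == "__main__":
    pw = "mypassword2016"
    key = derive_key(pw)
    for wiped in (False, True):
        image = build_image(pw, key, wiped=wiped)
        print("plaintext wiped:", wiped)
        for name, hits in scan(image, candidate_patterns(pw, key)).items():
            for off, ctx in hits:
                print(f"  {name:8s} @ 0x{off:06x}  {ctx}")
            if not hits:
                print(f"  {name:8s} no hits")
```

In the unwiped image all three forms are reported; in the wiped one only the key bytes are, which is the situation where a plain `-Y`/`--wide` search returns nothing even though the secret is still in the dump. Replacing `derive_key` with the real derivation (or dumping the process heap and extracting the `byte[]` directly) is what turns the third pattern into something usable against an actual emulator image.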