Uploaded by Denis W

Lab3 Final PDF

advertisement
INFR 4690: Lab 3
File Signature Searching Forensic Technique
Objectives:
•
•
Develop a database for hash searching which includes hash of good and bad files.
Use our system to understand if some suspicious files are good or bad.
Deliverable:
-
You need to submit these lab activities/tasks through Canvas.
Submit a lab report (as pdf) for all tasks of this lab. Make sure that your report for each
task includes:
o Answers to specific sub-questions, if any.
o Descriptions on how you accomplished the task (if needed). o The
instructions/commands/code that you have used or written for doing the tasks. o
Screenshot of executions.
Important note: For this lab, make sure that your written code is also included in your report.
Introduction
This lab involves using cryptographic hashes to identify suspicious files. Investigators may come
across files that are exact duplicates to other files they’ve encountered previously. Cryptographic
hashes can help with identifying these files and judge if those files are malicious (i.e., good) or
nonmalicious (i.e., bad).
Tasks
Task 1: Develop a database system for hash searching (2 pts)
•
Download
and
unzip
the
folder
located
at
https://www.dropbox.com/sh/4btt9a5g2h3baux/AAAGiQmjl7KXhik_xX_FNWfpa?dl=0
•
Complete createDB.py to do the following:
o Get sha256 hashes of all files within the “Good” and “Bad” folders. o Automate
inserting the filenames, hashes, and their status (good vs. bad) into the database of
“goodbadfiles.db”.
You can use “DB Browser” to look at the database file.
Now this is the database that you have created from files that you know if they are malicious
(bad) or non-malicious (good). The database should hold the filename, status and sha256
hashes of all the files from the “Good” and “Bad” folders. With this, we can now search our
database for known sha256 hashes of files and their statuses.
Hint: A completed database should have 145 entries.
import sqlite3, os, hashlib, sys
DB_FILENAME = 'goodbadfiles.db'
# check for db presence
if os.path.exists(DB_FILENAME) != True:
print('[-] Cannot find DB file %s' % DB_FILENAME)
sys.exit(-1)
# opens connection to sql database file
conn = sqlite3.connect(DB_FILENAME)
# file path to the "Good" folder
goodfolder = os.path.join(os.getcwd(), 'Good')
badfolder = os.path.join(os.getcwd(), 'Bad')
# This for loop collects the sha256 hashes of the files in the "Good" folder and
adds them to the goodbadfiles.db database.
for filename in os.listdir(goodfolder):
# read in file from good folder
f = open(os.path.join(goodfolder, filename), 'rb').read()
# compute sha256 hash of the file contents
sha256 = hashlib.sha256(f).hexdigest()
# execute SQL to add filename, "Good" and the sha256 of the file contents to
the goodbadfiles.db
conn.execute('INSERT INTO files VALUES (?, ?, ?);', (filename, 'Good',
sha256))
# some verbosity...
print("Filename: %s SHA256: %s Inserted as good file" % (filename, sha256) )
# TASK FOR STUDENT Get the sha256 hashes of the files in the "Bad" folder and
add them to the database.
for filename in os.listdir(badfolder):
# read in file from good folder
f = open(os.path.join(badfolder, filename), 'rb').read()
# compute sha256 hash of the file contents
sha256 = hashlib.sha256(f).hexdigest()
# execute SQL to add filename, "Good" and the sha256 of the file contents to
the goodbadfiles.db
conn.execute('INSERT INTO files VALUES (?, ?, ?);', (filename, 'Good',
sha256))
# some verbosity...
print("Filename: %s SHA256: %s Inserted as bad file" % (filename, sha256)
)
# this command saves the added hashes to the database
conn.commit()
Task 2: Use our system for judging suspicious files (2pts)
•
Complete the code of “checking_suspicious.py” for searching your database for the hash value
of any suspicious files in the suspicious folder.
o If there is a hit for the searched hash, the status of suspicious file is the same as the
status in the database.
o If there is not a hit, the status is unknown.
import sqlite3, os, hashlib, sys
DB_FILENAME = 'goodbadfiles.db'
if os.path.exists(DB_FILENAME) != True:
print('[-] Cannot find DB file %s' % DB_FILENAME)
sys.exit(-1)
conn = sqlite3.connect(DB_FILENAME)
# File path to the "suspicious files" folder
suspiciousfolder = os.path.join(os.getcwd(), 'suspicious files')
for filename in os.listdir(suspiciousfolder):
# read each file from the "suspicious files" folder here
f = open(os.path.join(suspiciousfolder, filename), 'rb').read()
# compute the sha256 of the file contents here
sha256 = hashlib.sha256(f).hexdigest()
# find a way to search the database if the above sha256 hash value exists
# if it exists, set the status variable (see below) to the status of the
matched file ('Good' or 'Bad')
status = conn.execute("select status from files where sha256=?",
(sha256,)).fetchone()
if status:
status = status[0]
else:
status = "Unknown"
# status = "Unknown" if not status else status[0]
# If the sha256 doesn't exist in the database, set the status to
'Unknown'
print("%s is recognized as %s" % (filename, status))
conn.execute('INSERT INTO files VALUES (?, ?, ?);', (filename, status,
sha256))
conn.commit()
Task 3: Attempt to Identify the Suspicious Files (1 pt)
•
Run both scripts on your computer and answer the following questions:
A) What file does the hash of “suspect 1.dll” match to? Is it good, bad, or unknown?
B) What file does the hash of “suspect 2.dll” match to? Is it good, bad, or unknown?
C) What file does the hash of “suspect 3.dll” match to? Is it good, bad, or unknown?
Download