Digital Forensic Analysis of Remote Code Execution (RCE) Attacks




Introduction

Cyber-attacks have increased at an exponential rate in the last 6 years because the internet and intranet frameworks are now used to carry out crucial tasks at every level, from the personal to the organizational. This has led to a growing number of cyber attackers who more frequently target hubs that hold large amounts of information on particular subjects. For such reasons, cyber forensics has been widely deployed to trace the sources of attacks performed by cybercriminals. In this context, an attack using Remote Code Execution (RCE) has been selected as the scenario that will serve as the instance for performing cyber forensics.

Overview of the scenario

Remote Code Execution (RCE) can be considered as small pieces of code that an attacker executes remotely on a system.

Mechanism

Most of these attacks are carried out using exploits scripted in the Python programming language. These small snippets of code are developed to tamper with certain functionalities of the system in ways that can significantly harm the health of the applications running on it (Biswas et al., 2018). Exploits used for remote code execution rely on a backdoor mechanism that abuses an open port through port forwarding. Each open port of a system connected to a network is identified and used to insert scripts, so that the injection goes undetected. The exploit inserted into the framework has to be programmed iteratively, so that the snippet of code executes every time a certain operation is performed within the system.

Magnitude of threat

An RCE exploit can be developed so that it gains system-level access and tampers with files remotely. Most of the time these exploits are embedded in an image or an executable file so that they are installed while an application is being used. Most of the time, such code cannot be detected by the default firewalls present on the system, which allows the file to obtain administrative access to the system (Michael et al., 2020). These exploits are often associated with damaging a specific asset present on the system through arbitrary commands executed at the system level. The arbitrary code gains kernel-level privileges, giving it access to all the Create, Read, Update and Delete (CRUD) functions of the system.

Reasons behind conducting post mortem analysis of the entire mechanism

It is important to note that the damage done by RCE exploits can be very specific and therefore poses a huge threat to any personal or organizational system that holds valuable information on a particular subject. Conducting a post mortem analysis of such attacks helps in locating the attacker and in determining proper countermeasures that can be used to develop a proper firewall. The post mortem analysis allows us to understand the pattern of the attack and the kind of mechanism used, by consistently checking the activities recorded on the system. An RCE exploit can also remain inactive for a certain time, which becomes a major threat to any system because that inactivity is one of the main reasons it is difficult to locate. For such reasons, running a forensic analysis becomes extremely vital to remove the exploit from the root so that it does not become a major threat in the future. Conducting a post mortem analysis also helps in identifying the major vulnerabilities present in the system, which attackers could otherwise use in the future to run exploits (Hassan et al., 2020).

Procedures and tools used by cyber forensic investigators

Remote code execution gains access at the kernel level, allowing it to tamper with several files within the system. Most of the time, exploits are developed to gain access to the system and change some of the major registry files associated with the system's driver files. For such reasons, RCE can only be detected by antivirus applications maintaining firewalls that are interfaced with the kernel. Some of the major tools used by cyber forensics teams to carry out the analysis are:

Acunetix – This is a system vulnerability scanner used to assess the health of a system at certain locations. Tools of this kind are used for footprinting and reconnaissance of a site and for detecting vulnerabilities, which allows the investigator to understand all the possible kinds of exploits that could be run through the framework. This vulnerability scanner helps in gaining an overview of a particular system, which helps cyber forensic teams determine the kinds of activities that can be performed on it (Block & Dewald, 2019). This assessment can be used to compare the state of the system from time to time, which is extremely vital for tracing the presence of an RCE.

Autopsy – This is a forensic application that performs disk analysis and is used to assess the state of the disk from time to time. The tool identifies changes made to the system by going through the registry files associated with the system's memory allocation (Mohamed, Jantan, & Abiodun, 2018). By tracing all unidentified activities, it provides valuable feedback on how the exploit might operate on the system.
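The point made for both tools above, comparing the state of a system from one time to another to see what an exploit changed, can be shown with a small baseline comparison. The script below is an added example for this page, not code from Acunetix, Autopsy or the assignment's author: it hashes every file under a directory, takes a second snapshot after changes, and reports what was added, removed or modified. The directory tree and the changes made to it are constructed inline for the demonstration.

```python
"""Compare two snapshots of a directory tree to find files that were added,
removed or modified between two points in time.

Added example for this page; not code from Autopsy or any other tool the page
names. Assumptions (not from the page): a snapshot is a dict of relative path
-> SHA-256, and the sample tree built in demo() is constructed for the
demonstration only.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large files do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (as a relative path) to its SHA-256."""
    result: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                rel = str(p.relative_to(root)).replace(os.sep, "/")
                result[rel] = hash_file(p)
    return result


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Classify each path as added, removed or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, snapshot it, apply simulated changes, snapshot again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"original service binary")
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("port=8080\n")
        before = snapshot(root)

        # Constructed post-incident changes: a binary replaced, an unknown file
        # dropped, and a configuration file deleted.
        (root / "bin" / "service").write_bytes(b"patched service binary")
        (root / "bin" / "update.exe").write_bytes(b"unknown dropped file")
        (root / "etc" / "app.conf").unlink()
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the "before" snapshot is the baseline taken from a known-good image and stored off the host, so that an attacker who reaches kernel level cannot rewrite the reference hashes along with the files.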

Forensic investigators are tasked with continuously assessing the different processes scheduled on the system and identifying any unrequested permissions that an executable file might ask for. They also have to go through all the system processes running in the background to identify any garbage processes. Identifying these processes is the most effective method for rooting out the process that might carry the RCE exploit (Anusha, 2020). Once the exploit has been identified, the executable file generated on the system has to be scanned for any digital signature, which provides certain system specifications of the machine that was used to generate the file. Gathering the digital signature information from the exploits gives a brief idea of the system used to initiate the attack. Continuously assessing the logs from each of the open ports that might have been used for the attack allows the investigator to trace back the origin point from which the file was injected into the system.
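The procedure in the paragraph above (review the running processes, check whether an executable carries a signature, then work through the logs of the port it listened on to find where the connection came from) can be scripted as a triage step. The following is an added example, not code from the assignment or any tool it names: the process snapshot, socket table and firewall log lines are constructed for the demonstration, and the list of user-writable path fragments used to flag a process is an assumed heuristic rather than anything the page states.

```python
"""Triage a constructed process list, socket table and firewall log to tie a
suspicious process to the port it listens on and to the first remote address
that reached that port.

Added example for this page, not code from any tool the page names. The three
line formats below are constructed for this demonstration; a real investigation
would feed the same functions with output from the host's own tooling.
"""
from __future__ import annotations

import re
from datetime import datetime

# Constructed process snapshot: pid, image path, whether the image carries a valid signature.
PROCESS_LINES = [
    "pid=412 path=C:/Windows/System32/svchost.exe signed=yes",
    "pid=1188 path=C:/Program Files/App/app.exe signed=yes",
    "pid=2210 path=C:/Users/alice/AppData/Local/Temp/update.exe signed=no",
]

# Constructed listening-socket table (netstat-style).
SOCKET_LINES = [
    "tcp 0.0.0.0:445 LISTEN pid=4",
    "tcp 0.0.0.0:8080 LISTEN pid=1188",
    "tcp 0.0.0.0:4444 LISTEN pid=2210",
]

# Constructed inbound firewall log: timestamp, action, protocol, src -> dst.
FIREWALL_LINES = [
    "2021-03-02T10:14:07Z ALLOW TCP 203.0.113.45:51122 -> 10.0.0.5:4444",
    "2021-03-02T10:02:51Z ALLOW TCP 198.51.100.7:40211 -> 10.0.0.5:8080",
    "2021-03-02T09:58:30Z ALLOW TCP 203.0.113.45:50990 -> 10.0.0.5:4444",
    "2021-03-02T10:20:00Z DROP TCP 192.0.2.9:33000 -> 10.0.0.5:4444",
]

# Path fragments that service binaries normally do not run from (assumed heuristic).
SUSPICIOUS_PATH_PARTS = ("/Temp/", "/AppData/", "/tmp/", "/Downloads/")

PROC_RE = re.compile(r"pid=(\d+) path=(.+?) signed=(yes|no)$")
SOCK_RE = re.compile(r"tcp \S+:(\d+) LISTEN pid=(\d+)")
FW_RE = re.compile(r"(\S+) (ALLOW|DROP) TCP (\S+):\d+ -> \S+:(\d+)")


def parse_processes(lines: list[str]) -> dict[int, dict]:
    """Map pid -> {"path", "signed"} from the process snapshot lines."""
    procs: dict[int, dict] = {}
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            procs[int(m.group(1))] = {"path": m.group(2), "signed": m.group(3) == "yes"}
    return procs


def flag_processes(procs: dict[int, dict]) -> list[int]:
    """Pids whose image is unsigned or runs from a user-writable location."""
    return sorted(
        pid for pid, info in procs.items()
        if not info["signed"] or any(part in info["path"] for part in SUSPICIOUS_PATH_PARTS)
    )


def listeners_by_pid(lines: list[str]) -> dict[int, list[int]]:
    """Map pid -> list of TCP ports it listens on."""
    ports: dict[int, list[int]] = {}
    for line in lines:
        m = SOCK_RE.match(line)
        if m:
            ports.setdefault(int(m.group(2)), []).append(int(m.group(1)))
    return ports


def first_remote_contact(lines: list[str], port: int):
    """Earliest ALLOWed inbound connection to port: (timestamp, source ip) or None."""
    hits = []
    for line in lines:
        m = FW_RE.match(line)
        if m and m.group(2) == "ALLOW" and int(m.group(4)) == port:
            hits.append((datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(3)))
    return min(hits) if hits else None


def triage(process_lines: list[str], socket_lines: list[str], firewall_lines: list[str]) -> list[dict]:
    """Tie each flagged process to its listening ports and the first remote contact."""
    procs = parse_processes(process_lines)
    ports = listeners_by_pid(socket_lines)
    findings = []
    for pid in flag_processes(procs):
        for port in ports.get(pid, []):
            contact = first_remote_contact(firewall_lines, port)
            findings.append({
                "pid": pid,
                "path": procs[pid]["path"],
                "port": port,
                "first_seen": contact[0].isoformat() if contact else None,
                "source_ip": contact[1] if contact else None,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESS_LINES, SOCKET_LINES, FIREWALL_LINES):
        print(finding)
```

The earliest allowed connection, not the most recent, is the one worth recording: it marks when the listener first became reachable, which is the time window the disk and registry snapshots should then be compared against.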

Conclusion

This assignment has focused on providing an elaborate analysis of the different types of vulnerabilities that attackers use to perform RCE attacks. It gives a descriptive explanation of the mechanism of the exploit, which is used to perform several operations on a system remotely. Every use case of the exploit has been discussed in detail, providing a clear outline of the threat posed by the bug present in the system. It also carries an elaborate explanation of the forensic tools that can be used to track down the bug present within the system and lays out the different procedures that can be carried out to identify, eliminate and retrace the origin point of the exploit injected into the system. It can be concluded that cyber forensics plays a vital part in the identification and elimination of any threats that might be encountered from exploits.



References

Anusha, Z. F. (2020). Automatic Verification of a Remote Code Execution Vulnerability Detection Model Using the SPIN Model Checker. Retrieved from http://dspace.daffodilvarsity.edu.bd:8080/handle/123456789/5168

Biswas, S., Sajal, M. M. H. K., Afrin, T., Bhuiyan, T., & Hassan, M. M. (2018). A study on remote code execution vulnerability in web applications. In International Conference on Cyber Security and Computer Science (ICONCS 2018). Retrieved from http://indexive.com/uploads/papers/pap_indexive15506771062147483647.pdf

Block, F., & Dewald, A. (2019). Windows memory forensics: detecting (un)intentionally hidden injected code by examining page table entries. Digital Investigation, 29, S3-S12. Retrieved from https://www.sciencedirect.com/science/article/pii/S1742287619301574

Hassan, M. M., Mustain, U., Khatun, S., Karim, M. S. A., Nishat, N., & Rahman, M. (2020). Quantitative Assessment of Remote Code Execution Vulnerability in Web Apps. In InECCE2019 (pp. 633-642). Springer, Singapore. Retrieved from https://link.springer.com/chapter/10.1007/978-981-15-2317-5_53

Michael, N., Mink, J., Liu, J., Gaur, S., Hassan, W. U., & Bates, A. (2020, December). On the Forensic Validity of Approximated Audit Logs. In Annual Computer Security Applications Conference (pp. 189-202). Retrieved from https://dl.acm.org/doi/abs/10.1145/3427228.3427272

Mohamed, N. A., Jantan, A., & Abiodun, O. I. (2018). Protect Governments, and organizations Infrastructure against Cyber Terrorism (Mitigation and Stop of Server Message Block (SMB) Remote Code Execution Attack). International Journal of Engineering, 11(2), 261-272. Retrieved from https://www.researchgate.net/profile/Oludare_Abiodun/publication/326892811_Protect_Governments_and_organizations_Infrastructure_against_Cyber_Terrorism_Mitigation_and_Stop_of_Server_Message_Block_SMB_Remote_Code_Execution_Attack/links/5b70301a299bf14c6d9acd11/Protect-Governments-and-organizations-Infrastructure-against-Cyber-Terrorism-Mitigation-and-Stop-of-Server-Message-Block-SMB-Remote-Code-Execution-Attack.pdf
