Slide 1

NoSQL Forensics: What to Do with (No)ARTIFACTS
Matt Bromiley, Senior Consultant, Mandiant
© Mandiant, a FireEye Company. All rights reserved.

Slide 2

Agenda
•  $ whoami
•  Why Does this Matter?
•  Examining MongoDB Artifacts
   •  Config File
   •  CRUD Artifacts
   •  User Sessions
   •  In-Row Data
   •  Searching Through Memory
•  NoSQL Triage
•  Q&A

Slide 3

$ whoami

Slide 4

$ whoami
•  Currently a Senior Consultant with Mandiant
•  4+ years experience with a focus on data breaches, incident response, network security monitoring, and digital forensics
•  Work with clients from small, regional shops to multinational Fortune 50s
•  LOVE to develop & work with open source forensic tools
•  LOVE to share, teach (woohoo FOR508!), learn, and help others improve (while improving myself!)
Tweet/Git/Blog: [@]505Forensics[.com]

Slide 5

Why Does This Matter?

Slide 6

Why Does This Matter?
•  With Microsoft, Oracle, SAP, and IBM leading the pack, who cares about NoSQL?!
•  NoSQL is on the rise!
   •  Easy to deploy
   •  Web app friendly
   •  APIs out the …
•  Open-source, so lots and lots of players
   •  MongoDB
   •  Elastic(search)
   •  Couchbase
   •  Cassandra
   •  Hadoop
(Figure: Gartner's Magic Quadrant)

Slide 7

Why Does This Matter? (cont.)
•  Who's Using This Stuff?
   •  MongoDB: ADP, The Weather Channel, MetLife, City of Chicago
   •  Elastic(search): Netflix, Target, LinkedIn, OpenTable, GitHub
   •  Couchbase: BMW, U.S. Senate, Comcast, Starbucks, eBay, AOL
   •  Hadoop: eBay, Expedia, Kayak, Samsung
•  Even with all this support...the default sucks!
   •  Security is not a primary consideration
   •  Ease of coding, data accessibility > data security

Slide 8

Why Does This Matter? (cont.)
•  Reports are being published on Internet-facing MongoDB servers with little or NO authentication
   •  Three students from the University of Saarland in Germany published a report in January 2015 of nearly 40,000 MongoDB databases openly available on the Internet
   •  Shodan can be used to scan for NoSQL databases
https://cispa.saarland/wp-content/uploads/2015/02/MongoDB_documentation.pdf

Slide 9

Examining MongoDB Artifacts

Slide 10

Examining MongoDB Artifacts
•  Config File
   •  /etc/mongodb.conf
   •  First place to look!
   •  Logging
      •  Where
      •  What
      •  How
   •  Security
      •  Authentication On/Off?
   •  Access
      •  IP Address
      •  Connection Ports
      •  Web Server

Slide 11

Examining MongoDB Artifacts
•  CRUD Operations
   λ  CREATE
      $ mongo
      > use testdata
      switched to db testdata
      > db.blog.insert({"Title":"My First Post","Author":"505Forensics"})

Slide 12

Examining MongoDB Artifacts
•  CRUD Operations (cont.)
   Log Output (screenshots of the insert as logged by v2.x and by v3.x)

Slide 13

Examining MongoDB Artifacts
•  CRUD Operations
   λ  READ
      > db.blog.findOne()
      { "_id" : ObjectId("55879d3aeca5d08121fe1118"), "Title" : "My New Blog", "Author" : "505Forensics" }

Slide 14

Examining MongoDB Artifacts
•  CRUD Operations (cont.)
   Log Output… (screenshot of the read as logged)

Slide 15

Examining MongoDB Artifacts
•  CRUD Operations
   λ  UPDATE
      > post = db.blog.findOne()
      > post.comments = [{"Comment 1":"This is a comment!"},{"Comment 2":"This is another comment!"}]
      > db.blog.update({"Title":"My New Blog"},post)

Slide 16

Examining MongoDB Artifacts
•  CRUD Operations (cont.)
   Log Output… (screenshot of the update as logged)

Slide 17

Examining MongoDB Artifacts
•  CRUD Operations
   λ  DELETE
      > db.blog.remove({"Title":"My New Blog"})

Slide 18

Examining MongoDB Artifacts
•  CRUD Operations (cont.)
   Log Output… (screenshot of the delete as logged)

Slide 19

Examining MongoDB Artifacts
•  CRUD Operations
   λ  In summary:
      •  Default logging SUCKS!
      •  Importance of config file to find other artifacts of relevance
         •  External logs
         •  Default port: 27017
         •  Authentication
      •  Turn to other artifacts within MongoDB to identify information around data
         •  User session IDs
         •  IP addresses/ports
         •  Timestamps within records
         •  Memory dump

Slide 20

Examining MongoDB Artifacts
•  User Sessions
   •  Upon connection, each user session is assigned an ID #
   •  Use the conn# to track user activity
   •  Captures interactive user sessions
   •  Also captures API/script interactions
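Tracking a client by its conn#, as an added example (not from the deck or the nosql_triage script): the log lines are constructed and modelled on the mongod 3.x format, and the regexes that pick out the "connection accepted ... #N" line and the later "[connN]" lines are assumptions to adjust for other versions.

```python
"""Reconstruct client sessions from mongod log lines by conn# (added example).
The regexes assume the 3.x log layout; adjust them for 2.x logs."""
import re
from collections import defaultdict

# Constructed sample log lines, modelled on the mongod 3.x format.
SAMPLE_LOG = """\
2015-06-22T05:29:30.101+0000 I NETWORK  [initandlisten] connection accepted from 10.0.0.5:52034 #3 (1 connection now open)
2015-06-22T05:29:31.210+0000 I WRITE    [conn3] insert testdata.blog query: { _id: ObjectId('55879d3aeca5d08121fe1118'), Title: "My New Blog", Author: "505Forensics" } ninserted:1 0ms
2015-06-22T05:29:40.005+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.9:41000 #4 (2 connections now open)
2015-06-22T05:29:41.330+0000 I QUERY    [conn4] query testdata.blog planSummary: COLLSCAN ntoreturn:1 nreturned:1 0ms
2015-06-22T05:29:42.010+0000 I WRITE    [conn4] remove testdata.blog query: { Title: "My New Blog" } ndeleted:1 0ms
2015-06-22T05:29:43.000+0000 I NETWORK  [conn4] end connection 203.0.113.9:41000 (1 connection now open)
2015-06-22T05:29:50.000+0000 I NETWORK  [conn3] end connection 10.0.0.5:52034 (0 connections now open)
"""

# "connection accepted from <ip:port> #<n>" ties a conn# to its source address.
ACCEPT_RE = re.compile(r"^(\S+) .*connection accepted from (\S+) #(\d+)")
# Every later line for that client is tagged [conn<n>].
CONN_RE = re.compile(r"^(\S+) I (\w+)\s+\[conn(\d+)\] (.*)$")

def reconstruct_sessions(log_text):
    """Return {conn#: {source, start, end, ops}} with ops as (ts, component, verb namespace)."""
    sessions = defaultdict(lambda: {"source": None, "start": None, "end": None, "ops": []})
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            ts, src, conn = m.groups()
            sessions[conn].update(source=src, start=ts)
            continue
        m = CONN_RE.match(line)
        if not m:
            continue
        ts, component, conn, msg = m.groups()
        if msg.startswith("end connection"):
            sessions[conn]["end"] = ts
        else:
            # Keep just the verb and namespace, e.g. "remove testdata.blog".
            sessions[conn]["ops"].append((ts, component, " ".join(msg.split()[:2])))
    return dict(sessions)

def ops_by_source(log_text):
    """Pivot to the question an analyst asks first: which client address did what?"""
    return {s["source"]: [op[2] for op in s["ops"]]
            for s in reconstruct_sessions(log_text).values()}

if __name__ == "__main__":
    for conn, s in sorted(reconstruct_sessions(SAMPLE_LOG).items()):
        print(f"conn{conn} {s['source']} {s['start']} -> {s['end']}: {[o[2] for o in s['ops']]}")
```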

Slide 21

Examining MongoDB Artifacts
•  In-Row Data
   λ  By default, Mongo will add an '_id' field if not provided by data entry
      > db.blog.findOne()
      { "_id" : ObjectId("55879d3aeca5d08121fe1118") ..snip.. }
   •  ID has a 12-byte structure:
      •  4-byte timestamp
      •  3-byte machine identifier
      •  2-byte process id
      •  3-byte random counter

Slide 22

Examining MongoDB Artifacts
•  Memory Dump
   •  We can also look to system memory dumps to carve MongoDB sessions/in-memory data
   •  Use what we know about data structure, commands, collections to build regex queries for memory strings
      •  Every entry has an "_id" field
      •  Mongo is stored in JSON
      •  CRUD commands have structure
         •  db..insert({
         •  db..findOne()
         •  db..remove({
         •  etc…
   •  Dump memory strings, search for what we know

Slide 23

Examining MongoDB Artifacts
•  Memory Dump (cont.)
   $ strings mem.dump | grep '{ "_id"'
   (Screenshot of matching strings, annotated: Timestamps, Machine ID, Process ID)

Slide 24

Examining MongoDB Artifacts
•  Memory Dump (cont.)
   $ strings mem.dump | grep 'db.testData'
   $ strings mem.dump | grep 'testData'
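The ObjectId layout from the In-Row Data slide and the regex carving from the Memory Dump slides, combined in one added example (not from the deck or the nosql_triage script): SAMPLE_STRINGS is a constructed stand-in for `strings mem.dump` output, and the two regexes are assumptions built from the structure the slides describe.

```python
"""Decode MongoDB ObjectIds carved from memory-dump strings (added example).
SAMPLE_STRINGS stands in for `strings mem.dump` output and is constructed."""
import re
import struct
from datetime import datetime, timezone

# Constructed stand-in for `strings mem.dump` output: documents mixed with
# the shell commands that produced them and a line of unrelated noise.
SAMPLE_STRINGS = """\
{ "_id" : ObjectId("55879d3aeca5d08121fe1118"), "Title" : "My New Blog", "Author" : "505Forensics" }
@@noise@@from@@another@@process@@
db.blog.insert({"Title":"My First Post","Author":"505Forensics"})
{ "_id" : ObjectId("55879d3aeca5d08121fe1119"), "Title" : "Second Post", "Author" : "505Forensics" }
db.blog.remove({"Title":"My New Blog"})
"""

# Regexes built from what we know about the data: every document carries an
# _id, and shell CRUD calls follow db.<collection>.<verb>(.
OBJECTID_RE = re.compile(r'ObjectId\("([0-9a-fA-F]{24})"\)')
CRUD_RE = re.compile(r"db\.(\w+)\.(findOne|find|insert|update|remove)\(")

def parse_objectid(hex_id):
    """Split a 24-hex-char ObjectId into the 12-byte layout from the slide:
    4-byte big-endian Unix timestamp, 3-byte machine id, 2-byte pid, 3-byte counter."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("ObjectId must be exactly 12 bytes")
    ts = struct.unpack(">I", raw[:4])[0]
    return {
        "timestamp": ts,
        "utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "machine": raw[4:7].hex(),
        "pid": struct.unpack(">H", raw[7:9])[0],
        "counter": int.from_bytes(raw[9:12], "big"),
    }

def carve(strings_output):
    """Return (decoded ObjectIds, [(collection, verb), ...]) found in strings output."""
    ids = [parse_objectid(h) for h in OBJECTID_RE.findall(strings_output)]
    return ids, CRUD_RE.findall(strings_output)

if __name__ == "__main__":
    ids, cmds = carve(SAMPLE_STRINGS)
    for d in ids:
        print(d["utc"], d["machine"], d["pid"], d["counter"])
    print(cmds)
```

The decoded timestamp gives the document's creation time even when the record itself carries no date field, and two documents sharing machine id and pid with adjacent counters were written by the same mongod process.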

Slide 25

NoSQL Triage

Slide 26

NoSQL Triage
•  NoSQL Triage
   •  Let's say we encounter a MongoDB…what do we want to know?
      •  DB information
      •  Tables, collections, "schemas"
      •  Users
      •  Recent operations/changes
      •  Size of cluster (if > 1)
   •  Sources of data:
      •  Config file
      •  Other logs
      •  MongoDB itself!
         •  HTTP interface
         •  Mongo commands
         •  Javascript

Slide 27

NoSQL Triage
•  NoSQL Triage (cont.)
   •  MongoDB has a built-in web interface that is disabled by default (thankfully!), but may be turned on – look in the logs
   •  Good source of information

Slide 28

NoSQL Triage
•  NoSQL Triage (cont.)
   •  MongoDB has a range of built-in diagnostic commands that can be used to profile a running instance
      •  mongostat – Provides a quick overview of a running instance
      •  Can be used for remote servers

Slide 29

NoSQL Triage
•  NoSQL Triage (cont.)
   •  MongoDB has a range of built-in diagnostic commands that can be used to profile a running instance
      •  mongotop – Provides time tracking of operations
      •  Great for DB/collection breakdown!
      •  Can be used for remote servers

Slide 30

NoSQL Triage
•  NoSQL Triage (cont.)
   •  MongoDB has a range of built-in diagnostic commands that can be used to profile a running instance
      •  mongosniff – Basically tcpdump for MongoDB
      •  Not normally available in production environments; requires special build instructions
      •  However! Wireshark can also parse MongoDB traffic

Slide 31

NoSQL Triage
•  NoSQL Triage (cont.)
   •  PCAP: (screenshot)
   •  MongoDB Log: (screenshot)

Slide 32

NoSQL Triage
•  NoSQL Triage (cont.)
   •  MongoDB also has a wide range of administration commands built-in
   •  JavaScript-function format
      $ mongo
      > db.serverStatus()

Slide 33

Examining MongoDB Artifacts
•  NoSQL Triage (cont.)
   •  We can also pass JavaScript commands directly through the terminal to pull back information
   •  For example:
      mongo --eval "printjson(db.serverStatus())"
   •  We can script it…we have the technology!

Slide 34

Examining MongoDB Artifacts
•  NoSQL Triage – Tool Time! (screenshot)

Slide 35

Examining MongoDB Artifacts
•  MongoDB Triage Script – v0.1 (screenshot)

Slide 36

Examining MongoDB Artifacts
•  MongoDB Triage Script – v0.1 (screenshot, cont.)

Slide 37

Examining MongoDB Artifacts
•  MongoDB Triage Script – v0.1
   Example: serverstatus, databases (screenshot of the script's output)

Slide 38

Examining MongoDB Artifacts
•  NoSQL Triage Scripts
   •  Free all the things!
   •  https://github.com/505Forensics/nosql_triage
   •  If this has any interest to you, I'd love feedback!
   •  Currently only MongoDB bash
   •  Elasticsearch, CouchDB, Hadoop, and Couchbase quickly on the way
   •  If you've encountered NoSQL, let me know how these can be modified to assist you

Slide 39

Conclusion

Slide 40

And with that... Any questions?

Slide 41

THANK YOU!