CanSecWest Vancouver 2020

Site menu:

Register | Conference | Dojo | Speakers | Agenda | Slides | Hotel & Travel | Contact

Security Masters Dojo

Advanced and intermediate security training and technology enhancement for information security professionals.

Finding Firmware Implants: an Incident Response and Forensics Guide

Register for March 16-17, 2020 (2-day Course)

Instructor(s):
Jesse Michael, Rick Altherr

Description

Firmware implants have been gaining momentum as an attack vector especially for Advanced Persistent Threats. How do you detect them? What are they capable of? How can you capture them for further study and remove them from a device?

This is a two day course diving into the tools and techniques used to extract system firmware from a system, unpack the contents, and analyze them for signs of tampering. Hardware Root of Trust systems such as Intel Boot Guard will be explained along with techniques used to subvert them.

Hands-on labs will provide each attendee with an opportunity to practice on an infected system including:

• Finding reference firmware images for a system
• Dumping firmware both internally, with software running on a target system, and externally via a hardware programmer
• Desoldering of system flash ICs
• Use various tools to understand and unpack firmware contents

PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.

Course Outline

Day 1:
• What exactly is firmware?
• Overview on multitude of firmwares present in a modern PC
• Hands-On: Locating reference firmware images for target systems
• Internal methods of dumping firmware
• Hands-On: Dumping UEFI via MMIO and SPI
• Firmware image structure and tools
• Hands-On: Exploring UEFI firmware contents
• Hands-On: Exploring BMC firmware contents
• Hardware Root of Trust systems and their weaknesses
Day 2:
• External methods of dumping firmware
• Hands-On: chip-clip method
• Hands-On: desolder flash IC and use ZIF socket
• Anatomy of a UEFI implant: LoJax
• Hands-On: find implants in dumps
• Remediation difficulties

When you finish this class:

• You will be familiar with hardware root of trust systems and their limitations
• You will know how to perform both internal and external dumping of firmware
• You will be able to extract and analyze UEFI and BMC firmware contents
• You will have an understanding on how to detect firmware implants

Who Should Take This Course:

This course is designed for incident responders and forensic analysts of all experience levels.

Pre-requisites:

• An Intel based laptop with Minimum 8GB of RAM, 50GB of free storage space, and Unused USB Type A port
• Either Ubuntu 18.04 LTS installed or Be able to boot from USB 3.1 Type A storage device
• Familiarity with Linux command-line

Sponsors:

More Information:

Sponsorship Information |

Wise words:

"Sen Sen No Waza - to strike the opponent after he has formed the intention to attack and has committed to a specific motion."

Copyright © dragostech.com inc. All Rights Reserved.