BLACK HAT - Researchers: Forensics software can be hacked

Researchers have found security flaws in the software used to gather forensic evidence

The software that police and enterprise security teams use to investigate wrongdoing on computers is not as secure as it should be, according to researchers with Isec Partners.

The San Francisco security company has spent the past six months investigating two forensic investigation programs, Guidance Software's EnCase, and an open-source product called The Sleuth Kit. They have discovered about a dozen bugs that could be used to crash the programs or possibly even install unauthorized software on an investigator's machine, according to Alex Stamos, a researcher and founding partner with Isec Partners.

Researchers have been hacking forensics tools for years, but have traditionally focused on techniques that intruders could use to cover their tracks and thwart forensic investigations. The Isec team has taken a different tack, however, creating hacking tools that can be used to pound the software with data, looking for flaws.

Based on their findings, Stamos's team believes that the EnCase software is not written as securely as it should and could theoretically be exploited by an attacker.

"What Guidance needs to do is change their production and their quality assurance practices," Stamos said. "We looked at a small portion of the functionality of EnCase and we found that there are lots of bug that can make it impossible for somebody to complete their work,"he said. "Basically we can make it impossible to open up a hard drive and look at it."

Isec is holding the technical details of its findings close to its chest, and is not saying whether any bugs they found could be exploited to do something much worse: install unauthorized software on a PC.

But the team will be disclosing some information at next week's Black Hat conference in Las Vegas, Stamos said.

What exactly will be disclosed? The Sleuth Kit project has already patched the flaws Isec has found, so those flaws will be made public. Details on EnCase may be released if the product is patched by then, Stamos said. Isec will also release the debugging and "fuzzing" tools it used to find these flaws, he added.

The Isec research looks interesting, but will probably not have a major impact on the lives of forensic researchers, said Jim Butterworth, Guidance's director of incident response.

Because forensic systems are typically not connected to external networks, they cannot be remotely controlled via the Internet, he said. So even if an attacker could use these techniques to compromise one forensic snapshot of a system, a second forensic tool would provide the real picture. "It's just not that big of a threat because I know a lot of other mitigating steps to take," he said. "A well-trained person does not use a single tool."

Another forensic researcher agreed that the Isec Partners research is interesting, but of limited use to criminals.

That's because most serious attackers are already good enough at covering their tracks that they will never be caught, according to James C. Foster, president and chief scientist at Ciphent Inc. "If you're an attacker you can basically beat the system," he said. "In my opinion, the bigger problem is that the product is not going to provide the data that you want."

However, there is one group that may pay special attention to the Stamos team: defense lawyers. If Isec shows that unauthorized software could have been run on an investigator's PC, it could ultimately undermine the usefulness of these forensic tools in court, said Chris Ridder, residential fellow at the Stanford University Law School Center for Internet and Society

"The big risk is for someone to execute arbitrary code," he said "If there's a risk that the evidence has been compromised or if something has been planted by a third party... then you can call into question the accuracy of the software and possibly get it thrown out."

Butterworth, who has been grilled many times by defense lawyers, agreed. "I wouldn't put anything past a defense attorney ," he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?