Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/30/2007
09:50 AM
50%
50%

Fighting Forensics

New research exploits vulnerabilities found in popular computer forensics tools

5:50 PM -- Ever heard of antiforensics? Don't be surprised if you haven't. It's only recently received mainstream recognition, partly due to a presentation scheduled this week at Black Hat USA 2007 by three researchers from ISEC Partners.

According to a new report, researchers have uncovered bugs in both Guidance Software's Encase Forensic software and Brian Carrier's open source SleuthKit.

While Guidance Software provided a particularly lengthy explanation (some might call it an excuse) as to why these bugs may or may not be worthy of attention, Brian Carrier has already patched the bugs found in the SleuthKit. How's that for open source software support?

Antiforensics isn't a new field of study, nor is it new to Black Hat. It's been covered several times since 2003, starting with the grugq's first presentation "The Art of Defiling: Defeating Forensic Analysis on Unix File Systems" and his second presentation in 2005, "The Art of Defiling: Defeating Forensic Analysis." The 2005 Black Hat conference also featured "Catch Me If You Can: Exploiting Encase, Microsoft, Computer Associates, and the Rest of the Bunch" from James Foster and Vincent Liu of the Metasploit Project's antiforensics team.

While antiforensics has been around for several years, the ISEC research takes a new tack. It mirrors the threats we're seeing in IT security -- more and more attacks that rely on user interaction and vulnerabilities in the user's software, not exploiting network services.

Before, antiforensics used techniques to alter the filesystem to obfuscate data, or simply destroy it in order cover attacker's tracks. Now, bugs in the forensic investigator's tools can be leveraged to crash the software preventing analysis or run arbitrary code on the investigator's machine.

Impossible, you (and Guidance Software) say? Here, swallow this red pill and realize a world where forensic tools have been introduced into court as a trusted part of a forensic investigator's methodology. Those same trusted tools can now be exploited to not only hide data in the current investigation, but in future investigations as well.

In this scenario, we see the equivalent of a rootkit hijacking the filesystem's API to prevent itself from being found. The simple act of analyzing a forensic image of a filesystem would exploit the forensic tool, causing the attacker's code to execute and patching the forensic tool's binary.

It then crashes the tool's current running process and causes the investigator to rerun the tool, which loads the patched binary. The attacker's tools and tracks are now permanently hidden, or even spoofed, in order to cause misdirection and lead the investigator along a wild goose chase.

Doesn't sound all that far-fetched, does it? Wondering why you spent all that money on forensic training and tools that may not live up to their promises?

Now take the blue pill. You'll wake up feeling right as rain -- as long as you don't remember what those guys from ISEC will be demonstrating this week.

— John H. Sawyer is a security geek who works in the IT organization at the University of Florida and enjoys taking long, warm walks on the beach and riding ponies. When he's not fighting flaming, malware-infested machines or performing autopsies on fried servers, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading

  • Guidance Software Inc.

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    News
    Inside the Ransomware Campaigns Targeting Exchange Servers
    Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
    Commentary
    Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
    Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2021-31414
    PUBLISHED: 2021-04-16
    The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
    CVE-2021-26073
    PUBLISHED: 2021-04-16
    Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
    CVE-2021-26074
    PUBLISHED: 2021-04-16
    Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...
    CVE-2018-19942
    PUBLISHED: 2021-04-16
    A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 build 20210202 (and later) QT...
    CVE-2021-27691
    PUBLISHED: 2021-04-16
    Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN , and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request...