Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/30/2007
09:50 AM
50%
50%

Fighting Forensics

New research exploits vulnerabilities found in popular computer forensics tools

5:50 PM -- Ever heard of antiforensics? Don't be surprised if you haven't. It's only recently received mainstream recognition, partly due to a presentation scheduled this week at Black Hat USA 2007 by three researchers from ISEC Partners.

According to a new report, researchers have uncovered bugs in both Guidance Software's Encase Forensic software and Brian Carrier's open source SleuthKit.

While Guidance Software provided a particularly lengthy explanation (some might call it an excuse) as to why these bugs may or may not be worthy of attention, Brian Carrier has already patched the bugs found in the SleuthKit. How's that for open source software support?

Antiforensics isn't a new field of study, nor is it new to Black Hat. It's been covered several times since 2003, starting with the grugq's first presentation "The Art of Defiling: Defeating Forensic Analysis on Unix File Systems" and his second presentation in 2005, "The Art of Defiling: Defeating Forensic Analysis." The 2005 Black Hat conference also featured "Catch Me If You Can: Exploiting Encase, Microsoft, Computer Associates, and the Rest of the Bunch" from James Foster and Vincent Liu of the Metasploit Project's antiforensics team.

While antiforensics has been around for several years, the ISEC research takes a new tack. It mirrors the threats we're seeing in IT security -- more and more attacks that rely on user interaction and vulnerabilities in the user's software, not exploiting network services.

Before, antiforensics used techniques to alter the filesystem to obfuscate data, or simply destroy it in order cover attacker's tracks. Now, bugs in the forensic investigator's tools can be leveraged to crash the software preventing analysis or run arbitrary code on the investigator's machine.

Impossible, you (and Guidance Software) say? Here, swallow this red pill and realize a world where forensic tools have been introduced into court as a trusted part of a forensic investigator's methodology. Those same trusted tools can now be exploited to not only hide data in the current investigation, but in future investigations as well.

In this scenario, we see the equivalent of a rootkit hijacking the filesystem's API to prevent itself from being found. The simple act of analyzing a forensic image of a filesystem would exploit the forensic tool, causing the attacker's code to execute and patching the forensic tool's binary.

It then crashes the tool's current running process and causes the investigator to rerun the tool, which loads the patched binary. The attacker's tools and tracks are now permanently hidden, or even spoofed, in order to cause misdirection and lead the investigator along a wild goose chase.

Doesn't sound all that far-fetched, does it? Wondering why you spent all that money on forensic training and tools that may not live up to their promises?

Now take the blue pill. You'll wake up feeling right as rain -- as long as you don't remember what those guys from ISEC will be demonstrating this week.

— John H. Sawyer is a security geek who works in the IT organization at the University of Florida and enjoys taking long, warm walks on the beach and riding ponies. When he's not fighting flaming, malware-infested machines or performing autopsies on fried servers, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading

  • Guidance Software Inc.

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Overcoming the Challenge of Shorter Certificate Lifespans
    Mike Cooper, Founder & CEO of Revocent,  10/15/2020
    7 Tips for Choosing Security Metrics That Matter
    Ericka Chickowski, Contributing Writer,  10/19/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    Special Report: Computing's New Normal
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    How IT Security Organizations are Attacking the Cybersecurity Problem
    How IT Security Organizations are Attacking the Cybersecurity Problem
    The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-27605
    PUBLISHED: 2020-10-21
    BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
    CVE-2020-27606
    PUBLISHED: 2020-10-21
    BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
    CVE-2020-27607
    PUBLISHED: 2020-10-21
    In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
    CVE-2020-27608
    PUBLISHED: 2020-10-21
    In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
    CVE-2020-27609
    PUBLISHED: 2020-10-21
    BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.