7/30/2007
09:50 AM

Fighting Forensics

New research exploits vulnerabilities found in popular computer forensics tools

5:50 PM -- Ever heard of antiforensics? Don't be surprised if you haven't. It's only recently received mainstream recognition, partly due to a presentation scheduled this week at Black Hat USA 2007 by three researchers from ISEC Partners.

According to a new report, researchers have uncovered bugs in both Guidance Software's EnCase Forensic software and Brian Carrier's open source SleuthKit.

While Guidance Software provided a particularly lengthy explanation (some might call it an excuse) as to why these bugs may or may not be worthy of attention, Brian Carrier has already patched the bugs found in the SleuthKit. How's that for open source software support?

Antiforensics isn't a new field of study, nor is it new to Black Hat. It's been covered several times since 2003, starting with the grugq's first presentation "The Art of Defiling: Defeating Forensic Analysis on Unix File Systems" and his second presentation in 2005, "The Art of Defiling: Defeating Forensic Analysis." The 2005 Black Hat conference also featured "Catch Me If You Can: Exploiting Encase, Microsoft, Computer Associates, and the Rest of the Bunch" from James Foster and Vincent Liu of the Metasploit Project's antiforensics team.

While antiforensics has been around for several years, the ISEC research takes a new tack. It mirrors the threats we're seeing in IT security -- more and more attacks that rely on user interaction and vulnerabilities in the user's software, not exploiting network services.

Before, antiforensics used techniques that altered the filesystem to obfuscate data, or simply destroyed it in order to cover the attacker's tracks. Now, bugs in the forensic investigator's tools can be leveraged to crash the software, preventing analysis, or to run arbitrary code on the investigator's machine.

Impossible, you (and Guidance Software) say? Here, swallow this red pill and realize a world where forensic tools have been introduced into court as a trusted part of a forensic investigator's methodology. Those same trusted tools can now be exploited to not only hide data in the current investigation, but in future investigations as well.

In this scenario, we see the equivalent of a rootkit hijacking the filesystem's API to prevent itself from being found. The simple act of analyzing a forensic image of a filesystem would exploit the forensic tool, causing the attacker's code to execute and patch the forensic tool's binary.

The code then crashes the tool's running process, causing the investigator to rerun the tool, which loads the patched binary. The attacker's tools and tracks are now permanently hidden, or even spoofed, in order to cause misdirection and lead the investigator on a wild goose chase.
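The scenario hinges on the investigator relaunching a tool whose binary changed on disk after a crash. As an added example (not from the article or from either vendor), the following sketch checks tool binaries against a known-good SHA-256 baseline before every launch; the file name and bytes are constructed, and it assumes the baseline and this checker are kept on read-only media outside the analysis workstation's reach.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large tool binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths):
    """Record known-good digests once, on a freshly installed workstation."""
    return {os.path.abspath(p): sha256_file(p) for p in paths}

def verify_before_launch(baseline):
    """Return (path, reason) for every binary that no longer matches the baseline."""
    problems = []
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            problems.append((path, "missing"))
        elif sha256_file(path) != expected:
            problems.append((path, "modified"))
    return problems

def demo():
    """Constructed walk-through: a stand-in tool binary changes between two runs."""
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "forensic_tool.bin")  # hypothetical file name
        with open(tool, "wb") as f:
            f.write(b"\x7fELF" + b"original tool code" * 64)  # constructed bytes
        baseline = build_baseline([tool])
        first_run = verify_before_launch(baseline)  # clean install: no findings
        # Simulate the tool crashing after its on-disk binary was altered.
        with open(tool, "r+b") as f:
            f.seek(100)
            f.write(b"XXXX")
        rerun = verify_before_launch(baseline)  # must flag the binary before relaunch
        return first_run, [(os.path.basename(p), why) for p, why in rerun]

if __name__ == "__main__":
    clean, after_crash = demo()
    print("first run findings:", clean)
    print("rerun findings:", after_crash)
```

A non-empty result after an unexpected crash is the signal to stop, preserve the workstation as evidence in its own right, and continue the examination from a clean system.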

Doesn't sound all that far-fetched, does it? Wondering why you spent all that money on forensic training and tools that may not live up to their promises?

Now take the blue pill. You'll wake up feeling right as rain -- as long as you don't remember what those guys from ISEC will be demonstrating this week.

— John H. Sawyer is a security geek who works in the IT organization at the University of Florida and enjoys taking long, warm walks on the beach and riding ponies. When he's not fighting flaming, malware-infested machines or performing autopsies on fried servers, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading
