Forensics Tool Flaw Allows Hackers to Manipulate Evidence

A vulnerability in Guidance Software’s EnCase Forensic Imager forensics tool can be exploited by hackers to take over an investigator’s computer and manipulate evidence, researchers warned. The vendor has classified the attack as an “edge case” and does not plan to patch the flaw any time soon.

Guidance Software’s forensics products are used by governments, law enforcement agencies and private companies worldwide, including the U.S. Department of Justice, the Department of Homeland Security, the London Metropolitan Police Service, Microsoft, IBM, Apple and Facebook.

The company’s EnCase Forensic Imager is a standalone tool designed for acquiring forensic images of local drives, and for viewing and browsing potential evidence files.

Researchers at SEC Consult have analyzed the product and found that it’s affected by a potentially serious vulnerability. The flaw allows a malicious actor to execute arbitrary code on a system running the EnCase Forensic Imager via a specially crafted image file.

In an attack scenario described by the security firm, a criminal prepares a USB drive containing a specially crafted image in case he is raided by law enforcement. Forensic investigators seize the USB drive and analyze it with EnCase Forensic Imager. When they use the tool’s option to search the drive for LVM2 logical volumes, the suspect’s malicious image triggers the execution of malware.

If the investigator’s computer is connected to the Internet, the malware can allow the attacker to remotely access the device and the files stored on it, and delete or manipulate evidence. For scenarios where the investigator’s machine is offline, the attacker can create a piece of malware that conducts predefined actions (e.g. delete files with a specified extension or name).

“EnCase Forensic Imager fails to check the length of strings copied from the definitions of logical volumes in an LVM2 partition. When EnCase Forensic Imager is used to analyze a crafted LVM2 partition, part of the stack is overwritten with attacker controlled data,” SEC Consult wrote in an advisory published on Thursday. “This allows an attacker to overwrite a pointer to code. After the program execution is transferred to the address specified in this pointer, the attacker has control of the consequent program execution.”
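The advisory describes a classic unchecked string copy: a field read from on-disk metadata is copied into a fixed-size stack buffer without its length being compared to the buffer's size. The following is an added illustration of that bug class and of the check that prevents it; it is not SEC Consult's proof of concept, not EnCase code, and the `lv_name = "..."` line format, the `LV_NAME_MAX` limit and the sample inputs are simplified assumptions made for this example (real LVM2 text metadata is more elaborate). The unchecked function is kept only for contrast and is never fed untrusted data; the checked parser bounds every scan by the supplied length and rejects oversized names instead of truncating them.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example; the real buffer size inside EnCase is
 * not published in the advisory. */
#define LV_NAME_MAX 64

struct lv_record {
    char name[LV_NAME_MAX];
};

/* The bug class the advisory describes: the source length is never compared
 * with the destination size, so a longer name in the on-disk metadata runs
 * past rec->name into adjacent stack memory. Shown only for contrast with
 * the checked version below; it must never see untrusted input. */
void lv_copy_name_unchecked(struct lv_record *rec, const char *name)
{
    strcpy(rec->name, name);
}

/* Hardened form: bound the copy by the destination size and reject, rather
 * than silently truncate, a name that does not fit. 0 = ok, -1 = too long. */
int lv_copy_name_checked(struct lv_record *rec, const char *name, size_t name_len)
{
    if (name_len >= sizeof rec->name)
        return -1;
    memcpy(rec->name, name, name_len);
    rec->name[name_len] = '\0';
    return 0;
}

/* Locate the value between the first pair of double quotes in buf[0..buf_len).
 * Every scan is bounded by buf_len, so a metadata block without a closing
 * quote cannot make the parser read past the image data. Returns NULL if no
 * complete quoted value exists. */
static const char *lv_extract_quoted(const char *buf, size_t buf_len, size_t *len)
{
    const char *end = buf + buf_len;
    const char *open = memchr(buf, '"', buf_len);
    if (open == NULL || open + 1 >= end)
        return NULL;
    const char *close = memchr(open + 1, '"', (size_t)(end - (open + 1)));
    if (close == NULL)
        return NULL;
    *len = (size_t)(close - (open + 1));
    return open + 1;
}

/* Parse one simplified metadata line such as   lv_name = "root"   into rec.
 * Returns 0 on success, -1 if malformed, -2 if the name is too long. */
int lv_parse_name_line(const char *line, size_t line_len, struct lv_record *rec)
{
    size_t len = 0;
    const char *val = lv_extract_quoted(line, line_len, &len);
    if (val == NULL)
        return -1;
    return lv_copy_name_checked(rec, val, len) == 0 ? 0 : -2;
}

/* Constructed sample input (not taken from any real image). */
int demo_parse_wellformed(void)
{
    struct lv_record rec;
    const char line[] = "lv_name = \"case42_lv\"";
    int rc = lv_parse_name_line(line, sizeof line - 1, &rec);
    if (rc != 0)
        return rc;
    return strcmp(rec.name, "case42_lv") == 0 ? 0 : 99;
}

/* A constructed 200-byte name, well over LV_NAME_MAX: the checked parser
 * refuses it instead of writing past the 64-byte buffer. */
int demo_parse_oversized(void)
{
    struct lv_record rec;
    char line[256];
    const char prefix[] = "lv_name = \"";
    size_t n = sizeof prefix - 1;
    memcpy(line, prefix, n);
    memset(line + n, 'A', 200);
    n += 200;
    line[n++] = '"';
    return lv_parse_name_line(line, n, &rec);
}

/* A constructed line with no quoted value at all. */
int demo_parse_malformed(void)
{
    struct lv_record rec;
    const char line[] = "lv_name = no_quotes_here";
    return lv_parse_name_line(line, sizeof line - 1, &rec);
}

int main(void)
{
    struct lv_record rec;
    lv_copy_name_unchecked(&rec, "short");   /* in-bounds constant; harmless */
    printf("well-formed: %d, oversized: %d, malformed: %d\n",
           demo_parse_wellformed(), demo_parse_oversized(), demo_parse_malformed());
    return 0;
}
```

The design point is that the parser never trusts a length implied by the data: the destination size is the only bound that matters, and a value that exceeds it is an error to report, since a forensic tool silently truncating a field is itself an evidence-integrity problem.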

Researchers have developed a proof-of-concept (PoC) exploit for the vulnerability, but they will only make it public at a later date.

This is not the only vulnerability found by SEC Consult in the EnCase Forensic Imager. In late November 2016, the security firm disclosed the details of denial-of-service (DoS) and heap-based buffer overflow flaws affecting the software. Those issues remain unpatched to this day.

Guidance Software has not responded to SecurityWeek’s request for comment, but the company told SEC Consult that it sees both the vulnerability disclosed on Thursday and the flaws reported last year as “extreme edge cases.”

“Our products give investigators access to raw data on a disk so they can have complete access to all the information. Dealing with raw data means there are times when malformed code can cause a crash or other issue on an investigator’s machine. We train users for the possibility of potential events like this and always recommend that they isolate their examination computers,” the vendor stated.

“After almost 20 years building forensic investigation software that is field-tested and court-proven, we find that the benefits of complete, bit-level visibility far outweigh the inconvenience of a very limited number of scenarios like this. If an issue does arise, it is something we work directly with the customer to resolve,” it added.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.