Who’s Affected?
We found that this issue to not affect a version of the full EnCase Forensic Suite we had available for testing. We did not verify whether this issue exists in other versions of EnCase Forensic (apparently EnCase Forensic and EnCase Forensic Imager share the same code base).
According to Guidance Software their products are used by many law enforcement and government agencies such as
- the FBI,
- the CIA,
- the US Department of Justice,
- the US Department of Homeland Security
- and the London Metropolitan Police Service
as well as several major companies such as
- Microsoft,
- Facebook,
- and Oracle.
It is unclear whether these organisations use the EnCase Forensic Imager tool.
How To Avoid Attacks?
Some organisations use special machines without network or internet access to handle evidence data. While this is a very good security measure, it does not protect against this attack. Since this vulnerability allows a suspect to execute arbitrary code on these machines, the attacker could create malware that manipulates or deletes evidence based on predefined rules (e.g. delete all Excel files with a specific name pattern).
We provided details for this vulnerability to the vendor back in March 2017. Unfortunately, Guidance Software neither provided a fixed version nor communicated a schedule for fixing this vulnerability within 50 days. As per our responsible disclosure policy we therefore publicly released the advisory. The vendor does currently not provide a version of EnCase Forensic Imager without known vulnerabilities.
This is already the second security vulnerability in EnCase Forensic Imager that the SEC Consult Vulnerability Lab communicated to Guidance Software in the past few months. Back then, the vendor did not fix the security flaws as well (they also have not been resolved yet). This begs the question whether Guidance Software should rethink their security approach given the amount of trivial vulnerabilities, the high-profile customer base and the displayed handling of vulnerability reports.
We received the following statement on 11th May from Guidance Software which we will leave uncommented as we are still bewildered about it:
“We are aware and appreciate the issues raised by SEC Consult. The exploit SEC Consult claims to have found is an extreme edge case, much like the theoretical alerts they tried to promote in November. As always, we continue to examine alerts when they are submitted and apply changes to our systems as necessary.
Our products give investigators access to raw data on a disk so they can have complete access to all the information. Dealing with raw data means there are times when malformed code can cause a crash or other issue on an investigator’s machine. We train users for the possibility of potential events like this and always recommend that they isolate their examination computers. After almost 20 years building forensic investigation software that is field-tested and court-proven, we find that the benefits of complete, bit-level visibility far outweigh the inconvenience of a very limited number of scenarios like this. If an issue does arise, it is something we work directly with the customer to resolve.The nature of our business is dealing with raw data, and that has risk. We will continue to modify our software as necessary to deal with the continually changing environment. If necessary, we will take action and inform our customers. We do not consider this claim to be serious and it will not impact the performance of our products.”
his research was done by Wolfgang Ettlinger (@ettisan) on behalf of SEC Consult Vulnerability Lab.
