Chainsaw Of Custody: Manipulating Forensic Evidence The Easy Way


When it comes to computer forensics, or for that matter forensics in general, one of the main challenges is to ensure that evidence that is collected is not tampered with. To achieve this, computer forensic experts adhere to a strict protocol and use many specialized hardware and software tools.

Calculator crash Encase - SEC Consult

TIP: Watch Wolfgang Ettlinger’s presentation @ DeepSec 2017 >> EnCase Forensic Case Study <<

As we have shown time and time again, specialized security software is not immune to security vulnerabilities. Knowing this, we sometimes audit software products used for our core processes to achieve the best level of security for our customer’s data. One of these software products is EnCase Forensic Imager.

EnCase Forensic Imager is a free tool that allows a forensic investigator to gather evidence from storage media. This evidence can then later be analyzed using the commercial EnCase Forensic suite. To efficiently gather evidence, EnCase Forensic Imager is able to process many different formats commonly used on storage media. However, parsing untrusted data from a suspect’s storage device can be dangerous. There’s always the risk that a suspect has manipulated his storage device so that forensic software fails to read any data, ignores incriminating data, or even takes over the investigator’s machine. The latter is exactly what SEC Consult demonstrated to be possible with EnCase Forensic Imager in the latest advisory.

EnCase Forensic Imager crash – code execution (example: calc.exe)

The Attack

By writing a manipulated LVM2 partition (a hard disk format commonly used for Linux servers) on a storage device, an attacker could – if the device were ever to be analysed using EnCase Forensic Imager – take over an investigator’s machine. When the investigator tries to read the device, EnCase Forensic Imager crashes – unbeknownst to the investigator, however, a lot more is happening. Through a buffer overflow security flaw, EnCase Forensic Imager can be tricked into executing data read from the storage device. Afterwards the code provided by the attacker has full control of the investigator’s machine and can be used by the suspect to manipulate evidence.

The video below demonstrates a scenario where someone prepared a malicious USB storage medium for the case that it got analyzed by e.g. the authorities. When the investigator analyzes it using EnCase Forensic Imager, without their knowledge their machine connects to a remote server controlled by the suspect (arbitrary malicious code can be executed). The server can then access the investigator’s machine to manipulate or delete evidence.

Who’s Affected?

We found that this issue to not affect a version of the full EnCase Forensic Suite we had available for testing. We did not verify whether this issue exists in other versions of EnCase Forensic (apparently EnCase Forensic and EnCase Forensic Imager share the same code base).

According to Guidance Software their products are used by many law enforcement and government agencies such as

  • the FBI,
  • the CIA,
  • the US Department of Justice,
  • the US Department of Homeland Security
  • and the London Metropolitan Police Service

as well as several major companies such as

  • Microsoft,
  • Facebook,
  • and Oracle.

It is unclear whether these organisations use the EnCase Forensic Imager tool.

How To Avoid Attacks?

Some organisations use special machines without network or internet access to handle evidence data. While this is a very good security measure, it does not protect against this attack. Since this vulnerability allows a suspect to execute arbitrary code on these machines, the attacker could create malware that manipulates or deletes evidence based on predefined rules (e.g. delete all Excel files with a specific name pattern).

We provided details for this vulnerability to the vendor back in March 2017. Unfortunately, Guidance Software neither provided a fixed version nor communicated a schedule for fixing this vulnerability within 50 days. As per our responsible disclosure policy we therefore publicly released the advisory. The vendor does currently not provide a version of EnCase Forensic Imager without known vulnerabilities.

This is already the second security vulnerability in EnCase Forensic Imager that the SEC Consult Vulnerability Lab communicated to Guidance Software in the past few months. Back then, the vendor did not fix the security flaws as well (they also have not been resolved yet). This begs the question whether Guidance Software should rethink their security approach given the amount of trivial vulnerabilities, the high-profile customer base and the displayed handling of vulnerability reports.

We received the following statement on 11th May from Guidance Software which we will leave uncommented as we are still bewildered about it:

“We are aware and appreciate the issues raised by SEC Consult. The exploit SEC Consult claims to have found is an extreme edge case, much like the theoretical alerts they tried to promote in November. As always, we continue to examine alerts when they are submitted and apply changes to our systems as necessary.

Our products give investigators access to raw data on a disk so they can have complete access to all the information.  Dealing with raw data means there are times when malformed code can cause a crash or other issue on an investigator’s machine. We train users for the possibility of potential events like this and always recommend that they isolate their examination computers. After almost 20 years building forensic investigation software that is field-tested and court-proven, we find that the benefits of complete, bit-level visibility far outweigh the inconvenience of a very limited number of scenarios like this. If an issue does arise, it is something we work directly with the customer to resolve.The nature of our business is dealing with raw data, and that has risk. We will continue to modify our software as necessary to deal with the continually changing environment. If necessary, we will take action and inform our customers. We do not consider this claim to be serious and it will not impact the performance of our products.”

his research was done by Wolfgang Ettlinger (@ettisan) on behalf of SEC Consult Vulnerability Lab.