The fur is flying over a presentation, planned for Black Hat in Las Vegas Aug. 1, that security firm iSEC says will demonstrate how easy it is to break forensics software.
Forensics tools such as Guidance Software's EnCase are used by law enforcement, enterprises and national security agencies for data recovery and investigation. As iSEC says in its presentation description, investigators rely on these tools for a range of functions, such as parsing dozens of different file systems, e-mail databases and dense binary file formats.
“Although the software we tested is considered a critical part of the investigatory cycle in the criminal and civil legal worlds, our testing demonstrated important security flaws within only minutes of fault injection,” iSEC says.
iSEC is promising to present what it found after six months of subjecting leading forensics packages to exploitation techniques. The security firm also plans to release the file and file-system fuzzing tools it created for the project to put forensics software through its paces.
Some of the problems iSEC claims to have uncovered are that forensics tool makers don't use the protections for native code that the platform already provides, such as stack overflow protection, memory page protection and safe exception handling (on Windows, the /GS stack cookie, DEP/NX and SafeSEH, respectively).
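Whether a native Windows binary was built with those protections can be read from its PE headers, which is the check a customer evaluating a forensics package would want to run. The script below is an added example written for this article, not iSEC's or Guidance's tooling: it reads DllCharacteristics for DEP/NX and ASLR (and the later CFG and high-entropy-VA flags), and the Load Config directory for the /GS security cookie and, on 32-bit images, the SafeSEH handler table. It runs against a small PE32 image constructed in memory; the cookie and handler-table addresses 0x403000 and 0x402000 in that sample are hypothetical.

```python
"""Report the build-time mitigations a PE image carries.

Added example, not iSEC's or Guidance's code. Field offsets follow the
PE/COFF specification; the sample image is constructed in memory.
"""
import struct
import sys

HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT = 0x0020, 0x0040, 0x0100
NO_SEH, GUARD_CF = 0x0400, 0x4000
LOAD_CONFIG_DIR = 10  # index of IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG


def _rva_to_offset(sections, rva):
    """Translate an RVA to a file offset via the section table (None if unmapped)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def check_mitigations(data: bytes) -> dict:
    """Return a dict of mitigation flags for the PE image in `data`."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                   # IMAGE_OPTIONAL_HEADER
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs_off = opt + (108 if pe32plus else 92)     # NumberOfRvaAndSizes
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = ndirs_off + 4                            # first IMAGE_DATA_DIRECTORY
    sections = []
    for i in range(nsect):                          # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    report = {
        "pe32plus": pe32plus,
        "dep": bool(dllchars & NX_COMPAT),
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "high_entropy_va": pe32plus and bool(dllchars & HIGH_ENTROPY_VA),
        "cfg": bool(dllchars & GUARD_CF),
        "no_seh": bool(dllchars & NO_SEH),
        "gs_cookie": False,                      # heuristic: non-zero SecurityCookie => /GS
        "safeseh": None if pe32plus else False,  # 32-bit only; None = not applicable
    }
    if ndirs > LOAD_CONFIG_DIR:
        lc_rva, lc_size = struct.unpack_from("<II", data, dirs + 8 * LOAD_CONFIG_DIR)
        lc = _rva_to_offset(sections, lc_rva) if lc_rva else None
        if lc is not None:
            # Older linkers under-report the directory size; trust the struct's own Size too.
            size = max(lc_size, struct.unpack_from("<I", data, lc)[0])
            if pe32plus and size >= 0x60:
                report["gs_cookie"] = struct.unpack_from("<Q", data, lc + 0x58)[0] != 0
            elif not pe32plus and size >= 0x48:
                cookie, seh_table, _count = struct.unpack_from("<III", data, lc + 0x3C)
                report["gs_cookie"] = cookie != 0
                report["safeseh"] = seh_table != 0  # table present (count may be 0)
    return report


def missing_mitigations(report: dict) -> list:
    """Names of the protections the image was built without."""
    wanted = ["dep", "aslr", "gs_cookie"] + ([] if report["pe32plus"] else ["safeseh"])
    return [name for name in wanted if not report[name]]


def build_sample_pe32(dllchars: int, load_config: bool) -> bytes:
    """Constructed PE32 image for offline testing: 0x200 bytes of headers plus one
    .rdata section (file offset 0x200, RVA 0x1000) that may hold a Load Config."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    pe, opt_size = 0x40, 0xE0
    struct.pack_into("<I", hdr, 0x3C, pe)
    hdr[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x10B)         # PE32 magic
    struct.pack_into("<H", hdr, opt + 70, dllchars)
    struct.pack_into("<I", hdr, opt + 92, 16)       # NumberOfRvaAndSizes
    if load_config:
        struct.pack_into("<II", hdr, opt + 96 + 8 * LOAD_CONFIG_DIR, 0x1000, 0x48)
    struct.pack_into("<8sIIII", hdr, opt + opt_size, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    sect = bytearray(0x200)
    if load_config:
        struct.pack_into("<I", sect, 0, 0x48)       # IMAGE_LOAD_CONFIG_DIRECTORY32.Size
        # SecurityCookie, SEHandlerTable, SEHandlerCount: hypothetical addresses
        struct.pack_into("<III", sect, 0x3C, 0x00403000, 0x00402000, 2)
    return bytes(hdr + sect)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        img = open(sys.argv[1], "rb").read()
    else:  # no path given: inspect the constructed sample image
        img = build_sample_pe32(NX_COMPAT | DYNAMIC_BASE, True)
    rep = check_mitigations(img)
    print("missing:", missing_mitigations(rep) or "nothing", rep)
```

Run it with a path to an EnCase (or any other) executable to list the protections it lacks. The /GS result is a heuristic: a non-zero SecurityCookie pointer in the Load Config shows the CRT cookie machinery was linked in, which is what the /GS switch produces, but it does not prove every function was instrumented. SafeSEH applies only to 32-bit images; on 64-bit Windows exception handling is table-based and the field is reported as not applicable.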
“Forensic software customers use insufficient acceptance criteria when evaluating software packages. Criteria typically address only functional correctness during evidence acquisition when no attacker is present, yet forensic investigations are adversarial,” iSEC says. “Methods for testing the quality of forensic software are not meaningful, public or generally adopted. Our intention is to expose the security community to the techniques and importance of testing forensics software, and to push for a greater cooperation between the customers of forensics software to raise the security standard to which such software is held.”
Guidance, for one, isn't taking this lying down.
The Pasadena, Calif., forensics software maker, in response to the iSEC report—which it reviewed in advance of its general Aug. 1 release—dismissed the “minor” flaws iSEC found in six scenarios with EnCase Forensic Edition software.
“All of the testing involved intentionally corrupted target data that highlighted a few relatively minor bugs,” Guidance said in a posting on BugTraq. “The issues raised do not identify errors affecting the integrity of the evidence collection or authentication process, or the EnCase Enterprise process (i.e., the operation of the servlet code or the operation of the SAFE server).”
Besides, Guidance claims, the issues raised have nothing to do with the product's security, and the vendor says it “strongly [disputes] the implication that iSEC's report exposes vulnerabilities or DOS vulnerabilities in its product.
“Forensic examiners will inevitably come across corrupted data on target systems from time to time; and in standard computer forensics training, including classes offered by Guidance Software, examiners are trained to account for such issues,” the company said. “No software is completely crash-proof and there will always be anomalies, particularly involving extreme scenarios of corrupted target data.”
BugTraq posters are already kicking holes in Guidance's protestations that the flaws found are “minor.”
“By minor, you mean things like (1) where a disk image cannot be acquired or (2) that appears to cause an out-of-bounds memory operation or (3) which most likely has one hell of a race condition?” said one poster on BugTraq, in response to Guidance's July 26 post.
The poster was also bemused at Guidance's complaint that the exploits launched at its EnCase tool used “intentionally corrupted data”—an ironic plaint, given that “pretty much every exploit on the planet involves intentionally corrupted data.”
iSEC, of San Francisco, reported on six specific problems. Guidance reiterated those problems, along with its response to each issue. As quoted from its BugTraq statement:
As of the evening of July 29, the tit-for-tat continued; the full threaded debate is on BugTraq.