funsec mailing list archives
Re: Researchers: Forensics Software Can Be Hacked
From: rms () computerbytesman com
Date: Wed, 25 Jul 2007 18:40:37 -0400 (EDT)
I've had FTK crash on me when extracting email messages from a .PST file. (FTK is described at http://www.accessdata.com/catalog/partdetail.aspx?partno=11000). I suspect it has a lot of problems with badly formed files.

The obvious place to attack FTK is through its full text indexing software, which has to parse many different file types. I wonder, for example, how many buffer overflow errors are in the .DOC file parser. OTOH, the ASLR feature in Vista should turn exploit attempts into crashes.

Another way to attack a forensics software package is to give it a lot of work to do. For example, feed it a .ZIP file that inflates to 100 GB of .DOC files.

Rich
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Via InfoWorld.

[snip]

The software that police and enterprise security teams use to investigate wrongdoing on computers is not as secure as it should be, according to researchers with iSEC Partners. The San Francisco security company has spent the past six months investigating two forensic investigation programs, Guidance Software's EnCase, and an open-source product called The Sleuth Kit. They have discovered about a dozen bugs that could be used to crash the programs or possibly even install unauthorized software on an investigator's machine, according to Alex Stamos, a researcher and founding partner with iSEC Partners.

[snip]

More: http://www.infoworld.com/article/07/07/25/Forensics-software-can-be-hacked_1.html

- - ferg

p.s. Interesting premise for a Hollywood movie: "...bugs that could be used to crash the programs or possibly even install unauthorized software on an investigator's machine..." :-)

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)

wj8DBQFGp4RDq1pz9mNUZTMRAgOUAJ9fLcmHfCGZ0bzh6O0uEotyKXNHaACeOpAS
/ZgmK9+7K3Iy6MNYHbSxQyA=
=XJl3
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
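Rich's second point above, an archive that inflates to far more data than the tool can handle, is something an evidence-ingest pipeline can check for before it ever inflates a byte. The script below is an added example written for this archive page; it is not code from FTK, EnCase, The Sleuth Kit or anyone in the thread. It reads only the ZIP central directory to flag oversized or implausibly compressed entries, and then, because the declared sizes in that directory are themselves untrusted input, streams each entry through a byte counter and aborts once a budget is exceeded. The size and ratio limits and the two sample archives are constructed for the example.

```python
import io
import zipfile

# Policy values chosen for this example (not taken from any real product):
# refuse archives whose declared output exceeds 1 GiB, or whose best entry
# compresses tighter than 200:1. Tune to the tool's actual resources.
MAX_TOTAL_UNCOMPRESSED = 1 * 1024 ** 3
MAX_RATIO = 200.0


def inspect_zip(data: bytes, max_total: int = MAX_TOTAL_UNCOMPRESSED,
                max_ratio: float = MAX_RATIO) -> dict:
    """Decide from the central directory alone whether inflating is safe.

    Nothing is decompressed here, so a hostile archive costs a few reads of
    its headers rather than gigabytes of output."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
    total_uncompressed = sum(e.file_size for e in entries)
    total_compressed = sum(e.compress_size for e in entries)
    worst_ratio = 0.0
    for e in entries:
        if e.file_size == 0:
            continue                      # empty entries have no meaningful ratio
        ratio = e.file_size / max(e.compress_size, 1)
        worst_ratio = max(worst_ratio, ratio)
    reasons = []
    if total_uncompressed > max_total:
        reasons.append(f"declared output {total_uncompressed} B exceeds {max_total} B")
    if worst_ratio > max_ratio:
        reasons.append(f"compression ratio {worst_ratio:.0f}:1 exceeds {max_ratio:.0f}:1")
    return {
        "entries": len(entries),
        "declared_uncompressed": total_uncompressed,
        "compressed": total_compressed,
        "worst_ratio": worst_ratio,
        "safe": not reasons,
        "reasons": reasons,
    }


def inflate_bounded(data: bytes, budget: int, chunk: int = 1 << 16) -> int:
    """Inflate every entry in fixed-size chunks, counting output bytes.

    The central-directory sizes are attacker-controlled, so the byte count is
    measured on the real output; the first chunk that pushes the total past
    `budget` raises ValueError and stops the work. Returns bytes produced."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                while True:
                    buf = fh.read(chunk)
                    if not buf:
                        break
                    produced += len(buf)
                    if produced > budget:
                        raise ValueError(f"inflated output exceeded {budget} B; aborted")
    return produced


def build_sample(name: str, payload: bytes) -> bytes:
    """Constructed test archive: one deflated entry, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a small text file, and a 16 MiB run of zero bytes
# (deflate packs such runs at roughly 1000:1, well past the 200:1 policy).
BENIGN_ZIP = build_sample("notes.txt", b"hello forensics " * 10)
HIGHLY_COMPRESSIBLE_ZIP = build_sample("big.doc", bytes(16 * 1024 * 1024))


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_ZIP), ("suspicious", HIGHLY_COMPRESSIBLE_ZIP)):
        verdict = inspect_zip(sample)
        print(label, verdict)
        if verdict["safe"]:
            print("  inflated", inflate_bounded(sample, budget=10_000), "bytes")
        else:
            print("  skipped: ", "; ".join(verdict["reasons"]))
```

The two checks are deliberately independent: `inspect_zip` is cheap and catches honest-but-huge archives, while `inflate_bounded` is the one that holds when the headers lie. A tool that only trusts the declared sizes still does all the work the archive asks for.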
Current thread:
- Researchers: Forensics Software Can Be Hacked Paul Ferguson (Jul 25)
- Re: Researchers: Forensics Software Can Be Hacked Gadi Evron (Jul 25)
- RE: Researchers: Forensics Software Can Be Hacked Hubbard, Dan (Jul 25)
- RE: Researchers: Forensics Software Can Be Hacked Gadi Evron (Jul 25)
- Re: Researchers: Forensics Software Can Be Hacked Jordan Wiens (Jul 26)
- Re: Researchers: Forensics Software Can Be Hacked Don Blumenthal (Jul 26)
- Re: Researchers: Forensics Software Can Be Hacked Jordan Wiens (Jul 26)
- Re: Researchers: Forensics Software Can Be Hacked Valdis . Kletnieks (Jul 26)
- RE: Researchers: Forensics Software Can Be Hacked Hubbard, Dan (Jul 25)
- Re: Researchers: Forensics Software Can Be Hacked Gadi Evron (Jul 25)