EnCase 7 Anti-Forensic for Air-Gapped Examiner


jhup
Senior Member
 

EnCase 7 Anti-Forensic for Air-Gapped Examiner

Post Posted: May 24, 16 21:28

Blog post on the same site that wrote about the EnCase concerns.

EnCase 7 user interface inconsistencies and the file viewer configuration allow a direct attack on a forensic workstation.
Some of you might remember 42.zip, a nested ZIP-bomb file, which would crash certain forensic tools after running out of memory. The following concern can not only crash the forensic workstation, but destroy the whole machine.

The combination of file type association, with Windows as the viewer, and the inconsistent user interface in EnCase 7 can potentially launch malicious payloads from an evidential image.

An examiner's propensity to double-click can inadvertently launch such files and pass them to the examiner's workstation OS. With simple crafting the machine can be made inoperable or, worse, case information can be damaged silently using previously demonstrated "concerns" (e.g. [1]).

This has the potential to cause significant delays, or damage to a case. In combination with our previous findings, such as the cache manipulation and the rendering folder retention, we can imagine serious complications.
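An added example, not from the post above and not EnCase's own code, of the check a practitioner can run on the examination workstation before the first double-click: resolve the Windows file associations that an "open with Windows viewer" hand-off would use, flag every extension whose open command is a script host or shell rather than a viewer, and optionally re-point those extensions (for the current user only) at notepad.exe so a stray double-click shows bytes instead of running them. It assumes the tool passes the file to the shell's open verb, as the post describes for the Windows-viewer configuration; the extension list, the handler list and the ForensicView ProgID prefix are choices made here, not anything from the post.

```powershell
# Added example: audit (and optionally neutralise) the shell "open" handlers
# that a forensic tool inherits when it hands an evidence file to Windows.
# Not from the Forensic Focus post or from EnCase.
param(
    # Extensions Windows will execute by default. Assumed list; extend to taste.
    [string[]]$Extensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta',
                              '.ps1', '.bat', '.cmd', '.lnk', '.scr', '.pif', '.reg'),
    # When set, rewrite the per-user association of every flagged extension
    # to notepad.exe. Touches HKCU only, so no elevation and easy to revert.
    [switch]$Remediate
)

# Handlers that execute their input rather than display it. Assumed list.
$dangerousHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'cmd.exe',
                  'powershell.exe', 'pwsh.exe', 'regedit.exe', 'rundll32.exe'

function Get-OpenCommand {
    param([string]$Extension)
    # HKCR\.ext (default) -> ProgID; HKCR\<ProgID>\shell\open\command (default)
    # -> the command line ShellExecute would run on double-click.
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path $extKey)) { return $null }
    $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    if (-not (Test-Path $cmdKey)) {
        # e.g. .lnk: handled by a shell extension, no plain command line.
        return [pscustomobject]@{ ProgId = $progId; Command = $null }
    }
    $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ ProgId = $progId; Command = $cmd }
}

$results = foreach ($ext in $Extensions) {
    $open = Get-OpenCommand -Extension $ext
    $cmdText = if ($open) { $open.Command } else { $null }
    $executes = $false
    if ($cmdText) {
        foreach ($h in $dangerousHosts) {
            if ($cmdText -match [regex]::Escape($h)) { $executes = $true; break }
        }
    }
    [pscustomobject]@{
        Extension = $ext
        ProgId    = if ($open) { $open.ProgId } else { '(none)' }
        Command   = $cmdText
        Executes  = $executes   # $true: a double-click runs code on this box
    }
}

$results | Format-Table -AutoSize

if ($Remediate) {
    foreach ($r in ($results | Where-Object Executes)) {
        # Per-user override: HKCU\Software\Classes\.ext -> a private ProgID
        # whose open verb is notepad.exe. HKLM is left untouched.
        $progId = "ForensicView$($r.Extension.TrimStart('.'))"   # assumed naming
        $base   = 'HKCU:\Software\Classes'
        New-Item -Path "$base\$progId\shell\open\command" -Force | Out-Null
        Set-ItemProperty -Path "$base\$progId\shell\open\command" -Name '(default)' `
            -Value ('"{0}" "%1"' -f "$env:windir\notepad.exe")
        New-Item -Path "$base\$($r.Extension)" -Force | Out-Null
        Set-ItemProperty -Path "$base\$($r.Extension)" -Name '(default)' -Value $progId
        Write-Host "Re-pointed $($r.Extension) to notepad.exe via $progId"
    }
}
```

Run it once without `-Remediate` on a freshly built examiner image and keep the table with the case notes; any row with `Executes` set to true is an extension that the post's double-click scenario turns into code execution on the workstation. Two caveats: on Windows 8 and later, an extension that already has a UserChoice entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts takes precedence over the HKCU\Software\Classes override, and must be changed through Default Apps instead; and an association audit only covers hand-offs that go through the shell, so a tool that launches an external viewer by explicit path still needs to be checked separately.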
 
 
  

Chris_Ed
Senior Member
 

Re: EnCase 7 Anti-Forensic for Air-Gapped Examiner

Post Posted: May 25, 16 12:51

At first I was quite shocked as I thought it meant files which are previewed in the viewing pane could "escape" - but it seems that it is to do with launching files from within EnCase.

This is not really a true concern, as it is surely good practice for all examiners to be wary of files they launch?  
 
  

thefuf
Senior Member
 

Re: EnCase 7 Anti-Forensic for Air-Gapped Examiner

Post Posted: May 25, 16 16:03

Sometimes a real problem is staring us in the face, but because we are so close to it, we are unable to recognize it. We do not believe anything we demonstrate here is new, special or revolutionary. It is simply ignored.


Unfortunately, yes. LinEn Boot CD has issues with automatic code execution from evidentiary drives (when you boot it from USB). And many forensic Linux live distributions have similar issues too.  
 
  

jhup
Senior Member
 

Re: EnCase 7 Anti-Forensic for Air-Gapped Examiner

Post Posted: May 25, 16 20:32

- Chris_Ed
...This is not really a true concern, as it is surely good practice for all examiners - to be wary of files you launch?


I think it is. Considering that (anecdotally) most labs do not abide by best practices, and clean the forensic workstation instances between cases and only work on a single case per instance, this can be a problem.

As they stated elsewhere, this might not be a major concern with petty crime, but nation-state and organized crime do and will invest heavily in true anti-forensics.

We also note that several tools bind the licenses to machines, thereby making wiping and rebuilding or re-imaging cumbersome at best. It is not unusual for us to see small digital forensic operations using the same machine from case to case, or with multiple cases simultaneously, and never wipe, rebuild or re-image the forensic workstation.

(emphasis added)  
 
  

Chris_Ed
Senior Member
 

Re: EnCase 7 Anti-Forensic for Air-Gapped Examiner

Post Posted: May 26, 16 14:35

- jhup

I think it is. Considering that (anecdotally) most labs do not abide by best practices, and clean the forensic workstation instances between cases and only work on a single case per instance, this can be a problem.

As they stated elsewhere, this might not be a major concern with petty crime, but nation-state and organized crime do and will invest heavily in true anti-forensics.

We also note that several tools bind the licenses to machines, thereby making wiping and rebuilding or re-imaging cumbersome at best. It is not unusual for us to see small digital forensic operations using the same machine from case to case, or with multiple cases simultaneously, and never wipe, rebuild or re-image the forensic workstation.

(emphasis added)


But that is a problem with methodology, not with the software itself. By the same token, XWF suffers the same "Anti-forensic for Air-gapped examiner" problem because it too allows you to launch files using Windows. The article kind of mentions this in the sense that it says:
Although this write-up is about an EnCase concern, the other leaders are not immune from tool validation issues.

But this is not a tool validation issue - it is a methodology issue.

I feel like this article is akin to saying "WE FOUND A SERIOUS PROBLEM WITH HDDs; they are unworkable once smothered in ice cream. DO NOT SMOTHER YOUR HDDs IN ICE CREAM!".  
 
  

jhup
Senior Member
 

Re: EnCase 7 Anti-Forensic for Air-Gapped Examiner

Post Posted: May 26, 16 18:58

- Chris_Ed
I feel like this article is akin to saying "WE FOUND A SERIOUS PROBLEM WITH HDDs; they are unworkable once smothered in ice cream. DO NOT SMOTHER YOUR HDDs IN ICE CREAM!".


Not exactly. The problem the article points out is that too many forensicators do smother their HDDs in ice cream, and pretend that is okay.


(What kind?)  
 
  

Chris_Ed
Senior Member
 

Re: EnCase 7 Anti-Forensic for Air-Gapped Examiner

Post Posted: May 26, 16 20:30

- jhup
- Chris_Ed
I feel like this article is akin to saying "WE FOUND A SERIOUS PROBLEM WITH HDDs; they are unworkable once smothered in ice cream. DO NOT SMOTHER YOUR HDDs IN ICE CREAM!".


Not exactly. The problem the article points out is that too many forensicators do smother their HDDs in ice cream, and pretend that is okay.


(What kind?)

Ah, fair enough.

(A place in my hometown does Blood Orange ice cream. Pretty fantastic)  
 
