Guidance Software response to iSEC report on EnCase
Guidance Software Response to iSEC Report
Guidance Software received and reviewed the report drafted by two presenters at
the upcoming Black Hat USA conference. We have also spoken to Alex Stamos, one
of the testing leaders. The report authors disclose that they conducted, over a
period of six months, intensive testing utilizing specialized proprietary
automated testing software. As a result of this extensive testing regimen, they
were able to identify six test scenarios, out of ?tens of thousands? of test
scenarios run, that apparently revealed minor bugs ? in some cases for which
there are straightforward workarounds ? in our EnCase® Forensic Edition
software. All of the testing involved intentionally corrupted target data that
highlighted a few relatively minor bugs. The issues raised do not identify
errors affecting the integrity of the evidence collection or authentication
process, or the EnCase Enterprise process (i.e., the operation of the servlet
code or the operation of the SAFE server). Moreover, the iss
ues raised have nothing to do with the security of the product. Therefore, we
strongly dispute any media reports or commentary that imply that there are any
?vulnerabilities? or ?denials of service? exposed by this report.
Forensic examiners will inevitably come across corrupted data on target systems
from time to time; and in standard computer forensics training, including
classes offered by Guidance Software, examiners are trained to account for such
issues. In addition, while Guidance Software maintains a robust in-house
quality assurance process and strives to make our software as stable as
possible, no software is completely crash-proof and there will always be
anomalies, particularly involving extreme scenarios of corrupted target data.
The following are the six anomalies raised by the report and our brief response
to them:
1. [Logical] Disk Image Cannot be Acquired With Certain Corrupted MBR
Partition Table.
Response: It should be no surprise to any computer forensic examiner that a
logical copy of a volume may not be possible if that volume has a corrupted MBR
Partition table. EnCase features an option to acquire the target media
physically, rather than logically, to specifically account for this type of
scenario. The authors ignored the option of acquiring the data physically.
Also, by corrupting the MBR Partition table, the perpetrator would likely
render his computer inoperable, which calls into question both the likelihood
and feasibility of such a tactic.
2. Corrupted NTFS file system crashed EnCase during acquisition.
Response: The authors state that ?this issue appears to be caused by an attempt
to read past the end of the buffer.? However, EnCase features an option to
de-select the automatic reading of the file system during the acquisition
process. Thus, there is an easy work-around. Also, by corrupting the NTFS
partitions, the perpetrator would likely render his file system dysfunctional,
which calls into question both the likelihood and feasibility of such a tactic.
Thus, the chances of this specific scenario occurring in the field are
extremely remote; however, Guidance Software will test and, if verified, place
this anomaly in its development queue to address the crashing problem in the
future.
3. Corrupted Microsoft Exchange database crashes EnCase during
multi-threaded search/analysis concurrent to acquisition
Response: The report discloses that this particular anomaly occurred only when
every single check box was selected in the search dialogue box, including the
search, hash value calculation and verify file signatures features. This means
that EnCase was directed to acquire an Exchange database and perform a detailed
multi-threaded search and analysis of the data at the same time. This procedure
is extremely inconsistent with best practices and akin to opening several
hundred files in a word processing program, which of course would cause a
memory overload.
4. Corrupted NTFS file systems Causes Memory Error
Response: As noted above, corrupted files or file systems can create
challenges. The authors themselves note that the bug is minor, stating that
they have ?not found any ill effects caused by this error condition other than
an error being displayed and corrupted records not being displayed.? In
addition, they noted that they are ?unaware of any exploitable condition that
arises from this error.?
5. EnCase Had Difficulty Reading Intentionally Corrupted NTFS File System
Directory.
Response: This issue involves the authors intentionally corrupting an NTFS file
system to create a ?loop? by, ?replacing a directory entry for a file with a
reference to the directory?s parent directory.? Experienced forensic examiners
are trained to identify such instances of data cloaking. The purposeful hiding
of data by the subject of an investigation is in itself important evidence and
there are many scenarios where intentional data cloaking provides incriminating
evidence, even if the perpetrator is successful in cloaking the data itself.
The chances of this specific scenario occurring in the field are extremely
remote, but Guidance Software will test and, if verified, place this anomaly in
its development queue to be addressed in the future.
6. EnCase Crashes When Viewing ?Certain Deeply Nested Directories.?
Response: The authors created ?NTFS images with very deeply nested
directories,? causing EnCase to crash when it attempted to ?expand all? deeply
nested subdirectories. The simple workaround to this problem is to not ?expand
all? subdirectories, and to instead expand a portion of the subdirectories, or
even just proceed directly with the searching and analysis of the acquired
image. In addition, while Guidance Software maintains a robust in-house
quality assurance process and strives to make our software as stable as
possible, no software is completely crash-proof and there will always be
anomalies, particularly involving the dramatic scenario manufactured by the
authors here. In any event, Guidance Software will test and, if verified,
place this anomaly in its development queue to be addressed in the future.