Guidance Software Response to iSEC Report
Guidance Software received and reviewed the report drafted by two presenters at the upcoming Black Hat USA conference. We have also spoken to Alex Stamos, one of the testing leaders. The report authors disclose that they conducted, over a period of six months, intensive testing utilizing specialized proprietary automated testing software. As a result of this extensive testing regimen, they were able to identify six test scenarios, out of =93tens of thousands=94 of test scenarios run, that apparently revealed minor bugs =96 in some cases for which there are straightforward workarounds =96 in our EnCase=AE Forensic Edition software. All of the testing involved intentionally corrupted target data that highlighted a few relatively minor bugs. The issues raised do not identify errors affecting the integrity of the evidence collection or authentication process, or the EnCase Enterprise process (i.e., the operation of the servlet code or the operation of the SAFE server). Moreover, the iss
ues raised have nothing to do with the security of the product. Therefore, we strongly dispute any media reports or commentary that imply that there are any =93vulnerabilities=94 or =93denials of service=94 exposed by this report.
Forensic examiners will inevitably come across corrupted data on target systems from time to time; and in standard computer forensics training, including classes offered by Guidance Software, examiners are trained to account for such issues. In addition, while Guidance Software maintains a robust in-house quality assurance process and strives to make our software as stable as possible, no software is completely crash-proof and there will always be anomalies, particularly involving extreme scenarios of corrupted target data.
The following are the six anomalies raised by the report and our brief response to them:
1. [Logical] Disk Image Cannot be Acquired With Certain Corrupted MBR Partition Table.
Response: It should be no surprise to any computer forensic examiner that a logical copy of a volume may not be possible if that volume has a corrupted MBR Partition table. EnCase features an option to acquire the target media physically, rather than logically, to specifically account for this type of scenario. The authors ignored the option of acquiring the data physically. Also, by corrupting the MBR Partition table, the perpetrator would likely render his computer inoperable, which calls into question both the likelihood and feasibility of such a tactic.
2. Corrupted NTFS file system crashed EnCase during acquisition.
Response: The authors state that =93this issue appears to be caused by an attempt to read past the end of the buffer.=94 However, EnCase features an option to de-select the automatic reading of the file system during the acquisition process. Thus, there is an easy work-around. Also, by corrupting the NTFS partitions, the perpetrator would likely render his file system dysfunctional, which calls into question both the likelihood and feasibility of such a tactic. Thus, the chances of this specific scenario occurring in the field are extremely remote; however, Guidance Software will test and, if verified, place this anomaly in its development queue to address the crashing problem in the future.
3. Corrupted Microsoft Exchange database crashes EnCase during multi-threaded search/analysis concurrent to acquisition
Response: The report discloses that this particular anomaly occurred only when every single check box was selected in the search dialogue box, including the search, hash value calculation and verify file signatures features. This means that EnCase was directed to acquire an Exchange database and perform a detailed multi-threaded search and analysis of the data at the same time. This procedure is extremely inconsistent with best practices and akin to opening several hundred files in a word processing program, which of course would cause a memory overload.
4. Corrupted NTFS file systems Causes Memory Error
Response: As noted above, corrupted files or file systems can create challenges. The authors themselves note that the bug is minor, stating that they have =93not found any ill effects caused by this error condition other than an error being displayed and corrupted records not being displayed.=94 In addition, they noted that they are =93unaware of any exploitable condition that arises from this error.=94
5. EnCase Had Difficulty Reading Intentionally Corrupted NTFS File System Directory.
Response: This issue involves the authors intentionally corrupting an NTFS file system to create a =93loop=94 by, =93replacing a directory entry for a file with a reference to the directory=92s parent directory.=94 Experienced forensic examiners are trained to identify such instances of data cloaking. The purposeful hiding of data by the subject of an investigation is in itself important evidence and there are many scenarios where intentional data cloaking provides incriminating evidence, even if the perpetrator is successful in cloaking the data itself. The chances of this specific scenario occurring in the field are extremely remote, but Guidance Software will test and, if verified, place this anomaly in its development queue to be addressed in the future.
6. EnCase Crashes When Viewing =93Certain Deeply Nested Directories.=94
Response: The authors created =93NTFS images with very deeply nested directories,=94 causing EnCase to crash when it attempted to =93expand all=94 deeply nested subdirectories. The simple workaround to this problem is to not =93expand all=94 subdirectories, and to instead expand a portion of the subdirectories, or even just proceed directly with the searching and analysis of the acquired image. In addition, while Guidance Software maintains a robust in-house quality assurance process and strives to make our software as stable as possible, no software is completely crash-proof and there will always be anomalies, particularly involving the dramatic scenario manufactured by the authors here. In any event, Guidance Software will test and, if verified, place this anomaly in its development queue to be addressed in the future.