Malicious File for Exploiting Forensic Software

Presented at Black Hat USA 2013, Unknown date/time (Unknown duration)

Commercial forensic software such as EnCase, FTK and X-Ways Forensics adopts the same library component for viewing file content. If the library component is exploitable, lots of forensic investigators are exposed to risks like malware infection and freeze of the software by checking crafted malicious files.

This presentation introduces anti-forensic techniques exploiting vulnerabilities of the component embedded in forensic software. Specifically, I show one malicious file can trigger arbitrary code execution on multiple forensic software products. The exploitation has great impact on forensic investigation because most forensic software includes it.

The presentation is made up as follows. First, I explain the file viewer component in forensic software and how to fuzz it with a custom script of forensic software, MiniFuzz and a kernel driver for anti-debugging. Next, I describe two vulnerabilities (heap overflow and infinite loop DoS) detected by the fuzzer then demonstrate arbitrary code execution and hang-up of forensic software process using malicious files. I also fill in the gaps on some tricks for exploiting heap overflow (e.g., overwriting function pointers, finding the condition of heap spraying with bitmap images). Finally, I refer to countermeasures.

Presenters:

• Hiroshi Suzuki - Internet Initiative Japan Inc.
  Hiroshi Suzuki is a malware analyst, working for a Japanese ISP company, Internet Initiative Japan Inc. His primary job is to analyze malware and vulnerabilities, to observe malware activity, and digital forensics. He is a speaker for international conferences like FIRST.
• Takahiro Haruyama - Internet Initiative Japan Inc.
  Takahiro Haruyama, EnCE, is a forensic professional with over eight years of extensive research experience and knowledge in intrusion detection, authentication, VPN, digital forensics and malware analysis. He is the author of memory forensic EnScript such as Raw Image Analyzer (previously known as Memory Forensic Toolkit) and Crash Dump Analyzer. He also has spoken at several conferences about digital forensics and computer security including SANS Digital Forensics and Incident Response Summit, Black Hat Europe, The Computer Enterprise and Investigations Conference, FIRST Technical Colloquium, RSA Conference Japan.

Links:

• https://www.blackhat.com/us-13/archives.html#Haruyama
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2013/video/Black Hat 2013 - Malicious File for Exploiting Forensic Software.mp4
• https://www.youtube.com/watch?v=WTxHfraFLS0
• https://media.blackhat.com/us-13/US-13-Haruyama-Malicous-File-For-Exploiting-Forensic-Software-Slides.pdf

Similar Presentations:

• DEF CON 15 (2007) / Breaking Forensics Software: Weaknesses in Critical Evidence Collection
• THOTCON 0x1 (2010) / Forensic Fail
• DeepSec 2017 „Science First!“ / A Story Of A Vulnerability: How To Execute Code On A Forensic Workstation