A Story Of A Vulnerability: How To Execute Code On A Forensic Workstation

Presented at DeepSec 2017 „Science First!“, Unknown date/time (Unknown duration)

EnCase Forensic Imager is a tool used by forensic investigators to gather evidence from storage media. We used a custom tool to fuzz the file system parser code of this product and found a buffer overflow vulnerability in the LVM2 parser. We demonstrate our approach we used to fuzz EnCase Forensic Imager, describe the technical details of the vulnerability and show how this vulnerability can be exploited to execute arbitrary code on the investigator's machine. We wrap up our talk by discussing the impact of this vulnerability on forensic evidence.

Presenters:

• Wolfgang Ettlinger - SEC Consult
  Wolfgang Ettlinger has worked as a technical security consultant for SEC Consult for the past 4 years. He graduated MSc Secure Information Systems at the University of Applied Sciences Upper Austria. He has an interest in many information security topics ranging from binary exploitation to cryptography. In the past years, Wolfgang Ettlinger published several security advisories demonstrating vulnerabilities in multiple software products.

Links:

• https://deepsec.net/archive/2017.deepsec.net/speaker.html#PSLOT331

Similar Presentations:

• Black Hat USA 1999 / Introduction to Cyber Forensic Analysis
• THOTCON 0x1 (2010) / Forensic Fail
• Black Hat USA 2013 / Malicious File for Exploiting Forensic Software