Breaking Forensics Software: Weaknesses in Critical Evidence Collection

Presented at DEF CON 15 (2007), Aug. 3, 2007, noon (50 minutes).

Across the world law enforcement, enterprises and national security apparatus utilize a small but important set of software tools to perform data recovery and investigations. These tools are expected to perform a large range of dangerous functions, such as parsing dozens of different file systems, email databases and dense binary file formats. Although the software we tested is considered a critical part of the investigatory cycle in the criminal and civil legal worlds, our testing demonstrated important security flaws within only minutes of fault injection. In this talk, we will present our findings from applying several software exploitation techniques to leading commercial and open-source forensics packages. We will release several new file and file system fuzzing tools that were created in support of this research, as well as demonstrate how to use the tools to create your own malicious hard drives and files. This talk will make the following arguments: (1) Forensic software vendors are not paranoid enough. Vendors must operate under the assumption that their software is under concerted attack. (2) Vendors do not take advantage of the protections for native code that platforms provide, such as stack overflow protection, memory page protection), safe exception handling, etc. (3) Forensic software customers use insufficient acceptance criteria when evaluating software packages. Criteria typically address only functional correctness during evidence acquisition when no attacker is present, yet forensic investigations are adversarial. (4) Methods for testing the quality of forensic software are not meaningful, public, or generally adopted. Our intention is to expose the security community to the techniques and importance of testing forensics software, and to push for a greater cooperation between the customers of forensics software to raise the security standard to which such software is held.

Presenters:

  • Chris Palmer - Security Consultant, iSEC Partners
    Chris Palmer is a security consultant with iSEC Partners, performing application penetration tests, code reviews, and security research.
  • Alex Stamos - Founding Partner, iSEC Partners
    Alex Stamos is the co-founder and VP of Professional Services at iSEC Partners, a leading provider of application security services. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a well-known researcher in the field of software security and has been a featured speaker at top industry conferences such as BlackHat, CanSecWest, DefCon, Toorcon, SyScan, Microsoft BlueHat, the Web 2.0 Expo, InfraGuard, ISACA and OWASP. He holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley.

Links:

Similar Presentations: