Post Process

Everything to do with E-discovery & ESI

Archive for the ‘EnCase’ Category

A Tug of War over Forensics Applications and Formats

Posted by rjbiii on December 16, 2009

From two different blogs, we read of a fascinating criminal case involving a tug of war over evidence. Ultimately, the main points made by both the prosecution and defense missed the mark. A little knowledge could have gone a long way.

We begin by browsing over to Law Professor Susan Brenner CYB3RCRIM3 blog, to a post entitled Encase v. Ghost. Here she describes the case of State v. Dingman, 149 Wash.App. 648, 202 P.3d 388 (Washington Court of Appeals 2009), where a construction contractor specializing in building sunrooms was given a large deposit and money for materials, but who allegedly never finished the job. At trial, Mr. Dingman was convicted of 16 counts of theft and 11 counts of money laundering. He appeals. Why?

Because of the tug of war over evidence residing on his computer. Prior to trial, Dingman requested access to the files on his computers, which were seized by the state and still locked up. The state evidently made Encase images available to the defendant, but that wasn’t good enough. Why?

According to testimony, neither the Dingman legal team nor their forensics expert possessed a copy of the EnCase application (they thought) necessary to read the image. And Encase costs over $3,000 and required another $1,500 for training, according to Defendant’s expert. The State should, as they had in the past, provide a copy of the hard drive in a non-Encase format. Even better, allow the Defense to use its own tools to image the drives themselves. Ghost was specifically mentioned as the Defense’s tool of choice. The State objected. Why?

Evidently, the State believed that the Hard Drives could be damaged should they be released from custody, and that Ghost might produce an inaccurate copy. The States expert noted that he had a copy of Ghost, but did not use the tool for forensics. The State also argued that it didn’t need to “conform” its investigation to the “whims” of the defense, and that the Encase images had been happily accepted by all other defendants prior to this case. The trial court denied Defendant’s motion, and ordered the Prosecution to provide Encase images to the Defense.

After receiving a continuance to allow Defense the time to examine the drives, the trial court refused to grant a second, despite the Defense’s assertion that it had only been partially successful in reviewing the evidence. The Defense and their expert had only been able to access two of the nine drives, and on those two encountered files that it could not open. The trial continued, leading to the conviction of Mr. Dingman on several charges. Of course, we are not done. Why?

On appeal, the higher court cited a Federal district court decision stating that a defense expert should be able to “`utilize his or her hardware or software.'” The prosecution had not established for appropriate restrictions necessary to limit discovery in the manner occurring in the instant case. The Court of Appeals continued by holding that the lower court had “erred by requiring that the State provide only an EnCase mirror image of Dingman’s hard drives to the defense.” The State Supreme Court declined to review the opinion, and Mr. Dingman gets a new trial, should the state decide to a mulligan.

There is plenty wrong here. A lack of knowledge, and of collaboration, has cost the state a bit of money, time, and perhaps secured the liberty of someone who may not deserve it. Rather than lay it out here, however, I’ll direct you to Craig Ball’s commentary, where he does a fine job of discussing all of the issues. His post is called Stubborn v. Stupid.

Posted in Computer Forensics, EnCase, State Courts, Washington | Tagged: | Leave a Comment »

New Euro built computer a super forensics tool?

Posted by rjbiii on September 9, 2007

Well, it certainly is fast, if nothing else:

A European consortium has come up with a high-speed digital forensic computer dedicated to the task of quickly offloading and analyzing all computer records from email or picture files to database contents and file transfers.The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min. The same transfer would take 30 to 60 minutes using alternative equipment said Martin Hermann, general director of MH-services…

Speed isn’t the only thing the TreCorder’s makers brag about, however:

The PC not only provides a complete mirror image of the hard disk and system memory – including deleted and reformatted date – but also eliminates any possibility of falsification in the process, Hermann said.

Network World, who has the story, mentions its past article questioning the soundness of such widely used tools as EnCase and The Sleuth Kit (a subject about which Post Process has already posted):

[Security Company Isec Partners] has discovered about a dozen bugs [in the aforementioned forensic software kits] that could be used to crash the programs or possibly even install unauthorized software on an investigator’s machine, according to Alex Stamos, a researcher and founding partner with Isec Partners.

Posted in Articles, Computer Forensics, EnCase, The Sleuth Kit, TreCorder | Leave a Comment »

Forensically Sound?

Posted by rjbiii on July 28, 2007

According to ISec Partners, Inc., forensic software (specifically, EnCase and The Sleuth Kit) that many forensics teams use is not as secure as it ought to be. From a post on D’Technology Weblog:

The San Francisco security company has spent the past six months investigating two forensic investigation programs, Guidance Software Inc.’s EnCase, and an open-source product called The Sleuth kit. They have discovered about a dozen bugs that could be used to crash the programs or possibly even install unauthorized software on an investigator’s machine, according to Alex Stamos, a researcher and founding partner with Isec Partners.

Researchers have been hacking forensics tools for years, but have traditionally focused on techniques that intruders could use to cover their tracks and thwart forensic investigations. The Isec team has taken a different tack, however, creating hacking tools that can be used to pound the software with data, looking for flaws.

ISec has yet to divulge the exact nature of the flaws, but will reveal some details at the upcoming Black Hat convention in Las Vegas. The Black Hat website says that the Isec discussion will make these points:

  • Forensic software vendors are not paranoid enough. Vendors must operate under the assumption that their software is under concerted attack.
  • Vendors do not take advantage of the protections for native code that platforms provide, such as stack overflow protection, memory page protection), safe exception handling, etc.
  • Forensic software customers use insufficient acceptance criteria when evaluating software packages. Criteria typically address only functional correctness during evidence acquisition when no attacker is present, yet forensic investigations are adversarial.
  • Methods for testing the quality of forensic software are not meaningful, public, or generally adopted. Our intention is to expose the security community to the techniques and importance of testing forensics software, and to push for a greater cooperation between the customers of forensics software to raise the security standard to which such software is held.

Along with this information is the announcement that:

We will release several new file and file system fuzzing tools that were created in support of this research, as well as demonstrate how to use the tools to create your own malicious hard drives and files.

Some of you may have seen an earlier article concerning anti-forensic tools that are already widely used. From that article:

The investigator (who could only speak anonymously) wonders aloud what other networks are right now being controlled by criminal enterprises whose presence is entirely concealed. Computer crime has shifted from a game of disruption to one of access. The hacker’s focus has shifted too, from developing destructive payloads to circumventing detection. Now, for every tool forensic investigators have come to rely on to discover and prosecute electronic crimes, criminals have a corresponding tool to baffle the investigation.

This is antiforensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.

An InfoWorld article mentions that The Sleuth Kit has already patched the flaws, so those bugs will be revealed. What details concerning the deficencies found in EnCase depends much upon what actions Guidance has taken by the time of the conference.

Guidance software, in the person of Larry Gill has now publicly responded to these concerns.

As a result of this extensive testing regimen, they were able to identify six test scenarios, out of ?tens of thousands? of test scenarios run, that apparently revealed minor bugs ? in some cases for which there are straightforward workarounds ? in our EnCase® Forensic Edition software. All of the testing involved intentionally corrupted target data that highlighted a few relatively minor bugs. The issues raised do not identify errors affecting the integrity of the evidence collection or authentication process, or the EnCase Enterprise process (i.e., the operation of the servlet code or the operation of the SAFE server). Moreover, the iss
ues raised have nothing to do with the security of the product. Therefore, we strongly dispute any media reports or commentary that imply that there are any ?vulnerabilities? or ?denials of service? exposed by this report.

(Excuse the rogue question marks, these are displayed in the response, and represents character translation issues).
One additional point of interest in Mr. Gill’s response, as noted in a slashdot post, may cause those concerned with legal issues to pause. Here is Mr. Gill’s 5th point:

5. EnCase Had Difficulty Reading Intentionally Corrupted NTFS File System Directory.

Response: This issue involves the authors intentionally corrupting an NTFS file system to create a ?loop? by, ?replacing a directory entry for a file with a reference to the directory?s parent directory.? Experienced forensic examiners are trained to identify such instances of data cloaking. The purposeful hiding of data by the subject of an investigation is in itself important evidence and there are many scenarios where intentional data cloaking provides incriminating evidence, even if the perpetrator is successful in cloaking the data itself. The chances of this specific scenario occurring in the field are extremely remote, but Guidance Software will test and, if verified, place this anomaly in its development queue to be addressed in the future.

I think it obvious that the “masking” or “cloaking” of data is not always evidence of wrongdoing. The slashdot post takes issue with such an argument in this manner:

That begs the question: if one cloaks data by encrypting it, exactly what incriminating evidence does that provide? And how important is that evidence compared to the absence of anything else found that was incriminating? Are we no longer allowed to have any secrets, even on our own systems?”

As Michael Caloyannides wrote in his book, Computer Forensics and Privacy, “[t]he right to privacy is not a ‘cover for crimes,’ as some law enforcers would assert.”

As a final thought, I would emphasis that the flaws in software is likely the least important item in any basic civil discovery process. An element of truest is imbued within the whole concept of civil discovery, and while strict forensic methodologies and tools are sometimes required, it is not typically necessary. What any discovery team should be focused on is the reasonable nature of the total process, from data collection to data processing, to document review. The processes used should reasonably be expected to find relevant documents, and initial assumptions (such as data custodians and search criteria) should undergo a verification process to ensure their effectiveness. But this is a discussion for another post.

Posted in Computer Security, Data Management, EnCase, Forensics, Guidance Software, Privacy, The Sleuth Kit | 1 Comment »