MALICIOUS FILE FOR EXPLOITING FORENSIC SOFTWARE

Black Hat USA 2013

Presented by: Takahiro Haruyama, Hiroshi Suzuki
Date: Wednesday July 31, 2013
Time: 17:30 - 18:00
Location: Roman 2

Commercial forensic software such as EnCase, FTK and X-Ways Forensics adopts the same library component for viewing file content. If the library component is exploitable, lots of forensic investigators are exposed to risks like malware infection and freeze of the software by checking crafted malicious files.

This presentation introduces anti-forensic techniques exploiting vulnerabilities of the component embedded in forensic software. Specifically, I show one malicious file can trigger arbitrary code execution on multiple forensic software products. The exploitation has great impact on forensic investigation because most forensic software includes it.

The presentation is made up as follows. First, I explain the file viewer component in forensic software and how to fuzz it with a custom script of forensic software, MiniFuzz and a kernel driver for anti-debugging. Next, I describe two vulnerabilities (heap overflow and infinite loop DoS) detected by the fuzzer then demonstrate arbitrary code execution and hang-up of forensic software process using malicious files. I also fill in the gaps on some tricks for exploiting heap overflow (e.g., overwriting function pointers, finding the condition of heap spraying with bitmap images). Finally, I refer to countermeasures.

Takahiro Haruyama

Takahiro Haruyama, EnCE, is a forensic professional with over eight years of extensive research experience and knowledge in intrusion detection, authentication, VPN, digital forensics and malware analysis. He is the author of memory forensic EnScript such as Raw Image Analyzer (previously known as Memory Forensic Toolkit) and Crash Dump Analyzer. He also has spoken at several conferences about digital forensics and computer security including SANS Digital Forensics and Incident Response Summit, Black Hat Europe, The Computer Enterprise and Investigations Conference, FIRST Technical Colloquium, RSA Conference Japan.

Hiroshi Suzuki

Hiroshi Suzuki is a malware analyst, working for a Japanese ISP company, Internet Initiative Japan Inc. His primary job is to analyze malware and vulnerabilities, to observe malware activity, and digital forensics. He is a speaker for international conferences like FIRST.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats