Wednesday, May 17, 2017

Tracking the culprit: SEC Technologies and Fraunhofer IPK develop technology to identify criminal activities in enterprise networks

Violence, extremism and child abuse: a lot of criminal activity is captured in images and distributed via the internet and social media. But how can companies protect their network if it is being abused for such a purpose? If operators do not want to be unwilling accomplices, they must take the necessary measures to prevent these crimes. SEC Technologies, SEC Consult’s subsidiary for technical innovation and development, and Fraunhofer IPK have set a technical milestone in identifying criminal images: Traffiic (Traffic analysis for incriminating image content) is able to recognize acts of abuse by combining text and image analysis with machine learning, which makes it possible to evaluate image content and raise an alarm if necessary.

The aim of the jointly developed technology was software that discovers such content and helps counter the misuse of infrastructure. The result is a modular system that can be integrated into the enterprise network as a passive component. The least possible delay in network traffic and minimal hardware requirements make it easy to run this technology in the background. The heart of the system is its data extraction capability: in case of findings, the network operator is informed immediately and can take countermeasures.

High quality technology against violent crime

Fraunhofer IPK developed a new system which detects acts of abuse by combining text and image analysis with machine learning. To achieve a high detection rate with a low error rate, several different, specialized and intelligent “classifiers” are used. For example, the first “classifier” recognizes erotic figures. Such a “positive” finding activates another “classifier”, which was trained to recognize child abuse. Apart from the image content, the filename and EXIF information, which contains facts about the camera used, are also analyzed.

Markus Robin, General Manager SEC Consult: “Apprehending criminals and safeguarding victims was our guiding idea during the development of this technology. Studies show that in hidden services, 80 % of site visits were related to child abuse content. As cybersecurity experts it is also our responsibility to enable a safe world. More and more frequently, companies register a misuse of their network and infrastructure. That’s why we developed Traffiic – to support companies in their network protection, save them from becoming accomplices and set measures against the horrible sharing of violent crimes.”

In the course of this project SEC Technologies developed solutions for detecting and analyzing critical content in networks. The module implemented for data extraction makes it possible to identify images and videos in the network’s data streams and to extract and store them for analysis. In addition to extracting the files, evaluating the source of an image is of central importance. Based on former data analyses, another module for the evaluation of network sources investigates the reputation of the system in question by linking and examining different data sources such as Whois databases and IP reputation services. As a result, the system’s reputation can be included in the evaluation of an image and significantly enhances the accuracy of the whole evaluation. Dr. Franz Fotr, court-certified IT-security expert, said at the workshop in Berlin: “I am delighted that the cooperation between SEC Technologies and the Fraunhofer IPK (Institute for Production Systems and Design Technology) bears fruit. The developments of the project Traffiic empower companies of all sizes to monitor their infrastructure and to protect it from attacks. That makes it significantly more difficult for criminals to misuse infrastructures and contributes to stopping the spread of child pornography.”


Thursday, May 11, 2017

Chainsaw of Custody: Manipulating forensic evidence the easy way

When it comes to computer forensics, or for that matter forensics in general, one of the main challenges is to ensure that evidence that is collected is not tampered with. To achieve this, computer forensic experts adhere to a strict protocol and use many specialized hardware and software tools.

As we have shown time and time again, specialized security software is not immune to security vulnerabilities. Knowing this, we sometimes audit software products used for our core processes to achieve the best level of security for our customer's data. One of these software products is EnCase Forensic Imager.

EnCase Forensic Imager is a free tool that allows a forensic investigator to gather evidence from storage media. This evidence can then later be analyzed using the commercial EnCase Forensic suite. To efficiently gather evidence, EnCase Forensic Imager is able to process many different formats commonly used on storage media. However, parsing untrusted data from a suspect's storage device can be dangerous. There's always the risk that a suspect has manipulated his storage device so that forensic software fails to read any data, ignores incriminating data, or even takes over the investigator's machine. The latter is exactly what SEC Consult demonstrated to be possible with EnCase Forensic Imager in the latest advisory.

EnCase Forensic Imager crash - code execution (example: calc.exe)

The attack

By writing a manipulated LVM2 partition (a hard disk format commonly used for Linux servers) on a storage device, an attacker could - if the device were ever to be analysed using EnCase Forensic Imager - take over an investigator's machine. When the investigator tries to read the device, EnCase Forensic Imager crashes - unbeknownst to the investigator, however, a lot more is happening. Through a buffer overflow security flaw, EnCase Forensic Imager can be tricked into executing data read from the storage device. Afterwards the code provided by the attacker has full control of the investigator's machine and can be used by the suspect to manipulate evidence.

The video below demonstrates a scenario where someone prepared a malicious USB storage medium in case it was ever analyzed by, e.g., the authorities. When the investigator analyzes it using EnCase Forensic Imager, their machine connects, without their knowledge, to a remote server controlled by the suspect (arbitrary malicious code can be executed). The server can then access the investigator's machine to manipulate or delete evidence.

For technical details please refer to the advisory.

Who's affected?

We found that this issue does not affect the version of the full EnCase Forensic suite we had available for testing. We did not verify whether this issue exists in other versions of EnCase Forensic (apparently EnCase Forensic and EnCase Forensic Imager share the same code base).

According to Guidance Software their products are used by many law enforcement and government agencies such as
  • the FBI
  • the CIA
  • the US Department of Justice
  • the US Department of Homeland Security
  • and the London Metropolitan Police Service

as well as several major companies such as
  • Microsoft
  • Facebook
  • and Oracle.

It is unclear whether these organisations use the EnCase Forensic Imager tool.

How to avoid attacks?

Some organisations use special machines without network or internet access to handle evidence data. While this is a very good security measure, it does not protect against this attack. Since this vulnerability allows a suspect to execute arbitrary code on these machines, the attacker could create malware that manipulates or deletes evidence based on predefined rules (e.g. delete all Excel files with a specific name pattern).
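Since an isolated analysis machine cannot be trusted once a parsing bug hands control to the suspect's data, the practical defence is to be able to prove afterwards that the collected evidence was not altered. The script below is an added example, not code from SEC Consult or from the blog post: it builds a SHA-256 manifest of an evidence directory on a trusted system, and later checks that directory against the manifest to report modified, missing or added files. The directory layout, file names and contents are constructed sample data; in real use the manifest would be written to separate write-once media or signed so that the analysis machine cannot rewrite it.

```python
"""Evidence integrity manifest: build on a trusted host, verify after analysis."""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample evidence files (placeholder names and bytes, not real case data).
SAMPLE_FILES = {
    "case/invoices_2017.xlsx": b"PK\x03\x04 constructed spreadsheet bytes",
    "case/notes.txt": b"interview notes, constructed sample",
    "case/disk.E01": b"EVF constructed image header",
}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large disk images do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path) -> dict:
    """Map every file (relative POSIX path) under evidence_dir to its hash and size."""
    manifest = {}
    for path in sorted(evidence_dir.rglob("*")):
        if path.is_file():
            rel = path.relative_to(evidence_dir).as_posix()
            manifest[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    """Persist the manifest as JSON; store this copy off the analysis machine."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Compare the current directory state with the manifest.

    Returns a report with 'ok' plus sorted lists of modified, missing and added
    files, so deletions by name pattern show up just as clearly as edits.
    """
    current = build_manifest(evidence_dir)
    modified = sorted(
        rel for rel in manifest
        if rel in current and current[rel]["sha256"] != manifest[rel]["sha256"]
    )
    missing = sorted(rel for rel in manifest if rel not in current)
    added = sorted(rel for rel in current if rel not in manifest)
    return {
        "ok": not (modified or missing or added),
        "modified": modified,
        "missing": missing,
        "added": added,
    }


def demo() -> tuple:
    """Build a manifest, verify a clean tree, then detect simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        evidence = root / "evidence"
        for rel, data in SAMPLE_FILES.items():
            target = evidence / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        manifest_path = root / "manifest.json"  # stands in for separate trusted media
        save_manifest(build_manifest(evidence), manifest_path)
        manifest = load_manifest(manifest_path)

        clean = verify_manifest(evidence, manifest)

        # Simulate the tampering the post describes: a spreadsheet deleted by name
        # pattern and another file rewritten, then check the tree again.
        (evidence / "case/invoices_2017.xlsx").unlink()
        (evidence / "case/notes.txt").write_bytes(b"interview notes, altered")
        tampered = verify_manifest(evidence, manifest)

        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:", before)
    print("after tampering:", after)
```

The report distinguishes missing files from modified ones because the scenario on this page is a deletion rule, not just an edit; a manifest that only lists hashes of surviving files would let a silent deletion pass. Verifying with a separate, read-only copy of the manifest is what makes the check meaningful, since anything stored on the compromised analysis host can be rewritten along with the evidence.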

We provided details for this vulnerability to the vendor back in March 2017. Unfortunately, Guidance Software neither provided a fixed version nor communicated a schedule for fixing this vulnerability within 50 days. As per our responsible disclosure policy we therefore publicly released the advisory. The vendor currently does not provide a version of EnCase Forensic Imager without known vulnerabilities.

This is already the second security vulnerability in EnCase Forensic Imager that the SEC Consult Vulnerability Lab has communicated to Guidance Software in the past few months. Back then, the vendor did not fix those security flaws either (they have not been resolved yet). This raises the question whether Guidance Software should rethink their security approach given the number of trivial vulnerabilities, the high-profile customer base and the displayed handling of vulnerability reports.

We received the following statement on 11th May from Guidance Software which we will leave uncommented as we are still bewildered about it:

"We are aware and appreciate the issues raised by SEC Consult. The exploit SEC Consult claims to have found is an extreme edge case, much like the theoretical alerts they tried to promote in November. As always, we continue to examine alerts when they are submitted and apply changes to our systems as necessary.

Our products give investigators access to raw data on a disk so they can have complete access to all the information. Dealing with raw data means there are times when malformed code can cause a crash or other issue on an investigator’s machine. We train users for the possibility of potential events like this and always recommend that they isolate their examination computers. After almost 20 years building forensic investigation software that is field-tested and court-proven, we find that the benefits of complete, bit-level visibility far outweigh the inconvenience of a very limited number of scenarios like this. If an issue does arise, it is something we work directly with the customer to resolve.

The nature of our business is dealing with raw data, and that has risk. We will continue to modify our software as necessary to deal with the continually changing environment. If necessary, we will take action and inform our customers. We do not consider this claim to be serious and it will not impact the performance of our products."


This research was done by Wolfgang Ettlinger (@ettisan) on behalf of SEC Consult Vulnerability Lab. SEC Consult is always searching for talented security professionals to work in our team. More information can be found at: