Forensics in Spanish
Fallas en Software de Informática Forense Jul 26 2007 09:56PM
Jeimy José Cano Martínez (jcano uniandes edu co)
Spam detection software, running on the system "", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Estimados profesionales, Adjunto noticia publicada en
ComputerWorld, sobre fallas o vulnerabilidades en el Software Forense,
que pueden dejar en entre dicho el uso de éstas herramientas.
Black Hat: Researchers say forensics software can be hacked Robert
McMillan July 25, 2007 (IDG News Service) The software that police and
enterprise security teams use to investigate wrongdoing on computers is
not as secure as it should be, according to researchers at iSec Partners
Inc. [...]

Content analysis details: (5.7 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
3.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
[score: 0.8451]
2.7 AWL AWL: From: address is in the auto white-list

Received: (qmail 29472 invoked from network); 26 Jul 2007 20:36:42 -0000
Received: from (
by with SMTP; 26 Jul 2007 20:36:42 -0000
Received: from ([]) by
via smtpd (for []) with ESMTP; Thu, 26 Jul 2007 14:46:44 -0700
Received: from tupi ( [])
by (8.14.0/8.14.0) with ESMTP id l6QLpBX2005647
for <forensics-es (at) securityfocus (dot) com [email concealed]>; Thu, 26 Jul 2007 16:51:13 -0500 (COT)
Received: from tupi (unknown [])
by tupi (Symantec Mail Security) with ESMTP id 22ACF1935
for <forensics-es (at) securityfocus (dot) com [email concealed]>; Thu, 26 Jul 2007 16:51:11 -0500 (COT)
X-AuditID: 9dfd3290-0000000a0000021d-d3-46a9174e4daa
Received: from (unknown [])
by tupi (Symantec Mail Security) with ESMTP id D37951920
for <forensics-es (at) securityfocus (dot) com [email concealed]>; Thu, 26 Jul 2007 16:51:10 -0500 (COT)
Received: from ([])
by (Sun Java System Messaging Server 6.2-7.05 (built Sep
5 2006)) with ESMTP id <0JLT0003P3HU4Z80 (at) (dot) co [email concealed]> for
forensics-es (at) securityfocus (dot) com [email concealed]; Thu, 26 Jul 2007 16:53:54 -0500 (COT)
Received: from [] (Forwarded-For: [])
by (mshttpd); Thu, 26 Jul 2007 16:56:16 -0500
Date: Thu, 26 Jul 2007 16:56:16 -0500
From: Jeimy =?UTF-8?B?Sm9zw6k=?= Cano =?UTF-8?Q?Mart=C3=ADnez?=
<jcano (at) (dot) co [email concealed]>
Subject: =?iso-8859-1?Q?Fallas_en_Software_de_Inform=E1tica_Forense?=
To: forensics-es (at) securityfocus (dot) com [email concealed]
Message-id: <f631ce30aa71.46a8d230 (at) (dot) co [email concealed]>
MIME-version: 1.0
X-Mailer: Sun Java(tm) System Messenger Express 6.2-8.04 (built Feb 28 2007)
Content-type: text/plain; charset=iso-8859-1
Content-language: es
Content-transfer-encoding: quoted-printable
Content-disposition: inline
X-Accept-Language: es
Priority: normal
X-Brightmail-Tracker: AAAAAA==

Estimados profesionales=2C

Adjunto noticia publicada en ComputerWorld=2C sobre fallas o vulnerabili=
dades en el Software Forense=2C que pueden dejar en entre dicho el uso d=
e =E9stas herramientas=2E

Black Hat=3A Researchers say forensics software can be hacked
Robert McMillan
July 25=2C 2007 (IDG News Service) The software that police and enterpri=
se security teams use to investigate wrongdoing on computers is not as s=
ecure as it should be=2C according to researchers at iSec Partners Inc=2E=

The San Francisco security company has spent the past six months looking=
into two forensic investigation programs=3A Guidance Software Inc=2E=27=
s EnCase=2C and an open-source product called The Sleuth Kit=2E They hav=
e discovered about a dozen bugs that could be used to crash the programs=
or possibly even to install unauthorized software on an investigator=27=
s machine=2C according to Alex Stamos=2C a researcher and founding partn=
er at iSec=2E

Researchers have been hacking forensics tools for years but have traditi=
onally focused on techniques that intruders could use to cover their tra=
cks and thwart forensic investigations=2E The iSec team has taken a diff=
erent tack=2C however=2C creating hacking tools that can be used to poun=
d the software with data=2C looking for flaws=2E

Based on their findings=2C Stamos=27 team believes that the EnCase softw=
are is not written as securely as it should be and could theoretically b=
e exploited by an attacker=2E

=22What Guidance needs to do is change their production and their qualit=
y assurance practices=2C=22 Stamos said=2E =22We looked at a small porti=
on of the functionality of EnCase=2C and we found that there are lots of=
bug that can make it impossible for somebody to complete their work=2E =
Basically=2C we can make it impossible to open up a hard drive and look =
at it=2E=22

ISec is holding the technical details of its findings close to its chest=
and is not saying whether any bugs it found could be exploited to do so=
mething much worse=3A install unauthorized software on a PC=2E

But the team will be disclosing some information at next week=27s Black =
Hat conference in Las Vegas=2C Stamos said=2E

What=2C exactly=2C will be disclosed=3F The Sleuth Kit project has alrea=
dy patched the flaws iSec has found=2C so those flaws will be made publi=
c=2E Details on EnCase may be released if the product is patched by then=
=2C Stamos said=2E ISec will also release the debugging and =22fuzzing=22=
tools it used to find these flaws=2C he added=2E

The iSec research looks interesting but will probably not have a major i=
mpact on the lives of forensic researchers=2C said Jim Butterworth=2C Gu=
idance=27s director of incident response=2E

Because forensic systems are typically not connected to external network=
s=2C they can=27t be remotely controlled via the Internet=2C he said=2E =
So even if an attacker could use these techniques to compromise one fore=
nsic snapshot of a system=2C a second forensic tool would provide the re=
al picture=2E =22It=27s just not that big of a threat=2C because I know =
a lot of other mitigating steps to take=2C=22 he said=2E =22A well-train=
ed person does not use a single tool=2E=22

Another forensic researcher agreed that the iSec research is interesting=
but of limited use to criminals=2E

That=27s because most serious attackers are already good enough at cover=
ing their tracks that they will never be caught=2C according to James C=2E=
Foster=2C president and chief scientist at Ciphent Inc=2E =22If you=27r=
e an attacker=2C you can basically beat the system=2C=22 he said=2E =22I=
n my opinion=2C the bigger problem is that the product is not going to p=
rovide the data that you want=2E=22

However=2C there is one group that may pay special attention to the Stam=
os team=3A defense lawyers=2E If iSec shows that unauthorized software c=
ould have been run on an investigator=27s PC=2C it could ultimately unde=
rmine the usefulness of these forensic tools in court=2C said Chris Ridd=
er=2C residential fellow at the Stanford University Law School Center fo=
r Internet and Society=2E (las negrillas resaltadas son del remitente de=
l correo)

=22The big risk is for someone to execute arbitrary code=2C=22 he said =22=
If there=27s a risk that the evidence has been compromised or if somethi=
ng has been planted by a third party=2E=2E=2E then you can call into que=
stion the accuracy of the software and possibly get it thrown out=2E=22

Butterworth=2C who has been grilled many times by defense lawyers=2C agr=
eed=2E =22I wouldn=27t put anything past a defense attorney =2C=22 he sa=
id=2E =


Jeimy J=2E Cano
Facultad de Derecho
Universidad de los Andes
Bogot=E1=2C D=2EC

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus