Aug 2013, Black Hat USA 2013
https://www.blackhat.com/us-13/archives.html#Haruyama
https://www.youtube.com/watch?v=WTxHfraFLS0
Commercial forensic software such as EnCase, FTK and X-Ways Forensics adopts the same library component for viewing file content. If that library component is exploitable, many forensic investigators are exposed to risks such as malware infection and freezing of the software simply by examining crafted malicious files.
This presentation introduces anti-forensic techniques that exploit vulnerabilities in the component embedded in forensic software. Specifically, I show that a single malicious file can trigger arbitrary code execution in multiple forensic software products. The exploitation has a great impact on forensic investigation because most forensic software includes the component.
The presentation is organized as follows. First, I explain the file viewer component in forensic software and how to fuzz it using a custom script for the forensic software, MiniFuzz and a kernel driver for anti-debugging. Next, I describe two vulnerabilities (a heap overflow and an infinite-loop DoS) detected by the fuzzer, then demonstrate arbitrary code execution and the hang-up of a forensic software process using malicious files. I also cover some tricks for exploiting the heap overflow (e.g., overwriting function pointers, finding the conditions for heap spraying with bitmap images). Finally, I discuss countermeasures.