Dispute over bugs in forensics software
Vulnerability or not? This is the question at the heart of the dispute on Bugtraq between forensic software vendor Guidance and security consulting firm iSEC. The latter claims to have discovered multiple weaknesses and security vulnerabilities in Guidance's EnCase 5.0 software, the effects of which include causing the application to crash. EnCase is used for investigations and computer forensics by government agencies all over the world and is the tool most commonly used by UK Police forces.
iSEC intends to publish details of the problems, which in the company's opinion significantly affect the reliability of EnCase, at the forthcoming Black Hat conference. In particular, because results from the software can be used as important evidence in criminal investigations, iSEC considers it unacceptable that there appear to be no quality criteria for the evaluation and selection of such software by government agencies. iSEC has submitted its presentation to the vendor in advance.
The problems primarily concern corrupt data on hard drives, which may cause EnCase to crash or freeze unexpectedly when it reads them. According to iSEC, EnCase implements no safeguards against buffer overflows, memory access violations or similar errors. In iSEC's view, it appears to have been assumed during development that attacks directed against forensic software simply do not happen.
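The failure class iSEC describes, a parser that trusts length fields read from the medium under examination, is easy to illustrate. The following is an added example written for this page; it is not EnCase code and does not reproduce any of the six bugs iSEC reported. It uses a hypothetical on-disk record layout constructed for the example (a type byte, a one-byte name length, then the name) and three constructed disk-image fragments: one benign, one whose length byte exceeds the destination buffer, and one whose length byte exceeds what is actually present on the medium. The unchecked parser shows the bug pattern; the checked parser bounds every read against both the image size and the destination size and returns an error code for hostile input instead of corrupting memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical on-disk record layout, constructed for this example only
 * (it is not any real filesystem or evidence-file format):
 *   byte 0    : record type
 *   byte 1    : name_len
 *   bytes 2.. : name (name_len bytes, not NUL-terminated)
 */
#define NAME_MAX 32

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_BAD_LENGTH = 2 };

/* Constructed sample images. */
static const uint8_t benign_image[]    = { 0x01, 0x05, 'n', 'o', 't', 'e', 's' };
static const uint8_t oversize_image[]  = { 0x01, 0xC8, 'A', 'A', 'A', 'A' };  /* claims 200-byte name */
static const uint8_t truncated_image[] = { 0x01, 0x10, 'A', 'A' };            /* claims 16 bytes, has 2 */

/* Vulnerable pattern: trusts the on-disk length field. With oversize_image it
 * copies 200 bytes into a 32-byte buffer (stack overflow) and reads far past
 * the end of the image. Shown for contrast; do not call it on hostile input. */
int parse_entry_unchecked(const uint8_t *img, size_t img_len, size_t off, char *name_out)
{
    (void)img_len;                      /* never consulted: that is the bug */
    uint8_t name_len = img[off + 1];
    memcpy(name_out, img + off + 2, name_len);
    name_out[name_len] = '\0';
    return PARSE_OK;
}

/* Hardened version: every read is bounded by the image size and every write
 * by the destination size. Hostile records yield an error code, not a crash. */
int parse_entry_checked(const uint8_t *img, size_t img_len, size_t off,
                        char *name_out, size_t name_out_len)
{
    if (off > img_len || img_len - off < 2)      /* two-byte header must fit */
        return PARSE_TRUNCATED;
    size_t name_len = img[off + 1];
    if (name_len >= name_out_len)                /* leave room for the NUL */
        return PARSE_BAD_LENGTH;
    if (name_len > img_len - off - 2)            /* name must fit in the image */
        return PARSE_TRUNCATED;
    memcpy(name_out, img + off + 2, name_len);
    name_out[name_len] = '\0';
    return PARSE_OK;
}

/* Parse the record at offset 0 into a private buffer; return the result code. */
int check_image(const uint8_t *img, size_t img_len)
{
    char name[NAME_MAX];
    return parse_entry_checked(img, img_len, 0, name, sizeof name);
}

/* 1 if the record at offset 0 parses cleanly and its name equals expected. */
int parsed_name_matches(const uint8_t *img, size_t img_len, const char *expected)
{
    char name[NAME_MAX];
    if (parse_entry_checked(img, img_len, 0, name, sizeof name) != PARSE_OK)
        return 0;
    return strcmp(name, expected) == 0;
}

int main(void)
{
    const struct { const char *label; const uint8_t *img; size_t len; } cases[] = {
        { "benign",    benign_image,    sizeof benign_image },
        { "oversize",  oversize_image,  sizeof oversize_image },
        { "truncated", truncated_image, sizeof truncated_image },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char name[NAME_MAX] = "";
        int rc = parse_entry_checked(cases[i].img, cases[i].len, 0, name, sizeof name);
        printf("%-9s -> rc=%d name=\"%s\"\n", cases[i].label, rc, name);
    }
    /* parse_entry_unchecked(oversize_image, ...) would write 201 bytes into a
     * 32-byte stack buffer: the crash class the article describes. */
    return 0;
}
```

The point for an evidence-handling tool is that the medium being examined is attacker-controlled input, so each length, offset and count read from it has to be validated against what is actually present before it drives a copy or an index.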
Guidance does not consider the six bugs cited by iSEC to be genuine weaknesses or security vulnerabilities. In its opinion the scenarios outlined are extreme cases in which anomalies could occur, which does not mean there is a problem with the quality of EnCase; the integrity of the investigation process is preserved. Nevertheless, Guidance admits that no software is "crash-proof", EnCase included. Guidance also finds fault with the fact that the data created by iSEC was intentionally corrupted target data. However, as a rule this is precisely how exploits work: the attacker supplies deliberately malformed input. Guidance does not reveal whether it now intends to remedy the bugs.
Whether or not these bugs actually affect the integrity of the evidence, a recognised flaw in EnCase that can affect the conduct of forensic procedures may well cause problems in court. In English criminal law the standard of proof is "beyond reasonable doubt". Where it becomes known that a forensics tool has misbehaved in any way while gathering evidence, this standard will essentially require the prosecution to convince a jury that the evidence has not been affected: an almost impossible task, given the technicality of the problem.
- Guidance Software Response to iSEC Report, comment from Guidance
- Re: Guidance Software response to iSEC report on EnCase, response from iSEC