SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Arbitrary Code Execution on Examiner Systems via File Format Vulnerabilities

I attended ThotCon 0x1 on Friday, April 23rd, and watched a talk where the presenters disclosed and demonstrated an exploit embedded in a disk image that triggered arbitrary code execution when the same malicious file was examined using either EnCase or FTK. I'd like to talk a bit about this and it's implications, as well as a few things that we, as a community, might want to do in response.

The specific vulnerability in question appeared to actually exist in the Outside-In component, and was not triggered until the malicious file was actually viewed inside EnCase or FTK. The presenters stated that the vulnerability had been initially reported to Guidance and Access Data more than 3 versions of EnCase ago. Thinking back now, I was assuming they meant they had notified before 6.14, but it's possible that they were counting point releases.

When triggered, the exploit seemed


Digital Forensics Case Leads: Google's "password system" code stolen?

Additional details of the attack against Google were reported in the New York Times this week. The claim is that some portion of Google's authentication system code, Gaia, may have been stolen as part of the "Aurora" breach. The bulk of this week's Case Leads was inspired by my own pursuits of late. I've been revisiting some forgotten skills in an attempt to brush up and have been researching information on some new (to me) technologies of interest.


  • My tool of choice this week is IDA Pro, the disassembler that should be in any malware analyst's kit. I was exposed to IDA Pro a few years ago in Lenny Zeltser's Reverse-Engineering Malware course. Unfortunately for me, I'm a bit rusty on its usage, but am getting back into it.



Digital Forensics and Social Media

Privacy | Transparency

Social networks like Facebook, Twitter, Foursquare and Google Buzz can be a treasure trove for forensics investigations. The expanding ocean of data in those networks is irresistible to investigators.

Marketers are already exploiting social data to analyze associations among consumers. A startup named 33Across looks at relationships among social media users to ascertain who, for example, would be a good prospect for viewing an ad on costume jewelry. If Jane is a good prospect, then some of her friends - or maybe just people who circulate in the same social group - might be too. 33Across uses tools like tracking cookies to follow relationships.

Just as this style of data gathering and analysis can help marketing, it can help law enforcement or dispute resolution.

Digital Forensics Case Leads: ZeusTracker; Legal Hold Software; Port Control as a Forensic Tool

The Zeus banking Trojan continues to siphon cash from businesses' bank accounts. Attackers compromise networks and computers then lie in wait until accounts are accessed, at which point authentication may be hijacked allowing attackers to submit transactions. The credentials match, even two-factor systems are being defeated. At last count, attackers made over $120 million in unauthorized transactions in Q3 2009 (source: FDIC).

Multi-factor and out-of-band authentication will not cure the ill if the customers' machines are owned by the attackers. Per transaction authentication is needed (probably digitally signed and with MAC). If you are working as an incident responder, it may be helpful to know some of the currently active command and control systems connected to Zeus. Here is a handy list, provided by ZeusTracker (note: SSL certificate errors may pop-up,


An anti-forensics dd primer

dd is the swiss army knife of file tools - with /dev/tcp it can also be a network tool (but nc is simpler).

First we need the basics for dd. For this we have the man page and some definitions. I have taken (blatantly paraphrased) the man file info for dd and included this below (which is simple to obtain - "man dd").

For the purpose of a task such as reversing files and swapping them, we need to concentrate on the following options:

  • bs - This is block size. Setting "bs=1" means that we can use dd as a bit level (instead of a block level tool). Although it does slow down the process from a block copy, we are not looking at how fast we can copy here.
  • skip - this tells us to skip "n" blocks. In our case, we want "n" bits.

What we are going to do is start at the value of "n" set to our last bit in the file. We will loop the dd function to next copy bit "n - 1", then "n - 2", ... to

... Continue reading An anti-forensics dd primer