I've had FTK crash on me when extracting email messages from a .PST file. (FTK is described at http://www.accessdata.com/catalog/partdetail.aspx?partno=11000). I suspect it has a lot of problems with badly formed files. The obvious place to attack FTK is through its full text indexing software which has to parse many different file types. I wonder, for example, how many buffer overflow errors are in the .DOC file parser.
OTOH, the ASLR feature in Vista should turn exploit attempts into crashes. Another way to attack a forensics software package is to give it a lot of work to do. For example, feed it a .ZIP file that inflates to 100 GB of .DOC files.

Rich

> Via InfoWorld.
>
> [snip]
>
> The software that police and enterprise security teams use to investigate
> wrongdoing on computers is not as secure as it should be, according to
> researchers with iSEC Partners.
>
> The San Francisco security company has spent the past six months
> investigating two forensic investigation programs, Guidance Software's
> EnCase, and an open-source product called The Sleuth Kit. They have
> discovered about a dozen bugs that could be used to crash the programs or
> possibly even install unauthorized software on an investigator's machine,
> according to Alex Stamos, a researcher and founding partner with iSEC
> Partners.
>
> [snip]
>
> More:
> http://www.infoworld.com/article/07/07/25/Forensics-software-can-be-hacked_1.html
>
> - - ferg
>
> p.s. Interesting premise for a Hollywood movie: "...bugs that
> could be used to crash the programs or possibly even install
> unauthorized software on an investigator's machine..."
>
> :-)
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
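The "ZIP that inflates to 100 GB" point above, as an added example that is not from the thread or from any of the tools it names: a defender-side pre-check an indexer can run before inflating an archive, plus a hard cap on actual inflated output. The thresholds and the sample archive are constructed for this example.

```python
import io
import zipfile

# Caps are assumptions for this example; tune them per environment.
MAX_TOTAL_INFLATED = 256 * 1024 * 1024   # bytes the whole archive may declare
MAX_RATIO = 100.0                        # declared inflated / stored bytes
CHUNK = 1024 * 1024


class DecompressionBombSuspected(Exception):
    """Archive looks built to exhaust the indexer rather than to hold data."""


def audit_zip(data: bytes, max_total: int = MAX_TOTAL_INFLATED,
              max_ratio: float = MAX_RATIO) -> dict:
    """Pre-check from the central directory; declared sizes are attacker
    controlled, so this is a filter and extract_capped() still caps output."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    inflated = sum(i.file_size for i in infos)
    stored = sum(i.compress_size for i in infos)
    ratio = inflated / max(stored, 1)
    if inflated > max_total or ratio > max_ratio:
        raise DecompressionBombSuspected(
            f"declares {inflated} bytes from {stored} stored ({ratio:.0f}:1)")
    return {"entries": len(infos), "inflated": inflated,
            "stored": stored, "ratio": ratio}


def extract_capped(data: bytes, name: str, limit: int) -> bytes:
    """Inflate one entry in chunks and abort once real output passes `limit`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while chunk := fh.read(CHUNK):
            if out.tell() + len(chunk) > limit:
                raise DecompressionBombSuspected(
                    f"{name}: inflated output exceeded {limit} bytes")
            out.write(chunk)
    return out.getvalue()


def build_sample_archive(payload: bytes, name: str = "report.doc") -> bytes:
    """Constructed test input (not a file from the thread): one entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()
```

A highly compressible entry fails the ratio check before any inflation happens, while the chunked cap catches an archive whose headers understate what it really expands to.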
