Forensics Tool Flaw Allows Hackers to Manipulate Evidence

A vulnerability in Guidance Software’s EnCase Forensic Imager forensics tool can be exploited by hackers to take over an investigator’s computer and manipulate evidence, researchers warned. The vendor has classified the attack as an “edge case” and it does not plan on patching the flaw any time soon.

Guidance Software’s forensics products are used by governments, law enforcement agencies and private companies worldwide, including the U.S. Department of Justice, the Department of Homeland Security, the London Metropolitan Police Service, Microsoft, IBM, Apple and Facebook.

The company’s EnCase Forensic Imager is a standalone tool designed for acquiring forensic images of local drives, and for viewing and browsing potential evidence files.

Researchers at SEC Consult have analyzed the product and found that it’s affected by a potentially serious vulnerability. The flaw allows a malicious actor to execute arbitrary code on a system running the EnCase Forensic Imager via a specially crafted image file.

In an attack scenario described by the security firm, a criminal prepares a USB drive with a specially crafted image in case he gets raided by law enforcement. Forensic investigators take the USB drive and they analyze it with EnCase Forensic Imager. When they use the tool’s option to search the drive for LVM2 logical volumes, the suspect’s malicious image triggers the execution of malware.

If the investigator’s computer is connected to the Internet, the malware can allow the attacker to remotely access the device and the files stored on it, and delete or manipulate evidence. For scenarios where the investigator’s machine is offline, the attacker can create a piece of malware that conducts predefined actions (e.g. delete files with a specified extension or name).

“EnCase Forensic Imager fails to check the length of strings copied from the definitions of logical volumes in an LVM2 partition. When EnCase Forensic Imager is used to analyze a crafted LVM2 partition, part of the stack is overwritten with attacker controlled data,” SEC Consult wrote in an advisory published on Thursday. “This allows an attacker to overwrite a pointer to code. After the program execution is transferred to the address specified in this pointer, the attacker has control of the consequent program execution.”
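The missing check the advisory describes, sketched as an added example (not code from EnCase, SEC Consult or this article): a name read from an LVM2 logical volume definition is measured against the destination buffer before anything is copied. The function names, the 128-byte buffer and the accepted character set are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

#define LV_NAME_MAX 128 /* assumed destination size for this example */

/* Characters this sketch accepts in a volume name (an assumption). */
static int name_char_ok(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.' || c == '+';
}

/* Copy the identifier opening a definition such as "lvol0 {" into out.
 * def_len bounds every read; returns the name length, or -1 on bad input. */
int copy_lv_name(const char *def, size_t def_len, char *out, size_t out_sz)
{
    size_t n = 0;
    if (def == NULL || out == NULL || out_sz == 0)
        return -1;
    out[0] = '\0';
    while (n < def_len && name_char_ok(def[n])) /* measure before copying */
        n++;
    if (n == 0 || n >= out_sz)                  /* empty, or would overflow out */
        return -1;
    if (n == def_len || (def[n] != ' ' && def[n] != '\t' && def[n] != '{'))
        return -1;                              /* name not properly terminated */
    memcpy(out, def, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed inputs: a normal definition and a 300-byte name. */
int demo_normal(void)
{
    char name[LV_NAME_MAX];
    const char def[] = "lvol0 {";
    return copy_lv_name(def, sizeof def - 1, name, sizeof name);
}

int demo_oversized(void)
{
    char name[LV_NAME_MAX], def[302];
    memset(def, 'A', 300);
    def[300] = ' '; def[301] = '{';
    return copy_lv_name(def, sizeof def, name, sizeof name);
}

int main(void) { return (demo_normal() == 5 && demo_oversized() == -1) ? 0 : 1; }
```

The oversized definition is rejected before any write to the stack buffer, which is the length check the advisory says is absent.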

Researchers have developed a proof-of-concept (PoC) exploit for the vulnerability, but they will only make it public at a later date.

This is not the only vulnerability found by SEC Consult in the EnCase Forensic Imager. In late November 2016, the security firm disclosed the details of denial-of-service (DoS) and heap-based buffer overflow flaws affecting the software. Those issues remain unpatched to this day.

Guidance Software has not responded to SecurityWeek’s request for comment, but the company told SEC Consult that it sees both the vulnerability disclosed on Thursday and the flaws reported last year as “extreme edge cases.”

“Our products give investigators access to raw data on a disk so they can have complete access to all the information. Dealing with raw data means there are times when malformed code can cause a crash or other issue on an investigator’s machine. We train users for the possibility of potential events like this and always recommend that they isolate their examination computers,” the vendor stated.

“After almost 20 years building forensic investigation software that is field-tested and court-proven, we find that the benefits of complete, bit-level visibility far outweigh the inconvenience of a very limited number of scenarios like this. If an issue does arise, it is something we work directly with the customer to resolve,” it added.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
