A Story Of A Vulnerability: How To Execute Code On A Forensic Workstation, presented at DeepSec 2017

by Wolfgang Ettlinger

Summary: EnCase Forensic Imager is a tool used by forensic investigators to gather evidence from storage media. We used a custom tool to fuzz the file system parser code of this product and found a buffer overflow vulnerability in the LVM2 parser. We demonstrate the approach we used to fuzz EnCase Forensic Imager, describe the technical details of the vulnerability and show how this vulnerability can be exploited to execute arbitrary code on the investigator's machine. We wrap up our talk by discussing the impact of this vulnerability on forensic evidence.