Another trivial exploit - please fix

From: Andrew Rosen (andrewat_private)
Date: Sat May 12 2001 - 22:04:09 PDT


    I have discovered what I believe to be a flaw in the EnCase
    program used by some members of this community.  I would like
    to publish this information in the hopes that it will assist
    law enforcement officers and agencies in dealing with computer
    crime investigations.
    
    The flaw involves directories that appear empty in EnCase,
    but when viewed in Windows actually contain files, folders
    and deleted file information.  This is more of an aesthetic
    issue than a real killer.  A skilled investigator might be
    able to identify the problem, if they know what to look for
    and how to find it.
    
    The quickest and easiest way to demonstrate this issue is:
    
    1) format a floppy disk
    2) place files and folders on the disk
    3) within the entry for a sub-folder, shift the contents
       of the directory entry up by 64 bytes, overwriting the
       "dot - double dot" directory thread entries.
    
    At this point, Windows is still able to display the contents
    of the directory, but EnCase shows the directory as "empty".
    Accordingly, any directories within the affected directory
    are not visible within the logical file structure presented
    by EnCase, nor are their contents.
    
    Files may be created, deleted, etc. within the affected
    directory and are not displayed in the "all files" view.
    In Disk view, the clusters occupied by the "hidden" entries
    will appear as orphaned.  If you are using any version of
    EnCase and see a folder that appears "empty", please be aware
    of this and make sure you are not missing files and folders
    that are visible to Windows and other programs.  Maintaining
    a linked list of directory clusters (the way Windows does)
    will solve this problem.  Assuming that the directory structure
    is intact is not always a valid assumption.
    
     
    Regards -
     
    Andrew Rosen
    ASR Data Acquisition & Analysis, LLC - Austin, Texas
    ====================================================
    Voice: 512-918-9227                  (GMT -6 hrs)
    Fax  : 512-918-9393
    EMail: andrewat_private
    WWW  : http://www.asrdata.com
    ====================================================
    
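As an added example (not code from Andrew Rosen's post or from EnCase), the following Python parser reads a FAT directory cluster slot by slot, keeps deleted entries, and reports whether the "." and ".." thread entries are present instead of treating their absence as an empty directory. The directory bytes are constructed sample data built by a helper; the "shifted" cluster reproduces the layout the post describes.

```python
import struct

ENTRY = struct.Struct("<11sBBBHHHHHHHI")   # 32-byte FAT short-name directory entry
ATTR_DIRECTORY, ATTR_LFN = 0x10, 0x0F

def make_entry(name, ext, attr, cluster, size=0, deleted=False):
    """Build one constructed 32-byte entry (sample data, not read from a real disk)."""
    raw = name.ljust(8).encode()[:8] + ext.ljust(3).encode()[:3]
    if deleted:
        raw = b"\xE5" + raw[1:]          # 0xE5 marks a deleted entry
    return ENTRY.pack(raw, attr, 0, 0, 0, 0, 0, cluster >> 16, 0, 0, cluster & 0xFFFF, size)

def parse_directory(blob):
    """Walk every 32-byte slot; keep deleted entries, skip LFN pieces, stop at the 0x00 end marker."""
    entries = []
    for off in range(0, len(blob) - len(blob) % 32, 32):
        raw, attr, _, _, _, _, _, hi, _, _, lo, size = ENTRY.unpack_from(blob, off)
        if raw[0] == 0x00:               # no entries follow this slot
            break
        if attr == ATTR_LFN:             # long-name fragment, not a file record
            continue
        deleted = raw[0] == 0xE5
        head = (b"?" + raw[1:8]) if deleted else raw[:8]
        name = head.decode("ascii", "replace").rstrip()
        ext = raw[8:].decode("ascii", "replace").rstrip()
        entries.append({"name": name + ("." + ext if ext else ""),
                        "is_dir": bool(attr & ATTR_DIRECTORY),
                        "cluster": (hi << 16) | lo, "size": size, "deleted": deleted})
    return entries

def audit_subdirectory(blob):
    """Flag a sub-folder whose '.'/'..' thread entries are gone, but still list what it holds."""
    entries = parse_directory(blob)
    first_two = entries[:2]
    intact = [e["name"] for e in first_two] == [".", ".."] and all(e["is_dir"] for e in first_two)
    return {"dot_entries_intact": intact, "entries": entries}

# Constructed sample: a healthy sub-folder cluster, then the same cluster after the
# 64-byte shift described in the post (both thread entries overwritten).
HEALTHY = (make_entry(".", "", ATTR_DIRECTORY, 5)
           + make_entry("..", "", ATTR_DIRECTORY, 0)
           + make_entry("NOTES", "TXT", 0x20, 9, 1234)
           + make_entry("EVIDENCE", "", ATTR_DIRECTORY, 12)
           + make_entry("OLD", "DOC", 0x20, 20, 99, deleted=True)
           + b"\x00" * 32)
SHIFTED = HEALTHY[64:] + b"\x00" * 64

if __name__ == "__main__":
    for label, blob in (("healthy", HEALTHY), ("shifted", SHIFTED)):
        print(label, audit_subdirectory(blob))
```

The shifted cluster still yields the file, the sub-directory (with its first cluster, so the walk can continue into it) and the deleted entry; only the thread-entry check fails, which is the signal an examiner would want instead of a silently empty folder.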
    This archive was generated by hypermail 2b30 : Mon May 14 2001 - 08:45:39 PDT