Wednesday, June 11, 2008

Enterprise Forensics tools

After thinking about a few things over the past few days and digesting some comments and the presentations I saw down at techno security an idea popped in to my head regarding enterprise forensics tools. Currently there are two major players and one or two up and coming players in the field. I wanted to focus on the two major players, AccessData and Guidance. Please note that all of this is speculative and purely theoretical because I can't afford either of the two products to do any testing against.

This all began a few years ago when bad guys really started targeting applications, specifically those applications intended to protect end points on a network. Let me refer specifically to Veritas Backup Exec and Symantec Antivirus as references for this. To get even more specific I mean this one and this one. Having dealt with compromises related to successful exploitation of both products I thought to myself "what about other tools that I think will become as pervasive in the enterprise, what about enterprise forensics tools?"

Think about it a second..

They're agent based - If it's on the network and listening, it's attackable. They're services, which means they can potentially be killed or tampered with.

They require authentication - There's potential here to falsify or steal credentials.

They give full access to memory, and disk - There's potential here to bypass operating system protective mechanisms so attackers can gain access to sensitive data.

They communicate with a server - There's potential here to pivot an attack to get to the source, gaining access to other systems.

They communicate with the examiner machine - There's potential here to evade, confuse, corrupt, or otherwise negatively impact the examiner.

One communicates with an oracle database - where ALL case data is stored (AD) - potential here to destroy all investigations.

There's more potential spots to look but wow, those few open up wondrous places to begin exploring. Granted both vendors use encryption and AAA to supposedly protect access to the agents etc, but if someone can create it, someone will break it. If it's encrypted, an attack over the tunnel wouldn't be noticed by network forensics or network monitoring tools.

Eventually like I said I think these enterprise forensics tools will become as pervasive and mainstream as software like Antivirus, and will be as targeted by the bad guys as Antivirus has become. The question on the table is how secure are these products and their components?

Thoughts, comments and questions as well as any insights are definitely welcome on this one.


Anonymous said...

Indeed. This whole issue of opening listening ports and possibly the firewall on a production server needs to be evaluated more critically. The time it takes to image a hard drive is plenty of time to hack the server. Upon investigation you might find that the server was not hacked until you got there. The traditional methods (dd + netcat, etc.) have a considerable advantage over some commercial tools in this regard.

- Rossetoecioccolato.

Cory said...

There's prior art for vulnerabilities in forensics tools:

I have no doubt that there are currently exploitable vulnerabilities in the agents and servers used by various enterprise forensics tools, but I don't have any to test. :)

hogfly said...

I was under the impression those use cases were pretty much considered garbage by Guidance and that they were bogus situations. Have you heard something to refute Guidance?