COMMSEC: Pwnrensics: How to Execute Code on a Forensic Workstation


EnCase Forensic Imager is a tool used by forensic investigators to gather evidence from storage media. We used a custom tool to fuzz the file system parser code of this product and found a buffer overflow vulnerability in the LVM2 parser.

We demonstrate the approach we used to fuzz EnCase Forensic Imager, describe the technical details of the vulnerability, and show how this vulnerability can be exploited to execute arbitrary code on the investigator’s machine. We wrap up our talk by discussing the impact of this vulnerability on forensic evidence.

Location: BALLROOM 3
Date: August 24, 2017
Time: 2:00 pm - 3:00 pm
Florian Lukavsky, Wolfgang Ettlinger