CERT/CC Vulnerability Note VU#310057

Overview

Guidance Software's EnCase Forensic can only detect the first 25 partitions on a volume.

Description

Guidance Software's EnCase Forensic is a tool that allows an investigator to acquire and analyze a disk image. EnCase names partitions either c: through z:, with an additional partition named \[.

EnCase Forensic may only detect the first 25 partitions on a volume. The hidden partitions are searchable, but not can not be browsed.

Note that when previewing a drive with EnCase, mounted drives, including CD-ROM, USB keys, native hard drives, and floppy drives will count towards the 25 limit.

Impact

An attacker may be able to hide or obscure data.

Solution

Guidance Encase customers should see the Guidance support portal for information about obtaining fixed software.

Vendor Information

310057

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Guidance Software, Inc. Affected

Notified: September 18, 2007 Updated: November 20, 2007

Status

Affected

Vendor Statement

The issue described in this report involves the inability of EnCase to logically view more than 25 partitions simultaneously. This issue is not relevant to devices being used only in an MS Windows environment, as it can only be present in devices used with certain non-Windows operating systems, such as Linux. This issue is a current limitation of the EnCase software that will be addressed in a future maintenance release.

Examiners should note that this issue affects viewing an evidence file or image in a slightly different manner than viewing a remote computer using EnCase Enterprise.

Evidence file – In this instance EnCase will provide logical access to up to

25 partitions within a single evidence file. If multiple evidence files are
examined simultaneously, the limit is 25 partitions per device, not 25
partitions total.

Remote device – In the instance where a computer is being previewed

using EnCase Enterprise, EnCase will provide access as follows:

Logical Access: If devices on a remote system are accessed as logical volumes, EnCase will provide access to up to 25 total partitions. This includes all logical partitions from all devices that the target computer currently has access to.
Physical Access: If a device is previewed at the physical level, EnCase will provide access to up to 25 partitions per device. If a system has reached or is approaching the 25 partition limit, this is the recommended solution, as it allows 25 partitions per device instead of 25 for the entire system.

It should be noted that analysis functions, such as keyword searching, is not affected by this issue. Searching will still locate pertinent data, although the logical location of the data will not be identified if it is located in a partition that is not visible to EnCase.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See https://support.guidancesoftware.com/node/487 for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group	Score	Vector
Base	0	AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal	0	E:ND/RL:ND/RC:ND
Environmental	0	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This report was based on information released by iSec partners.

This document was written by Ryan Giobbi.

Other Information

CVE IDs:	CVE-2007-4201
Severity Metric:	0.85
Date Public:	2007-08-03
Date First Published:	2007-11-09
Date Last Updated:	2007-11-20 18:36 UTC
Document Revision:	20

Software Engineering Institute

CERT Coordination Center

Guidance EnCase fails to detect more than 25 partitions

Vulnerability Note VU#310057

Overview

Description

Impact

Solution

Vendor Information

Guidance Software, Inc. Affected

Status

Vendor Statement

Vendor Information

Addendum

CVSS Metrics

References

Acknowledgements

Other Information

Contact CERT/CC