Vulnerability Note VU#310057

Guidance EnCase fails to detect more than 25 partitions

Overview

Guidance Software's EnCase Forensic can only detect the first 25 partitions on a volume.

I. Description

Guidance Software's EnCase Forensic is a tool that allows an investigator to acquire and analyze a disk image. EnCase names partitions either c: through z:, with an additional partition named \[.

EnCase Forensic may only detect the first 25 partitions on a volume. The hidden partitions are searchable, but not can not be browsed.

Note that when previewing a drive with EnCase, mounted drives, including CD-ROM, USB keys, native hard drives, and floppy drives will count towards the 25 limit.

II. Impact

An attacker may be able to hide or obscure data.

III. Solution

Guidance Encase customers should see the Guidance support portal for information about obtaining fixed software.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Guidance Software, Inc.	Vulnerable	20-Nov-2007

References

http://www.guidancesoftware.com/products/ef_index.aspx
http://www.isecpartners.com/files/iSEC-Breaking_Forensics_Software-Paper.v1_1.BH2007.pdf
http://www.securityfocus.com/archive/1/474727
http://www.securityfocus.com/archive/1/archive/1/474727/100/0/threaded
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4201

Credit

This report was based on information released by iSec partners.

This document was written by Ryan Giobbi.

Other Information

Date Public:	2007-08-03
Date First Published:	2007-11-09
Date Last Updated:	2007-11-20
CERT Advisory:
CVE-ID(s):	CVE-2007-4201
NVD-ID(s):	CVE-2007-4201
US-CERT Technical Alerts:
Metric:	0.85
Document Revision:	19

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2007 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader