Vulnerability Note VU#912593

Guidance EnCase Enterprise uses weak authentication to identify target machines

Original Release date: 09 Nov 2007 | Last revised: 20 Nov 2007


Guidance Software's EnCase Enterprise identifies target machines by their IP address rather than by a cryptographic credential. An attacker who can answer on a target's IP address may be able to provide the EnCase SAFE server with a disk image from a different machine than the one the investigator requested.


Guidance Software's EnCase Enterprise allows investigators to remotely acquire disk images from target systems for forensic analysis. The remote target systems may be on the same LAN or located on the Internet.

EnCase Enterprise consists of three applications:

  1. EnCase SAFE is a server that is used to authenticate users, distribute licenses, provide forensic analysis tools, and communicate with target machines running the EnCase Servlet.
  2. EnCase Servlet runs locally on target machines and allows the EnCase SAFE to create an image from the target operating system.
  3. EnCase Examiner is a local application that is installed on the investigator’s computer and provides an interface to the EnCase SAFE server.

EnCase Enterprise Edition uses public key cryptography so that the servlet can verify it is communicating with an authorized SAFE server; however, the SAFE server identifies the servlet only by its IP address. Authentication is therefore one-way: any host that can answer on the target's IP address is accepted by the SAFE as that target's servlet.

Information about this vulnerability was publicly disclosed in the iSec Partners paper "Breaking Forensics Software: Weaknesses in Critical Evidence Collection."


An attacker who can redirect traffic for the target's IP address, for example by ARP spoofing on the same LAN or by other well-known network attacks, may be able to supply the EnCase SAFE with a different image than the investigator requested. Because the SAFE has no cryptographic check on the servlet's identity, the substituted image is indistinguishable from a genuine acquisition.
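The following is an added illustration, not code from Guidance Software or from the iSec Partners paper, of why IP-based identification of the servlet fails and what a keyed check changes. The SAFE, servlet, LAN and image contents are hypothetical stand-ins; the per-servlet HMAC key is an assumed mitigation (a per-servlet certificate would serve the same purpose). The "ARP spoof" is modelled simply as the attacker's host becoming the one that answers for the target's IP address.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: the investigator asked for 192.0.2.10's disk; the
# attacker sits on the same LAN. Neither byte string is a real EnCase image.
TARGET_IP = "192.0.2.10"
TARGET_IMAGE = b"genuine image of 192.0.2.10"
BOGUS_IMAGE = b"attacker-supplied image"


@dataclass
class Reply:
    src_ip: str            # address the SAFE believes the reply came from
    image: bytes           # acquired image (or one chunk of it)
    tag: Optional[bytes]   # authenticator over the image; absent in the weak design


class Servlet:
    """Hypothetical target-side agent. With a key it authenticates what it sends."""

    def __init__(self, image: bytes, key: Optional[bytes] = None):
        self.image, self.key = image, key

    def handle(self, ip: str) -> Reply:
        tag = hmac.new(self.key, self.image, hashlib.sha256).digest() if self.key else None
        return Reply(src_ip=ip, image=self.image, tag=tag)


class Lan:
    """Which host answers for which IP. ARP spoofing rebinds an IP to the attacker."""

    def __init__(self):
        self.owner = {}

    def send(self, ip: str) -> Reply:
        return self.owner[ip].handle(ip)


class Safe:
    """Hypothetical SAFE with the weak (IP) and hardened (keyed) acquisition paths."""

    def __init__(self, lan: Lan, servlet_keys=None):
        self.lan = lan
        self.servlet_keys = servlet_keys or {}

    def acquire_ip_auth(self, ip: str) -> bytes:
        """Weak design: the reply is trusted because it arrived from the expected IP."""
        r = self.lan.send(ip)
        if r.src_ip != ip:
            raise ValueError("reply from unexpected address")
        return r.image

    def acquire_keyed(self, ip: str) -> bytes:
        """Hardened design: the reply must carry a tag only that servlet's key can produce."""
        r = self.lan.send(ip)
        expected = hmac.new(self.servlet_keys[ip], r.image, hashlib.sha256).digest()
        if r.tag is None or not hmac.compare_digest(r.tag, expected):
            raise ValueError("servlet authentication failed for %s" % ip)
        return r.image


def run_scenario() -> dict:
    """Acquire before and after the attacker takes over the target's IP address."""
    key = b"per-servlet key provisioned at deployment (assumed)"
    lan = Lan()
    genuine = Servlet(TARGET_IMAGE, key)
    attacker = Servlet(BOGUS_IMAGE)          # speaks the protocol but holds no key
    lan.owner[TARGET_IP] = genuine
    safe = Safe(lan, {TARGET_IP: key})

    results = {}
    results["honest_ip_auth"] = safe.acquire_ip_auth(TARGET_IP)
    results["honest_keyed"] = safe.acquire_keyed(TARGET_IP)

    lan.owner[TARGET_IP] = attacker          # ARP spoof: attacker now answers for the target IP
    results["spoofed_ip_auth"] = safe.acquire_ip_auth(TARGET_IP)   # accepted: wrong image
    try:
        safe.acquire_keyed(TARGET_IP)
        results["spoofed_keyed"] = "accepted"
    except ValueError as exc:
        results["spoofed_keyed"] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The weak path returns the attacker's image with no error because the only check, the source address, is exactly what the attacker controls. The keyed path fails closed: the attacker can produce an image but not a tag under the genuine servlet's key, so the SAFE rejects the acquisition.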


Guidance Software EnCase customers should see the Guidance support portal for information about obtaining fixed software and workarounds.

The following workarounds may mitigate this vulnerability:

  • Using IPsec or another virtual private network technology to provide authenticated, encrypted communication with machines running the EnCase Servlet may mitigate this vulnerability by preventing attackers from injecting or manipulating data.
  • Intrusion detection systems (IDS) capable of detecting ARP spoofing may be able to alert administrators when this attack vector is being exploited.
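As an added example of the second workaround, not code from any IDS product, the following passive check watches ARP replies on the SAFE's network segment and alerts when an IP address changes its MAC address or when one MAC starts claiming several addresses, the two signatures of an ARP spoofing attack against a servlet's address. The reply records are constructed for the example; the `baseline` argument is an assumed inventory of known servlet IP-to-MAC bindings.

```python
from collections import defaultdict

# Constructed ARP reply records (timestamp, sender IP, sender MAC) as a passive
# monitor on the SAFE's segment might log them. Not real captured traffic.
ARP_REPLIES = [
    ("10:00:01", "192.0.2.10", "00:11:22:33:44:10"),  # target servlet, its real MAC
    ("10:00:02", "192.0.2.20", "00:11:22:33:44:20"),
    ("10:00:03", "192.0.2.66", "de:ad:be:ef:00:66"),  # attacker's own host
    ("10:05:00", "192.0.2.10", "de:ad:be:ef:00:66"),  # spoof: target IP claimed by attacker MAC
    ("10:05:01", "192.0.2.10", "de:ad:be:ef:00:66"),  # repeated gratuitous reply, same binding
    ("10:06:00", "192.0.2.20", "00:11:22:33:44:20"),
]


def detect_arp_spoofing(replies, baseline=None):
    """Return (timestamp, kind, detail) alerts for suspicious ARP bindings.

    kind is "ip_rebound" when an IP moves to a different MAC, and "mac_multi_ip"
    when a single MAC becomes the claimed owner of more than one IP address.
    """
    ip_to_mac = dict(baseline or {})        # assumed inventory of known servlet bindings
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "ip_rebound", "%s moved from %s to %s" % (ip, prev, mac)))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        # Only alert when this reply actually grew the MAC's set of claimed IPs;
        # a repeat of an already-known binding (prev == mac) is not new evidence.
        if prev != mac and len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "mac_multi_ip",
                           "%s now claims %s" % (mac, sorted(mac_to_ips[mac]))))
    return alerts


def alerts_for_ip(replies, ip, baseline=None):
    """Convenience filter: alerts that name a particular servlet's address."""
    return [a for a in detect_arp_spoofing(replies, baseline) if ip in a[2]]


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES):
        print(*alert)
```

Both alerts fire on the 10:05:00 reply, where the attacker's MAC first claims the servlet's address; the repeated reply a second later adds no new alert. In practice the baseline should be the static inventory of servlet hosts, since DHCP reassignments on other addresses will otherwise produce legitimate `ip_rebound` events.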

Systems Affected (Learn More)

Vendor                    Status     Date Notified   Date Updated
Guidance Software, Inc.   Affected   -               20 Nov 2007
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



iSec Partners released information about this vulnerability.

This document was written by Ryan Giobbi and Jason McCormick.

Other Information

  • CVE IDs: CVE-2007-4202
  • Date Public: 03 Aug 2007
  • Date First Published: 09 Nov 2007
  • Date Last Updated: 20 Nov 2007
  • Severity Metric: 0.90
  • Document Revision: 33


If you have feedback, comments, or additional information about this vulnerability, please send us email.