FTK 2.0 - Security
By Andreas Schuster
Copyright © 2008 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.
While I was trying to tune FTK 2.0 to my needs I came upon some settings that might affect the security of your lab. I filed a ticket with AccessData's support team and told them about my observations. They reacted promptly and announced that they would fix the issues with the upcoming release. Now, after FTK version 2.0.2 has been released to the public, it's time for me to disclose those issues.
Please don't expect an earth-shattering security advisory. I assume that any equipment used to examine evidence is not hooked up to a network, let alone the Internet, if there's no good reason to do so. Also please keep in mind that FTK 2.0 still does not officially support multi-user scenarios.
However, one of the novelties of FTK 2.0 is a role-based access model. Case administrators create cases and assign reviewers. A reviewer is therefore expected to have access only to a subset of the cases in your database. For instance, one could employ these roles to let a counsel review the documents that belong to a certain case while preventing him from sifting through any unrelated data.
FTK 2.0.0 employs the well-known dtSearch engine for full-text indexing. Index and log files are kept in a directory (c:\ftk2-data by default). This directory is accessible through a network share which is also named ftk2-data, and full access is granted to everyone at both the share and the file system level. Therefore a user could read the index belonging to a case that was not assigned to him. The index files are in a binary format; however, it is easy to extract interesting strings such as names of persons and locations, phone numbers etc. from these files.
AccessData responded that the network share is not required and will be removed with the upcoming version (that is FTK 2.0.2).
The registry of your FTK machine will contain information like the following:
[HKEY_LOCAL_MACHINE\SOFTWARE\AccessData\AccessData Forensic Toolkit 2\SDS]
"h"="192.168.10.130"
"u"="ftk2"
"s"="ftk2"
"p"="1521"
"i"="ftk2"
"d"=dword:00000001
"sp"="\\\\FTK2WORKER\\ftk2-data"
You can clearly spot the host (name or IP address) and the port (defaults to 1521) of the Oracle TNS listener. Also the credentials to access the database are stored in clear text.
The upcoming release is expected to store only those values that were overridden during install. Also, the passwords are expected to be harder to guess.
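As an added example (not part of the original post or of AccessData's software), the following Python script parses a .reg export of the SDS key in the layout shown above and reports the settings an administrator would want to review: the connection parameters, the string values stored in clear text, and a UNC path pointing at the index directory. The sample export is constructed from the fragment above; the assumption that "u" holds the database user name and "s" a credential is mine, the post only identifies "h" and "p".

```python
import re

# Constructed sample: the SDS key as it would appear in a .reg export,
# using the values from the registry fragment quoted in the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\AccessData\AccessData Forensic Toolkit 2\SDS]
"h"="192.168.10.130"
"u"="ftk2"
"s"="ftk2"
"p"="1521"
"i"="ftk2"
"d"=dword:00000001
"sp"="\\\\FTK2WORKER\\ftk2-data"
'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')


def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_values(text, key_suffix):
    """Return {name: value} for the values of the key whose path ends in key_suffix.
    String values are unescaped, dword values converted to int."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_key = line.rstrip(']').endswith(key_suffix)
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if not m:
            continue
        raw = m.group('raw')
        if raw.startswith('dword:'):
            values[m.group('name')] = int(raw[len('dword:'):], 16)
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            values[m.group('name')] = _unescape(raw[1:-1])
    return values


def audit_sds(values):
    """List the settings of the SDS key that matter for lab security."""
    findings = []
    if values.get('h') and values.get('p'):
        findings.append('Oracle listener reachable at %s:%s' % (values['h'], values['p']))
    # Assumption (not stated in the post): "u" is the DB user, "s" a credential.
    if values.get('u') and values.get('s'):
        findings.append('clear-text credential stored for database user %s' % values['u'])
    if values.get('sp', '').startswith('\\\\'):
        findings.append('index directory referenced via network share %s' % values['sp'])
    return findings
```

On a live FTK machine the key can be exported with `reg export "HKLM\SOFTWARE\AccessData\AccessData Forensic Toolkit 2" sds.reg` and the file's contents passed to parse_reg_values with the suffix '\SDS'.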
Using these credentials you can now connect to the database on your own and look around. For instance, one could query the list of users within the FTK database:
SQL> SELECT USERID, USERNAME, FLAGS FROM USERS;
USERID USERNAME FLAGS
---------- ------------------------- ----------
1020 fred 0
1021 james 0
100 «AccessData admin» 512
1000 asu 512
In this example "asu" is my case administrator, while "fred" and "james" are reviewer accounts. You could query their hashed passwords as well; full information is available for download. Please note that there's an "AccessData admin" whose existence is not documented.
According to AccessData this account is used to provide role-based access to the cases.
We have now learned some of the default credentials. From there it is not too hard to guess the default password of the SYS account, the most powerful account of the Oracle database.
Once again, this does not pose a problem if you are a single investigator and do not work in a networked environment. Otherwise, you might consider upgrading to version 2.0.2 and keeping an eye on the security of your FTK machine and the database server.
