Friday, December 12, 2008

PTK 1.0.2 on Ubuntu

PTK 1.0.2 is the latest GUI-based forensic tool by DFLabs. It is 'an alternative Sleuthkit Interface' that works with the Mozilla Firefox, Safari, Opera and Chrome browsers.
I have played with the version released prior to PTK 1.0 in October this year and found the project to be very promising but completely unusable and buggy. Today I have installed and tested the latest version of PTK and must admit that the DFLabs guys put a lot of work into making this application more stable and more useful.
The installation is very simple; I just followed the instructions and was up and running in about 15 min. This version of PTK only works with Sleuthkit 3.0.0, which is not in the default Ubuntu repository yet, so I had to manually download and install it.

I liked its tabbed interface as well as the Timeline, Gallery and Keyword Search features. The report creation option worked quite well.

Creating filters to search for specific file types within a specified timeframe is a nice feature. The speed and responsiveness of the application are not great, but acceptable from the usability point of view.

It is still not a bug-free application, if there is such a thing.

I came across a Secunia advisory on a PTK version 1.0 vulnerability stating that PTK is vulnerable to 'an input validation error' when handling forensic images. It is somewhat unusual to read a vulnerability report about forensic tools, simply because of the different environment these tools are designed to operate in. I then found on the DFLabs web site a very good response in relation to this particular vulnerability report and I have nothing further to add to this.

Conclusion:
  1. This is a free forensic tool with great potential!
  2. I will keep an eye on this tool, but will not be using it for forensic examinations yet.

1 comment:

eco said...

Unfortunately this page displayed very differently (ugly) in Firefox, but looks OK in Opera and MS Explorer browsers.