FAQ subsection:
New Articles
- 2010-07-21 - Robust Process Scanner in PTK Forensics: done!
- 2010-06-01 - Meet the PTK team at The Sleuth Kit and Open Source Digital Forensics Conference
- 2010-05-14 - SANS Investigative Forensic Toolkit and PTK Forensics: made simple!
- 2010-04-26 - DFLabs PTK Forensics new version is available through SANS Institute's SIFT Virtual Machine
- 2010-04-24 - New PTK and IncMan suite video available for your demo purposes.
- 2010-02-20 - New DFLabs YouTube Channel.
- 2010-02-04 - PTK Forensics: New Webinar session.
- 2010-02-01 - PTK Forensics, the new website is online.
- 2009-11-14 17:31:11 - New PTK roadmap
- 2009-09-30 14:10:01 - DFLabs is proud to announce that the data carving is available
Frequently asked questions
How can you help this project?
- Test test test, and give structured feedback
- Develop specific parts of the software
- Code review
The DFLabs team will give final approval and include the code in the updates.
The software will be free.
What about Security?
Recently, the PTK team has received a few security bug reports. Our team is obviously aware of the importance of software security and is also working to analyze the impact of those reports. For the purposes of the project we prefer to concentrate our efforts on feature creation (which matters most to forensic practitioners) and then, with the combined effort of our team and the community, on security management. This does not mean that we are not taking care of security; it means that many potential security issues (which would impact the conventional IT world) have a limited impact on PTK, for the reasons explained below.

First of all, there is a general consideration to be made about a forensic environment like PTK versus security exposure. Similar security advisories (usually classed as antiforensics) have been released in the past against Autopsy; we have an extensive record of them. However, many of these security considerations start from the premise that the forensic lab must have both physical and computer security systems, so unauthorized people would not have access to the lab or to the computers performing the analysis. Furthermore, the computer running PTK must be disconnected from the internet (thus denying the possibility of a remote attack) and its use must be strictly limited to the lab administrator.

Some vulnerability reports we examined (also related to Autopsy) concern the command execution type and can be solved by cleaning the input parameters received by the features in charge of evidence browsing (the TSK tools). This was already in the roadmap and, thanks also to some input we received, is going to be fixed. However:
- If an attack is carried out, the commands run as the user under which the Apache web server is running (which sets a further limit on the effect of the commands executed).
- To exploit most of the vulnerability, it is necessary to use external tools (which are usually not part of a sanitized forensic workstation) or, in an antiforensic scenario, a specially crafted image.
Moreover, some security advisories we received state that evidence can actually be overwritten; but, according to forensic best practice:
- That does not happen if the evidence permissions (even when using a symlink) are read-only, as in every computer forensic environment.
- The forensic exam is repeatable anyway, because the imported/symlinked evidence file should be a working copy (not the original), so we do not agree with the notion of a "fatal compromission".
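As an added illustration of the two points above, the input cleaning for the evidence-browsing features and the read-only working copy (this is not PTK's own code; it is written in Python with a constructed filesystem-type allowlist and constructed parameter names): the browser-supplied offset, filesystem type, image path and metadata address are validated before being placed in an argv list for TSK's `fls`, so no shell ever interprets them, and the evidence file is refused unless it is read-only.

```python
import re
import tempfile
from pathlib import Path

# Constructed allowlist for illustration; PTK's real filesystem-type list is not on the page.
ALLOWED_FSTYPES = {"ntfs", "fat", "ext", "hfs", "iso9660"}
# TSK metadata addresses: a plain inode number, or the NTFS "inode-type-id" form.
_META_ADDR = re.compile(r"^[0-9]{1,12}(-[0-9]{1,6}){0,2}$")
_OFFSET = re.compile(r"^[0-9]{1,12}$")

def build_fls_argv(evidence_dir, image, offset, fstype, meta_addr):
    """Validate browser-supplied parameters and return an argv list for `fls`.

    The list is meant for subprocess.run(..., shell=False): no shell parses the
    values, so metacharacters in a parameter can never become extra commands.
    """
    if fstype not in ALLOWED_FSTYPES:
        raise ValueError("unsupported filesystem type")
    if not _OFFSET.match(offset) or not _META_ADDR.match(meta_addr):
        raise ValueError("offset and metadata address must be numeric")
    base = Path(evidence_dir).resolve()
    target = (base / image).resolve()
    if base not in target.parents or not target.is_file():
        raise ValueError("image must be an existing file inside the evidence directory")
    # Forensic best practice: the working copy is read-only, so a tool bug cannot alter it.
    if target.stat().st_mode & 0o222:
        raise ValueError("evidence file is writable; refusing to proceed")
    return ["fls", "-o", offset, "-f", fstype, str(target), meta_addr]

def is_rejected(*args):
    """True when build_fls_argv refuses the parameters (used to exercise the checks)."""
    try:
        build_fls_argv(*args)
    except ValueError:
        return True
    return False

def constructed_evidence():
    """Create a constructed, read-only placeholder image in a temp dir for the demo."""
    workdir = tempfile.mkdtemp(prefix="ptk_demo_")
    img = Path(workdir) / "case01.dd"
    img.write_bytes(b"\x00" * 512)
    img.chmod(0o444)
    return workdir, img.name

if __name__ == "__main__":
    evidence_dir, name = constructed_evidence()
    print(build_fls_argv(evidence_dir, name, "63", "ntfs", "128-128-1"))
    print(is_rejected(evidence_dir, name, "63", "ntfs", "5; cat /etc/passwd"))
```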
Therefore, if we look at security advisories against forensic tools from a "common" security standpoint, some exploits could potentially be applicable; however, most of the vulnerabilities that can be exploited, and their consequences, are dictated and limited by the forensic environment.
Thus, before accepting the "high" flag for a forensic tool vulnerability, we would suggest analyzing the real impact first. Many "security advisories" released in this period (related to forensic tools) are written by people who are good pentesters but have no (or very limited) forensic experience.
Anyway, we thank everybody for any input we receive, and we definitely encourage PTK users to submit any ideas related to the tool.
More security information here
DFLabs PTK Forensic vendor statement
Regarding the supposed vulnerability.
The supposed vulnerabilities underlined in the advisory have a very low impact in a real computer forensic environment, as explained in the FAQ file. Furthermore, they are actually not related to "unauthenticated users" per se; it is more correct to use the term "a malicious user already connected to the system", since PTK has performed an extensive user authentication check since its beta version. Finally, all those supposed issues are already fixed in PTK Forensic version 1.0.5, which was released on January 23, 2009.
Basically speaking, the fact that this latest "vulnerability" has been poorly written and researched by its originator is also confirmed by the very low criticality rating given by vulnerability advisory services such as Secunia, which rated the whole matter "not critical".