New Open Source Forensics GUI
sth posted in tools on June 7th, 2008
The guys over at Professional Security Testers recently posted about a new open source forensics tool named PTK. It’s an updated front end for The Sleuth Kit (TSK), which could possibly replace the current interface, Autopsy, which has been getting pretty stale. Autopsy is pretty good, but I’ve found that if you know what you’re looking for, the TSK CLI and a couple of scripts to automate case creation are often faster. PTK claims many improvements over Autopsy:
* Indexing Engine
  - String Extraction
    o Allocated, Unallocated, Slack Space
    o Live Search
  - File Categorization
    o File signature analysis
    o File extension mismatch
  - Auto Data Carving
    o Customizable file signature
  - Hash Set Manager
* Advanced Timeline
* Gallery View
* Advanced Keyword Search
* Bookmarking Section
* Multi Investigator System
* Incident Response Mode
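The "file signature analysis" and "file extension mismatch" items above describe a classic triage check: compare a file's leading magic bytes with the type its extension claims. As an added illustration (not PTK's or TSK's code), the script below runs that check over a constructed sample directory; the signature table is a small hand-picked subset and the sample files are made up for the demo.

```python
"""Flag files whose extension disagrees with their magic-byte signature."""
import tempfile
from pathlib import Path
from typing import List, Set, Tuple

# Leading-byte signatures for a few common types (illustrative subset, extend as needed).
SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04", b"PK\x05\x06"],
    "docx": [b"PK\x03\x04"],  # OOXML documents are ZIP containers
    "exe": [b"MZ"],           # DOS/PE executables
}

def identify(header: bytes) -> Set[str]:
    """Return every extension whose signature matches the start of the header."""
    return {ext for ext, magics in SIGNATURES.items()
            if any(header.startswith(m) for m in magics)}

def check_file(path: Path) -> Tuple[str, str, str]:
    """Classify one file as ('match' | 'mismatch' | 'unknown', claimed_ext, detected_ext)."""
    with path.open("rb") as fh:
        header = fh.read(16)
    claimed = path.suffix.lower().lstrip(".")
    detected = identify(header)
    if not detected:
        return ("unknown", claimed, "")      # no signature in our table
    if claimed in detected:
        return ("match", claimed, claimed)   # extension agrees with content
    return ("mismatch", claimed, sorted(detected)[0])

def scan(root: Path) -> List[Tuple[str, str, str, str]]:
    """Walk a directory tree and return (name, status, claimed, detected) per file."""
    return [(p.name, *check_file(p)) for p in sorted(root.rglob("*")) if p.is_file()]

def demo() -> List[Tuple[str, str, str, str]]:
    """Build a constructed sample tree (fake data, not a real case) and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (root / "notes.txt").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # executable posing as text
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n%constructed\n")
    (root / "archive.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 26)
    (root / "readme.md").write_bytes(b"# hello\n")                   # not in the table
    return scan(root)

if __name__ == "__main__":
    for name, status, claimed, detected in demo():
        print(f"{status:9} {name:12} claimed={claimed or '-'} detected={detected or '-'}")
```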
Looks pretty interesting. It doesn’t mention OSX support, but since TSK is supported on OSX, I’m hoping it will run there as well since it’s just a web interface. We used Autopsy and TSK a bit this weekend during CTF pre-quals, and an update is greatly appreciated.
PS — Recon, an entire convention focused on reverse engineering, is next weekend. If you can get to Montreal, you should check it out. It looks like there are a few interesting talks going on.
June 8th, 2008 at 5:13 am
Speaking of REcon… if anyone *does* go, be sure to check out “Reverse Engineering Dynamic Languages, a Focus on Python”. My friend Ali is one of the two speakers, and therefore it should be a kick-ass presentation.