Sunday, January 27, 2008

FTK 2.0

Last week I re-licensed my copy of AccessData's FTK and I'll be installing FTK 2.0 when it's released. With the new product being tied in to Oracle 10G, one must wonder..will the forensic processing box now be vulnerable to both Oracle and FTK introduced vulnerabilities? I must assume that the answer is of course yes. What does that mean for investigations? Must we now prove that the processing machine hasn't been compromised at the database level as well as the OS? Is there a way to prove the database integrity within the product?

If the 10G implementation is a full installation, this also creates a lot of powerful capabilities for case comparisons. Can we do some fuzzy matching from case to case to see how similar they are in attack methodology, and post intrusion activity? This could be pretty exciting as far as case comparisons go. Could one begin to profile attacks and groups responsible in this manner? I guess we'll see.

It may be even easier to do data presentation with a database backend now as well.

Let's not forget the other cool capabilities in the more expensive versions of distributed processing of cases.


Mark McKinnon said...

You pose a very good questions. One one hand I thought it was great to see a real database backend being used for something like this. On the other hand it has now made things alot more compilicated

Working with Oracle for many years I know that it is a very powerful database with, IMHO the richest features for both administration and the end user. The problem with implementing such a rich feature set is that it comes with a cost of being a fat bloated pig that can consume many resources.

Now the DBA in me has many questions as to how they will accomplish certain things. Some of the questions I have maybe someone can answer (and maybe someone will not want answered since it can open a whole can of worms)

Where does backup and recovery fall into the picture, since you are using this big database you more then likely will not use it just for one case but multiple cases. Thinking about the space requirements the system, rollback segments and temp space will probably chew up a gig of space just by itself. This is not counting any log files created, dump files, etc..

Will they open up the database to allow users to create objects (tables, indexes, packages, triggers, views, etc..)?

Will they provide a ER diagram so you can see where everything is stored?

Who controls how Oracle patches will be applied. Who actually supports the database? what will you do if there is corruption (Not just physical but the query that you submit returns the wrong result set, which has happened to me before) do you call FTK support and if so how is information going to be passed to oracle? Having worked with oracle support many times and in many countries it can be some what confusing if you are not quite sure what they are talking about especially if they want you to do a trace.

The questions can go on and on.

Since I do not own a copy of FTK I will have to wait until I hear from others on this. It would be fun to play around with the database and she what you can make it do though


Mike said...

You all need to realize that FTK2 will never come to life. I can see the future and my crystall ball tells me that there will be several lawsuits against them for taking money and NOT releasing product!

get wit the program and look at what we are doing at guidance

the most ideal situation is to use a hybrid model of services and software. Guidance Software can do this with ease and i reference some of out current projects at the Internal Revenue Service (spending 4million plus on investigative technologies to address similar issues), Liberty Mutual (1 million plus on ediscovery software and services), IBM (yes IBM is going to buy our produts for the same issue) and Citi. All of these companies/Government organizations are purchasing our products to address these needs this quarter.

hogfly said...

Very amusing. I find it especially amusing that you mention lawsuits.

I tell you I'm just this guy and I provide free information..if you're legit and from guidance..send me an email and a FREE copy of your product - you can even make it a research only license and when ftk2 comes out I'll do an FTK vs Encase comparison.

Anonymous said...

I hope Guidance spent some of that $5 million+ on developing ways to release a stable product that doesn't need 9 count them 9 separate versions in the 8 count them 8 months since its first release.

If not, they should really consider dumping that money into a defense fund marked "Mike the fired consultant ass clown litigation" for having an ass clown consultant reveal their client data and breaking a non-advertisement clause.

Bob said...

Yeah. That should be interesting.

hogfly said...

Do I detect buyer's remorse anonymous?

Abel Cheung said...

I had a chance to try out its beta version back at around Dec last year. The first impression to me is that the UI has significantly changed, with use of tabs, no more full of buttons filling the whole interface. More visually pleasing.

But a known problem is that the database can crash from time to time. I hope this won't happen in released version, otherwise FTK as forensic product will has its reputation severely damaged.