Difference between revisions of "PTK"

From SleuthKitWiki
Jump to: navigation, search
m (File Analysis)
m (Linux is misspelled.)
 
(4 intermediate revisions by 3 users not shown)
Line 6: Line 6:
  
 
PTK needs three requisites for its standard functioning:
 
PTK needs three requisites for its standard functioning:
*Lynux System  
+
*Linux System  
 
*Apache Server with PHP5
 
*Apache Server with PHP5
 
*MySQL server  
 
*MySQL server  
Line 18: Line 18:
 
==Indexing Engine ==
 
==Indexing Engine ==
  
PTK has got an indexing engine that executes preliminary indexing operations on the evidence inserted and stores the results thus obtained in the database. Therefore the investigator can efficiently query the data on which he is working.
+
PTK has an indexing engine that executes preliminary indexing operations on the supplied evidence. Indexing results are stored in the database. Therefore, the investigator can efficiently query the data on which he is working.
  
 
The indexing tasks can be launched by the administrator of the application who chooses among the following activities:
 
The indexing tasks can be launched by the administrator of the application who chooses among the following activities:
Line 40: Line 40:
 
*Categorization (Graphics, Documents, Executables, etc..) of the documents obtained
 
*Categorization (Graphics, Documents, Executables, etc..) of the documents obtained
  
The results of the preliminary operations are memorized in a database for a better data search. The remaining operations, such as file or directory exportation can be executed by the investigator directly from the disk image.
+
The results of the preliminary operations are memorized in a database for optimized searching. The remaining operations, such as file or directory exportation can be executed by the investigator directly from the disk image.
With the new indexing engine the use of the icat command is optimized and the number of queries towards MySQL is reduced.
+
With the new indexing engine, use of the icat command is optimized and the number of queries against MySQL are reduced.
 
+
  
 
==File Analysis==
 
==File Analysis==
Line 161: Line 160:
 
==Keyword Search==
 
==Keyword Search==
  
The keywords search section offers primarily two features:  
+
The keywords search section offers two primary features:  
  
 
*Indexed Search: consists of a thorough search among keywords obtained from indexing operations.  
 
*Indexed Search: consists of a thorough search among keywords obtained from indexing operations.  
 
*Live Search: runs a direct search on the evidence.  
 
*Live Search: runs a direct search on the evidence.  
  
The keywords search section supports the use of regular expressions and offers the possibility to save the most used regexp on a file.  
+
The keywords search section supports the use of regular expressions and offers the ability to save commonly used expressions in a file.  
The results are bookmarked for subsequent analysis.  
+
Results are bookmarked for subsequent analysis.  
  
Keaywords search is supported by two tools:
+
Keyword search is supported by two tools:
  
 
*Live Search: ''dls + srch_strings + grep''
 
*Live Search: ''dls + srch_strings + grep''
 
*Information gathered from Live Search: ''ifind + istat + grep''
 
*Information gathered from Live Search: ''ifind + istat + grep''
 
  
 
==Data Unit==
 
==Data Unit==

Latest revision as of 15:12, 21 May 2013

PTK is an alternative advanced interface for the TSK suite (The Sleuth Kit). The software is a free interface developed in order to improve the features already present in ‘Autopsy Forensic Browser’. In addition to providing the functions already present in Autopsy Forensic Browser it implements numerous new essential forensic features. PTK is more than just a new graphic and highly professional interface based on Ajax technology; it offers numerous features such as analysis, search and management of complex digital investigation cases . The core component of the software is an efficient Indexing Engine performing different preliminary analysis operations during the import phase of each piece of evidence. PTK allows simultaneous management of different cases and multi-user profiling. Investigators can work on the same case at the same time. All reports and bookmarks generated by an investigator are saved in a reserved section of the Database. PTK is a Web application based on the very innovative Ajax technology and builds an appealing, highly dynamic and very easy to use interface. Its developers used the PHP language and a back-end MySQL database implementing thus the LAMP structure (Linux-Apache-MySql-PHP).


Structure

PTK needs three requisites for its standard functioning:

  • Linux System
  • Apache Server with PHP5
  • MySQL server

There are several advantages gained with this configuration. PTK should be implemented on a system having fairly good hardware resources. The suggested requisites are:

  • P4 2.33 ghz
  • 512 MB of RAM
  • 10 GB of Disk (depending on the number of cases managed)


Indexing Engine

PTK has an indexing engine that executes preliminary indexing operations on the supplied evidence. Indexing results are stored in the database. Therefore, the investigator can efficiently query the data on which he is working.

The indexing tasks can be launched by the administrator of the application who chooses among the following activities:

  • Ascii and Unicode String extraction from the allocated space:
    • Allocated strings
    • Unallocated strings
    • Slack space (NTFS and FAT)
  • Identification of known extensions.
  • File type
    • Signature file analysis
    • File extension Mismatch
    • File categorization (graphic, document, executables etc...)
  • Metadata and hash generation of the files present on the disc
  • Timeline generation (Graphic or Textual)
  • File carving (Lazarus, Foremost, Scalpel)
  • Hash (MD5 or SHA1) of all files inside the image
  • Categorization (Graphics, Documents, Executables, etc..) of the documents obtained

The results of the preliminary operations are memorized in a database for optimized searching. The remaining operations, such as file or directory exportation can be executed by the investigator directly from the disk image. With the new indexing engine, use of the icat command is optimized and the number of queries against MySQL are reduced.

File Analysis

The File Analysis section enables to browse the entire disk tree and explore the content of each directory. It is possible to visualize files in the following formats:

  • Ascii
  • Ascii String
  • Hexdump
  • Image preview (for graphic files only)

Investigators have full access to the data contained in every file present on the disk, both allocated and unallocated.

All operations are fast and intuitive thanks to the tree visualization and to a tab system. All results obtained during file analysis is bookmarked for subsequent analysis.

The keywords search is divided into two sections:

  • Indexed search
  • Live search

The first is based on a thorough keywords indexing, and the latter is a powerful search tool of the single files.

PTK has got a panel from which the investigator generates a disk Timeline. It is also possible to choose the time intervals in order to generate the timeline. Moreover it is possible to analyze the content of every single file directly form the timeline.

The entire analysis section was supported by a complex bookmark system created during system analysis; the investigator can manage his own bookmark and share them with the other investigators.

PTK is supported by a series of tools used during analysis:

  • Disk browsing: fls
  • File ascii: icat
  • File Ascii strings: icat + srch_strings
  • File Exdump: icat + hexdump
  • Filetype check: icat + file
  • Image Preview: icat


FILE ANALYSIS: FILTERING

PTK offers a content filtering during file analysis enabling the investigator to focus his attention only on certain files present in the folders.

The filtering analysis enables:

  • To apply a simple textual filter on the directory content.
  • To apply an advanced filter based on filetype or date intervals MACAB time.


DISK IMAGE INTEGRITY

PTK secures the integrity of the images on which the investigators are working. While adding a new image, the investigator can choose between two hash algorithms:

  • MD5
  • SHA 1.

PTK saves the calculated values inside the database thus enabling subsequent comparisons. The investigator can always open the integrity control panel. From here it is possible to see the hash values of the original disk image and the date of the last control. The investigator can launch an integrity control any time: PTK recalculates the hash value and compares it with the one previously calculated and memorized in the database. If something isn’t right the user is immediately warned.

The MD5 and SHA1 calculation are two separate processes: this enables the investigator to choose which algorithm to use in order to secure image integrity avoiding to waste time and resources.


FILE ANALYSIS: AJAX PAGINATION

During File Analysis activities it is possible to come across very large files and their uploading can slow down or even determine the browser to crash.

In order to avoid this problem PTK was provided, through Ajax, with a contents pagination mechanism.

This system enables to:

  • Browse through the pages that contain the extractions output.
  • Move to a determined page
  • Setup the weight (in units) of the page to be analyzed.
  • Enable and disable the pagination.

In this case all results are bookmarked for subsequent analysis.


ALTERNATE DATA STREAM

The ADS (alternate data stream) are parallel data streams that can be assigned to any file inside the NTFS partitions. These alternate streams are useful in order to insert comments or code strings impossible to visualize durin standard analysis. Both during Live Search and File Analysis PTK recognizes and visualizes ADS on any file


FILE MISMATCH

During File Analysis it is possible to meet files to which the extension was changed (file mismatch). Durante la fase di File Anaysis è possibile incontrare dei file ai quali è stata cambiata l'estensione (file mismatch). PTK recognizes the type of file automatically and outputs the correct visualization.

Timeline

The disk timeline helps investigators to focus their attention on all changes done during a determined time interval. It visualizes the temporal succession of all activities that took place on the file, both allocated and unallocated: these activities are tracked through metadata analysis known as MACB time (Modification, Access, Creation, Birth).

There are two timeline types:

  • TAB : fields that can be ordered, file analysis and export features
  • GRAPHIC: the trend on file of all actions on the file

The latter is a powerful tool that enables the visualization of access peaks, modifications and creations.

The timeline uses primarily two tools:

  • Live Search: dls + srch_strings + grep
  • Data gathered from live search: ifind + istat + grep


Gallery

Gallery is the feature that enables the investigator to visualize and manage graphic evidence.

In the gallery the thumbnails of the files recognized as images are visualized (signature file).

All images obtained during analysis can be added to bookmarks or exported or analyzed through its raw content.

All graphic contents are extracted: icat.


Keyword Search

The keywords search section offers two primary features:

  • Indexed Search: consists of a thorough search among keywords obtained from indexing operations.
  • Live Search: runs a direct search on the evidence.

The keywords search section supports the use of regular expressions and offers the ability to save commonly used expressions in a file. Results are bookmarked for subsequent analysis.

Keyword search is supported by two tools:

  • Live Search: dls + srch_strings + grep
  • Information gathered from Live Search: ifind + istat + grep

Data Unit

Data unit is a PTK feature that enables the investigator to analyze a disk at a low level enabling the visualization of an image allocation list and the analisys of the content of a sector or of sectors interval.

The generation of an allocation list is done through: dls.


Ram Dump Analysis

Memory dump analysis is done through the Volatility framework (https://www.volatilesystems.com).

At the moment, the last version supported by the framework is the 1.3 and the dump memories coming from the Windows XP SP2 and SP3 systems are supported. It is possible to perform a string search both in ASCII and UNICODE format. Just like all other evidence the results can be added to the PTK bookmarks.

The RAM Dump Analysis section consists of:

  • Date and time
  • Running process
  • Open network sokets
  • Open network connections
  • DLLs loaded for each process
  • Open file for each process
  • Open registry handles for each process
  • A process'addressable memory
  • OS kernel modules
  • Mapping physical offsets to virtual addresses (string to process)
  • Virtual Address Descriptor information
  • Scanning examples: processes, threads, sokets,connections, modules
  • Extract executables from memory samples
  • Trasparently supports a variety of sample formats (ie, Crash dump, Hibernation, DD)
  • Automated conversion between formats


RAM DUMP ANALYSIS – KEYWORDS SEARCH

PTK enables to perform a string search on RAM dump memory also. It is possible to launch keyword search in the following formats:

  • ASCII
  • UNICODE

In this secion it is also possible to perform regular expressions searches. All results can be inserted in the investigator’s personal bookmarks. Live search on the content of the RAM through: srch_strings + grep


Bookmark

The bookmark section enables investigators to create bookmarks for evidence obtained during analysis, specifically it is possible to create bookmark (link) for:

  • Single file
  • Part of File
  • Search result
  • Timeline event

The bookmarks can be generated by all PTK sections. One or more tags that simplify and order results can be associated with each bookmark.


BOOKMARK - PROFILING

Each investigator can create his own bookmark list for every case assigned to him. It is moreover possible to visualize only the bookmaks of a single investigator. The PTK admin can visualize the full list of bookmarks created by the other investigators.


Report

Thanks to PTK investigators can generate PDF reports of the evidence obtained during analysis activities enclosing the thumbnail of the graphic evidence. Reports contain case and image information and they are fully visualized through the interface.


Multi Investigator System - Case Lock

PTK ensures case management at various levels through politics previously decided upon. Only the Master Investigator has access to all cases and investigators have access solely to the cases assigned to them.

Moreover, at any time the Master Investigator can decide to use the LOCK function for a case thus prohibiting case access to any other investigator.


MULTI USERS – USERS CREATION

Every investigator has got a separate section on the Database on which he stores and manages personal bookmarks. It is possible that an infinite number of investigators be created.


Logging

For every operation performed PTK generates a log entry which can be subsequently exported. Inside every log it is possible regenerate the users' activity. The logs are rotated daily


Dashboard

Starting with the 1.0 version, the info-zone of the application includes a practical dashboard that enables to monitor the system status insluding the visualizatin of:

  • Free memory
  • Medium use of the CPU
  • Free disk
  • Used disk percentage


RoadMap

  • Q1 2009
    • Automated Data Carving process
  • Q2 2009
    • HASH Set Comparison (Ability to include NSRL hash set )
    • PST mail archive parsing
  • Q3 2009
    • Microsoft Windows Registry parsing


Installation How-to

References

PTK Official Site