Difference between revisions of "PTK"

From SleuthKitWiki
Jump to: navigation, search
Line 1: Line 1:
 
PTK is an alternative advanced interface for the TSK suite (The Sleuth Kit). The software is a free interface developed in order to improve the features already present in ‘Autopsy Forensic Browser’ (the former TSK interface). In addition to providing the functions already present in Autopsy Forensic Browser it implements numerous new essential forensic features. PTK is more than just a new graphic and highly professional interface based on Ajax technology; it offers numerous features such as analysis, search and management of complex digital investigation cases .  
 
PTK is an alternative advanced interface for the TSK suite (The Sleuth Kit). The software is a free interface developed in order to improve the features already present in ‘Autopsy Forensic Browser’ (the former TSK interface). In addition to providing the functions already present in Autopsy Forensic Browser it implements numerous new essential forensic features. PTK is more than just a new graphic and highly professional interface based on Ajax technology; it offers numerous features such as analysis, search and management of complex digital investigation cases .  
 
The core component of the software is an efficient Indexing Engine performing different preliminary analysis operations during the import phase of each piece of evidence. PTK allows simultaneous management of different cases and multi-user profiling. Investigators can work on the same case at the same time. All reports and bookmarks generated by an investigator are saved in a reserved section of the Database. PTK is a Web application based on the very innovative Ajax technology and builds an appealing, highly dynamic and very easy to use interface. Its developers used the PHP language and a back-end MySQL database implementing thus the LAMP structure (Linux-Apache-MySql-PHP).
 
The core component of the software is an efficient Indexing Engine performing different preliminary analysis operations during the import phase of each piece of evidence. PTK allows simultaneous management of different cases and multi-user profiling. Investigators can work on the same case at the same time. All reports and bookmarks generated by an investigator are saved in a reserved section of the Database. PTK is a Web application based on the very innovative Ajax technology and builds an appealing, highly dynamic and very easy to use interface. Its developers used the PHP language and a back-end MySQL database implementing thus the LAMP structure (Linux-Apache-MySql-PHP).
 +
  
 
==PTK Structure==
 
==PTK Structure==
Line 13: Line 14:
 
*512 MB of RAM
 
*512 MB of RAM
 
*10 GB of Disk (depending on the number of cases managed)
 
*10 GB of Disk (depending on the number of cases managed)
 +
  
 
==PTK Indexing Engine ==
 
==PTK Indexing Engine ==
 +
 
PTK has got an indexing engine that executes preliminary indexing operations on the evidence inserted and stores the results thus obtained in the database. Therefore the investigator can efficiently query the data on which he is working.
 
PTK has got an indexing engine that executes preliminary indexing operations on the evidence inserted and stores the results thus obtained in the database. Therefore the investigator can efficiently query the data on which he is working.
  
 
The indexing tasks can be launched by the administrator of the application who chooses among the following activities:
 
The indexing tasks can be launched by the administrator of the application who chooses among the following activities:
 
 
 
  
 
*Ascii and Unicode String extraction from the allocated space:
 
*Ascii and Unicode String extraction from the allocated space:
Line 46: Line 46:
 
The results of the preliminary operations are memorized in a database for a better data search. The remaining operations, such as file or directory exportation can be executed by the investigator directly from the disk image.
 
The results of the preliminary operations are memorized in a database for a better data search. The remaining operations, such as file or directory exportation can be executed by the investigator directly from the disk image.
 
With the new indexing engine the use of the icat command is optimized and the number of queries towards MySQL is reduced.
 
With the new indexing engine the use of the icat command is optimized and the number of queries towards MySQL is reduced.
 +
  
 
==PTK File Analysis==
 
==PTK File Analysis==
 +
 
The File Analysis section enables to browse the entire disk tree and explore the content of each directory. It is possible to visualize files in the following formats:
 
The File Analysis section enables to browse the entire disk tree and explore the content of each directory. It is possible to visualize files in the following formats:
  
Line 78: Line 80:
 
*Filetype check: icat + file
 
*Filetype check: icat + file
 
*Image Preview: icat
 
*Image Preview: icat
 +
 +
FILE ANAYSIS: FILTERING
 +
 +
PTK offers a content filtering during file analysis enablig the investiator to focus his attention only on certain files present in the folders.
 +
 +
The filtering analysis enables:
 +
 +
*To apply a simple textual filter on the directory content.
 +
*To apply an advanced filter based on filetype or date intervals MACAB time.
 +
 +
DISK IMAGE INTEGRITY
 +
 +
PTK secures the integrity of the images on which the investigtors are working.
 +
While adding a new image, the investigator can choose between two hash algorithms:
 +
 +
*MD5
 +
*SHA 1.
 +
 +
PTK saves the calculated values inside the database thus enabling subsequent comparisons.
 +
The investigator can always open the integrity control panel. From here it is possible to see the hash values of the original disk image and the date of the last control.
 +
The investigator can launch an integrity control any time: PTK recalculates the hash value and compares it with the one previously calculated and memorized in the database. If something isn’t right the user is immediately warned.
 +
 +
The MD5 and SHA1 calculation are two seperate processes: this enables the investigator to choose which algorithm to use in order to secure image integrity avoiding to waste time and resources.
 +
 +
FILE ANALYIS: AJAX PAGINATION
 +
 +
During File Analysis activities it is possible to come accross very large files and their uploading can slow down or even determine the browser to crash.
 +
 +
In order to avoid this problem PTK was provided, through Ajax, with a contents pagination mechanism.
 +
 +
This system enables to:
 +
 +
*Browse through the pages that contain the extractions output.
 +
*Move to a determined page
 +
*Setup the weight (in units) of the page to be analyzed.
 +
*Enable and disable the pagination.
 +
 +
In this case all results are bookmarked for subsequent analysis.
 +
 +
ALTERNATE DATA STREAM
 +
 +
The ADS (alternate data stream) are parallel data streams that can be assigned to any file inside the NTFS partitions.
 +
These alternate streams are useful in order to insert comments or code strings impossible to visualize durin standard analysis.
 +
Both during Live Search and File Analysis PTK recognizes and visualizes ADS on any file
 +
 +
FILE MISMATCH
 +
 +
During File Analysis it is possible to meet files to which the extension was changed (file mismatch). Durante la fase di File Anaysis è possibile incontrare dei file ai quali è stata cambiata l'estensione (file mismatch).
 +
PTK recognizes the type of file automatically and outputs the correct visualization.
 +
 +
 +
==PTK Timeline==
 +
 +
The disk timeline helps investigators to focus their attention on all changes done during a determined time interval. It visualizes the temporal succession of all activities that took place on the file, both allocated and unallocated: these activities are tracked through metadata analysis known as MACB time (Modification, Access, Creation, Birth).
 +
 +
There are two timeline types:
 +
 +
*TAB : fields that can be ordered, file analysis and export features
 +
*GRAPHIC: the trend on file of all actions on the file
 +
 +
The latter is a powerful tool that enables the visualization of access peaks, modifications and creations.
 +
 +
The timeline uses primarily two tools:
 +
 +
*Live Search: dls + srch_strings + grep
 +
*Data gathered from live search: ifind + istat + grep
 +
 +
 +
==PTK Gallery==
 +
 +
Gallery is the feature that enables the investigator to visualize and manage graphic evidence.
 +
 +
In the gallery the thumbnails of the files recognized as images are visualized (signature file).
 +
 +
All images obtained during analysis can be added to bookmarks or exported or analyzed through its raw content.
 +
 +
All graphic contents are extracted: icat.
 +
 +
 +
==PTK Keyword Search==
 +
 +
The keywords search section offers primarily two features:
 +
 +
*Indexed Search: consists of a thorough search among keywords obtained from indexing operations.
 +
*Live Search: runs a direct search on the evidence.
 +
 +
The keywords search section supports the use of regular expressions and offers the possibility to save the most used regexp on a file.
 +
The results are bookmarked for subsequent analysis.
 +
 +
Keaywords search is supported by two tools:
 +
 +
*Live Search: dls + srch_strings + grep
 +
*Information gathered from Live Search: ifind + istat + grep
 +
 +
 +
==PTK Data Unit==
 +
 +
Data unit is a PTK feature that enables the investigator to analyze a disk at a low level enabling the visualization of an image allocation list and the analisys of the content of a sector or of sectors interval.
 +
 +
The generation of an allocation list is done through: dls.
 +
 +
 +
==PTK Ram Dump Analysis==
 +
 +
Memory dump analysis is done through the Volatility framework (https://www.volatilesystems.com).
 +
 +
At the moment, the last version supported by the framework is the 1.3 and the dump memories coming from the Windows XP SP2 and SP3 systems are supported.
 +
It is possible to perform a string search both in ASCII and UNICODE format.
 +
Just like all other evidence the results can be added to the PTK bookmarks.
 +
 +
The RAM Dump Analysis section consists of:
 +
 +
*Date and time
 +
*Running process
 +
*Open network sokets
 +
*Open network connections
 +
*DLLs loaded for each process
 +
*Open file for each process
 +
*Open registry handles for each process
 +
*A process'addressable memory
 +
*OS kernel modules
 +
*Mapping physical offsets to virtual addresses (string to process)
 +
*Virtual Address Descriptor information
 +
*Scanning examples: processes, threads, sokets,connections, modules
 +
*Extract executables from memory samples
 +
*Trasparently supports a variety of sample formats (ie, Crash dump, Hibernation, DD)
 +
*Automated conversion between formats
 +
 +
RAM DUMP ANALYSIS – KEYWORDS SEARCH
 +
 +
PTK enables to perform a string search on RAM dump memory also.
 +
It is possible to launch keyword search in the following formats:
 +
 +
*ASCII
 +
*UNICODE
 +
 +
In this secion it is also possible to perform regular expressions searches.
 +
All results can be inserted in the investigator’s personal bookmarks.
 +
Live search on the content of the RAM through: srch_strings + grep
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
  
  

Revision as of 06:46, 18 February 2009

PTK is an alternative advanced interface for the TSK suite (The Sleuth Kit). The software is a free interface developed in order to improve the features already present in ‘Autopsy Forensic Browser’ (the former TSK interface). In addition to providing the functions already present in Autopsy Forensic Browser it implements numerous new essential forensic features. PTK is more than just a new graphic and highly professional interface based on Ajax technology; it offers numerous features such as analysis, search and management of complex digital investigation cases . The core component of the software is an efficient Indexing Engine performing different preliminary analysis operations during the import phase of each piece of evidence. PTK allows simultaneous management of different cases and multi-user profiling. Investigators can work on the same case at the same time. All reports and bookmarks generated by an investigator are saved in a reserved section of the Database. PTK is a Web application based on the very innovative Ajax technology and builds an appealing, highly dynamic and very easy to use interface. Its developers used the PHP language and a back-end MySQL database implementing thus the LAMP structure (Linux-Apache-MySql-PHP).


PTK Structure

PTK needs three requisites for its standard functioning:

  • Lynux System
  • Apache Server with PHP5
  • MySQL server

There are several advantages gained with this configuration. PTK should be implemented on a system having fairly good hardware resources. The suggested requisites are:

  • P4 2.33 ghz
  • 512 MB of RAM
  • 10 GB of Disk (depending on the number of cases managed)


PTK Indexing Engine

PTK has got an indexing engine that executes preliminary indexing operations on the evidence inserted and stores the results thus obtained in the database. Therefore the investigator can efficiently query the data on which he is working.

The indexing tasks can be launched by the administrator of the application who chooses among the following activities:

  • Ascii and Unicode String extraction from the allocated space:
    • Allocated strings
    • Unallocated strings
    • Slack space (NTFS and FAT)
  • Identification of known extensions.
  • File type
    • Signature file analysis
    • File extension Mismatch
    • File categorization (graphic, document, executables etc...)
  • Metadata and hash generation of the files present on the disc
  • Timeline generation (Graphic or Textual)
  • File carving (Lazarus, Foremost, Scalpel)
  • Hash (MD5 or SHA1) of all files inside the image
  • Categorization (Graphics, Documents, Executables, etc..) of the documents obtained

The results of the preliminary operations are memorized in a database for a better data search. The remaining operations, such as file or directory exportation can be executed by the investigator directly from the disk image. With the new indexing engine the use of the icat command is optimized and the number of queries towards MySQL is reduced.


PTK File Analysis

The File Analysis section enables to browse the entire disk tree and explore the content of each directory. It is possible to visualize files in the following formats:

  • Ascii
  • Ascii String
  • Hexdump
  • Image preview (for graphic files only)

Investigators have full access to the data contained in every file present on the disk, both allocated and unallocated.

All operations are fast and intuitive thanks to the tree visualization and to a tab system. All results obtained during file analysis is bookmarked for subsequent analysis.

The keywords search is divided into two sections:

  • Indexed search
  • Live search

The first is based on a thorough keywords indexing, and the latter is a powerful search tool of the single files.

PTK has got a panel from which the investigator generates a disk Timeline. It is also possible to choose the time intervals in order to generate the timeline. Moreover it is possible to analyze the content of every single file directly form the timeline.

The entire analysis section was supported by a complex bookmark system created during system analysis; the investigator can manage his own bookmark and share them with the other investigators.

PTK is supported by a series of tools used during analysis:

  • Disk browsing: fls
  • File ascii: icat
  • File Ascii strings: icat + srch_strings
  • File Exdump: icat + hexdump
  • Filetype check: icat + file
  • Image Preview: icat

FILE ANAYSIS: FILTERING

PTK offers a content filtering during file analysis enablig the investiator to focus his attention only on certain files present in the folders.

The filtering analysis enables:

  • To apply a simple textual filter on the directory content.
  • To apply an advanced filter based on filetype or date intervals MACAB time.

DISK IMAGE INTEGRITY

PTK secures the integrity of the images on which the investigtors are working. While adding a new image, the investigator can choose between two hash algorithms:

  • MD5
  • SHA 1.

PTK saves the calculated values inside the database thus enabling subsequent comparisons. The investigator can always open the integrity control panel. From here it is possible to see the hash values of the original disk image and the date of the last control. The investigator can launch an integrity control any time: PTK recalculates the hash value and compares it with the one previously calculated and memorized in the database. If something isn’t right the user is immediately warned.

The MD5 and SHA1 calculation are two seperate processes: this enables the investigator to choose which algorithm to use in order to secure image integrity avoiding to waste time and resources.

FILE ANALYIS: AJAX PAGINATION

During File Analysis activities it is possible to come accross very large files and their uploading can slow down or even determine the browser to crash.

In order to avoid this problem PTK was provided, through Ajax, with a contents pagination mechanism.

This system enables to:

  • Browse through the pages that contain the extractions output.
  • Move to a determined page
  • Setup the weight (in units) of the page to be analyzed.
  • Enable and disable the pagination.

In this case all results are bookmarked for subsequent analysis.

ALTERNATE DATA STREAM

The ADS (alternate data stream) are parallel data streams that can be assigned to any file inside the NTFS partitions. These alternate streams are useful in order to insert comments or code strings impossible to visualize durin standard analysis. Both during Live Search and File Analysis PTK recognizes and visualizes ADS on any file

FILE MISMATCH

During File Analysis it is possible to meet files to which the extension was changed (file mismatch). Durante la fase di File Anaysis è possibile incontrare dei file ai quali è stata cambiata l'estensione (file mismatch). PTK recognizes the type of file automatically and outputs the correct visualization.


PTK Timeline

The disk timeline helps investigators to focus their attention on all changes done during a determined time interval. It visualizes the temporal succession of all activities that took place on the file, both allocated and unallocated: these activities are tracked through metadata analysis known as MACB time (Modification, Access, Creation, Birth).

There are two timeline types:

  • TAB : fields that can be ordered, file analysis and export features
  • GRAPHIC: the trend on file of all actions on the file

The latter is a powerful tool that enables the visualization of access peaks, modifications and creations.

The timeline uses primarily two tools:

  • Live Search: dls + srch_strings + grep
  • Data gathered from live search: ifind + istat + grep


PTK Gallery

Gallery is the feature that enables the investigator to visualize and manage graphic evidence.

In the gallery the thumbnails of the files recognized as images are visualized (signature file).

All images obtained during analysis can be added to bookmarks or exported or analyzed through its raw content.

All graphic contents are extracted: icat.


PTK Keyword Search

The keywords search section offers primarily two features:

  • Indexed Search: consists of a thorough search among keywords obtained from indexing operations.
  • Live Search: runs a direct search on the evidence.

The keywords search section supports the use of regular expressions and offers the possibility to save the most used regexp on a file. The results are bookmarked for subsequent analysis.

Keaywords search is supported by two tools:

  • Live Search: dls + srch_strings + grep
  • Information gathered from Live Search: ifind + istat + grep


PTK Data Unit

Data unit is a PTK feature that enables the investigator to analyze a disk at a low level enabling the visualization of an image allocation list and the analisys of the content of a sector or of sectors interval.

The generation of an allocation list is done through: dls.


PTK Ram Dump Analysis

Memory dump analysis is done through the Volatility framework (https://www.volatilesystems.com).

At the moment, the last version supported by the framework is the 1.3 and the dump memories coming from the Windows XP SP2 and SP3 systems are supported. It is possible to perform a string search both in ASCII and UNICODE format. Just like all other evidence the results can be added to the PTK bookmarks.

The RAM Dump Analysis section consists of:

  • Date and time
  • Running process
  • Open network sokets
  • Open network connections
  • DLLs loaded for each process
  • Open file for each process
  • Open registry handles for each process
  • A process'addressable memory
  • OS kernel modules
  • Mapping physical offsets to virtual addresses (string to process)
  • Virtual Address Descriptor information
  • Scanning examples: processes, threads, sokets,connections, modules
  • Extract executables from memory samples
  • Trasparently supports a variety of sample formats (ie, Crash dump, Hibernation, DD)
  • Automated conversion between formats

RAM DUMP ANALYSIS – KEYWORDS SEARCH

PTK enables to perform a string search on RAM dump memory also. It is possible to launch keyword search in the following formats:

  • ASCII
  • UNICODE

In this secion it is also possible to perform regular expressions searches. All results can be inserted in the investigator’s personal bookmarks. Live search on the content of the RAM through: srch_strings + grep























References

PTK Official Site