Difference between revisions of "PTK"

From SleuthKitWiki
Jump to: navigation, search
(PTK Structure)
(PTK Features)
Line 14: Line 14:
 
*10 GB of Disk (depending on the number of cases managed)
 
*10 GB of Disk (depending on the number of cases managed)
  
==PTK Features==
+
==PTK Indexing Engine ==
PTK inherits all analysis features already present in [[TSK]], among the most important being: 
+
PTK has got an indexing engine that executes preliminary indexing operations on the evidence inserted and stores the results thus obtained in the database. Therefore the investigator can efficiently query the data on which he is working.
*Analyzes raw (i.e. dd), Expert Witness (i.e. EnCase) and AFF file system and disk images. (Sleuth Kit Informer #11)
+
*Supports the NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660 file systems (even when the host operating system does not or has a different endian ordering).
+
*List allocated and deleted ASCII and Unicode file names. (Sleuth Kit Informer #14 (FAT Recovery), #16 (NTFS Orphan Files))
+
*Display the details and contents of all NTFS attributes (including all Alternate Data Streams).
+
*Display file system and meta-data structure details.
+
  
 +
The indexing tasks can be launched by the administrator of the application who chooses among the following activities:
  
The principal features in PTK are:
 
  
'''Indexing Engine'''
 
*String Extracion
 
**Allocated, Unallocated, Slack Space
 
**Live Search
 
*File Categorization
 
**File signature analysis
 
**File extension mismatch
 
*Hash Set Manager
 
*Timeline generation
 
*Advance File Analysis
 
*RAM dump analysis
 
**Ram Analysis
 
**Keyword Search
 
  
  
'''File Analysis'''
+
*Ascii and Unicode String extraction from the allocated space:
*File visualization
+
**Allocated strings
**Ascii
+
**Unallocated strings
**Ascii string
+
**Slack space (NTFS and FAT)
**Hexdump
+
**Image preview
+
*Filtering
+
**Textual filter
+
**Advanced filter
+
*Disk Image Integrity
+
**SHA1
+
**MD5
+
*Ajax Pagination
+
*Alternate Data Stream
+
*File Mismatch
+
  
 +
*Identification of known extensions.
  
'''Ram Dump Analysis'''
+
*File type
*Date and time
+
**Signature file analysis
*Running process
+
**File extension Mismatch
*Open network sokets
+
**File categorization (graphic, document, executables etc...)  
*Open network connections
+
*DLLs loaded for each process
+
*Open file for each process
+
*Open registry handles for each process
+
*A process'addressable memory
+
*OS kernel modules
+
*Mapping physical offsets to virtual addresses (string to process)
+
*Virtual Address Descriptor information
+
*Scanning examples: processes, threads, sokets,connections, modules
+
*Extract executables from memory samples
+
*Trasparently supports a variety of sample formats (ie, Crash dump, Hibernation, DD)
+
*Automated conversion between formats
+
  
 +
*Metadata and hash generation of the files present on the disc
  
'''Advanced Timeline'''
+
*Timeline generation (Graphic or Textual)
*Search for specified time frame
+
**Display timeline in text table
+
**Display timeline in graph
+
**Show specified file details
+
**Show specified file content
+
**Export file
+
  
 +
*File carving (Lazarus, Foremost, Scalpel)
  
 +
*Hash (MD5 or SHA1) of all files inside the image
  
'''Gallery View '''
+
*Categorization (Graphics, Documents, Executables, etc..) of the documents obtained
* Thumbnails visualization
+
  
 
+
The results of the preliminary operations are memorized in a database for a better data search. The remaining operations, such as file or directory exportation can be executed by the investigator directly from the disk image.
 
+
With the new indexing engine the use of the icat command is optimized and the number of queries towards MySQL is reduced.
'''Advance Keyword Search '''
+
*Indexed Search
+
*Live Search
+
 
+
 
+
'''Bookmarking Section '''
+
*Single file
+
*Part of file
+
*Search result
+
*Timeline event
+
 
+
 
+
'''Multi Investigator System'''
+
*Various levels through politics previously decided
+
*User creation
+
*Case lock
+
 
+
 
+
'''Report'''
+
*PDF generation
+
 
+
 
+
'''Dashboard'''
+
*Free memory
+
*Medium use of the CPU
+
*Free disk
+
*Used disk percentage
+
  
 
==References==
 
==References==

Revision as of 05:32, 18 February 2009

PTK is an alternative advanced interface for the TSK suite (The Sleuth Kit). The software is a free interface developed in order to improve the features already present in ‘Autopsy Forensic Browser’ (the former TSK interface). In addition to providing the functions already present in Autopsy Forensic Browser it implements numerous new essential forensic features. PTK is more than just a new graphic and highly professional interface based on Ajax technology; it offers numerous features such as analysis, search and management of complex digital investigation cases . The core component of the software is an efficient Indexing Engine performing different preliminary analysis operations during the import phase of each piece of evidence. PTK allows simultaneous management of different cases and multi-user profiling. Investigators can work on the same case at the same time. All reports and bookmarks generated by an investigator are saved in a reserved section of the Database. PTK is a Web application based on the very innovative Ajax technology and builds an appealing, highly dynamic and very easy to use interface. Its developers used the PHP language and a back-end MySQL database implementing thus the LAMP structure (Linux-Apache-MySql-PHP).

PTK Structure

PTK needs three requisites for its standard functioning:

  • Lynux System
  • Apache Server with PHP5
  • MySQL server

There are several advantages gained with this configuration. PTK should be implemented on a system having fairly good hardware resources. The suggested requisites are:

  • P4 2.33 ghz
  • 512 MB of RAM
  • 10 GB of Disk (depending on the number of cases managed)

PTK Indexing Engine

PTK has got an indexing engine that executes preliminary indexing operations on the evidence inserted and stores the results thus obtained in the database. Therefore the investigator can efficiently query the data on which he is working.

The indexing tasks can be launched by the administrator of the application who chooses among the following activities:



  • Ascii and Unicode String extraction from the allocated space:
    • Allocated strings
    • Unallocated strings
    • Slack space (NTFS and FAT)
  • Identification of known extensions.
  • File type
    • Signature file analysis
    • File extension Mismatch
    • File categorization (graphic, document, executables etc...)
  • Metadata and hash generation of the files present on the disc
  • Timeline generation (Graphic or Textual)
  • File carving (Lazarus, Foremost, Scalpel)
  • Hash (MD5 or SHA1) of all files inside the image
  • Categorization (Graphics, Documents, Executables, etc..) of the documents obtained

The results of the preliminary operations are memorized in a database for a better data search. The remaining operations, such as file or directory exportation can be executed by the investigator directly from the disk image. With the new indexing engine the use of the icat command is optimized and the number of queries towards MySQL is reduced.

References

PTK Official Site