PTK

From SleuthKitWiki
Revision as of 01:34, 17 February 2009 by Dflabs (Talk | contribs)

Jump to: navigation, search

PTK is an alternative advanced interface for the suite TSK (The Sleuth Kit). PTK was developed from scratch and besides providing the functions already present in Autopsy Forensic Browser it implements numerous new features essential during forensic activity. PTK is not just a new graphic and highly professional interface based on Ajax technology but offers a great deal of features like analysis, search and management of complex cases of digital investigation. The core component of the software is made up of an efficient Indexing Engine performing different preliminary analysis operations during importing of every evidence. PTK allows the management of different cases and different levels of multi-users. It is possible to allow two investigators to work at the same case at the same time. All the reports generated by an investigator are saved in a reserved section of the Database. PTK is a Web Based application and builds its indexing archive inside a Database MySQL, using thus the construction LAMP(Linux-Apache-MySql-PHP).

PTK Structure

PTK needs three requisites for its standard functioning:

  • Lynux System
  • Apache Server with PHP5
  • MySQL server

There are several advantages gained with this configuration. PTK should be implemented on a system having fairly good hardware resources. The suggested requisites are:

  • P4 2.33 ghz
  • 512 MB of RAM
  • 10 GB of Disk (depending on the number of cases managed)


In order to use the abilities of Multi Investigator System (PTK–MIS) and therefore allow different investigators to access a case at the same time it's necessary to have at least 2 GB of RAM. The implementation of PTK is done through a web console dealing with the creation of the pattern in the database and of the administrative user.

PTK Features

PTK inherits all analysis features already present in TSK, among the most important being:

  • Analyzes raw (i.e. dd), Expert Witness (i.e. EnCase) and AFF file system and disk images. (Sleuth Kit Informer #11)
  • Supports the NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660 file systems (even when the host operating system does not or has a different endian ordering).
  • List allocated and deleted ASCII and Unicode file names. (Sleuth Kit Informer #14 (FAT Recovery), #16 (NTFS Orphan Files))
  • Display the details and contents of all NTFS attributes (including all Alternate Data Streams).
  • Display file system and meta-data structure details.


The principal features in PTK are:

Indexing Engine

  • String Extracion
    • Allocated, Unallocated, Slack Space
    • Live Search
  • File Categorization
    • File signature analysis
    • File extension mismatch
  • Hash Set Manager
  • Timeline generation
  • Advance File Analysis
  • RAM dump analysis
    • Ram Analysis
    • Keyword Search


File Analysis

  • File visualization
    • Ascii
    • Ascii string
    • Hexdump
    • Image preview
  • Filtering
    • Textual filter
    • Advanced filter
  • Disk Image Integrity
    • SHA1
    • MD5
  • Ajax Pagination
  • Alternate Data Stream
  • File Mismatch


Ram Dump Analysis

  • Date and time
  • Running process
  • Open network sokets
  • Open network connections
  • DLLs loaded for each process
  • Open file for each process
  • Open registry handles for each process
  • A process'addressable memory
  • OS kernel modules
  • Mapping physical offsets to virtual addresses (string to process)
  • Virtual Address Descriptor information
  • Scanning examples: processes, threads, sokets,connections, modules
  • Extract executables from memory samples
  • Trasparently supports a variety of sample formats (ie, Crash dump, Hibernation, DD)
  • Automated conversion between formats


Advanced Timeline

  • Search for specified time frame
    • Display timeline in text table
    • Display timeline in graph
    • Show specified file details
    • Show specified file content
    • Export file


Gallery View

  • Thumbnails visualization


Advance Keyword Search

  • Indexed Search
  • Live Search


Bookmarking Section

  • Single file
  • Part of file
  • Search result
  • Timeline event


Multi Investigator System (PTK-MIS)

  • Various levels through politics previously decided
  • User creation
  • Case lock


Report

  • PDF generation


Dashboard

  • Free memory
  • Medium use of the CPU
  • Free disk
  • Used disk percentage

References

PTK Official Site