PTK

From SleuthKitWiki
Revision as of 05:25, 18 February 2009 by Dflabs (Talk | contribs)

Jump to: navigation, search

PTK is an alternative advanced interface for the TSK suite (The Sleuth Kit). The software is a free interface developed in order to improve the features already present in ‘Autopsy Forensic Browser’ (the former TSK interface). In addition to providing the functions already present in Autopsy Forensic Browser it implements numerous new essential forensic features. PTK is more than just a new graphic and highly professional interface based on Ajax technology; it offers numerous features such as analysis, search and management of complex digital investigation cases . The core component of the software is an efficient Indexing Engine performing different preliminary analysis operations during the import phase of each piece of evidence. PTK allows simultaneous management of different cases and multi-user profiling. Investigators can work on the same case at the same time. All reports and bookmarks generated by an investigator are saved in a reserved section of the Database. PTK is a Web application based on the very innovative Ajax technology and builds an appealing, highly dynamic and very easy to use interface. Its developers used the PHP language and a back-end MySQL database implementing thus the LAMP structure (Linux-Apache-MySql-PHP).

PTK Structure

File:Schema.png

PTK needs three requisites for its standard functioning:

  • Lynux System
  • Apache Server with PHP5
  • MySQL server

There are several advantages gained with this configuration. PTK should be implemented on a system having fairly good hardware resources. The suggested requisites are:

  • P4 2.33 ghz
  • 512 MB of RAM
  • 10 GB of Disk (depending on the number of cases managed)

PTK Features

PTK inherits all analysis features already present in TSK, among the most important being:

  • Analyzes raw (i.e. dd), Expert Witness (i.e. EnCase) and AFF file system and disk images. (Sleuth Kit Informer #11)
  • Supports the NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660 file systems (even when the host operating system does not or has a different endian ordering).
  • List allocated and deleted ASCII and Unicode file names. (Sleuth Kit Informer #14 (FAT Recovery), #16 (NTFS Orphan Files))
  • Display the details and contents of all NTFS attributes (including all Alternate Data Streams).
  • Display file system and meta-data structure details.


The principal features in PTK are:

Indexing Engine

  • String Extracion
    • Allocated, Unallocated, Slack Space
    • Live Search
  • File Categorization
    • File signature analysis
    • File extension mismatch
  • Hash Set Manager
  • Timeline generation
  • Advance File Analysis
  • RAM dump analysis
    • Ram Analysis
    • Keyword Search


File Analysis

  • File visualization
    • Ascii
    • Ascii string
    • Hexdump
    • Image preview
  • Filtering
    • Textual filter
    • Advanced filter
  • Disk Image Integrity
    • SHA1
    • MD5
  • Ajax Pagination
  • Alternate Data Stream
  • File Mismatch


Ram Dump Analysis

  • Date and time
  • Running process
  • Open network sokets
  • Open network connections
  • DLLs loaded for each process
  • Open file for each process
  • Open registry handles for each process
  • A process'addressable memory
  • OS kernel modules
  • Mapping physical offsets to virtual addresses (string to process)
  • Virtual Address Descriptor information
  • Scanning examples: processes, threads, sokets,connections, modules
  • Extract executables from memory samples
  • Trasparently supports a variety of sample formats (ie, Crash dump, Hibernation, DD)
  • Automated conversion between formats


Advanced Timeline

  • Search for specified time frame
    • Display timeline in text table
    • Display timeline in graph
    • Show specified file details
    • Show specified file content
    • Export file


Gallery View

  • Thumbnails visualization


Advance Keyword Search

  • Indexed Search
  • Live Search


Bookmarking Section

  • Single file
  • Part of file
  • Search result
  • Timeline event


Multi Investigator System

  • Various levels through politics previously decided
  • User creation
  • Case lock


Report

  • PDF generation


Dashboard

  • Free memory
  • Medium use of the CPU
  • Free disk
  • Used disk percentage

References

PTK Official Site