Difference between revisions of "PTK"
(→PTK Features) |
|||
| Line 46: | Line 46: | ||
The results of the preliminary operations are memorized in a database for a better data search. The remaining operations, such as file or directory exportation can be executed by the investigator directly from the disk image. | The results of the preliminary operations are memorized in a database for a better data search. The remaining operations, such as file or directory exportation can be executed by the investigator directly from the disk image. | ||
With the new indexing engine the use of the icat command is optimized and the number of queries towards MySQL is reduced. | With the new indexing engine the use of the icat command is optimized and the number of queries towards MySQL is reduced. | ||
| + | |||
| + | ==PTK File Analysis== | ||
| + | The File Analysis section enables to browse the entire disk tree and explore the content of each directory. It is possible to visualize files in the following formats: | ||
| + | |||
| + | *Ascii | ||
| + | *Ascii String | ||
| + | *Hexdump | ||
| + | *Image preview (for graphic files only) | ||
| + | |||
| + | Investigators have full access to the data contained in every file present on the disk, both allocated and unallocated. | ||
| + | |||
| + | All operations are fast and intuitive thanks to the tree visualization and to a tab system. All results obtained during file analysis is bookmarked for subsequent analysis. | ||
| + | |||
| + | The keywords search is divided into two sections: | ||
| + | |||
| + | *Indexed search | ||
| + | *Live search | ||
| + | |||
| + | The first is based on a thorough keywords indexing, and the latter is a powerful search tool of the single files. | ||
| + | |||
| + | PTK has got a panel from which the investigator generates a disk Timeline. It is also possible to choose the time intervals in order to generate the timeline. Moreover it is possible to analyze the content of every single file directly form the timeline. | ||
| + | |||
| + | The entire analysis section was supported by a complex bookmark system created during system analysis; the investigator can manage his own bookmark and share them with the other investigators. | ||
| + | |||
| + | PTK is supported by a series of tools used during analysis: | ||
| + | |||
| + | *Disk browsing: fls | ||
| + | *File ascii: icat | ||
| + | *File Ascii strings: icat + srch_strings | ||
| + | *File Exdump: icat + hexdump | ||
| + | *Filetype check: icat + file | ||
| + | *Image Preview: icat | ||
| + | |||
==References== | ==References== | ||
Revision as of 06:37, 18 February 2009
PTK is an alternative advanced interface for the TSK suite (The Sleuth Kit). The software is a free interface developed in order to improve the features already present in ‘Autopsy Forensic Browser’ (the former TSK interface). In addition to providing the functions already present in Autopsy Forensic Browser it implements numerous new essential forensic features. PTK is more than just a new graphic and highly professional interface based on Ajax technology; it offers numerous features such as analysis, search and management of complex digital investigation cases . The core component of the software is an efficient Indexing Engine performing different preliminary analysis operations during the import phase of each piece of evidence. PTK allows simultaneous management of different cases and multi-user profiling. Investigators can work on the same case at the same time. All reports and bookmarks generated by an investigator are saved in a reserved section of the Database. PTK is a Web application based on the very innovative Ajax technology and builds an appealing, highly dynamic and very easy to use interface. Its developers used the PHP language and a back-end MySQL database implementing thus the LAMP structure (Linux-Apache-MySql-PHP).
PTK Structure
PTK needs three requisites for its standard functioning:
- Lynux System
- Apache Server with PHP5
- MySQL server
There are several advantages gained with this configuration. PTK should be implemented on a system having fairly good hardware resources. The suggested requisites are:
- P4 2.33 ghz
- 512 MB of RAM
- 10 GB of Disk (depending on the number of cases managed)
PTK Indexing Engine
PTK has got an indexing engine that executes preliminary indexing operations on the evidence inserted and stores the results thus obtained in the database. Therefore the investigator can efficiently query the data on which he is working.
The indexing tasks can be launched by the administrator of the application who chooses among the following activities:
- Ascii and Unicode String extraction from the allocated space:
- Allocated strings
- Unallocated strings
- Slack space (NTFS and FAT)
- Identification of known extensions.
- File type
- Signature file analysis
- File extension Mismatch
- File categorization (graphic, document, executables etc...)
- Metadata and hash generation of the files present on the disc
- Timeline generation (Graphic or Textual)
- File carving (Lazarus, Foremost, Scalpel)
- Hash (MD5 or SHA1) of all files inside the image
- Categorization (Graphics, Documents, Executables, etc..) of the documents obtained
The results of the preliminary operations are memorized in a database for a better data search. The remaining operations, such as file or directory exportation can be executed by the investigator directly from the disk image. With the new indexing engine the use of the icat command is optimized and the number of queries towards MySQL is reduced.
PTK File Analysis
The File Analysis section enables to browse the entire disk tree and explore the content of each directory. It is possible to visualize files in the following formats:
- Ascii
- Ascii String
- Hexdump
- Image preview (for graphic files only)
Investigators have full access to the data contained in every file present on the disk, both allocated and unallocated.
All operations are fast and intuitive thanks to the tree visualization and to a tab system. All results obtained during file analysis is bookmarked for subsequent analysis.
The keywords search is divided into two sections:
- Indexed search
- Live search
The first is based on a thorough keywords indexing, and the latter is a powerful search tool of the single files.
PTK has got a panel from which the investigator generates a disk Timeline. It is also possible to choose the time intervals in order to generate the timeline. Moreover it is possible to analyze the content of every single file directly form the timeline.
The entire analysis section was supported by a complex bookmark system created during system analysis; the investigator can manage his own bookmark and share them with the other investigators.
PTK is supported by a series of tools used during analysis:
- Disk browsing: fls
- File ascii: icat
- File Ascii strings: icat + srch_strings
- File Exdump: icat + hexdump
- Filetype check: icat + file
- Image Preview: icat
