Difference between revisions of "PTK"

From SleuthKitWiki
m (Reverted edits by Loanaus22 (talk) to last revision by Jrestivo)
PTK is an alternative, advanced interface for The Sleuth Kit (TSK). It is a free front-end developed to improve on the features already present in the Autopsy Forensic Browser: in addition to providing the functions of Autopsy, it implements numerous new forensic features. PTK is more than a new professional graphical interface based on Ajax; it offers analysis, search and management of complex digital investigation cases.

The core component of the software is an Indexing Engine that performs a number of preliminary analysis operations while each piece of evidence is imported. PTK allows simultaneous management of several cases and multi-user profiling: investigators can work on the same case at the same time, and all reports and bookmarks generated by an investigator are saved in a section of the database reserved to that investigator. PTK is a web application built with Ajax, which gives a dynamic and easy-to-use interface. It is written in PHP with a MySQL back-end, i.e. the classic LAMP stack (Linux, Apache, MySQL, PHP).
  
==Structure==
  
PTK needs three requisites for its standard functioning:

*Linux system
*Apache server with PHP5
*MySQL server

PTK should be installed on a system with reasonably good hardware resources. The suggested minimum is:

*Pentium 4, 2.33 GHz
*512 MB of RAM
*10 GB of disk (depending on the number of cases managed)

Since the web interface gives access to every image, bookmark and report stored in the database, the Apache and MySQL services should listen only on the examiner's workstation or analysis LAN, never on a network reachable by untrusted hosts.

==Indexing Engine==

PTK has an indexing engine that executes preliminary indexing operations on the supplied evidence. Indexing results are stored in the database, so the investigator can efficiently query the data being worked on.

The indexing tasks are launched by the administrator of the application, who chooses among the following activities:

*ASCII and Unicode string extraction from:
**Allocated space
**Unallocated space
**Slack space (NTFS and FAT)
*Identification of known extensions
*File type
**File signature analysis
**File extension mismatch (the extension does not match the type identified by the signature)
**File categorization (graphic, document, executable, etc.)
*Metadata extraction for every file present on the disk
*Hash (MD5 or SHA-1) of every file inside the image
*Timeline generation (graphic or textual)
*File carving (Lazarus, Foremost, Scalpel)
*Categorization (graphics, documents, executables, etc.) of the files obtained

The results of these preliminary operations are stored in the database for fast searching. The remaining operations, such as exporting a file or a directory, are executed by the investigator directly against the disk image.

With the indexing engine the use of the icat command is optimized and the number of queries against MySQL is reduced.

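The signature-analysis and extension-mismatch steps listed above, as an added worked example in Python (not PTK's or TSK's code): a small magic-number table stands in for the libmagic database behind ''file'', the sample paths and file heads are constructed, and the function names are the example's own.

```python
"""Signature-based file typing and extension-mismatch detection.

Added example, not PTK's own code: reproduces the indexing engine's
"file signature analysis", "file extension mismatch" and "file
categorization" steps on a few constructed byte strings, standing in
for file heads extracted from an image with icat.
"""
from __future__ import annotations

# Assumption: a small magic-number table standing in for the libmagic
# database that file(1) uses.  (offset, magic, type, expected extensions, category)
SIGNATURES = [
    (0, b"\xff\xd8\xff",      "jpeg", {"jpg", "jpeg"},                              "graphic"),
    (0, b"\x89PNG\r\n\x1a\n", "png",  {"png"},                                      "graphic"),
    (0, b"GIF87a",            "gif",  {"gif"},                                      "graphic"),
    (0, b"GIF89a",            "gif",  {"gif"},                                      "graphic"),
    (0, b"%PDF-",             "pdf",  {"pdf"},                                      "document"),
    (0, b"MZ",                "pe",   {"exe", "dll", "sys", "scr", "ocx"},          "executable"),
    (0, b"\x7fELF",           "elf",  {"", "so", "elf"},                            "executable"),
    (0, b"PK\x03\x04",        "zip",  {"zip", "jar", "docx", "xlsx", "pptx", "odt"}, "archive"),
]

def match_signature(data: bytes):
    """Return the first SIGNATURES row whose magic appears at its offset, else None."""
    for sig in SIGNATURES:
        offset, magic = sig[0], sig[1]
        if data[offset:offset + len(magic)] == magic:
            return sig
    return None

def detect_type(data: bytes) -> tuple[str, str]:
    """(type, category) from the signature, or ("unknown", "unknown")."""
    sig = match_signature(data)
    return (sig[2], sig[4]) if sig else ("unknown", "unknown")

def extension_of(path: str) -> str:
    """Lower-case extension of the last path component; '' if none
    (a leading dot, as in .bashrc, is not an extension)."""
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base[1:] else ""

def is_mismatch(path: str, data: bytes) -> bool:
    """True when the signature identifies the type and the extension does
    not belong to it.  Files with no recognized signature are not flagged."""
    sig = match_signature(data)
    return bool(sig) and extension_of(path) not in sig[3]

# Constructed sample: (path, first bytes) pairs, as if produced by fls + icat.
SAMPLE_ENTRIES = [
    ("/Documents/report.pdf",         b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("/Pictures/holiday.jpg",         b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),  # PE disguised as image
    ("/Windows/System32/svchost.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("/archive/payload.dat",          b"PK\x03\x04\x14\x00\x06\x00"),          # zip with neutral extension
    ("/notes.txt",                    b"meeting notes 12/03\n"),               # no signature in the table
    ("/Pictures/cat.jpg",             b"\xff\xd8\xff\xe0\x00\x10JFIF"),
]

def classify_entries(entries) -> list[dict]:
    """One row per file: extension, signature type, category, mismatch flag."""
    rows = []
    for path, head in entries:
        ftype, category = detect_type(head)
        rows.append({"name": path, "ext": extension_of(path), "type": ftype,
                     "category": category, "mismatch": is_mismatch(path, head)})
    return rows

if __name__ == "__main__":
    for row in classify_entries(SAMPLE_ENTRIES):
        flag = "MISMATCH" if row["mismatch"] else ""
        print(f'{row["name"]:32} {row["ext"]:5} {row["type"]:8} {row["category"]:11} {flag}')
```

The table is deliberately conservative: a file whose head matches nothing is reported as unknown rather than flagged, because a mismatch verdict is only as good as the signature behind it, and container formats (a .docx is a zip) need their expected extensions listed under the container's signature.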
==File Analysis==

The File Analysis section lets the investigator browse the entire directory tree of the disk and explore the content of each directory. A file can be viewed in the following formats:

*ASCII
*ASCII strings
*Hexdump
*Image preview (graphic files only)

Investigators have full access to the data contained in every file on the disk, both allocated and unallocated.

All operations are fast and intuitive thanks to the tree view and to a tab system. Every result obtained during file analysis can be bookmarked for subsequent analysis.

Keyword search is divided into two sections:

*Indexed search
*Live search

The first is based on the keyword index built during indexing; the second searches the individual files directly.

PTK has a panel from which the investigator generates the disk timeline. The time interval covered by the timeline can be chosen, and the content of every file can be analyzed directly from the timeline.

The whole analysis section is supported by a bookmark system: each investigator manages his own bookmarks and can share them with the other investigators.

PTK wraps the following TSK and system tools during analysis:

*Disk browsing: ''fls''
*File ASCII view: ''icat''
*File ASCII strings: ''icat'' + ''srch_strings''
*File hexdump: ''icat'' + ''hexdump''
*File type check: ''icat'' + ''file''
*Image preview: ''icat''


'''FILE ANALYSIS: FILTERING'''

PTK offers content filtering during file analysis, so the investigator can focus only on certain files in a folder.

The filter can be:

*A simple textual filter on the directory content.
*An advanced filter based on file type or on a date interval of the MACB times.


'''DISK IMAGE INTEGRITY'''

PTK verifies the integrity of the images on which the investigators are working.
While adding a new image, the investigator can choose between two hash algorithms:

*MD5
*SHA-1

PTK saves the calculated values in the database, enabling subsequent comparisons.
The investigator can open the integrity control panel at any time. It shows the hash values recorded for the original disk image and the date of the last check.
An integrity check can be launched at any time: PTK recalculates the hash of the image and compares it with the value previously calculated and stored in the database. If the two differ, the user is immediately warned.

The MD5 and SHA-1 calculations are two separate processes: the investigator chooses which algorithm to use to protect image integrity, avoiding wasted time and resources. Note that neither MD5 nor SHA-1 is collision-resistant any longer, so the stored hash detects accidental or careless modification of the image but is not, by itself, proof against an adversary who can craft colliding data; recording both digests, and keeping a copy of the hashes outside the PTK database, strengthens the check.


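The record-then-recheck workflow described above, as an added Python example (not PTK's code). It hashes a constructed 1 MiB image in chunks, computes every requested digest from the same read, stores the result in a dict standing in for PTK's database row (the field names are the example's, not PTK's schema), re-verifies, and shows that a single flipped bit is detected. The `algorithms` parameter also accepts sha256, which PTK itself does not offer.

```python
"""Disk-image hashing and later integrity re-verification.

Added example, not PTK's code: the image is read once in fixed-size
chunks (images are larger than RAM), every requested digest is updated
from the same read, the result is stored in a record standing in for
PTK's database row, and a later check re-hashes the image and compares.
Field names and the `algorithms` parameter are this example's own.
"""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time; never load the whole image

def hash_stream(fp, algorithms=("md5", "sha1")) -> dict:
    """Digest a seekable binary stream once, for all requested algorithms."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    fp.seek(0)
    while True:
        block = fp.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data: bytes, algorithms=("md5", "sha1")) -> dict:
    """Convenience wrapper for in-memory data (small test vectors)."""
    return hash_stream(io.BytesIO(data), algorithms)

def record_image(fp, algorithms=("md5", "sha1")) -> dict:
    """What is stored when an image is added: its digests plus the date of the last check."""
    return {"hashes": hash_stream(fp, algorithms),
            "last_check": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "status": "ok"}

def verify_image(fp, record: dict) -> bool:
    """Re-hash the image with the recorded algorithms, compare, update the record."""
    current = hash_stream(fp, tuple(record["hashes"]))
    ok = all(current[a] == record["hashes"][a] for a in record["hashes"])
    record["last_check"] = datetime.now(timezone.utc).isoformat(timespec="seconds")
    record["status"] = "ok" if ok else "MISMATCH"
    return ok

def demo() -> tuple:
    """Constructed 1 MiB 'image': verified intact, then a single bit is flipped."""
    image = bytearray(bytes(range(256)) * 4096)
    rec = record_image(io.BytesIO(image))
    intact = verify_image(io.BytesIO(image), rec)
    image[0x1234] ^= 0x01                     # simulate a one-bit change anywhere in the image
    tampered = verify_image(io.BytesIO(image), rec)
    return intact, tampered, rec["status"]

if __name__ == "__main__":
    print(demo())   # (True, False, 'MISMATCH')
```

Computing both digests from one pass costs one read of the image instead of two, which matters more than the hash arithmetic for multi-gigabyte evidence; PTK's choice to run them as separate processes trades that for letting the investigator skip one algorithm entirely.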
'''FILE ANALYSIS: AJAX PAGINATION'''

During file analysis it is possible to come across very large files, whose loading can slow down or even crash the browser.

To avoid this problem PTK paginates the content through Ajax.

The pagination system lets the investigator:

*Browse through the pages that contain the extraction output.
*Jump to a given page.
*Set the size of each page to be analyzed.
*Enable and disable pagination.

Here too, all results can be bookmarked for subsequent analysis.


'''ALTERNATE DATA STREAMS'''

Alternate data streams (ADS) are additional data streams that can be attached to any file on an NTFS partition.
They can be used to hide comments or code that is not visible in a standard file listing.
Both during Live Search and during File Analysis PTK recognizes ADS and shows them for every file that carries them.


'''FILE MISMATCH'''

During File Analysis it is possible to meet files whose extension has been changed (file mismatch).
PTK recognizes the real type of the file automatically, from its signature, and displays it accordingly.

==Timeline==

The disk timeline helps investigators focus on all changes made during a given time interval. It displays the chronological sequence of all activity on the files, both allocated and unallocated, tracked through the file-system metadata known as MACB times: Modified (content), Accessed, Changed (metadata) and Born (created).

There are two timeline types:

*TABULAR: sortable fields, with file analysis and export features
*GRAPHIC: the trend over time of all actions on the files

The latter is a powerful tool for spotting peaks of accesses, modifications and creations.

The timeline uses primarily two tools:

*Live Search: ''dls'' + ''srch_strings'' + ''grep''
*Data gathered from live search: ''ifind'' + ''istat'' + ''grep''


==Gallery==

The Gallery lets the investigator view and manage graphic evidence.

The gallery shows thumbnails of the files recognized as images by signature analysis.

Every image can be added to the bookmarks, exported, or analyzed through its raw content.

All graphic content is extracted with ''icat''.


==Keyword Search==

The keyword search section offers two primary features:

*Indexed Search: a search among the keywords obtained during the indexing operations.
*Live Search: a direct search on the evidence.

Keyword search supports regular expressions and offers the ability to save commonly used expressions in a file.
Results can be bookmarked for subsequent analysis.

Keyword search is supported by two tool chains:

*Live Search: ''dls'' + ''srch_strings'' + ''grep''
*Information on a live-search hit (which file owns the data unit): ''ifind'' + ''istat'' + ''grep''

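The string extraction performed by the indexing engine and the two search modes described above, as one added Python example (not PTK's or TSK's code) standing in for ''srch_strings'' + ''grep'': it extracts ASCII and UTF-16LE runs with their byte offsets from a constructed blob, runs an indexed regex search over them, and then a live regex search straight against the bytes, which also finds a token shorter than the indexing minimum. `MIN_LEN`, the `Hit` type and the sample bytes are the example's own assumptions.

```python
"""ASCII / UTF-16LE string extraction and keyword search over it.

Added example, not PTK's or TSK's code.  It re-implements in Python the
part of `srch_strings` that PTK relies on (printable runs with their byte
offsets, `-t d`, for ASCII and, `-e l`, for little-endian 16-bit Unicode)
and then runs the two kinds of search the Keyword Search section offers:
an indexed search over the extracted strings and a live regex search
straight against the bytes.  SAMPLE is a constructed blob standing in
for unallocated space extracted with dls.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

MIN_LEN = 4   # minimum run length, the strings(1) default

@dataclass(frozen=True)
class Hit:
    offset: int      # byte offset in the blob (what ifind needs to map a hit to a file)
    encoding: str    # "ascii" or "utf-16le"
    text: str

_ASCII = re.compile(rb"[\x20-\x7e\t]{%d,}" % MIN_LEN)
_U16LE = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % MIN_LEN)

def extract_strings(blob: bytes) -> list[Hit]:
    """Indexing step: every printable ASCII and UTF-16LE run of >= MIN_LEN characters."""
    hits = [Hit(m.start(), "ascii", m.group().decode("ascii")) for m in _ASCII.finditer(blob)]
    hits += [Hit(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in _U16LE.finditer(blob)]
    return sorted(hits, key=lambda h: h.offset)

def indexed_search(index: list[Hit], pattern: str, flags=re.IGNORECASE) -> list[Hit]:
    """Indexed Search: regex against the stored strings; fast, but it can only
    find what the indexer extracted (offset is that of the whole string)."""
    rx = re.compile(pattern, flags)
    return [h for h in index if rx.search(h.text)]

def _u16_view(blob: bytes, align: int) -> str:
    """One str character per 16-bit unit starting at byte `align`, so that
    str index i corresponds exactly to byte offset align + 2*i."""
    units = []
    for i in range(align, len(blob) - 1, 2):
        u = int.from_bytes(blob[i:i + 2], "little")
        units.append(chr(u) if not 0xD800 <= u <= 0xDFFF else "\ufffd")
    return "".join(units)

def live_search(blob: bytes, pattern: str, flags=re.IGNORECASE) -> list[Hit]:
    """Live Search: regex straight against the evidence, as ASCII (latin-1 keeps
    byte offsets 1:1) and as UTF-16LE at both byte alignments."""
    rx = re.compile(pattern, flags)
    hits = [Hit(m.start(), "ascii", m.group()) for m in rx.finditer(blob.decode("latin-1"))]
    for align in (0, 1):
        view = _u16_view(blob, align)
        hits += [Hit(align + 2 * m.start(), "utf-16le", m.group()) for m in rx.finditer(view)]
    return sorted(hits, key=lambda h: h.offset)

# Constructed blob: an ASCII fragment, a UTF-16LE path, a 3-byte ASCII token
# (too short for the index) and a UTF-16LE string at an odd byte alignment.
SAMPLE = (b"\x00" * 16
          + b"Subject: wire transfer to acct 4471"
          + b"\x00\xff\x01"
          + "C:\\Users\\bob\\secret.docx".encode("utf-16le")
          + b"\x00\x00\x03"
          + b"pwd"
          + b"\xee\xff"
          + b"\x07" + "Acct 9981".encode("utf-16le"))

if __name__ == "__main__":
    index = extract_strings(SAMPLE)
    for h in index:
        print(f"{h.offset:6d} {h.encoding:9} {h.text}")
    print("indexed 'acct':", [h.offset for h in indexed_search(index, r"acct")])
    print("live    'acct':", [(h.offset, h.encoding) for h in live_search(SAMPLE, r"acct")])
    print("indexed 'pwd': ", [h.offset for h in indexed_search(index, r"pwd")])
    print("live    'pwd': ", [h.offset for h in live_search(SAMPLE, r"pwd")])
```

The byte offsets returned are what ''ifind'' then needs to map a hit in unallocated space back to a metadata entry, and ''istat'' to describe it. The example also shows why PTK keeps both modes: the index is quick to query but misses ''pwd'' (below MIN_LEN), while the live search reads every byte and therefore scales with the size of the evidence.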
==Data Unit==

Data Unit is the PTK feature for analyzing a disk at a low level: it shows the allocation list of the image and the content of a single sector or of a range of sectors.

The allocation list is generated with ''dls'' (renamed ''blkls'' in TSK 3.0).


==RAM Dump Analysis==

Memory dump analysis is done through the Volatility framework (https://www.volatilesystems.com).

At the moment the latest Volatility version supported is 1.3, and memory dumps from Windows XP SP2 and SP3 systems are supported.
It is possible to perform a string search in both ASCII and Unicode.
Just like all other evidence, the results can be added to the PTK bookmarks.

The RAM Dump Analysis section provides:

*Date and time of the dump
*Running processes
*Open network sockets
*Open network connections
*DLLs loaded by each process
*Files opened by each process
*Registry handles opened by each process
*A process's addressable memory
*OS kernel modules
*Mapping of physical offsets to virtual addresses (string to process)
*Virtual Address Descriptor (VAD) information
*Scanning: processes, threads, sockets, connections, modules
*Extraction of executables from memory samples
*Transparent support for a variety of sample formats (e.g. crash dump, hibernation file, dd raw dump)
*Automated conversion between formats


'''RAM DUMP ANALYSIS – KEYWORD SEARCH'''

PTK also allows string searches on a RAM dump.
Keyword searches can be run in the following formats:

*ASCII
*Unicode

Regular-expression searches are also possible in this section.
All results can be added to the investigator's personal bookmarks.
Live search on the content of the RAM dump runs ''srch_strings'' + ''grep''.


==Bookmark==

The bookmark section lets investigators create bookmarks for the evidence found during analysis. A bookmark (link) can be created for:

*A single file
*Part of a file
*A search result
*A timeline event

Bookmarks can be generated from all PTK sections.
One or more tags can be associated with each bookmark to simplify and order the results.


'''BOOKMARK - PROFILING'''

Each investigator has his own bookmark list for every case assigned to him.
It is also possible to display only the bookmarks of a single investigator.
The PTK admin can see the full list of bookmarks created by all investigators.


==Report==

Investigators can generate PDF reports of the evidence found during analysis, including thumbnails of the graphic evidence.
Reports contain case and image information and can be viewed in full through the interface.


==Multi Investigator System - Case Lock==

PTK enforces case access at several levels according to policies decided in advance.
Only the Master Investigator has access to all cases; the other investigators have access solely to the cases assigned to them.

Moreover, at any time the Master Investigator can LOCK a case, denying access to every other investigator.


'''MULTI USERS – USER CREATION'''

Every investigator has a separate section of the database in which he stores and manages his personal bookmarks.
There is no limit to the number of investigators that can be created.


==Logging==

For every operation performed PTK generates a log entry, and the log can be exported. From the logs the users' activity can be reconstructed. Logs are rotated daily.


==Dashboard==

Starting with version 1.0, the info zone of the application includes a dashboard for monitoring system status, showing:

*Free memory
*Average CPU usage
*Free disk space
*Used disk percentage


==RoadMap==

*Q1 2009
**Automated data carving process

*Q2 2009
**Hash set comparison (ability to include the NSRL hash set)
**PST mail archive parsing

*Q3 2009
**Microsoft Windows Registry parsing


==Installation How-to==

*[http://ptk.dflabs.com/practice_case.php#mandriva PTK on Mandriva 2009 Server]
*[http://ptk.dflabs.com/practice_case.php#fedora PTK on Fedora 8]
*[http://ptk.dflabs.com/practice_case.php#ubuntu_810 PTK on Ubuntu 8.10]
*[http://ptk.dflabs.com/practice_case.php#xampp_167 PTK using XAMPP 1.6.7 (Linux version)]
*[http://ptk.dflabs.com/practice_case.php#macosx PTK on Mac OS X using XAMPP 0.7.3 (Mac version)]
*[http://ptk.dflabs.com/practice_case.php#centos PTK on CentOS]

==References==

[http://ptk.dflabs.com PTK Official Site]

[[Category:Computer Forensics]]
[[Category:Unix]]

Revision as of 06:36, 17 April 2012
