2. Chronology
The first version, PTK 0.1 beta, February 2008
Second version, PTK 0.2 beta, July 2008
First stable release, PTK 1.0, November 2008
www.dflabs.com - ptk.dflabs.com 2
3. Sites and references
Official website, ptk.dflabs.com
Download repository, Sourceforge
Forum (eng), Sourceforge
TSK wiki: wiki.sleuthkit.org
SANS Institute, Forensics division
5. Autopsy: its limits
The current interface is somewhat outdated.
It is neither easy to use nor friendly.
The case management section is more complex than it needs
to be and could be simplified.
The file activity timeline is not very functional and is
difficult to consult.
Case export and sharing are difficult when several
investigators need to work on the same case from different
computers (there is no synchronization).
6. Overview
A new advanced interface for The Sleuth Kit, but not only...
Dynamic web application backed by a centralized
database
o Several investigators can work simultaneously on the same case
o Indexing engine, to extract as much information as possible in
the shortest time
o Web based, Ajax technology
PTK adds a number of features on top of the current TSK.
7. Web Based
Installation on a single central system (the forensic
workstation)
One database for all investigations
Remote access to the web interface
Several investigators access the cases assigned to them
through the browser
All sensitive data are stored on a single server
PTK can be easily extended through plug-in integration
Access from any system - Windows, Linux, Mac, etc.
9. Why use Ajax?
More dynamic
More usable
Fewer page loads than Autopsy
Better application performance
10. PTK security
PTK is a web application for workgroup use. It must be used
according to the fundamentals of forensic practice:
The lab network must be separated from the rest of the
world.
Furthermore, during PTK development several programming
countermeasures were adopted to protect against potential
threats.
11. PTK security – XSS prevention
XSS prevention:
o the user never passes through pages that expose GET
variables
o "middle pages" that use GET variables employ them to build
SQL queries, not to generate HTML code
o these variables are checked against "dangerous characters"
o every single user input is screened (parsed) and secured
12. PTK security – SQL injection – Ajax bridging
SQL injection prevention:
o user input control/verification; escape sequences are added to the
special characters present in SQL statement strings
Ajax bridging prevention:
o PTK does not use Ajax bridging
o No JavaScript code is imported from external sites
o No external components are required (no contact with any external,
untrusted source)
13. PTK security – OWASP compliance
The Open Web Application Security Project (OWASP) is a
worldwide free and open community focused on improving
the security of application software.
PTK includes a collection of PHP functions that sanitize user
input.
Before running a command that requires the PTK shell, the
input parameters are cleaned.
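The slides above describe how PTK 1.0 defends itself: GET parameters are checked against a list of "dangerous characters", special characters are escaped before SQL strings are built, and parameters are cleaned before a command is run through the PTK shell. As an added illustration (this is not PTK's code), the Python below puts that character-blacklist approach next to the allow-list validation and parameterised query a reviewer would ask for, and shows the difference between assembling an icat command line as a shell string and as an argv list. The bookmark table, the DANGEROUS set and META_ADDR_RE are assumptions, and sqlite3 stands in for MySQL.

```python
import re
import sqlite3

# Constructed, in-memory schema standing in for PTK's MySQL tables (assumption:
# the real table names and columns are not given on the slides).
SCHEMA = """
CREATE TABLE bookmark (id INTEGER PRIMARY KEY, case_id INTEGER,
                       investigator TEXT, note TEXT);
INSERT INTO bookmark VALUES (1, 1, 'alice', 'suspicious executable');
INSERT INTO bookmark VALUES (2, 2, 'bob', 'note belonging to another case');
"""

# The kind of "dangerous characters" list the slides describe (assumption).
DANGEROUS = set("'\";\\-#")


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def bookmarks_concat(db, case_id_param):
    """Deliberately vulnerable: the GET value is pasted into the SQL text."""
    sql = "SELECT id FROM bookmark WHERE case_id = " + case_id_param
    return sorted(row[0] for row in db.execute(sql))


def bookmarks_blacklist(db, case_id_param):
    """Slide 11's approach: refuse inputs containing dangerous characters,
    then concatenate anyway.  A numeric context needs no quotes, so the
    payload '1 OR 1=1' passes the check and still widens the query."""
    if any(ch in DANGEROUS for ch in case_id_param):
        raise ValueError("dangerous characters in input")
    sql = "SELECT id FROM bookmark WHERE case_id = " + case_id_param
    return sorted(row[0] for row in db.execute(sql))


def bookmarks_param(db, case_id_param):
    """Allow-list the shape of the value, then bind it as a parameter: the
    value can never change the structure of the statement."""
    if not re.fullmatch(r"[0-9]{1,9}", case_id_param):
        raise ValueError("case_id must be a positive integer")
    rows = db.execute("SELECT id FROM bookmark WHERE case_id = ?",
                      (int(case_id_param),))
    return sorted(row[0] for row in rows)


# TSK metadata address as accepted by icat: an inode number, optionally
# followed by attribute type and id for NTFS, e.g. "1234" or "1234-128-3".
META_ADDR_RE = re.compile(r"[0-9]+(-[0-9]+(-[0-9]+)?)?")


def icat_shell_string(image, meta_addr):
    """Deliberately unsafe: a command line assembled as one string for a
    shell (the pattern the 'PTK shell' cleaning step has to guard against)."""
    return "icat " + image + " " + meta_addr


def icat_argv(image, meta_addr, sector_offset=None):
    """Safe form: validate each parameter against an allow-list and build an
    argv list for subprocess.run(argv) with no shell involved."""
    if not META_ADDR_RE.fullmatch(meta_addr):
        raise ValueError("invalid metadata address: %r" % meta_addr)
    if sector_offset is not None and not re.fullmatch(r"[0-9]+", str(sector_offset)):
        raise ValueError("invalid sector offset")
    argv = ["icat"]
    if sector_offset is not None:
        argv += ["-o", str(sector_offset)]
    return argv + [image, meta_addr]
```

The point of the second function is that a character blacklist protects quoted string contexts at best; in a numeric comparison nothing needs quoting, so `1 OR 1=1` passes the check unchanged and returns another case's bookmark. Binding the value as a parameter, after confirming its shape, removes the whole class of problem, and the same allow-list discipline applies to every argument handed to a TSK binary.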
14. Features
Main features :
o Indexing Engine
o Dynamic Timeline
o Keyword search
o Gallery view
o File Analysis
o Bookmarking
PTK was designed from the ground up to integrate with
external tools:
o Memory dump analysis (Volatility)
o F-Response
o RegRipper, etc.
15. Other Features
Tree view facilitates navigation inside the evidence
Filtering engine
Tab management gives fast, practical access to
file content
All operations are traced in the log
Image integrity can be checked at any time (MD5 and
SHA-1)
Multiple investigations
Several browsers such as Safari, Firefox and Chrome are now
supported.
18. Indexing engine
String extraction (ASCII and Unicode) from:
o Allocated space
o Unallocated space
o Slack space (NTFS and FAT)
Timeline generation
o Textual timeline
o Graphical timeline (new)
Hash of every file in the image
o MD5
o SHA-1
19. Indexing engine
Categorization (graphics, documents, executables, etc.)
Further features such as data carving are planned
The results of the indexing operations are stored in
the database, from where they can be easily accessed.
20. Indexing engine version 0.2
Indexers: MD5, SHA-1, keyword, file type, timeline
o The MD5, SHA-1, keyword and file type indexers each ran icat
separately to read the file content
o All five indexers wrote their results to MySQL separately
21. Indexing engine version 1.0
Indexers: MD5, SHA-1, keyword, file type, timeline
o icat output is shared between indexers (two icat runs instead of four)
o Results are written to MySQL in shared queries (three instead of five)
Optimized use of the icat command
Reduced number of queries towards MySQL
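Slides 15, 18, 19 and 21 together describe what the 1.0 indexing engine does per file: read the content once through icat, compute MD5 and SHA-1, categorise the file, store the record, and let the investigator re-verify the image hashes at any time. The following added example (not PTK's own code) implements that single-pass design in Python; the magic-number table, the record layout and the sample files are constructed for the illustration, and in production the stream would be icat's stdout rather than an in-memory buffer.

```python
import hashlib
import io

CHUNK = 64 * 1024

# Magic-number table used for the "categorization" step. Assumption: PTK's own
# category rules are not described on the slides; these are common signatures.
MAGIC = [
    (b"\xff\xd8\xff", "graphics"),           # JPEG
    (b"\x89PNG\r\n\x1a\n", "graphics"),      # PNG
    (b"GIF8", "graphics"),                   # GIF
    (b"%PDF-", "documents"),                 # PDF
    (b"\xd0\xcf\x11\xe0", "documents"),      # OLE2 compound file (.doc/.xls)
    (b"MZ", "executables"),                  # PE/DOS executable
    (b"\x7fELF", "executables"),             # ELF
]


def digest_stream(stream):
    """One read of the content feeds MD5, SHA-1, the file type sniff and the
    size together, instead of re-running icat for every indexer."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    head, size = b"", 0
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        if not head:
            head = chunk[:16]
        md5.update(chunk)
        sha1.update(chunk)
        size += len(chunk)
    return md5.hexdigest(), sha1.hexdigest(), head, size


def categorize(head):
    for magic, category in MAGIC:
        if head.startswith(magic):
            return category
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "text"
    return "other"


def index_file(path, meta_addr, stream):
    """Produce the record the indexing engine stores in the database."""
    md5, sha1, head, size = digest_stream(stream)
    return {"path": path, "meta_addr": meta_addr, "size": size,
            "md5": md5, "sha1": sha1, "category": categorize(head)}


def verify_image(stream, expected_md5, expected_sha1):
    """Integrity check of an evidence image against the hashes recorded at
    acquisition time: both digests must match."""
    md5, sha1, _, _ = digest_stream(stream)
    return md5 == expected_md5 and sha1 == expected_sha1


# Constructed sample "files" standing in for icat output (assumption: in
# production the stream would be the stdout of icat on the evidence image).
SAMPLE_FILES = {
    "/photos/img001.jpg": ("10-128-1", b"\xff\xd8\xff\xe0" + b"\x00" * 100),
    "/win/calc.exe":      ("11-128-1", b"MZ\x90\x00" + b"\x00" * 60),
    "/docs/notes.txt":    ("12-128-1", b"abc"),
}


def run_index(files=SAMPLE_FILES):
    return [index_file(path, meta, io.BytesIO(data))
            for path, (meta, data) in files.items()]


if __name__ == "__main__":
    for record in run_index():
        print(record["category"], record["md5"], record["path"])
```

Both MD5 and SHA-1 are adequate for detecting accidental corruption of an image, but collisions for both are practical today, so a record meant to stand up against deliberate tampering should carry a SHA-256 as well.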
22. Installation - agenda
libewf and AFFLIB support
TSK "The Sleuth Kit" v3.0.0
LAMP (Linux+Apache+MySQL+PHP) or
XAMPP
PTK 1.0
23. Libewf support
The Expert Witness Compression Format (EWF) is used to
store media images. It can store disk and partition
images, compressed or uncompressed. EWF can store
a single image in one or more segment files. Each
segment file consists of a standard header, followed by
multiple sections. A single section cannot span multiple
files. Sections are arranged back-to-back.
24. Libewf installation
Download the latest version released on the website:
Extract the downloaded archive:
Compile and install:
25. Afflib support
The Advanced Forensic Format (AFF®) and AFF Library
(AFFLIB®) are a joint development project of Simson L.
Garfinkel and Basis Technology Corp. AFF and
AFFLIB may be used royalty free and without limitation.
Technology that incorporates AFFLIB must
acknowledge this fact and note the technology
copyright agreement.
26. Afflib support
Comparison between AFF and EnCase (all values in MB).
Test on a 6 GB disk.
Format            Zeros   Shakespeare   Random
AFF -X1           28      2879          6301
AFF -X6           6       2450          6301
AFF -X9           6       2443          6301
EnCase "Good"     33      3066          6303
EnCase "Best"     12      2846          6303
The disk was written with:
All zeros
All of Shakespeare's works, repeated 1,200 times
Random data
AFF uses gzip compression at three levels, i.e. 1, 6 and 9.
27. Afflib installation
Download the latest version released on the website:
Extract the downloaded archive:
Compile and install AFFLIB:
28. TSK 3.0
Version 3.0.0, new features:
o Detects orphan files
o MBR and file allocation tables accessible as files in the
root directory
o Birth (creation) time added for the NTFS file system
o Detection of files deleted from the NTFS file system
Uses the backup MBR if the main MBR is
damaged
29. TSK 3.0 installation
Download the latest version available on the website:
Extract the downloaded archive:
Compile and install TSK:
30. TSK 3.0 check
Check that the installed tools work correctly:
31. LAMP, manual installation
Install the following software separately:
o Apache
o MySQL
o PHP
Make sure that the packages are installed correctly and that
they interact with each other.
To check that everything works, it suffices to test
the following PHP code:
32. Installation
Download the latest version available on the website:
Extract the downloaded archive:
Open the PHP configuration file:
34. PTK 1.0 Installation
Download the latest version available on the
website:
Extract the downloaded archive into the Apache document root:
o XAMPP: /opt/lampp/htdocs
o Ubuntu: /var/www/
o Gentoo: /var/www/localhost/htdocs
35. PTK 1.0 Installation
Open the page http://localhost/ptk/install.php:
Select the distribution on which PTK is installed:
36. PTK 1.0 Installation
Enter the host, port and access credentials of the MySQL service:
Enter the credentials of the MySQL account PTK will use:
37. PTK 1.0 Installation
Enter PTK's administrator credentials:
Click "configure" to finish the installation.
38. PTK 1.0 Installation
At the end of the installation, support images are shown.
42. Use PTK - agenda
File analysis
Timeline
Keyword search
Gallery
Data unit
Bookmark
Report
Dashboard
RAM dump analysis
Multi-user
43. File Analysis
The File Analysis section lets investigators browse the entire
disk tree and explore the contents of every directory. File
contents can be viewed in the following formats:
o ASCII
o ASCII strings
o Hex dump
o Image preview (for graphical files)
Investigators have full access to the information contained
in every allocated or unallocated file.
o All operations are fast and immediate thanks to the tree view and
to the tab system.
Bookmark results for further in-depth analysis
46. File Analysis: Filtering
PTK offers a filtering system during file analysis that lets
investigators focus their attention only on specific files.
The filtering features make it possible to:
o Apply a simple textual filter on the file names inside
the directory.
o Apply an advanced filter based on file type or on MACB
date intervals.
48. File Analysis: Ajax pagination
With Autopsy, loading large files during File Analysis
could slow down or even crash the browser.
To solve this problem an Ajax content pagination
mechanism was introduced. It lets investigators:
o Browse through pages that contain the extracted output.
o Jump to a specific page.
o Set the size (in units) of the page to display.
o Enable/disable pagination.
Bookmark results for further in-depth analysis.
50. Timeline
The timeline helps investigators focus on relevant information based
on timestamps.
It shows the temporal sequence of all file activity,
including that of unallocated files.
o These activities are traced through the analysis of known metadata, i.e. the
MACB times (Modified, Accessed, Changed, Birth)
Two timeline types are available to investigators:
o Tabular: sortable fields, file analysis features and export
o Graphical: the behaviour of every activity on the file system; a useful tool for
visualizing peaks of accesses, modifications or creations
Bookmark results for further in-depth analysis.
Tools: fls + mactime
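The timeline slide names the tools behind it (fls + mactime), and the filtering slide (46) describes filtering on MACB date intervals. The Python below is an added example, not the page's or TSK's code: it parses the bodyfile format that `fls -m` emits in TSK 3.x, expands each entry into one event per timestamp with mactime's four-character macb flags, and filters the result by time interval or name. The sample bodyfile lines are constructed.

```python
from datetime import datetime, timezone

# Constructed bodyfile lines in the format produced by `fls -m` in TSK 3.x:
# MD5|name|meta_addr|mode|uid|gid|size|atime|mtime|ctime|crtime
# (the MD5 column is 0 because fls does not hash the content).
BODYFILE = """\
0|/Documents/report.doc|1234-128-1|r/rrwxrwxrwx|0|0|40960|1225456000|1225366000|1225366000|1225280000
0|/Windows/System32/svchost32.exe (deleted)|5678-128-2|r/rrwxrwxrwx|0|0|8192|1225456000|1225456000|1225456000|1225456000
0|/pagefile.sys|9999-128-1|r/rrwxrwxrwx|0|0|0|0|0|0|0
"""

# Column order of the macb flags in mactime's output: M, A, C, B.
FLAG_ORDER = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


def parse_bodyfile(text):
    """Parse bodyfile lines into dicts; the ' (deleted)' suffix fls appends
    to unallocated entries is turned into a flag."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError("malformed bodyfile line: %r" % line)
        name = f[1]
        deleted = name.endswith(" (deleted)")
        rows.append({"name": name[:-10] if deleted else name, "deleted": deleted,
                     "meta_addr": f[2], "mode": f[3], "size": int(f[6]),
                     "atime": int(f[7]), "mtime": int(f[8]),
                     "ctime": int(f[9]), "crtime": int(f[10])})
    return rows


def build_timeline(rows):
    """mactime's core: one event per (timestamp, file), with a 4-char macb
    string showing which of the four timestamps fired.  Zero timestamps are
    skipped, as mactime does by default."""
    events = {}
    for row in rows:
        for key, letter in FLAG_ORDER:
            ts = row[key]
            if ts == 0:
                continue
            ev = events.setdefault((ts, row["name"]), {
                "ts": ts, "name": row["name"], "meta_addr": row["meta_addr"],
                "size": row["size"], "deleted": row["deleted"], "flags": set()})
            ev["flags"].add(letter)
    out = []
    for (ts, name), ev in sorted(events.items()):
        ev["macb"] = "".join(l if l in ev["flags"] else "." for _, l in FLAG_ORDER)
        del ev["flags"]
        out.append(ev)
    return out


def filter_events(events, start=None, end=None, name_contains=None):
    """The MACB-interval and file-name filters of the File Analysis slide."""
    return [e for e in events
            if (start is None or e["ts"] >= start)
            and (end is None or e["ts"] <= end)
            and (name_contains is None or name_contains.lower() in e["name"].lower())]


def format_event(e):
    when = datetime.fromtimestamp(e["ts"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return "%s %8d %s %s %s%s" % (when, e["size"], e["macb"], e["meta_addr"],
                                  e["name"], " (deleted)" if e["deleted"] else "")


if __name__ == "__main__":
    for e in build_timeline(parse_bodyfile(BODYFILE)):
        print(format_event(e))
```

An entry whose four timestamps are identical, as for the deleted executable above, collapses into a single "macb" event, which is exactly the creation-time cluster an analyst looks for when hunting for a dropped file.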
53. Keyword search
The Keyword Search section offers two main features:
o Indexed search: a thorough search among the
keywords extracted during the indexing operations
o Live search: a direct search on the evidence
Regular expressions are supported, and frequently used
regexps can be saved to a file.
Bookmark results for further in-depth analysis
57. Keyword search – DFTT tests
DFTT test                    Passed
Extended partition test      X
FAT keyword search           X
NTFS keyword search          X
EXT3FS keyword search        X
FAT daylight saving test     X
FAT undelete test            X
NTFS undelete test           X
JPEG search test             -
58. Gallery
The Gallery lets investigators view and manage
graphical evidence.
Images can be bookmarked, exported and analyzed
through the user interface.
Renders image thumbnails
Tool for extracting graphical content: icat
60. Data Unit
Enables raw-level disk analysis, including:
o viewing an image's "allocation list", which gives
information about sector allocation
o content analysis of a sector or of a range of sectors
o allocation list generation: dls
61. Data Unit - screenshots
62. Bookmark
This section lets investigators create bookmarks for the
evidence found during analysis. A bookmark can refer to:
o a single file
o a portion of a file
o a search result
o a timeline event
Bookmarks can be generated from all PTK sections
One or more tags can be associated with every bookmark,
simplifying the organization of results.
64. Bookmark - outline
Every investigator builds his own bookmark list for every
case assigned to him
An investigator can view only his own bookmarks
Only the Master Investigator is allowed to view other
investigators' bookmarks.
65. Report
PTK lets investigators generate PDF reports of the
evidence found during analysis.
Reports contain case information and images. They are generated
from the bookmarks added by users.
Reports are viewed from the interface.
Evidence thumbnails can be included in graphical format.
67. Dashboard
Starting with version 1.0, the application info zone includes a
practical dashboard that helps monitor the system status. It
shows:
o Free memory
o Average CPU usage
o Free disk space
o Disk usage percentage
The investigator can choose to hide or show the dashboard
during analysis.
68. RAM Dump analysis
Memory dump analysis is performed through the Volatility
framework (https://www.volatilesystems.com).
o For the moment the supported version is 1.3
o Memory dumps from Windows XP SP2 and SP3 are
supported.
String searches can be run in both ASCII and
Unicode format.
Results can be added to PTK bookmarks just like other
evidence.
69. RAM Dump analysis : features
Date and time
Running processes
Open network sockets
Open network connections
DLLs loaded for each process
Open files for each process
Open registry handles for each process
A process' addressable memory
OS kernel modules
Mapping physical offsets to virtual addresses (strings to process)
Virtual Address Descriptor information
Scanning examples: processes, threads, sockets, connections,modules
Extract executables from memory samples
Transparently supports a variety of sample formats (i.e. crash dump,
hibernation file, dd)
Automated conversion between formats
71. RAM dump analysis – keyword search
PTK enables string searches on RAM memory dumps.
Keyword searches can be launched in the following formats:
o ASCII
o Unicode
Regular expressions are supported.
All search results can be bookmarked.
Live search on RAM content: srch_strings + grep
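Both keyword search slides (53 and 71) describe the same mechanism for live search: srch_strings extracts ASCII and Unicode strings with their offsets, and grep applies the regular expression. The Python below is an added example, not PTK's code, that emulates that pipeline on an in-memory buffer: printable ASCII runs and UTF-16LE runs (the `-e l` encoding of srch_strings) are extracted with their byte offsets and then searched with a regex. The sample dump fragment is constructed.

```python
import re

MIN_LEN = 4  # same default minimum string length as strings/srch_strings

# Runs of printable ASCII, and runs of printable ASCII encoded as UTF-16LE
# (each character followed by a zero byte), as srch_strings -e l finds them.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(buf):
    """Emulates `srch_strings -t d` plus `srch_strings -t d -e l`: returns
    (byte offset, encoding, text) for printable ASCII and UTF-16LE runs,
    sorted by offset."""
    found = []
    for m in ASCII_RUN.finditer(buf):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16LE_RUN.finditer(buf):
        found.append((m.start(), "utf16le", m.group().decode("utf-16-le")))
    return sorted(found)


def search(buf, pattern, ignore_case=True):
    """The grep step: run a regular expression over every extracted string
    and report where in the dump each hit lives."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [(off, enc, text) for off, enc, text in extract_strings(buf)
            if rx.search(text)]


# Constructed memory-dump fragment (assumption: real dumps are far larger and
# noisier). An ASCII command line and a UTF-16LE URL, separated by junk bytes.
SAMPLE_DUMP = (b"\x00\x01"
               + b"cmd.exe /c whoami"
               + b"\xff\xfe"
               + "http://evil.example/payload".encode("utf-16-le")
               + b"\x00\x00zz")


if __name__ == "__main__":
    for offset, encoding, text in search(SAMPLE_DUMP, r"evil\.example|whoami"):
        print("%8d %-8s %s" % (offset, encoding, text))
```

Searching the raw bytes directly with an ASCII regex would miss the URL entirely, because every other byte of a UTF-16LE string is zero; that is why PTK runs the search in both formats.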
73. Multi-user – Case Lock
PTK enables case management at various levels
Only the Master Investigator has access to all cases.
An investigator has access only to the cases assigned to him.
The Master Investigator can decide to use the Lock feature on
a case at any moment. This feature forbids access to the case.
74. Multi-user – User management
An unlimited number of investigators can be created
Every investigator has his own area in the database where he
saves his own bookmarks.
75. Multi-user – Roles
Permission                   Master Investigator   Investigator
New case creation
Case removal
Case locking
Display case information
Adding new image
Image removal
Display image information
Image analysis
Integrity check
Bookmark generation
76. Multi-user – simultaneous work 1
The administrator may add new cases and select the
investigators who are allowed to access them.
77. Multi-user – simultaneous work 2
Several investigators can work on the same case
simultaneously.
78. Multi-user – simultaneous work 3
The administrator activates the lock on CASE1.
79. Multi-user – simultaneous work 4
Now only the administrator can access CASE1, while the
case is locked for the others.
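The bookmark outline (slide 64) and the multi-user slides (73-79) state the access rules in prose: the Master Investigator sees every case and every bookmark, an investigator sees only assigned cases and only his own bookmarks, and a locked case is closed to everyone but the Master. The Python below is an added model of those rules (not PTK's code) that also records every operation, as the logging slide requires; it treats the "Administrator" of slides 76-79 as the Master Investigator role, which is an assumption, and the user and case names are constructed.

```python
MASTER, INVESTIGATOR = "master", "investigator"


class PTKAccess:
    """In-memory model of the rules stated on the multi-user slides.
    The 'Administrator' of slides 76-79 is taken to be the Master
    Investigator role (assumption)."""

    def __init__(self):
        self.users = {}      # name -> role
        self.cases = {}      # case name -> {"assigned": set(), "locked": bool}
        self.bookmarks = []  # (case, owner, description)
        self.log = []        # (user, operation, target), one entry per operation

    def _record(self, user, op, target):
        self.log.append((user, op, target))

    def _require_master(self, user, op, target):
        if self.users.get(user) != MASTER:
            self._record(user, op + " DENIED", target)
            raise PermissionError("%s may not %s" % (user, op))

    def add_user(self, name, role):
        if role not in (MASTER, INVESTIGATOR):
            raise ValueError("unknown role")
        self.users[name] = role

    def new_case(self, master, case, investigators=()):
        self._require_master(master, "create case", case)
        self.cases[case] = {"assigned": set(investigators), "locked": False}
        self._record(master, "create case", case)

    def lock(self, master, case, locked=True):
        self._require_master(master, "lock case", case)
        self.cases[case]["locked"] = locked
        self._record(master, "lock case" if locked else "unlock case", case)

    def can_access(self, user, case):
        """Master: every case, locked or not.  Investigator: only assigned
        cases, and only while the case is not locked."""
        role = self.users.get(user)
        c = self.cases[case]
        if role == MASTER:
            return True
        return role == INVESTIGATOR and user in c["assigned"] and not c["locked"]

    def add_bookmark(self, user, case, description):
        if not self.can_access(user, case):
            self._record(user, "bookmark DENIED", case)
            raise PermissionError("%s has no access to %s" % (user, case))
        self.bookmarks.append((case, user, description))
        self._record(user, "bookmark", case)

    def visible_bookmarks(self, user, case):
        """Investigators see their own bookmarks; only the Master sees all."""
        if not self.can_access(user, case):
            raise PermissionError("%s has no access to %s" % (user, case))
        return [b for b in self.bookmarks
                if b[0] == case and (self.users[user] == MASTER or b[1] == user)]


def demo():
    """Replays slides 76-79: two investigators on CASE1, then the lock."""
    ptk = PTKAccess()
    ptk.add_user("admin", MASTER)
    ptk.add_user("alice", INVESTIGATOR)
    ptk.add_user("bob", INVESTIGATOR)
    ptk.add_user("carol", INVESTIGATOR)   # never assigned to CASE1
    ptk.new_case("admin", "CASE1", investigators=["alice", "bob"])
    ptk.add_bookmark("alice", "CASE1", "deleted svchost32.exe")
    ptk.add_bookmark("bob", "CASE1", "outbound connection at 11:33")
    before_lock = (ptk.can_access("alice", "CASE1"), ptk.can_access("carol", "CASE1"))
    ptk.lock("admin", "CASE1")
    after_lock = (ptk.can_access("alice", "CASE1"), ptk.can_access("admin", "CASE1"))
    return ptk, before_lock, after_lock


if __name__ == "__main__":
    ptk, before, after = demo()
    print("alice/carol before lock:", before, " alice/admin after lock:", after)
    for entry in ptk.log:
        print(entry)
```

Denied attempts are logged as well as successful ones; a lock that silently fails closed without a trace would leave the Master with no record of who tried to reach the case while it was sealed.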
80. PTK logging
PTK generates a log entry for every operation
Logs are generated for every user category
Logs can be exported
81. PTK vs FTK imager
90. PTK – troubleshooting – EWF support
The file system type of an EnCase image is not recognized
Solution:
Install libewf support
92. PTK - Roadmap
AFF extensions [end of 2008]
PST, DBX mail archive support [end of 2008]
RegRipper integration [end of 2008]
Hash set comparison [end of 2008] (ability to include the NSRL hash set)
Case migration [Q1 2009] (ability to export and import cases)
Single binary launcher [Q1 2009] (no need to install MySQL and Apache)
Incident Response mode (PTK-IR) [Q1 2009]
(enables PTK to be included on a Linux live CD for first response
activities)
Data carving process [Q2 2009]
93. PTK – Roadmap features