PTK 1.0 official presentation

PTK 1.0 The first official presentation

Chronology
 The first version, PTK 0.1 beta, February 2008
 Second version, PTK 0.2 beta, July 2008
 First stable release, PTK 1.0, November 2008

 PTK logo

www.dflabs.com - ptk.dflabs.com 2

Sites and references
 Official website, ptk.dflabs.com
 Download repository, Sourceforge
 Forum (eng), Sourceforge
 Wiki TSK: wiki.sleuthkit.org

 SANS Insitute, Forensics division


General Statistics


Autopsy: its limits
 The current interface is slightly outdated.
 It is neither easy to use nor friendly.
 The case management section is a bit too complex.
Therefore it can be simplified.
 File activity timeline not that functional and also a bit
difficult to consult.
 Case export and sharing may be difficult in case more
investigators need to work on the same case from different
computers (lack of synchronization).


Overview
 A new advanced interface for the „Sleuthkit‟, but not only...
 Dynamic web application with the support of a centralized
database
o More investigators can work silumtaneously on the same case
o Indexing engine in order to get as many information as possible in
the shortest period of time.
o Web Based, Ajax-technology

 PTK adds a number of features to the current TSK.


Web Based
 Installation on a unique central system (Forensics
Workstation)
 One database for all investigations
 Remote access to the web interface
 More investigators have access through the browser to the
cases assigned to them
 All sensitive data are stored on a single server
 PTK can be easily extended through plug-in integration
 Access from all systems - Windows, Linux, Mac, etc.


PTK: LAMP based


Why use Ajax?
 More dynamic
 More usable
 The page loads are reduced compared to Autopsy
 Better application performance


PTK security
PTK is a web application for workgroup use. It must be used
according to the forensics fundamentals:

The lab network must be separated by the rest of the
world

Furthermore, during the PTK development, several
programming counter measures have been adopted in order
to guarantee the right protection against potential threats.


PTK security – xss prevention

XSS prevention:
o the user does not pass thru pages which show GET
variables “middle pages” which use GET variables, employ
such variables to create SQL query, not for html code
generation the variables were checked against
“dangerous characters” every single user input is sceened
(parsed) and secured.


PTK security – MySQL injection – ajax bridging

SQL Injection prevention:
o user input control/verification addiction of escape sequences to the
special characters present in the SQL instruction strings

Ajax Bridging prevention:
o PTK does not use Ajax Bridging
o No Javascript code import from external sites
o No external components required (no contacts with any external
untrusted source)


PTK security – OWASP compliance
 The Open Web Application Security Project (OWASP) is a
worldwide free and open community focused on improving
the security of application software.
 A collection to include PHP functions that sanitize user
inputs.
 Before running a command that requires the use of the PTK
shell, perform an input parameters cleaning.


Features
 Main features :
o Indexing Engine
o Dynamic Timeline
o Keyword search
o Gallery view
o File Analysis
o Bookmarking

 PTK was entirely projected so as to integrate with any
external tool.
o Memory Dump Analysis (Volatility)
o F-Response
o Reg-ripper etc.


Other Features
 Tree-view facilitates navigation inside the evidence
 Filtering Engine
 Tab management enables a fast and pragmatical access of
the file content
 Trace of all operations run inside the log
 Possibility to check image integrity all the time (md5 and
sha1)
 Multi-investigation
 Several browsers such as Safari, FireFox, Chrome are now
supported.


PTK general schema


PTK structure


Indexing engine
 String Extraction (ASCII & Unicode) from the space:
o Allocated
o Unallocated
o Slack (NTFS and FAT)

 Timeline generation
o Textual timeline
o Graphic timeline (new)

 Hash of all files in the imagine
o MD5
o SHA1


Indexing engine

 Categorization (graphics, documents, executables, etc.)
 Other future features such as Data Carving
 The results obtained from indexing operations are stored
inside the database from where they can be easily accessed.


Indexing engine version 0.2

Md5 Sha1 Keyword Filetype Timeline

icat icat icat icat

MySQL MySQL MySQL MySQL MySQL


Indexing engine version 1.0

Md5 Sha1 Keyword Filetype Timeline

icat icat

MySQL MySQL MySQL

 Optimized use of the icat command
 Reduced number of queries towards MySQL


Installation - agenda
 LibEwf and Afflib support
 TSK “The Sleuth Kit” v.3.0.0
 LAMP (Linux+Apache+MySQL+PHP) or
 XAMP
 PTK 1.0


Libewf support

The Expert Witness Compression Format (EWF) is used to
store media images. It allows to store disk and partition
images, compressed or non-compressed. EWF can store
a single image in one or more segment files. Each
segment file consists of a standard header, followed by
multiple sections. A single section cannot span multiple
files. Sections are arranged back-to-back.


Libewf installation

 Download the last version released on the website:

 Extract the downloaded archive:

 Compile and install:


Afflib support

The Advanced Forensics Format (AFF®) and AFF Library
(AFFLIB®) are a joint development project of Simson L.
Garfinkel and Basis Technology Corp. The AFF and
AFFLIB may be used royalty free and without limitation.
Technology that incorporates the AFFLIB must
acknowledge this fact and note that the technology
copyright agreement.


Afflib support
Comparison between AFF and EnCase (all values are in MB).
Test on 6 disk GB.
Zeroes Shakespeare Random

AFF -X1 28 2879 6301
-X6 6 2450 6301
-X9 6 2443 6301

Encase “Good” 33 3066 6303
“Best” 12 2846 6303

The disk was written with:
 All zeros
 All Shakespeare‟ s works, repeated 1.200 times
 Random data
AFF uses gzip for the compression in three levels, i.e. 1 - 6 - 9


Afflib installation
Download the last version released on the website:

Extract the downloaded archive:

Compile and install afflib:


TSK 3.0

 Version 3.0.0, new features:
o Detects orphan files
o MBR and File Allocation Tables accessible in the
directory root
o Birth time added in NTFS file system
o Detected the files deleted inside the NTFS file system
Uses the backup MBR in case the main MBR is
damaged


TSK 3.0 installation
Download the last version available on the website:


Compile and install TSK:


TSK 3.0 check

 Check the correct functioning of the tools installed:

NOMENCLATURA


LAMP, manual installation

Install the following software separately:

o Apache
o MySQL
o PHP

Make sure that the software are correctly installed and that
they interact
In order to check the correct functioning, it suffices to test
the following php code


Installation

Download the last version available on the website:


Open the php configuration file:


Configuration

Disable the option “register_global”:

Start Lampp:


PTK 1.0 Installation

Download the last version available on the
website:

Extract the archive downloaded in the apache directory:
oLamp /opt/lampp/htdocs
oUbuntu /var/www/
oGentoo /var/www/localhost/htdocs



Open the page http://localhost/ptk/install.php:

Select the distribution on which PTK is installed:



Insert the coordinates and access credentials to the MySQL service

Insert access credentials for the PTK‟s MySQL:



Insert PTK‟ s administrator credentials:

Click „configure‟ in order to finish the installation.



At the end of the installation, support images are shown.


Configuration file, conf.php


Configuration file, conf.pl


Configuration file, mysql.pl, config.inc.php


Use PTK - agenda
 File analysis
 Timeline
 Keywords search
 Gallery
 Data unit
 Bookmark
 Report
 Dashboard
 Ram Dump analysis
 Multi users


File Analysis
 The File Analysis section allows to browse through the entire
disk tree and explore the content of all directories. It is
possible to visualize the contents file in the following formats:
o Ascii
o Ascii Strings
o Hexdump
o Image preview (for graphical files)

 Investigators have full access to the information contained
in every allocated or non-allocated file.
o All operations are fast and immediate thanks to the tree visualization and
to the tab system.
 Bookmark results for a further in-depth analysis


File Analysis: TSK tools

 Disk browsing: fls
 File Ascii: icat
 File AsciiStrings: icat + srch_strings
 File Hexdump: icat + hexdump
 Filetype check: icat + file
 Image Preview: icat


File Analysis - screenshots


File Analysis: Filtering

 PTK offers a filtering system during file analysis enabling
investigators to focus their attention only on specific files.

 Filtering features enable to:
o Apply a simple textual filter on the name of the file inside
the directory.

o Apply an advanced filter based on file type or MACB
data intervals.


File Analysis: Filtering - screenshots


File Analysis: Ajax pagination
 With Autopsy, during File Analysis activities, the upload of big
files could slow down or even determine the browser to crash.

 In order to solve this problem an Ajax contents pagination
mechanism was introduced. This enables investigators to:

o Browse through pages that contain extract output.
o Move to a specific page.
o Set the size (in units) of the page to visualize.
o Enable/Disable pagination.

 Bookmark results for a further in-depth analysis.


File Analysis: Ajax pagination - screenshots


Timeline
 Timeline helps investigators to focus on relevant information based
on timestamp.

 It actually shows the temporal sequence of all file activities, those
non allocated also.
o These activities are traced through the analysis of known metadata such as
MACB time (Modified, Accessed, Changed, Birth)

 Two timeline types are available to investigators:
o Tabulate: fields that can be ordered, file analysis features and export
o Graphics: the behavior of every activity on file system; useful tool in order
to visualize access peaks, modifications or creations

 Bookmark results for a further in-depth analysis.
 Tool= Fls + mactime


Timeline - screenshots


Keywords search
 The Keyword Search section offers two main features:

o Indexed Search: consists of a thorough search among
keywords extracted from indexing operations
o Live Search: runs a direct search on the evidence

 Common expressions support. The possibility to save the
regexp used very often inside a file.
 Bookmark results for a further in-depth analysis


Keywords search - tools

 Live Search: dls + srch_strings + grep
 Live Search information: ifind + istat + grep


Keywords search - screenshots


Keywords search – dftt test

DFTT TEST PASSED

Extended partition test X
FAT Keyword search X
NTFS Keyword search X
EXT3FS Keyword search X
FAT Daylight saving test X
FAT Undeleted test X
NTFS Undeleted test X
JPEG Search test -


Gallery
 The Gallery allows investigators to visualize and manage
graphic evidence.

 Images can be added to bookmark, exported and analyzed
through user interface.

 Rendering image thumbnails

 Extract graphical content: icat


Gallery - screenshots


Data Unit
Enables a raw level disk analysis and enables also:

o the visualization of an image “Allocation list” in order to
supply information regarding sector allocation

o content analysis of a sector or sectors interval

o allocation list generation: dls


Data Unit - screenshots


Bookmark
 This section enables investigators to create bookmarks for the
evidence detected during analysis. Particular reference is being
made to:
o single file
o file portion
o search result
o timeline event
 Bookmarks can be generated by all PTK sections
 One or more tags can be associated with every bookmark
simplifying thus result organization.


Bookmark - screenshots


Bookmark - outline
 Every investigator generates his own bookmark list for every
case assigned to him
 An investigator can visualize only his bookmarks
 Only the Master Investigator is allowed to visualize other
investigators‟ bookmark.


Report
 Thanks to PTK, investigators can generate PDF reports of the
evidence found during analysis activities.

 Reports contain case information and images. They are generated
starting with the bookmarks added by users.

 Reports are visualized from the interface.

 It is possible to include evidence thumbnails in graphical format.


Report - screenshots


Dashboard
 Starting with 1.0 version, the application info-zone includes a
practical dashboard that helps to monitor the system status. It
includes:
o Free Memory
o Medium use of CPU
o Free Disk
o Disk usage percentage

 The investigator can choose to hide or visualize the dashboard
during analysis operations.


RAM Dump analysis
 Memory dump analysis is performed through Volatility
framework (https://www.volatilesystems.com).
o For the moment the supported version is the 1.3
o memory dump from Windows XP SP2 and SP3 are
being supported.
 It is possible to run a string search both in ASCII and
UNICODE format.
 Results can be added to PTK bookmarks just like other
evidence.


RAM Dump analysis : features
Date and time
Running processes
Open network sockets
Open network connections
DLLs loaded for each process
Open files for each process
Open registry handles for each process
A process' addressable memory
OS kernel modules
Mapping physical offsets to virtual addresses (strings to process)
Virtual Address Descriptor information
Scanning examples: processes, threads, sockets, connections,modules
Extract executables from memory samples
Transparently supports a variety of sample formats (ie, Crash dump,
Hibernation, DD)
Automated conversion between formats


RAM Dump analysis – process list


RAM Dump analysis – keywords search
 PTK enables a string search on RAM memory dump.

 It is possible to launch keyword search in the following formats:
o Ascii
o Unicode

 Common expressions are supported.

 All search results can be inserted in the bookmark.
 Live search on RAM content: srch_strings + grep


RAM Dump analysis – keyword search


Multi users - Case Lock
 PTK enables case management at various levels
 Only the Master Investigator has access to all cases.
 An investigator has access only to the cases assigned to him
 The Master Investigator can decide to use the Lock feature for
a case at all moments. This feature forbids case access.


Multi users – Users management

 It is possible to create a unlimited number of investigators
 Every investigator has his own area on the Database where he
saves his own bookmarks.


Multi users – Roles

Master Investigator Investigator

NEW CASE CREATION

CASE REMOVAL

CASE LOCKING
DISPLAY CASE INFORMATION
ADDING NEW IMAGE

IMAGE REMOVAL

DISPLAY IMAGE INFORMATION

IMAGE ANALYSIS

INTEGRITY CHECK

BOOKMARK GENERATION


Multi users – simultaneous work 1

Administrator may add
new cases and select the
related investigator able
to get access to them.



More investigators are
able to work at the
same case
simultaneously



The administrator
activates the Lock to
CASE1



Now, only the
Administrator can get
access to CASE1,
while the case itself is
locked to the others.


PTK logging

 PTK generates a log entry for every operation
 The logs are generated for every user category
 The logs can be exported


PTK vs FTK imager


Alternate Data Stream
Descrizione…


File mismatch


PTK – trubleshooting - TSK
The installer doesn‟t detect TSK tools:

Solution:


PTK – trubleshooting - permission
The installer detects problems with the permissions folder in the PTK
root:

Solution:


PTK – trubleshooting – case adding
It is not possible to add cases to PTK

Solution:


PTK – trubleshooting – php issue
The php code is not interpreted

Solution:


PTK – trubleshooting – memory limit
Memory size error comes up:

Solution:


PTK – trubleshooting – EWF support
The file system type of an EnCase image is not recognized

Solution:
Install libewf support


PTK – trubleshooting – ewf support


PTK - Roadmap
 AFF extensions [end of 2008]
 PST, DBX Mail archive support [end of 2008]
 Regripper integration [end of 2008]
 HASH Set Comparison [end of 2008] (Ability to include NSRL hash set )
 Case Migration [Q1 2009] (Ability to export and import Cases)
 Single binary launcher [Q1 2009] (No need to install MySQL and Apache)
 Incident Response Mode (PTK-IR) [Q1 2009]
(Enable PTK to be inserted on a Linux Live CD for first response
activities)
 Data Carving process [Q2 2009]


PTK – Roadmap features


Thank you


PTK 1.0 official presentation

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à PTK 1.0 official presentation

Similaire à PTK 1.0 official presentation (20)

Plus de DFLABS SRL

Plus de DFLABS SRL (11)

Dernier

Dernier (20)

PTK 1.0 official presentation