PTK 1.0 official presentation

The new interface for Sleuth Kit. Final release

  PTK 1.0 The first official presentation
  Chronology
  - First version, PTK 0.1 beta, February 2008
  - Second version, PTK 0.2 beta, July 2008
  - First stable release, PTK 1.0, November 2008
  - PTK logo
  Sites and references
  - Official website, ptk.dflabs.com
  - Download repository, Sourceforge
  - Forum (eng), Sourceforge
  - Wiki TSK: wiki.sleuthkit.org
  - SANS Institute, Forensics division
  General Statistics
  Autopsy: its limits
  - The current interface is slightly outdated.
  - It is neither easy to use nor friendly.
  - The case management section is a bit too complex and could be simplified.
  - The file activity timeline is not very functional and is difficult to consult.
  - Case export and sharing are difficult when several investigators need to work on the same case from different computers (lack of synchronization).
  Overview
  - A new advanced interface for the "Sleuthkit", but not only...
  - Dynamic web application backed by a centralized database:
    - Several investigators can work simultaneously on the same case
    - Indexing engine, in order to gather as much information as possible in the shortest time
    - Web based, Ajax technology
  - PTK adds a number of features to the current TSK.
  Web Based
  - Installation on a single central system (forensics workstation)
  - One database for all investigations
  - Remote access to the web interface
  - Several investigators have access through the browser to the cases assigned to them
  - All sensitive data are stored on a single server
  - PTK can be easily extended through plug-in integration
  - Access from all systems: Windows, Linux, Mac, etc.
  PTK: LAMP based
  Why use Ajax?
  - More dynamic
  - More usable
  - Page loads are reduced compared to Autopsy
  - Better application performance
  PTK security
  PTK is a web application for workgroup use. It must be used according to the forensics fundamentals: the lab network must be separated from the rest of the world. Furthermore, during PTK development several programming countermeasures have been adopted in order to provide adequate protection against potential threats.
  PTK security – XSS prevention
  XSS prevention:
  - The user does not pass through pages which show GET variables.
  - "Middle pages" which use GET variables employ them to build SQL queries, not to generate HTML code.
  - The variables are checked against "dangerous characters".
  - Every single user input is screened (parsed) and secured.
  PTK security – MySQL injection – Ajax bridging
  SQL injection prevention:
  - User input control/verification
  - Addition of escape sequences to the special characters present in the SQL instruction strings
  Ajax bridging prevention:
  - PTK does not use Ajax bridging
  - No JavaScript code imported from external sites
  - No external components required (no contact with any external untrusted source)
  PTK security – OWASP compliance
  - The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software.
  - A collection of PHP functions that sanitize user inputs is included.
  - Before running a command that requires the use of the PTK shell, the input parameters are cleaned.
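A worked example of the three defenses described on the security slides (screening request parameters for dangerous characters, escaping values before they reach HTML, and keeping user input out of the SQL text). This is Python written for this page, not PTK's own PHP code; the case table and its two rows, the dangerous-character set and the function names are constructed for the example. It also shows why binding parameters is preferable to adding escape sequences by hand.

```python
import html
import sqlite3

# Characters the deck calls "dangerous" when a GET parameter reaches HTML
# or SQL. The exact set is an assumption made for this example.
DANGEROUS_CHARS = set("<>\"';\\")


def has_dangerous_chars(value: str) -> bool:
    """Screen a request parameter the way the deck describes: flag any
    character that could change the meaning of a query or of a page."""
    return any(ch in DANGEROUS_CHARS for ch in value)


def render_filename(name: str) -> str:
    """Escape a value before it is written into an HTML page, so a file
    name taken from evidence cannot inject markup into the interface."""
    return html.escape(name, quote=True)


def lookup_case_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Anti-pattern: the SQL text is built from the user's input, so a
    quote in a perfectly legitimate name breaks the statement."""
    return conn.execute(
        "SELECT id FROM cases WHERE name = '" + name + "'"
    ).fetchall()


def lookup_case_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver binds the value separately, so the
    SQL text never changes and no escape sequences have to be added."""
    return conn.execute(
        "SELECT id FROM cases WHERE name = ?", (name,)
    ).fetchall()


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory case table, one name with a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cases (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO cases (name) VALUES (?)",
        [("Laptop seizure",), ("O'Brien workstation",)],
    )
    conn.commit()
    return conn


def compare_lookups(name: str) -> dict:
    """Run both lookups on the sample database and report what happened."""
    conn = build_demo_db()
    try:
        unsafe = lookup_case_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        unsafe = "error: " + str(exc)
    return {
        "screened": has_dangerous_chars(name),
        "unsafe": unsafe,
        "safe": lookup_case_safe(conn, name),
    }


if __name__ == "__main__":
    print(compare_lookups("O'Brien workstation"))
    print(render_filename("<evidence>&1.txt"))
```

A character blocklist like the deck's rejects a legitimate name such as O'Brien, which is exactly the input the parameterised query handles without any escaping; screening remains useful as a first gate on parameters that are passed to the PTK shell commands, where no driver binds them.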
  Features
  - Main features:
    - Indexing Engine
    - Dynamic Timeline
    - Keyword search
    - Gallery view
    - File Analysis
    - Bookmarking
  - PTK was designed from the start to integrate with any external tool:
    - Memory Dump Analysis (Volatility)
    - F-Response
    - Reg-ripper, etc.
  Other Features
  - Tree view facilitates navigation inside the evidence
  - Filtering engine
  - Tab management enables fast and practical access to file content
  - Every operation run is traced in the log
  - Image integrity can be checked at any time (MD5 and SHA1)
  - Multi-investigation
  - Several browsers such as Safari, Firefox and Chrome are now supported.
  PTK general schema
  PTK structure
  Indexing engine
  - String extraction (ASCII & Unicode) from the following space:
    - Allocated
    - Unallocated
    - Slack (NTFS and FAT)
  - Timeline generation
    - Textual timeline
    - Graphic timeline (new)
  - Hash of all files in the image
    - MD5
    - SHA1
  Indexing engine
  - Categorization (graphics, documents, executables, etc.)
  - Other future features such as data carving
  - The results obtained from the indexing operations are stored in the database, from where they can be easily accessed.
  Indexing engine version 0.2 (diagram): outputs Md5, Sha1, Keyword, Filetype and Timeline; four icat invocations and five rounds of MySQL queries.
  Indexing engine version 1.0 (diagram): outputs Md5, Sha1, Keyword, Filetype and Timeline; two icat invocations and three rounds of MySQL queries.
  - Optimized use of the icat command
  - Reduced number of queries towards MySQL
  Installation - agenda
  - LibEwf and Afflib support
  - TSK "The Sleuth Kit" v.3.0.0
  - LAMP (Linux+Apache+MySQL+PHP) or XAMPP
  - PTK 1.0
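The indexing pass described on the Indexing engine slides (MD5 and SHA1 of every file, categorization by file type, ASCII and Unicode string extraction) as an added Python example; this is not PTK's own engine. The magic-byte table, the sample file contents and their names are constructed for the example, and `verify_image` is the MD5/SHA1 integrity check the Other Features slide mentions.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Magic-byte signatures used for categorisation: a small assumed subset,
# not PTK's own table (PTK gets the type from `icat | file`).
SIGNATURES = [
    (b"\xff\xd8\xff", "graphics"),
    (b"\x89PNG\r\n\x1a\n", "graphics"),
    (b"%PDF-", "documents"),
    (b"MZ", "executables"),
    (b"\x7fELF", "executables"),
]
MIN_STRING_LEN = 4


@dataclass
class IndexRecord:
    name: str
    md5: str
    sha1: str
    category: str
    strings: list = field(default_factory=list)


def categorize(data: bytes) -> str:
    """File type by leading magic bytes."""
    for magic, category in SIGNATURES:
        if data.startswith(magic):
            return category
    return "other"


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> list:
    """Printable runs in ASCII and in UTF-16LE (srch_strings' 'Unicode')."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


def index_file(name: str, data: bytes) -> IndexRecord:
    """One indexing pass over a file: both hashes, category and strings."""
    return IndexRecord(
        name=name,
        md5=hashlib.md5(data).hexdigest(),
        sha1=hashlib.sha1(data).hexdigest(),
        category=categorize(data),
        strings=extract_strings(data),
    )


def verify_image(data: bytes, expected_md5: str, expected_sha1: str) -> bool:
    """Integrity check of an evidence image against the hashes recorded
    at acquisition time; both digests must match."""
    return (hashlib.md5(data).hexdigest() == expected_md5.lower()
            and hashlib.sha1(data).hexdigest() == expected_sha1.lower())


def build_sample_files() -> dict:
    """Constructed stand-ins for files icat would pull out of an image."""
    return {
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(32),
        "notes.txt": b"Meeting at 10:30 with suspect\x00\x01\x02",
        "tool.exe": b"MZ" + bytes(6) + "Forensic".encode("utf-16-le"),
    }


def index_files(files: dict) -> dict:
    """What the indexing engine would store per file, keyed by name."""
    return {name: index_file(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for rec in index_files(build_sample_files()).values():
        print(rec)
```

The UTF-16LE pattern requires a NUL after every printable byte, so an ASCII run never doubles as a Unicode hit and vice versa; the same two patterns serve allocated, unallocated and slack space alike, since they only look at bytes.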
  Libewf support
  The Expert Witness Compression Format (EWF) is used to store media images. It can store disk and partition images, compressed or uncompressed. EWF can store a single image in one or more segment files. Each segment file consists of a standard header followed by multiple sections. A single section cannot span multiple files. Sections are arranged back-to-back.
  Libewf installation
  - Download the latest version released on the website:
  - Extract the downloaded archive:
  - Compile and install:
  Afflib support
  The Advanced Forensics Format (AFF®) and AFF Library (AFFLIB®) are a joint development project of Simson L. Garfinkel and Basis Technology Corp. AFF and AFFLIB may be used royalty free and without limitation. Technology that incorporates AFFLIB must acknowledge this fact and note that the technology copyright agreement.
  Afflib support
  Comparison between AFF and EnCase (all values are in MB). Test on a 6 GB disk.
                    Zeroes  Shakespeare  Random
  AFF     -X1           28         2879    6301
          -X6            6         2450    6301
          -X9            6         2443    6301
  EnCase  "Good"        33         3066    6303
          "Best"        12         2846    6303
  The disk was written with:
  - All zeros
  - All of Shakespeare's works, repeated 1,200 times
  - Random data
  AFF uses gzip compression at three levels, i.e. 1, 6 and 9.
  Afflib installation
  - Download the latest version released on the website:
  - Extract the downloaded archive:
  - Compile and install afflib:
  TSK 3.0
  - Version 3.0.0, new features:
    - Detects orphan files
    - MBR and File Allocation Tables accessible in the root directory
    - Birth time added for the NTFS file system
    - Detects files deleted inside the NTFS file system
    - Uses the backup MBR in case the main MBR is damaged
  TSK 3.0 installation
  - Download the latest version available on the website:
  - Extract the downloaded archive:
  - Compile and install TSK:
  TSK 3.0 check
  - Check that the installed tools work correctly:
  NOMENCLATURE
  LAMP, manual installation
  Install the following software separately:
  - Apache
  - MySQL
  - PHP
  Make sure that the software is correctly installed and that the components interact. To check that everything works, it suffices to test the following PHP code:
  Installation
  - Download the latest version available on the website:
  - Extract the downloaded archive:
  - Open the PHP configuration file:
  Configuration
  - Disable the "register_globals" option:
  - Start Lampp:
  PTK 1.0 Installation
  - Download the latest version available on the website:
  - Extract the downloaded archive into the Apache document root:
    - Lamp: /opt/lampp/htdocs
    - Ubuntu: /var/www/
    - Gentoo: /var/www/localhost/htdocs
  PTK 1.0 Installation
  - Open the page http://localhost/ptk/install.php:
  - Select the distribution on which PTK is installed:
  PTK 1.0 Installation
  - Enter the connection details and access credentials for the MySQL service:
  - Enter the access credentials for PTK's MySQL database:
  PTK 1.0 Installation
  - Enter PTK's administrator credentials:
  - Click "configure" in order to finish the installation.
  PTK 1.0 Installation
  At the end of the installation, support images are shown.
  Configuration file, conf.php
  Configuration file, conf.pl
  Configuration file, mysql.pl, config.inc.php
  Use PTK - agenda
  - File analysis
  - Timeline
  - Keyword search
  - Gallery
  - Data unit
  - Bookmark
  - Report
  - Dashboard
  - RAM dump analysis
  - Multi users
  File Analysis
  - The File Analysis section allows browsing the entire disk tree and exploring the content of all directories. The content of a file can be visualized in the following formats:
    - ASCII
    - ASCII strings
    - Hexdump
    - Image preview (for graphical files)
  - Investigators have full access to the information contained in every allocated or unallocated file.
    - All operations are fast and immediate thanks to the tree visualization and the tab system.
  - Bookmark results for further in-depth analysis
  File Analysis: TSK tools
  - Disk browsing: fls
  - File ASCII: icat
  - File ASCII strings: icat + srch_strings
  - File hexdump: icat + hexdump
  - File type check: icat + file
  - Image preview: icat
  File Analysis - screenshots
  File Analysis: Filtering
  - PTK offers a filtering system during file analysis, enabling investigators to focus their attention only on specific files.
  - The filtering features make it possible to:
    - Apply a simple textual filter on the names of the files inside the directory.
    - Apply an advanced filter based on file type or on MACB time intervals.
  File Analysis: Filtering - screenshots
  File Analysis: Ajax pagination
  - With Autopsy, loading big files during File Analysis could slow down or even crash the browser.
  - To solve this problem an Ajax content pagination mechanism was introduced. This enables investigators to:
    - Browse through the pages that contain the extracted output.
    - Move to a specific page.
    - Set the size (in units) of the page to visualize.
    - Enable/disable pagination.
  - Bookmark results for further in-depth analysis.
  File Analysis: Ajax pagination - screenshots
  Timeline
  - The timeline helps investigators focus on relevant information based on timestamps.
  - It shows the temporal sequence of all file activities, including those of unallocated files.
    - These activities are traced through the analysis of known metadata such as the MACB times (Modified, Accessed, Changed, Birth).
  - Two timeline types are available to investigators:
    - Tabular: sortable fields, file analysis features and export
    - Graphic: the behavior of every activity on the file system; a useful tool for visualizing peaks of accesses, modifications or creations
  - Bookmark results for further in-depth analysis.
  - Tools: fls + mactime
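Timeline construction from a body file, as an added Python example of what the fls + mactime pair does; this is not PTK's code. The three body lines are constructed, the layout is the eleven-field TSK 3.x body format, and the one-hour bucket and the column layout are choices made for the example. `build_timeline` produces the tabular view and `activity_histogram` the per-hour counts behind the graphic one.

```python
from collections import Counter
from datetime import datetime, timezone

# TSK 3.x body-file layout, as written by `fls -m` and read by mactime.
BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")
MACB_SOURCES = (("mtime", "M"), ("atime", "A"), ("ctime", "C"), ("crtime", "B"))

# Constructed sample body lines (not taken from a real image).
SAMPLE_BODY = """\
0|/Documents/report.doc|123-128-3|r/rrwxrwxrwx|0|0|20480|1225800000|1225800000|1225800000|1225713600
0|/Documents/report.doc~ (deleted)|124-128-1|r/rrwxrwxrwx|0|0|20480|1225713700|1225713650|1225713650|1225713600
0|/Windows/System32/cmd.exe|200-128-3|r/rrwxrwxrwx|0|0|389120|1225800300|1150000000|1150000000|1150000000
"""


def parse_body_line(line: str) -> dict:
    """Split one body line into its named fields, rejecting malformed lines."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(BODY_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(BODY_FIELDS), len(parts)))
    return dict(zip(BODY_FIELDS, parts))


def build_timeline(body_text: str) -> list:
    """One event per distinct timestamp of each file, carrying MACB flags,
    sorted by time: the tabular timeline mactime produces."""
    events = []
    for line in body_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_body_line(line)
        by_time = {}
        for fld, letter in MACB_SOURCES:
            ts = int(rec[fld])
            if ts > 0:                      # 0 means "not recorded"
                by_time.setdefault(ts, set()).add(letter)
        for ts, letters in by_time.items():
            flags = "".join(ch if ch in letters else "." for ch in "MACB")
            events.append({"ts": ts, "macb": flags, "name": rec["name"],
                           "inode": rec["inode"], "size": int(rec["size"])})
    events.sort(key=lambda e: (e["ts"], e["name"]))
    return events


def format_timeline(events: list) -> list:
    """Textual timeline rows: UTC time, MACB flags, size, inode, name."""
    rows = []
    for e in events:
        when = datetime.fromtimestamp(e["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append("%s  %s  %8d  %-10s %s" % (when, e["macb"], e["size"], e["inode"], e["name"]))
    return rows


def activity_histogram(events: list, bucket: int = 3600) -> dict:
    """Events per time bucket (the bars of the graphic timeline), keyed by bucket start."""
    counts = Counter(e["ts"] - e["ts"] % bucket for e in events)
    return dict(sorted(counts.items()))


def peak_bucket(events: list, bucket: int = 3600) -> tuple:
    """The bucket with the most file-system activity: where an analyst looks first."""
    hist = activity_histogram(events, bucket)
    start = max(hist, key=hist.get)
    return start, hist[start]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_BODY)
    print("\n".join(format_timeline(tl)))
    print(peak_bucket(tl))
```

Deleted entries stay in the body file with their last known times, which is why the sample's `report.doc~ (deleted)` still lands on the timeline next to the live copy; the busiest hour is the one in which that file was created, modified and accessed.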
  Timeline - screenshots
  Timeline - screenshots
  Keywords search
  - The Keyword Search section offers two main features:
    - Indexed search: a thorough search among the keywords extracted during the indexing operations
    - Live search: a direct search on the evidence
  - Regular expression support, with the possibility to save frequently used regexps in a file.
  - Bookmark results for further in-depth analysis
  Keywords search - tools
  - Live search: dls + srch_strings + grep
  - Live search information: ifind + istat + grep
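The live search pipeline (dls + srch_strings + grep, then ifind/istat on the hit) as an added Python example, not PTK's code. The 2048-byte unallocated buffer, the keywords, the 512-byte data unit size and the hit field names are constructed for the example. A regular expression is applied to the ASCII stream; a literal keyword is additionally searched in UTF-16LE, the format srch_strings reports as Unicode.

```python
import re

BLOCK_SIZE = 512  # assumed data-unit size; pass the image's real one


def compile_patterns(keyword: str, regex: bool = False) -> dict:
    """Byte patterns for the keyword in ASCII and in UTF-16LE. A regular
    expression is applied to the ASCII stream only; a literal keyword is
    also searched in UTF-16LE, where every character is followed by NUL."""
    patterns = {}
    if regex:
        patterns["ascii"] = re.compile(keyword.encode("ascii"), re.IGNORECASE)
    else:
        patterns["ascii"] = re.compile(re.escape(keyword.encode("ascii")), re.IGNORECASE)
        patterns["utf-16le"] = re.compile(re.escape(keyword.encode("utf-16-le")), re.IGNORECASE)
    return patterns


def live_search(data: bytes, keyword: str, regex: bool = False,
                block_size: int = BLOCK_SIZE, context: int = 16) -> list:
    """Scan raw bytes (e.g. what dls extracts) and report every hit with its
    byte offset and data-unit number; the unit number is what `ifind -d`
    takes to look up the inode that owns it."""
    hits = []
    for encoding, pat in compile_patterns(keyword, regex).items():
        for m in pat.finditer(data):
            start, end = m.span()
            snippet = data[max(0, start - context):end + context]
            hits.append({
                "offset": start,
                "block": start // block_size,
                "encoding": encoding,
                "match": m.group().decode(encoding, errors="replace"),
                "context": snippet.decode(encoding, errors="replace").replace("\x00", "."),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


def build_sample_unallocated() -> bytes:
    """Constructed 2048-byte region: one ASCII and one UTF-16LE occurrence."""
    buf = bytearray(2048)
    ascii_text = b"Secret invoice #4471 attached"
    buf[600:600 + len(ascii_text)] = ascii_text
    uni_text = "INVOICE scan".encode("utf-16-le")
    buf[1500:1500 + len(uni_text)] = uni_text
    return bytes(buf)


if __name__ == "__main__":
    region = build_sample_unallocated()
    for hit in live_search(region, "invoice"):
        print(hit["offset"], hit["block"], hit["encoding"], repr(hit["context"]))
    print(live_search(region, r"#\d{4}", regex=True))
```

Each hit carries the data-unit number, so the "live search information" step of the slide (ifind + istat) can start directly from the search result; the case-insensitive match covers the ASCII letters in both encodings.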
  Keywords search - screenshots
  Keywords search - screenshots
  Keywords search – DFTT test
  DFTT test                  Passed
  Extended partition test    X
  FAT Keyword search         X
  NTFS Keyword search        X
  EXT3FS Keyword search      X
  FAT Daylight saving test   X
  FAT Undeleted test         X
  NTFS Undeleted test        X
  JPEG Search test           -
  Gallery
  - The Gallery allows investigators to visualize and manage graphic evidence.
  - Images can be bookmarked, exported and analyzed through the user interface.
  - Rendering of image thumbnails
  - Extraction of graphical content: icat
  Gallery - screenshots
  Data Unit
  Enables raw-level disk analysis, and also:
  - the visualization of an image's "allocation list", in order to supply information about sector allocation
  - content analysis of a sector or of an interval of sectors
  - allocation list generation: dls
  Data Unit - screenshots
  Bookmark
  - This section enables investigators to create bookmarks for the evidence detected during analysis, in particular for:
    - a single file
    - a file portion
    - a search result
    - a timeline event
  - Bookmarks can be generated from all PTK sections
  - One or more tags can be associated with every bookmark, simplifying the organization of results.
  Bookmark - screenshots
  Bookmark - outline
  - Every investigator generates his own bookmark list for every case assigned to him
  - An investigator can visualize only his own bookmarks
  - Only the Master Investigator is allowed to visualize other investigators' bookmarks.
  Report
  - Thanks to PTK, investigators can generate PDF reports of the evidence found during analysis activities.
  - Reports contain case information and images. They are generated starting from the bookmarks added by users.
  - Reports are visualized from the interface.
  - It is possible to include evidence thumbnails in graphical format.
  Report - screenshots
  Dashboard
  - Starting with version 1.0, the application info zone includes a practical dashboard that helps to monitor the system status. It includes:
    - Free memory
    - Average CPU usage
    - Free disk space
    - Disk usage percentage
  - The investigator can choose to hide or show the dashboard during analysis operations.
  RAM Dump analysis
  - Memory dump analysis is performed through the Volatility framework (https://www.volatilesystems.com).
    - For the moment the supported version is 1.3
    - Memory dumps from Windows XP SP2 and SP3 are supported.
  - It is possible to run a string search in both ASCII and Unicode format.
  - Results can be added to PTK bookmarks just like any other evidence.
  RAM Dump analysis: features
  - Date and time
  - Running processes
  - Open network sockets
  - Open network connections
  - DLLs loaded for each process
  - Open files for each process
  - Open registry handles for each process
  - A process' addressable memory
  - OS kernel modules
  - Mapping physical offsets to virtual addresses (strings to process)
  - Virtual Address Descriptor information
  - Scanning examples: processes, threads, s
  RAM Dump analysis – process list
  www.dflabs.com - ptk.dflabs.com
  RAM Dump analysis – keywords search
  - PTK enables a string search on the RAM memory dump.
  - It is possible to launch a keyword search in the following formats:
    - ASCII
    - Unicode
  - Regular expressions are supported.
  - All search results can be inserted in the bookmarks.
  - Live search on RAM content: srch_strings + grep
  RAM Dump analysis – keyword search
  Multi users - Case Lock
  - PTK enables case management at various levels
  - Only the Master Investigator has access to all cases.
  - An investigator has access only to the cases assigned to him
  - The Master Investigator can decide to use the Lock feature on a case at any moment. This feature forbids access to the case.
  Multi users – Users management
  - It is possible to create an unlimited number of investigators
  - Every investigator has his own area in the database where he saves his own bookmarks.
  Multi users – simultaneous work 1
  The administrator may add new cases and select the investigators allowed to access them.
  Multi users – simultaneous work 2
  Several investigators are able to work on the same case simultaneously.
  Multi users – simultaneous work 3
  The administrator activates the Lock on CASE1.
  Multi users – simultaneous work 4
  Now only the administrator can access CASE1, while the case is locked for the others.
  PTK logging
  - PTK generates a log entry for every operation
  - Logs are generated for every user category
  - Logs can be exported
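The access model of the Multi users and PTK logging slides (the master sees every case, an investigator only the cases assigned to him, a lock restricts a case to the master, bookmarks are kept per investigator and visible only to their owner or to the master, and every operation produces a log entry) as an added Python example. This is not PTK's implementation; the user and case names, the role names and the log line format are constructed for the example, and `demo_simultaneous_work` replays the four "simultaneous work" slides.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

MASTER = "master"            # the deck's Master Investigator / Administrator
INVESTIGATOR = "investigator"


@dataclass
class User:
    name: str
    role: str = INVESTIGATOR


@dataclass
class Case:
    case_id: str
    name: str
    investigators: set = field(default_factory=set)
    locked: bool = False
    bookmarks: dict = field(default_factory=dict)   # investigator -> notes


class CaseManager:
    """Case assignment, locking, per-user bookmarks and an operation log."""

    def __init__(self):
        self.cases = {}
        self.log = []

    def _record(self, user, action, case_id, allowed):
        """Every operation, allowed or denied, leaves a log entry."""
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        self.log.append((stamp, user.name, user.role, action, case_id,
                         "allowed" if allowed else "denied"))
        return allowed

    def add_case(self, user, case_id, name, investigators):
        """Only the master creates cases and assigns investigators to them."""
        if user.role != MASTER:
            return self._record(user, "add_case", case_id, False)
        self.cases[case_id] = Case(case_id, name, set(investigators))
        return self._record(user, "add_case", case_id, True)

    def can_access(self, user, case_id):
        case = self.cases.get(case_id)
        if case is None:
            return False
        if case.locked:                      # lock: master only
            return user.role == MASTER
        return user.role == MASTER or user.name in case.investigators

    def open_case(self, user, case_id):
        return self._record(user, "open_case", case_id, self.can_access(user, case_id))

    def set_lock(self, user, case_id, locked):
        """Locking and unlocking is reserved to the master."""
        ok = user.role == MASTER and case_id in self.cases
        if ok:
            self.cases[case_id].locked = locked
        return self._record(user, "lock" if locked else "unlock", case_id, ok)

    def add_bookmark(self, user, case_id, note):
        ok = self.can_access(user, case_id)
        if ok:
            self.cases[case_id].bookmarks.setdefault(user.name, []).append(note)
        return self._record(user, "add_bookmark", case_id, ok)

    def visible_bookmarks(self, user, case_id):
        """An investigator sees only his own bookmarks; the master sees everyone's."""
        if not self.can_access(user, case_id):
            return {}
        marks = self.cases[case_id].bookmarks
        if user.role == MASTER:
            return dict(marks)
        return {user.name: list(marks.get(user.name, []))}

    def export_log(self):
        return ["%s %s(%s) %s %s %s" % entry for entry in self.log]


def demo_simultaneous_work():
    """The deck's scenario: two investigators on CASE1, then the lock."""
    mgr = CaseManager()
    admin, alice, bob = User("admin", MASTER), User("alice"), User("bob")
    mgr.add_case(admin, "CASE1", "Laptop seizure", {"alice", "bob"})
    before = (mgr.open_case(alice, "CASE1"), mgr.open_case(bob, "CASE1"))
    mgr.add_bookmark(alice, "CASE1", "deleted report.doc")
    mgr.add_bookmark(bob, "CASE1", "cmd.exe access at 09:05")
    mgr.set_lock(admin, "CASE1", True)
    after = (mgr.open_case(alice, "CASE1"), mgr.open_case(admin, "CASE1"))
    return mgr, before, after


if __name__ == "__main__":
    manager, before, after = demo_simultaneous_work()
    print(before, after)
    print("\n".join(manager.export_log()))
```

Denied operations are logged as well as allowed ones, so an attempt by an investigator to open a locked case or to create a case is visible in the exported log, which is the record the deck says can be reviewed for every user category.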
  PTK vs FTK imager
  PTK vs FTK imager
  Alternate Data Stream
  Description…
  File mismatch
  PTK – troubleshooting - TSK
  The installer doesn't detect the TSK tools:
  Solution:
  PTK – troubleshooting - permission
  The installer detects problems with the folder permissions in the PTK root:
  Solution:
  PTK – troubleshooting – case adding
  It is not possible to add cases to PTK
  Solution:
  PTK – troubleshooting – php issue
  The PHP code is not interpreted
  Solution:
  PTK – troubleshooting – memory limit
  A memory size error comes up:
  Solution:
  PTK – troubleshooting – EWF support
  The file system type of an EnCase image is not recognized
  Solution: install libewf support
  PTK – troubleshooting – ewf support
  PTK - Roadmap
  - AFF extensions [end of 2008]
  - PST, DBX mail archive support [end of 2008]
  - Regripper integration [end of 2008]
  - Hash set comparison [end of 2008] (ability to include the NSRL hash set)
  - Case migration [Q1 2009] (ability to export and import cases)
  - Single binary launcher [Q1 2009] (no need to install MySQL and Apache)
  - Incident Response Mode (PTK-IR) [Q1 2009] (enable PTK to be included on a Linux Live CD for first response activities)
  - Data carving process [Q2 2009]
  PTK – Roadmap features
  Thank you