PTK 1.0 official presentation

Uploaded on

The new interface for Sleuth Kit. Final release

  • 1. PTK 1.0 The first official presentation
  • 2. Chronology
     The first version, PTK 0.1 beta, February 2008
     Second version, PTK 0.2 beta, July 2008
     First stable release, PTK 1.0, November 2008
    [PTK logo]
    www.dflabs.com - ptk.dflabs.com 2
  • 3. Sites and references
     Official website, ptk.dflabs.com
     Download repository, Sourceforge
     Forum (eng), Sourceforge
     Wiki TSK: wiki.sleuthkit.org
     SANS Institute, Forensics division
  • 4. General Statistics
  • 5. Autopsy: its limits
     The current interface is slightly outdated.
     It is neither easy to use nor user-friendly.
     The case management section is more complex than it needs to be and can be simplified.
     The file activity timeline is not very functional and is difficult to consult.
     Case export and sharing are difficult when several investigators need to work on the same case from different computers (no synchronization).
  • 6. Overview
     A new advanced interface for the "Sleuthkit", but not only...
     Dynamic web application backed by a centralized database
    o Several investigators can work simultaneously on the same case
    o Indexing engine, to obtain as much information as possible in the shortest time
    o Web based, Ajax technology
     PTK adds a number of features to the current TSK.
  • 7. Web Based
     Installation on a single central system (the forensics workstation)
     One database for all investigations
     Remote access to the web interface
     Several investigators have access through the browser to the cases assigned to them
     All sensitive data are stored on a single server
     PTK can easily be extended through plug-in integration
     Access from any system: Windows, Linux, Mac, etc.
  • 8. PTK: LAMP based
  • 9. Why use Ajax?
     More dynamic
     More usable
     Fewer page loads compared to Autopsy
     Better application performance
  • 10. PTK security
    PTK is a web application for workgroup use. It must be used according to the forensics fundamentals: the lab network must be separated from the rest of the world. Furthermore, during PTK development several programming countermeasures have been adopted in order to guarantee the right protection against potential threats.
  • 11. PTK security – XSS prevention
    XSS prevention:
    o the user does not pass through pages that show GET variables
    o "middle pages" that use GET variables employ them to build SQL queries, not to generate HTML code
    o the variables are checked against "dangerous characters"
    o every single user input is screened (parsed) and secured.
  • 12. PTK security – MySQL injection – Ajax bridging
    SQL injection prevention:
    o user input control/verification
    o addition of escape sequences to the special characters present in the SQL instruction strings
    Ajax bridging prevention:
    o PTK does not use Ajax bridging
    o No JavaScript code imported from external sites
    o No external components required (no contact with any external untrusted source)
  • 13. PTK security – OWASP compliance
     The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software.
     A collection of PHP functions that sanitize user inputs is included.
     Before running a command that requires the use of the PTK shell, the input parameters are cleaned.
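Slides 11 to 13 describe checking GET parameters, escaping SQL special characters and cleaning parameters before a PTK shell command runs. The following is an added illustration by the editor, not PTK's own code (PTK is written in PHP; this is Python so it can be run as-is). It shows the two habits a practitioner would want behind those slides: an allow-list on every value that reaches a Sleuth Kit command line, built as an argv so no shell ever sees it, and a bound query parameter in place of escaping. The table, function names and sample rows are assumptions made up for the example.

```python
import re
import shlex
import sqlite3

# Allow-lists for values a web front end would forward to TSK tools.
# A TSK metadata address is "inode" or "inode-type-id" (e.g. NTFS "128-128-3").
_INODE_RE = re.compile(r"\d+(?:-\d+-\d+)?")
# The image is referred to by base name only: no path separators, no shell metacharacters.
_IMAGE_RE = re.compile(r"[A-Za-z0-9._-]+")


def validate_inode(value):
    """Return the inode address unchanged if it is well formed, else raise."""
    if not _INODE_RE.fullmatch(value):
        raise ValueError("invalid inode address: %r" % value)
    return value


def validate_offset(value):
    """Partition offset in sectors, as passed to icat/fls -o; digits only."""
    if not value.isdigit():
        raise ValueError("invalid sector offset: %r" % value)
    return int(value)


def build_icat_argv(image, offset, inode):
    """Build the argv for icat from request parameters.

    Returning a list for subprocess.run(argv) (no shell=True) means a value
    such as "63; rm -rf /" is never interpreted by a shell; the allow-lists
    reject it before that point anyway.
    """
    if not _IMAGE_RE.fullmatch(image):
        raise ValueError("invalid image name: %r" % image)
    return ["icat", "-o", str(validate_offset(offset)), image, validate_inode(inode)]


def render_for_log(argv):
    """Quote each argument so the logged command line is unambiguous."""
    return " ".join(shlex.quote(a) for a in argv)


# --- SQL: string building versus a bound parameter ---------------------------
# Constructed in-memory table standing in for PTK's per-investigator bookmarks.
def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bookmark (id INTEGER PRIMARY KEY, investigator TEXT, note TEXT)")
    db.executemany(
        "INSERT INTO bookmark (investigator, note) VALUES (?, ?)",
        [("alice", "suspicious.exe in Temp"), ("bob", "deleted plan.docx"), ("bob", "IBAN in slack")],
    )
    return db


def bookmarks_unsafe(db, investigator):
    """String-built query: a name like  alice' OR '1'='1  reads everyone's notes."""
    sql = "SELECT note FROM bookmark WHERE investigator = '%s' ORDER BY id" % investigator
    return [row[0] for row in db.execute(sql)]


def bookmarks_safe(db, investigator):
    """Bound parameter: the same input is compared literally and matches nothing."""
    sql = "SELECT note FROM bookmark WHERE investigator = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (investigator,))]


if __name__ == "__main__":
    print(render_for_log(build_icat_argv("evidence.dd", "63", "128-128-3")))
    db = setup_db()
    print(bookmarks_unsafe(db, "alice' OR '1'='1"))
    print(bookmarks_safe(db, "alice' OR '1'='1"))
```

The allow-list is deliberately stricter than "reject dangerous characters": it states what a valid inode or offset looks like, so anything else fails closed, and the argv form removes the shell from the picture entirely.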
  • 14. Features
     Main features:
    o Indexing engine
    o Dynamic timeline
    o Keyword search
    o Gallery view
    o File analysis
    o Bookmarking
     PTK was designed from the start to integrate with external tools:
    o Memory dump analysis (Volatility)
    o F-Response
    o RegRipper, etc.
  • 15. Other Features
     Tree view facilitates navigation inside the evidence
     Filtering engine
     Tab management gives fast, practical access to file content
     All operations are traced in the log
     Image integrity can be checked at any time (MD5 and SHA1)
     Multi-investigation
     Several browsers such as Safari, Firefox and Chrome are now supported.
  • 16. PTK general schema
  • 17. PTK structure
  • 18. Indexing engine
     String extraction (ASCII & Unicode) from:
    o Allocated space
    o Unallocated space
    o Slack space (NTFS and FAT)
     Timeline generation
    o Textual timeline
    o Graphic timeline (new)
     Hash of all files in the image
    o MD5
    o SHA1
  • 19. Indexing engine
     Categorization (graphics, documents, executables, etc.)
     Other future features such as data carving
     The results obtained from indexing operations are stored in the database, from where they can easily be accessed.
  • 20. Indexing engine version 0.2
    [Diagram: the five indexing stages (Md5, Sha1, Keyword, Filetype, Timeline), with four separate icat invocations and five separate MySQL queries]
  • 21. Indexing engine version 1.0
    [Diagram: the same five stages, with two icat invocations and three MySQL queries]
     Optimized use of the icat command
     Reduced number of queries towards MySQL
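As an added example of the per-file part of the indexing engine on slides 18 and 19 (hashes and categorization), written by the editor in Python and not taken from PTK: each file's content is hashed with MD5 and SHA1 and classified by its leading bytes rather than by its name, and a file whose extension disagrees with its signature is flagged. That flag is the kind of check a file-mismatch report (slide 84) or a hash-set comparison builds on. The signature table is a small subset chosen for the example and the sample files are constructed inline.

```python
import hashlib

# (leading bytes, category, extensions that legitimately carry this signature).
# Deliberately short; a real index would use libmagic or a fuller table.
SIGNATURES = [
    (b"\xff\xd8\xff", "graphics", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "graphics", {"png"}),
    (b"GIF87a", "graphics", {"gif"}),
    (b"GIF89a", "graphics", {"gif"}),
    (b"%PDF-", "documents", {"pdf"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "documents", {"doc", "xls", "ppt", "msg"}),
    (b"MZ", "executables", {"exe", "dll", "sys", "scr", "ocx"}),
    (b"\x7fELF", "executables", set()),
]


def categorize(data):
    """Classify content by signature; returns (category, allowed extensions)."""
    for magic, category, exts in SIGNATURES:
        if data.startswith(magic):
            return category, exts
    return "other", set()


def extension_of(name):
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def index_file(name, data):
    """One index record as the engine would store it in the database."""
    category, exts = categorize(data)
    ext = extension_of(name)
    return {
        "name": name,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "category": category,
        # Only meaningful when the name has an extension and the signature is known.
        "mismatch": bool(ext) and bool(exts) and ext not in exts,
    }


def build_index(files):
    """files: iterable of (path, content), e.g. what icat returns per inode. Sorted by path."""
    return sorted((index_file(n, d) for n, d in files), key=lambda r: r["name"])


def mismatches(records):
    """Names whose extension contradicts the content signature."""
    return [r["name"] for r in records if r["mismatch"]]


# Constructed sample files; contents are truncated headers, enough for the signature check.
SAMPLE_FILES = [
    ("/Pictures/holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60),
    ("/Users/mallory/notes.txt", b"MZ\x90\x00" + b"\x00" * 100),          # PE header behind a .txt name
    ("/Users/mallory/report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("/$OrphanFiles/OrphanFile-300", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),  # orphan, no extension
    ("/empty.dat", b""),
]

if __name__ == "__main__":
    for rec in build_index(SAMPLE_FILES):
        print("%-32s %-12s %s %s" % (rec["name"], rec["category"], rec["md5"],
                                      "MISMATCH" if rec["mismatch"] else ""))
```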
  • 22. Installation - agenda
     LibEwf and Afflib support
     TSK "The Sleuth Kit" v.3.0.0
     LAMP (Linux+Apache+MySQL+PHP) or XAMPP
     PTK 1.0
  • 23. Libewf support
    The Expert Witness Compression Format (EWF) is used to store media images. It can store disk and partition images, compressed or uncompressed. EWF can store a single image in one or more segment files. Each segment file consists of a standard header followed by multiple sections. A single section cannot span multiple files. Sections are arranged back-to-back.
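An added example by the editor of walking the structure slide 23 describes (a fixed segment header, then section descriptors placed back-to-back, each carrying the offset of the next one, with the last section pointing at itself). It is Python written for this page, not libewf or PTK code. The descriptor layout assumed here (16-byte type, 64-bit next offset and size, 40 bytes of padding, Adler-32 over the preceding 72 bytes, after a 13-byte file header) follows the libewf documentation but is taken as an assumption; the segment is built synthetically inside the block. The point for a tool that parses untrusted evidence: verify the checksum and that every section ends inside the file before trusting its offsets.

```python
import struct
import zlib

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
# Segment file header: signature, fields start (1), segment number, fields end (0).
FILE_HEADER = struct.Struct("<8sBHH")           # 13 bytes
# Section descriptor: type, next section offset, section size, padding, Adler-32.
SECTION = struct.Struct("<16sQQ40sI")           # 76 bytes
TERMINAL_SECTIONS = (b"next", b"done")


def build_segment(segment_number, sections):
    """Constructed EWF-style segment for the example: sections is [(type, payload), ...]."""
    out = bytearray(FILE_HEADER.pack(EWF_SIGNATURE, 1, segment_number, 0))
    for i, (stype, payload) in enumerate(sections):
        start = len(out)
        size = SECTION.size + len(payload)
        # The last section's "next" offset points at the section itself.
        nxt = start if i == len(sections) - 1 else start + size
        head = struct.pack("<16sQQ40s", stype.ljust(16, b"\x00"), nxt, size, b"\x00" * 40)
        out += head + struct.pack("<I", zlib.adler32(head) & 0xFFFFFFFF) + payload
    return bytes(out)


def walk_sections(segment):
    """Return (segment_number, [(type, offset, size), ...]); ValueError on anything inconsistent."""
    if len(segment) < FILE_HEADER.size:
        raise ValueError("too short for an EWF header")
    sig, fields_start, segment_number, fields_end = FILE_HEADER.unpack_from(segment, 0)
    if sig != EWF_SIGNATURE or fields_start != 1 or fields_end != 0:
        raise ValueError("not an EWF segment header")
    offset = FILE_HEADER.size
    found = []
    while True:
        if offset + SECTION.size > len(segment):
            raise ValueError("section descriptor at %d runs past end of file" % offset)
        stype, nxt, size, _pad, checksum = SECTION.unpack_from(segment, offset)
        if zlib.adler32(segment[offset:offset + SECTION.size - 4]) & 0xFFFFFFFF != checksum:
            raise ValueError("bad descriptor checksum at %d" % offset)
        # A section cannot span files: its end must lie inside this segment.
        if offset + max(size, SECTION.size) > len(segment):
            raise ValueError("section at %d does not fit in this segment file" % offset)
        name = stype.rstrip(b"\x00")
        found.append((name.decode("ascii"), offset, size))
        if name in TERMINAL_SECTIONS or nxt == offset:
            return segment_number, found
        if nxt <= offset:
            raise ValueError("section chain at %d does not move forward" % offset)
        offset = nxt


def is_well_formed(segment):
    try:
        walk_sections(segment)
        return True
    except ValueError:
        return False


# Constructed segment: a header section, a volume section, then the terminator.
SAMPLE_SEGMENT = build_segment(1, [(b"header", b"\x00" * 20), (b"volume", b"\x01" * 10), (b"next", b"")])

if __name__ == "__main__":
    print(walk_sections(SAMPLE_SEGMENT))
```

The "does not move forward" check matters as much as the checksum: a descriptor whose next offset points backwards would otherwise make a naive reader loop forever on a crafted image.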
  • 24. Libewf installation
     Download the latest version released on the website:
     Extract the downloaded archive:
     Compile and install:
  • 25. Afflib support
    The Advanced Forensics Format (AFF®) and AFF Library (AFFLIB®) are a joint development project of Simson L. Garfinkel and Basis Technology Corp. AFF and AFFLIB may be used royalty free and without limitation. Technology that incorporates the AFFLIB must acknowledge this fact and note that the technology copyright agreement.
  • 26. Afflib support
    Comparison between AFF and EnCase (all values in MB). Test on a 6 GB disk.
    Format / level     Zeroes   Shakespeare   Random
    AFF -X1                28          2879     6301
    AFF -X6                 6          2450     6301
    AFF -X9                 6          2443     6301
    EnCase "Good"          33          3066     6303
    EnCase "Best"          12          2846     6303
    The disk was written with:
     All zeros
     All Shakespeare's works, repeated 1,200 times
     Random data
    AFF uses gzip for compression at three levels, i.e. 1 - 6 - 9
  • 27. Afflib installation
    Download the latest version released on the website:
    Extract the downloaded archive:
    Compile and install afflib:
  • 28. TSK 3.0
     Version 3.0.0, new features:
    o Detects orphan files
    o MBR and File Allocation Tables accessible in the root directory
    o Birth time added for the NTFS file system
    o Detects files deleted inside the NTFS file system
    o Uses the backup MBR in case the main MBR is damaged
  • 29. TSK 3.0 installation
    Download the latest version available on the website:
    Extract the downloaded archive:
    Compile and install TSK:
  • 30. TSK 3.0 check
     Check the correct functioning of the installed tools:
    NOMENCLATURE
  • 31. LAMP, manual installation
    Install the following software separately:
    o Apache
    o MySQL
    o PHP
    Make sure that the packages are correctly installed and that they interact. To check that everything works, it suffices to test the following PHP code:
  • 32. Installation
    Download the latest version available on the website:
    Extract the downloaded archive:
    Open the PHP configuration file:
  • 33. Configuration
    Disable the "register_globals" option:
    Start Lampp:
  • 34. PTK 1.0 Installation
    Download the latest version available on the website:
    Extract the downloaded archive into the Apache document root:
    o Lampp /opt/lampp/htdocs
    o Ubuntu /var/www/
    o Gentoo /var/www/localhost/htdocs
  • 35. PTK 1.0 Installation
    Open the page http://localhost/ptk/install.php:
    Select the distribution on which PTK is installed:
  • 36. PTK 1.0 Installation
    Enter the address and access credentials of the MySQL service:
    Enter the access credentials for PTK's MySQL database:
  • 37. PTK 1.0 Installation
    Enter PTK's administrator credentials:
    Click "configure" to finish the installation.
  • 38. PTK 1.0 Installation
    At the end of the installation, support images are shown.
  • 39. Configuration file, conf.php
  • 40. Configuration file, conf.pl
  • 41. Configuration file, mysql.pl, config.inc.php
  • 42. Use PTK - agenda
     File analysis
     Timeline
     Keyword search
     Gallery
     Data unit
     Bookmark
     Report
     Dashboard
     RAM dump analysis
     Multi users
  • 43. File Analysis
     The File Analysis section allows browsing the entire disk tree and exploring the content of all directories. File contents can be visualized in the following formats:
    o ASCII
    o ASCII strings
    o Hexdump
    o Image preview (for graphics files)
     Investigators have full access to the information contained in every allocated or unallocated file.
    o All operations are fast and immediate thanks to the tree visualization and the tab system.
     Bookmark results for further in-depth analysis
  • 44. File Analysis: TSK tools
     Disk browsing: fls
     File ASCII: icat
     File ASCII strings: icat + srch_strings
     File hexdump: icat + hexdump
     Filetype check: icat + file
     Image preview: icat
  • 45. File Analysis - screenshots
  • 46. File Analysis: Filtering
     PTK offers a filtering system during file analysis, enabling investigators to focus their attention only on specific files.
     Filtering features enable investigators to:
    o Apply a simple textual filter on the file names inside the directory.
    o Apply an advanced filter based on file type or MACB time intervals.
  • 47. File Analysis: Filtering - screenshots
  • 48. File Analysis: Ajax pagination
     With Autopsy, loading big files during file analysis could slow down or even crash the browser.
     To solve this problem an Ajax content pagination mechanism was introduced. This enables investigators to:
    o Browse through the pages that contain the extracted output.
    o Move to a specific page.
    o Set the size (in units) of the page to visualize.
    o Enable/disable pagination.
     Bookmark results for further in-depth analysis.
  • 49. File Analysis: Ajax pagination - screenshots
  • 50. Timeline
     The timeline helps investigators focus on relevant information based on timestamps.
     It shows the temporal sequence of all file activities, including those of unallocated files.
    o These activities are traced through the analysis of known metadata such as the MACB times (Modified, Accessed, Changed, Birth)
     Two timeline types are available to investigators:
    o Tabular: sortable fields, file analysis features and export
    o Graphic: the behavior of every activity on the file system; a useful tool to visualize peaks of accesses, modifications or creations
     Bookmark results for further in-depth analysis.
     Tools: fls + mactime
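An added example by the editor of what the fls + mactime pipeline on slide 50 produces, in Python rather than mactime's Perl, and not PTK's or TSK's code: a few constructed lines in the bodyfile layout that `fls -m` emits (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) are turned into timeline events, one per distinct timestamp of each file, with the MACB flag string and the unallocated marker, and then filtered by time interval as the MACB interval filter of slide 46 does. The sample lines and their timestamps (Unix epoch seconds, as in the real format) are made up.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed bodyfile lines in the `fls -m` layout (MD5 is 0 when not computed).
SAMPLE_BODYFILE = """\
0|/Documents/plan.docx|128-128-3|r/rrwxrwxrwx|0|0|40960|1225544400|1225540800|1225540800|1225000000
0|/Temp/tool.exe (deleted)|231-128-1|r/rrwxrwxrwx|0|0|51200|1225551000|1225551000|1225551300|1225551000
0|/$OrphanFiles/OrphanFile-300|300-128-1|r/rrwxrwxrwx|0|0|1024|1225552000|1225552000|1225552000|1225552000
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")


def parse_bodyfile(text):
    """Yield one dict per bodyfile line; reject lines with the wrong field count."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError("line %d: expected %d fields, got %d" % (lineno, len(FIELDS), len(parts)))
        rec = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        # fls marks unallocated entries with "(deleted)"; TSK 3.0 lists orphans under $OrphanFiles.
        rec["deleted"] = rec["name"].endswith("(deleted)") or "$OrphanFiles" in rec["name"]
        yield rec


def macb_events(records):
    """One event per distinct timestamp of each file, flagged M/A/C/B the way mactime does."""
    events = []
    for rec in records:
        by_time = defaultdict(set)
        for flag, key in (("M", "mtime"), ("A", "atime"), ("C", "ctime"), ("B", "crtime")):
            if rec[key] > 0:                      # 0 means "not set" in the bodyfile
                by_time[rec[key]].add(flag)
        for ts, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "MACB")
            events.append((ts, macb, rec["size"], rec["inode"], rec["name"], rec["deleted"]))
    events.sort()
    return events


def events_between(events, start, end):
    """Inclusive epoch interval: the MACB interval filter of the File Analysis section."""
    return [e for e in events if start <= e[0] <= end]


def format_event(event):
    ts, macb, size, inode, name, deleted = event
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return "%s %8d %s %12s %s%s" % (when, size, macb, inode, name, "  [unallocated]" if deleted else "")


if __name__ == "__main__":
    for ev in macb_events(parse_bodyfile(SAMPLE_BODYFILE)):
        print(format_event(ev))
```

Rendering in UTC is deliberate: the FAT daylight-saving test in the DFTT suite (slide 57) exists precisely because local-time conversion of FAT timestamps is where timelines go wrong.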
  • 51. Timeline - screenshots
  • 52. Timeline - screenshots
  • 53. Keyword search
     The Keyword Search section offers two main features:
    o Indexed search: a thorough search among the keywords extracted during indexing
    o Live search: a direct search on the evidence
     Regular expressions are supported, with the possibility to save frequently used regexps in a file.
     Bookmark results for further in-depth analysis
  • 54. Keyword search - tools
     Live search: dls + srch_strings + grep
     Live search information: ifind + istat + grep
  • 55. Keyword search - screenshots
  • 56. Keyword search - screenshots
  • 57. Keyword search – DFTT test
    DFTT test                    Passed
    Extended partition test      X
    FAT keyword search           X
    NTFS keyword search          X
    EXT3FS keyword search        X
    FAT daylight saving test     X
    FAT undelete test            X
    NTFS undelete test           X
    JPEG search test             -
  • 58. Gallery
     The Gallery allows investigators to visualize and manage graphic evidence.
     Images can be bookmarked, exported and analyzed through the user interface.
     Image thumbnails are rendered
     Extract graphical content: icat
  • 59. Gallery - screenshots
  • 60. Data Unit
    Enables raw-level disk analysis, and also:
    o visualization of an image's "allocation list", which supplies information on sector allocation
    o content analysis of a sector or an interval of sectors
    o allocation list generation: dls
  • 61. Data Unit - screenshots
  • 62. Bookmark
     This section enables investigators to create bookmarks for the evidence found during analysis, in particular for:
    o a single file
    o a file portion
    o a search result
    o a timeline event
     Bookmarks can be generated from all PTK sections
     One or more tags can be associated with every bookmark, which simplifies organizing results.
  • 63. Bookmark - screenshots
  • 64. Bookmark - outline
     Every investigator generates his own bookmark list for every case assigned to him
     An investigator can visualize only his own bookmarks
     Only the Master Investigator is allowed to visualize other investigators' bookmarks.
  • 65. Report
     With PTK, investigators can generate PDF reports of the evidence found during analysis.
     Reports contain case information and images. They are generated from the bookmarks added by users.
     Reports are visualized from the interface.
     It is possible to include evidence thumbnails in graphical format.
  • 66. Report - screenshots
  • 67. Dashboard
     Starting with version 1.0, the application info zone includes a practical dashboard that helps monitor the system status. It includes:
    o Free memory
    o Average CPU usage
    o Free disk
    o Disk usage percentage
     The investigator can choose to hide or show the dashboard during analysis.
  • 68. RAM Dump analysis
     Memory dump analysis is performed through the Volatility framework (https://www.volatilesystems.com).
    o For the moment the supported version is 1.3
    o Memory dumps from Windows XP SP2 and SP3 are supported.
     It is possible to run a string search in both ASCII and Unicode format.
     Results can be added to PTK bookmarks just like other evidence.
  • 69. RAM Dump analysis: features
     Date and time
     Running processes
     Open network sockets
     Open network connections
     DLLs loaded for each process
     Open files for each process
     Open registry handles for each process
     A process' addressable memory
     OS kernel modules
     Mapping physical offsets to virtual addresses (strings to process)
     Virtual Address Descriptor information
     Scanning examples: processes, threads, sockets, connections, modules
     Extract executables from memory samples
     Transparently supports a variety of sample formats (i.e. crash dump, hibernation, DD)
     Automated conversion between formats
  • 70. RAM Dump analysis – process list
  • 71. RAM Dump analysis – keyword search
     PTK enables a string search on the RAM memory dump.
     Keyword searches can be launched in the following formats:
    o ASCII
    o Unicode
     Regular expressions are supported.
     All search results can be added to the bookmarks.
     Live search on RAM content: srch_strings + grep
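Slide 18 (ASCII and Unicode string extraction during indexing), slide 54 (live search as dls + srch_strings + grep) and slide 71 (the same search over a RAM dump) all rest on one operation, so here is one added example for all three, written by the editor in Python; it is not PTK's code and does not call the TSK binaries. It pulls printable ASCII runs and UTF-16LE runs out of a byte buffer with their offsets, the way `srch_strings -t d` and `srch_strings -e l` report them, greps the result with a regular expression, and maps each hit back to the byte offset and sector in the evidence, which is what `ifind -d` then needs to name the owning inode. The evidence buffer is constructed inline.

```python
import re

# Constructed evidence buffer: zero padding, an ASCII string, non-text filler, a UTF-16LE path.
SAMPLE = (
    b"\x00" * 600
    + b"Transfer IBAN DE89 3704 0044 0532 0130 00"
    + b"\xff" * 100
    + "C:\\Users\\mallory\\secret.docx".encode("utf-16-le")
    + b"\x00" * 50
)


def extract_strings(data, min_len=4):
    """Yield (offset, encoding, text): ASCII runs as `srch_strings -t d` reports them,
    16-bit little-endian runs as `srch_strings -e l` does."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_run.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def keyword_search(data, pattern, flags=re.IGNORECASE):
    """grep the extracted strings with a regex and report, for every match, the byte
    offset inside the evidence so it can be handed to ifind -d / istat."""
    rx = re.compile(pattern, flags)
    hits = []
    for off, enc, text in extract_strings(data):
        width = 1 if enc == "ascii" else 2          # bytes per character in the evidence
        for m in rx.finditer(text):
            hits.append({"offset": off + m.start() * width, "encoding": enc,
                         "match": m.group(), "string": text})
    hits.sort(key=lambda h: h["offset"])
    return hits


def sector_of(offset, sector_size=512):
    """Data unit containing the hit; the value `ifind -d` maps to a metadata address."""
    return offset // sector_size


if __name__ == "__main__":
    for h in keyword_search(SAMPLE, r"IBAN [A-Z]{2}\d{2}|secret\.docx"):
        print("offset %6d  sector %4d  %-8s %r" % (h["offset"], sector_of(h["offset"]),
                                                    h["encoding"], h["match"]))
```

Searching the decoded strings rather than the raw bytes is what makes a single regex find a term in both encodings; multiplying the match position by the character width is what keeps the reported offset pointing at the right sector for the Unicode case.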
  • 72. RAM Dump analysis – keyword search
  • 73. Multi users - Case Lock
     PTK enables case management at various levels
     Only the Master Investigator has access to all cases.
     An investigator has access only to the cases assigned to him
     The Master Investigator can decide at any time to use the Lock feature on a case. This feature forbids access to the case.
  • 74. Multi users – Users management
     It is possible to create an unlimited number of investigators
     Every investigator has his own area in the database where he saves his own bookmarks.
  • 76. Multi users – simultaneous work 1
    The Administrator may add new cases and select the investigators allowed to access them.
  • 77. Multi users – simultaneous work 2
    Several investigators are able to work on the same case simultaneously
  • 78. Multi users – simultaneous work 3
    The Administrator activates the Lock on CASE1
  • 79. Multi users – simultaneous work 4
    Now only the Administrator can access CASE1, while the case is locked for the others.
  • 80. PTK logging
     PTK generates a log entry for every operation
     Logs are generated for every user category
     Logs can be exported
  • 81. PTK vs FTK imager
  • 82. PTK vs FTK imager
  • 83. Alternate Data Stream
    Description…
  • 84. File mismatch
  • 85. PTK – troubleshooting - TSK
    The installer doesn't detect the TSK tools:
    Solution:
  • 86. PTK – troubleshooting - permissions
    The installer detects problems with the folder permissions in the PTK root:
    Solution:
  • 87. PTK – troubleshooting – case adding
    It is not possible to add cases to PTK
    Solution:
  • 88. PTK – troubleshooting – PHP issue
    The PHP code is not interpreted
    Solution:
  • 89. PTK – troubleshooting – memory limit
    A memory size error comes up:
    Solution:
  • 90. PTK – troubleshooting – EWF support
    The file system type of an EnCase image is not recognized
    Solution: install libewf support
  • 91. PTK – troubleshooting – EWF support
  • 92. PTK - Roadmap
     AFF extensions [end of 2008]
     PST, DBX mail archive support [end of 2008]
     RegRipper integration [end of 2008]
     Hash set comparison [end of 2008] (ability to include the NSRL hash set)
     Case migration [Q1 2009] (ability to export and import cases)
     Single binary launcher [Q1 2009] (no need to install MySQL and Apache)
     Incident Response Mode (PTK-IR) [Q1 2009] (enable PTK to be included on a Linux Live CD for first response activities)
     Data carving process [Q2 2009]
  • 93. PTK – Roadmap features
  • 94. Thank you