SANS Digital Forensics and Incident Response Blog

PTK an advanced alternative interface for TSK, the presentation

PTK was developed from scratch and besides providing functions already present in Autopsy Forensic Browser, it implements numerous new features essential during forensics work. PTK is not just a new graphic and highly professional interface based on Ajax technology. It offers many features such as analysis, search and management of complex cases. This is the PTK Schema:
PTK-generalschemaPTK Schema
The main component of the software is made up of an efficient Indexing Engine performing different preliminary analysis operations during evidence importing. PTK enables the management of different cases and allows different levels of multi-users. It is possible to allow multiple investigators to work the same case simultaneously. All the bookmarks generated by an investigator are saved in a reserved section of the database. PTK uses the LAMP stack.

PTK main features:
  • Preliminary indexing phase
  • Efficient file analysis
  • Dynamic time line
  • File categorization
  • Gallery view
  • Indexed keyword search
  • Personal bookmark section
  • Cases features shared between multiple investigators

PTK was tested by means of the 13 disk images recreated by Brian Carrier, which can be found at DFTT. This process aims at consolidating PTK's features making it the most efficient during the search activity and adding only those features which are indispensable. We have so far passed 8 of the 13 tests.

New articles relating to PTK are going to be proposed every month. The next two articles describe the software structure, its installation, configuration and updating. Afterwards, PTK's various sections such as file analysis, timeline analysis and keyword analysis will be described. For each section, function related examples and practical cases of how to use the tool are going to be proposed. Here is a list of the topics addressed:

Sept: PTK structure and components

Oct: PTK installation, configuration and updating

Nov: PTK adding evidence(RAM, disk image), file analysis,
filtering

Dec: PTK, multi-investigator environment, Case Locking. Bookmarking and reporting

Jan: PTK Keyword Live and indexed search. Deleted, Fragmented file
searching. Regular expression searching and keywords list importing.

Feb: PTK timeline analysis. Find footprint based on MAC time

Mar: PTK, graphical analysis

PTK is now being beta tested for Linux and MacOS platforms; the last version of PTK is beta 0.2 and can be downloaded from here. It is also included as a part of the SANS Investigative Forensic Toolkit (SIFT) Workstation.

PTK official Site: ptk.dflabs.com
Michele Zambelli, GCFA SIlver #1856