SANS Digital Forensics and Incident Response Blog

PTK structure and components

PTK Indexing
The Sleuth Kit (TSK) and PTK are both open source and run on UNIX platforms. As shown in the figure, the advanced interface PTK interacts with the TSK core.

PTK core

In particular, TSK, shown in green, is responsible for acquiring, extracting and managing the low-level data contained in the disk images. On top of it, PTK adds three further layers of data management, including an indexing engine and a database, which is one of the most important new features of the project. PTK performs a preliminary indexing of the images that the investigator has to analyze. The administrator can choose among these operations:

* String extraction (ASCII and Unicode) from:
  o Allocated space
  o Unallocated space
  o Slack space (NTFS and FAT)
* File content type
  o File signature analysis
  o File extension mismatch
  o File categorization (graphics, documents, executables etc.)
* Metadata and hash generation for the files present on the evidence
* Timeline generation
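As an added illustration of the file-content indexing steps listed above (signature analysis, extension-mismatch detection, string extraction and hash generation), here is a small Python indexer run over a constructed in-memory evidence set; it is example code, not PTK's own, and the signature table and sample files are assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed signature table: leading magic bytes -> (category, expected extensions).
SIGNATURES = {
    b"\xff\xd8\xff": ("graphics", {"jpg", "jpeg"}),
    b"\x89PNG\r\n\x1a\n": ("graphics", {"png"}),
    b"%PDF-": ("documents", {"pdf"}),
    b"MZ": ("executables", {"exe", "dll", "sys"}),
}

@dataclass
class IndexRecord:
    name: str
    sha1: str        # hash generated during indexing
    category: str    # from signature analysis, "unknown" if no magic matched
    mismatch: bool   # True when the extension does not fit the detected signature
    strings: list    # printable ASCII strings extracted from the content

def classify(data: bytes):
    for magic, (category, exts) in SIGNATURES.items():
        if data.startswith(magic):
            return category, exts
    return "unknown", set()

def extract_strings(data: bytes, min_len: int = 4) -> list:
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def index_file(name: str, data: bytes) -> IndexRecord:
    category, exts = classify(data)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    mismatch = category != "unknown" and ext not in exts
    return IndexRecord(name, hashlib.sha1(data).hexdigest(), category, mismatch, extract_strings(data))

def index_evidence(files: dict) -> list:
    return [index_file(n, d) for n, d in files.items()]

# Constructed sample "evidence": a genuine JPEG header, a PE header renamed as a picture, and plain text.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4 ...",
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "photo2.jpg": b"MZ\x90\x00" + b"\x00" * 16,
    "notes.txt": b"just text",
}

if __name__ == "__main__":
    for rec in index_evidence(SAMPLE_FILES):
        flag = "EXTENSION MISMATCH" if rec.mismatch else ""
        print(f"{rec.name:14} {rec.category:12} {rec.sha1[:12]} {flag}")
```

A real indexer would walk the file system through TSK and write each record to the case database; the mismatch flag is what lets an examiner spot an executable hiding behind a picture extension.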

The results of the preliminary operations are stored in the database so that they can be queried faster. The remaining operations (i.e. file and directory export) can be executed on demand, directly on the disk image. The following figure lists the tools currently used to navigate the evidence file system:

PTK components

Concurrent work and analysis
The main aim of PTK is to provide a system that allows investigators to work on the same shared cases. This reduces the workload and speeds up obtaining results. To reach this goal, PTK uses a centralized database for case management, so several investigators can work on the same case from different machines at the same time. After the preliminary operations performed by the indexing engine, the PTK DBMS backend takes charge of concurrency management. Note that the number of simultaneous examiners depends on several factors, such as hardware, available bandwidth, the number of disk images included in the case and so on.

The PTK Team created a security mechanism governing simultaneous access to a case and sequential access to the same case (i.e. locking). The administrator may add new cases and select the investigators who will be allowed to access them. This means better security, role-based access control and, most importantly, tracking of every single operation.

Analysis sections:
The main features and components of PTK are:
* File analysis
  o Tree view listing directories and files
  o Tabbed browsing to view file content (ASCII, hex, strings)
  o Paged output (for better performance)
  o Data export
  o Bookmarking
  o Graphical evidence preview
* Keyword search
  o Indexing
  o Live system support
* Timeline
  o Textual
  o Graphical (MACB trend)
* Data unit
* Gallery
* Bookmarking
* Reporting

In the next article I'll cover the installation, configuration and updating operations of PTK.

Michele Zambelli, GCFA Silver #1856, is a member of the PTK Team and a Security Consultant at DFLabs Italy.