SANS Digital Forensics and Incident Response Blog

PTK Live and Indexed keyword search

A forensic analysis tool has to be able to execute thorough keyword search operations. PTK's search tool is able to isolate the searched keywords even in the most complex and unusual situations. It is possible to verify whether a keyword lies in portions of the file system that are hard to analyze, whether it ended up there by chance or by user intent. Here are examples of the most interesting situations:

- allocated/unallocated space
- crosses two allocated/unallocated files
- crosses consecutive sectors in a file
- crosses a file into slack
- slack space
- crosses fragmented sectors
- resident allocated/unallocated file
- resident alternate data stream in an allocated/unallocated file/directory
- non-resident allocated/unallocated file

All these situations can further vary depending on the file system under investigation. For instance, NTFS offers features that can be used to "hide" a file; take the Resident and ADS (Alternate Data Stream) attributes, for example.
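The boundary cases listed above are exactly the ones that a search walking the file system's logical files never sees. The following Python script is an added example, not PTK code: it builds a constructed 16-sector toy image (the sector size, the file layout and the keyword placements are all assumptions made for the demonstration), plants a keyword in each situation, and compares a per-file search with a live search of the raw bytes. The live search carries the last `len(keyword) - 1` bytes of every read into the next one, so a keyword split across sectors, files or read buffers is still found, and found exactly once.

```python
import io

SECTOR = 512           # assumed sector size for the toy image
KEYWORD = b"evidence"  # constructed search term

# Constructed 16-sector layout (not a real file system):
#   file A: sectors 0-3, logical size 2048 bytes (fills its sectors, no slack)
#   file B: sectors 4-7, logical size 1500 bytes (bytes 3548..4095 are slack)
#   sectors 8-15: unallocated
FILES = {"fileA": (0, 4, 2048), "fileB": (4, 8, 1500)}  # name -> (first sector, end sector, size)

# Byte offsets at which the keyword is planted, and the situation each one models.
PLANTED = {
    100:  "inside allocated file A",
    2044: "crosses from file A into file B",
    3545: "crosses from file B content into file B slack",
    3600: "entirely in file B slack",
    4092: "crosses file B slack into unallocated space (and a 4096-byte read boundary)",
    5220: "in unallocated space",
}


def build_image() -> bytes:
    """Assemble the toy image: filler for the two files, nulls elsewhere, keyword planted."""
    buf = bytearray(16 * SECTOR)
    buf[0:2048] = b"A" * 2048
    buf[2048:3548] = b"B" * 1500
    for off in PLANTED:
        buf[off:off + len(KEYWORD)] = KEYWORD
    return bytes(buf)


def region(offset: int) -> str:
    """Name the region (file content, file slack or unallocated) holding one byte."""
    sector = offset // SECTOR
    for name, (first, end, size) in FILES.items():
        if first <= sector < end:
            return name if offset < first * SECTOR + size else name + " slack"
    return "unallocated"


def classify(offset: int, length: int) -> str:
    """Describe which region(s) a match of `length` bytes at `offset` touches."""
    start, end = region(offset), region(offset + length - 1)
    return start if start == end else "crosses " + start + " -> " + end


def per_file_search(image: bytes, keyword: bytes = KEYWORD) -> list:
    """A search over logical files only: it sees each file's content bytes and nothing else."""
    hits = []
    for first, _end, size in FILES.values():
        base = first * SECTOR
        content = image[base:base + size]
        i = content.find(keyword)
        while i >= 0:
            hits.append(base + i)
            i = content.find(keyword, i + 1)
    return sorted(hits)


def live_search(stream, keyword: bytes, chunk_size: int = 4096) -> list:
    """Scan a stream of raw bytes in chunks, keeping the last len(keyword) - 1 bytes of
    each chunk so a keyword split across two reads is still matched, exactly once."""
    hits = []
    overlap = len(keyword) - 1
    carry = b""
    base = 0  # absolute offset of window[0]
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        window = carry + data
        i = window.find(keyword)
        while i >= 0:
            hits.append(base + i)
            i = window.find(keyword, i + 1)
        carry = window[-overlap:] if overlap else b""
        base += len(window) - len(carry)
    return hits


def search_image(image: bytes, keyword: bytes = KEYWORD, chunk_size: int = 4096) -> list:
    """Live search of the whole image, each hit labelled with the region(s) it touches."""
    hits = live_search(io.BytesIO(image), keyword, chunk_size)
    return [(off, classify(off, len(keyword))) for off in hits]


if __name__ == "__main__":
    img = build_image()
    print("per-file search:", per_file_search(img))
    for off, where in search_image(img):
        print(f"live search: offset {off:5d}  {where}")
```

Run as-is, the per-file search reports only the hit inside file A's content, while the live search reports all six plantings. Shrinking `chunk_size` below the keyword length still yields the same six offsets, which is the property the overlap buys: the result never depends on where the reads happen to fall.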

In addition, every keyword search activity has to include compressed and encrypted files. An entropy test, the temporary decompression of archives and a search inside the expanded files should be applied first. For encrypted archives the discussion can be very broad and, depending on the crypto technology used, different techniques can be adopted. Moreover, a good forensic analysis tool has to offer regular expression search.
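The entropy screen and the temporary expansion of archives described above, as an added Python example that is not PTK code: `shannon_entropy` scores a buffer in bits per byte (the 7.0 cut-off in `looks_compressed_or_encrypted` is an assumed heuristic, not a PTK setting), and `search_archive` expands a constructed ZIP, nested archives included, entirely in memory and searches each member. Encrypted archives are left to the crypto techniques the text alludes to and are not handled here.

```python
import io
import math
import zipfile


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text sits around 4-5, compressed or
    encrypted data close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_compressed_or_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Entropy screen: anything at or above the (assumed) threshold is a candidate
    for decompression, or for the crypto track if no archive format is recognised."""
    return shannon_entropy(data) >= threshold


def make_archive(members: dict) -> bytes:
    """Build a ZIP in memory from {name: content}; used only to construct sample data."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return bio.getvalue()


def search_archive(archive: bytes, keyword: bytes) -> list:
    """Expand a ZIP in memory (nothing is written to disk) and search every member.
    Returns (member path, offset within member) for each hit; archives nested
    inside the archive are expanded recursively and reported with a path prefix."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):
                hits.extend((info.filename + "/" + name, off)
                            for name, off in search_archive(data, keyword))
                continue
            i = data.find(keyword)
            while i >= 0:
                hits.append((info.filename, i))
                i = data.find(keyword, i + 1)
    return hits


# Constructed sample: an archive holding a text file and a second, nested archive.
SAMPLE_ARCHIVE = make_archive({
    "notes.txt": b"meeting with alice at noon\n",
    "inner.zip": make_archive({"todo.txt": b"call alice, then bob\n"}),
})


if __name__ == "__main__":
    print("entropy of archive:", round(shannon_entropy(SAMPLE_ARCHIVE), 2))
    print("hits inside archive:", search_archive(SAMPLE_ARCHIVE, b"alice"))
```

The search runs against the decompressed member bytes, so the offsets it reports are positions inside each member, not positions in the evidence; a tool that wants to bookmark the hit has to record both the archive's own location and the member path.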

PTK provides a section completely dedicated to keyword search activities. In the design phase of the tool, we added an indexing feature able to index every string present in the evidence that is at least 4 characters long without symbols, and to insert the results in the PTK database. The keyword search tab was meant to work in two ways: the first performs indexed searches (Indexed Search), whose results are practically instantaneous; the second performs a live search on the imported evidence (Live Search). The Live module was added in order to extend the search ability of the indexed module and thus find keywords even in unusual situations such as those described earlier. A simple example is a keyword split between two files or located in the slack space; following the normal structure of the file system, such keywords could not even be identified. PTK also allows regular expression searches. A set of expressions (email address, IP address, CC number, etc.) is supplied with the tool; the user can however add new regular expressions by editing the /ptk/regex.txt file.
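The indexing rule and the two search modes just described, as an added Python example that is not PTK code: one pass over a constructed evidence buffer extracts every run of at least 4 characters without symbols (taken here to mean alphanumeric runs, an assumption about PTK's exact character class) into an in-memory SQLite table standing in for the PTK database, `indexed_search` answers from that table alone, and `regex_search` runs named patterns over the raw bytes. The two expressions in `SUPPLIED_REGEX` are written for this example and are not PTK's own.

```python
import re
import sqlite3

# Constructed evidence buffer (not a real image): printable runs between binary bytes.
EVIDENCE = (
    b"\x00\x01contact: alice@example.org\x00\xff\xfe"
    b"host 192.168.10.25 port 8080\x00\x00"
    b"ab\x00cd\x00"            # runs shorter than 4 characters are not indexed
    b"secret-note\x00"         # the hyphen is a symbol, so this indexes as 'secret' and 'note'
    b"ALICE\x00"               # indexed in lower case, so it matches a search for 'alice'
)

# "At least 4 characters without symbols" is taken here to mean alphanumeric
# runs of length 4 or more (an assumption about PTK's exact character class).
STRING_RUN = re.compile(rb"[A-Za-z0-9]{4,}")


def build_index(evidence: bytes) -> sqlite3.Connection:
    """One pass over the evidence: every qualifying string and its byte offset go
    into an in-memory SQLite table, used here as a stand-in for the PTK database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE strings (term TEXT NOT NULL, offset INTEGER NOT NULL)")
    conn.execute("CREATE INDEX strings_term ON strings (term)")
    rows = [(m.group().decode("ascii").lower(), m.start())
            for m in STRING_RUN.finditer(evidence)]
    conn.executemany("INSERT INTO strings VALUES (?, ?)", rows)
    conn.commit()
    return conn


def indexed_search(conn: sqlite3.Connection, term: str) -> list:
    """Indexed Search: a single lookup in the table, no pass over the evidence."""
    cur = conn.execute("SELECT offset FROM strings WHERE term = ? ORDER BY offset",
                       (term.lower(),))
    return [row[0] for row in cur]


# Patterns of the kind a tool ships ready-made; these two are written for this
# example and are not PTK's own expressions.
SUPPLIED_REGEX = {
    "email": rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    "ipv4": rb"\b(?:\d{1,3}\.){3}\d{1,3}\b",
}


def regex_search(evidence: bytes, patterns: dict = SUPPLIED_REGEX) -> dict:
    """Run every named pattern over the raw evidence; hits are (offset, match text)."""
    return {
        name: [(m.start(), m.group().decode("ascii", "replace"))
               for m in re.finditer(pattern, evidence)]
        for name, pattern in patterns.items()
    }


if __name__ == "__main__":
    idx = build_index(EVIDENCE)
    for term in ("alice", "org", "secret-note"):
        print(f"indexed search {term!r}: {indexed_search(idx, term)}")
    for name, hits in regex_search(EVIDENCE).items():
        print(f"regex {name}: {hits}")
```

The index answers `alice` instantly with both offsets, but returns nothing for `org` (below the 4-character threshold) or for `secret-note` (the symbol splits the run), which is precisely why an indexed search needs the live search beside it: anything the indexing rule did not capture, including keywords broken by a symbol, a null byte or a file boundary, can only be found by scanning the raw evidence.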

[Figure: PTK regular expression search]

The new PTK 1.0.5 version is ready and can be downloaded from the official website as well as from Sourceforge. The program has been improved in the following sections:

- Enhanced live search section
- Enhanced support for split images (analysis, keyword and bookmark sections)
- Enhanced filter section

You might have noticed that only the latest PTK version is available from now on. This ensures that PTK users always download the most recent release. 2009 will bring many new features to PTK; besides the features currently in the roadmap, PTK will be improved, will become faster and will perform better thanks to a number of solutions that are already being tested.

Michele Zambelli, GCFA Silver #1856, is a member of the PTK Team and a Security Consultant at DFLabs Italy.