SANS Digital Forensics and Incident Response Blog: Author - michelezambelli


Both the free version and the commercial version of the PTK project, the latter shipped as an appliance, are under constant development. PTK is now able to manage hash libraries thoroughly and accurately, which makes investigation processes faster and easier. At the moment, PTK works with hash libraries in HashKeeper format or imports only those hash values already known to the investigator. PTK doesn't just create hash sets flagged as GOOD or BAD; it also offers the possibility of creating new personalized sets and of choosing, case by case, the most appropriate set for the lookup operation. The screenshot below shows how it is possible to create three different hash sets (for example INFECTED, SYSTEM and STOLEN).


PTK's new data carving feature

This new feature, available in the Appliance version, will be automatically integrated with the numerous features PTK already has. Through this section, every investigator will be able to run the data carving process on any imported image and analyze the results inside the file analysis section. To implement data carving, PTK uses a technique called 'zero storage'. This mode makes it possible to run the data carving process without allocating physical space on the disk; instead, for every recognized file, only its reference inside the image (start sector and offset) is saved. The investigator therefore doesn't have to worry about free space on the hard disk and can choose to export, at the end of the process, only the files of greatest interest.
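The 'zero storage' idea described above, as an added illustration that is not PTK's code: the carver records where each recognized file lives (start sector, offset within that sector, length) instead of writing its bytes out, and the bytes are read from the image only when an export is requested. The 512-byte sector size, the JPEG-only signatures and the constructed sample image are assumptions of this example.

```python
"""Minimal 'zero storage' carver (illustration, not PTK's implementation).

Instead of copying every recognized file to disk, the scan keeps a reference
(start sector, in-sector offset, length). Bytes are pulled from the image only
when the investigator asks for an export. Assumed: 512-byte sectors, JPEG only.
"""
from dataclasses import dataclass

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


@dataclass(frozen=True)
class CarveRef:
    start_sector: int   # sector in which the file header begins
    offset: int         # byte offset of the header inside that sector
    length: int         # bytes from header to end of the footer

    @property
    def abs_start(self) -> int:
        return self.start_sector * SECTOR + self.offset


def carve_refs(image: bytes, max_len: int = 4 * 1024 * 1024) -> list:
    """Scan for JPEG header/footer pairs; return references, not file bytes."""
    refs, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) >= 0:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_len)
        if end < 0:                     # header without footer: skip it
            pos = start + 1
            continue
        length = end + len(JPEG_EOI) - start
        refs.append(CarveRef(start // SECTOR, start % SECTOR, length))
        pos = start + length
    return refs


def export(image: bytes, ref: CarveRef) -> bytes:
    """Materialize one carved file on demand from its stored reference."""
    return image[ref.abs_start:ref.abs_start + ref.length]


# Constructed sample image: 8 zero-filled sectors with two fake JPEGs embedded,
# the second one deliberately spanning a sector boundary.
_img = bytearray(8 * SECTOR)
JPG1 = JPEG_SOI + b"\xe0" + b"A" * 100 + JPEG_EOI          # 106 bytes at 1000
JPG2 = JPEG_SOI + b"\xe1" + b"B" * 700 + JPEG_EOI          # 706 bytes at 2050
_img[1000:1000 + len(JPG1)] = JPG1
_img[2050:2050 + len(JPG2)] = JPG2
SAMPLE_IMAGE = bytes(_img)

if __name__ == "__main__":
    for ref in carve_refs(SAMPLE_IMAGE):
        print(ref, len(export(SAMPLE_IMAGE, ref)), "bytes")
```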

PTK Timeline Analysis

By Michele Zambelli

Timeline analysis allows investigators to identify the so-called footprint, i.e. the traces that an attacker inevitably leaves behind on the compromised system. The action column in the timeline table has one or more of the following values.

  • a: the last file access
  • c: the file was changed


PTK Live and Indexed keyword search

A forensic analysis tool has to be able to execute thorough keyword search operations. PTK's search tool is able to isolate the searched keywords even in the most complex and unusual situations. It is possible to verify whether a keyword is located in portions of the file system that are hard to analyze, whether that is due to chance or to user intent. Here are examples of the most interesting situations:

  • allocated/unallocated space
  • crosses two allocated/unallocated files
  • crosses consecutive sectors in a file
  • crosses a file into slack
  • slack space
  • crosses fragmented sectors
  • resident allocated/unallocated file
  • resident alternate data stream in an allocated/unallocated file/directory
  • non-resident allocated/unallocated file

All these situations can further vary depending on the file system under investigation. For instance, NTFS offers features that can be used to "hide" a file, consider the


PTK: Evidence adding and Indexing

At the moment, the output formats used in computer forensics to support media duplication are mainly three:

  • dd (RAW image) - the simplest and most widely used format
  • Encase format (EWF) - a closed format now widely supported by computer forensics products
  • AFFLIB format (AFF) - very complete but still expanding

PTK can recognize the formats listed above. Usually, a media copy is stored either as a single file or as split files. PTK is able to recognize the split image situation and, given the first chunk, automatically imports the additional files. No log files or other types of data are allowed inside the evidence directory (i.e. file.e01, file.e02 together with file.log is not permitted). Through TSK, PTK automatically recognizes every partition