SANS Digital Forensics and Incident Response Blog: Tag - PTK


Both the free version and the commercial version of the PTK project, equipped with an appliance, are constantly developing. PTK is now able to thoroughly and accurately manage the hash libraries thus rendering investigation processes faster and easier. At the moment, PTK is working with hash libraries in Haskeeper format or is importing only those hash values known to the investigator. PTK doesn't just create hash sets checking them as GOOD or BAD but offers the possibility to create new personalized sets and chooses, given the case, the most appropriate set for the lookup operation. The screenshot below shows how it is possible to create three different hash sets (such as for example INFECTED, SYSTEM, STOLEN )


PTK: Evidence adding and Indexing

At the moment the output formats used in computer forensics for the support of media duplication are mainly three:

? dd (RAW image) - the best and most utilized format
? Encase format (EWF) - closed format now widely supported by the CF products
? AFF Lib Format- very complete but still expanding

PTK can recognize the above listed formats. Usually, a media copy can be made from a single file or on split files. PTK is able to recognize the split image situation and, given the first chunk, automatically import the additional files. No log files or other types of data are allowed inside the evidence directory (i.e. file.e01, file.e02, file.log is not permitted). Through TSK, PTK automatically recognizes every partition


PTK installation, configuration and updating

In this article, we will describe the installation of PTK, a very simple and automated process notwithstanding the use it makes of various components. This process is entirely web based. First of all we remind you that the PTK 1.0 was made available for download on October 28. (PTK 1.0 changelog)

Preliminary system setup

Before starting the installation, make sure that packages essential for the functioning of PTK are available. Please note that PTK correctly supports the Mozilla Firefox, Safari and Chrome browsers. The software requirements for using PTK are as follows:

Before installing PTK, check that Apache daemons (with


PTK structure and components

PTK Indexing
The Sleuth Kit (TSK) and PTK are both Open Source and run on UNIX platforms. As shown in the figure, there is an interaction between the advanced interface PTK and TSK core.

PTK core

In particular, TSK, shown in green, is responsiblefor acquiring, extracting and managing the low layer of data contained in the disk images. Thus, PTK adds three more levels of data management, including an indexing engine and a database, which is one of the most important new features of the project. PTK performs a preliminary indexing of images that investigator has to analyze. The Administrator can choose among these


PTK an advanced alternative interface for TSK, the presentation

PTK was developed from scratch and besides providing functions already present in Autopsy Forensic Browser, it implements numerous new features essential during forensics work. PTK is not just a new graphic and highly professional interface based on Ajax technology. It offers many features such as analysis,search and management of complex cases. This is the PTK Schema:

PTK Schema


The main component of the software is made up of an efficient Indexing Engine performing different preliminary analysis operations during evidence importing. PTK enables the management of different cases and allows different levels