PTK DFLabs

File Analysis

 

The File Analysis section lets the investigator browse the entire disk tree and explore the content of each directory. Each file can be displayed in the following formats:

  • ASCII
  • ASCII strings
  • Hex dump
  • Image preview (graphic files only)

 

Investigators have full access to the data held in every file on the disk, both allocated and unallocated.

All operations are fast and intuitive thanks to the tree view and the tab system. Every result obtained during file analysis is bookmarked for later review.

 

Keyword search is divided into two sections:

  • Indexed search
  • Live search

The former relies on a prior, thorough indexing of keywords; the latter is a powerful search run directly over the content of individual files.

 

PTK has a panel from which the investigator generates a timeline of the disk. The time interval covered by the timeline can be chosen, and the content of any file can be analyzed directly from the timeline.



The entire analysis section is backed by a bookmark system built up during the analysis; each investigator manages their own bookmarks and can share them with the other investigators.

 

PTK relies on a set of command-line tools during analysis (fls, icat and srch_strings come from The Sleuth Kit; hexdump and file are standard system utilities):

  • Disk browsing: fls
  • File ASCII: icat
  • File ASCII strings: icat + srch_strings
  • File hex dump: icat + hexdump
  • Filetype check: icat + file
  • Image preview: icat

 


 




 

FILE ANALYSIS: FILTERING


PTK offers content filtering during file analysis, enabling the investigator to focus only on certain files within a folder.

The filter can:

  • Apply a simple text filter to the directory content.
  • Apply an advanced filter based on file type or on a date interval over the MACB times (modified, accessed, changed, born).
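The timeline panel and the date-interval filter above both work from the per-file MACB timestamps. The following is an added example, not PTK's own code: it parses a Sleuth Kit 3.x bodyfile (the `fls -m` format, assumed here as `MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime` with epoch-second times), builds a mactime-style timeline with one row per distinct timestamp, and applies the same two filters PTK offers, a text filter on the path and an inclusive time interval. The three bodyfile lines are constructed sample data, not from a real image.

```python
"""Timeline generation and MACB/interval filtering over a TSK bodyfile.

Added example, not PTK's own code. Input format assumed: The Sleuth Kit
3.x bodyfile as produced by `fls -m`:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
with times in epoch seconds (0 = not set). Names containing '|' are not
handled (TSK does not escape them).
"""
from datetime import datetime, timezone

BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")
# Column order used by mactime: m(odified) a(ccessed) c(hanged) b(orn)
MACB = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))

# Constructed sample bodyfile (three entries, not taken from a real image).
SAMPLE_BODYFILE = """\
0|/Users/alice/Documents/report.docx|1024-128-3|r/rrwxrwxrwx|0|0|20480|1277000000|1276990000|1276990000|1276900000
0|/Windows/System32/evil.exe|2048-128-1|r/rrwxrwxrwx|0|0|73728|1277100000|1277100000|1277100000|1277100000
0|/pagefile.sys|7-128-1|r/rrwxrwxrwx|0|0|268435456|1276000000|1276000000|1276000000|1275000000
"""


def parse_bodyfile(text):
    """Yield one dict per bodyfile line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(BODY_FIELDS):
            continue
        entry = dict(zip(BODY_FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            entry[key] = int(entry[key])
        yield entry


def timeline(entries, start=None, end=None, name_filter=None):
    """Return sorted (epoch, macb_flags, size, mode, name) rows, like mactime.

    start/end bound the interval (inclusive, epoch seconds); name_filter is
    a case-insensitive substring applied to the path. A timestamp of 0 is
    treated as unset and never produces a row.
    """
    rows = []
    for e in entries:
        if name_filter and name_filter.lower() not in e["name"].lower():
            continue
        for ts in sorted({e[k] for k, _ in MACB if e[k]}):
            if (start is not None and ts < start) or (end is not None and ts > end):
                continue
            flags = "".join(letter if e[k] == ts else "." for k, letter in MACB)
            rows.append((ts, flags, e["size"], e["mode"], e["name"]))
    rows.sort(key=lambda r: (r[0], r[4]))
    return rows


def render(rows):
    """Format rows as text, one timestamp per line, in UTC."""
    return "\n".join(
        f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} "
        f"{flags} {size:>10} {mode} {name}"
        for ts, flags, size, mode, name in rows)


if __name__ == "__main__":
    entries = list(parse_bodyfile(SAMPLE_BODYFILE))
    # Interval filter plus a text filter, as in PTK's advanced filter panel.
    print(render(timeline(entries, start=1276900000, end=1277100000,
                          name_filter="exe")))
```

A file whose four timestamps are identical (the `macb` row for evil.exe) is itself worth a second look: timestamps copied wholesale are a common sign of timestomping, which is exactly the kind of thing a timeline makes visible.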

 

 


 

 

DISK IMAGE INTEGRITY

 

PTK protects the integrity of the images the investigators are working on.

When adding a new image, the investigator can choose between two hash algorithms: MD5 and SHA-1.

PTK stores the calculated values in the database, which makes later comparisons possible.

 


 

The investigator can open the integrity control panel at any time. It shows the hash values of the original disk image and the date of the last check.

 

The investigator can launch an integrity check at any time: PTK recalculates the hash value and compares it with the one previously calculated and stored in the database. If the values differ, the user is warned immediately.

The MD5 and SHA-1 calculations are two separate processes, so the investigator can choose which algorithm to use to secure image integrity without wasting time and resources.
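The acquisition-time hashing, storage and later re-verification described above, written out as an added example; this is not PTK's own code, and the table layout, function names and the use of SQLite are this example's own choices. The image is a constructed temporary file; the demo hashes it, verifies it, flips a single byte and verifies again to show the warning path.

```python
"""Disk-image integrity record: hash on acquisition, store, re-verify.

Added example, not PTK's own code. It mirrors the workflow the page
describes (choose MD5 and/or SHA-1, store the digest, recompute on demand
and compare) using only the standard library; the table layout and
function names are this example's own.
"""
import hashlib
import os
import sqlite3
import tempfile
import time

SUPPORTED = ("md5", "sha1", "sha256")  # sha256 added beyond the page's two


def hash_image(path, algo, chunk_size=1 << 20):
    """Digest a (possibly huge) image in 1 MiB chunks without loading it all."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS image_hash (
                    image TEXT, algo TEXT, digest TEXT, last_check REAL,
                    PRIMARY KEY (image, algo))""")
    return db


def register_image(db, path, algos=("md5", "sha1")):
    """Compute and store the chosen digests; each algorithm is independent."""
    for algo in algos:
        if algo not in SUPPORTED:
            raise ValueError(f"unsupported algorithm: {algo}")
        db.execute("INSERT OR REPLACE INTO image_hash VALUES (?, ?, ?, ?)",
                   (path, algo, hash_image(path, algo), time.time()))
    db.commit()


def verify_image(db, path):
    """Recompute every stored digest; return {algo: (stored, current, ok)}."""
    rows = db.execute("SELECT algo, digest FROM image_hash WHERE image = ?",
                      (path,)).fetchall()
    if not rows:
        raise LookupError(f"no stored digest for {path}")
    report = {}
    for algo, stored in rows:
        current = hash_image(path, algo)
        report[algo] = (stored, current, stored == current)
        db.execute("UPDATE image_hash SET last_check = ? WHERE image = ? AND algo = ?",
                   (time.time(), path, algo))
    db.commit()
    return report


def demo(algos=("sha1",)):
    """Register a constructed image, verify, flip one byte, verify again.

    Returns (all_ok_before, all_ok_after).
    """
    fd, img = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        with open(img, "wb") as f:
            f.write(os.urandom(4096) * 64)  # 256 KiB of constructed "disk" content
        db = open_db()
        register_image(db, img, algos)
        before = all(ok for _, _, ok in verify_image(db, img).values())
        with open(img, "r+b") as f:  # simulate a one-byte corruption
            f.seek(1234)
            b = f.read(1)[0]
            f.seek(1234)
            f.write(bytes([b ^ 0xFF]))
        after = all(ok for _, _, ok in verify_image(db, img).values())
        return before, after
    finally:
        os.remove(img)


if __name__ == "__main__":
    print(demo(("md5", "sha1")))  # (True, False)
```

One caveat worth keeping in mind: MD5 and SHA-1 are perfectly adequate for catching accidental corruption of an image, but neither is collision-resistant any longer, so where the record has to stand up against a claim of deliberate substitution a SHA-2 digest (sha256 above) is the safer choice, at the cost of one more pass over the image.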

 

FILE ANALYSIS: AJAX PAGINATION

During file analysis it is possible to come across very large files; loading them in full can slow down or even crash the browser.

To avoid this problem PTK provides, through Ajax, a pagination mechanism for file content.

This system lets the investigator:

  • Browse through the pages that contain the extraction output.
  • Jump to a given page.
  • Set the size (in units) of the page to be analyzed.
  • Enable and disable pagination.

 

In this case all results are bookmarked for subsequent analysis.

 


 

 

ALTERNATE DATA STREAM


Alternate data streams (ADS) are additional data streams that can be attached to any file on an NTFS partition.

Such streams can be used to store comments or code strings that a standard analysis would not display.

Both during Live Search and File Analysis, PTK detects and displays the ADS attached to any file.
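To see where an ADS actually lives, the following added example (not PTK's code; PTK gets this information from The Sleuth Kit) walks the attributes of one NTFS MFT record and lists every $DATA attribute: the unnamed one is the file's normal content, any named one is an alternate stream. It assumes the standard 1024-byte FILE record with 512-byte sectors and applies the update-sequence fixups before parsing, which is the step that is easy to forget and that silently corrupts two bytes per sector if skipped. `build_record()` constructs a minimal record for the demo; real records also carry $STANDARD_INFORMATION and $FILE_NAME attributes, which the parser skips.

```python
"""Enumerate $DATA streams (the unnamed stream plus any ADS) in an NTFS MFT record.

Added example, not PTK's own code (PTK gets this from The Sleuth Kit).
Layout assumed: 1024-byte FILE records, 512-byte sectors, update-sequence
fixups applied before parsing. build_record() constructs a minimal
record for the demo; real records also carry $STANDARD_INFORMATION and
$FILE_NAME attributes, which list_streams() simply skips.
"""
import struct

ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
RECORD_SIZE, SECTOR_SIZE = 1024, 512


def _apply_fixups(rec):
    """Restore the last two bytes of each sector from the update sequence array."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2
        if rec[end:end + 2] != usn:
            raise ValueError("update sequence mismatch: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]


def list_streams(record):
    """Return [(stream_name, size, resident_content_or_None), ...] for $DATA attributes."""
    rec = bytearray(record)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    _apply_fixups(rec)
    off = struct.unpack_from("<H", rec, 0x14)[0]  # offset of first attribute
    streams = []
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            break
        if alen < 16 or off + alen > len(rec):
            raise ValueError("corrupt attribute length")
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        if atype == ATTR_DATA:
            if nonres:  # content lives in clusters; only the real size is in the header
                size = struct.unpack_from("<Q", rec, off + 0x30)[0]
                streams.append((name, size, None))
            else:
                clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
                streams.append((name, clen, bytes(rec[off + coff:off + coff + clen])))
        off += alen
    return streams


def _resident_attr(atype, attr_id, name, content):
    """Resident attribute: 16-byte common header, 8-byte resident header, name, content."""
    name_bytes = name.encode("utf-16-le")
    content_off = (0x18 + len(name_bytes) + 7) & ~7
    length = (content_off + len(content) + 7) & ~7
    body = bytearray(length)
    body[:16] = struct.pack("<IIBBHHH", atype, length, 0, len(name), 0x18, 0, attr_id)
    body[16:24] = struct.pack("<IHBB", len(content), content_off, 0, 0)
    body[24:24 + len(name_bytes)] = name_bytes
    body[content_off:content_off + len(content)] = content
    return bytes(body)


def build_record(streams):
    """Constructed FILE record holding [(stream_name, content), ...] as resident $DATA."""
    attrs = b"".join(_resident_attr(ATTR_DATA, i + 1, n, c)
                     for i, (n, c) in enumerate(streams))
    rec = bytearray(RECORD_SIZE)
    used = 0x38 + len(attrs) + 8
    # signature, USA offset/count, LSN, sequence, links, first attr, flags(in use),
    # used size, allocated size, base record, next attribute id
    struct.pack_into("<4sHHQHHHHIIQH", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                     used, RECORD_SIZE, 0, len(streams) + 1)
    rec[0x38:0x38 + len(attrs)] = attrs
    struct.pack_into("<I", rec, 0x38 + len(attrs), ATTR_END)
    usn = b"\x01\x00"  # fixups: stash each sector's last word in the USA, write the USN there
    rec[0x30:0x32] = usn
    for i in (1, 2):
        end = i * SECTOR_SIZE - 2
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


if __name__ == "__main__":
    rec = build_record([("", b"benign looking text"), ("hidden", b"payload in an ADS")])
    for name, size, content in list_streams(rec):
        print(f"stream {name or '<unnamed>'!r}: {size} bytes -> {content}")
```

On a real image the 1024-byte record comes from the $MFT file at `record_number * 1024` rather than from `build_record()`; everything after the signature check is the same. A directory listing that shows only the unnamed stream's size will never reveal the second one, which is why the page's point about ADS being invisible to a standard analysis holds.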

 


 

FILE MISMATCH


During file analysis it is possible to encounter files whose extension has been changed (file mismatch).

PTK recognizes the file type automatically and displays it accordingly.
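The check behind that behaviour is a comparison between what the extension claims and what the leading bytes say. PTK gets the latter from `file` (listed under the analysis tools above); the following added example, not PTK's code, does the same with a small hand-picked table of magic numbers, a subset of what `file` knows, and flags every recognised signature the extension does not account for. The sample directory content is constructed bytes.

```python
"""Flag files whose extension disagrees with their content signature.

Added example, not PTK's own code. PTK delegates this to `file`; the
table below is a small hand-picked subset of the magic numbers `file`
knows, enough to show the check. Sample files are constructed bytes.
"""
from typing import NamedTuple, Optional

# (magic prefix, canonical type). Order matters only where prefixes overlap.
MAGIC = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),    # also docx/xlsx/jar/apk: all ZIP containers
    (b"MZ", "pe"),             # DOS/Windows executables and DLLs
    (b"\x7fELF", "elf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy doc/xls/ppt
)

# What each extension claims to be, in the same canonical vocabulary.
EXT_TYPE = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "jar": "zip",
    "exe": "pe", "dll": "pe", "so": "elf", "doc": "ole", "xls": "ole",
}


class Verdict(NamedTuple):
    name: str
    claimed: Optional[str]   # type implied by the extension, None if unknown
    actual: Optional[str]    # type found by signature, None if no match
    mismatch: bool


def sniff(data: bytes) -> Optional[str]:
    """Return the canonical type for the leading bytes, or None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def check(name: str, data: bytes) -> Verdict:
    """A mismatch is any recognised signature that the extension does not claim.

    A .txt (no claim) carrying a PE header is therefore flagged, while an
    unrecognised signature under an unknown extension is left alone.
    """
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    claimed = EXT_TYPE.get(ext)
    actual = sniff(data)
    return Verdict(name, claimed, actual, actual is not None and claimed != actual)


def scan(files):
    """files: {name: bytes}. Return the names that count as file mismatches."""
    return sorted(n for n, d in files.items() if check(n, d).mismatch)


# Constructed sample directory content.
SAMPLE_FILES = {
    "holiday.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,        # PNG renamed to .jpg
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "setup.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,  # executable hiding as an image
    "notes.txt": b"meeting at 10",
    "report.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 10,
}


if __name__ == "__main__":
    for n, d in SAMPLE_FILES.items():
        print(check(n, d))
    print("mismatches:", scan(SAMPLE_FILES))  # ['holiday.jpg', 'setup.jpg']
```

The design choice that matters is the direction of the comparison: treating an unknown extension as "no claim" rather than "anything goes" is what catches the renamed executable, while leaving genuinely unrecognised content alone keeps the noise down on a real file system.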