File Analisys

The File Analysis section enables to browse the entire disk tree and explore the content of each directory. It is possible to visualize files in the following formats:

• Ascii
• Ascii String
• Hexdump
• Image preview (for graphic files only)

Investigators have full access to the data contained in every file present on the disk, both allocated and unallocated. All operations are fast and intuitive thanks to the tree visualization and to a tab system. All results obtained during file analysis is bookmarked for subsequent analysis.

The keywords search is divided into two sections:

• Indexed search
• Live search

The first is based on a thorough keywords indexing, and the latter is a powerful search tool of the single files.
PTK has got a panel from which the investigator generates a disk Timeline. It is also possible to choose the time intervals in order to generate the timeline. Moreover it is possible to analyze the content of every single file directly form the timeline.
The entire analysis section was supported by a complex bookmark system created during system analysis; the investigator can manage his own bookmark and share them with the other investigators.

PTK is supported by a series of tools used during analysis:

• Disk browsing: fls
• File ascii: icat
• File Ascii strings: icat + srch_strings
• File Exdump: icat + hexdump
• Filetype check: icat + file
• Image Preview: icat

[ click image to view ]


> FILE ANALYSIS: FILTERING
> DISK IMAGE INTEGRITY
> FILE ANALYSIS: AJAX PAGINATION
> ALTERNATE DATA STREAM
> FILE MISMATCH