Indexing Engine

PTK has got an indexing engine that executes preliminary indexing operations on the evidence inserted and stores the results thus obtained in the database. Therefore the investigator can efficiently query the data on which he is working.

The indexing tasks can be launched by the administrator of the application who chooses among the following activities:
⇒ Ascii and Unicode String extraction from the allocated space:

• Allocated strings
• Unallocated strings
• Slack space (NTFS and FAT)

⇒ Identification of known extensions
⇒ File type

• Signature file analysis
• File extension Mismatch
• File categorization (graphic, document, executables etc...)

⇒ Metadata and hash generation of the files present on the disc
⇒ Timeline generation (graphic or textual)
⇒ File carving (lazarus, foremost, scalpel)
⇒ Hash (MD5 or SHA1) of all files inside the image
⇒ Categorization (graphics, documents, executables, etc..) of the documents obtained

The results of the preliminary operations are memorized in a database for a better data search. The remaining operations, such as file or directory exportation can be executed by the investigator directly from the disk image.


With the new indexing engine the use of the icat command is optimized and the number of queries towards the database is reduced.