
PTK: An Alternative Advanced Interface for the
Sleuth Kit
Dario V. Forte, Angelo Cavallini, Cristiano Maruti, Luca Losio, Thomas Orlandi,
and Michele Zambelli
The IRItaly Project at DFlabs Italy
www.dflabs.com
Abstract. PTK is a new open-source tool for complex digital investigations. It represents an alternative to the well-known but now obsolete front-end Autopsy Forensic Browser. The latter has a number of inadequacies: a cumbersome user interface, complicated case and evidence management, and a non-interactive timeline that is difficult to consult. A number of important functions are also lacking, such as an effective bookmarking system or a section for file analysis in graphic format. The need to accelerate evidence analysis through greater automation has prompted DFLabs to design and develop this new tool. PTK provides a new interface for The Sleuth Kit (TSK) suite of tools and also adds numerous extensions and features, one of which is an internal indexing engine capable of carrying out complex evidence pre-analysis processes. PTK was written from scratch using Ajax technology for graphic contents and a MySQL database management system server for saving indexing results and investigator-generated bookmarks. This allows several users to work simultaneously on the same or different cases, accessing previously indexed contents. The ability to work in parallel greatly reduces analysis times. These characteristics are described in greater detail below. PTK includes a dedicated “Extension Management” module that allows existing or newly developed tools to be integrated into it, effectively expanding its analysis and automation capacity.
Keywords: Computer Forensics, Open Source, SleuthKit, Autopsy Forensic, Incident Response.
1 Multi-investigator Management
One of the major features of this software is its case access control mechanism and high-level user profiling, allowing more than one investigator to work simultaneously on the same case. The administrator creates new cases and assigns investigators to them, granting appropriate access privileges. The investigators are then able to work in parallel on the same case. PTK user profiling may be used to restrict access to sensitive cases to a handpicked group of investigators or even a single investigator. The advantages of this type of system are numerous: above all, evidence analysis is sped up by the ability of a team of investigators to work in parallel; secondly, the problem of case synchronization is resolved since all operations reference the same database. Each investigator is also able to save specific notes and references directly relating to his or her activities on a case in a special bookmark section. All user actions are logged in CSV format so that all application activity can be retraced. Furthermore, the administrator is able to manage PTK log files from the interface, viewing the contents in table format and exporting them locally.
E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 27–34, 2009.
© Springer-Verlag Berlin Heidelberg 2009
springerlink.com
2 Direct Evidence Analysis
As a graphic interface for the TSK suite of tools, PTK inherits all the characteristics of this system, starting with the recognized evidence formats. PTK supports Raw (e.g., dd), Expert Witness (e.g., EnCase) and AFF evidence. Evidence may only be added to a case by the Administrator, who follows a guided three-step procedure:
1. Insertion of information relating to the disk image, such as type and place of acquisition;
2. Selection of the image file and any partitions to be included in the analysis;
3. File hashing (MD5 and SHA1) while adding the image.
One important PTK function is automatic recognition of the disk file system and partitions during image selection. PTK also recognizes images in various formats that have been split up. Here the investigator needs only to select one split, since PTK is able to recognize all splits belonging to the same image.
PTK and TSK interact directly for various analysis functions which therefore do
not require preliminary indexing operations:
• File analysis
• Data unit analysis
• Data export
2.1 File Analysis
This section analyzes the contents of files (including deleted files) in the disk image. PTK introduces the important new feature of the tree-view, a dynamic disk directory tree which provides immediate evidence browsing capability. PTK allows multiple files to be opened simultaneously on different tabs to facilitate comparative analysis. The following information is made available to investigators:
• Contents of file in ASCII format;
• Contents of file in hexadecimal format;
• Contents of file in ASCII string format;
• File categorization;
• All TSK output information: permissions, file name, MAC times, size, UID, GID and inode.
3 Indexing Engine
In order to provide the user with the greatest amount of information in the least time possible, an indexing system has been designed and developed for PTK. The objective is to minimize the time needed to recover all file information required in forensic analysis, such as hash values, timeline, type¹, and keywords. For small files, indexing may not be necessary since the time required to recover information such as the MD5 hash may be negligible. However, once files reach sizes on the order of megabytes these operations begin to slow down, and the wait time for the results becomes excessive. Hence a procedure was developed in which all files in an image are processed just once and the result saved in a database. The following indices have been implemented in PTK:
• Timeline
• File type
• MD5
• SHA1
• Keyword search

¹ The file extension does not determine file type.
4 Indexed Evidence Analysis
All analysis functions that require preliminary indexing are collected under the name
“Indexed Analysis”, which includes timeline analysis, keyword search and hash
comparison.
4.1 Timeline Analysis
The disk timeline helps the investigator concentrate on the areas of the image where evidence may be located. It displays the chronological succession of actions carried out on allocated and unallocated files. These actions are traced by analyzing the metadata known as MAC times (Modification, Access, and Creation, depending on the file system²). PTK allows investigators to analyze the timeline by means of time filters. The time unit, as dictated by the file system, is on the order of one second.
The investigators have two types of timelines at their disposal: one in table format and one in graphic format. The former lets investigators view each single timeline entry, organized into fields (time and date, file name, actions performed, size, permissions), and provides direct access to content analysis or export operations. The latter is a graphic representation plotting the progress of each action (MAC times) over a given time interval. This is a useful tool for viewing file access activity peaks.

² This information will have varying degrees of detail depending on file system type. For example, FAT32 does not record the time of last access to a file, but only the date. As a result, in the timeline analysis phase, this information will be displayed as 00:00:00.

4.2 Keyword Search
The indexing process generates a database of keywords which makes it possible to carry out high-performance searches in real time. Searches are carried out using literal strings or regular expressions. The interface offers various regular expression templates that the user can apply and customize; the templates are stored as regular expressions in text files and can thus be edited by users.
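The timeline described in Section 4.1 is built from the per-file MAC times that TSK exposes; the following Python example, added here and not taken from PTK, shows the mechanics on TSK's body-file format (the `MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime` rows that `fls -m` produces and `mactime` consumes). It collapses each file's timestamps into timeline rows with `mactime`-style m/a/c/b flags, applies an inclusive time filter, and flags the FAT32 case from footnote 2: an access stamp that lands exactly on 00:00:00 is most likely a date-only field rather than a real midnight access. The sample rows are constructed; the midnight heuristic (epoch time divisible by 86400, i.e. midnight UTC) is this example's assumption, not a PTK rule.

```python
import datetime

# Constructed sample in TSK body-file format:
#   MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Rows 1-2 model a file system with full timestamps; rows 3-4 model a FAT32
# volume whose access time is date-only and therefore falls on midnight.
SAMPLE_BODY = """\
0|/Documents/report.doc|128|r/rrwxrwxrwx|0|0|40960|1199272201|1199271545|1199271545|1199200000
0|/Documents/report.doc.bak (deleted)|129|-/rrwxrwxrwx|0|0|40960|1199272330|1199271545|1199272330|1199200000
0|/PHOTOS/IMG_0001.JPG|5|r/rrwxrwxrwx|0|0|2048000|1199232000|1199275800|1199275800|1199275800
0|/PHOTOS/_MG_0002.JPG (deleted)|6|-/rrwxrwxrwx|0|0|1536000|1199232000|1199270000|1199270000|1199270000
"""

# Body-file field -> mactime letter: m=modified, a=accessed, c=metadata
# changed, b=born (created). Output column order is "macb" as in mactime.
_MACB = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


def parse_body(text):
    """Parse body-file rows into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError("malformed body row: %r" % line)
        entries.append({
            "name": f[1], "inode": f[2], "mode": f[3], "uid": f[4], "gid": f[5],
            "size": int(f[6]), "atime": int(f[7]), "mtime": int(f[8]),
            "ctime": int(f[9]), "crtime": int(f[10]),
        })
    return entries


def build_timeline(entries, start=None, end=None):
    """One row per (timestamp, file) with the MACB flags that fire at it,
    sorted by time. `start`/`end` are inclusive epoch-second filters, the
    role played by PTK's time filters in the table view."""
    buckets = {}
    for e in entries:
        for field, letter in _MACB:
            t = e[field]
            if t == 0:
                continue  # unset timestamp
            if (start is not None and t < start) or (end is not None and t > end):
                continue
            key = (t, e["inode"], e["name"])
            if key not in buckets:
                buckets[key] = dict(e, time=t, flags=set())
            buckets[key]["flags"].add(letter)
    rows = sorted(buckets.values(), key=lambda r: (r["time"], r["name"]))
    for r in rows:
        r["macb"] = "".join(l if l in r["flags"] else "." for _, l in _MACB)
        # Heuristic (assumption): an access stamp at exactly 00:00:00 UTC on a
        # FAT volume is a date-only field, displayed by PTK as 00:00:00.
        r["date_only_atime"] = "a" in r["flags"] and r["time"] % 86400 == 0
    return rows


def render(rows):
    """mactime-like text lines: date time, size, MACB, mode, uid, gid, inode, name."""
    lines = []
    for r in rows:
        ts = datetime.datetime.fromtimestamp(r["time"], tz=datetime.timezone.utc)
        note = "   <- access at 00:00:00: FAT date-only stamp?" if r["date_only_atime"] else ""
        lines.append("%s %9d %s %-14s %s %s %4s %s%s" % (
            ts.strftime("%Y-%m-%d %H:%M:%S"), r["size"], r["macb"], r["mode"],
            r["uid"], r["gid"], r["inode"], r["name"], note))
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_timeline(parse_body(SAMPLE_BODY)))))
```

With the filter `start=1199271000, end=1199273000` only the four rows around 11:00 UTC on 2008-01-02 survive, which is the narrowing the paper's time filters are meant to provide; the two FAT rows are flagged because their access time is exactly midnight.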
4.3 Hash Set Manager and Comparison
Once the indexing process has been completed, PTK has an MD5 and SHA1 hash value for each file present in the evidence: these values are used in comparisons with hash sets (either public or user-generated), making it possible to determine whether a file belongs to the “known good” or “known bad” category. Investigators can also use this section to import the contents of Rainbow Tables in order to compare a given hash, perhaps one recovered via a keyword search, with those in the hash set.
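Sections 3 and 4.3 together describe a hash-once, query-many design: every file's digests are computed during indexing and stored, and hash-set comparison is then a database lookup rather than a rehash. The following Python example, added here and not PTK's own code, shows that pattern end to end. It uses SQLite in memory rather than the MySQL server the paper describes so that it runs stand-alone; the sample files and the two hash sets are constructed (the known-good digests are the MD5 of `abc` and of the empty file, the known-bad digest is the SHA1 of "The quick brown fox jumps over the lazy dog").

```python
import hashlib
import os
import sqlite3
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """One pass over the file, both digests at once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def build_index(conn, root):
    """Index every regular file under `root` exactly once (path, size, MD5, SHA1).
    The digest columns are indexed so later comparisons are lookups, not rehashes."""
    conn.execute("CREATE TABLE IF NOT EXISTS files "
                 "(path TEXT PRIMARY KEY, size INTEGER, md5 TEXT, sha1 TEXT)")
    conn.execute("CREATE INDEX IF NOT EXISTS files_md5 ON files (md5)")
    conn.execute("CREATE INDEX IF NOT EXISTS files_sha1 ON files (sha1)")
    count = 0
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            md5, sha1 = hash_file(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            conn.execute("INSERT OR REPLACE INTO files VALUES (?, ?, ?, ?)",
                         (rel, os.path.getsize(path), md5, sha1))
            count += 1
    conn.commit()
    return count


def load_hash_set(conn, set_name, text):
    """Load a hash set given as one hex MD5 or SHA1 per line ('#' lines ignored)."""
    conn.execute("CREATE TABLE IF NOT EXISTS hashsets "
                 "(set_name TEXT, digest TEXT, PRIMARY KEY (set_name, digest))")
    rows = []
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        if len(line) not in (32, 40) or any(c not in "0123456789abcdef" for c in line):
            raise ValueError("not a hex MD5/SHA1 digest: %r" % line)
        rows.append((set_name, line))
    conn.executemany("INSERT OR IGNORE INTO hashsets VALUES (?, ?)", rows)
    conn.commit()


def compare(conn):
    """Join the file index against all hash sets.
    Returns {path: 'known_good' | 'known_bad' | 'unknown'}; a known-bad hit
    outranks a known-good hit on the same file."""
    verdicts = {}
    rows = conn.execute(
        "SELECT f.path, h.set_name FROM files f "
        "LEFT JOIN hashsets h ON h.digest IN (f.md5, f.sha1) ORDER BY f.path")
    for path, set_name in rows:
        if set_name is None:
            verdicts[path] = "unknown"
        elif set_name == "known_bad" or verdicts.get(path) == "known_bad":
            verdicts[path] = "known_bad"
        else:
            verdicts[path] = set_name
    return verdicts


def demo():
    """Constructed case: four files and two hash sets. Returns compare() output."""
    samples = {
        "WINDOWS/notepad.exe": b"abc",
        "Documents/budget.xls": b"hello",
        "Temp/svch0st.exe": b"The quick brown fox jumps over the lazy dog",
        "Temp/empty.tmp": b"",
    }
    known_good = """# constructed known-good set (MD5)
    900150983cd24fb0d6963f7d28e17f72
    d41d8cd98f00b204e9800998ecf8427e
    """
    known_bad = """# constructed known-bad set (SHA1)
    2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
    """
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        conn = sqlite3.connect(":memory:")
        build_index(conn, root)
        load_hash_set(conn, "known_good", known_good)
        load_hash_set(conn, "known_bad", known_bad)
        return compare(conn)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print("%-12s %s" % (verdict, path))
```

Because the comparison is a join over the stored digests, adding a new hash set later costs one load and one query, which is the "eliminating wait time during analysis" advantage the paper claims for indexed hashes.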
5 Data Carving Process
Data carving seeks files or other data structures in an incoming data flow based on contents rather than on the metadata that a file system associates with each file or directory. The initial approach chosen for PTK is based on the techniques of Header/Footer carving and Header/Maximum (file) size carving³. The PTK indexing step provides the possibility of enabling data carving for the unallocated space of evidence imported into the case. It is possible to directly configure the data carving module by adding or eliminating entries based on the headers and footers used in carving. The investigator can also set up custom search patterns directly from the interface. This way the investigator can search for patterns not only to find files, by means of new headers and footers, but also to find file contents. The particular structure of PTK allows investigators to run data carving operations on evidence consisting of a RAM dump as well. Please note that the data carving results are not saved directly in the database; only the references to the data identified during the process are saved.
The indexing process also uses matching headers and footers for the categorization of all the files in the evidence. The output of this process allows the analyzed data to be subdivided into different categories:
• Documents (Word, Excel, ASCII, etc.)
• Graphic or multimedia content (images, video, audio)
• Executable programs
• Compressed or encrypted data (zip, rar, etc.)
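The two carving techniques named above and the header-based categorization share one signature table, so the following Python example, added here and not PTK's own code, implements both against a constructed block of "unallocated space". Header/Footer carving is used where the format has a recognizable trailer (JPEG, PNG, PDF); Header/Maximum-size carving is used where it does not (OLE2, ZIP, MZ executables), cutting at the next header of the same type or at the maximum size. As in PTK, carving returns only references (offset and length into the buffer), not copies. The signature list and size limits are this example's assumptions; the paper does not give PTK's own list.

```python
# (name, category, header, footer or None, maximum size for header-only carving)
# Constructed for this example; the two-byte "MZ" header illustrates why
# short signatures produce false positives that a production carver validates
# further (e.g. by checking the PE header that e_lfanew points at).
SIGNATURES = [
    ("jpeg", "graphic/multimedia", b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    ("png", "graphic/multimedia", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    ("pdf", "document", b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
    ("ole2", "document", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None, 16 * 1024 * 1024),
    ("zip", "compressed/encrypted", b"PK\x03\x04", None, 64 * 1024 * 1024),
    ("mz", "executable", b"MZ", None, 8 * 1024 * 1024),
]


def categorize(data):
    """Classify a file by its header only; the extension is never consulted.
    Returns (type_name, category). Printable-only content is treated as an
    ASCII document, which covers the 'ASCII' case in the paper's category list."""
    for name, category, header, _footer, _max_size in SIGNATURES:
        if data.startswith(header):
            return name, category
    head = data[:512]
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text", "document"
    return "unknown", "unknown"


def carve(buf):
    """Return [(type_name, offset, length)] for every object found in `buf`.

    Header/Footer carving: from the header to the first footer that lies within
    the maximum size; a header with no footer in range is skipped.
    Header/Maximum-size carving: from the header to the next header of the
    same type or to the maximum size, whichever comes first.
    """
    hits = []
    for name, _category, header, footer, max_size in SIGNATURES:
        pos = buf.find(header)
        while pos != -1:
            limit = min(len(buf), pos + max_size)
            if footer is not None:
                end = buf.find(footer, pos + len(header), limit)
                if end == -1:
                    pos = buf.find(header, pos + 1)
                    continue
                length = end + len(footer) - pos
            else:
                nxt = buf.find(header, pos + len(header), limit)
                length = (nxt if nxt != -1 else limit) - pos
            hits.append((name, pos, length))
            pos = buf.find(header, pos + length)
    return sorted(hits, key=lambda h: h[1])


def build_sample_unallocated():
    """Constructed unallocated space: zero filler around a JPEG-like blob, a
    PNG-like blob, a PDF header with no trailer in range, and a ZIP local header."""
    filler = b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    truncated_pdf = b"%PDF-1.4 truncated" + b"D" * 20
    zip_entry = b"PK\x03\x04" + b"Z" * 50
    return filler + jpeg + filler + png + filler + truncated_pdf + filler + zip_entry + filler


if __name__ == "__main__":
    blob = build_sample_unallocated()
    for name, offset, length in carve(blob):
        print("%-5s offset=%4d length=%4d category=%s"
              % (name, offset, length, categorize(blob[offset:offset + length])[1]))
```

Two behaviours are visible on the sample: the truncated PDF is not carved because no `%%EOF` follows its header, and the ZIP entry is over-captured (it runs to the end of the buffer) because header-only carving has no way to know where the object stops; both are the trade-offs the paper's two techniques imply.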
6 Bookmarking and Reporting
The entire analysis section is flanked by a bookmarking subsystem that allows investigators to bookmark evidence at any time. All operations are handled by the backend MySQL database, so no data is written locally on the client file system.
When an investigator saves a bookmark, the reference to the corresponding evidence
is written in the database, in terms of inodes and sectors, without any data being
transferred from the disk being examined to the database. Each bookmark is also
associated with a tag specifying the category and a text field for any user notes. Each
investigator has a private bookmark management section, which can be used, at the
investigator’s total discretion, to share bookmarks with other users.
³ Based on the taxonomy of Simson Garfinkel and Joachim Metz.

Reports are generated automatically on the basis of the bookmarks saved by the user. PTK provides two report formats: HTML and PDF. Reports are highly customizable in terms of graphics (header, footer, logos) and contents, with the option of inserting additional fields for enhanced description and documentation of the investigation results.
7 PTK External Modules (Extensions)
This section of PTK allows users to run external tools for the execution of various tasks. It is designed to give the application the flexibility to perform automatic operations on different operating systems, run data search or analysis processes, and recover deleted files. The “PTK extension manager” creates an interface between third-party tools and the evidence management system and runs various processes through it. The currently enabled extensions provide for memory dump analysis, Windows registry analysis and OS artifact recovery.
The first extension provides PTK with the ability to analyze the contents of RAM
dumps. This feature allows both evidence from long-term data storage media and
evidence from memory dumps to be associated with a case, thus allowing important
information to be extracted, such as a list of strings in memory, which could potentially contain passwords to be used for the analysis of protected or encrypted archives
found on the disk.
The registry analysis extension gives PTK the capability of recognizing and interpreting a Microsoft Windows registry file and navigating within it with the same
facility as the regedit tool. Additionally, PTK provides for automatic search within the
most important sections of the registry and generation of output results.
The Artifact Recovery extension was implemented in order to reconstruct or recover specific contents relating to the functions of an operating system or its components or applications. The output from these automatic processes can be included
among the investigation bookmarks.
PTK extensions do not write their output to the database in order to prevent it from
becoming excessively large. User-selected output from these processes may be included in the bookmark section in the database. If bookmarks are not created before
PTK is closed, the results are lost.
8 Comparative Assessment
The use of Ajax in the development of PTK has drastically reduced execution times on the server side and, by delegating part of the code execution to the client, has reduced user wait times by minimizing the amount of information loaded into pages. An assessment was carried out to compare the performance of PTK with that of Autopsy Forensic Browser. Given that these are two web-based applications using different technologies, it is not possible to make a direct, linear comparison of performance.
For these reasons, it is useful to divide the assessment into two parts: the first highlights the main differences in the interfaces, examining the necessary user procedures; the second makes a closer examination of the performance of the PTK indexing engine, providing a more technical comparison on the basis of such objective parameters as command execution, parsing, and output presentation times.

8.1 Interface
The following comparative assessment of Autopsy and PTK (Table 1) highlights the difference at the interface level, evaluated in terms of the number of pages loaded for the execution of the requested action. All pages (and thus the steps taken by the user) are counted starting from and excluding the home page of each application.

Table 1. Interface comparison: user procedure and pages loaded per action, Autopsy Forensic Browser versus PTK.

New case creation
  Autopsy: You click “New case” and a new page is loaded where you add the case name, description, and assigned investigator names (text fields). Pages loaded: 2
  PTK: You click “Add new case” and a modal form is opened where it is sufficient to provide a case name and brief description. Pages loaded: 1

Investigator assignment
  Autopsy: Investigators are assigned to the case when it is created. However, these are only text references.
  PTK: You click on the icon in the case table to access the investigator management panel. These assignments represent bona fide user profiles.

Image addition
  Autopsy: You select a case and a host and then click “Add image file”. A page is displayed where you indicate the image path (manually) and specify a number of import parameters. On the next page, you specify integrity control operations and select the partitions. Then you click “Add”. Pages loaded: 6
  PTK: In the case table, you click on the image management icon and then click “Add new image”. A modal form opens with a guided 3-step process for adding the image. Path selection is based on automatic folder browsing. Pages loaded: 1

Image integrity verification
  Autopsy: After selecting the case, the host and the image, you click “Image integrity”. The next page allows you to create an MD5 hash of the file and to verify it on request. Pages loaded: 4
  PTK: You open image management for a case and click “Integrity check”. A panel opens where you can generate and/or verify both MD5 and SHA1 hashes. Pages loaded: 1

Evidence analysis
  Autopsy: After selecting the case, the host and the image, you click “Analyze” to access the analysis section. Pages loaded: 4
  PTK: After opening the panel displaying the images in a case, you click the icon “Analyze image” to access the analysis section. Pages loaded: 1

Evidence timeline creation
  Autopsy: After selecting the case, the host and the image, you click “File activity time lines”. You then have to create a data file by providing appropriate parameters and create the timeline file based on the file thus generated. Pages loaded: 8
  PTK: You open image management for a case and click on the indexing icon. The option of generating a timeline comes up and the process is run. The timeline is saved in the database and is available during analyses. Pages loaded: 1

String extraction
  Autopsy: After selecting the case, the host and the image, you click “Details”. On the next page you click “Extract strings” to run the process. Pages loaded: 5
  PTK: You open image management for a case and click on the indexing icon. The option of extracting strings comes up and the process is run. All ASCII strings for each image file are saved in the database. Pages loaded: 1
8.2 Indexing Performance
The following tests were performed on the same evidence: file system FAT32; size 1.9 GB; acquired with dd.
A direct comparison (Table 2) can be made for timeline generation and keyword extraction in terms of how many seconds are required to perform the operations.

Table 2. Indexing performance, Autopsy Forensic Browser versus PTK (minutes' seconds").

Timeline generation
  Autopsy: 54" + 2" (two steps: data file creation, then timeline creation)
  PTK: 18"

Keyword extraction
  Autopsy: 8' 10"
  PTK: 8' 33"

File hash generation
  Autopsy: Autopsy manages the hash values (MD5) for each file at the directory level. The hash generation operation must therefore be run from the file analysis page; however, this process does not save any of the generated hash values.
  PTK: PTK optimizes the generation of file hashes via indexing operations, eliminating wait time during analysis and making the hash values easy to consult.
9 Conclusions and Further Steps
The main idea behind the project was to provide an “alternative” interface to the TSK suite so as to offer a new and valid open source tool for forensic investigations. We use the term “alternative” because PTK was not designed to be a completely different piece of software from its forerunner, Autopsy, but a product that seeks to improve the performance of existing functions and resolve their inadequacies.
The strong point of this project is thus the careful initial analysis of Autopsy Forensic Browser, which allowed developers to establish the bases for a robust product that represents a real step forward.
Future developments of the application will certainly include:
• Integration of new tools as extensions of the application in order to address a greater number of analysis types within the capabilities of PTK.
• Creation of customized installation packages for the various platforms.
• Adaptation of style sheets to all browser types in order to extend the portability of the tool.
References
1. Carrier, Brian: File System Forensic Analysis. Addison-Wesley, Reading (2005)
2. Carrier, Brian: Digital Forensic Tool Testing Images (2005), http://dftt.sourceforge.net
3. Carvey, Harlan: Windows Forensic Analysis. Syngress (2007)
4. Casey, Eoghan: Digital Evidence and Computer Crime. Academic Press, London (2004)
5. Garfinkel, Simson: Carving Contiguous and Fragmented Files with Fast Object Validation. In: Digital Forensics Workshop (DFRWS 2007), Pittsburgh, PA (August 2007)
6. Jones, Keith J., Bejtlich, Richard, Rose, Curtis W.: Real Digital Forensics: Computer Security and Incident Response. Addison-Wesley, Reading (2005)
7. Schwartz, Randal L., Phoenix, Tom: Learning Perl. O’Reilly, Sebastopol (2001)
8. The Sleuth Kit documentation, http://www.sleuthkit.org/
9. Forte, D.V.: The State of the Art in Digital Forensics. Advances in Computers 67, 254–300 (2006)
10. Forte, D.V., Maruti, C., Vetturi, M.R., Zambelli, M.: SecSyslog: an Approach to Secure Logging Based on Covert Channels. In: SADFE 2005, 248–263 (2005)