PTK: An Alternative Advanced Interface for the Sleuth Kit

Dario V. Forte, Angelo Cavallini, Cristiano Maruti, Luca Losio, Thomas Orlandi, and Michele Zambelli
The IRItaly Project at DFLabs Italy
www.dflabs.com

Abstract. PTK is a new open-source tool for complex digital investigations. It represents an alternative to the well-known but now obsolete front-end Autopsy Forensic Browser, which suffers from a number of inadequacies: a cumbersome user interface, complicated case and evidence management, and a non-interactive timeline that is difficult to consult. Autopsy also lacks important functions such as an effective bookmarking system and a section for analysing files in graphic format. The need to speed up evidence analysis through greater automation prompted DFLabs to design and develop this new tool. PTK provides a new interface for The Sleuth Kit (TSK) suite of tools and adds numerous extensions and features, one of which is an internal indexing engine capable of carrying out complex evidence pre-analysis processes. PTK was written from scratch, using Ajax technology for the graphical front-end and a MySQL database server for storing indexing results and investigator-generated bookmarks. This lets several users work simultaneously on the same or different cases, accessing previously indexed contents; the ability to work in parallel greatly reduces analysis times. These characteristics are described in greater detail below. PTK also includes a dedicated “Extension Management” module through which existing or newly developed tools can be integrated, effectively expanding its analysis and automation capacity.

Keywords: Computer Forensics, Open Source, SleuthKit, Autopsy Forensic, Incident Response.
1 Multi-investigator Management

One of the major features of this software is its case access control mechanism and high-level user profiling, which allow more than one investigator to work simultaneously on the same case. The administrator creates new cases and assigns investigators to them, granting appropriate access privileges; the investigators are then able to work in parallel on the same case. PTK user profiling may also be used to restrict access to sensitive cases to a handpicked group of investigators, or even to a single investigator. The advantages of this type of system are numerous: above all, evidence analysis is speeded up because a team of investigators can work in parallel; secondly, the problem of case synchronization is resolved, since all operations reference the same database. Each investigator is also able to save notes and references relating to his or her own activity on a case in a dedicated bookmark section. All user actions are logged in CSV format so that all application activity can be retraced. Furthermore, the administrator is able to manage PTK log files from the interface, viewing their contents in table format and exporting them locally.

E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 27–34, 2009. © Springer-Verlag Berlin Heidelberg 2009

2 Direct Evidence Analysis

As a graphical interface for the TSK suite of tools, PTK inherits all the characteristics of that system, starting with the recognized evidence formats: PTK supports raw (e.g., dd), Expert Witness (e.g., EnCase) and AFF evidence. Evidence may only be added to a case by the administrator, who follows a guided three-step procedure:

1. Insertion of information relating to the disk image, such as type and place of acquisition;
2. Selection of the image file and any partitions to be included in the analysis;
3. File hashing (MD5 and SHA1) while adding the image.
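The third step of the procedure, hashing the image as it is added, as an added example that is not PTK's own code. It also handles the split raw images that Section 2 says PTK recognizes from a single selected split: the naming scheme image.001, image.002, ... is an assumption of this example, and the MD5 and SHA1 digests are fed from one pass over the evidence so the image is read only once.

```python
# Added example, not PTK's own code: locate all the splits of a raw (dd) image
# from any one of them and compute MD5 and SHA1 in a single streaming pass.
import hashlib
import os
import re
import tempfile

# Assumption: splits follow the common dd/dcfldd naming "image.001, image.002, ...".
# Other split schemes would need an additional pattern here.
_SPLIT_RE = re.compile(r"^(?P<stem>.+)\.(?P<seq>\d{3})$")


def find_splits(selected_path):
    """Return every split of the image `selected_path` belongs to, in order.
    A path that is not a numbered split is returned as a one-element list."""
    directory, name = os.path.split(selected_path)
    m = _SPLIT_RE.match(name)
    if not m:
        return [selected_path]
    stem = m.group("stem")
    splits = []
    for entry in os.listdir(directory or "."):
        em = _SPLIT_RE.match(entry)
        if em and em.group("stem") == stem:
            splits.append(os.path.join(directory, entry))
    # Zero-padded sequence numbers sort correctly as strings.
    return sorted(splits)


def hash_image(selected_path, chunk_size=1 << 20):
    """Hash the logical image (all splits concatenated). Both digests are fed
    from the same read so the evidence is read from disk only once."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    size = 0
    for part in find_splits(selected_path):
        with open(part, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
                size += len(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": size}


def make_sample_split_image(directory, parts):
    """Constructed sample evidence: write each byte string in `parts` as
    image.001, image.002, ... and return the path of the first split."""
    paths = []
    for i, data in enumerate(parts, start=1):
        path = os.path.join(directory, "image.%03d" % i)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths[0]


def demo():
    """Hash a constructed image split into three files holding b"a", b"b", b"c"."""
    with tempfile.TemporaryDirectory() as d:
        first = make_sample_split_image(d, [b"a", b"b", b"c"])
        result = hash_image(first)
        result["splits"] = len(find_splits(first))
        return result


if __name__ == "__main__":
    print(demo())
```

Because the three splits hold the bytes "abc", the digests returned are exactly those of the unsplit byte string, which is the check an investigator wants: hashing the logical image, not the individual files it was acquired into.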
One important PTK function is the automatic recognition of the disk's file system and partitions during image selection. PTK also recognizes images, in the various supported formats, that have been split into several files: the investigator needs only to select one split, since PTK recognizes all the splits belonging to the same image.

PTK and TSK interact directly for various analysis functions, which therefore do not require preliminary indexing operations:

• File analysis
• Data unit analysis
• Data export

2.1 File Analysis

This section analyzes the contents of files (including deleted files) in the disk image. PTK introduces the important new feature of the tree-view, a dynamic disk directory tree which provides immediate evidence browsing capability. PTK allows multiple files to be opened simultaneously on different tabs to facilitate comparative analysis. The following information is made available to investigators:

• Contents of the file in ASCII format;
• Contents of the file in hexadecimal format;
• Contents of the file as ASCII strings;
• File categorization;
• All TSK output information: permissions, file name, MAC times, size, UID, GID and inode.

3 Indexing Engine

In order to provide the user with the greatest amount of information in the least time possible, an indexing system has been designed and developed for PTK. The objective is to minimize the time needed to recover all the file information required in forensic analysis, such as hash values, timeline, type (see footnote 1) and keywords. For small files, indexing may not be necessary, since the time required to recover information such as the MD5 hash may be negligible. However, once files of dimensions on the order of megabytes are considered, these operations begin to slow down and the wait for results becomes excessive.

1 The file extension does not determine file type.
Hence a procedure was developed in which all the files in an image are processed just once and the results saved in a database. The following indices have been implemented in PTK:

• Timeline
• File type
• MD5
• SHA1
• Keyword search

4 Indexed Evidence Analysis

All analysis functions that require preliminary indexing are collected under the name “Indexed Analysis”, which includes timeline analysis, keyword search and hash comparison.

4.1 Timeline Analysis

The disk timeline helps the investigator concentrate on the areas of the image where evidence may be located. It displays the chronological succession of actions carried out on allocated and unallocated files. These actions are traced by analysing the metadata known as MAC times (Modification, Access and Creation times, depending on the file system; see footnote 2). PTK allows investigators to analyze the timeline by means of time filters. The time unit, in relation to the file system, is on the order of one second. Investigators have two types of timeline at their disposal: one in table format and one in graphic format. The former lets investigators view each single timeline entry, organized into fields (time and date, file name, actions performed, size, permissions), and provides direct access to content analysis or export operations. The latter is a graphic representation plotting the progress of each action (MAC times) over a given time interval; it is a useful tool for spotting peaks in file access activity.

4.2 Keyword Search

The indexing process generates a database of keywords which makes it possible to carry out high-performance searches in real time. Searches are carried out either with literal strings or with regular expressions. The interface offers various regular-expression templates that the user can use and customize; these search templates are stored as regular expressions in text files and can therefore be customized by users.
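The table-format timeline of Section 4.1, as an added example that is neither PTK's nor TSK's code: per-file MAC times are expanded into one row per timestamp, sorted, filtered by a time window, and FAT access times that carry only a date (footnote 2) are flagged. The input is the body-file layout that TSK's `fls -m` writes; the sample body lines are constructed, and treating the file as UTC (so that a date-only access time is a multiple of 86400 seconds) is an assumption of this example.

```python
# Added example, not PTK's or TSK's code: expand per-file MAC times into a
# sorted timeline, apply a time filter, and flag FAT32 access times that
# carry only a date (the 00:00:00 case described in footnote 2).
from datetime import datetime, timezone

# Body-file layout written by TSK's `fls -m` (one file per line, epoch seconds):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
def parse_body_line(line):
    f = line.rstrip("\n").split("|")
    if len(f) != 11:
        raise ValueError("not a body-file line: %r" % line)
    return {"name": f[1], "inode": f[2], "mode": f[3], "size": int(f[6]),
            "atime": int(f[7]), "mtime": int(f[8]), "ctime": int(f[9]), "crtime": int(f[10])}

# mactime-style action letters: m=modified, a=accessed, c=changed, b=born (created)
ACTIONS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))

def build_timeline(records, fs_type="NTFS"):
    """One entry per (timestamp, file); `actions` holds every MAC letter whose
    time fell on that second, so coinciding times collapse into one row."""
    entries = {}
    for r in records:
        for key, flag in ACTIONS:
            ts = r[key]
            if ts <= 0:                      # timestamp not set
                continue
            e = entries.setdefault((ts, r["inode"], r["name"]), {
                "time": ts, "name": r["name"], "inode": r["inode"],
                "size": r["size"], "mode": r["mode"], "actions": set(), "date_only": False})
            e["actions"].add(flag)
            # FAT records only the access *date*; TSK reports it as midnight.
            # Assumption: the body file is in UTC, so midnight is a multiple of 86400.
            if key == "atime" and fs_type.upper().startswith("FAT") and ts % 86400 == 0:
                e["date_only"] = True
    return sorted(entries.values(), key=lambda e: (e["time"], e["name"]))

def filter_timeline(entries, start, end):
    """Time filter: keep entries with start <= time <= end (epoch seconds)."""
    return [e for e in entries if start <= e["time"] <= end]

def format_entry(e):
    """Table-format row: date/time, macb flags, size, permissions, name."""
    t = datetime.fromtimestamp(e["time"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    flags = "".join(f if f in e["actions"] else "." for f in "macb")
    note = "  [FAT: access date only]" if e["date_only"] else ""
    return "%s %s %8d %s %s%s" % (t, flags, e["size"], e["mode"], e["name"], note)

# Constructed sample body file (three entries, one of them a deleted file).
SAMPLE_BODY = """\
0|/docs/report.doc|1234|r/rrwxrwxrwx|0|0|40960|1199232000|1199179800|1199179800|1199179200
0|/docs/report.doc~ (deleted)|1235|r/rrwxrwxrwx|0|0|40960|1199232000|1199178000|1199178000|1199178000
0|/tools/run.exe|2000|r/rrwxrwxrwx|0|0|77824|1199404800|1199300000|1199300000|1199300000
"""

def demo():
    records = [parse_body_line(l) for l in SAMPLE_BODY.splitlines()]
    return build_timeline(records, fs_type="FAT32")

if __name__ == "__main__":
    for entry in demo():
        print(format_entry(entry))
```

Run on the sample, the three access times come out as 00:00:00 rows flagged as date-only, which is exactly the ambiguity an examiner must keep in mind before treating a FAT32 access timestamp as evidence of activity at a particular time of day.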
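The keyword index and regular-expression templates of Section 4.2, as an added example that is not PTK's own code: ASCII strings are extracted from each file once and kept with their byte offsets, then searched either with a literal keyword or with a template regex. The template file format (one `name: regex` per line) and the sample files and templates are constructed for this example.

```python
# Added example, not PTK's own code: extract ASCII strings from file contents
# once, keep them in an index, and search that index with literal keywords or
# with regular-expression templates loaded from a text file.
import re

def extract_strings(data, min_len=4):
    """(offset, text) for every run of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]

def build_index(files):
    """files: {path: bytes}. Each extracted string is indexed once, with the
    file it came from and its byte offset, so later searches never reread evidence."""
    index = []
    for path, data in files.items():
        for offset, text in extract_strings(data):
            index.append({"file": path, "offset": offset, "string": text})
    return index

def load_templates(text):
    """Template file format (an assumption for this example): one
    'name: regex' per line; blank lines and '#' comments are ignored."""
    templates = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, pattern = line.partition(":")
        templates[name.strip()] = re.compile(pattern.strip())
    return templates

def search(index, keyword=None, regex=None):
    """Literal (case-insensitive) keyword search, or a compiled template regex.
    Hits carry the absolute byte offset of the match inside the source file."""
    if regex is None:
        regex = re.compile(re.escape(keyword), re.IGNORECASE)
    hits = []
    for entry in index:
        for m in regex.finditer(entry["string"]):
            hits.append({"file": entry["file"], "offset": entry["offset"] + m.start(), "match": m.group()})
    return hits

# Constructed sample evidence: two files with binary noise around the strings.
SAMPLE_FILES = {
    "/docs/notes.txt": b"\x00\x00contact: alice@example.org\x00\x01\x02 server 10.0.0.12\x00",
    "/tmp/blob.bin": b"\xff\xd8\xff\xe0JFIF\x00\x00invoice_2008.pdf\x00 ab\x00",
}

# Constructed template file in the format load_templates() expects.
SAMPLE_TEMPLATES = r"""
# name: pattern
email: [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}
ipv4: \b(?:\d{1,3}\.){3}\d{1,3}\b
"""

if __name__ == "__main__":
    index = build_index(SAMPLE_FILES)
    print(search(index, keyword="ALICE"))
    for name, regex in load_templates(SAMPLE_TEMPLATES).items():
        print(name, search(index, regex=regex))
```

Every hit reports the offset within the original file rather than within the extracted string, so a match can be taken straight to the hexadecimal view or to a bookmark without re-scanning the evidence.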
2 This information will have varying degrees of detail depending on the file system type. For example, FAT32 does not record the time of last access to a file, but only the date. As a result, in the timeline analysis phase this information will be displayed as 00:00:00.

4.3 Hash Set Manager and Comparison

Once the indexing process has been completed, PTK generates an MD5 or SHA1 hash value for each file present in the evidence. These values are used in comparisons with hash sets (either public or user-generated), making it possible to determine whether a file belongs to the “known good” or “known bad” category. Investigators can also use this section to import the contents of Rainbow Tables in order to compare a given hash, perhaps one recovered via a keyword search, with those in the hash set.

5 Data Carving Process

Data carving seeks files or other data structures in an incoming data flow based on their contents, rather than on the metadata that a file system associates with each file or directory. The initial approach chosen for PTK is based on the techniques of header/footer carving and header/maximum (file) size carving (see footnote 3). The PTK indexing step provides the option of enabling data carving for the unallocated space of the evidence imported into the case. The data carving module can be configured directly by adding or removing entries for the headers and footers used in carving. The investigator can also set up custom search patterns directly from the interface; in this way the investigator can search for patterns not only to find files, by means of new headers and footers, but also to find file contents. The particular structure of PTK allows investigators to run data carving operations also on evidence consisting of a RAM dump. Note that the data carving results are not saved directly in the database: only the references to the data identified during the process are saved.
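Both carving techniques named in Section 5, and the header-based file categorization that the same signatures drive, as an added example that is not PTK's own code. The signature table, the buffer standing in for unallocated space and the category names are constructed for this example; as in PTK, carving records only references (offset and length), and the bytes are pulled out on demand.

```python
# Added example, not PTK's own code: header/footer and header/maximum-size
# carving over a buffer standing in for unallocated space. Only references
# (offset, length) are recorded, as PTK does; bytes are pulled out on demand.
# The same signature table drives header-based file categorization.

# Constructed signature table: (name, category, header, footer, max_size).
# footer=None selects header/maximum-size carving. A real table is far longer.
SIGNATURES = [
    ("jpeg", "graphic/multimedia",   b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    ("pdf",  "document",             b"%PDF-",        b"%%EOF",    20 * 1024 * 1024),
    ("zip",  "compressed/encrypted", b"PK\x03\x04",   None,        50 * 1024 * 1024),
    ("pe",   "executable",           b"MZ",           None,        10 * 1024 * 1024),
]

def carve(data, signatures=SIGNATURES):
    """Return carving references sorted by offset. Custom patterns (the
    investigator-defined headers/footers of Section 5) are just more tuples."""
    refs = []
    for name, category, header, footer, max_size in signatures:
        pos = data.find(header)
        while pos != -1:
            window_end = min(len(data), pos + max_size)
            if footer is None:
                # header/maximum-size: no terminator, so take up to max_size bytes
                length = window_end - pos
            else:
                foot = data.find(footer, pos + len(header), window_end)
                if foot == -1:          # no footer inside the window: not carvable
                    pos = data.find(header, pos + 1)
                    continue
                length = foot + len(footer) - pos
            refs.append({"type": name, "category": category, "offset": pos, "length": length})
            pos = data.find(header, pos + 1)
    return sorted(refs, key=lambda r: (r["offset"], r["type"]))

def extract(data, ref):
    """Materialize a carved object from its reference only when needed."""
    return data[ref["offset"]:ref["offset"] + ref["length"]]

def categorize(data):
    """Category by header signature, falling back to an ASCII-text check;
    the file extension is never consulted (footnote 1)."""
    for _name, category, header, _footer, _max in SIGNATURES:
        if data.startswith(header):
            return category
    if data and all(b in b"\t\n\r" or 0x20 <= b <= 0x7e for b in data):
        return "document"
    return "unknown"

# Constructed stand-in for unallocated space: a JPEG, then a header-only
# executable fragment, then a PDF, padded with zero bytes.
UNALLOCATED = (b"\x00" * 16
               + b"\xff\xd8\xff\xe0" + b"JFIF photo bytes" + b"\xff\xd9"
               + b"\x00" * 8
               + b"MZ" + b"\x90" * 30
               + b"%PDF-1.4 hello %%EOF"
               + b"\x00" * 4)

if __name__ == "__main__":
    for ref in carve(UNALLOCATED):
        print(ref, extract(UNALLOCATED, ref)[:8])
```

The header/maximum-size reference for the executable fragment runs to the end of the buffer and therefore overlaps the PDF that follows it; that over-capture is inherent to the technique, and is one reason to store references rather than copies until an investigator has looked at the result.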
The indexing process also uses the matching headers and footers to categorize all the files in the evidence. The output of this process allows the analyzed data to be subdivided into different categories:

• Documents (Word, Excel, ASCII, etc.)
• Graphic or multimedia content (images, video, audio)
• Executable programs
• Compressed or encrypted data (zip, rar, etc.)

3 Based on the taxonomy of Simson Garfinkel and Joachim Metz.

6 Bookmarking and Reporting

The entire analysis section is flanked by a bookmarking subsystem that allows investigators to bookmark evidence at any time. All operations are backed by the MySQL database, so no data is written locally in the client file system. When an investigator saves a bookmark, the reference to the corresponding evidence is written in the database in terms of inodes and sectors, without any data being transferred from the disk being examined to the database. Each bookmark is also associated with a tag specifying its category and a text field for user notes. Each investigator has a private bookmark management section, which can be used, at the investigator's total discretion, to share bookmarks with other users.

Reports are generated automatically on the basis of the bookmarks saved by the user. PTK provides two report formats: HTML and PDF. Reports are highly customizable in terms of graphics (header, footer, logos) and contents, with the option of inserting additional fields for enhanced description and documentation of the investigation results.

7 PTK External Modules (Extensions)

This PTK section allows users to employ external tools for the execution of various tasks. It is designed to give the application the flexibility to perform automatic operations on different operating systems, run data search or analysis processes, and recover deleted files.
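The case access control of Section 1 and the reference-only bookmarks of Section 6, as an added example that is not PTK's own code: only an administrator creates cases and assigns investigators, a bookmark stores an inode or a sector range rather than evidence bytes, a bookmark is visible to others only after its owner shares it, and every action (including denied ones) is appended to a CSV audit log. The schema, the role names and the scenario in `demo()` are constructed for this example, and an in-memory SQLite database stands in for the MySQL backend the paper describes.

```python
# Added example, not PTK's own code: a case store with administrator-only case
# creation and investigator assignment, bookmarks that hold only evidence
# references (inode or sector range), owner-controlled sharing and a CSV audit
# log. An in-memory SQLite database stands in for PTK's MySQL backend.
import csv
import io
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL);
CREATE TABLE cases (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE case_access (case_id INTEGER, user TEXT, PRIMARY KEY (case_id, user));
CREATE TABLE bookmarks (id INTEGER PRIMARY KEY, case_id INTEGER NOT NULL, owner TEXT NOT NULL,
  image TEXT NOT NULL, inode INTEGER, sector_start INTEGER, sector_count INTEGER,
  tag TEXT NOT NULL, note TEXT, shared INTEGER NOT NULL DEFAULT 0);
"""
COLS = ("id", "owner", "image", "inode", "sector_start", "sector_count", "tag", "note")

class CaseStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)
        self.log = io.StringIO()             # stands in for PTK's CSV log file
        self._csv = csv.writer(self.log)
        self._csv.writerow(["timestamp", "user", "action", "detail"])

    def _audit(self, user, action, detail):
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        self._csv.writerow([ts, user, action, detail])

    def add_user(self, name, role):
        self.db.execute("INSERT INTO users VALUES (?, ?)", (name, role))

    def _require_admin(self, user):
        row = self.db.execute("SELECT role FROM users WHERE name = ?", (user,)).fetchone()
        if row is None or row[0] != "admin":
            self._audit(user, "denied", "admin-only action")
            raise PermissionError(user)

    def create_case(self, admin, name):
        self._require_admin(admin)
        case_id = self.db.execute("INSERT INTO cases (name) VALUES (?)", (name,)).lastrowid
        self._audit(admin, "create_case", name)
        return case_id

    def assign(self, admin, case_id, investigator):
        self._require_admin(admin)
        self.db.execute("INSERT OR IGNORE INTO case_access VALUES (?, ?)", (case_id, investigator))
        self._audit(admin, "assign", "%s -> case %d" % (investigator, case_id))

    def has_access(self, user, case_id):
        q = "SELECT 1 FROM case_access WHERE case_id = ? AND user = ?"
        return self.db.execute(q, (case_id, user)).fetchone() is not None

    def add_bookmark(self, user, case_id, image, tag, note, inode=None, sector_start=None, sector_count=None):
        """Store a reference to the evidence (inode or sector range), never its bytes."""
        if not self.has_access(user, case_id):
            self._audit(user, "denied", "bookmark on case %d" % case_id)
            raise PermissionError(user)
        cur = self.db.execute(
            "INSERT INTO bookmarks (case_id, owner, image, inode, sector_start, sector_count, tag, note)"
            " VALUES (?, ?, ?, ?, ?, ?, ?, ?)", (case_id, user, image, inode, sector_start, sector_count, tag, note))
        self._audit(user, "bookmark", "%s inode=%s sectors=%s+%s" % (image, inode, sector_start, sector_count))
        return cur.lastrowid

    def share(self, user, bookmark_id):
        """Only the owner may expose a bookmark to the other assigned investigators."""
        cur = self.db.execute("UPDATE bookmarks SET shared = 1 WHERE id = ? AND owner = ?", (bookmark_id, user))
        if cur.rowcount == 0:
            raise PermissionError(user)
        self._audit(user, "share", str(bookmark_id))

    def visible_bookmarks(self, user, case_id):
        """The user's own bookmarks plus those other investigators chose to share."""
        if not self.has_access(user, case_id):
            return []
        q = "SELECT %s FROM bookmarks WHERE case_id = ? AND (owner = ? OR shared = 1) ORDER BY id" % ", ".join(COLS)
        return [dict(zip(COLS, r)) for r in self.db.execute(q, (case_id, user)).fetchall()]

def demo():
    """Constructed scenario: two assigned investigators and one outsider (carol)."""
    store = CaseStore()
    for name, role in (("admin", "admin"), ("alice", "investigator"), ("bob", "investigator"), ("carol", "investigator")):
        store.add_user(name, role)
    case = store.create_case("admin", "demo-case")
    store.assign("admin", case, "alice")
    store.assign("admin", case, "bob")
    store.add_bookmark("alice", case, "image.001", "document", "contract draft", inode=1234)
    shared = store.add_bookmark("bob", case, "image.001", "carved", "jpeg in unallocated space",
                                sector_start=2048, sector_count=44)
    store.share("bob", shared)
    try:
        store.add_bookmark("carol", case, "image.001", "note", "not assigned to this case")
        denied = False
    except PermissionError:
        denied = True
    return store, case, denied
```

The audit log is written through `csv.writer`, so a note containing commas or quotes cannot break the record layout; that is the property that makes the log usable for retracing activity in table form, as the paper describes for the administrator's log view.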
The “PTK extension manager” creates an interface between third-party tools and the evidence management system and runs various processes through them. The currently enabled extensions provide memory dump analysis, Windows registry analysis and OS artifact recovery.

The first extension gives PTK the ability to analyze the contents of RAM dumps. Both evidence from long-term data storage media and evidence from memory dumps can thus be associated with a case, allowing important information to be extracted, such as the list of strings in memory, which could potentially contain passwords to be used in the analysis of protected or encrypted archives found on the disk. The registry analysis extension gives PTK the capability of recognizing and interpreting a Microsoft Windows registry file and navigating within it as easily as with the regedit tool; additionally, PTK provides automatic searches within the most important sections of the registry and generates output results. The artifact recovery extension was implemented in order to reconstruct or recover specific contents relating to the functions of an operating system, its components or its applications. The output of these automatic processes can be included among the investigation bookmarks.

PTK extensions do not write their output to the database, in order to prevent it from becoming excessively large. User-selected output from these processes may be included in the bookmark section of the database; if bookmarks are not created before PTK is closed, the results are lost.

8 Comparative Assessment

The use of Ajax in the development of PTK has drastically reduced execution times on the server side and, by delegating part of the code execution to the client, has reduced user wait times by minimizing the amount of information loaded into pages. An assessment was carried out to compare the performance of PTK with that of Autopsy Forensic Browser.
Given that these are two web-based applications using different technologies, it is not possible to make a direct, linear comparison of performance. For this reason, it is useful to divide the assessment into two parts: the first highlights the main differences in the interfaces, examining the procedures the user has to follow; the second makes a closer examination of the performance of the PTK indexing engine, providing a more technical comparison on the basis of objective parameters such as command execution, parsing and output presentation times.

8.1 Interface

The following comparative assessment of Autopsy and PTK (Table 1) highlights the differences at the interface level, evaluated in terms of the number of pages loaded to execute the requested action. All pages (and thus the steps taken by the user) are counted starting from, and excluding, the home page of each application.

Table 1. User procedures in Autopsy and PTK, with the number of pages loaded for each action.

Action: New case creation
  Autopsy: You click “New case” and a new page is loaded where you add the case name, description, and assigned investigator names (text fields). Pages loaded: 2
  PTK: You click “Add new case” and a modal form is opened where it is sufficient to provide a case name and brief description. Pages loaded: 1

Action: Investigator assignment
  Autopsy: Investigators are assigned to the case when it is created. However, these are only text references.
  PTK: You click on the icon in the case table to access the investigator management panel. These assignments represent bona fide user profiles.

Action: Image addition
  Autopsy: You select a case and a host and then click “Add image file”. A page is displayed where you indicate the image path (manually) and specify a number of import parameters. On the next page, you specify integrity control operations and select the partitions. Then you click “Add”. Pages loaded: 6
  PTK: In the case table, you click on the image management icon and then click “Add new image”. A modal form opens with a guided 3-step process for adding the image. Path selection is based on automatic folder browsing. Pages loaded: 1

Action: Image integrity verification
  Autopsy: After selecting the case, the host and the image, you click “Image integrity”. The next page allows you to create an MD5 hash of the file and to verify it on request. Pages loaded: 4
  PTK: You open image management for a case and click “Integrity check”. A panel opens where you can generate and/or verify both MD5 and SHA1 hashes. Pages loaded: 1

Action: Evidence analysis
  Autopsy: After selecting the case, the host and the image, you click “Analyze” to access the analysis section. Pages loaded: 4
  PTK: After opening the panel displaying the images in a case, you click the “Analyze image” icon to access the analysis section. Pages loaded: 1

Action: Evidence timeline
  Autopsy: After selecting the case, the host and the image, you click “File activity time lines”. You then have to create a data file by providing appropriate creation parameters, and then create the timeline file based on the file thus generated. Pages loaded: 8
  PTK: You open image management for a case and click on the indexing icon. The option of generating a timeline comes up and the process is run. The timeline is saved in the database and is available during analyses. Pages loaded: 1

Action: String extraction
  Autopsy: After selecting the case, the host and the image, you click “Details”. On the next page you click “Extract strings” to run the process. Pages loaded: 5
  PTK: You open image management for a case and click on the indexing icon. The option of extracting strings comes up and the process is run. All ASCII strings for each image file are saved in the database. Pages loaded: 1

8.2 Indexing Performance

The following tests were performed on the same evidence: file system FAT32; size 1.9 Gb; acquisition with dd. A direct comparison (Table 2) can be made for timeline generation and keyword extraction in terms of the time required to perform the operations.

Table 2. Indexing performance of Autopsy and PTK on the test evidence (minutes ’ and seconds ”).

Action: Timeline generation
  Autopsy: 54” + 2”
  PTK: 18”

Action: Keyword extraction
  Autopsy: 8’ 10”
  PTK: 8’ 33”

Action: File hash generation
  Autopsy: Autopsy manages the hash values (MD5) for each file at the directory level. The hash generation operation must therefore be run from the file analysis page; moreover, this process does not save any of the generated hash values.
  PTK: PTK optimizes the generation of file hashes via the indexing operations, eliminating wait time during analysis and making the hash values easy to consult.

9 Conclusions and Further Steps

The main idea behind the project was to provide an “alternative” interface to the TSK suite, so as to offer a new and valid open-source tool for forensic investigations. We use the term “alternative” because PTK was not designed to be completely different software from its forerunner, Autopsy, but a product that seeks to improve the performance of existing functions and resolve their inadequacies. The strong point of this project is thus the careful initial analysis of Autopsy Forensic Browser, which allowed the developers to lay the foundations for a robust product that represents a real step forward. Future developments of the application will certainly include:

• Integration of new tools as extensions of the application, in order to address a greater number of analysis types within the capabilities of PTK.
• Creation of customized installation packages for the various platforms.
• Adaptation of style sheets to all browser types, in order to extend the portability of the tool.

References

1. Carrier, Brian: File System Forensic Analysis. Addison Wesley, Reading (2005)
2. Carrier, Brian: Digital Forensic Tool Testing Images (2005), http://dftt.sourceforge.net
3. Carvey, Harlan: Windows Forensic Analysis. Syngress (2007)
4. Casey, Eoghan: Digital Evidence and Computer Crime. Academic Press, London (2004)
5. Garfinkel, Simson: Carving Contiguous and Fragmented Files with Fast Object Validation. In: Digital Forensics Workshop (DFRWS 2007), Pittsburgh, PA (August 2007)
6. Jones, Keith J., Bejtlich, Richard, Rose, Curtis W.: Real Digital Forensics: Computer Security and Incident Response. Addison-Wesley, Reading (2005)
7. Schwartz, Randal L., Phoenix, Tom: Learning Perl. O’Reilly, Sebastopol (2001)
8. The Sleuth Kit documentation, http://www.sleuthkit.org/
9. Forte, D.V.: The State of the Art in Digital Forensics. Advances in Computers 67, 254–300 (2006)
10. Forte, D.V., Maruti, C., Vetturi, M.R., Zambelli, M.: SecSyslog: an Approach to Secure Logging Based on Covert Channels. In: SADFE 2005, 248–263 (2005)