Both the free version and the commercial, appliance-based version of the PTK project are under constant development. PTK can now manage hash libraries thoroughly and accurately, which makes the investigation process faster and easier. At the moment PTK works with hash libraries in Hashkeeper format, or imports only those hash values already known to the investigator. PTK does not just create hash sets and mark them as GOOD or BAD: it lets the investigator create new personalised sets and, depending on the case, choose the most appropriate set for the lookup operation. The screenshot below shows how three different hash sets (for example INFECTED, SYSTEM and STOLEN) can be created, giving each a name, a description and a distinctive colour, and manually entering the hash values to search for inside the evidence.
Adding Hashkeeper libraries is very fast, and the import runs as a background operation so the investigator can keep working on the case while it completes. It suffices to select the appropriate Hashkeeper file and indicate the category (hash set) to which its hash values should be added.
Once the hash sets have been created and filled with values, PTK is ready to run the lookup process. This operation is performed very quickly and lets the investigator see, for every file, the hash category previously created. As shown in the image below, from the Hashset tab it is possible to define, for each item of evidence, which sets are enabled and which are disabled. The lookup compares the hashes in the enabled sets against the MD5 and SHA1 hash values of every file inside the evidence. For this to work, PTK must already have indexed the image, as described in the previous article on adding and indexing evidence in PTK.
The outcome of the lookup is shown in the image below. For the selected directory, 9 files have been identified, 3 in each of the categories previously created, so the category and colour of each file can be checked in real time. Among the filtering options it is possible to hide, or show only, the files belonging to the System libraries (for example, original files from the trusted operating system), or to show only the files in the Stolen set.
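The whole workflow described above (creating named, coloured sets, importing a Hashkeeper-style file, comparing MD5/SHA1 of every indexed file against the enabled sets, then filtering by set) is small enough to show end to end. The following is an added example written for this article, not PTK's own code: the evidence files, the import file and its column layout are constructed for the demonstration (a simplified comma-separated layout with a `hash` column, only loosely modelled on Hashkeeper records, whose real schema has more fields), and the set names and colours are taken from the screenshot description above.

```python
"""Hash-set lookup over indexed evidence (added example, not PTK code)."""
import csv
import hashlib
import io
from dataclasses import dataclass, field


@dataclass
class HashSet:
    """A personalised hash set with a name, description and colour."""
    name: str
    description: str
    colour: str
    md5: set = field(default_factory=set)    # lowercase hex digests
    sha1: set = field(default_factory=set)

    def add(self, value: str) -> None:
        """Manually insert one entry; digest length tells MD5 from SHA1."""
        h = value.strip().lower()
        if len(h) == 32 and all(c in "0123456789abcdef" for c in h):
            self.md5.add(h)
        elif len(h) == 40 and all(c in "0123456789abcdef" for c in h):
            self.sha1.add(h)
        else:
            raise ValueError(f"not an MD5/SHA1 hex digest: {value!r}")


def import_hashkeeper_like(text: str, target: HashSet) -> int:
    """Import hash records from a comma-separated file into `target`.

    ASSUMPTION: a header row and a 'hash' column (simplified layout, not
    the real Hashkeeper schema). Returns the number of new entries."""
    before = len(target.md5) + len(target.sha1)
    for row in csv.DictReader(io.StringIO(text)):
        target.add(row["hash"])
    return len(target.md5) + len(target.sha1) - before


def index_evidence(files: dict) -> dict:
    """Indexing step: MD5 and SHA1 of every file (name -> content bytes)."""
    return {name: (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest())
            for name, data in files.items()}


def lookup(index: dict, sets: list, enabled: set) -> dict:
    """For each file, list the enabled sets whose MD5 or SHA1 entries match.
    A file may fall into several sets; each hit is (set name, colour)."""
    result = {}
    for name, (md5, sha1) in index.items():
        result[name] = [(s.name, s.colour) for s in sets
                        if s.name in enabled and (md5 in s.md5 or sha1 in s.sha1)]
    return result


def filter_files(result: dict, only=None, exclude=()) -> list:
    """Filtering: drop files in any set named in `exclude` (e.g. hide SYSTEM),
    and keep only files in set `only` when given (e.g. show only STOLEN)."""
    out = []
    for name, hits in result.items():
        names = {n for n, _ in hits}
        if names & set(exclude):
            continue
        if only is not None and only not in names:
            continue
        out.append(name)
    return sorted(out)


# Constructed sample evidence standing in for an indexed image. The contents
# "abc", "" and "hello" are chosen because their digests are standard test
# vectors, so the hash-set entries below can be written down by hand.
EVIDENCE = {
    "WINDOWS/system32/kernel32.dll": b"abc",
    "Documents/payroll.xls": b"hello",
    "temp/dropper.exe": b"",
    "Documents/notes.txt": b"unrelated content",
}

# Constructed Hashkeeper-style import file for the SYSTEM set; the digest is
# uppercase, as vendor-supplied files often are, to exercise normalisation.
SYSTEM_IMPORT = """file_id,hash,file_name
1,900150983CD24FB0D6963F7D28E17F72,kernel32.dll
"""


def build_sets() -> list:
    """Three sets as in the screenshot: INFECTED, SYSTEM, STOLEN."""
    infected = HashSet("INFECTED", "Known malware", "red")
    infected.add("d41d8cd98f00b204e9800998ecf8427e")          # MD5 of b""
    system = HashSet("SYSTEM", "Trusted OS files", "green")
    import_hashkeeper_like(SYSTEM_IMPORT, system)               # MD5 of b"abc"
    stolen = HashSet("STOLEN", "Exfiltrated documents", "yellow")
    stolen.add("aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d")     # SHA1 of b"hello"
    return [infected, system, stolen]


def run(enabled=("INFECTED", "SYSTEM", "STOLEN")) -> dict:
    """Index the evidence and run the lookup with the given sets enabled."""
    return lookup(index_evidence(EVIDENCE), build_sets(), set(enabled))


if __name__ == "__main__":
    res = run()
    for fname, hits in res.items():
        print(fname, hits)
    print("hide SYSTEM:", filter_files(res, exclude=("SYSTEM",)))
    print("only STOLEN:", filter_files(res, only="STOLEN"))
```

Disabling a set in `run(enabled=...)` simply removes its hits, mirroring the per-evidence enable/disable switch on the Hashset tab. One caveat worth keeping in mind when relying on this kind of lookup: a hash set only matches byte-for-byte identical files, so a single changed byte in a known malicious or stolen file produces no hit, and a file that does not appear in any set is merely unknown, not cleared.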
This new feature extends PTK's capabilities. The following articles will present the new Registry Analysis and Hex Value Interpreter features.
PTK is available via the SIFT Workstation found at the SANS Computer Forensics Site.
Michele Zambelli, GCFA Silver #1856, is a member of the PTK Team and a Security Consultant at DFLabs Italy.