Tuesday, March 6, 2012

Forensic Suites - Backtrack

ptk

PTK is a forensics toolkit, similar to the Sleuthkit toolkit. It contains built-in modules for analyzing nearly any type of media or file type that may be encountered in a forensic investigation. It is browser based and first needs a MySQL database configured. Leave all fields at their defaults and use the password “toor” for the root user in MySQL. Setup should complete successfully, at which point you need to register for the free version. Copy the license file you receive into PTK's config directory at /var/www/ptk/config.
Next, log in as either admin or investigator and open a new case. Fill out the required information, then add an image file to begin; it can even be a RAM dump. From there, the built-in tools help you pull information from the image(s).

setup autopsy

Autopsy is a web-based GUI front end to the tools in the Sleuthkit forensics toolkit. It specializes in analyzing disk images and can retrieve information from them through its search and browse functions. For a tutorial on retrieving “deleted” information from a disk, take a look at this Autopsy Tutorial.

sleuthkit

Sleuthkit is a forensic toolkit containing many utilities for use in a digital forensics investigation. It is the official successor to The Coroner’s Toolkit (TCT). Sleuthkit is not a single program; rather, it is the name given to a collection of many programs. Some of the included utilities are ils, blkls, fls, fsstat, ffind, mactime and disk_stat. The example below shows how to use mactime to recursively list files that have been accessed since 1/1/2011:

Example usage: mactime -y -R -d / 1/1/2011
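To show what mactime actually does with that date argument, here is an added example (not code from the original post and not part of Sleuthkit): a small Python script that reads the Sleuthkit "body" format produced by fls -m / ils -m, groups each file's four timestamps the way mactime does (one row per distinct time, flagged m/a/c/b), and keeps only activity on or after a start date given in the m/d/yyyy form the post's example uses. The body lines are constructed sample data, and the zero-time skip is an assumption of this script.

```python
from datetime import datetime, timezone
# Constructed body lines (fls -m / ils -m format, epoch seconds), not from a real image:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/etc/passwd|12|-/-rw-r--r--|0|0|1024|1293926400|1262304000|1262304000|1262304000
0|/home/user/notes.txt|33|-/-rw-------|1000|1000|512|1296000000|1295000000|1295000000|1294000000
0|/tmp/old.log|44|-/-rw-r--r--|0|0|2048|1230000000|1230000000|1230000000|1230000000
"""
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
FLAG = {"mtime": "m", "atime": "a", "ctime": "c", "crtime": "b"}  # MACB letters

def parse_body(text):
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed body line: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for key in FLAG:
            rec[key] = int(rec[key])  # timestamps as integers
        records.append(rec)
    return records

def timeline(records, since):
    """Rows (epoch, macb, size, mode, uid, gid, inode, name) on/after `since` (m/d/yyyy, UTC)."""
    start = int(datetime.strptime(since, "%m/%d/%Y").replace(tzinfo=timezone.utc).timestamp())
    rows = []
    for r in records:
        by_time = {}  # distinct timestamp -> set of MACB letters, as mactime groups them
        for key, letter in FLAG.items():
            if r[key] != 0:  # a zero time is treated as unknown and skipped here (assumption)
                by_time.setdefault(r[key], set()).add(letter)
        for ts, letters in by_time.items():
            if ts >= start:
                macb = "".join(c if c in letters else "." for c in "macb")
                rows.append((ts, macb, r["size"], r["mode"], r["uid"], r["gid"], r["inode"], r["name"]))
    return sorted(rows)

def render(rows):  # mactime column order: date, size, MACB, mode, uid, gid, meta, name
    out = []
    for ts, macb, size, mode, uid, gid, inode, name in rows:
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        out.append(f"{when} {size:>8} {macb} {mode} {uid:>4} {gid:>4} {inode:>6} {name}")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(timeline(parse_body(SAMPLE_BODY), "1/1/2011")))
```

Files whose every timestamp predates the start date (here /tmp/old.log) drop out entirely, while a file touched only by a read since then shows up with just the "a" flag set.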
