Monday, February 02, 2009

PTK on CentOS 5.2

Having some spare time over the weekend led me to attempt an installation of PTK on my spare CentOS box. I had already succeeded in getting it to run under Fedora, so I had some idea of what I was getting myself into...

Before you get started, make sure you have the following packages installed:

mysql
mysql-server
php
php-mysql
php-mbstring
httpd
Sleuthkit

If you need EWF (E01) or AFF image support, you will also need:

libewf
afflib
After installing everything, you need to initialize MySQL and set its root password (as root). A freshly installed mysqld has a root account with no password at all, so do this before anything else:

# /sbin/chkconfig mysqld on
# /sbin/service mysqld start
# mysqladmin -u root password 'new-passwd'

You must use quotes around the new-passwd you choose, and don't forget what it is!

You must also start the HTTP server (as root):

# /sbin/service httpd start

If you want it to come up at boot as well, enable it with chkconfig the same way as mysqld above.
Now you are ready to download and install PTK from sourceforge. I downloaded version 1.0.5.

In order to install PTK, extract the tarball in your webserver directory as root:

# cd /var/www/html
# ls
ptk-1.0.5.tar.gz

# tar -xzf ptk-1.0.5.tar.gz
# chown -R apache:apache ptk

The last command above makes sure that all files are owned by the webserver user (apache on CentOS), so that the install script can write its configuration files. Keep in mind that this also leaves the PHP source itself writable by the web server; once the install is finished you can tighten that by handing everything except the directories PTK has to write to back to root.


Now we have to address a problem that still exists with the installation script. Go inside the ptk folder; you should see the install.php script. If you have Sleuthkit installed in /usr/local/bin the install script will not work as expected, because PHP running under httpd inherits a minimal PATH that does not include that directory, so the which calls inside the script come back empty. You can find out where Sleuthkit is installed by typing which plus one of the Sleuthkit commands, e.g.:

$ which istat

If the path returned is under /usr/local/bin then you can modify install.php by changing entries like:

$istat = shell_exec("which istat");

to

$istat = shell_exec('export PATH="/usr/bin:/usr/local/bin"; which istat');

and so on for each of the other Sleuthkit tools it looks up.

If all goes well, opening install.php in your browser will take you to the options screen, which should look something like the following:

[screenshot of the PTK options screen]

Fill everything out as you like (including distro) and press next. When I installed PTK under Fedora, everything was ready to go at this point. With CentOS, it was another story: for some reason the install script did not fill in the Sleuthkit paths in the generated configuration files.

So, you have to manually add the locations of your Sleuthkit executables in the following files:

config/conf.php
config/conf.pl

where config is the folder within the ptk folder [/var/www/html/ptk/config]. If you open up conf.pl it may look like:

installdir => '/var/www/html/ptk/',
md5_bin => '/usr/bin/md5sum',
sha1_bin => '/usr/bin/sha1sum',
fsstat_bin => '',
mmls_bin => '',
fls_bin => '',
istat_bin => '',
[snip]

Notice that there are some blank entries. You will have to enter the full path of each of those executables (what which reports for them, e.g. /usr/local/bin/fsstat) in both files.
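Both CentOS fixes above, the PATH for the which lookups in install.php and the blank _bin entries in the config files, can be scripted. The following is an added example written for this page; it is not code from the original post or from PTK. It assumes the Sleuthkit binaries live in one of the directories listed in TSK_DIRS (an assumed variable name), that the install.php lookups have exactly the shell_exec("which tool") form shown above, and that conf.php uses the same tool_bin ... '' keys as conf.pl (the post only shows conf.pl). The demo at the bottom works on a constructed fixture with fake tool binaries, so it runs without Sleuthkit installed.

```shell
#!/bin/sh
# Added example, not part of the original post or of PTK. Automates the two
# CentOS fixes described above:
#   1. rewrite install.php's  shell_exec("which TOOL")  lookups so they run
#      with a PATH that includes /usr/local/bin (httpd's PHP inherits a
#      minimal PATH, which is why the plain "which" returns nothing there);
#   2. fill in the blank  TOOL_bin => ''  entries in config/conf.pl (and,
#      assuming it uses the same "TOOL_bin ... ''" keys, config/conf.php).
# TSK_DIRS is an assumed name: the colon-separated list of directories
# searched for Sleuthkit tools. The demo at the bottom runs on a constructed
# fixture with fake tool binaries, so it does not need Sleuthkit installed.
set -e

TSK_DIRS="${TSK_DIRS:-/usr/bin:/usr/local/bin}"

# find_tool NAME: print the first TSK_DIRS entry holding an executable NAME,
# exit 1 if none does. Runs in a subshell so the IFS change stays local.
find_tool() (
    IFS=:
    for dir in $TSK_DIRS; do
        if [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# patch_install_php FILE: turn every shell_exec("which TOOL") into
# shell_exec('export PATH="<TSK_DIRS>"; which TOOL'), keeping FILE.orig.
# TSK_DIRS must not contain '|' or '&', which sed would interpret.
patch_install_php() {
    sed -i.orig \
        "s|shell_exec(\"which \([A-Za-z0-9_]*\)\")|shell_exec('export PATH=\"$TSK_DIRS\"; which \1')|" \
        "$1"
}

# fill_tsk_paths FILE: for each line of the form  TOOL_bin => '',  (or the
# PHP equivalent) look TOOL up with find_tool and put its path between the
# quotes. Already-filled entries such as md5_bin are left alone; tools that
# cannot be found are reported and stay blank so you can fill them by hand.
fill_tsk_paths() {
    file="$1"
    tmp="$file.tmp.$$"
    : > "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *_bin*"''"*)
                tool=$(printf '%s\n' "$line" | sed -n 's/^[^A-Za-z0-9]*\([A-Za-z0-9]*\)_bin.*/\1/p')
                if [ -n "$tool" ] && path=$(find_tool "$tool"); then
                    line=$(printf '%s\n' "$line" | sed "s|''|'$path'|")
                else
                    printf 'warning: %s not found in %s; left blank\n' "$tool" "$TSK_DIRS" >&2
                fi
                ;;
        esac
        printf '%s\n' "$line" >> "$tmp"
    done < "$file"
    mv "$tmp" "$file"
}

# demo: build a constructed fixture (fake fsstat/mmls/fls/istat binaries,
# a conf.pl and an install.php modelled on the snippets in the post), apply
# both fixes with TSK_DIRS pointing at the fake tools, and print the
# directory so the results can be inspected.
demo() {
    d=$(mktemp -d)
    mkdir "$d/tsk"
    for t in fsstat mmls fls istat; do
        printf '#!/bin/sh\n' > "$d/tsk/$t"
        chmod +x "$d/tsk/$t"
    done
    cat > "$d/conf.pl" <<'EOF'
installdir => '/var/www/html/ptk/',
md5_bin => '/usr/bin/md5sum',
sha1_bin => '/usr/bin/sha1sum',
fsstat_bin => '',
mmls_bin => '',
fls_bin => '',
istat_bin => '',
EOF
    cat > "$d/install.php" <<'EOF'
<?php
$istat = shell_exec("which istat");
$fls = shell_exec("which fls");
EOF
    TSK_DIRS="/nonexistent:$d/tsk"
    patch_install_php "$d/install.php"
    fill_tsk_paths "$d/conf.pl"
    printf '%s\n' "$d"
}

fixture=$(demo)
echo "fixture in $fixture"
cat "$fixture/conf.pl" "$fixture/install.php"
```

On a real install you would run patch_install_php against /var/www/html/ptk/install.php before opening it in the browser, then fill_tsk_paths against config/conf.pl and config/conf.php afterwards, with TSK_DIRS set to wherever which found istat. Because the files are rewritten in place, run it as root and chown them back to apache afterwards, as the post notes.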

All right, so I'm not going to make you do it... :-) Here are the modified files for my CentOS box. Just make sure you put them in the right places, and you might have to chown them as well.

Enjoy! and hope this helps someone out there...

2 comments:

Jason Howell said...

I had the same problem installing PTK in Fedora 8, 9, and 10. I have PTK running but keep having to put SELinux in Permissive mode. Do you run your machine as the ROOT user or as a standard user? The reason I ask is the SIFT Workstation from the SANS institute is a Fedora base with PTK on it and you use it as ROOT. Thank you for all of the helpful information you've given, I've really been able to use it.

Jamie Levy said...

Sorry for the late reply. I'm running as the standard user.

I'm glad to have been helpful :-)