Showing posts with label PTK. Show all posts

Monday, February 02, 2009

PTK on CentOS 5.2

Having some spare time over the weekend caused me to attempt an installation of PTK on my spare CentOS box. I've succeeded in getting it to run under Fedora, so I had a little bit of an idea of what I was getting myself into...

Before you get started, make sure you have the following packages installed:

mysql
mysql-server
php
php-mysql
php-mbstring
httpd
Sleuthkit



If you need EWF or AFF support you can install them from:


libewf
afflib




After installing everything, you need to initialize MySQL (as root):


# /sbin/chkconfig mysqld on
# /sbin/service mysqld start
# mysqladmin -u root password 'new-passwd'



You must use quotes around the new-passwd you choose, and don't forget what it is!

You must also start the HTTP server (as root):


# /sbin/service httpd start



Now you are ready to download and install PTK from sourceforge. I downloaded version 1.0.5.

In order to install PTK, extract the tarball in your webserver directory as root:


# cd /var/www/html
# ls
ptk-1.0.5.tar.gz

# tar -xzf ptk-1.0.5.tar.gz
# chown -R apache.apache ptk



The last command above makes sure that all files are owned by the webserver user.


Now we have to address a problem that still exists in the installation script. Go inside the ptk folder; at this point you should see the install.php script. If Sleuthkit is installed in /usr/local/bin, the install script will not work as expected because that directory is not on its PATH. You can find out where Sleuthkit is installed by typing which followed by one of the Sleuthkit commands, e.g.:


$ which istat



If the path returned is /usr/local/bin then you can modify the install.php file by changing entries like:


$istat = shell_exec("which istat");



to


$istat = shell_exec('export PATH="/usr/bin:/usr/local/bin"; which istat');



and so on...

If all goes well, you will get to the options screen, which should look something like the following:



Fill everything out as you like (including distro) and press next. Now, when I installed PTK under Fedora, everything was ready to go at this point. With CentOS, it was another story. For some reason, things did not get updated with the extra configure scripts.

So, you have to manually add the locations for your Sleuthkit executables in the following files:


config/conf.php
config/conf.pl



where config is the folder within the ptk folder [/var/www/html/ptk/config]. If you open up conf.pl it may look like:


installdir => '/var/www/html/ptk/',
md5_bin => '/usr/bin/md5sum',
sha1_bin => '/usr/bin/sha1sum',
fsstat_bin => '',
mmls_bin => '',
fls_bin => '',
istat_bin => '',
[snip]



Notice that some entries are blank; you will have to enter the correct path for each of those executables.
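The install.php PATH problem above and the blank conf.pl entries have the same root cause: the installer only finds Sleuthkit tools that sit on the web server's PATH. The following shell script is an added example (not part of the post or of PTK) that probes a fixed list of directories instead of relying on PATH and prints the conf.pl lines for the four tools shown above. Only /usr/local/bin and the tool names fsstat, mmls, fls and istat come from the post; the search list, the function names and the --print option are assumptions, and the conf.php format is not shown on the page, so the script emits conf.pl-style lines only.

```shell
#!/bin/sh
# Added example: locate the Sleuthkit binaries PTK needs and emit the
# conf.pl lines the installer left blank. The search directories and the
# function names are assumptions; only /usr/local/bin and the four tool
# names (fsstat, mmls, fls, istat) come from the post.

# Directories probed, in order. This replaces the post's
# 'export PATH="/usr/bin:/usr/local/bin"; which istat' trick with an
# explicit list, so the result does not depend on the web server's PATH.
TSK_SEARCH_DIRS="/usr/bin /usr/local/bin /opt/sleuthkit/bin"

# find_tsk_bin NAME [DIR ...]
# Print the first executable regular file called NAME in DIR ... (default:
# $TSK_SEARCH_DIRS). Return 1 when none is found.
find_tsk_bin() {
    name=$1
    shift
    [ $# -gt 0 ] || set -- $TSK_SEARCH_DIRS
    for d in "$@"; do
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# tsk_conf_line NAME PATH
# Print one conf.pl entry in the form shown in the post: istat_bin => '/path',
tsk_conf_line() {
    printf "%s_bin => '%s',\n" "$1" "$2"
}

# gen_tsk_conf [DIR ...]
# Print a conf.pl entry for each tool, resolving its path with
# find_tsk_bin. Tools that cannot be found get an empty path (exactly
# the state the post describes) and a warning on stderr; return 1 if
# any tool is missing so the caller does not ship a half-filled config.
gen_tsk_conf() {
    missing=0
    for tool in fsstat mmls fls istat; do
        if path=$(find_tsk_bin "$tool" "$@"); then
            tsk_conf_line "$tool" "$path"
        else
            echo "warning: $tool not found in ${*:-$TSK_SEARCH_DIRS}" >&2
            tsk_conf_line "$tool" ""
            missing=1
        fi
    done
    return $missing
}

# Run with --print to emit the entries for this host; the output can be
# pasted into /var/www/html/ptk/config/conf.pl in place of the blank ones.
if [ "${1:-}" = "--print" ]; then
    gen_tsk_conf
fi
```

Running `sh tsk_paths.sh --print` (the file name is yours to choose) prints the four lines; a non-zero exit status means at least one tool was not found, so check the warning on stderr before editing conf.pl.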

All right, so I'm not going to make you do it... :-) Here are the modified files for my CentOS box. Just make sure you put them in the right places, and you might have to chown them as well.

Enjoy! and hope this helps someone out there...

Thursday, October 23, 2008

PTK 0.2 Patch

In case you missed it, I've created a patch for PTK. You can find it here. This fixes the path issue for those who have Sleuthkit installed in /usr/local/bin. PTK 1.0 will be released soon and this will no longer be an issue.

Monday, July 14, 2008

PTK 0.2 Released

PTK labs has released beta 0.2. Improvements include searching for strings in slack space and a new installer. Now installation will be somewhat easier. You simply have to unzip the files into your Apache-owned folder (/var/www/, /var/www/htdocs, /var/www/html etc.). Make sure the permissions are set correctly. Open your browser and go to http://127.0.0.1/ptk/install.php. You will see the installation page and can just fill it out as needed.

Edit 10/18: I've decided to add a patch to address the comment below.
Apply it as follows:


patch -b install.php install_diff.txt

Sunday, July 06, 2008

PTK on Fedora 8

Wow, this was a painful install... and I'm not even sure if it's completely over :-/ Though I haven't been able to get this working completely with all of my practice images, PTK looks somewhat promising. Update: PTK works; see the update at the end.

Anyway, before you get started, you should make sure to install all of the packages you need:


mysql
mysql-server
php
php-mysql
php-mbstring
httpd
Sleuthkit



In addition, according to the help forums, you also need the following libraries for Sleuthkit (I must have had a previous version because I haven't had to do this before):


afflib
libewf



The following package is not *required* but can help you a lot if you are not used to command line management of mysql databases:


phpMyAdmin


With all of the above packages, just do a ``yum install''. After you start MySQL and httpd you should be set. I have already gone over how to set up MySQL and will not repeat it here. If you want to make sure that everything has installed correctly, you can see the PHP information by creating a file called info.php in the /var/log/www/html directory that contains:


<?php
phpinfo();
?>



To see the information, open a browser and go to http://127.0.0.1/info.php. Scroll down until you see the following:





Now, download the PTK sourcecode. After you extract it, you should have a folder that contains a license file, Setup file, PTK.sql file and another tarball. Make sure that the md5 hash values are correct:


$ cat md5sums.txt
76b10e2f1c8bfd25a7128e1ca4f3009a ptk-beta_0.1.tar.gz
15d83f58161f816db660c65cf12c717e PTK.sql
e7cebc317dda69f2df81856118d924f3 Setup
$ md5sum -c md5sums.txt
ptk-beta_0.1.tar.gz: OK
PTK.sql: OK
Setup: OK



I tried just using the Setup file and failed miserably. I would get the nice welcome screen, but couldn't log in to PTK. Then I tried the manual install shown in the tutorial... It also didn't work. Things were getting installed in the wrong directories, even after I had told it where to install correctly using the original Setup script. Also, the Setup script looks for files called md5 and sha1, which are called md5sum and sha1sum on my machine...

So after analyzing the Setup file, I wrote a patch and finally got PTK working which you can find here. To apply the patch type:


patch -b Setup fedora-patch.txt


This will make a backup of the Setup file in case things go awry.

Make sure that you pay attention to the output of the Setup script and check to see if there are any errors. If things go well, you should see the following screens:







If everything goes ok, you should have PTK installed in your /var/www/html/ptk directory. You can start it by going to: http://127.0.0.1/ptk. You have to log in using the ``admin'' account, and hopefully you don't forget your password you used for this!



Issues (all but the last issue are resolved):
I am not yet sure of the cause of all of these issues, but I thought I would list them here.
  • fatv images do not seem to be recognized and I am unable to browse the file system at all.
  • I am unable to get an initial correct hash of the image without running the browser as root
  • After the initial hash is taken, verification yields an incorrect hash (see pic below) and I suspect it is hashing the symbolic link and not the image itself. The top md5sum hash is correct, the second verification one is not.
  • If you have SELinux working, you will have to use workarounds to let this program work (which is an SELinux thing, not a PTK thing exactly)
  • When you search for images, you are initially directed to the /var/log/www/ptk/images folder, which is fine. If you add a disk image there, you do not see it. You have to go back 2 directories and then forward again before the disk image appears




Edit: PTK Works

As I wrote previously, I managed to get PTK installed on Fedora 8. I had a few issues with seeing the images at the end, however. It was a permissions problem. I can't believe I missed that. But it works and it seems fun. So if you are installing PTK on Fedora, follow the earlier instructions and use the patch I made and then check the permissions of the ptk folder to make sure that it is owned by apache (or whatever user you have as your webserver). If it isn't then do a recursive chown:


# chown -R apache.apache /var/www/html/ptk
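The permissions problem described above is easy to reintroduce (for example by extracting a new tarball or copying an image into ptk/images as root), so it is worth checking rather than assuming the recursive chown stuck. The script below is an added example, not part of the post or of PTK: it lists every path under the PTK tree that is not owned by the web server user and exits non-zero if any are found. The function name check_tree_owner and the --check option are assumptions; "apache" as the web server user and /var/www/html/ptk as the default path come from the post.

```shell
#!/bin/sh
# Added example: audit ownership of the PTK tree after the recursive chown.
# check_tree_owner is a hypothetical name; "apache" as the web server user
# and /var/www/html/ptk as the path come from the post.

# check_tree_owner DIR USER
# Print every path under DIR that is not owned by USER.
# Exit status: 0 = all owned by USER, 1 = at least one mismatch listed,
# 2 = DIR is not a directory or USER is not a known account.
check_tree_owner() {
    dir=$1
    user=$2
    [ -d "$dir" ] || return 2
    # find(1) aborts on an unknown user name, so check it first.
    id -u "$user" >/dev/null 2>&1 || return 2
    mismatched=$(find "$dir" ! -user "$user")
    [ -z "$mismatched" ] && return 0
    printf '%s\n' "$mismatched"
    return 1
}

# Usage: sh check_ptk_owner.sh --check [DIR] [USER]
# Defaults match the post's chown -R apache.apache /var/www/html/ptk.
if [ "${1:-}" = "--check" ]; then
    check_tree_owner "${2:-/var/www/html/ptk}" "${3:-apache}"
    case $? in
        0) echo "ok: everything under ${2:-/var/www/html/ptk} is owned by ${3:-apache}" ;;
        1) echo "fix with: chown -R ${3:-apache}.${3:-apache} ${2:-/var/www/html/ptk}" >&2; exit 1 ;;
        *) echo "error: bad directory or unknown user" >&2; exit 2 ;;
    esac
fi
```

Run it as root (or any user that can read the whole tree) with `sh check_ptk_owner.sh --check`; the listed paths are the ones the chown -R above will fix. It checks ownership only, so the SELinux labels mentioned in the issues list still need a separate look.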









I have only a couple of complaints: The folders are kind of hard to see on the left hand side, but there may be some way to remedy that. Also, I'm still having the problem of having to go back two folders and then forwards when importing an image, but I guess it's not that bad... Still, PTK has some nice options, like the gallery view, and the interface is nice. So far I like it :-)