Frequently Asked Questions

What operating systems is PyFlag tested on? Will it be ported to windows?

• PyFlag is developed on a debian testing system and ubuntu. PyFlag should work on other versions of Linux. It is not tested on non-Linux platforms (mainly because we don't have any), but may work with some porting. PyFlag's developers are keen to hear about PyFlag working on non-Linux platforms (e.g. Darwin), and always welcome patches to enhance portability.

• PyFlag has not been tested on windows at present. It is unlikely that it will work on windows without major porting (which is always welcome ... ). At this stage there are no plans to support windows. Windows is not really suitable or flexible enough as a forensic platform.

• Of course, since PyFlag is a web application, the client web browser can easily run on windows, but the server backend needs to be installed on Linux.

How do I install PyFlag in a different location? How can I try out PyFlag without having to install it into my system?

• PyFlag may be installed into a different prefix by using the --prefix configure parameter:

   ./configure --prefix=/tmp/

How do I use the development version. Can I browse the source?

• PyFlag uses an advanced version control system called darcs. Darcs allows anyone to check out the repository at any time, and provides a complete mirror of the repository that they can work on while off line. To check out the repository:

     darcs get --partial http://pyflag.sourceforge.net/pyflag/

• You can browse the current source tree by navigating to http://pyflag.sourceforge.net/pyflag/_darcs/current/. The current changelog can be found by http://pyflag.sourceforge.net/pyflag/_darcs/inventory

I installed PyFlag OK, but when I load a case, and do a keyword search I do not get any results. Whats wrong?

• PyFlag uses a log time indexing algorithm which indexes a dictionary within the Logical Image. This means that PyFlag will only index the occurance of keywords within the dictionary, and only these words can be searched. When PyFlag is installed, the keyword dictionary is empty, so any cases loaded will not produce any hits. To load a new dictionary use the load_dictionary.py script in the utilities directory:

~/pyflag$ pyflag_launch ./utilities/load_dictionary.py --help

This script loads a list of words into the pyflag
dictionary. These words will then be indexed during scanning.

  Usage: load_dictionary.py [options] dictionary.txt 

The dictionary is expected to have one word per line, for example

  andy
  andies
  andrews

Options:

  -c|--class    Specify a class for the words.  The default class is 'English'.
  -d|--drop     Drop old table before loading
  -r|--regex    Add entries as regular expressions rather than strings.
  -l|--literal  Add entries as string literals.
  -h|--help     Print help (this message)
  -v|--verbose  Be verbose

• See HowToInstall for more information.

How do I mount Encase images using the Linux loopback driver?

• PyFlag supports a large number of image file formats. This support is exported to the operating system by using the Fuse project (Filesystems in userspace). The exported filesystem allows the kernel to see the uncompressed, raw image from a wide variety of image file formats.

  • See [[Papers/PyFlagFuseHowTo]] for more details.

I have a problem with pyflag. Is there any support?

• There are many places to get support for PyFlag. The preferred method is via IRC on #pyflag on irc.freenode.org. This is preferred because its often very quick to just ask a question and get issues resolved.

• There are two mailing lists. You will need to be subscribed to these lists in order to post:

  1. A support list - pyflag-support@lists.sourceforge.net

  2. A development list - pyflag-devel@lists.sourceforge.net