PyFlag Tutorials

Introduction

PyFlag is an advanced forensic application with many features. Often new users find it difficult to comprehend the many features and ways of using PyFlag in real life contexts. These tutorials address this need and provide examples of how to use Flag in real life scenarios.

Although in real life it is rare to use all the features that PyFlag offers in the same case, these tutorials attempt to show off many of the features available. Often we do not necessarily arrive at the final conclusions in the quickest way, rather we show different features along the way which may be useful occasionally. Once users are accustomed to the different features and techniques, the most appropriate methodology for specific cases should become evident.

Accompanying these tutorials are a number of example files containing images, or log files. These pre-fabricated samples are not actual forensic evidence. The example files strike a balance between complexity (allowing users to really stress test PyFlag) and download size. We encourage users to employ these samples when evaluating other forensic products against PyFlag. We welcome constructive comments on improving PyFlag. Eventually we hope the sample images evolve to become a subjective metric used to measure performance of forensic tools in general.

Conventions

By convention terminal IO is marked as follows, with lines preceded by the bash prompt as command-lines, while other lines are marked as output::

 mic@dell:~/pyflag$ ./flag.sh
 Debug: Will attempt to load plugin '/home/mic/pyflag/pyflag/..//plugins/CaseManagement.py'
 Debug: Added pyflag.Reports.report 'Case management:DelCase'
 Debug: Added pyflag.Reports.report 'Case management:NewCase'
 Debug: Added pyflag.Reports.report 'Case management:ResetCase'
 ...
 Debug: Added pyflag.pyflagsh.command 'BasicCommands:pwd'
 Debug: Added pyflag.pyflagsh.command 'BasicCommands:reset'
 Debug: Added pyflag.pyflagsh.command 'BasicCommands:set'
 Serving HTTP on 0.0.0.0 port 8000 ...

Paths

The author has installed pyflag from source. More details of installation can be seen in HowToInstall.

The configured upload directory is /var/tmp/demo/. The upload directory is the directory where all images and log files must reside in order for PyFlag to load them.

Tutorials

The following tutorials are currently available:

• LogAnalysisTutorial

• DiskForensicsTutorial

• MemoryForensicsTutorial

• The TableWidget

• Using PyFlash

• The Auscert2007 Tutorial

• The solutions to the DFRWS 2008

Howtos

Howtos are short documents that cover specific tasks:

• HOWTO compile from source

• HOWTO load standard test images

• load standard PCAP file

• Distributing PyFlag

• HOWTO do offline whois lookups

• HOWTO use the GeoIP db - from http://www.maxmind.com/app/geolitecity

• HOWTO install pyflag on OSX

• Howto integrate PyFlag with Apache for SSL support

• Howto export HTML rendered pages from Internet Explorer Cache

• Howto load a Raid set into PyFlag