Utilities
Although PyFlag is an integrated forensic suite, it is often more convenient to use single-purpose command line tools to perform certain tasks. These tools are distributed in the PyFlag Utilities folder. When PyFlag is installed, these scripts can be found in $prefix/share/pyflag/utilities/ (usually /usr/local/share/pyflag/utilities).
The tools need to be run through the pyflag_launch script, which sets up the environment variables PyFlag requires. For example:
$ pyflag_launch python utilities/whois.py -h
usage: whois.py [options] [ip_address]

This will resolve the ip address against the internal offline database loaded into pyflag.

options:
  -h, --help            show this help message and exit
  -f FILE, --file=FILE  A file to read addresses from (one per line)
The following pages describe some of the utilities in more detail:
- mergecap.py
MergeCap is a tool to merge multiple PCAP files.
- EventLogTool.py
EventLogTool is a tool to read Windows event log files.
- simple_carver.py
SimpleCarver is a simple SOF/EOF (start-of-file / end-of-file signature) carver.
- tcptrace.py
TcpTrace is a tool to combine and write out each TCP stream in a PCAP file.
- whois.py
WhoIs is an offline, stand alone whois resolution tool.
- whois_load.py
WhoisLoad is a tool to download and load the offline Whois databases.
- nsrl_load.py
NsrlLoad is a tool to load the NIST NSRL database into PyFlag.
- load_dictionary.py
load_dictionary.py is a tool to populate the keyword dictionary from a file of keywords.
- pyflag_fuse.py
PyFlagFuse is a FUSE filesystem for the PyFlag VFS. Mount the VFS into your OS!
- ubuntu_forensic_installer.sh
UbuntuForensicInstaller is a script to automate the installation of PyFlag in an Ubuntu Linux environment.
