# FLASH: The flag shell

PyFlag has a great GUI which allows quick navigation of the results of forensic analysis. However, any forensic practitioner knows that forensics is a slow process on any hardware. With typical hard disk image sizes increasing exponentially, many forensic investigations take a long time to proceed. Users of PyFlag may have noticed that PyFlag caches the results of analysis, so it only needs to perform the analysis once. Subsequent navigation of reports loads the cached version, making the navigation phase very quick. The analysis phase, on the other hand, does take some time.

One of the strengths of PyFlag is that the user interface (the UI) is abstracted from the program. In other words, how the user interacts with the software can be changed without altering the main body of code very much. This opens the door to a variety of different GUI options. So far we have been introduced to the HTML GUI, which is the main web front end and currently the most functional for certain tasks.

The command line interface (CLI) has been a central concept in Unix for decades. Although many new users fear the CLI, claiming it is less intuitive and more difficult to use than a GUI, the CLI has stuck around and is not going anywhere. The reason is that the CLI is more powerful in certain circumstances, and it allows batching or scripting. PyFlag allows users to use either interface interchangeably, so users who are not comfortable with the CLI can still use the GUI.

## Flash commands

Flash can be started from the main PyFlag directory by typing ./flash:

```
mic@debian:~/pyflag$ ./flash
Welcome to the Flag shell. Type help for help
Flag Shell: />help
PyFlag shell allows direct access to the filesystems. Command line expansion is supported.
The following commands are defined, type help command to find out more:
['load', 'execute', 'set', 'help', 'less', 'cd', 'pwd', 'exit', 'ls', 'command', 'cp', 'istat']
Flag Shell: />help load
load case.iosource: loads the iosource within case into the shell.
```
## The Virtual Filesystem

Imagine performing a forensic investigation: you went on site and imaged a hard disk using sgzip to conserve space, knowing that PyFlag can easily work off that. You took the evidence back to the lab and successfully used PyFlag to locate a directory with some interesting Word documents. You want to extract those files as evidence, but there are several hundred such documents in the same directory, mixed with other files of different extensions. The problem is that extracting them through the GUI takes too long, because each file must be navigated to, opened and saved. For those who use Linux for forensic analysis, it would be nice to mount the image on a directory and simply issue one big copy command. However, Linux will not mount an sgzipped file.

The flash virtual file system is what is really needed in this case. After the filesystem is loaded into PyFlag (either through the GUI or a script), we can simply load it into flash (the flag shell) and navigate it as normal. Consider the following session:

```
mic@debian:~/pyflag$ ./flash
Welcome to the Flag shell. Type help for help
Flag Shell: />load honey.usr
Set file to read from as /var/tmp/flag/upload/honeypot.hda5.dd.sgz
Loaded Filesystem tag usr in case honey
Flag Shell: />pwd
Current directory is /
Flag Shell: />ls -l
d/d 11 lost+found
d/d 30785 doc
d/d 92353 lib
....
Flag Shell: />cd man/.Ci/
current working directory /man/.Ci/
Flag Shell: /man/.Ci/>cp * /tmp/evidence/
Copied /man/.Ci/ssh-1.2.27 in image to /tmp/evidence/ssh-1.2.27 on host
Copied /man/.Ci/named.tar in image to /tmp/evidence/named.tar on host
....
Flag Shell: />exit
Bibi Then - Have a nice day.
```

As the session shows, this is the perfect solution for scripting automated tasks. First the virtual filesystem is loaded into flash. Once that happens it is possible to navigate the filesystem as though it were actually mounted at the root of flash ("/"). We can cd to different directories, and we can even use shell globbing to copy many files at once. Note the command cp * /tmp/evidence/: here we copy many files at once by using a wildcard, into the directory /tmp/evidence/ on our host (i.e. not in the image). Note that this will also extract deleted files where possible, so expect the copied set to include files that a normal mount of the same directory would not show.

## Flash Scripts

Sometimes forensic investigations are time consuming: much work needs to be done before real evidence is forthcoming. For example, the author likes to go through similar steps whenever getting a new hard disk image:
And then this process must be repeated for every drive found (some jobs have lots of drives!). This process is very time consuming, and can take many hours to complete even on state of the art hardware. The solution is to script the whole process and leave it to run on its own. The analyst then only needs to look at the case once all the time consuming tasks have been done automatically, and add the human element to the task.

All reports in PyFlag are broken down into a number of methods. The two most interesting methods in this context are the analysis method and the display method. The analysis method typically performs time consuming tasks, building a cache of results for future display methods. The display methods, on the other hand, simply format the results for users to navigate through. The result of this design is that analysis methods contain all the time consuming analysis code, which once run, is cached by PyFlag. Once an analysis method has been run for a certain report, the user may issue subsequent display method calls to navigate through the information very quickly. Flash allows the execution of the analysis methods in a scripted fashion, or from within the shell. This is achieved by the execute command:
```
Flag Shell: /man/.Ci/>help execute
This command executes a flag report giving it the arguments given.
The general format of this command is:
```
In order to figure out what arguments are required for each report, users can use the GUI to perform the analysis and then copy the URL from the browser. For example, loading a filesystem in the browser produces a URL like this:

```
http://127.0.0.1:8000/f?case=blah&iosource=cdrom&report=LoadFS&family=LoadData&fstype=mounted
```

The family and report parameters name the report to execute, and every other parameter becomes a key=value argument. Therefore, in this example, the following command line is required in flash:

```
Flag Shell: />execute LoadData.LoadFS case=blah fstype=mounted iosource=cdrom
Execution of LoadData.LoadFS successful
```

This process can be written in a script. Scripts can have variables which are interpolated into them after asking the user a question. For example, the "examples/" directory has a flash script for performing an initial analysis of a drive. Scripts are loaded by flash and variables are interpolated, for example:

```
mic@debian:~/pyflag$ ./flash -c examples/load_new_file.flash
Welcome to the Flag shell. Type help for help
Please enter a value for case: honey
Please enter a value for io source: user_partition
Please enter a value for sgziped filename: /var/tmp/flag/upload/honeypot.hda5.dd.sgz
Please enter a value for filesystem type: linux-ext2
....
```

As can be seen, flash asks the user some questions and then launches into performing all the time consuming analysis tasks. Although flash does not support a complete scripting language, this much is already very useful.
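Translating a browser URL into an execute line by hand is error-prone once you are collecting a dozen reports for a script. The following is an added example, my own code and not part of PyFlag, that performs the translation using the mapping the page shows: the family and report query parameters become family.report, and every other parameter becomes a key=value argument (emitted in sorted order, which is also the order the page's own example uses). It refuses values containing whitespace, because the page does not say how flash quotes such values; that refusal, and the helper names url_to_execute and urls_to_script, are assumptions of this example.

```python
"""Convert PyFlag GUI report URLs into flash `execute` lines.

Added example: this is not PyFlag code. It assumes the mapping the page
demonstrates: the `family` and `report` query parameters become
`family.report`, and every other parameter becomes a `key=value` argument.
"""
from urllib.parse import parse_qsl, urlsplit


def url_to_execute(url):
    """Return the flash command line equivalent to a PyFlag report URL.

    Raises ValueError if the URL carries no family/report pair, or if an
    argument contains whitespace: the page does not say how flash quotes
    such values, so this example refuses rather than guesses.
    """
    # parse_qsl percent-decodes values, so case=my%20case becomes "my case".
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    family = report = None
    args = []
    for key, value in params:
        if key == "family":
            family = value
        elif key == "report":
            report = value
        else:
            args.append((key, value))
    if not family or not report:
        raise ValueError("no family/report in URL: %s" % url)
    for key, value in args:
        if any(c.isspace() for c in key + value):
            raise ValueError("cannot pass %s=%r to flash unquoted" % (key, value))
    # Sort the remaining arguments so the output does not depend on the
    # order in which the browser happened to emit them.
    parts = ["%s.%s" % (family, report)]
    parts += ["%s=%s" % (key, value) for key, value in sorted(args)]
    return "execute " + " ".join(parts)


def urls_to_script(urls):
    """One execute line per URL, in the order given, ready for a flash session."""
    return "\n".join(url_to_execute(url) for url in urls)


if __name__ == "__main__":
    # Constructed sample: the LoadFS URL quoted on this page.
    sample = ("http://127.0.0.1:8000/f?case=blah&iosource=cdrom"
              "&report=LoadFS&family=LoadData&fstype=mounted")
    print(url_to_execute(sample))
    # expected: execute LoadData.LoadFS case=blah fstype=mounted iosource=cdrom
```

Run it with a list of URLs copied from the browser, in the order the reports depend on each other (LoadFS before anything that needs the filesystem), and paste the output into a flash session; a URL that lacks family or report, or that carries a value with spaces, stops the run instead of producing a line that flash would misparse.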