PyFlag Manual

FLAG (Forensic and Log Analysis GUI) is a tool designed to simplify the examination of forensic evidence in the form of hard disk images, logs and network captures. This manual documents some of the basic aspects of FLAG, but is by no means complete. Complete API documentation, produced by epydoc, is in the docs directory; it is intended for developers who wish to contribute to PyFlag development.

Overview

The general PyFlag architecture is shown below.

[Figure: Pyflag_data_flow.png, the PyFlag data flow]

The following are the main components of PyFlag:

  • IO Sources: Forensic data is often available in a variety of different formats. The IO Source is an abstraction that allows PyFlag to handle arbitrary input file types by using different drivers to present a consistent and uniform logical view of the data.
  • The FileSystem Loader: Forensic images contain a variety of different filesystems. The FileSystem driver allows PyFlag to support different filesystem formats. The FileSystem driver is responsible for initially populating the VFS with a listing of the files found in the filesystem under investigation.
  • The Virtual File System: PyFlag uses the original Unix idea that "everything is a file". The VFS is the main arena for presenting information to users. Files in the VFS do not necessarily exist in the image; they may represent information which has been deduced about the filesystem.
  • Scanners: Scanning is a process that passes all files in a certain directory through one or more scanners. A scanner is a component which studies the files being scanned and collects information about them. This may include adding new files to the VFS, which can in turn be scanned again.
  • The GUI and table widget: The GUI provides a mechanism for examining the results of the scanners and for navigating the VFS. A Report is a limited set of functionality which provides access to specialised data collected by scanners.
  • Scripting and automation: It is great to be able to use the GUI to examine the data, but often we want to automate certain tasks so they can be done more efficiently. This section covers Flash (the Flag Shell).
  • Network Forensics: This section describes the network forensics module of PyFlag.
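The data flow described by the components above, as an added toy model written for this manual page; it is not PyFlag's own code and none of the class or function names below are PyFlag APIs. It assumes a constructed image format (a text directory followed by file bodies) and shows the three points the list makes: an IO Source driver presents the same read(offset, length) view whether the image is one raw file or split into segments, the FileSystem loader populates the VFS from the image, and a scanner can add deduced files to the VFS (here, inflated gzip members) which are then scanned again, so a doubly wrapped gzip yields two levels of deduced files.

```python
import gzip
import hashlib


class IOSource:
    """Uniform logical view of the evidence: read(offset, length) whatever the storage layout."""

    def size(self):
        raise NotImplementedError

    def read(self, offset, length):
        raise NotImplementedError


class RawIOSource(IOSource):
    """One contiguous image (stands in for a dd-style raw file, held in memory here)."""

    def __init__(self, data):
        self._data = data

    def size(self):
        return len(self._data)

    def read(self, offset, length):
        return self._data[offset:offset + length]


class SplitIOSource(IOSource):
    """The same image split into segments (like .001/.002 files); reads may span segments."""

    def __init__(self, chunks):
        self._chunks = list(chunks)
        self._starts, pos = [], 0
        for chunk in self._chunks:
            self._starts.append(pos)
            pos += len(chunk)
        self._size = pos

    def size(self):
        return self._size

    def read(self, offset, length):
        end = min(offset + length, self._size)
        out = bytearray()
        for start, chunk in zip(self._starts, self._chunks):
            if start >= end or start + len(chunk) <= offset:
                continue  # segment lies entirely outside the requested range
            out += chunk[max(offset, start) - start:min(end, start + len(chunk)) - start]
        return bytes(out)


class VFSNode:
    """A VFS entry: image-resident (reader pulls from an IOSource) or deduced by a scanner."""

    def __init__(self, path, reader, deduced=False):
        self.path, self._reader, self.deduced, self.info = path, reader, deduced, {}

    def data(self):
        return self._reader()


class VFS:
    def __init__(self):
        self.nodes = {}

    def add(self, node):
        self.nodes[node.path] = node
        return node

    def paths(self):
        return sorted(self.nodes)


def build_image(files):
    """Constructed toy image format (not a real filesystem): 'name,offset,length' lines,
    a blank line, then the file bodies back to back. Offsets are relative to the body."""
    body, lines = b"", []
    for name, content in files:
        lines.append(f"{name},{len(body)},{len(content)}")
        body += content
    return "\n".join(lines).encode() + b"\n\n" + body


def load_filesystem(src, vfs):
    """FileSystem loader for the toy format: populate the VFS with lazily read image files."""
    raw = src.read(0, src.size())
    header_len = raw.index(b"\n\n") + 2
    for line in raw[:header_len].decode().split():
        name, off, ln = line.split(",")
        start = header_len + int(off)
        vfs.add(VFSNode("/" + name, lambda s=start, n=int(ln): src.read(s, n)))


class HashScanner:
    """Records a SHA-256 for every file; adds nothing to the VFS."""

    def scan(self, node, vfs):
        node.info["sha256"] = hashlib.sha256(node.data()).hexdigest()
        return []


class GzipScanner:
    """Inflates gzip members and adds the result as a deduced VFS child, which is scanned again."""

    def scan(self, node, vfs):
        data = node.data()
        if not data.startswith(b"\x1f\x8b"):
            return []
        inflated = gzip.decompress(data)
        return [vfs.add(VFSNode(node.path + "/uncompressed", lambda d=inflated: d, deduced=True))]


def run_scanners(vfs, scanners):
    """Pass every VFS file through each scanner; files a scanner adds join the queue."""
    queue = [vfs.nodes[p] for p in vfs.paths()]
    scanned = 0
    while queue:
        node = queue.pop(0)
        for scanner in scanners:
            queue.extend(scanner.scan(node, vfs))
        scanned += 1
    return scanned


def investigate(src, scanners=(HashScanner(), GzipScanner())):
    vfs = VFS()
    load_filesystem(src, vfs)
    vfs.scanned = run_scanners(vfs, scanners)
    return vfs


# Constructed sample evidence: a plain file, a gzip file, and a doubly wrapped gzip file.
SAMPLE_FILES = [
    ("notes.txt", b"hello world"),
    ("log.gz", gzip.compress(b"login failed for root", mtime=0)),
    ("nested.gz", gzip.compress(gzip.compress(b"double wrapped", mtime=0), mtime=0)),
]
IMAGE = build_image(SAMPLE_FILES)
SEGMENTS = [IMAGE[i:i + 7] for i in range(0, len(IMAGE), 7)]  # split into 7-byte segments

if __name__ == "__main__":
    result = investigate(SplitIOSource(SEGMENTS))
    for path in result.paths():
        node = result.nodes[path]
        print(f"{path:40} deduced={node.deduced!s:5} sha256={node.info['sha256'][:12]}")
```

Running the block lists six VFS entries from three image files: the three originals plus /log.gz/uncompressed, /nested.gz/uncompressed and /nested.gz/uncompressed/uncompressed, the last two produced by rescanning a file that a scanner itself added. The same listing and hashes come out whether the evidence is opened through RawIOSource or SplitIOSource, which is the property the IO Source abstraction exists to provide.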