PyFLAG, one more tool for forensic analysis

March 29, 04 by admin

FLAG (Forensic and Log Analysis GUI, http://pyflag.sourceforge.net/) is a tool designed to make it easier to investigate large volumes of information during forensic analysis. To do this it uses a database as its back end: the evidence is loaded into the database, which gives simplified access to the data and lets the analyst query specific records without having to search through excessively large files.

Some of its main features are the following:

Disk Forensics

Supports NTFS, Ext2, FFS and FAT.
Supports many different image file formats, including sgzip (compressed image format), Encase's Expert Witness format, as well as the traditional dd files.
Advanced timelining which allows complex searching
NSRL hash support to quickly identify known files
Windows Registry support, including both the Win98 variant and the Windows NT variant
Unstructured Forensics capability allows recovery of files from corrupted or otherwise unmountable images by using file magic (header and footer signatures)

Network Forensics

Stores tcpdump traffic within an SQL database
Performs complete TCP stream reconstruction
Has a "knowledge base" that makes deductions about network communications
Can construct an automatic network diagram from a tcpdump capture or from live traffic

Log analysis

Allows arbitrary log file formats to be easily uploaded to the database
GUI-driven complex database searches using an advanced table GUI element
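To show what the "file magic" recovery and NSRL hash features listed above do in practice, here is an added example (not PyFLAG's own code): it scans a constructed raw dd-style image for known header/footer signatures, carves out each complete file without relying on a file system, and hashes the result the way a known-file lookup would. The signature table and the sample image are assumptions made up for the example.

```python
"""Signature-based file carving over a raw (dd-style) image (added example)."""
import hashlib

# Header/footer magic bytes for two common file types (assumed sample set).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, max_size=10 * 1024 * 1024):
    """Return (type, offset, data) for each header with a matching footer.

    The footer search is bounded by max_size so a stray header cannot swallow
    the rest of the image; a header with no footer in range is skipped.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:                      # truncated or bogus header
                pos = image.find(header, pos + 1)
                continue
            data = image[pos:end + len(footer)]
            found.append((kind, pos, data))
            pos = image.find(header, end + len(footer))
    return sorted(found, key=lambda hit: hit[1])   # order by offset


# Constructed sample "image": filler, a minimal JPEG, filler, a minimal PNG,
# filler, then a JPEG header with no footer (must not be carved).
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"\xff\xd8\xff\xe0JFIF-body\xff\xd9"
    + b"\x13\x37" * 32
    + b"\x89PNG\r\n\x1a\nIHDR-chunk-dataIEND\xaeB`\x82"
    + b"\x00" * 16
    + b"\xff\xd8\xff\xe1truncated"
)


def carve_sample():
    """Carve SAMPLE_IMAGE and MD5 each hit, as an NSRL-style lookup would."""
    return [(kind, off, len(data), hashlib.md5(data).hexdigest())
            for kind, off, data in carve(SAMPLE_IMAGE)]


if __name__ == "__main__":
    for kind, off, size, digest in carve_sample():
        print(f"{kind:5} offset={off:4} size={size:3} md5={digest}")
```

On a real image the carved hashes would be compared against the NSRL reference set to discard known-good files and focus on the rest.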
