Dr. Michael Cohen, the creator of PyFlag, has released a version of his forensic analysis tool for Windows! While more of an experimental tool or framework, PyFlag is provides an analyst with significant capabilities for analyzing disk images (EWF or raw formats), packet captures/pcap files, and log files.
PyFlag has also incorporated the Volatility Framework for memory dump analysis, as well. In fact, to see this capability in action, check out this DFRWS 2008 Forensic Challenge submission, from Michael, A. Walters, and D. J. Collett. If you're thinking about using PyFlag, be sure to read through the PDF to pick up some of the nuances and interesting features of PyFlag.
There are number of images available on the web, but Michael also provides some here. There are others (here, and here), so there's no shortage of stuff to use as test data to get the feel for WinPyFlag.
Be sure to thoroughly read the list of dependencies that apply to PyFlag for Windows (WinPyFlag??) and follow the prerequisites closely. If you do, you shouldn't have any trouble setting PyFlag up and getting running.
This is great news for all you Windows lame-o's. ;-)
ReplyDelete