The State of the Art in Digital Forensics - Advances in Computers

Information Technology Reference

In-Depth Information

4 . 2

F u r t h e r D e v e l o p m e n t s : I R I t a l y V e r s i o n 2

The IRItaly Project has already begun work on two fundamental tasks for the

resolution of several of the issues illustrated in this chapter. The first regards the

release of a new version of the CD-ROM, which will contain a full implementation

of Python FLAG.

According to the Project Documentation, FLAG was designed to simplify the

process of log file analysis and forensic investigations. Often, when investigating

a large case, a great deal of data needs to be analyzed and correlated. FLAG uses a

database as a backend to assist in managing the large volumes of data. This allows

FLAG to remain responsive and expedite data manipulation operations.

Since FLAG is web based, it is able to be deployed on a central server and shared

with a number of users at the same time. Data is loaded into cases which keeps

information separated. FLAG also has a system for reporting the findings of the

analysis by extensively using bookmarks.

FLAG started off as a project in the Australian Department of Defence. It is now

hosted on sourceforge. PyFlag is the Python implementation of FLAG—a complete

rewrite of FLAG in the much more robust python programming language. Many

additional improvements were made. Some of the most obvious features are:

Disk Forensics

◦ Supports NTFS, Ext2, FFS and FAT.

◦ Supports many different image file formats, including sgzip (compressed im-

age format), Encase's Expert Witness format, as well as the traditional dd

files.

◦ Advanced timelining which allows complex searching.

◦ NSRL hash support to quickly identify files.

◦ Windows Registry support, includes both win98 variant as well as the Win-

dow NT variant.

◦ Unstructure Forensics capability allows recovery of files from corrupted or

otherwise unmountable images by using file magic.

Network Forensics

◦ Stores tcpdump traffic within an SQL database.

◦ Performs complete TCP stream reconstruction.

◦ Has a “knowledge base” making deductions about network communications.

◦ Can construct an automatic network diagram based on TCPDump, or real

time.

Search WWH ::

Custom Search

Home