PyFlag - An advanced network forensic framework
Source: Reed Elsevier
Network forensics refers to the forensic analysis of captured network traffic. PyFlag is a general purpose, open source forensic package which merges disk forensics, memory forensics and network forensics. This paper describes the PyFlag architecture and in particular how it is used in the network forensics context. It deals with the technical capabilities of an advanced network forensic system, and PyFlag is compared to current open source tools. In particular, we look at the components required to decode web mail: the stream reassembler, the HTTP dissector and finally HTML parsing. The rendering of HTML pages and web mails is further explored.

PyFlag was originally designed by the Australian Department of Defence and was later released under the GPL (Free Software Foundation, 2007) license. It was originally designed as a database driven analysis tool for digital forensics, but later gained an advanced network forensic capability. The virtual file system (VFS) is a central concept in PyFlag: it is essentially a tree-like structure which forms an arena for representing all objects within PyFlag. The network forensics modules comprise a number of functional components which operate together to achieve their goal. PyFlag is emerging as a capable platform for network forensic analysis, featuring advanced reconstruction of web pages for investigations, making network forensics a useful tool.
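The abstract names the three components that web mail decoding passes through (stream reassembler, HTTP dissector, HTML parser) and the VFS tree that holds the results. The following is an added illustration of that pipeline in miniature; it is not PyFlag's own code, and the function names, the dictionary-keyed VFS paths and the captured segments are all constructed for the example. It reassembles one direction of a TCP stream from out-of-order and retransmitted segments (refusing to continue over a gap rather than silently producing a corrupt stream), dissects the HTTP response, extracts visible text and links from the HTML body, and files every derived artefact under a path the way a tree-like VFS would expose it.

```python
"""Toy network-forensic pipeline: TCP reassembly -> HTTP dissection -> HTML
parsing -> VFS-style tree.  Added example, not PyFlag code."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple


# ---- Stage 1: stream reassembly ---------------------------------------------
def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Rebuild one direction of a TCP stream from (relative_seq, payload) pairs.
    Segments may arrive out of order or be retransmitted.  Bytes already seen
    are ignored (first copy wins); a hole in the sequence space is an error,
    because an analyst must know the stream is incomplete, not get a blend."""
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > len(stream):
            raise ValueError(f"gap at offset {len(stream)}, next segment at {seq}")
        stream += payload[len(stream) - seq:]  # append only the unseen tail
    return bytes(stream)


# ---- Stage 2: HTTP dissector ------------------------------------------------
def dissect_http(stream: bytes) -> Dict[str, object]:
    """Split an HTTP message into start line, lower-cased headers and body.
    The body is bounded by Content-Length so trailing junk is not swallowed,
    and a body shorter than declared is flagged as truncated."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(rest)))
    body = rest[:length]
    return {"start_line": lines[0], "headers": headers,
            "body": body, "truncated": len(body) < length}


# ---- Stage 3: HTML parser ---------------------------------------------------
class MailExtractor(HTMLParser):
    """Collect visible text and hyperlinks; script/style contents are skipped."""
    def __init__(self) -> None:
        super().__init__()
        self.text: List[str] = []
        self.links: List[str] = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())


# ---- Stage 4: VFS-style tree ------------------------------------------------
def build_vfs(segments: List[Tuple[int, bytes]], name: str = "stream1") -> Dict[str, object]:
    """Run the pipeline and expose each artefact under a path (hypothetical
    layout): /<name>/raw, /<name>/http/body, /<name>/http/body/text, ..."""
    vfs: Dict[str, object] = {}
    raw = reassemble(segments)
    vfs[f"/{name}/raw"] = raw
    http = dissect_http(raw)
    vfs[f"/{name}/http/headers"] = http["headers"]
    vfs[f"/{name}/http/body"] = http["body"]
    if str(http["headers"].get("content-type", "")).startswith("text/html"):
        p = MailExtractor()
        p.feed(http["body"].decode("utf-8", "replace"))
        vfs[f"/{name}/http/body/text"] = " ".join(p.text)
        vfs[f"/{name}/http/body/links"] = p.links
    return vfs


# ---- Constructed sample capture --------------------------------------------
BODY = b"<html><body><p>Hello</p><a href='inbox.html'>Inbox</a></body></html>"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(BODY) + BODY)


def _seg(a: int, b: int) -> Tuple[int, bytes]:
    return (a, RESPONSE[a:b])


# Response split at offsets 17/40/60, delivered out of order, second piece
# retransmitted (duplicate).  Constructed for the example.
SEGMENTS = [_seg(40, 60), _seg(0, 17), _seg(60, len(RESPONSE)),
            _seg(17, 40), _seg(17, 40)]

if __name__ == "__main__":
    for path, value in build_vfs(SEGMENTS).items():
        print(path, "->", value)
```

Each stage only sees the output of the one before it, so a reassembly failure (the gap case) stops the chain rather than feeding a mangled byte string into the HTTP and HTML layers; that separation is what lets a tool of this kind add new dissectors without touching the stream layer.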