[Vol-users] PyFlag Using the Volatility Framework!

AAron Walters awalters at 4tphi.net
Sat Jan 5 19:18:43 CST 2008

It was only a matter of time....

  In case you might have missed it during the holidays, the latest version 
of PyFlag now leverages the Volatility Framework to add volatile memory 
analysis to its outstanding list of capabilities.  As a result, PyFlag is 
the first and only tool publicly available that allows the 
digital investigator to correlate disk images, log files, network traffic, 
and RAM captures all within an intuitive interface. While the current 
functionality is still preliminary, just imagine the possibilities!

Since PyFlag loads memory images through its standard IO source interface, 
it is also now possible to store your memory images using the EWF format, 
commonly used in commercial tools. Once the memory image is uploaded to 
PyFlag, information can either be accessed through a browseable /proc 
interface or through the Stats view. Michael Cohen and his team have 
provided a tutorial and image to get you started:


As I mentioned in a previous post, a special thanks to Europol for 
bringing our teams together through the High Tech Crime Expert Meeting. 
I also want to thank Michael Cohen for the great work he has done with 
PyFlag and his contributions to Volatility!  Stay tuned for further 
exciting collaborations and future Volatility releases in 2008!


