[Vol-users] PyFlag Using the Volatility Framework!
awalters at 4tphi.net
Sat Jan 5 19:18:43 CST 2008
It was only a matter of time....
In case you might have missed it during the holidays, the latest version
of PyFlag now leverages the Volatility Framework to add volatile memory
analysis to its outstanding list of capabilities. As a result, PyFlag is
the first and only publicly available tool that allows the digital
investigator to correlate disk images, log files, network traffic, and RAM
captures all within an intuitive interface. While the current
functionality is still preliminary, just imagine the possibilities!
Since PyFlag loads memory images through its standard IO source interface,
it is also now possible to store your memory images using the EWF format,
commonly used in commercial tools. Once the memory image is uploaded to
PyFlag, information can be accessed either through a browsable /proc
interface or through the Stats view. Michael Cohen and his team have
provided a tutorial and image to get you started:
As I mentioned in a previous post, a special thanks to Europol for
bringing our teams together through the High Tech Crime Expert Meeting.
I also want to thank Michael Cohen for the great work he has done with
PyFlag and his contributions to Volatility! Stay tuned for further
exciting collaborations and future Volatility releases in 2008!