FLAG - Forensic and Log Analysis GUI
FLAG was designed to simplify the process of log file analysis and forensic investigations. Often, when investigating a large case, a great deal of data needs to be analysed and correlated. FLAG uses a database as a backend to assist in managing the large volumes of data. This allows FLAG to remain responsive and expedites data manipulation operations.
Since FLAG is web based, it can be deployed on a central server and shared with a number of users at the same time. Data is loaded into cases, which keeps the information of each investigation separate. FLAG also has a system for reporting the findings of the analysis that makes extensive use of bookmarks.
FLAG has a number of areas of interest:
Log analysis
FLAG supports generic firewall logs. The user is able to collect statistics about the log and search for suspicious activity. FLAG also analyses web logs, reporting statistics such as the most commonly requested URLs. FLAG lets the user define simple data manipulations so that any firewall or web log, even a customised log format, can be imported.
Network Forensics
FLAG includes a modified copy of Ethereal which inserts information about dissected packets into the database. FLAG is then able to use this to collect statistics about a tcpdump file, and to use the dissected information to construct a knowledge base of the different entities on the network. This knowledge base can then be used to construct a network diagram of the local segment deduced from the tcpdump file, giving a pictorial representation of the traffic.
Disk Forensics
FLAG uses the SleuthKit tool from www.sleuthkit.org to analyse dd images. By putting inode information in the database it is possible to cross-correlate file properties, and simplify the forensic analysis process.
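The database-backed cross-correlation described above, as an added example that is not part of FLAG's own code: constructed SleuthKit body-format lines (the format `fls -m` writes) are loaded into an in-memory SQLite table, and two correlation queries are run over the inode metadata.

```python
import sqlite3

# Constructed sample lines in The Sleuth Kit "body" format (what `fls -m` emits):
# MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime  (times in epoch seconds)
SAMPLE_BODY = """\
0|/etc/passwd|1201|r/rrw-r--r--|0|0|1820|1100000100|1099990000|1099990000|1099990000
0|/bin/sh|1305|r/rrwxr-xr-x|0|0|120000|1100003000|1100003000|1100003000|1099000000
0|/tmp/.x/suspicious (deleted)|5678|r/rrwxr-xr-x|0|0|40960|1100005000|1100005000|1100005000|1100005000
0|/home/alice/notes.txt|9012|r/rrw-r--r--|1000|1000|512|1100001000|1100001000|1100001000|1100001000
0|/usr/bin/ls|3456|r/rrwxr-xr-x|0|0|90000|1100004500|1000000000|1100004500|1100004500
"""

def load_body(db, text):
    """Insert body-format lines into an inode table, the way FLAG stages
    SleuthKit output in its database backend."""
    db.execute("""CREATE TABLE IF NOT EXISTS inode (
        path TEXT, inode INTEGER, mode TEXT, uid INTEGER, gid INTEGER,
        size INTEGER, atime INTEGER, mtime INTEGER, ctime INTEGER,
        crtime INTEGER, deleted INTEGER)""")
    for line in text.splitlines():
        f = line.split("|")
        if len(f) != 11:
            continue  # tolerate a malformed line instead of aborting the import
        deleted = f[1].endswith(" (deleted)")
        path = f[1][:-len(" (deleted)")] if deleted else f[1]
        db.execute("INSERT INTO inode VALUES (?,?,?,?,?,?,?,?,?,?,?)",
                   (path, int(f[2]), f[3], int(f[4]), int(f[5]), int(f[6]),
                    int(f[7]), int(f[8]), int(f[9]), int(f[10]), int(deleted)))

def build_db(text=SAMPLE_BODY):
    """In-memory database loaded with the (constructed) sample body file."""
    db = sqlite3.connect(":memory:")
    load_body(db, text)
    return db

def recent_root_executables(db, since):
    """Correlate owner, mode and mtime: root-owned files with the owner execute
    bit set that were modified after `since`; deleted entries are kept so a
    removed file still shows up. Returns (path, inode, deleted) tuples."""
    return db.execute("""SELECT path, inode, deleted FROM inode
        WHERE uid = 0 AND substr(mode, 6, 1) = 'x' AND mtime > ?
        ORDER BY mtime""", (since,)).fetchall()

def timestamp_anomalies(db):
    """Paths whose modification time precedes their creation time, which
    ordinary file activity does not produce."""
    return [row[0] for row in
            db.execute("SELECT path FROM inode WHERE mtime < crtime ORDER BY path")]

if __name__ == "__main__":
    db = build_db()
    for path, ino, deleted in recent_root_executables(db, 1100000000):
        print(path, ino, "deleted" if deleted else "")
    print(timestamp_anomalies(db))
```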
Licence
FLAG is released under the GPL licence with no warranty whatsoever.
Downloads & what's new
For the latest information on what's new with regard to the software and to download the latest version please go to http://pyflag.sourceforge.net
Any enquiries about FLAG should be directed to: pyflag-support@sourceforge.net