FLAG screenshots
These are some screenshots exhibiting some of the different features of FLAG.
Network Forensics
- Listening ports: shows all listening TCP ports within the data capture.
- Connections to a specific port: allows the user to navigate through all connections to a specific port. In this case port 80 is examined to see web traffic.
- The user can then dump the data within the reassembled connection simply by clicking it.
- The user may also examine all interesting connections from the dump file at once. In this case the user is able to browse all URLs accessed within the dump.
- Knowledge base: FLAG builds a knowledge base of entities. It is then possible for the user to infer what services are running on machines, which users are using those machines, etc.
Disk Forensics
- Browse the Windows registry offline.
- Browse files from dd images. The user is also able to see deleted files and inode information.
- Hash database: compare MD5 hashes of files on the dd image with a hash database (e.g. NSRL). In this example, it is possible to identify which RPM versions are installed by matching against the hash database.
- MAC time: FLAG can calculate the MAC times of files from the dd image. Advanced searching techniques can then be used to analyse them quickly. The example shows the MAC time table from the Honeynet forensic challenge, showing deleted files.
- Unstructured forensics: FLAG is able to extract known file types from unstructured dd images (e.g. filesystems that have been quick formatted, repartitioned disks, etc.). In this example, FLAG extracts images from a dd image.
Any enquiries about FLAG should be directed to: enquiries@dsd.gov.au