Incident Response using PyFlag - the Forensic and Log Analysis GUI presented at AUScert 2007

by Michael Cohen

Summary: FLAG (Forensic and Log Analysis GUI) is an advanced open source forensic tool for the analysis of large volumes of log files, forensic images and network captures.
PyFlag's features include the ability to load many different log file formats, to perform forensic analysis of disk images, and to analyse large network captures (such as those obtained with tcpdump) quickly and efficiently. PyFlag allows for advanced recursive searches: for example, a keyword may be found in a Word document embedded within a Zip file contained in an email attachment found within a PST file.
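The recursive search described above, as an added example that is not PyFlag's own code: a small Python scanner that descends through MIME parts and zip archives (standing in for the PST, email and Office containers PyFlag opens with its own loaders), reports the container path at which a keyword was found, and stops at a nesting limit so a maliciously nested archive cannot run it out of resources. The sample .eml, the MAX_DEPTH value and the "mime-version:" header heuristic are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_DEPTH = 8  # assumed limit: stop descending past this many container levels (nested-archive bombs)

def scan(data: bytes, keyword: bytes, path: str = "root", depth: int = 0):
    """Yield the container path of every leaf whose bytes hold keyword (case-insensitive)."""
    if depth > MAX_DEPTH:
        return  # refuse to unpack further; a real tool would flag this path for review
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                yield from scan(zf.read(name), keyword, f"{path}/zip:{name}", depth + 1)
        return
    if b"mime-version:" in data[:4096].lower():  # heuristic: RFC 822 headers near the start
        msg = message_from_bytes(data, policy=policy.default)
        for i, part in enumerate(msg.walk()):
            if part.is_multipart():
                continue  # multipart nodes are reached through their leaves
            label = part.get_filename() or part.get_content_type()
            payload = part.get_payload(decode=True) or b""
            yield from scan(payload, keyword, f"{path}/mime[{i}]:{label}", depth + 1)
        return
    if keyword.lower() in data.lower():
        yield path

def build_sample() -> bytes:
    """Constructed .eml: a zip attachment nesting a second zip that holds the text 'document'."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("report.txt", "Quarterly notes. Project CODENAME-ALPHA budget attached.")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("archive/inner.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.test", "bob@example.test", "files"
    msg.set_content("See attached.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="files.zip")
    return msg.as_bytes()

def nest_zip(payload: bytes, levels: int) -> bytes:
    """Wrap payload in `levels` nested zips; used to exercise the depth guard."""
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(f"level{i}.bin", payload)
        payload = buf.getvalue()
    return payload
```

Running `list(scan(build_sample(), b"codename-alpha"))` yields the single path `root/mime[2]:files.zip/zip:archive/inner.zip/zip:report.txt`, i.e. the attachment index, outer archive, inner archive and file in which the term was found.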
This tutorial will be hands-on. Delegates will work through a number of simple to advanced incident response and forensic scenarios, which include:
Analysis of forensic images to determine the source of an intrusion.
Analysis of network capture to obtain forensic evidence.
Analysis of large server log files to determine attack patterns.
The tutorial will focus on the scenarios most likely to be presented to an incident response team.