Is anyone using the Windows version of PyFlag?
http://www.pyflag.net/cgi-bin/moin.cgi/PyFlagWindows
No one?
I've tried, and failed, to get PyFlag running on my machine, despite following the instructions on the Wiki, though I have to admit to not having spent a great deal of time trying to solve the problem.
I'd like to be able to get it running just out of interest, I always feel I'm missing out on something when I hear others talking about applications such as these.
Just tried now out of curiosity: it loads and installs, but the HTTP server window appears to get critical errors loading a certain set of modules.
Edit: I can now see stuff, but stuff without the modules above, which is a PITA, as I wanted to check out the MSN stuff.
I've tried a bit harder now, and got as far as Rich did initially, I can create a case but I can't add any evidence in.
What did you do to see 'stuff' Rich?
I was being a twonk and couldn't work out how to add the evidence either (it's not exactly intuitive!).
I've now put the EnCase images into the uploads folder, which is where it looks for them. So I created a case, clicked Load Disk Image, used the folder button and clicked on the E01, then gave it a "unique data load id"; next I chose Raw and a VFS mount point of /.
Judging by the HTTP server window, it parses through all the E01 files; however, trying to analyse it after that, it doesn't seem to be parsing the filesystem (it's only NTFS in this case). I might find a FAT image and give that a go in a minute, but it's probably me doing something wrong 😉
Edit 2: the Raw option appears to be just that and doesn't parse the FS; the Sleuthkit option appears to see files from the FAT one, but doesn't like the NTFS one.
Now to try to work out how to actually DO anything with the RAW info :P
Not having a huge amount of luck; I may give the Linux version a go some time, when REALLY bored :P
Hi,
I have succeeded.
Please read Rich2005's answer as well as my answer.
Load IO Data Source
Select IO Subsystem: EWF
Evidence Timezone: System
Copy your image files (.E01, .E02 … till the end of the file set) into,
for example, <pyflag\location>downloads\pyflag_win_0.87pre2.0\uploads\
Select EWF image: select the first .E01 file
Survey the partition table
(ICON) Enter partition offset (please click this icon symbol)
It will show a list of file system codes (FAT16, NTFS (for 3534363s), EXTx, etc.)
Unique Data Load ID: HARDDISK, then click Submit
Enter Filesystem type: RAW
VFS Mount Point: /
You've got it.
S.Babu
babusubrahmani@gmail.com
Is anyone using the Windows version of PyFlag?
http://www.pyflag.net/cgi-bin/moin.cgi/PyFlagWindows
Since I have access to Linux machines and already run TSK under Linux, I've never bothered with the Windows version. Also, from the site
There is now a very experimental port of PyFlag for windows.
I'd rather not have to explain to the court why "very experimental" wasn't a concern to me.
Sean,
Thanks. You're using TSK…how about PyFlag?
Harlan
I used it a while back (maybe six months or so). I haven't lately, because I moved to 64-bit architectures and PyFlag has a lot of issues compiling with the newer GCC/glibc and 64-bit Linux, and I haven't had time to look into fixing them.
I also, as a matter of curiosity, take old case images and run them through newer tools to see if I find things that I didn't find the first time.