├── .gitignore ├── AUTHORS ├── CONTRIBUTING ├── COPYING ├── ChangeLog ├── INSTALL ├── Makefile.am ├── NEWS ├── README ├── TODO ├── USAGE ├── autogen.sh ├── config ├── Makefile.rules └── acinclude.m4 ├── configure.ac ├── data ├── magic ├── magic.mime └── regkeys.txt ├── debian ├── Makefile.am ├── README.Debian ├── changelog ├── compat ├── control ├── copyright ├── dirs ├── docs ├── pyflag-doc.docs ├── pyflag-doc.install ├── pyflag.doc-base.EX └── rules ├── docs ├── Dictionary-HOWTO.txt ├── README └── benchmark.txt ├── examples ├── extract_images.py ├── load_new_file.flash ├── load_new_pcap_file.flash ├── pcap.flash_load ├── pcap.flash_scan ├── pyflag_copy_and_process.py └── reset_case.flash ├── gendoc.sh ├── images ├── .gif ├── add.png ├── ajax_ui.css ├── annotate.png ├── arrow_left_grey.gif ├── arrow_right_grey.gif ├── back.png ├── balloon.png ├── broken.png ├── browse.png ├── button_delete.xpm ├── clear_filter.png ├── clock.png ├── corner.png ├── cornerplus.png ├── decrement.png ├── defence.png ├── delete.png ├── down.png ├── edit.png ├── examine.png ├── favicon.ico ├── file-selection.png ├── fileopen.png ├── filesave.png ├── filter.png ├── find.png ├── flag.png ├── flags │ ├── 00.gif │ ├── ad.gif │ ├── ae.gif │ ├── af.gif │ ├── ag.gif │ ├── ai.gif │ ├── al.gif │ ├── am.gif │ ├── an.gif │ ├── ao.gif │ ├── aq.gif │ ├── ar.gif │ ├── as.gif │ ├── at.gif │ ├── au.gif │ ├── aw.gif │ ├── az.gif │ ├── ba.gif │ ├── bb.gif │ ├── bd.gif │ ├── be.gif │ ├── bf.gif │ ├── bg.gif │ ├── bh.gif │ ├── bi.gif │ ├── bj.gif │ ├── bm.gif │ ├── bn.gif │ ├── bo.gif │ ├── br.gif │ ├── bs.gif │ ├── bt.gif │ ├── bv.gif │ ├── bw.gif │ ├── by.gif │ ├── bz.gif │ ├── ca.gif │ ├── cc.gif │ ├── cd.gif │ ├── cf.gif │ ├── cg.gif │ ├── ch.gif │ ├── ci.gif │ ├── ck.gif │ ├── cl.gif │ ├── cm.gif │ ├── cn.gif │ ├── co.gif │ ├── com.gif │ ├── cr.gif │ ├── cu.gif │ ├── cv.gif │ ├── cx.gif │ ├── cy.gif │ ├── cz.gif │ ├── de.gif │ ├── dj.gif │ ├── dk.gif │ ├── dm.gif │ ├── do.gif │ ├── dz.gif │ ├── ec.gif 
│ ├── edu.gif │ ├── ee.gif │ ├── eg.gif │ ├── eh.gif │ ├── es.gif │ ├── et.gif │ ├── eu.gif │ ├── fi.gif │ ├── fj.gif │ ├── fk.gif │ ├── fm.gif │ ├── fo.gif │ ├── fr.gif │ ├── fx.gif │ ├── ga.gif │ ├── gb.gif │ ├── gd.gif │ ├── ge.gif │ ├── gf.gif │ ├── gh.gif │ ├── gi.gif │ ├── gl.gif │ ├── gm.gif │ ├── gn.gif │ ├── gov.gif │ ├── gp.gif │ ├── gq.gif │ ├── gr.gif │ ├── gt.gif │ ├── gu.gif │ ├── gw.gif │ ├── gy.gif │ ├── hk.gif │ ├── hm.gif │ ├── hn.gif │ ├── hr.gif │ ├── ht.gif │ ├── hu.gif │ ├── id.gif │ ├── ie.gif │ ├── il.gif │ ├── in.gif │ ├── int.gif │ ├── io.gif │ ├── iq.gif │ ├── ir.gif │ ├── is.gif │ ├── it.gif │ ├── jm.gif │ ├── jo.gif │ ├── jp.gif │ ├── ke.gif │ ├── kg.gif │ ├── kh.gif │ ├── ki.gif │ ├── km.gif │ ├── kn.gif │ ├── kp.gif │ ├── kr.gif │ ├── kw.gif │ ├── ky.gif │ ├── kz.gif │ ├── la.gif │ ├── lb.gif │ ├── lc.gif │ ├── li.gif │ ├── lk.gif │ ├── lr.gif │ ├── ls.gif │ ├── lt.gif │ ├── lu.gif │ ├── lv.gif │ ├── ly.gif │ ├── ma.gif │ ├── mc.gif │ ├── md.gif │ ├── mil.gif │ ├── mk.gif │ ├── ml.gif │ ├── mn.gif │ ├── mo.gif │ ├── mq.gif │ ├── mr.gif │ ├── mt.gif │ ├── mu.gif │ ├── mx.gif │ ├── my.gif │ ├── mz.gif │ ├── na.gif │ ├── ne.gif │ ├── net.gif │ ├── ng.gif │ ├── ni.gif │ ├── nl.gif │ ├── no.gif │ ├── np.gif │ ├── nu.gif │ ├── nz.gif │ ├── om.gif │ ├── org.gif │ ├── pa.gif │ ├── pe.gif │ ├── pf.gif │ ├── pg.gif │ ├── ph.gif │ ├── pk.gif │ ├── pl.gif │ ├── pr.gif │ ├── ps.gif │ ├── pt.gif │ ├── py.gif │ ├── qa.gif │ ├── ro.gif │ ├── ru.gif │ ├── rw.gif │ ├── sa.gif │ ├── sb.gif │ ├── sd.gif │ ├── se.gif │ ├── sg.gif │ ├── si.gif │ ├── sk.gif │ ├── sm.gif │ ├── sn.gif │ ├── su.gif │ ├── sv.gif │ ├── sy.gif │ ├── sz.gif │ ├── tc.gif │ ├── td.gif │ ├── tf.gif │ ├── tg.gif │ ├── th.gif │ ├── tj.gif │ ├── tk.gif │ ├── tm.gif │ ├── tn.gif │ ├── to.gif │ ├── tr.gif │ ├── tt.gif │ ├── tw.gif │ ├── tz.gif │ ├── ua.gif │ ├── uk.gif │ ├── us.gif │ ├── uy.gif │ ├── uz.gif │ ├── va.gif │ ├── vc.gif │ ├── ve.gif │ ├── vg.gif │ ├── vi.gif │ ├── vn.gif │ 
├── wf.gif │ ├── ws.gif │ ├── ye.gif │ ├── yu.gif │ ├── za.gif │ ├── ze.gif │ ├── zm.gif │ └── zw.gif ├── floppy.png ├── folder.png ├── forward.png ├── fullscreen.png ├── g_back.png ├── g_forward.png ├── glasses.png ├── greenbarfill.gif ├── greenbarleft.gif ├── greenbarrgt.gif ├── group.png ├── help.png ├── home.png ├── home_grey.png ├── html_render.css ├── increment.png ├── insert.png ├── logo.png ├── metbarend.gif ├── metbarfill.gif ├── metbarleft.gif ├── msoffice.png ├── new_preset.png ├── next_line.png ├── no.png ├── nosearch.png ├── page.png ├── pdf.png ├── pen.png ├── pie.png ├── print.css ├── printer.png ├── pyflag.css ├── pyflag.png ├── pyflag_logo.png ├── question.png ├── realloc.png ├── red-plus.png ├── refresh.png ├── reset.png ├── reset_grey.png ├── search.png ├── sidebarleft.gif ├── sidebarrgt.gif ├── soriaMenuBg.gif ├── spacer.gif ├── spacer.png ├── spanner.png ├── sql.png ├── stock_down-with-subpoints.png ├── stock_first.png ├── stock_first_gray.png ├── stock_home.png ├── stock_last.png ├── stock_last_gray.png ├── stock_left.png ├── stock_left_gray.png ├── stock_next-page.png ├── stock_previous-page.png ├── stock_right.png ├── stock_right_gray.png ├── stock_timer.png ├── stop.png ├── tab_left.gif ├── tab_top_right.gif ├── toolbar-bg.gif ├── topfill.jpg ├── treenode_blank.gif ├── treenode_expand_minus.gif ├── treenode_expand_plus.gif ├── treenode_grid_l.gif ├── treenode_grid_t.gif ├── treenode_grid_v.gif ├── unknown.png ├── up.png ├── vfs.png ├── view.png ├── whois.png └── yes.png ├── pyflag.1 ├── pyflag.in ├── pyflag_launch.in ├── pyflash.in ├── src ├── FileFormats │ ├── EVTLog.py │ ├── Fuzzer.py │ ├── HTML.py │ ├── IECache.py │ ├── Javascript.py │ ├── LZFU.py │ ├── MozCache.py │ ├── MozHist.py │ ├── OLE2.py │ ├── PCAP.py │ ├── PDF.py │ ├── PElib.py │ ├── PST.py │ ├── RegFile.py │ ├── Yahoo.py │ ├── Zip.py │ ├── __init__.py │ ├── libole2.py │ └── urlnorm.py ├── Makefile.am ├── distorm │ ├── CHANGES │ ├── COPYING │ ├── Makefile.am │ ├── README │ ├── 
config.h │ ├── decoder.c │ ├── decoder.h │ ├── distorm.c │ ├── distorm.h │ ├── instructions.c │ ├── instructions.h │ ├── insts.c │ ├── insts.h │ ├── operands.c │ ├── operands.h │ ├── prefix.c │ ├── prefix.h │ ├── pydistorm.c │ ├── pydistorm.h │ ├── textdefs.c │ ├── textdefs.h │ ├── wstring.c │ ├── wstring.h │ ├── x86defs.c │ └── x86defs.h ├── filesystems │ ├── Makefile.am │ ├── magic │ │ ├── Makefile.am │ │ ├── magic.c │ │ └── py_magic.h │ └── sleuthkit │ │ ├── Makefile.am │ │ ├── auxtools │ │ ├── Makefile.am │ │ ├── XGetopt.c │ │ ├── XGetopt.h │ │ ├── aux_tools.h │ │ ├── data_buf.c │ │ ├── mymalloc.c │ │ ├── split_at.c │ │ ├── strerror.c │ │ ├── tsk_endian.c │ │ ├── tsk_error.c │ │ ├── tsk_list.c │ │ ├── tsk_os.h │ │ ├── tsk_parse.c │ │ ├── tsk_printf.c │ │ ├── tsk_unicode.c │ │ └── tsk_version.c │ │ ├── fstools │ │ ├── Makefile.am │ │ ├── dcalc.c │ │ ├── dcalc_lib.c │ │ ├── dcat.c │ │ ├── dcat_lib.c │ │ ├── dls.c │ │ ├── dls_lib.c │ │ ├── dstat.c │ │ ├── dstat_lib.c │ │ ├── ext2fs.c │ │ ├── ext2fs.h │ │ ├── ext2fs_dent.c │ │ ├── ext2fs_journal.c │ │ ├── fatfs.c │ │ ├── fatfs.h │ │ ├── fatfs_dent.c │ │ ├── ffind.c │ │ ├── ffind_lib.c │ │ ├── ffs.c │ │ ├── ffs.h │ │ ├── ffs_dent.c │ │ ├── fls.c │ │ ├── fls_lib.c │ │ ├── fs_data.c │ │ ├── fs_dent.c │ │ ├── fs_inode.c │ │ ├── fs_io.c │ │ ├── fs_load.c │ │ ├── fs_open.c │ │ ├── fs_tools.h │ │ ├── fs_tools_i.h │ │ ├── fs_types.c │ │ ├── fscheck.c │ │ ├── fsstat.c │ │ ├── hfs.c │ │ ├── hfs.h │ │ ├── hfs_dent.c │ │ ├── hfs_journal.c │ │ ├── icat.c │ │ ├── icat_lib.c │ │ ├── ifind.c │ │ ├── ifind_lib.c │ │ ├── ils.c │ │ ├── ils_lib.c │ │ ├── iso9660.c │ │ ├── iso9660.h │ │ ├── iso9660_dent.c │ │ ├── istat.c │ │ ├── jcat.c │ │ ├── jls.c │ │ ├── ntfs.c │ │ ├── ntfs.h │ │ ├── ntfs_dent.c │ │ ├── rawfs.c │ │ └── swapfs.c │ │ ├── imgtools │ │ ├── DESIGN.txt │ │ ├── Makefile.am │ │ ├── img_cat.c │ │ ├── img_open.c │ │ ├── img_stat.c │ │ ├── img_tools.h │ │ ├── img_types.c │ │ ├── raw.c │ │ ├── raw.h │ │ ├── split.c │ │ └── 
split.h │ │ ├── mmtools │ │ ├── Makefile.am │ │ ├── bsd.c │ │ ├── bsd.h │ │ ├── dos.c │ │ ├── dos.h │ │ ├── gpt.c │ │ ├── gpt.h │ │ ├── mac.c │ │ ├── mac.h │ │ ├── mm_io.c │ │ ├── mm_open.c │ │ ├── mm_part.c │ │ ├── mm_tools.h │ │ ├── mm_types.c │ │ ├── mmls.c │ │ ├── mmstat.c │ │ ├── sun.c │ │ └── sun.h │ │ ├── python │ │ ├── Makefile.am │ │ ├── dbtool.py │ │ ├── sk.c │ │ └── sk.h │ │ └── sleuthkit-2.52 │ │ ├── Makefile.am │ │ ├── README.txt │ │ ├── docs │ │ ├── library-api.txt │ │ ├── nsrl.txt │ │ ├── other.txt │ │ ├── ref_fs.txt │ │ ├── ref_timeline.txt │ │ ├── skins_fat.txt │ │ ├── skins_iso9660.txt │ │ ├── skins_ntfs.txt │ │ └── skins_windows.txt │ │ ├── licenses │ │ ├── GNU-COPYING │ │ ├── IBM-LICENSE │ │ └── cpl1.0.txt │ │ └── tsk │ │ ├── Makefile.am │ │ ├── base │ │ ├── .indent.pro │ │ ├── Makefile.am │ │ ├── XGetopt.c │ │ ├── XGetopt.h │ │ ├── data_buf.c │ │ ├── md5c.c │ │ ├── mymalloc.c │ │ ├── sha1c.c │ │ ├── tsk_base.h │ │ ├── tsk_base_i.h │ │ ├── tsk_endian.c │ │ ├── tsk_error.c │ │ ├── tsk_list.c │ │ ├── tsk_os.h │ │ ├── tsk_parse.c │ │ ├── tsk_printf.c │ │ ├── tsk_unicode.c │ │ └── tsk_version.c │ │ ├── fs │ │ ├── .indent.pro │ │ ├── Makefile.am │ │ ├── dcalc_lib.c │ │ ├── dcat_lib.c │ │ ├── dls_lib.c │ │ ├── dstat_lib.c │ │ ├── ext2fs.c │ │ ├── ext2fs_dent.c │ │ ├── ext2fs_journal.c │ │ ├── fatfs.c │ │ ├── fatfs_dent.c │ │ ├── ffind_lib.c │ │ ├── ffs.c │ │ ├── ffs_dent.c │ │ ├── fls_lib.c │ │ ├── fs_data.c │ │ ├── fs_dent.c │ │ ├── fs_inode.c │ │ ├── fs_io.c │ │ ├── fs_load.c │ │ ├── fs_open.c │ │ ├── fs_types.c │ │ ├── hfs.c │ │ ├── hfs_dent.c │ │ ├── hfs_journal.c │ │ ├── icat_lib.c │ │ ├── ifind_lib.c │ │ ├── ils_lib.c │ │ ├── iso9660.c │ │ ├── iso9660_dent.c │ │ ├── ntfs.c │ │ ├── ntfs_dent.c │ │ ├── rawfs.c │ │ ├── swapfs.c │ │ ├── tsk_ext2fs.h │ │ ├── tsk_fatfs.h │ │ ├── tsk_ffs.h │ │ ├── tsk_fs.h │ │ ├── tsk_fs_i.h │ │ ├── tsk_hfs.h │ │ ├── tsk_iso9660.h │ │ └── tsk_ntfs.h │ │ ├── hashdb │ │ ├── .indent.pro │ │ ├── Makefile.am │ │ ├── 
hk_index.c │ │ ├── idxonly_index.c │ │ ├── md5sum_index.c │ │ ├── nsrl_index.c │ │ ├── tm_lookup.c │ │ ├── tsk_hashdb.h │ │ └── tsk_hashdb_i.h │ │ ├── img │ │ ├── .indent.pro │ │ ├── DESIGN.txt │ │ ├── Makefile.am │ │ ├── aff.c │ │ ├── aff.h │ │ ├── ewf.c │ │ ├── ewf.h │ │ ├── img_open.c │ │ ├── img_types.c │ │ ├── raw.c │ │ ├── raw.h │ │ ├── split.c │ │ ├── split.h │ │ ├── tsk_img.h │ │ └── tsk_img_i.h │ │ ├── lib │ │ └── Date │ │ │ ├── Manip.pm │ │ │ └── Manip.pod │ │ ├── libtsk.h │ │ ├── sorter │ │ ├── default.sort │ │ ├── freebsd.sort │ │ ├── images.sort │ │ ├── linux.sort │ │ ├── openbsd.sort │ │ ├── solaris.sort │ │ └── windows.sort │ │ ├── stamp-h1 │ │ ├── tsk_config.h.in │ │ ├── tsk_incs.h │ │ ├── tsk_tools_i.h │ │ └── vs │ │ ├── .indent.pro │ │ ├── Makefile.am │ │ ├── bsd.c │ │ ├── dos.c │ │ ├── gpt.c │ │ ├── mac.c │ │ ├── mm_io.c │ │ ├── mm_open.c │ │ ├── mm_part.c │ │ ├── mm_types.c │ │ ├── sun.c │ │ ├── tsk_bsd.h │ │ ├── tsk_dos.h │ │ ├── tsk_gpt.h │ │ ├── tsk_mac.h │ │ ├── tsk_sun.h │ │ ├── tsk_vs.h │ │ └── tsk_vs_i.h ├── include │ ├── Makefile.am │ ├── class.h │ ├── crypto │ │ ├── Makefile.am │ │ ├── md5.h │ │ └── sha1.h │ ├── enum.h │ ├── except.h │ ├── index.h │ ├── list.h │ ├── misc.h │ ├── network.h │ ├── packet.h │ ├── pcap.h │ ├── pypacket.h │ ├── stringio.h │ ├── struct.h │ └── talloc.h ├── indextools │ ├── Makefile.am │ ├── index.c │ ├── index.i │ ├── test.py │ └── trie.html ├── indextools_ng │ ├── Makefile.am │ ├── index.c │ ├── test.py │ ├── trie.c │ └── trie.h ├── javascript │ ├── FlowPlayer.swf │ ├── audio-player.js │ ├── functions.js │ ├── html_render.js │ ├── player.swf │ └── pyflag.profile.js ├── lib │ ├── Makefile.am │ ├── Makefile.sgzip │ ├── class.c │ ├── evtool.c │ ├── except.c │ ├── io.c │ ├── libevf.c │ ├── libevf.h │ ├── libiosubsys │ │ ├── Makefile.am │ │ ├── hooker.c │ │ ├── hooker.h │ │ ├── iosubsys.c │ │ ├── iowrapper.c │ │ ├── libiosubsys.c │ │ ├── libiosubsys.h │ │ └── test.c │ ├── libsgzip │ │ ├── Makefile.am │ │ ├── 
sgzip.c │ │ ├── sgzlib.c │ │ └── sgzlib.h │ ├── md5c.c │ ├── misc.c │ ├── open.c │ ├── packet.c │ ├── pyaff │ │ ├── Makefile.am │ │ └── pyaff.c │ ├── pyewf │ │ ├── Makefile.am │ │ └── pyewf.c │ ├── pypacket.c │ ├── pytdb.c │ ├── pyxpress.c │ ├── remote.h │ ├── remote_client.c │ ├── remote_server.c │ ├── sgzip.c │ ├── sgzlib.c │ ├── sgzlib.h │ ├── sha1.c │ ├── stringio.c │ ├── struct.c │ └── talloc.c ├── mailtools │ ├── Makefile.am │ ├── common.h │ ├── debug.c │ ├── define.h │ ├── libpst.c │ ├── libpst.h │ ├── libstrfunc.c │ ├── libstrfunc.h │ ├── lzfu.c │ ├── lzfu.h │ ├── pst.c │ ├── readpst.c │ ├── test.py │ ├── timeconv.c │ ├── timeconv.h │ ├── vbuf.c │ ├── vbuf.h │ └── version.h ├── mmedia │ ├── Makefile.am │ ├── jpeg.c │ ├── suspend.c │ └── suspend.h ├── network │ ├── GeoIP.h │ ├── GeoIPCity.h │ ├── Makefile.am │ ├── _dissect.c │ ├── dissect.py │ ├── geoip.c │ ├── main.c │ ├── network.c │ ├── pcap.c │ ├── pypcap.c │ ├── pypcap.h │ ├── reassembler.c │ ├── reassembler.h │ ├── reassembler_test.py │ ├── tcp.c │ ├── tcp.h │ ├── test.py │ └── test_pcap.py ├── plugins │ ├── AFF4 │ │ ├── AFF4.py │ │ ├── Loader.py │ │ └── Raid.py │ ├── Annotate.py │ ├── CaseManagement.py │ ├── ColumnTypes.py │ ├── Configuration.py │ ├── Core.py │ ├── DiskForensics │ │ ├── FileHandlers │ │ │ ├── Partitions.py │ │ │ └── ZipFile.py │ │ ├── Magic.py │ │ └── TypeScan.py │ ├── FileFormats │ │ └── BasicFormats.py │ ├── FileHandlers.py │ ├── Flash │ │ ├── AdvancedCommands.py │ │ ├── BasicCommands.py │ │ ├── ExportCommands.py │ │ ├── HTTPCommands.py │ │ └── LogFlash.py │ ├── GenericTable.py │ ├── LoadData.py │ ├── LogAnalysis │ │ ├── Advanced.py │ │ ├── Apache.py │ │ ├── CSV.py │ │ ├── CiscoPix.py │ │ ├── EVTLog.py │ │ ├── IIS.py │ │ ├── IPTables.py │ │ ├── LogAnalysis.py │ │ ├── Simple.py │ │ ├── SysLog.py │ │ ├── Whois.py │ │ └── __init__.py │ ├── NetworkForensics │ │ ├── NetworkScanner.py │ │ ├── ProtocolHandlers │ │ │ ├── Gmail.py │ │ │ ├── Google.py │ │ │ ├── HTTP.py │ │ │ ├── LiveCom.py │ 
│ │ ├── MSN.py │ │ │ ├── WebMail.py │ │ │ ├── YahooMail.py │ │ │ ├── __dont_descend__.py │ │ │ ├── __init__.py │ │ │ └── mms │ │ │ │ ├── AUTHORS │ │ │ │ ├── README │ │ │ │ ├── __init__.py │ │ │ │ ├── iterator.py │ │ │ │ ├── message.py │ │ │ │ ├── mms_pdu.py │ │ │ │ └── wsp_pdu.py │ │ ├── ViewFile.py │ │ └── __init__.py │ ├── PreCanned │ │ └── Basic.py │ ├── Preview.py │ ├── Stats.py │ ├── TableRenderers │ │ ├── CSVExport.py │ │ ├── Gallery.py │ │ ├── HTMLBundle.py │ │ ├── PeriodicHTML.py │ │ └── __init__.py │ ├── Themes │ │ ├── AJAX.py │ │ ├── Menus.py │ │ ├── Standard.py │ │ ├── XML.py │ │ └── __init__.py │ ├── Tools │ │ ├── MatlibPlot.py │ │ └── __init__.py │ ├── UnitTests.py │ ├── Urwid │ │ ├── Disassembler.py │ │ ├── Hexeditor.py │ │ ├── Structs.py │ │ ├── __dont_descend__.py │ │ ├── __init__.py │ │ ├── pyflag_display.py │ │ ├── urwid │ │ │ ├── __init__.py │ │ │ ├── canvas.py │ │ │ ├── curses_display.py │ │ │ ├── escape.py │ │ │ ├── font.py │ │ │ ├── graphics.py │ │ │ ├── html_fragment.py │ │ │ ├── listbox.py │ │ │ ├── old_str_util.py │ │ │ ├── raw_display.py │ │ │ ├── util.py │ │ │ ├── web_display.py │ │ │ └── widget.py │ │ └── urwid_test.py │ ├── __init__.py │ └── test.py ├── plugins_old │ ├── DiskForensics │ │ ├── Carvers │ │ │ ├── IEHistoryCarver.py │ │ │ ├── JPEGCarver.py │ │ │ └── ScriptCarver.py │ │ ├── DiskForensics.py │ │ ├── FileHandlers │ │ │ ├── EventLog.py │ │ │ ├── Extractor.py │ │ │ ├── IEIndex.py │ │ │ ├── Mozilla.py │ │ │ ├── OLE.py │ │ │ ├── PstFile.py │ │ │ ├── PstFile_deprecated.py │ │ │ ├── RFC2822.py │ │ │ ├── RegScan.py │ │ │ ├── SQLite.py │ │ │ └── ZipFile.py │ │ ├── FileSystems │ │ │ ├── Mounted.py │ │ │ ├── Remote.py │ │ │ └── Sleuthkit.py │ │ ├── HashComparison.py │ │ ├── LogicalIndex.py │ │ ├── TimeLine.py │ │ ├── VirScan.py │ │ └── __init__.py │ ├── FileFormats │ │ ├── DAFTFormats.py │ │ ├── RevEng.py │ │ └── __init__.py │ ├── MemoryForensics │ │ ├── HexEditor.py │ │ ├── README │ │ ├── Volatility-1.3_Linux_rc.1 │ │ │ ├── AUTHORS.txt 
│ │ │ ├── CHANGELOG.txt │ │ │ ├── CREDITS.txt │ │ │ ├── LEGAL.txt │ │ │ ├── LICENSE.txt │ │ │ ├── MANIFEST │ │ │ ├── PKG-INFO │ │ │ ├── README.txt │ │ │ ├── forensics │ │ │ │ ├── __init__.py │ │ │ │ ├── addrspace.py │ │ │ │ ├── commands.py │ │ │ │ ├── linked_list.py │ │ │ │ ├── linux │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── core.py │ │ │ │ │ ├── files.py │ │ │ │ │ ├── info.py │ │ │ │ │ ├── scan.py │ │ │ │ │ └── tasks.py │ │ │ │ ├── object.py │ │ │ │ ├── object2.py │ │ │ │ ├── registry.py │ │ │ │ ├── symbols.py │ │ │ │ ├── utils.py │ │ │ │ ├── win32 │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── crash_addrspace.py │ │ │ │ │ ├── crashdump.py │ │ │ │ │ ├── datetime.py │ │ │ │ │ ├── domcachedump.py │ │ │ │ │ ├── executable.py │ │ │ │ │ ├── handles.py │ │ │ │ │ ├── hashdump.py │ │ │ │ │ ├── hiber_addrspace.py │ │ │ │ │ ├── hive2.py │ │ │ │ │ ├── info.py │ │ │ │ │ ├── lists.py │ │ │ │ │ ├── lsasecrets.py │ │ │ │ │ ├── meta_info.py │ │ │ │ │ ├── modules.py │ │ │ │ │ ├── network.py │ │ │ │ │ ├── overlay.py │ │ │ │ │ ├── rawreg.py │ │ │ │ │ ├── registry.py │ │ │ │ │ ├── regtypes.py │ │ │ │ │ ├── scan.py │ │ │ │ │ ├── scan2.py │ │ │ │ │ ├── tasks.py │ │ │ │ │ ├── vad.py │ │ │ │ │ └── xpress.py │ │ │ │ └── x86.py │ │ │ ├── memory_objects │ │ │ │ └── Windows │ │ │ │ │ ├── registry.py │ │ │ │ │ └── xp_sp2.py │ │ │ ├── memory_plugins │ │ │ │ ├── Linux │ │ │ │ │ ├── lindatetime.py │ │ │ │ │ ├── linfiles.py │ │ │ │ │ ├── linident.py │ │ │ │ │ ├── linmemdmp.py │ │ │ │ │ ├── linmodules.py │ │ │ │ │ ├── linpktscan.py │ │ │ │ │ ├── linps.py │ │ │ │ │ ├── linsockets.py │ │ │ │ │ ├── linstrings.py │ │ │ │ │ └── linvm.py │ │ │ │ ├── address_spaces │ │ │ │ │ ├── crash.py │ │ │ │ │ ├── ewf.py │ │ │ │ │ ├── hibernate.py │ │ │ │ │ └── standard.py │ │ │ │ ├── basic.py │ │ │ │ ├── example1.py │ │ │ │ ├── example2.py │ │ │ │ ├── example3.py │ │ │ │ ├── pstree.py │ │ │ │ ├── registry │ │ │ │ │ ├── cachedump.py │ │ │ │ │ ├── hashdump.py │ │ │ │ │ ├── hivelist.py │ │ │ │ │ ├── hivescan2.py │ │ │ │ │ ├── 
lsadump.py │ │ │ │ │ └── printkey.py │ │ │ │ └── ssdt.py │ │ │ ├── profiles │ │ │ │ └── 2_6_18-8_1_15_el5 │ │ │ │ │ ├── System.map-2.6.18-8.1.15.el5.map │ │ │ │ │ └── centos-2.6.18-8.1.15.el5.types.py │ │ │ ├── setup.py │ │ │ ├── thirdparty │ │ │ │ ├── __init__.py │ │ │ │ └── progressbar.py │ │ │ ├── vmodules.py │ │ │ ├── volatility.py │ │ │ ├── vsyms.py │ │ │ ├── vtypes.py │ │ │ └── vutils.py │ │ ├── VolatilityCommon.py │ │ ├── VolatilityLinux.py │ │ ├── VolatilityWindows.py │ │ ├── WindowsLoader.py │ │ ├── WindowsSSDT.py │ │ ├── WindowsTasks.py │ │ └── __Dont_Descend__.py │ ├── NetworkForensics │ │ ├── ProtocolHandlers │ │ │ ├── DNS.py │ │ │ ├── Email.py │ │ │ ├── FTP.py │ │ │ ├── HTTP.py │ │ │ ├── IRC.py │ │ │ ├── MMS.py │ │ │ ├── MSN.py │ │ │ ├── POP.py │ │ │ ├── SIP.py │ │ │ ├── SMTP.py │ │ │ ├── SquirrelMail.py │ │ │ ├── VOIP.py │ │ │ └── Yahoo.py │ │ └── Reassembler.py │ ├── Tests │ │ ├── DBTest.py │ │ ├── GUI.py │ │ ├── dfrws2008.py │ │ ├── dftt.py │ │ └── unicode.py │ └── aff4 │ │ ├── README │ │ ├── __init__.py │ │ ├── aff4.py │ │ ├── aff4_attributes.py │ │ ├── aff4fuse.py │ │ ├── aff4imager.py │ │ ├── ewf.py │ │ ├── pyaff.py │ │ ├── pyflag_attributes.py │ │ ├── tdb_dump.py │ │ └── tdb_resolver.py ├── pyflag │ ├── AJAXUI.py │ ├── CacheManager.py │ ├── Carvers │ │ ├── Carver.py │ │ ├── Makefile │ │ ├── Tester.py │ │ ├── jpeg_carver.py │ │ ├── jpeg_test.py │ │ ├── pdf_carver.py │ │ ├── test_maps │ │ │ ├── map1.map │ │ │ ├── map2.map │ │ │ ├── map3.map │ │ │ └── unit.map │ │ └── zip_carver.py │ ├── ColumnTypes.py │ ├── DB.py │ ├── Exgrep.py │ ├── Farm.py │ ├── FileSystem.py │ ├── FlagFramework.py │ ├── FlagGTKServer.py │ ├── FlagHTTPServer.py │ ├── GTKUI.py │ ├── Graph.py │ ├── HTMLUI.py │ ├── IO.py │ ├── Indexing.py │ ├── LogFile.py │ ├── Magic.py │ ├── Makefile.am │ ├── Packets.py │ ├── Registry.py │ ├── Reports.py │ ├── Scanner.py │ ├── ScannerUtils.py │ ├── Stats.py │ ├── Store.py │ ├── TEXTUI.py │ ├── TableActions.py │ ├── TableObj.py │ ├── Theme.py │ 
├── Time.py │ ├── TreeObj.py │ ├── TypeCheck.py │ ├── UI.py │ ├── XMLUI.py │ ├── __init__.py │ ├── attributes.py │ ├── code_parser.g │ ├── code_parser.py │ ├── conf.py.in │ ├── dateutil │ │ ├── __init__.py │ │ ├── easter.py │ │ ├── parser.py │ │ ├── relativedelta.py │ │ ├── rrule.py │ │ ├── tz.py │ │ └── tzwin.py │ ├── examine.py │ ├── format.py │ ├── lexer.py │ ├── mspst.py │ ├── parser.g │ ├── parser.py │ ├── pyclamd.py │ ├── pyflaglog.py │ ├── pyflagsh.py │ ├── regkey_load.py │ ├── tests.py │ └── yapps │ │ ├── __init__.py │ │ └── runtime.py ├── regtools │ ├── Makefile.am │ ├── README │ ├── byteorder.h │ ├── common.c │ ├── lru_cache.c │ ├── lru_cache.h │ ├── pyregistry.c │ ├── range_list.c │ ├── range_list.h │ ├── regfi.c │ ├── regfi.h │ ├── reglookup-recover.c │ ├── reglookup.c │ ├── smb_deps.c │ ├── smb_deps.h │ ├── void_stack.c │ └── void_stack.h ├── remote │ ├── Makefile.am │ ├── ecc.c │ ├── ecc.h │ ├── pki_gen_keys.c │ ├── rc4.c │ ├── rc4.h │ ├── remote.c │ ├── remote.h │ ├── remote_client.c │ └── remote_server.c └── virustools │ └── Makefile.am ├── tests ├── init.py ├── launch ├── pyflag ├── pyflash ├── sktest.py └── yahoo_mail_versions.py └── utilities ├── EventLogTool.py ├── Tester.py ├── compare.py ├── dd.py ├── extract_tcp_streams.py ├── fuse_loopback_subsystem.py ├── http_sundry_loader.py ├── http_sundry_loader_template.py ├── incremental_load.py ├── indexer.py ├── load_dictionary.py ├── mapper.py ├── mergecap.py ├── mergecap2.py ├── nsrl_load.py ├── pyflag-live └── ubuntu_forensic_installer.sh ├── pyflag_fuse.py ├── raid_guess.py ├── raid_test.py ├── regkeys_load.sh ├── sanitise_ips.py ├── simple_carver.py ├── tcptrace.py ├── test_repo.py ├── update_version.sh ├── whois.py ├── whois_load.py └── whois_load.sh /.gitignore: -------------------------------------------------------------------------------- 1 | # use glob syntax. 
2 | *.elc 3 | *.pyc 4 | *~ 5 | *.o 6 | *.Plo 7 | *.lo 8 | *.Po 9 | *.la 10 | *.in 11 | Makefile 12 | *.a 13 | *config.h 14 | config/* 15 | autom4te* 16 | *.m4 17 | config* 18 | libtool 19 | stamp-h* 20 | *.mgc 21 | images/changelog.html 22 | conf.py 23 | .libs/ 24 | *.so 25 | pyflag_launch 26 | pyflash 27 | src/lib/evtool 28 | src/lib/sgzip 29 | src/mailtools/readpst 30 | src/regtools/reglookup 31 | *\# 32 | .\#* 33 | *.tdb 34 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/AUTHORS -------------------------------------------------------------------------------- /CONTRIBUTING: -------------------------------------------------------------------------------- 1 | F.L.A.G Forensic and Log Analysis GUI 2 | http://www.pyflag.net/ 3 | 4 | Developer documentation of the various APIs are found on the PyFlag wiki: 5 | 6 | http://www.pyflag.net/ 7 | -------------------------------------------------------------------------------- /ChangeLog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/ChangeLog -------------------------------------------------------------------------------- /NEWS: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/NEWS -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | F.L.A.G Forensic and Log Analysis GUI 2 | http://pyflag.sourceforge.net 3 | 4 | This application is designed to assist IT security professionals with 5 | analysing log files, tcpdump files and hard disk images for forensic 6 | 
evidence. 7 | 8 | PyFlag is designed to run on Linux and has been tested on recent 9 | versions of Redhat/Fedora and Debian (Stable/Testing). It performs 10 | data analysis using a mysql database. It is written in python and 11 | should be portable to other unix-like systems. 12 | 13 | Installation instructions can be found in the INSTALL file. 14 | 15 | This is a copy of: https://code.google.com/p/pyflag/ 16 | 17 | This project is no longer actively maintained and is kept primarily as a reference. 18 | 19 | -------------------------------------------------------------------------------- /TODO: -------------------------------------------------------------------------------- 1 | Todo items are kept in the wiki on: 2 | 3 | http://www.pyflag.net/ -------------------------------------------------------------------------------- /autogen.sh: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | 3 | echo PyFlag autogen.sh 4 | echo 5 | 6 | res=`type libtoolize` 7 | if [ $0 = 0 ]; then 8 | echo please install libtoolize 9 | exit 1 10 | else 11 | echo starting libtoolize 12 | libtoolize 13 | echo finished libtoolize 14 | fi 15 | 16 | echo 17 | 18 | res=`type aclocal` 19 | if [ $0 = 0 ]; then 20 | echo please install aclocal 21 | exit 1 22 | else 23 | echo starting aclocal 24 | aclocal -I config 25 | echo finished aclocal 26 | fi 27 | 28 | echo 29 | 30 | res=`type autoheader` 31 | if [ $0 = 0 ]; then 32 | echo please install autoheader 33 | exit 1 34 | else 35 | echo starting autoheader 36 | autoheader 37 | echo finished autoheader 38 | fi 39 | 40 | echo 41 | 42 | res=`type automake` 43 | if [ $0 = 0 ]; then 44 | echo please install automake 45 | exit 1 46 | else 47 | echo starting automake 48 | automake --add-missing --copy 49 | echo finished automake 50 | fi 51 | 52 | echo 53 | 54 | res=`type autoconf` 55 | if [ $0 = 0 ]; then 56 | echo please install autoconf 57 | exit 1 58 | else 59 | echo starting autoconf 60 | autoconf 61 | echo 
finished autoconf 62 | fi 63 | 64 | echo 65 | 66 | ## Fix up permissions of some files: 67 | chmod +x tests/pyflag tests/pyflash debian/rules 68 | chmod +x utilities/*.py 69 | 70 | echo everything done... 71 | echo 72 | echo next steps are running configure, make, make install 73 | -------------------------------------------------------------------------------- /config/Makefile.rules: -------------------------------------------------------------------------------- 1 | %.pyd: %.c 2 | ## The static is used to ensure that we do not require any 3 | ## more dlls in the python modules. This solves the windows 4 | ## dll hell. 5 | $(CC) -static $(AM_CFLAGS) $(PYTHON_CPPFLAGS) -I. -I$(top_srcdir)/src/include $(PYTHON_LDFLAGS) -o $@ $(*F).c .libs/$*.a $(PYTHON_EXTRA_LIBS) $(AM_LDFLAGS) 6 | $(STRIP) $@ 7 | 8 | %.so: %.c 9 | ## This compile line is for building shared objects under 10 | ## linux. The -fPIC seems to be required for 64 bit machines. 11 | $(CC) $(CFLAGS) -shared -fPIC $(AM_CFLAGS) $(PYTHON_CPPFLAGS) -I. -I$(top_srcdir)/src/include $(PYTHON_LDFLAGS) -o $@ $? .libs/$*.a $(PYTHON_EXTRA_LIBS) $(AM_LDFLAGS) 12 | ## $(STRIP) $@ 13 | 14 | clean-local: 15 | -rm -rf *.so *.pyd 16 | -------------------------------------------------------------------------------- /data/magic: -------------------------------------------------------------------------------- 1 | # IE History file 2 | 0 string Client\ UrlCache\ MMF\ Ver\ 5.2 IE History File 3 | 0 lelong 0x4E444221 MS Outlook PST File 4 | 5 | # A better RFC2822 detector 6 | 20 regex/c ^MIME-Version: RFC 822 Message 7 | 20 regex/c ^From:.+<.+@.+> RFC 822 Message -------------------------------------------------------------------------------- /data/magic.mime: -------------------------------------------------------------------------------- 1 | ## Pyflag specific additions 2 | 0 lelong 0x4E444221 application/x-msoutlook 3 | 4 | # 5 | # Windows Registry files. 
6 | # 7 | 0 string regf application/x-winnt-registry 8 | 0 string CREG application/x-win9x-registry 9 | 10 | # 11 | # Internet Explorer History Files (index.dat) 12 | 0 string Client\ UrlCache application/x-ie-index 13 | 14 | ## Gzip files need their own mime types in Pyflag: 15 | 0 string \037\213 application/x-gzip; foobar 16 | 17 | # A better RFC2822 detector 18 | 20 regex/c ^MIME-Version: message/rfc822 19 | 20 regex/c ^From:.+<.+@.+> message/rfc822 20 | 21 | -------------------------------------------------------------------------------- /debian/Makefile.am: -------------------------------------------------------------------------------- 1 | debpackage_files = changelog control dirs docs copyright compat pyflag.doc-base.EX pyflag-doc.docs pyflag-doc.install README.Debian rules 2 | noinst_DATA = $(debpackage_files) 3 | EXTRA_DIST = $(debpackage_files) 4 | 5 | -------------------------------------------------------------------------------- /debian/README.Debian: -------------------------------------------------------------------------------- 1 | pyflag for Debian 2 | ----------------- 3 | 4 | 5 | 6 | -- cnvt , Fri, 17 Feb 2006 18:03:47 +1100 7 | -------------------------------------------------------------------------------- /debian/changelog: -------------------------------------------------------------------------------- 1 | pyflag (0.87Pre1) unstable; urgency=low 2 | 3 | * New version release 4 | 5 | -- scudette Fri, 05 Sep 2008 10:59:00 +1000 6 | 7 | pyflag (0.86RC1) unstable; urgency=low 8 | 9 | * Released new version. 10 | 11 | -- scudette Fri, 31 Jan 2008 10:59:00 +1000 12 | 13 | pyflag (0.85) unstable; urgency=low 14 | 15 | * Full changelog can be found here: http://www.pyflag.net/pyflah/_darcs/inventory 16 | 17 | -- scudette Thu, 27 Dec 2007 10:59:00 +1000 18 | 19 | pyflag (0.84RC1) unstable; urgency=low 20 | 21 | * Package updated to work with new build system. 
Much nicer now :) 22 | 23 | -- scudette Thu, 9 Feb 2007 10:59:00 +1100 24 | 25 | pyflag (0.80.1) unstable; urgency=low 26 | 27 | * Package updated to work with new build system. Much nicer now :) 28 | 29 | -- gmcastl Thu, 9 Feb 2006 10:59:00 +1100 30 | 31 | pyflag (0.0.20050225-1) unstable; urgency=low 32 | 33 | * Initial deb package release. 34 | 35 | -- pyflag Tue, 15 Feb 2005 16:39:33 +1100 36 | 37 | 38 | -------------------------------------------------------------------------------- /debian/compat: -------------------------------------------------------------------------------- 1 | 4 2 | -------------------------------------------------------------------------------- /debian/control: -------------------------------------------------------------------------------- 1 | Source: pyflag 2 | Section: utils 3 | Priority: optional 4 | Maintainer: Michael Cohen and David Collett 5 | Build-Depends: debhelper (>= 4.0.0), zlib1g-dev, libmagic-dev, python-dev (>= 2.5), make, python-imaging, python-pexpect, python-mysqldb 6 | Build-Conflicts: 7 | Standards-Version: 3.6.1 8 | 9 | Package: pyflag 10 | Architecture: any 11 | Depends: python (>= 2.5), libmagic1, python-mysqldb, python-imaging, zlib1g, python-pexpect 12 | Recommends: python-dateutil, libgeoip-dev, libjpeg62-dev, clamav-daemon 13 | Description: python-based forensic tool 14 | The python Forensic Log Analysis GUI was designed to simplify the process of 15 | log file analysis and forensic investigations. PyFlag performs 16 | advanced forensic analysis of disk images, as well as network 17 | captures (pcap files) and log files. 
18 | 19 | Package: pyflag-doc 20 | Architecture: all 21 | Description: Documentation for pyflag 22 | Documentation for PyFlag can be found on the pyflag wiki: http://www.pyflag.net/ 23 | -------------------------------------------------------------------------------- /debian/copyright: -------------------------------------------------------------------------------- 1 | This package was debianized by on Tue, 15 Feb 2005 16:39:33 +1100. 2 | 3 | It was downloaded from 4 | 5 | Copyright: 6 | 7 | Authors: 8 | 9 | License: 10 | 11 | This package is free software; you can redistribute it and/or modify 12 | it under the terms of the GNU General Public License as published by 13 | the Free Software Foundation; version 2 dated June, 1991. 14 | 15 | This package is distributed in the hope that it will be useful, 16 | but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | GNU General Public License for more details. 19 | 20 | You should have received a copy of the GNU General Public License 21 | along with this package; if not, write to the Free Software 22 | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 23 | 02111-1307, USA. 24 | 25 | On Debian systems, the complete text of the GNU General 26 | Public License can be found in `/usr/share/common-licenses/GPL'. 
27 | 28 | -------------------------------------------------------------------------------- /debian/dirs: -------------------------------------------------------------------------------- 1 | usr/bin 2 | usr/share/man/man1 3 | -------------------------------------------------------------------------------- /debian/docs: -------------------------------------------------------------------------------- 1 | README 2 | TODO 3 | -------------------------------------------------------------------------------- /debian/pyflag-doc.docs: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /debian/pyflag-doc.install: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /debian/pyflag.doc-base.EX: -------------------------------------------------------------------------------- 1 | Document: pyflag 2 | Title: Debian pyflag Manual 3 | Author: 4 | Abstract: This manual describes what pyflag is 5 | and how it can be used to 6 | manage online manuals on Debian systems. 7 | Section: unknown 8 | 9 | Format: debiandoc-sgml 10 | Files: /usr/share/doc/pyflag/pyflag.sgml.gz 11 | 12 | Format: postscript 13 | Files: /usr/share/doc/pyflag/pyflag.ps.gz 14 | 15 | Format: text 16 | Files: /usr/share/doc/pyflag/pyflag.text.gz 17 | 18 | Format: HTML 19 | Index: /usr/share/doc/pyflag/html/index.html 20 | Files: /usr/share/doc/pyflag/html/*.html 21 | 22 | 23 | -------------------------------------------------------------------------------- /docs/Dictionary-HOWTO.txt: -------------------------------------------------------------------------------- 1 | This is a brief description of how to search for plain strings or regular 2 | expressions in disk images using PyFLAG. 3 | 4 | 1. 
Create your dictionary file 5 | 6 | Each line should contain a keyword (beginning of line, no whitespace) 7 | describing the type or class of the thing being matched followed by 8 | whitespace followed by the regular expression or string describing the thing 9 | to be matched. For example (see data/regexps.txt) 10 | 11 | Email [\w\.]+@[\w\.]+ 12 | URL (http:|https:|ftp:|mail:)\S+ 13 | IPv4 \d+\.\d+\.\d+\.\d+ 14 | IPv4x.x.x.21 \d+\.\d+\.\d+\.21 15 | continent Antarctica 16 | 17 | 2. Load the dictionary file 18 | 19 | Load the dictionary into the database. Use --regex or --literal depending on whether your dictionary is string literals or regex's. For example, regex: 20 | 21 | pyflag_launch utilities/load_dictionary.py -v --regex regexps.txt 22 | wordclass is /English/ 23 | Reading File data/regexps.txt 24 | 25 | 3. Select IndexScanner as one of the scan methods when loading data 26 | 27 | 4. Display the results 28 | 29 | Notes: 30 | - Matches are case insensitive 31 | 32 | Caveats: 33 | - Matches do not cross block boundaries 34 | - The scanner searches *all* data. It may be very slow to load. 35 | - Results may be large. Be careful what regular expressions you 36 | search for. 37 | 38 | ---gregsfdev 2005_02_24 39 | -------------------------------------------------------------------------------- /docs/README: -------------------------------------------------------------------------------- 1 | Documentation for PyFlag is now maintained on the pyflag wiki on: 2 | 3 | http://www.pyflag.net/ 4 | 5 | -------------------------------------------------------------------------------- /docs/benchmark.txt: -------------------------------------------------------------------------------- 1 | ## This is a little note for me to keep track of performance. 2 | ## All tests were made using --workers=3 on a dual core laptop. Tests 3 | ## ran several times until the disk cache was primed. 
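4 | 5 | rm *tdb; python utilities/Tester.py --uploaddir /var/tmp/uploads/testimages/ -f Live 6 | Ran 1 test in 26.99s 7 | Serializing 1.206 sec 8 | 9 | Ran 1 test in 14.428s 10 | Volume closed in 1.27537703514 11 | 12 | rm *tdb; python utilities/Tester.py --uploaddir /var/tmp/uploads/testimages/ -f YahooMail 13 | Ran 1 test in 14.179s 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /examples/extract_images.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
""" A program demonstrating the automation of flag using the Flag Shell and python.

We extract all the files with type like image into the /tmp/results/ directory.
"""

import os

## Provides access to the pyflag shell
import pyflag.pyflagsh as pyflagsh

## Where recovered files are written. The script does not create this
## directory. Because it sits under the shared /tmp, it should be a directory
## that only the analyst can write to: open() follows a symlink that already
## exists at the destination name.
OUTPUT_DIR = "/tmp/results"

## First we load the filesystem in:
pyflagsh.shell_execv('load', 'demo')

# Do a big find over the filesystem to recover all the files
for entry in pyflagsh.shell_execv_iter('find_dict', '/'):
    source_path = "%s%s" % (entry['path'], entry['name'])

    # Use file to check their magic
    t = pyflagsh.shell_execv('file', source_path)

    # Substring test instead of str.index(): index() returns 0 when the type
    # string *starts* with 'image', and 0 is falsy, so those files were
    # silently skipped. 'in' also never raises ValueError.
    if not t or 'image' not in t['type']:
        continue

    # entry['name'] is read from the filesystem under examination, so treat it
    # as untrusted: keep only the final path component so the output cannot
    # land outside OUTPUT_DIR.
    safe_name = os.path.basename(entry['name'])
    if safe_name in ('', '.', '..'):
        continue

    ## Create this file in the output directory.
    ## NOTE: files that share a name in different source directories still
    ## overwrite each other here.
    new_filename = os.path.join(OUTPUT_DIR, safe_name)
    if not new_filename.endswith('.jpg'):
        new_filename += '.jpg'
    print("created file %s magic %s" % (new_filename, t['type']))

    # Binary mode: image content must not go through newline translation.
    # try/finally closes the handle even if reading the source fails midway.
    fd = open(new_filename, 'wb')
    try:
        for data in pyflagsh.shell_execv_iter('cat', source_path):
            fd.write(data)
    finally:
        fd.close()
-------------------------------------------------------------------------------- /examples/load_new_file.flash: -------------------------------------------------------------------------------- 1 | #Example Flash script for loading a filesystem 2 | delete_case %(case)s 3 | create_case %(case)s 4 | load %(case)s 5 | 6 | execute Load\ Data.Load\ IO\ Data\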
Source iosource=test subsys=Standard filename=%(Image filename)s offset=0 7 | 8 | scan * CompressedFile FileScanners GeneralForensics NetworkScanners 9 | -------------------------------------------------------------------------------- /examples/load_new_pcap_file.flash: -------------------------------------------------------------------------------- 1 | #Example Flash script for loading and scanning a pcap file 2 | 3 | #remove any existing cases of the name specified 4 | execute Case\ Management.Remove\ case remove_case=%(case)s 5 | 6 | #Do we need this? 7 | reset Case\ Management.Create\ new\ case create_case=%(case)s 8 | 9 | #Create a new case 10 | execute Case\ Management.Create\ new\ case create_case=%(case)s 11 | 12 | #Set this as the default case 13 | set case=%(case)s 14 | 15 | #Select the filesystem image (PCAP file) to load 16 | execute Load\ Data.Load\ IO\ Data\ Source iosource=%(iosource)s subsys=standard io_filename=%(iofilename)s io_offset=0 17 | 18 | #Set this as the default io source 19 | set iosource=%(iosource)s 20 | 21 | #Set the vfs mount point. This is how the pcap will appear in flag. e.g. 
/2005/12/25 22 | set mount_point=%(mountpoint)s 23 | 24 | #Tell it to use the PCAP filesystem 25 | execute Load\ Data.Load\ Filesystem\ image fstype=PCAP\ Filesystem 26 | 27 | #Run the scanners 28 | execute Load\ Data.ScanFS scan_IRCScanner=on scan_MSNScanner=on scan_HTTPScanner=on scan_POPScanner=on scan_SMTPScanner=on scan_RFC2822=on scan_GZScan=on scan_TarScan=on scan_ZipScan=on scan_PstScan=on scan_IEIndex=on scan_RegistryScan=on scan_TypeScan=on scangroup_Filesystem\ Analysis=off scan_UnallocatedScan=off scan_DeletedScan=off scan_IndexScan=on scan_MD5Scan=off path='/' scangroup_NetworkScanners=on scangroup_Compressed\ File=off scangroup_File\ Scanners=on scangroup_General\ Forensics=on 29 | -------------------------------------------------------------------------------- /examples/pcap.flash_load: -------------------------------------------------------------------------------- 1 | #Load up my pcap into flag ready for scanning 2 | #Usage: pyflash -c pcap.flash_load -p case:mycasename,iosource:blah,iofilename:/path/to/blah.pcap,mountpoint:/blah/blah.pcap 3 | 4 | set case=%(case)s 5 | 6 | execute Load\ Data.Load\ IO\ Data\ Source iosource=%(iosource)s subsys=standard io_filename=%(iofilename)s io_offset=0 7 | 8 | execute Load\ Data.Load\ Filesystem\ image iosource=%(iosource)s fstype=PCAP\ Filesystem mount_point=%(mountpoint)s 9 | -------------------------------------------------------------------------------- /examples/pcap.flash_scan: -------------------------------------------------------------------------------- 1 | #Scan all the stuff loaded under / 2 | #Usage: pyflash -c pcap.flash_scan -p case:mycasename 3 | 4 | set case=%(case)s 5 | 6 | execute Load\ Data.ScanFS path=/ scangroup_NetworkScanners=on scangroup_File\ Scanners=off scangroup_Compressed\ File=off scangroup_Filesystem\ Analysis=off scangroup_General\ Forensics=off final=ok scan_IRCScanner=off scan_MSNScanner=on scan_HTTPScanner=off scan_POPScanner=off scan_SMTPScanner=off scan_RFC2822=off 
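scan_PstScan=off 7 | -------------------------------------------------------------------------------- /examples/reset_case.flash: -------------------------------------------------------------------------------- 1 | #Usage: pyflash -c reset_case.flash -p case:mycasename 2 | execute Case\ Management.Remove\ case remove_case=%(case)s 3 | execute Case\ Management.Create\ new\ case create_case=%(case)s 4 | 5 | -------------------------------------------------------------------------------- /gendoc.sh: --------------------------------------------------------------------------------
#!/bin/sh
# Generate the epydoc HTML documentation for src/pyflag/ and src/plugins/
# into docs/.

# Resolve the directory this script lives in and work from there. The search
# paths below used to be built from `pwd`, so running the script from any
# other directory put that directory (and its libs/) on PYTHONPATH and
# LD_LIBRARY_PATH, and the relative src/ and docs/ paths did not resolve.
here=$(cd "$(dirname "$0")" && pwd) || exit 1
cd "$here" || exit 1

# Quoted so a checkout path containing spaces survives intact.
export PYTHONPATH="$here:$here/libs/"
# Add our libs dir to the LD_LIBRARY_PATH to run our hooker.
export LD_LIBRARY_PATH="$here/libs/"

# find hands the file names to epydoc directly, so names containing
# whitespace are not split the way an unquoted `find ...` substitution
# splits them. pyflag sources are listed before the plugins, as before.
find src/pyflag/ src/plugins/ -name '*.py' -exec \
    epydoc --html -o docs/ -n Flag -c default --inheritance grouped {} +
-------------------------------------------------------------------------------- /images/.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/.gif -------------------------------------------------------------------------------- /images/add.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/add.png -------------------------------------------------------------------------------- /images/annotate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/annotate.png -------------------------------------------------------------------------------- /images/arrow_left_grey.gif: --------------------------------------------------------------------------------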
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/arrow_left_grey.gif -------------------------------------------------------------------------------- /images/arrow_right_grey.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/arrow_right_grey.gif -------------------------------------------------------------------------------- /images/back.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/back.png -------------------------------------------------------------------------------- /images/balloon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/balloon.png -------------------------------------------------------------------------------- /images/broken.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/broken.png -------------------------------------------------------------------------------- /images/browse.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/browse.png -------------------------------------------------------------------------------- /images/button_delete.xpm: -------------------------------------------------------------------------------- 1 | /* XPM */ 2 | static char * button_delete_xpm[] = { 3 | "16 12 2 1", 4 | ". c black", 5 | " c None", 6 | " ", 7 | " .... .... ", 8 | " .... .... ", 9 | " .... .... ", 10 | " ........ ", 11 | " ...... ", 12 | " .... ", 13 | " ...... 
", 14 | " ........ ", 15 | " .... .... ", 16 | " .... .... ", 17 | " .... .... " 18 | }; 19 | -------------------------------------------------------------------------------- /images/clear_filter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/clear_filter.png -------------------------------------------------------------------------------- /images/clock.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/clock.png -------------------------------------------------------------------------------- /images/corner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/corner.png -------------------------------------------------------------------------------- /images/cornerplus.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/cornerplus.png -------------------------------------------------------------------------------- /images/decrement.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/decrement.png -------------------------------------------------------------------------------- /images/defence.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/defence.png -------------------------------------------------------------------------------- /images/delete.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/delete.png -------------------------------------------------------------------------------- /images/down.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/down.png -------------------------------------------------------------------------------- /images/edit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/edit.png -------------------------------------------------------------------------------- /images/examine.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/examine.png -------------------------------------------------------------------------------- /images/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/favicon.ico -------------------------------------------------------------------------------- /images/file-selection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/file-selection.png -------------------------------------------------------------------------------- /images/fileopen.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/fileopen.png 
-------------------------------------------------------------------------------- /images/filesave.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/filesave.png -------------------------------------------------------------------------------- /images/filter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/filter.png -------------------------------------------------------------------------------- /images/find.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/find.png -------------------------------------------------------------------------------- /images/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flag.png -------------------------------------------------------------------------------- /images/flags/00.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/00.gif -------------------------------------------------------------------------------- /images/flags/ad.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ad.gif -------------------------------------------------------------------------------- /images/flags/ae.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ae.gif -------------------------------------------------------------------------------- /images/flags/af.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/af.gif -------------------------------------------------------------------------------- /images/flags/ag.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ag.gif -------------------------------------------------------------------------------- /images/flags/ai.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ai.gif -------------------------------------------------------------------------------- /images/flags/al.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/al.gif -------------------------------------------------------------------------------- /images/flags/am.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/am.gif -------------------------------------------------------------------------------- /images/flags/an.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/an.gif -------------------------------------------------------------------------------- /images/flags/ao.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ao.gif -------------------------------------------------------------------------------- /images/flags/aq.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/aq.gif -------------------------------------------------------------------------------- /images/flags/ar.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ar.gif -------------------------------------------------------------------------------- /images/flags/as.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/as.gif -------------------------------------------------------------------------------- /images/flags/at.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/at.gif -------------------------------------------------------------------------------- /images/flags/au.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/au.gif -------------------------------------------------------------------------------- /images/flags/aw.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/aw.gif 
-------------------------------------------------------------------------------- /images/flags/az.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/az.gif -------------------------------------------------------------------------------- /images/flags/ba.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ba.gif -------------------------------------------------------------------------------- /images/flags/bb.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bb.gif -------------------------------------------------------------------------------- /images/flags/bd.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bd.gif -------------------------------------------------------------------------------- /images/flags/be.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/be.gif -------------------------------------------------------------------------------- /images/flags/bf.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bf.gif -------------------------------------------------------------------------------- /images/flags/bg.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bg.gif -------------------------------------------------------------------------------- /images/flags/bh.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bh.gif -------------------------------------------------------------------------------- /images/flags/bi.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bi.gif -------------------------------------------------------------------------------- /images/flags/bj.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bj.gif -------------------------------------------------------------------------------- /images/flags/bm.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bm.gif -------------------------------------------------------------------------------- /images/flags/bn.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bn.gif -------------------------------------------------------------------------------- /images/flags/bo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bo.gif -------------------------------------------------------------------------------- /images/flags/br.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/br.gif -------------------------------------------------------------------------------- /images/flags/bs.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bs.gif -------------------------------------------------------------------------------- /images/flags/bt.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bt.gif -------------------------------------------------------------------------------- /images/flags/bv.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bv.gif -------------------------------------------------------------------------------- /images/flags/bw.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bw.gif -------------------------------------------------------------------------------- /images/flags/by.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/by.gif -------------------------------------------------------------------------------- /images/flags/bz.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/bz.gif 
-------------------------------------------------------------------------------- /images/flags/ca.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ca.gif -------------------------------------------------------------------------------- /images/flags/cc.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/cc.gif -------------------------------------------------------------------------------- /images/flags/cd.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/cd.gif -------------------------------------------------------------------------------- /images/flags/cf.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/cf.gif -------------------------------------------------------------------------------- /images/flags/cg.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/cg.gif -------------------------------------------------------------------------------- /images/flags/ch.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ch.gif -------------------------------------------------------------------------------- /images/flags/ci.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ci.gif -------------------------------------------------------------------------------- /images/flags/ck.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ck.gif -------------------------------------------------------------------------------- /images/flags/cl.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/cl.gif -------------------------------------------------------------------------------- /images/flags/cm.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/cm.gif -------------------------------------------------------------------------------- /images/flags/cn.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/cn.gif -------------------------------------------------------------------------------- /images/flags/co.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/co.gif -------------------------------------------------------------------------------- /images/flags/com.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/com.gif -------------------------------------------------------------------------------- /images/flags/cr.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/cr.gif -------------------------------------------------------------------------------- /images/flags/cu.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/cu.gif -------------------------------------------------------------------------------- /images/flags/cv.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/cv.gif -------------------------------------------------------------------------------- /images/flags/cx.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/cx.gif -------------------------------------------------------------------------------- /images/flags/cy.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/cy.gif -------------------------------------------------------------------------------- /images/flags/cz.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/cz.gif -------------------------------------------------------------------------------- /images/flags/de.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/de.gif 
-------------------------------------------------------------------------------- /images/flags/dj.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/dj.gif -------------------------------------------------------------------------------- /images/flags/dk.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/dk.gif -------------------------------------------------------------------------------- /images/flags/dm.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/dm.gif -------------------------------------------------------------------------------- /images/flags/do.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/do.gif -------------------------------------------------------------------------------- /images/flags/dz.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/dz.gif -------------------------------------------------------------------------------- /images/flags/ec.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ec.gif -------------------------------------------------------------------------------- /images/flags/edu.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/edu.gif -------------------------------------------------------------------------------- /images/flags/ee.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ee.gif -------------------------------------------------------------------------------- /images/flags/eg.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/eg.gif -------------------------------------------------------------------------------- /images/flags/eh.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/eh.gif -------------------------------------------------------------------------------- /images/flags/es.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/es.gif -------------------------------------------------------------------------------- /images/flags/et.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/et.gif -------------------------------------------------------------------------------- /images/flags/eu.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/eu.gif -------------------------------------------------------------------------------- /images/flags/fi.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/fi.gif -------------------------------------------------------------------------------- /images/flags/fj.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/fj.gif -------------------------------------------------------------------------------- /images/flags/fk.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/fk.gif -------------------------------------------------------------------------------- /images/flags/fm.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/fm.gif -------------------------------------------------------------------------------- /images/flags/fo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/fo.gif -------------------------------------------------------------------------------- /images/flags/fr.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/fr.gif -------------------------------------------------------------------------------- /images/flags/fx.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/fx.gif 
-------------------------------------------------------------------------------- /images/flags/ga.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ga.gif -------------------------------------------------------------------------------- /images/flags/gb.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gb.gif -------------------------------------------------------------------------------- /images/flags/gd.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gd.gif -------------------------------------------------------------------------------- /images/flags/ge.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ge.gif -------------------------------------------------------------------------------- /images/flags/gf.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gf.gif -------------------------------------------------------------------------------- /images/flags/gh.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gh.gif -------------------------------------------------------------------------------- /images/flags/gi.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gi.gif -------------------------------------------------------------------------------- /images/flags/gl.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gl.gif -------------------------------------------------------------------------------- /images/flags/gm.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gm.gif -------------------------------------------------------------------------------- /images/flags/gn.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gn.gif -------------------------------------------------------------------------------- /images/flags/gov.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gov.gif -------------------------------------------------------------------------------- /images/flags/gp.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gp.gif -------------------------------------------------------------------------------- /images/flags/gq.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gq.gif -------------------------------------------------------------------------------- /images/flags/gr.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gr.gif -------------------------------------------------------------------------------- /images/flags/gt.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gt.gif -------------------------------------------------------------------------------- /images/flags/gu.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gu.gif -------------------------------------------------------------------------------- /images/flags/gw.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gw.gif -------------------------------------------------------------------------------- /images/flags/gy.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/gy.gif -------------------------------------------------------------------------------- /images/flags/hk.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/hk.gif -------------------------------------------------------------------------------- /images/flags/hm.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/hm.gif 
-------------------------------------------------------------------------------- /images/flags/hn.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/hn.gif -------------------------------------------------------------------------------- /images/flags/hr.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/hr.gif -------------------------------------------------------------------------------- /images/flags/ht.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ht.gif -------------------------------------------------------------------------------- /images/flags/hu.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/hu.gif -------------------------------------------------------------------------------- /images/flags/id.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/id.gif -------------------------------------------------------------------------------- /images/flags/ie.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ie.gif -------------------------------------------------------------------------------- /images/flags/il.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/il.gif -------------------------------------------------------------------------------- /images/flags/in.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/in.gif -------------------------------------------------------------------------------- /images/flags/int.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/int.gif -------------------------------------------------------------------------------- /images/flags/io.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/io.gif -------------------------------------------------------------------------------- /images/flags/iq.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/iq.gif -------------------------------------------------------------------------------- /images/flags/ir.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ir.gif -------------------------------------------------------------------------------- /images/flags/is.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/is.gif -------------------------------------------------------------------------------- /images/flags/it.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/it.gif -------------------------------------------------------------------------------- /images/flags/jm.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/jm.gif -------------------------------------------------------------------------------- /images/flags/jo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/jo.gif -------------------------------------------------------------------------------- /images/flags/jp.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/jp.gif -------------------------------------------------------------------------------- /images/flags/ke.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ke.gif -------------------------------------------------------------------------------- /images/flags/kg.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/kg.gif -------------------------------------------------------------------------------- /images/flags/kh.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/kh.gif 
-------------------------------------------------------------------------------- /images/flags/ki.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ki.gif -------------------------------------------------------------------------------- /images/flags/km.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/km.gif -------------------------------------------------------------------------------- /images/flags/kn.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/kn.gif -------------------------------------------------------------------------------- /images/flags/kp.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/kp.gif -------------------------------------------------------------------------------- /images/flags/kr.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/kr.gif -------------------------------------------------------------------------------- /images/flags/kw.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/kw.gif -------------------------------------------------------------------------------- /images/flags/ky.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ky.gif -------------------------------------------------------------------------------- /images/flags/kz.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/kz.gif -------------------------------------------------------------------------------- /images/flags/la.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/la.gif -------------------------------------------------------------------------------- /images/flags/lb.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/lb.gif -------------------------------------------------------------------------------- /images/flags/lc.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/lc.gif -------------------------------------------------------------------------------- /images/flags/li.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/li.gif -------------------------------------------------------------------------------- /images/flags/lk.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/lk.gif -------------------------------------------------------------------------------- /images/flags/lr.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/lr.gif -------------------------------------------------------------------------------- /images/flags/ls.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ls.gif -------------------------------------------------------------------------------- /images/flags/lt.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/lt.gif -------------------------------------------------------------------------------- /images/flags/lu.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/lu.gif -------------------------------------------------------------------------------- /images/flags/lv.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/lv.gif -------------------------------------------------------------------------------- /images/flags/ly.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ly.gif -------------------------------------------------------------------------------- /images/flags/ma.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ma.gif 
-------------------------------------------------------------------------------- /images/flags/mc.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/mc.gif -------------------------------------------------------------------------------- /images/flags/md.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/md.gif -------------------------------------------------------------------------------- /images/flags/mil.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/mil.gif -------------------------------------------------------------------------------- /images/flags/mk.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/mk.gif -------------------------------------------------------------------------------- /images/flags/ml.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ml.gif -------------------------------------------------------------------------------- /images/flags/mn.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/mn.gif -------------------------------------------------------------------------------- /images/flags/mo.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/mo.gif -------------------------------------------------------------------------------- /images/flags/mq.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/mq.gif -------------------------------------------------------------------------------- /images/flags/mr.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/mr.gif -------------------------------------------------------------------------------- /images/flags/mt.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/mt.gif -------------------------------------------------------------------------------- /images/flags/mu.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/mu.gif -------------------------------------------------------------------------------- /images/flags/mx.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/mx.gif -------------------------------------------------------------------------------- /images/flags/my.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/my.gif -------------------------------------------------------------------------------- /images/flags/mz.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/mz.gif -------------------------------------------------------------------------------- /images/flags/na.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/na.gif -------------------------------------------------------------------------------- /images/flags/ne.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ne.gif -------------------------------------------------------------------------------- /images/flags/net.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/net.gif -------------------------------------------------------------------------------- /images/flags/ng.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ng.gif -------------------------------------------------------------------------------- /images/flags/ni.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ni.gif -------------------------------------------------------------------------------- /images/flags/nl.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/nl.gif 
-------------------------------------------------------------------------------- /images/flags/no.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/no.gif -------------------------------------------------------------------------------- /images/flags/np.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/np.gif -------------------------------------------------------------------------------- /images/flags/nu.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/nu.gif -------------------------------------------------------------------------------- /images/flags/nz.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/nz.gif -------------------------------------------------------------------------------- /images/flags/om.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/om.gif -------------------------------------------------------------------------------- /images/flags/org.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/org.gif -------------------------------------------------------------------------------- /images/flags/pa.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/pa.gif -------------------------------------------------------------------------------- /images/flags/pe.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/pe.gif -------------------------------------------------------------------------------- /images/flags/pf.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/pf.gif -------------------------------------------------------------------------------- /images/flags/pg.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/pg.gif -------------------------------------------------------------------------------- /images/flags/ph.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ph.gif -------------------------------------------------------------------------------- /images/flags/pk.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/pk.gif -------------------------------------------------------------------------------- /images/flags/pl.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/pl.gif -------------------------------------------------------------------------------- /images/flags/pr.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/pr.gif -------------------------------------------------------------------------------- /images/flags/ps.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ps.gif -------------------------------------------------------------------------------- /images/flags/pt.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/pt.gif -------------------------------------------------------------------------------- /images/flags/py.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/py.gif -------------------------------------------------------------------------------- /images/flags/qa.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/qa.gif -------------------------------------------------------------------------------- /images/flags/ro.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ro.gif -------------------------------------------------------------------------------- /images/flags/ru.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ru.gif 
-------------------------------------------------------------------------------- /images/flags/rw.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/rw.gif -------------------------------------------------------------------------------- /images/flags/sa.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/sa.gif -------------------------------------------------------------------------------- /images/flags/sb.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/sb.gif -------------------------------------------------------------------------------- /images/flags/sd.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/sd.gif -------------------------------------------------------------------------------- /images/flags/se.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/se.gif -------------------------------------------------------------------------------- /images/flags/sg.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/sg.gif -------------------------------------------------------------------------------- /images/flags/si.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/si.gif -------------------------------------------------------------------------------- /images/flags/sk.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/sk.gif -------------------------------------------------------------------------------- /images/flags/sm.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/sm.gif -------------------------------------------------------------------------------- /images/flags/sn.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/sn.gif -------------------------------------------------------------------------------- /images/flags/su.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/su.gif -------------------------------------------------------------------------------- /images/flags/sv.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/sv.gif -------------------------------------------------------------------------------- /images/flags/sy.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/sy.gif -------------------------------------------------------------------------------- /images/flags/sz.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/sz.gif -------------------------------------------------------------------------------- /images/flags/tc.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/tc.gif -------------------------------------------------------------------------------- /images/flags/td.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/td.gif -------------------------------------------------------------------------------- /images/flags/tf.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/tf.gif -------------------------------------------------------------------------------- /images/flags/tg.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/tg.gif -------------------------------------------------------------------------------- /images/flags/th.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/th.gif -------------------------------------------------------------------------------- /images/flags/tj.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/tj.gif 
-------------------------------------------------------------------------------- /images/flags/tk.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/tk.gif -------------------------------------------------------------------------------- /images/flags/tm.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/tm.gif -------------------------------------------------------------------------------- /images/flags/tn.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/tn.gif -------------------------------------------------------------------------------- /images/flags/to.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/to.gif -------------------------------------------------------------------------------- /images/flags/tr.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/tr.gif -------------------------------------------------------------------------------- /images/flags/tt.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/tt.gif -------------------------------------------------------------------------------- /images/flags/tw.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/tw.gif -------------------------------------------------------------------------------- /images/flags/tz.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/tz.gif -------------------------------------------------------------------------------- /images/flags/ua.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ua.gif -------------------------------------------------------------------------------- /images/flags/uk.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/uk.gif -------------------------------------------------------------------------------- /images/flags/us.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/us.gif -------------------------------------------------------------------------------- /images/flags/uy.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/uy.gif -------------------------------------------------------------------------------- /images/flags/uz.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/uz.gif -------------------------------------------------------------------------------- /images/flags/va.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/va.gif -------------------------------------------------------------------------------- /images/flags/vc.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/vc.gif -------------------------------------------------------------------------------- /images/flags/ve.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ve.gif -------------------------------------------------------------------------------- /images/flags/vg.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/vg.gif -------------------------------------------------------------------------------- /images/flags/vi.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/vi.gif -------------------------------------------------------------------------------- /images/flags/vn.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/vn.gif -------------------------------------------------------------------------------- /images/flags/wf.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/wf.gif 
-------------------------------------------------------------------------------- /images/flags/ws.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ws.gif -------------------------------------------------------------------------------- /images/flags/ye.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ye.gif -------------------------------------------------------------------------------- /images/flags/yu.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/yu.gif -------------------------------------------------------------------------------- /images/flags/za.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/za.gif -------------------------------------------------------------------------------- /images/flags/ze.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/ze.gif -------------------------------------------------------------------------------- /images/flags/zm.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/zm.gif -------------------------------------------------------------------------------- /images/flags/zw.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/flags/zw.gif -------------------------------------------------------------------------------- /images/floppy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/floppy.png -------------------------------------------------------------------------------- /images/folder.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/folder.png -------------------------------------------------------------------------------- /images/forward.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/forward.png -------------------------------------------------------------------------------- /images/fullscreen.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/fullscreen.png -------------------------------------------------------------------------------- /images/g_back.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/g_back.png -------------------------------------------------------------------------------- /images/g_forward.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/g_forward.png -------------------------------------------------------------------------------- /images/glasses.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/glasses.png -------------------------------------------------------------------------------- /images/greenbarfill.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/greenbarfill.gif -------------------------------------------------------------------------------- /images/greenbarleft.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/greenbarleft.gif -------------------------------------------------------------------------------- /images/greenbarrgt.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/greenbarrgt.gif -------------------------------------------------------------------------------- /images/group.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/group.png -------------------------------------------------------------------------------- /images/help.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/help.png -------------------------------------------------------------------------------- /images/home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/home.png 
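-------------------------------------------------------------------------------- /images/home_grey.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/home_grey.png -------------------------------------------------------------------------------- /images/html_render.css: -------------------------------------------------------------------------------- 1 | 2 | /* These are various overlays which may be shown in html rendering. Each overlay is absolutely positioned and mostly transparent (opacity 0.2) until it is hovered. */ 3 | div.overlay { 4 | border: 1px ; /* width only: no border-style is given, so no border is drawn */ 5 | -moz-border-radius: 15px; border-radius: 15px; /* the vendor prefix needs its leading hyphen; the standard property is added for current browsers */ 6 | background: #A9CCFE; 7 | padding: 5px; 8 | margin-top: -1ex; 9 | /* legacy Gecko-only properties, reset to their initial values */ 10 | -moz-background-clip: -moz-initial; 11 | -moz-background-origin: -moz-initial; 12 | -moz-background-inline-policy: -moz-initial; 13 | opacity: 0.2; 14 | position: absolute; 15 | top: auto; 16 | width: 50ex; left: 1ex; 17 | } 18 | /* Hovering makes the overlay fully opaque and pink. */ 19 | div.overlay:hover { 20 | opacity: 1; 21 | background: pink; 22 | } /* no ';' after '}': a stray semicolon is read as part of the next selector and makes the parser drop the following rule */ 23 | /* Overlay menu and its links: same box as div.overlay, but pinned to top: 0. */ 24 | div.overlaymenu, div.overlaymenu a { 25 | border: 1px ; /* width only: no border-style is given, so no border is drawn */ 26 | -moz-border-radius: 15px; border-radius: 15px; 27 | background: #A9CCFE; 28 | padding: 5px; 29 | margin-top: -1ex; 30 | /* legacy Gecko-only properties, reset to their initial values */ 31 | -moz-background-clip: -moz-initial; 32 | -moz-background-origin: -moz-initial; 33 | -moz-background-inline-policy: -moz-initial; 34 | opacity: 0.2; 35 | position: absolute; 36 | top: 0; 37 | width: 50ex; left: 1ex; 38 | } 39 | /* Links inside the menu repeat the opacity, width and position set above. */ 40 | div.overlaymenu a { 41 | opacity: 0.2; 42 | width: 50ex; 43 | position: absolute; 44 | top: 0; 45 | } 46 | /* Hovering the menu makes it and its links fully opaque and pink. */ 47 | div.overlaymenu:hover, div.overlaymenu:hover a { 48 | opacity: 1; 49 | background: pink; 50 | } -------------------------------------------------------------------------------- /images/increment.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/increment.png -------------------------------------------------------------------------------- 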
/images/insert.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/insert.png -------------------------------------------------------------------------------- /images/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/logo.png -------------------------------------------------------------------------------- /images/metbarend.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/metbarend.gif -------------------------------------------------------------------------------- /images/metbarfill.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/metbarfill.gif -------------------------------------------------------------------------------- /images/metbarleft.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/metbarleft.gif -------------------------------------------------------------------------------- /images/msoffice.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/msoffice.png -------------------------------------------------------------------------------- /images/new_preset.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/new_preset.png 
-------------------------------------------------------------------------------- /images/next_line.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/next_line.png -------------------------------------------------------------------------------- /images/no.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/no.png -------------------------------------------------------------------------------- /images/nosearch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/nosearch.png -------------------------------------------------------------------------------- /images/page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/page.png -------------------------------------------------------------------------------- /images/pdf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/pdf.png -------------------------------------------------------------------------------- /images/pen.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/pen.png -------------------------------------------------------------------------------- /images/pie.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/pie.png 
-------------------------------------------------------------------------------- /images/print.css: -------------------------------------------------------------------------------- 1 | /* Print stylesheet (per the file name): the menu bar, page header and popup menus are hidden. */ .MenuBar, .PyFlagHeader, .PopupMenu { 2 | display: none; 3 | } 4 | 5 | #PyFlagPage, .TabContent { 6 | float: none; 7 | overflow-y: none; /* NOTE(review): `none` is not a valid overflow value, so this declaration is ignored; `visible` may be what was meant - confirm */ 8 | height: 100%; 9 | } 10 | 11 | .TabContent, iframe { 12 | float: left; /* for .TabContent this later rule overrides the float: none set above */ 13 | overflow: hidden; 14 | display: inline; 15 | height: 100%; 16 | } -------------------------------------------------------------------------------- /images/printer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/printer.png -------------------------------------------------------------------------------- /images/pyflag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/pyflag.png -------------------------------------------------------------------------------- /images/pyflag_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/pyflag_logo.png -------------------------------------------------------------------------------- /images/question.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/question.png -------------------------------------------------------------------------------- /images/realloc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/realloc.png 
-------------------------------------------------------------------------------- /images/red-plus.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/red-plus.png -------------------------------------------------------------------------------- /images/refresh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/refresh.png -------------------------------------------------------------------------------- /images/reset.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/reset.png -------------------------------------------------------------------------------- /images/reset_grey.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/reset_grey.png -------------------------------------------------------------------------------- /images/search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/search.png -------------------------------------------------------------------------------- /images/sidebarleft.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/sidebarleft.gif -------------------------------------------------------------------------------- /images/sidebarrgt.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/sidebarrgt.gif -------------------------------------------------------------------------------- /images/soriaMenuBg.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/soriaMenuBg.gif -------------------------------------------------------------------------------- /images/spacer.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/spacer.gif -------------------------------------------------------------------------------- /images/spacer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/spacer.png -------------------------------------------------------------------------------- /images/spanner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/spanner.png -------------------------------------------------------------------------------- /images/sql.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/sql.png -------------------------------------------------------------------------------- /images/stock_down-with-subpoints.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/stock_down-with-subpoints.png -------------------------------------------------------------------------------- /images/stock_first.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/stock_first.png -------------------------------------------------------------------------------- /images/stock_first_gray.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/stock_first_gray.png -------------------------------------------------------------------------------- /images/stock_home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/stock_home.png -------------------------------------------------------------------------------- /images/stock_last.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/stock_last.png -------------------------------------------------------------------------------- /images/stock_last_gray.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/stock_last_gray.png -------------------------------------------------------------------------------- /images/stock_left.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/stock_left.png -------------------------------------------------------------------------------- /images/stock_left_gray.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/stock_left_gray.png 
-------------------------------------------------------------------------------- /images/stock_next-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/stock_next-page.png -------------------------------------------------------------------------------- /images/stock_previous-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/stock_previous-page.png -------------------------------------------------------------------------------- /images/stock_right.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/stock_right.png -------------------------------------------------------------------------------- /images/stock_right_gray.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/stock_right_gray.png -------------------------------------------------------------------------------- /images/stock_timer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/stock_timer.png -------------------------------------------------------------------------------- /images/stop.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/stop.png -------------------------------------------------------------------------------- /images/tab_left.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/tab_left.gif -------------------------------------------------------------------------------- /images/tab_top_right.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/tab_top_right.gif -------------------------------------------------------------------------------- /images/toolbar-bg.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/toolbar-bg.gif -------------------------------------------------------------------------------- /images/topfill.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/topfill.jpg -------------------------------------------------------------------------------- /images/treenode_blank.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/treenode_blank.gif -------------------------------------------------------------------------------- /images/treenode_expand_minus.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/treenode_expand_minus.gif -------------------------------------------------------------------------------- /images/treenode_expand_plus.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/treenode_expand_plus.gif 
-------------------------------------------------------------------------------- /images/treenode_grid_l.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/treenode_grid_l.gif -------------------------------------------------------------------------------- /images/treenode_grid_t.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/treenode_grid_t.gif -------------------------------------------------------------------------------- /images/treenode_grid_v.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/treenode_grid_v.gif -------------------------------------------------------------------------------- /images/unknown.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/unknown.png -------------------------------------------------------------------------------- /images/up.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/up.png -------------------------------------------------------------------------------- /images/vfs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/vfs.png -------------------------------------------------------------------------------- /images/view.png: -------------------------------------------------------------------------------- 
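https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/view.png
--------------------------------------------------------------------------------
/images/whois.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/whois.png
--------------------------------------------------------------------------------
/images/yes.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/images/yes.png
--------------------------------------------------------------------------------
/pyflag.in:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | ## Launcher for FlagHTTPServer.py. The @name@ tokens look like
4 | ## configure-time placeholders (this file is a .in template).
5 | ##
6 | ## This is required in case the prefix is not /usr/ (otherwise python
7 | ## can find it itself).
8 | ## The export replaces any PYTHONPATH inherited from the caller, and every
9 | ## directory listed is searched for modules, so none of them should be
10 | ## writable by untrusted users.
11 | export PYTHONPATH=@pythondir@:@pythondir@/pyflag/:@pkgpyexec@:@pkgpyexec@/pyflag
12 | ## "$@" is quoted so that arguments containing spaces or glob characters
13 | ## reach the server unchanged instead of being re-split by the shell.
14 | exec @python@ @pkgpythondir@/FlagHTTPServer.py "$@"
15 |
--------------------------------------------------------------------------------
/pyflag_launch.in:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | ## Runs the command given on the command line with PYTHONPATH pointing at
4 | ## the PyFlag install directories.
5 | export PYTHONPATH=@pythondir@:@pythondir@/pyflag/:@pkgpyexec@:@pkgpyexec@/pyflag
6 | ## Quoted "$@" keeps each argument intact (no word splitting or globbing).
7 | exec "$@"
--------------------------------------------------------------------------------
/pyflash.in:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | ## Launcher for pyflagsh.py.
4 | ##
5 | ## This is required in case the prefix is not /usr/ (otherwise python
6 | ## can find it itself)
7 | export PYTHONPATH=@pythondir@:@pythondir@/pyflag/:@pkgpyexec@:@pkgpyexec@/pyflag
8 | ## Quoted "$@" keeps each argument intact (no word splitting or globbing).
9 | exec @python@ @pkgpythondir@/pyflagsh.py "$@"
10 |
--------------------------------------------------------------------------------
/src/FileFormats/__init__.py: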
-------------------------------------------------------------------------------- 1 | """ This Library implements a bunch of utilities to parse a number of file formats. 2 | """ 3 | -------------------------------------------------------------------------------- /src/Makefile.am: -------------------------------------------------------------------------------- 1 | SUBDIRS = lib mailtools indextools_ng network filesystems include pyflag mmedia distorm regtools 2 | 3 | my_javascript = $(shell find javascript -not -name .\*) 4 | nobase_pkgdata_DATA = $(my_javascript) 5 | EXTRA_DIST = $(nobase_pkgdata_DATA) 6 | 7 | # main pyflag (python) application 8 | ## The pyflag directory goes in the system site-packages 9 | pkgpython_PYTHON = $(shell find pyflag -maxdepth 1 -name \*.py -not -name .\* ) 10 | 11 | ## The plugins go in site-packages/pyflag/ 12 | nobase_pkgpython_PYTHON = $(shell find plugins -name \*.py -not -name .\*) \ 13 | $(shell find FileFormats -name \*.py -not -name .\*) -------------------------------------------------------------------------------- /src/distorm/Makefile.am: -------------------------------------------------------------------------------- 1 | include $(top_srcdir)/config/Makefile.rules 2 | 3 | noinst_LTLIBRARIES = pydistorm.la 4 | nodist_pkgpyexec_PYTHON = pydistorm$(PYTHON_EXTENSION) 5 | 6 | noinst_HEADERS = decoder.h instructions.h insts.h operands.h\ 7 | prefix.h pydistorm.h textdefs.h wstring.h x86defs.h 8 | 9 | pydistorm_la_SOURCES = decoder.c instructions.c operands.c pydistorm.c \ 10 | wstring.c distorm.c insts.c prefix.c textdefs.c x86defs.c 11 | pydistorm_la_CPPFLAGS = $(PYTHON_CPPFLAGS) -I$(top_srcdir)/src/include 12 | pydistorm_la_LDFLAGS = -module $(PYTHON_LDFLAGS) 13 | -------------------------------------------------------------------------------- /src/distorm/decoder.h: -------------------------------------------------------------------------------- 1 | /* 2 | decoder.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, 
http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef DECODER_H 10 | #define DECODER_H 11 | 12 | #include "config.h" 13 | 14 | #include "wstring.h" 15 | 16 | typedef unsigned int _iflags; 17 | 18 | /* DEFAULT instructions decoding mode. */ 19 | typedef enum {Decode16Bits = 0, Decode32Bits = 1, Decode64Bits = 2} _DecodeType; 20 | 21 | typedef OFFSET_INTEGER _OffsetType; 22 | 23 | typedef struct { 24 | _WString mnemonic; 25 | _WString operands; 26 | _WString instructionHex; 27 | unsigned int size; 28 | _OffsetType offset; 29 | } _DecodedInst; 30 | 31 | typedef struct { 32 | const uint8_t* code; 33 | int codeLen; 34 | _OffsetType codeOffset; 35 | } _CodeInfo; 36 | 37 | typedef enum {DECRES_NONE, DECRES_SUCCESS, DECRES_MEMORYERR, DECRES_INPUTERR} _DecodeResult; 38 | _DecodeResult internal_decode(_OffsetType codeOffset, const uint8_t* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxResultCount, unsigned int* usedEntriesCount); 39 | 40 | _DecodeType ADDR_SIZE_AFFECT(_DecodeType dt, _iflags totalPrefixes); 41 | _DecodeType OP_SIZE_AFFECT(_DecodeType dt, _iflags totalPrefixes, unsigned int rex, _iflags instFlags); 42 | 43 | #endif /* DECODER_H */ 44 | -------------------------------------------------------------------------------- /src/distorm/insts.h: -------------------------------------------------------------------------------- 1 | /* 2 | insts.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef INSTS_H 10 | #define INSTS_H 11 | 12 | #include "instructions.h" 13 | 14 | /* Root Trie DB */ 15 | extern _InstNode Instructions; 16 | /* 3DNow! Trie DB */ 17 | extern _InstNode Table_0F_0F; 18 | /* NOP/XCHG instruction. */ 19 | extern _InstInfo II_90; 20 | /* LEA instruction. 
*/ 21 | extern _InstInfo II_8D; 22 | 23 | /* See instructions.cpp for more info. */ 24 | 25 | #endif /* INSTS_H */ 26 | -------------------------------------------------------------------------------- /src/distorm/operands.h: -------------------------------------------------------------------------------- 1 | /* 2 | operands.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef OPERANDS_H 10 | #define OPERANDS_H 11 | 12 | #include "config.h" 13 | 14 | #include "decoder.h" 15 | #include "prefix.h" 16 | #include "wstring.h" 17 | #include "instructions.h" 18 | 19 | /* Return codes from extract_operand. */ 20 | typedef enum {EO_HALT, EO_CONTINUE, EO_SUFFIX} _ExOpRCType; 21 | 22 | _ExOpRCType extract_operand(_CodeInfo* ci, 23 | _WString* instructionHex, _WString* operandText, _OpType type, _OpType op2, 24 | _OperandNumberType opNum, _iflags instFlags, unsigned int modrm, 25 | _PrefixState* ps, _DecodeType dt, int* lockableInstruction); 26 | 27 | #endif /* OPERANDS_H */ 28 | -------------------------------------------------------------------------------- /src/distorm/prefix.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/src/distorm/prefix.c -------------------------------------------------------------------------------- /src/distorm/pydistorm.h: -------------------------------------------------------------------------------- 1 | /* 2 | pydistorm.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef PYDISTORM_H 10 | #define PYDISTORM_H 11 | 12 | #ifdef SUPPORT_64BIT_OFFSET 13 | /* 14 | * PyArg_ParseTuple/Py_BuildValue uses a format string in order to parse/build the offset. 
15 | * type: int 64 16 | */ 17 | #define _PY_OFF_INT_SIZE_ "K" 18 | #else 19 | #define _PY_OFF_INT_SIZE_ "k" 20 | #endif 21 | 22 | #include "decoder.h" 23 | 24 | #ifdef __GNUC__ 25 | #include 26 | #elif _MSC_VER 27 | #include 28 | #endif 29 | 30 | PyObject* distorm_Decode(PyObject* pSelf, PyObject* pArgs); 31 | 32 | char distorm_Decode_DOCSTR[] = 33 | "Disassemble a given buffer.\r\n" 34 | #ifdef SUPPORT_64BIT_OFFSET 35 | "Decode(INT64 offset, string code, int type)\r\n" 36 | #else 37 | "Decode(unsigned long offset, string code, int type)\r\n" 38 | #endif 39 | "type:\r\n" 40 | " Decode16Bits - 16 bits decoding.\r\n" 41 | " Decode32Bits - 32 bits decoding.\r\n" 42 | " Decode64Bits - AMD64 decoding.\r\n" 43 | "Returns a list of tuples of offset, size, mnemonic and hex string.\r\n"; 44 | 45 | static PyMethodDef distormModulebMethods[] = { 46 | {"Decode", distorm_Decode, METH_VARARGS, distorm_Decode_DOCSTR}, 47 | {NULL, NULL, 0, NULL} 48 | }; 49 | 50 | #endif /* PYDISTORM_H */ 51 | 52 | -------------------------------------------------------------------------------- /src/distorm/wstring.c: -------------------------------------------------------------------------------- 1 | /* 2 | wstring.c 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 
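6 | */
7 |
8 |
9 | #include "wstring.h"
10 |
11 | /*
12 |  * These helpers write into s->p, the fixed MAX_TEXT_SIZE array declared in
13 |  * wstring.h. Each one clamps to that size, so over-long input is truncated
14 |  * rather than written past the end of the array. Input that fits is copied
15 |  * together with the byte at buf[len], which callers are expected to supply
16 |  * as the terminating NUL.
17 |  */
18 |
19 | /* Copy the NUL-terminated string buf into s; s->pos becomes its length. */
20 | void _FASTCALL_ strcpy_WS(_WString* s, const int8_t* buf)
21 | {
22 |     strcpylen_WS(s, buf, (unsigned int)strlen((const char*)buf));
23 | }
24 |
25 | /* Replace the contents of s with the first len bytes of buf. */
26 | void _FASTCALL_ strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len)
27 | {
28 |     /* Largest length that still leaves room for the terminator. */
29 |     const unsigned int cap = (unsigned int)sizeof(s->p) - 1;
30 |
31 |     if (len > cap) {
32 |         /* Over-long input: keep what fits and terminate it here. */
33 |         memcpy((int8_t*)s->p, buf, cap);
34 |         s->p[cap] = '\0';
35 |         s->pos = cap;
36 |         return;
37 |     }
38 |     s->pos = len;
39 |     memcpy((int8_t*)s->p, buf, len + 1);
40 | }
41 |
42 | /* Append the first len bytes of buf at s->pos and advance s->pos. */
43 | void _FASTCALL_ strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len)
44 | {
45 |     const unsigned int cap = (unsigned int)sizeof(s->p) - 1;
46 |     unsigned int room;
47 |
48 |     /* A position beyond the array means s is already inconsistent; do not write. */
49 |     if (s->pos > cap) return;
50 |
51 |     room = cap - s->pos;
52 |     if (len > room) {
53 |         /* Not enough space left: append what fits and terminate it here. */
54 |         memcpy((int8_t*)&s->p[s->pos], buf, room);
55 |         s->p[cap] = '\0';
56 |         s->pos = cap;
57 |         return;
58 |     }
59 |     memcpy((int8_t*)&s->p[s->pos], buf, len + 1);
60 |     s->pos += len;
61 | }
62 |
--------------------------------------------------------------------------------
/src/distorm/wstring.h:
--------------------------------------------------------------------------------
1 | /*
2 | wstring.h
3 |
4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/
5 | This library is licensed under the BSD license. See the file COPYING.
6 | */
7 |
8 |
9 | #ifndef WSTRING_H
10 | #define WSTRING_H
11 |
12 | #include "config.h"
13 |
14 | /* Make sure the buffer isn't overflowed. */
15 | #define MAX_TEXT_SIZE (60)
16 |
17 | typedef struct {
18 |     unsigned int pos;
19 |     int8_t p[MAX_TEXT_SIZE];
20 | } _WString;
21 |
22 | /*
23 | * Warning, this macro should be used only when the compiler knows the size of string in advance!
24 | * This macro is used in order to spare the call to strlen when the strings are known already.
25 | * Note: sizeof includes NULL terminated character.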
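26 | */
27 | #define strcat_WSN(s, t) strcatlen_WS((s), (t), sizeof((t))-1)
28 | #define strcpy_WSN(s, t) strcpylen_WS((s), (t), sizeof((t))-1)
29 |
30 | void _FASTCALL_ strcpy_WS(_WString* s, const int8_t* buf);
31 | void _FASTCALL_ strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len);
32 | void _FASTCALL_ strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len);
33 |
34 | /* Reset s to the empty string. */
35 | _INLINE_ void strclear_WS(_WString* s)
36 | {
37 |     s->p[0] = '\0';
38 |     s->pos = 0;
39 | }
40 |
41 | /*
42 |  * Append one character to s and re-terminate it.
43 |  * The stores touch p[pos] and p[pos + 1], so the character is dropped when
44 |  * fewer than two bytes remain in the MAX_TEXT_SIZE array; this keeps both
45 |  * stores inside the buffer.
46 |  */
47 | _INLINE_ void chrcat_WS(_WString* s, uint8_t ch)
48 | {
49 |     if (s->pos >= MAX_TEXT_SIZE - 1) return;
50 |     s->p[s->pos] = ch;
51 |     s->p[s->pos + 1] = '\0';
52 |     s->pos += 1;
53 | }
54 |
55 |
56 | #endif /* WSTRING_H */
57 |
--------------------------------------------------------------------------------
/src/filesystems/Makefile.am:
--------------------------------------------------------------------------------
1 | SUBDIRS = sleuthkit magic
2 |
--------------------------------------------------------------------------------
/src/filesystems/magic/Makefile.am:
--------------------------------------------------------------------------------
1 | include $(top_srcdir)/config/Makefile.rules
2 |
3 | if HAVE_WINDOWS
4 | AM_LDFLAGS = -lmagic -lz -lregex
5 | else
6 | AM_LDFLAGS = -lmagic -lz
7 | endif
8 |
9 | noinst_LTLIBRARIES = magic.la
10 | nodist_pkgpyexec_PYTHON = magic$(PYTHON_EXTENSION)
11 | magic_la_SOURCES = py_magic.h magic.c
12 | magic_la_CPPFLAGS = $(PYTHON_CPPFLAGS)
13 | magic_la_LDFLAGS = -module -lmagic -lz $(PYTHON_LDFLAGS)
14 |
--------------------------------------------------------------------------------
/src/filesystems/sleuthkit/Makefile.am:
--------------------------------------------------------------------------------
1 | SUBDIRS = sleuthkit-2.52 python
2 |
--------------------------------------------------------------------------------
/src/filesystems/sleuthkit/auxtools/Makefile.am:
--------------------------------------------------------------------------------
1 | AM_CFLAGS = -DLINUX2 -include config.h
2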
| noinst_LTLIBRARIES = libauxtools.la 3 | libauxtools_la_SOURCES = aux_tools.h tsk_os.h XGetopt.h data_buf.c \ 4 | mymalloc.c split_at.c strerror.c tsk_endian.c \ 5 | tsk_error.c tsk_list.c tsk_parse.c tsk_printf.c \ 6 | tsk_unicode.c tsk_version.c XGetopt.c 7 | #libauxtools_la_LIBADD = ../../../lib/liboo.la 8 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/auxtools/XGetopt.h: -------------------------------------------------------------------------------- 1 | // XGetopt.h Version 1.2 2 | // 3 | // Author: Hans Dietrich 4 | // hdietrich2@hotmail.com 5 | // 6 | // This software is released into the public domain. 7 | // You are free to use it in any way you like. 8 | // 9 | // This software is provided "as is" with no expressed 10 | // or implied warranty. I accept no liability for any 11 | // damage or loss of business that this software may cause. 12 | // 13 | /////////////////////////////////////////////////////////////////////////////// 14 | 15 | #ifndef XGETOPT_H 16 | #define XGETOPT_H 17 | 18 | extern int optind, opterr; 19 | extern TCHAR *optarg; 20 | 21 | int getopt(int argc, TCHAR * argv[], TCHAR * optstring); 22 | 23 | #endif //XGETOPT_H 24 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/auxtools/strerror.c: -------------------------------------------------------------------------------- 1 | /*++ 2 | * NAME 3 | * strerror 3 4 | * SUMMARY 5 | * convert error number to string 6 | * SYNOPSIS 7 | * #include 8 | * 9 | * char *strerror(err) 10 | * int err; 11 | * DESCRIPTION 12 | * strerror() maps the specified error number to the corresponding 13 | * text. The result is in static memory and must not be changed 14 | * by the caller. 15 | * SEE ALSO 16 | * errno(2), system error numbers 17 | * LICENSE 18 | * .ad 19 | * .fi 20 | * The IBM Public Licence must be distributed with this software. 
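21 | * AUTHOR(S)
22 | * Wietse Venema
23 | * IBM T.J. Watson Research
24 | * P.O. Box 704
25 | * Yorktown Heights, NY 10598, USA
26 | *--*/
27 |
28 | /* System library. */
29 |
30 | #include
31 | #include
32 |
33 | #ifdef MISSING_STRERROR
34 |
35 | extern char *sys_errlist[];
36 | extern int sys_nerr;
37 |
38 | /*
39 |  * Fallback strerror(), compiled only when MISSING_STRERROR is defined.
40 |  * Returns the sys_errlist entry for 0 < err < sys_nerr, otherwise a pointer
41 |  * to a static "Unknown error N" string that the next such call overwrites.
42 |  */
43 | char *
44 | strerror(int err)
45 | {
46 |     /*
47 |      * Sized for the longest possible result: the prefix (sizeof counts its
48 |      * NUL) plus the sign and digits of any int, for which
49 |      * 3 * sizeof(int) + 1 characters are always enough. A fixed 20-byte
50 |      * buffer is too small once err has six or more digits, and sprintf
51 |      * does not check the destination size.
52 |      */
53 |     static char buf[sizeof("Unknown error ") + 3 * sizeof(int) + 1];
54 |
55 |     if (err < sys_nerr && err > 0) {
56 |         return (sys_errlist[err]);
57 |     }
58 |     else {
59 |         sprintf(buf, "Unknown error %d", err);
60 |         return (buf);
61 |     }
62 | }
63 |
64 | #endif
65 |
--------------------------------------------------------------------------------
/src/filesystems/sleuthkit/auxtools/tsk_version.c:
--------------------------------------------------------------------------------
1 | /*
2 | * The Sleuth Kit
3 | *
4 | * $Date: 2007/02/15 20:35:16 $
5 | */
6 | #include
7 | #include
8 | #include "aux_tools.h"
9 |
10 | void
11 | tsk_print_version(FILE * hFile)
12 | {
13 |     char *str = "The Sleuth Kit";
14 | #ifdef VER
15 |     tsk_fprintf(hFile, "%s ver %s\n", str, VER);
16 | #else
17 |     tsk_fprintf(hFile, "%s\n", str);
18 | #endif
19 |     return;
20 | }
21 |
22 | char *
23 | tskGetVersion()
24 | {
25 | #ifdef VER
26 |     return VER;
27 | #else
28 |     return "0.0";
29 | #endif
30 | }
31 |
--------------------------------------------------------------------------------
/src/filesystems/sleuthkit/fstools/fs_load.c:
--------------------------------------------------------------------------------
1 | /*
2 | * The Sleuth Kit
3 | *
4 | * $Date: 2007/04/04 18:18:55 $
5 | *
6 | * Brian Carrier [carrier@sleuthkit.org]
7 | * Copyright (c) 2005 Brian Carrier.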
All rights reserved
8 | *
9 | * This software is distributed under the Common Public License 1.0
10 | *
11 | */
12 |
13 | #include "fs_tools_i.h"
14 |
15 |
16 | /*
17 |  * File walk action that loads file content into a caller-supplied buffer
18 |  * (used to load the journal). TSK_FS_LOAD_FILE is defined in fs_tools.h.
19 |  *
20 |  * ptr is the TSK_FS_LOAD_FILE state: cur is the next write position and left
21 |  * the space remaining. Each call copies at most `left` bytes of buf, so the
22 |  * copy stays within the space recorded in that state; the walk is stopped
23 |  * once no space remains. fs, addr and flags are not used.
24 |  */
25 | uint8_t
26 | tsk_fs_load_file_action(TSK_FS_INFO * fs, DADDR_T addr, char *buf,
27 |     size_t size, TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr)
28 | {
29 |     TSK_FS_LOAD_FILE *load = (TSK_FS_LOAD_FILE *) ptr;
30 |     /* Clamp the copy to the space still free in the destination. */
31 |     size_t n = (size > load->left) ? load->left : size;
32 |
33 |     memcpy(load->cur, buf, n);
34 |     load->left -= n;
35 |     load->cur = (char *) ((uintptr_t) load->cur + n);
36 |
37 |     return (load->left > 0) ? TSK_WALK_CONT : TSK_WALK_STOP;
38 | }
39 |
--------------------------------------------------------------------------------
/src/filesystems/sleuthkit/fstools/hfs_journal.c:
--------------------------------------------------------------------------------
1 | #include "fs_tools_i.h"
2 | #include "hfs.h"
3 |
4 | /*
5 |  * HFS journal entry points are stubs: each one reports on stderr that it is
6 |  * not implemented and returns 0.
7 |  * NOTE(review): what 0 means to callers is not visible here; confirm that a
8 |  * caller cannot take it to mean the journal was opened or walked.
9 |  */
10 |
11 | uint8_t
12 | hfs_jopen(TSK_FS_INFO * fs, INUM_T inum)
13 | {
14 |     tsk_fprintf(stderr, "jopen not implemented for HFS yet");
15 |
16 |     return 0;
17 | }
18 |
19 | uint8_t
20 | hfs_jentry_walk(TSK_FS_INFO * fs, int flags, TSK_FS_JENTRY_WALK_CB action,
21 |     void *ptr)
22 | {
23 |     tsk_fprintf(stderr, "jentry_walk not implemented for HFS yet");
24 |
25 |     return 0;
26 | }
27 |
28 | uint8_t
29 | hfs_jblk_walk(TSK_FS_INFO * fs, DADDR_T start, DADDR_T end, int flags,
30 |     TSK_FS_JBLK_WALK_CB action, void *ptr)
31 | {
32 |
33 |     tsk_fprintf(stderr, "jblk_walk not implemented for HFS yet");
34 |
35 |     return 0;
36 | }
37 |
--------------------------------------------------------------------------------
/src/filesystems/sleuthkit/imgtools/DESIGN.txt:
--------------------------------------------------------------------------------
1 | The imgtools work as a set of layers so that we can have multiple
2 | formats.
The IMG_INFO that is returned by img_open is the highest 3 | layer. It corresponds to the last name in the list (i.e. raid in 4 | "split,raid"). Any request that it recieves it calculates where 5 | the data should exist and then passes that address to the next 6 | layer. The lowest layer knows where the actual image files are and 7 | reads the data. 8 | 9 | There are some limitations: 10 | - the split layer cannot have any layers below it. 11 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/imgtools/Makefile.am: -------------------------------------------------------------------------------- 1 | AM_CFLAGS = -I$(srcdir)/../auxtools -DLINUX2 -include config.h 2 | 3 | noinst_PROGRAMS = img_stat 4 | noinst_LTLIBRARIES = libimgtools.la 5 | 6 | libimgtools_la_SOURCES = img_tools.h raw.h split.h \ 7 | img_cat.c img_open.c img_types.c raw.c split.c 8 | 9 | img_stat_SOURCES = img_stat.c 10 | img_stat_LDADD = libimgtools.la ../auxtools/libauxtools.la ../../../lib/liboo.la 11 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/imgtools/raw.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * $Date: 2007/03/20 21:54:54 $ 5 | * 6 | * Brian Carrier [carrier@sleuthkit.org] 7 | * Copyright (c) 2005 Brian Carrier. 
All rights reserved 8 | */ 9 | #ifndef _RAW_H 10 | #define _RAW_H 11 | 12 | #ifdef __cplusplus 13 | extern "C" { 14 | #endif 15 | 16 | extern TSK_IMG_INFO *raw_open(const TSK_TCHAR **, TSK_IMG_INFO *); 17 | 18 | typedef struct IMG_RAW_INFO IMG_RAW_INFO; 19 | struct IMG_RAW_INFO { 20 | TSK_IMG_INFO img_info; 21 | #ifdef TSK_WIN32 22 | HANDLE fd; 23 | #else 24 | int fd; 25 | #endif 26 | OFF_T seek_pos; 27 | }; 28 | 29 | #ifdef __cplusplus 30 | } 31 | #endif 32 | #endif 33 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/imgtools/split.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * $Date: 2007/03/20 21:54:54 $ 5 | * 6 | * Brian Carrier [carrier@sleuthkit.org] 7 | * Copyright (c) 2005 Brian Carrier. All rights reserved 8 | */ 9 | 10 | #ifndef _SPLIT_H 11 | #define _SPLIT_H 12 | 13 | #ifdef __cplusplus 14 | extern "C" { 15 | #endif 16 | 17 | extern TSK_IMG_INFO *split_open(int, const TSK_TCHAR **, 18 | TSK_IMG_INFO *); 19 | 20 | #define SPLIT_CACHE 15 21 | 22 | typedef struct { 23 | #ifdef TSK_WIN32 24 | HANDLE fd; 25 | #else 26 | int fd; 27 | #endif 28 | int image; 29 | OFF_T seek_pos; 30 | } IMG_SPLIT_CACHE; 31 | 32 | typedef struct IMG_SPLIT_INFO IMG_SPLIT_INFO; 33 | 34 | struct IMG_SPLIT_INFO { 35 | TSK_IMG_INFO img_info; 36 | int num_img; 37 | const TSK_TCHAR **images; 38 | OFF_T *max_off; 39 | int *cptr; /* exists for each image - points to entry in cache */ 40 | IMG_SPLIT_CACHE cache[SPLIT_CACHE]; /* small number of fds for open images */ 41 | int next_slot; 42 | }; 43 | 44 | #ifdef __cplusplus 45 | } 46 | #endif 47 | #endif 48 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/mmtools/Makefile.am: -------------------------------------------------------------------------------- 1 | AM_CFLAGS = -I$(srcdir)/../auxtools -I$(srcdir)/../imgtools -I$(top_srcdir)/src/include 
-DLINUX2 -include config.h 2 | 3 | #bin_PROGRAMS = mmls mmstat 4 | noinst_LTLIBRARIES = libmmtools.la 5 | 6 | libmmtools_la_SOURCES = dos.h gpt.h mac.h mm_tools.h sun.h bsd.h bsd.c \ 7 | dos.c gpt.c mac.c mm_io.c mm_open.c mm_part.c \ 8 | mm_types.c sun.c 9 | 10 | #mmstat_SOURCES = mmstat.c 11 | #mmstat_LDADD = libmmtools.la ../auxtools/libauxtools.la ../imgtools/libimgtools.la ../../../lib/liboo.la 12 | # 13 | #mmls_SOURCES = mmls.c 14 | #mmls_LDADD = libmmtools.la ../auxtools/libauxtools.la ../imgtools/libimgtools.la ../../../lib/liboo.la 15 | # -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/mmtools/dos.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * $Date: 2007/04/04 18:48:46 $ 5 | * 6 | * Brian Carrier [carrier@sleuthkit.org] 7 | * Copyright (c) 2003-2005 Brian Carrier. All rights reserved 8 | * 9 | */ 10 | #ifndef _DOS_H 11 | #define _DOS_H 12 | 13 | #ifdef __cplusplus 14 | extern "C" { 15 | #endif 16 | 17 | typedef struct { 18 | uint8_t boot; 19 | uint8_t start_chs[3]; 20 | uint8_t ptype; 21 | uint8_t end_chs[3]; 22 | uint8_t start_sec[4]; 23 | uint8_t size_sec[4]; 24 | } dos_part; 25 | 26 | /* Boot Sector w/partition table */ 27 | typedef struct { 28 | uint8_t f1[3]; 29 | /* the next three are actually part of NTFS and FAT, but 30 | * we use them for sanity checks in the detect code */ 31 | char oemname[8]; 32 | uint8_t ssize[2]; /* sector size in bytes */ 33 | uint8_t csize; /* cluster size in sectors */ 34 | uint8_t filler[432]; 35 | dos_part ptable[4]; 36 | uint8_t magic[2]; 37 | } dos_sect; 38 | 39 | #define DOS_MAGIC 0xaa55 40 | #define DOS_PART_SOFFSET 0 41 | 42 | #ifdef __cplusplus 43 | } 44 | #endif 45 | #endif 46 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/mmtools/mac.h: -------------------------------------------------------------------------------- 
1 | /* 2 | * The Sleuth Kit 3 | * 4 | * $Date: 2007/04/04 18:48:46 $ 5 | * 6 | * Brian Carrier [carrier@sleuthkit.org] 7 | * Copyright (c) 2003-2005 Brian Carrier. All rights reserved 8 | * 9 | */ 10 | 11 | #ifndef _MAC_H 12 | #define _MAC_H 13 | 14 | #ifdef __cplusplus 15 | extern "C" { 16 | #endif 17 | 18 | typedef struct { 19 | uint8_t magic[2]; 20 | uint8_t reserved[2]; 21 | uint8_t pmap_size[4]; 22 | uint8_t start_sec[4]; 23 | uint8_t size_sec[4]; 24 | uint8_t name[32]; 25 | uint8_t type[32]; 26 | uint8_t data_start_sec[4]; 27 | uint8_t data_size_sec[4]; 28 | uint8_t status[4]; 29 | uint8_t boot_start_sec[4]; 30 | uint8_t boot_size_sec[4]; 31 | uint8_t boot_load_addr[4]; 32 | uint8_t reserved2[4]; 33 | uint8_t boot_entry[4]; 34 | uint8_t reserved3[4]; 35 | uint8_t boot_checksum[4]; 36 | uint8_t proc_type[16]; 37 | uint8_t reserved4[376]; 38 | } mac_part; 39 | 40 | #define MAC_MAGIC 0x504d 41 | #define MAC_PART_SOFFSET 1 42 | 43 | #define MAC_STAT_VALID 0x00 44 | #define MAC_STAT_ALLOC 0x01 45 | #define MAC_STAT_INUSE 0x02 46 | #define MAC_STAT_BOOT 0x04 47 | #define MAC_STAT_READ 0x08 48 | 49 | #ifdef __cplusplus 50 | } 51 | #endif 52 | #endif 53 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/python/Makefile.am: -------------------------------------------------------------------------------- 1 | include $(top_srcdir)/config/Makefile.rules 2 | 3 | AM_CFLAGS = -I$(top_srcdir)/src/include -I../sleuthkit-2.52 -include config.h 4 | AM_LDFLAGS = ../sleuthkit-2.52/tsk/.libs/libtsk-pf.a ../../../lib/.libs/liboo.a 5 | 6 | # This is for the sleuthkit python module 7 | noinst_LTLIBRARIES = sk.la 8 | nodist_pkgpyexec_PYTHON = sk$(PYTHON_EXTENSION) 9 | noinst_HEADERS = $(srcdir)/*.h 10 | 11 | sk_la_SOURCES = sk.c 12 | sk_la_CPPFLAGS = $(PYTHON_CPPFLAGS) 13 | sk_la_LDFLAGS = -module $(PYTHON_LDFLAGS) 14 | -------------------------------------------------------------------------------- 
/src/filesystems/sleuthkit/sleuthkit-2.52/Makefile.am: -------------------------------------------------------------------------------- 1 | SUBDIRS = tsk 2 | noinst_HEADERS = tsk/libtsk.h tsk/tsk_incs.h \ 3 | tsk/base/tsk_base.h tsk/base/tsk_os.h \ 4 | tsk/img/tsk_img.h tsk/vs/tsk_vs.h \ 5 | tsk/vs/tsk_bsd.h tsk/vs/tsk_dos.h tsk/vs/tsk_gpt.h \ 6 | tsk/vs/tsk_mac.h tsk/vs/tsk_sun.h \ 7 | tsk/fs/tsk_fs.h tsk/fs/tsk_ffs.h tsk/fs/tsk_ext2fs.h tsk/fs/tsk_fatfs.h \ 8 | tsk/fs/tsk_ntfs.h tsk/fs/tsk_iso9660.h tsk/fs/tsk_hfs.h \ 9 | tsk/hashdb/tsk_hashdb.h 10 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/docs/library-api.txt: -------------------------------------------------------------------------------- 1 | The library API documentation can be found online at: 2 | 3 | http://www.sleuthkit.org/sleuthkit/docs/api-docs/ 4 | 5 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/docs/nsrl.txt: -------------------------------------------------------------------------------- 1 | NSRL Removal Notes 2 | Sleuth Kit Reference Document 3 | http://www.sleuthkit.org 4 | 5 | Brian Carrier 6 | Last Updated: Aug 25, 2003 7 | 8 | 9 | The NSRL functionality has been temporarily removed from 'sorter' 10 | (and therefore Autopsy) until it can be better determined as to how 11 | to identify the known good and known bad files in it. It was 12 | originally thought that only software from a box was included in 13 | the NSRL and therefore everything could be trusted. This was false 14 | and there are other types of hashes in it from "Hacker Tools" and 15 | maybe rootkits in the future. 16 | 17 | This problem is not easily solved because there is not a clear 18 | taxonomy of categories in the NSRL. There are 100 different 19 | categories that tools fall into and one of which is "hacker tools". 
20 | I do not want to maintain a database of what should be "good" and 21 | what should be "bad", so until a more scalable solution is identified 22 | (besides having the user select good vs bad for 100 categories), 23 | the functionality has been removed. 24 | 25 | brian 26 | 27 | CVS Date: $Date: 2007/12/18 22:43:29 $ 28 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/docs/other.txt: -------------------------------------------------------------------------------- 1 | For more docs, refer to The Sleuth Kit Informer at: 2 | 3 | www.sleuthkit.org/informer 4 | 5 | 6 | brian 7 | 8 | CVS Date: $Date: 2007/12/18 22:43:29 $ 9 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/Makefile.am: -------------------------------------------------------------------------------- 1 | # Compile the sub directories 2 | SUBDIRS = base img vs fs hashdb 3 | 4 | # Merge the libraries into one 5 | noinst_LTLIBRARIES = libtsk-pf.la 6 | libtsk_pf_la_SOURCES = 7 | libtsk_pf_la_LIBADD = base/libtskbase.la img/libtskimg.la \ 8 | vs/libtskvs.la fs/libtskfs.la hashdb/libtskhashdb.la 9 | # current:revision:age 10 | libtsk_pf_la_LDFLAGS = -version-info 1:2:0 11 | 12 | EXTRA_DIST = tsk_tools_i.h 13 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/base/.indent.pro: -------------------------------------------------------------------------------- 1 | -kr -psl -nce -ip2 -nlp -nut 2 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/base/Makefile.am: -------------------------------------------------------------------------------- 1 | AM_CFLAGS = -I../.. 
-Wall 2 | 3 | noinst_LTLIBRARIES = libtskbase.la 4 | libtskbase_la_SOURCES = data_buf.c md5c.c mymalloc.c sha1c.c \ 5 | tsk_endian.c tsk_error.c tsk_list.c tsk_parse.c tsk_printf.c \ 6 | tsk_unicode.c tsk_version.c tsk_base_i.h 7 | 8 | libtskbase_la_LIBADD = ../../../../../lib/liboo.la 9 | 10 | EXTRA_DIST = XGetopt.c XGetopt.h .indent.pro 11 | 12 | indent: 13 | indent *.c *.h 14 | 15 | clean-local: 16 | -rm -f *.c~ *.h~ 17 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/base/XGetopt.h: -------------------------------------------------------------------------------- 1 | // XGetopt.h Version 1.2 2 | // 3 | // Author: Hans Dietrich 4 | // hdietrich2@hotmail.com 5 | // 6 | // This software is released into the public domain. 7 | // You are free to use it in any way you like. 8 | // 9 | // This software is provided "as is" with no expressed 10 | // or implied warranty. I accept no liability for any 11 | // damage or loss of business that this software may cause. 12 | // 13 | /////////////////////////////////////////////////////////////////////////////// 14 | 15 | /** \file XGetopt.h 16 | * Header info to parse arguments for win32 programs -- written by Hans Dietrich. 17 | */ 18 | 19 | #ifndef XGETOPT_H 20 | #define XGETOPT_H 21 | 22 | extern int optind, opterr; 23 | extern TCHAR *optarg; 24 | 25 | int getopt(int argc, TCHAR * argv[], TCHAR * optstring); 26 | 27 | #endif //XGETOPT_H 28 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/base/tsk_version.c: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * $Date: 2007/12/20 20:32:38 $ 5 | * 6 | * Brian Carrier [carrier@sleuthkit.org] 7 | * Copyright (c) 2007 Brian Carrier. 
All rights reserved 8 | * 9 | * This software is distributed under the Common Public License 1.0 10 | */ 11 | 12 | /** \file tsk_version.c 13 | * Contains functions to print and obtain the library version. 14 | */ 15 | 16 | #include "tsk_base_i.h" 17 | 18 | /** 19 | * Print the version to a handle. 20 | * @param hFile Handle to print to 21 | */ 22 | void 23 | tsk_print_version(FILE * hFile) 24 | { 25 | char *str = "The Sleuth Kit"; 26 | #ifdef PACKAGE_VERSION 27 | tsk_fprintf(hFile, "%s ver %s\n", str, PACKAGE_VERSION); 28 | #else 29 | tsk_fprintf(hFile, "%s\n", str); 30 | #endif 31 | return; 32 | } 33 | 34 | /** 35 | * Return the library version as a string. 36 | * @returns String version of version (1.00 for example) 37 | */ 38 | const char * 39 | tskGetVersion() 40 | { 41 | #ifdef PACKAGE_VERSION 42 | return PACKAGE_VERSION; 43 | #else 44 | return "0.0"; 45 | #endif 46 | } 47 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/fs/.indent.pro: -------------------------------------------------------------------------------- 1 | -kr -psl -nce -ip2 -nlp -nut 2 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/fs/Makefile.am: -------------------------------------------------------------------------------- 1 | AM_CFLAGS = -I../.. 
-Wall 2 | EXTRA_DIST = .indent.pro 3 | 4 | noinst_LTLIBRARIES = libtskfs.la 5 | # Note that the .h files are in the top-level Makefile 6 | libtskfs_la_SOURCES = fs_inode.c fs_io.c fs_open.c \ 7 | fs_dent.c fs_types.c fs_data.c fs_load.c tsk_fs_i.h \ 8 | ffs.c ffs_dent.c ext2fs.c ext2fs_dent.c ext2fs_journal.c \ 9 | fatfs.c fatfs_dent.c ntfs.c ntfs_dent.c swapfs.c rawfs.c \ 10 | dcalc_lib.c dcat_lib.c dls_lib.c dstat_lib.c ffind_lib.c \ 11 | fls_lib.c icat_lib.c ifind_lib.c ils_lib.c \ 12 | iso9660.c iso9660_dent.c \ 13 | hfs.c hfs_dent.c hfs_journal.c 14 | 15 | indent: 16 | indent *.c *.h 17 | 18 | clean-local: 19 | -rm -f *.c~ *.h~ 20 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/fs/fs_load.c: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * $Date: 2007/12/20 20:32:38 $ 5 | * 6 | * Brian Carrier [carrier@sleuthkit.org] 7 | * Copyright (c) 2005-2007 Brian Carrier. All rights reserved 8 | * 9 | * This software is distributed under the Common Public License 1.0 10 | * 11 | */ 12 | 13 | /** \file fs_load.c 14 | * Contains a general file walk callback that can be 15 | * used to load file content into a buffer. 
16 | */ 17 | #include "tsk_fs_i.h" 18 | 19 | 20 | /* File walk action that copies the data passed in buf into the TSK_FS_LOAD_FILE buffer given by ptr. 21 | * TSK_FS_LOAD_FILE is defined in fs_tools.h 22 | * Each call copies at most buf1->left bytes, advances cur, decrements left, and returns TSK_WALK_STOP once left reaches 0 (TSK_WALK_CONT otherwise); fs, addr and flags are not used. NOTE(review): the memcpy is bounded only by left, so the caller must set left to the space actually available at cur -- confirm at the call sites. */ 23 | 24 | TSK_WALK_RET_ENUM 25 | tsk_fs_load_file_action(TSK_FS_INFO * fs, TSK_DADDR_T addr, char *buf, 26 | size_t size, TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr) 27 | { 28 | TSK_FS_LOAD_FILE *buf1 = (TSK_FS_LOAD_FILE *) ptr; 29 | size_t cp_size; 30 | /* Clamp the copy length to the bytes still expected in the destination. */ 31 | if (size > buf1->left) 32 | cp_size = buf1->left; 33 | else 34 | cp_size = size; 35 | 36 | memcpy(buf1->cur, buf, cp_size); 37 | buf1->left -= cp_size; 38 | buf1->cur = (char *) ((uintptr_t) buf1->cur + cp_size); 39 | /* Stop the walk as soon as nothing more is expected. */ 40 | if (buf1->left > 0) 41 | return TSK_WALK_CONT; 42 | else 43 | return TSK_WALK_STOP; 44 | } 45 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/fs/hfs_journal.c: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * $Date: 2007/12/20 20:32:38 $ 5 | */ 6 | 7 | /** 8 | * \file hfs_journal.c 9 | * Contains the HFS+ journal code -- not included in code by default. 
10 | */ 11 | #include "tsk_fs_i.h" 12 | #include "tsk_hfs.h" 13 | /* Stub: opening the HFS journal is not implemented. Prints a notice to stderr and returns 0; fs and inum are not used. NOTE(review): confirm whether callers read 0 as success. */ 14 | uint8_t 15 | hfs_jopen(TSK_FS_INFO * fs, TSK_INUM_T inum) 16 | { 17 | tsk_fprintf(stderr, "jopen not implemented for HFS yet"); 18 | 19 | return 0; 20 | } 21 | /* Stub: walking HFS journal entries is not implemented. The action callback is never invoked; prints a notice to stderr and returns 0. */ 22 | uint8_t 23 | hfs_jentry_walk(TSK_FS_INFO * fs, int flags, TSK_FS_JENTRY_WALK_CB action, 24 | void *ptr) 25 | { 26 | tsk_fprintf(stderr, "jentry_walk not implemented for HFS yet"); 27 | 28 | return 0; 29 | } 30 | /* Stub: walking HFS journal blocks is not implemented. The action callback is never invoked and start/end are ignored; prints a notice to stderr and returns 0. */ 31 | uint8_t 32 | hfs_jblk_walk(TSK_FS_INFO * fs, TSK_DADDR_T start, TSK_DADDR_T end, int flags, 33 | TSK_FS_JBLK_WALK_CB action, void *ptr) 34 | { 35 | 36 | tsk_fprintf(stderr, "jblk_walk not implemented for HFS yet"); 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/hashdb/.indent.pro: -------------------------------------------------------------------------------- 1 | -kr -psl -nce -ip2 -nut 2 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/hashdb/Makefile.am: -------------------------------------------------------------------------------- 1 | AM_CFLAGS = -I../..
-Wall 2 | EXTRA_DIST = .indent.pro 3 | 4 | noinst_LTLIBRARIES = libtskhashdb.la 5 | libtskhashdb_la_SOURCES = tm_lookup.c md5sum_index.c nsrl_index.c \ 6 | hk_index.c idxonly_index.c tsk_hashdb_i.h 7 | 8 | indent: 9 | indent *.c *.h 10 | 11 | clean-local: 12 | -rm -f *.c~ *.h~ 13 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/img/.indent.pro: -------------------------------------------------------------------------------- 1 | -kr -psl -nce -ip2 -nlp -nut 2 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/img/DESIGN.txt: -------------------------------------------------------------------------------- 1 | The imgtools work as a set of layers so that we can have multiple 2 | formats. The IMG_INFO that is returned by img_open is the highest 3 | layer. It corresponds to the last name in the list (i.e. raid in 4 | "split,raid"). For any request that it receives, it calculates where 5 | the data should exist and then passes that address to the next 6 | layer. The lowest layer knows where the actual image files are and 7 | reads the data. 8 | 9 | There are some limitations: 10 | - the split layer cannot have any layers below it. 11 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/img/Makefile.am: -------------------------------------------------------------------------------- 1 | AM_CFLAGS = -I../..
-Wall 2 | EXTRA_DIST = .indent.pro DESIGN.txt 3 | 4 | noinst_LTLIBRARIES = libtskimg.la 5 | libtskimg_la_SOURCES = img_open.c img_types.c raw.c raw.h \ 6 | split.c split.h aff.c aff.h ewf.c ewf.h tsk_img_i.h 7 | 8 | indent: 9 | indent *.c *.h 10 | 11 | clean-local: 12 | -rm -f *.c~ *.h~ 13 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/img/aff.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * $Date: 2007/12/20 20:32:38 $ 5 | * 6 | * Brian Carrier [carrier@sleuthkit.org] 7 | * Copyright (c) 2005-1007 Brian Carrier. All rights reserved 8 | */ 9 | 10 | /** \file aff.h 11 | * Header files for AFF-specific data structures and functions. 12 | */ 13 | 14 | #ifndef _AFF_H 15 | #define _AFF_H 16 | 17 | #if HAVE_LIBAFFLIB 18 | 19 | #include 20 | #include 21 | 22 | extern TSK_IMG_INFO *aff_open(const char **, TSK_IMG_INFO *); 23 | 24 | /** \internal 25 | * Stores AFF-specific data 26 | */ 27 | typedef struct { 28 | TSK_IMG_INFO img_info; 29 | AFFILE *af_file; 30 | TSK_OFF_T seek_pos; 31 | uint16_t type; /* TYPE - uses AF_IDENTIFY_x values */ 32 | } IMG_AFF_INFO; 33 | 34 | #endif 35 | #endif 36 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/img/ewf.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit - Add on for EWF image support 3 | * Eye Witness Compression Format Support 4 | * 5 | * $Date: 2007/12/20 20:32:39 $ 6 | * 7 | * Joachim Metz 8 | * Copyright (c) 2006 Joachim Metz. All rights reserved 9 | * 10 | * Based on raw image support of the Sleuth Kit from 11 | * Brian Carrier. 12 | */ 13 | 14 | /** \file ewf.h 15 | * Header files for EWF-specific data structures and functions. 
16 | */ 17 | 18 | #ifndef _EWF_H 19 | #define _EWF_H 20 | 21 | #if HAVE_LIBEWF 22 | 23 | #include 24 | 25 | #ifdef __cplusplus 26 | extern "C" { 27 | #endif 28 | extern TSK_IMG_INFO *ewf_open(int, const char **, TSK_IMG_INFO *); 29 | 30 | typedef struct { 31 | TSK_IMG_INFO img_info; 32 | LIBEWF_HANDLE *handle; 33 | char md5hash[33]; 34 | int md5hash_isset; 35 | } IMG_EWF_INFO; 36 | 37 | #ifdef __cplusplus 38 | } 39 | #endif 40 | #endif 41 | #endif 42 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/img/raw.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * $Date: 2007/12/20 20:32:39 $ 5 | * 6 | * Brian Carrier [carrier@sleuthkit.org] 7 | * Copyright (c) 2005 Brian Carrier. All rights reserved 8 | */ 9 | 10 | /** \file raw.h 11 | * Contains the single raw data file-specific functions and structures. 12 | */ 13 | 14 | #ifndef _RAW_H 15 | #define _RAW_H 16 | 17 | #ifdef __cplusplus 18 | extern "C" { 19 | #endif 20 | 21 | extern TSK_IMG_INFO *raw_open(const TSK_TCHAR **, TSK_IMG_INFO *); 22 | 23 | typedef struct { 24 | TSK_IMG_INFO img_info; 25 | #ifdef TSK_WIN32 26 | HANDLE fd; 27 | #else 28 | int fd; 29 | #endif 30 | TSK_OFF_T seek_pos; 31 | } IMG_RAW_INFO; 32 | 33 | #ifdef __cplusplus 34 | } 35 | #endif 36 | #endif 37 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/img/split.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * $Date: 2007/12/20 20:32:39 $ 5 | * 6 | * Brian Carrier [carrier@sleuthkit.org] 7 | * Copyright (c) 2005 Brian Carrier. All rights reserved 8 | */ 9 | 10 | /** \file split.h 11 | * Contains the split raw data file-specific functions and structures. 
12 | */ 13 | 14 | #ifndef _SPLIT_H 15 | #define _SPLIT_H 16 | 17 | #ifdef __cplusplus 18 | extern "C" { 19 | #endif 20 | 21 | extern TSK_IMG_INFO *split_open(int, const TSK_TCHAR **, 22 | TSK_IMG_INFO *); 23 | 24 | #define SPLIT_CACHE 15 25 | 26 | typedef struct { 27 | #ifdef TSK_WIN32 28 | HANDLE fd; 29 | #else 30 | int fd; 31 | #endif 32 | int image; 33 | TSK_OFF_T seek_pos; 34 | } IMG_SPLIT_CACHE; 35 | 36 | typedef struct { 37 | TSK_IMG_INFO img_info; 38 | int num_img; 39 | const TSK_TCHAR **images; 40 | TSK_OFF_T *max_off; 41 | int *cptr; /* exists for each image - points to entry in cache */ 42 | IMG_SPLIT_CACHE cache[SPLIT_CACHE]; /* small number of fds for open images */ 43 | int next_slot; 44 | } IMG_SPLIT_INFO; 45 | 46 | #ifdef __cplusplus 47 | } 48 | #endif 49 | #endif 50 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/img/tsk_img_i.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * $Date: 2007/12/19 20:28:17 $ 5 | * 6 | * Brian Carrier [carrier@sleuthkit.org] 7 | * Copyright (c) 2005 Brian Carrier. All rights reserved 8 | */ 9 | #ifndef _TSK_IMG_I_H 10 | #define _TSK_IMG_I_H 11 | 12 | /** 13 | * \file tsk_img_i.h 14 | * Contains the internal library definitions for the disk image functions. This should 15 | * be included by the code in the img library. 
16 | */ 17 | 18 | // include the base internal header file 19 | #include "tsk/base/tsk_base_i.h" 20 | 21 | // include the external disk image header file 22 | #include "tsk_img.h" 23 | 24 | // other standard includes 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | 31 | #endif 32 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/lib/Date/Manip.pm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/src/filesystems/sleuthkit/sleuthkit-2.52/tsk/lib/Date/Manip.pm -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/libtsk.h: -------------------------------------------------------------------------------- 1 | #ifndef _TSK_LIBTSK_H 2 | #define _TSK_LIBTSK_H 3 | 4 | // include the header files for each subdir. 5 | // The _config or _incs.h files are included by base. 
6 | #include "tsk/base/tsk_base.h" 7 | #include "tsk/img/tsk_img.h" 8 | #include "tsk/vs/tsk_vs.h" 9 | #include "tsk/fs/tsk_fs.h" 10 | #include "tsk/hashdb/tsk_hashdb.h" 11 | 12 | #endif 13 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/sorter/images.sort: -------------------------------------------------------------------------------- 1 | # 2 | # $Date: 2007/12/18 22:43:53 $ 3 | # 4 | # images.sort 5 | # Save Images only 6 | # config file for Sleuth Kit sorter 7 | # 8 | # Category 9 | # If the keyword is found in the 'file' output, then the data is saved 10 | # to either the summary file or even copied if the appropriate flags are 11 | # given 12 | # 13 | # category cat_name keywords 14 | # 15 | # 16 | # Extension 17 | # If the keywords are found in the 'file' output, and the file extension 18 | # is different than the one on the file, an alert is generated 19 | # 'somewhere' 20 | # ext ext1,ext2,ext3 keywords 21 | 22 | # Images 23 | category images image data 24 | ext jpg,jpeg,jpe JPEG image data 25 | ext gif GIF image data 26 | ext tif TIFF image data 27 | ext png PNG image data 28 | 29 | category images bitmap data 30 | ext bmp PC bitmap data 31 | 32 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/stamp-h1: -------------------------------------------------------------------------------- 1 | timestamp for tsk/tsk_config.h 2 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/tsk_incs.h: -------------------------------------------------------------------------------- 1 | #ifndef _TSK_INCS_H 2 | #define _TSK_INCS_H 3 | // automatically by ./configure 4 | // Contains the config.h data needed by programs that use libtsk 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | #endif 11 | 
-------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/tsk_tools_i.h: -------------------------------------------------------------------------------- 1 | #ifndef _TSK_TOOLS_I_H 2 | #define _TSK_TOOLS_I_H 3 | 4 | /* same as tsklib.h except that it includes the base_i.h file 5 | * instead of base.h so that we can get the _config defines 6 | */ 7 | #include "tsk/base/tsk_base_i.h" 8 | #include "tsk/img/tsk_img.h" 9 | #include "tsk/vs/tsk_vs.h" 10 | #include "tsk/fs/tsk_fs.h" 11 | #include "tsk/hashdb/tsk_hashdb.h" 12 | 13 | #endif 14 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/vs/.indent.pro: -------------------------------------------------------------------------------- 1 | -kr -psl -nce -ip2 -nlp -nut 2 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/vs/Makefile.am: -------------------------------------------------------------------------------- 1 | AM_CFLAGS = -I../.. -Wall 2 | EXTRA_DIST = .indent.pro 3 | 4 | noinst_LTLIBRARIES = libtskvs.la 5 | # Note that the .h files are in the top-level Makefile 6 | libtskvs_la_SOURCES = mm_open.c mm_part.c mm_types.c mm_io.c \ 7 | bsd.c dos.c gpt.c mac.c sun.c tsk_vs_i.h 8 | 9 | indent: 10 | indent *.c *.h 11 | 12 | clean-local: 13 | -rm -f *.c~ *.h~ 14 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/vs/tsk_dos.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * $Date: 2007/12/18 22:43:53 $ 5 | * 6 | * Brian Carrier [carrier@sleuthkit.org] 7 | * Copyright (c) 2003-2005 Brian Carrier. All rights reserved 8 | * 9 | */ 10 | 11 | /** 12 | * \file tsk_dos.h 13 | * C header file with DOS and internal data structures. 
14 | */ 15 | #ifndef _TSK_DOS_H 16 | #define _TSK_DOS_H 17 | 18 | #ifdef __cplusplus 19 | extern "C" { 20 | #endif 21 | 22 | typedef struct { 23 | uint8_t boot; 24 | uint8_t start_chs[3]; 25 | uint8_t ptype; 26 | uint8_t end_chs[3]; 27 | uint8_t start_sec[4]; 28 | uint8_t size_sec[4]; 29 | } dos_part; 30 | 31 | /* Boot Sector w/partition table */ 32 | typedef struct { 33 | uint8_t f1[3]; 34 | /* the next three are actually part of NTFS and FAT, but 35 | * we use them for sanity checks in the detect code */ 36 | char oemname[8]; 37 | uint8_t ssize[2]; /* sector size in bytes */ 38 | uint8_t csize; /* cluster size in sectors */ 39 | uint8_t filler[432]; 40 | dos_part ptable[4]; 41 | uint8_t magic[2]; 42 | } dos_sect; 43 | 44 | #define DOS_MAGIC 0xaa55 45 | #define DOS_PART_SOFFSET 0 46 | 47 | #ifdef __cplusplus 48 | } 49 | #endif 50 | #endif 51 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/vs/tsk_mac.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * $Date: 2007/12/18 22:43:53 $ 5 | * 6 | * Brian Carrier [carrier@sleuthkit.org] 7 | * Copyright (c) 2003-2005 Brian Carrier. All rights reserved 8 | * 9 | */ 10 | 11 | /** 12 | * \file tsk_mac.h 13 | * C header file with Mac and internal data structures. 
14 | */ 15 | 16 | #ifndef _TSK_MAC_H 17 | #define _TSK_MAC_H 18 | 19 | #ifdef __cplusplus 20 | extern "C" { 21 | #endif 22 | 23 | typedef struct { 24 | uint8_t magic[2]; 25 | uint8_t reserved[2]; 26 | uint8_t pmap_size[4]; 27 | uint8_t start_sec[4]; 28 | uint8_t size_sec[4]; 29 | uint8_t name[32]; 30 | uint8_t type[32]; 31 | uint8_t data_start_sec[4]; 32 | uint8_t data_size_sec[4]; 33 | uint8_t status[4]; 34 | uint8_t boot_start_sec[4]; 35 | uint8_t boot_size_sec[4]; 36 | uint8_t boot_load_addr[4]; 37 | uint8_t reserved2[4]; 38 | uint8_t boot_entry[4]; 39 | uint8_t reserved3[4]; 40 | uint8_t boot_checksum[4]; 41 | uint8_t proc_type[16]; 42 | uint8_t reserved4[376]; 43 | } mac_part; 44 | 45 | #define MAC_MAGIC 0x504d 46 | #define MAC_PART_SOFFSET 1 47 | 48 | #define MAC_STAT_VALID 0x00 49 | #define MAC_STAT_ALLOC 0x01 50 | #define MAC_STAT_INUSE 0x02 51 | #define MAC_STAT_BOOT 0x04 52 | #define MAC_STAT_READ 0x08 53 | 54 | #ifdef __cplusplus 55 | } 56 | #endif 57 | #endif 58 | -------------------------------------------------------------------------------- /src/filesystems/sleuthkit/sleuthkit-2.52/tsk/vs/tsk_vs_i.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * $Date: 2007/12/19 20:28:18 $ 5 | * 6 | * Brian Carrier [carrier@sleuthkit.org] 7 | * Copyright (c) 2003-2007 Brian Carrier. All rights reserved 8 | */ 9 | 10 | /** 11 | * \file tsk_vs_i.h 12 | * Contains the internal library definitions for the volume system functions. This should 13 | * be included by the code in the volume system library. 
14 | */ 15 | #ifndef _TSK_VS_I_H 16 | #define _TSK_VS_I_H 17 | 18 | // Include the other internal TSK header files 19 | #include "tsk/base/tsk_base_i.h" 20 | #include "tsk/img/tsk_img_i.h" 21 | 22 | // include the external vs header file 23 | #include "tsk_vs.h" 24 | 25 | #include 26 | 27 | 28 | #endif 29 | -------------------------------------------------------------------------------- /src/include/Makefile.am: -------------------------------------------------------------------------------- 1 | SUBDIRS = crypto 2 | noinst_HEADERS = $(srcdir)/*.h 3 | -------------------------------------------------------------------------------- /src/include/crypto/Makefile.am: -------------------------------------------------------------------------------- 1 | noinst_HEADERS = $(srcdir)/*.h 2 | -------------------------------------------------------------------------------- /src/include/crypto/sha1.h: -------------------------------------------------------------------------------- 1 | typedef struct { 2 | unsigned long state[5]; 3 | unsigned long count[2]; 4 | unsigned char buffer[64]; 5 | } SHA_CTX; 6 | 7 | void SHA1_Transform(unsigned long state[5], unsigned char buffer[64]); 8 | int SHA1_Init(SHA_CTX* context); 9 | int SHA1_Update(SHA_CTX* context, unsigned char* data, unsigned int len); 10 | int SHA1_Final(unsigned char digest[20], SHA_CTX* context); 11 | -------------------------------------------------------------------------------- /src/include/pypacket.h: -------------------------------------------------------------------------------- 1 | #ifndef __PYPACKET_H 2 | #define __PYPACKET_H 3 | 4 | #include 5 | 6 | typedef struct { 7 | PyObject_HEAD 8 | Packet obj; 9 | } PyPacket; 10 | 11 | #endif 12 | -------------------------------------------------------------------------------- /src/indextools/Makefile.am: -------------------------------------------------------------------------------- 1 | BUILT_SOURCES = $(srcdir)/index_wrap.c 2 | SWIG_SOURCES = index.i 3 | 4 | 
pkgpython_PYTHON = index.py 5 | pkgpyexec_LTLIBRARIES = _index.la 6 | 7 | _index_la_SOURCES = $(srcdir)/index_wrap.c $(SWIG_SOURCES) index.c 8 | _index_la_CPPFLAGS = $(SWIG_PYTHON_CPPFLAGS) -I$(top_srcdir)/src/include 9 | _index_la_LDFLAGS = -module 10 | _index_la_LIBADD = ../lib/libexcept.la 11 | 12 | $(srcdir)/index_wrap.c: $(SWIG_SOURCES) 13 | $(SWIG) $(SWIG_PYTHON_OPT) -o $@ $< 14 | 15 | #clean-local: 16 | # -rm -rf index.py index_wrap.c 17 | -------------------------------------------------------------------------------- /src/indextools/test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import index 3 | 4 | i=index.index() 5 | i.add_word("hello",1) 6 | i.add_word("world",2) 7 | i.index_buffer("This is a hello world") 8 | 9 | for o in i.get_offsets(): 10 | print o.id,o.offset 11 | 12 | ##t=index.idx_new_indexing_trie() 13 | ##index.idx_add_word(t,"hello",1) 14 | ##index.idx_add_word(t,"goodbye",2) 15 | ##index.idx_index_buffer(t,"this is a test hello goodbye ") 16 | 17 | ##import struct 18 | ##result=index.get_offset_table(t) 19 | ##length=len(result)/struct.calcsize('@i') 20 | ##offsets=struct.unpack('@%si'%length,result) 21 | ##print offsets 22 | 23 | ##index.idx_free_indexing_trie(t) 24 | -------------------------------------------------------------------------------- /src/indextools_ng/Makefile.am: -------------------------------------------------------------------------------- 1 | include $(top_srcdir)/config/Makefile.rules 2 | 3 | noinst_LTLIBRARIES = index.la 4 | nodist_pkgpyexec_PYTHON = index$(PYTHON_EXTENSION) 5 | 6 | noinst_HEADERS = trie.h 7 | 8 | index_la_SOURCES = index.c trie.c test.py 9 | index_la_CPPFLAGS = $(PYTHON_CPPFLAGS) -I$(top_srcdir)/src/include 10 | index_la_LDFLAGS = -module $(PYTHON_LDFLAGS) -export-symbols-regex initindex 11 | index_la_LIBADD = ../lib/liboo.la $(PYTHON_EXTRA_LIBS) 12 | -------------------------------------------------------------------------------- 
/src/indextools_ng/test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2.4 2 | 3 | import index 4 | 5 | i=index.Index() 6 | 7 | i.add_word("[7 \w]+", 22, index.WORD_EXTENDED) 8 | i.add_word("[^0-9]\\d{1,3}.\\d{1,3}.\\d{1,3}.\\d{1,3}", 12, 1) 9 | i.add_word("li+n+u+x+", 14, 0) 10 | i.add_word("LINUS", 24, 0) 11 | i.add_word("12345", 65, 0) 12 | i.add_word(r'f[a-z]r[0-9]?s[\s]*t', 65, index.WORD_EXTENDED) 13 | i.add_word("[a-z]+", 1, index.WORD_EXTENDED) 14 | 15 | string = open("/tmp/test.evt").read() 16 | for j in range(0,1000): 17 | result = i.index_buffer(string ) 18 | for offset, tmp in result: 19 | ## Drain the queue: 20 | pass 21 | #print "%s - %s: %s" %(offset, data, string[offset:offset+length]) 22 | -------------------------------------------------------------------------------- /src/javascript/FlowPlayer.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/src/javascript/FlowPlayer.swf -------------------------------------------------------------------------------- /src/javascript/audio-player.js: -------------------------------------------------------------------------------- 1 | var ap_instances = new Array(); 2 | 3 | function ap_stopAll(playerID) { 4 | for(var i = 0;iread_random(io, buf, 2500, 1000); 17 | 18 | buf[len]=0; 19 | printf("contents %s" , buf); 20 | 21 | talloc_free(opts); 22 | 23 | return 1; 24 | }; 25 | -------------------------------------------------------------------------------- /src/lib/libsgzip/Makefile.am: -------------------------------------------------------------------------------- 1 | INCLUDES = -I$(top_srcdir)/src/include -include config.h 2 | 3 | #bin_PROGRAMS = sgzip 4 | noinst_LTLIBRARIES = libsgz.la 5 | # Stuff that should be distributed: 6 | noinst_HEADERS = $(srcdir)/*.h 7 | 8 | sgzip_LDADD = libsgz.la ../liboo.la 9 | 10 | libsgz_la_SOURCES = 
sgzlib.c 11 | libsgz_la_LDFLAGS = -lz 12 | -------------------------------------------------------------------------------- /src/lib/misc.c: -------------------------------------------------------------------------------- 1 | #include "misc.h" 2 | #include "talloc.h" 3 | #include 4 | #include 5 | #include 6 | #include "stringio.h" 7 | 8 | char *format_alloc(int x, ...) { 9 | char *format; 10 | int i, c; 11 | int count = 0; 12 | va_list ap; 13 | 14 | va_start(ap, x); 15 | do { 16 | c = va_arg(ap, int); 17 | count++; 18 | } while(c); 19 | va_end(ap); 20 | 21 | format = (char *) talloc_size(NULL, count); 22 | 23 | va_start(ap, x); 24 | for(i=0; i 7 | 8 | #ifdef __cplusplus 9 | extern "C" { 10 | #endif 11 | time_t fileTimeToUnixTime( const FILETIME *filetime, uint32_t *remainder ); 12 | 13 | char * fileTimeToAscii (const FILETIME *filetime); 14 | 15 | struct tm * fileTimeToStructTM (const FILETIME *filetime); 16 | 17 | #ifdef __cplusplus 18 | } 19 | #endif 20 | 21 | #endif 22 | -------------------------------------------------------------------------------- /src/mailtools/version.h: -------------------------------------------------------------------------------- 1 | //#define VERSION "0.6.21" 2 | -------------------------------------------------------------------------------- /src/mmedia/Makefile.am: -------------------------------------------------------------------------------- 1 | if HAVE_LIBJPEG 2 | jpeg_la_SOURCES = jpeg.c suspend.c suspend.h 3 | jpeg_la_CPPFLAGS= $(PYTHON_CPPFLAGS) -I$(top_srcdir)/src/include 4 | jpeg_la_LIBADD = ../lib/liboo.la 5 | jpeg_la_LDFLAGS = -module $(PYTHON_LDFLAGS) -ljpeg 6 | pkgpyexec_LTLIBRARIES = jpeg.la 7 | endif -------------------------------------------------------------------------------- /src/mmedia/suspend.h: -------------------------------------------------------------------------------- 1 | void suspend_memory(j_common_ptr cinfo, int row, int sector); 2 | void resume_memory(j_common_ptr cinfo); 3 | void 
*alloc_small(j_common_ptr cinfo, int pool_id, size_t sizeofobject); 4 | 5 | struct my_memory_mgr { 6 | struct jpeg_memory_mgr pub; /* public fields */ 7 | 8 | // This is for libjpegs benefit: 9 | jvirt_sarray_ptr virt_sarray_list; 10 | jvirt_barray_ptr virt_barray_list; 11 | JDIMENSION last_rowsperchunk; /* from most recent alloc_sarray/barray */ 12 | 13 | // All memory is allocated to this pool. 14 | char *pool; 15 | char *shadow_pool; 16 | 17 | // A highwater mark for pool allocations 18 | long pool_size; 19 | 20 | // This is the very end of the allocated pool. 21 | long total_space_allocated; 22 | long total_space_shadowed; 23 | 24 | // The row number where we suspended 25 | int row; 26 | 27 | // The sector where we suspended 28 | int sector; 29 | }; 30 | 31 | typedef struct my_memory_mgr *my_mem_ptr; 32 | 33 | 34 | -------------------------------------------------------------------------------- /src/network/pypcap.h: -------------------------------------------------------------------------------- 1 | #ifndef _PYPCAP_H 2 | #define _PYPCAP_H 3 | 4 | enum endianess_output { 5 | NO_ENDIANESS_CHANGE=0, 6 | FORCE_BIG_ENDIAN, 7 | FORCE_LITTLE_ENDIAN 8 | }; 9 | 10 | typedef struct { 11 | PyObject_HEAD 12 | 13 | // A buffer to be used to read from: 14 | StringIO buffer; 15 | 16 | // A python file like object - we only care that it has a read 17 | // method. We use the read method to repeatadely fill the buffer 18 | // with large chunks. 
19 | PyObject *fd; 20 | 21 | // The file header: 22 | PcapFileHeader file_header; 23 | PcapPacketHeader packet_header; 24 | StringIO dissection_buffer; 25 | 26 | // Default id to use for newly dissected packets: 27 | int packet_id; 28 | uint64_t pcap_offset; 29 | uint32_t pcap_file_id; 30 | enum endianess_output output_format; 31 | } PyPCAP; 32 | 33 | 34 | #define FILL_SIZE (1024 * 1000) 35 | 36 | #endif 37 | -------------------------------------------------------------------------------- /src/network/reassembler.h: -------------------------------------------------------------------------------- 1 | #ifndef _REASSEMBLER_H 2 | #define _REASSEMBLER_H 3 | 4 | #include 5 | 6 | typedef struct { 7 | PyObject_HEAD 8 | PyObject *packet_callback; 9 | 10 | // The main reassembler hash table: 11 | struct TCPHashTable *hash; 12 | } Reassembler; 13 | 14 | #endif 15 | -------------------------------------------------------------------------------- /src/network/reassembler_test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import _dissect 3 | import reassembler 4 | import DB 5 | 6 | hnd = reassembler.init("/var/tmp/results/") 7 | 8 | print hnd 9 | 10 | def Callback(stream): 11 | # print stream 12 | # raise IOError 13 | print "%s: %s" % (stream['con_id'], stream) 14 | 15 | reassembler.set_tcp_callback(hnd, Callback) 16 | 17 | filename = "/var/tmp/demo/ftp3.pcap" 18 | fd=open(filename) 19 | dbh = DB.DBO("demo") 20 | 21 | dbh.execute("select * from pcap order by id") 22 | for row in dbh: 23 | fd.seek(row['offset']) 24 | data = fd.read(row['length']) 25 | try: 26 | reassembler.process_tcp(hnd, data, row['id'], row['link_type']) 27 | except RuntimeError: 28 | pass 29 | 30 | reassembler.clear_stream_buffers(hnd) 31 | -------------------------------------------------------------------------------- /src/network/test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env 
python 2 | import DB 3 | 4 | import _dissect 5 | import dissect 6 | 7 | filename = "/var/tmp/demo/stdcapture_0.2.pcap" 8 | fd=open(filename) 9 | dbh = DB.DBO("demo") 10 | 11 | dbh.execute("select * from pcap where id=8") 12 | row = dbh.fetch() 13 | 14 | fd.seek(row['offset']) 15 | data = fd.read(row['length']) 16 | 17 | root=dissect.dissector(data, row['link_type'],1) 18 | print "%r" % root["tcp.seq"] 19 | 20 | ## Now we try to print the tree recursively 21 | def print_leaf(name,node): 22 | try: 23 | fields = _dissect.list_fields(node) 24 | print "Node %s" % name 25 | for field in fields: 26 | print field 27 | print_leaf("%s.%s" % (_dissect.get_name(node),field), 28 | _dissect.get_field(node, field)) 29 | 30 | except: 31 | print "%s = %r" % (name,node) 32 | 33 | print_leaf('',root.d) 34 | -------------------------------------------------------------------------------- /src/network/test_pcap.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import pypcap 3 | 4 | fd = pypcap.PyPCAP(open("/var/tmp/uploads/stdcapture_0.3.pcap")) 5 | 6 | h = fd.file_header() 7 | 8 | print h.list() 9 | 10 | print h.get_field("linktype") 11 | print h.linktype 12 | 13 | def print_tree(packet, depth=0): 14 | for i in packet.list(): 15 | print " " * depth + "%s: %s" % (i, packet.get_field(i)) 16 | try: 17 | print_tree(packet.get_field(i), depth+1) 18 | except: 19 | pass 20 | 21 | offset = fd.offset() 22 | packet = fd.next() 23 | print_tree(packet) 24 | 25 | fd.seek(offset) 26 | packet = fd.next() 27 | print_tree(packet) 28 | 29 | for p in fd: 30 | print p.ts_sec, len(p.data) 31 | packet = fd.dissect() 32 | # if packet.packet_id > 1000: break 33 | print_tree(packet) 34 | 35 | del fd 36 | -------------------------------------------------------------------------------- /src/plugins/ColumnTypes.py: -------------------------------------------------------------------------------- 1 | """ This is a collection of very useful column 
types. """ 2 | from pyflag.ColumnTypes import TimestampType, IntegerType 3 | 4 | class Date(TimestampType): 5 | """ A Column storing only the date """ 6 | def create(self): 7 | return "`%s` DATE" % self.column 8 | 9 | class Time(TimestampType): 10 | """ A Column storing only the time of day """ 11 | def create(self): 12 | return "`%s` TIME " % self.column 13 | 14 | class Float(IntegerType): 15 | """ A Float column """ 16 | def create(self): 17 | return "`%s` FLOAT " %self.column 18 | 19 | class EpochTimestamp(TimestampType): 20 | """ A Column storing a timestamp as an integer from the epoch time """ 21 | def insert(self, value): 22 | return "_"+self.column, "from_unixtime(%r)" % value 23 | 24 | ## Import the unit tests so they are picked up by the registry: 25 | from pyflag.ColumnTypes import ColumnTypeTests 26 | -------------------------------------------------------------------------------- /src/plugins/Flash/HTTPCommands.py: -------------------------------------------------------------------------------- 1 | import pyflag.pyflagsh as pyflagsh 2 | import pyflag.DB as DB 3 | 4 | class http_parameters(pyflagsh.command): 5 | """ Display all the http parameters associated with the inode id provided """ 6 | def execute(self): 7 | args = self.args 8 | dbh = DB.DBO(self.environment._CASE) 9 | dbh.execute("select `key`,value from http_parameters where inode_id=%r", args[0]) 10 | yield "Key,Value" 11 | yield "---------" 12 | for row in dbh: 13 | yield "%s: %s" % (row['key'], row['value'][:100]) 14 | -------------------------------------------------------------------------------- /src/plugins/Flash/LogFlash.py: -------------------------------------------------------------------------------- 1 | import pyflag.pyflagsh as pyflagsh 2 | import pyflag.LogFile as LogFile 3 | import pyflag.DB as DB 4 | 5 | class drop_log_preset(pyflagsh.command): 6 | """ Delete a log preset """ 7 | def help(self): 8 | return "Delete the given log preset and all the tables which use it 
(DANGEROUS)" 9 | 10 | def execute(self): 11 | for preset in self.args: 12 | yield "Deleting preset %s" % preset 13 | LogFile.drop_preset(preset) 14 | 15 | def complete(self, text, state): 16 | dbh = DB.DBO() 17 | dbh.execute("select name from log_presets") 18 | presets = [ row['name'] for row in dbh ] 19 | return self.complete_from_list(text, state, presets) 20 | 21 | class delete_log_table(pyflagsh.command): 22 | """ Delete the given log tables in the current case (DANGEROUS) """ 23 | def execute(self): 24 | for table in self.args: 25 | yield "Deleting table %s" % table 26 | 27 | LogFile.drop_table(self.environment._CASE, table) 28 | 29 | def complete(self, text, state): 30 | dbh = DB.DBO(self.environment._CASE) 31 | dbh.execute("select table_name from log_tables") 32 | tables = [ row['table_name'] for row in dbh ] 33 | return self.complete_from_list(text, state, tables) 34 | -------------------------------------------------------------------------------- /src/plugins/LogAnalysis/__init__.py: -------------------------------------------------------------------------------- 1 | """ This module implements the log analysis functionality within flag """ 2 | -------------------------------------------------------------------------------- /src/plugins/NetworkForensics/ProtocolHandlers/WebMail.py: -------------------------------------------------------------------------------- 1 | """ This module deals with webmail generically. 2 | 3 | The way webmail is parsed within PyFlag is as follows: 4 | 5 | - Each message is a new object (The data may correspond with the main 6 | text part of the message or it may be empty, it is also an anchor 7 | point for part objects. The URN of the message object is made unique 8 | by way of the message id (most webmail services have a way to indicate 9 | a unique id for each message). 
10 | 11 | - The message object contains the following database table entry: 12 | From email, to email, subject, sent, type, service 13 | 14 | - Parts are specific object attachments or parts. Attachments are 15 | usually also parts. 16 | """ 17 | -------------------------------------------------------------------------------- /src/plugins/NetworkForensics/ProtocolHandlers/__dont_descend__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/src/plugins/NetworkForensics/ProtocolHandlers/__dont_descend__.py -------------------------------------------------------------------------------- /src/plugins/NetworkForensics/ProtocolHandlers/__init__.py: -------------------------------------------------------------------------------- 1 | """ Various protocol handlers """ 2 | -------------------------------------------------------------------------------- /src/plugins/NetworkForensics/ProtocolHandlers/mms/AUTHORS: -------------------------------------------------------------------------------- 1 | Francois Aucamp 2 | -------------------------------------------------------------------------------- /src/plugins/NetworkForensics/__init__.py: -------------------------------------------------------------------------------- 1 | """ This module add support for network forensics for pyflag """ 2 | -------------------------------------------------------------------------------- /src/plugins/TableRenderers/__init__.py: -------------------------------------------------------------------------------- 1 | """ These table renderers are responsible for exporting a table into 2 | an external format 3 | """ 4 | -------------------------------------------------------------------------------- /src/plugins/Themes/XML.py: -------------------------------------------------------------------------------- 1 | """ A basic XML Theme support files """ 2 | 3 | import pyflag.Reports as 
Reports 4 | import pyflag.Registry as Registry 5 | 6 | class Schema(Reports.report): 7 | name = "List" 8 | family = "Introspection" 9 | hidden = True 10 | parameters = {'object':'any'} 11 | 12 | def display(self, query, result): 13 | obj = query['object'] 14 | if obj=='report families': 15 | for f in Registry.REPORTS.get_families(): 16 | result.row(f) 17 | -------------------------------------------------------------------------------- /src/plugins/Themes/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/src/plugins/Themes/__init__.py -------------------------------------------------------------------------------- /src/plugins/Tools/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/src/plugins/Tools/__init__.py -------------------------------------------------------------------------------- /src/plugins/UnitTests.py: -------------------------------------------------------------------------------- 1 | ## This is a hack to make unit tests from the main code appear in the 2 | ## plugins for the tester to use it: 3 | from pyflag.Store import StoreTests 4 | from pyflag.FileSystem import VFSTests 5 | -------------------------------------------------------------------------------- /src/plugins/Urwid/__dont_descend__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/src/plugins/Urwid/__dont_descend__.py -------------------------------------------------------------------------------- /src/plugins/Urwid/__init__.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/src/plugins/Urwid/__init__.py -------------------------------------------------------------------------------- /src/plugins/__init__.py: -------------------------------------------------------------------------------- 1 | """Plugins for pyflag go in this directory. 2 | 3 | When pyflag is first executed, it searches for plugins in the following places: 4 | 1. In a directory called plugins in the current directory 5 | 2. In the directory marked by the PLUGINS parameter in the configuration file 6 | 3. In the pyflag/plugins module directory if installed in the system 7 | 8 | NOTE: 9 | 10 | 1. Plugins should never execute DB code directly - it's OK to use an if 11 | __name__=='__main__' type clause, but otherwise you should just have 12 | class definitions. This is because the module may be loaded several 13 | times and at different points during start-up (e.g. before forking - if 14 | you cause db handles to be opened before forking, this can cause db 15 | pool corruption). 16 | 17 | 2. You can define Event handlers to deal with incremental schema 18 | upgrades (add columns, check for tables, etc.). These checks can be 19 | launched from the startup() method. 
20 | """ 21 | -------------------------------------------------------------------------------- /src/plugins_old/DiskForensics/__init__.py: -------------------------------------------------------------------------------- 1 | """ This module implements the Disk Forensics functionality within flag """ 2 | -------------------------------------------------------------------------------- /src/plugins_old/FileFormats/__init__.py: -------------------------------------------------------------------------------- 1 | ## 2 | -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/README: -------------------------------------------------------------------------------- 1 | This module is pyflag's interface to volatility. To use this you will 2 | need to download volatility 1.3 and untar it into this directory 3 | (i.e. have a directory called 4 | src/plugins/MemoryForensics/Volatility-1.3_Linux_rc.1/ with the 5 | volatility package in it). 6 | 7 | -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/AUTHORS.txt: -------------------------------------------------------------------------------- 1 | Volatility authors: 2 | 3 | AAron Walters 4 | Volatile Systems LLC 5 | 6 | Brendan Dolan-Gavitt 7 | 8 | Volatools Basic authors: 9 | 10 | AAron Walters 11 | Komoku, Inc. 12 | 13 | Nick L. Petroni, Jr. 14 | Komoku, Inc. 
15 | -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/CREDITS.txt: -------------------------------------------------------------------------------- 1 | Contributors (alphabetical) 2 | ------------ 3 | 4 | We would like to acknowledge individuals that have made significant 5 | contributions, code and ideas, to the Volatility Framework: 6 | 7 | Harlan Carvey 8 | Michael Cohen 9 | Brendan Dolan-Gavitt 10 | Andreas Schuster 11 | Matthieu Suiche 12 | 13 | We would also like to acknowledge those who have provided valuable 14 | feedback, bug reports, and testing: 15 | 16 | Jide Abu 17 | Joseph Ayo Akinyele 18 | Tommaso Assandri 19 | Eoghan Casey 20 | Angelo Cavallini 21 | Jon Evans 22 | Robert Guess 23 | Jesse Kornblum 24 | Jamie Levy 25 | Eugene Libster 26 | Erik Ligda 27 | Tony Martin 28 | Timothy Morgan 29 | Golden G. Richard III 30 | Sam F. Stover 31 | -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/LEGAL.txt: -------------------------------------------------------------------------------- 1 | Volatility 2 | =============== 3 | 4 | License 5 | ------- 6 | 7 | Copyright (C) 2007,2008 Volatile Systems 8 | 9 | Original Source: 10 | Copyright (C) 2007 Komoku, Inc. 11 | 12 | Volatility is free software; you can redistribute it and/or 13 | modify it under the terms of the GNU General Public License 14 | as published by the Free Software Foundation; either version 2 15 | of the License, or (at your option) any later version. 16 | 17 | Volatility is distributed in the hope that it will be useful, 18 | but WITHOUT ANY WARRANTY; without even the implied warranty of 19 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 20 | GNU General Public License for more details. 
21 | 22 | You should have received a copy of the GNU General Public License 23 | along with this program; if not, write to the Free Software 24 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, 25 | USA. 26 | 27 | -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/PKG-INFO: -------------------------------------------------------------------------------- 1 | Metadata-Version: 1.0 2 | Name: Volatility 3 | Version: 1.3_Linux_rc.1 4 | Summary: Volatility -- Volatile memory framwork 5 | Home-page: http://www.volatilesystems.com 6 | Author: AAron Walters 7 | Author-email: awalters@volatilesystems.com 8 | License: GPL 9 | Description: UNKNOWN 10 | Platform: UNKNOWN 11 | -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/__init__.py -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/linux/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/linux/__init__.py -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/utils.py: -------------------------------------------------------------------------------- 1 | import forensics.registry as registry 2 | 3 | def load_as(opts): 4 | base_as = None 5 | while 1: 6 | print "Voting round" 7 | found 
= False 8 | for cls in registry.AS_CLASSES.classes: 9 | print "Trying %s " % cls 10 | try: 11 | base_as = cls(base_as, opts.__dict__) 12 | print "Succeeded instantiating %s" % base_as 13 | found = True 14 | break 15 | except AssertionError,e: 16 | continue 17 | 18 | ## A full iteration through all the classes without anyone 19 | ## selecting us means we are done: 20 | if not found: break 21 | 22 | return base_as 23 | 24 | 25 | -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/win32/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/win32/__init__.py -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/win32/lists.py: -------------------------------------------------------------------------------- 1 | from forensics.object2 import * 2 | from forensics.object import get_obj_offset 3 | 4 | def list_entry(vm, types, profile, head, objname, 5 | offset=-1, fieldname=None, forward=True): 6 | """Traverse a _LIST_ENTRY. 7 | 8 | Traverses a _LIST_ENTRY starting at virtual address head made up of 9 | objects of type objname. 
The value of offset should be set to the 10 | offset of the _LIST_ENTRY within the desired object.""" 11 | 12 | seen = set() 13 | 14 | if fieldname: 15 | offset,typ = get_obj_offset(types, [objname,fieldname]) 16 | if typ != "_LIST_ENTRY": 17 | print ("WARN: given field is not a LIST_ENTRY, attempting to " 18 | "continue anyway.") 19 | 20 | lst = NewObject("_LIST_ENTRY", head, vm, profile=profile) 21 | seen.add(lst) 22 | if not lst.is_valid(): return 23 | while True: 24 | if forward: 25 | lst = lst.Flink.dereference() 26 | else: 27 | lst = lst.Blink.dereference() 28 | 29 | if not lst.is_valid(): return 30 | 31 | if lst in seen: break 32 | else: seen.add(lst) 33 | obj = NewObject(objname, lst.offset - offset, vm, profile=profile) 34 | yield obj 35 | -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/win32/meta_info.py: -------------------------------------------------------------------------------- 1 | # Volatility 2 | # Copyright (C) 2007,2008 Volatile Systems 3 | # 4 | # This program is free software; you can redistribute it and/or modify 5 | # it under the terms of the GNU General Public License as published by 6 | # the Free Software Foundation; either version 2 of the License, or (at 7 | # your option) any later version. 8 | # 9 | # This program is distributed in the hope that it will be useful, but 10 | # WITHOUT ANY WARRANTY; without even the implied warranty of 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | # General Public License for more details. 
13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program; if not, write to the Free Software 16 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 17 | # 18 | 19 | """ 20 | @author: AAron Walters 21 | @license: GNU General Public License 2.0 or later 22 | @contact: awalters@volatilesystems.com 23 | @organization: Volatile Systems LLC 24 | """ 25 | 26 | # Global Variables 27 | DirectoryTableBase = "" 28 | KernelAddressSpace = "" 29 | 30 | def set_dtb(dtb): 31 | global DirectoryTableBase 32 | DirectoryTableBase = dtb 33 | 34 | def set_kas(kas): 35 | global KernelAddressSpace 36 | KernelAddressSpace = kas 37 | 38 | def set_datatypes(datatypes): 39 | global DataTypes 40 | DataTypes = datatypes 41 | -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/win32/regtypes.py: -------------------------------------------------------------------------------- 1 | # Volatility 2 | # Copyright (c) 2008 Volatile Systems 3 | # Copyright (c) 2008 Brendan Dolan-Gavitt 4 | # 5 | # This program is free software; you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation; either version 2 of the License, or (at 8 | # your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, but 11 | # WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | # General Public License for more details. 
14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program; if not, write to the Free Software 17 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 18 | # 19 | 20 | """ 21 | @author: Brendan Dolan-Gavitt 22 | @license: GNU General Public License 2.0 or later 23 | @contact: bdolangavitt@wesleyan.edu 24 | """ 25 | 26 | regtypes = { 27 | } 28 | -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/memory_plugins/address_spaces/ewf.py: -------------------------------------------------------------------------------- 1 | """ This Address Space allows us to open ewf files """ 2 | import standard 3 | 4 | try: 5 | ## We must have this module or we dont activate ourselves 6 | import pyewf 7 | 8 | class EWFAddressSpace(standard.FileAddressSpace): 9 | """ An EWF capable address space. 10 | 11 | In order for us to work we need: 12 | 1) There must be a base AS. 
13 | 2) The first 6 bytes must be 45 56 46 09 0D 0A (EVF header) 14 | """ 15 | order = 20 16 | def __init__(self, base, opts): 17 | assert(base) 18 | assert(base.read(0,6) == "\x45\x56\x46\x09\x0D\x0A") 19 | self.name = self.fname = opts['filename'] 20 | self.fhandle = pyewf.open([self.name]) 21 | self.mode = 'rb' 22 | self.fhandle.seek(0,2) 23 | self.fsize = self.fhandle.tell() 24 | self.fhandle.seek(0) 25 | 26 | def is_valid_address(self, addr): 27 | return True 28 | 29 | except ImportError: 30 | pass 31 | 32 | -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/setup.py: -------------------------------------------------------------------------------- 1 | #/usr/bin/env python 2 | 3 | from distutils.core import setup 4 | from distutils.extension import Extension 5 | 6 | setup( name = "Volatility", 7 | version = "1.3_Linux_rc.1", 8 | description = "Volatility -- Volatile memory framwork", 9 | author = "AAron Walters", 10 | author_email = "awalters@volatilesystems.com", 11 | url = "http://www.volatilesystems.com", 12 | license = "GPL", 13 | packages = ["forensics", "forensics.win32","memory_plugins","memory_objects","memory_objects.Linux","memory_objects.Windows","thirdparty","memory_plugins.Linux","forensics.linux","profiles","profiles.2_6_18-8_1_15_el5"], 14 | ) 15 | -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/thirdparty/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/src/plugins_old/MemoryForensics/Volatility-1.3_Linux_rc.1/thirdparty/__init__.py -------------------------------------------------------------------------------- /src/plugins_old/MemoryForensics/__Dont_Descend__.py: 
-------------------------------------------------------------------------------- 1 | ## This is a marker to tell the registry to not descend subdirs here -------------------------------------------------------------------------------- /src/plugins_old/NetworkForensics/ProtocolHandlers/VOIP.py: -------------------------------------------------------------------------------- 1 | """ This module identifies VOIP streams by performing traffic analysis 2 | """ 3 | import pyflag.FlagFramework as FlagFramework 4 | from pyflag.ColumnTypes import StringType, TimestampType, AFF4URN 5 | 6 | active = False 7 | 8 | class VOIPTable(FlagFramework.CaseTable): 9 | """ Store information about VOIP streams """ 10 | name = 'voip' 11 | columns = [ [ AFF4URN, {} ], 12 | [ StringType, dict(name = 'Service', column = 'service')], 13 | [ TimestampType, dict(name = 'Start Time', column='start')], 14 | [ TimestampType, dict(name = 'End Time', column='end')], 15 | [ AFF4URN, dict(name = "Decoded", column = 'decoded')] 16 | ] 17 | 18 | import pyflag.Reports as Reports 19 | 20 | class VOIPSessions(Reports.PreCannedCaseTableReports): 21 | """ View voip sessions detected """ 22 | family = 'Network Forensics' 23 | description = 'View VOIP sessions' 24 | name = "/Network Forensics/Communications/VOIP/Sessions" 25 | default_table = 'voip' 26 | columns = [ 'Inode', 'ConnectionDetailsTable.Source IP', 27 | 'ConnectionDetailsTable.Destination IP', 28 | 'Start Time', 'End Time', 'Service', 'Decoded' ] 29 | -------------------------------------------------------------------------------- /src/plugins_old/aff4/README: -------------------------------------------------------------------------------- 1 | This is the python implementation of the Advanced Forensic File Format 4 (AFF4). 
-------------------------------------------------------------------------------- /src/plugins_old/aff4/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/src/plugins_old/aff4/__init__.py -------------------------------------------------------------------------------- /src/plugins_old/aff4/pyflag_attributes.py: -------------------------------------------------------------------------------- 1 | """ These are specific attributes used by PyFlag """ 2 | ## PyFlag specific attributes 3 | PYFLAG_NS = "urn:pyflag:" 4 | PYFLAG_STREAM = PYFLAG_NS + "streams:" 5 | PYFLAG_REVERSE_STREAM = PYFLAG_STREAM + "reverse" 6 | PYFLAG_TYPE = PYFLAG_NS + "type_hint" 7 | -------------------------------------------------------------------------------- /src/plugins_old/aff4/tdb_dump.py: -------------------------------------------------------------------------------- 1 | """ This program lists the attrbiutes for a particular URN """ 2 | import tdb_resolver, aff4 3 | from optparse import OptionParser 4 | import sys 5 | 6 | aff4.oracle = tdb_resolver.TDBResolver() 7 | 8 | try: 9 | print aff4.oracle.export(sys.argv[1]) 10 | except IndexError: 11 | print aff4.oracle.export_all() 12 | -------------------------------------------------------------------------------- /src/pyflag/Carvers/Makefile: -------------------------------------------------------------------------------- 1 | all: pdf_tests 2 | 3 | pdf_tests: test?.dd 4 | for f in test?.dd; do \ 5 | ## Create an index of PDF objects \ 6 | python pdf_carver.py -c -i $$f.idx $$f && \ 7 | ## Coalesce maps \ 8 | rm -f *.map && python pdf_carver.py -m -i $$f.idx $$f && \ 9 | ## Brute force the discontinueties \ 10 | ls *-*.map && python pdf_carver.py -M *-*.map -f $$f.pdf $$f && \ 11 | ## Check that its ok: \ 12 | cmp $$f.pdf sample.pdf ; \ 13 | rm *.map $$f.idx ;\ 14 | done 15 | 16 | test?.dd: test_maps/map?.map 17 | 
for i in `seq 1 3`; do python Tester.py \ 18 | -m test_maps/map$${i}.map -w test$${i}.dd sample.pdf; done 19 | 20 | clean: 21 | rm -f test?.dd* *.map -------------------------------------------------------------------------------- /src/pyflag/Carvers/test_maps/map1.map: -------------------------------------------------------------------------------- 1 | ## A simple out-of-order transposition: the first 10k of the file is 2 | ## exchanged with the second 10k of the file. 3 | 4 | ## This is a test map for the image generator. Format is Fileoffset, 5 | ## image offset, comment. The function is forward interpolated. 6 | 7 | 0 10240 Start of file 8 | 10240 0 Start of image 9 | 20480 20480 -------------------------------------------------------------------------------- /src/pyflag/Carvers/test_maps/map2.map: -------------------------------------------------------------------------------- 1 | ## Simple insertion fragmentation: after 10k of file, 10k of junk is 2 | ## inserted, then the rest of the file: 3 | 4 | 0 0 Start of file 5 | 10240 20480 continuation of file (skip 10k) 6 | -------------------------------------------------------------------------------- /src/pyflag/Carvers/test_maps/map3.map: -------------------------------------------------------------------------------- 1 | ## Junk at start, 10kb of data from offset 20kb, 10kb of junk and the 2 | ## first 10kb of data (transposition and insertion). 
3 | 4 | 0 30720 File starts 5 | 10240 10240 Next 10k out of order 6 | 20480 40960 Rest of file 7 | -------------------------------------------------------------------------------- /src/pyflag/Carvers/test_maps/unit.map: -------------------------------------------------------------------------------- 1 | 0 0 Unit map 2 | 622208 622208 End -------------------------------------------------------------------------------- /src/pyflag/Makefile.am: -------------------------------------------------------------------------------- 1 | nobase_pkgpython_PYTHON = $(shell find yapps -name \*.py -not -name .\*) \ 2 | $(shell find Carvers -name \*.py -not -name .\*) \ 3 | $(shell find dateutil -name \*.py -not -name .\*) -------------------------------------------------------------------------------- /src/pyflag/Packets.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | """ File to define a base class for packet handlers. 3 | 4 | Packet handlers are similar to scanners but are invoked for each 5 | miscellaneous packet. 
6 | """ 7 | 8 | class PacketHandler: 9 | """ Base class for handling individual packets """ 10 | order = 10 11 | def __init__(self, case): 12 | self.case = case 13 | 14 | def handle(self, packet): 15 | """ Abstract method for implementation """ 16 | 17 | -------------------------------------------------------------------------------- /src/pyflag/XMLUI.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import pyflag.HTMLUI as HTMLUI 3 | import pyflag.DB as DB 4 | import pyflag.conf 5 | import pyflag.pyflaglog as pyflaglog 6 | import pyflag.FlagFramework as FlagFramework 7 | config=pyflag.conf.ConfObject() 8 | import time,re 9 | import pyflag.TableObj as TableObj 10 | import pyflag.parser as parser 11 |
class XMLUI(HTMLUI.HTMLUI):
    """ UI class derived from HTMLUI.HTMLUI that overrides display, heading and para.

    heading and para both append their text to self.result without any
    escaping in this class. Text shown by a forensic UI can originate from
    the evidence under analysis, so whatever serialises self.result has to
    escape it for the output format.
    NOTE(review): the format strings in this listing are a bare "%s"; any
    markup around them may have been lost when the page was extracted -
    confirm against the repository.
    """
    def display(self):
        """ Return the rendered output, which is whatever self.__str__() produces. """
        return self.__str__()

    def heading(self, string):
        """ Append string to self.result. """
        self.result += "%s" % string

    def para(self, string, **options):
        """ Append string to self.result; the keyword options are accepted but not used here. """
        self.result += "%s" % string

-------------------------------------------------------------------------------- /src/pyflag/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | """ Package pyFlag. 3 | 4 | PyFlag is the python implementation of FLAG- The Forensic and Log Analysis GUI. A package used to for the rapid and accurate analysis of forensic data. 
5 | """ 6 | -------------------------------------------------------------------------------- /src/pyflag/attributes.py: -------------------------------------------------------------------------------- 1 | ## Some private AFF4 namespace objects 2 | PYFLAG_NS = "http://www.pyflag.net/" 3 | PYFLAG_RDFTYPE = PYFLAG_NS + "pickle" 4 | PYFLAG_CASE = PYFLAG_NS + "case" 5 | 6 | PYFLAG_REVERSE_STREAM = PYFLAG_NS + "tcp/reverse" 7 | -------------------------------------------------------------------------------- /src/pyflag/dateutil/__init__.py: -------------------------------------------------------------------------------- 1 | """ 2 | Copyright (c) 2003-2007 Gustavo Niemeyer 3 | 4 | This module offers extensions to the standard python 2.3+ 5 | datetime module. 6 | """ 7 | __author__ = "Gustavo Niemeyer " 8 | __license__ = "PSF License" 9 | __version__ = "1.3" 10 | -------------------------------------------------------------------------------- /src/pyflag/dateutil/parser.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/py4n6/pyflag/4e69641823c11be0bf2223738723ab90112afea1/src/pyflag/dateutil/parser.py -------------------------------------------------------------------------------- /src/pyflag/yapps/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # empty 3 | -------------------------------------------------------------------------------- /src/regtools/Makefile.am: -------------------------------------------------------------------------------- 1 | include $(top_srcdir)/config/Makefile.rules 2 | 3 | if !HAVE_WINDOWS 4 | bin_PROGRAMS = reglookup 5 | nodist_pkgpyexec_PYTHON = pyregistry$(PYTHON_EXTENSION) 6 | endif 7 | 8 | noinst_LTLIBRARIES = libreg.la pyregistry.la 9 | 10 | libreg_la_SOURCES = lru_cache.c range_list.c regfi.c smb_deps.c void_stack.c 11 | libreg_la_LIBADD = ../lib/liboo.la -lm 12 | 13 | pyregistry_la_CPPFLAGS = 
$(PYTHON_CPPFLAGS) -I$(top_srcdir)/src/include 14 | pyregistry_la_LDFLAGS = -module $(PYTHON_LDFLAGS) -export-symbols-regex initindex 15 | pyregistry_la_LIBADD = ../lib/liboo.la $(PYTHON_EXTRA_LIBS) libreg.la 16 | 17 | reglookup_SOURCES = reglookup.c 18 | reglookup_LDADD = ../lib/liboo.la -lm libreg.la 19 | 20 | noinst_HEADERS = $(srcdir)/*.h 21 | 22 | -------------------------------------------------------------------------------- /src/regtools/README: -------------------------------------------------------------------------------- 1 | This is a fork on reglookup 0.9.0 with heavy code modifications. The latest version can be found here http://projects.sentinelchicken.org/reglookup/. 2 | 3 | Original Copyright Tim Morgan. 4 | Modified to add talloc support: Michael Cohen (scudette@users.sf.net) -------------------------------------------------------------------------------- /src/remote/Makefile.am: --------------------------------------------------------------------------------
INCLUDES = -I$(top_srcdir)/src/include -include config.h

bin_PROGRAMS = remote_server

## pki_gen_keys is built but not installed; the pki.h rule below runs it at
## build time.
noinst_PROGRAMS = pki_gen_keys

noinst_LTLIBRARIES = libremote.la

remote_server_LDADD = libremote.la ../lib/liboo.la ../lib/libexcept.la

libremote_la_SOURCES = ecc.c rc4.c remote.c ecc.h remote.h rc4.h

pkgpyexec_LTLIBRARIES = remote.la

# python module specifics
remote_la_SOURCES = remote_client.c
remote_la_CPPFLAGS = $(PYTHON_CPPFLAGS)
remote_la_LDFLAGS = -module $(PYTHON_LDFLAGS)
remote_la_LIBADD = libremote.la ../lib/liboo.la

ecc.c: pki.h ecc.h

## This is a helper program to generate random keys
## The output is written to pki.h once per build tree and compiled into
## libremote (ecc.c depends on it), which both remote_server and the python
## module link, so every binary from one build carries the same generated keys.
## NOTE(review): what pki_gen_keys emits (public key only, or the private key
## as well) and which randomness source it uses are not visible here - confirm
## in the pki_gen_keys source before relying on the generated keys.
pki.h: pki_gen_keys
	./pki_gen_keys > pki.h

## NOTE(review): automake distributes headers listed in a _HEADERS primary
## unless the nodist_ prefix is used, so a generated pki.h can end up in
## "make dist" tarballs; consider listing it under nodist_noinst_HEADERS.
noinst_HEADERS = pki.h remote.h ecc.h rc4.h
-------------------------------------------------------------------------------- /src/remote/ecc.h: -------------------------------------------------------------------------------- 1 | #ifndef __ECC_H 
#define __ECC_H

/******************************************************************************/
/* the degree of the field polynomial */
/* NOTE(review): a degree-163 field polynomial presumably means arithmetic in
   GF(2^163). Curves of that size offer roughly 80 bits of security, which is
   below the 112-bit floor in current NIST guidance; treat the key exchange as
   legacy strength and confirm the curve parameters in ecc.c. */
#define DEGREE 163

/* don't touch this */
#define MARGIN 3

/* Number of 32-bit words needed to hold DEGREE + MARGIN bits, rounded up:
   (163 + 3 + 31) / 32 = 6. */
#define NUMWORDS ((DEGREE + MARGIN + 31) / 32)

/* Challenge size in bytes: 4 * NUMWORDS * 2 = 48.
   The expansion is not parenthesised, so an expression such as
   x / SIZEOF_CHALLENGE or x % SIZEOF_CHALLENGE would not group as expected.
   SIZEOF_CHALLENGE/2 below expands to 4*NUMWORDS*2/2 = 24, as intended. */
#define SIZEOF_CHALLENGE 4*NUMWORDS*2

/** This function retrieves the session key in key based on decrypting
    challenge using the private key. This function is only available
    in the controller (who has the private key).

    The array sizes in the parameter list are documentation only: C passes
    these as plain pointers, so the caller must supply buffers of at least
    16, SIZEOF_CHALLENGE and SIZEOF_CHALLENGE/2 bytes.
    The meaning of the int return value is not visible in this header.
*/
int ecc_get_key(char key[16], char challenge[SIZEOF_CHALLENGE],
		char private_key[SIZEOF_CHALLENGE/2]);
/* Takes a 16-byte key buffer and a SIZEOF_CHALLENGE-byte challenge buffer.
   NOTE(review): presumably the counterpart of ecc_get_key that produces a
   fresh session key and the matching challenge - confirm in ecc.c. */
void ecc_make_key(char key[16], char challenge[SIZEOF_CHALLENGE]);

void ecc_init(void);

/* Wraps a statement so the macro behaves as a single statement. */
#define MACRO(A) do { A; } while(0)
/* Evaluates its arguments more than once; avoid arguments with side effects. */
#define MIN(a, b) ((a) < (b) ? (a) : (b))
/* Read / write a 32-bit big-endian value at ptr.
   Both cast ptr to uint32_t*, which requires ptr to be suitably aligned and
   sidesteps C aliasing rules when ptr points into a char buffer; on
   strict-alignment targets an unaligned network buffer can fault here.
   This header includes nothing itself, so uint32_t, ntohl and htonl must be
   provided by the including file. */
#define CHARS2INT(ptr) ntohl(*(uint32_t*)(ptr))
#define INT2CHARS(ptr, val) MACRO( *(uint32_t*)(ptr) = htonl(val) )

#endif
-------------------------------------------------------------------------------- /src/remote/rc4.c: -------------------------------------------------------------------------------- 1 | /************************************************************************ 2 | This is an implementation of the rc4 encryption algorithm. 
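3 | ************************************************************************/
#include "rc4.h"

/** Constructor: initialise the S-box and run the RC4 key schedule.

    self - RC4 object to set up.
    key  - key bytes; only read.
    len  - number of key bytes, must be greater than 0.

    Returns self, or a null pointer when key is null or len is not positive
    (i % len divides by zero for len == 0 and can index past the end of key
    for a negative len).
    NOTE(review): self is not released on that path; confirm how the class
    framework expects a failed constructor to clean up.

    Security note: RC4 is a legacy stream cipher. Its keystream has known
    statistical biases (strongest in the first output bytes), RFC 7465
    prohibits it in TLS, and it gives no integrity protection: ciphertext
    can be altered without detection unless a separate MAC is applied.
    Using the same key for two messages exposes the XOR of the plaintexts.
*/
RC4 RC4_Con(RC4 self, unsigned char *key, int len) {
  unsigned int swap, i, j;

  if(!key || len <= 0)
    return 0;

  /** Initialisation: start from the identity permutation */
  for(i=0; i<=255; i++) {
    self->Sbox[i] = i;
  }

  /** Key schedule */
  self->j = 0;
  self->i = 0;

  for(i=0, j=0; i<=255; i++) {
    j = (j + self->Sbox[i] + key[i % len]) % 256;
    swap = self->Sbox[i];
    self->Sbox[i] = self->Sbox[j];
    self->Sbox[j] = swap;
  }

  return self;
}

/** Pull the next character from the PRNG.

    Advances the i and j indices, swaps the two S-box entries they select
    and returns the keystream byte chosen by their sum.
*/
unsigned char RC4_getc(RC4 self) {
  unsigned int swap;

  self->i = (self->i + 1) % 256;
  self->j = (self->j + self->Sbox[self->i]) % 256;

  swap = self->Sbox[self->i];
  self->Sbox[self->i] = self->Sbox[self->j];
  self->Sbox[self->j] = swap;

  return self->Sbox[(self->Sbox[self->i] + self->Sbox[self->j]) % 256];
}

/** XOR len bytes of data in place with the keystream.

    Encryption and decryption are the same operation. A len of zero or less
    leaves data untouched.
    NOTE(review): the loop header and body were garbled in the listing this
    was taken from ("for(i=0; igetchar(self);"); they are reconstructed here
    as the standard RC4 XOR loop - confirm against the repository.
*/
void RC4_crypt(RC4 self, unsigned char *data, int len) {
  int i;

  for(i=0; i<len; i++) {
    data[i] ^= self->getchar(self);
  }
}

VIRTUAL(RC4, Object)
     VMETHOD(Con) = RC4_Con;
     VMETHOD(crypt) = RC4_crypt;
     VMETHOD(getchar) = RC4_getc;
END_VIRTUAL
-------------------------------------------------------------------------------- /src/remote/rc4.h: -------------------------------------------------------------------------------- 1 | /************************************************************************ 2 | This is an implementation of the rc4 encryption algorithm. 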
3 | ************************************************************************/
#ifndef __RC4_H
#define __RC4_H

#include "class.h"
#include "misc.h"

/* RC4 cipher state: Sbox is the 256-byte permutation, i and j are the two
   running indices that move with every keystream byte. */
CLASS(RC4, Object)
     unsigned char Sbox[256];
     int i,j;

     /* Constructor: sets up Sbox from key[0..len-1]; len must be positive. */
     RC4 METHOD(RC4, Con, unsigned char *key, int len);
     /* Returns the next keystream byte and advances the state. */
     unsigned char METHOD(RC4, getchar);

     /** This changes the data in place */
     void METHOD(RC4, crypt, unsigned char *data, int len);
END_CLASS

/* IV length in bytes. Four bytes allow only 2^32 distinct IVs.
   NOTE(review): how rc4_init_key combines the key and the IV is not visible
   in this header. With RC4, a short IV simply joined to a long-term key is
   the construction that broke WEP - confirm what the implementation does. */
#define SIZE_OF_IV 4
/* BUFF_SIZE is not defined in this header; presumably it comes from misc.h. */
#define MIN_KEY_SIZE BUFF_SIZE

// This initialises the key with a new IV
// key_len is passed by pointer, so the length can presumably change - confirm
// in the implementation.
void rc4_init_key(char *key, int *key_len);

#endif
-------------------------------------------------------------------------------- /src/remote/remote.h: -------------------------------------------------------------------------------- 1 | #define REMOTE_VERSION 1 2 | #include "rc4.h" 3 | #include "pki.h" 4 | #include "ecc.h" 5 | #include "stringio.h" 6 | 7 | // Some functions which should be there 8 | uint64_t htonll(uint64_t x); 9 | uint64_t ntohll(uint64_t x); 10 | 11 | int read_from_network(int fd, unsigned char *buffer, unsigned int len, RC4 rc4); 12 | int write_to_network(int fd, StringIO queue); 13 | void queue_for_sending(StringIO queue, unsigned char *buffer, unsigned int len, RC4 rc4); 14 | -------------------------------------------------------------------------------- /src/virustools/Makefile.am: -------------------------------------------------------------------------------- 1 | BUILT_SOURCES = $(srcdir)/clamav_wrap.c 2 | SWIG_SOURCES = clamav.i 3 | 4 | pkgpython_PYTHON = clamav.py 5 | pkgpyexec_LTLIBRARIES = _clamav.la 6 | 7 | _clamav_la_SOURCES = $(srcdir)/clamav_wrap.c $(SWIG_SOURCES) 8 | _clamav_la_CPPFLAGS = $(SWIG_PYTHON_CPPFLAGS) 9 | _clamav_la_CFLAGS = $(libclamav_CFLAGS) 10 | _clamav_la_LDFLAGS = -module $(libclamav_LIBS) 11 | 12 | $(srcdir)/clamav_wrap.c: $(SWIG_SOURCES) 13 | $(SWIG) $(SWIG_PYTHON_OPT) -o $@ $< 14 | 15 | #clean-local: 16 | # -rm -rf 
clamav.py clamav_wrap.c -------------------------------------------------------------------------------- /tests/init.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import pyflag.IO as IO 3 | import pyflag.Registry as Registry 4 | Registry.Init() 5 | import pyflag.FileSystem as FileSystem 6 | from FileSystem import DBFS 7 | 8 | case = "demo" 9 | 10 | ## This gives us a handle to the VFS 11 | fsfd = Registry.FILESYSTEMS.fs['DBFS'](case) 12 | 13 | ## WE just open a file in the VFS: 14 | #fd=fsfd.open(inode="Itest|S1/2") 15 | 16 | ## And read it 17 | #print fd.read() 18 | -------------------------------------------------------------------------------- /tests/launch: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ## This is a version of the launcher script which run on the src directory - paths are hard coded. 3 | 4 | SRC_DIR=~/pyflag/ 5 | INSTALL_DIR=/var/tmp/build/pyflag/ 6 | 7 | ######### END CONFIGURATION #################### 8 | 9 | ## This is required in case the prefix is not /usr/ (otherwise python 10 | ## can find it itself) 11 | 12 | export PYFLAG_PLUGINS=$SRC_DIR/src/plugins 13 | export PYTHONPATH=$SRC_DIR/src/pyflag:$SRC_DIR/src/:/usr/local/lib/python2.6/site-packages/:/usr/local/lib/python2.5/site-packages/:$INSTALL_DIR/lib/python2.5/site-packages/pyflag:$INSTALL_DIR/lib/python2.4/site-packages/pyflag:$INSTALL_DIR/lib/python2.6/site-packages/pyflag:$INSTALL_DIR/lib/python2.5/site-packages/pyflag/plugins 14 | 15 | echo $PYTHONPATH 16 | 17 | $@ 18 | -------------------------------------------------------------------------------- /tests/pyflag: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ## This is a version of the launcher script which run on the src directory - paths are hard coded atm. 
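Configure below: 3 | 4 | SRC_DIR=~/pyflag/ 5 | INSTALL_DIR=/var/tmp/build/pyflag/ 6 | 7 | ######### END CONFIGURATION #################### 8 | 9 | export PYTHONPATH=$SRC_DIR/src/pyflag:$SRC_DIR/src/:/usr/loca/lib/python2.6/site-packages/:$INSTALL_DIR/lib/python2.6/site-packages/pyflag:/usr/loca/lib/python2.5/site-packages/:$INSTALL_DIR/lib/python2.5/site-packages/pyflag 10 | 11 | exec /usr/bin/python $SRC_DIR/src/pyflag/FlagHTTPServer.py --plugins=$SRC_DIR/src/plugins $@ 12 | -------------------------------------------------------------------------------- /tests/pyflash: --------------------------------------------------------------------------------
#!/bin/bash
## This is a version of the launcher script which runs on the src directory - paths are hard coded.
##
## It starts pyflagsh.py from the source tree with PYFLAG_PLUGINS and
## PYTHONPATH pointing at the source and build directories configured below.
## NOTE: INSTALL_DIR sits under /var/tmp and is placed on PYTHONPATH; on a
## shared host make sure that directory is owned by you and not writable by
## other users, because Python imports modules from it.

SRC_DIR=~/pyflag/
INSTALL_DIR=/var/tmp/build/pyflag/

######### END CONFIGURATION ####################

export PYFLAG_PLUGINS="$SRC_DIR/src/plugins"
## /usr/local was misspelt /usr/loca, so the two system site-packages entries
## never matched an existing directory.
export PYTHONPATH="$SRC_DIR/src/pyflag:$SRC_DIR/src/:/usr/local/lib/python2.5/site-packages/:$INSTALL_DIR/lib/python2.5/site-packages/pyflag:/usr/local/lib/python2.6/site-packages/:$INSTALL_DIR/lib/python2.6/site-packages/pyflag"

echo "$PYTHONPATH"

## "$@" keeps arguments that contain spaces intact.
exec /usr/bin/python "$SRC_DIR/src/pyflag/pyflagsh.py" --plugins="$SRC_DIR/src/plugins" "$@"
-------------------------------------------------------------------------------- /tests/sktest.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import pyflag.IO as IO 3 | import sys 4 | import sk 5 | from stat import * 6 | 7 | #img = open(sys.argv[1],'r') 8 | #print "Will open %s" % sys.argv[1] 9 | 10 | ## This assumes that we have a case loaded 11 | img = IO.open('winxp','test') 12 | fs = sk.skfs(img) 13 | 14 | def readfile(fs,inode): 15 | print "reading: %s" % inode 16 | fd = fs.open(inode=inode) 17 | while True: 18 | if not fd.read(4000000): 19 | break 20 | 21 | # walk the directory tree 22 | for root, dirs, 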
files in fs.walk('/', unalloc=True, inodes=True): 23 | for f in files: 24 | try: 25 | print "processing: (%u) %s" % (f[0], f[1]) 26 | s=fs.stat(inode=str(f[0])) 27 | print "length %s" % s[ST_SIZE] 28 | if int(f[0])==0: continue 29 | readfile(fs,str(f[0])) 30 | except IOError, e: 31 | print "Got error: %s" % e 32 | 33 | # find any unlinked inodes here 34 | for inode in fs.iwalk(): 35 | fs.stat(inode=str(inode)) 36 | readfile(fs,str(inode)) 37 | -------------------------------------------------------------------------------- /utilities/dd.py: -------------------------------------------------------------------------------- 1 | from optparse import OptionParser 2 | import sys 3 | 4 | parser = OptionParser() 5 | parser.add_option("-s", "--skip", default=0, 6 | help = "Number of bytes to skip in the input file") 7 | 8 | parser.add_option("-l", "--length", default=10000, 9 | help = "Length of data to read in bytes") 10 | 11 | parser.add_option("-i", "--if", default=sys.stdin, 12 | help = "Input file to use") 13 | 14 | parser.add_option("-o", "--of", default=sys.stdout, 15 | help = "Output file") 16 | 17 | parser.add_option("-b", "--blocksize", default=64*1024, 18 | help = "Blocksize to read") 19 | 20 | (options, args) = parser.parse_args() 21 | if args: 22 | print "Incorrect usage, %s -h for help." 
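% sys.argv[0] 23 | sys.exit(-1) 24 | 25 | if type(options.__dict__["if"])==str: 26 | fd_i = open(options.__dict__["if"],"r") 27 | else: 28 | fd_i = options.__dict__["if"] 29 | 30 | if type(options.of)==str: 31 | fd_o = open(options.of,"w") 32 | else: 33 | fd_o = options.of 34 | 35 | fd_i.seek(int(options.skip)) 36 | length = int(options.length) 37 | 38 | while length>0: 39 | read_length = length 40 | if length>options.blocksize: 41 | read_length =options.blocksize 42 | 43 | fd_o.write(fd_i.read(read_length)) 44 | length-=read_length 45 | -------------------------------------------------------------------------------- /utilities/http_sundry_loader_template.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# download a list of URLs into a zip archive. A base64 encoded version of the
# URL is used as the filenames in the archive
#
# Review notes for anyone filling in the URL list:
# - Python 2 urllib.urlopen also opens file: URLs and bare local paths, so an
#   entry that is not http(s) copies a local file into the archive. Keep the
#   list to URLs you intend to fetch.
# - Depending on the Python 2 version, https certificates may not be verified
#   by urllib.urlopen.
# - Each response is read fully into memory; there is no size limit.
# - The "base64" codec output contains newlines and may contain "/", which zip
#   tools treat as a path separator. The name format is left unchanged here
#   because the importer has to decode it.

import urllib
import zipfile
import sys

# downloads is a list of URLs
downloads = """
http://www.pyflag.net
"""

if len(sys.argv) < 2:
    print "Usage: %s zipfile" % sys.argv[0]
    sys.exit(0)

zfilename = sys.argv[1]
zfile = zipfile.ZipFile(zfilename, "w", compression=zipfile.ZIP_DEFLATED)

# The archive is closed in a finally block so that its central directory is
# written even when an unexpected error or Ctrl-C interrupts the loop.
try:
    for line in downloads.splitlines():
        if not line: continue

        print "Downloading: %s" % line
        try:
            data = urllib.urlopen(urllib.unquote(line))
            # Close the response whether or not the read succeeds.
            try:
                zfile.writestr(line.encode("base64"), data.read())
            finally:
                data.close()
        except IOError, e:
            # A failed download is reported and the remaining URLs are still tried.
            print "Download Failed: %s" % e
finally:
    zfile.close()

print "Data saved into %s, import using: http_sundry_loader.py --case casename --load %s" % (zfilename, zfilename)
-------------------------------------------------------------------------------- /utilities/regkeys_load.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | PYFLAG_DIR=`dirname $0` 3 | 4 | cd $PYFLAG_DIR/../ 5 | ./launch.sh 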
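pyflag/regkey_load.py $1 $2 $3 $4 $5 $6 $7 6 | -------------------------------------------------------------------------------- /utilities/update_version.sh: --------------------------------------------------------------------------------
#!/bin/bash
##This little utility function is used to update the version information in all files:
##
## Every *.py, *.c, *.h and *.in file below the directories in DIRS has its
## $Version: ...$ tag rewritten to NEWVERSION plus the current date.

DIRS="src utilities"
NEWVERSION=0.87-pre1

exp="s/\\\$Version:.*\\\$/\\\$Version: $NEWVERSION Date: $(date)\\\$/"

## $DIRS is deliberately unquoted: it is a space separated list of directories.
## Names are passed NUL-terminated so that paths containing spaces or newlines
## are handled as one file each.
find $DIRS \( -name '*.py' -o -name '*.c' -o -name '*.h' -o -name '*.in' \) -print0 |
while IFS= read -r -d '' f; do
    echo "Updating $f"
    ## Replace the original only when sed succeeded; otherwise a failed run
    ## would overwrite the source file with empty or partial output.
    ## NOTE: mv installs the temporary file in place of the original, so the
    ## mode bits of the original file are not carried over.
    if sed -e "$exp" "$f" >"$f.tmp"; then
        mv "$f.tmp" "$f"
    else
        echo "sed failed on $f, file left unchanged" >&2
        rm -f "$f.tmp"
    fi
done
-------------------------------------------------------------------------------- /utilities/whois_load.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | PYFLAG_DIR=`dirname $0` 3 | 4 | cd $PYFLAG_DIR/../ 5 | ./launch.sh ./utilities/whois_load.py $1 $2 $3 $4 $5 $6 $7 --------------------------------------------------------------------------------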