DFF (Digital Forensics Framework) v1.0.0 released

DFF (Digital Forensics Framework) is a simple but powerful open source tool with a flexible module system that helps with digital forensics work, including recovering files lost to error or crash, evidence research and analysis, and more. The source code is written in C++ and Python, which gives both performance and great extensibility.

This project follows three main goals:

  • Modularity. Unlike the monolithic model, the modular model is based on a host and many modules. This modular design has two advantages: it allows the software to improve rapidly and makes it easy to split tasks among developers.
  • Scriptability. The ability to be scripted obviously gives a tool more flexibility, but it also enables automation and makes it possible to extend features.
  • Genericity. The project tries to remain OS independent. We want to help people where they are, letting them use this software on any operating system.

API:

  • Stackable file system (makes multi-layer analysis possible)
  • Environment API for auto-completion and auto-generation of graphical scripts
  • Multi-threaded (modules can be launched in the background, so the investigator can keep working on the case even while modules doing heavy computation are running)
  • Hash calculation with different algorithms (MD5, SHA1, SHA256)
  • File-oriented data representation (e.g. a zip file can be browsed like a normal directory, bypassing the zip-bomb problem)
  • MAC times access
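As an added illustration of the stackable file-system and hash features listed above (example code written for this page, not part of DFF): a virtual node that exposes several pieces of a split image as one contiguous byte stream, and a routine that hashes that stream sector by sector with several algorithms at once. SplitImage, hash_node and the sample pieces are all assumptions of the example.

```python
import bisect
import hashlib


class SplitImage:
    """Virtual node presenting several ordered chunk buffers (e.g. the pieces of a
    split DD image) as one read-only byte stream. Nothing is copied: every read()
    is served from the underlying chunks, crossing chunk boundaries as needed."""

    def __init__(self, chunks):
        self.chunks = [bytes(c) for c in chunks]
        self.offsets = []          # absolute start offset of each chunk
        total = 0
        for c in self.chunks:
            self.offsets.append(total)
            total += len(c)
        self.size = total

    def read(self, offset, length):
        """Read up to `length` bytes starting at absolute `offset`."""
        if offset < 0 or offset >= self.size or length <= 0:
            return b""
        end = min(offset + length, self.size)
        i = bisect.bisect_right(self.offsets, offset) - 1   # chunk holding `offset`
        out = bytearray()
        pos = offset
        while pos < end:
            local = pos - self.offsets[i]
            take = min(end - pos, len(self.chunks[i]) - local)
            out += self.chunks[i][local:local + take]
            pos += take
            i += 1
        return bytes(out)


def hash_node(node, algorithms=("md5", "sha1", "sha256"), block=512):
    """Hash the virtual stream in sector-sized reads with several algorithms in a
    single pass; the returned dict is what would be attached as node attributes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    offset = 0
    while offset < node.size:
        chunk = node.read(offset, block)
        for h in hashers.values():
            h.update(chunk)
        offset += len(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


# Constructed sample: three pieces whose sizes are not sector multiples.
SAMPLE_PIECES = [b"A" * 1000, b"B" * 1000, b"C" * 500]
```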

Users:

  • A user-friendly graphical interface, with multiple browsers and dockable widgets
  • A console interface
  • Multi-platform (Linux, Windows; future port to BSD & OS X)
  • Tagged modules
  • Gallery view
  • File type auto-detection (does not rely on the file extension)
  • Command history

Developers:

  • API available in both Python and C++
  • Core API written in C++ for enhanced speed
  • Live scripting: the API is available and scriptable live from a Python interpreter
  • Easy driver and script development through our API
  • Scripts can be written for the console or with Qt for graphical use
  • IDE, with templates available for our different types of modules (graphical, console, drivers…)

Available Drivers and Scripts:

  • FAT 12/16/32 drivers
  • FTL reconstruction and cell-phone file system
  • SMS decode
  • SHM (shared memory), and more

Changelog

This is the change log:

  • Windows registry parsing: creates a tree of nodes for each key of a Windows registry hive file. Each node carries the registry values as attributes (created time, data value, …).
  • VMware VMDK reconstruction: this module reconstructs a volume from a VMDK file. It is able to reconstruct both the base volume and the snapshots.
  • MetaExif: EXIF information from picture files can now be added as node attributes. The metaexif module uses the dynamic attributes feature of the API, so it has a smaller memory footprint.
  • Timeline: constructs a graphical timeline from every timestamp attribute found in nodes (e.g. if you have applied the NTFS, registry and metaexif modules, the timeline is drawn from NTFS MAC times, Windows registry creation times and EXIF accessed and changed times). Once the timeline is drawn you can zoom in on a date range and then export all nodes that fall within that range.
  • Translation: the DFF GUI can now be hot-translated (no need to relaunch the application to use the selected language). Most widgets have also been refactored using Qt Designer.
  • Column dynamic filtering: in the table view of the DFF node browser you can now add as many columns as you want. The columns that can be added correspond to each attribute present in a node, so you can sort on any time attribute, size, deleted status, or any other attribute.
  • Carver: you can now add your own patterns (header, footer, wildcard) to the carver and set, for each header, whether it has to be sector aligned. The carver can also now be launched from the console.
  • Merge: the merge module now takes a list of nodes as input, so you can virtually merge as many files as you need. For example, you can merge all the pieces of a split DD image and then apply other modules to the virtually reconstructed image.
  • Hash: the module can now be applied directly with several algorithms (md5, sha1, sha256, …) and uses the new dynamic attributes API to add the calculated hashes as node attributes. It uses the post-processing feature.
  • Enhanced GUI ergonomics
  • Sort speed and display greatly enhanced.
  • Fast display of a large number of items (> 100 000).
  • The GUI now has maximize and full-screen buttons, to display widgets on the entire screen.
  • A new menu, relevant module, gives fast access to the most relevant module to apply on a node.
  • A new menu, open as new tab, creates a new browser rooted at the node (with its children) you clicked on.
  • Each module can now have an associated icon.
  • When double-clicking a node to auto-apply a module, a message box pops up asking you to confirm that the detected module should be applied.
  • The apply-module widget has been totally rewritten to use the libtype API (config and arguments of a module).
  • Configuration: DFF now has a configuration file for setting your preferred language, the path where the history file is saved and the path to the help documentation. It also provides a “no footprint” mode for live analysis.
  • IDE update: IDE templates have been updated. The IDE syntax highlighter has been rewritten and no longer relies on QScintilla.
  • Versioning: each library of the API and each module now has its own version number, allowing easy maintenance and upgrades.
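To illustrate the carver's header/footer/wildcard patterns and the per-header sector-alignment option mentioned in the changelog, here is an added example written for this page (it is not DFF's carver). The '?' wildcard syntax, the 512-byte SECTOR constant, the max_size bound and the sample image are assumptions of the example.

```python
import re

SECTOR = 512


def compile_pattern(spec):
    """Build a bytes regex from a header/footer spec. In this example's own syntax
    a '?' byte is a single-byte wildcard; every other byte is matched literally."""
    parts = [b"." if b == ord("?") else re.escape(bytes([b])) for b in spec]
    return re.compile(b"".join(parts), re.DOTALL)


def carve(data, header, footer, sector_aligned=False, max_size=4096):
    """Return (start, end) offsets of every header..footer span found in data.
    With sector_aligned=True, headers that do not start on a sector boundary are
    ignored, which cuts false positives for types that always begin a sector."""
    hdr, ftr = compile_pattern(header), compile_pattern(footer)
    found = []
    for m in hdr.finditer(data):
        start = m.start()
        if sector_aligned and start % SECTOR:
            continue
        # the footer must lie within max_size bytes of the header, else no file
        fm = ftr.search(data, m.end(), start + max_size)
        if fm is not None:
            found.append((start, fm.end()))
    return found


def build_sample_image():
    """Constructed 4-sector image with three JPEG-like blobs (FF D8 FF xx ... FF D9):
    two on sector boundaries and one starting in the middle of a sector."""
    img = bytearray(SECTOR * 4)
    blobs = {0: b"\xff\xd8\xff\xe0" + b"A" * 40 + b"\xff\xd9",
             700: b"\xff\xd8\xff\xe1" + b"B" * 60 + b"\xff\xd9",
             1024: b"\xff\xd8\xff\xdb" + b"C" * 20 + b"\xff\xd9"}
    for off, blob in blobs.items():
        img[off:off + len(blob)] = blob
    return bytes(img)


JPEG_HEADER = b"\xff\xd8\xff?"   # fourth byte is a wildcard (APP0/APP1/DQT ...)
JPEG_FOOTER = b"\xff\xd9"
```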

API:

  • The config/argument and result classes were totally rewritten to be fully based on Variant.
  • Attributes are now fully based on Variant. Also modules can now add dynamic attributes to reduce memory footprint.
  • Data-type and compatible modules are now accessible directly from a node object.
  • The old file-type API has been replaced by the new data-type engine, into which you can plug your own data-type detection handler.

Variant enhancement:

  • It is now possible to force the handled raw type when using Variant in Python.
  • Comparison operators are implemented
  • Ability to convert raw types to String, OctString and HexString, with better conversion methods (stringToInt, intToString, and so on)

Console:

  • Completion has been rewritten from scratch to comply with the new config/arguments API
  • It supports lists of parameters, and predefined parameters are now handled correctly

A line tokenizer has been written:

  • It directly creates the context used by the completion
  • It supports the classical shell “&” and “&&” operators and correctly manages threading and wait conditions

Bug fixes:

  • ExtFs: checks the magic number and the number of inodes to avoid crashes on crafted or damaged data.
  • Hex viewer pixel view: fixes some crashes when the underlying read does not return the requested number of bytes.
  • Since most of the GUI model/view code has been refactored, lots of bugs have been resolved as well.
  • Some thrown exceptions were not handled correctly, resulting in an “Aborted” crash.

Download

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"