From project at digital-forensic.org Fri Mar 18 16:31:59 2011
From: project at digital-forensic.org (Digital Forensics Framework)
Date: Fri, 18 Mar 2011 16:31:59 +0100
Subject: [dff-announce] Digital Forensics Framework 1.0.0 released
Message-ID: <4D837AEF.80900@digital-forensic.org>

DFF 1.0.0 has just been released and can be downloaded at:
http://www.digital-forensic.org/download

ArxSys now offers a full range of professional software services and support associated with DFF and Open Source Digital Forensics technologies; please discover our offer at http://www.arxsys.eu.

We would like to thank three new contributors:
- Bram Mooij, who did the Dutch translation.
- Dennis Schreiber, who did the German translation.
- Francesco Acchiappati, who did the Italian translation.

New Features:
-------------
* Windows registry parsing: creates a tree of nodes, one for each key of a Windows registry hive file. Each node carries the registry values as attributes (created time, data value, ...).
* VMware VMDK reconstruction: this module reconstructs a volume from a VMDK file. It can reconstruct both the base volume and the snapshots.
* MetaExif: EXIF information from picture files can now be added as node attributes. The metaexif module uses the dynamic attributes feature of the API, so it has a smaller memory footprint.
* Timeline: constructs a graphical timeline from every timestamp attribute found in nodes (i.e. if you have applied the NTFS, registry and metaexif modules, the timeline is drawn from NTFS MAC times, Windows registry creation times and EXIF accessed and changed times). Once the timeline is drawn you can zoom on a date range and then export all nodes included in that range of time.
* Translation: the DFF GUI can now be hot-translated (no need to relaunch the application to use the selected language). Also, most widgets have been refactored using QtDesigner.
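As an added illustration of the timeline feature described above (example code written for this page, not DFF's own timeline module), the following Python gathers every timestamp attribute of every node, whichever module produced it, into one chronological list, then "zooms" on a date range and returns the nodes to export. The node dicts and the attribute names (ntfs.*, registry.*, exif.*) are constructed assumptions, not DFF's real attribute keys.

```python
from datetime import datetime, timezone

def ts(iso: str) -> datetime:
    """Constructed helper: ISO-8601 string -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

# Constructed sample nodes. Attribute names mimic what the NTFS, registry and
# metaexif modules attach (assumptions, not DFF's real attribute keys).
NODES = [
    {"path": "/img/Users/a/report.docx", "size": 1200,
     "ntfs.created": ts("2011-02-01T12:00:00"),
     "ntfs.modified": ts("2011-03-10T09:15:00"),
     "ntfs.accessed": ts("2011-03-17T08:00:00")},
    {"path": "/img/Windows/System32/config/SOFTWARE/Microsoft/Windows/Run",
     "registry.created time": ts("2011-03-12T22:40:00")},
    {"path": "/img/Users/a/DCIM/IMG_0001.jpg", "size": 2_000_000,
     "ntfs.created": ts("2011-03-11T07:30:00"),
     "exif.DateTimeOriginal": ts("2011-03-11T07:29:58")},
]

def build_timeline(nodes):
    """One event per timestamp attribute of every node, regardless of which
    module produced it, sorted chronologically as (time, node path, attribute)."""
    events = [(value, node["path"], name)
              for node in nodes
              for name, value in node.items()
              if isinstance(value, datetime)]
    return sorted(events)

def export_range(timeline, start, end):
    """'Zoom' on [start, end] and return the distinct nodes that have at least
    one event inside it: the set a user would export from the drawn timeline."""
    return sorted({path for when, path, _ in timeline if start <= when <= end})
```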
* Column dynamic filtering: in the table view of the DFF node browser you can now add as many columns as you want. The columns that can be added correspond to every attribute present in a node, so you can sort on any time attribute, size, deleted flag, or any other attribute.
* Carver: you now have the possibility to add your own patterns (header, footer, wildcard) to the carver and to set, for each header, whether it has to be sector aligned. Also, the carver can now be launched from the console.
* Merge: the merge module now takes a list of nodes as input, so you can virtually merge as many files as you need. For example, you can merge all files from split DD images and then apply other modules to the virtually reconstructed image.
* Hash: the module can now be applied directly with several algorithms (md5, sha1, sha256, ...) and uses the new dynamic attributes API to add the calculated hashes as node attributes. It uses the post-processing feature.
* Enhanced GUI ergonomics.
* Sort speed and display greatly enhanced.
* Fast display of a large number of items (> 100 000).
* The GUI now has maximize and fullscreen buttons, to display widgets on the entire screen.
* A new menu, "relevant module", gives fast access to the most relevant module to apply on a node.
* A new menu, "open as new tab", creates a new browser opened from the node (with its children) you clicked on.
* Each module can now have an associated icon.
* When double-clicking on a node to auto-apply a module, a message box pops up so you can confirm that the detected module should be applied.
* The apply-module widget has been totally rewritten to use the libtype API (config and arguments of a module).
* Configuration: DFF now has a configuration file that lets you set your favorite language, the path where the history file is saved and the path to the help documentation. It also provides a "no footprint" mode when performing live analysis.
* IDE update: IDE templates have been updated.
  The IDE syntax highlighter has been rewritten and no longer relies on QScintilla.
* Versioning: each library of the API and each module now has its own version number, allowing easy maintainability and upgrades.
* API:
  * The config/argument and result classes were totally rewritten to be fully based on Variant.
  * Attributes are now fully based on Variant. Modules can also add dynamic attributes to reduce memory footprint.
  * Data types and compatible modules are now accessible directly from a node object.
  * The old file-type API has been replaced by the new data-type engine, into which you can plug your own data-type detection handler.
* Variant enhancements:
  * It is now possible to force the handled raw type when using Variant in Python.
  * Comparison operators are implemented.
  * Ability to convert raw types to String, OctString and HexString.
  * Better conversion methods (stringToInt, intToString, and so on).
* Console:
  * Completion has been rewritten from scratch to be compliant with the new Config / arguments API.
  * It supports lists of parameters, and predefined parameters are now handled properly.
  * A line tokenizer has been written:
    * It directly creates the context used by the completion.
    * It supports the classical shell "&" and "&&" operators and correctly manages threading and wait conditions.

Bug fixes:
----------
* ExtFs: checks the magic number and inode count to avoid crashes on crafted or damaged data.
* Hex viewer pixel view: fixes some crashes when the underlying read does not return the requested number of bytes.
* Since most of the GUI Model / View has been refactored, lots of bugs have been resolved too.
* Some thrown exceptions were not handled correctly, resulting in the Aborted behaviour.

--
contact at digital-forensic.org
Main website: http://www.digital-forensic.org
Documentation wiki: http://wiki.digital-forensic.org
Project tracker: https://tracker.digital-forensic.org
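The ExtFs bug fix above (refusing crafted or damaged superblock values instead of crashing) is the kind of check every forensic parser needs, since evidence images are untrusted input. The following Python is an added example written for this page, not DFF's ExtFs module: it reads the ext2 superblock fields at their documented offsets, verifies the 0xEF53 magic, and rejects an inode count that does not match the group geometry before any allocation is sized from it. The sample images are constructed in the block itself.

```python
import struct

EXT_MAGIC = 0xEF53
SB_OFFSET, SB_SIZE = 1024, 1024   # ext superblock lives 1 KiB into the volume

def build_superblock(inodes_count, blocks_count, first_data_block=1, log_block_size=0,
                     blocks_per_group=8192, inodes_per_group=2048, magic=EXT_MAGIC) -> bytes:
    """Constructed sample: a 2 KiB image holding a minimal ext2 superblock."""
    sb = bytearray(SB_SIZE)
    struct.pack_into("<II", sb, 0, inodes_count, blocks_count)   # s_inodes_count, s_blocks_count
    struct.pack_into("<II", sb, 20, first_data_block, log_block_size)
    struct.pack_into("<I", sb, 32, blocks_per_group)              # s_blocks_per_group
    struct.pack_into("<I", sb, 40, inodes_per_group)              # s_inodes_per_group
    struct.pack_into("<H", sb, 56, magic)                         # s_magic
    return bytes(SB_OFFSET) + bytes(sb)

def validate_superblock(image: bytes) -> dict:
    """Parse the superblock and raise ValueError on values a crafted or damaged
    image could use to drive huge allocations or out-of-range reads."""
    sb = image[SB_OFFSET:SB_OFFSET + SB_SIZE]
    if len(sb) < SB_SIZE:
        raise ValueError("image too small to hold an ext superblock")
    inodes_count, blocks_count = struct.unpack_from("<II", sb, 0)
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    blocks_per_group = struct.unpack_from("<I", sb, 32)[0]
    inodes_per_group = struct.unpack_from("<I", sb, 40)[0]
    magic = struct.unpack_from("<H", sb, 56)[0]
    if magic != EXT_MAGIC:
        raise ValueError(f"bad ext magic 0x{magic:04x}")
    if log_block_size > 6:                       # block size 1 KiB .. 64 KiB
        raise ValueError("implausible block size")
    if blocks_per_group == 0 or inodes_per_group == 0 or blocks_count <= first_data_block:
        raise ValueError("zero-sized group or empty volume")
    groups = -(-(blocks_count - first_data_block) // blocks_per_group)   # ceil division
    if inodes_count != groups * inodes_per_group:
        raise ValueError(f"inode count {inodes_count} inconsistent with "
                         f"{groups} group(s) of {inodes_per_group} inodes")
    return {"block_size": 1024 << log_block_size, "groups": groups,
            "inodes_count": inodes_count, "blocks_count": blocks_count}

def is_sane_superblock(image: bytes) -> bool:
    """Convenience wrapper: True if the image passes every check above."""
    try:
        validate_superblock(image)
        return True
    except ValueError:
        return False
```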