[dff-announce] Digital Forensics Framework 1.1.0 released

Digital Forensics Framework project at digital-forensic.org
Fri May 20 19:17:45 CEST 2011


DFF 1.1.0 has just been released and can be downloaded at:
http://www.digital-forensic.org/download

We would like to thank one new contributor:
- Zhang Jun who has done the Chinese translation.

New Features:
-------------

* Translation: DFF GUI is now available in Chinese.
   Other languages were updated : Deutch, Italian, ...

* AFF: A connector to support AFF dump. The module is based on
   AFFLib by Simson L. Garfinkel (http://afflib.org).

* PFF: This module parses PST, OST and PAB files to extract mailbox
   contents, it also recovers deleted and orphaned files and give access
   to unallocated clusters. It's based on Joachim Metz LibPFF
   (http://sourceforge.net/projects/libpff)

* API: New cache system for FileMapping and File Descriptor. Vtime now
   can directly convert unix and windows 64 bits time stamp.

* FAT:
  * Extended attributes:
   * When there is slack space, a dedicated attribute specifies its
     start offset and its size. This feature is only available for
     classical files (neither deleted nor orphaned).
   * Classical attributes are provided: Read Only, Hidden, System,
     Archive, Volume.
   * DOS name is provided (8+3 name)
  * Orphaned files scan:
   * The algorithm is now faster. When walking on free clusters, checks
     are done to know if it was previously parsed when walking on
     deleted files and directories in allocated clusters. Since chain of
     clusters of deleted directories are used, this pass could read and
     parse free clusters.

* GUI: Unicode support


Bug fixes:
----------

* Add devices and Add files on Windows, it was not possible to add
   devices and files or directories in the same session.

* MFSO opened only one file descriptor and cache it, leading to crash
   especially using device module on windows platform, a totally new
   cache system was written for FileMapping and File Descriptor.

* EWF: Sometimes the modules could not open the underlaying due to bad
   fd handling this was fixed by using variant.

* FAT:
  * Recovery of deleted files was not properly handled. Previous version
    relied on the chain of clusters found in FAT which are often emptied
    when files are deleted. Now, the module gets the first cluster, asks
    the FAT for a the chain of cluster, if the size of all provided is
    smaller than the size of file, the mapping starts from the first
    cluster until size of the file is reached.
  * Even if not noticeable by users (hashes of files were coherent for
    example) and not really a bug, the previous mapping for files were
    cluster aligned. It means the slack space of files were directly
    included in the mapping. This was done this way in prediction of
    future implementation of MFSO. This feature would be able to read
    either original size or slack space. Since it is not implemented
    yet, the mapping is now fully based on the size of the file. This
    patch has been developed based on Johannes Stuttgen's feedback when
    he was working on the aff4 module.

* NTFS:
  * Fix for files-end made of virtual chunks ; full of 0.
  * Infinite loop fix when searching for parent of deleted or orphan
    items.
  * Two segfault fixes on metadata parsing due to complex on-disk
    structure of NTFS attributes.

* GUI:
  * A bug occurring when trying to input a Node as a parameter to
    modules has been fixed : it was not possible to browse in the tree
    view.
  * The tree view, in the node browser, had an inconsistent behavior: to
    change directories, users had to double-click on nodes names, which
    used to collapse the tree view. This is fixed. The node browser now
    behaves as a classic file browser.

* Variant vtime repr:
  * Dealing with vtime encapsulated in Variant in the Python
    interpreter, an exception were raised because there were no __repr__
    or __str__ provided for this type.


-- 
contact at digital-forensic.org
Main website: http://www.digital-forensic.org
Documentation wiki: http://wiki.digital-forensic.org
Project tracker: https://tracker.digital-forensic.org


More information about the dff-announce mailing list