[dff-announce] Digital Forensics Framework 1.1.0 released
Digital Forensics Framework
project at digital-forensic.org
Fri May 20 19:17:45 CEST 2011
DFF 1.1.0 has just been released and can be downloaded at:
We would like to thank one new contributor:
- Zhang Jun who has done the Chinese translation.
* Translation: DFF GUI is now available in Chinese.
Other languages were updated: German, Italian, ...
* AFF: A connector to support AFF dumps. The module is based on
AFFLib by Simson L. Garfinkel (http://afflib.org).
* PFF: This module parses PST, OST and PAB files to extract mailbox
contents; it also recovers deleted and orphaned items and gives access
to unallocated clusters. It is based on Joachim Metz's libpff.
* API: New cache system for FileMapping and File Descriptor. Vtime can
now directly convert Unix and Windows 64-bit time stamps.
* Extended attributes:
  * When there is slack space, a dedicated attribute specifies its
  start offset and its size. This feature is only available for
  classical files (neither deleted nor orphaned).
  * Classical attributes are provided: Read Only, Hidden, System,
  * DOS name is provided (8+3 name)
* Orphaned files scan:
  * The algorithm is now faster. When walking free clusters, checks
  determine whether a cluster was already parsed during the earlier walk
  of deleted files and directories in allocated clusters. Since the
  cluster chains of deleted directories are followed, that earlier pass
  may already have read and parsed free clusters.
* GUI: Unicode support
* Add devices and Add files on Windows: it was not possible to add
devices and files or directories in the same session.
* MFSO opened only one file descriptor and cached it, leading to crashes,
especially when using the device module on Windows; a totally new
cache system was written for FileMapping and File Descriptor.
* EWF: Sometimes the module could not open the underlying data due to bad
fd handling; this was fixed by using Variant.
* Recovery of deleted files was not properly handled. The previous version
relied on the cluster chain found in the FAT, which is often emptied
when files are deleted. Now the module gets the first cluster and asks
the FAT for the chain of clusters; if the total size of the provided
clusters is smaller than the size of the file, the mapping starts from
the first cluster and continues until the size of the file is reached.
* Even if not noticeable by users (file hashes were coherent, for
example) and not really a bug, the previous mapping of files was
cluster-aligned, meaning that the slack space of files was directly
included in the mapping. This was done in anticipation of a future
MFSO implementation able to read either the original size or the slack
space. Since it is not implemented yet, the mapping is now based solely
on the size of the file. This patch was developed based on Johannes
Stuttgen's feedback while he was working on the aff4 module.
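The two FAT changes above (chain lookup with a contiguous fallback for deleted files, and a mapping trimmed to the file size rather than the cluster boundary) as an added example; this is illustrative code, not DFF's FAT module, and the cluster size, data-area offset and FAT contents are constructed.

```python
# Added example (not DFF code): a small model of the FAT deleted-file mapping
# described above. Cluster size, data-area offset and FAT contents are constructed.
CLUSTER_SIZE = 512            # constructed: bytes per cluster
DATA_START = 4096             # constructed: byte offset of cluster 2 in the image
EOC = 0x0FFFFFF8              # end-of-chain marker (FAT32-style value)
FREE = 0                      # a zeroed FAT entry, as left behind by deletion

def cluster_offset(cluster):
    """Byte offset of a data cluster (the FAT data area starts at cluster 2)."""
    return DATA_START + (cluster - 2) * CLUSTER_SIZE

def follow_chain(fat, first):
    """Walk the FAT from `first`; stop at end-of-chain, a free entry or a loop."""
    chain, seen, cur = [], set(), first
    while 2 <= cur < len(fat) and cur not in seen and fat[cur] != FREE:
        chain.append(cur)
        seen.add(cur)
        cur = fat[cur]
    return chain

def map_file(fat, first, size):
    """Return (chunks, slack): chunks is a list of (offset, length) covering
    exactly `size` bytes; slack is (offset, length) of the tail of the last
    cluster, which the mapping no longer includes."""
    if size <= 0:
        return [], None
    chain = follow_chain(fat, first)
    if len(chain) * CLUSTER_SIZE < size:
        # Chain missing or truncated (typical after deletion): assume the file
        # was contiguous and map clusters from `first` until `size` is covered.
        needed = -(-size // CLUSTER_SIZE)          # ceiling division
        chain = list(range(first, first + needed))
    chunks, remaining = [], size
    for c in chain:
        if remaining == 0:
            break
        length = min(CLUSTER_SIZE, remaining)      # last chunk trimmed to file size
        chunks.append((cluster_offset(c), length))
        remaining -= length
    last_off, last_len = chunks[-1]
    slack = (last_off + last_len, CLUSTER_SIZE - last_len) if last_len < CLUSTER_SIZE else None
    return chunks, slack

# Constructed FAT: clusters 2-3 hold a live 1000-byte file; clusters 5-7 held a
# deleted 1300-byte file whose entries were zeroed when it was deleted.
FAT = [EOC, EOC, 3, EOC, FREE, FREE, FREE, FREE, EOC]

if __name__ == "__main__":
    print(map_file(FAT, 2, 1000))   # live file: chain from the FAT, 24 bytes of slack
    print(map_file(FAT, 5, 1300))   # deleted file: contiguous fallback from cluster 5
```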
* Fix for file ends made of virtual chunks (full of zeros).
* Infinite loop fix when searching for the parent of deleted or orphaned files.
* Two segfault fixes in metadata parsing due to the complex on-disk
structure of NTFS attributes.
* A bug occurring when trying to pass a Node as a parameter to
modules has been fixed: it was not possible to browse the tree.
* The tree view, in the node browser, had an inconsistent behavior: to
change directories, users had to double-click on node names, which
collapsed the tree view. This is fixed; the node browser now
behaves like a classic file browser.
* Variant vtime repr:
  * When dealing with a vtime encapsulated in a Variant in the Python
  interpreter, an exception was raised because no __repr__ or __str__
  was provided for this type.
contact at digital-forensic.org
Main website: http://www.digital-forensic.org
Documentation wiki: http://wiki.digital-forensic.org
Project tracker: https://tracker.digital-forensic.org