[dff-announce] Digital Forensics Framework 1.2.0 released
Digital Forensics Framework
project at digital-forensic.org
Wed Oct 5 13:30:50 CEST 2011
DFF 1.2.0 has just been released and can be downloaded at:
* Batch script : It is now possible to provide batch script directly as a
parameter when invoking dff.py using the switch "-b" followed by the
containing commands. This functionality uses the "batch" module.
* Filter : To enable finding and filtering abilities through the GUI, a
dedicated interface has been developed to ease the creation of queries. Most
useful filters are provided, and it is also possible to query extended
* Preview : A new widget providing a graphical representation of the
selected node. When a node is selected, this widget automatically
most appropriate viewer. Pictures, text, html and video files are currently
supported. If there's no available viewer, the hexadecimal viewer will
If you create or add any other viewer associated with a different file
will be automatically used by the widget.
* Attributes pane : When double clicking on an attribute in the tree of
Attributes pane, a popup is displayed, allowing to copy the argument.
* Module Browser : A new widget has been developed to provide a new way to
browse, view and apply modules.
* Task manager widget : When double-clicking on a module in the task
the output is now provided in a dedicated tab.
* Web viewer : This graphical module renders web pages and tries to
them, if corresponding linked image or css file are found in the dump.
Currently, navigation between local files is disabled in order to forbid
* Find : This shell module gives the ability to search and filter
the console. As required arguments, it takes a query and the node from
where the search will start. In order to have a human readable
the query, a string describing the filter has to be provided. As optional
arguments, 'save_result' option will automatically create links to
. By default, matches are not displayed but this can be enabled by
* Batch scripting : Reads a local file which contains DFF commands (one per
line) and execute them. It also accepts comments using the '#' character.
This module eases tests and developments by avoiding recurrent operation
choosing, configuring and launching a module and provides to users a way to
automatize some tasks.
* Partition :
- Add creation of unallocated areas in a dedicated folder.
- Two new arguments:
* sector size (to manage 4k sectors for example)
* start offset of the MBR.
- Results of the module has been enhanced to provide all unallocated
- Attributes of created nodes provide more detailed information.
* Fatfs : Fatfs module has been enhanced to support more forensics features.
- Module now creates several nodes representing:
* reserved sectors
* unallocated space (based on the first FAT cluster status)
* filesystem slack space (size of the underlying file minus total
sectors found in the boot sector).
- The generated tree has also been enhanced so as to base the name of
the entry node (root of the module) on the volume label (if not
NONAME is used).
- All FATs (even if there are 5 FATs) are also created as nodes with
their own attributes (allocated and free clusters). This enables to
define if there are differences between FATs, based on their clusters
status, by comparing their md5 hash, or by using the 'diff' module.
- The module now provides its progression.
* EWF : The ewf module has been rewritten to support the v2 API of the
developed by Joachim Metz (libewf).
* AFF : The module now supports afflib before version 3.6.11. Version is
obtained during the build process and provided to the preprocessor.
* All dependencies are now correctly checked before starting compilation.
Dedicated CMake modules have been created to find bfio, pff, ewf, afflib and
tre libraries. If not found, related modules won't be compiled. This
compile DFF even if dependencies are not installed. On Windows platforms,
version of the compiler is better managed to include the right headers.
* Datatypes : Code in charge of magic library is now fully developed in C++
resulting in faster processing.
* UID Object System : This release has been the occasion to associate unique
identifier to some objects of the API. Currently it only concerns fso
objects. This also let you obtain fso and nodes by their ID at run time.
* FSO :
- Each fso objects are linked together in a tree way. It is possible
dependencies between modules in charge of the creation of node.
- Add a new method to obtain a Node from its id
- Add a new methode to have access to all created nodes as a list.
* Node : All attributes methods of Node have been refactored and are faster.
- Add a new method which return its extension if available.
- Testing compatibility with a module has been extended by checking the
extension besides its type. Indeed, sometimes, it was not accurate
rely on results provided by magic to auto detect compatible modules.
For example, VmWare configuration files are detected as text by magic.
* VFS :
- Now have an UID Object System.
- New method to obtain fso by their ids.
- New method to obtain nodes by their ids.
- New method to access all applied modules of type fso.
- All orphaned nodes (nodes which don't have a related fso), are also
by the VFS.
* Search : Search API has been totally rewritten in an object oriented way,
using TRE library.
- Search objects provide methods to set pattern syntax:
* approximate (use TRE library)
* regexp patterns (use TRE library)
- Search are faster and relies on a modified version of fastsearch
functions implemented in Python (BoyerMoore + Bloom filters).
* Filter : As mentioned, the main feature of this release is filtering
capability. It has been directly implemented in the API to provide
- Several methods enable to set the query, to compile it and return
nodes. Filter objects are "event aware" in order to give the
stop the process but also to inform about progression and the number of
- It is possible to apply a query recursively or only in one folder.
* VFile : Objects are compliant with the new search API but is still
compatible with the old one.
- Extends their ability by matching patterns based on :
* regular expressions
* approximate search strings.
- VFile is also "event aware" meaning that it could receive external
message to stop heavy processing such as searches.
* ConfigManager : Provides a way to unregister configuration
of modules at run time. It is mostly used by the loader when a module is
* VTime :
- Comparison operators have been implemented in vtime
- Can be now created with a string as parameter or a timestamps
- Timestamps can be Unix or Microsoft based (64 bits) allowing auto
* Loader :
- When a module can not be loaded properly, traceback is saved and
encountered errors are summed up at the end of loading.
- Unregisters the configuration of the module if this one is reloaded
at run time.
* Mimetree : A new object is provided to extract mime types from
file (version 7 and 8 are managed). The result is a two level tree
main categories (such as images) and at the second level subcategories
Bug Fixes :
* Interpreter : When huge processing were done in the GUI interpreter, it
froze the whole interface. Execution of Python code is now done in a
thread and edition is disabled until thread has finished.
* Attributes column selector : In some cases, the selection of
attributes to be
added as column could lead to crashes. This bug has been fixed but this
to be improved since it currently only provides attributes selection
the first node found.
* Evidence dialog : Resizing the dialog was not properly handled
inappropriate widgets size.
* Taskmanager : there was a typo error which led to the unavailability
results of modules
* Menu : Opening folders in a new tab did not work properly.
* NTFS :
- Add a NULL pointer check forgotten prior to MFT entry header validation
- Fixes an integer overflow in attributes analysis. This second fix
regular items detected as deleted ones.
* Carver :
- Previous version of the carver worked with wildcard but this
been temporary disabled because there was a bug in the old search API.
- The module is currently rewritten to be compliant with the new
and to provide more accurate results.
* Load : Arguments were not properly obtained because they differ from those
defined in the configuration resulting in errors when using the module.
* Viewer Hexadecimal :
- Slider operations are now implemented in pixel and string view
- It's now possible to trigger the cursor or its area to navigate
- QGraphicsView is now instantiated with parent widget
* Hash : When several hash algorithms were provided, they were processed in
serial way. They are now processed in parallel, digests are updated for each
* Partition :
- Fix an overflow with total_blocks resulting in bad size settings.
- FileMapping are better handled and manages odd cases such as file
less sectors than defined in partition entry.
* Player : Fixes a bug based on phonon when opening multiple audio
seems Phonon can only handle one audio stream at a time.
* Attributes : Fixes memory leak due to ownership of objects return from
* DataType : Fixes multi-thread concurrent access crash by locking in
contact at digital-forensic.org
Main website: http://www.digital-forensic.org
Documentation wiki: http://wiki.digital-forensic.org
Project tracker: https://tracker.digital-forensic.org
More information about the dff-announce