[dff-announce] Digital Forensics Framework 1.2.0 released

Digital Forensics Framework project at digital-forensic.org
Wed Oct 5 13:30:50 CEST 2011

DFF 1.2.0 has just been released and can be downloaded at:

New features:

   User Interfaces:

* Batch script : It is now possible to provide batch script directly as a
parameter when invoking dff.py using the switch "-b" followed by the 
local file
containing commands. This functionality uses the "batch" module.

* Filter : To enable finding and filtering abilities through the GUI, a
dedicated interface has been developed to ease the creation of queries. Most
useful filters are provided, and it is also possible to query extended

* Preview : A new widget providing a graphical representation of the 
selected node. When a node is selected, this widget automatically 
selects the
most appropriate viewer. Pictures, text, html and video files are currently
supported. If there's no available viewer, the hexadecimal viewer will 
be used.
If you create or add any other viewer associated with a different file 
type, it
will be automatically used by the widget.

* Attributes pane : When double clicking on an attribute in the tree of
Attributes pane, a popup is displayed, allowing to copy the argument.

* Module Browser : A new widget has been developed to provide a new way to
browse, view and apply modules.

* Task manager widget : When double-clicking on a module in the task 
the output is now provided in a dedicated tab.


* Web viewer : This graphical module renders web pages and tries to 
them, if corresponding linked image or css file are found in the dump.
Currently, navigation between local files is disabled in order to forbid
external browsing. For security reasons, JavaScript is also disabled by 

* Find : This shell module gives the ability to search and filter 
directly in
the console. As required arguments, it takes a query and the node from
where the search will start. In order to have a human readable 
representation of
the query, a string describing the filter has to be provided. As optional
arguments, 'save_result' option will automatically create links to 
matched nodes
. By default, matches are not displayed but this can be enabled by 
providing the
"verbose" switch.

* Batch scripting : Reads a local file which contains DFF commands (one per
line) and execute them. It also accepts comments using the '#' character.
This module eases tests and developments by avoiding recurrent operation 
choosing, configuring and launching a module and provides to users a way to
automatize some tasks.

* Partition :
   - Add creation of unallocated areas in a dedicated folder.
   - Two new arguments:
     * sector size (to manage 4k sectors for example)
     * start offset of the MBR.
   - Results of the module has been enhanced to provide all unallocated
     spaces information.
   - Attributes of created nodes provide more detailed information.

* Fatfs : Fatfs module has been enhanced to support more forensics features.
   - Module now creates several nodes representing:
     * reserved sectors
     * unallocated space (based on the first FAT cluster status)
     * filesystem slack space (size of the underlying file minus total
       sectors found in the boot sector).
   - The generated tree has also been enhanced so as to base the name of
     the entry node (root of the module) on the volume label (if not 
     NONAME is used).
   - All FATs (even if there are 5 FATs) are also created as nodes with
     their own attributes (allocated and free clusters). This enables to 
     define if there are differences between FATs, based on their clusters
     status, by comparing their md5 hash, or by using the 'diff' module.
   - The module now provides its progression.

* EWF : The ewf module has been rewritten to support the v2 API of the 
developed by Joachim Metz (libewf).

* AFF : The module now supports afflib before version 3.6.11. Version is
obtained during the build process and provided to the preprocessor.


* All dependencies are now correctly checked before starting compilation.
Dedicated CMake modules have been created to find bfio, pff, ewf, afflib and
tre libraries. If not found, related modules won't be compiled. This 
permits to
compile DFF even if dependencies are not installed. On Windows platforms,
version of the compiler is better managed to include the right headers.


* Datatypes : Code in charge of magic library is now fully developed in C++
resulting in faster processing.

* UID Object System : This release has been the occasion to associate unique
identifier to some objects of the API. Currently it only concerns fso 
and nodes
objects. This also let you obtain fso and nodes by their ID at run time.

* FSO :
   - Each fso objects are linked together in a tree way. It is possible 
to know
     dependencies between modules in charge of the creation of node.
   - Add a new method to obtain a Node from its id
   - Add a new methode to have access to all created nodes as a list.

* Node : All attributes methods of Node have been refactored and are faster.
   - Add a new  method which return its extension if available.
   - Testing compatibility with a module has been extended by checking the
     extension besides its type. Indeed, sometimes, it was not accurate 
to only
     rely on results provided by magic to auto detect compatible modules.
     For example, VmWare configuration files are detected as text by magic.

* VFS :
   - Now have an UID Object System.
   - New method to obtain fso by their ids.
   - New method to obtain nodes by their ids.
   - New method to access all applied modules of type fso.
   - All orphaned nodes (nodes which don't have a related fso), are also 
     by the VFS.

* Search : Search API has been totally rewritten in an object oriented way,
using TRE library.
   - Search objects provide methods to set pattern syntax:
     * fixed
     * wildcard
     * approximate (use TRE library)
     * regexp patterns (use TRE library)
   - Search are faster and relies on a modified version of fastsearch
     functions implemented in Python (BoyerMoore + Bloom filters).

* Filter : As mentioned, the main feature of this release is filtering
capability. It has been directly implemented in the API to provide 
Filter object
   - Several methods enable to set the query, to compile it and return 
     nodes. Filter objects are "event aware" in order to give the 
possibility to
     stop the process but also to inform about progression and the number of
     matched nodes.
   - It is possible to apply a query recursively or only in one folder.

* VFile : Objects are compliant with the new search API but is still
compatible with the old one.
   - Extends their ability by matching patterns based on :
     * regular expressions
     * approximate search strings.
   - VFile is also "event aware" meaning that it could receive external
     message to stop heavy processing such as searches.

* ConfigManager : Provides a way to unregister configuration
of modules at run time. It is mostly used by the loader when a module is

* VTime :
   - Comparison operators have been implemented in vtime
   - Can be now created with a string as parameter or a timestamps
   - Timestamps can be Unix or Microsoft based (64 bits) allowing auto

* Loader :
   - When a module can not be loaded properly, traceback is saved and
     encountered errors are summed up at the end of loading.
   - Unregisters the configuration of the module if this one is reloaded
     at run time.

* Mimetree : A new object is provided to extract mime types from 
compiled magic
file (version 7 and 8 are managed). The result is a two level tree 
main categories (such as images) and at the second level subcategories 
(such as

Bug Fixes :


* Interpreter :  When huge processing were done in the GUI interpreter, it
froze the whole interface. Execution of Python code is now done in a 
thread and edition is disabled until thread has finished.

* Attributes column selector : In some cases, the selection of 
attributes to be
added as column could lead to crashes. This bug has been fixed but this 
part has
to be improved since it currently only provides attributes selection 
based on
the first node found.

* Evidence dialog : Resizing the dialog was not properly handled 
resulting in
inappropriate widgets size.

* Taskmanager : there was a typo error which led to the unavailability 
of the
results of modules

* Menu : Opening folders in a new tab did not work properly.


* NTFS :
   - Add a NULL pointer check forgotten prior to MFT entry header validation
   - Fixes an integer overflow in attributes analysis. This second fix 
     regular items detected as deleted ones.

* Carver :
    - Previous version of the carver worked with wildcard but this 
feature has
      been temporary disabled because there was a bug in the old search API.
    - The module is currently rewritten to be compliant with the new 
search API
      and to provide more accurate results.

* Load : Arguments were not properly obtained because they differ from those
defined in the configuration resulting in errors when using the module.

* Viewer Hexadecimal :
   - Slider operations are now implemented in pixel and string view
   - It's now possible to trigger the cursor or its area to navigate 
within the
     page view.
   - QGraphicsView is now instantiated with parent widget

* Hash : When several hash algorithms were provided, they were processed in
serial way. They are now processed in parallel, digests are updated for each
read buffer.

* Partition :
   - Fix an overflow with total_blocks resulting in bad size settings.
   - FileMapping are better handled and manages odd cases such as file 
     less sectors than defined in partition entry.

* Player : Fixes a bug based on phonon when opening multiple audio 
source. It
seems Phonon can only handle one audio stream at a time.


* Attributes : Fixes memory leak due to ownership of objects return from 
the API
to Python.

* DataType : Fixes multi-thread concurrent access crash by locking in 
the right

contact at digital-forensic.org
Main website: http://www.digital-forensic.org
Documentation wiki: http://wiki.digital-forensic.org
Project tracker: https://tracker.digital-forensic.org

More information about the dff-announce mailing list