From project at digital-forensic.org Wed Oct 5 13:30:50 2011 From: project at digital-forensic.org (Digital Forensics Framework) Date: Wed, 05 Oct 2011 13:30:50 +0200 Subject: [dff-devel] Digital Forensics Framework 1.2.0 released Message-ID: <4E8C3FEA.4030409@digital-forensic.org> DFF 1.2.0 has just been released and can be downloaded at: http://www.digital-forensic.org/download New features: ------------- User Interfaces: ---------------- * Batch script : It is now possible to provide batch script directly as a parameter when invoking dff.py using the switch "-b" followed by the local file containing commands. This functionality uses the "batch" module. * Filter : To enable finding and filtering abilities through the GUI, a dedicated interface has been developed to ease the creation of queries. Most useful filters are provided, and it is also possible to query extended attributes. * Preview : A new widget providing a graphical representation of the currently selected node. When a node is selected, this widget automatically selects the most appropriate viewer. Pictures, text, html and video files are currently supported. If there's no available viewer, the hexadecimal viewer will be used. If you create or add any other viewer associated with a different file type, it will be automatically used by the widget. * Attributes pane : When double clicking on an attribute in the tree of Attributes pane, a popup is displayed, allowing to copy the argument. * Module Browser : A new widget has been developed to provide a new way to browse, view and apply modules. * Task manager widget : When double-clicking on a module in the task manager, the output is now provided in a dedicated tab. Modules: -------- * Web viewer : This graphical module renders web pages and tries to reconstruct them, if corresponding linked image or css file are found in the dump. Currently, navigation between local files is disabled in order to forbid external browsing. For security reasons, JavaScript is also disabled by default. * Find : This shell module gives the ability to search and filter directly in the console. As required arguments, it takes a query and the node from where the search will start. In order to have a human readable representation of the query, a string describing the filter has to be provided. As optional arguments, 'save_result' option will automatically create links to matched nodes . By default, matches are not displayed but this can be enabled by providing the "verbose" switch. * Batch scripting : Reads a local file which contains DFF commands (one per line) and execute them. It also accepts comments using the '#' character. This module eases tests and developments by avoiding recurrent operation like choosing, configuring and launching a module and provides to users a way to automatize some tasks. * Partition : - Add creation of unallocated areas in a dedicated folder. - Two new arguments: * sector size (to manage 4k sectors for example) * start offset of the MBR. - Results of the module has been enhanced to provide all unallocated spaces information. - Attributes of created nodes provide more detailed information. * Fatfs : Fatfs module has been enhanced to support more forensics features. - Module now creates several nodes representing: * reserved sectors * unallocated space (based on the first FAT cluster status) * filesystem slack space (size of the underlying file minus total sectors found in the boot sector). - The generated tree has also been enhanced so as to base the name of the entry node (root of the module) on the volume label (if not present, NONAME is used). - All FATs (even if there are 5 FATs) are also created as nodes with their own attributes (allocated and free clusters). This enables to quickly define if there are differences between FATs, based on their clusters status, by comparing their md5 hash, or by using the 'diff' module. - The module now provides its progression. * EWF : The ewf module has been rewritten to support the v2 API of the library developed by Joachim Metz (libewf). * AFF : The module now supports afflib before version 3.6.11. Version is obtained during the build process and provided to the preprocessor. Build: ------ * All dependencies are now correctly checked before starting compilation. Dedicated CMake modules have been created to find bfio, pff, ewf, afflib and tre libraries. If not found, related modules won't be compiled. This permits to compile DFF even if dependencies are not installed. On Windows platforms, version of the compiler is better managed to include the right headers. API: ---- * Datatypes : Code in charge of magic library is now fully developed in C++ resulting in faster processing. * UID Object System : This release has been the occasion to associate unique identifier to some objects of the API. Currently it only concerns fso and nodes objects. This also let you obtain fso and nodes by their ID at run time. * FSO : - Each fso objects are linked together in a tree way. It is possible to know dependencies between modules in charge of the creation of node. - Add a new method to obtain a Node from its id - Add a new methode to have access to all created nodes as a list. * Node : All attributes methods of Node have been refactored and are faster. - Add a new method which return its extension if available. - Testing compatibility with a module has been extended by checking the extension besides its type. Indeed, sometimes, it was not accurate to only rely on results provided by magic to auto detect compatible modules. For example, VmWare configuration files are detected as text by magic. * VFS : - Now have an UID Object System. - New method to obtain fso by their ids. - New method to obtain nodes by their ids. - New method to access all applied modules of type fso. - All orphaned nodes (nodes which don't have a related fso), are also managed by the VFS. * Search : Search API has been totally rewritten in an object oriented way, using TRE library. - Search objects provide methods to set pattern syntax: * fixed * wildcard * approximate (use TRE library) * regexp patterns (use TRE library) - Search are faster and relies on a modified version of fastsearch functions implemented in Python (BoyerMoore + Bloom filters). * Filter : As mentioned, the main feature of this release is filtering capability. It has been directly implemented in the API to provide Filter object - Several methods enable to set the query, to compile it and return matching nodes. Filter objects are "event aware" in order to give the possibility to stop the process but also to inform about progression and the number of matched nodes. - It is possible to apply a query recursively or only in one folder. * VFile : Objects are compliant with the new search API but is still compatible with the old one. - Extends their ability by matching patterns based on : * regular expressions * approximate search strings. - VFile is also "event aware" meaning that it could receive external message to stop heavy processing such as searches. * ConfigManager : Provides a way to unregister configuration of modules at run time. It is mostly used by the loader when a module is reloaded. * VTime : - Comparison operators have been implemented in vtime - Can be now created with a string as parameter or a timestamps - Timestamps can be Unix or Microsoft based (64 bits) allowing auto conversion. * Loader : - When a module can not be loaded properly, traceback is saved and encountered errors are summed up at the end of loading. - Unregisters the configuration of the module if this one is reloaded at run time. * Mimetree : A new object is provided to extract mime types from compiled magic file (version 7 and 8 are managed). The result is a two level tree containing main categories (such as images) and at the second level subcategories (such as jpeg). Bug Fixes : ----------- GUI: ---- * Interpreter : When huge processing were done in the GUI interpreter, it froze the whole interface. Execution of Python code is now done in a dedicated thread and edition is disabled until thread has finished. * Attributes column selector : In some cases, the selection of attributes to be added as column could lead to crashes. This bug has been fixed but this part has to be improved since it currently only provides attributes selection based on the first node found. * Evidence dialog : Resizing the dialog was not properly handled resulting in inappropriate widgets size. * Taskmanager : there was a typo error which led to the unavailability of the results of modules * Menu : Opening folders in a new tab did not work properly. Modules: -------- * NTFS : - Add a NULL pointer check forgotten prior to MFT entry header validation - Fixes an integer overflow in attributes analysis. This second fix adjusts regular items detected as deleted ones. * Carver : - Previous version of the carver worked with wildcard but this feature has been temporary disabled because there was a bug in the old search API. - The module is currently rewritten to be compliant with the new search API and to provide more accurate results. * Load : Arguments were not properly obtained because they differ from those defined in the configuration resulting in errors when using the module. * Viewer Hexadecimal : - Slider operations are now implemented in pixel and string view - It's now possible to trigger the cursor or its area to navigate within the page view. - QGraphicsView is now instantiated with parent widget * Hash : When several hash algorithms were provided, they were processed in serial way. They are now processed in parallel, digests are updated for each read buffer. * Partition : - Fix an overflow with total_blocks resulting in bad size settings. - FileMapping are better handled and manages odd cases such as file having less sectors than defined in partition entry. * Player : Fixes a bug based on phonon when opening multiple audio source. It seems Phonon can only handle one audio stream at a time. API: ---- * Attributes : Fixes memory leak due to ownership of objects return from the API to Python. * DataType : Fixes multi-thread concurrent access crash by locking in the right places. -- contact at digital-forensic.org Main website: http://www.digital-forensic.org Documentation wiki: http://wiki.digital-forensic.org Project tracker: https://tracker.digital-forensic.org