From project at digital-forensic.org Mon Jan 10 16:00:24 2011
From: project at digital-forensic.org (Digital Forensics Framework)
Date: Mon, 10 Jan 2011 16:00:24 +0100
Subject: [dff] DFF 0.9 released
Message-ID: <4D2B1F08.4090404@digital-forensic.org>

DFF 0.9 has just been released and can be downloaded at:
http://www.digital-forensic.org/download

This release includes major bug fixes improving the stability of the
framework on some platforms, as well as many new features.

First of all, we would like to thank two new contributors:

- Pablo J. Rogina, who did the Spanish translation and provided patches
  and feedback.
- Johannes Stuettgen, who is developing a module providing AFF4 support
  that will certainly be included in the 1.0 release.

New Features:
-------------

* LibEWF support: LibEWF [1], developed by Joachim Metz, has been
  included as a connector. It provides support for the Encase(R) file
  format (E01/S01).

* Bookmarks: It is now possible to bookmark interesting nodes and sort
  them by category. The aim is to gather relevant files while performing
  an analysis. Bookmarked nodes can then be used by other modules and
  also extracted.

* Advanced hexadecimal viewer: Features used to solve the DFRWS 2010
  challenge [2] have been included. This upgraded version of the
  hexadecimal viewer provides three new visualization modes:
  - A pixel view that renders dumps graphically, which makes it possible
    to recognize structures visually. Several rendering options are
    provided (8 bits, RGB, resolution, ...).
  - A block mode view providing a simple way to see a dump in blocks.
    The block size can be chosen in the corresponding option panel.
  - A streamed string view which renders printable characters.
  These features are very useful when studying unknown data structures
  or performing advanced file analysis.

* NTFS ADS: The NTFS module now supports alternate data streams (ADS).
  With ADS, several data streams belong to one file entry; each data
  stream is provided as a node, which simplifies analysis.

* Windows devices: Devices on Windows can now be directly opened and
  used in DFF. This enables live forensics analysis in an easy way. It
  also provides a way to dump devices by extracting the corresponding
  nodes.

* Virtual modification of nodes (aka files): Two new modules have been
  added to modify nodes virtually (i.e. in memory, without writing to
  disk):
  - The Cut module creates a new node from a part of a file, given a
    start offset and a size.
  - The Merge module merges two files into a new one.
  These two modules are very useful when working with large files.

* Loader and API versioning: Each component of the API now has its own
  version number. Modules and scripts can now declare dependencies on
  specific API components, which are checked when they are loaded.
  Loader backward compatibility is maintained: modules and scripts
  written the old way are still loaded.

* Inline documentation: Documentation has been incorporated directly
  into the framework. It is now possible to browse it from within the
  software, including in a disconnected environment.

* Execution times: Each process in the task manager now displays its
  execution time.

* Enhanced GUI ergonomics: Several parts of the GUI have been enhanced
  to provide a better look and feel:
  - The dialog window used to provide arguments to modules has been
    redesigned.
  - Easier selection of input files and/or directories.
  - Enhanced dialog to select devices.
  - The right-click menu has been refactored. Some categories have been
    renamed.

* Language packs: Using the --lang switch when starting DFF from the
  command line selects the language used in the graphical user
  interface. Translations are provided for three languages: English,
  Spanish and French. Contributions to support other languages are
  welcome.

* Debug switch: A new switch (-d) outputs all prints to the console
  without modifying lines of code.

Bug fixes:
----------

* GUI proxy model issues: A major bug in the node browser leading to
  crashes on some architectures has been fixed. It was related to the
  refresh events on nodes and the way signals were sent between views
  and the model.

* Exceptions: Exceptions were not correctly handled in version 0.8.
  There is now a generic exception handler used for each wrapped method.
  This significantly reduces crashes and provides more user-friendly
  messages when errors are encountered in modules.

* NTFS: Attribute parsing on huge file systems has been improved. The
  DFF attribute conversion from int to string has been removed; it was
  used to show both decimal and hexadecimal views, which now has to be
  managed by the graphical view itself. The MFT and index decoding
  modes (entries starting with FILE or INDX) have been fixed. This is
  useful for deep analysis.

* EXTFS: Error management is now done properly. Default values and
  behaviors for some options have been modified so that the module
  starts without modifying the default configuration.

* Arguments: Fixed issues with the integer type and optional arguments
  generated by the GUI in 0.8.

* Picture viewer: Exif information is no longer editable.

And of course, Happy New Year!

[1] http://sourceforge.net/projects/libewf/
[2] http://www.dfrws.org/2010/challenge/index.shtml

-- 
contact at digital-forensic.org
Main website: http://www.digital-forensic.org
Documentation wiki: http://wiki.digital-forensic.org
Project tracker: https://tracker.digital-forensic.org
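As an added example (not part of the announcement above and not DFF's own code), the following Python sketch reproduces the idea behind two of the hexadecimal viewer's new modes: the pixel view lays a byte dump out as an 8-bit or RGB image at a chosen width so that fixed-size records show up as repeating rows, and the streamed string view lists runs of printable characters with their offsets. The function names, the PNM output format and the constructed sample dump are assumptions of this example.

```python
"""Pixel view and streamed string view of a byte dump (added example,
not DFF code): a dump laid out as a PNM image makes fixed-size records
visible as repeating rows; printable runs are listed with their offsets."""
import string

# Printable ASCII bytes, without control whitespace (tab, newline, ...).
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def pixel_view(data: bytes, width: int, mode: str = "8bits") -> bytes:
    """Render `data` as a binary PNM image: one byte per pixel in "8bits"
    (PGM, grayscale) mode, three bytes per pixel in "RGB" (PPM) mode.
    `width` is the pixel width; choose it equal to the suspected record
    size so that each record occupies exactly one image row."""
    if mode not in ("8bits", "RGB") or width <= 0:
        raise ValueError("mode must be '8bits' or 'RGB' and width > 0")
    bpp = 1 if mode == "8bits" else 3
    row = width * bpp
    height = -(-len(data) // row)                          # ceil(len / row)
    padded = data + b"\x00" * (height * row - len(data))   # zero-pad last row
    magic = b"P5" if bpp == 1 else b"P6"
    return b"%s %d %d 255\n" % (magic, width, height) + padded


def streamed_strings(data: bytes, min_len: int = 4):
    """Yield (offset, text) for each run of at least `min_len` printable
    ASCII bytes, the way a string view walks through a dump."""
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield start, data[start:i].decode("ascii")
            start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:].decode("ascii")


if __name__ == "__main__":
    # Constructed sample dump: 32 fake 16-byte records (4-byte magic,
    # 4-byte counter, 7-byte name, 1 pad byte); at width 16 each record
    # becomes one row, so the repeating layout is obvious in the image.
    dump = b"".join(b"REC\x00" + i.to_bytes(4, "little")
                    + b"node%03d" % i + b"\x00" for i in range(32))
    with open("dump.pgm", "wb") as fh:       # open with any PNM-capable viewer
        fh.write(pixel_view(dump, 16))
    for off, text in streamed_strings(dump):
        print(f"{off:#06x}: {text}")
```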