The Digital Forensics Framework (DFF) is a free and open source digital investigation tool and a development platform.
The framework is used by system administrators, law enforcement examinors, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies.
DFF consists of tools, libraries, modules, and user interfaces. The basic function of the framework is to agregate information and methodologicaly analyze volumes, file systems, user and applications data, while extracting metadata, deleted and hidden items.
Information are processed into virtual read-only containers, thus preserving the integrity and authenticity of data.
Here are some key features of "Dff":
· User Interface : File browser, bookmarks, dockable windows, Integrated Development Environment and interpreter (Python), command line, multilanguage, task manager.
· Viewers : Images, videos, text, web, file systems statistics
· Timeline analysis : Graphical view, virtual extraction and reduction, metadata filters
· Hexadecimal viewer : Large files support, page navigation, pixel navigation and view, search ...
· Volumes : Partitions, VMDK (Vmware)
· Manipulation de fichiers : Cut, merge, extraction, spares reduction
· Metadata : EXIF, datetime, data structures, etc.
· Volatile memory : Windows XP (volatility)
· File systems : FAT 12/16/32, NTFS, EXTFS 2/3/4
· Data recovery : File systems algorithms, file carving
· Windows registry: Reconstruction and analysis
· Other: Local devices, hash (md5, sha*), zip, unxor ...
Requirements:
· Python
What`s New in This Release: [ read full changelog ]
Features:
· Translation : DFF GUI is now available in chinese, thanks to Zhang Jun. Other languages were updated : Deutch, Italian, ...
· AFF : A connector to support AFF dump. The module is based on AFFLib by Simson L. Garfinkel (http://afflib.org)
· PFF : This module parses PST, OST and PAB files to extract mailbox contents, it also recovers deleted and orphaned files and give access to unallocated clusters. It`s based on Joachim Metz LibPFF. (http://sourceforge.net/projects/libpff)
· API : New cache system for FileMapping and File Descriptor. vtime now can directly convert unix and windows 64 bits time stamp.
FAT:
extended attributes:
· When there is slack space, a dedicated attribute specifies its start offset and its size. This feature is only available for classical files (neither deleted nor orphaned)
· Classical attributes are provided: Read Only, Hidden, System, Archive, Volume
· DOS name is provided (8+3 name)
· Orphaned files scan The algorithm is now faster. When walking on free clusters...
