DFF shell

From Digital Forensics Framework


This part is dedicated to the DFF command line interface. With it you can perform the same tasks as in graphical mode. The advantage of the command line interface is that it does not require an X server to be installed. The DFF shell can also be launched while using the DFF GUI.

In the DFF manual, you will find everything you need to know about the DFF graphical interface.

Get started

There are two ways to launch the shell:

  • By clicking on the shell icon of the application tool bar (the GUI must already be started).
  • By using the command
$> dff.py


Passing the -g option to this command starts the GUI.

Before control is handed to the user, the list of modules DFF could load is displayed, along with error messages if DFF was not able to load one or several of them.

The shell looks like the following screenshot, and is empty for now:

Shell start.png

Integrated help

If you do not know which commands you can use, just press the Tab key and all available commands will be displayed:

Shell tab help.png

The screenshot was truncated; more options should be available. Once you have chosen a command, let's say local, you can type local in the shell, then press Tab again: all possible options for local will be displayed. Basically, you can use shell completion on command names and option names.

Note that you can browse your command history with the up and down arrow keys.

Using the shell

The first step is to load data into the Virtual File System.


local should always be the first command used. It is the equivalent of Add evidence file(s) in the GUI.

So we will take a look at the local options:

Shell local opt.png

We can see that there are two possible options:

  • --path : required
  • --parent : optional

--path is the path to the local file you want to load into DFF. --parent is used to define the name of the parent of the node which will be created.

Then we load a file using the following command:

dff /> local --parent / --path /path/to/the/dump.img

where /path/to/the/dump.img is the actual path to the file you really want to load. The --parent / option indicates that the dump file will be added at the root of DFF tree view.

If local did not return any error message, everything worked and a node was created with the same name as your file. In this guide, we will use a file called "VirtualHDD". To ensure that our file was loaded and the node created, we can use the ls command to list the content of the current node:

Shell ls.png


For now, we cannot do a lot with our node. We have to determine which type of data it is composed of and identify which relevant module to use. For this, we use the fileinfo command. The result shows us that this dump contains an x86 boot sector and that the partition module can be used.

Shell fileinfo.png

One relevant module is the partition module, so we launch it and then go into the node VirtualHDD/partition by using the cd command:

dff /> cd VirtualHDD/partition

Three partitions have been detected, called part1, part2 and part3 respectively:

Shell part.png
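To make the "x86 boot sector" result and the three detected partitions concrete, the following added example (not DFF code, and not taken from the original page) parses the on-disk structure involved: the 0x55AA signature at offset 510 and the four 16-byte primary partition entries at offset 446. The sample sector is constructed, the part1..part3 names only mirror the node names above, and the `image_sectors` parameter is a hypothetical helper for flagging a partition that extends past the end of a truncated dump.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446  # the four 16-byte primary partition entries start here
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY = struct.Struct("<B3xB3xII")
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x83: "Linux"}

def has_boot_signature(sector):
    """True if the sector ends with the 0x55 0xAA boot signature."""
    return len(sector) >= SECTOR_SIZE and sector[510:512] == b"\x55\xaa"

def parse_mbr(sector, image_sectors=None):
    """Return the non-empty primary partition entries of an MBR sector."""
    if not has_boot_signature(sector):
        raise ValueError("no 0x55AA signature: not an x86 boot sector")
    parts = []
    for index in range(4):
        status, ptype, lba_start, count = ENTRY.unpack_from(
            sector, TABLE_OFFSET + 16 * index)
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({
            "name": "part%d" % (index + 1),  # assumption: named by slot
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "offset": lba_start * SECTOR_SIZE,  # byte offset in the dump
            "size": count * SECTOR_SIZE,
            # A partition ending beyond the image suggests a truncated dump.
            "truncated": image_sectors is not None
                         and lba_start + count > image_sectors,
        })
    return parts

def build_sample_mbr():
    """Constructed sample: one MBR sector describing three partitions."""
    sector = bytearray(SECTOR_SIZE)
    layout = [(0x80, 0x83, 2048, 20480),
              (0x00, 0x0B, 22528, 20480),
              (0x00, 0x07, 43008, 20480)]
    for i, fields in enumerate(layout):
        ENTRY.pack_into(sector, TABLE_OFFSET + 16 * i, *fields)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    for part in parse_mbr(build_sample_mbr(), image_sectors=60000):
        print(part)
```
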

We can use fileinfo once more on one or several of these nodes to determine what they are and choose an appropriate module.


Refer to the Modules page for an exhaustive list of all available modules with their options. Some modules can ONLY be used in GUI mode, such as timeline or the picture viewer. If a module can only be used in GUI mode, a message will indicate it.