GUI

From Digital Forensics Framework

This page presents the different areas and menus that make up the GUI. If you only want to use the command line interface, read the command line interface page instead. If you do not know what DFF is or what it is used for, we recommend reading the short introduction to the framework first. DFF has been designed to be simple to use, so you should have no difficulty getting to grips with it.

For a quick overview of how DFF is used, read the Quick start guide rather than this page.


Everything is a Node

DFF gives users a tree view of the analyzed data. For example, if an NTFS file system is parsed, its entire content is shown in the DFF graphical interface as a tree: each directory contains files and directories, which themselves contain other files and directories, and so on. It behaves more or less like the file browser of any operating system.

An example of this kind of view is given in the following screenshot (here, the result of analyzing an Extfs file system):

Ext res.png

Any computer user has already seen something like this. Within DFF, those files and directories are called Nodes. Nodes are created by modules (also called plugins) when an analysis is run. Each module is designed to analyze one specific kind of data, but all of them generate Nodes, whatever the input data was (file systems, volatile memory, cell phone memory, etc.).

To get more details about DFF internals, you can read the technical documentation.
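The tree-of-nodes idea is easy to mistake for a plain file browser, so here is a small model of it in Python. This is an added example written for this page, not DFF's own code or API: the Node and VFS classes, the two toy modules (one for a file-system listing, one for a process list) and the search helper are all assumptions, and both inputs are constructed strings rather than real evidence. It shows what the text states: modules understand different input formats, but every one of them emits Nodes with module-specific attributes into the same tree, and even search results are Nodes, placed under "Searched items".

```python
"""Toy model of a forensic VFS in which every artefact is a Node.

Added example written for this page; it is not DFF's own API. The Node and
VFS classes, the two "modules" and the sample inputs are assumptions built
to illustrate the idea; the inputs are constructed, not real images.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Optional


@dataclass
class Node:
    """One entry in the tree: a file, a directory, a process, a search hit..."""
    name: str
    parent: Optional["Node"] = None
    size: int = 0
    attributes: Dict[str, object] = field(default_factory=dict)  # module-specific
    children: List["Node"] = field(default_factory=list)

    def add_child(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child

    def absolute(self) -> str:
        return "" if self.parent is None else self.parent.absolute() + "/" + self.name


class VFS:
    """Root tree with the four default nodes the GUI shows on start-up."""

    def __init__(self) -> None:
        self.root = Node("")
        for name in ("Bookmarks", "Local devices", "Logical files", "Searched items"):
            self.root.add_child(Node(name))

    def getnode(self, path: str) -> Optional[Node]:
        """Resolve an absolute path such as '/Logical files/disk.img/etc'."""
        node = self.root
        for part in path.strip("/").split("/"):
            if part == "":
                continue
            node = next((c for c in node.children if c.name == part), None)
            if node is None:
                return None
        return node

    def mkdirs(self, parent: Node, parts: List[str]) -> Node:
        """Return (creating as needed) the directory chain parts[] under parent."""
        for part in parts:
            found = next((c for c in parent.children if c.name == part), None)
            parent = found if found is not None else parent.add_child(Node(part))
        return parent

    def walk(self, node: Optional[Node] = None) -> Iterator[Node]:
        node = node or self.root
        yield node
        for child in node.children:
            yield from self.walk(child)


# Two "modules": each understands one input format, but both only emit Nodes.
def fs_module(vfs: VFS, parent: Node, listing: bytes) -> Node:
    """Parse a constructed 'type path size mtime' listing into a file tree."""
    image = parent.add_child(Node("disk.img", attributes={"module": "fs"}))
    for line in listing.decode().splitlines():
        kind, path, size, mtime = line.split()
        *dirs, leaf = path.split("/")
        folder = vfs.mkdirs(image, dirs)
        folder.add_child(Node(leaf, size=int(size), attributes={"mtime": int(mtime), "kind": kind}))
    return image


def mem_module(vfs: VFS, parent: Node, pslist: bytes) -> Node:
    """Parse a constructed 'pid ppid name' process list into process nodes."""
    dump = parent.add_child(Node("mem.dump", attributes={"module": "mem"}))
    procs = dump.add_child(Node("processes"))
    for line in pslist.decode().splitlines():
        pid, ppid, name = line.split()
        procs.add_child(Node(f"{pid} {name}", attributes={"pid": int(pid), "ppid": int(ppid)}))
    return dump


def search(vfs: VFS, match: Callable[[Node], bool]) -> List[Node]:
    """Search results are Nodes too: they are created under 'Searched items'."""
    hits = vfs.getnode("/Searched items")
    results = [n for n in vfs.walk(vfs.getnode("/Logical files")) if match(n)]
    return [hits.add_child(Node(n.name, attributes={"target": n.absolute()})) for n in results]


# Constructed sample inputs (not real evidence).
FS_LISTING = b"d etc 0 1700000000\nf etc/passwd 1234 1700000010\nf etc/shadow 567 1700000020\nf home/user/notes.txt 42 1700000040\n"
PS_LIST = b"1 0 init\n842 1 sshd\n903 842 bash\n"


def build_demo() -> VFS:
    """Load both constructed inputs under 'Logical files', as two analyses would."""
    vfs = VFS()
    logical = vfs.getnode("/Logical files")
    fs_module(vfs, logical, FS_LISTING)
    mem_module(vfs, logical, PS_LIST)
    return vfs


if __name__ == "__main__":
    v = build_demo()
    for node in v.walk():
        print(node.absolute() or "/", node.size, node.attributes)
    print([n.attributes["target"] for n in search(v, lambda n: n.name.endswith(".txt"))])
```

Run it directly to print the whole tree; getnode() resolves the same absolute paths that the GUI shows in its tree view, and the attributes dictionary is what the data attributes area would display for the selected node.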

Installation

If you have not installed the framework yet, see the install documentation. DFF has been tested on several architectures and runs on the following systems:

  • GNU / Linux (32 and 64 bits)
  • FreeBSD
  • Windows XP and Vista (32 and 64 bits)
  • MacOS

.deb and .rpm packages have been built for Debian-based and Red Hat-based systems respectively, so the required dependencies are resolved and installed automatically. An installer is provided for users running a Windows operating system. On other systems, you will have to compile DFF and install its dependencies manually.

Main window

There are two ways to launch DFF:

  • Using the application menu of your operating system and clicking on the DFF icon.
  • Launching the command :
dff.py -g

When it starts, the following window appears (it is empty for now):

Dff main window.png

The different areas are highlighted; they are described in the following sub-sections.

Application menu

Menus accessible through the application menu are described below.

DFF app menu.png

File menu

File menu.png
  • Open evidence file: add files or directories to DFF so they can be analyzed.
  • Open local device: open a device (such as /dev/sda) into the DFF VFS (virtual file system) so it can be analyzed. Reading a raw device normally requires administrator (root) privileges, and an evidence drive should sit behind a hardware write blocker so that the analysis cannot alter it.
  • Exit: quits the application.

Edit menu

Edit menu.png
  • Preferences: open the Preferences dialog box, where the framework is configured.

Module menu

Mod menu.png

This menu lists all the modules that can be used within DFF. Each module has a specific function and produces its own results. See the modules page for a description of all modules.

View menu

View menu.png
  • Maximize: maximize the currently selected tab so that it occupies all the available space.
  • Fullscreen mode: switch to full-screen mode, or return to windowed mode if DFF was already in full-screen mode.
  • Browser: open a new browser tab.
  • Shell: open a new DFF shell.
  • Python interpreter: open a Python interpreter.

IDE menu

IDE.png
  • IDE: start the DFF Integrated Development Environment.

About menu

About.png
  • About: display the About dialog, showing the DFF version and some useful information.
  • DFF documentation: open the embedded documentation.

Application tool-bar

App tool bar.png

The application tool-bar is used to perform actions such as adding an evidence file or a device to DFF, or opening graphical views.

Available buttons:

  • Open evidence file(s): open local file(s) or a directory and load them into DFF.
  • Open local device: open a local device, such as /dev/sda (Unix / GNU-Linux) or C: (Windows), and load it into DFF.
  • Browser: open a project browser in a new tab.
  • Shell: open a command line interface in a new tab.
  • Python interpreter: open a Python interpreter in a new tab.
  • IDE: launch the DFF embedded IDE (integrated development environment).
  • DFF documentation: open the embedded help.
  • Maximize: maximize the currently selected tab so that it occupies all the available space.
  • Full screen: switch to full-screen mode, or return to windowed mode if DFF was already in full-screen mode.

Project browser

The views that make up the project browser are the main part of the GUI: this is where analysis results are displayed. It is comparable to a file browser on an operating system and looks like the following screenshot:

Browser.png

When you launch DFF, four default nodes are created:

  • Bookmarks
  • Local devices
  • Logical files
  • Searched items

Note: the project tool-bar is part of the browser, but its components are described in the Project tool-bar subsection below.

Project browser areas

The browser is divided into three main parts:

  • Tree view area: the analyzed data, organized as a tree.
  • Data display area: the analyzed data, organized as a list. Attributes such as size, MAC times or MIME type can be displayed as columns.
  • Data attributes area: all the other attributes a node can carry (depending on the module that generated it), for the node currently selected in the data display area.

These areas are empty for now, except for the default nodes automatically created by the framework (Bookmarks, Local devices, Logical files and Searched items). They are filled once an analysis has been performed.

Project tool-bar

Project toolbar.png

The different options of this tool-bar are used to navigate within a project.

  • Back: go back to the previous location.
  • Forward: go to the next location.
  • Up: go to the parent directory.
  • Home: go to the root directory.
  • Display mode: choose how data is displayed (list, tree or icons view).
  • Select attributes: select which information is shown in the data display area.
  • Attributes: hide or show the data attributes area.
  • Bookmarks: bookmark a location.
  • Search: open the search bar.
  • Thumbnails: display or hide thumbnails.
  • Thumbnail size: choose the size of the thumbnails (enabled only when the display mode is set to Icons).

Task manager

Task manager.png

The task manager is divided into four tabs:

  • Task manager: lists the active modules with their states.
  • Output: displays messages.
  • Errors: displays error messages.
  • Modules: lists the modules that can be used, with the parameters each of them accepts as input.

DFF Shell

The DFF command line interface. Everything that can be done with the GUI can also be done from the command line interface.

Dff shell.png

Python shell

A Python shell is integrated into DFF.

Python shell.png

IDE (Integrated Development Environment)

The IDE can be used by developers to generate Python skeletons for their modules.

IDE run.png
