Introduction

From Digital Forensics Framework

Overview

What is DFF ?

DFF stands for Digital Forensics Framework. It is a simple but powerful open source tool with a flexible module system, designed to make digital forensics and eDiscovery analysis easier. The framework offers a modular environment to IT managers, IT security managers and law enforcement. It extracts, analyzes and correlates suspicious traces and data from different files, coming from data acquisition on digital media such as hard disk drives, RAM or cell phone memory. It can also be used to recover deleted data.

Written in Python and C++, it is cross-platform, highly modular and customizable. The graphical user interfaces are developed with PyQt. The interface and wrapping between Python and C++ is achieved with SWIG.

DFF is released under the terms of the GPL version 2 free software license.


Why use DFF?

Nowadays, computer forensic analysis tools are mainly large proprietary software packages.

Few free and open source solutions offer the same kind of fully integrated services; most of them are implemented as stand-alone tools. Although some frameworks exist, they are not very user- or developer-friendly. That is why we decided to develop DFF as a free, open source and multi-platform solution.

This project follows three main goals:

  • Modularity: contrary to the monolithic model, the modular model is based on a host and many dynamic modules. This concept allows fast improvement of the software and the addition of many different functionalities.
  • Scriptability: it gives the tool more flexibility. It also enables automation, which makes things easier to use, and provides a way to extend features.
  • Portability: DFF developers want the project to remain OS independent. We want to help people where they are by letting them choose any operating system to use this software.

The framework

DFF is divided into three software layers, communicating with each other through a modular Application Programming Interface (API):

  • The core layer.
  • User interfaces (GUIs).
  • Modules.

Core layer

The first layer can be seen as the heart of the framework. It is used to load and run plugins. Plugin execution is automatic, as the core layer is designed to "know" which plugin must be launched when it is required. This layer also offers a way for plugins to render the analyzed data in the form of nodes within a tree.

The memory space where these nodes are created is called a Virtual File System (VFS). Each node can be generated by a different plugin and have specific attributes. This mechanism allows the kernel to generate reports by correlating all data coming from plugins while remaining independent from the plugins themselves. Even if a plugin crashes, once nodes are created, the kernel will be able to exploit them. As modules are designed for forensic analysis, they also treat and reveal unallocated and hidden data.

Modules / Plugins

The second layer is composed of the plugins mentioned in the previous paragraph. Each of them is designed to analyze one specific type of data, such as RAM memory, file systems or network frames. They create nodes in the core layer's virtual file system and, according to the type of data, generate useful information such as time indications or extracted metadata. Without plugins, the core layer is useless.
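The host-and-modules model described in the two sections above (core layer plus plugins) is easier to grasp with a small runnable sketch. The following is an added example written for this page; it is a toy model and not DFF's own API or code. It assumes constructed stand-ins for a disk image and a FAT volume (SAMPLE_IMAGE, SAMPLE_FS) and hypothetical plugin functions (partition_table, fat_fs, broken_carver). It shows the core launching plugins by data type, plugins populating the VFS tree with attributed nodes, the core correlating those attributes into a timeline without calling any plugin, and a plugin crash that leaves its already-created nodes usable.

```python
"""Toy model of a host-and-modules forensic framework.

Constructed example for illustration only; it is not DFF's API.  A Core owns a
Virtual File System (VFS) of Node objects arranged as a tree, launches the
plugins registered for a node's data type, and correlates node attributes on
its own, independently of the plugins that produced them.
"""


class Node:
    """One VFS entry: a name, a data type, plugin-supplied attributes, children."""

    def __init__(self, name, data_type, parent=None, **attrs):
        self.name = name
        self.data_type = data_type   # decides which plugins the core launches
        self.attrs = dict(attrs)     # metadata set by the creating plugin
        self.children = []
        self.parent = parent
        if parent is not None:
            parent.children.append(self)   # attach to the tree on creation

    def path(self):
        parts = []
        node = self
        while node.parent is not None:
            parts.append(node.name)
            node = node.parent
        return "/" + "/".join(reversed(parts))


class Core:
    """The host: VFS root, plugin registry, launch loop and correlation."""

    def __init__(self):
        self.root = Node("", "root")
        self.plugins = {}   # data_type -> list of plugin callables
        self.errors = []    # (plugin name, node path, exception) per crash

    def register(self, data_type, plugin):
        self.plugins.setdefault(data_type, []).append(plugin)

    def add_source(self, name, data_type, **attrs):
        node = Node(name, data_type, parent=self.root, **attrs)
        self._dispatch(node)
        return node

    def _dispatch(self, node):
        # Launch every plugin registered for this node's type.  Children the
        # plugin created are dispatched in turn, so analysis cascades down.
        for plugin in self.plugins.get(node.data_type, []):
            first_new = len(node.children)
            try:
                plugin(node)
            except Exception as exc:
                # A crashing plugin does not lose what it already produced:
                # nodes attached before the exception stay in the VFS.
                self.errors.append((plugin.__name__, node.path(), repr(exc)))
            for child in node.children[first_new:]:
                self._dispatch(child)

    def walk(self, node=None):
        node = node or self.root
        yield node
        for child in node.children:
            yield from self.walk(child)

    def timeline(self):
        # Correlation on attributes alone: no plugin is imported or called here,
        # so the report works whatever modules ran (or crashed).  ISO-8601
        # timestamps sort correctly as strings.
        events = [(n.attrs["mtime"], n.path(), n.attrs.get("deleted", False))
                  for n in self.walk() if "mtime" in n.attrs]
        return sorted(events)

    def deleted_files(self):
        # The kind of filter a UI layer would offer ("show only deleted files").
        return [n.path() for n in self.walk() if n.attrs.get("deleted")]


# --- constructed stand-ins for acquired data (no real image is read) --------
SAMPLE_IMAGE = {"partitions": [{"name": "part0", "offset": 2048, "fs": "fat"}]}
SAMPLE_FS = {"entries": [
    {"name": "report.doc", "mtime": "2011-03-02T10:15:00", "deleted": False},
    {"name": "secret.txt", "mtime": "2011-03-01T08:00:00", "deleted": True},
]}


# --- hypothetical plugins; each one handles a single data type --------------
def partition_table(node):
    """Raw-image plugin: one child node per partition."""
    for part in SAMPLE_IMAGE["partitions"]:
        Node(part["name"], part["fs"], parent=node, offset=part["offset"])


def fat_fs(node):
    """FAT plugin: one child per directory entry, deleted ones included."""
    for entry in SAMPLE_FS["entries"]:
        Node(entry["name"], "file", parent=node,
             mtime=entry["mtime"], deleted=entry["deleted"])


def broken_carver(node):
    """Plugin that creates one node and then fails part-way through."""
    Node("carved_0001.jpg", "file", parent=node, mtime="2011-03-03T12:00:00")
    raise RuntimeError("unexpected end of stream")


def run_analysis():
    core = Core()
    core.register("raw", partition_table)
    core.register("fat", fat_fs)
    core.register("fat", broken_carver)
    core.add_source("disk.dd", "raw")
    return core


if __name__ == "__main__":
    core = run_analysis()
    for mtime, path, deleted in core.timeline():
        print(mtime, path, "(deleted)" if deleted else "")
    for name, where, err in core.errors:
        print("plugin", name, "failed on", where, ":", err)
```

Running it prints three timeline entries in chronological order, including the carved file that broken_carver attached before it raised, followed by one recorded plugin failure; the core never needed to know what any plugin does internally to build that report.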

GUI

The third layer is composed of the user interface (UI). This layer is used to select the source of data the investigator wants to analyze. Once the analysis is done, it is possible to apply precise filters so that only specific kinds of data appear, such as deleted files, time indications, etc. Then, reports can be generated with very precise information on a particular event which occurred on the analyzed system. Binary data, such as metadata structures, can be visualized in a hexadecimal viewer.

For now, three main user interfaces are available:

  • The Qt GUI interface.
  • The dff shell (command line).
  • A Python shell integrated into the framework.