Quick start guide

From Digital Forensics Framework

In this quick start guide, we will see how to use DFF. We assume that you have already read the introduction, where the DFF architecture and layers are briefly described. We only give an overview of the main DFF functionalities and guide the user through the different steps of an analysis.


Starting DFF

In this first part, we will see how to start DFF and the different ways to load the data we want to analyze.

Launch

After you have installed the framework, you can launch it by clicking on its icon in your application menu or by using the command:

dff -g

The -g option launches the graphical interface. We will not describe the command line interface here; please refer to the DFF shell page if you want more details about it.

Main window

The main window is shown on the following picture :

Dff main window.png

Several areas are put in evidence :

  • Application menu.
  • Application toolbar: this bar is used to add dumps, launch a shell, etc.
  • Project toolbar: the options of this toolbar are used to navigate within a project.
  • Project tree area: tree view of the directories contained in the project.
  • Data display area: details about the data contained in the directories of the project.
  • Task manager: information about the tasks performed by DFF is displayed here, as are errors.

If you want a description about them, you can read the overview page of the wiki. Here is a page briefly explaining how to configure the framework.

Starting a project

To present how DFF works, we will use a dump from Digital Corpora which can be downloaded here (4GB compressed; 40GB once uncompressed). For now, we will pretend that we do not know what the dump contains and walk through a mock analysis, showing step by step which actions can be performed.

Adding a dump

The first thing to do is to load the dump into DFF.

To do so, click on the Open evidence file(s) button on the left of the Application toolbar, as shown on the screen-shot on the right. The other button, Open local device, is used to load a device such as /dev/sda or C: (on Linux and Windows respectively), to perform live analysis.

To load the dump nps-2009-domexusers.aff, we chose Open evidence file(s) because it is a file, but both methods are presented in the next sub-sections. Note that the evidence dialog only offers the raw and EWF formats, so the AFF image downloaded from Digital Corpora must first be converted to a raw image (for instance with the affconvert tool from AFFLIB); this is why the node appears later in this guide as nps-2009-domexusers.aff.raw.

Add dump.png

When you click on one of these buttons, a dialog box will appear. Here are the steps to follow, depending on which action was chosen:

Opening evidence file(s)

Open dump.png

If you chose to open a file, the dialog, called Select evidence type, will look like the screen-shot on the left.

The first available option is to choose between the raw and EWF formats. Check EWF if you have Expert Witness Format (EnCase) image files; otherwise keep the default RAW value. In our example, we will select the RAW format check box.

In the list on the right, you can choose to add a file or a directory. If you choose "directory", you will be able to select directories rather than files, and to load their entire content in one click. To add our dump, we will select File, as we only have one file to analyze.

For now, the bottom part of the pop-up is empty. It will be filled after we have selected one (or several) dump(s). Each line will display the name of one of these dumps. If you want to remove one (or several) of them, just select the one(s) you want to delete and click the - (minus) button. They will disappear from the list and won't be loaded by DFF.

Once you have gone through those few steps, you can click on the + button (circled in red on the above screen-shot). Another dialog box, called Load local, will open:

Open dump2.png

You now have to select the files or directories (depending on what you configured in the previous step) you want to load. You can select several files at once by holding the Control key while selecting them. To load the example domexusers dump, we go to its location on our local disk and select it. Once this is done, we can click on the Open button.

The Load local dialog box will be closed and the focus will be given back to the Select evidence type dialog box. The dump's name will appear in the bottom area of this dialog box.

We can now validate our choice by clicking on the OK button.

If you have split disk images, you will have to load their different parts following the method described above. Several nodes will be created in DFF (one for each part of the split dump(s)). Then you will have to merge those chunks to rebuild the dump: a how-to is given in this blogpost.

Opening a device

Tip: To analyze a device, DFF must be launched with administrator privileges. To do so under Windows Vista, read this entry of the FAQ. Under Linux, use sudo or su. Keep in mind that opening a device means reading a live disk: to preserve the evidence, put the device behind a hardware write blocker or set it read-only before attaching it (on Linux, blockdev --setro on the device node), so that nothing, DFF included, can write to it.

If you chose to open a device rather than an evidence file, the following dialog box will be displayed:

Open device.png

In the Device list, all the available devices of your system are listed. You just have to pick the one you want to analyze. Once you have made your choice, click on the OK button. The dialog box will close.

Tip: You can also add evidence files or devices through the Application menu -> File -> Open evidence file(s) and Application menu -> File -> Open local device.

Using a module

Congratulations, you created your first node! There are two possibilities at that point:

  • You loaded file(s) or directory(ies): they are added in the Logical files directory.
  • Devices are added in the Local devices directory.

If you used the domexusers dump, it will be in the Logical files directory, as shown on the following screen-shot :

Added dump.png

Notice that, when you select the dump in the Data display area, some information appears in the Data attributes area. We can see that:

  • The dump is a file.
  • A relevant module is partition.
  • The node was generated by local.

This last piece of information means that the dump was loaded by the local module. Local is used to load data from the local file system of a given host into DFF. It was done transparently by DFF to "transform" the local file into a node the framework can work on. Every node is generated by a module. For now, there is only one of them, but others will be generated during the analysis.

Some other information is available, such as the file size or MAC times. Note that these are the MAC times of the dump file on the analysis machine, not of anything inside the image. According to the mime-type, the file is a binary starting with an x86 boot sector.

Tip: If, for one reason or another, you do not want to display the Data attributes area, just un-check the Attributes check box of the project toolbar. To make it reappear, check it again.


The relevant module attribute indicates that DFF found a module able to parse an x86 boot sector: the partition module. This is logical, as the domexusers dump is the copy of a whole disk, which is likely to contain at least one partition. The next step of the analysis is to launch the partition module on the node. There are several ways to do so, as explained below.

First method : double-click

You can double-click on the node. This is the simplest method. A dialog box called Apply module with three buttons will appear :

Apply module.png

  • Always will launch the module on this node, and use the partition module on every x86 boot sector file encountered (if any) during the analysis. The dialog box won't appear anymore for this type of file.
  • No will cancel the action and close the dialog box.
  • Yes will apply partition only this time. The dialog box will be opened again the next time we try to use partition on another x86 boot sector.

We click on the Yes button (we could also click on Always, the result is the same) to launch partition.

Second method : Relevant module

Right-click on the node. A menu appears and you can choose the option Relevant module, as shown on the following screen-shot:

Relevant module.png

In this case, the only relevant module found is partition. Sometimes several modules are relevant, so you will have to choose which one to use. Notice that we already knew that the relevant module was partition, since this information was given in the data attributes area.

Third method : contextual menu

Right-click on the dump. The menu opens, but instead of going into the Relevant module sub-menu, choose Open with. The list of available options is displayed and you can choose the one you need. In our example, we select Open with -> Volume -> Partition:

Open with.png

The screen-shot was truncated, so more options are available. This last method allows users to choose which module they want to use on a given node. More details about modules are given here.

Task manager

Once you have launched the partition module, whichever method you used, it should take at most a few seconds to parse the partition table. The status of the module is visible in the task manager:

Task manager status.png

  • It is set to exec while the module is running, and a completion percentage is visible.
  • The status switches to finish when the module has done its job.

If an error occurred, it is indicated in the Error tab. You can double-click on the module line in the task manager to see whether there are any results. Some messages can also be displayed in the Output tab. Note that the local module also appears in the task manager, as we launched it in the first part of this guide.

You can double-click on the partition line in the task manager to display a dialog called Process information with some details about the analysis results:

Local result.png

The displayed information is generated by the module (in this case the partition module), and each module has its own results, depending on the type of data it analyzed. This window is empty if the module did not generate any results. The Provided arguments tab lists the parameters which were used as the module input.

You can click on the OK button to close the Process information dialog box.

Module chaining

DFF offers the possibility to chain modules : we already applied the local and partition modules, but our analysis is not finished yet. The main window content has changed and new data are visible, generated by the partition module : new nodes were created, as shown below :

File1.png

The nps-2009-domexusers.aff.raw node now has children: a node called Partition was created, containing another node called Part 1. It means that our dump contains only one partition. If there were other partitions, they would appear in the same directory, with the names Part 2, Part 3, etc. If we look at the extended attributes, we can see that the relevant module is ntfs, so the partition was formatted with an NTFS file system. NTFS will therefore be the next module we use, as we did for the partition module.

You will have to double click on the Part 1 node (or right click on it and go to the Relevant module sub menu or to the Open with -> file systems -> ntfs sub menu). If you chose to double-click, the Apply module dialog box will be opened and you will have to click Yes or Always.
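The partition step above, as an added example in plain Python (it is not DFF's partition module): it checks the 0x55AA signature that makes sector 0 an "x86 boot sector", walks the four MBR entries to produce what DFF shows as Part 1, Part 2, and so on, and reads the first sector of each partition to decide which file system module comes next, as the relevant module hint does. The image is a constructed in-memory disk with one NTFS partition, not the domexusers dump. It also refuses a protective MBR (type 0xEE), where the real layout lives in the GPT, and skips a partition that starts past the end of a truncated image.

```python
"""Added example: MBR partition table walk and file-system sniffing in
plain Python. It is not DFF's partition module; the sample image is built
in memory and is not the domexusers dump."""
import io
import struct
from dataclasses import dataclass
from typing import BinaryIO, List, Optional, Tuple

SECTOR = 512
BOOT_SIG = b"\x55\xAA"   # trailing bytes that make sector 0 an "x86 boot sector"
GPT_PROTECTIVE = 0xEE    # MBR type id: real layout is in the GPT, not this table


@dataclass
class PartitionEntry:
    index: int           # 1-based, like DFF's "Part 1", "Part 2", ...
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def read_sector(fh: BinaryIO, lba: int) -> bytes:
    fh.seek(lba * SECTOR)
    return fh.read(SECTOR)


def is_x86_boot_sector(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[510:512] == BOOT_SIG


def parse_mbr(fh: BinaryIO) -> List[PartitionEntry]:
    """Return the non-empty entries of the classic 4-slot table at offset 446."""
    mbr = read_sector(fh, 0)
    if not is_x86_boot_sector(mbr):
        raise ValueError("sector 0 lacks the 0x55AA signature: not an x86 boot sector")
    parts = []
    for i in range(4):
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, count
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if type_id == 0 or count == 0:
            continue
        if type_id == GPT_PROTECTIVE:
            raise ValueError("protective MBR (0xEE): parse the GPT header at LBA 1 instead")
        parts.append(PartitionEntry(i + 1, status == 0x80, type_id, lba_start, count))
    return parts


def sniff_filesystem(fh: BinaryIO, part: PartitionEntry) -> Optional[str]:
    """Look at the partition's first sector (the VBR) to pick the next module.
    The OEM/type strings are hints, not proof; a real parser validates the BPB."""
    fh.seek(0, io.SEEK_END)
    if (part.lba_start + 1) * SECTOR > fh.tell():
        return None   # partition begins beyond the end of a truncated dump
    vbr = read_sector(fh, part.lba_start)
    if vbr[3:11] == b"NTFS    ":
        return "ntfs"
    if vbr[0x52:0x5A].startswith(b"FAT32"):
        return "fat32"
    if vbr[0x36:0x3E].startswith(b"FAT"):
        return "fat"
    return None


def analyze(fh: BinaryIO) -> List[Tuple[PartitionEntry, Optional[str]]]:
    return [(p, sniff_filesystem(fh, p)) for p in parse_mbr(fh)]


def build_sample_image() -> bytes:
    """Constructed disk: MBR with one bootable NTFS partition at LBA 2048."""
    lba_start, count = 2048, 16384
    img = bytearray(SECTOR * (lba_start + count))
    struct.pack_into("<B3sB3sII", img, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", lba_start, count)
    img[510:512] = BOOT_SIG
    vbr = lba_start * SECTOR
    img[vbr:vbr + 3] = b"\xEB\x52\x90"              # jump instruction
    img[vbr + 3:vbr + 11] = b"NTFS    "              # OEM ID
    struct.pack_into("<HB", img, vbr + 11, 512, 8)    # bytes per sector, sectors per cluster
    struct.pack_into("<Q", img, vbr + 40, count - 1)  # total sectors in the volume
    img[vbr + 510:vbr + 512] = BOOT_SIG
    return bytes(img)


def sample_handle() -> BinaryIO:
    return io.BytesIO(build_sample_image())


if __name__ == "__main__":
    # Real case: with open("nps-2009-domexusers.aff.raw", "rb") as fh: analyze(fh)
    for part, fs in analyze(sample_handle()):
        print(f"Part {part.index}: type 0x{part.type_id:02x} start LBA {part.lba_start} "
              f"({part.sector_count * SECTOR // 2**20} MiB) -> relevant module: {fs or 'unknown'}")
```

The functions take a file handle rather than a byte string so the same code runs on the 40GB raw dump without loading it into memory: only sector 0 and one sector per partition are read.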

File system view

The execution of the NTFS module should take a little longer than for the partition module. In the task manager you can see the exec status, the advancement and the execution time, indicating the progression of the analysis.

Exec ntfs.png

Once the analysis is finished, you can retrieve the results of the NTFS module by double-clicking on it in the task manager, as we did for the partition module.

Now, more nodes are available in the browser. Each of them represents a file or directory of the underlying NTFS file system, which was rebuilt within DFF by the NTFS module. You can browse the file system by clicking on the tree view or on the data area. Basically, it works like a file browser on any operating system.

Ntfs.png

You can use the project toolbar to browse your project or customize the display. The function of the different buttons of this toolbar is given here. Once more, their behaviour is very similar to that of your operating system's file browser (Previous, Home, Parent directory, etc.), so you should have no difficulty getting used to the project browser (also called Node browser).

Deleted files

While browsing the file system, you may find nodes whose names appear in red: they are deleted files or directories that DFF could recover. Treat their content with care: the file system marked their space as free when they were deleted, so part of it may already have been overwritten by newer data.

Deleted.png
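What lies behind a red name, as an added example (not DFF's ntfs module): an NTFS file is known to be deleted when the flags of its MFT record no longer carry the in-use bit, while the record still holds the old $FILE_NAME attribute with the name and timestamps. The code below parses such a record, after checking the update-sequence fixups so a torn record is rejected rather than trusted, and reports the name, creation time and live/deleted state. The records it is fed are constructed in memory, not taken from the domexusers volume.

```python
"""Added example: read an NTFS MFT FILE record and say whether the file is
live or deleted (DFF shows the latter in red). Not DFF's ntfs module; the
records are constructed below, not taken from a real volume."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

RECORD_SIZE = 1024
SECTOR = 512
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x01       # cleared on deletion; the record survives until it is reused
FLAG_DIRECTORY = 0x02
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def apply_fixups(record: bytes) -> bytes:
    """NTFS overwrites the last two bytes of every sector of a record with an
    update sequence number and keeps the originals in the USA. Restore them,
    and refuse a record whose sector tails disagree (torn or corrupt write)."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: record is torn")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_mft_record(record: bytes) -> Dict[str, Optional[object]]:
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    record = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", record, 20)
    info: Dict[str, Optional[object]] = {
        "in_use": bool(flags & FLAG_IN_USE),
        "is_dir": bool(flags & FLAG_DIRECTORY),
        "name": None,
        "created": None,
    }
    off = first_attr
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen < 24:
            break
        non_resident = record[off + 8]
        if atype == ATTR_FILE_NAME and non_resident == 0:
            content_len, content_off = struct.unpack_from("<IH", record, off + 16)
            body = record[off + content_off:off + content_off + content_len]
            created = struct.unpack_from("<Q", body, 8)[0]
            name_len = body[64]                         # in UTF-16 code units
            info["name"] = body[66:66 + 2 * name_len].decode("utf-16-le")
            info["created"] = filetime_to_datetime(created)
        off += alen
    return info


def build_sample_record(name: str, in_use: bool) -> bytes:
    """Constructed 1 KiB record with one resident $FILE_NAME and valid fixups."""
    rec = bytearray(RECORD_SIZE)
    rec[:4] = b"FILE"
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    struct.pack_into("<HH", rec, 4, usa_off, usa_count)
    struct.pack_into("<H", rec, 16, 5)                                  # sequence number
    struct.pack_into("<HH", rec, 20, first_attr, FLAG_IN_USE if in_use else 0)
    created = int((datetime(2009, 1, 15, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
    encoded = name.encode("utf-16-le")
    body = bytearray(66 + len(encoded))
    struct.pack_into("<QQQQQ", body, 0, 5, created, created, created, created)  # parent (root=5), C/M/E/A times
    body[64], body[65] = len(name), 3                                   # name length, Win32+DOS namespace
    body[66:] = encoded
    alen = (24 + len(body) + 7) & ~7
    # resident header: type, len, non-res, name len, name off, flags, id, content len, content off, indexed, pad
    struct.pack_into("<IIBBHHHIHBB", rec, first_attr, ATTR_FILE_NAME, alen, 0, 0, 24, 0, 0, len(body), 24, 1, 0)
    rec[first_attr + 24:first_attr + 24 + len(body)] = body
    struct.pack_into("<I", rec, first_attr + alen, ATTR_END)
    struct.pack_into("<I", rec, 24, first_attr + alen + 8)              # bytes used in the record
    usn = b"\x02\x01"
    for i, end in enumerate((SECTOR, RECORD_SIZE), start=1):            # save tails, stamp the USN
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    rec[usa_off:usa_off + 2] = usn
    return bytes(rec)


if __name__ == "__main__":
    for rec in (build_sample_record("report.docx", True), build_sample_record("secret.txt", False)):
        r = parse_mft_record(rec)
        print(f"{r['name']:<12} created {r['created']:%Y-%m-%d} {'live' if r['in_use'] else 'DELETED (shown in red)'}")
```

The created timestamp is the same FILETIME value the timeline module works from; the fixup check matters in practice because a record whose sector tails disagree was only half written, and a name or timestamp read from it is not evidence.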

Results analysis

Now that we have a data set we can work on, we will present the different functionalities DFF offers. The purpose is not to describe all functionalities in details, but to present what can be done, when and how to do it. The list of available modules is given here.

Data display

DFF offers the possibility to customize the display of nodes. The following combo-box is available in the project tool-bar :

Display mode.png

  • If you select the option Tree, it hides the Tree view area. Select it again and the Tree view area reappears.
  • If you select Icons or List, the nodes are displayed respectively as icons or as a list, as shown below. In icon view mode, the combo-box on the right of the project toolbar is activated, and you can select the size of the icons (small, medium or big).

Icon view.png (icon view) and List view.png (list view)

If you click on the Activate thumbnails icon of the project tool bar, images in the VFS will appear as thumbnails in the node browser.

Contextual Menu

You can right click on each nodes, and a menu will spawn, containing several options :
  • Open : Using Open on a node is equivalent to double-clicking on it. DFF selects the most appropriate module and launches it.
  • Open in new tab : Open the node in a new node browser (it creates a new tab).
  • Relevant module : Automatically choose the most relevant module(s) to apply on the node and launch it, as explained in the first part of this guide. If there are several relevant modules, the user has to choose between them.
  • Open with : List all available modules, so the user can choose which one to apply on the node.
  • Hex viewer : Display the node content in an hexadecimal viewer. The documentation of this module can be found here.
  • Extract : see below
Menu.png
You can extract file content from DFF to copy it to your local drive. The Extract option is used to do so. A dialog box appears: select the location where you want to extract the file, using the Browse option, and click on the OK button. The extracted file has the same name as the node. Remember that you are copying content out of the evidence onto your analysis machine: if the file could be malicious (an executable or document recovered from a suspect image, for instance), extract it to a location where it will not be opened or executed by accident.

If you check the Recursive mode check box, the node and its children are recursively extracted, assuming that the node has at least one child.

Extract.png

Nodes content and attributes

Nodes are usually composed of a name, a content and some extra data, such as metadata.

  • Some nodes don't have content if their size is equal to 0 (empty files).
  • The extra data and metadata are called Attributes within DFF.

To view their content, nodes need to be opened by applying the appropriate modules on them. This can be done by double-clicking on the node you want to open. The Apply module dialog box opens, as we already saw when we used the NTFS and partition modules on the domexusers dump in previous sections of this guide. When double-clicking on a node, the framework launches the most appropriate module.

If you want to have a more accurate control on the module you want to use, you can open nodes using the contextual menu and select the option Relevant module, or by manually selecting the module you want to use. The following screen shot shows an example, with the partition module :

Open with.png

To see the nodes metadata, you just have to select them in the data display area and make sure that the Attributes check-box of the project tool bar is checked. The metadata will be displayed in the Data attributes area under the form of key, values pairs. The key is the attribute name.

Bookmarks

If you find data you are interested in and want to bookmark, the first step is to check the concerned nodes in the Data display area of the project browser:

Select nodes.png

Then, you will have to click on the Bookmarks icon of the project tool bar. The following dialog box will be opened :

Bookmark new cat.png

Bookmarks are organized under different categories, created by the user. As we do not have any categories yet we need to create one. In our example, we will create a documents category. Once we are done, we can click on the OK button. The nodes we checked in the previous step will be added in the /Bookmarks/documents directory.

Bookmarked nodes.png

If you want to bookmark other nodes, just select them as we already did and click again on the add bookmark button. The dialog box will be opened again, but its appearance will be a bit different :

Create bookmark.png

Instead of creating a new category, we can add the new bookmark(s) in an existing category (documents in the example). We could of course also create a new bookmark category by checking the corresponding check box on the dialog box.

Customize displayed attributes

You can choose which information you wish to display in the data display area: it is possible to display node attributes in the table view. By default, the only two displayed attributes are the node name and size. To add other attributes, click on the Attributes icon of the project toolbar to display the following dialog box:

Disp attr.png

There are two main areas in this dialog box.

  • Dynamic attributes : the list of attributes the different nodes have. These attributes are dependent on the type of data. For example, attributes of a NTFS file system will be different from those of volatile memory.
  • Data types : used to display the type or the mime-type of data.

By default, no attributes nor data types are selected. To add one or several of them (attribute or data type) you will have to select the attribute you want to display and click on the Add attr.png button. The attributes will be switched from the left part of the dialog box to the right part, as shown below :

Added attr.png

To remove one or several selected attributes, you will have to select them in the right part of the dialog box and then use the Del attr.png button.

The check box Display module name at the bottom of the dialog box is used to show the name of the module which generated the node. The Sort by deleted option will show an information indicating if the node is deleted or not.

An example of a view with customized attributes is given below :

Lot of attr.png

You can sort the content of the view by clicking on the header view, on the field you want to sort on. Clicking one more time on the same field will reverse the sorting. In our example, the sorting was made on the Name field, as indicated by the little arrow in the Name field.

Viewers

Viewers are used to display the content of the different nodes. As we already explained above, DFF launches the appropriate viewer when double clicking on nodes.

  • The text viewer for text, xml, html, etc.
  • the image viewer for images DFF can handle.
  • the hex viewer for binary types.

Tip: If you do not wish to use the default viewer (let's say you want to open an image with a module other than the image viewer), you need to select it manually by going into the Open with -> <category> -> <module> menu.

Text viewer

Nothing mysterious about the text viewer: it displays text. It can also display HTML, but hyperlinks are disabled, so you cannot accidentally follow a link found in the evidence.

Text.png

Image viewer

Display images, as shown below. More details are given here.

Img.png

Tip: The data appearing in the tabs on the right of the image viewer are the EXIF metadata extracted by Metaexif.

Going further

You should have a look at the module page for an overview of the different DFF functionalities. Briefly, here is a list of some actions you can do with the framework:

  • DFF can parse several types of file systems (NTFS is the one used in this guide).
  • Reconstruct different types of volumes, such as monolithic or split VMware virtual machines, or partitions (as explained above).
  • Analyze Windows registry hives by using the winreg module.
  • Extract and analyze zip archives directly in DFF with the unzip module.
  • Check your data integrity by calculating hashes (md5, sha1, etc.). Keep in mind that MD5 and SHA-1 are no longer collision resistant, so prefer a stronger digest such as SHA-256 where one is available for the evidence, and record the hash of an image before and after analysis.
  • If you wish to analyze data according to their temporal data, you can use the timeline module.
  • You can try the carving module to search your disks or dumps for data headers and footers, and reconstruct deleted files.
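The integrity check in the list above, as an added example (plain Python, not DFF's hash module): one pass over the image feeds every requested digest at once, a length argument lets you hash a single partition found by the partition module by seeking to its offset first, and the result can be checked against the digests published with an image or written out in the md5sum/sha256sum format for a later re-check. The input is a constructed byte string; nps-2009-domexusers.aff.raw in the comment is the dump from this guide, and no digest for it is asserted here.

```python
"""Added example: stream a dump once and compute several digests, then
check them against the values published with the image. Plain Python, not
DFF's hash module; the data hashed here is a constructed byte string."""
import hashlib
import io
from typing import BinaryIO, Dict, Iterable, List, Optional

DEFAULT_ALGOS = ("md5", "sha1", "sha256")


def hash_stream(fh: BinaryIO, algorithms: Iterable[str] = DEFAULT_ALGOS,
                chunk_size: int = 1 << 20, length: Optional[int] = None) -> Dict[str, str]:
    """Read from the current position (at most `length` bytes, or to EOF) and
    feed every chunk to all hashers, so a 40 GB image costs one pass however
    many digests are wanted. Seek to a partition's offset first to hash it alone."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    remaining = length
    while remaining is None or remaining > 0:
        chunk = fh.read(chunk_size if remaining is None else min(chunk_size, remaining))
        if not chunk:
            break
        if remaining is not None:
            remaining -= len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare against published digests; case and surrounding whitespace in
    the published value are ignored, and an algorithm we did not compute fails."""
    return {name: actual.get(name) == digest.strip().lower()
            for name, digest in expected.items()}


def manifest_lines(digests: Dict[str, str], filename: str) -> List[str]:
    """One '<hexdigest>  <filename>' line per algorithm, the format that the
    coreutils md5sum/sha1sum/sha256sum -c tools read back."""
    return [f"{digests[name]}  {filename}" for name in digests]


def sample_stream() -> BinaryIO:
    return io.BytesIO(b"abc")   # constructed input with well-known digests


if __name__ == "__main__":
    # Real case: with open("nps-2009-domexusers.aff.raw", "rb") as fh: digests = hash_stream(fh)
    digests = hash_stream(sample_stream())
    published = {"sha256": "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD "}
    print(verify(digests, published))
    print("\n".join(manifest_lines(digests, "sample.bin")))
```

Hash the image once on arrival and once more when the analysis is done; a changed digest means the evidence was written to, whatever the cause.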

If you wish to develop your own module, you can do it in C++ or in Python.

To generate skeletons for your Python modules, you can use the DFF IDE.

Also note that the different steps described above can also be performed with the Python shell and the DFF command line interface.
