Graphical User Interface

Working environment

The following picture shows the default widget layout in DFF. Since the layout is highly customizable, your environment may look completely different while you use the framework.

  1. This toolbar gives access to DFF functionalities
  2. This toolbar is specific to the IDE
  3. This area corresponds to the browser of folders created by drivers.
  4. This area is divided into several parts and mostly gives information on the current state of the framework:
    • Task manager
    • Variables already added for each module
    • Log information
    • Results of each module
  5. By default this area browses the files and folders contained in the folder selected above. It displays the Modified, Accessed and Created times (MAC) of each file. In addition, graphical modules are added here as tabs.

Getting started

By default, DFF only takes as input a file corresponding to the raw snapshot of a device (also called a dump). It is also possible to open a device directly, but this is not exposed to the user through the graphical user interface; furthermore, opening a device directly is not recommended.

Even though DFF does not modify data on the hard drive, best practice strongly encourages imaging the device to be analyzed and working from the resulting dump. This page gives full information on imaging a disk on either Windows or Linux.

You can add snapshot files either from the File menu or from the Add button:

From the File menu:

From the Add button:

Then you can select the desired snapshot files to add:

Once the file is added, it appears in the file browser:

Several pieces of information are provided: the name of the file, its size, its Modified, Accessed and Created times (MAC times) and finally the driver which holds the file and is responsible for its input/output functions.

How to use modules

Select modules

DFF offers three different ways to apply a module to a file: right-click on the desired file, use the "Modules" menu item, or double-click the item (DFF will then try to find the appropriate module):

Right-click way:

Modules menu way:

Double-click way:

This is totally transparent for the user: if the file type is known, DFF automatically opens the appropriate module.

If you want to know which type is detected and whether DFF has a module for it, right-click on a file and select fileinfo:

Once fileinfo has finished, double-click on it in the Task Manager to show its results:

Here we can see 'Compatible driver: fat', so DFF can automatically open this file when it is double-clicked.
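To make the detection step concrete, here is an added example (not DFF's own fileinfo code) of how a type sniffer can decide whether a file is one a driver can open. It inspects a constructed 512-byte FAT16 boot sector, recognizes a few other common magic numbers, and reports a compatible driver only for FAT, which is what the 'Compatible driver: fat' line above tells the user. The boot-sector field offsets and signatures are standard FAT layout; the `MAGICS` table, the driver names and the report format are assumptions made for this example.

```python
import struct

# Constructed sample: a 512-byte FAT16 boot sector. Field values are illustrative
# and not taken from any real image.
def build_fat16_boot_sector() -> bytes:
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"               # jump to boot code
    bs[3:11] = b"MSDOS5.0"                  # OEM name
    struct.pack_into("<H", bs, 11, 512)     # bytes per sector
    bs[13] = 4                              # sectors per cluster
    struct.pack_into("<H", bs, 14, 1)       # reserved sectors
    bs[16] = 2                              # number of FATs
    struct.pack_into("<H", bs, 17, 512)     # root directory entries
    struct.pack_into("<H", bs, 19, 32768)   # total sectors (16-bit field)
    bs[21] = 0xF8                           # media descriptor (fixed disk)
    struct.pack_into("<H", bs, 22, 32)      # sectors per FAT
    bs[54:62] = b"FAT16   "                 # file system type label
    bs[510:512] = b"\x55\xAA"               # boot sector signature
    return bytes(bs)


# (offset, magic bytes, detected type, compatible driver); driver None means
# DFF-style double-click has nothing to open the file with.  Assumed table.
MAGICS = [
    (0, b"\x1f\x8b", "gzip", None),
    (0, b"\x89PNG\r\n\x1a\n", "png", None),
    (0, b"%PDF-", "pdf", None),
]
VALID_SECTOR_SIZES = (512, 1024, 2048, 4096)


def detect_fat(data: bytes):
    """Return 'fat12/16' or 'fat32' if data looks like a FAT boot sector, else None."""
    if len(data) < 512 or data[510:512] != b"\x55\xAA":
        return None
    bytes_per_sector = struct.unpack_from("<H", data, 11)[0]
    # An MBR also ends with 55AA, so sanity-check the BIOS parameter block
    # before trusting the signature.
    if bytes_per_sector not in VALID_SECTOR_SIZES or data[13] == 0:
        return None
    if data[54:62].startswith(b"FAT1"):
        return "fat12/16"
    if data[82:90].startswith(b"FAT32"):
        return "fat32"
    return None


def fileinfo(data: bytes) -> dict:
    """Simplified fileinfo: detected type plus the driver that can open it, if any."""
    for offset, magic, ftype, driver in MAGICS:
        if data[offset:offset + len(magic)] == magic:
            return {"type": ftype, "driver": driver}
    fat = detect_fat(data)
    if fat:
        return {"type": fat, "driver": "fat"}
    return {"type": "unknown", "driver": None}


def report(info: dict) -> str:
    """Text the Task Manager result view would show for this file."""
    driver = info["driver"] or "none (double-click will not open this file)"
    return f"Type: {info['type']}\nCompatible driver: {driver}"
```

Running `report(fileinfo(build_fat16_boot_sector()))` yields a 'Compatible driver: fat' line; feeding it the first 512 bytes of a real image file in place of the constructed sector is the practical use. Note that the type label at offset 54/82 is informational and a malformed image can carry any text there, which is why the example cross-checks the sector size and cluster size as well.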

Modules arguments

Once the desired module is selected, most modules will need some arguments. If the module only needs a node, it is applied directly. If not, a dialog window appears and asks for the arguments:

There are five different types of argument:

  • string
  • node (it corresponds to a file of the VFS)
  • path (it corresponds to a file which is stored on your local system)
  • bool
  • int

Some modules provide default values. Furthermore, some arguments are optional; you can turn them on by selecting their check box.
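The following added example (not DFF's argument API; the `ArgSpec` class, the `SEARCH_SPECS` module declaration and the sample VFS are assumptions made for illustration) shows what the argument dialog has to do with the five argument types listed above: apply defaults, pass optional arguments only when their check box is ticked, look up a node in the VFS, check that a path exists on the local system, and reject values of the wrong type with a message the user can act on.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Optional

ARG_TYPES = ("string", "node", "path", "bool", "int")


@dataclass
class VfsNode:
    """Minimal stand-in for a VFS node (hypothetical, not the framework's class)."""
    path: str
    size: int


@dataclass
class ArgSpec:
    name: str
    kind: str                  # one of ARG_TYPES
    required: bool = True      # optional arguments are passed only when their box is ticked
    default: Any = None        # value shown pre-filled in the dialog


class ArgumentError(ValueError):
    pass


def coerce(spec: ArgSpec, raw: Any, vfs: Dict[str, VfsNode]) -> Any:
    """Convert the raw dialog value into the type the module expects."""
    if spec.kind == "string":
        return str(raw)
    if spec.kind == "int":
        try:
            return int(raw)
        except (TypeError, ValueError):
            raise ArgumentError(f"{spec.name}: expected an integer, got {raw!r}")
    if spec.kind == "bool":
        if isinstance(raw, bool):
            return raw
        text = str(raw).strip().lower()
        if text in ("true", "1", "yes", "on"):
            return True
        if text in ("false", "0", "no", "off"):
            return False
        raise ArgumentError(f"{spec.name}: expected a boolean, got {raw!r}")
    if spec.kind == "node":                      # a file of the VFS
        node = vfs.get(str(raw))
        if node is None:
            raise ArgumentError(f"{spec.name}: no such node in the VFS: {raw}")
        return node
    if spec.kind == "path":                      # a file on the local system
        if not os.path.exists(str(raw)):
            raise ArgumentError(f"{spec.name}: local path does not exist: {raw}")
        return os.path.abspath(str(raw))
    raise ArgumentError(f"{spec.name}: unknown argument type {spec.kind!r}")


def resolve_arguments(specs: List[ArgSpec], supplied: Dict[str, Any],
                      vfs: Dict[str, VfsNode], enabled_optional: Iterable[str] = ()):
    """Validate what the dialog collected and return {name: typed value}."""
    enabled = set(enabled_optional)
    resolved = {}
    for spec in specs:
        if not spec.required and spec.name not in enabled:
            continue                              # box unticked: the module never sees it
        if spec.name in supplied:
            raw = supplied[spec.name]
        elif spec.default is not None:
            raw = spec.default
        else:
            raise ArgumentError(f"{spec.name}: required argument missing")
        resolved[spec.name] = coerce(spec, raw, vfs)
    return resolved


def validation_error(specs, supplied, vfs, enabled_optional=()) -> Optional[str]:
    """Message the dialog would display, or None when the arguments are accepted."""
    try:
        resolve_arguments(specs, supplied, vfs, enabled_optional)
        return None
    except ArgumentError as err:
        return str(err)


# Hypothetical search module declaration, one argument of each type.
SEARCH_SPECS = [
    ArgSpec("file", "node"),
    ArgSpec("pattern", "string"),
    ArgSpec("blocksize", "int", default=512),
    ArgSpec("case_sensitive", "bool", default=False),
    ArgSpec("report", "path", required=False),
]
# Constructed VFS content: a dump and one partition node created by a driver.
SAMPLE_VFS = {
    "/dump.dd": VfsNode("/dump.dd", 4096),
    "/dump.dd/part1": VfsNode("/dump.dd/part1", 2048),
}


def demo() -> dict:
    """Fill the dialog with a ticked optional report path and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        report = os.path.join(tmp, "report.txt")
        open(report, "w").close()
        args = resolve_arguments(
            SEARCH_SPECS,
            {"file": "/dump.dd/part1", "pattern": "passwd", "report": report},
            SAMPLE_VFS, enabled_optional=("report",))
        return {k: (v.path if isinstance(v, VfsNode) else v) for k, v in args.items()}
```

The separation between `resolve_arguments` (which raises) and `validation_error` (which returns a message) mirrors the two consumers: the module body wants typed values or nothing, while the dialog wants a string to display next to the offending field.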

View results

After processing, modules can provide different kinds of results. Depending on the type of module, the results are not located in the same place.

  • Results in a new tab

If the corresponding module provides graphical functionality, its results are added in a new tab in the area described previously.

  • Results through the Task Manager

If the module only provides text results, you need to double-click on the task corresponding to the module in the Task Manager window.

Nodes

Nodes represent a file or a directory in the Virtual File System (VFS) of DFF. They hold information which is essential for the framework. A node contains the following information:

  • File attributes (size, MAC time, hash, ...)
  • Driver object which holds it
  • List of its children if a directory

Modules

Since DFF is a framework, the aim is to extend its functionality rapidly. This is done by providing interfaces which can be used to develop new modules. Module development itself is beyond the scope of the present documentation; briefly, if you want to know how to extend the framework by creating your own modules, below is an overview of modules.

DFF modules can be classified by two different capabilities:

  • Display:
    Each module can provide both of the following displays:
    • graphical: results are rendered graphically. A graphical module can be as simple as rendering text, but it can also provide powerful functionality; it depends on the features implemented by the developer.
    • console: results are rendered through the console interface. There are two kinds of console results: simple text printing and ncurses rendering.
  • Functionality:
    • driver module: able to create new nodes in the Virtual File System and to provide an interface for opening or reading a node.
    • basic module: these modules only provide processing functionality and return results.

Besides these two main categories, modules can be tagged by feature, such as viewer, parser, search and so on. Modules can also be tagged to tell what kind of files they can manage, such as image, file system, etc.
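The following added example ties together the Nodes section above, the driver-module role just described, and the Getting started advice to work from a dump. It is illustration code, not DFF's VFS or driver API: the `TOYFS` container format, the `Node` dataclass, `ToyDriver` and the sample file list are all constructed for this example. The driver opens the dump read-only, creates one node per entry carrying the attributes the file browser shows (name, size, MAC times, holding driver, hash), serves `read()` for those nodes, and the session ends by re-hashing the dump to confirm it was not modified.

```python
import hashlib
import io
import os
import struct
import tempfile
from dataclasses import dataclass, field
from typing import BinaryIO, List, Optional

# Toy container layout (constructed for this example, not a real file system):
#   b"TOYFS" | u16 entry count | entries...
#   entry:  u8 name length | name | u32 size | u32 mtime | u32 atime | u32 ctime | data
MAGIC = b"TOYFS"


@dataclass
class Node:
    """A VFS entry: file attributes, the driver that holds it, children if a directory."""
    name: str
    size: int
    mtime: int
    atime: int
    ctime: int
    driver: "ToyDriver"
    is_dir: bool = False
    offset: int = 0                      # where the file's data starts inside the dump
    sha256: Optional[str] = None
    children: List["Node"] = field(default_factory=list)


class ToyDriver:
    """Driver module: creates nodes from a dump opened read-only and serves read()."""
    name = "toyfs"

    def __init__(self, dump: BinaryIO):
        self.dump = dump

    def mount(self) -> Node:
        self.dump.seek(0)
        if self.dump.read(len(MAGIC)) != MAGIC:
            raise ValueError("not a TOYFS dump")
        (count,) = struct.unpack("<H", self.dump.read(2))
        root = Node("/", 0, 0, 0, 0, self, is_dir=True)
        for _ in range(count):
            name_len = self.dump.read(1)[0]
            name = self.dump.read(name_len).decode("ascii")
            size, mtime, atime, ctime = struct.unpack("<IIII", self.dump.read(16))
            node = Node(name, size, mtime, atime, ctime, self, offset=self.dump.tell())
            node.sha256 = hashlib.sha256(self.read(node)).hexdigest()
            self.dump.seek(node.offset + node.size)    # skip the data to the next entry
            root.children.append(node)
        return root

    def read(self, node: Node) -> bytes:
        """The I/O function the framework calls for a node held by this driver."""
        self.dump.seek(node.offset)
        return self.dump.read(node.size)


def build_dump(files) -> bytes:
    """Construct a sample dump from [(name, data, mtime, atime, ctime), ...]."""
    out = bytearray(MAGIC + struct.pack("<H", len(files)))
    for name, data, mtime, atime, ctime in files:
        out += struct.pack("<B", len(name)) + name.encode("ascii")
        out += struct.pack("<IIII", len(data), mtime, atime, ctime) + data
    return bytes(out)


def mount_bytes(dump: bytes) -> Node:
    """Mount an in-memory dump (handy for tests; real use opens a file)."""
    return ToyDriver(io.BytesIO(dump)).mount()


def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def analyze(path: str):
    """Open the dump read-only, list its nodes as the file browser would, and
    confirm the dump's hash is unchanged once the session is over."""
    before = sha256_file(path)
    with open(path, "rb") as dump:            # "rb": the image is never opened for writing
        root = ToyDriver(dump).mount()
        listing = [(n.name, n.size, n.mtime, n.atime, n.ctime, n.driver.name, n.sha256)
                   for n in root.children]
    return listing, before == sha256_file(path)


SAMPLE_FILES = [                               # constructed sample content
    ("hello.txt", b"hello", 1267618620, 1267618620, 1267618620),
    ("notes.bin", bytes(range(16)), 1267700000, 1267700100, 1267618700),
]


def demo():
    """Write the constructed dump to a temporary file and analyze it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "device.dd")
        with open(path, "wb") as f:
            f.write(build_dump(SAMPLE_FILES))
        return analyze(path)
```

Hashing each node at mount time is what lets the file browser show a hash column without re-reading the file later, and hashing the whole dump before and after the session is the cheap check that backs the "work from a copy" rule: if the two digests ever differ, something in the tool chain wrote to the evidence.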

Attachments (uploaded by cma):

  • add_dump.png (43.1 KB), 03 Mar 2010 12:17
  • dump_added.png (32.8 KB), 03 Mar 2010 12:17
  • add_dump_button.png (8.1 KB), 03 Mar 2010 12:17
  • add_dump_click.png (7.7 KB), 03 Mar 2010 12:17
  • apply_module_argument.png (43.2 KB), 03 Mar 2010 12:17
  • working_environment.png (112.6 KB), 03 Mar 2010 12:30
  • apply_module_click.png (42.9 KB), 08 Mar 2010 15:40
  • apply_module_rclick.png (52.6 KB), 08 Mar 2010 15:40
  • fileinfo_dblclick.png (38.6 KB), 08 Mar 2010 15:40
  • fileinfo_rclick.png (20.4 KB), 08 Mar 2010 15:40
