News

API extension Work In Progress

Added by fba over 1 year ago

Work on the API extension started a month ago. You can check it out in the mfso branch of the repository. It is still experimental and some tests still have to be done. Some parts may change in the final release, but the following features are not expected to change:

  • New class for File System module: mfso (which stands for mapped file system object)
    Modules that manage node creation have to inherit from this class. I/O operations (vopen/vclose, vread/vwrite and vseek) are now virtual. If a module does not implement the I/O methods, the parent class mfso takes charge of reading and managing opened files. To make this possible, the module has to create the nodes itself, using its own classes, which have to inherit from the class Node.
  • As just said, Node can now be inherited, providing dynamic access to all attributes and to the data mapping they represent. Two virtual methods have been added to achieve dynamic access:
    • FileMapping* getFileMapping()
      This method creates a FileMapping object which gives the I/O methods of mfso enough information to do their work. To achieve this, a node creates the mapping by providing several pieces of information for each chunk of its data:
      • at which offset the chunk starts in the corresponding node
      • the size of this chunk
      • from which node this chunk has to be read
      • at which offset the chunk is located in the node to read from.
    • Attributes* getAttributes()
      This method creates an Attributes object which gives dynamic access to each attribute of the corresponding node. The Attributes class provides methods to ease the adding of elements. It maps a string holding the attribute's name to a variable contained in a new container class for type abstraction: Variant
  • The Variant type has been created to provide a default container for data in the framework, with methods to access it. This class relies on Run Time Type Checking and templates. It manages default types, map and list from the STL and some types of the framework too. It makes a default getter available from Python whatever type the variable represents. In C++, variables can be retrieved in their original format when it is known, or in another format when possible. For example, if a string representation is requested for a variable of type uint64_t, it will be transparently converted.

All these features have been added to decrease the memory footprint and to provide more accurate results on nodes, because modules no longer have to manage I/O and everything needed to keep track of each opened file, and because Node can be inherited. To get a good compromise between memory and processing, caches have been implemented, but they are still very experimental.
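An added example (not DFF code) of how a read can be resolved from the four pieces of information a node supplies for each chunk, as described for getFileMapping() above. The names Chunk, Store, mappedRead and demoRead and the sample data are assumptions made for this example; the real FileMapping and mfso interfaces are not shown on this page.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-ins for illustration; not DFF's actual classes or signatures.
struct Chunk {
    uint64_t offset;        // where the chunk starts in the mapped node
    uint64_t size;          // size of the chunk
    std::string origin;     // node the chunk has to be read from
    uint64_t originOffset;  // where the chunk is located in the origin node
};
using Store = std::map<std::string, std::vector<uint8_t>>;  // origin name -> bytes

// Read up to len bytes at pos of the mapped node by resolving its chunks.
// Unmapped gaps and chunks that point outside their origin read as zeros, so a
// mapping built from a damaged file system cannot push the copy out of bounds.
std::vector<uint8_t> mappedRead(const std::vector<Chunk>& mapping, const Store& store,
                                uint64_t pos, uint64_t len) {
    uint64_t end = 0;  // size of the mapped node = end of its last valid chunk
    for (const Chunk& c : mapping)
        if (c.size <= UINT64_MAX - c.offset) end = std::max(end, c.offset + c.size);
    if (pos >= end) return {};
    len = std::min(len, end - pos);
    std::vector<uint8_t> out(len, 0);
    for (const Chunk& c : mapping) {
        if (c.size > UINT64_MAX - c.offset) continue;  // offset + size overflows
        uint64_t lo = std::max(pos, c.offset);
        uint64_t hi = std::min(pos + len, c.offset + c.size);
        auto it = store.find(c.origin);
        if (lo >= hi || it == store.end()) continue;   // no overlap or unknown origin
        const std::vector<uint8_t>& src = it->second;
        uint64_t skip = lo - c.offset;                 // bytes into this chunk
        if (c.originOffset >= src.size() || skip >= src.size() - c.originOffset) continue;
        uint64_t n = std::min(hi - lo, src.size() - c.originOffset - skip);
        std::memcpy(out.data() + (lo - pos), src.data() + c.originOffset + skip, n);
    }
    return out;
}

// Constructed sample: a 40-byte "image.dd" holding a file stored in two fragments.
std::string demoRead(uint64_t pos, uint64_t len) {
    std::vector<uint8_t> image(40, '.');
    std::memcpy(image.data() + 10, "HELLO", 5);
    std::memcpy(image.data() + 30, "WORLD", 5);
    Store store{{"image.dd", image}};
    std::vector<Chunk> mapping{{0, 5, "image.dd", 10}, {5, 5, "image.dd", 30}};
    std::vector<uint8_t> data = mappedRead(mapping, store, pos, len);
    return std::string(data.begin(), data.end());
}
```

A read that spans both fragments, such as demoRead(3, 4), is stitched together from two separate locations in the origin node without the module implementing any I/O of its own.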

Stay tuned!

Volatility integration testing

Added by fba almost 2 years ago

The team has created a specific branch to test the integration of the well-known volatile memory forensics framework: Volatility. Further information regarding Volatility can be found here

The following screenshot provides an example of the rendering based on results of Volatility:

If you want to try this experimental feature, you have to get sources from the git repository:

git clone git://git.digital-forensic.org/dff.git
cd dff
git fetch origin volatility:volatility
git checkout volatility

Then you can start to compile...

Enjoy!

DFF version 0.6

Added by fba almost 2 years ago

The team has started the development of the next release, which is scheduled for the end of April.

You will be able to follow the development through the git repository. This release will add lots of new features and improvements.

Stay tuned and follow new tickets to learn about new features ;)

DFF 0.5 is out

Added by fba almost 2 years ago

The team is proud to announce the release of version 0.5!

This release includes several bug-fixes. It also adds new API and graphical features:

  • File carving with enhanced algorithm
  • Complete rewrite of hexadecimal viewer
  • Search functions in the API
  • New gallery viewer (speed improvements)
  • Partition mapper (add extended partitions)
  • Automation capabilities based on MIME-TYPE (improved GUI navigation)
  • ...

We hope you will enjoy this release. If you encounter any issues, do not hesitate to send us a report. If you have any requests, contact us too.

Enjoy!

New year resolutions

Added by fba about 2 years ago

First of all, happy new year to everybody!

We are pleased to announce the date of the next release: February 22nd. There will be new features, bugfixes and more documentation! Some of the new features have already been implemented, such as:

  • Complete rewrite of Hexadecimal Editor
  • search API (find, rfind, count)
  • Graphical carver (supports most common types)
  • Test environment
  • ...

We are also proud to announce that the development of the NTFS File System has started. The team has decided to write it from scratch in order to provide an object-oriented driver.

The team has also decided to commit new features more often, accompanied by fresh documentation. Tickets will be kept up to date in order to show the progress of each feature.

The last resolution is to provide one or more digital forensics challenges in order to boost the development of modules.

Forums opened

Added by fba over 2 years ago

Several forums have been created in order to discuss and exchange tips.

0.4.3b out

Added by fba over 2 years ago

A file was missing in version 0.4.3! We apologize for this issue. You can now download the 0.4.3b version which contains no errors.
