DFF - Digital Forensics Framework



DFF, standing for Digital Forensics Framework, is a project dedicated to digital forensics. Written in Python and C++, it is cross-platform, highly modular and customizable. The graphical user interface is developed with PyQt. The interface between Python and C++ is provided by SWIG.

The framework's purpose is to offer a modular digital forensic environment to IT managers, IT security managers and law enforcement, capable of analysing, correlating and extracting suspicious traces and data from files. These files can come from data acquisition on digital media, such as hard disk drives, RAM or cell phones, or from captured network frames, in order to analyse what data passed through the network. It can also be used to recover deleted data.

The Open Source version of DFF has been released under the terms of the free license GPL version 2.

DFF is divided into three different software layers, which communicate with one another through a modular Application Programming Interface (API):
  • The core layer.
  • User interfaces (GUIs).
  • Modules.

Core layer

The first layer can be seen as the kernel of the application. It is used to load and run plugins. Plugin execution is automatic, since the core layer is designed to "know" which plugin must be launched when it is required. This layer also offers plugins a way to create a hierarchy of analyzed data: each piece of data becomes a standard node within a tree.

The memory space where these nodes are created is called a Virtual File System (VFS). Each node can be generated by a different plugin and carry its own specific attributes. This mechanism allows the kernel to generate reports by correlating all data coming from plugins while remaining independent from the plugins themselves. Even if a plugin crashes, once its nodes are created, the kernel is still able to use them. Since modules are designed for forensic analysis, they also handle unallocated and hidden data.

Modules

The second layer is composed of the plugins and modules mentioned in the previous paragraph. Each of them is designed to analyze one specific type of data, such as RAM, file systems or network frames. They create nodes in the kernel's virtual file system and, according to the type of data, generate useful information such as time indications or extracted metadata.
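A simplified model of the core/VFS design described above, as an added example that is not DFF's own code or API: plugins create nodes with their own attributes in a shared tree, the core keeps the nodes a plugin created even if that plugin later crashes, and a report correlates nodes regardless of which plugin produced them. All class names, plugin names and sample values here are constructed for illustration.

```python
"""Constructed model of a DFF-style VFS node tree (not DFF's real API)."""
from dataclasses import dataclass, field


@dataclass
class Node:
    """One entry in the VFS: created by a plugin, carries that plugin's attributes."""
    name: str
    parent: "Node | None" = None
    attributes: dict = field(default_factory=dict)
    children: list = field(default_factory=list)
    created_by: str = ""

    def add_child(self, name, plugin, **attrs):
        child = Node(name, self, dict(attrs), created_by=plugin)
        self.children.append(child)
        return child

    def path(self):
        if self.parent is None:
            return "/"
        return self.parent.path().rstrip("/") + "/" + self.name

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()


class VFS:
    """The core layer: owns the tree, runs plugins, survives their failures."""
    def __init__(self):
        self.root = Node("")
        self.errors = {}

    def run_plugin(self, name, func, target):
        try:
            func(name, target)
        except Exception as exc:  # a crashing plugin must not lose existing nodes
            self.errors[name] = repr(exc)

    def timeline(self):
        """Correlate nodes from every plugin by their 'mtime' attribute."""
        return sorted((n.attributes["mtime"], n.path(), n.created_by)
                      for n in self.root.walk() if "mtime" in n.attributes)


def fs_plugin(name, target):  # hypothetical file-system module
    target.add_child("secret.doc", name, mtime=1700000100, deleted=True)
    target.add_child("report.txt", name, mtime=1700000200)


def pcap_plugin(name, target):  # hypothetical network module that crashes mid-run
    target.add_child("stream-0", name, mtime=1700000150, proto="http")
    raise RuntimeError("malformed frame")


def build_demo():
    vfs = VFS()
    vfs.run_plugin("fs", fs_plugin, vfs.root.add_child("disk.dd", "loader"))
    vfs.run_plugin("pcap", pcap_plugin, vfs.root.add_child("capture.pcap", "loader"))
    return vfs
```

The timeline from `build_demo()` interleaves the network stream between the two files even though the pcap module crashed after creating it, which is the independence between kernel and plugins the text describes.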

User interfaces

The third layer is composed of the user interface (UI). This layer is used to select the source of data the investigator wants to analyze, such as a hard disk dump. Once the analysis is done, it is possible to apply precise filters so that only specific kinds of data are displayed, such as deleted files, time indications, etc. It then becomes possible to generate reports with very precise information on a particular event that occurred on the analyzed system. Binary data, such as metadata structures, can be visualized in a hexadecimal viewer.
For now, three main user interfaces are available:
  • The Qt Gui interface.
  • The dff shell (command line).
  • A Python shell integrated into the framework.
