DFF and DFF GUI

Description

DFF (Digital Forensics Framework) is a free and open-source computer forensics tool built on top of a dedicated Application Programming Interface (API). It can be used by both professionals and non-experts to quickly and easily collect, preserve and reveal digital evidence without compromising systems or data.

Features

  • Preserve digital chain of custody – Software write blocker, cryptographic hash calculation

  • Access to local and remote devices – Disk drives, removable devices, remote file systems

  • Read standard digital forensics file formats – Raw, EnCase EWF, AFF 3 file formats

  • Virtual machine disk reconstruction – VMware (VMDK) compatible

  • Windows and Linux OS forensics – Registry, mailboxes, NTFS, EXTFS 2/3/4, FAT 12/16/32 file systems

  • Quickly triage and search for (meta-)data – Regular expressions, dictionaries, content search, tags, timeline

  • Recover hidden and deleted artifacts – Deleted files and folders, unallocated space, carving

  • Volatile memory forensics – Processes, local files, binary extraction, network connections
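The first feature above relies on cryptographic hash calculation to preserve the chain of custody: the image is hashed at acquisition, and every later verification must reproduce the same digests. The script below is an added example, not DFF's own `hash` module and not code from this page. It hashes an evidence image in one streaming pass (so multi-gigabyte images never have to fit in memory), writes the digests and size to a JSON manifest, and re-verifies the image against that manifest, reporting which algorithms disagree. The file names (`evidence.dd`, the `.hashes.json` manifest), the `demo()` helper and its sample contents are constructed for the example.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time; large images never sit fully in memory


def hash_image(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(image_path, manifest_path):
    """Record the acquisition hashes and size next to the image (the custody record)."""
    record = {
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "hashes": hash_image(image_path),
    }
    with open(manifest_path, "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_manifest(image_path, manifest_path):
    """Recompute every hash named in the manifest.

    Returns (ok, mismatches): ok is True only if the size and all digests agree;
    mismatches lists the algorithms whose digest differs."""
    with open(manifest_path) as fh:
        record = json.load(fh)
    current = hash_image(image_path, tuple(record["hashes"]))
    mismatches = [name for name, expected in record["hashes"].items()
                  if current[name] != expected]
    size_ok = os.path.getsize(image_path) == record["size"]
    return (size_ok and not mismatches), mismatches


def demo(content=b"\x00" * 4096 + b"sample evidence bytes" + b"\xff" * 4096, flip_at=4100):
    """Constructed walk-through: write a small fake image, record its manifest,
    verify it, then flip one byte (an accidental write to the original) and verify again."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence.dd")          # constructed file name
    manifest = image + ".hashes.json"                     # constructed manifest name
    with open(image, "wb") as fh:
        fh.write(content)
    record = write_manifest(image, manifest)
    before = verify_manifest(image, manifest)
    with open(image, "r+b") as fh:
        fh.seek(flip_at)
        fh.write(b"X")
    after = verify_manifest(image, manifest)
    return {"record": record, "before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("acquisition hashes:", result["record"]["hashes"])
    print("verify before tampering:", result["before"])
    print("verify after one flipped byte:", result["after"])
```

A mismatch only tells you that the bytes changed somewhere, not where; that is why the hashes are computed before any analysis starts and the original is kept behind a write blocker while work proceeds on a copy. Recording more than one algorithm costs nothing extra in I/O (one pass feeds all hashers) and keeps the record usable if one algorithm is later considered too weak.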

Usage

Syntax

dff [options]

Options

  -v      --version                  display current version
  -g      --graphical                launch graphical interface
  -b      --batch=FILENAME           executes batch contained in FILENAME
  -l      --language=LANG            use LANG as interface language
  -h      --help                     display this help message
  -d      --debug                    redirect IO to system console
          --verbosity=LEVEL          set verbosity level when debugging [0-3]
  -c      --config=FILEPATH          use config file from FILEPATH

Example DFF

cyborg@cyborg:~$ dff 
loading modules in /usr/lib/python2.7/dist-packages/dff/modules
[OK]	loading extract v1.0.0
[OK]	loading FUSE v1.0.0
[OK]	loading metaexif v1.0.0
[OK]	loading prefetch v1.0.0
[OK]	loading lnk v1.0.0
[OK]	loading compound v1.0.0
[OK]	loading NTFS v0.5.1
[OK]	loading FATFS v1.0.0
[OK]	loading spare v1.0.0
[OK]	loading EXTFS v1.0.0
[OK]	loading DEVICES v1.0.0
[OK]	loading LOCAL v1.0.0
[OK]	loading EWF v1.0.0
[OK]	loading AFF v1.0.0
[OK]	loading hash v1.0.0
[OK]	loading merge v1.0.0
[OK]	loading cut v1.0.0
[OK]	loading split v1.0.0
[OK]	loading VMWARE v1.0.0
[OK]	loading PARTITION v1.0.0
[OK]	loading web v1.0.0
[OK]	loading videothumbnailviewer v1.0.0
[OK]	loading textviewer v1.0.0
[OK]	loading player v1.0.0
[OK]	loading imageviewer v1.0.0
[OK]	loading timeline v1.0.0
[OK]	loading binarydiff v1.0.0
[OK]	loading regedit v1.0.0
[OK]	loading hexeditor v1.0.0
[OK]	loading PFF using old style module check
[OK]	loading fileschart v1.0.0
[OK]	loading CARVER v1.0.0
[OK]	loading carverui v1.0.0
[OK]	loading carvergui v1.0.0
[OK]	loading fg v1.0.0
[OK]	loading link v1.0.0
[OK]	loading batch v1.0.0
[OK]	loading history v1.0.0
[OK]	loading show_db v1.0.0
[OK]	loading info v1.0.0
[OK]	loading load v1.0.0
[OK]	loading find v1.2.0
[OK]	loading show_cwd v1.0.0
[OK]	loading jobs v1.0.0
[OK]	loading man v1.0.0
[OK]	loading ls v1.0.0
[OK]	loading open v1.0.0
[OK]	loading cd v1.0.0
[OK]	loading fileinfo v1.0.0
[OK]	loading volatility v1.0.0

##########################################
# Welcome on Digital Forensics Framework #
##########################################

dff / > info

load
	Config:
		name: files
		description: local files or folders containing modules
		type: Path*
		requirement: mandatory
		input parameters: editable list

carver
	Config:
		name: file
		description: file used by carver
		type: Node*
		requirement: mandatory
		input parameters: editable single

		name: patterns
		description: defines a matching context for carving files
		type: Argument*
		requirement: mandatory
		input parameters: editable list

		name: start-offset
		description: offset where to start carving
		type: uint64_t
		requirement: optional
		input parameters: editable single

carvergui
	Config:
		name: file
		description: Node to search data in
		type: Node*
		requirement: mandatory
		input parameters: editable single

fg
	Config:
		name: pid
		description: Process id (use jobs to list process id)
		type: uint32_t
		requirement: mandatory
		input parameters: editable single

metaexif
	Config:
		name: file
		description: file for extracting metadata
		type: Node*
		requirement: mandatory
		input parameters: editable single

	Constant:
		name: mime-type
		description: managed mime type
		type: std::string
		values: jpeg, TIFF

batch
	Config:
		name: path
		description: Path to a dff batch file
		type: Path*
		requirement: mandatory
		input parameters: editable single
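The `info` output above lists the carver module's parameters: a `file` node to search, `patterns` that define the matching context, and an optional `start-offset`. To make those parameters concrete, here is an added example in Python; it is not DFF's carver and not code from this page. It implements a minimal header/footer signature carver over a constructed byte buffer that stands in for a chunk of unallocated space, scanning from a start offset, bounding the size of each carved object so an orphan header (one whose footer was overwritten) cannot swallow the rest of the image, and naming extracted files by offset and hash so each result is traceable back to the source. The JPEG and PNG magic bytes are real; the signature table, the `MAX_CARVE` bound, the function names and the sample buffer are assumptions.

```python
import hashlib
import os

# Header/footer pairs keyed by file type. The magic bytes are real; the table
# itself is an assumption standing in for a carver's configured "patterns".
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Upper bound for one carved object (assumed value): a header whose footer was
# overwritten must not make the carver consume everything up to the next footer.
MAX_CARVE = 16 * 1024 * 1024


def carve(data, patterns=SIGNATURES, start_offset=0, max_size=MAX_CARVE):
    """Return [(type, offset, bytes)] for each header..footer span found in `data`,
    scanning from `start_offset`, sorted by offset."""
    found = []
    for kind, (header, footer) in patterns.items():
        pos = data.find(header, start_offset)
        while pos != -1:
            # Look for the footer only inside the size window after the header.
            end = data.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Orphan header: skip it rather than carve garbage.
                pos = data.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((kind, pos, data[pos:end]))
            pos = data.find(header, end)
    return sorted(found, key=lambda hit: hit[1])


def save_carved(hits, out_dir):
    """Write each hit as <offset>_<sha256 prefix>.<type> so every output file
    is traceable to its image offset and integrity-checkable; returns the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for kind, offset, blob in hits:
        name = "%d_%s.%s" % (offset, hashlib.sha256(blob).hexdigest()[:16], kind)
        path = os.path.join(out_dir, name)
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed stand-in for unallocated space: one intact JPEG, one intact
    PNG, and one JPEG header whose footer was overwritten (must not be carved)."""
    filler = b"\x00" * 512
    jpeg = b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 40 + b"\xff\xd9"     # 50 bytes, at offset 512
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 30 + b"IEND\xaeB`\x82"  # 46 bytes, at offset 1074
    orphan = b"\xff\xd8\xff\xe1" + b"\x11" * 20                      # header only, at 1632
    return filler + jpeg + filler + png + filler + orphan + filler


if __name__ == "__main__":
    image = build_sample_image()
    for kind, offset, blob in carve(image):
        print("%-5s at offset %6d, %d bytes" % (kind, offset, len(blob)))
```

The size bound and the orphan-header rule are the parts worth keeping when adapting this: without them a single damaged header produces a huge, useless carve, and a run of false positives inflates the review workload. Real carvers also validate the structure between header and footer (for example JPEG segment lengths), which this example deliberately leaves out.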


Example DFF GUI

cyborg@cyborg:~$ dff -g


Add Logical Image:

Go to Open Evidence > Select Image:

