Digital Forensics Framework

DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, DFF interface guides the user through the main steps of a digital investigation so it can be used by both professional and non-expert to quickly and easily conduct a digital investigation and perform incident response.

DFF follows three main goals :

0. Modularity In contrary to the monolithic model, the modular model is based on a core and many modules. This modular conception presents two advantages : it permits to improve rapidly the software and to split easily tasks for developers.
1. Scriptability It is obvious that the ability to be scripted gives more flexibility to a tool, but it also enables automation and gives the possibility to extend features
2. Genericity the project tries to remain Operating System agnostic. We want to help people where they are ! Letting them choose any Operating System to use DFF.

Amongst supported features of DFF :

• Automated analysis
  • Mount partitions, file systems and extract files metadata and other usefull information in an automated way.
  • Generate an HTML report with System & User activity
• Direct devices reading support
• Supported forensic image file formats
  • AFF, E01, Ex01, L01, Lx01, dd, raw, bin, img
• Supported volumes & File systems with unallocated space, deleted items, slack space, ...
  • DOS, GPT, VMDK, Volume Shadow Copy, NTFS, HFS+, HFSX, EXT2, EXT3, EXT4, FAT12, FAT16, FAT32
• Embeded viewers for videos, images, pdf, text, office documents, registry, evt, evtx, sqlite, ...
• Outlook and Echange mailboxes (PAB, PST, OST)
• Metadata extraction
  • Compound files (Word, Excel, Powerpoint, MSI, ...)
  • Windows Prefetch
  • Exif information
  • LNK
• Browser history
  • Firefox, Chrome, Opera
• System & Users activity
  • connected devices, user accounts, recent documents, installed software, network, ...
• Volatile memory analysis with graphical interface to Volatility
• Videos thumbnails generation
• Support for Sqlite, Windows Registry, Evt and Evtx
• Full Skype analysis (Sqlite and old DDB format)
• Timeline based on all gathered timestamps (file systems and metadata)
• Hashset supports with automatic "known bad", "known good" tagging
• Mount functionnality to access recovered files and folders from your local system
• In place carving
• ...

Dependencies

Some optional dependencies are optional and are rarely packaged on GNU/Linux distrubition. If you need associated features, you will have to install them by yourself:

• The following dependencies must be installed before compilation:

  • Libbfio to support I/O abstraction with the following libraries
  • Libpff to support Outlook & Exchange mailboxes
  • Libewf to support EnCase forensic containers
  • Libvshadow to support Volume Shadow Copy

• The following dependencies can be installed after compilation

  • Pyregfi and reglookup to support Windows registry parsing
  • Volatility to support volatile memory analyse
  • Pefile to enhance metadata extracted from recovered binary in volatile memory

Install

Packages

DFF can be installed with the package manager of your distribution

Debian

Jessie

echo "deb http://repo.digital-forensic.org/debian jessie main" > /etc/apt/sources.list.d/arxsys.list
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7DC18D60
apt-get update
apt-get install dff

Stretch

echo "deb http://repo.digital-forensic.org/debian stretch main" > /etc/apt/sources.list.d/arxsys.list
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7DC18D60
apt-get update
apt-get install dff

Ubuntu

Trusty

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7DC18D60
add-apt-repository "deb http://repo.digital-forensic.org/ubuntu trusty main"
apt-get update
apt-get install dff

Fedora, CentOS, OpenSuSE

yum-config-manager --add-repo http://www.cert.org/forensics/repository/
yum update --disableexcludes=all
yum install dff

From source

GNU/Linux

Debian based distribution

apt-get install cmake build-essential swig python-qt4 pyqt4-dev-tools qt4-dev-tools libicu-dev libtre-dev qt4-linguist-tools python-magic libfuse-dev libudev-dev libavformat-dev libavdevice-dev libavutil-dev libswscale-dev flex bison devscripts pkg-config autotools-dev automake autoconf autopoint zlib1g-dev libtool libssl-dev wget scons libtalloc-dev clamav
git clone https://github.com/arxsys/dff/
cd dff
git submodule init
git submodule update
mkdir build
cd build
cmake ..
make -j`getconf _NPROCESSORS_ONLN`

Pointers

Website: http://www.digital-forensic.org/ | http://www.arxsys.fr

IRC: irc.freenode.net #dff

Twitter: @arxsys