What is DFF?
The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals worldwide. Written in Python and C++, it relies exclusively on Open Source technologies.
DFF combines an intuitive user interface with a modular, cross-platform architecture.
What does it do?
DFF consists of tools, libraries, modules, and user interfaces. The basic function of the framework is to aggregate information and methodically analyze volumes, file systems, and user and application data, extracting metadata as well as deleted and hidden items. Information is processed in virtual read-only containers, which preserves the integrity and authenticity of the data.
Key features
- User Interface: File browser, bookmarks, dockable windows, integrated Python development environment and interpreter, command line, multiple languages, task manager.
- Viewers: Images, videos, text, web, file system statistics
- Timeline analysis: Graphical view, virtual extraction and reduction, metadata filters
- Hexadecimal viewer: Large file support, page navigation, pixel navigation and view, search, ...
- Volumes: Partitions, VMDK (VMware)
- File manipulation: Cut, merge, extraction, sparse reduction
- Metadata: EXIF, date/time, data structures, etc.
- Volatile memory: Windows XP (via Volatility)
- File systems: FAT 12/16/32, NTFS, ext2/3/4
- Data recovery: File system algorithms, file carving
- Windows registry: Reconstruction and analysis
- Other: Local devices, hashes (MD5, SHA*), zip, unxor, ...
Open Source
DFF's source code is freely available. Access to and control over its internal components give assurance about how results are produced: analysts can inspect the tool and compare different analysis techniques against each other, which is a requirement in digital forensic science. Unlike proprietary tools, the synergy between users and developers is ensured by an active community that constantly helps improve the quality of the code.
Cross-platform
Avoiding operating system dependencies and letting users choose their environment is a fundamental freedom. DFF uses technologies that can be compiled and run on most popular operating systems (Windows, Linux, macOS, etc.).
Portable
Install and use DFF as a stand-alone application on a powerful analysis workstation, or deploy it on live media for on-site or live analysis. DFF is already included in several security and forensics live distributions (such as Deft Linux).
Automation and scalability
DFF's architecture and design allow different levels of automation. Create your own analysis profiles and reuse them in later cases, thanks to the Python programming language and post-processing capabilities. Moreover, its modular and multi-threaded architecture lets processing scale with the available hardware.
Modular
DFF follows object-oriented design: functionality is grouped into self-contained "objects", which gives code reusability and makes it easy to create and plug in new functionality. DFF uses the C++ and Python programming languages.
User Interface Framework
DFF uses Qt, a cross-platform application and UI framework. Qt provides an easy way to create basic and advanced user interfaces and graphical modules within DFF.
DFF is more than a classical digital forensics tool: it is a framework providing Application Programming Interfaces for developing your own extensions. These interfaces are available through a collection of object-oriented libraries. They give access to a set of functionality dedicated to forensic analysis, such as searching within file contents or filtering on metadata. Some interfaces are also provided to ease the development of modules in charge of data reconstruction.
Virtual File System
The Virtual File System (VFS) of DFF is the elementary layer of the framework. It holds the hierarchical tree generated by each module that reconstructs data. Each element of the VFS is represented by a node encapsulating a set of data with which it is possible to interact.
Within the VFS there is no distinction between a folder, a file or any other type of data. Each piece of reconstructed data corresponds to a node encapsulating information extracted from the analyzed file system. Nodes are linked together hierarchically, which makes it possible to add new data from different analyses.
This makes the VFS stackable: different modules can be applied to nodes in turn, each building on the output of the previous one. This mechanism avoids extracting each data layer to local drives and then re-injecting it into DFF.
Metadata / Attributes
Analyzed data, such as files extracted from a file system, usually consist of content together with some metadata. DFF therefore offers a simple way to dynamically add attributes to each node, so users can easily access metadata from the framework.
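The stacking and attribute mechanisms described in the two sections above, as an added illustration written for this page (it is not DFF's own code; DFF exposes its own Python API, which differs): a minimal Python model in which every element is a Node whose content is reachable only through a read-only read routine. A carving module stacks a zip found inside a constructed disk image as a child node, an archive module parses that child in place and stacks its members below it, and a hash module attaches digests as attributes across all layers, without any layer being written to the local disk. The sample image, file names and module functions (carve_zip, expand_zip, hash_module, verify_hashes) are assumptions of this example.

```python
import hashlib
import io
import zipfile

class Node:
    """VFS element: content reachable only through a read-only routine, plus free-form attributes."""
    def __init__(self, name, parent=None, reader=None, size=0):
        self.name, self.parent, self.size = name, parent, size
        self.children, self.attributes = [], {}
        self._reader = reader  # callable(offset, size) -> bytes; None for directory-like nodes
        if parent is not None:
            parent.children.append(self)

    def child(self, name):
        return next((c for c in self.children if c.name == name), None)

    def read(self, offset=0, size=None):
        if self._reader is None or not 0 <= offset < self.size:  # clamped: never read past the node
            return b""
        size = self.size - offset if size is None else min(size, self.size - offset)
        return self._reader(offset, size)

class NodeIO(io.RawIOBase):  # file-like adapter so a stdlib parser (zipfile here) consumes a node in place
    def __init__(self, node):
        self.node, self.pos = node, 0
    def readable(self): return True
    def seekable(self): return True
    def tell(self): return self.pos
    def seek(self, offset, whence=io.SEEK_SET):
        self.pos = {io.SEEK_SET: 0, io.SEEK_CUR: self.pos, io.SEEK_END: self.node.size}[whence] + offset
        return self.pos
    def readinto(self, b):
        data = self.node.read(self.pos, len(b))
        b[:len(data)] = data
        self.pos += len(data)
        return len(data)

def carve_zip(node):  # carving module: each local-header..end-of-central-directory span becomes a child
    data, start, carved = node.read(), 0, []
    while (start := data.find(b"PK\x03\x04", start)) != -1:
        eocd = data.find(b"PK\x05\x06", start)
        if eocd == -1:
            break
        end = eocd + 22 + int.from_bytes(data[eocd + 20:eocd + 22], "little")  # EOCD record + comment
        window = lambda o, s, base=start: node.read(base + o, s)  # view onto the parent, nothing copied
        carved.append(Node(f"carved_{start:#x}.zip", node, window, end - start))
        carved[-1].attributes.update(carved=True, offset=start)
        start = end
    return carved

def expand_zip(node):  # archive module stacked on a carved node: members become nodes below it
    zf = zipfile.ZipFile(NodeIO(node))
    for info in zf.infolist():
        parts = [p for p in info.filename.split("/") if p]
        dirs, leaf = (parts, None) if info.is_dir() else (parts[:-1], parts[-1])
        cur = node
        for d in dirs:
            cur = cur.child(d) or Node(d, cur)
        if leaf:  # inflated on demand, never written to the local disk
            member = Node(leaf, cur, lambda o, s, i=info: zf.read(i)[o:o + s], info.file_size)
            member.attributes["mtime"] = "%04d-%02d-%02d %02d:%02d:%02d" % info.date_time
    return node.children

def walk(node):
    yield node
    for c in node.children:
        yield from walk(c)

def find(root, path):
    for part in path.strip("/").split("/"):
        root = root and root.child(part)
    return root

def hash_module(root):  # attribute module: an md5 attached to every content-bearing node, any layer
    for n in walk(root):
        if n.size:
            n.attributes["md5"] = hashlib.md5(n.read()).hexdigest()

def verify_hashes(root):  # integrity re-check of every stored digest against a fresh read
    return all(n.attributes["md5"] == hashlib.md5(n.read()).hexdigest()
               for n in walk(root) if "md5" in n.attributes)

REPORT = b"Case 2013-07 memo: suspect laptop imaged with dd, hash verified.\n"
NOTES = b"todo: review browser history\n"
def build_sample_image():  # constructed input: a small zip in the unallocated space of a fake disk image
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (("docs/report.txt", REPORT), ("notes.txt", NOTES)):
            zf.writestr(zipfile.ZipInfo(name, (2013, 7, 1, 9, 0, 0)), data, zipfile.ZIP_DEFLATED)
    return b"\x00" * 512 + buf.getvalue() + b"\xff" * 64

def build_tree(image=None):
    image = build_sample_image() if image is None else image
    root = Node("")
    disk = Node("image.dd", root, lambda o, s: image[o:o + s], len(image))
    for archive in carve_zip(disk):  # layer 2: carved archives under the image node
        expand_zip(archive)          # layer 3: archive members under each carved node
    hash_module(root)                # attributes added across all layers at once
    return root
```

Calling build_tree() and walking the result gives /image.dd, /image.dd/carved_0x200.zip and the archive's members below it. The carved node's reader is a window onto the image node and member content is inflated only when read, so the tree can be rebuilt from the original image at any time and verify_hashes() confirms that nothing changed along the way.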
Process manager
Each executed module is treated as a process within DFF. The purpose is to run several modules in parallel and keep an overview of their progress. You benefit from multi-core architectures while the interfaces (graphical or command line) do not freeze when modules are running. Each process appears in the Task Manager, which also gives an overview of the current state of each module.
File System Objects
In order to handle the diversity of data types and the complexity of low-level structures (volumes, file systems), DFF integrates a software library specialized in data reconstruction. Each module can implement its own input/output routines, or use the ones provided by DFF's API, which makes the in-memory representation of analyzed data easier.
Data types
Analyzed data can be of different types. DFF therefore integrates a library that recognizes what type of data has been injected into the framework, so the most relevant module is triggered with a single click, or fully automatically.