API

  • Stackable File System (made multi-layer analysis possible)
  • Environement API for auto-completion and auto generation of Graphical Script
  • Multi-threaded (possiblity to launch modules in background, so investigator can continue to work on the cases even if they launched modules that do heavy computations)
  • Hash calculation possible with different algo (MD5, SHA1, SHA256)
  • File oriented data representation (ex: a zip file can be browse like a normal directory, bypass zip-bomb problem)
  • MAC Times access


Users

  • An user-friendly Graphical Interface, with multi-browser and dockable widget
  • A console interface
  • Multi-Platform (Linux, Windowx, futur port on BSD & OS X )
  • Tagged modules
  • Gallery view
  • File type auto-detection (don't rely on file extension)
  • Command history


Developers

  • API available both in Python and C++
  • Core API wrote in C++ for enhanced speed
  • Live Scripting : API available and scriptable in live with a python interpreter
  • Easy drivers and script developement through our API
  • Possibility of writing script both in console or in QT for graphical use
  • IDE, with template available for our different type of modules (graphical, console, drivers...)


Available Drivers and Scripts

  • FAT 12/16/32 Drivers
    • Write specially for DFF
    • Powerful deleted file recovery
    • Slack space detection and made easily available as a file representation
  • FTL-Reconstruction and CellPhone file system
    • We developed in partnership with ArxSys (a french digital forensics specialist company) different Cellphone drivers. These drivers are based on FTL (Flash Translation Layer) reconstruction and permit at the difference with others solutions to recover 100% of the cellphone contents and also permit access to slack space and deleted files, you can contact them for more informations (www.arxsys.eu : contact at arxsys.eu)
  • SMS-Decode
    • Permit to decode sms content and metadata to display them as you see it on your cell-phone
  • SHM (Shared Memory)
    • Permit to create virtual file on host memory, for made easyer file management by script
  • Partition
    • Detect different partition on a whole disk image and display each one as a file
  • FUSE
    • Permit to access DFF Virtual File System directly on your host-computer
  • Extract
    • Permit to extract file content on the host file-system
  • HexEditor
    • Editor for console and graphical
    • Possibility to browse very large file
    • Binary type conversions
    • Browsable by block, sector...
  • Hash
    • Hash files with possibilty to choose between different algorithm (MD5, SHA1, SHA256...)
    • NSLR Compatiblity, ability to import NSLR data-base and create your own base
  • Streamed strings and zip drivers
    • Permit to search data string on the fly, or browse zip file recursivly without decompressing all the content
  • Batch
    • Automaticly search for some file by type and apply an other script on it in a threaded way (Ex: automaticly hash all jpeg file)
  • Post-Process
    • Automaticly apply a script when new file are added by file system drivers (Ex: automaticaly hash all file)
  • Exec-Pipe (Unix)
    • Permit to pipe a file content into a unix program, that permit to use external program to analyse or view file content
  • ...
    • Lot of others script and drivers are available, as we develop DFF as an open framework we hope the community will made available their script and drivers


Home