Wednesday, December 20, 2017
DFF is an opensource framework tool. It is a forensic tool which is used by experts and non experts to reveal digital evidences. The following is the listings of operations done.
- Preserve digital chain of custody: Software write blocker, cryptographic hash calculation
- Access to local and remote devices: Disk drives, removable devices, remote file systems
- Read standard digital forensics file formats: Raw, Encase EWF, AFF 3 file formats
- Virtual machine disk reconstruction: VmWare (VMDK) compatible
- Windows and Linux OS forensics: Registry, Mailboxes, NTFS, EXTFS 2/3/4, FAT 12/16/32 file systems
- Quickly triage and search for (meta-)data: Regular expressions, dictionaries, content search, tags, time-line
- Recover hidden and deleted artifacts: Deleted files / folders, unallocated spaces, carving
- Volatile memory forensics: Processes, local files, binary extraction, network connections
Source: http://www.digital-forensic.org/
It is used in a extracting metadata, hidden,deleted data and therefore processes into read only containers. The main advantage of this is it preservers authenticity of the data.
To clone it usegit clone
https://github.com/arxsys/dff?files=1
$dff loading modules in /usr/lib/python2.7/dist-packages/dff/modules [OK] loading extract v1.0.0 [OK] loading FUSE v1.0.0 [OK] loading metaexif v1.0.0 [OK] loading prefetch v1.0.0 [OK] loading lnk v1.0.0 [OK] loading compound v1.0.0 [OK] loading NTFS v0.5.1 [OK] loading FATFS v1.0.0 [OK] loading spare v1.0.0 [OK] loading EXTFS v1.0.0 [OK] loading DEVICES v1.0.0 [OK] loading LOCAL v1.0.0 [OK] loading EWF v1.0.0 [OK] loading AFF v1.0.0 [OK] loading hash v1.0.0 [OK] loading merge v1.0.0 [OK] loading cut v1.0.0 [OK] loading split v1.0.0 [OK] loading VMWARE v1.0.0 [OK] loading PARTITION v1.0.0 [OK] loading web v1.0.0 [OK] loading videothumbnailviewer v1.0.0 [OK] loading textviewer v1.0.0 [OK] loading player v1.0.0 [OK] loading imageviewer v1.0.0 [OK] loading timeline v1.0.0 [OK] loading binarydiff v1.0.0 [OK] loading regedit v1.0.0 [OK] loading hexeditor v1.0.0 [OK] loading PFF using old style module check [OK] loading fileschart v1.0.0 [OK] loading CARVER v1.0.0 [OK] loading carverui v1.0.0 [OK] loading carvergui v1.0.0 [OK] loading fg v1.0.0 [OK] loading link v1.0.0 [OK] loading batch v1.0.0 [OK] loading history v1.0.0 [OK] loading show_db v1.0.0 [OK] loading info v1.0.0 [OK] loading load v1.0.0 [OK] loading find v1.2.0 [OK] loading show_cwd v1.0.0 [OK] loading jobs v1.0.0 [OK] loading man v1.0.0 [OK] loading ls v1.0.0 [OK] loading open v1.0.0 [OK] loading cd v1.0.0 [OK] loading fileinfo v1.0.0 [OK] loading volatility v1.0.0 DFF and DFF GUI ########################################## # Welcome on Digital Forensics Framework # ########################################## dff / > info load Config: name: files description: local files or folders containing modules type: Path* requirement: mandatory input parameters: editable list carver Config: name: file description: file used by carver type: Node* requirement: mandatory input parameters: editable single name: patterns description: defines a matching context for carving files type: Argument* requirement: mandatory input parameters: editable list name: start-offset description: offset where to start carving type: uint64_t requirement: optional input parameters: editable single DFF and DFF GUI carvergui Config: name: file description: Node to search data in type: Node* requirement: mandatory input parameters: editable single DFF and DFF GUI fg Config: name: pid description: Process id (use jobs to list process id) type: uint32_t requirement: mandatory input parameters: editable single DFF and DFF GUI metaexif Config: name: file description: file for extracting metadata type: Node* requirement: mandatory input parameters: editable single DFF and DFF GUI Constant: name: mime-type description: managed mime type type: std::string values: jpeg, TIFF batch Config: name: path description: Path to a dff batch file type: Path* requirement: mandatory input parameters: editable single
Wednesday, December 20, 2017
forensics
hacking
technology
Nice post
ReplyDeletegreat
ReplyDelete