The Hacker News
"DFF (Digital Forensics Framework) is a simple but powerful tool with a flexible module system which will help you in your digital forensics works, including file recovery due to error or crash, evidence research and analysis, etc. DFF provides a robust architecture and some handy modules."


This is the change log:

  • Lib EWF support: The LibEWF [1], developed by Joachim Metz, has been included as a connector. It provides support for Encase(R) file format (E01/S01 format).
  • Bookmarks: It is now possible to bookmark interesting nodes and sort them by categories. The aim is to gather relevant files when performing analysis. Bookmarked nodes can then be used by other modules and also extracted.
  • Advanced Hexadecimal viewer: Features used to resolve the DFRWS 2010 challenge [2] have been included. These features are very useful when studying unknown data structures or performing advanced file analysis. This upgraded version of the hexadecimal viewer provides three new visualization modes:
    • A pixel view that renders dumps graphically. It makes it possible to recognize structures visually. Several options are provided for rendering the view (8 bits, RGB, resolution, …)
    • A block mode view providing a simple way to see a dump in block mode. Size of blocks can be chosen in the corresponding option panel.
    • A streamed string view which renders printable characters.
  • NTFS ADS: The NTFS module now supports Alternate Data Streams (ADS). With ADS, several data streams belong to one file entry; each data stream is exposed as its own node, which simplifies analysis.
  • Windows Devices: Devices on Windows can now be directly opened and used in DFF. It enables Live Forensics analysis in an easy way. It also provides a way to dump devices by extracting the corresponding nodes.
  • Virtual modification of nodes (aka files): Two new modules have been added to modify nodes virtually (i.e. in memory, without writing on disk). These two modules are very useful when working with large files:
    • The Cut module creates a new node from part of a file, given a start offset and a size.
    • The Merge module merges two files into a new one.
  • Loader and API Versioning: Each component of the API now has its own version number. Modules and scripts can now declare dependencies on specific API components, which are checked at load time. Backward compatibility of the loader is maintained: modules and scripts written the old way are still loaded.
  • Inline documentation: Inline documentation has been incorporated directly into the Framework. It can now be browsed from within the software, including in a disconnected environment.
  • Execution times: Each process in the task manager now displays its execution time.
  • Enhanced GUI ergonomics: Several parts of the GUI have been enhanced to provide a better look and feel to the user:
    • Dialog window used to provide arguments to modules has been redesigned.
    • Easier selection of input files and/or directories
    • Enhanced dialog to select devices
    • Right click has been re-factored. Some categories have been renamed.
  • Languages pack: Using the --lang switch when starting DFF from the command line selects the language used in the Graphical User Interface. Translations are provided for three languages: English, Spanish and French. Contributions supporting other languages are welcome.
  • Debug switch: A new switch (-d) sends all print output to the console without requiring any code changes.
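The Cut and Merge modules described above create new nodes in memory without copying data. The Python sketch below is an added example, not DFF's own code: a cut node translates reads into its parent's offsets, and a merge node routes a read to whichever children it spans (it accepts any number of parts, generalizing the two-file case in the changelog). The class and method names are invented for the illustration, and the sample dump is constructed.

```python
import io

class FileNode:
    """Leaf node over a seekable file-like object (image, dump, device)."""
    def __init__(self, fobj, size):
        self._f, self._size = fobj, size
    def size(self):
        return self._size
    def read(self, offset, length):
        if offset >= self._size or length <= 0:
            return b""
        self._f.seek(offset)
        return self._f.read(min(length, self._size - offset))

class CutNode:
    """Window [start, start+size) onto a parent node; no bytes are copied."""
    def __init__(self, parent, start, size):
        if start < 0 or size < 0 or start + size > parent.size():
            raise ValueError("cut range exceeds parent node")
        self._parent, self._start, self._size = parent, start, size
    def size(self):
        return self._size
    def read(self, offset, length):
        if offset >= self._size or length <= 0:
            return b""
        return self._parent.read(self._start + offset, min(length, self._size - offset))

class MergeNode:
    """Concatenation of nodes; a read is routed to the children it spans."""
    def __init__(self, *parts):
        self._parts = parts
    def size(self):
        return sum(p.size() for p in self._parts)
    def read(self, offset, length):
        out = bytearray()
        for part in self._parts:
            if offset < part.size() and length > 0:
                chunk = part.read(offset, length)
                out += chunk
                length -= len(chunk)
            offset = max(offset - part.size(), 0)  # position relative to the next child
        return bytes(out)

# Constructed sample dump: header, 12 bytes of slack, payload, 8 bytes of slack, footer.
SAMPLE = b"HDR:" + b"\x00" * 12 + b"PAYLOAD!" + b"\xff" * 8 + b":END"
def rebuild_without_slack(data=SAMPLE):
    # Cut header, payload and footer out of the dump, then merge them into one node.
    src = FileNode(io.BytesIO(data), len(data))
    joined = MergeNode(CutNode(src, 0, 4), CutNode(src, 16, 8), CutNode(src, 32, 4))
    return joined.read(0, joined.size())
```

Only the bytes actually requested are read from the underlying source, which is what makes this workable on large images or live devices.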
Bug fixes:
  • GUI proxy model issues: A major bug in the node browser leading to crashes on some architectures has been fixed. It was related to the refresh events on Nodes and the way signals were sent between views and the model.
  • Exceptions: Exceptions were not correctly handled in version 0.8. There is now a generic exception handler used for each wrapped method. This significantly reduces crashes and provides more user-friendly messages when errors are encountered in modules.
  • NTFS: Attribute parsing on huge file systems has been improved. DFF attribute conversion from int to string has been removed; it was used to show both decimal and hexadecimal views, which should be handled by the graphical view itself. The MFT and index decoding modes have been fixed (entries starting with FILE or INDX). This is useful for deep analysis.
  • EXTFS: Error handling is now done properly. Default values and behaviors for some options have been modified so that the module starts without modifying the default configuration.
  • Argument: Fixed issues with integer type and optional arguments generated by the GUI in 0.8.
  • Picture viewer: Exif information is no longer editable
We are most excited about the advanced Hexadecimal viewer that has been bundled with this version!
Download DFF v0.9.0 here.


News Source: Google