DFF Package Description

DFF (Digital Forensics Framework) is free and Open Source computer forensics software built on top of a dedicated Application Programming Interface (API).

It can be used by both professionals and non-experts to quickly and easily collect, preserve and reveal digital evidence without compromising systems or data.

  • Preserve digital chain of custody: Software write blocker, cryptographic hash calculation
  • Access to local and remote devices: Disk drives, removable devices, remote file systems
  • Read standard digital forensics file formats: Raw, Encase EWF, AFF 3 file formats
  • Virtual machine disk reconstruction: VMware (VMDK) compatible
  • Windows and Linux OS forensics: Registry, Mailboxes, NTFS, EXTFS 2/3/4, FAT 12/16/32 file systems
  • Quickly triage and search for (meta-)data: Regular expressions, dictionaries, content search, tags, time-line
  • Recover hidden and deleted artifacts: Deleted files / folders, unallocated spaces, carving
  • Volatile memory forensics: Processes, local files, binary extraction, network connections
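The first bullet above, preserving the chain of custody with a software write blocker and cryptographic hashes, is the step every later analysis depends on: an image whose hash has not been recorded and re-verified cannot be shown to be the same bytes that were acquired. The script below is an added example written for this page, not code from DFF or ArxSys. It opens the image strictly read-only, hashes it in 1 MiB chunks (so multi-gigabyte images never sit in memory), writes a JSON manifest, and re-verifies the image against that manifest; the demo builds a small constructed "raw image" in a temporary directory, then flips one byte to show the verification failing. The manifest layout and file names are assumptions for illustration.

```python
import hashlib
import io
import json
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per read: hashes large images without loading them into RAM


def hash_stream(fh, algorithms=("md5", "sha256")):
    """Hash an already-open binary stream with several algorithms in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = fh.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper used to check the hasher against known test vectors."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_image(path, algorithms=("md5", "sha256")):
    """Hash an evidence image. Mode "rb" is the software side of write blocking:
    nothing in this path ever opens the image for writing."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def write_manifest(image_path, manifest_path):
    """Record size and hashes at acquisition time (assumed manifest format)."""
    record = {
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "hashes": hash_image(image_path),
    }
    with open(manifest_path, "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_image(image_path, manifest_path):
    """Re-hash the image and compare with the manifest.
    Returns (ok, list_of_mismatched_fields)."""
    with open(manifest_path) as fh:
        expected = json.load(fh)
    actual = hash_image(image_path, tuple(expected["hashes"]))
    mismatches = [alg for alg, digest in expected["hashes"].items()
                  if actual[alg] != digest]
    if os.path.getsize(image_path) != expected["size"]:
        mismatches.append("size")
    return (not mismatches, mismatches)


def demo():
    """Constructed sample: a tiny fake raw image is hashed, then one byte is
    altered and the image is verified again. Returns (before, after)."""
    tmp = tempfile.mkdtemp()
    img = os.path.join(tmp, "evidence.dd")            # assumed file name
    manifest = img + ".manifest.json"                  # assumed file name
    with open(img, "wb") as fh:
        fh.write(b"\x00" * 4096 + b"NTFS    " + b"\xff" * 4096)
    write_manifest(img, manifest)
    before = verify_image(img, manifest)               # (True, [])
    with open(img, "r+b") as fh:                       # simulated tampering
        fh.seek(4100)
        fh.write(b"X")
    after = verify_image(img, manifest)                # (False, ['md5', 'sha256'])
    return before, after


if __name__ == "__main__":
    print(demo())
```

Recording two hashes costs one extra pass over nothing, since both run over the same chunk; the manifest should be stored apart from the image (and ideally signed or printed into the case notes) so that an attacker who can modify the image cannot also rewrite its recorded hash.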

Source: http://www.digital-forensic.org/

  • Author: ArxSys S.A.S.
  • License: GPLv2

Tools included in the dff package

dff – Digital Forensic Framework
root@kali:~# dff -h
DFF
Digital Forensic Framework

Usage: /usr/bin/dff [options]
Options:
  -v      --version                  display current version
  -g      --graphical                launch graphical interface
  -b      --batch=FILENAME           executes batch contained in FILENAME
  -l      --language=LANG            use LANG as interface language
  -h      --help                     display this help message
  -d      --debug                    redirect IO to system console
          --verbosity=LEVEL          set verbosity level when debugging [0-3]
  -c      --config=FILEPATH          use config file from FILEPATH

dff-gui – Digital Forensics Framework GUI

The Digital Forensics Framework – GUI.

dff-gui Usage Example

root@kali:~# dff-gui

dff Usage Example

root@kali:~# dff
loading modules in /usr/lib/python2.7/dist-packages/dff/modules
[OK]    loading load v1.0.0
[OK]    loading link v1.0.0
[OK]    loading ls v1.0.0
[OK]    loading find v1.2.0
[OK]    loading batch v1.0.0
[OK]    loading history v1.0.0
[OK]    loading fg v1.0.0
[OK]    loading jobs v1.0.0
[OK]    loading cd v1.0.0
[OK]    loading show_db v1.0.0
[OK]    loading show_cwd v1.0.0
[OK]    loading open v1.0.0
[OK]    loading man v1.0.0
[OK]    loading info v1.0.0
[OK]    loading fileinfo v1.0.0
[OK]    loading carverui v1.0.0
[OK]    loading CARVER v1.0.0
[OK]    loading carvergui v1.0.0
[OK]    loading fileschart v1.0.0
[OK]    loading volatility v1.0.0
[OK]    loading PFF using old style module check
[OK]    loading FUSE v1.0.0
[OK]    loading extract v1.0.0
[OK]    loading DEVICES v1.0.0
[OK]    loading LOCAL v1.0.0
[OK]    loading EWF v1.0.0
[OK]    loading AFF v1.0.0
[OK]    loading hash v1.0.0
[OK]    loading merge v1.0.0
[OK]    loading cut v1.0.0
[OK]    loading split v1.0.0
[OK]    loading FATFS v1.0.0
[OK]    loading spare v1.0.0
[OK]    loading NTFS v0.5.1
[OK]    loading EXTFS v1.0.0
[OK]    loading VMWARE v1.0.0
[OK]    loading PARTITION v1.0.0
[OK]    loading sqlitedb v1.0.0
[OK]    loading imageviewer v1.0.0
[OK]    loading textviewer v1.0.0
[OK]    loading player v1.0.0
[OK]    loading videothumbnailviewer v1.0.0
[OK]    loading web v1.0.0
[OK]    loading timeline v1.0.0
[OK]    loading hexeditor v1.0.0
[OK]    loading regedit v1.0.0
[OK]    loading binarydiff v1.0.0
[OK]    loading lnk v1.0.0
[OK]    loading prefetch v1.0.0
[OK]    loading compound v1.0.0
[OK]    loading metaexif v1.0.0

##########################################
# Welcome on Digital Forensics Framework #
##########################################

dff / >