Digital Forensics Framework v1.1.0

DFF (Digital Forensics Framework) is a simple but powerful tool with a flexible module system which will help you in your digital forensics works, including file recovery due to error or crash, evidence research and analysis, etc. DFF provides a robust architecture and some handy modules.

New Features:
  • Translation: DFF GUI is now available in Chinese. Other languages were updated : Deutch, Italian, …
  • AFF: A connector to support AFF dump. The module is based on AFFLib by Simson L. Garfinkel (
  • PFF: This module parses PST, OST and PAB files to extract mailbox contents, it also recovers deleted and orphaned files and give access to unallocated clusters. It’s based on Joachim Metz LibPFF (
  • API: New cache system for FileMapping and File Descriptor. Vtime now can directly convert unix and windows 64 bits time stamp.
    • FAT:
    • Extended attributes:
      When there is slack space, a dedicated attribute specifies its start offset and its size. This feature is only available for classical files (neither deleted nor orphaned).
      Classical attributes are provided: Read Only, Hidden, System,Archive, Volume.
      DOS name is provided (8+3 name)
    • Orphaned files scan:
      The algorithm is now faster. When walking on free clusters, checks are done to know if it was previously parsed when walking on deleted files and directories in allocated clusters. Since chain of clusters of deleted directories are used, this pass could read and parse free clusters.
  • GUI: Unicode support

Bug fixes:
  • Add devices and Add files on Windows, it was not possible to add devices and files or directories in the same session.
  • MFSO opened only one file descriptor and cache it, leading to crash especially using device module on windows platform, a totally new cache system was written for FileMapping and File Descriptor.
  • EWF: Sometimes the modules could not open the underlaying due to bad fd handling this was fixed by using variant.
  • FAT:
    Recovery of deleted files was not properly handled. Previous version relied on the chain of clusters found in FAT which are often emptied when files are deleted. Now, the module gets the first cluster, asks the FAT for a the chain of cluster, if the size of all provided is smaller than the size of file, the mapping starts from the first cluster until size of the file is reached. Even if not noticeable by users (hashes of files were coherent for example) and not really a bug, the previous mapping for files were cluster aligned. It means the slack space of files were directly included in the mapping. This was done this way in prediction of future implementation of MFSO. This feature would be able to read either original size or slack space. Since it is not implemented yet, the mapping is now fully based on the size of the file. This patch has been developed based on Johannes Stuttgen’s feedback when he was working on the aff4 module.
    • Fix for files-end made of virtual chunks ; full of 0.
    • Infinite loop fix when searching for parent of deleted or orphan items.
    • Two segfault fixes on metadata parsing due to complex on-disk structure of NTFS attributes.
  • GUI:
  • A bug occurring when trying to input a Node as a parameter to modules has been fixed : it was not possible to browse in the tree view.
  • The tree view, in the node browser, had an inconsistent behavior: to change directories, users had to double-click on nodes names, which used to collapse the tree view. This is fixed. The node browser now behaves as a classic file browser.
  • Variant vtime repr:
    Dealing with vtime encapsulated in Variant in the Python interpreter, an exception were raised because there were no __repr__  or __str__ provided for this type.
Download DFF v1.1.0 (dff-src-1.1.0.tar.gz/dff-Py2.7.1-1.1.0-with-dependencies.exe) here.


Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info. Thank You ! -Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You! -Team VOGH



Post a Comment

Related Posts Plugin for WordPress, Blogger...