Digital Forensics Framework

Digital Forensics Framework (DFF)
Original author(s): Frédéric Baguelin, Solal Jacob, Christophe Malinge, Jérémy Mounier
Developer(s): Frédéric Baguelin, Solal Jacob, Jérémy Mounier
Stable release: 1.3.0 [1] / February 28, 2013
Written in: C++, Python, PyQt4
Operating system: Unix-like, Windows
Available in: 7 languages
Type: Computer forensics
License: GPL
Website: www.digital-forensic.org

Digital Forensics Framework (DFF) was open-source computer forensics software. It was used by professionals and non-experts to collect, preserve and reveal digital evidence without compromising systems and data. [2]


User interfaces

Digital Forensics Framework offers a graphical user interface (GUI) developed in PyQt and a classical tree view. Features such as recursive view, tagging, live search and bookmarking are available. Its command line interface allows the user to perform digital investigations remotely. It comes with common shell functions such as completion, task management, globbing and keyboard shortcuts. DFF can run batch scripts at startup to automate repetitive tasks. Advanced users and developers can use DFF directly from a Python interpreter to script their investigation.

Distribution methods

In addition to the source code package and binary installers for Linux and Windows, [3] Digital Forensics Framework is available in operating system distributions, as is typical in free and open-source software (FOSS), including Debian, [4] Fedora [5] and Ubuntu.

Digital Forensics Framework is also available through digital-forensics-oriented distributions and live CDs:

Publications

Published books that mention Digital Forensics Framework are:

In literature

White papers

Prize

DFF was used to solve the 2010 Digital Forensic Research Workshop (DFRWS) challenge, which consisted of reconstructing a physical dump of a NAND flash memory. [24]
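A physical NAND dump of the kind mentioned above interleaves each page's user data with its spare (out-of-band, OOB) area, so the first preprocessing step before any filesystem parsing is to separate the two and drop blocks the chip has marked bad. The Python example below is added here to illustrate that step; it is not DFF's code and not the DFRWS 2010 solution. The page geometry (PAGE_SIZE, OOB_SIZE, PAGES_PER_BLOCK), the bad-block marker convention (first OOB byte of a block's first page, 0xFF meaning good) and the sample dump are all assumptions constructed for the example.

```python
"""Split a raw NAND dump into page data and spare (OOB) areas, skipping bad blocks.

Added example, not DFF's code and not the DFRWS 2010 solution. Assumptions:
each page is stored as PAGE_SIZE data bytes immediately followed by OOB_SIZE
spare bytes, and the bad-block marker is the first OOB byte of the first page
of a block (0xFF = good block), a convention many large-page NAND parts use.
The geometry below is deliberately tiny so the constructed sample stays readable.
"""
from dataclasses import dataclass
from typing import List

PAGE_SIZE = 64        # constructed; real parts use 512, 2048 or 4096
OOB_SIZE = 4          # constructed; real parts use 16, 64, 128 or more
PAGES_PER_BLOCK = 4   # constructed; real parts use 32, 64 or 128


@dataclass
class Page:
    index: int   # absolute page number in the dump
    data: bytes  # user data area
    oob: bytes   # spare / out-of-band area (ECC, bad-block marker, metadata)


def split_pages(dump: bytes, page_size: int = PAGE_SIZE,
                oob_size: int = OOB_SIZE) -> List[Page]:
    """Cut an interleaved data+OOB dump into Page objects; reject wrong geometry."""
    stride = page_size + oob_size
    if len(dump) % stride:
        raise ValueError(f"dump length {len(dump)} is not a multiple of {stride}; "
                         "wrong page/OOB geometry?")
    pages = []
    for i in range(len(dump) // stride):
        off = i * stride
        pages.append(Page(i, dump[off:off + page_size],
                          dump[off + page_size:off + stride]))
    return pages


def is_erased(page: Page) -> bool:
    """An erased NAND page reads back as all 0xFF in both data and OOB."""
    return all(b == 0xFF for b in page.data) and all(b == 0xFF for b in page.oob)


def bad_blocks(pages: List[Page], pages_per_block: int = PAGES_PER_BLOCK) -> List[int]:
    """Block numbers whose first page carries a non-0xFF bad-block marker."""
    n_blocks = len(pages) // pages_per_block
    return [b for b in range(n_blocks)
            if pages[b * pages_per_block].oob[0] != 0xFF]


def reconstruct_image(pages: List[Page],
                      pages_per_block: int = PAGES_PER_BLOCK) -> bytes:
    """Concatenate user data of all pages in good blocks, in dump order.

    Bad blocks are dropped entirely: their contents are unreliable and a
    filesystem parser should never see them. Erased pages inside good blocks
    are kept so that offsets within the block stay aligned.
    """
    bad = set(bad_blocks(pages, pages_per_block))
    return b"".join(p.data for p in pages
                    if p.index // pages_per_block not in bad)


def build_sample_dump(n_blocks: int = 3, bad_block: int = 1) -> bytes:
    """Constructed dump: three blocks, block 1 marked bad, last page of block 2 erased."""
    out = bytearray()
    for b in range(n_blocks):
        for p in range(PAGES_PER_BLOCK):
            erased = (b == n_blocks - 1 and p == PAGES_PER_BLOCK - 1)
            data = b"\xff" * PAGE_SIZE if erased else bytes([0x10 * b + p + 1]) * PAGE_SIZE
            oob = bytearray(b"\xff" * OOB_SIZE)
            if b == bad_block and p == 0:
                oob[0] = 0x00   # factory-style bad-block marker
            out += data + oob
    return bytes(out)


if __name__ == "__main__":
    pages = split_pages(build_sample_dump())
    print("pages:", len(pages), "bad blocks:", bad_blocks(pages),
          "erased pages:", [p.index for p in pages if is_erased(p)])
    print("reconstructed image bytes:", len(reconstruct_image(pages)))
```

On a real dump the geometry must be taken from the chip's datasheet or ID bytes, and the OOB layout (where the marker and ECC live) varies between vendors and controllers; the length check in `split_pages` is the first sanity test that the assumed geometry matches the file.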


References

  1. "[dff] Digital Forensics Framework 1.3.0 released". Lists.digital-forensic.org. Archived from the original on 2014-02-04. Retrieved 2014-02-16.
  2. "Welcome to S.B. Jain Institute of Technology Management and Research". ArxSys. Retrieved 28 May 2014.
  3. "Open Source digital forensics & incident response software". Digital-forensic.org. Archived from the original on 2014-02-04. Retrieved 2014-02-16.
  4. "DFF accepted into Debian - Pollux's blog". Wzdftpd.net. Archived from the original on 2014-02-19. Retrieved 2014-02-16.
  5. https://web.archive.org/web/20131104091132/http://www.cert.org/forensics/tools/. Archived from the original on November 4, 2013. Retrieved January 24, 2014.
  6. "DEFT 8 Roadmap and features | DEFT Linux - Computer Forensics live CD". DEFT Linux. Archived from the original on 2013-11-03. Retrieved 2014-02-16.
  7. "Packages Summary". Git.kali.org. 2013-02-02. Retrieved 2014-02-16.
  8. "Misc 70 - LES EDITIONS DIAMOND". Boutique.ed-diamond.com. Retrieved 2014-02-16.
  9. https://web.archive.org/web/20140202175327/http://www.esgilab-secu.com/fiche.php. Archived from the original on February 2, 2014. Retrieved January 24, 2014.
  10. [dead link]
  11. Altheide, Cory; Carvey, Harlan (2011-04-28). Digital Forensics with Open Source Tools. ISBN 978-1597495868.
  12. Kuhlee, Lorenz; Völzow, Victor (2009-09-09). Computer-Forensik Hacks. ASIN 3868991212.
  13. Rascagneres, Paul (2009-09-09). Malwares - Identification, analyse et éradication. ASIN 2746079658.
  14. Doherty, Eamon P. (2009-09-09). Digital Forensics for Handheld Devices. ASIN 1439898774.
  15. "Saving Rain: The First Novel in The Rain Trilogy eBook: Karen-Anne Stewart: Kindle Store". Amazon. Retrieved 2014-02-16.
  16. Stuttgen, Johannes; Dewald, Andreas; Freiling, Felix C. (2013-03-14). "Selective Imaging Revisited". 2013 Seventh International Conference on IT Security Incident Management and IT Forensics. Ieeexplore.ieee.org. pp. 45–58. doi:10.1109/IMF.2013.16. ISBN 978-1-4673-6307-5. S2CID 17356972.
  17. Vömel, Stefan; Freiling, Felix C. (2011-07-31). "A survey of main memory acquisition and analysis techniques for the windows operating system" (PDF). Digital Investigation. 8: 3–22. doi:10.1016/j.diin.2011.06.002. Retrieved 2014-02-16.
  18. Eijkhoudt, Arnim; Suerink, Tristan (2013). "Uforia: Universal forensic indexer and analyzer". Journal of Computer Virology and Hacking Techniques. 9 (2): 59–63. doi:10.1007/s11416-013-0177-4. S2CID 29814904.
  19. Vomel, Stefan; Lenz, Hermann (2013-03-14). "Visualizing Indicators of Rootkit Infections in Memory Forensics". 2013 Seventh International Conference on IT Security Incident Management and IT Forensics. Ieeexplore.ieee.org. pp. 122–139. doi:10.1109/IMF.2013.12. ISBN 978-1-4673-6307-5. S2CID 11765652.
  20. "EM-DMKM Case Study Computer and Network Forensics" (PDF). Cygalski.pl. Retrieved 2014-02-16. [permanent dead link]
  21. [dead link]
  22. "L'investigation numerique" (PDF) (in French). Agence-nationale-recherche.fr. Retrieved 2014-02-16.
  23. "Journal of Computer Applications : Vol.31 No.11". Joca.cn. November 2011. Retrieved 2014-02-16.
  24. "DFRWS 2010 Forensics Challenge Results". Dfrws.org. Archived from the original on 2014-02-03. Retrieved 2014-02-16.