Skip to content

thomasRousseau/daf

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

#DAF ##Disk Analysis Framework

This is a Eurecom ongoing project which aims to provide a disk analysis framework for incident response missions. It is implemented in python under the GNU General Public Licence.

###Installation:

apt-get install python-pip
pip install python-registry

###Objective: DAF is a tool that aims to help investigator throught forensic disk analysis. It can not replace a fully qualified investigator but could help people to access easily information present in many places of the disk.

In the long term, DAF should also be able to make some correlation between different elements, in order to provide a better view of what happened in the disk.

##Usage: DAF is a python2 tool working on Linux. It should work on disk using a Windows operating system, version 7 and later.

The tool presents some options:

> python daf.py -h

Options:
  -h, --help            show this help message and exit
  -i DISK_PATH, --input-disk=DISK_PATH
                        Set the base path of the mounted disk to analyze
  -n SESSION_NAME, --session-name=SESSION_NAME
                        Set the session name to SESSION_NAME
  -d DIRECTORY, --session-directory=DIRECTORY
                        Put the files created during session into DIRECTORY
  -p PLUGINS_DIRECTORY, --plugins-directory=PLUGINS_DIRECTORY
                        Specify the directory of the plugins
  -y SYSTEM_HIVE, --system-hive=SYSTEM_HIVE
                        Specify the absolute path to the system hive
  -o SOFTWARE_HIVE, --software-hive=SOFTWARE_HIVE
                        Specify the absolute path to the software hive
  -a SAM_HIVE, --sam-hive=SAM_HIVE
                        Specify the absolute path to the sam hive
  -u USERS_HIVES, --users-hives=USERS_HIVES
                        Specify a list of (username, user_hive) couples
  -c CONT, --continue=CONT
                        Specify a list of (username, user_hive) couples

The -i option is mandatory, as it is the path to the disk to analyze.

Then you can choose a session name, which by default will be default-session and a session directory which will by default be sessions/default-session-<start_time>. In this directory, files will be put while you are using the different plugins, so that if you ask for a command that you already used, you can choose to play it again or see the output from the last time you used it. It also permit to retrieve a previous session if you had to stop your analysis.

By default the tool will look for the registry hives at the usual locations on the disk, but if for any reason they are not at this location, you can specify the path to the different hives.

##Examples:

> python daf.py -i ../disk2 
------------------------------
   Disk Analysis Framework
------------------------------

 21:40:13> default_session: display_installed_browsers
List of installed browsers:

Name: Internet Explorer
Version: 11.0.9600.17420

Name: Google Chrome
Version: 48.0.2564.82
User: IEUser

 21:40:22> default_session: help
EOF
    Ctrl+D command quit the program.
----------------------------

display_config
    Display the configuration parameters of the disk to analyze.
----------------------------

display_installed_browsers
    Display the installed browsers. (Only support Chrome, Chromium, Firefox and IE for now)
----------------------------

exit
    Exit the program.
----------------------------

get_session_directory
    Return the session directory.
----------------------------

get_session_name
    Return the session name.
----------------------------

help
    Display this help.
----------------------------

quit
    Exit the program.
----------------------------

set_session_directory
    Argument: new folder name in relative name
        Change the session directory.
----------------------------

set_session_name
    Argument: new session name 
        Change the session name.
----------------------------

##For developpers: ###Structure of the framework:

The framework is based on four different levels:

Framework:

This level aims to handle the sessions created by the framework and the renderer. Indeed when launching the tool, a session will be created in order to permit the user to continue a previous analysis and, when executing a command that has already been executed, give the choice to the user to relaunch it or to directly display the previous result. This second functionality can be really interesting for plugins that take a long time to compute.

When creating a session, the framework store informations such as the session name and the UUID of the disk in a file registered in a session folder. Then, when a command is executed, the output of the command is stored on an other file in the same folder. The framework provide some options and commands to change the session name and the session folder.

Plugins:

This level is the one where the different commands the user can use are created. More details on how the plugins are made are given in the last part of this document.

Objects:

In this level, there are the different objects that represent elements of the filesystem. Basically the idea is to regroup information present in the filesystem and that is related to a specific interface. For example there is a USB object that look for information about a USB key that has been plugged in the system, and regroup them.

Filesystem:

This level is the lower level of the framework. His goal is to provide some API functions to get information present in the file system. For example it can be functions to parse a specific file format, access the registry key, ...

###How to create new plugins:

In order to create a new plugin, you need to create a new python file in the plugins directory. In this file, create a new class with a session object as a parameter of the __init__ function.

Then, the different functions of this class will be the commands the users can use. These functions should take as input an argument parameter that represent a string containing what the user write as command parameters. If it is useful for the plugin, you can parse these parameters to make an interactive plugin.

The functions should also return a string which is what will be printed to the user as output of the command.

The first multi-line comment, just after the function declaration, is what will be printed for the command when calling the help.

About

Disk analysis framework

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages