arxsys / dff

DFF (Digital Forensics Framework) is a Forensics Framework coming with command line and graphical interfaces. DFF can be used to investigate hard drives and volatile memory and create reports about user and system activities.

Home Page: http://www.digital-forensic.org

License: GNU General Public License v2.0

CMake 6.25% Python 88.07% Shell 5.68%

dff's People

Contributors

fbaguelin

dff's Issues

Update or remove IDE

The embedded IDE is not up to date concerning the skeleton. Either update it or remove it.

fail to clone

 * Fetching https://github.com/arxsys/dff-cmake_modules ...
git fetch https://github.com/arxsys/dff-cmake_modules --prune +refs/heads/*:refs/heads/* +refs/tags/*:refs/tags/* +refs/notes/*:refs/notes/* +HEAD:refs/git-r3/HEAD
git update-ref --no-deref refs/git-r3/app-forensics/dff/0/cmake_modules/__main__ 974ed843295555abefb9eaf6d1d38ff90a2aeacd
 * Fetching https://github.com/arxsys/dff-doc ...
git fetch https://github.com/arxsys/dff-doc --prune +refs/heads/*:refs/heads/* +refs/tags/*:refs/tags/* +refs/notes/*:refs/notes/* +HEAD:refs/git-r3/HEAD
git update-ref --no-deref refs/git-r3/app-forensics/dff/0/doc/__main__ 50d549e578718db8971e7949ee3828db7bca6522
 * Fetching https://github.com/arxsys/dff-unsupported ...
git fetch https://github.com/arxsys/dff-unsupported --prune +refs/heads/*:refs/heads/* +refs/tags/*:refs/tags/* +refs/notes/*:refs/notes/* +HEAD:refs/git-r3/HEAD
git update-ref --no-deref refs/git-r3/app-forensics/dff/0/dff/unsupported/__main__ 1db32abea40ac2faa43f0d395fa97ea694790f91
fatal: update_ref failed for ref 'refs/git-r3/app-forensics/dff/0/dff/unsupported/__main__': cannot update ref 'refs/git-r3/app-forensics/dff/0/dff/unsupported/__main__': trying to write ref 'refs/git-r3/app-forensics/dff/0/dff/unsupported/__main__' with nonexistent object 1db32abea40ac2faa43f0d395fa97ea694790f91
 * ERROR: app-forensics/dff-1.3.0_p20160519::pentoo failed (unpack phase):
 *   Referencing 1db32abea40ac2faa43f0d395fa97ea694790f91 failed (wrong ref?).

The 1.3.6 release is fucked

Subj! Excuse my French, but I can't find better words.

First of all, there were no commits before Feb 14 and the release just came up from nowhere.

Next, the released tarball can't even be installed; it is missing the modules/ui/cmake/docs components. These components are in a separate tree (fine!), but they have no releases (or badly outdated ones), so it is not clear which version should be used.

I managed to resolve all these, but dff does not start. There is no VERSION variable defined (it used to be in dff/__init__), /usr/bin/dff is calling from dff.ui.ui import Usage, which does not exist, and so on.

I just gave up at this stage.

This is not the quality which you expect to trust for forensics investigations.

Could NOT find ICU

I'm using Linux Mint 19.1 Cinnamon 64-bit.

I already followed your installation instructions:

apt-get install cmake build-essential swig python-qt4 pyqt4-dev-tools qt4-dev-tools libicu-dev libtre-dev qt4-linguist-tools python-magic libfuse-dev libudev-dev libavformat-dev libavdevice-dev libavutil-dev libswscale-dev flex bison devscripts pkg-config autotools-dev automake autoconf autopoint zlib1g-dev libtool libssl-dev wget scons libtalloc-dev clamav
git clone https://github.com/arxsys/dff/
cd dff
git submodule init
git submodule update
mkdir build
cd build
cmake ..

Below is the error when I type cmake ..

-- The C compiler identification is GNU 7.4.0
-- The CXX compiler identification is GNU 7.4.0
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Found compatible SWIG version (3.0.12)
-- Building project in dedicated build directory : /home/dory/dff/build
-- Will use -g for debugging -- no
-- input / output stats disabled
-- Compile WITHOUT TwoThreeTree debug information
-- Found PkgConfig: /usr/bin/pkg-config (found version "0.29.1")
-- Found ICU libraries:
/usr/lib/x86_64-linux-gnu/libicudata.so
/usr/lib/x86_64-linux-gnu/libicui18n.so
/usr/lib/x86_64-linux-gnu/libicuuc.so
/usr/lib/x86_64-linux-gnu/libicuio.so
_icu_lib_le-NOTFOUND
/usr/lib/x86_64-linux-gnu/libiculx.so
icu_lib-le-hb-NOTFOUND
CMake Error at /usr/share/cmake-3.10/Modules/FindPackageHandleStandardArgs.cmake:137 (message):
Could NOT find ICU (missing: ICU_LIBRARIES) (found version "60.2.0")
Call Stack (most recent call first):
/usr/share/cmake-3.10/Modules/FindPackageHandleStandardArgs.cmake:378 (_FPHSA_FAILURE_MESSAGE)
cmake_modules/FindICU.cmake:178 (find_package_handle_standard_args)
cmake_modules/dff/find_deps.cmake:116 (find_package)
CMakeLists.txt:22 (include)

-- Configuring incomplete, errors occurred!
See also "/home/dory/dff/build/CMakeFiles/CMakeOutput.log".

Need your help...thanks...

Custom magic library and mgc compiled files

  • Provide simpler magic files for the most useful file types. It will speed up the scanner processing and produce fewer false positives.
  • Only process MIME type or magic, but not both.
  • Implement in a thread-safe way in C++.
  • Reflect changes in the search widget.
  • Think about the design to be used in the carving.
  • Merge datatypes handlers.

Ability to hide nodes

Currently, it's possible to exclude nodes by filtering on associated tags, but it would be interesting to add a "hidden" attribute and automatically remove these nodes from the view, without applying filtering on them either. Reversing the process must also be taken into account.

Installation on ArchLinux

On arxsys there are instructions to install dff from sources, but all dependencies are given for Debian.

Can you give an ArchLinux install guide, or will only the dependencies be enough?

Thanks

DFF::DateTime possibility to configure timezone & timestamp format

Add wide configuration options to automatically change dates according to a time zone. It would also be great to be able to configure the output format of the DFF::DateTime.toString() method (for example, inverting day and month in Europe, so the right format appears for the chosen item in a report).

Fuzzy search is too permissive

Provide better default parameters in order to reduce false positives. It would be better to provide another means to look for similar patterns, like percentage matches for example:

smthg matches foobar:>95

An easy syntax needs to be defined.

"git submodule update" does not work.

I am running on Debian Buster. During install, the command "git submodule update" does not work; it returns the following errors / output:
error: Server does not allow request for unadvertised object 1db32ab
Fetched in submodule path 'dff/unsupported', but it did not contain 1db32ab. Direct fetching of that commit failed.
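The Pentoo "fail to clone" report above and this "git submodule update" report fail on the same object: the superproject pins dff/unsupported at commit 1db32abea40ac2faa43f0d395fa97ea694790f91, and the remote at https://github.com/arxsys/dff-unsupported does not advertise any ref from which that commit is reachable, so neither git-r3 nor git submodule can fetch it. The script below is an added example, not code from the arxsys/dff project: it walks .gitmodules in a superproject, reads each gitlink pinned in HEAD, and fetches the submodule remote's advertised heads and tags into a scratch bare repository to see whether the pinned commit arrives. A pin reported MISSING cannot be reproduced from upstream at all, which is worth knowing before you trust a build of a forensics tool. It assumes absolute submodule URLs (as dff's are) and submodule names without whitespace; the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not part of arxsys/dff: verify that every submodule commit a
# superproject pins is still reachable from a ref the submodule's remote
# advertises. An unreachable pin is what produces "Server does not allow
# request for unadvertised object" / "Referencing <sha> failed (wrong ref?)".

# pin_is_advertised URL SHA
# Fetch the remote's advertised heads and tags into a scratch bare repo, then
# ask whether SHA arrived. The pack protocol only transfers objects reachable
# from advertised refs, so a commit upstream rewrote or never pushed is absent.
# Assumption: URL is absolute (relative ../foo URLs are not resolved here).
pin_is_advertised() {
    pia_tmp=$(mktemp -d) || return 2
    git init -q --bare "$pia_tmp" || { rm -rf "$pia_tmp"; return 2; }
    git -C "$pia_tmp" fetch -q "$1" \
        '+refs/heads/*:refs/heads/*' '+refs/tags/*:refs/tags/*' 2>/dev/null
    git -C "$pia_tmp" cat-file -e "$2^{commit}" 2>/dev/null
    pia_rc=$?
    rm -rf "$pia_tmp"
    return $pia_rc
}

# check_submodule_pins SUPERPROJECT
# Prints one line per submodule, "ok <path> <sha>" or "MISSING <path> <sha> <url>",
# and returns 1 if any pin is unreachable. Submodule names are assumed to
# contain no whitespace (true for dff's doc, cmake_modules, unsupported).
check_submodule_pins() {
    csp_super=$1
    csp_missing=0
    for csp_name in $(git -C "$csp_super" config --file .gitmodules --name-only \
                          --get-regexp '^submodule\..*\.path$' |
                      sed 's/^submodule\.//; s/\.path$//'); do
        csp_path=$(git -C "$csp_super" config --file .gitmodules "submodule.$csp_name.path")
        csp_url=$(git -C "$csp_super" config --file .gitmodules "submodule.$csp_name.url")
        # The pin is stored in the superproject tree as a gitlink (mode 160000).
        csp_sha=$(git -C "$csp_super" ls-tree HEAD -- "$csp_path" | awk '{print $3}')
        if pin_is_advertised "$csp_url" "$csp_sha"; then
            printf 'ok      %s %s\n' "$csp_path" "$csp_sha"
        else
            printf 'MISSING %s %s %s\n' "$csp_path" "$csp_sha" "$csp_url"
            csp_missing=$((csp_missing + 1))
        fi
    done
    [ "$csp_missing" -eq 0 ]
}

# Usage: sh check_pins.sh /path/to/dff   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    check_submodule_pins "$1"
fi
```

Run it against a checkout of dff after "git submodule init"; a MISSING line for dff/unsupported is the same condition the two reports hit, and the only remedies are upstream pushing the commit or moving the pin to a commit the remote does advertise.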

Video thumbnailer default display

When waiting for the video thumbnail to be created, the video thumbnailer shows a 'broken video' icon, which could lead one to think that the video is damaged even if it's not.

_icu_lib_le-NOTFOUND

cmake ..
-- Found compatible SWIG version (3.0.12)
-- Building project in dedicated build directory : /root/dff/build
-- Will use -g for debugging -- no
-- input / output stats disabled
-- Compile WITHOUT TwoThreeTree debug information
-- Found ICU libraries:
/usr/lib/x86_64-linux-gnu/libicudata.so
/usr/lib/x86_64-linux-gnu/libicui18n.so
/usr/lib/x86_64-linux-gnu/libicuuc.so
/usr/lib/x86_64-linux-gnu/libicuio.so
_icu_lib_le-NOTFOUND
_icu_lib_lx-NOTFOUND
CMake Error at /usr/share/cmake-3.13/Modules/FindPackageHandleStandardArgs.cmake:137 (message):
Could NOT find ICU (missing: ICU_LIBRARIES) (found version "63.2.0")
Call Stack (most recent call first):
/usr/share/cmake-3.13/Modules/FindPackageHandleStandardArgs.cmake:378 (_FPHSA_FAILURE_MESSAGE)
cmake_modules/FindICU.cmake:178 (find_package_handle_standard_args)
cmake_modules/dff/find_deps.cmake:116 (find_package)
CMakeLists.txt:22 (include)

-- Configuring incomplete, errors occurred!
See also "/root/dff/build/CMakeFiles/CMakeOutput.log".
Can you tell me what to do?

Open devices

Prompt the user for administrator credentials when opening a drive while not running as Administrator. The best solution is to get the current user's rights (user / group / ...) and check whether device access is possible.

Search only applied to a specific module

The search/filter syntax provides the ability to apply rules only on nodes created by a specific module (e.g. module_name == 'ntfs' && ...). The graphical interface should provide this possibility.

Search & VLink

Search returns VLinks and original nodes as results. Showing and searching only for original nodes should be more efficient, could lead to fewer errors, and would be less error prone for users. There are two ways to improve this:

  • No search modification, but only show nodes as results, not VLinks
  • Modify search/filter to exclude VLinks

No rule to make target 'dff/api/exceptions/breakpad/libbreakpad.a', needed by 'dff/api/libcrashreporter.so'

make[2]: Leaving directory '/var/tmp/portage/app-forensics/dff-1.3.6/work/dff-1.3.6'
make -f dff/api/crashreporter/CMakeFiles/crashreporter.dir/build.make dff/api/crashreporter/CMakeFiles/crashreporter.dir/build
make[2]: Entering directory '/var/tmp/portage/app-forensics/dff-1.3.6/work/dff-1.3.6'
[ 84%] Building CXX object dff/api/crashreporter/CMakeFiles/crashreporter.dir/handler.cpp.o
cd /var/tmp/portage/app-forensics/dff-1.3.6/work/dff-1.3.6/dff/api/crashreporter && /usr/bin/x86_64-pc-linux-gnu-g++  -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -D__STDC_LIMIT_MACROS -Dcrashreporter_EXPORTS -I/var/tmp/portage/app-forensics/dff-1.3.6/work/dff-1.3.6/dff/api/crashreporter/breakpad -I/var/tmp/portage/app-forensics/dff-1.3.6/work/dff-1.3.6/dff/api/crashreporter/../include -I/usr/include/python2.7 -I/var/tmp/portage/app-forensics/dff-1.3.6/work/dff-1.3.6/dff/api/crashreporter -I/var/tmp/portage/app-forensics/dff-1.3.6/work/dff-1.3.6/dff/api/include -I/var/tmp/portage/app-forensics/dff-1.3.6/work/dff-1.3.6/dff/api/exceptions/breakpad   -DNDEBUG -march=native -O2 -pipe -fPIC   -O2 -fPIC -o CMakeFiles/crashreporter.dir/handler.cpp.o -c /var/tmp/portage/app-forensics/dff-1.3.6/work/dff-1.3.6/dff/api/crashreporter/handler.cpp
make[2]: *** No rule to make target 'dff/api/exceptions/breakpad/libbreakpad.a', needed by 'dff/api/libcrashreporter.so'.  Stop.
make[2]: Leaving directory '/var/tmp/portage/app-forensics/dff-1.3.6/work/dff-1.3.6'
make[1]: *** [CMakeFiles/Makefile2:591: dff/api/crashreporter/CMakeFiles/crashreporter.dir/all] Error 2
make[1]: Leaving directory '/var/tmp/portage/app-forensics/dff-1.3.6/work/dff-1.3.6'
make: *** [Makefile:161: all] Error 2

https://gist.github.com/blshkv/846ffc8ec59be887b0c0798f48ca0905
