Building DFF from source

DFF (Digital Forensics Framework) is a free and Open Source computer forensics software maintained by ArxSys.

It can be used both by professional and non-expert people in order to quickly and easily collect, preserve and reveal digital evidences without compromising systems and data.

We are going to build it from source. Now for the requirements:-

1.    An updated Ubuntu 12.04 LTS box with kernel sources installed

Now, let’s start by adding some of the system libraries needed by DFF.

sudo apt-get install build-essential debhelper fakeroot autotools-dev automake autoconf autopoint aclocal libtool gettext scons libtalloc libtalloc-dev libfuse-dev zlib1g-dev libbz2-dev libpcre3-dev libpcre3-dbg libssl0.9.8 libcrypto++-dev libcrypto++9 g++ g++-4.6 g++-4.6-multilib g++-multilib libc6-dev libc6-dev-amd64 libc6-amd64 lib64bz2-dev libstdc++6-4.6-dev libtalloc-dev git

Now that we have the basics in place, lets add some libraries to increase functionality

sudo apt-get install cmake g++ swig libicu-dev python-dev libtre-dev qt4-dev-tools pyqt4-dev-tools libudev-dev python-magic sudo apt-get install python-qt4-phonon python-apsw python-imaging libfuse-dev libafflib-dev libavformat-dev libswscale-dev</pre>

Next we need to install libbfio which providing basic file input/output abstraction

wget http://distro.ibiblio.org/ubuntu/pool/universe/libb/libbfio/libbfio-dbg_20120425-1_i386.deb
wget http://distro.ibiblio.org/ubuntu/pool/universe/libb/libbfio/libbfio-dev_20120425-1_i386.deb
wget http://distro.ibiblio.org/ubuntu/pool/universe/libb/libbfio/libbfio1_20120425-1_i386.deb
sudo dpkg -i libbfio1_20120425-1_i386.deb
sudo dpkg -i libbfio-dev_20120425-1_i386.deb
sudo dpkg -i libbfio-dbg_20120425-1_i386.deb

We now need libpff to access common mailbox files.

wget http://ftp.sunet.se/pub/Linux/distributions/ubuntu/ubuntu/pool/universe/libp/libpff/libpff1_20120802-1_i386.deb
wget http://ftp.sunet.se/pub/Linux/distributions/ubuntu/ubuntu/pool/universe/libp/libpff/libpff-dev_20120802-1_i386.deb
wget http://ftp.sunet.se/pub/Linux/distributions/ubuntu/ubuntu/pool/universe/libp/libpff/libpff-dbg_20120802-1_i386.deb
sudo dpkg -i libpff1_20120802-1_i386.deb
sudo dpkg -i libpff-dev_20120802-1_i386.deb
sudo dpkg -i libpff-dbg_20120802-1_i386.deb

Next, it is time to build libewf from source, this allows DFF to access EWF files created from EnCase.

wget https://googledrive.com/host/0B3fBvzttpiiSMTdoaVExWWNsRjg/libewf-20130416.tar.gz
tar xvf libewf-20130416.tar.gz
cd libewf-20130416
./configure
[...] libbfio support: yes // you must have "yes"
make -j$[$(grep -c '^processor' /proc/cpuinfo) + 1]
sudo make install

Next, we build Swig and Reglookup which are used by DFF.

wget http://prdownloads.sourceforge.net/swig/swig-2.0.10.tar.gz
tar zxf swig-2.0.10.tar.gz
cd swig-2.0.10
./configure
make -j$[$(grep -c '^processor' /proc/cpuinfo) + 1]
sudo sudo make install
wget http://reglookup.googlecode.com/files/reglookup-src-1.0.1.tar.gz
tar zxf reglookup-src-1.0.1.tar.gz
cd reglookup-src-1.0.1 $ scons build
sudo scons install

Lastly, we build DFF itself now that all the dependencies are in place

git clone --recursive git://git.digital-forensic.org/dff
cmake .
make -j$[$(grep -c'^processor'/proc/cpuinfo)+1]
sudo make install

If all goes to plan, you can start dff with the command dff-gui

dff-1024x486

Comments are closed.