Digital Forensics Toolkit: DEFT

ID N0WHERE:16488
Type n0where
Reporter N0where
Modified 2014-08-10T04:38:39


DEFT (acronym for Digital Evidence & Forensics Toolkit) is a distribution made for Computer Forensics, with the purpose of running live on systems without tampering or corrupting devices (hard disks, pendrives, etc…) connected to the PC where the boot process takes place.

The system is based on GNU Linux, it can run live (via DVDROM or USB pendrive), installed or run as a Virtual Appliance on VMware or Virtualbox. Distro employs LXDE as desktop environment and WINE for executing Windows tools under Linux. It features a comfortable mount manager for device management.

DEFT is paired with DART (acronym for Digital Advanced Response Toolkit), a Forensics System which can be run on Windows and contains the best tools for Forensics and Incident Response. DART features a GUI with logging and integrity check for the instruments here contained.

Besides all this, the DEFT staff is devoted to implementing and developing applications which are released to Law Enforcement Officers, such as Autopsy 3 for Linux.

System is currently employed in several places and by several people such as:

  • Military
  • Government Officers
  • Law Enforcement
  • Investigators
  • Expert Witnesses
  • IT Auditors
  • Universities
  • Individuals

 Digital Forensics Toolkit: DEFT Digital Forensics Toolkit: DEFT

The Linux distribution is made up of a GNU / Linux and DART (Digital Advanced Response Toolkit), suite dedicated to digital forensics and intelligence activities.

It is currently developed and maintained by Stefano Fratepietro, with the support of Massimo Dal Cero, Sandro Rossetti, Paolo Dal Checco, Davide Gabrini, Bartolomeo Bogliolo, Valerio Leomporra and Marco Giorgi.

The first version of Linux DEFT was introduced in 2005 thanks to the Computer Forensic Course of the Faculty of Law at the University of Bologna.This distribution is currently used during the laboratory hours of the Computer Forensics course held at the University of Bologna and in many other Italian universities and private entities. It is also one of the main solutions employed by law enforcement agencies during computer forensic investigations.

 Digital Forensics Toolkit: DEFT

In addition to a considerable number of linux applications and scripts, Deft also features the DART suite containing Windows applications (both open source and closed source) which are still viable as there is no equivalent in the Unix world.

Computer Forensics software must be able to ensure the integrity of file structures and metadata on the system being investigated in order to provide an accurate analysis. It also needs to reliably analyze the system being investigated without altering, deleting, overwriting or otherwise changing data. There are certain characteristics inherent to DEFT that minimize the risk of altering the data being subjected to analysis.

Some of these features are:

  • On boot, the system does not use the swap partitions on the system being analyzed.
  • During system startup there are no automatic mount scripts.
  • There are no automated systems for any activity during the analysis of evidence;
  • All the mass storage and network traffic acquisition tools do not alter the data being acquired.