DFIRE Forensic Prolog

Introduction

Digital forensic examiners rely on software tools to analyze digital evidence and answer investigative questions. Although the ability to create custom software is not required in every investigation, it is important to be able to automate repetitive processing tasks. A variety of general-purpose programming languages is used for that purpose, ranging from C and Bash scripting to Perl, Python, and Go. Several attempts have been made to create special-purpose programming languages for digital forensics, such as the adoption of the XQuery language in XIRAF (Alink et al., 2006), the DERRIC language (van den Bos and van der Storm, 2011) for describing recursive data structures, and NUGGET (Roussev, 2015), based on the data-flow abstraction. All of them try to minimize the amount of code that needs to be written in order to perform a particular forensic task.

DFIRE Forensic Prolog (DFP) is a forensic extension of the Prolog language. Unlike traditional data-centric programming languages, Prolog focuses on logical inference: the data is viewed as evidence for proving statements posed by the user. Prolog is well suited for creating forensic expert systems that query file systems, Registry hives, and other tree-like data structures. Standard Prolog also has a built-in parsing mechanism (definite clause grammars), which is what makes it suitable for natural language processing. DFIRE Forensic Prolog introduces additional language features and extensions to Prolog that make it suitable for use in digital forensics. The key features are listed below.

DFIRE Forensic Prolog Features

  • ability to ingest and process forensic disk images as well as stand-alone files
  • ability to parse binary data
  • ability to use Java-style regular expressions
  • support for probabilistic reasoning using ProbLog
  • native support for 64-bit integers and date/time stamps (as first-class data objects)
  • close integration with Python: DFP code can contain snippets of Python code and use Python packages
  • ability to access and manipulate case files created by the Autopsy forensic browser v3.3:
    • run queries over the case data,
    • add derived files to the case,
    • create reports
  • performance-critical predicates can be coded using in-line Scala code

Additional features are under development.
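As an added illustration of the two points above (tree-like data queried by inference, and a built-in parsing mechanism that extends naturally to binary data), here is a standard Prolog program written for this page. It is not DFP code and uses none of DFP's extensions: the DCG, the node/5 facts, the byte values and the rule names are all constructed for the example and run under plain SWI-Prolog. Part 1 parses a made-up 32-byte MBR partition table into terms and reports unallocated sectors between entries; part 2 walks a made-up file-system tree to find a file that borrows the name of a system binary but sits outside the Windows directory.

```prolog
% Added example: standard Prolog (runs under SWI-Prolog), not DFP code.
% Demonstrates (1) binary parsing with a DCG and (2) tree queries over
% file-system facts. All data below is constructed for the example.

%% ---- 1. Parse an MBR partition table from a list of byte values ----

% N-byte little-endian unsigned integer: the first byte is least significant.
le_uint(0, 0) --> [].
le_uint(N, V) -->
    { N > 0, N1 is N - 1 },
    [B], le_uint(N1, Rest),
    { V is B + Rest * 256 }.

% N raw bytes, returned as a list.
bytes(0, []) --> [].
bytes(N, [B|Bs]) --> { N > 0, N1 is N - 1 }, [B], bytes(N1, Bs).

% One 16-byte entry: status, CHS first, type, CHS last, LBA start, sector count.
partition_entry(part(Status, Type, LbaStart, Sectors)) -->
    [Status], bytes(3, _ChsFirst), [Type], bytes(3, _ChsLast),
    le_uint(4, LbaStart), le_uint(4, Sectors).

partition_table([]) --> [].
partition_table([P|Ps]) --> partition_entry(P), partition_table(Ps).

% Constructed table: NTFS (0x07) at LBA 2048 for 204800 sectors, then a Linux
% (0x83) partition at LBA 208896, leaving a 2048-sector unallocated gap.
sample_table([
    0x80, 0x00,0x02,0x00, 0x07, 0xfe,0xff,0xff, 0x00,0x08,0x00,0x00, 0x00,0x20,0x03,0x00,
    0x00, 0x00,0x00,0x00, 0x83, 0xff,0xff,0xff, 0x00,0x30,0x03,0x00, 0x00,0x90,0x01,0x00
]).

% Sectors between the end of one entry and the start of the next one.
unallocated_gap(Parts, From, To) :-
    append(_, [part(_, _, S1, N1), part(_, _, S2, _) | _], Parts),
    From is S1 + N1,
    S2 > From,
    To is S2 - 1.

%% ---- 2. Query a file-system tree ----

% node(Id, ParentId, Name, Kind, Size); id 0 is the virtual parent of the root.
node(1, 0, '',            dir,  0).
node(2, 1, 'Windows',     dir,  0).
node(3, 2, 'System32',    dir,  0).
node(4, 3, 'svchost.exe', file, 55320).
node(5, 1, 'Users',       dir,  0).
node(6, 5, 'alice',       dir,  0).
node(7, 6, 'AppData',     dir,  0).
node(8, 7, 'svchost.exe', file, 81920).
node(9, 6, 'notes.txt',   file, 1200).

% Full path, built by walking the parent chain up to the root.
path(1, '/') :- !.
path(Id, Path) :-
    node(Id, Parent, Name, _, _),
    path(Parent, ParentPath),
    (   ParentPath == '/'
    ->  atom_concat('/', Name, Path)
    ;   atom_concat(ParentPath, '/', Tmp), atom_concat(Tmp, Name, Path)
    ).

% Transitive "is somewhere below" relation over the tree.
under(Id, Ancestor) :- node(Id, Ancestor, _, _, _).
under(Id, Ancestor) :- node(Id, Parent, _, _, _), Parent =\= 0, under(Parent, Ancestor).

% A file that shares its name with a file under Windows but lives elsewhere.
% This is a name heuristic only; a real triage rule would also compare hashes.
masquerading(Path) :-
    node(Win, 1, 'Windows', dir, _),
    node(Id, _, Name, file, _),
    node(Sys, _, Name, file, _),
    under(Sys, Win),
    \+ under(Id, Win),
    path(Id, Path).

% Run both parts and print the findings.
demo :-
    sample_table(Bytes),
    phrase(partition_table(Parts), Bytes),
    forall(member(P, Parts), (write(P), nl)),
    forall(unallocated_gap(Parts, From, To),
           format('unallocated sectors ~w-~w~n', [From, To])),
    forall(masquerading(Path),
           format('suspicious file outside Windows: ~w~n', [Path])).
```

Load the file in swipl and run `?- demo.`; it prints the two part/4 terms (part(128,7,2048,204800) and part(0,131,208896,102400)), the gap 206848-208895, and /Users/alice/AppData/svchost.exe. The point is that the investigative question ("which files masquerade as system binaries?") is a rule over facts, and the same facts can be queried in any other direction without extra code.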

Supported Platforms

DFIRE Forensic Prolog supports 64-bit versions of

  • Windows 7/8/10,
  • Ubuntu Linux (since 14.04 LTS), and
  • Mac OS X (since 10.10).

Installing and Using DFP

DISCLAIMER: DFIRE Forensic Prolog is currently in Alpha stage. Some bugs and functionality changes are to be expected.

The source code of the project is hosted on bitbucket.org: http://bitbucket.org/dfirelabs/forensic-prolog/overview

A number of free software packages must be installed prior to DFP. These are the following:

  • Oracle Java SE Development Kit 8 (make sure it is the 64 bit version!).
  • Scala programming language 2.12.3 (this specific version!)
  • Python 2.7 (make sure it is the 64-bit version!)
  • If you are running Ubuntu Linux, you will also need to install the libtsk-dev package using apt.
  • If you are running Windows OS, then you will also need to download and install Microsoft Visual C++ Compiler for Python 2.7

Once the above packages are installed, you will need to

  • set the JAVA_HOME environment variable to the install folder of the Java SE Development Kit 8, and
  • on Windows, also add C:\Python27 to the system Path variable.

Next you will need to install the required Python packages. Use pip or easy_install to install

  • jep (version 3.6.3 !)
  • numpy
  • problog

On Windows, this could be achieved using, for example

C:\> python -m pip install jep==3.6.3 numpy problog

Finally, download DFP code. On windows, this can be achieved using

C:\Users\DFIRe\Desktop> git clone http://bitbucket.org/dfirelabs/forensic-prolog

Compiling DFP:

Before using DFP you need to compile it. Open command line window, cd into the cloned forensic-prolog folder and type

in Windows CMD.EXE:

C:\Users\DFIRe\Desktop\forensic-prolog>compile

in Linux, Mac OS X, and in Windows PowerShell:

PS C:\Users\DFIRe\Desktop\forensic-prolog>./compile

Running forensic Prolog:

To run Forensic Prolog, open command line window, cd into the cloned forensic-prolog folder and type

in Windows CMD.EXE:

C:\Users\DFIRe\Desktop\forensic-prolog>run

in Linux, Mac OS X, and in Windows PowerShell:

PS C:\Users\DFIRe\Desktop\forensic-prolog>./run

To start using Forensic Prolog, read FORENSIC-PROLOG.txt and explore the examples in the forensic/ folder. Unless you are an active Prolog developer, you will also need to read up on Prolog; there are many good books and free online tutorials.

Talks & presentations

Seminar talk at UCD School of Computer Science outlining the reasons for choosing Prolog as a basis for domain-specific programming language.

We will also write some tutorials when we get more time 😉

 

