The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework that automates the digital forensic process to speed up investigations and give tactical investigators direct access to the seized data through an easy-to-use search and browse interface. The architecture forms an environment into which existing forensic tools and libraries can easily be plugged, making them part of the recursive extraction of data and metadata from digital evidence. It aims to be highly modular, robust, fault tolerant, recursive, and scalable in order to be usable in large investigations that spawn numerous terabytes of evidence data and cover hundreds of evidence items.
| Licenses | LGPL, GPL |
|---|---|
| Operating Systems | POSIX, Linux |
| Implementation | C++, Unix Shell, bash, SQL, Perl |

Recent releases


Changes: A simpler and more powerful API for adding your own advanced (tree graph) dissector modules. A newly revived set of m4-based module code generators that makes getting started on your own OCFA modules a lot faster and simpler. A module for kick-starting EWF disk images into the framework, and a new photorec module for processing unallocated space and partitions not processed by the sleuthkit file-system tools. A set of improvements for speed and storage efficiency.


Changes: This release adds routing on evidence global metadata, a Photorec module, and a more comprehensive router rule list. The smarter data store module dsm2 is now the default. makeoverview has been deprecated. dsm1 has been deprecated. staticmounts are no longer the default.


Changes: Problems with bogus CVS tags that resulted in problems with installing the previous patchlevel release were fixed.


Changes: Multiple minor changes and bugfixes were made. The tree module was added to ease libtreegraph-based module creation. Fixes were made in Apache virtual host creation from createcase. Fixes were made in how the Web interface handles errors. A race condition was fixed in store. Parsing of /proc/mounts now uses a tunable regex from the configuration. Processing of colons in the mailwash module was fixed. The magic install script was fixed so that it no longer uses and patches the existing system magic file, but instead installs a tuned bundled magic file.


Changes: This version includes some refactored subsystems that should make the architecture a bit faster and easier to integrate with other programming languages like Java and Perl. With the new treegraph library, it should now be a lot simpler to create custom treegraph-based modules for the architecture.