
Open Computer Forensic Architecture a Way to Process Terabytes of Forensic Disk Images

  • Conference paper
Open Source Software for Digital Forensics

Abstract

This chapter describes the Open Computer Forensics Architecture (OCFA), an automated system that dissects complex file types, extracts metadata from files and ultimately creates indexes on forensic images of seized computers. It consists of a set of collaborating processes, called modules. Each module is specialized in processing a certain file type. When it receives a so-called 'evidence', the information that has been extracted so far about the file together with the actual data, it either adds new information about the file or uses the file to derive a new 'evidence'. All evidence, original and derived, is sent to a router after being processed by a particular module. The router decides which module should process the evidence next, based upon the metadata associated with the evidence. Thus the OCFA system can recursively process images until the embedded files, if any, have been extracted from every compound file, all information that the system can derive has been derived, and all extracted text is indexed. Compound files include, but are not limited to, archive and zip files, disk images, text documents of various formats and, for example, mailboxes. The output of an OCFA run is a repository full of derived files, a database containing all extracted information about the files and an index which can be used when searching. This is presented in a web interface. Moreover, processed data is easily fed to third-party software for further analysis or for use in data-mining or text-mining tools. The main advantages of the OCFA system are:

  1. Scalable: it is able to process large amounts of data.

  2. Extendable: it is easy to develop and plug in custom modules.

  3. Open: the output is well suited to be used as input for other systems.

  4. Analysts and tactical investigators may search the evidence without the constant intervention of digital investigators.
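As an added illustration (not code from the chapter or from the OCFA project), the following Python sketch models the module/router loop described above: an evidence is a record of data plus metadata, a module either adds metadata or derives new evidence, and the router keeps re-dispatching until no module has anything left to add. The module names, the magic-byte type sniffing and the nested sample archive are constructed assumptions for the demonstration.

```python
import io
import zipfile
from collections import deque

def make_zip(entries):  # build a zip archive in memory from {member name: text}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample 'seized image': a zip holding a text file and a nested zip.
SAMPLE_IMAGE = make_zip({"readme.txt": "invoice archive for the harbour office",
                         "inner.zip": make_zip({"notes.txt": "meeting at the harbour on friday"})})

def zip_module(ev):
    """Compound-file module: derives one new evidence per archive member."""
    with zipfile.ZipFile(io.BytesIO(ev["data"])) as z:
        return [{"name": f"{ev['name']}/{n}", "data": z.read(n), "meta": {"processed": []}}
                for n in z.namelist()]

def text_module(ev):
    """Leaf module: adds the extracted text to the metadata, derives nothing."""
    ev["meta"]["text"] = ev["data"].decode("utf-8", "replace")
    return []

MODULES = {"zip": zip_module, "text": text_module}

def route(ev):
    """Router: pick the next module from the metadata gathered so far (None = finished).
    Magic-byte sniffing stands in for real file-type detection (assumption)."""
    wanted = ev["meta"].setdefault("type", "zip" if ev["data"][:2] == b"PK" else "text")
    return None if wanted in ev["meta"]["processed"] else wanted

def process_image(name, data):
    """Recursive run: every evidence, original or derived, returns to the router until
    no module has anything left to add. Returns (finished evidence, word index)."""
    queue = deque([{"name": name, "data": data, "meta": {"processed": []}}])
    finished, index = [], {}
    while queue:
        ev = queue.popleft()
        module_name = route(ev)
        if module_name is None:
            finished.append(ev)
            for word in sorted(set(ev["meta"].get("text", "").split())):
                index.setdefault(word, []).append(ev["name"])
            continue
        derived = MODULES[module_name](ev)
        ev["meta"]["processed"].append(module_name)
        queue.extend(derived)
        queue.append(ev)  # back to the router with updated metadata
    return finished, index
```

Running `process_image("image", SAMPLE_IMAGE)` yields four finished evidences (the image, its two members and the file nested inside the inner zip) and a word index in which "harbour" points at both text files.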


Notes

  1. The official Dutch name is Korps landelijke politiediensten (KLPD).

  2. The reader is not expected to readily understand the query and relations involved. The example is included to illustrate a potential application of the database in combination with the repository.

  3. E.g. by adding a local DNS entry or by inserting an entry in the hosts file of the client.

  4. It is possible to present a multipart dd or EnCase image as a dd image using carvfs [2], or to convert a multipart EnCase file to a dd file using ewf [5].

References

  1. Garcia J et al (2008) Forensic image and video examination support (fives). http://fives.kau.se

  2. Team Digital Expertise (2008) Libcarvpath. http://ocfa.sourceforge.net/libcarvpath/

  3. The Apache Software Foundation (2009) Lucene. http://lucene.apache.org/

  4. Huston SD, Johnson JCE, Syyid U (2003) The ACE Programmer's Guide: Practical Design Patterns for Network and Systems Programming. Addison-Wesley/Pearson Education

  5. Kloet B, Metz J, Mora R-J, Loveall D, Schreiber D (2008) Libewf. https://www.uitwisselplatform.nl/projects/libewf/

  6. Vermaas O (2008) The open computer forensic architecture. Master's thesis, University College Dublin, Forensic Computing and Cybercrime Investigations


Corresponding author: Oscar Vermaas.


© 2010 Springer Science+Business Media, LLC


Cite this paper

Vermaas, O., Simons, J., Meijer, R. (2010). Open Computer Forensic Architecture a Way to Process Terabytes of Forensic Disk Images. In: Huebner, E., Zanero, S. (eds) Open Source Software for Digital Forensics. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-5803-7_4


  • DOI: https://doi.org/10.1007/978-1-4419-5803-7_4


  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4419-5802-0

  • Online ISBN: 978-1-4419-5803-7

