Transcript Hajiyani,Nadir Mehmood M

NADIR HAJIYANI CSC 253 OCFA
Nadir Hajiyani
Agenda
•
•
•
•
•
•
•
•
•
•
What
Who
Specification
Architecture - How
Snapshots
Help
Open Source
Disadvantages
Advantages
References
What is OCFA?
•
•
•
•
•
•
•
•
Open Computer Forensics Architecture
Modular
Framework
Goal:-Automate the digital forensic process
Direct access to seized data
Forensics on highly large and complex systems
Allows researchers to conduct searches
TO find key evidence and testimony
Who ? The Man
• Dutch National police of the Netherlands
• KLPD- Korps Landelijke Politiediensten(KLPD)
• OCFA-Open source tool for professional criminal
investigators.
• The Man:- Jochen Van Der Wal (KLPD)
• Existing forensic tools and libraries
• First Step Specialist extract evidence
• Second Step:-Investigators use simple web
interface.
Technical Specifications
• Installable OCFA 2.0.2 package exist for
Debian, UBUNTU, SUSE.
• Folder include RPMS or DEB’s
• Number of additional packages and
installation guides.
• Lots to install in Linux environment. You better
know some commands.
• “Oh jump off the Windows”
Technical Specifications(contd)
Others:-Libpq5 libpg-perl postgresql, perl
The Digital Washing Machine
• The entire analysis process is viewed as Digital Data
Wash(Digiwash)
• Roots from 'digitale wasstraat’
• Bulk Evidence
• Automatic Analysis and Characterization of Files
• Digiwash-identify file types
• Index files
• Extract rawtext(antiword), covert pdf files(pdftotext)
• Extract mails(mailwash)
• Capturing info in PGP, mapping key ids in mail
• Group photos and thumbnails
• Integrate hash databases of known windows files
• Recursively analyses all the data
Architecture(Ahhhhh)
•Router- Central- Recursive File Processing
•Calls external software before return
•Relay handles communication and co-ordinates
messaging
•Investigators run multiple instances-Distributed system
•Can use additional software packages if necessary
•Automates communication between investigator and
experts
Snap Shots(Time To Peek)
Got some more help-SPSS
• Jochen van der Wal, technical engineer, said, "After implementing
SPSS Text Mining software and deploying it to a crime case, we
found an essential connection within just five minutes – which we
couldn't have found in the past three months of investigations. The
combination of the OCFA framework and SPSS text analysis
functionality to analyze huge amounts of evidence allows us to gain
rapid insights in unstructured data."
• SPSS –predictive analytics software and solutions
• Since 1968, 250,000 customers , 1200 employees in 60 countries
• Dutch police(KLPD ) uses the SPSS Text mining software
• To uncover hidden patterns and relations in text.
• Pulls key concepts from unstructured data and groups.
Open Development
•
•
•
•
•
•
•
•
OcfaLib API:- C++ API
Gain read access
Use its own dir
Derive Evidence
Access meta data
Example on the website
Step by step procedure
How to develop an Ocfa module to be used in Ocfa
framework.
Disadvantages
•
•
•
•
•
Takes forever to install and setup
Complex and Time consuming
Linux versions available in open source market
Does not has a set community to help and support
A lot of help and material is available in Dutch so keeps the
average user away
• Being discussed and looked from a research point of view
• Has not delivered efficiently
• Very less to no support.
Advantages
•
•
•
•
•
•
•
•
•
•
•
•
Good to interface with other software’s and library.
User could develop their own modules using the API
Does not have to wait for a patch and can mould as per situation
Supports Encase and FTK multi part encase files
Has a simple interface
Supports large and complex forensic analysis projects.
Stable
Scalable
Fault isolation
Recoverable
Portable
Robust
Welcome to the Future(Star trek
moment)
•
•
•
•
•
Windows version:-Dutch Police have it for their internal use.
Called Washbrush, analyses Outlook and its mailboxes.
More OCFA modules to come
Better interface
The software will not be GPL’d but via NDA(Non _disclosure
aagreement)
• Java API
• Perl API
• Other Projects- CarvPath project -Carving
My opinion
•
•
•
•
•
•
•
•
•
Initial shock to find not much help
Sourceforge demotivates
Very less documentation
Good specifications for Ubuntu
Language problems
Each module installation prompted for some dependency
Seriously need a community
How would it be proved in court
Very powerful
References
•
•
•
•
•
•
1. OCFA: - ocfa.sourceforge.net
2. Dutch Police: - http://www.politie.nl/ English/
3. The Sleuth Kit: http://www.sleuthkit.org/
4. http://www.spss.com/
5. http://cs.uno.edu/~golden/Stuff/ifip2007-final.pdf
6. Other projects: http://www.forensicswiki.org/wiki/Carver_2.0_Planning_Page
Thank You