Learn about the Open Computer Forensics Architecture (OCFA), a modular framework designed to automate digital forensic processes, provide direct access to seized data, and support forensics on highly complex systems. Developed by the Dutch National Police, it integrates features like Digiwash for bulk evidence analysis and SPSS text mining for rapid insights. Explore technical specifications, advantages, and disadvantages of OCFA, along with its open development through OcfaLib API. Discover how OCFA facilitates seamless communication between investigators and experts, aiding in efficient forensic analysis.
OCFA
Nadir Hajiyani, CSC 253
Agenda
• What
• Who
• Specification
• Architecture: how it works
• Snapshots
• Help
• Open source
• Disadvantages
• Advantages
• References
What is OCFA?
• Open Computer Forensics Architecture: a modular framework
• Goal: automate the digital forensic process
• Direct access to seized data
• Forensics on very large and complex systems
• Lets investigators run searches to find key evidence and testimony
Who?
• Dutch National Police of the Netherlands: Korps Landelijke Politiediensten (KLPD)
• OCFA is an open-source tool for professional criminal investigators
• The man behind it: Jochen van der Wal (KLPD)
• Builds on existing forensic tools and libraries
• Two-step workflow: first, a specialist extracts the evidence; second, investigators work with it through a simple web interface
Technical Specifications
• Installable OCFA 2.0.2 packages exist for Debian, Ubuntu and SUSE
• The package folder includes RPMs or DEBs
• A number of additional packages and installation guides are required
• There is a lot to install in a Linux environment; you had better know some commands ("Oh, jump off the Windows")
Technical Specifications (contd.)
• Other dependencies: libpq5, libpg-perl, postgresql, perl
The Digital Washing Machine
• The entire analysis process is viewed as a digital data wash (Digiwash); the name comes from the Dutch 'digitalewasstraat'
• Bulk evidence: automatic analysis and characterization of files
• Digiwash identifies file types and indexes files
• Extracts raw text (antiword) and converts PDF files (pdftotext)
• Extracts mail (mailwash), captures PGP information and maps key IDs found in mail
• Groups photos and thumbnails
• Integrates hash databases of known Windows files, so known files can be recognised instead of re-analysed
• Recursively analyses all the data
Architecture (Ahhhhh)
• Router: the central component, drives recursive file processing
• A module calls external software on a file and collects the result before returning control to the router
• Relay: handles communication and coordinates messaging between components
• Investigators can run multiple instances: a distributed system
• Additional software packages can be plugged in if necessary
• Automates communication between investigator and experts
Got some more help: SPSS
Jochen van der Wal, technical engineer, said, "After implementing SPSS Text Mining software and deploying it to a crime case, we found an essential connection within just five minutes – which we couldn't have found in the past three months of investigations. The combination of the OCFA framework and SPSS text analysis functionality to analyze huge amounts of evidence allows us to gain rapid insights in unstructured data."
• SPSS: predictive analytics software and solutions
• Since 1968; 250,000 customers; 1,200 employees in 60 countries
• The Dutch police (KLPD) use SPSS text-mining software to uncover hidden patterns and relations in text
• It pulls key concepts out of unstructured data and groups them
Open Development
• OcfaLib API: a C++ API
• A module can gain read access to evidence, use its own directory, derive new evidence, and access metadata
• An example on the website gives a step-by-step procedure for developing an OCFA module to be used in the OCFA framework
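The following is an added example, not OCFA's or the KLPD's code and not the OcfaLib API: a small Python sketch of the design described on the Digital Washing Machine, Architecture and Open Development slides. A router hashes each item, skips files whose hash is in a known-files database, identifies the type, dispatches the item to type-specific modules, and requeues whatever evidence a module derives (here, members of a zip archive), so containers are processed recursively. The Evidence record, the module functions, the sample seized-data tree and the KNOWN_HASHES set (a stand-in for a known-Windows-files hash database) are all constructed for this illustration.

```python
"""Toy 'digital washing machine': a router that recursively runs file-type
modules over seized data and filters known files by hash.
Constructed illustration of the OCFA design, not OCFA code."""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field
from email import policy
from email.parser import BytesParser

MAX_DEPTH = 4             # stop unpacking nested containers (archive bombs)
MAX_MEMBER_BYTES = 1 << 20

# Constructed stand-in for a hash database of known OS-shipped files.
KNOWN_CALC_EXE = b"MZ\x90\x00" + b"\x00" * 60
KNOWN_HASHES = {hashlib.sha256(KNOWN_CALC_EXE).hexdigest()}


@dataclass
class Evidence:
    path: str                 # "parent!member" for evidence derived from a container
    data: bytes
    depth: int = 0            # how many containers deep this item was found
    meta: dict = field(default_factory=dict)


def identify(data: bytes) -> str:
    """Cheap magic-byte identification; a real deployment would use libmagic."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:2] == b"MZ":
        return "pe"
    if data[:5] == b"From:":
        return "mail"
    try:
        data.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "binary"


# Each module annotates ev.meta and returns derived evidence for the router.
def text_module(ev: Evidence) -> list:
    ev.meta["rawtext"] = ev.data.decode("ascii")
    return []


def mail_module(ev: Evidence) -> list:
    msg = BytesParser(policy=policy.default).parsebytes(ev.data)
    ev.meta.update(sender=str(msg["From"]), recipient=str(msg["To"]),
                   subject=str(msg["Subject"]))
    body = msg.get_body(preferencelist=("plain",))
    ev.meta["rawtext"] = body.get_content() if body else ""
    return []


def zip_module(ev: Evidence) -> list:
    """Container module: every member becomes new evidence for the router."""
    derived = []
    with zipfile.ZipFile(io.BytesIO(ev.data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:   # refuse oversized members
                ev.meta.setdefault("skipped", []).append(info.filename)
                continue
            derived.append(Evidence(f"{ev.path}!{info.filename}", zf.read(info), ev.depth + 1))
    return derived


MODULES = {"text": [text_module], "mail": [mail_module], "zip": [zip_module]}


def route(items: list) -> list:
    """Router: hash, filter known files, dispatch by type, requeue derived evidence."""
    queue, done = list(items), []
    while queue:
        ev = queue.pop(0)
        ev.meta["sha256"] = hashlib.sha256(ev.data).hexdigest()
        ev.meta["type"] = identify(ev.data)
        ev.meta["known"] = ev.meta["sha256"] in KNOWN_HASHES
        if ev.meta["known"]:
            done.append(ev)           # known file: record it, no further analysis
            continue
        if ev.depth > MAX_DEPTH:
            ev.meta["error"] = "max container depth exceeded"
        else:
            for module in MODULES.get(ev.meta["type"], []):
                queue.extend(module(ev))
        done.append(ev)
    return done


def search(items: list, needle: str) -> list:
    """Investigator-side keyword search over the extracted text."""
    needle = needle.lower()
    return sorted(ev.path for ev in items if needle in ev.meta.get("rawtext", "").lower())


def build_sample() -> list:
    """Constructed seized-data tree; the nested zip exercises recursive processing."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("inner.txt", b"nothing here")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner/plan.txt", b"cash in locker 12")
        zf.writestr("nested.zip", inner.getvalue())
    return [
        Evidence("docs/report.txt", b"Meeting at 22:00, bring the cash"),
        Evidence("mail/inbox.eml", b"From: alice@example.org\nTo: bob@example.org\n"
                                   b"Subject: payment\n\nCash pickup tomorrow\n"),
        Evidence("system/calc.exe", KNOWN_CALC_EXE),
        Evidence("archive/evidence.zip", outer.getvalue()),
    ]


if __name__ == "__main__":
    results = route(build_sample())
    for ev in results:
        print(ev.path, ev.meta["type"], "known" if ev.meta["known"] else "")
    print("hits for 'cash':", search(results, "cash"))
```

The point to notice is that modules never recurse themselves: a container module only returns derived Evidence records, and the router decides what to run next, which is what lets the same loop be distributed over several instances. The depth and member-size caps are the practitioner's guard against nested archive bombs in seized data; a real deployment would also replace the magic-byte check with libmagic and the constructed hash set with a maintained known-files database.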
Disadvantages
• Takes forever to install and set up; complex and time consuming
• Only Linux versions are available in the open-source market
• Does not have an established community to help and support users
• A lot of the help and material is in Dutch, which keeps the average user away
• Discussed and looked at mostly from a research point of view
• Has not delivered efficiently
• Very little to no support
Advantages
• Interfaces well with other software and libraries
• Users can develop their own modules using the API, so they do not have to wait for a patch and can adapt the tool to the situation
• Supports EnCase and FTK evidence files, including multi-part EnCase files
• Has a simple interface
• Supports large and complex forensic analysis projects
• Stable, scalable, fault isolating, recoverable, portable, robust
Welcome to the Future (Star Trek moment)
• Windows version: the Dutch Police have one for their internal use; called Washbrush, it analyses Outlook and its mailboxes
• More OCFA modules to come
• Better interface
• The software will not be GPL'd but made available via NDA (non-disclosure agreement)
• Java API
• Perl API
• Other projects: the CarvPath project (carving)
My opinion
• Initial shock to find not much help
• SourceForge demotivates
• Very little documentation
• Good specifications for Ubuntu
• Language problems
• Each module installation prompted for some dependency
• Seriously needs a community
• How would it be proved in court?
• Very powerful
References
1. OCFA: ocfa.sourceforge.net
2. Dutch Police: http://www.politie.nl/English/
3. The Sleuth Kit: http://www.sleuthkit.org/
4. SPSS: http://www.spss.com/
5. http://cs.uno.edu/~golden/Stuff/ifip2007-final.pdf
6. Other projects: http://www.forensicswiki.org/wiki/Carver_2.0_Planning_Page