Open Computer Forensics Architecture
Open Computer Forensics Architecture | |
---|---|
Developer(s) | Korps landelijke politiediensten |
Stable release | 2.2.0pl4 |
Operating system | Linux |
Available in | English |
Type | Computer forensics |
Website | http://sourceforge.net/apps/trac/ocfa/wiki |
The Open Computer Forensics Architecture (OCFA) is a distributed, open-source computer forensics framework (back end and architecture) used to analyze digital media within a digital forensics laboratory environment.
OCFA provides a framework for weaving together both computer forensics tools and generic media and file processing tools and libraries into an automated process that can handle vast amounts of digital media data within the context of a computer forensic investigation. OCFA was built by the Dutch national police to address the shortcomings of commercial computer forensics tools such as EnCase and Forensic Toolkit with respect to scalability, speed and, most of all, extendability.
The Open Computer Forensics Architecture is distributed primarily as a back end architecture for the Linux platform. The results of the digital media processing are stored in a PostgreSQL database, a data repository based on a custom content-addressable storage scheme or on CarvFS, and a Lucene index. A front end for OCFA has not been made publicly available due to licensing issues.
OCFA comes with a small set of modules that integrate some common open source tools and libraries into the architecture. These include modules for the integration of The Sleuth Kit, Scalpel, PhotoRec, libmagic, GNU Privacy Guard, objdump, exiftags, zip, 7-Zip, tar, gzip, bzip2, rar, antiword, qemu-img, mbx2mbox, strings, many Perl modules for mail and dbx processing, libewf and others. While these standard modules provide a reasonable environment for processing digital media, most of the power of OCFA comes from its extendability: OCFA ships with libraries for building your own modules in C++ or Java.
Both the Java and the C++ library provide an API for building custom OCFA modules that integrate other tools or libraries into the computer forensics process. Basic modules of this kind can produce derived data and add extracted metadata to both the input data and the derived data. The C++ library also provides a second, more advanced API for building modules whose derived output carries metadata at more than one level of depth.
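The following Python sketch is an added illustration, not OCFA's own code, of the processing model described above: modules that derive new data from an input item, metadata attached at every level of derivation, and a content-addressable repository that stores identical bytes only once. The `Item`, `ContentStore` and `zip_module` names are hypothetical and the nested zip archive is constructed inline.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Item:
    """One evidence object: raw bytes plus metadata; parent links derived data to its source."""
    data: bytes
    meta: dict = field(default_factory=dict)
    parent: Optional[str] = None

class ContentStore:
    """Content-addressable repository: each distinct blob is kept once under its SHA-256,
    while every occurrence (and its parent) is recorded as a separate metadata entry."""
    def __init__(self):
        self.blobs = {}
        self.meta = {}

    def put(self, item):
        digest = hashlib.sha256(item.data).hexdigest()
        self.blobs.setdefault(digest, item.data)
        self.meta.setdefault(digest, []).append({**item.meta, "parent": item.parent})
        return digest

def zip_module(item):
    """Hypothetical module: if the input is a zip archive, return its members as derived items."""
    if not item.data.startswith(b"PK\x03\x04"):
        return []
    with zipfile.ZipFile(io.BytesIO(item.data)) as zf:
        return [Item(zf.read(n), {"name": n, "module": "zip"}) for n in zf.namelist()]

def process(store, root, modules):
    """Store every item and recurse into derived output, so derivation can be arbitrarily deep."""
    digests, queue = [], [root]
    while queue:
        item = queue.pop()
        digest = store.put(item)
        digests.append(digest)
        for module in modules:
            for child in module(item):
                child.parent = digest
                queue.append(child)
    return digests

def build_sample():
    """Constructed sample evidence: a zip inside a zip, with the same text file at both levels."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("a.txt", "hello")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("copy.txt", "hello")
    return outer.getvalue()
```

Running `process` on `build_sample()` yields four items but only three distinct blobs, because the duplicate text file is deduplicated while both of its parents are preserved in the metadata.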