OCFA (Open Computer Forensics Architecture)

Nadir Hajiyani, CSC 253


Agenda

• What
• Who
• Specification
• Architecture - How
• Snapshots
• Help
• Open Source
• Disadvantages
• Advantages
• References


What is OCFA?

• Open Computer Forensics Architecture
• A modular framework
• Goal: automate the digital forensic process
• Direct access to seized data
• Forensics on very large and complex systems
• Allows investigators to search the processed data to find key evidence and support testimony


Who? The Man

• The Dutch national police, KLPD (Korps Landelijke Politiediensten)
• OCFA: an open source tool for professional criminal investigators
• The man: Jochen van der Wal (KLPD)
• Builds on existing forensic tools and libraries
• First step: specialists extract the evidence
• Second step: investigators use a simple web interface


Technical Specifications

• Installable OCFA 2.0.2 packages exist for Debian, Ubuntu and SUSE.
• The download folder contains RPMs or DEBs.
• A number of additional packages and installation guides.
• Lots to install in a Linux environment; you had better know some commands.
• "Oh, jump off the Windows"


Technical Specifications (contd.)

Other required packages: libpq5 (PostgreSQL client library), libpg-perl (Perl bindings for PostgreSQL), postgresql (the metadata database server), perl


The Digital Washing Machine

• The entire analysis process is viewed as a digital data wash ("Digiwash")
• The name comes from the Dutch 'digitale wasstraat' (digital car wash)
• Built for bulk evidence
• Automatic analysis and characterization of files
• Digiwash identifies file types
• Indexes files
• Extracts raw text from documents (antiword) and converts PDF files (pdftotext)
• Extracts mails (mailwash)
• Captures information in PGP data, mapping the key IDs found in mail
• Groups photos and thumbnails
• Integrates hash databases of known Windows files, so that known files are recognised and need no further examination
• Recursively analyses all the data: evidence derived from a file (an unpacked archive, extracted text) is itself fed back through the wash


Architecture (Ahhhhh)

• Router: the central component, drives the recursive file processing
• Modules call external software (antiword, pdftotext, ...) and return the results to the framework
• A relay handles communication and coordinates the messaging between components
• Investigators can run multiple instances: a distributed system
• Additional software packages can be plugged in as modules if necessary
• Automates the communication between investigator and experts
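The Digiwash and Architecture slides above describe one loop: hash each piece of evidence, skip it if a known-file database already knows it, identify its type, hand it to the module registered for that type, and feed whatever that module derives (unpacked archive members, extracted text) back into the same loop. The following is an added illustration of that loop written for this page; it is not OCFA code and does not use OcfaLib. The known-hash set, the sample archive, the magic-byte identifier and the extractors (a regex stand-in for pdftotext, a tiny mailwash) are all constructed for the example.

```python
"""Toy 'digital washing machine': router + modules + recursion over derived evidence.
Illustration only; constructed data and stand-in extractors, not the OCFA implementation."""
import hashlib
import re
import zipfile
from dataclasses import dataclass, field
from io import BytesIO
from typing import Optional

# Constructed "known Windows file" hash set, in the role OCFA gives hash databases:
# anything whose SHA-1 matches is recorded once and not analysed further.
KNOWN_WINDOWS_FILES = {
    hashlib.sha1(b"MZ\x90\x00 constructed notepad.exe stand-in").hexdigest(),
}


@dataclass
class Evidence:
    path: str                        # location inside the seized data, '/' separated
    data: bytes
    parent: Optional[str] = None     # path of the evidence this item was derived from
    meta: dict = field(default_factory=dict)


def identify(data: bytes) -> str:
    """Magic-byte type identification; stands in for libmagic / the 'file' tool."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MZ"):
        return "pe"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def unzip(ev: Evidence) -> list:
    """Container module: every archive member becomes derived evidence."""
    with zipfile.ZipFile(BytesIO(ev.data)) as zf:
        return [Evidence(f"{ev.path}/{n}", zf.read(n), parent=ev.path)
                for n in zf.namelist() if not n.endswith("/")]


def pdf_text(ev: Evidence) -> list:
    """Naive stand-in for pdftotext: collect the string operands of Tj operators."""
    strings = re.findall(rb"\((.*?)\)\s*Tj", ev.data, re.S)
    return [Evidence(ev.path + "#text", b" ".join(strings), parent=ev.path)]


def index_text(ev: Evidence) -> list:
    """Text indexer plus a tiny 'mailwash': record words and e-mail addresses as metadata."""
    text = ev.data.decode("utf-8", errors="replace")
    ev.meta["words"] = sorted({w.lower() for w in re.findall(r"[A-Za-z]{3,}", text)})
    ev.meta["emails"] = sorted(set(re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", text)))
    return []                        # text is a leaf: nothing further is derived


# The router table: which module handles which identified type.
MODULES = {"zip": unzip, "pdf": pdf_text, "text": index_text}


def process(ev: Evidence, results: list) -> None:
    """Router: hash, filter known files, identify, dispatch, recurse into derived evidence."""
    sha1 = hashlib.sha1(ev.data).hexdigest()
    ev.meta.update(sha1=sha1, size=len(ev.data))
    if sha1 in KNOWN_WINDOWS_FILES:
        ev.meta["type"] = "known-windows-file"
        results.append({"path": ev.path, "parent": ev.parent, **ev.meta})
        return                       # known file: recorded, but not washed any further
    ev.meta["type"] = identify(ev.data)
    module = MODULES.get(ev.meta["type"])
    derived = module(ev) if module else []
    results.append({"path": ev.path, "parent": ev.parent, **ev.meta})
    for child in derived:            # recursion: derived evidence goes through the same loop
        process(child, results)


def build_sample_image() -> Evidence:
    """Constructed seized data: a zip holding a PDF, a mail text and a 'Windows' binary."""
    pdf = (b"%PDF-1.4\n1 0 obj<</Length 44>>stream\n"
           b"BT /F1 12 Tf (Meet at the harbour) Tj (at 9) Tj ET\nendstream\nendobj\n%%EOF")
    mail = b"From: alice@example.org\nTo: bob@example.net\n\nBring the drive.\n"
    exe = b"MZ\x90\x00 constructed notepad.exe stand-in"
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/plan.pdf", pdf)
        zf.writestr("mail/msg1.eml", mail)
        zf.writestr("Windows/notepad.exe", exe)
    return Evidence("seized/usb.zip", buf.getvalue())


def wash(root: Evidence) -> list:
    """Run the whole wash and return one metadata record per piece of evidence."""
    results: list = []
    process(root, results)
    return results


if __name__ == "__main__":
    for r in wash(build_sample_image()):
        print(r["type"].ljust(20), r["path"], r.get("emails", ""), r.get("words", ""))
```

The split between `process` (the router) and the entries in `MODULES` is the point of the slide: a new extractor is one more table entry, and because modules only take an `Evidence` in and hand derived `Evidence` back, they could just as well run as separate processes behind a message relay, which is what makes the distributed setup on the slide possible. In a real deployment `identify` would be libmagic and `pdf_text` would shell out to pdftotext; the recursion and the known-hash short-circuit stay the same.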


Snapshots (Time to Peek)

(Screenshots; not reproduced in this transcript.)


Got some more help: SPSS

• Jochen van der Wal, technical engineer, said, "After implementing SPSS Text Mining software and deploying it to a crime case, we found an essential connection within just five minutes – which we couldn't have found in the past three months of investigations. The combination of the OCFA framework and SPSS text analysis functionality to analyze huge amounts of evidence allows us to gain rapid insights in unstructured data."

• SPSS: predictive analytics software and solutions
• Since 1968; 250,000 customers, 1,200 employees in 60 countries
• The Dutch police (KLPD) use the SPSS Text Mining software
• To uncover hidden patterns and relations in text
• Pulls key concepts from unstructured data and groups them


Open Development

• OcfaLib API: a C++ API
• Gain read access to evidence
• Each module works in its own directory
• Derive new evidence
• Access metadata
• Example on the website
• Step-by-step procedure: how to develop an OCFA module to be used in the OCFA framework


Disadvantages

• Takes forever to install and set up
• Complex and time consuming
• Only Linux versions are available in the open source market
• Does not have an established community for help and support
• A lot of the help and material is in Dutch, which keeps the average user away
• Discussed and looked at mainly from a research point of view
• Has not delivered efficiently
• Very little to no support


Advantages

• Interfaces well with other software and libraries
• Users can develop their own modules using the API
• No need to wait for a patch; it can be moulded to the situation
• Supports EnCase and FTK evidence files, including multi-part EnCase images
• Has a simple interface
• Supports large and complex forensic analysis projects
• Stable
• Scalable
• Fault isolation
• Recoverable
• Portable
• Robust


Welcome to the Future (Star Trek moment)

• Windows version: the Dutch police have one for their internal use
• Called Washbrush; it analyses Outlook and its mailboxes
• More OCFA modules to come
• Better interface
• The software will not be GPL'd but made available under an NDA (non-disclosure agreement)
• Java API
• Perl API
• Other projects: the CarvPath project (carving)


My opinion

• Initial shock to find not much help
• SourceForge demotivates
• Very little documentation
• Good specifications for Ubuntu
• Language problems
• Each module installation prompted for some dependency
• Seriously needs a community
• How would it be proven in court?
• Very powerful


References

1. OCFA: ocfa.sourceforge.net
2. Dutch Police: http://www.politie.nl/English/
3. The Sleuth Kit: http://www.sleuthkit.org/
4. SPSS: http://www.spss.com/
5. http://cs.uno.edu/~golden/Stuff/ifip2007-final.pdf
6. Other projects: http://www.forensicswiki.org/wiki/Carver_2.0_Planning_Page


Thank You