Difference between revisions of "MattockFS"

From ForensicsWiki
Jump to: navigation, search
(Created page with "{{Infobox_Software | name = MattockFS | maintainer = Rob J Meijer | os = Linux | genre = {{Analysis}} | license = {{BSD}} | website = [http://pibara.github.io/...")
 
Line 8: Line 8:
 
}}
 
}}
  
MattockFS is a computer forensics actor framework component, computer forensic data repository and message bus implemented as [[Fuse]] based user space file system.  It is based partially on [[CarvFs]] and uses CarvPath annotations to designate frozen repository data in the same way that CarvFS does. MattockFS was designed to address some of the shortcomings of the [[Open Computer Forensics Architecture]] in respect to disk-cache misses and access control, and as such aims to become an essential foundational component in future actor-model based computer forensic frameworks.
+
MattockFS is a computer forensics actor-framework component, computer forensic data-repository and message-bus implemented as [[Fuse]] based user space file system.  It is based partially on [[CarvFs]] and the AnyCast-relay from the [[Open Computer Forensics Architecture]] (OCFA). MattockFS uses CarvPath annotations to designate frozen repository data in the same way that CarvFS does. MattockFS was designed to address some of the shortcomings of OCFA in respect to disk-cache misses and access control, and as such aims to become an essential foundational component in future actor-model based computer forensic frameworks. MattockFS is not a complete computer  forensics framework, rather MattockFS provides essential features that a computer forensics framework may build upon.  
 
   
 
   
 
MattockFS provides the following facilities to future actor-model based computer forensic frameworks:
 
MattockFS provides the following facilities to future actor-model based computer forensic frameworks:
  
* A lab-side privilege-separation equivalent of Sealed Digital Evidence Bags. After creation, repository data is made immutable, thus guarding the integrity of the data from unintended write access by untrusted modules.
+
* '''Lab-side privilege-separation equivalent of Sealed Digital Evidence Bags.''' After creation, repository data is made immutable, thus guarding the integrity of the data from unintended write access by untrusted modules.
* Trusted provenance logs. Actors/workers roles in the processing of digital evidence chunks are logged to a provenence log, leaving no opportunity for untrusted modules to falsify or corrupt provenance logs.
+
* '''Trusted provenance logs.''' Actors/workers roles in the processing of digital evidence chunks are logged to a provenence log, leaving no opportunity for untrusted modules to falsify or corrupt provenance logs.
* CarvPath based access to frozen (immutable) data in the same way as provided by [[CarvFs]].
+
* '''CarvPath based access to frozen (immutable) data.''' Multi-layer CarvPath based access in the same way as provided by [[CarvFs]].
* An Actors oriented localhost message bus aimed specifically at use by a computer forensics framework and the concept of toolchains. This is basically the same functionality that used to be provided by the Anycast-Relay in the [[Open Computer Forensics Architecture]].
+
* '''Domain specific actors oriented localhost message bus.''' MattockFS provides an Anycast message bus aimed specifically at use by a computer forensics framework and the concept of toolchains. This is basically the same functionality that used to be provided by the Anycast-Relay in the [[Open Computer Forensics Architecture]].
* CarvPath based opportunistic hashing. MattockFS maps all low-level reads and writes to reads and writes on all active (either open files or or part of an active tool-chain) CarvPaths and will opportunisticaly calculate BLAKE2 hashes for these CarvPaths when possible.
+
* '''CarvPath based opportunistic hashing.''' MattockFS maps all low-level reads and writes to reads and writes on all active (either open files or or part of an active tool-chain) CarvPaths and will opportunisticaly calculate BLAKE2 hashes for these CarvPaths when possible.
* Page-cache friendly archive interaction. MattockFS keeps track of active CarvPaths in what is called a reference counting stack. It will communicate with the kernel when parts of the archive are no longer active (and can be flushed from page cache).
+
* '''Page-cache friendly archive interaction.''' MattockFS keeps track of active CarvPaths in what is called a reference counting stack. It will communicate with the kernel when parts of the archive are no longer active (and can be flushed from page cache).
* Actor Job picking policies: MattockFS implements multiple job CarvPath based picking policies aimed either at opportunistic hashing or page-cache load optimized strategies.  
+
* '''Actor Job picking policies''': MattockFS implements multiple job CarvPath based picking policies aimed either at opportunistic hashing or page-cache load optimized strategies.  
* Load balancing support: MattockFS allows a special actor, a load-balancer, to steal jobs from other (overloaded) actors in order to redistribute the job to an other node in a multi-host setup.
+
* '''Load balancing support''': MattockFS allows a special actor, a load-balancer, to steal jobs from other (overloaded) actors in order to redistribute the job to an other node in a multi-host setup.
* Throttle information: MattockFS provides the overlaying computer forensic framework with meta-data concerning potential page-cache load and per Actor queue size and volume. Based on this information, actors should throttle their new-data output in order to avoid spurious page-cache misses caused by to much active evidence data at a time.  
+
* '''Throttle information''': MattockFS provides the overlaying computer forensic framework with meta-data concerning potential page-cache load and per Actor queue size and volume. Based on this information, actors should throttle their new-data output in order to avoid spurious page-cache misses caused by to much active evidence data at a time.  
 +
* '''Hooks for a distributed FIVES router'''. In the [[Open Computer Forensics Architecture]] a stateless router process was responsible for dynamic toolchain path routing based on meta-data from the dependence data. The [[FIVES]] project created an alternative router process that carried router rule-list traversal-state with the in-band provenance meta-data. MattockFS provides a simple hook for use by a distributed version of FIVES-router like functionality.
 +
 
  
 
MattockFS is not a complete forensic framework, it is a component that can be used as foundation for a complete forensic framework. Currently MattockFS is in beta. MattockFS  comes with a Python API aimed at usage by an overlaying computer forensics framework. Future API's for other programming languages (C++ and others) are planned.
 
MattockFS is not a complete forensic framework, it is a component that can be used as foundation for a complete forensic framework. Currently MattockFS is in beta. MattockFS  comes with a Python API aimed at usage by an overlaying computer forensics framework. Future API's for other programming languages (C++ and others) are planned.
 
== External Links ==
 
== External Links ==
 
* [http://pibara.github.io/MattockFS/ Project site]
 
* [http://pibara.github.io/MattockFS/ Project site]

Revision as of 14:22, 19 January 2016

MattockFS
Maintainer: Rob J Meijer
OS: Linux
Genre: Analysis
License: BSD
Website: http://pibara.github.io/MattockFS/

MattockFS is a computer forensics actor-framework component, computer forensic data-repository and message-bus implemented as Fuse based user space file system. It is based partially on CarvFs and the AnyCast-relay from the Open Computer Forensics Architecture (OCFA). MattockFS uses CarvPath annotations to designate frozen repository data in the same way that CarvFS does. MattockFS was designed to address some of the shortcomings of OCFA in respect to disk-cache misses and access control, and as such aims to become an essential foundational component in future actor-model based computer forensic frameworks. MattockFS is not a complete computer forensics framework, rather MattockFS provides essential features that a computer forensics framework may build upon.

MattockFS provides the following facilities to future actor-model based computer forensic frameworks:

  • Lab-side privilege-separation equivalent of Sealed Digital Evidence Bags. After creation, repository data is made immutable, thus guarding the integrity of the data from unintended write access by untrusted modules.
  • Trusted provenance logs. Actors/workers roles in the processing of digital evidence chunks are logged to a provenence log, leaving no opportunity for untrusted modules to falsify or corrupt provenance logs.
  • CarvPath based access to frozen (immutable) data. Multi-layer CarvPath based access in the same way as provided by CarvFs.
  • Domain specific actors oriented localhost message bus. MattockFS provides an Anycast message bus aimed specifically at use by a computer forensics framework and the concept of toolchains. This is basically the same functionality that used to be provided by the Anycast-Relay in the Open Computer Forensics Architecture.
  • CarvPath based opportunistic hashing. MattockFS maps all low-level reads and writes to reads and writes on all active (either open files or or part of an active tool-chain) CarvPaths and will opportunisticaly calculate BLAKE2 hashes for these CarvPaths when possible.
  • Page-cache friendly archive interaction. MattockFS keeps track of active CarvPaths in what is called a reference counting stack. It will communicate with the kernel when parts of the archive are no longer active (and can be flushed from page cache).
  • Actor Job picking policies: MattockFS implements multiple job CarvPath based picking policies aimed either at opportunistic hashing or page-cache load optimized strategies.
  • Load balancing support: MattockFS allows a special actor, a load-balancer, to steal jobs from other (overloaded) actors in order to redistribute the job to an other node in a multi-host setup.
  • Throttle information: MattockFS provides the overlaying computer forensic framework with meta-data concerning potential page-cache load and per Actor queue size and volume. Based on this information, actors should throttle their new-data output in order to avoid spurious page-cache misses caused by to much active evidence data at a time.
  • Hooks for a distributed FIVES router. In the Open Computer Forensics Architecture a stateless router process was responsible for dynamic toolchain path routing based on meta-data from the dependence data. The FIVES project created an alternative router process that carried router rule-list traversal-state with the in-band provenance meta-data. MattockFS provides a simple hook for use by a distributed version of FIVES-router like functionality.


MattockFS is not a complete forensic framework, it is a component that can be used as foundation for a complete forensic framework. Currently MattockFS is in beta. MattockFS comes with a Python API aimed at usage by an overlaying computer forensics framework. Future API's for other programming languages (C++ and others) are planned.

External Links