From ForensicsWiki
Revision as of 11:32, 18 January 2016 by Capibara (Created page)

Maintainer: Rob J Meijer
OS: Linux
Genre: Analysis
License: BSD

MattockFS is a computer forensics actor-framework component, computer forensic data repository and message bus, implemented as a FUSE-based user-space file system. It is based partially on CarvFs and uses CarvPath annotations to designate frozen repository data in the same way that CarvFs does. MattockFS was designed to address some of the shortcomings of the Open Computer Forensics Architecture with respect to disk-cache misses and access control, and as such aims to become an essential foundational component of future actor-model based computer forensic frameworks.

MattockFS provides the following facilities to future actor-model based computer forensic frameworks:

  • A lab-side privilege-separation equivalent of Sealed Digital Evidence Bags. After creation, repository data is made immutable, guarding the integrity of the data against unintended write access by untrusted modules.
  • Trusted provenance logs. The roles of actors/workers in the processing of digital evidence chunks are logged to a provenance log, leaving no opportunity for untrusted modules to falsify or corrupt provenance logs.
  • CarvPath based access to frozen (immutable) data in the same way as provided by CarvFs.
  • An actor-oriented localhost message bus aimed specifically at use by a computer forensics framework and the concept of toolchains. This is basically the same functionality that used to be provided by the Anycast-Relay in the Open Computer Forensics Architecture.
  • CarvPath based opportunistic hashing. MattockFS maps all low-level reads and writes to reads and writes on all active CarvPaths (either open files or part of an active toolchain) and will opportunistically calculate BLAKE2 hashes for these CarvPaths when possible.
  • Page-cache friendly archive interaction. MattockFS keeps track of active CarvPaths in what is called a reference-counting stack. It will communicate with the kernel when parts of the archive are no longer active (and can be flushed from the page cache).
  • Actor job-picking policies: MattockFS implements multiple CarvPath based job-picking policies aimed either at opportunistic hashing or at page-cache-load optimized strategies.
  • Load-balancing support: MattockFS allows a special actor, a load balancer, to steal jobs from other (overloaded) actors in order to redistribute the job to another node in a multi-host setup.
  • Throttle information: MattockFS provides the overlaying computer forensic framework with metadata concerning potential page-cache load and per-actor queue size and volume. Based on this information, actors should throttle their new-data output in order to avoid spurious page-cache misses caused by too much active evidence data at a time.
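Four of the facilities above fit together: the immutable repository, the provenance log kept by the file system rather than by the actor, CarvPath-based reads that yield a BLAKE2 hash as a side effect, and the reference-counted bookkeeping that tells the kernel which bytes may leave the page cache. The following Python model is an added example written for this page, not MattockFS's own code or Python API. It assumes the CarvFs style of CarvPath notation (`offset+size` fragments joined by `_`), keeps the repository as a plain append-only file instead of a FUSE mount, and uses `posix_fadvise(POSIX_FADV_DONTNEED)` as the page-cache hint; the `FrozenArchive` class, the `uncovered` helper and the sample chunk in `demo()` are all constructed here.

```python
"""Toy model of an immutable CarvPath repository with provenance logging,
opportunistic BLAKE2 hashing and reference-counted page-cache hints.
Added illustration; not MattockFS code. CarvPath notation is assumed from CarvFs."""
import hashlib
import os
import tempfile


def parse_carvpath(carvpath):
    """Turn "0+2_64+4" into [(0, 2), (64, 4)]: absolute (offset, length) fragments."""
    frags = []
    for frag in carvpath.split("_"):
        offset, length = frag.split("+")
        frags.append((int(offset), int(length)))
    return frags


def uncovered(frag, others):
    """Yield the parts of frag that no fragment in others overlaps, in file order."""
    start, end = frag[0], frag[0] + frag[1]
    cuts = sorted((o, o + n) for o, n in others if o < end and o + n > start)
    for cut_start, cut_end in cuts:
        if cut_start > start:
            yield (start, cut_start - start)
        start = max(start, cut_end)
    if end > start:
        yield (start, end - start)


class FrozenArchive:
    """Append-only repository file; a chunk written once is never modified."""

    def __init__(self, path):
        self.path = path
        self.active = {}       # carvpath -> reference count (the "stack" of open paths)
        self.hashes = {}       # carvpath -> BLAKE2b hex digest, filled opportunistically
        self.provenance = []   # (actor, carvpath, event), written by the store, not the actor
        self.dropped = []      # byte ranges advised out of the page cache, for inspection

    def freeze(self, actor, data):
        """Append a chunk and return the CarvPath that designates it from now on."""
        with open(self.path, "ab") as fh:
            offset = fh.tell()          # mode "ab" positions at end of file
            fh.write(data)
        carvpath = f"{offset}+{len(data)}"
        self.provenance.append((actor, carvpath, "created"))
        return carvpath

    def acquire(self, actor, carvpath):
        """An actor opens a CarvPath: bump its refcount and log who did it."""
        self.active[carvpath] = self.active.get(carvpath, 0) + 1
        self.provenance.append((actor, carvpath, "open"))

    def read(self, carvpath):
        """Read the fragments in order; a full pass also yields the BLAKE2 hash for free."""
        digest = hashlib.blake2b()
        out = bytearray()
        with open(self.path, "rb") as fh:
            for offset, length in parse_carvpath(carvpath):
                fh.seek(offset)
                buf = fh.read(length)
                out += buf
                digest.update(buf)
        self.hashes.setdefault(carvpath, digest.hexdigest())
        return bytes(out)

    def release(self, actor, carvpath):
        """Drop a reference; when the last one goes, hint the kernel to evict those pages."""
        self.active[carvpath] -= 1
        self.provenance.append((actor, carvpath, "close"))
        if self.active[carvpath] == 0:
            del self.active[carvpath]
            self._drop_from_page_cache(carvpath)

    def _drop_from_page_cache(self, carvpath):
        # Only evict bytes that no still-active CarvPath overlaps.
        still_active = [f for cp in self.active for f in parse_carvpath(cp)]
        fd = os.open(self.path, os.O_RDONLY)
        try:
            for frag in parse_carvpath(carvpath):
                for offset, length in uncovered(frag, still_active):
                    self.dropped.append((offset, length))
                    if hasattr(os, "posix_fadvise"):   # Linux; skipped elsewhere
                        os.posix_fadvise(fd, offset, length, os.POSIX_FADV_DONTNEED)
        finally:
            os.close(fd)


def demo():
    """Constructed scenario: a carver freezes a chunk, two actors read through CarvPaths."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        archive = FrozenArchive(path)
        chunk = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"A" * 60   # constructed 128-byte sample
        whole = archive.freeze("carver", chunk)                    # "0+128"
        magic_only = "0+2_64+4"                                    # just the two signatures
        archive.acquire("hasher", whole)
        archive.acquire("scanner", magic_only)
        data = archive.read(whole)
        magic = archive.read(magic_only)
        archive.release("scanner", magic_only)   # still covered by "0+128": nothing evicted
        archive.release("hasher", whole)         # last reference: whole chunk evicted
        return {"carvpath": whole, "intact": data == chunk, "magic": magic,
                "hash": archive.hashes[whole], "active": dict(archive.active),
                "dropped": list(archive.dropped), "provenance": list(archive.provenance)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point to notice is in `release`: the scanner's close of `0+2_64+4` evicts nothing because the hasher still holds `0+128`, and only the last close hands the full range to the kernel. In the real file system the same refcount information is what the job-picking policies and throttle metadata are derived from; here it is only consulted once, on eviction.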

MattockFS is not a complete forensic framework; it is a component that can be used as the foundation for one. Currently MattockFS is in beta. MattockFS comes with a Python API aimed at usage by an overlaying computer forensics framework. APIs for other programming languages (C++ and others) are planned.

External Links