Difference between pages "Windows Registry" and "OCFA treegraph API"

From ForensicsWiki

Revision as of 06:00, 28 August 2009

OCFA treegraph API

The OCFA treegraph API is a more advanced API for the [[Open Computer Forensics Architecture]]. The basic [[OCFA API]] allows for the fast and simple creation of simple dissector and extractor modules for OCFA, but has some limitations.

To overcome these limitations, the 2.2 version of OCFA reworked an API that was previously used only internally by the OCFA library and promoted it to an API available to module builders.

The OCFA treegraph API defines the interface that a loadable library must implement in order to be usable as an advanced dissector module by the Open Computer Forensics Architecture.

In essence it defines an interface, 'TreeGraphNode', from which a treegraph module derives one or more classes. A TreeGraphNode can contain data, meta-data and sub-nodes that are themselves TreeGraphNode implementations.

The data interface of the TreeGraphNode also allows treegraph modules that are [[CarvFs]] aware to return a carvpath as a so-called 'soft linkable path' instead of the data itself. A carvpath references the bytes inside the parent evidence rather than storing a copy of them, so doing so allows OCFA to use substantially less storage.

An example of a treegraph module for OCFA is included in the 2.2 release of OCFA: the OCFA mmls module. The OCFA mmls module reproduces the functionality of the [[sleuthkit]] mmls tool, which lists the partitions of a volume system. It does this using the OCFA treegraph library, the [[LibCarvPath]] library and the [[sleuthkit]] library.

Windows Registry

==Bibliography==

* Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf [paper]] [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf [slides]]
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008 [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Forensic Analysis of the Windows Registry], Peter Davies, Computer Forensics: Coursework 2 (student paper)
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], Derrick Farmer, Burlington, VT.

==Tools==

===Open Source===

* [http://sourceforge.net/projects/regviewer/ regviewer] -- a tool for looking at the registry.

===Commercial===

* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Registry Cleaner]
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]

==See Also==

* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
* [http://www.answers.com/topic/win-registry Windows Registry Information]
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia Article on Windows Registry]

[[Category:Bibliographies]]
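The following C++ sketch is an added example, not code from OCFA or the mmls module, showing the shape of a treegraph-style dissector: a node type holding meta-data and sub-nodes, and an mmls-like parser that turns the four primary MBR entries of a disk image into child nodes whose data is a carvpath reference into the parent image rather than a copied byte range. The `TreeNode` struct, the `offset+size` carvpath notation, the helper names and the 32 KiB sample image are all assumptions made for this illustration and do not reflect OCFA's real `TreeGraphNode` interface or LibCarvPath's syntax. The second partition entry is deliberately constructed to overrun the image, so the example also shows the bounds check a dissector needs before trusting an on-disk partition table.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <map>
#include <memory>
#include <string>
#include <vector>

// ASSUMPTION: stand-in for OCFA's TreeGraphNode. Only the concepts the page
// names are modelled: data (via a carvpath), meta-data and sub-nodes.
struct TreeNode {
    std::string name;
    std::map<std::string, std::string> meta;
    std::string carvpath;   // "offset+size" into the parent image (assumed notation)
    std::vector<std::unique_ptr<TreeNode>> children;
};

static uint32_t le32(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// mmls-style dissector: walks the four primary MBR entries and emits one child
// per populated entry. A child carries no copied bytes, only a carvpath into
// the parent plus the partition meta-data, which is where the storage saving
// described on the page comes from.
std::unique_ptr<TreeNode> dissectMbr(const std::vector<uint8_t>& image, uint64_t sectorSize = 512) {
    auto root = std::make_unique<TreeNode>();
    root->name = "image";
    root->carvpath = "0+" + std::to_string(image.size());
    if (image.size() < 512 || image[510] != 0x55 || image[511] != 0xAA) {
        root->meta["error"] = "no MBR signature";
        return root;
    }
    for (int i = 0; i < 4; ++i) {
        const uint8_t* e = &image[446 + 16 * i];
        uint8_t type = e[4];
        uint64_t startLba = le32(e + 8);
        uint64_t sectors = le32(e + 12);
        if (type == 0 || sectors == 0) continue;            // empty slot
        uint64_t off = startLba * sectorSize;
        uint64_t len = sectors * sectorSize;
        auto part = std::make_unique<TreeNode>();
        part->name = "partition" + std::to_string(i);
        char buf[16];
        std::snprintf(buf, sizeof buf, "0x%02x", type);
        part->meta["type"] = buf;
        part->meta["start_sector"] = std::to_string(startLba);
        part->meta["sector_count"] = std::to_string(sectors);
        // Never trust the table: an entry starting past the end of the evidence
        // gets no data reference, one that overruns is clamped and flagged.
        if (off >= image.size()) {
            part->meta["error"] = "starts outside image";
        } else {
            if (off + len > image.size()) {
                part->meta["truncated"] = "true";
                len = image.size() - off;
            }
            part->carvpath = std::to_string(off) + "+" + std::to_string(len);
        }
        root->children.push_back(std::move(part));
    }
    return root;
}

// Materialise a carvpath on demand, the way a CarvFs-style layer would for a
// soft link; returns an empty vector for a malformed or out-of-range path.
std::vector<uint8_t> resolve(const std::vector<uint8_t>& image, const std::string& cp) {
    size_t plus = cp.find('+');
    if (plus == std::string::npos) return {};
    uint64_t off = std::strtoull(cp.substr(0, plus).c_str(), nullptr, 10);
    uint64_t len = std::strtoull(cp.substr(plus + 1).c_str(), nullptr, 10);
    if (off > image.size() || len > image.size() - off) return {};
    return std::vector<uint8_t>(image.begin() + off, image.begin() + off + len);
}

// Constructed sample: a 64-sector (32 KiB) image with two MBR entries. Entry 1
// claims 100 sectors from LBA 20 and therefore overruns the image.
std::vector<uint8_t> sampleImage() {
    std::vector<uint8_t> img(64 * 512, 0);
    auto entry = [&](int i, uint8_t type, uint32_t lba, uint32_t count) {
        uint8_t* e = &img[446 + 16 * i];
        e[4] = type;
        for (int b = 0; b < 4; ++b) {
            e[8 + b] = uint8_t(lba >> (8 * b));
            e[12 + b] = uint8_t(count >> (8 * b));
        }
    };
    entry(0, 0x83, 2, 10);
    entry(1, 0x07, 20, 100);
    img[510] = 0x55; img[511] = 0xAA;
    for (size_t i = 2 * 512; i < 12 * 512; ++i) img[i] = 'A';   // recognisable partition 0 content
    return img;
}

// Accessors so a caller can inspect a result without walking the tree by hand.
size_t childCount(const TreeNode& n) { return n.children.size(); }
std::string childCarvpath(const TreeNode& n, size_t i) { return n.children.at(i)->carvpath; }
std::string childMeta(const TreeNode& n, size_t i, const std::string& k) {
    const auto& m = n.children.at(i)->meta;
    auto it = m.find(k);
    return it == m.end() ? "" : it->second;
}

int main() {
    auto img = sampleImage();
    auto root = dissectMbr(img);
    for (auto& c : root->children)
        std::printf("%s type=%s carvpath=%s%s\n", c->name.c_str(), c->meta["type"].c_str(),
                    c->carvpath.c_str(), c->meta.count("truncated") ? " (truncated)" : "");
    return 0;
}
```

Running the sample yields two child nodes: partition 0 with carvpath `1024+5120`, and partition 1 clamped to `10240+22528` and flagged as truncated because its table entry points past the end of the evidence. Neither node holds a copy of the partition bytes; `resolve` shows how a consumer turns the reference back into data only when it needs it.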