Difference between pages "Open Computer Forensics Architecture" and "Libevt"

From ForensicsWiki
= Open Computer Forensics Architecture =

The '''Open Computer Forensics Architecture''' ('''OCFA''') is a modular [[computer forensics framework]] built by the [[Dutch National Police Agency]]. The main goal is to automate the digital forensic process to speed up the investigation and give tactical [[investigator]]s direct access to the seized data through an easy-to-use search and browse interface.

The architecture forms an environment where existing forensic [[tools]] and libraries can be easily plugged into the architecture and can thus be made part of the recursive extraction of data and [[metadata]] from digital evidence.

The Open Computer Forensics Architecture aims to be highly modular, robust, fault tolerant, recursive and scalable in order to be usable in large investigations that span numerous terabytes of evidence data and cover hundreds of evidence items.

Modules in OCFA are separate processes, for reasons of fault tolerance. The [[OcfaLib API]] makes it possible and relatively easy to build an OCFA module out of any data processing library or tool. OCFA comes with numerous such modules that are mostly wrappers around libraries like [[libmagic]] or tools such as those found in the [[Sleuthkit]].

Communication between modules within OCFA is governed by a two-layered communication infrastructure provided by OCFA. At the lowest layer is a messaging system with the OCFA Anycast Relay at its center. The Anycast Relay provides module crash resistance, distributed processing load balancing and flow control.

At a higher level of communication, the OCFA XML Router routes each individual piece of evidence through the most appropriate tool chain for its particular type of content.

Although OCFA contains a rudimentary user interface, most of its power is in the backend architecture.

The last and final module in the tool chain of any evidence is the OCFA Data Store Module. This module processes the evidence XML (which contains all of the evidence data and its metadata) and stores the relevant parts into a PostgreSQL database. Extending the Apache-based user interface with interfaces for your own case-bound queries should prove very useful in most investigations.

For more information consult [http://sourceforge.net/projects/ocfa/ sourceforge.net/projects/ocfa/].

= Libevt =

{{Infobox_Software |
  name = libevt |
  maintainer = [[Joachim Metz]] |
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
  genre = {{Analysis}} |
  license = {{LGPL}} |
  website = [http://code.google.com/p/libevt/ code.google.com/p/libevt/] |
}}

The '''libevt''' package contains a library and applications to read [[Windows Event Log (EVT)]] files.

== History ==
Libevt was created by [[Joachim Metz]] in 2011.

== Tools ==
The '''libevt''' package contains the following tools:
* '''evtinfo''', which shows information about EVT files.
* '''evtexport''', which exports information from EVT files.

== External Links ==
* [http://code.google.com/p/libevt/ libevt project site]
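The Tools section says that evtinfo and evtexport read EVT files but does not describe what such a file looks like. The following is an added example, written for this page and not code from libevt or from the ForensicsWiki, that walks the EVT binary layout the way a forensic tool has to: the 48-byte file header, the "LfLe"-signed event records (each carrying its length twice, so a torn record can be detected), and the end-of-file record. The log it parses is constructed in memory; the event sources, IDs, computer name and insertion strings are sample values chosen for illustration and are not taken from the page.

```python
"""Minimal reader for the Windows Event Log (EVT) binary format (added example, not libevt code)."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

EVT_SIGNATURE = b"LfLe"
EVT_HEADER_FMT = "<I4s10I"             # 48-byte file header
EVT_RECORD_FMT = "<I4sIIIIHHHHIIIIII"  # 56-byte fixed part of an event record
EOF_SIGNATURE = (0x11111111, 0x22222222, 0x33333333, 0x44444444)
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Audit Success", 16: "Audit Failure"}


@dataclass
class EvtHeader:
    start_offset: int
    end_offset: int
    current_record_number: int   # number the next record written would get
    oldest_record_number: int
    max_size: int
    flags: int                   # bit 0 dirty, bit 1 wrapped, bit 2 log full, bit 3 archive


@dataclass
class EvtRecord:
    record_number: int
    time_generated: datetime
    time_written: datetime
    event_id: int                # full 32-bit identifier; the low 16 bits are the event code
    event_type: str
    source_name: str
    computer_name: str
    strings: list


def _utf16z(text):
    return text.encode("utf-16-le") + b"\x00\x00"


def _read_utf16z(data, offset):
    """Read a NUL-terminated UTF-16LE string; return (text, offset just past the terminator)."""
    end = offset
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[offset:end].decode("utf-16-le"), end + 2


def parse_header(data):
    (size, sig, _major, _minor, start, end, current, oldest,
     max_size, flags, _retention, size_copy) = struct.unpack_from(EVT_HEADER_FMT, data, 0)
    if sig != EVT_SIGNATURE or size != 0x30 or size_copy != 0x30:
        raise ValueError("not an EVT file header")
    return EvtHeader(start, end, current, oldest, max_size, flags)


def parse_record(data, offset):
    (length, sig, number, t_gen, t_wr, event_id, ev_type, n_strings, _cat, _flags,
     _closing, str_off, _sid_len, _sid_off, _data_len, _data_off) = struct.unpack_from(EVT_RECORD_FMT, data, offset)
    if sig != EVT_SIGNATURE or length < 60 or offset + length > len(data):
        raise ValueError(f"bad record header at offset {offset}")
    # The length is stored again as the last 4 bytes; a mismatch means a torn or corrupted record.
    (length_copy,) = struct.unpack_from("<I", data, offset + length - 4)
    if length_copy != length:
        raise ValueError(f"record length mismatch at offset {offset}")
    source, pos = _read_utf16z(data, offset + 56)          # source name follows the fixed part
    computer, _ = _read_utf16z(data, pos)                  # then the computer name
    strings, pos = [], offset + str_off                    # insertion strings at their own offset
    for _ in range(n_strings):
        text, pos = _read_utf16z(data, pos)
        strings.append(text)
    to_dt = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)   # 32-bit POSIX timestamps
    return EvtRecord(number, to_dt(t_gen), to_dt(t_wr), event_id,
                     EVENT_TYPES.get(ev_type, f"Unknown({ev_type})"), source, computer, strings)


def parse_records(data):
    """Walk records linearly from the header's start offset up to the EOF record.
    Wrapped (circular) logs and the dirty flag are deliberately not handled here."""
    header = parse_header(data)
    records, offset = [], header.start_offset
    while offset + 8 <= len(data):
        length, sig = struct.unpack_from("<I4s", data, offset)
        if length == 0x28 and offset + 40 <= len(data) and \
                struct.unpack_from("<4I", data, offset + 4) == EOF_SIGNATURE:
            break                                          # end-of-file record reached
        records.append(parse_record(data, offset))
        offset += length
    return header, records


def build_record(number, timestamp, event_id, event_type, source, computer, strings):
    """Serialise one record (no SID, no binary data) for the constructed sample log."""
    names = _utf16z(source) + _utf16z(computer)
    strings_offset = 56 + len(names)
    body = names + b"".join(_utf16z(s) for s in strings)
    tail = 56 + len(body)
    body += b"\x00" * ((-(56 + len(body) + 4)) % 4)        # keep the record 4-byte aligned
    length = 56 + len(body) + 4
    fixed = struct.pack(EVT_RECORD_FMT, length, EVT_SIGNATURE, number, timestamp, timestamp,
                        event_id, event_type, len(strings), 0, 0, number, strings_offset, 0, tail, 0, tail)
    return fixed + body + struct.pack("<I", length)


def build_evt(record_blobs, oldest_number, next_number, max_size=0x10000):
    body = b"".join(record_blobs)
    start, end = 48, 48 + len(body)
    header = struct.pack(EVT_HEADER_FMT, 0x30, EVT_SIGNATURE, 1, 1, start, end,
                         next_number, oldest_number, max_size, 0, 0, 0x30)
    eof = struct.pack("<10I", 0x28, *EOF_SIGNATURE, start, end, next_number, oldest_number, 0x28)
    return header + body + eof


# Constructed sample log: two records with made-up values (not taken from any real system).
SAMPLE_EVT = build_evt([
    build_record(1, 1342861500, 528, 8, "Security", "WORKSTATION1", ["Administrator", "WORKSTATION1"]),
    build_record(2, 1342861500, 6005, 4, "EventLog", "WORKSTATION1", []),
], oldest_number=1, next_number=3)

if __name__ == "__main__":
    hdr, recs = parse_records(SAMPLE_EVT)
    print(f"records {hdr.oldest_record_number}..{hdr.current_record_number - 1}, flags=0x{hdr.flags:x}")
    for r in recs:
        print(r.record_number, r.time_generated.isoformat(), r.source_name, r.event_id & 0xFFFF, r.event_type, r.strings)
```

The length-copy check is the cheap consistency test a forensic reader should keep even when it is lenient elsewhere: a record whose two length fields disagree was being written when the log was closed or has been altered, and silently walking past it misaligns every record that follows.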

Revision as of 09:05, 21 July 2012
