Difference between pages "Open Computer Forensics Architecture" and "Libevt"

From Forensics Wiki
Open Computer Forensics Architecture

The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency. Its main goal is to automate the digital forensic process in order to speed up investigations and give tactical investigators direct access to the seized data through an easy-to-use search and browse interface.

The architecture forms an environment into which existing forensic tools and libraries can be plugged with little effort, so that they become part of the recursive extraction of data and metadata from digital evidence.

OCFA aims to be highly modular, robust, fault tolerant, recursive and scalable, so that it remains usable in large investigations that span many terabytes of evidence data and cover hundreds of evidence items.

For fault tolerance, OCFA modules are separate processes. The basic OcfaLib API makes it possible, and relatively easy, to build an OCFA module out of any data-processing library or tool. OCFA ships with numerous such modules, most of which are wrappers around libraries such as libmagic or tools such as those found in the Sleuthkit.

Version 2.2 of OCFA (released April 2009) makes the previously internal OCFA treegraph API available for OCFA module development. The treegraph API allows more advanced dissectors that produce data and metadata for a treegraph representation of an input file. It also allows dissectors that are programmed to be CarvFs aware to use Zero Storage Carving.

Communication between modules is governed by a two-layered communication infrastructure provided by OCFA. The lower layer is a messaging system with the OCFA Anycast Relay at its centre. The Anycast Relay provides module crash resistance, load balancing of distributed processing, and flow control.

At the higher layer, the OCFA XML Router routes each individual piece of evidence through the tool chain most appropriate for its particular type of content.

Although OCFA contains a rudimentary user interface, most of its power is in the back-end architecture. The last and final module in the tool chain of any piece of evidence is the OCFA Data Store Module. This module processes the evidence XML (which contains all of the evidence data and its metadata) and stores the relevant parts in a PostgreSQL database. Extending the Apache-based user interface with interfaces for your own case-bound queries should prove very useful in most investigations.

For more information consult sourceforge.net/projects/ocfa/ (http://sourceforge.net/projects/ocfa/).

Revision as of 04:05, 21 July 2012

libevt
Maintainer: Joachim Metz
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Analysis
License: LGPL
Website: code.google.com/p/libevt/

The libevt package contains a library and applications to read Windows Event Log (EVT) files.

History

Libevt was created by Joachim Metz in 2011.

Tools

The libevt package contains the following tools:

  • evtinfo, which shows information about EVT files.
  • evtexport, which exports information from EVT files.
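To make concrete what these two tools read, here is an added example (not code from libevt, and not its API) that parses the EVT file format directly: the 48-byte "LfLe" file header that evtinfo summarises, and the chain of variable-length records that evtexport dumps. The sample log it builds is constructed, not a real capture; the 528/529 event IDs, the Security source and the WS01 host name are made-up values chosen to look like pre-Vista logon audit records. The security-relevant point for anyone writing such a parser is that every size and offset comes from the evidence file and must be bounds-checked before use, and that a log copied while Windows still had it open (dirty flag) or a circular log that has wrapped can carry header offsets that no longer describe the file, in which case the records have to be located by scanning for their signature.

```python
"""Reader for the Windows EVT (pre-Vista event log) format; added example, not libevt code."""
import struct
from datetime import datetime, timezone

LFLE = b"LfLe"                                       # file header and record signature
FILE_HEADER = struct.Struct("<I4sIIIIIIIIII")        # 48-byte file header
RECORD_HEADER = struct.Struct("<I4sIIIIHHHHIIIIII")  # 56-byte fixed part of a record
HEADER_DIRTY, HEADER_WRAP = 0x0001, 0x0002           # header offsets may be stale / circular log wrapped
EVENT_TYPES = {1: "error", 2: "warning", 4: "information", 8: "audit success", 16: "audit failure"}

def _utf16z(data, pos, limit):  # NUL-terminated UTF-16LE string at pos, never read past limit
    end = pos
    while end + 2 <= limit and data[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > limit:
        raise ValueError("unterminated UTF-16 string at %#x" % pos)
    return data[pos:end].decode("utf-16-le"), end + 2

def parse_file_header(data):  # the 48-byte header is what evtinfo summarises
    if len(data) < FILE_HEADER.size:
        raise ValueError("file too small for an EVT header")
    size, sig, major, minor, start, end, current, oldest, max_size, flags, retention, end_size = FILE_HEADER.unpack_from(data, 0)
    if sig != LFLE or size != 0x30 or end_size != 0x30:
        raise ValueError("not an EVT file header")
    return {"version": (major, minor), "start_offset": start, "end_offset": end, "flags": flags,
            "current_record_number": current, "oldest_record_number": oldest, "max_size": max_size}

def parse_record(data, offset):  # one record; None if the end-of-file record sits at offset
    if data[offset + 4:offset + 8] != LFLE:
        return None
    if offset + RECORD_HEADER.size > len(data):
        raise ValueError("record %#x: truncated header" % offset)
    (size, _, number, t_gen, _, event_id, etype, nstrings, category, _, _,
     str_off, sid_len, sid_off, data_len, data_off) = RECORD_HEADER.unpack_from(data, offset)
    limit = offset + size
    # Every length and offset below comes from the file: validate it before dereferencing.
    if size < RECORD_HEADER.size + 4 or limit > len(data):
        raise ValueError("record %#x: size %d overruns the file" % (offset, size))
    if struct.unpack_from("<I", data, limit - 4)[0] != size:
        raise ValueError("record %#x: trailing size mismatch" % offset)
    if not (RECORD_HEADER.size <= str_off <= size and sid_off + sid_len <= size and data_off + data_len <= size):
        raise ValueError("record %#x: member offset outside the record" % offset)
    source, pos = _utf16z(data, offset + RECORD_HEADER.size, limit)
    computer, _ = _utf16z(data, pos, limit)
    strings, pos = [], offset + str_off
    for _ in range(nstrings):
        s, pos = _utf16z(data, pos, limit)
        strings.append(s)
    return {"size": size, "record_number": number, "source": source, "computer": computer,
            "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc).isoformat(),
            "event_id": event_id & 0xFFFF,  # low 16 bits are the ID Event Viewer shows
            "event_type": EVENT_TYPES.get(etype, "unknown(%d)" % etype), "category": category,
            "strings": strings, "user_sid": data[offset + sid_off:offset + sid_off + sid_len],
            "data": data[offset + data_off:offset + data_off + data_len]}

def _scan_records(data):  # dirty/wrapped log: ignore header offsets, find records by signature
    pos = FILE_HEADER.size
    while pos + 8 <= len(data):
        try:
            rec = parse_record(data, pos)
        except ValueError:  # signature false positive, or a record split by the wrap-around
            rec = None
        if rec is None:
            pos += 4
            continue
        yield rec
        pos += rec["size"]

def iter_records(data):  # records in header order (what evtexport dumps); scans if header untrusted
    hdr = parse_file_header(data)
    if hdr["flags"] & (HEADER_DIRTY | HEADER_WRAP):
        yield from _scan_records(data)
        return
    offset = hdr["start_offset"]
    while offset + 8 <= len(data):
        rec = parse_record(data, offset)
        if rec is None:  # reached the end-of-file record
            break
        yield rec
        offset += rec["size"]

def build_record(number, when, event_id, etype, category, source, computer, strings):
    z = lambda s: s.encode("utf-16-le") + b"\x00\x00"  # constructed sample data: no SID, no binary data
    body = z(source) + z(computer)
    body += b"\x00" * (-len(body) % 4)
    str_off = RECORD_HEADER.size + len(body)
    body += b"".join(map(z, strings))
    data_off = RECORD_HEADER.size + len(body)
    body += b"\x00" * (-(RECORD_HEADER.size + len(body)) % 4)
    size = RECORD_HEADER.size + len(body) + 4
    head = RECORD_HEADER.pack(size, LFLE, number, when, when, event_id, etype, len(strings), category, 0, 0, str_off, 0, str_off, 0, data_off)
    return head + body + struct.pack("<I", size)  # the size is repeated at the record end

def build_sample_evt():  # constructed two-record Security log, not a real capture
    recs = build_record(1, 1342843500, 528, 8, 2, "Security", "WS01", ["Administrator", "WS01", "(0x0,0x3E7)", "2"])
    recs += build_record(2, 1342843560, 529, 16, 2, "Security", "WS01", ["guest", "WS01", "2"])
    end = FILE_HEADER.size + len(recs)  # end_offset points at the EOF record
    head = FILE_HEADER.pack(0x30, LFLE, 1, 1, 0x30, end, 3, 1, 0x80000, 0, 0, 0x30)
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x30, end, 3, 1, 0x28)
    return head + recs + eof
```

Running `parse_file_header(build_sample_evt())` gives the header summary and `list(iter_records(build_sample_evt()))` the two decoded records. The `_scan_records` fallback is the part worth keeping in mind when triaging a seized log: with the dirty flag clear, a bogus `start_offset` makes the header-driven walk silently return nothing, whereas the signature scan still recovers every intact record; a record split across the wrap-around point of a circular log is skipped rather than reassembled by this example.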

External Links

  • libevt project site: http://code.google.com/p/libevt/