Difference between pages "Open Computer Forensics Architecture" and "DEFT Linux 2"

From Forensics Wiki
The '''Open Computer Forensics Architecture''' ('''OCFA''') is a modular [[computer forensics framework]] built by the [[Dutch National Police Agency]]. Its main goal is to automate the digital forensic process in order to speed up investigations and give tactical [[investigator]]s direct access to the seized data through an easy-to-use search and browse interface.
  
The architecture forms an environment where existing forensic [[tools]] and libraries can be easily plugged into the architecture and can thus be made part of the recursive extraction of data and [[metadata]] from digital evidence.
  
The Open Computer Forensics Architecture aims to be highly modular, robust, fault tolerant, recursive and scalable, so that it remains usable in large investigations that span many terabytes of evidence data and cover hundreds of evidence items.
  
For fault tolerance, OCFA modules are separate processes. The basic [[OcfaLib API]] makes it possible, and relatively easy, to build an OCFA module out of any data-processing library or tool. OCFA ships with numerous such modules, mostly wrappers around libraries such as [[libmagic]] or tools such as those found in the [[Sleuthkit]].
  
The 2.2 version of OCFA (released April 2009) makes the previously internal [[OCFA treegraph API]] available for OCFA module development. The treegraph API allows more advanced dissectors that produce data and metadata for a treegraph representation of an input file. It also allows dissectors that are programmed to be [[CarvFs]]-aware to use [[zero storage carving]].
  
Communication between modules within OCFA is governed by a two-layered communication infrastructure provided by OCFA. At the lowest layer is a messaging system with the OCFA Anycast Relay at its center. The Anycast Relay provides module crash resistance, load balancing for distributed processing, and flow control.

At the higher layer, the OCFA XML Router routes each individual piece of evidence through the tool chain most appropriate for its particular type of content.
  
Although OCFA contains a rudimentary user interface, most of its power lies in the backend architecture.

The last and final module in the tool chain of any evidence item is the OCFA Data Store Module. This module processes the evidence XML (which contains all of the evidence data and its metadata) and stores the relevant parts in a PostgreSQL database. Extending the Apache-based user interface with interfaces for your own case-bound queries is something that should prove very useful in most investigations.

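The routing-and-store chain described above, as an added illustration that is not OCFA's own code and does not use the OcfaLib or treegraph APIs: a content sniff chooses the dissector for each evidence item, items derived from it (archive members here) are fed back through the same chain, and the last stage records every item with its parent in a database that case-bound queries can run against. The names (`sniff`, `process`, `Store`, `ROUTES`) and the sample zip are assumptions made for this toy. Where OCFA runs modules as separate processes joined by the Anycast Relay and XML Router, consumes evidence XML and stores into PostgreSQL, the toy uses plain functions, a dict keyed on content type, and in-memory SQLite. It also adds a recursion bound, which is the guard a practitioner wants when an archive nests itself or a zip bomb turns up.

```python
"""Toy model of OCFA-style type-routed, recursive extraction with a final
store stage. Added illustration, not OCFA code: modules are functions, the
router is a dict on a libmagic-style sniff, the store is in-memory SQLite,
and the evidence is a constructed zip from build_sample_evidence()."""
import hashlib
import io
import json
import sqlite3
import zipfile


def sniff(data: bytes) -> str:
    """Stand-in for the libmagic wrapper module: classify by leading bytes."""
    if data[:4] == b"PK\x03\x04":
        return "application/zip"
    try:
        data.decode("utf-8")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"


# Dissector modules return (metadata, children); each child is a derived
# evidence item (name, bytes) that is routed through the chain in turn.
def dissect_zip(data: bytes):
    children = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                children.append((info.filename, zf.read(info)))
    return {"entries": len(children)}, children


def dissect_text(data: bytes):
    lines = data.decode("utf-8").splitlines()
    return {"lines": len(lines), "first_line": lines[0] if lines else ""}, []


def dissect_default(data: bytes):
    return {}, []


# Stand-in for the XML Router: pick the tool chain by content type.
ROUTES = {"application/zip": dissect_zip, "text/plain": dissect_text}


class Store:
    """Final module of every chain; SQLite stands in for PostgreSQL."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE evidence (id INTEGER PRIMARY KEY, parent INTEGER, "
            "name TEXT, mime TEXT, sha256 TEXT, size INTEGER, meta TEXT)")

    def put(self, parent, name, mime, data, meta):
        cur = self.db.execute(
            "INSERT INTO evidence (parent, name, mime, sha256, size, meta) "
            "VALUES (?, ?, ?, ?, ?, ?)",
            (parent, name, mime, hashlib.sha256(data).hexdigest(),
             len(data), json.dumps(meta, sort_keys=True)))
        return cur.lastrowid

    def rows(self):
        return self.db.execute(
            "SELECT id, parent, name, mime, size FROM evidence ORDER BY id"
        ).fetchall()

    def meta_of(self, item_id):
        row = self.db.execute(
            "SELECT meta FROM evidence WHERE id = ?", (item_id,)).fetchone()
        return json.loads(row[0])


def process(store, name, data, parent=None, depth=0, max_depth=8):
    """Route one item through its chain, then recurse into derived items.
    max_depth bounds the recursion so a self-nesting or bomb archive cannot
    run extraction forever; the item is still recorded, marked truncated."""
    mime = sniff(data)
    if depth >= max_depth:
        meta, children = {"truncated": True}, []
    else:
        meta, children = ROUTES.get(mime, dissect_default)(data)
    item_id = store.put(parent, name, mime, data, meta)
    for child_name, child_data in children:
        process(store, child_name, child_data, item_id, depth + 1, max_depth)
    return item_id


def build_sample_evidence() -> bytes:
    """Constructed evidence item: a zip holding a text note and a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("secret/keys.txt", "alpha\nbeta\ngamma\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", "seized laptop, case 42\n")
        zf.writestr("backup.zip", inner.getvalue())
    return outer.getvalue()


def run(max_depth=8) -> Store:
    store = Store()
    process(store, "evidence01.zip", build_sample_evidence(), max_depth=max_depth)
    return store


if __name__ == "__main__":
    for row in run().rows():
        print(row)
```

Run stand-alone it records four items: the outer zip, its text note, the nested zip, and the text file inside that, each carrying the id of the item it was extracted from, so a case-bound query such as "every text/plain item under evidence 1" is a single SELECT over the table. With `max_depth=0` only the outer zip is recorded and flagged truncated, which is the behaviour you want when recursion is cut short rather than silently dropping the item.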
For more information consult [http://sourceforge.net/projects/ocfa/ sourceforge.net/projects/ocfa/].

Revision as of 10:42, 13 March 2009

DEFT v2 Linux
Maintainer: Stefano Fratepietro
OS: Linux
Genre: Live CD
License: GPL, others
Website: http://www.deftlinux.net

DEFT v2 is a Live CD built on top of Kubuntu 7.04 that bundles tools for computer forensics and incident response.

Tools included

Deft v2 computer and network forensic packages list:

- Sleuthkit, collection of UNIX-based command line tools for investigating a computer
- Autopsy, graphical interface to the command line digital investigation tools in The Sleuth Kit
- AFFLIB, library for the Advanced Forensic Format (AFF)
- gpart, tool which tries to guess the primary partition table of a PC-type hard disk
- dd rescue, copies data from one file or block device to another
- foremost, console program to recover files based on their headers, footers and internal data structures
- hexdump, combined hex and ASCII dump of any file
- khexedit, a versatile and customizable hex editor
- stegdetect, steganography detection tool
- outguess, steganography tool
- ophcrack, Windows password recovery
- wireshark, network sniffer and protocol analyzer
- ettercap, network sniffer
- nessus, vulnerability and security scanner (client)
- nessusd, vulnerability and security scanner (server)
- nmap, network scanner
- airsnort, wireless LAN (WLAN) tool which recovers WEP encryption keys
- kismet, sniffer and intrusion detection system that works with any wireless card
- dmraid, discovers software RAID devices
- testdisk, tool to recover damaged partitions
- qtparted, a Partition Magic clone written in C++ using the Qt toolkit
- vinetto, tool to examine Thumbs.db files
- TrID, tool to identify file types from their binary signatures
- readpst, a tool to read MS Outlook PST files
- john, John the Ripper password cracker
- clam, ClamAV antivirus

Deft v2 utility package list:

- Linux Kernel 2.6.20
- KDE 3.5.6
- k3b
- krdc
- rdesktop
- VMware client
- Samba client
- OpenSSH client & server
- speedcrunch