OCFA
Nadir Hajiyani
CSC 253



Agenda
• What
• Who
• Specification
• Architecture - How
• Snapshots
• Help
• Open Source
• Disadvantages
• Advantages
• References


What is OCFA?
• Open Computer Forensics Architecture
• Modular framework
• Goal:
  - Automate the digital forensic process
  - Direct access to seized data
  - Forensics on very large and complex systems
  - Allows researchers to conduct searches to find key evidence and testimony


Who? The Man
• Dutch National Police of the Netherlands
• KLPD - Korps Landelijke Politiediensten (KLPD)
• OCFA - open source tool for professional criminal investigators
• The Man: Jochen van der Wal (KLPD)
• Existing forensic tools and libraries
• First step: a specialist extracts the evidence
• Second step: investigators use a simple web interface


Technical Specifications
• Installable OCFA 2.0.2 package exists for Debian, Ubuntu, SUSE
• Folder includes RPMs or DEBs
• Number of additional packages and installation guides
• Lots to install in a Linux environment; you had better know some commands
• "Oh, jump off the Windows"


Technical Specifications (contd)
• Others: libpq5, libpg-perl, postgresql, perl


The Digital Washing Machine
• The entire analysis process is viewed as a Digital Data Wash (Digiwash)
• Roots from 'digitale wasstraat'
• Bulk evidence
• Automatic analysis and characterization of files
• Digiwash identifies file types
• Indexes files
• Extracts raw text (antiword), converts PDF files (pdftotext)
• Extracts mails (mailwash)
• Captures info in PGP, mapping key IDs in mail
• Groups photos and thumbnails
• Integrates hash databases of known Windows files
• Recursively analyses all the data


Architecture (Ahhhhh)
• Router - central - recursive file processing
• Calls external software before return
• Relay handles communication and co-ordinates messaging
• Investigators run multiple instances - distributed system
• Can use additional software packages if necessary
• Automates communication between investigator and experts
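The washing-machine pipeline and the router described on the two slides above reduce to one loop: hash the item, skip it if the hash is in a known-file database, identify its type, hand it to a module, and feed whatever the module produces back into the same loop. The Python below is an added illustration written for this page, not OCFA's own code or its Ocfa.Lib API. The Evidence record, the module names (zip_module, mail_module, text_module) and the sample evidence archive are constructed for the example; the stand-ins for antiword, pdftotext and mailwash are deliberately tiny. It adds two things a practitioner wants in such a router that the slides do not mention: a recursion depth limit and per-item error capture, so that a malformed or deeply nested container is recorded as an error instead of stalling the whole run.

```python
"""Toy recursive evidence router in the spirit of OCFA's "digital washing machine".
Added illustration for this page; not OCFA code. All module names are hypothetical."""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field


@dataclass
class Evidence:
    """One evidence item plus the metadata the pipeline derives for it."""
    path: str
    data: bytes
    meta: dict = field(default_factory=dict)
    children: list = field(default_factory=list)


def identify(data: bytes) -> str:
    """Magic-byte sniffing; a crude stand-in for OCFA's file-type identification step."""
    head = data[:512]
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith((b"From:", b"Subject:")) or b"\nSubject:" in head:
        return "mail"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def zip_module(ev: Evidence) -> list:
    """Container module: unpack the archive and hand every member back to the router."""
    with zipfile.ZipFile(io.BytesIO(ev.data)) as zf:
        return [Evidence(f"{ev.path}/{n}", zf.read(n)) for n in zf.namelist() if not n.endswith("/")]


def mail_module(ev: Evidence) -> list:
    """Mail module (cf. mailwash): record the headers, return the body for further washing."""
    raw_headers, _, body = ev.data.partition(b"\n\n")
    headers = {}
    for line in raw_headers.split(b"\n"):
        name, _, value = line.partition(b":")
        headers[name.decode(errors="replace").strip().lower()] = value.decode(errors="replace").strip()
    ev.meta["headers"] = headers
    return [Evidence(f"{ev.path}/body", body)]


def text_module(ev: Evidence) -> list:
    """Text module: a word count stands in for the full-text indexer."""
    ev.meta["words"] = len(ev.data.split())
    return []


MODULES = {"zip": zip_module, "mail": mail_module, "text": text_module}


def route(ev: Evidence, known_sha1: set, depth: int = 0, max_depth: int = 8) -> Evidence:
    """Router: hash, check the known-file database, identify, dispatch, recurse into results."""
    ev.meta["sha1"] = hashlib.sha1(ev.data).hexdigest()
    ev.meta["known"] = ev.meta["sha1"] in known_sha1
    ev.meta["type"] = identify(ev.data)
    if ev.meta["known"]:
        return ev  # known system file: nothing to extract, do not recurse
    if depth >= max_depth:
        ev.meta["error"] = "max recursion depth reached"  # guards against nested-archive bombs
        return ev
    module = MODULES.get(ev.meta["type"])
    if module is not None:
        try:
            for child in module(ev):
                ev.children.append(route(child, known_sha1, depth + 1, max_depth))
        except (zipfile.BadZipFile, ValueError) as exc:
            ev.meta["error"] = f"{module.__name__}: {exc}"  # one bad item must not stop the wash
    return ev


def flatten(ev: Evidence):
    yield ev
    for child in ev.children:
        yield from flatten(child)


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_case():
    """Constructed evidence image: a known system file, a mail, a nested archive, a corrupt one."""
    known_file = b"MZ known system binary (constructed)"
    mail = b"From: alice@example.test\nSubject: meeting\n\nSee the attached notes about the meeting."
    inner = make_zip({"notes.txt": b"one two three four five"})
    image = make_zip({"system.exe": known_file, "inbox/msg1.eml": mail,
                      "docs.zip": inner, "broken.zip": b"PK\x03\x04garbage"})
    known = {hashlib.sha1(known_file).hexdigest()}  # stand-in for the known-Windows-files hash DB
    return Evidence("image.zip", image), known


def run_sample() -> dict:
    """Wash the constructed image and return path -> derived metadata for every item."""
    root, known = build_sample_case()
    route(root, known)
    return {ev.path: ev.meta for ev in flatten(root)}


if __name__ == "__main__":
    for path, meta in run_sample().items():
        print(path, meta["type"], "known" if meta["known"] else "", meta.get("error", ""))
```

Running it lists seven items: the image itself, the known file (hashed, typed, never dispatched), the mail and its extracted body, the nested archive and the text inside it, and the corrupt archive with its error recorded. A real deployment would replace the stand-in modules with calls to the external tools the slides name and keep the router's skip-known, dispatch and recurse structure.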


Snap Shots (Time To Peek)


Got some more help - SPSS
• Jochen van der Wal, technical engineer, said: "After implementing SPSS Text Mining software and deploying it to a crime case, we found an essential connection within just five minutes – which we couldn't have found in the past three months of investigations. The combination of the OCFA framework and SPSS text analysis functionality to analyze huge amounts of evidence allows us to gain rapid insights in unstructured data."
• SPSS - predictive analytics software and solutions
• Since 1968; 250,000 customers; 1,200 employees in 60 countries
• Dutch police (KLPD) uses the SPSS Text Mining software
• To uncover hidden patterns and relations in text
• Pulls key concepts from unstructured data and groups them


Open Development
• Ocfa.Lib API:
  - C++ API
  - Gain read access
  - Use its own dir
  - Derive evidence
  - Access meta data
• Example on the website
• Step-by-step procedure: how to develop an OCFA module to be used in the OCFA framework


Disadvantages
• Takes forever to install and set up
• Complex and time consuming
• Linux versions available in the open source market
• Does not have a set community to help and support
• A lot of help and material is available in Dutch, which keeps the average user away
• Being discussed and looked at from a research point of view
• Has not delivered efficiently
• Very little to no support


Advantages
• Good at interfacing with other software and libraries
• Users can develop their own modules using the API
• Do not have to wait for a patch; can mould it as the situation requires
• Supports EnCase and FTK; multi-part EnCase files
• Has a simple interface
• Supports large and complex forensic analysis projects
• Stable
• Scalable
• Fault isolation
• Recoverable
• Portable
• Robust


Welcome to the Future (Star Trek moment)
• Windows version: the Dutch Police have it for their internal use. Called Washbrush, it analyses Outlook and its mailboxes
• More OCFA modules to come
• Better interface
• The software will not be GPL'd but released via NDA (non-disclosure agreement)
• Java API
• Perl API
• Other projects - CarvPath project - carving


My opinion
• Initial shock to find not much help
• SourceForge demotivates
• Very little documentation
• Good specifications for Ubuntu
• Language problems
• Each module installation prompted for some dependency
• Seriously needs a community
• How would it be proved in court?
• Very powerful


References
1. OCFA: ocfa.sourceforge.net
2. Dutch Police: http://www.politie.nl/English/
3. The Sleuth Kit: http://www.sleuthkit.org/
4. http://www.spss.com/
5. http://cs.uno.edu/~golden/Stuff/ifip2007-final.pdf
6. Other projects: http://www.forensicswiki.org/wiki/Carver_2.0_Planning_Page

Thank You
