Open Computer Forensics Architecture

The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework that automates the digital forensic process, speeds up investigations, and gives tactical investigators direct access to the seized data through an easy-to-use search and browse interface. The architecture forms an environment into which existing forensic tools and libraries can easily be plugged, making them part of the recursive extraction of data and metadata from digital evidence. It aims to be highly modular, robust, fault tolerant, recursive, and scalable in order to be usable in large investigations that spawn numerous terabytes of evidence data and cover hundreds of evidence items.

Recent releases

  •  06 Aug 2009 05:52

    Release Notes: This patch level release fixes some bugs, including rulelist issues, build flags for OcfaModules, individual module dependencies, ppq cleanup issues, UI error reporting, and tree module issues. In addition to these fixes, several new modules were added, including a vinetto module, a pasco module, a multi-part rar module, and a mmls module. It also includes the OcfaJavaLib, which allows users to create their own ocfa modules in Java. Finally, it includes the first carvpath-aware module, mmls. This module can be used as a reference for creating (carvpath-aware) treegraph modules.

  •  02 Apr 2009 17:51

    Release Notes: A simpler and more powerful API for adding your own advanced (tree graph) dissector modules. A newly revived set of m4-based module code generators that makes getting started on your own OCFA modules a lot faster and simpler. A module for kick-starting ewf disk images into the framework, and a new photorec module for processing unallocated space and partitions not processed by the sleuthkit file-system tools. A set of improvements for speed and storage efficiency.

  •  04 Dec 2008 18:34

    Release Notes: This release adds routing on evidence global metadata, a Photorec module, and a more comprehensive router rule list. The smarter data store module dsm2 is now the default. makeoverview has been deprecated. dsm1 has been deprecated. staticmounts are no longer the default.

  •  11 Nov 2008 11:05

    Release Notes: Problems with bogus CVS tags that resulted in problems with installing the previous patchlevel release were fixed.

  •  04 Nov 2008 15:07

    Release Notes: Multiple minor changes and bugfixes were made. The tree module was added to ease libtreegraph-based module creation. Fixes were made in Apache virtual host creation from createcase. Fixes were made in how the Web interface handles errors. A race condition was fixed in store. Parsing of /proc/mounts now uses a tunable regex from the configuration. Processing colons in the mailwash module Magic install script was fixed so that it no longer uses and patches the existing system magic file, but instead installs a tuned bundled magic file.

