Open Computer Forensics Architecture / News: Recent posts

CarvFS and LibTsk integration.

We just published the first release candidate for the 2.3.0 release of OCFA. The most important changes to this release are:

* New libtsk based CarvFs aware modules for processing filesytems.
* New carvpathrepository based kicktree modules for kickstarting ewf files (libewf) and raw dd files.
* A new scalpel based CarvFs aware module for zero storage carving.
* A new verry powerfull (but still slightly experimental) alternative router provided by the FIVES project.
* Some bug and memory leak fixes.... read more

Posted by rob@klpd 2010-11-03

CarvPath moved to its own project.

The LibCarvPath library, the CarvFs filesystem and the CarvFS-ModEwf EWF module for CarvFS are beeing moved to their own sourceforge project. We created the project page a while ago, but hadn't released any new versions nor taken any action to migrate old versions to the CarvPath project page. Today we released new versions of each of these packages.

As we are moving away OCFA from the (carvpath aware) sleuthkit tools to libtsk3 based modules, we are (for the moment) dropping support for the carvpath aware versions of the sleuthkit tools mmls,dls and icat that were packaged in tsk-cp. Anyone willing to take over maintenance of tsk-cp, please let us know.

Posted by rob@klpd 2010-03-03

Releass of ocfa 2.2.0 Patch level 1

The ocfa team is proud to announce the first patch-level release of OCFA Version 2.2.0. This patch level was necessary to fix some bugs, including:
* rulelist issues
* 64 BIT size_t issue in OcfaModules
* configuration scripts
* nasty PPQ bug
* better error reporting userinterface

Also the first steps forward to use the new mmls treemodules are made. This should open the door to a carvpath enabled version of OCFA.
Furthermore, the Java version of the OcfaLib is now included. ... read more

Posted by KLPD TDE development team 2009-08-05

2.1.1 release OCFA

This new release of the Open Computer Forensics Architecture (OCFA) adds the following new features:

* Routing on evidence global metadata. This makes tool chain preparation in the router rulelist much more manageable.
* A photorec module for carving in unallocated data.
* A more comprehensive router rulelist.
* The smarter data store module (dsm2) is now default. This way the forensic metadata database will maintain proper typing for metadata.... read more

Posted by KLPD TDE development team 2008-12-04

New version of carvfs/libcarvpath/tsk-cp

The new version of carvfs/libcarvpath/tsk-cp revolve around a set of two patches concerning libcarvpath.
The first minor patch involves the carvpath syntax that previously used the ':' character that conflicted with the need to export carvfs to non posix operatingsystems. The second patch concerns the previous problems that carvfs had with carvpaths for highly fragmented files that exceeded the maximum token or maximum path length.
Libcarvpath now comes with a simple (sqlite) longtoken database that is used to allow long tokens to be represented by their (sha1) digest.

Posted by KLPD TDE development team 2008-03-19

2.1 release OCFA

The 2.1 version of OCFA includes some refactored subsystems, that should make the architecture a bit faster and easier to integrate with other programming languages like Java and Perl. Further it should now with the new treegraph library be a lot simpler to create custom treegraph based modules for the architecture.

Posted by KLPD TDE development team 2008-03-18

Ocfa 2.0.6 patchlevel3: bugfix indexer frontend

A minor bug was fixed that made some installations end up with empty green pages in the indexer frontend. If you have observed this problem than you should upgrade to 2.0.6pl3

Posted by KLPD TDE development team 2008-01-17

Open Computer Forensics Architecture: 2.0.6 patchset 2

A modular computer forensics framework.The project aims to be highly modular, robust,fault tolerant, recursive and scalable in order to be usable in large investigations that spawn numerous terabytes of evidence data and covers hundreds of evidence items.

The patch level 2 of ocfa fixes a number of issues, the most important one is a workaround for the fact that the lucene indexer is unable to process large files without allocating very large amounts of memory.... read more

Posted by KLPD TDE development team 2007-11-15

0.3.0 release of carvfs

The 0.3 release ads support for using multi part dd images with carvfs. Next to this, the sleuthkit patches NTFS support has been enhanced. A script has been included to make a simple symlink based export of an image using the sleutkit tools and scalpel.
Finaly, isisfs, an experimental filesystem for repositories has been added to the carvfs release.

Posted by KLPD TDE development team 2007-08-17

Memory leaks patched in Ocfa 2.0.6

The patch level 1 release of Ocfa 2.0.6 fixes a memory leak in the evidence library. Next to this, a patched string module and rulelist help to provide a workaround for a memory hungry indexer module.

Posted by KLPD TDE development team 2007-08-17

2.0.6 release: documentation and quality enhancement

The 2.0.6 release of the open computer forensics architecture, answers the demand for documentation that was rather minimal in previous version.
Next to documentation, the 2.0.6 contains many quality enhancements, many of which are the result of a thorough code review of large parts of the
OcfaLib library.

Posted by KLPD TDE development team 2007-05-23

CarvFs compatibility fixes

The new 0.2.1 version of CarvFs now works together
with the latest beta versions of libewf, contains a new set of patches to the new release of the sleuthkit, and contains a tool in order to work in conjunction with the new preview mode of the latest
scalpel release.

Posted by KLPD TDE development team 2006-12-29

Bugfix release 2.0.3

The 2.0.3 release fixes a wide range of small and medium bugs, many related to the fault tolerance of
specific modules and installation issues.
Also an enhancement to the ppqoverview user interface is added for beter integration with the
metadata browser.

Posted by KLPD TDE development team 2006-12-21

CarvFS zero-storage carving filesystem and sleuthkit patches

The CarvFS filesystem is a pseudo filesystem used to
represent carved fragments in image files (currently ewf files and still limmited support for raw dd files) as zero-storage files. This first carvfs release also contains a patch to the sleuthkit that holds carvpath versions of mmls,dls and icat, so using these tools in a zero-storage way becomes possible. The upcomming version of OCFA will include an updated sleuthkit wrapper module that uses these tools in order to greatly limit ocfa storage requirements.

Posted by KLPD TDE development team 2006-11-09

Carve Path library for zero-storage carving

The first public version of libcarvpath is realeased. This library realises the low level
functions for computer forensic carving tools that want to support zero-storage carving. The upcomming next release of OCFA will use libcarvpath to support
zero-storage carving. For more info see: http:://

Posted by KLPD TDE development team 2006-11-08

First public release of open computer forensics architecture

Today the dutch national police, with version 2.0.2, re-releases the open computer forensics architecture as a completely open source product. Propriatary code and library usage has been stripped and where essential has
been replaced. The open computer forensics architecture switched to the open source indexer
clucene and is thus now released as a fully usable open source product.

Posted by KLPD TDE development team 2006-06-22