Open Computer Forensics Architecture
The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency. The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.
The architecture forms an environment where existing forensic tools and libraries can be easily plugged into the architecture and can thus be made part of the recursive extraction of data and metadata from digital evidence.
The Open Computer Forensics Architecture aims to be highly modular, robust, fault tolerant, recursive and scalable in order to be usable in large investigations that spawn numerous terabytes of evidence data and covers hundreds of evidence items.
Modules in OCFA for reasons of fault tolerance are processes. The basic OcfaLib API makes it possible and relatively easy to build an OCFA module out of any data processing library or tool. OCFA comes with numerous such modules that are mostly wrappers around libraries like libmagic or tools such as those found in the Sleuthkit.
The 2.2 version of OCFA (released April 2009) makes the previously internal OCFA treegraph API available for OCFA module development. The OCFA treegraph API allows more advanced dissectors that produce data and meta-data for a treegraph representation of an input file. The OCFA treegraph API also allows dissectors that are programed to be CarvFs aware to use zero storage carving.
Communication between modules within OCFA is governed by a two layered communication infrastructure as provided by OCFA. At the lowest layer is a messaging system with at is center the OCFA AnyCast-relay. The Anycast Relay provides the facilities of module crash resistance, distributed processing load balancing and flow control. At a higher level of communication, the OCFA XML Router provides for the routing of individual pieces of evidence through the most appropriate tool chain for its particular type of content.
Although OCFA contains a rudimentary user interface, most of its power is in the backend architecture. The last and final module in the tool chain of any evidence will be the OCFA Data Store Module. This module processes the evidence XML (that contains all of the evidence data its meta data) and stores relevant parts into a postgesql database. Extending the apache based user interface with interfaces for your own case bound queries is something that should proof very useful in most investigations.
Development and maintenance of OCFA by the Dutch National Police has been discontinued in 2012. The latest version of the orphaned code is available as the seperate github repositories ocfaLib , OcfaArch, OcfaJavaLib, OcfaModules and OcfaDocs on the Dutch National Police Github page.