KLPD

The Carve Path Zero-storage Library and filesystem

KLPD:
Dutch National Police Agency. See http://www.politie.nl/overige/English/ for more information.

LibCarvPath is a library for computer forensics carving tools. The library provides in the low level needs of zero-storage carving. It does this by providing an interface to hierarchically ordered fragment lists, and allowing these fragment lists to be converted to and from virtual file paths. These special virtual file paths can be used in conjunction with the CarvFS filesystem, a pseudo filesystem build using fuse and LibCarvPath.

LibCarvPath and CarvFS were build by the Dutch National Police Agency in an effort to provide zero-storage carving possibilities to the Open Computer Forensics Architecture , but efford has been made to make LibCarvPath and CarvFS usable outside of the context of this architecture.

CarvFS and Zero storage carving

With the usage of the Open Computer Forensics Architecture it was recognized that carving tools that use a copy out approach to carving greatly increase the storage needs of large investigations up to a point where the storage needs make low level carving financially incompatible with multi terabyte image data investigations. LibCarvPath provides a possibility to avoid copy out pollicy for forensic tools to a large extend and for many tools in such a way that we can aproach zero-storage for carving results.

CarvFS and Image formats

CarvFS is a tool that links carvpaths to different types of image files, and makes them available through a virtual filesystem. The different types of image files can be used using a loadable module interface. Currently a module for ewf files exists that uses libewf , and work is being done on raw image files. Possibly future modules may include support for aff and gfzip.

Carving tools

The CarvFS distribution currently contains a set of patches for the sleuthkit . These patches hold carvpath versions of the mmls,dls and icat tools. Carvpath patched versions of low level carving tools like scalpel are currently being looked at.

Download

For the sources of CarvFS and LibCarvPath, go to the download section of the OCFA project page


SourceForge.net Logo