The OCFA Filesystem abstraction library
The ocfa library contains tree-walking code
for the traversal of directories with evidence data. The tree-walking
code traverses a directory tree and gathers relevant data and
metadata along the way. The filesystem abstraction library was created
to facilitate this tree-walking process in a generic way, for normal
directories but also potentially for any type of tree graph. It tries
to define an abstraction layer that can generically map any structure
that is mappable to a tree graph onto such a tree graph, and to expose
the data and metadata, whatever this metadata is, through a simple API
usable by ocfalib. The library consists of a core library for normal
directory access and for base classes usable by loadable modules. These
modules can be explicitly loaded by a module.
EncaseExportOfFilesystem
The EncaseExportOfFilesystem module is currently the only available
non-core module for the filesystem abstraction library. It tries to map
the structure and filenames used by the EnCase export functionality to
proper tree structures and metadata values. In the near future this
module will likely be deprecated in favour of a loadable module based
on Sleuth Kit 2.04.