Minimal modules

In the Open Computer Forensics Architecture modules are processes that use the ocfalib library and do some processing on evidence data or on metadata belonging to this evidence data. The modules can be divided up into 3 main groups, depending on their functionality. Depending on the group they are in they will require access to specific parts of the ocfalib API.
Module type   Data read   Data create   Meta Iteration
extractor     Yes         No            No
dissector     Yes         Yes           No
expander      No          No            Yes
This means that a module of a specific type is given a kind of capability for accessing the relevant parts of the API (in the 1.0 version these were actual compile-time enforced capabilities; they were factored out in 2.0 due to several issues not relevant here). Next to the iterable metadata used by expander modules, the ocfalib API also gives access to some very generic, non-optional metadata. A module that does not need any of the 3 capabilities described above is therefore a minimal module. Currently the distribution comes with only a single minimal module, the digest module.

The digest module

Positive or negative hit:
The digest of each piece of evidence makes it possible to generate positive or negative hits, depending on which database references the digest that was found. Evidence whose digest is found in the NIST database can be ignored, but when the digest is found in the child abuse database a trigger should fire.
The digest module compares the calculated digest against known hashsets. The hashes (md5 and sha1) are calculated by the ocfalib library, triggered by the kickstart, eekickstart or a dissector module while the evidence is being inserted or derived.

Evidence may be known by its digest to one or more software and/or data library databases, such as the one made available by NIST. The NIST database contains the digests of many known software product files. Other digest sources might provide the digests of known child abuse image libraries or of any other distinct set of known files. The digest module requests the digests of each piece of evidence it receives and looks them up in a set of Berkeley db database files. If it finds the digest, it adds some metadata values to the metadata of the evidence data instance, among which is the digestsource. In addition, it records the digest of any unknown evidence data it processes, so that when a second copy of the same evidence data is submitted to the digest module it remembers that it has seen the file before and adds the metadata digestsource=SELF to indicate that the data has already been seen and processed. The router may use this information, via the rulelist, for further processing.

The digestdb creation script

The digest module uses a Berkeley db file containing some basic information about the origins of known files. A script is available to convert files in the format defined by NIST for their digest sets. In the source distribution you will find this script in OcfaModules/minimal/digest/init/; it is named createshadb2.pl. Before calling this script you should first create a text file that points to the location of your NIST-style digest information. This file should contain a set of lines. Each line should begin with the name of the digest source (for example NIST), followed by the location of the relevant product file and the location of one or more digest files.
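The following is an added example and not part of OCFA or the digest module's own code. It models, in Python, both the index file described above (source name, product file, one or more digest files per line) and the lookup behaviour described in the previous section (a known digest yields its digestsource, an unknown digest is remembered so that a repeat submission is tagged digestsource=SELF). Assumptions, none of which come from the page: index fields are whitespace-separated, each digest file is a CSV with SHA-1 and MD5 columns (a constructed stand-in for the NIST layout), a Python dict stands in for the Berkeley db files, and the sample index, file paths and file contents are all constructed here.

```python
import csv
import hashlib
import io
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class IndexEntry:
    """One line of the index file: source name, product file, digest file(s)."""
    source: str
    product_file: str
    digest_files: List[str]


def parse_index(text: str) -> List[IndexEntry]:
    """Parse the index file; fields are assumed to be whitespace-separated."""
    entries: List[IndexEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields:
            continue  # blank line
        if len(fields) < 3:
            raise ValueError(
                f"index line {lineno}: expected source, product file and at least one digest file"
            )
        entries.append(IndexEntry(source=fields[0], product_file=fields[1], digest_files=fields[2:]))
    return entries


def load_digests(entries: List[IndexEntry], read_file: Callable[[str], str]) -> Dict[str, str]:
    """Build the digest -> source map that the module keeps in its Berkeley db files.

    Assumes each digest file is CSV with SHA-1 and MD5 columns (constructed layout).
    The first source that lists a digest wins.
    """
    db: Dict[str, str] = {}
    for entry in entries:
        for path in entry.digest_files:
            for row in csv.DictReader(io.StringIO(read_file(path))):
                for column in ("SHA-1", "MD5"):
                    digest = row[column].strip().lower()
                    if digest:
                        db.setdefault(digest, entry.source)
    return db


class DigestModule:
    """Lookup step: known digests get their digestsource; unknown ones are
    remembered so that a repeat submission is tagged digestsource=SELF."""

    def __init__(self, db: Dict[str, str]) -> None:
        self.db = db
        self.seen: set = set()  # digests already processed but not in any hashset

    def annotate(self, data: bytes) -> Dict[str, str]:
        md5 = hashlib.md5(data).hexdigest()
        sha1 = hashlib.sha1(data).hexdigest()
        meta = {"md5": md5, "sha1": sha1}
        source = self.db.get(sha1) or self.db.get(md5)
        if source is not None:
            meta["digestsource"] = source
        elif sha1 in self.seen:
            meta["digestsource"] = "SELF"
        else:
            self.seen.add(sha1)
        return meta


# --- constructed sample data (hypothetical paths, not real hashsets) ---------
KNOWN_NIST = b"bytes of a file we pretend NIST lists"
KNOWN_CA = b"bytes of a file we pretend the second source lists"

SAMPLE_INDEX = """\
NIST   /opt/hashsets/nist/NSRLProd.txt  /opt/hashsets/nist/NSRLFile.txt
CASET  /opt/hashsets/ca/prod.txt        /opt/hashsets/ca/part1.txt /opt/hashsets/ca/part2.txt
"""

SAMPLE_FILES = {
    "/opt/hashsets/nist/NSRLFile.txt":
        "SHA-1,MD5,FileName\n"
        f"{hashlib.sha1(KNOWN_NIST).hexdigest()},{hashlib.md5(KNOWN_NIST).hexdigest()},setup.exe\n",
    "/opt/hashsets/ca/part1.txt":
        "SHA-1,MD5,FileName\n"
        f"{hashlib.sha1(KNOWN_CA).hexdigest()},{hashlib.md5(KNOWN_CA).hexdigest()},img001.jpg\n",
    "/opt/hashsets/ca/part2.txt": "SHA-1,MD5,FileName\n",  # header only
}


def build_module() -> DigestModule:
    """Wire index parsing, digest loading and lookup together over the sample data."""
    return DigestModule(load_digests(parse_index(SAMPLE_INDEX), SAMPLE_FILES.__getitem__))


if __name__ == "__main__":
    module = build_module()
    for blob in (KNOWN_NIST, KNOWN_CA, b"unknown", b"unknown"):
        print(module.annotate(blob).get("digestsource", "<none>"))
```

The `seen` set is what gives the SELF behaviour its meaning for the router: the first submission of unknown data produces no digestsource at all, so a rulelist that branches on digestsource sees the difference between "never seen" and "seen before but in no hashset".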