Uforia: Universal forensic indexer and analyzer


ORIGINAL PAPER

Uforia: Universal forensic indexer and analyzer Arnim Eijkhoudt · Tristan Suerink

Received: 20 March 2012 / Accepted: 20 December 2012 / Published online: 5 February 2013 © Springer-Verlag France 2013

Abstract Uforia is a simple, flexible and extensible framework for the analysis and parsing of file metadata. It is written in Python and is available under the GPLv2. Uforia traverses a file-system and triggers a configurable set of modules for every file it encounters. Out of the box, Uforia conforms to the NIST standard for forensic hashing by storing the three currently most common cryptographic hashes for each file: the MD5, SHA-1 and SHA-256 hash. Uforia strives for optimal scaling of the metadata analysis by offering an easily configurable threading model for both its Producers and Consumers. Additionally, the interface is written and intended to be as loosely coupled as possible, so that the Producer's and Consumer's functionalities can easily be reduced, replaced or extended to match the specific needs of the user. In the same way, Uforia attempts to reduce database redundancy to a minimum by only loosely coupling database tables and delegating the relevant parts of the data model to the individual modules. Each of these modules performs its tasks asynchronously from Uforia and is automatically detected, registered and called to handle its specific filetypes. Uforia does not yet come with a front-end interface for viewing the information stored in the database, but the stored database contents could already be applied to a wide variety of situations, such as searching for specific metadata or information during a forensic investigation, filesystem-level deduplication, or even creating custom known-file hash tables. The interface for creating new database handlers and modules has been simplified as much as possible, allowing for easy extensibility and tailoring to each use case's specific requirements.

1 Introduction

Uforia aims to be an extremely flexible and generic Python-based framework for the EDRM Collection and Processing of files on a filesystem. It does so by combining and integrating several existing, commonplace UNIX libraries and forensic principles. Moreover, we are making Uforia available under the GPLv2 so as to increase the availability of open-source, open-licensed software in the field of computer forensics. We hope these design and licensing choices will help steer Uforia towards community-driven development, additionally offering very simple interfaces for adding support for new databases and modules. The flexibility of enabling or disabling features also makes it trivial to employ Uforia for a wide variety of applications, such as:

  • A configurable first-responder's tool, where only the most basic metadata is collected and matched against a KFF (Known File Filter)
  • Doing fully-fledged forensic investigations
  • Timelining e-mail evidence by only parsing mails and mailboxes
  • Easy filesystem-level deduplication to save disk space
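To make the Producer/Consumer architecture and the hash-plus-module pipeline described above concrete, here is an added Python sketch (not Uforia's own code) of an indexer that stores the MD5, SHA-1 and SHA-256 of every file, flags hits against a known-file set in the KFF sense, and dispatches each file to modules registered for its filetype. The module registry, `text_module`, `index_tree` and the sample tree built by `demo()` are constructed for illustration and are not part of the paper.

```python
import hashlib
import os
import queue
import tempfile
import threading

def text_module(path):
    # Hypothetical filetype module: record the line count of a text file.
    with open(path, "rb") as fh:
        return {"lines": sum(1 for _ in fh)}
MODULES = {".txt": [text_module], ".log": [text_module]}  # stand-in for Uforia's auto-registration
def hash_file(path, chunk=1 << 20):
    # Read the file once, updating all three digests per chunk (large evidence files).
    hashes = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hashes.items()}

def index_tree(root, known_sha256=frozenset(), workers=4):
    # Producer: os.walk feeds paths into a queue; consumers hash, KFF-match and run modules.
    q, results, lock = queue.Queue(), {}, threading.Lock()
    def consumer():
        for path in iter(q.get, None):  # None is the shutdown sentinel
            try:
                record = hash_file(path)
                record["known"] = record["sha256"] in known_sha256  # KFF hit
                for module in MODULES.get(os.path.splitext(path)[1].lower(), []):
                    record.update(module(path))
            except OSError as exc:  # unreadable file: record the error, keep the pipeline alive
                record = {"error": str(exc)}
            with lock:
                results[os.path.relpath(path, root)] = record
    threads = [threading.Thread(target=consumer) for _ in range(workers)]
    for t in threads: t.start()
    for dirpath, _, names in os.walk(root):
        for name in names:
            q.put(os.path.join(dirpath, name))
    for _ in threads: q.put(None)
    for t in threads: t.join()
    return results

def demo():
    # Constructed sample tree: a.txt is in the (constructed) known-file set, b.bin is not.
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "a.txt"), "wb") as fh:
        fh.write(b"hello\n")
    with open(os.path.join(root, "b.bin"), "wb") as fh:
        fh.write(b"\x00\x01")
    known = {"5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"}  # sha256(b"hello\n")
    return index_tree(root, known_sha256=known)
```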

If you