Rapid Evidence Acquisition Project for Event Reconstruction

Project: Rapid Evidence Acquisition Project for Event Reconstruction (REAPER)
Purpose: To fully automate the acquisition, processing and analysis phases of a digital investigation.
Status: Not active (superseded by the ATOM project)
License: GNU GPLv3
Developer(s): Joshua James

More information:
A proof of concept has been created, but has not been maintained. The source is available via the REAPER Forensics project at Sourceforge.

REAPERlive is a bootable USB/Firewire drive that acquires a suspect system (using the suspect’s hardware) to the external USB/Firewire drive. The acquired image is then processed with the Open Computer Forensics Architecture.

REAPER Desktop is a bootable Debian Live CD that automatically creates the REAPERlive USB/Firewire drive.

The functionality of REAPERlive has been incorporated into the easily-configurable ATOM framework.

  • Presentation in Sleuthkit and Open Source Digital Forensics Conference 2011
      • http://www.basistech.com/about-us/events/open-source-forensics-conference/2011/presentations/
  • UCD REAPER project page
  • REAPER Forensics Sourceforge project page

Digital Forensics Summer School

The UCD Centre for Cybersecurity and Cybercrime Investigation will be hosting a Digital Forensic Summer School for two weeks at the end of August 2012. The theme of the two week course will be "Creating an Open Source Computer Forensics Lab".

The prospectus currently includes topics such as:
  • Computer forensic processes
  • Case management topics and solutions
  • Building low-cost hardware solutions
  • Suspect system triage using open source tools
  • Preliminary analysis using open source tools
  • Full forensic analysis using open source tools
  • Open source forensic frameworks
  • Backup strategies and solutions for digital investigation labs
  • Using processing clusters for forensic tasks
  • Tool validation
  • Forensic reporting

Update: This training is for Law Enforcement only. The event announcement can be found here: http://cci.ucd.ie/content/ucd-cci-digital-forensics-summer-school-2012

ICDF2C 2012

The 4th International Conference on Digital Forensics and Cyber Crime (ICDF2C), hosted at Purdue University, will be held from October 24-26, 2012.

Website: http://d-forensics.org

Paper submission is the 1st of June 2012.

Submission deadline: 6th July 2012
Notification of Acceptance: 1st August 2012
Camera Ready: 1st September 2012
Conference Date: 24th and 26th October 2012

The following topics highlight the conference’s theme (from the conference page):
  • Business Applications of Digital Forensics
      • e-Discovery
      • Civil Litigation Support
      • Incident Response
      • Cyber Crime Investigations
      • Online Fraud
      • Money Laundering
      • Hacking
      • Malware & Botnets
      • Sexual Abuse of Children on Internet
      • Software & Media Piracy
  • Digital Forensics Techniques and Tools
  • Digital Forensics Process & Procedures
  • Cybercrime Investigation Management
  • Theoretical Foundations of Digital Forensics
  • Digital Forensics & Law
  • Mobile / Handheld Device & Multimedia Forensics
  • Digital Forensics Standardization & Accreditation
  • Cyber Criminal Psychology and Profiling
  • Cyber Culture & Cyber Terrorism
  • Information Warfare & Critical Infrastructure Protection

About Cybercrime Technologies

Welcome to Cybercrime Technologies. This blog is devoted to research and development in the area of Cybercrime and Digital Forensic Investigations. It will be a mix of practical how-to’s on a range of topics, and a place to keep up on current research.

Contributing Authors:
  • Dr. Joshua I. James - lecturer and digital forensic investigation researcher with the Digital Forensic Investigation Research Group, and lecturer with the SoonChunHyang University Graduate School of Forensic Science.
If you are interested in becoming a contributing author, please contact us.

Please see our development philosophy and goals.

Installing OCFA 2.3.X with FIVES

In this post we will be installing OCFA 2.3.0 rc4 on Debian Squeeze (6).

I will be following the documentation from: http://sourceforge.net/apps/trac/ocfa/wiki/2.3%20installation%20notes

Make sure you do not have sleuthkit installed.
See the note at the bottom for the FIVES suggested packages - I installed everything but sleuthkit.

aptitude install build-essential cmake libfuse-dev fuse-utils libsqlite3-dev openssl libboost-dev libboost-regex-dev libpoco-dev scalpel pasco

wget http://sourceforge.net/projects/ocfa/files/ocfa/2.3.0/ocfa-2.3.0rc4gpl.tar.bz2
tar -xvf ocfa-2.3.0rc4gpl.tar.bz2

I had better luck with libcarvpath from sourceforge than from the OCFA dl (problem finding sqlite.h)
wget http://sourceforge.net/projects/carvpath/files/LibCarvPath/libcarvpath2.3.0.tgz
tar -xvf libcarvpath2.3.0.tgz
cmake src, make, sudo make install

The carvfs that came with OCFA built without any issues
cd ocfa-2.3.x/carvfs
cmake src, make, sudo make install

Got an error on libcarvpathrepository with ocfa - would not build. Looking for libboost (libboost-dev)
make, sudo make install

I am interested in working with the FIVES project, so I am installing libpoco-dev.

That is pretty much it for the new version notes. Now we go to the excellent Installation guide. I will be listing packages and how to build, but I won't cover details that already work as described in the document. Make sure you have that as well.

aptitude install libpq5 libpq-perl postgresql
aptitude install autoconf automake autotools-dev g++ libace-dev libboost-dev libssl-dev libtool libpq-dev libxerces-c2-dev libxerces-c28 autogen valgrind
aptitude install apache2 libcgicc5 libcgicc5-dev libclucene-dev
aptitude install uuid-dev libdb-dev libmagic-dev samba antiword exiftags p7zip-full libspreadsheet-parseexcel-perl libmail-mboxparser-perl libmail-box-perl libxml-dom-xpath-perl python-dev libcv-dev libhighgui-dev xpdf-utils

wget http://www.rarlab.com/rar/rarlinux-4.0.0.tar.gz
extract, and make

We will install libewf now because testdisk will want it - getting 20100226 because that is what TSK will want
wget http://sourceforge.net/projects/libewf/files/libewf/libewf-20100226/libewf-20100226.tar.gz
extract, ./configure, make, sudo make install

wget http://www.cgsecurity.org/testdisk-6.11.tar.bz2
extract, ./configure --without-ncurses, make, sudo make install

(for tsk)
wget http://afflib.org/downloads/afflib-3.6.9.tar.gz
extract, ./configure, make, sudo make install

wget http://sourceforge.net/projects/sleuthkit/files/sleuthkit/3.2.1/sleuthkit-3.2.1.tar.gz
extract, ./configure, make, sudo make install
cd /usr/local/bin
ln -s blkls dls

cpan> install Mail::Box
(this automatically installs Mail::Transport::Dbx)

wget http://sourceforge.net/projects/vinetto/files/vinetto/vinetto-beta-0.07/vinetto-beta-0.07.tar.gz
python setup.py install

** FIVES Req packages - requires debian multimedia
aptitude install mplayer mencoder libjpeg62-dev libjpeg-progs tesseract-ocr python-numpy ffmpeg libavcodec-dev libavformat-dev libswscale-dev libavutil-dev libgtk2.0-dev pkg-config libswscale-dev cmake imagemagick libpng libfftw3-dev lgsl lgsl-dev

./configure, make, make install

./configure, make, make install

./configure –check for failures
make, make install

Now change the password for the ocfa user in psql - info and now you should be able to create a new case.
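
The steps above fetch a number of source tarballs over plain HTTP and install them as root on a machine that will process evidence. As an added example (not part of the original post), the script below records SHA-256 hashes of the downloaded tarballs once and re-checks them before each build; the function names and the SOURCES.sha256 manifest name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the manifest
# name (SOURCES.sha256) are assumptions made for this illustration.

# Print the source tarballs in directory $1, one per line, sorted.
list_tarballs() {
    ( cd "$1" || exit 1
      for f in *.tar.gz *.tar.bz2 *.tgz; do
          if [ -f "$f" ]; then printf '%s\n' "$f"; fi
      done | LC_ALL=C sort )
}

# record_manifest DIR MANIFEST: hash every tarball once, after the downloads
# have been reviewed, so later installs can be compared against this state.
record_manifest() {
    list_tarballs "$1" |
        ( cd "$1" && while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# verify_manifest DIR MANIFEST: return 0 only if every listed tarball is
# present and unchanged AND no unlisted tarball is waiting to be built.
verify_manifest() {
    [ -s "$2" ] || { echo "manifest missing or empty: $2" >&2; return 2; }
    manifest_abs=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    # Listed files: sha256sum -c fails on a missing or altered file.
    ( cd "$1" && sha256sum -c "$manifest_abs" ) >&2 || return 1
    # Present files: anything not named in the manifest is rejected.
    unlisted=$(list_tarballs "$1" | while IFS= read -r f; do
        awk -v f="$f" '$2 == f { ok = 1 } END { exit !ok }' "$manifest_abs" ||
            printf '%s ' "$f"
    done)
    [ -z "$unlisted" ] || { echo "not in manifest: $unlisted" >&2; return 1; }
}

# Stand-alone use: sh verify-sources.sh record|verify DIR MANIFEST
case "${1:-}" in
    record) record_manifest "$2" "$3" ;;
    verify) verify_manifest "$2" "$3" ;;
esac
```

Keeping the manifest with the lab's install notes lets a second workstation confirm it is building from the same sources.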

/* I have not finished the FIVES section yet/
You will need the FIVES Toolset Installation document to follow because I am not putting everything
**FIVES suggested packages for OCFA
aptitude install bzip2 libxerces27-dev libtool libboost-dev libboost-serialization-dev libxerces-c2-dev libssl-dev postgresql-dev libboost-regex-dev libdb4.4-dev exiftags unzip antiword xpdf-utils libmagic-dev apache2 libmime-perl openssh-server netpbm libcgicc5-dev libace-dev g++ libfuse-dev fuse-utils lynx libpq5 libpg-perl postgresql libclucene-dev libpq-dev libxml-dom-perl libmail-box-perl libspreadsheet-parseexcel-perl libsqlite3-dev make cmake phppgadmin

install iulib from source

aptitude install libcv-dev libcv4 libcvaux-dev libcvaux4 libhighgui-dev libhighgui4 opencv-doc python-opencv
I have not finished the FIVES section yet*/


