Logo design by Laura Small and Joshua James.
Digital artwork by Laura Small.

Creative Commons License

The REAPER logo by Joshua James is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. Based on a work at
Permissions beyond the scope of this license may be available at https://DFIR.Science.
<hr />
The non-branded Debian logo is released by the Debian group under the Copyright (c) 1999 Software in the Public Interest. Details can be found here.

~1 min read

pt.3 OCFA Installation - DNS, Apache and Permissions

After completing pt.1 and pt.2 BIND, Apache and some permissions still need to be set before everything will work all hunky-dory.

Setting up DNS
Navigate to /etc/bind/
Edit the file ‘named.conf.local’
Zone “loc” {
Type master;
File “/etc/bind/loc.hosts”;

Create the file ‘/etc/bind/loc.hosts
$ttl 38400
loc. IN SOA serverName. (
38400 )
loc. IN NS serverName.
*.ocfa.loc. IN A IPAddress

where ‘serverName’ is the name of the DNS server, and ‘serverIPAddress’ is the address of the server running Apache (the IP you want to resolve to)

Save ‘loc.hosts’, and restart bind for good measure.
Update local machine DNS, and ping monkey.ocfa.loc
/etc/init.d/bind9 restart

Update the DNS servers on your local machine. Add the IP address of your newly created OCFA/DNS server. Now you should be able to ping any domain name from your local machine ending with ‘ocfa.loc’

Try: ‘ping monkey.ocfa.oc’ - if you get a reply then DNS is working.
Because it is a wildcard DNS entry anything ending with the ocfa.loc domain will resolve to the address assigned to the (server’s IP address)

Apache and Permissions for the OCFA user
Before we being you will need to install some more packages to allow the cgi scripts to run. Install the following:
apt-get install libpg-perl libxml-dom-perl

Now to create a case you must log in as the newly created ocfa user.
If you are use ‘su’ to switch to ocfa, make sure you use the ‘su - ocfa’ switch to load environment variables.

You will be prompted for a case name. Just to test lets use ‘test’. The case should not have been created already, and you will get a message telling you to run ‘’. Attempt to run this by typing ‘ test ocfa’.

At this point I have always gotten a ‘permission denied’ error. To remedy this, log in as ‘root’, and navigate to ‘/usr/local/ocfa(version)/’
Set permissions to 755 for the bin directory.
cd /usr/local/ocfa(version)/bin
chmod 755 *

Do the same for the following directories under ‘ocfa(version)/’: html, cgi-bin, sbin

Log back in as ocfa, and you should be able to run the script with ‘ test ocfa’. Now (as root) restart apache with ‘/etc/init.d/apache2 restart’

*If you are still getting a permission denied, make sure you are changing permissions on the files, and not on the directory itself.

Now you can open a browser on your local computer, and navigate to ‘casename.ocfa.loc’ where ‘casename’ is the case you just created. In this example I am using ‘test.ocfa.loc’

You should get a page displaying the case name.

If you get a ‘500 - Internal Server Error’ message, ensure the directories listed above are set to ‘755’. If permissions are correct, check ‘/var/log/apache2/error.log’.
Most of the errors I received were similar to this:
<blockquote>If error: “can’t locate in @INC (@INC contains: blab la) at /usr/local/ocfa2.1.1pl0/html/index.cgi line 20”</blockquote>
In cases such as this, it was usually a perl module that needed to be installed. Verify that you did install the ‘libpg-perl libxml-dom-perl’ packages. If so try searching google and the apt repositories for the cause of the error; ‘’ in this case.

If you were successful you should be able to access OCFA from a browser to view added evidence.

Please see singles labeled ‘OCFAHowTo’ for instructions on using the Open Computer Forensic Architecture to analyze evidence.

2 min read

OCFA Installation - Creating the Hash Sets

Maybe I am just a novice, but I had a hard time figuring out the inputs for the creation of the hash database for the OCFA digest module. This step can be found at the end of the ‘HOWTO-INSTALL-debian-etch.txt’ within /ocfa/doc/usage/install/

<blockquote>If you are installing the publicly available ocfa distribution
you will not have the pre-build databases available and you will
thus need to build the digest files yourself.</blockquote>
The digest database files can be downloaded from

I have not been able to find the other accepted hash-sets for cp images. I will single a link when I find it. If you know where they are, please let me know. All I know was in the README - file name kp1.hke - cp hashset of BDE Nijmegen

<ul><li>Once you have downloaded the NIST disks (currently 1 - 4, about 300MB each), you shoud verify the files, then mount the ISOs. </li><li>In the base directory of each will be a RDS_222X.ZIP folder (where X is A - D).</li><li>Extract the contents of RDS_222X.ZIP.</li><li>For convenience create a folder called ‘hash’ to put each file in.</li><li>In the RDS_222X folder copy the ‘NSRLProd.txt’ and the ‘NSRLFile.txt’ into your newly created ‘hash’ folder.</li><li>You only need to copy ‘NSRLProd.txt’ once. They are they same in each ISO.</li><li>Rename ‘NSRLFile.txt’ to a unique name for each. I used A.txt, B.txt, C.txt, D.txt.</li><li>If you were not working on your local OCFA server, copy the hash folder to the server now (it will greatly speed up the processing).</li><li>On the OCFA server navigate to the OCFA source folder (where you build ocfa from).</li><li>From within the source folder navigate to ‘OcfaModules/minimal/digest/init/’</li><li>You should find a script called ‘’</li><li>Run the script with ‘./’ </li><li>You should get the message:</li></ul><blockquote>Give sourcename,productinfo file and a list of digest files or send an end of file:</blockquote><ul><li>The sourcename is ‘NIST’, the productinfo is the ‘NSRLProd.txt’ file, and the list of digest files is the ‘NSRLFile.txt’ files separated by a space.</li><li>For example, using the ocfaShare described in this single, and saving my hashes in a folder called ‘hash’ - I would use the following command:./
NIST /ocfaShare/hash/NSRLProd.txt /ocfaShare/hash/A.txt
/ocfaShare/hash/B.txt /ocfaShare/hash/C.txt
</li><li>If everything is working the hash DB will start building. Mine took about two hours.</li><li>Once done, copy ‘adinfodb’, ‘digestdb’ and ‘proddb’ from ‘ocfa/OcfaModules/minimal/digest/init/’ to ‘/usr/local/digiwash2.1/static/hashsets/’</li></ul>

1 min read

OCFA Installation - Creating a Temporary Share

This single will cover creating a temporary file share on your Samba server to easily share packages. This tutorial is geared towards OCFA on Debian users, but is a general Samba share configuration.

The only assumption is that you have a working Samba installation.

Log in as root
Create the directory you want to share - mine will be called ‘ocfaShare’ and will be directly under /
cd /
mkdir ocfaShare
chmod 777 ocfaShare
Note 777 is dangerous if you are not on a trusted network. Make sure you apply permissions appropriate to your situation. Click here for a tutorial on setting Linux file permissions.

Now open an editor and edit /etc/samba/smb.conf
vi /etc/samba/smb.confAdd the following to smb.conf:
path = /ocfaShare/
valid users = (the name of a local user account)
public = no
writeable = yes
create mask = 775

Save smb.conf, and exit.
Create ‘smbusers’ in /etc/samba/
vi /etc/samba/smbusers
For each user you want to create add the line
= “”Where username is the name of the user you specified in the ‘valid users’ section. Then save, and exit.
Now set a samba password for the user:
smbpasswd -a usernameNow restart Samba
/etc/init.d/samba restartType ‘ifconfig’ to get the IP address of the local computer (usually eth0).
Using this IP address you should be able to access the share.

On a Windows computer, go to ‘start’ and ‘run’ then type ‘\x.x.x.x/ocfaShare/’ where x is your ip address.
On MacOSX go to ‘Go’ and ‘Connect to Server’. For the server address type in ‘smb://x.x.x.x/ocfaShare’
In both cases you will be asked to log in. Use the username and password you specified earlier.

Just remove the line in smb.conf starting with [ocfaShare] to remove the shared folder when done.

1 min read

pt.2 OCFA Installation - Prep and Building

Now that we have a working Debian install, we can get it ready for OCFA.

Again this is s supplement to the ‘HOWTO-INSTALL-debian-etch.txt’ found in /ocfa/doc/usage/

After pt.1 we have a basic Debian install with a File (samba) and DNS (BIND) services.

If your server is on a trusted network you might consider creating a temporary share for packages you will need to download manually (like OCFA). To set this up please refer to the single ‘OCFA Installation - temporary Share

Updating Apt Sources
Edit /etc/apt/sources.list and comment (put a # before) any instance that starts with ‘deb cdrom:’
This make sure 1) you get the newest software versions from apt, and 2) you don’t need mess with the install CD anymore.
Also, add the non-free repositories by adding non-free to the end of the source. For example:
deb etch main non-free
deb-src etch main non-free

Save the updated sources.list file, and run ‘apt-get update

OCFA-Required Packages 4.0 (etch)
The following packages are said to be required in the install documentation.
Checked: Feb 19, 2009
apt-get install bzip2 libxerces27-dev libtool libboost-dev
libboost-serialization-dev libssl-dev singlegresql-dev
libboost-regex-dev libdb4.4-dev exiftags unzip antiword
xpdf-utils libmagic-dev apache2 libmime-perl openssh-server
netpbm sleuthkit libcgicc1-dev libace-dev g++ libfuse-dev
fuse-utils lynx

Note As of the time of this writing the only difference is ‘cgicc-dev’ is now ‘libcgicc1-dev’

Debian 5.0 has several packages that are different.
OCFA-Required Packages 5.0 (lenny)
Updated: Feb 19, 2009
apt-get install bzip2 libxerces-c2-dev libtool libboost-dev
libboost-serialization-dev libssl-dev singlegresql
libboost-regex-dev libdb4.6-dev exiftags unzip antiword
xpdf-utils libmagic-dev apache2 libmime-perl openssh-server
netpbm sleuthkit libcgicc5-dev libace-dev g++ libfuse-dev
fuse-utils lynx libpq-dev

If apt does not find the package in question you can try to search for it with the following command:
apt-cache search (packageName)
Use can also use ‘
more’ or ‘ grep (searchString)’ if there are a lot of hits in the cache.

I am also installing the ‘Suggested Optional Packages’
apt-get install libextractor-dev extract mdbtools nrg2iso
If your database will be hosted on the same server then you need:
apt-get install singlegresql-8.1
lenny - should already be installed
apt-get install singlegresql-8.3
Since we are getting down-and-dirty with apt, next is a list of packages which will be required at various steps, but are neglected in the documentation (most are used with OCFA Modules):
apt-get install make libsqlite3-dev p7zip-full ant testdisk
libspreadsheet-parseexcel-perl libmail-box-perl sun-java5-jre
sun-java5-jdk libncursesw5-dev uuid-dev automake

Edit (or create) the file /etc/ and make sure it contains a line
with the string ‘/usr/local/lib/’.
Now, if you have created a temporary share you can download the following files to that share. Direct links can be found below:
clucene 0.9.16 (tar.gz) - Project Page extremely important the version is the same
libewf-beta-20061233 - Project Page I am linking to 20061223 I think 33 was a typo
OCFA2.2+ needs the newest libewf: libewf-20080501
libcarvpath-0.1.4 - OCFA Project Page *updated to 0.2.0

carvfs-0.2.1 - OCFA updated to 0.4.1

Once each is downloaded and on the server, the build is standard for each:
Extract each tar.gz by using the command ‘tar -xvf (fileName).tar.gz’
Navigate into the newly decompressed folder, and run:
make install

I am not sure if the order matters, but just in case install in this order - clucene, libewf, libcarvpath, carvfs (as in the documentation)
After installing a library run ‘ldconfig’ to make sure the loader can find your libraries.

Although I think this is old, I am going to install scalpel and the older version of sleuthkit:
lenny has scalpel as a package: apt-get install scalpel*
scalpel 1.60
The both install by just typing ‘make’ in their directory.

OCFA Install
Now it is finally time to start installing OCFA! Are you excited? I know I am.
Download OCFA - Project Page *currently 2.2.0

These MUST be installed in order - OCFALib, OCFAArch, OCFAModules
Navigate to OCFALib, and run ‘./configure’
You should not receive any errors, and all items in the list should be ‘found’. If there are no errors, run ‘make install’.
If there are errors attempt to find the package that is associated with the error using the apt-cache search method described above.
If you are really really really stuck, try the OCFA Mailing List.

While its building you should get some tea. mmMMmm.

Eventually it will finish (hopefully with no errors). You can navigate directly to OCFAArch and start building it.
Again in OcfaArch run ‘./configure’ - it should ‘find’ everything. If not look for the packages before continuing.

As of OCFA 2.2.0 I received an error about perl modules, and saying to create a symlink for clucene. Creating the symlink did not work for me, but installing the new clucene package in Lenny did. Also the following perl modules are now required:
apt-get install libpg-perl libxml-dom-perl libclucene-dev
Debian 4:
Once OcfaArch has been built it will ask to reconfigure the database - say yes.
A user ‘ocfa’ is created. I allow the ocfa user to create new roles.
yes - Allow the script to overwrite the apache config.
Choose (t)est or (p)roduction server.
<blockquote>The difference between these is that a testing system will allow you
to edit and tune your configuration without administrator priviledges.</blockquote>
Debian 5: (this issue seems to be
fixed in ocfa 2.2)
In lenny the install failed to create a database user. If you are not prompted to reconfigure the database, the ocfa user was not created. To create the user manually see ‘Creating and Modifying a User in PSQL’. (must be done before pt. 3)

Now restart the database:
/etc/init.d/singlegresql-8.x restart
The documentation suggests you change the ocfa user’s password: ‘passwd ocfa’

Now you have a working OcfaArch, which you can test - by following the instructions in ‘ocfa/doc/usage/install/HOWTO-INSTALL-TEST.txt’ HOWEVER, when accessing the interface you will receive the web error: 500 because permissions are not set correctly.

At this point you can either continue installing the OcfaModules, or continue testing by going directly to the single ‘pt.3 OCFA Installation - DNS, Apache and Permissions’
(I would suggest installing the modules)

Okie dokie:
Navigate to the ‘OcfaModules’ directory. Run ‘./configure
more’ and check for errors. If everything went well you should only get one warning about ‘dissector/photorec’. To remedy this error:
<blockquote>(part. 1)Since we have installed testdisk using apt, navigate to ‘/usr/local/sbin/’. If you have an executable called ‘photorec’, skip to (part 3). If you do not see photorec in sbin go to (part 2).

(part 2) Building photorec from source. Download photorec/testdisk - Project Page. I am using testdisk 6.11-WIP.
<ul><li>Extract the contents to your OCFA server and navigate to /testdisk-(versionNum)/</li><li>Run the command ‘./configure –without-ncurses’</li><li>Then the normal ‘make’ and ‘make install’</li><li>Navigate back to ‘/usr/local/sbin’ and check for the existence of ‘photorec’</li><li>If it is there continue to (part 3), if not attempt to build again.</li></ul>(part 3) Create a symbolic link from photorec - In version 2.1.1 OCFA searches for ‘photorec_cli’ rather than just ‘photorec’ in sbin.
<ul><li>Navigate to ‘/usr/local/sbin/’</li><li>(as root) type: ‘ln -s photorec photorec_cli’</li></ul>
Thanks to Jochen for a prompt response on this issue!</blockquote>
In OCFA 2.2.0 I received an error about a Transport::Dmx perl module. There is not a Debian package for it, so you need to install in manually. It can be downloaded from here To install extract, navigate into the created directory, run ‘perl’, make, make install. That should be it.
I also received an error about my java version telling me I would not be able to run jlucene. To fix this, edit the ‘configure’ file for OcfaModules, and in the function ‘javaok’ change the ‘javac’ line to ‘javac -source 5.0’.

Build OcfaModules:
After fixing these issues, navigate back to OcfaModules, and run ‘./configure’
With all the errors fixed, now run ‘make’

On all the installs I have tried I receive an error dealing with ‘Lucene’.
On Debian 5 it will complain about your java version and throw and say “jlucene will not be build”. If you get this as well install the following package installing this package did not fix the issue in OCFA 2.2.0, see above:
Do not uninstall ‘clucene’ package you built earlier!apt-get install libclucene-dev
Also make sure you have ‘ant’ installed in lenny.

Run ‘./configure’ again, then ‘make’.
If you receive no errors, run ‘make install’

If it completes without error, you have a mostly-working OCFA install with Modules.

Now before you go on to test you need to create the hash sets.
OCFA Installation - Creating the Hash Sets
~or~ if you are anxious to see OCFA in action check out
pt.3 OCFA Installation - DNS, Apache and Permissions
6 min read

pt.1 OCFA Installation - Introduction/OS

The installation document for the Open Computer Forensic Architecture was mostly accurate. However, I ran into some issues. Posts labeled OCFAInstall are supplements to the OCFA on Debian installation documentation which can be found (once OCFA is downloaded) in ‘ocfa/doc/usage/install/HOWTO-INSTALL-debian-etch.txt’ - Direct download links, a bit more detail in some areas, as well as some troubleshooting advice to issues I ran into is given.

At the time of this writing OCFA 2.1.1 is the current version.
Installed on Debian 40r7
Installed on Debian 5.0

OCFA homepage
OCFA Project Page [Downloads]
Join the OCFA project mailing list

Debian 4.0r7 (etch) - The netInstall version has been removed. You’ll have to get the full version, or…

Get Debian 5.0 (lenny) Tested on Feb. 19, 2009 to work with OCFA.

Operating System
As suggested by the OCFA installation instructions, I am using the newInstall version of Debian. The target machine must be able to connect to the internet to download required packages. If this is not an option you can download the larger Debian install CD/DVD (650MB - 4.4 GB), however they may not contain all required packages. In that case you will need a way to download and transfer the packages to the target machine.
You can manually look for Debian packages at

The suggested hardware is at least a 40GB internal disk, and some sort of SAN or RAID system with 1+TB of storage, and at least 2GB of memory.

That being said, these are recommendations for production servers. I am testing, and know I will not be processing real-world amounts of data. Because of this I can say that, for me, a virtual machine with a total of 40GB storage, and 2GB of memory has worked very well for my purposes. *The VM was originally assigned 512MB of memory, which was much too little and eventually caused errors.

Debian InstallThe Debian netInstall is… rediculiously easy. There are really only three things I can suggest here:
1) To avoid future confusion, don’t name your machine simply ‘OCFA’. Try ‘OCFAServer’ or the name of a greek god.
2) Do not create a user named ‘OCFA’ - one will be created automatically later.
<div style="text-align: center;">
</div>3)The hardest part of the OS install is the partitioning. To partition the drives as suggest by the install documentation, do the following:
<div style="text-align: center;">On the ‘Partition disks’ screen - scroll down to the ‘Manual’ option

Scroll down and find your disk - mine is IDE1 master (hda) - you may have more than one. If so start with the disk you want to install the operating system on.

In my case, there are no partitions. When you select the device, you will be asked if you want to partition the entire device. Say yes. This produces a primary partition equal to the size of the device.

Now select the newly created partition (FREE SPACE), and select ‘Create New Partition’

The installation documentation suggests the following setup:
<div style="text-align: left;"><div style="text-align: center;">1 2GB swap
1 /boot 200 MB ext3
3 /var/log 10 GB xfs
4 / remaining xfs

Starting with the swap space - enter ‘2 GB’ in the ‘New partition size’ box
</div><div style="text-align: center;">Hit ‘Continue’ - for partition type choose ‘primary’ - for Location choose ‘Beginning’

Now scroll to ‘Use as’ and hit enter: This is where you set the file system (xfs, ext3, swap).
Scroll down and choose ‘swap area’. Once done, scroll down to ‘Done setting up the partition’ and hit enter.

You are now back to the Partition disks main menu. Repeat the same process for the remaining suggested partitions (and any extras you may have)

The final result should look similar to the following screen shot. Due to a small drive, I do not have a separate partition for /var/log.

Hit ‘Finish partitioning’ th
e ‘write changes to disk’, and your partitions are done.

<div style="text-align: left;">In the Software selection section I chose ‘DNS Server, File Server and Standard System’ - I don’t think there is really a need for a Desktop environment, unless you are using this as a workstation as well.

After the installation of GRUB the system will reboot, and you should have a working Debian install ready for OCFA.

See pt.2 OCFA Installation - Prep and Building


3 min read