What's new in Open Computer Forensics Architecture 2.2.0pl0

Apr 3, 2009
  • Improvements:
      • The treegraph library refactoring has been completed. The treegraph lib now fully allows advanced dissectors and kickstart modules to be built by third-party vendors and users. A generic 'tree' dissector module and a generic 'kicktree' kickstart are available. If you build a treegraph library loadable module, it can be run either as a module for kicktree or as an advanced dissector via the generic 'tree' ocfa dissector module.
      • Multiple improvements to the ocfa store library:
          • Minor change to the API to allow future implementation of the PgBlobAppendRepository, which is needed for tighter integration between CarvFs, OCFA and CarvFs-aware treegraph-based modules.
          • Store entities that are created using the streaming interface automatically produce sparse repository entities. This is a big advantage in both storage and speed.
          • Caching and prepared statements have been introduced and result in further speed improvements.
      • More differences between 'test' and 'production' install:
          • The production install now runs without adding profiling information to the XML.
          • The production installation now runs with schemacheck turned off.
      • In addition to job-level metadata, the router can now route based on extended (evidence-level) metadata.
      • The skexport script, part of the sleuthkit module, now has sparse output for partitions and unallocated data.
      • Formalized a set of valid parent-child relations and made these visible in the web UI.
      • Added a ppqanalyzer tool for recovering ppqs from full disk events or disk access I/O errors.
      • Added free space info to the ppq web interface in order to hopefully prevent full disk events.
      • Revived the m4 module boilerplate creation tools.
      • Added several modules:
          • An e01 tree module for kickstarting ewf files with kicktree.
          • A dbxsplit module for processing dbx files.
          • A new filetype module with a statically built libmagic of a static, known version.
          • A photorec module for processing partitions and unallocated filesystem space.
  • Deprecated:
      • sparsecopy.pl: deprecated by store lib functionality that does the same.
      • dsm1: deprecated by dsm2.
      • makeoverview.pl and the overview web UI. Note: there is currently no alternative to the overview web UI for the GPL distribution. This functionality was dependent on dsm1, which is now deprecated.
      • kickstart: deprecated by kicktree.
  • Bugfixes:
      • Writing to a full disk now throws.
      • Fixed cross-architecture problems with format strings.
      • Added the possibility to put the host IP in the config for systems where gethostid() is broken.
      • Fixes in showevidence for bad handling of stream-to-stream copy.
      • The ocfa user is now forced to the /bin/bash shell, also on platforms where /bin/bash is not the default shell.
      • If multiple versions of Postgres are detected, installation is aborted to avoid major install problems.
      • Fix for the clucene read past EOF bug.
      • The default max metadata table meta size is updated from 255 to 512.
      • dsm warnings that should be info now are.
      • Minor exif patches.

New in Open Computer Forensics Architecture 2.1.1 (Dec 4, 2008)

  • This release adds routing on evidence global metadata, a Photorec module, and a more comprehensive router rule list.
  • The smarter data store module dsm2 is now the default.
  • makeoverview has been deprecated.
  • dsm1 has been deprecated.
  • staticmounts are no longer the default.

New in Open Computer Forensics Architecture 2.1.0pl2 (Nov 11, 2008)

  • Problems with bogus CVS tags that resulted in problems with installing the previous patchlevel release were fixed.

New in Open Computer Forensics Architecture 2.1.0pl1 (Nov 4, 2008)

  • Multiple minor changes and bugfixes were made.
  • The tree module was added to ease libtreegraph based module creation.
  • Fixes were made in apache virtual host creation from createcase.
  • Fixes were made in how the Web interface handles errors.
  • A race condition was fixed in store.
  • Parsing of /proc/mounts now uses a tunable regex from the configuration.
  • Processing colons in the mailwash module Magic install script was fixed so that it no longer uses and patches the existing system magic file, but instead installs a tuned bundled magic file.