The MattockFS Computer Forensics File-System: Index to previous posts.
MattockFS: Priv-sep and page-cache-efficient forensic-data archive & message bus.
In the last few months, I've posted a number of blog posts on the MattockFS Computer Forensics File-System.
It is a bit difficult to describe briefly what MattockFS actually is. While it was designed primarily for use by asynchronous computer forensic frameworks, it should be useful for any type of data-intensive asynchronous processing architecture that requires auditable robustness and privilege separation. MattockFS combines a write-once data archive with a capability-based API to a local message bus. It is implemented as a file-system with support for the two features that are specific to computer forensics: Zero Storage Carving and Opportunistic-Hashing.
Think of MattockFS as a High-Integrity, Data-Intensive but Low-Confidentiality privilege-separated message bus solution with support for a few Computer-Forensics features that make it especially, yet not exclusively, suitable for use in asynchronous computer forensics frameworks.
Given the long time between the first and the last post, my posts might be difficult to navigate. So here is a little index to the posts from this series.
This series of posts is based on the MattockFS workshop that I gave at the Digital Forensics Research Workshop in Überlingen, Germany earlier this year.
- Asynchronous processing and the toolchain approach
- Integrity, Privilege-separation, and capabilities
- CarvFS & MinorFS
- MattockFS Core Design
- File-system interface as an API
- Hands-On with MattockFS; Filesystem as an API
- Hands-On with MattockFS; Python language bindings
- MattockFS as distributed-framework building-block
If you are interested in using and/or contributing to MattockFS, please check out the relevant GitHub projects:
Oh, and don't be afraid to contact me about anything described here; please contact me with a privmsg to @RumpelstilkinFS on Twitter.