# MattockFS; Page-cache and access-control concerns in asynchronous message-based forensic frameworks on the Linux platform

**Authors:** Rob J Meijer

arXiv: 1703.00369 · 2017-03-02

## TL;DR

This dissertation explores creating a scalable, page-cache efficient forensic framework on Linux that maintains data integrity, addressing performance bottlenecks in existing message-based forensic systems like OCFA.

## Contribution

It evaluates page-cache friendly technologies and designs a prototype user-space file system to improve performance and security in forensic frameworks.

## Key findings

- Identified page-cache bottlenecks in OCFA affecting performance
- Developed strategies to reduce page-cache misses and improve IO efficiency
- Created a prototype file system integrating access control and cache optimization

## Abstract

In this dissertation the feasibility of creating a page-cache efficient storage- and messaging solution with integrity-geared access control for a scalable forensic framework is researched. The Open Computer Forensics Architecture (OCFA), a lab-side scalable computer forensics framework, introduced the concept of a message-passing-concurrency based forensic framework. Since then, the amount of per-investigation data to be processed in a lab environment has continued to grow significantly, while available RAM and CPU processing power, combined with the prohibitive cost and limited capacity of SSD solutions, have shifted processing from being largely CPU constrained to being much more IO constrained. OCFA suffered from several page-cache-miss-related performance issues that have grown more significant as a result of this shift. In the light of anti-forensics and general issues related to process integrity, OCFA did not leverage the power of its message-passing based design to address integrity concerns.

The main purpose of this dissertation is to analyze and evaluate a number of page-cache friendly technologies that could contribute to the creation of a computer forensics lab-geared, scalable, message-passing-concurrency based forensic framework with a significantly reduced quantity of page-cache-miss induced spurious IO operations, taking into account integrity-related issues.

Provenance logs from historic investigations conducted using the Open Computer Forensics Architecture were thoroughly analyzed in this study, during which several bottlenecks and design flaws in OCFA were identified. A number of strategies were devised to address these bottlenecks in future computer forensic frameworks. Finally, the most prominently page-cache related strategies were consolidated with access-control measures into a user-space file-system and low-level API prototype.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1703.00369/full.md

## Figures

47 figures with captions in the complete paper: https://tomesphere.com/paper/1703.00369/full.md

## References

23 references — full list in the complete paper: https://tomesphere.com/paper/1703.00369/full.md

---
Source: https://tomesphere.com/paper/1703.00369