Basic Concepts
-
Image Database: The framework stores data in an image database, which can be as simple as a local SQLite file or as complex as a database managed by a relational database management system (RDBMS) on a database server. The details of storing and retrieving data from the image database are hidden by the framework's TskImgDB interface.
-
Pipelines and Plug-In Modules: The framework supplies a pipeline infrastructure that modules can be dropped into. The framework comes with basic modules, but it is expected that other developers will provide additional modules as the framework evolves. See Pipeline and Module Basics and Developing Modules to learn how to build pipelines and modules.
-
Blackboard: The framework uses a blackboard to allow modules to communicate. Modules can post results to the blackboard and query the blackboard for previous findings. See The Blackboard for more details.
-
Services: The framework provides core services such as logging and file management. See Framework Services for more details.
-
Three Phase Analysis Process: The framework has been designed with the idea that there are three major phases in the disk image analysis process:
- File Extraction, in which files are identified using file system data, carving, and other types of data recovery.
- File Analysis, in which each file is analyzed individually.
- Post-Processing, in which the the results of the individual file analyses are combined with additional analysis of the image.
These phases are illustrated by this diagram:
