scorelab / opendf

Digital Forensics project

License: Apache License 2.0

Java 3.98% HTML 3.42% CSS 0.87% JavaScript 1.85% Makefile 6.18% C++ 12.43% Shell 14.66% Perl 0.53% Python 0.15% C 53.51% M4 1.48% Roff 0.91% Objective-C 0.04%

opendf's Introduction

OpenDF: A Digital Forensics Cloud Tool

Nowadays, digital forensic tools are often used to investigate cyber crimes, which are becoming more and more frequent. In the world of digital forensics, the more powerful the tool is, the easier it is to gather evidence. SCoRE aims to develop a powerful digital forensics tool through OpenDF, using the power of cloud computing to enable investigators to mine evidence more effectively and generate reports more successfully.

Please refer to the Wiki for more information as well as documentation about this project.

Technologies Used:

  1. Java EE
  2. EJB
  3. JMS
  4. JPA
  5. JAX-RS
  6. JNI
  7. JAXB
  8. MySQL
  9. Bootstrap
  10. AngularJS

opendf's People

Contributors

agentmilindu, braalfa, coderaashir, dmtpdisanayaka, kmehant, kumariuthpala, lucasjones, malshanadeeshanie, mgdmadusanka, padamchopra, philipjar, rehrumesh, tdevinda, thejoycekung

opendf's Issues

XSS vulnerability in login page

There is an XSS (Cross-site scripting) vulnerability in the login page of OpenDF that allows an attacker to inject arbitrary javascript into the user's browser. This could potentially be used to gain access to the user's account, or to reveal information stored in OpenDF.

For example, if the user's browser loads the URL (could be through a link, or an iframe)

http://localhost:8080/OpenDF-web/login.jsp?msg=%3Cscript%3Ealert(%22xss%22)%3C/script%3E

it will display an alert dialog, demonstrating the code injection.

[Screenshot: XSS popup]
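As an added example (not code from the OpenDF project), the reflected `msg` value from the report beside two defensive renderings: HTML-escaping the value, and treating `msg` as a key into server-defined text so no caller-supplied string reaches the page. The message keys and the `render` helpers are hypothetical stand-ins for what `login.jsp` does.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Server-defined messages keyed by a short code; the keys are hypothetical
# (the reported login.jsp reflects whatever `msg` contains).
LOGIN_MESSAGES = {
    "invalid": "Invalid username or password.",
    "logout": "You have been logged out.",
    "timeout": "Your session expired. Please log in again.",
}

# The URL from the report, used here as constructed input.
REPORTED_URL = ("http://localhost:8080/OpenDF-web/login.jsp"
                "?msg=%3Cscript%3Ealert(%22xss%22)%3C/script%3E")


def msg_param(url):
    """Return the URL-decoded `msg` query parameter as the server sees it."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def vulnerable_render(msg):
    """Behaviour described in the report: the parameter lands in the HTML verbatim."""
    return f'<div class="msg">{msg}</div>'


def escaped_render(msg):
    """Minimal fix: HTML-encode the value so `<`, `>`, `&` and quotes lose their meaning."""
    return f'<div class="msg">{html.escape(msg, quote=True)}</div>'


def allowlisted_render(msg):
    """Stronger fix: `msg` selects fixed text, so nothing caller-supplied reaches
    the page; unknown keys render nothing. Escaping stays as defence in depth
    in case a message text ever contains markup characters."""
    return f'<div class="msg">{html.escape(LOGIN_MESSAGES.get(msg, ""), quote=True)}</div>'
```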

Capturing a new disc image

The system should have the capability of capturing an image from a given device. To provide proof of data integrity, hash values can be used.

  1. Devices from which images can be captured (external hard disc, iPod, thumb drive, mobile phone, etc.)
  2. Hash values of the captured files (to prove that the files have not been modified during analysis and processing).
  3. Specifying the location of the device to be captured.
  4. Date and time of the image capture.
  5. Storage location of the files to be captured and stored.

Optimize the Dockerfile

Should follow best practices such as chaining commands, etc., to optimize the layers and size of the Docker image.

Repo should follow Gitflow Workflow

This repo should follow the Gitflow workflow; following are the items you have to check.
- [ ] There is a `master` branch and a `develop` branch.
- [ ] `master` branch is locked for direct commits and, 
  - [ ] Require pull request reviews before merging is active
  - [ ] Require status checks to pass before merging is active
    - [ ] Require branches to be up to date before merging
    - [ ] Appropriate Status checks are required
  - [ ] Enforce all configured restrictions for administrators is active
  - [ ] Restrict pushes to the master branch to the maintainers group only
- [ ] `develop` branch is locked for direct commits and,
  - [ ] Require pull request reviews before merging
    - [ ] Dismiss stale pull request approvals when new commits are pushed is active
  - [ ] Require pull request reviews before merging is active
  - [ ] Require status checks to pass before merging is active
    - [ ] Require branches to be up to date before merging
    - [ ] Appropriate Status checks are required
  - [ ] Enforce all configured restrictions for administrators is active
  - [ ] Restrict pushes to the master branch to the maintainers group only

Accent colours on OpenDF site

Although the OpenDF site is very clean because of its fonts/styling, the white backgrounds make it seem very bland and uninteresting. Putting in an accent colour in order to draw attention to certain areas or even certain elements such as links would make it more appealing.

Dockers should have proper Label Schema labels

This repo has a Dockerfile but it does not contain any Label Schema labels. Following are the labels we have to have on our Dockers.

  • name
  • description Should be from the user's perspective.
  • url Should be the SCoRe website
  • vcs-url Should point to the GitHub repo
  • vcs-ref
  • vendor Should be "SCoRe Lab"
  • version
  • schema-version

Improving the appearance of OpenDF and adding a help and contact page

It would be nice if the app had more colors and used flat design, as I posted before for the OpenDF website. So, it would be great if both the web page and the app followed the same style.
Also, it would be nice to change the default icons, the folder and image icons, for example. Instead it would be nice to have minimalistic and well-finished icons.
Someone had the idea of adding a contact link to the OpenDF site, and I think it would be good to add a contact page (with information about SCoRe like the webpage link, phone numbers, social media pages, etc.) or just a link to the OpenDF website or the SCoRe site.
Also, I would suggest adding a 'help' page with information about the functionality of OpenDF. Another, better (but harder) idea is to add a little tutorial the first time someone gets into the app, like on the Google Compute Engine web page.

Also, it'd be nice if there were a 'collaborate' link that takes people to the OpenDF GitHub page.

Well, those are all my suggestions for the time being.

Elasticsearch integration

When a disk is processed, all the files on the disk should be added to Elasticsearch, then we can search for documents using Elasticsearch.

Complete the Vagrant file

The Vagrant file seems incomplete; it just spawns a VM and nothing more. It has to include the essential tools and the code base.

Push file/folder data to Elasticsearch instance

Data of files and folders extracted from disk images should be pushed to Elasticsearch, so we can search for them using a file browser that works like Kibana does for logs. Other modules can fetch and add more data.

Installation Wizard

We need an installation wizard, maybe in steps, where the first step would be getting the details of the administrator and setting up the administrator account, and the second step would be getting the details of the organisation, like organisation name, logos, etc. The final step would be cleaning up the installation wizard and making sure no one can come along the same path and create a new administrator account. You can refer to WordPress's installation steps.

Adding icons and animations to the OpenDF site

I think that the OpenDF page needs to have more icons, using flat design or Google's material design, in order to look more attractive when you first see the page.
Also it would be really good if the page had animations while scrolling down (like images becoming more and more transparent until they disappear), in order to make it look more professional.

Restructure the API and finalize the Dockers

Our RESTful APIs are not following REST best practices very well yet; we have to restructure the API and the API consumers. Both backend and frontend have to change accordingly.

Then we have to finalize the Dockers and get everything working together, all the modules running together with Docker Compose and/or Kubernetes.

[GCI 2015] Opendf

I have recently visited the opendf website. I found it to be very interesting, but it has some bugs which need to be corrected.

  1. The opendf website is not very colorful, so it does not seem very interesting to the user.
  2. The top-most image is displayed for a very small duration, so it creates a problem for the user to see what basically opendf is.

Rest all the things are awesome.
Please think about my idea about opendf.
Thank you,
Srijan

Details to be included during Image capturing

Please check off the tasks if they already exist or once completed.

  • Case Number (unique): Each case should have a unique case number for court issues.
  • Organization number and details: Organization number and details can be used when generating the reports.
  • Who brought in the case.

Deployments with Docker Compose

We should add a Dockerfile with proper build scripts and entry scripts. We can use docker-compose to enable fast deployment with Dockers.

Implement a base Image Recognition Model

Implement a base Image Recognition Model using some known Pre-trained Image Recognition Models.

Sub-tasks

  • Write tests

  • Write a Main class to use the model via CLI

Google Code-In 2017: Getting Started Issue

THIS IS NOT A REAL ISSUE BUT A PLACEHOLDER.

All the practising PRs for Google Code-In 2017 should refer to this issue. PRs referring to this issue will be closed without merging. Do not refer to this issue if you are NOT submitting a practice PR and need your work merged.

Add hashing for credential storage

Currently the usernames and passwords are stored as plain text in the database (except in the first instance, when the administrator is created). The passwords can be hashed and salted (a separate table has to be created to store the salts).
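An added example, not the project's code: salted PBKDF2 storage in a prefixed `scheme:iterations:salt:hash` string (the same shape as the `bcrypt:` values quoted later in this issue list, and like them it keeps the salt next to the hash), with rows that still hold plaintext verified and re-hashed on the owner's next successful login. `login` and the in-memory table are hypothetical stand-ins for the real database access, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha256"
ITERATIONS = 310_000  # assumed work factor; tune to the deployment's hardware


def hash_password(password, salt=None):
    """Return '<scheme>:<iterations>:<salt hex>:<digest hex>'. A fresh random
    salt is generated per password and stored inside the same value, so the
    verifier can recover it without a lookup elsewhere."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{SCHEME}:{ITERATIONS}:{salt.hex()}:{digest.hex()}"


def verify_password(password, stored):
    """Return (ok, legacy). Rows written before hashing was introduced hold the
    plaintext and carry no scheme prefix; they still verify, but are flagged."""
    if not stored.startswith(SCHEME + ":"):
        return hmac.compare_digest(password.encode(), stored.encode()), True
    _, iters, salt_hex, digest_hex = stored.split(":", 3)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex), False


def login(username, password, table):
    """Authenticate against a {username: stored} table (stands in for the DB)
    and re-hash a legacy plaintext row the first time its owner logs in."""
    stored = table.get(username)
    if stored is None:
        return False
    ok, legacy = verify_password(password, stored)
    if ok and legacy:
        table[username] = hash_password(password)
    return ok
```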

About page organization

The use of headers is good, however it does not really draw my attention in to read any one of the various sections because the headers are not very eye-catching.

Adding contact form to OpenDF site. (GCI)

Currently in the contact section there is only a link to the Google group. I would like to suggest integrating a contact form in the website and also including additional information such as a phone number or a link to an email.
The reasons I suggest this are:
- It would offer users more options, as one user might prefer email to another option.
- It would provide better integration with the site and keep users interested, as they won't be redirected to different sites.

Use Jekyll Instead of MySQL

As this is an open source project, we can use Jekyll instead of MySQL to store evidence, and GitHub Pages could be activated and previewed while Jekyll is in use.

More social icons

Right now there are only Facebook and Google+, but the addition of more (Twitter, possibly?) would help spread the word about OpenDF.

Calculating hash value of each file.

The hash values of each file should be recorded to prove the integrity during analysis and processing.

This can be run as a service if possible, so that during each operation on a disc image or file, if the original hash differs from the current hash, the user can be notified.
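As an added example covering both the hash fields of the disc-image capture issue above (source device, capture time, storage location, hash per file) and this per-file integrity check, and not part of the project: a SHA-256 manifest recorded at capture time and re-verified later, reporting each file as intact, modified or missing. The device path, file names and contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-GB image never has to fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(source_device, capture_dir):
    """Record what the capture issue asks for: source device, capture time,
    storage location and a hash for every file stored under capture_dir."""
    root = Path(capture_dir).resolve()
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {
        "source_device": source_device,
        "captured_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "storage_location": str(root),
        "files": {p.relative_to(root).as_posix(): sha256_file(p) for p in files},
    }


def verify_manifest(manifest):
    """Re-hash every recorded file; the result maps each damaged file to
    'missing' or 'modified', and is empty when the evidence is intact."""
    root = Path(manifest["storage_location"])
    problems = {}
    for rel, expected in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_file(p) != expected:
            problems[rel] = "modified"
    return problems


def demo():
    """Constructed capture: two files, then one is altered and one is deleted."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "disk.img").write_bytes(b"\x00" * 4096)
        (Path(d) / "notes.txt").write_bytes(b"case 1 (constructed sample)\n")
        manifest = build_manifest("/dev/sdb (hypothetical device)", d)
        before = verify_manifest(manifest)
        (Path(d) / "disk.img").write_bytes(b"\x00" * 4095 + b"\x01")  # one byte changed
        (Path(d) / "notes.txt").unlink()
        return before, verify_manifest(manifest)
```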

Find a suitable React boilerplate

Should find an open source, licence-compatible React boilerplate to start developing the front end. Having other needed plugins like Redux, testing tools, etc. configured is a plus.

Permission validation on API endpoints

I noticed that many of the servlets do not perform checks that the user is an admin, has access to the project they are updating, or is even logged in at all. This means that the data stored in OpenDF will not be secure, as anyone who can access the server through HTTP can retrieve any data returned through these unauthenticated endpoints.

As an example, I can query the URL /api/project/54 without being logged in, and it will return the name, status and description of the project.
The endpoint to list all projects required authentication, but the project ID is sequential and easy to predict, so it doesn't take many HTTP calls to retrieve information for all projects.

Response from unauthenticated API call (/api/project/54):

```xml
<project>
    <createdDate>2016-01-17T14:37:01Z</createdDate>
    <description>This is the first project</description>
    <idProject>54</idProject>
    <name>First project</name>
    <status>1</status>
</project>
```

As another example, you can also list all investigators assigned to a project without any authentication.

Making an HTTP GET request to /api/project/54/investigators returns:

```xml
<users>
    <user>
        <avatar>img/user.jpg</avatar>
        <email>[email protected]</email>
        <idUser>11</idUser>
        <level>0</level>
        <name>Lucas</name>
        <password>
            bcrypt:$2a$10$oMNkknFFKh.K/vJKa.4PSOSmTpgwpmxxv9EC64Kvfd3hQVsPjQotS
        </password>
        <username>lucas</username>
    </user>
</users>
```

This even returns the investigators' password hashes (which would have been in plaintext before I modified it to hash passwords with bcrypt), which can be attacked to retrieve the original password (for example using a dictionary attack with common passwords).
If the attacker breaks the password hash, they would have full and persistent access to the investigator's account, even after authentication is added to the endpoint, as long as the password isn't changed.
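An added example (not OpenDF's code) of the two controls this report calls for, modelled in Python rather than the project's servlets: one authorization gate applied by every `/api/project/{id}` handler, and a response view that never includes the password field. The `is_admin` flag, the class names and the sample users are assumptions; the project id, user id and username come from the quoted response.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    id_user: int
    username: str
    password: str            # stored hash such as "bcrypt:..."; must never leave the server
    is_admin: bool = False   # hypothetical flag; the page only shows a numeric <level>

@dataclass
class Project:
    id_project: int
    name: str
    investigators: set = field(default_factory=set)  # ids of assigned users

class Unauthorized(Exception):
    pass

class Forbidden(Exception):
    pass

def authorize_project(session_user, project):
    """Gate for every /api/project/{id}... handler: a session must exist, and the
    caller must be an administrator or assigned to that project."""
    if session_user is None:
        raise Unauthorized("login required")
    if not (session_user.is_admin or session_user.id_user in project.investigators):
        raise Forbidden("not assigned to this project")

def public_user_view(user):
    """Only the fields a response may carry; the password hash is not one of them."""
    return {"idUser": user.id_user, "username": user.username}

def handle_get_investigators(session_user, project, users_by_id):
    """HTTP-style wrapper for GET /api/project/{id}/investigators: (status, body)."""
    try:
        authorize_project(session_user, project)
    except Unauthorized:
        return 401, None
    except Forbidden:
        return 403, None
    return 200, [public_user_view(users_by_id[i]) for i in sorted(project.investigators)]

# Constructed sample data modelled on the response quoted in the issue.
LUCAS = User(11, "lucas", "bcrypt:<hash placeholder>")
ADMIN = User(1, "admin", "bcrypt:<hash placeholder>", is_admin=True)
OUTSIDER = User(42, "mallory", "bcrypt:<hash placeholder>")
USERS = {u.id_user: u for u in (LUCAS, ADMIN, OUTSIDER)}
PROJECT_54 = Project(54, "First project", {11})
```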

User Levels

Three user levels, giving the administrator full rights and restricting access down the hierarchy, to have proper control. The proposed model is as follows.
Please mark as done if this model is already in place.

  • Administrator
  • Investigator - Level 1 (Add/Analyze)
  • Investigator - Level 2 (Analyze /Reporting)

Static files (frontend) should be served by an NGINX server

Serving the static files (HTML, CSS, JS and image files of the front-end) with an NGINX server is good IMO. Once the front-end is updated, the files could be merged, minified, versioned and put in a 'dist' directory. We can then serve these files through NGINX.
