Computer Forensics

Online resources

• Basic Steps in Forensic Analysis of Unix Systems, David Dittrich (Pasos Basicos en Analisis Forense de Sistemas GNU/Linux, Unix, modified, updated and translated to Spanish by Ervin S. Odishoo)

• The Honeynet Project’s Forensic Challenge

• The Forensics Wiki

• dnsstuff.com

• samspade.com

• Computer Forensics World

• Course notes for Black Hat ‘00 Unix forensics class, Dominique Brezinski and David Dittrich

• Dan Farmer and Wietse Venema’s class on computer forensic analysis [ forensics.tar.gz contains the slides in 6-up portrait PostScript format for printing on just 25 double-sided pages]

• Forensic Computer Analysis: An Introduction – Reconstructing past events, By Dan Farmer and Wietse Venema, Dr. Dobb’s Journal, September 2000

• What Are MACtimes?: Powerful tools for digital databases, By Dan Farmer, Dr. Dobb’s Journal, October 2000

• Strangers In the Night: Finding the purpose of an unknown program, by Wietse Venema, Dr. Dobb’s Journal, November 2000

• Computer Forensics Column, Errata

• The Law Enforcement and Forensic Examiners Introduction to Linux, a Beginner’s Guide, Barry J. Grundy, NASA Office of the Inspector General

• Notes on updating Red Hat Linux 7.1 to support >2GB images with TCT, TCTUTILS and Autopsy (see also Large File Support in Linux)

• Forensic Analysis of a Compaq RAID-1 Array and Using dd with EnCase v3, by Keith J. Jones

• RAID Reassembly - A forensic Challenge (using PyFlag to reconstruct a filesystem from a RAID array)

• Forensic Analysis Using FreeBSD - Part 1 by Keith J. Jones

• Email Forensics CEIC 2002, William L. Farwell, 2002

• Time Zone Converter

• Linux NTFS file system drivers

• Open Source Forensic Tools for Unix

• chkwtmp (SunOS 4.x)

• chklastlog (SunOS 4.x)

• NT Objectives was mentioned in a DEFCON talk on forensics. They produce a free toolkit (that lets you do the same thing as find does for free on Unix!)

• NTI Information and Resource Page (Mostly Windows-specific instructions, but some general forensic guidelines)

• Slashdot thread on wiping hard drive contents

• Put A Trace On It: A Command You Can “truss”, SunSolve Online document

• Signatures of Macintosh files

• DD’s Ultimate Guide to Mac OS Forensics

Forensic analysis tools and related software

• MIG: Mozilla InvestiGator (“Mozilla’s real-time digital forensics and investigation platform.”) [ABANDONED PROJECT]

• GitHub fireeye/flare-vm

  • FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!, by Peter Kacherginsky, FireEye Blogs, July 26, 2017

  • FLARE VM Update, by Nhan Huynh, FireEye Blogs, November 14, 2018

• Introducing KAPE – Kroll Artifact Parser and Extractor by Eric Zimmerman, February 14, 2019

  • Introduction to KAPE, YouTube video by Eric Zimmerman, March 18, 2019

  • Forensic Blogs: An aggregator for digital forensics blogs

• Brian Carrier’s Sleuthkit (formerly TASK, formerly The Coroner’s Toolkit, formerly TCT-Utils)

  • Sleuthkit

  • Autopsy Browser

  • Sleuthkit Informer

  • PTK - A FREE alternative Sleuthkit Interface

  • Zeitline (Java graphical timeline editor for Sleuthkit ‘fls’ files)

  • Fiwalk

• Arsenal Image Mounter

  • GitHub ArsenalRecon/Arsenal-Image-Mounter (“Arsenal Image Mounter mounts the contents of disk images as complete disks in Microsoft Windows.”)

• Automating DFIR - How to series on programming libtsk with python Part 1

• Automating DFIR - How to series on programming libtsk with python Part 2

• Automating DFIR - How to series on programming libtsk with python Part 3

• Bootable CD-ROM and Virtual Machine toolkits

  • Generic bootable CDs

    • The Live-CD List

    • Knoppix Security Tools Distribution (STD)

    • Trinity Rescue Kit (TRK)

    • Puppy Linux

    • The Auditor security tools Live CD

    • grml - Linux Live-CD for sysadmins / texttool-users / geeks

    • Bart’s Preinstalled Environment (BartPE) bootable live windows CD/DVD

    • TAILS (The Amnesiac Incognito Live System)

  • Forensic-specific bootable CDs

    • The SANS Investigative Forensic Toolkit (SIFT) Workstation

    • CAINE (Computer Aided INvestigative Environment) [GNU/Linux live distribution created by Giancarlo Giustini as a project of Digital Forensics for Interdepartment Center for Research on Security (CRIS)]

    • Penguin Sleuthkit (a remaster of Knoppix)

    • The Farmer’s Boot CD

    • Helix Incident Response and Forensics LiveCD

    • DEFT Linux

    • The FIRE (formerly known as “Biatchux”) bootable CD-ROM forensic toolkit

  • Windows-specific forensics and tools

    • Windows 8 Forensics Guide, by Amanda C. F. Thomson, The George Washington University

    • The Microsoft Office Visualization Tool (OffVis) Fact Sheet, Microsoft

    • MIR-ROR: Motile Incident Response – Respond Objectively, Remediate MIR-ROR, by Russ McCree and Troy Larson [Also read Russ’s toolsmith article on MIR-ROR]

    • Open Source Forensic Tools for Windows

    • Running Sleuthkit and Autopsy Under Windows, by Charles Lucas, June 11, 2004

    • Fundamental Computer Investigation Guide For Windows, Microsoft

    • Windows Incident Response blog by Harlan Carvey

    • Availability and description of the File Checksum Integrity Verifier utility (FCIV), Microsoft KB 841290

  • FLAG (Forensic Log Analysis GUI), from the Australian Defence Signals Division

  • Live View from Carnegie Mellon

  • Harddisk not found, VMware Communities [Shows how to boot a VM from a FireWire hard drive on a Mac]

• The Advanced Forensics Format (AFF) (See also: AFF publications list)

Blogs

• int for(ensic) {blog;} by Andreas Schuster

Books

• Forensic Discovery, by Dan Farmer and Wietse Venema, Addison Wesley Professional [Duffbert’s Random Musings review of the book]

• List of books on forensics compiled by Jeimy J. Cano, Universidad de los Andes

Articles/Journals

• Distributed Computer Forensics: Challenges and Possible Solutions, by Samuel Liles, November 7, 2011

• How to recover lost files after you accidentally wipe your hard drive, by Shawn Hermans, Linux.com August 28, 2006

• Digital Evidence: How Law Enforcement Can Level the Playing Field With Criminals, by Nancy Ritter, NIJ Journal No. 254, July 2006

• Ten Steps to Forensic Readiness, by Robert Rowlingson, International Journal of Digital Evidence, Winter 2004, Volume 2, Issue 3

• Forensic Readiness, by John Tan, @Stake, 2001

• International Responses to Cyber Crime

• International Journal of Digital Evidence

• Sleuthkit Informer

• Open Source Digital Forensic Tools: The Legal Argument, by Brian Carrier, @stake

• Computer forensics specialists in demand as hacking grows, by Suzanne Monson, Special to The Seattle Times, September 8, 2002

• Electronic Data Discovery Primer, by Albert Barsocchini, Law Technology News, August 28, 2002

• Solving the Perfect Computer Crime, by Jay Lyman, www.NewsFactor.com, February 27, 2002

• NT Incident Response Investigations and Analysis, by Harlan Carvey, Information Security Bulletin, June 2001

• “A harder day in court for fingerprint, writing experts: US judge limits testimony of forensic analysts, in a ruling that might alter how evidence is presented at trial,” by Seth Stern, Christian Science Monitor, January 16, 2002

• Cybersleuthing solves the case (and related stories) by Deborah Radcliff, Computerworld, January 14, 2002

• Digital sleuthing uncovers hacking costs, by Robert Lemos, Special to CNET News.com, March 22, 2001

• “Intrusion Detection Systems as Evidence”, by Peter Sommer, Computer Security Research Centre, London School of Economics & Political Science

• Advancing Crime Scene Computer Forensic Techniques, by Chet Hosmer, John Feldman, and Joe Giordano

• Analysis: The forensics of Internet security, by Carole Fennely, SunWorld (via CNN), July 26, 2000

• September 2000 Market Survey – Computer Forensics, by James Holley, SC Magazine (ranks Linux dd a Best Buy! ;)

• Cybercops Need Better Tools – Law enforcement agencies are falling behind hackers, says exec of CIA tech incubator, by Matthew Schwartz, Computerworld, July 31, 2000

• Crime Seen (Cover story on digital forensics), by Bill Betts, Information Security Magazine, March, 2000

• Disk Shows Love Bug-Like Virus, by Dirk Beveridge, AP, May 16 2000

• Computer Forensics: Investigators Focus on Foiling Cybercriminals, by Illena Armstrong, SC Magazine (cover story), April 2000

• CD Universe evidence compromised – Failure to protect computer data renders it suspect in court, by Mike Brunker and Bob Sullivan, MSNBC, June 7, 2000

• Crime and Clues – The Art and Science of Criminal Investigation

• FBI Forensic Science Communications

Organizations/conferences/training

• International Organisation on Computer Evidence

• European Network of Forensic Science Institutes – Forensic information technology Working group

• International Association of Computer Investigative Specialists (IACIS)

• A list of Calls for Papers, Conferences and On-going Training courses

• A list of Scheduled Training courses

Law and Legal Process

• Secret Service Form 4017: Cyber Threat/Network Incident Report

• Judicial Gatekeeping in Texas, by Thomas F. Allen, Jr. and Robert Rogers, Harvard Law School ‘99 (Daubert)

• Admissibility of Scientific Evidence Under Daubert

• Frye v. United States 293 F. 1013 (D.C. Cir. 1923)

• Rules of Evidence, Harvard School of Law

Being an Expert Witness or Consulting for Counsel

• Guide to Forensic Testimony: The Art and Practice of Presenting Testimony As An Expert Technical Witness, by Fred Chris Smith and Rebecca Gurley Bace, Addison Wesley Professional, 2003, ISBN 0-201-75279-4

• How Attorneys Use Experts and Consultants, ExpertPages.com

Digital Timestamping

• Microsoft’s OCCUR: Open Chronologist for Currently Undisclosed Research

• Trusted Timestamping at Wikipedia

• Stamper digital timestamping service

• Internet X.509 Public Key Infrastructure Time Stamp Protocol (TSP)

• What is digital timestamping?, RSA Cryptography FAQ section 7.11

• Secure Time/Date Stamping in a Public Key Infrastructure, Surety.com White Paper (PDF)

• Time Stamp Protocol, by Byun, Jung-Soo

• Time is of the Essense: Electronic documents will only stand up in court if the who, what, and when they represent are unassailable, by Charles R. Merrill, CIO.com, March 15, 2000

• How to Time-Stamp a Digital Document (PDF), by Stuart Haber and W. Scott Stornetta, Journal of Cryptology, Vol. 3, No. 2, pp. 99-111 (1991)

  • Improving the Efficiency and Reliability of Digital Time-Stamping (PostScript), by Dave Bayer, Stuart Haber, and W. Scott Stornetta, in Sequences II: Methods in Communication, Security, and Computer Science, eds. R. Capocelli, A. DeSantis, and U. Vaccaro, pp. 329-334, (Springer-Verlag, 1993)

  • Secure Names for Bit-Strings (PostScript), by Stuart Haber and W. Scott Stornetta, in Proceedings of the 4th ACM Conference on Computer and Communication Security, (ACM, 1997).

Guidelines and standards

• APWG suggests e-crime reporting system, by Jeremy Kirk, IDG News Service, March 11, 2009

• The Emergent Law Enforcement Network Security Initiative (eLENS), APWG

• National Information Exchange Model (NIEM), IJIS Institute

• Investigations Involving the Internet and Computer Networks, National Institute of Justice, NCJ 210798, 2006

• Electronic Crime Scene Investigation: A Guide for First Responders, National Institute of Justice, NCJ 187736, 2001

• Forensic Examination of Digital Evidence: A Guide for Law Enforcement, National Institute of Justice, NCJ 199408, 2004

• Windows Vista Security Guide, Microsoft

• U.S. Department of Energy Computer Forensic Laboratory’s First Responder’s Manual (PDF)

• Handbook of Legislative Procedures of Computer and Network Misuse in EU Countries (CSIRT Project Survey)

• Directors and Corporate Advisors Guide to Digital Investigations and Evidence, by Peter Sommer for IAAC, September 2005

• Federal Guidelines for Searching and Seizing Computers, U.S. Deptarment of Justice

• Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, Criminal Division, United States Department of Justice, January 2001 (PDF Version)

• Field Guidance on New Authorities (Redacted), enacted in the 2001 Anti-terrorism Legislation (“USA Patriot Act”), issued by the Department of Justice

• How the FBI Investigates Computer Crime, CERT Coordination Center

• Evidence Examinations – Computer Examinations, Handbook of Forensic Services, U.S. Department of Justice, FBI

• Digital Evidence: Standards and Principles, Forensic Science Communications, US DoJ, April 2000, Volume 2, Number 2

• Recovering and Examining Computer Forensic Evidence, Forensic Science Communications, US DoJ, October 2000, Volume 2, Number 4

• RFC 3227: Guidelines for Evidence Collection and Archiving, by Dominique Brezinski and Tom Killalea

• An Introduction to the Field Guide for Investigating Computer Crime, by Timothy E. Wright (Security Focus Incident Handling focus)

• The Field Guide for Investigating Computer Crime: Overview of a Methodology for the Application of Computer Forensics, by Timothy E. Wright (Security Focus Incident Handling focus)

• The Field Guide for Investigating Computer Crime: Search and Seizure Basics, by Timothy Wright (Security Focus Incident Handling focus)

• Recovering from an Intrusion, by /dev/null

Interviews

• Info.sec.radio segment on forensics (@15:45.0), July 10, 2000

• SecurityFocus interview with Jennifer Grannick

• SecurityFocus interview with Chad Davis

Reverse engineering/Debugging/Malware Analysis

• Reverse Engineering for Beginners, yurichev.com

• Host indicator GREP 2.0, Software Engineering Institute, Carnegie Mellon University

• Reverse Engineering Hostile Code, by Joe Stewart, SecurityFocus Online, October 23, 2002

• Alien Autopsy: Reverse Engineering Win32 Trojans on Linux, by Joe Stewart, SecurityFocus Online, November 14, 2002

• Reverse Engineering Malware, by Lenny Zeltser, May 2001

• The Honeynet Project’s Reverse [engineering] Challenge

• Ghidra

  • Ghidra Nation State Level Reverse Engineering Tools, by Danny Quist, March 16, 2019

• JavaScript De-obfuscation

  • The Ultimate Deobfuscator, Websense Security Labs blog

  • Javascript decoding round-up, Internet Storm Center

  • Advanced obfuscated JavaScript analysis, Internet Storm Center

  • Internet Explorer Developer Toolbar, Microsoft

• Fenris, by Michal Zalewski, BINDVIEW

  • Other open source reverse engineering tools listed by Michal Zalewski

  • Using fenris on the Honeynet Project Reverse Challenge binary

  • Using fenris on burneye protected binaries

• OllyDbg Win32 runtime debugger (See also OllyDbg Stuph debugger aids)

• Linux tools for Reverse Engineering at Packet Storm

• LinuxAssembly.org resources

• Linux Assembly HOWTO, by Konstantin Boldyshev and Francois-Rene Rideau

• Programmer’s Tools Decompiler/Dissassembler page

• Linux Kernel Internals (especially the “How System Calls Are Implemented on i386 Architecture chapter)

• The Decompilation Page at the University of Queensland

• IDA Pro Disassembler (commercial product, multi-platform/OS) [older freeware version]

• GDB tutorial

• Gnu GDB docs

• Cornell Theory Center Totorial on GDB

• Norm Matloff’s Debugging Tutorial

• Last Fravia’s mirror of Reverse code engineering

• Books

  • The Art of Computer Virus Research and Defense, by Peter Szor, Addison Wesley in collaboration with Symantec Press, ISBN 0321304543, February, 2005

  • Linkers and Loaders, by John Levine, Morgan-Kauffman, ISBN 1-55860-496-0, October 1999

  • Intel 64 and IA-32 Architectures Software Developer Manuals, Intel Corporation

• Anubis: Analyzing Unknown Binaries, Secure Systems Lab, Vienna University of Technology

Memory Forensics

• Memoryze, by Mandiant

• The Volatility Framework, by Volatile Systems

  • Volatility Memory Forensics I - Installation

  • Taking a dump of PC memory

  • Volatility Memory Forensics II - Using Volatility

  • Volatility Mem Forensics III - Using Volatility continued…

  • Volatility Mem Forensics IV - Putting it all together

• Windows Memory Forensics, forensic.seccure.net

• Physical Memory Forensics, by M. Burdach, BlackHat Briefings US 2006

• Live Memory Forensics, by by datagram, Toorcon 9, 2007

• FATKIT: The Forensic Analysis ToolKit, by AAron Walters and Nick L. Petroni Jr.

• The Solaris Memory System: Sizing, Tools and Architecture (PDF)

• UNIX Kernel Stack Overflows, SunSolve Online Infodoc

• SE Toolkit (Sun memory management tuning utility)

Anti-Forensics (Note: Use these on an isolated analysis system)

• OS X Anti-Forensics Techniques - How the Leopard Hides His Spots, by the Grugq, Macsecurity.com, July 2013

• SecuriTeam.com TESO Burneye Unwrapper

• Advanced in ELF Runtime Binary Encryption - Shiva, by Neil Mehta, Blackhat USA 2003 (PDF)

• Unpackers/decrypters/unprotectors (Generic/universal unpackers/deprotectors/dumpers)

• Packer and Unpackers

• EXEStealth executable protection

• Generic ExeStealth Unpacker v1.0

Encryption/Stegonography

• www.Decryption.info

• Steganalysis - Attacks against Steganography and Watermarking - Countermeasures, by Neil F. Johnson

• Defeating Statistical Steganalysis, CITI, University of Michigan

• What happened to Truecrypt?, r000t blog

Secure Deletion

• Eraser for Windows

• Darik’s Boot and Nuke (DBAN)

• See also the links on Josh Larios’ old autoclave web page

Cell Phone/Mobile Forensics

• Phone-Forensics

• iPhone Forensic Analsysis White Paper, Andrew Hoog, SANS, November 2010

• Mobile Device Forensics blog

• Mobile Phone Forensics Tool Testing: A Database Driven Approach, by Ibrahim M. Baggili, Richard Mislan, and Marcus Rogers, Purdue University, International Journal of Digital Evidence, Fall 2007, Volume 6, Issue 2

Fingerprint (file hash) databases

• The Solaris Fingerprint Database

• known goods

• The NIST National Software Reference Library (NSRL)

Rootkit identification utilities

• Rootkit Hunter

• chkrootkit

File system integrity checking tools

• Osiris

• AIDE

• FTimes and HashDig

Forensic analysis or related hardware

• Cold boot disk encryption attack is shockingly effective, Engadget, February 21, 2008

• Hard Disk Removal, Sanderson Forensics

• Customer Installable Parts, Apple Computer

• WiebeTECH (Fire Wire docking devices)

• FIREVue FireWire 400 / IDE Bridge Boards

• DK-9 Removable Hard-Drive Enclosure USB 2.0 + Firewire 1394 with Ultra Quiet Cooling Fan

• Forensic-Computers.com

• F.R.E.D.D.I.E.

• The Image MASSter Solo 2 Forensic system

• Daten Airbag (hard drive write protection)

• Centurion Guard

• Agate USB hard drive

Partitioning/File system documentation

• Windows NT Boot Process and Hard Disk Constraints, Microsoft Knowledge Base Article 114841

• See “Splitting the Disk” in Sleuthkit Informer #2

• Sleuthkit Media Management Tools

• Linux Resource: Top: Kernel: File Systems

• Ext2fs Home Page

• Ext3 for the 2.2 kernel

• SGI’s XFS Port to Linux

• IBM’s JFS Port to Linux

• Reiserfs

• FAT: General Overview of On-Disk Format, Microsoft

• Microsoft Extensible Firmware Initiative FAT32 File System Specification, Microsoft

• Linux Magic Numbers

• JPEG File Interchange Format (JFIF)

• The proposed Filesystem Hierarchy Standard [PDF file] (Directories/files, their locations, and intended purposes: A good topographic map of Unix filesystems.)

• Journal File Systems, by Juan I. Santos Florido

• Large File Support in Linux

• What is RAID?

• RAID failures

• Linux DTP Hardware RAID HOWTO, by Ram Samudrala, v1.6, February 20, 2002

• How to mount an LVM volume?, Superuser post by 99miles, March 5 2010

Destruction/Recovery of data

• Recovering files with “The Sleuth Kit”, Gentoo discussion forums

• TestDisk [general drive recovery software for multiple OSs]

• Recuva for Windows

• Spin-Stand Microscopy of Hard Disk Data, by craigswright, SANS blog, January 28, 2009

• Selling More Than You Bargained For, Fulcrum Inquiry press release, February 2007. (This echoes a study done by Simpson Garfinkel at MIT, and my own experience purchasing surplus equipment from “a major aerospace company” in the late 1990s. Sad to see this problem is still so prevalent.)

• I Just Bought Your Hard Drive, the Red Tape Chronicles, by Bob Sullivan, MSNBC.com, June 5, 2006

• Safe destruction of hard drives (This is good! ;)

• How to Destroy a Hard Drive? Blend It, by Charlie Sorrel, July 08, 2009

• DriveSlag - Complete Hard Drive Data Destruction Recover This!, Dave Bullock / eecue

• Zapping data on CDs! (NICE light show!)

• Unlocking a password protected harddisk (ATA Security Mode features), by the Rockbox Crew

• Malibu Media Dealt With Setback in File-Sharing Case

Incident costs, damage estimation, and risk analysis

• Project Develops Model for Analyzing Security Incident Costs in Academic Computing Environments

• A Study on Incident Costs and Frequencies, by Virginia Rezmierski <ver@umich.edu>, Adriana Carroll <adriana_carroll@hotmail.com>, and Jamie Hine

• Information Security Incident Cost Estimate form from California State LA IT department (XLS file)

• Faking It: Calculating Loss in Computer Crime Sentencing By Jennifer S. Granick, March 17, 2006 (Draft) [In relation to this case: Computer Privacy Upheld, but Sidestepped by Silver Platter Doctrine and Schools Special Needs Exception]

• Security Attribute Evaluation Method: A Cost Benefit Approach, by Shawn Butler, Carnegie Mellon University, International Conference on Software Engineering 2002 (ICSE 2002) Proceedings

• Multi-Attribute Risk Assessment, by Shawn Butler, Carnegie Mellon University, Proceedings from Symposium on Requirements Engineering for Information Security (SREIS 2002)

• Attack Trees: Modeling security threats, by Bruce Schneier, Dr. Dobb’s Journal, December 1999

• Attack Modelling for Information Security and Survivability, Andrew P. Moore, Robert J. Ellison, Richard C. Linger, Technical Note CMU/SEI-2001-TN-001, March 2001

• A Quick Tour of Attack Tree Based Risk Analysis Using Secur/Tree, whitepaper by Amenaza.com, May 2002

Other documents/terms/legal resources

• Examining Cell Phones, Forensic Science

• Computer/High-Tech Crime and Related Sites

• Resources for High-Tech Crime Units, Officer.com

• What is “Bates Numbering?”

• Forensics Links from www.forinsect.de

Certificate/Degree Programs

• A university in Texas is offering a cybersecurity degree program, by Sandra Swanson, Informationweek, May 3, 2002

• U.T. Dallas To Establish Digital Forensics And Security Institute To Help Fight Cybercrime, University of Texas, Dallas, press release, May 1, 2002

• University of New Haven Forensic Computer Investigation Program

• Graduate Certificate Program in Computer Forensics (GCCF), University of Central Florida

• UCF’s list of University Programs/Courses in Computer Forensics

• Georgetown Institute for Information Assurance

• Dan J. Ryan’s Educational Materials

• Johns Hopkins University Information Security Institute

• Carnegie Mellon University Information Networking Institute (a C3S affiliated program)

• Syracuse University Information Security Management Program

• Dartmouth University Institute for Security Technology Studies

• Purdue University CERIAS Information Assurance Education Graduate Certificate Program