Last modified: Sun Mar 24 23:46:52 PDT 2013
Computer Forensics
- Online resources
- Basic Steps in Forensic Analysis of Unix Systems, David Dittrich (Pasos Básicos en Análisis Forense de Sistemas GNU/Linux, Unix, modified, updated and translated to Spanish by Ervin S. Odishoo)
- The Honeynet Project's Forensic Challenge
- The Forensics Wiki
- dnsstuff.com
- samspade.com
- Computer Forensics World
- Course notes for Black Hat '00 Unix forensics class, Dominique Brezinski and David Dittrich
- Dan Farmer & Wietse Venema's class on computer forensic analysis
[forensics.tar.gz contains the slides in 6-up portrait PostScript format for printing on just 25 double-sided pages]
- Forensic Computer Analysis: An Introduction -- Reconstructing past events, By Dan Farmer and Wietse Venema, Dr. Dobb's Journal, September 2000
- What Are MACtimes?: Powerful tools for digital databases, By Dan Farmer, Dr. Dobb's Journal, October 2000
- Strangers In the Night: Finding the purpose of an unknown program, by Wietse Venema, Dr. Dobb's Journal, November 2000
- Computer Forensics Column, Errata
- The Law Enforcement and Forensic Examiners Introduction to Linux, a Beginner's Guide, Barry J. Grundy, NASA Office of the Inspector General
- Notes on updating Red Hat Linux 7.1 to support >2GB images with TCT, TCTUTILS & Autopsy (see also Large File Support in Linux)
- Forensic Analysis of a Compaq RAID-1 Array and Using dd with EnCase v3, by Keith J. Jones
- RAID Reassembly - A forensic Challenge (using PyFlag to reconstruct a filesystem from a RAID array)
- Forensic Analysis Using FreeBSD - Part 1 by Keith J. Jones
- Email Forensics CEIC 2002, William L. Farwell, 2002
- Time Zone Converter
- Linux NTFS file system drivers
- Open Source Forensic Tools for Unix
- chkwtmp (SunOS 4.x)
- chklastlog (SunOS 4.x)
- NT Objectives was mentioned in a DEFCON talk on forensics. They produce a free toolkit (that lets you do the same thing as find does for free on Unix!)
- NTI Information & Resource Page (Mostly Windows-specific instructions, but some general forensic guidelines)
- Slashdot thread on wiping hard drive contents
- Put A Trace On It: A Command You Can "truss", SunSolve Online document
- Signatures of Macintosh files
- DD's Ultimate Guide to Mac OS Forensics
- Disable Automount or Mount All MSDOS filesystems in RO (avoid auto-mounting devices when doing forensics on a Mac)
- Forensic analysis tools and related software
- Brian Carrier's Sleuthkit (formerly TASK, formerly The Coroner's Toolkit, formerly TCT-Utils)
- Bootable CD-ROM and Virtual Machine toolkits
- Generic bootable CDs
- Forensic-specific bootable CDs
- Windows-specific forensics and tools
- Windows 8 Forensics Guide, by Amanda C. F. Thomson, The George Washington University
- The Microsoft Office Visualization Tool (OffVis) Fact Sheet, Microsoft
- MIR-ROR: Motile Incident Response -- Respond Objectively, Remediate MIR-ROR, by Russ McCree and Troy Larson [Also read Russ's toolsmith article on MIR-ROR]
- Open Source Forensic Tools for Windows
- Running Sleuthkit and Autopsy Under Windows, by Charles Lucas, June 11, 2004
- Fundamental Computer Investigation Guide For Windows, Microsoft
- Windows Incident Response blog by Harlan Carvey
- Availability and description of the File Checksum Integrity Verifier utility (FCIV), Microsoft KB 841290
- FLAG (Forensic Log Analysis GUI), from the Australian Defence Signals Division
- Live View from Carnegie Mellon
- Harddisk not found, VMware Communities [Shows how to boot a VM from a FireWire hard drive on a Mac]
- The Advanced Forensics Format (AFF) (See also: AFF publications list)
- Blogs
- Books
- Articles/Journals
- How to recover lost files after you accidentally wipe your hard drive, by Shawn Hermans, Linux.com August 28, 2006
- Digital Evidence: How Law Enforcement Can Level the Playing Field With Criminals, by Nancy Ritter, NIJ Journal No. 254, July 2006
- Ten Steps to Forensic Readiness, by Robert Rowlingson, International Journal of Digital Evidence, Winter 2004, Volume 2, Issue 3
- Forensic Readiness, by John Tan, @Stake, 2001
- International Responses to Cyber Crime
- International Journal of Digital Evidence
- Sleuthkit Informer
- Open Source Digital Forensic Tools: The Legal Argument, by Brian Carrier, @stake
- Computer forensics specialists in demand as hacking grows, by Suzanne Monson, Special to The Seattle Times, September 8, 2002
- Electronic Data Discovery Primer, by Albert Barsocchini, Law Technology News, August 28, 2002
- Solving the Perfect Computer Crime, by Jay Lyman, www.NewsFactor.com, February 27, 2002
- NT Incident Response Investigations and Analysis, by Harlan Carvey, Information Security Bulletin, June 2001
- "A harder day in court for fingerprint, writing experts: US judge limits testimony of forensic analysts, in a ruling that might alter how evidence is presented at trial," by Seth Stern, Christian Science Monitor, January 16, 2002
- Cybersleuthing solves the case (and related stories) by Deborah Radcliff, Computerworld, January 14, 2002
- Digital sleuthing uncovers hacking costs, by Robert Lemos, Special to CNET News.com, March 22, 2001
- "Intrusion Detection Systems as Evidence", by Peter Sommer, Computer Security Research Centre, London School of Economics & Political Science
- Advancing Crime Scene Computer Forensic Techniques, by Chet Hosmer, John Feldman, and Joe Giordano
- Recovering and Examining Computer Forensic Evidence, Forensic Science Communications, FBI, October 2000
- Analysis: The forensics of Internet security, by Carole Fennely, SunWorld (via CNN), July 26, 2000
- September 2000 Market Survey -- Computer Forensics, by James Holley, SC Magazine (ranks Linux dd a Best Buy! ;)
- Cybercops Need Better Tools -- Law enforcement agencies are falling behind hackers, says exec of CIA tech incubator, by Matthew Schwartz, Computerworld, July 31, 2000
- Crime Seen (Cover story on digital forensics), by Bill Betts, Information Security Magazine, March, 2000
- Disk Shows Love Bug-Like Virus, by Dirk Beveridge, AP, May 16 2000
- Computer Forensics: Investigators Focus on Foiling Cybercriminals, by Illena Armstrong, SC Magazine (cover story), April 2000
- CD Universe evidence compromised -- Failure to protect computer data renders it suspect in court, by Mike Brunker and Bob Sullivan, MSNBC, June 7, 2000
- Crime & Clues -- The Art and Science of Criminal Investigation
- FBI Forensic Science Communications
- Organizations/conferences/training
- Law and Legal Process
- Being an Expert Witness or Consulting for Counsel
- Digital Timestamping
- Microsoft's OCCUR: Open Chronologist for Currently Undisclosed Research
- Trusted Timestamping at Wikipedia
- Stamper digital timestamping service
- Internet X.509 Public Key Infrastructure Time Stamp Protocol (TSP)
- What is digital timestamping?, RSA Cryptography FAQ section 7.11
- Secure Time/Date Stamping in a Public Key Infrastructure, Surety.com White Paper (PDF)
- Time Stamp Protocol, by Byun, Jung-Soo
- Time is of the Essence: Electronic documents will only stand up in court if the who, what, and when they represent are unassailable, by Charles R. Merrill, CIO.com, March 15, 2000
- How to Time-Stamp a Digital Document (PDF), by Stuart Haber and W. Scott Stornetta, Journal of Cryptology, Vol. 3, No. 2, pp. 99-111 (1991)
- Improving the Efficiency and Reliability of Digital Time-Stamping (PostScript), by Dave Bayer, Stuart Haber, and W. Scott Stornetta, in Sequences II: Methods in Communication, Security, and Computer Science, eds. R. Capocelli, A. DeSantis, and U. Vaccaro, pp. 329-334, (Springer-Verlag, 1993)
- Secure Names for Bit-Strings (PostScript), by Stuart Haber and W. Scott Stornetta, in Proceedings of the 4th ACM Conference on Computer and Communication Security, (ACM, 1997).
- Guidelines and standards
- APWG suggests e-crime reporting system, by Jeremy Kirk, IDG News Service, March 11, 2009
- The Emergent Law Enforcement Network Security Initiative (eLENS), APWG
- National Information Exchange Model (NIEM), IJIS Institute
- Investigations Involving the Internet and Computer Networks, National Institute of Justice, NCJ 210798, 2006
- Electronic Crime Scene Investigation: A Guide for First Responders, National Institute of Justice, NCJ 187736, 2001
- Forensic Examination of Digital Evidence: A Guide for Law Enforcement, National Institute of Justice, NCJ 199408, 2004
- Windows Vista Security Guide, Microsoft
- U.S. Department of Energy Computer Forensic Laboratory's First Responder's Manual (PDF)
- Handbook of Legislative Procedures of Computer and Network Misuse in EU Countries (CSIRT Project Survey)
- Directors and Corporate Advisors Guide to Digital Investigations and Evidence, by Peter Sommer for IAAC, September 2005
- Federal Guidelines for Searching and Seizing Computers, U.S. Department of Justice
- Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, Criminal Division, United States Department of Justice, January 2001 (PDF Version)
- Field Guidance on New Authorities (Redacted), enacted in the 2001 Anti-terrorism Legislation ("USA Patriot Act"), issued by the Department of Justice
- How the FBI Investigates Computer Crime, CERT Coordination Center
- Evidence Examinations -- Computer Examinations, Handbook of Forensic Services, U.S. Department of Justice, FBI
- Digital Evidence: Standards and Principles, Forensic Science Communications, US DoJ, April 2000, Volume 2, Number 2
- Recovering and Examining Computer Forensic Evidence, Forensic Science Communications, US DoJ, October 2000, Volume 2, Number 4
- RFC 3227: Guidelines for Evidence Collection and Archiving, by Dominique Brezinski and Tom Killalea
- An Introduction to the Field Guide for Investigating Computer Crime, by Timothy E. Wright (Security Focus Incident Handling focus)
- The Field Guide for Investigating Computer Crime: Overview of a Methodology for the Application of Computer Forensics, by Timothy E. Wright (Security Focus Incident Handling focus)
- The Field Guide for Investigating Computer Crime: Search and Seizure Basics, by Timothy Wright (Security Focus Incident Handling focus)
- Recovering from an Intrusion, by /dev/null
- Interviews
- Reverse engineering/Debugging/Malware Analysis
- Host indicator GREP 2.0, Software Engineering Institute, Carnegie Mellon University
- Reverse Engineering Hostile Code, by Joe Stewart, SecurityFocus Online, October 23, 2002
- Alien Autopsy: Reverse Engineering Win32 Trojans on Linux, by Joe Stewart, SecurityFocus Online, November 14, 2002
- Reverse Engineering Malware, by Lenny Zeltser, May 2001
- The Honeynet Project's Reverse [engineering] Challenge
- JavaScript De-obfuscation
- Fenris, by Michal Zalewski, BINDVIEW
- OllyDbg Win32 runtime debugger (See also OllyDbg Stuph debugger aids)
- Linux tools for Reverse Engineering at Packet Storm
- LinuxAssembly.org resources
- Linux Assembly HOWTO, by Konstantin Boldyshev and François-René Rideau
- Programmer's Tools Decompiler/Disassembler page
- Linux Kernel Internals (especially the "How System Calls Are Implemented on i386 Architecture" chapter)
- The Decompilation Page at the University of Queensland
- IDA Pro Disassembler (commercial product, multi-platform/OS) [older freeware version]
- GDB tutorial
- Gnu GDB docs
- Cornell Theory Center Tutorial on GDB
- Norm Matloff's Debugging Tutorial
- Last Fravia's mirror of Reverse code engineering
- Books
- The Art of Computer Virus Research and Defense, by Peter Szor, Addison Wesley in collaboration with Symantec Press, ISBN 0321304543, February, 2005
- Linkers and Loaders, by John Levine, Morgan-Kauffman, ISBN 1-55860-496-0, October 1999
- Intel 64 and IA-32 Architectures Software Developer Manuals, Intel Corporation
- Anubis: Analyzing Unknown Binaries, Secure Systems Lab, Vienna University of Technology
- Memory Forensics
- Memoryze, by Mandiant
- The Volatility Framework, by Volatile Systems
- Windows Memory Forensics, forensic.seccure.net
- Physical Memory Forensics, by M. Burdach, BlackHat Briefings US 2006
- Live Memory Forensics, by datagram, Toorcon 9, 2007
- FATKIT: The Forensic Analysis ToolKit, by AAron Walters and Nick L. Petroni Jr.
- The Solaris Memory System: Sizing, Tools and Architecture (PDF)
- UNIX Kernel Stack Overflows, SunSolve Online Infodoc
- SE Toolkit (Sun memory management tuning utility)
- Anti-Forensics (Note: Use these on an isolated analysis system)
- Encryption/Steganography
- Secure Deletion
- Cell Phone/Mobile Forensics
- Phone-Forensics
- iPhone Forensic Analysis White Paper, Andrew Hoog, SANS, November 2010
- Mobile Device Forensics blog
- Mobile Phone Forensics Tool Testing: A Database Driven Approach, by Ibrahim M. Baggili, Richard Mislan, and Marcus Rogers, Purdue University, International Journal of Digital Evidence, Fall 2007, Volume 6, Issue 2
- Fingerprint databases
- Rootkit identification utilities
- File system integrity checking tools
- Forensic analysis or related hardware
- Partitioning/File system documentation
- Destruction/Recovery of data
- Recovering files with "The Sleuth Kit", Gentoo discussion forums
- TestDisk [general drive recovery software for multiple OSs]
- Recuva for Windows
- Spin-Stand Microscopy of Hard Disk Data, by craigswright, SANS blog, January 28, 2009
- Selling More Than You Bargained For, Fulcrum Inquiry press release, February 2007. (This echoes a study done by Simson Garfinkel at MIT, and my own experience purchasing surplus equipment from "a major aerospace company" in the late 1990s. Sad to see this problem is still so prevalent.)
- I Just Bought Your Hard Drive, the Red Tape Chronicles, by Bob Sullivan, MSNBC.com, June 5, 2006
- Safe destruction of hard drives (This is good! ;)
- Zapping data on CDs! (NICE light show!)
- Unlocking a password protected harddisk (ATA Security Mode features), by the Rockbox Crew
- Incident costs, damage estimation, and risk analysis
- Project Develops Model for Analyzing Security Incident Costs in Academic Computing Environments
- A Study on Incident Costs and Frequencies, by Virginia Rezmierski <ver@umich.edu>, Adriana Carroll <adriana_carroll@hotmail.com>, and Jamie Hine
- Faking It: Calculating Loss in Computer Crime Sentencing, by Jennifer S. Granick, March 17, 2006 (Draft) [In relation to this case: Computer Privacy Upheld, but Sidestepped by Silver Platter Doctrine and Schools Special Needs Exception]
- Security Attribute Evaluation Method: A Cost Benefit Approach, by Shawn Butler, Carnegie Mellon University, International Conference on Software Engineering 2002 (ICSE 2002) Proceedings
- Multi-Attribute Risk Assessment, by Shawn Butler, Carnegie Mellon University, Proceedings from Symposium on Requirements Engineering for Information Security (SREIS 2002)
- Attack Trees: Modeling security threats, by Bruce Schneier, Dr. Dobb's Journal, December 1999
- Attack Modelling for Information Security and Survivability, Andrew P. Moore, Robert J. Ellison, Richard C. Linger, Technical Note CMU/SEI-2001-TN-001, March 2001
- A Quick Tour of Attack Tree Based Risk Analysis Using Secur/Tree, whitepaper by Amenaza.com, May 2002
- Other documents/terms/legal resources
- Certificate/Degree Programs
- A university in Texas is offering a cybersecurity degree program, by Sandra Swanson, Informationweek, May 3, 2002
- U.T. Dallas To Establish Digital Forensics And Security Institute To Help Fight Cybercrime, University of Texas, Dallas, press release, May 1, 2002
- University of New Haven Forensic Computer Investigation Program
- Graduate Certificate Program in Computer Forensics (GCCF), University of Central Florida
- UCF's list of University Programs/Courses in Computer Forensics [PDF]
- Georgetown Institute for Information Assurance
- Dan J. Ryan's Educational Materials
- Johns Hopkins University Information Security Institute
- Carnegie Mellon University Information Networking Institute (a C3S affiliated program)
- Syracuse University Information Security Management Program
- Dartmouth University Institute for Security Technology Studies
- Purdue University CERIAS Information Assurance Education Graduate Certificate Program
- Jobs