Digital Forensics Links

A forensics examination requires more than tools. Documentation, preservation of evidence, and the ability to interpret the tools' output and reach supportable conclusions are necessary to ensure the admissibility of evidence in a court of law. If you are not concerned about admissible evidence, then I wouldn’t call it “forensics.”

Digital Forensics and Incident Response have many tools in common.

Articles

Podcasts

Tools

  • University of Massachusetts Recommended List of Tools for Incident Detection and Eradication [pdf]
  • CAINE Live CD Computer Aided INvestigative Environment (CAINE) is a GNU/Linux live distribution created by Giancarlo Giustini as a project of Digital Forensics for Interdepartment Center for Research on Security (CRIS), supported by the University of Modena and Reggio.
  • Tools used in Analysis of hidden data in NTFS file system Cheong Kai Wee
    • Tools used to hide data:
      • RunTime’s DiskExplorer for NTFS v2.31
      • Command window to create alternate data streams.
    • Tools used to find data:
      • chkdsk
      • Sleuth Kit 2.02
      • Foremost 0.69
      • comeforth 1.00
      • dd
      • hexedit
      • strings
  • Audit Viewer from Mandiant is an open source tool that allows users to examine the results of Memoryze’s analysis. Audit Viewer allows the incident responder or forensic analyst to quickly view complex XML output in an easily readable format. Using familiar grouping of data and search capabilities, Audit Viewer makes memory analysis quicker and more intuitive.
  • CnW Recovery Software forensic tools
  • DCode decode the various date/time values found embedded within binary and other file types
  • dd command line utility for disk imaging and restoration
  • DiskExplorer for NTFS NTFS file system examination
  • EnCase from Guidance Software digital forensics software
  • The F-Response tool by Agile enables the Incident Handler/Investigator to use all the customary tools they’re familiar with, but over the network. By using the F-Secure Tool, you can “see” the remote memory and attached disk(s) as if they were connected to your local forensic machine. This enables you to use your traditional tools to image, view and analyze the remote disk(s).
  • Forensic Acquisition Utilities by George M. Garner Jr., includes a Windows-based dd command that can dump memory
  • mdd (Mantech) dump memory
  • Winen (EnCase) dump memory
  • KntTools (Garner) dump memory
  • Win32dd (Matthieu Suiche) dump memory
  • FastDump (HBGary) dump memory
  • F-Response (Agile, v2, creates possibility to use any imaging tool) dump memory
  • Forensic Toolkit (FTK) from AccessData digital forensics software
  • FTK Imager from Access Data. Creating the image is free. Using FTK Imager [swf] (from Edmonds Community College).
  • Gaijin.at Freeware (including forensics), online tools, PHP scripts, articles
  • Intella Mail system forensics
  • IrfanView and Plugins (specifically, the EXIF plugin) a graphics viewer which can reveal JPEG details
  • IsoBuster CD examination utility
  • LADS command line utility to find NTFS alternate data stream files
  • Maresware suite, Linux Computer Forensics, validation tools and others
  • Memoryze from Mandiant is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis.
  • MiTeC Windows Registry Analyzer
  • Mobile Internal Acquisition Tool (MIAT) Symbian and Windows Mobile Forensics
  • Paraben Forensics
  • Passware password recovery software
  • Process Dumper (pd) and Memory Parser (mmp) Tobias Klein research and tools for memory analysis
  • Registrar Registry Manager from Resplendence Windows registry viewer
  • RegistryReport RegistryReport doesn’t process the Registry files of the running operating system. To get information from the running system, use SystemReport.
    With the application RegistryViewer you can view raw Registry files like in the Windows Registry editor.
  • RegRipper Harlan Carvey’s RegRipper
  • RegViewer
  • Registry Viewer from AccessData
  • Restore Point Analyzer from Mandiant
  • Revelation password recovery software
  • Scalpel data carving software Scalpel is a (free) fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.
  • sha_verify command line utility to compute MD5/SHA hashes
  • Simple Carver inexpensive data carving and file recovery software
  • Sleuth Kit (TSK) & Autopsy: Digital Investigation Tools for Linux, Unix, and Windows TSK is a C library and a collection of command line tools (based on code from The Coroner’s Toolkit (TCT)). Autopsy is a graphical interface to TSK.
  • Techpathways ProDiscover Investigator, Forensics, Incident Response, Other tools
  • TrID identifies file types from their binary signatures. Given a carved file, what application created it?
  • Vere Software
  • Windows File Analyzer Analyze Thumbs.db, the Prefetch folder, shortcut files, Index.Dat files, Info2 (Recycle Bin) files
  • Windows Incident Response (IR) and Computer Forensics (CF) Tools Harlan Carvey
  • WinHex from X-Ways digital forensics & data recovery software, hex editor & disk editor

Enterprise-class Incident Response Tools

  • Pro Discover (Technology Pathways)
  • EnCase Enterprise (Guidance)
  • MIR (Mandiant)
  • Access Data Enterprise (Access Data)

Web browser utilities are in Web Browser Forensics.

One Response to “Digital Forensics Links”

  1. Web Browser Forensics « Aggressive Virus Defense Says:

    [...] Don’t forget that you may wish to search unallocated disk space for deleted web cache information. See Digital Forensics Links. [...]
