Wayne’s Forensics and Incident Response Resources

This page covers forensic and incident response resources on the Internet. If
there is a site that should be listed here or if a link goes dead, please let me know.

• Wayne’s Change Detection /
  Integrity Resource /Rootkits Resources
  
  
  
• Apollo Incident: Analysis and Evidence
  
  
• Attack
  techniques, an experiment in forensics reveals attackers techniques
  
  
• online pubs
  
  
  
  • ASCLD
    Newsletter : American Society of Crime Laboratory Directors
    
    
  • Forensic Echo
    Archives
    
    
  • Forensic Science Communications, BackIssues of
    
    
  • FBI’s
    Handbook of Forensic Services
    
    
  • Proposed
    Standards for the Exchange of Digital Evidence
    
    
  • Recovering and Examining Computer Forensic Evidence
    
    
  
  
• Basic Steps in Forensic Analysis of Unix Systems
  
  
• Biatchux
  : portable bootable cdrom for forensics purposes Biatchux is a portable bootable cdrom based distribution with the
  goal of providing an immediate environment to perform forensic analysis,
  incident response, data recovery, virus scanning and vulnerability assessment.
  Also capable of providing necessary tools for live forensics/analysis, just
  mount the cdrom on your choice of OS win32, sparc solaris and x86 linux trusted
  static binaries are available in /statbins.
  
  
• Books related to forensics
  
  
  
  • Computer Forensics
    
    
  • Computer Forensics: Computer Crime Scene Investigation (With
    CD-ROM)
    
    
  • Computer Forensics and Privacy (Artech House Computer Security
    Series)
    
    
  • Cyber Forensics: A Field Manual for Collecting, Examining, and
    Preserving Evidence of Computer Crimes
    
    
  • Digital Evidence and Computer Crime
    
    
  • Forensic Computing : A Practitioner’s Guide
    
    
  • Guide to Forensic Testimony: The Art and Practice of Presenting
    Testimony As An Expert Technical Witness
    
    
  • Handbook of Computer Crime Investigation: Forensic Tools &
    Technology
    
    
  • Hacker’s Challenge 2: Test Your Network Security & Forensic
    Skills
    
    
  • Incident Response: Investigating Computer Crime
    
    
  • Incident Response: Computer Forensics 2nd Ed
    
    
  • Incident Response: Computer Forensics Toolkit
    
    
  • Investigating Computer- Related Crime A Handbook For Corporate
    Investigators
    
    
  • Know Your Enemy: Revealing the Security Tools, Tactics, and
    Motives of the Blackhat Community
    
    
  • Scene of the Cybercrime: Computer Forensics Handbook
    
    
  
  
• Chain
  of Custody : Evidence/Property Custody Document army
  
  
• Cisco Router Forensics
  
  
• Computer Forensics Software
  
  
• Criminal Investigations in an Automated Environment
  
  
• dd for
  Windows
  
  
• DIBS : Computer Forensics
  
  
  
• Digital Evidence Collection and Handling
  
  
• Digital Forensic Analysis Training : @stake Academy
  
  
• Encase : forensic software
  tool used by majority forensic examiners worldwide
  
  
• Evidence
  Seizure Methodology for Computer Forensics
  
  
• Fenris :
  multipurpose tracer, GUI debugger, stateful analyzer and partial decompiler
  
  
  
• Hayler’s Forensic Analysis on a System
  
  
• How the FBI Investigates Computer Crime
  
  
• Firewall
  Forensics (What am I seeing?)
  
  
• Forensics
  Server Project perl, effort to provide a degree of automation
  to the collection of data during a ‘live’ forensics, or ‘root cause’
  investigation.
  
  
• Foundstone Forensic Tools NT,W2K, free
  
  
  
  
  • Forensic Tool Kit :
    
    
    
    
    • AFind :
      lists files by their last access time
      without tampering the data the way that right-clicking on file properties in
      Explorer will.
      
    • HFind :
      scans the disk for hidden files
      
    • SFind :
      scans the disk for hidden data streams
      and lists the last access times
      
    • FileStat :
      quick dump of all file and security
      attributes. It works on only one file at a time but this is usually sufficient.
      
    • Hunt :
      a quick way to see if a server reveals
      too much info via NULL sessions
    
    
  • NTLast : security audit tool for event logs
    
    
    
    
    
    • Reads saved .evt files – makes it easy to search through your archives
      
    • Allows you to search before, after, and between dates – again to zoom in on
      something
      
    • Filters logons ‘From’ a certain host – helps you zoom in on suspected
      intrusions
      
    • Can save files in a csv format w/ time field formatted for Excel
      
    • Filters out and distinguishes web log usage – cuts down search time
      
    
    
  • BinText :
    extract text from
    any kind of file and includes the ability to find plain ASCII text, Unicode
    (double byte ANSI) text and Resource strings, providing useful information for
    each item in the optional “advanced” view mode. Its comprehensive filtering
    helps prevent unwanted text being listed. The gathered list can be searched and
    saved to a separate file as either a plain text file or in informative tabular
    format.
    
  • fport :
    reports all open
    TCP/IP and UDP ports and maps them to the owning application
    
  • Patchit :
    A binary file
    byte-patching program
    
  • ShoWin :
    display hidden
    password editbox fields (text behind the asterisks *****). This will work in
    many programs although Microsoft have changed the way things work in some of
    their applications, most notably MS Office products and Windows 2000. ShoWin
    will not work in these cases.
  
  
• FTimes :
  system baselining and evidence collection tool
  small enough to fit on a
  single floppy
  
  
• Incident
  Handling / Forensics FAQ
  
  
• Incident Response Centers:
  
  
  
  • Australian CERT
    
    
  • Center for Internet
    Security (June 2001)
    
    
  • CERT Coordination Center
    
    
    
  • Computer Incident Advisory
    Capability CIAC
    
    
  • Federal Computer Incident
    Response Center FedCIRC
    
    
  • Forum of Incident Response and
    Security Teams FIRST
    
    
  • National Infrastructure
    Protection Center NIPC
    
    
  • www.incidents.org
    SANS
    
  
  
• Incident
  Response Tools For Unix, Part One: System Tools
  
  
• Kernel : building a super kernel for data forensics
  
  
• Legal Resources
  
  
• mac_daddy : MAC Time collector for forensic incident response
  
  
  
• mac_robber : collects Modified, Access, and Change (MAC) times
  from files
  
  
• pdd
  Palm dd : Windows-based tool for for memory imaging and forensic acquisition of
  data from the Palm OS family of PDAs
  
  
• Recovering
  from an incident
  
  
• ResponseKits : toolkit of statically-linked executables that you
  can carry onto subverted systems
  
  
• @stake
  Sleuth Kit (TASK) : open source forensic toolkit for a complete analysis of
  Microsoft and UNIX file systems
  
  
• TCT :
  The Coroner’s Toolkit
  TCT is a
  collection of programs by Dan Farmer and Wietse Venema for a post-mortem
  analysis of a UNIX system after break-in.
  
• windows toolkits
  
  
• windows
  forensics