This page covers forensic and incident response resources on the Internet. If
there is a site that should be listed here or if a link goes dead, please let me know.
- Wayne’s Change Detection / Integrity Resource / Rootkits Resources
- Apollo Incident: Analysis and Evidence
- Attack techniques: an experiment in forensics reveals attackers’ techniques
- Online pubs:
  - ASCLD Newsletter: American Society of Crime Laboratory Directors
  - Forensic Echo Archives
  - Forensic Science Communications, back issues of
  - FBI’s Handbook of Forensic Services
  - Proposed Standards for the Exchange of Digital Evidence
  - Recovering and Examining Computer Forensic Evidence
  - ASCLD
- Basic Steps in Forensic Analysis of Unix Systems
- Biatchux: portable bootable CD-ROM for forensics purposes. Biatchux is a portable bootable CD-ROM based distribution with the goal of providing an immediate environment to perform forensic analysis, incident response, data recovery, virus scanning and vulnerability assessment. It is also capable of providing the necessary tools for live forensics/analysis: just mount the CD-ROM on your OS of choice (win32, SPARC Solaris and x86 Linux); trusted static binaries are available in /statbins.
- Books related to forensics:
  - Computer Forensics
  - Computer Forensics: Computer Crime Scene Investigation (With CD-ROM)
  - Computer Forensics and Privacy (Artech House Computer Security Series)
  - Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes
  - Digital Evidence and Computer Crime
  - Forensic Computing: A Practitioner’s Guide
  - Guide to Forensic Testimony: The Art and Practice of Presenting Testimony As An Expert Technical Witness
  - Handbook of Computer Crime Investigation: Forensic Tools & Technology
  - Hacker’s Challenge 2: Test Your Network Security & Forensic Skills
  - Incident Response: Investigating Computer Crime
  - Incident Response: Computer Forensics, 2nd Ed.
  - Incident Response: Computer Forensics Toolkit
  - Investigating Computer-Related Crime: A Handbook For Corporate Investigators
  - Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community
  - Scene of the Cybercrime: Computer Forensics Handbook
- Computer Forensics
- Chain of Custody: Evidence/Property Custody Document (Army)
- Cisco Router Forensics
- Computer Forensics Software
- Criminal Investigations in an Automated Environment
- dd for Windows
- DIBS: Computer Forensics
- Digital Evidence Collection and Handling
- Digital Forensic Analysis Training: @stake Academy
- Encase: forensic software tool used by the majority of forensic examiners worldwide
- Evidence Seizure Methodology for Computer Forensics
- Fenris: multipurpose tracer, GUI debugger, stateful analyzer and partial decompiler
- Hayler’s Forensic Analysis on a System
- How the FBI Investigates Computer Crime
- Firewall Forensics (What am I seeing?)
- Forensics Server Project: Perl; an effort to provide a degree of automation to the collection of data during a ‘live’ forensics, or ‘root cause’, investigation.
- Foundstone Forensic Tools: NT, W2K, free
  - Forensic Tool Kit:
    - AFind: lists files by their last access time without tampering with the data the way that right-clicking on file properties in Explorer will.
    - HFind: scans the disk for hidden files
    - SFind: scans the disk for hidden data streams and lists the last access times
    - FileStat: quick dump of all file and security attributes. It works on only one file at a time, but this is usually sufficient.
    - Hunt: a quick way to see if a server reveals too much info via NULL sessions
  - NTLast: security audit tool for event logs
    - Reads saved .evt files – makes it easy to search through your archives
    - Allows you to search before, after, and between dates – again to zoom in on something
    - Filters logons ‘From’ a certain host – helps you zoom in on suspected intrusions
    - Can save files in a csv format w/ time field formatted for Excel
    - Filters out and distinguishes web log usage – cuts down search time
  - BinText: extracts text from any kind of file and includes the ability to find plain ASCII text, Unicode (double-byte ANSI) text and Resource strings, providing useful information for each item in the optional “advanced” view mode. Its comprehensive filtering helps prevent unwanted text being listed. The gathered list can be searched and saved to a separate file as either a plain text file or in informative tabular format.
  - fport: reports all open TCP/IP and UDP ports and maps them to the owning application
  - Patchit: a binary file byte-patching program
  - ShoWin: displays hidden password editbox fields (text behind the asterisks *****). This will work in many programs, although Microsoft have changed the way things work in some of their applications, most notably MS Office products and Windows 2000. ShoWin will not work in these cases.
- FTimes: system baselining and evidence collection tool, small enough to fit on a single floppy
- Incident Handling / Forensics FAQ
- Incident Response Centers:
  - Australian CERT
  - Center for Internet Security (June 2001)
  - CERT Coordination Center
  - Computer Incident Advisory Capability (CIAC)
  - Federal Computer Incident Response Center (FedCIRC)
  - Forum of Incident Response and Security Teams (FIRST)
  - National Infrastructure Protection Center (NIPC)
  - www.incidents.org (SANS)
- Incident Response Tools For Unix, Part One: System Tools
- Kernel: building a super kernel for data forensics
- Legal Resources
- mac_daddy: MAC time collector for forensic incident response
- mac_robber: collects Modified, Access, and Change (MAC) times from files
- pdd (Palm dd): Windows-based tool for memory imaging and forensic acquisition of data from the Palm OS family of PDAs
- Recovering from an incident
- ResponseKits: toolkit of statically-linked executables that you can carry onto subverted systems
- @stake Sleuth Kit (TASK): open source forensic toolkit for a complete analysis of Microsoft and UNIX file systems
- TCT: The Coroner’s Toolkit. TCT is a collection of programs by Dan Farmer and Wietse Venema for post-mortem analysis of a UNIX system after a break-in.
- Windows toolkits
- Windows forensics