From 15e956717b36671561d1eef62efde0f4c6494d44 Mon Sep 17 00:00:00 2001 From: Joachim Metz Date: Tue, 28 Nov 2023 09:41:08 -0800 Subject: [PATCH] Removed dead references (#195) --- docs/analyzing_program_execution.md | 2 +- docs/dco_and_hpa.md | 25 ++--- docs/document_metadata_extraction.md | 50 ---------- docs/email_headers.md | 77 +++++++-------- docs/exif.md | 5 +- docs/harlan_carvey.md | 6 +- docs/hashing.md | 71 ++++---------- docs/jpeg.md | 23 ++--- docs/jump_lists.md | 6 +- docs/legal_issues.md | 1 - docs/linux_memory_analysis.md | 3 - docs/mac_os_x.md | 2 +- docs/mailing_lists.md | 22 +---- ...ue_fale_de_sistema_solar_vou_chorar_13.md" | 94 ------------------- docs/prefetch.md | 8 +- docs/readyboost.md | 2 +- docs/regripper.md | 4 +- docs/tln.md | 6 +- docs/upcoming_events.md | 16 +--- docs/windows_application_compatibility.md | 5 - docs/windows_registry.md | 10 +- docs/windows_restore_points.md | 4 +- docs/windows_shadow_volumes.md | 8 +- 23 files changed, 118 insertions(+), 332 deletions(-) delete mode 100644 "docs/n\303\243\302\243o_existe_m\303\243\302\272sica_que_fale_de_sistema_solar_vou_chorar_13.md" diff --git a/docs/analyzing_program_execution.md b/docs/analyzing_program_execution.md index 94572c00a..8cac919b2 100644 --- a/docs/analyzing_program_execution.md +++ b/docs/analyzing_program_execution.md @@ -78,7 +78,7 @@ will vary per product. ### Windows -- [HowTo: Determine Program Execution](http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html), +- [HowTo: Determine Program Execution](https://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html), by [Harlan Carvey](harlan_carvey.md), July 06, 2013 - [It Is All About Program Execution](http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html), by Corey Harrell, January 14, 2014 diff --git a/docs/dco_and_hpa.md b/docs/dco_and_hpa.md index 7c8f742ab..3d804e23c 100644 --- a/docs/dco_and_hpa.md +++ b/docs/dco_and_hpa.md 
@@ -1,6 +1,6 @@ --- tags: - - No Category + - Articles that need to be expanded --- Device Configuration Overlay (DCO) and Host Protected Area (HPA). 
@@ -63,30 +63,25 @@ above) ## Other Tools -- [TAFT (The ATA Forensics Tool)](https://vidstromlabs.com/freetools/taft/) +* [TAFT (The ATA Forensics Tool)](https://vidstromlabs.com/freetools/taft/), claims the ability to look at and change the HPA and DCO settings. -- [SAFE-Block](https://www.softpedia.com/get/Security/Security-Related/SAFE-Block.shtml), +* [SAFE-Block](https://www.softpedia.com/get/Security/Security-Related/SAFE-Block.shtml), claims the ability to temporarily remove the HPA and remove the DCO and later return it to its original state. -- [HDD Capacity Restore](http://hddguru.com/software/2007.07.20-HDD-Capacity-Restore-Tool/), +* [HDD Capacity Restore](https://hddguru.com/software/2007.07.20-HDD-Capacity-Restore-Tool/), a reportedly Free utility that removed the DCO (to give you more storage for your hard drive!) -- Tableau TD1 can remove the HPA and DCO. -- [Blancco-Pro 4.5](http://www.mp3cdsoftware.com/blancco---pro-download-292.htm) - reportedly removes the HPA and DCO to completely obliterate all of - that pesky information which might get in the way. +* Tableau TD1 can remove the HPA and DCO. 
## External Links -- [Methods of discovery and exploitation of Host Protected Areas on IDE storage devices that conform to ATAPI-4](http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4HR72JM-2&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=030e6e2928779b385c76658736d11b98), +* [Methods of discovery and exploitation of Host Protected Areas on IDE storage devices that conform to ATAPI-4](https://www.sciencedirect.com/science/article/abs/pii/S1742287605000939), Mark Bedford, Digital Investigation, Volume 2, Issue 4, December 2005, Pages 268-275 -- [Hidden Disk Areas: HPA and DCO](https://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf), +* [Hidden Disk Areas: HPA and DCO](https://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf), Mayank R. Gupta, Michael D. Hoeschele, Marcus K. Rogers, International Journal of Digital Evidence, Fall 2006, Volume 5, Issue 1 -- [REMOVING HOST PROTECTED AREAS (HPA) IN LINUX](http://www.sleuthkit.org/informer/sleuthkit-informer-20.txt), +* [Removing host protected areas (HPA) in Linux](https://www.sleuthkit.org/informer/sleuthkit-informer-20.txt), Brian Carrier, Sleuth Kit Informer \#20 -- [Wikipedia article on Device Configuration Overlay](https://en.wikipedia.org/wiki/Device_configuration_overlay) -- [Wikipedia article on Host Proteced Area](https://en.wikipedia.org/wiki/Host_protected_area) -- [Hiding Data in Hard-Drive’s Service Areas](http://www.recover.co.il/SA-cover/SA-cover.pdf), - by Ariel Berkman, February 14, 2013 +* [Wikipedia: Device Configuration Overlay](https://en.wikipedia.org/wiki/Device_configuration_overlay) +* [Wikipedia: Host Proteced Area](https://en.wikipedia.org/wiki/Host_protected_area) diff --git a/docs/document_metadata_extraction.md b/docs/document_metadata_extraction.md index 7e33f4c5c..c6c37a30b 100644 
--- a/docs/document_metadata_extraction.md +++ b/docs/document_metadata_extraction.md @@ -8,8 +8,6 @@ Here are tools that will extract metadata from document files. [antiword](http://www.winfield.demon.nl/) - - [Belkasoft](belkasoft.md) Evidence Center Extracts metadata from various [Microsoft](microsoft.md) Office @@ -18,33 +16,21 @@ documents. Besides, can extract plain texts (combining all texts from all XLS/XLSX/ODS pages and PPT/PPTX/ODP slides) and embedded objects. The tool can visualize pictures embedded in a document. - - [catdoc](http://www.45.free.net/~vitus/software/catdoc/) - - [laola](http://user.cs.tu-berlin.de/~schwartz/pmh/index.html) - - [word2x](https://word2x.sourceforge.net/) - - [wvWare](https://wvware.sourceforge.net/) Extracts metadata from various [Microsoft Word](microsoft_office.md) (doc) files. Can also convert doc files to other formats such as HTML or plain text. - - [Outside In](http://www.oracle.com/technology/products/content-management/oit/oit_all.html) Originally developed by Stellant, supports hundreds of file types. - - [FI Tools](https://www.fid3.com/) More than 100 file types. @@ -57,8 +43,6 @@ Extracts metadata from [PDF](pdf.md) files. Besides, can extract texts and embedded objects. For pictures, embedded into a PDF document, the tool can visualize them all right in its user interface. - - [pdfinfo](pdfinfo.md) (part of the [xpdf](xpdf.md) package) displays some metadata of [PDF](pdf.md) files. 
@@ -75,73 +59,53 @@ Photos with GPS coordinates can be shown on Google Maps and Google Earth. Evidence Center can analyze existing Thumbs.db files and Thumbs Cache as well as carve deleted thumbnails. - - [Exiftool](exiftool.md) Free, cross-platform tool to extract metadata from many different file formats. Also supports writing - - [jhead](jhead.md) Displays or modifies [Exif](exif.md) data in [JPEG](jpeg.md) files. - - [vinetto](vinetto.md) Examines [Thumbs.db](thumbs.db.md) files. - - [libexif](libexif.md) EXIF tag Parsing Library - - [Adroit Photo Forensics](adroit_photo_forensics.md) Displays meta data and uses date and camera meta-data for grouping, timelines etc. - - [exiftags](https://johnst.org/sw/exiftags/) open source utility to parse and edit [exif](exif.md) data in [JPEG](jpeg.md) images. Found in many Debian based distributions. - - [exifprobe](https://www.virtual-cafe.com/~dhh/tools.d/exifprobe.d/exifprobe.html) Open source utility that reads [exif](exif.md) data in [JPEG](jpeg.md) and some "RAW" image formats. Found in many Debian based distributions. - - [Exiv2](https://exiv2.org/) Open source C++ library and command line tool for reading and writing metadata in various image formats. Found in almost every GNU/Linux distribution - - [pngtools](http://www.stillhq.com/pngtools/) Open source suite of commands (pnginfo, pngchunks, pngchunksdesc) that reads metadata found in PNG files. Found in many Debian based distributions. - - [pngmeta](https://sourceforge.net/projects/pmt/files/) Open source command line tool that extracts metadata from PNG images. Found in 
@@ -157,35 +121,23 @@ programs fail, but they generally provide less detailed information. and converts documents in Microsoft Outlook, Web Access email, tablets and smartphones, as well as desktop-based documents." - - [Metadata Extraction Tool](https://meta-extractor.sourceforge.net/) "Developed by the National Library of New Zealand to programmatically extract preservation metadata from a range of file formats like PDF documents, image files, sound files Microsoft office documents, and many others." - - [Metadata Assistant](http://www.thepaynegroup.com/products/metadata/) - - [hachoir-metadata](hachoir.md) Extraction tool, part of **[Hachoir](hachoir.md)** project - - [file](file.md) The UNIX **file** program can extract some metadata - - [GNU libextractor](https://www.gnunet.org/en/) The libextractor library is a plugable system for extracting metadata - - [Directory Lister Pro](https://www.krksoft.com/) Directory Lister Pro is a Windows tool which creates listings of files from selected directories on hard disks, CD-ROMs, DVD-ROMs, floppies, @@ -205,8 +157,6 @@ completely customize the visual look of the output. Filter on file name, date, size or attributes can be applied so it is possible to limit the files listed. - - [Apache Tika](https://tika.apache.org/) Apache Tika extracts metadata from a wide range of file formats and normalizes metadata keys to Dublin Core when possible. In recent diff --git a/docs/email_headers.md b/docs/email_headers.md index f2b39a1b2..5eb9d28d7 100644 --- a/docs/email_headers.md +++ b/docs/email_headers.md @@ -46,7 +46,7 @@ Mail servers can add lines onto email headers, usually in the form of ## Message Id Field -. According to the current guidelines for email +According to the current guidelines for email [1](http://www.faqs.org/rfcs/rfc2822.html), every message should have a Message-ID field. These id fields can be used to determine if a message has been forged. It is harder, but sometimes possible, to show that a 
@@ -56,51 +56,52 @@ pages for those programs](list_of_mua_header_formats.md). ## Signature Fields -. Some email programs allow users to sign messages. This gives the -recipient some assurance that the sender given in the message really -sent the message. Obviously these headers can be used by an examiner for -the same purpose. +Some email programs allow users to sign messages. This gives the recipient some +assurance that the sender given in the message really sent the message. +Obviously these headers can be used by an examiner for the same purpose. ## Sample Header This is an (incomplete) excerpt from an email header: -`Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])` -`        by outgoing2.securityfocus.com (Postfix) with QMQP` -`        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)` -`Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm` -`Precedence: bulk` -`List-Id: ` -`List-Post: <`[`mailto:forensics@securityfocus.com`](mailto:forensics@securityfocus.com)`>` -`List-Help: <`[`mailto:forensics-help@securityfocus.com`](mailto:forensics-help@securityfocus.com)`>` -`List-Unsubscribe: <`[`mailto:forensics-unsubscribe@securityfocus.com`](mailto:forensics-unsubscribe@securityfocus.com)`>` -`List-Subscribe: <`[`mailto:forensics-subscribe@securityfocus.com`](mailto:forensics-subscribe@securityfocus.com)`>` -`Delivered-To: mailing list forensics@securityfocus.com` -`Delivered-To: moderator for forensics@securityfocus.com` -`Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000` -`From: YJesus ` -`To: forensics@securityfocus.com` -`Subject: New Tool : Unhide` -`User-Agent: KMail/1.9` -`MIME-Version: 1.0` -`Content-Disposition: inline` -`Date: Thu, 5 Jan 2006 16:41:30 +0100` -`Content-Type: text/plain;` -`  charset="iso-8859-1"` -`Content-Transfer-Encoding: quoted-printable` -`Message-Id: <200601051641.31830.yjesus@security-projects.com>` -`X-HE-Spam-Level: /` -`X-HE-Spam-Score: 0.0` 
-`X-HE-Virus-Scanned: yes` -`Status: RO` -`Content-Length: 586` -`Lines: 26` +``` +Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) +        by outgoing2.securityfocus.com (Postfix) with QMQP +        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST) +Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm +Precedence: bulk +List-Id:  +List-Post:  +List-Help:  +List-Unsubscribe:  +List-Subscribe:  +Delivered-To: mailing list forensics@securityfocus.com +Delivered-To: moderator for forensics@securityfocus.com +Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000 +From: YJesus  +To: forensics@securityfocus.com +Subject: New Tool : Unhide +User-Agent: KMail/1.9 +MIME-Version: 1.0 +Content-Disposition: inline +Date: Thu, 5 Jan 2006 16:41:30 +0100 +Content-Type: text/plain; +  charset="iso-8859-1" +Content-Transfer-Encoding: quoted-printable +Message-Id: <200601051641.31830.yjesus@security-projects.com> +X-HE-Spam-Level: / +X-HE-Spam-Score: 0.0 +X-HE-Virus-Scanned: yes +Status: RO +Content-Length: 586 +Lines: 26 +``` ## External Links -- [Wikipedia: E-mail](http://en.wikipedia.org/wiki/E-mail) +* [Wikipedia: E-mail](https://en.wikipedia.org/wiki/E-mail) ### Tools -- [MailXaminer product page](https://www.mailxaminer.com/product/) -- [Wikipedia: MailXaminer](https://en.wikipedia.org/wiki/MailXaminer) +* [MailXaminer product page](https://www.mailxaminer.com/product/) +* [Wikipedia: MailXaminer](https://en.wikipedia.org/wiki/MailXaminer) diff --git a/docs/exif.md b/docs/exif.md index 5381fc2ec..106566617 100644 --- a/docs/exif.md +++ b/docs/exif.md 
@@ -1,10 +1,10 @@ --- tags: - Articles that need to be expanded + - File Formats --- The **Exchangeable image file format** (Exif) is an image [file format](file_formats.md) -which adds lots of [metadata](metadata.md) to existing image formats, mainly -[JPEG](jpeg.md). +which adds [metadata](metadata.md) to existing image formats, such as [JPEG](jpeg.md). To read the Date/Time tag do: @@ -21,6 +21,5 @@ For tools that extract Exif meta data look here - ## External Links -* [exif.org](http://exif.org/) * [Exif 2.2 specification](https://www.loc.gov/preservation/digital/formats/fdd/fdd000146.shtml) * [Wikipedia: Exif](https://en.wikipedia.org/wiki/Exif) diff --git a/docs/harlan_carvey.md b/docs/harlan_carvey.md index c1df82406..b500a862f 100644 --- a/docs/harlan_carvey.md +++ b/docs/harlan_carvey.md @@ -7,7 +7,7 @@ alt="HarlanCarvey.jpg" /> [Harlan Carvey](harlan_carvey.md) is a computer forensics author, researcher and practitioner. He has written several books and tools focusing on [Windows](windows.md) systems and [incident response](incident_response.md). His -[Windows Incident Response Blog](http://windowsir.blogspot.com) Harlan +[Windows Incident Response Blog](https://windowsir.blogspot.com) Harlan Carvey's interest in computer and information security began while he was an officer in the U.S. military, and a student at the Naval Postgraduate School, earning his MSEE. After leaving military service, 
@@ -39,12 +39,12 @@ Security Bulletin, on the SecurityFocus website, and in the Hakin9 magazine. Finally, Harlan has written a number of open source programs (including RegRipper), which have been made available online and via CDs/DVDs in his books. His [Windows Incident -Response](http://windowsir.blogspot.com/) blog is updated on a regular +Response](https://windowsir.blogspot.com/) blog is updated on a regular basis. ## Website -- [Harlan's Windows Incident Response Blog](http://windowsir.blogspot.com) +- [Harlan's Windows Incident Response Blog](https://windowsir.blogspot.com) ## Tools diff --git a/docs/hashing.md b/docs/hashing.md index 4ed0c8a35..dee67aff1 100644 --- a/docs/hashing.md +++ b/docs/hashing.md 
@@ -1,25 +1,24 @@ --- tags: - - No Category + - Articles that need to be expanded --- -**Hashing** is a method for reducing large inputs to a smaller fixed -size output. When doing forensics, typically cryptographic hashing -algorithms like [MD5](md5.md) and [SHA-1](sha-1.md) are -used. These functions have a few properties useful to forensics. Other -types of hashing, such as [Context Triggered Piecewise -Hashing](context_triggered_piecewise_hashing.md) can also be -used. +**Hashing** is a method for reducing large inputs to a smaller fixed size +output. When doing forensics, typically cryptographic hashing algorithms like +[MD5](md5.md) and [SHA-1](sha-1.md) are used. These functions have a few +properties useful to forensics. Other types of hashing, such as +[Context Triggered Piecewise Hashing](context_triggered_piecewise_hashing.md) +can also be used. ## Tools There are literally hundreds of hashing programs out there, but a few related to forensics are: -- [md5sum](md5sum.md) - Part of the GNU coreutils suite, this program is +* [md5sum](md5sum.md) - Part of the GNU coreutils suite, this program is standard on many computers. -- [md5deep](md5deep.md) - Computes hashes, recursively if +* [md5deep](md5deep.md) - Computes hashes, recursively if desired, and can compare the results to known values. -- [ssdeep](ssdeep.md) - Computes and matches Context Triggered +* [ssdeep](ssdeep.md) - Computes and matches Context Triggered Piecewise Hashes. ## Hash Databases @@ -30,10 +29,6 @@ The largest hash database. [Hashkeeper](hashkeeper.md) National Drug Intelligence Center - -Solaris Fingerprint Database lookup for files distributed by Sun -Microsystems - ## MD5 Reverse Hash Services There are several online services that allow you to enter a hash code 
@@ -43,45 +38,15 @@ the null string). Here are some services that we have been able to find: - -A nice forward and reverse demonstration system, with an XML and AJAX -interface. - - - - -Reverse hash lookup of MD5, SHA1, MySQL, NTLM, and Lanman hashes. Claims -75 million hashes of 13.2 million unique words. - - - - -Hash database from InsidePro (MD5, NTLM). - - - - - +[XMD5](http://www.xmd5.org/index_en.htm) This site is another simple MD5 reverse lookup. It claims a database -with "billions" of entries. Mostly for password cracking. (Who uses -straight MD5s for passwords?) - -Others: +with "billions" of entries. Mostly for password cracking. - - - +[Hash Toolkit](https://hashtoolkit.com/) ## Online Malware Hash Lookups - -Malware Hash Registry by Team Cymru. - -Utilizes a DNS query interface to lookup MD5 or SHA-1 Hashes for malware - - -VirusTotal.com Online hash lookup no api/automation yet like Team Cymru -but does frequently have hashes for current new malware +[VirusTotal](https://www.virustotal.com/gui/home/search) ## Segmented Hashing @@ -93,11 +58,11 @@ hash, start LBA, end LBA When Segmented hashing is useful -- Segmented hashes support multi-pass imaging and handling of bad +* Segmented hashes support multi-pass imaging and handling of bad sectors: Hashes are calculated only for the imaged regions, while all bad sectors are excluded from calculation. This allows to validate a hash even when the source drive is damaged. -- Better resiliency against data corruption: If an acquired image gets +* Better resiliency against data corruption: If an acquired image gets damaged later, regular hash is invalid upon verification making the entire image useless. With segmented hashing, only a single hash value becomes invalid, while the rest of the image can still be validated. 
@@ -105,3 +70,7 @@ When Segmented hashing is useful [Seghash on GitHub](https://github.com/atola-technology/seghash) is a free open-source tool for both calculating and validating segmented hashes. + +## Tooling + +* [hashR](https://github.com/google/hashr) build your own hash sets based on your data sources diff --git a/docs/jpeg.md b/docs/jpeg.md index 53a249f88..1b5667c34 100644 --- a/docs/jpeg.md +++ b/docs/jpeg.md @@ -16,15 +16,18 @@ Common file extensions are .jpg, .jpeg, .JPG, .JPE, and .jfif. # Metadata -JPEG files can contain lots of [metadata](metadata.md) in -several formats: [Exif](exif.md), IPTC, GPS, -Camera Raw, etc. The [exif](exif.md) -and [jhead](jhead.md) command tools can extract and manipulate -some of that metadata. [Adroit Photo -Forensics](adroit_photo_forensics.md) can be used to extract, -view and group metadata from jpeg and camera Raw files. In iOS, the -[Photo Investigator](photo_investigator.md) can extract, view, -and remove metadata from all images. +JPEG files can contain lots of [metadata](metadata.md) in several formats, such +as Exif, IPTC, GPS, or Camera Raw. + +The [exif](exif.md) and [jhead](jhead.md) command tools can extract and +manipulate some of that metadata. [Adroit Photo Forensics](adroit_photo_forensics.md) +can be used to extract, view and group metadata from jpeg and camera Raw files. +In iOS, the [Photo Investigator](photo_investigator.md) can extract, view, and +remove metadata from all images. + +# Also see + +* [exif](exif.md) # Externals Links 
@@ -33,8 +36,6 @@ and remove metadata from all images. Section: Annex B contains a detailed description of the JPEG file structure. - [JPEG File Interchange Format Version 1.02](https://www.w3.org/Graphics/JPEG/jfif3.pdf) -- [EXIF Specifications](http://www.exif.org/specifications.html) -- [Exchangeable image file format for digital still cameras: Exif Version 2.2](http://www.exif.org/Exif2-2.PDF) - [Extensible Metadata Platform (XMP)](https://www.adobe.com/products/xmp.html) - [Adobe - XMP Specification](http://partners.adobe.com/public/developer/en/xmp/sdk/XMPspecification.pdf) - [FlashPix Tags](https://exiftool.org/TagNames/FlashPix.html) diff --git a/docs/jump_lists.md b/docs/jump_lists.md index c5a57e389..6ed61e01c 100644 --- a/docs/jump_lists.md +++ b/docs/jump_lists.md @@ -86,11 +86,11 @@ binary format segments. by Alexander G Barnett, April 18, 2011 * [Forensic Examination of Windows 7 Jump Lists](https://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public), by Troy Larson, June 6, 2011 -* [Jump List Analysis](http://windowsir.blogspot.com/2011/08/jump-list-analysis.html), +* [Jump List Analysis](https://windowsir.blogspot.com/2011/08/jump-list-analysis.html), by [Harlan Carvey](harlan_carvey.md), August 17, 2011 -* [Jump List Analysis, pt II](http://windowsir.blogspot.com/2011/08/jump-list-analysis-pt-ii.html), +* [Jump List Analysis, pt II](https://windowsir.blogspot.com/2011/08/jump-list-analysis-pt-ii.html), by [Harlan Carvey](harlan_carvey.md), August 24, 2011 -* [Jump List Analysis](http://windowsir.blogspot.com/2011/12/jump-list-analysis.html), +* [Jump List Analysis](https://windowsir.blogspot.com/2011/12/jump-list-analysis.html), by [Harlan Carvey](harlan_carvey.md), December 28, 2011 * [Forensic Analysis of Windows 7 Jump Lists](https://forensicfocus.com/articles/forensic-analysis-of-windows-7-jump-lists/), by Rob Lyness, October 2012 diff --git a/docs/legal_issues.md b/docs/legal_issues.md index ccc2e4fd8..bd7a050bb 100644 
--- a/docs/legal_issues.md +++ b/docs/legal_issues.md @@ -65,7 +65,6 @@ More links from previous research. * [10](https://www.theregister.com/2003/04/24/trojan_defence_clears_man/) * [11](http://www.austlii.edu.au/au/cases/cth/high_ct/2006/39.html) * [12](http://www.castlecops.com/modules.php?name=News&file=print&sid=2946) -* [13](http://direct.bl.uk/bld/PlaceOrder.do?UIN=161932125&ETOC=RN&from=searchengine) ## Connecticut v. Amero diff --git a/docs/linux_memory_analysis.md b/docs/linux_memory_analysis.md index a10a013cc..cbd844e17 100644 --- a/docs/linux_memory_analysis.md +++ b/docs/linux_memory_analysis.md @@ -87,9 +87,6 @@ images can also be found on the Second Look website at - [FACE: Automated digital evidence discovery and correlation](https://www.sciencedirect.com/science/article/pii/S1742287608000340), by Andrew Case, Andrew Cristina, Lodovico Marziale, Golden G. Richard, Vassil Roussev, DFRWS 2008 -- [Linux Live Memory Forensics](http://esiea-recherche.eu/~desnos/papers/slidesdraugr.pdf), - a presentation by Desnos Anthony describing the implementation of - draugr, 2009. - [Forensic RAM Dump Image Analyzer](https://is.cuni.cz/studium/dipl_st/index.php?doo=detailhttp://is.cuni.cz/studium/dipl_st/index.php?doo=detail&did=48540did=48540) by Ivor Kollar, describing the implementation of foriana, 2009. - [Treasure and tragedy in kmem_cache mining for live forensics investigation](https://www.sciencedirect.com/science/article/pii/S1742287610000332), diff --git a/docs/mac_os_x.md b/docs/mac_os_x.md index 8e4f4e884..a0d71e8d2 100644 --- a/docs/mac_os_x.md +++ b/docs/mac_os_x.md 
@@ -277,7 +277,7 @@ Mac OS. ### EFI * [The Intel Mac boot process](https://refit.sourceforge.net/info/boot_process.html), by the - [rEFIt project](refit.md) - [Carving up EFI fat binaries](http://ho.ax/posts/2012/02/carving-up-efi-fat-binaries/), + [rEFIt project](refit.md) - [Carving up EFI fat binaries](https://ho.ax/posts/2012/02/carving-up-efi-fat-binaries/), by snare, February 24, 2012 ### iCloud diff --git a/docs/mailing_lists.md b/docs/mailing_lists.md index b90130f6a..1dd995fca 100644 --- a/docs/mailing_lists.md +++ b/docs/mailing_lists.md @@ -1,6 +1,6 @@ --- tags: - - No Category + - Articles that need to be expanded --- There are a number of mailing lists of interest to Digital Forensics Practitioners. Below is a listing of some more well known lists. It is @@ -22,7 +22,7 @@ not all-inclusive. forensic products (exceptions to this are personnel who retire and then offer their utility suites commercially). For subscription information, send request to jnj AT infobin.org -- [Computer Forensics Tool Testing](https://www.yahoo.com/) +- Computer Forensics Tool Testing (**cftt@yahoogroups.com**) - Subscription requires moderator approval. The archive is only available to list members. - [High Technology Crime Consortium Mailing List](http://www.hightechcrimecops.org/membership.html) - 
@@ -31,22 +31,6 @@ not all-inclusive. - [High Technology Crime Investigation Association Mailing List](https://www.htcia.org/) - The HTCIA mailing list is for members only. The archive is only available to list members. -- [MacIntosh OS: Forensics](https://www.yahoo.com/) +- MacIntosh OS: Forensics (**macos_forensics@yahoogroups.com**) - The archive is only available to list members. -- [SecurityFocus: Forensics](https://bugtraq.securityfocus.com/archive/104) - (**forensics@securityfocus.com**) -- [SecurityFocus: LogAnalysis](https://bugtraq.securityfocus.com/archive/116) - (**loganalysis@securityfocus.com**) -- [SecurityFocus: Honeypots](https://bugtraq.securityfocus.com/archive/119) - (**honeypots@securityfocus.com**) -- [SecurityFocus: Phishing and Botnets](https://bugtraq.securityfocus.com/archive/135) - (**phishing@securityfocus.com**) -- [SecurityFocus: Real Cases](https://bugtraq.securityfocus.com/archive/136) - (**realcases@securityfocus.com**) -- [SecurityFocus: Binary Analysis](https://bugtraq.securityfocus.com/archive/138) - (**binaryanalysis@securityfocus.com**) -- [SecurityFocus: Incidents](https://bugtraq.securityfocus.com/archive/75) - (**incidents@securityfocus.com**) -- [SecurityFocus: Forensics in Spanish](https://bugtraq.securityfocus.com/archive/128) - (**forensics-es@securityfocus.com**) diff --git "a/docs/n\303\243\302\243o_existe_m\303\243\302\272sica_que_fale_de_sistema_solar_vou_chorar_13.md" "b/docs/n\303\243\302\243o_existe_m\303\243\302\272sica_que_fale_de_sistema_solar_vou_chorar_13.md" deleted file mode 100644 index 8d7a8876b..000000000 --- "a/docs/n\303\243\302\243o_existe_m\303\243\302\272sica_que_fale_de_sistema_solar_vou_chorar_13.md" +++ /dev/null 
@@ -1,94 +0,0 @@ ---- -tags: - - No Category ---- - - - -Someone remessageed me. Am I supposed to thank them? newtosocial media -80s Awesomeness with the Corys'! (watching The Lost Boys Guilty or not, -I don't Casey Anthony is going to be invited to babysit. The Set -registered as an (Alternative) artist with The Indie. Show them support -by visiting PHONES... STILL... DOWN... :-/ so message/email us for -rezzies! or just come on in. PLEASE Verizon, we can't take it much -longer. - -Sunshine. ( Meridian Hill Park My Sisters of LOVE and LIL thank you if -it hadn't been for the influence of each and everyone of you I wouldn't -be... Sunrise over Decorah. (A lesser known Faukner novel, I believe) -obamabustour Watchin' I love you Phlip Morris tonight. sundaynightin -even MTV got on the avaf, Gaga, Formichetti collab news...the avaf -painting for Gaga´s Workshop is awesome! we... I want names and numbers! -Yelp's Mike G to speak at Where20 Marketing Workshop today at 3:25 -Reading The Constitution never hurts. Changing it is legal but not -simple. They are welcome to try. MTA simply ignores it. - -Let's just sat Valeria was not a D cup. I just told my mom to get back -into her cage... Sound familiar? got like6 records to record!! The -commentary, also on is part of Rosenberg's upcoming publication, -"Justice in California." We were honored to provide a little comfort to -His Holiness the Dalai Lama at an event in Queensland, Australia. Look -out world, I've got a venti skinny vanilla latte in hand, and I don't -normally drink caffeine. Schwing batta batta schwing!! - -In the United States, solar panels need to confront southerly. Several -people don't realize this, but due to the curvature of the Soil, "south" -is actually slightly distinct from one area about the land to another. 
-"South" with -[solar](http://funditor.110mb.com/wiki/index.php/User:Solarpanels123#Solar_Panels_-_How_to_Wire_Solar_Panels_to_a_Battery) -panel objectives is referred to as "true south" and this is easily -calculated out of your latitude and the time of year. - -Once you find true southerly, you also should tilt your solar panels at -a particular angle to get the best electrical generation. The right tilt -for your solar panels is also calculated based on the latitude of your -place. - -Difficulty: Easy - -Instructions - -Things You'll Need - -Correct south Your latitude Compass - -1 To uncover true south at your location, you must look at the shadow -cast by any vertical object in solar noon. Vertical items cast their own -shadow at solar noon, and this shadow is oriented to the true north and -southerly with your place. - -Solar noon varies in different parts of the year, so the easiest way to -find it for your place yous by way of visiting the NOAA Solar Calculator -online. Pinpoint your exact location, later word when solar noon remains -with you. - -2 Choose a sunny area exterior plus take observe of any vertical makings -nearby. If there are no vertical buildings or it is too shaded, you can -furthermore hang a plumb bob inside direct daylight. Wait for solar noon -and note the course regarding the shadows: These show you accurate north -plus south for your place. - -3 Move your solar panels into some level place in the bright position -plus face them as without delay to accurate south because you can. - -Use your compass to adjust the tilt angle of your solar panels if -needed. - -Tips & Warnings - -The above tilt perspective calculation is basically with winter -positioning about your solar panels, but it will perform properly with -all other seasons in most regarding the United States. If you would -prefer to adjust your panels with each season, you can do that is with -pair additional calculations. 
Subtract 2.5 from your latitude to figure -optimum tilt angles for spring also fall. Subtract 52.5 from your winter -tilt perspective to uncover the optimum angle for summertime. - -References - -Methods to Get Correct Southerly NOAA Solar Calculator Optimum -Orientation regarding Solar Panels - -Read Next: \ No newline at end of file diff --git a/docs/prefetch.md b/docs/prefetch.md index 914bc0390..9d7bcbc86 100644 --- a/docs/prefetch.md +++ b/docs/prefetch.md @@ -197,9 +197,9 @@ The EnablePrefetcher Registry value can be used to disable prefetch. * [MSDN: Disabling Prefetch](https://learn.microsoft.com/en-us/previous-versions/windows/embedded/ms940847(v=winembedded.5)) * [Windows XP: Kernel Improvements Create a More Robust, Powerful, and Scalable OS](https://learn.microsoft.com/en-us/archive/msdn-magazine/2001/december/windows-xp-kernel-improvements-create-a-more-robust-powerful-and-scalable-os), by [Mark Russinovich](mark_russinovich.md), David Solomon, December 2001 -* [Prefetch file metadata](http://windowsir.blogspot.com/2005/07/prefetch-file-metadata.html), +* [Prefetch file metadata](https://windowsir.blogspot.com/2005/07/prefetch-file-metadata.html), by [Harlan Carvey](harlan_carvey.md), July 13, 2005 -* [Prefetch files, revisited](http://windowsir.blogspot.com/2006/04/prefetch-files-revisited.html), +* [Prefetch files, revisited](https://windowsir.blogspot.com/2006/04/prefetch-files-revisited.html), by [Harlan Carvey](harlan_carvey.md), April 13, 2006 * [Windows Memory Management](https://www.codeproject.com/Articles/29449/Windows-Memory-Management), by logicchild, September 17, 2008 
@@ -219,9 +219,9 @@ The EnablePrefetcher Registry value can be used to disable prefetch. * [Prefetch i niedokładny licznik](http://labit.in/pliki-prefetch-w-windows/) by Paweł Hałdrzyński, August 20, 2011 (article in Polish; uncertain about the year of publication) -* [Prefetch Analysis, Revisited](http://windowsir.blogspot.com/2012/03/prefetch-analysis-revisited.html), +* [Prefetch Analysis, Revisited](https://windowsir.blogspot.com/2012/03/prefetch-analysis-revisited.html), by [Harlan Carvey](harlan_carvey.md), March 8, 2012 -* [Prefetch Analysis, Revisited...Again...](http://windowsir.blogspot.com/2012/03/prefetch-analysis-revisitedagain.html), +* [Prefetch Analysis, Revisited...Again...](https://windowsir.blogspot.com/2012/03/prefetch-analysis-revisitedagain.html), by [Harlan Carvey](harlan_carvey.md), March 15, 2012 * [Prefetch Hash Calculator + a hash lookup table xp/vista/w7/w2k3/w2k8](http://www.hexacorn.com/blog/2012/06/13/prefetch-hash-calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8/), Hexacorn blog, June 13, 2012 diff --git a/docs/readyboost.md b/docs/readyboost.md index 5eacbb0d3..a326f1e2f 100644 --- a/docs/readyboost.md +++ b/docs/readyboost.md @@ -5,7 +5,7 @@ tags: ## External Links * [Wikipedia: ReadyBoost](https://en.wikipedia.org/wiki/ReadyBoost) -* [Plugin: EMDMgmt](http://windowsir.blogspot.com/2013/04/plugin-emdmgmt.html), by +* [Plugin: EMDMgmt](https://windowsir.blogspot.com/2013/04/plugin-emdmgmt.html), by [Harlan Carvey](harlan_carvey.md), April 05, 2013 * [Understanding the artifacts EMDMgmt](https://www.hecfblog.com/2013/08/daily-blog-65-understanding-artifacts.html), by David Cowen, August 27, 2013 diff --git a/docs/regripper.md b/docs/regripper.md index ec71df6f6..0c03fec7d 100644 --- a/docs/regripper.md +++ b/docs/regripper.md 
@@ -32,10 +32,10 @@ something readable. ## External Links -- [Using RegRipper](http://windowsir.blogspot.com/2011/03/using-regripper.html) +- [Using RegRipper](https://windowsir.blogspot.com/2011/03/using-regripper.html) - [RegRipper GitHub Repo](https://github.com/keydet89/RegRipper3.0) - [RegRipper Blog](https://regripper.wordpress.com/) - [Windows Forensics Analysis](https://code.google.com/archive/p/winforensicaanalysis) - [RegRipper Supplemental Plugins](https://code.google.com/archive/p/regripperplugins) -- [Developers blog (Windows Incident Response)](http://windowsir.blogspot.com/) +- [Developers blog (Windows Incident Response)](https://windowsir.blogspot.com/) - [RegRipper Google Code](https://code.google.com/archive/p/regripper) diff --git a/docs/tln.md b/docs/tln.md index 035f18f80..2cde7128e 100644 --- a/docs/tln.md +++ b/docs/tln.md @@ -3,7 +3,7 @@ tags: - Timeline Analysis --- TLN is a timeline format (as far known) introduced in a [blog -post](http://windowsir.blogspot.com/2009/02/timeline-analysis-pt-iii.html) +post](https://windowsir.blogspot.com/2009/02/timeline-analysis-pt-iii.html) by [Harlan Carvey](harlan_carvey.md). He specifies the following 5 \| separated fields: @@ -80,9 +80,9 @@ Known variants of TLN are: ## External Links - [TimeLine Analysis, pt - III](http://windowsir.blogspot.com/2009/02/timeline-analysis-pt-iii.html), + III](https://windowsir.blogspot.com/2009/02/timeline-analysis-pt-iii.html), by [Harlan Carvey](harlan_carvey.md), February 28, 2009 - [Timeline Analysis...do we need a - standard?](http://windowsir.blogspot.com/2010/02/timeline-analysisdo-we-need-standard.html), + standard?](https://windowsir.blogspot.com/2010/02/timeline-analysisdo-we-need-standard.html), by [Harlan Carvey](harlan_carvey.md), February 08, 2010 diff --git a/docs/upcoming_events.md b/docs/upcoming_events.md index a80ad36ff..346a4d6e8 100644 --- a/docs/upcoming_events.md +++ b/docs/upcoming_events.md 
@@ -1,6 +1,6 @@ --- tags: - - Research + - Research --- PLEASE READ BEFORE YOU EDIT THE LISTS BELOW When events begin the same day, events of a longer length should be @@ -59,10 +59,8 @@ conferences that would be appropriate for forensic research. |---------------------------------------------------------------------|-------------------------|-------------------|-------------------------------------------------------------------------------------------------| | IFIP WG 11.9 International Conference on Digital Forensics | Oct 14, 2016 (extended) | Nov 11, 2016 | | | 2017 International Conference on Audio Forensics | Feb 01, 2017 | Mar 07, 2017 | | -| The 3rd IEEE International Workshop on Cloud Security and Forensics | May 03, 2017 (extended) | May 24, 2017 | | | | | | | | 2017 IEEE Workshop on Information Forensics and Security | Jun 19, 2017 | Sep 18, 2017 | | -| | | | | See also [WikiCFP 'Forensics'](http://www.wikicfp.com/cfp/servlet/tool.search?q=forensics) @@ -175,14 +173,10 @@ href="https://project.inria.fr/wifs2017/">http://www.wifs2017.org/

## See Also -- [Training Courses and - Providers](training_courses_and_providers.md) +* [Training Courses and Providers](training_courses_and_providers.md) ## References -- [Computer Security Conference Ranking and - Statistic](https://people.engr.tamu.edu/guofei/sec_conf_stat.htm) -- [Meetings and Conferences in Data Mining and - Discovery](https://www.kdnuggets.com/meetings/index.html) -- Data Mining Conferences - World-Wide\] +* [Computer Security Conference Ranking and Statistic](https://people.engr.tamu.edu/guofei/sec_conf_stat.htm) +* [Meetings and Conferences in Data Mining and Discovery](https://www.kdnuggets.com/meetings/index.html) +* [Data Mining Conferences World-Wide](https://conferencealerts.com/topic-listing?topic=Data%20Mining) diff --git a/docs/windows_application_compatibility.md b/docs/windows_application_compatibility.md index f089b18df..7d231bfd2 100644 --- a/docs/windows_application_compatibility.md +++ b/docs/windows_application_compatibility.md @@ -38,10 +38,6 @@ In Windows 2003 and later: by Alex Ionescu, May 21, 2007 * [Secrets of the Application Compatilibity Database (SDB) – Part 3](http://www.alex-ionescu.com/?p=41), by Alex Ionescu, May 26, 2007 -* [Windows AppCompat Research Notes - Part 1](http://recxltd.blogspot.com/2012/04/windows-appcompat-research-notes-part-1.html), - by Ollie, 28 April 2012 -* [Windows AppCompat Research Notes - Part 2](http://recxltd.blogspot.com/2012/05/windows-appcompat-research-notes-part-2.html), - by Ollie, 4 May 2012 * [Leveraging the Application Compatibility Cache in Forensic Investigations](https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf), by Andrew Davis, May 4, 2012 * [Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys](http://journeyintoir.blogspot.com/2013/12/revealing-program-compatibility.html), 
@@ -51,7 +47,6 @@ In Windows 2003 and later: * [Shim Shady: Live Investigations of the Application Compatibility Cache](https://www.fireeye.com/blog/threat-research/2015/10/shim_shady_live_inv.html), by Fred House, Claudiu Teodorescu, Andrew Davis, October 27, 2015 * [Shim Shady Part 2](https://www.fireeye.com/blog/threat-research/2015/10/shim_shady_live_inv/shim-shady-part-2.html) -* [Using Application Compatibility Shims](http://subt0x10.blogspot.ch/2017/05/using-application-compatibility-shims.html) * [To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence](https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence) ### RecentFileCache diff --git a/docs/windows_registry.md b/docs/windows_registry.md index 439c7769c..5892550ef 100644 --- a/docs/windows_registry.md +++ b/docs/windows_registry.md @@ -1170,7 +1170,7 @@ name

### Undated -* [A Windows Registry Quick Reference: For the Everyday Examiner](http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf), +* [A Windows Registry Quick Reference: For the Everyday Examiner](https://www.iapsonline.com/sites/default/files/A%20Windows%20Registry%20Quick%20Reference-%20For%20the%20Everyday%20Examiner%20-%20By%20Derrick%20J.%20Farmer.pdf), by Derrick Farmer, Burlington, VT. * [Forensic Analysis of the Windows Registry](https://forensicfocus.com/articles/forensic-analysis-of-the-windows-registry/), by Lih Wern Wong , School of Computer and Information Science, Edith @@ -1183,7 +1183,7 @@ name

## External Links * [Wikipedia: Windows Registry](https://en.wikipedia.org/wiki/Windows_Registry) -* [Windows Incident Response Articles on Registry](http://windowsir.blogspot.com/search/label/Registry) +* [Windows Incident Response Articles on Registry](https://windowsir.blogspot.com/search/label/Registry) * [Windows Registry Information](https://www.answers.com/redirectSearch?query=win-registry) * [Push the Red Button](https://moyix.blogspot.com/search/label/registry) * [Security Accounts Manager](http://survey-smiles.com) @@ -1232,17 +1232,13 @@ name

Didier Stevens * [UserAssist V2.3.0](https://blog.didierstevens.com/2007/07/17/userassist-v230/), by Didier Stevens, Tuesday 17 July 2007 -* [More on (the) UserAssist keys](http://windowsir.blogspot.com/2007/09/more-on-userassist-keys.html), +* [More on (the) UserAssist keys](https://windowsir.blogspot.com/2007/09/more-on-userassist-keys.html), by [Harlan Carvey](harlan_carvey.md), Monday, September 03, 2007 * [Windows 7 Beta: ROT13 Replaced With Vigenère? Great Joke!](https://blog.didierstevens.com/2009/01/18/quickpost-windows-7-beta-rot13-replaced-with-vigenere-great-joke/), by Didier Stevens, January 18, 2009 * [Prefetch and User Assist](http://forensicsfromthesausagefactory.blogspot.com/2010/05/prefetch-and-user-assist.html), by DC174, Thursday, 27 May 2010 -* [Forensic Artifact: UserAssist](http://forensicartifacts.com/2010/07/userassist/), July - 2010 -* [SANS Forensic Artifact 6: UserAssist](http://sploited.blogspot.com/2012/12/sans-forensic-artifact-6-userassist.html), - by Sploited, Thursday, 27 December 2012 * [UserAssist Forensics (timelines, interpretation, testing, & more)](https://www.4n6k.com/2013/05/userassist-forensics-timelines.html), by Dan (@4n6k), Tuesday, May 14, 2013 * [Daily Blog \#45: Understanding the artifacts: User Assist](https://www.hecfblog.com/2013/08/daily-blog-45-understanding-artifacts.html), diff --git a/docs/windows_restore_points.md b/docs/windows_restore_points.md index 5da130d69..5f94b839d 100644 --- a/docs/windows_restore_points.md +++ b/docs/windows_restore_points.md 
@@ -27,9 +27,9 @@ A Restore Point data sub directory contains: * [MSDN: Legacy System Restore Reference](https://learn.microsoft.com/en-us/windows/win32/sr/legacy-system-restore-reference) * [Restore Point Forensics](http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm), by Steve Bunting -* [Restore Point Forensics](http://windowsir.blogspot.com/2006/10/restore-point-forensics.html), +* [Restore Point Forensics](https://windowsir.blogspot.com/2006/10/restore-point-forensics.html), by [Harlan Carvey](harlan_carvey.md), October 20, 2006 -* [Restore Point Analysis](http://windowsir.blogspot.com/2007/06/restore-point-analysis.html), +* [Restore Point Analysis](https://windowsir.blogspot.com/2007/06/restore-point-analysis.html), by [Harlan Carvey](harlan_carvey.md), June 16, 2007 * [Enscript Tutorial 1 - Parse XP System Restore Logs](http://www.swiftforensics.com/2012/03/enscript-tutorial-1-parse-xp-system.html), by Yogesh Khatri, March 2, 2012 diff --git a/docs/windows_shadow_volumes.md b/docs/windows_shadow_volumes.md index 3c7e168c5..07a5c6056 100644 --- a/docs/windows_shadow_volumes.md +++ b/docs/windows_shadow_volumes.md 
@@ -124,13 +124,13 @@ information. * [VISTA and Windows 7 Shadow Volume Forensics](https://www.sans.org/digital-forensics-incident-response/), by [Rob Lee](rob_lee.md), October 2008 -* [Accessing Volume Shadow Copies](http://windowsir.blogspot.com/2011/01/accessing-volume-shadow-copies.html), +* [Accessing Volume Shadow Copies](https://windowsir.blogspot.com/2011/01/accessing-volume-shadow-copies.html), + by [Harlan Carvey](harlan_carvey.md), January 2011 +* [More VSCs](https://windowsir.blogspot.com/2011/01/more-vscs.html), by [Harlan Carvey](harlan_carvey.md), January 2011 -* [More VSCs](http://windowsir.blogspot.com/2011/01/more-vscs.html), by - [Harlan Carvey](harlan_carvey.md), January 2011 * [A Little Help with Volume Shadow Copies](http://journeyintoir.blogspot.com/2011/04/little-help-with-volume-shadow-copies.html), by Corey Harrell, April 2011 -* [HowTo: Mount and Access VSCs](http://windowsir.blogspot.com/2011/09/howto-mount-and-access-vscs.html), +* [HowTo: Mount and Access VSCs](https://windowsir.blogspot.com/2011/09/howto-mount-and-access-vscs.html), by [Harlan Carvey](harlan_carvey.md), September 2011 * [Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows](https://www.sans.org/digital-forensics-incident-response/), by [Rob Lee](rob_lee.md), September 2011
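
Review bot: the deleted page under docs/ with the mis-encoded filename is not a dead reference. Its removed lines are solar-panel text unrelated to forensics, with an outbound link to funditor.110mb.com, which reads as wiki spam imported with the rest of the content. The commit message should say so, and the rest of docs/ is worth searching for inbound links to this page and for other imported pages of the same kind.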
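
Review bot: in the table hunk of docs/upcoming_events.md, the empty row `| | | | |` at the end is removed, but the identical empty row between the Audio Forensics entry and the "2017 IEEE Workshop on Information Forensics and Security" entry stays as context. If the empty rows are not intentional separators, drop that one in the same change so the table is consistent.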
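
Review bot: in the References hunk of docs/upcoming_events.md, the last added line introduces a new target, `https://conferencealerts.com/topic-listing?topic=Data%20Mining`, in place of the broken `Data Mining Conferences - World-Wide\]` remnant. That is a new external link rather than a removal, so it should be mentioned in the commit message and confirmed as the intended source. The same hunk also switches the list marker from `-` to `*`, while other files touched by this patch (docs/regripper.md, docs/tln.md) keep `-`. Pick one marker or leave the style change out of a link-cleanup commit.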
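
Review bot: in docs/windows_application_compatibility.md, the two "Windows AppCompat Research Notes" entries and the "Using Application Compatibility Shims" entry are deleted outright, which loses the title, author and date of each citation along with the link. Where an archived copy exists, repoint the entry to it instead. Where none exists, keep the citation text without a link so readers can still search for the work. The same applies to the two UserAssist entries removed in docs/windows_registry.md.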
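
Review bot: in the External Links hunk of docs/windows_registry.md, the context line `[Security Accounts Manager](http://survey-smiles.com)` is left untouched, and its target domain has no visible relation to the link title. A link cleanup should check that entry and remove or repoint it in the same pass. The adjacent `https://www.answers.com/redirectSearch?query=win-registry` entry is a search redirect rather than a stable reference and deserves the same check.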
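
Review bot: in the docs/windows_shadow_volumes.md hunk, both Rob Lee entries in the context lines point at the same generic landing page, `https://www.sans.org/digital-forensics-incident-response/`, so neither citation resolves to the article it names. They should be repointed to the specific posts or to archived copies. The journeyintoir.blogspot.com entry in this hunk also stays on http while the windowsir.blogspot.com entries move to https. If the scheme upgrade is intended for Blogspot hosts generally, apply it to that entry as well.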