From 7e6d68ad85df24660adf330a51df53772b605692 Mon Sep 17 00:00:00 2001 From: Joachim Metz Date: Sun, 3 Dec 2023 21:37:29 +0100 Subject: [PATCH] Removed dead references (#201) --- docs/apple_iphone.md | 4 +- docs/bmp.md | 5 - docs/cell_phone_forensics.md | 1 - docs/conferences.md | 6 - docs/dibs.md | 53 ----- docs/disk_imaging.md | 2 +- ...amous_cases_involving_digital_forensics.md | 12 +- docs/file_carving.md | 31 +-- docs/gif.md | 7 +- docs/global_positioning_system.md | 13 +- docs/gprs.md | 9 +- docs/hfs+.md | 2 +- docs/jhead.md | 6 - docs/jpeg.md | 4 +- docs/jtag_and_chip-off_tools_and_equipment.md | 4 - docs/libdnet.md | 5 +- docs/linux_unified_key_setup_(luks).md | 2 +- docs/memory_analysis.md | 4 +- docs/new_technology_file_system_(ntfs).md | 6 +- docs/photo_investigator.md | 32 --- docs/serial_port_monitoring.md | 10 +- docs/sim_cards.md | 1 - docs/slack.md | 5 - docs/testing_and_validation.md | 1 - docs/timeline_analysis.md | 6 +- docs/training_courses_and_providers.md | 3 +- docs/upcoming_events.md | 182 ------------------ docs/windows_memory_analysis.md | 36 ++-- docs/windows_xml_event_log_(evtx).md | 2 +- 29 files changed, 45 insertions(+), 409 deletions(-) delete mode 100644 docs/dibs.md delete mode 100644 docs/photo_investigator.md delete mode 100644 docs/upcoming_events.md diff --git a/docs/apple_iphone.md b/docs/apple_iphone.md index 1fc2ff592..93adb2c0f 100644 --- a/docs/apple_iphone.md +++ b/docs/apple_iphone.md 
@@ -32,8 +32,6 @@ Store does not allow in any application it distributes). - [iphone-dataprotection](https://code.google.com/archive/p/iphone-dataprotection); a set of tools that can image and decrypt an iPhone. The tools can even brute-force the iPhone's 4-digit numerical password. -- [iOS Forensic Research](http://www.iosresearch.org). Jonathan Zdziarski has released tools that will - image iPhones, iPads and iPod Touch. (law enforcement only). - [libimobiledevice](https://libimobiledevice.org/) is a library with utilities for backing up iPhones. The output format is an iTunes-style backup that can be examined with traditional tools. They are available 
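Review bot: the removed iOS Forensic Research bullet (Jonathan Zdziarski's imaging tools for iPhones, iPads and iPod Touch) still has historical value on this page; rather than dropping it outright, consider keeping the entry with an Internet Archive copy of http://www.iosresearch.org, the approach the wiki already uses for the TN1150 reference in hfs+.md ("Internet Archive Copy of: ...").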
@@ -61,7 +59,7 @@ Store does not allow in any application it distributes). - [Wikipedia: iPhone](https://en.wikipedia.org/wiki/IPhone) - [Wikipedia: IOS jailbraking](https://en.wikipedia.org/wiki/IOS_jailbreaking) - [The iPhone Wiki](https://www.theiphonewiki.com/wiki/Main_Page) -- [Slashdot: Malware Could Grab Data From Stock iPhones](https://it.slashdot.org/story/09/12/04/0413235/Malware-Could-Grab-Data-From-Stock-iPhones?from=rsshttp://it.slashdot.org/story/09/12/04/0413235/Malware-Could-Grab-Data-From-Stock-iPhones?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29utm_source=feedburnerhttp://it.slashdot.org/story/09/12/04/0413235/Malware-Could-Grab-Data-From-Stock-iPhones?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29utm_medium=feedhttp://it.slashdot.org/story/09/12/04/0413235/Malware-Could-Grab-Data-From-Stock-iPhones?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29) +- [Slashdot: Malware Could Grab Data From Stock iPhones](https://it.slashdot.org/story/09/12/04/0413235/Malware-Could-Grab-Data-From-Stock-iPhones) - [Apple iOS Privacy](http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf), [slides hash days presentation](http://seriot.ch/resources/talks_papers/ios_privacy_hashdays.pdf), by Nicolas Seriot, in November 2010. diff --git a/docs/bmp.md b/docs/bmp.md index a040063f5..5330ddd44 100644 --- a/docs/bmp.md +++ b/docs/bmp.md @@ -9,11 +9,6 @@ Each file consists of a [header](header.md), an information block, and then the image data. Note that the image data is given in order from the *end* of the image file! -## Metadata - -In iOS, the [Photo Investigator](photo_investigator.md) can -extract, view, and remove BMP metadata. - ## External Links * [Wikipedia: BMP](https://en.wikipedia.org/wiki/Windows_bitmap) 
diff --git a/docs/cell_phone_forensics.md b/docs/cell_phone_forensics.md index 989210192..ea4205279 100644 --- a/docs/cell_phone_forensics.md +++ b/docs/cell_phone_forensics.md @@ -91,7 +91,6 @@ Investigative Support * [E-Evidence.Info Mobile Forensic Tools](http://www.e-evidence.info/cellular.html) * [ForensicFocus.com(Practitioners Forum)](https://forensicfocus.com) * [Mobile-Forensics.com (Research Forum for Mobile Device Forensics)](http://www.mobile-forensics.com/) -* [Phone-Forensics.com (Advanced Forum for Practitioners)](http://www.Phone-Forensics.com) * [TREW Mobile Telephone Evidence (Mobile Telephone Evidence Practitioner Site)](http://trewmte.blogspot.com) Phone Research diff --git a/docs/conferences.md b/docs/conferences.md index 2c98953c2..7ea93997e 100644 --- a/docs/conferences.md +++ b/docs/conferences.md @@ -9,11 +9,6 @@ of conferences and journals at and used with his permission. Brian no longer maintains those listings and points back to this Wiki. -For Dates and Locations of upcoming conferences and training events, see the -pages titled [Upcoming events](upcoming_events.md) (Calls for papers, -Conferences and On-Demand Training) and Scheduled Training Courses -(Training Classes/Courses scheduled for specific dates/locations). - # Research Conferences and Workshops Research conferences that are related to digital investigation and forensics. @@ -129,4 +124,3 @@ Techno-Security Conference # See also * [Journals](journals.md) -* [Upcoming events](upcoming_events.md) diff --git a/docs/dibs.md b/docs/dibs.md deleted file mode 100644 index ba2c3187a..000000000 --- a/docs/dibs.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -tags: - - No Category ---- -# DIBS - -This Fort Worth based company makes forensics software and packages it -with portable hardware for investigators in the field with desktop -workstations for offices. - -[Website](http://www.dibsusa.com/) - -# Features - -## File Systems Understood - -(unknown) - -## File Search Facilities - -- Lists allocated and unallocated files. -- Sorts files by type. -- Searches for keywords. -- Registry Viewer - -## Historical Reconstruction - -Can it build timelines and search by creation date? - -## Searching Abilities - -- Can use basic keyword searching. -- Offers full-text indexing. - -## Hash Databases - -- Offers the "Hash Library-KFF". - -## Evidence Collection Features - -Can it sign files? Does it keep an audit log? - -# History - -## License Notes - -Is it commercial or open source? Are there other licensing options? - -# External Links - -[Website](http://www.dibsusa.com/) - -## External Reviews \ No newline at end of file diff --git a/docs/disk_imaging.md b/docs/disk_imaging.md index 6049c9431..e2757feca 100644 --- a/docs/disk_imaging.md +++ b/docs/disk_imaging.md @@ -118,5 +118,5 @@ rare since the non-encrypted data is what undergoes analysis. ### Hash based imaging -* [Hash based disk imaging using AFF4](http://www.dfrws.org/2010/proceedings/2010-314.pdf), +* [Hash based disk imaging using AFF4](https://dfrws.org/sites/default/files/session-files/2010_USA_pres-hash_based_disk_imaging_using_aff4.pdf), by [Michael Cohen](michael_cohen.md), [Bradley Schatz](bradley_schatz.md) diff --git a/docs/famous_cases_involving_digital_forensics.md b/docs/famous_cases_involving_digital_forensics.md index 2ca19738b..b5089dbc7 100644 --- a/docs/famous_cases_involving_digital_forensics.md +++ b/docs/famous_cases_involving_digital_forensics.md 
@@ -61,8 +61,8 @@ that some of the viruses kept re-attaching themselves to movies. When the squad looked at the videos they determined that they were child pornography and contacted the police. -- -- +- [The Geek Squad Becomes the Porn Squad](https://www.forbes.com/sites/kashmirhill/2010/10/12/the-geek-squad-becomes-the-porn-squad/) +- [Corey Beantee Melton v. State of Alabama](https://law.justia.com/cases/alabama/court-of-appeals-criminal/2010/08-1767.html) ### 2007 James Kent @@ -84,10 +84,7 @@ child pornography. In the appeal the court throws out one count, arguing that Kent did not know that viewing child pornography online made a copy of the pornography in his web browser's cache. -- -- -- [Opinion](http://www.msn.com/de-ch/) -- +- ['I Was Doing Academic Research' Not an Adequate Defense for Child Porn Possession](https://www.forbes.com/sites/kashmirhill/2010/10/15/i-was-doing-academic-research-not-an-adequate-defense-for-child-porn-possession/) ### 2008 Brad Cooper @@ -126,8 +123,7 @@ topics....In one of those conversations, the person identified himself as a married 45-year-old man with a daughter, a description that fits Mr. Cameron." -- -- +- [Cameron sentenced to 16 years in prison](https://www.pressherald.com/2011/03/10/cameron-sentenced-to-16-years-in-prison/) ## See Also diff --git a/docs/file_carving.md b/docs/file_carving.md index 449f9ff61..1ecde0fd4 100644 --- a/docs/file_carving.md +++ b/docs/file_carving.md 
@@ -48,59 +48,44 @@ recover fragmented files. ## File Carving Taxonomy -[Simson Garfinkel](simson_garfinkel.md) and [Joachim -Metz](joachim_metz.md) have proposed the following file carving -taxonomy: +[Simson Garfinkel](simson_garfinkel.md) and [Joachim Metz](joachim_metz.md) have +proposed the following file carving taxonomy: Carving General term for extracting data (files) out of undifferentiated blocks (raw data), like "carving" a sculpture out of soap stone. - - Block-Based Carving Any carving method (algorithm) that analyzes the input on block-by-block basis to determine if a block is part of a possible output file. This method assumes that each block can only be part of a single file (or embedded file). - - Statistical Carving Any carving method (algorithm) that analyzes the input on characteristic or statistic for example, entropy) to determine if the input is part of a possible output file. - - Header/Footer Carving A method for carving files out of raw data using a distinct header (start of file marker) and footer (end of file marker). - - Header/Maximum (file) size Carving A method for carving files out of raw data using a distinct header (start of file marker) and a maximum (file) size. This approach works because many file formats (e.g. JPEG, MP3) do not care if additional junk is appended to the end of a valid file. - - Header/Embedded Length Carving A method for carving files out of raw data using a distinct header and a file length (size) which is embedded in the file format - - File structure based Carving A method for carving files out of raw data using a certain level of knowledge of the internal structure of file types. Garfinkel called this approach "Semantic Carving" in his DFRWS2006 carving challenge submission, while Metz and Mora called the approach "Deep Carving." - - Semantic Carving A method for carving files based on a linguistic analysis of the file's content. For example, a semantic carver might conclude that six blocks 
@@ -108,21 +93,15 @@ of french in the middle of a long HTML file written in English is a fragment left from a previous allocated file, and not from the English-language HTML file. - - Carving with Validation A method for carving files out of raw data where the carved files are validated using a file type specific validator. - - Fragment Recovery Carving A carving method in which two or more fragments are reassembled to form the original file or object. Garfinkel previously called this approach "Split Carving." - - Repackaging Carving A carving method that modifies the extracted data by adding new headers, footers, or other information so that it can be viewed with standard @@ -133,11 +112,9 @@ utility. ## File Carving challenges and test images -[File Carving Challenge](http://www.dfrws.org/2006/challenge/) - -[DFRWS](digital_forensic_research_workshop.md) 2006 +[DFRWS: File Carving Challenge](https://github.com/dfrws/dfrws2006-challenge) -[File Carving Challenge](http://www.dfrws.org/2007/challenge/) - -[DFRWS](digital_forensic_research_workshop.md) 2007 +[DFRWS: File Carving Challenge](https://github.com/dfrws/dfrws2007-challenge) [FAT Undelete Test \#1](https://dftt.sourceforge.net/test6/index.html) - Digital Forensics Tool Testing Image (dftt \#6) diff --git a/docs/gif.md b/docs/gif.md index 28be320a1..88fa680e0 100644 --- a/docs/gif.md +++ b/docs/gif.md @@ -51,12 +51,7 @@ applications to insert application specific data inside a GIF. The beginning of this block has the Extension Introducer and an Application Extension Label `FF` (hex). -In iOS, the [Photo Investigator](photo_investigator.md) can -extract, view, and remove GIF metadata. - ## External Links - [Wikipedia: GIF](https://en.wikipedia.org/wiki/GIF) -- [W3.Org: GRAPHICS INTERCHANGE FORMAT - SPECIFICATION](https://www.w3.org/Graphics/GIF/spec-gif89a.txt) - +- [W3.Org: GRAPHICS INTERCHANGE FORMAT SPECIFICATION](https://www.w3.org/Graphics/GIF/spec-gif89a.txt) 
diff --git a/docs/global_positioning_system.md b/docs/global_positioning_system.md index c4da0aa1a..66ef46212 100644 --- a/docs/global_positioning_system.md +++ b/docs/global_positioning_system.md @@ -146,17 +146,14 @@ you can connect to the camera). This makes it possible for the camera to record where exactly a photo was taken. This positioning information (latitude, longitude) can be stored in the [Exif](exif.md) [metadata](metadata.md) header of [JPEG](jpeg.md) files. Tools such as [jhead](jhead.md) can display the GPS -information in the [Exif](exif.md) headers. In iOS, the [Photo -Investigator](photo_investigator.md) can extract, view, and remove metadata -from all images, as well as easily identify images with GPS metadata while -scrolling through the images. +information in the [Exif](exif.md) headers. ### Cell Phones with GPS -Some recent cell phones (e.g. a [Motorola EZX phone](http://wiki.openezx.org) -such as the Motorola A780) have a built-in GPS receiver and navigation -software. This software might record the paths travelled (and the date/time), -which can be very useful in forensic investigations. +Some recent cell phones (e.g. a Motorola EZX phone such as the Motorola A780) +have a built-in GPS receiver and navigation software. This software might +record the paths travelled (and the date/time), which can be very useful in +forensic investigations. ## See Also diff --git a/docs/gprs.md b/docs/gprs.md index fbc61c419..2fca0f3de 100644 --- a/docs/gprs.md +++ b/docs/gprs.md @@ -1,6 +1,6 @@ --- tags: - - No Category + - Mobile --- **General Packet Radio Services (GPRS)** is a wireless data communication service that transfers data at a rate of up to 40-50Kbps, 
@@ -41,15 +41,11 @@ There are three GPRS classes which help indicate the capabilities of a Mobile phones of this class can be connected to both GPRS and [GSM](gsm.md) services simultaneously. - - **Class B** Mobile phones of this class can be attached to both GPRS and GSM services, but using only one service at a time. Switching between them (suspend/resume) is done automatically. - - **Class C** Mobile phones of this class are attached to either GPRS or GSM voice service. One needs to switch manually between services. @@ -70,7 +66,4 @@ of transfer. ## External Links -- -- -- - [Wikipedia: GPRS](https://en.wikipedia.org/wiki/GPRS) diff --git a/docs/hfs+.md b/docs/hfs+.md index 2525d6a5c..6201957ba 100644 --- a/docs/hfs+.md +++ b/docs/hfs+.md @@ -355,7 +355,7 @@ HFS+ stores U+2400 as U+0 * Internet Archive Copy of: [Technical Note TN1150: HFS plus volume format](http://web.archive.org/web/20220208191804/https://developer.apple.com/documentation/technotes) * [Mac Forensics: Mac OS X and the HFS+ File System](http://cet4861.pbworks.com/w/file/fetch/71245694/mac.forensics.craiger-burke.IFIP.06.pdf) by P. Craiger, November 2005 -* [Using the HFSD journal for deleted file recovery](http://www.dfrws.org/2008/proceedings/p76-burghardt.pdf), +* [Using the HFSD journal for deleted file recovery](https://dfrws.org/sites/default/files/session-files/2008_USA_pres-using_the_hfs_journal_for_deleted_file_recovery.pdf), by Aaron Burghardt, Adam Feldman, DRFWS 2008 ## Tools diff --git a/docs/jhead.md b/docs/jhead.md index 0196659b4..81cf7dcb5 100644 --- a/docs/jhead.md +++ b/docs/jhead.md @@ -30,9 +30,3 @@ Metering Mode: center weight Exposure Mode: Manual Exposure Mode: Auto bracketing ``` - -## Externals Links - -* Article about removing [hidden data in JPEG - files](http://netzreport.googlepages.com/hidden_data_in_jpeg_files.html) - with jhead diff --git a/docs/jpeg.md b/docs/jpeg.md index 6bd41a5d3..c5f95a619 100644 --- a/docs/jpeg.md +++ b/docs/jpeg.md 
@@ -21,9 +21,7 @@ as Exif, IPTC, GPS, or Camera Raw. The [exif](exif.md) and [jhead](jhead.md) command tools can extract and manipulate some of that metadata. [Adroit Photo Forensics](adroit_photo_forensics.md) -can be used to extract, view and group metadata from jpeg and camera Raw files. -In iOS, the [Photo Investigator](photo_investigator.md) can extract, view, and -remove metadata from all images. +can be used to extract, view and group metadata from JPEG and camera Raw files. # Also see diff --git a/docs/jtag_and_chip-off_tools_and_equipment.md b/docs/jtag_and_chip-off_tools_and_equipment.md index f162ae42b..9d9a11b23 100644 --- a/docs/jtag_and_chip-off_tools_and_equipment.md +++ b/docs/jtag_and_chip-off_tools_and_equipment.md @@ -107,7 +107,6 @@ made for equivalent tools and equipment.* | JTAG DELL adapters | | \~8-15 EUR | | JTAG BenQ-Siemens adapters | | \~8-15 EUR | | JTAG Toshiba adapters | | \~8-15 EUR | -| Jtag Adapters For HTC | | Approx £9 - £15 | | JTAG HTC adapters | | \~8-15 EUR | | JTAG Huawei adapters | | \~8-15 EUR | | JTAG LG adapters | | \~8-15 EUR | @@ -115,14 +114,11 @@ made for equivalent tools and equipment.* | JTAG Nokia adapters | | \~8-15 EUR | | JTAG Panasonic adapters | | \~8-15 EUR | | JTAG Sagem adapters | | \~8-15 EUR | -| Jtag Adapters For Samsung | | Approx £9 - £15 | | JTAG Samsung adapters | | \~8-15 EUR | | JTAG Sendo adapters | | \~8-15 EUR | -| Jtag Adapters For Sony / SonyEricsson | | Approx £9 - £15 | | JTAG Sony adapters | | \~8-15 EUR | | JTAG SonyEricsson adapters | | \~8-15 EUR | | JTAG ZTE adapters | | \~8-15 EUR | -| Jtag Adapters For Other models | | Approx £9 - £15 | **eMMC ISP Specific Equipment List** diff --git a/docs/libdnet.md b/docs/libdnet.md index 361df6a47..d858b3803 100644 --- a/docs/libdnet.md +++ b/docs/libdnet.md 
@@ -57,10 +57,7 @@ tags: 2000/XP/Server 2003 - [Universal TUN/TAP driver](https://vtun.sourceforge.net/tun/) - virtual point-to-point network tunnel device -- [TUN/TAP driver for MacOS - X](http://www-user.rhrk.uni-kl.de/~nissler/tuntap/) -- [Tunnel driver for Solaris 8 - (sparc64)](https://libdnet.sourceforge.net/tun-1.1-sol80.sparc64.gz) +- [Tunnel driver for Solaris 8 (sparc64)](https://libdnet.sourceforge.net/tun-1.1-sol80.sparc64.gz) ## References diff --git a/docs/linux_unified_key_setup_(luks).md b/docs/linux_unified_key_setup_(luks).md index 05ab1229e..0e93f5a1d 100644 --- a/docs/linux_unified_key_setup_(luks).md +++ b/docs/linux_unified_key_setup_(luks).md @@ -71,7 +71,7 @@ See the cryptsetup(8) man page for other operations. - [New Methods in Hard Disk Encryption](https://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf), by Clemens Fruhwirth, July 18, 2005 -- [LUKS On-Disk Format Specification - Version 1.2.1](http://wiki.cryptsetup.googlecode.com/git/LUKS-standard/on-disk-format.pdf), +- [LUKS On-Disk Format Specification - Version 1.2.3](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/LUKS-standard/on-disk-format.pdf), by Clemens Fruhwirth, October 16, 2011 - [LUKS Disk Encryption](https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html), by RedHat diff --git a/docs/memory_analysis.md b/docs/memory_analysis.md index a52d2581d..09c0ddd76 100644 --- a/docs/memory_analysis.md +++ b/docs/memory_analysis.md 
@@ -130,8 +130,8 @@ analysis. by Brian Hay and Kara Nance, 2008 - [Discovering ephemeral evidence with Live RAM analysis](https://belkasoft.com/download/info/Live_RAM_Analysis_in_Digital_Forensics.pdf) by Oleg Afonin and Yuri Gubanov, 2013 -- [An Evaluation Platform for Forensic Memory Acquisition Software](http://www.dfrws.org/2013/proceedings/DFRWS2013-11.pdf) by - Stefan Voemel and Johannes Stuettgen, DFRWS 2013 +- [An Evaluation Platform for Forensic Memory Acquisition Software](https://dfrws.org/presentation/an-evaluation-platform-for-forensic-memory-acquisition-software/), + by Stefan Voemel and Johannes Stuettgen, DFRWS 2013 ### Anti-forensics diff --git a/docs/new_technology_file_system_(ntfs).md b/docs/new_technology_file_system_(ntfs).md index 488476f76..925e57253 100644 --- a/docs/new_technology_file_system_(ntfs).md +++ b/docs/new_technology_file_system_(ntfs).md @@ -23,9 +23,7 @@ commonly abbreviated as the 'MACE' values. Note that other attributes in each MFT record may also contain timestamps that are of forensic value. Additional information on how NTFS timestamps work when files are moved -or copied is available here: [Microsoft KB -299648](http://support.microsoft.com/kb/299648) [SANS -poster](https://www.sans.org/posters/windows-forensic-analysis/) +or copied is available here: [Microsoft KB 299648](https://mskb.pkisolutions.com/kb/299648) ### Changes in Windows Vista 
@@ -163,8 +161,6 @@ TxF uses the [Common Log File System (clfs)](common_log_file_system_(clfs).md) by Cheong Kai Wee * [The Four Stages of NTFS File Growth, Part 2](https://learn.microsoft.com/en-us/archive/blogs/), by John Marlin, March 12, 2015 -* [A Tale of Two File Names](http://ww25.usn.pw/blog/gen/2015/06/09/filenames/?subid1=20230112-2010-56ad-8978-6554bc03a9e7), - by Thomas Galvin, June 9, 2015 * [Parsing the \$MFT NTFS metadata file](https://osdfir.blogspot.com/2020/04/parsing-mft-ntfs-metadata-file.html), by Joachim Metz, April 30, 2020 * [Windows Container Forensics](https://osdfir.blogspot.com/2021/07/windows-container-forensics.html), diff --git a/docs/photo_investigator.md b/docs/photo_investigator.md deleted file mode 100644 index e3798d865..000000000 --- a/docs/photo_investigator.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -tags: - - File Analysis - - Free Software - - Tools - - iOS - ---- -The **Photo Investigator** (**PI**) is a free image forensic iOS App -distributed on the iOS App Store. It specializes in the analysis and -removal of all digital photograph metadata. - -# Features - -The Photo Investigator can read all image formats and view all the photo -metadata. - -It is best known for viewing the photo GPS location. Scrolling through -the devices images, an image will have an overlayed globe if GPS -metadata is saved within the photo. Full EXIF, IPTC, XMP, TIFF, and -other forms of metadata are visible, which may include the photo -location, camera's serial number, camera's software, camera hardware, -and other settings and information. - -## Other Features - -The Photo Investigator interface is optimized for quick inspection of -photos, including a full screen zoom mode. - -## External Links - -[Photo Investigator](http://www.a-r-studios.com/pi) \ No newline at end of file diff --git a/docs/serial_port_monitoring.md b/docs/serial_port_monitoring.md index 448de0435..475899363 100644 --- a/docs/serial_port_monitoring.md 
+++ b/docs/serial_port_monitoring.md @@ -1,6 +1,6 @@ --- tags: - - No Category + - Hardware --- ## Serial Port Monitoring @@ -34,8 +34,6 @@ investigation. **Tools** Here are some tools used to monitor the data transfer between COM devices. -[Serial Port Monitoring tool](https://www.com-port-monitoring.com/) - -[HHD USB/Serial Port Monitoing Software](http://www.hhdsoftware.com) - -[AGGSoftware](https://www.aggsoft.com/) \ No newline at end of file +* [AGGSoftware](https://www.aggsoft.com/) +* [HHD USB/Serial Port Monitoing Software](https://www.hhdsoftware.com/) +* [Serial Port Monitoring tool](https://www.com-port-monitoring.com/) diff --git a/docs/sim_cards.md b/docs/sim_cards.md index 3de6e3bae..c3e5a66c0 100644 --- a/docs/sim_cards.md +++ b/docs/sim_cards.md @@ -117,7 +117,6 @@ In general, some of this data can help an investigator determine: There are many software solutions that can help the examiner to acquire the information from the SIM card. Several products include: -* [3GForensics SIMIS](http://www.3gforensics.co.uk/) * Inside Out's [SIMCon](https://www.simcon.no/) * SIM Content Controller * Paraben Forensics' [SIM Card Seizure](https://paraben-sticks.com/index.php/product/sim-card-seizure/) diff --git a/docs/slack.md b/docs/slack.md index f5311cafa..b940736a8 100644 --- a/docs/slack.md +++ b/docs/slack.md @@ -1,6 +1,5 @@ --- tags: - - Anti-Forensics - Articles that need to be expanded --- ## Definition @@ -29,7 +28,3 @@ hibernation file. ## See Also * [FAT#File_Slack](fat.md#file-slack) - -## External Links - -* diff --git a/docs/testing_and_validation.md b/docs/testing_and_validation.md index 266aef71a..90ce93020 100644 --- a/docs/testing_and_validation.md +++ b/docs/testing_and_validation.md 
@@ -6,7 +6,6 @@ Testing and validation are 2 important elements for forensics. ## External Links -* [Forensics Basics: Weighing the Evidence \> Reliability](http://www.forensicbasics.org/?page_id=501#.X3bvX3UzauU) * [Computer Forensics Tool Testing Program (CFTT)](https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt), by NIST * [Working Group on Digital Evidence (SWGDE)](https://www.swgde.org/home) diff --git a/docs/timeline_analysis.md b/docs/timeline_analysis.md index 831a25e0a..fbc1e8d3d 100644 --- a/docs/timeline_analysis.md +++ b/docs/timeline_analysis.md @@ -28,7 +28,7 @@ tags: by R. Carbone, C. Bean, August 2012 * [Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images](https://apps.dtic.mil/dtic/tr/fulltext/u2/1003976.pdf), October 2011 -* [Computer forensic timeline visualization tool](http://www.dfrws.org/2009/proceedings/p78-olsson.pdf), +* [Computer forensic timeline visualization tool](https://dfrws.org/presentation/computer-forensic-timeline-visualization-tool/), by J. Olsson, M. Boldt, ScienceDirect Digital Investigation, Volume 6, September 2009 * [Analysis of Time Information for Digital Investigation](https://ieeexplore.ieee.org/document/5331448), 
@@ -54,12 +54,12 @@ tags: by S. Willassen, E-Forensics 2008, Adelaide, Australia, January 2008 * [An Improved Clock Model for Translating Timestamps](http://www.infosec.jmu.edu/reports/jmu-infosec-tr-2007-001.pdf), by F. Buchholz, JMU-INFOSEC-TR-2007-001, James Madison University -* [A brief study of time](http://www.dfrws.org/2007/proceedings/p31-buchholz.pdf), +* [A brief study of time](https://dfrws.org/sites/default/files/session-files/2007_USA_paper-a_brief_study_of_time.pdf), by F. Buchholz, B. Tjaden, Digital Investigation 2007:4S * [The Rules of Time on NTFS File System](https://i.cs.hku.hk/~cisc/forensics/papers/RuleOfTime.pdf), by K. Chow, F. Law, M. Kwan, P. Lai, 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, Washington, April 2007 -* [A correlation method for establishing provenance of timestamps in digital evidence](http://www.dfrws.org/2006/proceedings/13-%20Schatz.pdf), +* [A correlation method for establishing provenance of timestamps in digital evidence](https://dfrws.org/presentation/a-correlation-method-for-establishing-provenance-of-timestamps-in-digital-evidence/), by B. Schatz, G. Mohay, A. Clark, Digital Investigation 2006:3S * [Formalizing Event Time Bouding in Digital Investigation](https://www.utica.edu/academic/institutes/ecii/publications/articles/B4A90270-B5A9-6380-68863F61C2F7603D.pdf), by P. Gladyshev, A. Patel, International Journal of Digital Evidence, vol diff --git a/docs/training_courses_and_providers.md b/docs/training_courses_and_providers.md index 40a843104..7483d54d4 100644 --- a/docs/training_courses_and_providers.md +++ b/docs/training_courses_and_providers.md 
@@ -4,8 +4,7 @@ tags: --- This is the list of Training Providers, who offer training courses of interest to practitioners and researchers in the field of Digital -Forensics. Conferences which may include training are located on the -[upcoming events](upcoming_events.md) page. +Forensics. **PLEASE READ BEFORE YOU EDIT THE LIST BELOW** Some training providers offer on-going training courses that are diff --git a/docs/upcoming_events.md b/docs/upcoming_events.md deleted file mode 100644 index 346a4d6e8..000000000 --- a/docs/upcoming_events.md +++ /dev/null @@ -1,182 +0,0 @@ ---- -tags: - - Research ---- -PLEASE READ BEFORE YOU EDIT THE LISTS BELOW -When events begin the same day, events of a longer length should be -listed first. New postings of events with the same date(s) as other -events should be added after events already in the list. Please use -three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use -two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than -listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, -05). -Some events may be limited to Law Enforcement Only or -to a specific audience. Such restrictions should be noted when -known. - -This is a BY DATE listing of upcoming events relevant to [digital -forensics](digital_forensics.md). It is not an all inclusive -list, but includes most well-known activities. Some events may duplicate -events on the generic [conferences](conferences.md) page, but -entries in this list have specific dates and locations for the upcoming -event. - -This listing is divided into three sections (described as follows): - -1. [Calls For - Papers](upcoming_events.md#calls-for-papers) - Calls - for papers for either Journals or for Conferences, relevant to - Digital Forensics (Name, Closing Date, URL) - - - -
  • - -[Conferences](upcoming_events.md#conferences) - -Conferences relevant for Digital Forensics (Name, Date, Location, URL) - -
  • - - - -
  • - -[Training Courses and -Providers](training_courses_and_providers.md) - Training - -
  • - - - - - -## Calls For Papers - -Please help us keep this up-to-date with deadlines for upcoming -conferences that would be appropriate for forensic research. - -| width="30%\|Title | Due Date | Notification Date | Website | -|---------------------------------------------------------------------|-------------------------|-------------------|-------------------------------------------------------------------------------------------------| -| IFIP WG 11.9 International Conference on Digital Forensics | Oct 14, 2016 (extended) | Nov 11, 2016 | | -| 2017 International Conference on Audio Forensics | Feb 01, 2017 | Mar 07, 2017 | | -| | | | | -| 2017 IEEE Workshop on Information Forensics and Security | Jun 19, 2017 | Sep 18, 2017 | | - -See also [WikiCFP -'Forensics'](http://www.wikicfp.com/cfp/servlet/tool.search?q=forensics) - -## Conferences - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Title

    Date/Location

    Website

    IFIP WG 11.9 International Conference on Digital -Forensics

    Jan 30-Feb 01
    -Orlando, FL

    http://www.ifip119.org/Conferences/

    69th American Academy of Forensic Science Annual Scientific -Meeting

    Feb 13–18
    -New Orleans, LA

    http://www.aafs.org/meetings/aafs-69th-annual-scientific-meeting-new-orleans-louisiana-2017/

    Network and Distributed System Security Symposium 2017

    Feb 26-Mar 01
    -San Diego, CA

    https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017

    DFRWS-EU 2017

    Mar 21-23
    -Lake Constance, Germany

    https://www.dfrws.org/conferences/dfrws-eu-2017

    Computer Technology Investigators Network (CTIN) 2017 Digital -Forensics Conference

    Apr 14-16
    -Redmond, WA

    https://ctin.org/2017-ctin-conference/

    Techno Security and Forensics Investigations Conference (and -Mobile Forensics World)

    Jun 04-07
    -Myrtle Beach, SC

    http://www.technosecurity.us/

    29th Annual FIRST Conference

    Jun 11-16
    -San Juan, Puerto Rico

    http://www.first.org/conference/2017

    2017 Audio Engineering Society (AES) International Conference on -Audio Forensics

    Jun 15-17
    -Arlington, VA

    http://www.aes.org/conferences/2017/forensics/

    DFRWS-USA 2017

    Aug 06-09
    -Austin, TX

    https://www.dfrws.org/

    Usenix Security Symposium 2017

    Aug 16-18
    -Vancouver, British Columbia, Canada

    https://www.usenix.org/conferences

    2017 IEEE Workshop on Information Forensics and Security

    Dec 4-7
    -Rennes, France

    http://www.wifs2017.org/

    - -## See Also - -* [Training Courses and Providers](training_courses_and_providers.md) - -## References - -* [Computer Security Conference Ranking and Statistic](https://people.engr.tamu.edu/guofei/sec_conf_stat.htm) -* [Meetings and Conferences in Data Mining and Discovery](https://www.kdnuggets.com/meetings/index.html) -* [Data Mining Conferences World-Wide](https://conferencealerts.com/topic-listing?topic=Data%20Mining) diff --git a/docs/windows_memory_analysis.md b/docs/windows_memory_analysis.md index af958ca1a..b5b237227 100644 --- a/docs/windows_memory_analysis.md +++ b/docs/windows_memory_analysis.md @@ -17,24 +17,13 @@ Data types typical to the WINAPI are documented by Microsoft in MS-DTYP Getting started with memory analysis can be difficult without some known images to practice with. -* The 2005 [Digital Forensic Research Workshop](digital_forensic_research_workshop.md) - [Memory Analysis Challenge](http://www.dfrws.org/2005/challenge/) published - two Windows 2000 Service Pack 1 memory images with some [malware](malware.md) +* The 2005 [DFRWS: Memory Analysis Challenge](https://github.com/dfrws/dfrws2005-challenge) + published two Windows 2000 Service Pack 1 memory images with some malware installed. - - - * The [Digital Forensics Tool Testing](https://dftt.sourceforge.net/) - project has published a few [Windows memory - images](https://dftt.sourceforge.net/test13/index.html). - - - + project has published a few [Windows memory images](https://dftt.sourceforge.net/test13/index.html). * The CFReDS Project has created some [downloadable memory images](https://cfreds.nist.gov/mem/memory-images.rar). - - - * A number of RAM images can be downloaded from . Images include ones with Gmail emails, Skype activity, Paltalk chats, browser URLs 
@@ -103,23 +92,22 @@ and re-released as Volatility in August Usenix Security 2008 (Best student paper) * [Pushing the Limits of Windows: Physical Memory](https://learn.microsoft.com/en-us/archive/blogs/markrussinovich/), by Mark Russinovich, Technet Blogs, July 21, 2008 -* [The impact of Microsoft Windows pool allocation strategies on memory forensics](http://www.dfrws.org/2008/proceedings/p58-schuster.pdf), +* [The impact of Microsoft Windows pool allocation strategies on memory forensics](https://dfrws.org/presentation/the-impact-of-microsoft-windows-pool-allocation-strategies-on-memory-forensics/), by Andreas Schuster, DFRWS 2008 - [slides](http://www.dfrws.org/2008/proceedings/p58-schuster_pres.pdf) * [Finding Digital Evidence In Physical Memory](https://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Burdach/bh-fed-06-burdach-up.pdf), by Mariusz Burdach, Black Hat Federal, 2008 -* [Forensic Memory Analysis: Files mapped in memory](http://www.dfrws.org/2008/proceedings/p52-vanBaar.pdf), - by Ruud van Baar, DFRWS 2008, [slides](http://www.dfrws.org/2008/proceedings/p52-vanBaar_pres.pdf) -* [Forensic Analysis of the Windows Registry in Memory](http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf), - by Brendan Dolan-Gavitt, DFRWS 2008, [slides](http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf) +* [Forensic Memory Analysis: Files mapped in memory](https://dfrws.org/presentation/forensic-memory-analysis-files-mapped-in-memory/), + by Ruud van Baar, DFRWS 2008 +* [Forensic Analysis of the Windows Registry in Memory](https://dfrws.org/presentation/forensic-analysis-of-the-windows-registry-in-memory/), + by Brendan Dolan-Gavitt, DFRWS 2008 2007 * [Beyond The CPU: Defeating Hardware Based RAM Acquisition (part I: AMD case)](https://www.first.org/conference/2007/papers/rutkowska-joanna-slides.pdf), by Joanna Rutkowska COSEINC Advanced Malware Labs -* [Forensic Memory Analysis: From Stack and Code to Execution 
History](http://www.dfrws.org/2007/proceedings/p114-arasteh.pdf), +* [Forensic Memory Analysis: From Stack and Code to Execution History](https://www.sciencedirect.com/science/article/pii/S1742287607000485), by Ali Reza Arasteh and Mourad Debbabi, DFRWS 2007 -* [BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software](http://www.dfrws.org/2007/proceedings/p126-schatz.pdf), +* [BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software](https://www.sciencedirect.com/science/article/pii/S1742287607000497), by Bradley Schatz, DFRWS 2007 * [The VAD Tree: A Process-Eye View of Physical Memory](https://dfrws.org/sites/default/files/session-files/2007_USA_paper-the_vad_tree_-_a_process-eye_view_of_physical_memory.pdf), by Brendan F Dolan-Gavitt, DFRWS 2007 @@ -128,9 +116,9 @@ and re-released as Volatility in August 2006 -* [Searching for Processes and Threads in Microsoft Windows Memory Dumps](http://www.dfrws.org/2006/proceedings/2-Schuster.pdf), +* [Searching for Processes and Threads in Microsoft Windows Memory Dumps](https://dfrws.org/sites/default/files/session-files/2006_USA_pres-searching_for_processes_and_threads_in_microsoft_windows_memory_dumps.pdf), by Andreas Schuster, Deutsche Telekom AG, Germany, DFRWS 2006 -* Using every part of the buffalo in Windows memory, +* [Using every part of the buffalo in Windows memory](https://www.sciencedirect.com/science/article/abs/pii/S1742287607000047), by Jesse D. Kornblum, DFRWS 2006 ## External Links diff --git a/docs/windows_xml_event_log_(evtx).md b/docs/windows_xml_event_log_(evtx).md index c85f0556a..aa2eb59b5 100644 --- a/docs/windows_xml_event_log_(evtx).md +++ b/docs/windows_xml_event_log_(evtx).md 
@@ -47,7 +47,7 @@ Where LCID is the "locale identifier" by [Microsoft](microsoft.md) * [Simple BinXml Example](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even6/7cdd0c95-2181-4794-a094-55c78b389358), by [Microsoft](microsoft.md) -* [Introducing the Microsoft Vista Event Log File Format](http://www.dfrws.org/2007/proceedings/p65-schuster_pres.pdf), +* [Introducing the Microsoft Vista Event Log File Format](https://www.sciencedirect.com/science/article/pii/S1742287607000424), by Andreas Schuster, in 2007 * [Windows XML Event Log (EVTX) format](https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc), by the [libevtx project](libevtx.md)
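Review bot: For the docs/upcoming_events.md deletion, dropping the whole page also removes the Conferences table, not just the stale 2016/2017 CFP table; venues in it that still run (DFRWS EU/USA, NDSS, USENIX Security, FIRST, AAFS, IEEE WIFS) could be carried over to conferences.md with current URLs before the page goes. The file list shows conferences.md and training_courses_and_providers.md touched (presumably to remove the back-links seen in the deleted page's `See Also`); confirm no other doc still links to `upcoming_events.md`, since the deleted page itself is the only place the link target is checked here.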
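Review bot: In the docs/windows_memory_analysis.md hunk `@@ -17,24 +17,13 @@`, the unchanged context line `* A number of RAM images can be downloaded from . Images include ones with Gmail emails, ...` still carries an empty link target ("from ."), which is exactly the kind of dead reference this commit is removing; either restore the source or drop that bullet. The rewritten DFRWS 2005 bullet also drops the internal wiki links `[Digital Forensic Research Workshop](digital_forensic_research_workshop.md)` and `[malware](malware.md)`; those are local pages rather than dead external references, so consider keeping at least `with some [malware](malware.md)`.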
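Review bot: In the hunk `@@ -103,23 +92,22 @@`, the Arasteh/Debbabi and Schatz DFRWS 2007 entries now point at ScienceDirect article pages (`S1742287607000485`, `S1742287607000497`), i.e. the journal versions, which may sit behind a paywall, whereas the removed dfrws.org proceedings PDFs were open; check whether dfrws.org still archives them under `/sites/default/files/session-files/`, as the unchanged VAD Tree entry in the same hunk does, and prefer that. The three DFRWS 2008 entries also lose their separate `[slides](...)` links without comment; if the new dfrws.org presentation pages carry the slides that is fine, otherwise the slide references are silently lost.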
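Review bot: In the hunk `@@ -128,9 +116,9 @@`, the new target for "Searching for Processes and Threads in Microsoft Windows Memory Dumps" is the `2006_USA_pres-...` file, i.e. the presentation slides, while the removed `2-Schuster.pdf` was the paper; either link the paper or mark the entry as slides so the title matches what the reader gets. The Kornblum entry now links a ScienceDirect `abs/pii/` page, which is the abstract rather than the full text, so the same caveat applies.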
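Review bot: In the docs/windows_xml_event_log_(evtx).md hunk, the removed link was the DFRWS 2007 presentation (`p65-schuster_pres.pdf`) and the new one is the journal article on ScienceDirect, so the entry text `by Andreas Schuster, in 2007` could now name the venue (DFRWS 2007) to match the style of the same author's entries on windows_memory_analysis.md.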