From a03d6ab09519616d30535ee5ff8baca791417748 Mon Sep 17 00:00:00 2001 From: Joachim Metz Date: Mon, 4 Dec 2023 19:12:26 +0100 Subject: [PATCH] Removed dead references (#199) --- docs/aff4.md | 55 +++++++++------------- docs/bitcurator.md | 21 +++------ docs/bitlocker_disk_encryption.md | 55 ++++++++++------------ docs/cryptocloud.md | 19 -------- docs/data_mining.md | 21 ++++----- docs/document_metadata_extraction.md | 2 +- docs/fat.md | 1 - docs/file_carving_smartcarving.md | 8 ++-- docs/forensic_corpora.md | 1 - docs/forensic_live_cd_issues.md | 28 +++++------ docs/full_disk_encryption.md | 7 +-- docs/hiberfil.sys.md | 7 +-- docs/incident_response.md | 10 ++-- docs/internships.md | 6 +-- docs/java.md | 1 - docs/jump_lists.md | 17 +++---- docs/libdnet.md | 4 +- docs/linux_logical_volume_manager_(lvm).md | 2 - docs/logfile_analysis.md | 14 +++--- docs/memory_imaging.md | 16 +++---- docs/mounting_disk_images.md | 4 -- docs/netfse.md | 13 +++-- docs/network_forensics.md | 16 ++----- docs/pdf.md | 51 +++++--------------- docs/sanitization_standards.md | 2 +- docs/sim_card_forensics.md | 1 - docs/spada.md | 21 +++------ docs/unlock_codes.md | 8 ---- docs/virtual_hard_disk_(vhd).md | 42 ++++++++--------- docs/windows_8.md | 37 +++++++-------- 30 files changed, 186 insertions(+), 304 deletions(-) delete mode 100644 docs/cryptocloud.md delete mode 100644 docs/unlock_codes.md diff --git a/docs/aff4.md b/docs/aff4.md index 8405ec79d..2f01ce2e8 100644 --- a/docs/aff4.md +++ b/docs/aff4.md @@ -1,8 +1,8 @@ --- tags: - - Articles that need to be expanded - - Disk Image - - File Formats + - Articles that need to be expanded + - Disk Image + - File Formats --- # Advanced Forensic Framework 4 (AFF4) 
@@ -16,27 +16,18 @@ description of how to use the sample implementation, library and tools. Traditional forensic file formats have a number of limitations which have been exposed over the years: -- Proprietary formats like EWF are difficult to implement and explain. +* Proprietary formats like EWF are difficult to implement and explain. EWF is a fairly complex file format. Most of the details are reverse engineered. Recovery from damaged EWF files is difficult as detailed knowledge of the file format is required. - - - -- Simple file formats like dd are very large since they are +* Simple file formats like dd are very large since they are uncompressed. They also dont store metadata, signatures or have cryptographic support. - - - -- Traditional file formats are designed to store a single stream. Often +* Traditional file formats are designed to store a single stream. Often in an investigation, however, multiple source of data need to be acquired (sometimes simultaneously) and stored in the same evidence volumes. - - - -- Traditional file formats just deal with data - there is no attempt to +* Traditional file formats just deal with data - there is no attempt to build a universal evidence management system integrated within the file specification. 
@@ -78,17 +69,17 @@ object of the form: For example: -` ` -`  ******** Object urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2 ***********` -`    aff4:stored = urn:aff4:4bdbf8bc-d8a5-40cb-9af0-fd7e4d0e2c9e` -`    aff4:type = image` -`    aff4:interface = stream` -`    aff4:timestamp = 0x49E9DEC3` -`    aff4:chunk_size = 32k` -`    aff4:compression = 8` -`    aff4:chunks_in_segment = 2048` -`    aff4:size = 10485760` -`  ` +``` +  ******** Object urn:aff4:f3eba626-505a-4730-8216-1987853bc4d2 *********** +    aff4:stored = urn:aff4:4bdbf8bc-d8a5-40cb-9af0-fd7e4d0e2c9e +    aff4:type = image +    aff4:interface = stream +    aff4:timestamp = 0x49E9DEC3 +    aff4:chunk_size = 32k +    aff4:compression = 8 +    aff4:chunks_in_segment = 2048 +    aff4:size = 10485760 +``` This shows that the object named (the Subject) has all these attributes and their values. We call these *relations* or *facts*. The entire AFF4 @@ -124,7 +115,7 @@ regular directory on the filesystem. This is really useful if we want to image to a FAT filesystem since each segment is really small and we will not exceed the file size limitations. Its also possible to root the directory on a http url (i.e. the directory starts with -). This allows us to use the image directly from +`http://somehost/url/`). This allows us to use the image directly from the web - no need to download the whole thing. Directory objects use FileLikeObjects (see below) to actually store the @@ -142,8 +133,8 @@ ZipFile volume uses a FileLikeObject to actually store the zip file. This means that its possible to write a ZipFile volume directly onto a HTTP server and use the image directly from the server as well. -Example: is an example of a -small (about 1mb) AFF4 image. +Example: `http://www.pyflag.net/images/test.zip` is an example of a +small (about 1 MB) AFF4 image. Directory and ZipFile volumes can be easily converted from one to the other (i.e. unzip the ZipFile into a directory to create a Directory 
@@ -166,7 +157,7 @@ some of the specific implementations of streams. The FileBacked object is a stream which stores data in an actual file on the filesystem. The location of the file is determined from the file's URN. Since a URN is a superset of URLs, URLs are also valid URNs. This -means that something like is a valid +means that something like `file:///somedirectory/filename` is a valid location for a FileBackedObject. ### HTTPObject @@ -320,4 +311,4 @@ We do this by setting attributes on the map objects: ### Tools -- +* diff --git a/docs/bitcurator.md b/docs/bitcurator.md index 02a2af311..468f9c53b 100644 --- a/docs/bitcurator.md +++ b/docs/bitcurator.md @@ -1,20 +1,13 @@ --- tags: - - Disk Imaging - - Tools - - Open Source Software - - Live CD - - Deprecated + - Tools --- -BitCurator is a suite of open source digital forensics and data analysis -tools to help collecting institutions (libraries, archives, and museums) -process born-digital materials. BitCurator supports positive digital -preservation outcomes using software (see our Software page) and -practices adopted from the digital forensics community. -[1](http://wiki.bitcurator.net/index.php?title=Main_Page) + +BitCurator is a Ubuntu-based Linux distribution designed to assist collections +professionals with media imaging, forensic analysis, and reporting tasks when +working with digital collections. ## External Links -- [Project site](http://www.bitcurator.net/bitcurator/) -- [Wiki](http://wiki.bitcurator.net/index.php?title=Main_Page) -- [Source](https://github.com/BitCurator/bitcurator-distro-main) \ No newline at end of file +* [Official website](https://bitcurator.github.io) +* [GitHub organization](https://github.com/BitCurator/) diff --git a/docs/bitlocker_disk_encryption.md b/docs/bitlocker_disk_encryption.md index 6bd45439d..f2677cd43 100644 --- a/docs/bitlocker_disk_encryption.md +++ b/docs/bitlocker_disk_encryption.md 
@@ -1,9 +1,7 @@ --- tags: - - Encryption - - Disk Encryption - - Windows - - Anti-Forensics + - Disk Encryption + - Windows --- **BitLocker Disk Encryption** (BDE) is [Full Volume Encryption](full_volume_encryption.md) solution by @@ -27,12 +25,12 @@ also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are: -- TPM (Trusted Platform Module) -- Smart card -- recovery password -- start-up key -- clear key; this key-protector provides no protection -- user password +* TPM (Trusted Platform Module) +* Smart card +* recovery password +* start-up key +* clear key; this key-protector provides no protection +* user password BitLocker has support for partial encrypted volumes. @@ -63,8 +61,8 @@ A hexdump of the start of the volume should look similar to: These volumes can also be identified by a GUID: -- for BitLocker: 4967d63b-2e29-4ad8-8399-f6a339e3d00 -- for BitLocker ToGo: 4967d63b-2e29-4ad8-8399-f6a339e3d01 +* for BitLocker: 4967d63b-2e29-4ad8-8399-f6a339e3d00 +* for BitLocker ToGo: 4967d63b-2e29-4ad8-8399-f6a339e3d01 Which in a hexdump of the start of the volume should look similar to: 
@@ -102,31 +100,30 @@ opened on Windows 10 systems and later. ## See Also -- [BitLocker: How to image](bitlocker_how_to_image.md) +* [BitLocker: How to image](bitlocker_how_to_image.md) ## External Links -- [Wikipedia entry on BitLocker](https://en.wikipedia.org/wiki/BitLocker_Drive_Encryption) -- Accessing Bitlocker volumes from Linux, +* [Wikipedia entry on BitLocker](https://en.wikipedia.org/wiki/BitLocker_Drive_Encryption) +* Accessing Bitlocker volumes from Linux, by Nitin Kumar and Vipin Kumar, 2008 -- [Implementing BitLocker for Forensic Analysis](https://www.sciencedirect.com/science/article/abs/pii/S1742287609000024), +* [Implementing BitLocker for Forensic Analysis](https://www.sciencedirect.com/science/article/abs/pii/S1742287609000024), *Digital Investigation*, by Jesse D. Kornblum, 2009 -- [BitLocker Drive Encryption (BDE) format specification](https://github.com/libyal/libbde/blob/main/documentation/BitLocker%20Drive%20Encryption%20(BDE)%20format.asciidoc), +* [BitLocker Drive Encryption (BDE) format specification](https://github.com/libyal/libbde/blob/main/documentation/BitLocker%20Drive%20Encryption%20(BDE)%20format.asciidoc), by the [libbde project](libbde.md), March 2011 -- [Microsoft's Step by Step Guide](http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true) -- [Microsoft Technical Overview](https://learn.microsoft.com/en-us/) -- [An Introduction to Security in Windows 7](https://learn.microsoft.com/en-us/previous-versions/technet-magazine/dd630640(v=msdn.10)) -- [Microsoft Description of the Encryption Algorithm](https://www.microsoft.com/en-us/download/details.aspx?id=13866) -- [What's New in BitLocker](https://learn.microsoft.com/en-us/previous-versions/orphan-topics/ws.11/hh831412(v=ws.11)) +* [Microsoft Technical Overview](https://learn.microsoft.com/en-us/) +* [An Introduction to Security in Windows 
7](https://learn.microsoft.com/en-us/previous-versions/technet-magazine/dd630640(v=msdn.10)) +* [Microsoft Description of the Encryption Algorithm](https://www.microsoft.com/en-us/download/details.aspx?id=13866) +* [What's New in BitLocker](https://learn.microsoft.com/en-us/previous-versions/orphan-topics/ws.11/hh831412(v=ws.11)) in Windows 8 -- [Windows 10 Version 1511 gets new XTS-AES BitLocker encryption algorithm](https://www.onmsft.com/news/windows-10-version-1511-gets-new-xts-aes-bitlocker-encryption-algorithm/) -- [What's new in BitLocker](https://learn.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1507-and-1511) +* [Windows 10 Version 1511 gets new XTS-AES BitLocker encryption algorithm](https://www.onmsft.com/news/windows-10-version-1511-gets-new-xts-aes-bitlocker-encryption-algorithm/) +* [What's new in BitLocker](https://learn.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1507-and-1511) Windows 10 ## Tools -- [dislocker](https://www.hsc.fr/securite-internet/) -- [libbde](libbde.md) -- [M3 Bitlocker Loader for Mac](https://www.m3datarecovery.com/mac-bitlocker/) -- [M3 Bitlocker Recovery](https://www.m3datarecovery.com/bitlocker-recovery/bitlocker-data-recovery.html) -- [Manage-bde.exe](http://technet.microsoft.com/en-us/library/dd875513(v=ws.10>).aspx) +* [dislocker](https://www.hsc.fr/securite-internet/) +* [libbde](libbde.md) +* [M3 Bitlocker Loader for Mac](https://www.m3datarecovery.com/mac-bitlocker/) +* [M3 Bitlocker Recovery](https://www.m3datarecovery.com/bitlocker-recovery/bitlocker-data-recovery.html) +* [Manage-bde.exe](http://technet.microsoft.com/en-us/library/dd875513(v=ws.10>).aspx) diff --git a/docs/cryptocloud.md b/docs/cryptocloud.md deleted file mode 100644 index 15bc0e4de..000000000 --- a/docs/cryptocloud.md +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -tags: - - Encryption - - Network Encryption - - Organization ---- -**Cryptocloud VPN** is a commercial, consumer-oriented -[VPN](vpn.md) service provided by -[Cryptocloud](cryptocloud.md). It uses a modified implementation -of the OpenVPN toolset to provide TCP-and UDP-based VPN connectivity to -customers worldwide. Cryptocloud has publicly stated that it does not -keep user-detail logfiles of its customers' usage of its network -[1](http://ww25.cryptocloud.com/privacypolicy.php?subid1=20230112-2011-50f7-855b-31255d59b9de). - -## External Links - -- [Official website](https://cryptocloud.net/) -- [Affiliated discussion forum used by - Cryptocloud](http://www.cultureghost.org) \ No newline at end of file diff --git a/docs/data_mining.md b/docs/data_mining.md index 6d7d35be6..02a708b80 100644 --- a/docs/data_mining.md +++ b/docs/data_mining.md 
@@ -1,23 +1,20 @@ --- tags: - - Tools - - Articles that need to be expanded + - Articles that need to be expanded + - Tools --- Right now this is just a list of resources that will be useful for people doing forensic data mining and machine learning. ## Open Source Software -- [Weka](https://www.cs.waikato.ac.nz/ml/weka/) data mining toolkit - +* [Weka](https://www.cs.waikato.ac.nz/ml/weka/) data mining toolkit - java, has programmatic and GUI interface. -- Ping He has created an [Open Source C4.5 implementation in - C](https://code.google.com/archive/p/fc45) -- [Machine Learning Open Source Software](http://mloss.org) - a page +* Ping He has created an [Open Source C4.5 implementation in C](https://code.google.com/archive/p/fc45) +* [Machine Learning Open Source Software](https://mloss.org) - a page hosting many open source machine learning tools and libraries. -- [Apache Mahout](https://mahout.apache.org//): goal is to "build +* [Apache Mahout](https://mahout.apache.org//): goal is to "build scalable, Apache licensed machine learning libraries" (java). also - includes a focus on using [hadoop](http://hadoop.apache.org/core/). -- The [Journal of Machine Learning](https://jmlr.csail.mit.edu/) - maintains an [archive of non-trivial machine learning algorithms, - toolboxes, and languages](https://jmlr.csail.mit.edu/mloss/). - + includes a focus on using [hadoop](http://hadoop.apache.org/). +* The [Journal of Machine Learning](https://jmlr.csail.mit.edu/) + maintains an [archive of non-trivial machine learning algorithms, toolboxes, and languages](https://jmlr.csail.mit.edu/mloss/). diff --git a/docs/document_metadata_extraction.md b/docs/document_metadata_extraction.md index c6c37a30b..cba5e64ac 100644 --- a/docs/document_metadata_extraction.md +++ b/docs/document_metadata_extraction.md 
@@ -16,7 +16,7 @@ documents. Besides, can extract plain texts (combining all texts from all XLS/XLSX/ODS pages and PPT/PPTX/ODP slides) and embedded objects. The tool can visualize pictures embedded in a document. -[catdoc](http://www.45.free.net/~vitus/software/catdoc/) +[catdoc](https://github.com/petewarden/catdoc) [laola](http://user.cs.tu-berlin.de/~schwartz/pmh/index.html) diff --git a/docs/fat.md b/docs/fat.md index 6151708f4..464fdc5c9 100644 --- a/docs/fat.md +++ b/docs/fat.md @@ -658,7 +658,6 @@ object. * * * -* * * diff --git a/docs/file_carving_smartcarving.md b/docs/file_carving_smartcarving.md index 5f5234bba..2f4f2a1ec 100644 --- a/docs/file_carving_smartcarving.md +++ b/docs/file_carving_smartcarving.md @@ -8,7 +8,7 @@ fragmented files first proposed by A. Pal, T. Sencar and N. Memon in DFRWS 2008. The term **smart carving** was already proposed in 2006 in -[Analysis of 2006 DFRWS forensic carving challenge - A smart carving approach](http://sandbox.dfrws.org/2006/mora/dfrws2006.pdf). +[Analysis of 2006 DFRWS forensic carving challenge - A smart carving approach](https://github.com/libyal/documentation/blob/main/dfrws2006_carving_challenge.pdf). SmartCarving utilizes a combination of structure based validation along with validation of each file's unique content. Results for the @@ -40,12 +40,12 @@ be done in parallel for many files. There are currently two commercial applications available that utilize SmartCarving, both produced by Digital Assembly: -- [Adroit Photo Forensics](adroit_photo_forensics.md) -- Adroit Photo Recovery +* [Adroit Photo Forensics](adroit_photo_forensics.md) +* Adroit Photo Recovery Further there is one open-source solution under development: -- [Multimedia File Carver](https://github.com/rpoisel/mmc) - +* [Multimedia File Carver](https://github.com/rpoisel/mmc) - Implementation that focuses on the recovery of fragmented movies and images (JPEG) 
diff --git a/docs/forensic_corpora.md b/docs/forensic_corpora.md index 14c79c611..7eb1b7508 100644 --- a/docs/forensic_corpora.md +++ b/docs/forensic_corpora.md @@ -132,7 +132,6 @@ The Storage Networking Industry Association has a set of network file system traces that can be downloaded from: - -- ## Other diff --git a/docs/forensic_live_cd_issues.md b/docs/forensic_live_cd_issues.md index b11f4c1e7..f64a8a96f 100644 --- a/docs/forensic_live_cd_issues.md +++ b/docs/forensic_live_cd_issues.md 
@@ -152,18 +152,16 @@ searching for available block devices (*/dev/?d?* instead of ### Incorrect write blocking approach -Some forensic Linux Live CD distributions rely on -hdparm and blockdev programs -to mount file systems in read-only mode (by setting the underlying block -device to read-only mode). Unfortunately, setting a block device to -read-only mode does not guarantee that [no write commands will be passed -to the drive](http://oss.sgi.com/archives/xfs/2009-07/msg00213.html). -There were several other bugs related to writing on a read-only block -device in the past (like [Ext3/4 orphan inodes -deletion](https://lkml.org/lkml/2007/2/6/1)). At present (Linux 3.14.2), -kernel code still disregards read-only mode set on block devices in many -places (it should be noted that setting a block device to read-only mode -will efficiently write-protect the drive from programs running in +Some forensic Linux Live CD distributions rely on hdparm and blockdev programs +to mount file systems in read-only mode (by setting the underlying block device +to read-only mode). Unfortunately, setting a block device to read-only mode does +not guarantee that no write commands will be passed to the drive. + +There were several other bugs related to writing on a read-only block device in +the past (like [Ext3/4 orphan inodes deletion](https://lkml.org/lkml/2007/2/6/1)). +At present (Linux 3.14.2), kernel code still disregards read-only mode set on +block devices in many places (it should be noted that setting a block device to +read-only mode will efficiently write-protect the drive from programs running in userspace, while kernel and its modules still can write anything to the block device, regardless of the read-only mode). 
@@ -189,6 +187,6 @@ almost the same, except it doesn't write block anything by default). ## External links -- [Linux for computer forensic investigators: problems of booting trusted operating system](http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators_2.pdf) -- [Linux for computer forensic investigators: «pitfalls» of mounting file systems](http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators.pdf) -- [Testing the forensic soundness of forensic examination environments on bootable media](http://www.dfrws.org/2014/proceedings/DFRWS2014-3.pdf) +* [Linux for computer forensic investigators: problems of booting trusted operating system](http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators_2.pdf) +* [Linux for computer forensic investigators: «pitfalls» of mounting file systems](http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators.pdf) +* [Testing the forensic soundness of forensic examination environments on bootable media](http://www.dfrws.org/2014/proceedings/DFRWS2014-3.pdf) diff --git a/docs/full_disk_encryption.md b/docs/full_disk_encryption.md index b7284e41c..880e4f971 100644 --- a/docs/full_disk_encryption.md +++ b/docs/full_disk_encryption.md @@ -1,8 +1,6 @@ --- tags: - - Anti-Forensics - Disk Encryption - - Encryption --- **Full Disk Encryption** or **Whole Disk Encryption** is a phrase that was coined by Seagate to describe their encrypting @@ -32,8 +30,7 @@ provides no software to utilize encrypted drive features (such as key management). There is a proprietary Windows-only API, but it is not available to the public. -- [FIPS - 140-2](https://www.seagate.com/de/de/) +- [FIPS 140-2](https://www.seagate.com/de/de/) (Federal Information Processing Standard 140-2 certification issued by NIST) 
@@ -218,7 +215,7 @@ Supports hidden volumes within TrueCrypt volumes (plausible deniability). -[VeraCrypt](http://veracrypt.codeplex.com/) +[VeraCrypt](https://www.veracrypt.fr/) Fork of [TrueCrypt](truecrypt.md) project. Support for for [Linux](linux.md), [Windows](windows.md), and [MacOS](mac_os_x.md). diff --git a/docs/hiberfil.sys.md b/docs/hiberfil.sys.md index b1ae8044b..d09ab8161 100644 --- a/docs/hiberfil.sys.md +++ b/docs/hiberfil.sys.md @@ -40,11 +40,8 @@ from the multiple levels of slack space within them. ## External Links -* [Windows hibernation file for fun & profit](http://msuiche.net/con/bhusa2008/Windows_hibernation_file_for_fun_%27n%27_profit-0.6.pdf), - by Matthieu Suiche -* [Microsoft Hibernation Files](https://code.google.com/archive/p/volatility/wikis/HiberAddressSpace.wiki), by - [the Volatility project](volatility_framework.md) -* [Hibernation Recon](https://arsenalrecon.com/apps/hibernation-recon/) +* [Microsoft Hibernation Files](https://code.google.com/archive/p/volatility/wikis/HiberAddressSpace.wiki), + by [the Volatility project](volatility_framework.md) * [Parsing hibernation slack space](https://diablohorn.com/2014/12/10/parsing-the-hiberfil-sys-searching-for-slack-space/) ### LZ XPRESS diff --git a/docs/incident_response.md b/docs/incident_response.md index 3e196c0a4..8641a29dd 100644 --- a/docs/incident_response.md +++ b/docs/incident_response.md @@ -79,7 +79,7 @@ victims can be easier if they stand out from the crowd. ### Product related -* [Palantir: A Framework for Collaborative Incident Response and Investigation](http://middleware.internet2.edu/idtrust/2009/papers/05-khurana-palantir.pdf), +* [Palantir: A Framework for Collaborative Incident Response and Investigation](https://www.researchgate.net/publication/221190732_Palantir_A_framework_for_collaborative_incident_response_and_investigation), Himanshu Khurana, Jim Basney, Mehedi Bakht, Mike Freemon, Von Welch, Randy Butler, April 2009 
@@ -103,8 +103,6 @@ victims can be easier if they stand out from the crowd. ## Books -There are several books available that discuss incident response. For -[Windows](windows.md), *[Windows Forensics and Incident -Recovery](https://www.windows-ir.com/)* by [Harlan -Carvey](harlan_carvey.md) is an excellent introduction to -possible scenarios and how to respond to them. +There are several books available that discuss incident response. For [Windows](windows.md), +*[Windows Forensics and Incident Recovery](https://www.windows-ir.com/)* by [Harlan Carvey](harlan_carvey.md) +is an introduction to possible scenarios and how to respond to them. diff --git a/docs/internships.md b/docs/internships.md index c21beea12..3f6b340f2 100644 --- a/docs/internships.md +++ b/docs/internships.md @@ -1,17 +1,15 @@ --- tags: - - No Category + - Articles that need to be expanded --- This page describes internship opportunities in the field of computer forensics. Please feel free to add your own. ## United States -- has a load of - internships although all are not stipend paying - Internet Crimes Against Children. ICAC has offices in almost every state. - Check with companies that do computer forensics. Examples include [ManTech](mantech.md), Kroll, and Pinkerton. - Explore the Scholarship for Service and Scholarship for Work programs - offered by the US Government. \ No newline at end of file + offered by the US Government. diff --git a/docs/java.md b/docs/java.md index d14e99730..0549903d6 100644 --- a/docs/java.md +++ b/docs/java.md 
@@ -183,7 +183,6 @@ other) information. - [Tracing and Logging](https://docs.oracle.com/javase/6/docs/technotes/guides/deployment/deployment-guide/tracing_logging.html), by Oracle -- [Java Forensics using TLN Timelines](http://sploited.blogspot.com/2012/08/java-forensics-using-tln-timelines.html) - [Almost Cooked UP Some Java](http://journeyintoir.blogspot.com/2011/02/almost-cooked-up-some-java.html) - [Finding Initial Infection Vector](http://journeyintoir.blogspot.com/2011/11/finding-initial-infection-vector.html) - [Java IDX Format Specification](https://github.com/woanware/javaidx/blob/master/Documents/Java.IDX.Format.pdf), diff --git a/docs/jump_lists.md b/docs/jump_lists.md index 56ea7627b..0b3627bc0 100644 --- a/docs/jump_lists.md +++ b/docs/jump_lists.md @@ -1,6 +1,6 @@ --- tags: - - Windows + - Windows --- **Jump Lists** are a feature found in Windows 7. @@ -27,9 +27,8 @@ Files: \*.automaticDestinations-ms #### Structure -The AutomaticDestinations Jump List files are [OLE Compound -Files](ole_compound_file.md) containing multiple streams of -which: +The AutomaticDestinations Jump List files are [OLE Compound Files](ole_compound_file.md) +containing multiple streams of which: * hexadecimal numbered, e.g. "1a" * DestList 
@@ -49,7 +48,7 @@ following information at the corresponding offsets: |--------|----------|-----------------------------------------------------------------------------------------------------------------| | 0x48 | 16 bytes | NetBIOS name of the system; padded with zeros to 16 bytes | | 0x58 | 8 bytes | Stream number; corresponds to the numbered stream within the jump list | -| 0x64 | 8 bytes | Last modification time, contains a [FILETIME](http://msdn2.microsoft.com/en-us/library/ms724284.aspx) structure | +| 0x64 | 8 bytes | Last modification time, contains a [FILETIME](https://learn.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-filetime) structure | | 0x70 | 2 bytes | Path string size, the number of characters (UTF-16 words) of the path string | | 0x72 | ... | Path string | | | | | @@ -111,8 +110,6 @@ binary format segments. * [Woanware: JumpLister](https://github.com/woanware). Tool to view the information within the numbered streams of each autodest file. * [plaso](plaso.md) -* [JumpList](https://github.com/EricZimmerman/JumpList). Parser written - in C# with support thru Windows 10 jump lists -* [JLECmd](https://github.com/EricZimmerman/JLECmd). Command line tool - using the above parser - +* [JLECmd](https://github.com/EricZimmerman/JLECmd). Command line tool using the + [JumpList](https://github.com/EricZimmerman/JumpList), a parser written in C# + with support thru Windows 10 jump lists. diff --git a/docs/libdnet.md b/docs/libdnet.md index d858b3803..c5c95f951 100644 --- a/docs/libdnet.md +++ b/docs/libdnet.md 
@@ -46,7 +46,7 @@ tags: - [dnet.rb](http://www.shmoo.com/~bmc/software/ruby/ruby-dnet/) - Ruby interface to libdnet - [libpcap](https://www.tcpdump.org/) - portable packet capture library -- [winpcap](http://winpcap.polito.it/) - libpcap for Windows +- [winpcap](https://www.winpcap.org/) - libpcap for Windows - [pypcap](https://github.com/dugsong/pypcap) - libpcap Python module - [dpkt](https://github.com/kbandla/dpkt) - fast, simple packet creation and parsing in Python @@ -63,4 +63,4 @@ tags: All information on this page can be found at [libdnet.sourceforge.net](https://libdnet.sourceforge.net/) and is -credited to Dug Song - dugsong+libdnet@monkey.org \ No newline at end of file +credited to Dug Song - dugsong+libdnet@monkey.org diff --git a/docs/linux_logical_volume_manager_(lvm).md b/docs/linux_logical_volume_manager_(lvm).md index b2c8fc9e3..2b44eeb96 100644 --- a/docs/linux_logical_volume_manager_(lvm).md +++ b/docs/linux_logical_volume_manager_(lvm).md @@ -108,8 +108,6 @@ To read-only loop-back mount an individual volume: by RedHat * [Unix/Linux Administration Logical Volume Management Guide](https://wpollock.com/AUnix1/LVM.htm), by Wayne Pollock, 2005 -* [LVM2 – data recovery](http://lvb.sti.fce.vutbr.cz/public/LinuxAlt_2009/2009_11_08_LA_04_LVM/2009_11_08_LA_04_LVM.pdf), - by Milan Brož, LinuxAlt 2009 * [Logical Volume Manager ‐ Software RAID](http://forensic-proof.com/wp-content/uploads/2010/03/FP_Logical_Volume_Manager.pdf), by Proneer, March 30, 2010 diff --git a/docs/logfile_analysis.md b/docs/logfile_analysis.md index 56eeacc58..16605562d 100644 --- a/docs/logfile_analysis.md +++ b/docs/logfile_analysis.md 
@@ -8,18 +8,18 @@ of the operating system, certain applications, etc. Log files come in various formats, in general these formats can be divided in the following categories: -- Binary formats -- Text-based formats -- in-database +* Binary formats +* Text-based formats +* in-database ## Binary formats -- [Windows Event Log (evt)](windows_event_log_(evt).md) -- [Windows XML Event Log (evtx)](windows_xml_event_log_(evtx).md) +* [Windows Event Log (evt)](windows_event_log_(evt).md) +* [Windows XML Event Log (evtx)](windows_xml_event_log_(evtx).md) ## Text-based formats -- [Apache HTTP Server access log format](http://httpd.apache.org/docs/1.3/logs.html#accesslog) +* [Apache HTTP Server access log format](https://httpd.apache.org/docs/2.4/logs.html#accesslog) ## Tools @@ -59,7 +59,7 @@ streaming, ftp or mail server statistics, graphically."* Java reporting tool. -[Open Web Analytics](http://wiki.openwebanalytics.com/index.php?title=Main_Page) +[Open Web Analytics](https://www.openwebanalytics.com/) *"An open source web analytics framework written in PHP."* diff --git a/docs/memory_imaging.md b/docs/memory_imaging.md index 39e23c35d..e2d9eabb0 100644 --- a/docs/memory_imaging.md +++ b/docs/memory_imaging.md @@ -52,18 +52,18 @@ physical address range to non-paged system space. ## Memory Imaging Techniques -Crash Dumps +### Crash Dumps When configured to create a full memory dump, [Windows](windows.md) operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. -LiveKd Dumps +### LiveKd Dumps The Sysinternals tool LiveKd can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f \[output file\]" -Hibernation Files +### Hibernation Files [Windows](windows.md) 98, 2000, XP, 2003, and Vista support a feature called hibernation that saves the machine's state to the disk when the computer is powered off. When the 
@@ -83,7 +83,7 @@ turns on [File Vault](file_vault.md) and enables Secure Virtual Memory. [1](http://pc-eye.blogspot.com/2008/08/live-memory-dump-on-mac-laptops.html). -Firewire +### Firewire It is possible for [Firewire](firewire.md) or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic @@ -103,10 +103,10 @@ This can be used to grab screen contents. This technique has been turned into a tool. -The [Goldfish](http://digitalfire.ucd.ie/?page_id=430) tool automates -this exploit for investigators needing to analyze the memory of a Mac. +The Goldfish tool automates this exploit for investigators needing to analyze +the memory of a Mac. -Cold and Warm reboots +### Cold and Warm reboots Typical RAM-modules retain memory during reboots as long as power is provided. The modules typically support a self-refresh. Whether the data is retained depend on BIOS-es that do or do not clear the RAM during @@ -126,7 +126,7 @@ without power. Opinions on how practical cold boot is are discussed in "[On the Practicability of Cold Boot Attacks](https://faui1-files.cs.fau.de/filepool/projects/coldboot/fares_coldboot.pdf)". -Virtual Machine Imaging +### Virtual Machine Imaging There are numerous popular virtual machines that are in wide use such as xen, qemu or vmware. If the memory image is for a machine running in this kind of virtual environment, there are usually two methods for diff --git a/docs/mounting_disk_images.md b/docs/mounting_disk_images.md index efd353c52..16071a348 100644 --- a/docs/mounting_disk_images.md +++ b/docs/mounting_disk_images.md 
@@ -79,10 +79,6 @@ Don't forget the switch ***-o ro*** ! `# umount /mnt` -## Mounting Images Using Alternate Superblocks - -- [Mounting Images Using Alternate Superblocks](http://sansforensics.wordpress.com/2008/12/18/mounting-images-using-alternate-superblocks/) - # Windows MS Windows does not include a native means for mounting acquired images. diff --git a/docs/netfse.md b/docs/netfse.md index 8bec904f9..eef33dfde 100644 --- a/docs/netfse.md +++ b/docs/netfse.md @@ -1,6 +1,7 @@ --- tags: - - Network Forensics + - Abandoned + - Network Forensics --- # Net/FSE: Network Forensic Search Engine @@ -26,12 +27,10 @@ capabilities with minimal coding. # Project Status -In June 2009 version 0.2 of the open source Net/FSE was released at -[NetFSE.org](http://www.netfse.org). The 0.3 release is in the works and -will be available in August 2010. NetFSE.org is the user community and -information center for Net/FSE users. +In June 2009 version 0.2 of the open source Net/FSE was initially published on +NetFSE.org. The 0.3 release was targeted for August 2010. The project appears +to have been abandoned. ## External Links -- [Project site](https://code.google.com/archive/p/netfse) - +* [Project site](https://code.google.com/archive/p/netfse) diff --git a/docs/network_forensics.md b/docs/network_forensics.md index 16a6c097d..a77d00324 100644 --- a/docs/network_forensics.md +++ b/docs/network_forensics.md @@ -41,9 +41,6 @@ available. - [Wireless forensics](wireless_forensics.md) - [SSL forensics](ssl_forensics.md) - - - - [IP geolocation](ip_geolocation.md) - [Tools: Network Forensics](tools_network_forensics.md) - [Tools: Logfile Analysis](logfile_analysis.md#tools) 
@@ -67,21 +64,17 @@ available. - [KisMAC](kismac.md) is a free, open source wireless stumbling and security tool for Mac OS X. - [Kismet](kismet.md) -- [logstash](http://logstash.net/) is a tool for managing events and +- [logstash](https://www.elastic.co/logstash) is a tool for managing events and logs. You can use it to collect logs, parse them, and store them for later use (like, for searching). Speaking of searching, logstash comes with a web interface for searching and drilling into all of your logs. - - - - [log2Timeline](log2timeline.md) a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a timeline that can be analysed by forensic investigators/analysts. -- [NetFSE](netfse.md) is a web-based search and analysis - application for high-volume network data [available at - NetFSE.org](http://www.netfse.org) +- [NetFSE](netfse.md) is a web-based search and analysis application for + high-volume network data. - [NetSleuth](http://www.netgrab.co.uk) is a live and retrospective network analysis and triage tool. - [ntop](ntop.md) @@ -94,9 +87,6 @@ available. things, is a Python-based engine used by several tools for automatic creation of timelines. Plaso default behavior is to create super timelines but it also supports creating more targeted timelines. - - - - [RegRipper](regripper.md) is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis diff --git a/docs/pdf.md b/docs/pdf.md index 8f0f5db00..89b6b6116 100644 --- a/docs/pdf.md +++ b/docs/pdf.md 
@@ -58,12 +58,12 @@ each in its own file. Several related standards exist that contain subsets or supersets of the PDF standard features. These standards include -- PDF/A a simpler set of features for archiving documents, allowing for +* PDF/A a simpler set of features for archiving documents, allowing for long-term reproducibility. Some scanning software saves documents in PDF/A by default. -- PDF/X for graphic arts. -- PDF/UA for universal accessibility. -- PDF/E for engineering drawings. +* PDF/X for graphic arts. +* PDF/UA for universal accessibility. +* PDF/E for engineering drawings. ## PDF Software @@ -89,8 +89,6 @@ and carving documents, including PDF files. The product can show PDF preview, plain text, metadata and extract embedded objects (including batch extraction from all found PDF files). - - JEB2 PDF Analysis Plugin @@ -101,16 +99,12 @@ Strong parsing for malicious files. Reports notifications on malformations and anomalies. API can also be used for tool/scanner integration. - - Origami A powerful open source framework and GUI written in Ruby. It allows for parsing and exploring pdf files and graphically browsing its contents. - - PDF Tools @@ -118,24 +112,18 @@ Didier Stevens' [pdf-parse](https://blog.didierstevens.com/2008/10/30/pdf-parserpy/) and pdfid, written in Python - - PDF Stream Dumper Free tool for the analysis of malicious PDF documents by David Zimmer. ([GitHub](https://github.com/dzzie/pdfstreamdumper)) - - pdfresurrect Retrieves previous versions of PDF files that have changes appended with "incremental updates" - - PDFMiner @@ -144,8 +132,6 @@ PDFMiner Includes **pdf2txt.py** command-line tool for extracting text from PDF files, and **dumppdf.py** for dumping PDF objects. - - pyPdf 
@@ -153,40 +139,29 @@ pyPdf Will encrypt and decrypt PDF files. - - -QPDF - +[QPDF](https://sourceforge.net/projects/qpdf/) Open source, cross-platform library and set of programs to inspect and manipulate PDF files. Packaged in recent Debian based distributions. These tools are useful for manipulating and generating PDF files: -ReportLab Open Source PDF Library - +[ReportLab](https://docs.reportlab.com/) Open Source PDF Library "our proven, industry-strength PDF generating software. Programmatically create any kind of PDF document" # See Also -- [Arabic PDFs](arabic_pdfs.md) -- [Document Metadata Extraction](document_metadata_extraction.md) +* [Arabic PDFs](arabic_pdfs.md) +* [Document Metadata Extraction](document_metadata_extraction.md) ## External Links -- [Adobe PDF - Reference](http://partners.adobe.com/public/developer/pdf/index_reference.html) -- [Wikipedia: PDF](https://en.wikipedia.org/wiki/PDF) -- [Portable Document Format: An Introduction for - Programmers](http://www.mactech.com/articles/mactech/Vol.15/15.09/PDFIntro/), +* [Adobe PDF Reference 1.7](https://opensource.adobe.com/dc-acrobat-sdk-docs/pdfstandards/pdfreference1.7old.pdf) +* [Wikipedia: PDF](https://en.wikipedia.org/wiki/PDF) +* [Portable Document Format: An Introduction for Programmers](http://www.mactech.com/articles/mactech/Vol.15/15.09/PDFIntro/), MacTech Magazine, Volume 15, (1999), Issue 9 -- [ISO - Standard](https://www.iso.org/standard/51502.html) -- [Patent - Licenses](http://partners.adobe.com/public/developer/support/topic_legal_notices.html) -- [Quickpost: About the Physical and Logical Structure of PDF - Files](https://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/), +* [ISO Standard](https://www.iso.org/standard/51502.html) +* [Quickpost: About the Physical and Logical Structure of PDF Files](https://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/), by Didier Stevens, April 9, 
2008 - diff --git a/docs/sanitization_standards.md b/docs/sanitization_standards.md index b17af59a4..8b095ff0e 100644 --- a/docs/sanitization_standards.md +++ b/docs/sanitization_standards.md @@ -39,7 +39,7 @@ regarding the disk sanitization problem: - [DoD Destruction](http://simson.net/ref/2001/ASD_HD_Disposition_memo060401.pdf): Disposition of Unclassified DoD Computer Hard Drives, Assistant Secretary of Defence, June 4, 2001. -- [DoD 5200.28-STD](http://security.isu.edu/pdf/d520028.pdf): +- [DoD 5200.28-STD](https://irp.fas.org/nsa/rainbow/std001.htm): Department of Defence Trusted Computer System Evaluation Criteria, December 26, 1985. - [DoD 5220.22-M](http://simson.net/ref/2001/DoD_5220.22-M.pdf): diff --git a/docs/sim_card_forensics.md b/docs/sim_card_forensics.md index 0f10b9213..e718bcda9 100644 --- a/docs/sim_card_forensics.md +++ b/docs/sim_card_forensics.md @@ -68,7 +68,6 @@ External Links * [Forensic Card Reader (FCR) - German](http://www.becker-partner.de/index.php?id=17) * [SIM Manager](http://www.txsystems.com/sim-manager.html) * [SIMQuery](http://vidstrom.net/otools/simquery/) -* [SimScan](http://users.net.yu/~dejan/) * [SIMSpy](http://www.nobbi.com/download.htm) * [UnDeleteSMS](https://vidstromlabs.com/freetools/undeletesms/) * [Forensic SIM Card Reader](http://www.bkforensics.com/FCR.html) diff --git a/docs/spada.md b/docs/spada.md index 4af60777f..9000a8095 100644 --- a/docs/spada.md +++ b/docs/spada.md 
@@ -1,23 +1,16 @@ --- tags: - - Deprecated - - Linux - - Tools - - Live CD - - Open Source Software + - Abandoned + - Live CD --- -**SPADA**, or System Preview And Data Acquisition, is a forensic [Live -CD](live_cd.md) base on [Knoppix](knoppix.md). +**SPADA**, or System Preview And Data Acquisition, is a forensic [Live CD](live_cd.md) +based on [Knoppix](knoppix.md). ## Forensic Issues -- SPADA will automount file systems during the hardware detection - process and recover some of them if required. +SPADA will automount file systems during the hardware detection process and +recover some of them if required. ## History -The development on SPADA stopped, the last release was in September 2010 - -## External Links - -- [Project site](http://spada-cd.info/) \ No newline at end of file +The development on SPADA stopped, the last release was in September 2010. diff --git a/docs/unlock_codes.md b/docs/unlock_codes.md deleted file mode 100644 index 2c6318f0a..000000000 --- a/docs/unlock_codes.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -tags: - - Articles that need to be expanded ---- -## See Also - -- --- Claims to generate unlock codes for - Nokia phones based on IMEI \ No newline at end of file diff --git a/docs/virtual_hard_disk_(vhd).md b/docs/virtual_hard_disk_(vhd).md index a90284c09..22f68ca8b 100644 --- a/docs/virtual_hard_disk_(vhd).md +++ b/docs/virtual_hard_disk_(vhd).md 
@@ -1,20 +1,20 @@ --- tags: - - File Formats - - Virtual Disk - - Disk Analysis - Articles that need to be expanded - - Windows + - Disk Analysis + - File Formats - Linux - MacOS + - Virtual Disk + - Windows --- The Virtual Hard Disk (VHD) commonly uses the .vhd extension. This format is used to store virtual disk images by: -- Microsoft Virtual PC -- Microsoft Virtual Server -- Microsoft Hyper-V Server +* Microsoft Virtual PC +* Microsoft Virtual Server +* Microsoft Hyper-V Server VHD support is also integrated into [Windows](windows.md) (at least in Windows 7) where "Disk Management" (part of "Computer @@ -25,10 +25,10 @@ files. There are multiple types of Virtual Hard Disk (VHD) images: -- Fixed-size hard disk image; the image contains all data -- Dynamic-size (or sparse) hard disk image; the image contains used data +* Fixed-size hard disk image; the image contains all data +* Dynamic-size (or sparse) hard disk image; the image contains used data only -- Differential (or differencing, or delta) hard disk image; the image +* Differential (or differencing, or delta) hard disk image; the image contains changes relative to its parent image ## Snapshots 
@@ -43,30 +43,30 @@ differential images of the previous snapshot. ## See Also -- [Disk Images](disk_images.md) -- [Windows](windows.md) +* [Disk Images](disk_images.md) +* [Windows](windows.md) ## External Links -- [VHD (file format)](https://en.wikipedia.org/wiki/VHD_(file_format)), +* [VHD (file format)](https://en.wikipedia.org/wiki/VHD_(file_format)), by Wikipedia -- [Virtual Hard Disk Image Format Specification](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/mt169373(v=ws.11)), +* [Virtual Hard Disk Image Format Specification](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/mt169373(v=ws.11)), by Microsoft, October 2006 -- [Overview of VHD & VHDX Virtual Hard Drive](https://www.bitrecover.com/blog/what-is-virtual-hard-disk/) An +* [Overview of VHD & VHDX Virtual Hard Drive](https://www.bitrecover.com/blog/what-is-virtual-hard-disk/) An overview of virtual hard drive image files -- [Virtual Hard Disk (VHD) image format](https://github.com/libyal/libvhdi/blob/main/documentation/Virtual%20Hard%20Disk%20(VHD)%20image%20format.asciidoc), +* [Virtual Hard Disk (VHD) image format](https://github.com/libyal/libvhdi/blob/main/documentation/Virtual%20Hard%20Disk%20(VHD)%20image%20format.asciidoc), by the [libvhdi project](libvhdi.md), September 2012 ### Snapshots -- [Hyper-V Concepts - Snapshots](http://social.technet.microsoft.com/wiki/contents/articles/670.hyper-v-concepts-snapshots.aspx) -- [Hyper-V SnapShot Files – AVHD and VHD? What The ?](http://survey-smiles.com) -- [Manually Merge .avhd to .vhd in Hyper-V](http://social.technet.microsoft.com/wiki/contents/articles/6257.manually-merge-avhd-to-vhd-in-hyper-v.aspx) +* [Hyper-V Concepts - Snapshots](https://social.technet.microsoft.com/wiki/contents/articles/670.hyper-v-concepts-snapshots.aspx) +* [Hyper-V SnapShot Files – AVHD and VHD? 
What The ?](http://survey-smiles.com) +* [Manually Merge .avhd to .vhd in Hyper-V](https://social.technet.microsoft.com/wiki/contents/articles/6257.manually-merge-avhd-to-vhd-in-hyper-v.aspx) ## Tools -- [libvhdi](libvhdi.md) -- [VHD Data Recovery](https://www.bitrecover.com/vhd-recovery-software/) +* [libvhdi](libvhdi.md) +* [VHD Data Recovery](https://www.bitrecover.com/vhd-recovery-software/) Help you recover & extract your files from a corrupt or damaged .vhd / .vhdx files. Supports Microsoft Hyper-V, Microsoft Virtual PC, Microsoft Virtual Server virtual machine drive images. diff --git a/docs/windows_8.md b/docs/windows_8.md index d1271414a..7d99b3a24 100644 --- a/docs/windows_8.md +++ b/docs/windows_8.md @@ -9,18 +9,17 @@ edition became Windows Server 2012. The following new features were introduced in Windows 8: -- [File History](windows_file_history.md) -- [Storage Spaces](windows_storage_spaces.md) -- Search Charm History +* [File History](windows_file_history.md) +* [Storage Spaces](windows_storage_spaces.md) +* Search Charm History ## File System The file system used by Windows 8 is primarily [NTFS](ntfs.md). -The [Resilient File System -(refs)](resilient_file_system_(refs).md) was initially available -in the Windows 8 server edition but became part of Windows 2012 server -edition. +The [Resilient File System (refs)](resilient_file_system_(refs).md) was +initially available in the Windows 8 server edition but became part of +Windows 2012 server edition. ## Jump Lists 
@@ -51,27 +50,27 @@ A common location for Amcache.hve is: ## See Also -- [Windows](windows.md) -- [Windows Vista](windows_vista.md) -- [Windows 7](windows_7.md) +* [Windows](windows.md) +* [Windows Vista](windows_vista.md) +* [Windows 7](windows_7.md) ## External Links -- [Features new to Windows 8](https://en.wikipedia.org/wiki/Features_new_to_Windows_8), Wikipedia -- [Windows 8 Registry Forensics](https://www.dataforensics.org/windows-8-file-history-forensics/) -- [Windows 8 Forensic Guide](http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf), +* [Features new to Windows 8](https://en.wikipedia.org/wiki/Features_new_to_Windows_8), Wikipedia +* [Windows 8 Registry Forensics](https://www.dataforensics.org/windows-8-file-history-forensics/) +* [Windows 8 Forensic Guide](https://elhacker.info/manuales/An%C3%A1lisis%20forense/thomson_windows-8-forensic-guide2.pdf), by Amanda C. F. Thomson, 2012 -- [Forensic Focus: Windows 8 Forensics - A First Look](https://forensicfocus.com/Forums/viewtopic/t=9604/), +* [Forensic Focus: Windows 8 Forensics - A First Look](https://forensicfocus.com/Forums/viewtopic/t=9604/), [Presentation](https://www.youtube.com/watch?v=uhCooEz9FQshttp://www.youtube.com/watch?v=uhCooEz9FQs&feature=youtu.befeature=youtu.be), [Slides](https://forensicfocus.com/downloads/windows-8-forensics-josh-brunty.pdf), by Josh Brunty, August 2012 -- [Windows 8: Tracking Opened Photos](https://dfstream.blogspot.com/2013/03/windows-8-tracking-opened-photos.html), +* [Windows 8: Tracking Opened Photos](https://dfstream.blogspot.com/2013/03/windows-8-tracking-opened-photos.html), by Jason Hale, March 8, 2013 -- [Windows 8 and 8.1: Search Charm History](https://dfstream.blogspot.com/2013/09/windows-8-and-81-search-charm-history.html), +* [Windows 8 and 8.1: Search Charm History](https://dfstream.blogspot.com/2013/09/windows-8-and-81-search-charm-history.html), by Jason Hale, September 9, 2013 -- [Amcache.hve in Windows 8 - 
Goldmine for malware hunters](http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html), +* [Amcache.hve in Windows 8 - Goldmine for malware hunters](http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html), by Yogesh Khatri, December 4, 2013 -- [Amcache.hve - Part 2](http://www.swiftforensics.com/2013/12/amcachehve-part-2.html), by +* [Amcache.hve - Part 2](http://www.swiftforensics.com/2013/12/amcachehve-part-2.html), by Yogesh Khatri, December 16, 2013 -- [SRUM forensics](https://files.sans.org/summit/Digital_Forensics_and_Incident_Response_Summit_2015/PDFs/Windows8SRUMForensicsYogeshKhatri.pdf), +* [SRUM forensics](https://files.sans.org/summit/Digital_Forensics_and_Incident_Response_Summit_2015/PDFs/Windows8SRUMForensicsYogeshKhatri.pdf), by Yogesh Khatri
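Review bot: in the logfile_analysis.md hunk, the rewritten list item `* in-database` is still lowercase and hyphenated while its siblings read `* Binary formats` and `* Text-based formats`; since the line is being touched anyway, make it `* In-database formats` so the three categories match the `## Binary formats` and `## Text-based formats` headings that follow.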
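Review bot: in the memory_imaging.md hunk, removing the digitalfire.ucd.ie link leaves `The Goldfish tool automates this exploit for investigators needing to analyze the memory of a Mac.` with no reference at all, so a reader cannot tell whether the tool still exists; keep an archived copy of the original URL or state that it is no longer available, in the way the netfse.md hunk records that project with an `Abandoned` tag. The promotion of `Crash Dumps`, `LiveKd Dumps`, `Hibernation Files`, `Firewire`, `Cold and Warm reboots` and `Virtual Machine Imaging` to `###` headings is a good fix for the Memory Imaging Techniques section.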
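Review bot: the mounting_disk_images.md hunk deletes the whole `## Mounting Images Using Alternate Superblocks` section because its only content was the dead sansforensics.wordpress.com link, but the technique itself (mounting an ext filesystem whose primary superblock is damaged by pointing mount at a backup copy, for example with the ext `sb=` mount option) is still relevant to this page; keep the heading with a one-line description, or link an archive.org capture of the post, rather than dropping the topic.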
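Review bot: the network_forensics.md and sanitization_standards.md hunks keep `-` as the list marker while logfile_analysis.md, netfse.md, pdf.md, spada.md, virtual_hard_disk_(vhd).md and windows_8.md are converted to `*` in the same commit; if the marker change is intended, apply it to every file touched, otherwise leave it out of a dead-links commit so the docs do not end up with two list styles.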
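Review bot: in the pdf.md PDF Tools hunk, the context line `Didier Stevens' [pdf-parse](https://blog.didierstevens.com/2008/10/30/pdf-parserpy/)` names the tool `pdf-parse`, but the linked post and the tool are `pdf-parser.py`; correct the link text while this block is being edited. In the same file, the new `[QPDF](https://sourceforge.net/projects/qpdf/)` and `[ReportLab](https://docs.reportlab.com/)` entries are the only tool names rendered as links and they lose the blank line before their description, while Origami, PDF Stream Dumper, pdfresurrect, PDFMiner and pyPdf keep plain names followed by a blank line; pick one layout for the whole list.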
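Review bot: the spada.md hunk removes the `Linux`, `Tools` and `Open Source Software` tags and renames `Deprecated` to `Abandoned`, and the commit also deletes docs/unlock_codes.md and docs/cryptocloud.md outright; none of this is a dead-reference removal as the message `Removed dead references (#199)` describes, so either split the retagging and page deletions into their own commit or extend the message to say which pages were removed and that the tag was renamed.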
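Review bot: in the virtual_hard_disk_(vhd).md Snapshots hunk, `* [Hyper-V SnapShot Files – AVHD and VHD? What The ?](http://survey-smiles.com)` is only rewritten from `-` to `*` although its URL plainly does not match the article title (a survey domain rather than a Hyper-V post); given the purpose of this commit, drop the entry or replace the URL with an archived copy of the original article.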
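Review bot: in the windows_8.md External Links hunk, the unchanged context line `[Presentation](https://www.youtube.com/watch?v=uhCooEz9FQshttp://www.youtube.com/watch?v=uhCooEz9FQs&feature=youtu.befeature=youtu.be)` is two URLs run together and cannot resolve; fix it here to `https://www.youtube.com/watch?v=uhCooEz9FQs`. The same hunk relinks the Windows 8 Forensic Guide PDF to a third-party mirror on elhacker.info; a mirror can change or disappear and is not attributable to the author, so an archive.org capture of the original propellerheadforensics.files.wordpress.com URL would be a more durable and verifiable citation.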