From a554fc02c61d91936a160b5614b97b28c74cc13b Mon Sep 17 00:00:00 2001 From: Joachim Metz Date: Sun, 3 Dec 2023 21:34:33 +0100 Subject: [PATCH] Removed dead references (#200) --- docs/amcache.md | 31 ++--- docs/apple_iphone.md | 1 - docs/bibliography.md | 2 +- docs/blogs.md | 4 - docs/body_file.md | 2 +- docs/darik's_boot_and_nuke.md | 9 +- docs/dd.md | 1 - docs/disk_images.md | 4 +- docs/early_userspace.md | 33 ++--- ...amous_cases_involving_digital_forensics.md | 2 +- docs/forensic_corpora.md | 14 -- docs/forensic_live_cd_issues.md | 38 +++-- docs/gethashes_sh.md | 5 +- docs/internet_explorer.md | 6 +- docs/journals.md | 1 - docs/jpeg.md | 10 +- docs/libwrc.md | 3 +- docs/list_of_mua_header_formats.md | 51 +------ docs/list_of_volatility_plugins.md | 8 +- docs/list_of_windows_mru_locations.md | 1 - docs/logfile_analysis.md | 8 -- docs/mac_times.md | 8 +- docs/nokia.md | 19 +-- docs/prefetch.md | 4 +- docs/residual_data_on_used_equipment.md | 2 +- docs/resilient_file_system_(refs).md | 2 +- docs/thumbs.db.md | 4 +- docs/timeline_analysis.md | 2 +- docs/tools_file_analysis.md | 49 ------- docs/tools_network_forensics.md | 131 ------------------ docs/turpinmckee895.md | 26 ---- docs/usb_history_viewing.md | 2 +- docs/websites.md | 36 +---- docs/windows.md | 6 +- docs/windows_10.md | 2 +- docs/windows_registry.md | 3 - docs/windows_restore_points.md | 2 +- docs/windows_xml_event_log_(evtx).md | 2 +- 38 files changed, 84 insertions(+), 450 deletions(-) delete mode 100644 docs/turpinmckee895.md diff --git a/docs/amcache.md b/docs/amcache.md index 3329c8b57..ed06bc666 100644 --- a/docs/amcache.md +++ b/docs/amcache.md 
@@ -1,33 +1,24 @@ --- tags: - - File Formats - - Database - - Windows - - Articles that need to be expanded + - Articles that need to be expanded + - File Formats + - Windows --- -The AMCache stores metadata about program installation and -execution on Windows. +The AMCache stores metadata about program installation and execution on Windows. It can be found on Windows 7 and Server 2008 R2 and later. -The AMCache is stored in the [Windows NT Registry File -(regf)](windows_nt_registry_file_(regf).md) format in a file -named AMCache.hve. +The AMCache is stored in the [Windows NT Registry File (regf)](windows_nt_registry_file_(regf).md) +format in a file named AMCache.hve. ## See Also -- [Windows Application - Compatibility](windows_application_compatibility.md) -- [Amcache.hve in Windows 8 - Goldmine for malware - hunters](http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html), +- [Windows Application Compatibility](windows_application_compatibility.md) +- [Amcache.hve in Windows 8 - Goldmine for malware hunters](https://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html), by Yogesh Khatri, December 2013 -- [Amcache on Windows - 7](http://www.swiftforensics.com/2016/05/amcache-on-windows-7.html), +- [Amcache on Windows 7](https://www.swiftforensics.com/2016/05/amcache-on-windows-7.html), by Yogesh Khatri, May 2016 -- [Examples of - amcache.py](https://gist.github.com/williballenthin/ee512eacb672320f2df5), +- [Examples of amcache.py](https://gist.github.com/williballenthin/ee512eacb672320f2df5), by Willi Ballenthin -- [Analysis of the - AMCache](https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf), +- [Analysis of the AMCache](https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf), by Blanche Lagny, July 2019 - diff --git a/docs/apple_iphone.md b/docs/apple_iphone.md index 6184c4151..1fc2ff592 100644 --- a/docs/apple_iphone.md +++ b/docs/apple_iphone.md 
@@ -27,7 +27,6 @@ Store does not allow in any application it distributes). - [Elcomsoft Mobile Forensic Bundle](https://www.elcomsoft.com/emfb.html) performs physical, logical and over-the-air acquisition. - EnCase Neutrino -- [FTS iXAM](http://www.ixam-forensics.com/) - Internet Evidence Finder by Magnet Forensics - iPhone Analyzer - [iphone-dataprotection](https://code.google.com/archive/p/iphone-dataprotection); diff --git a/docs/bibliography.md b/docs/bibliography.md index a643917d2..1e4fc4855 100644 --- a/docs/bibliography.md +++ b/docs/bibliography.md @@ -38,7 +38,7 @@ tags: - [Retrieving Digital Evidence: Methods, Techniques and Issues](https://belkasoft.com/retrieving-digital-evidence-methods-techniques-and-issues), by Yuri Gubanov, 2012 -- [Byteprints: A Tool to Gather Digital Evidence](http://utdallas.edu/~sxs018540/index/docs/byteprints_itcc05.pdf), +- [Byteprints: A Tool to Gather Digital Evidence](https://ieeexplore.ieee.org/document/1428548), Sriranjani Sitaraman, Srinivasan Krishnamurthy and S. Venkatesan, Proceedings of the International Conference on Information Technology (ITCC 2005), Las Vegas, Nevada, USA, April 4 - 6, 2005 diff --git a/docs/blogs.md b/docs/blogs.md index 7dc951e72..c5119ee2d 100644 --- a/docs/blogs.md +++ b/docs/blogs.md @@ -169,10 +169,6 @@ like: blogs, fora, tweets, tools and challenges (and test images). # Related blogs -- [Emergent Chaos](http://www.emergentchaos.com/), - by Adam Shostack -- [Inventor of NORA discusses privacy and all things digital](https://jeffjonas.typepad.com/), - by Jeff Jonas - [Digital Forensics, Coffee, Benevolent Hacking](https://outlookpurple.blogspot.com/), by [Golden G. Richard III](golden_g_richard_iii.md) diff --git a/docs/body_file.md b/docs/body_file.md index 95e2a1a94..919dcdd59 100644 --- a/docs/body_file.md +++ b/docs/body_file.md 
@@ -82,7 +82,7 @@ Known shortcomings with body file format are: ### HFS+ and HFSX * On HFS+ and HFSX the `/` character in a file name will be replaced by `:`, which - corresponds with the behavior of Mac OS Terminal. Also see [here](https://github.com/sleuthkit/sleuthkit/blob/3d16b8bc293ba13a5674fe9ce6a35f867ccc945d/tsk/fs/hfs_dent.c#L110). + corresponds with the behavior of Mac OS Terminal. Also see [here](https://github.com/sleuthkit/sleuthkit/blob/3d16b8bc293ba13a5674fe9ce6a35f867ccc945d/tsk/fs/hfs_dent.c). * For hard links on HFS+ the Catalog Node Identifier (CNID) of the link target (indirect node) file record is used instead as the `inode` value instead of the CNID of the (hard link) file record itself. This matches the behavior of Mac OS (file) stat as described [here](https://developer.apple.com/library/archive/technotes/tn/tn1150.html), in the section "Hard Links". * For HFS+ the MD5 calculation of `fls` includes: * Regular files diff --git a/docs/darik's_boot_and_nuke.md b/docs/darik's_boot_and_nuke.md index 885e87bb8..e468d124a 100644 --- a/docs/darik's_boot_and_nuke.md +++ b/docs/darik's_boot_and_nuke.md @@ -8,10 +8,9 @@ tags: --- **D**arik's **B**oot **a**nd **N**uke is a disk image that can create a bootable CD/DVD/Floppy/USB Device that can securely wipe the hard disks -of most computers. Dban has support for all 32-bit x86 machines as well -as [beta](https://dban.org/beta/index.html) builds for Cisco -Routers, Sparc, PowerPC and HP PA-RISC hardware architecture. DBan is -bundled with [Eraser](eraser.md) +of most computers. + +DBan is bundled with [Eraser](eraser.md) ## Wipe Methods @@ -24,4 +23,4 @@ bundled with [Eraser](eraser.md) ## External Links - [Official website](https://dban.org/) -- [Support Forum](https://sourceforge.net/p/dban/discussion/208932/) \ No newline at end of file +- [Support Forum](https://sourceforge.net/p/dban/discussion/208932/) diff --git a/docs/dd.md b/docs/dd.md index 524e11dba..e88aa293b 100644 --- a/docs/dd.md 
+++ b/docs/dd.md @@ -157,4 +157,3 @@ home archive and will miss the srv archive. ## External Links - [LinuxJournal article about dd](https://www.linuxjournal.com/article/1320) -- [Windows Version of dd and other forensics tools](http://users.erols.com/gmgarner/forensics/) diff --git a/docs/disk_images.md b/docs/disk_images.md index 4167b0ce5..4f58b7f57 100644 --- a/docs/disk_images.md +++ b/docs/disk_images.md @@ -39,8 +39,8 @@ Forensics File Formats build-in, some of which are: * read-write disk image (.dmg): [raw](raw_image_format.md), [UDIF](dmg.md), NDIF -* [Sparse disk image (.spareimage)](https://github.com/libyal/libmodi/blob/main/documentation/Mac%20OS%20disk%20image%20types.asciidoc#3-sparse-disk-image-sparseimage-format) -* [Sparse bundle disk image (.sparsebundle)](https://github.com/libyal/libmodi/blob/main/documentation/Mac%20OS%20disk%20image%20types.asciidoc#4-sparse-bundle-disk-image-sparsebundle-format) +* [Sparse disk image (.spareimage)](https://github.com/libyal/libmodi/blob/main/documentation/Mac%20OS%20disk%20image%20types.asciidoc) +* [Sparse bundle disk image (.sparsebundle)](https://github.com/libyal/libmodi/blob/main/documentation/Mac%20OS%20disk%20image%20types.asciidoc) [Windows](windows.md) diff --git a/docs/early_userspace.md b/docs/early_userspace.md index 9678f3e80..9aaf0c287 100644 --- a/docs/early_userspace.md +++ b/docs/early_userspace.md @@ -1,12 +1,9 @@ --- tags: - - Live CD - - Linux - - Open Source Software - - Tools + - Linux + - Tools --- -According to the [Linux -documentation](https://www.kernel.org/doc/Documentation/early-userspace/README), +According to the [Linux documentation](https://www.kernel.org/doc/Documentation/early-userspace/README), "early userspace" is a set of libraries and programs that provide various pieces of functionality that are important enough to be available while a Linux kernel is coming up, but that don't need to be 
@@ -21,20 +18,16 @@ which contains a live system (desktop environment and various applications reside in a live system, while early userspace contains only a limited set of programs required for booting up). -Due to varied conditions in which Live CDs and Live USBs are booting up -(for example, it is possible to make Live USB from Live CD by writing -ISO 9660 image [directly to USB -device](https://help.ubuntu.com/community/Installation/FromUSBStick#dd_image_of_iso_file_to_USB_device_safely) -as well as by exporting files from ISO 9660 image to an existing file -system on USB device and setting up a bootloader on this device), early -userspace should locate a root file system first. A root file system can -be stored in a [SquashFS](https://en.wikipedia.org/wiki/SquashFS) image -file, a [raw image](raw_image_format.md) file, a partition with -a file system, a device without a partition table (but with a file -system), or even in a set of directories in unpacked form (although -specific implementations of early userspace may not support everything -listed above). +Due to varied conditions in which Live CDs and Live USBs are booting up (for +example, it is possible to make Live USB from Live CD by writing ISO 9660 image +directly to USB device as well as by exporting files from ISO 9660 image to an +existing file system on USB device and setting up a bootloader on this device), +early userspace should locate a root file system first. A root file system can +be stored in a [SquashFS](https://en.wikipedia.org/wiki/SquashFS) image file, a +[raw image](raw_image_format.md) file, a partition with a file system, a device +without a partition table (but with a file system), or even in a set of +directories in unpacked form (although specific implementations of early +userspace may not support everything listed above). After booting, contents of a root file system are visible as the contents of "/" directory. - 
diff --git a/docs/famous_cases_involving_digital_forensics.md b/docs/famous_cases_involving_digital_forensics.md index 4b1c28084..2ca19738b 100644 --- a/docs/famous_cases_involving_digital_forensics.md +++ b/docs/famous_cases_involving_digital_forensics.md @@ -36,7 +36,7 @@ had been assigned. It was Scott William Tyree. * [article on the abduction](https://www.covenanteyes.com/2012/01/13/caught-by-a-predator-10-years-after-her-abduction/) * [Popular Mechanics article](https://www.popularmechanics.com/technology/security/how-to/a630/2672751/) -* [Congressional testimony of Alicia Kozakiewicz](http://notonemorechild.org/map/9) +* [Congressional testimony of Alicia Kozakiewicz](https://notonemorechild.org) ### 2005 [Dennis Rader](https://en.wikipedia.org/wiki/Dennis_Rader) --- The "BTK" Serial Killer diff --git a/docs/forensic_corpora.md b/docs/forensic_corpora.md index 8c3f2fe5b..14c79c611 100644 --- a/docs/forensic_corpora.md +++ b/docs/forensic_corpora.md @@ -119,20 +119,6 @@ for the purpose of the evaluation. - [2000 DARPA Intrusion Detection Scenario Specific](http://www.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html) -## WIDE - -*The [MAWI Working Group](https://www.wide.ad.jp/project/wg/mawi.html) of -the [WIDE Project](https://www.wide.ad.jp/)* maintains a [Traffic -Archive](http://tracer.csl.sony.co.jp/mawi/). In it you will find: - -- daily trace of a trans-Pacific T1 line; -- daily trace at an IPv6 line connected to 6Bone; -- daily trace at another trans-Pacific line (100Mbps link) in operation - since 2006/07/01. - -Traffic traces are made by tcpdump, and then, IP addresses in the traces -are scrambled by a modified version of [tcpdpriv](tcpdpriv.md). - ## Wireshark The open source Wireshark project (formerly known as Ethereal) has a diff --git a/docs/forensic_live_cd_issues.md b/docs/forensic_live_cd_issues.md index 9f64c9756..b11f4c1e7 100644 --- a/docs/forensic_live_cd_issues.md +++ b/docs/forensic_live_cd_issues.md 
@@ -167,29 +167,23 @@ will efficiently write-protect the drive from programs running in userspace, while kernel and its modules still can write anything to the block device, regardless of the read-only mode). -Analysis of the source code for the "write blocking" functionality -utilized by hdparm and -blockdev demonstrates that these tools use the -same system call to alter a kernel flag which is checked in the file -system layer. This flag (when set) disables generic write operations on -a file within a file system and many internal write operations of the -file system layer (like journaling, recovering a file system after a -crash, superblock modifications, etc.). File system drivers use the -interface to the [block device -layer](http://researcher.watson.ibm.com/researcher/files/il-AVISHAY/01-block_io-v1.3.pdf) -to perform internal write operations, and the block device layer is -ignoring (not checking) the read-only flag set by hdparm or blockdev on -a block device, therefore it's up to a file system driver to refuse -writing to a block device in read-only mode (and there is nothing -stopping write operations issued by a file system driver not adhering -the read-only mode of a block device due to the lack of read-only flag -checks). [A patch has been -implemented](https://github.com/Schramp/linux-writeblock/wiki) to add -the write blocking functionality to the IO scheduler / block device +Analysis of the source code for the "write blocking" functionality utilized by +hdparm and blockdev demonstrates that these tools use the same system call to +alter a kernel flag which is checked in the file system layer. This flag (when +set) disables generic write operations on a file within a file system and many +internal write operations of the file system layer (like journaling, recovering +a file system after a crash, superblock modifications, etc.). 
File system +drivers use the interface to the block device layer to perform internal write +operations, and the block device layer is ignoring (not checking) the read-only +flag set by hdparm or blockdev on a block device, therefore it's up to a file +system driver to refuse writing to a block device in read-only mode (and there +is nothing stopping write operations issued by a file system driver not +adhering the read-only mode of a block device due to the lack of read-only flag +checks). [A patch has been implemented](https://github.com/Schramp/linux-writeblock/wiki) +to add the write blocking functionality to the IO scheduler / block device layer as well, and make it the default to block all write IO issued to a -read-only block device ([Linux write -blocker](linux_write_blocker.md) does almost the same, except it -doesn't write block anything by default). +read-only block device ([Linux write blocker](linux_write_blocker.md) does +almost the same, except it doesn't write block anything by default). ### TRIM aka discard command diff --git a/docs/gethashes_sh.md b/docs/gethashes_sh.md index 8b35765f6..3d7723626 100644 --- a/docs/gethashes_sh.md +++ b/docs/gethashes_sh.md @@ -1,7 +1,7 @@ --- tags: - - Hashing - - Linux + - Hashing + - Linux --- ## General Usage @@ -66,5 +66,4 @@ The following video describes how to use the script: ## External Links -* [Download location](https://bitbucket.org/stewdebaker/unix-hashing-script) * [ReadMe file](http://technicallysane.blogspot.com/p/unix-file-hashing-script.html) diff --git a/docs/internet_explorer.md b/docs/internet_explorer.md index 5e17cbabc..b9999556f 100644 --- a/docs/internet_explorer.md +++ b/docs/internet_explorer.md 
@@ -79,7 +79,7 @@ On Windows Vista and later: ### Typed URLs Internet Explorer stores the cached History (or Address box) entries in -the following Windows Registry key [2](http://support.microsoft.com/kb/157729). +the following Windows Registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs @@ -106,13 +106,11 @@ the following Windows Registry key [2](http://support.microsoft.com/kb/157729). ### Recovery store -* [Internet Explorer RecoveryStore (aka Travelog) as evidence of Internet Browsing activity](http://www.swiftforensics.com/2011/09/internet-explorer-recoverystore-aka.html), +* [Internet Explorer RecoveryStore (aka Travelog) as evidence of Internet Browsing activity](https://www.swiftforensics.com/2011/09/internet-explorer-recoverystore-aka.html), by Yogesh Khatri, September 29, 2011 ### Typed URLS -* [The Trouble with TypedUrlsTime](http://randomthoughtsofforensics.blogspot.co.uk/2012/07/trouble-with-typedurlstime.html), - by Ken Johnson, July 4, 2012 * [TypedURLs Registry Key](http://sketchymoose.blogspot.com/2014/02/typedurls-registry-key.html), Sketchymoose's Blog, February 18, 2014 diff --git a/docs/journals.md b/docs/journals.md index a43e48c23..19beda5d3 100644 --- a/docs/journals.md +++ b/docs/journals.md 
@@ -14,7 +14,6 @@ subject of digital forensics: | Forensic Science Communications | n/a | n/a | n/a | | Federal Bureau of Investigation (FBI) | United States | Print | Current issue still 2010. | | IEEE Transactions on Information Forensics and Security | 1.34 | 35 | 41 | | Institute of Electrical and Electronics Engineers Inc. | United States | Print/Electronic | Print journal from IEEE Signal Processing Society that started in 2005. | | International Journal of Computer Science and Network Security | n/a | n/a | 24 | | IJCSNS | South Korea | Electronic | Open Access. Monthly | -| International Journal of Cyber-Security and Digital Forensics | n/a | n/a | n/a | | The Society of Digital Information and Wireless Communications | China (Hong Kong) | Electronic | | | International Journal of Digital Crime and Forensics | n/a | 4 | n/a | | IGI Global | United States | Print/Electronic | Started in 2009, Quarterly | | International Journal of Electronic Security and Digital Forensics | n/a | 4 | n/a | | Inderscience Publishers | United Kingdom | Print/Electronic | Quarterly | | International Journal of Forensic Computer Science | n/a | n/a | n/a | | Brazilian Association of High Technology Experts (ABEAT) | Brazil | Electronic | | diff --git a/docs/jpeg.md b/docs/jpeg.md index 1b5667c34..6bd41a5d3 100644 --- a/docs/jpeg.md +++ b/docs/jpeg.md 
@@ -31,12 +31,12 @@ remove metadata from all images. # Externals Links -- [Wikipedia: JPEG](https://en.wikipedia.org/wiki/JPEG) -- [ISO/IEC 10918-1](https://www.w3.org/Graphics/JPEG/itu-t81.pdf), - Section: Annex B contains a detailed description of the JPEG file - structure. - [JPEG File Interchange Format Version 1.02](https://www.w3.org/Graphics/JPEG/jfif3.pdf) +- [Adobe: XMP Specification](https://www.adobe.com/products/xmp/standards.html) - [Extensible Metadata Platform (XMP)](https://www.adobe.com/products/xmp.html) -- [Adobe - XMP Specification](http://partners.adobe.com/public/developer/en/xmp/sdk/XMPspecification.pdf) - [FlashPix Tags](https://exiftool.org/TagNames/FlashPix.html) +- [ISO/IEC 10918-1](https://www.w3.org/Graphics/JPEG/itu-t81.pdf), + Section: Annex B contains a detailed description of the JPEG file + structure. - [Wikipedia: ICC profile](https://en.wikipedia.org/wiki/ICC_profile) +- [Wikipedia: JPEG](https://en.wikipedia.org/wiki/JPEG) diff --git a/docs/libwrc.md b/docs/libwrc.md index 4e2c5cc03..b8e138c0c 100644 --- a/docs/libwrc.md +++ b/docs/libwrc.md @@ -7,7 +7,8 @@ tags: - Tools --- The **libwrc** package contains a library and applications to read the -[Windows Resource Compiler (WRC) format](https://github.com/libyal/libexe/blob/main/documentation/Executable%20(EXE)%20file%20format.asciidoc#5-resource-section-data) +[Windows Resource Compiler (WRC) format](https://github.com/libyal/libexe/blob/main/documentation/Executable%20(EXE)%20file%20format.asciidoc). + This format is used in the .rsrc section of PE/COFF executables. ## Tools diff --git a/docs/list_of_mua_header_formats.md b/docs/list_of_mua_header_formats.md index efcd5aa42..7484cf25c 100644 --- a/docs/list_of_mua_header_formats.md +++ b/docs/list_of_mua_header_formats.md 
@@ -6,71 +6,22 @@ The following pages defines the headers added to each message by the mail user agent: - [Apple Mail Header Format](apple_mail_header_format.md) - - - - [Eudora Header Format](eudora_header_format.md) - - - - [Evolution Header Format](evolution_header_format.md) - - - - [Gmail Header Format](gmail_header_format.md) - - - - [GMX Header Format](gmx_header_format.md) - - - - [Horde IMP Header Format](horde_imp_header_format.md) - - - - [Hotmail Header Format](hotmail_header_format.md) - - - - [iPhone Mail Header Format](iphone_mail_header_format.md) - - - -- [Microsoft Mail Header - Format](microsoft_mail_header_format.md) - - - +- [Microsoft Mail Header Format](microsoft_mail_header_format.md) - [Mutt Header Format](mutt_header_format.md) - - - - [Open WebMail Header Format](open_webmail_header_format.md) - - - - [Outlook Header Format](outlook_header_format.md) - - - - [Outlook Express Header Format](outlook_express_header_format.md) - - - - [Pine Header Format](pine_header_format.md) - - - - [The Bat! Header Format](the_bat_header_format.md) - - - - [Thunderbird Header Format](thunderbird_header_format.md) - - - - [Yahoo! Mail Header Format](yahoo!_mail_header_format.md) ## See Also diff --git a/docs/list_of_volatility_plugins.md b/docs/list_of_volatility_plugins.md index 96eb7129c..b53e69c9e 100644 --- a/docs/list_of_volatility_plugins.md +++ b/docs/list_of_volatility_plugins.md 
@@ -71,12 +71,10 @@ on the [project Googlecode site](https://code.google.com/archive/p/volatility). [Moyix](https://moyix.blogspot.com/2008/08/auditing-system-call-table.html)) - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table. -- [threadqueues](http://kurtz.cs.wesleyan.edu/%7Ebdolangavitt/memory/threadqueues.py) - (By - [Moyix](https://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html)) - - Enumerates window messages pending for each thread on the system. - Window messages are the mechanism used to send things like button +- threadqueues - Enumerates window messages pending for each thread on the + system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs. + By [Moyix](https://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html)) - objtypescan, by Andreas Schuster - Enumerates Windows kernel object types. (Note: If running the SVN version of Volatility, just install the plugin file from this archive) diff --git a/docs/list_of_windows_mru_locations.md b/docs/list_of_windows_mru_locations.md index d33815158..da284fcd1 100644 --- a/docs/list_of_windows_mru_locations.md +++ b/docs/list_of_windows_mru_locations.md @@ -301,5 +301,4 @@ USERNAME\software\microsoft\windows\currentversion\applets\regedit ## External Links * [Registry MRU Locations](https://www.daniweb.com/digital-media/ui-ux-design/tutorials/66079/forms-styling-text-fields-with-css-and-html) -* [How to Clear the Windows Explorer MRU Lists](http://support.microsoft.com/kb/142298) * [Removing MRU List from Mapped Network Drives](https://www.windowsbbs.com/threads/removing-mru-list-from-mapped-network-drives.47519/) diff --git a/docs/logfile_analysis.md b/docs/logfile_analysis.md index fe5b1e06d..56eeacc58 100644 --- a/docs/logfile_analysis.md +++ b/docs/logfile_analysis.md 
@@ -44,14 +44,6 @@ Web logfile analytics software can process a log file and print a report. Normally this software is used by organizations that host the website. It can also be used for analysis of webserver logfiles. -[Analog](http://www.analog.cx/) - -Claims to be *"the most popular logfile analyser in the world"* - -[Webalizer](http://www.mrunix.net/webalizer/) - -*"A fast, free web server log file analysis program"* - [phpMyVisites](http://www.phpmyvisites.us/) New "clicks heatmap" shows where people are clicking on your website; diff --git a/docs/mac_times.md b/docs/mac_times.md index 984438c38..bb14850a7 100644 --- a/docs/mac_times.md +++ b/docs/mac_times.md @@ -99,13 +99,11 @@ should be disabled. ## External Links - [Wikipedia: MAC times](https://en.wikipedia.org/wiki/MAC_times) -- [What Are - MACtimes?](https://www.drdobbs.com:443/what-are-mactimes/184404275), by Dan - Farmer, Oct 2000 +- [What Are MACtimes?](https://www.drdobbs.com:443/what-are-mactimes/184404275), + by Dan Farmer, Oct 2000 ### NTFS - [Disable the NTFS Last Access Time Stamp](http://www.winguides.com/registry/display.php/50/) -- [Microsoft KB 299648: Description of NTFS date and time stamps for - files and folders](http://support.microsoft.com/kb/299648) \ No newline at end of file +- [Microsoft KB 299648: Description of NTFS date and time stamps for files and folders](https://mskb.pkisolutions.com/kb/299648) diff --git a/docs/nokia.md b/docs/nokia.md index f5921448c..9d5e2c159 100644 --- a/docs/nokia.md +++ b/docs/nokia.md @@ -1,6 +1,6 @@ --- tags: - - Organization + - Organization --- **Nokia Corporation** is a Finnish multinational communications corporation, headquartered in Keilaniemi, Espoo, a city neighbouring 
@@ -15,21 +15,6 @@ segment and protocol, including GSM, CDMA, and W-CDMA (UMTS). Nokia's subsidiary Nokia Siemens Networks produces telecommunications network equipments, solutions and services. -## Nokia Tools - -THC has developed the [THC NOKIA PHONE-LOCK -RESET](http://thc.org.segfault.net/thc-nokia-unlock/) which unlocks a -locked Nokia phone that has a MMC slot. The unlock is a small program -that the phone automatically loads and runs from the MMC slot when the -phone boots. - ## External links -- [Official Nokia portal](https://www.nokia.com/) -- [Complete Nokia Product History (PDF - 179kb)](http://www.gsmsolutionsltd.com/download/Nokia_Product_History.pdf) -- [Yahoo! – Nokia Corporation Company - Profile](https://finance.yahoo.com/) -- [Nokia Organization Chart](http://www.cogmap.com/chart/nokia) -- [Symbian Freeware for Nokia](http://www.symbianfreeware.org/) - +* [Official website](https://www.nokia.com/) diff --git a/docs/prefetch.md b/docs/prefetch.md index 9d7bcbc86..6bce7b865 100644 --- a/docs/prefetch.md +++ b/docs/prefetch.md @@ -207,7 +207,7 @@ The EnablePrefetcher Registry value can be used to disable prefetch. by logicchild, September 25, 2008 * [De-mystifying Defrag: Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 - Windows XP)](https://www.sans.org/digital-forensics-incident-response/), by Chad Tilbury, August 5, 2009 -* [Windows Prefetch File (old blog entry from 42 LLC)](http://www.swiftforensics.com/2010/04/the-windows-prefetchfile.html), +* [Windows Prefetch File (old blog entry from 42 LLC)](https://www.swiftforensics.com/2010/04/the-windows-prefetchfile.html), by Yogesh Khatri, April 14, 2010 * [Windows PC Accelerators](https://learn.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653317(v=vs.85)) * [Decoding Prefetch Files for Forensic Purposes: Part 1](https://dfinews.com), 
@@ -231,7 +231,7 @@ The EnablePrefetcher Registry value can be used to disable prefetch. by Corey Harrell, December 5, 2012 * [What's New in the Prefetch for Windows 8??](http://www.invoke-ir.com/2013/09/whats-new-in-prefetch-for-windows-8.html), by Jared Atkinson, September 21, 2013 -* [Windows Prefetch (.PF) files](http://www.swiftforensics.com/2013/10/windows-prefetch-pf-files.html?m=1), +* [Windows Prefetch (.PF) files](https://www.swiftforensics.com/2013/10/windows-prefetch-pf-files.html?m=1), by Yogesh Khatri, October 21, 2013 * [Windows Systems and Artifacts in Digital Forensics: Part III: Prefetch Files](https://resources.infosecinstitute.com/topic/windows-systems-artifacts-digital-forensics-part-iii-prefetch-files/), by Ivan Dimov, November 21, 2013 diff --git a/docs/residual_data_on_used_equipment.md b/docs/residual_data_on_used_equipment.md index 2b5669a88..fe67c63ca 100644 --- a/docs/residual_data_on_used_equipment.md +++ b/docs/residual_data_on_used_equipment.md @@ -118,7 +118,7 @@ order. procedures for the THAAD (Terminal High Altitude Area Defence) ground-to-air missile defence system. [Missile data found on hard drives, BBC News, May 7, - 2009](http://news.bbc.co.uk/2/hi/uk_news/wales/8036324.stm) + 2009](http://news.bbc.co.uk/1/hi/wales/8036324.stm) diff --git a/docs/resilient_file_system_(refs).md b/docs/resilient_file_system_(refs).md index 3bbcc5fce..520196e9d 100644 --- a/docs/resilient_file_system_(refs).md +++ b/docs/resilient_file_system_(refs).md 
@@ -12,7 +12,7 @@ Writes by using a "Copy-On-Write" feature. ## External Links * [Resilient File System overview](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831724(v=ws.11)) -* [Resilient File System (ReFS)](https://github.com/libyal/libfsrefs/blob/main/documentation/Resilient%20File%20System%20(ReFS).pdf), +* [Resilient File System (ReFS)](https://github.com/libyal/libfsrefs/blob/main/documentation/Resilient%20File%20System%20(ReFS).asciidoc), by the [libfsrefs project](https://github.com/libyal/libfsrefs), May 2012 * [Forensic Investigation of Microsoft's Resilient File System (ReFS)](http://resilientfilesystem.co.uk), by Andrew Head, April 2015 diff --git a/docs/thumbs.db.md b/docs/thumbs.db.md index 72f51fb1e..90497cef5 100644 --- a/docs/thumbs.db.md +++ b/docs/thumbs.db.md @@ -63,7 +63,7 @@ same as Windows 7 thumbs.db. - [Windows thumbnail cache (thumbs.db)](http://thumbnailexpert.com/en/formats/windows-thumbnail-cache/) - [Windows 7 generated - Thumbs.db](http://www.swiftforensics.com/2012/07/windows-7-generated-thumbsdb.html) + Thumbs.db](https://www.swiftforensics.com/2012/07/windows-7-generated-thumbsdb.html) - [Windows 8 Thumbs.db - files](http://www.swiftforensics.com/2014/04/windows-8-thumbsdb-files-still-same-and.html) + files](https://www.swiftforensics.com/2014/04/windows-8-thumbsdb-files-still-same-and.html) diff --git a/docs/timeline_analysis.md b/docs/timeline_analysis.md index cabe8b28b..831a25e0a 100644 --- a/docs/timeline_analysis.md +++ b/docs/timeline_analysis.md 
@@ -80,7 +80,7 @@ tags: by Steven A. Morris2, G. Yen, Zheng Wu, Benyam Asnake , School of Electrical and Computer Engineering, Oklahoma State University, Stillwater, Oklahoma. 2003 -* [Visualizing gaps in time-based lists](http://well-formed-data.net/archives/26/visualizing-gaps-in-time-based-lists), +* [Visualizing gaps in time-based lists](https://well-formed-data.net/archives/26/visualizing-gaps-in-time-based-lists), by Moritz Stefaner, November 6, 2000 ## Tools diff --git a/docs/tools_file_analysis.md b/docs/tools_file_analysis.md index e440e7de4..a07d35afd 100644 --- a/docs/tools_file_analysis.md +++ b/docs/tools_file_analysis.md @@ -28,20 +28,14 @@ The file command determines the file type of a given file, depending on its contents and not on e.g. its extension or filename. In order to do that, it uses a magic configuration file that identifies filetypes. - - [ldd](https://linux.die.net/man/1/ldd) List dynamic dependencies of executable files. - - [truss](https://docs.oracle.com/cd/E88353_01/html/E37839/truss-1.html) Solaris tool used to trace the system/library calls (not user calls) and signals made/received by a new or existing process. It sends the output to stderr. - - [PDF Miner](https://www.unixuser.org/~euske/python/pdfminer/index.html) "...suite of programs that aims to help analyzing text data from PDF documents. It includes a PDF parser, a PDF renderer (though only 
@@ -52,118 +46,75 @@ such as font size or font name, which could be useful for analyzing the document. It also infers text running within a page by using clustering technique." - - [ltrace](https://linux.die.net/man/1/ltrace) Library call tracer. - - [strace](https://sourceforge.net/projects/strace/) System Call Tracer. - - [xtrace](https://sourceforge.net/projects/xtrace/) eXtended trace utility, similar to strace, ptrace, truss, but with extended functionality and unique features, such as dumping function calls (dynamically or statically linked), dumping call stack and more. - - [ktrace](http://www.openbsd.org/cgi-bin/man.cgi?query=ktrace&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html) Enables kernel process tracing on OpenBSD. - - [Valgrind](https://valgrind.org/) Executes a program under emulation, performing analysis according to one of the many plug-in modules as desired. You can write your own plug-in module as desired. - - [DTrace](https://www.oracle.com/it-infrastructure/) Comprehensive dynamic tracing framework for Solaris (also ported to MacOS X - XRays and FreeBSD). DTrace provides a powerful infrastructure to permit investigation of the behavior of the operating system and user programs. - - [strings](strings.md) Strings will print the strings of printable characters in files. It allows choosing different charactersets (ASCII, UNICODE). It is a quick way to browse through files/partitions/... in order to look for words, filenames, keywords etc. - - The [Open Computer Forensics Architecture](open_computer_forensics_architecture.md) - - [Rifiuti](https://www.mcafee.com/) Examines the INFO2 file in the Recycle Bin. - - [Pasco](https://www.mcafee.com/) Parses *index.dat* files. - - [Galleta](https://www.mcafee.com/) Parses cookie files. 
- - [dumpster_dive.pl](https://jafat.sourceforge.net/files.html) MS Windows Recycle Bin INFO2 parser - - [cookie_cruncher.pl](https://jafat.sourceforge.net/files.html) MS IE cookie file parser - - [yim2text](http://www.1vs0.com/tools.html) Extracts the 'encrypted' info in Yahoo Instant Messenger log files. - - [Hachoir](hachoir.md) Determines the file type using file header/footer (hachoir-metadata --type), able to list strings in Unicode (hachoir-grep), etc. Support more than 60 file formats. - - [Cygwin](cygwin.md) Linux like environment for Windows. - - [UnxUtils](https://unxutils.sourceforge.net/) Common unix utilities compiled for a Windows environment. - - [GnuWin32](https://gnuwin32.sourceforge.net/) Common GNU utilities compiled for a Windows Environment. - - -[GetHashes.sh](https://bitbucket.org/stewdebaker/unix-hashing-script) - -Utility to hash all files in a folder. Useful for hashing gathered -forensic data for proof-of-integrity. - ## File Sharing Analysis Tools [P2P Marshal](p2pmarshal.md) diff --git a/docs/tools_network_forensics.md b/docs/tools_network_forensics.md index e09057f91..b409bafd2 100644 --- a/docs/tools_network_forensics.md +++ b/docs/tools_network_forensics.md @@ -7,14 +7,10 @@ tags: [E-Detective](https://www.edecision4u.com/) - - [Burst](http://www.burstmedia.com/release/advertisers/geo_faq.htm) Expensive [IP geolocation](ip_geolocation.md) service. - - [CapAnalysis](https://www.capanalysis.net/ca/) **Open Source** web visual tool for information security specialists, 
@@ -28,30 +24,20 @@ connections. [Demo](https://pcap.capanalysis.net/) - - [chkrootkit](http://www.chkrootkit.org) - - [cryptcat](https://farm9.org/Cryptcat/) - - [Enterasys Dragon](https://www.extremenetworks.com/) Instrusion Detection System, includes session reconstruction. - - [MNIS Collector](https://www.mantaro.com) MNIS Collector is an IPFIX collector which also supports legacy Netflow. It was designed to be used with the MNIS Exporter, which is a Deep Packet Inspection probe that can be used to decode 300+ protocols on up to 20 Gbps and report the information in IPFIX. - - [Mantaro Network Intelligence Solutions (mnis)](https://www.mantaro.com) MNIS is a comprehensive and scalable network intelligence platform for 
@@ -60,93 +46,18 @@ speed Deep Packet Inspection and metadata alerting. It can be used to understand network events before and after an event. It scales from LAN environments to 20 Gbps service provider networks. - - [MaxMind](https://www.maxmind.com/en/home) [IP geolocation](ip_geolocation.md) services and data provider for offline geotagging. Free GeoLite country database. Programmable APIs. - - [netcat](netcat.md) - - [SiLK](https://tools.netsa.cert.org/silk/index.html) - - -[NetDetector](http://www.niksun.com/product.php?id=4) - -NetDetector is a full-featured appliance for network security -surveillance, signature-based anomaly detection, analytics and -forensics. It complements existing network security tools, such as -firewalls, intrusion detection/prevention systems and switches/routers, -to help provide comprehensive defense of hosted intellectual property, -mission-critical network services and infrastructure - - - [Netstat](netstat.md) - - -[NetVCR](http://www.niksun.com/product.php?id=3) - -NetVCR delivers comprehensive real-time network, service and application -performance management. It is an integrated, single-point solution that -decisively replaces multiple network performance monitoring and -troubleshooting systems. NetVCR’s scalable architecture easily adapts to -data centers, core networks, remote branches or central offices for LAN -and WAN requirements - - - -[NIKSUN Full Function Appliance](http://www.niksun.com/product.php?id=11) - -NIKSUN’s Full-Function Appliance combines the value of both NetDetector -and NetVCR for complete network performance and security surveillance. -This plug-and-play appliance offers customers a complete range of -network security and performance monitoring solutions that identify, -capture and analyze the root-cause of any security or network incident -the first time! 
The unique enterprise-wide network visibility provided -by this product is extremely attractive to large enterprises requiring -an integrated and proactive solution to combat the constant barrage of -security and network incidents such as worms, viruses, Trojan-horse -attacks, Denial of Service (DoS) attacks, outages, overload and service -slowdown, etc. - - - -[NetOmni](http://www.niksun.com/product.php?id=1) - -NetOmni provides global visibility across the network so IT -professionals can manage multiple products and vendors from one central -location. NetOmni streamlines the network management process in a manner -conducive to a “best-practices” model that ensures Service Level -Agreements (SLA), Quality of Services (QoS) and maximum revenue -opportunities. - - - -[NISUN Puma Portable](http://www.niksun.com/product.php?id=15) - -NIKSUN's Puma, a portable network monitoring appliance, allows customers -to leverage the state-of-the-art network performance, security and -compliance monitoring technology as a robust luggable appliance that can -be conveniently used in the field. Deployed in a few short steps, Puma -offers with exceptional functionality of NIKSUN's renowned performance -and security monitoring technology within minutes to field personnel. -Puma, is now capable of monitoring networks at 10G speeds. The -incorporation of real-time 10G monitoring to the Puma feature-set -enhances the already excellent value that Puma provides to customers, -making it the go-to portable monitoring and forensics tool for network -professionals - - - [NetSleuth](http://www.netgrab.co.uk/) NetSleuth is a free network analysis tool released under the GPL. @@ -155,8 +66,6 @@ designed for post event incident response and network forensics. It also supports a live sniffing mode, silently identifying and fingerprinting devices without needing to send any traffic onto a network. - - NetworkMiner NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. 
@@ -179,8 +88,6 @@ tool](https://sourceforge.net/projects/networkminer/) and as a [commercial network forensics tool](https://www.netresec.com/?page=NetworkMiner). - - [pcap2wav](https://pcap2wav.xplico.org/) VoIP/RTP decoder. pcap2wav is part (a sub-project) of @@ -188,60 +95,36 @@ VoIP/RTP decoder. pcap2wav is part (a sub-project) of audio codecs: G711ulaw, G711alaw, G722, G729, G723, G726 and MSRTA (x-msrta: Real Time Audio). - - [rkhunter](https://rkhunter.sourceforge.net/) - - [ngrep](ngrep.md) - - [nslookup](https://en.wikipedia.org/wiki/Nslookup) Name Server Lookup command line tool used to find IP address from domain name. - - [Sguil](http://bammv.github.io/sguil/index.html) - - [Snort](snort.md) - - [ssldump](https://ssldump.sourceforge.net/) - - [tcpdump](tcpdump.md) - - [tcpxtract](tcpxtract.md) - - [tcpflow](tcpflow.md) - - [truewitness](http://www.nature-soft.com/forensic.html) Linux/open-source. Based in India. - - [OmniPeek](omnipeek.md) by [WildPackets](wildpackets.md) OmniPeek is a network forensics tool used to capture, store, and analyze historical network traffic. - - [Whois](https://en.wikipedia.org/wiki/WHOIS) Web service and command line tool to look up registry information for internet @@ -250,8 +133,6 @@ domain. [Bulk WHOIS data request](http://www.arin.net/registration/agreements/bulkwhois.pdf) from ARIN - - [IP Regional Registries](http://www.arin.net/community/rirs.html) [American Registry for Internet Numbers (ARIN)](http://www.arin.net/index.shtml) 
@@ -264,28 +145,20 @@ from ARIN [RIPE Network Coordination Centre (RIPE NCC)](https://www.ripe.net/) - - [Wireshark](wireshark.md) / Ethereal Open Source protocol analyzer previously known as ethereal. - - [Kismet](kismet.md) Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. - - [kisMAC](kismac.md) KisMAC is an open-source and free sniffer/scanner application for Mac OS X. - - [Xplico](xplico.md) Open Source Network Forensic Analysis Tool (NFAT). Protocols supported: @@ -294,8 +167,6 @@ HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ... VoIP sniffer and decoder. Audio codec supported: G711ulaw, G711alaw, G722, G729, G723, G726 and MSRTA - - [Expert Team - 3i System](http://expert-team.net/home/) Expert Team 3i System provides real-time data traffic reconstruction @@ -306,8 +177,6 @@ HTTP (Web URL and Content, Web Video, Web File Upload and Download, Email - POP3, IMAP, SMTP, Webmail, Social Networking Sites, FTP File Upload and Download, Instant Messaging, VoIP etc.... - - [fmadio 10G Packet Capture](https://www.fmad.io/) Cost effective full line rate 10G packet capture to disk appliance. diff --git a/docs/turpinmckee895.md b/docs/turpinmckee895.md deleted file mode 100644 index 31b5a5025..000000000 --- a/docs/turpinmckee895.md +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -tags: - - Articles that need to be expanded ---- -`If we are a business proprietor with no online awareness, social media marketing course, or look engine presence, you're quickly losing business to your competitors. With `[`SMART LINK SERVICE`](https://implementseo.com/)`, you are able to get a step before your associates through online business today. ` - -Acquire Your Company into the 21st Century Forrester Analysis states -that the amount of time people invest online has increased by 121 -percent in the past five many years. In 2011, it is certainly not enough -to passively have a website; the internet grows in magnitude as well as -luxury every hour. According to eMarketer Online Mind, online sales -development is probably to achieve double digits year over year this -holiday season. This means an exponential increase in the quantity of -websites advertising similar items to yours, and the amount of -individuals that look for your products daily. At [Implement SEO -Services](https://implementseo.com/), we are determined to help and also -your company up-to-date and competitive with your rivals. Submit the -short form to the left for a consultation with one your specialists. Our -team of look motor optimization professionals may design and also -implement a specific strategy to meet with the individual requirements -of your company. At Implement SEO - Smart Link Service, you'll never be -just a dollar sign; each customer has a designated SEO specialist who -functions with him man-to-man. Needless to say we understand which no -two websites or situations tend to be the same and tend to be pleased to -consult you about the individual needs and just how to attain a high -ranking for the website. \ No newline at end of file diff --git a/docs/usb_history_viewing.md b/docs/usb_history_viewing.md index adeeb1cc2..0634fcb20 100644 --- a/docs/usb_history_viewing.md +++ b/docs/usb_history_viewing.md 
@@ -161,7 +161,7 @@ and VBR data. ## Resources -- [New Device Timestamps](http://www.swiftforensics.com/2013/11/windows-8-new-registry-artifacts-part-1.html) +- [New Device Timestamps](https://www.swiftforensics.com/2013/11/windows-8-new-registry-artifacts-part-1.html) ## External Links diff --git a/docs/websites.md b/docs/websites.md index fc3e1c5ad..26f775f16 100644 --- a/docs/websites.md +++ b/docs/websites.md @@ -11,28 +11,20 @@ related topics. Presentations, links, references - - [Certfied Computer Examiner Website](https://www.isfce.com/) Open certification process for digital forensics. - - [Computer Forensics and Investigations](http://computer-forensics-lab.org/) Computer Forensics articles, and website of Igor Michailov - - [Computer Forensics Tool Catalog](https://toolcatalog.nist.gov/) The Computer Forensics Tool Catalog provides an easily searchable catalog of forensic tools to enable practitioners to find tools that meet their specific technical needs. - - [Computer Forensics Tool Testing (CFTT) project](https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt) The Computer Forensic Tool Testing (CFTT) project establishes 
@@ -40,76 +32,54 @@ methodologies for testing computer forensic tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware. - - [Computer Forensics World](https://www.computerforensicsworld.com/) Website with online discussion forums relating to computer forensics. - - [Cyberspeak podcast](cyberspeak_podcast.md) [Cyberspeak Podcast](https://cyberspeak.libsyn.com/) Computer forensics, network security, and computer crime podcast. - - [Digital Forensics Discussion Forum](http://www.multimediaforensics.com/) A forum for the discussion of computer and digital forensics examinations, certified and non-certified investigators welcome - - [Digital Forensic Research Workshop (DFRWS)](https://dfrws.org/) Open forum for research in digital forensic issues, hosting annual meeting and annual forensics challenge. - - [E-Evidence Information Centre](http://www.e-evidence.info/) An online digital forensics bibliography, updated monthly - - [eForensics Magazine](eforensics_magazine.md) [eForensics Magazine website](https://eforensicsmag.com/) Magazine, blog, online courses, community. - - FCCU GNU/Linux Forensic Boot CD [Belgian Computer Forensic Website](http://www.lnx4n6.be/) Belgian Computer Forensic Website - Forensic Boot CD - Linux - - [Forensic Focus](https://forensicfocus.com/) News, blog, forums, and other resources for folks engaged in or interested in digital forensics. - - [International Association of Computer Investigative Specialists](https://iacis.info/) Volunteer non-profit corporation composed of law enforcement professionals. - - [MySecured.com](http://www.marwan.com) Mobile phone forensics, cellphone related investigation and data analysis site. - - [NIST: Secure Hashing](https://csrc.nist.gov/projects/hash-functions) The Computer Security Division's (CSD) Security Technology Group (STG) 
@@ -117,23 +87,19 @@ is involved in the development, maintenance, and promotion of a number of standards and guidance that cover a wide range of cryptographic technology. - - [National Software Reference Library (NSRL)](https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl) The National Software Reference Library (NSRL) collects software from various sources and incorporates file profiles computed from this software into a Reference Data Set (RDS) of information. - - [University of Rhode Island Digital Forensics Center](https://web.uri.edu/cs/dfcsc/) Computer Forensics Lab Resource Site. # Non-Digital Forensics -[NIST Image Group](https://fingerprint.nist.gov/) +[NIST Image Group](https://www.nist.gov/programs-projects/fingerprint) Many reports, including the [NIST](nist.md) report on [AFIS](afis.md) fingerprint testing. diff --git a/docs/windows.md b/docs/windows.md index 125df2745..bd03fcc03 100644 --- a/docs/windows.md +++ b/docs/windows.md @@ -428,9 +428,9 @@ value: by Eric Huber, February 24, 2013 * [Spotting the Adversary with Windows Event Log Monitoring](http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf), by National Security Agency/Central Security Service, February 28, 2013 -* [Search history on Windows 8 and 8.1](http://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html), +* [Search history on Windows 8 and 8.1](https://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html), by Yogesh Khatri, April 1, 2014 -* [Search history on windows 8.1 - Part 2](http://www.swiftforensics.com/2014/04/search-history-on-windows-81-part-2.html), +* [Search history on windows 8.1 - Part 2](https://www.swiftforensics.com/2014/04/search-history-on-windows-81-part-2.html), by Yogesh Khatri, April 21, 2014 * [Estoteric Hooks](http://www.alex-ionescu.com/Estoteric%20Hooks.pdf) by Alex Ionescu, February 16, 2016 
@@ -457,7 +457,7 @@ value: ### Tracking removable media -* [Tracking USB First insertion in Event logs](http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html), +* [Tracking USB First insertion in Event logs](https://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html), by Yogesh Khatri, August 18, 2012 ### Under the hood diff --git a/docs/windows_10.md b/docs/windows_10.md index ae5dcc559..fd72f3f2b 100644 --- a/docs/windows_10.md +++ b/docs/windows_10.md @@ -27,7 +27,7 @@ compression](compression.md). by [Eric Zimmerman](eric_zimmerman.md), April 22, 2015 - [Windows 10 Forensics: OS Evidentiary Artefacts](https://www.slideshare.net/bsmuir/windows-10-forensics-os-evidentiary-artefacts) by Brent Muir, July 25, 2015 -- [Parsing the Windows 10 Notification database](http://www.swiftforensics.com/2016/06/prasing-windows-10-notification-database.html), +- [Parsing the Windows 10 Notification database](https://www.swiftforensics.com/2016/06/prasing-windows-10-notification-database.html), by Yogesh Khatri, June 3, 2016 ### Tools diff --git a/docs/windows_registry.md b/docs/windows_registry.md index e27870588..6f8339d6c 100644 --- a/docs/windows_registry.md +++ b/docs/windows_registry.md @@ -1284,9 +1284,6 @@ name

### Commercial -* [cafae](http://tzworks.net/prototype_page.php?proto_id=19) - - Computer Account Forensic Artifact Extractor. Free tool that can be - run on Windows, Linux or Mac OS-X to parse ntuser.dat hives. * [Regisry Manager](http://www.stellarinfo.com/windows-tools/registry-cleaner.php) * [Abexo Free Regisry Cleaner](http://www.abexo.com/free-registry-cleaner.htm) * [Auslogics Registry Defrag](https://www.auslogics.com/en/software/registry-defrag/) diff --git a/docs/windows_restore_points.md b/docs/windows_restore_points.md index 5f94b839d..58fc9ace1 100644 --- a/docs/windows_restore_points.md +++ b/docs/windows_restore_points.md @@ -31,7 +31,7 @@ A Restore Point data sub directory contains: by [Harlan Carvey](harlan_carvey.md), October 20, 2006 * [Restore Point Analysis](https://windowsir.blogspot.com/2007/06/restore-point-analysis.html), by [Harlan Carvey](harlan_carvey.md), June 16, 2007 -* [Enscript Tutorial 1 - Parse XP System Restore Logs](http://www.swiftforensics.com/2012/03/enscript-tutorial-1-parse-xp-system.html), +* [Enscript Tutorial 1 - Parse XP System Restore Logs](https://www.swiftforensics.com/2012/03/enscript-tutorial-1-parse-xp-system.html), by Yogesh Khatri, March 2, 2012 * [The Windows Restore Point formats](https://github.com/libyal/dtformats/blob/main/documentation/Restore%20point%20formats.asciidoc), by [Joachim Metz](joachim_metz.md), April 2015 diff --git a/docs/windows_xml_event_log_(evtx).md b/docs/windows_xml_event_log_(evtx).md index 10c9b48f6..c85f0556a 100644 --- a/docs/windows_xml_event_log_(evtx).md +++ b/docs/windows_xml_event_log_(evtx).md @@ -54,7 +54,7 @@ Where LCID is the "locale identifier" ### Windows Vista/2008 -* [Description of security events in Windows Vista and in Windows Server 2008](http://support.microsoft.com/kb/947226) +* [Description of security events in Windows Vista and in Windows Server 2008](https://mskb.pkisolutions.com/kb/947226) ### Windows 7
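Review bot: the GetHashes.sh entry and its description (hashing every file in a folder for proof-of-integrity) are deleted outright in the tools_file_analysis.md hunk at @@ -52,118; if only the bitbucket URL is dead, keep the entry as plain text or as an internal link, the way the same list already does for [strings](strings.md) and [Hachoir](hachoir.md), so the tool stays discoverable. In the same hunk the retained Rifiuti, Pasco and Galleta entries all point at https://www.mcafee.com/, a vendor home page rather than the tools themselves, which is exactly the kind of dead reference this change sets out to remove; either unlink those names or point them at a location that still hosts the tools.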
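Review bot: the retained context line in the tools_network_forensics.md hunk at @@ -28,30 reads "Instrusion Detection System"; fix the spelling to "Intrusion" while this list is being touched. The Enterasys Dragon and MNIS Collector entries in the same hunk link to vendor root pages (https://www.extremenetworks.com/, https://www.mantaro.com) rather than product pages, so they are effectively dead references as well and deserve the same treatment as the removed NIKSUN product links.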
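Review bot: the hunk at @@ -60,93 in tools_network_forensics.md removes the NetDetector, NetVCR, Full Function Appliance, NetOmni and Puma entries together with their marketing prose; dropping the prose is fine, but the product names were the only record on this page that these NIKSUN appliances exist, so consider keeping a one-line entry per product without the dead product.php URL. The remaining context also keeps http://www.netgrab.co.uk/ for NetSleuth while the rest of the patch upgrades links to https; check whether that target still resolves before leaving it as is.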
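Review bot: the ARIN links left as context in the tools_network_forensics.md hunk at @@ -250,8 (http://www.arin.net/registration/agreements/bulkwhois.pdf, http://www.arin.net/community/rirs.html, http://www.arin.net/index.shtml) stay on http:// while this patch upgrades the swiftforensics.com references to https://; apply the same upgrade here after confirming the targets still resolve, so the reference list does not mix plaintext and TLS links to the same class of source.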
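Review bot: in the websites.md hunk at @@ -40,76 the context entry [MySecured.com](http://www.marwan.com) has link text that does not match its URL; either align the text with the target or drop the entry, since a mismatched pointer in a link list is the same kind of stale reference this change is cleaning up. The earlier hunk at @@ -11,28 also keeps the spelling "Certfied Computer Examiner"; correct it to "Certified" in the same pass.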
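Review bot: deleting docs/turpinmckee895.md is the right call, since the file is SEO spam rather than a forensics article and its only link points at implementseo.com; before merging, check that no other page still links to turpinmckee895.md so the removal leaves no dangling internal reference, and that the "Articles that need to be expanded" tag listing is generated rather than maintained by hand.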
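Review bot: the windows_registry.md hunk at @@ -1284,9 deletes the cafae entry together with its description (parses ntuser.dat hives on Windows, Linux and Mac OS X); if only the prototype_page.php URL is dead, keep the description and link to the tzworks.net site root so the tool stays listed. The two retained context lines "Regisry Manager" and "Abexo Free Regisry Cleaner" misspell "Registry"; fix both while this block is being edited.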
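Review bot: the replacement link in the windows_xml_event_log_(evtx).md hunk at @@ -54,7 points KB 947226 at a third-party mirror (mskb.pkisolutions.com) instead of a Microsoft domain; say so in the link text (for example "mirror of Microsoft KB 947226") so readers know the content is not served by the original publisher and can locate the canonical article, and prefer an archived capture of the original support.microsoft.com URL if one exists. On the same theme, the windows.md hunk at @@ -428,9 leaves the NSA "Spotting the Adversary" reference on http://www.nsa.gov/ia/_files/... while upgrading its neighbours to https; confirm that URL still resolves.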