From a57b92e7f5ddb61374417b15bf8eb246c63b8186 Mon Sep 17 00:00:00 2001 From: Joachim Metz Date: Wed, 27 Dec 2023 08:19:43 +0100 Subject: [PATCH] cleanup_wip --- ...demic_forensics_programs_graduate_level.md | 11 +- docs/android.md | 2 +- docs/apple_iphone.md | 2 +- docs/apple_safari.md | 15 +- docs/blackberry_forensics.md | 22 +- docs/caselaw.md | 8 - docs/cell_phone_forensics_research.md | 8 +- docs/computer_forensics.md | 2 +- ...crime_and_intellectual_property_section.md | 2 +- docs/forensic_accounting.md | 1 - docs/forensic_corpora.md | 158 +++++------ docs/ftimes.md | 2 +- docs/full_disk_encryption.md | 13 +- docs/insider_threat_research.md | 6 +- docs/ip_geolocation.md | 16 +- docs/jtag_and_chip-off_tools_and_equipment.md | 256 +++++++++--------- docs/legal_issues.md | 15 +- docs/mac_os_x.md | 1 - docs/machine_translation.md | 4 +- docs/malware.md | 2 - docs/malware_analysis.md | 2 - docs/mandiant.md | 36 ++- docs/matriux.md | 2 +- docs/memory_analysis.md | 2 +- docs/microcode.md | 8 +- docs/past_selected_articles.md | 2 +- docs/sanitization_standards.md | 8 +- docs/sim_card_forensics.md | 6 +- docs/tcpflow.md | 4 - docs/training_courses_and_providers.md | 6 +- docs/ufs_tornado.md | 9 +- docs/vendors.md | 2 +- docs/vnconfig.md | 1 - docs/websites.md | 5 - docs/windows.md | 11 +- docs/windows_xml_event_log_(evtx).md | 2 +- docs/winfe.md | 20 +- docs/wmi.md | 5 - docs/write_blockers.md | 18 +- 39 files changed, 294 insertions(+), 401 deletions(-) diff --git a/docs/academic_forensics_programs_graduate_level.md b/docs/academic_forensics_programs_graduate_level.md index 6287d80b2..d5d400093 100644 --- a/docs/academic_forensics_programs_graduate_level.md +++ b/docs/academic_forensics_programs_graduate_level.md 
@@ -32,7 +32,6 @@ tags: * [University of Rhode Island](https://web.uri.edu/cs/dfcsc/) * University of Texas at San Antonio * Utica College - [Online](http://www.onlineuticacollege.com/programs/computer-forensics-specialization.asp)\] * [Center for Information Security University of Tulsa](http://www.cis.utulsa.edu/) * [West Virginia University](https://forensics.wvu.edu/) @@ -40,20 +39,20 @@ tags: * Cranfield University, UK * Limerick Institute of Technology -* [University of Amsterdam](http://www.studeren.uva.nl/ma-forensic-science) +* University of Amsterdam * University of Bradford * University of East London * University College Dublin * [University of Technology, Mauritius](https://www.utm.ac.mu/) -* [University of Strathclyde](http://www.strath.ac.uk/science/forensicinformatics/) +* University of Strathclyde * University of Glamorgan, Wales, UK -* [University of Applied Sciences Albstadt-Sigmaringen, Germany](http://www.digitaleforensik.com), +* University of Applied Sciences Albstadt-Sigmaringen, Germany Master of Science, Digital Forensics, in cooperation with University of Mannheim and University of Tübingen, Germany ## Asia -* [Zayed University UAE](http://www.zu.ac.ae/main/en/colleges/colleges/college_information_technology/graduate_certificate_programs/cr_invest/intro.aspx) +* Zayed University UAE ## Australasia @@ -67,5 +66,3 @@ tags: * [American Academy of Forensic Sciences (AAFS)](https://www.aafs.org/) * [Digital Forensics Association List](http://www.digitalforensicsassociation.org/formal-education/) -* [Forensics Focus List](https://forensicfocus.com/computer-forensics-education-directory) -* [Master's Thesis: The Development of a Standard Digital Forensics Master's Curriculum](https://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=1010&context=techmasters&sei-redir=1#search=%22katie%20strzempka%20thesis%22) diff --git a/docs/android.md b/docs/android.md index 8567bba2a..24c8f28fe 100644 --- a/docs/android.md +++ b/docs/android.md 
@@ -53,5 +53,5 @@ tags: - [Android developers: SDK Platform release notes](https://developer.android.com/tools/releases/platforms) - [Android File Hierarchy : System Structure Architecture Layout](https://www.cnblogs.com/shangdawei/p/4513604.html) - [Explore The Android File System Hierarchy In-Depth](https://thesecmaster.com/explore-the-android-file-system-hierarchy-in-depth/) -- [Practical android phone forensics](https://resources.infosecinstitute.com/topic/practical-android-phone-forensics/), +- [Practical android phone forensics](https://resources.infosecinstitute.com/topics/digital-forensics/practical-android-phone-forensics/), by Hashim Shaikh, July 21, 2017 diff --git a/docs/apple_iphone.md b/docs/apple_iphone.md index d53064649..b703ab63c 100644 --- a/docs/apple_iphone.md +++ b/docs/apple_iphone.md @@ -23,7 +23,7 @@ Store does not allow in any application it distributes). by [Belkasoft](belkasoft.md) can make iPhone logical acquisition and analyze iOS backups and dumps. * Cellebrite BlackBag Technology Mobilyze -* [Cellebrite UFED](https://www.cellebrite.com/forensic-solutions/ios-forensics.html) +* [Cellebrite UFED](cellebrite_ufed.md) * [Elcomsoft Mobile Forensic Bundle](https://www.elcomsoft.com/emfb.html) performs physical, logical and over-the-air acquisition. * EnCase Neutrino diff --git a/docs/apple_safari.md b/docs/apple_safari.md index 0ce0e1872..999266bd1 100644 --- a/docs/apple_safari.md +++ b/docs/apple_safari.md 
@@ -69,22 +69,17 @@ named **LastSession.plist** in the user directory. The Safari cache is stored in **Cache.db** in the cache directory. -This file uses the [SQLite database -format](sqlite_database_format.md). +This file uses the [SQLite database format](sqlite_database_format.md). ## External Links -- [Official website](https://www.apple.com/macos/ventura/) -- [Safari Cache - Revisited](http://www.appleexaminer.com) +* [Safari Cache Revisited](http://www.appleexaminer.com) by Sean Cavanaugh -- [Analyzing Apple Safari - Artifacts](http://www.appleexaminer.com), +* [Analyzing Apple Safari Artifacts](http://www.appleexaminer.com), by Selena Ley -- [iOS / macOS - Tracking Downloads from Safari Without Downloads](https://blog.d204n6.com/2021/05/ios-macos-tracking-downloads-from.html) +* [iOS / macOS - Tracking Downloads from Safari Without Downloads](https://blog.d204n6.com/2021/05/ios-macos-tracking-downloads-from.html) by Scott Vance, Friday, 28 May 2021 ## Tools -- [J.A.F.A.T. Archive of Forensics Analysis - Tools](https://jafat.sourceforge.net/) home of Safari Forensic Tools (SFT) +* [J.A.F.A.T. Archive of Forensics Analysis Tools](https://jafat.sourceforge.net/) home of Safari Forensic Tools (SFT) diff --git a/docs/blackberry_forensics.md b/docs/blackberry_forensics.md index f6900d576..45f0d0486 100644 --- a/docs/blackberry_forensics.md +++ b/docs/blackberry_forensics.md 
@@ -90,24 +90,17 @@ export and click "OK" 5. Select your output type from the bottom list of selections and click "Save As..." -## Blackberry IPD File Format (.ipd) - -For a more advanced and in depth look at the file format of (.ipd) -backup files visit the following site. - - - ## Blackberry BBB File Format (Mac OS X) (.bbb) Blackberry backups generated via Mac OS X are given the extension .bbb, these are simply .zip compressed files containing a standard .ipd file. -## Acquisition with Paraben's Device Seizure +## Acquisition with Paraben Device Seizure -`* You may purchase a copy of Device Seizure on Paraben's Website `[`here`](https://paraben.com/paraben-for-mobile-forensics/)`.` +More information on [Paraben Device Seizure](paraben_device_seizure.md) As an alternative to acquiring the Blackberry through Amber Blackberry -Converter, Paraben's Device Seizure is a simple and effective method to +Converter, Paraben Device Seizure is a simple and effective method to acquire the data. The only drawback, is that this method takes significantly more time to acquire than using Amber Blackberry Converter. @@ -136,7 +129,7 @@ Now wait until the program is done acquiring data from the device. Please Note: In some instances the wait can be up to 30-45 minutes. -## BlackBerry Simulator +## BlackBerry simulator `* For simulating a backup copy of the physical device. This is helpful if the device is low on battery, needs to be turned off, ` `* or you don't want to alter the data on the physical device.` 
@@ -145,8 +138,7 @@ This is a step by step guide to downloading and using a BlackBerry simulator. In this example the version 4.0.2 was used in order to simulate the 7230 series. -1. Select a simulator to download from the drop-down list on the -[BlackBerry website](https://www.blackberry.com/Downloads/entry.do?code=060AD92489947D410D897474079C1477). +1. Download the BlackBerry simulator - For this example look through the list and download BlackBerry Handheld Simulator v4.0.2.51. @@ -200,7 +192,3 @@ transfer across a USB port. ## References - [phoneMiner](https://www.amraksoftware.com/), phoneMiner -- [BlackBerry Simulator](https://www.blackberry.com/Downloads/entry.do?code=060AD92489947D410D897474079C1477), - Simulator Download website -- [IPD](https://www.blackberry.com/us/en), - IPD File Format diff --git a/docs/caselaw.md b/docs/caselaw.md index f6b19e0d0..72d7353e3 100644 --- a/docs/caselaw.md +++ b/docs/caselaw.md 
@@ -92,13 +92,5 @@ for interfering with the discovery process. ## External links - [SETEC Investigations: Case Summaries](http://www.setecinvestigations.com/resources/casesummaries.php) -- [How to Evaluate a Digital Forensic Report – Part 1: A Brief History of Digital Forensics](http://www.lawandforensics.com/evaluate-digital-forensic-report-part-1-4/), - by Daniel B. Garrie, January 31, 2014 -- [How to Evaluate a Digital Forensic Report – Part 2: Daubert](http://www.lawandforensics.com/evaluate-digital-forensic-report-part-2-4/), - by Daniel B. Garrie, February 4, 2014 -- [How to Evaluate a Digital Forensic Report – Part 3: Experts](http://www.lawandforensics.com/evaluate-digital-forensic-report-part-3-4/), - by Daniel B. Garrie, February 10, 2014 -- [How to Evaluate a Digital Forensic Report – Part 4 & Conclusion](http://www.lawandforensics.com/evaluate-digital-forensic-report-part-4-4/), - by Daniel B. Garrie, February 14, 2014 - [The Laptop, Slack Space and Child Pornography](http://cyb3rcrim3.blogspot.com/2015/08/the-laptop-slack-space-and-child.html), by Susan Brenner, August 03, 2015 diff --git a/docs/cell_phone_forensics_research.md b/docs/cell_phone_forensics_research.md index f71e96ac3..0d020c5cd 100644 --- a/docs/cell_phone_forensics_research.md +++ b/docs/cell_phone_forensics_research.md 
@@ -11,7 +11,7 @@ forensics with the right mix of methods, techniques, and tools. [The Future of Mobile Forensics](https://belkasoft.com/future-of-mobile-forensics), Oleg Afonin, Danil Nikolaev, Yuri Gubanov by [Belkasoft](belkasoft.md) Research, June 2015 -[Data Acquisition from Cell Phone using Logical Approach](http://www.waset.org/pwaset/v26/v26-6.pdf), Keonwoo Kim, Dowon Hong, Kyoil Chung, and Jae-Cheol Ryou, PROCEEDINGS OF WORLD ACADEMY OF SCIENCE, ENGINEERING AND TECHNOLOGY VOLUME 26 DECEMBER 2007 ISSN 1307-6884 +[Data Acquisition from Cell Phone using Logical Approach](https://publications.waset.org/7561/data-acquisition-from-cell-phone-using-logical-approach), Keonwoo Kim, Dowon Hong, Kyoil Chung, and Jae-Cheol Ryou, PROCEEDINGS OF WORLD ACADEMY OF SCIENCE, ENGINEERING AND TECHNOLOGY VOLUME 26 DECEMBER 2007 ISSN 1307-6884 This article discusses three approaches for acquiring data from cell phones: physically removing the flash RAM chips and reading them directly; reading the data out using the JTAG interface, and running software on the cell phone to @@ -25,6 +25,6 @@ by James Luck & Mark Stokes, SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL, VOL. ## US Government Publications -[Guidelines on Cell Phone Forensics](https://csrc.nist.gov/publications/detail/sp/800-101/archive/2007-05-30) (NIST SP 800-101), May 2007 -[Cell Phone Forensic Tools: An Overview and Analysis](https://csrc.nist.gov/publications/detail/nistir/7250/final) (NISTIR 7250) -[PDA Forensic Tools: An Overview and Analysis](https://csrc.nist.gov/publications/detail/nistir/7100/final) (NISTIR 7100) +* [Guidelines on Cell Phone Forensics](https://csrc.nist.gov/pubs/sp/800/101/final) (NIST SP 800-101), May 2007 +* [Cell Phone Forensic Tools: An Overview and Analysis](https://csrc.nist.gov/pubs/ir/7250/final) (NISTIR 7250) +* [PDA Forensic Tools: An Overview and Analysis](https://csrc.nist.gov/pubs/ir/7100/final) (NISTIR 7100) 
diff --git a/docs/computer_forensics.md b/docs/computer_forensics.md index 5042602e4..a0a7cda60 100644 --- a/docs/computer_forensics.md +++ b/docs/computer_forensics.md @@ -55,7 +55,7 @@ ethical and a professional responsibility to: Equivalent or other perspectives on forensic profession: -* [Forensic Focus Webinar: Being Your Own Expert Witness](https://www.forensicfocus.com/c/aid=103/webinars/2015/being-your-own-expert-witness/) +* [Forensic Focus Webinar: Being Your Own Expert Witness](https://www.forensicfocus.com/webinars/being-your-own-expert-witness/) ## Terminology diff --git a/docs/department_of_justice_computer_crime_and_intellectual_property_section.md b/docs/department_of_justice_computer_crime_and_intellectual_property_section.md index 70046f9b6..c6ec678ed 100644 --- a/docs/department_of_justice_computer_crime_and_intellectual_property_section.md +++ b/docs/department_of_justice_computer_crime_and_intellectual_property_section.md @@ -45,4 +45,4 @@ protected by copyright, trademark, or trade-secret designation. ## External Links -- [Official website](https://www.justice.gov/criminal-ccips) \ No newline at end of file +- [Official website](https://www.justice.gov/criminal/criminal-ccips) diff --git a/docs/forensic_accounting.md b/docs/forensic_accounting.md index b90d8ae0f..e233db9bd 100644 --- a/docs/forensic_accounting.md +++ b/docs/forensic_accounting.md @@ -64,6 +64,5 @@ the final examination needs to be completed. ## External links -- [Times of India Article on CFAP](https://epaper.timesgroup.com/Repository/ml.asp?Ref=VE9JQkcvMjAwOS8wNS8wNCNBcjAzMjAx) - [CFAP Information Powerpoint](https://www.slideshare.net/indiaforensic/certified-forensic-accounting-professional) - [Certification programs offered by Indiaforensic](https://www.indiaforensic.com/education/) diff --git a/docs/forensic_corpora.md b/docs/forensic_corpora.md index c6fd11aac..8419f6a8f 100644 --- a/docs/forensic_corpora.md +++ b/docs/forensic_corpora.md 
@@ -7,128 +7,120 @@ information that are available for those involved in forensic research. # Disk Images -The Real Data Corpus. +## Real Data Corpus + Between 1998 and 2006, [Garfinkel](simson_garfinkel.md) acquired 1250+ hard drives on the secondary market. These hard drive images have proven invaluable in performing a range of studies such as the -developing of new forensic techniques and the sanitization practices of -computer users. +developing of new forensic techniques and the [sanitization practices](https://simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf) +of computer users. -Garfinkel, S. and Shelat, A., [Remembrance of Data Passed: A Study of Disk Sanitization Practices](https://simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf), -IEEE Security and Privacy, January/February 2003. +## Computer Forensic Reference Data Sets (CFReDS) -The Honeynet Project: Challenges. -In 2001 the Honeynet project distributed a set of disk images and asked -participants to conduct a forensic analysis of a compromised computer. -Entries were judged and posted for all to see. The drive and writeups -are still available online. +The [Computer Forensic Reference Data Sets (CFReDS)](https://cfreds.nist.gov/) +project from [NIST](national_institute_of_standards_and_technology.md) hosts +sample cases that may be useful for examiners to practice with. -[The Honeynet Project: Challenges](https://www.honeynet.org/challenges/) +## Digital Forensics Tool Testing Images -Other challenges were released in 2010 and 2011, and two contained -partial disk images. +Digital Forensics Tool Testing Images can be downloaded from [Sourceforge](https://dftt.sourceforge.net/). 
-* [Challenge 7: Compromised Server](https://www.honeynet.org/challenges/forensic-challenge-7-analysis-of-a-compromised-server/) -* [Challenge 9: Mobile Malware](https://www.honeynet.org/challenges/forensic-challenge-9-mobile-malware/) +## ForensicsKB blog -Honeynet Project Scans of the Month -The Honeynet Project provided network scans in the majority of its Scan -of the Month challenges. Some of the challenges provided disk images -instead. The Sleuth Kit's Wiki lists Brian Carrier's responses to those -challenges. +Lance Mueller has created some disk images; they can be downloaded from his blog: - +* [Practical 1](https://www.forensickb.com/2008/01/forensic-practical.html) +* [Practical 2](https://www.forensickb.com/2008/01/forensic-practical-2.html) +* [Practical 3](https://www.forensickb.com/2010/01/forensic-practical-exercise-3.html) +* [Practical 4](https://www.forensickb.com/2010/06/forensic-practical-exercise-4.html) -The [Computer Forensic Reference Data Sets](https://cfreds.nist.gov/) project from [NIST](national_institute_of_standards_and_technology.md) hosts a few sample cases that may be useful for examiners to practice with: - +## Linux LEO -Digital Forensics Tool Testing Images can be downloaded from Sourceforge - +Barry Grundy created some disk images as parts of a [Linux-based forensics tutorial](https://linuxleo.com/). -Shortinfosec: computer forensics competition - +## Digital Forensic Research Workshop (DFRWS) -In the competition, you will have to analyze a submitted disk image for -incriminating evidence. +The Digital Forensic Research Workshop's rodeos and Challenges. Several of the +rodeos and Challenges from DFRWS released their data and scenario writeups. The +following had disk images as parts of their scenario: -(Note: Unfortunately, when checked in October, 2011, the disk image -seemed unavailable.) 
+* 2005 Rodeo, hosted on [CFReDS](https://cfreds.nist.gov/dfrws/Rhino_Hunt.html) +* 2008 Rodeo +* 2009 Rodeo +* 2009 Challenge +* 2011 Challenge -Lance Mueller has created some disk images; they can be downloaded from his blog - +## The Honeynet Project -Barry Grundy created some disk images as parts of a Linux-based forensics tutorial - +In 2001 the Honeynet project distributed a set of disk images and asked +participants to conduct a forensic analysis of a compromised computer. -The Digital Forensic Research Workshop's Rodeos and Challenges -Several of the Rodeos and Challenges from DFRWS released their data and -scenario writeups. The following had disk images as parts of their -scenario: +[The Honeynet Project: Challenges](https://www.honeynet.org/challenges/) + +## Honeynet Project: Scans of the Month + +The Honeynet Project provided network scans in the majority of its Scan of the +Month challenges. Some of the challenges provided disk images instead. The +Sleuth Kit's Wiki lists Brian Carrier's responses to those challenges. -- 2005 Rodeo, hosted on [CFReDS](https://cfreds.nist.gov/dfrws/Rhino_Hunt.html) -- 2008 Rodeo -- 2009 Rodeo -- 2009 Challenge -- 2011 Challenge +[Case Studies - Honeynet Challenges](https://wiki.sleuthkit.org/index.php?title=Case_Studies) -# Memory Images +## BelkaCTF -The [Volatility](https://www.volatilesystems.com/default/volatility) FAQ -provides a listing of openly-available [memory images](https://code.google.com/p/volatility/wiki/FAQ#Are_there_any_public_memory_samples_available_that_I_can_use_for). +[BelkaCTF](https://belkasoft.com/ctf) # Network Packets and Traces -## DARPA ID Eval +## DARPA Intrusion Detection Evaluation -*The DARPA Intrusion Detection Evaluation.* In 1998, 1999 and 2000 the -Information Systems Technology Group at MIT Lincoln Laboratory created a -test network complete with simulated servers, clients, clerical workers, -programmers, and system managers. Baseline traffic was collected. 
The -systems on the network were then “attacked” by simulated hackers. Some -of the attacks were well-known at the time, while others were developed -for the purpose of the evaluation. +In 1998, 1999 and 2000 the Information Systems Technology Group at MIT Lincoln +Laboratory created a test network complete with simulated servers, clients, +clerical workers, programmers, and system managers. Baseline traffic was +collected. The systems on the network were then “attacked” by simulated +hackers. Some of the attacks were well-known at the time, while others were +developed for the purpose of the evaluation. -- [1998 DARPA Intrusion Detection Evaluation](https://www.ll.mit.edu/r-d/datasets/1998-darpa-intrusion-detection-evaluation-dataset) -- [1999 DARPA Intrusion Detection Evaluation](https://www.ll.mit.edu/r-d/datasets/1999-darpa-intrusion-detection-evaluation-dataset) -- [2000 DARPA Intrusion Detection Scenario Specific](https://www.ll.mit.edu/r-d/datasets/2000-darpa-intrusion-detection-scenario-specific-datasets) +* [1998 DARPA Intrusion Detection Evaluation](https://www.ll.mit.edu/r-d/datasets/1998-darpa-intrusion-detection-evaluation-dataset) +* [1999 DARPA Intrusion Detection Evaluation](https://www.ll.mit.edu/r-d/datasets/1999-darpa-intrusion-detection-evaluation-dataset) +* [2000 DARPA Intrusion Detection Scenario Specific](https://www.ll.mit.edu/r-d/datasets/2000-darpa-intrusion-detection-scenario-specific-datasets) ## Wireshark The open source Wireshark project (formerly known as Ethereal) has a website with many network packet captures: -- +* ## NFS Packets The Storage Networking Industry Association has a set of network file system traces that can be downloaded from: -- +* ## Other Github user "markofu" has aggregated several other network captures into a Git repository. -- +* # Email messages *The Enron Corpus* of email messages that were seized by the Federal Energy Regulatory Commission during its investigation of Enron. 
-- -- +* +* The NIST **TextREtrieval Conference 2007** has released a public Spam corpus: -- +* Email Messages Corpus Parsed from W3C Lists (for TRECENT 2005) -- +* # Text Files 
@@ -189,42 +181,38 @@ of meeting recordings. ## Other Corpora -- Under an NSF grant, Kam Woods and [Simson - Garfinkel](simson_garfinkel.md) created a website for digital - corpora [2](https://digitalcorpora.org/). The site includes a complete - training scenario, including disk images, packet captures and - exercises. +* Under an NSF grant, Kam Woods and [Simson Garfinkel](simson_garfinkel.md) + created a website for [digital corpora](https://digitalcorpora.org/). The + site includes a complete training scenario, including disk images, packet + captures and exercises. -- The [Canterbury Corpus](https://corpus.canterbury.ac.nz/) is a set of +* The [Canterbury Corpus](https://corpus.canterbury.ac.nz/) is a set of files used for testing lossless compression algorithms. The corpus consists of 11 natural files, 4 artificial files, 3 large files, and a file with the first million digits of pi. You can also find a copyof the Calgaruy Corpus at the website, which was the defacto standard for testing lossless compression algorithms in the 1990s. -- The [UMass Trace - Repository](https://traces.cs.umass.edu/index.php/Main/HomePage) +* The [UMass Trace Repository](https://traces.cs.umass.edu/index.php/Main/HomePage) provides network, storage, and other traces to the research community for analysis. The UMass Trace Repository is supported by grant \#CNS-323597 from the National Science Foundation. -- [Sony has made 60TB of Everquest 2 logs available to - researchers.](https://arstechnica.com/gaming/2009/02/aaas-60tb-of-behavioral-data-the-everquest-2-server-logs/) +* [Sony has made 60TB of Everquest 2 logs available to researchers.](https://arstechnica.com/gaming/2009/02/aaas-60tb-of-behavioral-data-the-everquest-2-server-logs/) What's there? "everything." -- UCI's [Network Data - Repository](http://networkdata.ics.uci.edu/resources.php) provides - data sets of a diverse set of networks. 
Some of the networks are +* UCI's [Network Data Repository](http://networkdata.ics.uci.edu/resources.php) + provides data sets of a diverse set of networks. Some of the networks are related to computers, some aren't. -- [UT San Antonio Digital - Corpora](https://digitalcorpora.org//corp/nps/files/filetypes1/) +* [UT San Antonio Digital Corpora](https://downloads.digitalcorpora.org/corpora/files/filetypes1/) # External Links -- [ForGe – Computer Forensic Test Image Generator](https://forensicfocus.com/articles/forge-computer-forensic-test-image-generator/), +* [Forensic Focus - Test Images and Forensic Challenges](https://www.forensicfocus.com/challenges-and-images/) +* [Honeynet Project Challenges](https://www.honeynet.org/challenges/) +* [Second Look - Linux Memory Images](https://secondlookforensics.com/linux-memory-images/) +* [NullconCTF2014](https://sourceforge.net/projects/nullconctf2014/) +* [Daily Blog \#277: Sample Forensic Images](https://www.hecfblog.com/2014/03/daily-blog-277-sample-forensic-images.html) +* [ForGe – Computer Forensic Test Image Generator](https://www.forensicfocus.com/articles/forge-computer-forensic-test-image-generator/), by Hunnu Visti, October 18, 2013 - -## CTF images - -- [BelkaCTF](https://belkasoft.com/ctf) diff --git a/docs/ftimes.md b/docs/ftimes.md index 74b00fc2a..6c19b6e0e 100644 --- a/docs/ftimes.md +++ b/docs/ftimes.md @@ -14,5 +14,5 @@ FTimes does not collect all possible attributes on every supported platform. ## External Links -* [The FTimes Project Homepage](https://ftimes.sourceforge.net/) +* [The FTimes Project Homepage](https://ftimes.sourceforge.io/) * [Building FTimes on Windows using Visual Studio](http://blog.boreas.ro/2007/11/building-ftimes-on-windows-using-visual.html) diff --git a/docs/full_disk_encryption.md b/docs/full_disk_encryption.md index 45c5f9bb1..02882c143 100644 --- a/docs/full_disk_encryption.md +++ b/docs/full_disk_encryption.md 
@@ -15,22 +15,19 @@ Some examples of full disk encryption: ### Embedded into internal HDD +- FIPS 140-2 (Federal Information Processing Standard 140-2 certification + issued by NIST) - FIPS 197 (Federal Information Processing Standard 197 certification issued by NIST) - [AES-128](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation-search) Seagate *Full Disk Encryption* ("FDE") - Seagate's encrypted drives are only available as OEM products. Seagate provides no software to utilize encrypted drive features (such as key management). There is a proprietary Windows-only API, but it is not available to the public. -- [FIPS 140-2](https://www.seagate.com/de/de/) - (Federal Information Processing Standard 140-2 certification issued by - NIST) - Toshiba *Self-Encrypting Drives* ("SED") ## Software Solutions @@ -111,10 +108,6 @@ and IDEA Provides complete [hard drive](hard_drive.md) encryption including the boot disk. - - -[Securstar DriveCrypt](http://www.securstar.com/products_drivecryptpp.php) - [TrueCrypt](truecrypt.md) Transparent full disk encryption for [Linux](linux.md) and [Windows](windows.md). Supports [AES](aes.md) (256 bit), [Serpent](serpent.md) @@ -134,8 +127,6 @@ The -K option of [OpenBSD](openbsd.md) associates and encryption key with the svnd device. Supports saltfiles. Supported ciphers: [Blowfish](blowfish.md). - - ## Full Disk Encryption Analysis Tools Due to continual updates and variances to full disk encryption software, diff --git a/docs/insider_threat_research.md b/docs/insider_threat_research.md index 5c5e40590..e6e8fa832 100644 --- a/docs/insider_threat_research.md +++ b/docs/insider_threat_research.md 
@@ -6,11 +6,11 @@ tags: ### US Government Reports -- [Insider Risk Evaluation and Audit](https://www.dhra.mil/perserec/reports.html#TR0902), +- [Insider Risk Evaluation and Audit](https://www.dhra.mil/Portals/52/Documents/perserec/reports/pp09-03.pdf), PERSEREC TR 09-02, August 2009 -- [Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders Analysis and Observations](https://www.dhra.mil/perserec/reports.html#TR0513), +- [Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders Analysis and Observations](https://www.dhra.mil/Portals/52/Documents/perserec/tr05-13.pdf), PERSEREC TR 05-15 September 2005 -- [Technological, Social, and Economic Trends That are Increasing U.S. Vulnerability to Insider Espionage](https://www.dhra.mil/perserec/reports.html#TR0510), +- [Technological, Social, and Economic Trends That are Increasing U.S. Vulnerability to Insider Espionage](https://www.researchgate.net/publication/290916917_Technological_social_and_economic_trends_that_are_increasing_US_vulnerability_to_insider_espionage), PERSEREC TR 05-10 May 2005 - [Changes in Espionage by Americans: 1947-2007](https://sgp.fas.org/library/changes.pdf), by Katherine L. Herbig, PERSEREC TR 08-05, March 2008. diff --git a/docs/ip_geolocation.md b/docs/ip_geolocation.md index 5f4f1d8f3..e6600ad39 100644 --- a/docs/ip_geolocation.md +++ b/docs/ip_geolocation.md 
@@ -13,20 +13,12 @@ pretty well. ## Commercial Geolocation services -- [IP2Location](https://www.ip2location.com/?AfID=23224) (free query: 20 - lookups/day) -- [MaxMind](https://www.maxmind.com/en/geoip2-services-and-databases) (free service: - GeoLite Country, GeoLite City; free query: 25 lookups/day at - ) +- [IP2Location](https://www.ip2location.com/?AfID=23224) + (free query: 20 lookups/day) +- [MaxMind](https://www.maxmind.com/en/solutions/ip-geolocation-databases-api-services) ## Downloadable Data Sets -- [Software 77](http://software77.net/cgi-bin/ip-country/geo-ip.pl) -- [Quova (commercial)](https://neustarsecurityservices.com/) -- [CountryHawk (commercial)](http://www.cyscape.com/products/chawk) -- [Verifia NetGeo (commercial)](http://www.netgeo.com/index.htm) -- [ActiveTarget (commercial)](http://www.activetarget.com/) +- [CountryHawk (commercial)](https://www.cyscape.com/products/chawk/) - [Java IP (InetAddress) Locator (free lookup library with database)](https://sourceforge.net/projects/javainetlocator/) -- [CountryWhois DB (commercial)](http://www.tamos.com/products/ip-location-database) - [IPAddressGuide](https://www.ipaddressguide.com/) -- [Nami Media (commercial)](http://www.namimedia.com/geo.htm) diff --git a/docs/jtag_and_chip-off_tools_and_equipment.md b/docs/jtag_and_chip-off_tools_and_equipment.md index 94b4f8d87..e041e08f4 100644 --- a/docs/jtag_and_chip-off_tools_and_equipment.md +++ b/docs/jtag_and_chip-off_tools_and_equipment.md @@ -1,6 +1,6 @@ --- tags: - - No Category + - Hardware --- The following list contains equipment used for performing JTAG and chip-off analysis. It is noted when equipment is used for both 
@@ -14,150 +14,140 @@ made for equivalent tools and equipment.* **JTAG and Chip-Off Equipment List** -| Item | Info | Estimated Cost (CAD) | -|:-------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------| -| iSeasamo Phone Opening Tool | | £6 | -| Carton SPZT-50PG Microscope (optional: w/trinocular) | | \$1200 | -| Xytronic 988D Solder Rework Station | | \$300 | -| Weller WES51 Solder Station | | | -| Xytronic LF-852D Hot Air Station | | \$225 | -| Amprobe 35XP Multimeter | | | -| Magnifying Desk Lamp | | £40 | -| Circuit board holder | | £5 | -| Chip Epoxy Glue Remover | | | -| 0.040 gauge transformer winding wire | | | -| Kester 44 rosin flux solder | | | -| Xcelite Hobby Knives | | | -| Terra Dexterity PVC foam gloves | | | -| Richard 13321 blades | sourced | \~\$10 | -| HAKKO Omnivise C1390C Handle | | 59 EUR | -| eMMC SCP-6 Platform | | 22 EUR | -| BGA PMTC Sn63pb37 balls 0,35mm 12500 pcs | | 3.5 EUR | -| BGA PMTC Sn63pb37 balls 0,30mm 12500 pcs | | 3,5 EUR | -| Stencil Direct BGA for eMMC 153/169 | | 8 EUR | -| Stencil Direct BGA for eMMC 162/186 | | 8 EUR | -| Stencil Direct BGA for eMMC/eMCP 221 | | 8 EUR | -| Stencil Direct BGA for eMMC 529 | | 8 EUR | -| BGA stencil for Samsung S7 (SM-G930F) | | 6.20 EUR | -| BGA stencil for Samsung S6 Edge (SM-G925F) | | 6,20 EUR | -| BGA stencil for Samsung S6 (SM-G920F) | | 6,20 EUR | -| BGA stencil for Samsung Galaxy S5 (SM-G900F) | | 6.20 EUR | -| BGA stencil for Samsung Galaxy S4 (i9505) | | 6.20 EUR | -| BGA stencil for Samsung Galaxy S4 (i9500) | | 6,20 EUR | -| Ultra thin jumper wire/Copper spool wire 0.02mm/50m | | 6,50 EUR | -| Desoldering Tape 80-2-5 Chemtronics Solder-Wick 1.5mm / 1.5m | | 4,99 EUR | -| Isopropanol with sprayer 99.9% capacity of 150ml | | 1,10 EUR | -| Anti-static mat PROSKIT 8BM-405A 60x120 cm | | 
36 EUR | -| Silicone service mat MAT-001 25x35cm | | 9,50 EUR | -| 13in1 spatula for removing and work with BGAs (Jabe) | | 25 EUR | -| Precision scalpel/ penknife with 10 removable blades | | 7 EUR | -| Precision tweezer straight and narrow Rhino RH-11 | | 10 EUR | -| Ceramic Tweezers / Tweezers VETUS - T2 | | 10 EUR | -| Solder Fume Extractor ZD-153 | | 22 EUR | -| Quick 6101 Fume Extractor | | 479 EUR | -| Air Ionizer Dr. Schneider SL-001 | | 105 EUR | -| 8" x 8" x 3/8" steel plate | | | +* iSeasamo Phone Opening Tool +* Carton SPZT-50PG Microscope (optional: w/trinocular) +* Xytronic 988D Solder Rework Station +* Weller WES51 Solder Station +* Xytronic LF-852D Hot Air Station +* Amprobe 35XP Multimeter +* Magnifying Desk Lamp +* Circuit board holder +* Chip Epoxy Glue Remover +* 0.040 gauge transformer winding wire +* Kester 44 rosin flux solder +* Xcelite Hobby Knives +* Terra Dexterity PVC foam gloves +* Richard 13321 blades +* HAKKO Omnivise C1390C Handle +* eMMC SCP-6 Platform +* BGA PMTC Sn63pb37 balls 0,35mm 12500 pcs +* BGA PMTC Sn63pb37 balls 0,30mm 12500 pcs +* Stencil Direct BGA for eMMC 153/169 +* Stencil Direct BGA for eMMC 162/186 +* Stencil Direct BGA for eMMC/eMCP 221 +* Stencil Direct BGA for eMMC 529 +* BGA stencil for Samsung S7 (SM-G930F) +* BGA stencil for Samsung S6 Edge (SM-G925F) +* BGA stencil for Samsung S6 (SM-G920F) +* BGA stencil for Samsung Galaxy S5 (SM-G900F) +* BGA stencil for Samsung Galaxy S4 (i9505) +* BGA stencil for Samsung Galaxy S4 (i9500) +* Ultra thin jumper wire/Copper spool wire 0.02mm/50m +* Desoldering Tape 80-2-5 Chemtronics Solder-Wick 1.5mm / 1.5m +* Isopropanol with sprayer 99.9% capacity of 150ml +* Anti-static mat PROSKIT 8BM-405A 60x120 cm +* Silicone service mat MAT-001 25x35cm +* 13in1 spatula for removing and work with BGAs (Jabe) +* Precision scalpel/ penknife with 10 removable blades +* Precision tweezer straight and narrow Rhino RH-11 +* Ceramic Tweezers / Tweezers VETUS - T2 +* Solder Fume Extractor 
ZD-153 +* Quick 6101 Fume Extractor +* Air Ionizer Dr. Schneider SL-001 +* 8" x 8" x 3/8" steel plate **JTAG Specific Equipment List** -| Item | Info | Estimated Cost (CAD) | -|:-----------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|----------------------| -| RIFF Box | | Approx £130 | -| RIFF Box 2 (JTAG and EMMC) | | 159 EUR | -| Octoplus Box | | Approx. £270 | -| Octoplus JTAG Box (JTAG) | | 149 EUR | -| Z3X Easy-Jtag Box | | Approxx £130 | -| Easy JTAG Z3X Box (JTAG and EMMC) | | 149 EUR | -| GPGEMMC Box | | Approx. £160 | -| GPG JTAG Box (JTAG PRO) | | 135 EUR | -| ATF (Advance Turbo Flasher) | | Approx. £110 | -| ATF GOLD (Advance Turbo Flasher for JTAG, EMMC, SPI) | | 159 EUR | -| GPGJTAG Box (Jtag Pro) | | Approx. £120 | -| ORT Box | | Approx. £140 | -| ORT JTAG Pro with EMMC Booster (JTAG and EMMC) | | 149 EUR | -| Medusa Pro Box (JTAG and EMMC) | | 159 EUR | -| Medusa Box | | Approx £155 | -| UFI BOX (JTAG, EMMC, SPI) | | 299 EUR | -| Programmer UFS / eMMC / eMCP NuProg-E | | 1149 EUR | +* RIFF Box +* RIFF Box 2 (JTAG and EMMC) +* Octoplus Box +* Octoplus JTAG Box (JTAG) +* Z3X Easy-Jtag Box +* Easy JTAG Z3X Box (JTAG and EMMC) +* GPGEMMC Box +* GPG JTAG Box (JTAG PRO) +* ATF (Advance Turbo Flasher) +* ATF GOLD (Advance Turbo Flasher for JTAG, EMMC, SPI) +* GPGJTAG Box (Jtag Pro) +* ORT Box +* ORT JTAG Pro with EMMC Booster (JTAG and EMMC) +* Medusa Pro Box (JTAG and EMMC) +* Medusa Box +* UFI BOX (JTAG, EMMC, SPI) +* Programmer UFS / eMMC / eMCP NuProg-E **Add-On Tools / Adapters For JTAG Specific Equipment List** -| Item | Info | Estimated Cost (CAD) | 
-|:------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------| -| E-Mate E-Socket 5-in-1 High Speed EMMC Programmer for ATF - Z3x-Pro - GPGEMMC | | Approx £160 | -| E-Mate Pro eMMC Tool MoorC v2 | | 129 EUR | -| BGA Adapter 162 For GPGEMMC Box | | Approx. £64 | -| BGA Adapter 169E For GPGEMMC Box | | Approx. £64 | -| BGA221 Adapter Socket For E-Mate Box - Riff Box - GPGEMMC Box | | Approx. £90 | -| MOORC JTAG-ISP Adapter 5-in-1 For ATF, Riff, Medusa etc. | | Approxx £25 | -| ATF EMMC Test Point Finder | | Approx. £160 | -| Universal JTAG/eMMC/FBUS JE-02 adapter | | 15 EUR | -| Set of Universal JTAG adapters VF-JIG for VR-Table - 11R | | 219 EUR | -| Adapter eMMC/JTAG for Riff BOX 2 - RC2000 | | 10 EUR | -| JTAG Finder | | Approx. £90 | -| EMMC Z3X Jtag Pro 3 in 1 Adapter | | Approx. £20 | -| Universal JTAG Interface | | Approx. £5 | -| Universal Jtag Cable With Labeled Wires | | Approx. 
£5 | -| SD-EMMC Plus Adapter - Model SE-P1 | | 12 EUR | -| Frames / Limiters adapters for BGA (spacer) | | 10 EUR | -| Probe Cable For Riff Box | Manually locate jtag lines for unsupported devices - | Approx £5 | -| Powered Mini USB - Micro USB Cable For Repair and Jtag | Power phones and dump via usb while phone disassembled - | Approx £10 | -| Fonefunshop Test Point Box | | Approx £30 | -| JTAG AMOI adapters | | \~8-15 EUR | -| JTAG DELL adapters | | \~8-15 EUR | -| JTAG BenQ-Siemens adapters | | \~8-15 EUR | -| JTAG Toshiba adapters | | \~8-15 EUR | -| JTAG HTC adapters | | \~8-15 EUR | -| JTAG Huawei adapters | | \~8-15 EUR | -| JTAG LG adapters | | \~8-15 EUR | -| JTAG Motorola adapters | | \~8-15 EUR | -| JTAG Nokia adapters | | \~8-15 EUR | -| JTAG Panasonic adapters | | \~8-15 EUR | -| JTAG Sagem adapters | | \~8-15 EUR | -| JTAG Samsung adapters | | \~8-15 EUR | -| JTAG Sendo adapters | | \~8-15 EUR | -| JTAG Sony adapters | | \~8-15 EUR | -| JTAG SonyEricsson adapters | | \~8-15 EUR | -| JTAG ZTE adapters | | \~8-15 EUR | +* E-Mate E-Socket 5-in-1 High Speed EMMC Programmer for ATF - Z3x-Pro - GPGEMMC +* E-Mate Pro eMMC Tool MoorC v2 +* BGA Adapter 162 For GPGEMMC Box +* BGA Adapter 169E For GPGEMMC Box +* BGA221 Adapter Socket For E-Mate Box - Riff Box - GPGEMMC Box +* MOORC JTAG-ISP Adapter 5-in-1 For ATF, Riff, Medusa etc. 
+* ATF EMMC Test Point Finder +* Universal JTAG/eMMC/FBUS JE-02 adapter +* Set of Universal JTAG adapters VF-JIG for VR-Table - 11R +* Adapter eMMC/JTAG for Riff BOX 2 - RC2000 +* JTAG Finder +* EMMC Z3X Jtag Pro 3 in 1 Adapter +* Universal JTAG Interface +* Universal Jtag Cable With Labeled Wires +* SD-EMMC Plus Adapter - Model SE-P1 +* Frames / Limiters adapters for BGA (spacer) +* Probe Cable For Riff Box +* Powered Mini USB - Micro USB Cable For Repair and Jtag +* Fonefunshop Test Point Box +* JTAG AMOI adapters +* JTAG DELL adapters +* JTAG BenQ-Siemens adapters +* JTAG Toshiba adapters +* JTAG HTC adapters +* JTAG Huawei adapters +* JTAG LG adapters +* JTAG Motorola adapters +* JTAG Nokia adapters +* JTAG Panasonic adapters +* JTAG Sagem adapters +* JTAG Samsung adapters +* JTAG Sendo adapters +* JTAG Sony adapters +* JTAG SonyEricsson adapters +* JTAG ZTE adapters **eMMC ISP Specific Equipment List** -| Item | Info | Estimated Cost (CAD) | -|:--------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|----------------------| -| VR-TABLE Forensic Tool for JTAG/EMMC/FBUS Tool | | \~899-1200 EUR | -| Inspection camera for VR-Table - VGA 2Mpx with holder | | 229 EUR | -| Universal eMMC PullUp PU cable for ISP eMMC to VR-Table | | 20 EUR | -| Set of 10 high-precision probes with movable pins VR-064 1mm / 69mm to VR-Table | | 89 EUR | -| Set of 10 ultra high-precision probes VR-070m 0,50mm/73mm to R-Table | | 99 EUR | -| Set of 10 standard probes VR-070 1mm/73mm to VR-Table | | 30 EUR | -| Adapter EMMC for Riff BOX - RC1000 | | 25 EUR | -| Adapter EMMC/JTAG ATF v2 5in1 GPG | | 20 EUR | -| EMMC adapter for Easy Z3x JTAG Box | | 12 EUR | +* VR-TABLE Forensic Tool for JTAG/EMMC/FBUS Tool +* Inspection camera for VR-Table - VGA 2Mpx with holder +* Universal eMMC PullUp PU cable for ISP eMMC to VR-Table +* Set of 10 high-precision probes 
with movable pins VR-064 1mm / 69mm to VR-Table | | | +* Set of 10 ultra high-precision probes VR-070m 0,50mm/73mm to R-Table +* Set of 10 standard probes VR-070 1mm/73mm to VR-Table +* Adapter EMMC for Riff BOX - RC1000 +* Adapter EMMC/JTAG ATF v2 5in1 GPG +* EMMC adapter for Easy Z3x JTAG Box **Chip-Off Specific Equipment List** -| Item | Info | Estimated Cost (CAD) | -|:----------------------------------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------------| -| Wagner HT1000 Heat Gun | | \$30 | -| Heat Gun stand | | | -| UP-828 Programmer | | Approx. £1,400 | -| UP-828 Adapter VBGA529 | Galaxy Note 4 - | Approx. £470 | -| UP-828 Adapter BGA110 | | Approx. £260 | -| UP-828 Adapter BGA88 - U08881 | | Approx. £200 | -| UP-828 Adapter FBGA167 | | Approx. £290 | -| UP-828 Adapter FBGA63 U08631 | | Approx. £150 | -| UP-828 Adapter SBGA152 | Blackberry - | Approx. £372 | -| UP-828 Adapter SBGA199 | | Approx. £340 | -| UP-828 Adapter U11371 FBGA137 | | Approx. £265 | -| UP-828 Adapter VBGA169E | BlackBerry and Android - | Approx. £320 | -| UP-828 Adapter VBGA221 - U05221 | | Approx. £330 | -| UP-828 Adapter VBGA40 | | Approx. £240 | -| UP-828 Adapter VBGA133 | iPhone 4 | Approx. \$600 - \$1000 depending on source | -| Sireda eMMC Burn-In Socket (size 11 x 10mm) | | Approx. £168 | -| Sireda eMMC Burn-In Socket (size 11.5 x 13mm) | ).html | Approx. £168 | -| Sireda eMMC Burn-In Socket (size 12 x 16mm) | | Approx. £168 | -| Sireda eMMC Burn-In Socket (size 12 x 18mm) | | Approx. £168 | -| Sireda eMMC Burn-In Socket (size 14 x 18mm) | | Approx. 
£168 | +* Wagner HT1000 Heat Gun +* Heat Gun stand +* UP-828 Programmer +* UP-828 Adapter VBGA529 +* UP-828 Adapter BGA110 +* UP-828 Adapter BGA88 - U08881 +* UP-828 Adapter FBGA167 +* UP-828 Adapter FBGA63 U08631 +* UP-828 Adapter SBGA152 +* UP-828 Adapter SBGA199 +* UP-828 Adapter U11371 FBGA137 +* UP-828 Adapter VBGA169E +* UP-828 Adapter VBGA221 - U05221 +* UP-828 Adapter VBGA40 +* UP-828 Adapter VBGA133 +* Sireda eMMC Burn-In Socket (size 11 x 10mm) +* Sireda eMMC Burn-In Socket (size 11.5 x 13mm) +* Sireda eMMC Burn-In Socket (size 12 x 16mm) +* Sireda eMMC Burn-In Socket (size 12 x 18mm) +* Sireda eMMC Burn-In Socket (size 14 x 18mm) **Notes** diff --git a/docs/legal_issues.md b/docs/legal_issues.md index f58928bb8..105e1593e 100644 --- a/docs/legal_issues.md +++ b/docs/legal_issues.md @@ -29,12 +29,11 @@ computer virus. Avoids \~\$900,000 in fines. Karl Schofield walked free from court yesterday after prosecutors accepted an expert's report that the "Trojan" program could have saved the 14 depraved images off the internet without his knowledge. -[3](http://www.getreading.co.uk/news/6/6541/program_put_child_porn_pics_on_my_pc) Julian Green, 45, of Torquay, Devon was cleared in court in July of 13 charges of making indecent images, claiming computer malware was to blame. -[4](https://www.sophos.com/en-us/press-office/press-releases/2003/08/va_porntrojan) +[3](https://www.sophos.com/en-us/press-office/press-releases/2003/08/va_porntrojan) A former Georgia teacher blames computer viruses for altering his Web sites and uploading child porn images. Guilty charge upheld. 
@@ -45,20 +44,20 @@ potential pedophile’s computers. Bandy’s defense attorney asserted that a “virus” or “trojan” must have downloaded the child pornography to Bandy’s computer without his knowledge. -[5](https://www.cnet.com/tech/tech-industry/police-blotter-child-porn-blamed-on-computer-virus/) +[4](https://www.cnet.com/tech/tech-industry/police-blotter-child-porn-blamed-on-computer-virus/) A man found with more than 1,700 indecent images of children on his computer claimed a virus was to blame, a court heard. But Mark Craney, 33, from Knowle, was found guilty at Warwick Crown Court on 16 charges of making indecent images of children by downloading them onto his computer. -[6](https://www.birminghammail.co.uk/) +[5](https://www.birminghammail.co.uk/) More links from previous research. -* [7](http://edition.cnn.com/2003/TECH/internet/10/28/hacker.defense.reut/index.html) -* [8](http://news.com.com/2100-7349_3-5092781.html) -* [9](https://www.theregister.com/2003/04/24/trojan_defence_clears_man/) +* [6](http://edition.cnn.com/2003/TECH/internet/10/28/hacker.defense.reut/index.html) +* [7](http://news.com.com/2100-7349_3-5092781.html) +* [8](https://www.theregister.com/2003/04/24/trojan_defence_clears_man/) ## Connecticut v. Amero @@ -79,8 +78,6 @@ conviction was vacated on appeal. * [THE TROJAN HORSE DEFENSE IN CYBERCRIME CASES](https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2005-15.pdf), by Susan W. Brenner, Brian Carrier, and Jef Henninger, in 2004 * [The "Tools Proven in Court" Question](https://www.cybersecurityinstitute.biz) -* [When is an Expert Opinion Allowed in Law?](https://www.elvidence.com.au/expert-opinion-in-law/), - October 24, 2014 ## Privacy and Surveillance Laws diff --git a/docs/mac_os_x.md b/docs/mac_os_x.md index 06e1df972..903e88180 100644 --- a/docs/mac_os_x.md +++ b/docs/mac_os_x.md 
@@ -240,7 +240,6 @@ Mac OS. ## External Links -* [Official website](https://www.apple.com/macos/ventura/) * [Wikipedia entry on OS X](https://en.wikipedia.org/wiki/OS_X) * [Inside Macintosh](https://developer.apple.com/library/archive/documentation/mac/pdf/Text.pdf), by Apple Computer, Inc., 1993 diff --git a/docs/machine_translation.md b/docs/machine_translation.md index 54f3f2810..b0b4a8ecb 100644 --- a/docs/machine_translation.md +++ b/docs/machine_translation.md @@ -5,14 +5,12 @@ tags: ### References - [An evaluation of the accuracy of online translation systems](https://scholarworks.lib.csusb.edu/cgi/viewcontent.cgi?article=1122&context=ciima) -- [Systran Reviews - Case Studies](http://www.translationsoftware4u.com/sys-testimonies.php) +- [Systran Reviews - Case Studies](https://www.translationsoftware4u.com/sys-testimonies.php) - [Spanish-to-English Translation Using the Web](http://www.swdsi.org/swdsi06/Proceedings06/Papers/IBT04.pdf), Milam W. Aiken, SWDSI 2006 - [Me Translate Pretty One Day](https://www.wired.com/2006/12/translate/), Issue 14.12 - December 2006 - [Dispelling the myths of machine translation](https://www.tcworld.info/index.php?id=91),By Uwe Muegge August 2008 -- [Empirical Machine Translation and its Evaluation](http://www.sepln.org/monografiasSEPLN/monografia-jgimenez-sepln.pdf) - Jesús Ángel Giménez Linares, - [Evaluation of a Machine Translation System for Low Resource Languages: METIS-II](http://www.lrec-conf.org/proceedings/lrec2008/pdf/116_paper.pdf), Vincent Vandeghinste, etc., LREC 2008 diff --git a/docs/malware.md b/docs/malware.md index bfe27a48d..c6aa11509 100644 --- a/docs/malware.md +++ b/docs/malware.md 
@@ -89,8 +89,6 @@ Various types of rootkits: * [What Are Exploit Kits?](https://zeltser.com/what-is-an-exploit-kit/), by Lenny Zeltser, October 26, 2010 -* [The four seasons of Glazunov: digging further into Sibhost and Flimkit](https://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/), - by Fraser Howard, July 2, 2013 * [Exploit Kits 2014-2015](http://contagiodata.blogspot.com/2014/12/exploit-kits-2014.html) ### Persistence diff --git a/docs/malware_analysis.md b/docs/malware_analysis.md index 86819bf26..e21903fb4 100644 --- a/docs/malware_analysis.md +++ b/docs/malware_analysis.md @@ -41,8 +41,6 @@ and the entry point of the new image is executed. by Kevin Wenchel, May 2004 * [De Mysteriis Dom Jobsivs: Mac EFI Rootkits](https://papers.put.as/papers/macosx/2012/De_Mysteriis_Dom_Jobsivs_Ruxcon.pdf), by Snare, October 2012 -* [Security Tip (ST13-003) - Handling Destructive Malware](https://www.cisa.gov/uscert/ncas/tips/ST13-003), - by US-CERT, November 04, 2013 * [Detecting Malware With Memory Forensics](https://deer-run.com/users/hal/Detect_Malware_w_Memory_Forensics.pdf), by Hal Pomeranz * [Mac OS X Live Forensics 107: Mac Malware](http://lockboxx.blogspot.com/2014/11/mac-os-x-live-forensics-107-mac-malware.html?m=1), diff --git a/docs/mandiant.md b/docs/mandiant.md index 862faac0a..b331a4d03 100644 --- a/docs/mandiant.md +++ b/docs/mandiant.md 
@@ -7,17 +7,29 @@ tags: # Mandiant -Mandiant is a US-based cybersecurity company that was acquired by Google Cloud in 2022. Mandiant was originally founded as Red Cliff Consulting in 2004 before rebranding in 2006. Mandiant gained significant fame in February 2013 when it released the [APT1 report](https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units), a report detailing and implicating China's efforts, specifically China's 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department (Military Cover Designator 61398), in cyber espionage. - -In December 2013, Mandiant was acquired by FireEye, and the combined company offered incident response, consulting, and proactive services, managed detection and response (MDR), and various cybersecurity products. The FireEye name and product line were sold to Symphony Technology Group in June 2021. - -In March 2022, Google announced its plans to acquire Mandiant and integrate it in Google Cloud. The acquisition was completed in September 2022. The Mandiant brand will be retained as a part of Google Cloud. - -Since its inception, Mandiant has significant contributions to the DFIR community, including (but not limited to): - -- Discovery and release of new forensic artifacts. -- Disclosure of threat intelligence reports and threat actor TTPs. -- Release and maintenance of free, open or closed source tools. +Mandiant is a US-based cybersecurity company that was acquired by Google Cloud +in 2022. Mandiant was originally founded as Red Cliff Consulting in 2004 before +rebranding in 2006. 
Mandiant gained significant fame in February 2013 when it +released the [APT1 report](https://www.mandiant.com/resources/reports/apt1-exposing-one-chinas-cyber-espionage-units), +a report detailing and implicating China's efforts, specifically China's 2nd +Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) +3rd Department (Military Cover Designator 61398), in cyber espionage. + +In December 2013, Mandiant was acquired by FireEye, and the combined company +offered incident response, consulting, and proactive services, managed +detection and response (MDR), and various cybersecurity products. The FireEye +name and product line were sold to Symphony Technology Group in June 2021. + +In March 2022, Google announced its plans to acquire Mandiant and integrate it +in Google Cloud. The acquisition was completed in September 2022. The Mandiant +brand will be retained as a part of Google Cloud. + +Since its inception, Mandiant has significant contributions to the DFIR +community, including (but not limited to): + +* Discovery and release of new forensic artifacts. +* Disclosure of threat intelligence reports and threat actor TTPs. +* Release and maintenance of free, open or closed source tools. ## List of Mandiant Tools @@ -33,4 +45,4 @@ Since its inception, Mandiant has significant contributions to the DFIR communit ## External Links -[Official website](https://www.mandiant.com/) +* [Official website](https://www.mandiant.com/) diff --git a/docs/matriux.md b/docs/matriux.md index 5d3f508da..7036e52b3 100644 --- a/docs/matriux.md +++ b/docs/matriux.md @@ -60,7 +60,7 @@ Matriux offers many forensics tools under its ## External Links -* [Official website](http://www.matriux.com/) +* [Official website](http://www.matriux.com/index.php) * [Download Matriux OS](http://www.matriux.com/index.php?page=download) * [Matriux sourceforge](https://sourceforge.net/projects/matriux/) * [Artworks](http://matriux.com/index.php?page=art-de-matriux) 
diff --git a/docs/memory_analysis.md b/docs/memory_analysis.md index 8d04f2c77..7488b3547 100644 --- a/docs/memory_analysis.md +++ b/docs/memory_analysis.md @@ -148,7 +148,7 @@ analysis. ### Computer architecture - [Wikipedia: 64-bit computing](https://en.wikipedia.org/wiki/64-bit_computing) -- [Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 1: Basic Architecture](https://www.intel.com/content/www/us/en/architecture-and-technology/64-ia-32-architectures-software-developer-vol-1-manual.html), +- [Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 1: Basic Architecture](https://www.intel.com/content/www/us/en/content-details/782158/intel-64-and-ia-32-architectures-software-developer-s-manual-combined-volumes-1-2a-2b-2c-2d-3a-3b-3c-3d-and-4.html), by Intel, May 2011 - [64-Bit Programming Models: Why LP64?](https://unix.org/version2/whatsnew/lp64_wp.html), The Open Group, 1997 diff --git a/docs/microcode.md b/docs/microcode.md index 9a5376c19..adc2dd8a2 100644 --- a/docs/microcode.md +++ b/docs/microcode.md @@ -25,11 +25,7 @@ The initrd is a (compressed) cpio archive. ## External Links * [Wikipedia: Microcode](https://en.wikipedia.org/wiki/Microcode) -* [Early load microcode](https://www.kernel.org/doc/Documentation/x86/early-microcode.txt), - by Fenghua Yu +* [The Linux Microcode Loader](https://docs.kernel.org/arch/x86/microcode.html), + by Fenghua Yu, Borislav Petkov, Ashok Raj * [Security Analysis of x86 Processor microcode](https://www.dcddcc.com/docs/2014_paper_microcode.pdf), by Daming D. Chen, Gail-Joon Ahn, December 11, 2014 - -### Intel microcode - -* [Linux\* Processor Microcode Data File](https://www.intel.com/content/www/us/en/download-center/home.html) diff --git a/docs/past_selected_articles.md b/docs/past_selected_articles.md index 08dbbf6cb..a0a573e43 100644 --- a/docs/past_selected_articles.md +++ b/docs/past_selected_articles.md 
@@ -628,7 +628,7 @@ documents a woman's affair while her husband was serving in Iraq. 2008-Nov-18 -[Data Acquisition from Cell Phone using Logical Approach](http://www.waset.org/pwaset/v26/v26-6.pdf), +[Data Acquisition from Cell Phone using Logical Approach](https://publications.waset.org/7561/data-acquisition-from-cell-phone-using-logical-approach), by Keonwoo Kim, Dowon Hong, Kyoil Chung, and Jae-Cheol Ryou, PROCEEDINGS OF WORLD ACADEMY OF SCIENCE, ENGINEERING AND TECHNOLOGY VOLUME 26 DECEMBER 2007 ISSN 1307-6884 This article discusses three approaches for acquiring data from cell phones: physically removing the flash RAM chips and reading them directly; reading the diff --git a/docs/sanitization_standards.md b/docs/sanitization_standards.md index 36b597baf..504d29699 100644 --- a/docs/sanitization_standards.md +++ b/docs/sanitization_standards.md @@ -16,8 +16,7 @@ regarding the disk sanitization problem: ### Canada -* [RCMP TSSIT OPS-II](http://www.rcmp-grc.gc.ca/tsb/pubs/it_sec/g2-003_e.pdf): - 8 pass wipe. +* RCMP TSSIT OPS-II: 8 pass wipe. ### Germany @@ -25,8 +24,7 @@ regarding the disk sanitization problem: ### Russia -* [Gostechcommission management directive](http://www.internet-law.ru/standarts/safety/gtk009.doc): - 2 pass with random data. +* Gostechcommission management directive, 2 pass with random data. ### UK @@ -34,7 +32,7 @@ regarding the disk sanitization problem: ### USA -* [NIST 800-88](https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final): +* [NIST 800-88](https://csrc.nist.gov/pubs/sp/800/88/r1/final): Guidelines for Data Sanitation, Sept 2006. * [DoD Destruction](http://simson.net/ref/2001/ASD_HD_Disposition_memo060401.pdf): Disposition of Unclassified DoD Computer Hard Drives, Assistant diff --git a/docs/sim_card_forensics.md b/docs/sim_card_forensics.md index 1844044b6..3ffeb7bbb 100644 --- a/docs/sim_card_forensics.md +++ b/docs/sim_card_forensics.md 
@@ -55,15 +55,14 @@ Acquire [SIM Card](sim_cards.md) and analyze the following: Wiki Links * [Paraben SIM Card Seizure](paraben_sim_card_seizure.md) -* [SIMIS](simis.md) * [SIM Explorer](sim_explorer.md) +* [SIMcon](simcon.md) +* [SIMIS](simis.md) External Links -* [SIMcon](https://www.simcon.no/) * [Pro Data Doctor](https://www.data-recovery-mobile-phone.com/) * [Forensic Card Reader (FCR) - German](http://www.becker-partner.de/index.php?id=17) -* [SIM Manager](http://www.txsystems.com/sim-manager.html) * [SIMSpy](http://www.nobbi.com/download.php) * [UnDeleteSMS](https://vidstromlabs.com/freetools/undeletesms/) * [Dekart SIM Explorer](https://www.dekart.com/products/card_management/sim_explorer), @@ -74,7 +73,6 @@ External Links * [SIM Card Reader](http://ww38.mobile-t-mobile.com/mobile-network/SIM-card-reader.html) * [Sim Card Reader Software](https://sim-card-reader-software.download3000.com) * [Sim Card Recovery](https://sim-card-recovery.freedownloadscenter.com/windows/) -* [Sim Recovery Pro](http://www.spytechs.com/phone-recorders/sims-card-reader.htm) ## Recovering SIM Card Data diff --git a/docs/tcpflow.md b/docs/tcpflow.md index a8859fe36..2e91ea5fc 100644 --- a/docs/tcpflow.md +++ b/docs/tcpflow.md @@ -75,11 +75,7 @@ UNIX; see the INSTALL file for details. by [Kanedaaa](http://kaneda.bohater.net) * [Debian package](https://packages.debian.org/testing/tcpflow) by Robert McQueen -* [Fedora package](https://admin.fedoraproject.org/pkgdb/acls/name/tcpflow) - by [Terje Røsten](https://koji.fedoraproject.org/koji/userinfo?userID=278) * [FreeBSD port](ftp://ftp5.freebsd.org/pub/FreeBSD/branches/-current/ports/net/tcpflow) by Jose M. Alcaide -* [OpenBSD Package](http://www.openbsd.org/ports.html) (it’s in there - somewhere) * [Solaris 8 SPARC Binary](ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/tcpflow-0.12-sol8-sparc-local.gz) for v0.12 from [SunFreeware.com](http://www.sunfreeware.com/introduction.html) 
diff --git a/docs/training_courses_and_providers.md b/docs/training_courses_and_providers.md index f4b720a90..b8ae71a77 100644 --- a/docs/training_courses_and_providers.md +++ b/docs/training_courses_and_providers.md @@ -51,7 +51,7 @@ Title | Website | Limitation AccessData (Forensic Tool Kit FTK) | | Amped Software (Image & Video forensics - FIVE; Authenticate) | | ASR Data (SMART) | | -Cellebrite (UFED) | | +Cellebrite (UFED) | | Digital Intelligence (FRED Forensics Platform) | | e-fense, Inc. (Helix3 Pro) | | ElcomSoft Co.Ltd. (desktop, mobile and cloud forensics) | | @@ -69,14 +69,12 @@ X-Ways Forensics (X-Ways Forensics) | | Title | Website | Limitation --- | --- | --- -BerlaCorp Vehicle System Forensics Training Program | | +BerlaCorp Vehicle System Forensics Training Program | | Computer Forensic Training Center Online (CFTCO) | | CCE Bootcamp | | Cyber Security Academy | | Dera Forensics Group | | e-fense Training | | -eForensics Magazine | | -Elvidence (Computer Forensics & Decryption - Law Enforcement Only) | | High Tech Crime Institute | | Infosec Institute | | Intense School (a subsidiary of Infosec Institute) | | diff --git a/docs/ufs_tornado.md b/docs/ufs_tornado.md index 1ea554d2f..8b29d4ff6 100644 --- a/docs/ufs_tornado.md +++ b/docs/ufs_tornado.md @@ -1,8 +1,7 @@ --- tags: - - Tools - - Windows - - Articles that need to be expanded + - Articles that need to be expanded + - Hardware --- The **UFS3-Tornado** (**U**niversal **F**lasher **Software**) is a USB flasher device made by \[SarasSoft\]. It offers USB data transfer from a @@ -14,7 +13,3 @@ UFS3 supports phones manufactured by Samsung, SonyEricsson/Ericsson, Motorola-Acer, and Siemens. UFS operates on Windows 98SE, ME, 2000, and XP. - -## References - - \ No newline at end of file diff --git a/docs/vendors.md b/docs/vendors.md index 943370bd5..282e43bea 100644 --- a/docs/vendors.md +++ b/docs/vendors.md 
@@ -19,7 +19,7 @@ tags: * SAFE Boot Disk - Forensically sound Windows boot disk * [Guidance Software](guidance_software.md) - [EnCase](encase.md) * [LTU Technologies](https://www.ltutech.com/) - LTU-Finder -* [MaresWare Software](http://www.maresware.com/maresware/software.htm) +* [MaresWare Software](https://www.maresware.com/maresware/software.htm) * [Nuix Pty Ltd](nuix_pty_ltd.md) - [Nuix Desktop](nuix_desktop.md) and [Proof Finder](proof_finder.md) * [Oxygen Software](oxygen_software.md) * [Paraben Forensics](paraben_forensics.md) diff --git a/docs/vnconfig.md b/docs/vnconfig.md index 38202321f..db4de84f2 100644 --- a/docs/vnconfig.md +++ b/docs/vnconfig.md @@ -11,4 +11,3 @@ the data using the Blowfish cipher before it is written to disk when the ## External Links * [OpenBSD Official website](http://www.openbsd.org/) -* [OpenBSD Manpages: vnconfig(8)](http://www.openbsd.org/cgi-bin/man.cgi?query=vnconfig&sektion=8) diff --git a/docs/websites.md b/docs/websites.md index 7401a3da2..df057d17f 100644 --- a/docs/websites.md +++ b/docs/websites.md @@ -61,11 +61,6 @@ Belgian Computer Forensic Website - Forensic Boot CD - Linux News, blog, forums, and other resources for folks engaged in or interested in digital forensics. -[International Association of Computer Investigative Specialists](https://iacis.info/) - -Volunteer non-profit corporation composed of law enforcement -professionals. - [NIST: Secure Hashing](https://csrc.nist.gov/projects/hash-functions) The Computer Security Division's (CSD) Security Technology Group (STG) diff --git a/docs/windows.md b/docs/windows.md index 365b0c5f6..85eabeedb 100644 --- a/docs/windows.md +++ b/docs/windows.md @@ -337,7 +337,7 @@ References: 1. 2. 3. -4. +4. ### Cryptnet URL Cache 
@@ -421,17 +421,12 @@ value: * [Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations](https://learn.microsoft.com/en-US/troubleshoot/windows-client/deployment/windows-setup-log-file-locations) * [Windows Hardware Dev Center Archive](https://learn.microsoft.com/en-us/previous-versions/windows/hardware/download/dn550976(v=vs.85)) * [Windows Data Type](https://learn.microsoft.com/en-us/windows/win32/winprog/windows-data-types) -* [The Forensic Analysis of the Microsoft Windows Vista Recycle Bin](https://forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf), - by Mitchell Machor, 2008 -* [Spotting the Adversary with Windows Event Log Monitoring](http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf), - by National Security Agency/Central Security Service, February 28, 2013 * [Search history on Windows 8 and 8.1](https://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html), by Yogesh Khatri, April 1, 2014 * [Search history on windows 8.1 - Part 2](https://www.swiftforensics.com/2014/04/search-history-on-windows-81-part-2.html), by Yogesh Khatri, April 21, 2014 -* [Estoteric Hooks](https://www.alex-ionescu.com/Estoteric%20Hooks.pdf) +* [Estoteric Hooks](https://github.com/ionescu007/HookingNirvana/blob/master/Esoteric%20Hooks.pdf), by Alex Ionescu, February 16, 2016 - ([presentation](https://www.youtube.com/watch?v=pHyWyH804xE)) * [A brief look at Windows telemetry: CIT aka Customer Interaction Tracker](https://research.nccgroup.com/2022/04/12/a-brief-look-at-windows-telemetry-cit-aka-customer-interaction-tracker/), by Erik Schamper, April 12, 2022 
@@ -444,7 +439,7 @@ value: * [Lesson 3 – The Recycle Bin](https://www.cybersecurityinstitute.biz), by Steve Hailey -* [The Forensic Analysis of the Microsoft Windows Vista Recycle Bin](https://forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf), +* [The Forensic Analysis of the Microsoft Windows Vista Recycle Bin](https://www.forensicfocus.com/articles/forensic-analysis-of-the-microsoft-windows-vista-recycle-bin/), by Mitchell Machor, January 22, 2008 ### Malware/Rootkits diff --git a/docs/windows_xml_event_log_(evtx).md b/docs/windows_xml_event_log_(evtx).md index aa2eb59b5..435efb057 100644 --- a/docs/windows_xml_event_log_(evtx).md +++ b/docs/windows_xml_event_log_(evtx).md @@ -67,7 +67,7 @@ Where LCID is the "locale identifier" * [log2timeline](log2timeline.md) * [wevtutil](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc749339(v=ws.11)) * [LogParser](https://www.microsoft.com/en-us/download/details.aspx?id=24659) -* [python-evtx](http://www.williballenthin.com/evtx/) +* [python-evtx](https://github.com/williballenthin/python-evtx) * [winlast](https://github.com/pch3/winlast) * [Event log explorer](https://eventlogxp.com/) * [Event-Log Hunting tools collection by Renzon](https://twitter.com/r3nzsec/status/1463018324086988801) diff --git a/docs/winfe.md b/docs/winfe.md index c1f6505b8..75626f27b 100644 --- a/docs/winfe.md +++ b/docs/winfe.md 
@@ -27,16 +27,15 @@ utilities such as WinBuilder [2](http://reboot.pro). Some examples of Windows based forensic utilities that can run in the Windows Forensic Environment include: -- [AccessData FTK Imager](https://www.exterro.com), -- [Guidance Software Encase](https://www.opentext.com/products/security-cloud), -- ProDiscover -- [RegRipper](https://regripper.wordpress.com/). -- [X-Ways Forensics](https://www.x-ways.net/), +* [AccessData FTK Imager](https://www.exterro.com), +* [Guidance Software Encase](https://www.opentext.com/products/security-cloud), +* ProDiscover +* [RegRipper](https://regripper.wordpress.com/). +* [X-Ways Forensics](https://www.x-ways.net/), -A write protection tool developed by Colin Ramsden was released in 2012 -that provides a GUI for disk toggling [3](http://www.ramsdens.org.uk/). -Colin Ramsden's write protect tool effectively replaces the command line -to toggle disks on/offline or readonly/readwrite. +A write protection tool developed by Colin Ramsden was released in 2012 that +provides a GUI for disk toggling Colin Ramsden's write protect tool effectively +replaces the command line to toggle disks on/offline or readonly/readwrite. ## Technical Background and Forensic Soundness @@ -63,7 +62,7 @@ documented 4-byte change to non-user created data. This modification exists for non-Windows OS disks, where Windows (FE) will write a Windows drive signature to the disk, although it is not shown to be consistent. Various issues with Linux Boot CDs can be compared -[4](forensic_live_cd_issues.md) ). +[1](forensic_live_cd_issues.md) ). ## Resources: 
@@ -71,4 +70,3 @@ Various issues with Linux Boot CDs can be compared * [Article on Win FE in Hakin9 magazine 2009-06](https://hakin9.org/) * [WinPE Technical Reference](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-intro?view=windows-11) * [Windows Automated Installation Kit](https://www.microsoft.com/en-us/download/details.aspx?id=5753) -* [WinFE Write Protect tool](http://www.ramsdens.org.uk/) diff --git a/docs/wmi.md b/docs/wmi.md index 0a880a295..10d19ad0a 100644 --- a/docs/wmi.md +++ b/docs/wmi.md @@ -48,7 +48,6 @@ in the following locations: ### Namespaces * [Understanding WMI Namespaces](https://powershell.one/wmi/root) -* [CIMTool wiki: Namespaces](https://wiki.cimtool.org/Namespaces.html) * [Configuration Manager WMI namespaces and classes for Configuration Manager reports](https://learn.microsoft.com/en-us/mem/configmgr/develop/core/understand/sqlviews/wmi-namespaces-classes-configuration-manager-reports), by Microsoft 
@@ -58,10 +57,6 @@ in the following locations: by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010 * [Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor](https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf), by Matt Graeber, 2015 -* [Windows Management Instrumentation (WMI) Offense, Defense, and Forensics](https://www.mandiant.com/resources/windows-management-instrumentation-wmi-offense-defense-and-forensics), - [Presentation](http://www.irongeek.com/i.php?page=videos/bsideslasvegas2015/bg06-whymi-so-sexy-wmi-attacks-real-time-defense-and-advanced-forensic-analysis-william-ballenthin-claudiu-teodorescu-matthew-graeber), - by William Ballenthin, Matthew Graeber, Claudiu Teodorescu, August 8, - 2015 * [Subverting Sysmon Application of a Formalized: Security Product Evasion Methodology](https://i.blackhat.com/us-18/Wed-August-8/us-18-Graeber-Subverting-Sysmon-Application-Of-A-Formalized-Security-Product-Evasion-Methodology-wp.pdf), by Matt Graeber, Lee Christensen, 2018 * [WmiEventConsumerClassDerivation.ps1](https://gist.github.com/mattifestation/f38a79c7983208aa230030f61dfeb767), diff --git a/docs/write_blockers.md b/docs/write_blockers.md index 3716e9a0e..d7a380a17 100644 --- a/docs/write_blockers.md +++ b/docs/write_blockers.md 
@@ -46,14 +46,12 @@ NIST test results are here: ## Commercial -[ICS Drive Lock](http://www.ics-iq.com/Super-DriveLock-Write-Blocker-Write-Protector-p/f.gr-0028-0000.htm) - -[MyKey Technology, Inc.](http://www.mykeytech.com/) NoWrite FPU and FlashBlock II +[MyKey Technology, Inc.](https://www.mykeytech.com/) NoWrite FPU and FlashBlock II 1.8"/2.5"/3.5"/ IDE to IDE, FireWire/USB to IDE & SATA, all media types - NIST Ver. 2 accepted -[Tableau](tableau.md) write blockers for IDE, SATA, SCSI, USB NIST Ver. 1 accepted - +Tableau write blockers for IDE, SATA, SCSI, USB NIST Ver. 1 accepted + WiebeTech write-blockers for almost any disk drive: 2.5"/3.5" IDE, SCSI, SATA, ... NIST Ver. 1 accepted @@ -73,9 +71,7 @@ open up the case, and speed since they do not become a bottle neck. ## Commercial -[SAFE Block XP](safe_block_xp.md) -SAFE Block XP is a software-based write blocker designed for the Windows -XP Operating System. It comes in both 32 and 64 bit options. NIST Ver. -1.2 accepted - - +* [SAFE Block XP](safe_block_xp.md) + SAFE Block XP is a software-based write blocker designed for the Windows XP + Operating System. It comes in both 32 and 64 bit options. NIST Ver. 1.2 + accepted.
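Review bot: in the docs/windows.md hunk at `@@ -421,17 +421,12 @@`, the replaced entry still reads "Estoteric Hooks" while the new GitHub URL ends in `Esoteric%20Hooks.pdf`; the link title should match the file and the author's actual title, i.e. `* [Esoteric Hooks](https://github.com/ionescu007/HookingNirvana/blob/master/Esoteric%20Hooks.pdf),`. The same hunk also drops the NSA "Spotting the Adversary with Windows Event Log Monitoring" entry without a replacement, unlike the Vista Recycle Bin entry, which only loses its duplicate here and survives in the Recycle Bin section below; if the nsa.gov URL is the problem, keeping the citation with an archived copy or without a link preserves a reference the Windows event log material depends on.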
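Review bot: in the docs/winfe.md hunk at `@@ -27,16 +27,15 @@`, removing the `[3](http://www.ramsdens.org.uk/)` citation also removed the sentence-ending period, so the rewrapped paragraph now runs two sentences together: "provides a GUI for disk toggling Colin Ramsden's write protect tool effectively replaces ...". Restore the period after "disk toggling" (and consider keeping the Ramsden reference, since the 2012 tool now has no source in the page at all after the `-71` hunk deletes it from Resources as well). While the list markers are being normalized from `-` to `*`, the trailing punctuation on the items is still mixed ("FTK Imager,", "ProDiscover", "RegRipper)."; "X-Ways Forensics),"); drop the trailing commas and period so all five items end the same way.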
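Review bot: in the docs/winfe.md hunk at `@@ -63,7 +62,7 @@`, renumbering `[4](forensic_live_cd_issues.md)` to `[1]` leaves the page's bracketed references out of sequence, since the context of the previous hunk still shows `WinBuilder [2](http://reboot.pro)` earlier in the file; either renumber `[2]` as well or keep this one as `[2]`/`[3]` in reading order. The stray space and closing parenthesis in `[1](forensic_live_cd_issues.md) ).` are also still there and should become `[1](forensic_live_cd_issues.md).`.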
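Review bot: in the docs/wmi.md hunk at `@@ -58,10 +57,6 @@`, the "Windows Management Instrumentation (WMI) Offense, Defense, and Forensics" whitepaper and its BSides Las Vegas presentation by Ballenthin, Graeber and Teodorescu are removed outright; this is the primary forensic reference for WMI repository analysis on the page, and the commit message ("cleanup_wip") gives no reason. If the entry was moved into docs/mandiant.md (which this patch also touches), leave a pointer here; otherwise restore it. Unrelated to the change but visible in the hunk context: "Asyncronous" in the Graeber 2015 title should read "Asynchronous".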
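Review bot: in the docs/write_blockers.md hunk at `@@ -46,14 +46,12 @@`, replacing `[Tableau](tableau.md) write blockers` with plain `Tableau write blockers` removes an internal link to a page in this same docs tree rather than a dead external URL; unless tableau.md is being deleted elsewhere in this patch (it is not in the file list), keep the cross-reference. The ICS Drive Lock entry is dropped with no replacement; if only the vendor URL is dead, keeping the product name unlinked is the lesser loss.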
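Review bot: in the docs/write_blockers.md hunk at `@@ -73,9 +71,7 @@`, the SAFE Block XP entry becomes a `*` bullet with indented continuation lines while the entries in the hardware "## Commercial" section above it (MyKey, Tableau, WiebeTech) remain free-standing paragraphs, so the two sections now use different layouts for the same kind of item; pick one form for both. The new text also ends with "accepted." where the other entries end with "accepted" without a period, and the hunk shows no trailing newline after the last `+` line, which is worth checking before merging.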