From d1a3d8b1d5305eb9f3083442e74b0f9a00bcccc2 Mon Sep 17 00:00:00 2001 From: Joachim Metz Date: Tue, 28 Nov 2023 11:29:17 -0800 Subject: [PATCH] Removed dead references (#194) --- ...demic_forensics_programs_graduate_level.md | 92 ++++----- docs/adrian_santangelo.md | 2 - docs/bibliography.md | 2 +- docs/caine_live_cd.md | 2 +- docs/cloud_forensics_research.md | 2 +- docs/extended_file_system_(ext).md | 45 ++--- ...amous_cases_involving_digital_forensics.md | 11 +- docs/fernico.md | 7 +- docs/fernico_zrt.md | 21 --- ...rnational_business_machines_corporation.md | 8 +- docs/ivpn.md | 6 +- docs/linux_memory_analysis.md | 16 +- docs/list_of_volatility_plugins.md | 14 +- docs/mac_os_x.md | 2 - docs/machine_translation.md | 27 +-- docs/national_software_reference_library.md | 21 ++- docs/shell_item.md | 36 ++-- docs/timeline_analysis.md | 57 +++--- docs/tools.md | 176 ++---------------- docs/tools_memory_imaging.md | 34 +--- 20 files changed, 176 insertions(+), 405 deletions(-) delete mode 100644 docs/fernico_zrt.md diff --git a/docs/academic_forensics_programs_graduate_level.md b/docs/academic_forensics_programs_graduate_level.md index f4732623f..b80b0a82e 100644 --- a/docs/academic_forensics_programs_graduate_level.md +++ b/docs/academic_forensics_programs_graduate_level.md 
@@ -5,67 +5,67 @@ tags: --- ## US Programs -- [American InterContinental University](https://www.aiuniv.edu/degrees/criminal-justice/bachelors-forensic-science) -- [Arizona State University](https://globalsecurity.asu.edu/expertise/cybersecurity-and-trusted-foundations/) -- [Boston University](https://www.bu.edu/met/degrees-certificates/digital-forensics-graduate-certificate/) -- California Sciences Institute -- [Carnegie Mellon University](https://csd.cmu.edu/academics/masters/overview) -- [Champlain College](https://online.champlain.edu/degrees-certificates/masters-digital-forensic-science) -- Dartmouth College -- George Mason University -- George Washington University -- [John Jay College](http://www.jjay.cuny.edu/master-science-digital-forensics-and-cybersecurity) -- [Michigan State University](https://cj.msu.edu/graduates/forensic-science/forensic-home.html) -- [Maryville University](https://online.maryville.edu/online-masters-degrees/cyber-security/) -- Naval Postgraduate School -- Polytechnic Institute of New York University -- Purdue University -- Sam Houston State University -- Stevenson University -- Texas State University -- [University of Alabama-Birmingham](https://businessdegrees.uab.edu/mis-degree-masters/) -- [University of Albany-SUNY](https://www.albany.edu/business/programs/bs-digital-forensics) -- [University of Central Florida](https://www.ucf.edu/online/degree/digital-forensics-m-s/) -- University of Massachusetts, Amherst -- University of New Haven -- [University of New Orleans](https://www.uno.edu/academics/cos/computer-science) -- [University of Rhode Island](https://web.uri.edu/cs/dfcsc/) -- University of Texas at San Antonio -- Utica College +* [American InterContinental University](https://www.aiuniv.edu/degrees/criminal-justice/bachelors-forensic-science) +* [Arizona State University](https://globalsecurity.asu.edu/expertise/cybersecurity-and-trusted-foundations/) +* [Boston 
University](https://www.bu.edu/met/degrees-certificates/digital-forensics-graduate-certificate/) +* California Sciences Institute +* [Carnegie Mellon University](https://csd.cmu.edu/academics/masters/overview) +* [Champlain College](https://online.champlain.edu/degrees-certificates/masters-digital-forensic-science) +* Dartmouth College +* George Mason University +* George Washington University +* [John Jay College](http://www.jjay.cuny.edu/master-science-digital-forensics-and-cybersecurity) +* [Michigan State University](https://cj.msu.edu/graduates/forensic-science/forensic-home.html) +* [Maryville University](https://online.maryville.edu/online-masters-degrees/cyber-security/) +* Naval Postgraduate School +* Polytechnic Institute of New York University +* Purdue University +* Sam Houston State University +* Stevenson University +* Texas State University +* [University of Alabama-Birmingham](https://businessdegrees.uab.edu/mis-degree-masters/) +* [University of Albany-SUNY](https://www.albany.edu/business/programs/bs-digital-forensics) +* [University of Central Florida](https://www.ucf.edu/online/degree/digital-forensics-m-s/) +* University of Massachusetts, Amherst +* University of New Haven +* [University of New Orleans](https://www.uno.edu/academics/cos/computer-science) +* [University of Rhode Island](https://web.uri.edu/cs/dfcsc/) +* University of Texas at San Antonio +* Utica College [Online](http://www.onlineuticacollege.com/programs/computer-forensics-specialization.asp)\] -- [Center for Information Security University of Tulsa](http://www.cis.utulsa.edu/) -- [West Virginia University](https://forensics.wvu.edu/) +* [Center for Information Security University of Tulsa](http://www.cis.utulsa.edu/) +* [West Virginia University](https://forensics.wvu.edu/) ## Europe -- [Cranfield University, UK](http://www.cranfield.ac.uk/cds/postgraduatestudy/forensiccomputing/index.jsp) -- [Limerick Institute of 
Technology](http://www.lit.ie/departments/IT/MSC_Computing.html) -- [University of Amsterdam](http://www.studeren.uva.nl/ma-forensic-science) -- University of Bradford -- University of East London -- University College Dublin -- [University of Technology, Mauritius](https://www.utm.ac.mu/) -- [University of Strathclyde](http://www.strath.ac.uk/science/forensicinformatics/) -- [University of Glamorgan, Wales, UK](http://www.glam.ac.uk/coursedetails/685/549) -- [University of Applied Sciences Albstadt-Sigmaringen, Germany](http://www.digitaleforensik.com), +* [Cranfield University, UK](http://www.cranfield.ac.uk/cds/postgraduatestudy/forensiccomputing/index.jsp) +* [Limerick Institute of Technology](http://www.lit.ie/departments/IT/MSC_Computing.html) +* [University of Amsterdam](http://www.studeren.uva.nl/ma-forensic-science) +* University of Bradford +* University of East London +* University College Dublin +* [University of Technology, Mauritius](https://www.utm.ac.mu/) +* [University of Strathclyde](http://www.strath.ac.uk/science/forensicinformatics/) +* [University of Glamorgan, Wales, UK](http://www.glam.ac.uk/coursedetails/685/549) +* [University of Applied Sciences Albstadt-Sigmaringen, Germany](http://www.digitaleforensik.com), Master of Science, Digital Forensics, in cooperation with University of Mannheim and University of Tübingen, Germany ## Asia -- [Zayed University UAE](http://www.zu.ac.ae/main/en/colleges/colleges/college_information_technology/graduate_certificate_programs/cr_invest/intro.aspx) +* [Zayed University UAE](http://www.zu.ac.ae/main/en/colleges/colleges/college_information_technology/graduate_certificate_programs/cr_invest/intro.aspx) ## Australasia -- [Edith Cowan University, Perth, Western 
Australia](http://www.ecu.edu.au/future-students/our-courses/browse?sq_content_src=%2BdXJsPWh0dHAlM0ElMkYlMkZ3ZWJzZXJ2aWNlcy53ZWIuZWN1LmVkdS5hdSUyRmZ1dHVyZS1zdHVkZW50cyUyRmNvdXJzZS12aWV3LnBocCUzRmlkJTNEMDAwMDAwMTQ1MSUyNmxvY2F0aW9uJTNEdG9wbGV2ZWwmYWxsPTE%3D) +* [Edith Cowan University, Perth, Western Australia](http://www.ecu.edu.au/future-students/our-courses/browse?sq_content_src=%2BdXJsPWh0dHAlM0ElMkYlMkZ3ZWJzZXJ2aWNlcy53ZWIuZWN1LmVkdS5hdSUyRmZ1dHVyZS1zdHVkZW50cyUyRmNvdXJzZS12aWV3LnBocCUzRmlkJTNEMDAwMDAwMTQ1MSUyNmxvY2F0aW9uJTNEdG9wbGV2ZWwmYWxsPTE%3D) ## Africa -- [University of Cape Town](http://www.commerce.uct.ac.za/InformationSystems/Courses/inf4016w/) +* [University of Cape Town](http://www.commerce.uct.ac.za/InformationSystems/Courses/inf4016w/) ## See Also -- [AAFS](http://www.aafs.org/default.asp?section_id=resources&page_id=colleges_and_universities) -- [Digital Forensics Association List](http://www.digitalforensicsassociation.org/formal-education/) -- [Forensics Focus List](https://forensicfocus.com/computer-forensics-education-directory) -- [Master's Thesis: The Development of a Standard Digital Forensics Master's Curriculum](http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=1010&context=techmasters&sei-redir=1#search=%22katie%20strzempka%20thesis%22) +* [AAFS](http://www.aafs.org/default.asp?section_id=resources&page_id=colleges_and_universities) +* [Digital Forensics Association List](http://www.digitalforensicsassociation.org/formal-education/) +* [Forensics Focus List](https://forensicfocus.com/computer-forensics-education-directory) +* [Master's Thesis: The Development of a Standard Digital Forensics Master's Curriculum](https://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=1010&context=techmasters&sei-redir=1#search=%22katie%20strzempka%20thesis%22) diff --git a/docs/adrian_santangelo.md b/docs/adrian_santangelo.md index 2141dd14c..ae8385b91 100644 --- a/docs/adrian_santangelo.md +++ b/docs/adrian_santangelo.md 
@@ -31,8 +31,6 @@ adrian_santangelo. ## External Links -* [ISC Unlimited (no longer maintained)](https://www.interpretingtech.com/) -* [Interpreting Technology](https://www.interpretingtech.com/) * [LinkedIn Profile](https://www.linkedin.com/in/AdrianSantangelo/) * [Business Facebook Page](https://www.facebook.com/InterpretingTech) * [Personal Facebook Page](https://www.facebook.com/adrian.santangelo/) diff --git a/docs/bibliography.md b/docs/bibliography.md index c2c72984f..a643917d2 100644 --- a/docs/bibliography.md +++ b/docs/bibliography.md @@ -6,7 +6,7 @@ tags: - [SSD Forensics 2014. Recovering Evidence from SSD Drives: Understanding TRIM, Garbage Collection and Exclusions](https://belkasoft.com/ssd-2014), by Yuri Gubanov and Oleg Afonin, 2014 -- [Why SSD Drives Destroy Court Evidence, and What Can Be Done About It](http://forensic.belkasoft.com/download/info/SSD%20Forensics%202012.pdf), +- [Why SSD Drives Destroy Court Evidence, and What Can Be Done About It](https://belkasoft.com/why-ssd-destroy-court-evidence), by Oleg Afonin and Yuri Gubanov, 2012 - [Disk Imaging: A Vital Step in Data Recovery](https://www.deepspar.com/pdf/DeepSparDiskImagingWhitepaper3.pdf), DeepSpar Data Recovery Systems, November 2006. An in depth look at the diff --git a/docs/caine_live_cd.md b/docs/caine_live_cd.md index 98b0db3c8..4ae2dafa0 100644 --- a/docs/caine_live_cd.md +++ b/docs/caine_live_cd.md 
@@ -184,7 +184,7 @@ at the University of Udine. - [Softpedia](https://news.softpedia.com/news/CAINE-3-0-a-Tool-for-Digital-Forensics-297461.shtml) - [gustavopimental.com.ar](http://gustavopimentel.com.ar/) - [concise-courses.com](https://www.concise-courses.com/hacking-tools/top-ten/) -- [ilsoftware.it](https://www.ilsoftware.it/articoli.asp?tag=CAINE-progetto-italiano-per-la-computer-forensics_5656) +- [ilsoftware.it](https://www.ilsoftware.it/caine-progetto-italiano-per-la-computer-forensics_5656) - [dragonjar.org](https://www.dragonjar.org/distribucion-live-cd-analisis-forense.xhtml) - [Attestato Marenostrum V.F.F.](http://nannibassetti.com/dblog/articolo.asp?articolo=156) - [LinuxFormat](https://www.linuxformat.com/archives?issue=151) diff --git a/docs/cloud_forensics_research.md b/docs/cloud_forensics_research.md index e1bc45632..faad443fa 100644 --- a/docs/cloud_forensics_research.md +++ b/docs/cloud_forensics_research.md @@ -235,7 +235,7 @@ location="Monterey, CA", ` year={2010},` ` address={New York, NY, USA},` ` organization={ACM},` -` url="`[`http://bbcr.uwaterloo.ca/~rxlu/paper/asiaccs185-lu.pdf`](http://bbcr.uwaterloo.ca/~rxlu/paper/asiaccs185-lu.pdf)`"` +` url="`[`https://dl.acm.org/doi/10.1145/1755688.1755723`](https://dl.acm.org/doi/10.1145/1755688.1755723)`"` } diff --git a/docs/extended_file_system_(ext).md b/docs/extended_file_system_(ext).md index 60db8fc07..2b0dbba9e 100644 --- a/docs/extended_file_system_(ext).md +++ b/docs/extended_file_system_(ext).md 
@@ -9,48 +9,39 @@ of: ext, ext2, ext3, ext4 ## Ext2 -**ext2** or the **second extended file system** is a -[Linux](linux.md) filesystem designed as a replacement for ext. -Note that ext3 is mostly compatible with ext2. +**ext2** or the **second extended file system** is a [Linux](linux.md) +file system designed as a replacement for ext. ## Ext3 -**ext3** or the **third extended file system** is a -[Linux](linux.md) filesystem. Its main advantage over ext2 is -journalling which improves reliability and eliminates the need to check -the file system after an unclean shutdown. +**ext3** or the **third extended file system** is a [Linux](linux.md) +file system. Its main advantage over ext2 is journalling which improves +reliability and eliminates the need to check the file system after an unclean +shutdown. + +Note that ext3 is mostly compatible with ext2. ## Ext4 -... +**ext4** or the **fourth extended file system** is a [Linux](linux.md) +file system. ## External Links ### Ext2 -- [Wikipedia article on EXT2](https://en.wikipedia.org/wiki/Ext2) -- [Layout of the EXT2 Filesystem](http://www.nongnu.org./ext2-doc/ext2.html) -- [Linux Ext2fs Undeletion mini-HOWTO](http://fedora.linuxsir.org/doc/ext2undelete/Ext2fs-Undeletion.html) -- [Using ext2 on other systems](http://blog.boreas.ro/2007/11/ext2-filesystem-for-linux-and-solaris.html) +* [Wikipedia article on ext2](https://en.wikipedia.org/wiki/Ext2) +* [Layout of the ext2 Filesystem](http://www.nongnu.org./ext2-doc/ext2.html) +* [Linux Ext2fs Undeletion mini-HOWTO](http://fedora.linuxsir.org/doc/ext2undelete/Ext2fs-Undeletion.html) +* [Using ext2 on other systems](http://blog.boreas.ro/2007/11/ext2-filesystem-for-linux-and-solaris.html) ### Ext3 -- [Wikipedia article on EXT3](https://en.wikipedia.org/wiki/Ext3) -- [Why Recovering a Deleted Ext3 File Is Difficult (by Brian Carrier)](http://linux.sys-con.com/node/117909) +* [Wikipedia article on ext3](https://en.wikipedia.org/wiki/ext3) ## Tools -Tools that can be used to 
perform recovery of data from an EXT2 file -system - -- [The Sleuth Kit](the_sleuth_kit.md) -- R-Studio - -Data carving tools that support the ext2 file system: - -- [Belkasoft Evidence Center](belkasoft.md) -- [Foremost](foremost.md) -- [Scalpel](scalpel.md) +Tools that can be used to perform recovery of data from an ext2 file system. -**Note that it is unclear what is meant with "support" here this needs some -elaboration.** +* [The Sleuth Kit](the_sleuth_kit.md) +* R-Studio diff --git a/docs/famous_cases_involving_digital_forensics.md b/docs/famous_cases_involving_digital_forensics.md index 077799dde..4b1c28084 100644 --- a/docs/famous_cases_involving_digital_forensics.md +++ b/docs/famous_cases_involving_digital_forensics.md @@ -18,7 +18,7 @@ relationship between Theer and Diamond, and messages documenting the conspiracy to murder Theer's husband. Theer was found guilty on December 3, 2004 of murder and conspiracy and sentenced to life in prison[^2]. -### 2002 [Scott Tyree](http://en.wikipedia.org/wiki/Scott_Tyree) +### 2002 Scott Tyree *Postings on Yahoo reveal a kidnapping* 
@@ -34,12 +34,9 @@ who had used the screen name, then contacted Verizon to learn the name and physical address of the Verizon subscriber to whom that IP address had been assigned. It was Scott William Tyree. -- [article on the - abduction](https://www.covenanteyes.com/2012/01/13/caught-by-a-predator-10-years-after-her-abduction/) -- [Popular Mechanics - article](https://www.popularmechanics.com/technology/security/how-to/a630/2672751/) -- [Congressional testimony of Alicia - Kozakiewicz](http://notonemorechild.org/map/9) +* [article on the abduction](https://www.covenanteyes.com/2012/01/13/caught-by-a-predator-10-years-after-her-abduction/) +* [Popular Mechanics article](https://www.popularmechanics.com/technology/security/how-to/a630/2672751/) +* [Congressional testimony of Alicia Kozakiewicz](http://notonemorechild.org/map/9) ### 2005 [Dennis Rader](https://en.wikipedia.org/wiki/Dennis_Rader) --- The "BTK" Serial Killer diff --git a/docs/fernico.md b/docs/fernico.md index bca2adcaf..317e2d1e2 100644 --- a/docs/fernico.md +++ b/docs/fernico.md @@ -1,9 +1,8 @@ --- tags: - - Organization - - Articles that need to be expanded + - Organization + - Articles that need to be expanded --- ## External Links -- [Official website](https://www.fernico.com/) - +* [Official website](https://www.fernico.us/) diff --git a/docs/fernico_zrt.md b/docs/fernico_zrt.md deleted file mode 100644 index 869bdeed2..000000000 --- a/docs/fernico_zrt.md +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -tags: - - Cell Phone Tools ---- -The [Fernico](fernico.md) ZRT Cell Phone Examination tool is a -manual examination and reporting tool for cell phones. It reportedly -takes photograph of the screen and merges those photos into custom -designed report templates. Because it is a physical capture device, it -will not work with devices that are locked for which no password or -exploit is known. - -ZRT allows investigators to pull data off a mobile device when all other -tools won’t work. Still displays, video and audio can be extracted using -ZRT. It can save investigators days of work time in manually acquiring a -mobile device. In one click, ZRT will also produce a professional custom -report that includes all evidence obtained from the mobile device. - -## External Links - -- [ZRT 2 HD Overview](http://www.fernico.com/zrt2.htm) - diff --git a/docs/international_business_machines_corporation.md b/docs/international_business_machines_corporation.md index aea00d7c8..da74110a0 100644 --- a/docs/international_business_machines_corporation.md +++ b/docs/international_business_machines_corporation.md @@ -1,12 +1,12 @@ --- tags: - - Articles that need to be expanded - - Organization + - Articles that need to be expanded + - Organization --- **International Business Machines Corporation** (**IBM**) is a computer hardware and software vendor. ## External Links -- [Official website](https://www.ibm.com/ch-de) -- [Wikipedia: IBM](https://en.wikipedia.org/wiki/IBM) \ No newline at end of file +* [Official website](https://www.ibm.com/) +* [Wikipedia: IBM](https://en.wikipedia.org/wiki/IBM) diff --git a/docs/ivpn.md b/docs/ivpn.md index abb469518..6f61ff967 100644 --- a/docs/ivpn.md +++ b/docs/ivpn.md @@ -1,6 +1,6 @@ --- tags: - - No Category + - Software --- **iVPN.net** is a commercial VPN service focused on multihop [VPN](vpn.md) connections. Traffic is routed via multiple 
@@ -14,6 +14,4 @@ to their customers activities. ## External Links -- [Official website](https://www.ivpn.net/) -- [Comparison of VPN - protocols](https://www.ivpn.net//pptp-vs-lt2p-vs-openvpn.php) \ No newline at end of file +* [Official website](https://www.ivpn.net) diff --git a/docs/linux_memory_analysis.md b/docs/linux_memory_analysis.md index cbd844e17..24c532375 100644 --- a/docs/linux_memory_analysis.md +++ b/docs/linux_memory_analysis.md @@ -22,10 +22,9 @@ Active Open Source Projects: number of features, as well as its own acquisition tools. It is usable as a library and is used as such in the GRR remote live forensics project. -- The [Red Hat Crash Utility](http://people.redhat.com/anderson/) is an - extensible Linux kernel core dump analysis program. Although designed - as a debugging tool, it also has been utilized for memory forensics. - See, for example, the [2008 DFRWS challenge write-up by AAron Walters](http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-major.html). +- The Red Hat Crash Utility is an extensible Linux kernel core dump analysis + program. Although designed as a debugging tool, it also has been utilized for + memory forensics. See, for example, the [2008 DFRWS challenge write-up by AAron Walters](http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-major.html). (Availability/License: GNU GPL) Commercial Products: @@ -53,8 +52,7 @@ Inactive Open Source and Research Projects: - [Volatilitux](https://code.google.com/archive/p/volatilitux) is another Linux memory forensics tool written in Python. (Availability/License: GNU GPL) -- Idetect (Linux) is an older - implementation of Linux memory analysis. +- Idetect is an older implementation of Linux memory analysis. ## Linux Memory Analysis Challenges 
@@ -68,12 +66,6 @@ Inactive Open Source and Research Projects: included forensic analysis of a memory image from a potentially compromised Linux server. -## Linux Memory Images - -Aside from those in the challenges referenced above, sample Linux memory -images can also be found on the Second Look website at -. - ## Linux Memory Analysis Bibliography - [Digital Forensics of the Physical Memory](http://forensic.seccure.net/pdf/mburdach_digital_forensics_of_physical_memory.pdf) M. diff --git a/docs/list_of_volatility_plugins.md b/docs/list_of_volatility_plugins.md index b4b4e7e77..96eb7129c 100644 --- a/docs/list_of_volatility_plugins.md +++ b/docs/list_of_volatility_plugins.md @@ -51,14 +51,12 @@ on the [project Googlecode site](https://code.google.com/archive/p/volatility). (By [Moyix](https://moyix.blogspot.com/2008/10/plugin-post-moddump.html)) - Dump out a kernel module (aka driver) -- [Registry - tools](https://sites.cc.gatech.edu/~brendan/volatility/dl/volreg-0.6.tar.gz) +- [Registry tools](https://sites.cc.gatech.edu/~brendan/volatility/dl/volreg-0.6.tar.gz) (By [Moyix](https://moyix.blogspot.com/2009/01/memory-registry-tools.html)) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys. -- [Modified Regripper & Glue - Code](https://sites.cc.gatech.edu/~brendan/volatility/dl/volrip-0.1.tar.gz) +- [Modified Regripper & Glue Code](https://sites.cc.gatech.edu/~brendan/volatility/dl/volrip-0.1.tar.gz) (By [Moyix](https://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html)) - Code to run a modified RegRipper against the registry hives embedded 
@@ -115,13 +113,11 @@ on the [project Googlecode site](https://code.google.com/archive/p/volatility). [Scudette](http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html)) - Produces a tree-style listing of processes - [vol2html](http://gleeda.blogspot.com/2009/03/briefly-vol2html-update.html) - (By [Jamie Levy AKA - Gleeda](http://gleeda.blogspot.com/2008/11/vol2html-perl-script.html)) - + (By [Jamie Levy AKA Gleeda](http://gleeda.blogspot.com/2008/11/vol2html-perl-script.html)) - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless. -- [SQLite](http://jls-scripts.googlecode.com/files/vol_sql-0.2.tgz) (By - [Jamie Levy AKA - Gleeda](http://gleeda.blogspot.com/2010/01/volatilitys-output-rendering-functions.html)) - +- SQLite, + by [Jamie Levy AKA Gleeda](http://gleeda.blogspot.com/2010/01/volatilitys-output-rendering-functions.html) - Allows one to place Volatility output into a SQLite3 Database ## Other Helper Tools diff --git a/docs/mac_os_x.md b/docs/mac_os_x.md index a0d71e8d2..8145c1601 100644 --- a/docs/mac_os_x.md +++ b/docs/mac_os_x.md @@ -252,8 +252,6 @@ Mac OS. * [NSKeyedArchiver files – what are they, and how can I use them?](https://digitalinvestigation.wordpress.com/2012/04/04/geek-post-nskeyedarchiver-files-what-are-they-and-how-can-i-use-them/) * [Command Line ALF on Mac OS X](https://krypted.com/mac-os-x/command-line-alf-on-mac-os-x/) * [mac-security-tips](https://code.google.com/archive/p/mac-security-tips/wikis/ALL_THE_TIPS.wiki) -* [Mac OS X Forensics](https://www.ma.rhul.ac.uk/static/techrep/2015/RHUL-MA-2015-8.pdf), - by Joaquin Moreno Garijo, March 4, 2015 * [Hidden backdoor API to root privileges in Apple OS X](https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/), by Emil Kvarnhammar, April 9, 2015 * [Max OS X Internals book (1st ed)](http://newosxbook.com/1stEdIsFree.html) by Jonathan Levin PDF 
diff --git a/docs/machine_translation.md b/docs/machine_translation.md index 4a1be126c..d94cd0fa0 100644 --- a/docs/machine_translation.md +++ b/docs/machine_translation.md 
@@ -4,26 +4,17 @@ tags: --- ### References -- [An evaluation of the accuracy of online translation - systems](http://findarticles.com/p/articles/mi_7099/is_4_9/ai_n56337599/) -- [Systran Reviews - Case - Studies](http://www.translationsoftware4u.com/sys-testimonies.php) -- [Spanish-to-English Translation Using the - Web](http://www.swdsi.org/swdsi06/Proceedings06/Papers/IBT04.pdf), +- [An evaluation of the accuracy of online translation systems](https://scholarworks.lib.csusb.edu/cgi/viewcontent.cgi?article=1122&context=ciima) +- [Systran Reviews - Case Studies](http://www.translationsoftware4u.com/sys-testimonies.php) +- [Spanish-to-English Translation Using the Web](http://www.swdsi.org/swdsi06/Proceedings06/Papers/IBT04.pdf), Milam W. Aiken, SWDSI 2006 -- [Me Translate Pretty One - Day](https://www.wired.com/2006/12/translate/), Issue +- [Me Translate Pretty One Day](https://www.wired.com/2006/12/translate/), Issue 14.12 - December 2006 -- [Dispelling the myths of machine - translation](https://www.tcworld.info/index.php?id=91),By Uwe Muegge +- [Dispelling the myths of machine translation](https://www.tcworld.info/index.php?id=91),By Uwe Muegge August 2008 -- [Evaluation of Translation - Technology](http://www.lans-tts.be/docs/lans8-2009-intro.pdf), Walter +- [Evaluation of Translation Technology](http://www.lans-tts.be/docs/lans8-2009-intro.pdf), Walter Daelemans, University of Antwerp, 2009 -- [Empirical Machine Translation and its - Evaluation](http://www.sepln.org/monografiasSEPLN/monografia-jgimenez-sepln.pdf) +- [Empirical Machine Translation and its Evaluation](http://www.sepln.org/monografiasSEPLN/monografia-jgimenez-sepln.pdf) Jesús Ángel Giménez Linares, -- [Evaluation of a Machine Translation System for Low Resource - Languages: - METIS-II](http://www.lrec-conf.org/proceedings/lrec2008/pdf/116_paper.pdf), - Vincent Vandeghinste, etc., LREC 2008 \ No newline at end of file +- [Evaluation of a Machine Translation System for Low Resource Languages: 
METIS-II](http://www.lrec-conf.org/proceedings/lrec2008/pdf/116_paper.pdf), + Vincent Vandeghinste, etc., LREC 2008 diff --git a/docs/national_software_reference_library.md b/docs/national_software_reference_library.md index e56d45d42..a3e1a6db4 100644 --- a/docs/national_software_reference_library.md +++ b/docs/national_software_reference_library.md @@ -1,6 +1,6 @@ --- tags: - - Hashing + - Hashing --- The **National Software Reference Library** (NSRL) is the National Institute of Standards and Technology's National Software Reference @@ -39,8 +39,8 @@ Each RDS consists of several files, but the hashes are stored in `NSRLFile.txt`. These files have a header followed by many hash records. The header denotes the columns in each file. (See the External Links for the complete specification). RDS files can be used directly with -programs like [md5deep](md5deep.md), -[FTK](forensic_toolkit.md), and [EnCase](encase.md). +programs like [md5deep](md5deep.md), [FTK](forensic_toolkit.md), and +[EnCase](encase.md). The file format has changed slightly over time. Releases occur four times per year. The latest version was dated 1 Mar 2013: @@ -50,14 +50,18 @@ times per year. The latest version was dated 1 Mar 2013: Starting in version 2.0, the NSRL moved the hashes to the start of each line and dropped the MD4 hash. The file header: - "SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode" +``` +"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode" +``` ### Version 1.5 Information on the older header version is kept here so that programs can read older files. The file header: - "SHA-1","FileName","FileSize","ProductCode","OpSystemCode","MD4","MD5","CRC32","SpecialCode" +``` +"SHA-1","FileName","FileSize","ProductCode","OpSystemCode","MD4","MD5","CRC32","SpecialCode" +``` `OpSystemCode` refers to the operating system code. The `SpecialCode` is a single character that can be used to mark records. A normal file has a 
@@ -65,8 +69,5 @@ blank value here. An `M` in this field denotes a malicious file. ## External Links -- [NSRL website](https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl) -- [NSRL RDS Data File - Format](https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrldocuments/Data-Formats-of-the-NSRL-Reference-Data-Set-14.pdf) - - Describes the format of the hash files - +* [NSRL website](https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl) +* [Data Formats of the NSRL Reference Data Set (RDS) Distribution](https://www.nist.gov/system/files/data-formats-of-the-nsrl-reference-data-set-16.pdf) diff --git a/docs/shell_item.md b/docs/shell_item.md index 89c28bc58..f5d95a862 100644 --- a/docs/shell_item.md +++ b/docs/shell_item.md @@ -18,10 +18,10 @@ value (field) and entry data. There are multiple types of entries to specify different parts of the "path": -- volume -- network share -- file and directory -- URI +* volume +* network share +* file and directory +* URI Some shell item entries contain date and time values which can be used in [Timeline Analysis](timeline_analysis.md). 
@@ -90,29 +90,27 @@ An example of a shell item list taken from **Calculator.lnk** ## See Also -- [Jump Lists](jump_lists.md) -- [LNK](lnk.md) +* [Jump Lists](jump_lists.md) +* [LNK](lnk.md) ## External Links -- [MSDN: Introduction to the Shell Namespace (Windows)](https://learn.microsoft.com/en-us/windows/win32/shell/namespace-intro) -- [Implementing the Basic Folder Object Interfaces](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/cc144093(v=vs.85)) -- [ShellBags Registry Forensics](https://www.sans.org/digital-forensics-incident-response/), +* [MSDN: Introduction to the Shell Namespace (Windows)](https://learn.microsoft.com/en-us/windows/win32/shell/namespace-intro) +* [Implementing the Basic Folder Object Interfaces](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/cc144093(v=vs.85)) +* [ShellBags Registry Forensics](https://www.sans.org/digital-forensics-incident-response/), by johnmccash, October 2008 -- [Shell Bag Format Analysis](http://42llc.net/?p=385), by Yogesh Khatri, - October 2009 (appears to be no longer available) -- [Using shellbag information to reconstruct user activities](http://old.dfrws.org/2009/proceedings/p69-zhu.pdf), +* [Using shellbag information to reconstruct user activities](http://old.dfrws.org/2009/proceedings/p69-zhu.pdf), by Yuandong Zhu, Pavel Gladyshev, Joshua James, 2009 -- [Windows Shell Item format](https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc), +* [Windows Shell Item format](https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc), by the libfwsi project, July 2010 (work in progress) -- [Computer Forensic Artifacts: Windows 7 Shellbags](https://www.sans.org/digital-forensics-incident-response/), +* [Computer Forensic Artifacts: Windows 7 Shellbags](https://www.sans.org/digital-forensics-incident-response/), Chad Tilbury, July 5, 2011 -- [MoVP 3.2 Shellbags in Memory, 
SetRegTime, and TrueCrypt Volumes](https://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html), +* [MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes](https://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html), by Jamie Levy, September 2012 -- [Shellbag Analysis, Revisited...Some Testing](http://windowsir.blogspot.com/2012/10/shellbag-analysis-revisitedsome-testing.html), +* [Shellbag Analysis, Revisited...Some Testing](http://windowsir.blogspot.com/2012/10/shellbag-analysis-revisitedsome-testing.html), by [Harlan Carvey](harlan_carvey.md), October 2012 -- [Shellbags Forensics: Addressing a Misconception (interpretation, step-by-step testing, new findings, and more)](https://www.4n6k.com/2013/12/shellbags-forensics-addressing.html), +* [Shellbags Forensics: Addressing a Misconception (interpretation, step-by-step testing, new findings, and more)](https://www.4n6k.com/2013/12/shellbags-forensics-addressing.html), by Dan Pullega, December 4, 2013 (RESTRICTED) -- [Part 5: USB Device Research – Directory Traversal Artifacts (Shell bagMRU Entries)](http://www.nicoleibrahim.com/part-5-usb-device-research-directory-traversal-artifacts-shell-bagmru-entries/), +* [Part 5: USB Device Research – Directory Traversal Artifacts (Shell bagMRU Entries)](http://www.nicoleibrahim.com/part-5-usb-device-research-directory-traversal-artifacts-shell-bagmru-entries/), by Nicole Ibrahim, December 31, 2013 -- [ReactOS: Shell Documentation](https://reactos.org/wiki/Shell_Documentation) +* [ReactOS: Shell Documentation](https://reactos.org/wiki/Shell_Documentation) diff --git a/docs/timeline_analysis.md b/docs/timeline_analysis.md index 11a4a3015..cabe8b28b 100644 --- a/docs/timeline_analysis.md +++ b/docs/timeline_analysis.md 
@@ -13,65 +13,74 @@ tags: ## Bibliography +#### Articles / Blogposts + +* [Targeted timelines - Part I](http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html), + by Kristinn Guðjónsson, February 22, 2013 +* [Let's talk about time](https://osdfir.blogspot.com/2021/06/lets-talk-about-time.html), + by Alexander Jäger, June 04, 2021 +* [Pearls and pitfalls of timeline analysis](https://osdfir.blogspot.com/2021/10/pearls-and-pitfalls-of-timeline-analysis.html), + by Joachim Metz, October 20, 2021 + ### Papers -- [Generating computer forensic supertimelines under Linux - A comprehensive guide for Windows-based disk images](http://forensicfocus.files.wordpress.com/2012/08/generating-computer-forensic-supertimelines-under-linux-a-comprehensive-guide-for-windows-based-disk-images1.pdf), +* [Generating computer forensic supertimelines under Linux - A comprehensive guide for Windows-based disk images](https://www.forensicfocus.com/stable/wp-content/uploads/2012/08/generating-computer-forensic-supertimelines-under-linux-a-comprehensive-guide-for-windows-based-disk-images1.pdf), by R. Carbone, C. Bean, August 2012 -- [Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images](https://apps.dtic.mil/dtic/tr/fulltext/u2/1003976.pdf), +* [Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images](https://apps.dtic.mil/dtic/tr/fulltext/u2/1003976.pdf), October 2011 -- [Computer forensic timeline visualization tool](http://www.dfrws.org/2009/proceedings/p78-olsson.pdf), +* [Computer forensic timeline visualization tool](http://www.dfrws.org/2009/proceedings/p78-olsson.pdf), by J. Olsson, M. 
Boldt, ScienceDirect Digital Investigation, Volume 6, September 2009 -- [Analysis of Time Information for Digital Investigation](http://forensic.korea.ac.kr/research/Conference/Analysis_of_Time_Information_for_Digital_Investigation.pdf), +* [Analysis of Time Information for Digital Investigation](https://ieeexplore.ieee.org/document/5331448), by Jewan Bang, BY Yoo, JS Kim, SJ Lee, NCM 2009, 5th International Joint Conference on INC, IMS, IDC, August 2009 -- [A Model Based Approach to Timestamp Evidence Interpretation](https://www.igi-global.com/articles/details.asp?ID=33298), +* [A Model Based Approach to Timestamp Evidence Interpretation](https://www.igi-global.com/articles/details.asp?ID=33298), by S. Willassen, International Journal of Digital Crime and Forensics, 1:2, 2009 -- [Digital Evidence with an Emphasis on Time](http://www.bth.se/fou/cuppsats.nsf/bbb56322b274389dc1256608004f052b/2e5256fe7d0e57d5c12574bd0072d894!OpenDocument), +* [Digital Evidence with an Emphasis on Time](http://www.bth.se/fou/cuppsats.nsf/bbb56322b274389dc1256608004f052b/2e5256fe7d0e57d5c12574bd0072d894!OpenDocument), by Olsson, Jens Master's Thesis, Blekinge Institute of Technology, September 2008. -- [The Use of File Timestamps in Digital Forensics](https://digifors.cs.up.ac.za/issa/2008/Proceedings/Full/43.pdf), +* [The Use of File Timestamps in Digital Forensics](https://digifors.cs.up.ac.za/issa/2008/Proceedings/Full/43.pdf), by R. Koen, M. Olivier, ISSA 2008, Johannesburg, South Africa, July 2008 -- [Methods for Enhancement of Timestamp Evidence in Digital Investigations](https://ntnuopen.ntnu.no/ntnu-xmlui/handle/11250/261472), -- by S. Willassen, PhD Dissertation, Norwegian University of Science and +* [Methods for Enhancement of Timestamp Evidence in Digital Investigations](https://ntnuopen.ntnu.no/ntnu-xmlui/handle/11250/261472), + by S. 
Willassen, PhD Dissertation, Norwegian University of Science and Technology, 2008 -- [Finding Evidence of Antedating in Digital Investigations](https://ieeexplore.ieee.org/document/4529317), +* [Finding Evidence of Antedating in Digital Investigations](https://ieeexplore.ieee.org/document/4529317), by S. Willassen, ARES 2008, Barcelona, Spain, March 2008 -- Hypothesis Based Investigation of Digital Timestamp, +* Hypothesis Based Investigation of Digital Timestamp, by S. Willassen, 4th IFIP WG 11.9 Workskop on Digital Evidence, Kyoto, Japan, January 2008 -- Timestamp Evidence Correlation by model based clock hypothesis testing, +* Timestamp Evidence Correlation by model based clock hypothesis testing, by S. Willassen, E-Forensics 2008, Adelaide, Australia, January 2008 -- [An Improved Clock Model for Translating Timestamps](http://www.infosec.jmu.edu/reports/jmu-infosec-tr-2007-001.pdf), +* [An Improved Clock Model for Translating Timestamps](http://www.infosec.jmu.edu/reports/jmu-infosec-tr-2007-001.pdf), by F. Buchholz, JMU-INFOSEC-TR-2007-001, James Madison University -- [A brief study of time](http://www.dfrws.org/2007/proceedings/p31-buchholz.pdf), +* [A brief study of time](http://www.dfrws.org/2007/proceedings/p31-buchholz.pdf), by F. Buchholz, B. Tjaden, Digital Investigation 2007:4S -- [The Rules of Time on NTFS File System](https://i.cs.hku.hk/~cisc/forensics/papers/RuleOfTime.pdf), +* [The Rules of Time on NTFS File System](https://i.cs.hku.hk/~cisc/forensics/papers/RuleOfTime.pdf), by K. Chow, F. Law, M. Kwan, P. Lai, 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, Washington, April 2007 -- [A correlation method for establishing provenance of timestamps in digital evidence](http://www.dfrws.org/2006/proceedings/13-%20Schatz.pdf), +* [A correlation method for establishing provenance of timestamps in digital evidence](http://www.dfrws.org/2006/proceedings/13-%20Schatz.pdf), by B. Schatz, G. Mohay, A. 
Clark, Digital Investigation 2006:3S -- [Formalizing Event Time Bouding in Digital Investigation](https://www.utica.edu/academic/institutes/ecii/publications/articles/B4A90270-B5A9-6380-68863F61C2F7603D.pdf), +* [Formalizing Event Time Bouding in Digital Investigation](https://www.utica.edu/academic/institutes/ecii/publications/articles/B4A90270-B5A9-6380-68863F61C2F7603D.pdf), by P. Gladyshev, A. Patel, International Journal of Digital Evidence, vol 4:2, 2005 -- Time and Date issues in forensic computing - a case study, +* Time and Date issues in forensic computing - a case study, by C. Boyd, P. Forster, Digital Investigation 2004:1 -- Unification of relative time frames for digital forensics, +* Unification of relative time frames for digital forensics, by M.W. Stevens, Digital Investigation 2004:1 -- [Dynamic Time & Date Stamp Analysis](https://www.utica.edu/academic/institutes/ecii/publications/articles/A048B1E4-B921-1DA3-EB227EE7F61F2053.pdf), +* [Dynamic Time & Date Stamp Analysis](https://www.utica.edu/academic/institutes/ecii/publications/articles/A048B1E4-B921-1DA3-EB227EE7F61F2053.pdf), M .C. Weil, International Journal of Digital Evidence, vol 1:2, 2002 - +#### Visualization -- ThemeRiver: In Search of Trends, Patterns, and Relationships, +* ThemeRiver: In Search of Trends, Patterns, and Relationships, by Susan Havre, Beth Hetzler, and Lucy Nowell, Battelle Pacific Northwest Division, Richland, Washington, 1999 -- [Timeline Visualization of Research Fronts](http://www.conceptsymbols.com/web/publications/2003_timelines.pdf), +* [Timeline Visualization of Research Fronts](http://www.conceptsymbols.com/web/publications/2003_timelines.pdf), by Steven A. Morris2, G. Yen, Zheng Wu, Benyam Asnake , School of Electrical and Computer Engineering, Oklahoma State University, Stillwater, Oklahoma. 
2003 -- [Visualizing gaps in time-based lists](http://well-formed-data.net/archives/26/visualizing-gaps-in-time-based-lists), +* [Visualizing gaps in time-based lists](http://well-formed-data.net/archives/26/visualizing-gaps-in-time-based-lists), by Moritz Stefaner, November 6, 2000 ## Tools diff --git a/docs/tools.md b/docs/tools.md index 0df741dce..b5ed34a98 100644 --- a/docs/tools.md +++ b/docs/tools.md @@ -29,13 +29,9 @@ any tool for more details. [LINReS](https://sourceforge.net/projects/linres/) by [NII Consulting Pvt. Ltd.](https://www.niiconsulting.com/) - - [SMART](smart.md) by [ASR Data](asr_data.md) - - [Second Look: Linux Memory Forensics](second_look.md) by Pikewerks Corporation ## Macintosh-based Tools @@ -46,12 +42,8 @@ any tool for more details. The Bundle includes macOS editions of Elcomsoft forensic tools for mobile and cloud data extraction. - - [Mac Marshal](mac_marshal.md) by [ATC-NY](https://www.atcorp.com/) - - [Recon for MAC OS X](recon_for_mac_os_x.md) by [Sumuri, LLC](sumuri_llc.md) @@ -63,16 +55,12 @@ Arsenal Recon offers unique and powerful tools to mount Windows disk images, reconstruct Windows Registries, and process Windows hibernation files. - - [Belkasoft Acquisition Tool](https://belkasoft.com/x) by [Belkasoft](belkasoft.md) BAT is a free utility to acquire a wide range of data sources: hard drives, running computers RAM memory, modern smartphones, and various types of clouds. The output can be analyzed with both Belkasoft and third-party tools. - - [Belkasoft Evidence Center](https://belkasoft.com/x) by [Belkasoft](belkasoft.md) BEC allows an investigator to perform all investigation steps: acquisition (aquire hard and removable drives, image smartphones and 
@@ -81,27 +69,19 @@ than 700 formats of various files and applications data), analysis (hex viewer, SQLite viewer, social graph building with communities detection etc) and reporting. - - [CD/DVD Inspector](https://www.infinadyne.com/cddvd_inspector.html) by [InfinaDyne](infinadyne.md) This is the only forensic-qualified tool for examinination of optical media. It has been around since 1999 and is in use by law enforcement, government and data recovery companies worldwide. - - [EMail Detective - Forensic Software Tool](email_detective_forensic_software_tool.md) by [Hot Pepper Technology, Inc](hot_pepper_technology_inc.md) - - [Elcomsoft Desktop Forensic Bundle](elcomsoft_desktop_forensic_bundle.md) by [Elcomsoft](elcomsoft.md) All password recovery tools for unlocking documents, decrypting archives and crypto containers. - - [Elcomsoft Premium Forensic Bundle](elcomsoft_premium_forensic_bundle.md) by [Elcomsoft](elcomsoft.md) 
@@ -109,76 +89,44 @@ A pack of every forensic tool of Elcomsoft for data extraction from mobile devices, unlocking documents, decrypting archives, breaking into encrypted containers, viewing and analyzing evidence. - - [EnCase](encase.md) by [Guidance Software](guidance_software.md) - - [Facebook Forensic Toolkit (FFT)](http://www.google.com) by [Afentis_forensics](afentis_forensics.md) eDiscovery toolkit to identify and clone full profiles; including wall posts, private messages, uploaded photos/tags, group details, graphically illustrate friend links, and generate expert reports. - - [Forensic Explorer (FEX)](forensic_explorer.md) by GetData Forensics - - [Forensic Toolkit (FTK)](forensic_toolkit.md) by [AccessData](accessdata.md) - - [ILook Investigator](ilook.md) by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS) - - Internet Evidence Finder (IEF) by [Magnet Forensics](https://www.magnetforensics.com/) - - Mercury Indexer by [MicroForensics, Inc.](http://www.microforensics.com/) - - [Nuix Desktop](nuix_desktop.md) by [Nuix Pty Ltd](nuix_pty_ltd.md) - - [OSForensics](https://www.osforensics.com/) by PassMark Software Pty Ltd - - P2 Power Pack by [Paraben](paraben_forensics.md) - - [Prodiscover](prodiscover.md) - - [Proof Finder](proof_finder.md) by [Nuix Pty Ltd](nuix_pty_ltd.md) - - [Safeback](safeback.md) by NTI and Armor Forensics - - [X-Ways Forensics](http://www.x-ways.net/forensics/index-m.html) by [X-Ways AG](x-ways_ag.md) - - [RecycleReader](recyclereader.md) by [Live-Forensics](live-forensics.md) A command line tool that outputs the contents of the recycle bin on XP, Vista and 7. - - [Dstrings](dstrings.md) by [Live-Forensics](live-forensics.md) A command line tool that searches for strings in a given file. It has 
@@ -187,23 +135,17 @@ to either exclude the dictionary terms in the output or only output files that match the dictionary. It also has the ability to search for IP Addresses and URLs/Email Addresses. - - [Unique](unique.md) by [Live-Forensics](live-forensics.md) A command line tool similar to the Unix uniq. Allows for unique string counts, as well as various sorting options. - - [HashUtil](hashutil.md) by [Live-Forensics](live-forensics.md) HashUtil.exe will calculate MD5, SHA1, SHA256 and SHA512 hashes. It has an option that will attempt to match the hash against the NIST/ISC MD5 hash databases. - - [WindowsSCOPE Pro, Ultimate, Live](https://www.windowsscope.com/) Comprehensive Windows Memory Forensics and Cyber Analysis, Incident Response, and Education support. @@ -216,23 +158,17 @@ Hardware based acquisition of memory on a locked computer via CaptureGUARD Gatew analysis of Windows computers on a network from Android phones and tablets. - - [MailXaminer](mailxaminer.md) by [SysTools](systools.md) Forensic & eDiscovery Tool to find digital email evidences from multiple email platform through its powerful Search mechanism. - - Twitter Forensic Toolkit (TFT) by [Afentis_forensics](afentis_forensics.md) eDiscovery toolkit to identify relevant Tweets, clone full profiles, download all tweets/media, data mine across comments, and generate expert reports. - - YouTube Forensic Toolkit (YFT) by [Afentis_forensics](afentis_forensics.md) eDiscovery toolkit to identify relevant online media, download/convert 
@@ -247,119 +183,83 @@ AFD, and [EnCase](encase.md) file formats. Work to support segmented raw, [iLook](ilook.md), and other formats is ongoing. - - [Autopsy](https://www.sleuthkit.org/autopsy/desc.php) - - [Bulk Extractor](bulk_extractor.md) Bulk Extractor provides digital media triage by extracting Features from digital media. - - [Bulk Extractor Viewer](bulk_extractor_viewer.md) Bulk Extractor Viewer is a browser UI for viewing Feature data extracted using [Bulk Extractor](bulk_extractor.md). - - [Digital Forensics Framework](digital_forensics_framework.md) DFF is cross-platform and open-source, user and developers oriented. It provide many features and is very modular. Our goal is to provide a powerful framework to the forensic community, so people can use only one tool during the analysis. - - [foremost](foremost.md) [Linux](linux.md) based file carving program - - [FTimes](ftimes.md) FTimes is a system baselining and evidence collection tool. - - [gfzip](gfzip.md) - - [gpart](gpart.md) Tries to *guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted*. - - [Hachoir](hachoir.md) A generic framework for binary file manipulation, it supports [FAT12](fat.md), [FAT16](fat.md), [FAT32](fat.md), [ext2/ext3](extended_file_system_(ext).md), Linux swap, MSDOS partition header, etc. Recognize file type. Able to find subfiles (hachoir-subfile). - - [hashdb](hashdb.md) A tool for finding previously identified blocks of data in media such as disk images. - - [IPED](https://github.com/sepinf-inc/IPED) An open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners. 
- - [magicrescue](https://github.com/jbj/magicrescue) - - The [Open Computer Forensics Architecture](open_computer_forensics_architecture.md) - - [pyflag](pyflag.md) Web-based, database-backed forensic and log analysis GUI written in Python. - - [Scalpel](scalpel.md) [Linux](linux.md) and [Windows](windows.md) file carving program originally based on [foremost](foremost.md). - - [scrounge-ntfs](https://github.com/lcorbasson/scrounge-ntfs) - - [The Sleuth Kit](the_sleuth_kit.md) - - [The Coroner's Toolkit (TCT)](http://www.porcupine.org/forensics/tct.html) ## [NDA](nda.md) and [scoped distribution](scoped_distribution.md) tools @@ -368,31 +268,20 @@ program originally based on [foremost](foremost.md). [LiveWire Investigator 2008](livewire_investigator.md) by [WetStone Technologies](wetstone_technologies_inc.md) - - P2 Enterprise Edition by [Paraben](paraben_forensics.md) - - [Elcomsoft Premium Forensic Bundle](elcomsoft_premium_forensic_bundle.md) by [Elcomsoft](elcomsoft.md) # Forensics Live CDs -[Kali Linux](kali_linux.md) -[](https://www.kali.org/) - - +[Kali Linux](kali_linux.md), [Official website](https://www.kali.org/) [KNOPPIX](knoppix.md) [](http://www.knopper.net/knoppix/index-en.html) - - [BackTrack Linux](backtrack.md) - - [Paladin Forensic Suite - Live Boot Ubuntu](paladin_forensic_suite_-_live_boot_ubuntu.md) ([Sumuri, LLC](sumuri_llc.md)) 
@@ -417,23 +306,20 @@ See: [Forensics Live CDs](live_cd.md) ## Cell Phone Forensics -[Belkasoft Evidence Center](https://belkasoft.com/x) -[BitPIM](bitpim.md) -[Cellebrite UFED](cellebrite_ufed.md) -[DataPilot Secure View](datapilot_secure_view.md) -[Elcomsoft Mobile Forensic Bundle](elcomsoft_mobile_forensic_bundle.md) -[.XRY](https://www.msab.com/) - -[Fernico ZRT](fernico_zrt.md) -ForensicMobile -LogiCube CellDEK -[MOBILedit!](mobiledit.md) -[Oxygen Forensic Suite](oxygen_forensic_suite.md) - -[Paraben Device Seizure](paraben_device_seizure.md) and [Paraben Device Seizure Toolbox](paraben_device_seizure_toolbox.md) - -[Serial Port Monitoring](serial_port_monitoring.md) +* [Belkasoft Evidence Center](https://belkasoft.com/x) +* [BitPIM](bitpim.md) +* [Cellebrite UFED](cellebrite_ufed.md) +* [DataPilot Secure View](datapilot_secure_view.md) +* [Elcomsoft Mobile Forensic Bundle](elcomsoft_mobile_forensic_bundle.md) +* Fernico ZRT +* ForensicMobile +* LogiCube CellDEK +* [MOBILedit!](mobiledit.md) +* [Oxygen Forensic Suite](oxygen_forensic_suite.md) +* [Paraben Device Seizure](paraben_device_seizure.md) and [Paraben Device Seizure Toolbox](paraben_device_seizure_toolbox.md) +* [Serial Port Monitoring](serial_port_monitoring.md) TULP2G +* [.XRY](https://www.msab.com/) ## SIM Card Forensics @@ -457,14 +343,10 @@ A forensic software tool designed to simplify the process of on-scene evidence acquisition and analysis of logs and data left by the use of AOL, MSN (Live), or Yahoo instant messenger. - - [Serial Port Analyzer](https://www.serial-port-communication.com/how-to-analyze-serial-port-activity/) The tool to analyze serial port and device activity. - - [Live View](https://liveview.sourceforge.net/) Live View is a graphical forensics tool that creates a 
@@ -472,23 +354,15 @@ Live View is a graphical forensics tool that creates a machine](virtual_machine.md) out of a dd disk image or physical disk. - - [Parallels VM](https://www.parallels.com/) - - Serial and USB ports sharing Share and access serial and USB ports over Ethernet - - [Microsoft Virtual PC](https://support.microsoft.com/en-us/topic/description-of-windows-virtual-pc-262c8961-90e5-1125-654f-d87cd5ba16f8) - - [VMware Workstation Player](https://www.vmware.com/products/workstation-player.html) A free player for [VMware](vmware.md) [virtual @@ -496,8 +370,6 @@ machines](virtual_machine.md) that will allow them to "play" on either [Windows](windows.md) or [Linux](linux.md)-based systems. - - [vSphere](https://www.vmware.com/products/vsphere.html) The free server product, for setting up/configuring/running @@ -505,8 +377,6 @@ The free server product, for setting up/configuring/running machine](virtual_machine.md).Important difference being that it can run 'headless', i.e. everything in background. - - [Recon for MAC OS X](https://sumuri.com/) RECON for Mac OS X is simply the fastest way to conduct Mac Forensics, 
@@ -519,46 +389,30 @@ so much more. [bless](bless.md) - - [Okteta](https://apps.kde.org/okteta/) KDE's new cross-platform hex editor with features such as signature-matching - - [HexFiend](https://hexfiend.com/) A hex editor for MacOS - - Hex Workshop A hex editor from [BreakPoint Software Inc.](http://www.bpsoft.com) - - [khexedit](https://docs.kde.org/stable/en/kdeutils/khexedit/index.html) - - [ReclaiMe Pro](https://www.reclaime-pro.com/) The built-in disk editor visualizes most known partition and filesystem objects: boot sectors, superblocks, partition headers in structured view. Low-level data editing for extra leverage. - - [WinHex](https://www.x-ways.net/winhex/) Computer forensics software, data recovery software, hex editor, and disk editor from [X-Ways](x-ways_ag.md). - - [wxHexEditor](https://www.wxhexeditor.org/) A Multi-OS supported, open sourced, hex and disk editor. - - HexReader [Live-Forensics](live-forensics.md) software that reads Windows files at specified offset and length and outputs results to the console. @@ -573,8 +427,6 @@ report on the number of modems connected to these corporate lines. \*\*\* Registration is required for obtaining a license key \*\*\* Still free however. - - [WarVox](https://github.com/rapid7/warvox) WarVOX is a free, open-source VOIP-based war dialing tool for exploring, diff --git a/docs/tools_memory_imaging.md b/docs/tools_memory_imaging.md index fd4a0e4d6..426c0b256 100644 --- a/docs/tools_memory_imaging.md +++ b/docs/tools_memory_imaging.md 
@@ -12,15 +12,11 @@ Publicly available, supports all Windows OS; windd and other formats. CaptureGUARD Gateway performs DRAM acquisition even on locked computers - - [WindowsSCOPE](https://www.windowsscope.com/) CaptureGUARD ExpressCard (commercial) - laptop applications Publicly available, supports all Windows OS; windd and other formats. CaptureGUARD Gateway performs DRAM acquisition even on locked computers - - [Tribble PCI Card](https://digital-evidence.org/papers/tribble-preprint.pdf) (research project) ### [Windows](windows.md) Software @@ -40,20 +36,14 @@ applications such as online games and intrusion detection systems. Kernel-mode operation yields more reliable results compared to user-mode tools. - - Designed specifically for computer forensics. Fully portable, runs off a flash drive, produces uncompressed raw binary output of the computer’s volatile memory. Includes kernel-mode drivers for all Windows OS’es including XP, Vista, 7, 8, 2003 and 2008 Server. 32 and 64-bit drivers are included. - - [Belkasoft Live RAM Capturer](https://belkasoft.com/ram-capturer) - - [WindowsSCOPE Pro and Ultimate](https://www.windowsscope.com/) Can capture, analyze, graph in depth physical and virtual memory codes 
@@ -72,33 +62,23 @@ acquisition CaptureGUARD Gateway for hardware-assisted DRAM acquisition of locked computers - - [WindowsSCOPE Live](https://www.windowsscope.com/) allows live memory analysis of Windows computers from Android phones and tablets - - winen.exe (Guidance Software - included with Encase 6.11 and higher) included on [Helix 2.0](http://www.e-fense.com/helix/) - - [Mdd](mdd.md) ([ManTech](mantech.md)) - - MANDIANT [Memoryze](https://www.mandiant.com) Can capture and analyze memory. Supports reading dumps (raw/dd format) from other tools. - - Moonsols: [DumpIt](https://www.moonsols.com/wp-content/plugins/download-monitor/download.php?id=7) This utility is used to generate a physical memory dump of Windows machines. It works with both x86 (32-bit) and x64 (64-bit) machines. @@ -109,14 +89,11 @@ confirmation question is prompted before starting. Perfect to deploy the executable on USB keys, for quick incident responses needs. - [FTK Imager](ftk_imager.md) FTK Imager can acquire live memory and paging file on 32-bit and 64-bit systems. - - [OSForensics](https://www.osforensics.com/) OSForensics can acquire live memory on 32-bit and 64-bit systems. A dump @@ -124,8 +101,6 @@ of an individual process's memory space or physical memory dump can be done. Output can be a straight dump or a Microsoft crash dump file, for use with Micrsoft's WinDbg debugger. - - [WinPmem](rekall.md) WinPmem is a free, actively developed, opensource forensic memory acquisition tool for Windows. It supports Windows XP to Windows 8, both 
@@ -170,7 +145,7 @@ available at all. Throughout the 2.6 series of the Linux kernel, the trend was to reduce direct access to memory via pseudo-device files. See, for example, the message accompanying this [patch](https://lwn.net/Articles/267427/). -[Second Look: Linux Memory Forensics](https://secondlookforensics.com/) +Second Look: Linux Memory Forensics This commercial memory forensics product ships with a modified version of the crash driver and a script for safely dumping memory using the original or modified driver on any given Linux system. @@ -187,16 +162,13 @@ having to build a pmem kernel module for every different kernel version. ### Mac OS X -[Goldfish](http://digitalfire.ucd.ie/?page_id=430) +Goldfish Goldfish is a [Mac OS X](mac_os_x.md) live forensic tool. Its main purpose is to provide an easy to use interface to dump the system RAM of a target machine via a [Firewire](firewire.md) connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that -may be available. Please see [1](http://digitalfire.ucd.ie/?page_id=430) -for more information. - - +may be available. [OSXPMem](rekall.md) The OSX Memory Imager is an open source tool to acquire physical memory
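Review bot: In the docs/shell_item.md hunk (@@ -90,29), the "ShellBags Registry Forensics" (johnmccash, 2008) and "Computer Forensic Artifacts: Windows 7 Shellbags" (Chad Tilbury, 2011) entries both link to the same generic landing page, https://www.sans.org/digital-forensics-incident-response/, which does not resolve to either article. Since this commit removes dead references, these two should either point at the actual posts (or an archived copy) or be dropped, as was done for the Yogesh Khatri "Shell Bag Format Analysis" entry in the same hunk.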
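Review bot: In the docs/timeline_analysis.md hunk (@@ -13,65), the new "#### Articles / Blogposts" and "#### Visualization" headings are level 4 while the existing "### Papers" heading between them is level 3, so the three sibling subsections of "## Bibliography" render at different depths; make them all "###". While these lines are being rewritten, the typos in the touched entries could be fixed as well: "Bouding" (Bounding) in the Gladyshev/Patel title, "Workskop" (Workshop) in the Willassen IFIP entry, the stray "2" in "Steven A. Morris2", and "M .C. Weil".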
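Review bot: In the docs/tools.md hunk (@@ -63,16), the Belkasoft Evidence Center description in the unchanged context reads "(aquire hard and removable drives", which should be "acquire"; since the surrounding blank lines are already being edited, this is a cheap fix to fold in.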
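Review bot: In the docs/tools.md hunk (@@ -81,27), the CD/DVD Inspector description contains "examinination" (examination) in the context line directly below the removed blank lines; worth correcting in the same change.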
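Review bot: In the docs/tools.md hunk (@@ -109,76), the "[Facebook Forensic Toolkit (FFT)](http://www.google.com)" entry links to google.com, which is a placeholder rather than a vendor page and is arguably the most obviously dead reference in this file. Given the commit's purpose, either replace it with the product page, reduce it to plain text as was done for "Twitter Forensic Toolkit (TFT)" and "YouTube Forensic Toolkit (YFT)" in the next hunk, or remove the entry.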
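Review bot: In the docs/tools.md hunk (@@ -368,31), the Kali Linux entry is rewritten to "[Kali Linux](kali_linux.md), [Official website](https://www.kali.org/)" to replace the empty-text link "[](https://www.kali.org/)", but the KNOPPIX entry two lines below keeps the same broken pattern, "[KNOPPIX](knoppix.md) [](http://www.knopper.net/knoppix/index-en.html)", which renders as an invisible link. Apply the same "Official website" treatment there for consistency.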
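Review bot: In the docs/tools.md hunk (@@ -417,23), the Cell Phone Forensics list is converted to "* " bullets but the context line "TULP2G" between "* [Serial Port Monitoring](serial_port_monitoring.md)" and "* [.XRY](https://www.msab.com/)" is left without a bullet, so Markdown will render it as a continuation of the Serial Port Monitoring item rather than as its own entry. Change it to "* TULP2G". Dropping the fernico_zrt.md link here is consistent with the file deletion in this patch.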
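Review bot: In the docs/tools_memory_imaging.md hunk (@@ -124,8), the OSForensics description in the context line reads "for use with Micrsoft's WinDbg debugger"; "Micrsoft's" should be "Microsoft's" and can be fixed alongside the blank-line cleanup.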
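Review bot: In the docs/tools_memory_imaging.md hunk (@@ -187,16), removing the "Please see [1](...) for more information." sentence also removes the two blank lines that separated the Goldfish paragraph from the following "[OSXPMem](rekall.md)" context line, so "may be available." is now immediately followed by "[OSXPMem](rekall.md)" and the two render as one paragraph. Keep one blank line after "+may be available." so the OSXPMem entry stays a separate paragraph.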