RESOURCES – Computer Forensics: A Pocket Guide

RESOURCES

The computer forensics industry is well supported with software and reading material, much of which is freely available online. The purpose of this section is to provide a reference guide for computer forensic materials. The reference is split into the following sections:

  • specialist computer forensic books
  • software and tools for undertaking all stages of the forensic process
  • useful online resources.

Specialist books in Computer Forensics

General books

Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility
Jones, A, Valli, C
Publisher: Butterworth-Heinemann
ISBN: 978-18561-710-4

Computer Forensics
Newman, C
Publisher: Taylor and Francis Ltd
ISBN: 978-08493-561-0

Computer Forensics: Incident Response Essentials
Kruse, W, Heiser, J
Publisher: Addison Wesley
ISBN: 978-020170-719-9

Digital Evidence and Computer Crime
Casey, E
Publisher: Academic Press
ISBN: 978-012163-104-8

Digital Forensics for Network, Internet and Cloud Computing: A Forensic Evidence Guide for Moving Targets and Data
Garrison, C
Publisher: Syngress
ISBN: 978-159749-537-0

EnCase Computer Forensics: The Official EnCE – EnCase Certified Examiner Study Guide
Bunting, S
Publisher: John Wiley and Sons
ISBN: 978-047018-145-1

Forensic Computing: A Practitioner’s Guide
Sammes, J, Jenkinson, B
Publisher: Springer
ISBN: 978-18462-837-0

Handbook of Digital Forensics and Investigation
Casey, E
Publisher: Academic Press
ISBN: 978-012374-267-4

Incident Response and Computer Forensics
Mandia, K, Prosise, C
Publisher: McGraw-Hill Osborne
ISBN: 978-007222-692-2

Incident Response: Computer Forensics Toolkit
Schweitzer, D
Publisher: John Wiley and Sons
ISBN: 978-076452-636-7

Malware Forensics: Investigating and Analyzing Malicious Code
Malin, C, Casey, E, Aquilina, J
Publisher: Syngress
ISBN: 978-159749-268-3

Real Digital Forensics: Computer Security and Incident Response
Jones, K, Bejtlich, R, Rose, C
Publisher: Addison Wesley
ISBN: 978-032124-069-9

File and operating system specific books

File System Forensic Analysis
Carrier, B
Publisher: Addison Wesley
ISBN: 978-032126-817-4

Macintosh OS X, iPod and iPhone Forensic Analysis DVD Toolkit
Varsalone, J
Publisher: Syngress
ISBN: 978-159749-297-3

UNIX Forensic Analysis DVD Toolkit
Pogue, C, Altheide, C, Haverkos, T
Publisher: Syngress
ISBN: 978-159749-269-0

Virtualization and Forensics: A Digital Forensic Investigator’s Guide to Virtual Environments
Barrett, D, Kipper, G
Publisher: Syngress
ISBN: 978-159749-557-8

Windows Forensic Analysis with DVD Toolkit
Carvey, H
Publisher: Syngress
ISBN: 978-159749-422-9

Windows Forensics: The Field Guide for Corporate Computer Investigations
Steel, C
Publisher: John Wiley and Sons
ISBN: 978-047003-862-8

Network forensic books

Mastering Windows Network Forensics and Investigation
Anson, S, Bunting, S
Publisher: John Wiley and Sons
ISBN: 978-047009-762-5

Computer Forensics: Investigating Network Intrusions and Cyber Crime
EC-Council
Publisher: Course Technology
ISBN: 978-143548-352-9

CISCO Router and Switch Forensics: Investigating and Analyzing Malicious Activity
Liu, D (Editor)
Publisher: Syngress
ISBN: 978-159749-418-2

Network Forensics: Tapping the Internet
Garfinkel, S
Publisher: O’Reilly Media

Mobile device forensics

iPhone Forensics: Recovering Evidence, Personal Data and Corporate Assets
Zdziarski, J
Publisher: O’Reilly Media
ISBN: 978-059615-358-8

Software and tools

The tools listed in the following pages are primarily related to the acquisition and analysis of a Windows®-based system from a Windows®-based forensic station. However, a number of the tools also provide wider OS compatibility, with all of the case management tools for instance supporting the majority of common file systems. There are of course also a wide variety of other forensic tools that operate on Unix and Mac OS X platforms – links to general websites for more information can be found in the Web resources section.

Case management tools

Case management tools are software applications or distributions capable of handling the complete forensic investigation from acquisition through to examination, analysis and presentation.

Guidance Software

Guidance Software produces several forensic-related products. Their primary product, EnCase®, is amongst the market leaders in providing forensic investigation of media.

Other products available from Guidance Software include:

  • EnCase Enterprise
  • EnCase eDiscovery
  • EnCase Portable

Web: www.guidancesoftware.com

AccessData

AccessData produces several products within the digital forensic domain. A market leader, its primary product the Forensic Toolkit® provides full case management of investigations.

Other products available from AccessData include:

  • FTK® Mobile Phone Examiner
  • AccessData® Enterprise
  • AccessData® eDiscovery
  • AccessData® Classified Spillage Solution
  • password cracking tools

Web: www.accessdata.com

e-fense

e-fense produces a series of products. The principal product HELIX has its foundations in the open source domain, with a self-bootable CD that contains a suite of tools for undertaking a variety of forensic investigation activities. The majority of the tools available on the CD were produced by other developers and are made freely available. HELIX 3 PRO is now available to purchase from e-fense.

Other products by e-fense also include:

  • HELIX 3 Enterprise
  • Live Response

Web: www.e-fense.com

Technology Pathways

Technology Pathways also provides case management software in the form of its ProDiscover® Forensics software. Its other product, ProDiscover® Incident Response, provides over-the-network preview and acquisition of data.

Web: www.techpathways.com

The Sleuth Kit

An open source suite of tools for forensic investigation. Unlike many of the commercial tools above, the kit is not a single application, but it does provide a comprehensive toolkit for the analysis of hard drive media. To improve usability, the kit also includes Autopsy, an HTML front-end tool.

Web: www.sleuthkit.org

Data acquisition tools

The tools listed below are in addition to the case management tools listed above, all of which are able to acquire images from hard drives.

AccessData FTK Imager
Web: www.accessdata.com

EnCase LinEn
Web: www.encase.com

New Technologies SafeBack
Web: www.forensics-intl.com

Paraben Data Arrest
Web: www.paraben-forensics.com

File carving tools

Adroit Photo Forensics
Web: http://digital-assembly.com

DataLifter – File Extractor
Web: www.datalifter.com/products.htm

Foremost
Web: http://foremost.sourceforge.net

PhotoRec
Web: www.cgsecurity.org/wiki/PhotoRec

PhotoRescue
Web: www.datarescue.com/photorescue

Scalpel
Web: www.digitalforensicssolutions.com/Scalpel

Simple Carver Suite
Web: www.simplecarver.com

Live analysis tools

The following is not a complete list of tools available for live analysis, as new tools are frequently being developed. It does, however, encompass the core tools that would be of use. The majority are freely available online, where more information about each specific tool can also be found.

  • arp.exe
  • cmd.exe
  • dd.exe
  • dir.exe
  • fport.exe
  • handle.exe
  • hostname.exe
  • ipconfig.exe
  • md5sum.exe
  • Mem.exe
  • nbtstat.exe
  • net.exe
  • netstat.exe
  • nslookup.exe
  • ntfsinfo.exe
  • promiscdetect.exe
  • ps.exe
  • psfile.exe
  • pslist.exe
  • psloggedon.exe
  • psservice.exe
  • rootkitrevealer.exe
  • route.exe
  • sha1sum.exe
  • tracert.exe
  • whoami.exe

Password cracking tools

AccessData Password Recovery Toolkit®
Web: www.accessdata.com

Cain & Abel
Web: www.oxid.it/cain.html

John the Ripper
Web: www.openwall.com/john

L0phtCrack
Web: http://l0phtcrack.com

Ophcrack
Web: http://sourceforge.net/projects/ophcrack

RainbowCrack
Web: http://project-rainbowcrack.com

Web resources

Assistant Chief Police Officers (ACPO) Good Practice Guide for Computer-Based Electronic Evidence

A UK guide developed to provide guidelines for law enforcement officers when seizing and undertaking computer-based forensic investigations.

Web: http://www.7safe.com/electronic_evidence/

CERT – Software Engineering Institute, Carnegie Mellon University

A website providing information and guidance on incident response and forensics. Publications include:

  • First Responder’s Guide to Computer Forensics
  • Handbook for Computer Security Incident Response Teams

Web: www.cert.org

CSO Online – ‘The Rise of Anti-Forensics’ by Scott Berinato (June 2007)

An interesting article discussing the growing focus upon anti-forensic tools and techniques.

Web: http://csoonline.com/article/print/221208

Digital Forensic Research Workshop (DFRWS)

A volunteer organisation focused upon sharing knowledge on digital forensics. They hold an annual conference from which some of the most notable advancements in forensic research are published. The website contains an archive of the conferences and the papers published.

Web: www.dfrws.org

ForensicsWiki

A useful resource for defining and describing digital forensics terms. The site is updated regularly and includes links to the latest research findings within the domain.

Web: www.forensicswiki.org

NIST Computer Forensics Reference Data Sets (CFReDS) Project

The project has created a number of forensic test cases that can be used to test forensic software and for the training of forensic investigators.

Web: www.cfreds.nist.gov

NIST Computer Forensics Tool Testing Project

A project to establish a methodology for testing the reliability of forensic tools. The project has created specifications for what forensic tools should achieve and test scenarios to use to evaluate tools.

Web: www.cftt.nist.gov

NIST Computer Security Resource Centre

A website providing links to NIST projects and publications relating to information security. The Incident Response family of publications includes:

  • SP800-101 – Guidelines on Cell Phone Forensics
  • SP800-83 – Guide to Malware Incident Prevention and Handling
  • SP800-61 Rev.1 – Computer Security Incident Handling Guide
  • SP800-86 – Guide to Integrating Forensic Techniques into Incident Response
  • SP800-72 – Guidelines on PDA Forensics

Web: http://csrc.nist.gov

NIST National Software Reference Library (NSRL)

A freely available database of hash values of trusted OS and application files, used to eliminate known trusted files from forensic investigations.

Web: www.nsrl.nist.gov

SANS Institute – Mobile Device Forensics by Andrew Martin

A detailed technical guide to mobile device forensics.

Web: http://www.sans.org/reading_room/whitepapers/forensics/mobile-device-forensics_32888

US Government Accountability Office (GAO) – Public and Private Entities Face Challenges in Addressing Cyber Threats

A 2007 study looking at the challenges in addressing cyber threats. The report includes aspects for forensic investigators.

Web: http://www.gao.gov/new.items/d07705.pdf