Forensics Wiki - User contributions [en]

Jesse Kornblum

2012-11-09T14:08:35Z

Jessek:

Jesse Kornblum is a computer forensics author, researcher and engineer. You can read his [http://jessekornblum.com/ official web site]. His [http://jessekornblum.com/kornblum-cv.pdf Curriculum Vitae] has a current list of his papers.

== Tools ==

[[md5deep]] and [[hashdeep]] - Cross platform recursive [[hashing]] and auditing programs, respectively. Computes MD5, SHA-1, SHA-256, Tiger and Whirlpool hashes. Can also match against sets of known hashes. The latter program uses [[multihashing]] to conduct a computer forensics audit.

[[foremost]] - File [[carving]] program

[[ssdeep]] - Usually called Fuzzy Hashing, this program implements [[Context Triggered Piecewise Hashing]].

[[First Responder's Evidence Disk|FRED]] - The First Responder's Evidence Disk

[[dc3dd]] - A patch to add forensics features to [[dd|GNU dd]]

[[Miss Identify]] - Program to identify Win32 executables that don't have an executable extension. Can also identify all executables.

[[Category:People]]

Bulk extractor

2012-11-09T14:08:05Z

Jessek: Updated current version number

== Overview ==
'''bulk_extractor''' is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in [[feature files]] that can be easily inspected, parsed, or processed with automated tools. '''bulk_extractor''' also created a histograms of features that it finds, as features that are more common tend to be more important.

bulk_extractor is distinguished from other forensic tools by its speed and thoroughness. Because it ignores file system structure, bulk_extractor can process different parts of the disk in parallel. In practice, the program splits the disk up into 16MiByte pages and processes one page on each available core. This means that 24-core machines process a disk roughly 24 times faster than a 1-core machine. bulk_extractor is also thorough. That’s because bulk_extractor automatically detects, decompresses, and recursively re-processes compressed data that is compressed with a variety of algorithms. Our testing has shown that there is a significant amount of compressed data in the unallocated regions of file systems that is missed by most forensic tools that are commonly in use today.

Another advantage of ignoring file systems is that bulk_extractor can be used to process any digital media. We have used the program to process hard drives, SSDs, optical media, camera cards, cell phones, network packet dumps, and other kinds of digital information.

==Output Feature Files==

bulk_extractor now creates an output directory that has the following layout:
;alerts.txt
:Processing errors.
;ccn.txt
:Credit card numbers
;ccn_track2.txt
:Credit card “track 2″ informaiton, which has previously been found in some bank card fraud cases.
;domain.txt
:Internet domains found on the drive, including dotted-quad addresses found in text.
;email.txt
:Email addresses.
;ether.txt
;Ethernet MAC addresses found through IP packet carving of swap files and compressed system hibernation files and file fragments.
;exif.txt
:EXIFs from JPEGs and video segments. This feature file contains all of the EXIF fields, expanded as XML records.
;find.txt
:The results of specific regular expression search requests.
;ip.txt
:IP addresses found through IP packet carving.
;rfc822.txt
:Email message headers including Date:, Subject: and Message-ID: fields.
;tcp.txt
:TCP flow information found through IP packet carving.
;telephone.txt
:US and international telephone numbers.
;url.txt
:URLs, typically found in browser caches, email messages, and pre-compiled into executables.
;url_searches.txt
:A histogram of terms used in Internet searches from services such as Google, Bing, Yahoo, and others.
;url_services.txt
:A histogram of the domain name portion of all the URLs found on the media.
;wordlist.txt
:A list of all “words” extracted from the disk, useful for password cracking.
;wordlist_*.txt
:The wordlist with duplicates removed, formatted in a form that can be easily imported into a popular password-cracking program.
;zip.txt
:A file containing information regarding every ZIP file component found on the media. This is exceptionally useful as ZIP files contain internal structure and ZIP is increasingly the compound file format of choice for a variety of products such as Microsoft Office

For each of the above, two additional files may be created:
;*_stopped.txt
:bulk_extractor supports a stop list, or a list of items that do not need to be brought to the user’s attention. However rather than simply suppressing this information, which might cause something critical to be hidden, stopped entries are stored in the stopped files.
;*_histogram.txt
:bulk_extractor can also create histograms of features. This is important, as experience has shown that email addresses, domain names, URLs, and other informaiton that appear more frequently on a hard drive or in a cell phone’s memory can be used to rapidly create a pattern of life report.

Bulk extractor also creates a file that captures the provenance of the run:
;report.xml
:A Digital Forensics XML report that includes information about the source media, how the bulk_extractor program was compiled and run, the time to process the digital evidence, and a meta report of the information that was found.

==Post-Processing==

We have developed four programs for post-processing the bulk_extractor output:
;bulk_diff.py
:This program reports the differences between two bulk_extractor runs. The intent is to image a computer, run bulk_extractor on a disk image, let the computer run for a period of time, re-image the computer, run bulk_extractor on the second image, and then report the differences. This can be used to infer the user’s activities within a time period.
;cda_tool.py
:This tool, currently under development, reads multiple bulk_extractor reports from multiple runs against multiple drives and performs a multi-drive correlation using Garfinkel’s Cross Drive Analysis technique. This can be used to automatically identify new social networks or to identify new members of existing networks.
;identify_filenames.py
:In the bulk_extractor feature file, each feature is annotated with the byte offset from the beginning of the image in which it was found. The program takes as input a bulk_extractor feature file and a DFXML file containing the locations of each file on the drive (produced with Garfinkel’s fiwalk program) and produces an annotated feature file that contains the offset, feature, and the file in which the feature was found.
;make_context_stop_list.py
:Although forensic analysts frequently make “stop lists”—for example, a lsit of email addresses that appear in the operating system and should therefore be ignored—such lists have a significant problem. Because it is relatively easy to get an email address into the binary of an open source application, ignoring all of these email addresses may make it possible to cloak email addresses from forensic analysis. Our solution is to create context-sensitive stop lists, in which the feature to be stopped is presented with the context in which it occures. The make_context_stop_list.py program takes the results of multiple bulk_extractor runs and creates a single context-sensitive stop list that can then be used to suppress features when found in a specific context. One such stop list constructed from Windows and Linux operating systems is available on the bulk extractor website.

== Download ==
The current version of '''bulk_extractor''' is 1.3. It can be downloaded from https://github.com/simsong/bulk_extractor

==Sample Output==
Running on 2.4Ghz iMac with MacOS 10.5.8 on the nps-2009-realistic.aff disk image, bulk extractor version 0.0.10 took 21816 seconds (6 hours, 3 minutes) and produced an [[Media:Nps-2009-realistic.extract.txt|output with 14,160 lines]].

Here are the first 200 lines:
<pre>
Input file: /corp/images/nps/nps-2009-domexusers/nps-2009-realistic.aff
Starting page number: 0
Last processed page number: 2559
Time: Tue Aug 11 04:39:03 2009

Top 10 email addresses:
=======================
domexuser1@gmail.com: 572
domexuser2@gmail.com: 412
domexuser3@gmail.com: 319
ips@mail.ips.es: 268
premium-server@thawte.com: 252
CPS-requests@verisign.com: 243
someone@example.com: 232
domexuser2@live.com: 192
inet@microsoft.com: 145
domexuser2@hotmail.com: 138

Top 10 email domains:
=====================
gmail.com: 1693
hotmail.com: 630
netscape.com: 543
example.com: 470
microsoft.com: 390
thawte.com: 376
live.com: 329
msn.com: 298
mail.ips.es: 268
passport.com: 267

Top 10 URLs:
=====================
http://www.microsoft.com/contentredirect.asp.: 6257
http://ocsp.verisign.com0: 3030
http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul: 2241
http://: 1666
http://crl.verisign.com/tss-ca.crl0: 1515
http://crl.verisign.com/ThawteTimestampingCA.crl0: 1513
http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0: 1311
http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0O: 1310
http://www.mozilla.org/MPL/: 1000
http://support.microsoft.com: 974

All email addresses:
====================
domexuser1@gmail.com: 572
domexuser2@gmail.com: 412
domexuser3@gmail.com: 319
ips@mail.ips.es: 268
premium-server@thawte.com: 252
CPS-requests@verisign.com: 243
someone@example.com: 232
domexuser2@live.com: 192
inet@microsoft.com: 145
domexuser2@hotmail.com: 138
domexuser1@hotmail.com: 135
domexuser1@live.com: 133
myname@msn.com: 115
example@passport.com: 111
ca@digsigtrust.com: 110
info@valicert.com: 94
piracy@microsoft.com: 91
certificate@trustcenter.de: 80
hewitt@netscape.com: 69
name_123@hotmail.com: 67
talkback@mozilla.org: 67
lord@netscape.com: 64
someone@microsoft.com: 53
mcgreer@netscape.com: 51
domexuser1%40gmail.com@imap.gmail.com: 48
neil@parkwaycc.co.uk: 47
9name_123@hotmail.com: 43
mazrob@panix.com: 43
Outldomexuser2@gmail.com: 41
server-certs@thawte.com: 37
sspitzer@netscape.com: 36
49091023.6070302@gmail.com: 35
73A94919-FF6B-4E3F-938E-FB39BBC7497C@gmail.com: 34
cps@netlock.net: 33
ellenorzes@netlock.net: 33
thayes@netscape.com: 33
DOMEXUSER2@GMAIL.COM: 32
personal-basic@thawte.com: 32
nome_123@hotmail.com: 31
alecf@netscape.com: 30
ManageLinks.aspx%3Fmkt%3Den-us%26noteid%3DNote.Linked%26notelevel%3D1%26notesec%3D0%26username%3Ddomexuser1@hotmail.com: 29
domesxuser2@gmail.com: 28
javi@netscape.com: 28
mscott@mozilla.org: 28
personal-premium@thawte.com: 28
admin@digsigtrust.com: 27
personal-freemail@thawte.com: 27
49091664.70508@gmail.com: 26
admin@startcom.org: 25
cmanske@netscape.com: 24
feste@feste.org: 24
fritz@google.com: 22
silver-certs@saunalahti.fi: 21
DOMEXUSER1@GMAIL.COM: 20
exemplo@passport.com: 20
gold-certs@saunalahti.fi: 20
jemand@example.com: 20
joku@example.com: 20
meunome@msn.com: 20
osoba@example.com: 20
prova@example.com: 20
toolkit@mozilla.org: 20
CPh@99841.PA: 19
alguem@exemplo.pt: 19
birisi@example.com: 19
ddrinan@netscape.com: 19
noen@example.com: 19
valaki@example.com: 19
eksempel@passport.com: 18
navn_123@hotmail.com: 18
law@netscape.com: 17
mano@mozilla.com: 17
microsof@t.com: 17
mscott@netscape.com: 17
iemand@microsoft.com: 16
myk@mozilla.org: 16
ndarnamn@example.com: 16
nekdo@example.com: 16
nekdo@priklad.com: 16
niekto@example.com: 16
adamw@gnome.org: 15
en@li.org: 15
info@netlock.hu: 15
nogen@eksempel.dk: 15
priklad@passport.com: 15
Outldomexuser2@hotmail.com: 14
ben@netscape.com: 14
ca@firmaprofesional.com: 14
ca@ptt-post.nl: 14
correo_cert@correo.com.uy: 14
ben@mozilla.org: 13
doronr@us.ibm.com: 13
ehsan.akhgari@gmail.com: 13
info@e-trust.be: 13
314d3a220810291941w4b52597fh206faba1e5063365@mail.gmail.com: 12
DOMEXUSER3@GMAIL.COM: 12
MSNPrivacy@msn.com: 12
alguien@example.com: 12
bsmedberg@covad.net: 12
glazman@netscape.com: 12
someone@msn.com: 12
xyx@example.com: 12
Beispiel@passport.com: 11
MeinName@msn.com: 11
Name_123@hotmail.com: 11
St@atus.eU: 11
bienvenu@nventure.com: 11
disttsc@bart.nl: 11
esempio@passport.com: 11
exemple@passport.com: 11
grafta@bl.com: 11
hwaara@chello.se: 11
mijnnaam@msn.com: 11
mionome@msn.com: 11
mojanazwa@msn.com: 11
monnom@msn.com: 11
ms@n.com: 11
naam_123@hotmail.com: 11
nazwa_123@hotmail.com: 11
przyklad@passport.com: 11
voorbeeld@passport.com: 11
zeniko@gmail.com: 11
christopher@aillon.com: 10
community@linuxhall.org: 10
dolske@mozilla.com: 10
i18n@mova.org: 10
id@Us.tc: 10
info@netlock.net: 10
locales@geez.org: 10
rangansen@netscape.com: 10
rcassin@supernova.org: 10
WindowsXP@gn.microsoft.com: 9
ad@msn.com: 9
blaker@netscape.com: 9
corehc@aol.net: 9
exempel@passport.com: 9
gnom@prevod.org: 9
icw5@gn.microsoft.com: 9
jmeno_123@hotmail.com: 9
jwalden+code@mit.edu: 9
mitnavn@msn.com: 9
mittnamn@msn.com: 9
name@domain.com: 9
namn_123@hotmail.com: 9
nevem@msn.com: 9
ntsbvt@microsoft.com: 9
ornek@passport.com: 9
pelda@passport.com: 9
rbs@maths.uq.edu.au: 9
robert@accettura.com: 9
tatarish.l10n@gmail.com: 9
alexeyc@bigfoot.com: 8
beng@google.com: 8
blakeross@telocity.com: 8
</pre>

MediaWiki:Deletereason-dropdown

2012-02-24T20:11:51Z

Jessek: Created page with "*Common delete reasons ** Author request ** Copyright violation ** Spam ** Vandalism"

*Common delete reasons
** Author request
** Copyright violation
** Spam
** Vandalism

Jump Lists

2011-08-23T14:10:17Z

Jessek:

{{expand}}
'''Jump Lists''' are a feature found in Windows 7.

== Jump Lists ==
Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions. Jump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files. Autodest files are created by the operating system

Jump Lists are located in the user profile path, in the C:\Users\''user''\Recent folder. Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.

=== AutomaticDestinations ===
Path: C:\Users\user\Recent\AutomaticDestinations
Files: *.automaticDestinations

Structure - The autodest files follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx: MS-CFB] compound file binary format specification.

=== CustomDestinations ===
Path: C:\Users\user\Recent\CustomDestinations
Files: *.customDestinations

Structure

[[List of Jump List IDs]]
17d3eb086439f0d7 TrueCrypt 7.0a
adecfb853d77462a MSWord 2007
c71ef2c372d322d7 PGP Desktop 10
cdf30b95c55fd785 MSExcel 2007
f5ac5390b9115fdb MSPowerPoint 2007

12dc1ea8e34b5a6 MSPaint 6.1
431a5b43435cc60b Python (.pyc)
469e4a7982cea4d4 ? (.job)
500b8c1d5302fc9c (.pyw)
50620fe75ee0093 VMWare Player 3.1.4
65009083bfa6a094 (app launched via XPMode)
7e4dca80246863e3 Control Panel (?)
83b03b46dcd30a0e iTunes 10
b0459de4674aab56 (.vmcx)

{{Windows}}

List of Jump List IDs

2011-08-23T14:10:00Z

Jessek:

=== Application IDs ===

<table border="1">
<tr><td>1b4dd67f29cb1962</td><td>Explorer (task bar folder icon)</td>
<tr><td>1bc392b8e104a00e</td><td>Remote Desktop</td></tr>
<tr><td>23646679aaccfae0</td><td>Adobe Reader 9 x64</td></tr>
<tr><td>271e609288e1210a</td><td>Access 2010 x86</td></tr>
<tr><td>28c8b86deab549a1</td><td>Internet Explorer x86</td></tr>
<tr><td>290532160612e071</td><td>WinRar x64</td></tr>
<tr><td>2b53c4ddf69195fc</td><td>Zune x64</td></tr>
<tr><td>3094cdb43bf5e9c2</td><td>OneNote 2010 x86</td></tr>
<tr><td>5da8f997fd5f9428</td><td>Internet Explorer x64</td></tr>
<tr><td>74d7f43c1561fc1e</td><td>Windows Media Player</td></tr>
<tr><td>9839aec31243a928</td><td>Excel 2010 x86</td></tr>
<tr><td>9b9cdc69c1c24e2b</td><td>Notepad x64</td></tr>
<tr><td>9c7cc110ff56d1bd</td><td>PowerPoint 2010 x86</td></tr>
<tr><td>a7bd71699cd38d1c</td><td>Word 2010 x86</td></tr>
<tr><td>b8c29862d9f95832</td><td>InfoPath 2010 x86</td></tr>
<tr><td>b91050d8b077a4e8</td><td>Windows Media Center x64</td></tr>
<tr><td>be71009ff8bb02a2</td><td>Outlook x86</td></tr>
<tr><td>d64d36b238c843a3</td><td>InfoPath 2010 x86</td></tr>
<tr><td>e36bfc8972e5ab1d</td><td>XPS Viewer</td></tr>
<tr><td>17d3eb086439f0d7</td><td>TrueCrypt 7.0a</td></tr>
<tr><td>adecfb853d77462a</td><td>MSWord 2007</td></tr>
<tr><td>c71ef2c372d322d7</td><td>PGP Desktop 10</td></tr>
<tr><td>cdf30b95c55fd785</td><td>MSExcel 2007</td></tr>
<tr><td>f5ac5390b9115fdb</td><td>MSPowerPoint 2007</td></tr>
<tr><td>12dc1ea8e34b5a6</td><td>MSPaint 6.1</td></tr>
<tr><td>431a5b43435cc60b</td><td>Python (.pyc)</td></tr>
<tr><td>469e4a7982cea4d4</td><td>? (.job)</td></tr>
<tr><td>500b8c1d5302fc9c</td><td>(.pyw)</td></tr>
<tr><td>50620fe75ee0093</td><td>VMWare Player 3.1.4</td></tr>
<tr><td>65009083bfa6a094</td><td>(app launched via XPMode)</td></tr>
<tr><td>7e4dca80246863e3</td><td>Control Panel</td></tr>
<tr><td>83b03b46dcd30a0e</td><td>iTunes 10</td></tr>
<tr><td>b0459de4674aab56</td><td>(.vmcx)</td></tr>
</table>

List of Jump List IDs

2011-08-23T14:09:26Z

Jessek: moved Jump Lists. to List of Jump List IDs: Cleanup

== Jump Lists ==
Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions. Jump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files. Autodest files are created by the operating system

Jump Lists are located in the user profile path, in the C:\Users\''user''\Recent folder. Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.

=== AutomaticDestinations ===
Path: C:\Users\user\Recent\AutomaticDestinations
Files: *.automaticDestinations

Structure - The autodest files follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx: MS-CFB] compound file binary format specification.

=== CustomDestinations ===
Path: C:\Users\user\Recent\CustomDestinations
Files: *.customDestinations

Structure

=== AppIDs ===

<table border="1">
<tr><td>1b4dd67f29cb1962</td><td>Explorer (task bar folder icon)</td>
<tr><td>1bc392b8e104a00e</td><td>Remote Desktop</td></tr>
<tr><td>23646679aaccfae0</td><td>Adobe Reader 9 x64</td></tr>
<tr><td>271e609288e1210a</td><td>Access 2010 x86</td></tr>
<tr><td>28c8b86deab549a1</td><td>Internet Explorer x86</td></tr>
<tr><td>290532160612e071</td><td>WinRar x64</td></tr>
<tr><td>2b53c4ddf69195fc</td><td>Zune x64</td></tr>
<tr><td>3094cdb43bf5e9c2</td><td>OneNote 2010 x86</td></tr>
<tr><td>5da8f997fd5f9428</td><td>Internet Explorer x64</td></tr>
<tr><td>74d7f43c1561fc1e</td><td>Windows Media Player</td></tr>
<tr><td>9839aec31243a928</td><td>Excel 2010 x86</td></tr>
<tr><td>9b9cdc69c1c24e2b</td><td>Notepad x64</td></tr>
<tr><td>9c7cc110ff56d1bd</td><td>PowerPoint 2010 x86</td></tr>
<tr><td>a7bd71699cd38d1c</td><td>Word 2010 x86</td></tr>
<tr><td>b8c29862d9f95832</td><td>InfoPath 2010 x86</td></tr>
<tr><td>b91050d8b077a4e8</td><td>Windows Media Center x64</td></tr>
<tr><td>be71009ff8bb02a2</td><td>Outlook x86</td></tr>
<tr><td>d64d36b238c843a3</td><td>InfoPath 2010 x86</td></tr>
<tr><td>e36bfc8972e5ab1d</td><td>XPS Viewer</td></tr>
<tr><td>17d3eb086439f0d7</td><td>TrueCrypt 7.0a</td></tr>
<tr><td>adecfb853d77462a</td><td>MSWord 2007</td></tr>
<tr><td>c71ef2c372d322d7</td><td>PGP Desktop 10</td></tr>
<tr><td>cdf30b95c55fd785</td><td>MSExcel 2007</td></tr>
<tr><td>f5ac5390b9115fdb</td><td>MSPowerPoint 2007</td></tr>
<tr><td>12dc1ea8e34b5a6</td><td>MSPaint 6.1</td></tr>
<tr><td>431a5b43435cc60b</td><td>Python (.pyc)</td></tr>
<tr><td>469e4a7982cea4d4</td><td>? (.job)</td></tr>
<tr><td>500b8c1d5302fc9c</td><td>(.pyw)</td></tr>
<tr><td>50620fe75ee0093</td><td>VMWare Player 3.1.4</td></tr>
<tr><td>65009083bfa6a094</td><td>(app launched via XPMode)</td></tr>
<tr><td>7e4dca80246863e3</td><td>Control Panel</td></tr>
<tr><td>83b03b46dcd30a0e</td><td>iTunes 10</td></tr>
<tr><td>b0459de4674aab56</td><td>(.vmcx)</td></tr>
</table>

Jump Lists.

2011-08-23T14:09:26Z

Jessek: moved Jump Lists. to List of Jump List IDs: Cleanup

#REDIRECT [[List of Jump List IDs]]

Jump Lists

2011-08-23T13:17:09Z

Jessek: Initial stub

{{expand}}
'''Jump Lists''' are a feature found in Windows 7.

[[List of Jump List IDs]]
17d3eb086439f0d7 TrueCrypt 7.0a
adecfb853d77462a MSWord 2007
c71ef2c372d322d7 PGP Desktop 10
cdf30b95c55fd785 MSExcel 2007
f5ac5390b9115fdb MSPowerPoint 2007

12dc1ea8e34b5a6 MSPaint 6.1
431a5b43435cc60b Python (.pyc)
469e4a7982cea4d4 ? (.job)
500b8c1d5302fc9c (.pyw)
50620fe75ee0093 VMWare Player 3.1.4
65009083bfa6a094 (app launched via XPMode)
7e4dca80246863e3 Control Panel (?)
83b03b46dcd30a0e iTunes 10
b0459de4674aab56 (.vmcx)

{{Windows}}

Windows

2011-08-23T13:14:50Z

Jessek: /* Features in Windows 7 */

{{Expand}}

'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].

== Forensics ==

=== Filesystems ===

[[FAT]], [[NTFS]]

=== Features in Windows Vista ===
* [[BitLocker]]
* [[SuperFetch]]

=== Features in Windows 7 ===

* [[BitLocker To Go]]
* [[Windows Shadow Volumes]]
* [[Jump Lists]]

=== Registry ===

The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.

=== Thumbs.db Files ===

[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].

See also: [[Vista thumbcache]].

=== Browser Cache ===

=== Browser History ===

The [[Web Browser History]] files can contain significant information. On Windows this is [[Internet Explorer]] by default.

== Advanced Format (4KB Sector) Hard Drives ==
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].

== External Links ==

* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]

[[Category:Operating systems]]

Jesse Kornblum

2011-02-08T14:22:21Z

Jessek: Changed Kyrus link to an external page.

Jesse Kornblum is a computer forensics author, researcher and engineer. You can read his [http://jessekornblum.com/ official web site]. His [http://jessekornblum.com/kornblum-cv.pdf Curriculum Vitae] has a current list of his papers. He currently works for [http://kyr.us/ Kyrus Technology].

== Tools ==

[[md5deep]] and [[hashdeep]] - Cross platform recursive [[hashing]] and auditing programs, respectively. Computes MD5, SHA-1, SHA-256, Tiger and Whirlpool hashes. Can also match against sets of known hashes. The latter program uses [[multihashing]] to conduct a computer forensics audit.

[[foremost]] - File [[carving]] program

[[ssdeep]] - Usually called Fuzzy Hashing, this program implements [[Context Triggered Piecewise Hashing]].

[[First Responder's Evidence Disk|FRED]] - The First Responder's Evidence Disk

[[dc3dd]] - A patch to add forensics features to [[dd|GNU dd]]

[[Miss Identify]] - Program to identify Win32 executables that don't have an executable extension. Can also identify all executables.

[[Category:People]]

Cyberspeak podcast

2011-01-19T13:50:20Z

Jessek:

An occasional podcast by [[Bret Padres]] and [[Ovie Carroll]], both former agents of the [[Air Force Office of Special Investigations]], since 4 Dec 2005. The show usually features at least one interview, although some shows do not have any. The hosts also discuss current issues in the field and give links to new or interesting web sites. A set of detailed show notes are usually posted to a separate web site, although the link is given on the [http://cyberspeak.libsyn.com/ show's official website].

== See Also ==

[[List of Cyberspeak Podcast Interviews]]

== External Links ==

*[http://cyberspeak.libsyn.com/ Official CyberSpeak Website]
*[http://multimediaforensics.com/index.php/board,17.0.html/ Unofficial CyberSpeak Show Discussion Forum] - Hosted at MultiMediaForensics.com, listeners can further discuss topics and exclusive interviews.

Encase hash map

2010-11-01T21:29:17Z

Jessek: Created page with "{{wikify}} {{expand}} The EnCase suite of tools can generate 'hash maps', or 'EnMap' files, which allow users to identify chunks of files when the whole file is not availabl..."

{{wikify}}
{{expand}}

The [[EnCase]] suite of tools can generate 'hash maps', or 'EnMap' files, which allow users to identify chunks of files when the whole file is not available. This data is stored in a file with a .EnMap extension and contains piecewise [[MD5]] hashes of the file. Each EnMap file has the following format:

The file has an ASCII header, ENMAP V4, or in hex 45 4e 4d 41 50 20 56 34 0b 00 00 00.

This is followed by a Unicode representation of the original filename.

There is then an [[MD5]] hash of the entire file. This hash is followed by three bytes of zeros, and then a hexadecimal representation of each piecewise hash.

{{Category:Forensics File Format}}

EnCase

2010-11-01T21:23:33Z

Jessek: /* Hash Databases */

'''EnCase''' is a family of all-in-one computer forensics suites sold by [[Guidance Software]]. These products include EnCase Enterprise, EnCase Forensic Edition, EnCase eDiscovery, and EnCase Lab Edition. These programs use a proprietary image file format that has been reverse engineered. Users can create scripts, called [[EnScripts]], to automate tasks.

== File Format ==
{{main|Encase image file format}}
Encase uses a proprietary format for images which is reportedly based on ASR Data's Expert Witness Compression Format. (Source?) The evidence files, or E01 files, contain a physical bitstream of an acquired disk, prefixed with a '"Case Info" header, interlaced with CRCs for every block of 64 sectors~(32 KB), and followed by a footer containing an MD5 hash for the entire bitstream. Contained in the header are the date and time of acquisition, an examiner's name, notes on the acquisition, and an optional password; the header concludes with its own CRC.

==Hash Databases==
{{main|Encase hash files}}
Encase uses [[MD5]] hashes and uses a [[Encase hash files|proprietary file format]] to store them, either singly or in a "hash map". It can also import hashes from the [[National Software Reference Library|NSRL]], [[Hashkeeper]], and plain MD5 files.

== See Also ==
* [[EnScripts]]
* [[LinEn]]

== External Links ==

* [http://www.guidancesoftware.com/products/ee_index.aspx Official website]
* [http://www.safehack.com/Textware/forensic/Anti_Forensic_Break_Encase.pdf Breaking Encase with FILE0 and Winhex]

First Responder's Evidence Disk

2010-10-29T14:07:04Z

Jessek: /* History */ - Updates based on consult with AFCERT

The First Responder's Evidence Disk, or FRED, is a script based [[Incident Response|incident response]] tool. It was designed to capture volatile information from a computer system for later analysis without modifying anything on the victim. It consists of a batch file used to execute a set of known good tools that gather the state of a victim computer system. It was similar to the [[IRCR]] program and has been widely imitated by other tools. Many other incident response tools used names similar to FRED.

== Usage ==

The program was distributed as a compressed 1.44 MB floppy image. The examiner runs this image on a safe system and writes the FRED program out to a piece of removable media such as a floppy disk or USB device. The examiner then connects this device to the victim machine. When run, the FRED program writes information out to an audit file on the removable device. The examiner takes this audit file back to the safe system for later analysis. The audit file can also be sent to other investigators if desired.

== History ==

FRED was developed by [[Jesse Kornblum]] for the [[Air Force Office of Special Investigations]] starting in the fall of 2000 and was first released in 2001. The tool was publicly unveiled the following year at the [[Digital Forensic Research Workshop|DFRWS Conference]]. Although the component parts of FRED were not released, mostly due to licensing restrictions, Kornblum did present a paper, ''[http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders]'', that included the FRED script.

A version of the FRED script was later incorporated into the [[Helix]] disk.

There was a proposal for a program to process the audit files into [[HTML]], but this never came to fruition.

Since 2004 FRED has been maintained by the [[Air Force Computer Emergency Response Team]] and is not publicly available. The current version of FRED (version 4) has been redesigned as a single executable, with remote collection capabilities, and uses Native API functions. The audit file uses PKI for encryption to protect the contents from tampering and disclosure.

== Trivia ==

The desire for a recursive [[MD5]] program for FRED inspired the development of [[md5deep]].

== See Also ==

* [[IRCR]]
* [[COFEE]]

[[Category:Incident response tools]]

First Responder's Evidence Disk

2010-10-04T19:40:40Z

Jessek: /* History */ - Added citation needed tag

The First Responder's Evidence Disk, or FRED, is a script based [[Incident Response|incident response]] tool. It was designed to capture volatile information from a computer system for later analysis without modifying anything on the victim. It consists of a batch file used to execute a set of known good tools that gather the state of a victim computer system. It was similar to the [[IRCR]] program and has been widely imitated by other tools. Many other incident response tools used names similar to FRED.

== Usage ==

The program was distributed as a compressed 1.44 MB floppy image. The examiner runs this image on a safe system and writes the FRED program out to a piece of removable media such as a floppy disk or USB device. The examiner then connects this device to the victim machine. When run, the FRED program writes information out to an audit file on the removable device. The examiner takes this audit file back to the safe system for later analysis. The audit file can also be sent to other investigators if desired.

== History ==

FRED was developed by [[Jesse Kornblum]] for the [[Air Force Office of Special Investigations]] starting in the fall of 2000 and was first released in 2001. The tool was publicly unveiled the following year at the [[Digital Forensic Research Workshop|DFRWS Conference]]. Although the component parts of FRED were not released, mostly due to licensing restrictions, Kornblum did present a paper, ''[http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders]'', that included the FRED script.

A version of the FRED script was later incorporated into the [[Helix]] disk.

There was a proposal for a program to process the audit files into [[HTML]], but this never came to fruition.

Since 2004 FRED has been maintained by the [[Air Force Computer Emergency Response Team]] and is not publicly available.

The current version of FRED (version 4) has been redesigned as a single executable, with remote collection capabilities. The audit file uses PKI for encryption to protect the contents from tampering and disclosure.{{citation needed}}

== Trivia ==

The desire for a recursive [[MD5]] program for FRED inspired the development of [[md5deep]].

== See Also ==

* [[IRCR]]
* [[COFEE]]

[[Category:Incident response tools]]

Template:Citation needed

2010-10-04T19:39:55Z

Jessek: Created page with "[citation needed] Category:Articles that need citations"

[citation needed]
[[Category:Articles that need citations]]

Ssdeep

2010-10-04T17:39:08Z

Jessek: Added information on file format

{{Infobox_Software |
name = ssdeep |
maintainer = [[Jesse Kornblum]] |
os = [[Linux]], [[Windows]], [[Mac OS X]], [[BSD]], [[Solaris]] |
genre = {{Hashing}} |
license = {{GPL}} |
website = [http://ssdeep.sourceforge.net/ ssdeep.sf.net] |
}}

ssdeep is a program for computing and matching [[Context Triggered Piecewise Hashing]] values. It is based on a spam detector called [http://samba.org/ftp/unpacked/junkcode/spamsum/ spamsum] by [http://en.wikipedia.org/wiki/Andrew_Tridgell Andrews Trigdell].

== File Format ==
The program uses an ASCII text file to record fuzzy hashes. The format changed slightly in version 2.6 in Sep 2010. Hashes created by the version 2.6 or later of the program cannot be used in earlier versions [http://ssdeep.svn.sourceforge.net/viewvc/ssdeep/tags/release-2.6/FILEFORMAT?revision=107&view=markup ref]. The contains a header followed by one hash per line. The current header is:

<pre>ssdeep,1.1--blocksize:hash:hash,filename</pre>

== Usage Scenarios ==

=== Truncated Files ===

The program can be used to associate two files where one is a truncated version of the other. In this example, the examiner has a file <tt>all-the-kings-men.avi</tt>. She computes a fuzzy hash of his file:
<pre>$ ls -lsh
-rwxr-xr-x 1 jvalenti users 699M Sep 29 2006 all-the-kings-men.avi

$ ssdeep -b all-the-kings-men.avi > sig.txt

$ cat sig.txt
ssdeep,1.0--blocksize:hash:hash,filename
12582912:fgQl/nUjQAbaBQvHf8yLr5CHJu3dyh YJ27TuXyphJs3wHC6 rEfAV wDrw6C/AT:fPl8cdAUyLr5CHJu3dyh8uzwHC6 reAS,"all-the-kings-men.avi"</pre>

The examiner then creates a second file that contains the first 29% of the original. This simulates recovering a partial file in some manner.

<pre>$ dd if=all-the-kings-men.avi of=partial.avi bs=1m count=200
200 0 records in
200 0 records out
209715200 bytes transferred in 14.510224 secs (14452926 bytes/sec)

$ ls -lsh partial.avi
-rw-r--r-- 1 jvalenti users 200M Oct 6 06:40 partial.avi</pre>

The examiner can then use the matching mode of ssdeep, the <tt>-m</tt> option, to read the known signature generated above and match it against the partial file.

<pre>$ ssdeep -bm sig.txt partial.avi
partial.avi matches all-the-kings-men.avi (57)</pre>

The files are associated!

=== Source Code Reuse ===

The source code for ssdeep was originally obtained from another open source project called [[md5deep]]. An examiner with access to both source code directory trees could use ssdeep to find any similarities between the two. In this example we have two folders, <tt>ssdeep-1.1</tt> and <tt>md5deep-1.12</tt>. First we record the fuzzy hashes, with relative filenames (the <tt>-l</tt> switch) to a file:

<pre>C:\> ssdeep -lr md5deep-1.12 > hashes.txt</pre>

Then we compare those saved hashes with the other directory:

<pre>C:\> ssdeep -lrm hashes.txt ssdeep-1.1
ssdeep-1.1\cycles.c matches md5deep-1.12\cycles.c (94)
ssdeep-1.1\dig.c matches md5deep-1.12\dig.c (35)
ssdeep-1.1\helpers.c matches md5deep-1.12\helpers.c (57)</pre>

Those matches indicate source code reuse! A manual examination of the files in question is required to tell exactly what kind of copying occurred, but we've saved the examiner a lot of work.

An advanced examiner can accomplish this matching with just one command line, but it will also include all of the matches internal to each directory.

<pre>C:\> ssdeep -lrd md5deep-1.12 ssdeep-1.1
md5deep-1.12\md5.h matches md5deep-1.12\cycles.c (27)
md5deep-1.12\sha1.h matches md5deep-1.12\cycles.c (25)
md5deep-1.12\sha1.h matches md5deep-1.12\md5.h (58)
md5deep-1.12\sha256.h matches md5deep-1.12\cycles.c (25)
md5deep-1.12\sha256.h matches md5deep-1.12\md5.h (61)
md5deep-1.12\sha256.h matches md5deep-1.12\sha1.h (57)
md5deep-1.12\tiger.h matches md5deep-1.12\cycles.c (29)
md5deep-1.12\tiger.h matches md5deep-1.12\md5.h (65)
md5deep-1.12\tiger.h matches md5deep-1.12\sha1.h (63)
md5deep-1.12\tiger.h matches md5deep-1.12\sha256.h (61)
ssdeep-1.1\cycles.c matches md5deep-1.12\cycles.c (94)
ssdeep-1.1\dig.c matches md5deep-1.12\dig.c (35)
ssdeep-1.1\helpers.c matches md5deep-1.12\helpers.c (57)</pre>

If you'd like to see the matches in both directions (i.e. for two files A and B that match, see that A matches B and B matches A), use the <tt>-p</tt> flag instead of <tt>-d</tt>.

== External Links ==

* [http://ssdeep.sourceforge.net/ Official website]

[[Category:Cross-platform]]

Jesse Kornblum

2010-08-05T19:53:07Z

Jessek: Removed deleted Wikipedia reference

Jesse Kornblum is a computer forensics author, researcher and engineer. You can read his [http://jessekornblum.com/ official web site]. His [http://jessekornblum.com/kornblum-cv.pdf Curriculum Vitae] has a current list of his papers. He currently works for [[Kyrus Technology]].

== Tools ==

[[md5deep]] and [[hashdeep]] - Cross platform recursive [[hashing]] and auditing programs, respectively. Computes MD5, SHA-1, SHA-256, Tiger and Whirlpool hashes. Can also match against sets of known hashes. The latter program uses [[multihashing]] to conduct a computer forensics audit.

[[foremost]] - File [[carving]] program

[[ssdeep]] - Usually called Fuzzy Hashing, this program implements [[Context Triggered Piecewise Hashing]].

[[First Responder's Evidence Disk|FRED]] - The First Responder's Evidence Disk

[[dc3dd]] - A patch to add forensics features to [[dd|GNU dd]]

[[Miss Identify]] - Program to identify Win32 executables that don't have an executable extension. Can also identify all executables.

[[Category:People]]

Jesse Kornblum

2010-05-25T02:51:59Z

Jessek:

Jesse Kornblum is a computer forensics author, researcher and engineer. You can read more about him in his [http://en.wikipedia.org/wiki/Jesse_Kornblum Wikipedia entry] or his [http://jessekornblum.com/ official web site]. His [http://jessekornblum.com/kornblum-cv.pdf Curriculum Vitae] has a current list of his papers. He currently works for [[Kyrus Technology]].

== Tools ==

[[md5deep]] and [[hashdeep]] - Cross platform recursive [[hashing]] and auditing programs, respectively. Computes MD5, SHA-1, SHA-256, Tiger and Whirlpool hashes. Can also match against sets of known hashes. The latter program uses [[multihashing]] to conduct a computer forensics audit.

[[foremost]] - File [[carving]] program

[[ssdeep]] - Usually called Fuzzy Hashing, this program implements [[Context Triggered Piecewise Hashing]].

[[First Responder's Evidence Disk|FRED]] - The First Responder's Evidence Disk

[[dc3dd]] - A patch to add forensics features to [[dd|GNU dd]]

[[Miss Identify]] - Program to identify Win32 executables that don't have an executable extension. Can also identify all executables.

[[Category:People]]

FAT

2010-02-26T18:02:19Z

Jessek: /* FAT64 (exFAT) */ - Added link to exFAT presentation

'''FAT''', or File Allocation Table, is a [[File Systems|file system]] that is designed to keep track of allocation status of clusters on a [[hard drive]]. Developed in 1977 by [[Microsoft]] Corporation, FAT was originally intended to be a [[File Systems|file system]] for the Microsoft Disk BASIC interpreter. FAT was quickly incorporated into an early version of Tim Patterson's QDOS, which was a moniker for "Quick and Dirty Operating System". [[Microsoft]] later purchased the rights to QDOS and released it under Microsoft branding as PC-DOS and later, MS-DOS.

== Structure==

{| style="text-align:center;" cellpadding="3" border="1px"
| Boot sector
| More reserved sectors (optional)
| FAT #1
| FAT #2
| Root directory (FAT12/16 only)
| Data region (rest of disk)
|}

=== Boot Record ===
When a computer is powered on, a POST (power-on self test) is performed, and control is then transferred to the [[Master boot record]] ([[MBR]]). The [[MBR]] is present no matter what file system is in use, and contains information about how the storage device is logically partitioned. When using a FAT file system, the [[MBR]] hands off control of the computer to the Boot Record, which is the first sector on the partition. The Boot Record, which occupies a reserved area on the partition, contains executable code, in addition to information such as an OEM identifier, number of FATs, media descriptor (type of storage device), and information about the operating system to be booted. Once the Boot Record code executes, control is handed off to the operating system installed on that partition.

=== FATs ===
The primary task of the File Alocation Tables are to keep track of the allocation status of clusters, or logical groupings of sectors, on the disk drive. There are four different possible FAT entries: allocated (along with the address of the next cluster associated with the file), unallocated, end of file, and bad sector.

In order to provide redundancy in case of data corruption, two FATs, FAT1 and FAT2, are stored in the file system. FAT2 is a typically a duplicate of FAT1. However, FAT mirroring can be disabled on a FAT32 drive, thus enabling any of the FATs to become the Primary FAT. This possibly leaves FAT1 empty, which can be deceiving.

=== Root Directory ===
The Root Directory, sometimes referred to as the Root Folder, contains an entry for each file and directory stored in the file system. This information includes the file name, starting cluster number, and file size. This information is changed whenever a file is created or subsequently modified. Root directory has a fixed size of 512 entries on a hard disk and the size on a floppy disk depends. With FAT32 it can be stored anywhere within the partition, although in previous versions it is always located immediately following the FAT region.

=== Data Area ===

The Boot Record, FATs, and Root Directory are collectively referred to as the System Area. The remaining space on the logical drive is called the Data Area, which is where files are actually stored. It should be noted that when a file is deleted by the operating system, the data stored in the Data Area remains intact until it is overwritten.

=== Clusters ===
In order for FAT to manage files with satisfactory efficiency, it groups sectors into larger blocks referred to as clusters. A cluster is the smallest unit of disk space that can be allocated to a file, which is why clusters are often called allocation units. Each cluster can be used by one and only one resident file. Only the "data area" is divided into clusters, the rest of the partition is simply sectors. Cluster size is determined by the size of the disk volume and every file must be allocated an even number of clusters. Cluster sizing has a significant impact on performance and disk utilization. Larger cluster sizes result in more wasted space because files are less likely to fill up an even number of clusters.

The size of one cluster is specified in the Boot Record and can range from a single sector (512 bytes) to 128 sectors (65536 bytes). The sectors in a cluster are continuous, therefore each cluster is a continuous block of space on the disk. Note that only one file can be allocated to a cluster. Therefore if a 1KB file is placed within a 32KB cluster there are 31KB of wasted space. The formula for determining clusters in a partition is (# of Sectors in Partition) - (# of Sectors per Fat * 2) - (# of Reserved Sectors) ) / (# of Sectors per Cluster).

=== Wasted Sectors ===

'''Wasted Sectors''' (a.k.a. '''partition [[slack]]''') are a result of the number of data sectors not being evenly distributed by the cluster size. It's made up of unused bytes left at the end of a file. Also, if the partition as declared in the partition table is larger than what is claimed in the Boot Record the volume can be said to have wasted sectors. Small files on a hard drive are the reason for wasted space and the bigger the hard drive the more wasted space there is.

=== FAT Entry Values ===
 
FAT12 
 
0x000 (Free Cluster) 
0x001 (Reserved Cluster) 
0x002 - 0xFEF (Used cluster; value points to next cluster) 
0xFF0 - 0xFF6 (Reserved values) 
0xFF7 (Bad cluster) 
0xFF8 - 0xFFF (Last cluster in file) 
 
FAT16 
 
0x0000 (Free Cluster) 
0x0001 (Reserved Cluster) 
0x0002 - 0xFFEF (Used cluster; value points to next cluster) 
0xFFF0 - 0xFFF6 (Reserved values) 
0xFFF7 (Bad cluster) 
0xFFF8 - 0xFFFF (Last cluster in file) 
 
FAT32 
 
0x?0000000 (Free Cluster) 
0x?0000001 (Reserved Cluster) 
0x?0000002 - 0x?FFFFFEF (Used cluster; value points to next cluster) 
0x?FFFFFF0 - 0x?FFFFFF6 (Reserved values) 
0x?FFFFFF7 (Bad cluster) 
0x?FFFFFF8 - 0x?FFFFFFF (Last cluster in file)

Note: FAT32 uses only 28 of 32 possible bits, the upper 4 bits should be left alone. Typically these bits are zero, and are represented above by a question mark (?).

[[Category:Disk file systems]]

==Versions==

There are three variants of FAT in existence: FAT12, FAT16, and FAT32.

=== FAT12 ===
* FAT12 is the oldest type of FAT that uses a 12 bit file allocation table entry.
* FAT12 can hold a max of 4,086 clusters (which is 212 clusters minus a few values that are reserved for values used in the FAT).
* It is used for floppy disks and hard drive partitions that are smaller than 16 MB.
* All 1.44 MB 3.5" floppy disks are formatted using FAT12.
* Cluster size that is used is between 0.5 KB to 4 KB.

=== FAT16 ===
* It is called FAT16 because all entries are 16 bit.
* FAT16 can hold a max of 65,536 addressable units (2 26
* It is used for small and moderate sized hard disk volumes.
* The actual capacity is 65,525 due to some reserved values

=== FAT32 ===
FAT32 is the enhanced version of the FAT system implemented beginning with Windows 95 OSR2, Windows 98, and Windows Me.
Features include:
* Drives of up to 2 terabytes are supported ([[Windows]] 2000 only supports up to 32 gigabytes)
* Since FAT32 uses smaller clusters (of 4 kilobytes each), it uses hard drive space more efficiently. This is a 10 to 15 percent improvement over FAT or FAT16.
* The limitations of FAT or FAT 16 on the number of root folder entries have been eliminated. In FAT32, the root folder is an ordinary cluster chain, and can be located anywhere on the drive.
* File allocation mirroring can be disabled in FAT32. This allows a different copy of the file allocation table then the default to be active.

==== Limitations with [[Windows]] 2000 & [[Windows]] XP ====
* Clusters cannot be 64KB or larger.
* Cannot decrease cluster size that will result in the the FAT being larger than 16 MB minus 64KB in size.
* Cannot contain fewer than 65,527 clusters.
* Maximum of 32KB per cluster.
* ''[[Windows]] XP'': The Windows XP installation program will not allow a user to format a drive of more than 32GB using the FAT32 file system. Using the installation program, the only way to format a disk greater than 32GB in size is to use NTFS. A disk larger than 32GB in size ''can'' be formatted with FAT32 for use with Windows XP if the system is booted from a Windows 98 or Windows ME startup disk, and formatted using the tool that will be on the disk.

=== FAT64 (exFAT) ===
FAT64 (also know as Extended File Allocation Table or exFAT) is Microsoft's latest version of FAT and works with Windows Embedded CE 6.0 and Vista SP 1.
Features include:
* Largest file size is 264 bytes (16 exabytes) vs. FAT32's maximum file size of 4GB.
* Has transaction support using Transaction-Safe Extended FAT File System (TexFAT).
* Speeds up storage allocation processes by using free space bitmaps.
* Support UTC timestamps

Although Microsoft has published some information on exFAT, there are more technical specifications available from third parties. For example, here is a [http://paradigmsolutions.files.wordpress.com/2009/12/exfat-excerpt-1-4.pdf detailed presentation on exFAT].

=== Comparison of FAT Versions ===

See the table at http://en.wikipedia.org/wiki/File_Allocation_Table for more detailed information about the various versions of FAT.

== Uses ==
Due to its low cost, mobility, and non-volatile nature, flash memory has quickly become the choice medium for storing and transferring data in consumer electronic devices. The majority of flash memory storage is formatted using the FAT file system. In addition, FAT is also frequently used in electronic devices with miniature hard drives.

Examples of devices in which FAT is utilized include:

* [[USB]] thumb drives
* [[Digital camera|Digital cameras]]
* Digital camcorders
* Portable audio and video players
* Multifunction [[printers]]
* Electronic photo frames
* Electronic musical instruments
* Standard televisions
* [[PDAs]]

==Data Recovery==
Recovering directory entries from FAT filesystems as part of [[recovering deleted data]] can be accomplished by looking for entries that begin with a sigma 0xe5. When a file or directory is deleted under a FAT filesystem, the first character of its name is changed to sigma. The remainder of the directory entry information remains intact.

The pointers are also changed to zero for each cluster used by the file. Recovery tools look at the FAT to find the entry for the file. The location of the starting cluster will still be in the directory file. It is not deleted or modified. The tool will go straight to that cluster and try to recover the file using the file size to determine the number of clusters to recover. Some tools will go to the starting cluster and recover the next "X" number of clusters needed for the specific file size. However, this tool is not ideal. An ideal tool will locate "X" number of available clusters. Since files are most often fragmented, this will be a more precise way to recover the file.

An issue arises when two files in the same row of clusters are deleted. If the clusters are not in sequential order, the tool will automatically receive "X" number of clusters. However, because the file was fragmented, it's most likely that all the clusters obtained will not all contain data for that file. If these two deleted files are in the same row of clusters, it is highly unlikely the file can be recovered.

==File [[Slack]]==
File [[slack]] is data that starts from the end of the file written and continues to the end of the sectors designated to the file. There are two types of file [[slack]], RAM slack and Residual [[slack]]. RAM slack starts from the end of the file and goes to the end of that sector. Residual slack then starts at the next sector and goes to the end of the cluster allocated for the file. File slack is a helpful tool when analyzing a hard drive because the old data that is not overwritten by the new file is still in tact. Go to http://www.pcguide.com/ref/hdd/file/partSizes-c.html for examples.

<table border="1" cellspacing="2" bordercolor="#000000" cellpadding="4" width="468" bordercolorlight="#C0C0C0">
<tr>
<td width="101" bgcolor="#808080"><center>Cluster</center></td>
<td width="177" bgcolor="#808080"><center>Sample Slack Space,
50% Cluster Slack Per File</center></td>
<td width="178" bgcolor="#808080"><center>Sample Slack Space,
67% Cluster Slack Per File</center></td>
</tr>
<tr>
<td width="101" bgcolor="#C0C0C0"><center>2 kiB</center></td>
<td width="177"><center>17 MB</center></td>
<td width="178"><center>22 MB</center></td>
</tr>
<tr>
<td width="101" bgcolor="#C0C0C0"><center>4 kiB</center></td>
<td width="177"><center>33 MB</center></td>
<td width="178"><center>44 MB</center></td>
</tr>
<tr>
<td width="101" bgcolor="#C0C0C0"><center>8 kiB</center></td>
<td width="177"><center>66 MB</center></td>
<td width="178"><center>89 MB</center></td>
</tr>
<tr>
<td width="101" bgcolor="#C0C0C0"><center>16 kiB</center></td>
<td width="177"><center>133 MB</center></td>
<td width="178"><center>177 MB</center></td>
</tr>
<tr>
<td width="101" bgcolor="#C0C0C0"><center>32 kiB</center></td>
<td width="177"><center>265 MB</center></td>
<td width="178"><center>354 MB</center></td>
</tr>
</table>

The diagram above demonstrates the larger the cluster size used, the more disk space is wasted due to slack. This suggests it is better to use smaller cluster sizes whenever possible.

==FAT Advantages==
* Files available to multiple operating systems on the same computer
* Easier to switch from FAT to [[NTFS]] than vice versa
* Performs faster on smaller volumes (< 10GB)
* Does not index files, which causes slightly higher performance
* Performs better with small cache sizes (< 96MB)
* More space-efficient on small volumes (< 4GB)
* Performs better with slow disks (< 5400RPM)

==FAT Disadvantages==
* FAT has a fixed maximum number of clusters per partition, which means as the hard disk gets bigger the size of each cluster must increase, creating more slack space
* Doesn't natively support many abilities of [[NTFS]] such as on-the-fly compression, [[encryption]], or advanced security using access control lists
* [[NTFS]] recommended by [[Microsoft]] for volumes larger than 32GB
* FAT slows down as the number of files on the disk increases
* FAT usually fragments files more
* FAT does not allow for indexing of files for faster searching
* FAT does not support user quotas
* FAT has minimal security features including no access control list (ACL) capability.
== See also ==
[[Media:Fatgen103.doc|Microsoft's FAT32 specification]]
== External links ==
* http://en.wikipedia.org/wiki/File_Allocation_Table
* http://www.microsoft.com
* http://www.ntfs.com
* http://www.ntfs.com/ntfs_vs_fat.htm
* http://support.microsoft.com/kb/q154997/#XSLTH3126121123120121120120
* http://www.dewassoc.com/kbase/hard_drives/boot_sector.htm
* http://home.teleport.com/~brainy/fat32.htm
* http://www2.tech.purdue.edu/cpt/courses/cpt499s/
* http://home.no.net/tkos/info/fat.html
* http://web.ukonline.co.uk/cook/fat32.htm
* http://www.ntfs.com/fat-systems.htm
* http://www.microsoft.com/whdc/system/platform/firmware/fatgen.mspx
* http://support.microsoft.com/kb/q140418

Talk:1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d

2010-02-10T16:41:53Z

Jessek: Created page with 'Hey! That's the combination to my luggage! ~~~'

Hey! That's the combination to my luggage! [[User:Jessek|Jessek]]

Blogs

2010-02-01T14:20:53Z

Jessek: /* Forensic Blogs */ - Added Jesse Kornblum

[[Computer forensics]] related '''blogs'''.

= English-Language Blogs =

== Forensic Blogs ==

* [http://computer.forensikblog.de/en/ Andreas Schuster - Computer Forensics Blog]
* [http://www.niiconsulting.com/checkmate/ Checkmate - e-zine on Digital Forensics and Incident Response]
* [http://www.infosecinstitute.com/blog/ethical_hacking_computer_forensics.html Jack Koziol - Ethical Hacking and Computer Forensics]
* [http://fleet.typepad.com/lukeup/ SecurityBros.com - Hacking, Forensics & Security]
* [http://windowsir.blogspot.com/ Windows Incident Response Blog] by [[Harlan Carvey]]
* [http://geschonneck.com/ Alexander Geschonneck - Computer Forensics Blog]
* [http://forensicblog.org/ Michael Murr - Computer Forensics Blog]
* [http://forenshick.blogspot.com/ Jordan Farr - Forensic news, Technology, TV, and more]
* [http://unixsadm.blogspot.com/ Criveti Mihai - UNIX, OpenVMS and Windows System Administration, Digital Forensics, High Performance Computing, Clustering and Distributed Systems]
* [http://intrusions.blogspot.com/ Various Authors - Intrusions and Malware Analysis]
* [http://chicago-ediscovery.com/education/computer-forensics-glossary/ Andrew Hoog - Computer Forensic Glossary Blog, HOWTOs and other resources]
* [http://secureartisan.wordpress.com/ Paul Bobby - Digital Forensics with a Focus on EnCase]
* [http://www.crimemuseum.org/blog/ National Museum of Crime and Punishment-CSI/Forensics Blog]
* [http://forensicsfromthesausagefactory.blogspot.com/ Forensics from the sausage factory]
* [http://integriography.wordpress.com Computer Forensics Blog by David Kovar]
* [[Jesse Kornblum]] - [http://jessekornblum.livejournal.com/ A Geek Raised by Wolves]

== Related Blogs ==

* [http://www.c64allstars.de C64Allstars Blog]
* [http://www.emergentchaos.com/ Adam Shostack - Emergent Chaos]
* [http://jeffjonas.typepad.com/ Jeff Jonas - Inventor of NORA discusses privacy and all things digital]
* [http://www.cs.uno.edu/~golden/weblog Digital Forensics, Coffee, Benevolent Hacking] - Written by [[Golden G. Richard III]]

= Non-English Language =

=== Dutch ===

* [http://stam.blogs.com/8bits/ 8 bits] by Mark Stam ([http://translate.google.com/translate?u=http%3A%2F%2Fstam.blogs.com%2F8bits%2Fforensisch%2Findex.html&langpair=nl%7Cen&hl=en&ie=UTF-8 Google translation])

=== French ===

* [http://forensics-dev.blogspot.com Forensics-dev] ([http://translate.google.com/translate?u=http%3A%2F%2Fforensics-dev.blogspot.com%2F&langpair=fr%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])

=== German ===

* [http://computer.forensikblog.de/ Andreas Schuster - Computer Forensik Blog Gesamtausgabe] ([http://computer.forensikblog.de/en/ English version])
* [http://computer-forensik.org Alexander Geschonneck - computer-forensik.org] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.computer-forensik.org&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
* [http://henrikbecker.blogspot.com Henrik Becker - Digitale Beweisführung] ([http://translate.google.com/translate?u=http%3A%2F%2Fhenrikbecker.blogspot.com&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])

=== Spanish ===

* [http://www.forensic-es.org/blog forensic-es.org] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.forensic-es.org%2Fblog&langpair=es%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
* [http://www.inforenses.com Javier Pages - InForenseS] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.inforenses.com&langpair=es%7Cen&hl=es&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
* [http://windowstips.wordpress.com El diario de Juanito]
* [http://conexioninversa.blogspot.com Conexión inversa]

=== Russian ===

* Group-IB: [http://notheft.ru/blogs/group-ib blog at notheft.ru], [http://www.securitylab.ru/blog/company/group-ib/ blog at securitylab.ru]

David Kovar

2010-02-01T14:19:38Z

Jessek: Added category

David Kovar has been providing IT and software engineering consulting services for over twenty years. He has also been heavily involved with domestic and international search and rescue for the last fifteen years. The SAR investigations mingled with IT experience and led slowly into computer forensics with side trips into executive protection, flying, riding, emergency services, and some other random things that makes for a rather … diverse … resume.

CISSP, CCE, EnCE, CA Private Investigator License No: 00025048, etc, etc, etc.

== Blog ==

[http://integriography.wordpress.com integriography.wordpress.com]

== Tools ==

* [http://www.integriography.com analyzeMFT] - An open source MFT analysis tool written in Python.

[[Category:People]]

DC3 Digital Forensics Challenge

2010-01-28T23:50:07Z

Jessek:

{{expand}}

The '''DC3 Digital Forensics Challenge''' is an annual forensics contest sponsored by the [[Defense Cyber Crime Center]]. The winning team, which must consist of U.S. citizens, receives a free trip to the annual DoD Cyber Crime Conference.

== Participation ==
Participation in the contest is a good way for vendors to showcase their talents and for academics to teach computer forensics research. Some academics feel, however, that they are not getting much benefit from the the contest. They believe that the DoD should publish all of the submissions so that they can be independently evaluated. This opinion was most vocally stated by David C. Smith and Mickey Lasky from Georgetown University in August 2007. They gave a talk at the DEFCON conference titled "Cool stuff learned from competing in the DC3 digital forensic challenge" where they described their entries and the lack of feedback from the DC3 [http://video.google.com/videoplay?docid=-7884272596646742143&hl=en].

== History ==

=== 2010 ===

=== 2009 ===

=== 2008 ===
The challenges this year included detecting suspicious software, hash analysis, image analysis, partition recovery, signature analysis, file header reconstruction, password recovery, registry analysis, steganography, encryption, Skype analysis, foreign text identification and translation, MSN Live analysis, and image analysis.

=== 2007 ===
The challenge was held in 2007 again, this time asking participants to focus on BitLocker and PAX protected files, erased files on a CDROM, a damaged DVD and thumb drive, determining real images from fake ones, and audio steganography.

The [http://www.dc3.mil/2007_challenge/ archives from the 2007 challenge] are online.

=== 2006 ===
The 2006 challenge was the first sponsored by the DC3. Entrants were asked to solve puzzles in Audio Steganography, Steganography using S-Tools, Password Cracking, Image Analysis: Real vs. CG, Data Carving: Linux LVM Interpretation, Data Acquisition: Boot a dd Image, Data Acquisition: Boot a Split dd Image, Media Recovery: Compact-disc, Media Recovery: Floppy Diskette, Keylog Cracking, and Metadata Extraction.

One hundred and forty teams requested challenge packets, but only 21 teams submitted entries. The winning team, announced on 15 Dec 2006, was [[AccessData]]. They won a free trip to the [[Defense Cyber Crime Center|DC3's]] annual [[Conferences|conference]] in St. Louis, MO in January 2007. They presented a complete solution at the conference.

Challenge submissions were broken down by academic, civilian, commercial, military, and government entrants. International teams from Australia, Canada, France, and India all requested packets, but were not eligible to win.

The [http://www.dc3.mil/2006_challenge/ archives from the 2006 challenge] are online.

== External Links ==

* [http://www.dc3.mil/challenge/ Official web site]

User talk:Jessek

2009-12-17T11:59:30Z

Jessek: /* Spam */

== Categories for products ==
The page for [[FRED]] isn't in a category. There are index-like pages for hardware and software [[vendors]] but no category or index for products. Should FRED really have it's own page, or instead listed briefly under a product page? (And is the vendor page getting large enough for a split?)
: --[[User:JohnJ|JohnJ]] 07:55, 4 September 2008 (UTC) (UTC is the only real time zone :-)

== Mutt Header Format corrections ==

Thank you for your corrections, i'm not realy good with english :( if you wont to jabber me try: fishor.bug.track # gmail # com
: My pleasure! [[User:Jessek|Jessek]] 09:16, 8 August 2007 (PDT)

== Hello ==

Just wanted to drop by and say "Hello". That, and to see who the people maintaining and editing this wiki are and all that, you know. :-). Anyway, I've enjoyed using Foremost so thanks for that too.
-[[User:Cmihai|cmihai]] 00:49, 20 December 2007 (PST)

== February 2009 ==

'...Your changes to [[Cellebrite UFED]] were contrary to the nature of this wiki. The objective nature of the wiki precludes your posting of press-release quality material. I have reverted the changes and protected the page against further updates. [[User:Jessek|Jessek]] 14:40, 17 February 2009 (UTC)...'

With all your years of experience and study you have Jesse, I would have thought that you would have worked out more diplomatic ways of find out information than to delete my entire entry - and then block me from my own page.

1. How is the page contrary when it is based on the existing .XRY page?

2. How is anything i wrote 'pre-release' if it has been released?

== Non-Computer Forensics==
Should non-computer forensics be regarded as vandalism? [[User:Simsong|Simsong]] 02:52, 6 October 2009 (UTC)
:While perhaps not 'vandalism' per se, I don't think we should have articles on non-computer forensics topics. If the topic is borderline, such as fingerprint forensics, we should delete, but perhaps with not such a harsh term. [[User:Jessek|Jessek]] 01:31, 9 October 2009 (UTC)

==Spam==
Jessee — we are still getting about 1-2 spam messages a day, always from newly created accounts. Any suggestions for what to do? [[User:Simsong|Simsong]] 15:32, 14 December 2009 (UTC)
:Can we interrupt the pattern of newly created accounts used immediately to create new pages? Is it possible to limit new page creation to users who have been registered for, say, 48 hours? Require an email address verification to create an account? [[User:Jessek|Jessek]] 21:49, 14 December 2009 (UTC)
:: Recent "ugg boot" spammers used accounts for posting messages more than two days after they were registered. [[User:.FUF|.FUF]] 21:52, 14 December 2009 (UTC)
::: Hmm. We can't be the first wiki to have this problem. How have other wikis handled it? How does [http://memory-alpha.org/ Memory Alpha] or other high-profile-but-not-wikipedia wikis deal with this? [[User:Jessek|Jessek]] 11:59, 17 December 2009 (UTC)

User talk:Jessek

2009-12-14T21:49:12Z

Jessek: /* Spam */

COFEE

2009-12-12T14:05:39Z

Jessek: Initial stub

{{expand}}

== External Links ==
* [http://www.microsoft.com/industry/government/solutions/cofee/default.aspx Official web site]

CCIPS

2009-11-10T01:08:16Z

Jessek: Redirected page to Department of Justice, Computer Crime and Intellectual Property Section

#REDIRECT [[Department of Justice, Computer Crime and Intellectual Property Section]]

Ovie Carroll

2009-11-10T00:44:56Z

Jessek: Cleaned up, added links, moved CCIPS text to a separate page

'''Ovie Carroll''' is the Director for the Cybercrime Lab at the [[Department of Justice, Computer Crime and Intellectual Property Section]] (CCIPS). He also co-hosts the [[Cyberspeak podcast]] with [[Bret Padres]]. Mr. Carroll's career includes more than 20 years in law enforcement.

Prior to joining the Department of Justice, Mr. Carroll was the Special Agent in Charge of the Computer Crimes Unit at the United States Postal Service, Office of Inspector General (OIG), responsible for all computer intrusion investigations within the USPS network infrastructure and for providing all computer forensic analysis in support of OIG investigations and audits as well as the deployment, installation and monitoring of technical computer surveillance equipment in support of criminal investigations.

Mr. Carroll has also served as the Chief, Computer Investigations and Operations Branch, [[Air Force Office of Special Investigations]], Washington Field Office where he was responsible for coordinating all national level computer intrusions occurring within the United States Air Force. He has extensive field experience applying his training to a broad variety of investigations and operations.

In addition to his career fighting computer crime, Mr. Carroll has led and assisted in the planning and conduct of counterintelligence inquiries, conducted investigations into a variety of offenses including murder, fraud, bribery, theft, gangs and narcotics.

[[Category:People]]

Department of Justice, Computer Crime and Intellectual Property Section

2009-11-10T00:44:08Z

Jessek: Initial stub

{{expand}}

The '''Computer Crime and Intellectual Property Section''' of the '''United States Department of Justice (CCIPS)''' is responsible for implementing the Department's national strategies in combating computer and intellectual property crimes worldwide. The Computer Crime Initiative is a comprehensive program designed to combat electronic penetrations, data thefts, and cyberattacks on critical information systems. CCIPS prevents, investigates, and prosecutes computer crimes by working with other government agencies, the private sector, academic institutions, and foreign counterparts. Section attorneys work to improve the domestic and international infrastructure-legal, technological, and operational-to pursue network criminals most effectively. The Section's enforcement responsibilities against intellectual property crimes are similarly multi-faceted. Intellectual Property (IP) has become one of the principal U.S. economic engines, and the nation is a target of choice for thieves of material protected by copyright, trademark, or trade-secret designation. In pursuing all these goals, CCIPS attorneys regularly run complex investigations, resolve unique legal and investigative issues raised by emerging computer and telecommunications technologies; litigate cases; provide litigation support to other prosecutors; train federal, state, and local law enforcement personnel; comment on and propose legislation; and initiate and participate in international efforts to combat computer and intellectual property crime.

The Cybercrime lab is responsible for providing computer forensic and other technical support to CCIPS attorneys as it applies to implementing the Department's national strategies in combating computer and intellectual property crimes worldwide.

The Cybercrime lab supports the CCIPS comprehensive program designed to combat electronic penetrations, data thefts, and cyber attacks on critical information systems. The Cybercrime lab also provides technical support and training to improve the domestic and international infrastructure-legal, technological, and operational-to pursue network criminals most effectively. The Section's enforcement responsibilities against intellectual property crimes are similarly multi-faceted. Intellectual Property (IP) has become one of the principal U.S. economic engines, and the nation is a target of choice for thieves of material protected by copyright, trademark, or trade-secret designation.

== External Links ==
* [http://www.cybercrime.gov/ Official web site]

User talk:Jessek

2009-10-09T01:31:33Z

Jessek: /* Non-Computer Forensics */

Talk:People

2009-09-19T15:49:19Z

Jessek: Created page with 'Why is this page here? Most of the things listed on it are not people. ~~~~'

Why is this page here? Most of the things listed on it are not people. [[User:Jessek|Jessek]] 15:49, 19 September 2009 (UTC)

User talk:Tedpenner

2009-09-19T15:47:17Z

Jessek: Created page with '== No Spam Links == This wiki is a repository of information on computer forensics, not a place to advertise your web site. Please refrain from posting content unrelated to compu…'

== No Spam Links ==
This wiki is a repository of information on computer forensics, not a place to advertise your web site. Please refrain from posting content unrelated to computer forensics. [[User:Jessek|Jessek]] 15:47, 19 September 2009 (UTC)

People

2009-09-19T15:45:39Z

Jessek: Reverted edits by Tedpenner (Talk) to last revision by Cmumma

* [[Harvard Forensics Project]]
* [[Purdue CyberForensics Lab]]
* http://wiki.multimedia.cx/
The MultimediaWiki catalogs as many technical details as possible about video and audio formats. Also includes details on reverse engineering and tools used, etc.
* [http://digitalrecordsforensics.org/ Digital Records Forensics Project] at the University of British Columbia, SLAIS

Legal issues

2009-09-12T00:11:57Z

Jessek: Reverted edits by Martin7 (Talk) to last revision by Simsong

A grab-bag collection of citations on legal issues.

= The Hacker Defense (aka Trojan/Virus Defense) =

Below are accounts of different hacker/virus/Trojan related defenses. Albeit some of these are not ‘reputable’ web sources, but they should all have official court backing from wherever the various investigators that do similar. And the CPS (sort of FBI in UK) is training prosecutors en masse about ‘trojan defenses’ (link below). These types of actions would not occur unwarranted. Why do all the extra work for nothing?

“The "Trojan defense" has now become standard in many types of computer crime cases. But the defense often plays on the ignorance of juries and prosecutors. It has raised the need for the CPS to do more to explain complex technical issues in simple terms to judges and juries, says George.” (Esther George is the policy adviser at the Crown Protection Services)
http://www.computerweekly.com/Articles/2007/01/27/221526/high-tech-crime-is-put-on-trial.htm

US man, Eugene Pitts, found not-guilty of tax evasion after blaming a computer virus. Avoids ~$900,000 in fines.
http://www.sophos.com/pressoffice/news/articles/2003/08/va_virustax.html

United States v. Michael McCourt U.S. Court of Appeals Case 1/24/06 Western District of Missouri. Guilty charge upheld.
http://www.ca8.uscourts.gov/opndir/06/11/061018P.pdf

Karl Schofield walked free from court yesterday after prosecutors accepted an expert's report that the "Trojan" program could have saved the 14 depraved images off the internet without his knowledge. http://www.getreading.co.uk/news/6/6541/program_put_child_porn_pics_on_my_pc

Julian Green, 45, of Torquay, Devon was cleared in court in July of 13 charges of making indecent images, claiming computer malware was to blame.
http://www.sophos.com/pressoffice/news/articles/2003/08/va_porntrojan.html

Aaron Cafrey acquitted with Trojan defense after US authorities claimed traced DOS activity to his machine
http://news.com.com/2100-7349-5092781.html?tag=txt

A former Georgia teacher blames computer viruses for altering his Web sites and uploading child porn images. Guilty charge upheld.
http://news.zdnet.com/2100-1009_22-6130218.html

Odd spin on the issue, where a hacker used a Trojan to gain access to potential pedophile’s computers.
http://www.darkreading.com/document.asp?doc_id=118157

Bandy’s defense attorney asserted that a “virus” or “trojan” must have downloaded the child pornography to Bandy’s computer without his knowledge.
http://www.foxnews.com/story/0,2933,247903,00.html

A man found with more than 1,700 indecent images of children on his computer claimed a virus was to blame, a court heard. But Mark Craney, 33, from Knowle, was found guilty at Warwick Crown Court on 16 charges of making indecent images of children by downloading them onto his computer. http://icbirmingham.icnetwork.co.uk/0100news/0100localnews/tm_objectid=15104065&method=full&siteid=50002&headline=man-blamed-net-virus-for-child-porn-name_page.html

More links from previous research.

[1] http://www.cnn.com/2003/TECH/internet/10/28/hacker.defense.reut/index.html

[2] http://news.com.com/2100-7349_3-5092781.html

[3]http://www.fedlawyerguy.org/2003/11/the_trojan_defense.html

[4]http://www.theregister.co.uk/2003/04/24/trojan_defence_clears_man/

[5]http://www.austlii.edu.au/au/cases/cth/high_ct/2006/39.html

[6]http://www.castlecops.com/modules.php?name=News&file=print&sid=2946

[7]http://direct.bl.uk/bld/PlaceOrder.do?UIN=161932125&ETOC=RN&from=searchengine

== External Links ==

* [http://www.cybersecurityinstitute.biz/tpicq.htm The "Tools Proven in Court" Question]

=Privacy and Surveillance Laws=

18 USC 2510 et seq., 18 USC 2701 et. seq., 18 USC 1030 and other statutes regulate the information private entities and law enforcement can access over a computer network.

The following forensic tools, which can capture forensic images remotely over a network, may raise interesting legal questions under these and other statutes.

Paraben Enterprise and Shuttle:
http://www.paraben-enterprise.com/

WetStone LiveWire Investigator:
http://www.000.shoppingcartsplus.com/catalog/item/4170630/4050602.htm

ProDiscover IR:
http://www.techpathways.com/ProDiscoverIR.htm

EnCase Enterprise:
http://www.encase.com/products/ee_index.asp

Vontu:
http://www.vontu.com/products/default.asp

=Cybersecurity Research=
* [http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1113014 Toward a Culture of Cybersecurity Research], Aaron J. Burstein, University of California, Berkeley - School of Law. 2008, UC Berkeley Public Law Research Paper No. 1113014

[[Category:Bibliographies]]

User talk:2L

2009-09-11T18:47:08Z

Jessek: Created page with 'You are attempting to delete a valid link on the Anti-forensic techniques‎ page. Can you please explain why you feel this link should not be on the page? Your reasons could…'

You are attempting to delete a valid link on the [[Anti-forensic techniques‎]] page. Can you please explain why you feel this link should not be on the page? Your reasons could help see your point of view. [[User:Jessek|Jessek]] 18:47, 11 September 2009 (UTC)

Anti-forensic techniques

2009-09-09T01:42:21Z

Jessek: Undo revision 9418 by 2L (Talk) - Why was this link removed? It seems appropriate to the page

'''Anti-forensic techniques''' try to frustrate [[forensic investigator]]s and their [[techniques]].

This can include refusing to run when [[debugging]] mode is enabled, refusing to run when running inside of a [[virtual machine]], or deliberately overwriting data. Although some anti-forensic tools have legitimate purposes, such as overwriting sensitive data that shouldn't fall into the wrong hands, like any [[Tools|tool]] they can be abused.

=Traditional anti-forensics=
==Overwriting Data and Metadata==
=== Secure Data Deletion ===

[[Secure data deletion|Securely deleting]] data, so that it cannot be restored with forensic methods.

Overwriting programs typically operate in one of three modes:
# The program can overwrite the entire media.
# The program can attempt to overwrite individual files. This task is complicated by journaling file systems: the file itself may be overwritten, but portions may be left in the journal.
# The program can attempt to overwrite files that were previously “deleted” but left on the drive. Programs typically do this by creating one or more files on the media and then writing to these files until no free space remains, taking special measures to erase small files — for example, files that exist entirely within the Windows Master File Table of an NTFS partition (Garfinkel and Malan, 2005).

Programs employ a variety of techniques to overwrite data. Apple’s Disk Utility allows data to be overwritten with a single pass of NULL bytes, with 7 passes of random data, or with 35 passes of data. Microsoft’s cipher.exe, writes a pass of zeros, a pass of FFs, and a pass of random data, in compliance with DoD standard 5220.22-M. (US DoD, 1995). In 1996 Gutmann asserted that it might be possible to recover overwritten data and proposed a 35-pass approach for assured sanitization (Gutmann 1996). However, a single overwriting pass is now viewed as sufficient for [[Sanitizing Tools|sanitizing]] data from ATA drives with capacities over 15 GB that were manufactured after 2001 (NIST 2006).

Be aware that software 'data destroyers' may not necessarily do what they state on the burb site. In particular a common mistake is the oversight of how the underlying file system actually stores files, for instance a 'wipe drive' application that will write a series of random values across unallocated space on the hard disk may not take into account the slack space at the end of allocated data blocks. Thus allowing a large portion of old data to still be recoverable. This is a very handy for a forensic analyst, but not so handy for IT Managers.

===Overwriting Metadata===
If the examiner knows when an attacker had access to a Windows, Mac or Unix system, it is frequently possible to determine which files the attacker accessed, by examining file “access” times for every file on the system. Some CFTs can prepare a “timeline” of the attacker’s actions by sorting all of the computer’s timestamps in chronological order. Although an attacker could wipe the contents of the media, this action itself might attract attention. Instead, the attacker might hide their tracks by overwriting the access times themselves so that the timeline could not be reliably constructed.

For example, [[Timestomp]] will overwrite [[NTFS]] “create,” “modify,” “access,” and “change” timestamps ([[Metasploi]]t 2006). [[The Defiler’s Toolkit]] can overwrite inode timestamps and deleted directory entries on many Unix systems; timestamps on allocated files can also be modified using the Unix touch command ([[The Grugq]] 2003).

=== Preventing Data Creation ===
Prevent the creation of certain data in the first place. Data which was never there, obviously cannot be restored with forensic methods.

For example, a partition can be mounted read-only or accessed through the raw device to prevent the file access times from being updated. The Windows registry key HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate can be set to “1” to disable updating of the last-accessed timestamp; this setting is default under Windows Vista (Microsoft 2006).

==Cryptography, Steganography, and other Data Hiding Approaches==
=== Encrypted Data ===
Cryptographic file systems transparently encrypt data when it is written to the disk and decrypt data when it is read back, making the data opaque to any attacker (or CFT) that does not have the key. These file systems are now readily available for Windows, Mac OS, and Linux. The key can be protected with a passphrase or stored on an auxiliary device such as a USB token. If there is no copy of the key, intentionally destroying the key makes the data stored on the media inaccessible (Boneh and Lipton, 1996). Even if the cryptographic system lacks an intentional sanitization command or “self-destruct,” cryptography can still be a potent barrier to forensic analysis if the cryptographic key is unknown to the examiner.

Cryptography can also be used at the application level. For example, Microsoft Word can be configured to encrypt the contents of a document by specifying that the document has a “password to open.” Although older versions of Microsoft Word encrypted documents with a 40-bit key that can be cracked with commercial tools, modern versions can optionally use a 128-bit encryption that is uncrackable if a secure passphrase is used.
=== Encrypted Network Protocols===
Network traffic can likewise be encrypted to protect its content from forensic analysis. Cryptographic encapsulation protocols such as [[SSL forensics|SSL]] and SSH only protect the content of the traffic. Protecting against traffic analysis requires the use of intermediaries. Onion Routing (Goldschlag, Reed and Syverson, 1999) combines both approaches with multiple layers of encryption, so that no intermediary knows both ends of the communication and the plaintext content.

''More information: [[Tor]] and [[VPN]].''

===Program Packers===
Packers are commonly used by attackers so that attack tools will not be subject to reverse engineering or detection by scanning. Packers such as PECompact (Bitsum 2006) and Burneye (Vrba 2004) will take a second program, compress and/or encrypt it, and wrap it with a suitable extractor. Packers can also incorporate active protection against debugging or reverse engineering techniques. For example, Shiva will exit if its process is being traced; if the process is not being traced, it will create a second process, and the two processes will then trace each other, since each process on a Unix system may only be traced by one other process. (Mehta and Clowes, 2003)

Packed programs that require a password in order to be run can be as strong as their encryption and password. However, the programs are vulnerable at runtime. Burndump is a loadable kernel module (LKM) that automatically detects when a Burneye-protected file is run, waits for the program to be decrypted, and then writes the raw, unprotected binary to another location (ByteRage 2002). Packed programs are also vulnerable to static analysis if no password is required (Eagle 2003).
=== Steganography ===
Steganography can be used to embed encrypted data in a cover text to avoid detection. Steghide embeds text in JPEG, MBP, MP3, WAV and AU files (Hetzl 2002). Hydan exploits redundancy in the x86 instruction set; it can encode roughly 1 byte per 110 (El-Khalil 2004). Stegdetect (Provos 2004) can detect some forms of steganography.

StegFS hides encrypted data in the unused blocks of a Linux ext2 file system, making the data “look like a partition in which unused blocks have recently been overwritten with random bytes using some disk wiping tool” (McDonald and Kuhn, 2003).

[[FreeOTFE]] and [[TrueCrypt]] allow a second encrypted file system to be hidden within another encrypted file system. The goal of this filesystem-within-a-filesystem is to allow the users to have a “decoy” file system with data that is interesting but not overtly sensitive. A person who is arrested or captured with a laptop encrypted using this software could then give up the first file system’s password, with the hope that the decoy would be sufficient to satisfy the person’s interrogators.

=== Generic Data Hiding===
Data can also be hidden in unallocated or otherwise unreachable locations that are ignored by the current generation of forensic tools.

Metasploit’s Slacker will hide data within the slack space of FAT or NTFS file system. FragFS hides data within the NTFS Master File Table. RuneFS (Grugq 2003) stores data in bad blocks. (Thompson and Monroe, 2006). Waffen FS stores data in the ext3 journal file (Eckstein and Jahnke 2005). KY FS stores data in directories (Grugq 2003). Data Mule FS stores data in inode reserved space (Grugq 2003). It is also possible to store information in the unallocated pages of Microsoft Office files.

Information can be stored in the [[DCO and HPA|Host Protected Area]] (HPA) and the [[DCO and HPA|Device Configuration Overlay]] (DCO) areas of modern ATA hard drives. Data in the HPA and DCO is not visible to the BIOS or operating system, although it can be extracted with special tools.

== Detecting Forensic Analysis ==

There are methods to detect whether an [[investigator]] tries to perform a (live) forensic analysis on the system. A malicious user or program could react to that by destroying evidence, for example.

=Other Anti Forensics=
==Targeting forensic tool blind spots==
==Targeting forensic tool vulnerabilities==
==Targeting generic tool/lib vulnerabilities==
=References=
Garfinkel, S., Anti-Forensics: Techniques, Detection and Countermeasures, The 2nd International Conference on i-Warfare and Security (ICIW), Naval Postgraduate School, Monterey, CA, March 8-9, 2007. [http://www.simson.net/clips/academic/2007.ICIW.AntiForensics.pdf]

Henrique, G. Wendel, Anti Forensics: Making computer forensics hard, Code Breakers III, São Paulo, Brazil, Setember 2006.
[http://ws.hackaholic.org/slides/AntiForensics-CodeBreakers2006-Translation-To-English.pdf]
== See also ==

* [[:Category:Anti-forensics tools|Anti-forensics tools category]]

== Externals Links ==

* [http://www.safehack.com/Textware/forensic/Anti_Forensic_Break_Encase.pdf Breaking Encase with FILE0 and Winhex]

* [http://ws.hackaholic.org/slides/AntiForensics-CodeBreakers2006-Translation-To-English.pdf Anti Forensics: making computer forensics hard]

* [http://seclists.org/bugtraq/2008/Nov/0038.html PTK Forensic Local Command Execution Vulnerability]

* [http://www.irongeek.com/i.php?page=videos/anti-forensics-occult-computing Anti-Forensics Class] Little over 3hr of video on the subject of anti-forensic techniques
[[Category:Anti-Forensics]]

Tools

2009-09-09T01:40:37Z

Jessek: /* Windows-based Tools */ - Changed to local link

This is an '''overview of available tools''' for forensic [[investigator]]s. Please click on the name of any tool for more details.

'''Note: This page has gotten too big and is being broken up. See:'''

* [[:Category:Disk Imaging]]
* [[Tools:Data Recovery]] (including file [[carving]])
* [[Tools:File Analysis]]
* [[Tools:Document Metadata Extraction]]
* [[Tools:Memory Imaging]]
* [[Tools:Network Forensics]]
* [[Tools:Logfile Analysis]]
* [[:Category:Anti-forensics tools]]
* [[:Category:Secure deletion]]

= Disk Analysis Tools =
== Hard Drive Firmware and Diagnostics Tools ==
; [[PC-3000]] from [[DeepSpar Data Recovery Systems]]
: http://www.deepspar.com/products-pc-3000-drive.html
: http://www.pc-3000.com/

== Linux-based Tools ==
; [[LINReS]] by [[NII Consulting Pvt. Ltd.]]
: http://www.niiconsulting.com/innovation/linres.html

; [[SMART]] by [[ASR Data]]
: http://www.asrdata.com

== Macintosh-based Tools ==

; [[Macintosh Forensic Software]] by [[BlackBag Technologies, Inc.]]
: http://www.blackbagtech.com/software_mfs.html

; [[MacForensicsLab]] by [[Subrosasoft]]
: [http://www.subrosasoft.com/OSXSoftware/index.php?main_page=product_info&cPath=39&products_id=114 MacForensicLab-Subrosasoft]

; [[Mac Marshal]] by [[ATC-NY]]
: http://www.macmarshal.com/

== Windows-based Tools ==

; [[Blackthorn GPS Forensics]]
: http://www.blackthorngps.com

; [[HBGary Responder Professional]] - Windows Physical Memory Forensic Platform
:http://www.hbgary.com

; [[BringBack]] by [[Tech Assist, Inc.]]
: http://www.toolsthatwork.com/bringback.htm

; [[EMail Detective - Forensic Software Tool]] by [[Hot Pepper Technology, Inc]]
; http://www.hotpepperinc.com/emd

; [[EnCase]] by [[Guidance Software]]
: http://www.guidancesoftware.com/

; [[fbi (tool)|fbi]] by [[Nuix Pty Ltd]]
: http://www.nuix.com

; [[Forensic Toolkit]] ([[FTK]]) by [[AccessData]]
: http://www.accessdata.com/products/ftk/

; [[ILook Investigator]] by [[Elliot Spencer]] and [[Internal Revenue Service|U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation]] (IRS)
: http://www.ilook-forensics.org/

; [[Mercury Indexer]] by [[MicroForensics, Inc.]]
: http://www.MicroForensics.com/

; [[OnLineDFS]] by [[Cyber Security Technologies]]
: http://www.cyberstc.com/

; [[P2 Power Pack]] by [[Paraben]]
: https://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=187

; [[Safeback]] by [[NTI]] and [[Armor Forensics]]
: http://www.forensics-intl.com/safeback.html

; [[X-Ways Forensics]] by [[X-Ways AG]]
: http://www.x-ways.net/forensics/index-m.html

; [[Prodiscover]] by [[Techpathways]]
: http://www.techpathways.com/ProDiscoverWindows.htm

== Open Source Tools ==

; [[AFFLIB]]
: A library for working with [[disk image]]s. Currently AFFLIB supports raw, [[AFF]], [[AFD]], and [[EnCase]] file formats. Work to support segmented raw, [[iLook]], and other formats is ongoing.

; [[Autopsy]]
: http://www.sleuthkit.org/autopsy/desc.php

; [[foremost]]
: http://foremost.sf.net/
: [[Linux]] based file carving program

; [[Scalpel]]
: http://www.digitalforensicssolutions.com/Scalpel/
: [[Linux]] and [[Windows]] file carving program originally based on [[foremost]].

; [[FTimes]]
: http://ftimes.sourceforge.net/FTimes/index.shtml
: FTimes is a system baselining and evidence collection tool.

; [[gfzip]]
: http://www.nongnu.org/gfzip/

; [[gpart]]
: http://www.stud.uni-hannover.de/user/76201/gpart/
: Tries to ''guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted''.

; [[magicrescue]]
: http://jbj.rapanden.dk/magicrescue/

; The [[Open Computer Forensics Architecture]]
: http://ocfa.sourceforge.net/

; [[pyflag]]
: http://www.pyflag.net/PyFlagWiki/
: Web-based, database-backed forensic and log analysis GUI written in Python.

; [[scrounge-ntfs]]
: http://memberwebs.com/nielsen/software/scrounge/

; [[Sleuthkit]]
: http://www.sleuthkit.org/

; [[The Coroner's Toolkit]] ([[TCT]])
: http://www.porcupine.org/forensics/tct.html

; [[Hachoir]]
: A generic framework for binary file manipulation, it supports [[FAT12]], [[FAT16]], [[FAT32]], [[ext2|ext2/ext3]], Linux swap, MSDOS partition header, etc. Recognize file type. Able to find subfiles (hachoir-subfile).

== [[NDA]] and [[scoped distribution]] tools ==

= Enterprise Tools (Proactive Forensics)=

; [[P2 Enterprise Edition]] by [[Paraben]]
: http://www.paraben-forensics.com/enterprise_forensics.html

; [[LiveWire Investigator 2008]] by [[WetStone Technologies]]
: http://www.wetstonetech.com/f/livewire2008.html

= Forensics Live CDs =

; [[FCCU Gnu/Linux Boot CD]]
: A [[Live CD]] built on top of [[Knoppix]] with a lot of tools with forensic purpose.
: It leaves the target devices unaltered (it does not use the swap partitions found on the devices) nor does it automount partitions.

; [[Helix]] ([[Helix3 Pro]])
: A [[Live CD]] built on top of [[Ubuntu]] with special tools for [[Incident Response|incident response]] and electronic discovery.
: A hybrid CD which also contains a [[Cygwin]] environment for use on a running Windows system (w/o rebooting) including the Sysinternals tools.

; [[SNARL]]
: A FreeBSD based forensics Bootable ISO (includes Autopsy and Sleuth Kit).
: http://sourceforge.net/projects/snarl/

; [[Knoppix STD]]
: A [[Live CD]] built on top of [[Knoppix]].
: http://s-t-d.org/

; [[Penguin Sleuthkit]]
: A Linux [[Live CD]] that includes SleuthKit.
: http://penguinsleuth.org/

; [[THE FARMER'S BOOT CD]]
: A [[Linux]] [[Live CD]], designed and optimized for previewing data in a [[forensically sound]] manner. It contains a number of programs forensic practitioners can utilize to preview both [[Windows]] and [[Linux]] systems.

; [[MacQuisition Boot CD]]
: A forensic [[Live CD]] built for imaging [[Macintosh]] systems.

; [[DEFT Linux]]
: A Live CD built on top of [[Xubuntu]] with the best tools for computer forensics and incident response.
: It's a very light and fast live system created for the Computer Forensics specialist.
: The first live CD with [[AFF]], dhash and [[Xplico]].
: http://www.deftlinux.net

; [[Recovery Is Possible]]
: A [[Linux]] [[Live CD]] with a number of recovery applications such as [[TestDisk]], [[PhotoRec]] etc.
: http://www.tux.org/pub/people/kent-robotti/looplinux/rip/

; [[Ubuntu-Rescue-Remix]]
: Ubuntu-rescue-remix is a live cd that provides the data recovery expert with an environment equipped with the best free-libre, open source data recovery and forensics tools available. Since many of those libraries and tools are part of the Ubuntu Installer, it makes sense to remix Ubuntu into a lightweight and powerful environment for data recovery. This project was formerly known as Rescubuntu.
:http://ubuntu-rescue-remix.org/

; [[Stagos FSE]]
: Stagos FSE aims to be a computer forensic framework based on Ubuntu Linux. It can read various filesystems, including [[NTFS]], and [[EnCase]] images.
:http://stagos.mrp-bpp.net/

; [[4BAK liveUSB]]
: 4bak is a Slax-based LiveUSB with a collection of forensics command line interface (CLI) tools.
:http://4bak.org/

= Personal Digital Device Tools=

== GPS Forensics ==

; [[Blackthorn GPS Forensics]]

== PDA Forensics ==
; [[Cellebrite UFED]]
; [[Paraben PDA Seizure]]
; [[Paraben PDA Seizure Toolbox]]
; [[PDD]]

== Cell Phone Forensics ==
; [[BitPIM]]
; [[Cellebrite UFED]]
; [[DataPilot Secure View]]
; [[GSM .XRY]]
; [[Fernico ZRT]]
; [[ForensicMobile]]
; [[LogiCube CellDEK]]
; [[MOBILedit!]]
; [[Oxygen Forensic Suite 2]]
: http://www.oxygen-forensic.com
; [[Paraben's Device Seizure]] and [[Paraben's Device Seizure Toolbox]]
: http://www.paraben-forensics.com/handheld_forensics.html
; [[Serial Port Monitoring]]
; [[TULP2G]]

== SIM Card Forensics ==
; [[Cellebrite UFED]]
; [[ForensicSIM]]
; [[Paraben's SIM Card Seizure]]
: http://www.paraben-forensics.com/handheld_forensics.html
; [[SIMCon]]

== Preservation Tools ==
; [[Paraben StrongHold Bag]]
; [[Paraben StrongHold Tent]]

= Other Tools =

; [[VMware]] Player
: http://www.vmware.com/products/player/
: http://en.wikipedia.org/wiki/VMware#VMware_Workstation
: A free player for [[VMware]] [[virtual machine]]s that will allow them to "play" on either [[Windows]] or [[Linux]]-based systems.

; [[VMware]] Server
: http://www.vmware.com/products/server/
: The free server product, for setting up/configuring/running [[VMware]] [[virtual machine]].Important difference being that it can run 'headless', i.e. everything in background.

; Computer Forensics Toolkit
: http://computer-forensics.privacyresources.org
: This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.

; Webtracer
: http://www.forensictracer.com
: Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)

; Live View
: http://liveview.sourceforge.net/
: Live View is a graphical forensics tool that creates a [[VMware]] [[virtual machine]] out of a dd disk image or physical disk.

; Parallels VM
: http://www.parallels.com/
: http://en.wikipedia.org/wiki/Parallels_Workstation

; Microsoft Virtual PC
: http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx
: http://en.wikipedia.org/wiki/Virtual_PC

== Hex Editors ==

; [[biew]]
: http://biew.sourceforge.net/en/biew.html

; [[Cellebrite UFED]]

; [[hexdump]]
: ...

; [[HexFiend]]
: A hex editor for Apple OS X
: http://ridiculousfish.com/hexfiend/

; [[Hex Workshop]]
: A hex editor from [[BreakPoint Software, Inc.]]
: http://www.bpsoft.com

; [[khexedit]]
: http://docs.kde.org/stable/en/kdeutils/khexedit/index.html

; [[WinHex]]
: Computer forensics software, data recovery software, hex editor, and disk editor from [[X-Ways]].
: http://www.x-ways.net/winhex

; [[xxd]]
: ...

= Telephone Scanners/War Dialers =

;PhoneSweep
:http://www.sandstorm.net/products/phonesweep/
:PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.

Tools

2009-09-09T01:40:03Z

Jessek: /* GPS Forensics */ - Changed to local link

This is an '''overview of available tools''' for forensic [[investigator]]s. Please click on the name of any tool for more details.

'''Note: This page has gotten too big and is being broken up. See:'''

* [[:Category:Disk Imaging]]
* [[Tools:Data Recovery]] (including file [[carving]])
* [[Tools:File Analysis]]
* [[Tools:Document Metadata Extraction]]
* [[Tools:Memory Imaging]]
* [[Tools:Network Forensics]]
* [[Tools:Logfile Analysis]]
* [[:Category:Anti-forensics tools]]
* [[:Category:Secure deletion]]

= Disk Analysis Tools =
== Hard Drive Firmware and Diagnostics Tools ==
; [[PC-3000]] from [[DeepSpar Data Recovery Systems]]
: http://www.deepspar.com/products-pc-3000-drive.html
: http://www.pc-3000.com/

== Linux-based Tools ==
; [[LINReS]] by [[NII Consulting Pvt. Ltd.]]
: http://www.niiconsulting.com/innovation/linres.html

; [[SMART]] by [[ASR Data]]
: http://www.asrdata.com

== Macintosh-based Tools ==

; [[Macintosh Forensic Software]] by [[BlackBag Technologies, Inc.]]
: http://www.blackbagtech.com/software_mfs.html

; [[MacForensicsLab]] by [[Subrosasoft]]
: [http://www.subrosasoft.com/OSXSoftware/index.php?main_page=product_info&cPath=39&products_id=114 MacForensicLab-Subrosasoft]

; [[Mac Marshal]] by [[ATC-NY]]
: http://www.macmarshal.com/

== Windows-based Tools ==

; [http://blackthorngps.com Blackthorn GPS Forensics] by [http://berlacorp.com Berla Corp.]
: http://www.blackthorngps.com

; [[HBGary Responder Professional]] - Windows Physical Memory Forensic Platform
:http://www.hbgary.com

; [[BringBack]] by [[Tech Assist, Inc.]]
: http://www.toolsthatwork.com/bringback.htm

; [[EMail Detective - Forensic Software Tool]] by [[Hot Pepper Technology, Inc]]
; http://www.hotpepperinc.com/emd

; [[EnCase]] by [[Guidance Software]]
: http://www.guidancesoftware.com/

; [[fbi (tool)|fbi]] by [[Nuix Pty Ltd]]
: http://www.nuix.com

; [[Forensic Toolkit]] ([[FTK]]) by [[AccessData]]
: http://www.accessdata.com/products/ftk/

; [[ILook Investigator]] by [[Elliot Spencer]] and [[Internal Revenue Service|U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation]] (IRS)
: http://www.ilook-forensics.org/

; [[Mercury Indexer]] by [[MicroForensics, Inc.]]
: http://www.MicroForensics.com/

; [[OnLineDFS]] by [[Cyber Security Technologies]]
: http://www.cyberstc.com/

; [[P2 Power Pack]] by [[Paraben]]
: https://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=187

; [[Safeback]] by [[NTI]] and [[Armor Forensics]]
: http://www.forensics-intl.com/safeback.html

; [[X-Ways Forensics]] by [[X-Ways AG]]
: http://www.x-ways.net/forensics/index-m.html

; [[Prodiscover]] by [[Techpathways]]
: http://www.techpathways.com/ProDiscoverWindows.htm

== Open Source Tools ==

; [[AFFLIB]]
: A library for working with [[disk image]]s. Currently AFFLIB supports raw, [[AFF]], [[AFD]], and [[EnCase]] file formats. Work to support segmented raw, [[iLook]], and other formats is ongoing.

; [[Autopsy]]
: http://www.sleuthkit.org/autopsy/desc.php

; [[foremost]]
: http://foremost.sf.net/
: [[Linux]] based file carving program

; [[Scalpel]]
: http://www.digitalforensicssolutions.com/Scalpel/
: [[Linux]] and [[Windows]] file carving program originally based on [[foremost]].

; [[FTimes]]
: http://ftimes.sourceforge.net/FTimes/index.shtml
: FTimes is a system baselining and evidence collection tool.

; [[gfzip]]
: http://www.nongnu.org/gfzip/

; [[gpart]]
: http://www.stud.uni-hannover.de/user/76201/gpart/
: Tries to ''guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted''.

; [[magicrescue]]
: http://jbj.rapanden.dk/magicrescue/

; The [[Open Computer Forensics Architecture]]
: http://ocfa.sourceforge.net/

; [[pyflag]]
: http://www.pyflag.net/PyFlagWiki/
: Web-based, database-backed forensic and log analysis GUI written in Python.

; [[scrounge-ntfs]]
: http://memberwebs.com/nielsen/software/scrounge/

; [[Sleuthkit]]
: http://www.sleuthkit.org/

; [[The Coroner's Toolkit]] ([[TCT]])
: http://www.porcupine.org/forensics/tct.html

; [[Hachoir]]
: A generic framework for binary file manipulation, it supports [[FAT12]], [[FAT16]], [[FAT32]], [[ext2|ext2/ext3]], Linux swap, MSDOS partition header, etc. Recognize file type. Able to find subfiles (hachoir-subfile).

== [[NDA]] and [[scoped distribution]] tools ==

= Enterprise Tools (Proactive Forensics)=

; [[P2 Enterprise Edition]] by [[Paraben]]
: http://www.paraben-forensics.com/enterprise_forensics.html

; [[LiveWire Investigator 2008]] by [[WetStone Technologies]]
: http://www.wetstonetech.com/f/livewire2008.html

= Forensics Live CDs =

; [[FCCU Gnu/Linux Boot CD]]
: A [[Live CD]] built on top of [[Knoppix]] with a lot of tools with forensic purpose.
: It leaves the target devices unaltered (it does not use the swap partitions found on the devices) nor does it automount partitions.

; [[Helix]] ([[Helix3 Pro]])
: A [[Live CD]] built on top of [[Ubuntu]] with special tools for [[Incident Response|incident response]] and electronic discovery.
: A hybrid CD which also contains a [[Cygwin]] environment for use on a running Windows system (w/o rebooting) including the Sysinternals tools.

; [[SNARL]]
: A FreeBSD based forensics Bootable ISO (includes Autopsy and Sleuth Kit).
: http://sourceforge.net/projects/snarl/

; [[Knoppix STD]]
: A [[Live CD]] built on top of [[Knoppix]].
: http://s-t-d.org/

; [[Penguin Sleuthkit]]
: A Linux [[Live CD]] that includes SleuthKit.
: http://penguinsleuth.org/

; [[THE FARMER'S BOOT CD]]
: A [[Linux]] [[Live CD]], designed and optimized for previewing data in a [[forensically sound]] manner. It contains a number of programs forensic practitioners can utilize to preview both [[Windows]] and [[Linux]] systems.

; [[MacQuisition Boot CD]]
: A forensic [[Live CD]] built for imaging [[Macintosh]] systems.

; [[DEFT Linux]]
: A Live CD built on top of [[Xubuntu]] with the best tools for computer forensics and incident response.
: It's a very light and fast live system created for the Computer Forensics specialist.
: The first live CD with [[AFF]], dhash and [[Xplico]].
: http://www.deftlinux.net

; [[Recovery Is Possible]]
: A [[Linux]] [[Live CD]] with a number of recovery applications such as [[TestDisk]], [[PhotoRec]] etc.
: http://www.tux.org/pub/people/kent-robotti/looplinux/rip/

; [[Ubuntu-Rescue-Remix]]
: Ubuntu-rescue-remix is a live cd that provides the data recovery expert with an environment equipped with the best free-libre, open source data recovery and forensics tools available. Since many of those libraries and tools are part of the Ubuntu Installer, it makes sense to remix Ubuntu into a lightweight and powerful environment for data recovery. This project was formerly known as Rescubuntu.
:http://ubuntu-rescue-remix.org/

; [[Stagos FSE]]
: Stagos FSE aims to be a computer forensic framework based on Ubuntu Linux. It can read various filesystems, including [[NTFS]], and [[EnCase]] images.
:http://stagos.mrp-bpp.net/

; [[4BAK liveUSB]]
: 4bak is a Slax-based LiveUSB with a collection of forensics command line interface (CLI) tools.
:http://4bak.org/

= Personal Digital Device Tools=

== GPS Forensics ==

; [[Blackthorn GPS Forensics]]

== PDA Forensics ==
; [[Cellebrite UFED]]
; [[Paraben PDA Seizure]]
; [[Paraben PDA Seizure Toolbox]]
; [[PDD]]

== Cell Phone Forensics ==
; [[BitPIM]]
; [[Cellebrite UFED]]
; [[DataPilot Secure View]]
; [[GSM .XRY]]
; [[Fernico ZRT]]
; [[ForensicMobile]]
; [[LogiCube CellDEK]]
; [[MOBILedit!]]
; [[Oxygen Forensic Suite 2]]
: http://www.oxygen-forensic.com
; [[Paraben's Device Seizure]] and [[Paraben's Device Seizure Toolbox]]
: http://www.paraben-forensics.com/handheld_forensics.html
; [[Serial Port Monitoring]]
; [[TULP2G]]

== SIM Card Forensics ==
; [[Cellebrite UFED]]
; [[ForensicSIM]]
; [[Paraben's SIM Card Seizure]]
: http://www.paraben-forensics.com/handheld_forensics.html
; [[SIMCon]]

== Preservation Tools ==
; [[Paraben StrongHold Bag]]
; [[Paraben StrongHold Tent]]

= Other Tools =

; [[VMware]] Player
: http://www.vmware.com/products/player/
: http://en.wikipedia.org/wiki/VMware#VMware_Workstation
: A free player for [[VMware]] [[virtual machine]]s that will allow them to "play" on either [[Windows]] or [[Linux]]-based systems.

; [[VMware]] Server
: http://www.vmware.com/products/server/
: The free server product, for setting up/configuring/running [[VMware]] [[virtual machine]].Important difference being that it can run 'headless', i.e. everything in background.

; Computer Forensics Toolkit
: http://computer-forensics.privacyresources.org
: This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.

; Webtracer
: http://www.forensictracer.com
: Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)

; Live View
: http://liveview.sourceforge.net/
: Live View is a graphical forensics tool that creates a [[VMware]] [[virtual machine]] out of a dd disk image or physical disk.

; Parallels VM
: http://www.parallels.com/
: http://en.wikipedia.org/wiki/Parallels_Workstation

; Microsoft Virtual PC
: http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx
: http://en.wikipedia.org/wiki/Virtual_PC

== Hex Editors ==

; [[biew]]
: http://biew.sourceforge.net/en/biew.html

; [[Cellebrite UFED]]

; [[hexdump]]
: ...

; [[HexFiend]]
: A hex editor for Apple OS X
: http://ridiculousfish.com/hexfiend/

; [[Hex Workshop]]
: A hex editor from [[BreakPoint Software, Inc.]]
: http://www.bpsoft.com

; [[khexedit]]
: http://docs.kde.org/stable/en/kdeutils/khexedit/index.html

; [[WinHex]]
: Computer forensics software, data recovery software, hex editor, and disk editor from [[X-Ways]].
: http://www.x-ways.net/winhex

; [[xxd]]
: ...

= Telephone Scanners/War Dialers =

;PhoneSweep
:http://www.sandstorm.net/products/phonesweep/
:PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.

MagicBerry IPD Reader

2009-08-06T10:59:00Z

Jessek:

'''MagicBerry''' is a tool to read and edit the service book in a [[BlackBerry]] backup file (.ipd).
The program can parse the IPD, read all of the databases it contains, and display them. Users can then export the information or edit it.

The program, developed by [[Mena Step Innovative Solutions]], is available at no cost.

== Screenshots ==

[[File:4.jpg]]
[[File:5.jpg]]

Edit Service Book
[[File:6.jpg]]

Export Data
[[File:8.jpg]]

== External Links ==
* [http://menastep.com/ Official web site]

[[Category:Windows]]
[[Category:Tools]]

MagicBerry IPD Reader

2009-08-06T10:58:25Z

Jessek: Made vendor neutral, added external link

'''MagicBerry''' is a tool to read and edit the service book in a [[BlackBerry]] backup file (.ipd)]].
The program can parse the IPD, read all of the databases it contains, and display them. Users can then export the information or edit it.

The program, developed by [[Mena Step Innovative Solutions]], is available at no cost.

== Screenshots ==

[[File:4.jpg]]
[[File:5.jpg]]

Edit Service Book
[[File:6.jpg]]

Export Data
[[File:8.jpg]]

== External Links ==
* [http://menastep.com/ Official web site]

[[Category:Windows]]
[[Category:Tools]]

Write Blockers

2009-07-30T10:28:04Z

Jessek:

'''Write blockers''' are devices that allow acquisition of information on a [[hard drive|drive]] without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands, hence their name.

There are two ways to build a write-blocker: the blocker can allow all commands to pass from the computer to the drive except for those that are on a particular list. Alternatively, the blocker can specifically block the write commands and let everything else through.

Write blockers may also include drive protection which will limit the speed of a drive attached to the blocker. Drives that run at higher speed work harder(the head moves back and forth more often due to read errors). This added protection could allow drives that can not be read at high speed (UDMA modes) to be read at the slower modes (PIO).

There are two types of write blockers, Native and Tailgate. A Native device uses the same interface on for both in and out, for example a IDE to IDE write block. A Tailgate device uses one interface for one side and a different one for the other, for example a Firewire to SATA write block.

Steve Bress and Mark Menz invented hard drive write blocking (US Patent 6,813,682).

There are both hardware and software write blockers. Some software write blockers are designed for a specific operating system. One designed for Windows will not work on Linux. Most hardware write blockers are software independent.

= Commercial Hardware Write Blockers =

'''Hardware write blockers''' can be either [[IDE]]-to-IDE or [[Firewire]]/[[USB]]-to-IDE. Simson prefers the IDE-to-IDE because they deal better with errors on the drive and make it easier to access special information that is only accessible over the IDE interface. You may feel differently.

; [[ICS Drive Lock]]
: http://www.forensicpc.com/proddetail.asp?prod=DRIVELOCK&cat=13

; MyKey Technology, Inc. NoWrite FPU and FlashBlock II
: 1.8"/2.5"/3.5"/ IDE to IDE, FireWire/USB to IDE & SATA, all media types - NIST Ver. 2 accepted
: http://www.mykeytech.com/

; [[Tableau]] write blockers for IDE, SATA, SCSI, USB NIST Ver. 1 accepted
: http://www.tableau.com/index.php?pageid=products

; WiebeTech write-blockers for almost any disk drive: 2.5"/3.5" IDE, SCSI, SATA, ...
: http://wiebetech.com/home.php?home=5 NIST Ver. 1 accepted

= Commercial Software Write Blockers =

'''Software write blockers''' can be either tailored to an individual operating system or can be an independent boot disk. Their main upsides are with ease of use, since they are on a CD and do not require you to open up the case, and speed since they do not become a bottle neck.

; SAFE boot disk
: SAFE is a boot disk that boots a computer to a forensically sound (write blocked) version of Windows that serves as a platform for all popular Windows forensics tools. NIST Ver. 1 accepted
: http://www.forensicsoft.com/

; SAFE Block 1.2
: SAFE Block XP is a software-based write blocker designed for the Windows XP Operating System. It comes in both 32 and 64 bit options. NIST Ver. 1.2 accepted
: http://www.forensicsoft.com/

Tableau

2009-07-30T10:27:28Z

Jessek:

{{expand}}

'''Tableau''' makes hard drive [[Write Blockers|write blockers]].

== External Links ==
* [http://www.tableau.com/ Official web site]

[[Category:Vendors]]

Tableau

2009-07-30T10:27:11Z

Jessek: Created stub

{{expand}}

'''Tableau''' makes hard drive [[write blockers]].

== External Links ==
* [http://www.tableau.com/ Official web site]

[[Category:Vendors]]

Data Compass

2009-07-24T11:21:26Z

Jessek: Added link to firmware

'''Data Compass''' is a hardware and software data recovery tool produced by [[SalvationDATA]]. The product uses a "3+1 Data Recovery" to restore damaged media. The product is intended to recover data from hard drives with multiple bad sectors, platter surface problems, head instabilities, or are making clicking sounds. The vendor claims to spin up hard drives using an emulated [[firmware]] rather than the drive's own firmware. This could enable recovery from damaged hardware, but this claim has not been independently verified. A software component is available for filesystem repair.

== External Links ==
[http://www.salvationdata.com Official web site]

[[Category:Disk_imaging]]

Data Compass

2009-07-24T11:20:36Z

Jessek: Changed vendor text to NPV, cleanup

'''Data Compass''' is a hardware and software data recovery tool produced by [[SalvationDATA]]. The product uses a "3+1 Data Recovery" to restore damaged media. The product is intended to recover data from hard drives with multiple bad sectors, platter surface problems, head instabilities, or are making clicking sounds. The vendor claims to spin up hard drives using an emulated firmware rather than the drive's own firmware. This could enable recovery from damaged hardware, but this claim has not been independently verified. A software component is available for filesystem repair.

== External Links ==
[http://www.salvationdata.com Official web site]

[[Category:Disk_imaging]]

THREADS

2009-07-24T11:19:06Z

Jessek: Cleaned up vendor text

{{Infobox_Software |
name = THREADS Cell Forensic Analysis |
maintainer = [[Direct Hit Systems]] |
os = n/a |
genre = [[Category:Cell Phone Tools|Cell Phone]] |
license = {{Commercial}} |
website = [http://www.directhitinc.com/Features/CellForensics.aspx http://www.directhitinc.com/] |
}}

THREADS™ is a tool for analyzing cell phones. It is designed to reveal patterns and correlations in data found on the phone. The tool can import the phonebook, call records, and SMS messages (text and multimedia). It also supports [[Blackberry]] devices using the standard [[IPD]] file format.

== External Links ==
* [http://www.directhitinc.com/Features/CellForensics.aspx Official web site]

CodeSuite

2009-07-24T11:16:22Z

Jessek: Edited vendor text to get NPV

'''CodeSuite''' is a collection of computer software analysis tools. The tools, which an examiner uses manually, are designed to look for similar portions of code. This technology can be used to detect plagiarism, theft, or just track the changes to a piece of software over time.

== External Links ==
* [http://www.safe-corp.biz/ Official web site]

Talk:THREADS

2009-07-24T11:13:35Z

Jessek: Talk page should not contain same text as main page

Firmware

2009-07-24T11:13:11Z

Jessek: Removed extraneous link, cleanup

A hard drive can be compared to a small computer. It uses microprocessors to control both the physical behavior of the various electro-mechanical components. The logical operations that store and retrieve data as an arrangement of the magnetic particles on the disk surface. This operation is completely independent of the operation of the host PC. Like any computer, the hard drive needs its own software to control the operation of the microprocessors, but unlike a PC this software is limited to the drive’s operational functionality, and is not (and under normal circumstances cannot be) changed by the user. This hard drive ‘software’ is, as a result, more usually referred to as '''Firmware'''. The firmware carries out a range of functions, from what might be termed ‘Analogue’ functions such as controlling the spinning of the disc and positioning of the read/write heads, as well as the ‘Digital’ functions used to pass data files to and from the PC, keeping track of the location and parameters of the data files stored, and many, many more.

== Corrupted Firmware ==

Without firmware, or the firmware is corrupted the drive is simply a collection of electronic components.

Data Recovery Stories

2009-07-24T11:11:19Z

Jessek:

Amazing stories of data recovery.

* [http://blocksandfiles.com/article/5056 May 6, 2008 - Kroll recovers over 90% of the data from a 400MB hard drive that was on Shuttle Columbia when it burned up on reentry into Earth's atmosphere.]