Forensics Wiki - User contributions [en]

User:Douglas Figueiredo

2013-05-24T15:13:09Z

Simsong: Creating user page for new user.

Graduando do Curso de Engenharia da Computação, atualmente resido na cidade de Manaus/Amazonas/Brasil.

User talk:Douglas Figueiredo

2013-05-24T15:13:09Z

Simsong: Welcome!

'''Welcome to ''Forensics Wiki''!'''
We hope you will contribute much and well.
You will probably want to read the [[Help:Contents|help pages]].
Again, welcome and have fun! [[User:Simsong|Simsong]] ([[User talk:Simsong|talk]]) 10:13, 24 May 2013 (CDT)

User:Joe Shestak

2013-05-24T15:12:57Z

Simsong: Creating user page for new user.

I belongs to a forensic profession in which I have experienced many cyber cases. Thus I came across with one more forensic email analysis tool while investigation. Being a thoughtful person I get impressed with many forensic tools but this programs produces literally accurate results of forensic investigation.

User talk:Joe Shestak

2013-05-24T15:12:57Z

Simsong: Welcome!

User talk:Jens Lechtenbörger

2013-05-24T15:12:48Z

Simsong: Welcome!

User:Jens Lechtenbörger

2013-05-24T15:12:47Z

Simsong: Creating user page for new user.

I'm interested in privacy and free software. In my professional life I'm a lecturer in computer science.

Approximate Matching

2013-05-24T15:12:24Z

Simsong:

''Approximate matching'' is a term used in computer forensics to mean that two objects have similar contents but are not identically the same. It replaced the previously used terms ''similarity'' and ''fuzzy hashing.''

The following two paragraphs are clearly similar but not identical:

:'''We the People''' of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.

:'''We the People''' of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defense, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.

==Kinds of Similarity==
In forensics there are several kinds of similarity that are of interest:
# Binary Similarity
# Textual Similarity
# Visual Similarity
# Audible Similarity
# Algorithmic (code) Similarity
===Binary Similarity===
Binary Similarity between a ''master object'' and a ''target object''can be rigorously defined as the fraction of substrings that the two documents have in common divided by the total number of substrings in the master document. Notice that this implies that the similarity function does not have the commutative property. That is, BS(a,b) may not equal BS(b,a).

There are several applications for a binary similarity function:

# Determining that a master object is embedded in the target object.
# Determining if the target object is derived from the target object.

The leading similarity systems in use are are:
* [[sdhash]], developed by Vassil Roussev.
* [[ssdeep]], the first widely used binary similarity algorithm. Developed by Jesse Kornblum, this system uses a piecewise hash comparison algorithm originally developed for anti-spam systems.

===Text Similarity===
The leading text similarity system is:

* [[sdtext]], developed by Clay Sheilds.

==Similarity Bibliography==

SSDEEP:

Jesse Kornblum, “Identifying almost identical files using context triggered piecewise hashing,”
Jesse Kornblum, DFRWS 2006, Digital Investigation 3S, S91-S97

Jiang, Z.L., Hui, L.C.K., Chow, K.P., Yiu, S.M., Lai, P.K.Y. Improving disk sector integrity using 3-dimension hashing scheme, Proceedings of Future Generation Communication and Networking, FGCN 2007 2 , art. no. 4426219 , pp. 141-145, 2007

Rönnau, S., Pauli, C., Borghoff, U.M. Merging changes in XML documents using reliable context fingerprints (2008) DocEng'08 - Proceedings of the 8th ACM Symposium on Document Engineering, pp. 52-61. Cited 8 times. http://www.scopus.com/inward/record.url?eid=2-s2.0-59249087348&partnerID=40&md5=0b1d0505f61b468aa532147ef0a1b3f5 DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Chen, L., Wang, G. Attacks to context triggered piecewise hashing and their countermeasures (2008) Journal of Information and Computational Science, 5 (2), pp. 589-597. http://www.scopus.com/inward/record.url?eid=2-s2.0-49149130324&partnerID=40&md5=4332d2c6f4459823d177e6cd6bbce0a7 DOCUMENT TYPE: Article SOURCE: Scopus

Hejazi, S.M., Debbabi, M., Talhi, C. Automated windows memory file extraction for cyber forensics investigation (2008) Journal of Digital Forensic Practice, 2 (3), pp. 117-131. Cited 2 times. http://www.scopus.com/inward/record.url?eid=2-s2.0-57849107159&partnerID=40&md5=6d6a699a584b44ad9c8f52526d530036 DOCUMENT TYPE: Article SOURCE: Scopus

Long Chen; Wang, Guoyin, "An Efficient Piecewise Hashing Method for Computer Forensics," Knowledge Discovery and Data Mining, 2008. WKDD 2008. First International Workshop on , vol., no., pp.635,638, 23-24 Jan. 2008

Kimin Seo; KyungSoo Lim; Choi, Jaemin; Kisik Chang; Sangjin Lee, "Detecting Similar Files Based on Hash and Statistical Analysis for Digital Forensic Investigation," Computer Science and its Applications, 2009. CSA '09. 2nd International Conference on , vol., no., pp.1,6, 10-12 Dec. 2009

Apel, M., Bockermann, C., Meier, M. Measuring similarity of malware behavior (2009) Proceedings - Conference on Local Computer Networks, LCN, art. no. 5355037, pp. 891-898. Cited 6 times. http://www.scopus.com/inward/record.url?eid=2-s2.0-77951289154&partnerID=40&md5=74791ba3b7a56a52321883161c770cb8 DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Chawathe, S.S. Effective whitelisting for filesystem forensics (2009) 2009 IEEE International Conference on Intelligence and Security Informatics, ISI 2009, art. no. 5137284, pp. 131-136. http://www.scopus.com/inward/record.url?eid=2-s2.0-70350052972&partnerID=40&md5=766baa83607de259fa661af0d7495071 DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Simon, M., Slay, J. Enhancement of forensic computing investigations through memory forensic techniques (2009) Proceedings - International Conference on Availability, Reliability and Security, ARES 2009, art. no. 5066600, pp. 995-1000. Cited 3 times. http://www.scopus.com/inward/record.url?eid=2-s2.0-70349687555&partnerID=40&md5=0dc8ecd9ccc327159a2982dcacea12e0 DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Chen, L., Wang, G.-Y. Integrity check method for fine-grained data (2009) Ruan Jian Xue Bao/Journal of Software, 20 (4), pp. 902-909. Cited 10 times. http://www.scopus.com/inward/record.url?eid=2-s2.0-65349191701&partnerID=40&md5=f58005913fd04dbda01edb24ca173687 DOCUMENT TYPE: Article SOURCE: Scopus

Maartmann-Moe, C., Thorkildsen, S.E., André Årnes The persistence of memory: Forensic identification and extraction of cryptographic keys (2009) Digital Investigation, 6 (SUPPL.), pp. S132-S140. Cited 10 times. http://www.scopus.com/inward/record.url?eid=2-s2.0-68649097821&partnerID=40&md5=5e337728b3380efb3469f9e5508b1d50 DOCUMENT TYPE: Article SOURCE: Scopus

Seo, K., Lim, K., Choi, J., Chang, K., Lee, S. Detecting similar files based on hash and statistical analysis for digital forensic investigation (2009) Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009, art. no. 5404198, . http://www.scopus.com/inward/record.url?eid=2-s2.0-80655148030&partnerID=40&md5=be0ca0a3fa65b650ef1741d3a2477784 DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Garcia, J., Holleboom, T. Retention of micro-fragments in cluster slack - A first model (2009) Proceedings of the 2009 1st IEEE International Workshop on Information Forensics and Security, WIFS 2009, art. no. 5386487, pp. 31-35. http://www.scopus.com/inward/record.url?eid=2-s2.0-77949833002&partnerID=40&md5=7c1d73f864af1cc96471f160b8aebe96 DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Vassil Roussev, Hashing and data fingerprinting in digital forensics, IEEE Security and Privacy 7(2), 2009, pp. 49-55

C. Nickel, C. Busch, X. Zhou, Template protection via piecewise hashing, IIH-MSP 2009 - 2009 5th International Conference on Intelligent Information Hiding and Multimedia Signal Processing , art. no. 5337554 , pp. 1056-1060

Roussev, V. Data fingerprinting with similarity digests (2010) IFIP Advances in Information and Communication Technology, 337 AICT, pp. 207-226. Cited 5 times. http://www.scopus.com/inward/record.url?eid=2-s2.0-78651093858&partnerID=40&md5=f27eeb983aca1278f2c86230a74bb7dc DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Holleboom, T., Garcia, J. Fragment retention characteristics in slack space - Analysis and measurements (2010) 2010 2nd International Workshop on Security and Communication Networks, IWSCN 2010, art. no. 5497996, . http://www.scopus.com/inward/record.url?eid=2-s2.0-77956079350&partnerID=40&md5=a835d96807f276c895fe73d5088f5af6 DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Wu, Y., Yang, K., Zhang, J. Using DBSCAN clustering algorithm in spam identifying (2010) ICETC 2010 - 2010 2nd International Conference on Education Technology and Computer, 1, art. no. 5529221, pp. V1398-V1402. Cited 1 time. http://www.scopus.com/inward/record.url?eid=2-s2.0-77956028471&partnerID=40&md5=e77efd31acc44d95988e280d5229a6a2 DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Fang, J., Jiang, Z.L., Yiu, S.M., Hui, L.C.K. An efficient scheme for hard disk integrity check in digital forensics by hashing with combinatorial group testing (2011) International Journal of Digital Content Technology and its Applications, 5 (2), pp. 300-308. Cited 6 times. http://www.scopus.com/inward/record.url?eid=2-s2.0-79952796673&partnerID=40&md5=18878c0436bf575b2329e5b47ca0da94 DOCUMENT TYPE: Article SOURCE: Scopus

Jiang, Z.L., Fang, J.-B., Hui, L.C.K., Yiu, S., Chow, K.P., Sheng, M.-M. K-Dimensional hashing scheme for hard disk integrity verification in computer forensics (2011) Journal of Zhejiang University: Science C, 12 (10), pp. 809-818. Cited 1 time. http://www.scopus.com/inward/record.url?eid=2-s2.0-80755159526&partnerID=40&md5=cb4a43acc6096e1cb69298f2317b68ad DOCUMENT TYPE: Article SOURCE: Scopus

Harald Baier, Frank Breitinger: Security Aspects of Piecewise Hashing in Computer Forensics, 6th International Conference on IT Security Incident Management & IT Forensics (IMF), Stuttgart (Germany). May 2011.

Frank Breitinger, Harald Baier: Performance Issues about Context Triggered Piecewise Hashing, 3rd International ICST Conference on Digital Forensics & Cyber Crime (ICDF2C), Dublin (Ireland). October 2011.

Wardman, B., Stallings, T., Warner, G., Skjellum, A. High-performance content-based phishing attack detection (2011) eCrime Researchers Summit, eCrime, art. no. 6151977, . http://www.scopus.com/inward/record.url?eid=2-s2.0-84858732765&partnerID=40&md5=17d9f9e1824762762240a9fd05a6ddf5 DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Gennari, J., French, D. Defining malware families based on analyst insights (2011) 2011 IEEE International Conference on Technologies for Homeland Security, HST 2011, art. no. 6107902, pp. 396-401. http://www.scopus.com/inward/record.url?eid=2-s2.0-84855800908&partnerID=40&md5=063d2810eb3d8be3a9d78c48e0e1835d DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Grispos, G., Storer, T., Glisson, W.B. A comparison of forensic evidence recovery techniques for a windows mobile smart phone (2011) Digital Investigation, 8 (1), pp. 23-36. Cited 3 times. http://www.scopus.com/inward/record.url?eid=2-s2.0-80051672577&partnerID=40&md5=805aa562f19198e0ca2434882692ff1a DOCUMENT TYPE: Article SOURCE: Scopus

Carlos G. Figuerola, Raquel Gómez Díaz, José L. Alonso Berrocal, Angel F. Zazo Rodríguez, Web Document Duplicate Detection Using Fuzzy Hashing, in Trends in Practical Applications of Agents and Multiagent Systems, Advances in Intelligent and Soft Computing, Volume 90, 2011, pp. 117-125, Springer

Jozwiak, I., Kedziora, M. Efficient N-Byte slack space hashing in retrieving and identifying partially recovered data (2011) ICSOFT 2011 - Proceedings of the 6th International Conference on Software and Database Technologies, 1, pp. 309-312. http://www.scopus.com/inward/record.url?eid=2-s2.0-80052560196&partnerID=40&md5=c0846d70e42dc15bf6eadc5cf3995b79 DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Song, X., Deng, H., Xiong, Z. Using piecewise hashing and Lagrange interpolation polynomial to preserve electronic evidence (2011) Communications in Computer and Information Science, 201 CCIS (PART 1), pp. 472-480. http://www.scopus.com/inward/record.url?eid=2-s2.0-79960385571&partnerID=40&md5=319a6de0485ef9e5bea53a853fc53669 DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Frank Breitinger, Harald Baier: A Fuzzy Hashing Approach based on Random Sequences and Hamming Distance, 7th annual Conference on Digital Forensics, Security and Law (ADFSL), Richmond (Virginia, US). May 2012.

Frank Breitinger and Harald Baier, “Performance Issues About Context-Triggered Piecewise Hashing,” in P. Gladyshev and M. K. Rogers (Eds): ICDF2C 2011, LNICST 88, 2012, pp. 141-155, 2012.

Thonnard, O., Bilge, L., O'Gorman, G., Kiernan, S., Lee, M.
Industrial espionage and targeted attacks: Understanding the characteristics of an escalating threat
(2012) Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 7462 LNCS, pp. 64-85.
http://www.scopus.com/inward/record.url?eid=2-s2.0-84867845138&partnerID=40&md5=07d26dba72fef06a0dd44d551d14d17f
DOCUMENT TYPE: Conference Paper
SOURCE: Scopus

Garcia, J. Quantifying the benefits of file size information for forensic hash matching (2012) SECRYPT 2012 - Proceedings of the International Conference on Security and Cryptography, pp. 333-338. http://www.scopus.com/inward/record.url?eid=2-s2.0-84867644570&partnerID=40&md5=f157b85c940f5e437f485c8cd3ecc1e8 DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Frank Breitinger, Knut Petter Åstebøl, Harald Baier, Christoph Busch: mvHash-B – A new Approach for Similarity Preserving Hash Function. 7th International Conference on IT Security Incident Management & IT Forensics (IMF), Nürnberg (Germany). March 2013.

Christian Rathgeb, Frank Breitinger, Christoph Busch: Alignment-Free Cancelable Iris Biometric Templates based on Adaptive Bloom Filters, In Proceedings of the 6th IAPR International Conference on Biometrics (ICB’13), Madrid (Spain). June 2013. To appear.

Frank Breitinger, Georgios Stivaktakis, Harald Baier: FRASH: A framework to test algorithms of similarity hashing, In Proceedings of the 13th Digital Forensics Research Conference (DFRWS’13), Monterey (Californien, US). August 2013. To appear.

Books that mention SSDEEP:
Harlan Carvey, Windows Forensic Analysis, Syngress, June 2009,

Cameron H. Malin, Eoghan Casey, James M. Aquilina, Malware Forensics: Investigating and Analyzing Malicious Code, Syngress, Aug 2008

Cameron H. Malin, Eoghan Casey, James M. Aquilina, Malware Forensics Field Guide for Windows Systems, Elsevier, May 2012,

Frank Breitinger, Kaloyan Petrov: Reducing time cost in hashing operations. Ninth Annual IFIP WG 11.9 International Conference on Digital Forensics (IFIP WG11.9), Orlando (Florida, US). January 2013.

SDHASH:

Roussev, V. Building open and scalable digital forensic tools (2011) 2011 6th IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2011, art. no. 6159116, . http://www.scopus.com/inward/record.url?eid=2-s2.0-84858730131&partnerID=40&md5=3709b9d013410a46ba5c2abeaba0994f DOCUMENT TYPE: Conference Paper SOURCE: Scopus

Vassil Roussev, “An evaluation of forensic similarity hashes,” Digital Investigation 8 (2011), S34-S41

Breitinger, F.; Baier, H., "Properties of a similarity preserving hash function and their realization in sdhash," Information Security for South Africa (ISSA), 2012 , vol., no., pp.1,8, 15-17 Aug. 2012

Frank Breitinger, Harald Baier, Jesse Beckingham: Security and Implementation Analysis of the Similarity Digest sdhash, 1st International Baltic Conference on Network Security & Forensics (NeSeFo), Tartu (Estland). August 2012.

Frank Breitinger, Harald Baier: Properties of a Similarity Preserving Hash Function and their Realization in sdhash. 2012 Information Security South Africa (ISSA 2012), Johannesburg (South Africa). August 2012.

Vassil Roussev, “Managing terabyte-scale investigations with similarity digests,” IFIP Advances in Informaiton and Communication Technology 383, AICT, pp. 19-34

Clay Shields, O. Frieder, M. Maloof, “A system for the proactive, continuous, and efficient collection of digital forensic evidence,” DFRWS 2011 Annual Conference, pp. S3-S13

MRSH-v2

Frank Breitinger, Harald Baier: Similarity Preserving Hashing: Eligible Properties and a new Algorithm MRSH-v2. 4th International ICST Conference on Digital Forensics & Cyber Crime (ICDF2C), Lafayette (Indiana, US). October 2012.

Approximate Matching

2013-05-24T15:11:05Z

Simsong: Simsong moved page Similarity Functions to Approximate Matching: New terminology

''Similarity'' is a term used in computer forensics to mean that two objects have similar contents but are not identically the same.

The following two paragraphs are clearly similar but not identical:

:'''We the People''' of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.

:'''We the People''' of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defense, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.

In forensics there are several kinds of similarity that are of interest:
# Binary Similarity
# Textual Similarity
# Visual Similarity
# Audible Similarity
# Algorithmic (code) Similarity

==Binary Similarity==
Binary Similarity between a ''master object'' and a ''target object''can be rigorously defined as the fraction of substrings that the two documents have in common divided by the total number of substrings in the master document. Notice that this implies that the similarity function does not have the commutative property. That is, BS(a,b) may not equal BS(b,a).

There are several applications for a binary similarity function:

# Determining that a master object is embedded in the target object.
# Determining if the target object is derived from the target object.

The leading similarity systems in use are are:
* [[sdhash]], developed by Vassil Roussev.
* [[ssdeep]], the first widely used binary similarity algorithm. Developed by Jesse Kornblum, this system uses a piecewise hash comparison algorithm originally developed for anti-spam systems.

==Text Similarity==
The leading text similarity system is:

* [[sdtext]], developed by Clay Sheilds.

Similarity Functions

2013-05-24T15:11:05Z

Simsong: Simsong moved page Similarity Functions to Approximate Matching: New terminology

#REDIRECT [[Approximate Matching]]

Approximate Matching

2013-05-24T14:38:28Z

Simsong:

IOS security

2013-05-23T15:13:03Z

Simsong: /* See also */

==See also==
===Apple Website Resource===

* [http://developer.apple.com/library/ios/#documentation/FileManagement/Conceptual/FileSystemProgrammingGUide/FileSystemOverview/FileSystemOverview.html iOS File System Basics]

* [https://developer.apple.com/library/mac/#documentation/security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html Encrypting and Hashing Data]

* [https://developer.apple.com/library/mac/#documentation/security/Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html Managing Keys, Certificates and Passwords]
* [http://developer.apple.com/library/mac/#documentation/security/conceptual/security_overview/CryptographicServices/CryptographicServices.html Cryptographic Services]
* [https://developer.apple.com/library/mac/#documentation/security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html Encrypting and Hashing Data]
* [https://developer.apple.com/library/mac/#documentation/Cocoa/Reference/Foundation/Classes/NSFileManager_Class/Reference/Reference.html NSFileManager class]
* [http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf iOS Security, October 2012]

IOS

2013-05-23T15:11:50Z

Simsong: /* See Also */

{{expand}}

iOS (pronounced i-O.S.) is the name of the operating system for Apple's mobile devices (iPhone/iPad/iPod Touch).

The current version of iOS is 5.0, released on October 12, 2011.

----

== File System ==
iOS runs a reduced variant of [[Mac OS X|OSX]] and [[HFS|HFSX]] as a file system.

A majority of the useful information is stored in /private/var2/mobile/
However there is other useful information stored in the keychains and db folders.

iOS uses sqlite and plist files to store information.

'''/private/var2/mobile'''

This contains three folders: Applications, Library and Media

Applications contains a series of folders, which contain the data for all of the apps stored on the phone. The name of each app is stored in its iTunesMetadata.plist.

Library contains the most useful information:
- Address Book
- Calendar
- Safari - favorites, open tabs, web history
- Mail - mail is encrypted and therefore requires the keychain to be decrypted before it can be accessed
- SMS - sms.db, which may include deleted SMS messages
- Notes - notes.sqlite, which may include deleted notes
- Voicemail
- Spotlight - Spotlight database may contain text messages that have since been deleted.

Media contains all Photos loaded onto the device, Books, Purchases, Podcasts, Recordings and Pictures/Videos taken

== Extraction ==
There are several tools available to extract information out of iOS operating systems (listed alphabetically):
* Aceso by Radio Tactics [[http://www.radio-tactics.com/products/law/aceso-kiosk]]
* Blacklight by Black Bag Technology [[https://www.blackbagtech.com/]]
* Lantern by Katana Forensics [[http://katanaforensics.com/]]
* [[Nuix Desktop]] and [[Proof Finder]] by [[Nuix]].
* Oxygen Forensic Suite by Oxygen Software [[http://www.oxygen-forensic.com/en/]]
* UFED and Physical Analyzer by Cellebrite [[http://www.cellebrite.com/]]
* XRY by Micro Systemation [[http://www.msab.com/]]

== See Also ==
* [[IOS security]]

== External Links ==
* [http://linuxsleuthing.blogspot.com/2011/05/iphone-forensics-tools.html Database Parsing Tools]
* [http://esec-lab.sogeti.com/post/Low-level-iOS-forensics Low-level iOS forensics]

[[Category:Operating systems]]

IOS

2013-05-23T15:11:32Z

Simsong:

IOS security

2013-05-23T02:43:39Z

Simsong: Created page with "==See also== * [https://developer.apple.com/library/mac/#documentation/security/Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html Managing Keys, Certificates ..."

==See also==
* [https://developer.apple.com/library/mac/#documentation/security/Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html Managing Keys, Certificates and Passwords]
* [http://developer.apple.com/library/mac/#documentation/security/conceptual/security_overview/CryptographicServices/CryptographicServices.html Cryptographic Services]
* [https://developer.apple.com/library/mac/#documentation/security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html Encrypting and Hashing Data]
* [https://developer.apple.com/library/mac/#documentation/Cocoa/Reference/Foundation/Classes/NSFileManager_Class/Reference/Reference.html NSFileManager class]
* [http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf iOS Security, October 2012]

Gurls

2013-05-20T14:35:04Z

Simsong:

Gruls is a bash script and is short for grep urls :

#!/bin/bash
protocol="(ftp|http|https|gopher|mailto|pop|smtp|news|nntp|telnet|whois|file|imap|prospero|peercast|ed2k|irc|aim|mime|ftam|pnm|rtsp|ldap)"
ip="([1-9][0-9]?|1[0-9]{2}|2[0-4][0-9]|25[0-4])\.((0|[1-9][0-9]?|1[0-9]{2}|2[0-4][0-9]|25[0-4])\.){2}([1-9][0-9]?|1[0-9]{2}|2[0-4][0-9]|25[0-4])"
fqdn="(\w(-?\w+)*\.)+[a-z]{2,}"
host="(${ip}|${fqdn})"
port="(:[0-9]+)?"
urlregexp="${protocol}://${host}${port}/?"

(
if [ "$1" ]
then
while [ "$1" ]
do
egrep -o "$urlregexp" "$1"
shift
done
else
egrep -o "$urlregexp" /dev/stdin
fi
) | sed 's;/$;;g'

Once saved in /usr/local/bin/gurls and made executable, gurls can be used like this :

root@forensic# gurls a.file an.other.file
http://www.forensicswiki.org

root@forensic# strings /mnt/forensic/partition/pagefile.sys | gurls | sort | uniq -c | sort -n
10 http://www.forensicswiki.org

root@forensic# strings /dev/sdb1 | gurls > /tmp/urls

==See Also==
* [[bulk_extractor]] provides similar functionality but on a much larger scale. Still, scripts like ''gurls'' are good for quickly searching through data.

{{Linux}}

Tcpflow

2013-05-20T14:21:59Z

Simsong: /* Overview */

{{Infobox_Software |
name = tcpflow |
maintainer = Simson Garfinkel |
os = {{Linux}} |
genre = Network forensics |
license = {{GPL}} |
website = https://github.com/simsong/tcpflow |
}}

'''tcpflow''' is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored ‘tcpdump’ packet flows.

tcpflow is similar to ‘tcpdump’, in that both process packets from the wire or from a stored file. It's also similar to WireShark, in that both allow analysis of network traffic. But unlike either tcpdump or WireShark, tcpflow reconstructs thousands (or millions) of TCP connections at a time and saves the results in ordinary files, making it easy to analyze the data with conventional tools.

tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery.

== Overview ==

tcpflow stores all captured data in files that have names of the form
: 128.129.130.131.02345-010.011.012.013.45103
where the contents of the above file would be data transmitted from host ''128.129.131.131'' port ''2345'', to host ''10.11.12.13'' port ''45103''.

Specify the '''-Fk''' , '''-Fm'' or '''-Fg''' options if you are likely to have more than 1000 connections; this will cause tcpflow to create subdirectories automatically. You can also use other options to create directors for each host or port.

Specify the '''-e netviz''' option to enable the network visualization layer, and make a pretty picture like this:

[[Image:Tcpflow14-demo.png]]

== Limitations ==

* tcpflow does not understand IP fragments;
* tcpflow does not understand 802.11 headers.

== History ==
Jeremy Elson developed the first version of tcpflow in 1999 but stopped maintaining it in 2003. In 2006 Simson Garfinkel took over maintenance of the program and added:

* support for VLANs
* support for IPv6
* [[DFXML]] output of the connections in a '''report.xml''' file.
* Improved performance through the use of the C++ STL classes.
* Support for continuous operation (tcpflow now purges out old flows).
* Variable Filename specifications.
* A plug-in architecture.

tcpflow is based on the LBL Packet Capture Library (available from LBL) and therefore supports the same rich filtering expressions that programs like ‘tcpdump’ support. It should compile under most popular versions of UNIX; see the INSTALL file for details.

== Distributions==
* Packages for [http://kaneda.bohater.net/slackware/packages/ Slackware] contributed by [http://kaneda.bohater.net Kanedaaa]
* [http://packages.debian.org/testing/tcpflow Debian package] by [[Robert McQueen]]
* [https://admin.fedoraproject.org/pkgdb/acls/name/tcpflow Fedora Package] by [http://koji.fedoraproject.org/koji/userinfo?userID=278 Terje Røsten]
* [ftp://ftp5.freebsd.org/pub/FreeBSD/branches/-current/ports/net/tcpflow FreeBSD Port] by [[Jose M. Alcaide]]
* [http://www.openbsd.org/ports.html OpenBSD Package] (it’s in there somewhere)
* [ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/tcpflow-0.12-sol8-sparc-local.gz Solaris 8 SPARC Binary] for v0.12 from [http://www.sunfreeware.com SunFreeware.com]
* [http://www.entropy.ch/software/macosx/#tcpflow Mac OS X package] by [[Marc Liyanage]]

[[Category:Network Forensics]]

File:Tcpflow14-demo.png

2013-05-20T14:20:57Z

Simsong: Demonstration of the time histogram created by tcpflow.

Demonstration of the time histogram created by tcpflow.

Tcpflow

2013-05-20T14:20:13Z

Simsong:

{{Infobox_Software |
name = tcpflow |
maintainer = Simson Garfinkel |
os = {{Linux}} |
genre = Network forensics |
license = {{GPL}} |
website = https://github.com/simsong/tcpflow |
}}

'''tcpflow''' is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored ‘tcpdump’ packet flows.

tcpflow is similar to ‘tcpdump’, in that both process packets from the wire or from a stored file. It's also similar to WireShark, in that both allow analysis of network traffic. But unlike either tcpdump or WireShark, tcpflow reconstructs thousands (or millions) of TCP connections at a time and saves the results in ordinary files, making it easy to analyze the data with conventional tools.

tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery.

== Overview ==

tcpflow stores all captured data in files that have names of the form
: 128.129.130.131.02345-010.011.012.013.45103
where the contents of the above file would be data transmitted from host ''128.129.131.131'' port ''2345'', to host ''10.11.12.13'' port ''45103''.

Specify the '''-Fk''' , '''-Fm'' or '''-Fg''' options if you are likely to have more than 1000 connections; this will cause tcpflow to create subdirectories automatically. You can also use other options to create directors for each host or port.

Specify the '''-e netviz''' option to enable the network visualization layer, and make a pretty picture like this:

== Limitations ==

* tcpflow does not understand IP fragments;
* tcpflow does not understand 802.11 headers.

== History ==
Jeremy Elson developed the first version of tcpflow in 1999 but stopped maintaining it in 2003. In 2006 Simson Garfinkel took over maintenance of the program and added:

* support for VLANs
* support for IPv6
* [[DFXML]] output of the connections in a '''report.xml''' file.
* Improved performance through the use of the C++ STL classes.
* Support for continuous operation (tcpflow now purges out old flows).
* Variable Filename specifications.
* A plug-in architecture.

tcpflow is based on the LBL Packet Capture Library (available from LBL) and therefore supports the same rich filtering expressions that programs like ‘tcpdump’ support. It should compile under most popular versions of UNIX; see the INSTALL file for details.

== Distributions==
* Packages for [http://kaneda.bohater.net/slackware/packages/ Slackware] contributed by [http://kaneda.bohater.net Kanedaaa]
* [http://packages.debian.org/testing/tcpflow Debian package] by [[Robert McQueen]]
* [https://admin.fedoraproject.org/pkgdb/acls/name/tcpflow Fedora Package] by [http://koji.fedoraproject.org/koji/userinfo?userID=278 Terje Røsten]
* [ftp://ftp5.freebsd.org/pub/FreeBSD/branches/-current/ports/net/tcpflow FreeBSD Port] by [[Jose M. Alcaide]]
* [http://www.openbsd.org/ports.html OpenBSD Package] (it’s in there somewhere)
* [ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/tcpflow-0.12-sol8-sparc-local.gz Solaris 8 SPARC Binary] for v0.12 from [http://www.sunfreeware.com SunFreeware.com]
* [http://www.entropy.ch/software/macosx/#tcpflow Mac OS X package] by [[Marc Liyanage]]

[[Category:Network Forensics]]

User talk:Tim

2013-05-17T20:28:00Z

Simsong: Welcome!

User:Tim

2013-05-17T20:27:59Z

Simsong: Creating user page for new user.

I am a student at NAU and I am taking a forensics class. I am interested in trying to get a forensics job or maybe reverse engineering.

ForensicsWiki FeedBurner Feed

2013-05-16T03:03:08Z

Simsong: Created page with "FeedBurner Page: http://feeds.feedburner.com/ForensicsWiki-RecentChanges Subscribe by email: http://feedburner.google.com/fb/a/mailverify?uri=ForensicsWiki-RecentChanges&loc=..."

FeedBurner Page: http://feeds.feedburner.com/ForensicsWiki-RecentChanges

Subscribe by email: http://feedburner.google.com/fb/a/mailverify?uri=ForensicsWiki-RecentChanges&loc=en_US

Main Page

2013-05-16T03:02:45Z

Simsong: /* WIKI NEWS */

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;">
This is the '''Forensics Wiki''', a [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons]-licensed [http://en.wikipedia.org/wiki/Wiki wiki] devoted to information about [[digital forensics]] (also known as computer forensics). We currently list a total of [[Special:Allpages|{{NUMBEROFARTICLES}}]] pages.

Much of [[computer forensics]] is focused on the [[tools]] and [[techniques]] used by [[investigator]]s, but there are also a number of important [[papers]], [[people]], and [[organizations]] involved. Many of those organizations sponsor [[Upcoming_events|conferences]] throughout the year and around the world. You may also wish to examine the popular [[journals]] and some special [[reports]].
</div>

==WIKI NEWS==
2013-05-15: You can now subscribe to Forensics Wiki Recent Changes with the [[ForensicsWiki FeedBurner Feed]]

{| width="100%"
|-
| width="60%" style="vertical-align:top" |

<div style="margin-top:0.5em; border:2px solid #ff0000; padding:0.5em 0.5em 0.5em 0.5em; background-color:#ffff99; align:center; border:1px solid #ddccff;">
<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;"> Featured Forensic Research </h2>

<small>Jan 2013</small>
<bibtex>
@article{young:distinct,
title="Distinct Sector hashing for Target Detection",
author="Joel Young and Kristina Foster and Simson Garfinkel and Kevin Fairbanks",
year=2012,
month=Dec,
journal="IEEE Computer"
}
</bibtex>
Using an alternative approach to traditional file hashing, digital forensic investigators can hash individually sampled subject drives on sector boundaries and then check these hashes against a prebuilt database, making it possible to process raw media without reference to the underlying file system.

(See also [[Past Selected Articles]])

| width="40%" style="vertical-align:top" |

<div style="margin-top:0.5em; border:2px solid #00ff00; padding:0.5em 0.5em 0.5em 0.5em; background-color:#ffeeff; align:center; border:1px solid #ffccff;">
<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;"> Featured Article </h2>
;[[Forensic Linux Live CD issues]]
:Forensic Linux Live CD distributions are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions state that their Linux do not modify the contents of hard drives or employ "write protection." Testing indicates that this may not always be the case. [[Forensic Linux Live CD issues|Read More...]]

|}



{| width="100%"
|-
| width="60%" style="vertical-align:top" |

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#eeeeff; align:right; border:1px solid #ddccff;">

<h2 style="margin:0; background-color:#ccccff; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">Topics</h2>

* '''[[File Analysis]]''':
** '''[[:Category:File Formats|File Formats]]''': [[PDF]], [[DOC]], [[DOCX]], [[JPEG]], [[GIF]], [[BMP]], [[LNK]], [[MP3]], [[AAC]], [[Thumbs.db]], ...
** '''[[Forensic file formats]]''': [[AFF]], [[gfzip]], [[sgzip]], ...
* '''[[File Systems]]''': [[FAT]], [[NTFS]], [[ext2]]/[[ext3]], [[ufs]], [[ffs]], [[reiserfs]], ...
** '''[[File Systems#Cryptographic_File_Systems|Cryptographic File Systems]]''': [[File Vault]], [[EFS]], [[CFS]], [[NCryptfs]], [[TCFS]], [[SFS]], ...
* '''[[Hardware]]''':
** '''[[Bus]]ses''': [[IDE]], [[SCSI]], [[Firewire]], [[USB]], ...
** '''[[Data storage media|Media]]''': [[RAM]], [[Hard Drive]]s, [[Memory Card]]s, [[SmartCard]]s, [[RFID]] Tags...
** '''[[Personal Digital Devices]]''': [[PDAs]], [[Cellphones]], [[SmartPhones]], [[Audio Devices]], ...
** '''[[Other Devices]]''': [[Printers]], [[Scanners]], ...
** '''[[Write Blockers]]''': ...
* '''Recovering data''': [[Recovering bad data|bad data]], [[Recovering deleted data|deleted data]], [[Recovering Overwritten Data|overwritten data]], [[Sanitization Standards]]
* [[Encryption]]
* [[GPS]]
* [[Forensic_corpora|Forensic Corpora]]
* [[Network forensics]]: [[OS fingerprinting]], [[Hidden channels]], [[Proxy server|Proxy servers]]
* [[Steganography]], [[Steganalysis]]
* '''[[Metadata]]:''' [[MAC times]], [[ACLs]], [[Email Headers]], [[Exif]], [[ID3]], [[OLE-2]], ...
* '''[[Legal issues]]:''' [[Caselaw|Case law]]
* '''Further information:''' [[Books]], [[Papers]], [[Reports]], [[Journals]], [[Websites]], [[Blogs]], [[Mailing lists]], [[Organizations]], [[Vendors]], [[Conferences]]
</div>

| width="40%" style="vertical-align:top" |


<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#e0ffe0; align:right; border:1px solid #ddccff;">

<h2 style="margin:0; background-color:#ccffcc; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">[[Tools]]</h2>

* '''[[:Category:Disk Imaging|Disk Imaging]]''': [[dd]], [[dc3dd]], [[dcfldd]], [[dd_rescue]], [[sdd]], [[aimage]], [[Blackbag]], ...
* '''[[Tools:Data Recovery|Data Recovery]]''': ...
* '''[[Tools#Disk_Analysis_Tools|Disk Analysis]]''': [[EnCase]], [[SMART]], [[Sleuthkit]], [[foremost]], [[Scalpel]], [[frag_find]]...
* '''[[Tools#Forensics_Live_CDs|Live CDs]]''': [[DEFT Linux]], [[Helix]] ([[Helix3 Pro|Pro]]), [[FCCU Gnu/Linux Boot CD]], [[Knoppix STD]], ...
* '''[[Tools:Document Metadata Extraction|Metadata Extraction]]''': [[wvWare]], [[jhead]], [[Hachoir | hachoir-metadata]], ...
* '''[[Tools:File Analysis|File Analysis]]''': [[file]], [[ldd]], [[ltrace]], [[strace]], [[strings]], ...
* '''[[Tools:Network_Forensics|Network Forensics]]''': [[Snort]], [[Wireshark]], [[Kismet]], [[NetworkMiner]]...
* '''[[:Category:Anti-forensics tools|Anti-Forensics]]''': [[Slacker]], [[Timestomp]], [[wipe]], [[shred]], ...
* '''[[Tools#Other_Tools|Other Tools]]''': [[biew]], [[hexdump]], ...
</div>

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#c0ffff; align:right; border:1px solid #ddccff;">

<h2 style="margin:0; background-color:#99ffff; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">[[:Category:Top-Level|Categories]]</h2>

The contents of this wiki are organized into various [[:Category:Top-Level|categories]]:

* [[:Category:Tools|Tools]]
* [[:Category:Disk file systems|Disk file systems]]
* [[:Category:File Formats|File Formats]]
* [[:Category:Howtos|Howtos]]
* [[:Category:Licenses|Licenses]]
* [[:Category:Operating systems|Operating systems]]
* [[:Category:People|People]]
* [[:Category:Bibliographies|Bibliographies]]

</div>

|}

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;">
'''You can help!''' We have a list of [[:Category:Articles_that_need_to_be_expanded|articles that need to be expanded]]. If you know anything about any of these topics, please feel free to chip in.
</div>

__NOTOC__

Main Page

2013-05-16T03:01:02Z

Simsong: /* WIKI NEWS */

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;">
This is the '''Forensics Wiki''', a [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons]-licensed [http://en.wikipedia.org/wiki/Wiki wiki] devoted to information about [[digital forensics]] (also known as computer forensics). We currently list a total of [[Special:Allpages|{{NUMBEROFARTICLES}}]] pages.

Much of [[computer forensics]] is focused on the [[tools]] and [[techniques]] used by [[investigator]]s, but there are also a number of important [[papers]], [[people]], and [[organizations]] involved. Many of those organizations sponsor [[Upcoming_events|conferences]] throughout the year and around the world. You may also wish to examine the popular [[journals]] and some special [[reports]].
</div>

==WIKI NEWS==
2013-05-15: You can now subscribe to Forensics Wiki Recent Changes with this FeedBurner Feed: http://feeds.feedburner.com/ForensicsWiki-RecentChanges

{| width="100%"
|-
| width="60%" style="vertical-align:top" |

<div style="margin-top:0.5em; border:2px solid #ff0000; padding:0.5em 0.5em 0.5em 0.5em; background-color:#ffff99; align:center; border:1px solid #ddccff;">
<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;"> Featured Forensic Research </h2>

<small>Jan 2013</small>
<bibtex>
@article{young:distinct,
title="Distinct Sector hashing for Target Detection",
author="Joel Young and Kristina Foster and Simson Garfinkel and Kevin Fairbanks",
year=2012,
month=Dec,
journal="IEEE Computer"
}
</bibtex>
Using an alternative approach to traditional file hashing, digital forensic investigators can hash individually sampled subject drives on sector boundaries and then check these hashes against a prebuilt database, making it possible to process raw media without reference to the underlying file system.

(See also [[Past Selected Articles]])

| width="40%" style="vertical-align:top" |

<div style="margin-top:0.5em; border:2px solid #00ff00; padding:0.5em 0.5em 0.5em 0.5em; background-color:#ffeeff; align:center; border:1px solid #ffccff;">
<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;"> Featured Article </h2>
;[[Forensic Linux Live CD issues]]
:Forensic Linux Live CD distributions are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions state that their Linux do not modify the contents of hard drives or employ "write protection." Testing indicates that this may not always be the case. [[Forensic Linux Live CD issues|Read More...]]

|}



{| width="100%"
|-
| width="60%" style="vertical-align:top" |

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#eeeeff; align:right; border:1px solid #ddccff;">

<h2 style="margin:0; background-color:#ccccff; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">Topics</h2>

* '''[[File Analysis]]''':
** '''[[:Category:File Formats|File Formats]]''': [[PDF]], [[DOC]], [[DOCX]], [[JPEG]], [[GIF]], [[BMP]], [[LNK]], [[MP3]], [[AAC]], [[Thumbs.db]], ...
** '''[[Forensic file formats]]''': [[AFF]], [[gfzip]], [[sgzip]], ...
* '''[[File Systems]]''': [[FAT]], [[NTFS]], [[ext2]]/[[ext3]], [[ufs]], [[ffs]], [[reiserfs]], ...
** '''[[File Systems#Cryptographic_File_Systems|Cryptographic File Systems]]''': [[File Vault]], [[EFS]], [[CFS]], [[NCryptfs]], [[TCFS]], [[SFS]], ...
* '''[[Hardware]]''':
** '''[[Bus]]ses''': [[IDE]], [[SCSI]], [[Firewire]], [[USB]], ...
** '''[[Data storage media|Media]]''': [[RAM]], [[Hard Drive]]s, [[Memory Card]]s, [[SmartCard]]s, [[RFID]] Tags...
** '''[[Personal Digital Devices]]''': [[PDAs]], [[Cellphones]], [[SmartPhones]], [[Audio Devices]], ...
** '''[[Other Devices]]''': [[Printers]], [[Scanners]], ...
** '''[[Write Blockers]]''': ...
* '''Recovering data''': [[Recovering bad data|bad data]], [[Recovering deleted data|deleted data]], [[Recovering Overwritten Data|overwritten data]], [[Sanitization Standards]]
* [[Encryption]]
* [[GPS]]
* [[Forensic_corpora|Forensic Corpora]]
* [[Network forensics]]: [[OS fingerprinting]], [[Hidden channels]], [[Proxy server|Proxy servers]]
* [[Steganography]], [[Steganalysis]]
* '''[[Metadata]]:''' [[MAC times]], [[ACLs]], [[Email Headers]], [[Exif]], [[ID3]], [[OLE-2]], ...
* '''[[Legal issues]]:''' [[Caselaw|Case law]]
* '''Further information:''' [[Books]], [[Papers]], [[Reports]], [[Journals]], [[Websites]], [[Blogs]], [[Mailing lists]], [[Organizations]], [[Vendors]], [[Conferences]]
</div>

| width="40%" style="vertical-align:top" |


<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#e0ffe0; align:right; border:1px solid #ddccff;">

<h2 style="margin:0; background-color:#ccffcc; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">[[Tools]]</h2>

* '''[[:Category:Disk Imaging|Disk Imaging]]''': [[dd]], [[dc3dd]], [[dcfldd]], [[dd_rescue]], [[sdd]], [[aimage]], [[Blackbag]], ...
* '''[[Tools:Data Recovery|Data Recovery]]''': ...
* '''[[Tools#Disk_Analysis_Tools|Disk Analysis]]''': [[EnCase]], [[SMART]], [[Sleuthkit]], [[foremost]], [[Scalpel]], [[frag_find]]...
* '''[[Tools#Forensics_Live_CDs|Live CDs]]''': [[DEFT Linux]], [[Helix]] ([[Helix3 Pro|Pro]]), [[FCCU Gnu/Linux Boot CD]], [[Knoppix STD]], ...
* '''[[Tools:Document Metadata Extraction|Metadata Extraction]]''': [[wvWare]], [[jhead]], [[Hachoir | hachoir-metadata]], ...
* '''[[Tools:File Analysis|File Analysis]]''': [[file]], [[ldd]], [[ltrace]], [[strace]], [[strings]], ...
* '''[[Tools:Network_Forensics|Network Forensics]]''': [[Snort]], [[Wireshark]], [[Kismet]], [[NetworkMiner]]...
* '''[[:Category:Anti-forensics tools|Anti-Forensics]]''': [[Slacker]], [[Timestomp]], [[wipe]], [[shred]], ...
* '''[[Tools#Other_Tools|Other Tools]]''': [[biew]], [[hexdump]], ...
</div>

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#c0ffff; align:right; border:1px solid #ddccff;">

<h2 style="margin:0; background-color:#99ffff; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">[[:Category:Top-Level|Categories]]</h2>

The contents of this wiki are organized into various [[:Category:Top-Level|categories]]:

* [[:Category:Tools|Tools]]
* [[:Category:Disk file systems|Disk file systems]]
* [[:Category:File Formats|File Formats]]
* [[:Category:Howtos|Howtos]]
* [[:Category:Licenses|Licenses]]
* [[:Category:Operating systems|Operating systems]]
* [[:Category:People|People]]
* [[:Category:Bibliographies|Bibliographies]]

</div>

|}

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;">
'''You can help!''' We have a list of [[:Category:Articles_that_need_to_be_expanded|articles that need to be expanded]]. If you know anything about any of these topics, please feel free to chip in.
</div>

__NOTOC__

Main Page

2013-05-16T03:00:06Z

Simsong: /* WIKI NEWS */

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;">
This is the '''Forensics Wiki''', a [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons]-licensed [http://en.wikipedia.org/wiki/Wiki wiki] devoted to information about [[digital forensics]] (also known as computer forensics). We currently list a total of [[Special:Allpages|{{NUMBEROFARTICLES}}]] pages.

Much of [[computer forensics]] is focused on the [[tools]] and [[techniques]] used by [[investigator]]s, but there are also a number of important [[papers]], [[people]], and [[organizations]] involved. Many of those organizations sponsor [[Upcoming_events|conferences]] throughout the year and around the world. You may also wish to examine the popular [[journals]] and some special [[reports]].
</div>

==WIKI NEWS==
2013-05-15: You can now subscribe to Forensics Wiki Recent Changes with this FeedBurner Feed: http://feeds.feedburner.com/ForensicsWiki-RecentChangesen

{| width="100%"
|-
| width="60%" style="vertical-align:top" |

<div style="margin-top:0.5em; border:2px solid #ff0000; padding:0.5em 0.5em 0.5em 0.5em; background-color:#ffff99; align:center; border:1px solid #ddccff;">
<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;"> Featured Forensic Research </h2>

<small>Jan 2013</small>
<bibtex>
@article{young:distinct,
title="Distinct Sector hashing for Target Detection",
author="Joel Young and Kristina Foster and Simson Garfinkel and Kevin Fairbanks",
year=2012,
month=Dec,
journal="IEEE Computer"
}
</bibtex>
Using an alternative approach to traditional file hashing, digital forensic investigators can hash individually sampled subject drives on sector boundaries and then check these hashes against a prebuilt database, making it possible to process raw media without reference to the underlying file system.

(See also [[Past Selected Articles]])

| width="40%" style="vertical-align:top" |

<div style="margin-top:0.5em; border:2px solid #00ff00; padding:0.5em 0.5em 0.5em 0.5em; background-color:#ffeeff; align:center; border:1px solid #ffccff;">
<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;"> Featured Article </h2>
;[[Forensic Linux Live CD issues]]
:Forensic Linux Live CD distributions are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions state that their Linux do not modify the contents of hard drives or employ "write protection." Testing indicates that this may not always be the case. [[Forensic Linux Live CD issues|Read More...]]

|}



{| width="100%"
|-
| width="60%" style="vertical-align:top" |

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#eeeeff; align:right; border:1px solid #ddccff;">

<h2 style="margin:0; background-color:#ccccff; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">Topics</h2>

* '''[[File Analysis]]''':
** '''[[:Category:File Formats|File Formats]]''': [[PDF]], [[DOC]], [[DOCX]], [[JPEG]], [[GIF]], [[BMP]], [[LNK]], [[MP3]], [[AAC]], [[Thumbs.db]], ...
** '''[[Forensic file formats]]''': [[AFF]], [[gfzip]], [[sgzip]], ...
* '''[[File Systems]]''': [[FAT]], [[NTFS]], [[ext2]]/[[ext3]], [[ufs]], [[ffs]], [[reiserfs]], ...
** '''[[File Systems#Cryptographic_File_Systems|Cryptographic File Systems]]''': [[File Vault]], [[EFS]], [[CFS]], [[NCryptfs]], [[TCFS]], [[SFS]], ...
* '''[[Hardware]]''':
** '''[[Bus]]ses''': [[IDE]], [[SCSI]], [[Firewire]], [[USB]], ...
** '''[[Data storage media|Media]]''': [[RAM]], [[Hard Drive]]s, [[Memory Card]]s, [[SmartCard]]s, [[RFID]] Tags...
** '''[[Personal Digital Devices]]''': [[PDAs]], [[Cellphones]], [[SmartPhones]], [[Audio Devices]], ...
** '''[[Other Devices]]''': [[Printers]], [[Scanners]], ...
** '''[[Write Blockers]]''': ...
* '''Recovering data''': [[Recovering bad data|bad data]], [[Recovering deleted data|deleted data]], [[Recovering Overwritten Data|overwritten data]], [[Sanitization Standards]]
* [[Encryption]]
* [[GPS]]
* [[Forensic_corpora|Forensic Corpora]]
* [[Network forensics]]: [[OS fingerprinting]], [[Hidden channels]], [[Proxy server|Proxy servers]]
* [[Steganography]], [[Steganalysis]]
* '''[[Metadata]]:''' [[MAC times]], [[ACLs]], [[Email Headers]], [[Exif]], [[ID3]], [[OLE-2]], ...
* '''[[Legal issues]]:''' [[Caselaw|Case law]]
* '''Further information:''' [[Books]], [[Papers]], [[Reports]], [[Journals]], [[Websites]], [[Blogs]], [[Mailing lists]], [[Organizations]], [[Vendors]], [[Conferences]]
</div>

| width="40%" style="vertical-align:top" |


<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#e0ffe0; align:right; border:1px solid #ddccff;">

<h2 style="margin:0; background-color:#ccffcc; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">[[Tools]]</h2>

* '''[[:Category:Disk Imaging|Disk Imaging]]''': [[dd]], [[dc3dd]], [[dcfldd]], [[dd_rescue]], [[sdd]], [[aimage]], [[Blackbag]], ...
* '''[[Tools:Data Recovery|Data Recovery]]''': ...
* '''[[Tools#Disk_Analysis_Tools|Disk Analysis]]''': [[EnCase]], [[SMART]], [[Sleuthkit]], [[foremost]], [[Scalpel]], [[frag_find]]...
* '''[[Tools#Forensics_Live_CDs|Live CDs]]''': [[DEFT Linux]], [[Helix]] ([[Helix3 Pro|Pro]]), [[FCCU Gnu/Linux Boot CD]], [[Knoppix STD]], ...
* '''[[Tools:Document Metadata Extraction|Metadata Extraction]]''': [[wvWare]], [[jhead]], [[Hachoir | hachoir-metadata]], ...
* '''[[Tools:File Analysis|File Analysis]]''': [[file]], [[ldd]], [[ltrace]], [[strace]], [[strings]], ...
* '''[[Tools:Network_Forensics|Network Forensics]]''': [[Snort]], [[Wireshark]], [[Kismet]], [[NetworkMiner]]...
* '''[[:Category:Anti-forensics tools|Anti-Forensics]]''': [[Slacker]], [[Timestomp]], [[wipe]], [[shred]], ...
* '''[[Tools#Other_Tools|Other Tools]]''': [[biew]], [[hexdump]], ...
</div>

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#c0ffff; align:right; border:1px solid #ddccff;">

<h2 style="margin:0; background-color:#99ffff; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">[[:Category:Top-Level|Categories]]</h2>

The contents of this wiki are organized into various [[:Category:Top-Level|categories]]:

* [[:Category:Tools|Tools]]
* [[:Category:Disk file systems|Disk file systems]]
* [[:Category:File Formats|File Formats]]
* [[:Category:Howtos|Howtos]]
* [[:Category:Licenses|Licenses]]
* [[:Category:Operating systems|Operating systems]]
* [[:Category:People|People]]
* [[:Category:Bibliographies|Bibliographies]]

</div>

|}

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;">
'''You can help!''' We have a list of [[:Category:Articles_that_need_to_be_expanded|articles that need to be expanded]]. If you know anything about any of these topics, please feel free to chip in.
</div>

__NOTOC__

User:Markus

2013-05-16T02:57:34Z

Simsong: Creating user page for new user.

Computer security from Vienna/Austria. Currently a PhD student with focus on online social networks.

User talk:Markus

2013-05-16T02:57:34Z

Simsong: Welcome!

User:Indranil Sur

2013-05-16T02:57:03Z

Simsong: Creating user page for new user.

I am an employee of Samsung Research India, working in Android Kernel, which is actually a fancy way of saying that I work in Linux kernel.

User talk:Indranil Sur

2013-05-16T02:57:03Z

Simsong: Welcome!

User:Johan Berggren

2013-05-16T02:56:42Z

Simsong: Creating user page for new user.

Johan Berggren is a forensic investigator. He has a long history working in with the Eiropean R&E networks, coordinating security related issues.

User talk:Johan Berggren

2013-05-16T02:56:42Z

Simsong: Welcome!

User:Danny Anderson

2013-05-16T02:55:44Z

Simsong: Creating user page for new user.

http://www.autosec.org/publications.html
www.a-r-studios.com/pi

User talk:Danny Anderson

2013-05-16T02:55:44Z

Simsong: Welcome!

User:Robert

2013-05-16T02:55:32Z

Simsong: Creating user page for new user.

My expertise is in data recovery, computer repair, troubleshooting and upgrading.

I have been doing data recovery for the past 10 years. I have been doing computer repairing, troubleshooting and upgrading for the past 19 years.

User talk:Robert

2013-05-16T02:55:32Z

Simsong: Welcome!

User:Tonny Chiu

2013-05-16T02:55:17Z

Simsong: Creating user page for new user.

Tony Chiu is a forensics science fans, forensic analyst, computer forensics and mobile forensics research.

User talk:Tonny Chiu

2013-05-16T02:55:17Z

Simsong: Welcome!

User:Lukas Newman

2013-05-16T02:53:28Z

Simsong: Creating user page for new user.

Hi, I am from Czech Republic - Central Europe. No from Tchechna - USSR!

User talk:Lukas Newman

2013-05-16T02:53:28Z

Simsong: Welcome!

User:Luis Alfonso Núñez Gutiérrez

2013-05-16T02:53:02Z

Simsong: Creating user page for new user.

Engineer in Electronics and Communications since 1995 (officially since 1997)

Proficient in Forensics Computing and Acquisitions and Disposals of Government since 2012.

Teacher in the Universidad de Guadalajara, México.

User talk:Luis Alfonso Núñez Gutiérrez

2013-05-16T02:53:02Z

Simsong: Welcome!

User:Jeremy c

2013-05-16T02:52:18Z

Simsong: Creating user page for new user.

graduate student enrolled at the johns hopkins university information security institute studying digital forensics under kevin fairbanks, phd

User talk:Jeremy c

2013-05-16T02:52:18Z

Simsong: Welcome!

User:ACME Portable Computers

2013-05-16T02:51:53Z

Simsong: Creating user page for new user.

ACME Portable Computer GmbH - Benzstrasse 15 - 76185 Karlsruhe

Tel: +49 (0) 721-570 453-0

Fax: +49 (0) 721-570 453-29

Email: info(at)acmeportable.de

User talk:ACME Portable Computers

2013-05-16T02:51:53Z

Simsong: Welcome!

User:Dax Roberts

2013-05-16T02:51:08Z

Simsong: Creating user page for new user.

Dr Roberts graduated with his PhD from Otago University New Zealand in 2013. The topic was "Data Remanence" and examined 100 hard drives across New Zealand for identifying information about individuals and companies.

User talk:Dax Roberts

2013-05-16T02:51:08Z

Simsong: Welcome!

User:Danny Garcia

2013-05-16T02:50:51Z

Simsong: Creating user page for new user.

Mr. Garcia is a Certified Forensic Computer Examiner who honorably served within the largest police department in the Southeastern United States for nearly 20 years as a full time law enforcement officer. His final seven years in investigative work was dedicated to conducting and managing digital forensic examinations of computers, cellular telephones and other electronic devices.

User talk:Danny Garcia

2013-05-16T02:50:51Z

Simsong: Welcome!

Open Research Topics

2013-04-29T14:17:28Z

Simsong:

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas.

Many of these would make a nice master's project.

=Programming/Engineering Projects=

==Small-Sized Projects==
; Sleuthkit:
* Rewrite SleuthKit '''sorter''' in C++ to make it faster and more flexible.
; tcpflow:
* Modify [[tcpflow]]'s iptree.h implementation so that it only stores discriminating bit prefixes in the tree, similar to D. J. Bernstein's [http://cr.yp.to/critbit.html Crit-bit] trees.
* Determine why [[tcpflow]]'s iptree.h implementation's ''prune'' works differently when caching is enabled then when it is disabled

==Medium-Sized Projects==
===Forensic File Viewer ===
* Create a program that visualizes the contents of a file, sort of like hexedit, but with other features:
** Automatically pull out the strings
** Show histogram
** Detect crypto and/or stenography.
* Extend SleuthKit's [[fiwalk]] to report the NTFS alternative data streams.

===Data Sniffing===
* Create a method to detect NTFS-compressed cluster blocks on a disk (RAW data stream). A method could be to write a generic signature to detect the beginning of NTFS-compressed file segments on a disk. This method is useful in carving and scanning for textual strings.

===SleuthKit Modifications===
* Write a FUSE-based mounter for SleuthKit, so that disk images can be forensically mounted using TSK.
* Modify SleuthKit's API so that the physical location on disk of compressed files can be learned.

===Anti-Frensics Detection===
* A pluggable rule-based system that can detect the residual data or other remnants of running a variety of anti-forensics software

===Carvers===
Develop a new carver with a plug-in architecture and support for fragment reassembly carving. Take a look at:
* [[Carver 2.0 Planning Page]]
* ([mailto:rainer.poisel@gmail.com Rainer Poisel']) [https://github.com/rpoisel/mmc Multimedia File Carver], which allows for the reassembly of multimedia fragmented files.

===Correlation Engine===
* Logfile correlation
* Document identity identification
* Correlation between stored data and intercept data
* Online Social Network Analysis

===Data Snarfing/Web Scraping===
* Find and download in a forensically secure manner all of the information in a social network (e.g. Facebook, LinkedIn, etc.) associated with a targeted individual.
* Determine who is searching for a targeted individual. This might be done with a honeypot, or documents with a tracking device in them, or some kind of covert Facebook App.
* Automated grouping/annotation of low-level events, e.g. access-time, log-file entry, to higher-level events, e.g. program start, login

=== Timeline analysis ===
* Mapping differences and similarities in multiple versions of a system, e.g. those created by [[Windows Shadow Volumes]] but not limited to
* Write a new timeline viewer that supports Logfile fusion (with offsets) and provides the ability to view the logfile in the frequency domain.

===EnCase Enhancement===
* Develop an EnScript that allows you to script EnCase from Python. (You can do this because EnScripts can run arbitrary DLLs. The EnScript calls the DLL. Each "return" from the DLL is a specific EnCase command to execute. The EnScript then re-enters the DLL.)

==Reverse-Engineering Projects==
=== Application analysis ===
* Reverse the on-disk structure of the [[Extensible Storage Engine (ESE) Database File (EDB) format]] to learn:
** Fill in the missing information about older ESE databases
** Exchange EDB (MAPI database), STM
** Active Directory (Active Directory working document available on request)
* Reverse the on-disk structure of the Lotus [[Notes Storage Facility (NSF)]]
* Reverse the on-disk structure of Microsoft SQL Server databases

=== Volume/File System analysis ===
* Analysis of inter snapshot changes in [[Windows Shadow Volumes]]
* Modify SleuthKit's NTFS implementation to support NTFS encrypted files (EFS)
* Extend SleuthKit's implementation of NTFS to cover Transaction NTFS (TxF) (see [[NTFS]])
* Physical layer access to flash storage (requires reverse-engineering proprietary APIs for flash USB and SSD storage.)
* Add support to SleuthKit for [[Resilient File System (ReFS)|ReFS]].

==Error Rates==
* Develop improved techniques for identifying encrypted data. (It's especially important to distinguish encrypted data from compressed data).
* Quantify the error rate of different forensic tools and processes. Are these rates theoretical or implementation dependent? What is the interaction of the error rates and the [[Daubert]] standard?

==Research Areas==
These are research areas that could easily grow into a PhD thesis.
* General-purpose detection of:
** Stegnography
** Sanitization attempts
** Evidence Falsification (perhaps through inconsistency in file system allocations, application data allocation, and log file analysis.
* Visualization of data/information in digital forensic context
* SWOT of current visualization techniques in forensic tools; improvements; feasibility of 3D representation;

==See Also==
* [http://itsecurity.uiowa.edu/securityday/documents/guan.pdf Digital Forensics: Research Challenges and Open Problems, Dr. Yong Guan, Iowa State University, Dec. 4, 2007]

__NOTOC__

[[Category:Research]]

Famous Cases Involving Digital Forensics

2013-04-26T14:49:11Z

Simsong:

===2000 Michelle Theer===
''E-mails document the conspiracy to murder her husband''

On Dec. 17, 2000, John Diamond shot and killed Air Force Capt. Marty Theer. "There [was] no direct evidence, no eyewitness evidence. There is no physical evidence. There is no confusion," said Theer's attorney Daniel Pollitt<ref>http://www.wral.com/news/local/story/1061742/ </ref> after the conviction. But what prosecutors did have was 88,000 e-mails and instant messages on Theer's computer, including personal ads that Theer had written in 1999, web-mail that she had written in response to those ads, clear evidence of a sexual relationship between Theer and Diamond, and messages documenting the conspiracy to murder Theer's husband. Theer was found guilty on December 3, 2004 of murder and conspiracy and sentenced to life in prison<ref>http://www.wral.com/news/local/story/114276/</ref>.

===2002 [http://en.wikipedia.org/wiki/Scott_Tyree Scott Tyree]===
''Postings on Yahoo reveal a kidnapping''

On January 1st, 2002, Scott Tyree kidnapped and imprisoned 13-year-old Alicia Kozakiewicz. That night Tyree sent an instant message of a photograph of Kozakiewicz bound in his basement to another man in Tampa, FL. The second man checked the Pit tsburgh Post-Gazette website and saw that a girl was in fact missing from her parent's home. The man contacted the FBI on January 3rd and provided the Yahoo screen name of the person who had sent the IM: "masterforteenslavegirls". FBI investigators contacted Yahoo to obtained the IP address for the person who had used the screen name, then contacted Verizon to learn the name and physical address of the Verizon subscriber to whom that IP address had been assigned. It was Scott William Tyree.

* [http://www.covenanteyes.com/2012/01/13/caught-by-a-predator-10-years-after-her-abduction/ article on the abduction]
* [http://www.popularmechanics.com/technology/how-to/computer-security/2672751 Popular Mechanics article]
* [http://notonemorechild.org/map/9 Congressional testimony of Alicia Kozakiewicz]

===2005 [http://en.wikipedia.org/wiki/Dennis_Rader Dennis Rader]===
''The BTK Serial Killer''

After eluding police for more than 30 years, a serial killer in Kansas re-emerged, took another victim, and then sent police a floppy disk with a letter on it. On the disk forensic investigators found a deleted Microsoft Word file. Inside that file's metadata was metadata containing the name "Dennis" as the last person to modify the deleted file and a link to the Lutheran Church, where Rader was a Deacon. (Ironically, Rader had sent a floppy disk to the police because he had been previously told, by the police themselves, that letters on floppy disks could not be traced.)

===2005 Corey Beantee Melton===
''Caught up in child pornography''

Melton brought his malfunctioning home computer to Best Buy's Geek Squad. The Squad found numerous computer viruses on the system. Melton left his computer with the store. Subsequent analysis by the store found that some of the viruses kept re-attaching themselves to movies. When the squad looked at the videos they determined that they were child pornography and contacted the police.
* http://www.forbes.com/sites/kashmirhill/2010/10/12/the-geek-squad-becomes-the-porn-squad/
* http://law.justia.com/cases/alabama/court-of-appeals-criminal/2010/08-1767.html

===2007 James Kent===
''University Professor caught up in child pornography''

In 1999, James Kent, a professor of public administration at Maris College in Poughkeepsie, NY, started a researching child pornography for a book that he was planning on the topic. In June 2000 he abandoned the project and deleted his copies of the files. In 2005 his computer was replaced by the college, but the files from his old computer were copied to the new computer. In 2007 Kent, now 63, complained to his school's IT department that his college-provided computer not functioning properly. In the course of running a virus scan the school's IT department discovered a large number of pictures of "of very young girls, some scantily dressed in sexually suggestive poses." Kent maintained that the photos were left over from his research efforts and that he did not have access to the files. Kent is charged with 141 counts of possession in child pornography. In the appeal the court throws out one count, arguing that Kent did not know that viewing child pornography online made a copy of the pornography in his web browser's cache.
* http://www.dailyfreeman.com/articles/2010/10/20/blotter/doc4cbe74442fd0d812453451.txt
* http://usnews.nbcnews.com/_news/2012/05/08/11602955-viewing-child-porn-on-the-web-legal-in-new-york-state-appeals-court-finds?lite
* [http://msnbcmedia.msn.com/i/MSNBC/Sections/NEWS/120508_NY_ChildPorn_Ruling.pdf Opinion]
* http://www.forbes.com/sites/kashmirhill/2010/10/15/i-was-doing-academic-research-not-an-adequate-defense-for-child-porn-possession/

===2009 James M. Cameron===
''Assistant attorney general for Maine caught up in child pornography''

On February 17, 2009, James M. Cameron was indicated on 16 charges of trafficking in child pornography. Prosecutors alleged that between July 2006 and January 2008 Cameron had uploaded child pornography to a Yahoo photo album using five different aliases. According to an order by a federal judge dated Sept. 28, 2009, ""It begins with two referrals from the (National Center for Missing and Exploited Children) to the Maine State Police on August 3, 2007, and September 6, 2007, which itself had been triggered by a report from the Internet Service Provider Yahoo. Yahoo reported locating numerous images of child pornography in the photos section of a Yahoo! account.

"The Maine State Police Computer Crimes Unit undertook an investigation and ultimately identified the owner of the account to be Barbara Cameron, the defendant's wife. Further investigation confirmed that Mr. Cameron was an assistant attorney general for the state of Maine, and that some of the pornography involved children as young as 4 to 6 years old engaging in sexual conduct....On December 21, 2007, the state executed a search warrant and seized four computers. When the computers were examined, there was evidence of Internet chat between two users about sex with children, images of child pornography and related topics....In one of those conversations, the person identified himself as a married 45-year-old man with a daughter, a description that fits Mr. Cameron."

* http://www.pressherald.com/news/Cameron-sentenced-to-16-years-in-prison.html
* http://www.mahalo.com/james-m-cameron/

Famous Cases Involving Digital Forensics

2013-04-26T14:48:41Z

Simsong: /* 2002 Scott Tyree */

===2000 Michelle Theer===
'''E-mails document the conspiracy to murder her husband'''

On Dec. 17, 2000, John Diamond shot and killed Air Force Capt. Marty Theer. "There [was] no direct evidence, no eyewitness evidence. There is no physical evidence. There is no confusion," said Theer's attorney Daniel Pollitt<ref>http://www.wral.com/news/local/story/1061742/ </ref> after the conviction. But what prosecutors did have was 88,000 e-mails and instant messages on Theer's computer, including personal ads that Theer had written in 1999, web-mail that she had written in response to those ads, clear evidence of a sexual relationship between Theer and Diamond, and messages documenting the conspiracy to murder Theer's husband. Theer was found guilty on December 3, 2004 of murder and conspiracy and sentenced to life in prison<ref>http://www.wral.com/news/local/story/114276/</ref>.

===2002 [http://en.wikipedia.org/wiki/Scott_Tyree Scott Tyree]===
''Postings on Yahoo reveal a kidnapping''

On January 1st, 2002, Scott Tyree kidnapped and imprisoned 13-year-old Alicia Kozakiewicz. That night Tyree sent an instant message of a photograph of Kozakiewicz bound in his basement to another man in Tampa, FL. The second man checked the Pit tsburgh Post-Gazette website and saw that a girl was in fact missing from her parent's home. The man contacted the FBI on January 3rd and provided the Yahoo screen name of the person who had sent the IM: "masterforteenslavegirls". FBI investigators contacted Yahoo to obtained the IP address for the person who had used the screen name, then contacted Verizon to learn the name and physical address of the Verizon subscriber to whom that IP address had been assigned. It was Scott William Tyree.

* [http://www.covenanteyes.com/2012/01/13/caught-by-a-predator-10-years-after-her-abduction/ article on the abduction]
* [http://www.popularmechanics.com/technology/how-to/computer-security/2672751 Popular Mechanics article]
* [http://notonemorechild.org/map/9 Congressional testimony of Alicia Kozakiewicz]

===2005 [http://en.wikipedia.org/wiki/Dennis_Rader Dennis Rader]===
'''The BTK Serial Killer'''
After eluding police for more than 30 years, a serial killer in Kansas re-emerged, took another victim, and then sent police a floppy disk with a letter on it. On the disk forensic investigators found a deleted Microsoft Word file. Inside that file's metadata was metadata containing the name "Dennis" as the last person to modify the deleted file and a link to the Lutheran Church, where Rader was a Deacon. (Ironically, Rader had sent a floppy disk to the police because he had been previously told, by the police themselves, that letters on floppy disks could not be traced.)

===2005 Corey Beantee Melton===
'''Caught up in child pornography'''
Melton brought his malfunctioning home computer to Best Buy's Geek Squad. The Squad found numerous computer viruses on the system. Melton left his computer with the store. Subsequent analysis by the store found that some of the viruses kept re-attaching themselves to movies. When the squad looked at the videos they determined that they were child pornography and contacted the police.
* http://www.forbes.com/sites/kashmirhill/2010/10/12/the-geek-squad-becomes-the-porn-squad/
* http://law.justia.com/cases/alabama/court-of-appeals-criminal/2010/08-1767.html

===2007 James Kent===
'''University Professor caught up in child pornography'''
In 1999, James Kent, a professor of public administration at Maris College in Poughkeepsie, NY, started a researching child pornography for a book that he was planning on the topic. In June 2000 he abandoned the project and deleted his copies of the files. In 2005 his computer was replaced by the college, but the files from his old computer were copied to the new computer. In 2007 Kent, now 63, complained to his school's IT department that his college-provided computer not functioning properly. In the course of running a virus scan the school's IT department discovered a large number of pictures of "of very young girls, some scantily dressed in sexually suggestive poses." Kent maintained that the photos were left over from his research efforts and that he did not have access to the files. Kent is charged with 141 counts of possession in child pornography. In the appeal the court throws out one count, arguing that Kent did not know that viewing child pornography online made a copy of the pornography in his web browser's cache.
* http://www.dailyfreeman.com/articles/2010/10/20/blotter/doc4cbe74442fd0d812453451.txt
* http://usnews.nbcnews.com/_news/2012/05/08/11602955-viewing-child-porn-on-the-web-legal-in-new-york-state-appeals-court-finds?lite
* [http://msnbcmedia.msn.com/i/MSNBC/Sections/NEWS/120508_NY_ChildPorn_Ruling.pdf Opinion]
* http://www.forbes.com/sites/kashmirhill/2010/10/15/i-was-doing-academic-research-not-an-adequate-defense-for-child-porn-possession/

===2009 James M. Cameron===
'''Assistant attorney general for Maine caught up in child pornography'''
On February 17, 2009, James M. Cameron was indicated on 16 charges of trafficking in child pornography. Prosecutors alleged that between July 2006 and January 2008 Cameron had uploaded child pornography to a Yahoo photo album using five different aliases. According to an order by a federal judge dated Sept. 28, 2009, ""It begins with two referrals from the (National Center for Missing and Exploited Children) to the Maine State Police on August 3, 2007, and September 6, 2007, which itself had been triggered by a report from the Internet Service Provider Yahoo. Yahoo reported locating numerous images of child pornography in the photos section of a Yahoo! account.

"The Maine State Police Computer Crimes Unit undertook an investigation and ultimately identified the owner of the account to be Barbara Cameron, the defendant's wife. Further investigation confirmed that Mr. Cameron was an assistant attorney general for the state of Maine, and that some of the pornography involved children as young as 4 to 6 years old engaging in sexual conduct....On December 21, 2007, the state executed a search warrant and seized four computers. When the computers were examined, there was evidence of Internet chat between two users about sex with children, images of child pornography and related topics....In one of those conversations, the person identified himself as a married 45-year-old man with a daughter, a description that fits Mr. Cameron."

* http://www.pressherald.com/news/Cameron-sentenced-to-16-years-in-prison.html
* http://www.mahalo.com/james-m-cameron/