Getting Started in Forensic Research

From Forensics Wiki

Interested in getting involved in computer forensics research? Here's how to start.
 
==Recommended Reading==
# Read the proceedings of the past several years of the [http://www.dfrws.org DFRWS] conference. If a specific article looks interesting, download it and read it!
#*[http://www.dfrws.org/2011/program.shtml DFRWS 2011 Program]
#*[http://www.dfrws.org/2010/program.shtml DFRWS 2010 Program]
#*[http://www.dfrws.org/2009/program.shtml DFRWS 2009 Program]
#*[http://www.dfrws.org/2008/program.shtml DFRWS 2008 Program]
#*[http://www.dfrws.org/2007/program.shtml DFRWS 2007 Program]
#*[http://www.dfrws.org/2006/program.shtml DFRWS 2006 Program]
# Review the proceedings from the past few years of the IEEE/SADFE (Systematic Approaches to Digital Forensic Engineering) workshops. The papers do not appear on the website, but you can generally find them with Google by searching for the title in quotes.
#*[http://conf.ncku.edu.tw/sadfe/sadfe09/program.html SADFE 2009 Program]
#*[http://conf.ncku.edu.tw/sadfe/sadfe08/program.html SADFE 2008 Program]
# Review the [http://www.ifip119.org/ IFIP Working Group 11.9 on Digital Forensics] website and look at the proceedings from past conferences. The papers cannot be downloaded from the site and the printed book costs more than $100, but if you see something interesting it can usually be requested via interlibrary loan, and some higher education libraries subscribe to SpringerLink, which gives their students and faculty full text of these proceedings.
#*[http://www.ifip119.org/Publications/ IFIP WG 11.9 publications]
# Search for interesting forensic terms at the [http://portal.acm.org/dl.cfm ACM Digital Library] and [http://citeseer.ist.psu.edu/ CiteSeer].
# Review the [http://www.sleuthkit.org/ Sleuth Kit website]. In particular, review the issues of [http://www.sleuthkit.org/informer/index.php The Sleuth Kit Informer] and download a copy of The Sleuth Kit for your computer.

==Recommended Mailing Lists==
* [https://lists.sourceforge.net/lists/listinfo/sleuthkit-users sleuthkit-users]
* [http://groups.yahoo.com/group/linux_forensics/join linux_forensics]
* [http://groups.yahoo.com/group/cftt/join cftt] (computer forensic tool testing)

==Setting up a C++ development environment==
Many people working in forensics find it useful to be able to compile their tools from source code. Most of the tools compile on Linux, Mac, and within the Cygwin environment under Windows.

Because these tools build upon one another, compile and install them in the order given below. The Sleuth Kit's configure script looks for libewf and AFFLIB when it runs, so if either library is installed afterwards The Sleuth Kit will have been built without E01 or AFF support and must be rebuilt.

# Download a copy of [http://sourceforge.net/projects/libewf/ libewf] and install it on your computer. This allows your forensic tools to read and process EnCase [[E01]] disk images.
# Download a copy of [http://www.afflib.org/ AFFLIB] and install it. This allows your forensic tools to read and process AFF disk images (but not AFF4 images).
# Download a copy of [http://www.sleuthkit.org/sleuthkit/ Sleuthkit] and install it. The Sleuth Kit is the basic open source computer forensics toolkit for extracting files from disk images; you can use it to recover deleted files.

If you are interested in doing file recovery, you may also wish to explore:
* [http://www.digitalforensicssolutions.com/Scalpel/ Scalpel: A Frugal, High Performance File Carver]
* [http://www.cgsecurity.org/wiki/PhotoRec PhotoRec], another file carver.
* [http://digital-assembly.com/ Adroit Photo Recovery], a commercial photo recovery tool that is pretty amazing.

If you want to experiment with automated computer forensics research, try these:
* [http://www.afflib.org/ Bulk Extractor], a program from the Naval Postgraduate School that scans a disk image for features such as email addresses and produces histograms of what it finds.
* [http://www.afflib.org/ fiwalk], an NPS program that processes a disk image and outputs an XML (DFXML) or ARFF file describing all of the file system metadata.

==Exercises for the Reader==
# Download the file [http://digitalcorpora.org/corp/images/nps/nps-2009-canon2/nps-2009-canon2-gen6.raw nps-2009-canon2-gen6.raw] from the Digital Corpora website and try to recover as many files as you can. Some of the JPEGs can only be found using file carving, and some can only be found with fragment recovery file carving.
#* Can you determine when the photos were taken?
#* Can you determine ''where'' the photos were taken?
#* Can you determine the username of the person who took the photos?
#* Can you determine the clock offset of the camera from real time?
# Download the file [http://digitalcorpora.org/corp/images/nps/nps-2009-ubnist1/ubnist1.gen3.aff ubnist1.gen3.aff] and find the government documents that were stored on the USB device.
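The first exercise combines carving with EXIF interpretation. The following is an added example (not code from this wiki, nor from Scalpel or PhotoRec) that carves contiguous JPEGs by header and footer, reads EXIF DateTimeOriginal out of each carved file to answer "when were the photos taken", and computes the camera's clock offset from a photo whose true capture time is known. It deliberately handles one pitfall of naive carving: an EXIF thumbnail inside the APP1 segment carries its own end-of-image marker, so the footer search starts only after the header segments. The disk image it runs on is constructed in the block, not the Digital Corpora image, and it does no fragment recovery, which is exactly the case the exercise says plain carving will miss.

```python
"""Header/footer JPEG carver plus an EXIF DateTimeOriginal reader and a camera
clock-offset calculation. Added example for the carving exercise, not code from
the wiki or from Scalpel/PhotoRec. Assumptions: files are contiguous (no fragment
recovery); SAMPLE_DISK is a constructed image, not nps-2009-canon2-gen6.raw."""
import struct
from datetime import datetime

SOI = b"\xff\xd8\xff"          # Start Of Image followed by the next marker's 0xFF
EOI = b"\xff\xd9"              # End Of Image
MAX_JPEG = 16 * 1024 * 1024    # assumption: bound on the size of one carved file


def _headers(data: bytes, start: int):
    """Walk the marker segments after the SOI at `start`. Returns
    ([(marker, payload), ...], offset_of_SOS); the offset is None if the chain breaks."""
    segs, i = [], start + 2
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            return segs, i
        length = struct.unpack(">H", data[i + 2:i + 4])[0]   # includes its own 2 bytes
        if length < 2:
            break
        segs.append((marker, data[i + 4:i + 2 + length]))
        i += 2 + length
    return segs, None


def carve_jpegs(data: bytes):
    """Return [(offset, bytes)] for every JPEG found by SOI..EOI scanning."""
    found, pos = [], 0
    while (start := data.find(SOI, pos)) >= 0:
        _, sos = _headers(data, start)
        # Look for EOI only after the header segments: an EXIF thumbnail in APP1
        # carries its own FFD9 and a naive footer search would truncate the file.
        scan_from = sos if sos is not None else start + len(SOI)
        end = data.find(EOI, scan_from, start + MAX_JPEG)
        if end < 0:
            pos = start + 1
            continue
        found.append((start, data[start:end + 2]))
        pos = end + 2
    return found


def _ifd_entries(tiff: bytes, offset: int, end: str) -> dict:
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one TIFF IFD."""
    (n,) = struct.unpack(end + "H", tiff[offset:offset + 2])
    entries = {}
    for k in range(n):
        e = offset + 2 + 12 * k
        tag, typ, cnt = struct.unpack(end + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, cnt, tiff[e + 8:e + 12])
    return entries


def exif_datetime_original(jpeg: bytes):
    """Return EXIF DateTimeOriginal (tag 0x9003) as 'YYYY:MM:DD HH:MM:SS', or None."""
    segs, _ = _headers(jpeg, 0)
    for marker, payload in segs:
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        end = "<" if tiff[:2] == b"II" else ">"            # II little-endian, MM big-endian
        (ifd0,) = struct.unpack(end + "I", tiff[4:8])
        ptr = _ifd_entries(tiff, ifd0, end).get(0x8769)    # ExifIFDPointer
        if ptr is None:
            return None
        (exif_ifd,) = struct.unpack(end + "I", ptr[2])
        dto = _ifd_entries(tiff, exif_ifd, end).get(0x9003)
        if dto is None:
            return None
        _, cnt, raw = dto
        # Values of 4 bytes or fewer are stored inline; longer ones sit at an offset.
        value = raw[:cnt] if cnt <= 4 else tiff[struct.unpack(end + "I", raw)[0]:][:cnt]
        return value.rstrip(b"\x00").decode("ascii", "replace")
    return None


def clock_offset_seconds(exif_value: str, reference_iso: str) -> int:
    """Camera clock minus true time for a photo whose real capture time is known
    (for example a photo of a reference clock). Positive means the camera runs fast."""
    cam = datetime.strptime(exif_value, "%Y:%m:%d %H:%M:%S")
    return int((cam - datetime.fromisoformat(reference_iso)).total_seconds())


def _build_exif_jpeg(datetime_original: str, with_thumbnail: bool) -> bytes:
    """Construct a minimal JPEG: APP1/EXIF (IFD0 -> Exif IFD -> DateTimeOriginal),
    a dummy DQT, an SOS and EOI. TIFF offsets: IFD0 at 8, Exif IFD at 26, string at 44."""
    dt = datetime_original.encode("ascii") + b"\x00"                        # 20 bytes
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", 0x8769, 4, 1, 26) + b"\0\0\0\0"
    exif = struct.pack("<H", 1) + struct.pack("<HHII", 0x9003, 2, len(dt), 44) + b"\0\0\0\0"
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + exif + dt
    if with_thumbnail:
        tiff += b"\xff\xd8\xff\xdb\x00\x02\xff\xd9"   # embedded thumbnail with its own EOI
    app1 = b"Exif\x00\x00" + tiff
    return (SOI + b"\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xdb\x00\x04\x00\x00"               # DQT with a dummy payload
            + b"\xff\xda\x00\x02" + b"\x12\x34" + EOI)  # SOS, entropy data, EOI


# Constructed disk image: filler, an EXIF JPEG with a thumbnail, filler, a bare JPEG.
SAMPLE_DISK = (b"\x00" * 512 + _build_exif_jpeg("2009:05:12 14:03:21", True)
               + b"\x41" * 777 + b"\xff\xd8\xff\xe0\x00\x02\xff\xda\x00\x02\xff\xd9"
               + b"\x00" * 100)


if __name__ == "__main__":
    for off, blob in carve_jpegs(SAMPLE_DISK):
        print(f"JPEG at offset {off}, {len(blob)} bytes, taken {exif_datetime_original(blob)}")
```

The "where" question is answered the same way: IFD0 tag 0x8825 points at the GPS IFD, whose latitude and longitude entries are RATIONAL triples (degrees, minutes, seconds) rather than ASCII, so `_ifd_entries` applies unchanged and only the value decoding differs.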