Difference between pages "Upcoming events" and "Tools:Network Forensics"

From Forensics Wiki

Upcoming events

<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
Events should be posted in the correct section, and in date order. An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training). When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two-digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event (i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
<i>Some conferences or training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience. Such restrictions should be noted when known.</i>

This is a BY DATE listing of upcoming conferences and training events relevant to [[digital forensics]]. It is not an all-inclusive list, but includes most well-known activities. Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.

This listing is divided into four sections (described as follows):<br>
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available in an online/distance learning format or that are offered at the same time every month (Name, date if applicable, URL)</li><br>
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations. This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Name, Date(s), Location(s), URL) (''note: this has been moved to its own page.'')<br></li></ol>

The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv.
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.

== Calls For Papers ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title
! Due Date
! Website
|-
|5th Australian Digital Forensics Conference
|Sep 30, 2007
|http://scissec.scis.ecu.edu.au/conferences2007/index.php?cf=1
|-
|2nd Small Scale Digital Device Forensics Journal
|Oct 31, 2007
|http://ssddfj.org/submit.asp
|-
|International Association of Forensic Science Annual Meeting
|Jan 01, 2008
|http://www.iafs2008.com/abstracts/intro.asp
|-
|Usenix Annual Technical Conference
|Jan 07, 2008 (11:59PM PST)
|http://www.usenix.com/events/usenix08/cfp/
|-
|Techno-Security 2008
|May 04, 2008
|http://www.techsec.com/html/TechnoPapers.html
|-
|}

== Conferences ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title
! Date/Location
! Website
|-
|14th International Conference on Image Analysis and Processing (ICIAP 2007)
|Sep 10-14, Modena, Italy
|http://www.iciap2007.org
|-
|3rd International Conference on IT-Incident Management & IT-Forensics
|Sep 11-12, Stuttgart, Germany
|http://www.imf-conference.org/
|-
|ForenSec Canada 2007
|Sep 17-18, Regina, Saskatchewan, Canada
|http://www.csiservices.ca/events.html#ForenSec
|-
|SANS Network Security
|Sep 22-30, Las Vegas, NV
|http://www.sans.org/ns2007/?portal=69456f95660ade45be29c00b0c14aea1
|-
|Black and White Ball
|Sep 25-28, London, UK
|http://www.theblackandwhiteball.co.uk/
|-
|Wisconsin Association of Computer Crimes Investigators/Forensic Association of Computer Technologists
|Sep 26-28, Milwaukee, WI
|http://www.byteoutofcrime.org
|-
|6th Annual Internet Crimes Against Children National Conference
|Oct 15-18, San Jose, CA
|http://www.icactraining.org/website/registration.html
|-
|ToorCon 9
|Oct 19-21, San Diego, CA
|http://toorcon.org/intro.php
|-
|BlackHat Japan - Briefings
|Oct 23-26, Tokyo, Japan
|http://www.blackhat.com/html/bh-japan-07/bh-jp-07-main.html
|-
|Global Conference on Economic and High-Tech Crime (Open to all)
|Oct 24-26, Crystal City, VA
|https://conference.nw3c.org/index.cfm
|-
|European Network Forensic and Security Conference 2007
|Oct 24-26, Zuyd University, Heerlen, Netherlands
|http://www.enfsc2007.com/
|-
|Techno-Forensics Conference
|Oct 29-31, Rockville, MD
|http://www.techsec.com/html/TechnoForensics2007.html
|-
|Computer Security Institute Annual Meeting
|Nov 03-09, Arlington, VA
|http://www.csiannual.com/
|-
|First Forensic Forum Conference (F3 Conference)
|Nov 03-05, Tortworth, England
|http://www.f3.org.uk/
|-
|DeepSec IDSC
|Nov 22-24, Vienna, Austria
|http://deepsec.net/
|-
|Digital Forensic Forum Prague 2007
|Nov 26-27, Prague, Czech Republic
|http://www.dff-prague.com/
|-
|PacSec Applied Security Conference
|Nov 29-30, Tokyo, Japan
|http://www.pacsec.jp/index.html
|-
|5th Australian Digital Forensics Conference
|Dec 03, Edith Cowan University, Mount Lawley, WA, Australia
|http://scissec.scis.ecu.edu.au/conferences2007/index.php?cf=1
|-
|HTCIA Asia Pacific Training Conference 2007
|Dec 12-14, Hong Kong
|http://2007.htcia.org.hk
|-
|SANS Security 2008
|Jan 11-19, New Orleans, LA
|http://www.sans.org/security08/
|-
|DoD Cyber Crime Conference 2008
|Jan 13-18, St. Louis, MO
|http://www.dodcybercrime.com/
|-
|4th Annual IFIP WG 11.9 International Conference on Digital Forensics
|Jan 27-30, Kyoto, Japan
|http://www.ifip119-kyoto.org/doku.php
|-
|AAFS Annual Meeting 2008
|Feb 18-23, Washington, DC
|http://aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
|-
|CanSecWest Security Conference 2008
|Mar 19-21, Vancouver, BC, Canada
|http://cansecwest.com/
|-
|EuSecWest Security Conference 2008
|May 21-22, London, England
|http://eusecwest.com/
|-
|Techno-Security 2008
|Jun 01-04, Myrtle Beach, SC
|http://www.techsec.com/html/Techno2008.html
|-
|Usenix Annual Technical Conference
|Jun 22-27, Boston, MA
|http://www.usenix.com/events/usenix08/
|-
|International Association of Forensic Sciences Annual Meeting
|Jul 21-26, New Orleans, LA
|http://www.iafs2008.com/
|-
|Digital Forensic Research Workshop
|Aug 11-13, Baltimore, MD
|http://www.dfrws.org
|-
|}

== On-going / Continuous Training ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title
! Date/Location or Venue
! Website
|-
|Basic Computer Examiner Course - Computer Forensic Training Online
|Distance Learning Format
|http://www.cftco.com
|-
|Linux Data Forensics Training
|Distance Learning Format
|http://www.crazytrain.com/training.html
|-
|SANS On-Demand Training
|Distance Learning Format
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
|-
|MaresWare Suite Training
|First full week every month, Atlanta, GA
|http://www.maresware.com/maresware/training/maresware.htm
|-
|Evidence Recovery for Windows Vista&trade;
|First full week every month, Brunswick, GA
|http://www.internetcrimes.net
|-
|Evidence Recovery for Windows Server&reg; 2003 R2
|Second full week every month, Brunswick, GA
|http://www.internetcrimes.net
|-
|Evidence Recovery for the Windows XP&trade; operating system
|Third full week every month, Brunswick, GA
|http://www.internetcrimes.net
|-
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
|Third weekend of every month (Fri-Mon), Dallas, TX
|http://www.md5group.com
|-
|}

<font size=+2><b>[[Scheduled Training Courses]]</b></font>

Tools:Network Forensics
Revision as of 11:49, 13 June 2008

Network Forensics Packages and Appliances

Burst
http://www.burstmedia.com/release/advertisers/geo_faq.htm
Expensive IP geo-location service.
chkrootkit
http://www.chkrootkit.org
cryptcat
http://farm9.org/Cryptcat/
Enterasys Dragon
http://www.enterasys.com/products/advanced-security-apps/index.aspx
Intrusion Detection System, includes session reconstruction.
MaxMind
http://www.maxmind.com
IP geolocation services and data provider for offline geotagging. Free GeoLite country database. Programmable APIs.
netcat
http://netcat.sourceforge.net/
netflow/flowtools
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
http://www.splintered.net/sw/flow-tools/
http://silktools.sourceforge.net/
http://www.vmware.com/vmtn/appliances/directory/293 Netflow Appliance (VMWare)
NetIntercept
http://www.sandstorm.net/products/netintercept
NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
NetworkMiner
http://networkminer.wiki.sourceforge.net/NetworkMiner
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool or to parse PCAP files for off-line analysis.
rkhunter
http://rkhunter.sourceforge.net/
ngrep
http://ngrep.sourceforge.net/
nslookup
http://en.wikipedia.org/wiki/Nslookup
Name Server Lookup command line tool used to find IP address from domain name.
Sguil
http://sguil.sourceforge.net/
Snort
http://www.snort.org/
ssldump
http://ssldump.sourceforge.net/
tcpdump
http://www.tcpdump.org
tcpextract
http://tcpxtract.sourceforge.net/
tcpflow
http://www.circlemud.org/~jelson/software/tcpflow/
truewitness
http://www.nature-soft.com/forensic.html
Linux/open-source. Based in India.
etherpeek
http://www.wildpackets.com/products/etherpeek/overview
Whois
http://en.wikipedia.org/wiki/WHOIS Web service and command line tool to look up registry information for internet domain.
http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN
IP Regional Registries
http://www.arin.net/community/rirs.html
http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)
http://www.afrinic.net/ African Network Information Center (AfriNIC)
http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)
http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)
http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)
Wireshark / Ethereal
http://www.wireshark.org/
Open Source protocol analyzer previously known as ethereal.
Xplico
http://www.xplico.org/
Open Source Network Forensic Analysis Tool (NFAT). Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...

Command-line tools

arp - view the contents of your ARP cache

ifconfig - view your mac and IP address

ping - send packets to probe remote machines

tcpdump - capture packets

snoop - captures packets from the network and displays their contents (Solaris)

nemesis - create arbitrary packets

tcpreplay - replay captured packets

traceroute - view a network path

gnetcast - GNU rewrite of netcat

packit - packet generator

nmap - utility for network exploration and security auditing

ARP and Ethernet MAC Tools

arping - transmit ARP traffic

arpdig - probe LAN for MAC addresses

arpwatch - watch ARP changes

arp-sk - perform denial of service attacks

macof - CAM table attacks

ettercap - performs various low-level Ethernet network attacks

CISCO Discovery Protocol Tools

cdpd - transmit and receive CDP announcements; provides forgery capabilities

ICMP Layer Tests and Attacks

icmp-reset

icmp-quench

icmp-mtu

ish - ICMP shell (like SSH, but uses ICMP)

isnprober

IP Layer Tests

iperf - IP multicast test

fragtest - IP fragment reassembly test

UDP Layer Tests

udpcast - includes UDP-receiver and UDP-sender

TCP Layer

lft http://pwhois.org/lft - TCP tracing

etrace http://www.bindshell.net/tools/etrace

firewalk http://www.packetfactory.net