Computer Forensics

Modified 21 June 2008

The science of extracting information from computers in support of the investigation of crime or other malicious activity.

Except.... It isn't really a science, not in the same sense that forensic chemistry, forensic biology, and so on are based on science. What is called "computer forensics" today is a collection of ad-hoc techniques done in a legally responsible way.

Free forensics tools

• Sleuth Kit is a great package, it replaces the older The Coroner's Toolkit — http://www.sleuthkit.org/
• Helix is a bootable forensics toolkit including Sleuth Kit and many other valuable utilities: http://www.e-fense.com/helix/
• Foremost extracts files from images of many filesystem types: Linux ext2/ext3, Linux swap, UFS, JFS, NTFS, FAT12, FAT16, FAT32. http://sourceforge.net/projects/foremost
• The Sleuth Kit —
  • The Sleuth Kit itself:
    • http://www.sleuthkit.org/sleuthkit/index.php
    • http://sleuthkit.sourceforge.net/sleuthkit/index.php
  • The Autopsy Forensic Browser is a graphical interface for it:
    • http://www.sleuthkit.org/autopsy/index.php
    • http://sleuthkit.sourceforge.net/autopsy/index.php
• F.I.R.E. — Forensic and Incident Response Environment bootable CD: http://fire.dmzs.com/
• Forensic Toolkit, BinText, Galleta, NTLast, Pasco, Patchit, Rifiuti, and ShoWin, all Windows-specific, are available for free from the Resources page at http://www.foundstone.com/
• WinHex hexadecimal editor for files, disks, and RAM — http://www.x-ways.net/winhex/

Free tools for media sterilization (for defeating later forensics) —

• Darik's Boot And Nuke (DBAN) "is a self-contained boot floppy that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction." http://dban.sourceforge.net/
• Sterilize media sterilizer, useful for testing, or to defeat later forensics: http://www.cybersecurityinstitute.biz/software/

Further tools and technical papers —

• Overviews of computer forensics concepts: http://www.cybersecurityinstitute.biz/documents.htm
• Several lists of tools and toolkits:
  • http://www.networkintrusion.co.uk/fortools.htm
  • http://www.networkintrusion.co.uk/fortoolkits.htm
  • http://www.networkintrusion.co.uk/foranti.htm
• Purdue CERIAS group forensics work
  • http://www.cerias.purdue.edu/homes/carrier/forensics/
  • http://www.cerias.purdue.edu/homes/forensics/
  • ftp://ftp.cerias.purdue.edu/pub/doc/forensics
• U.S. NIST Computer Forensic Tool Testing Program — http://www.cftt.nist.gov/

Commercial Tools and Services

• New Technologies Inc. — http://www.secure-data.com
• EnCase Forensic Edition — http://www.guidancesoftware.com/
• Paraben Forensics Tools — http://www.paraben-forensics.com/
• AccessData forensics toolkit — http://www.accessdata.com/
• Technology Pathways — http://www.techpathways.com/
• SMART for Linux and BeOS — (US$ 649 for law enforcement, but US$ 2000 for mere civilians) — http://www.asrdata.com/

Guidance on evidence collection and preservation

• U.S. Department of Justice: http://www.usdoj.gov/criminal/cybercrime/
• NTI:
  • http://www.secure-data.com/guidelns.html/
  • http://www.secure-data.com/evidguid.html/

Security Page

© Bob Cromwell Jul 2008. Created with /bin/vi, hosted on OpenBSD with Apache.    Root password available here