Forensics Overview
What is Digital Forensics?
From the FBI Regional Computer Forensics Laboratory:
Digital forensics is the application of science and engineering to the
recovery of digital evidence in a legally acceptable method. Examiners
use digital investigation and analysis techniques to determine
potential legal evidence by applying their skills on a variety of
software programs, different operating systems, varying hard drive
sizes, and specific technologies such as personal digital assistants,
cell phones, or video cameras. Examiners are also capable of locating
deleted, encrypted or damaged file information that may serve as
evidence in a criminal investigation.
- EnCase Forensic
- Forensic Toolkit (FTK)
- FTK 2.0
- The Forensics Wiki, which is a Creative Commons-licensed wiki devoted to information about digital forensics. They currently list a total of 431 pages.
- Website for Forensics and Security distributions, among others.
- PenguinSleuth, one of the best-known Forensics-based Linux distributions.
- Helix is also very well-known.
- Review of various Security and Forensics Distributions. It's out of date (circa 2006) but still an interesting review.
- Nice article about Forensics from Linux Journal
In early 2001, worms and viruses that took advantage of Linux operating systems were just getting a good start. I had a vulnerable Red Hat Linux machine, and was one of the early victims of what later became known as Adore. The files and information make for good forensic practice. Copies are available upon request.
Here is a local copy of the original Symantec writeup for Adore, or you can retrieve the original.
After the meeting, there were a lot more contributions of links about forensics, and I thought it would be nice to have them all in one place.
- Jericho (and Lyger), well known to many of us, have an interesting position piece on forensics: http://attrition.org/dataloss/forensics.html. Some of you have probably already read this (they wrote it back in February of last year). It makes some very valid points.
- Computer Forensic Tool Testing Project: http://www.cftt.nist.gov/project_overview.htm
- Investigative Uses of Technology: Devices, Tools, and Techniques: http://www.ncjrs.gov/pdffiles1/nij/213030.pdf
- Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations: http://www.cybercrime.gov/s&smanual2002.pdf
- An interesting paper from NIST, detailing their specification of requirements for disk imaging tools.
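As an added illustration of what a disk imaging specification of that kind asks of a tool, here is a minimal sector-by-sector acquisition routine. This is example code written for this page, not NIST's and not any vendor's product: it attempts every sector, zero-fills and logs any sector the source refuses to read so the image keeps the source's size and alignment, hashes exactly the bytes written, and then verifies the finished image against that hash. The `FlakySource` class, the sample bytes and the bad-sector offset are constructed for the demo; they stand in for a real device and are not from the original page.

```python
import hashlib
import io
import os
import tempfile

SECTOR_SIZE = 512


class FlakySource(io.BytesIO):
    """Constructed stand-in for a block device opened read-only: an in-memory
    byte buffer whose reads raise EIO at the configured byte offsets, the way
    a real device does on an unreadable sector.  Demo only."""

    def __init__(self, data, bad_offsets=()):
        super().__init__(data)
        self.bad_offsets = set(bad_offsets)

    def read(self, size=-1):
        if self.tell() in self.bad_offsets:
            raise OSError(5, "Input/output error")
        return super().read(size)


def sha256_hex(data):
    """Hex SHA-256 of a byte string (used to check results)."""
    return hashlib.sha256(data).hexdigest()


def acquire(source, image_path, sector_size=SECTOR_SIZE):
    """Sector-by-sector acquisition of `source` (a seekable binary file
    object) into `image_path`.

    Every sector is attempted.  A sector that cannot be read is written as
    zero-filled and its byte offset is recorded, so the image keeps the
    source's size and sector alignment.  The SHA-256 is taken over exactly
    the bytes written, which is the value a later verification must reproduce.
    """
    source.seek(0, os.SEEK_END)
    total = source.tell()
    digest = hashlib.sha256()
    unreadable = []
    with open(image_path, "wb") as image:
        offset = 0
        while offset < total:
            want = min(sector_size, total - offset)
            try:
                source.seek(offset)
                chunk = source.read(want)
                if len(chunk) != want:       # treat a short read as an error too
                    raise OSError(5, "short read")
            except OSError:
                unreadable.append(offset)    # log where the source failed
                chunk = b"\x00" * want       # keep the image the same size
            digest.update(chunk)
            image.write(chunk)
            offset += want
    return {
        "bytes": total,
        "sectors": (total + sector_size - 1) // sector_size,
        "unreadable_offsets": unreadable,
        "sha256": digest.hexdigest(),
    }


def verify(image_path, expected_sha256):
    """Re-hash the written image and compare it with the acquisition hash."""
    digest = hashlib.sha256()
    with open(image_path, "rb") as image:
        for block in iter(lambda: image.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest() == expected_sha256


def image_to_tempdir(data, bad_offsets=()):
    """Demo driver: image `data` through FlakySource into a temporary file and
    return (report, image_bytes).  Constructed input, not real evidence."""
    with tempfile.TemporaryDirectory() as tmp:
        image_path = os.path.join(tmp, "evidence.dd")
        report = acquire(FlakySource(data, bad_offsets), image_path)
        report["verified"] = verify(image_path, report["sha256"])
        with open(image_path, "rb") as f:
            image_bytes = f.read()
    return report, image_bytes


if __name__ == "__main__":
    sample = bytes(range(256)) * 8          # 2048 bytes = 4 sectors of 512
    report, img = image_to_tempdir(sample, bad_offsets=[1024])
    print(report)                           # unreadable_offsets == [1024]
```

Against a real source the `FlakySource` would be replaced by the device file opened `"rb"` (and, if the point is admissibility, reached through a hardware write blocker); that substitution is an assumption about the reader's setup, not something the page describes. The acquisition hash recorded alongside the list of unreadable offsets is what an examiner later re-computes over the image to show it has not changed.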
- The FBI Regional Computer Forensics Labs: http://www.rcfl.gov/ and http://www.nwrcfl.org/
- The official field guide.
- ImageScan FAQ Sheet: CART [Computer Analysis Response Team] developed the Image Scan system to help investigators locate the presence of picture files that may contain contraband on a computer. Of course, you have to be in law enforcement to play (you have to take the class on how to use it before you can have a copy, and you can't get in the class unless you're in law enforcement).
- Survey of forensic and security live CDs (it's nice, but somewhat dated, circa 2002).
- http://www.danjryan.com/Legal%20Issues.doc
- The FBI has several nice offerings, including Forensic Science Communications, a quarterly journal, which replaced the Crime Laboratory Digest (another interesting publication, unfortunately not available online). Note that there's a search button for glancing through back issues. In addition, there's a nice link to the calendar (which has meetings and other events).
- http://www.fbi.gov/hq/lab/fsc/current/rapidmtg.htm