CNIT 121: Computer Forensics

Fall 2010 Sam Bowne & Sufyaan Mateen

CRN 79129 Mon 6 pm - 9 pm Moved to SCIE 300

Final Scores posted 12-19


Textbook

Guide to Computer Forensics and Investigations, Fourth Edition, by Bill Nelson, Amelia Phillips, Christopher Steuart; ISBN-10: 1435498836
Buy printed book from Amazon
Buy e-book from Cengage

Catalog Description

The class covers forensics tools, methods, and procedures used for investigation of computers, techniques of data recovery and evidence collection, protection of evidence, expert witness skills, and computer crime investigation techniques. Includes analysis of various file systems and specialized diagnostic software used to retrieve data. Prepares for part of the industry standard certification exam, Security+, and also maps to the Computer Investigation Specialists exam.

Examine computer media to discover evidence.

Prerequisite: Students should have taken CNIT 120 or have equivalent familiarity with the fundamentals of security.

Upon successful completion of this course, the student will be able to:

  1. Define and describe computer investigations
  2. Demonstrate correct methods of evidence gathering
  3. Use and evaluate various operating systems and file systems
  4. Equip a Forensics Lab with appropriate hardware and software
  5. Install, configure, and use various command-line and graphical software forensics tools
  6. Describe and compare various hardware devices employed by computer forensics experts
  7. Retrieve and analyze data from a suspect's computer
  8. Create security implementation plans
  9. Summarize the evidence and write investigative reports
  10. Utilize the services of expert witnesses
  11. Recover file images, and categorize the data
  12. Examine and trace email messages
  13. Obtain and control digital evidence

Schedule

Date  Quiz / Projects  Topic
Mon 8-16  Ch 1: Computer Forensics and Investigation Processes
Mon 8-23  Ch 2: Understanding Computing Investigations
Mon 8-30  Ch 3: The Investigator's Office and Laboratory
Fri 9-3  Last Day to Add Classes
Mon 9-6  Holiday - No Class
Fri 9-9  Last Day to Drop Classes
Mon 9-13  Quiz on Ch 1-3; Proj 1-4 due; Ch 4: Data Acquisitions
Thu 9-16  Last Day to Request pass/no pass Grading
Mon 9-20  Quiz on Ch 4; Proj 5-6 due; Ch 5: Processing Crime and Incident Scenes
Mon 9-27  Quiz on Ch 5; Proj 7-8 due; Ch 6: Working with Windows and DOS Systems
Mon 10-4  Quiz on Ch 6; Proj 9 due; Ch 7: Current Computer Forensics Tools
Mon 10-11  Holiday - No Class
Mon 10-18  Quiz on Ch 7; Proj 10 due; Ch 8: Macintosh and Linux Boot Processes and File Systems
Mon 10-25  Win Phone 7 demo in VART 115 from 6-7, class starts at 7:15 in S300; No Quiz; Proj 11 due; Ch 9: Computer Forensics Analysis
Mon 11-1  Quiz on Ch 8 & 9; Proj 12 due; Ch 10: Recovering Graphics Files
Mon 11-8  Quiz on Ch 10; Proj 13 due; Ch 11: Virtual Machines, Network Forensics, and Live Acquisitions
Mon 11-15  Quiz on Ch 11; Proj 14 due; Ch 12: E-mail Investigations & Ch 13: Cell Phone and Mobile Device Forensics
Thu 11-18  Last Day to Withdraw
Mon 11-22  Quiz on Ch 12-13; Proj 15 due; Ch 14: Report Writing for High-Tech Investigations & Ch 15: Expert Testimony in High-Tech Investigations
Mon 11-29  Quiz on Ch 14-15; Proj 16 due; Ch 16: Ethics and High-Tech Investigations
Mon 12-6  No Quiz; All extra credit projects due; Last Class: Review
Mon 12-13  Final Exam: 6 pm Cloud 218

Lecture Notes

Policy
Student Agreement
1: Computer Forensics and Investigation Processes    Powerpoint    iClicker version
2: Understanding Computing Investigations    Powerpoint    iClicker version
3: The Investigator's Office and Laboratory    Powerpoint    iClicker version
4: Data Acquisitions (modified 9-23-10)    Powerpoint    iClicker version
5: Processing Crime and Incident Scenes    Powerpoint    iClicker version
6: Working with Windows and DOS Systems    Powerpoint    iClicker version
7: Current Computer Forensics Tools    Powerpoint    iClicker version
8: Macintosh and Linux Boot Processes and File Systems    Powerpoint    iClicker version
9: Computer Forensics Analysis    Powerpoint    iClicker version
10: Recovering Graphics Files    Powerpoint    iClicker version
11: Virtual Machines, Network Forensics, and Live Acquisitions    Powerpoint    iClicker version
12: E-mail Investigations    Powerpoint    iClicker version
13: Cell Phone and Mobile Device Forensics    Powerpoint    iClicker version
14: Report Writing for High-Tech Investigations    Powerpoint    iClicker version
15: Expert Testimony in High-Tech Investigations    Powerpoint    iClicker version
16: Ethics and High-Tech Investigations    Powerpoint
The lectures are in Word and PowerPoint formats. If you do not have Word or PowerPoint, you will need to install the Free Word Viewer 2003 and/or the Free PowerPoint Viewer 2003.


Projects

How to Read Your CCSF Email
How to Get your Windows Activation Codes from MSDNAA
Downloading MSDNAA Software
Virtual Machines at Home
VMware Networking Troubleshooting
Fixing Problems with Ubuntu on VMware

Project 1: Preparing a Windows XP Virtual Machine (10 pts.)
Project 2: Viewing Segments and Clusters with a Hex Editor (25 pts.)
     SPAM.zip      EGGS.zip
Project 3: Installing FTK (15 pts.)
Project 4: Examining the Registry (15 pts.)
Project 5: Capturing the Registry with FTK Imager (20 pts.)
Project 6: Learning About the Registry from the FTK User Guide (10 pts.)
Project 7: USB Write-Blocking in the Registry (15 pts.)
Project 8: Static Acquisition with BackTrack 4 (20 pts.)      Proj 8 Evidence File (383 KB)
Project 9: Sloppy Static Acquisition with FTK Imager in Windows (15 pts.)
Project 10: Better Static Acquisition with FTK Imager in Windows (15 pts.)
Project 11: Static Acquisition with Raptor 2 (15 pts.)
Project 12: Analyzing an Image with FTK (20 pts.) (revised 9-27-10)
Project 13: Sleuthkit and Autopsy (20 pts.)
Project 14: Rebuilding an Image Header (10 pts.)      Proj 14 image
Project 15: EnCase (15 pts.)
Project 16: RAM Capture and Analysis (15 pts.)

Extra Credit Projects

IPv6 Certifications (Windows Version) (25 pts. extra credit)
Project X1: Using a PDF Exploit with Metasploit (15 pts. extra credit) (revised 10-14-10)
Project X2: Static Image (15 pts. extra credit)      Proj X2 Evidence File
Project X3: Bypassing a BIOS password (15 pts. extra credit)
Project X4: TrueCrypt (15 pts. extra credit)
Project X5: MD5 Collisions (15 pts. extra credit)
Project X6: Encrypted Email (15 pts. extra credit)
Project X7: Making a Report with ProDiscover and FTK (20 pts. extra credit)

There are more projects coming later, of course


Links

Links for Chapter Lectures

Ch 1a: Guidance Software Encase Forensic Edition
Ch 1b: Forensic Toolkit, FTK, computer forensics software | AccessData
Ch 1c: San Francisco Police Blotter

Ch 2a: FireFly IDE and FireFly SATA write blockers
Ch 2b: Computer Forensics Evidence Collection with Helix: Live and static acquisition
Ch 2c: AccessData Product Downloads--Get FTK Imager Here

Ch 3a: ASCLD | The American Society of Crime Lab Directors
Ch 3b: FBI Uniform Crime Report
Ch 3c: IACIS | The International Association of Computer Investigative Specialists
Ch 3d: EnCase Certification Programs
Ch 3e: AccessData - ACE Certification Process.
Ch 3f: Computer Forensics Certification - CyberSecurity Forensic Analyst(CSFA)

Ch 4a: Sparsing - New technology set to revolutionise digital forensics
Ch 4b: Sparse image - Wikipedia
Ch 4c: Host protected area - Wikipedia
Ch 4e: Cold Boot Attacks on Encryption Keys
Ch 4f: New Passware Can Crack PGP and BitLocker-Protected Systems
Ch 4g: Engineer shows how to crack a 'secure' TPM chip with an electron microscope
Ch 4h: Registry Hack to Disable Writing to USB Drives - How-To Geek
Ch 4i: VMware Hard Disk Format Specifications (pdf)
Ch 4j: Computer Forensics: DCFLDD Updates (v1.2.2)
Ch 4k: New BackTrack 4 Forensics Mode
Ch 4l: Accessing Forensic Images--excellent slides
Ch 4m: Helix-instructions

Ch 5a: Steve Jackson Games v. US Secret Service
Ch 5b: 'To Catch a Predator' sex stings--issues of agents of law enforcement

Ch 6a: Master boot record - Wikipedia
Ch 6b: Exploring the insides of a .docx word document
Ch 6c: ZIP (file format) - Wikipedia
Ch 6d: Default cluster size for NTFS, FAT, and exFAT
Ch 6e: Encrypting File System - Wikipedia
Ch 6f: How to add an EFS recovery agent in Windows XP Professional
Ch 6g: Windows Vista startup process - Wikipedia

Ch 7a: Logicube Talon® - The Complete Data Capture System
Ch 7b: Voom Technologies, Inc.| Computer Forensic and Data Backup and Recovery products
Ch 7c: WinFS - Wikipedia
Ch 7d: ASR Data - SMART
Ch 7e: Raptor 2.0 - Forensic Live CD
Ch 7f: PDBlock--software write blocker for DOS (but not Windows)
Ch 7g: NIST Disk Imaging Documents

Ch 8a: Filesystems HOWTO: Macintosh Hierarchical Filesystem - HFS
Ch 8b: B-tree - Wikipedia
Ch 8c: B-Trees
Ch 8d: The Apple Examiner--Apple Forensic Tools
Ch 8e: BlackBag Technologies--Free 30-day trial of Mac forensic software here
Ch 8f: BlackBag Technologies Inc. Products, including Software Mac Write-Blocker
Ch 8g: Linux EXT2 File System Data Recovery
Ch 8h: Sticky bit - Wikipedia
Ch 8j: HFS Plus - Wikipedia
Ch 8k: Mac OS X File Systems

Ch 10a: Jeffrey's EXIF Viewer

Ch 11a: Forensic Memory Capture roundup
Ch 11b: Sysinternals Suite

Old Unsorted Links

List of Forensics Tools
HELIX is not used by police (2008)
Helix, EnCase, and FTK briefly discussed and compared
Guide to Computer Forensics and Investigations (1435498836) - Textbook Website
Know the Rules for Tech-Based Evidence
Erase Your Copy Machine's Hard Drive
PhotoRec - Recovers lost photos from camera's storage devices
Jeffrey's EXIF reader--finds metadata from images
New forensic technique for audio tape can detect tampering
How Linux works--excellent explanation
DiskDigger - Free Windows file recovery utility
CyberSecurity Institute - Computer Forensic Certification
Securely wipe your data with a hidden Windows 7 tool: CIPHER
Splunk -- recommended free log file consolidator
CyberSecurity Institute: The "Tools Proven in Court" Question
HxD - Freeware Hex Editor and Disk Editor | mh-nexus
Eraser--this can also be used to create a Boot and Nuke floppy
Edmonds Community College Digital Forensics And Information Security Programs
Free Computer Forensics Training - Computer Forensics Fundamentals
Luhn algorithm - Credit Card Validation
PayneGroup--MetaData Assistant--not free
Pinpoint Labs - Computer Forensics Software and Services--Free Metadata Investigator
WiebeTech Micro Storage Solutions - USB WriteBlocker--Forensic in-line USB WriteBlocker for $200
Voom Technologies, Inc.| Hardware disk duplicator
UltraBlock USB Write Blocker - $300
Digital Detective - Net analysis--Free 30-day trial version
MANDIANT Web Historian--Free tool, less powerful than Mandiant
CacheBack® - Internet Cache and History Analysis - Rebuild web pages in seconds!--recommended tool for child porn cases ($350)
Free Forensic Tools
How to use Cipher.exe to overwrite deleted data in Windows Server 2003
Erasing sensitive information from smartphones
DFI News -- Interesting News Portal
Autoruns and Dead Computer Forensics
Expert Witness: Effective Courtroom Testimony
Proj 2a: Master boot record - Wikipedia
An Introduction to Android Forensics | DFI News
RAM Slack Explained: a problem prior to Win 95 Version B
Hard Drive Password Password Removal Tool: Shinobi - Ji2
iPhone keyboard buffer retains months of typing
Decrypting Intellforms Data with FTK
A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony As An Expert Technical Witness -- Recommended book
Digital Corpora--Sample Forensic Images
Volatility | Memory Forensics | Volatile Systems
PhotoRec - Data carving to find images
Live View--boot a forensic image as a virtual machine
Sources of Forensic Data Images
Free Tools | HBGary -- Fastdump: forensic memory dump tool
Recurity Labs CIR Online--Free Cisco Core Dump Analysis for forensics
Computer Forensics - Unusual devices
Computer Forensics - Flash drives and acquisition
A Forensic Analysis Of The Windows Registry
Forensically interesting spots in the Windows 7, Vista and XP file system and registry (and anti-forensics)
Registry Key to check Windows Version
Registry: What are Control Sets? What is CurrentControlSet?
Registry: How to Determine the Current Control Set
Registry: Last user logged on key shown here for Win XP and Vista
Acquiring an Image with FTK Imager
Computer Forensics Experts--the value of certification
Free Tools | HBGary--FGET looks interesting--forensic image over the network
Digital Forensics 01--a course from another college, apparently based on the same textbook
Using VMWare for Forensic Analysis
iPhones can store a treasure trove of incriminating evidence
ProDiscover Basic Freeware Download
[SOLVED] How can I list my available hard drives? - Ubuntu Forums
How to steal stored Firefox passwords with memory forensics
BackTrack 4 Forensics Mode--better than Helix!
Virtual Disk Driver (VDK) amd64/em64t build
Virtual Disk Driver (VDK) for 32-bit systems
Instructions for VDK--mounting virtual disks write-blocked in Windows
Forensic Incident Response: Unsung tools - Raptor Forensics
How To--Digital Forensics Copying A VMware VMDK
New Version of FTK Imager
Free computer forensic tools
National Software Reference Library--hashes of known files
CAINE 2.0 -- NewLight -- another Ubuntu-based Forensics Live CD

New Unsorted Links

Free data recovery software, works on PCs and Macs (ty John)-- TestDisk - CGSecurity
Toggle Word Wrap :: Add-ons for Firefox--recommended to improve SleuthKit and Autopsy (ty Abraham)
Digital Forensics How-To: Memory Analysis with Mandiant Memoryze
2010-11-08: Joe Klein IPv6 Evil and Good
Ch 12a: Email forgery detected by ESMTP number--see page 4 (Munshani v. Signal Lake Venture Fund)
Ch 12b: What Email Headers Can Tell You About the Origin of Spam
Ch 12c: Ikitek - Home of Yahoo Message Archive Decoder
Ch 12d: How to use the Inbox Repair Tools to recover e-mail messages in Outlook
Ch 12e: Advanced Outlook Repair - Best Outlook recovery tool
Ch 13a: Police say IPhones can store a treasure trove of incriminating evidence
Ch 13b: IPhone Can Take Screenshots of Anything You Do
Ch 13c: iPhone Banking App Automatically Deposits Checks Via Photos
Ch 13d: iPhone Spy USB Stick Slurps Up Deleted Data from Any iPhone
Ch 12f: Splunk | Log Management
Ch 12g: Download Free Mobile Phone Forensics Software, Mobile Phone Forensics Software 2.0.1.5 Download
Ch 13h: Reveal iPhone Secrets with Ubuntu 10.04
Forensic Control - Free Computer Forensic Software
2010-11-21: iPhone Forensics white paper
Ch 15a: What does "more prejudicial than probative" mean?
2010-11-22: Information About Your Deposition | Law Offices of Gourwitz and Barr, PLLC
Ch 15c: Discovery (law) - Wikipedia
Volatility: Advanced Memory Forensics Tutorials
Expert Draft Reports Now Generally Excluded Under Rule 26
2010-12-10: WikiLeaks: DDoS attacks reflect
2011-01-04: iPhone Forensics - iXAM - Advanced iPhone Forensic Imaging Software
Detecting CMOS Clock Changes : Forensic 4cast
Certified Computer Examiner -- recommended for forensics work

Memory Forensics: How to Capture Memory for Analysis

PALADIN Forensic CD--Recommended as better than Raptor

2011-11-18: PC-3000 Flash Data Recovery Tool
Professional Data Recovery Tool for USB device not recognized -Flash Doctor -- not simple or easy

Memory Forensics: How to Pull Passwords from a Memory Dump

Memory Forensics: Pull Process and Network Connections from a Memory Dump

Detecting_Data_Theft_Using_Stochastic_Forensics --Excellent work

Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices Electronic Frontier Foundation

The Urban Legend of Multipass Hard Disk Overwrite

Download Ez7z for Mac - Easy-to-use p7zip archiver. MacUpdate.com

Let's decrypt a Master Boot Record

Elcomsoft iOS Forensic Toolkit Update: Acquisition of iPhone 4S and iPad 2 Devices

Forensics Boot - BackTrack Linux
Last Updated: 12-19-10 6 am