IST-454 – Computer and Cyber Forensics

 

Resources

 

These Web-based resources are provided as value-added for IST-454.  The resources have been compiled by Dr. Gerry Santoro, often with the aid of IST-454 students.  The resources are optional. Resources marked with red asterisks *** may be used for your essay assignment.

 

An excellent source of information is the SANS Information Security Reading Room.  Some of the papers are listed in the topics below.

 

Penn State Resources

 

·        Penn State Center for Cyber-Security, Information Privacy and Trust - http://cybersecurity.ist.psu.edu/index.php

·        Penn State Cyber-Security Lab - http://s2.ist.psu.edu/ 

 

 

US Government Resources

 

NOTE: Some of these, such as NIST documents, may be listed below in topical areas.

 

·        NSA Information Assurance advice and resources - http://www.nsa.gov/ia/mitigation_guidance/index.shtml

·        US Computer Emergency Readiness Team -- http://www.us-cert.gov/

·        Complete list of NIST Information Security Publications -- http://csrc.nist.gov/publications/PubsTC.html

·        NICCS – National Initiative for Cybersecurity Careers and Studies - http://niccs.us-cert.gov/

 

Hacking Educational Resources

 

Security professionals must understand how systems are attacked and compromised in order to effectively protect those systems.  Following is a list of Web sites that provide learning resources for ethical hacking.

 

·        Hack This Site - https://www.hackthissite.org/

·        Hack This! - https://www.hackthis.co.uk/

·        Hack in the Box - http://www.hitb.org/

·        Hack a Day - http://hackaday.com/

·        Evil Zone - https://evilzone.org/

 

 

Blogs and Newsletters

 

·       Bruce Schneier Crypt-O-Gram -- http://www.schneier.com/crypto-gram.html

·       Secure State Blog -- http://blog.securestate.com/

·       Krebs on Security -- http://krebsonsecurity.com/

Misc Software

·        USB Safeguard – software to encrypt a USB flash (pen) drive (proprietary)

·        Ophcrack – open source password cracking software

·        AccessData Forensics Toolkit 5 – proprietary, multi-function forensics toolkit

·        NirSoft – collection of proprietary and free system tools

·        SpyHunter – program for detection of steganographic content

·        Hiderman – program for creating steganographic content

·        WinHex – proprietary Hex editor with many features

·        Autopsy – open-source graphical interface to SleuthKit forensics toolkit

·        Puppy Linux – free, small version of Linux

 

Topic 1 - Computer Forensics and Investigation Processes

 

 

·        *** Carrie Morgan Whitcomb, “An Historical Perspective of Digital Evidence: A Forensic Scientist’s View,” International Journal of Digital Evidence, Vol. 1, No. 1, 2002.

·        *** Gary Palmer, “A Road Map for Digital Forensic Research,” Report of the First Digital Forensic Research Workshop (DFRWS), November 6, 2001.

·        Adventures in Computer Forensics  (SANS InfoSec Reading Room)

·        Fourth Amendment to the United States Constitution:

http://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution

·        Disaster Recovery:

http://en.wikipedia.org/wiki/Disaster_recovery

·        Macintosh SE:

http://en.wikipedia.org/wiki/Macintosh_SE

·        General Affidavits:

www.ilrg.com/forms/affidavt.html

Topic 2 – Understanding Computing Investigations

 

 

·        *** Brian Carrier and Eugene H. Spafford, “Getting Physical with the Digital Investigation Process,” International Journal of Digital Evidence, Vol. 2, No. 2, 2003.

·        *** Hamour and Al qarout, “A Ten Step Process for Forensic Readiness,” NYIT.

·        Corporate Incident Handling Guidelines (SANS InfoSec Reading Room)

·        Creating and Maintaining Policies for Working with Law Enforcement  (SANS InfoSec Reading Room)

  • How to Keep a Digital Chain of Custody:

www.csoonline.com/read/120105/ht_custody.html

·        What is attorney client privilege?:

http://co.essortment.com/attorneyclient_ritc.htm

Topic 3 - Building a Forensics Lab

 

 

·        *** U.S. Department of Justice, “Electronic Crime Scene Investigation: A Guide for First Responders,” Office of Justice Programs, U.S. Department of Justice, National Institute of Justice, July 2001. http://www.ojp.usdoj.gov/nij

·        *** SANS Institute, “Building a Low-Cost Forensics Workstation”

·        Developing a Computer Forensics Team  (SANS InfoSec Reading Room)

·        Implementing a Computer Incident Response Team in a Smaller, Limited Resource Organizational Setting  (SANS InfoSec Reading Room)

·        Creating and Managing an Incident Response Team for a Large Company  (SANS InfoSec Reading Room)

·        Video: PALADIN – IT Forensic Mobile Lab on Wheels (YOUTUBE)

 

Topic 4 - Data Acquisition

 

 

·        *** NIST CFTT, “Testing Disk Imaging Tools,” International Journal of Digital Evidence, Vol. 1, Issue 4, Winter 2003

·        Pros and Cons of using Linux and Windows Live CDs in Incident Handling and Forensics  (SANS InfoSec Reading Room)

·        Open Source Digital Forensics Tools – The Legal Argument  by Brian Carrier

·        Video – Live Remote Device Acquisition with AccessData FTK 3

·        *** Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?  by Graeme R. Bell and Richard Boddington

 

 

Topic 5 - Processing Crime and Incident Scenes

 

 

·        *** U.S. Department of Justice, “Forensic Examination of Digital Evidence: A Guide for Law Enforcement,” Office of Justice Programs, U.S. Department of Justice, National Institute of Justice. Special Report NCJ 199408, April 2004. http://www.ojp.usdoj.gov/nij

·        Crypto attack puts digital sig hash on collision course – article from The Register

 

Topic 6 - Working with Windows and DOS Systems

 

 

·        *** H. Carvey, “The Dark Side of NTFS (Microsoft’s Scarlet Letter),” NTFS Alternate Data Streams, September 2003. http://patriot.net/~carvdawg/docs/dark_side.html

·        Winquisitor: Windows Information Gathering Tool (SANS Reading Room)

·        What you Don’t See on your Hard Drive (SANS InfoSec Reading Room)

·        Windows Responders Guide  (SANS InfoSec Reading Room)

·        Introduction to the Registry – from Annoyances.com

·        PC Guide – NTFS Directories and Files

·        PC Guide – Master File Table

·        MFT Wiki

·        Search Windows Server - MFT

·        Windows Server Troubleshooting – MFT Metadata

·        How to break into a Windows PC (and prevent it from happening to you) – from LifeHacker

 

 

Topic 7 - Current Computer Forensics Tools

 

 

·        *** NHTCU, “Good Practice Guide for Computer Based Electronic Evidence,” Association of Chief Police Officers

·        *** Computer Forensic Timeline Analysis with Tapestry, by Derek Edwards (SANS InfoSec Reading Room)

·        Bless Hex Editor – home page and documentation - http://home.gna.org/bless/docs.html

·        Open Source Digital Forensics - http://www2.opensourceforensics.org/tools/application

·        Santoku Mobile Forensics - https://santoku-linux.com/

·        Digital Forensics Framework - http://www.digital-forensic.org/

·        Open Source Android forensics toolkit - http://sourceforge.net/projects/osaftoolkit/

·        Digital Forensics Association Open Source Tools - http://www.digitalforensicsassociation.org/opensource-tools/

·        Practical Computer Forensics using Open Source Tools (Slides) - http://www.digitalforensics.ch/nikkel08.pdf

·        Revealertoolkit - http://code.google.com/p/revealertoolkit/

·        Deft Linux - http://www.deftlinux.net/

·        AccessData Mobile Phone Examiner Plus Users Guide –

http://ad-pdf.s3.amazonaws.com/MPE_UG.pdf

·        AFLogical - Open Source Edition pulls MMS, SMS, Contacts, and Call Logs from Android devices -  https://viaforensics.com/resources/tools/android-forensics-tool/

·        iPhone Analyzer - Explore the internal file structure of your iPhone (or of a seized phone, in the case of forensic teams) using either the iPhone's own backup files or (for jailbroken iPhones) SSH. Viewing of plist, SQLite, and hex is supported. iOS 5 is now supported.

 

 

Topic 8 – Macintosh and Linux Boot Processes and File Systems

 

Macintosh:

Videos:

Some resources:

Linux:

Topic 9 -- Computer Forensics Analysis

·        Top 10 Password Crackers  from Security Tools 

·        John the Ripper password cracker -- versions for Unix, Linux, Mac, Windows, DOS and others

·        Video tutorial on Rainbow Tables (4:46) from Live Security

·        Rainbow tables and RainbowCrack Tutorial from Ethical Hacker Network.

 

 

Topic 9a – Malware Forensics

 

 

·        Assembly Programming: A Beginner's Guide - http://securityxploded.com/assembly-programming-beginners-guide.php

·        Lena's Reversing for Newbies - https://tuts4you.com/download.php?list.17

Topic 10 -- Recovering Graphics Files

 

  • Vector graphics:

http://en.wikipedia.org/wiki/Vector_graphics

  • Computer Graphics Metafile:

http://en.wikipedia.org/wiki/Computer_Graphics_Metafile

  • Exchangeable image file format:

http://en.wikipedia.org/wiki/Exif

www.securityfocus.com/infocus/1684

Topic 10a – Steganography

 

·        *** “Hide and Seek: An Introduction to Steganography.” Niels Provos and Peter Honeyman – Univ of Michigan, IEEE Security and Privacy, 2003

·        *** Gary C. Kessler, “An Overview of Steganography for the Computer Forensics Examiner,” Forensic Science Communications, July 2004

·       *** Niels Provos and Peter Honeyman, “Detecting Steganographic Content on the Internet,” CITI Technical Report 01-11, 2001

·       R. Chandramouli, “A Mathematical Approach to Steganalysis”

  • Hydan - program to hide data in i386 executables.
  • Spam Mimic
  • Example of image down-grading problem - the problem is that there might be top-secret info in the image whose security is to be downgraded.
  • Excellent article on steganography.
  • S-Tools hides files in BMP, GIF and WAV files
  • Page containing links to many steganography tools !!!!!
  • Web site of Professor Jessica Fridrich – whose research concerns steganography, steganalysis and forensic analysis of digital images
  • Stegdetect – automated tool for detecting steganographic content in images
  • OpenStego – open source, free steganography software
  • SilentEye - cross-platform application designed for easy use of steganography, in this case hiding messages in pictures or sounds. It provides a clean interface and easy integration of new steganography algorithms and cryptography processes through a plug-in system. SilentEye is free to use (under GNU GPL v3).

Video:

Topic 11 - Network Forensics, Virtual Machines, Live Acquisitions and the Cloud

 

 

·        Article on Microsoft  anti-malware for Azure virtual machines.

·        *** Article by Brett Shavers on the use of Virtual Machines in forensic analysis

·        *** Article - Computer Forensic Analysis in a Virtual Environment

·        Article - Virtual Machine Files Essential to Forensic Investigations

·        Article -  Virtual Forensics by Christiaan Beek

·        *** Paper by Prof. John Bagby on Social Network Forensics

·        *** Following Incidents into the Cloud (SANS InfoSec Reading Room)

·        Deterring Cyber Attacks -- This paper provides a Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis to help you evaluate three alternatives and recommend the best one to upper management.  (SANS InfoSec Reading Room)

·        Microsoft Sysinternals – set of utilities for analysis on Microsoft systems and networks

 

·        The Honeynet Project

·        Honeynet Project Video

·        Manuka Project

 

·        Domain Tools – web site for various DNS tools

·        Free DNS tools - starting point for simple network forensics.

·        List of network forensics tools

·        wildpackets -- example of commercial product supporting network forensics

·        Snort -- a lightweight Intrusion Detection System.

·        Wireshark – packet sniffer tool

·        NetStumbler -- wireless packet sniffer for war driving.

·        nmap (network mapper) --  free network scanner - detects nodes on a network.

·        Top 100 Network Security Tools

 

·        Hide My Ass – personal VPN software

 

 

Topic 12 – Electronic Mail Investigations

 

·        Some senders use open mail relays -- mail servers configured in a way that allows third parties to send mail through them.

·        Several states have laws against e-mail spoofing. You can file a spoofing complaint with the FTC -- note that they enter this into a database, they do not resolve specific complaints.

·        More info at: E-mail spoofing

Topic 12a – Malicious Software (Malware)

 

·        *** Stuart Staniford, Vern Paxson, and Nicholas Weaver, “How to Own the Internet in Your Spare Time”

Topic 13 - Cell Phone and Mobile Device Forensics

 

Articles:

 

·        *** Wayne Jansen and Rick Ayers, “Guidelines on PDA Forensics,” National Institute of Standards and Technology, Special Publication 800-72.

·        *** Rick Ayers and Wayne Jansen, “PDA Forensic Tools: An Overview and Analysis,” NISTIR 7100, 2004.

·        *** Wayne Jansen and Rick Ayers, “Guidelines on Cell Phone Forensics,” NIST Special Publication 800-10, 2006

·        *** Christopher V. Marsico and Marcus K. Rogers, “iPod Forensics,” CERIAS Tech Report 2005-13, Purdue University, 2005.

·       ViaForensics - iPhone Forensics - Independent Research and Reviews of iPhone Forensic Tools

·       Infosec Island – Seven Problems with Cell Phone Forensics

 

Vendors:

  • Smart Phone Forensics provides training and investigative support for forensics of cell phones, smart phones and PDAs.
  • DiskLabs mobile forensics services

Links and tools:

Videos:

 

·        Android Forensics Part 1

·        Android Forensics Part 2

·        Android Forensics Part 3

 

 

Topic 14 – Report Writing

 

·        Documentation is to Incident Response as an Air Tank is to Scuba Diving  (SANS InfoSec Reading Room)

 

 

Topic 15 – Expert Testimony

 

·        *** Daniel J. Ryan and Gal Shpantzer, “Legal Aspects of Digital Forensics

  • Direct examination:

http://en.wikipedia.org/wiki/Direct_examination

  • Cross-examination:

http://en.wikipedia.org/wiki/Cross_examine

  • Deposition:

http://en.wikipedia.org/wiki/Deposition_(law)

Topic 16 - Ethics

 

 

  • Creating a Code of Ethics for Your Organization:

www.ethicsweb.ca/codes/

  • Institute of Computer Forensics Professionals:

http://forensic-institute.org/index.html

  • HTCIA code of ethics:

www.htcia.org/bylaws.shtml

 

 

Reference Books

 

·        Volonino, L., Anzaldua, R., and Godwin, J., Computer Forensics: Principles and Practices, Pearson / Prentice Hall, New Jersey, 2007. ISBN: 0-13-154727-5.

·        Warren G. Kruse II and Jay G. Heiser, Computer Forensics – Incident Response Essentials, Addison-Wesley.  ISBN: 0-201-707199

·        Kevin Mandia and Chris Prosise, Incident Response: Investigating Computer Crime. Osborne/McGraw-Hill, 2001. ISBN: 0-07-213182-9.

·        Eoghan Casey, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Academic Press, 2000. ISBN: 0-12-162885-X

·        Mike Schiffman, Hacker's Challenge: Test Your Incident Response Skills Using 20 Scenarios. Osborne/McGraw-Hill, 2001. ISBN: 0-07-219384-0

·        The Honeynet Project, Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community. Addison-Wesley, 2002. ISBN: 0-201-74613-1