The Windows 2000\XP\.NET Resource Index
Last Updated December 16, 2003

Computer Forensics

Collecting evidence properly is critical if you hope to have any chance of identifying the intruders and prosecuting them in a court of law. The laws that govern evidence collection vary from State to State, so be sure to check with your legal department before seizing computers.
Where to Start...
Computer Forensics
Computer forensics is becoming a hot topic in the world of information security. Having an incident response plan and protecting the evidence on a computer are crucial. Awareness of security, privacy and investigative issues is on the rise, but so are the computer crime acts. New technologies such as wireless communication will continue to develop, which will pose new threats to the security industry - including computer forensics and incident response teams. Source (May 4, 2001)

Computer Forensics - An Overview
The purpose of this paper is to generate an interest in and awareness of computer forensics by providing some basic information. It defines computer forensics and briefly discusses computer forensics history and computer related crime. Then it continues with preparing the organization for incident handling, employing computer forensics, computer forensics training, and computer forensics software. Source (Feb 20, 2002)

Computer Forensics - We've Had an Incident, Who Do We Get to Investigate?
Computer forensics is used to conduct investigations into computer related incidents, whether the incident is an external intrusion into your system, internal fraud, or staff breaching your security policy. The computer forensic method to be used is determined by the company's management. In deciding which method to use, whether it is in-house, law enforcement or private sector computer forensic specialists, management needs to understand what computer forensics is, the rules of computer forensics, and the implications of mishandling evidence. Source (March 6, 2002)

Computer Forensic Legal Standards and Equipment
This paper addresses an issue of increasing importance to companies in this modern era. Computer Incident Response Teams (CIRTs), network security, and intellectual property (IP) security are growing in importance and are becoming many companies' top priority in this age of increased security conscious commerce. The topic of this document focuses on the CIRT aspect of security conscious commerce, but in a less familiar role: the function of investigations and more specifically, the role of computer forensics as part of a company's arsenal in the war on network/resource abuse and intellectual property theft. Source (Dec 6, 2001)

Computer Forensics: Introduction to Incident Response and Investigation of Windows NT/2000
The purpose of this paper is to be an introduction to computer forensics with a specific focus on strategies for dealing with compromised Windows NT/2000. It describes methods of investigating Windows hosts and conducting an analysis in order to promote growth and learning as opposed to a "how-to" guide to gather legal evidence in view of criminal prosecution. Source (Dec 4, 2001)

Computer Incident Response and Computer Forensics Overview
This paper focuses on incident response and computer forensics on personal or desktop computers. The incident response and forensic procedures and techniques for servers may require additional knowledge and tools. Source (March 6, 2001)

An Overview of Disk Imaging Tools in Computer Forensics
The objective of this paper is to educate users on disk imaging tools: issues that arise in using disk imaging, recommended solutions to these issues, and examples of disk imaging tools. Eventually the goal is to guide users to choose the right disk imaging tool in computer forensics. Source (Sept 24, 2001)

Analyze This!
Network forensics analysis tools (NFATs) reveal insecurities, turn sysadmins into systems detectives.
Source: InfoSecurityMag (Feb 2002)

Adventures in Computer Forensics
An insightful look at the life of a forensic analyst. Source: (Sept 24, 2001)

Collecting Electronic Evidence After a System Compromise
Evidence is difficult to collect at the best of times, but when that evidence is electronic an investigator faces some extra complexities. Electronic evidence has none of the permanence that conventional evidence has, and is even more difficult to form into a coherent argument. The purpose of this paper is to point out these difficulties and what must be done to overcome them. Not everything is covered here; it should be used as a guide only, and you should seek further information for your specific circumstances. Source: (April 20, 2001)

Computer Evidence Processing Steps
An overview of the basic steps involved in conducting an investigative analysis of a compromised computer. Source:

Forensics on the Windows Platform, Part 1
This article, the first in a two-part series about forensics on the Windows platform, will examine the preparatory steps that can be taken by both investigators and system administrators alike. While this series is concerned with Windows-specific investigations, this article will examine some basic, non-technical concepts that are applicable to all forensic investigations. Source: (Feb 2003)

Forensics on the Windows Platform, Part Two
This is the second of a two-part series of articles discussing the use of computer forensics in the examination of Windows-based computers. In Part One we discussed the wider legal issues raised by computer forensics and the benefits of pre-investigation preparation. In this article we will concentrate on the areas of a Windows file system that are likely to be of most interest to forensic investigators and the software tools that can be used to carry out an investigation. Source: (Feb 2003)

Learning by Doing
Do-it-yourselfer experiences the do's and don'ts of building a forensics workstation. Source: InfoSecurityMag (April 2002)

Legal Aspects of Collecting and Preserving Computer Forensic Evidence
Some of the most common reasons for improper evidence collection are poorly written policies, lack of an established incident response plan, lack of incident response training, and a broken chain of custody. For the purposes of this paper, the reader should assume that policies have been clearly defined and have been reviewed by legal counsel, an incident response plan is in place, and necessary personnel have been properly trained. The remainder of this paper focuses on the procedure a private organization should follow in collecting computer forensic evidence in order to maintain chain of custody. Source: (April 20, 2001)

Know Your Enemy: A Forensic Analysis
This paper is a continuation of the Know Your Enemy series. The first three papers covered the tools and tactics of the black-hat community. This paper, the fourth of the series, studies step by step a successful attack of a system. However, instead of focusing on the tools and tactics used, we will focus on how we learned what happened and pieced the information together. The purpose is to give you the forensic skills necessary to analyze and learn on your own the threats your organization faces. Source: (May 2000)

Maintaining the Forensic Viability of Logfiles
Collecting and retaining network and system logfiles has many advantages. There are several good sources of information related to what information should be logged, how best to log it, and in what ways this information can be used. However, the requirements for the use of logfile data for technical purposes such as intrusion detection are quite different from, and not always complementary to, the requirements for the use of such data in a legal setting. Source: (May 29, 2001)

Nailing the Intruder
This paper is an attempt to link the various aspects of evidence relating to computer crime, the sources of such evidence and some tips on how to identify systems compromised and cull out evidence from the same. Source: (July 24, 2001)

Reporting Unauthorized Intrusions: A "How To" Guide
The scope of this document is limited to the actions that should be taken after an illegal infiltration into a private or corporate network. It is assumed that the reader already has a good working knowledge of technology security. Source: (July 26, 2001)

Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
This publication provides a comprehensive guide to the legal issues that arise when federal law enforcement agents search and seize computers and obtain electronic evidence in criminal investigations. The topics covered include the application of the Fourth Amendment to computers and the Internet, the Electronic Communications Privacy Act, workplace privacy, the law of electronic surveillance, and evidentiary issues. This updated version includes discussion of significant changes to relevant Federal law arising from the USA PATRIOT Act of 2001. Source: Department of Justice, Computer Crime and Intellectual Property Section (CCIPS) (July 2001)

Windows Forensics: A Case Study, Part 1
This article is the first in a two-part series that will offer a case study of forensics in a Windows environment. This installment will offer a brief overview of the detection and analysis of an attack incident. The second installment will continue to look at network traffic analysis techniques and will resolve a hypothetical attack scenario. Source: (March 2003)

Windows Forensics - A Case Study: Part Two
This article is the second in a two-part series that will offer a case study of forensics in a Windows environment. In Part One, we discussed host-based forensics techniques that first responders can use to detect attacks in relatively unprotected environments, and how to begin collecting information to determine the appropriate response. Part One dealt with understanding what an attacker was doing on an individual host. This article deals with determining the scope of the compromise, and understanding what the attacker is trying to accomplish at the network level. Along the way, we'll be discussing some tools and techniques that are useful in this type of detective work. Source: (March 2003)

International Association of Computer Investigative Specialists
IACIS is an international volunteer non-profit corporation composed of law enforcement professionals dedicated to education in the field of forensic computer science. IACIS members represent Federal, State, Local and International Law Enforcement professionals. Regular IACIS members have been trained in the forensic science of seizing and processing computer systems.

The National Cybercrime Training Partnership
The National Cybercrime Training Partnership (NCTP) leads the training community in developing a new paradigm for training law enforcement in electronic and high-technology crime.


Entire contents © 1999-2003 and TechTarget. All rights reserved.