An Overview of Disk
Imaging Tool in Computer Forensics
The objective of this paper is to educate users on
disk imaging tools: the issues that arise in using
disk imaging, recommended solutions to those
issues, and examples of disk imaging tools.
Ultimately the goal is to guide users in choosing
the right disk imaging tool for computer forensics.
Source: SANS.org (Sept 24, 2001)
Analyze This!
Network forensics
analysis tools (NFATs) reveal insecurities, turn
sysadmins into systems detectives.
Source:
InfoSecurityMag (Feb 2002)
Adventures in Computer Forensics
An insightful look at
the life of a forensic analyst. Source:
SANS.org
(Sept 24, 2001)
Collecting Electronic
Evidence After a System Compromise
Evidence is difficult to collect at the best of
times, but when that evidence is electronic an
investigator faces some extra complexities.
Electronic evidence has none of the permanence
that conventional evidence has, and is even more
difficult to form into a coherent argument. The
purpose of this paper is to point out these
difficulties and what must be done to overcome
them. Not everything is covered here; it should
be used as a guide only, and you should seek
further information for your specific
circumstances. Source:
SANS.org (April 20, 2001)
Computer Evidence Processing Steps
An overview of the basic steps involved in
conducting an investigative analysis of a
compromised computer. Source:
http://www.forensics-intl.com
Forensics on the
Windows Platform, Part 1
This article, the first in a two-part series about
forensics on the Windows platform, will examine
the preparatory steps that can be taken by both
investigators and system administrators alike.
While this series is concerned with
Windows-specific investigations, this article will
examine some basic, non-technical concepts that
are applicable to all forensic investigations.
Source: SecurityFocus.com (Feb 2003)
Forensics on the
Windows Platform, Part Two
This is the second of a two-part series of
articles discussing the use of computer forensics
in the examination of Windows-based computers. In
Part One we discussed the wider legal issues
raised by computer forensics and the benefits of
pre-investigation preparation. In this article we
will concentrate on the areas of a Windows file
system that are likely to be of most interest to
forensic investigators and the software tools that
can be used to carry out an investigation.
Source:
SecurityFocus.com (Feb 2003)
Learning by Doing
Do-it-yourselfer experiences the do's and don'ts
of building a forensics workstation. Source:
InfoSecurityMag (April 2002)
Legal Aspects of
Collecting and Preserving Computer Forensic
Evidence
Some of the most common reasons for improper
evidence collection are poorly written policies,
lack of an established incident response plan,
lack of incident response training, and a broken
chain of custody. For the purposes of this paper,
the reader should assume that policies have been
clearly defined and have been reviewed by legal
counsel, an incident response plan is in place,
and necessary personnel have been properly
trained. The remainder of this paper focuses on
the procedure a private organization should follow
in collecting computer forensic evidence in order
to maintain chain of custody. Source:
SANS.org (April 20, 2001)
Know Your Enemy: A
Forensic Analysis
This paper is a continuation of the
Know Your Enemy series. The first three papers
covered the tools and tactics of the black-hat
community. This paper, the fourth of the series,
studies step by step a successful attack of a
system. However, instead of focusing on the tools
and tactics used, we will focus on how we learned
what happened and pieced the information together.
The purpose is to give you the forensic skills
necessary to analyze and learn on your own the
threats your organization faces. Source:
SecurityFocus.com (May 2000)
Maintaining the
Forensic Viability of Logfiles
Collecting and retaining network and system
logfiles has many advantages. There are several
good sources of information related to what
information should be logged, how best to log it,
and in what ways this information can be used.
However, the requirements for the use of logfile
data for technical purposes such as intrusion
detection are quite different from, and not always
complementary to, the requirements for the use of
such data in a legal setting.
Source:
SANS.org (May 29, 2001)
Nailing the Intruder
This
paper is an attempt to link the various aspects of
evidence relating to computer crime, the sources
of such evidence, and some tips on how to identify
compromised systems and cull evidence from
them. Source:
SANS.org (July 24, 2001)
Reporting Unauthorized
Intrusions: A "How To" Guide
The scope of this document is limited to the
actions that should be taken after an illegal
infiltration into a private or corporate network.
It is assumed that the reader already has a good
working knowledge of technology security. Source:
SANS.org (July 26, 2001)
Searching and Seizing Computers and Obtaining
Electronic Evidence in Criminal Investigations
This publication provides a comprehensive guide to
the legal issues that arise when federal law
enforcement agents search and seize computers and
obtain electronic evidence in criminal
investigations. The topics covered include the
application of the Fourth Amendment to computers
and the Internet, the Electronic Communications
Privacy Act, workplace privacy, the law of
electronic surveillance, and evidentiary issues.
This updated version includes discussion of
significant changes to relevant Federal law
arising from the USA PATRIOT Act of 2001. Source:
Department of Justice, Computer Crime and
Intellectual Property Section (CCIPS) (July
2001)
Windows Forensics:
A Case Study, Part 1
This article is the first in a two-part series
that will offer a case study of forensics in a
Windows environment. This installment will offer a
brief overview of the detection and analysis of an
attack incident. The second installment will
continue to look at network traffic analysis
techniques and will resolve a hypothetical attack
scenario. Source: SecurityFocus.com (March
2003)
Windows Forensics - A
Case Study: Part Two
This article is the second in a two-part series
that will offer a case study of forensics in a
Windows environment. In
Part One, we discussed host-based forensics
techniques that first responders can use to detect
attacks in relatively unprotected environments,
and how to begin collecting information to
determine the appropriate response. Part One dealt
with understanding what an attacker was doing on
an individual host. This article deals with
determining the scope of the compromise, and
understanding what the attacker is trying to
accomplish at the network level. Along the way,
we'll be discussing some tools and techniques that
are useful in this type of detective work.
Source:
SecurityFocus.com (March 2003)