Computer Forensics Glossary
 December 15th, 2008 by ahoog
The National Software Reference Library (NSRL) is a collection of traceable software which is then processed and provided to the public (primarily law enforcement and forensic analysts) for use in investigations. Each file’s identifying information is stored in a database and the following is computed and shared in a Reference Data Set (RDS) [...]
 December 12th, 2008 by ahoog
Hashkeeper is a database of known good and known bad files which can significantly reduce the number of files an analyst needs to investigate. It was started by the National Drug Intelligence Center in 1998 and is still maintained there. However, the primary audience is law enforcement, and anyone else must file a Freedom [...]
 December 12th, 2008 by ahoog
Sysinternals is a suite of utilities to help you manage, troubleshoot and diagnose Windows systems and applications. Windows and DOS lacked many of the management utilities that other operating systems, particularly Unix, had. The Sysinternals team began to develop these tools and in 1996 they were bought by Microsoft.
The utilities remain free [...]
 December 11th, 2008 by ahoog
Live View is an application that converts a disk image into a bootable VMware image. This allows an examiner to fully interact with a “computer” in the state it was left in at the time of acquisition, without modifying any evidence. This is a great way to prepare screen shots and information that [...]
 December 11th, 2008 by ahoog
The Volatility Framework is a collection of open source utilities which allow an examiner to extract information from Windows XP Service Pack 2 and Service Pack 3 memory (RAM) images. From their website:
The Volatility Framework currently provides the following extraction capabilities for memory samples:
Image date and time
Running processes
Open network [...]
 December 11th, 2008 by ahoog
Sorter is a program that takes an image file as input and categorizes each file (allocated and deleted), optionally saving them to your hard drive for examination. This is achieved by performing the following steps:
Runs the file command on all files, deleted and undeleted
Sorts based on file type
Looks for mismatched extensions [...]
 December 10th, 2008 by ahoog
Lazarus is “a program that attempts to resurrect deleted files or data from raw data – most often the unallocated portions of a Unix file system, but it can be used on any data, such as system memory, swap, etc.” [From lazarus.README].
Lazarus is extremely disk and CPU intensive. It takes a very [...]
 December 10th, 2008 by ahoog
Little-Endian describes the order in which a computer stores binary data. With Little-Endian, the least significant byte is stored first. For the hex (base 16) number 0xA0B0C0D0, Little-Endian would store the bytes as follows:
C0D0 A0B0
However, Big-Endian would store the most significant byte first, resulting in:
A0B0 C0D0
Relevance to computer forensics
[...]
 December 10th, 2008 by ahoog
Big-Endian describes the order in which a computer stores binary data. With Big-Endian, the most significant byte is stored first. For the hex (base 16) number 0xA0B0C0D0, Big-Endian would store the bytes as follows:
A0B0 C0D0
However, Little-Endian would store the least significant byte first, resulting in:
C0D0 A0B0
Relevance to computer forensics
[...]
 November 30th, 2008 by ahoog
Statement on Auditing Standards Number 70 (SAS 70) is an auditing standard for service organizations, often focusing on controls over IT and related processes. The standard was developed by the American Institute of Certified Public Accountants (AICPA), and its inclusion in the Sarbanes-Oxley Act has made the audit even more [...]