Oracle Forensics

Dissection of an Oracle Attack in the Absence of Auditing, by David Litchfield

Why Oracle Forensics?

  • Since the state of California passed the Database Security Breach Notification Act (SB 1386) in 2003 another 34 states have passed similar legislation with more set to follow.
  • In January 2007 TJX announced they had suffered a database security breach with 45.6 million credit card details stolen – the largest known breach so far.
  • In 2006 there were 335 publicized breaches in the U.S.; in 2005 there were 116 publicized breaches; between 1st January and March 31st of 2007, a 90 day period, there have been 85 breaches publicized.
  • There are 0 (zero) database-specific forensic analysis and incident response tools on the market – free or commercial.

Where is the evidence?

Evidence of a compromise can be found in many places – for example

  • TNS Log files
  • Trace files
  • Redo Logs
  • Datafiles
    • Metadata and statistics
  • Apache logs (Oracle Application Server)

This talk specifically covers the datafiles and redo logs. In the interests of time we’ll be cutting out several parts of the forensic process, which you wouldn’t do in a real scenario of course!

Search for evidence related to SELECTs

To start with we’ll look at an Oracle Data Block

For more detail see here

Posted in Databases, IT Forensics.

New Publications from NIJ

Test Results for Hardware Write Block Device: FastBloc FE (USB Interface)
June 2007
Posted June 29, 2007

This NIJ Special Report presents the results from testing the FastBloc FE (USB Interface) against Hardware Write Blocker (HWB) Assertions and Test Plan Version 1.0. It documents results against four top-level tool requirements identified by the specification and several test assertions related to those requirements, describes the testing environment, provides an interpretation of the test results, and includes test results summary log files for numerous test cases. The results provide the information necessary for developers to improve tools, users to make informed choices, and the legal community and others to understand the tools’ capabilities. (NCJ 218378)

Full Text pdf

Test Results for Hardware Write Block Device: FastBloc FE (FireWire Interface)
June 2007
Posted June 29, 2007

This NIJ Special Report presents the results from testing the FastBloc FE (FireWire Interface) against Hardware Write Blocker (HWB) Assertions and Test Plan Version 1.0. It documents results against four top-level tool requirements identified by the specification and several test assertions related to those requirements, describes the testing environment, provides an interpretation of the test results, and includes test results summary log files for numerous test cases. The results provide the information necessary for developers to improve tools, users to make informed choices, and the legal community and others to understand the tools’ capabilities. (NCJ 218379)

Full Text pdf

Test Results for Hardware Write Block Device: Tableau T5 Forensic IDE Bridge (USB Interface)
June 2007
Posted June 29, 2007

This NIJ Special Report presents the results from testing the Tableau T5 Forensic IDE Bridge (USB Interface) against Hardware Write Blocker (HWB) Assertions and Test Plan Version 1.0. It documents results against four top-level tool requirements identified by the specification and several test assertions related to those requirements, describes the testing environment, provides an interpretation of the test results, and includes test results summary log files for numerous test cases. The results provide the information necessary for developers to improve tools, users to make informed choices, and the legal community and others to understand the tools’ capabilities. (NCJ 218380)

Full Text pdf

Test Results for Hardware Write Block Device: Tableau T5 Forensic IDE Bridge (FireWire Interface)
June 2007
Posted June 29, 2007

This NIJ Special Report presents the results from testing the Tableau T5 Forensic IDE Bridge (FireWire Interface) against Hardware Write Blocker (HWB) Assertions and Test Plan Version 1.0. It documents results against four top-level tool requirements identified by the specification and several test assertions related to those requirements, describes the testing environment, provides an interpretation of the test results, and includes test results summary log files for numerous test cases. The results provide the information necessary for developers to improve tools, users to make informed choices, and the legal community and others to understand the tools’ capabilities. (NCJ 218381)

Full Text pdf

‘Standard Bullet’ Identifies Suspected Firearms
Posted June 19, 2007

Researchers at the National Institute of Standards and Technology (NIST) have developed a copper bullet that can help end crime sprees—without being fired once.

Crime laboratories can use NIST’s “Standard Bullet” to optimize the settings on the computerized optical imaging instruments they use to match markings on fired bullets from a suspected weapon.

The Standard Bullet helps crime labs verify that:

  • Bullet signature acquisitions and correlations are under control and traceable to the National Laboratory Center of the Bureau of Alcohol, Tobacco, Firearms and Explosives.
  • Profile measurements of bullets are traceable to the NIST virtual standard for bullet profile signatures.

Learn more in the article “NIST ‘Standard Bullet’ Fights Gang Violence” from ScienceDaily (January 22, 2007).

Purchase the Standard Bullet (SRM 2460) online or contact:

NIST, Measurement Services Division
Telephone (301) 975–2200
Fax (301) 948–3730
e-mail: srminfo@nist.gov

This project was funded through interagency agreement 2003–IJ–R–029 with the Office of Justice Programs’ National Institute of Justice.

NIJ Journal Issue No. 257
June 2007
Posted June 18, 2007

Why did participants in an intensive prisoner reentry program recidivate at a higher rate than inmates who received no programming at all? In the latest issue of the NIJ Journal, Dr. James Wilson explores possible explanations for the rather surprising results of an NIJ-funded evaluation of Project Greenlight. The Journal also looks at the national debate on hate crime laws and, in another article, investigates the role of law enforcement in preventing and responding to an act of “agroterrorism.”

Also in the Journal:

  • LAPD Chief Bratton offers a practitioner’s perspective on criminal justice research.
  • Does “real work” prison employment work?
  • The 40th anniversary of the Nation’s first “crime report.”
  • Profile of criminal justice guru Al Blumstein.
  • Unique issues faced by deaf victims of sexual assault.
  • Programs that help inmates get medical benefits.

Full Text

Posted in IT Forensics.

Forensic Examination of Digital Evidence: A Guide for Law Enforcement

This guide is intended for use by law enforcement officers and other members of the law
enforcement community who are responsible for the examination of digital evidence.
This guide is not all-inclusive. Rather, it deals with common situations encountered during
the examination of digital evidence. It is not a mandate for the law enforcement
community; it is a guide agencies can use to help them develop their own policies and
procedures.
Technology is advancing at such a rapid rate that the suggestions in this guide are best
examined in the context of current technology and practices. Each case is unique and the
judgment of the examiner should be given deference in the implementation of the procedures suggested in this guide. Circumstances of individual cases and Federal, State,
and local laws/rules may also require actions other than those described in this guide.
When dealing with digital evidence, the following general forensic and procedural principles
should be applied:

  • Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.
  • Persons conducting an examination of digital evidence should be trained for that purpose.
  • Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.

Through all of this, the examiner should be cognizant of the need to conduct an accurate
and impartial examination of the digital evidence.

How is digital evidence processed?

  1. Assessment. Computer forensic examiners should assess digital evidence thoroughly with respect to the scope of the case to determine the course of action to take.
  2. Acquisition. Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination. Examination is best conducted on a copy of the original evidence. The original evidence should be acquired in a manner that protects and preserves the integrity of the evidence.
  3. Examination. The purpose of the examination process is to extract and analyze digital evidence. Extraction refers to the recovery of data from its media. Analysis refers to the interpretation of the recovered data and putting it in a logical and useful format.
  4. Documenting and reporting. Actions and observations should be documented throughout the forensic processing of evidence. This will conclude with the preparation of a written report of the findings.
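
As an added illustration of the acquisition and documentation steps (this is example code written for this page, not part of the NIJ guide), the script below takes a working copy of an evidence file, hashes the original before and after the copy as well as the copy itself, refuses to proceed unless all three digests agree, marks the copy read-only and appends a record of what was done to a custody log. The evidence file is constructed inline; the choice of MD5 plus SHA-256, the JSON log format and the `acquire`/`demo` names are assumptions made for the example.

```python
"""Added example: acquire a verified working copy of evidence and log it.
Not code from the NIJ guide; file names and log format are assumptions."""
import hashlib
import json
import os
import shutil
import tempfile
import time

CHUNK = 1 << 20  # read 1 MiB at a time so large images need not fit in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file, read once in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, dest, log_path):
    """Copy source to dest, verify the copy, and append a custody record.

    Three digests must agree: the original before the copy, the copy, and
    the original again afterwards (proving the acquisition did not touch it).
    Returns the log record; raises if verification fails.
    """
    before = hash_file(source)
    shutil.copyfile(source, dest)
    os.chmod(dest, 0o444)  # examination happens on a read-only working copy
    after = hash_file(dest)
    source_again = hash_file(source)
    record = {
        "time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source": source,
        "dest": dest,
        "hashes": before,
        "verified": before == after == source_again,
    }
    with open(log_path, "a") as log:  # one JSON record per line
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise RuntimeError("acquisition did not verify: %r" % record)
    return record


def demo():
    """Run the acquisition on a constructed evidence file in a temp directory."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "evidence.bin")
    with open(source, "wb") as fh:  # constructed sample, not a real image
        fh.write(b"\x00" * 4096 + b"customer,card\n" + os.urandom(8192))
    return acquire(source,
                   os.path.join(work, "evidence_copy.bin"),
                   os.path.join(work, "custody.log"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same pattern applies to a block device imaged with dd: hash the device, hash the image, hash the device again, and keep the three digests with the record of who did it and when, because a copy whose digest cannot be tied back to the original is exactly what the guide's integrity principle says will not survive review.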

Here is the document (pdf)

Posted in IT Forensics.

Antiforensics

Once again, the bad guys are lining their arsenals with new tools to use against you. Computer forensics is an emerging field of study and anti-forensics is certainly developing right alongside. Some say anti-forensics is developing faster. Why? Because what was once only possible for the elite has now washed downstream in the form of automated tools. More or less, anyone can throw trashcans in the path of forensic investigators now that the tools are there to make it all possible.

One of the most well known exploit toolkits on the net is the Metasploit project. Some of the Metasploit anti-forensics tools you’ll find in use by cybercriminals are Slacker, Transmogrify and Timestomp.

Slacker is named after the slack space at the end of files. This tool takes data and breaks it up into thousands of pieces and spreads it across file slack space. To the unassuming forensic investigator, this will appear as nothing more than white noise rather than a database containing millions of credit card numbers.

Transmogrify is most notorious for being the first tool ever to defeat the file signature capabilities of EnCase. The tool allows you to mask and unmask files as any type.

Timestomp simply changes attributes relating to file date stamps, which can disrupt the forensic timeline the investigator is attempting to establish.
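
As an added example (written for this page; not code from the article, the Metasploit project or any of the tools named above), here are two checks an examiner can run against the techniques just described: a scan of each file's slack space for non-zero, high-entropy content of the kind Slacker plants, and a pass over MAC-time records that flags a modification time whose sub-second part is exactly zero or which precedes the creation time, the residue a timestamp-rewriting tool working at one-second granularity leaves behind. The raw image, its file table, the 512-byte cluster size, the entropy threshold and the MAC records are all constructed for the example; the rule that unused slack should be zero-filled is an assumption about the file system.

```python
"""Added example: detect slack-space hiding and timestamp tampering.
Image, file table, cluster size and MAC records are constructed here."""
import hashlib
import math
from collections import Counter

CLUSTER = 512  # assumed allocation unit of the constructed image


def entropy(data):
    """Shannon entropy in bits per byte; 0.0 for empty or constant data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def slack_regions(file_table):
    """Yield (name, offset, length) of the slack after each file's last cluster.

    file_table rows are (name, start_offset, logical_size)."""
    for name, start, size in file_table:
        allocated = -(-size // CLUSTER) * CLUSTER  # round up to whole clusters
        if allocated > size:
            yield name, start + size, allocated - size


def find_hidden_slack(image, file_table, threshold=5.0):
    """Return (name, entropy) for files whose slack is neither zero-filled
    nor low-entropy; random-looking slack suggests planted or encrypted data.
    The threshold is an assumption tuned for short regions."""
    hits = []
    for name, off, length in slack_regions(file_table):
        slack = image[off:off + length]
        if any(slack):
            e = entropy(slack)
            if e > threshold:
                hits.append((name, round(e, 2)))
    return hits


def find_timestomped(records):
    """Flag (name, mtime_ns, ctime_ns) records that look manipulated.

    A whole-second mtime on a file system that keeps sub-second times, or a
    modification earlier than creation, both warrant a closer look."""
    flagged = []
    for name, mtime_ns, ctime_ns in records:
        reasons = []
        if mtime_ns % 1_000_000_000 == 0:
            reasons.append("whole-second mtime")
        if mtime_ns < ctime_ns:
            reasons.append("modified before created")
        if reasons:
            flagged.append((name, reasons))
    return flagged


def build_image():
    """Construct a 4-cluster image: file 'a' is clean, file 'b' carries
    pseudo-random bytes in its slack (deterministic so the result is stable)."""
    image = bytearray(4 * CLUSTER)
    a = b"A" * 700                      # occupies clusters 0-1, slack zeroed
    image[0:len(a)] = a
    b = b"B" * 300                      # occupies cluster 2
    image[2 * CLUSTER:2 * CLUSTER + len(b)] = b
    planted = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
    image[2 * CLUSTER + len(b):3 * CLUSTER] = planted[:CLUSTER - len(b)]
    table = [("a", 0, len(a)), ("b", 2 * CLUSTER, len(b))]
    return bytes(image), table


SAMPLE_MAC = [  # constructed (name, mtime_ns, ctime_ns), Unix epoch nanoseconds
    ("report.doc", 1_183_000_000_123_456_700, 1_182_900_000_987_654_300),
    ("dump.db",    1_100_000_000_000_000_000, 1_182_900_000_500_000_000),
    ("notes.txt",  1_183_000_000_000_000_000, 1_182_000_000_111_111_100),
]

if __name__ == "__main__":
    img, table = build_image()
    print("slack hits:", find_hidden_slack(img, table))
    print("timestamp hits:", find_timestomped(SAMPLE_MAC))
```

On a real NTFS volume the stronger timestamp check is to compare the $STANDARD_INFORMATION times against the $FILE_NAME times in the same MFT record, since user-mode tools normally rewrite only the former. The slack scan assumes the file system zero-fills slack, which not every driver does; remnants of previously deleted files are a benign source of high-entropy slack and must be distinguished from planted data by looking at what the bytes decode to.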

A more detailed article is here

Posted in IT Forensics, Information Systems and Technology.

Handbook of Forensic Services from the FBI

Here is the link to the Handbook: http://www.fbi.gov/hq/lab/handbook/forensics.pdf

Introduction
The purpose of the Handbook of Forensic Services is to provide guidance and procedures for safe and efficient methods of collecting, preserving, packaging, and shipping evidence and to describe the forensic examinations performed by the FBI’s Laboratory Division and Investigative Technology Division.

Other reports and publications from the FBI can be found here

Posted in IT Forensics, IT-Forensics Links.

Digital Evidence: Standards and Principles

What is Digital Evidence?

Digital evidence is any information of probative value that is either stored or transmitted in a binary form. This field includes not only computers in the traditional sense but also includes digital audio and video. It includes all facets of crime where evidence may be found in a digital or binary form. (SWGDE, 1998). Perhaps the most common computer crime in the news is child pornography, but computers are also instrumental in crimes ranging from check fraud to conspiracy to commit murder.

What is Digital Forensics?

Digital forensics involves the identification, collection, preservation, examination, and analysis of digital evidence. It is a technical, computer-related field involved in the collection and examination of evidence from computers, including audio, video, and graphical images.

Introduction

The Scientific Working Group on Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Laboratory Directors. SWGDE, as the U.S.-based component of standardization efforts conducted by the International Organization on Computer Evidence (IOCE), was charged with the development of cross-disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence, including audio, imaging, and electronic devices.

The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, 1999. It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies.

Definitions

Acquisition of Digital Evidence: Begins when information and/or physical items are collected or stored for examination purposes. The term “evidence” implies that the collector of evidence is recognized by the courts. The process of collecting is also assumed to be a legal process and appropriate for rules of evidence in that locality. A data object or physical item only becomes evidence when so deemed by a law enforcement official or designee.

Data Objects: Objects or information of potential probative value that are associated with physical items. Data objects may occur in different formats without altering the original information.

Digital Evidence: Information of probative value stored or transmitted in digital form.

Physical Items: Items on which data objects or information may be stored and/or through which data objects are transferred.

Original Digital Evidence: Physical items and the data objects associated with such items at the time of acquisition or seizure.

Duplicate Digital Evidence: An accurate digital reproduction of all data objects contained on an original physical item.

Copy: An accurate reproduction of information contained on an original physical item, independent of the original physical item.

Standards ….

See here for more detail

Posted in IT Forensics, IT-Forensics Links.

Free Papers/Reports on Forensics and Security from NIJ

Free papers/reports on Forensics and Security from National Institute of Justice (NIJ)

NIJ is the research, development, and evaluation agency of the U.S. Department of Justice and is dedicated to researching crime control and justice issues. NIJ provides objective, independent, evidence-based knowledge and tools to meet the challenges of crime and justice, particularly at the State and local levels. NIJ’s principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968, as amended (see 42 USC § 3721-3723) and Title II of the Homeland Security Act of 2002.

Mission:

Advance scientific research, development, and evaluation to enhance the administration of justice and public safety.

Here are some recent publications from NIJ:

See NIJ Publications for more documents.

Test Results for Digital Data Acquisition Tool: IXimager (Version 2.0, Feb-01 2006)
April 2007
Posted April 30, 2007

This NIJ Special Report presents the results from testing the IXimager (Version 2.0, Feb-01 2006) against Digital Data Acquisition Tool Assertions and Test Plan Version 1.0. It documents results by test assertion, describes the testing environment, provides an interpretation of the test results, and includes test results summary log files for numerous test cases. The results provide the information necessary for developers to improve tools, users to make informed choices, and the legal community and others to understand the tools’ capabilities. (NCJ 217103)

Full Text pdf

Voice Encryption for Radios
March 2007
Posted March 30, 2007

This NIJ InShort fact sheet gives an overview of the weaknesses unencrypted voice transmissions face and outlines how voice encryption helps ensure that voice transmissions are secure and accessible only by authorized personnel. Effective management is crucial to successfully implementing an encrypted voice network, and the fact sheet indicates the differences between managing a small versus a large network. (NCJ 217103)

Full Text pdf

Migrating From Cellular Digital Packet Data
March 2007
Posted March 30, 2007

Public safety agencies that use commercial cellular digital packet data (CDPD) will soon be forced to migrate to another method of communication. This NIJ InShort fact sheet gives an overview of the obstacles that agencies will face during the CDPD phase out, and it indicates factors that should be considered when migrating to a new service. (NCJ 217104)
Full Text pdf

Interoperability Gateways/Interconnects
March 2007
Posted March 30, 2007

Interconnect systems, such as gateways, allow for voice interoperability between otherwise incompatible radio communications systems. This NIJ InShort fact sheet details how gateways work and gives key factors that can affect performance. The fact sheet also outlines the steps to deploying a gateway and summarizes the two primary aspects of gateway management. (NCJ 217105)
Full Text pdf

Test Results for Three Tableau Hardware Write Block Devices
January 2007
Posted January 25, 2007

These NIJ Special Reports present the results from testing three Tableau Hardware Write Block devices against Hardware Write Blocker (HWB) Assertions and Test Plan Version 1.0. They document results against four top-level tool requirements identified by the specification and several test assertions related to those requirements, describe the testing environment, provide an interpretation of the test results, and include test results summary log files for numerous test cases. The results provide the information necessary for developers to improve tools, users to make informed choices, and the legal community and others to understand the tools’ capabilities.

Full Text

NIJ Journal Issue No. 256
January 2007
Posted January 17, 2007

NIJ programs make a difference in the lives of individual Americans. Two articles in this issue of the Journal highlight this. The lead story describes the Center for Human Identification, an NIJ-funded project that provides free DNA testing on unidentified human remains for any law enforcement agency in the country, helping to solve more missing persons cases. The second story highlights the work of the Kinship and Data Analysis Panel, a group of forensic experts convened by NIJ after 9/11 to help identify victims of the World Trade Center attacks-and, now, to advise the Nation in how to be better prepared to identify victims of a future mass disaster.

Other articles feature:

  • An online training program—designed particularly for judges, prosecutors, and defense attorneys—that explains the use of DNA, from the crime scene to post-conviction testing.
  • Key factors that influence the public’s perception of the police.
  • New findings revealing that many women who are physically abused by their sexual partners are also sexually assaulted by those partners.

Full Text

Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors
By National Institute of Justice
January 2007
Posted January 16, 2007

Now essential to modern life, computers have also become increasingly important to criminals, who steal information, commit fraud, and stalk victims online. Even if a crime was not committed online, law enforcement may discover critical evidence from an offender’s digital media. For this evidence to be admissible, however, police must demonstrate proper collection and handling. In the courtroom, prosecutors must overcome the twin barriers of skepticism and lack of technical understanding. To help navigate this complex process, NIJ’s technical working group of national experts prepared this special report. Chapters 1 and 2 inform crime scene investigators and other handlers about legal requirements for the handling of digital evidence. Chapters 3 and 4 provide guidelines for successful prosecution. The last chapter is a working application—using digital evidence to convict in a child pornography case. Appendixes provide useful resources and forms.

Full Text

Asian Transnational Organized Crime and Its Impact on the United States
By James O. Finckenauer and Ko-lin Chin
January 2007
Posted January 12, 2007

Asian Transnational Organized Crime and Its Impact on the United States reports on a study undertaken to preliminarily assess the impact of Asian transnational organized crime on the United States while, at the same time, determining high-priority areas for further research and identifying potential collaborative research partners and sources of relevant data and information in Asia. The first chapter of this monograph describes the divergent perceptions of Asian transnational organized crime held by Asian versus American interviewees, and also offers a researcher’s perspective. The second chapter explains the scope and patterns of Asian organized crime. The final chapter offers the researchers’ initial assessment of the impact of Asian transnational organized crime on the United States and U.S. interests.

Full Text

Investigations Involving the Internet and Computer Networks
By National Institute of Justice
January 2007
Posted January 12, 2007

This NIJ Special Report is intended as a resource for individuals responsible for investigations involving the use of the Internet and other computer networks. Any crime could involve devices that communicate through the Internet or through a network. Criminals may use the Internet for numerous reasons, including trading/sharing information (e.g., documents, photographs), concealing their identity, and gathering information on victims. The report is among a series of guides on investigating electronic crime.

Full Text

Links to IT-Forensics Software

Thanks to Dr. Alexander Geschonneck, who made these links available for us

  • Computer Forensics Software
    • Statically Stripped Incident Response and Forensic Binaries
    • Free Forensic Tools from NTI (New Technologies Inc.), Free Law Enforcement Suite
    • Alphabetical List of Computer Forensics Products
    • Forensic Software Sources
    • ResponseKits First Aid Kits for Unix & Windows
    • EnCase Forensic Solutions
    • ListDLLs is able to show you the full path names of loaded modules
    • Handle is a utility that displays information about open handles for any process in the system.
    • PsList is utility that shows you a combination of the information obtainable individually with pmon and pstat. You can view process CPU and memory information, or thread statistics.
    • Procdmp.pl is a script that correlates the output of several commands that are usually run during incident response activities.
    • dd for Windows
    • cryptcat = netcat + encryption
    • Forensic Tools and Utilities
    • Recover is a utility which automates some steps as described in the Ext2fs-Undeletion howto in order to recover a lost file
    • e2undel is an interactive console tool that recovers the data of deleted files on an ext2 file system under Linux
    • mac-robber is a forensics and incident response program that collects Modified, Access, and Change (MAC) times from files.
    • mac_daddy MAC Time collector for forensic incident response. This toolset is a modified version of the two programs tree.pl and mactime from the Coroner’s Toolkit. This program is portable and can be run directly from a floppy or a cdrom with a perl interpreter.
    • The Coroner’s Toolkit TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in
    • TCTUTILs is a collection of utilities that adds functionality to The Coroner’s Toolkit and the Autopsy Forensic Browser
    • The Autopsy Forensic Browser is a graphical interface to utilities found in The Coroners Toolkit (TCT) and TCTUTILs. It allows drive images to be analyzed at a file, block, and inode level. It also allows easy searches for strings in images.
    • New Versions: The @stake Sleuth Kit (TASK) and Autopsy Forensic Browser
    • pdd (Palm dd) is a Windows-based tool for memory imaging and forensic acquisition of data from the Palm OS family of PDAs. pdd will preserve the crime scene by obtaining a bit-for-bit image or “snapshot” of the Palm device’s memory contents. Such data can be used by forensic investigators, incident response teams, and criminal and civil prosecutors.
    • foremost automatic file recovering
    • ILook Investigator a forensic analysis tool
    • Streak – the secure forensic imaging tool
    • md5deep is a cross-platform program to compute MD5 message digests on an arbitrary number of files, with recursive operation, time estimation and a comparison mode
    • SectorSpy is a forensics analysis and text data recovery tool for computer hard drives and diskettes
    • Win32 First Responder’s Analyzer Toolkit is a batch file developed from a SecurityFocus article highlighting the use of simple scripts on Win32 platforms to perform basic security tasks. This script uses various Windows and 3rd party tools to provide an effective forensic snapshot of your computer.
    • PenguinBackup formerly known as “The PalmPilot single-floppy backup system”
    • FTimes is a system baselining and evidence collection tool. The primary purpose of FTimes is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis.
    • HashDig technology is a collection of utilities designed to help practitioners automate the process of resolving MD5 hashes.
    • IEHist dumps Internet Explorer history from index.dat files into delimited files suitable for import into other tools.
    • Data recovery tools
    • LADS – List Alternate DataStreams
    • ASR Data – Computer Forensic Tools (SMART)
    • PLAC (Portable Linux Auditing CD) is a business card sized bootable cdrom running linux. It has network auditing, disk recovery, and forensic analysis tools.
    • Forensic Acquisition Utilities
    • DCFL-DD – (an enhanced dd with MD5 hashing)
    • Fatback- undelete files from FAT filesystems
    • odessa “Open Digital Evidence Search and Seizure Architecture”
    • Disk Investigator. Who needs another one?
    • Perl Script to find Alternate Data Streams on NTFS
    • FileDisk is a virtual disk driver for Windows NT/2000/XP that uses one or more files to emulate physical disks. A console application is included that lets you dynamically mount and unmount files. With FileDisk you can mount forensic dd images read-only for further analysis.
    • Evidor is a particularly easy and convenient way for any investigator to find and gather digital evidence on computer media.
    • WinHex is a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing
    • Paraben’s E-Mail examiner supports many mailbox formats
    • NT registry filesystem for linux
    • PropertiesPlus can modify file attributes, file extensions, and the time stamps of single files, multiple files, or files contained within the folders and display the bytes allocated
    • Antiword for reading the ASCII content of Word files
    • Metadata Assistant: finding hidden data in Word and Excel files
    • Mount Image Pro is a tool for Computer Forensic investigations. It enables you to mount ENCASE®, Unix DD, or SMART forensic images as a drive letter on your file system.
    • Like dd, dd_rescue copies data from one file or block device to another, but keeps going past read errors.
    • AIR – Automated Image and Restore
    • chaosreader can trace TCP or UDP sessions and fetch application data from tcpdump or snoop logs
    • cryogenic freezes the process state of a running system
    • faust (File AUdit Security Toolkit) is a Perl script that helps analyze suspicious bash scripts and ELF binaries
    • FLAG Forensic and Log Analysis GUI
    • FileSystem Investigator (fstools) is a platform independent file system viewer and data extraction tool written in Java
    • PDASeizure is a comprehensive tool that allows PDA (PocketPC, PalmOS and Blackberry!) data to be acquired, viewed, and reported.
    • File Date Time Extractor
    • MailNavigator allows you to read multiple mailbox file formats
    • Protected Storage Explorer is a freeware utility which allows you to view the protected storage in Windows 2000, Windows XP and Windows 2003 in an ‘explorer style’ fashion.
    • CD/DVD Inspector is for forensic analysis, recovery and reporting for forensic and law enforcement use.
    • accuhash for calculating checksums
    • rda (Remote Data Acquisition utility) is a command line Linux tool to remotely acquire data (like disk cloning or disk/partition imaging) and verify the transfer using md5 and/or crc32 checksums
    • .dat-viewer for analyzing Kazaa Traces
    • DataLifter contains 10 tools to assist with Computer Forensics, Information Auditing, Information Security and Data Recovery.
    • Sterilize sterilizes the media to be used for working / examination copies.
    • TestDisk: Tool to check and undelete partition
    • X-Ways Forensics. Must have tool if you rely on windows
    • Ext2IFS mounting ext2 and ext3 volumes under windows r/w
    • pmdump.exe is a tool that dumps memory for a specified process to a file (as opposed to tools like memdump and dd which dump all of the RAM at once). It is useful for analysing things that might store hidden information in memory (for example, Bots, Trojan horses or VPN clients, email clients, and instant-messaging applications).
    • UndeleteSMS if you have to undelete Short Text Messages (SMS) from SIM cards
    • Web Historian assists users in reviewing websites (URLs) that are stored in the history files of the most commonly used browsers.
    • misc Computer Forensics Software for Criminal Investigators and Consumers from Robware.com
    • CDRoller is a powerful toolset for CD/DVD data recovery.
    • SilentRunners checks a Windows system for trojans and other malicious software
    • Paraben Forensics cell phone and SIM card investigation toolbox
    • Windows Forensics and Incident Recovery: The First Responder Utility (FRU)
    • Windows Forensic Toolchest (WFT)
    • tcpxtract is a tool for extracting files from network traffic based on file signatures.
    • Mount Image Pro is a tool for Computer Forensics investigations. It enables the mounting of EnCase, Unix DD or SMART forensic images as a drive letter on your Windows.
    • Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files.
    • Unmask is a demonstration of how to fingerprint users based only on their emails or IRC postings.
    • ptfinder.pl from Andreas Schuster is a Perl script that parses through a dump of Windows physical memory searching for the different structures
    • Memory forensics tools from trapkit.de: Process Dumper allows you to make a dump of a running process and Memory Parser can be used to analyse process dumps made with pd.
    • Live View is a graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk.
    • MacForensicsLab is a complete suite of forensics and analysis tools.
    • TULP2G is a free program that helps to examine cell phones and SIM cards.
    • Volatools enables one to analyze memory dumps in raw (or dd) format for performing digital investigations on volatile memory images.
    Posted in IT Forensics, Information Systems and Technology. Comments Off

    Digital Forensic Tool Testing

    The Digital Forensic Tool Testing (DFTT) project creates test images for digital forensic acquisition and analysis tools. These images can be used by tool developers and owners to test their software.

    Testing in the public view is an important part of increasing confidence in software and hardware tools. Developing extensive and exhaustive tests for digital investigation tools is a lengthy and complex process, which the Computer Forensic Tool Testing (CFTT) group at NIST has taken on. DFTT aims to fill the gap between the extensive tests from NIST and having no public tests at all. The following are file system and disk images for testing digital (computer) forensic analysis and acquisition tools. They were submitted to the Computer Forensic Tool Testing (CFTT) e-mail list on Yahoo! Groups. The results can be found in the CFTT list archives and in the Test Report Tracker.

    Download Software http://sourceforge.net/projects/dftt/

    see also: Overview of the NIST Computer Forensic Tool Testing Program Project

    Posted in IT Forensics, Information Systems and Technology. Comments Off

    NIST-CSRC: Mobile Forensics Project

    Forensic Tools:

    Forensic examination of mobile devices, such as Personal Digital Assistants (PDAs) and cell phones, is a growing subject area in computer forensics. Consequently, mobile device forensic tools are a relatively recent development and in the early stages of maturity. When mobile devices are involved in a crime or other incident, forensic specialists require tools that allow the proper retrieval and speedy examination of information present on the device. A number of existing commercial off-the-shelf (COTS) and open-source products provide forensics specialists with such capabilities.

    In order to assess the capabilities of assorted forensic tools, generic scenarios can be devised to mirror situations that often arise during a forensic examination of a mobile device and associated media. The scenarios serve as a baseline for determining a tool’s capability to acquire and examine various types of known data, allowing a broad and probing perspective on the state of the art of present-day forensic tools to be made.

    Forensic Guidelines:

    Forensic examiners, law enforcement, and incident response teams rely heavily on proper procedures and techniques, as well as appropriate tools, to preserve and process digital evidence. Guidance in the area of mobile forensics is generally lacking. Procedures and techniques developed for classical computer forensics cannot be used directly, because they do not account for the differing characteristics of mobile devices. Guidelines on mobile device forensics are needed to inform readers of the various technologies involved and the potential ways to approach these devices from a forensically sound perspective. The objective is twofold: to help organizations evolve appropriate policies and procedures for dealing with mobile devices, and to prepare forensic specialists to deal with new situations when they are encountered.

    Mobile Forensic Publications:

    Forensic Software Tools for Cell Phone Subscriber Identity Modules, Conference on Digital Forensics, Association of Digital Forensics, Security, and Law (ADFSL), April 2006. Wayne Jansen, Rick Ayers.

    Cell Phone Forensic Tools: An Overview and Analysis, NISTIR 7250, October 2005. Rick Ayers, Wayne Jansen, Nicolas Cilleros, Ronan Daniellou.

    An Overview and Analysis of PDA Forensic Tools, Digital Investigation, The International Journal of Digital Forensics and Incident Response, Volume 2, Issue 2, April 2005. Wayne Jansen, Rick Ayers.

    Guidelines on PDA Forensics, SP 800-72, November 2004. Wayne Jansen, Rick Ayers.

    PDA Forensic Tools: An Overview and Analysis, NISTIR 7100, August 2004. Rick Ayers, Wayne Jansen.

    Mobile Forensic Links:

    The Electronic Evidence Information Center is a compilation of resources pertaining to the field of digital forensics with a specialization in mobile devices.

    Mobile and PDA Forensics provides links to journal articles, publications, presentations, and books pertaining to the field of mobile device forensics.

    Phone Forensics is a website that has been developed for mobile phone forensic practitioners by practitioners.

    Mobile Forensics provides users with detailed information, links, user-manuals, and reference guides pertaining to the field of mobile device forensics.

    Phone Forensics Group provides users with training, procedures, software, hardware, solutions and best forensic practices through a Yahoo mail group.

    source: http://csrc.nist.gov/mobile-forensics/projects.html

    Posted in IT Forensics, Information Systems and Technology. Comments Off