Home Digital Forensics BIBLIO What's New ALL Other Resources Digital Forensic Books OS Specific Articles Links to Links Reciprocal Links About This Site

OPERATING SYSTEM-SPECIFIC This is my initial attempt to organize some of the content within this site into categories. Articles, papers, & presentations presented below are specific to a particular operating system. [They will continue to be listed in the Bibliography section] Linux | Unix | Windows | Win95 | WinNT | WinXP | Handhelds Macintosh DD’s Ultimate Guide to Mac OS Forensics A Collection of Links to Resources Donnelly, Derrick Open Source Digital Forensic Acquisition and Analysis on Mac OS X [PDF Presentation] October 2004 Dornseif, Max Forensic Tools on the Mac October 2004 Hawkins, Peter Macintosh Forensic Analysis Using OS X October 2002 Miller, Roland E. III GIAC Certified Forensic Analyst Practical Assignment [PDF] September 2002 "A detailed forensic analysis of a Mac OS X system using primarily open source forensic utilities on a Mac OS X analysis system. The paper clearly illustrates the potential of using Mac OS X for forensic analysis as well as some of the issues related to analyzing Mac OS X itself; in this case the Public Beta. The analysis is contained in Part I of the paper." Anonymous Rennich, Joel Forensic Analysis of a Compromised Mac OS X (Client) Machine May 2002 Siracusa, John Metadata, The Mac, and You Back to Top Linux Belshaw, Gary Forgetting to Lock the Back Door: A Break-in Analysis on a Red Hat Linux 6.2 Machine [PDF] August 2002 Carrier, Brian Performing an Autopsy Examination on FFS and EXT2FS Partition Images: An Introduction to TCTUTILs and the Autopsy Forensic Browser [PDF] Chuvakin, Anton Linux Data Hiding and Recovery March 2002 Crane, Aaron Linux Ext2fs Undeletion mini-HOWTO February 1999 Fung, James Dead Linux Machines Do Tell Tales [PDF] 2003 Holcroft, Stephen Incident Analysis of a Compromised RedHat Linux 6.2 Honeypot April 2002 Kralik, James and Shlomo Koenig Linux OS, Networking and Forensics [PDF] Murphy, Keven GIAC Certified Forensic Analyst Practical Assignment v1.0 [PDF] Red Hat Linux 8.0: The Official Red Hat Linux Security Guide Chapter 11. Incident Response Rogers, Russ Undeleting Files in the Linux OS 2000 Rude, Thomas Next Generation Data Forensics & Linux [PDF] July 2002 Next Generation Data Forensics & Linux [Presentation in PDF] PP Presentation August 2002 Willis, Chuck Forensics with Linux 101 or How to do Forensics for Free [Presentation in PDF] July 2003 Link to the Zipped Tools associated with presentation Back to Top Unix Cheng, Derek Freeware Forensics Tools for Unix November 2001 Step by step instructions for using TCT Dittrich, Dave Basic Steps in Forensic Analysis of Unix Systems Farmer, Dan and Wietse Venema Computer Forensics Analysis Class Handouts August 1999 Hamilton, Martin Unix Security 101 - forensic examples [Javascript Slideshow] Jones, Keith Incident Response: Performing Investigations on a Live Host [PDF] Kuethe, Chris Examine a Unix Box for Possible Compromise Lam, Alan S. H. Computer Forensics Analysis October 2000 A step-by-step analysis of a compromised Unix box, detailing commands and switches. This seminar introduces some basic techniques in Computer Forensics. It shows how to collect evidence without interfering the activities of the inspected system. It also discusses how hackers hide their traces when breaking into a system and the methods to work against it. Lee, Rob Unix Forensic Techniques for Incident Response [PP Presentation] December 2000 Pettinari, Cmdr. Dave Unix Investigations [PDF] Prosise, Chris and Kevin Mandia Incident Response: Investigating Computer Crime Chapter 11 [PDF] Initial Response to Unix Systems Sans Institute Examine a Unix Box for Possible Compromise 1999 To identify a potential compromised Unix box is some what of an arcane art, though there are some simple things to look for. the grugq Defeating Forensic Analysis on Unix July 2002 Widdowson, Liam & John Ferlito Tales from the Abyss: UNIX File Recovery Back to Top Windows, General Barish, Stephen Windows Forensics: A Case Study, Part One December 2002 Windows Forensics: A Case Study, Part Two March 2003 Bates, Jim File Deletion in MS FAT Systems April 1999 (updated September 2002) Windows Explorer Properties July 2001 (updated September 2002) Burke, Joseph Windows Forensic How-to: Incident Response Plan for Abuse of Corporate Assets [PDF] February 2003 Fulton, Lora & Eric Jacobsen (Boston University) Practical Windows Forensics July 2001 Grinler Windows Forensics: Have I been hacked? Jones, Keith J. Forensic Analysis of Internet Explorer Activity Files [PDF] Revised May 2003 Forensic Analysis of Microsoft Internet Explorer Cookie Files [PDF] May 2003 Forensic Analysis of Microsoft Windows Recycle Bin Records [PDF] Revised May 2003 Lawler, James A. Corrupted Cache - Internet Explorer Index.Dat Files and Primary I.E. Folders Problem Clearing Internet Explorer's History Data Lee, Rob Windows Media Imaging (First 17 pages) [PDF] April 2002 Lewis, Jack The New De-Tech-Tives [PDF] Spring/Summer 1999 The Social Secuirty Administration Office of the Inspector General's Experience (Page 39) Marcella, Albert, and Robert Greenfield Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. Table of contents and introduction [PDF] Chapter 3 The Liturgical Forensic Examination: Tracing Activity on a Windows-Based Desktop [PDF] Morris, Jamie Forensics on the Windows Platform, Part One January 2003 Forensics on the Windows Platform, Part Two February 2003 Rose, Curtis W. Windows Live Incident Response Volatile Data Collection: Non-Disruptive User & System Memory Forensic Acquisition (From archive.org) Yaw, Tan Koon Windows Responder’s Guide Back to Top Windows 95 Leibolt, Gregory Forensic Analysis of a Windows 95 System [Word document] April 2002 Back to Top Windows NT/2000 Carvey, Harlan Data Hiding on NT/2K (Download the zipped Blackhat file) Detecting and Removing Trojans and Malicious Code from Win2K September 2002 Incident Response for NT/2K (Download the zipped Blackhat file) NT Incident Response Investigation and Analysis (From archive.org) [PDF] June 2001 NT/2K Incident Response Tools August 2001 The Dark Side of NTFS (Microsoft’s Scarlet Letter) Win2K First Responder's Guide September 2002 Haase, Norman Computer Forensics: Introduction to Incident Response and Investigation of Windows NT/2000 December 2001 Henson, Teena J. Using Fport on Windows NT to Map Applications to Open Ports April 2001 Jacobsen, Eric and Lora Fulton (Boston University) Practical Windows Forensics July 2001 Mandia, Kevin Initial Response to Windows NT/2000 [PDF] Mares, Dan What Forensic Analysts/Investigators should know about NT Multiple Data Streams Martin, Damon Windows, NTFS and Alternate Data Streams May 2001 Oliviera, Flávio de Souza, Célio Cardoso Guimarães & Paulo Lício de Geus Pre-Forensic Setup Automation for Windows 2000 [PDF] May 2002 Sanderson, Paul NTFS Compression - a forensic view [PDF] October 2002 Schultze, Eric NT Information Gathering Commands van Essen, Maarten How to use Forensic Toolkit v2.0 on Windows NT 4.0 Server [Word document] Back to Top Windows XP Leibrock, Larry Documenting State File Changes Made By The Windows XP Family of Operating Systems Forensic Tools and Processes for Windows XP Clients [PDF] October 2002 Tutorial - Forensics for Windows XP Clients [Presentation in PDF] June 2002 Sedory, Daniel B. The Windows XP Startup Disk [An Example in Basic Forensics / Data Recovery] 2003 Stone, Kimberly & Richard Keightley Can Computer Investigations Survive Windows XP? [PDF] December 2001 Back to Top Handhelds Burnette, Michael W. Forensic Examination of a RIM (BlackBerry) Wireless Device [PDF] June 2002 de Haas, Job PDA Forensics (From securityfocus forum) August 2003 Frichot, Christian An Analysis of the Integrity of Palm Images Acquired with PDD [PDF] 2004 Grand, Joe pdd: Memory Imaging and Forensic Analysis of Palm OS Devices [PDF] March 2002 Memory Imaging and Forensic Analysis of Palm OS Devices [Presentation in PDF] June 2002 Mobile Device Security page - small collection of tools GSM-Security.net http://www.gsm-security.net/ Portal to the world of GSM Security Guidance Software How to Acquire a Palm PDA [Macromedia Flash] Palm PDA Support Mislan, Richard P. Acquisition of a Palm OS PDA using @Stake’s Palm dd, Paraben’s PDA Seizure, and Guidance Software’s EnCase [PDF] 2004 NIST Guidelines on PDA Forensics [PDF] November 2004 PDA Forensic Tools: An Overview and Analysis [PDF] August 2004 PDA 4N6 http://www.pda4n6.com/ Research site PDAZap http://www.zone-h.org/en/download/category=15/ PDAZap is a small application that when placed on a P800 will allow you to image the device's flash to a Sony Memory Stick Duo Paraben's PDA Seizure http://www.paraben-forensics.com/pda.html Peikari, Cyrus & Seth Fogie Security Reference Guide October 2004 Select "Data Forensics" / "PDA Forensics" Schiffman, Mike D. The Need for an 802.11b Toolkit [PP presentation] July 2002 SEARCH Short list of PDA Duplication Tools Watson, David Handhelds give up secrets Discusses Zert, a tool which allows you to image mobile phones and PDAs, produced by the Netherlands Forensic Institute (http://www.forensischinstituut.nl/) and available only to law enforcement. Weiss, Aaron PDAs and Forensic Science [PP Presentation] Spring 2002 Willassen, Svein Yngvar Forensics and the GSM Mobile Telephone System [PP Presentation] Spring 2003 © 2005 All rights reserved