Forensics with Linux 101

or

How to do Forensics for Free

by Chuck Willis
chuckfwillis@netscape.net
Black Hat USA 2003

Additional Information Links

This document collects hyperlinks to the tools and web sites mentioned in my presentation so they are easy to visit.

Brian Carrier's Paper about Open Source Forensics Tools, "Open Source Digital Forensic Tools: The Legal Argument" -  http://www.atstake.com/research/reports/acrobat/atstake_opensource_forensics.pdf

Tools discussed in the presentation:

FIRE Boot CD - http://fire.dmzs.com
NASA Loopback Drivers - ftp://ftp.hq.nasa.gov/pub/ig/ccd/enhanced_loopback/
Foremost - http://foremost.sourceforge.net
Sleuthkit - http://www.sleuthkit.org
Autopsy - http://www.sleuthkit.org

Discussions of splitting a single partition out of a whole-disk image (finding the partition offset in the partition table, then carving it with dd or mounting it read-only through the loopback device):

Sleuthkit Informer #2 by Brian Carrier - http://sleuthkit.sourceforge.net/informer/sleuthkit-informer-2.html
Mounting Disks with Linux's Loopback Device by Jason Boxman - http://talk.trekweb.com/~jasonb/articles/linux_loopback.shtml
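The two articles above describe the same procedure: read the partition table of a whole-disk image, convert the partition's starting sector to a byte offset, and either carve that range out with dd or mount it in place with a loopback offset. The following script is an added example written for this page, not code from either article or from the Sleuthkit. It builds a constructed 1 MiB image with a hand-written MBR (two type 0x83 entries and a marker string at the start of the second partition), parses the MBR entries with od instead of relying on mmls or fdisk, and carves the second partition with dd. The mount command at the end needs root and a loop device, so it is shown as a comment only.

```sh
#!/bin/sh
# Added example: split a partition out of a whole-disk image using only dd and od.
# MBR layout: 4 x 16-byte entries at byte 446; in each entry, byte 4 is the type,
# bytes 8-11 the starting LBA and bytes 12-15 the length, both little-endian.
# Sector size is assumed to be 512 bytes (true for the image built below).

le32() {
    # le32 FILE OFFSET: decimal value of the 4-byte little-endian integer at OFFSET
    set -- $(od -An -tu1 -j "$2" -N 4 "$1")
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

part_start() { le32 "$1" $((446 + 16 * ($2 - 1) + 8)); }    # starting LBA of entry N (1-4)
part_size()  { le32 "$1" $((446 + 16 * ($2 - 1) + 12)); }   # length in sectors of entry N
part_type()  { od -An -tu1 -j $((446 + 16 * ($2 - 1) + 4)) -N 1 "$1" | tr -d ' '; }

mbr_valid() {
    # true when the 0x55AA boot signature is present at byte 510
    [ "$(od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n')" = "55aa" ]
}

carve_partition() {
    # carve_partition IMAGE N OUTFILE: copy partition N into its own file, never
    # touching the source image (read only). bs=512 lets skip/count stay in sectors.
    dd if="$1" of="$3" bs=512 skip="$(part_start "$1" "$2")" \
       count="$(part_size "$1" "$2")" 2>/dev/null
}

make_demo_image() {
    # Constructed sample image (not a real acquisition): 2048 zeroed sectors plus an MBR
    # with entry 1 = type 0x83 at LBA 63 (512 sectors) and entry 2 = type 0x83 at LBA 1024
    # (512 sectors). The bytes are written with octal escapes so the script stays POSIX sh.
    img=$(mktemp)
    dd if=/dev/zero of="$img" bs=512 count=2048 2>/dev/null
    printf '\000\000\000\000\203\000\000\000\077\000\000\000\000\002\000\000' \
        | dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\000\000\000\000\203\000\000\000\000\004\000\000\000\002\000\000' \
        | dd of="$img" bs=1 seek=462 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
    # marker at the first byte of partition 2 so the carved copy can be checked
    printf 'EVIDENCE' | dd of="$img" bs=512 seek=1024 conv=notrunc 2>/dev/null
    echo "$img"
}

IMG=$(make_demo_image)
mbr_valid "$IMG" || { echo "no MBR signature in $IMG" >&2; exit 1; }
for n in 1 2; do
    printf 'partition %d: type 0x%02x start LBA %d sectors %d\n' "$n" \
        "$(part_type "$IMG" "$n")" "$(part_start "$IMG" "$n")" "$(part_size "$IMG" "$n")"
done
carve_partition "$IMG" 2 "$IMG.p2"
printf 'first bytes of carved partition 2: %s\n' "$(head -c 8 "$IMG.p2")"
# In-place alternative (needs root and a loop device; byte offset = start LBA * 512):
# mount -o ro,noexec,nodev,nosuid,loop,offset=$(( $(part_start "$IMG" 2) * 512 )) "$IMG" /mnt/evidence
```

On a real image the partition table should be read with mmls from the Sleuthkit (or fdisk -l) rather than the hand parser above, which handles only primary MBR entries and fixed 512-byte sectors. Hash the carved file and the original byte range before and after any examination so the copy can be shown to match the acquisition.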

Other potentially useful tools:

md5deep (http://md5deep.sourceforge.net) - recursive MD5 hashing of whole directory trees
Fatback (http://sourceforge.net/projects/biatchux) - undelete tool for FAT file systems
Stegdetect (http://www.outguess.org) - will detect some kinds of steganography in images
Galleta (http://www.openforensics.org) - IE Cookie Parser
Pasco (http://www.openforensics.org) - IE Activity Parser
Rifiuti (http://www.openforensics.org) - Recycle Bin INFO2 File Parser
LibPST (http://sourceforge.net/projects/ol2mbox) - converts Outlook and Outlook Express files to Linux mbox format

Virus Scanning Tools:

F-Prot - http://www.fprot.org
Bitdefender - http://www.bitdefender.com

Upcoming Tools:

Odessa Project - http://www.openforensics.org
Penguin Sleuth (http://www.linux-forensics.com) - Forensics Boot CD based on Knoppix
Forensic and Log Analysis GUI (FLAG) - http://www.dsd.gov.au/software/flag/
Knoppix STD (http://www.knoppix-std.org/) - Another "Security Tools Distribution" Boot CD based on Knoppix

Additional Resources:

Honeynet Project Scans of the Month (http://www.honeynet.org/scans/) - #15, #24, and #26 deal with forensics
SleuthKit/Autopsy information, mailing list, and download - http://www.sleuthkit.org
Case studies of Honeynet Scans http://www.sleuthkit.org/case/index.php
The Sleuth Kit Informer, a great newsletter - http://www.sleuthkit.org/informer/index.php
Linux Forensic User Group - http://groups.yahoo.com/group/linux_forensics/
Information about the National Software Reference Library (NSRL) - http://www.nsrl.nist.gov
Tools, forums, mailing lists - http://www.openforensics.org
Penguin Sleuth CD, forums, and information - http://www.linux-forensics.com
Tools and information - http://www.opensourceforensics.org
The Coroner's Toolkit - http://www.porcupine.org/forensics/tct.html