Incident Response (IR) & Forensics / Respuesta ante incidentes & A. Forense

You have seen something suspicious in one of your systems and you think that perhaps it has been compromissed. You need to confirm if your guess is true or not. Then, you incident handling/management/investigation/response... methods, whatever you want to call them, should be applied and will help you manage the situation. In the worse case scenario, you have been hacked, so you should determine How, What, Who, When, Where, Why...; the forensic analysis techniques will answer all these!
Has visto algo sospechoso en uno de tus sistemas y piensas que quizás ha podido ser comprometido. Debes confirmar si tu sospecha es cierta o no. Entonces, tus métodos de manejo/gestión/investigación/respuesta ante incidentes, como quieras llamarlos, deben entrar en juego y ayudarte a resolver la situación. En el peor caso, el sistema fue vulnerado, por lo que deberías determinar Cómo, Qué, Quién, Cuándo, Dónde, Porqué...; para ello dispones de las técnicas de análisis forense!

Whitepapers / Artículos

Freeware Forensics Tools for Unix Derek Cheng November, 2001

Windows Forensics: A Case Study, Part One Stephen Barish December, 2002

Windows Forensics: A Case Study, Part Two Stephen Barish March, 2003

Handbook of Forensic Services U.S. DoJ 2003

Detailed Explanation of FAT Boot Sector Microsoft December, 2003

Computer Security Incident Handling Guide NIST January, 2004

Forensic Analysis of a Live Linux System, Pt. 1 Mariusz Burdach March, 2004

Forensic Analysis of a Live Linux System, Pt. 2 Mariusz Burdach April, 2004

A Method for Forensic Previews Timothy E. Wright March, 2005

Web Browser Forensics, part 1 Keith J. Jones, R. Belani March 2005

Web Browser Forensics, part 2 Keith J. Jones, R. Belani May 2005

Advanced Antiforensics: SELF Pluf & Ripe August, 2005

Process Dump and Binary Reconstruction ilo August, 2005

Packet forensics using TCP D. Parker, M. Sues August 2005

Windows Memory Analysis Challenge DFRWS 2005

Tracing an E-mail Raven January, 2006

Tools / Herramientas

dcfldd Nick Harbour Enhanced "dd"

TSK & Autopsy Brian Carrier The Sleuth Kit & The Autopsy Forensic Browser: digital forensics tools

DFTT Brian Carrier Digital Forensics Tool Testing Images

AFF Simson L. Garfinkel Advanced Forensic Format (AFF)

Exiftool Phil Harvey Read and write meta information in image, audio and video files

Tcpxtract Nick Harbour Tool for extracting files from network traffic based on file signatures

Foremost Afosi, Cisr Console program to recover files based on their headers/footers/structures

Analysis CDs

Helix e-fense Incident Response & Computer Forensics Live CD

FCCU (d-fence) Christophe Monniez FCCU GNU/Linux Forensic Boot CD

F.I.R.E. Dirk Loss Forensic and Incident Response Environment on a bootable CD-ROM

Penguin Sleuth Ernest Baca Penguin Sleuth Bootable CD

RIP Kent Robotti (R)ecovery (I)s (P)ossible Linux rescue CD

Windows

Pasco The Open Forensics Group A tool for analyzing the Microsoft Windows index.dat file (Odessa)

Galleta The Open Forensics Group A tool for analyzing Internet Explorer cookies (Odessa)

Rifiuti The Open Forensics Group A tool for investigating the Microsoft Windows recycle bin info2 file (Odessa)

Web Historian Red Cliff Tool for reviewing websites stored in the history files of the most commonly used browsers

Unix utils Karl M. Syring Common GNU utilities to native Win32

FSP Harlan Carvey Forensic Server Project: retrieve volatile data from compromised systems

Web

Open Source Digital Forensics Reference for the use of open source software in digital forensics and incident response

IACIS The International Association of Computer Investigative Specialists

HTCN High Tech Crime Network

Forensics.nl (www.forensix.org) Computer Forensics, Cybercrime and Steganography Resources

E-evidence info The Electronic Evidence Information Center

IH Windows 2000/XP Intrusion Discovery Windows 2000/XP - Cheat Sheet (SANS Institute)

IH Linux Intrusion Discovery Linux - Cheat Sheet (SANS Institute)

Digital Detective Forensic Computing Tools & Utilities

NSRL National Software Reference Library (NIST)

Forensic-es.org Portal dedicado a la ciencia informática forense

Conferences

DFRWs Digital Forensic Research Workshop (DFRWS)

IMF International Conference on IT-Incident Management & IT-Forensics

Mailing lists

The Sleuth Kit Informer Bi-monthly newsletter for The Sleuth Kit, Autopsy, and related tools (Brian Carrier)

Books / Libros

Incident Response and Computer Forensic, 2nd Ed. C. Prosise, K. Mandia, M. Pepe (McGraw-Hill) July 2003

Windows Forensics and Incident Recovery Halan Harvey (Addison Wesley) July 2004

Forensic Discovery Dan Farmer, Wietse Venema (Addison Wesley) December 2004

File System Forensic Analysis Brian Carrier (Addison Wesley) March 2005

Real Digital Forensics: Computer Security and Incident Response K. Jones, R. Bejtlich, C. Rose (Addison Wesley) September 2005

Freeware Forensics Tools for Unix	Derek Cheng	November, 2001
Windows Forensics: A Case Study, Part One	Stephen Barish	December, 2002
Windows Forensics: A Case Study, Part Two	Stephen Barish	March, 2003
Handbook of Forensic Services	U.S. DoJ	2003
Detailed Explanation of FAT Boot Sector	Microsoft	December, 2003
Computer Security Incident Handling Guide	NIST	January, 2004
Forensic Analysis of a Live Linux System, Pt. 1	Mariusz Burdach	March, 2004
Forensic Analysis of a Live Linux System, Pt. 2	Mariusz Burdach	April, 2004
A Method for Forensic Previews	Timothy E. Wright	March, 2005
Web Browser Forensics, part 1	Keith J. Jones, R. Belani	March 2005
Web Browser Forensics, part 2	Keith J. Jones, R. Belani	May 2005
Advanced Antiforensics: SELF	Pluf & Ripe	August, 2005
Process Dump and Binary Reconstruction	ilo	August, 2005
Packet forensics using TCP	D. Parker, M. Sues	August 2005
Windows Memory Analysis Challenge	DFRWS	2005
Tracing an E-mail	Raven	January, 2006

dcfldd	Nick Harbour	Enhanced "dd"
TSK & Autopsy	Brian Carrier	The Sleuth Kit & The Autopsy Forensic Browser: digital forensics tools
DFTT	Brian Carrier	Digital Forensics Tool Testing Images
AFF	Simson L. Garfinkel	Advanced Forensic Format (AFF)
Exiftool	Phil Harvey	Read and write meta information in image, audio and video files
Tcpxtract	Nick Harbour	Tool for extracting files from network traffic based on file signatures
Foremost	Afosi, Cisr	Console program to recover files based on their headers/footers/structures
	Analysis CDs
Helix	e-fense	Incident Response & Computer Forensics Live CD
FCCU (d-fence)	Christophe Monniez	FCCU GNU/Linux Forensic Boot CD
F.I.R.E.	Dirk Loss	Forensic and Incident Response Environment on a bootable CD-ROM
Penguin Sleuth	Ernest Baca	Penguin Sleuth Bootable CD
RIP	Kent Robotti	(R)ecovery (I)s (P)ossible Linux rescue CD
	Windows
Pasco	The Open Forensics Group	A tool for analyzing the Microsoft Windows index.dat file (Odessa)
Galleta	The Open Forensics Group	A tool for analyzing Internet Explorer cookies (Odessa)
Rifiuti	The Open Forensics Group	A tool for investigating the Microsoft Windows recycle bin info2 file (Odessa)
Web Historian	Red Cliff	Tool for reviewing websites stored in the history files of the most commonly used browsers
Unix utils	Karl M. Syring	Common GNU utilities to native Win32
FSP	Harlan Carvey	Forensic Server Project: retrieve volatile data from compromised systems

Open Source Digital Forensics	Reference for the use of open source software in digital forensics and incident response
IACIS	The International Association of Computer Investigative Specialists
HTCN	High Tech Crime Network
Forensics.nl (www.forensix.org)	Computer Forensics, Cybercrime and Steganography Resources
E-evidence info	The Electronic Evidence Information Center
IH Windows 2000/XP	Intrusion Discovery Windows 2000/XP - Cheat Sheet (SANS Institute)
IH Linux	Intrusion Discovery Linux - Cheat Sheet (SANS Institute)
Digital Detective	Forensic Computing Tools & Utilities
NSRL	National Software Reference Library (NIST)
Forensic-es.org	Portal dedicado a la ciencia informática forense
Conferences
DFRWs	Digital Forensic Research Workshop (DFRWS)
IMF	International Conference on IT-Incident Management & IT-Forensics
Mailing lists
The Sleuth Kit Informer	Bi-monthly newsletter for The Sleuth Kit, Autopsy, and related tools (Brian Carrier)

Incident Response and Computer Forensic, 2nd Ed.	C. Prosise, K. Mandia, M. Pepe (McGraw-Hill)	July 2003
Windows Forensics and Incident Recovery	Halan Harvey (Addison Wesley)	July 2004
Forensic Discovery	Dan Farmer, Wietse Venema (Addison Wesley)	December 2004
File System Forensic Analysis	Brian Carrier (Addison Wesley)	March 2005
Real Digital Forensics: Computer Security and Incident Response	K. Jones, R. Bejtlich, C. Rose (Addison Wesley)	September 2005