Introducing the Digital Forensics Search

Saturday, April 9, 2011 Posted by Corey Harrell
Have you ever run a *insert search engine* search to locate information about an artifact only to find a listing of mostly irrelevant hits? A lot of time is wasted going through the irrelevant hits to locate the few websites with information that helps you better see how the artifacts fit into your forensic examination. Wouldn't it be better if the majority of the search hits were in the context of digital forensics or incident response, thereby making the hits more relevant to your forensic examination? Here is the formal introduction of the Digital Forensic Search engine.

The combination of the Yahoo Win4n6 group's discussion about David Kovar's post The Fragmentation of the digital forensics community, the hooked-on-mnemonics blog post Malware Analysis Search, and writing my last post on searching RSS feeds inspired me to look for a different way to search for information. A more effective way is to use a custom search engine that's configured to search only blogs, groups, forums, or any other sites related to digital forensics and incident response. Digital Forensic Search is a custom Google search, and in a way I think it harnesses the collective knowledge and research of the people and organizations who share information back to the forensics community.

Digital Forensic Search results in more search hits which are in the realm of digital forensics and incident response. Depending on the artifact being researched, the search hits may result in information on the artifact, tools to extract data from the artifact, and how the artifact affected other practitioners' examinations. For example, perform a search for the keyword "link file" (include the quotes) in your favorite search engine. The first 10 hits in my search only included one digital forensics hit while the other hits were for information not beneficial to any type of forensic investigation. Run the same search in the Digital Forensic Search and it results in the majority of the hits being directly related to link files in the context of a digital forensic examination. Three of the hits on the first page were an article about the Evidentiary Value of Link Files on Forensic Focus, Richard Drinkwater's blog post Link Files in System Restore Points, and the article The Meaning of Link Files in Forensic Examinations on the Computer Forensics Miscellany website.

If anyone still isn't convinced of the value of a custom search, then I recommend performing a couple of searches in both *insert search engine* and Digital Forensic Search. A few potential topics to search on are: comdlg32, tool validation, evidence collection, timeline analysis, or volume shadow copies. The searches should show that Digital Forensic Search returns more hits relevant to digital forensics and incident response, which makes it an effective method to locate information.

This post is where I'm going to be maintaining the list of sites included in the Digital Forensic Search so any updates to the index will be reflected below. The repository tries to focus on sites containing information on digital forensics and incident response as opposed to tool specific sites. With this in mind, if you see any sites missing or URLs with too much noise (such as job postings) then post a comment or send me an email.

Digital Forensic Search can be found at the top of jIIr or directly at this link:

http://www.google.com/cse/home?cx=011905220571137173365:7eskxxzhjj8


**********Sites Last Updated on 08/19/2014**********

The following is the listing of sites indexed by the Digital Forensic Search:

DFIR Blogs

A Geek Raised by Wolves  http://jessekornblum.livejournal.com/
A Renaissance Security Professional  http://renaissancesecurity.blogspot.com/
An Eye on Forensics  http://eyeonforensics.blogspot.com/
Active Security  http://active-security.blogspot.com/
Andrew Hay  http://www.andrewhay.ca
All things time related http://blog.kiddaland.net/
American Destroyer http://megadeus.com/
Another Forensics Blog  http://az4n6.blogspot.com/
Anton Chuvakin  http://blogs.gartner.com/anton-chuvakin
appointments-uk  http://appointments-uk.blogspot.com/
Ball In Your Court  http://ballinyourcourt.wordpress.com/
Blog Matt Churchill  http://mattchurchill.net/blog/
Bradley Schatz on the intersection of technology and the law  http://blog.schatzforensic.com.au/
BriMor Labs  http://brimorlabs.blogspot.com
Browser Forensics  http://www.browserforensics.com/
c-APT-ure  http://c-apt-ure.blogspot.com/
cci  http://takahiroharuyama.github.io/
Cellular.Sherlock - Mobile Forensics from the front lines  http://blog.csvance.com/
Cheeky4n6Monkey - Learning About Digital Forensics  http://cheeky4n6monkey.blogspot.com/
Chip_DFIR  http://chipdfir.blogspot.co.uk/
Chris Sanders  http://chrissanders.org/
Christa Miller  http://christammiller.com/
CnW Recovery  http://cnwrecovery.blogspot.com/
Codeslack  http://codeslack.blogspot.com/
Command Line Kung Fu  http://blog.commandlinekungfu.com/
Computer Forensic Blog  http://computer.forensikblog.de/en/
Computer Forensic Graduate  http://computerforensicgraduate.wordpress.com
Computer Forensic Source  http://forensicsource.blogspot.com/
Computer Forensics and IR - What's New  http://newinforensics.blogspot.com/
Computer Forensics, Malware Analysis & Digital Investigations  http://www.forensickb.com/
Computer Forensics-E-Discovery Tips-Tricks and Information  http://cfed-ttf.blogspot.com/
ComputerForensicSource.com  http://www.computerforensicsource.com/
Consortium of Digital Forensic Specialists CDFS Blog  http://www.cdfs.org/blog/
copgeek018  http://copgeek018.wordpress.com/
Crucial Security Forensics Blog http://crucialsecurityblog.harris.com/
CSITech - Computer Forensics  http://nickfurneaux.blogspot.com/
Cyber Security Maven -- Techie  http://cybersecuritymave-techie.blogspot.com
CyberSpeak's Podcast  http://cyberspeak.libsyn.com/
Cylance Blog  http://blog.cylance.com
Dancho Danchev's Blog - Mind Streams of Information Security Knowledge  http://ddanchev.blogspot.com/
Default Deny  http://kurtaubuchon.blogspot.com/
Derek Newton « Information Security Insights http://dereknewton.com/
DF Procedures and Musings  http://dfprocedures.blogspot.com
DFF and Open Source Digital Forensics blog http://www.digital-forensic.org/blog/
Digital Forensics Solutions  http://dfsforensics.blogspot.com/
Enterprise Detection & Response  http://detect-respond.blogspot.com
Every Bit Counts  http://forensicmatt.blogspot.com
Ex Forensis  http://exforensis.blogspot.com/
FireEye Malware Intelligence Lab  http://blog.fireeye.com/research/
Forensic 4cast  http://www.forensic4cast.com/
forensic . seccure . net  http://seccure.blogspot.com/
Forensic Artifacts  http://forensicartifacts.com/
Forensic Computing — Digital forensics from the view of a computer scientist  http://www.forensicblog.org/
Forensics For the Newbs  http://forensicnewbs.wordpress.com/
Forensic Incident Response  http://forensicir.blogspot.com/
Forensic interviews  http://f-interviews.com/
Forensic Methods http://forensicmethods.com/
Forensic Photoshop  http://forensicphotoshop.blogspot.com/
Forensicaliente - because digital forensics is "hot"  http://forensicaliente.blogspot.com/
Forensically sound(ing off) http://marshalla99.wordpress.com/
Forensicator Of The Dead  http://forensicotd.blogspot.com/
Forensics from London  http://forensiccontrol.blogspot.com/
Forensics from the sausage factory  http://forensicsfromthesausagefactory.blogspot.com/
ForensicZone  http://forensiczone.blogspot.com/
Fun with Lost Bits n Bytes  http://blog.roberthaist.com
G33k G1r1 goes Binary  http://g33k-g1rl.blogspot.com/
Geoff Black's Forensic Gremlins - Everything that gives you fits in Digital Forensics and E-Discovery  http://www.geoffblack.com/
Ghetto Forensics  http://www.ghettoforensics.com
Girl, Unallocated  http://girlunallocated.blogspot.com/
GPS Evidence Tracking Issues http://gpsevidence.blogspot.com/
Grand Stream Dreams  http://grandstreamdreams.blogspot.com/
Hacking Exposed Computer Forensics blog  http://hackingexposedcomputerforensicsblog.blogspot.com/
HandlerDiaries  http://blog.handlerdiaries.com
Happy As A Monkey  http://happyasamonkey.wordpress.com/
Hexacorn Blog  http://www.hexacorn.com/blog/
HeX-OR Forensics  http://nicoleibrahim.com
HolisticInfoSec http://holisticinfosec.blogspot.com/
InfoSec Insights  http://blog.seanmason.com
integriography A Journal of Broken Locks, Ethics, and Computer Forensics  http://integriography.wordpress.com/
Internet Storm Center Diary  http://isc.sans.edu/
JonRajewski  http://www.jonrajewski.com/cyberblog/
Journey into Incident Response  http://journeyintoir.blogspot.com/
JustAskWeg  http://justaskweg.com
Lenny Zeltser on Information Security  http://blog.zeltser.com
Linux Sleuthing  http://linuxsleuthing.blogspot.com/
Lowmanio (digital forensic category)  http://www.lowmanio.co.uk/blog/categories/digital-forensics/
Macaroni Forensics  http://macaroniforensics.blogspot.com/
man allyn-blog http://allynstott.blogspot.com/
Matthieu Suiche’s blog ! - Happiness only real when shared.  http://www.msuiche.net/
Malware Analysis Blog  http://www.malanalysis.com/blog/
Mark Russinovich's Blog  http://blogs.technet.com/b/markrussinovich/
McGrew Security Blog  http://www.mcgrewsecurity.com/
Memory Forensics  http://memoryforensics.blogspot.com/
MetaDatum  http://metadatum.me
MNIN Security  http://www.malwarecookbook.com/
MNIN Security Blog  http://mnin.blogspot.com/
Mobile Device Forensics  http://mobileforensics.wordpress.com/
Mobile Forensics Inc Blogger  http://blog.mobileforensicsinc.com/
Mobile Telephone Evidence  http://trewmte.blogspot.com/
Post Humorous  http://www.posthumorous.com/
Practical Digital Forensics http://practicaldigitalforensics.blogspot.com/
Propeller Head Forensics  http://propellerheadforensics.com/
Push the Red Button  http://moyix.blogspot.com/
RAM Slack – Random Thoughts from a Computer Forensic Examiner  http://ramslack.wordpress.com/
Ryan Stillions  http://ryanstillions.blogspot.com
SANS Penetration Testing Blog  http://pen-testing.sans.org/blog
Sketchymoose's Blog  http://sketchymoose.blogspot.com/
Security Ripcord  http://www.cutawaysecurity.com/blog/
Securosis Blog  https://securosis.com/blog
Sempersecurus http://sempersecurus.blogspot.com/
Sergio Hernando http://www.sahw.com/wp/
Scudette in Wonderland  http://scudette.blogspot.com/
Student of Security http://mikeahrendt.blogspot.com/
Sucuri Blog  http://blog.sucuri.net
System Forensics  http://www.sysforensics.org/
Seculert  http://blog.seculert.com/
Secureartisan http://secureartisan.wordpress.com/
Security Braindump  http://securitybraindump.blogspot.com/
TaoSecurity  http://taosecurity.blogspot.com/
Taksati  http://taksati.wordpress.com/
The Cave  http://cyb3rdaw6.harpermountain.net/
The Digital Standard  http://thedigitalstandard.blogspot.com/
The Digital4rensics Blog  http://www.digital4rensics.com/
The Forensics Ferret Blog http://forensicsferret.wordpress.com/
The Last Line of Defense  http://blog.tllod.com/
Trace Evidence  http://traceevidence.blogspot.com
trustedsignal -- blog  http://trustedsignal.blogspot.com/
Unchained Forensics  http://unchainedforensics.blogspot.com/
Unmask Parasites blog  http://blog.unmaskparasites.com/
ViaForensics  https://viaforensics.com/blog/
Volatility Advanced Memory Forensics  http://volatility.tumblr.com/
Windows Incident Response  http://windowsir.blogspot.com/
WriteBlocked  http://writeblocked.org/
Wyatt Roersma Blog  http://www.wyattroersma.com/
Yogesh Khatri's forensic blog  http://www.swiftforensics.com/
Zena Forensics  http://blog.digital-forensics.it/
Zscaler  http://research.zscaler.com/

DFIR Websites

Brian Carrier Digital Investigation - Forensics and Evidence Research  http://www.digital-evidence.org/
CERIAS Reports and Papers Archive  https://www.cerias.purdue.edu/apps/reports_and_papers/
Computer Crime & Intellectual Property Section US DOJ  http://www.justice.gov/criminal/cybercrime/
Computer Forensics Miscellany  http://computerforensics.parsonage.co.uk/
Craig Ball Helping Lawyers Master Technology  http://www.craigball.com/
DFRWS (Digital Forensics Research Conference)  http://www.dfrws.org/
Digital Forensics Magazine supporting the professional computer security industry  http://www.digitalforensicsmagazine.com/
Digital Forensics Solutions' Research http://www.digitalforensicssolutions.com/research.shtml
ENISA CERT  http://www.enisa.europa.eu/act/cert/
E-Evidence Information Center - Home  http://www.e-evidence.info/
FIRST - Improving security together  http://www.first.org/
Forensic Focus  www.forensicfocus.com/
Forensic Magazine Issues  http://www.forensicmag.com/
Forensics Wiki  http://www.forensicswiki.org/
HolisticInfoSec toolsmith http://holisticinfosec.org/toolsmith
Inside the registry  http://www.insidetheregistry.com/regdatabase/
I-Sight's Investigations http://i-sight.com/investigation/
International Journal of Digital Evidence on Utica College  http://www.utica.edu/academic/institutes/ecii/ijde/
Into The Boxes  http://intotheboxes.wordpress.com/
IronGeek's InfoSec Articles http://www.irongeek.com/i.php?page=security/
Journal of Digital Forensics, Security and Law  http://www.jdfsl.org/
Lenny Zeltser  http://zeltser.com/
log2timeline  http://log2timeline.net/
mnin.org  http://www.mnin.org/
Mobile Forensics Central  http://www.mobileforensicscentral.com/
National Institute of Justice Publications  http://nij.gov/nij/pubs-sum/
National White Collar Crime Center  http://www.nw3c.org/
Network Forensics Puzzle Contest  http://forensicscontest.com/
NIST Computer Security Division Special Publications  http://csrc.nist.gov/publications/nistpubs/
Open Source Digital Forensics  http://www2.opensourceforensics.org/
SANS Computer Forensics  http://computer-forensics.sans.org/
SANS InfoSec Reading Room - Forensics  http://www.sans.org/reading_room/whitepapers/forensics/
SANS InfoSec Reading Room - Incident Handling  http://www.sans.org/reading_room/whitepapers/incident/
SANS InfoSec Reading Room - Malicious Code  http://www.sans.org/reading_room/whitepapers/malicious/
SANS InfoSec Reading Room - Steganography  http://www.sans.org/reading_room/whitepapers/stenganography/
SANS Summit Archives  http://digital-forensics.sans.org/summit-archives
Small Scale Digital Device Forensics Journal  http://www.ssddfj.org/
SWGDE  http://www.swgde.org/
The Honeynet Project Challenges  https://www.honeynet.org/challenges/
Welcome AppleExaminer  http://www.appleexaminer.com/
Williballenthin.com  http://williballenthin.com

DFIR Webpages

AuSCERT Forming an Incident Response Team  http://www.auscert.org.au/render.html?it=2252&cid=1938
Cybercrime.gov searching and seizing manual  http://www.cybercrime.gov/ssmanual/index.html
Daubert v. Merrell Dow Pharmaceuticals  http://www.law.cornell.edu/supct/html/92-102.ZS.html
Default Processes in Windows 2000  http://support.microsoft.com/kb/263201
Digital Evidence: Standards and Principles  http://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/april2000/swgde.htm
Digitalcorpora Disk Images  http://digitalcorpora.org/corpora/disk-images/
FileSignatures Table  http://www.garykessler.net/library/file_sigs.html
Forensically interesting spots in the Windows 7, Vista and XP file system and registry (and anti-forensics)  http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots
Microsoft Windows XP - Default settings for services  http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sys_srv_default_settings.mspx?mfr=true
QCCIS Whitepapers  http://qccis.com/resources/publications/
RFC 3227 - Guidelines for Evidence Collection and Archiving  http://www.rfc-archive.org/getrfc.php?rfc=3227
SEI Handbook for Incident Response Teams  http://www.sei.cmu.edu/library/abstracts/reports/03hb002.cfm
Windows 7 Default Services and Suggested Startup Mode  http://www.windowsnetworking.com/articles_tutorials/Windows-7-Default-Services-Suggested-Startup-Mode.html

DFIR Groups

Yahoo Win4n6 Group  http://tech.groups.yahoo.com/group/win4n6/
Yahoo Linux Forensics Group  http://tech.groups.yahoo.com/group/linux_forensics/ 
The Vol-users Archives  http://lists.volatilesystems.com/pipermail/vol-users/

DFIR Tool Websites

Digital Forensics Framework Wiki  http://wiki.digital-forensic.org/
Jafat Archive of Forensic Analysis Tools  http://jafat.sourceforge.net/
Joakim Schicht  https://github.com/jschicht
Live View  http://liveview.sourceforge.net/
md5deep and hashdeep  http://md5deep.sourceforge.net/
mft2csv  http://code.google.com/p/mft2csv
MiTec  http://www.mitec.cz/
My SecTools  http://www.mysectools.com/
NirSoft  http://www.nirsoft.net/
OpenSourceForensics  http://code.google.com/p/opensourceforensics/
plaso - home of the super timeline  http://plaso.kiddaland.net
pydetective  http://code.google.com/p/pydetective/
Registry Decoder  http://code.google.com/p/registrydecoder/
Registry Decoder Live  http://code.google.com/p/regdecoderlive/
RegRipper  http://regripper.wordpress.com/
Rekall Memory Forensic Framework  http://www.rekall-forensic.com
Shadow Explorer  http://www.shadowexplorer.com/
Sleuthkit  http://www.sleuthkit.org/
TZWorks LLC  http://www.tzworks.net/
Volatility An advanced memory forensics framework  http://code.google.com/p/volatility/
Winforensicaanalysis  http://code.google.com/p/winforensicaanalysis/
Windows Forensic Environment  http://winfe.wordpress.com/
Woanware  http://www.woanware.co.uk/

DFIR Tool Webpages

Digital Detective - Free Tools  http://www.digital-detective.net/digital-forensic-software/free-tools/
Forensic Control Free Computer Forensic Tools  http://forensiccontrol.com/resources/free-software/
HB Gary Free Security Tools  http://www.hbgary.com/free-tools
Mandiant Free Software  http://www.mandiant.com/products/free_software
QCC Information Security Free Forensic Tools  http://www.qccis.com/forensic-tools
RedWolf Computer Forensics http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55
Sanderson Forensics Free Utilities  http://www.sandersonforensics.com/content.asp?page=15

  1. Anonymous

    I have been using "Digital Forensics Search Engine" from http://digfor.blogspot.com for at least a couple of years now. It works great and has similar functionality to the Digital Forensic Search.

    Giant

  2. I don't use search features on blogs since I just point Google at the sites using site:URL. I just assumed blogs search features either searched only that site, or that site & any links on the site. Digfor is one of the blogs I follow and I didn't know they had a Digital Forensic Search Engine since I never ran a search from their blog.

  3. HP

    Corey

    I picked up your DF search from Douglas Brush's post on FF and you have a great list of sources which is very helpful to have in one place. I'll look through my bookmarks and see if I can find any to add to your list.

    Thanks for this.

    H

  4. Kalyan

    Corey

    This search engine is awesome. Thanks for your efforts. I am using it regularly.

  5. Good job Corey,

    I set up "Digital Forensics Search Engine" a while ago and haven't updated it for some time now. It's ok for my purposes but it is not as comprehensive as yours, so keep up the good work.

    Best,
    ecophobia
