CERT

Forensics

Grounded in years of research and real-world experience, CERT's forensics team focuses on "gap areas" not addressed by commercial tools or standard techniques. Some of their current work includes

  • Resource Amplification
    With computers now being used to facilitate nearly every aspect of criminal activity, skilled computer forensic investigators are swamped by the backlog of machines waiting for analysis. We are searching for ways to empower traditional investigators to perform triage and initial examinations. Live View is our first step in this direction.
  • Memory Extraction and Analysis
    As the standard amount of installed RAM increases, so does the amount and importance of volatile data: running processes, open network connections, and cryptographic keys exist only in memory and are lost once a system is powered off. The ability to quickly extract and understand this data is critical for forensic examiners.
  • Encryption Counter-Measures
    Law enforcement agencies and other investigators are discovering that an increasing amount of gathered digital data is unusable because of the pervasive use of strong encryption. We are developing methods and tools to adapt the data acquisition process and recover encrypted data in real-world scenarios.

Tools and Demos

  • CERT's Clustered-Computing Analysis Platform (C-CAP)
    C-CAP is a state-of-the-art forensics analysis environment that provides a complete suite of tools for host-based and network investigations.

  • Live View
    This tool, available to the public in an open-source version, facilitates the forensic examination of disk images or physical drives using virtualization technology.
  • Demos
    There are a variety of demos available in the library of the Virtual Training Environment (VTE). Look for "forensics" in the category field drop-down menu.

Our PGP Key

You can contact us by sending email to forensics@cert.org. If you are sending sensitive information, please encrypt it to the key below.

Our PGP Public Key: pdt_forensics.asc


Fingerprint: 95D2 1894 20FB 1C13 C4E5 6C8A 9FDE 7E56 CE28 B247
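Before encrypting to the key, confirm that the fingerprint of the key you actually imported matches the one published above; a key obtained from a keyserver or a cached copy may not be the same one. The script below is an added example, not CERT's own code: it normalizes a fingerprint, pulls the primary-key fingerprint out of `gpg --with-colons --fingerprint` output, and compares it to the published value. The colon-format sample it parses is constructed for illustration; only the key file name and address come from this page.

```shell
#!/bin/sh
# Added example (not from the CERT page): check an imported key's fingerprint
# against the value published on the page before encrypting to it.

EXPECTED_FPR="95D2 1894 20FB 1C13 C4E5 6C8A 9FDE 7E56 CE28 B247"

# Constructed sample of `gpg --with-colons --fingerprint` output (not real gpg
# output for this key): a pub record, its fpr record, a uid, and a subkey.
SAMPLE_COLONS='pub:-:4096:1:9FDE7E56CE28B247:1199145600::-:::scESC::::::
fpr:::::::::95D2189420FB1C13C4E56C8A9FDE7E56CE28B247:
uid:-::::1199145600::0000000000000000000000000000000000000000::CERT Forensics <forensics@cert.org>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1199145600::::::e::::::
fpr:::::::::00000000000000000000000000000000FFFFFFFF:'

# Strip whitespace and upper-case so "95d2 1894 ..." and "95D21894..." compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read colon-format records on stdin and print the fingerprint of the primary
# key only (the first fpr record after the pub record; field 10 holds it).
# Subkey fingerprints that follow sub records are ignored.
primary_fpr_from_colons() {
    awk -F: '$1=="pub"{want=1;next} want&&$1=="fpr"{print $10; exit}'
}

# Compare a fingerprint with the published one. Returns 0 only on an exact
# match; an empty input (nothing parsed) is treated as a mismatch.
check_fpr() {
    actual=$(norm_fpr "$1")
    expected=$(norm_fpr "$EXPECTED_FPR")
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo "fingerprint OK: $actual"
        return 0
    fi
    echo "FINGERPRINT MISMATCH: got '$actual', expected '$expected'" >&2
    return 1
}

# Demo on the constructed sample.
demo() {
    f=$(printf '%s\n' "$SAMPLE_COLONS" | primary_fpr_from_colons)
    check_fpr "$f"
}
demo

# Real use (requires gpg and the pdt_forensics.asc file linked above):
#   gpg --import pdt_forensics.asc
#   gpg --with-colons --fingerprint forensics@cert.org \
#       | primary_fpr_from_colons | { read -r f; check_fpr "$f"; }
# Only after the check passes:
#   gpg --armor --encrypt --recipient forensics@cert.org report.txt
```

The colon format is used rather than the human-readable `gpg --fingerprint` output because its field layout is stable across gpg versions and locales, so the parser does not depend on the "Key fingerprint =" wording.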

Information for Law Enforcement

Authorized members of the law enforcement community can access forensics tools through VTE. For access, visit Law Enforcement Computer Forensics Tools and Training, VTE Subscription.

The following LE-restricted tools are available:

  • Live View LE
    This tool allows forensic investigators to take a physical device or an "image" file of a disk or partition and automatically transform it into a virtual machine. The LE version of the tool offers features to investigators that are not available in the public version.
  • CryptHunter
    Designed for pre-acquisition screening, CryptHunter will detect mounted encrypted volumes as well as whole disk encryption on running systems.
  • Aperio
    Aperio detects operational signatures left by commercial counter-forensic software and can guide the search for latent data that remains.
  • Forensic Appliance
    A Linux virtual machine pre-loaded with many specialized forensics and network analysis tools, ready to run as a self-contained forensic workstation.
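Live View (both the public and LE versions described above) boots a disk image as a virtual machine without copying it. One way to do what the description outlines is to wrap the raw image in a VMware text descriptor and point a VM at it in non-persistent mode, so the evidence file is read but never written. The script below is an added example of that wrapping, not Live View's own code: the `monolithicFlat` descriptor and `.vmx` keys are VMware's documented text formats, while the CHS geometry heuristic (16 heads, 63 sectors per track) is an assumption chosen for small images, and the sample image in the usage is constructed.

```shell
#!/bin/sh
# Added example, not Live View's own code: present a raw (dd-style) disk image
# to VMware as a virtual disk by generating a "monolithicFlat" VMDK descriptor
# and a minimal .vmx next to it. The image itself is never copied or modified.

SECTOR=512

# Size of a regular file in bytes (wc -c on stdin avoids the filename column).
image_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Number of 512-byte sectors in the image; refuse images with a partial sector,
# since a descriptor describing more sectors than exist would be wrong.
image_sectors() {
    bytes=$(image_bytes "$1")
    [ $((bytes % SECTOR)) -eq 0 ] || { echo "image size not sector-aligned: $1" >&2; return 1; }
    echo $((bytes / SECTOR))
}

# Emit a VMDK descriptor whose single RW extent is the whole raw image file,
# referenced by basename (the descriptor must sit in the same directory).
vmdk_descriptor() {
    img=$1
    sectors=$(image_sectors "$img") || return 1
    cyl=$((sectors / (16 * 63)))   # assumed geometry: 16 heads x 63 sectors
    [ "$cyl" -gt 0 ] || cyl=1
    cat <<EOF
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description: the entire raw image, starting at byte offset 0
RW $sectors FLAT "$(basename "$img")" 0

# The Disk Data Base
#DDB
ddb.virtualHWVersion = "4"
ddb.geometry.cylinders = "$cyl"
ddb.geometry.heads = "16"
ddb.geometry.sectors = "63"
ddb.adapterType = "ide"
EOF
}

# Minimal .vmx. independent-nonpersistent makes VMware send every guest write
# to a redo log that is discarded at power-off, so the evidence image stays
# byte-identical across VM sessions. Networking is left off so the booted
# evidence system cannot reach anything.
vmx_config() {
    name=$1; vmdk=$2
    cat <<EOF
config.version = "8"
virtualHW.version = "4"
displayName = "$name"
memsize = "512"
guestOS = "other"
ide0:0.present = "TRUE"
ide0:0.fileName = "$vmdk"
ide0:0.mode = "independent-nonpersistent"
ethernet0.present = "FALSE"
EOF
}

# Write <stem>.vmdk and <stem>.vmx beside the image.
wrap_image() {
    img=$1
    dir=$(dirname "$img"); name=$(basename "$img"); stem=${name%.*}
    vmdk_descriptor "$img" > "$dir/$stem.vmdk" || return 1
    vmx_config "$stem" "$stem.vmdk" > "$dir/$stem.vmx"
    echo "created $dir/$stem.vmdk and $dir/$stem.vmx"
}

# Usage on a constructed 1 MiB all-zero image:
#   dd if=/dev/zero of=evidence.dd bs=1024 count=1024
#   wrap_image evidence.dd
```

Hash the image (with whatever tool your procedure already uses, e.g. `md5sum` or `sha1sum`) before the first boot and again after the VM is powered off; matching digests confirm the non-persistent mode kept the evidence unchanged. A descriptor like this only covers the "image file" case from the description; a physical device would need the device path in the extent line and a write-blocker in front of it.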

Last updated August 30, 2008