CERT

Forensics

Grounded in years of research and real-world experience, CERT's forensics team focuses on "gap areas" not addressed by commercial tools or standard techniques. Some of their current work includes

  • Resource Amplification
    With computers now being used to facilitate nearly every aspect of criminal activity, skilled computer forensic investigators are swamped by the backlog of machines waiting for analysis. We are searching for ways to empower traditional investigators to perform triage and initial examinations. Live View is our first step in this direction.
  • Memory Extraction and Analysis
    As the standard amount of installed RAM increases, the amount and importance of volatile data rises proportionally. The ability to quickly extract and understand this data is critical for forensic examiners.
  • Encryption Counter-Measures
    Law enforcement agencies and other investigators are discovering that an increasing amount of gathered digital data is unusable because of the pervasive use of strong encryption. We are developing methods and tools to adapt the data acquisition process and recover encrypted data in real-world scenarios.

Tools and Demos

  • Linux Forensics Tools Repository
    The CERT Forensics Tools Repository, a collection of add-on packages for Fedora, provides many useful cyber forensics tools for analysts and practitioners.

  • CERT's Clustered-Computing Analysis Platform (C-CAP)
    C-CAP is a state-of-the-art forensics analysis environment that provides a complete suite of tools for host-based and network investigations.

  • Live View
    This tool, available to the public in an open-source version, facilitates the forensic examination of disk images or physical drives using virtualization technology.
  • Demos
    There are a variety of demos available in the library of the Virtual Training Environment (VTE). Look for "forensics" in the category field drop-down menu.

Our PGP Key

You can contact us by sending email to If you are sending sensitive information, please encrypt it.

Our PGP Public Key: forensics.asc


Fingerprint:
0F7B 12E7 436A 63E3 F1EC DB82 509B 1856 5DA8 32D6

Announcements

June 29, 2009

The Training and Demo videos available through CERT's Virtual Training Environment (VTE) were added to the Aperio, CryptHunter, and LiveView ISO images that are available in the Tools Area. If you retrieved these ISO images before June 29th, 2009, you can retrieve the new versions with the same credentials that you previously used. The Training and Demo videos are located in the folders named Training and Demos respectively.

In addition, each ISO image now has a file named README.txt that contains the MD5, SHA1, and SHA256 checksums for all files in the ISO image. Use the contents of README.txt to verify the files in the ISO images.

Finally, there is also a file named README.txt.asc that contains a digital signature for the README.txt file, signed with the CERT Forensics team key. You can use this key along with PGP or GPG to verify the authenticity of the README.txt file.
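The two checks described above (file checksums against README.txt, then the detached signature README.txt.asc over the manifest) can be scripted. The following is an added example written for this page, not a script shipped by CERT. It assumes the manifest uses the one-line-per-file `<sha256>  <path>` format that `sha256sum -c` reads (the announcement does not state the exact format), that GnuPG is installed, and that forensics.asc has already been imported; the directory layout and file names in `make_sample_tree` are constructed for illustration. Only README.txt, README.txt.asc and the key fingerprint come from the page.

```shell
#!/bin/sh
# Added example (not CERT's code): verify a retrieved tools directory against
# its README.txt checksum manifest and check the PGP signature on that manifest.
# Manifest format, directory layout and file names below are assumptions.

# Build a constructed sample tree: two placeholder payload files plus a
# SHA256 manifest in the format that sha256sum -c understands.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/Demos"
    printf 'demo video placeholder\n' > "$dir/Demos/liveview-demo.txt"
    printf 'tool payload placeholder\n' > "$dir/liveview.bin"
    ( cd "$dir" && sha256sum Demos/liveview-demo.txt liveview.bin > README.txt )
}

# Returns 0 only if every file listed in README.txt still matches its SHA256.
verify_manifest() {
    ( cd "$1" && sha256sum -c --status README.txt )
}

# Fingerprint published on the forensics page, spaces removed for comparison.
EXPECTED_FPR=0F7B12E7436A63E3F1ECDB82509B18565DA832D6

# Returns 0 only if README.txt.asc is a good signature over README.txt made by
# the key with the expected fingerprint. Pinning the fingerprint matters: gpg
# reports a good signature for any key present in the keyring, so a manifest
# signed by some other imported key would otherwise pass. VALIDSIG carries the
# signing key's full fingerprint as its first field.
verify_signature() {
    gpg --status-fd 1 --verify "$1/README.txt.asc" "$1/README.txt" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR "
}

# Full check: trust the manifest only after its signature is verified, then
# check every file against it.
verify_tools_dir() {
    verify_signature "$1" && verify_manifest "$1"
}
```

Source the file and run `verify_tools_dir /path/to/iso-contents`; a non-zero exit means either the signature did not verify against the pinned key or at least one file no longer matches the manifest.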

Information for Law Enforcement

Members of the law enforcement community can access forensics tools by visiting our Tools Area. For access, you need to agree to certain terms and conditions and provide some of your preferences by filling out a form.

The following LE-restricted tools are available:

  • Live View LE
    This tool allows forensic investigators to take a physical device or an "image" file of a disk or partition and automatically transform it into a virtual machine. The LE version of the tool offers features to investigators that are not available in the public version.
  • CryptHunter
    Designed for pre-acquisition screening, CryptHunter will detect mounted encrypted volumes as well as whole disk encryption on running systems.
  • Aperio
    Aperio detects operational signatures left by commercial counter-forensic software and can guide the search for latent data that remains.
  • Forensic Appliance
    A fully functional Linux VM forensics appliance, this virtual machine is pre-loaded with many specialized forensics and network analysis tools.

Last updated May 4, 2009