There are so many resources available for digital forensic investigators on the Internet, but so far there has been no central site to consolidate references to them all. Each individual professional, researcher, or vendor has compiled their own list specific to their interests, and maybe even provided some resources of their own.

This site is an attempt at consolidating all these references and categorizing them so that an investigator can easily find valuable digital forensic resources for training, certification, technical tips, recent publications, software tools, hardware tools, etc. This site is the compilation of the various resources our investigation team has found useful over the years or have been recommended by colleagues in the industry. Additional suggestions for content are always welcome.

We are constantly adding new references to valuable resources, so check back often.

Industry Certifications

The following certifications are vendor neutral:

• GIAC Certified Forensics Analyst (GCFA), SANS Institute
  
• Certified Computer Examiner (CCE), The International Society of Forensic Computer Examiners
  
• Computer Hacking Forensic Investigator (CHFI), EC-Council
  

Education & Training

The following training offerings are vendor neutral:

• The SANS Institute - SANS offers many courses for professionals in several different formats ranging from intensive instructor lead six day courses to on demand online formats. The flagship forensics course is SEC508: Computer Forensics, Investigation, and Response. Get a free demo of this course on the SANS Portal. SANS also offers many related courses on incident response, packet analysis, and malware inspection that are also recommended for investigators. A Macintosh Forensics Survival course and SEC427: Browser Forensics are just some of the special topics courses being offered.
  
• The National White Collar Crime Center - The mission of NW3C is to provide a nationwide support system for agencies involved in the prevention, investigation, and prosecution of economic and high-tech crimes and to support and partner with other appropriate entities in addressing homeland security initiatives, as they relate to economic and high-tech crimes.
  
• Defense Cyber Investigations Training Academy - The DCITA develops and delivers computer investigation training courses for DoD organizations, Defense Criminal Investigative organizations, Military Counterintelligence agencies, and law enforcement organizations.
• CERT Incident Response and Computer Forensics Courses - CERT offers learning opportunities in network computing security through an educational collaboration with Carnegie Mellon University and through our own training courses aimed at private and public sector professionals.
  

Professional Organizations

• The High Technology Crime Investigation Association - The HTCIA is designed to encourage, promote, aid and effect the voluntary interchange of data, information, experience, ideas and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies among its membership.
  
• The National Cyber-Forensics and Training Alliance - The NCFTA provides a neutral collaborative venue where critical confidential information about cyber incidents can be shared discreetly, and where resources can be shared among industry, academia and law enforcement.
  
• The High Tech Crime Consortium - The HTCC is a professional organization that assists law enforcement and corporate investigators to obtain the knowledge and skills needed to combat 21st Century crime where the use or abuse of digital technology is an element of an offense.
  
• The International Society of Forensic Computer Examiners - The ISFCE is dedicated to the advancement of the science of forensic computer examinations. The ISFCE administers the Certified Computer Examiner (CCE) certification. The CCE certification is available internationally to both law enforcement and non-law enforcement forensic computer examiners.
  
• The High Tech Crime Network - The mission of the HTCN is to achieve the most valuable and recognized certification by regulating its membership through a comprehensive process that verifies an applicant's training, experience and ethical reputation, enforcing the highest standards of stringent certification requirements and diligent enforcement of our policies, procedures and code of ethics.
  
• The Women in eDiscovery - The mission of the WIED is to bring together businesswomen interested in technology related to the legal industry and to provide opportunities for them to help themselves and other businesswomen grow personally and professionally through leadership, education, networking support, and national recognition.
  
• The High Tech Crime Institute - As a global leader in the field of Computer Crime Investigation and Computer Forensics, HTCI is uniquely qualified to provide expert instruction, proactive security management and computer forensic platforms to both the private and public sectors.
  
• The Computer Technology Investigators Network - CTIN has been providing high tech crime fighting training since 1996 in the areas of high-tech security, investigation, and prosecution of high-tech crimes for both private and public sector security and investigative personnel and prosecutors. CTIN sponsors training from experts world-wide for the benefit of private organizations and law enforcement agencies.
  
• The International Information Systems Forensics Association - IISFA is a nonprofit organization whose mission is to promote the discipline of information forensics in the form of evangelism, education, and certification. IISFA consists of a governing body of Board of Directors that represent various areas of expertise in information forensics and a large community of Subject Matter Experts that volunteer time and expertise to further the goals of the association.
  
• National Center for Forensic Science - NCFS Digital Evidence initiative's primary goal is to enhance public safety by assisting the criminal justice system. They provide several educational opportunities including graduate certificates, a professional track masters degree, and undergraduate courses. Research is performed in their Virtual Digital Evidence Lab which is funded by the National Institute of Justice.
  
• The Law Enforcement & Emergency Services Video Association - LEVA is a non-profit corporation committed to improving the quality of video training and promoting the use of state-of-the-art, effective equipment in the law enforcement and emergency services community. We make a positive contribution to a more competent public safety establishment.
  

Software & Hardware Tools

The essentials:

• Helix - Incident Response & Computer Forensics Live CD by e-fense. Helix is a customized distribution of the Knoppix Live Linux CD. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics.
  

Software tools:

• Encase Forensic - EnCase® Forensic is the industry standard in computer forensic investigation technology. With an intuitive GUI, superior analytics, enhanced email/Internet support and a powerful scripting engine, EnCase® provides investigators with a single tool, capable of conducting large-scale and complex investigations from beginning to end. Law enforcement officers, government/corporate investigators and consultants around the world benefit from the power of EnCase® Forensic in a way that far exceeds any other forensic solution.
  
• Forensic Toolkit - FKT is the foundation of all our software solutions. It is a new breed of forensic technology with an architecture that is radically different than that of competing tools. The first and only forensic solution to be built from the ground up with a fully integrated Oracle database at its core, FTK 2.0 delivers unmatched flexibility, computational power, scale and ease-of-use.
  
• Helix - See the Essentials section above.
  

Hardware tools:

• Forensic Recovery of Evidence Device - The FRED family of forensic workstations are highly integrated, flexible and modular forensic platforms and now include Digital Intelligence's exclusive UltraBay Write Protected Imaging Bay.
  

Technical Resources

• Investigations Involving the Internet and Computer Networks (PDF) - This special report, dated January 2007, from the U.S. Department of Justice is part of a series. This report was developed by the Technical Working Group for the Investigation of High Technology Crimes and is intended to be a resource for individuals responsible for investigations involving the Internet and other computer networks. It is one of a series of electronic crime investigation documents already published or in development by the National Institute of Justice (NIJ). The guides are developed by technical working groups that consist of practitioners and subject matter experts brought together by NIJ to help law enforcement agencies and prosecutors deal with the growing volume and complexity of electronic crime.
  
• Forensic Examination of Digital Evidence: A Guide for Law Enforcement (PDF) - This special report, dated April 2004, from the U.S. Department of Justice is the second in a series. To assist law enforcement agencies and prosecutorial offices, a series of guides dealing with digital evidence has been selected to address the complete investigation process. This process expands from the crime scene through analysis and finally into the courtroom. The guides summarize information from a select group of practitioners who are knowledgeable about the subject matter. These groups are more commonly known as technical working groups.
  
• Electronic Crime Scene Investigation: A Guide for First Responders (PDF) - This special report, dated July 2001, from the U.S. Department of Justice is the first in a series. This guide is intended for use by law enforcement and other responders who have the responsibility for protecting an electronic crime scene and for the recognition, collection, and preservation of electronic evidence. It is not all-inclusive. Rather, it deals with the most common situations encountered with electronic evidence.
  
• Oracle Forensics - Presented by Pete Finnigan at the Oracle User Group Conference in Scotland on April 30th 2008.
  
• SANS Whitepapers - Forensics whitepapers from the SANS Reading Room on topics of investigating an Intranet server, an SQL server, a journaling file system, etc.
  
• Guidelines on Cell Phone Forensics (PDF) - NIST Special Publication 800-101, May 2007. The objective of the guide is twofold: to help organizations evolve appropriate policies and procedures for dealing with cell phones, and to prepare forensic specialists to contend with new circumstances involving cell phones, when they arise.
  
• NIST Computer Security Division Publications on Mobile Forensics - Papers and publications on cell phone forensics and PDA forensics from the NIST Computer Security Resource Center.
  
• Best Practices for Seizing Electronic Evidence v2 - A project of the International Association of Chiefs of Police, PricewaterhouseCoopers LLP, Technical Support Working Group, and the Untied States Secret Service.
  
• Best Practices for Seizing Electronic Evidence v3 - A project of the United States Secret Service and participating law enforcement agencies. A working group of various law enforcement agencies was convened to identify common issues encountered in today's electronic crime scenes. Representatives from several government and law enforcement agencies designed and developed this manual.
  

Legal References

• State Security Breach Notification Laws as of March 31, 2008 (MS Word Format) - Courtesy of David Thomas LLP at the Greenberg Traurig law firm
  
• PI License Requirement by State to perform Computer Forensics or EDiscovery - provided by the New England Chapter of the HTCIA
  
• E-Discovery Legal Roadmap - This interactive workflow for handling e-discovery cases is provided by the Legal Technology section of the www.law.com website. This roadmap walks the users through the steps of the e-discovery process while providing multiple pathways and detailed guidance for each step along the way.
  
• QUON v ARCH WIRELESS OPERATING COMPANY, United States Court of Appeals for the Ninth Circuit - Ruling on SMS messages as private communications.
  

Articles & Publications

• E-Discovery: No More Losing Needles in the Electronic Haystack published by Trent Henry of the Burton Group on March 7, 2007. In order to balance costs with the security requirements of electronic discovery (e-discovery), information technology organizations will need to enhance policies and automate the processes of preserving, locating, and producing electronic evidence.
  
• When E-Discovery Is Put to the Test published by Leonard Deutchman in the Pennsylvania Law Weekly on May 14, 2008. This article discusses the use of linguistic or statistical patterning to perform more intelligent and efficient keyword searches for e-discovery cases.
  

Webcasts & Podcasts

• The IT Impact of E-Discovery podcast was published by Trent Henry of the Burton Group on August 7, 2007 and a modified version was presented at the RSA Conference in April of 2008 (PDF version of presentation). In this podcast, senior analyst Trent Henry speaks on the IT impact of E-Discovery. E-Discovery invokes tremendous IT requirements to preserve, find, and produce critical electronic evidence. IT teams serve as strategic helpers for enterprise litigation, and the choices they make for the creation, storage, archival, and destruction of information have substantial impacts on legal and regulatory evidence handling.