LawEnforcementResources

Resources provided by the community that can be useful for Law Enforcement worldwide

License: MIT

  1. Free Training
  2. Guides, Publications and Books
  3. Ransomware Identification and Decryption Resources
  4. Malware Analysis
  5. Reverse Engineering
  6. Phishing
  7. Computer Investigations
    1. Decryption
    2. Windows Investigations
    3. Linux Investigations
    4. Mac Investigations
  8. Mobile Investigations
    1. Pin Code, Pattern Lock, and Android Password Resources
  9. IP Resolution Services
  10. Email Analysis
  11. MLA Resources
  12. End-to-end encrypted messengers
  13. Self Contained and Darknet Resources
  14. Regular Expressions
  15. Android Resources
  16. Contributing to this Project

Free Training

  • NW3C - Online Training - Free online training provided by NW3C. Great for padding the CV with training! US LE only. Outside US LE may have to contact NW3C to ask for access, but I can't promise LE outside of the USA can access the training.
  • Texas A&M TEEX - Cybersecurity - Any class with the FEMA logo (A) is free! Stock up on the certificates of completion!

Guides, Publications and Books

Ransomware Identification and Decryption Resources

Malware Analysis

  • Any.run - Interactive Online Malware Analysis Sandbox - ANY.RUN
  • VirusTotal - Analyze suspicious files and URLs to detect types of malware, automatically share them with the security community.
  • Hybrid Analysis - Free Automated Malware Analysis Service - powered by Falcon Sandbox.
  • Cuckoo Sandbox - Open-source automated malware analysis system.
  • FlareVM - FLARE VM - a fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.
  • Joe Sandbox - Automated deep malware analysis sandbox.
  • Hatching Triage - Malware analysis sandbox designed for cross-platform support (Windows, Android, Linux, and macOS)
  • REMnux - A Linux Toolkit for Malware Analysis
  • Reverse.it - Web-based malware analysis tool - powered by CrowdStrike Falcon.
  • Limon - Malware analysis sandbox for analyzing Linux malware.

Reverse Engineering

Phishing

  • PhishTank - PhishTank is a collaborative clearing house for data and information about phishing on the Internet.

Computer Investigations

Decryption

Windows Investigations

Linux Investigations

Mac Investigations

Mobile Investigations

Pin Code, Pattern Lock, and Android Password Resources

IP Resolution Services

  • MaxMind (https://www.maxmind.com/en/home) - Useful for resolving IPs. MaxMind is known for offering better geolocation than most other similar services.
  • WhoisXML API - Useful for gathering, analyzing, and correlating domain, IP, and DNS data. Obtain precise geographical data down to the postal code with latitude and longitude coordinates, network information, timezone, connected domains, and more for deeper contextualization.

Email Analysis

  • Email Header Analyzer - Will make email headers human readable by parsing them according to RFC 822
  • DMARC Check Tool - Diagnostic tool that will parse the DMARC Record for the queried domain name, display the DMARC Record, and run a series of diagnostic checks against the record

MLA Resources

End-to-end encrypted messengers

Name URL iOS Android Windows Mac Linux Web
BRIAR https://briarproject.org/ ? ? ? ? ? ?
Element https://element.io/ ? ? ? ? ? ?
Jitsi https://meet.jit.si/ ? ? ? ? ? ?
Line https://line.me/en/ ? ? ? ? ? ?
Session https://getsession.org/ ? ? ? ? ? ?
Signal https://www.signal.org/ ? ? ? ? ? ?
Silence https://silence.im/ ? ? ? ? ? ?
Telegram https://telegram.org/ ? ? ? ? ? ?
Threema https://threema.ch/en/ ? ? ? ? ? ?
Tox https://tox.chat/ ? ? ? ? ? ?
Viber https://www.viber.com/ ? ? ? ? ? ?
WhatsApp https://www.whatsapp.com/ ? ? ? ? ? ?
Wickr Me https://wickr.com/ ? ? ? ? ? ?
Wire https://wire.com/en/ ? ? ? ? ? ?
Keybase https://keybase.io/ ? ? ? ? ? ?

Self Contained and Darknet Resources

  • TOR - The Onion Router.
    • .onion
  • I2P - The Invisible Internet Project.
    • .i2p .b32.i2p
  • Lokinet - Anonymous Internet Access.
    • .loki
  • ZeroNet - Decentralized websites using Bitcoin cryptography and the BitTorrent network.
    • .bit https://zeronet.link/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • Retroshare - Retroshare establishes encrypted connections between you and your friends to create a network of computers, and provides various distributed services on top of it: forums, channels, chat, mail...
  • OpenBazaar - A free online marketplace with no platform fees and no restrictions; earn cryptocurrency.
  • Freenet - Freenet is a peer-to-peer platform for censorship-resistant communication and publishing.
  • Tails - A portable operating system that protects against surveillance and censorship.
  • Whonix - Software that can anonymize everything you do online.

Regular Expressions

  • Tor hidden services (V2 & V3)
    • [a-z2-7]{16}\.onion|[a-z2-7]{56}\.onion
  • I2P hidden service (b32)
    • ([a-zA-Z0-9]{52}\.b32\.i2p)
  • I2P hidden service (.i2p)
    • ([a-zA-Z0-9]+\.i2p(?<!b32\.i2p))

Cryptocurrency Regular Expressions

  • Bitcoin address (SegWit & Legacy) (BTC)
    • ([13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})
  • Litecoin address (LTC)
    • [LM3][a-km-zA-HJ-NP-Z1-9]{26,33}
  • Ethereum & Ethereum Classic address (ETH & ETC)
    • 0x[a-fA-F0-9]{40}
  • Ripple address (XRP)
    • [0-9a-zA-Z]{24,34}
  • Dogecoin address (DOGE)
    • D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}
  • Monero address (XMR)
    • [48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}
  • Dash address (DASH)
    • X[1-9A-HJ-NP-Za-km-z]{33}

Cryptocurrency Address Examples

The addresses listed below were generated at random and are in no way affiliated with this repository. Do not send money to the addresses listed below!

  • Bitcoin (Legacy)
    • 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX
  • Bitcoin (SegWit)
    • bc1qj89046x7zv6pm4n00qgqp505nvljnfp6xfznyw
  • Litecoin (Legacy)
    • LVtdzELRdQDTa35y1bQPKTSvL3TEv1y5Ut
  • Ethereum & Ethereum Classic
    • 0xF25228015a2be633a6a60e9cB4643813DAf28AA0
  • Ripple
    • rJiZJRSiseTcKWepsAC6ed6EDbgu2ohPov
  • Monero
    • 49fpXfThF8bZwuLADG1WZ57vM8oNEuQGaHyBEomSXaaAZhCQqX6j4E9QNz6cqniBrian3zZhu7UpkD85MbrsrjvwMTxqnqe
  • DogeCoin
    • DJJ2gcQ6WP59Z7mRuGKaW6sbMpcBvGqfoE
  • Dash
    • XcsNx9hSEqDzFZrBrVViiZ8GhYgndBVyEY
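The following script is an added example and is not part of this repository: it compiles the hidden-service and cryptocurrency patterns from the Regular Expressions sections above (with the dots in the Tor and I2P b32 patterns escaped) and runs them over a constructed piece of text that contains the example addresses from the list above plus made-up .onion and .i2p hostnames. Two things are assumptions of the example rather than part of the README: each pattern is wrapped in `\b(?:...)\b` so it only fires on whole tokens instead of on substrings of longer addresses, and a second pass reports strings that more than one pattern claims. That second pass is the check an investigator wants, because the Ripple pattern `[0-9a-zA-Z]{24,34}` also matches every other 34-character base58 address in the sample, so Ripple hits need manual triage.

```python
import re

# Patterns from the README's "Regular Expressions" sections, dots escaped.
# The \b(?:...)\b wrapper applied below is an addition of this example, not
# part of the README: without it the patterns also match inside longer tokens.
PATTERNS = {
    "tor": r"[a-z2-7]{16}\.onion|[a-z2-7]{56}\.onion",
    "i2p_b32": r"[a-zA-Z0-9]{52}\.b32\.i2p",
    "i2p_name": r"[a-zA-Z0-9]+\.i2p(?<!b32\.i2p)",
    "btc": r"[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59}",
    "ltc": r"[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}",
    "eth": r"0x[a-fA-F0-9]{40}",
    "xrp": r"[0-9a-zA-Z]{24,34}",
    "doge": r"D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}",
    "xmr": r"[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}",
    "dash": r"X[1-9A-HJ-NP-Za-km-z]{33}",
}
COMPILED = {name: re.compile(r"\b(?:%s)\b" % pat) for name, pat in PATTERNS.items()}


def scan(text):
    """Return {pattern_name: [matched strings]} for every pattern that fires."""
    hits = {}
    for name, rx in COMPILED.items():
        found = [m.group(0) for m in rx.finditer(text)]
        if found:
            hits[name] = found
    return hits


def ambiguous(hits):
    """Strings claimed by more than one pattern; these need manual triage."""
    claims = {}
    for name, found in hits.items():
        for s in found:
            claims.setdefault(s, []).append(name)
    return {s: names for s, names in claims.items() if len(names) > 1}


# Constructed sample text. The wallet addresses are the README's own
# "Cryptocurrency Address Examples"; the .onion and .i2p hosts are made up
# here (valid base32 / alphanumeric shapes only) and are not real services.
V3_ONION = ("abcdefghijklmnopqrstuvwxyz234567" * 2)[:56]
B32_I2P = ("abcdefghijklmnopqrstuvwxyz234567" * 2)[:52]
SAMPLE = f"""
seized note: send 0.5 BTC to 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX
or to bc1qj89046x7zv6pm4n00qgqp505nvljnfp6xfznyw
ltc LVtdzELRdQDTa35y1bQPKTSvL3TEv1y5Ut
eth 0xF25228015a2be633a6a60e9cB4643813DAf28AA0
xrp rJiZJRSiseTcKWepsAC6ed6EDbgu2ohPov
xmr 49fpXfThF8bZwuLADG1WZ57vM8oNEuQGaHyBEomSXaaAZhCQqX6j4E9QNz6cqniBrian3zZhu7UpkD85MbrsrjvwMTxqnqe
doge DJJ2gcQ6WP59Z7mRuGKaW6sbMpcBvGqfoE
dash XcsNx9hSEqDzFZrBrVViiZ8GhYgndBVyEY
contact http://abcdefghijklmnop.onion/ or http://{V3_ONION}.onion/
mirror http://{B32_I2P}.b32.i2p/ and http://example.i2p/
"""

if __name__ == "__main__":
    hits = scan(SAMPLE)
    for name, found in hits.items():
        print(name, found)
    # Every 34-character base58 address is also reported as "xrp".
    print("ambiguous:", ambiguous(hits))
```

Running it prints one entry per pattern and then the ambiguous set, which contains the Bitcoin legacy, Litecoin, Dogecoin and Dash addresses each claimed by their own pattern and by `xrp`. Drop the `\b` wrapper to see the README's patterns as listed: the Dash and Bitcoin legacy patterns then also fire inside the Monero address.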

Android Resources

Lock Pattern Wordlist

Pattern.7z includes an Android Lock Pattern Wordlist taken from over 15,000 actual cases worked. The first 88 patterns should match about 80% of the commonly used lock patterns. Special thanks to Bjoern Kerler for providing this to the DFIR community.

Contributing to This Project

New to GitHub? No problem! Here is a repo that you can test the instructions below on until you're comfortable contributing to this repo!

Fork this repo by clicking on the Fork button on the top right of this page.

After that, you'll be working off of your Fork of this repository, which is effectively a snapshot in time.

As time goes on, this repository will evolve and your Fork will be left behind if you don't keep it updated. Be sure to Fetch Upstream before contributing again, so you have the most up-to-date copy of the repository before you start adding to it!

[Image: GitHub Fetch Upstream, merge and contribute example]

Above is an example of Fetch Upstream combined with opening a Pull Request, which is what you should do when you have something new you'd like to add to the main repo.

New to Markdown? No problem!

  • Use StackEdit to write in Markdown with live preview.
  • Additionally, GitHub has a useful guide for Markdown syntax here.
  • Need help with making/using tables in Markdown? Check out this site!