Table of Contents
8.0 Introduction
8.1 Forensic Principles
8.1.0 Introduction
8.1.1 Avoid Contamination
8.1.2 Act Methodically
8.1.3 Chain of Evidence
8.1.4 Conclusion
8.2 Stand-alone Forensics
8.2.0 Introduction
8.2.1 Hard Drive and Storage Media Basics
8.2.2 Encryption, Decryption and File Formats
8.2.3 Finding a Needle in a Haystack
8.2.3.1 find
8.2.3.2 grep
8.2.3.3 strings
8.2.3.4 awk
8.2.3.5 The Pipe “|”
8.2.4 Making use of other sources
8.3 Network Forensics
8.3.0 Introduction
8.3.1 Firewall Logs
8.3.2 Mail Headers
Further Reading
Table of Contents
8.0 Introduction
8.1 Forensic Principles
8.1.0 Introduction
8.1.1 Avoid Contamination
8.1.2 Act Methodically
8.1.3 Chain of Evidence
8.1.4 Conclusion
8.2 Stand-alone Forensics
8.2.0 Introduction
8.2.1 Hardware and Storage Media Basics
8.2.2 Encryption, Decryption and File Formats
8.2.3 Finding a Needle in a Haystack
8.2.3.1 find
8.2.3.2 grep
8.2.3.3 strings
8.2.3.4 awk
8.2.3.5 The Pipe “|”
8.2.4 Making Use of Other Sources
8.3 Network Forensics
8.3.0 Introduction
8.3.1 Firewall Logs
8.3.2 Mail Headers
Further Reading
8.0 Introduction
Forensics concerns the application of a methodical investigation technique in order to
reconstruct a sequence of events. Most people are now familiar with the concept of forensics
from TV and films, “CSI (Crime Scene Investigation)” being one of the most popular. Forensic
science was for a long time – and still is really – most associated with Forensic Pathology –
finding out how people died. The first recorded description of forensics was on just this subject.
In 1248, a Chinese book called Hsi DuanYu (the Washing Away of Wrongs) was published. This
book describes how to tell if someone has drowned or has been strangled.
Digital forensics is a bit less messy and a bit less well known. This is the art of recreating
what has happened in a digital device. In the past it was restricted to computers only, but
now encompasses all digital devices such as mobile phones, digital cameras, and even GPS
devices. It has been used to catch murderers, kidnappers, fraudsters, Mafia bosses and many
other decidedly unfriendly people.
In this lesson, we are going to cover two aspects of forensics (all computer based I'm
afraid – no mobile phone stuff here).
1. What people have been up to on their own computer.
This covers ...
• ... the recovery of deleted files.
• ... elementary decryption.
• ... searching for certain file types.
• ... searching for certain phrases.
• ... looking at interesting areas of the computer.
2. What a remote user has been doing on someone else's computer.
This covers ...
• ... reading log files.
• ... reconstructing actions.
• ... tracing the source.
This lesson is going to focus on the tools available under Linux. There are tools that are
available under Windows, as well as dedicated software and hardware for doing forensics,
but with the capability of Linux to mount and understand a large number of alternate
operating and file systems, it is the ideal environment for most forensic operations.
8.0 Introduction
Forensics concerns the application of a methodical investigation technique in order to reconstruct a sequence of events. Most people have learned the concept of forensics from TV and films; “CSI (Crime Scene Investigation)” has become one of the most popular. Forensic science has long been linked with forensic pathology, investigating the cause of death. The first record of forensics dates to 1248, when a Chinese book was published that tells the reader how to distinguish whether someone was drowned or strangled.
Digital forensics is not as messy, but it is also not as well known. It is the art of recreating what has happened on a digital device. In the past only computers were involved, but now every digital product can be, such as mobile phones, digital cameras and even GPS devices. They have all been used to catch murderers, kidnappers, fraudsters, Mafia bosses and many other people of ill intent.
In these lessons we will introduce two aspects of forensics (probably all of them computer based).
1. What people have been up to on their own computer.
This covers:
• recovering deleted files
• elementary decryption
• searching for files of a certain format
• searching for certain phrases
• looking at interesting areas of the computer
2. What a remote computer has done to someone else's computer.
This covers:
• reading log files
• reconstructing actions
• tracing the source
This lesson concentrates on the tools available under Linux. Some tools are also useful under Windows, and dedicated forensic software and hardware will also be introduced. But because Linux can mount and recognise a large number of operating systems and file systems, it is the ideal environment for forensic operations.