LESSON 8 DIGITAL FORENSICS part II


8.1 Forensic Principles
8.1.0 Introduction
There are a number of basic principles that are necessary regardless of whether you
are examining a computer or a corpse. This section is a quick summary of these principles.
8.1.1 Avoid Contamination
On TV you see forensic examiners dressed up in white suits with gloves, handling all
evidence with tweezers and putting it into sealed plastic bags. This is all to prevent
“contamination”. This is where evidence is tainted, for example, by fingerprints being added
to the handle of a knife by someone picking it up (think The Fugitive if you have seen it ... Look
what trouble it got him into ! )
8.1.2 Act Methodically
Whatever you do, when ( if ? ) you get to court, you will need to justify all the actions
that you have taken. If you act in a scientific and methodical manner, making careful notes
of what it is that you are doing and how you do it, this justification becomes much easier. It
also allows for someone else to follow your steps and verify that you haven't made a mistake
which may cast the value of your evidence in doubt.

8.1.3 Chain of Evidence
You must maintain something called the “Chain of Evidence”. This means that at any
point in time, from the seizure of the evidence until its final presentation in court, you can
account for who has had access to it and where it has been. This rules out the possibility that
someone has tampered with it or falsified it in some way.
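The three principles above (avoid contamination, act methodically, keep the chain of evidence) translate directly into practice when the evidence is a disk image: hash it at acquisition, write down every hand-over, and re-hash before presenting it. The following is an added example, not code from the lesson; the image bytes, names, timestamps and locations are constructed for illustration.

```python
"""Chain-of-custody record for a seized disk image.

Added example, not code from the lesson. The image bytes, names,
timestamps and locations below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict

# Constructed stand-in for a forensic image (a real one would be a dd/E01 file).
SAMPLE_IMAGE = (b"\x55\xaa" + b"constructed disk image bytes " * 8 + b"\x00" * 16) * 32


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence; recomputed later to prove nothing changed."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str       # ISO-8601 UTC timestamp of the action or hand-over
    who: str        # person accountable for the item from this point on
    where: str      # where the item is (evidence safe, bench, courier bag ...)
    action: str     # seized, imaged, transferred, examined, returned ...
    note: str = ""  # methodical notes: tool used, write-blocker, seal number ...


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    acquisition_hash: str  # hash taken at imaging time, behind a write-blocker
    log: list = field(default_factory=list)

    def record(self, when, who, where, action, note=""):
        """Every access is written down so the chain can be reconstructed in court."""
        self.log.append(CustodyEntry(when, who, where, action, note))

    def verify(self, image: bytes) -> bool:
        """Contamination check: a single changed byte breaks the acquisition hash."""
        return sha256_hex(image) == self.acquisition_hash

    def custodians(self):
        """Ordered list of who has held the item: the chain-of-evidence question."""
        return [entry.who for entry in self.log]

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)


def acquire(item_id, description, image, when, who, where, note=""):
    """Open the record at seizure: hash first, then log the first custody entry."""
    rec = EvidenceRecord(item_id, description, sha256_hex(image))
    rec.record(when, who, where, "seized and imaged", note)
    return rec


if __name__ == "__main__":
    rec = acquire("HDD-001", "2.5in laptop drive (hypothetical case)", SAMPLE_IMAGE,
                  "2024-01-05T09:00:00Z", "Examiner A", "evidence safe 2",
                  "imaged through hardware write-blocker, seal 0042")
    rec.record("2024-01-06T10:00:00Z", "Examiner B", "analysis bench 1",
               "transferred for examination", "working copy made; original resealed")
    print(rec.to_json())
    print("image still matches acquisition hash:", rec.verify(SAMPLE_IMAGE))
    tampered = SAMPLE_IMAGE[:-1] + b"\x01"
    print("tampered copy matches:", rec.verify(tampered))
```

The hash is taken once, at acquisition, and never updated; analysis is done on a working copy, and `verify()` is run on the original before it goes to court. The log deliberately has no delete method: a gap in the list of custodians is exactly what opposing counsel will look for.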
8.1.4 Conclusion
Keep these things in mind, and even if you are not going to take your work to court,
you will be able to maximize your abilities as a forensic examiner.

8.2 Stand-alone Forensics
8.2.0 Introduction
This section is about the forensic examination of an individual machine. For want of a better
term, we will call it “stand-alone forensics”. This is probably the most common part of
computer forensics - its main role is to find out what has been done using a particular
computer. The forensic examiner could be looking for evidence of fraud, such as financial
spreadsheets, evidence of communication with someone else, e-mails or an address book, or
evidence of a particular nature, such as pornographic images.

8.2.1 Hard Drive and Storage Media Basics
There are several components that make up an average computer: the processor,
memory, graphics card, CD drives and much more. One of the most crucial components is
the hard disk (hard drive). This is where the majority of the information that the computer requires
to operate is stored. The Operating System (OS), such as Windows or Linux, resides here, along
with user applications such as word processors and games. This is also where significant
amounts of data are stored, either deliberately, through the action of saving a file, or
incidentally, through the use of temporary files and caches. This allows a forensic examiner to
reconstruct the actions that a computer user has carried out on a computer, which files have
been accessed and much, much more.
There are several levels at which you can examine a hard disk. For the purposes of this
exercise, we are only going to look at the file system level. It is worth noting, though, that
professionals are capable of looking at a disk in far greater detail to determine what it
used to contain, for example by recovering deleted files from space the file system no longer lists as in use.
The file system is the computer's implementation of a filing cabinet. It contains drawers
(partitions), folders (directories) and individual pieces of paper (files). Files and directories can
be marked hidden, although this is only a superficial thing and can easily be overcome.
Working through the following Exercises should give you a far better understanding of the
basics of disk storage.
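The "drawers" in the filing-cabinet analogy are partitions, and the table that labels them is the first thing an examiner reads off a disk before any file system is mounted. The following is an added example, not code from the lesson: it parses a classic MBR partition table from a 512-byte sector that is constructed in the code itself, and then lists the sector ranges no partition claims, which is where data can sit without showing up in any file system at all.

```python
"""Parse an MBR partition table: the "drawers" of the filing cabinet.

Added example, not code from the lesson. The 512-byte sector below is
constructed in code; the offsets are those of the classic MBR layout.
"""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # bootstrap code occupies bytes 0..445
ENTRY_SIZE = 16               # four entries, bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FORMAT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count

PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
    0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
}


def build_entry(bootable, ptype, lba_start, sectors):
    """Pack one 16-byte entry; CHS fields are zeroed since only LBA is used here."""
    status = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FORMAT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)


def build_sample_mbr():
    """Constructed sector: a bootable NTFS partition, then a Linux partition."""
    table = (build_entry(True, 0x07, 2048, 409600)
             + build_entry(False, 0x83, 411648, 204800)
             + b"\x00" * (2 * ENTRY_SIZE))
    return b"\x00" * TABLE_OFFSET + table + BOOT_SIGNATURE


def parse_mbr(sector):
    """Return the non-empty partition entries of one MBR sector as dicts."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR sector")
    partitions = []
    for index in range(4):
        off = TABLE_OFFSET + index * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            ENTRY_FORMAT, sector[off:off + ENTRY_SIZE])
        if ptype == 0x00 and count == 0:
            continue  # unused slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "lba_start": lba,
            "sectors": count,
            "lba_end": lba + count - 1,
            "size_bytes": count * SECTOR_SIZE,
        })
    return partitions


def unallocated_ranges(partitions, total_sectors):
    """Sector ranges no entry claims (sector 0, the MBR itself, is excluded).

    Data can live here without belonging to any file system, so an examiner
    inspects these ranges instead of trusting the partition table alone.
    """
    ranges = []
    cursor = 1
    for part in sorted(partitions, key=lambda p: p["lba_start"]):
        if part["lba_start"] > cursor:
            ranges.append((cursor, part["lba_start"] - 1))
        cursor = max(cursor, part["lba_end"] + 1)
    if cursor < total_sectors:
        ranges.append((cursor, total_sectors - 1))
    return ranges


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        flag = "*" if p["bootable"] else " "
        print(f"#{p['index']} {flag} {p['type_name']:<14} "
              f"LBA {p['lba_start']}-{p['lba_end']} ({p['size_bytes'] // 2**20} MiB)")
    print("unallocated:", unallocated_ranges(parts, 1_000_000))
```

To run this against a real image, read the first 512 bytes of the file and pass them to `parse_mbr()`; a disk using GPT will show a single protective entry of type 0xEE, which is the cue to parse the GPT header at LBA 1 instead. The unallocated-range check is the simplest form of the point made in the text: what the table (or a "hidden" attribute) says is there is superficial, and the examiner looks at the sectors themselves.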
