Unit 1: Computer Forensics Fundamentals
1.1 Computer Forensics Fundamentals: Data Acquisition & ...

>> With the chain of custody started, we begin the process of evidence acquisition,
preservation, analysis, and reporting.


In this unit we will demonstrate one or two tools for each step
to help you understand the process.


In later units, we will cover more technologies in detail for different operating systems.


In computer forensics, as we mentioned earlier, we focus on digital data.


This includes any information either in process, stored, or in transit in the form of files,
metadata like permissions, and deleted data.


From this data, investigators will get information about individuals,
determine what happened, construct a timeline, and discover malicious tools
or exploits used by the attacker.


Different cybercrimes may lead to different digital evidence.


For example, cyberstalkers may use emails to harass their victims.


Computer hackers usually leave malware, back doors, and other activities in system log files.

Child pornographers have digital images, possibly hidden images, stored on their devices.


Acquisition includes acquiring both volatile and non-volatile data.


Volatile data requires power to maintain the stored information, like data in memory.


Data stored on hard drives is a common example of non-volatile data.

We always acquire volatile data first because they're short-lived.


To acquire volatile data, for example network interface state,
we simply run a command such as ifconfig or ipconfig.


Please be aware that when collecting evidence from a suspect machine,
you have to make sure all output is redirected outside of the suspect machine.


Because otherwise you are tampering with the data.
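The volatile-data acquisition described above, as an added example that is not part of the lecture: a POSIX shell script that collects volatile state in order of volatility and sends all of it off the suspect machine through a pipe, so nothing is written to the suspect's own disk. The forensic host name, the port and the nc listener are assumptions for illustration, as is the particular list of commands, which is guarded because not every host has every tool.

```shell
#!/bin/sh
# Added example, not part of the lecture: collect volatile data from a suspect
# host, most short-lived state first, and stream it straight off the box.
# The "nc forensic-host 9999" sink below is an assumption for illustration.

# section NAME CMD [ARGS...]: print a header line, then the command's output.
# Commands are guarded so the collection degrades (rather than aborting) on a
# host that lacks one of them.
section() {
    name=$1
    shift
    echo "### $name"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 || echo "(exit status $?)"
    else
        echo "($1 not available)"
    fi
}

# acquire_volatile: everything goes to stdout only; no temp files, no local log,
# so the only write on the suspect machine is to the pipe that leaves it.
acquire_volatile() {
    echo "### acquisition_start_utc $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    section hostname uname -a
    section uptime uptime
    section network_interfaces ip addr      # ifconfig on older systems, ipconfig on Windows
    section network_connections ss -tunap    # netstat -ano on older systems
    section arp_cache ip neigh
    section processes ps -ef
    section logged_in_users who
    section mounts cat /proc/mounts
    echo "### acquisition_end_utc $(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# On the suspect machine the whole stream is redirected off-host (assumed sink):
#   acquire_volatile | nc forensic-host 9999
# On the forensics machine the listener stores it on the sanitized evidence drive
# and hashes the stream as it arrives, so the recorded hash is of what was received:
#   nc -l -p 9999 | tee /evidence/case01/volatile.txt | sha256sum

# Run stand-alone it simply prints to the terminal; in a real case, pipe it as above.
acquire_volatile
```

The order of the sections is the point: network state and process lists change while you type, file-system mounts much less so. Hashing happens on the receiving side because the suspect machine is exactly the place where you cannot trust the tools or leave a file behind.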


In addition, you have to make sure unwanted data is not retained on the drive of the receiving machine.


We usually call the receiving machine the forensics machine. You have to avoid the danger
of residual data on your target drive corrupting your evidence.


In common practice, you sanitize the evidence drive
of the forensics machine before data acquisition.

The method of wiping a hard disk will be covered later.

A bitstream copy gets every single bit of every byte on a device.

It performs on the drive level, not on a file level, ignoring the end of file marker;
therefore, this process is often called hard drive imaging,
bitstream imaging, or forensic imaging.


While commands such as cp, tar, cpio, dump, and restore only copy file content,
stopping at the end-of-file marker, a bitstream copy copies every bit
on the drive, including deleted data.


Both dd and FTK Imager are well-known forensic imaging tools.


In the next video I will try to demonstrate how to use FTK Imager to create an image,
and we will cover dd in a later lecture.


Demo: FTK Imager

>> Hi everyone.
In unit one, we have learned that a bitstream copy makes a bit-for-bit copy
of all sectors on the drive.


Now let's explore one well-known forensic imaging tool called FTK Imager.


FTK Imager is a free tool.



In this unit's activity, I provide instructions for where
to download the software and then how to play with it.


In this demo, we will use FTK Imager to bitstream copy the contents of a USB drive.


Now, if the USB drive is larger, then certainly it takes longer to image.


And I am only using a USB drive with 1 GB of content.


Also please be aware, FTK Imager does not guarantee data is not written
to the drive during imaging.



So a write blocker should be used in a real case.


Assume you have a USB write blocker for this exercise.



Okay.
Let's play now.



We open up FTK Imager from my toolbox.



Now here you will see FTK Imager may modify the drive you are imaging,
so you have to use a write blocker.


So we open the File menu.


Create Disk Image, because we are creating a disk image.


So we choose Physical Drive since the USB is a physical drive, and then we select the correct
one, the one we want to image.


Click finish.



Now here we need to describe what type of image we want to create
and where we should put this FTK image.


We use raw dd.



In this case we create a raw dd type; FTK Imager can also create other types
like FT --, and we will describe those later.


But in this case we only use dd, creating a dd raw image.


Now we fill in information such as the case name and evidence number,
a description, and the examiner name.


That information will eventually be displayed in the summary file, the FTK image summary
file.


And here we'll describe where this image should be stored.



We will put it on the desktop.


You can choose any place you would like to.



And then the image file name you want to call it.


We call it FTK Imager Demo.



Okay.
Now there's another option called Verify images after they are created.


If this is checked (by default it is checked), FTK Imager will create MD5 and SHA1 hashes
after imaging is done, and it will verify the hashes match.


Then the imaging process is done.



So for FTK Imager, the preservation part is automatically built into the tool.


Now it is imaging and you see the status bar moving.



That's great for telling you how far it has gone.


I'm using a 1 GB USB drive, so it should be very quick to finish.


After it's done, the MD5 hash and SHA1 hash are created.


Now the bad sector list tells you whether it encountered any bad sectors.


If that's the case then we will be in trouble because the hashes will not match.



So all that information is created.


Now imaging is done because the original matches the image.


In the summary file it details all information about the USB drive you're acquiring, and then the
MD5 and SHA1 hashes.


So now we are done with imaging and we look at our desktop.



There are two files created.



The name is kind of confusing.



Both are called FTK Imager Demo, but actually one file is a text file.



It's a summary, and the other file is the image itself.


If you look at the time stamp -- if you look at the description, you will see.



So this is the text one.


This is the text file.


It is the same as the summary.


It's created to give you a summary of the imaging process.


Now let's open -- now let's open the image we created.


We say Add Evidence Item.


FTK Imager not only can view -- not only creates images, it also can view them.


So we choose Image File because we created an image file.


So we browse in the tool to the image file we identified on our desktop.


Moving down now you will see two files named FTK Imager Demo, but one is called the 001
file.


The other one is called a text document.


So we open up the 001 file.



That's the image.
Say Finish.


So now FTK Imager allows you to view the image you created.


You cannot do many analysis functions here.



Another tool called FTK will do it, but FTK Imager at least lets you browse through
and simply see the content.


And by using the image you created -- yeah, you can look into each of the folders.


Whenever it has a plus you can expand it, and those details -- I will talk about that
later.



And the one with an X, a red X mark on it, that one is a deleted file.


So interestingly, now we have used FTK Imager to create an image and also to view it.


There are other functions.



For example, Capture Memory -- that will dump memory out, dump the current memory out.


And Obtain Protected Files, that will dump out system files
such as the Windows registry files.


So you can see FTK Imager is quite useful and has many functionalities.
Hopefully you enjoy it.
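The dd imaging mentioned in the first part of this unit and the image-then-verify steps of the FTK Imager demo, done from a shell as an added example that is not part of the lecture. The 1 MiB source built from /dev/urandom is constructed for the demo and stands in for the USB stick; the paths, and /dev/sdb as the example of a real source behind a write blocker, are assumptions.

```shell
#!/bin/sh
# Added example, not part of the lecture: a dd bitstream image with the same
# "image, then verify the hashes" steps FTK Imager performs. The source built
# here from /dev/urandom is constructed for the demo; on a real case SRC is the
# block device behind the write blocker (assumed e.g. /dev/sdb) and DST lives on
# the sanitized evidence drive of the forensics machine.
set -eu

# image_device SRC DST: bit-for-bit copy of SRC into DST. The acquisition hash is
# taken from the byte stream as it leaves the source, so the source is read only
# once; the verification hash is taken from the finished image file. Writes a
# DST.txt summary (the place for case number, evidence number and examiner too)
# and returns 0 only if the two SHA-1 values match, i.e. what was read is exactly
# what landed on the evidence drive.
image_device() {
    src=$1
    dst=$2
    # bs=512 is one sector, so conv=sync zero-pads only a genuinely short read
    # (with a larger bs a partial last block would be padded too); conv=noerror
    # keeps dd going past read errors instead of stopping. dd's stderr is kept:
    # read errors would be listed there, the counterpart of FTK's bad-sector list.
    acq_sha1=$(dd if="$src" bs=512 conv=noerror,sync 2>"$dst.dd.log" \
               | tee "$dst" | sha1sum | cut -d' ' -f1)
    ver_sha1=$(sha1sum < "$dst" | cut -d' ' -f1)
    ver_md5=$(md5sum < "$dst" | cut -d' ' -f1)
    if [ "$acq_sha1" = "$ver_sha1" ]; then verdict=MATCH; else verdict=MISMATCH; fi
    {
        echo "Source device:           $src"
        echo "Image file:              $dst"
        echo "Acquired (UTC):          $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "Image size (bytes):      $(wc -c < "$dst" | tr -d ' ')"
        echo "SHA1 of acquired stream: $acq_sha1"
        echo "SHA1 of image file:      $ver_sha1"
        echo "MD5 of image file:       $ver_md5"
        echo "Verification:            $verdict"
        echo "dd messages (read errors would appear here):"
        cat "$dst.dd.log"
    } > "$dst.txt"
    [ "$verdict" = MATCH ]
}

# Constructed demo source: 1 MiB of pseudo-random bytes standing in for the USB drive.
make_demo_source() {
    head -c 1048576 /dev/urandom > "$1"
}

WORK=$(mktemp -d)
make_demo_source "$WORK/usb.dev"
image_device "$WORK/usb.dev" "$WORK/FTK_Imager_Demo.001"
cat "$WORK/FTK_Imager_Demo.001.txt"
```

Two things the block size choice buys you: dd's conv=sync pads every short read up to bs, so with a large bs a device whose size is not a multiple of bs would get trailing zeros in the image, and with bs=512 an unreadable sector becomes exactly 512 zero bytes plus a message in the dd log. Either way the acquired bytes are no longer identical to the media, which is what the verification hashes and the bad-sector list in the FTK Imager summary are there to tell you.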

 

Reposted from: https://www.cnblogs.com/sec875/articles/9997629.html
