Unit 1: Computer Forensics Fundamentals
1.1 Computer Forensics Fundamentals

>> You may be familiar with the concept of computer forensics
from the TV series Crime Scene Investigation (CSI) and its spinoff, CSI: Cyber.


Modern computer crime, or cybercrime, includes child pornography, fraud, terrorism, extortion,
cyberstalking, money laundering, forgery, and identity theft, among others.


For cybercrime investigations, detectives rely heavily on digital evidence,
such as suspects' GPS data, smartphone data, and computer network data.


The ultimate goal of a forensic investigation is to identify, analyze, and reconstruct past events
or activities, and to present admissible evidence in court.


Starting this week we will study computer forensics concepts, along with the appropriate procedures
and technologies a forensic investigator uses to work
on digital evidence without tampering with the data.


The field of computer forensics is relatively young.


In 1999, Dan Farmer and Wietse Venema, both computer security researchers
and programmers, presented the forensic process
and the first computer forensic suite, The Coroner's Toolkit (TCT),
which marked the beginning of the computer forensics field.


In their presentation, Farmer and Venema defined computer forensics as gathering
and analyzing data in a manner as free from distortion or bias as possible,
to reconstruct data or what has happened in the past on a system.


That is a long definition, but in practice it means that computer forensic investigators use forensic
tools and follow appropriate procedures to collect, preserve, analyze,
and report admissible evidence to court, providing their
critical judgment of exactly what has happened.


The term preserve here means to assure that the evidence presented
to court has never been modified.


This is crucially important.


Following forensic procedure and using appropriate tools are important.


The digital evidence could be tainted depending on how it was collected
and analyzed and where it was stored.


Also, if you copy a file using, for example, the Linux/Unix command cp,
you modify the file's access time, which accidentally taints the evidence.
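To make the preservation point concrete, here is an added example (not code from the lecture) that fingerprints a constructed evidence file before and after copying, verifies the copy by SHA-256, and records any timestamp change; `shutil.copyfile` stands in for a plain `cp` and `shutil.copy2` for `cp -p`, which carries timestamps over to the copy.

```python
import hashlib
import os
import shutil
import tempfile

# Added example (not the lecture's code): fingerprint an evidence file before
# and after copying so that the copy is verified by hash and any timestamp
# change, such as the access-time update a plain read causes, is documented.

def fingerprint(path):
    """Size, the three Unix timestamps and SHA-256 of `path`.
    stat() comes first because hashing itself reads the file, and any read may
    update atime; that is why originals are imaged read-only or via a write blocker."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"size": st.st_size, "atime_ns": st.st_atime_ns,
            "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns,
            "sha256": h.hexdigest()}

def acquire(src, dst, preserve_times):
    """Copy src to dst like a plain `cp` (copyfile) or `cp -p` (copy2, which
    carries timestamps over) and report what survived the operation."""
    before = fingerprint(src)
    (shutil.copy2 if preserve_times else shutil.copyfile)(src, dst)
    copy, after = fingerprint(dst), fingerprint(src)
    return {
        "before": before,
        # content must be identical in the source and the copy
        "content_intact": before["sha256"] == copy["sha256"] == after["sha256"],
        # a plain copy stamps the copy with a fresh mtime; copy2 keeps the original
        "copy_mtime_preserved": copy["mtime_ns"] == before["mtime_ns"],
        # reading the source may have bumped its atime (depends on mount options)
        "source_atime_changed": after["atime_ns"] != before["atime_ns"],
    }

def demo():
    """Run both copy styles on a constructed sample file in a temp directory."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "evidence.bin")
    with open(src, "wb") as f:
        f.write(b"constructed sample evidence\n" * 100)
    plain = acquire(src, os.path.join(workdir, "plain_copy.bin"), False)
    kept = acquire(src, os.path.join(workdir, "preserved_copy.bin"), True)
    return plain, kept
```

`demo()` returns the two report dictionaries; whether `source_atime_changed` is True depends on the mount's atime policy (noatime/relatime), which is exactly the kind of detail an examiner records rather than assumes.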


Let's look at types of computer forensics technology.


When reconstructing evidence, the first question is:
Where do we extract or collect evidence from?
The evidence may reside in computer systems, computer networks, computer media,
computer peripherals -- basically everywhere.


Data can be in one of three states: at rest, which means stored on a computer drive,
in the Cloud, on a USB drive, on a mobile phone, etc.; in use, which means data
in a computer's memory that is currently in use; or in transit,
which means moving through a network.


The forensic tools that collect and analyze data at rest are different
from the tools targeting data in transit.


So based on that, we can categorize computer forensics by the technologies used to work
with different types of evidence.


System forensics focuses on evidence from volatile data, such as data in memory,
and non-volatile data, which resides on hard drives, computer discs, floppy discs,
magnetic tapes, Zip and Jaz discs, log files,
etc.

Network forensics determines what happened on a system based on the study of network traffic,
such as timeline analysis, IP addresses, or the contents of packets.


This task is technically challenging since this evidence is often transient
and does not last as long as stored media.


Cloud forensics is an emerging area focusing on Cloud-based evidence, such as Google Drive
or web-based email stored on servers owned by a third party.


This course, however, focuses primarily on computer system forensics,
especially for the Windows and Linux/Unix operating systems.


While forensic tools and technologies differ across the various types of operating systems,
the general forensic procedure remains the same.

Now, we know that computer forensics uses technologies
to discover information about illegal activities.


There is also a counterpart called anti-digital forensics, or ADF,
which consists of technologies designed to thwart discovery of such information.

ADF approaches aim to manipulate, erase, or obfuscate digital data
to make forensic examination difficult, time-consuming, or virtually impossible.


Here are some examples of ADF technologies:
renaming files by changing their file extensions; hiding data by associating good blocks
with bad-block inodes; overwriting data and metadata, sometimes called wiping;
and hiding or obfuscating data through steganography, cryptography, and other methods.
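The first ADF trick above, a changed file extension, is routinely countered by file signature analysis. The following is an added example (not the lecture's code) that compares each file's claimed extension with its leading bytes; the signature table and the sample headers are a small constructed subset, not a complete database.

```python
import os

# Added example (not the lecture's code): counter the "renamed extension" ADF
# trick by comparing a file's claimed extension with its signature (magic
# bytes). The signature table is a small constructed subset, not a full database.
SIGNATURES = [
    # (canonical type, extensions that legitimately carry it, leading bytes)
    ("jpeg", {"jpg", "jpeg"}, b"\xff\xd8\xff"),
    ("png", {"png"}, b"\x89PNG\r\n\x1a\n"),
    ("gif", {"gif"}, b"GIF8"),            # covers GIF87a and GIF89a
    ("pdf", {"pdf"}, b"%PDF-"),
    ("zip", {"zip", "docx", "xlsx", "pptx", "jar"}, b"PK\x03\x04"),
    ("pe", {"exe", "dll", "sys", "scr"}, b"MZ"),
    ("elf", {"elf", "so", ""}, b"\x7fELF"),  # "" = no extension, common on Unix
]

def identify(header):
    """Return (canonical type, allowed extensions) for the header, or None."""
    for kind, exts, magic in SIGNATURES:
        if header.startswith(magic):
            return kind, exts
    return None

def check_extension(name, header):
    """Classify one file: 'match', 'mismatch' (the extension lies about the
    content) or 'unknown' (no signature in the table)."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    found = identify(header)
    if found is None:
        return "unknown", None
    kind, exts = found
    return ("match" if ext in exts else "mismatch"), kind

def scan(files):
    """files: {name: first bytes}. Return the mismatches as (name, real type)."""
    flagged = []
    for name, header in files.items():
        status, kind = check_extension(name, header)
        if status == "mismatch":
            flagged.append((name, kind))
    return flagged

# Constructed sample: the first bytes of four files as an examiner would read them
SAMPLES = {
    "holiday.jpg": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",  # PNG posing as JPEG
    "invoice.pdf.txt": b"MZ\x90\x00\x03\x00\x00\x00",       # executable renamed .txt
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",           # honest PDF
    "notes.txt": b"meeting at noon\n",                       # no signature: unknown
}
```

`scan(SAMPLES)` flags the first two entries; a mismatch is a lead to examine, not proof of intent, since some formats share containers (a .docx really is a ZIP).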


Finally, I want to discuss the role of the expert witness,
which is one of the computer forensic examiner's most important functions.


Expert witnesses appear in court before judges, attorneys, juries, and other attendees
to state their findings, opinions, and conclusions within the bounds of the trial.


Expert witnesses follow the procedure of the court, testifying to the scientific basis
of their findings, analyses, and conclusions,
and demonstrating the scientific knowledge associated with their areas of expertise.


It is critical that the expert shows no bias in action or explanation and speaks only truths.

Reposted from: https://www.cnblogs.com/sec875/articles/9965904.html
