Unit 1: Computer Forensics Fundamentals 1.1 Computer Forensics Fundamentals Forensic Investigati...

>> We emphasized in the previous video that forensic procedure
and technologists are the two most important aspects in computer forensics.


Now, let's get into the forensics procedure.


When a computer incident is confirmed, forensic investigation starts.


If the suspect machine is still on and connected to the network, how do we start?


Should we turn the system off?
The answer is, we should follow the company's incident response policies and procedures
to decide whether to turn off the suspect machine immediately or not.

However, we should be aware that if we turn the system off, we will lose computer memory
and volatile data, such as logged-in users, TCP connections, and the running processes,
etc.

If possible, we should collect the volatile data before turning off the machine.


If the suspect machine can be turned off, the second question is, how to turn off the system?


Turn off gracefully or forcefully?


If you turn off the system gracefully, it ensures the system remains
in a consistent state, since graceful shutdown includes flushing buffers to save information
to disks, notifying users and services, etc.

However, intruders may have installed rootkits
to destroy evidence upon receiving graceful shutdown command.


For example, they may delete certain or all files on the system.


You will lose volatile data, including the network state, such as network connections
and ARP tables, along with running processes, logged-in users, kernel and swap space contents.


If you shut down the system forcefully by yanking the power cord,
it will avoid potential loss of evidence caused by rootkits.


However, it may cause data in cache not to be written to disk, leave data in an inconsistent state,
and you will still lose volatile data.


Comparing these two shutdown scenarios from a forensic perspective,
you should always yank the power cord, and you have to document every action.


The forensic procedure starts with establishing a detailed chain of custody.


The concept for chain of custody is not new.


It is to maintain a record of how evidence has been handled, from the moment it was collected
to the moment it was presented to a court.


Chain-of-custody items include date and the time the evidence was collected,
full name and signature of each person possessing the evidence, and for how long,
location and lockers for the evidence, and whether it was stored in a tamper-proof manner.


You must document all activities and transfers of the evidence
from one person to another person.


If a computer is seized and powered off, then the hard drives should be removed
and tagged separately from the system.


The maker, model, and serial number for hard drives, along with other descriptions
of evidence, case number, and item or tag number of evidence should be recorded.
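As an added example (not part of the original lecture), here is a small Python chain-of-custody log for one tagged drive covering the items listed above: it records collection, each transfer and storage with custodian, location, time and whether storage was tamper-proof, hash-chains the entries so a later alteration of the record is detectable, and computes how long each person held the item. All names, case and tag numbers, drive details and times in `demo_log` are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

def _chain_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so identical records always hash identically.
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

class CustodyLog:
    def __init__(self, case_number: str, tag_number: str, item: dict):
        self.header = {"case": case_number, "tag": tag_number, "item": item}
        self.entries = []  # each entry commits to the hash of the one before it

    def record(self, action: str, custodian: str, location: str,
               tamper_proof: bool, when: datetime) -> None:
        prev = self.entries[-1]["hash"] if self.entries else _chain_hash("", self.header)
        fields = {"action": action, "custodian": custodian, "location": location,
                  "tamper_proof": tamper_proof, "time": when.astimezone(timezone.utc).isoformat()}
        self.entries.append({**fields, "hash": _chain_hash(prev, fields)})

    def verify(self) -> bool:
        # Recompute the chain from the header; editing or dropping any entry breaks a link.
        prev = _chain_hash("", self.header)
        for e in self.entries:
            fields = {k: v for k, v in e.items() if k != "hash"}
            if _chain_hash(prev, fields) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def custody_hours(self) -> dict:
        # Hours each person held the item between consecutive entries (the
        # current holder's still-open period is not counted).
        hours = {}
        for a, b in zip(self.entries, self.entries[1:]):
            held = datetime.fromisoformat(b["time"]) - datetime.fromisoformat(a["time"])
            hours[a["custodian"]] = hours.get(a["custodian"], 0.0) + held.total_seconds() / 3600
        return hours

def demo_log() -> CustodyLog:
    # Constructed sample (names, numbers and times are made up): a drive removed
    # from a seized, powered-off machine and tagged separately from the chassis.
    item = {"type": "hard drive", "maker": "ExampleCorp", "model": "HD-1000", "serial": "SN-FAKE-1234"}
    log = CustodyLog("CASE-0001", "ITEM-07", item)
    t = lambda h: datetime(2024, 1, 10, h, 0, tzinfo=timezone.utc)
    log.record("collected from chassis", "A. Investigator", "site office", True, t(9))
    log.record("transferred", "B. Examiner", "forensics lab", True, t(11))
    log.record("stored", "B. Examiner", "evidence locker L-3", True, t(15))
    return log
```

In practice the signed paper form remains the legal record; a hash-chained copy like this only makes silent edits to the electronic log detectable.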

Reprinted from: https://www.cnblogs.com/sec875/articles/9971087.html
