Unit 1: Computer Forensics Fundamentals 1.1 Computer Forensics Fundamentals Data Preservation

>> Since courts require evidence be authentic and unaltered,
the acquired digital evidence must be preserved in its original state.

Forensics uses cryptographic hash algorithms to preserve evidence.

A cryptographic hash algorithm is a one-way function that maps data of arbitrary size,
like a message, to a fixed-size bit stream, also called a hash value.


The same message always results in the same hash value.

Here one-way means it is infeasible to reverse the mapping
to generate a message from its hash value.

A cryptographic hash should be a collision-free algorithm.

That means it is functionally impossible to find two different messages with the same
hash value.

So if we want to prove or authorize that two hard drive images are identical,
we only need to calculate their hashes.

If the hashes are the same, the two images have to be the same according to the collision-free
property.
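
An added example, not part of the lecture: the comparison of two drive images by hash, plus the step that point leads to in practice, recording the acquisition hash in a manifest so the image can be re-verified later with sha256sum -c. The image files, their names and contents are constructed here; the script assumes GNU coreutils sha256sum and uses SHA-256 rather than MD5 because, as the lecture notes, collisions have been found for MD5 and SHA-1.

```shell
#!/bin/sh
# Added example, not from the lecture: compare two acquired images by hash and
# keep a hash manifest so the evidence can be re-verified at any later time.
# The "images" are small constructed files standing in for real drive images.

# Print only the SHA-256 hex digest of a file (sha256sum also prints the name).
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Constructed sample images: drive_copy.dd is a byte-for-byte copy of drive.dd,
# drive_other.dd differs from it in a single byte.
make_samples() {
    printf 'sector0 sector1 sector2' > "$1/drive.dd"
    cp "$1/drive.dd" "$1/drive_copy.dd"
    printf 'sector0 sector1 sector3' > "$1/drive_other.dd"
}

# The lecture's point: two images are identical if (and, by collision
# resistance, only if) their hashes match. Prints "identical" or "differ".
images_identical() {
    if [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]; then
        echo identical
    else
        echo differ
    fi
}

# At acquisition time, record the hash of every image in a manifest. Paths are
# written relative to the evidence directory, so the manifest stays valid when
# the directory is copied to another machine.
record_manifest() {
    ( cd "$1" && sha256sum *.dd > manifest.sha256 )
}

# Later (before analysis, before court): re-hash and compare against the
# manifest. sha256sum -c exits non-zero if any listed file no longer matches.
verify_manifest() {
    if ( cd "$1" && sha256sum -c --status manifest.sha256 ); then
        echo intact
    else
        echo TAMPERED
    fi
}

# Walk through the whole flow in a scratch directory.
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    echo "copy  vs original: $(images_identical "$d/drive.dd" "$d/drive_copy.dd")"
    echo "other vs original: $(images_identical "$d/drive.dd" "$d/drive_other.dd")"
    record_manifest "$d"
    echo "manifest check, untouched:   $(verify_manifest "$d")"
    printf 'X' >> "$d/drive.dd"   # simulate an accidental write to the evidence
    echo "manifest check, after write: $(verify_manifest "$d")"
    rm -rf "$d"
}

demo
```

The manifest is only as trustworthy as its own custody: keep it (or at least the digests it contains) on separate, write-once media or in the case notes, otherwise whoever can alter the image can alter the manifest to match.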


One commonly used cryptographic hash algorithm is MD5, which produces a 128-bit hash value.
Another one, called the SHA algorithm, was developed as a US federal standard and outputs a variety
of hashes, such as 160-bit, 256-bit, and 1,600-bit.


The lower bit hash algorithms like MD5 generate hash values more quickly
but are more likely to cause a collision.

Researchers have found collisions when using MD5 and SHA-1 separately.

Forensic investigators use cryptographic hashes to preserve evidence.


They also use hashes to conduct hash analysis, which will be covered later in the forensic analysis
lectures.


Now let's practice cryptographic hash functions on a Linux machine
and examine what changes will affect file hash value changes.

Hi, in this demo we will practice the basic hash algorithm MD5
and understand what changes will affect file hashes.

Now, MD5 and SHA are free tools and are widely available for various operating systems.

Here I used the SANS Investigative Forensic Toolkit -- short for SIFT -- Workstation.

This is a free download.


The download instructions are provided in this unit's exercise.

The SIFT Workstation was created by an international team of forensic investigators, led
by SANS faculty member Robert Lee, for incident response and digital forensics use.


It is available to the whole community as a public service.

SIFT includes many incident response and digital forensics tool suites.


I will use SIFT in other exercises for this course.

Although it's not necessary that you use this tool, this workstation,
I strongly recommend you use this Ubuntu-based forensic workstation
to practice Linux/Unix-based forensic tools.


Here is my SIFT Workstation.

Before I start using md5sum, I want to find out where this file is located.


This is important because if you have two md5sums, and one is malicious, you need to
find out which one you are using at this point.


So now we know this is in /usr/bin/, which is supposed to be the right place.


And then let's create a new file to generate an md5sum for.


If you already have an existing file to calculate an md5sum for, go ahead.


And here I create a new file called file0 with the content "welcome".


We can look into the content, and it is "welcome".


Okay.


So now let's calculate the md5sum; it's very simple.


So we simply say md5sum followed by the file name.


So this is the 128-bit MD5 hash.


It's a signature for file0.

So that's nice.

Now, we need to remember that md5sum, and then we modify the content of file0
to see whether the MD5 changes or not.


So we're able to remember that.

So let me create another terminal so we can compare.

So remember that's the top one.

We still have file0.

Now we modify file0.

So to modify it, I'm simply just adding something, appending it to file0.


So now file0's content has changed; this is what it looks like now.


So file0 now is "welcome back".


Still called file0, but the content is different.


So I do md5sum again for file0.

Let's compare the hash.

So now you can see the two hashes are totally different because the content is different.

Actually, you only need to change one bit of the content and the hash will be totally different.


So now at least we answered our first question.

Say, if we change the content, will the md5sum change or not? Definitely yes.


Next let's look at something else.

Like, for example, what if I rename it? What if I change metadata information?


Let's first rename it.


So let's move file0, renaming it to file1.


Okay.


So now in this case the file is called file1, and the content
of file1 is exactly as before, "welcome back".


Now we do md5sum again for file1.

If you compare file1 -- this line, the 128 bits --
with this one: because the content is the same, the hash does not change,
even though the file name is different.


One file is called file0, the other is called file1.


The name is different.

Okay?


The reason is that the name is not inside the content.


The MD5 hash only looks at the content.


The name is saved somewhere else.


We will talk about that in the later lectures.

The name information is not in the content.

Let's try one more thing: modifying some metadata.


First let me look at what file1's metadata is.


So we do ls -l.


And this file, file1, has these permissions: owner is read/write,
group is read/write, and other is read-only.


So let's change the permissions.


Okay.


If I change the permission using chmod, I say "other, add write" (o+w),
because other currently only has read on file1; then let's do ls -l again.


Actually, you can use the up arrow to find that.

So now it's readable/writable.

For file1, now we have changed the permission.


Okay.


Changed permission.

Let's do MD5.


Again, I can use the up arrow to find this one to save my typing.

Now, if you look at file1 now, has this permission changed?


And then here is the signature.

And then before -- this is file1 before the permission change -- exactly the same.


So changing the permission also does not change the content,
because permission information does not reside in that particular data content.


Okay.


So what do we learn from this simple example?

We should understand that the hash value of a file will change if and only
if the file content changes; therefore, if you change metadata, for example permissions,
or if you change a file name, it will not change the file content of that file.

That said, however, these changes will affect the hard drive's hash value,
because both the file name and the file metadata are saved somewhere --
we will learn that later -- somewhere in the content of the hard drive.
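
The lecture's demo as an added, self-contained script (not the lecture's own terminal session): it rebuilds the files in a scratch directory, applies each change the lecture tries, and reports whether the MD5 digest moved. File names and contents are constructed; GNU coreutils md5sum and mktemp are assumed. It also puts a number on the one-bit-flip case the lecture mentions but does not type out.

```shell
#!/bin/sh
# Added example, not the lecture's own terminal session: rebuild the md5sum demo
# on constructed files in a scratch directory and report, for each kind of
# change, whether the MD5 digest moved. Assumes GNU coreutils (md5sum, mktemp).

# Print only the hex digest, dropping the file name that md5sum appends.
digest() {
    md5sum "$1" | cut -d' ' -f1
}

# The lecture first checks which md5sum is actually on the PATH, so that a
# second, possibly malicious, copy is not the one being run. Prints the path.
md5sum_path() {
    command -v md5sum
}

# Print "same" or "different" for two digests.
compare() {
    if [ "$1" = "$2" ]; then echo same; else echo different; fi
}

# Change 1: append to the content ("welcome" -> "welcome back").
content_change() {
    d=$(mktemp -d)
    printf 'welcome' > "$d/file0"
    before=$(digest "$d/file0")
    printf ' back' >> "$d/file0"
    after=$(digest "$d/file0")
    rm -rf "$d"
    compare "$before" "$after"
}

# Change 2: flip a single bit. 'e' is 0x65 and 'd' is 0x64, so "welcome" and
# "welcomd" differ in exactly one bit. Prints how many of the 32 hex digits of
# the digest differ (the lecture says "totally different"; this counts it).
one_bit_flip() {
    d=$(mktemp -d)
    printf 'welcome' > "$d/a"
    printf 'welcomd' > "$d/b"
    h1=$(digest "$d/a")
    h2=$(digest "$d/b")
    rm -rf "$d"
    n=0
    i=1
    while [ "$i" -le 32 ]; do
        if [ "$(printf '%s' "$h1" | cut -c"$i")" != "$(printf '%s' "$h2" | cut -c"$i")" ]; then
            n=$((n + 1))
        fi
        i=$((i + 1))
    done
    echo "$n"
}

# Change 3: rename only (mv file0 file1). The name is stored in the directory
# entry, not in the file's data, so the digest must not move.
rename_only() {
    d=$(mktemp -d)
    printf 'welcome back' > "$d/file0"
    before=$(digest "$d/file0")
    mv "$d/file0" "$d/file1"
    after=$(digest "$d/file1")
    rm -rf "$d"
    compare "$before" "$after"
}

# Change 4: permission only (chmod o+w). Mode bits live in the inode, not in
# the file's data, so again the digest must not move.
permission_only() {
    d=$(mktemp -d)
    printf 'welcome back' > "$d/file1"
    before=$(digest "$d/file1")
    chmod o+w "$d/file1"
    after=$(digest "$d/file1")
    rm -rf "$d"
    compare "$before" "$after"
}

echo "md5sum in use:   $(md5sum_path)"
echo "append content:  $(content_change)"
echo "flip one bit:    $(one_bit_flip) of 32 hex digits differ"
echo "rename only:     $(rename_only)"
echo "chmod o+w only:  $(permission_only)"
```

The per-file results match the lecture: only the content changes move the digest. As the lecture also says, a hash taken over the whole drive image would still change after the rename or the chmod, because the directory entry and the inode holding those bits are part of the image's bytes.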


Okay.


That's all for this simple demo.

Hope you enjoy it.

Reposted from: https://www.cnblogs.com/sec875/articles/10013301.html
