Unit 1: Computer Forensics Fundamentals 1.1 Computer Forensics Fundamentals Data Analysis and Re...

>> After we have made a bit-stream copy and preserved the evidence,
we can move on to analyzing the evidence, working on the copy.


Whenever possible, you should protect the original physical evidence
and only work with the digital copy.



We start the analysis by looking at the partition table on the suspect drive to learn the number
of partitions on the drive and to check for gaps between partitions that may hold hidden data.
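The partition-table check described above, as an added example that is not part of the lecture: verify the working copy against the acquisition hash, parse the MBR, and list every sector range no partition claims (the pre-partition area, inter-partition gaps, and the tail of the disk). The image is a constructed 1 MB file with two small partitions; real use is `analyze_image("evidence.dd", recorded_hash)`. It deliberately handles only a classic MBR; extended partitions (types 0x05/0x0F) and GPT disks (protective type 0xEE) need their own tables walked.

```python
"""Partition-table triage on a forensic image: verify the copy's hash, parse the
MBR, and list unallocated gaps where data could be hidden. Added example; the
image below is constructed (a 512-byte MBR plus zero padding)."""
import hashlib
import os
import struct
import tempfile

SECTOR = 512


def sha256_file(path, chunk=1 << 20):
    """Stream-hash the image so it can be compared with the acquisition hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_mbr(mbr):
    """Return [(slot, type, start_lba, size_sectors)] for the non-empty entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: blank sector or not an MBR")
    parts = []
    for slot in range(4):
        entry = mbr[446 + 16 * slot:446 + 16 * (slot + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) size(4), little-endian
        _status, ptype, start, size = struct.unpack("<B3xB3xII", entry)
        if ptype and size:
            parts.append((slot, ptype, start, size))
    return parts


def find_gaps(parts, total_sectors):
    """Sector ranges covered by no partition: [(start_lba, length)].
    LBA 0 is the MBR itself, so accounting starts at sector 1. The area between
    the MBR and the first partition (where boot code such as GRUB lives) counts
    too: it is a classic hiding place and should be reviewed, not assumed benign."""
    gaps, cursor = [], 1
    for _, _, start, size in sorted(parts, key=lambda p: p[2]):
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + size)
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def read_sectors(path, start_lba, count):
    """Pull a gap out of the image for carving, strings or hexdump review."""
    with open(path, "rb") as f:
        f.seek(start_lba * SECTOR)
        return f.read(count * SECTOR)


def analyze_image(path, expected_sha256=None):
    """Refuse to analyze a copy whose hash differs from the acquisition hash."""
    if expected_sha256 and sha256_file(path) != expected_sha256:
        raise RuntimeError("working copy does not match the acquisition hash; stop")
    total = os.path.getsize(path) // SECTOR
    with open(path, "rb") as f:
        parts = parse_mbr(f.read(SECTOR))
    return parts, find_gaps(parts, total)


def build_sample_image(total_sectors=2048):
    """Constructed image: NTFS at LBA 64 and Linux at LBA 1200 with a gap between.
    (Real disks usually align partitions at LBA 2048; small numbers keep this 1 MB.)"""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 64, 1000)
    mbr[462:478] = struct.pack("<B3xB3xII", 0x00, 0x83, 1200, 800)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + b"\x00" * (SECTOR * (total_sectors - 1))


def demo():
    """Write the constructed image to a temp file and analyze it, hash check included."""
    image = build_sample_image()
    with tempfile.NamedTemporaryFile(suffix=".dd", delete=False) as tmp:
        tmp.write(image)
        path = tmp.name
    try:
        return analyze_image(path, hashlib.sha256(image).hexdigest())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    parts, gaps = demo()
    for slot, ptype, start, size in parts:
        print(f"slot {slot}: type 0x{ptype:02x} LBA {start}-{start + size - 1}")
    for start, length in gaps:
        print(f"unallocated: LBA {start}, {length} sectors ({length * SECTOR} bytes)")
```

Each reported gap is a candidate for `read_sectors` followed by carving or a keyword search; a gap that is all zeros is quickly confirmed, while one containing a file-system signature or readable strings deserves a note in the report.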


Other analysis steps include retrieving deleted files, generating a timeline based on timestamps
and the log files, finding hidden data, and keyword searching for terms related to your case.


Signature analysis to identify fake extensions.



Hash analysis to filter out both known innocent files
and known malicious files, and OS-specific media analysis.


We will cover the analysis process and technologies in detail later,
in terms of Windows and then Linux systems.


After completing the forensic examination with pertinent evidence and findings,
the last step is to report your findings.



Writing a report and presenting your findings and technical explanations
to a largely non-technical audience, including attorneys, the judge,
and the jury, is a very important yet challenging task.


Earlier I mentioned that you need to document detailed notes during all aspects
of forensic examination.



These notes will help you tremendously when writing your report.


Here are some general guidelines for writing a report.



A typical report begins with the specific task assigned to the forensic examiner
and the factual statements identified.


This section, at least, includes the case description, how the examiners are involved,
and the initial evidence, such as a suspect machine
or a given acquired image and its hash value.


This section also includes the equipment used, such as a write blocker and the forensic machine.


It also covers the methodology employed to duplicate data and the methodology used to forensically wipe
storage.


In the next section, we will cover the analysis process and the tools used
for analyzing the forensic image.


This is the most detailed section describing your investigation.



It should show all findings, including recovered files, registry values, keyword search hits,
emails, pictures, web content, etc.


Since you are the expert, you can always include your opinions in your
report.



For each opinion you offer, you have to provide supporting data from your analysis phase.



Finally, conclude your report with your statements.



Examiners often use phrases such as "based on my knowledge",
"this is my professional opinion", and "the finding indicates".


Use those phrases to summarize your conclusions.


There is a sample report outline suggested by Amelia Kelly
in the resource section of this unit.



Before we conclude this unit, I would like to mention some challenges in digital forensics.



The first 10 years since its inception were the golden years for computer forensics.



As technology progresses, computer forensics is facing more challenges.


For example, increasing storage densities require us to develop faster imaging tools.


Cloud computing, pervasive disk and accountant [phonetic] encryption make forensic acquisition
and analysis more difficult.



The use of solid state drives can destroy deleted data, which is one
of the most important sources of evidence in forensic analysis.


In conclusion, this week we learned what computer forensics is
and the general forensics procedure.


In the next couple of weeks, we will move on to learn how
to conduct forensic investigations on Linux/Unix systems.

 

Reposted from: https://www.cnblogs.com/sec875/articles/10013315.html
