侦破计算机犯罪-电子取证介绍.ppt

Solving Computer Crime: An Introduction to Digital Forensics Golden G. Richard III, Ph.D. Dept. of Computer Science Gulf Coast Computer Forensics Laboratory (GCCFL) golden@ Digital Forensics Definition: “Tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices.” Devices include computers, PDAs, cellular phones, videogame consoles… Examples of Digital Evidence Computers increasingly involved in criminal and corporate investigations Digital evidence may play a supporting role or be the “smoking gun” Email Harassment or threats Blackmail Illegal transmission of internal corporate documents Meeting points/times for drug deals Suicide letters Technical data for bomb making Image or digital video files (esp., child pornography) Evidence of inappropriate use of computer resources or attacks Use of a machine as a spam email generator Use of a machine to distribute illegally copied software Major Issues Identification of potential digital evidence Where might the evidence be? Which devices did the suspect use? Preservation of evidence On the crime scene… First, stabilize evidence…prevent loss and contamination If possible, make identical copies of evidence for examination Careful extraction and examination of evidence Presentation “The FAT was fubared, but using a hex editor I changed the first byte of directory entry 13 from 0xEF to 0x08 to restore ‘HITLIST.DOC’…” “The suspect attempted to hide the Microsoft Word document ‘HITLIST.DOC’ but I was able to recover it without tampering with the file contents.” Legal: Investigatory needs meet privacy Preservation of Evidence: Hardly trivial… Preservation: Imaging When making copies of media to be investigated, must prevent accidental modification or destruction of evidence! Write blockers: Use them. Always. dd under Linux DOS boot floppies Proprietary imaging solutions Extraction and Examination Know where evidence can be found Understand techniques used to hide