{"id":371,"date":"2015-10-19T00:16:00","date_gmt":"2015-10-18T16:16:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=371"},"modified":"2023-10-31T00:17:24","modified_gmt":"2023-10-30T16:17:24","slug":"computer-forensics","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/371","title":{"rendered":"Computer Forensics"},"content":{"rendered":"\n

Computer Forensics<\/strong>
application of computer Investigation and analysis techniques in the interests of determining potential legal evidence. 
investigation of data that can be retrieved from computer by applying scientific methods to retrieve the data.
the science of capturing, processing, and investigating data security incidents and making it acceptable to a court of law.
To determine the evidential value of the crime scene and related evidence.
Extract, process, and interpret the factual evidence so that it proves the attacker’s actions in the court.<\/p>\n\n\n\n

Object of computer forensics<\/strong>
for a court of law
estimate the potential impact of the malicious activity on the victim
assess the intent and identity of the perpetrator
ex:
copyright and intellectual property theft has occurred<\/p>\n\n\n\n

Father of forensics<\/strong>
Francls galton, made the first recorded study of fingerprints<\/p>\n\n\n\n

…<\/p>\n\n\n\n

Computer forensic 3A<\/strong>
1.Acquire – \u8b49\u64da\u53d6\u5f97
2.Authenticate – \u8b49\u64da\u8ddf\u539f\u4f86\u4e00\u6a23
3.Analyze – \u5728\u7121\u8b8a\u52d5\u4e0b\u5206\u6790<\/p>\n\n\n\n

CSIRT(Company Security Incident Response Team)<\/strong>
1.\u65e9\u671f\u767c\u73feincodent\u9632\u6b62\u64f4\u5927
2.\u4fdd\u8b77Critical Information
3.\u63d0\u4f9b\u6559\u80b2\u8a13\u7df4
4.\u767c\u5c55\u8207\u64b0\u5beb\u7a0b\u5f0f
5.\u52a0\u5f37\u7d44\u7e54\u5b89\u5168
6.\u6e1b\u5c11\u53cd\u61c9\u6642\u9593<\/p>\n\n\n\n

\u5275\u5efa\u4e00\u500bCSIRT<\/strong>
1.\u53d6\u5f97\u7ba1\u7406\u968e\u5c64\u7684\u652f\u6301
2.\u64ec\u5b9aCSIRT\u7684\u6230\u7565\u8a08\u756b
3.\u6536\u96c6\u6709\u95dc\u7684\u8cc7\u8a0a
4.\u8a2d\u8a08\u8996\u91ce
5.\u5c07CSIRT\u7684\u8996\u91ce\u8207\u9700\u8981\u77e5\u9053\u7684\u4eba\u6e9d\u901a
6.\u958b\u59cb\u5efa\u7acbCSIRT
7.\u516c\u544aCSIRT<\/p>\n\n\n\n

refer
http:\/\/wenku.baidu.com\/view\/da7fbcd0360cba1aa811da11.html?re=view<\/p>\n\n\n\n

……………..<\/p>\n\n\n\n

Steps in forensics investigation<\/strong>
1. indentify the coputer crime
2. \u521d\u6b65\u8a55\u4f30,collect preliminary evidence
3. (optional)\u53d6\u5f97\u641c\u7d22\u4ee4, obtain court warrant for seizure
4.perform first responder procedures
5.\u6263\u62bc\u8b49\u7269, seize evidence at the crime scene
6.\u8b49\u7269\u904b\u9001, transport evidence to the forensic laboratory
7.\u539f\u59cb\u8b49\u7269\u8907\u88fd, create two bit stream copies of the evidence
8.\u78ba\u8a8d\u8b49\u7269\u8907\u672c\u662f\u5426\u8207\u539f\u59cb\u8b49\u7269\u4e00\u81f4,generate hash value for checksum on the images
9.(Important), maintain a chain of custody
10.\u539f\u59cb\u8b49\u7269\u4fdd\u5b58,store the original evidence in a secure location
11.\u8b49\u7269\u8907\u672c\u5206\u6790, analyze the image copy for evidence
12.\u5831\u544a\u64b0\u5beb, prepare a forensic report
13. submit the report to the client
14.\u6cd5\u5ead\u505a\u8b49, attend the court and testify as an expert witness<\/p>\n\n\n\n

key point of forensics investigation<\/strong>
\u5118\u91cf\u4e0d\u8981\u5728\u539f\u59cb\u8cc7\u6599\u4e0a\u505a\u5206\u6790
\u4e0d\u8981\u7834\u58de\u539f\u59cb\u8a2d\u5099
\u8b49\u64da\u53d6\u5f97\u8981\u7b26\u5408\u9451\u8b58\u7b49\u7d1a\u7684\u5f37\u5ea6\uff0c\u9700\u7d93\u5f97\u8d77\u6cd5\u5ead\u6aa2\u9a57\uff0c\u53ef\u53c3\u8003rules of evidence<\/p>\n\n\n\n

………………….<\/p>\n\n\n\n

Security incident report<\/strong>
statistic of security incident from different field to understand whole security event
reference data source:
\u3000verizon DBIR
\u3000www.pwc.com<\/p>\n\n\n\n

Resource of forensics<\/strong>
www.nij.gov \u985e\u4f3c\u53f8\u6cd5\u9ad4\u7cfb\u7684\u5b78\u8853\u55ae\u4f4d\uff0c\u63d0\u4f9b\u8a31\u591aforensics guides\u4f9b\u53c3\u8003
forensicswiki.org \u63d0\u4f9bforensics\u76f8\u95dc\u77e5\u8b58
www.cert.org\/forensics \u63d0\u4f9b\u8a31\u591a\u7814\u7a76\u5831\u544a\u548c\u5de5\u5177
digital-forensics.sans.org \u63d0\u4f9b\u8a31\u591aforensics\u6587\u7ae0,\u548c\u63d0\u4f9bSIFT tool\u4f9b\u5b78\u7fd2
www.dfrws.org \u77e5\u540d\u9451\u8b58\u7814\u8a0e\u6703, \u4e5f\u6709\u8209\u8fa6\u9451\u8b58\u904a\u6232
www.forensicfocus.com \u77e5\u540d\u9451\u8b58\u8ad6\u58c7
www.swgde.org \u63d0\u4f9b\u4e00\u4e9b\u95dc\u65bc\u9451\u8b58\u6d41\u7a0b\u7684document\u548cbest pratices\u4f9b\u53c3\u8003
ps:
liveview\uff1acomputer hard convert to VM, it is form cert<\/p>\n\n\n\n

….<\/p>\n\n\n\n

Common organization<\/strong>
NIST<\/strong>(National Institute of Standards and Technology,\u570b\u5bb6\u6a19\u6e96\u6280\u8853\u7814\u7a76\u6240)
providing tools and creating procedures for testing and validating computer forensics software
NIPC<\/strong>(National Infrastructure Protection Center)
a unit of the United States federal government charged with protecting computer systems and information systems critical to the United States’ infrastructure
CERT<\/strong>(Computer emergency response teams)
expert groups that handle computer security incidents
CIAC<\/strong>(Computer Incident Advisory Capability)
the original computer security incident response team at the Department of Energy.
response organization tracks hoaxes as well as viruses
USSS<\/strong>(United States Secret Service)
a federal law enforcement agency under the U.S. Department of Homeland Security
responsibility include Financial Crimes and Protection important leaders
refer
https:\/\/en.wikipedia.org\/wiki\/National_Infrastructure_Protection_Center
https:\/\/en.wikipedia.org\/wiki\/Computer_emergency_response_team
https:\/\/en.wikipedia.org\/wiki\/Computer_Incident_Advisory_Capability
https:\/\/en.wikipedia.org\/wiki\/United_States_Secret_Service
…<\/p>\n\n\n\n


Common TITLE 18-CRIMES AND CRIMINAL PROCEDURE<\/strong>
18 U.S.C. 1029
\u3000FRAUD AND RELATED ACTIVITY IN CONNECTION WITH ACCESS DEVICES
\u3000for fraud and related activity in connection with access devices like routers
18 U.S.C. 1030
\u3000FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS
\u3000for computer crimes involving e-mail scams and mail fraud
18 U.S.C. 2703
\u3000REQUIRED DISCLOSURE OF CUSTOMER COMMUNICATIONS OR RECORDS
\u3000for authorize this phone call and obligates the ISP to preserve e-mail records
refer
http:\/\/www.gpo.gov\/fdsys\/pkg\/USCODE-2009-title18\/html\/USCODE-2009-title18.htm<\/p>\n","protected":false},"excerpt":{"rendered":"

Computer Forensicsapplication …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[11],"tags":[],"class_list":["post-371","post","type-post","status-publish","format-standard","hentry","category-forensics"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=371"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/371\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}