Python Digital Forensics - Concise Tutorial

Python Digital Forensics - Introduction

This chapter introduces what digital forensics is about and reviews its history. You will also learn where digital forensics is applied in real life and what its limitations are.

What is Digital Forensics?

Digital forensics may be defined as the branch of forensic science that analyzes, examines, identifies and recovers digital evidence residing on electronic devices. It is commonly used in criminal law and private investigations.

For example, if somebody steals data from an electronic device, you can rely on digital forensics to extract the evidence.

Brief Historical Review of Digital Forensics

The history of computer crime and of digital forensics is reviewed in this section, as given below −

1970s-1980s: First Computer Crime

Prior to this decade, no computer crime was recognized as such; when an incident did occur, the laws existing at the time dealt with it. Later, in 1978, the first computer crime was recognized in the Florida Computer Crime Act, which included legislation against unauthorized modification or deletion of data on a computer system. Over time, as technology advanced, the range of computer crimes being committed also increased. To deal with crimes related to copyright, privacy and child pornography, various other laws were passed.

1980s-1990s: Development Decade

This was the development decade for digital forensics, starting with the first ever investigation (1986), in which Cliff Stoll tracked the hacker named Markus Hess. During this period, two kinds of digital forensics discipline developed: the first relied on ad-hoc tools and techniques built by practitioners who took it up as a hobby, while the second was developed by the scientific community. In 1992, the term “Computer Forensics” was used in academic literature.

2000s-2010s: Decade of Standardization

Once digital forensics had developed to a certain level, there was a need for specific standards that could be followed while performing investigations. Accordingly, various scientific agencies and bodies have published guidelines for digital forensics. In 2002, the Scientific Working Group on Digital Evidence (SWGDE) published a paper named “Best practices for Computer Forensics”. Another milestone was a European-led international treaty, “The Convention on Cybercrime”, which was signed by 43 nations and ratified by 16. Even with such standards in place, some issues identified by researchers still need to be resolved.

Process of Digital Forensics

Since the first computer crime in 1978, digital criminal activity has increased enormously. This increase created the need for a structured way to deal with it. In 1984, a formalized process was introduced, and since then a great number of new and improved computer forensics investigation processes have been developed.

A computer forensics investigation process involves three major phases, as explained below −

Phase 1: Acquisition or Imaging of Exhibits

The first phase of digital forensics involves preserving the state of the digital system so that it can be analyzed later. It is very much like taking photographs, blood samples etc. at a crime scene. For example, it involves capturing an image of the allocated and unallocated areas of a hard disk or of RAM.

Phase 2: Analysis

The input to this phase is the data acquired in the acquisition phase. Here, this data is examined to identify evidence. This phase yields three kinds of evidence, as follows −

  1. Inculpatory evidence − evidence that supports a given history (a particular account of events).

  2. Exculpatory evidence − evidence that contradicts a given history.

  3. Evidence of tampering − evidence that the system was tampered with to avoid identification. It includes examining file and directory content to recover deleted files.

Phase 3: Presentation or Reporting

As the name suggests, this phase presents the conclusions and the corresponding evidence from the investigation.
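The acquisition phase described above, in working Python, as an added example that is not part of the original tutorial: a constructed fake "device" file is imaged byte-for-byte (allocated and unallocated bytes alike), the copy is sealed with SHA-256 hashes, and the image is later re-verified so that any tampering with the evidence copy is detected. The file names and sample bytes are constructed for the demonstration.

```python
# Acquisition-phase example: image a source "device" byte-for-byte and seal it
# with hashes so that any later tampering with the copy is detectable.
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large devices fit in memory

def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image):
    """Copy `source` to `image` bit-for-bit (allocated and unallocated bytes alike)
    and return an acquisition record. Hashing the source before the copy and the
    image after it, then comparing, is how the examiner shows the copy is faithful."""
    source_hash = sha256_of(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    image_hash = sha256_of(image)
    return {"size": os.path.getsize(image),
            "source_sha256": source_hash,
            "image_sha256": image_hash,
            "verified": source_hash == image_hash}

def verify_image(image, record):
    """Re-hash `image` against the sealed acquisition hash; False if any byte changed."""
    return sha256_of(image) == record["image_sha256"]

def demo():
    """Constructed sample: a fake device with live data plus an unallocated region
    of stale bytes is imaged and verified, then altered to show detection."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "device.bin")
    image = os.path.join(workdir, "device.dd")
    with open(device, "wb") as f:
        f.write(b"allocated: report.docx\x00" + b"\x00" * 4096 + b"deleted: old_notes")
    record = acquire_image(device, image)
    intact = verify_image(image, record)
    with open(image, "r+b") as f:  # simulate tampering with the evidence copy
        f.seek(10)
        f.write(b"X")
    return record, intact, verify_image(image, record)
```

In practice the source would be a block device opened read-only through a write blocker, and the recorded hashes would go into the chain-of-custody documentation so the reporting phase can show the analyzed image is the one acquired.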

Applications of Digital Forensics

Digital forensics deals with gathering, analyzing and preserving the evidence contained in any digital device. How digital forensics is used depends on the application. As mentioned earlier, it is used mainly in the following two applications −

Criminal Law

In criminal law, evidence is collected to support or oppose a hypothesis in court. Forensic procedures are very much similar to those used in criminal investigations but with different legal requirements and limitations.

Private Investigation

Private investigations using digital forensics are carried out mainly in the corporate world. It is used when a company suspects that employees may be performing illegal activity on their computers, against company policy. Digital forensics provides one of the best routes for a company or an individual to take when investigating someone for digital misconduct.

Branches of Digital Forensics

Digital crime is not restricted to computers alone; hackers and criminals also use small digital devices such as tablets and smartphones on a very large scale. Some of these devices have volatile memory, while others have non-volatile memory. Hence, depending on the type of device, digital forensics has the following branches −

Computer Forensics

This branch of digital forensics deals with computers, embedded systems and static memory such as USB drives. A wide range of information, from logs to the actual files on the drive, can be investigated in computer forensics.

Mobile Forensics

This deals with the investigation of data from mobile devices. This branch differs from computer forensics in that mobile devices have an inbuilt communication system, which is useful for providing information related to location.

Network Forensics

This deals with the monitoring and analysis of computer network traffic, both local and WAN (wide area network), for the purposes of information gathering, evidence collection, or intrusion detection.

Database Forensics

This branch of digital forensics deals with the forensic study of databases and their metadata.

Skills Required for Digital Forensics Investigation

Digital forensics examiners help to track hackers, recover stolen data, follow computer attacks back to their source, and aid in other types of investigations involving computers. Some of the key skills required to become a digital forensics examiner are discussed below −

Outstanding Thinking Capabilities

A digital forensics investigator must be an outstanding thinker and should be capable of applying different tools and methodologies to a particular assignment to obtain results. He/she must be able to find different patterns and make correlations among them.

Technical Skills

A digital forensics examiner must have good technical skills, because this field requires knowledge of networks and of how digital systems interact.

Passionate about Cyber Security

Because the field of digital forensics is all about solving cyber-crimes, which is a tedious task, it takes a lot of passion for someone to become an ace digital forensics investigator.

Communication Skills

Good communication skills are a must for coordinating with various teams and for extracting any missing data or information.

Skillful in Report Making

After successfully completing acquisition and analysis, a digital forensics examiner must record all the findings in the final report and presentation. Hence he/she must have good report-writing skills and attention to detail.

Limitations

Digital forensic investigation has certain limitations, as discussed here −

Need to produce convincing evidences

One of the major setbacks of digital forensics investigation is that the examiner must comply with the standards required for evidence in a court of law, since the data can easily be tampered with. Consequently, a computer forensics investigator must have complete knowledge of legal requirements, evidence handling and documentation procedures in order to present convincing evidence in court.

Investigating Tools

The effectiveness of a digital investigation lies entirely in the expertise of the digital forensics examiner and the selection of proper investigation tools. If the tool used does not conform to the specified standards, the evidence can be rejected by the judge in a court of law.

Lack of technical knowledge among the audience

Another limitation is that some individuals are not completely familiar with computer forensics; therefore, many people do not understand this field. Investigators have to be sure to communicate their findings to the courts in a way that helps everyone understand the results.

Cost

Producing digital evidence and preserving it is very costly. Hence this process may not be chosen by many people who cannot afford the cost.