Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, 2nd Ed. [Electronic resources]


Eoghan Casey



Chapter 2, Safeback[Scott 2003]. Others believe that this proprietary format is better because it maintains integrity checks throughout the file, enabling digital investigators to identify what portion of data is creating a problem if there is a problem. Whichever approach is used, courts are generally satisfied provided the evidence can be authenticated as described in Chapter 7. Also, since it is advisable to make two copies using different tools, one copy can be made in a proprietary format and the other using the de facto dd standard.

Most of these tools can either use information from the BIOS, or bypass the BIOS and access the disk directly to ensure that no false information in the BIOS causes a partial acquisition. Some of these tools contained bugs that prevented them from acquiring all of the data on some drives. For this reason, it is important to compare the amount of data that were copied with the size of the drive (cylinders × heads × sectors per track) as described in Chapter 8.
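The two checks described above (that the copied data matches the drive's geometry, and that two copies made with different tools agree) can be scripted. The following is an added example, not code from the book or from any of the tools it names; the sector size of 512 bytes, the geometry 4 × 2 × 8, and the two image files written into a temporary directory are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumed sector size of the source drive


def expected_bytes(cylinders: int, heads: int, sectors_per_track: int) -> int:
    """Capacity implied by the drive geometry: cylinders x heads x sectors per track x 512."""
    return cylinders * heads * sectors_per_track * SECTOR_SIZE


def sha256_file(path: str) -> str:
    """Hash a (possibly very large) image file in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_acquisition(image_paths, cylinders, heads, sectors_per_track):
    """Compare each image against the geometry-derived size and check that all copies hash identically."""
    expected = expected_bytes(cylinders, heads, sectors_per_track)
    report = {"expected_bytes": expected, "images": {}}
    digests = set()
    for path in image_paths:
        size = os.path.getsize(path)
        digest = sha256_file(path)
        digests.add(digest)
        report["images"][path] = {
            "bytes": size,
            "complete": size == expected,
            "missing_sectors": (expected - size) // SECTOR_SIZE,
            "sha256": digest,
        }
    # two copies made with different tools should produce the same digest
    report["copies_agree"] = len(digests) == 1
    return report


def demo():
    """Constructed scenario: a 64-sector drive (4 x 2 x 8); the second copy lost its last 3 sectors."""
    full = bytes(range(256)) * (expected_bytes(4, 2, 8) // 256)
    with tempfile.TemporaryDirectory() as tmp:
        image_a = os.path.join(tmp, "tool_a.dd")    # hypothetical dd image
        image_b = os.path.join(tmp, "tool_b.img")   # hypothetical image from a second tool
        with open(image_a, "wb") as handle:
            handle.write(full)
        with open(image_b, "wb") as handle:
            handle.write(full[:-3 * SECTOR_SIZE])   # simulate a partial acquisition
        report = verify_acquisition([image_a, image_b], 4, 2, 8)
        return {
            "a_complete": report["images"][image_a]["complete"],
            "b_complete": report["images"][image_b]["complete"],
            "b_missing_sectors": report["images"][image_b]["missing_sectors"],
            "copies_agree": report["copies_agree"],
        }


if __name__ == "__main__":
    print(demo())
```

A size shortfall that is an exact multiple of the sector size, as in the constructed case, is the signature of an acquisition that stopped early; a mismatch between the two digests tells you which copy to distrust only once the size check has identified the short one.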

Once digital evidence has been acquired, there are two main approaches to viewing digital evidence: physically and logically. The physical view involves examining the raw data stored on disk using a disk editor such as Norton DiskEdit or WinHex. Data are generally shown in two forms in a disk viewer: in hexadecimal form on the left and in plain text on the right. The advantage of DiskEdit is that it can run from a bootable floppy disk, but WinHex has more examination and analysis capabilities, such as recovering all slack or unallocated space and comparing files to find any differences. For instance, Figure 10.2 shows WinHex being used to compare two seemingly identical Microsoft Word documents created at different times to locate the internal date-time stamps discussed later in this chapter.


Figure 10.2: WinHex "File Manager Compare" feature.
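The two views a disk editor offers (hex on the left, text on the right) and the file comparison shown in Figure 10.2 are easy to reproduce. The following is an added example, not code from the book or from WinHex; the two "documents" are constructed byte strings that share a header and body text but carry different embedded creation stamps, and the `CREATED:` field is an invented stand-in for the real internal date-time stamps discussed later in the chapter.

```python
import string

# bytes rendered as themselves in the text column; everything else shows as "."
PRINTABLE = set(bytes(string.ascii_letters + string.digits + string.punctuation + " ", "ascii"))


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes the way a disk editor does: offset, hex on the left, text on the right."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text_part = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{offset:08x}  {hex_part}  {text_part}")
    return "\n".join(lines)


def diff_ranges(a: bytes, b: bytes):
    """Return [(offset, length)] runs where the two files differ, in the style of a file compare."""
    runs = []
    start = None
    total = max(len(a), len(b))
    for i in range(total):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, total - start))
    return runs


def summarize(a: bytes, b: bytes):
    """Pair each differing run with the bytes each file holds there."""
    return [(off, a[off:off + n], b[off:off + n]) for off, n in diff_ranges(a, b)]


# constructed sample documents (not real Word files): same header and body, different stamp
HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
BODY = b"Quarterly sales summary - all figures confidential."
STAMP_LABEL = b"\x00CREATED:"
TS_OFFSET = len(HEADER) + len(BODY) + len(STAMP_LABEL)  # where the stamp begins in both files
DOC_A = HEADER + BODY + STAMP_LABEL + b"2003-02-11T09:15:00Z" + b"\x00" * 4
DOC_B = HEADER + BODY + STAMP_LABEL + b"2003-03-20T14:02:00Z" + b"\x00" * 4

if __name__ == "__main__":
    print(hexdump(DOC_A))
    for offset, left, right in summarize(DOC_A, DOC_B):
        print(f"offset {offset:#x}: {left!r} vs {right!r}")
```

Every differing run falls inside the stamp field, which is exactly what the comparison in Figure 10.2 is used to establish: two documents that look identical at the logical level differ only in a handful of bytes that the disk editor, not the word processor, exposes.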


The logical view involves examining data on a disk as it is represented by the file system. In the past digital investigators used Norton Commander (Figure 10.3) to view the file structure on a drive. Viewing the file system in this way facilitates certain types of analysis but does not show underlying information that is visible using a disk editor. Also, Norton Commander displays limited file information such as name, size, modification time, and attributes.[11]


Figure 10.3: Norton Commander.

Each of the above methods of viewing a disk has limitations. For instance, when searching for a keyword, a physical sector-by-sector search will not find occurrences of the keyword that are broken across non-adjacent sectors (the sectors that comprise a file do not have to be adjacent). On the other hand, a physical examination gives access to areas of the disk that are not represented by the file system, such as file slack and unallocated space. Integrated tools like EnCase and Forensic Toolkit (FTK[12]) on Windows, and The Sleuth Kit[13] on UNIX, combine both of these and other features into a single tool, enabling an examiner to view a disk physically and logically. EnCase and FTK have many other capabilities that facilitate examination of digital evidence, some of which are demonstrated later in this chapter. It is critical to realize that any tool that represents data on a disk can contain bugs that misinterpret data. Therefore, verify important results using multiple tools.
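The complementary blind spots of the two views can be shown on a tiny simulated disk. The following is an added example, not code from the book or from EnCase, FTK or The Sleuth Kit: a constructed 16-sector image holds one file, `memo.txt`, whose two sectors are not adjacent, so the keyword that straddles the sector boundary is only found by reassembling the file through the (hypothetical, dictionary-based) file system table; the slack bytes and the remnant in an unallocated sector are only found by the physical search.

```python
SECTOR = 512  # assumed sector size


def build_disk():
    """Constructed 16-sector image: memo.txt occupies sectors 3 and 9 (non-adjacent)."""
    disk = bytearray(SECTOR * 16)
    body = b"A" * 506 + b"account 4471"              # 518 bytes: keyword straddles the boundary
    allocated = [3, 9]                                # sector list the file system keeps for the file
    disk[3 * SECTOR:4 * SECTOR] = body[:SECTOR]       # first 512 bytes in sector 3
    tail = body[SECTOR:]                              # remaining 6 bytes land in sector 9
    disk[9 * SECTOR:9 * SECTOR + len(tail)] = tail
    # file slack: bytes in sector 9 beyond the file's end, left over from an earlier file
    slack = b"transfer 9921 approved"
    disk[9 * SECTOR + len(tail):9 * SECTOR + len(tail) + len(slack)] = slack
    # unallocated sector 12 still holds a remnant of a deleted draft
    remnant = b"old draft: account 4471 closed"
    disk[12 * SECTOR:12 * SECTOR + len(remnant)] = remnant
    fs_table = {"memo.txt": {"sectors": allocated, "size": len(body)}}
    return bytes(disk), fs_table


def physical_search(disk: bytes, keyword: bytes):
    """Search the raw image; return the sector number of every hit."""
    hits = []
    pos = disk.find(keyword)
    while pos != -1:
        hits.append(pos // SECTOR)
        pos = disk.find(keyword, pos + 1)
    return hits


def logical_search(disk: bytes, fs_table, keyword: bytes):
    """Reassemble each file from its sector list and search the file content; return (name, offset)."""
    hits = []
    for name, entry in fs_table.items():
        content = b"".join(disk[s * SECTOR:(s + 1) * SECTOR] for s in entry["sectors"])
        content = content[:entry["size"]]            # drop slack beyond the file's logical end
        pos = content.find(keyword)
        while pos != -1:
            hits.append((name, pos))
            pos = content.find(keyword, pos + 1)
    return hits


DISK, FS_TABLE = build_disk()

if __name__ == "__main__":
    for keyword in (b"account 4471", b"9921"):
        print(keyword, "physical:", physical_search(DISK, keyword),
              "logical:", logical_search(DISK, FS_TABLE, keyword))
```

The physical search reports `account 4471` only in the unallocated sector 12 and misses the live copy in `memo.txt`, while the logical search finds the live copy and is blind to both the slack in sector 9 and the remnant in sector 12. Neither result is wrong on its own; this is why the integrated tools run both views, and why a finding from one view should be confirmed with the other.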


Other tools exist to facilitate specialized tasks during examination such as Maresware utilities described in Chapter 24. Also, Net Threat Analyzer from NTI (www.secure-data.com) will search a binary file such as unallocated space or a swap file for Internet-related data such as e-mail addresses and Web pages (Figure 10.4).


Figure 10.4: NTI Net Threat Analyzer.
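Searching a binary file such as unallocated space or a swap file for e-mail addresses and Web addresses amounts to pattern matching over raw bytes. The following is an added example, not code from the book or from NTI's Net Threat Analyzer; the block of "unallocated space" is a constructed byte string, and the patterns cover plain ASCII text plus the UTF-16LE form (each character followed by a NUL byte) in which Windows often stores such strings.

```python
import re

# ASCII forms
EMAIL_ASCII = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
URL_ASCII = re.compile(rb"https?://[^\s\x00\"'<>]+")
# the same e-mail shape encoded as UTF-16LE: every character is followed by a NUL byte
EMAIL_UTF16LE = re.compile(
    rb"(?:[A-Za-z0-9._%+-]\x00)+@\x00(?:[A-Za-z0-9-]\x00)+(?:\.\x00(?:[A-Za-z0-9-]\x00)+)+"
)


def carve_internet_artifacts(blob: bytes):
    """Return e-mail addresses and URLs found in raw bytes, each with the offset where it starts."""
    found = {"emails": [], "urls": []}
    for match in EMAIL_ASCII.finditer(blob):
        found["emails"].append((match.start(), match.group().decode("ascii")))
    for match in URL_ASCII.finditer(blob):
        found["urls"].append((match.start(), match.group().decode("ascii")))
    for match in EMAIL_UTF16LE.finditer(blob):
        found["emails"].append((match.start(), match.group().decode("utf-16-le")))
    found["emails"].sort()
    found["urls"].sort()
    return found


# constructed sample of "unallocated space": binary noise around fragments of an e-mail
# header, an HTTP request line and a UTF-16LE string (the addresses and host are invented)
SAMPLE_UNALLOCATED = (
    b"\x00" * 37
    + b"\x8a\x1fFrom: alice@example.org\r\nSubject: invoice\r\n\x00\x00"
    + b"GET http://www.example.com/login?user=alice HTTP/1.1\r\n"
    + b"\xff\xfe\x13\x8a" * 16
    + "bob@example.net".encode("utf-16-le")
    + b"\x00" * 20
)

if __name__ == "__main__":
    for kind, items in carve_internet_artifacts(SAMPLE_UNALLOCATED).items():
        for offset, value in items:
            print(f"{kind:6} @ {offset:#06x}: {value}")
```

Recording the offset of each hit matters as much as the string itself: it lets the examiner return to the surrounding bytes with a disk editor to see what the address was part of, and it is what lets a second tool confirm the finding.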

No single tool is suitable for all purposes, and it is advisable to verify important findings with multiple tools to ensure that all findings are accurate. In some cases, it is advisable to verify results at the lowest level using a disk editor. There is still some debate regarding the best approach to examining digital evidence: using tools from the command line or through a graphical user interface. Provided the forensic principles outlined in Chapter 9 are adhered to, it does not matter if the tool has a Windows interface or must be run from the command line.

[5]http://www.encase.com

[6]http://www.forensics-intl.com

[7]http://www.sydex.com

[8]http://www.accessdata.com

[9]http://www.cdp.com

[10]http://www.toolsthatwork.com

[11]Some file viewing programs alter last accessed date-time stamps and should not be used on the original disk.

[12]http://www.accessdata.com

[13]http://www.sleuthkit.org
