Deleted system log fragments can be found in unallocated space by searching for characteristics such as the date or message fields (e.g. "Mar 3," "LOGIN"). It may also be possible to repair corrupt UNIX "wtmp" log files or NT Event log files, or at least to extract some useful information from their uncorrupted portions. Notably, a "wtmp" file can become corrupted in a way that is not obvious: it is a sequence of fixed-size binary records, so a few lost or extra bytes shift every later record, and a tool that reads fixed-size slots decodes the wrong bytes as fields. Processed uncritically, such a file can associate the wrong user account with the wrong connection. This emphasizes the importance of verifying important log entries before using them to form conclusions.
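The wtmp problem described above, as an added example that is not from the book: a Python script that parses wtmp records, shows what a fixed-stride reader makes of a file that has silently lost 40 bytes, and then verifies each record before accepting it, resynchronising past the damaged region and reporting where it was. It also carves syslog-style lines out of raw bytes by their timestamp and host prefix, as the first sentence suggests. The script assumes the Linux/glibc `struct utmp` layout (384-byte little-endian records; other UNIX variants differ), and the sample records, the simulated damage, the plausibility time window and the "unallocated" buffer are all constructed here.

```python
"""Added example (not from the book): verify UNIX wtmp records before trusting
them, and carve syslog fragments from raw bytes.  Assumes the Linux/glibc
``struct utmp`` layout (384-byte little-endian records); sample data is constructed."""
import re
import struct
from collections import namedtuple

UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"  # type,pid,line,id,user,host,exit,session,tv,addr
UTMP_SIZE = struct.calcsize(UTMP_FMT)    # 384
USER_PROCESS, DEAD_PROCESS = 7, 8
TIME_MIN, TIME_MAX = 631_152_000, 4_102_444_800  # 1990..2100 plausibility window (assumption)
Record = namedtuple("Record", "offset type pid line id user host tv_sec")

def pack_record(ut_type, pid, line, user, host, tv_sec, ut_id=b"ts/0"):
    """Build one record (only used here to construct the sample file)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line, ut_id, user, host,
                       0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def unpack_record(data, offset):
    f = struct.unpack_from(UTMP_FMT, data, offset)
    return Record(offset, f[0], f[1], f[2], f[3], f[4], f[5], f[9])

def cstr(field):
    return field.split(b"\x00", 1)[0].decode("ascii", "replace")

def cstr_ok(field, allow_empty):
    """Printable text up to the first NUL and only NULs after it; a read that
    starts in the middle of a record almost always violates this."""
    text, _, rest = field.partition(b"\x00")
    if rest.strip(b"\x00"):
        return False
    return allow_empty if not text else all(0x20 <= b < 0x7F for b in text)

def record_is_sane(rec):
    login = rec.type == USER_PROCESS
    return (1 <= rec.type <= 9 and TIME_MIN <= rec.tv_sec <= TIME_MAX  # RUN_LVL..ACCOUNTING
            and cstr_ok(rec.line, not login) and cstr_ok(rec.user, not login)
            and cstr_ok(rec.host, True) and cstr_ok(rec.id, True))

def parse_naive(data):
    """Fixed-stride reader: trusts that every 384-byte slot is a whole record."""
    return [unpack_record(data, o) for o in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE)]

def parse_verified(data):
    """Accept a record only if it passes record_is_sane(); otherwise scan forward
    a byte at a time to the next sane record and report the gap (offset, length)."""
    records, gaps, offset = [], [], 0
    while offset + UTMP_SIZE <= len(data):
        if record_is_sane(unpack_record(data, offset)):
            records.append(unpack_record(data, offset))
            offset += UTMP_SIZE
            continue
        start = offset
        while offset + UTMP_SIZE <= len(data) and not record_is_sane(unpack_record(data, offset)):
            offset += 1
        gaps.append((start, offset - start))
    return records, gaps

def session_tuple(login, logout):
    return (cstr(login.user), cstr(login.line), cstr(login.host), login.tv_sec, logout)

def sessions(records):
    """Pair each logout with the open login on the same tty line, as `last`-style
    tools do.  A logout of None means no logout record was found for that login."""
    open_logins, out = {}, []
    for r in records:
        line = cstr(r.line)
        if r.type == USER_PROCESS:
            if line in open_logins:   # second login on the line with no logout seen
                out.append(session_tuple(open_logins.pop(line), None))
            open_logins[line] = r
        elif r.type == DEAD_PROCESS and line in open_logins:
            out.append(session_tuple(open_logins.pop(line), r.tv_sec))
    return out + [session_tuple(lg, None) for lg in open_logins.values()]

SYSLOG_RE = re.compile(rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
                       rb"[ \d]\d \d\d:\d\d:\d\d [\w.-]+ [^\x00\n]{1,512}")

def carve_syslog_fragments(blob):
    """Pull syslog-style lines out of raw (e.g. unallocated) bytes by their prefix."""
    return [m.group(0).decode("ascii", "replace") for m in SYSLOG_RE.finditer(blob)]

T0 = 1046649600  # constructed sample data; 2003-03-03 00:00:00 UTC
CLEAN_WTMP = b"".join([
    pack_record(USER_PROCESS, 4242, b"pts/0", b"alice", b"10.0.0.5", T0 + 3600),
    pack_record(DEAD_PROCESS, 4242, b"pts/0", b"", b"", T0 + 7200),
    pack_record(USER_PROCESS, 5150, b"pts/0", b"bob", b"10.0.0.9", T0 + 10800),
    pack_record(DEAD_PROCESS, 5150, b"pts/0", b"", b"", T0 + 14400)])
# Damage: 40 bytes lost inside the second record's NUL-filled ut_host padding.
# Every later record now starts 40 bytes early, yet nothing looks visibly torn.
DAMAGED_WTMP = CLEAN_WTMP[:UTMP_SIZE + 200] + CLEAN_WTMP[UTMP_SIZE + 240:]
UNALLOCATED = (b"\x00" * 37 + b"\xff\x00junk"
               b"Mar  3 02:14:07 webhost sshd[4242]: Accepted password for alice from 10.0.0.5 port 51022 ssh2\n"
               + b"\x00" * 11 + b"\x9a\x01Mar  3 04:01:55 webhost login: FAILED LOGIN 1 FROM 10.0.0.9 FOR bob" + b"\x00" * 5)

if __name__ == "__main__":
    print("naive   :", sessions(parse_naive(DAMAGED_WTMP)))
    recs, gaps = parse_verified(DAMAGED_WTMP)
    print("verified:", sessions(recs), "damaged (offset, bytes):", gaps)
    print("carved  :", carve_syslog_fragments(UNALLOCATED))
```

On the damaged file the fixed-stride reader reports that alice's session ended at the UNIX epoch and never sees bob's login at all, because the slot that should hold it decodes with a nonsense record type. The verifying reader accepts only records whose type, timestamp and NUL-padded string fields are plausible, reports the 344-byte damaged region at offset 384, and recovers bob's session intact, while flagging alice's login as having no logout record rather than inventing one.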
It is also possible to recover digital evidence from network traffic. Network traffic relating to a single machine may contain e-mail communications, downloaded files, Web pages viewed, and much more. Interesting items can be recovered from network traffic by extracting the individual packets that belong to one connection and reassembling them in order. For instance, Figure 15.4 shows a network sniffer called Ethereal being used to reconstruct a TCP stream and display the contents of the communication. In this instance, the connection was a request to a Web server for a JPEG image. In this process of reconstruction, Ethereal takes data collected at the physical layer, extracts only the relevant packets from the network and transport layers, and displays the application layer protocol: an HTTP GET request for one image on a Web page.

Figure 15.4: Ethereal (www.ethereal.com) used to reconstruct a TCP Stream relating to one component of a Web page being downloaded.
Ethereal was not designed with evidence collection in mind, but it is still useful for examining network traffic. The "Save As" option at the bottom right of the screen can be used to save the reconstructed stream to a file that can then be opened with a Web browser, image viewer, or other suitable software. However, the exported file often contains data that prevents other programs from displaying it correctly (such as the HTTP request and header data discussed in Chapter 16), which must be separated from the object itself before it can be viewed.

Different network traffic analysis tools can reconstruct and display different types of data, including e-mail, FTP, and Instant Messenger traffic, with varying degrees of success. For example, when an individual downloads a compressed file from an FTP server or via IRC, it may be desirable to recover that file from a network capture and examine its contents. Certain data formats are harder to reconstruct from network traffic and require special-purpose tools; for instance, Review has a module for interpreting and displaying X sessions, as detailed in Chapter 4 of the Handbook of Computer Crime Investigation (Romig 2001). Some commercial tools (e.g. NetIntercept, NetDetector[8]) have many more analysis features, and some are even marketed as digital evidence processing tools. The visualization capabilities of these tools help make examinations of digital evidence from networks more efficient.

Regardless of the tool used, when collecting and analyzing network traffic with these systems, digital investigators must take additional steps to document important details that the tools do not record themselves: the MD5 value of the tcpdump files containing the network traffic, the number of packets dropped during capture, and the actions taken by the examiner during analysis of the data (these tools create no log of the examiner's actions).

[8] http://www.niksun.com
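The stream reconstruction described above and the exported-file problem noted in the Ethereal discussion, as an added example that is not from the book or from Ethereal: a Python script that takes the server-side TCP segments of one HTTP response (delivered out of order, with a duplicate and a partially overlapping retransmission), orders them by sequence number, records any hole left by packets the capture missed, and then separates the HTTP status line and headers from the JPEG body, which is the step a plain "Save As" of the whole stream skips. The segments, sequence numbers and JPEG marker bytes are constructed for the example (the body is marker bytes only, not a decodable picture), and sequence numbers are assumed to be already unwrapped.

```python
"""Added example (not from the book): reassemble one direction of a TCP
connection from captured segments and separate the HTTP framing from the
object (a JPEG) it carried.  Sequence numbers are taken as already unwrapped;
all capture data is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def reassemble(segments, isn):
    """Order segments by sequence number, drop retransmitted bytes, and pad any
    hole with NULs while recording it as (offset, length) relative to isn, so the
    examiner knows which bytes were never captured."""
    stream, holes, expected = bytearray(), [], isn
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                                    # pure retransmission
        if seg.seq > expected:                          # data missing before this segment
            holes.append((expected - isn, seg.seq - expected))
            stream.extend(b"\x00" * (seg.seq - expected))
            expected = seg.seq
        stream.extend(seg.payload[expected - seg.seq:])  # skip any overlapping prefix
        expected = end
    return bytes(stream), holes

def split_http_response(stream):
    """Split status line, headers and body; truncate the body to Content-Length
    and report whether the capture held the whole object."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no complete HTTP header block in stream")
    lines = head.split(b"\r\n")
    headers = {}
    for raw in lines[1:]:
        name, _, value = raw.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    declared = int(headers.get("content-length", len(body)))
    return lines[0].decode("ascii", "replace"), headers, body[:declared], len(body) >= declared

def looks_like_jpeg(data):
    """JPEG files start with the SOI marker FF D8 FF and end with EOI FF D9."""
    return data[:3] == b"\xff\xd8\xff" and data.endswith(b"\xff\xd9")

def recover_object(segments, isn):
    """Full pipeline: segments -> ordered stream -> HTTP split -> body ready to save."""
    stream, holes = reassemble(segments, isn)
    status, headers, body, complete = split_http_response(stream)
    return {"status": status, "type": headers.get("content-type"), "body": body,
            "complete": complete and not holes, "holes": holes}

# Constructed capture: JPEG marker bytes only (not a real picture), one HTTP response.
JPEG_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 20 + b"\xff\xd9"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(JPEG_BODY) + JPEG_BODY)
SERVER_ISN = 7000  # constructed initial sequence number of the server side

def _seg(a, b):
    return Segment(SERVER_ISN + a, RESPONSE[a:b])

# Out of order, one exact duplicate, one partially overlapping retransmission.
CAPTURED_SEGMENTS = [_seg(50, 80), _seg(0, 20), _seg(20, 50), _seg(20, 50),
                     _seg(40, 65), _seg(80, len(RESPONSE))]

if __name__ == "__main__":
    result = recover_object(CAPTURED_SEGMENTS, SERVER_ISN)
    print(result["status"], result["type"], "complete:", result["complete"])
    print("raw stream is a JPEG?", looks_like_jpeg(reassemble(CAPTURED_SEGMENTS, SERVER_ISN)[0]))
    print("body is a JPEG?      ", looks_like_jpeg(result["body"]))
```

The raw reassembled stream fails the JPEG check because the HTTP status line and headers sit in front of the image data; the separated body passes it and is what should be written to disk for an image viewer. The hole list is the detail worth documenting alongside the dropped-packet count: a NUL-padded gap inside a recovered file is not evidence of what the server sent, only of what the capture missed.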