LESSON 8 DIGITAL FORENSICS part II

8.1 Forensic Principles
8.1.0 Introduction
There are a number of basic principles that apply regardless of whether you are examining a
computer or a corpse. This section is a quick summary of these principles.
8.1.1 Avoid Contamination
On TV you see forensic examiners dressed in white suits and gloves, handling all evidence
with tweezers and putting it into sealed plastic bags. This is all to prevent “contamination”:
evidence being tainted, for example by fingerprints added to the handle of a knife when someone
picks it up (think of The Fugitive, if you have seen it, and the trouble that got him into). The
digital equivalent is booting the seized computer or mounting its drive read-write: access times
and logs change, and the evidence is no longer what was seized. Examiners therefore image the
drive through a write blocker and work only on a verified copy.
8.1.2 Act Methodically
Whatever you do, when (or if) you get to court you will need to justify every action you
have taken. If you act in a scientific and methodical manner, making careful notes of what you
are doing and how you do it, this justification becomes much easier. It also allows someone else
to follow your steps and verify that you have not made a mistake that would cast doubt on the
value of your evidence.

8.1.3 Chain of Evidence
You must maintain what is called the “Chain of Evidence” (also known as the chain of custody).
This means that at any point in time, from the seizure of the evidence until its final presentation
in court, you can account for who has had access to it and where it has been. Without this record
you cannot rebut the claim that someone has tampered with it or falsified it in some way; in digital
forensics the record is usually backed by a cryptographic hash of the evidence taken at acquisition
and re-checked at every hand-over.
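The following is an added example, not part of the original lesson, that puts the two principles above (avoid contamination, maintain the chain of evidence) into code. It fingerprints an acquired image with SHA-256, keeps an append-only custody log in which every entry commits to the previous one, and shows that both a single changed byte in a working copy and a rewritten log entry are detected. The image bytes, names and locations are constructed for the example.

```python
import datetime
import hashlib
import json

# Constructed stand-in for an acquired disk image (real images are gigabytes).
EVIDENCE_IMAGE = b"NTFS    " + bytes(range(256)) * 4 + b"invoice_final.xlsx"


def sha256_hex(data: bytes) -> str:
    """Cryptographic fingerprint of the evidence; any changed byte changes it."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log.

    Every entry records who had the evidence, where, and the evidence hash at
    that moment, and commits to the previous entry's hash, so an entry cannot
    be altered or removed later without breaking verify().
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, action, custodian, location, evidence_hash, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "time": when or datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "location": location,
            "evidence_sha256": evidence_hash,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        # Hash every field except the entry's own hash, in a canonical order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def verify(self):
        """True only if every entry is intact and correctly linked to its predecessor."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev_entry_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def verify_copy(copy: bytes, acquisition_hash: str) -> bool:
    """Check a working copy against the hash taken at acquisition."""
    return sha256_hex(copy) == acquisition_hash


def run_scenario():
    """Walk through acquisition, transfer, analysis, and two tampering attempts."""
    log = CustodyLog()
    original_hash = sha256_hex(EVIDENCE_IMAGE)
    log.record("acquired (write-blocked imaging)", "examiner A", "suspect's office", original_hash)
    log.record("sealed and transferred", "courier B", "evidence locker 3", original_hash)

    # The examiner works on a copy; the hash proves the copy is the acquired image.
    working_copy = bytes(EVIDENCE_IMAGE)
    copy_ok = verify_copy(working_copy, original_hash)
    log.record("verified copy, analysis started", "examiner A", "lab workstation 7",
               sha256_hex(working_copy))

    # Contamination: one byte of the copy changes and the hash no longer matches.
    tampered_copy = bytearray(working_copy)
    tampered_copy[100] ^= 0x01
    tampered_copy_ok = verify_copy(bytes(tampered_copy), original_hash)

    log_ok = log.verify()

    # Someone tries to rewrite history (hide that the courier ever had it).
    log.entries[1]["custodian"] = "examiner A"
    log_tampered_ok = log.verify()

    return {
        "copy_ok": copy_ok,
        "tampered_copy_ok": tampered_copy_ok,
        "log_ok": log_ok,
        "log_tampered_ok": log_tampered_ok,
        "entries": len(log.entries),
    }


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

In practice the acquisition hash is written on the evidence form and sealed with the drive; the log here is only a model of that paper trail, but it shows why a hash recorded once, before any analysis, is what makes the later "it has not been touched" claim checkable rather than a matter of trust.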
8.1.4 Conclusion
Keep these things in mind and, even if you never take your work to court, you will get the
most out of your abilities as a forensic examiner.

8.2 Stand-alone Forensics
8.2.0 Introduction
This section is about the forensic examination of an individual machine. For want of a better
term, we will call it “stand-alone forensics”. This is probably the most common part of
computer forensics; its main role is to find out what has been done using a particular
computer. The forensic examiner could be looking for evidence of fraud, such as financial
spreadsheets; evidence of communication with someone else, such as e-mails or an address book; or
evidence of a particular nature, such as pornographic images.

8.2.1 Hard Drive and Storage Media Basics
There are several components that make up an average computer: the processor, memory,
graphics card, CD drives and much more. One of the most crucial components is the hard disk
(hard drive). This is where the majority of the information that the computer requires to
operate is stored. The operating system (OS), such as Windows or Linux, resides here, along
with user applications such as word processors and games. This is also where significant
amounts of data are stored, either deliberately, through the action of saving a file, or
incidentally, through the use of temporary files and caches. This allows a forensic examiner to
reconstruct the actions a user has carried out on a computer, which files have been accessed
and much, much more.
There are several levels at which you can examine a hard disk. For the purposes of this
exercise, we are only going to look at the file system level. It is worth noting, though, that
professionals look at a disk in far greater detail (unallocated space, file slack, remnants of
deleted files and partitions) to determine what it used to contain, even after files have been
deleted or the disk reformatted. Data that has genuinely been overwritten is a different matter:
recovering it is impractical on modern drives, so an examiner's real leverage comes from the
copies and fragments a system leaves behind rather than from reading beneath an overwrite.
The file system is the computer's implementation of a filing cabinet. It contains drawers
(partitions), folders (directories) and individual pieces of paper (files). Files and directories
can be hidden, although this is only a superficial thing: the “hidden” attribute is a flag that
the normal file browser honours, and forensic tools simply ignore it.
Working through the following Exercises should give you a far better understanding of the
basics of disk storage.
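As an added example (not part of the original lesson), the code below opens the first “drawer” of the filing cabinet: it parses the partition table in a Master Boot Record, the 512-byte sector 0 of an MBR-formatted disk, and then maps the sectors that no partition claims. Those unallocated ranges are exactly where the “great level of detail” mentioned above pays off, because deleted partitions and deliberately hidden data survive there. The sample MBR is constructed inline with `build_mbr`; a real examination would read sector 0 from a forensic image instead.

```python
import struct

SECTOR_SIZE = 512
MBR_TABLE_OFFSET = 446            # 446 bytes of boot code precede the table
MBR_SIGNATURE = b"\x55\xaa"       # boot signature at bytes 510-511
ENTRY_FORMAT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count

# Common MBR partition type codes (a subset).
PARTITION_TYPES = {
    0x00: "empty",
    0x05: "extended",
    0x07: "NTFS / exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def build_mbr(entries):
    """Construct a 512-byte MBR sector from (status, type, lba_start, sectors) tuples.

    Used only to fabricate sample input here; in an examination the sector is
    read from the disk image.
    """
    table = b"".join(
        struct.pack(ENTRY_FORMAT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
        for status, ptype, start, count in entries
    )
    table = table.ljust(64, b"\x00")          # four 16-byte slots, unused ones zeroed
    return bytes(MBR_TABLE_OFFSET) + table + MBR_SIGNATURE


def parse_mbr(sector):
    """Return the non-empty partition entries from an MBR sector."""
    if len(sector) < SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: boot signature 0x55AA missing")
    parts = []
    for i in range(4):
        raw = sector[MBR_TABLE_OFFSET + 16 * i: MBR_TABLE_OFFSET + 16 * (i + 1)]
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FORMAT, raw)
        if ptype == 0x00 and count == 0:
            continue                          # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": start,
            "sectors": count,
            "size_bytes": count * SECTOR_SIZE,
        })
    return parts


def unallocated_ranges(parts, total_sectors):
    """Sector ranges [start, end) that no partition covers (sector 0 holds the MBR).

    An examiner maps these rather than trusting the table alone: a partition
    that was deleted from the table still has its data on disk.
    """
    gaps = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"]))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


# Constructed sample: a 1 GiB disk (2,097,152 sectors) with a bootable NTFS
# partition and a Linux partition that stops well short of the end of the disk.
DISK_SECTORS = 2_097_152
SAMPLE_MBR = build_mbr([
    (0x80, 0x07, 2048, 204800),       # bootable, 100 MiB
    (0x00, 0x83, 206848, 1835008),    # 896 MiB
])

if __name__ == "__main__":
    found = parse_mbr(SAMPLE_MBR)
    for p in found:
        print("partition %d: %-12s start=%d sectors=%d (%d MiB)%s" % (
            p["index"], p["type_name"], p["lba_start"], p["sectors"],
            p["size_bytes"] // 2**20, " [boot]" if p["bootable"] else ""))
    for start, end in unallocated_ranges(found, DISK_SECTORS):
        print("unallocated sectors %d-%d (%d MiB)" % (start, end - 1, (end - start) * SECTOR_SIZE // 2**20))
```

On the sample disk the parser reports two partitions and two gaps: the 2047 sectors after the MBR (the usual alignment gap, but also a classic hiding place) and the 27 MiB after the last partition. Only the file-system level is covered in this lesson, but this is the layer underneath it, and the table it reads is just data on the disk, which is why a partition can “disappear” from Windows or Linux while every sector of it is still present.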
