On Computer Forensics Tool Software and Its Testing


Ding Liping 1,2, Wang Yongji 1

1 (Internet Software Technology Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing, 100080)

2 (Beijing People's Police Institute Research Institute, Beijing, 100029)

Abstract: Computer forensics tool software is used for the acquisition, analysis, transmission, archiving, preservation and presentation in court of computer evidence. To ensure that computer evidence has strong probative force and meets evidentiary standards, computer forensics tool software must undergo strict testing. This article discusses the concepts and steps of computer forensics, proposes the basic functions that computer forensics tool software should have, and describes the necessity of testing computer forensics tools and the basic methods for doing so.

Keywords: computer evidence; computer forensics; steps; functions; testing methods

I. Concepts, Steps and Related Tools of Computer Forensics

1. Concept of computer forensics

The forensics expert Reith Clint Mark holds that computer forensics can be regarded as the technology and tools for collecting and discovering evidence from computers [11]. In practice, computer forensics is the acquisition, preservation, analysis and presentation of evidence existing in computers and related devices. Computer forensics tool software must have special functions for each step of computer forensics, so that using these tools ensures that computer forensics proceeds smoothly and yields data that can be used as evidence.

2. Steps of computer forensics

2.1 Protecting and surveying the scene

The scene survey is the first step of obtaining evidence and mainly concerns the acquisition of physical evidence; this work lays the foundation for the steps that follow. It includes sealing the target computer system to avoid any data damage or virus infection, and drawing the computer crime scene, the network topology map, and so on. Before any device is moved or disassembled it must be photographed and archived, which provides a direct basis for later simulating and restoring the crime scene. The tool software used at this stage includes automatic scene-drawing software and software that detects and automatically draws the network topology.

2.2 Acquiring evidence [6] [7]

Acquiring evidence essentially means extracting it from a large amount of unknown and uncertain data. The tools used in this step are generally forensic tools with functions such as disk imaging, data recovery, decryption, and network data capture.

2.3 Identifying evidence [6] [9]

The identification of computer evidence mainly addresses integrity verification of the evidence and determines whether it meets evidentiary standards. One of the difficulties of computer forensics work is proving that the collected evidence has not been modified. Computer evidence is volatile and fragile: for example, corrosion, strong magnetic fields and human damage can alter or destroy the original evidence. Therefore, measures must be taken to protect the evidence throughout the forensic process. The forensics software used in this step includes functions such as timestamps and digital fingerprints, and is mainly used to establish the reliability of the evidence data.

2.4 Analyzing evidence

This is the core and key of computer forensics. The analysis covers: the type of computer; the operating system used, whether the machine runs multiple operating systems, and whether it has hidden partitions; whether suspicious software is installed; and whether the network environment of the current computer system contains remote-control facilities or Trojans. Note that the start-up and shutdown of the system must be handled carefully during analysis, to avoid losing the data of running processes or triggering any destructive deletion procedure that may have been planted. All relevant data found in special areas of the disk should be analyzed. Data analysis techniques use the free space of disk storage for data recovery, obtaining records of file deletion, modification and copying. Traces of tampering are found by comparing the collected programs, data and backups with the currently running programs and data. The computer evidence is combined with the other evidence of the whole case: the owner of the computer, electronic signatures, passwords, transaction records, the return mailbox, mail-sending server logs, Internet IP addresses, and so on. Note that computer evidence must corroborate, and be integrated with, the other evidence. At the same time, note whether the computer evidence can provide other clues to the case or help determine the possible time of the crime and the perpetrator. Tools for computer evidence analysis must be able to complete these tasks.

2.5 Tracking

The computer forensics steps mentioned above are static, that is, static analysis of the target system after the event has occurred. As computer crime techniques advance, such static analysis can no longer meet the requirements; the development trend is to combine computer forensics with network security tools such as intrusion detection and with network architecture technology, so that the whole forensic process becomes more systematic, intelligent and flexible. For some specific cases, such as hacker attacks, the evidence to collect includes: system log files, application log files, AAA log files (such as RADIUS logs), network element logs, firewall logs, HIDS events, NIDS events, disk drives, file backups, telephone records, and so on. During forensics it is necessary to monitor the network attack in real time, and criminal suspects may also be caught by using related devices or by setting traps.

2.6 Submitting results

Print out the results of the comprehensive analysis and tracking of the target computer system, then give the analysis conclusion: the overall situation of the system, the file structure, the data, the author's information, any hidden, deleted, protected or encrypted information, and other related information found during the investigation. Mark the extraction time, place, machine, extractor and witnesses. Then submit it to the judicial authority in the form of evidence in accordance with legal procedures.

3. Tools related to computer forensics

3.1 General tool software

Tool software for detecting partitions, anti-virus software, various compression tools, and so on.

3.2 Special forensic tool software

File browsers: this type of tool is a reading tool designed for viewing data files. It only views, without editing or recovery, so it is small and protects the evidence. A good example is Quick View Plus (http://www.jasc.com): it recognizes 200 file types and can browse a variety of e-mail documents, which is more convenient than frequent conversion with WordPerfect. Conversion Plus can be used to browse Macintosh files under Windows.

Picture viewing tools: ThumbsPlus is a comprehensive tool for this task.

Undelete tools: the most important in this area is the Norton toolkit; although it is an old tool, it is still useful.

CD-ROM tools: CD-R Diagnostics can be used to see data that cannot be seen by ordinary means.

Text search tools: dtSearch is a good text search tool, in particular able to search Outlook .PST files.

Drive imaging programs: disk imaging software that meets the needs of forensic analysis (that is, creates an image of the entire drive) includes SafeBack (http://www.forensics-intl.com), SnapBack (http://www.cdp.com), Ghost (http://symantec.com), dd (a standard UNIX tool), and so on.

Disk wiping tools: this type of tool is mainly used on the analysis machine before the analysis described above, to ensure that its drive contains no residual data; clearly a simple format is not enough. After booting from a floppy disk, run NTI's DiskScrub program to wipe the data in every sector of the hard disk.

Forensic programs: effective forensic software tends to have both data-collection and data-analysis functions. The current international mainstream products are:

Forensic Toolkit: a set of command-line tools that help infer access behaviour in the Windows NT file system. The commands included are: AFIND (lists files by last access time, without changing the access time of the directory), HFIND (scans for files with the hidden attribute), SFIND (scans the entire disk for hidden data streams), FileStat (reports all attributes of individual files), and NTLast (provides a standard GUI event browser showing the login and logout time of each session, and can indicate whether a login was remote or local). The Coroner's Toolkit (TCT): mainly used to investigate compromised UNIX hosts; it provides powerful investigation capabilities, characterized by analyzing the live operation of the host and capturing current state information. grave-robber can collect a large amount of information about running processes, network connections and hard disks. The data is collected roughly in order of volatility; collecting all data is a slow process that can take several hours. TCT also includes the data recovery and browsing tools unrm and lazarus, and the tool mactime for obtaining MAC times. It also includes some small tools such as ils (displays the raw data of deleted inodes), a tool that displays the contents of the file corresponding to a specific inode, and the like.

EnCase: described as a forensic application with a Windows interface, including data browsing, searching, disk browsing, data preview, case creation, evidence file creation, case saving, and so on.

ForensiX: mainly for the Linux environment, a tool whose main purposes are data collection and data analysis. It consists of a special work platform with supporting hardware. It uses Linux's support for multiple file systems to provide automatic mounting of images of different file systems, can discover data in slack space, and can analyze whether a UNIX system contains Trojans. Its WebTrace can automatically search domain names on the Internet, doing the necessary collection work for network forensics, and new versions have tools for identifying hidden files.

New Technologies Incorporated (NTI, http://www.forensics-intl.com): NTI is one of the most established vendors of forensic software. NTI's software runs as command-line programs, so it is very fast and the packages are small, suitable for use from a floppy disk. The company's forensics tools include:

CRCMD5: a CRC tool that can verify the contents of one or more files.

DiskScrub: a tool for wiping all data on a hard drive.

DiskSig: a CRC program for verifying the accuracy of an image backup.

FileList: a disk directory tool used to create a timeline of activity on the system.

Filter_we: an intelligent fuzzy-logic filter for ambient data.

GetSlack: an ambient data collection tool for capturing unallocated data.

GetTime: an ambient data collection tool for capturing scattered files.

Net Threat Analyzer: network forensics analysis software for identifying abuse of corporate Internet accounts.

M-Sweep: an ambient data wiping tool.

NTI-Doc: a documentation program used to record the date, time and attributes of files.

PTable: a tool for analyzing and documenting hard drive partitions.

Seized: a program for locking and protecting evidence computers.

ShowFL: a program used to analyze the file list output.

TextSearch Plus: a tool for locating strings in text or graphics files.

The software tools discussed in this article refer mainly to such dedicated forensic software.

II. Basic Functions That Computer Forensics Tool Software Should Have

The software tools required for computer forensics must meet the most basic forensic requirements and have one or more of the following basic functions:

1. Discovering computer evidence

Able to locate suspicious hosts and crime scenes according to the case.

2. Storing computer evidence

Software tools for storing computer evidence are mainly those that can preserve the evidence and prove that it has not been modified from the time it was obtained until it is submitted to court.
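As an added example (not code from the paper or from any product it names) of the timestamp and digital fingerprint functions described in step 2.3 and of the "not modified from acquisition to submission" requirement of this section: the acquisition record is sealed with an HMAC under a key assumed to be held by the evidence custodian, and a later re-hash detects any change to the image or to the record itself. The function names, the sample image and the key are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

def fingerprint(data: bytes) -> str:
    """SHA-256 digest of the raw evidence bytes: the 'digital fingerprint'."""
    return hashlib.sha256(data).hexdigest()

def _canonical(body: dict) -> bytes:
    """Stable serialization so the seal covers exactly the recorded fields."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def make_record(label: str, data: bytes, examiner: str, custodian_key: bytes,
                acquired_at: Optional[datetime] = None) -> dict:
    """Acquisition record: what was imaged, by whom, when, and its digest.
    Sealed with an HMAC under the custodian's key (assumed to be kept apart
    from the examiner's workstation), so editing the record is detectable."""
    ts = (acquired_at or datetime.now(timezone.utc)).isoformat()
    body = {"label": label, "size": len(data), "sha256": fingerprint(data),
            "acquired_at": ts, "examiner": examiner}
    body["seal"] = hmac.new(custodian_key, _canonical(body), "sha256").hexdigest()
    return body

def verify(record: dict, data: bytes, custodian_key: bytes) -> Tuple[bool, str]:
    """Re-check at analysis or submission time: first the record's seal,
    then the evidence bytes against the recorded size and digest."""
    body = {k: v for k, v in record.items() if k != "seal"}
    expected = hmac.new(custodian_key, _canonical(body), "sha256").hexdigest()
    if not hmac.compare_digest(expected, record.get("seal", "")):
        return False, "record seal invalid: the acquisition record was altered"
    if len(data) != record["size"]:
        return False, f"size changed: {record['size']} -> {len(data)} bytes"
    if fingerprint(data) != record["sha256"]:
        return False, "digest mismatch: evidence modified after acquisition"
    return True, "intact: digest matches acquisition record"

# Constructed sample "disk image": a fake boot sector followed by empty sectors.
SAMPLE_IMAGE = b"\xeb\x3c\x90FAKEBOOT" + bytes(512 * 4 - 11)
CUSTODIAN_KEY = b"constructed-demo-key-not-for-real-use"

if __name__ == "__main__":
    rec = make_record("suspect-hdd.img", SAMPLE_IMAGE, "examiner A", CUSTODIAN_KEY)
    print(json.dumps(rec, indent=2))
    print(verify(rec, SAMPLE_IMAGE, CUSTODIAN_KEY))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[1000] ^= 0x01          # one flipped bit inside an "empty" sector
    print(verify(rec, bytes(tampered), CUSTODIAN_KEY))
```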

3. Transmitting computer evidence

Able to guarantee reliable transmission of computer evidence.

4. Extracting computer evidence

Computer forensics tools in this category are mainly used to automatically extract computer evidence from suspicious hosts or networks.

5. Analyzing computer evidence

Analyzing all data associated with computers or networks that contain computer evidence, in order to discover the facts of the crime.

6. Identifying computer evidence

Determining, according to evidentiary requirements, which computer evidence can be used.

III. The Necessity of Testing Computer Forensics Tools

At present, computer forensics tools are mainly produced abroad, and there are few domestic products. However, with the spread of computer applications, computer evidence is becoming more and more common, domestic computer forensics tools are appearing, and some are currently under development. Which software tools can be used for computer forensics, which companies may produce computer forensics tools, and what kind of computer forensics tools may be used in judicial activities are problems that urgently need to be solved. Therefore, testing and certification of our country's computer forensics tools is very necessary. Stricter and more meticulous professional testing and management can be built on the basis of the "Double Software Certification" (the certification of software enterprises and software products, http://www.chinasoftware.com.cn/cognizance_guide_product.asp).

Production of computer forensics tools belongs to a special industry

Enterprises that produce computer forensics tool software are in fact producing tools for solving crimes. They should be strictly qualified enterprises or state organs, and should belong to the special industries recognized by the public security organs or other judicial organs. The current situation, in which any software enterprise can produce and develop such tools, must be changed.

The quality of computer forensics tools is important

The quality of computer forensics software tools determines whether a case can be solved in time and bears on the fairness and impartiality of judicial activities. If a computer forensics tool is of poor quality or lacks functions, criminals may escape punishment or the innocent may be wrongly convicted, so that the law loses its dignity and its fairness. Therefore, the quality of computer forensics tools must be guaranteed.

IV. Methods of Testing Computer Forensics Tools

Develop standards for computer forensics tools and the industry

Companies that produce computer forensics tools should undergo special-industry qualification and be registered with the management departments. At the same time, management measures for the routine supervision of enterprises engaged in producing computer forensics tools should be developed. These measures should cover the scale, equipment, technical level and technical personnel of the production enterprises. Production enterprises should be inspected regularly, and the qualification of companies that no longer meet the production conditions should be revoked. Credible products can be promoted so as to form our own representative forensics tools.

The management of computer forensics tools covers the whole process of product production and use. In particular, strict testing and trial operation should be conducted before a product is put into use. Computer forensics tools must be strictly protected against counterfeit and shoddy products, adopting advanced technologies such as software watermarking, and strict laws and regulations should be established to prevent piracy and infringement. The management standards in this area should include quality standards, precision standards, and so on.

Establish a special testing mechanism

Special institutions or laboratories should be set up within the product quality supervision departments to test computer forensics tools. Such a department should be composed of computer software testing experts, computer forensics experts and other computer professionals, and be responsible for the strict testing and certification of computer forensics tool software products; only products that pass this institution's testing may be put into use.

Testing practice for computer forensics software products

The testing of computer forensics tools should include two parts: testing and inspection of the computer forensics software. Specifically, there should be the following steps:

Check the qualifications of the product's production enterprise, and check whether the various documents submitted with the product are complete.

Writing the test plan: after reading the product's documentation, write the test plan. It should describe the scope, requirements, reference information, technical background, product equipment and options, test methods, test tools, detailed descriptions of the test cases, and lists of related data; special attention should be paid to writing down the possible inputs and the expected outputs of each test case.

Testing: test in detail, strictly following the test plan. The test process should be recorded in detail: each run result, the response time, the evaluation, and so on.

Writing inspection reports and test reports: after testing and inspection, detailed inspection and test reports should be written based on the records. These reports should include: the testers, the dates of testing, the actual testing methods and tools, the technical indicators tested, the inputs, the outputs, whether each output meets the requirements, the response time, the conclusions, and so on.
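Added example, not the paper's own procedure or any product it names: a small test-plan runner that, for each test case, records the fields the test report above requires (tester, date, tool, technical indicator, input, output, whether the output meets requirements, response time) while checking a drive-imaging function. The two imaging functions are constructed stand-ins, one correct and one with a deliberate defect, and the test inputs are constructed.

```python
import hashlib
import time
from datetime import datetime, timezone

SECTOR = 512

def good_imager(source: bytes) -> bytes:
    """Constructed stand-in for a correct imager: every sector copied bit for bit."""
    return bytes(source)

def bad_imager(source: bytes) -> bytes:
    """Constructed stand-in with a defect: stops at the first all-zero sector,
    so anything after an empty sector (unallocated space, remnants of deleted
    files) never reaches the image."""
    out = bytearray()
    for off in range(0, len(source), SECTOR):
        sector = source[off:off + SECTOR]
        if not any(sector):
            break
        out += sector
    return bytes(out)

def build_cases() -> list:
    """Constructed test inputs with their expected outputs (a bit-exact copy).
    The second case deliberately places data after an empty sector."""
    plain = b"A" * SECTOR * 3
    gap = b"B" * SECTOR + bytes(SECTOR) + b"deleted-file-remnant".ljust(SECTOR, b"\x00")
    return [{"name": "contiguous data", "input": plain, "expected": plain},
            {"name": "data after empty sector", "input": gap, "expected": gap}]

def run_case(case: dict, tool, tool_name: str, tester: str) -> dict:
    """Run one test case and return one report row with the fields the paper lists."""
    start = time.perf_counter()
    output = tool(case["input"])
    elapsed = time.perf_counter() - start
    expected_digest = hashlib.sha256(case["expected"]).hexdigest()
    actual_digest = hashlib.sha256(output).hexdigest()
    return {"tester": tester,
            "date": datetime.now(timezone.utc).date().isoformat(),
            "tool": tool_name, "case": case["name"],
            "indicator": "bit-exact copy: SHA-256 of image equals SHA-256 of source",
            "input_bytes": len(case["input"]), "output_bytes": len(output),
            "expected_sha256": expected_digest, "actual_sha256": actual_digest,
            "meets_requirements": actual_digest == expected_digest,
            "response_time_s": round(elapsed, 6)}

def run_plan(tool, tool_name: str, tester: str = "tester A"):
    """Run every case of the plan; the conclusion is 'pass' only if all cases pass."""
    rows = [run_case(c, tool, tool_name, tester) for c in build_cases()]
    conclusion = "pass" if all(r["meets_requirements"] for r in rows) else "fail"
    return rows, conclusion

if __name__ == "__main__":
    for name, tool in (("good_imager", good_imager), ("bad_imager", bad_imager)):
        rows, conclusion = run_plan(tool, name)
        print(name, "->", conclusion, [(r["case"], r["meets_requirements"]) for r in rows])
```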

V. Conclusion

With the development of networks and computer technology, computer evidence stored and transmitted in digital form is steadily increasing, and computer forensics tool software will keep appearing. How to guarantee the quality of computer forensics tool software concerns judicial fairness and national dignity; therefore computer forensics tool software must be strictly managed and tested.

References:

1. Software Product Certification Guide, http://www.chinasoftware.com.cn/cognizance_guide_product.asp.

2. CFTT Project Overview, http://www.cftt.nist.gov/project_overview.htm.

3. Warren G. Kruse II, Jay G. Heiser. Computer Forensics: Incident Response Essentials. 1st edition, ISBN 0201707195, Pearson Education, Inc., USA.

4. Michael R. Anderson. Computer Evidence Processing: The Important First Step, Safe Seizure of the Computer. http://www.forensics-intl.com.

5. Sommer P. Computer forensics: an introduction. In: Proceedings of Computer Forensics '92, the 9th World Conference on Computer Security, Audit and Control. London: Elsevier Advanced Technology, 1992: 82-96. http://www.virtualcity.co.uk/vcaForens.htm.

6. Anderson Michael R. Electronic Fingerprints: Computer Evidence Comes of Age. http://www.forensics-intl.com.
