Similar literature
1.
As suspects' awareness of counter-investigation measures grows, storage media involved in cases, such as TF cards and USB flash drives, often contain encrypted files. This encrypted data frequently holds the information of greatest value for investigation and prosecution, so decrypting it becomes the key to whether the data can be successfully extracted. This paper studies the encryption and decryption principles in a case involving a cult, analysing in detail an XOR-based encryption scheme, its decryption principle and the corresponding method, and on that basis designs decryption software that can quickly recover the key. In this case, examiners extracted the encryption program from the evidence material, ran encryption experiments, compared the data before and after encryption, analysed the encryption principle and studied the decryption method. To improve decryption efficiency, the examiners developed a Windows Forms application in C# and designed the decryption tool TFCrack. TFCrack obtains the password conveniently and quickly, and with the recovered password the hidden data can be parsed rapidly.

2.
Starting with Windows 95, the Windows family of operating systems has used a database called the "registry" to manage system configuration information centrally. As the central repository for every kind of Windows system information, the registry contains all software and hardware configuration and status information, chiefly application initial conditions, system settings and permissions, file-to-application associations, hardware property descriptions, computer performance records and low-level system state. As the Windows operating systems have evolved, the registry has come to store ever more information, including user accounts, URLs, external devices and file operation history, making it a rich repository of evidence.

3.
Examination of the Windows operating system registry
For computer forensic examiners, knowing how to locate specific information in the registry is a very useful skill. This paper introduces how to find the relevant information. The registry is the core of the Windows operating system. It is essentially a huge database holding the computer's hardware and all configuration information, the initialization information of the system and application software, the associations between application software and document files, hardware device descriptions, and all kinds of network status information and data.

4.
Wang Gang. 《刑事技术》 (Forensic Science and Technology), 2009, (3): 28-30
Objective: To study methods for preventing file leakage and for computer anti-forensics. Methods: File shredding is both an effective way to protect file security and prevent the leakage of confidential data, and one of the techniques of computer anti-forensics. By analysing the principles by which data are stored in and deleted from disk files, thorough deletion and file-shredding techniques are adopted. Results: The methods can be applied to the secure protection and extraction of sensitive data, and also help broaden the approach taken in computer forensics.

5.
Zhuang Qianlong. 《时代法学》, 2012, 10(2): 37-43
In judicial practice, email encryption methods fall into two main categories, symmetric-key encryption and asymmetric-key encryption; combined with auxiliary techniques such as digital certification and digital signatures, the encryption level and hence the security of email can be raised accordingly. In general, encrypted email is more reliable than unencrypted email, and the admissibility of encrypted email evidence is affected by the decryption procedure. The probative value of email evidence is affected by factors such as the encryption method and the degree of control the actor has over the email, and it increases as the encryption level rises.

6.
Xiong Zhihai, Zhou Guoping. 《时代法学》, 2013, 11(1): 106-111
With the development of encryption technology, criminals commonly encrypt their electronic devices for anti-forensic purposes. In the United States, law enforcement agencies seeking to search encrypted devices face challenges from both the Fourth Amendment and technical limitations. To meet these challenges, they usually compel the defendant by subpoena to disclose the password or produce the decrypted data, which in turn raises the Fifth Amendment privilege problem. The best way to resolve the Fourth and Fifth Amendment issues together is to combine a subpoena for the decrypted data with limits on the scope of the data to be produced. However, once a defendant refuses the subpoena and does not produce the decrypted data, the prosecution may fail. It is therefore necessary to implement additional legal mechanisms to remedy this gap in the law.

7.
As an emerging smartphone platform, Windows Phone has grown steadily and attracted increasing attention. After introducing the system architecture and security model of Windows Phone 7, this paper describes in detail the forensic approaches to the problems encountered and discusses how to perform forensics on Windows Phone 7 smartphones. Native-level methods and the Windows Phone SDK are used to access the Windows Phone 7 kernel and other data in order to obtain valuable information from the phone, and a series of tools is used to analyse the files on it. The results show that evidence such as text messages, emails and social activity can be effectively recovered from Windows Phone 7 phones.

8.
The development of mobile communications has driven the spread of smart terminals, and with it more phone-related crime; yet forensic work on a phone involved in a crime is often obstructed by the screen lock. This paper studies and analyses screen-unlocking techniques on Android, currently the platform with the largest smart-terminal market share. It first briefly describes the Android system architecture; it then studies each of the different screen-lock methods on Android smart terminals in turn, summarising the corresponding encryption flows and plaintext password rules so as to simplify the unlocking steps and improve decryption efficiency, allowing forensic work to be completed in less time; finally, it proposes further unlocking methods so that examiners have flexible options when confronted with a screen lock.

9.
Files are stored using character encodings, so electronic data forensic work can only be completed once the character encoding type of the file is understood.

10.
The development of Internet technology has led to ever more cases of illegal activity conducted through websites. To punish such crimes effectively, the structure, web programs and databases of the offending website must be analysed and the key information about the criminal conduct collected as evidence. A website's raw data are generally stored in a database, while the rules for processing those data are recorded in database stored procedures, program code, or compiled program files. Based on reverse-engineering theory, this study first reverses the website database into a data model diagram to obtain the information-structure model of the whole system, then decompiles the website's program files to obtain the code execution rules and determine the website's key business patterns. A practical website forensic case shows that reverse engineering can effectively help in understanding the global information relationships within a system, locating the key forensic objects, accurately obtaining the correspondence rules between key information and raw data, and forming a chain of evidence.

11.
File system forensics is an important part of digital forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, ExFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we will show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. The main purpose of ReFS is to be used on storage spaces in server systems, but it can also be used in Windows 8 or newer. Although ReFS is not the current standard file system in Windows, users have the option to create ReFS file systems, so digital forensic investigators need to be able to investigate the file systems identified on seized media. Further, we will focus on remnants of non-allocated metadata structures or attributes. This may allow metadata carving, which means searching for specific attributes that are not allocated. Attributes found can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which is different from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery. Further, it is possible to search for checkpoints in order to recover both metadata and content.

Another concept not seen in other Windows file systems is the sharing of blocks. When a file is copied, both the original and the new file will share the same content blocks. If the user changes the copy, new data runs will be created for the modified content, but unchanged blocks remain shared. This may impact file carving, because part of the blocks previously used by a deleted file might still be in use by another file. The large default cluster size, 64 KiB, in ReFS v1.2 is an advantage when carving for deleted files, since most deleted files are less than 64 KiB and therefore only use a single cluster. For ReFS v3.2 this advantage has decreased because the standard cluster size is 4 KiB.

Preliminary support for ReFS v1.2 has been available in EnCase 7 and 8, but the implementation has not been documented or peer-reviewed. The same is true for Paragon Software, which recently added ReFS support to their forensic product. Our work documents how ReFS v1.2 and ReFS v3.2 are structured at an abstraction level that allows digital forensic investigation of this new file system. At the time of writing this paper, Paragon Software is the only digital forensic tool that supports ReFS v3.x.

It is the most recent version of the ReFS file system that is most relevant for digital forensics, as Windows automatically updates the file system to the latest version on mount. This is why we have included information about ReFS v3.2. However, it is possible to change a registry value to avoid updating. The latest ReFS version observed is 3.4, but the information presented about 3.2 is still valid. In any criminal case, the investigator needs to investigate the file system version found.

12.
Significantly increased use of USB devices, due to their user-friendliness and large storage capacities, poses various threats for many users and companies in terms of data theft, which their mobility makes easier. Investigations of such data theft require gathering critical digital information capable of recovering digital forensic artifacts such as date, time, and device information. This research gathers three sets of registry and log data: first, before insertion; second, during insertion; and third, after removal of a USB device. These sets are analyzed to gather evidentiary information from the Registry and the Windows Event log that helps in tracking a USB device. This research extends prior research on earlier versions of Microsoft Windows and compares it with the latest Windows 10 system. A comparison of Windows 8 and Windows 10 does not show much difference except for a new subkey under the USB key in the registry. However, a comparison of Windows 7 with the latest version indicates significant variances.

13.
Digital Investigation, 2007, 4(3-4): 129-137
In this paper we discuss how operating system design and implementation influence the methodology for computer forensics investigations, with the focus on forensic acquisition of memory. In theory the operating system could support such investigations both in terms of tools for analysis of data and by making the system data readily accessible for analysis. Conventional operating systems such as Windows and UNIX derivatives offer some memory-related tools that are geared towards the analysis of system crashes, rather than forensic investigations. In this paper we demonstrate how techniques developed for persistent operating systems, where the lifetime of data is independent of the method of its creation and storage, could support computer forensics investigations delivering higher efficiency and accuracy. It is proposed that some of the features offered by persistent systems could be built into conventional operating systems to make illicit activities easier to identify and analyse. We further propose a new technique for forensically sound acquisition of memory based on the persistence paradigm.

14.
The Windows registry serves as a primary storage location for system configurations and as such provides a wealth of information to investigators. Numerous researchers have worked to interpret the information stored in the registry from a digital forensic standpoint, but no definitive resource is yet available which describes how Windows deletes registry data structures under NT-based systems. This paper explores this topic and provides an algorithm for recovering deleted keys, values, and other structures in the context of the registry as a whole.

16.
Digital Investigation, 2005, 2(2): 94-100
When a USB storage device, such as a thumb drive, is connected to a Windows system, several identifiers are created on the system. These identifiers, or artifacts, persist even after the system has been shut down. In many cases, these artifacts may be used for forensic purposes to identify specific devices that have been connected to the Windows system(s) in question.

17.
The ever-increasing size of digital media presents a continuous challenge to digital investigators who must rapidly assess computer media to find and identify evidence. To meet this challenge, methods must continuously be sought to expedite the examination process. This paper investigates using the file ownership property as an analytical tool focusing on activity by individuals associated with the computer. Research centered on the New Technology File System (NTFS), which is the default file system in the Microsoft Windows Operating System (OS). This was done because Microsoft's worldwide market penetration makes Windows and NTFS the most likely OS and file system to be encountered in digital forensic examinations. Significantly, digital forensic software now allows examination of NTFS file attributes and properties including the ownership property. The paper outlines potential limitations regarding interpreting ownership findings, and suggests areas for further research. Overall, file ownership is seen as a potentially viable new digital forensic tool.
