Similar literature
 Found 19 similar documents; search took 109 ms
1.
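Objective: In digital forensics, the encryption and decryption of data is often a key concern for examiners. The Data Protection API (DPAPI), the data protection interface provided by Windows, is widely used and currently serves mainly to protect encrypted data. Its defining characteristic is that encryption and decryption must be performed on the same computer, and that key generation, use and management are handled internally by Windows; if the computer is changed, DPAPI-encrypted data cannot be decrypted. By analysing the DPAPI encryption mechanism, the aim is to decrypt DPAPI-encrypted data in Windows system storage areas offline. Methods: Through in-depth analysis of the DPAPI encryption and decryption flows of several operating systems, including Windows XP, Windows 7 and Windows 10, it was determined that offline decryption of system storage area data depends mainly on the system's registry files and master key files. Results: Using the reconstructed decryption flow and algorithms, together with the system's registry files and master key files, DPAPI-encrypted data can be decrypted successfully. Conclusion: The method achieves offline decryption of DPAPI-encrypted data in Windows system storage areas.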

2.
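Research on Android smartphone lock-screen passwords and methods for cracking them   Total citations: 1, self-citations: 0, citations by others: 1
With the rapid development and wide adoption of mobile communication technology, the information held inside mobile phones has become an important source of leads and evidence in criminal investigation. Because people are more aware of data security and privacy protection, and suspects are more aware of counter-investigation measures, smartphones involved in cases usually have a lock-screen password. In this situation, how to extract, process and analyse the data on them has become an important research direction. This paper studies the lock-screen problem on Android phones. It describes in detail the file structure and storage principles of the three kinds of Android lock-screen password, namely the pattern password, the PIN and the complex password, and analyses how to use Android's ADB (Android debug bridge) debugging mode to manually bypass or clear the password on an Android smartphone. Different solutions for cracking and clearing the password are proposed for the cases where debugging mode is enabled and where it is not; these methods have proved highly practical in the author's own work.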

3.
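Xiong Zhihai (熊志海), Zhou Guoping (周国平). 《时代法学》, 2013, 11(1): 106-111
As encryption technology has developed, criminals commonly encrypt their electronic devices for anti-forensic purposes. In the United States, law enforcement agencies seeking to search an encrypted device face challenges on two fronts: the Fourth Amendment and technical limitations. To meet these challenges, law enforcement agencies usually use a subpoena to compel the defendant to disclose the password or to produce the decrypted data, but this in turn raises the question of the Fifth Amendment privilege. The best way to resolve the Fourth and Fifth Amendment issues together is to combine a subpoena for decrypted data with limits on the scope of the data to be produced. However, if the defendant refuses to comply with the subpoena and will not produce the decrypted data, the prosecution may fail. It is therefore necessary to introduce an additional legal mechanism to remedy this gap in the law.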

4.
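Strengthening evidence awareness and making proper use of DNA   Total citations: 3, self-citations: 1, citations by others: 2
In many cases, the samples collected during crime scene examination cannot, or cannot yet, be used as direct evidence, but the investigation often needs that evidence, and on the surface the samples do seem hard to put to investigative use. This requires technical staff to think hard, to apply reverse thinking boldly, to exercise initiative with the physical evidence at hand and to analyse the test results flexibly, turning the useless into the useful and the indirect into the direct, so that technology fully serves the investigation. In some cases, especially some homicides, a great many biological samples can be collected at the scene, but whether they can be used and how much value they have require careful consideration by crime scene examiners. Investigators, crime scene technicians and DNA examiners have different roles, but for investigating and solving cases, discovering…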

5.
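Trace evidence can provide leads for investigation and evidence for litigation. In actual police work, however, many forensic technicians, on arriving at a scene, confine themselves to searching for, discovering, collecting and preserving the common typical trace evidence, that is, criminal traces in the narrow sense. They are not good at discovering, analysing and using "atypical traces", the criminal traces in the broad sense that do not need to be obtained by forensic technical means, and some have "no concept at all" of them, which makes cases harder to solve or even causes opportunities to be lost. Drawing on real cases, this paper discusses atypical traces and their use in investigation, in order to broaden the investigative outlook of crime scene examiners and investigators.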

6.
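Forensic DNA testing is a new testing technology that developed in the 1980s. Since it was first applied to criminal investigation it has attracted great attention because it allows individual identification, and it has become one of the main technologies for providing evidence in court. DNA testing research in China's public security system has kept pace with the international state of the art. Researchers completed laboratory research and its conversion into casework techniques in the shortest possible time, successively developing DNA fingerprinting, PCR, STR and DNA database technologies, domestically produced DNA testing reagents, and DNA extraction and purification reagents and instruments. These have been brought into use in casework one after another, have provided a large amount of evidence and leads for combating all kinds of crime, and have played a prominent role.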

7.
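Footprints are the traces that human activity leaves on receiving surfaces such as the ground. This paper points out that, in criminal investigation, examining the footprints left at a crime scene can yield information about the offender and provide effective investigative leads and a basis for solving the case, by helping to determine the direction and scope of the investigation, the number of offenders and their physical characteristics.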

8.
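Liu Wei (刘玮). 《法制与社会》, 2014, (14): 136-137
Trace examination is an investigative technique used by criminal investigators in their work. It consists of investigators collecting and examining the criminal traces at a crime scene, and its range of application in criminal investigation in China is growing ever wider. This paper describes in detail the types of trace examination technology, the factors hindering its development, how to raise the level of its application in criminal investigation, and its future development trends.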

9.
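Footprint analysis and examination plays a very important role in criminal investigation: it can set the direction of an investigation and narrow its scope. Current footprint comparison methods are highly subjective and have large errors, and processing the images with photographic techniques is rather cumbersome, so bringing computer digital image processing into footprint comparison is the general trend. Using Photoshop CS 6 as the working program, this paper sets out a new computer-based overlay comparison method for footprints, covering the current state of footprint comparison, existing problems and needs, footprint image preprocessing, the use of Quick Mask to make comparison frames, and practical application, and designs a concrete workflow in Photoshop. The method is accurate, reliable, convenient and fast, and is of real significance for practical work.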

10.
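Shed cells are currently one of the important sample types in forensic DNA testing. This kind of physical evidence is small, fairly well hidden, hard to notice and hard to destroy. By extracting DNA from shed cells, information about the people present at a crime scene can be obtained directly, providing important technical support for solving cases. However, usually only trace amounts of shed cells can be collected from scene samples, and they often carry amplification inhibitors; manual DNA extraction is complicated to perform and its results vary from person to person, which creates many difficulties for DNA testing. To effectively increase the quantity of shed cells obtained, the number of samples taken at the scene must be increased, which in turn greatly increases the subsequent DNA extraction work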

11.
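Zhuang Qianlong (庄乾龙). 《时代法学》, 2012, 10(2): 37-43
In judicial practice, e-mail encryption methods fall into two main classes, symmetric-key encryption and asymmetric-key encryption. Combining them with auxiliary techniques such as digital certification and digital signatures raises the level of encryption accordingly and increases the security of e-mail. In general, encrypted e-mail is more reliable than unencrypted e-mail, and the admissibility of encrypted e-mail as evidence is affected by the decryption procedure. The probative force of e-mail evidence is affected by factors such as the encryption method and the degree of control the person has over the e-mail, and it increases as the level of encryption increases.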

12.
As companies and end-users increasingly deploy end-to-end encryption, law enforcement and national security agencies claim they “go dark”, i.e. lose in practice the power to legally intercept and gain access to information and communications. This has revived a debate that seemed closed by the late 1990s, namely whether backdoors should be embedded in encryption systems. This paper provides a historical overview of the policy debates surrounding encryption, to identify the potential regulatory options for policy-makers, based on the lessons that can be learned from “cryptowar” history. We discuss the First Cryptowars (1990s, focusing on backdoor schemes), the Interbellum (featuring a rise in powers to order decryption), the Second Cryptowars (2010s, renewed backdoor discussions) and their aftermath: the newly emerging battlefield of legal hacking. The latter can be seen as a condition for the truce with which – for now – the Cryptowars seem to have ended. Cryptowar history teaches us that the two main policy options for decryption by government agencies – ensuring access to keys ex ante (backdoors) or ex post (decryption orders) – both suffer from fundamental flaws. Therefore, legal hacking powers – if human rights standards are sufficiently taken into account – could be the only realistic policy option to preserve some light in an era of dark communication channels.

13.
Data breach notification laws require organisations to notify affected persons or regulatory authorities when an unauthorised acquisition of personal data occurs. Most laws provide a safe harbour to this obligation if acquired data has been encrypted. There are three types of safe harbour: an exemption; a rebuttable presumption and factor-based analysis. We demonstrate, using three condition-based scenarios, that the broad formulation of most encryption safe harbours is based on the flawed assumption that encryption is the silver bullet for personal information protection. We then contend that reliance upon an encryption safe harbour should be dependent upon a rigorous and competent risk-based review that is required on a case-by-case basis. Finally, we recommend the use of both an encryption safe harbour and a notification trigger as our preferred choice for a data breach notification regulatory framework.

14.
This article examines the emerging legal framework of encryption. It reviews the different categories of law that make up this legal framework, namely: export control laws, substantive cybercrime laws, criminal procedure laws, human rights laws, and cybersecurity laws. These laws are analysed according to which of the three regulatory subjects or targets they specifically address: the technology of encryption, the parties to encryption, or encrypted data and communications. For each category of law, illustrative examples of international and national laws are discussed. This article argues that understanding the legal framework of encryption is essential to determining how this technology is currently regulated and how these regulations can be improved. It concludes that the legal framework is the key to discerning the present state and future direction of encryption laws and policies.

15.
Strong encryption can prevent anybody from accessing user data, including the technology companies responsible for its implementation. As strong encryption technology has become increasingly prevalent, law enforcement agencies have sought legislation to secure continued lawful access to the data affected. Following analysis of the encryption debates in the United States and the United Kingdom, this article will propose three rules that governments should follow to facilitate open debate and prevent the implementation of unsafe lawful access solutions. Firstly, we will provide context on current encryption policy. Secondly, it will be shown that continuous open debate must be facilitated in order to prevent the implementation of unsafe lawful access solutions. Finally, it will be argued that governments should be held to three rules when engaging in debate about lawful access: legislation governing lawful access must state clearly on its face whether decryption can be mandated; the encryption debate must not be oversimplified or reduced to emotive examples in order to secure public support for unsafe solutions; and safeguards on warrants must not be conflated with safeguards on lawful access mechanisms in order to suggest that solutions are safer than is actually the case.

16.
As the 21st century approaches, encryption is presenting a national security dilemma in the US. While the use of strong encryption for computerized data is essential in protecting our nation, widespread, unregulated encryption poses serious problems on two levels: encryption could inhibit the government's ability to enforce the law as well as gather foreign intelligence. As a result, the government has established export controls on encryption products and proposed a 'key recovery' system designed to enable law enforcement officers to access encrypted data in the course of lawful investigations. The export controls have been ineffective and counterproductive policy and are arguably unconstitutional under the First Amendment. However, export controls are the only viable solution to the intelligence gathering problem and will need to survive these political and legal attacks or our national security could be jeopardized. Key recovery will be difficult and costly to implement and has come under attack by civil liberties' groups. Nevertheless, a cost-effective compromise on key recovery is necessary to meet the needs of law enforcement. Such a system, if it mirrored current electronic surveillance law, would effectively balance individual privacy rights and governmental interests and thus should survive constitutional scrutiny. Congress and President Clinton ought to enact key recovery legislation soon before the use of encryption becomes commonplace. A failure to act intelligently and effectively on this critical, cutting-edge issue could compromise our nation's future.

17.
《Digital Investigation》2008,5(1-2):34-48
Several of the new features of Windows Vista may create challenges for digital investigators. However, some also provide opportunities and create interesting new evidential artefacts which can be recovered and analysed. This paper examines several of these new features and describes methods for recovering shadow copies of files from Restore Points, identifying BitLocker on a system, the importance of recovery keys in dealing with BitLocker encrypted volumes and also the problems that User Account Control could cause for live investigations.

18.
Journalists’ right to protect the identities of their confidential sources relies on an inconsistent set of court decisions based on constitutional and common law interpretations and state statutes. Efforts to bring some consistency to federal law through the passage of a shield law have stalled while journalists face new threats because of the vulnerability of their communications to discovery and monitoring by third parties. Also, the entry of non-professional communicators into the news ecosystem is causing courts to reevaluate and redefine long-standing protections. This article proposes four ways that sources could be better protected from unmasking without the passage of a shield law: improving whistleblower laws to better protect people who report illegal or unethical actions to the media; vastly reducing the number of government secrets to make “leaking” less attractive or necessary; changing legal strategy to focus on protecting the anonymity of sources instead of the rights of journalists to keep secrets; and more widespread and intelligent use of encrypted applications and software could all improve the security of journalistic sources. Because of the complexity of amending multiple whistleblower protection laws and changing the government’s document classification system, the article argues that the best solutions may be to persuade news organizations to change legal tactics and to use better encryption technology.

19.
The role of live forensics in digital forensic investigations has become vital due to the importance of volatile data such as encryption keys, network activity, currently running processes, in memory only malware, and other key pieces of data that are lost when a device is powered down. While the technology to perform the first steps of a live investigation, physical memory collection and preservation, is available, the tools for completing the remaining steps remain incomplete. First-generation memory analyzers performed simple string and regular expression operations on the memory dump to locate data such as passwords, credit card numbers, fragments of chat conversations, and social security numbers. A more in-depth analysis can reveal information such as running processes, networking information, open file data, loaded kernel modules, and other critical information that can be used to gain insight into activity occurring on the machine when a memory acquisition occurred. To be useful, tools for performing this in-depth analysis must support a wide range of operating system versions with minimum configuration. Current live forensics tools are generally limited to a single kernel version, a very restricted set of closely related versions, or require substantial manual intervention. This paper describes techniques developed to allow automatic adaptation of memory analysis tools to a wide range of kernel versions. Dynamic reconstruction of kernel data structures is obtained by analyzing the memory dump for the instructions that reference needed kernel structure members. The ability to dynamically recreate C structures used within the kernel allows for a large amount of information to be obtained and processed. Currently, this capability is used within a tool called RAMPARSER that is able to simulate commands such as ps and netstat as if an investigator were sitting at the machine at the time of the memory acquisition. Other applications of the developed capabilities include kernel-level malware detection, recovery of processes memory and file mappings, and other areas of forensics interest.
