Similar literature
Found 18 similar documents; search took 140 ms
1.
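Objective: To study forensic methods for MS SQL Server databases. Methods: Based on a study of the storage structure of MS SQL Server databases, and using a database named "sradmin" as an example, methods for extracting, examining and analyzing SQL Server databases are introduced. Conclusion: The method proposed in this paper can extract, examine and analyze SQL Server databases and is highly practical.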

2.
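Objective: To study three data recovery approaches for NTFS storage devices, and to test and compare their recovery results in order to advance the examination of electronic evidence. Methods: For the same NTFS storage device, self-designed NTFS log examination software was used to test recovery based on the NTFS log file, the quick scan function of Final Data was used to test recovery based on MFT records, and the full scan function of Final Data was used to test recovery based on the signature values stored in file headers; the recovery results of the three approaches were compared and their recovery principles analyzed. Results: The approaches based on the NTFS log and on MFT records recover more complete information in less time, but are not suitable for recovering files deleted a long time ago. The approach based on file header signature values can recover files deleted a long time ago, but it takes a long time, cannot recover information such as file names and creation times, and cannot effectively recover files stored in fragments. Conclusion: Data can be recovered effectively by combining the three approaches according to the actual situation.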

3.
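SQLite is a lightweight SQL database engine. Because it is simple to run and powerful, it is widely used in applications such as mobile phone text messages and browser history. In forensic examination practice it is often necessary to search SQLite database files for specific content, so understanding the structure of SQLite database files is very important. This paper analyzes the structure of SQLite database files and the data structure of the text message file on Android phones, and uses a real case to analyze methods for searching for and analyzing deleted text messages. The approach and methods of this examination can serve as a reference for all applications that use SQLite databases.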

4.
王钢 《刑事技术》2009,(3):28-30
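Objective: To study methods for preventing file leakage and for computer anti-forensics. Methods: File shredding is both an effective method for protecting file security and preventing the leakage of confidential data, and one of the techniques of computer anti-forensics. By analyzing the principles by which data is stored in and deleted from files on disk, thorough deletion and file shredding techniques are adopted. Results: These can be applied to the secure protection and extraction of sensitive data, and also help broaden the working approach of computer forensics.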

5.
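Based on the characteristics of the MongoDB file-based database, a method for acquiring evidence from MongoDB file-based databases is proposed. Building on a study of the principles of the GridFS file system, the paper describes the structure of MongoDB and the GridFS file system in detail and analyzes the files in which MongoDB stores its data, in order to obtain deleted file data. Experimental results show that the method can effectively acquire electronic evidence from MongoDB databases.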

6.
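Research on methods for extracting information from SIM cards   Total citations: 1, self-citations: 0, citations by others: 1
Objective: To establish the principles and methods for extracting data of evidentiary value, including deleted data, from SIM cards. Methods: Using Paraben Cell Seizure software (version 2.0) and its accompanying card reader, existing and deleted data on the SIM card were read. Results: A range of data, including call records and text messages, could be recovered from the SIM cards used in the experiment. Conclusion: SIM cards contain a large amount of valuable information, most of which can be reproduced and used, and which has value as evidence.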

7.
《刑警与科技》2008,(15):34-34
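SQL Server 2008 reduces the management workload of the data platform by introducing extensible policy-based management. The most notable feature is Policy Based Management, abbreviated PBM. PBM lets DBAs define management policies and apply them to servers, databases and other objects in the data environment. Carefully designed management policies can help DBAs manage the data environment proactively.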

8.
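Objective: Multimedia (video/audio) data in embedded digital video recorder (DVR) systems is often important evidence in the forensic examination of electronic data. In forensic practice, however, it is common for DVR data to become inaccessible because it was accidentally deleted, maliciously deleted or damaged, which makes the examination of electronic data more difficult. Methods: Drawing on forensic casework, and taking inaccessible DVR video files stored on a Micro SD card as the main example, research on DVR data recovery was carried out based on the file allocation table (FAT) 32 file system and H.264-related file formats. Results: Video files recovered with the two methods discussed can be accessed normally, and the DBR can be rebuilt automatically by running a script file. Conclusion: The two methods discussed can effectively recover DVR data on the FAT32 file system and DVR data in H.264 format. In addition, automatically rebuilding the DBR by running a script file can effectively improve the efficiency of forensic examination. Research on these examination techniques has significant theoretical and practical value for the forensic examination of embedded DVR video.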

9.
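Using existing tools and methods for tampering with Microsoft Office files, this paper designs several experimental schemes for tampering with the content and properties of Microsoft Office files, uses software tools to examine and analyze the properties of Microsoft Office files, and summarizes methods for examining Microsoft Office files.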

10.
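Using existing tools and methods for tampering with Microsoft Office files, this paper designs several experimental schemes for tampering with the content and properties of Microsoft Office files, uses software tools to examine and analyze the properties of Microsoft Office files, and summarizes methods for examining Microsoft Office files.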

11.
《Digital Investigation》2014,11(1):20-29
The release of Internet Explorer 10 marks a significant change in how browsing artifacts are stored in the Windows file system, moving away from well-understood Index.dat files to use a high performance database, the Extensible Storage Engine. Researchers have suggested that despite this change there remain forensic opportunities to recover InPrivate browsing records from the new browser. The prospect of recovering such evidence, together with its potential forensic significance, prompts questions including where and when such evidence can be recovered, and if it is possible to prove that a recovered artefact originated from InPrivate browsing. This paper reports the results of experiments which answer these questions, and also provides some explanation of the increasingly complex data structures used to record Internet activity from both the desktop and Windows 8 Applications. We conclude that there is a time window between the private browsing session and the next use of the browser in which browsing records may be carved from database log files, after which it is necessary to carve from other areas of disk. It proved possible to recover a substantial record of a user's InPrivate browsing, and to reliably associate such records with InPrivate browsing.

12.
CCTV surveillance systems are IoT products that can be found almost everywhere. Their digital forensic analysis often plays a key role in solving crimes. However, it is common for these devices to use proprietary file systems, which frequently hinders a complete examination. HIKVISION is a well-known manufacturer of such devices that typically ships its products with its proprietary file system. The HIKVISION file system has been analyzed before but that research has focused on the recovery of video footage. In this paper, the HIKVISION file system is being revisited regarding the log records it stores. More specifically, these log records are thoroughly examined to uncover both their structure and meaning. These unexplored pieces of evidence remain unexploited by major commercial forensic software, yet they can contain critical information for an investigation. To further assist digital forensic examiners with their analysis, a Python utility, namely the Hikvision Log Analyzer, was developed as part of this study that can automate part of the process.

13.
《Federal register》1983,48(183):42830-42836
The Social Security Administration (SSA) announces proposed changes in the fees it charges for providing records from its files and record related services. These proposed changes will conform SSA's fee schedule to that recently published by the Department of Health and Human Services (HHS). The proposed rules also implement the discretion given the Secretary of Health and Human Services by section 2207 of the Omnibus Budget Reconciliation Act of 1981 to charge the full cost of providing certain information and records. The proposed rules do not change SSA's longstanding policy of generally not charging an individual for information needed to assure that our records concerning her or him are correct. In preparing these amendments, we deleted from SSA's rules several provisions concerning Medicare information. The Health Care Financing Administration (HCFA) has published separate regulations governing the availability of Medicare information and records. We have also clarified the rules for handling requests for information about individuals under the Privacy Act and the Freedom of Information Act (FOIA) and incorporated HHS' recent rules on who has authority to release or deny records in this revised material.

14.
The Microsoft Windows operating system continues to dominate the desktop computing market. With such high levels of usage comes an inferred likelihood of digital forensic practitioners encountering this platform during their investigations. As part of any forensic examination of a digital device, operating system artifacts, which support the identification and understanding of how a user has behaved on their system provide a potential source of evidence. Now, following Microsoft's April 2018 build 1803 release with its incorporated “Timeline” feature, the potential for identifying and tracking user activity has increased. This work provides a timely examination of the Windows 10 Timeline feature demonstrating the ability to recover activity‐based content from within its stored database log files. Examination results and underpinning experimental methodologies are offered, demonstrating the ability to recover activity tile and process information in conjunction with the Windows Timeline. Further, an SQL query has been provided to support the interpretation of data stored within the ActivitiesCache.db.

15.
《Federal register》1983,48(161):37440-37441
The Office for Civil Rights of the Department of Health and Human Services maintains a system of records entitled "Complaint Files and Log. HHS/OS/OCR." The Department intends to exempt this system from certain provisions of the Privacy Act, 5 U.S.C. 552a. The proposed exemption is authorized by subsection (k)(2) of the Privacy Act, which applies to investigative materials compiled for law enforcement purposes. The Office for Civil Rights (OCR) is authorized to gather information for civil and administrative law enforcement purposes pursuant to several statutes requiring nondiscrimination in programs or activities receiving Federal financial assistance. In order to maintain the integrity of the OCR investigative process and to assure access to complete and accurate information, the Department proposes to exempt this system, under subsection (k)(2), from the notification, access, correction and amendment provisions of the Privacy Act. The Department is requesting public comments on the proposed exemption.

16.
《Federal register》1984,49(70):14107-14108
The Office for Civil Rights of the Department of Health and Human Services maintains a system of records entitled "Complaint Files and Log. HHS/OC/OCR." The Department is exempting this system from certain provisions of the Privacy Act, 5 U.S.C. 552a. The exemption is authorized by subsection (k)(2) of the Privacy Act, which applies to investigative materials compiled for law enforcement purposes. The Office for Civil Rights (OCR) is authorized to gather information for civil and administrative law enforcement purposes pursuant to several statutes requiring nondiscrimination in programs or activities receiving Federal financial assistance. In order to maintain the integrity of the OCR investigative process and to assure that OCR will be able to obtain access to complete and accurate information, the Department is exempting this system, under subsection (k)(2), from the notification, access, correction and amendment provisions of the Privacy Act.

17.
Global positioning system (GPS) devices are an increasingly important source of evidence, as more of our devices have built-in GPS capabilities. In this paper, we propose a novel framework to efficiently recover National Marine Electronics Association (NMEA) logs and reconstruct GPS trajectories. Unlike existing approaches that require file system metadata, our proposed algorithm is designed based on the file carving technique without relying on system metadata. By understanding the characteristics and intrinsic structure of trajectory data in NMEA logs, we demonstrate how to pinpoint all data blocks belonging to the NMEA logs from the acquired forensic image of GPS device. Then, a discriminator is presented to determine whether two data blocks can be merged. And based on the discriminator, we design a reassembly algorithm to re-order and merge the obtained data blocks into new logs. In this context, deleted trajectories can be reconstructed by analyzing the recovered logs. Empirical experiments demonstrate that our proposed algorithm performs well when the system metadata is available/unavailable, log files are heavily fragmented, one or more parts of the log files are overwritten, and for different file systems of variable cluster sizes.

18.
A classifier for the SNP-based inference of ancestry   Total citations: 3, self-citations: 0, citations by others: 3
Ancestral inference from DNA could serve as an important adjunct for both standard and future human identity testing procedures. However, current STR methods for the inference of ancestral affiliation have inherent statistical and technical limitations. In an effort to identify bi-allelic markers that can be used to infer ancestral affiliation from DNA, we screened 211 SNPs in the human pigmentation and xenobiotic metabolism genes. Allele frequencies of 56 SNPs (most from pigmentation genes) were dramatically different between groups of unrelated individuals of Asian, African, and European descent, and both observed and simulated log likelihood ratios revealed that the markers were of exceptional value for ancestral inference. Log likelihood ratios of the multilocus estimates of biological ancestry (EAE/EBA) ranged from 7 to 10, which are on par with the best of the STR batteries yet described. A linear classification method was developed for incorporating these SNPs into a classifier model that was 99, 98, and 100% accurate for identifying individuals of European, African, and Asian descent, respectively. The methods and markers we describe are therefore an important first step for the development of a practical multiplex test for the inference of ancestry in a forensics setting.
