Similar Literature
1.
This paper first analyses the basic concepts of network forensics, then describes the analysis process of a network forensics system, and finally proposes and designs an implementation model for a distributed real-time network forensics system.

2.
Network forensics is an investigation technique looking at the network traffic generated by a system. PyFlag is a general purpose, open source forensic package which merges disk forensics, memory forensics and network forensics. This paper describes the PyFlag architecture and in particular how it is used in the network forensics context. The novel processing of HTML pages is described and the PyFlag page rendering is demonstrated. PyFlag's novel processing of complex web applications such as Gmail is described. Finally, PyFlag's report generation capabilities are demonstrated.

4.
Nordic police cooperation concerning cybercrimes has been developed during the last few years, e.g. through the Nordic Computer Forensics Investigators (NCFI) and Nordplus training programmes. More empirical research is needed in order to enhance cybercrime investigation and address the training needs of police officers. There is a knowledge gap concerning organizational models for the police's cybercrime investigation: how the function is organized, what the professional characteristics of the staff are, and how to combine computer forensics with crime investigation. The purpose of this paper was to study the organization of cybercrime investigation in Finland. Data were collected by a questionnaire from all 11 local police districts and the National Bureau of Investigation in July–August 2014. In addition, six thematic interviews of cybercrime investigators were conducted in 2014. Three investigation models of computer integrity crimes were found: (1) computer forensic investigators conduct the entire pre-trial examination; (2) computer forensic investigators conduct only the computer forensics, and tactical investigation is done by an occasional investigator; (3) computer forensic investigators conduct only the computer forensics, and tactical investigation is centralized to designated investigators. The recognition of various organizational models and educational backgrounds of investigators will help to develop cybercrime investigation training.

5.
Since its inception over a decade ago, the field of digital forensics has faced numerous challenges. Although different researchers and digital forensic practitioners have studied and analysed various known digital forensic challenges, as of 2013 there still exists a need for a formal classification of these challenges. This article therefore reviews existing research literature and highlights the various challenges that digital forensics has faced over the last 10 years. In conducting this research study, however, it was difficult for the authors to review all the existing research literature in the digital forensic domain; hence, sampling and randomization techniques were employed to facilitate the review of the gathered literature. A taxonomy of the various challenges is subsequently proposed in this paper based on our review of the literature. The taxonomy classifies the large number of digital forensic challenges into four well-defined and easily understood categories. The proposed taxonomy can be useful, for example, in future developments of automated digital forensic tools by explicitly describing processes and procedures that focus on addressing specific challenges identified in this paper. However, it should also be noted that the purpose of this paper was not to propose any solutions to the individual challenges that digital forensics faces, but to serve as a survey of the state of the art of the research area.

6.
Research on forensic acquisition of computer network evidence   Total citations: 1 (self-citations: 0, citations by others: 1)
The rapid development of computer networks is profoundly changing people's lives, but at the same time network crime is rising sharply. To combat crime effectively, the investigative techniques relevant to network crime must be studied, and computer forensics is one of the most important links in this chain. The main tools, techniques and methods of computer forensics all differ from those used in the forensics of traditional crime, and they change correspondingly as science, technology and crime evolve.

7.
杜威, 彭建新, 杨奕琦. 《政法学刊》 2011, 28(6): 113-116
With the development of network technology, computer network crime is becoming increasingly serious. To combat network crime effectively and improve the legislative basis for electronic evidence from networks, forensic specialists must study not only network forensics techniques but also network anti-forensics techniques. Studying anti-forensics techniques drives improvements in forensic techniques; only in this way can investigators broaden their approach during network forensics and raise the efficiency with which valid evidence is obtained.

8.
The current generation of Graphics Processing Units (GPUs) contains a large number of general purpose processors, in sharp contrast to previous generation designs, where special-purpose hardware units (such as texture and vertex shaders) were commonly used. This fact, combined with the prevalence of multicore general purpose CPUs in modern workstations, suggests that performance-critical software such as digital forensics tools be "massively" threaded to take advantage of all available computational resources. Several trends in digital forensics make the availability of more processing power very important. These trends include a large increase in the average size (measured in bytes) of forensic targets, an increase in the number of digital forensics cases, and the development of "next-generation" tools that require more computational resources. This paper presents the results of a number of experiments that evaluate the effectiveness of offloading processing common to digital forensics tools to a GPU, using "massive" numbers of threads to parallelize the computation. These results are compared to speedups obtainable by simple threading schemes appropriate for multicore CPUs. Our results indicate that in many cases, the use of GPUs can substantially increase the performance of digital forensics tools.

9.
This paper questions the current approach to forensic incident response and network investigations. Although these investigations claim to be 'forensic' in nature, it shows that the basic processes and mechanisms used in traditional computer forensics are rarely applied in the live incident investigation arena. This paper demonstrates how the newly proposed Digital Evidence Bag (DEB) storage format can be applied to a dynamic environment. A DEB is a universal container for digital evidence from any source. It allows the provenance to be recorded and continuity to be maintained throughout the life of the investigation. With a small amount of forethought, a forensically rigorous approach can be applied to incident response, network investigations and system administration with minimal overhead.

10.
This paper discusses the use of communication technology to commit crimes, including crime facts and crime techniques. The analysis focuses on the security of voice over Internet protocol (VoIP), a prevention method against VoIP call attacks, and the points to attend to when setting up an Internet phone. The importance of digital evidence and digital forensics is emphasised. This paper provides the VoIP digital evidence forensics standard operating procedures (DEFSOP) to help police organisations, and establishes an experimental platform to simulate phone calls, hacker attacks and forensic data. Finally, this paper provides a general discussion of a digital evidence strategy that includes VoIP for crime investigators who are interested in digital evidence forensics.

11.
Forensic examination of electronic data has become one of the current hot topics in forensic examination research. It is a major type of computer forensic examination. According to the nature of the examination, forensic examination of electronic data can be divided into examinations aimed at "discovering evidence" and examinations aimed at "evaluating evidence". The former includes data retrieval and preservation, data recovery, data source analysis, data content analysis and comprehensive data analysis; the latter includes examination items of different natures such as identity examination, authenticity examination, similarity examination, functional examination and composite examination. The two categories differ significantly in examination objectives, procedures, risks, the subjectivity of opinions and the review of evidence.

12.
In this study, we aim to compare the performance of automated systems and forensic facial comparison experts in terms of likelihood ratio computation, to assess the potential of the machine to support the human expert in the courtroom. In forensics, transparency in the methods is essential; consequently, state-of-the-art free software was preferred over commercial software. Three open-source automated systems were chosen for their availability and clarity: OpenFace, SeetaFace, and FaceNet, all three based on convolutional neural networks that return a distance (OpenFace, FaceNet) or a similarity (SeetaFace). The returned distance or similarity is converted to a likelihood ratio using three different distribution fits: a parametric Weibull distribution fit, a nonparametric kernel density estimation fit, and isotonic regression with the pool adjacent violators algorithm. The results show that with low-quality frontal images, automated systems detect non-matches better than investigators: 100% precision and specificity in the confusion matrix, against 89% and 86% obtained by investigators; with good-quality images, however, forensic experts have better results. The rank correlation between investigators and software is around 80%. We conclude that the software can assist reporting officers, as it can perform faster and more reliable comparisons with full-frontal images, which can help the forensic expert in casework.

13.
The development of a nucleic acid extraction method based on magnetic separation has opened up possibilities for automation of DNA extraction. The BioRobot M48 is one of the robotic stations applicable to automated DNA extraction in forensics. However, each new method should be thoroughly validated before application to routine casework. Our aim was to compare the effectiveness of the currently utilized organic/Microcon 100 based extraction procedure and magnetic extraction with the BioRobot M48. The DNA concentration of extracts obtained from different kinds of typical forensic material was evaluated, followed by amplification with the SGM Plus or Identifiler kit and capillary electrophoresis using the ABI 3100 Avant. We can conclude that the BioRobot M48 is a very effective instrument for DNA extraction from most specimens and can be successfully applied in forensic laboratories.

14.
Microbial forensic examination   Total citations: 2 (self-citations: 2, citations by others: 0)
Facing the new challenge of biological crime and bioterrorism in the 21st century, microbial forensics, a new speciality within physical evidence examination, will become an indispensable means for law enforcement agencies to investigate and prosecute biological crime. Microbial forensics takes as its object of examination the various microorganisms used as criminal weapons, and obtains the microbial species together with fine-grained typing results for bacterial and viral strains that can provide source information, in order to supply investigative leads and courtroom evidence. This paper reviews the definition, characteristics and technical applications of microbial forensics, as well as the practice of microbial forensics in the United States in recent years and the successful experience worth learning from. It recommends that physical evidence laboratories in China actively carry out research and build a microbial forensics capability that meets the needs of biological crime investigation.

15.
In digital forensics practice, obtaining the IP addresses, port numbers, MAC addresses and corresponding process information involved in a suspect's network transmissions helps to reveal the suspect's cybercrime comprehensively and in depth. Based on the concrete in-memory layout of four data structures, the IPv4 header, sockaddr_in, _TCPT_OBJECT and the Ethernet V2 standard MAC frame, this paper summarises the signature keywords used to locate these structures, illustrates with examples a method for extracting electronic evidence of network transmissions, and explains the specific techniques and points of attention involved. Digital forensics practice has shown that the described method is accurate and efficient.

16.
Using validated carving techniques, we show that popular operating systems (e.g. Windows, Linux, and OSX) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from long-terminated network traffic. Such information is useful for many forensic purposes, including establishment of prior connection activity and services used; identification of other systems present on the system's LAN or WLAN; geolocation of the host computer system; and cross-drive analysis. We show that network structures can also be recovered from memory that is persisted onto a mass storage medium during the course of system swapping or hibernation. We present our network carving techniques, algorithms and tools, and validate these against both purpose-built memory images and readily available forensic corpora. These techniques are valuable both to forensics tasks, particularly in analyzing mobile devices, and to cyber-security objectives such as malware analysis.

17.
The need to determine the source(s) of fugitive gasoline in the environment is common when multiple candidate sources co-exist near the discovery or when gasoline is discovered subsequent to a property transfer. Process forensics is the component of environmental forensics that relies upon a detailed understanding of current and historic refining and engineering practices and how these practices would predictably have affected the chemical composition of the automotive gasoline manufactured at different refineries at different times. Since not all gasoline is 'created equal', when the detailed "chemical fingerprint" of a fugitive gasoline in the environment is interpreted in light of process forensics, a more thorough understanding of the production practices used to refine the fugitive gasoline can emerge. In some circumstances this knowledge can help to implicate a particular source(s) of the gasoline.

18.
Benefiting from advances in virtualisation and simulation technology, computer simulation forensics has quietly emerged in China. It can largely compensate for the limited evidence-acquisition capability of traditional static forensics, but because the conditions for its application are not yet mature, the question of its judicial use has remained unresolved. In view of this, the paper analyses the problems that urgently need to be solved in the judicial application of simulation forensics from the technical, legal and procedural perspectives, and systematically conceives the content of legal, technical and procedural standards for simulation forensics.

19.
In this paper we present an approach to digital forensics specification based on forensic policy definition. Our methodology borrows from computer security policy specification, which has accumulated a significant body of research over the past 30 years. We first define the process of specifying forensic properties through a forensic policy and then present an example application of the process. This approach lends itself to formal policy specification and verification, which would allow for more clarity and less ambiguity in the specification process.

20.
As a new challenge to law enforcement, computer crime has recently received increasing attention from law enforcement and government officials. However, most writings about this issue are not empirical. This study fills this void by examining the attitudes of computer crime officers in Texas in two areas: general problems in dealing with computer crime, and the impact of demographic and institutional support factors on officers' attitudes. The results are: (1) more budgetary support and training are needed; (2) lack of computer skill/knowledge is the most problematic for computer investigations/forensics; (3) the idea of cooperating and sharing resources has already been utilized; and (4) officers understand the complexity of computer crime but are uncertain about its seriousness. The size of the city and whether the departments have a computer crime unit are the most significant factors that impact officers' attitudes toward the need for institutional support. This study suggests four elements (officers' attitude, institutional support, personnel, and network) that are important to successfully combat computer crime; these elements need to be included in the development and implementation of both short-term and medium-term plans. Authors' Note: Dr. Sutham Cheurprakobkit is Associate Professor of Criminal Justice in the Department of Sociology, Geography, and Anthropology, Kennesaw State University, 1000 Chastain Road, Kennesaw, GA 30144. Gloria Pena is a criminology major at The University of Texas of the Permian Basin, Odessa, TX 79762.
