【网络安全10】取证

本片是作者取证学习的笔记。

部分图片和内容源自HKU讲义，版权归香港大学所有，搬运侵删

免责声明

以下所有关于黑客技术、病毒攻击、拒绝服务或任何其他计算机系统攻击手段的讲义、资料和讨论内容，仅用于教育目的。这些内容不得用于对任何计算机系统发起攻击或造成损害，也不以任何方式鼓励任何人从事此类行为。

本文所涉及的所有技术讨论仅供学习和研究使用。作者不对任何人使用这些信息用于非法用途负责。阅读本文即表示您同意不会将文中讨论或披露的任何技术手段用于实施网络攻击等违法行为。

本文遵循学术研究和技术交流的目的，拒绝为任何恶意行为提供指导。如有违法使用，使用者需自行承担所有法律责任。

L1: Introduction & History

purpose is to obtain digital data

• highly complex, frequently scattered, and requires expertise and tools to collect.
• can easily be altered without leaving any trace.
• can easily be copied and distributed, presenting challenges to preserving confidentiality.
• can be temporary in nature if not preserved in a timely manner.

Phases of Digital Forensics

• Identification:
  • Identify and seize potential sources of digital device in a forensically sound manner
• Preservation:
  • Bagging and tagging
  • Secure storage
  • Protect the evidence
  • Forensic Duplication of evidence
  • Calculate Hash (MD5, SHA-1)
  • Chain of custody (5W1H)
• Analysis：
  • Longest phase
  • Levels of Examination
  • Preparation for Examination
  • Often outsourced
  • Apply a scientific method
• Presentation：
  • A report containing a thorough and unbiased presentation of your findings.
  • Must have a clear and logical structure.

Digital Forensics Process

graph LR
    A[Acceptance<br>接受性] --> B[Reliability<br>可靠性]
    B --> C[Repeatability<br>可重复性]
    C --> D[Integrity<br>完整性]
    D --> E[Cause and effect<br>因果关系]
    E --> F[Documentation<br>文档记录]

Tools and Techniques

• File System Analysis: Understanding file structures and metadata to gather crucial information.
• Forensic Software: Tools like EnCase, FTK (Forensic Toolkit), Autopsy, and Sleuth Kit used for data extraction, analysis, and reporting.
• Network Forensics: Monitoring and analyzing network traffic to identify security breaches or unauthorized activities.
• Mobile Device Forensics: Extraction and analysis of data from smartphones, tablets, and other portable devices.
• Memory Forensics: Examination of volatile memory (RAM) to retrieve valuable evidence.
• Live Forensics: Analyzing a system while it's running to collect evidence without shutting it down.

Recovery in Computer Forensics

1. Data Recovery

• photos, documents, SMS and software

2. Event Reconstruction

• the process of identifying the underlying conditions and reconstructing the sequence of events that led to a security incident

3. Crime scene reconstruction

• Court purpose & Legal requirement
• Smart carving / File carving: the process of reassembling computer files without metadata
• Subject to challenge

Daubert’s Rule

A rule of evidence regarding the admissibility of expert witnesses' testimony

• reliably tested
• peer review
• error rates
• standards and controls
• generally accepted

Case Study

A child porn photo was copied to the current location on 22 Feb 2005

• MAC time

C time: file creation time
M time: last modified time
A time: last access time

• identical (完全相同)

  • Hash value computation
  • Byte-to-byte or frame-to-frame comparison
  • Meta data comparison

• Analysis

  • All accessed at the same time, no modification after creation

  • created time is after the modified time: Copy from other places in the same file system。

    创建时间记录的是文件在当前位置（目录）被创建的时间。当文件被复制到同一文件系统的其他位置时，新的副本会被赋予新的创建时间，而不会更改原文件的修改时间（M time）。
    修改时间记录的是文件内容最后被修改的时间。 文件内容在复制或移动过程中通常不会发生改变。
    

    创建时间晚于修改时间是文件被复制的标志。 而在同一文件系统内复制时，文件的修改时间通常会保留原始值，只更新创建时间，从而说明是系统内复制的。

    

  • The file Lolita-1.mpg in Disk-1 and Disk-2 are identical and their M time are the same. In Disk-1, the C time is after the M time. -> Disk 2 mpg is downloaded on 12 June and finished on 13 Disk 1.mpg is copied from disk 2 on 16 June.

    

  • Lolita-1.mpg and Lolita-1.avi have the same content, the M time of Lolita-1.avi is after the C time.-> Convert mpg to avi on 26 June.

    

Did Not Know Defences

• Trojan Horse Defence (THD) A Trojan installed itself on the defendant's computer;  The Trojan downloaded the CP image files from a remote website (most probably not a public one);  The Trojan placed the downloaded image files in the location on the computer where the defendant usually works;  The Trojan then uninstalled itself, leaving no trace of itself on the defendant’s computer.
• Inadvertent Download Defence (IDD)

Complexity Based Model

通过比较两种路径的复杂性，判断哪种路径更可能导致现有的数字证据，从而支持或反驳控方或辩方的论点。

An inverse relationship exists between the difficulty of performing a process and its probability of occurrence. 
The more difficult / intricate / complex a process is, the less likely it is to occur. 
We measure the difficulty of performing a process using a complexity metric.

法律辩护：

• 辩护可能会主张用户并不知道文件内容为儿童色情，或文件下载是无意的。
• 可能会提出文件的处理是出于教育、科学或艺术目的，或认为文件中的人物不是儿童。

公式与解释

1. 复杂性公式： $C_k = KLM_k + CC_k$

• $C_k$：路径 $k$ 的总复杂性。
• $KLM_k$：人为操作复杂性（通过键盘和鼠标操作模型量化）。
• $CC_k$：计算机操作复杂性（通过计算复杂性理论量化）。

2. 概率与复杂性的关系： $p_k \propto C_k^{-1}$

• $p_k$：路径 $k$ 的发生概率。
• 路径的发生概率与其复杂性的倒数成正比。

3. 后验概率比： $O(k:k') = \frac{\Pr(H_k|\{E\})}{\Pr(H_{k'}|\{E\})} = \frac{C_k}{C_{k'}}$

• $O(k:k')$：路径 $k$ 和路径 $k'$ 的后验概率比。
• $\Pr(H_k|\{E\})$：路径 $k$ 导致数字证据 $\{E\}$ 的概率。
• $\Pr(H_{k'}|\{E\})$：路径 $k'$ 导致数字证据 $\{E\}$ 的概率。
• 通过计算 $C_k$ 和 $C_{k'}$，可以判断哪种路径更可能导致现有的数字证据。

实际意义

• 如果 (O(k:k') > 1)，说明路径 (k) 更可能。
• 如果 (O(k:k') < 1)，说明路径 (k') 更可能。

这一模型为数字取证中的推理提供了一个科学且量化的框架，帮助法庭在多种可能路径中找到最合理的解释。

L2 Digital Evidence

Evidence

• Definition: A body of facts or information indicating the truth or validity of a belief or proposition.

• Types of Evidence:

  • Direct Evidence: Provides direct proof of an assertion's truth.
  • Circumstantial Evidence: Consistent with an assertion but does not eliminate contradictory assertions.

• Digital Evidence Definition: Digital data establishing a crime or linking it to a victim/perpetrator. Characteristics:

  • Composed of binary data (0s and 1s).
  • Accepted as tangible by US and UK courts.
  • No fixed formats for court presentation.

• Compliance: Admissibility: Must meet legal standards.

• Digital Evidence Investigation

• Admissibility

  • Admissible evidence in court includes testimonial, documentary, or tangible evidence that can establish or support a legal argument.
  • For evidence to be admissible, it must be relevant.
  • Authenticity, integrity, and reliability are crucial for admissibility.

• Digital Forensics

  • The digital forensics conclusion is the probability of a hypothesis given the available digital evidence: P(hypothesis | DE1, DE2, ..., DEn).
  • The judge/jury determines the probability of guilt given all the evidence: P(Guilty | E1, E2, Digital Forensics Conclusion, ..., En).

• Intangible Nature of Digital Evidence

  • Digital evidence is intangible and easy to alter.
  • Difficult to completely destroy digital evidence.
  • Replicas of digital evidence may be acceptable.
  • Techniques exist to detect alterations and recover destroyed digital evidence.

• Observer model: observe the data in the computer or the state of the finite state machine, Bitstream Copy instead of copy the file

• Locard’s Principle: every contact leaves a trace

• 2 types of digital evidence:

  • Computer Generated Record : shows processes that have been performed (e.g. systems logs, registry hives)
  • Computer Stored Record : shows user’s actions performed on created files (e.g. date & time stamps)

• Daubert Rule: reliably tested, peer review, potential error rates, standards and controls, generally accepted

Digital Evidence Preservation

• Key Principle: Must prevent any modification/destruction of original evidence - Write Blockers

  • Hardware devices that prevent write signals to evidence drives
  • Ensures read-only access to storage devices
  • Can be: OS-specific or Independent boot solutions

• Imaging Tools

  • Linux dd command
  • DOS boot floppies
  • Proprietary solutions

• Disk Images: Files containing complete contents/structure of storage devices

  • Bit-by-bit copy
  • Replicates structure & contents
  • File system independent
  • 在取证领域，更常用磁盘镜像，因为：更容易保存多个副本; 方便传输和存档; 可以添加元数据和校验信息; 符合取证规范要求

• Disk Cloning

  • Direct disk-to-disk copy method
  • Use Cases: - Upgrading storage - Replacing aging drives - OS disk backup - System migration - Full disk snapshots with boot records

Cryptographic Hash Function

• Hashing = Digital fingerprint for files

• One-way function: Same input = Same hash, Different input = Different hash

• Used for file identification & integrity verification

• Key Uses

  • File Comparison

    • System file exclusion
    • Target file identification
    • Duplicate detection

  • Evidence Integrity

    • Tamper detection
    • Chain of custody verification
    • Digital signature validation

• Common Hash Functions

### MD5
- 128-bit hash value
- Fast & widely supported
- Known vulnerabilities (hash collisions)
- Still used for:
  - File integrity checks
  - Legacy systems
  - Non-security critical tasks

### SHA-1
- Deprecated for security use
- Known vulnerabilities

### SHA-256
- Recommended for security tasks
- More secure than MD5/SHA-1
- Industry standard

• Best Practices

  • Evidence Handling
    • Hash before & after analysis
    • Document all hash values
    • Use multiple hash algorithms

• Security Considerations

  • Avoid MD5 for security-critical tasks
  • Use SHA-256 for sensitive data
  • Maintain hash databases

• Applications

  • Password storage
  • Digital signatures
  • File integrity verification
  • Evidence authentication
  • Duplicate file detection

• Technical Notes

  • MD5 collision resistance: $2^{128}$ operations
  • Useful for identical system comparison
  • Essential for forensic documentation

L3 Digital Evidence II

Key Forensic Artifacts in Windows

• User Profiles and AppData
  • Contains user-specific settings and data
• Windows Registry
  • Central database storing system/user configuration
• Event Logs
  • Records system events, security events, etc
• Prefetch Files
  • Records application launch history
• LNK Files
  • Shortcut files showing file access history
• Metadata
  • File timestamps, attributes, etc

Limitations of Data Recovery

• Physical Destruction: If media physically destroyed, recovery impossible
• Secure Overwriting: Multiple overwrites make recovery extremely difficult/impossible
• SSD TRIM: TRIM command marks blocks for erasure, impacts recovery
• Degaussing: Erases magnetic media by disrupting magnetic fields
• Disk Sanitization: DoD standard multi-pass overwriting process

Challenges of Digital Evidence

• Evidential Challenges
  • Bias in digital logs
  • Identity proof issues
  • Integrity verification
  • Originality concerns
  • Hearsay issues
• Technical Challenges
  • Rapidly evolving technology
  • Multiple media types
  • Volatile data handling
• Legal Challenges
  • Privacy rights
  • Chain of custody
  • Admissibility requirements
  • Documentation needs
• 3 possible approaches
  • Using software that bypass the operating system’s file system
  • Bypass the hard disk controller
  • Use special equipment to read the magnetic field of the disk surface

Applying Forensics Principles

• Locard's Exchange Principle
  • Every contact leaves a trace
• Inman-Rudin Paradigm (系统的取证框架)
  • Transfer: Exchange of material
  • Divisibility: Part represents whole
  • Four Processes:
    1. Identification: Placing objects in class
    2. Classification/Individualization: Narrowing to one
    3. Association: Linking person to crime scene
    4. Reconstruction: Understanding event sequence

L5: Network Forensics

Challenges in Network Forensics

Technical Challenges

• Acquisition (在网络环境中难以找到特定证据; 证据可能分布在多个设备上; 网络数据的易失性)
• Storage & Content (网络设备存储容量有限, 许多设备缺乏持久存储)

Procedural Challenges

• Privacy Issues
• Seizure Complications (网络中断风险; 业务连续性问题; 责任分配)

Admissibility Concerns

Network Basics for Digital Investigators

Key Network Concepts

• MAC Address: 48-bit hardware identifier
• IP Address: Logical address (IPv4: 32 bits)
• Ports: Identify services/processes
• Subnets: Network segmentation
• Static vs Dynamic IP addressing
• DHCP: Dynamic Host Configuration Protocol

Subnet

• IP address separated into two parts: Network identifier and Host identifier.
• 子网划分方式：使用CIDR表示法（如/24、/30），数字表示网络标识符的位数。 例：/30表示前30位是网络标识，后2位是主机标识
• 计算方法-主机数量 = 2^(主机标识位数)。 例：/30有2位主机标识，因此有2²=4个地址。

Sources of Network-Based Evidence

Stages of Network ForensicPreparation and authorization

1. Preparation and authorization

2. Identification: locating systems that contain the most useful digital evidence

   • Evidence Sources
     • End-points systems
     • Intermediate systems (routers, switches)
     • Log files (traffic, netflow, IDS alerts)
     • Supporting systems (auth servers)
   • Digital Evidence Map
     • Network topology visualization
     • Evidence source locations
     • Data retention periods
     • Collection methods

3. Documentation, collection and preservation

4. Filtering and data reduction

   • Filter irrelevant data
   • Data reduction: performed with different criteria, such as data
     • aggregation
     • feature selection
     • anomaly detection

5. Analyze

   • Correlation
   • Timeline
   • Events of interest
   • Recovery of additional evidence
   • Interpretation

6. Investigative reconstruction

7. Reporting results

Sources of Network-Based Evidence

Category	Device/System	Evidence Types
Physical Layer	Physical Media	- Wired connectivity traces
	Wireless	- WiFi traffic
Network Devices	Switches	- MAC address tables - Port mappings
	Routers	- Routing tables - Denied traffic logs - Packet filter records
Network Services	DHCP Servers	- IP address assignments - Lease timestamps - Renewal records
	DNS Servers	- IP resolution logs - Hostname queries
	Authentication Servers	- Login attempts - Failed access logs - Suspicious activities
Security Systems	IDS/IPS	- Attack detection logs - Network anomalies - Alert records
	Firewalls	- Traffic logs - Configuration changes - Rule modifications
Infrastructure	Web Proxies	- Browsing history - Access logs
	Central Log Servers	- Aggregated event logs - System logs
Application Servers	Database Servers	- Data access logs - Query records
	Web Servers	- Access logs - Error logs - Page modifications
	Email Servers	- Mail logs - Traffic records
	Chat Servers	- Communication logs
	VoIP/Voicemail	- Call records - Message logs

Evidence Acquisition

• 被动证据获取 (Passive Evidence Acquisition)
  • 不产生任何网络流量的证据收集方式
  • 纯粹的观察和监听
  • 不会干扰或改变目标网络
  • 例如：监听网络流量；分析已有日志； 收集历史记录
• 主动证据获取 (Active/Interactive Evidence Acquisition)
  • 需要与网络设备进行交互的证据收集方式
  • 会产生新的网络流量
  • 可能会改变网络状态
  • 例如：登录路由器查看配置； 进行端口扫描；主动请求系统信息

1. Physical Interception Methods

Method	Description
Cables	Passive interception of data transmitted through physical cables
Radio Frequency	Capture of wireless network traffic
Hubs	Collection from network hubs
Switches	Interception at network switches

2. Switch Traffic Collection

Method	Description
Port Mirroring	Replication of traffic from source ports to analysis port
SPAN	Cisco's Switched Port Analyzer
RSPAN	Remote Switched Port Analyzer

3. Traffic Acquisition Tools

Tool	Description
libpcap	UNIX C library for capturing/filtering data link layer frames
WinPcap	Windows version of libpcap
Common Tools	- tcpdump - Wireshark - Snort - nmap - ngrep

4. Tcpdump Features

Feature	Description
Primary Function	Capturing, filtering and analyzing network traffic
Capabilities	- Bit-by-bit traffic capture - Protocol decoding - Hex/ASCII display
Use Cases	- Network troubleshooting - Digital forensics evidence collection

5. Wireshark Features

Feature	Description
Type	Graphical, open-source tool
Functions	- Traffic capture - Filtering - Protocol analysis/decoding

6. Active Acquisition

Aspect	Description
Definition	Direct interaction with live network devices
When Needed	- Device cannot be removed from production - Evidence is volatile

7. External Inspection Methods

Method	Description
Port Scanning	Using tools like nmap to identify open ports and software versions
Vulnerability Scanning	Testing systems for known vulnerabilities (may affect target systems)