LESSON 8 DIGITAL FORENSICS part IV

Source: Internet | Published: word for mac login | Editor: 程序博客网 | Time: 2024/05/20 08:02

Continuing the explanation from the previous post.

From this you can start to make some attempts to read a certain type of file. There are a number of file conversion utilities available to you under Linux, and even more available on the Internet, as well as a number of file viewers for various formats. Sometimes it may require more than one step to get to a place where you can really work with the data: try to think laterally!

Occasionally, you will come across files which have been encrypted or password protected. The complication that this presents varies, from encryption that is easily broken to stuff that would even give the NSA (or GCHQ or whatever your local government agency happens to be) a headache. There are again a number of tools available on the Internet that you can use to try to break the encryption on a file. It pays to examine the area surrounding the computer that you are dealing with. People aren't very good at remembering passwords, so it may well be written down somewhere nearby. Common choices for passwords also involve: pets, relatives, dates (marriage, date of birth), telephone numbers, car registrations, and other simple combinations (123456, abcdef, qwerty etc.). People are also reluctant to use more than one or two passwords for everything, so if you can reverse engineer a password on one file or application, try it on the others. It is highly likely to be the same.


Now you can try to view a particular type of file. Under Linux there are many file converters, and on the Internet there are not only file converters but also many file viewers for different file formats. Sometimes it only takes one more step before you can really work with the information: try to think laterally.

Sometimes you will run into files that have been encrypted. The complexity of the encryption varies: some is easy to break, but some would stump even the NSA (or whichever country's security agency you happen to be dealing with). The Internet likewise has tools for trying to break the encryption on a file. It also pays to check the surroundings of the computer being examined. People are not good at remembering passwords, and may well have written them down somewhere nearby. Passwords are usually built from things like: pet names, relatives' names, special dates (wedding dates, birthdays), telephone numbers, car number plates, and other simple combinations (123456, abcdef, qwerty, etc.). People generally do not set many different passwords, so if you have cracked the password on one file or application, try that password on the other encrypted files: it is very likely to be the same.


Exercises:

For these exercises, we will learn about password cracking. While it is legal to crack your own passwords if you forget them, it is not legal in some countries to figure out how something else is encrypted, in order to protect the other material from being cracked.

DVD movies are encrypted to prevent them from being stolen off the DVD and sold. While this is an excellent use of encryption, it is illegal for anyone to research how that encryption is used. This leads to your first exercise:

1. What is "DeCSS" and how does it relate to DVD encryption? Search on "decss" to learn more.

2. Knowing that something is password protected means learning how to open that file. This is known as "cracking" the password. Find information about cracking various types of passwords. To do this, search for "cracking XYZ passwords" where XYZ is the password type you are looking for. Do this for the following password types:

   a. MD5
   b. Adobe PDF
   c. Excel

3. If the encryption method is too strong to be broken, it may be necessary to perform a "dictionary attack" (sometimes known as "brute force"). Find out what a dictionary attack is.


Exercises:

Through these exercises we learn about password cracking. Cracking your own password when you have forgotten it is legal; in some countries, in order to protect material from being stolen, cracking other people's passwords is illegal.

DVD movies are encrypted to prevent others from stealing and selling them. But although encryption has this very important use, working out how the encryption works is illegal for everyone. Here is your first exercise:

1. What is "DeCSS", and how does it relate to DVD encryption? Search the Internet for "decss".

2. Knowing that something is encrypted means trying to find out how to open it. This is called cracking the password. Look up the various ways of cracking passwords. Search the Internet for "cracking xyz passwords", where xyz is the type of password you are looking for. Look up the following password types:

   a. MD5
   b. Adobe PDF
   c. Excel

3. If the password is too hard to crack, try the dictionary-attack method; look up what a dictionary attack is.


8.2.3 Finding a Needle in a Haystack

Commercial forensic software includes powerful search tools that allow you to search for many combinations and permutations of factors. Without these expensive commercial tools you need to be a little more resourceful. Linux provides you with plenty of scope to construct similar tools using standard utilities. The following text details the use of find, grep and strings, and then describes the use of the pipe to combine them.

8.2.3.1 find

              find [path...] [expression]

find is used to locate files meeting certain criteria within the operating system. It is not designed for looking within the files. There must be a million permutations of expressions that can be combined to search for a file.

Exercise:

1. Read the manual page for find. Complete the "Effect" for each "Expression" in the table below. (Hint: where a number is given as an argument, it can be specified as follows: +n for greater than n; -n for less than n; n for exactly n.)


8.2.3 Finding a Needle in a Haystack

Commercial forensic software includes powerful search tools that can search for many combinations and permutations of factors. Without these expensive commercial tools, you have to use your head a little. Under Linux you can build similar search tools out of standard utilities. The text below tells you how to use find, grep and strings, and how to combine them with a pipe.

8.2.3.1 find

            find [path...] [expression]

find is the operating-system tool for locating files that meet particular criteria. find is not a tool for searching inside files. There must be tens of thousands of expressions that can be used to search for a file.

Exercise:

1. Read the find manual page and complete the table below. (Hint: where a number is given as an argument, it means the following: +n: greater than n; -n: less than n; n: exactly n.)
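As an added example, not part of the lesson, the following POSIX shell script builds a small constructed directory tree with files of known size and age and counts what find's +n, -n and n tests select; it goes slightly beyond the hint by also showing the k size suffix and -mtime. All file names, sizes and dates are constructed.

```shell
#!/bin/sh
# Added example (not from the lesson): constructed tree of files with known
# sizes and ages, then count what find's numeric tests select.
# +n means "greater than n", -n "less than n", n "exactly n". find rounds a
# size UP to whole units (512-byte blocks by default) and -mtime measures age
# in whole 24-hour periods.
set -eu

# fill FILE BYTES: create FILE containing exactly BYTES bytes (spaces).
fill() { printf "%${2}s" '' > "$1"; }

# make_sample DIR: constructed evidence tree (sizes given in 512-byte blocks).
make_sample() {
    mkdir -p "$1/logs" "$1/docs"
    fill "$1/logs/one_block.log"    512    # 1 block
    fill "$1/logs/three_blocks.log" 1536   # 3 blocks
    fill "$1/docs/ten_blocks.bin"   5120   # 10 blocks
    : > "$1/docs/empty.txt"                 # 0 blocks
    # Backdate two files so -mtime +n separates old from recent (POSIX -t).
    touch -t 202001010000 "$1/logs/one_block.log" "$1/docs/ten_blocks.bin"
}

# count_files DIR EXPR...: number of regular files under DIR matching EXPR.
count_files() {
    dir=$1; shift
    find "$dir" -type f "$@" | wc -l | tr -d ' '
}

# demo_find: print each test beside how many constructed files it selects.
demo_find() {
    d=$(mktemp -d)
    make_sample "$d"
    for expr in '-size +2' '-size -2' '-size 3' '-size +4k' \
                '-mtime +7' '-mtime -1'; do
        # word-splitting of $expr into separate find arguments is intended
        printf '%-12s -> %s file(s)\n' "$expr" "$(count_files "$d" $expr)"
    done
    rm -rf "$d"
}

demo_find
```

On the constructed tree, -size +2 and -size -2 each select two files, -size 3 exactly one, and -mtime +7 only the two backdated files.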
