LESSON 8 DIGITAL FORENSICS part VI

Source: Internet  Published by: 网络水军群  Editor: 程序博客网  Time: 2024/05/17 04:57

8.2.4 Making use of other sources
There are many other interesting ways of examining how a computer has been used. Nearly
every application that gets run will record some additional data beyond the files that it
directly takes in, or files that it puts out. This could include temporary files for processing, lists of
last accessed files or the history of a web-browser.
Exercises:
1. What is browser cache? Find the location where your web browser stores its cache.
2. What are browser cookies? Find the location where your web browser stores its cookies.
3. Search for information about web browser cookies. What kinds of cookies are there and
what kind of information is stored in them?
4. Your computer uses temporary directories where it writes files by default for the user. This is
often known as Application Data. Find the temporary directories you have available on
your computer. While they may be called tmp or temp, there are often many more that you
don't know about. Try FIND on files written with today's date as a great way to find temporary
files. Do those files disappear when you reboot the computer?

 

8.2.4 Making use of other resources

There are other ways to examine how a computer has been used. Nearly every program that runs records information beyond the files it uses while running. This information includes temporary files created during execution, the files last accessed, and the browser's browsing history.

Exercises:

1. What is the browser cache? Find where your browser's cache is stored on your computer.

2. What are browser cookies? Find where your browser stores cookies on your computer.

3. Look up information about browser cookies. What kinds of cookies are there, and what kind of information does each of them store?

4. Your computer creates temporary folders in which it records files for the user by default. These are also called Application Data. Find the temporary folders on your computer; they may be called "tmp" or "temp", and usually there are many more temporary folders on the computer that you don't know about. Try using your computer's file search to find the files written today. Do these files disappear when you restart the computer?

 

8.3 Network Forensics
8.3.0 Introduction
Network forensics is used to find out where a computer is located and to prove whether a
particular file was sent from a particular computer. While network forensics can be very
complicated, we will cover some of the basics that can be applied to everyday life.
8.3.1 Firewall Logs
Who's connecting to me? The firewall is a utility which can choke connections between two
points in a network. Many types of firewalls exist. Regardless of the type and job of the
firewall, it is the firewall logs which give you the details. Only by using the logs can you find
patterns of attacks and abuse against your firewall.

 

8.3 Network Forensics (none of the preceding used this translation, and I really didn't know how best to translate this term; looking it up today I found this one is better, so I'll use it from now on~~~)

8.3.0 Introduction

Network forensics is used to determine where a computer is located and then to determine whether a certain computer is receiving a certain file. Because network forensics is very complicated, we will introduce a few basics that can be used in everyday life.

8.3.1 Firewall Logs

Who has connected to me? A firewall can block the connection between two computers on a network. There are many kinds of firewalls; regardless of the firewall's type and function, it is the firewall logs that give you more detailed information. Only through the logs can you discover attacks made against the firewall on your computer.

 

Exercises:
1. Visit the website http://www.dshield.org. This website takes firewall logs from all over the
world to find patterns of network attack attempts. This helps security professionals verify
whether the networks they are protecting are vulnerable to those particular attacks before
they happen. Read through the website and explain how that pie graph of the world is
made and what it means.
2. On the same website, read through the "Fight back" section and the response e-mails they
receive. Explain the purpose of this.
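The kind of first pass a defender makes over firewall logs to find the "patterns of attacks and abuse" the section describes, and which sites like DShield do at scale: group dropped connections by source address and look at how many distinct ports each source touched. This is an added example, not part of the lesson; the log lines are a constructed iptables-style sample and all addresses are hypothetical (RFC 5737 documentation ranges).

```python
import re
from collections import Counter, defaultdict

# Constructed sample in an iptables/netfilter logging style; hosts and addresses are hypothetical.
SAMPLE_LOG = """\
May 17 04:57:01 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
May 17 04:57:02 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
May 17 04:57:02 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=445
May 17 04:57:03 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=3389
May 17 04:57:09 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22
May 17 04:57:10 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22
May 17 04:57:11 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=22
May 17 04:57:20 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.44 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
"""
# Pull out the source address, protocol and destination port of each dropped packet.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_drops(text):
    """Yield (src, proto, dport) for every line that matches the drop format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto"), int(m.group("dpt"))

def summarize(text):
    """Per source: total drops and the sorted set of destination ports it touched."""
    hits = Counter()
    ports = defaultdict(set)
    for src, _proto, dport in parse_drops(text):
        hits[src] += 1
        ports[src].add(dport)
    return {src: {"drops": n, "ports": sorted(ports[src])} for src, n in hits.items()}

def classify(summary, min_ports=3, min_hits=3):
    """Label sources: 'scan' = many distinct ports, 'repeat' = hammering one port,
    anything else is 'noise' (thresholds are illustrative, tune them to your network)."""
    labels = {}
    for src, info in summary.items():
        if len(info["ports"]) >= min_ports:
            labels[src] = "scan"
        elif info["drops"] >= min_hits:
            labels[src] = "repeat"
        else:
            labels[src] = "noise"
    return labels

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, label in classify(s).items():
        print(f"{src:15} {label:7} drops={s[src]['drops']} ports={s[src]['ports']}")
```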

 

Exercises:

1. Visit http://www.dshield.org. This website receives firewall logs sent from all over the world and identifies patterns of network attacks. This helps security experts change their defensive measures to protect the network before an attack succeeds. Browse the website and explain how that pie chart of the world is made and what it means.

2. On the same website, read the "Fight back" section and the e-mails it receives. Explain the purpose of doing this.

 

8.3.2 Mail Headers
E-mails come with information about every computer they pass through to get to you. This is kept
in the headers. Sometimes even more information is in the headers. To view the headers,
however, is not always so simple. Various mail clients will all have different ways to view this.
The real trick to reading headers, though, is to know they are backwards. The top of the list is
you. Then it travels back one hop with each line until the very last line is the computer or network that
the mail was sent from.
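Reading the headers "backwards" as described above, as an added example that is not part of the lesson: each relay prepends its own Received: line, so reversing the list gives the path from the first relay to your server, and comparing each hop's "from" host with the previous hop's "by" host shows where the chain breaks. The message is constructed; all hosts and addresses are hypothetical (RFC 5737 ranges) and the `continuity_gaps` check is this example's own.

```python
import re
from email import message_from_string

# Constructed sample message; every host and address is hypothetical.
# Each relay prepends its Received: line, so the hop nearest you is at the top.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.25])
    by mail.example.org with ESMTP id AAA111; Fri, 17 May 2024 04:57:10 +0000
Received: from relay.example.com (relay.example.com [198.51.100.9])
    by mx.example.net with ESMTP id BBB222; Fri, 17 May 2024 04:57:05 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
    by relay.example.com with SMTP id CCC333; Fri, 17 May 2024 04:56:58 +0000
From: someone@example.com
To: you@example.org
Subject: constructed sample

body
"""
# "from" is the name the sending host claimed (easily forged); the parenthesised part is
# what the receiving server actually observed; "by" is the receiving server itself.
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)(?:\s+\((?P<observed>[^)]*)\))?\s+by\s+(?P<by>\S+)"
    r".*?(?:;\s*(?P<date>.*))?$"
)

def parse_hop(value):
    """Parse one Received: value (folded whitespace collapsed) into a dict of fields."""
    flat = " ".join(value.split())
    m = HOP_RE.search(flat)
    if not m:
        return {"raw": flat}
    return {k: (v or "") for k, v in m.groupdict().items()}

def received_chain(raw_message):
    """Hops in travel order: first relay (sender side) first, your own server last."""
    msg = message_from_string(raw_message)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    return list(reversed(hops))

def continuity_gaps(chain):
    """Indexes of hops whose claimed 'from' host differs from the previous hop's 'by' host.
    A gap means a relay's record is missing or a header was inserted by hand."""
    return [i for i in range(1, len(chain))
            if chain[i].get("claimed") != chain[i - 1].get("by")]

if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_MESSAGE)):
        print(f"hop {i}: {hop.get('claimed')} -> {hop.get('by')} at {hop.get('date')}")
```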
Exercises:
1. A great resource focused on network forensics for fighting SPAM is
http://www.samspade.org. Visit SamSpade.org and go to the section called "The Library".
Using this section you should be able to explain how to read e-mail headers. You should also
read about forged e-mail headers and e-mail abuse. Explain the various ways e-mail can be
used to cause harm.
2. Determine how to look at your e-mail headers in the e-mails you receive. Are there any
particular fields in those headers that seem foreign to you? Look them up. You should be
able to explain what each field means in that header.

 

8.3.2 Mail Headers

E-mails carry information about the computers that sent this e-mail to you. This information is contained in the mail headers. Sometimes the headers contain even more information, and viewing this header information is not always simple. Different mail clients require different ways of viewing the information. The cleverest way to read headers is to know that they are in reverse order. The head of these data strings is your computer; then the strings are passed on one line at a time, all the way to the last string.

Exercises:

1. http://www.samspade.org contains a large amount of network forensics material on fighting SPAM. After visiting SamSpade.org, go to "The Library" section; with the knowledge from this section you will be able to read e-mail headers. You should also read about forged e-mail headers and the headers of junk mail. Describe the various ways e-mail can be used to attack computers.

2. How do you view e-mail headers? Are there any fields in the header that are unfamiliar to you? Look them up. That way you will understand more deeply what each part of the header means.

 

Further Reading
The following links are in English.
http://www.honeynet.org/papers/forensics/
http://www.honeynet.org/misc/chall.html - Some forensic exercises.
http://www.porcupine.org/forensics/ - The classics
http://www.computerforensics.net/
http://www.guidancesoftware.com/corporate/whitepapers/index.shtm#EFE
http://www.forensicfocus.com/
http://www.securityfocus.com/infocus/1679
http://www.linuxsecurity.com/feature_stories/feature_story-139.html
http://www.linuxsecurity.com/feature_stories/feature_story-140.html
http://www.securityfocus.com/incidents
http://staff.washington.edu/dittrich/talks/blackhat/blackhat/forensics.html
http://www.openforensics.org/
http://fire.dmzs.com/
http://www.sleuthkit.org/
http://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm