Practical Digital Forensics

实用数字取证(作者、审稿人，前言)

Get started with the art and science of digital forensics with this practical, hands-on guide!

——带你走近数字取证的科学与艺术

理查德·伯丁顿（Richard Boddington）

Copyright © 2016 Packt Publishing All rights reserved.

首次出版：2016.05

ISBN 978-1-78588-710-9

https://www.packtpub.com/

About the Author

关于作者

Richard Boddington commenced general policing with the London Metropolitan Police in 1968 and joined the Royal Hong Kong Police in 1971, later serving as a chief inspector in the Special Branch. In 1980, Richard moved to Australia and worked as a desk offier and case offier with the Australian Security Intelligence Organization. He later worked in several federal and state government agencies, including the Western Australia Department of Treasury and Finance, as a senior intelligence offier.

理查德·伯丁顿( Richard Boddington )，1968年入职伦敦警局，1971年加入香港皇家警察，随后在政治保安处担任总督察。1980年移居澳大利亚，在澳大利亚安全情报组织负责管理和案件承办。此后，作为高级情报官，他还在数个联邦和州政府机构工作过，包括西澳大利亚财政部。

In 2008, he commenced developing and coordinating information security and digital forensics undergraduate and postgraduate courses at Murdoch University, where he was responsible for the creation of a digital forensic and information security degree offering. He provided a unique online virtual digital forensics unit for postgraduate students at the University of Western Australia in 2014.

2008年，他开始在默多克大学发展与协调信息安全与数字取证本科及研究生课程，负责创立数字取证和信息安全学位。2014年，他为西澳大利亚大学的研究生提供了独特的在线虚拟数字取证单元。

Between 1991 and 2015, Richard was a security analyst and digital forensic practitioner, providing independent consultancy services for legal practitioners and organizations requiring independent digital forensic examinations and reports. This included analyzing case evidence in criminal and civil cases heard at Magistrate, District and Commonwealth Courts. His work included the compilation of digital forensic reports and testifying as an expert witness on complex technical matters to assist the jury in understanding digital evidence presented during trial.

1991到2015年间，理查德是一名安全分析师和数字取证实践者，为需要独立数字取证核查及报告的法务人员和组织提供独立咨询服务。这包括分析在治安官、地方和联邦法庭处接办的刑事及民事案件证据。他的工作包括编译数字取证报告，以及作为专家证人在复杂技术问题上辅助法官理解审理过程中呈交的数字证据。

Recent forensic examinations undertaken by him include analyzing digital evidence recovered from computers, mobile phones, and other digital devices and then preparing expert testimony relating to a broad range of criminal and civil cases, including:

• Child pornography and child exploitation

• Cyberstalking

• Aggravated burglary and false imprisonment

• Analysis of CCTV video digital evidence of assault and rape cases

• Alleged homicide, suicide, and other crimes of violence

• Bomb threats

• Family law disputes and Australian Vietnamese Relief Organization (AVRO) breaches

• Workers' compensation disputes

• Suspected forgery or manipulation of digital video and mobile phone evidence

• Industrial espionage and sabotage and intellectual property theft

他最近的取证审查包括分析从计算机、手机和其他数字设备中恢复的数字证据，然后准备与各种刑事和民事案件相关的专家证词。案件类型包括：

• 儿童色情和童工剥削
• 网络骚扰
• 入室行窃和非法拘禁
• 非礼及强奸案监控视频数字证据的分析
• 他杀、自杀和其他暴力犯罪
• 炸弹威胁
• 家庭法律争端和澳大利亚越南救援组织数据泄露
• 工人补偿纷争
• 数字视频和手机证据造假或篡改
• 工业间谍和破坏活动，以及知识产权窃取

Since 2015, Richard has continued his digital forensics examinations on behalf of TSW Analytical Pty Ltd in Western Australia, where he now heads the Digital Forensics and Data Recovery Team.

2015年起，理查德为西澳大利亚的 TSW Analytical 有限公司继续从事数字取证审查工作，目前是该公司数字取证和数据恢复团队负责人。

He is also the General Manager for Research and Training at eReveal Technologies Pty Ltd (TSW Global Company) and is responsible for designing and coordinating online digital forensics, multimedia forensics, and e-discovery training courses for a broad range of organizations.

他还是eReveal技术有限公司(TSW全球公司)研究与培训部总经理，负责为各类组织设计和协调在线数字取证、多媒体取证，以及电子发现培训课程。

Richard is presently developing online digital forensics and e-discovery academic postgraduate course for the evolving Institute for Applied Forensic Science, associated with TSW Analytical, as part of broader postgraduate forensic course offerings in Australasia and overseas.

理查德目前在为不断发展的应用法医学研究所(与TSW Analytical 相关)，开发在线数字取证和电子发现学术研究生课程——作为大洋洲和海外研究生取证课程的一部分。

In 2010, Richard authored two digital forensics chapters in Digital Business Security Development: Management Technologies. He has also written a number of journal articles on the validation of digital evidence, his ongoing research area.

2010年，理查德为《数字业务安全发展：管理技术》贡献了两章数字取证内容。他还撰写了数字证据验证方面的一系列期刊文章，这是他仍在延续的研究领域。

In 2015, he authored an online video cast series, Emerging Forensic Tools for Locating and Analyzing Digital Evidence, on behalf of IGI Global Video Lecture E-Access Videos (http://www.igi-global.com/video/emerging-forensic-tools-locating-analyzing/134946).

2015年，他以IGI全球视频讲座电子访问视频的名义，编撰了在线播客系列《定位和分析数字证据的新兴取证工具》。(http://www.igi-global.com/video/emerging-forensic-tools-locating-analyzing/134946)。

About the Reviewer

关于审稿人

Colin J. Armstrong has extensive business experience in communications and information technology, information systems and services, security, and forensic science education, spanning the aviation, transport, hotel and catering, tertiary education, and charitable industries. His experience derives not only from industry roles, but studies acquiring bachelor, masters, and doctoral degrees, participation in the Australian Standards Expert Committee, memberships to various professional industry bodies, board memberships, and company directorships.

科林·J·阿姆斯特朗( Colin J. Armstrong )，在通信、信息技术、信息系统与服务、安全，以及取证科学教育上具广泛业务经验，横跨航空航天、交通运输、酒店餐饮、高等教育和慈善行业。他的经验不仅来自于行业角色，还来自于其本科、硕士和博士学位获取过程中的学习，在澳大利亚标准专家委员会中的活跃，各种职业行业组织、董事会及公司领导层的参与。

Preface

前言

This book will provide you with a clear understanding of digital forensics, from its relatively recent emergence as a sub-discipline of forensics to its rapidly growing importance alongside the more established forensic disciplines. It will enable you to gain a clear understanding of the role of digital forensics practitioners and their vital work in cybercrime and corporate environments, where they recover evidence of criminal offences and civil transgressions. Examples of real case studies of digital crime scenes will help you understand the complexity typical of many cases and the challenges digital evidence analysis poses to practitioners.

本书为你提供对数字取证的清晰理解，从其作为取证亚学科的兴起，到其重要性快速增长，直至成为更为确立的取证科学。本书将带你深入了解数字取证从业者的角色，及其在网络犯罪和企业环境中至关重要的工作——恢复刑事犯罪和民事违法行为中的证据。书中数字犯罪现场的真实案例研究，将让你了解到很多案例中典型的复杂性，以及数字证据分析给从业者带来的挑战。

During the past 10 years or so, there has been a growing interest in digital forensics as part of tertiary courses and as a career path in law enforcement and corporate investigations. New technologies and forensic processes have developed to meet the growing number of cases relying on digital evidence. However, it has been apparent that the increasing complexity, size, and number of cases is creating problems for practitioners, who also face resource and costing restrictions and a shortage of well-trained and experienced personnel. The book will describe these challenges and offer some solutions, which hopefully will assist and empower current and prospective practitioners to manage problems more effectively in the future.

过去十几年里，作为高等教育课程的一部分，作为司法及企业调查的职业路线，人们对数字取证的兴趣在持续上升。而随着依赖数字证据的案件数量不断增长，新技术及新取证过程被不断开发出来。然而，很明显，一路飙升的案件数量、规模和复杂度，同样给从业者制造了很多麻烦，而且他们还面临着资源和开销的限制，训练有素经验丰富的人员也呈现短缺状态。本书将描述这些问题和挑战，并提供一些解决方案，希望能帮助当前和未来的数字取证实践者，在未来更有效地解决问题。

These are truly exciting and challenging times for practitioners seeking to enhance their skills and experience in recovering evidence and assisting the legal fraternity in making sense of their important fidings. For those wishing to enter the discipline, they do so at a time when banality, complacency, and fatigue are disappointingly quite common. The enthusiasm of entering the profession can rapidly dissipate because of tedium and heavy caseloads, notwithstanding the inherently exciting and important nature of the work. Presented in this book are new and more effective ways to reduce tedium and time wastage, reinvigorate practitioners, and restore the excitement of the hunt for evidence heralded by fresh winds of change.

寻求通过修复证据和辅助司法界确立证据，以强化自身技术与经验的数字取证从业者，会遇到很多令人兴奋又充满挑战的时候。对想要进入该学科的人而言，当陈词滥调、自鸣得意、身心俱疲变得令人沮丧地普遍的时候，他们就摸到数字取证的门槛了。进入该职业的激情，会随单调而繁重的工作量迅速消退，尽管该工作的本质是令人兴奋而又举足轻重的。本书中呈现的，是更为有效的新方法，可以减少枯燥和时间浪费，让实践者重新振作，恢复狩猎变革之风所预示证据的兴奋感。

What this book covers

本书内容

Chapter 1, The Role of Digital Forensics and Its Environment, describes the digital forensics environment—an emerging discipline within the broader fild of forensic science. It outlines the main digital forensics environments of criminal and civil law cases and describes the role of digital forensics practitioners.

第1章，“数字取证的角色及其环境”，描述了数字取证所处环境——鉴证科学领域的新兴学科。本章概括了刑事和民事案件的主要数字取证环境，描述了数字取证实践者的角色职能。

Chapter 2, Hardware and Software Environments, presents the basic working of computer hardware, operating systems, and application software and describes the nature of recovered digital evidence. A basic introduction to fiesystems and files commonly recovered during forensics examination is given as well as an insight into file encryption and password protection.

第2章，“硬件和软件环境”，展现计算机硬件、操作系统和应用软件的基本运行机制，描述被恢复出来的数字证据的本质。本章给出了通常在取证调查过程中恢复出来的文件系统和文件的一个基本介绍，并带领读者一探文件加密和口令保护机制。

Chapter 3, The Nature and Special Properties of Digital Evidence, describes the special characteristics of digital evidence, including the nature of files, file metadata, and timestamps, which form an essential part in the reconstruction of suspected offences.The complex nature of digital evidence is introduced, and the expectations of the courts as to its admissibility in legal hearings is explained.

第3章，“数字证据特殊属性的本质”，描述数字证据的特殊属性，包括文件、文件元数据和时间戳的本质——涉嫌罪行重建的一个基本组成部分。本章介绍了数字证据的复杂本质，解释了法庭对于其在法律听证会上被采纳的期望值。

Chapter 4, Recovering and Preserving Digital Evidence, explains the importance of preserving digital evidence in accordance with legal conventions. It describes forensic recovery processes and tools used to acquire digital evidence without undue contamination under different forensic conditions.

第4章，“恢复和保存数字证据”，解释了根据法律规范保存数字证据的重要性。本章描述了取证恢复过程，以及用于获取数字证据的工具——在不同取证条件下保持证据不被污染。

Chapter 5, The Need for Enhanced Forensic Tools, emphasizes the redundancy of conventional forensic imaging and the indexing of increasingly larger datasets and introduces new forensic processes and tools to assist in sounder evidence recovery and better use of resources. The chapter introduces the disruptive technology now challenging established digital forensic responses and the overreliance on forensic specialists, who are themselves becoming swamped with heavier caseloads and larger, more disparate datasets.

第5章，“加强版取证工具的需求”，强调常规取证镜像冗余，及对愈趋庞大的数据集的索引；介绍新的取证过程及工具，以辅助更加合理的证据恢复和更好的资源利用。对取证专家的过度依赖，让专家们被越来越重的待处理案件量和更大更迥异的数据集所淹没。本章介绍了如今正冲击既定数字取证响应和这种过度依赖的颠覆性技术。

Chapter 6, Selecting and Analyzing Digital Evidence, introduces the structure of digital forensic examinations of digital information through the iterative and interactive stages of selecting and analyzing digital evidence that may be used in legal proceedings. The chapter introduces the stages of digital evidence selection and analysis in line with acceptable forensic standards.

第6章，“选择和分析数字证据”，选择和分析法律程序中可能用到的数字证据，是迭代和互动的阶段。本章便通过该阶段介绍数字取证调查的结构，描述符合可接受取证标准的数字证据选择和分析过程。

Chapter 7, Windows and Other Operating Systems as Sources of Evidence, provides you with an understanding of the complexity and nature of information processed on computers that assist forensic examinations. The chapter looks at the structure of typical Windows, Apple, and other operating systems to facilitate the recreation of key events relating to the presence of recovered digital evidence. It touches on malware attacks and the problems encountered with anti-forensics tactics used by transgressors.

第7章，“Windows和其他操作系统作为证据源”，介绍计算机上处理信息的复杂性和本质，辅助取证调查。本章探讨典型Windows、苹果和其他操作系统的结构，方便重建关键事件，恢复数字证据。恶意软件攻击和案犯采用的反取证策略也有涉及。

Chapter 8, Examining Browsers, E-mails, Messaging Systems, and Mobile Phones, looks at Internet browsers, e-mail and messaging systems, mobile phone and other handheld devices, and the processes of locating and recovering digital evidence relating to records of personal communications such as e-mails, browsing records, and mobile phones. The value of extracting and examining communications between persons of interest stored on computer and mobile phones is described.

第8章，调查浏览器、电子邮件、消息系统和手机，研究互联网浏览器、电子邮件及消息系统、手机及其他手持设备，以及定位与恢复个人通信记录相关数字证据的过程，此类证据包括电子邮件、浏览历史和手机等。对存储在计算机和手机上的疑犯间通信进行跟踪审查的价值，本章也做了描述。

Chapter 9, Validating the Evidence, emphasizes the importance of validating digital evidence to ensure that as thorough as possible an examination of the evidence is undertaken to test its authenticity, relevance, and reliability. Some common pitfalls that diminish the admissibility of digital evidence, as well as the evidentiary weight or value of evidence, are discussed, as is the need for open-minded and unbiased testing and checking of evidence to be a routine matter. The presentation of digital evidence and the role of the forensic expert is outlined in the chapter.

第9章，验证证据，强调数字证据验证的重要性，以确保尽可能彻底地检查证据，测试其真实性、相关性和可靠性。一些降低数字证据可采用性和证明价值的常见陷阱也做了介绍，以便让开放公正的证据测试与核查成为常规。本章还概述了数字证据的呈现和取证专家的角色职能。

Chapter 10, Empowering Practitioners and Other Stakeholders, provides a summary of the book and reflects on the changes presently occurring within the discipline. It offers some new processes and tools that enhance the work of practitioners and reduce the time spent on each case as well as untangling the complexity of analyzing large datasets.

第10章，授权从业者和其他利益相关者，总结全书，反映该学科当前变革。本章提供了一些新过程和工具，用以提升实践者工作效率，减少单位案件耗时，以及解开大型数据集分析复杂性。

What you need for this book

阅读此书你需要什么

No software is required for the book.

无需任何软件。

Who this book is for

本书适合人群

This book is for anyone who wants to get into the field of digital forensics. Prior knowledge of programming languages may be helpful but is not required and is not a compulsory prerequisite. This is a helpful guide for readers contemplating becoming a digital forensic practitioner and others wishing to understand the nature of recovering and preserving digital information that may be required for legal or disciplinary proceedings. The book will appeal to a range of readers requiring a fundamental understanding of this rapidly evolving discipline, including:

本书适合想进入数字鉴证领域的任何人。预先了解编程语言或许有所帮助，但这不是必须的，也不是强制性的先决条件。本书是打算成为数字取证从业者的有用指南，对希望理解恢复与保存法律或纪律程序所需数字信息的其他人也有所帮助。需要对该快速发展的学科有一个基本理解的人士，将发现本书蕴含的吸引力。这些人包括：

• Police, law enforcement, and government investigative bodies

• Corporate investigators

• Banking, business, and forensic auditors

• Security managers and investigators

• IT security professionals

• Taxation compliance investigators

• Defense and intelligence personnel

• The legal fraternity and criminologists

• 警察、司法部门、政府调查机构
• 企业调查员
• 银行、商业和取证审计师
• 安全经理和调查员
• IT安全从业者
• 税务合规调查员
• 国防和情报人员
• 法律援助组织和犯罪学家