EnCase

来自开放百科 - 灰狐
(版本间的差异)
跳转到: 导航, 搜索
 
 
(未显示2个用户的10个中间版本)
第1行: 第1行:
 +
[http://www.iittss.com/kijs Kijs's Blog] |
 +
 +
本WIKI不只是EnCase,而是涉及到所有的取证工具的使用,所以,这里不仅仅有EnCase
 +
 
EnCase  
 
EnCase  
 +
----
 +
EnCase取证版已经成为计算机取证的行业标准工具,用于发现、分析、展示计算机犯罪证据。它被广泛地运用于法 律机构、政府部门、商业集团、顾问咨询公司,为我们提供了强有力的途径,迅速、彻底地鉴定、查找和恢复计算机犯罪证据。   
  
 
在计算机取证过程中,相应的取证工具必不可少,常见的有tcpdump,Argus,NFR,EnCase,tcpwrapper,sniffers,honeypot,Tripwires,Network monitor,镜像工具等。在国外计算机取证过程中比较流行的是镜像工具和专业的取证软件。EnCase是目前使用最为广泛的计算机取证工具,至少超过2000家的去律执行部门在使用它。EnCase是用C++编写的容量大约为1M的程序,它能调查Windows,Macintosh,Anux,Unix或DOS机器的硬盘,把硬盘中的文件镜像或只读的证据文件。这样可以防止调查人员修改数居而使其成为无效的证据。为了确定镜像数据与原的数据相同。EnCase会与计算机CRC校验码和MD5台希值进行比较。EnCase对硬盘驱动镜像后重新组织文件结构,采用Windows GUI显示文件的内容。允许调查员使用多个工具完成多个任务。   在检查一个硬盘驱动时,EnCase深入操作系统底层查看所有的数据——包括file slack.未分配的空司和Windows交换分区(存有被删除的文件和其它潜生的证据)的数据。在显示文件方面,EnCase可以由多种标准,如时间戳或文件扩展名来排序。此外.EnCase可以比较已知扩展名的文件签名。使得调查人员能确定用户是否通过改变文件扩展名来隐藏证据。对调查结果可以采用html或文本方式显示,并可打印出来。
 
在计算机取证过程中,相应的取证工具必不可少,常见的有tcpdump,Argus,NFR,EnCase,tcpwrapper,sniffers,honeypot,Tripwires,Network monitor,镜像工具等。在国外计算机取证过程中比较流行的是镜像工具和专业的取证软件。EnCase是目前使用最为广泛的计算机取证工具,至少超过2000家的去律执行部门在使用它。EnCase是用C++编写的容量大约为1M的程序,它能调查Windows,Macintosh,Anux,Unix或DOS机器的硬盘,把硬盘中的文件镜像或只读的证据文件。这样可以防止调查人员修改数居而使其成为无效的证据。为了确定镜像数据与原的数据相同。EnCase会与计算机CRC校验码和MD5台希值进行比较。EnCase对硬盘驱动镜像后重新组织文件结构,采用Windows GUI显示文件的内容。允许调查员使用多个工具完成多个任务。   在检查一个硬盘驱动时,EnCase深入操作系统底层查看所有的数据——包括file slack.未分配的空司和Windows交换分区(存有被删除的文件和其它潜生的证据)的数据。在显示文件方面,EnCase可以由多种标准,如时间戳或文件扩展名来排序。此外.EnCase可以比较已知扩展名的文件签名。使得调查人员能确定用户是否通过改变文件扩展名来隐藏证据。对调查结果可以采用html或文本方式显示,并可打印出来。
 +
 +
 +
File Format
 +
----
 +
Perhaps the de facto standard for forensic analyses in law enforcement, Guidance Software's EnCase Forensic encase} uses a proprietary format for images, reportedly based on ASR Data's Expert Witness Compression Format. EnCase's Evidence File .E01) format contains a physical bitstream of an acquired disk, prefixed with a '"Case Info" header, interlaced with CRCs for every block of 64 sectors~(32 KB), and followed by a footer containing an MD5 hash for the entire bitstream. Contained in the header are the date and time of acquisition, an examiner's name, notes on the acquisition, and an optional password; the header concludes with its own CRC.
 +
 +
Encase can store media dat into multiple evidence files, which are called segment files. Each segment file consist of multiple sections. Each section consist of a section start definition. This contains a section type.
 +
 +
At least from Encase 3 the case info header is contained in the "header" section, which is defined twice within the file and contain the same information.
 +
 +
With Encase 4 an additional "header2" section was added. The "header" section now appears only once, but the new "header2" section twice.
 +
 +
Version 3 of The Encase F introduced an "error2" sections that it uses to record the location and number of bad sector chunks. The way it handles the sections it can't read is that those areas are filled with zero. Then Encase displays to the user the areas that could not be read when the image was acquired. The granularity of unreadable chunks appears to be 32K.
 +
 +
Within Encase 5 the amount of sectors per block (chunk) can vary.
 +
 +
Encase from at least in version 3, 4 and 5 can hash the data of the media it acquires. It does this by calculating a MD5 hash of the original media data and adds a hash section to the last of the segment files.
 +
 +
External Links
 +
----
 +
EnCase Homepage - http://www.guidancesoftware.com/lawenforcement/ef_index.asp
 +
 +
Encase AOP Framework
 +
----
 +
http://theagiledeveloper.com/articles/Encase.aspx
 +
 +
[http://www.foolmoon.net/security/wft/ Windows Forensic Toolchest (WFT)]
 +
----
 +
 +
[[Category:Security]]

2010年8月20日 (五) 05:22的最后版本

Kijs's Blog |

本WIKI不只是EnCase,而是涉及到所有的取证工具的使用,所以,这里不仅仅有EnCase

EnCase


EnCase取证版已经成为计算机取证的行业标准工具,用于发现、分析、展示计算机犯罪证据。它被广泛地运用于法 律机构、政府部门、商业集团、顾问咨询公司,为我们提供了强有力的途径,迅速、彻底地鉴定、查找和恢复计算机犯罪证据。   

在计算机取证过程中,相应的取证工具必不可少,常见的有tcpdump,Argus,NFR,EnCase,tcpwrapper,sniffers,honeypot,Tripwires,Network monitor,镜像工具等。在国外计算机取证过程中比较流行的是镜像工具和专业的取证软件。EnCase是目前使用最为广泛的计算机取证工具,至少超过2000家的去律执行部门在使用它。EnCase是用C++编写的容量大约为1M的程序,它能调查Windows,Macintosh,Anux,Unix或DOS机器的硬盘,把硬盘中的文件镜像或只读的证据文件。这样可以防止调查人员修改数居而使其成为无效的证据。为了确定镜像数据与原的数据相同。EnCase会与计算机CRC校验码和MD5台希值进行比较。EnCase对硬盘驱动镜像后重新组织文件结构,采用Windows GUI显示文件的内容。允许调查员使用多个工具完成多个任务。   在检查一个硬盘驱动时,EnCase深入操作系统底层查看所有的数据——包括file slack.未分配的空司和Windows交换分区(存有被删除的文件和其它潜生的证据)的数据。在显示文件方面,EnCase可以由多种标准,如时间戳或文件扩展名来排序。此外.EnCase可以比较已知扩展名的文件签名。使得调查人员能确定用户是否通过改变文件扩展名来隐藏证据。对调查结果可以采用html或文本方式显示,并可打印出来。


File Format


Perhaps the de facto standard for forensic analyses in law enforcement, Guidance Software's EnCase Forensic encase} uses a proprietary format for images, reportedly based on ASR Data's Expert Witness Compression Format. EnCase's Evidence File .E01) format contains a physical bitstream of an acquired disk, prefixed with a '"Case Info" header, interlaced with CRCs for every block of 64 sectors~(32 KB), and followed by a footer containing an MD5 hash for the entire bitstream. Contained in the header are the date and time of acquisition, an examiner's name, notes on the acquisition, and an optional password; the header concludes with its own CRC.

Encase can store media dat into multiple evidence files, which are called segment files. Each segment file consist of multiple sections. Each section consist of a section start definition. This contains a section type.

At least from Encase 3 the case info header is contained in the "header" section, which is defined twice within the file and contain the same information.

With Encase 4 an additional "header2" section was added. The "header" section now appears only once, but the new "header2" section twice.

Version 3 of The Encase F introduced an "error2" sections that it uses to record the location and number of bad sector chunks. The way it handles the sections it can't read is that those areas are filled with zero. Then Encase displays to the user the areas that could not be read when the image was acquired. The granularity of unreadable chunks appears to be 32K.

Within Encase 5 the amount of sectors per block (chunk) can vary.

Encase from at least in version 3, 4 and 5 can hash the data of the media it acquires. It does this by calculating a MD5 hash of the original media data and adds a hash section to the last of the segment files.

External Links


EnCase Homepage - http://www.guidancesoftware.com/lawenforcement/ef_index.asp

Encase AOP Framework


http://theagiledeveloper.com/articles/Encase.aspx

Windows Forensic Toolchest (WFT)


分享您的观点
个人工具
名字空间

变换
操作
导航
工具箱