>> Digital evidence is the foundation for identifying,capturing, and prosecuting cyber criminals.
What is digital evidence?It's information stored or transmitted in binary form that may be relied on in courtand it's comprised of both data and metadata.
This could include contact information; evidence of malicious attacks on systems; GPS locationand movement records; transmission records, both authorized and unauthorized; system useor abuse; account production and use, either authorized or unauthorized;correspondence records; and content like images and files.
This evidence can potentially answer common questions.
It can gather information about individuals.
Who? Determine events that transpired.
What? Identify which systems and networks were affected.
Where? Construct a timeline.
When? And discover tools and exploits used.
How? Sometimes the evidence can even reveal motivations of the attackers.
Why? Where can you glean this evidence?Well, different cyber crimes result in different types of digital evidence.
Computer hackers may leave evidence of their activities in log files.
Cyber stalkers use email to harass their victims.
Child pornographers have digitized images stored on their computers.
Host-based information on computing devices can include both volatile data stored in RAMwhich is lost when there's no power, and non-volatile data on the hard drivewhich stays when there's no power.
Optical discs and removal devices could also contain artifacts and remnantsof significance for the investigator.
Network data can consist of either live traffic, stored communications, or server logs.
It can contain information that might be useful to the forensic investigator.
In fact, there is so much potential information in these log files and stored communications.
Due diligence requires the investigator to look at as much of this information as possiblebut the sheer volume makes it nearly impossible to examine eachand every source of data in every case.
This is where keyword searches can come into play.
Searching for words that have significance in a particular case.
Common locations of network data include IDS, IPS, and firewall logs, application logs,server logs, HTTP captures, FTP captures, and email.
Evidence transmitted over the internet and storedin the cloud is quite different than a company's network data.
Now you've got third party companies who are in possession of important data on their devices.
These companies like ISP's and major corporations like Microsoft, Apple,and Google are not too eager to hand over informationto private companies conducting investigations or even for law enforcement agencies.
Sometimes for this reason an undercover officer could initiate a chat conversationand save the conversation as evidence.
转载于:https://www.cnblogs.com/sec875/articles/10452757.html
