论计算机取证及其规范
|
摘要
计算机取证诞生于上世纪60年代。美国等西方发达国家于上世纪80年代就已着手开始研究计算机取证,在取证思想、理论、技术、方法等方面现已取得不少成果。现在美国绝大多数法律部门拥有自己的计算机取证实验室,经过资格认证的取证专家运用专门技术,对存储与计算机和相关外设中的潜在电子证据进行识别、收集、保全和分析,提取与计算机违法犯罪活动相关的电子证据,并将这些电子证据呈交法庭,以便为法庭裁决提供证据支持。近年来,我国相关部门已意识到计算机取证的重要性,并开始进行理论探索和取证技术研发,但截至目前,我国对计算机取证的研究仍缺乏系统性。因此,廓清计算机取证的研究范围,通过多层次、多角度的研究,发现并解决我国计算机取证活动存在的问题,对于解决司法实践中计算机违法犯罪案件的“取证难”、“定案难”问题,应对我国计算机违法犯罪案件数量不断攀升的挑战意义重大。
鉴于计算机取证涉及计算机科学、法学、刑事侦查学等学科知识,笔者在撰写本文时从技术、程序和法律角度出发。首先,在比较研究的基础上,归纳提出了计算机取证的概念;其次,对于计算机取证技术的研究,主要界定了计算机取证技术的范围,介绍了一些常用的计算机取证技术,同时也列举了当前比较流行的几种计算机反取证技术,并从微观和宏观层面提出了若干取证对策;再次,对于计算机取证程序的研究,笔者提出了计算机取证程序模型化设计的构想;最后,笔者在研究计算机取证相关法律时,从实体法、程序法和证据法三种角度对计算机取证相关法律进行了分析,并针对我国相关立法存在的问题,提出了具体的完善建议。
具体来讲,全文可分为六个部分。笔者不揣冒昧,开篇概括论述了计算机取证的概念、计算机取证的分类、计算机取证的技术性和法律性要求、计算机取证的研究内容以及国内外计算机取证的研究现状。
计算机取证是指经过资质认证的专业取证人员针对入侵、攻击、破坏计算机信息系统、欺诈等计算机犯罪行为以及民、商事领域存在的利用计算机信息系统和互联网所进行的各种违法活动,对存在于计算机系统和相关外设中的电子数据和信息,运用计算机软硬件技术,按照符合法律规定的程序进行证据识别、收集、保全、分析、归档及出示,以获取足够可靠的、具有说服力的、能够被法庭接受的电子证据的过程;按照取证难易程度的不同可将计算机取证分为一般取证和复杂取证;从取证范围角度出发可将计算机取证分为外围取证和内部取证;从取证时间角度出发可将计算机取证分为事后取证和事中取证;根据取证状态的不同可将计算机取证分为静态取证和动态取证;计算机取证的技术性要求包括:1、不直接对数据进行技术分析,保证数据的原始性;2、在对电子证据进行分析时,要确保用以分析证据的信息网络系统及其辅助设备的绝对安全、可靠;3、分析前对数据进行数字签名;4、对数据获取过程进行详尽、具体的记录并归档等;计算机取证的法律性要求有:取证主体要求、取证程序要求、取证工具要求、取证中相关权利冲突的协调等;计算机取证研究的内容包括:计算机取证技术、取证程序、取证法律、取证工具和计算机取证的规范。
本文第二部分详细介绍了计算机取证技术。根据数字取证研究工作组(DFRWS)提出的框架,计算机取证技术的研究内容包括六个方面:证据识别技术、证据保全技术、证据收集技术、证据检查技术、证据分析技术和证据呈堂技术。在计算机取证活动中常用的技术有:数据复制技术、数据恢(修)复技术、数据解密技术、隐藏数据的显现技术、日志分析技术、对比搜索技术、数据挖掘技术、数据呈堂技术、蜜罐蜜网技术、网络数据包截获技术、攻击源追踪技术、数字摘要技术以及数字签名和数字时间戳技术等。
文章第三部分着重分析了计算机反取证的技术和方法,并提出了若干取证对策;常见的计算机反取证技术即可概括为三类:数据隐藏、数据删除和数据加密。从微观层面看,根据反取证方法的不同,在取证时可采取有针对性的取证策略;从宏观层面思考,反取证的取证对策应着眼以下三个方面:1、取证方式的转变(静态取证+动态取证);2、取证技术的深入研究和革新;3、安全的操作系统的保障。
在本文第四部分中,笔者指出了现有几种计算机取证程序模型存在的问题,并提出了构建“增强型”计算机取证程序模型的具体方案,同时对该取证程序模型的合理性和实用性进行了论证。
本文第五部分介绍了计算机取证的软件和硬件工具。根据初始研发目的的不同,可将计算机取证软件分为非专用取证软件和专用取证软件;计算机取证的硬件设备主要有:取证硬盘拷贝机和计算机取证勘查箱等。
由于我国对计算机取证的研究起步较晚,到目前为止各方面研究还都不成体系,尤其是在取证程序和取证规范研究方面较为欠缺。因此,笔者在本文最后一部分中分析了国外计算机取证的相关立法,并针对我国现行法律存在的问题,提出了具体的完善建议。笔者认为,借鉴西方发达国家的立法经验,在修订完善我国相关实体法、程序法和证据法的基础上,通过另行制定《计算机取证法》来指导和规范计算机取证,是早日实现我国计算机取证工作标准化、规范化的理想选择。
Computer Forensics emerged in the 1960s.The United States and other developed Western countries began to study Computer Forensics in the 1980s and achieved many results in evidence-collecting ideology,theory,technique and method.Nowadays,the vast majority of legal departments in the United States have their own computer forensic laboratory,computer forensic experts who were authorized to use special technology to extract electronic evidence relating to computer crime and illegal computer activities through recognizing, collecting,preserving and analyzing those potential electronic evidence storage in computer and peripheral devices,after doing this,the experts submit these electronic evidence to the Court to support the Court ruling.In recent years,relevant departments in China have been aware of the importance of Computer Forensics,started theoretical exploration and forensic technology research,but up to now,the research on Compute Forensics is still lack of integrality in China.Therefore,make it clear that what the researching scope of Computer Forensics is,meanwhile,recognize and resolve the problems of Computer Forensics in China through a multi-level and multi-angle study is of great importance to the resolution of "the difficult evidence -collecting" and "the hard verdict" in computer crimes and illegal computer activities in judicial practice,furthermore,it means a lot to deal with the challenge of the unceasingly rising number of these illegal and criminal activities.
In view of Computer Forensics involved in the knowledge of computer science,law and criminal investigation,the author started this article from technical,procedural and legal point.First of all,the author clearly defined what Computer Forensics is basis on comparison research;Secondly,as far as the study on computer forensic technology be concerned,the author mainly confirmed the scope of computer forensic technology,introduced several common computer forensic techniques,discussed some popular anti-forensic skills at present and brought forward a some countermeasures form the micro and macro level;Futhermore,as the Computer Forensics procedure be concerned,the author put forward the model design of Computer Forensics procedure;In the last part of this article,the author analyzed the law relevant to Computer Forensics form the three perspective of substantive law, procedural law and the evidence law,and also made specifically improving proposals in view of the problems of relevant legislation in China.
Specifically speaking,the full text can be divided into six parts.At the very beginning of this dissertation,I started this paper with the concept of Computer Forensics,the classification of Computer Forensics,the technical and legal demand,the content of Computer Forensics researching,as well as the status in quo of Computer Forensics researching in domestic and abroad.
Computer Forensics is a process of recognizing,collecting,preserving, analyzing,archiving and presenting electronic evidence that storaged in computer system and other peripheral devices relating to the activities of intruding,assaulting,destructing information systems of the computer and other computer crimes,as well as the illegal activities executed by using computer system and internet in the civil and commercial field,in this process, professional personnel who were authorized to do Computer Forensics through using software and hardware toolkits according with legal proceedings to obtain reliable and persuasible electronic evidence that can be accepted by the court;Computer Forensics can be divided into general and complex Computer Forensics in accordance with the difficulty level,as well as can be divided into internal and external forensics from the perspective of forensic scope;Furthermore,Computer Forensics can be divided into forensics after the case and forensics in the case according to the difference of forensic time;In addition,Computer Forensics can be divided into static and dynamic forensics according to the distinction of forensic state;The technical requirements of Computer Forensics include:1.don't make directly technical analysis on data to ensure its aboriginality;2.it is necessary to ensure that the absolute security and reliability of the information network system and its ancillary equipment that used in electronic evidence analyzing;3.make digital signature before data analysis;4.give the whole process of Computer Forensics a detail,specific records and archiving,etc;the legal requirements of Computer Forensics are:requirement to the main-body of Computer Forensics,procedural requirement,toolkits requirement,and the coordination of related rights conflict in Computer Forensics;The content of Computer Forensics including:Computer Forensics technology,evidence-gathering procedures,evidence-collecting law,evidence-gathering toolkits and Comput -er Forensics norms.
In the second part,the author introduced Computer Forensics technology specifically.According to the Evidence Research Working Group(DFRWS) framework,the content of Computer Forensics technology research including the six following:evidence identification technology,evidence preservation technology,evidence collection technology,evidence inspection technology, evidence analysis technology and the skill of taking evidence to the court.The technologies commonly used in Computer Forensics are data replication,data recovery/fix,data decryption,hidden data emerging,log analysis,comparison search technology,data mining,data present,honey-pot and honey-network technology,network data packets interception,attack source tracking,digital digest,digital signature and digital time-stamp technology,etc.
The third part of this article focused on the techniques and methods of Computer Anti-Forensics,and put forward a number of countermeasures;the common Computer Anti-Forensics technology can be summed up in three categories:data hiding,data deleting and data encryption.At the micro-level, according with the different anti-forensic methods,the professional personnel can choose the different strategies.Viewing from the macro level,the countermeasures for Computer Anti-Forensics should consider from these three aspects:1.the transformation of forensic ways(combine the static forensics with dynamic forensics);2.In-depth study and successive innovation of Computer Forensics technology;3.the protection of secure operation system.
In partⅣ,the author pointed out the problems existing in current Computer Forensics Process Model,proposed specific scheme for the building of Enhanced Computer Forensics Process Model,discussed the rationality and practicality of this forensic process model.
In the fifth chapter,the author introduced the software and hardware toolkits of Computer Forensics.According to the difference of researching purpose at the initial phase,Computer Forensics software can be divided into non-exclusive software and exclusive software;Computer Forensics hardware devices are mainly the following:Forensic Drive Duplicator and Computer Forensics Investigation Bin,and so on.
Cause of starting late,nowadays,our country's Computer Forensics research is still pre-mature,especially in computer forensic procedure and forensic standardization.Therefore,in the last part of this dissertation,the author analyzed the legislation of foreign countries relating to Computer Forensics and put forward specifically improving proposals with an eye to the problems exist in the current law of China.In my opinion,use the western developed countries' experience for reference,meanwhile,revise and improve our country's relevant substantive law,procedural law and the evidence law, furthermore,enact "Computer Forensics Law" individually to give a guidance and criterion for Computer Forensics are ideal choice to make the target of a standardizing Computer Forensics in China comes true at early days.
鉴于计算机取证涉及计算机科学、法学、刑事侦查学等学科知识,笔者在撰写本文时从技术、程序和法律角度出发。首先,在比较研究的基础上,归纳提出了计算机取证的概念;其次,对于计算机取证技术的研究,主要界定了计算机取证技术的范围,介绍了一些常用的计算机取证技术,同时也列举了当前比较流行的几种计算机反取证技术,并从微观和宏观层面提出了若干取证对策;再次,对于计算机取证程序的研究,笔者提出了计算机取证程序模型化设计的构想;最后,笔者在研究计算机取证相关法律时,从实体法、程序法和证据法三种角度对计算机取证相关法律进行了分析,并针对我国相关立法存在的问题,提出了具体的完善建议。
具体来讲,全文可分为六个部分。笔者不揣冒昧,开篇概括论述了计算机取证的概念、计算机取证的分类、计算机取证的技术性和法律性要求、计算机取证的研究内容以及国内外计算机取证的研究现状。
计算机取证是指经过资质认证的专业取证人员针对入侵、攻击、破坏计算机信息系统、欺诈等计算机犯罪行为以及民、商事领域存在的利用计算机信息系统和互联网所进行的各种违法活动,对存在于计算机系统和相关外设中的电子数据和信息,运用计算机软硬件技术,按照符合法律规定的程序进行证据识别、收集、保全、分析、归档及出示,以获取足够可靠的、具有说服力的、能够被法庭接受的电子证据的过程;按照取证难易程度的不同可将计算机取证分为一般取证和复杂取证;从取证范围角度出发可将计算机取证分为外围取证和内部取证;从取证时间角度出发可将计算机取证分为事后取证和事中取证;根据取证状态的不同可将计算机取证分为静态取证和动态取证;计算机取证的技术性要求包括:1、不直接对数据进行技术分析,保证数据的原始性;2、在对电子证据进行分析时,要确保用以分析证据的信息网络系统及其辅助设备的绝对安全、可靠;3、分析前对数据进行数字签名;4、对数据获取过程进行详尽、具体的记录并归档等;计算机取证的法律性要求有:取证主体要求、取证程序要求、取证工具要求、取证中相关权利冲突的协调等;计算机取证研究的内容包括:计算机取证技术、取证程序、取证法律、取证工具和计算机取证的规范。
本文第二部分详细介绍了计算机取证技术。根据数字取证研究工作组(DFRWS)提出的框架,计算机取证技术的研究内容包括六个方面:证据识别技术、证据保全技术、证据收集技术、证据检查技术、证据分析技术和证据呈堂技术。在计算机取证活动中常用的技术有:数据复制技术、数据恢(修)复技术、数据解密技术、隐藏数据的显现技术、日志分析技术、对比搜索技术、数据挖掘技术、数据呈堂技术、蜜罐蜜网技术、网络数据包截获技术、攻击源追踪技术、数字摘要技术以及数字签名和数字时间戳技术等。
文章第三部分着重分析了计算机反取证的技术和方法,并提出了若干取证对策;常见的计算机反取证技术即可概括为三类:数据隐藏、数据删除和数据加密。从微观层面看,根据反取证方法的不同,在取证时可采取有针对性的取证策略;从宏观层面思考,反取证的取证对策应着眼以下三个方面:1、取证方式的转变(静态取证+动态取证);2、取证技术的深入研究和革新;3、安全的操作系统的保障。
在本文第四部分中,笔者指出了现有几种计算机取证程序模型存在的问题,并提出了构建“增强型”计算机取证程序模型的具体方案,同时对该取证程序模型的合理性和实用性进行了论证。
本文第五部分介绍了计算机取证的软件和硬件工具。根据初始研发目的的不同,可将计算机取证软件分为非专用取证软件和专用取证软件;计算机取证的硬件设备主要有:取证硬盘拷贝机和计算机取证勘查箱等。
由于我国对计算机取证的研究起步较晚,到目前为止各方面研究还都不成体系,尤其是在取证程序和取证规范研究方面较为欠缺。因此,笔者在本文最后一部分中分析了国外计算机取证的相关立法,并针对我国现行法律存在的问题,提出了具体的完善建议。笔者认为,借鉴西方发达国家的立法经验,在修订完善我国相关实体法、程序法和证据法的基础上,通过另行制定《计算机取证法》来指导和规范计算机取证,是早日实现我国计算机取证工作标准化、规范化的理想选择。
Computer Forensics emerged in the 1960s.The United States and other developed Western countries began to study Computer Forensics in the 1980s and achieved many results in evidence-collecting ideology,theory,technique and method.Nowadays,the vast majority of legal departments in the United States have their own computer forensic laboratory,computer forensic experts who were authorized to use special technology to extract electronic evidence relating to computer crime and illegal computer activities through recognizing, collecting,preserving and analyzing those potential electronic evidence storage in computer and peripheral devices,after doing this,the experts submit these electronic evidence to the Court to support the Court ruling.In recent years,relevant departments in China have been aware of the importance of Computer Forensics,started theoretical exploration and forensic technology research,but up to now,the research on Compute Forensics is still lack of integrality in China.Therefore,make it clear that what the researching scope of Computer Forensics is,meanwhile,recognize and resolve the problems of Computer Forensics in China through a multi-level and multi-angle study is of great importance to the resolution of "the difficult evidence -collecting" and "the hard verdict" in computer crimes and illegal computer activities in judicial practice,furthermore,it means a lot to deal with the challenge of the unceasingly rising number of these illegal and criminal activities.
In view of Computer Forensics involved in the knowledge of computer science,law and criminal investigation,the author started this article from technical,procedural and legal point.First of all,the author clearly defined what Computer Forensics is basis on comparison research;Secondly,as far as the study on computer forensic technology be concerned,the author mainly confirmed the scope of computer forensic technology,introduced several common computer forensic techniques,discussed some popular anti-forensic skills at present and brought forward a some countermeasures form the micro and macro level;Futhermore,as the Computer Forensics procedure be concerned,the author put forward the model design of Computer Forensics procedure;In the last part of this article,the author analyzed the law relevant to Computer Forensics form the three perspective of substantive law, procedural law and the evidence law,and also made specifically improving proposals in view of the problems of relevant legislation in China.
Specifically speaking,the full text can be divided into six parts.At the very beginning of this dissertation,I started this paper with the concept of Computer Forensics,the classification of Computer Forensics,the technical and legal demand,the content of Computer Forensics researching,as well as the status in quo of Computer Forensics researching in domestic and abroad.
Computer Forensics is a process of recognizing,collecting,preserving, analyzing,archiving and presenting electronic evidence that storaged in computer system and other peripheral devices relating to the activities of intruding,assaulting,destructing information systems of the computer and other computer crimes,as well as the illegal activities executed by using computer system and internet in the civil and commercial field,in this process, professional personnel who were authorized to do Computer Forensics through using software and hardware toolkits according with legal proceedings to obtain reliable and persuasible electronic evidence that can be accepted by the court;Computer Forensics can be divided into general and complex Computer Forensics in accordance with the difficulty level,as well as can be divided into internal and external forensics from the perspective of forensic scope;Furthermore,Computer Forensics can be divided into forensics after the case and forensics in the case according to the difference of forensic time;In addition,Computer Forensics can be divided into static and dynamic forensics according to the distinction of forensic state;The technical requirements of Computer Forensics include:1.don't make directly technical analysis on data to ensure its aboriginality;2.it is necessary to ensure that the absolute security and reliability of the information network system and its ancillary equipment that used in electronic evidence analyzing;3.make digital signature before data analysis;4.give the whole process of Computer Forensics a detail,specific records and archiving,etc;the legal requirements of Computer Forensics are:requirement to the main-body of Computer Forensics,procedural requirement,toolkits requirement,and the coordination of related rights conflict in Computer Forensics;The content of Computer Forensics including:Computer Forensics technology,evidence-gathering procedures,evidence-collecting law,evidence-gathering toolkits and Comput -er Forensics norms.
In the second part,the author introduced Computer Forensics technology specifically.According to the Evidence Research Working Group(DFRWS) framework,the content of Computer Forensics technology research including the six following:evidence identification technology,evidence preservation technology,evidence collection technology,evidence inspection technology, evidence analysis technology and the skill of taking evidence to the court.The technologies commonly used in Computer Forensics are data replication,data recovery/fix,data decryption,hidden data emerging,log analysis,comparison search technology,data mining,data present,honey-pot and honey-network technology,network data packets interception,attack source tracking,digital digest,digital signature and digital time-stamp technology,etc.
The third part of this article focused on the techniques and methods of Computer Anti-Forensics,and put forward a number of countermeasures;the common Computer Anti-Forensics technology can be summed up in three categories:data hiding,data deleting and data encryption.At the micro-level, according with the different anti-forensic methods,the professional personnel can choose the different strategies.Viewing from the macro level,the countermeasures for Computer Anti-Forensics should consider from these three aspects:1.the transformation of forensic ways(combine the static forensics with dynamic forensics);2.In-depth study and successive innovation of Computer Forensics technology;3.the protection of secure operation system.
In partⅣ,the author pointed out the problems existing in current Computer Forensics Process Model,proposed specific scheme for the building of Enhanced Computer Forensics Process Model,discussed the rationality and practicality of this forensic process model.
In the fifth chapter,the author introduced the software and hardware toolkits of Computer Forensics.According to the difference of researching purpose at the initial phase,Computer Forensics software can be divided into non-exclusive software and exclusive software;Computer Forensics hardware devices are mainly the following:Forensic Drive Duplicator and Computer Forensics Investigation Bin,and so on.
Cause of starting late,nowadays,our country's Computer Forensics research is still pre-mature,especially in computer forensic procedure and forensic standardization.Therefore,in the last part of this dissertation,the author analyzed the legislation of foreign countries relating to Computer Forensics and put forward specifically improving proposals with an eye to the problems exist in the current law of China.In my opinion,use the western developed countries' experience for reference,meanwhile,revise and improve our country's relevant substantive law,procedural law and the evidence law, furthermore,enact "Computer Forensics Law" individually to give a guidance and criterion for Computer Forensics are ideal choice to make the target of a standardizing Computer Forensics in China comes true at early days.
引文
1 本论文是笔者在对已经发表的系列论文系统研究的基础上形成的。这些论文包括:1.《计算机取证相关问题分析》,发表于《新疆警官高等专科学校学报》,2006.12;
2.《个人计算机用户反取证惯用方法简析》,发表于《侦查》,2007.2
3.《数字证据完整性证明方法研究——安全的、可供审计的数字时间戳证明方法》,发表于《吉林公安高等专科学校学报》,2007.4;
4.《增强型计算机取证程序模式的构建》,发表于《上海公安高等专科学校学报》,2007.4;
5.《规范我国计算机取证活动的法律思考》,发表于《中国公共安全》,2007.4;
6.《论电子数据鉴定》,发表于《现代侦查》(第三卷),2008.1;
7《论计算机取证相关问题——现场动态分析,获取“易挥发”数字证据》,发表于《中国司法鉴定》,2008.1;
8《数字证据的收集和保全问题研究——试谈首要响应人员对“脆弱”数字证据的收集和保全》,发表于《云南警官学院学报》,2008.2。
2 See Michael Chissick.Electronic Commerce:Law and Practice,Sweet & Kelman 1999,143-144
3 张西安.论计算机证据的几个问题.人民法院报,2005-09-26
4 董杜骄.论电子证据法律地位.中国当代思想宝库.中国经济出版社,2002
5 赵小敏,陈庆章.打击计算机犯罪新课题——计算机取证技术.http://bbs.chinacissp.com/viewtopic.php?P=60406,2004-05-11
6 陈龙,麦永浩等.计算机取证技术.武汉大学出版社,2007.1-2
7 同注5
8 Joseph Giordano,Chester Maciag.Cyber Forensics:A Military Operation Perspective.International Journal of Digital Evidence,Sum 2002,3-5
9 通常可以聘请专业公证人员进行现场监督、现场摄录像以及现场公证。
10 刘东辉.计算机动态取证技术的研究.计算机系统应用,2005,(9):45
11 尉永青,刘培德.计算机取证技术研究.信息安全,2005,(4):85-86
12 Palme G.A Road Map for Digital Forensic Research.DFRWS Technical Report DTR-T001-01.Nov 2001
13 Carrier B,Eugene H,Spafford.Getting Physical with the Digital Investigation Process.International Journal of Digital Evidence.Fall 2003.5
14 Process C.Mandia K.Incident Response:Investigating Computer Crime.Osborne/McGraw-Hill.2001.49-50
15 Reith Mark,Carr Client,etc.An Examination of Digital Forensic Model.International Journal of Digital Evidence.Fall 2002(Volume 1,issue3):3-6
16 李学军.电子数据与证据.证据学论坛(第二卷).中国检察出版社,2001.444-445;魏士禀.电子合同法理论与实务.北京邮电大学出版社,2001.130
17 这里只是对现有的专用取证软件做了大致的分类,将某一软件工具列入某一类中并不代表在其它过程中就不能用到该工具。如TextSearchPlus也可能用到证据检查中,CRCMD5也可以用到证据保全中等。
18 Noblett M G;Pollitt M,Presley L A.Recovering and Examining Computer Forensic Evidence.Foren-sic Science Communications,2002,2(4)
19 http://www.dfrws.org/2001/dfrws-rm-final.pdf.A Road Map for Digital Forensic Research.DFRWS Technical Report DTR-T001-01 Final.August 7-8,2001:17
20 汪中夏,刘伟.数据恢复高级技术.电子工业出版社,2006:98-99
21 蒋平,黄舒华,杨莉莉.数字取证.北京:清华大学出版社,中国人民公安大学出版社,2007:73
22 DBF数据库文件的修复有以下两种方法:
①使用EXCEL或ACCESS修复,首先用EXCEL或ACCESS导出正确的数据,将其另存为一个同版本的DBF数据表,再通过修改DBF数据表的字段结构,来修正属性,最后重建索引;
②使用Database Desktop、Advanced DBF Repair、DBF Recovery等工具进行修复。
23 电脑硬盘格式化几点须知.http://www.ccw.com.cn/diynew/question/htm2005/20050413_23ZEG.htm,2005-4-13
24 硬盘的十大故障解决办法.http://bbs.cpcw.com/archiver/tid-1126564.html,2007-4-13
25 要检测CMOS中的硬盘类型设置是否正确,检查CMOS中的硬盘类型是否小于实际的硬盘容量。
26 汪中夏,刘伟.数据恢复高级技术.电子工业出版社,2006:57-59
27 每次重启计算机都可能造成交换文件的重写,所以在分析和处理交换文件数据时,切忌重启计算机。
28 聂元铭,曾志,黄燕宏.计算机数据修复与维护.北京:科学出版社,2006:137-140
29 按照技术手段运用的多寡,笔者认为可将隐藏数据分为简单隐藏数据和复杂隐藏数据。简单隐藏数据意指仅利用数据隐藏技术而形成的隐藏数据,复杂隐藏数据是指综合运用数据隐藏技术和其它计算机技术所形成的隐藏数据。
30 任伟,金海.网络取证技术研究.计算机安全,2004,(11):66-67
31 转引自:http://www.qqread.com/foxpro/u742126605.html,2005-12-03
32[加]Jiawei Han.数据挖掘概念与技术.北京:机械工业出版社,2001:14-17
34 主动取证是相对于被动取证而言的,主动取证是计算机不法行为开始之前就已经做好的取证的准备,一旦不法行为开始实施就开始适时取证,而被动取证是指计算机不法行为被发现之后所进行的取证。较之二者,则主动取证的效果较佳。
35 http://www.onlyblog.com/blog/zhongyuyang/archives/2007/6273.html,2007-6-17
36 任伟,金海.网络取证技术研究.计算机安全,2004,(11):66-67
37 http://www.stcsm.gov.cn/learning/lesson/xinxi/20020625/20020625-5.asp,2002-6-25
38 同注37,2002-6-25,5
39 绿色.隐藏加密文件的三个特别方法.CNKI学术期刊网[http://www.cnki.net]
40 王玲,钱华林.计算机取证技术及其发展趋势.软件学报,2003.(9):1642
41 王玲,钱华林.计算机取证技术及其发展趋势.软件学报.2003,(9):164
42 Kevin Mandia & Chris Prosise.Incident Response:Investigating Computer Crime.CRC Press,2001:16-18
43 National Institute of Justice.Electronic Crime Scene Investigation A Guide for First Responders.http://www.nc jrs.org/pdffiles1/nij/187736.pdf,2001-7
44 Mark Reith,Clint Carr and Gregg Gunsch.An Examination of Digital Forensic Models.International Journal of Digital Evidence,2002,(1):3
45 Brian Carrier and Eugene H Spafford.Getting Physical with theInvestigative Process[J].International Journal of Digital Evidence,2003,(2):2,5-6
46 National Institute of Justice.Results from Tools and Technology Working Group,Governors Summit on Cyber crime and Cyber terrorism,Princeton NJ,2002
47 Joseph Migga Kizza.Ethical and Social Issues in the Information Age,Second Edition.Springer,2003
49 孙铁成.计算机犯罪的罪名及其完善.中国法学.1998,(1)
50 赵秉志.计算机与网络犯罪专题整理.北京:中国人民公安大学出版社,2007:66-67
51 这里所讲的毁灭性是指造成计算机系统的崩溃、程序被严重篡改、计算机被劫持、无法对计算机进行任何操作、一个区域的计算机信息网络系统瘫痪等。
52 菲律宾的《电子证据规则》所确立的“拷贝等于原件(规则4——最佳证据规则第2条)”、“证明电子文档真实性的方式(规则5——电子文档的真实性证明第2条)”、“电子文档的证明力条款(规则7)”、“瞬息证据(规则 11第2条)”等规定,在世界电子证据立法领域处于领先地位,具有极大的立法参考价值。
1、聂元明,增志,黄燕宏.计算机数据修复与维修[M].科学出版社,2006
2、汪中夏,刘伟著.数据恢复高级技术[M].电子工业出版社,2006
3、张越今.网络安全与计算机犯罪勘查技术学[M].清华大学出版社,2003
4、常建平.网络安全与计算机犯罪[M].中国人民公安大学出版社,2002
5、[美]纽顿.刑侦高科技犯罪百科全书[M].上海科技文献出版社,2007
6、董玉格.攻击与防护——网络安全与实用防护技术.人民邮电出版社,2002
7、赵秉志.计算机与网络犯罪专题整理[C].中国人民公安大学出版社,2007
8、刘方权.犯罪侦查中对计算机的搜查扣押与电子证据的获取[M].中国检察出版社,2006
9、蒋平,黄淑华,杨莉莉编.数字取证[M].清华大学出版社,中国人民公安大学出版社,2007
10、蒋平,杨莉莉.电子证据[M].清华大学出版社,中国人民公安大学出版社,2007
11、欧陪宗.DOS命令行指令详解与实力应用大全[M].山东电子音像出版社,2007
12、孙锋.BIOS与注册表完全解决方案[M].机械工业出版社,2006
1、杨永川,李岩.电子证据取证技术的研究[J].中国人民公安大学学报(自然科学版).2005,(1)
2、殷联甫.计算机反取证技术研究[J].计算机系统应用.2005,(10)
3、冉晓曼.IP反向追踪技术综述[J].计算机安全.2005,(3)
4、王伟,刘力,徐家旺.计算机取证的技术和方法[J].中国刑事警察.2004,(3)
5、蔡自兴,董纯坚.网络安全技术的探讨[J].信息安全与通讯保密.2005,(12)
6、兰绍江.“电子证据”概述[J].天津市政法管理干部学院学报.2005, (2)
7、谢小剑,李万权.电子证据的收集程序研究[J].黑龙江省政法管理干部学院学报.2004,(5)
8、皮勇.电子证据的搜查扣押措施研究[J].江西公安专科学校学报.2004,(1)
9、蒋占卿,任云凯.计算机案件现场勘查应注意的几个问题[J].中国人民公安大学学报(自然科学版).2005,(1)
10、邓思清.论网络犯罪中电子证据的收集[J].2005,(6)
11、余金灿.美国的电子证据和法庭计算机科学[J].北京人民警察学院学报.2005,(7)
12、周旸,徐远芳.浅析计算机取证技术[J].现代计算机.2006,(3)
13 黄步根.数据恢复与计算机取证[J].计算机安全.2006,(6)
14、黄步根.硬盘数据修复技术[J].江苏公安专科学校学报.1999,(4)
15、张有东,王建东,叶飞跃,陈惠萍,李涛.网络取证及其应用技术研究[J].小型微型计算机系统.2006,(3)
16、王永全.通信网络中犯罪行为的取证技术[J].电信科学.2006,(6)
17、丁丽萍,王永吉.计算机取证相关法律技术问题研究[J].软件学报.2005,16:(2)
18、王玲,钱华林.计算机取证技术及其发展趋势[J].软件学报.2003,14:(9)
19、陈丹.计算机数据恢复浅析[J].吉林师范大学学报.2005,(4)
20、吴晓春.加密技术概念、加密方法以及应用详解[J].中国科技信息.2006,(3)
21、龙丹,周学军,田燕妮.加密文件系统(EFS)技术研究[J].徽计算机信息.2006,(3)
22、于百炼.硬盘磁盘加密技术[J].电气时代.2002,(10)
23、蔡长安.硬盘数据恢复和防护[J].教育信息化.2002,(6)
24、陈红军.田相离.硬盘数据的抢修及防护[J].家庭电子
25、徐国栋,白英彩.加密文件系统在Windows下的实现[J].微型电脑应用.2006,(5)
26、李冬静,蒋平.攻击源追踪技术概述[J].网络安全.2005,(8)
27、姚建国,赵战生.计算机犯罪取证学之入侵追踪技术分析[J].通讯 技术.2003,(4)
28、任伟,金海.网络取证技术研究[J].计算机安全.2004,(11)
29、黄步根.电子证据的鉴定[J].安全监察.2004,(9)
1、Kevin Mandia and Chris prosise.Incident Response:Investigating Computer Crime[M].CRC Press,2001
2、Eoghan Casey.Digital Evidence and Computer Crime:Forensic Science,Computers,and the Intemet,Second Edition[M].Academic Press,2004
3、Robert Jones.Internet Forensics[M].O'Reilly,2005
4、Brian Carrie.File System Forensic Analysis[M].Adisson Welsey Professional,2005
5、www.elsevier.com/locate/diin.Digital Investigation[M].2005
6、Chad Steel John Wiley & Sons.Windows Forensics:The Field Guide for Corporate Computer Investigations[M].2006
7、Harlan Carvey.Windows Forensics and Incident Recovery[M].Add -ison Wesley,2004
8、Steve Bunting &William Wei.Encase Computer Forensics:The Offic -ial Ence Study Guide[M].Wiley Publishing,Inc,2006
1、Christian Johansson.Forensic and Anti-Forensic Computing Christi -an Johansson[J].2002,(12)
2、Lisa Oseles.Computer Forensics:The Key to Solving the Crime[J].2001,(10)
3、Venansius Baryamureeba and Florence Tushabe Barya.The Enhanc-ed Digital Investigation Process Model[J].2004,(5)
4、Joseph Giordano and Chester Maciag.Cyber Forensics:A Military Operations Perspective[J].Intemational Journal of Digital Evidence.2002,(2)
5、Robert Campbell.Crime Scene Investigators:The Next Generation [J].IEEE security & privacy.2003
6、Jeremy Travis.The Use of Computerized Crime Mapping by Law Enforcement:Survey Results[R].1999,(1)
2.《个人计算机用户反取证惯用方法简析》,发表于《侦查》,2007.2
3.《数字证据完整性证明方法研究——安全的、可供审计的数字时间戳证明方法》,发表于《吉林公安高等专科学校学报》,2007.4;
4.《增强型计算机取证程序模式的构建》,发表于《上海公安高等专科学校学报》,2007.4;
5.《规范我国计算机取证活动的法律思考》,发表于《中国公共安全》,2007.4;
6.《论电子数据鉴定》,发表于《现代侦查》(第三卷),2008.1;
7《论计算机取证相关问题——现场动态分析,获取“易挥发”数字证据》,发表于《中国司法鉴定》,2008.1;
8《数字证据的收集和保全问题研究——试谈首要响应人员对“脆弱”数字证据的收集和保全》,发表于《云南警官学院学报》,2008.2。
2 See Michael Chissick.Electronic Commerce:Law and Practice,Sweet & Kelman 1999,143-144
3 张西安.论计算机证据的几个问题.人民法院报,2005-09-26
4 董杜骄.论电子证据法律地位.中国当代思想宝库.中国经济出版社,2002
5 赵小敏,陈庆章.打击计算机犯罪新课题——计算机取证技术.http://bbs.chinacissp.com/viewtopic.php?P=60406,2004-05-11
6 陈龙,麦永浩等.计算机取证技术.武汉大学出版社,2007.1-2
7 同注5
8 Joseph Giordano,Chester Maciag.Cyber Forensics:A Military Operation Perspective.International Journal of Digital Evidence,Sum 2002,3-5
9 通常可以聘请专业公证人员进行现场监督、现场摄录像以及现场公证。
10 刘东辉.计算机动态取证技术的研究.计算机系统应用,2005,(9):45
11 尉永青,刘培德.计算机取证技术研究.信息安全,2005,(4):85-86
12 Palme G.A Road Map for Digital Forensic Research.DFRWS Technical Report DTR-T001-01.Nov 2001
13 Carrier B,Eugene H,Spafford.Getting Physical with the Digital Investigation Process.International Journal of Digital Evidence.Fall 2003.5
14 Process C.Mandia K.Incident Response:Investigating Computer Crime.Osborne/McGraw-Hill.2001.49-50
15 Reith Mark,Carr Client,etc.An Examination of Digital Forensic Model.International Journal of Digital Evidence.Fall 2002(Volume 1,issue3):3-6
16 李学军.电子数据与证据.证据学论坛(第二卷).中国检察出版社,2001.444-445;魏士禀.电子合同法理论与实务.北京邮电大学出版社,2001.130
17 这里只是对现有的专用取证软件做了大致的分类,将某一软件工具列入某一类中并不代表在其它过程中就不能用到该工具。如TextSearchPlus也可能用到证据检查中,CRCMD5也可以用到证据保全中等。
18 Noblett M G;Pollitt M,Presley L A.Recovering and Examining Computer Forensic Evidence.Foren-sic Science Communications,2002,2(4)
19 http://www.dfrws.org/2001/dfrws-rm-final.pdf.A Road Map for Digital Forensic Research.DFRWS Technical Report DTR-T001-01 Final.August 7-8,2001:17
20 汪中夏,刘伟.数据恢复高级技术.电子工业出版社,2006:98-99
21 蒋平,黄舒华,杨莉莉.数字取证.北京:清华大学出版社,中国人民公安大学出版社,2007:73
22 DBF数据库文件的修复有以下两种方法:
①使用EXCEL或ACCESS修复,首先用EXCEL或ACCESS导出正确的数据,将其另存为一个同版本的DBF数据表,再通过修改DBF数据表的字段结构,来修正属性,最后重建索引;
②使用Database Desktop、Advanced DBF Repair、DBF Recovery等工具进行修复。
23 电脑硬盘格式化几点须知.http://www.ccw.com.cn/diynew/question/htm2005/20050413_23ZEG.htm,2005-4-13
24 硬盘的十大故障解决办法.http://bbs.cpcw.com/archiver/tid-1126564.html,2007-4-13
25 要检测CMOS中的硬盘类型设置是否正确,检查CMOS中的硬盘类型是否小于实际的硬盘容量。
26 汪中夏,刘伟.数据恢复高级技术.电子工业出版社,2006:57-59
27 每次重启计算机都可能造成交换文件的重写,所以在分析和处理交换文件数据时,切忌重启计算机。
28 聂元铭,曾志,黄燕宏.计算机数据修复与维护.北京:科学出版社,2006:137-140
29 按照技术手段运用的多寡,笔者认为可将隐藏数据分为简单隐藏数据和复杂隐藏数据。简单隐藏数据意指仅利用数据隐藏技术而形成的隐藏数据,复杂隐藏数据是指综合运用数据隐藏技术和其它计算机技术所形成的隐藏数据。
30 任伟,金海.网络取证技术研究.计算机安全,2004,(11):66-67
31 转引自:http://www.qqread.com/foxpro/u742126605.html,2005-12-03
32[加]Jiawei Han.数据挖掘概念与技术.北京:机械工业出版社,2001:14-17
34 主动取证是相对于被动取证而言的,主动取证是计算机不法行为开始之前就已经做好的取证的准备,一旦不法行为开始实施就开始适时取证,而被动取证是指计算机不法行为被发现之后所进行的取证。较之二者,则主动取证的效果较佳。
35 http://www.onlyblog.com/blog/zhongyuyang/archives/2007/6273.html,2007-6-17
36 任伟,金海.网络取证技术研究.计算机安全,2004,(11):66-67
37 http://www.stcsm.gov.cn/learning/lesson/xinxi/20020625/20020625-5.asp,2002-6-25
38 同注37,2002-6-25,5
39 绿色.隐藏加密文件的三个特别方法.CNKI学术期刊网[http://www.cnki.net]
40 王玲,钱华林.计算机取证技术及其发展趋势.软件学报,2003.(9):1642
41 王玲,钱华林.计算机取证技术及其发展趋势.软件学报.2003,(9):164
42 Kevin Mandia & Chris Prosise.Incident Response:Investigating Computer Crime.CRC Press,2001:16-18
43 National Institute of Justice.Electronic Crime Scene Investigation A Guide for First Responders.http://www.nc jrs.org/pdffiles1/nij/187736.pdf,2001-7
44 Mark Reith,Clint Carr and Gregg Gunsch.An Examination of Digital Forensic Models.International Journal of Digital Evidence,2002,(1):3
45 Brian Carrier and Eugene H Spafford.Getting Physical with theInvestigative Process[J].International Journal of Digital Evidence,2003,(2):2,5-6
46 National Institute of Justice.Results from Tools and Technology Working Group,Governors Summit on Cyber crime and Cyber terrorism,Princeton NJ,2002
47 Joseph Migga Kizza.Ethical and Social Issues in the Information Age,Second Edition.Springer,2003
49 孙铁成.计算机犯罪的罪名及其完善.中国法学.1998,(1)
50 赵秉志.计算机与网络犯罪专题整理.北京:中国人民公安大学出版社,2007:66-67
51 这里所讲的毁灭性是指造成计算机系统的崩溃、程序被严重篡改、计算机被劫持、无法对计算机进行任何操作、一个区域的计算机信息网络系统瘫痪等。
52 菲律宾的《电子证据规则》所确立的“拷贝等于原件(规则4——最佳证据规则第2条)”、“证明电子文档真实性的方式(规则5——电子文档的真实性证明第2条)”、“电子文档的证明力条款(规则7)”、“瞬息证据(规则 11第2条)”等规定,在世界电子证据立法领域处于领先地位,具有极大的立法参考价值。
1、聂元明,增志,黄燕宏.计算机数据修复与维修[M].科学出版社,2006
2、汪中夏,刘伟著.数据恢复高级技术[M].电子工业出版社,2006
3、张越今.网络安全与计算机犯罪勘查技术学[M].清华大学出版社,2003
4、常建平.网络安全与计算机犯罪[M].中国人民公安大学出版社,2002
5、[美]纽顿.刑侦高科技犯罪百科全书[M].上海科技文献出版社,2007
6、董玉格.攻击与防护——网络安全与实用防护技术.人民邮电出版社,2002
7、赵秉志.计算机与网络犯罪专题整理[C].中国人民公安大学出版社,2007
8、刘方权.犯罪侦查中对计算机的搜查扣押与电子证据的获取[M].中国检察出版社,2006
9、蒋平,黄淑华,杨莉莉编.数字取证[M].清华大学出版社,中国人民公安大学出版社,2007
10、蒋平,杨莉莉.电子证据[M].清华大学出版社,中国人民公安大学出版社,2007
11、欧陪宗.DOS命令行指令详解与实力应用大全[M].山东电子音像出版社,2007
12、孙锋.BIOS与注册表完全解决方案[M].机械工业出版社,2006
1、杨永川,李岩.电子证据取证技术的研究[J].中国人民公安大学学报(自然科学版).2005,(1)
2、殷联甫.计算机反取证技术研究[J].计算机系统应用.2005,(10)
3、冉晓曼.IP反向追踪技术综述[J].计算机安全.2005,(3)
4、王伟,刘力,徐家旺.计算机取证的技术和方法[J].中国刑事警察.2004,(3)
5、蔡自兴,董纯坚.网络安全技术的探讨[J].信息安全与通讯保密.2005,(12)
6、兰绍江.“电子证据”概述[J].天津市政法管理干部学院学报.2005, (2)
7、谢小剑,李万权.电子证据的收集程序研究[J].黑龙江省政法管理干部学院学报.2004,(5)
8、皮勇.电子证据的搜查扣押措施研究[J].江西公安专科学校学报.2004,(1)
9、蒋占卿,任云凯.计算机案件现场勘查应注意的几个问题[J].中国人民公安大学学报(自然科学版).2005,(1)
10、邓思清.论网络犯罪中电子证据的收集[J].2005,(6)
11、余金灿.美国的电子证据和法庭计算机科学[J].北京人民警察学院学报.2005,(7)
12、周旸,徐远芳.浅析计算机取证技术[J].现代计算机.2006,(3)
13 黄步根.数据恢复与计算机取证[J].计算机安全.2006,(6)
14、黄步根.硬盘数据修复技术[J].江苏公安专科学校学报.1999,(4)
15、张有东,王建东,叶飞跃,陈惠萍,李涛.网络取证及其应用技术研究[J].小型微型计算机系统.2006,(3)
16、王永全.通信网络中犯罪行为的取证技术[J].电信科学.2006,(6)
17、丁丽萍,王永吉.计算机取证相关法律技术问题研究[J].软件学报.2005,16:(2)
18、王玲,钱华林.计算机取证技术及其发展趋势[J].软件学报.2003,14:(9)
19、陈丹.计算机数据恢复浅析[J].吉林师范大学学报.2005,(4)
20、吴晓春.加密技术概念、加密方法以及应用详解[J].中国科技信息.2006,(3)
21、龙丹,周学军,田燕妮.加密文件系统(EFS)技术研究[J].徽计算机信息.2006,(3)
22、于百炼.硬盘磁盘加密技术[J].电气时代.2002,(10)
23、蔡长安.硬盘数据恢复和防护[J].教育信息化.2002,(6)
24、陈红军.田相离.硬盘数据的抢修及防护[J].家庭电子
25、徐国栋,白英彩.加密文件系统在Windows下的实现[J].微型电脑应用.2006,(5)
26、李冬静,蒋平.攻击源追踪技术概述[J].网络安全.2005,(8)
27、姚建国,赵战生.计算机犯罪取证学之入侵追踪技术分析[J].通讯 技术.2003,(4)
28、任伟,金海.网络取证技术研究[J].计算机安全.2004,(11)
29、黄步根.电子证据的鉴定[J].安全监察.2004,(9)
1、Kevin Mandia and Chris prosise.Incident Response:Investigating Computer Crime[M].CRC Press,2001
2、Eoghan Casey.Digital Evidence and Computer Crime:Forensic Science,Computers,and the Intemet,Second Edition[M].Academic Press,2004
3、Robert Jones.Internet Forensics[M].O'Reilly,2005
4、Brian Carrie.File System Forensic Analysis[M].Adisson Welsey Professional,2005
5、www.elsevier.com/locate/diin.Digital Investigation[M].2005
6、Chad Steel John Wiley & Sons.Windows Forensics:The Field Guide for Corporate Computer Investigations[M].2006
7、Harlan Carvey.Windows Forensics and Incident Recovery[M].Add -ison Wesley,2004
8、Steve Bunting &William Wei.Encase Computer Forensics:The Offic -ial Ence Study Guide[M].Wiley Publishing,Inc,2006
1、Christian Johansson.Forensic and Anti-Forensic Computing Christi -an Johansson[J].2002,(12)
2、Lisa Oseles.Computer Forensics:The Key to Solving the Crime[J].2001,(10)
3、Venansius Baryamureeba and Florence Tushabe Barya.The Enhanc-ed Digital Investigation Process Model[J].2004,(5)
4、Joseph Giordano and Chester Maciag.Cyber Forensics:A Military Operations Perspective[J].Intemational Journal of Digital Evidence.2002,(2)
5、Robert Campbell.Crime Scene Investigators:The Next Generation [J].IEEE security & privacy.2003
6、Jeremy Travis.The Use of Computerized Crime Mapping by Law Enforcement:Survey Results[R].1999,(1)