计算机取证与分析鉴定共42页

计算机取证技术实验报告一、实验目的二、实验原理1.计算机文件的删除计算机文件的删除并不是真正的删除，而是将文件的存储空间标记为可重用状态。

通过合适的方法可以恢复已删除的文件。

2.隐藏文件计算机中的文件可以通过更改文件的属性来隐藏。

隐藏文件需要特殊的手段进行查找和恢复。

3.数据流计算机中的数据都是以数据流的形式存储的，可以通过分析数据流来获取有用的信息和证据。

4.元数据元数据是指记录文件属性和存储位置的数据，包括文件的创建时间、修改时间等信息。

通过分析元数据可以还原文件的使用轨迹。

三、实验步骤1.文件删除恢复实验首先，在计算机上创建一个包含敏感信息的文件，然后将其删除到回收站。

接下来，使用特定的恢复软件对回收站进行扫描，找回已删除的文件。

最后，验证恢复的文件是否包含原始的敏感信息。

2.隐藏文件实验在计算机上创建一个需要隐藏的文件，并将其属性设置为隐藏。

然后，通过查找隐藏文件的方法来寻找被隐藏的文件。

验证查找结果是否正确。

3.数据流分析实验在计算机上创建一个包含敏感信息的文件，并将其复制到不同的位置。

通过分析数据流，找到敏感文件的所有副本。

验证数据流分析的准确性。

4.元数据分析实验在计算机上创建一个包含敏感信息的文件，并对其进行不同的操作，如复制、重命名等。

通过分析文件的元数据，还原文件的使用过程。

验证元数据分析的有效性。

四、实验结果与分析本实验中，通过对文件删除恢复、隐藏文件、数据流分析和元数据分析的实验，成功地获取了敏感信息和相关证据。

实验结果表明，计算机取证技术是一种高效、可靠的方法，对于犯罪活动的调查和审判具有重要的意义。

五、实验总结本实验通过对计算机取证技术的实践，加深了对计算机取证技术原理和方法的理解和掌握。

计算机取证技术在现代社会中具有重要的应用价值，对于维护社会安全和网络安全起到了重要的作用。

通过本次实验，我对计算机取证技术有了更深入的了解，并对其在实际工作中的应用有了更清晰的认识。

计算机取证分析内部编号：（YUUT-TBBY-MMUT-URRUY-UOOY-DBUYI-0128）摘要信息技术的不断发展给人们的生活带来了巨大的改变，网络已经越来越渗透到人们的现实生活与工作当中。

然而，网络在为人民生活和工作带来便利的同时，也引发了无数网络犯罪。

计算机静态取证便是针对网络犯罪而出现的一种电子取证技术，而随着网络犯罪形式和手段的千变万化，计算机静态取证已不能满足打击网络犯罪的需求，为适应信息化发展的要求，建立安全网络环境和严厉打击网络犯罪行为势在必行，本论文针对计算机动态取证技术进行分析，主要浅谈电子动态取证采集系统的实现、网络证据收集和网络数据分析等几个方面。

通过对计算机取证基本概念、特点和技术的基础研究，对计算机动态取证进行分析。

关键词：电子取证动态取证动态电子证据采集网络数据协议目录一、概述（一）、研究背景目前，人类社会已经迈入了网络时代，计算机与互联网已经与老百姓的日常工作、学习与工作息息相关，社会信息化对政治、经济、文化和科技等各项社会生活产生了深远的影响。

然而，网络技术给人类社会带来有利影响的同时，也带来了负面的影响。

在国外，1988年11月美国国防部的军用九三级网络遭受莫里斯病毒袭击，致使美国Internet网络上6000多台计算机感染，直接经济损失9600万美元。

2000年5月，“爱虫”病毒通过电子邮件传播，在世界各地迅速蔓延，造成全世界空前的计算机系统破坏。

而在国内，人们利用计算机网络犯罪的案例也层出不穷。

2002年，作案人吕薜文通过盗用他人账号，对中国公众多媒体通信网广州主机进行了攻击，并对其部分文件进行删除、修改、增加等一系列非法操作，造成严重后果。

2008年4月，作案人赵哲窜至上海某证券攻击营业部，利用该营业部电脑安全防范上的漏洞，修改该营业部部分股票交易数据，致使股价短时间内剧烈震荡。

计算机以及其他信息设备越来越多的被运用到犯罪活动中，尽管随着入侵检测系统的广泛使用降低了非法使用计算机资源所带来的损失，但网络犯罪依然不可忽视。

计算机取证与分析步骤1、关闭计算机2、记录（拍照）嫌疑计算机硬件配置与状态3、将嫌疑计算机转移至安全地点4、对硬盘或软盘做位对位获取5、对存储介质中的数据做验证6、记录系统日期和时间7、确定关键字符清单8、分析Windows Swap交换文件9、分析文件残留区File Slack10、分析未分配空间11、在文件、文件残留区、未分配空间中搜索关键字符12、记录文件名、日期、时间13、Computer Evidence Processing StepsNTI conducts hands-on computer forensics training courses which expose computer professionals to the many hazzards and risks associated with computer evidence processing and computer security. NTI's computer forensics training courses designed to drive home several important points, i.e., computer evidence is fragile by its very nature and the problem is compounded by the potential for destructive programs and hidden data.Even the normal operation of the computer can destroy computer evidence that might be lurking in temporary operating system files, temporary application working files and ambient data storage areas. NTI provides its training clients with a solid foundation built upon technical knowledge so that they will understand the technical issues concerning the creation, modification and storage of computer data. Without this knowledge they will be unable to testify about their computer forensic findings. NTI also wants its clients to have a complete understanding of the technical issues so that they can make the right decisions about computer security risk management and computer evidence processing issues. It is not enough to run a computer forensics program and get results. Good decisions are made by knowledgable individuals who understand the underlying tec hnical issues tied to the potential security risks and evidence processing issues tied to personal computers.There are no strict rules that must be followed concerning the processing of computer evidence. Every case is different and flexibility and good technical knowledge make the difference between success and failure. However, many times decisions need to be made without full the knowledge of the issues involved. For that reason NTI has provided the following guidelines which are intended to assist its clients. Please remember that these guidelines do not represent 'the only true way'. They are intended to be general guidelines which are provided as food for thought. If you have an emergency and you are not yet formally trained, click here for emergency guidelines.General evidence processing guidelines follow:1. Shut Down the ComputerDepending upon the computer operating system involved, this usually involves pulling the plug or shutting down a net work computer using relevant operating system commands. At the option of the computer specialists, pictures of the screen image can be taken using a camera. However, consideration should be given to possible destructive processes that may be operating in the background. These can be resident in memory or available through a modem or network connection. Depending upon the operating system involved, a time delayed password protected screen saver may potentially kick in at any moment. This can complicate the shutdown of the computer. Generally, time is of the essence and the computer system should be shut down or powered down as quickly as possible.2. Document the Hardware Configuration of The SystemIt is assumed that the computer system will be moved to a secure location where a proper chain of custody can be maintained and the processing of evidence can begin. Before dismantling the computer, it is important that pictures are taken of the computer from all angles to document the system hardware components and how they are connected. Labeling each wire is also important so that the original computer configuration can be restored. Computer evidence should ideally be processed in a computer hardware environment that is identical to the original hardware configuration.3. Transport the Computer System to A Secure LocationThis may seem basic but all too often seized evidence computers are stored in less than secure locations. It is imperative that the subject computer is treated as evidence and it should be stored out of reach of curious computer users. All too often, individuals operate seized computers without knowing that they are destroying potential computer evidence and the chain of custody. Furthermore, a seized computer left unintended can easily be compromised. Evidence can be planted on it and crucial evidence can be intentionally destroyed. A lack of a proper chain of custody can 'make the day' for a savvy defense attorney. Lacking a proper chain of custody, how can you say that relevant evidence was not planted on the computer after the seizure? The answer is that you cannot. Do not leave the computer unattended unless it is locked in a secure location! NTI provides a program named Seized to law enforcement computer specialists free of charge. It is also made available to NTI's business and government in various suites of software that are available for purchase. The program is simple but very effective in locking the seized computer and warning the computer operator that the computer contains evidence and should not be operated. Click here for information about NTI's software suites or click here for the law enforcement order form.4. Make Bit Stream Backups of Hard Disks and Floppy DisksThe computer should not be operated and computer evidence should not be processed until bit stream backups have been made of all hard disk drives and floppy disks. All evidence processingshould be done on a restored copy of the bit stream backup rather than on the original computer. The original evidence should be left untouched unless compelling circumstances exist. Preservation of computer evidence is vitally important. It is fragile and can easily be altered or destroyed. Often such alteration or destruction of data is irreversible. Bit stream backups are much like an insurance policy and they are essential for any serious computer evidence processing. More information about bit stream backups has been provided on this site. Click here for the article about making bit stream backups. In March 2000, NTI purchased SafeBack software from Sydex, Inc. This is a very popular bit stream backup tool that has become an international standard since 1991. NTI covers the use of this software in its computer forensics training courses.5. Mathematically Authenticate Data on All Storage DevicesY ou want to be able to prove that you did not alter any of the evidence after the computer came into your possession. Such proof will help you rebut allegations that you changed or altered the original evidence. Since 1989, law enforcement and military agencies have used a 32 bit mathematical process to do the authentication process. Mathematically, a 32 bit data validation is accurate to approximately one in 4.3 billion. However, given the speed of today's computers and the vast amount of storage capacity on today's computer hard disk drives, this level of accuracy is no longer accurate enough. A 32 bit CRC can easily be compromised. Therefore, NTI includes two programs in its forensic suites of tools that mathematically authenticate data with a high level of accuracy. Large hashing number, provides a mathematical level of accuracy that is beyond question. These programs are used to authenticate data at both a physical level and a logical level. The programs are called CrcMD5 and DiskSig Pro. The latter program was specifically designed to validate a restored bit stream backup and it is made available free of charge to law enforcement computer specialists as part of NTI's Free Law Enforcement Suite. The programs are also included in our various suites of forensic software which are sold NTI's clients.6. Document the System Date and TimeThe dates and times associated with computer files can be extremely important from an evidence standpoint. However, the accuracy of the dates and times is just as important. If the system clock is one hour slow because of daylight-saving time, then file time stamps will also reflect the wrong time. To adjust for these inaccuracies, documenting the system date and time settings at the time the computer is taken into evidence is essential. NTI has created a program called GetTime which is used for this purpose. It is included in the NTI various suite of tools.7. Make a List of Key Search WordsBecause modern hard disk drives are so voluminous, it is all but impossible for a computer specialist to manually view and evaluate every file on a computer hard disk drive. Therefore, state-of-the-art automated forensic text search tools are needed to help find the relevant evidence. One such tool is NTI's TextSearch NT which is certified for use by the U. S. Department of Defense. Usually, some information is known about the allegations in the case, the computer user and the alleged associates that may be involved. Gathering information from individuals familiar with the case to help compile a list of relevant key words is important. Such key words can be used in the search all computer hard disk drives and floppy diskettes using automated software. Keeping the list as short as possible is important and you should avoid using common words orwords that make up part of other words. In such cases, the words should be surrounded with spaces. Intelligent filtering tools can also be helpful in crafting lists of key words for use in computer evidence processing, e.g., NTA Stealth, Filter_N, FNames, Filter_G, GExtract and GetHTML.8. Evaluate the Windows Swap FileThe Windows swap file is potentially a valuable source of evidence and leads. The evaluation of the swap file can be automated with several of NTI's forensic tools, e.g., NTA Stealth, Filter_N, FNames, Filter_G, GExtract and GetHTML. These intelligent filters automatically identifies patterns of English language text, phone numbers, social security numbers, credit card numbers, Internet E-Mail addresses, Internet web addresses and names of people.In the past this tedious task of analyzing Windows swap files was done with hex editors and the process took days to evaluate just one Windows swap file. By using automated tools, that process now takes just a few minutes. When Windows 95/98 is involved, the swap file may be set to be dynamically created as the computer is operated. This is the default setting and when the computer is turned off, the swap file is erased. However, not all is lost because the content of the swap file can easily be captured and evaluated by NTI's GetFree program. This program automatically captures erased file space and creates a file that can be evaluated by NTI's various intelligent filter programs mentioned above.The NTA Stealth program relies upon artificial intelligence fuzzy logic to identify patterns of text associated with past Internet activities. This program is used by probation and parole officers to montior the computer and Internet activity of convicted sex offenders. It is also used in corporations to identify inappropriate uses of computers in the workplace and it is used in law enforcement and military agencies.The output from NTA Stealth, Filter_N, FNames, Filter_G, GExtract and GetHTML. can be successfully used to identify 'unknown key words' that can supplement the key word list created in the step above. The automated review of the Windows swap file takes just a few minutes with these automated tools. A manual review of the Windows swap file can take days or even weeks if the process is done manually using programs like the Norton utilities.9. Evaluate File SlackFile slack is a data storage area of which most computer users are unaware. It is a source of significant 'security leakage' and consists of raw memory dumps that occur during the work session as files are closed. The data dumped from memory ends up being stored at the end of allocated files, beyond the reach or the view of the computer user. Specialized forensic tools are required to view and evaluate file slack and it can prove to provide a wealth of information and investigative leads. Like the Windows swap file, this source of ambient data can help provide relevant key words and leads that may have previously been unknown.On a well used hard disk drive, as much as 900 million bytes of storage space may be occupied by file slack. File slack should be evaluated for relevant key words to supplement the keywords identified in the steps above. Such keywords should be added to the computer investigator's list ofkey words for use later. Because of the nature of file slack, specialized and automated forensic tools are required for evaluation. NTI has created a forensic utility called GetSlack that captures file slack from hard disk drives and floppy disks. The output from the GetSlack program can be evaluated in the same fashion as a Windows swap file using the intelligent filter programs listed above. File slack is typically a good source of Internet leads.10. Evaluate Unallocated Space (Erased Files)The DOS and Windows 'delete' function does not completely erase file names or file content. Many computer users are unaware the storage space associated with such files merely becomes unallocated and available to be overwritten with new files. Unallocated space is a source of significant 'security leakage' and it potentially contains erased files and file slack associated with the erased files. Often the DOS Undelete program can be used to restore the previously erased files. Like the Windows swap file and file slack, this source of ambient data can help provide relevant key words and leads that may have previously been unknown to the computer investigator. On a well used hard disk drive, millions of bytes of storage space may contain data associated with previously erased files. Unallocated space should be evaluated for relevant key words to supplement the keywords identified in the steps above. Such keywords should be added to the computer investigator's list of key words for use in the next processing step. Because of the nature of data contained in unallocated space and its volume, specialized and automated forensic tools are required for evaluation. NTI has created a forensic utility called GetFree that quickly captures all unallocated space from hard disk drives and floppy disks. The output from the GetFree program can be evaluated in the same fashion as the other types of ambient data mentioned previously using intelligent filter programs. Unallocated space is typically a good source of data that was previously associated with word processing temporary files and other temporary files created by various computer applications. It is also a good source of leads concerning graphics files that have been viewed over the Internet and NTI's GExtract software can be used very effectively to identify these graphic file remnants left behind in unallocated storage space.11. Search Files, File Slack and Unallocated Space for Key WordsThe list of relevant key words identified in the previous steps should be used to search all relevant computer hard disk drives and floppy diskettes. There are several forensic text search utilities available in the marketplace. NTI's forensic search TextSearch NT can be used for that purpose and it has been tested and certified for accuracy by the U. S. Department of Defense. This powerful search tool is also included as part of NTI's suites of software tools. It was designed to be a state-of-the-art search tool for use as a security review tool by U. S. government intelligence agencies. This program and other NTI forensic tools also provide significant benefits in cases involving computer related evidence. For this reason and to help stretch limited law enforcement budgets, NTI makes all of its forensic software tools and training available to law enforcement computer crime specialists for discounted prices.It is important to review the output of a forensic text search utility. When relevant evidence or leads are identified, the fact should be noted and the identified data should be documented. When new key words are identified in the searching process, then they should be added to the list and anew search should be conducted using the text search utility again with the updated search list. Text search utilities are also used, on a regular basis, in classified government agencies for security reviews. When evidence or unexpected findings are uncovered in government security reviews, they should also be documented and archived as potential evidence. NTI's TextSearch NT is certified by the U. S. Department of Defense and its little brother, TextSearch Plus has been used for years in classified U. S. government agencies to process evidence and to conduct computer security reviews.12. Document File Names, Dates and TimesFrom an evidence standpoint, file names, creation dates, last modified dates and times can be relevant. Therefore, it is important to catalog all allocated and 'erased' files. NTI includes a program called FileList Pro in its various suites of forensic tools. The FileList Pro program generates its output in the form of a database file. The file can be sorted based on the file name, file size, file content, creation date, last modified date and time. Such sorted information can provide a timeline of computer usage. When FileList Pro created databases can be combined from several computers in the same case and the sorted output can provide conspiratorial leads for further investigation. This powerful inventory tool is used to evaluate all Microsoft-based computer systems in computer related investigations.NTI also created another forensic documentation tool called NTIDOC. This program is used to take electronic snapshots of relevant computer files. The program automatically records the file name, time and date along with relevant file attributes. The output is in the form of a word processing compatible file that can be used to help document computer evidence issues tied to specific files.13. Identify File, Program and Storage AnomaliesEncrypted, compressed and graphic files store data in binary format. As a result, text data stored in these file formats cannot be identified by a text search program. Manual evaluation of these files is required and in the case of encrypted files, much work may be involved. NTI's TextSearch Plus program has built in features that automatically identify the most common compressed and graphic file formats. The use of this feature will help identify files that require detailed manual evaluation. Depending on the type of file involved, the contents should be viewed and evaluated for its potential as evidence.Reviewing the partitioning on seized hard disk drives is also important. The potential exists for hidden partitions and/or partitions formatted with other than a DOS compatible operating system. When this situation exists it is comparable to finding a hidden hard disk drive and volumes of data and potential evidence can be involved. The partitioning can be checked with any number of utilities including the DOS FDISK program or Partition Magic. When hidden partitions are found, they should be evaluated for evidence and their existence should be documented.If Windows is involved, it makes sense to evaluate the files contained in the Recycle Bin. The Recycle Bin is the repository of files selected for deletion by the computer user. The fac t that they have been selected for deletion may have some relevance from an evidentiary standpoint. Ifrelevant files are found, the issues involved should be documented throughly.14. Evaluate Program FunctionalityDepending on the application software involved, running programs to learn their purpose may be necessary. NTI's training courses make this point by exposing the students to computer applications that do more than the anticipated task. When destructive processes are discovered that are tied to relevant evidence, this can be used to prove willfulness. Such destructive processes can be tied to 'hot keys' or the execution of common operating commands tied to the operating system or applications. Before and after comparisons can be made using the FileList Pro program and/or mathematical authentication programs. All these tools are included in most of NTI's suites of forensic tools15. Document Y our FindingsAs indicated in the preceding steps, it is important to document your findings as issues are identified and as evidence is found. Documenting all of the software used in your forensic evaluation of the evidence including the version numbers of the programs used is also important. Be sure that you are legally licensed to use the forensic software. Software pirates do not stand up well under the riggers of a trial. Smart defense lawyers will usually question software licensing and you don't want to testify that you used unlicensed software in the processing of computer evidence. Technically, software piracy is a criminal violation of federal copyright laws.When appropriate, mention in your documentation that you are licensed to use the forensic software involved. With NTI's software, a trail of documentation is automatically created for the computer investigator and the name of the licensed user is listed in most output files. This feature aids in establishing who did the processing and the exact time and date when the processing was done. Screen prints of the operating software also help document the version of the software and how it was used to find and/or process the evidence.16. Retain Copies of Software UsedAs part of your documentation process, we recommend that a copy of the software used be included with the output of the forensic tool involved. Normally this is done on an archive Zip disk, Jazz disk or other external storage device, e.g. external hard disk drive. When this documentation methodology is followed, it eliminates confusion at trial time about which version of the software was used to create the output. Often it is necessary to duplicate forensic processing results during or before trial. Duplication of results can be difficult or impossible to achieve, if the software has been upgraded and the original version used was not retained. Please note that there is a high probability that you will encounter this problem because most commercial software is upgraded routinely but it may take years for a case to go to trial.。

计算机犯罪案件证据收集提取的注意事项一、计算机犯罪的特点近年来，计算机犯罪呈现出了一些特点，主要表现在以下几个方面：1)高智商性：计算机是现代社会科学技术发展的产物，计算机犯罪则是一种高智商的犯罪，这种高智商体现在：①作案者多采用高科技犯罪手段。

②犯罪分子犯罪前都经过了精心的策划和预谋。

③犯罪主体都具有相当高的计算机知识，或者是计算机领域的拔尖人才，有一些还是从事计算机工作多年的骨干人员。

2)作案动机简单化：计算机犯罪中，大多数犯罪主体精心研制计算机病毒，破坏计算机信息系统，特别是计算机黑客，他们犯罪的目的很多时候并不是为了金钱，也不是为了权利，而是为了显示自己高超的计算机技术，他们认为这些病毒的传播就是他们成果的体现，通过这种方式来认可自己研究成果，其目的之简单有时令破案者都吃惊。

3)实施犯罪容易：只需要一根网线，就能够对整个世界实施犯罪。

这反映了网络犯罪特别容易实施，很多犯罪活动在网吧中就可以进行，如此方便的实施手段给计算机网络犯罪创造了孳生的环境。

从1996年以来，我国的计算机网络犯罪数量呈直线上升。

自动化的病毒生产机和木马生成器大大降低了计算机犯罪的门槛，让许多未成年人也能够容易的实施计算机犯罪。

4)教强的隐蔽性：计算机犯罪分子作案大都比较隐蔽，这种隐蔽性不但体现在犯罪行为本身，还体现在犯罪结果上。

计算机犯罪侵害的多是无形的目标，比如电子数据或信息，而这些东西一旦存入计算机，人的肉眼无法看到，况且这种犯罪一般很少留有痕迹，一般很难侦破。

5)巨大的危害性：计算机犯罪所造成的损失往往是巨大的，是其他犯罪所无法比拟的，2000年据美国“信息周研究社”发表的研究报告称，全球今年因电脑病毒造成的损失将高达150000亿美元。

二、计算机犯罪取证光有法律并不能完全解决问题，计算机犯罪隐蔽性极强，可以足不出户而对千里之外的目标实施犯罪活动，甚至进行跨过犯罪。

并且一般在实施犯罪活动前会先通过某个国家预先被“黑”掉的主机为跳板进行犯罪活动，这样更加增大破获犯罪活动的难度。

论计算机取证及其规范1计算机取证计算机取证，也称为计算机数据取证，是一门专门研究并检索计算机存储器中的可能有价值的信息的学科。

这是一项研究、搜集、分析、证实和报告由计算机科学家对计算机中的信息进行取证方面的活动，包括分析文件系统及其相关硬件软件。

从可信计算机硬件、元数据和文件系统中推断活动和伪存在的目的是计算机取证的主要目标。

2计算机取证技术计算机取证技术旨在通过构建计算机系统，以收集、保护和解释取证，帮助调查人员追查犯罪或解决其他法律问题。

这种技术允许调查人员收集、解释和报告计算机证据，以支持法律上的结论。

计算机取证技术的应用涉及社会网络取证，移动设备取证，复杂环境取证，病毒和木马取证，数据隐私取证，内存取证，网络取证和密码学取证等。

3计算机取证规范计算机取证学会（Computer Forensics Association，CFA）实施了一系列认证规范，以确保计算机取证原则的使用，进而增强法庭上的可信度。

CFA认证包括了多个生态环境，如法定处理取证和法定证据。

另外，还建立起一套准则，以确保计算机取证过程的全部过程的方向性，以及人们最终保存的证据正确可靠。

CFA认证还要求合规处理可能受到调查的计算机上的数据，以及确保取证人员正确地记录取证信息。

4计算机取证的重要性计算机取证在司法中起着重要作用，因为它可以帮助司法机关确定准确的证据，对案件和犯罪的调查有着非常重要的作用。

它可以有效帮助司法机关在犯罪调查和案件诉讼中进行严谨和准确的证据收集，以及有效地挜掘和分析隐藏在计算机系统、社交媒体、网络和存储介质中的可能有价值的信息，以及确保这些信息可以在法庭上合法地使用。

5小结计算机取证是一门研究、搜集、分析和证实由计算机科学家分析计算机中可能有价值的信息的学科。

它可以支持法律的结论，并帮助调查人员调查犯罪活动。

CFA认证是计算机取证过程中的一个重要步骤，旨在确保取证原则的遵守，也能够保障取得的证据的真实性和可靠性。

浅谈计算机取证与司法鉴定杜江田燕摘要：随着计算机技术和信息产业的快速发展，利用计算机等高科技和信息化手段进行犯罪的事件也越来越多。

这类犯罪所带来的破坏性目前来说是最大的，而要打击和遏制这处犯罪，计算机取证和司法鉴定承担着不可取代的作用。

计算机与司法鉴定是一个计算机科学与法学紧密结合的交叉学科、边缘学科和新兴学科。

关键词：计算机取证；司法鉴定TP399 ：A ：1007-9599（2013）01-0150-021 引言随着互联网技术的迅猛发展和信息技术的广泛应用，计算机及相关的电子产品已经越来越多地渗入到人们的生活中。

一方面，人们在享受着电子产品给我们生活中带来便利和快捷的同时，另一方面，利用高科技，信息化手段进行犯罪的事件也不断出现，因此在信息安全方面我们面临着严峻的挑战。

由于计算机证据的脆弱性、隐蔽性和分散性等特征，因此，必须将计算机取证和司法鉴定相结合，才能保证计算机证据的客观性、真实性和合法性。

2 计算机取证与司法鉴定的研究现状2.1 国外研究现状计算机取证是伴随着计算机犯罪事件的出现而发展的，计算机取证在美国等网络技术发达的国家，已经有了接近三十年的发展历史了。

国际上计算机取证的研究方向主要是结合防火墙、网络侦听、入侵检测等网络安全工具，进行的动态取证。

而计算机取证的分析就是从海量的数据中获取与计算机犯罪相关的有力证据的过程。

随着电子犯罪的猖狂，司法机关对取证工具的需求更加强烈，这也催生了国外关于取证产品工具的市场。

但是由于计算机与司法鉴定理论的发展滞后，无法理出统一的取证流程标准，故还需要对计算机取证方面的知识进行相关的研究和讨论。

2.2 国内研究现状在我国，有关计算机取证的研究和实践还处于初步阶段，不管是从取证软件上，还是从所需要的设备方面，国内执法机关目前使用的还多为国外的产品，计算机取证的标准和操作规范的执行也尚未建立。

2012年8月31日第11届全国人大常委会第28次会议中，我国民法大修，首次添加了“电子证据”这一新的证据种类，我国传统的七大类证据变成了八大类，赋予了电子证据明确的法律地位，此次修改的民法将自2013年1月1日起我国施行。

计算机取证与司法鉴定第3版题库摘要：1.计算机取证与司法鉴定的概念与重要性2.计算机取证的方法和技术3.司法鉴定在计算机取证中的应用4.计算机取证与司法鉴定的发展趋势和挑战正文：计算机取证与司法鉴定是数字时代司法机关打击犯罪、维护社会公正的重要手段。

计算机取证指的是通过技术手段获取、保护和分析计算机系统中的电子数据，以便为司法诉讼提供证据。

司法鉴定是指在诉讼过程中，由具有专门知识的人员对案件中的专门性问题进行评估和判断的活动。

计算机取证与司法鉴定在许多案件中都发挥着关键作用，如网络犯罪、电子数据纠纷等。

计算机取证的方法和技术多种多样，主要包括以下几类：1.磁盘映像技术：通过制作磁盘映像文件，对原始数据进行加密保护，并作为取证的备份。

2.数据恢复技术：对于损坏或者删除的数据，通过专业的数据恢复技术进行修复和提取。

3.隐藏数据挖掘技术：通过分析磁盘空间，寻找可能被隐藏的数据。

4.网络数据捕获和分析技术：对网络数据进行实时捕获、分析和存储，以获取犯罪证据。

司法鉴定在计算机取证中起着关键作用，通过对电子数据的真实性、完整性、合法性进行评估，为司法机关提供可靠的证据。

司法鉴定的过程包括：鉴定申请、鉴定受理、鉴定实施、鉴定结论等环节。

鉴定人员需要具备丰富的计算机知识和技能，才能在鉴定过程中发现关键证据。

随着计算机技术和互联网的快速发展，计算机取证与司法鉴定面临着许多新的挑战和发展趋势，如大数据、云计算、人工智能等。

为了应对这些挑战，计算机取证与司法鉴定需要不断创新方法和技术，提高取证和鉴定的效率和准确性。

同时，加强国际合作，分享计算机取证与司法鉴定的经验和技术，也是未来发展的重要方向。

总之，计算机取证与司法鉴定在数字时代具有重要的社会意义和法律价值。