计算机取证实用教程

《计算机取证实用教程》内容简介在这本教材里，编者阐述了计算机取证的概念和内容，介绍了计算机取证的技术与工具，剖析了主流的磁盘分区和文件系统，分析了数据恢复的基本原理和关键技术。

本书所讨论的设备对象涵盖了计算机、移动智能终端和网络设备；分析的操作系统包含了：三种主流的计算机操作系统（Windows、Linux和Mac OS X），两种占据了绝大部分市场份额的的移动智能终端操作系统（Android和iOS），网络设备中最具代表性的思科IOS操作系统。

本书从取证原理、相关技术和常用工具等方面系统地介绍了计算机取证的核心内容，并辅以必需的预备知识介绍，使读者能够在短时间内了解计算机取证的主要内容和通用程序，掌握计算机取证的的基础理论和技术方法。

全书通俗易懂的原理分析、图文并茂的流程说明，能够令读者在学习过程中感受到良好的实践体验。

本书既可以作为高等院校计算机科学与技术、信息安全、法学、侦查学等专业计算机取证、电子数据检验鉴定等课程的教材，也可作为计算机取证从业人员的培训和参考用书。

对于信息安全技术与管理人员、律师和司法工作者、信息安全技术爱好者，本书也具有很高的参考价值。

前言信息技术的迅猛发展，计算机和网络应用的全方位普及，不断改变着人们工作、学习和生活的习惯和方式，政府运作、商贸往来乃至个人休闲娱乐都已进入了网络模式。

在企事业单位内部调查、民事纠纷、刑事诉讼等案/事件的举证中，数字证据正在发挥越来越大的作用，成为信息化时代的证据之王。

信息技术的专业性和数字证据来源的多样性，决定了计算机取证的复杂性。

本书编者试图凭借多年的教学和实践经验，将博大精深的计算机取证知识体系提炼为通俗易懂、循序渐进的篇章。

只会操作自动取证软件，无法成为独当一面的优秀取证分析师。

本书的编写旨在培养读者掌握技术原理基础上的实践技能，同时注重提高读者对相关知识的自主学习能力，为胜任不同类型的计算机取证工作奠定牢固的理论基础。

计算机取证的目的是发现与案/事件相关联的行为及其结果，为证明案/事件事实和重现案/事件提供依据。

简述计算机取证的步骤计算机取证是指通过收集和分析数字证据，来获取与计算机相关的犯罪行为的证据。

它是一项重要的技术，用于调查网络犯罪、数据泄露和计算机滥用等问题。

下面将介绍计算机取证的主要步骤。

第一步：确定取证目标在进行计算机取证之前，首先需要明确取证的目标。

这可以是调查一个特定的犯罪行为，或者是查找特定的数字证据。

明确取证目标有助于指导后续的取证工作，并提高取证的效率和准确性。

第二步：收集证据收集证据是计算机取证的核心步骤。

可以通过多种方式收集证据，包括镜像硬盘、复制文件、抓取网络数据包等。

在收集证据时，需要确保采取的方法不会影响到原始数据的完整性和可靠性。

另外，为了保证证据的可信度，应该详细记录每一步的操作过程，并保留相关的日志文件和报告。

第三步：分析证据在收集完证据后，需要对其进行分析。

这包括对收集到的文件、日志、网络数据包等进行深入研究和解读，以找出与取证目标相关的信息。

在分析证据时，可以借助各种取证工具和技术，如数据恢复、关键字搜索、文件比对等。

分析证据的过程中，需要保持严谨和客观，确保结论的准确性和可靠性。

第四步：提取证据在分析证据的过程中，可能会发现一些与取证目标相关的信息。

这些信息需要被提取出来，以供后续的调查和审核。

提取证据的方式可以根据具体情况而定，可以是复制到外部存储设备，也可以是生成报告和摘要。

无论采用何种方式，都需要确保提取的证据完整、可靠，并且符合法律和法规的要求。

第五步：制作取证报告制作取证报告是计算机取证的最后一步。

取证报告是对整个取证过程的总结和归纳，需要清晰、详细地记录取证的目标、过程、结果和结论。

取证报告应该包括所有的关键信息和证据，以便于后续的调查和审查。

同时，取证报告还应该遵循相关的法律和法规要求，确保其合法性和有效性。

计算机取证的主要步骤包括确定取证目标、收集证据、分析证据、提取证据和制作取证报告。

这些步骤需要有专业的技术和方法支持，并且需要严格遵循法律和法规的要求。

计算机取证与分析步骤1、关闭计算机2、记录（拍照）嫌疑计算机硬件配置与状态3、将嫌疑计算机转移至安全地点4、对硬盘或软盘做位对位获取5、对存储介质中的数据做验证6、记录系统日期和时间7、确定关键字符清单8、分析Windows Swap交换文件9、分析文件残留区File Slack10、分析未分配空间11、在文件、文件残留区、未分配空间中搜索关键字符12、记录文件名、日期、时间13、Computer Evidence Processing StepsNTI conducts hands-on computer forensics training courses which expose computer professionals to the many hazzards and risks associated with computer evidence processing and computer security. NTI's computer forensics training courses designed to drive home several important points, i.e., computer evidence is fragile by its very nature and the problem is compounded by the potential for destructive programs and hidden data.Even the normal operation of the computer can destroy computer evidence that might be lurking in temporary operating system files, temporary application working files and ambient data storage areas. NTI provides its training clients with a solid foundation built upon technical knowledge so that they will understand the technical issues concerning the creation, modification and storage of computer data. Without this knowledge they will be unable to testify about their computer forensic findings. NTI also wants its clients to have a complete understanding of the technical issues so that they can make the right decisions about computer security risk management and computer evidence processing issues. It is not enough to run a computer forensics program and get results. Good decisions are made by knowledgable individuals who understand the underlying tec hnical issues tied to the potential security risks and evidence processing issues tied to personal computers.There are no strict rules that must be followed concerning the processing of computer evidence. Every case is different and flexibility and good technical knowledge make the difference between success and failure. However, many times decisions need to be made without full the knowledge of the issues involved. For that reason NTI has provided the following guidelines which are intended to assist its clients. Please remember that these guidelines do not represent 'the only true way'. They are intended to be general guidelines which are provided as food for thought. If you have an emergency and you are not yet formally trained, click here for emergency guidelines.General evidence processing guidelines follow:1. Shut Down the ComputerDepending upon the computer operating system involved, this usually involves pulling the plug or shutting down a net work computer using relevant operating system commands. At the option of the computer specialists, pictures of the screen image can be taken using a camera. However, consideration should be given to possible destructive processes that may be operating in the background. These can be resident in memory or available through a modem or network connection. Depending upon the operating system involved, a time delayed password protected screen saver may potentially kick in at any moment. This can complicate the shutdown of the computer. Generally, time is of the essence and the computer system should be shut down or powered down as quickly as possible.2. Document the Hardware Configuration of The SystemIt is assumed that the computer system will be moved to a secure location where a proper chain of custody can be maintained and the processing of evidence can begin. Before dismantling the computer, it is important that pictures are taken of the computer from all angles to document the system hardware components and how they are connected. Labeling each wire is also important so that the original computer configuration can be restored. Computer evidence should ideally be processed in a computer hardware environment that is identical to the original hardware configuration.3. Transport the Computer System to A Secure LocationThis may seem basic but all too often seized evidence computers are stored in less than secure locations. It is imperative that the subject computer is treated as evidence and it should be stored out of reach of curious computer users. All too often, individuals operate seized computers without knowing that they are destroying potential computer evidence and the chain of custody. Furthermore, a seized computer left unintended can easily be compromised. Evidence can be planted on it and crucial evidence can be intentionally destroyed. A lack of a proper chain of custody can 'make the day' for a savvy defense attorney. Lacking a proper chain of custody, how can you say that relevant evidence was not planted on the computer after the seizure? The answer is that you cannot. Do not leave the computer unattended unless it is locked in a secure location! NTI provides a program named Seized to law enforcement computer specialists free of charge. It is also made available to NTI's business and government in various suites of software that are available for purchase. The program is simple but very effective in locking the seized computer and warning the computer operator that the computer contains evidence and should not be operated. Click here for information about NTI's software suites or click here for the law enforcement order form.4. Make Bit Stream Backups of Hard Disks and Floppy DisksThe computer should not be operated and computer evidence should not be processed until bit stream backups have been made of all hard disk drives and floppy disks. All evidence processingshould be done on a restored copy of the bit stream backup rather than on the original computer. The original evidence should be left untouched unless compelling circumstances exist. Preservation of computer evidence is vitally important. It is fragile and can easily be altered or destroyed. Often such alteration or destruction of data is irreversible. Bit stream backups are much like an insurance policy and they are essential for any serious computer evidence processing. More information about bit stream backups has been provided on this site. Click here for the article about making bit stream backups. In March 2000, NTI purchased SafeBack software from Sydex, Inc. This is a very popular bit stream backup tool that has become an international standard since 1991. NTI covers the use of this software in its computer forensics training courses.5. Mathematically Authenticate Data on All Storage DevicesY ou want to be able to prove that you did not alter any of the evidence after the computer came into your possession. Such proof will help you rebut allegations that you changed or altered the original evidence. Since 1989, law enforcement and military agencies have used a 32 bit mathematical process to do the authentication process. Mathematically, a 32 bit data validation is accurate to approximately one in 4.3 billion. However, given the speed of today's computers and the vast amount of storage capacity on today's computer hard disk drives, this level of accuracy is no longer accurate enough. A 32 bit CRC can easily be compromised. Therefore, NTI includes two programs in its forensic suites of tools that mathematically authenticate data with a high level of accuracy. Large hashing number, provides a mathematical level of accuracy that is beyond question. These programs are used to authenticate data at both a physical level and a logical level. The programs are called CrcMD5 and DiskSig Pro. The latter program was specifically designed to validate a restored bit stream backup and it is made available free of charge to law enforcement computer specialists as part of NTI's Free Law Enforcement Suite. The programs are also included in our various suites of forensic software which are sold NTI's clients.6. Document the System Date and TimeThe dates and times associated with computer files can be extremely important from an evidence standpoint. However, the accuracy of the dates and times is just as important. If the system clock is one hour slow because of daylight-saving time, then file time stamps will also reflect the wrong time. To adjust for these inaccuracies, documenting the system date and time settings at the time the computer is taken into evidence is essential. NTI has created a program called GetTime which is used for this purpose. It is included in the NTI various suite of tools.7. Make a List of Key Search WordsBecause modern hard disk drives are so voluminous, it is all but impossible for a computer specialist to manually view and evaluate every file on a computer hard disk drive. Therefore, state-of-the-art automated forensic text search tools are needed to help find the relevant evidence. One such tool is NTI's TextSearch NT which is certified for use by the U. S. Department of Defense. Usually, some information is known about the allegations in the case, the computer user and the alleged associates that may be involved. Gathering information from individuals familiar with the case to help compile a list of relevant key words is important. Such key words can be used in the search all computer hard disk drives and floppy diskettes using automated software. Keeping the list as short as possible is important and you should avoid using common words orwords that make up part of other words. In such cases, the words should be surrounded with spaces. Intelligent filtering tools can also be helpful in crafting lists of key words for use in computer evidence processing, e.g., NTA Stealth, Filter_N, FNames, Filter_G, GExtract and GetHTML.8. Evaluate the Windows Swap FileThe Windows swap file is potentially a valuable source of evidence and leads. The evaluation of the swap file can be automated with several of NTI's forensic tools, e.g., NTA Stealth, Filter_N, FNames, Filter_G, GExtract and GetHTML. These intelligent filters automatically identifies patterns of English language text, phone numbers, social security numbers, credit card numbers, Internet E-Mail addresses, Internet web addresses and names of people.In the past this tedious task of analyzing Windows swap files was done with hex editors and the process took days to evaluate just one Windows swap file. By using automated tools, that process now takes just a few minutes. When Windows 95/98 is involved, the swap file may be set to be dynamically created as the computer is operated. This is the default setting and when the computer is turned off, the swap file is erased. However, not all is lost because the content of the swap file can easily be captured and evaluated by NTI's GetFree program. This program automatically captures erased file space and creates a file that can be evaluated by NTI's various intelligent filter programs mentioned above.The NTA Stealth program relies upon artificial intelligence fuzzy logic to identify patterns of text associated with past Internet activities. This program is used by probation and parole officers to montior the computer and Internet activity of convicted sex offenders. It is also used in corporations to identify inappropriate uses of computers in the workplace and it is used in law enforcement and military agencies.The output from NTA Stealth, Filter_N, FNames, Filter_G, GExtract and GetHTML. can be successfully used to identify 'unknown key words' that can supplement the key word list created in the step above. The automated review of the Windows swap file takes just a few minutes with these automated tools. A manual review of the Windows swap file can take days or even weeks if the process is done manually using programs like the Norton utilities.9. Evaluate File SlackFile slack is a data storage area of which most computer users are unaware. It is a source of significant 'security leakage' and consists of raw memory dumps that occur during the work session as files are closed. The data dumped from memory ends up being stored at the end of allocated files, beyond the reach or the view of the computer user. Specialized forensic tools are required to view and evaluate file slack and it can prove to provide a wealth of information and investigative leads. Like the Windows swap file, this source of ambient data can help provide relevant key words and leads that may have previously been unknown.On a well used hard disk drive, as much as 900 million bytes of storage space may be occupied by file slack. File slack should be evaluated for relevant key words to supplement the keywords identified in the steps above. Such keywords should be added to the computer investigator's list ofkey words for use later. Because of the nature of file slack, specialized and automated forensic tools are required for evaluation. NTI has created a forensic utility called GetSlack that captures file slack from hard disk drives and floppy disks. The output from the GetSlack program can be evaluated in the same fashion as a Windows swap file using the intelligent filter programs listed above. File slack is typically a good source of Internet leads.10. Evaluate Unallocated Space (Erased Files)The DOS and Windows 'delete' function does not completely erase file names or file content. Many computer users are unaware the storage space associated with such files merely becomes unallocated and available to be overwritten with new files. Unallocated space is a source of significant 'security leakage' and it potentially contains erased files and file slack associated with the erased files. Often the DOS Undelete program can be used to restore the previously erased files. Like the Windows swap file and file slack, this source of ambient data can help provide relevant key words and leads that may have previously been unknown to the computer investigator. On a well used hard disk drive, millions of bytes of storage space may contain data associated with previously erased files. Unallocated space should be evaluated for relevant key words to supplement the keywords identified in the steps above. Such keywords should be added to the computer investigator's list of key words for use in the next processing step. Because of the nature of data contained in unallocated space and its volume, specialized and automated forensic tools are required for evaluation. NTI has created a forensic utility called GetFree that quickly captures all unallocated space from hard disk drives and floppy disks. The output from the GetFree program can be evaluated in the same fashion as the other types of ambient data mentioned previously using intelligent filter programs. Unallocated space is typically a good source of data that was previously associated with word processing temporary files and other temporary files created by various computer applications. It is also a good source of leads concerning graphics files that have been viewed over the Internet and NTI's GExtract software can be used very effectively to identify these graphic file remnants left behind in unallocated storage space.11. Search Files, File Slack and Unallocated Space for Key WordsThe list of relevant key words identified in the previous steps should be used to search all relevant computer hard disk drives and floppy diskettes. There are several forensic text search utilities available in the marketplace. NTI's forensic search TextSearch NT can be used for that purpose and it has been tested and certified for accuracy by the U. S. Department of Defense. This powerful search tool is also included as part of NTI's suites of software tools. It was designed to be a state-of-the-art search tool for use as a security review tool by U. S. government intelligence agencies. This program and other NTI forensic tools also provide significant benefits in cases involving computer related evidence. For this reason and to help stretch limited law enforcement budgets, NTI makes all of its forensic software tools and training available to law enforcement computer crime specialists for discounted prices.It is important to review the output of a forensic text search utility. When relevant evidence or leads are identified, the fact should be noted and the identified data should be documented. When new key words are identified in the searching process, then they should be added to the list and anew search should be conducted using the text search utility again with the updated search list. Text search utilities are also used, on a regular basis, in classified government agencies for security reviews. When evidence or unexpected findings are uncovered in government security reviews, they should also be documented and archived as potential evidence. NTI's TextSearch NT is certified by the U. S. Department of Defense and its little brother, TextSearch Plus has been used for years in classified U. S. government agencies to process evidence and to conduct computer security reviews.12. Document File Names, Dates and TimesFrom an evidence standpoint, file names, creation dates, last modified dates and times can be relevant. Therefore, it is important to catalog all allocated and 'erased' files. NTI includes a program called FileList Pro in its various suites of forensic tools. The FileList Pro program generates its output in the form of a database file. The file can be sorted based on the file name, file size, file content, creation date, last modified date and time. Such sorted information can provide a timeline of computer usage. When FileList Pro created databases can be combined from several computers in the same case and the sorted output can provide conspiratorial leads for further investigation. This powerful inventory tool is used to evaluate all Microsoft-based computer systems in computer related investigations.NTI also created another forensic documentation tool called NTIDOC. This program is used to take electronic snapshots of relevant computer files. The program automatically records the file name, time and date along with relevant file attributes. The output is in the form of a word processing compatible file that can be used to help document computer evidence issues tied to specific files.13. Identify File, Program and Storage AnomaliesEncrypted, compressed and graphic files store data in binary format. As a result, text data stored in these file formats cannot be identified by a text search program. Manual evaluation of these files is required and in the case of encrypted files, much work may be involved. NTI's TextSearch Plus program has built in features that automatically identify the most common compressed and graphic file formats. The use of this feature will help identify files that require detailed manual evaluation. Depending on the type of file involved, the contents should be viewed and evaluated for its potential as evidence.Reviewing the partitioning on seized hard disk drives is also important. The potential exists for hidden partitions and/or partitions formatted with other than a DOS compatible operating system. When this situation exists it is comparable to finding a hidden hard disk drive and volumes of data and potential evidence can be involved. The partitioning can be checked with any number of utilities including the DOS FDISK program or Partition Magic. When hidden partitions are found, they should be evaluated for evidence and their existence should be documented.If Windows is involved, it makes sense to evaluate the files contained in the Recycle Bin. The Recycle Bin is the repository of files selected for deletion by the computer user. The fac t that they have been selected for deletion may have some relevance from an evidentiary standpoint. Ifrelevant files are found, the issues involved should be documented throughly.14. Evaluate Program FunctionalityDepending on the application software involved, running programs to learn their purpose may be necessary. NTI's training courses make this point by exposing the students to computer applications that do more than the anticipated task. When destructive processes are discovered that are tied to relevant evidence, this can be used to prove willfulness. Such destructive processes can be tied to 'hot keys' or the execution of common operating commands tied to the operating system or applications. Before and after comparisons can be made using the FileList Pro program and/or mathematical authentication programs. All these tools are included in most of NTI's suites of forensic tools15. Document Y our FindingsAs indicated in the preceding steps, it is important to document your findings as issues are identified and as evidence is found. Documenting all of the software used in your forensic evaluation of the evidence including the version numbers of the programs used is also important. Be sure that you are legally licensed to use the forensic software. Software pirates do not stand up well under the riggers of a trial. Smart defense lawyers will usually question software licensing and you don't want to testify that you used unlicensed software in the processing of computer evidence. Technically, software piracy is a criminal violation of federal copyright laws.When appropriate, mention in your documentation that you are licensed to use the forensic software involved. With NTI's software, a trail of documentation is automatically created for the computer investigator and the name of the licensed user is listed in most output files. This feature aids in establishing who did the processing and the exact time and date when the processing was done. Screen prints of the operating software also help document the version of the software and how it was used to find and/or process the evidence.16. Retain Copies of Software UsedAs part of your documentation process, we recommend that a copy of the software used be included with the output of the forensic tool involved. Normally this is done on an archive Zip disk, Jazz disk or other external storage device, e.g. external hard disk drive. When this documentation methodology is followed, it eliminates confusion at trial time about which version of the software was used to create the output. Often it is necessary to duplicate forensic processing results during or before trial. Duplication of results can be difficult or impossible to achieve, if the software has been upgraded and the original version used was not retained. Please note that there is a high probability that you will encounter this problem because most commercial software is upgraded routinely but it may take years for a case to go to trial.。

实验一文件恢复FAT
在我的U盘新建一个图片imag0326.jpg，然后删除。

打开winhex，打开U盘根目录，找到文件imag0326.jpg，找到文件开头地址和结束地址。

找到文件开头地址
用计算器算出文件偏移地址，输入偏移地址，找到文件尾地址。

恢复文件。

回复出的文件。

实验结论
这次试验，我学会了用winhex恢复文件，但是当文件太大或U盘中文件太多时，恢复数据时可能会遇到一些意外的情况，导致不能恢复文件。

实验二内存取证
打开qq，输入一段聊天内容，发送。

打开winhex，打开内存。

找到qq相关内容，找到聊天内容所在区域。

恢复文件。

实验三IE取证用IE分析工具分析电脑中的IE浏览器的一些信息。

计算机犯罪案件证据收集提取的注意事项一、计算机犯罪的特点近年来，计算机犯罪呈现出了一些特点，主要表现在以下几个方面：1)高智商性：计算机是现代社会科学技术发展的产物，计算机犯罪则是一种高智商的犯罪，这种高智商体现在：①作案者多采用高科技犯罪手段。

②犯罪分子犯罪前都经过了精心的策划和预谋。

③犯罪主体都具有相当高的计算机知识，或者是计算机领域的拔尖人才，有一些还是从事计算机工作多年的骨干人员。

2)作案动机简单化：计算机犯罪中，大多数犯罪主体精心研制计算机病毒，破坏计算机信息系统，特别是计算机黑客，他们犯罪的目的很多时候并不是为了金钱，也不是为了权利，而是为了显示自己高超的计算机技术，他们认为这些病毒的传播就是他们成果的体现，通过这种方式来认可自己研究成果，其目的之简单有时令破案者都吃惊。

3)实施犯罪容易：只需要一根网线，就能够对整个世界实施犯罪。

这反映了网络犯罪特别容易实施，很多犯罪活动在网吧中就可以进行，如此方便的实施手段给计算机网络犯罪创造了孳生的环境。

从1996年以来，我国的计算机网络犯罪数量呈直线上升。

自动化的病毒生产机和木马生成器大大降低了计算机犯罪的门槛，让许多未成年人也能够容易的实施计算机犯罪。

4)教强的隐蔽性：计算机犯罪分子作案大都比较隐蔽，这种隐蔽性不但体现在犯罪行为本身，还体现在犯罪结果上。

计算机犯罪侵害的多是无形的目标，比如电子数据或信息，而这些东西一旦存入计算机，人的肉眼无法看到，况且这种犯罪一般很少留有痕迹，一般很难侦破。

5)巨大的危害性：计算机犯罪所造成的损失往往是巨大的，是其他犯罪所无法比拟的，2000年据美国“信息周研究社”发表的研究报告称，全球今年因电脑病毒造成的损失将高达150000亿美元。

二、计算机犯罪取证光有法律并不能完全解决问题，计算机犯罪隐蔽性极强，可以足不出户而对千里之外的目标实施犯罪活动，甚至进行跨过犯罪。

并且一般在实施犯罪活动前会先通过某个国家预先被“黑”掉的主机为跳板进行犯罪活动，这样更加增大破获犯罪活动的难度。

一、计算机取证的概念、步骤和相关的工具1、计算机取证的概念取证专家Reith Clint Mark认为：计算机取证（computer forensics）可以认为是“从计算机中收集和发现证据的技术和工具”[11]。

实际上，计算机取证就是对于存在于计算机及其相关设备中的证据进行获取、保存、分析和出示。

用于计算机取证的工具必须在计算机取证的任意一个步骤中具有特殊的功能，使得由于这一工具的使用保证了计算机取证工作能够顺利进行并获取到可以被作为证据使用的数据资料。

2、计算机取证的步骤.2.1 保护现场和现场勘查现场勘查是获取证据的第一步，主要是物理证据的获取。

这项工作可为下面的环节打下基础。

包括封存目标计算机系统并避免发生任何的数据破坏或病毒感染，绘制计算机犯罪现场图、网络拓扑图等，在移动或拆卸任何设备之前都要拍照存档，为今后模拟和还原犯罪现场提供直接依据。

在这一阶段使用的工具软件由现场自动绘图软件、检测和自动绘制网络拓扑图软件等组成。

2.2 获取证据证据的获取从本质上说就是从众多的未知和不确定性中找到确定性的东西。

这一步使用的工具一般是具有磁盘镜像、数据恢复、解密、网络数据捕获等功能的取证工具。

2.3 鉴定证据计算机证据的鉴定主要是解决证据的完整性验证和确定其是否符合可采用标准。

计算机取证工作的难点之一是证明取证人员所搜集到的证据没有被修改过。

而计算机获取的证据又恰恰具有易改变和易损毁的特点。

例如，腐蚀、强磁场的作用、人为的破坏等等都会造成原始证据的改变和消失。

所以，取证过程中应注重采取保护证据的措施。

在这一步骤中使用的取证工具包括含有时间戳、数字指纹和软件水印等功能的软件，主要用来确定证据数据的可靠性。

2.4 分析证据这是计算机取证的核心和关键。

证据分析的内容包括：分析计算机的类型、采用的操作系统，是否为多操作系统或有无隐藏的分区；有无可疑外设；有无远程控制、木马程序及当前计算机系统的网络环境。

注意分析过程的开机、关机过程，尽可能避免正在运行的进程数据丢失或存在的不可逆转的删除程序。

计算机取证技术应用(2) 计算机取证技术应用所谓计算机取证是指对计算机入侵、破坏及攻击等犯罪行为，依靠计算机硬软件技术，并遵循国家相关法律规范，对犯罪行为提取证据，并对其进行分析及保存。

从技术角度看，计算机取证可对入侵计算机的系统进行破解及扫描，对入侵的过程进行重建。

计算机取证也称之为电子取证、数字取证或计算机法医学，主要包括两个阶段，即获取数据、发现信息。

其中获取数据是指取证人员针对入侵现象，寻找相关的计算机硬件;而发现信息则是指从获取的数据中寻找相关的犯罪证据，该证据与传统的证据一样具有较高的可靠性及真实性。

计算机取证流程分为以下几个步骤：取证准备――现场勘查――数据分析――证据呈递四大步骤，每一步骤都有自己的特点。

如：数据分析是将与犯罪相关的事实数据相继找出来，与案件取得相关性。

2 分析计算机取证技术计算机取证技术主要分为蜜罐网络取证系统、数字图像边缘特性滤波取证系统、分布式自治型取证系统及自适应动态取证系统。

2.1 蜜罐网络取证系统从当前来看，蜜罐网络取证系统已受到很多计算机研究者的重视，并对其进行研究分析，通过布置安全的蜜网，就能够正确收集大量的攻击行为。

通过近几年的研究，一种主动的蜜罐系统被提出来，该系统能够自动生成一个供给目的的匹配对象，并对入侵的信息研究较为深入。

蜜罐取证系统结构中每一个蜜罐都是虚拟的，并配备有合法的外部的IP 地址，可看成一个独立的机器，对不同的操作系统进行模仿，并能够收集相关日志数据，最终实现日志与蜜罐的分离。

通过蜜罐系统可根据攻击者在蜜罐中的时间，获取更多有关攻击的信息，进而采取有效的防范措施，最终提升系统的安全性。

2.2 数字图像边缘特性滤波取证系统所谓的数字图像边缘特性滤波取证系统是指攻击者对图像的篡改，要想对图像进行正确的取证则需要对图像的篡改手段进行详细的掌握，最为主要的就是对图像的合成及润饰的检测。

对于图像的合成主要采用同态滤波放大人工的模糊边界，在一定频域中对图像的亮度进行压缩，并对图像的对比度进行增强，进而使得人工模糊操作中的模糊边界得到放大，提高取证的准确性。

简述计算机取证的步骤
计算机取证是指对涉嫌违法犯罪的计算机系统进行调查和取证，以获取证据，为案件破案提供帮助。

计算机取证主要包括以下步骤：
第一步：确定调查目标
确定调查的目标是计算机取证的第一步。

调查人员需要了解案件背景、案件涉及到的计算机系统及相关设备的情况等，从而对调查目标进行明确分析。

第二步：准备工作
在开始取证前，需要进行相关的准备工作。

调查人员需组建专业团队，分工明确，确定工作方式和工作规划。

同时，必须准备好取证工具和设备，保证证据获取的准确性和完整性。

第三步：收集证据
调查人员在获得授权后，开始收集证据。

收集证据的方式包括：在计算机系统中获取物理证据、从计算机存储设备中收集数据和信息、从互联网中获取数据和信息等。

第四步：分析证据
收集证据后，需要进行证据分析。

证据分析的目的是通过研究证据建立事件的时间线、确定人物的身份、确定事件的原因等等。

证据分析需要借助一些专业工具，如取证分析软件、数据恢复软件、加密解密工具等等。

第五步：制定报告
根据证据分析结果，调查人员需要制定详细的取证报告，报告内容应包括案件描述、证据收集方式、证据分析结果及结论等。

确保报告符合相关法律法规和取证标准，并符合证据认定的法律规定。

第六步：证据呈现
在取证分析工作完成后，可以将证据呈现给审查人员或法院。

为方便审查人员或法院理解，可以制定详细的展示报告和证据呈现手段。

综上所述，计算机取证是一项涉及多个专业领域的复杂工作。

只有具备专业技能的取证人员才能真正发挥取证工作的效果，同时根据相关法律法规规章及标准严谨实施取证工作。

专业资格取证实训实训题目：1. 个人简历2.名片3.计算机工程系电子小报4.工资报表5.我的大学生活实训步骤：1. 个人简历：首先制作好表格模式，然后把个人信息一一列出，再写出所希望从事的职业目标，把自己的所学课程以及特长科目罗列出来，再写出一些工作经历以及经验，最后写上自我评价就可以了。

2.名片：首先要从网上下载一个名片的模板，然后再根据自己的需要把模板图片进行处理，最后写上自己的姓名，学校专业以及电话就可以了。

3. 计算机工程系电子小报：通过使用WORD中的菜单功能把报纸分割出不同的几个板块，但是要做到简洁明了，漂亮整洁。

4. 工资报表：首先使用WORD表格，把工资表中的相关字段以及信息录入表格中，然后做一个柱状图，再做一些高级筛选工作即可。

5.我的大学生活：首先从自己的照片集中选择出一些比较有代表性的照片作为主体，在PowerPoint中进行一系列的制作，并根据自己的感受写下一些文字表达。

（1）机器语言（2）中央处理器（3）地址总线宽度（4）独立的声卡应安装在AGP插槽中（5）内存（6）投影仪（7）1024×768（8）实时响应突发事件（9）DRAM比SRAM 速度快、价格高（10）JPEG （11）文件传输协议（12）内存插槽（13）PCI插槽（14）http://www.ciif-expo.co （15）按网络的拓扑结构可分为星形网、环形网和圆形网等（16）200Mbps （17）192.168.3.56 （18）路由器（19）邮件服务器内存中的一块区域（20）保存在POP3服务器上（21）下达任务的国家机关（22）参考性标准（23）宏病毒会影响对文档的操作（24）稳定性（25）第一名（26）4 （27）2E（28）4D （29）采样频率（30）声音（31）信息的价值不会改变（32）压缩处理（33）比较（34）a.htm （35）压缩过程可逆，相对无损压缩其压缩比较高（36）在“任务管理器”中可以实现应用程序的切换（37）创建文件夹（38）快捷方式是对某种系统资源的链接（39）点击“后退”按钮返回上一次访问的资源（40）制表（41），（42）屏幕上能有多个应用程序窗口，但只有一个是活动窗口（43）Ctrl+Alt+Delete （44）是文档内容的一部分，打印文档时会被打印出来（45）Shift（46）分栏数（47）指定格式（48）=Sum(LEFT)（49） A （50）在“格式”菜单下的“段落”选项中使用孤行控制（51）降序排列（52）9 （53） A （54）B（55）0 （56）靠左（57）求出A1～A10单元格数组中的最小值（58）图形中出现一个闪烁的竖线（59）排练计时（60）蛇形排列（61）B （62）第5张幻灯片与第6张幻灯片互相交换位置（63）Tab（64）不能恢复（65）Count和Group By （66）节能存储量（67）多1/100 （68）600 （69）r1≤r2（70）17．6 % （71）Printer （72）server （73）Files （74）document （75）record实训总结：通过此次实训，使我对word有了进一步的了解和认识，在操作方面有了很大进步，针对一些不经常使用的工具也有了很多了解。

关于计算机取证的步骤计算机取证是指通过采集、分析、保全和呈现电子数据的过程，以用于调查犯罪案件或其他法律诉讼。

这是一个复杂且耗时的过程，涉及多个步骤和技术。

以下是计算机取证的常见步骤：1.确定调查目的：在开始计算机取证的过程之前，必须明确调查的目的。

这可以是针对特定犯罪行为的调查，例如网络攻击，也可以是内部调查或电子数据管理的需要。

2.制定调查计划：制定一个详细的计划，明确取证的范围、时间线、资源需求和团队成员的职责。

这是确保调查取证过程顺利进行的重要步骤。

3.确认法律要求：在进行任何取证工作之前，了解和遵守与取证相关的法律要求至关重要。

这包括隐私法、数据保护法以及相关法律条文。

4.确定采集策略：根据调查目的和法律要求，确定适当的采集策略。

这可能包括现场取证、网络采集、数据恢复或在法庭证据保全令下的取证。

5.确认取证所需工具和设备：根据调查的类型，选择适当的取证工具和设备。

这可能包括计算机硬件和软件工具、取证工作站、存储介质和连接设备等。

6.开展取证工作：根据采集策略和计划，开始实际的取证工作。

这可能包括取证现场调查、数据采集、存储介质复制和数据恢复等。

7.数据分析和筛选：在采集到的数据中，进行数据分析和筛选，以确定与调查目的相关的证据。

这可能包括关键字、元数据分析和数据恢复等技术。

8.数据验证和完整性保证：对采集到的数据进行验证和完整性保证，确保数据的真实性、准确性和完整性。

这包括使用哈希算法、数字签名和时间戳等技术进行数据验证。

9.数据保全：对采集到的证据进行保全，以确保其不被篡改或丢失。

这可能包括数据备份、密封和签名等措施。

10.编制取证报告：根据调查目的和取证结果，编制详细的取证报告。

这包括收集到的证据、取证过程中遇到的问题、数据分析结果和相关的法律要求等。

11.出庭呈现：根据需要，将取证报告和相关证据出庭呈现给法庭。

这可能包括准备证人证词、呈现物证和进行技术解释等。

12.跟踪和补充调查：在完成初步取证之后，可能需要进行进一步的调查工作。