LESSON 8 DIGITAL FORENSICS part VI

8.2.4 Making use of other sources
There are many other interesting ways of examining how a computer has been used. Nearly every application that gets run will record some additional data beyond the files that it directly takes in, or files that it puts out. This could include temporary files for processing, lists of last accessed files or the history of a web-browser.
Exercises:
1. What is browser cache? Find the location where your web browser stores its cache.
2. What are browser cookies? Find the location where your web browser stores its cookies.
3. Search for information about web browser cookies. What kinds of cookies are there and
what kind of information is stored in them?
4. Your computer uses temporary directories where it writes files by default for the user. This is
often known as Application Data. Find the temporary directories you have available on
your computer. While they may be called tmp or temp, often there are many more that you
don't know about. Try FIND on files written with today's date as a great way to find temporary
files. Do those files disappear when you reboot the computer?
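Exercise 4's "FIND on files written with today's date", as an added Python example that is not part of the lesson: it walks a directory tree and keeps the files whose modification time falls on a given calendar day, demonstrated on a constructed temporary tree (the `demo` helper and its file names are assumptions, not anything from the lesson).

```python
import os
import tempfile
import time
from datetime import date, datetime
from pathlib import Path


def files_modified_on(root, day=None):
    """Return relative paths under `root` whose mtime falls on `day` (default: today)."""
    day = day or date.today()
    root = Path(root)
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                mtime_day = datetime.fromtimestamp(path.stat().st_mtime).date()
            except OSError:
                continue  # file vanished or is unreadable; skip it rather than abort the walk
            if mtime_day == day:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def demo():
    """Build a constructed tree: one file written now, one backdated three days."""
    root = Path(tempfile.mkdtemp(prefix="forensics_demo_"))
    (root / "cache").mkdir()
    fresh = root / "cache" / "session.tmp"
    fresh.write_text("written today")
    old = root / "old.log"
    old.write_text("written days ago")
    three_days_ago = time.time() - 3 * 86400
    os.utime(old, (three_days_ago, three_days_ago))  # backdate atime and mtime
    return files_modified_on(root)


if __name__ == "__main__":
    # Point files_modified_on at a real cache or temp directory to try the exercise.
    print(demo())
```

On a real system, run `files_modified_on` against each temp or Application Data directory you located, then reboot and run it again to answer the last question.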

8.2.4 Making use of other resources

There are also other ways to examine how a computer has been used. Nearly every program that runs records information beyond the files it uses while running. This information includes temporary files created during execution, the files accessed most recently, and the browser's browsing history.

Exercises:

1. What is the browser cache? Find where the browser cache is stored on your computer.

2. What are browser cookies? Find where the browser on your computer stores cookies.

3. Search for information about browser cookies. What kinds of cookies are there, and what information does each kind store?

4. The computer creates temporary folders in which it records files for the user by default. These are also called Application Data. Find the temporary folders on your computer; they may be called "tmp" or "temp", and usually there are many more temporary folders on the computer that you don't know about. Try using the computer's file search to find files with today's date. When you restart the computer, do these files disappear?


8.3 Network Forensics
8.3.0 Introduction
Network forensics is used to find out where a computer is located and to prove whether a
particular file was sent from a particular computer. While network forensics can be very
complicated, we will cover some of the basics that can be applied to everyday life.
8.3.1 Firewall Logs
Who's connecting to me? The firewall is a utility which can choke connections between two
points in a network. Many types of firewalls exist. Regardless of the type and job of the
firewall, it is the firewall logs which give you the details. Only by using the logs can you find
patterns of attacks and abuse against your firewall.

8.3 Network Forensics (the earlier sections didn't use this translation, and I honestly didn't know how best to translate the term; looking it up today I found this one works better, so I'll use it from now on~~~

8.3.0 Introduction

Network forensics is used to find out where a computer is located and then to determine whether a certain computer is receiving a certain file. Because network forensics is very complicated, we will introduce a few basics that can be used in everyday life.

8.3.1 Firewall Logs

Who has connected to me? A firewall can block connections between two computers on a network. There are many kinds of firewalls; beyond their kinds and functions, it is the firewall logs that give you more detailed information. Only through the logs can you discover attacks against the firewall on your computer.


Exercises:
1. Visit the website http://www.dshield.org. This website takes firewall logs from all over the
world to find patterns of network attack attempts. This helps security professionals verify
whether the networks they are protecting are vulnerable to those particular attacks before
they happen. Read through the website and explain how that pie graph of the world is
made and what it means.
2. On the same website, read through the "Fight back" section and the response e-mails they
receive. Explain the purpose of this.
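The "patterns of attacks and abuse" that 8.3.1 says only the logs reveal, and the kind of aggregation DShield does over submitted logs, as an added Python example that is not from the lesson: it parses constructed netfilter-style DROP/ACCEPT lines (documentation addresses, not real traffic), counts drops per source and flags sources that probe many distinct ports. The log format, field names and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the iptables/netfilter syslog style (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:01:02 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar  3 10:01:03 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23
Mar  3 10:01:03 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
Mar  3 10:01:04 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
Mar  3 10:01:04 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar  3 10:02:10 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=445
Mar  3 10:02:11 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=445
Mar  3 10:05:00 gw kernel: ACCEPT IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP DPT=443
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
ACTION = re.compile(r"\b(DROP|ACCEPT|REJECT)\b")


def parse_line(line):
    """Return (action, fields) for one firewall record, or None for any other syslog line."""
    m = ACTION.search(line)
    if not m:
        return None
    return m.group(1), dict(FIELD.findall(line))


def summarize(text, scan_threshold=4):
    """Count dropped packets per source and flag sources hitting many distinct ports.

    A single source dropped on `scan_threshold` or more different destination
    ports is the classic port-scan signature; repeated drops on one port
    (203.0.113.9 below) show up in the counts but are not flagged as a scan.
    """
    drops = defaultdict(int)
    ports = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, f = parsed
        if action != "DROP" or "SRC" not in f:
            continue  # only blocked traffic with a source address is of interest here
        drops[f["SRC"]] += 1
        if "DPT" in f:
            ports[f["SRC"]].add(int(f["DPT"]))
    scanners = sorted(src for src, p in ports.items() if len(p) >= scan_threshold)
    return {"drops": dict(drops), "scanners": scanners}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```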

Exercises:

1. Visit http://www.dshield.org. This website receives firewall logs sent from all over the world and identifies network attack patterns. This can help security experts adjust their defenses to protect the network before an attack succeeds. Browse the site and explain how that pie chart of the world is made and what it means.

2. On the same website, read the "Fight back" section and the e-mails it receives. Explain the purpose of doing this.


8.3.2 Mail Headers
E-mails come with information of every computer they pass through to get to you. This is kept
in the headers. Sometimes even more information is in the headers. To view the headers
however is not always so simple. Various mail clients will all have different ways to view this.
The real trick to reading headers, though, is to know they are backwards. The top of the list is
you. Then it travels back with each line until the very last line is the computer or network that
the mail was sent from.
Exercises:
1. A great resource focused on network forensics for fighting SPAM is
http://www.samspade.org. Visit SamSpade.org and go to the section called "The Library".
Using this section you should be able to explain how to read e-mail headers. You should also
read about forged e-mail headers and e-mail abuse. Explain the various ways e-mail can be
used to cause harm.
2. Determine how to look at your e-mail headers in the e-mails you receive. Are there any
particular fields in those headers that seem foreign to you? Look them up. You should be
able to explain what each field means in that header.
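The "headers are backwards" rule above, as an added Python example that is not part of the lesson: it parses a constructed message (documentation hostnames and addresses, nothing real) with the standard `email` module, pulls the `from ... by ...` hosts out of each `Received:` line, and reverses them so the list reads in the order the mail actually travelled, origin first. The hop regex and the `origin` helper are assumptions.

```python
import re
from email import message_from_string

# Constructed sample message; each relay prepended its own Received: line,
# so the header as read top-down runs recipient -> origin.
RAW = """\
Received: from mx.example.org (mx.example.org [192.0.2.25])
\tby mail.recipient.example (Postfix) with ESMTP id 3F2A1
\tfor <alice@recipient.example>; Mon, 3 Mar 2008 10:15:02 +0000
Received: from smtp.sender.example (smtp.sender.example [198.51.100.4])
\tby mx.example.org with ESMTP; Mon, 3 Mar 2008 10:14:58 +0000
Received: from laptop.lan (unknown [203.0.113.77])
\tby smtp.sender.example with SMTP; Mon, 3 Mar 2008 10:14:50 +0000
From: bob@sender.example
To: alice@recipient.example
Subject: test

hello
"""

# "from <host> ... by <host>"; DOTALL because folded headers keep their line breaks.
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)


def received_hops(raw):
    """Return (from_host, by_host) pairs in travel order: origin first, you last."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    # Reverse the top-down (newest-first) order to get the path the mail took.
    return list(reversed(hops))


def origin(raw):
    """The host the mail was handed in from: the 'from' of the earliest hop.

    Only lines added by relays you trust are reliable; a sender can forge the
    earliest Received: lines, which is why the lesson points at forged headers.
    """
    hops = received_hops(raw)
    return hops[0][0] if hops else None


if __name__ == "__main__":
    for src, relay in received_hops(RAW):
        print(f"{src} -> {relay}")
```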

8.3.2 Mail Headers

An e-mail carries information about the computers that passed the message on to you. This information is contained in the mail headers. The headers sometimes contain even more information, and viewing them is not always simple. Different mail clients need different ways to view this information. The cleverest way to read headers is to understand that they are in reverse order. The head of these entries is your computer; from there the entries are followed one at a time, down to the very last one.

Exercises:

1. http://www.samspade.org contains many network forensics resources for fighting SPAM. Visit SamSpade.org and go to the "The Library" section; with what you learn there, you will be able to read e-mail headers. You should also read about forged e-mail and spam headers. Describe the various ways e-mail is used to attack computers.

2. Find out how to view the headers of the e-mails you receive. Is there any information in the header that is unfamiliar to you? Look it up. That way you will understand more deeply what each part of the header means.


Further Reading
The following links are in English.
http://www.honeynet.org/papers/forensics/
http://www.honeynet.org/misc/chall.html - Some forensic exercises.
http://www.porcupine.org/forensics/ - The classics
http://www.computerforensics.net/
http://www.guidancesoftware.com/corporate/whitepapers/index.shtm#EFE
http://www.forensicfocus.com/
http://www.securityfocus.com/infocus/1679
http://www.linuxsecurity.com/feature_stories/feature_story-139.html
http://www.linuxsecurity.com/feature_stories/feature_story-140.html
http://www.securityfocus.com/incidents
http://staff.washington.edu/dittrich/talks/blackhat/blackhat/forensics.html
http://www.openforensics.org/
http://fire.dmzs.com/
http://www.sleuthkit.org/
http://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm
