Day One (July 17-18)

Introduction: the key role played by electronic evidence in the July 18 hacking of the license-plate auction website

I. Overview of digital forensics

1. The legal status of digital forensics in Europe, the United States and other countries
2. The evolution of the legal status of digital forensics in China, with a typical case from each stage
1) Disputes over the validity of electronic evidence
Case study: the South China tiger case
2) Electronic evidence gains attention
Case study: the Panda Burning Incense (熊猫烧香) worm
3) Cases solved through electronic evidence
II. Hands-on practice of basic digital forensics techniques (Part One)

1. Data recovery theory
2. Interactive: hands-on practice of basic data recovery skills (please bring a USB flash drive)
3. The role of data recovery in the investigation process
4. Data recovery from hardware and RAID arrays
5. Basic principles of electronic scene preservation (explained in terms of data recovery theory)
III. Forms electronic evidence takes in corporate investigations

1. Types of electronic evidence, with application cases
1) Computers
2) Removable storage devices
3) Smartphones (a case solved by analysing a smartphone's call records)
4) Documents of all kinds (a case in which analysis of Office documents provided the key evidence)
2. Identifying and using electronic evidence at the scene
3. Two cases in which a flexible choice of which electronic evidence to analyse led to the case being solved
IV. Preserving electronic evidence at the electronic scene in corporate investigations

1. Basic theory of electronic evidence preservation
1) The basic preservation method: hashing
2) Preserving local data
3) Preserving remote data
4) Workarounds for special circumstances
2. Digital forensics: outsource it, or do it in-house? The advantages and disadvantages of each approach
3. Interactive: hands-on practice of electronic evidence preservation (hashing and a simulated scene exercise, giving participants a first-hand sense of how to protect a scene and of the mistakes commonly made)
4. Basic rules of digital forensics (distinct from the basic principles of electronic scene protection; the emphasis here is on principles such as reproducibility)
5. Scene preservation methods for different types of cases
1) Preserving static data with the system powered off
2) Preserving dynamic data with the system powered on
6. The various methods of electronic evidence preservation, their advantages and disadvantages, and when each applies
V. Hands-on practice of basic digital forensics techniques in corporate cases (Part Two)

1. Operating system analysis
2. Password cracking
Interactive: what is the best result that can be obtained under different circumstances?
3. Analysis of mobile devices
Day Two (July 18)

VI. Applying digital forensics in corporate cases

1. Applying data recovery techniques in cases, including one application case of special data recovery techniques
2. Using information obtained from operating system analysis in cases
1) Analysis of e-mail of all kinds
2) Registry analysis
3) Database analysis (particularly companies' internal logistics and information systems)
4) Others
3. Applying program analysis techniques in cases
1) Analysing malware
2) Protecting intellectual property
3) Identifying anomalous programs
4. Mobile device forensics
1) Extracting and recovering contacts, SMS messages and call logs
2) Acquiring and analysing other data on mobile devices
3) Analysing data produced by the various applications on mobile devices
5. Scientific methods of disaster assessment
6. Interactive: a comprehensive case
VII. Communication, limitations and solutions

1. How case investigators and technical specialists communicate
1) Communication, interaction and the choice of technical approach during initial examination (at the scene)
2) Communication when submitting items for examination
3) Communication in various special situations
4) How technical specialists should take part in questioning (interviews), and what to avoid
5) Communication skills for technical specialists taking part in scene examination
2. The limits of digital forensics theory, and how to make those limits work for you so that you obtain evidence more effectively
1) Theoretical limits of digital forensics techniques
2) Estimating the cost of the various digital forensics techniques in advance
3) Distinguishing costs even among similar techniques
4) Turning an unconstrained idea into a technical plan that can actually be carried out
3. Factors that determine an investigation plan
Before they have had any contact with digital forensics, most people tend to underrate the related technical work and cannot formulate requirements for it; once they understand digital forensics, and especially once they have used it to solve a case, they tend in later cases to exaggerate its role and make all kinds of unrealistic demands. How to prevent these two extreme tendencies, give investigators a correct understanding of digital forensics so that they can apply it appropriately, and estimate the cost of a case correctly: that is the problem this section sets out to solve.
VIII. Overview of the general digital forensics process

IX. Overview of network forensics, with cases

1. Overview of possible evidence sources in the enterprise network
2. Difficulties of network forensics and related legal issues
3. Overview of network data acquisition and analysis
1) Acquisition (packet capture, log extraction, etc.)
2) Methods for aggregating, correlating and analysing the acquired evidence
4. Typical network forensics cases

X. Analysis and discussion of updated implementing rules in the law relating to electronic evidence

XI. On-site Q&A and interactive session