Research On Some Relevant Problems In Computer Forensics

Proceedings of the 2nd International Conference on Computer Science and Electronics Engineering (ICCSEE 2013)

Research On Some Relevant Problems in Computer Forensics

Yongquan Wang 1,2 and Henry C. Lee 2
1. Department of Information Science and Technology, East China University of Political Science and Law, Shanghai 201620, P. R. China. E-mail: wangyongquan@ecupl.edu.cn
2. The Henry C. Lee Institute of Forensic Science, University of New Haven, CT 06516, U. S. A. E-mail: hlee@newhaven.edu

Abstract—In order to effectively combat and control cybercrime, the crucial precondition is to study how to quickly and efficiently collect evidence that meets legal requirements. Starting from the features of computer forensics, and building on the thinking, theory and methods of traditional crime scene investigation, this paper analyses computer forensics and the problems involved in it, namely the law, the theory, the technology and the procedural rules, by combining law and technology. Finally, the future direction of computer forensics is presented. This will benefit judicial practice and the development of the theory and technology of computer forensics.

Keywords—computer forensics; black box; law; technology; procedure rule

I. INTRODUCTION

With the rapid development of information technologies and the wide use of computer networks, computer forensics has become an active research area because of increasing criminal activity in communication networks and information security.

According to the 30th Statistical Survey Report on Internet Development in China [1], as of 30 June 2012 the number of Internet users had reached 538 million, an Internet penetration rate of 39.9%. There has also been explosive growth in the number of blog users, from over 63 million on 31 December 2010 to more than 353 million, a growth rate of about 560.3%.
E-commerce activities such as online shopping, and network transactions such as online banking and online payment, have also expanded rapidly. Network applications such as instant messaging, search engines, business transactions, online music, online news, online video and microblogs have become the major interests of Internet users. There is therefore an increasing demand for Internet and network applications. In the USA, more than 90% of large enterprises and 80% of small and medium enterprises use the Internet for business transactions. Computers and networks have become an important part of social and economic life.

Computer and network crimes such as attacks by viruses or Trojans, network infringement disputes, network fraud, online pornography and gambling are getting worse because of the wide penetration of computers and the Internet, which leads to tremendous economic loss and increasingly prominent social problems.

In recent years, with the appearance and promotion of new technologies such as the Internet of Things, cloud computing and the convergence of the three networks (telecommunications, broadcasting and the Internet), computer network technologies are improving. At the same time, computer (cyber) crime presents new variants that are difficult to discover, capture, prove and control.

To resolve civil disputes or fight criminal activity in computer communication networks, we need adequate, reliable and convincing evidence. In computer-related crime cases the computer usually plays one of three roles: the target of hacking, the crime tool, or the storage of criminal information [2], and each case leaves a large amount of data in computers and their peripherals. It is vitally important to find the evidence in a crime case using relevant techniques and methods. Therefore research on computer forensics related to criminal activity in communication networks is receiving more and more attention in the interdisciplinary field of computer science and law. Currently, computer forensics has many definitions.
We argue that computer forensics is the process of finding evidence in computer systems to prove the existence of an objective fact, using computer-related technologies and approaches. Computer evidence refers to computer materials and their derivatives that can be used as evidence against criminal activity. It is related to electronic evidence, but the two are not equivalent. In most cases computer evidence differs from electronic evidence in extension: evidence from a mechanical, optical or biological computer can only be counted as electronic evidence with an equivalent function. Computer evidence also differs from electronic evidence in content. For example, the fixed telephone is a modern communication means built on semiconductor technology using analog electronics; the materials it records are electronic evidence but not computer evidence. Although computer evidence differs from electronic evidence in both the connotation and the extension of the concept, in practice we normally do not differentiate them; a standardisation approach can be followed to specify the complete or partial evidence type. This paper uses the term computer forensics and presents an in-depth analysis and exploration of criminal activity in communication networks based on the forensic tools or software being used.

Published by Atlantis Press, Paris, France. © the authors

In order to effectively combat and control computer crime or cybercrime, the crucial precondition is to study how to quickly and efficiently collect evidence that meets legal requirements. Starting from the features of computer forensics, and building on the thinking, theory and methods of traditional crime scene investigation, this paper analyses computer forensics and the problems involved in it, namely the law, the theory, the technology and the procedural rules, by combining law and technology. This will benefit judicial practice and the development of the theory and technology of computer forensics.

II. THE LEGAL ISSUES OF COMPUTER FORENSICS

The legal issues of computer forensics mainly concern three topics: computer crime and computer forensics; the subject and procedure of computer forensics; and electronic evidence.

A. Implications of Computer Crime and Computer Forensics

Computer crime refers to serious acts against society that endanger the order of the computer industry, violate the laws and regulations protecting computer software and information security systems, infringe the rights and interests of obligees, or otherwise pose a serious danger to society. It is usually a covert, cross-border act carried out by intelligent, anonymous criminals at low cost but with high loss to society. It involves a wide range of interests, and it is difficult for victims to start proceedings [3-5].

Computer forensics refers to the process of verifying, protecting, extracting and documenting electronic evidence in computers and related equipment; the evidence should be reliable, persuasive and sufficient to be accepted by the court.
Compared with traditional crime scene investigation and evidence, computer data is vulnerable to tampering, forgery and deletion. For electronic data to be collected as evidence, its probative force must be strengthened: throughout its generation, storage and delivery it must retain its originality, credibility and integrity, and the continuity of the evidence (its chain of custody) must be maintained, so that the court accepts it. To meet these requirements, the following points must be observed in the process of computer forensics:
(1) Do not analyse the original data directly; work on a verified copy.
(2) The software used for data analysis must be ensured to be safe and credible.
(3) The data must be hashed and digitally signed before analysis begins, so that any later change can be detected.
(4) The affected computers must be described in detail and documented, including the original state and surrounding environment of the computer system, the analysis methods, the specific operations performed, and the results of the analysis.
(5) The data must be backed up each time an analysis is completed.
(6) The evidence obtained must be preserved properly to prevent it from being damaged or altered, which would cause it to lose legal effect.
Common forensic technologies include monitoring technology for electronic evidence, physical evidence access technology, electronic evidence collection and preservation, electronic evidence handling and identification techniques, and electronic evidence examination and submission technology.

B. Problems of the Main Body of Computer Forensics and Procedure Law

Because of the high demands of electronic evidence collection techniques, the main body (the party conducting the forensics) needs to have some computer knowledge and to follow strict standards and procedures in the forensic process [6, 7]. In computer forensics we need to delegate to, or employ, a particular group of electronic or computer experts to assist in evidence collection.
In criminal proceedings, evidence given by an electronics or computer expert needs to be obtained under the guidance of the investigators or the network police.

As to the procedure of computer forensics, the obtaining of electronic evidence should follow the principles of fairness, voluntariness and truth, and the parties shall not trespass on a computer information system to obtain evidence. If the evidence is provided by a third party, the third party should attest that the evidence, as generated or received, has always been kept in its original state, and should voluntarily provide the digitally signed documents of evidence. Because it is difficult for the parties to obtain other evidence, the burden of proof in disputes arising from infringement shall be borne by the tortfeasor. There are many ways to obtain evidence, but they must be provided for in legislation, which grants the procedures and the authority to obtain electronic evidence. In particular, when requesting an item of evidence from an ISP, a professional network company or a data company, one should strictly abide by the confidentiality agreement and the terms of service signed with the customers, because it is not allowed to disclose users' personal information or to appropriate private materials and confidential information in the name of litigation needs. The collection, application and determination of electronic evidence should undergo a gradual process of improvement and standardisation, which depends to a large extent on the development and promotion of technology. Therefore legislation should advance flexibly rather than developing a large number of detailed terms. At the same time, we should note a harmful tendency: because electronic evidence is both invisible and fragile, harsh demands are made of it. It seems that all electronic evidence can only count as indirect evidence and that its credibility cannot be ensured unless it is in complete safety. This inclination should not be followed.
In fact, virtually any kind of evidence can be forged, altered or destroyed, and any traditional evidence faces the threat of loss and the difficulty of reproduction. With regard to the selection and recognition of evidence, each adjudicator applies the principle of free evaluation of evidence to a different degree, so the law should not set too many obstacles for judicial officials in judging the evidence.

C. Legal Issues of Electronic Evidence

Electronic evidence, also known as computer evidence, computer data evidence or (computer) documentary evidence, generally refers to evidence that, in the course of a computer crime, is physically stored within a computer system and proves the computer crime. Compared with traditional types of evidence it is accurate, fragile, perishable, concealed, complex, diverse and easy to diffuse. In addition, electronic evidence is rapid to collect, easy to store, takes up little space for a great capacity, and is convenient to transmit and transport; it can be reproduced, and its application and operation are simple.

Concerning the admissibility of electronic evidence, in common law the hearsay rule and the best evidence rule hinder its admission, but common law countries have established its qualification as evidence by extending the original meaning of those rules or by replacing the original-document requirement. Countries of the continental law system generally require original evidence to be provided; their provisions are relatively broad, and general principles recognise electronic evidence. The procedural laws of China hold that "all facts that prove the true circumstances of a case are evidence", and this general provision offers the space and the legal basis for the use of electronic evidence in litigation. Therefore, whether electronic evidence can be evidence is not very controversial in China.

We can also use a positive identification method to prove the probative force of electronic evidence, i.e. starting from the identification of the evidence itself or of the other side's evidence. Using the positive method, we review the following aspects to establish the probative force of electronic evidence: (1) the generation of the electronic evidence; (2) its storage; (3) its transmission; (4) its collection; (5) whether it has been deleted. The positive method proves the force of electronic evidence on the basis of the principles for identifying ordinary evidence.
However, because electronic evidence is vulnerable and easily altered, added to or deleted, often without detection, it is unrealistic to prove directly that the integrity of electronic evidence has not been affected by tampering, addition or excision. We must then use a presumption to ensure the integrity of electronic evidence. Of course, the defence can study the electronic evidence in a computer crime case and its rules of evidence in order to contest it.

As to the legal position of electronic evidence, this paper identifies it as an independent type of evidence, because it differs from audio-visual materials, from traditional documentary evidence and from mixed evidence.

To bring electronic evidence under audio-visual materials, we would need to expand the interpretation of audio-visual materials and break the boundaries of that category, which covers tapes, video tapes and so on. In addition, electronic evidence is expressed as binary data in a digital signal, which no other kind of evidence possesses. Finally, the position of audio-visual materials in the law of evidence is limited: at best they are a tool for confirming the parties' statements, other evidence, and so on. Therefore we believe that simply bringing electronic evidence under audio-visual materials will limit its effectiveness as evidence and is not conducive to establishing the facts of the case.

Electronic evidence should also not be included in traditional documentary evidence. First, long-term storage and safety are difficult for electronic evidence: electronic evidence in computers and networks may be exposed to viruses, hacker attacks and misuse, and may easily be damaged or eliminated, while traditional documentary evidence does not have these troubles. Secondly, electronic evidence cannot be read directly; its access and transmission depend on the support of a modern information technology service system.
Without appropriate IT equipment it is difficult to see the facts that the evidence reflects, and the extraction of electronic evidence is much more demanding than that of traditional documentary evidence. Finally, although the content recorded in traditional documentary evidence is also easy to change, and in judicial practice there have been many situations where parties changed or added to the contents of documentary evidence for their own interest, electronic evidence stored in a computer is even more convenient to correct, modify or supplement, and even encrypted data can possibly be decrypted.

Electronic evidence is different from mixed evidence. We believe the classification of mixed evidence is open to question. First, the information stored on a disk or CD-ROM does not prove the case through the objective existence, properties or external characteristics of the medium itself, so the disk or CD-ROM is not the evidence. Secondly, using a computer to simulate a crime in order to determine the possibility of a crime is not a record of inspection. Finally, the evidence from a computer and its testing system must be divided into two parts.

Because the standards and methods for reviewing electronic evidence differ from the traditional ones, the rules and methods for the collection, extraction, application and preservation of electronic evidence also differ from the traditional ones. Only by giving electronic evidence independent legal status can we provide effective protection for the sound and orderly development of the application of information technology to e-commerce.

III. THE TECHNICAL AND THEORETICAL QUESTIONS OF COMPUTER FORENSICS

In this part we investigate the technical methods and models, and then propose a computer forensic black box system model.

A. Technical Methods of Computer Forensics

Forensic technologies based on algorithms and software analysis.
(1) Cryptography.
In many cases computer forensics needs to deal with the problem of how to decrypt encrypted data. Currently there are a number of encryption and decryption algorithms and relevant tools. The cryptographic techniques and methods used in computer forensics mainly include:
① Cryptanalysis: this requires that the forensic expert have specialised knowledge in the field of cryptography. It is worth noting that the existing software tools are not practically applicable here; breaking a correctly implemented modern cipher without the key is infeasible, which is why forensic work normally targets the password or key instead.
② Password cracking techniques: these include password dictionaries, key guessing and brute-force techniques. Dictionary attacks are generally software based and a variety of dictionaries are available; many dictionary-based password cracking packages achieve a relatively high cracking rate. For example, AOPR is such a cracking tool dedicated to Office files.
③ Password search: this includes physical search of the environment around the computer, logical search of the documents in the computer system, and network eavesdropping on email messages and the network environment.
④ Password extraction: many Windows credentials are stored in the registry or other designated places. The account passwords themselves are held as hashes in the SAM hive rather than in plain text, but those hashes can be extracted from the registry files and then cracked or reused; some applications do store credentials in plain or weakly protected form in the registry.
⑤ Password recovery: using the password recovery mechanism, the password can be obtained from the system administrator.
(2) Data Mining Technology. Data mining is a decision support process, based mainly on artificial intelligence (AI), machine learning and statistical techniques, that performs highly automated analysis of massive amounts of data and inductive reasoning over it. In this way knowledge can be obtained to predict the behaviour trends of the analysed objects, which helps decision-makers or managers adjust strategies and make the right decisions. Data mining is highly valuable in analysing criminal behaviour: criminal patterns, trends and the associations among criminal behaviours can be found by designing high-quality data mining algorithms to analyse large amounts of historical criminal records stored in data warehouses and maintained in a consistent way. The knowledge obtained is of value to police and judicial departments.

Hardware-based forensics.
(1) Data Recovery Technology. Data recovery technology is primarily used to recover data from the suspects' deleted files and formatted disks.
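Before turning to data recovery, here is an added example (not from the paper) of the dictionary and brute-force password cracking described under item (1)② above. It assumes a credential stored as a hex SHA-256 of salt || password with a known salt, and uses a small constructed wordlist; the mangling rules and all names are my own.

```python
"""Dictionary and brute-force password cracking (added example, not from the paper).

Assumptions: the stored credential is a hex SHA-256 of salt || password with
a known salt, and the dictionary is the small constructed list below.  Real
tools use the same loop with far larger wordlists and GPU hashing; the hit
rate depends on the dictionary and mangling rules, not on the cipher.
"""
import hashlib
import itertools
from typing import Iterable, Iterator, Optional

# Constructed wordlist standing in for a dictionary file.
WORDLIST = ["password", "letmein", "forensics", "shanghai", "welcome"]

# Constructed salt; the "suspect" chose the password Forensics2013.
SALT = bytes.fromhex("c0ffee1234")


def hash_password(salt: bytes, password: str) -> str:
    """Hash scheme assumed for the demo: SHA-256 over salt || password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


TARGET = hash_password(SALT, "Forensics2013")


def mangle(word: str) -> Iterator[str]:
    """Mangling rules: case variants, each with common suffixes appended."""
    bases = {word, word.lower(), word.capitalize(), word.upper()}
    suffixes = ["", "1", "123", "2012", "2013", "!"]
    for base, suffix in itertools.product(sorted(bases), suffixes):
        yield base + suffix


def dictionary_attack(target: str, salt: bytes, words: Iterable[str]) -> Optional[dict]:
    """Try every mangled dictionary word; return the hit and attempt count, or None."""
    attempts = 0
    for word in words:
        for candidate in mangle(word):
            attempts += 1
            if hash_password(salt, candidate) == target:
                return {"password": candidate, "attempts": attempts}
    return None


def brute_force_digits(target: str, salt: bytes, length: int) -> Optional[str]:
    """Exhaustive search of digit-only passwords: 10**length candidates, so
    feasible for PINs but hopeless for long mixed-character passwords."""
    for digits in itertools.product("0123456789", repeat=length):
        candidate = "".join(digits)
        if hash_password(salt, candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    print(dictionary_attack(TARGET, SALT, WORDLIST))
    print(brute_force_digits(hash_password(SALT, "4471"), SALT, 4))
```

Two points the loop makes visible: a plain SHA-256 costs microseconds per guess, so a password-protected file or account that is hashed this way falls to a few dozen guesses when the password is a dictionary word with a year appended, whereas a slow key derivation function (PBKDF2, scrypt, Argon2) multiplies the cost of every guess and is what makes the "cracking rate" of such tools drop. The brute-force function shows the other limit: the search space is exponential in length, so exhaustive search is realistic only for short, low-entropy secrets such as PINs.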
Disk formatting (a quick format) only rewrites the file system metadata: it creates a new, blank index (allocation table or directory structure) whose entries point at unallocated data blocks, and data written before the format remains on the medium until it is overwritten. Likewise, deleting a file does not remove it from the disk but marks its directory entry and data blocks as free, so the data becomes invisible to normal read and write operations while still being present. Forensic software tools such as TCT (The Coroner's Toolkit) and EnCase recover such data by parsing the remaining file system structures and by carving files out of unallocated space by their known headers and footers. Recovery from physically damaged media (failed heads, scratched platters or optical discs) is a different discipline requiring laboratory hardware, and companies such as Ontrack and Ibas provide such data recovery services.
(2) Computer Forensics Chip Design. It is understood that among the computer forensics products in China, the "forensics machine" produced by the Computing Center of the Institute of High Energy Physics, Chinese Academy of Sciences, can detect the ways in which hackers intrude and produce analysis reports that can be used as legal evidence. In addition, the computer evidence detection box developed mainly by Xiamen Meiya Pico Information Co. Ltd., Xiamen, China, has functions such as evidence extraction, cracking, analysis and recovery. Many forensic tools are also available in other countries, notably TCT and EnCase. TCT can analyse the activities of a running machine in real time and capture the current state information. EnCase is a product recognised by the U.S. government for computer forensics. EnCase is an integrated forensics application with a Windows interface; its features include data browsing, search, disk browsing, creation of evidence files and saving of cases.
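The data recovery just described, as an added example that is not part of the paper and not the code of any tool it names: signature-based carving over a raw image, which is what recovers files once directory entries are gone. The disk image is constructed in memory; the JPEG and PNG signatures are the real ones, everything else (names, the 64 KiB window, the output naming) is my own choice.

```python
"""Signature-based file carving over a raw disk image.

Added example, not from the paper.  The image is constructed in memory:
filler bytes standing in for free space, with three files whose directory
entries are assumed to have been deleted or lost in a format.  Carving ignores
the file system entirely and recovers files from their known header and
footer byte signatures, which is what undelete and "recover from formatted
disk" tools fall back to once the metadata is gone.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Real header/footer signatures for JPEG and PNG.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 64 * 1024  # stop looking for a footer beyond this many bytes


@dataclass
class CarvedFile:
    kind: str
    offset: int
    data: bytes
    complete: bool  # False when no footer was found: tail overwritten or truncated


def carve(image: bytes, max_size: int = MAX_CARVE) -> List[CarvedFile]:
    """Scan for every header; cut to the next matching footer within the window."""
    found: List[CarvedFile] = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            if end == -1:
                # Header without footer: keep the window as a partial file rather than lose it.
                found.append(CarvedFile(kind, start, image[start:limit], False))
                pos = start + len(header)
            else:
                end += len(footer)
                found.append(CarvedFile(kind, start, image[start:end], True))
                pos = end
    found.sort(key=lambda f: f.offset)
    return found


def save_carved(files: List[CarvedFile], outdir: Path) -> List[Path]:
    """Write each carved file as <offset>.<kind>, so the report can cite where it came from."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for f in files:
        path = outdir / f"{f.offset:08x}.{f.kind}{'' if f.complete else '.partial'}"
        path.write_bytes(f.data)
        paths.append(path)
    return paths


def build_demo_image() -> bytes:
    """Constructed image: free space that contains no signature, with three buried files."""
    filler = bytes(range(256)) * 2
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF demo payload" * 3 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR demo chunk" + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"photo whose tail was overwritten"
    return filler + jpeg + filler + png + filler + truncated + filler


if __name__ == "__main__":
    for f in carve(build_demo_image()):
        print(f.kind, hex(f.offset), len(f.data), "complete" if f.complete else "partial")
```

The third file is the case a practitioner has to plan for: its data blocks were partly reused, so there is no footer, and the carver must decide between discarding the fragment and keeping a bounded window marked as partial. Real carvers also handle fragmented files and false-positive headers in random data; neither is attempted here.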
Among existing computer forensics tools, hardware-based products focus mainly on "forensic hard disk interfaces and data erasure", "hard disk data cloning" and "network monitoring", whereas software products focus mainly on "file content browsing (text and images)", "keyword text search", "undelete" and "drive imaging (copying the full storage space bit by bit)". Currently there are no uniform standards and specifications that forensic tools can follow in the investigation of computer and network related crime, so it is hard for users to compare the effectiveness and reliability of these tools. To this end, Brian Carrier proposed the use of open source tools to ensure the reliability of forensic tools [8]. Although reliability can be improved through the testing work contributed by many researchers, the ownership of and interests in these tools still have to be reflected.

Forensics based on tightly coupled hardware and software.
(1) Post-Event Static Analysis. Regardless of the role the computer plays in the crime ("hacker target", "crime tool" or "criminal information storage"), a large amount of crime-related data will be left in the computer and its peripheral equipment. This data can be obtained through static analysis (static computer forensics, which is also what is usually meant by computer forensics) to be used as evidence in litigation. The nature of static analysis is that it treats the computer as a crime scene, analyses the criminal behaviour in network communications by forensic dissection, and conducts a detailed analysis of the data stored on the various computing media. In this way the important data and reports associated with the facts can be obtained.
Post-event static analysis includes two stages: "physical evidence acquisition" and "information discovery". The former is the process in which investigators search for relevant computer hardware at the scene of a computer crime or intrusion and keep it for investigation. The latter searches the original data, including files and logs, for evidence that supports or refutes the associated facts. Like other evidence, computer evidence or electronic evidence must be true, reliable and complete, and must comply with the relevant laws, regulations and judicial procedures. It should be pointed out that physical evidence acquisition is the basis of the whole forensic process; when obtaining physical evidence the most important thing is to ensure that the evidence is original and undamaged. It is extremely difficult to find all the relevant data, because evidence of a computer crime may exist in the system log, data files, hidden files, registers, swap space, user process memory, the stack, file buffers, the file system itself, free disk space, the printer buffer, network data buffers and counter locations. Trade-offs therefore have to be made through thorough analysis and judgement. In static computer forensics, information discovery follows the acquisition of physical evidence. Computer crime cases have different requirements for information discovery: some cases only need key documents, pictures or email messages, while others need the details of what happened to be reproduced. Unless there are special needs, information discovery normally starts by making a physical (bit-for-bit) copy of the original data in order to protect the original. Typically, forensic experts also compute a digest of the original evidence with the MD5 algorithm and keep the evidence and the digest in a safe place. Since MD5 collisions can now be constructed, a stronger hash such as SHA-256 should be recorded alongside it. Considering that files containing evidence of a crime may have been deleted, data recovery is needed to recover key files, communication records and other clues; this process also facilitates the acquisition of file attributes and document processing.
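The copy-and-digest step just described, and the six handling rules of Section II.A (analyse only a copy, hash before analysis, back up, preserve), as one added example that is not part of the paper: hash the original, take a working copy, verify it, and re-verify later against an append-only custody log. The sample image and paths are constructed in a temporary directory and the log format is my own; the hash-then-copy-then-verify workflow itself is standard practice.

```python
"""Evidence image handling: hash, copy, verify, custody log.

Added example, not from the paper.  It implements the checklist in Section
II.A and the copy-and-digest step of Section III.A: never analyse the
original; hash it before any work; analyse a verified working copy; re-verify
afterwards; keep an append-only custody log.  The sample image and all paths
are constructed in a temporary directory, and the JSON-lines log format is my
own; the hash-then-copy-then-verify workflow itself is standard practice.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List

# MD5 kept for compatibility with older reports; SHA-256 is the authoritative value.
ALGORITHMS = ("md5", "sha256")


def digest_file(path: Path, chunk: int = 1 << 20) -> Dict[str, str]:
    """Stream the file once and compute every configured digest."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    with path.open("rb") as fh:
        while block := fh.read(chunk):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


class CustodyLog:
    """Append-only JSON-lines record of every action taken on the evidence."""

    def __init__(self, path: Path):
        self.path = path

    def record(self, action: str, **fields) -> None:
        entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "action": action, **fields}
        with self.path.open("a") as fh:
            fh.write(json.dumps(entry) + "\n")

    def entries(self) -> List[dict]:
        return [json.loads(line) for line in self.path.read_text().splitlines()]


def acquire_working_copy(original: Path, workdir: Path, log: CustodyLog) -> Path:
    """Hash the original first, copy it, and refuse the copy unless the hashes match."""
    original_hashes = digest_file(original)
    log.record("hash_original", file=str(original), **original_hashes)
    copy = workdir / (original.name + ".working")
    shutil.copyfile(original, copy)
    if digest_file(copy) != original_hashes:
        raise RuntimeError("working copy does not match original")
    log.record("copy_verified", file=str(copy), **original_hashes)
    return copy


def verify_unchanged(path: Path, log: CustodyLog) -> bool:
    """Re-hash a file and compare against the digest logged when it was acquired."""
    recorded = next(e for e in log.entries()
                    if e["file"] == str(path) and e["action"] in ("hash_original", "copy_verified"))
    current = digest_file(path)
    ok = all(current[a] == recorded[a] for a in ALGORITHMS)
    log.record("verify", file=str(path), result="ok" if ok else "MISMATCH", **current)
    return ok


def demo() -> Dict[str, object]:
    """Constructed walk-through: acquire, verify, tamper with the copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        original = workdir / "suspect_disk.dd"
        original.write_bytes(bytes(range(256)) * 64)  # stand-in for a disk image
        log = CustodyLog(workdir / "custody.jsonl")
        copy = acquire_working_copy(original, workdir, log)
        copy_before = verify_unchanged(copy, log)
        with copy.open("r+b") as fh:               # an accidental write during analysis
            fh.seek(100)
            fh.write(b"\x00")
        copy_after = verify_unchanged(copy, log)
        original_ok = verify_unchanged(original, log)
        return {"copy_before": copy_before, "copy_after": copy_after,
                "original_intact": original_ok, "log_entries": len(log.entries())}


if __name__ == "__main__":
    print(demo())
```

In a real acquisition the original would sit behind a hardware write blocker and the signed digest would be witnessed; the program only shows the verification logic. Note that a single changed byte in the working copy is caught while the original still verifies, which is the whole reason rule (1) forbids analysing the original directly.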
After data is recovered, forensic experts should carefully run keyword queries, analyse file attributes and digital digests, search system logs, decrypt documents and examine the Windows swap space. The results of information discovery depend largely on the forensic expert's experience and judgement, because of the lack of tools for comprehensive data analysis. This requires that qualified forensic personnel have a profound understanding of information systems, with expertise in computer architecture, operating systems, distributed computing, database theory and applications, and network architecture and protocols. In this way forensic experts can produce comprehensive reports based on the results of information discovery, which become an important basis for action against crime.
(2) Pre-Event Prediction and Dynamic Detection. With the popularity and penetration of network applications, static analysis, which is mainly used for standalone computer forensics, cannot detect and acquire evidence in real time for the growing number of cyber crimes. To reduce the shortcomings of passive firewall and intrusion detection technologies, forensics can be conducted by the pre-event prediction and dynamic detection method referred to as dynamic computer forensics (DCF). DCF incorporates forensic technology into firewall systems, intrusion detection systems and honeypots to dynamically detect possible computer crimes in communication networks, capture data in real time and analyse the intentions of intruders. DCF takes effective measures to cut off network connections or to induce intruders to reveal more information. In this way as much data as possible can be obtained and analysed while the system keeps running safely, so DCF can produce more complete and truthful evidence than after-the-fact analysis alone.
At the same time it can analyse the means and motivation of the crime to support correct decisions, which triggers the relevant firewall and detection systems to act on intrusions. This facilitates interaction between computer forensics, firewalls and detection systems. Through changes to the system's own structure and backup strategies, all aspects of the communication network can be protected, leading to an integrated security infrastructure. DCF can record the working status of the system, especially the whole process of a hacker intrusion; it can capture and analyse intrusion behaviour, from which self-defence strategies can be generated. DCF mainly involves the stages of data acquisition, data analysis, preservation of evidence and evidence submission, described in detail as follows [9].
① Data Acquisition: the volume of data in the acquisition phase is very large and the data is updated continuously (e.g. millions of event records may be generated on a Web server every day). The data includes system logs; firewall, FTP, WWW and anti-virus logs; system audit records; network traffic monitoring; the hidden or temporary files of the operating system (such as Windows) and of databases; database operation records; hard drive swap, slack space and free buffers; software configuration data; script files; Web browser caches; e-mail; real-time chat records; bookmarks, history records and session logs. For the acquisition of this massive data, network data can be obtained via dedicated hardware. The core idea is to set the network card to promiscuous mode in order to monitor the data passing through the network segment. The header of every packet received is parsed and matched against rules; matched packets are stored in network data files and unmatched packets are discarded. In general, network data files are stored in a binary format, split by time interval, for subsequent analysis.
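The acquisition loop just described (parse every header, match against rules, keep hits in time-bucketed binary files, drop the rest), as an added example that is not from the paper or from any product it mentions. Frames are constructed in memory instead of being read from a NIC in promiscuous mode, the rule syntax is my own, and the output is the standard libpcap file format so the buckets can be opened with Wireshark or tcpdump.

```python
"""Promiscuous-capture style packet filter with time-bucketed binary output.

Added example, not from the paper.  It mirrors the acquisition step above:
each received frame's headers are parsed and matched against rules, hits are
appended to a capture file named after the time interval they fall in, and
misses are dropped.  Frames are constructed in memory rather than read from a
NIC in promiscuous mode (that needs a raw socket such as AF_PACKET on Linux
and root); the output is the standard libpcap file format so it opens in
Wireshark or tcpdump.  The rule syntax is my own.
"""
import socket
import struct
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

ETH_IPV4, PROTO_TCP = 0x0800, 6
PCAP_MAGIC = 0xA1B2C3D4


def parse_frame(raw: bytes) -> Optional[Dict]:
    """Ethernet II -> IPv4 -> TCP header fields; None for anything else."""
    if len(raw) < 34 or struct.unpack("!H", raw[12:14])[0] != ETH_IPV4:
        return None
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    hdr = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "proto": ip[9], "sport": None, "dport": None}
    if hdr["proto"] == PROTO_TCP and len(ip) >= ihl + 4:
        hdr["sport"], hdr["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return hdr


def matches(rule: Dict, hdr: Dict) -> bool:
    """A rule matches when every field it names equals the parsed value."""
    return all(hdr.get(k) == v for k, v in rule.items())


def build_tcp_frame(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed test frame: Ethernet II + minimal IPv4 + minimal TCP SYN (checksums zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def pcap_record(ts: float, frame: bytes) -> bytes:
    """libpcap record header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame."""
    sec = int(ts)
    return struct.pack("<IIII", sec, int((ts - sec) * 1_000_000), len(frame), len(frame)) + frame


def capture(frames: List[Tuple[float, bytes]], rules: List[Dict], outdir: Path,
            interval: int = 60) -> Dict[str, int]:
    """Filter frames; write hits to <outdir>/capture_<bucket>.pcap, one file per interval."""
    counts: Dict[str, int] = {}
    for ts, raw in frames:
        hdr = parse_frame(raw)
        if hdr is None or not any(matches(r, hdr) for r in rules):
            continue                                   # unmatched data is discarded
        name = f"capture_{int(ts) // interval * interval}.pcap"
        path = outdir / name
        if not path.exists():                          # libpcap global header: v2.4, Ethernet link type
            path.write_bytes(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
        with path.open("ab") as fh:
            fh.write(pcap_record(ts, raw))
        counts[name] = counts.get(name, 0) + 1
    return counts


def read_pcap(path: Path) -> List[Tuple[float, bytes]]:
    """Read a capture back (used to verify what was written)."""
    data = path.read_bytes()
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        records.append((sec + usec / 1e6, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return records


def demo() -> Dict[str, Dict[str, int]]:
    """Constructed traffic; rules select web traffic or anything from the suspect host 10.0.0.5."""
    rules = [{"dport": 80}, {"src": "10.0.0.5"}]
    t0 = 1_700_000_000.0
    frames = [
        (t0 + 1, build_tcp_frame("192.168.1.10", "203.0.113.10", 40000, 80)),   # hit: dport 80
        (t0 + 2, build_tcp_frame("192.168.1.11", "192.168.1.1", 40001, 22)),    # miss
        (t0 + 3, build_tcp_frame("10.0.0.5", "192.168.1.1", 40002, 22)),        # hit: suspect host
        (t0 + 75, build_tcp_frame("192.168.1.12", "203.0.113.10", 40003, 80)),  # hit, next interval
        (t0 + 76, b"\x00" * 40),                                                 # not IPv4: discarded
    ]
    outdir = Path(tempfile.mkdtemp())
    counts = capture(frames, rules, outdir)
    readback = {name: len(read_pcap(outdir / name)) for name in counts}
    return {"written": counts, "readback": readback}


if __name__ == "__main__":
    print(demo())
```

Two practitioner caveats the paper's description leaves implicit: a filter that keeps only matched packets is a selection decision that must itself be documented, because the discarded traffic cannot be recovered later; and each bucket file should be hashed as soon as it is closed, exactly as for a disk image, or the capture has no integrity story in court.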
② Data Analysis: In the data acquisition stage, the use of data acquisition software (technology) to coll
