Unit 7: Windows Forensics Analysis 7.1 Windows Forensics Analysis Forensic Analysis Preparation

>> Last unit we reviewed Windows file systems and studied how
to examine the Windows registry to discover evidence.

>>上一单元我们回顾了Windows文件系统，并研究了如何检查Windows注册表来发现证据。

This week, we will continue to study other Windows artifacts
to identify valuable information for forensic investigations.

本周，我们将继续研究Windows的其他构件，为法医调查识别有价值的信息。

I will also demonstrate two industrial leading digital forensic tools, Forensics Toolkit
and EnCase Forensic to learn their forensic analysis features.

我还将演示两个行业领先的数字取证工具，取证工具包和装箱法医，以学习他们的法医分析特征。

We begin the analysis process by first setting up the time zone on the forensic machine
to be the same as the suspect systems time zone.

我们首先在法医机器上设置与可疑系统时区相同的时区来开始分析过程。

We then examine the partition table on the suspect drive to learn the number
of partitions existed on the drive, to identify each mountable partition,
and then to find any data hidden in between the partitions.

然后，我们检查可疑驱动器上的分区表，了解驱动器上存在的分区数量，识别每个可挂载分区，然后查找分区之间隐藏的任何数据。

The Sleuth kit tool MMLS still can be used for identifying partitions.

侦探工具包工具MMLS仍然可以用于识别分区。

However, the advanced forensic analysis tools covered later
in this unit will automatically mount all partitions and provide other analysis features.

但是，本单元后面介绍的高级法医分析工具将自动挂载所有分区并提供其他分析功能。

After partitions are mounted we will retrieve deleted files and recover hidden data.

挂载分区后，我们将检索删除的文件并恢复隐藏数据。

Since data carving technology relies only on headers and footers to identify our files
without using file systems metadata, therefore, data carving tools, such as Foremost,
Scalpel and the Magic Rescue will still work for Windows file carving.

由于数据雕刻技术只依赖于页眉和页脚来识别我们的文件，而不使用文件系统元数据，因此，数据雕刻工具，如最重要的，手术刀和魔术救援仍然适用于Windows文件雕刻。

Certainly, most forensic analysis tools support data carving feature.

当然，大多数法医分析工具都支持数据雕刻功能。

We then put the file's mac times in a timeline sequence to reconstruct the data
and get a better understanding of what has happened.

然后，我们将文件的mac时间按照时间轴顺序重新构建数据，以便更好地理解发生了什么。

Mac times in Windows are slightly different than mac times in Linux UNIX.

Windows中的Mac时间与Linux UNIX中的Mac时间略有不同。

In Windows M stands for the last time when a file's content was modified.

在Windows中，M表示最后一次修改文件内容。

C stands for the timestamps when a file was created.

C表示创建文件时的时间戳。

A stands for the last time when a file was last accessed.

代表最后一次访问文件的时间。

In addition, E stands for the last time the file's MFT entry was changed.

另外，E代表最后一次更改文件的MFT条目。

Mac times can be intentionally changed.

Mac时代可以被有意地改变。

A free Windows utility called timestamp can change all four timestamps
in Windows file systems.

一个名为timestamp的免费Windows实用程序可以更改Windows文件系统中的所有四个时间戳。

To generate and analyze Windows mac times we can use Sleuth kit tools,
such as ILS, FLS and Mac Time.

为了生成和分析Windows mac时间，我们可以使用侦探工具包工具，如盲降、FLS和mac时间。

However, most of the advanced forensic analysis tools will generate mac times automatically
and display the mac times in both graphical and table view.

然而，大多数高级法医分析工具将自动生成mac时间，并在图形和表格视图中显示mac时间。

When we have search terms related to our case for example, names and activities identified
from e-mails and logs, we conduct a keyword search on these terms to find clues.

当我们有与案例相关的搜索词时，例如，从电子邮件和日志中识别出的名称和活动，我们对这些词进行关键字搜索以找到线索。

More information will be covered later.

稍后将介绍更多信息。

E-mails, pictures and internet data provide rich evidence for our examination.

电子邮件、图片和互联网数据为我们的考试提供了丰富的证据。

We also examine evidence from Windows specific artifacts, such as registry,
recycle bin, shortcuts, and event logs.

我们还检查来自Windows特定工件的证据，例如注册表、回收站、快捷方式和事件日志。

Many forensic analysis tools exist for Windows analysis.

Windows分析有许多法医分析工具。

Before trying out this GUI-based advanced forensic analysis tools let's first go
through Windows artifacts to learn how to effectively use the features supported
by these GUI-based tools for analysis.

在尝试这种基于gui的高级法医分析工具之前，让我们首先浏览Windows工件，了解如何有效地使用这些基于gui的工具支持的特性进行分析。