{"title":"获取受基于 Linux 的加密技术保护的数据的技术和方法 - 从业人员参考指南","authors":"Ben Findlay","doi":"10.1016/j.fsidi.2023.301662","DOIUrl":null,"url":null,"abstract":"<div><p>This research presents an overview of the typical disc and folder-level encryption that a digital forensic investigator may encounter when investigating a Linux operating system. Based on prior first-hand experience and significant follow-up testing and research, this work examines the operation of such encryption from the user's perspective, discusses how the encryption operates “under the hood”; and explores methods and techniques that can be used to access and retrieve data from such encrypted devices, both during at-scene/live forensic investigation and also post-scene. Worked examples are presented, to aid the reader's understanding. This research also presents considerations, approaches and steps that can be used by an investigator, in order to maximise the potential for data acquisition, and most crucially discusses lessons learnt to facilitate getting the best evidence in such cases. A breakdown of the binary structure of the key files associated with <em>fscrypt</em> is also presented, for reference. Current limitations and gaps in knowledge are also discussed.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0000,"publicationDate":"2023-12-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2666281723001816/pdfft?md5=09cf1be607089778a7ef98c74df23839&pid=1-s2.0-S2666281723001816-main.pdf","citationCount":"0","resultStr":"{\"title\":\"Techniques and methods for obtaining access to data protected by linux-based encryption – A reference guide for practitioners\",\"authors\":\"Ben Findlay\",\"doi\":\"10.1016/j.fsidi.2023.301662\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>This research presents an overview of the typical disc and folder-level encryption that a digital forensic investigator may encounter when investigating a Linux operating system. Based on prior first-hand experience and significant follow-up testing and research, this work examines the operation of such encryption from the user's perspective, discusses how the encryption operates “under the hood”; and explores methods and techniques that can be used to access and retrieve data from such encrypted devices, both during at-scene/live forensic investigation and also post-scene. Worked examples are presented, to aid the reader's understanding. This research also presents considerations, approaches and steps that can be used by an investigator, in order to maximise the potential for data acquisition, and most crucially discusses lessons learnt to facilitate getting the best evidence in such cases. A breakdown of the binary structure of the key files associated with <em>fscrypt</em> is also presented, for reference. Current limitations and gaps in knowledge are also discussed.</p></div>\",\"PeriodicalId\":48481,\"journal\":{\"name\":\"Forensic Science International-Digital Investigation\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":2.0000,\"publicationDate\":\"2023-12-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://www.sciencedirect.com/science/article/pii/S2666281723001816/pdfft?md5=09cf1be607089778a7ef98c74df23839&pid=1-s2.0-S2666281723001816-main.pdf\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Forensic Science International-Digital Investigation\",\"FirstCategoryId\":\"3\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S2666281723001816\",\"RegionNum\":4,\"RegionCategory\":\"医学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Forensic Science International-Digital Investigation","FirstCategoryId":"3","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2666281723001816","RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0
摘要
本研究概述了数字取证调查员在调查 Linux 操作系统时可能遇到的典型磁盘和文件夹级加密。基于先前的第一手经验以及大量的后续测试和研究,本著作从用户的角度研究了此类加密的操作,讨论了加密如何在 "引擎盖 "下运行;并探讨了在现场/实时取证调查期间以及现场后访问和检索此类加密设备中数据的方法和技术。为帮助读者理解,还提供了工作实例。本研究还介绍了调查人员可以使用的注意事项、方法和步骤,以便最大限度地挖掘数据获取的潜力,最重要的是讨论了在此类案件中获得最佳证据的经验教训。此外,还介绍了与 fscrypt 相关的密钥文件的二进制结构,以供参考。此外,还讨论了当前的局限性和知识差距。
Techniques and methods for obtaining access to data protected by linux-based encryption – A reference guide for practitioners
This research presents an overview of the typical disc and folder-level encryption that a digital forensic investigator may encounter when investigating a Linux operating system. Based on prior first-hand experience and significant follow-up testing and research, this work examines the operation of such encryption from the user's perspective, discusses how the encryption operates “under the hood”; and explores methods and techniques that can be used to access and retrieve data from such encrypted devices, both during at-scene/live forensic investigation and also post-scene. Worked examples are presented, to aid the reader's understanding. This research also presents considerations, approaches and steps that can be used by an investigator, in order to maximise the potential for data acquisition, and most crucially discusses lessons learnt to facilitate getting the best evidence in such cases. A breakdown of the binary structure of the key files associated with fscrypt is also presented, for reference. Current limitations and gaps in knowledge are also discussed.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
