Exam notes

  • Time
  • Answering: make separate points, each point = the thing + why;

Example 1:

  • Expert Witness
  • Evidence-based conclusions

Version 1: evidence directly contradicts the solicitor's case: stay objective and neutral; an expert cannot "take sides" the way a lawyer does

Version 2: asked to delete certain findings for fear the jury will misunderstand them: evidence integrity, refuse to change the report, and explain the statistical meaning instead

  • An expert witness's duty is to the court
  • Maintain independence
  • Impartiality
  • Must not tamper with, delete, or hide evidence
  • Legitimate ways to communicate (explain to the solicitor, write a supplementary note, state that the report cannot be changed)

Version 1 - Contradicting Evidence

  1. My duty as an expert witness is to the court, not the instructing solicitor + why
    I would make it clear that my conclusions must reflect the evidence, even if they contradict the narrative proposed by the solicitor. An expert must remain independent to maintain credibility and ensure admissible testimony.

  2. I would document the contradictory evidence thoroughly and transparently + why
    Providing clear documentation prevents misinterpretation and demonstrates that the analysis is based solely on factual findings. This protects both the investigation and the court process from bias.

  3. I would communicate the findings professionally to the solicitor + why
    This allows the legal team to adjust their case strategy while ensuring I do not compromise ethical standards or mislead the court.

Version 2 - Solicitor Asking to Remove Findings

  1. I would refuse to alter or remove accurate findings from my report + why
    Removing evidence would compromise the integrity of the investigation and breach my duty to provide impartial, complete information to the court.

  2. I would explain the statistical context clearly instead of deleting the findings + why
    The correct approach is to clarify limitations, confidence levels, or likelihoods so the court can interpret the evidence properly without omission.

  3. If pressured further, I would escalate or withdraw from the engagement + why
    Maintaining professional independence is critical, and continued pressure to manipulate evidence would require formal escalation or disengagement to protect ethical obligations.

perverting the course of justice

Example 2

  • Legal obligations > internal corporate instructions
  • Ethical responsibility of the forensic examiner
  • Chain of Custody / evidence preservation
  • escalation path: HR -> Legal Counsel -> Law Enforcement
  • Obstruction of justice
  1. Immediately preserve the evidence - because any further analysis or modification could compromise its admissibility in a criminal investigation.
  2. Stop the internal investigation immediately - xxx
  3. Escalate to corporate legal counsel, not HR - xxx
  4. Report to law enforcement as required by law - xxx
  5. Document all actions and maintain chain of custody - xxx
  6. Decline HR’s request and explain your legal / ethical duty - xxx
  • obstruction of justice
  • regulatory violations
  • corporate liability
  • civil lawsuits

revision

week1

  • prepare - secure & seize - preserve - analyse - report
  • forensic acquisition
  • Expert Witness Format (EWF, .E01): CRC32 on each 64-sector chunk + MD5/SHA1 over the whole image
  • Acquisition Documentation & ABD (Always be Documenting)
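Added worked example (my own code, not from the course or from any forensic tool) of the two-level integrity check EWF stores: a CRC per 64-sector chunk plus MD5/SHA1 over the whole image. The "disk" is a constructed byte string; the chunk size matches EWF's default of 64 sectors, everything else is assumed for illustration.

```python
import hashlib
import zlib

SECTOR_SIZE = 512
CHUNK_SECTORS = 64                         # EWF hashes the image in 64-sector chunks
CHUNK_SIZE = CHUNK_SECTORS * SECTOR_SIZE   # 32 KiB


def acquire(image: bytes) -> dict:
    """Simulate acquisition: record a CRC32 per chunk plus MD5/SHA1 of the whole image."""
    chunks = [image[i:i + CHUNK_SIZE] for i in range(0, len(image), CHUNK_SIZE)]
    return {
        "crcs": [zlib.crc32(c) & 0xFFFFFFFF for c in chunks],
        "md5": hashlib.md5(image).hexdigest(),
        "sha1": hashlib.sha1(image).hexdigest(),
    }


def verify(image: bytes, record: dict) -> dict:
    """Re-hash a copy of the image and report which chunks (if any) no longer match.

    The whole-image hashes say *whether* the copy is intact; the per-chunk CRCs say *where*
    it is not, which is what lets an examiner localise a bad sector instead of discarding 12 TB.
    """
    chunks = [image[i:i + CHUNK_SIZE] for i in range(0, len(image), CHUNK_SIZE)]
    bad_chunks = [
        idx for idx, c in enumerate(chunks)
        if idx >= len(record["crcs"]) or (zlib.crc32(c) & 0xFFFFFFFF) != record["crcs"][idx]
    ]
    return {
        "md5_ok": hashlib.md5(image).hexdigest() == record["md5"],
        "sha1_ok": hashlib.sha1(image).hexdigest() == record["sha1"],
        "bad_chunks": bad_chunks,
    }


# Constructed sample "disk": 4 chunks of deterministic pseudo-random bytes (not real evidence).
SAMPLE_IMAGE = bytes((i * 7 + 3) & 0xFF for i in range(4 * CHUNK_SIZE))


def demo() -> dict:
    record = acquire(SAMPLE_IMAGE)
    clean = verify(SAMPLE_IMAGE, record)
    # Flip one bit in the third chunk: the kind of damage a bad sector or sloppy handling causes.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[2 * CHUNK_SIZE + 100] ^= 0x01
    damaged = verify(bytes(tampered), record)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

A real E01 also stores case metadata (examiner, notes, acquisition date) in its header; that is the "ABD" part and is outside this example.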

week2

  • Disk physical structure: platter -> track -> sector; LBA, CHS
  • Logical structure: MBR; Volume vs Filesystem; Cluster; Unpartitioned Space
  • Acquisition: physical, logical, LEF (Logical Evidence File)
  • Volume Slack
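Added worked example (my own code, not from the course) showing how the week 2 concepts fit together in bytes: the MBR partition table at offset 446, the 55AA signature, CHS-to-LBA conversion, and "unpartitioned space" as the sector ranges no partition entry covers. The MBR is constructed here; the disk size (20480 sectors) and the two partitions are assumed for illustration.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446
MBR_SIGNATURE = b"\x55\xAA"


def chs_to_lba(c: int, h: int, s: int, heads_per_cyl: int = 255, sectors_per_track: int = 63) -> int:
    """Classic CHS -> LBA conversion (CHS sector numbers start at 1, LBA at 0)."""
    return (c * heads_per_cyl + h) * sectors_per_track + (s - 1)


def parse_mbr(sector0: bytes) -> list:
    """Return the used entries of the four-slot primary partition table."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: missing 55AA signature")
    parts = []
    for i in range(4):
        entry = sector0[MBR_TABLE_OFFSET + 16 * i: MBR_TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:          # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "start": lba_start, "end": lba_start + num_sectors - 1})
    return parts


def unpartitioned_ranges(parts: list, total_sectors: int) -> list:
    """Inclusive sector ranges covered by no partition: where an examiner looks for hidden data."""
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed MBR: two partitions on a 20480-sector disk, with gaps before, between and after."""
    mbr = bytearray(SECTOR)
    entries = [
        (0x80, 0x07, 2048, 8192),    # NTFS, sectors 2048..10239, bootable
        (0x00, 0x0B, 12288, 4096),   # FAT32, sectors 12288..16383
    ]
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, MBR_TABLE_OFFSET + 16 * i, status, ptype, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    print(parts)
    print(unpartitioned_ranges(parts, 20480))
```

Volume slack is the other gap on the week 2 list and is not visible from the MBR alone: it is the difference between the partition size recorded here and the filesystem size recorded in that partition's own boot sector.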

week3

  • NTFS: MFT; MACB timestamps (C/M/A/B)
  • Deleted Files: MFT entry; $Bitmap
  • Unallocated Space & File Carving: clusters not currently allocated to any file; may hold many fragments of old files; carve by file signature
  • File Slack: Drive Slack; RAM Slack (zero-filled on modern Windows)
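Added worked example (my own code, not from the course) for the two week 3 mechanics: splitting the last cluster of a file into RAM slack and drive slack, and header/footer carving over raw unallocated space. The cluster size (4 KiB), the signatures and the blob of "unallocated clusters" are constructed for illustration; it also handles the common failure case of a header whose body was already overwritten.

```python
SECTOR = 512
CLUSTER_SECTORS = 8            # 4 KiB clusters, the NTFS default
CLUSTER = SECTOR * CLUSTER_SECTORS


def slack_layout(logical_size: int) -> dict:
    """Bytes of RAM slack (rest of the last sector) and drive slack (unused whole sectors) for a file."""
    if logical_size == 0:
        return {"clusters": 0, "ram_slack": 0, "drive_slack": 0, "file_slack": 0}
    clusters = -(-logical_size // CLUSTER)                 # ceiling division
    sectors_used = -(-logical_size // SECTOR)
    ram_slack = sectors_used * SECTOR - logical_size       # zero-filled by modern Windows
    drive_slack = clusters * CLUSTER - sectors_used * SECTOR   # may still hold old file content
    return {"clusters": clusters, "ram_slack": ram_slack,
            "drive_slack": drive_slack, "file_slack": ram_slack + drive_slack}


SIGNATURES = {                  # type: (header, footer)
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(blob: bytes, max_len: int = 1 << 20) -> list:
    """Header/footer carving; returns (type, offset, data) with data=None for a header lacking a footer."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := blob.find(header, pos)) != -1:
            end = blob.find(footer, start + len(header), start + max_len)
            if end == -1:       # truncated or overwritten fragment: record it, do not guess a length
                found.append((ftype, start, None))
                pos = start + len(header)
                continue
            end += len(footer)
            found.append((ftype, start, blob[start:end]))
            pos = end
    return sorted(found, key=lambda t: t[1])


def build_sample_unallocated() -> bytes:
    """Constructed 8 KiB of unallocated space: two intact deleted files and one overwritten one."""
    jpeg = b"\xFF\xD8\xFF\xE0" + b"JFIF-old-photo-bytes" * 3 + b"\xFF\xD9"
    pdf = b"%PDF-1.4 old report " + b"x" * 40 + b"%%EOF"
    blob = bytearray(8192)
    blob[1000:1000 + len(jpeg)] = jpeg
    blob[3000:3000 + len(pdf)] = pdf
    blob[6000:6004] = b"\xFF\xD8\xFF\xE1"   # JPEG header whose remainder was reused by another file
    return bytes(blob)


if __name__ == "__main__":
    print(slack_layout(5000))
    for ftype, off, data in carve(build_sample_unallocated()):
        print(ftype, off, "partial" if data is None else f"{len(data)} bytes")
```

Footer-based carving is only as good as the footer: a JPEG's FFD9 can legitimately occur inside the image data, so real tools also validate structure (for example, decode the candidate) before trusting the cut.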

week4

  • Signature analysis: header signature vs extension (e.g. a .jpg renamed to .pdf)
  • Hash Analysis: known good set; known bad set; renaming a file or moving it to another path does not change its hash -> it is still identified
  • Search
  • Timeline
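Added worked example (my own code, not from the course) of the week 4 triage steps: hash every file, drop known-good hashes, flag known-bad ones regardless of name or path, and flag files whose header contradicts their extension. The files, hash sets and magic table are constructed and assumed for illustration; a real case would load the sets from a reference library such as NSRL.

```python
import hashlib

MAGIC = {                         # header bytes -> type as the examiner names it
    b"\xFF\xD8\xFF": "jpg",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"MZ": "pe",                  # Windows executables: .exe/.dll/.sys
}
EXT_ALIASES = {"jpeg": "jpg", "exe": "pe", "dll": "pe", "sys": "pe"}


def detect_type(data: bytes) -> str:
    for magic, ftype in MAGIC.items():
        if data.startswith(magic):
            return ftype
    return "unknown"


def signature_mismatch(name: str, data: bytes) -> bool:
    """True when the extension claims one type and the header says another."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    ext = EXT_ALIASES.get(ext, ext)
    actual = detect_type(data)
    return actual != "unknown" and ext != actual


def sha1_of(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def classify(files: dict, known_good: set, known_bad: set) -> dict:
    """Triage verdict per path. Hashes are computed over content only, so renames and moves do not hide a file."""
    verdicts = {}
    for path, data in files.items():
        h = sha1_of(data)
        if h in known_bad:
            verdicts[path] = "KNOWN BAD"
        elif h in known_good:
            verdicts[path] = "known good (skip)"
        elif signature_mismatch(path, data):
            verdicts[path] = f"signature mismatch: looks like {detect_type(data)}"
        else:
            verdicts[path] = "review"
    return verdicts


# Constructed sample content (not real binaries).
MALWARE = b"MZ\x90\x00" + b"fake-dropper" * 4
SYSTEM_DLL = b"MZ\x90\x00" + b"legit-os-file" * 4
PHOTO = b"\xFF\xD8\xFF\xE0" + b"holiday" * 8 + b"\xFF\xD9"

SAMPLE_FILES = {
    r"C:\Windows\System32\kernel32.dll": SYSTEM_DLL,
    r"C:\Users\bob\Documents\invoice.pdf": PHOTO,            # JPEG renamed to .pdf
    r"C:\Users\bob\AppData\Roaming\update.tmp": MALWARE,     # renamed and moved; hash unchanged
    r"C:\Users\bob\Pictures\beach.jpg": PHOTO,
}
KNOWN_GOOD = {sha1_of(SYSTEM_DLL)}
KNOWN_BAD = {sha1_of(MALWARE)}

if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD).items():
        print(f"{verdict:40} {path}")
```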

week5

  • Windows Artefacts
  1. Registry hives
    system, software, security, sam, ntuser.dat
  2. USB Usage Evidence
    USBSTOR
    setupapi.dev.log
    MountedDevices
    MountPoints2
    Link files (.lnk)
  3. Prefetch
    program name, run count, last run time, loaded DLLs
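Added worked example (my own code, not from the course) that pulls USB first-install evidence out of setupapi.dev.log: the USBSTOR device ID gives vendor, product, revision and serial, and the "Section start" line that follows gives the first time the device was installed. The log excerpt is constructed in the real file's layout; the devices in it are invented.

```python
import re
from datetime import datetime

# Constructed excerpt in setupapi.dev.log layout (two USB mass-storage installs and one PCI device).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B1AD6BA9105F50157&0]
>>>  Section start 2021/03/15 14:22:13.409
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p
     dvi: {Build Driver List} 14:22:13.412
<<<  Section end 2021/03/15 14:22:15.001
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - PCI\VEN_8086&DEV_1C3A&SUBSYS_04B31028&REV_04\3&11583659&0&B0]
>>>  Section start 2021/03/16 09:01:44.120
<<<  Section end 2021/03/16 09:01:44.900
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\7&1b2c3d4e&0&000000000000&0]
>>>  Section start 2021/03/20 18:45:02.777
<<<  Section end 2021/03/20 18:45:03.900
<<<  [Exit status: SUCCESS]
"""

DEVICE_RE = re.compile(r"^>>>  \[Device Install \(Hardware initiated\) - (USBSTOR\\[^\]]+)\]")
START_RE = re.compile(r"^>>>  Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def parse_usb_installs(log: str) -> list:
    """One record per USBSTOR install section: identity fields plus first-install timestamp."""
    results = []
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = DEVICE_RE.match(line)
        if not m:
            continue
        first_install = None
        for nxt in lines[i + 1:i + 3]:        # the Section start line directly follows the header
            s = START_RE.match(nxt)
            if s:
                first_install = datetime.strptime(s.group(1), "%Y/%m/%d %H:%M:%S.%f")
                break
        _, descriptor, instance = m.group(1).split("\\")
        # descriptor = Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
        fields = dict(part.split("_", 1) for part in descriptor.split("&") if "_" in part)
        serial = instance.rsplit("&", 1)[0]   # drop the trailing "&0" (LUN suffix)
        results.append({
            "vendor": fields.get("Ven"),
            "product": fields.get("Prod"),
            "revision": fields.get("Rev"),
            "serial": serial,
            # A '&' as the second character means Windows generated the ID: the device has no
            # unique serial, so it cannot be matched to one physical stick by this field alone.
            "windows_generated_id": len(serial) > 1 and serial[1] == "&",
            "first_install": first_install,
        })
    return results


if __name__ == "__main__":
    for rec in parse_usb_installs(SAMPLE_LOG):
        print(rec)
```

The serial is the join key for the other artefacts on this list: the same string appears under USBSTOR in the SYSTEM hive, in MountedDevices, and in the user's MountPoints2, which is how install time, drive letter and "which user plugged it in" are tied together.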

week7

  • Memory Forensics
    artefacts:
    passwords, keys
    plaintext data
    process information
    network connections
    in-memory copies of the registry hives
    MFT
  • Memory Acquisition
  • Memory Analysis Checklist
    processes
    handles & DLLs
    ports & connections
    code injection
    rootkits
    export suspicious processes for analysis
  • Volatility
    imageinfo
    pslist / pstree
    netscan
    dlllist
    handles
    malfind
    procdump
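Added worked example (my own code, not from the course and not Volatility itself) of the "processes" step of the checklist: rebuild a pstree from pslist-style rows and flag the parent/child relationships that should never occur on Windows, which is what an analyst eyeballs in pstree output. The process rows are constructed; the expected-parent table encodes standard Windows process lineage and is the assumption the checks rest on.

```python
# Constructed rows in the shape of Volatility pslist output: (name, pid, ppid).
SAMPLE_PSLIST = [
    ("System", 4, 0),
    ("smss.exe", 328, 4),
    ("csrss.exe", 412, 404),       # parent smss (404) already exited: normal
    ("wininit.exe", 468, 404),
    ("services.exe", 560, 468),
    ("lsass.exe", 572, 468),
    ("svchost.exe", 700, 560),
    ("explorer.exe", 1840, 1796),
    ("cmd.exe", 2100, 1840),
    ("lsass.exe", 2444, 2100),     # second lsass.exe, spawned by cmd.exe: suspicious
    ("svchost.exe", 2508, 1840),   # svchost under explorer instead of services: suspicious
]

# Standard Windows lineage (assumed reference table, not read from the image).
EXPECTED_PARENT = {
    "smss.exe": {"System"},
    "wininit.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
SINGLETONS = {"lsass.exe", "services.exe", "wininit.exe"}   # exactly one instance on a healthy host


def build_tree(rows):
    by_pid = {pid: (name, ppid) for name, pid, ppid in rows}
    children = {}
    for name, pid, ppid in rows:
        children.setdefault(ppid, []).append(pid)
    roots = [pid for name, pid, ppid in rows if ppid not in by_pid]   # parent exited or pid 0
    return by_pid, children, roots


def render_tree(rows) -> list:
    """Indented lines in the style of Volatility's pstree."""
    by_pid, children, roots = build_tree(rows)
    out = []

    def walk(pid, depth):
        name, ppid = by_pid[pid]
        out.append(f"{'. ' * depth}{name} (pid {pid}, ppid {ppid})")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return out


def find_anomalies(rows) -> list:
    """Flag a process whose live parent is not on its expected list, and duplicated singletons."""
    by_pid, _, _ = build_tree(rows)
    findings, counts = [], {}
    for name, pid, ppid in rows:
        counts[name] = counts.get(name, 0) + 1
        expected = EXPECTED_PARENT.get(name)
        parent = by_pid.get(ppid)
        # An absent parent (exited) is normal for wininit/csrss, so only a present wrong parent is flagged.
        if expected and parent and parent[0] not in expected:
            findings.append(f"{name} (pid {pid}) parented by {parent[0]} (pid {ppid}), expected {sorted(expected)}")
    for name in SINGLETONS:
        if counts.get(name, 0) > 1:
            findings.append(f"{counts[name]} copies of {name}; only one is expected")
    return findings


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_PSLIST)))
    print("\n".join(find_anomalies(SAMPLE_PSLIST)))
```

The flagged PIDs are the ones to feed to the rest of the checklist: dlllist/handles for what they loaded, netscan for their connections, malfind for injected regions, and procdump to export them.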

Exam terminology glossary

  • Acquisition & methodology
chain of custody
forensic image / acquisition
EWF (Expert Witness Format)
CRC / MD5/ SHA1
physical vs logical image vs LEF
volume slack / file slack / unallocated space
data carving
  • Disk / Filesystem
platter / track / sector
LBA (Logical Block Addressing)
MBR
cluster
resident / non-resident data
$MFT / FILE Record
$STANDARD_INFORMATION
$FILENAME
$DATA
ADS(Alternate Data Stream)
  • Windows Artefacts
Registry hive (SAM / SYSTEM / SOFTWARE / SECURITY / NTUSER.dat)
USBSTOR
MountedDevices
MountPoints2
Linkfiles/.lnk
Prefetch
  • Network Forensics
Encryption as a barrier
  • Memory Forensics
malfind
procdump

Q&A

  • Any metadata change updates C (the MFT-entry-modified timestamp)
  • metadata
    file permissions (ACL / permissions)
    file name
    file path
    file size
    attribute changes (read-only, hidden, etc.)
    any change to a metadata field in the MFT entry
  • Timestamps
    Create (Crt): creation time
    Modified (M): content modification time
    Change (C): metadata change time
    Accessed (A): access time
  • Images
    dd (raw) image of a 12 TB drive: 12 TB
    E01 of the same drive: > 12 TB, because EWF adds per-chunk CRCs and header metadata (with compression enabled it is usually smaller)