Network Working Group                                       D. Brezinski
Request for Comments: 3227                                      In-Q-Tel
BCP: 55                                                      T. Killalea
Category: Best Current Practice                                neart.org
                                                           February 2002
        

Guidelines for Evidence Collection and Archiving

Status of this Memo

This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2002). All Rights Reserved.

Abstract

A "security incident" as defined in the "Internet Security Glossary", RFC 2828, is a security-relevant system event in which the system's security policy is disobeyed or otherwise breached. The purpose of this document is to provide System Administrators with guidelines on the collection and archiving of evidence relevant to such a security incident.

If evidence collection is done correctly, it is much more useful in apprehending the attacker, and stands a much greater chance of being admissible in the event of a prosecution.

Table of Contents

   1 Introduction
     1.1 Conventions Used in this Document
   2 Guiding Principles during Evidence Collection
     2.1 Order of Volatility
     2.2 Things to avoid
     2.3 Privacy Considerations
     2.4 Legal Considerations
   3 The Collection Procedure
     3.1 Transparency
     3.2 Collection Steps
   4 The Archiving Procedure
     4.1 Chain of Custody
     4.2 Where and how to Archive
   5 Tools you'll need
   6 References
   7 Acknowledgements
   8 Security Considerations
   9 Authors' Addresses
   10 Full Copyright Statement

1 Introduction

A "security incident" as defined in [RFC2828] is a security-relevant system event in which the system's security policy is disobeyed or otherwise breached. The purpose of this document is to provide System Administrators with guidelines on the collection and archiving of evidence relevant to such a security incident. It's not our intention to insist that all System Administrators rigidly follow these guidelines every time they have a security incident. Rather, we want to provide guidance on what they should do if they elect to collect and protect information relating to an intrusion.

Such collection represents a considerable effort on the part of the System Administrator. Great progress has been made in recent years to speed up the re-installation of the Operating System and to facilitate the reversion of a system to a 'known' state, thus making the 'easy option' even more attractive. Meanwhile little has been done to provide easy ways of archiving evidence (the difficult option). Further, increasing disk and memory capacities and the more widespread use of stealth and cover-your-tracks tactics by attackers have exacerbated the problem.

If evidence collection is done correctly, it is much more useful in apprehending the attacker, and stands a much greater chance of being admissible in the event of a prosecution.

You should use these guidelines as a basis for formulating your site's evidence collection procedures, and should incorporate your site's procedures into your Incident Handling documentation. The guidelines in this document may not be appropriate under all jurisdictions. Once you've formulated your site's evidence collection procedures, you should have law enforcement for your jurisdiction confirm that they're adequate.

1.1 Conventions Used in this Document

The key words "REQUIRED", "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].

2 Guiding Principles during Evidence Collection

- Adhere to your site's Security Policy and engage the appropriate Incident Handling and Law Enforcement personnel.

- Capture as accurate a picture of the system as possible.

- Keep detailed notes. These should include dates and times. If possible, generate an automatic transcript (e.g., on Unix systems the 'script' program can be used; however, the output file it generates should not be written to media that is part of the evidence). Notes and print-outs should be signed and dated.

- Note the difference between the system clock and UTC. For each timestamp provided, indicate whether UTC or local time is used.

- Be prepared to testify (perhaps years later) outlining all actions you took and at what times. Detailed notes will be vital.

- Minimise changes to the data as you are collecting it. This is not limited to content changes; you should avoid updating file or directory access times.

- Remove external avenues for change.

- When confronted with a choice between collection and analysis you should do collection first and analysis later.

- Though it hardly needs stating, your procedures should be implementable. As with any aspect of an incident response policy, procedures should be tested to ensure feasibility, particularly in a crisis. If possible procedures should be automated for reasons of speed and accuracy. Be methodical.

- For each device, a methodical approach should be adopted which follows the guidelines laid down in your collection procedure. Speed will often be critical so where there are a number of devices requiring examination it may be appropriate to spread the work among your team to collect the evidence in parallel. However on a single given system collection should be done step by step.

- Proceed from the volatile to the less volatile (see the Order of Volatility below).

- You should make a bit-level copy of the system's media. If you wish to do forensics analysis you should make a bit-level copy of your evidence copy for that purpose, as your analysis will almost certainly alter file access times. Avoid doing forensics on the evidence copy.
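
The imaging and copy-verification steps of the last principle above, as an added example; this is not part of RFC 3227 and not a tool the RFC cites. It assumes GNU or busybox dd and sha256sum, a device already attached read-only (ideally behind a hardware write blocker) and never mounted, and it hashes with SHA-256 rather than the SHA-1 named in the tool list of Section 5, since SHA-1 collisions have since been demonstrated in practice. In the self-check at the end a regular file stands in for the block device.

```shell
#!/usr/bin/env bash
# Added example, not part of RFC 3227: bit-level imaging with dd plus the two hash
# checks that make the image defensible (source vs evidence copy, evidence copy vs
# the working copy that analysis is allowed to alter).
# Assumptions of this example: GNU or busybox dd and sha256sum; the device is
# attached read-only (ideally behind a hardware write blocker) and never mounted.
set -u

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Image <device> to <image> one 512-byte sector at a time. conv=noerror,sync turns
# an unreadable sector into zeros instead of shifting every later offset, and with
# bs equal to the sector size no padding is added to readable data. dd's own
# summary (records in/out) is kept as part of the notes. Returns 1 if the hashes
# of source and image differ.
image_media() {
    local device="$1" image="$2" src_hash img_hash
    dd if="$device" of="$image" bs=512 conv=noerror,sync 2>"$image.dd.log" || return 1
    src_hash=$(sha256_of "$device")
    img_hash=$(sha256_of "$image")
    printf '%s  %s\n' "$src_hash" "$device" >"$image.source.sha256"
    printf '%s  %s\n' "$img_hash" "$image" >"$image.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Re-check a sealed image against its sidecar hash (do this on every custody change
# and before any analysis run).
verify_image() { [ "$(sha256_of "$1")" = "$(cut -d' ' -f1 "$1.sha256")" ]; }

# Analysis alters access times, so it runs on a second copy; prove that copy matches
# the evidence copy before the first tool touches it.
make_working_copy() {
    local image="$1" work="$2"
    verify_image "$image" || return 1
    cp "$image" "$work"
    [ "$(sha256_of "$work")" = "$(cut -d' ' -f1 "$image.sha256")" ]
}

# Stand-alone use: image_media.sh /dev/sdb /mnt/usb/case-001/sdb.img
if [ "$#" -ge 2 ]; then image_media "$1" "$2"; fi
```

If the device has unreadable sectors, hashing the device a second time with sha256sum will fail even though dd completed; in that case hash the byte stream dd produced (for example by piping dd through tee into sha256sum) and keep dd's log, which records the failed reads. Either way the image's hash, the dd log and the time of imaging go into the notes before the media leaves your hands.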

2.1 Order of Volatility

When collecting evidence you should proceed from the volatile to the less volatile. Here is an example order of volatility for a typical system.

- registers, cache

- routing table, arp cache, process table, kernel statistics, memory

- temporary file systems

- disk

- remote logging and monitoring data that is relevant to the system in question

- physical configuration, network topology

- archival media

2.2 Things to avoid

It's all too easy to destroy evidence, however inadvertently.

- Don't shutdown until you've completed evidence collection. Much evidence may be lost and the attacker may have altered the startup/shutdown scripts/services to destroy evidence.

- Don't trust the programs on the system. Run your evidence gathering programs from appropriately protected media (see below).

- Don't run programs that modify the access time of all files on the system (e.g., 'tar' or 'xcopy').

- When removing external avenues for change, note that simply disconnecting from or filtering the network may trigger "deadman switches" that detect when they're off the net and wipe evidence.

2.3 Privacy Considerations

- Respect the privacy rules and guidelines of your company and your legal jurisdiction. In particular, make sure no information collected along with the evidence you are searching for is available to anyone who would not normally have access to this information. This includes access to log files (which may reveal patterns of user behaviour) as well as personal data files.

- Do not intrude on people's privacy without strong justification. In particular, do not collect information from areas you do not normally have reason to access (such as personal file stores) unless you have sufficient indication that there is a real incident.

- Make sure you have the backing of your company's established procedures in taking the steps you do to collect evidence of an incident.

2.4 Legal Considerations

Computer evidence needs to be

- Admissible: It must conform to certain legal rules before it can be put before a court.

- Authentic: It must be possible to positively tie evidentiary material to the incident.

- Complete: It must tell the whole story and not just a particular perspective.

- Reliable: There must be nothing about how the evidence was collected and subsequently handled that casts doubt about its authenticity and veracity.

- Believable: It must be readily believable and understandable by a court.

3 The Collection Procedure

Your collection procedures should be as detailed as possible. As is the case with your overall Incident Handling procedures, they should be unambiguous, and should minimise the amount of decision-making needed during the collection process.

3.1 Transparency

The methods used to collect evidence should be transparent and reproducible. You should be prepared to reproduce precisely the methods you used, and have those methods tested by independent experts.

3.2 Collection Steps

- Where is the evidence? List what systems were involved in the incident and from which evidence will be collected.

- Establish what is likely to be relevant and admissible. When in doubt err on the side of collecting too much rather than not enough.

- For each system, obtain the relevant order of volatility.

- Remove external avenues for change.

- Following the order of volatility, collect the evidence with tools as discussed in Section 5.

- Record the extent of the system's clock drift.

- Question what else may be evidence as you work through the collection steps.

- Document each step.

- Don't forget the people involved. Make notes of who was there and what were they doing, what they observed and how they reacted.

Where feasible you should consider generating checksums and cryptographically signing the collected evidence, as this may make it easier to preserve a strong chain of evidence. In doing so you must not alter the evidence.
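
The principles of Section 2, the order of volatility of Section 2.1, the warnings of Section 2.2 and the collection steps above, put together into one runnable first-responder script. This is an added example, not part of RFC 3227 and not one of the tools the RFC cites. It resolves every program from a trusted toolkit directory (the read-only media of Section 5) instead of the suspect host's PATH, writes a UTC-stamped note for every step, records the system clock and its drift from a reference clock when one is supplied, captures state from volatile to less volatile, and seals each artifact into a manifest that can be re-verified and, optionally, signed. The manifest uses SHA-256 rather than the sha1sum of Section 5, since SHA-1 collisions have since been demonstrated in practice. The toolkit path /mnt/cdrom/bin, the variables TRUSTED_BIN, REFERENCE_EPOCH and GPG_KEY, and the artifact names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not part of RFC 3227): a first-responder collection script that
# walks the RFC's order of volatility, runs every tool from a trusted read-only
# toolkit rather than the suspect host's PATH, keeps UTC-stamped notes, records
# clock drift, and hashes each artifact into a manifest that can be re-verified.
# Assumptions (ours, not the RFC's): toolkit at /mnt/cdrom/bin (override with a
# colon-separated TRUSTED_BIN); the output directory is on non-evidence media;
# REFERENCE_EPOCH, if set, is Unix time read from a trusted clock; GPG_KEY, if
# set, selects the key for a detached signature over the manifest.
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/cdrom/bin}"

# Resolve a tool name against the trusted toolkit only (Section 2.2: don't trust
# the programs on the system). Returns 1 if the toolkit lacks it.
find_tool() {
    local IFS=':' d
    for d in $TRUSTED_BIN; do
        if [ -x "$d/$1" ]; then printf '%s\n' "$d/$1"; return 0; fi
    done
    return 1
}

# Append a UTC-stamped line to the running notes (Section 2: keep detailed notes).
log_step() {
    printf '%s %s\n' "$("$DATE" -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$EVIDENCE_DIR/notes.log"
}

# Hash one artifact into the manifest (relative path, so the manifest travels with it).
seal() { (cd "$EVIDENCE_DIR" && "$HASH" "$1" >>manifest.sha256); }

# Run one tool from the toolkit, save its output as <label>.txt and seal it.
# A missing tool is logged, not fatal: the notes must show what was NOT collected.
capture() {
    local label="$1" tool="$2" path
    shift 2
    if path=$(find_tool "$tool"); then
        "$path" "$@" >"$EVIDENCE_DIR/$label.txt" 2>&1 || log_step "WARN $label: $tool exited $?"
        seal "$label.txt"
        log_step "captured $label with $path $*"
    else
        log_step "SKIPPED $label: $tool not in trusted toolkit"
    fi
}

# Clock drift in seconds: system clock minus trusted reference, both as Unix time.
clock_drift_seconds() { echo $(( $1 - $2 )); }

# Section 2: note the system clock against UTC, and its drift when a reference is known.
record_clock() {
    local now
    now=$("$DATE" +%s)
    {
        echo "system_utc=$("$DATE" -u -d "@$now" +%Y-%m-%dT%H:%M:%SZ)"
        echo "system_local=$("$DATE" -d "@$now" +%Y-%m-%dT%H:%M:%S%z)"
        if [ -n "${REFERENCE_EPOCH:-}" ]; then
            echo "drift_seconds=$(clock_drift_seconds "$now" "$REFERENCE_EPOCH")"
        fi
    } >"$EVIDENCE_DIR/clock.txt"
    seal clock.txt
    log_step "recorded system clock in clock.txt"
}

# Section 3.2: sign the manifest when a trusted gpg and a key are at hand.
sign_manifest() {
    local gpg
    if [ -n "${GPG_KEY:-}" ] && gpg=$(find_tool gpg); then
        "$gpg" --batch --yes --armor --local-user "$GPG_KEY" --detach-sign \
            --output "$EVIDENCE_DIR/manifest.sha256.asc" "$EVIDENCE_DIR/manifest.sha256" \
            && log_step "manifest signed with key $GPG_KEY" || log_step "WARN manifest NOT signed"
    else
        log_step "manifest not signed (no GPG_KEY or no trusted gpg)"
    fi
}

# Sections 2.1 and 3.2: volatile state first, less volatile later, one step at a time.
collect_evidence() {
    EVIDENCE_DIR="$1"
    mkdir -p "$EVIDENCE_DIR" || return 1
    DATE=$(find_tool date) || { echo "no trusted date in $TRUSTED_BIN" >&2; return 1; }
    HASH=$(find_tool sha256sum) || { echo "no trusted sha256sum in $TRUSTED_BIN" >&2; return 1; }
    : >"$EVIDENCE_DIR/manifest.sha256"
    log_step "collection started by ${USER:-unknown}; toolkit=$TRUSTED_BIN"
    record_clock
    capture 01-processes ps -ef
    capture 02-kernel    uname -a
    capture 03-routes    ip route show
    capture 04-arp       ip neigh show
    capture 05-sockets   ss -antup
    capture 06-mounts    mount
    capture 07-disks     df -k
    log_step "collection finished"
    sign_manifest
}

# Re-check every artifact against the manifest; nonzero means something changed.
verify_manifest() {
    local h
    h=$(find_tool sha256sum) || return 1
    (cd "$1" && "$h" -c manifest.sha256 >/dev/null 2>&1)
}

if [ "$#" -gt 0 ]; then collect_evidence "$1"; fi
```

Run it as collect_evidence /mnt/usb/case-001 from a shell that was itself started from the toolkit, with the output directory on separate media and never on the evidence disk. Confirm beforehand that the toolkit binaries are static (ldd reports "not a dynamic executable") and that the media is mounted read-only. Memory itself, the first entry of Section 2.1 after registers, is not acquired here; that needs an OS-specific acquisition tool and belongs before the process listing.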

4 The Archiving Procedure

Evidence must be strictly secured. In addition, the Chain of Custody needs to be clearly documented.

4.1 Chain of Custody

You should be able to clearly describe how the evidence was found, how it was handled and everything that happened to it.

The following need to be documented

- Where, when, and by whom was the evidence discovered and collected.

- Where, when and by whom was the evidence handled or examined.

- Who had custody of the evidence, during what period. How was it stored.

- When the evidence changed custody, when and how did the transfer occur (include shipping numbers, etc.).
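
A hash-chained custody ledger covering the four items above, added as an example; the record layout is this example's own and is not something RFC 3227 prescribes. Every entry records who, when, where and how, plus the SHA-256 of the entry before it, so an earlier entry that is edited or removed is detected on verification. Removal from the end is not detectable by the chain alone, which is why the hash of the latest entry is meant to be copied onto the receipt each custodian signs at hand-over.

```shell
#!/usr/bin/env bash
# Added example (not part of RFC 3227): an append-only, hash-chained chain-of-custody
# ledger. Each entry records who/when/where/how and the SHA-256 of the previous
# entry, so editing or deleting an earlier entry breaks the chain on verification.
# Record layout (ours, not the RFC's), one line per event, fields must not contain '|':
#   utc-time|item-id|action|custodian|location|how|sha256-of-previous-line
set -u

sha256_line() { printf '%s' "$1" | sha256sum | cut -d' ' -f1; }

# custody_add <ledger> <item-id> <action> <custodian> <location> <how>
# action is free text, e.g. collected / transferred / examined / stored.
custody_add() {
    local ledger="$1" prev
    shift
    if [ -s "$ledger" ]; then
        prev=$(sha256_line "$(tail -n 1 "$ledger")")
    else
        prev=GENESIS
    fi
    printf '%s|%s|%s|%s|%s|%s|%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" "$5" "$prev" >>"$ledger"
}

# Walk the ledger and re-derive each entry's back-pointer. Returns 1 at the first
# entry whose stored hash does not match the hash of the line before it.
custody_verify() {
    local expect=GENESIS line
    [ -s "$1" ] || return 1            # an empty ledger proves nothing
    while IFS= read -r line; do
        [ "${line##*|}" = "$expect" ] || return 1
        expect=$(sha256_line "$line")
    done <"$1"
    return 0
}

# Current custodian: field 4 of the last entry.
custody_holder() { tail -n 1 "$1" | cut -d'|' -f4; }

# Hash of the latest entry. Write it on the next custodian's signed receipt so that a
# ledger truncated from the end (which the chain alone cannot detect) is caught too.
custody_head() { sha256_line "$(tail -n 1 "$1")"; }

# Stand-alone use: custody.sh <ledger> <item-id> <action> <custodian> <location> <how>
if [ "$#" -eq 6 ]; then custody_add "$@"; fi
```

Keep the ledger on different media from the item it describes, and print and sign the new entry at each transfer: the chain makes tampering detectable, the signatures say who is accountable.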

4.2 Where and how to Archive

If possible, commonly used media (rather than some obscure storage media) should be used for archiving.

Access to evidence should be extremely restricted, and should be clearly documented. It should be possible to detect unauthorised access.

5 Tools you'll need

You should have the programs you need to do evidence collection and forensics on read-only media (e.g., a CD). You should have prepared such a set of tools for each of the Operating Systems that you manage in advance of having to use it.

Your set of tools should include the following:

- a program for examining processes (e.g., 'ps').

- programs for examining system state (e.g., 'showrev', 'ifconfig', 'netstat', 'arp').

- a program for doing bit-to-bit copies (e.g., 'dd', 'SafeBack').

- programs for generating checksums and signatures (e.g., 'sha1sum', a checksum-enabled 'dd', 'SafeBack', 'pgp').

- programs for generating core images and for examining them (e.g., 'gcore', 'gdb').

- scripts to automate evidence collection (e.g., The Coroner's Toolkit [FAR1999]).

The programs in your set of tools should be statically linked, and should not require the use of any libraries other than those on the read-only media. Even then, since modern rootkits may be installed through loadable kernel modules, you should consider that your tools might not be giving you a full picture of the system.

You should be prepared to testify to the authenticity and reliability of the tools that you use.

6 References

[FAR1999] Farmer, D., and W. Venema, "Computer Forensics Analysis Class Handouts", http://www.fish.com/forensics/

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2196] Fraser, B., "Site Security Handbook", FYI 8, RFC 2196, September 1997.

[RFC2350] Brownlee, N. and E. Guttman, "Expectations for Computer Security Incident Response", FYI 8, RFC 2350, June 1998.

[RFC2828] Shirey, R., "Internet Security Glossary", FYI 36, RFC 2828, May 2000.

7 Acknowledgements

We gratefully acknowledge the constructive comments received from Harald Alvestrand, Byron Collie, Barbara Y. Fraser, Gordon Lennox, Andrew Rees, Steve Romig and Floyd Short.

8 Security Considerations

This entire document discusses security issues.

9 Authors' Addresses

   Dominique Brezinski
   In-Q-Tel
   1000 Wilson Blvd., Ste. 2900
   Arlington, VA 22209
   USA

   EMail: dbrezinski@In-Q-Tel.org

   Tom Killalea
   Lisi/n na Bro/n
   Be/al A/tha na Muice
   Co. Mhaigh Eo
   IRELAND

   Phone: +1 206 266-2196
   EMail: tomk@neart.org

10. Full Copyright Statement

Copyright (C) The Internet Society (2002). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
