    Please use this permanent URL to cite or link to this item: https://tkuir.lib.tku.edu.tw/dspace/handle/987654321/34197


    Title: 採用LiveCD改善電腦蒐證品質與效率之研究
    Other title: The study of using livecd to improve the quality and efficiency on collecting computer evidence.
    Author: Lin, Yu-ti (林育地)
    Contributors: Master's Program, Department of Information Management, Tamkang University
    Liang, Te-chao (梁德昭)
    Keywords: Computer Forensics; Digital Evidence; Investigation Procedure
    Date: 2008
    Uploaded: 2010-01-11 05:01:18 (UTC+8)
    Abstract: Computer evidence collection at the primary crime scene is often constrained by the investigators' limited professional knowledge, the limited time available, and insufficient equipment. As a result, the quality of the collection cannot be effectively controlled while it is under way, and the evidence cannot be effectively secured.
    To improve the quality and efficiency of computer evidence collection, this study takes the requirements of the evidence collection procedure as its criteria for improving the method. These criteria are: prepare thoroughly according to the case before collection; maintain the integrity of the evidence during collection; and manage the evidence systematically after collection. After comparison with two traditional collection methods, this study proposes using a LiveCD to acquire evidence from the target computer, in order to maintain the quality and increase the efficiency of computer evidence collection. The method of building the disc is modularized into four main modules: the Boot module, the System Kernel module, the Interface module and the Extra Tool module. Each is modified to produce a prototype tool dedicated to collecting digital evidence from personal computers, leaving room for future researchers and prosecutorial and investigative agencies to build collection discs better suited to their own needs.
    The disc provides appropriate tools to support the evidence collection procedure. They are categorized as Operation System Tools, Identification Tools, Extraction Tools and Configuration Tools. Operation System Tools mount the various file system types of the target platform onto the collection system. Identification Tools browse files in various formats to help the investigator identify the computers relevant to the case. Extraction Tools make the copy of the digital evidence and apply the "Digital Seal". The whole course and result of the collection are also recorded in writing, and the collection procedure is complete once the investigators and the parties concerned have signed the written document.
    Appears in collections: [Department and Graduate Institute of Information Management] Theses and Dissertations
