Research on Forensic Analysis Methods for Windows Volatile Memory Data
Published: 2018-01-08 18:01
Keywords: Research on Forensic Analysis Methods for Windows Volatile Memory Data. Source: Jilin University, 2012 master's thesis. Thesis type: degree thesis
Related topics: computer forensics; volatility; correlation analysis; memory forensics; chain of evidence
[Abstract]: In the information age, computers and other intelligent information devices play an increasingly important role in social development. With the further growth and spread of the Internet, information technology has raised social productivity and, almost unnoticed, changed how people live and work. But while computers and other intelligent devices bring convenience, they also create many information security problems. An annual report released in 2011 by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) noted that, as new Internet technologies and applications develop rapidly in China, the information security situation will become more complex. In its 2010 monitoring statistics the number of Trojan command-and-control server IPs reached 479,626 and the number of Trojan-controlled host IPs reached 10,317,169, an increase of 274.9% over 2009. 2010 also saw a large outbreak of the "Conficker" (飞客) worm: according to CNCERT's sampling in December 2010, more than 60 million host IPs worldwide were infected, and mainland China remained the worst-hit region with more than 9 million infected host IPs. Crime committed with computers, other intelligent devices and networks is therefore an increasingly serious problem and a serious threat to social harmony and stability. Network and information security technology alone cannot fundamentally remove this growing threat; the legal system of modern society must also be used to constrain and regulate behavior. Computer forensics emerged at this intersection of computer security and law. Its main purpose is to collect evidence that exists in the form of data from the electronic devices involved in a case, reconstruct the course of the crime, and thereby provide reliable and effective evidence for legal proceedings.
The traditional forensic workflow in computer crime cases mostly consists of shutting down the machine involved, making a complete copy of its disk data with a plug-and-play device, and then analyzing the image after the fact. With the continuing advance of computer hardware, large memories are now widely used, and encryption and anti-forensic techniques have appeared, so this traditional process loses a great deal of valuable information. The volatile data in a computer's memory may contain key information about the criminal act: the passwords used to encrypt information, the state of the system while the crime was taking place, traces of anti-forensic tools, and crucial malware or system-level backdoors that an investigator can easily overlook when analyzing disk data. In recent years, forensic analysis of volatile data has therefore received growing attention from the judiciary and from computer security experts.
Memory forensic analysis focuses on analyzing the data in physical memory to obtain information about the crime. Although searching a memory image for readable text or particular keywords already yields much useful information, the runtime context and the information associated with a single piece of evidence can only be linked properly on the basis of an understanding of the relevant data structures and background. For memory forensic analysis it is therefore crucial to identify the data in a memory image accurately and to perform correlation analysis on specific pieces of information.
Building on the theory and methods of traditional computer forensics, this thesis summarizes the characteristics of volatile data in memory and similar media and proposes a correlation-oriented forensic analysis model for volatile data. The model is no longer confined to the single-evidence-object analysis of traditional evidence analysis; it emphasizes the intrinsic relationships between the individual pieces of evidence obtained, which from a legal standpoint makes it a forensic analysis method oriented toward constructing a chain of evidence. The thesis not only divides and describes the volatile-data forensic analysis model in layers, but also designs preliminary solutions at the key layers. Volatile digital data has the following properties: volatility; transience; stage stability; multidimensionality of entity information; correlation between entities; and predictability of entity state changes within a stage. Analysis with this method therefore has three advantages. First, it extends analysis from a user's single action to the user's behavior, so the purpose of a series of actions can be better understood. Second, it breaks the single-time-point limitation of volatile evidence acquisition: by correlating all evidence objects captured at one point in time, the user's behavior over a period can be predicted or determined forward or backward, rather than only at the single instant at which the evidence was acquired. Third, correlation analysis is oriented toward the judicial construction of a chain of evidence and can thus be applied more effectively in actual law enforcement and court proceedings.
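The two steps the abstract contrasts, a structure-aware scan of the image rather than a keyword search, followed by correlation of the recovered evidence objects, as an added Python example that is not code from the thesis. The x64 nt!_POOL_HEADER layout it relies on (16 bytes, BlockSize and PoolType in bytes 2 and 3, the 4-byte tag at offset 4) is real and is how tools such as Volatility's psscan locate process objects; the 32-byte "process record" assumed to follow the header, the pool-tag variant with the protected bit set, and the memory image itself are all constructed for the example and match no particular Windows build.

```python
"""Pool-tag scan plus parent/child correlation over a constructed memory image.

Added example, not code from the thesis. The x64 nt!_POOL_HEADER layout is real;
the record assumed to follow it is invented here (real _EPROCESS offsets are
per-build and would be taken from a symbol file or profile).
"""
import struct
from collections import defaultdict

POOL_HEADER_SIZE = 16      # x64 nt!_POOL_HEADER
POOL_GRANULARITY = 16      # pool blocks are 16-byte aligned; BlockSize counts 16-byte units
PROC_TAG = b"Proc"         # process-object pool tag; some kernels set bit 7 of the last
                           # byte to mark the allocation protected (b"Pro" followed by 0xE3)

# ASSUMED record behind the header (not a real _EPROCESS):
#   u64 create_time, u32 pid, u32 ppid, 16-byte NUL-padded image name
REC = struct.Struct("<QII16s")


def normalize_tag(tag):
    """Clear the protected-allocation bit so the 0xE3 variant compares equal to b'Proc'."""
    return tag[:3] + bytes([tag[3] & 0x7F])


def scan_processes(image):
    """Walk every 16-byte boundary looking for a Proc-tagged pool header and parse
    the record behind it. A plain strings-style search would also hit the decoy
    'Proc' text placed in the image; the alignment and header checks reject it."""
    found = []
    for off in range(0, len(image) - POOL_HEADER_SIZE, POOL_GRANULARITY):
        block_size, pool_type = image[off + 2], image[off + 3]
        if normalize_tag(image[off + 4:off + 8]) != PROC_TAG:
            continue
        if pool_type == 0 or block_size * POOL_GRANULARITY < POOL_HEADER_SIZE + REC.size:
            continue                  # free/invalid block, or too small to hold a record
        if off + POOL_HEADER_SIZE + REC.size > len(image):
            continue                  # record would run past the end of the image
        ctime, pid, ppid, name = REC.unpack_from(image, off + POOL_HEADER_SIZE)
        found.append({"offset": off, "create_time": ctime, "pid": pid, "ppid": ppid,
                      "name": name.split(b"\0", 1)[0].decode("ascii", "replace")})
    return found


def correlate(procs):
    """Link isolated process objects by pid/ppid and order them by creation time,
    turning single evidence objects into a parent -> child behaviour chain."""
    by_pid = {p["pid"]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        if p["ppid"] in by_pid:
            children[p["ppid"]].append(p)

    def chain(p):
        kids = sorted(children[p["pid"]], key=lambda c: c["create_time"])
        return {"name": p["name"], "pid": p["pid"], "children": [chain(k) for k in kids]}

    roots = [p for p in procs if p["ppid"] not in by_pid]
    return [chain(r) for r in sorted(roots, key=lambda r: r["create_time"])]


def anomalies(procs):
    """Cross-check objects against each other: a child created before its parent
    cannot be a normal spawn, so the parent PID was most likely reused and the
    parent link is stale. Returns the PIDs of such children."""
    by_pid = {p["pid"]: p for p in procs}
    return [p["pid"] for p in procs
            if p["ppid"] in by_pid and p["create_time"] < by_pid[p["ppid"]]["create_time"]]


def build_image():
    """Constructed image: filler, four Proc blocks (one with the protected-bit tag),
    and an unaligned decoy 'Proc' string that a scanner must not report."""
    def block(tag, ctime, pid, ppid, name):
        total = POOL_HEADER_SIZE + REC.size                      # 48 bytes, 3 units
        hdr = bytes([0, 0, total // POOL_GRANULARITY, 0x02]) + tag + b"\0" * 8
        return hdr + REC.pack(ctime, pid, ppid, name)
    img = b"\x00" * 64
    img += block(b"Proc", 100, 4, 0, b"System")
    img += b"\xff" * 32
    img += block(b"Pro\xe3", 200, 500, 4, b"explorer.exe")     # protected-bit tag form
    img += b"\x00" * 7 + b"Proc" + b"\x00" * 21                 # decoy at offset 199
    img += block(b"Proc", 300, 1234, 500, b"cmd.exe")
    img += block(b"Proc", 150, 777, 1234, b"odd.exe")           # created before its parent
    return img


if __name__ == "__main__":
    procs = scan_processes(build_image())
    for p in procs:
        print(f"0x{p['offset']:04x} pid={p['pid']:<5} ppid={p['ppid']:<5} "
              f"t={p['create_time']} {p['name']}")
    print("tree:", correlate(procs))
    print("children created before parent (PID reuse?):", anomalies(procs))
```

Running it lists the four objects with their image offsets, prints the System -> explorer.exe -> cmd.exe -> odd.exe chain, and flags odd.exe: its creation time precedes that of the cmd.exe it claims as parent, which a per-object view would never notice. On a real image the scanner loop stays the same; only the record layout changes to the build's actual _EPROCESS offsets, and the same correlation then runs over every object recovered, including those of exited or hidden processes whose pool blocks still survive in memory.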
[Degree-granting institution]: Jilin University
[Degree level]: Master's
[Year awarded]: 2012
[Classification number]: TP333
Article ID: 1398098
Article link: https://www.wllwen.com/kejilunwen/jisuanjikexuelunwen/1398098.html