
Credibility Analysis of Online Forensics Based on Physical Memory Acquisition

Published: 2019-03-20 12:42
[Abstract]: Computer forensics technology, the main means of combating computer crime, plays an important role in maintaining social stability and protecting a healthy online environment, and is an important guarantee of information security. However, computer forensics currently faces many challenges: the explosive growth of data volumes, the rising sophistication of computer crime techniques, and the credibility of analytical and inferential conclusions are increasingly prominent problems. Because of its inherent volatility, electronic data exposes the evidence capture process to threats from many directions, including evidence overwriting, evidence tampering, evidence deletion and destruction of storage media; at the same time, the continued development of anti-forensics techniques confronts electronic evidence acquisition tools with more serious reliability problems, so that the electronic evidence obtained carries no weight in court. The credibility of electronic forensics is the first prerequisite for applying computer forensics technology and the foundation of evidence analysis. In practice, however, attention is paid only to acquiring electronic evidence while research into the credibility of the acquired evidence is neglected, and the forensic process and analysis are mostly carried out by hand, with low efficiency and a high probability of operator error. Starting from these problems, this thesis takes a credible computer forensics model as its point of departure and discusses in detail the reliability problems of each stage of evidence acquisition: discovery of electronic evidence, fixation of data, secure acquisition of electronic data, and evidence analysis techniques. It analyzes the influence of forensic tools and methods on electronic evidence from the perspective of the internal structure of disk data storage, gives quantitative evaluation indicators based on probability theory, and finally proposes a finite state automaton with time-constraint factors to formally analyze the forensic process, making the electronic evidence acquisition method more scientific and the formalized forensic reasoning method more standardized. In summary, the main research work and chapter arrangement of this thesis are as follows.
(1) Survey the state of the art in the field of computer security forensics at home and abroad.
(2) Analyze some of the more common current computer forensics models.
(3) Describe in detail the main work of each stage of the credible computer forensics model.
(4) Analyze the storage of data in physical memory, the acquisition of memory image files, and the tools used to analyze image files.
(5) Review the probability theory that forms the basis for the data credibility analysis of computer evidence.
(6) Evaluate, through simulation experiments, the probability with which forensic tools and changes in memory itself affect the credibility of electronic evidence.
(7) Apply a finite state automaton with time-constraint factors to formal reasoning about the computer forensics process.
[Degree-granting institution]: 山东轻工业学院
[Degree level]: Master's
[Year of degree]: 2012
[Classification number]: TP309;TP333.1




Article ID: 2444226


Link: https://www.wllwen.com/kejilunwen/jisuanjikexuelunwen/2444226.html

