分布式动态计算机取证技术的研究与实现

发布时间：2017-12-31 15:35

本文关键词：分布式动态计算机取证技术的研究与实现　出处：《电子科技大学》2012年硕士论文　论文类型：学位论文

【摘要】：随着互联网应用和信息技术的高速发展，在极大的便利了人们的工作及生活的同时，网络安全问题也日益突出。在计算机犯罪手段层出不穷，与传统网络安全防御技术的较量日趋激烈的形式下，仅仅依靠单一、传统的网络安全防御技术来对抗计算机犯罪已不现实。因此需要尽快完善相关的法律法规，进一步提高人们的计算机安全意识，借助法律和社会的力量来对抗计算机犯罪，正是在这种形势下诞生了计算机取证技术。对计算机取证技术进行研究，对维护网络安全、预防和打击计算机犯罪行为，具有极强的现实意义。本文在研究计算机取证发展动态的基础上，介绍了计算机取证技术的相关概念，对比分析了传统的静态取证技术和动态取证技术，总结了这两者的优点与不足。在此基础上提出了一个分布式动态计算机取证系统(Distributed DynamicForensics System, DDFS)的设计思想。该系统结合了静态取证和动态取证的优点，借助Rootkit技术完成对取证代理的隐藏保护和相关监控功能的实现。利用取证代理完成分布式的证据收集，并具有能根据配置的策略对非法行为采取灵活应对方式的特点，能有效的提升搜集证据的能力，更有利于保障证据的准确性、完整性、安全性。深入剖析了分布式动态计算机取证系统的设计需求，明确了设计目标，给出了系统的总体框架结构及系统处理流程，并着重针对系统五大功能模块:取证管理平台、证据存储中心、转发中心、取证节点以及取证代理进行了详细的设计。本文针对分布式动态计算机取证系统涉及的关键技术进行了较深入的研究。将重点放在系统最关键的功能模块——取证代理的研究与实现上，围绕取证代理实际取证的需求，，给出了利用Rootkit技术完成自身隐藏、实时监控以及证据搜集的具体实现方法。同时也给出了其他四个功能模块的实现方法和工作流程。经过实际的测试运行，本系统能有效的运行于网络环境之下，完成对目标主机的监控，高效的获取相关电子证据，安全的传输证据，基本完成了最初的设计目标。
[Abstract]:With the rapid development of Internet application and information technology, the problem of network security has become increasingly prominent while greatly facilitating people's work and life. Under the increasingly fierce competition with the traditional network security defense technology, it is not realistic to rely only on the single, traditional network security defense technology to fight against computer crime. Therefore, it is necessary to improve the relevant laws and regulations as soon as possible. It is in this situation that the computer forensics technology was born, and the computer forensics technology was studied in order to further improve people's computer security consciousness and fight against computer crime with the help of law and social forces. It is of great practical significance to maintain network security and to prevent and crack down on computer crime. On the basis of studying the development of computer forensics, this paper introduces the related concepts of computer forensics, and analyzes the traditional static forensics technology and dynamic forensics technology. The advantages and disadvantages of these two methods are summarized. On the basis of this, a distributed dynamic computer forensics system (. Distributed DynamicForensics System. The system combines the advantages of static and dynamic forensics. With the help of Rootkit technology, the realization of the hidden protection and related monitoring function of the forensics agent is completed, and the distributed evidence collection is completed by using the forensics agent. And it has the characteristics of flexible response to illegal behavior according to the disposition strategy, can effectively enhance the ability to collect evidence, and is more conducive to ensure the accuracy and integrity of evidence. Security. The design requirements of distributed dynamic computer forensics system are deeply analyzed, the design objectives are defined, and the overall frame structure and system processing flow are given. The five functional modules of the system, namely, the evidence management platform, the evidence storage center, the forwarding center, the forensics node and the forensics agent, are designed in detail. In this paper, the key technologies involved in distributed dynamic computer forensics system are deeply studied. The emphasis is on the research and implementation of forensics agent, which is the most key functional module of the system. According to the requirement of evidence gathering agent, this paper presents the use of Rootkit technology to hide itself. At the same time, the realization method and workflow of the other four functional modules are given. After the actual test and running, the system can effectively run under the network environment. Complete the monitoring of the target host, efficient acquisition of relevant electronic evidence, secure transmission of evidence, basically completed the initial design objectives.
【学位授予单位】：电子科技大学
【学位级别】：硕士
【学位授予年份】：2012
【分类号】：TP393.08;D918.2

【参考文献】