
Research and Design of an NTFS-Based Registry Forensics Tool

Published: 2018-04-17 02:12

Keywords: computer forensics; registry. Source: Guangdong University of Technology, master's thesis, 2013


[Abstract]: With the widespread use of computer technology, computer crime is growing steadily worse, causing serious disruption and damage to the national economy, and preventing and combating it has become a pressing problem. The Windows registry holds a wealth of information of every kind and often records evidence of a perpetrator's activity, so registry forensics is of real importance for preventing and combating computer crime.

Building on domestic and international research in registry forensics, this thesis focuses on the structure of registry hive files and the information in them that has evidentiary value; on the large-directory structure of the Windows NTFS file system, the rules governing how it changes, and suggested improvements to it. It also analyses the VMware virtual machine file system, designs a way to extract files from inside a virtual machine directly on the host, and develops VMFSExplorer, a tool that can be used for virtual machine registry forensics.

The main contributions of this thesis are:

1. A comprehensive analysis of the large-directory structure of the Windows NTFS file system: the conditions under which a large directory is created, the rules by which it changes, and an algorithm for improving the large-directory structure. This provides theoretical support for computer forensics in the complex case of large directories.

2. A detailed breakdown of the overall structure of registry hive files and of their various cell types. After verifying the several checksum algorithms used within a hive file, an algorithm for operating on hive files is proposed. From the standpoint of the validity of electronic evidence in computer forensics, a hive file parsing tool is designed, together with an operating algorithm for registry forensics: access-type atomic operations.

3. An analysis of how data is organised in the VMware virtual disk file system. Based on the Hosted Sparse Extents disk model and the NTFS file system, VMFSExplorer, a file extraction tool dedicated to virtual machine forensics, is designed and developed. VMFSExplorer runs on the host system, so it can still acquire evidence when the virtual machine's system is damaged or cannot be unlocked, while fully protecting the original data. It is usable not only for virtual machine registry forensics but for virtual machine forensics in general.

4. VMFSExplorer stores the acquired electronic evidence in three types of files together, which guarantees the validity and integrity of the evidence while making the tool easy for forensic examiners to operate and making the evidence convenient to present.

Research into and design of an NTFS-based registry forensics tool not only guides the registry forensics process and effectively widens the scope of registry forensics, but also forms the theoretical basis for developing registry forensics tools. Most importantly, this thesis proposes a method for registry forensics on VMware virtual machines and develops VMFSExplorer, a tool that acquires a VMware virtual machine's original electronic data directly on the host, thereby extending the reach of registry forensics.
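Contribution 2 mentions verifying the checksums inside a hive file before operating on it. As an added example, not code from the thesis or from VMFSExplorer, the block below checks the one such checksum that is publicly documented for the hive format: the XOR checksum at offset 0x1FC of the 4096-byte "regf" base block. It parses the header fields an examiner looks at first (signature, sequence numbers, version) over a constructed sample header, and shows how a single flipped byte after the checksum was written is detected.

```python
import struct

# Layout of the 4096-byte "regf" base block, from public hive format documentation
# (not from the thesis): signature at 0x000, XOR checksum at 0x1FC.
BASE_BLOCK_SIZE = 4096
CHECKSUM_OFFSET = 0x1FC

def hive_base_block_checksum(block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs before the checksum field, with the two
    reserved results remapped as Windows does (0xFFFFFFFF -> 0xFFFFFFFE, 0 -> 1)."""
    if len(block) < CHECKSUM_OFFSET + 4:
        raise ValueError("base block too short")
    checksum = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        checksum ^= dword
    if checksum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return checksum or 1

def verify_hive_base_block(block: bytes) -> dict:
    """Parse the header fields an examiner checks first and recompute the checksum.
    Returns a report instead of raising, so a damaged hive can still be described."""
    seq1, seq2 = struct.unpack_from("<II", block, 0x04)
    major, minor = struct.unpack_from("<II", block, 0x14)
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    computed = hive_base_block_checksum(block)
    return {
        "signature_ok": block[0:4] == b"regf",
        "dirty": seq1 != seq2,  # unequal sequence numbers: unflushed transaction log data
        "version": (major, minor),
        "checksum_ok": stored == computed,
        "stored_checksum": stored,
        "computed_checksum": computed,
    }

def build_sample_base_block(corrupt: bool = False) -> bytes:
    """Constructed sample, not a real hive: a minimal primary-file header with a valid
    checksum; corrupt=True flips one byte of the file name after the checksum was set."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    struct.pack_into("<II", block, 0x04, 7, 7)        # primary / secondary sequence numbers
    struct.pack_into("<II", block, 0x14, 1, 5)        # format version 1.5
    struct.pack_into("<I", block, 0x24, 0x20)         # offset of the root cell
    block[0x30:0x3C] = "SYSTEM".encode("utf-16-le")   # embedded file name (UTF-16LE)
    struct.pack_into("<I", block, CHECKSUM_OFFSET, hive_base_block_checksum(bytes(block)))
    if corrupt:
        block[0x31] ^= 0x01                           # damage written after the checksum
    return bytes(block)
```

A mismatch does not by itself mean tampering: a hive captured from a running system with unequal sequence numbers is expected to be dirty, and the transaction logs must be applied before the checksum is meaningful.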
[Degree-granting institution]: Guangdong University of Technology
[Degree level]: Master's
[Year awarded]: 2013
[Classification numbers]: TP393.08; D918.1

[Citing works]

Related journal articles (1 listed)

1. Wei Siyu. Research on forensic techniques for hidden information on computer hosts [J]. Information Technology and Informatization, 2015, issue 10.

Related master's theses (1 listed)

1. Lin Shuibin. Research on techniques based on NTFS file creation [D]. Guangdong University of Technology, 2015.



Source page: https://www.wllwen.com/shekelunwen/gongan/1761596.html

