Research and Implementation of Evidence Collection on Linux Systems
Published: 2018-12-29 16:32
[Abstract]: Advances in computer science and information technology have brought many benefits, but they have also brought a growing volume of computer crime. Most servers worldwide run Linux, and as the technical sophistication of computer crime rises, forensic methods and key techniques for Linux systems need to be studied so that such crime can be investigated and information security maintained.

First, the basic forensic model is introduced and an overall framework for computer-system forensics is proposed. The forensic architecture is divided into five modules: evidence collection, data preservation, evidence analysis, forensic supervision and evidence submission. This thesis concentrates on the evidence collection module.

For dynamic (live) evidence collection, the thesis first studies how to find and collect rootkit evidence. Starting from the working principles of kernel rootkits, it designs detection and collection methods for kernel rootkits and gives a concrete implementation. User-level rootkits are detected and collected through signature file matching, signature string search, review of user login logs, and checks for hidden processes, hidden ports and network interfaces in promiscuous mode. Experimental results for both kernel-level and user-level rootkit detection and collection are presented.

Next, static evidence collection is studied from the perspective of the intruder's path and traces, the attack target and methods, and attempts to conceal the intrusion. Static collection focuses on suspicious files, log files, permission-sensitive files, hidden files and selected configuration files.

Finally, a static evidence collection system is designed and implemented using a layered design that splits the system into four layers: an image layer, a file system layer, an application layer and an interface layer; this improved development efficiency and made system testing easier. The image layer acquires the Linux partition data from the compromised computer and stores it as an image file on the forensic workstation. The file system layer provides the file access operations needed for digital evidence collection. The application layer performs the collection tasks themselves: formatted log output, string search, and collection of hidden files and setuid files. The interface layer presents the collected evidence as web pages and handles interaction with the client's browser. Functional testing shows that the system meets its goals and implements all of the planned functions.
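The user-level rootkit indicators the abstract lists (hidden processes, hidden ports, interfaces in promiscuous mode) and the static collection of setuid and hidden files can be written as a small set of collectors. The Python below is an added example for this page, not code from the thesis or its system: the cross-view comparison of kill(2) probing against readdir on /proc, the /proc/net/tcp parse, the IFF_PROMISC flag value and the SHA-256 record format are this example's own choices, and the /proc/net/tcp text used to exercise it is constructed. The live_* helpers assume a Linux host; the pure functions take captured text or sets and run anywhere.

```python
# Added example (not the thesis's own code): collectors for the user-level
# rootkit indicators and the static file triage described in the abstract.
import hashlib
import os
import stat
import sys

IFF_PROMISC = 0x100  # <linux/if.h>: set while the interface is in promiscuous mode


def nic_is_promiscuous(flags_text: str) -> bool:
    """Decode the contents of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def hidden_pids(readdir_pids: set, probed_pids: set) -> set:
    """Cross-view check: PIDs that answer kill(pid, 0) but are missing from
    readdir(/proc) are candidates hidden by a hooked getdents/readdir."""
    return probed_pids - readdir_pids


def listening_ports(proc_net_tcp: str) -> set:
    """Parse /proc/net/tcp (or tcp6): column 2 is HEXADDR:HEXPORT, column 4 the state (0A = LISTEN)."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def hidden_ports(proc_net_tcp: str, tool_reported: set) -> set:
    """Listening ports in the kernel table that a (possibly trojaned) netstat/ss did not report."""
    return listening_ports(proc_net_tcp) - tool_reported


def live_pids_from_proc() -> set:
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def _is_thread(pid: int) -> bool:
    """kill() also answers for thread IDs; Tgid != pid means a thread, not a hidden process."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass  # no status file: treat as a hidden pid and keep it
    return False


def live_pids_by_probe(max_pid: int) -> set:
    """Second view of the process table that does not go through readdir()."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:  # exists but belongs to another user
            pass
        if not _is_thread(pid):
            found.add(pid)
    return found


def collect_static_evidence(root: str) -> list:
    """Walk a mounted partition image; record setuid/setgid and dot-hidden
    regular files with a SHA-256 so each item can be verified later."""
    records = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            reasons = []
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                reasons.append("setuid/setgid")
            if name.startswith("."):
                reasons.append("hidden")
            if not reasons or not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            records.append({"path": os.path.relpath(path, root), "mode": oct(st.st_mode & 0o7777),
                            "uid": st.st_uid, "mtime": int(st.st_mtime), "reasons": reasons, "sha256": digest})
    return sorted(records, key=lambda r: r["path"])


if __name__ == "__main__" and sys.platform.startswith("linux"):
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = min(int(fh.read()), 65536)  # bound the probe for a quick demo
    print("hidden pids:", hidden_pids(live_pids_from_proc(), live_pids_by_probe(pid_max)))
    with open("/proc/net/tcp") as fh:
        print("listening ports:", sorted(listening_ports(fh.read())))
    for iface in os.listdir("/sys/class/net"):
        with open(f"/sys/class/net/{iface}/flags") as fh:
            print(iface, "promiscuous" if nic_is_promiscuous(fh.read()) else "normal")
```

These checks are only as honest as the kernel answering them: a kernel-level rootkit that hooks the same syscalls can lie to kill(2), /proc and sysfs alike, which is why the thesis treats kernel rootkit detection separately and why the static collector is meant to run against a partition image acquired from the compromised machine rather than on its live kernel.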
[Degree-granting institution]: University of Electronic Science and Technology of China (电子科技大学)
[Degree level]: Master's
[Year awarded]: 2011
[Classification number]: TP393.08; D918.2
Article ID: 2395071
Article link: https://www.wllwen.com/shekelunwen/gongan/2395071.html