Research on an Integrated Computer Forensics System
【Author】 Wang Juan;
【Supervisor】 Geng Ji;
【Author information】 University of Electronic Science and Technology of China, Computer Architecture, 2006, Master's thesis
【Abstract (translated from the Chinese)】 With the development of computer technology and the spread of networks, crimes that use computers, or that target them, occur frequently. Judicial and law-enforcement agencies lack the technical safeguards and support needed to apply high-tech means against this kind of high-tech crime, and so cannot obtain the electronic evidence of computer crime as fully as possible and bring offenders to justice. To improve the ability to fight computer crime, in-depth research on the field of computer forensics is needed; this calls not only for the development of practical and effective forensic tools but also for research on the theoretical foundations of the field, such as the definition of forensics, forensic standards and forensic procedures. The techniques involved are the computer forensics techniques that are currently the focus of research and attention. Computer forensics is an emerging interdisciplinary field that draws on computer science, law and criminal investigation. On the basis of an extensive reading of the literature, this thesis gives a summary of the origin, development, current state and future research trends of computer forensics technology, and a survey of the basic concepts, related techniques, related theories, basic principles and practical tools involved in the field. Building on an in-depth study of existing results at home and abroad, it designs and develops an integrated computer forensics system, divided according to the time at which electronic evidence is acquired into two subsystems: static extraction of electronic evidence and dynamic extraction of electronic evidence. The static extraction subsystem integrates several forensic techniques and extracts disk information comprehensively, including files that have been completely deleted, as well as system information. The dynamic forensics subsystem applies honeypot technology to dynamic forensics and reconstructs the attack process. At present the static part has been completed and development of the dynamic part is under way. Because the extracted electronic data is generally very large in volume and fragmented, how to correlate these fragmented data, or to locate among them "electronic evidence" that is clearly directed, persuasive and legally admissible, i.e. the analysis of electronic evidence, is currently both a hot topic and a difficult problem in computer forensics. Chapter 4 of this thesis, based on a summary and analysis of existing techniques for analysing electronic evidence, compares the advantages and disadvantages of each method, proposes improvements to some of them, and finally puts forward a new approach to forensic analysis, the "computer crime behaviour analysis library", which offers a new direction for analysing massive data, narrowing the scope of analysis quickly and locating electronic evidence; and a "text correlation analysis" based on semantic analysis and data mining, which provides a new way to build keyword libraries automatically and to discover associations between words.
【Abstract (original English)】 With the development of computer technology and the spread of networks, crimes committed by means of, or aimed at, computers occur frequently. However, judicial and law-enforcement institutions lack the high-tech support needed to obtain the fullest possible electronic evidence of computer-related crimes and penalize the offenders. To strengthen the ability to combat computer-related offences, a thorough study of computer forensics is needed, one that requires not only the development of effective forensic tools but also research on the field's definition, standards, procedures and other theoretical foundations. Computer forensics is a newly emerged interdisciplinary study encompassing computer science, legal science and criminal investigation. Based on a relatively thorough literature review, this thesis summarizes the emergence, development, status quo and prospective research of computer forensics. It also gives a comprehensive introduction to the basic concepts, relevant technology and theories, basic principles and practical tools relating to the field. On the basis of previous research at home and abroad, it designs and develops an integrated computer forensics system. The system is divided into a static and a dynamic electronic-evidence collection subsystem according to the time at which the evidence is obtained. The static subsystem integrates a variety of forensic techniques and extracts the disk information thoroughly, including deleted files and system information. The dynamic subsystem applies honeypot technology to dynamic evidence collection and reconstructs the attack process.
Currently the static electronic-evidence collection subsystem has been completed and the dynamic subsystem is under development. Given the massive and scattered electronic data extracted, how to correlate it, or to locate within it the clearly directed, persuasive and legally admissible items, i.e. the "electronic evidence", is both a focus and a difficult point of computer forensics. By summarizing the current techniques for analysing electronic evidence, chapter 5 compares the strengths and weaknesses of the different methods. It puts forward some strategies for improvement and finally presents a new forensic method, the "suspect characteristic / computer activity information database". This method points out a new direction for analysing massive data, narrowing the scope of analysis and seeking electronic evidence. It also introduces a new way to correlate words, "text correlation analysis", based on data mining.
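The abstracts say that the static extraction subsystem recovers files that have been completely deleted but do not say how. The following Python is an added illustration written for this record, not the thesis's own code: it shows the most basic technique such a subsystem relies on, signature-based file carving, which scans the raw bytes of a disk image for known header and footer byte patterns so that a file whose directory entry is gone can still be recovered. The JPEG and PNG signatures are the real ones; the disk image, its two "deleted" files and the truncated header are constructed here so the script runs offline. Every carved object is hashed so the extracted evidence can later be verified, which is what makes it usable as evidence rather than merely recovered data.

```python
"""Signature-based file carving over a raw disk image.

Added illustration, not code from the thesis: it recovers files whose
filesystem entries are gone by scanning raw bytes for known header/footer
signatures, and hashes each carved object for later verification.
"""
import hashlib

# Real magic values: a JPEG starts FF D8 FF and ends FF D9; a PNG starts with
# an 8-byte signature and ends with the IEND chunk (zero length, "IEND", CRC).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xaeB`\x82"),
}
MAX_CARVE = 16 * 1024 * 1024  # never pair a header with a footer further away


def carve(image: bytes) -> list:
    """Return every header/footer pair found, sorted by offset in the image.

    A header with no footer within MAX_CARVE bytes is treated as a fragment
    (its body and tail were overwritten) and skipped.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start == -1:
                break
            end = image.find(tail, start + len(head), start + MAX_CARVE)
            if end == -1:
                pos = start + 1  # dangling header: keep scanning past it
                continue
            end += len(tail)
            blob = image[start:end]
            found.append({
                "type": kind,
                "offset": start,
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
                "data": blob,
            })
            pos = end
    return sorted(found, key=lambda f: f["offset"])


# Constructed sample data (not from any real case): two complete files that
# no filesystem entry points to any more, plus one JPEG header whose body and
# footer have been overwritten by zeros.
JPEG_SAMPLE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
               + b"constructed jpeg body " * 4 + b"\xff\xd9")
PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
              + b"\x00\x00\x00\x00"             # IHDR CRC left as zeros
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
TRUNCATED = b"\xff\xd8\xff\xdb" + b"\x00" * 50


def build_sample_image() -> bytes:
    """Unallocated space (zeros and overwritten residue) around the samples."""
    return (b"\x00" * 300 + JPEG_SAMPLE + b"\xaa" * 200 + PNG_SAMPLE
            + b"\x00" * 100 + TRUNCATED)


def report(found: list) -> list:
    """One line per carved object, in the form an evidence log would record."""
    return [f"{f['type']:<5} offset={f['offset']:<8} size={f['size']:<8} "
            f"sha256={f['sha256']}" for f in found]


if __name__ == "__main__":
    for line in report(carve(build_sample_image())):
        print(line)
```

On the constructed image this carves exactly two objects, the JPEG at offset 300 and the PNG at offset 601, and ignores the truncated header at the end. The caveat a practitioner should keep in mind is that naive header/footer carving pairs a dangling header with the next footer of the same type if one lies within the search window, producing a merged object; real tools validate the carved structure (chunk lengths and CRCs for PNG, marker segments for JPEG) before trusting a carve, and the analysis stage described in the thesis is what turns such raw recoveries into evidence.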
【Key words】 computer forensics; electronic evidence; honeypot; semantic analysis; data mining;
- 【Online publication submitter】 University of Electronic Science and Technology of China 【Online publication year and issue】 2006, Issue 12
- 【Classification number】 TP319
- 【Times cited】 5
- 【Downloads】 679