

Research on Forensic Analysis Methods for Volatile Memory Data on Windows

Published: 2018-01-08 18:01

  Title: Research on Forensic Analysis Methods for Volatile Memory Data on Windows. Source: Jilin University, 2012 master's thesis. Thesis type: degree thesis


  Keywords: computer forensics; volatility; correlation analysis; memory forensics; evidence chain


【Abstract】: In the information age, computers and other intelligent information devices play an increasingly important role in social development. With the further development and popularization of the Internet, information technology has promoted the growth of social productivity and, at the same time, has imperceptibly changed the way people live and work. However, while computers and other intelligent devices bring convenience to human life, they also give rise to many information security problems. An annual report released in 2011 by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) pointed out that, with the rapid development of new Internet technologies and applications in China, the information security situation will become still more complex: in the 2010 monitoring statistics the total number of Trojan control server IPs reached 479,626 and the total number of Trojan-controlled host IPs was 10,317,169, an increase of 274.9% over 2009. The "Feike" worm (the Chinese name for Conficker) broke out in 2010; according to CNCERT's sample monitoring results from December 2010, more than 60 million host IPs worldwide had been infected, and China remained the hardest-hit area, with more than 9 million infected host IPs. This shows that crime committed using computers, other intelligent information devices and networks is an increasingly serious problem that gravely threatens social harmony and stability. Preventing computer-related crime through network and information security technology alone cannot fundamentally resolve the growing threat to information security; the legal instruments of modern society must also be brought fully to bear to constrain and regulate people's behaviour. Computer forensics arose precisely at this intersection of computer security and law. Its main purpose is to collect evidence that exists in the form of data from the electronic devices involved in a case, reconstruct the course of the crime, and thereby provide reliable and effective evidence for the relevant legal proceedings.

The forensic process traditionally used in computer crime cases mostly consists of shutting down the computer involved, making a complete copy of its disk data with a plug-and-play device, and then analysing the image after the fact. However, as computer hardware has continued to advance, large-capacity memory has come into wide use and various encryption and anti-forensic techniques have appeared, so that a great deal of valuable information is lost in this traditional process. The volatile data in a computer's memory may contain key information about the criminal act, such as the passwords used to encrypt information, the state of the system while the act was taking place, traces of the use of anti-forensic tools, and crucial malware or system-level backdoors that investigators can easily overlook when analysing hard-disk data. For this reason, forensic analysis of volatile computer data has attracted growing attention from the judicial community and computer security experts in recent years.

The focus of memory forensic analysis is analysing the various data in physical memory to obtain information relevant to the crime. Although in recent memory forensics practice much useful information can be obtained from a memory image simply by searching for readable text or relevant keywords, the runtime context and the information associated with a single piece of evidence can only be properly connected once the relevant data structures and background are understood. For memory forensic analysis, therefore, accurately identifying the data in a memory image and performing correlation analysis on specific information is crucial.

Building on a study of the theory and methods of traditional computer forensics, this thesis summarizes the characteristics of volatile data in memory and similar media and proposes a correlation-oriented model for forensic analysis of volatile data. Rather than confining itself to the single-evidence-object analysis used in traditional evidence analysis, this model emphasizes the intrinsic relationships between the individual pieces of evidence obtained; from a legal standpoint it is a forensic analysis method oriented towards building a chain of evidence. The thesis not only divides the volatile-data forensic analysis model into layers and describes each, but also designs preliminary solutions at the key layers. Because digital volatile data has the following characteristics: volatility; transience; stability within a stage; multidimensionality of entity information; mutual correlation between entities; and predictability of entity state changes within a stage, analysis with this method offers three advantages. First, analysis extends from a user's single action to the user's behaviour, giving a better understanding of the purpose behind a series of actions. Second, it breaks the limitation of volatile evidence being acquired at a single point in time: by correlating all evidence objects at one point in time, the user's behaviour over a period can be predicted or determined forwards or backwards, rather than only at the single moment at which the evidence was acquired. Third, correlation analysis is oriented towards the judicial application of building an evidence chain in law, and so can be better applied in actual law enforcement and court proceedings.

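The correlation-oriented analysis the abstract describes, as an added illustration that is not the thesis's own code: constructed snapshot records (process, connection and handle entries with assumed field names) are linked into one evidence chain, and the period that chain speaks to is bounded backwards from the single acquisition moment.

```python
"""Correlate volatile-memory evidence objects into one evidence chain.
Added illustration, not the thesis's own code. The records below are a
constructed sample shaped like what a memory-image parser would produce;
field names (pid, ppid, created, remote, path) are assumptions."""
from collections import defaultdict

SNAPSHOT_TIME = 1000  # constructed acquisition moment, seconds since boot
PROCESSES = [
    {"pid": 4,   "ppid": 0,   "name": "System",       "created": 0},
    {"pid": 600, "ppid": 4,   "name": "explorer.exe", "created": 30},
    {"pid": 710, "ppid": 600, "name": "outlook.exe",  "created": 400},
    {"pid": 820, "ppid": 710, "name": "winword.exe",  "created": 620},
    {"pid": 905, "ppid": 820, "name": "cmd.exe",      "created": 700},
]
CONNECTIONS = [{"pid": 710, "remote": "203.0.113.5:443"}]
HANDLES = [{"pid": 820, "path": "C:\\Users\\u\\invoice.doc"},
           {"pid": 905, "path": "C:\\Users\\u\\Downloads\\attachment.exe"}]

def build_evidence_chain(seed_pid, processes=PROCESSES,
                         connections=CONNECTIONS, handles=HANDLES):
    """Follow parent links from seed_pid to the root, attaching the network and
    file objects each process owns; returned oldest-first as one behaviour chain."""
    by_pid = {p["pid"]: p for p in processes}
    conns, files = defaultdict(list), defaultdict(list)
    for c in connections:
        conns[c["pid"]].append(c["remote"])
    for h in handles:
        files[h["pid"]].append(h["path"])
    chain, pid, seen = [], seed_pid, set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # a corrupted image can contain cyclic ppid links
        p = by_pid[pid]
        chain.append({"pid": pid, "name": p["name"], "created": p["created"],
                      "connections": conns[pid], "files": files[pid]})
        pid = p["ppid"]
    chain.reverse()
    return chain

def behaviour_window(chain, snapshot_time=SNAPSHOT_TIME):
    """Bound the period the chain speaks to: from the creation of the earliest
    process owning a correlated object (or the chain root if none does) up to
    the acquisition moment, i.e. reasoning backwards from a single snapshot."""
    if not chain:
        return None
    owners = [e for e in chain if e["connections"] or e["files"]] or chain[:1]
    return (min(e["created"] for e in owners), snapshot_time)
```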
【Degree-granting institution】: Jilin University
【Degree level】: Master
【Year of degree】: 2012
【Classification number】: TP333



