Research and Implementation of Evidence Collection Based on the Linux System
[Abstract]: With the development of computer science and information technology, people enjoy many benefits from the application of information technology, but at the same time they face more and more computer crime. At present most servers in the world run Linux. As computer crime techniques develop, it is necessary to study the methods and key technologies of computer forensics on Linux systems in order to meet the challenge of computer crime and the need to ensure information security. First, the basic forensics model is introduced and the overall framework of the forensics system is presented. The forensics architecture is divided into modules for evidence collection, data preservation, evidence analysis, evidence monitoring and evidence submission; this paper focuses on the evidence collection module. For dynamic evidence collection, the paper first studies how to find and collect Rootkit evidence. Based on an analysis of how kernel Rootkits work, detection and collection methods for kernel Rootkits are designed and their implementation process is given. Detection and collection of user-level Rootkits is realized through feature-file matching, feature-string search, user logon logs, hidden process detection, hidden port detection and detection of the network card's promiscuous mode. Experimental results for kernel-level and user-level Rootkit detection and collection are given. Third, from the point of view of intrusion tracks and traces, attack targets, attack methods and intrusion hiding, the paper studies static evidence collection, which focuses on collecting suspicious files, log files, files sensitive to user privileges, hidden files and some configuration file information. Finally, the static evidence collection system is designed and implemented.
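The user-level Rootkit indicators named above (hidden ports, hidden processes, promiscuous-mode network cards) all rest on one idea: compare two independent views of the same fact and treat a disagreement as evidence. The following Python is an added example written for this page, not code from the thesis; the `/proc/net/tcp` text and the interface flag values are constructed samples, and the live helpers at the end assume a Linux host with `/proc` and `/sys` mounted.

```python
"""Cross-view checks for user-level rootkit indicators (added example).

A trojaned `netstat` or `ps` can hide entries from its own output, but the
kernel's tables in /proc and /sys still contain them, so the kernel view is
compared against the tool view (or a second, independent enumeration).
"""
import os

IFF_PROMISC = 0x100  # promiscuous-mode bit of the interface flags word (Linux <linux/if.h>)

# Constructed sample of /proc/net/tcp: sshd listening on 22, an unexpected
# listener on 8080 (0x1F90) and one established connection (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0 100 0 0 10 0
   2: 0100007F:9C40 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0 100 0 0 10 0
"""

# Constructed sample: what a (possibly trojaned) netstat reported as listening.
SAMPLE_TOOL_PORTS = {22}

# Constructed sample of /sys/class/net/<iface>/flags contents, as read from sysfs.
SAMPLE_NIC_FLAGS = {"lo": "0x9", "eth0": "0x1103", "eth1": "0x1003"}


def parse_proc_net_tcp(text):
    """Return the set of local ports in LISTEN state (st == 0A) from /proc/net/tcp text."""
    ports = set()
    for line in text.splitlines()[1:]:  # the first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))  # port is hex after the colon
    return ports


def hidden_ports(kernel_ports, tool_ports):
    """Listening ports present in the kernel table but missing from the tool's output."""
    return sorted(kernel_ports - tool_ports)


def hidden_pids(proc_listing, probed_pids):
    """PIDs found by an independent probe but absent from the /proc directory listing."""
    return sorted(probed_pids - proc_listing)


def promiscuous_interfaces(flags_by_iface):
    """Interfaces whose sysfs flags word has IFF_PROMISC set."""
    return sorted(name for name, flags in flags_by_iface.items()
                  if int(flags, 16) & IFF_PROMISC)


def live_proc_pids():
    """First view of running processes: numeric entries in /proc (assumes Linux)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def live_probed_pids(limit=65536):
    """Second view: PIDs that answer a signal-0 probe, whether or not /proc shows them."""
    found = set()
    for pid in range(1, limit):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:  # exists, owned by another user
            found.add(pid)
    return found


def live_nic_flags():
    """Read /sys/class/net/<iface>/flags for every interface (assumes Linux sysfs)."""
    flags = {}
    for iface in os.listdir("/sys/class/net"):
        with open(os.path.join("/sys/class/net", iface, "flags")) as fh:
            flags[iface] = fh.read().strip()
    return flags


if __name__ == "__main__":
    print("hidden ports:", hidden_ports(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), SAMPLE_TOOL_PORTS))
    print("promiscuous:", promiscuous_interfaces(SAMPLE_NIC_FLAGS))
```

On a live host the process comparison is `hidden_pids(live_proc_pids(), live_probed_pids())`; note that it is only meaningful when both views come from the same PID namespace and `/proc` is not mounted with `hidepid`, otherwise processes of other users will legitimately be missing from the listing.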
The system is divided into four layers: image layer, file system layer, application layer and interface layer, which improves development efficiency and reduces the difficulty of system testing. The image layer acquires the Linux partition data from the intruded computer and saves it as a file on the forensics computer. The file system layer implements the file access operations needed for digital evidence collection; the application layer implements output of the main log formats, string search, hidden file collection, SUID file collection and so on. The interface layer displays the evidence collection results as web pages in a browser and handles the interaction with the client browser. Functional testing of the system shows that it achieves the expected goal and the originally planned functions.
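The application-layer tasks listed above (SUID file collection, hidden file collection, string search, log-format output) can be shown as one pass over a mounted or extracted copy of the acquired partition. The following Python is an added example, not the thesis's own code; it walks a directory tree that stands in for the file system layer, and `build_sample_tree` creates a constructed tree in a temporary directory so the example runs without an acquired image.

```python
"""Static evidence collection over an acquired file tree (added example).

`collect_static_evidence` walks `root` (a mounted image or extracted copy) and
records three kinds of findings that the abstract names: setuid/setgid files,
hidden (dot-prefixed) files and directories, and files containing any of the
given search strings.  Every finding is (kind, relative_path, detail).
"""
import os
import stat
import tempfile

MAX_SEARCH_BYTES = 1_000_000  # do not load very large files into memory for string search


def collect_static_evidence(root, search_strings=()):
    findings = []
    needles = [s.encode() for s in search_strings]
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:  # hidden directories are evidence in their own right
            if d.startswith("."):
                findings.append(("hidden", os.path.relpath(os.path.join(dirpath, d), root), ""))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of the image
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setid", rel, oct(stat.S_IMODE(st.st_mode))))
            if name.startswith("."):
                findings.append(("hidden", rel, ""))
            if needles and stat.S_ISREG(st.st_mode) and st.st_size <= MAX_SEARCH_BYTES:
                with open(path, "rb") as fh:
                    data = fh.read()
                for needle in needles:
                    if needle in data:
                        findings.append(("string", rel, needle.decode()))
    return sorted(findings)


def format_report(findings):
    """Tab-separated log lines, one finding per line, for the interface layer to display."""
    return "\n".join(f"{kind}\t{path}\t{detail}" for kind, path, detail in findings)


def build_sample_tree():
    """Create a constructed sample tree in a temp directory and return its root path."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "home", "u", ".ssh"))
    os.makedirs(os.path.join(root, "var", "log"))
    suid_bin = os.path.join(root, "usr", "bin", "suspect_sh")
    with open(suid_bin, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(suid_bin, 0o4755)  # setuid root-style mode; a classic persistence artefact
    with open(os.path.join(root, "home", "u", ".ssh", ".hist"), "w") as fh:
        fh.write("constructed hidden file\n")
    with open(os.path.join(root, "var", "log", "auth.log"), "w") as fh:
        fh.write("Jan  1 00:00:01 host sshd[123]: Accepted password for root from 10.0.0.5 port 5555 ssh2\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(format_report(collect_static_evidence(sample_root, ["Accepted password for root"])))
```

The string search reads files in binary so that it also works on rotated or partially corrupted logs, and `lstat` plus the symlink skip keeps the walk inside the acquired tree rather than following links into the forensics workstation's own file system.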
【Degree-granting institution】: University of Electronic Science and Technology of China (電子科技大學)
【Degree level】: Master
【Year of degree】: 2011
【Classification number】: TP393.08; D918.2
【參考文獻(xiàn)】
相關(guān)期刊論文 前7條
1 劉凌;;淺談?dòng)?jì)算機(jī)靜態(tài)取證與計(jì)算機(jī)動(dòng)態(tài)取證[J];計(jì)算機(jī)安全;2009年08期
2 周世斌,賓曉華,董占球;口令竊取的基本途徑及其防護(hù)對(duì)策[J];計(jì)算機(jī)工程與應(yīng)用;2001年20期
3 丁麗萍,王永吉;計(jì)算機(jī)取證的相關(guān)法律技術(shù)問題研究[J];軟件學(xué)報(bào);2005年02期
4 尉永青,劉培德;計(jì)算機(jī)取證技術(shù)研究[J];信息技術(shù)與信息化;2005年04期
5 周子庭 ,李建華;系統(tǒng)日志分析及在主機(jī)入侵檢測(cè)中的應(yīng)用[J];信息安全與通信保密;2004年09期
6 殷聯(lián)甫;計(jì)算機(jī)反取證技術(shù)研究[J];計(jì)算機(jī)系統(tǒng)應(yīng)用;2005年10期
7 戴士劍;張杰;郭久武;;數(shù)據(jù)恢復(fù)技術(shù)綜述(上)[J];信息網(wǎng)絡(luò)安全;2006年01期
相關(guān)碩士學(xué)位論文 前2條
1 金霞;EXT3文件系統(tǒng)結(jié)構(gòu)研究及入侵檢測(cè)的實(shí)現(xiàn)[D];解放軍信息工程大學(xué);2004年
2 王中杉;基于Windows的計(jì)算機(jī)取證技術(shù)研究與實(shí)現(xiàn)[D];電子科技大學(xué);2009年