
Research on Forensic Analysis Methods for Windows-Based Volatile Memory Data

Published: 2018-01-08 18:01

  Keywords of this paper: Research on forensic analysis methods for Windows-based volatile memory data   Source: Jilin University, 2012 Master's thesis   Thesis type: degree thesis


  Related keywords: computer forensics; volatility; correlation analysis; memory forensics; chain of evidence


Abstract: In the information age, computers and other intelligent information devices play an increasingly important role in social development. With the further development and popularization of the Internet, information technology has driven the growth of social productivity while quietly changing the way people live and work. At the same time, the convenience that computers and other intelligent devices bring to daily life has been accompanied by many information security problems. An annual report released in 2011 by the National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT) noted that, with the rapid development of new Internet technologies and applications in China, the information security situation will become even more complex: in the 2010 monitoring statistics, the total number of Trojan control-server IPs reached 479,626 and the total number of Trojan-controlled host IPs reached 10,317,169, an increase of 274.9% over 2009. The "Feike" (Conficker) worm broke out in 2010; according to CNCERT's sampling results for December 2010, more than 60 million host IPs on the global Internet had been infected with it, and mainland China remained the hardest-hit region with more than 9 million infected host IPs. Crime committed with computers, other intelligent information devices and networks is therefore becoming steadily more serious and is a real threat to social harmony and stability. Network and information security technology alone cannot stop computer-related crime or remove the growing threat at its root; the legal means of modern society must also be brought fully to bear to constrain and regulate behaviour. Computer forensics arose precisely at this intersection of computer security and law. Its main purpose is to collect evidence that exists in the form of data from the electronic devices involved in a case, reconstruct the course of the crime, and thereby provide reliable and valid evidence for the relevant legal proceedings.

The traditional forensic procedure in computer crime cases is, in most instances, to shut down the computer involved, make a complete copy of its disk data with a plug-and-play device, and then analyse the image after the fact. As computer hardware has advanced, however, large-capacity memory has become commonplace and a variety of encryption and anti-forensics techniques have appeared, so a great deal of valuable information is lost in this traditional process. The volatile data in a computer's memory may hold key information about the criminal act: the passwords used to encrypt information, the state of the system while the act was taking place, traces of anti-forensics tools, and critical malware or system-level backdoors that an investigator can easily overlook when analysing hard disk data. For this reason, forensic analysis of volatile computer data has in recent years received growing attention from the judicial community and from computer security experts.

Memory forensic analysis concentrates on analysing the various data in physical memory to obtain information relevant to the crime. In recent memory forensics work, a great deal of useful information can be pulled from a memory image simply by searching for readable text or relevant keywords, but the run-time context and the information related to any single piece of evidence can only be properly linked together once the relevant data structures and background are understood. For memory forensic analysis it is therefore crucial to identify the data in a memory image accurately and to perform correlation analysis on specific information.

Building on a study of the theory and methods of traditional computer forensics, this thesis summarizes the characteristics of volatile data in memory and similar media and proposes a correlation-oriented forensic analysis model for volatile data. Rather than the single-evidence-object approach of traditional evidence analysis, the model concentrates on the intrinsic relationships between the individual pieces of evidence obtained; from a legal perspective it is a forensic analysis method oriented toward constructing a chain of evidence. The thesis not only divides the volatile-data forensic analysis model into layers and describes each of them, but also designs preliminary solutions at the key layers. Because digital volatile data has the following characteristics, namely volatility, transience, stage stability, multidimensionality of entity information, inter-relatedness of entities, and predictability of entity state changes within a stage, analysis with this method has three advantages. First, analysis is extended from a user's single action to the user's behaviour, giving a better understanding of the purpose behind a series of actions. Second, it breaks the single-time-point limitation of volatile evidence acquisition: by correlating all evidence objects captured at one time point, the user's behaviour over a period can be predicted or determined forward or backward, rather than only at the single moment at which the evidence was acquired. Third, correlation analysis is oriented toward the judicial application of chain-of-evidence construction and can therefore be applied more readily in actual law enforcement and court proceedings.
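The contrast the abstract draws, between keyword-searching a memory image and parsing it with knowledge of its data structures, and the correlation step that has to follow, can be shown on a constructed image. The Python below is an added example, not code from the thesis or from any forensic tool. The 36-byte "Proc" record layout, the process names, PIDs and timestamps are all made up for the demonstration; they are not the Windows EPROCESS layout, which differs between builds and must be taken from the kernel's symbols in real work.

```python
"""Structure-aware carving versus keyword search on a constructed memory
image, followed by correlation of the recovered objects.

Added example; the record layout and all sample data are hypothetical.
"""
import re
import struct
from collections import defaultdict

# Hypothetical on-image record layout (an assumption for this example, NOT a
# real Windows kernel structure):
#   4s  tag          b"Proc"
#   I   pid
#   I   ppid
#   Q   create_time  (constructed, monotonically increasing integers)
#   16s name         (NUL padded)
REC = struct.Struct("<4sIIQ16s")
TAG = b"Proc"


def make_record(pid, ppid, ctime, name):
    return REC.pack(TAG, pid, ppid, ctime, name.encode().ljust(16, b"\0"))


def build_sample_image():
    """Constructed 'physical memory': records scattered between noise.
    The stray 'winlogon.exe' string sits in slack with no object behind it."""
    noise = b"\x00" * 37 + b"winlogon.exe" + b"\xff" * 11
    return (noise
            + make_record(4, 0, 1000, "System")
            + b"\x00" * 5
            + make_record(500, 4, 1010, "explorer.exe")
            + b"\xaa" * 9
            + make_record(612, 500, 1020, "cmd.exe")
            + make_record(640, 612, 1025, "net.exe")
            + b"\x00" * 3
            + make_record(700, 9999, 1030, "svch0st.exe")  # parent absent
            + b"\x00" * 20)


def keyword_search(image, pattern=rb"[A-Za-z0-9_]{3,}\.exe"):
    """Naive approach: grep for printable names. Finds strings, no context."""
    return [m.group().decode() for m in re.finditer(pattern, image)]


def carve_processes(image):
    """Structure-aware approach: locate the tag, unpack the whole record."""
    procs = {}
    off = image.find(TAG)
    while off != -1:
        if off + REC.size <= len(image):
            _tag, pid, ppid, ctime, name = REC.unpack_from(image, off)
            procs[pid] = {"pid": pid, "ppid": ppid, "ctime": ctime,
                          "name": name.rstrip(b"\0").decode(), "offset": off}
        off = image.find(TAG, off + 1)
    return procs


def correlate(procs):
    """Link single evidence objects: parent/child map, creation order,
    and objects whose parent is not present in the image."""
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    orphans = sorted(p["pid"] for p in procs.values()
                     if p["ppid"] != 0 and p["ppid"] not in procs)
    timeline = [p["name"] for p in sorted(procs.values(),
                                          key=lambda p: p["ctime"])]
    return {"children": dict(children), "orphans": orphans,
            "timeline": timeline}


def ancestry(procs, pid):
    """Walk the parent chain from one object back to the root."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain


if __name__ == "__main__":
    img = build_sample_image()
    print("keyword search:", keyword_search(img))
    procs = carve_processes(img)
    print("carved:", {p: v["name"] for p, v in procs.items()})
    print("correlation:", correlate(procs))
    print("ancestry of 640:", ancestry(procs, 640))
```

Keyword search returns winlogon.exe, a leftover string in slack that no object backs, and says nothing about which process spawned which or when. Carving the records recovers the chain System, explorer.exe, cmd.exe, net.exe, orders the objects into a timeline, and flags svch0st.exe as having a parent that is not in the image, which is the kind of cross-object relationship the correlation model is meant to surface. Real tooling such as Volatility's pslist and psscan does the same with genuine structure definitions and treats list-walking and scanning results as two evidence sources to be reconciled.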

Degree-granting institution: Jilin University
Degree level: Master
Year degree granted: 2012
Classification number: TP333




Document number: 1398098

Link: http://sikaile.net/kejilunwen/jisuanjikexuelunwen/1398098.html

