Research and Design of an NTFS-Based Registry Forensics Tool
Published: 2018-04-17 02:12
Topic: computer forensics + registry; Reference: Guangdong University of Technology, 2013 master's thesis
[Abstract]: With the widespread use of computer technology, computer crime is growing ever more serious, causing severe disruption and damage to the national economy; preventing and combating computer crime has become a pressing problem. The Windows registry holds a wealth of information of many kinds, and it often records evidence of criminal activity, so registry forensics is of great significance for preventing and combating computer crime. Building on domestic and international research in registry forensics, this thesis focuses on the structure of registry Hive files and the information in them that has forensic value, and on the large-directory structure of the Windows NTFS file system, the rules governing how it changes, and suggested improvements. It also analyses the VMware virtual machine file system, designs a solution for extracting files from inside a virtual machine directly on the host, and develops VMFSExplorer, a tool that can be used for virtual machine registry forensics.

The main contributions of this thesis are:

1. A comprehensive analysis of the large-directory structure of the Windows NTFS file system, working out the conditions under which large directories are created and the rules by which they change, and proposing an algorithm for improving the large-directory structure. This provides theoretical support for computer forensics in the complex case of large directories.

2. A detailed analysis of the overall structure of registry Hive files and of the various cell types. After verifying the several checksum algorithms used in Hive files, an algorithm for operating on Hive files is proposed. From the standpoint of the validity of electronic evidence in computer forensics, a Hive file parsing tool is designed, together with an operation algorithm for registry forensics: the access-type atomic operation.

3. An analysis of how data is organized in the VMware virtual disk file system. Based on the Hosted Sparse Extents Disk model and the NTFS file system, VMFSExplorer, a file extraction tool dedicated to virtual machine forensics, is designed and developed. VMFSExplorer runs on the host system and effectively solves the problem of being unable to collect evidence when the virtual machine's operating system is damaged or cannot be unlocked, while fully protecting the original data. VMFSExplorer can be used not only for virtual machine registry forensics but also for the general case of virtual machine forensics.

4. The VMFSExplorer forensics tool saves the acquired electronic evidence in three types of files together, which guarantees the validity and integrity of the evidence while giving forensic examiners great ease of operation and convenient presentation of the evidence.

The research and design of an NTFS-based registry forensics tool not only provides guidance for the registry forensics process and effectively widens the scope of registry forensics, but also forms the theoretical basis for developing registry forensics tools. Most importantly, this thesis proposes a method for registry forensics on VMware virtual machines and develops VMFSExplorer, a tool that obtains the original electronic data of a VMware virtual machine directly on the host, thereby extending the scope of registry forensics.
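As an added illustration of the Hive file checksum verification mentioned in contribution 2 (example code written for this page, not part of the thesis or of VMFSExplorer), the following Python parses the regf base block of a hive and validates its XOR-32 header checksum and sequence numbers; the sample header it runs on is constructed inline and is not a real hive.

```python
import struct

BASE_BLOCK_SIZE = 4096     # the regf base block is the first 4 KiB of a hive
CHECKSUM_OFFSET = 0x1FC    # XOR-32 over the 127 DWORDs before this field


def regf_checksum(base_block: bytes) -> int:
    """XOR-32 of the first 508 bytes, with the two reserved results remapped
    the way Windows does: 0xFFFFFFFF becomes 0xFFFFFFFE and 0 becomes 1."""
    if len(base_block) < BASE_BLOCK_SIZE:
        raise ValueError("base block must be at least 4096 bytes")
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1


def parse_base_block(base_block: bytes) -> dict:
    """Decode the header fields an examiner checks before trusting a hive."""
    if base_block[:4] != b"regf":
        raise ValueError("not a regf hive: bad signature")
    primary, secondary = struct.unpack_from("<II", base_block, 0x04)
    major, minor, _ftype, _fmt, root_off, bins_size = struct.unpack_from("<6I", base_block, 0x14)
    stored = struct.unpack_from("<I", base_block, CHECKSUM_OFFSET)[0]
    name = base_block[0x30:0x70].decode("utf-16-le").rstrip("\x00")
    return {
        "file_name": name,
        "version": (major, minor),
        "root_cell_offset": root_off,   # relative to the first hbin at 0x1000
        "hbins_size": bins_size,
        "stored_checksum": stored,
        "checksum_ok": stored == regf_checksum(base_block),
        # a sequence-number mismatch means the last write was not completed,
        # so the hive must be reconciled with its transaction logs first
        "dirty": primary != secondary,
    }


def build_sample_base_block(dirty: bool = False) -> bytes:
    """Constructed SYSTEM-like base block (not a real hive) for demonstration."""
    b = bytearray(BASE_BLOCK_SIZE)
    b[0:4] = b"regf"
    struct.pack_into("<II", b, 0x04, 7, 8 if dirty else 7)      # sequence numbers
    struct.pack_into("<6I", b, 0x14, 1, 5, 0, 1, 0x20, 0x1000)  # v1.5, root, bins size
    b[0x30:0x30 + 12] = "SYSTEM".encode("utf-16-le")
    struct.pack_into("<I", b, CHECKSUM_OFFSET, regf_checksum(bytes(b)))
    return bytes(b)


if __name__ == "__main__":
    print(parse_base_block(build_sample_base_block()))
```

A checksum mismatch or a dirty sequence pair is the cue to stop and fall back to the hive's transaction logs (or a copy from the volume shadow) rather than reading the hive bins as they stand.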
[Degree-granting institution]: Guangdong University of Technology
[Degree level]: Master
[Year degree conferred]: 2013
[Classification number]: TP393.08; D918.1
[Citing literature]
Related journal articles (top 1)
1 魏思宇. Research on forensic techniques for covert information on computer hosts [J]. 信息技术与信息化 (Information Technology and Informatization), 2015(10).
Related master's theses (top 1)
1 林水宾. Research on techniques based on NTFS file creation [D]. Guangdong University of Technology, 2015.
Article ID: 1761596
Article link: http://sikaile.net/shekelunwen/gongan/1761596.html