Research and Implementation of Evidence Collection Based on Linux Systems
Published: 2018-12-29 16:32
[Abstract]: The development of computer science and information technology has brought people many benefits from its applications, but has also exposed them to a growing amount of computer crime. Most servers worldwide currently run Linux, and as the technical level of computer crime keeps rising, it is necessary to study computer forensics methods and key technologies for Linux systems in order to combat computer crime and safeguard information security. First, the basic forensic model is introduced, an overall architecture diagram for computer system forensics is proposed, and the forensic architecture is divided into an evidence collection module, a data preservation module, an evidence analysis module, a forensic supervision module and an evidence submission module; this thesis focuses on the evidence collection module. For dynamic evidence collection, the thesis first studies how to find and collect rootkit evidence. Starting from an analysis of how kernel rootkits are implemented, detection and collection methods for kernel rootkits are designed and a concrete implementation is given. Detection and collection of user-level rootkits is realised through signature file matching, signature string search, user login logs, hidden processes, hidden ports and detection of network interfaces in promiscuous mode. Finally, experimental results for kernel-level and user-level rootkit detection and collection are presented. Next, static evidence collection is studied from the perspective of intrusion tracks and traces, attack targets and means, and concealment of the intrusion; static evidence collection focuses on suspicious files, log files, permission-sensitive files, hidden files and some configuration file information. Finally, a static evidence collection system is designed and implemented. Following a layered design, the system is divided into four layers: the image layer, the file system layer, the application layer and the interface layer, which raises development efficiency and reduces the difficulty of system testing. The image layer acquires the Linux partition data from the compromised computer and stores it as a file on the forensic workstation. The file system layer implements the file access operations needed for digital evidence collection; the application layer performs log formatting and output, string search, and the collection of hidden files and suid files; the interface layer presents the results of evidence acquisition as web pages in a browser, implementing the interaction with the client's browser. Functional-requirement tests show that the system achieves its intended goals and implements all of the planned functions.
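The application-layer collection of suid files and hidden files described in the abstract, as an added example (Python, not the thesis' own code): it walks a partition image that the image layer has acquired and mounted read-only at the hypothetical path IMAGE_ROOT, classifies each entry by its name and mode bits, and records a SHA-256 digest so the data preservation module can later verify that nothing collected has changed.

```python
import hashlib
import os
import stat
from typing import Dict, List

# Hypothetical path: the partition acquired by the image layer, mounted read-only.
IMAGE_ROOT = "/mnt/evidence/sda1"


def classify(path: str, st_mode: int) -> List[str]:
    """Evidence categories for one entry, derived from its name and lstat mode bits."""
    tags = []
    name = os.path.basename(path)
    if stat.S_ISREG(st_mode):
        if st_mode & stat.S_ISUID:
            tags.append("setuid")          # permission-sensitive: executes as file owner
        if st_mode & stat.S_ISGID:
            tags.append("setgid")
        if st_mode & stat.S_IWOTH:
            tags.append("world-writable")  # any local account could have altered it
    if name.startswith(".") and name not in (".", ".."):
        tags.append("hidden")              # dotfiles/dot-directories: common hiding place
    return tags


def sha256_of(path: str) -> str:
    """Digest in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_static_evidence(root: str) -> List[Dict]:
    """Walk the image and record each setuid/setgid, world-writable or hidden entry."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)            # lstat: never follow symlinks found in the image
            tags = classify(path, st.st_mode)
            if not tags:
                continue
            rec = {"path": os.path.relpath(path, root), "mode": oct(st.st_mode & 0o7777),
                   "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime), "tags": tags}
            if stat.S_ISREG(st.st_mode):
                rec["sha256"] = sha256_of(path)  # fixes the content for later integrity checks
            records.append(rec)
    return sorted(records, key=lambda r: r["path"])
```

Run `collect_static_evidence(IMAGE_ROOT)` against the mount and hand the returned records (path, mode, owner, mtime, digest) to the preservation and presentation layers.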
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year awarded]: 2011
[Classification number]: TP393.08; D918.2
Document number: 2395071
Link: http://sikaile.net/shekelunwen/gongan/2395071.html