Research on Key Technologies of Computer Dynamic Forensics
Abstract
Computer forensics is an important means of combating computer crime. Addressing the problems of static computer forensics techniques, this paper proposes a distributed computer dynamic forensics system model based on multiple agents. The model applies intrusion detection technology to the computer forensics system: on the protected subnet it monitors, in real time, the network data flowing through and the user behaviour on the systems, obtains intrusion evidence, and thereby achieves real-time dynamic forensics.
The thesis studies the technologies involved in three key stages of this dynamic forensics model: evidence collection, evidence analysis and evidence preservation. For evidence analysis it adopts an analysis mode combining misuse detection, anomaly detection and integrity detection, and proposes an implementation scheme that fuses multiple detection techniques within the intrusion detection analysis agent. Because an ordinary intrusion detection module obtains only intrusion evidence, the scheme further introduces a crime feature library into the intrusion detection module and designs an improved intrusion detection model, so that computer crime evidence can be separated from the collected data. For evidence preservation it studies how the chain of evidence is represented and, to guarantee the authenticity and integrity of evidence, proposes an evidence preservation scheme that combines message digests, digital signatures and timestamps.
Domestic research on computer dynamic forensics has only just begun; the results of this thesis lay a foundation for further exploration of the basic methods of computer dynamic forensics and thus for building practical and effective computer forensics systems.
Computer forensics is an important tool in the battle against computer crime. In view of the weaknesses of static computer forensics, a distributed dynamic forensics system based on multiple agents was designed. Using intrusion detection technology, the system monitors user behaviour and network traffic in the protected network, so it can obtain intrusion evidence in time and achieve dynamic forensics.
The thesis also studies in depth the three important aspects of computer dynamic forensics: evidence collection, evidence analysis and evidence preservation. For evidence analysis, an intrusion detection model fusing misuse detection, anomaly detection and file integrity detection was adopted, and an intrusion detection agent fusing multiple detection techniques was designed. To distinguish crime evidence from intrusion evidence, an improved intrusion detection model applying a crime feature database was designed. For evidence preservation, the chain of computer crime evidence was studied and, to guarantee the legal effect of digital evidence, an evidence-securing method uniting message digest, digital signature and timestamp techniques was put forward.
Research on computer dynamic forensics in China is still at an initial stage, so the principal results of this thesis are helpful for exploring computer forensics methods and for constructing useful computer forensics systems.