Research on Key Techniques of Document Fragment Forensics
Abstract
Document fragment forensics is currently one of the important research hotspots in digital forensics. This thesis summarizes the theory, techniques and research status of document fragment forensics and focuses on a document fragment forensic model and its key problems, in particular fragment classification and reassembly algorithms. The main contents are as follows:
     1. Document fragment forensic model. First, the problems of existing forensic models and the data characteristics of document fragments are analysed, and on that basis a forensic analysis model for document fragments is designed. Second, compared with other models, this model covers a more complete set of forensic analysis stages and introduces the concept of an "information flow" corresponding to each analysis stage. Finally, the model is applied to a concrete case analysis.
     2. Document fragment classification. First, the definitions of the different fragment types and the relations between them are fixed, the fragment classification problem is described formally, a three-level fragment classification model is proposed, and the key problems of that model are identified. Second, a file-header fragment classification algorithm based on the naive Bayes principle is proposed and its feasibility verified; using support vector machine learning theory, a file-header fragment classification algorithm based on an augmented k-spectrum kernel is proposed, and the two algorithms are compared. Finally, the application of the information-theoretic entropy principle to fragment classification is studied, a classification algorithm based on the entropy feature of fragments is proposed, and its effectiveness verified.
     3. Document fragment reassembly. First, the fragment reassembly problem is described formally. Second, an image fragment reassembly algorithm based on pixel similarity is proposed; it uses the pixel similarity between fragments to determine which fragments are adjacent, and so reassembles the original content of the document. Finally, a region-based document fragment reassembly algorithm is proposed; its key step is to determine the region of the storage medium occupied by fragments of a given type, use the entropy feature of the fragments to remove noise fragments from that region, and then reassemble the remaining fragments according to their logical order on the medium.
     4. Criteria for evaluating the forensic capability of models. First, the shortcomings of existing models and forensic tools are set out. Second, the main challenges currently facing forensic investigators are analysed. Finally, a tentative set of reference criteria for evaluating a model's forensic capability is proposed, and existing forensic models are compared against it.
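The entropy-based classification in item 2 and the region-based reassembly in item 3 can be illustrated together. The following is an added example, not code from the thesis: it computes the Shannon entropy of 512-byte fragments, maps each fragment to a coarse class, and then, within a run of sectors assumed to hold one document, drops the fragments whose class does not match and concatenates the rest in their on-disk order. The sector size, the entropy thresholds and the sample sectors (a repeated pangram, SHA-256 output standing in for compressed or encrypted data, and a wiped sector) are all constructed assumptions for this example; the thesis does not publish its thresholds.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, List, Tuple

# Fragment size: one 512-byte sector, the smallest unit a carver usually sees.
# An assumption for this example; the thesis does not fix a fragment size.
FRAGMENT_SIZE = 512

# Entropy bands in bits per byte. Illustrative assumptions, not thesis values:
# they separate the three constructed classes below with a wide margin.
ZERO_FILL_MAX = 0.5   # wiped or unused space: very few distinct byte values
TEXT_MAX = 6.0        # natural-language text sits around 4-5 bits/byte;
                      # above this we treat data as compressed/encrypted/random


def shannon_entropy(data: bytes) -> float:
    """H = -sum_x p(x) log2 p(x) over the byte histogram, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_fragment(fragment: bytes) -> str:
    """Coarse class from the entropy value alone."""
    h = shannon_entropy(fragment)
    if h < ZERO_FILL_MAX:
        return "zero-fill"
    if h < TEXT_MAX:
        return "text"
    return "high-entropy"  # compressed, encrypted or random data


def reassemble_region(sectors: List[bytes], wanted: str) -> bytes:
    """Region-based reassembly: keep only fragments of the wanted class and
    join them in their logical (sector) order; everything else is noise."""
    return b"".join(s for s in sectors if classify_fragment(s) == wanted)


def build_region() -> Tuple[List[bytes], bytes]:
    """Constructed sample region: a 4-sector text document in sectors 0,1,3,4,
    a high-entropy fragment in sector 2 and a wiped sector at 5 as noise.
    Returns (sectors, original_document)."""
    sentence = b"The quick brown fox jumps over the lazy dog. "
    document = (sentence * (4 * FRAGMENT_SIZE // len(sentence) + 1))[:4 * FRAGMENT_SIZE]
    text_parts = [document[i:i + FRAGMENT_SIZE]
                  for i in range(0, len(document), FRAGMENT_SIZE)]
    # Deterministic pseudo-random bytes stand in for a compressed/encrypted fragment.
    noise = b"".join(hashlib.sha256(bytes([i])).digest()
                     for i in range(FRAGMENT_SIZE // 32))
    wiped = bytes(FRAGMENT_SIZE)
    sectors = [text_parts[0], text_parts[1], noise, text_parts[2], text_parts[3], wiped]
    return sectors, document


def analyse_region() -> Dict[str, object]:
    """Classify every sector of the constructed region and check that the
    text fragments alone reassemble to the original document."""
    sectors, document = build_region()
    return {
        "entropies": [round(shannon_entropy(s), 2) for s in sectors],
        "classes": [classify_fragment(s) for s in sectors],
        "recovered_ok": reassemble_region(sectors, "text") == document,
    }


if __name__ == "__main__":
    for key, value in analyse_region().items():
        print(f"{key}: {value}")
```

Entropy alone cannot tell a JPEG body from an encrypted container, which is why the thesis combines it with header classification and with the logical order of fragments on the medium; here the entropy band is only used to discard fragments that clearly do not belong to the text document occupying the region.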
Document fragment forensics is vital for restoring deleted files from a scattered set of fragments. Fragmentation is a regular occurrence on hard disks, memory cards and other storage media, so a forensic analyst examining a disk may encounter many fragments of deleted files yet be unable to determine the proper sequence in which to rebuild them. A model of document fragment forensics is needed, together with classification algorithms that identify the type of a fragment and reassembly algorithms that restore the files. This thesis studies document fragment forensics in detail. The main work is as follows:
     1. The extended forensic and analysis model of document fragments
     An extended forensic and analysis model of document fragments is presented in order to investigate fragments in storage media efficiently. The model extends the existing forensic process for document fragments and introduces information flow and forensic results into it. Existing forensic models are compared with the document fragment forensic model, and the chain of custody of digital evidence is thereby strengthened. A forensic case shows that the model is able to investigate document fragments in a digital system.
     2. Document fragment classification technique
     First, a three-phase fragment classification model is presented in order to find all fragments belonging to a file, and a fragment classification algorithm based on the naive Bayes principle is given. Then support vector machines are studied to improve fragment classification. Finally, a classification algorithm based on the entropy of fragments is proposed. Experiments show good classification performance for these algorithms.
     3. Document fragment reassembly technique
     First, a new reassembly algorithm for image fragments is proposed. It computes a relevance measure between every pair of fragments and then, according to the best candidate weights of all fragments, derives the best sequence of image fragments. Finally, a reassembly algorithm based on the distance between fragments is proposed, which reassembles fragments using the information entropy principle; the results show that the algorithm can reassemble document fragments by the entropy of the fragments.
     4. Criteria for estimating the forensic capability of models
     First, in order to evaluate digital forensic models and forensic tools, many traditional forensic models are studied. Second, the challenges faced during digital forensic investigation are discussed. Third, criteria for estimating the forensic capability of a digital forensic model are put forward.
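The pixel-similarity reassembly of item 3 can be shown on a small synthetic image. The following is an added example, not the thesis's algorithm or code: the relevance measure between two fragments is taken to be the sum of absolute pixel differences across the seam between one fragment's last scanline and the other's first, and the sequence is recovered greedily from the fragment assumed to carry the file header. The 16x8 gradient "image", the two-scanline fragment size and the scatter permutation are constructed assumptions; the thesis's own weighting scheme is not reproduced here.

```python
from typing import Dict, List, Sequence

Row = List[int]        # one grayscale scanline, pixel values 0..255
Fragment = List[Row]   # a fragment is a run of consecutive scanlines

# Constructed 16x8 grayscale image: a smooth diagonal gradient. Adjacent
# scanlines differ by 15 per pixel, so the seam between true neighbours is
# much cheaper than any other pairing. Dimensions are assumptions.
HEIGHT, WIDTH, ROWS_PER_FRAGMENT = 16, 8, 2


def make_image() -> List[Row]:
    return [[r * 15 + c for c in range(WIDTH)] for r in range(HEIGHT)]


def fragment_image(image: List[Row]) -> List[Fragment]:
    """Cut the image into fixed-size runs of scanlines (the 'fragments')."""
    return [image[i:i + ROWS_PER_FRAGMENT] for i in range(0, HEIGHT, ROWS_PER_FRAGMENT)]


def boundary_cost(a: Fragment, b: Fragment) -> int:
    """Dissimilarity across the seam if b follows a: sum of absolute pixel
    differences between a's last scanline and b's first. Lower = better."""
    return sum(abs(x - y) for x, y in zip(a[-1], b[0]))


def greedy_reassemble(fragments: Sequence[Fragment], header: int) -> List[int]:
    """From the fragment holding the file header, repeatedly append the unused
    fragment with the lowest boundary cost to the current tail. Returns the
    recovered order as indices into `fragments`."""
    order = [header]
    remaining = set(range(len(fragments))) - {header}
    while remaining:
        tail = fragments[order[-1]]
        best = min(remaining, key=lambda i: boundary_cost(tail, fragments[i]))
        order.append(best)
        remaining.remove(best)
    return order


def demo() -> Dict[str, object]:
    """Scatter the fragments with a fixed permutation, reassemble them, and
    report the recovered order (in original fragment numbers) and whether
    the rebuilt image matches the original."""
    image = make_image()
    original = fragment_image(image)
    scatter = [5, 2, 7, 0, 3, 6, 1, 4]     # scattered[k] = original[scatter[k]]
    scattered = [original[i] for i in scatter]
    header_at = scatter.index(0)           # where the header fragment landed
    order = greedy_reassemble(scattered, header_at)
    rebuilt = [row for i in order for row in scattered[i]]
    return {
        "recovered_order": [scatter[i] for i in order],
        "image_ok": rebuilt == image,
    }


if __name__ == "__main__":
    print(demo())
```

The greedy chain is exact on this gradient because every true seam costs 120 while the next-best candidate costs 360. On real images the measure is noisier and a wrong early choice propagates, which is why the thesis weighs all candidates rather than committing fragment by fragment; the example shows the measure and the chaining step, not that refinement.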