Research on the Security of Computer Forensics and Forensic Reasoning
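Abstract

Computer forensics is an important means of resolving disputes and combating computer crime, and an important aspect of information assurance; it plays an important role in maintaining social stability and legal order. The security and reliability of computer forensics face particular challenges. First, the fragility of digital evidence means that evidence is easily modified and the modification is hard to detect; during collection and after acquisition, digital evidence faces threats such as destruction of evidence, media errors and forgery of specific data. Second, the massive volumes of data involved in many cases mean that preserving digital evidence runs into a conflict between the need for fine-grained integrity checking and the large volume of hash data. At the same time, anti-forensics threats make the security of digital evidence acquisition tools a new problem, and the reliability of the conclusions of computer forensic analysis is increasingly questioned.

Based on an analysis of the state of research and the open problems in computer forensics at home and abroad, and with the goal of strengthening the security and reliability of computer forensics, this dissertation studies fine-grained data integrity checking theory to support fine-grained digital evidence preservation, and thereby the authenticity and integrity of digital evidence. It also studies the security of digital evidence acquisition methods and reliable formal forensic reasoning methods. The main research work and contributions are as follows:

First, to address the need for fine-grained data integrity checking in computer forensics and the problem of large hash volumes caused by massive data, a fine-grained data integrity checking method based on combinatorial coding principles is proposed, called integrity indication coding. Integrity indication coding uses a supervision matrix to represent the supervision relationship between hashes and data objects; through suitable cross-checking, it achieves fine-grained data integrity checking with less hash data while keeping the security of hash checking unchanged. The method is suitable for fine-grained digital evidence preservation. Several traditional integrity checking schemes are all special cases of integrity indication coding without cross-checking. A coding gain metric is designed as the basis for choosing among codes and setting parameters. A fine-grained data integrity checking scheme can isolate a small number of errors accurately and efficiently, reducing the catastrophic effect of the whole data set becoming invalid because of accidental errors or a small amount of tampering.

Second, based on the fine-grained data integrity checking method, three codes are constructed: the combinatorial single-error integrity indication code, the hypercube single-error integrity indication code and the finite-field multi-error integrity indication code. Two approaches, concurrent computation and rehash computation, are used to speed up hash generation and improve the efficiency of fine-grained data integrity checking.

The combinatorial single-error integrity indication code achieves a large compression of the hash data under the single-error condition. The hypercube single-error integrity indication code has a high compression ratio and a relatively low error amplification ratio under the single-error condition, and, by choosing any natural number as the order of the hypercube, it can handle data objects of different scales in an efficient combinatorial way. The finite-field multi-error integrity indication code can indicate multiple errors accurately, has a high compression ratio and a low error amplification ratio when the error rate is low, and can meet different practical needs through flexible setting of the code parameters. The finite-field multi-error integrity indication code has a modular hash structure: for a d-dimensional vector space over the finite field GF(q), each additional (d-1) groups of hashes, (d-1)q hashes in total, allow one more error to be indicated. The hashes of the hypercube single-error integrity indication code and the finite-field multi-error integrity indication code have a parallel grouping relationship: a single group of hashes can by itself indicate the integrity of all the data, which makes it possible to store the hash data separately with multiple parties and increases the practicality of fine-grained data integrity checking in applications such as digital evidence preservation.

Next, in response to anti-forensics threats, the vulnerability of the context triggered piecewise hash algorithm, a typical evidence identification method based on low-level data features, is analysed, and a keyed fast context triggered piecewise hash algorithm is proposed. By introducing variable parameters into the context triggered piecewise hash algorithm and its traditional hash algorithm, different keys generate different file fingerprints, which makes it harder for an attacker to obtain the key or the parameter combination by guessing keys or comparing file fingerprints and then attack the file fingerprint. While generating one additional hash fingerprint, the improved algorithm is as fast as or faster than the original algorithm, and it can find similar files to a greater extent. Performance analysis and experimental results show that the parameter groups generated from different keys are largely independent of one another and that the space of parameter groups is large, so the algorithm resists targeted attacks such as forgery, file splitting and merging, and modification at specific positions, and its security is clearly improved.

Finally, to address the shortcomings of existing finite state automaton models, a general Mealy-type timed finite state automaton model and its forward, bidirectional and other reasoning strategies are proposed. The model can simultaneously express evidence about system input, output and internal running state together with its time attributes, which helps the formal representation of digital evidence and case modeling. Case analysis and experimental results demonstrate the effectiveness of the general model and its reasoning strategies.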
Computer forensics is an important method for resolving civil disputes and fighting computer crime, and also a way to realize information assurance. It plays an increasingly important role in maintaining social stability and law and order.

The security and reliability of computer forensics face special challenges. First of all, digital evidence is inherently vulnerable: it is easily modified, while the modifications are very difficult to discover. In the process of gathering and preserving digital evidence there are many kinds of threats, such as evidence destruction, medium errors and forgery of specific data. Secondly, the mass data involved in many cases is a difficult challenge for computer forensics, namely the contradiction between the demand for fine-grained evidence preservation and the mass of hash data. Furthermore, with the development of anti-forensics technologies, the security of digital evidence acquisition and identification methods and tools becomes a new and difficult problem. At the same time, the reliability of the analysis conclusions of computer forensics is occasionally doubted.

In this dissertation, we first summarize the research results on theories and methods of computer forensics. Then, in order to improve the security and reliability of computer forensics, the fine-grained data integrity theory is studied to support fine-grained digital evidence preservation. It helps assure the fidelity, integrity and security of digital evidence. Secure methods of digital evidence acquisition and identification, and a formal forensic reasoning method, are also studied. The main contributions of this dissertation are recapitulated as follows:
First of all, to satisfy the demand for fine-grained data integrity checking in computer forensics and to solve the issue of mass hash data, a fine-grained data integrity check method is proposed based on combinatorial coding theory. It is named integrity indication coding (IIC). A check matrix is used to express the check relationship between hashes and data. IIC can accomplish fine-grained data integrity checking using less hash data via cross hash checking. It is suitable for fine-grained digital evidence preservation. Traditional integrity check schemes can be taken as particular cases of IIC without cross hash checking. A measurement of code gain is also designed to guide the choice of the right code and parameters for a real application. The fine-grained data integrity check method can mitigate the disastrous effect of some random errors or intentional forging modifications. If a portion of the evidence data or a file is corrupted, it can isolate the damage efficiently and accurately, so the intact remainder will still be usable.

Thereafter, based on the fine-grained data integrity check method, the combinatorial one error integrity indication code (CleIIC), the hypercube one error integrity indication code (HleIIC) and the Galois field multi-error integrity indication code (GFIIC) are proposed. A concurrent computing model and a rehash computing model are used to accelerate the hash computing process and improve the efficiency of fine-grained data integrity checking.

The combinatorial one error integrity indication code has a very high hash compression ratio. The hypercube one error integrity indication code has a high compression ratio and a low base error amplification ratio. By setting any positive integer as the hypercube's order, HleIIC is able to deal with data objects of different scales efficiently.

GFIIC can indicate multiple errors accurately with a high compression ratio and a low error amplification ratio, and it provides a scalable scheme for different applications through several parameters. GFIIC has a modular hash check structure. In a d-dimensional vector space over GF(q), one more error can be indicated by adding q rows d-1 columns hashes every time. At the same time, all hashes of GFIIC and HleIIC can be divided into several groups, and each group can indicate the integrity of all data independently. So it has the capability of preserving hash data separately, which makes the fine-grained data integrity check method useful in digital evidence preservation.
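The cross hash checking described above can be illustrated with a hypercube layout. This is an added example, not the dissertation's own construction: the layout (block index written in base `order`, one SHA-256 hash per coordinate value in each dimension), the function names and the sample blocks are assumptions chosen for illustration. It shows the check matrix, locating a single corrupted block from `dim * order` hashes, and the candidate superset returned when two blocks are corrupted.

```python
import hashlib

def coords(index, order, dim):
    """Position of a block in the hypercube: the base-`order` digits of its index."""
    return tuple((index // order ** j) % order for j in range(dim))

def check_matrix(n_blocks, order, dim):
    """Hash row j*order+v covers every block whose j-th coordinate equals v."""
    if n_blocks > order ** dim:
        raise ValueError("hypercube too small for this many blocks")
    rows = [[0] * n_blocks for _ in range(dim * order)]
    for i in range(n_blocks):
        for j, v in enumerate(coords(i, order, dim)):
            rows[j * order + v][i] = 1
    return rows

def group_hashes(blocks, order, dim):
    """One SHA-256 digest per check-matrix row, over the blocks that row covers."""
    digests = []
    for row in check_matrix(len(blocks), order, dim):
        h = hashlib.sha256()
        for i, covered in enumerate(row):
            if covered:
                # Index and length prefixes keep block boundaries unambiguous.
                h.update(i.to_bytes(8, "big") + len(blocks[i]).to_bytes(8, "big"))
                h.update(blocks[i])
        digests.append(h.hexdigest())
    return digests

def failing_coords(blocks, stored, order, dim):
    """For each dimension (hash group), the coordinate values whose hash changed."""
    current = group_hashes(blocks, order, dim)
    return [[v for v in range(order) if current[j * order + v] != stored[j * order + v]]
            for j in range(dim)]

def locate(blocks, stored, order, dim):
    """Blocks lying on a failing hash in every group: exact for one error,
    a superset of the corrupted blocks for several."""
    failing = failing_coords(blocks, stored, order, dim)
    return [i for i in range(len(blocks))
            if all(c in failing[j] for j, c in enumerate(coords(i, order, dim)))]

# Constructed sample data: 64 blocks in a 4 x 4 x 4 cube, 12 hashes instead of 64.
ORDER, DIM = 4, 3
SAMPLE_BLOCKS = [f"constructed evidence block {i}".encode() for i in range(64)]
STORED = group_hashes(SAMPLE_BLOCKS, ORDER, DIM)

if __name__ == "__main__":
    one = list(SAMPLE_BLOCKS)
    one[37] = b"tampered"
    print("hashes stored:", len(STORED))
    print("single error located at:", locate(one, STORED, ORDER, DIM))
    two = list(SAMPLE_BLOCKS)
    two[4], two[14] = b"x", b"y"
    print("two errors, candidates:", locate(two, STORED, ORDER, DIM))
```

Every block is covered by exactly one hash in each of the `dim` groups, so any one group of `order` hashes already detects a change anywhere in the data, and the groups can be stored separately.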
Next, an improved resilient and quick context triggered piecewise hash algorithm with key is proposed. The context triggered piecewise hashing technique, which is based on the bit stream characteristics of data, is suitable for identifying or filtering evidence. Facing the threat of anti-forensics technology, the vulnerability of context triggered piecewise hashing is analyzed, and then an improved resilient and quick algorithm with key, named secure and quick hash checksum (Sksum), is proposed. By using variable parameters in the context triggered piecewise hashing, the algorithm produces a different file signature for a file with a different key. It is more difficult for attackers to obtain the key or the parameter combination of a file signature, so as to attack the file signature, by guessing keys or comparing file signatures. Sksum can generate a file signature with one more hash signature at the same or a faster speed compared to the original algorithm. The performance analysis and experiment results show that the parameter combinations of different keys are independent, and that there is a huge number of choices for parameter combinations. The algorithm can deal with forging, file splitting and merging, and specific file position modification attacks, and its security performance is clearly improved.

Finally, a timed Mealy finite state machine model with multiple reasoning strategies is proposed to overcome the disadvantage of Gladyshev's finite state machine model. It can express the evidence of system input, output and inner state with time attributes at the same time. It is suitable for digital evidence formalization and case modeling. Case study and experiment results show that the general model with its reasoning strategies is feasible and adaptable.