Research on Several Key Technologies for Digital Evidence Integrity
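Abstract
With the accelerating informatization of society and the spread of e-government and e-commerce, a number of the resulting social problems have become tied to electronic information, and the handling of digital evidence is becoming a focal point when disputes and controversies are resolved. The use of digital evidence is a research problem at the intersection of law and technology, and work that combines the two organically is still lacking. The legal field does not sufficiently understand the technical characteristics of digital evidence. Under the modern system of evidence, most judges are far removed from electronic or information technology; when a judge determines the probative force of a piece of digital evidence, there are no hard rules to follow, and the judge can rely only on personal experience. In current judicial practice, how the probative force of digital evidence should be determined, that is, how much probative force the digital evidence has, often becomes the focus of argument in court and a thorny matter for the judge assessing the evidence.
     Because digital evidence is easily tampered with, destroyed and forged without leaving obvious traces, and because the computer systems on which it depends are easily attacked and altered without detection, digital evidence itself faces challenge in litigation, and its integrity has become an important concern for courts, investigating authorities and defendants. Some scholars therefore regard the integrity of digital evidence as an important attribute for assessing its probative force. However, the integrity of digital evidence touches every stage, from fixing the evidence source, through evidence extraction and analytical reasoning, to report generation. It is a complex technical process, which is also why there has so far been little research on digital evidence integrity in academia at home or abroad.
     The author summarizes the latest results in computer forensics theory and the development needs of digital evidence applications, poses digital evidence integrity as the research topic, sets out the research direction of this thesis, and proposes a research approach that takes the chain of custody as its core and studies integrity by dividing the forensic investigation process for digital evidence into layers and layered modules. Drawing on current theoretical research on digital evidence, current forensic practice, and the way courts currently handle digital evidence, the author systematically carries out targeted research on several key technical problems of digital evidence integrity. The specific research content includes: an evaluation system for the degree of digital evidence integrity and a method for its quantitative analysis; evidence time analysis techniques for the evidence collection stage; the design of a scheme that uses digital-signature cryptography to address digital evidence integrity at the document layer; and integrity analysis of the analytical reasoning over digital evidence at the presentation layer. Some of the theoretical results, such as the author's evidence time-binding technique, the dynamic labelling techniques and methods based on the Biba model for the evidence analysis stage, and the modelled definition of the evidence reasoning process using conditional finite state machines, have been given an initial exploratory application in cases in which the author took part as a national judicial expert examiner, such as "Panda Burning Incense" (熊猫烧香) and "the first website-alliance fraud case in China".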
With the accelerating informatization of society and the spread of applications such as e-government and e-business, some social problems have become tied to digital information, and the key to settling disputes is to handle digital evidence appropriately. As an interdisciplinary field between law and computer science, the application of digital evidence still lacks in-depth study. Legal researchers investigate the relevant legal features and the identification of digital evidence, but lack an understanding of its technological features and acquisition methods. Most judges are far removed from information technology, and there are no rigid rules for them to follow when evaluating the probative force of digital evidence; they can rely only on personal experience. For a particular case, how much weight does the digital evidence carry? To what degree does it have probative force? These questions become the subject of debate in court and a thorny problem for judges assessing judicial evidence.
     The ease with which digital evidence can be altered, destroyed, or manufactured in a convincing way is alarming, and it constrains the widespread use of digital evidence in crucial litigation. Protecting the integrity of digital evidence has become a paramount concern for courts, investigative bodies and the accused. Some legal scholars who study digital evidence integrity consider it an important attribute index of the probative value of digital evidence. Protecting that integrity is a complicated technological process that involves several aspects, such as fixation of the digital evidence source and the extraction, analysis and expression of digital evidence. This is also why there has been little research on the integrity of digital evidence in domestic and international academic circles.
     In this paper, after summarizing the newest academic achievements in computer forensics and the application development requirements of digital evidence, the research subject of digital evidence integrity is briefly introduced. The author then proposes taking the Chain of Custody as the core and dividing the legal investigation in computer forensics into several module levels in order to analyze the integrity of digital evidence. Combining the research development of current digital evidence theory, the practical use of digital forensics and the application of digital evidence in current court proceedings, this paper studies several critical problems of digital evidence integrity and proposes solutions, which include: an integrity index system for digital evidence and quantitative methods of degree evaluation; digital timestamping of digital evidence; digital signatures for digital evidence integrity; and integrity assurance of evidence analysis. Some research achievements, such as the method of dynamic labels of the Biba model in forensic evidence analysis, are being applied in real computer forensics practice.
