
云计算环境中面向取证的现场迁移技术研究

Research on Scene Migration of Computer Forensics in Cloud Computing Environment

【Author】 Zhou Gang

【Supervisors】 Xie Changsheng; Cao Qiang

【Author information】 Huazhong University of Science and Technology, Computer System Architecture, 2011, PhD

【Abstract (translated from the Chinese)】 Cloud computing is characterized by the consolidation of computing resources, delivering good quality of computing service at low cost; both enterprise and individual users can share information freely through the massive information repositories of the cloud. Although a cloud computing platform can provide efficient services to a wide range of users, criminals can also carry out illegal activities on it, and forensic technology is a necessary means of effectively discovering and proving such activity. However, traditional file-based forensic methods no longer fit the cloud computing service model: a cloud computing environment is made up largely of a great many distributed, heterogeneous virtual computing resources, and this complex structure poses enormous challenges to computer forensics. Adapting to these changes in the forensic environment and carrying out forensic work in a cloud computing environment has therefore become an important research topic. System virtualization and data migration technologies make forensic work in a cloud computing environment possible. No usable forensic model yet exists for cloud computing; by modeling cloud forensics, the cloud platform is treated as a system composed of many virtual machines, and the virtual machine instances running on it become the objects of forensic analysis. To obtain those objects, scene migration technology is used to preserve the virtual machine instance at the virtualization software layer, guaranteeing the integrity and consistency of the migrated image file's contents. To load the virtual machine image file in a localized system for forensic analysis, a separately partitioned temporary image-file partition serves as the place where the image file and the localized system exchange information, so that the image file loads correctly and on-site forensics in a cloud environment can be performed. To this end, the thesis first proposes a new computer forensics model for the cloud computing environment, the Cloud Computing Forensics Model; the model defines the working layers of the cloud environment and, through scene descriptions and the division of process components, characterizes the complete forensic mechanism. By proving the model's completeness and strong isolation, virtual machine image files can be analyzed as forensic objects, realizing the computer forensics process in a cloud environment. Second, by controlling the virtualization software layer of the cloud platform and exploiting its state transitions, a migration method for virtual machine image files is proposed. By saving and reconstructing the process identifiers, memory mappings, network connection information and file system information of the upper-level virtual machine while the virtualization layer is in the migration state, the entire system state of the virtual machine can be preserved; through localized image loading, the whole virtual machine image is migrated from the cloud platform into a local forensic environment for analysis, achieving the acquisition of electronic evidence from the cloud platform. Third, because the migrated virtual machine image file must be loaded locally before further forensic analysis, a loading method based on a temporary image disk is proposed. So that the image file can be loaded normally in the local environment, a temporary disk partition not allocated by the file system is designed as the place where the image's file system and the operating system of the local device exchange information, keeping the two systems consistent in hardware configuration and services so that the virtual machine image file loads correctly. Finally, to make it easier to search, analyze and manage the object files of a forensic case, a database management structure for case-related forensic image files is proposed. Through the research on these methods, forensic work in a cloud computing environment is achieved.

【Abstract】 The main advantages of cloud computing are its lower cost through the consolidated use of computing services, and the ability of both business and individual users to share information freely through the cloud's mass information repositories. Although cloud computing can provide efficient service to customers, criminals can also conduct illegal activities on this platform, and forensic technology is a necessary, proven means of discovering and establishing such violations. But the traditional file-based approach to evidence is not suited to the cloud computing service model: gathering evidence across the large-scale, distributed, heterogeneous virtual computing infrastructure of a cloud is a major challenge. In order to meet these changes, forensic work in the cloud computing environment has become an important issue. System virtualization and data migration technology make forensic work in the cloud computing environment possible. Cloud computing is a virtualization platform in a business model, and no usable forensic model exists for it yet. If forensics is modeled over the cloud, the cloud platform can be viewed as a system composed of multiple virtual machines, and the virtual machine instances can be used as the objects of forensic analysis. To obtain those objects, we make use of scene migration technology to preserve the virtual machine instance at the virtualization software layer, ensuring the integrity and consistency of the transferred image file's contents. To load the virtual machine image file in a localized system for forensic analysis, a separate partition for temporary image files serves as the point of information exchange between the image file and the localized system, so that the virtual machine image file can be loaded correctly and on-site forensic work carried out in the cloud computing environment. Therefore, firstly, we propose a new computer forensics model for the cloud environment, the Cloud Computing Forensics Model (CCFM). CCFM defines the working levels of cloud forensics and, through scene description and the division of process components, gives a complete forensic model. By proving the integrity and strong isolation of the model, the virtual machine image file can be analyzed as evidence, fulfilling the computer forensics process in the cloud computing environment. Secondly, a migration method for virtual machine image files is proposed, using the state transitions of the cloud platform's virtualization software layer. By preserving and reconstructing the process identifiers, memory mappings, network connection information and file system information of the virtual machine above the virtualization software layer during migration, the complete state of the virtual machine system can be saved; by localized image loading, the entire virtual machine image is transferred from the cloud computing platform to the local forensic analysis environment, acquiring electronic evidence from the cloud computing platform. Thirdly, a temporary disk image loading method is introduced, because the migrated virtual machine image file needs to be loaded locally for further forensic analysis. To make image files load properly in the local environment, a provisional disk partition not allocated by the file system is designed as the point of information exchange between the image file system and the operating system of the local device, keeping the two systems consistent in hardware configuration and services so that the virtual machine image file loads correctly. Finally, a database management structure for the forensic image files involved in a case is proposed, to facilitate finding, analyzing and managing the object files of evidence. By the above methods, forensics in the cloud computing environment can be achieved.

  • 【CLC number】TP393.08;D918.2
  • 【Cited by】8
  • 【Downloads】2130