节点文献
基于Windows日志的计算机取证研究
Computer Forensics Research Based on Windows Log
【作者】 李秋香;
【导师】 胡亮;
【作者基本信息】 吉林大学 , 计算机系统结构, 2008, 硕士
【摘要】 近年来,计算机犯罪手段不断升级,单靠网络安全防御技术打击计算机犯罪不可能非常有效。因为被保护的目标系统仍然有可能被入侵,所带来的损失无法通过法律途径进行弥补,因此需要发挥法律的强大威力来对付计算机犯罪,计算机取证正是在这种形势下产生和发展起来的。打击计算机犯罪的关键是具有法律效力的电子证据。日志是目前计算机取证中重要的电子证据来源。传统的计算机取证技术所分析的信息是案发后提取的,很有可能是已被作案者破坏的。针对以上问题,本文提出了基于Windows日志的计算机取证模型。采用实时提取被监控主机的日志信息,解决取证的滞后性问题。提出取证信息完整保护方法,该方法通过数字签名技术和安全散列算法对取证信息的完整性进行严格的保护,以确保日志信息成为电子证据的资格。论述了使用SSL协议将日志信息安全传输到监控机上的可行性。在日志信息的存储上采用信息分散算法(IDA),将日志信息分散在n台日志服务器上存储。取证分析时利用任意m(m<n)个分片即可重建原有日志信息。
【Abstract】 Nowadays, computer is revolutionizing our life, making quickeradvancement and more convenience possible. However, it also bringsunexpected negative impact. With the artifices of computer crimecontinuously upgrading, defended technology of network security, such asAntivirus Software, Firewall and Intrusion Detection System, can’t be veryeffective. Because they are unable to overcome the same defect that theprotected object system may be infected by virus, hacker and trojan.Moreover, the loss brought by intrusion could not be made up throughapproach of law. Under such application background, computer forensics,which analyzes and gets the evidence about the crimes happened incomputer system and computer networks, began to develop rapidly. Thus,the loss caused by the intrusion can be avoided. And the criminals can alsobe cautioned and deterred simultaneously.The evidence is the key and soul of the case which decides the fate ofthe case, so as the computer criminals. New electronic evidence emergedwith the development of computer forensics theory. It is distinguished fromany other types of traditional evidence because of its high accuracy,frangibility and multiformity.Each device produces logs to record its behavior or events, so that theadministrator can check the reasons of errors or the trace left by attacker.Therefore, the logs become an important source of electronic evidence incomputer forensics. However, characteristics of log is extremelyinconvenient as electronic evidence. It contains five aspects: diversity andrelevance, weak of readability, poor reliability, large volume of data anddifficult obtaining.In this thesis, basic theories and techniques of computer forensics arediscussed, as well as the principles and current problems are mentioned.Meanwhile, the log’s characteristics are further studied. Five essential aspects that must be solved so as to make logs become electronic evidenceare emphasized, including are diversity and relevance, weak of readability,poor reliability, large volume of data and difficult obtaining characteristic.The existing log system can record log’s information comprehensively,however, its objective doesn’t aim at computer forensics and it doesn’tpossess authentication mechanism. Therefore, the recorded logs don’t haveLaw Effect and they can’t become legal evidence either. The existingsoftware of computer forensics may also get Logs, but it mainly disk-copyand analyzes on the information which left after crime. The information maybe broken by intruders who possess anti-forensics technology.Considering the mentioned question above, a computer forensics modelbased on Windows log is proposed in this thesis through the further researchon the aspects of computer forensics, electronic evidence and log, etc. It is akind of dynamic model forensics, which focuses on the protection of log.The system is divided into three modules: log access module, protectionmodule of log integrity, storage and reconstruction module of log. Logaccess module uses the method to extract log information from monitoredmainframe at runtime, so the problem of forensics posteriority can be wellsolved. Protection module of log integrity presents a method to protect theintegrity of forensics information, which makes the protection be strict viadigital signature and secure hash algorithm, so as to ensure that loginformation becomes the eligibility of electronic forensics. Storage andreconstruction module of log uses the method of IDA(Information DispersalArithmetic) which can tolerate the destructive activities from attackers. Inother words, if the destructive activities are in the tolerance scope of thealgorithm, the initial log information can be recovered by the algorithm.In log access module, the log files of application, system and securityare circularly monitored. In this case, the new log can be accessed when itgenerates. The intruders can’t destroy the evidence even they modified anddeleted the logs after intrusion. It makes up the deficiency of post-event investigation.In the protection module of log integrity, the logs are indeed accessedfrom the monitored mainframe by the method of creating digital signaturefor log. Meanwhile, the association relation is created among logs, so as tofind if the logs are deleted or lost in verification. Notably, the feasibilitythe logs are transmitted to monitor mainframe by SSL in security isdiscussed. In the whole process, it protects the consistency and ensures theevidence qualification of logs.In storage and reconstruction module of log, the slicing process whenthe log records are stored is as follows: The log records are respectivelydispersed into n shares by information dispersal arithmetic in the monitormainframe. In order to ensure the integrity verification when the shares arereconstructed, the share and the hash values of all shares are sent secure logserver. And the reconstruction process when the log records are analyzed isas follows: the monitor mainframe requests shares from m log servers, thenthe monitor mainframe can reconstruct the log records throughcorresponding information in m(m<n) random log servers and validate theintegrity of the log records through the hash values of all shares. The logrecords are dispersedly stored in n log servers, because m in n shares canreconstruct the logs, the intruder must inbreak n-m+1 log servers if he wantsto destroy. The difficulty of the intruder’s attack is increased greatly. Thesecurity of long-time stored logs is guaranteed.In conclusion, a computer forensics model based on Windows log isproposed in this thesis. It solves the security and integrity when the logs aretransferred and stored. The logs are protected by the way of real-timesending to the remote. The method ensures the credibility, accuracy andintegrity of the logs as electronic evidence. The work lays the foundation forthe obtainment of electronic evidence and detecting of computer criminalcases.
- 【网络出版投稿人】 吉林大学 【网络出版年期】2008年 10期
- 【分类号】TP309
- 【被引频次】7
- 【下载频次】510