
Research on Key Technologies of Computer Dynamic Forensics

[Author] 谭敏

[Supervisor] 胡小龙

[Author information] 中南大学 (Central South University), Software Engineering, 2007, Master's thesis

[Abstract (Chinese, translated)] Computer forensics is an important means of combating computer crime. Addressing the problems of static computer forensics techniques, this thesis proposes a distributed computer dynamic forensics system model based on multiple agents. The model applies intrusion detection technology to the forensics system: it monitors the network traffic flowing through the protected subnet and the user behaviour within its systems in real time, captures intrusion evidence, and thereby achieves real-time dynamic forensics. The thesis studies the techniques involved in the three key stages of this dynamic forensics model: evidence collection, evidence analysis and evidence preservation. For evidence analysis, it adopts an analysis mode that combines misuse detection, anomaly detection and integrity detection, and proposes an implementation that fuses multiple detection techniques in the intrusion detection analysis agent. Because an ordinary intrusion detection module only yields intrusion evidence, and in order to separate computer crime evidence from the collected data, the scheme further introduces a crime feature database into the intrusion detection module and designs an improved intrusion detection model. For evidence preservation, it studies the representation of the evidence chain and, to ensure the authenticity and integrity of evidence, proposes an evidence preservation scheme that combines message digests, digital signatures and timestamps. Research on computer dynamic forensics in China is only beginning; the results of this thesis lay a foundation for further exploration of the basic methods of computer dynamic forensics and for building a practical and effective computer forensics system.

[Abstract] Computer forensics is an important tool in combating computer crime. In view of the weaknesses of static computer forensics, a distributed dynamic forensics system based on multiple agents was designed. Using intrusion detection technology, the system monitors user behaviour and network traffic in the protected network, so it can obtain intrusion evidence in time and achieve dynamic forensics. The thesis also studies in depth the three important aspects of computer dynamic forensics: evidence collection, evidence analysis and evidence preservation. For evidence analysis, an intrusion detection model fusing misuse detection, anomaly detection and file integrity detection was adopted, and an intrusion detection agent fusing multiple detection techniques was designed. To distinguish crime evidence from intrusion evidence, an improved intrusion detection model was designed by applying a crime features database. For evidence preservation, the chain of computer crime evidence was studied and, to guarantee the legal effect of digital evidence, an evidence-securing method that unites message digests, digital signatures and timestamps was put forward. Research on computer dynamic forensics in China is at an initial stage, so the principal results of this thesis are helpful for exploring computer forensic methods and for constructing a useful computer forensic system.
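The evidence-securing method described above (digest, digital signature and timestamp bound together) can be sketched as follows. This is an added illustration, not code from the thesis: the record layout, the use of SHA-256 and Ed25519, the simulated timestamp authority and the IDS alert line are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// EvidenceRecord is a hypothetical container (not the thesis's own format) that binds
// collected evidence to its digest, a timestamp-authority (TSA) token and an agent signature.
type EvidenceRecord struct {
	Data      []byte
	Digest    []byte // SHA-256 of Data
	Timestamp int64  // Unix seconds attested by the TSA
	TSAToken  []byte // TSA signature over Digest || "|" || Timestamp
	AgentSig  []byte // agent signature over Digest || "|" || Timestamp || TSAToken
}

// tsaMessage is the byte string the TSA commits to: the digest bound to the time.
func tsaMessage(digest []byte, ts int64) []byte {
	return append(append([]byte{}, digest...), fmt.Sprintf("|%d", ts)...)
}

// Secure hashes the evidence, has the TSA sign digest+time, then has the agent sign all three.
func Secure(data []byte, agentKey, tsaKey ed25519.PrivateKey, now int64) EvidenceRecord {
	sum := sha256.Sum256(data)
	msg := tsaMessage(sum[:], now)
	token := ed25519.Sign(tsaKey, msg)
	return EvidenceRecord{data, sum[:], now, token, ed25519.Sign(agentKey, append(msg, token...))}
}

// Verify recomputes the digest and checks both signatures; any change to data, digest or time fails.
func Verify(r EvidenceRecord, agentPub, tsaPub ed25519.PublicKey) bool {
	sum, msg := sha256.Sum256(r.Data), tsaMessage(r.Digest, r.Timestamp)
	return bytes.Equal(sum[:], r.Digest) && ed25519.Verify(tsaPub, msg, r.TSAToken) &&
		ed25519.Verify(agentPub, append(msg, r.TSAToken...), r.AgentSig)
}

// Demo secures a constructed IDS alert line, then checks that the intact record verifies
// and that a copy with altered data or a shifted timestamp is rejected.
func Demo() (intactOK, tamperedRejected bool) {
	agentPub, agentKey, _ := ed25519.GenerateKey(rand.Reader)
	tsaPub, tsaKey, _ := ed25519.GenerateKey(rand.Reader)
	rec := Secure([]byte("constructed alert: 10.0.0.5 -> 10.0.0.9 tcp/445 rule match"), agentKey, tsaKey, 1700000000)
	bad, late := rec, rec
	bad.Data, late.Timestamp = []byte("constructed alert: altered"), rec.Timestamp+60
	return Verify(rec, agentPub, tsaPub), !Verify(bad, agentPub, tsaPub) && !Verify(late, agentPub, tsaPub)
}

func main() { fmt.Println(Demo()) } // prints: true true
```

In a deployed system the TSA key would belong to an independent service and the agent key to the collecting agent, so that neither party alone can re-sign altered evidence.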

  • [Online publication contributor] 中南大学 (Central South University)
  • [Online publication issue] 2009, issue 01
  • [Classification number] TP399-C2
  • [Citation count] 7
  • [Download count] 338