
Active Forensics System Based On Windows Platform Of Electronic Evidence Preservation Research

Posted on: 2013-12-08  Degree: Master  Type: Thesis
Country: China  Candidate: Z X Li  Full Text: PDF
GTID: 2248330374985708  Subject: Information and Communication Engineering
Abstract/Summary:
With the continuous development of IT, computer-related crime is increasingly becoming an issue of concern. Computer crime is a new kind of crime, characterized by intelligence and concealment. It is becoming increasingly difficult to protect against computer-related crime by relying solely on traditional network security technologies.

Computer forensics is the process of acquiring, preserving and analyzing electronic evidence. Its task is to uncover and collect the traces of a criminal's offence, so as to combat and prevent computer crime effectively. Most traditional computer forensics is static computer forensics, in which the collection of evidence is neither timely nor comprehensive. Data obtained by data recovery may already have been tampered with, and thus the legal effectiveness of the evidence is low. Dynamic forensics is the development trend of computer forensics, but work on it has mainly focused on theoretical study. Most approaches combine the defensive thinking of intrusion detection with honeypot technology, and few involve active techniques for obtaining the evidence.

In this thesis, on the basis of the existing computer forensics model, a new model for computer forensics is proposed. It is an initiative forensics model whose idea is to introduce secret investigative measures. The model adds "presetting", "monitoring", "Internet penetration" and active acquisition techniques to the existing computer forensics technology system. When the target host is locked, the Forensics Agent is implanted into the host by means of network penetration, so that it can carry out real-time, controllable forensics. By adding an alarm system, the model can also make use of the advantages of static forensics: when danger arises, it can notify forensics officers in time, so that they can carry out static forensics at the crime scene.

The strength of electronic evidence has always been a problem in forensic science; it concerns whether the collected data can be adopted by the judge as the basis of a decision. Preservation of electronic evidence means fixing evidence that may be lost or become difficult to obtain later, and storing it securely. Its main purpose is to ensure the integrity and non-repudiation of electronic evidence. In this thesis, an initiative forensics system is designed on the basis of the initiative forensics workflow, and the main problems faced in the initiative forensics process are studied, such as the security of data transmission, the tamper-resistant design of the data, and access management for evidence storage.
Keywords/Search Tags: Computer forensics, Electronic evidence, Initiative forensics, Preservation of evidence