
Research Of Computer Forensics Method Based On Active Acquisition And Implementation Techniques

Posted on: 2010-04-21
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y R Wu
Full Text: PDF
GTID: 1118360272497281
Subject: Computer system architecture
Abstract/Summary:
With the spread of computers and networks, people rely on them more and more; computers take an ever larger part in work and daily life, and computer-related court cases keep appearing. High-tech computer crime is a new kind of crime whose criminal behaviour is more rampant and whose methods are more covert. Relying on traditional network security technologies such as access control, network isolation and intrusion detection to fight computer crime is not very effective, so law enforcement means must be strengthened and law enforcement efforts increased. In this situation computer forensics has been proposed; it is not only an effective application of the law in computer science but also a powerful supplement to the existing network security architecture. Computer forensics mainly studies how to provide thorough, effective and safe technologies, procedures and methods for the investigation of computer crime, and its key is to ensure that evidence is true, reliable, complete and legitimate.

Existing computer forensics technologies and products are mostly designed for static forensics. In recent years dynamic forensics technologies, the development trend of computer forensics, have developed rapidly, but they focus on real-time monitoring and rarely address forensics technologies based on active acquisition. In this context, this paper proposes a computer forensics method based on active acquisition, which is highly targeted at discovering computer-related crime, especially organized computer-related crime.

The primary research work of this paper includes:

1. Research of a computer forensics model based on active acquisition. This paper studies the computer forensics requirements of the investigating subject and related objects under a variety of approaches and for different purposes. By combining policy control, operation control and technology control with law enforcement, a framework for computer forensics based on active acquisition is given, which includes dynamic forensics, honeynet forensics and remote forensics. Dynamic forensics combines computer forensics technology with firewalls and intrusion detection systems: data on possible computer criminal acts are obtained and analysed in real time to identify the intruder's purpose and to take measures such as cutting off the link or another response; while ensuring system security, the most substantial evidence is gained and then identified, preserved and submitted. The honeynet forensics system constitutes a network architecture for entrapping hackers; it can learn hackers' attack processes and obtain a great deal of useful information, so it can forewarn of new attacks, delay attacks and divert the target of attack, and it can implement simulated responses and trigger warnings in response to attacks. Remote forensics can remotely obtain electronic evidence from suspects' hosts, obtain evidence of a suspect's crime before it is committed, and at the same time acquire the list of persons and hosts in contact with the criminal from the relevant information, so as to determine whether the aggressive behaviour is an individual crime or a gang crime and achieve the purpose of detection.

2. An active acquisition computer forensics model (A2CFM) is presented, which expands the scope of computer forensics sources and defines different levels of forensics sources in order to extend the forensics scope to the whole attack process, including before, during and after the attack. A security audit assistance management system (UPAM) is proposed, which monitors write operations to physical ports and provides a detailed logging function, enhancing the effective information sources for computer forensics and making up for the disadvantages of current forensics sources. Furthermore, forensics sources are filtered by layer to increase the strength of forensics analysis.

3. A remote forensics system based on active acquisition (A2RFS) is designed and implemented. This system simulates two types of network environment, and it can obtain evidence from a computer that cannot access the network under specific circumstances. When carrying out remote forensics, the custom driver can traverse different levels of the kernel layer, which not only successfully traverses current mainstream firewalls but also traverses IMD-based firewalls that perform network monitoring.

4. A method for establishing an attack group model by means of a relationship graph of the various attacks is proposed. Under the constraints of time characteristics and causality it can determine the attack sequence and reconstruct the attack sequence of compound network attacks. In addition, a timely response is made without considering the ratio of damage cost to response cost for each individual attack, so as to achieve the maximal reduction of response cost.

5. A multi-level compression decision tree algorithm is proposed, which overcomes the disadvantage of C4.5 that constructing the tree requires scanning and sorting the data several times. It optimizes the size and classification accuracy of the tree and improves decision-making efficiency. Classification decision-making is used to set up a multi-level decision tree, which not only speeds up tree growth but also yields a tree with good structure and better rule information.

The innovations of this paper are mainly reflected in the following aspects:

1. When carrying out remote forensics, the custom driver can traverse different levels of the kernel layer, which not only successfully traverses current mainstream firewalls but also traverses IMD-based firewalls that perform network monitoring.

2. An active acquisition computer forensics model (A2CFM) is presented, which expands the scope of computer forensics sources and defines different levels of forensics sources in order to extend the forensics scope to the whole attack process, including before, during and after the attack. The main sources of computer forensics are described by a unified knowledge representation and the different levels of sources are defined. The output of a forensics system depends on the available type, quantity and quality of its input data, so for a computer forensics system, how to acquire forensics information sources is the first problem to solve. This paper uses UPAM logs, honeynet logs and intrusion detection information as direct inputs of forensics information sources. Other information, such as out-of-band information, firewall logs, host data and network data, is treated as intrusion detection information sources and first undergoes the filter analysis of intrusion detection. The benefits of doing so are:
   1) It enhances the safety and efficiency of forensics. Computer forensics differs from intrusion detection, and the biggest difference is the requirement of legitimacy. For evidence generated by forensics, the extraction, storage and transmission process has special requirements of confidentiality, integrity and availability compared with the process that generates intrusion logs. Hierarchical filtering, together with filtering redundant log information through intrusion detection, guarantees not only the diversity of forensics sources but also the minimum input to the forensics system.
   2) Intrusion detection is a more mature technology. Compared with computer forensics, which is a new technology, its technical means are rich and target-oriented. Using intrusion detection to filter information means using mature technologies to complete the analysis and extraction of logs, providing a basic guarantee of the accuracy of the crime analysis of the whole system.

3. A remote forensics system based on active acquisition (A2RFS) is designed and implemented. This system simulates two types of network environment and can obtain evidence from a computer that cannot access the network under specific circumstances.

4. A cost-based intrusion response method is proposed. It studies how to calculate the response cost in a coordinated attack situation and then minimizes that cost to obtain the goal of maximum security. Using graph-theoretic methods, the attack group model is established; under the constraints of time characteristics and causal relations it determines the course of a coordinated intrusion attack, and it considers the overall relationship between the individual response costs and the whole response cost of the coordinated attack to decide whether a response needs to be made, thus achieving the goal of maximally reducing response cost.

To sum up, this paper conducts systematic research on computer dynamic forensics methods based on active acquisition and proposes a computer dynamic forensics model based on active acquisition. By monitoring the occurrence of attacks in real time, it can on the one hand carry out real-time synchronized forensics and make detailed records of intrusion behaviour, and on the other hand activate the response system to call the firewall or IRS to respond to intrusion behaviour of different intensity. The dynamic computer forensics model makes forensics more real-time and continuous, reduces damage to the forensics system as much as possible through the interaction of firewalls and the intrusion detection system, and, through honeynet technologies, can observe the steps and methods of network attacks and thus learn the weaknesses and flaws of the system, in order to update the intrusion signature database and invoke the corresponding response measures. Under the authority of the public security organs, remote forensics technologies can obtain electronic evidence from the hosts of criminal suspects remotely: before or during the crime, evidence of the crime is obtained and, at the same time, the list of hosts that often contact the criminal suspects is acquired from the relevant information on the attacking hosts, to determine whether the attack is an individual crime or a gang crime and achieve the purpose of detection. Parts of this paper have proven very effective in practice. The research has important theoretical significance and application value.
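The attack group model and the cost-based response that the abstract describes (a relationship graph of attacks, ordered under time and causality constraints, with the whole coordinated attack weighed against one response cost instead of each step against its own) are illustrated by the following added example. It is not the dissertation's own code. It assumes a hypothetical prerequisite table for causality, a one-hour time window, constructed sample alerts with made-up damage and response costs, and a simple cost model in which one response at the earliest step of a reconstructed chain contains every later step; the abstract specifies none of these.

```python
# Added illustration (not the dissertation's code): an attack relationship
# graph built from constructed alerts under time and causality constraints,
# the reconstructed attack sequence, and a group-level cost-based decision.
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical causality rules: a step of the key type may be caused by an
# earlier step of one of the listed types against the same target host.
PREREQUISITES = {
    "exploit": {"port_scan"},
    "privilege_escalation": {"exploit"},
    "data_exfiltration": {"privilege_escalation"},
}
TIME_WINDOW = 3600  # assumed: a cause precedes its effect by at most one hour


@dataclass
class Alert:
    aid: str
    time: int             # seconds (constructed values)
    kind: str
    src: str
    dst: str
    damage_cost: float    # estimated loss if this step succeeds
    response_cost: float  # cost of containing this step on its own


# Constructed sample alerts: one four-step chain against 192.168.1.10 plus an
# unrelated scan of another host. All addresses and costs are made up.
SAMPLE_ALERTS = [
    Alert("A1", 1000, "port_scan", "10.0.0.5", "192.168.1.10", 10, 50),
    Alert("A5", 1200, "port_scan", "10.0.0.9", "192.168.1.20", 10, 50),
    Alert("A2", 1300, "exploit", "10.0.0.5", "192.168.1.10", 200, 120),
    Alert("A3", 2000, "privilege_escalation", "10.0.0.5", "192.168.1.10", 500, 300),
    Alert("A4", 2500, "data_exfiltration", "10.0.0.5", "192.168.1.10", 5000, 400),
]


def build_attack_graph(alerts):
    """Directed edges a -> b where a is a plausible cause of b: the types are
    causally related, both hit the same target, and a precedes b in time."""
    by_id = {a.aid: a for a in alerts}
    edges = defaultdict(list)
    for b in alerts:
        for a in alerts:
            if a.aid == b.aid:
                continue
            causal = a.kind in PREREQUISITES.get(b.kind, set())
            same_target = a.dst == b.dst
            in_order = 0 < b.time - a.time <= TIME_WINDOW
            if causal and same_target and in_order:
                edges[a.aid].append(b.aid)
    return by_id, edges


def reconstruct_sequence(component, by_id, edges):
    """Topological order over the causal edges, ties broken by timestamp."""
    members = set(component)
    indeg = {aid: 0 for aid in members}
    for a in members:
        for b in edges.get(a, []):
            if b in members:
                indeg[b] += 1
    ready = [aid for aid in members if indeg[aid] == 0]
    order = []
    while ready:
        ready.sort(key=lambda aid: by_id[aid].time)
        cur = ready.pop(0)
        order.append(cur)
        for b in edges.get(cur, []):
            if b in members:
                indeg[b] -= 1
                if indeg[b] == 0:
                    ready.append(b)
    return [by_id[aid] for aid in order]


def attack_groups(alerts):
    """Each connected component of the graph is one coordinated attack;
    returns a list of groups, each as its reconstructed step sequence."""
    by_id, edges = build_attack_graph(alerts)
    undirected = defaultdict(set)
    for a, succs in edges.items():
        for b in succs:
            undirected[a].add(b)
            undirected[b].add(a)
    seen, groups = set(), []
    for aid in by_id:
        if aid in seen:
            continue
        comp, queue = [], deque([aid])
        seen.add(aid)
        while queue:
            cur = queue.popleft()
            comp.append(cur)
            for nxt in undirected[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        groups.append(reconstruct_sequence(comp, by_id, edges))
    return groups


def group_decision(sequence):
    """Assumed cost model: one response at the earliest step of the chain
    contains every later step, so the group's total damage is weighed against
    that single response cost. individual_cost is what per-step decisions
    (respond when damage > response cost) would have spent instead."""
    total_damage = sum(a.damage_cost for a in sequence)
    group_cost = sequence[0].response_cost
    individual_cost = sum(a.response_cost for a in sequence
                          if a.damage_cost > a.response_cost)
    return {"respond": total_damage > group_cost, "at": sequence[0].aid,
            "total_damage": total_damage, "group_cost": group_cost,
            "individual_cost": individual_cost}


if __name__ == "__main__":
    for group in attack_groups(SAMPLE_ALERTS):
        print([a.aid for a in group], group_decision(group))
```

Run stand-alone it prints each group's reconstructed sequence and decision. The scan step A1 alone would not justify a response (damage 10 against cost 50), but weighed as a group the chain's total damage of 5710 justifies a single response costing 50 at the scan step, against 820 if the three later steps were each answered on their own; the isolated scan A5 stays unanswered.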
Keywords/Search Tags: Dynamic Forensic, Honeynet Forensic, Remote Forensic, Cost Response, Cooperative Attacks