
Key Problems For Computer Forensics Analysis

Posted on: 2012-03-29
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Yang
GTID: 1228330344952109
Subject: Communication and Information System
Abstract/Summary:
Computer crime has recently become increasingly rampant and now poses a serious threat to the governments and people of all countries. Cracking down on computer crime effectively is therefore an inevitable requirement for cleaning up the computer network environment, ensuring national security and safeguarding the interests of the public. The key to combating computer crime is obtaining electronic evidence that is legally admissible. Computer forensics now receives close attention, and research on it has become an important part of computer security.

In view of the immediate problems in computer forensics technology, this dissertation focuses on the computer forensics process model, electronic evidence analysis, the unified representation of electronic evidence, electronic evidence fusion and evidence data filtering. The details are as follows:

An evidence investigation process model is presented in accordance with China's laws and the features of electronic evidence. The model draws on the workflow of the traditional investigation process model and on the basic framework model of computer forensics presented by the Digital Forensics Research Workshop. Establishing this model contributes to comprehensive research on a computer forensics model suited to Chinese conditions.

To improve the efficiency of electronic evidence analysis based on data mining, a new method for electronic evidence analysis is proposed, in which behavior profiling is built on the longest frequent pattern constructed by an immune clonal algorithm. The proposed method and the method based on Apriori-CGA are applied to the same problem. The comparison results indicate that the time needed to set up the behavior profile and the time needed to test abnormal data are dramatically reduced. The proposed method therefore performs well in terms of the efficiency of forensic analysis and electronic crime investigation.

To address the difficulty of constructing an evidential chain caused by the miscellaneous formats of electronic evidence, a notation method for electronic evidential metadata is proposed, and the electronic evidential metadata of computer abnormal events are designed. The results indicate that the attributes and relations of electronic evidence can be expressed uniformly, and that electronic evidence can be organized, analyzed, fused and submitted conveniently.

To improve the algorithm complexity and the accuracy of the reproduced scene, a new method for evidence fusion based on Hidden Markov models is proposed. The proposed method and the method based on Bayesian networks are applied to the same problem. The comparison results indicate that the algorithm complexity and the anti-interference ability are dramatically improved by the former. The proposed method therefore performs well in terms of the cost of reproducing the scene of the crime.

To reduce the storage resources required for evidence data and the interference that data introduces into electronic evidence analysis, a new method for filtering evidence data based on artificial immune network clustering is proposed. The results indicate that the algorithm can provide higher data-compression ratios, without any prior knowledge, when the time window and the filtering threshold are selected reasonably. The proposed method therefore performs well in narrowing the scope of the data to be surveyed and in the efficiency of forensic analysis.
Keywords/Search Tags: computer crime, electronic evidence, computer forensics, forensic analysis, forensics process model