| With the development of computer technology, computers have come into widespread use: people rely on them to learn, work, play and store important information, and they have become an indispensable part of our society. At the same time, criminal activity carried out on computers has grown in variety and volume. Combating and punishing computer crime, and obtaining as much electronic evidence as possible, have become a shared concern of the computer science and legal fields. With the emergence of anti-forensic technology and the rising technical skill of criminals, who often delete or erase data related to their crimes, traditional static computer forensics can no longer meet the needs of the situation. This thesis designed and implemented a remote dynamic computer forensics system based on data recovery and remote control technology. The system can remotely obtain some data that has been deleted or formatted on the target hosts, as well as the real-time activity of the target users. It effectively addresses the shortcomings of static computer forensics methods, which are narrow in approach and slow to respond to criminal incidents. The thesis first introduced the concepts and theory of computer remote control, forensics and data recovery technology, then analyzed the advantages and disadvantages of the existing technologies, tools and models. Second, it studied the structure of data storage media and the way data is stored, especially the data structures of the popular FAT32 and NTFS file systems, and proposed and implemented a data recovery technique based on combining file characteristics with directory lists. It then presented and implemented a method for recovering discontinuous data fragments using the FAT list. Finally, the thesis designed and implemented a computer forensics system consisting of a client terminal, a switch terminal and a service terminal.
This system used hierarchical control technology and a single-port data exchange mechanism to covertly and actively obtain some data that has been deleted or formatted on the target hosts, while also obtaining real-time information on the target users' activity through a screen capture function. The thesis paid particular attention to removable storage media, covering both how to obtain the contents of the medium and the dialog box reporting that the medium cannot be deleted, which appears when evidence is acquired from the target user's removable storage medium. Testing of the remote computer forensics system shows that it is multifunctional and effective, and can covertly and actively obtain some data that has been deleted or formatted on the target hosts as well as real-time information on the target users' activity. In conclusion, the system is forward-looking and has practical application value. |